System Management Guide: Communications and Networks - Dynamically update authentication and privacy keys in SNMPv3

Dynamically update authentication and privacy keys in SNMPv3

This scenario shows how to dynamically update the authentication keys for a user in SNMPv3. In this scenario, user u4 will update the authentication keys for user u8. Both users u4 and u8 have already had authentication keys created based on password defaultpassword and IP address 9.3.149.49, and everything is working.

During this scenario, new keys will be created for user u8 and the /etc/snmpdv3.conf file will be dynamically updated. The authentication key for user u8 in the manager side's /etc/clsnmp.conf file will then need to be manually edited to reflect the new keys.

Make a backup of the /etc/snmpdv3.conf file on the SNMP agent and a backup of the /etc/clsnmp.conf file on the SNMP manager before you start this procedure.

Below is the /etc/snmpdv3.conf file that will be dynamically updated:

USM_USER u4 - HMAC-MD5 18a2c7b78f3df552367383eef9db2e9f - - N - USM_USER u8 - HMAC-SHA 754ebf6ab740556be9f0930b2a2256ca40e76ef9 - - N - VACM_GROUP group1 SNMPv1 public - VACM_GROUP group2 USM u4 - VACM_GROUP group2 USM u8 - VACM_VIEW defaultView internet - included - VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView - VACM_ACCESS group2 - - noAuthNoPriv USM defaultView defaultView defaultView - VACM_ACCESS group2 - - AuthNoPriv USM defaultView defaultView defaultView - VACM_ACCESS group2 - - AuthPriv USM defaultView defaultView defaultView - NOTIFY notify1 traptag trap - TARGET_ADDRESS Target1 UDP 127.0.0.1 traptag trapparms1 - - - TARGET_ADDRESS Target2 UDP 9.3.149.49 traptag trapparms2 - - - TARGET_ADDRESS Target3 UDP 9.3.149.49 traptag trapparms3 - - - TARGET_ADDRESS Target4 UDP 9.3.149.49 traptag trapparms4 - - - TARGET_PARAMETERS trapparms1 SNMPv1 SNMPv1 public noAuthNoPriv - TARGET_PARAMETERS trapparms3 SNMPv2c SNMPv2c publicv2c noAuthNoPriv - TARGET_PARAMETERS trapparms4 SNMPv3 USM u4 AuthNoPriv -

Below is the /etc/clsnmp.conf file that will be updated for user u8:

testu4 9.3.149.49 snmpv3 u4 - - AuthNoPriv HMAC-MD5 18a2c7b78f3df552367383eef9db2e9f - - testu8 9.3.149.49 snmpv3 u8 - - AuthNoPriv HMAC-SHA 754ebf6ab740556be9f0930b2a2256ca40e76ef9 - -

Follow these steps to update your password and authentication keys.

On the SNMP manager side, run the pwchange command. In this scenario, we ran the following command:

pwchange -u auth -p HMAC-SHA defaultpassword newpassword 9.3.149.49

This command will generate a new authentication key.

-u auth specifies that only an authentication key will be created. If you are updating privacy keys as well, use -u all.
-p HMAC-SHA specifies the protocol that will be used to create the authentication key. If you are updating privacy keys as well, us -p all.
defaultpassword is the password used to create the latest authentication key (for example, if bluepen would have been used to create the latest authentication key, bluepen would be used here as well)
newpassword is the new password that will be used to generate the authentication key. Keep this password for future reference
9.3.149.49 is the IP address where the SNMP agent is running.

This command produced the following output:

Dump of 40 byte HMAC-SHA authKey keyChange value:
  8173701d7c00913af002a3379d4b150a
  f9566f56a4dbde21dd778bb166a86249
  4aa3a477e3b96e7d

You will use this authentication key in the next step.

Note

Keep the new passwords you use in a safe place. You will need to use them again when making changes in the future.

On the SNMP manager, user u4 will change the authentication key for user u8 by entering the following command:

clsnmp -h testu4 set usmUserAuthKeyChange.12.0.0.0.2.0.0.0.0.9.3.149.49.2.117.56
 \'8173701d7c00913af002a3379d4b150af9566f56a4dbde21dd778bb166a862494aa3a477e3b96e7d\'h

testu4 is used because it is mapped to user u4 in the /etc/clsnmp.conf file.
The instance ID of usmUserAuthKeyChange includes, in decimal values, the engine ID of the SNMP agent where the update is taking place and username whose authentication key is being updated. The engine ID can be found in the /etc/snmpd.boots file (the /etc/snmpd.boots file contains two strings of numbers. The engine ID is the first string. Ignore the second string of numbers).
The engine ID will need to be converted from hexadecimal values to decimal values in order to be used here. Each two numbers in the hexadecimal engine ID convert to one decimal value. For example, engine ID 000000020000000009039531 would be read as 00 00 00 02 00 00 00 00 09 03 95 31. Each of those numbers must be converted to decimal values, resulting in, 0.0.0.2.0.0.0.0.9.3.149.49 (For a conversion table, see Appendix B. Conversion Table.). The first number in the string is the number of bytes in the decimal string. In this case, it is 12, resulting in 12.0.0.0.2.0.0.0.0.9.3.149.49.

The following number is the number of bytes in the username, followed by the decimal values for the username itself. In this case, the username is u8. When converted to decimal values, u8 becomes 117.56. Because the username is 2 bytes long, the value representing the username becomes 2.117.56. Add that to the end of the decimal engine ID (For a conversion table, see Appendix B. Conversion Table.).

In this case, the result is 12.0.0.0.2.0.0.0.0.9.3.149.49.2.117.56.
The next value in the command is the new authentication key generated using the pwchange command in the previous step.
Note

If the user also has privacy keys configured, this procedure must be repeated to update the privacy keys. When updating the privacy keys, use the usmUserPrivKeyChange value instead of the usmUserAuthKeyChange value.
Using usmUserOwnAuthKeyChange instead of usmUserAuthKeyChange will allow a user to change his or her own authentication key. For example, user u4 could change its own authentication key using usmUserOwnAuthKeyChange.

The output of the command follows:

1.3.6.1.6.3.15.1.2.2.1.6.12.0.0.0.2.0.0.0.0.9.3.149.49.2.117.56 = '8173701d7c00913af002a3379
d4b150af9566f56a4dbde21dd778bb166a862494aa3a477e3b96e7d'h

After this command is completed, the /etc/snmpdv3.conf file will be automatically updated after five minutes on the SNMP agent side. You can also stop and start the SNMP daemon to update the file. The following entry for user u8 will be dynamically updated in the /etc/snmpdv3.conf file:

USM_USER u8 000000020000000009039531 HMAC-SHA 4be657b3ae92beee322ee5eaeef665b338caf2d9 
None - L nonVolatile

On the SNMP manager side, run the pwtokey command to generate the new authentication key based on the new password to place in the /etc/clsnmp.conf file. In this scenario, we ran the following command:

pwtokey -u auth -p HMAC-SHA  newpassword 9.3.149.49

-u auth specifies that only an authentication key will be created. If you are updating privacy keys as well, use -u all.
-p HMAC-SHA specifies the protocol that will be used in creating the authentication key. If you are updating privacy keys as well, use -p all.
The password used (in this case newpassword) must be the same as the password used when generating new authentication keys with the pwchange command.
The IP address used (in this case 9.3.149.49) must be the IP address where the agent is running.

The result gives the localized and non-localized authentication keys:

Display of 20 byte HMAC-SHA authKey:          
  79ce23370c820332a7f2c7840c3439d12826c10d    
                                              
Display of 20 byte HMAC-SHA localized authKey:
  b07086b278163a4b873aace53a1a9ca250913f91

Open the /etc/clsnmp.conf file with your favorite text editor and place the non-localized authentication key in the line for the user whose keys are being updated. In this scenario, the entry is as follows:

testu8 9.3.149.49 snmpv3 u8 - - AuthNoPriv HMAC-SHA 79ce23370c820332a7f2c7840c3439d12826c10d - -

Save and close the file.

Test the updated configuration by running the following command:

clsnmp -v -h testu8 walk mib

where mib is a MIB variable to which user u8 has read access. In this case, user u8 has access to internet.