
System Management Guide: Communications and Networks

Dynamically update authentication and privacy keys in SNMPv3

This scenario shows how to dynamically update the authentication keys for a user in SNMPv3. In this scenario, user u4 will update the authentication keys for user u8. Both users u4 and u8 have already had authentication keys created based on password defaultpassword and IP address 9.3.149.49, and everything is working.

During this scenario, new keys will be created for user u8 and the /etc/snmpdv3.conf file will be dynamically updated. The authentication key for user u8 in the manager side's /etc/clsnmp.conf file will then need to be manually edited to reflect the new keys.

Make a backup of the /etc/snmpdv3.conf file on the SNMP agent and a backup of the /etc/clsnmp.conf file on the SNMP manager before you start this procedure.

Below is the /etc/snmpdv3.conf file that will be dynamically updated:

USM_USER u4 - HMAC-MD5 18a2c7b78f3df552367383eef9db2e9f - - N -
USM_USER u8 - HMAC-SHA 754ebf6ab740556be9f0930b2a2256ca40e76ef9 - - N -

VACM_GROUP group1 SNMPv1  public  -
VACM_GROUP group2 USM u4 -
VACM_GROUP group2 USM u8 -

VACM_VIEW defaultView        internet                   - included -

VACM_ACCESS  group1 - - noAuthNoPriv SNMPv1  defaultView - defaultView -
VACM_ACCESS  group2 - - noAuthNoPriv USM defaultView defaultView defaultView -
VACM_ACCESS  group2 - - AuthNoPriv USM defaultView defaultView defaultView -
VACM_ACCESS  group2 - - AuthPriv USM defaultView defaultView defaultView -

NOTIFY notify1 traptag trap -

TARGET_ADDRESS Target1 UDP 127.0.0.1       traptag trapparms1 - - -
TARGET_ADDRESS Target2 UDP 9.3.149.49       traptag trapparms2 - - -
TARGET_ADDRESS Target3 UDP 9.3.149.49       traptag trapparms3 - - -
TARGET_ADDRESS Target4 UDP 9.3.149.49       traptag trapparms4 - - -

TARGET_PARAMETERS trapparms1 SNMPv1  SNMPv1  public  noAuthNoPriv -
TARGET_PARAMETERS trapparms3 SNMPv2c  SNMPv2c  publicv2c  noAuthNoPriv -
TARGET_PARAMETERS trapparms4 SNMPv3  USM     u4 AuthNoPriv -

Below is the /etc/clsnmp.conf file that will be updated for user u8:

testu4 9.3.149.49 snmpv3 u4 - - AuthNoPriv HMAC-MD5 18a2c7b78f3df552367383eef9db2e9f - -
testu8 9.3.149.49 snmpv3 u8 - - AuthNoPriv HMAC-SHA 754ebf6ab740556be9f0930b2a2256ca40e76ef9 - -

Follow these steps to update your password and authentication keys.

  1. On the SNMP manager side, run the pwchange command. In this scenario, we ran the following command:
    pwchange -u auth -p HMAC-SHA defaultpassword newpassword 9.3.149.49

    This command will generate a new authentication key.

    This command produced the following output:

    Dump of 40 byte HMAC-SHA authKey keyChange value:
      8173701d7c00913af002a3379d4b150a
      f9566f56a4dbde21dd778bb166a86249
      4aa3a477e3b96e7d

    You will use this authentication key in the next step.

    Note
    Keep the new passwords you use in a safe place. You will need to use them again when making changes in the future.

  2. On the SNMP manager, user u4 will change the authentication key for user u8 by entering the following command:
    clsnmp -h testu4 set usmUserAuthKeyChange.12.0.0.0.2.0.0.0.0.9.3.149.49.2.117.56 \'8173701d7c00913af002a3379d4b150af9566f56a4dbde21dd778bb166a862494aa3a477e3b96e7d\'h

    The output of the command follows:

    1.3.6.1.6.3.15.1.2.2.1.6.12.0.0.0.2.0.0.0.0.9.3.149.49.2.117.56 = '8173701d7c00913af002a3379d4b150af9566f56a4dbde21dd778bb166a862494aa3a477e3b96e7d'h

    After this command is completed, the /etc/snmpdv3.conf file will be automatically updated after five minutes on the SNMP agent side. You can also stop and start the SNMP daemon to update the file. The following entry for user u8 will be dynamically updated in the /etc/snmpdv3.conf file:

    USM_USER u8 000000020000000009039531 HMAC-SHA 4be657b3ae92beee322ee5eaeef665b338caf2d9 None - L nonVolatile
  3. On the SNMP manager side, run the pwtokey command to generate the new authentication key based on the new password to place in the /etc/clsnmp.conf file. In this scenario, we ran the following command:
    pwtokey -u auth -p HMAC-SHA  newpassword 9.3.149.49

    The result gives the localized and non-localized authentication keys:

    Display of 20 byte HMAC-SHA authKey:          
      79ce23370c820332a7f2c7840c3439d12826c10d    
                                                  
    Display of 20 byte HMAC-SHA localized authKey:
      b07086b278163a4b873aace53a1a9ca250913f91    
  4. Open the /etc/clsnmp.conf file with your favorite text editor and place the non-localized authentication key in the line for the user whose keys are being updated. In this scenario, the entry is as follows:
    testu8 9.3.149.49 snmpv3 u8 - - AuthNoPriv HMAC-SHA 79ce23370c820332a7f2c7840c3439d12826c10d - -
    Save and close the file.
  5. Test the updated configuration by running the following command:
    clsnmp -v -h testu8 walk mib
    where mib is a MIB variable to which user u8 has read access. In this case, user u8 has access to internet.
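
The key material handled in steps 1 to 3, as an added example that is not IBM's code and not part of the original page: it implements the RFC 3414 password-to-key, key localization and KeyChange algorithms and decodes the usmUserAuthKeyChange index used in step 2. That pwtokey and pwchange follow these RFC algorithms is an assumption, and all function names are hypothetical.

```python
import hashlib
import os

def password_to_key(password: str, algo: str = "sha1") -> bytes:
    """Non-localized key Ku: hash the password repeated out to 1 MiB (RFC 3414 A.2)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(algo, stream).digest()

def localize(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Localized key Kul = H(Ku || engineID || Ku); valid for one agent only."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def key_change(old_kul: bytes, new_kul: bytes, algo: str = "sha1", rand=None) -> bytes:
    """Manager side: KeyChange value = random || (H(old || random) XOR new)."""
    rand = rand if rand is not None else os.urandom(len(old_kul))
    temp = hashlib.new(algo, old_kul + rand).digest()
    return rand + bytes(a ^ b for a, b in zip(temp, new_kul))

def apply_key_change(old_kul: bytes, value: bytes, algo: str = "sha1") -> bytes:
    """Agent side: recover the new key from the old key and the KeyChange value."""
    rand, delta = value[:len(old_kul)], value[len(old_kul):]
    temp = hashlib.new(algo, old_kul + rand).digest()
    return bytes(a ^ b for a, b in zip(temp, delta))

def decode_usm_index(suffix: str):
    """Split a usmUserTable index: <len>.<engineID bytes>.<len>.<user name bytes>."""
    parts = [int(x) for x in suffix.split(".")]
    n = parts[0]
    engine_id = bytes(parts[1:1 + n])
    m = parts[1 + n]
    return engine_id, bytes(parts[2 + n:2 + n + m]).decode()

if __name__ == "__main__":
    # Index copied from the set command in step 2; passwords are the page's examples.
    engine_id, user = decode_usm_index("12.0.0.0.2.0.0.0.0.9.3.149.49.2.117.56")
    old = localize(password_to_key("defaultpassword"), engine_id)
    new = localize(password_to_key("newpassword"), engine_id)
    value = key_change(old, new)
    assert apply_key_change(old, value) == new
    print(user, engine_id.hex(), len(value), "byte keyChange value")
```

Anyone who holds the old localized key and observes the KeyChange value can recover the new key, so a key that may already be exposed should be replaced out of band rather than rotated this way.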
