This scenario shows how to dynamically update the authentication keys for a user in SNMPv3. In this scenario, user u4 will update the authentication keys for user u8. Both users u4 and u8 have already had authentication keys created based on password defaultpassword and IP address 9.3.149.49, and everything is working.
During this scenario, new keys will be created for user u8 and the /etc/snmpdv3.conf file will be dynamically updated. The authentication key for user u8 in the manager side's /etc/clsnmp.conf file will then need to be manually edited to reflect the new keys.
Make a backup of the /etc/snmpdv3.conf file on the SNMP agent and a backup of the /etc/clsnmp.conf file on the SNMP manager before you start this procedure.
Below is the /etc/snmpdv3.conf file that will be dynamically updated:
USM_USER u4 - HMAC-MD5 18a2c7b78f3df552367383eef9db2e9f - - N -
USM_USER u8 - HMAC-SHA 754ebf6ab740556be9f0930b2a2256ca40e76ef9 - - N -
VACM_GROUP group1 SNMPv1 public -
VACM_GROUP group2 USM u4 -
VACM_GROUP group2 USM u8 -
VACM_VIEW defaultView internet - included -
VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView -
VACM_ACCESS group2 - - noAuthNoPriv USM defaultView defaultView defaultView -
VACM_ACCESS group2 - - AuthNoPriv USM defaultView defaultView defaultView -
VACM_ACCESS group2 - - AuthPriv USM defaultView defaultView defaultView -
NOTIFY notify1 traptag trap -
TARGET_ADDRESS Target1 UDP 127.0.0.1 traptag trapparms1 - - -
TARGET_ADDRESS Target2 UDP 9.3.149.49 traptag trapparms2 - - -
TARGET_ADDRESS Target3 UDP 9.3.149.49 traptag trapparms3 - - -
TARGET_ADDRESS Target4 UDP 9.3.149.49 traptag trapparms4 - - -
TARGET_PARAMETERS trapparms1 SNMPv1 SNMPv1 public noAuthNoPriv -
TARGET_PARAMETERS trapparms3 SNMPv2c SNMPv2c publicv2c noAuthNoPriv -
TARGET_PARAMETERS trapparms4 SNMPv3 USM u4 AuthNoPriv -
Below is the /etc/clsnmp.conf file that will be updated for user u8:
testu4 9.3.149.49 snmpv3 u4 - - AuthNoPriv HMAC-MD5 18a2c7b78f3df552367383eef9db2e9f - -
testu8 9.3.149.49 snmpv3 u8 - - AuthNoPriv HMAC-SHA 754ebf6ab740556be9f0930b2a2256ca40e76ef9 - -
Follow these steps to update your password and authentication keys.
pwchange -u auth -p HMAC-SHA defaultpassword newpassword 9.3.149.49
This command will generate a new authentication key.
This command produced the following output:
Dump of 40 byte HMAC-SHA authKey keyChange value:
8173701d7c00913af002a3379d4b150a
f9566f56a4dbde21dd778bb166a86249
4aa3a477e3b96e7d
You will use this authentication key in the next step.
clsnmp -h testu4 set usmUserAuthKeyChange.12.0.0.0.2.0.0.0.0.9.3.149.49.2.117.56 \'8173701d7c00913af002a3379d4b150af9566f56a4dbde21dd778bb166a862494aa3a477e3b96e7d\'h
The engine ID must be converted from hexadecimal values to decimal values before it can be used here. Each pair of hexadecimal digits in the engine ID converts to one decimal value. For example, engine ID 000000020000000009039531 is read as 00 00 00 02 00 00 00 00 09 03 95 31. Converting each of those numbers to decimal gives 0.0.0.2.0.0.0.0.9.3.149.49 (for a conversion table, see Appendix B. Conversion Table). The first number in the string is the number of bytes in the decimal string. In this case, it is 12, resulting in 12.0.0.0.2.0.0.0.0.9.3.149.49.
The next number is the number of bytes in the user name, followed by the decimal values for the user name itself. In this case, the user name is u8. When converted to decimal values, u8 becomes 117.56. Because the user name is 2 bytes long, the value representing the user name becomes 2.117.56. Add that to the end of the decimal engine ID (for a conversion table, see Appendix B. Conversion Table).
In this case, the result is 12.0.0.0.2.0.0.0.0.9.3.149.49.2.117.56.
Using usmUserOwnAuthKeyChange instead of usmUserAuthKeyChange will allow a user to change his or her own authentication key. For example, user u4 could change its own authentication key using usmUserOwnAuthKeyChange.
The output of the command follows:
1.3.6.1.6.3.15.1.2.2.1.6.12.0.0.0.2.0.0.0.0.9.3.149.49.2.117.56 = '8173701d7c00913af002a3379d4b150af9566f56a4dbde21dd778bb166a862494aa3a477e3b96e7d'h
After this command is completed, the /etc/snmpdv3.conf file will be automatically updated after five minutes on the SNMP agent side. You can also stop and start the SNMP daemon to update the file. The following entry for user u8 will be dynamically updated in the /etc/snmpdv3.conf file:
USM_USER u8 000000020000000009039531 HMAC-SHA 4be657b3ae92beee322ee5eaeef665b338caf2d9 None - L nonVolatile
pwtokey -u auth -p HMAC-SHA newpassword 9.3.149.49
The result gives the localized and non-localized authentication keys:
Display of 20 byte HMAC-SHA authKey:
79ce23370c820332a7f2c7840c3439d12826c10d
Display of 20 byte HMAC-SHA localized authKey:
b07086b278163a4b873aace53a1a9ca250913f91
testu8 9.3.149.49 snmpv3 u8 - - AuthNoPriv HMAC-SHA 79ce23370c820332a7f2c7840c3439d12826c10d - -
Save and close the file.
clsnmp -v -h testu8 walk mib
where mib is a MIB variable to which user u8 has read access. In this case, user u8 has access to internet.
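The instance index that follows usmUserAuthKeyChange in the set command is easy to get wrong when converted by hand. The sh functions below are an added example, not part of the original procedure or of the AIX tools; the names usm_index and usm_index_decode are hypothetical, and ASCII user names are assumed. usm_index_decode reverses the conversion for an OID such as the one in the command output, so you can confirm which engine ID and user a key change addressed.

```sh
#!/bin/sh
# Added example: build and decode the USM instance index used with
# usmUserAuthKeyChange. Function names are hypothetical; ASCII user names assumed.

USM_AUTHKEYCHANGE=1.3.6.1.6.3.15.1.2.2.1.6   # column OID shown in the command output

# usm_index ENGINE_ID_HEX USER -> <n>.<engine ID bytes>.<m>.<user name bytes>
usm_index() {
    hex=$1 user=$2
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "engine ID must be hexadecimal" >&2; return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd number of hex digits" >&2; return 1; }
    out=$(( ${#hex} / 2 ))                 # leading byte count of the engine ID
    while [ -n "$hex" ]; do
        rest=${hex#??}; byte=${hex%"$rest"}
        out=$out.$(( 0x$byte ))            # two hex digits -> one decimal value
        hex=$rest
    done
    out=$out.${#user}                      # byte count of the user name
    while [ -n "$user" ]; do
        rest=${user#?}; ch=${user%"$rest"}
        out=$out.$(printf '%d' "'$ch")     # character -> decimal code
        user=$rest
    done
    printf '%s\n' "$out"
}

# usm_index_decode OID_OR_INDEX -> "<engine ID hex> <user name>"
usm_index_decode() {
    idx=${1#"$USM_AUTHKEYCHANGE".}         # accept the full OID or the bare index
    oldifs=$IFS; IFS=.; set -- $idx; IFS=$oldifs
    [ "$#" -ge 3 ] || { echo "index too short" >&2; return 1; }
    n=$1; shift
    [ "$#" -gt "$n" ] 2>/dev/null || { echo "truncated engine ID" >&2; return 1; }
    hex=
    while [ "$n" -gt 0 ]; do
        hex=$hex$(printf '%02x' "$1"); shift; n=$(( n - 1 ))
    done
    n=$1; shift
    [ "$#" -eq "$n" ] 2>/dev/null || { echo "user name length mismatch" >&2; return 1; }
    name=
    while [ "$#" -gt 0 ]; do
        name=$name$(printf "\\$(printf '%03o' "$1")"); shift
    done
    printf '%s %s\n' "$hex" "$name"
}

usm_index 000000020000000009039531 u8      # engine ID and user from this scenario
```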