This scenario shows a typical migration from SNMPv1 to SNMPv3.
In AIX 5.2, the default SNMP agent running at system boot time is the non-encrypted version of SNMPv3. SNMPv3 uses the /etc/snmpdv3.conf file as its configuration file. Any parameters that you had configured in the /etc/snmpd.conf file, which is used by SNMPv1 in AIX 5.1 and earlier, will need to be manually migrated to the /etc/snmpdv3.conf file.
In this scenario, the communities and traps that were configured in the /etc/snmpd.conf file will be migrated to the /etc/snmpdv3.conf file. By the end of the scenario, SNMPv3 will provide identical functionality that SNMPv1 offered. If you did not configure any of your own SNMPv1 communities or traps, there is no need for you to complete this procedure.
This file does not contain any information about features available in SNMPv3. For information about creating users using SNMPv3 features not available in SNMPv1, see Create Users in SNMPv3.
The following file is the example /etc/snmpd.conf file that is going to be migrated. The following communities are configured: daniel, vasu, and david. These communities must be migrated manually.
logging file=/usr/tmp/snmpd.log enabled logging size=0 level=0 community daniel 0.0.0.0 0.0.0.0 readWrite 1.17.35 community vasu 9.3.149.49 255.255.255.255 readOnly 10.3.5 community david 9.53.150.67 255.255.255.255 readWrite 1.17.35 view 1.17.35 udp icmp snmp 1.3.6.1.2.1.25 view 10.3.5 system interfaces tcp icmp trap daniel 9.3.149.49 1.17.35 fe trap vasu 9.3.149.49 10.3.5 fe trap david 9.53.150.67 1.17.35 fe smux 1.3.6.1.4.1.2.3.1.2.3.1.1 sampled_password # sampled
To complete the steps in this scenario, refer to your /etc/snmpd.conf file. Have a copy of that file ready when you start this procedure.
The community names in the /etc/snmpd.conf file become part of the VACM_GROUP entries in the /etc/snmpdv3.conf file. Each community must be placed in a group. You will then give the groups the view and access permissions needed.
#-------------------------------------------------------------------- # VACM_GROUP entries # Defines a security group (made up of users or communities) # for the View-based Access Control Model (VACM). # Format is: # groupName securityModel securityName storageType VACM_GROUP group2 SNMPv1 vasu - VACM_GROUP group3 SNMPv1 daniel - VACM_GROUP group3 SNMPv1 david - #--------------------------------------------------------------------
The communities are now placed in groups.
The view information in the /etc/snmpd.conf file will become COMMUNITY, VACM_VIEW, and VACM_ACCESS entries in the /etc/snmpdv3.conf file. These entries will determine the view and access permissions for each group.
#------------------------------------------------------------------------ # COMMUNITY # Defines a community for community-based security. # Format is: # communityName securityName securityLevel netAddr netMask storageType COMMUNITY public public noAuthNoPriv 0.0.0.0 0.0.0.0 - COMMUNITY daniel daniel noAuthNoPriv 0.0.0.0 0.0.0.0 - COMMUNITY vasu vasu noAuthNoPriv 9.3.149.49 255.255.255.255 - COMMUNITY david david noAuthNoPriv 9.53.150.67 255.255.255.255 - #------------------------------------------------------------------------
#-------------------------------------------------------------------- # VACM_VIEW entries # Defines a particular set of MIB data, called a view, for the # View-based Access Control Model. # Format is: # viewName viewSubtree viewMask viewType storageType VACM_VIEW group2View system - included - VACM_VIEW group2View interfaces - included - VACM_VIEW group2View tcp - included - VACM_VIEW group2View icmp - included - VACM_VIEW group3View udp - included - VACM_VIEW group3View icmp - included - VACM_VIEW group3View snmp - included - VACM_VIEW group3View 1.3.6.1.2.1.25 - included - #---------------------------------------------------------------------
Define these permissions by adding VACM_ACCESS entries. In this scenario, we gave group2 (vasu) the group2View for readView, but gave it - for writeView because vasu had readOnly in the /etc/snmpd.conf file. We gave group3 (daniel and david) the group3View for both readView and writeView because those groups had readWrite access in /etc/snmpd.conf. See the following example.
#----------------------------------------------------------------------------------------------------------- # VACM_ACCESS entries # Identifies the access permitted to different security groups # for the View-based Access Control Model. # Format is: # groupName contextPrefix contextMatch securityLevel securityModel readView writeView notifyView storageType VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView - VACM_ACCESS group2 - - noAuthNoPriv SNMPv1 group2View - group2View - VACM_ACCESS group3 - - noAuthNoPriv SNMPv1 group3View group3View group3View - #-----------------------------------------------------------------------------------------------------------
The trap entries in the /etc/snmpd.conf file will become the NOTIFY, TARGET_ADDRESS, and TARGET_PARAMETERS entries in the /etc/snmpdv3.conf file. However, only the TARGET_ADDRESS and TARGET_PARAMETERS will need to be migrated.
#------------------------------------------------------------------------------------- # TARGET_ADDRESS # Defines a management application's address and parameters # to be used in sending notifications. # Format is: # targetAddrName tDomain tAddress tagList targetParams timeout retryCount storageType TARGET_ADDRESS Target1 UDP 127.0.0.1 traptag trapparms1 - - - TARGET_ADDRESS Target2 UDP 9.3.149.49 traptag trapparms2 - - - TARGET_ADDRESS Target3 UDP 9.3.149.49 traptag trapparms3 - - - TARGET_ADDRESS Target4 UDP 9.53.150.67 traptag trapparms4 - - - #-------------------------------------------------------------------------------------
#-------------------------------------------------------------------------- # TARGET_PARAMETERS # Defines the message processing and security parameters # to be used in sending notifications to a particular management target. # Format is: # paramsName mpModel securityModel securityName securityLevel storageType TARGET_PARAMETERS trapparms1 SNMPv1 SNMPv1 public noAuthNoPriv - TARGET_PARAMETERS trapparms2 SNMPv1 SNMPv1 daniel noAuthNoPriv - TARGET_PARAMETERS trapparms3 SNMPv1 SNMPv1 vasu noAuthNoPriv - TARGET_PARAMETERS trapparms4 SNMPv1 SNMPv1 david noAuthNoPriv - #--------------------------------------------------------------------------
If you have smux information that you need to migrate, you can copy those lines directly into the new file. In this scenario, the sampled smux entry was configured in the /etc/snmpd.conf file. That line must be copied to the /etc/snmpdv3.conf file.
#-------------------------------------------------------------------------------------------- # smux <client OIdentifier> <password> <address> <netmask> smux 1.3.6.1.4.1.2.3.1.2.3.1.1 sampled_password # sampled #--------------------------------------------------------------------------------------------
After the migration of the /etc/snmpd.conf file to the /etc/snmpdv3.conf file is complete, stop and then start the snmpd daemon. You will need to stop and start the snmpd daemon each time you make changes to the /etc/snmpdv3.conf file.
stopsrc -s snmpd
startsrc -s snmpd