System Management Guide: Communications and Networks

SNMPv3 User Keys

Authentication Keys

Authentication is generally required for SNMPv3 requests to be processed (unless the security level requested is noAuth). When authenticating a request, the SNMP agent verifies that the authentication key sent in an SNMPv3 request can be used to create a message digest that matches the message digest created from the authentication key defined by the user.

When a request is issued from the SNMP manager, the clsnmp command uses the authentication key found on an entry in the /etc/clsnmp.conf file on the SNMP manager. It needs to correlate with the authentication key specified on a USM_USER entry for that user in the SNMP agent's /etc/snmpdv3.conf file. Authentication keys are generated using the pwtokey command.

The authentication key is generated from two pieces of information:

• The specified password
• The identification of the SNMP agent at which the key will be used. If the agent is an IBM agent, and its engineID was generated using the vendor-specific engineID formula, the agent may be identified by IP address or hostname. Otherwise, the engineID must be provided as the agent identification.

A key that incorporates the identification of the agent at which it will be used is called a localized key. It can be used only at that agent. A key that does not incorporate the engineID of the agent at which it will be used is called non-localized.

Keys stored in the clsnmp command's configuration file, /etc/clsnmp.conf, are expected to be non-localized keys. Keys stored in the SNMP agent's configuration file, /etc/snmpdv3.conf, can be either localized or non-localized, though using localized keys is considered more secure.

As an alternative to storing authentication keys in the client configuration file, the clsnmp command allows user passwords to be stored. If the clsnmp command is configured with a password, the code generates an authentication key (and a privacy key if requested, and if the encrypted version is installed) for the user. These keys must produce the same authentication values as the keys configured for the USM_USER in the agent's /etc/snmpdv3.conf file or configured dynamically with the SNMP SET commands. However, the use of passwords in the client configuration file is considered less secure that the use of keys in the configuration file.

Privacy Keys

Encryption is available as a separate product on the AIX Expansion Pack where export laws allow. Keys used for encryption are generated using the same algorithms as those used for authentication. However, key lengths may differ. For example, an HMAC-SHA authentication key is 20 bytes long, but a localized encryption key used with HMAC-SHA is only 16 bytes long.

The encrypted version is automatically activated after installation. To switch back to the non-encrypted version, use the snmpv3_ssw command.

Generating Keys

AIX uses the pwtokey command to generate authentication and, when applicable, privacy keys. The pwtokey command enables the conversion of passwords into localized and non-localized authentication and privacy keys. The pwtokey procedure takes a password and an identifier as the agent and generates authentication and privacy keys. Because the procedure used by the pwtokey command is the same algorithm used by the clsnmp command, the person configuring the SNMP agent can generate appropriate authentication (and privacy) keys to put into the /etc/clsnmp.conf file on the SNMP manager for a user, given a particular password and the IP address at which the target will run on.

Once you have generated the authentication keys (and privacy keys if you are running the encrypted version), you will need to enter those keys in the the /etc/snmpdv3.conf file on the SNMP agent and in the /etc/clsnmp.conf file on the SNMP manager.

In SNMPv3, there are nine possible user configurations. Each possible configuration, along with an example of each, is given below. These particular keys were generated using defaultpassword for the password and 9.3.149.49 as the IP address. The following command was used:

pwtokey -u all -p all defaultpassword 9.3.149.49

The following authentication and privacy keys were generated:

Display of 16 byte HMAC-MD5 authKey:          
  18a2c7b78f3df552367383eef9db2e9f            
                                              
Display of 16 byte HMAC-MD5 localized authKey:
  a59fa9783c04bcbe00359fb1e181a4b4            
                                              
Display of 16 byte HMAC-MD5 privKey:          
  18a2c7b78f3df552367383eef9db2e9f            
                                              
Display of 16 byte HMAC-MD5 localized privKey:
  a59fa9783c04bcbe00359fb1e181a4b4            
                                              
Display of 20 byte HMAC-SHA authKey:          
  754ebf6ab740556be9f0930b2a2256ca40e76ef9    
                                              
Display of 20 byte HMAC-SHA localized authKey:
  cd988a098b4b627a0e8adc24b8f8cd02550463e3    
                                              
Display of 20 byte HMAC-SHA privKey:          
  754ebf6ab740556be9f0930b2a2256ca40e76ef9    
                                              
Display of 16 byte HMAC-SHA localized privKey:
  cd988a098b4b627a0e8adc24b8f8cd02            

These entries would appear in the /etc/snmpdv3.conf file. The following nine configurations are possible:

• Localized authentication and privacy keys using the HMAC-MD5 protocol:

  USM_USER user1 - HMAC-MD5 a59fa9783c04bcbe00359fb1e181a4b4 DES a59fa9783c04bcbe00359fb1e181a4b4 L - -

• Non-localized authentication and privacy keys using the HMAC-MD5 protocol:

  USM_USER user2 - HMAC-MD5 18a2c7b78f3df552367383eef9db2e9f DES 18a2c7b78f3df552367383eef9db2e9f N  - -

• Localized authentication key using the HMAC-MD5 protocol:

  USM_USER user3 - HMAC-MD5 a59fa9783c04bcbe00359fb1e181a4b4 - - L - 

• Non-localized authentication key using the HMAC-MD5 protocol:

  USM_USER user4 - HMAC-MD5 18a2c7b78f3df552367383eef9db2e9f - - N - 

• Localized authentication and privacy keys using the HMAC-SHA protocol:

  USM_USER user5 - HMAC-SHA cd988a098b4b627a0e8adc24b8f8cd02550463e3 DES cd988a098b4b627a0e8adc24b8f8cd02 L -

• Non-localized authentication and privacy keys using the HMAC-SHA protocol:

  USM_USER user6 - HMAC-SHA 754ebf6ab740556be9f0930b2a2256ca40e76ef9 DES 754ebf6ab740556be9f0930b2a2256ca40e76ef9 N - 

• Localized authentication key using the HMAC-SHA protocol:

  USM_USER user7 - HMAC-SHA cd988a098b4b627a0e8adc24b8f8cd02550463e3 - - L - 

• Non-localized authentication key using the HMAC-SHA protocol:

  USM_USER user8 - HMAC-SHA 754ebf6ab740556be9f0930b2a2256ca40e76ef9 - - N - 

• Neither authentication nor privacy keys used (SNMPv1)

  USM_USER user9 - none - none - - -

Configuring users in SNMPv3 requires configuration of both the /etc/snmpdv3.conf file and the /etc/clsnmp.conf file. For a scenario on generating user keys and editing the necessary configuration files, see Create Users in SNMPv3. In addition, see the command descriptions for the pwtokey and clsnmp commands in AIX 5L Version 5.2 Commands Reference, and the file formats for the /etc/clsnmp.conf and /etc/snmpdv3.conf files in AIX 5L Version 5.2 Files Reference. You can also refer to the sample snmpdv3.conf and clsnmp.conf configuration files located in the /usr/samples/snmpdv3 directory.

Updating Keys

SNMPv3 offers the capability of updating user keys based on new passwords dynamically. This is done by using the pwchange command to generate new user keys based on an updated password, using the clsnmp command to dynamically update the user key in the /etc/snmpdv3.conf file, and editing the /etc/clsnmp.conf file with the new keys. During this process, the new password is never communicated between machines.

For step-by-step instructions on updating user keys, see Dynamically update authentication and privacy keys in SNMPv3. In addition, refer to the pwchange and clsnmp command descriptions in AIX 5L Version 5.2 Commands Reference and the /etc/clsnmp.conf and /etc/snmpdv3.conf file formats in AIX 5L Version 5.2 Files Reference