
Files Reference

snmpdv3.conf File

Purpose

Defines a sample configuration file for the snmpdv3 agent.

Description

An entry must be contained on one line (that is, the newline character is treated as the end of an entry). All of the entry definitions require that every field on the entry is specified, either with a specific value or with a dash (-) to denote the default value. If an error is detected while processing an entry and no appropriate default value can be assumed, the entry is discarded. Statements in the file are not order-dependent. However, if more than one DEFAULT_SECURITY statement is found, the last one in the file is the one that is used.

General Usage Rules

Comments may be entered in the snmpdv3.conf file, with the following restrictions:

USM_USER entries
Defines a user for the User-based Security Model (USM). Format is:
userName engineID authProto authKey privProto privKey keyType storageType
where
userName
Indicates the name of the user for the User-based Security Model (USM) and must be unique to the SNMP agent. The userName is used as the security name for the User-based Security Model. The contents of this field will be used as the securityName value for other entries (such as the VACM_GROUP entry) when the securityModel is USM. Valid value is:
  • An octet string of 1 to 32 octets (characters).
There is no default value.
engineID
Indicates the engineID of the authoritative side of the message. The engineID for the AIX SNMP agent is determined at agent initialization. It is either read in from the SNMPD.BOOTS file or it is generated automatically and stored in the SNMPD.BOOTS file. It can be retrieved dynamically by issuing a get request for object snmpEngineID. For get, getbulk, set, response, and trap messages, the authoritative side is the SNMP agent. For inform messages, the authoritative side is the notification receiver.
Note
AIX will not support informs. engineID is defined in RFC 2271.
Valid values are:
  • An octet string of 1 to 32 octets (2 to 64 hex digits).
  • A '-' (dash) indicates the default value.
The default value is the local SNMP agent's engineID.
authProto
Indicates the authentication protocol to be used on authenticated messages on behalf of this user. Valid values are:
  • HMAC-MD5 - indicates HMAC-MD5.
  • HMAC-SHA - indicates HMAC-SHA.
  • none - indicates no authentication is to be done.
  • '-' (dash) - indicates the default value.
The default value is HMAC-MD5 (if an authentication key is specified; if no authentication key is specified, no authentication can be done for messages to/from this user).
authKey
Indicates the authentication key to be used in authenticating messages on behalf of this user. This field will be ignored when authProto is specified as none. The keyType field will indicate whether the key is localized or non-localized. Valid values are:
  • An octet string of 16 bytes (32 hex digits) when authProto is HMAC-MD5.
  • An octet string of 20 bytes (40 hex digits) when authProto is HMAC-SHA.
  • A '-' (dash) indicates the default.
The default value is no key, indicating no authentication.
privProto
Indicates the privacy protocol to be used on encrypted messages on behalf of this user. Privacy can be requested only if authentication is also requested. If authentication is not requested, this field is ignored. Valid values are:
  • DES - indicates CBC-DES (only with the additional encryption product).
  • none - indicates no privacy.
  • A '-' (dash) indicates default.
The default value is no privacy. No encryption will be done on messages to/from this user.
privKey
The privacy key to be used in authenticating messages to and from this user. This field will be ignored when privProto is specified or defaulted as none. The keyType field will indicate whether the key is localized or non-localized. Privacy can be requested only if authentication is also requested. If authentication is not requested, this field is ignored. The privacy key and the authentication key are assumed to have been generated using the same authentication protocol (HMAC-MD5 or HMAC-SHA). Valid values are:
  • An octet string of 16 bytes (32 hex digits) if the key is localized or if the key is non-localized and the authProto is HMAC-MD5.
  • An octet string of 20 bytes (40 hex digits) if the key is non-localized and the authProto is HMAC-SHA.
  • The '-' (dash) indicates default.
Default value is no key, indicating no encryption.
keyType
Indicates whether the keys defined by authKey and privKey are localized or non-localized. Localized indicates that they have been generated with the appropriate engineID making the key usable only at one snmpEngine. Non-localized indicates the key may be used at different snmpEngines. The authKey and privKey, if both are specified, must both be localized or both be non-localized. This field is ignored if no authentication or privacy is requested. Valid values are:
  • L - indicates keys are localized.
  • N - indicates keys are non-localized.
  • '-' (dash) - indicates default.
Default value is localized.
storageType
Indicates the type of storage in which this definition is to be maintained. StorageTypes are defined in RFC1903. Valid values are:
  • nonVolatile - indicates the entry definition will persist across reboots of the SNMP agent, but it can, however, be changed or even deleted by dynamic configuration requests.
  • permanent - indicates the entry definition will persist across reboots of the SNMP agent; it can be changed but not deleted by dynamic configuration requests.
  • readOnly - indicates the entry definition will persist across reboots of the SNMP agent; it cannot be changed or deleted by dynamic configuration requests. readOnly is not permitted if the authentication protocol is not 'none' (because keys must be changeable per the RFC 2274 definition of usmUserStorageType).
  • '-' (dash) - indicates default.
Default value is non-volatile.
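The USM_USER rules above interact in ways that are easy to get wrong by hand: the authKey length depends on authProto, the privKey length depends on both keyType and authProto, privacy is silently ignored without authentication, and readOnly storage is rejected once an authentication protocol is in use. The following is an added example, not code from AIX or the snmpdv3 agent, that applies those rules to single USM_USER lines and resolves the '-' defaults as the description states. The sample entries and hex keys are constructed placeholders.

```python
import re

# Added example (not AIX code): check one USM_USER line against the field rules
# in this reference, resolving '-' defaults the way the description states.
# Entry strings at the bottom are constructed; the hex keys are placeholders.

AUTH_KEY_HEX_DIGITS = {"HMAC-MD5": 32, "HMAC-SHA": 40}   # 16 and 20 bytes
STORAGE_TYPES = {"nonvolatile": "nonVolatile", "permanent": "permanent", "readonly": "readOnly"}


def _hex_digits(value, min_digits, max_digits):
    """True if value is an even-length hex string with a digit count in range."""
    return (re.fullmatch(r"[0-9A-Fa-f]+", value) is not None
            and len(value) % 2 == 0
            and min_digits <= len(value) <= max_digits)


def validate_usm_user(line):
    """Return (resolved_fields, problems) for one USM_USER entry.

    resolved_fields has the '-' defaults filled in; problems is empty when the
    entry is acceptable. Rules mirror the authKey/privKey/keyType/storageType
    descriptions (privacy needs authentication, readOnly needs authProto none).
    """
    fields = line.split()
    if len(fields) != 9 or fields[0] != "USM_USER":
        return None, ["USM_USER needs exactly eight fields after the keyword"]
    _, user, engine, auth_proto, auth_key, priv_proto, priv_key, key_type, storage = fields
    problems = []

    if not 1 <= len(user) <= 32:
        problems.append("userName must be 1 to 32 characters")
    if engine != "-" and not _hex_digits(engine, 2, 64):
        problems.append("engineID must be 2 to 64 hex digits or '-'")

    # authProto defaults to HMAC-MD5 only when a key is given; no key means no auth
    if auth_proto == "-":
        auth_proto = "HMAC-MD5" if auth_key != "-" else "none"
    if auth_proto not in AUTH_KEY_HEX_DIGITS and auth_proto != "none":
        problems.append(f"unknown authProto {auth_proto!r}")
    authenticated = auth_proto in AUTH_KEY_HEX_DIGITS and auth_key != "-"
    if authenticated:
        need = AUTH_KEY_HEX_DIGITS[auth_proto]
        if not _hex_digits(auth_key, need, need):
            problems.append(f"authKey for {auth_proto} must be exactly {need} hex digits")

    priv_proto = "none" if priv_proto == "-" else priv_proto
    if priv_proto not in ("DES", "none"):
        problems.append(f"unknown privProto {priv_proto!r}")
    key_type = "L" if key_type == "-" else key_type
    if key_type not in ("L", "N"):
        problems.append("keyType must be L, N or '-'")

    if priv_proto == "DES" and not authenticated:
        problems.append("privacy requires authentication; privProto/privKey would be ignored")
    elif priv_proto == "DES" and priv_key != "-":
        # localized keys are always 16 bytes; non-localized keys follow the auth protocol
        need = 32 if (key_type == "L" or auth_proto == "HMAC-MD5") else 40
        if not _hex_digits(priv_key, need, need):
            problems.append(f"privKey must be {need} hex digits for keyType {key_type} with {auth_proto}")

    storage = "nonVolatile" if storage == "-" else STORAGE_TYPES.get(storage.lower(), storage)
    if storage not in STORAGE_TYPES.values():
        problems.append(f"unknown storageType {storage!r}")
    elif storage == "readOnly" and authenticated:
        problems.append("readOnly storage is not permitted when an authentication protocol is in use")

    resolved = dict(userName=user, engineID=engine, authProto=auth_proto, authKey=auth_key,
                    privProto=priv_proto, privKey=priv_key, keyType=key_type, storageType=storage)
    return resolved, problems


# Constructed sample entries (keys are placeholder hex, not real secrets)
MD5_KEY = "00112233445566778899aabbccddeeff"            # 32 hex digits
SHA_KEY = "00112233445566778899aabbccddeeff00112233"    # 40 hex digits
SAMPLE_ENTRIES = [
    f"USM_USER opsmon - HMAC-SHA {SHA_KEY} DES {MD5_KEY} L nonVolatile",  # valid
    f"USM_USER opsmon - HMAC-SHA {SHA_KEY} DES {MD5_KEY} N permanent",    # non-localized privKey too short
    f"USM_USER legacy - HMAC-MD5 {MD5_KEY} none - - readOnly",            # readOnly with authentication
    f"USM_USER noauth - none - DES {MD5_KEY} - -",                         # privacy without authentication
    f"USM_USER short - HMAC-MD5 {SHA_KEY} - - - -",                        # wrong authKey length for MD5
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        resolved, problems = validate_usm_user(entry)
        print(entry.split()[1], "OK" if not problems else problems)
```

Running the validator over a file before restarting the agent catches the cases the agent would otherwise handle by silently discarding the entry, which for a USM user means the monitoring station simply stops being able to authenticate.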
VACM_GROUP entries
Defines a security group (made up of users or communities) for the View-based Access Control Model (VACM). Format is:
groupName securityModel securityName storageType
where:
groupName
Indicates the group name for the View-based Access Control Model (VACM) and must be unique to the SNMP agent. Valid value is:
  • An octet string of 1 to 32 octets (characters).
There is no default value.
securityModel
Indicates the SNMP security model for this entry. When an SNMP message comes in, the securityModel together with the securityName are used to determine to which group the user (or community) represented by the securityName belongs. Valid values are:
  • SNMPv1 - indicates community-based security using SNMPv1 message processing.
  • SNMPv2c - indicates community-based security using SNMPv2c message processing.
  • USM - indicates User-based Security Model.
  • A '-' (dash) - indicates default.
The default value is USM.
securityName
Indicates a member of this group. For community-based security, it will be a community name. For the User-based Security Model, it will be a user name. Valid values are:
  • An octet string of 1 to 32 octets (characters) indicating a USM userName when securityModel is USM.
  • An octet string of 1 to 32 octets (characters) indicating a community Name when securityModel is 'SNMPv1' or 'SNMPv2c'.
There is no default value.
storageType
As defined above on the USM_USER definition.
VACM_VIEW entries
Defines a particular set of MIB data, called a view, for the View-based Access Control Model. Format is:
viewName viewSubtree viewMask viewType storageType
where:
viewName
Indicates the textual name of the view for the View-based Access Control Model. View names do not need to be unique. Multiple entries with the same name together define one view. However, the viewname, together with the subtree object ID, must be unique to an SNMP engine. Valid values are:
  • An octet string of 1 to 32 octets (characters).
There is no default value.
viewSubtree
Indicates the MIB object prefix of the MIB objects in the view. Valid values are:
  • An object id of up to 128 sub-OIDs.
  • A textual object name (or object prefix).
  • A combination of textual object name followed by numeric sub-OIDs. The name must be found within the compiled MIB or in the logical extension to the MIB, the MIBS.DATA file.
There is no default value.
viewMask
Indicates a mask that specifies which of the sub-OIDs in the subtree are relevant. See RFC2275 for a definition of the viewMask. Valid values are:
  • A hex string of up to 16 octets (up to 128 bits) where each bit indicates whether or not the corresponding sub-OID in the subtree is relevant.
  • A '-' (dash) - indicates default.
The default value is a mask of all (meaning all sub-OIDs are relevant).
viewType
Indicates the type of the view definition. Valid values are:
  • included - indicating the MIB objects identified by this view definition are within the view.
  • excluded - indicating the MIB objects identified by this view definition are excluded from the view.
  • A '-' (dash) - indicates default.
The default value is included.
storageType
As defined above on the USM_USER definition.
VACM_ACCESS entries
Identifies the access permitted to different security groups for the View-based Access Control Model. Format is:
groupName contextPrefix contextMatch securityLevel securityModel readView writeView notifyView storageType
where:
groupName
Indicates the group name for the View-based Access Control Model (VACM) for which access is being defined. Valid values are:
  • An octet string of 1 to 32 octets (characters).
There is no default value.
contextPrefix
Indicates an octet string to be compared with the incoming contextName if the value specified for the contextMatch field is prefix. Note, however, that the SNMP agent in AIX supports MIB objects in only the local (null) context. Valid values are:
  • An octet string of 1 to 32 octets (characters).
  • A '-' (dash) - indicates default.
The default value is the null context ("").
contextMatch
Indicates whether the incoming contextName must be compared with (and match exactly) the entire contextName or whether only the first part of the contextName (up to the length of the indicated value of the contextPrefix) must match. Valid values are:
  • exact - indicates entire contextName must match.
  • prefix - indicates only the prefix of the contextName must match.
  • A '-' (dash) - indicates the default.
The default value is exact.
securityLevel
Indicates the securityLevel for this entry. Used in determining which access table entry to use. Valid values are:
  • noAuthNoPriv or 'none' - indicates no authentication or privacy protocols applied.
  • AuthNoPriv or 'auth' - indicates authentication protocols applied but no privacy protocol is applied.
  • AuthPriv or 'priv' - indicates both authentication and privacy protocols applied (If the additional encryption pack is not applied, this level can be configured but cannot actually be used).
  • A '-' (dash) - indicates default.
The default value is noAuthNoPriv.
securityModel
Indicates the SNMP security model for this entry. Used in determining which access table entry to use. Valid values are:
  • SNMPv1 - indicates community-based security using SNMPv1 message processing.
  • SNMPv2c - indicates community-based security using SNMPv2c message processing.
  • USM - indicates User-based Security Model.
  • A '-' (dash) - indicates default.
The default value is USM.
readView
Indicates the name of the view to be applied when read operations (get, getnext, getbulk) are performed under control of this entry in the access table. Valid values are:
  • An octet string of 1 to 32 octets (characters) identifying a view defined by a VACM_VIEW definition.
  • A '-' (dash) - indicates default.
The default value is no view; no readView defined for members of this group.
writeView
Indicates the name of the view to be applied when write operations (set) are performed under control of this entry in the access table. Valid values are:
  • An octet string of 1 to 32 octets (characters) identifying a view defined by a VACM_VIEW definition.
  • A '-' (dash) - indicates default.
The default value is no view; no writeView defined for members of this group.
notifyView
Indicates the name of the view to be applied when notify operations (traps or informs) are performed under control of this entry in the access table. Valid values are:
  • An octet string of 1 to 32 octets (characters) identifying a view defined by a VACM_VIEW definition.
  • A '-' (dash) - indicates default.
Default value is no view; no notifyView defined for members of this group.
NOTIFY entries
Identifies management targets to receive notifications. Format is:
notifyName tag type storageType
where:
notifyName
Is a locally unique identifier for this notify definition. Valid values are:
  • An octet string of 1 to 32 octets (characters)
There is no default value.
tag
Indicates a tag value to be compared with the values in the tagLists defined in the snmpTargetAddrTable (either on TARGET_ADDRESS entries or via dynamic configuration). For each match of this tag with a value in the tagLists defined in the snmpTargetAddrTable), a notification may be sent. See RFC2273 for a definition of SnmpTagValue. Valid values are:
  • An octet string of 1 to 255 octets (characters). No delimiters are allowed.
  • A '-' indicates the default.
Default value is no tag value.
type
Indicates which type of notification should be generated. Valid values are:
  • trap - an unconfirmed notification; notification sent with trap PDUs.
  • A '-' (dash) - indicates the default.
Default value is trap. Notifications of type inform are not supported on AIX.
TARGET_ADDRESS
Defines a management application's address and parameters to be used in sending notifications. Format is:
targetAddrName tDomain tAddress tagList targetParams timeout retryCount storageType
where:
targetAddrName
Indicates a locally unique identifier for this target address definition. Valid values are:
  • An octet string of 1 to 32 octets (characters).
There is no default value.
tDomain
Indicates the transport type of the address indicated by tAddress. Valid values are:
  • UDP - for UDP datagrams.
  • A '-' (dash) - for the default value.
Default value is UDP.
tAddress
Indicates the transport address to which notifications are sent. Valid values are:
  • A 1- to 21-octet string indicating the IP address and optionally the UDP port.
The form is:
 ip_address:port
IP address must be specified as a.b.c.d where a, b, c and d are in the range of 0 to 255. The port, if specified, must be in the range of 1 to 65535. Example:
9.37.84.48:162
The IP address may not be defaulted, but the port, if not specified, will default to 162.
tagList
Indicates a list of tag values which are used to select target addresses for a notification operation. The AIX implementation will support, via the configuration file, only one tag in a tagList. Because informs are not supported, there is no particular value in supporting multi-tag tagLists. RFC2273 contains the complete definition of SnmpTagList and SnmpTagValue. The AIX implementation accepts as valid values:
  • An octet string of 1 to 255 octets (characters). No delimiters are allowed.
  • '-' indicates the default.
The default value is an empty list.
targetParams
Indicates a TARGET_PARAMETERS paramsName value that indicates which security and message processing is to be used in sending notifications to this target. Valid values are:
  • An octet string of 1 to 32 octets (characters)
There is no default value.
timeout
Indicates the expected maximum round trip time for communicating with this target address (in 1/100ths of a second). timeout is used only for inform type notifications; it is not used for traps. Since only traps are supported on AIX, only the default value is accepted. Valid values are:
  • An integer in the range of (0..2147483647) specifying the number of hundredths of a second for the timeout. Note, however, that this value is not used for notifications of type trap.
  • '-' (dash) indicating the default.
Default value is 0, meaning no timeout value.
retryCount
Indicates the number of retries to be attempted when a response is not received for a generated message. retryCount is used only for inform type notifications; it is not used for traps. Since only traps are supported on AIX, only the default value is accepted. Valid values are:
  • An integer in the range of (0 to 255), indicating the number of retries to be attempted. Note, however, that this value is not used for notifications of type trap.
  • A '-' (dash) indicating the default.
Default value is 0, meaning no retry.
TARGET_PARAMETERS
Defines the message processing and security parameters to be used in sending notifications to a particular management target. Format is:
paramsName mpModel securityModel securityName securityLevel storageType
where:
paramsName
A locally unique identifier for this target parameters definition. Valid values are:
  • An octet string of 1 to 32 octets (characters).
There is no default value.
mpModel
The message processing model to be used in sending notifications to targets with this parameter definition. Valid values are:
  • SNMPv1 - indicates SNMPv1.
  • SNMPv2c - indicates SNMPv2c.
  • SNMPv3 - indicates SNMPv3.
There is no default value.
securityModel
Indicates the security model to be used in sending notifications to targets with this parameter definition. Valid values are:
  • SNMPv1 indicates SNMPv1.
  • SNMPv2c Indicates SNMPv2c.
  • USM indicates User-based Security Model.
There is no default value.
securityName
Identifies the principal (user or community) on whose behalf SNMP messages will be generated using this parameter definition. For community-based security, this would be a community name. For USM, this would be a user name. Valid values are:
  • An octet string of 1 to 32 octets (characters).
There is no default value.
securityLevel
Indicates the security level to be used in sending notifications to targets with this parameter definition. Valid values are:
  • noAuthNoPriv or none - indicates no authentication or privacy protocols applied.
  • AuthNoPriv or auth - indicates authentication protocols applied but no privacy protocol is applied.
  • AuthPriv or priv - indicates both authentication and privacy protocols applied. (If the additional encryption pack is not applied, this level can be configured, but not actually used.)
  • '-' (dash) - indicates default.
Default value is noAuthNoPriv.
COMMUNITY
Defines a community for community-based security. Format is:
communityName securityName securityLevel netAddr netMask storageType
where:
communityName
Indicates a community name for community-based security (SNMPv1 or SNMPv2c). Valid values are:
  • An octet string of 1 to 32 octets (characters).
There is no default value.
securityName
Indicates a securityName defined for this communityName. The securityName is the more generic term for the principal (user or community) for which other entries, such as VACM_GROUP and TARGET_PARAMETERS, are defined. Typically, the securityName would match communityName or, at least, there would be a one-to-one correspondence between securityName and communityName. (Until the community MIB support is implemented, the community name must match the securityName exactly.) Valid values are:
  • An octet string of 1 to 32 octets (characters).
  • '-' (dash) - indicates default.
The default value is securityName equal to the specified communityName.
securityLevel
Indicates the security level to be applied when processing incoming or outgoing messages with this community name.
Note
When the communityMIB is implemented, authNoPriv will also be a valid level of security, but at the moment, it will be rejected because there is no way to store a securityLevel to be associated with a communityName. When that happens, the following will be added to the list of valid values below:
  • authNoPriv or auth - indicates authentication protocols applied.
Note that no additional authentication checking is done by specifying auth. Authentication still involves verifying that the community name is being used by an IP address for which it has been defined and using the views defined for that entry. However, allowing the specification of auth here does allow the system administrator to define a different set of views to be used if the same community name is defined with two different securityNames (each with a different securityLevel).
Valid values are:
  • noAuthNoPriv or none - indicates no authentication or privacy protocols applied.
  • '-' (dash) - indicates default.
Default value is noAuthNoPriv. Encryption is not supported on SNMPv1/SNMPv2c messages.
netAddr
A network IP address in dotted decimal notation indicating the range of addresses for which this community name may be used. Valid values are:
  • A network address in the form of a.b.c.d, where a, b, c and d are in the range of 0 to 255. (Note, not all four octets are required. Also, 255.255.255.255 is not a valid network address.)
There is no default value.
netMask
An IP address mask to be logically ANDed with the origin address of the incoming SNMP message. If the resulting value equals the value specified for netAddr, the incoming message is accepted. Valid values are:
  • A network address in the form of a.b.c.d, where a, b, c and d are in the range of 0 to 255. (Not all four octets are required.)
There is no default value.
storageType
As defined above on the USM_USER definition (Note, until the community MIB is implemented, storage type values other than readOnly will be treated as readOnly; i.e., they cannot be changed dynamically.)
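The entry types above reference each other by name: a VACM_GROUP names a USM_USER or COMMUNITY securityName, a VACM_ACCESS names VACM_VIEW views, a TARGET_ADDRESS names a TARGET_PARAMETERS entry, and a COMMUNITY is accepted only when the source address ANDed with netMask equals netAddr. Because the agent discards malformed entries rather than refusing to start, a dangling reference shows up only as access that silently does not work (or, for a community with a wrong mask, access from more hosts than intended). The following is an added example, not part of AIX or the snmpdv3 agent, that parses a constructed snmpdv3.conf fragment into per-keyword tables, reports dangling references, and implements the COMMUNITY address check. It assumes '#' starts a comment (as in the smux example line later on this page) and that netAddr and netMask are full dotted quads.

```python
import ipaddress

# Added example, not part of AIX or of the snmpdv3 agent: parse a snmpdv3.conf
# fragment into per-keyword tables and check the cross-references described in
# this reference (VACM_GROUP -> USM_USER/COMMUNITY, VACM_ACCESS -> VACM_VIEW,
# TARGET_ADDRESS -> TARGET_PARAMETERS). The file text below is constructed.

SAMPLE_CONF = """\
# constructed snmpdv3.conf fragment; '#' is assumed to start a comment
USM_USER          opsmon    - HMAC-SHA 00112233445566778899aabbccddeeff00112233 none - L nonVolatile
VACM_GROUP        monitors  USM    opsmon  nonVolatile
VACM_GROUP        legacy    SNMPv1 public  nonVolatile
VACM_GROUP        orphan    USM    nobody  nonVolatile
VACM_VIEW         sysonly   system - included nonVolatile
VACM_VIEW         sysonly   snmp   - included nonVolatile
VACM_VIEW         broken    system included nonVolatile
VACM_ACCESS       monitors  - exact auth USM    sysonly - -       nonVolatile
VACM_ACCESS       legacy    - exact none SNMPv1 sysonly - missing nonVolatile
COMMUNITY         public    - noAuthNoPriv 192.0.2.0 255.255.255.0 readOnly
TARGET_PARAMETERS trapsink  SNMPv3 USM opsmon AuthNoPriv nonVolatile
TARGET_ADDRESS    nms1      UDP 192.0.2.10:162 traptag trapsink   - - nonVolatile
TARGET_ADDRESS    nms2      UDP 192.0.2.11:162 traptag notdefined - - nonVolatile
"""

# keyword -> number of fields after the keyword, per the entry formats on this page
FIELD_COUNTS = {"USM_USER": 8, "VACM_GROUP": 4, "VACM_VIEW": 5, "VACM_ACCESS": 9,
                "COMMUNITY": 6, "TARGET_PARAMETERS": 6, "TARGET_ADDRESS": 8}


def parse_conf(text):
    """Return ({keyword: [field lists]}, errors). One entry per line, as the agent requires."""
    tables = {k: [] for k in FIELD_COUNTS}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *fields = line.split()
        if keyword not in FIELD_COUNTS:
            continue                      # entry types not modelled here
        if len(fields) != FIELD_COUNTS[keyword]:
            errors.append(f"line {lineno}: {keyword} needs {FIELD_COUNTS[keyword]} fields, got {len(fields)}")
            continue                      # discarded, as the agent does when no default applies
        tables[keyword].append(fields)
    return tables, errors


def check_references(tables):
    """Report names that other entries rely on but that no entry defines."""
    problems = []
    users = {u[0] for u in tables["USM_USER"]}
    # COMMUNITY securityName defaults to the communityName when given as '-'
    communities = {c[0] if c[1] == "-" else c[1] for c in tables["COMMUNITY"]}
    views = {v[0] for v in tables["VACM_VIEW"]}
    groups = set()
    for name, model, sec_name, _storage in tables["VACM_GROUP"]:
        groups.add(name)
        model = "USM" if model == "-" else model
        known = users if model == "USM" else communities
        if sec_name not in known:
            problems.append(f"VACM_GROUP {name}: securityName {sec_name!r} has no {model} definition")
    for fields in tables["VACM_ACCESS"]:
        group = fields[0]
        if group not in groups:
            problems.append(f"VACM_ACCESS for unknown group {group!r}")
        for role, view in zip(("readView", "writeView", "notifyView"), fields[5:8]):
            if view != "-" and view not in views:
                problems.append(f"VACM_ACCESS {group}: {role} {view!r} is not defined by any VACM_VIEW")
    params = {p[0] for p in tables["TARGET_PARAMETERS"]}
    for fields in tables["TARGET_ADDRESS"]:
        if fields[4] not in params:
            problems.append(f"TARGET_ADDRESS {fields[0]}: targetParams {fields[4]!r} has no TARGET_PARAMETERS entry")
    return problems


def community_accepts(net_addr, net_mask, source_ip):
    """COMMUNITY netAddr/netMask rule: accept when (source AND netMask) == netAddr."""
    src = int(ipaddress.IPv4Address(source_ip))
    mask = int(ipaddress.IPv4Address(net_mask))
    return (src & mask) == int(ipaddress.IPv4Address(net_addr))


if __name__ == "__main__":
    tables, errors = parse_conf(SAMPLE_CONF)
    for e in errors + check_references(tables):
        print(e)
    print(community_accepts("192.0.2.0", "255.255.255.0", "192.0.2.77"))
```

The field-count table is the only piece that has to track this page's formats; the reference checks then fall out of which column holds a name. For a defender the most useful output is the COMMUNITY check: a netMask of 0.0.0.0 with a netAddr of 0.0.0.0 accepts every source address, which is exactly the kind of setting worth flagging during a configuration review.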
DEFAULT_SECURITY
Identifies the default security posture to be configured for the SNMP agent; additional security definitions defined by the use of the preceding eight entry definition types augment any default security configurations defined as a result of the DEFAULT_SECURITY statement. Format is:
securityPosture password privacy
where:
securityPosture
Indicates the default security posture to be configured for the SNMP agent, as defined by Appendix A of RFC 2275 (and outlined below). Valid values are:
  • minimum-secure - indicates the SNMP agent will be configured with the least secure default configurations
  • semi-secure- indicates the SNMP agent will be configured with moderately secure default configurations.
  • no-access - indicates the SNMP agent will be configured with no default configurations.
The default value is no-access.
password
Indicates the password to be used to generate authentication and privacy keys for user 'initial'. In the case that no-access is specified as the securityPosture, this keyword is ignored. Valid values are:
  • An octet string of 8 to 255 octets (characters).
  • '-' (dash) - indicating the default.
Default value is no password. Default only accepted if securityPosture is no-access.
privacy
Indicates whether or not encryption is to be supported for messages on behalf of user 'initial'. Valid values are:
  • Yes - indicates privacy is supported for user 'initial' (only with the additional encryption product).
  • No - indicates privacy is not supported for user initial.
  • '-' (dash) - indicates default value.
Default value is no. If no-access is selected as the security posture, this value will be ignored.

Default security definitions based on the selected security posture:

no-access
No initial configurations are done.
semi-secure
The default (null) context is configured. If privacy is not requested, a default user is configured as if the following USM_USER entry had been specified:
USM_USER initial - HMAC-MD5 ### none - N permanent
where ### indicates the key generated from the password specified on the DEFAULT_SECURITY entry. If privacy is requested (and available with the additional encryption product), a default user is configured as if the following USM_USER entry had been specified:
USM_USER initial - HMAC-MD5 ### DES ### N permanent
where ### indicates the key generated from the password specified on the DEFAULT_SECURITY entry.

A default group is configured as if the following VACM_GROUP entry had been specified:

VACM_GROUP initial USM initial readOnly

Three default access entries are configured as if the following VACM_ACCESS entries had been specified:

VACM_ACCESS initial - exact none   USM restricted -         restricted readOnly
VACM_ACCESS initial - exact auth   USM internet   internet  internet   readOnly
VACM_ACCESS initial - exact priv   USM internet   internet  internet   readOnly

Two default MIB views are configured as if the following VACM_VIEW entries had been specified:

VACM_VIEW internet   internet     - included readOnly
VACM_VIEW restricted system       - included readOnly
VACM_VIEW restricted snmp         - included readOnly
VACM_VIEW restricted snmpEngine   - included readOnly
VACM_VIEW restricted snmpMPDStats - included readOnly
VACM_VIEW restricted usmStats     - included readOnly
minimum-secure
The default (null) context is configured. If privacy is not requested, a default user is configured as if the following USM_USER entry had been specified:
USM_USER initial - HMAC-MD5 ### none - N permanent
where ### indicates the key generated from the password specified on the DEFAULT_SECURITY entry.

If privacy is requested (and available with the additional encryption product), a default user is configured as if the following USM_USER entry had been specified:
USM_USER initial - HMAC-MD5 ### DES ### N permanent
where ### indicates the key generated from the password specified on the DEFAULT_SECURITY entry.

A default group is configured as if the following VACM_GROUP entry had been specified:
VACM_GROUP initial USM initial readOnly

Three default access entries are configured as if the following VACM_ACCESS entries had been specified:

VACM_ACCESS initial - exact none   USM restricted -         restricted readOnly
VACM_ACCESS initial - exact auth   USM internet   internet  internet   readOnly
VACM_ACCESS initial - exact priv   USM internet   internet  internet   readOnly

Two default MIB views are configured as if the following VACM_VIEW entries had been specified:
VACM_VIEW internet   internet     - included readOnly
VACM_VIEW restricted internet     - included readOnly
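The '###' keys in the default-posture entries above, and the localized/non-localized distinction introduced under keyType, come from the RFC 2274 password-to-key procedure (carried unchanged into RFC 3414): the password is hashed after being repeated to 1 MiB, giving a non-localized key (keyType N) that is identical at every engine, and that key is then hashed together with the engineID to give the localized key (keyType L) that works at one snmpEngine only. The following is an added example, not the code of the AIX pwtokey command, that implements both steps in Python; the password and engineID it uses are the RFC's published test vector, not site values.

```python
import hashlib

# Added example, not the code of AIX's pwtokey command: the RFC 2274 (now RFC 3414)
# password-to-key algorithm that produces the '###' keys above, and the engineID
# localization step that makes a keyType 'L' key usable at only one snmpEngine.
# The password and engineID used in main() are the RFC's own test vector.

ONE_MEGABYTE = 1048576   # the algorithm hashes exactly 2^20 bytes of repeated password


def password_to_key(password, hashname="md5"):
    """Ku: digest of the password repeated cyclically to 1,048,576 bytes (non-localized key)."""
    pw = password.encode("ascii")
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    return hashlib.new(hashname, pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, hashname="md5"):
    """Kul = H(Ku || engineID || Ku): bind the key to one authoritative engine."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def usm_keys(password, engine_id, hashname="md5"):
    """Return (non-localized, localized) keys as the hex strings a USM_USER authKey field takes."""
    ku = password_to_key(password, hashname)
    return ku.hex(), localize_key(ku, engine_id, hashname).hex()


def des_priv_key(localized_auth_key_hex):
    """DES privKey for a localized key: its first 16 bytes (32 hex digits), per the privKey rule above."""
    return localized_auth_key_hex[:32]


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 appendix A test engineID
    ku, kul = usm_keys("maplesyrup", engine)
    print("keyType N authKey:", ku)
    print("keyType L authKey:", kul)
    print("keyType L privKey:", des_priv_key(kul))
```

The security consequence of the two key types is visible in the output: the keyType N value is the same on every agent that shares the password, so a copy of one agent's snmpdv3.conf discloses a key that is valid everywhere, whereas the keyType L value is bound to that agent's engineID. That is why the default-posture entries, which must work before the engineID is known, are written with N, and why a per-agent configuration is better off with L.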
logging
Directs logging from the configuration file. Format is:
logging         file=</path/filename>   enabled|disabled
logging         size=<limit>            level=<debug level>
There can be no white space around the "=" in the file, size and level fields, where:
</path/filename>
Specifies the complete path and filename of the log file. Valid values are: An octet string of 1 to 255 octets (characters). Default value is /var/tmp/snmpdv3.log.
enabled|disabled
Valid values are: 'enabled' - turns logging on; 'disabled' - turns logging off. Default value is 'enabled'.
<limit>
Specifies the maximum size in bytes of the specified log file. Valid values are: '0' - meaning unlimited; an unsigned integer number of bytes. Default value is 0.
<debug level>
Specifies the logging level. Valid values are: 0, 1, 2, 3, or 4. Default value is 0.
Example:
logging         file=/usr/tmp/snmpdv3.log       enabled
logging         size=0                          level=0
smux entry
Sets the smux peer configuration parameters. Format is:
smux <client OIdentifier> <password> <address> <netmask>
Fields to the right of <client OIdentifier> are optional, with the limitation that no field to the left of a specified field may be omitted, where:
<client OIdentifier>
Defines the unique object identifier, in dotted decimal notation, of the SMUX peer client. Valid values are: A unique object identifier in dotted decimal notation of up to 128 sub-OIDs for that SMUX peer. There is no default value.
<password>
Specifies the password that snmpd requires from the SMUX peer client to authenticate the SMUX association. If no password is specified, there is no authentication for the SMUX association. Valid values are: An octet string of 8 to 255 octets (characters). Default value is the null string.
<address>
Identifies the host on which the smux peer client is executing. Valid values are: A host name of 1 to 80 characters or an IPv4 address. The IP address must be specified as a.b.c.d where a, b, c and d are in the range of 0 to 255. Default value is 127.0.0.1.
<netmask>
Specifies the network mask. Valid values are: A network mask specified as a.b.c.d where a, b, c and d are in the range of 0 to 255. Default value is 255.255.255.255.
Example:
smux            1.3.6.1.4.1.2.3.1.2.1.2         gated_password  # gated

Any SNMP agent configuration entries added by dynamic configuration (SET) requests get added to the end of the snmpdv3.conf file.

Related Information

The snmpdv3, clsnmp, pwtokey, and pwchange commands.

The /etc/clsnmp.conf file.

Problem Determination for the SNMP Daemon, Trap Processing, Understanding the SNMP Daemon Logging Facility in AIX 5L Version 5.2 System Management Guide: Communications and Networks.

Understanding the SNMP Daemon in AIX 5L Version 5.2 System Management Guide: Communications and Networks.
