To Create Additional SNMPv3 Users With Security
This section provides procedures that explain how to create users with security. Several methods are available to create users in the System Management Agent. After you first install the System Management Agent, the default configuration is for new users to be SNMPv1 and SNMPv2c users.
Note - The agent is not configured to create SNMPv3 users by default. To create SNMPv3 users in the System Management Agent, first you need to edit the main /etc/sma/snmp/snmpd.conf file. For more information, see the snmpd.conf(4) man page.
The first procedure in this section, To Create a New SNMPv3 User, shows you how to create the first, initial new user. Additional users are cloned from this initial user, so that the initial user's authentication and security types can be inherited. These types can be changed later. In cloning, secret key data for the user is set. You must know the passwords for the initial user and later users that you set up. You can only clone one user at a time from the initial user that you set up.
The net-snmp-config command used in this procedure adds a line to the /etc/sma/snmp/snmpd.conf file, giving the initial user read and write access to the agent.
# svcadm disable -t svc:/application/management/sma:default
# /usr/sfw/bin/net-snmp-config --create-snmpv3-user -a "my_password" newuser
This command causes a new user to be created, named newuser, with a password equal to my_password. The new user creation uses both MD5 and DES, which are described in Authentication Protocol Algorithms.
By default, when creating a user using the net-snmp-config command, these settings are created unless otherwise specified:
auth protocol = MD5
security level = rwuser auth
# svcadm enable svc:/application/management/sma:default
# snmpget -v 3 -u newuser -l authNoPriv -a MD5 -A my_password localhost sysUpTime.0
Giving the new user read and write access is not always useful. If you want to reduce or change the access rights of the new user, edit the /etc/sma/snmp/snmpd.conf file. For more information, see the snmpd.conf(4) man page.
# svcadm disable -t svc:/application/management/sma:default
# /usr/sfw/bin/net-snmp-config --create-snmpv3-user
Enter a SNMPv3 user name to create:
newuser
Enter authentication pass-phrase:
my_password
Enter encryption pass-phrase:
adding the following line to /var/sma_snmp/snmpd.conf: createUser newuser MD5 "newuser_pass" DES
adding the following line to /etc/sma/snmp/snmpd.conf: rwuser newuser
By default, when creating a user using the net-snmp-config command, these settings are created unless otherwise specified:
auth protocol = MD5
security level = rwuser auth
# svcadm enable svc:/application/management/sma:default
# snmpget -v 3 -u newuser -l authNoPriv -a MD5 -A my_password localhost sysUpTime.0
Note - Passwords must contain at least eight characters.
Giving the new user read and write access is not always useful. If you want to reduce or change the access rights of the new user, edit the /etc/sma/snmp/snmpd.conf file. For more information, see the snmpd.conf(4) man page.
The preferred method of creating a new user in secure SNMP is to clone the initial user that you originally set up. This procedure copies the user you set up in To Create a New SNMPv3 User. This procedure uses the snmpusm command described in Using USM for Authentication and Message Privacy. For more information, see the snmpusm(1M) man page.
# svcs svc:/application/management/sma:default
If the agent is not running, start it.
# svcadm enable svc:/application/management/sma:default
# snmpusm -v 3 -u newuser -a MD5 -A my_password -l authNoPriv localhost create lee newuser
This command creates a user named “lee”. This new user has the same password, my_password, as the source user, named “newuser”, that you created in To Create a New SNMPv3 User.
# snmpusm -v 3 -u lee -a MD5 -A my_password -l authNoPriv localhost passwd my_password lee_password
This command gives the user lee a new password, lee_password. The default auth type is MD5.
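As an added example (not from the SMA documentation or the Net-SNMP code), the RFC 3414 derivation that turns an MD5 authentication pass-phrase into the per-agent secret key, which is the key data that cloning copies from newuser to lee and that the passwd step replaces. The engine IDs are constructed values; the first is the RFC 3414 A.3.1 test vector.

```python
import hashlib

# Added example: RFC 3414 A.2.1 password-to-key and key localization for the
# MD5 authentication protocol used by the procedures above.
ONE_MIB = 1024 * 1024
MIN_PASSPHRASE_LEN = 8   # the eight-character rule stated in the procedure


def password_to_key_md5(password: str) -> bytes:
    """Ku: MD5 over the pass-phrase repeated to exactly 1 MiB (RFC 3414 A.2.1)."""
    pw = password.encode()
    if len(pw) < MIN_PASSPHRASE_LEN:
        raise ValueError("SNMPv3 pass-phrases must contain at least eight characters")
    expanded = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.md5(expanded).digest()


def localize_key_md5(password: str, engine_id: bytes) -> bytes:
    """Kul: bind Ku to one agent's snmpEngineID (RFC 3414 A.2.1, step 2).

    This is why a USM user's secret is specific to the agent it was created
    on, and why a cloned user shares the source user's key until passwd
    derives a new Kul from the new pass-phrase."""
    ku = password_to_key_md5(password)
    return hashlib.md5(ku + engine_id + ku).digest()


# Constructed engine IDs: RFC_ENGINE_ID is the RFC 3414 A.3.1 test vector,
# OTHER_ENGINE_ID is an arbitrary value used only to show engine binding.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("800000020100000001")


if __name__ == "__main__":
    print("Ku  (maplesyrup):", password_to_key_md5("maplesyrup").hex())
    print("Kul (RFC engine):", localize_key_md5("maplesyrup", RFC_ENGINE_ID).hex())
    print("Kul (other engine):", localize_key_md5("maplesyrup", OTHER_ENGINE_ID).hex())
    # The clone command copies newuser's Kul to lee; passwd then replaces it.
    before = localize_key_md5("my_password", RFC_ENGINE_ID)
    after = localize_key_md5("lee_password", RFC_ENGINE_ID)
    print("lee's key changed by passwd:", before != after)
```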
If you are directly editing the snmpd.conf file, you must first temporarily stop the agent.
# svcadm disable -t svc:/application/management/sma:default
To give lee read and write access, add a new rwuser line to the snmpd.conf file.
rwuser lee
To give lee read-only access, add a new rouser line to the snmpd.conf file.
rouser lee
If you do not specify a security level, the System Management Agent defaults to authNoPriv. For more information, see the snmpd.conf(4) or snmpvacm(1M) man pages.
# svcadm enable svc:/application/management/sma:default
Check whether your new user exists.
# snmpget -v 3 -u lee -a MD5 -A lee_password -l authNoPriv localhost sysUpTime.0
For SNMPv1 and SNMPv2c users, a community string is used for security. The standard Net-SNMP token, com2sec, is provided with the SMA. The com2sec token enables you to map a host name and community string pair, for SNMPv1 or SNMPv2c, to a security name. In this case, the security level is noAuthNoPriv. For information on the noAuthNoPriv security level and on other security levels, see Where USM Security Information Is Contained.
In the System Management Agent, proxying is supported for SNMPv1 and SNMPv2c users only. For more information, see Proxy Handling for Solstice Enterprise Agents Requests.
Creating a large number of groups in SNMP causes management and administration of these groups to become very complex. If you create a large number of groups, troubleshooting these groups becomes very difficult.
Note - When groups or views are created by editing the snmpd.conf file, the storage type is permanent. If you edit the snmpd.conf file instead of using the snmpvacm command, entries for groups are permanent. You can delete the entries only by removing them from the snmpd.conf file.
Follow the examples provided in Using VACM for Access Control for creating and managing groups.