The SNMPv3 USM is configured in a Java DMK text file, called jdmk.security. Every SNMP engine has an associated security file.
In a traditional agent and manager SNMP architecture, you will have one security file associated with the agent and one associated with the manager. Both files will have a very similar configuration.
The authoritative agent's security file contains all the security information users need when requests are received from the manager. The non-authoritative manager's security file contains all the security information users need when making requests of authoritative agents.
The following examples show typical security files for an agent and a manager.
localEngineID=myHost:8085 localEngineBoots=7 #Typical authenticated entry. Accepts requests from a user called #aSecureUser userEntry=localEngineID,aSecureUser,aSecureUser, usmHMACMD5AuthProtocol, mypasswd #Typical authenticated and encrypted entry. Accepts requests from #aSecureUser #userEntry=localEngineID,aSecureUser,aSecureUser, #usmHMACMD5AuthProtocol, #mypasswd,usmDESPrivProtocol,mypasswd
The example agent jdmk.security file identifies the agent's associated SNMP engine using its host name and port number, records the number of times that engine has rebooted, and sets two possible security configurations for a user called aSecureUser. One possible configuration applies authentication to requests from aSecureUser. The second configuration, which is currently commented out and is therefore inactive, applies both authentication and privacy to requests from the same user.
#Typical authenticated entry. Makes requests to authoritative engine #myHost:8085 with some parameters. userEntry=myHost:8085,aSecureUser,aSecureUser,usmHMACMD5AuthProtocol, mypasswd #Typical authenticated and encrypted entry. Makes requests to authoritative #engine myHost:8085 with some parameters. #userEntry=myHost:8085,aSecureUser,aSecureUser,usmHMACMD5AuthProtocol, #mypasswd, #usmDESPrivProtocol,mypasswd # #####APPENDED PROPERTY#### localEngineBoots=5 # #####APPENDED PROPERTY#### localEngineID=myOtherHost:8087
The example manager jdmk.security file sets two possible configurations to send requests from the user aSecureUser to the above agent. Again, the first configuration applies authentication to requests from aSecureUser, and the second configuration, which is currently commented out and is therefore inactive, applies both authentication and privacy.
The localEngineID for each of the manager and the agent must be different. If two entities that communicate with each other have the same local engine ID, behavior is unpredictable.
As you can see in Example 20–3 and Example 20–4, every user that has access to an agent is represented by a userEntry row in each of the agent's and the manager's security files. The example manager jdmk.security file is configured to send requests from aSecureUser to the agent, either with authentication only, or with privacy activated. The agent is configured to receive those requests.
You configure userEntry as follows, with the parameters separated commas:
userEntry=engine ID,user name,security name,authentication algorithm,authentication key, privacy algorithm,privacy key,storage type,template
The only mandatory parameters are the engine ID and the user name. All the other parameters are optional.
The possible values for the parameters are as follows:
The string localEngineID, to denote the local engine
A hexadecimal string, as generated by EngineIdGenerator; for example, 0x8000002a05819dcb6e00001f95
A human readable string used to generate an engine ID, providing any or all of the host name, port and IANA number, as shown in Generating SNMPv3 Engine IDs
Any human-readable string
Any human-readable string
0 to 32 inclusive for HMACMD5
0 to 40 inclusive for HMACSHA
Any text password or any hexadecimal key starting with 0x; for example, 0x0098768905AB67EFAA855A453B665B12, of size 0 to 32 inclusive
If a hexadecimal string is provided, it must be a localized key
A value of 3 denotes non-volatile, meaning that the user entry is flushed in the security file; any other value than 3 will be rejected, throwing an IllegalArgumentException
Can be either true or false:
If true, the row is a template, not seen from USM MIB. This kind of user is used when cloning users.
The default is false.