root@aixtest /etc> snmpv3_ssw -n
root@aixtest /etc> cat /etc/snmpdv3.conf
VACM_GROUP group1 SNMPv1 public -
VACM_GROUP group1 SNMPv2c public -
VACM_VIEW defaultView internet - included -
VACM_VIEW defaultView 1.3.6.1.4.1.2.2.1.1.1.0 - included -
VACM_VIEW defaultView 1.3.6.1.4.1.2.6.191.1.6 - included -
# exclude snmpv3 related MIBs from the default view
VACM_VIEW defaultView snmpModules - excluded -
VACM_VIEW defaultView 1.3.6.1.6.3.1.1.4 - included -
VACM_VIEW defaultView 1.3.6.1.6.3.1.1.5 - included -
# exclude aixmibd managed MIBs from the default view
VACM_VIEW defaultView 1.3.6.1.4.1.2.6.191 - included -
# Added for icinga
VACM_VIEW defaultView 1.3.6.1.2.1.25.3.8.1 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.3.8.1.2 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.5 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.3.1 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.3.1.2 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.3.1.1 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.3.1.3 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.3.1.5 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.3.1.6 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.3.1.4 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.1 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.2 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.3 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.4 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.5 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.6 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.7 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.8 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.9 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.2.1.10 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.4.2.1 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.4.2.1.1 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.4.2.1.2 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.4.2.1.4 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.4.2.1.5 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.5.1.1.2 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.5.1.1.1 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.4.2.1.7 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.3.3.1 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.3.3.1.1 - included -
VACM_VIEW defaultView 1.3.6.1.2.1.25.3.3.1.2 - included -
VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView -
VACM_ACCESS group1 - - noAuthNoPriv SNMPv2c defaultView - defaultView -
COMMUNITY public public noAuthNoPriv 0.0.0.0 0.0.0.0 -
Restart daemons
root@aixtest /etc> stopsrc -s snmpmibd;stopsrc -s aixmibd;stopsrc -s snmpd;stopsrc -s hostmibd;stopsrc -s dpid2
root@aixtest /etc> startsrc -s snmpmibd;startsrc -s aixmibd;startsrc -s snmpd;startsrc -s hostmibd;startsrc -s dpid2
Test
AIX command
root@aixtest /etc> /usr/sbin/snmpinfo -m dump -c public -h aixtest
1.3.6.1.2.1.1.1.0 = "IBM PowerPC CHRP Computer
Machine Type: 0x0800004c Processor id: 00C2xxx04B00
Base Operating System Runtime AIX version: 07.02.0005.0203
...
Linux command (from snmp-utils rpm)
root@aixtest /etc> snmpwalk -v2c -m all -c public aixtest sysName.0
SNMPv2-MIB::sysName.0 = STRING: aixtest
root@aixtest /etc> snmpwalk -v1 -m all -c public aixtest sysName.0
SNMPv2-MIB::sysName.0 = STRING: aixtest
To restrict access to a specific IP address, change the COMMUNITY line to specify an IP address or subnet. Example:
COMMUNITY public public noAuthNoPriv 10.10.10.10 255.255.255.255 -
or a range. Example:
COMMUNITY public public noAuthNoPriv 172.10.0.0 255.255.0.0 -
Change the lines with the new community string, here public is replaced by Str0ngC0mmunity:
VACM_GROUP group1 SNMPv1 Str0ngC0mmunity -
COMMUNITY Str0ngC0mmunity Str0ngC0mmunity noAuthNoPriv 0.0.0.0 0.0.0.0 -
VACM_GROUP director_group SNMPv2c Str0ngC0mmunity -
You then need to stop the daemons:
stopsrc -s aixmibd
stopsrc -s hostmibd
stopsrc -s snmpmibd
stopsrc -s snmpd
To start the daemons, execute the following commands using the new community string:
startsrc -s aixmibd -a "-c Str0ngC0mmunity"
startsrc -s hostmibd -a "-c Str0ngC0mmunity"
startsrc -s snmpmibd -a "-c Str0ngC0mmunity"
startsrc -s snmp
https://www.ibm.com/support/pages/ibm-aix-how-configure-community-based-snmp-and-snmp-traps
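A way to check which sources each COMMUNITY line actually admits, as an added example that is not part of the original page or of IBM's tooling. The sample configuration is constructed, and the function name and the choice of "public" and "private" as well-known strings are assumptions of this example.

```python
import ipaddress

# Constructed sample in the /etc/snmpdv3.conf format shown on this page.
SAMPLE_CONF = """\
VACM_GROUP group1 SNMPv2c public -
VACM_ACCESS group1 - - noAuthNoPriv SNMPv2c defaultView - defaultView -
#COMMUNITY old old noAuthNoPriv 0.0.0.0 0.0.0.0 -
COMMUNITY public public noAuthNoPriv 0.0.0.0 0.0.0.0 -
COMMUNITY Str0ngC0mmunity Str0ngC0mmunity noAuthNoPriv 10.10.10.10 255.255.255.255 -
COMMUNITY Str0ngC0mmunity Str0ngC0mmunity noAuthNoPriv 172.10.0.0 255.255.0.0 -
"""

# Assumption of this example: community names treated as guessable defaults.
WELL_KNOWN = {"public", "private"}


def audit_communities(conf_text):
    """Return (line_no, community, allowed_source, findings) per COMMUNITY line."""
    results = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split()
        # Skip blanks, commented-out lines and every keyword but COMMUNITY.
        if not fields or fields[0] != "COMMUNITY":
            continue
        if len(fields) < 6:
            results.append((line_no, None, None, ["malformed COMMUNITY line"]))
            continue
        community, address, mask = fields[1], fields[4], fields[5]
        try:
            # strict=False tolerates host bits set in the address field.
            source = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        except ValueError:
            results.append((line_no, community, None, ["invalid address or mask"]))
            continue
        findings = []
        if community.lower() in WELL_KNOWN:
            findings.append("well-known community string")
        if source.prefixlen == 0:
            findings.append("accepts requests from any source address")
        results.append((line_no, community, str(source), findings))
    return results


if __name__ == "__main__":
    for line_no, community, source, findings in audit_communities(SAMPLE_CONF):
        print(f"line {line_no}: {community} from {source}: {findings or 'ok'}")
```
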
Steps
1. Install the “snmp.crypto” fileset from the AIX Expansion Pack media
a) The AIX Expansion Pack media can be downloaded from our ESS website: https://www.ibm.com/servers/eserver/ess/index.wss
b) For a complete step-by-step guide on downloading media from ESS, please refer to the following tech note: https://www-01.ibm.com/support/docview.wss?uid=isg3T1027277
2. Switch to snmpdv3e using ‘snmpv3_ssw’ command
# snmpv3_ssw -e
In /etc/rc.tcpip file, comment out the line that contains: dpid2
In /etc/rc.tcpip file, remove the comment from the line that contains: snmpmibd
Stop daemon: snmpd
Make the symbolic link from /usr/sbin/snmpd to /usr/sbin/snmpdv3e
Make the symbolic link from /usr/sbin/clsnmp to /usr/sbin/clsnmpe
Start daemon: snmpmibd
Start daemon: snmpd
3. Edit your /etc/snmpdv3.conf file and configure your views and communities. Below you can see what the file's content looks like by default, followed by a quick explanation of the specific keywords inside:
#VACM_GROUP group1 SNMPv1 public -
VACM_VIEW defaultView internet - included -
#VACM_VIEW defaultView 1.3.6.1.4.1.2.2.1.1.1.0 - included -
#VACM_VIEW defaultView 1.3.6.1.4.1.2.6.191.1.6 - included -
# exclude snmpv3 related MIBs from the default view
#VACM_VIEW defaultView snmpModules - excluded -
#VACM_VIEW defaultView 1.3.6.1.6.3.1.1.4 - included -
#VACM_VIEW defaultView 1.3.6.1.6.3.1.1.5 - included -
# exclude aixmibd managed MIBs from the default view
#VACM_VIEW defaultView 1.3.6.1.4.1.2.6.191 - included -
#VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView -
#NOTIFY notify1 traptag trap -
#TARGET_ADDRESS Target1 UDP 127.0.0.1 traptag trapparms1 - - -
#TARGET_PARAMETERS trapparms1 SNMPv1 SNMPv1 public noAuthNoPriv -
COMMUNITY public public noAuthNoPriv 0.0.0.0 0.0.0.0 -
#DEFAULT_SECURITY no-access - -
logging file=/usr/tmp/snmpdv3.log enabled
logging size=1000000 level=3
smux 1.3.6.1.4.1.2.3.1.2.1.2 gated_password # gated
VACM_GROUP - defines a group and associates it with SNMP version and security information
VACM_VIEW - specifies view name and view mask
VACM_ACCESS - associates a group with security and views
NOTIFY, TARGET_ADDRESS, TARGET_PARAMETERS - where to send SNMP traps
COMMUNITY - specifies community name and access
DEFAULT_SECURITY - defines the default security posture to be configured for the SNMP agent
Here are some recommendations for some default lines you should un-comment:
VACM_GROUP group1 SNMPv1 public -
VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView -
COMMUNITY public public noAuthNoPriv 0.0.0.0 0.0.0.0 -
4. Optional Step - If you want to send the SNMP traps to a specific IP address you need to configure it in /etc/snmpdv3.conf
NOTIFY notify1 traptag1 trap -
NOTIFY notify2 traptag2 trap -
NOTIFY notify3 traptag3 trap -
TARGET_ADDRESS Target1 UDP 10.170.4.26 traptag1 trapparms1 - - -
TARGET_ADDRESS Target2 UDP 9.3.58.66 traptag2 trapparms2 - - -
TARGET_ADDRESS Target3 UDP 127.0.0.1 traptag3 trapparms3 - - -
TARGET_PARAMETERS trapparms1 SNMPv1 SNMPv1 public noAuthNoPriv -
TARGET_PARAMETERS trapparms2 SNMPv1 SNMPv1 public noAuthNoPriv -
TARGET_PARAMETERS trapparms3 SNMPv1 SNMPv1 public noAuthNoPriv -
5. Check that the IP address in /etc/snmpd.boots corresponds to the IP of the SNMP agent, for example:
# cat /etc/snmpd.boots
000000020000000009033A79 0000000046
a) The number you see is derived as follows:
The first 8 hexadecimal digits represent a vendor enterprise ID obtained from the Internet Assigned Numbers Authority (IANA). For IBM, this ID is 00000002. The string 00 indicates that the next 6 hexadecimal digits are zeros, followed by the IP address of the agent in the last 8 hexadecimal digits.
b) The goal here is to replace the last 8 hexadecimal digits with the IP address of the SNMP agent.
c) Make sure it matches the IP address of the hostname. In the above example, 09:03:3A:79 corresponds to 9.3.58.121 when it is converted into hexadecimal.
6. Generate key pairs for the SNMP agent IP
pwtokey [-e ] [ -d DebugLevel ] [ -p Protocol ] [ -u KeyUsage ] [ -s ] Password [ EngineID | HostName | IPAddress ]
# pwtokey -u all u1password 9.3.58.12
Display of 16 byte HMAC-MD5 authKey:
f030abfad3123456a5d5416bd232d0a5
Display of 16 byte HMAC-MD5 localized authKey:
6b5bddcf9702102641a9ab8b1d5f791f
Display of 16 byte HMAC-MD5 privKey:
f030abfad3123456a5d5416bd232d0a5
Display of 16 byte HMAC-MD5 localized privKey:
6b5bddcf9702102641a9ab8b1d5f791f
Replace the IP address in the example above with your own.
Note: This password is not related to the community name; it is only used to generate keys for user-based security. One authentication (authKey) key pair and one privacy (privKey) key pair are generated.
The “localized” key is used by the AIX SNMP agent in the /etc/snmpdv3.conf file.
The “non-localized” key is to be used by the SNMP management station.
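Steps 5 and 6 fit together because a localized key is bound to the agent's engine ID. The following added example (not code from the original page or from IBM) builds the engine ID in the snmpd.boots layout described in step 5 and derives keys with the standard RFC 3414 HMAC-MD5 password-to-key algorithm. That pwtokey uses this algorithm, and builds the same engine ID when given an IP address, are assumptions of this example.

```python
import hashlib
import ipaddress

# First line of /etc/snmpd.boots as shown in step 5 of this page.
BOOTS_LINE = "000000020000000009033A79 0000000046"


def aix_engine_id(ip):
    """Engine ID in the step 5 layout: IBM enterprise ID 00000002,
    eight zero digits, then the agent IPv4 address in hexadecimal."""
    return bytes.fromhex("00000002" + "00000000") + ipaddress.IPv4Address(ip).packed


def password_to_key(password):
    """RFC 3414 A.2.1: MD5 over the password repeated to exactly 1,048,576 bytes.
    This is the non-localized key, the same for every agent."""
    data = password.encode()
    if not data:
        raise ValueError("empty password")
    repeated = (data * (1048576 // len(data) + 1))[:1048576]
    return hashlib.md5(repeated).digest()


def localize(key, engine_id):
    """RFC 3414 key localization: MD5(key || engineID || key)."""
    return hashlib.md5(key + engine_id + key).digest()


def boots_matches(boots_line, ip):
    """True if the engine ID field of an snmpd.boots line encodes this IP."""
    return bytes.fromhex(boots_line.split()[0]) == aix_engine_id(ip)


if __name__ == "__main__":
    key = password_to_key("u1password")  # password taken from the page's example
    for ip in ("9.3.58.121", "9.3.58.12"):
        print(ip, "matches snmpd.boots:", boots_matches(BOOTS_LINE, ip))
        print("  engine ID    :", aix_engine_id(ip).hex().upper())
        print("  localized key:", localize(key, aix_engine_id(ip)).hex())
```

The two addresses give different localized keys from the same password, so a key localized for an address that does not match the engine ID in /etc/snmpd.boots will not authenticate against that agent.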
7. Add a “USM_USER” line to snmpdv3.conf file, here’s what the USM_USER line looks like:
USM_USER u1 - HMAC-MD5 6b5bddcf9702102641a9ab8b1d5f791f DES 6b5bddcf9702102641a9ab8b1d5f791f L -
Note that it is ONE line only, ending with a dash as seen below
USM_USER u1 - HMAC-MD5 6b5bddcf9702102641a9ab8b1d5f791f DES 6b5bddcf9702102641a9ab8b1d5f791f L -
8. Add VACM_GROUP and VACM_ACCESS lines to snmpdv3.conf, for example:
VACM_GROUP groupu1 USM u1 -
VACM_ACCESS groupu1 - - AuthPriv USM defaultView - defaultView -
Note in this example groupu1 is the group name and u1 is the user.
9. Stop and start snmpd and dpid2 subagents:
Stop dpid2 subagents and snmpd
# stopsrc -s aixmibd
# stopsrc -s hostmibd
# stopsrc -s snmpmibd
# stopsrc -s snmpd
Start snmpd and then dpid2 subagents
# startsrc -s snmpd
# startsrc -s aixmibd
# startsrc -s hostmibd
# startsrc -s snmpmibd
10. Edit the /etc/clsnmp.conf file and add this line, replacing the values with the correct ones
user1 9.3.58.121 snmpv3 u1 - - AuthPriv HMAC-MD5 7a3e34265e0e029f27d8b4235ecfa987 DES 7a3e34265e0e029f27d8b4235ecfa987
Note that the clsnmp.conf file is configured with the non-localized authKey and privKey, which were generated in step 6.
11. Try an SNMPv3e query using ‘clsnmp’ command
# clsnmp -h user1 -v walk system
Test with snmpwalk
snmpwalk -v2c -m all -c public 10.10.10.10
snmpwalk -v3 -u u1 -a SHA -A "mypass" 192.178.0.37
snmpwalk -v3 -l authNoPriv -u u1 -a SHA -A "mypass" -x DES -X "mypass" 192.178.0.37
snmpwalk -v3 -l authNoPriv -u u1 -a SHA -A "mypass" -x AES -X "mypass" 192.178.0.37
https://www.centrosun.com/how-to-configure-the-snmp-protocol-of-aix.html
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/dx-apm-agents/SaaS/infrastructure-agent/host-monitoring/Host-Monitoring-on-AIX.html
https://www.ibm.com/support/pages/ibm-aix-how-configure-snmpv3-encrypted
https://thwack.solarwinds.com/product-forums/network-performance-monitor-npm/f/forum/78155/snmpv3-configuration-on-aix-server
https://unix.stackexchange.com/questions/653104/snmpv3-on-aix-from-linux-shows-authentication-failure
https://community.icinga.com/t/aix-snmp-monitoring-interfaces/1594
http://ps-2.kev009.com/wisclibrary/aix52/usr/share/man/info/en_US/a_doc_lib/aixbman/commadmn/snmp_snmpv3_trouble.htm
https://docs.centreon.com/fr/pp/integrations/plugin-packs/procedures/operatingsystems-aix-snmp/
https://nagios.fm4dd.com/howto/aix-snmp-setup.shtm