Configuring SNMPv3 access

Server and Cluster Administration Guide for Hitachi NAS Platform

SNMPv3 is a more secure version of SNMP than the previously supported SNMPv1 and SNMPv2c. It adds user-based authentication and encryption to secure access to the management information held on the HNAS server. SNMPv1 and SNMPv2c continue to be available but cannot be enabled at the same time as SNMPv3.

You must use CLI commands to configure SNMPv3.

The snmp concept man page describes the supported SNMP versions and their restrictions.

The authentication and privacy option is always configured when SNMPv3 is enabled.

The SNMP agent uses HMAC-SHA-96 authentication and AES-128-CFB encryption for data privacy.

  1. Use the CLI command snmp-protocol to configure SNMPv3.
    HNAS1:$        snmp-protocol -v v3
    HNAS1:$        snmp-protocol
                   Protocol:      SNMPv3               
    When SNMPv3 is enabled the SNMP agent will not respond to SNMPv1 or SNMPv2c requests.
  2. Add users with the snmpv3-user-add command.
    HNAS1:$        snmpv3-user-add testuser 
                   Please enter the authentication password:     ********
                   Please re-enter the authentication password:  ********
                   Please enter the privacy password:    ********
                   Please re-enter the privacy password: ********
                   [snmpv3-user-add took 14 s.]
    At least one user, with an authentication password and a privacy password, must be configured in order to use SNMPv3.

    When SNMPv3 is configured, access to the information on the server is restricted to users in the SNMPv3 user list.

    1. You may delete users with the snmpv3-user-delete and snmpv3-user-delete-all commands.
      HNAS1:$        snmpv3-user-delete testuser
    2. You may list users with the snmpv3-user-list command.
      HNAS1:$        snmpv3-user-list
  3. Configure agent ports using the snmp-port-set and snmp-port-show commands. The SNMP port used is normally 161.
    HNAS1:$        snmp-port-set 161
                   SNMP agent port successfully set to:  161 
    HNAS1:$        snmp-port-show
                   SNMP agent port:  161
  4. The snmp-trap-port-set, snmp-trap-port-show, and snmp-traps commands are available to configure the operation of the SNMP agent for all versions of SNMP. The traps are normally sent to port 162.
    HNAS1:$        snmp-trap-port-set 162
    HNAS1:$        snmp-trap-port-show 
                   SNMP trap port:  162 

    All notifications are sent using SNMPv1 traps regardless of the configured SNMP protocol version.

  5. When configured to use SNMPv3, the community names configured via the snmp-communities command and the hosts list configured via the snmp-hosts command do not restrict SNMPv3 access to the server.
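
How the authentication and privacy passwords entered in snmpv3-user-add become keys under the standard SNMPv3 User-based Security Model, shown as an added example that is not part of the Hitachi guide. It assumes the agent follows the RFC 3414 (HMAC-SHA-96) and RFC 3826 (AES-128) key derivation; the function names are hypothetical, the password and engine ID are the RFC 3414 A.3.2 test vector rather than HNAS values, and the message bytes are constructed.

```python
import hashlib
import hmac

def password_to_key(password: bytes) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over the password repeated to exactly 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1024 * 1024, len(password))
    return hashlib.sha1(password * reps + password[:rem]).digest()

def localize(ku: bytes, engine_id: bytes) -> bytes:
    """Bind the user key to one agent: Kul = SHA1(Ku || engineID || Ku)."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def aes128_key(priv_kul: bytes) -> bytes:
    """RFC 3826: the AES-128 key is the first 16 octets of the localized key."""
    return priv_kul[:16]

def auth_tag(auth_kul: bytes, msg_zeroed: bytes) -> bytes:
    """HMAC-SHA-96: HMAC-SHA1 over the whole message, keeping 12 octets.

    msg_zeroed is the message with its 12-octet authentication field
    set to zeros, as the sender and receiver both compute it.
    """
    return hmac.new(auth_kul, msg_zeroed, hashlib.sha1).digest()[:12]

def verify(auth_kul: bytes, msg_zeroed: bytes, received_tag: bytes) -> bool:
    """Constant-time comparison of the received tag with the expected one."""
    return hmac.compare_digest(auth_tag(auth_kul, msg_zeroed), received_tag)

# RFC 3414 A.3.2 test vector (not values from an HNAS server).
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed stand-in for an encoded SNMPv3 message with a zeroed auth field.
MESSAGE = b"constructed SNMPv3 message bytes" + bytes(12)

if __name__ == "__main__":
    kul = localize(password_to_key(PASSWORD), ENGINE_ID)
    tag = auth_tag(kul, MESSAGE)
    print("localized key :", kul.hex())
    print("AES-128 key   :", aes128_key(kul).hex())
    print("auth tag      :", tag.hex())
    print("tag verifies  :", verify(kul, MESSAGE, tag))
    print("tampered msg  :", verify(kul, MESSAGE + b"x", tag))
```

Because the key is localized with the engine ID, the same password yields a different key on each agent, so a key recovered from one device does not authenticate to another.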