SNMPv3

In earlier versions of the AIX operating system, SNMPv1 was the only available version of SNMP for AIX. SNMPv3, provided in the AIX operating system, delivers a powerful and flexible framework for message security and access control.

The information in this section applies to SNMPv3 only.

Message security involves providing the following:
  • Data integrity checking to ensure that the data was not altered in transit.
  • Data origin verification to ensure that the request or response originates from the source that it claims to have come from.
  • Message timeliness checking and, optionally, data confidentiality to protect against eavesdropping.

The SNMPv3 architecture introduces the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control. The architecture supports the concurrent use of different security, access control, and message processing models. For example, community-based security can be used concurrently with USM, if desired.

USM uses the concept of a user for which security parameters (levels of security, authentication and privacy protocols, and keys) are configured at both the agent and the manager. Messages sent using USM are better protected than messages sent with community-based security, where passwords are sent in the clear and displayed in traces. With USM, messages exchanged between the manager and the agent have data integrity checking and data origin authentication. Message delays and message replays (beyond what happens normally due to a connectionless transport protocol) are prevented by the use of time indicators and request IDs. Data confidentiality, or encryption, is also available, where permitted, as a separately installable product. The SNMP encrypted version can be found on the AIX® Expansion Pack.
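The following is an added example, not code from the AIX product or this page, showing the USM mechanics the paragraph describes: a user's password is turned into a key, the key is localized to one agent's engine ID (RFC 3414 sections 2.6 and A.2), an HMAC truncated to 96 bits provides integrity and origin authentication, and the engine boots/time check rejects delayed or replayed messages. The message layout (a header, a 12-byte authentication field, a payload) and the sample engine IDs are constructed; the password-to-key vector "maplesyrup" with the 12-byte engine ID ending in 02 is the one published in RFC 3414 A.3.

```python
"""USM key derivation, message authentication and timeliness checks (RFC 3414)."""
import hashlib
import hmac

AUTH_TAG_LEN = 12      # HMAC-MD5-96 and HMAC-SHA-96 keep the first 96 bits of the MAC
TIME_WINDOW = 150      # seconds of clock skew tolerated (RFC 3414 section 2.2.3)
MAX_BOOTS = 2**31 - 1  # an engine whose boot counter hit this value must not be used


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 bytes (Ku)."""
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku); a key stolen from one agent
    does not authenticate to another agent configured with the same password."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(kul: bytes, hash_name: str, whole_msg_zeroed: bytes) -> bytes:
    """Truncated HMAC over the message with msgAuthenticationParameters zeroed."""
    return hmac.new(kul, whole_msg_zeroed, hash_name).digest()[:AUTH_TAG_LEN]


def build_auth_message(kul: bytes, hash_name: str, header: bytes, payload: bytes) -> bytes:
    # constructed layout: header || 12-byte auth field || payload (not real BER)
    zeroed = header + bytes(AUTH_TAG_LEN) + payload
    return header + auth_params(kul, hash_name, zeroed) + payload


def verify_auth_message(kul: bytes, hash_name: str, message: bytes, header_len: int) -> bool:
    """Receiver side: recompute the MAC with the auth field zeroed, compare in constant time."""
    tag = message[header_len:header_len + AUTH_TAG_LEN]
    zeroed = message[:header_len] + bytes(AUTH_TAG_LEN) + message[header_len + AUTH_TAG_LEN:]
    return hmac.compare_digest(tag, auth_params(kul, hash_name, zeroed))


def is_timely(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """RFC 3414 3.2 step 7 at the authoritative engine: same boot count and the
    message time within 150 s of the local engine time, else the message is dropped."""
    if local_boots == MAX_BOOTS or msg_boots != local_boots:
        return False
    return abs(int(msg_time) - int(local_time)) <= TIME_WINDOW


if __name__ == "__main__":
    engine_a = bytes(11) + b"\x02"            # engine ID from RFC 3414 A.3
    engine_b = bytes(11) + b"\x03"            # constructed second agent
    ku = password_to_key(b"maplesyrup", "md5")
    kul_a = localize_key(ku, engine_a, "md5")
    kul_b = localize_key(ku, engine_b, "md5")
    msg = build_auth_message(kul_a, "md5", b"hdr", b"get sysName.0")
    print("Ku  =", ku.hex())
    print("Kul =", kul_a.hex())
    print("valid at agent A:", verify_auth_message(kul_a, "md5", msg, 3))
    print("valid at agent B:", verify_auth_message(kul_b, "md5", msg, 3))
    print("timely:", is_timely(7, 5000, 7, 5100), is_timely(7, 5000, 7, 5400))
```

Two points this makes concrete: the same password yields a different localized key per agent, so a message authenticated for one agent fails verification at another, and a message outside the 150-second window is discarded before its contents are processed.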

The use of VACM involves defining collections of MIB data (called views), groups of users of the data, and access statements that define which views a particular group of users can use for reading, writing, or receiving in a trap (notification).
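As an added example, not the agent's own code, the model below implements the VACM decision described above in the form RFC 3415 defines it: view families (subtree, bit mask, included or excluded), a mapping from (security model, security name) to a group, and access entries that give each group a read, write and notify view at a minimum security level. The configuration built in build_sample() is constructed for illustration and uses the standard "system" and "interfaces" subtrees plus the USM and VACM MIB subtrees as excluded branches; it is not the /etc/snmpdv3.conf syntax.

```python
"""VACM access decision (RFC 3415 isAccessAllowed) over a small constructed configuration."""
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def oid(s: str) -> Oid:
    return tuple(int(x) for x in s.split("."))


class ViewFamily:
    """One vacmViewTreeFamilyTable row: subtree, bit mask, included/excluded."""
    def __init__(self, subtree: str, included: bool = True, mask: bytes = b""):
        self.subtree, self.included, self.mask = oid(subtree), included, mask

    def mask_bit(self, i: int) -> int:
        # a 1 bit means the sub-identifier must match; bits past the mask count as 1
        if i // 8 >= len(self.mask):
            return 1
        return (self.mask[i // 8] >> (7 - i % 8)) & 1

    def matches(self, target: Oid) -> bool:
        if len(target) < len(self.subtree):
            return False
        return all(self.mask_bit(i) == 0 or target[i] == c
                   for i, c in enumerate(self.subtree))


def view_includes(families: List[ViewFamily], target: Oid) -> bool:
    """RFC 3415 section 4: the longest matching subtree decides (greatest on ties)."""
    best: Optional[Tuple[tuple, ViewFamily]] = None
    for fam in families:
        if fam.matches(target):
            key = (len(fam.subtree), fam.subtree)
            if best is None or key > best[0]:
                best = (key, fam)
    return best is not None and best[1].included


class Vacm:
    def __init__(self) -> None:
        self.views: Dict[str, List[ViewFamily]] = {}
        self.groups: Dict[Tuple[str, str], str] = {}   # (securityModel, securityName) -> group
        self.access: List[tuple] = []                  # (group, ctxPrefix, model, level, r, w, n)

    def add_view(self, name, subtree, included=True, mask=b""):
        self.views.setdefault(name, []).append(ViewFamily(subtree, included, mask))

    def add_group(self, model, sec_name, group):
        self.groups[(model, sec_name)] = group

    def add_access(self, group, ctx_prefix, model, level, read, write, notify):
        self.access.append((group, ctx_prefix, model, level, read, write, notify))

    def is_access_allowed(self, model, sec_name, level, view_type, context, target) -> bool:
        group = self.groups.get((model, sec_name))
        if group is None:
            return False                                # noGroupName
        candidates = [a for a in self.access
                      if a[0] == group and context.startswith(a[1])
                      and a[2] in (model, "any") and LEVELS[level] >= LEVELS[a[3]]]
        if not candidates:
            return False                                # noAccessEntry (level too low counts)
        # precedence: exact model over "any", longer context prefix, higher security level
        best = max(candidates, key=lambda a: (a[2] != "any", len(a[1]), LEVELS[a[3]]))
        view_name = best[{"read": 4, "write": 5, "notify": 6}[view_type]]
        if not view_name:
            return False                                # noSuchView
        return view_includes(self.views.get(view_name, []), oid(target))


def build_sample() -> Vacm:
    """Constructed policy: community users see only 'system'; USM operators read the
    internet tree except the USM/VACM MIBs; USM admins may also write, but only with authPriv."""
    v = Vacm()
    v.add_view("sysOnly", "1.3.6.1.2.1.1")
    v.add_view("internet", "1.3.6.1")
    v.add_view("internet", "1.3.6.1.6.3.15", included=False)   # usmMIB: hide keys/users
    v.add_view("internet", "1.3.6.1.6.3.16", included=False)   # vacmMIB: hide the policy
    # wildcard the column position so only row 1 of ifTable is visible (mask 0xFF 0xBF)
    v.add_view("ifRowOne", "1.3.6.1.2.1.2.2.1.0.1", mask=b"\xff\xbf")
    v.add_group("snmpv1", "public", "readonly")
    v.add_group("usm", "oper", "operators")
    v.add_group("usm", "admin", "admins")
    v.add_access("readonly", "", "snmpv1", "noAuthNoPriv", "sysOnly", "", "sysOnly")
    v.add_access("operators", "", "usm", "authNoPriv", "internet", "", "internet")
    v.add_access("admins", "", "usm", "authPriv", "internet", "internet", "internet")
    return v


if __name__ == "__main__":
    v = build_sample()
    print("oper reads sysName:", v.is_access_allowed("usm", "oper", "authNoPriv", "read", "", "1.3.6.1.2.1.1.5.0"))
    print("oper writes sysName:", v.is_access_allowed("usm", "oper", "authNoPriv", "write", "", "1.3.6.1.2.1.1.5.0"))
    print("oper reads usmUserTable:", v.is_access_allowed("usm", "oper", "authNoPriv", "read", "", "1.3.6.1.6.3.15.1.2.2.1.3"))
```

The excluded families show why the view table matters for security: without them a read-only operator could walk the USM and VACM MIBs and learn which users and access rules exist, and the minimum security level on each access entry is what forces writes to arrive authenticated and encrypted.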

SNMPv3 also introduces the ability to dynamically configure the SNMP agent using SNMP SET commands against the MIB objects that represent the agent's configuration. This dynamic configuration support enables addition, deletion, and modification of configuration entries either locally or remotely.

SNMPv3 access policies and security parameters are specified in the /etc/snmpdv3.conf file on the SNMP agent and /etc/clsnmp.conf file on the SNMP manager. For a scenario on how to configure these files, see Creating users in SNMPv3. You can also refer to the /etc/snmpdv3.conf and /etc/clsnmp.conf file formats in Files Reference.