Add User for SNMP (ADDUSRSNMP)

The Add User for SNMP (ADDUSRSNMP) command defines a Simple Network Management Protocol (SNMP) user entry and adds it to the SNMP agent user list. An SNMP agent uses this list of users as part of the SNMPv3 User-based Security Model (USM). The USM is used to protect SNMPv3 packets from Modification of Information (Data Integrity), Masquerading (Data Origin Authentication), Disclosure (Data Confidentiality), and Message Stream Modification (Message Timeliness) threats by utilizing a concept of multiple users where each user provides secret keys for authentication and privacy. Each user entry consists of a user name, an authentication protocol, an authentication password with which the authentication keys will be generated, a privacy protocol, a privacy password with which the privacy keys will be generated, a key type indicating whether the generated keys include the IBM i agent engine ID, and finally the type of storage used for this user entry.

Restrictions:

• You must have input/output system configuration (*IOSYSCFG) special authority to use this command.

User name (USRNAME)

Specifies the name of the SNMP user being added for the User-based Security Model (USM). Each user name must be unique within the SNMP agent user list. The user name has no direct correlation to an IBM i user profile.

This is a required parameter.

character-value

Specify the name of the SNMP user being added. A user name must be a minimum of 1 character and no more than 32 characters in length. A user name cannot contain any leading or imbedded blanks.

Authentication protocol (AUTPCL)

Specifies the authentication protocol to be used for authenticated messages on behalf of the specified user.👁 End of change

*HMACSHA

The HMAC-SHA protocol will be used.

👁 Start of change

*HMACSHA256

The HMAC-SHA-256 protocol will be used.

*HMACSHA512

The HMAC-SHA-512 protocol will be used.

👁 End of change

*HMACMD5

The HMAC-MD5 protocol will be used.

*NONE

No authentication will be used for this user.

Authentication password (AUTPWD)

Specifies the password used to generate the key to be used for authenticating messages on behalf of this user. This parameter must be specified if the Authentication protocol (AUTPCL) parameter is not *NONE.👁 End of change

character-value

👁 Start of change

Specify the authentication password to be used for authenticating messages on behalf of this user. A password must be a minimum of 8 characters in length. Up to 255 characters may be specified.👁 End of change

Privacy protocol (PVYPCL)

Specifies the privacy protocol to be used for encrypted messages on behalf of the specified user. This parameter is only valid if the Authentication protocol (AUTPCL) parameter is not *NONE.👁 End of change

*CBCDES

The CBC-DES protocol will be used.

*CFBAES

The CFB128-AES-128 protocol will be used.

*NONE

No privacy protocol will be used.

Privacy password (PVYPWD)

Specifies the password used to generate the key to be used for encrypting messages to and from this user. This parameter must be specified if the Privacy protocol (PVYPCL) parameter is not *NONE.👁 End of change

character-value

Specify the privacy password to be used. A password must be a minimum of 8 characters in length. Up to 255 characters may be specified.

Key type (KEYTYPE)

Specifies whether the keys generated for this user are localized or not localized. A localized key is generated with the appropriate IBM i SNMP Engine Identifier (ID), and the key can only be used for get and set requests received by the local IBM i SNMP engine. A non-localized key can be used for all types of SNMP communication. This parameter affects keys generated for both the Authentication password (AUTPWD) parameter and the Privacy password (PVYPWD) when either or both are not *NONE.

*NONLOCALIZED

The keys are not localized.

*LOCALIZED

The keys are localized.

Storage type (STGTYPE)

Specifies the type of storage in which this user definition is maintained. This parameter is an indicator of the level of dynamic configuration available for the user.

*NONVOLATILE

The user definition persists across reboots of the SNMP agent. However, it can be changed or even deleted by dynamic configuration requests.

*PERMANENT

The user definition persists across reboots of the SNMP agent. However, it can be changed but not deleted by dynamic configuration requests.

*READONLY

The user definition persists across reboots of the SNMP agent. It can not be changed or deleted by dynamic configuration requests.

Log set requests (LOGSET)

Specifies whether set requests from SNMP managers are logged in journal QSNMP in library QUSRSYS.

*SNMPATR

The value defined with the Change SNMP Attributes (CHGSNMPA) command is used for this user.

*YES

Set requests are logged.

*NO

Set requests are not logged.

Log get requests (LOGGET)

Specifies whether get, get-bulk, and get-next requests from SNMP managers are logged in journal QSNMP in library QUSRSYS.

*SNMPATR

The value defined with the Change SNMP Attributes (CHGSNMPA) command is used for this user.

*YES

Get, get-bulk, and get-next requests are logged.

*NO

Get, get-bulk, and get-next requests are not logged.

Example 1: Adding an Unsecure User for SNMP

ADDUSRSNMP USRNAME(USER1) AUTPCL(*NONE) PVYPCL(*NONE)

This command adds an SNMP user named USER1. The user is not using an authentication or privacy protocol.

Example 2: Adding a Secure User for SNMP

ADDUSRSNMP USRNAME(SECUSER)
 AUTPCL(*HMACSHA2) AUTPWD('pwd4SecUser')
 PVYPCL(*CFBAES) PVYPWD('pvypwd-4-SecUser')
 KEYTYPE(*NONLOCALIZED)

This command adds an SNMP user named SECUSER. The authentication protocol used is HMAC-SHA-2 with an authentication password of 'pwd4SecUser'. The privacy protocol used is CFB-AES-128 with a privacy password of 'pvypwd-4-SecUser'. The key type is *NONLOCALIZED so that the keys generated can be used with different SNMP engines.

*ESCAPE Messages

TCP4001

Error occurred accessing SNMP configuration information.

TCP4027

SNMP user &1 not added.

TCP8050

*IOSYSCFG authority required to use &1.