SNMPv3 Auditing and Other Enhancements

March 1, 2017

<em>Clair Wood wrote this week's article. Clair is an advisory software engineer with IBM in Rochester, Minnesota. His current responsibilities involve development for TCP/IP configuration and applications. He is the product owner of the IBM TCP/IP Connectivity Utilities for i.</em>

This article describes the new support for auditing SNMPv3 requests. Additional SNMP enhancements cover the system description, storage pool descriptions, and storage pool block sizes. These enhancements are available via PTFs.

<strong>SNMPv3 Auditing</strong>

Auditing SNMPv3 messages is similar to the auditing that's done for SNMPv1: the same mechanism controls the auditing of all SNMP Get and Set requests. Auditing is enabled by changing the system-wide SNMP attributes with the <a href="https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/cl/chgsnmpa.htm" target="_blank">Change SNMP Attributes</a> (<code>CHGSNMPA</code>) command. The Log Get requests (<code>LOGGET</code>) parameter and the Log Set requests (<code>LOGSET</code>) parameter control whether all Get requests (Get, GetNext, GetBulk) or all Set requests, together with their associated responses, are logged in the QUSRSYS/QSNMP journal. This now includes both SNMPv1 and SNMPv3 messages.

For SNMPv1, requests for a specific community can be audited by turning off the system-wide SNMP audit settings and then changing the <code>LOGGET</code> and <code>LOGSET</code> parameters for that community with the <a href="https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/cl/chgcomsnmp.htm" target="_blank">Change Community for SNMP</a> (<code>CHGCOMSNMP</code>) command. For SNMPv3, there is now a <code>LOGGET</code> and a <code>LOGSET</code> parameter on the <a href="https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/cl/addusrsnmp.htm" target="_blank">Add User for SNMP</a> (<code>ADDUSRSNMP</code>) and <a href="https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/cl/chgusrsnmp.htm" target="_blank">Change User for SNMP</a> (<code>CHGUSRSNMP</code>) commands, which control the auditing of a specific SNMPv3 user.

SNMPv3 engine ID discovery takes place when an SNMP manager sends a Get request that specifies either a zero-length user name or the user name <code>initial</code>, together with an authoritative engine ID consisting of all zeros. Engine ID discovery requests are always audited if <code>LOGGET(*YES)</code> is specified in the system-wide SNMP attributes.

Note: When the PTFs are installed, any existing SNMP users have their auditing attributes set to <code>LOGGET(*SNMPATR)</code> and <code>LOGSET(*SNMPATR)</code>, which means that the system-wide SNMP attributes initially control auditing for all existing users.

The format and contents of an audit entry are described in the IBM i support document <a href="http://www-01.ibm.com/support/docview.wss?uid=nas8N1020901" target="_blank">QSNMP audit journal layout changes after applying PTFs</a>.

<strong>Appending Text to the System Description</strong>

It's now possible to specify additional text to be appended to the standard text description (<code>sysDescr</code>) that's returned. The standard text identifies the system as an IBM i and includes the version and release of the system. Previously, the System description (<code>SYSD</code>) parameter of the <code>CHGSNMPA</code> command had no effect on the standard text that was returned. A new parameter, Additional information (<code>ADLINF</code>), is now available on the <code>CHGSNMPA</code> command. Specifying <code>ADLINF(*SYSD)</code> causes any user-specified text entered for the <code>SYSD</code> parameter to be appended to the standard text returned for <code>sysDescr</code>. For example, if the command <code>CHGSNMPA SYSD('Application Test System') ADLINF(*SYSD)</code> is run, the text returned by a Get request for <code>sysDescr</code> will be "IBM OS/400 V7R3M0 Application Test System".

<strong>ASP Numbers for Storage Pool Descriptions</strong>

It's also now possible to have the ASP number appended to the descriptive text (<code>hrStorageDescr</code>) for all of the storage pools returned in the storage table (<code>hrStorageTable</code>). The new <code>ADLINF</code> parameter supports the value <code>*ASPNBR</code>, which causes the ASP number to be appended to the standard descriptive text. For example, if the command <code>CHGSNMPA ADLINF(*ASPNBR)</code> is run, the text returned by a Get request for <code>hrStorageDescr</code> for an independent ASP will be "Independent ASP 33" if 33 is the ASP number of that auxiliary storage pool.

The <code>ADLINF</code> parameter supports multiple values, so <code>*ASPNBR</code> and <code>*SYSD</code> can be specified at the same time: <code>CHGSNMPA ADLINF(*SYSD *ASPNBR)</code>.

Note: The IBM i SNMP agent must be ended and restarted for changes to the <code>ADLINF</code> parameter to take effect.

<strong>Larger Storage Pool Block Sizes</strong>

The largest configurable block size for storage pools supported by the Block size (<code>BLKSIZE</code>) parameter of the <code>CHGSNMPA</code> command was 32768 bytes. However, even larger block sizes are needed to accurately show storage sizes in the <code>hrStorageTable</code>. It's now possible to use block sizes up to 1 MB (1048576 bytes). In addition, special parameter values such as 512K and 1M can be used to make specifying block sizes easier. For example, specifying <code>CHGSNMPA BLKSIZE(512K 4096)</code> sets the storage pool block size to 512K (524288) bytes. The block sizes allowed for disk units have not changed.

<strong>Required PTFs</strong>

The following PTFs provide the new function described in this article:
• <a href="http://www-01.ibm.com/support/docview.wss?uid=nas3SI63661" target="_blank">SI63661</a> for IBM i 7.1
• <a href="http://www-01.ibm.com/support/docview.wss?uid=nas3SI63662" target="_blank">SI63662</a> for IBM i 7.2
• <a href="http://www-01.ibm.com/support/docview.wss?uid=nas3SI63664" target="_blank">SI63664</a> for IBM i 7.3
