IBM Support

SI62450 - OSP-TCPIP-SNMP SNMPV3 ISSUE WITH SECURITY LEVEL VALIDATION

PTF ( Program Temporary Fixes ) Cover letter


Order this fix

Abstract

OSP-TCPIP-SNMP SNMPV3 ISSUE WITH SECURITY LEVEL VALIDATION


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL

TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
NONE



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.





APAR Error Description / Circumvention

-----------------------------------------------
SNMP is not correctly validating the security level of the
incoming message's SNMPv3 user with the security level of the
configured SNMPv3 user.

CORRECTION FOR APAR SE65607 :
-----------------------------
The SNMP agent code has been changed so that the security level
of the incoming message's SNMPv3 user must exactly match the
security level of the configured SNMPv3 user.  If a mismatch
occurs, the SNMP agent will not send a response to the incoming
message.

CIRCUMVENTION FOR APAR SE65607 :
--------------------------------
None.


Activation Instructions


None.




Special Instructions


********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI51555 :
=================================================

Before applying or removing this PTF, the SNMP server must be ended
using the command:  ENDTCPSVR *SNMP

After applying or removing this PTF, the SNMP server must be restarted
using the command:  STRTCPSVR *SNMP

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI50641 :
=================================================

SNMP should be ended prior to applying the PTF using the ENDTCPSVR
*SNMP command.

After applying the PTF, SNMP can be restarted using the STRTCPSVR *SNMP
command.

Any third party SNMP manager or agent jobs must also be ended and
restarted after applying this PTF.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI49918 :
=================================================

Before applying or removing this ptf
endtcpsvr *SNMP
After applying or removing this ptf
strtcpsvr *SNMP

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI49375 :
=================================================

The SNMP server must be ended before applying or removing this PTF
using the command ENDTCPSVR *SNMP.  After the PTF is applied or
removed, the SNMP server should be restarted using the command
STRTCPSVR *SNMP.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI46051 :
=================================================

The SNMP server must be ended with the ENDTCPSVR *SNMP command before
applying the PTF.  After applying the PTF, restart the SNMP server with
the STRTCPSVR *SNMP command.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI40847 :
=================================================

Before Applying/Removing PTF:
endtcpsvr *SNMP
endtrpmgr

After Applying/removing PTF
strtcpsvr *SMTP

If trap manager used:
strtrpmgr

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI43886 :
=================================================

SNMP and the trap manager should be ended prior to applying the PTF
using the ENDTCPSVR *SNMP and ENDTRPMGR commands.

After applying the PTF, SNMP and the trap manager can be restarted
using the STRTCPSVR *SNMP and STRTRPMGR commands.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI43043 :
=================================================

The SNMP server must be ended and restarted in order for this fix to
take effect.  In addition, trap manager applications should also be
ended and restarted.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI38048 :
=================================================

To change the way the SNMP manager performs time synchronization as
part of the authentication process, do the following:

1.  End the SNMP server:  ENDTCPSVR *SNMP

2.  Add the system wide environment variable QIBM_SNMPV3_AUTH:

ADDENVVAR ENVVAR(QIBM_SNMPV3_AUTH) VALUE('0') LEVEL(*SYS)

3.  Restart the SNMP server:  STRTCPSVR *SNMP

Note:  A value '0' as shown in the example is the default server
setting.  A value of '1' bypasses certain time synchronization checks
during authentication.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI37920 :
=================================================

Before applying this PTF, the SNMP server should be ended using the
following command:

ENDTCPSVR *SNMP

After applying this PTF. the SNMP server should be started using the
following command:

STRTCPSVR *SNMP


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI57735      OSP-OTHER-INCORROUT QSNMP JOURNAL LAYOUT/ENTRY INCORRECT
   SI57590      OSP-OTHER-INCORROUT SNMP QUERY TO HRMEMORYSIZE RETURNS 0
   SI56973      OSP-SNMP MSGMCH1401 T/QTOSUTIL WHEN MULTIPLE JOBS START SERV
   SI55745      OSP-COMM-OTHER-INCORROUT SNMP TRAPS USING QIBM_QZCA_SNMPTRAP
   SI55506      OSP-SNMP SENDING RESPONSES VIA PORT 161, GETBULK SUPPORT, AN
   SI51901      OSP-COMM-TCPIP-SNMPA-INCORROUT OID HRSTORAGEDESCR ONLY RETUR
   SI51555      OSP-COMM-TCPIP-SNMPA-INCORROUT SNMP OID FOR HRDISKSTORAGEACC
   SI55487      OSP-SNMP SENDING RESPONSES VIA PORT 161, GETBULK SUPPORT, AN
   SI51671      OSP-SNMP MANY MSGMCH3601 IN QTMSNMP JOB LOG
   SI51299      OSP-COMM-TCPIP-SNMPA CFGTCPSNMP COMMAND FAILS WITH MSGCPF410
   SI50908      OSP SNMPV3 FAILS TO RETURN QUERIES ON OIDS WITH TYPE COUNTER
   SI50641      TCPIP-OTHER-UNPRED SNMPV3 DISCOVERY ENHANCEMENTS.
   SI49918      OSP-MSGB900FDC7-PAR-940XCOMETN WRKPRB SHOW ERROR SRCB900FDC7
   SI49375      OSP-OTHER SNMP SUBAGENT JOB QSNMPSA ENDS AFTER REPEATED MCH1
   SI46168      OSP-COMM-TCPIP-SNMPA-MSGMCH6902 ON SNMPGET AND SNMPGETNEXT A
   SI46051      OSP-COMM-TCPIP-SNMPA-F/QTOSUTIL-MSGTCP4012 SNMPGETNEXT REQUE
   SI44610      TCPIP-OTHER-UNPRED SNMP REPLIES IN MIB WITH AN INCORRECT IP-
   SI44026      SP/QTOSUTIL MOD/QTOSUTIL MSGMCH3402 RC292 RIDS/INIT_AGENT
   SI40847      OSP-COMM-OTHER-MSGCPF5E88 QZCATHR JOB ENDS
   SI43886      OSP-TCPIP-SNMP TRAP RECEIVER DOES NOT SUPPORT IPV6
   SI43575      OSP-COMM-TCPIP-SNMPA-MSGCPFA808 QTRAPRCV
   SI43043      OSP-TCPIP SNMP FAILS WITH MSGTCP4011 FOR MULTIPLE TRAP MGRS
   SI41930      OSP-OTHER-F/FPBLACONVERTHWHIGHUSE-T/QZCAHRF-MSGMCH1212 MSGMC
   SI40458      OSP-TCPIP-SNMP MANAGER API ERROR FOR COUNTER64 DATA
   SI38048      OSP-TCPIP-SNMP SNMPV3 TIME SYNC DIFFERENCES
   SI37976      OSP-TCPIP-SNMP SERVER RESTART NEEDED FOR USM CHANGES
   SI37920      OSP-SNMP Counter64 OIDs are receiving a general error
   SI37843      OSP-TCPIP-SNMP LOOP IN QTMSNMP READING CONFIG FILE
   SI37774      OSP-TCPIP-SNMP ENGINE ID DISCOVERY FAILS
   SI37672      OSP-TCPIP-SNMP V3 AUTHENTICATION FAILS
   SI37572      OSP-SNMP-QTMSNMP ERRORS WITH VERSION 3 CONFIGURATION
   SI36557      OSP-COMM-TCPIP-SNMPA-INCORROUT SNMPGET

Summary Information

System.............................. i
Models..............................
Release............................. V7R1M0
Licensed Program............... 5770SS1
APAR Fixed.......................... SE65607
Superseded by:...................... View fix details for PTF SI66626
Recompile........................... N
Library............................. QSYS
MRI Feature ........................ NONE
Cum Level........................... C6320710


System i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

Document information

More support for: i family

Software version: V7R1M0

Operating system(s): OS/400

Reference #: SI62450

Modified date: 22 September 2016