Add User for SNMP (ADDUSRSNMP)

The Add User for SNMP (ADDUSRSNMP) command defines a Simple Network Management Protocol (SNMP) user entry and adds it to the SNMP agent user list. An SNMP agent uses this list of users as part of the SNMPv3 User-based Security Model (USM). The USM is used to protect SNMPv3 packets from Modification of Information (Data Integrity), Masquerading (Data Origin Authentication), Disclosure (Data Confidentiality), and Message Stream Modification (Message Timeliness) threats by utilizing a concept of multiple users where each user provides secret keys for authentication and privacy. Each user entry consists of a user name, an authentication protocol, an authentication password with which the authentication keys will be generated, a privacy protocol, a privacy password with which the privacy keys will be generated, a key type indicating whether the generated keys include the IBM i agent engine ID, and finally the type of storage used for this user entry.

The IBM i SNMP also supports the View-based Access Control Model used to associate groups of users with views. A view is a subset of the objects in the management information base (MIB). The Access Control Subsystem of the SNMP agent has the responsibility for checking whether a specific type of access (read, write, notify) to a particular object (instance) is allowed for this user. Access Control occurs (either implicitly or explicitly) in the IBM i SNMP agent when processing SNMP retrieval or modification request messages from an SNMP manager. Access Control also occurs in the IBM i SNMP agent when an SNMP notification message (trap) is generated. In order to implement the View-based Access Control Model, the SNMP agent stores information about access rights and policies. This information is part of the SNMP engine's Local Configuration Datastore (LCD). For the IBM i agent, the LCD is stored in SNMPD.CONF file located in the /QIBM/UserData/OS/SNMP/ directory.

Restrictions:

Parameters

Keyword   Description               Choices                               Notes
USRNAME   User name                 Character value                       Required, Positional 1
AUTPCL    Authentication protocol   *HMACSHA, *HMACMD5, *NONE             Optional
AUTPWD    Authentication password   Character value                       Optional
PVYPCL    Privacy protocol          *CBCDES, *NONE                        Optional
PVYPWD    Privacy password          Character value                       Optional
KEYTYPE   Key type                  *LOCALIZED, *NONLOCALIZED             Optional
STGTYPE   Storage type              *NONVOLATILE, *PERMANENT, *READONLY   Optional

User name (USRNAME)

Specifies the name of the SNMP user being added for the User-based Security Model (USM). Each user name must be unique within the SNMP agent user list. The user name has no direct correlation to an IBM i user profile.

This is a required parameter.

character-value
Specify the name of the SNMP user being added. A user name must be a minimum of 1 character and no more than 32 characters in length. A user name cannot contain any leading or embedded blanks.

Authentication protocol (AUTPCL)

Specifies the authentication protocol to be used on authenticated messages on behalf of the specified user.

*HMACSHA
The HMAC-SHA protocol will be used.
*HMACMD5
The HMAC-MD5 protocol will be used.
*NONE
No authentication will be used for this user.

Authentication password (AUTPWD)

Specifies the password used to generate the key to be used in authenticating messages on behalf of this user. This parameter must be specified if the Authentication protocol (AUTPCL) parameter is not *NONE.

character-value
Specify the authentication password to be used in authenticating messages on behalf of this user. A password must be a minimum of 8 characters in length. Up to 255 characters may be specified.

Privacy protocol (PVYPCL)

Specifies the privacy protocol to be used on encrypted messages on behalf of the specified user. This parameter is only valid if the Authentication protocol (AUTPCL) parameter is not *NONE.

*CBCDES
The CBC-DES protocol will be used.
*NONE
No privacy protocol will be used.

Privacy password (PVYPWD)

Specifies the password used to generate the key to be used in encrypting messages to and from this user. This parameter must be specified if the Privacy protocol (PVYPCL) parameter is not *NONE.

character-value
Specify the privacy password to be used. A password must be a minimum of 8 characters in length. Up to 255 characters may be specified.

Key type (KEYTYPE)

Specifies whether the keys generated for this user are localized or not localized. A localized key is generated with the appropriate IBM i SNMP Engine Identifier (ID), and the key will only be usable with the local IBM i SNMP engine. A non-localized key can be used with different SNMP engines. If both an Authentication password (AUTPWD) and a Privacy password (PVYPWD) are specified, the generated keys are either both localized or both non-localized.

*LOCALIZED
The keys are localized.
*NONLOCALIZED
The keys are not localized.
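The following Python script is an added example and is not part of the IBM i documentation or of the SNMP agent's own code. It shows what the AUTPWD, PVYPWD and KEYTYPE parameters produce: the RFC 3414 Appendix A.2 password-to-key algorithm yields the non-localized key (Ku), and hashing Ku together with the engine ID yields the localized key (Kul), which is why a *LOCALIZED key only works with the engine whose ID was used. The function names, the 8-to-255 character check taken from this page, and the demonstration values are the example's own; the "maplesyrup" password, the 12-byte engine ID and the expected keys in the usage note are the published test vectors from RFC 3414 Appendix A.3, which lets a practitioner confirm that a stored key matches what the agent should have derived.

```python
"""Derive SNMPv3 USM keys per RFC 3414 Appendix A.2 (added example, not IBM's code).

Demonstrates KEYTYPE(*NONLOCALIZED) versus KEYTYPE(*LOCALIZED) and the
DES key material a CBC-DES privacy key provides (RFC 3414 section 8.1.1.1).
"""
import hashlib

# Map the AUTPCL values from this page onto the digest each protocol uses.
AUTPCL_DIGEST = {
    "*HMACMD5": hashlib.md5,
    "*HMACSHA": hashlib.sha1,
}

MIN_PASSWORD_LEN = 8       # AUTPWD/PVYPWD minimum stated on this page
MAX_PASSWORD_LEN = 255     # AUTPWD/PVYPWD maximum stated on this page
EXPANSION_BYTES = 1_048_576  # RFC 3414 A.2: digest 1 MiB of the repeated password


def password_to_key(password: str, autpcl: str) -> bytes:
    """Return the non-localized key Ku for a password under the given protocol."""
    if autpcl not in AUTPCL_DIGEST:
        raise ValueError(f"unsupported authentication protocol {autpcl!r}")
    if not MIN_PASSWORD_LEN <= len(password) <= MAX_PASSWORD_LEN:
        raise ValueError("password must be 8 to 255 characters long")
    pw = password.encode("utf-8")
    # RFC 3414 cycles through the password until 1 MiB has been hashed.
    reps, rem = divmod(EXPANSION_BYTES, len(pw))
    return AUTPCL_DIGEST[autpcl](pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, autpcl: str) -> bytes:
    """Return Kul = H(Ku || engineID || Ku), usable only with that engine."""
    if not engine_id:
        raise ValueError("an engine ID is required to localize a key")
    return AUTPCL_DIGEST[autpcl](ku + engine_id + ku).digest()


def usm_key(password: str, autpcl: str, engine_id: bytes, keytype: str) -> bytes:
    """Produce the key the agent would store for the given KEYTYPE setting."""
    ku = password_to_key(password, autpcl)
    if keytype == "*NONLOCALIZED":
        return ku
    if keytype == "*LOCALIZED":
        return localize_key(ku, engine_id, autpcl)
    raise ValueError(f"unsupported key type {keytype!r}")


def cbc_des_key_material(privacy_key: bytes) -> tuple[bytes, bytes]:
    """Split a privacy key into the DES key and pre-IV (RFC 3414 8.1.1.1).

    Only the first 16 octets are used; with HMAC-SHA the derived key is
    20 octets long and the trailing four are ignored.
    """
    if len(privacy_key) < 16:
        raise ValueError("privacy key must be at least 16 octets")
    return privacy_key[:8], privacy_key[8:16]


if __name__ == "__main__":
    # RFC 3414 Appendix A.3 test vector: password "maplesyrup", engine ID ...02.
    engine_id = bytes.fromhex("000000000000000000000002")
    for autpcl in ("*HMACMD5", "*HMACSHA"):
        ku = usm_key("maplesyrup", autpcl, engine_id, "*NONLOCALIZED")
        kul = usm_key("maplesyrup", autpcl, engine_id, "*LOCALIZED")
        print(f"{autpcl}: Ku={ku.hex()} Kul={kul.hex()}")
    des_key, pre_iv = cbc_des_key_material(
        usm_key("maplesyrup", "*HMACMD5", engine_id, "*LOCALIZED"))
    print(f"CBC-DES key={des_key.hex()} pre-IV={pre_iv.hex()}")
```

Running the script reproduces the RFC 3414 A.3 values: for HMAC-MD5, Ku is 9faf3283884e92834ebc9847d8edd963 and Kul is 526f5eed9fcce26f8964c2930787d82b; for HMAC-SHA, Ku is 9fb5cc0381497b3793528939ff788d5d79145211 and Kul is 6695febc9288e36282235fc7151f128497b38f3f. The same password produces a different Kul for every engine ID, which is the practical meaning of KEYTYPE(*LOCALIZED): a key copied from one agent's configuration is useless on another engine, whereas a *NONLOCALIZED key is the same everywhere and must be protected accordingly.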

Storage type (STGTYPE)

Specifies the type of storage in which this user definition is maintained. This parameter is an indicator of the level of dynamic configuration available for the user.

*NONVOLATILE
The user definition persists across reboots of the SNMP agent. However, it can be changed or even deleted by dynamic configuration requests.
*PERMANENT
The user definition persists across reboots of the SNMP agent. However, it can be changed but not deleted by dynamic configuration requests.
*READONLY
The user definition persists across reboots of the SNMP agent. It cannot be changed or deleted by dynamic configuration requests.

Examples

Example 1: Adding an Unsecure User for SNMP

ADDUSRSNMP   USRNAME(USER1)  AUTPCL(*NONE)  PVYPCL(*NONE)

This command adds an SNMP user named USER1. The user is not using an authentication or privacy protocol.

Example 2: Adding a Secure User for SNMP

ADDUSRSNMP   USRNAME(SECUSER)
             AUTPCL(*HMACMD5)  AUTPWD('pwd4SecUser')
             PVYPCL(*CBCDES)  PVYPWD('pvypwd-4-SecUser')
             KEYTYPE(*NONLOCALIZED)  STGTYPE(*READONLY)

This command adds an SNMP user named SECUSER. The authentication protocol used is HMAC-MD5 with an authentication password of 'pwd4SecUser'. The privacy protocol used is CBC-DES with a privacy password of 'pvypwd-4-SecUser'. The key type is *NONLOCALIZED so that the keys generated can be used with different SNMP engines. The storage type is *READONLY which will prevent this user definition from being changed or deleted by dynamic configuration requests.

Error messages

*ESCAPE Messages

TCP4001
Error occurred accessing SNMP configuration information.
TCP4027
SNMP user &1 not added.
TCP8050
*IOSYSCFG authority required to use &1.