PW.SRC example

The PW.SRC statements could be specified as follows:

passwd1 9.0.0.0      255.0.0.0
passwd2 129.34.81.22 255.255.255.255
IPv6passwd3 12ab::0 16 
IPv6passwd4 39B3::F430:03EE 128

The PW.SRC statements specify community names and hosts that can use each community name. The format of a statement is:

community_namedesired_networksnmp_mask

See z/OS Communications Server: IP Configuration Reference for more information about syntax.

The community name of an incoming SNMP request is compared to the known community names. If a match is found, then the IP address of the incoming request is logically ANDed with the snmp_mask of the PW.SRC statement. The result of the logical ANDing process is compared with the desired_network. If they match, the request is accepted.

In the case of a password definition to be used by an IPv6 address or range of IPv6 addresses, the snmp_mask can be specified as a prefix value. The prefix specifies the number of bits to be used to construct an IPv6 address mask.

In the preceding example, if a request for community_name passwd1 is received from the IP address 9.34.22.122, IP address 9.34.22.122 is ANDed with 255.0.0.0. The result is 9.0.0.0, which equals the specified desired_network for passwd1, so this request is accepted. In passwd2, if the community_names match, only requests from host 129.34.81.22 are accepted. The password IPv6passwd3 can be used by any IPv6 address that starts with 12ab.

If the community_name values do not match, or the IP address ANDed with the snmp_mask does not match, an AUTHENTICATION_FAILURE trap is sent if both of the following conditions are true:

A destination entry exists in SNMPTRAP.DEST.
Authentication failure traps have been enabled. These traps are enabled by either setting MIB object snmpEnableAuthenTraps.0 to 1, or specifying the following statement in the OSNMPD.DATA configuration information:
```
snmpEnableAuthenTraps 1
```

A desired_network and snmp_mask of all zeros allows anyone with the correct community_name to make requests. However, the passwords for IPv4 addresses and the passwords for IPv6 addresses are stored and handled separately. Defining a password for use by both IPv4 and IPv6 addresses requires two entries in PW.SRC. Likewise, defining a password to be used by all addresses (both IPv4 and IPv6) requires two entries as follows:

passwd5 0.0.0.0 0.0.0.0
passwd5 0::0 0

Note: By default, the SNMP agent and the snmp command send packets such that a VIPA address will be used as the originating address in the packet, if SOURCEVIPA is configured. This is a change introduced in V2R10; previously, the SNMP agent and the snmp command set a socket option to cause the physical interface addresses to be used as the originating addresses on packets they sent. That meant the PW.SRC file had to contain all of the possible physical interface addresses that might be used, rather than a smaller number of VIPA addresses. A customer can override this change in behavior, if wanted. This can be done for the SNMP agent by invoking it with the -a option. Similarly, you can do the same for the UNIX snmp command by either invoking it from the command line with the -a option, or by coding NOSVIPA in the command's OSNMP.CONF configuration file.