Well, I'm no expert on SNMPv3, but I'll try to have a go at this.
Hopefully one of the others will chip in if I go too far off-beam.
Well, typically an SNMPv3 client should start by "probing" the agent
to determine the engineID.
(i.e. send a dummy request, that will fail but trigger a response
containing the engineID)
The agent typically generates an engineID "sort-of-at-random".
There are a number of possible algorithms used to try and ensure
that engineIDs are unique. But in practise, you shouldn't need to
worry about this. Just use what it comes up with.
Yes - that's very likely.


I can't speak for the castlerock client, but certainly as far as
our tools are concerned, you shouldn't need to fiddle with the engineID
at all. As long as you've got the users and access control set up
properly, things will "just work".

Personally I'd start with a homogeneous environment, and only move on to
using a mixture of tools once you're happy things are working.
Which file did you put the 'createUser' line in?
Have a look at the 'snmpusm' command.
That can be used to delete users, or change their passwords.
Pretty much, yes.
It's only relatively recently that we've started to make any significant
use of contexts. And this is really only relevant if you're wanting
to implement "parallel" OID trees (e.g. for two different systems via
the same agent.

For simple SNMPv3 operation, you can assume the default "" context throughout.

Dave

It was probably mostly needed when first developing the SNMPv3 support.
And there's always going to be one or two wierdos who do need to be
able to set this explicitly.
The agent shouldn't be ignoring this option - it's just not typically
necessary to use it.

I actually argued for downgrade this from a top-level single-character
command-line option (bunching all the SNMPv3-related stuff under '-3x'
style options).
But that didn't receive a lot of support. :-(
SNMP-FRAMEWORK-MIB::snmpEngineID.0
OK - that looks right.

If you start the agent, then stop it again (cleanly),
the 'createUser' is still in the /var/net-snmp/snmpd.conf file - yes?
It's not replaced by a 'usmUser' line?
Fair enough.
I'd try to get things working with a single context to start with, though.
I presume you've got a proper user "internal" as well?
Yup - that looks fine.
Shouldn't matter in this case.
The quotes are interpreted by the shell.

They're only needed if you've got a multi-word context

snmpget -v 3 -u sven -n "my context" ....
What do you mean by "got it working"?
Different contexts, general SNMPv3 access or what?

How are you registering the MIB modules for the non-default context?

Dave

I have few questions regarding net-snmp-5.0.8.

1. Which mib module supports the user based security model. For
view-based-access-control module it is vacm_vars, but for USM which module
is available in the net-snmp-5.0.8.

2. If i want to make my agent (not snmpd) v3 enabled how to do that one.
Do i need to set the data store values, if so how to do that one i mean
functions needed to be invoked.

Regds,
Satya

"Below this line" ?

I tried this on my setup last night, and confirmed that the 'createUser'
lines *are* removed and replaced by 'usmUser' lines when the agent starts
up. So the basic functionality is working.

Try running the agent using

snmpd -f -Le -Dread-config


Have a look at the output, and see if you can spot anything that looks
suspicious....

Dave

No.
It would be if you had

com2sec internal 0.0.0.0/0 public
group mygroup v1 internal
group mygroup v2c internal

That creates an pseudo-user "internal", and assigns it to the group
"mygroup" for community-based requests.

But if you have

group mygroup usm internal

Then this is referring to SNMPv3 request with the user "internal",
so you do have to create a proper user for that to work.

But I suspect that you probably want the two community-based group
commands instead....
There are two alternative approaches to access control.

a) com2sec/group/view/access
(or just group/view/access for SNMPv3)

b) rocommunity/rwcommunity
(or rouser/rwuser for SNMPv3)

I suggest you don't try to mix them.

Please see the FAQ entries
How do I configure access control?
I don't understand the new access control stuff - what does it mean?
for details


Dave

Ah. I see what you mean.
Actually that *does* use the VACM module internally
(which is what was confusing me).
No - that's not what I meant. You said you needed to use contexts to
distinguish between parallel OID trees?

That means that you have to register a particular MIB in a particular
context in some way. By default, everything is registered in the
default context. So if you want to use non-default contexts, you've
got to tell the agent this *within* the agent code.

How are you doing this?

Dave

now it's clear
I mean the software which make the get / getnext reqeust at the agent.
Sven

There's no technical reason not to mix the two styles.
It's purely a matter of following what's happening.

If you're not fully au fait with how the two styles work, it's easier to
think of them as two separate alternatives, and just use one or the other.

But as long as you realise that the single-directive forms will be turned
into full group/view/access settings internally, then there's no real
technical reason not to mix.
What do you mean by client?
Is this a "request generator" - i.e. the equivalent of 'snmpwalk' et al?
In which case you should tell it to use the context ""

Or is it some form of "subagent" that your main agent is passing requests
off to? In which case the interface used to register with the main
agent needs to include the context(s) that it is expecting.
Yes.

Dave