Starting with VMware Cloud Director 10.2.2, you can configure the VMware Cloud Director appliance for SNMP v3. When you configure the SNMP agent for SNMP v3, the agent supports polling and provides stronger security, including cryptographic authentication and encryption.

Configuring the VMware Cloud Director appliance for SNMP v3 consists of three parts.
  1. Configuring the SNMP engine ID
  2. Configuring SNMP authentication and privacy protocols
  3. Configuring SNMP users

Every SNMP v3 agent has an engine ID, which serves as a unique identifier for the agent. The engine ID is used with a hashing function to generate localized keys for authentication and encryption of SNMP v3 messages. If you do not specify an engine ID before you enable the standalone SNMP agent, VMware Cloud Director generates one when you enable the agent.

To ensure the identity of users, you can use authentication. Privacy allows for encryption of SNMP v3 messages to ensure the confidentiality of the data. The privacy protocols provide a higher level of security than is available in SNMP v1 and v2c, which use community strings for security. Both authentication and privacy are optional. However, if you plan to enable privacy, you must enable authentication.

The default value for the authentication and privacy protocols is none.

You can configure up to five users who can access SNMP v3 information. User names must be no more than 32 characters long. While configuring a user, you generate the authentication and privacy hash values based on the authentication and privacy passwords of the user and the engine ID of the SNMP agent. After you configure the users, changing the engine ID, authentication protocol, or privacy protocol invalidates the users, and you must reconfigure them.

Prerequisites

If you want to configure SNMP authentication and privacy protocols, verify that you know the authentication and privacy passwords for each user that you plan to configure. The passwords must be at least eight characters long.

Procedure

  1. Log in to the appliance shell as a user with administrative privileges.
  2. Run the vicfg-snmp --engineid command to configure the engine ID.
    For example, run the following command:
    vicfg-snmp --engineid 80001f8880167b18238d613d6000000000
    Where 80001f8880167b18238d613d6000000000 is the ID, a hexadecimal string between 5 and 32 characters in length.
  3. (Optional) To configure the authentication protocol, run the vicfg-snmp --authentication command.
    For example, run the following command:
    vicfg-snmp --authentication protocol
    Where protocol must be none, for no authentication, or one of SHA1, SHA256, SHA384, or SHA512. For example, if you want to set the authentication protocol to SHA512, you must run the following command.
    vicfg-snmp --authentication SHA512
  4. (Optional) To configure the privacy protocol, run the vicfg-snmp --privacy command.
    For example, run the following command:
    vicfg-snmp --privacy protocol
    Where protocol must be none, for no privacy, or one of AES128, AES192, or AES256. For example, if you want to set the privacy protocol to AES128, you must run the following command.
    vicfg-snmp --privacy AES128
  5. If you are using authentication, privacy, or both, to generate the authentication and privacy hash values for a user, run the following command.
    vicfg-snmp --hashkey authentication-password privacy-password

    You must enter the authentication-password, the privacy-password, or both, depending on your authentication and privacy settings. The passwords must be at least 8 characters long. Make a note of the authentication-password and privacy-password because you need them for setting up an SNMP client. The output of the command includes the Authentication localized key and Privacy localized key information.

  6. Configure one or more users by running the following command.

    You can specify multiple users by adding them as a comma-separated list. You can configure up to five users.

    vicfg-snmp --users userid/authhash/privhash/security

    The parameters in the command are as follows.

    Parameter   Description
    userid      Replace with the user name.
    authhash    Replace with the authentication localized key, or - if the user does not use authentication.
    privhash    Replace with the privacy localized key, or - if the user does not use privacy.
    security    Replace with the level of security enabled for that user, which can be auth, for authentication only, priv, for authentication and privacy, or none, for no authentication or privacy.
    For example, if you want to configure a user without security, you can run:
    vicfg-snmp --users vcd-snmp-user/-/-/none
    If you want to configure a user with an authentication hash, you can run:
    vicfg-snmp --users vcd-snmp-user/225e07958d3c6af615588db17d61986e69fb7a71/-/auth
    If you want to configure a user with an authentication hash and a privacy hash, you can run:
    vicfg-snmp --users vcd-snmp-user/225e07958d3c6af615588db17d61986e69fb7a71/da1057af05f67a25a09265a9a2bedb53/priv
  7. (Optional) If you want to delete one or more users, repeat step 6 with the new user details.
    Running vicfg-snmp --users again overrides any previous settings.
  8. Enable SNMP by running the following command.
    vicfg-snmp --enable