When you configure the SNMP agent for SNMP v3, the agent supports sending traps. SNMP v3 also provides stronger security than v1 or v2c, including cryptographic authentication and encryption.

SNMP v3 informs are not supported. vCenter Server supports only notifications such as v1/v2c traps and v3 traps with all security levels.

Configure SNMP Engine ID

Every SNMP v3 agent has an engine ID, which serves as a unique identifier for the agent. The engine ID is used with a hashing function to generate localized keys for authentication and encryption of SNMP v3 messages.

If you do not specify an engine ID before you enable the standalone SNMP agent, an engine ID is generated when the agent is enabled.

Procedure

  1. Access the appliance shell and log in as a user who has the administrator or super administrator role.
    The default user with super administrator role is root.
  2. Run the snmp.set --engineid command to configure the engine ID.
    For example, run the following command:
    snmp.set --engineid 80001adc040102030405060708091011
    An engine ID value can be broken into hexadecimal octets, for example:
    80:00:1a:dc:04:24:17:e2:02:b8:61:3f:54:00:00:00:00

    and decoded as follows:

    80 -- The high bit is set (10000000 = 0x80), which indicates RFC 3411 encoding; the lower 7 bits (all 0) are part of the enterprise ID.

    00:1a:dc -- The rest of the enterprise ID. The value VMware uses is 1a:dc hexadecimal (6876 in decimal).

    04 -- The engine ID format, as defined in RFC 3411 (page 42). Format 4 indicates that the remaining octets can be translated to text.

    0102030405060708091011 -- Operator-specified text encoded as hexadecimal characters.
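The octet-by-octet decoding above, as an added example (not VMware code) that parses any RFC 3411 engine ID, not only the two values shown; parse_engine_id and describe_engine_id are hypothetical helper names.

```python
import struct

# Format codes for the fifth octet of an RFC 3411 SnmpEngineID
ENGINE_ID_FORMATS = {
    1: "IPv4 address", 2: "IPv6 address", 3: "MAC address",
    4: "administratively assigned text", 5: "administratively assigned octets",
}

def parse_engine_id(hexstr):
    """Decode an engine ID given as hex, with or without ':' separators
    (the form passed to snmp.set --engineid)."""
    raw = bytes.fromhex(hexstr.replace(":", ""))
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5 to 32 octets (RFC 3411)")
    rfc3411 = bool(raw[0] & 0x80)            # high bit set: RFC 3411 layout
    # Enterprise number: lower 7 bits of octet 0 plus octets 1-3, big-endian
    enterprise = struct.unpack(">I", bytes([raw[0] & 0x7F]) + raw[1:4])[0]
    if not rfc3411:
        # Legacy RFC 1910 layout: enterprise number followed by 8 arbitrary octets
        return {"rfc3411": False, "enterprise": enterprise, "format": None, "data": raw[4:]}
    fmt = raw[4]
    name = "enterprise-specific" if fmt >= 128 else ENGINE_ID_FORMATS.get(fmt, "reserved")
    return {"rfc3411": True, "enterprise": enterprise, "format": fmt,
            "format_name": name, "data": raw[5:]}

def describe_engine_id(hexstr):
    """Render the same breakdown as the text above, one line per field."""
    info = parse_engine_id(hexstr)
    raw = bytes.fromhex(hexstr.replace(":", ""))
    lines = [":".join(f"{b:02x}" for b in raw)]
    lines.append(f"{raw[0]:02x} -- high bit {'set' if info['rfc3411'] else 'clear'}, "
                 f"enterprise {info['enterprise']} ({info['enterprise']:#x})")
    if info["rfc3411"]:
        lines.append(f"{raw[4]:02x} -- format {info['format']} ({info['format_name']})")
        data = info["data"]
        # Format 4 data is only shown as text when every octet is printable ASCII
        if info["format"] == 4 and data.isascii() and data.decode().isprintable():
            lines.append(f"{data.hex()} -- text {data.decode()!r}")
        else:
            lines.append(f"{data.hex()} -- {len(data)} octets")
    return lines
```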

Configure SNMP Authentication and Privacy Protocols

SNMP v3 optionally supports authentication and privacy protocols.

Authentication is used to ensure the identity of users. Privacy allows for encryption of SNMP v3 messages to ensure confidentiality of data. The privacy protocols provide a higher level of security than is available in SNMP v1 and v2c, which use community strings for security.

Both authentication and privacy are optional. However, you must enable authentication if you plan to enable privacy.

The SNMP v3 authentication and privacy protocols are licensed vSphere features and might not be available in some vSphere editions.

Procedure

  1. Access the appliance shell and log in as a user who has the administrator or super administrator role.
    The default user with super administrator role is root.
  2. (Optional) Run the snmp.set --authentication command to configure authentication.
    For example, run the following command:
    snmp.set --authentication protocol
    Here, protocol must be none, for no authentication, SHA1, or MD5.
  3. (Optional) Run the snmp.set --privacy command to configure privacy protocol.
    For example, run the following command:
    snmp.set --privacy protocol
    Here, protocol must be either none, for no privacy, or AES128.

Configure SNMP Users

You can configure up to five users who can access SNMP v3 information. User names must be no more than 32 characters long.

While configuring a user, you generate authentication and privacy hash values based on the user's authentication and privacy passwords and on the SNMP agent's engine ID. After configuring users, if you change the engine ID, the authentication protocol, or the privacy protocol, the users are no longer valid and must be reconfigured.

Prerequisites

  • Verify that you have configured the authentication and privacy protocols before configuring users.
  • Verify that you know the authentication and privacy passwords for each user that you plan to configure. Passwords must be at least eight characters long. Store these passwords in files on the host system.

Procedure

  1. Access the appliance shell and log in as a user who has the administrator or super administrator role.
    The default user with super administrator role is root.
  2. If you are using authentication or privacy, get the authentication and privacy hash values for the user by running the snmp.hash --auth_hash --priv_hash command.
    For example, run the following command:
    snmp.hash --auth_hash secret1 --priv_hash secret2
    Here, secret1 is the path to the file containing the user's authentication password and secret2 is the path to the file containing the user's privacy password. Alternatively, you can specify the flag --raw_secret and set the boolean parameter to true.
    The authentication and privacy hash values are displayed.
  3. Configure the user by running snmp.set --user.
    For example, run the following command:
    snmp.set --user userid/authhash/privhash/security
    The parameters in the command are as follows.
    userid -- Replace with the user name.
    authhash -- Replace with the authentication hash value.
    privhash -- Replace with the privacy hash value.
    security -- Replace with the level of security enabled for that user: auth for authentication only, priv for authentication and privacy, or none for no authentication or privacy.
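Added example (not VMware code) of the key localization the text describes: the password is hashed and then bound to the engine ID, so a changed engine ID or protocol yields different keys and the user must be reconfigured. It assumes snmp.hash follows the standard RFC 3414 A.2 password-to-key algorithm and that the hash values are the hex-encoded localized keys; password_to_key and user_hashes are hypothetical names.

```python
import hashlib

# Assumption: the vCenter hashes are RFC 3414 A.2 localized keys (hex-encoded).
PROTOCOL_HASH = {"MD5": "md5", "SHA1": "sha1"}

def password_to_key(password, engine_id, hash_name):
    """Return Kul = H(Ku || engineID || Ku), where Ku is the hash of the
    password repeated out to 1,048,576 octets (RFC 3414 A.2.1)."""
    if len(password) < 8:
        raise ValueError("SNMP v3 passwords must be at least eight characters")
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5 to 32 octets (RFC 3411)")
    pw = password.encode()
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(hash_name, expanded).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def user_hashes(auth_password, priv_password, engine_id_hex,
                auth_protocol="SHA1", priv_protocol="AES128"):
    """Derive the (authhash, privhash) pair for one user as hex strings.
    Both keys are localized with the authentication protocol's hash; for
    AES128 only the first 128 bits of the localized key are used (RFC 3826)."""
    if auth_protocol == "none":
        raise ValueError("authentication must be enabled to derive key material")
    engine_id = bytes.fromhex(engine_id_hex.replace(":", ""))
    h = PROTOCOL_HASH[auth_protocol]
    auth_key = password_to_key(auth_password, engine_id, h)
    if priv_protocol == "none":
        return auth_key.hex(), None
    priv_key = password_to_key(priv_password, engine_id, h)
    if priv_protocol == "AES128":
        priv_key = priv_key[:16]
    return auth_key.hex(), priv_key.hex()
```

The test vectors in RFC 3414 A.3 (password "maplesyrup", engine ID 000000000000000000000002) reproduce the expected MD5 and SHA1 localized keys, which is the quickest way to confirm a reimplementation matches the standard.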

Configure SNMP v3 Targets

Configure SNMP v3 targets to allow the SNMP agent to send SNMP v3 traps.

You can configure a maximum of three SNMP v3 targets, in addition to a maximum of three SNMP v1 or v2c targets.

To configure a target, you must specify a host name or IP address of the system that receives the traps, a user name, a security level, and whether to send traps. The security level can be either none, for no security, auth, for authentication only, or priv, for authentication and privacy.

Procedure

  1. Access the appliance shell and log in as a user who has the administrator or super administrator role.
    The default user with super administrator role is root.
  2. Run the snmp.set --v3targets command to set up the SNMP v3 target.
    For example, run the following command:
    snmp.set --v3targets hostname@port/userid/secLevel/trap
    The parameters in the command are as follows.
    hostname -- Replace with the host name or IP address of the management system that receives the traps.
    port -- Replace with the port on the management system that receives the traps. If you do not specify a port, the default port, 161, is used.
    userid -- Replace with the user name.
    secLevel -- Replace with none, auth, or priv to indicate the level of authentication and privacy you have configured. Use auth if you have configured authentication only, priv if you have configured both authentication and privacy, and none if you have configured neither.
  3. (Optional) If the SNMP agent is not enabled, enable it by running the snmp.enable command.
  4. (Optional) To send a test trap to verify that the agent is configured correctly, run the snmp.test command.
    The agent sends a warmStart trap to the configured target.
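Added example (not part of the vCenter CLI) that checks a planned protocol, user and target configuration against the constraints stated in the sections above before any snmp.set command is run: privacy needs authentication, at most five users and three v3 targets, 32-character user names, and a target secLevel that a user's own security level can support. AgentConfig and check_config are hypothetical names.

```python
from dataclasses import dataclass, field

LEVELS = {"none": 0, "auth": 1, "priv": 2}

@dataclass
class AgentConfig:
    authentication: str = "none"                    # none | SHA1 | MD5
    privacy: str = "none"                           # none | AES128
    users: dict = field(default_factory=dict)       # userid -> none | auth | priv
    v3targets: list = field(default_factory=list)   # "hostname@port/userid/secLevel/trap"

def check_config(cfg):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if cfg.privacy != "none" and cfg.authentication == "none":
        problems.append("privacy requires authentication to be enabled")
    if len(cfg.users) > 5:
        problems.append("at most five SNMP v3 users can be configured")
    for name, level in cfg.users.items():
        if len(name) > 32:
            problems.append(f"user {name!r} exceeds 32 characters")
        if level not in LEVELS:
            problems.append(f"user {name!r}: security must be none, auth or priv")
        elif LEVELS[level] >= 1 and cfg.authentication == "none":
            problems.append(f"user {name!r} needs an authentication protocol")
        elif level == "priv" and cfg.privacy == "none":
            problems.append(f"user {name!r} needs a privacy protocol")
    if len(cfg.v3targets) > 3:
        problems.append("at most three SNMP v3 targets can be configured")
    for spec in cfg.v3targets:
        parts = spec.split("/")
        if len(parts) != 4 or parts[3] != "trap":
            problems.append(f"target {spec!r}: expected hostname@port/userid/secLevel/trap")
            continue
        host_port, userid, sec = parts[:3]
        host, _, port = host_port.partition("@")   # port is optional
        if not host or (port and not port.isdigit()):
            problems.append(f"target {spec!r}: bad hostname or port")
        if userid not in cfg.users:
            problems.append(f"target {spec!r}: user {userid!r} is not configured")
        elif sec not in LEVELS:
            problems.append(f"target {spec!r}: secLevel must be none, auth or priv")
        elif LEVELS[sec] > LEVELS.get(cfg.users[userid], 0):
            # A target cannot demand more protection than the user was created with
            problems.append(f"target {spec!r}: secLevel {sec} exceeds the user's {cfg.users[userid]}")
    return problems
```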