SNMP-USER-BASED-SM-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE,
OBJECT-IDENTITY,
snmpModules, Counter32 FROM SNMPv2-SMI
TEXTUAL-CONVENTION, TestAndIncr,
RowStatus, RowPointer,
StorageType, AutonomousType FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
SnmpAdminString, SnmpEngineID,
snmpAuthProtocols, snmpPrivProtocols FROM SNMP-FRAMEWORK-MIB;
snmpUsmMIB MODULE-IDENTITY
LAST-UPDATED "200210160000Z" -- 16 Oct 2002, midnight
ORGANIZATION "SNMPv3 Working Group"
CONTACT-INFO "WG-email: snmpv3@lists.tislabs.com
Subscribe: majordomo@lists.tislabs.com
In msg body: subscribe snmpv3
Chair: Russ Mundy
Network Associates Laboratories
postal: 15204 Omega Drive, Suite 300
Rockville, MD 20850-4601
USA
email: mundy@tislabs.com
phone: +1 301-947-7107
Co-Chair: David Harrington
Enterasys Networks
Postal: 35 Industrial Way
P. O. Box 5004
Rochester, New Hampshire 03866-5005
USA
EMail: dbh@enterasys.com
Phone: +1 603-337-2614
Co-editor Uri Blumenthal
Lucent Technologies
postal: 67 Whippany Rd.
Whippany, NJ 07981
USA
email: uri@lucent.com
phone: +1-973-386-2163
Co-editor: Bert Wijnen
Lucent Technologies
postal: Schagen 33
3461 GL Linschoten
Netherlands
email: bwijnen@lucent.com
phone: +31-348-480-685
"
DESCRIPTION "The management information definitions for the
SNMP User-based Security Model.
Copyright (C) The Internet Society (2002). This
version of this MIB module is part of RFC 3414;
see the RFC itself for full legal notices.
"
-- Revision history
REVISION "200210160000Z" -- 16 Oct 2002, midnight
DESCRIPTION "Changes in this revision:
- Updated references and contact info.
- Clarification to usmUserCloneFrom DESCRIPTION
clause
- Fixed 'command responder' into 'command generator'
in last para of DESCRIPTION clause of
usmUserTable.
This revision published as RFC3414.
"
REVISION "199901200000Z" -- 20 Jan 1999, midnight
DESCRIPTION "Clarifications, published as RFC2574"
REVISION "199711200000Z" -- 20 Nov 1997, midnight
DESCRIPTION "Initial version, published as RFC2274"
::= { snmpModules 15 }
-- Administrative assignments ****************************************
usmMIBObjects OBJECT IDENTIFIER ::= { snmpUsmMIB 1 }
usmMIBConformance OBJECT IDENTIFIER ::= { snmpUsmMIB 2 }
-- Identification of Authentication and Privacy Protocols ************
usmNoAuthProtocol OBJECT-IDENTITY
STATUS current
DESCRIPTION "No Authentication Protocol."
::= { snmpAuthProtocols 1 }
usmHMACMD5AuthProtocol OBJECT-IDENTITY
STATUS current
DESCRIPTION "The HMAC-MD5-96 Digest Authentication Protocol."
REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti HMAC:
Keyed-Hashing for Message Authentication,
RFC2104, Feb 1997.
- Rivest, R., Message Digest Algorithm MD5, RFC1321.
"
::= { snmpAuthProtocols 2 }
usmHMACSHAAuthProtocol OBJECT-IDENTITY
STATUS current
DESCRIPTION "The HMAC-SHA-96 Digest Authentication Protocol."
REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti, HMAC:
Keyed-Hashing for Message Authentication,
RFC2104, Feb 1997.
- Secure Hash Algorithm. NIST FIPS 180-1.
"
::= { snmpAuthProtocols 3 }
usmNoPrivProtocol OBJECT-IDENTITY
STATUS current
DESCRIPTION "No Privacy Protocol."
::= { snmpPrivProtocols 1 }
usmDESPrivProtocol OBJECT-IDENTITY
STATUS current
DESCRIPTION "The CBC-DES Symmetric Encryption Protocol."
REFERENCE "- Data Encryption Standard, National Institute of
Standards and Technology. Federal Information
Processing Standard (FIPS) Publication 46-1.
Supersedes FIPS Publication 46,
(January, 1977; reaffirmed January, 1988).
- Data Encryption Algorithm, American National
Standards Institute. ANSI X3.92-1981,
(December, 1980).
- DES Modes of Operation, National Institute of
Standards and Technology. Federal Information
Processing Standard (FIPS) Publication 81,
(December, 1980).
- Data Encryption Algorithm - Modes of Operation,
American National Standards Institute.
ANSI X3.106-1983, (May 1983).
"
::= { snmpPrivProtocols 2 }
-- Textual Conventions ***********************************************
KeyChange ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Every definition of an object with this syntax must identify
a protocol P, a secret key K, and a hash algorithm H
that produces output of L octets.
The object's value is a manager-generated, partially-random
value which, when modified, causes the value of the secret
key K, to be modified via a one-way function.
The value of an instance of this object is the concatenation
of two components: first a 'random' component and then a
'delta' component.
The lengths of the random and delta components
are given by the corresponding value of the protocol P;
if P requires K to be a fixed length, the length of both the
random and delta components is that fixed length; if P
allows the length of K to be variable up to a particular
maximum length, the length of the random component is that
maximum length and the length of the delta component is any
length less than or equal to that maximum length.
For example, usmHMACMD5AuthProtocol requires K to be a fixed
length of 16 octets and L - of 16 octets.
usmHMACSHAAuthProtocol requires K to be a fixed length of
20 octets and L - of 20 octets. Other protocols may define
other sizes, as deemed appropriate.
When a requester wants to change the old key K to a new
key keyNew on a remote entity, the 'random' component is
obtained from either a true random generator, or from a
pseudorandom generator, and the 'delta' component is
computed as follows:
- a temporary variable is initialized to the existing value
of K;
- if the length of the keyNew is greater than L octets,
then:
- the random component is appended to the value of the
temporary variable, and the result is input to the
hash algorithm H to produce a digest value, and
the temporary variable is set to this digest value;
- the value of the temporary variable is XOR-ed with
the first (next) L-octets (16 octets in case of MD5)
of the keyNew to produce the first (next) L-octets
(16 octets in case of MD5) of the 'delta' component.
- the above two steps are repeated until the unused
portion of the keyNew component is L octets or less,
- the random component is appended to the value of the
temporary variable, and the result is input to the
hash algorithm H to produce a digest value;
- this digest value, truncated if necessary to be the same
length as the unused portion of the keyNew, is XOR-ed
with the unused portion of the keyNew to produce the
(final portion of the) 'delta' component.
For example, using MD5 as the hash algorithm H:
iterations = (lenOfDelta - 1)/16; /* integer division */
temp = keyOld;
for (i = 0; i < iterations; i++) {
temp = MD5 (temp || random);
delta[i*16 .. (i*16)+15] =
temp XOR keyNew[i*16 .. (i*16)+15];
}
temp = MD5 (temp || random);
delta[i*16 .. lenOfDelta-1] =
temp XOR keyNew[i*16 .. lenOfDelta-1];
The 'random' and 'delta' components are then concatenated as
described above, and the resulting octet string is sent to
the recipient as the new value of an instance of this object.
At the receiver side, when an instance of this object is set
to a new value, then a new value of K is computed as follows:
- a temporary variable is initialized to the existing value
of K;
- if the length of the delta component is greater than L
octets, then:
- the random component is appended to the value of the
temporary variable, and the result is input to the
hash algorithm H to produce a digest value, and the
temporary variable is set to this digest value;
- the value of the temporary variable is XOR-ed with
the first (next) L-octets (16 octets in case of MD5)
of the delta component to produce the first (next)
L-octets (16 octets in case of MD5) of the new value
of K.
- the above two steps are repeated until the unused
portion of the delta component is L octets or less,
- the random component is appended to the value of the
temporary variable, and the result is input to the
hash algorithm H to produce a digest value;
- this digest value, truncated if necessary to be the same
length as the unused portion of the delta component, is
XOR-ed with the unused portion of the delta component to
produce the (final portion of the) new value of K.
For example, using MD5 as the hash algorithm H:
iterations = (lenOfDelta - 1)/16; /* integer division */
temp = keyOld;
for (i = 0; i < iterations; i++) {
temp = MD5 (temp || random);
keyNew[i*16 .. (i*16)+15] =
temp XOR delta[i*16 .. (i*16)+15];
}
temp = MD5 (temp || random);
keyNew[i*16 .. lenOfDelta-1] =
temp XOR delta[i*16 .. lenOfDelta-1];
The value of an object with this syntax, whenever it is
retrieved by the management protocol, is always the zero
length string.
Note that the keyOld and keyNew are the localized keys.
Note that it is probably wise that when an SNMP entity sends
a SetRequest to change a key, that it keeps a copy of the old
key until it has confirmed that the key change actually
succeeded.
"
SYNTAX OCTET STRING
-- Statistics for the User-based Security Model **********************
usmStats OBJECT IDENTIFIER ::= { usmMIBObjects 1 }
usmStatsUnsupportedSecLevels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because they requested a
securityLevel that was unknown to the SNMP engine
or otherwise unavailable.
"
::= { usmStats 1 }
usmStatsNotInTimeWindows OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because they appeared
outside of the authoritative SNMP engine's window.
"
::= { usmStats 2 }
usmStatsUnknownUserNames OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because they referenced a
user that was not known to the SNMP engine.
"
::= { usmStats 3 }
usmStatsUnknownEngineIDs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because they referenced an
snmpEngineID that was not known to the SNMP engine.
"
::= { usmStats 4 }
usmStatsWrongDigests OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because they didn't
contain the expected digest value.
"
::= { usmStats 5 }
usmStatsDecryptionErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because they could not be
decrypted.
"
::= { usmStats 6 }
-- The usmUser Group ************************************************
usmUser OBJECT IDENTIFIER ::= { usmMIBObjects 2 }
usmUserSpinLock OBJECT-TYPE
SYNTAX TestAndIncr
MAX-ACCESS read-write
STATUS current
DESCRIPTION "An advisory lock used to allow several cooperating
Command Generator Applications to coordinate their
use of facilities to alter secrets in the
usmUserTable.
"
::= { usmUser 1 }
-- The table of valid users for the User-based Security Model ********
usmUserTable OBJECT-TYPE
SYNTAX SEQUENCE OF UsmUserEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The table of users configured in the SNMP engine's
Local Configuration Datastore (LCD).
To create a new user (i.e., to instantiate a new
conceptual row in this table), it is recommended to
follow this procedure:
1) GET(usmUserSpinLock.0) and save in sValue.
2) SET(usmUserSpinLock.0=sValue,
usmUserCloneFrom=templateUser,
usmUserStatus=createAndWait)
You should use a template user to clone from
which has the proper auth/priv protocol defined.
If the new user is to use privacy:
3) generate the keyChange value based on the secret
privKey of the clone-from user and the secret key
to be used for the new user. Let us call this
pkcValue.
4) GET(usmUserSpinLock.0) and save in sValue.
5) SET(usmUserSpinLock.0=sValue,
usmUserPrivKeyChange=pkcValue
usmUserPublic=randomValue1)
6) GET(usmUserPublic) and check it has randomValue1.
If not, repeat steps 4-6.
If the new user will never use privacy:
7) SET(usmUserPrivProtocol=usmNoPrivProtocol)
If the new user is to use authentication:
8) generate the keyChange value based on the secret
authKey of the clone-from user and the secret key
to be used for the new user. Let us call this
akcValue.
9) GET(usmUserSpinLock.0) and save in sValue.
10) SET(usmUserSpinLock.0=sValue,
usmUserAuthKeyChange=akcValue
usmUserPublic=randomValue2)
11) GET(usmUserPublic) and check it has randomValue2.
If not, repeat steps 9-11.
If the new user will never use authentication:
12) SET(usmUserAuthProtocol=usmNoAuthProtocol)
Finally, activate the new user:
13) SET(usmUserStatus=active)
The new user should now be available and ready to be
used for SNMPv3 communication. Note however that access
to MIB data must be provided via configuration of the
SNMP-VIEW-BASED-ACM-MIB.
The use of usmUserSpinLock is to avoid conflicts with
another SNMP command generator application which may
also be acting on the usmUserTable.
"
::= { usmUser 2 }
usmUserEntry OBJECT-TYPE
SYNTAX UsmUserEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "A user configured in the SNMP engine's Local
Configuration Datastore (LCD) for the User-based
Security Model.
"
INDEX { usmUserEngineID,
usmUserName
}
::= { usmUserTable 1 }
UsmUserEntry ::= SEQUENCE
{
usmUserEngineID SnmpEngineID,
usmUserName SnmpAdminString,
usmUserSecurityName SnmpAdminString,
usmUserCloneFrom RowPointer,
usmUserAuthProtocol AutonomousType,
usmUserAuthKeyChange KeyChange,
usmUserOwnAuthKeyChange KeyChange,
usmUserPrivProtocol AutonomousType,
usmUserPrivKeyChange KeyChange,
usmUserOwnPrivKeyChange KeyChange,
usmUserPublic OCTET STRING,
usmUserStorageType StorageType,
usmUserStatus RowStatus
}
usmUserEngineID OBJECT-TYPE
SYNTAX SnmpEngineID
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "An SNMP engine's administratively-unique identifier.
In a simple agent, this value is always that agent's
own snmpEngineID value.
The value can also take the value of the snmpEngineID
of a remote SNMP engine with which this user can
communicate.
"
::= { usmUserEntry 1 }
usmUserName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "A human readable string representing the name of
the user.
This is the (User-based Security) Model dependent
security ID.
"
::= { usmUserEntry 2 }
usmUserSecurityName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION "A human readable string representing the user in
Security Model independent format.
The default transformation of the User-based Security
Model dependent security ID to the securityName and
vice versa is the identity function so that the
securityName is the same as the userName.
"
::= { usmUserEntry 3 }
usmUserCloneFrom OBJECT-TYPE
SYNTAX RowPointer
MAX-ACCESS read-create
STATUS current
DESCRIPTION "A pointer to another conceptual row in this
usmUserTable. The user in this other conceptual
row is called the clone-from user.
When a new user is created (i.e., a new conceptual
row is instantiated in this table), the privacy and
authentication parameters of the new user must be
cloned from its clone-from user. These parameters are:
- authentication protocol (usmUserAuthProtocol)
- privacy protocol (usmUserPrivProtocol)
They will be copied regardless of what the current
value is.
Cloning also causes the initial values of the secret
authentication key (authKey) and the secret encryption
key (privKey) of the new user to be set to the same
values as the corresponding secrets of the clone-from
user to allow the KeyChange process to occur as
required during user creation.
The first time an instance of this object is set by
a management operation (either at or after its
instantiation), the cloning process is invoked.
Subsequent writes are successful but invoke no
action to be taken by the receiver.
The cloning process fails with an 'inconsistentName'
error if the conceptual row representing the
clone-from user does not exist or is not in an active
state when the cloning process is invoked.
When this object is read, the ZeroDotZero OID
is returned.
"
::= { usmUserEntry 4 }
usmUserAuthProtocol OBJECT-TYPE
SYNTAX AutonomousType
MAX-ACCESS read-create
STATUS current
DESCRIPTION "An indication of whether messages sent on behalf of
this user to/from the SNMP engine identified by
usmUserEngineID, can be authenticated, and if so,
the type of authentication protocol which is used.
An instance of this object is created concurrently
with the creation of any other object instance for
the same user (i.e., as part of the processing of
the set operation which creates the first object
instance in the same conceptual row).
If an initial set operation (i.e. at row creation time)
tries to set a value for an unknown or unsupported
protocol, then a 'wrongValue' error must be returned.
The value will be overwritten/set when a set operation
is performed on the corresponding instance of
usmUserCloneFrom.
Once instantiated, the value of such an instance of
this object can only be changed via a set operation to
the value of the usmNoAuthProtocol.
If a set operation tries to change the value of an
existing instance of this object to any value other
than usmNoAuthProtocol, then an 'inconsistentValue'
error must be returned.
If a set operation tries to set the value to the
usmNoAuthProtocol while the usmUserPrivProtocol value
in the same row is not equal to usmNoPrivProtocol,
then an 'inconsistentValue' error must be returned.
That means that an SNMP command generator application
must first ensure that the usmUserPrivProtocol is set
to the usmNoPrivProtocol value before it can set
the usmUserAuthProtocol value to usmNoAuthProtocol.
"
DEFVAL { usmNoAuthProtocol }
::= { usmUserEntry 5 }
usmUserAuthKeyChange OBJECT-TYPE
SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5
-- typically (SIZE (0 | 40)) for HMACSHA
MAX-ACCESS read-create
STATUS current
DESCRIPTION "An object, which when modified, causes the secret
authentication key used for messages sent on behalf
of this user to/from the SNMP engine identified by
usmUserEngineID, to be modified via a one-way
function.
The associated protocol is the usmUserAuthProtocol.
The associated secret key is the user's secret
authentication key (authKey). The associated hash
algorithm is the algorithm used by the user's
usmUserAuthProtocol.
When creating a new user, it is an 'inconsistentName'
error for a set operation to refer to this object
unless it is previously or concurrently initialized
through a set operation on the corresponding instance
of usmUserCloneFrom.
When the value of the corresponding usmUserAuthProtocol
is usmNoAuthProtocol, then a set is successful, but
effectively is a no-op.
When this object is read, the zero-length (empty)
string is returned.
The recommended way to do a key change is as follows:
1) GET(usmUserSpinLock.0) and save in sValue.
2) generate the keyChange value based on the old
(existing) secret key and the new secret key,
let us call this kcValue.
If you do the key change on behalf of another user:
3) SET(usmUserSpinLock.0=sValue,
usmUserAuthKeyChange=kcValue
usmUserPublic=randomValue)
If you do the key change for yourself:
4) SET(usmUserSpinLock.0=sValue,
usmUserOwnAuthKeyChange=kcValue
usmUserPublic=randomValue)
If you get a response with error-status of noError,
then the SET succeeded and the new key is active.
If you do not get a response, then you can issue a
GET(usmUserPublic) and check if the value is equal
to the randomValue you did send in the SET. If so, then
the key change succeeded and the new key is active
(probably the response got lost). If not, then the SET
request probably never reached the target and so you
can start over with the procedure above.
"
DEFVAL { ''H } -- the empty string
::= { usmUserEntry 6 }
usmUserOwnAuthKeyChange OBJECT-TYPE
SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5
-- typically (SIZE (0 | 40)) for HMACSHA
MAX-ACCESS read-create
STATUS current
DESCRIPTION "Behaves exactly as usmUserAuthKeyChange, with one
notable difference: in order for the set operation
to succeed, the usmUserName of the operation
requester must match the usmUserName that
indexes the row which is targeted by this
operation.
In addition, the USM security model must be
used for this operation.
The idea here is that access to this column can be
public, since it will only allow a user to change
his own secret authentication key (authKey).
Note that this can only be done once the row is active.
When a set is received and the usmUserName of the
requester is not the same as the usmUserName that
indexes the row which is targeted by this operation,
then a 'noAccess' error must be returned.
When a set is received and the security model in use
is not USM, then a 'noAccess' error must be returned.
"
DEFVAL { ''H } -- the empty string
::= { usmUserEntry 7 }
usmUserPrivProtocol OBJECT-TYPE
SYNTAX AutonomousType
MAX-ACCESS read-create
STATUS current
DESCRIPTION "An indication of whether messages sent on behalf of
this user to/from the SNMP engine identified by
usmUserEngineID, can be protected from disclosure,
and if so, the type of privacy protocol which is used.
An instance of this object is created concurrently
with the creation of any other object instance for
the same user (i.e., as part of the processing of
the set operation which creates the first object
instance in the same conceptual row).
If an initial set operation (i.e. at row creation time)
tries to set a value for an unknown or unsupported
protocol, then a 'wrongValue' error must be returned.
The value will be overwritten/set when a set operation
is performed on the corresponding instance of
usmUserCloneFrom.
Once instantiated, the value of such an instance of
this object can only be changed via a set operation to
the value of the usmNoPrivProtocol.
If a set operation tries to change the value of an
existing instance of this object to any value other
than usmNoPrivProtocol, then an 'inconsistentValue'
error must be returned.
Note that if any privacy protocol is used, then you
must also use an authentication protocol. In other
words, if usmUserPrivProtocol is set to anything else
than usmNoPrivProtocol, then the corresponding instance
of usmUserAuthProtocol cannot have a value of
usmNoAuthProtocol. If it does, then an
'inconsistentValue' error must be returned.
"
DEFVAL { usmNoPrivProtocol }
::= { usmUserEntry 8 }
usmUserPrivKeyChange OBJECT-TYPE
SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES
MAX-ACCESS read-create
STATUS current
DESCRIPTION "An object, which when modified, causes the secret
encryption key used for messages sent on behalf
of this user to/from the SNMP engine identified by
usmUserEngineID, to be modified via a one-way
function.
The associated protocol is the usmUserPrivProtocol.
The associated secret key is the user's secret
privacy key (privKey). The associated hash
algorithm is the algorithm used by the user's
usmUserAuthProtocol.
When creating a new user, it is an 'inconsistentName'
error for a set operation to refer to this object
unless it is previously or concurrently initialized
through a set operation on the corresponding instance
of usmUserCloneFrom.
When the value of the corresponding usmUserPrivProtocol
is usmNoPrivProtocol, then a set is successful, but
effectively is a no-op.
When this object is read, the zero-length (empty)
string is returned.
See the description clause of usmUserAuthKeyChange for
a recommended procedure to do a key change.
"
DEFVAL { ''H } -- the empty string
::= { usmUserEntry 9 }
usmUserOwnPrivKeyChange OBJECT-TYPE
SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES
MAX-ACCESS read-create
STATUS current
DESCRIPTION "Behaves exactly as usmUserPrivKeyChange, with one
notable difference: in order for the Set operation
to succeed, the usmUserName of the operation
requester must match the usmUserName that indexes
the row which is targeted by this operation.
In addition, the USM security model must be
used for this operation.
The idea here is that access to this column can be
public, since it will only allow a user to change
his own secret privacy key (privKey).
Note that this can only be done once the row is active.
When a set is received and the usmUserName of the
requester is not the same as the usmUserName that
indexes the row which is targeted by this operation,
then a 'noAccess' error must be returned.
When a set is received and the security model in use
is not USM, then a 'noAccess' error must be returned.
"
DEFVAL { ''H } -- the empty string
::= { usmUserEntry 10 }
usmUserPublic OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION "A publicly-readable value which can be written as part
of the procedure for changing a user's secret
authentication and/or privacy key, and later read to
determine whether the change of the secret was
effected.
"
DEFVAL { ''H } -- the empty string
::= { usmUserEntry 11 }
usmUserStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The storage type for this conceptual row.
Conceptual rows having the value 'permanent' must
allow write-access at a minimum to:
- usmUserAuthKeyChange, usmUserOwnAuthKeyChange
and usmUserPublic for a user who employs
authentication, and
- usmUserPrivKeyChange, usmUserOwnPrivKeyChange
and usmUserPublic for a user who employs
privacy.
Note that any user who employs authentication or
privacy must allow its secret(s) to be updated and
thus cannot be 'readOnly'.
If an initial set operation tries to set the value to
'readOnly' for a user who employs authentication or
privacy, then an 'inconsistentValue' error must be
returned. Note that if the value has been previously
set (implicit or explicit) to any value, then the rules
as defined in the StorageType Textual Convention apply.
It is an implementation issue to decide if a SET for
a readOnly or permanent row is accepted at all. In some
contexts this may make sense, in others it may not. If
a SET for a readOnly or permanent row is not accepted
at all, then a 'wrongValue' error must be returned.
"
DEFVAL { nonVolatile }
::= { usmUserEntry 12 }
usmUserStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The status of this conceptual row.
Until instances of all corresponding columns are
appropriately configured, the value of the
corresponding instance of the usmUserStatus column
is 'notReady'.
In particular, a newly created row for a user who
employs authentication, cannot be made active until the
corresponding usmUserCloneFrom and usmUserAuthKeyChange
have been set.
Further, a newly created row for a user who also
employs privacy, cannot be made active until the
usmUserPrivKeyChange has been set.
The RowStatus TC [RFC2579] requires that this
DESCRIPTION clause states under which circumstances
other objects in this row can be modified:
The value of this object has no effect on whether
other objects in this conceptual row can be modified,
except for usmUserOwnAuthKeyChange and
usmUserOwnPrivKeyChange. For these 2 objects, the
value of usmUserStatus MUST be active.
"
::= { usmUserEntry 13 }
-- Conformance Information *******************************************
usmMIBCompliances OBJECT IDENTIFIER ::= { usmMIBConformance 1 }
usmMIBGroups OBJECT IDENTIFIER ::= { usmMIBConformance 2 }
-- Compliance statements
usmMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION "The compliance statement for SNMP engines which
implement the SNMP-USER-BASED-SM-MIB.
"
MODULE -- this module
MANDATORY-GROUPS { usmMIBBasicGroup }
OBJECT usmUserAuthProtocol
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT usmUserPrivProtocol
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
::= { usmMIBCompliances 1 }
-- Units of compliance
usmMIBBasicGroup OBJECT-GROUP
OBJECTS {
usmStatsUnsupportedSecLevels,
usmStatsNotInTimeWindows,
usmStatsUnknownUserNames,
usmStatsUnknownEngineIDs,
usmStatsWrongDigests,
usmStatsDecryptionErrors,
usmUserSpinLock,
usmUserSecurityName,
usmUserCloneFrom,
usmUserAuthProtocol,
usmUserAuthKeyChange,
usmUserOwnAuthKeyChange,
usmUserPrivProtocol,
usmUserPrivKeyChange,
usmUserOwnPrivKeyChange,
usmUserPublic,
usmUserStorageType,
usmUserStatus
}
STATUS current
DESCRIPTION "A collection of objects providing for configuration
of an SNMP engine which implements the SNMP
User-based Security Model.
"
::= { usmMIBGroups 1 }
END