Configure an SNMPv3 User-based Security Model (USM) User

Appliance Controller supports configuration of SNMPv3 User-based Security Model (USM) users, providing authentication and privacy services as defined by the SNMPv3 standard.

Note: For a list of all the Appliance Controller commands, see the Command Index.

Prerequisites

Before configuring SNMPv3 users, do the following to install the Net-SNMP (RHEL/CentOS) packages on the system:

Log in to the Appliance Controller CLI.
At the prompt, enter:

sudo yum install net-snmp net-snmp-utils

General Guidance

SNMPv3 users are part of the User-based Security Model (USM).
Access permissions are enforced through View-based Access Control Model (VACM).
For secure deployments, authPriv with SHA and AES is strongly recommended.
Read-write users should be created only when SNMP SET operations are required.

Add an SNMPv3 USM User

At the prompt, enter:

snmp user add {ro | rw} <username> {noAuthNoPriv | authNoPriv | authPriv} [<auth-password> {SHA | MD5}] [<priv-password> {DES | AES}]

The parameters are:

`{ro \| rw}`	Specifies the View-based Access Control Model (VACM) access level associated with the user. ro: Read-only access. The user may perform GET, GETNEXT, and GETBULK operations. rw: Read-write access. The user may additionally perform SET operations.
`<username>`	The SNMPv3 security name. Length: 1–32 characters. Allowed characters: uppercase letters, lowercase letters, underscore (_). The security name is used by the SNMP engine to identify the user for authentication, privacy, and access control.
`{noAuthNoPriv \| authNoPriv \| authPriv}`	Specifies the SNMPv3 security level. SNMPv3 security consists of two independent services: Authentication (auth) — provides data integrity and origin authentication. Privacy (priv) — provides encryption of SNMP PDUs. Valid security levels are: noAuthNoPriv: No authentication and no privacy. SNMP messages are neither authenticated nor encrypted. authNoPriv: Authentication enabled; privacy disabled. Messages are authenticated and protected against modification but are sent in clear text. authPriv: Authentication and privacy enabled. Messages are authenticated and encrypted. Note: Privacy requires authentication. A noAuthPriv security level is not permitted.
`[<auth-password> {SHA \| MD5}]`	Specifies authentication protocol and passphrase. Required when using authNoPriv or authPriv. <auth-password> Length: 8–12 characters. Allowed characters: uppercase letters, lowercase letters, underscore (_). Used to derive the authentication key. {SHA \| MD5} Authentication protocol used to generate the message authentication code (MAC). SHA is recommended. MD5 is supported for compatibility with legacy systems. Authentication ensures message integrity and verifies the origin of SNMP messages.
`[<priv-password> {DES \| AES}]`	Specifies privacy protocol and passphrase. Required when using authPriv. <priv-password> Length: exactly 8 characters. Allowed characters: uppercase letters, lowercase letters, underscore (_). Used to derive the privacy (encryption) key. {DES \| AES} Privacy protocol used to encrypt SNMP PDUs. AES is recommended. DES is supported for legacy compatibility. Privacy protects the contents of SNMP messages from disclosure while in transit.

Example:

snmp user add ro monitor authPriv AuthPass_1 SHA PrivPass AES

Creates a read-only SNMPv3 user using SHA authentication and AES privacy.

`{ro \| rw}`	Specifies the View-based Access Control Model (VACM) access level associated with the user. ro: Read-only access. The user may perform GET, GETNEXT, and GETBULK operations. rw: Read-write access. The user may additionally perform SET operations.
`<username>`	The SNMPv3 security name. Length: 1–32 characters. Allowed characters: uppercase letters, lowercase letters, underscore (_). The security name is used by the SNMP engine to identify the user for authentication, privacy, and access control.
`{noAuthNoPriv \| authNoPriv \| authPriv}`	Specifies the SNMPv3 security level. SNMPv3 security consists of two independent services: Authentication (auth) — provides data integrity and origin authentication. Privacy (priv) — provides encryption of SNMP PDUs. Valid security levels are: noAuthNoPriv: No authentication and no privacy. SNMP messages are neither authenticated nor encrypted. authNoPriv: Authentication enabled; privacy disabled. Messages are authenticated and protected against modification but are sent in clear text. authPriv: Authentication and privacy enabled. Messages are authenticated and encrypted. Note: Privacy requires authentication. A noAuthPriv security level is not permitted.
`[<auth-password> {SHA \| MD5}]`	Specifies authentication protocol and passphrase. Required when using authNoPriv or authPriv. <auth-password> Length: 8–12 characters. Allowed characters: uppercase letters, lowercase letters, underscore (_). Used to derive the authentication key. {SHA \| MD5} Authentication protocol used to generate the message authentication code (MAC). SHA is recommended. MD5 is supported for compatibility with legacy systems. Authentication ensures message integrity and verifies the origin of SNMP messages.
`[<priv-password> {DES \| AES}]`	Specifies privacy protocol and passphrase. Required when using authPriv. <priv-password> Length: exactly 8 characters. Allowed characters: uppercase letters, lowercase letters, underscore (_). Used to derive the privacy (encryption) key. {DES \| AES} Privacy protocol used to encrypt SNMP PDUs. AES is recommended. DES is supported for legacy compatibility. Privacy protects the contents of SNMP messages from disclosure while in transit.