This section of the guide applies when OCSS7 is being upgraded from version 4.0.0.x or earlier to 4.1.x or later, and SNMPv3 is in use.
Background
Releases prior to OCSS7 4.1.0 contained a defect that caused SNMPv3 usernames to be prefixed with the letters sC
.
This prefix was propagated to the network in SNMPv3 notifications and it was also applied to inbound SNMPv3 authentication.
i.e. if a USM user was configured with a username of test
the SNMPv3 agent would require inbound queries to be from a user sCtest
and all outbound SNMPv3 notifications would be generated with a username of sCtest
.
It was possible to work around this behaviour by configuring external SNMP agents and clients to use a username with the sC
prefixed, i.e. sCtest
.
An optional fix was implemented in OCSS7 4.0.0.3
that enabled the SGC to use the correct SNMPv3 username - i.e. without the sC
prefix.
This fix required activating by setting the snmp.v3.unprefixed_username
SGC property to true
and restarting the SGC.
OCSS7 4.1.0 rectifies this defect by default for all users. Some users may need to migrate their SNMPv3 configuration as a result.
When SNMPv3 configuration migration is required
SNMPv3 configuration migration is required if:
-
SNMPv3 was in use prior to this upgrade; and
-
The optional fix had not previously been applied. Please note that the full application of the fix was a multi-step process and involved SNMPv3 configuration migration similar to that described in this document.
Summary of migration options
There are two possible migration paths:
-
SNMPv3 usernames continue to be prefixed with
sC
:-
The SGCs must be reconfigured.
-
External SNMPv3 agents and clients do not require reconfiguration.
-
There will be an SNMP outage until all steps are completed.
-
-
SNMPv3 usernames to not have the
sC
prefix:-
No reconfiguration of the SGC is required.
-
External SNMPv3 agents and clients must be reconfigured.
-
There will be an SNMP outage until all steps are completed.
-
Option 1: SNMPv3 usernames continue to be prefixed with sC
-
Perform the SGC upgrade as normal.
This will result in an SNMP outage until completion of this method of procedure. -
Display all SNMP nodes using the SGC CLI:
127.0.0.1:10111 PC1-1> display-snmp-node: Found 2 object(s): +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+ |oname |dependenci|enabled |active |node |transport-type |host |port |snmp-version |community |extended| | |es | | | | | | | | |-traps | +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+ |v3_PC1-1 |0 |true |true |PC1-1 |UDP |127.0.0.1 |10611 |v3 |test |true | +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+ |v3_PC1-2 |0 |true |true |PC1-2 |UDP |127.0.0.1 |10611 |v3 |test |true | +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+
-
Disable all SNMP nodes - both v2c and v3:
127.0.0.1:10111 PC1-1> disable-snmp-node: oname=v3_PC1-1, OK snmp-node disabled. 127.0.0.1:10111 PC1-1> disable-snmp-node: oname=v3_PC1-2, OK snmp-node disabled.
-
Display all USM users:
127.0.0.1:10111 PC1-1> display-usm-user: Found 1 object(s): +---------------+----------+---------------+---------------+---------------+---------------+---------------+ |oname |dependenci|community |authProto |authPassphrase |privProto |privPassphrase | | |es | | | | | | +---------------+----------+---------------+---------------+---------------+---------------+---------------+ |authNoPriv |0 |test |SHA |testtest |NONE |null | +---------------+----------+---------------+---------------+---------------+---------------+---------------+
-
Modify each USM user’s
community
(username) to be prefixed withsC
and optionally display the modified user:127.0.0.1:10111 PC1-1> modify-usm-user: oname=authNoPriv, community=sCtest OK usm-user updated. 127.0.0.1:10111 PC1-1> display-usm-user: oname=authNoPriv Found 1 object(s): +---------------+----------+---------------+---------------+---------------+---------------+---------------+ |oname |dependenci|community |authProto |authPassphrase |privProto |privPassphrase | | |es | | | | | | +---------------+----------+---------------+---------------+---------------+---------------+---------------+ |authNoPriv |0 |sCtest |SHA |cccccccc |NONE |null | +---------------+----------+---------------+---------------+---------------+---------------+---------------+
-
Modify each SNMPv3 node’s
community
(username) to be prefixed withsC
and optionally display the modified SNMP node:127.0.0.1:10111 PC1-1> modify-snmp-node: oname=v3_PC1-1, community=sCtest OK snmp-node updated. 127.0.0.1:10111 PC1-1> display-snmp-node: oname=v3_PC1-1 Found 1 object(s): +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+ |oname |dependenci|enabled |active |node |transport-type |host |port |snmp-version |community |extended| | |es | | | | | | | | |-traps | +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+ |v3_PC1-1 |0 |false |false |PC1-1 |UDP |127.0.0.1 |10611 |v3 |sCtest |true | +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+
-
Enable all SNMP nodes - both v2c and v3.
127.0.0.1:10111 PC1-1> enable-snmp-node: oname=v3_PC1-1, OK snmp-node enabled. 127.0.0.1:10111 PC1-1> enable-snmp-node: oname=v3_PC1-2, OK snmp-node enabled.
Option 2: SNMPv3 usernames to not have the sC
prefix
-
Perform the SGC upgrade as normal.
This will result in an SNMP outage until completion of this method of procedure. -
Reconfigure all external SNMP agents and clients to expect the SGC to no longer require
sC
at the start of usernames. i.e. if an agent was configured to receive notifications from the SGC with a username ofsCtest
, the agent should be reconfigured to expect a username oftest
.Specific instructions cannot be provided on how to reconfigure third-party SNMP agents and clients. Please read the documentation provided with those third-party products for more information.