This section of the guide applies when OCSS7 is being upgraded from version 4.0.0.x or earlier to 4.1.x or later, and SNMPv3 is in use.

Background

Releases prior to OCSS7 4.1.0 contained a defect that caused SNMPv3 usernames to be prefixed with the letters sC. This prefix was propagated to the network in SNMPv3 notifications and it was also applied to inbound SNMPv3 authentication. i.e. if a USM user was configured with a username of test the SNMPv3 agent would require inbound queries to be from a user sCtest and all outbound SNMPv3 notifications would be generated with a username of sCtest. It was possible to work around this behaviour by configuring external SNMP agents and clients to use a username with the sC prefixed, i.e. sCtest.

An optional fix was implemented in OCSS7 4.0.0.3 that enabled the SGC to use the correct SNMPv3 username - i.e. without the sC prefix. This fix required activating by setting the snmp.v3.unprefixed_username SGC property to true and restarting the SGC.

OCSS7 4.1.0 rectifies this defect by default for all users. Some users may need to migrate their SNMPv3 configuration as a result.

When SNMPv3 configuration migration is required

SNMPv3 configuration migration is required if:

  • SNMPv3 was in use prior to this upgrade; and

  • The optional fix had not previously been applied. Please note that the full application of the fix was a multi-step process and involved SNMPv3 configuration migration similar to that described in this document.

Summary of migration options

There are two possible migration paths:

  1. SNMPv3 usernames continue to be prefixed with sC:

    • The SGCs must be reconfigured.

    • External SNMPv3 agents and clients do not require reconfiguration.

    • There will be an SNMP outage until all steps are completed.

  2. SNMPv3 usernames to not have the sC prefix:

    • No reconfiguration of the SGC is required.

    • External SNMPv3 agents and clients must be reconfigured.

    • There will be an SNMP outage until all steps are completed.

Option 1: SNMPv3 usernames continue to be prefixed with sC

  1. Perform the SGC upgrade as normal.

    Warning This will result in an SNMP outage until completion of this method of procedure.
  2. Display all SNMP nodes using the SGC CLI:

    127.0.0.1:10111 PC1-1> display-snmp-node:
    Found 2 object(s):
    +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+
    |oname          |dependenci|enabled |active  |node           |transport-type |host           |port      |snmp-version   |community      |extended|
    |               |es        |        |        |               |               |               |          |               |               |-traps  |
    +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+
    |v3_PC1-1       |0         |true    |true    |PC1-1          |UDP            |127.0.0.1      |10611     |v3             |test           |true    |
    +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+
    |v3_PC1-2       |0         |true    |true    |PC1-2          |UDP            |127.0.0.1      |10611     |v3             |test           |true    |
    +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+
  3. Disable all SNMP nodes - both v2c and v3:

    127.0.0.1:10111 PC1-1> disable-snmp-node: oname=v3_PC1-1,
    OK snmp-node disabled.
    127.0.0.1:10111 PC1-1> disable-snmp-node: oname=v3_PC1-2,
    OK snmp-node disabled.
  4. Display all USM users:

    127.0.0.1:10111 PC1-1> display-usm-user:
    Found 1 object(s):
    +---------------+----------+---------------+---------------+---------------+---------------+---------------+
    |oname          |dependenci|community      |authProto      |authPassphrase |privProto      |privPassphrase |
    |               |es        |               |               |               |               |               |
    +---------------+----------+---------------+---------------+---------------+---------------+---------------+
    |authNoPriv     |0         |test           |SHA            |testtest       |NONE           |null           |
    +---------------+----------+---------------+---------------+---------------+---------------+---------------+
  5. Modify each USM user’s community (username) to be prefixed with sC and optionally display the modified user:

    127.0.0.1:10111 PC1-1> modify-usm-user: oname=authNoPriv, community=sCtest
    OK usm-user updated.
    127.0.0.1:10111 PC1-1> display-usm-user: oname=authNoPriv
    Found 1 object(s):
    +---------------+----------+---------------+---------------+---------------+---------------+---------------+
    |oname          |dependenci|community      |authProto      |authPassphrase |privProto      |privPassphrase |
    |               |es        |               |               |               |               |               |
    +---------------+----------+---------------+---------------+---------------+---------------+---------------+
    |authNoPriv     |0         |sCtest         |SHA            |cccccccc       |NONE           |null           |
    +---------------+----------+---------------+---------------+---------------+---------------+---------------+
  6. Modify each SNMPv3 node’s community (username) to be prefixed with sC and optionally display the modified SNMP node:

    127.0.0.1:10111 PC1-1> modify-snmp-node: oname=v3_PC1-1, community=sCtest
    OK snmp-node updated.
    127.0.0.1:10111 PC1-1> display-snmp-node: oname=v3_PC1-1
    Found 1 object(s):
    +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+
    |oname          |dependenci|enabled |active  |node           |transport-type |host           |port      |snmp-version   |community      |extended|
    |               |es        |        |        |               |               |               |          |               |               |-traps  |
    +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+
    |v3_PC1-1       |0         |false   |false   |PC1-1          |UDP            |127.0.0.1      |10611     |v3             |sCtest         |true    |
    +---------------+----------+--------+--------+---------------+---------------+---------------+----------+---------------+---------------+--------+
  7. Enable all SNMP nodes - both v2c and v3.

    127.0.0.1:10111 PC1-1> enable-snmp-node: oname=v3_PC1-1,
    OK snmp-node enabled.
    127.0.0.1:10111 PC1-1> enable-snmp-node: oname=v3_PC1-2,
    OK snmp-node enabled.

Option 2: SNMPv3 usernames to not have the sC prefix

  1. Perform the SGC upgrade as normal.

    Warning This will result in an SNMP outage until completion of this method of procedure.
  2. Reconfigure all external SNMP agents and clients to expect the SGC to no longer require sC at the start of usernames. i.e. if an agent was configured to receive notifications from the SGC with a username of sCtest, the agent should be reconfigured to expect a username of test.

    Note Specific instructions cannot be provided on how to reconfigure third-party SNMP agents and clients. Please read the documentation provided with those third-party products for more information.
Previous page Next page