1 SNMP-USER-BASED-SM-MIB DEFINITIONS ::= BEGIN
4 MODULE-IDENTITY, OBJECT-TYPE,
6 snmpModules, Counter32 FROM SNMPv2-SMI
7 TEXTUAL-CONVENTION, TestAndIncr,
9 StorageType, AutonomousType FROM SNMPv2-TC
10 MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
11 SnmpAdminString, SnmpEngineID,
12 snmpAuthProtocols, snmpPrivProtocols FROM SNMP-FRAMEWORK-MIB;
14 snmpUsmMIB MODULE-IDENTITY
15 LAST-UPDATED "200210160000Z" -- 16 Oct 2002, midnight
16 ORGANIZATION "SNMPv3 Working Group"
17 CONTACT-INFO "WG-email: snmpv3@lists.tislabs.com
18 Subscribe: majordomo@lists.tislabs.com
19 In msg body: subscribe snmpv3
22 Network Associates Laboratories
23 postal: 15204 Omega Drive, Suite 300
24 Rockville, MD 20850-4601
26 email: mundy@tislabs.com
28 phone: +1 301-947-7107
30 Co-Chair: David Harrington
32 Postal: 35 Industrial Way
34 Rochester, New Hampshire 03866-5005
36 EMail: dbh@enterasys.com
37 Phone: +1 603-337-2614
39 Co-editor Uri Blumenthal
41 postal: 67 Whippany Rd.
45 phone: +1-973-386-2163
47 Co-editor: Bert Wijnen
52 email: bwijnen@lucent.com
53 phone: +31-348-480-685
55 DESCRIPTION "The management information definitions for the
56 SNMP User-based Security Model.
58 Copyright (C) The Internet Society (2002). This
59 version of this MIB module is part of RFC 3414;
60 see the RFC itself for full legal notices.
64 REVISION "200210160000Z" -- 16 Oct 2002, midnight
65 DESCRIPTION "Changes in this revision:
66 - Updated references and contact info.
67 - Clarification to usmUserCloneFrom DESCRIPTION
69 - Fixed 'command responder' into 'command generator'
70 in last para of DESCRIPTION clause of
72 This revision published as RFC3414.
74 REVISION "199901200000Z" -- 20 Jan 1999, midnight
75 DESCRIPTION "Clarifications, published as RFC2574"
77 REVISION "199711200000Z" -- 20 Nov 1997, midnight
78 DESCRIPTION "Initial version, published as RFC2274"
79 ::= { snmpModules 15 }
81 -- Administrative assignments ****************************************
83 usmMIBObjects OBJECT IDENTIFIER ::= { snmpUsmMIB 1 }
84 usmMIBConformance OBJECT IDENTIFIER ::= { snmpUsmMIB 2 }
86 -- Identification of Authentication and Privacy Protocols ************
88 usmNoAuthProtocol OBJECT-IDENTITY
90 DESCRIPTION "No Authentication Protocol."
91 ::= { snmpAuthProtocols 1 }
93 usmHMACMD5AuthProtocol OBJECT-IDENTITY
95 DESCRIPTION "The HMAC-MD5-96 Digest Authentication Protocol."
96 REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti HMAC:
97 Keyed-Hashing for Message Authentication,
99 - Rivest, R., Message Digest Algorithm MD5, RFC1321.
101 ::= { snmpAuthProtocols 2 }
103 usmHMACSHAAuthProtocol OBJECT-IDENTITY
105 DESCRIPTION "The HMAC-SHA-96 Digest Authentication Protocol."
106 REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti, HMAC:
107 Keyed-Hashing for Message Authentication,
109 - Secure Hash Algorithm. NIST FIPS 180-1.
111 ::= { snmpAuthProtocols 3 }
113 usmNoPrivProtocol OBJECT-IDENTITY
115 DESCRIPTION "No Privacy Protocol."
116 ::= { snmpPrivProtocols 1 }
118 usmDESPrivProtocol OBJECT-IDENTITY
120 DESCRIPTION "The CBC-DES Symmetric Encryption Protocol."
121 REFERENCE "- Data Encryption Standard, National Institute of
122 Standards and Technology. Federal Information
123 Processing Standard (FIPS) Publication 46-1.
125 Supersedes FIPS Publication 46,
126 (January, 1977; reaffirmed January, 1988).
128 - Data Encryption Algorithm, American National
129 Standards Institute. ANSI X3.92-1981,
132 - DES Modes of Operation, National Institute of
133 Standards and Technology. Federal Information
134 Processing Standard (FIPS) Publication 81,
137 - Data Encryption Algorithm - Modes of Operation,
138 American National Standards Institute.
139 ANSI X3.106-1983, (May 1983).
141 ::= { snmpPrivProtocols 2 }
143 -- Textual Conventions ***********************************************
145 KeyChange ::= TEXTUAL-CONVENTION
148 "Every definition of an object with this syntax must identify
149 a protocol P, a secret key K, and a hash algorithm H
150 that produces output of L octets.
152 The object's value is a manager-generated, partially-random
153 value which, when modified, causes the value of the secret
154 key K, to be modified via a one-way function.
156 The value of an instance of this object is the concatenation
157 of two components: first a 'random' component and then a
160 The lengths of the random and delta components
161 are given by the corresponding value of the protocol P;
162 if P requires K to be a fixed length, the length of both the
163 random and delta components is that fixed length; if P
164 allows the length of K to be variable up to a particular
165 maximum length, the length of the random component is that
166 maximum length and the length of the delta component is any
167 length less than or equal to that maximum length.
168 For example, usmHMACMD5AuthProtocol requires K to be a fixed
169 length of 16 octets and L - of 16 octets.
170 usmHMACSHAAuthProtocol requires K to be a fixed length of
171 20 octets and L - of 20 octets. Other protocols may define
172 other sizes, as deemed appropriate.
174 When a requester wants to change the old key K to a new
175 key keyNew on a remote entity, the 'random' component is
176 obtained from either a true random generator, or from a
177 pseudorandom generator, and the 'delta' component is
180 - a temporary variable is initialized to the existing value
182 - if the length of the keyNew is greater than L octets,
184 - the random component is appended to the value of the
185 temporary variable, and the result is input to the
186 the hash algorithm H to produce a digest value, and
187 the temporary variable is set to this digest value;
188 - the value of the temporary variable is XOR-ed with
189 the first (next) L-octets (16 octets in case of MD5)
190 of the keyNew to produce the first (next) L-octets
191 (16 octets in case of MD5) of the 'delta' component.
192 - the above two steps are repeated until the unused
193 portion of the keyNew component is L octets or less,
194 - the random component is appended to the value of the
195 temporary variable, and the result is input to the
196 hash algorithm H to produce a digest value;
197 - this digest value, truncated if necessary to be the same
198 length as the unused portion of the keyNew, is XOR-ed
199 with the unused portion of the keyNew to produce the
200 (final portion of the) 'delta' component.
202 For example, using MD5 as the hash algorithm H:
204 iterations = (lenOfDelta - 1)/16; /* integer division */
206 for (i = 0; i < iterations; i++) {
207 temp = MD5 (temp || random);
208 delta[i*16 .. (i*16)+15] =
209 temp XOR keyNew[i*16 .. (i*16)+15];
211 temp = MD5 (temp || random);
212 delta[i*16 .. lenOfDelta-1] =
213 temp XOR keyNew[i*16 .. lenOfDelta-1];
215 The 'random' and 'delta' components are then concatenated as
216 described above, and the resulting octet string is sent to
217 the recipient as the new value of an instance of this object.
219 At the receiver side, when an instance of this object is set
220 to a new value, then a new value of K is computed as follows:
222 - a temporary variable is initialized to the existing value
224 - if the length of the delta component is greater than L
226 - the random component is appended to the value of the
227 temporary variable, and the result is input to the
228 hash algorithm H to produce a digest value, and the
229 temporary variable is set to this digest value;
230 - the value of the temporary variable is XOR-ed with
231 the first (next) L-octets (16 octets in case of MD5)
232 of the delta component to produce the first (next)
233 L-octets (16 octets in case of MD5) of the new value
235 - the above two steps are repeated until the unused
236 portion of the delta component is L octets or less,
237 - the random component is appended to the value of the
238 temporary variable, and the result is input to the
239 hash algorithm H to produce a digest value;
240 - this digest value, truncated if necessary to be the same
241 length as the unused portion of the delta component, is
242 XOR-ed with the unused portion of the delta component to
243 produce the (final portion of the) new value of K.
245 For example, using MD5 as the hash algorithm H:
247 iterations = (lenOfDelta - 1)/16; /* integer division */
249 for (i = 0; i < iterations; i++) {
250 temp = MD5 (temp || random);
251 keyNew[i*16 .. (i*16)+15] =
252 temp XOR delta[i*16 .. (i*16)+15];
254 temp = MD5 (temp || random);
255 keyNew[i*16 .. lenOfDelta-1] =
256 temp XOR delta[i*16 .. lenOfDelta-1];
258 The value of an object with this syntax, whenever it is
259 retrieved by the management protocol, is always the zero
262 Note that the keyOld and keyNew are the localized keys.
264 Note that it is probably wise that when an SNMP entity sends
265 a SetRequest to change a key, that it keeps a copy of the old
266 key until it has confirmed that the key change actually
271 -- Statistics for the User-based Security Model **********************
273 usmStats OBJECT IDENTIFIER ::= { usmMIBObjects 1 }
275 usmStatsUnsupportedSecLevels OBJECT-TYPE
279 DESCRIPTION "The total number of packets received by the SNMP
280 engine which were dropped because they requested a
281 securityLevel that was unknown to the SNMP engine
282 or otherwise unavailable.
286 usmStatsNotInTimeWindows OBJECT-TYPE
290 DESCRIPTION "The total number of packets received by the SNMP
291 engine which were dropped because they appeared
292 outside of the authoritative SNMP engine's window.
296 usmStatsUnknownUserNames OBJECT-TYPE
300 DESCRIPTION "The total number of packets received by the SNMP
301 engine which were dropped because they referenced a
302 user that was not known to the SNMP engine.
306 usmStatsUnknownEngineIDs OBJECT-TYPE
310 DESCRIPTION "The total number of packets received by the SNMP
311 engine which were dropped because they referenced an
312 snmpEngineID that was not known to the SNMP engine.
316 usmStatsWrongDigests OBJECT-TYPE
320 DESCRIPTION "The total number of packets received by the SNMP
321 engine which were dropped because they didn't
322 contain the expected digest value.
326 usmStatsDecryptionErrors OBJECT-TYPE
330 DESCRIPTION "The total number of packets received by the SNMP
331 engine which were dropped because they could not be
336 -- The usmUser Group ************************************************
338 usmUser OBJECT IDENTIFIER ::= { usmMIBObjects 2 }
340 usmUserSpinLock OBJECT-TYPE
342 MAX-ACCESS read-write
344 DESCRIPTION "An advisory lock used to allow several cooperating
345 Command Generator Applications to coordinate their
346 use of facilities to alter secrets in the
351 -- The table of valid users for the User-based Security Model ********
353 usmUserTable OBJECT-TYPE
354 SYNTAX SEQUENCE OF UsmUserEntry
355 MAX-ACCESS not-accessible
357 DESCRIPTION "The table of users configured in the SNMP engine's
358 Local Configuration Datastore (LCD).
360 To create a new user (i.e., to instantiate a new
361 conceptual row in this table), it is recommended to
362 follow this procedure:
364 1) GET(usmUserSpinLock.0) and save in sValue.
366 2) SET(usmUserSpinLock.0=sValue,
367 usmUserCloneFrom=templateUser,
368 usmUserStatus=createAndWait)
369 You should use a template user to clone from
370 which has the proper auth/priv protocol defined.
372 If the new user is to use privacy:
374 3) generate the keyChange value based on the secret
375 privKey of the clone-from user and the secret key
376 to be used for the new user. Let us call this
378 4) GET(usmUserSpinLock.0) and save in sValue.
379 5) SET(usmUserSpinLock.0=sValue,
380 usmUserPrivKeyChange=pkcValue
381 usmUserPublic=randomValue1)
382 6) GET(usmUserPulic) and check it has randomValue1.
383 If not, repeat steps 4-6.
385 If the new user will never use privacy:
387 7) SET(usmUserPrivProtocol=usmNoPrivProtocol)
389 If the new user is to use authentication:
391 8) generate the keyChange value based on the secret
392 authKey of the clone-from user and the secret key
393 to be used for the new user. Let us call this
395 9) GET(usmUserSpinLock.0) and save in sValue.
396 10) SET(usmUserSpinLock.0=sValue,
397 usmUserAuthKeyChange=akcValue
398 usmUserPublic=randomValue2)
399 11) GET(usmUserPulic) and check it has randomValue2.
400 If not, repeat steps 9-11.
402 If the new user will never use authentication:
404 12) SET(usmUserAuthProtocol=usmNoAuthProtocol)
406 Finally, activate the new user:
408 13) SET(usmUserStatus=active)
410 The new user should now be available and ready to be
411 used for SNMPv3 communication. Note however that access
412 to MIB data must be provided via configuration of the
413 SNMP-VIEW-BASED-ACM-MIB.
415 The use of usmUserSpinlock is to avoid conflicts with
416 another SNMP command generator application which may
417 also be acting on the usmUserTable.
421 usmUserEntry OBJECT-TYPE
423 MAX-ACCESS not-accessible
425 DESCRIPTION "A user configured in the SNMP engine's Local
426 Configuration Datastore (LCD) for the User-based
429 INDEX { usmUserEngineID,
432 ::= { usmUserTable 1 }
434 UsmUserEntry ::= SEQUENCE
436 usmUserEngineID SnmpEngineID,
437 usmUserName SnmpAdminString,
438 usmUserSecurityName SnmpAdminString,
439 usmUserCloneFrom RowPointer,
440 usmUserAuthProtocol AutonomousType,
441 usmUserAuthKeyChange KeyChange,
442 usmUserOwnAuthKeyChange KeyChange,
443 usmUserPrivProtocol AutonomousType,
444 usmUserPrivKeyChange KeyChange,
445 usmUserOwnPrivKeyChange KeyChange,
446 usmUserPublic OCTET STRING,
447 usmUserStorageType StorageType,
448 usmUserStatus RowStatus
451 usmUserEngineID OBJECT-TYPE
453 MAX-ACCESS not-accessible
455 DESCRIPTION "An SNMP engine's administratively-unique identifier.
457 In a simple agent, this value is always that agent's
458 own snmpEngineID value.
460 The value can also take the value of the snmpEngineID
461 of a remote SNMP engine with which this user can
464 ::= { usmUserEntry 1 }
466 usmUserName OBJECT-TYPE
467 SYNTAX SnmpAdminString (SIZE(1..32))
468 MAX-ACCESS not-accessible
470 DESCRIPTION "A human readable string representing the name of
473 This is the (User-based Security) Model dependent
476 ::= { usmUserEntry 2 }
478 usmUserSecurityName OBJECT-TYPE
479 SYNTAX SnmpAdminString
482 DESCRIPTION "A human readable string representing the user in
483 Security Model independent format.
485 The default transformation of the User-based Security
486 Model dependent security ID to the securityName and
487 vice versa is the identity function so that the
488 securityName is the same as the userName.
490 ::= { usmUserEntry 3 }
492 usmUserCloneFrom OBJECT-TYPE
494 MAX-ACCESS read-create
496 DESCRIPTION "A pointer to another conceptual row in this
497 usmUserTable. The user in this other conceptual
498 row is called the clone-from user.
500 When a new user is created (i.e., a new conceptual
501 row is instantiated in this table), the privacy and
502 authentication parameters of the new user must be
503 cloned from its clone-from user. These parameters are:
504 - authentication protocol (usmUserAuthProtocol)
505 - privacy protocol (usmUserPrivProtocol)
506 They will be copied regardless of what the current
509 Cloning also causes the initial values of the secret
510 authentication key (authKey) and the secret encryption
512 key (privKey) of the new user to be set to the same
513 values as the corresponding secrets of the clone-from
514 user to allow the KeyChange process to occur as
515 required during user creation.
517 The first time an instance of this object is set by
518 a management operation (either at or after its
519 instantiation), the cloning process is invoked.
520 Subsequent writes are successful but invoke no
521 action to be taken by the receiver.
522 The cloning process fails with an 'inconsistentName'
523 error if the conceptual row representing the
524 clone-from user does not exist or is not in an active
525 state when the cloning process is invoked.
527 When this object is read, the ZeroDotZero OID
530 ::= { usmUserEntry 4 }
532 usmUserAuthProtocol OBJECT-TYPE
533 SYNTAX AutonomousType
534 MAX-ACCESS read-create
536 DESCRIPTION "An indication of whether messages sent on behalf of
537 this user to/from the SNMP engine identified by
538 usmUserEngineID, can be authenticated, and if so,
539 the type of authentication protocol which is used.
541 An instance of this object is created concurrently
542 with the creation of any other object instance for
543 the same user (i.e., as part of the processing of
544 the set operation which creates the first object
545 instance in the same conceptual row).
547 If an initial set operation (i.e. at row creation time)
548 tries to set a value for an unknown or unsupported
549 protocol, then a 'wrongValue' error must be returned.
551 The value will be overwritten/set when a set operation
552 is performed on the corresponding instance of
555 Once instantiated, the value of such an instance of
556 this object can only be changed via a set operation to
557 the value of the usmNoAuthProtocol.
559 If a set operation tries to change the value of an
561 existing instance of this object to any value other
562 than usmNoAuthProtocol, then an 'inconsistentValue'
563 error must be returned.
565 If a set operation tries to set the value to the
566 usmNoAuthProtocol while the usmUserPrivProtocol value
567 in the same row is not equal to usmNoPrivProtocol,
568 then an 'inconsistentValue' error must be returned.
569 That means that an SNMP command generator application
570 must first ensure that the usmUserPrivProtocol is set
571 to the usmNoPrivProtocol value before it can set
572 the usmUserAuthProtocol value to usmNoAuthProtocol.
574 DEFVAL { usmNoAuthProtocol }
575 ::= { usmUserEntry 5 }
577 usmUserAuthKeyChange OBJECT-TYPE
578 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5
579 -- typically (SIZE (0 | 40)) for HMACSHA
580 MAX-ACCESS read-create
582 DESCRIPTION "An object, which when modified, causes the secret
583 authentication key used for messages sent on behalf
584 of this user to/from the SNMP engine identified by
585 usmUserEngineID, to be modified via a one-way
588 The associated protocol is the usmUserAuthProtocol.
589 The associated secret key is the user's secret
590 authentication key (authKey). The associated hash
591 algorithm is the algorithm used by the user's
594 When creating a new user, it is an 'inconsistentName'
595 error for a set operation to refer to this object
596 unless it is previously or concurrently initialized
597 through a set operation on the corresponding instance
600 When the value of the corresponding usmUserAuthProtocol
601 is usmNoAuthProtocol, then a set is successful, but
602 effectively is a no-op.
604 When this object is read, the zero-length (empty)
607 The recommended way to do a key change is as follows:
609 1) GET(usmUserSpinLock.0) and save in sValue.
610 2) generate the keyChange value based on the old
611 (existing) secret key and the new secret key,
612 let us call this kcValue.
614 If you do the key change on behalf of another user:
616 3) SET(usmUserSpinLock.0=sValue,
617 usmUserAuthKeyChange=kcValue
618 usmUserPublic=randomValue)
620 If you do the key change for yourself:
622 4) SET(usmUserSpinLock.0=sValue,
623 usmUserOwnAuthKeyChange=kcValue
624 usmUserPublic=randomValue)
626 If you get a response with error-status of noError,
627 then the SET succeeded and the new key is active.
628 If you do not get a response, then you can issue a
629 GET(usmUserPublic) and check if the value is equal
630 to the randomValue you did send in the SET. If so, then
631 the key change succeeded and the new key is active
632 (probably the response got lost). If not, then the SET
633 request probably never reached the target and so you
634 can start over with the procedure above.
636 DEFVAL { ''H } -- the empty string
637 ::= { usmUserEntry 6 }
639 usmUserOwnAuthKeyChange OBJECT-TYPE
640 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5
641 -- typically (SIZE (0 | 40)) for HMACSHA
642 MAX-ACCESS read-create
644 DESCRIPTION "Behaves exactly as usmUserAuthKeyChange, with one
645 notable difference: in order for the set operation
646 to succeed, the usmUserName of the operation
647 requester must match the usmUserName that
648 indexes the row which is targeted by this
650 In addition, the USM security model must be
651 used for this operation.
653 The idea here is that access to this column can be
654 public, since it will only allow a user to change
655 his own secret authentication key (authKey).
656 Note that this can only be done once the row is active.
658 When a set is received and the usmUserName of the
659 requester is not the same as the umsUserName that
660 indexes the row which is targeted by this operation,
661 then a 'noAccess' error must be returned.
663 When a set is received and the security model in use
664 is not USM, then a 'noAccess' error must be returned.
666 DEFVAL { ''H } -- the empty string
667 ::= { usmUserEntry 7 }
669 usmUserPrivProtocol OBJECT-TYPE
670 SYNTAX AutonomousType
671 MAX-ACCESS read-create
673 DESCRIPTION "An indication of whether messages sent on behalf of
674 this user to/from the SNMP engine identified by
675 usmUserEngineID, can be protected from disclosure,
676 and if so, the type of privacy protocol which is used.
678 An instance of this object is created concurrently
679 with the creation of any other object instance for
680 the same user (i.e., as part of the processing of
681 the set operation which creates the first object
682 instance in the same conceptual row).
684 If an initial set operation (i.e. at row creation time)
685 tries to set a value for an unknown or unsupported
686 protocol, then a 'wrongValue' error must be returned.
688 The value will be overwritten/set when a set operation
689 is performed on the corresponding instance of
692 Once instantiated, the value of such an instance of
693 this object can only be changed via a set operation to
694 the value of the usmNoPrivProtocol.
696 If a set operation tries to change the value of an
697 existing instance of this object to any value other
698 than usmNoPrivProtocol, then an 'inconsistentValue'
699 error must be returned.
701 Note that if any privacy protocol is used, then you
702 must also use an authentication protocol. In other
703 words, if usmUserPrivProtocol is set to anything else
704 than usmNoPrivProtocol, then the corresponding instance
705 of usmUserAuthProtocol cannot have a value of
707 usmNoAuthProtocol. If it does, then an
708 'inconsistentValue' error must be returned.
710 DEFVAL { usmNoPrivProtocol }
711 ::= { usmUserEntry 8 }
713 usmUserPrivKeyChange OBJECT-TYPE
714 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES
715 MAX-ACCESS read-create
717 DESCRIPTION "An object, which when modified, causes the secret
718 encryption key used for messages sent on behalf
719 of this user to/from the SNMP engine identified by
720 usmUserEngineID, to be modified via a one-way
723 The associated protocol is the usmUserPrivProtocol.
724 The associated secret key is the user's secret
725 privacy key (privKey). The associated hash
726 algorithm is the algorithm used by the user's
729 When creating a new user, it is an 'inconsistentName'
730 error for a set operation to refer to this object
731 unless it is previously or concurrently initialized
732 through a set operation on the corresponding instance
735 When the value of the corresponding usmUserPrivProtocol
736 is usmNoPrivProtocol, then a set is successful, but
737 effectively is a no-op.
739 When this object is read, the zero-length (empty)
741 See the description clause of usmUserAuthKeyChange for
742 a recommended procedure to do a key change.
744 DEFVAL { ''H } -- the empty string
745 ::= { usmUserEntry 9 }
747 usmUserOwnPrivKeyChange OBJECT-TYPE
748 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES
749 MAX-ACCESS read-create
751 DESCRIPTION "Behaves exactly as usmUserPrivKeyChange, with one
752 notable difference: in order for the Set operation
753 to succeed, the usmUserName of the operation
754 requester must match the usmUserName that indexes
756 the row which is targeted by this operation.
757 In addition, the USM security model must be
758 used for this operation.
760 The idea here is that access to this column can be
761 public, since it will only allow a user to change
762 his own secret privacy key (privKey).
763 Note that this can only be done once the row is active.
765 When a set is received and the usmUserName of the
766 requester is not the same as the umsUserName that
767 indexes the row which is targeted by this operation,
768 then a 'noAccess' error must be returned.
770 When a set is received and the security model in use
771 is not USM, then a 'noAccess' error must be returned.
773 DEFVAL { ''H } -- the empty string
774 ::= { usmUserEntry 10 }
776 usmUserPublic OBJECT-TYPE
777 SYNTAX OCTET STRING (SIZE(0..32))
778 MAX-ACCESS read-create
780 DESCRIPTION "A publicly-readable value which can be written as part
781 of the procedure for changing a user's secret
782 authentication and/or privacy key, and later read to
783 determine whether the change of the secret was
786 DEFVAL { ''H } -- the empty string
787 ::= { usmUserEntry 11 }
789 usmUserStorageType OBJECT-TYPE
791 MAX-ACCESS read-create
793 DESCRIPTION "The storage type for this conceptual row.
795 Conceptual rows having the value 'permanent' must
796 allow write-access at a minimum to:
798 - usmUserAuthKeyChange, usmUserOwnAuthKeyChange
799 and usmUserPublic for a user who employs
801 - usmUserPrivKeyChange, usmUserOwnPrivKeyChange
802 and usmUserPublic for a user who employs
805 Note that any user who employs authentication or
806 privacy must allow its secret(s) to be updated and
807 thus cannot be 'readOnly'.
809 If an initial set operation tries to set the value to
810 'readOnly' for a user who employs authentication or
811 privacy, then an 'inconsistentValue' error must be
812 returned. Note that if the value has been previously
813 set (implicit or explicit) to any value, then the rules
814 as defined in the StorageType Textual Convention apply.
816 It is an implementation issue to decide if a SET for
817 a readOnly or permanent row is accepted at all. In some
818 contexts this may make sense, in others it may not. If
819 a SET for a readOnly or permanent row is not accepted
820 at all, then a 'wrongValue' error must be returned.
822 DEFVAL { nonVolatile }
823 ::= { usmUserEntry 12 }
825 usmUserStatus OBJECT-TYPE
827 MAX-ACCESS read-create
829 DESCRIPTION "The status of this conceptual row.
831 Until instances of all corresponding columns are
832 appropriately configured, the value of the
833 corresponding instance of the usmUserStatus column
836 In particular, a newly created row for a user who
837 employs authentication, cannot be made active until the
838 corresponding usmUserCloneFrom and usmUserAuthKeyChange
841 Further, a newly created row for a user who also
842 employs privacy, cannot be made active until the
843 usmUserPrivKeyChange has been set.
845 The RowStatus TC [RFC2579] requires that this
846 DESCRIPTION clause states under which circumstances
847 other objects in this row can be modified:
849 The value of this object has no effect on whether
850 other objects in this conceptual row can be modified,
851 except for usmUserOwnAuthKeyChange and
852 usmUserOwnPrivKeyChange. For these 2 objects, the
854 value of usmUserStatus MUST be active.
856 ::= { usmUserEntry 13 }
858 -- Conformance Information *******************************************
860 usmMIBCompliances OBJECT IDENTIFIER ::= { usmMIBConformance 1 }
861 usmMIBGroups OBJECT IDENTIFIER ::= { usmMIBConformance 2 }
863 -- Compliance statements
865 usmMIBCompliance MODULE-COMPLIANCE
867 DESCRIPTION "The compliance statement for SNMP engines which
868 implement the SNMP-USER-BASED-SM-MIB.
871 MODULE -- this module
872 MANDATORY-GROUPS { usmMIBBasicGroup }
874 OBJECT usmUserAuthProtocol
876 DESCRIPTION "Write access is not required."
878 OBJECT usmUserPrivProtocol
880 DESCRIPTION "Write access is not required."
881 ::= { usmMIBCompliances 1 }
883 -- Units of compliance
884 usmMIBBasicGroup OBJECT-GROUP
886 usmStatsUnsupportedSecLevels,
887 usmStatsNotInTimeWindows,
888 usmStatsUnknownUserNames,
889 usmStatsUnknownEngineIDs,
890 usmStatsWrongDigests,
891 usmStatsDecryptionErrors,
896 usmUserAuthKeyChange,
897 usmUserOwnAuthKeyChange,
899 usmUserPrivKeyChange,
900 usmUserOwnPrivKeyChange,
906 DESCRIPTION "A collection of objects providing for configuration
907 of an SNMP engine which implements the SNMP
908 User-based Security Model.
910 ::= { usmMIBGroups 1 }