topic Re: OneView and SNMPv1 in HPE OneView

OneView and SNMPv1

pirx — Mon, 14 Aug 2023 04:46:33 GMT

I disabled SNMPv1 on all ILOs by purpose, but as we have to switch from ILO Amplifier to OneView, this was now automaticially enabled again by OV. This is also documented here Document - HPE OneView 8.4 User Guide for VMs | HPE Support

Aug 7 08:02:00 xxxx iLO5 iLO SNMP settings modified by: _HPOneViewMonitor.
Aug 7 08:03:28 xxxx iLO5 iLO SNMP settings modified by: _HPOneViewAdmin.

Aug 7 08:19:01 xxxx iLO5 iLO Overall security status of the system is at risk.

It's kind of funny that the security state then changed to risk and OV alerts me about SNMPv1 being enabeld. With redfish etc. is it really necessary to keep SNMPv1 active?

Re: OneView and SNMPv1

bradawk1 — Wed, 09 Aug 2023 14:18:47 GMT

We aren't on 8 yet, but I do have SNMPv1 disabled on all iLOs. Did it with this code. First get session credentials to OneView. Then pull down a list of all hardware in OneView:

# We have multiple sites. So, I set a site variable so that I can run the same commands # simultaneously in multiple terminals. SITE='<site name>' HARDWN=hardw-${SITE} curl --insecure \ --header "X-API-Version: ${currentVersion}" \ --header "auth: ${sessionID}" \ --output ${HARDWN} \ --request GET ${OneView}/rest/server-hardware?start=0&count=-1 # # That only pulls down 32 devices. Pull down the rest with: i=1 NEXT=$(/bin/sed -e 's|^.*nextPageUri":"$/rest/server-hardware.*$","prevPageUri.*|\1|' ${HARDWN}) while [[ ${NEXT} != *"null"* ]]; do curl --insecure \ --header "X-API-Version: ${currentVersion}" \ --header "auth: ${sessionID}" \ --output ${HARDWN}${i} \ --request GET ${OneView}${NEXT} NEXT=$(/bin/sed -e 's|^.*nextPageUri":"$/rest/server-hardware.*$","prevPageUri.*|\1|' ${HARDWN}${i}) if [[ ${#NEXT} -gt 50 ]]; then NEXT=$(/bin/sed -e 's|^.*nextPageUri":"$.*$","prevPageUri.*|\1|' ${HARDWN}${i}) fi ((i++)) done # Concantenate into a single file. j=0 while [[ ${j} -t ${i} ]]; do echo ${j} if [[ ${j} -eq 0 ]]; then CMD="cat ${HARDWN}" else CMD="${CMD} ${HARDWN}${j}" fi ((j++)) done $(echo ${CMD} > hardw-all-raw-${SITE}) cat hardw-all-raw-${SITE} | jq -r '.' > hardw-${SITE}-all HARDW=hardw-${SITE}-all /bin/rm hardw-${SITE} hardw-${SITE}? hardw-${SITE}[1-9]? hardw-all-raw-${SITE}

Then make sure SNMP is enabled, disable SNMP v1, and reset the iLO interface:

# Get OneView session credentials # Pull down a list of all current hardware. Set the variable, HARDW, to the downloaded list. # Set three JSON variables echo '{"SNMP": {"ProtocolEnabled": true }}' | jq -c '.' > snmp echo '{"SNMPv1Enabled": false }' | jq -c '.' > snmpv1 echo '{"Action": "Manager.Reset"}' | jq -c '.' > resetiLO # for SERVER in $(jq -r '.members[] | "$.name)"' ${HARDW}); do UUID=$(jq -r '.members[] | select(.name=="'${SERVER}'") | "\(.uuid)"' ${HARDW}) read iLOSSO iLOAuth <<< $(curl --silent --insecure --header "X-API-Version": ${currentVersion}" \ --header "auth: ${sessionID}" \ --request GET ${OneView}/reset/server-hardware/${UUID}/remoteConsoleUrl | \ jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' \ -e 's|^\(.*$&sessionkey=$.*$$|\1 \2|') curl --silent --insecure --include \ --header "X-Auth-Token: ${iLOAuth}" \ --header "Content-Type: application/json" \ --location --data "@snmp" \ --request PATCH ${iLOSSO}/redfish/v1/Managers/1/networkprotocol curl --silent --insecure --include \ --header "X-Auth-Token: ${iLOAuth}" \ --header "Content-Type: application/json" \ --location --data "@snmpv1" \ --request PATCH ${iLOSSO}/redfish/v1/Managers/1/SnmpService curl --silent --insecure --include \ --header "X-Auth-Token: ${iLOAuth}" \ --header "Content-Type: application/json" \ --location --data "@resetiLO" \ --request POST ${iLOSSO}/redfish/v1/Managers/1/Actions/Manager.Reset done

Re: OneView and SNMPv1

pirx — Wed, 09 Aug 2023 14:42:47 GMT

Well, I know how to disable SNMPv1, I did it before on all ILOs with....

ilorest --nologo set SNMPv1Enabled=False --commit --select=HpeiLOSnmpService. {{ilo_connect_string }}

Strange thing is that the securtiy status changed after adding the servers to OV. And the only thing I see in dashboard that is red is SNMPv1.

But ilorest tool and redfish still report snmpv1 as disabled, even if it there is an alert about it.

iLOrest > get SNMPv1Enabled --select=HpeiLOSnmpService.
Discovering data...Done
SNMPv1Enabled=False
iLOrest > set SNMPv1Enabled=False --commit --select=HpeiLOSnmpService.
ERROR : Nothing changed for attribute 'snmpv1enabled'.
Please check if the attribute exists or Read-only or System Unique property or the value trying to set is same or invalid
iLOrest >

Overall security status of the system is at risk.

Active

8/4/23 12:08:29 pm

Resolution
Navigate to the 'Security Dashboard' tab under the 'Information' section on the iLO Web UI in order to evaluate your configuration for potential risks and view advice on improving system security.

Re: OneView and SNMPv1

bradawk1 — Wed, 09 Aug 2023 15:13:38 GMT

Your security dashboard is showing snmp v1 is enabled. Are you sure you disabled it? On one of my iLO 5s it shows SNMPv1 OK Disabled (slider is to the right). We have 2.78 firmware.

Re: OneView and SNMPv1

pirx — Wed, 09 Aug 2023 17:24:46 GMT

That is what confuses me. During server deployment I use ilorest in an ansible playbook to disable snmpv1, like below.

iLOrest > set SNMPv1Enabled=False --commit --select=HpeiLOSnmpService.

With that the alert in dashboard gets cleared. Now, OV enabled snmpv1 again, but the state in ilorest tool still tells me snmpv1 is disabled, but the dashboard shows the alert.

iLOrest > get SNMPv1Enabled --select=HpeiLOSnmpService.
Discovering data...Done
SNMPv1Enabled=False

Re: OneView and SNMPv1

bradawk1 — Thu, 10 Aug 2023 09:41:12 GMT

It's very odd. I've never seen any of our OneView appliances enabling SNMPv1. Try running hponcfg and pulling everything out. See what setting you see in the XML output?

Re: OneView and SNMPv1

MV3 — Mon, 14 Aug 2023 04:28:08 GMT

Hello,

SNMP will not get enabled automatically, please raise a support case with HPE.

Cheers...