Hide SNMP community to some operators - 7.2

nethusiast · ‎03-16-2017

Hi everybody,
we use IMC on a large scale and we would like to give access to some information at different operators for monitoring purpose.

We would like them to be allowed to see some custom topologies and the switches in it. They should also be able to see which port carries which vlan and how (tagged/untagged).

We've been able to do it by creating a group with specific permission.

The problem is that if such an operator goes to the "device information" page He could see the SNMP Community in plain text. Obviously we don't what that to happen.

Any experiences to share on the topic?

Many thanks

NeilR · ‎03-16-2017

Under system settings, you can set "Display Access Passwords" to cyphertext. That will display any credential including snmp setting as dots.

However this is a global setting, so it will affect all groups.

nethusiast · ‎03-17-2017

Thank you for your reply.

We already did that and it didn't work. Could it be realated to some DB settings?

NeilR · ‎03-17-2017

hmm. not seen any other override - at least that's exposed in the UI. My account is in the default admin group, and functions as expected both at the template and device level - see attached pics. It toggles based on the system setting.

Is it working for the default groups but not when using a custom group? haven't checked that.

Is there some other part of the UI you are using where it is not hidden?

Was this a new 7.2 install?

Mine has been upgraded from 7.0, so maybe there is some data item that's been carried forward but recently missing?

But sounds like you need to report it to HPE

nethusiast · ‎03-27-2017

Thank you @NeilR for your reply!!

The problem occurs when we go into Device Information / Device Detail, under Trap Destination.

Does it occour to you in the same way?

NeilR · ‎03-27-2017

On the trap destination page, if I understand correctly - see image - the Auth parameter is displayed in clear text. (if its a different screen, send a screen shot)

In this case I'd rate that as a lower concern, as this is the credential used by the end device to send traps to imc.

Knowing this credential only authorizes an end device to send alerts (traps) to the management tool, in this case IMC,. Someone could not use this to change a device's settings unless you used the same value for Read/Write snmp.

Are you restricting your operators from reading the trap messages in imc?

Seeing the trap credential has little affect, as it can only be used to recieve the traps. I suppose someone could send spoofed traps to imc, but they'd have to know all the device details.

I did find another place a credential is not encrypted. That is under User> User Access Policy > access device management. The radius server key can be displayed if you modify an existing device. I find that a bit more concerning, but you could probably limit operator access to that function.