HPE Community
HPE OneView
1823753 Members
4112 Online
109664 Solutions
New Discussion

OneView and SNMPv1

 
pirx
Valued Contributor

‎08-07-2023 08:46 AM - last edited on ‎08-13-2023 09:46 PM by

‎08-07-2023 08:46 AM - last edited on ‎08-13-2023 09:46 PM by

OneView and SNMPv1

I disabled SNMPv1 on all ILOs by purpose, but as we have to switch from ILO Amplifier to OneView, this was now automaticially enabled again by OV.  This is also documented here Document - HPE OneView 8.4 User Guide for VMs | HPE Support

Aug 7 08:02:00 xxxx iLO5 iLO SNMP settings modified by: _HPOneViewMonitor.
Aug 7 08:03:28 xxxx  iLO5 iLO SNMP settings modified by: _HPOneViewAdmin.

Aug 7 08:19:01 xxxx  iLO5 iLO Overall security status of the system is at risk.

It's kind of funny that the security state then changed to risk and OV alerts me about SNMPv1 being enabeld. With redfish etc. is it really necessary to keep SNMPv1 active?

 

0 Kudos
Reply
6 REPLIES 6
bradawk1
Trusted Contributor

‎08-09-2023 07:18 AM

‎08-09-2023 07:18 AM

Re: OneView and SNMPv1

We aren't on 8 yet, but I do have SNMPv1 disabled on all iLOs.  Did it with this code.  First get session credentials to OneView.  Then pull down a list of all hardware in OneView:

# We have multiple sites.  So, I set a site variable so that I can run the same commands
# simultaneously in multiple terminals.
SITE='<site name>'
HARDWN=hardw-${SITE}
curl --insecure \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --output ${HARDWN} \
     --request GET ${OneView}/rest/server-hardware?start=0&count=-1
#
# That only pulls down 32 devices.  Pull down the rest with:
i=1
NEXT=$(/bin/sed -e 's|^.*nextPageUri":"\(/rest/server-hardware.*\)","prevPageUri.*|\1|' ${HARDWN})
while [[ ${NEXT} != *"null"* ]]; do
   curl --insecure \
        --header "X-API-Version: ${currentVersion}" \
        --header "auth: ${sessionID}" \
        --output ${HARDWN}${i} \
        --request GET ${OneView}${NEXT}
   NEXT=$(/bin/sed -e 's|^.*nextPageUri":"\(/rest/server-hardware.*\)","prevPageUri.*|\1|' ${HARDWN}${i})
   if [[ ${#NEXT} -gt 50 ]]; then
      NEXT=$(/bin/sed -e 's|^.*nextPageUri":"\(.*\)","prevPageUri.*|\1|' ${HARDWN}${i})
   fi
   ((i++))
done
# Concantenate into a single file.
j=0
while [[ ${j} -t ${i} ]]; do
   echo ${j}
   if [[ ${j} -eq 0 ]]; then
      CMD="cat ${HARDWN}"
   else
      CMD="${CMD} ${HARDWN}${j}"
   fi
   ((j++))
done
$(echo ${CMD} > hardw-all-raw-${SITE})
cat hardw-all-raw-${SITE} | jq -r '.' > hardw-${SITE}-all
HARDW=hardw-${SITE}-all
/bin/rm hardw-${SITE} hardw-${SITE}? hardw-${SITE}[1-9]? hardw-all-raw-${SITE}

Then make sure SNMP is enabled, disable SNMP v1, and reset the iLO interface:

# Get OneView session credentials
# Pull down a list of all current hardware.  Set the variable, HARDW, to the downloaded list.
# Set three JSON variables
echo '{"SNMP": {"ProtocolEnabled": true }}' | jq -c '.' > snmp
echo '{"SNMPv1Enabled": false }' | jq -c '.' > snmpv1
echo '{"Action": "Manager.Reset"}' | jq -c '.' > resetiLO
#
for SERVER in $(jq -r '.members[] | "\(.name)"' ${HARDW}); do
   UUID=$(jq -r '.members[] | select(.name=="'${SERVER}'") | "\(.uuid)"' ${HARDW})
   read iLOSSO iLOAuth <<< $(curl --silent --insecure --header "X-API-Version": ${currentVersion}" \
      --header "auth: ${sessionID}" \
      --request GET ${OneView}/reset/server-hardware/${UUID}/remoteConsoleUrl | \
      jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' \
      -e 's|^\(.*\)&sessionkey=\(.*\)$|\1 \2|')
   curl --silent --insecure --include \
      --header "X-Auth-Token: ${iLOAuth}" \
      --header "Content-Type: application/json" \
      --location --data "@snmp" \
      --request PATCH ${iLOSSO}/redfish/v1/Managers/1/networkprotocol
   curl --silent --insecure --include \
      --header "X-Auth-Token: ${iLOAuth}" \
      --header "Content-Type: application/json" \
      --location --data "@snmpv1" \
      --request PATCH ${iLOSSO}/redfish/v1/Managers/1/SnmpService
   curl --silent --insecure --include \
      --header "X-Auth-Token: ${iLOAuth}" \
      --header "Content-Type: application/json" \
      --location --data "@resetiLO" \
      --request POST ${iLOSSO}/redfish/v1/Managers/1/Actions/Manager.Reset
done

 

0 Kudos
Reply
pirx
Valued Contributor

‎08-09-2023 07:42 AM

‎08-09-2023 07:42 AM

Re: OneView and SNMPv1

Well, I know how to disable SNMPv1, I did it before on all ILOs with....

ilorest --nologo set SNMPv1Enabled=False --commit --select=HpeiLOSnmpService. {{ilo_connect_string }}

Strange thing is that the securtiy status changed after adding the servers to OV. And the only thing I see in dashboard that is red is SNMPv1.

But ilorest tool and redfish still report snmpv1 as disabled, even if it there is an alert about it.

 

iLOrest > get SNMPv1Enabled --select=HpeiLOSnmpService.

Discovering data...Done
SNMPv1Enabled=False
iLOrest > set SNMPv1Enabled=False --commit --select=HpeiLOSnmpService.
ERROR : Nothing changed for attribute 'snmpv1enabled'.
Please check if the attribute exists or Read-only or System Unique property or the value trying to set is same or invalid
iLOrest >

 

 

Overall security status of the system is at risk.

Active
  
8/4/23  12:08:29 pm
Resolution 

Navigate to the 'Security Dashboard' tab under the 'Information' section on the iLO Web UI in order to evaluate your configuration for potential risks and view advice on improving system security.



image.png

 

image.pngimage.png

 

 

0 Kudos
Reply
bradawk1
Trusted Contributor

‎08-09-2023 08:13 AM

‎08-09-2023 08:13 AM

Re: OneView and SNMPv1

Your security dashboard is showing snmp v1 is enabled.  Are you sure you disabled it?  On one of my iLO 5s it shows SNMPv1   OK   Disabled     (slider is to the right).   We have 2.78 firmware.

0 Kudos
Reply
pirx
Valued Contributor

‎08-09-2023 10:24 AM

‎08-09-2023 10:24 AM

Re: OneView and SNMPv1

That is what confuses me. During server deployment I use ilorest in an ansible playbook to disable snmpv1, like below.

iLOrest > set SNMPv1Enabled=False --commit --select=HpeiLOSnmpService.

With that the alert in dashboard gets cleared. Now, OV enabled snmpv1 again, but the state in ilorest tool still tells me snmpv1 is disabled, but the dashboard shows the alert.

iLOrest > get SNMPv1Enabled --select=HpeiLOSnmpService.

Discovering data...Done
SNMPv1Enabled=False

 

0 Kudos
Reply
bradawk1
Trusted Contributor

‎08-10-2023 02:41 AM

‎08-10-2023 02:41 AM

Re: OneView and SNMPv1

It's very odd.  I've never seen any of our OneView appliances enabling SNMPv1.  Try running hponcfg and pulling everything out.  See what setting you see in the XML output?

0 Kudos
Reply
MV3
HPE Pro

‎08-13-2023 09:28 PM

‎08-13-2023 09:28 PM

Re: OneView and SNMPv1

Hello,

SNMP will not get enabled automatically, please raise a support case with HPE.

Cheers...



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.