
Re: Hide SNMP community to some operators - 7.2

 
nethusiast
Occasional Contributor

Hide SNMP community to some operators - 7.2

Hi everybody,
we use IMC on a large scale and we would like to give access to some information to different operators for monitoring purposes.

We would like them to be allowed to see some custom topologies and the switches in them. They should also be able to see which port carries which VLAN and how (tagged/untagged).

We've been able to do it by creating a group with specific permissions.

The problem is that if such an operator goes to the "device information" page, he could see the SNMP community in plain text. Obviously we don't want that to happen.

Any experiences to share on the topic?

 

Many thanks

 

5 REPLIES
NeilR
Esteemed Contributor

Re: Hide SNMP community to some operators - 7.2

Under system settings, you can set "Display Access Passwords" to ciphertext. That will display any credential, including the SNMP setting, as dots.

However this is a global setting, so it will affect all groups.

nethusiast
Occasional Contributor

Re: Hide SNMP community to some operators - 7.2

Thank you for your reply.

We already did that and it didn't work. Could it be related to some DB settings?

NeilR
Esteemed Contributor

Re: Hide SNMP community to some operators - 7.2

Hmm. Not seen any other override - at least that's exposed in the UI. My account is in the default admin group, and functions as expected both at the template and device level - see attached pics. It toggles based on the system setting.

Is it working for the default groups but not when using a custom group? Haven't checked that.

Is there some other part of the UI you are using where it is not hidden?

Was this a new 7.2 install?

Mine has been upgraded from 7.0, so maybe there is some data item that's been carried forward but recently missing?

But sounds like you need to report it to HPE.

nethusiast
Occasional Contributor

Re: Hide SNMP community to some operators - 7.2

Thank you @NeilR for your reply!!

The problem occurs when we go into Device Information / Device Detail, under Trap Destination.

Does it occur to you in the same way?

 

 

 

NeilR
Esteemed Contributor

Re: Hide SNMP community to some operators - 7.2

On the trap destination page, if I understand correctly - see image - the Auth parameter is displayed in clear text. (If it's a different screen, send a screenshot.)

In this case I'd rate that as a lower concern, as this is the credential used by the end device to send traps to IMC.

Knowing this credential only authorizes an end device to send alerts (traps) to the management tool, in this case IMC. Someone could not use this to change a device's settings unless you used the same value for Read/Write SNMP.

Are you restricting your operators from reading the trap messages in IMC?

Seeing the trap credential has little effect, as it can only be used to receive the traps. I suppose someone could send spoofed traps to IMC, but they'd have to know all the device details.

I did find another place a credential is not encrypted. That is under User > User Access Policy > access device management. The RADIUS server key can be displayed if you modify an existing device. I find that a bit more concerning, but you could probably limit operator access to that function.