CA Spectrum Unable to Discover SNMPv3 device using hashed passwords (HMAC)

book

Article ID: 128050

calendar_today

Updated On:

Products

CA Spectrum

Issue/Introduction

Users are not able to discover SNMPv3 devices in Spectrum even though the agent configuration is correct.  When reviewing a sniffer trace, the agent responds to Spectrum with usmStatsWrongDigests, which indicates that the authentication information between Spectrum and the SNMPv3 agent are incorrect.  Upon further inspection of the agent, it was found that the passwords were hashed.

Cause

Spectrum does not support HMAC-SHA-2 (Hashed Message Authentication Mode) authentication.

Environment

Release:
Component: SPCAPP

Resolution

Reconfigure the SNMPv3 agent so that it does not use HMAC 2 authentication.  The following hash algorithms are HMAC-2 and are not supported:

usmHMAC192SHA256AuthProtocol
usmHMAC128SHA224AuthProtocol
usmHMAC256SHA384AuthProtocol
usmHMAC384SHA512AuthProtocol


The Spectrum SNMP agent supports the standard SHA-1 and MD5 hashing algorithms:

HMAC-MD5-96 (used as 'MD5' in Spectrum)
HMAC-SHA-96 (used as 'SHA' in Spectrum)


 

Additional Information

Support for SHA2 was introduced in Spectrum release 10.4.2.0 and above:

Supporting SHA-256 and SHA-512 for SNMPv3
DX NetOps Spectrum
 now supports SHA-256 and SHA-512 hashing algorithms for SNMPv3 communication. This ability helps you communicate with the devices by using a more secure SNMP communication. You can use the appropriate option (SHA256 or SHA512) while creating the SNMPv3 profile. You can then select that created profile to discover (Module Discovery) the related device or to fetch (MIB Tools) the device information.
For more information about how to use these options, see the "Configuring the SNMPv3 Profile" section in Edit SNMPv3 Profiles Dialog.