summaryrefslogtreecommitdiff
path: root/mibs/SNMP-USER-BASED-SM-MIB.txt
diff options
context:
space:
mode:
Diffstat (limited to 'mibs/SNMP-USER-BASED-SM-MIB.txt')
-rw-r--r--mibs/SNMP-USER-BASED-SM-MIB.txt912
1 files changed, 912 insertions, 0 deletions
diff --git a/mibs/SNMP-USER-BASED-SM-MIB.txt b/mibs/SNMP-USER-BASED-SM-MIB.txt
new file mode 100644
index 000000000..3b714030c
--- /dev/null
+++ b/mibs/SNMP-USER-BASED-SM-MIB.txt
@@ -0,0 +1,912 @@
+SNMP-USER-BASED-SM-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ OBJECT-IDENTITY,
+ snmpModules, Counter32 FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION, TestAndIncr,
+ RowStatus, RowPointer,
+ StorageType, AutonomousType FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
+ SnmpAdminString, SnmpEngineID,
+ snmpAuthProtocols, snmpPrivProtocols FROM SNMP-FRAMEWORK-MIB;
+
+snmpUsmMIB MODULE-IDENTITY
+ LAST-UPDATED "200210160000Z" -- 16 Oct 2002, midnight
+ ORGANIZATION "SNMPv3 Working Group"
+ CONTACT-INFO "WG-email: snmpv3@lists.tislabs.com
+ Subscribe: majordomo@lists.tislabs.com
+ In msg body: subscribe snmpv3
+
+ Chair: Russ Mundy
+ Network Associates Laboratories
+ postal: 15204 Omega Drive, Suite 300
+ Rockville, MD 20850-4601
+ USA
+ email: mundy@tislabs.com
+
+ phone: +1 301-947-7107
+
+ Co-Chair: David Harrington
+ Enterasys Networks
+ Postal: 35 Industrial Way
+ P. O. Box 5004
+ Rochester, New Hampshire 03866-5005
+ USA
+ EMail: dbh@enterasys.com
+ Phone: +1 603-337-2614
+
+ Co-editor Uri Blumenthal
+ Lucent Technologies
+ postal: 67 Whippany Rd.
+ Whippany, NJ 07981
+ USA
+ email: uri@lucent.com
+ phone: +1-973-386-2163
+
+ Co-editor: Bert Wijnen
+ Lucent Technologies
+ postal: Schagen 33
+ 3461 GL Linschoten
+ Netherlands
+ email: bwijnen@lucent.com
+ phone: +31-348-480-685
+ "
+ DESCRIPTION "The management information definitions for the
+ SNMP User-based Security Model.
+
+ Copyright (C) The Internet Society (2002). This
+ version of this MIB module is part of RFC 3414;
+ see the RFC itself for full legal notices.
+ "
+-- Revision history
+
+ REVISION "200210160000Z" -- 16 Oct 2002, midnight
+ DESCRIPTION "Changes in this revision:
+ - Updated references and contact info.
+ - Clarification to usmUserCloneFrom DESCRIPTION
+ clause
+ - Fixed 'command responder' into 'command generator'
+ in last para of DESCRIPTION clause of
+ usmUserTable.
+ This revision published as RFC3414.
+ "
+ REVISION "199901200000Z" -- 20 Jan 1999, midnight
+ DESCRIPTION "Clarifications, published as RFC2574"
+
+ REVISION "199711200000Z" -- 20 Nov 1997, midnight
+ DESCRIPTION "Initial version, published as RFC2274"
+ ::= { snmpModules 15 }
+
+-- Administrative assignments ****************************************
+
+usmMIBObjects OBJECT IDENTIFIER ::= { snmpUsmMIB 1 }
+usmMIBConformance OBJECT IDENTIFIER ::= { snmpUsmMIB 2 }
+
+-- Identification of Authentication and Privacy Protocols ************
+
+usmNoAuthProtocol OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "No Authentication Protocol."
+ ::= { snmpAuthProtocols 1 }
+
+usmHMACMD5AuthProtocol OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The HMAC-MD5-96 Digest Authentication Protocol."
+ REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti HMAC:
+ Keyed-Hashing for Message Authentication,
+ RFC2104, Feb 1997.
+ - Rivest, R., Message Digest Algorithm MD5, RFC1321.
+ "
+ ::= { snmpAuthProtocols 2 }
+
+usmHMACSHAAuthProtocol OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The HMAC-SHA-96 Digest Authentication Protocol."
+ REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti, HMAC:
+ Keyed-Hashing for Message Authentication,
+ RFC2104, Feb 1997.
+ - Secure Hash Algorithm. NIST FIPS 180-1.
+ "
+ ::= { snmpAuthProtocols 3 }
+
+usmNoPrivProtocol OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "No Privacy Protocol."
+ ::= { snmpPrivProtocols 1 }
+
+usmDESPrivProtocol OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The CBC-DES Symmetric Encryption Protocol."
+ REFERENCE "- Data Encryption Standard, National Institute of
+ Standards and Technology. Federal Information
+ Processing Standard (FIPS) Publication 46-1.
+
+ Supersedes FIPS Publication 46,
+ (January, 1977; reaffirmed January, 1988).
+
+ - Data Encryption Algorithm, American National
+ Standards Institute. ANSI X3.92-1981,
+ (December, 1980).
+
+ - DES Modes of Operation, National Institute of
+ Standards and Technology. Federal Information
+ Processing Standard (FIPS) Publication 81,
+ (December, 1980).
+
+ - Data Encryption Algorithm - Modes of Operation,
+ American National Standards Institute.
+ ANSI X3.106-1983, (May 1983).
+ "
+ ::= { snmpPrivProtocols 2 }
+
+-- Textual Conventions ***********************************************
+
+KeyChange ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "Every definition of an object with this syntax must identify
+ a protocol P, a secret key K, and a hash algorithm H
+ that produces output of L octets.
+
+ The object's value is a manager-generated, partially-random
+ value which, when modified, causes the value of the secret
+ key K, to be modified via a one-way function.
+
+ The value of an instance of this object is the concatenation
+ of two components: first a 'random' component and then a
+ 'delta' component.
+
+ The lengths of the random and delta components
+ are given by the corresponding value of the protocol P;
+ if P requires K to be a fixed length, the length of both the
+ random and delta components is that fixed length; if P
+ allows the length of K to be variable up to a particular
+ maximum length, the length of the random component is that
+ maximum length and the length of the delta component is any
+ length less than or equal to that maximum length.
+ For example, usmHMACMD5AuthProtocol requires K to be a fixed
+ length of 16 octets and L - of 16 octets.
+ usmHMACSHAAuthProtocol requires K to be a fixed length of
+ 20 octets and L - of 20 octets. Other protocols may define
+ other sizes, as deemed appropriate.
+
+ When a requester wants to change the old key K to a new
+ key keyNew on a remote entity, the 'random' component is
+ obtained from either a true random generator, or from a
+ pseudorandom generator, and the 'delta' component is
+ computed as follows:
+
+ - a temporary variable is initialized to the existing value
+ of K;
+ - if the length of the keyNew is greater than L octets,
+ then:
+ - the random component is appended to the value of the
+ temporary variable, and the result is input to the
+ the hash algorithm H to produce a digest value, and
+ the temporary variable is set to this digest value;
+ - the value of the temporary variable is XOR-ed with
+ the first (next) L-octets (16 octets in case of MD5)
+ of the keyNew to produce the first (next) L-octets
+ (16 octets in case of MD5) of the 'delta' component.
+ - the above two steps are repeated until the unused
+ portion of the keyNew component is L octets or less,
+ - the random component is appended to the value of the
+ temporary variable, and the result is input to the
+ hash algorithm H to produce a digest value;
+ - this digest value, truncated if necessary to be the same
+ length as the unused portion of the keyNew, is XOR-ed
+ with the unused portion of the keyNew to produce the
+ (final portion of the) 'delta' component.
+
+ For example, using MD5 as the hash algorithm H:
+
+ iterations = (lenOfDelta - 1)/16; /* integer division */
+ temp = keyOld;
+ for (i = 0; i < iterations; i++) {
+ temp = MD5 (temp || random);
+ delta[i*16 .. (i*16)+15] =
+ temp XOR keyNew[i*16 .. (i*16)+15];
+ }
+ temp = MD5 (temp || random);
+ delta[i*16 .. lenOfDelta-1] =
+ temp XOR keyNew[i*16 .. lenOfDelta-1];
+
+ The 'random' and 'delta' components are then concatenated as
+ described above, and the resulting octet string is sent to
+ the recipient as the new value of an instance of this object.
+
+ At the receiver side, when an instance of this object is set
+ to a new value, then a new value of K is computed as follows:
+
+ - a temporary variable is initialized to the existing value
+ of K;
+ - if the length of the delta component is greater than L
+ octets, then:
+ - the random component is appended to the value of the
+ temporary variable, and the result is input to the
+ hash algorithm H to produce a digest value, and the
+ temporary variable is set to this digest value;
+ - the value of the temporary variable is XOR-ed with
+ the first (next) L-octets (16 octets in case of MD5)
+ of the delta component to produce the first (next)
+ L-octets (16 octets in case of MD5) of the new value
+ of K.
+ - the above two steps are repeated until the unused
+ portion of the delta component is L octets or less,
+ - the random component is appended to the value of the
+ temporary variable, and the result is input to the
+ hash algorithm H to produce a digest value;
+ - this digest value, truncated if necessary to be the same
+ length as the unused portion of the delta component, is
+ XOR-ed with the unused portion of the delta component to
+ produce the (final portion of the) new value of K.
+
+ For example, using MD5 as the hash algorithm H:
+
+ iterations = (lenOfDelta - 1)/16; /* integer division */
+ temp = keyOld;
+ for (i = 0; i < iterations; i++) {
+ temp = MD5 (temp || random);
+ keyNew[i*16 .. (i*16)+15] =
+ temp XOR delta[i*16 .. (i*16)+15];
+ }
+ temp = MD5 (temp || random);
+ keyNew[i*16 .. lenOfDelta-1] =
+ temp XOR delta[i*16 .. lenOfDelta-1];
+
+ The value of an object with this syntax, whenever it is
+ retrieved by the management protocol, is always the zero
+ length string.
+
+ Note that the keyOld and keyNew are the localized keys.
+
+ Note that it is probably wise that when an SNMP entity sends
+ a SetRequest to change a key, that it keeps a copy of the old
+ key until it has confirmed that the key change actually
+ succeeded.
+ "
+ SYNTAX OCTET STRING
+
+-- Statistics for the User-based Security Model **********************
+
+usmStats OBJECT IDENTIFIER ::= { usmMIBObjects 1 }
+
+usmStatsUnsupportedSecLevels OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "The total number of packets received by the SNMP
+ engine which were dropped because they requested a
+ securityLevel that was unknown to the SNMP engine
+ or otherwise unavailable.
+ "
+ ::= { usmStats 1 }
+
+usmStatsNotInTimeWindows OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "The total number of packets received by the SNMP
+ engine which were dropped because they appeared
+ outside of the authoritative SNMP engine's window.
+ "
+ ::= { usmStats 2 }
+
+usmStatsUnknownUserNames OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "The total number of packets received by the SNMP
+ engine which were dropped because they referenced a
+ user that was not known to the SNMP engine.
+ "
+ ::= { usmStats 3 }
+
+usmStatsUnknownEngineIDs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "The total number of packets received by the SNMP
+ engine which were dropped because they referenced an
+ snmpEngineID that was not known to the SNMP engine.
+ "
+ ::= { usmStats 4 }
+
+usmStatsWrongDigests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "The total number of packets received by the SNMP
+ engine which were dropped because they didn't
+ contain the expected digest value.
+ "
+ ::= { usmStats 5 }
+
+usmStatsDecryptionErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "The total number of packets received by the SNMP
+ engine which were dropped because they could not be
+ decrypted.
+ "
+ ::= { usmStats 6 }
+
+-- The usmUser Group ************************************************
+
+usmUser OBJECT IDENTIFIER ::= { usmMIBObjects 2 }
+
+usmUserSpinLock OBJECT-TYPE
+ SYNTAX TestAndIncr
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION "An advisory lock used to allow several cooperating
+ Command Generator Applications to coordinate their
+ use of facilities to alter secrets in the
+ usmUserTable.
+ "
+ ::= { usmUser 1 }
+
+-- The table of valid users for the User-based Security Model ********
+
+usmUserTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF UsmUserEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "The table of users configured in the SNMP engine's
+ Local Configuration Datastore (LCD).
+
+ To create a new user (i.e., to instantiate a new
+ conceptual row in this table), it is recommended to
+ follow this procedure:
+
+ 1) GET(usmUserSpinLock.0) and save in sValue.
+
+ 2) SET(usmUserSpinLock.0=sValue,
+ usmUserCloneFrom=templateUser,
+ usmUserStatus=createAndWait)
+ You should use a template user to clone from
+ which has the proper auth/priv protocol defined.
+
+ If the new user is to use privacy:
+
+ 3) generate the keyChange value based on the secret
+ privKey of the clone-from user and the secret key
+ to be used for the new user. Let us call this
+ pkcValue.
+ 4) GET(usmUserSpinLock.0) and save in sValue.
+ 5) SET(usmUserSpinLock.0=sValue,
+ usmUserPrivKeyChange=pkcValue
+ usmUserPublic=randomValue1)
+ 6) GET(usmUserPulic) and check it has randomValue1.
+ If not, repeat steps 4-6.
+
+ If the new user will never use privacy:
+
+ 7) SET(usmUserPrivProtocol=usmNoPrivProtocol)
+
+ If the new user is to use authentication:
+
+ 8) generate the keyChange value based on the secret
+ authKey of the clone-from user and the secret key
+ to be used for the new user. Let us call this
+ akcValue.
+ 9) GET(usmUserSpinLock.0) and save in sValue.
+ 10) SET(usmUserSpinLock.0=sValue,
+ usmUserAuthKeyChange=akcValue
+ usmUserPublic=randomValue2)
+ 11) GET(usmUserPulic) and check it has randomValue2.
+ If not, repeat steps 9-11.
+
+ If the new user will never use authentication:
+
+ 12) SET(usmUserAuthProtocol=usmNoAuthProtocol)
+
+ Finally, activate the new user:
+
+ 13) SET(usmUserStatus=active)
+
+ The new user should now be available and ready to be
+ used for SNMPv3 communication. Note however that access
+ to MIB data must be provided via configuration of the
+ SNMP-VIEW-BASED-ACM-MIB.
+
+ The use of usmUserSpinlock is to avoid conflicts with
+ another SNMP command generator application which may
+ also be acting on the usmUserTable.
+ "
+ ::= { usmUser 2 }
+
+usmUserEntry OBJECT-TYPE
+ SYNTAX UsmUserEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "A user configured in the SNMP engine's Local
+ Configuration Datastore (LCD) for the User-based
+ Security Model.
+ "
+ INDEX { usmUserEngineID,
+ usmUserName
+ }
+ ::= { usmUserTable 1 }
+
+UsmUserEntry ::= SEQUENCE
+ {
+ usmUserEngineID SnmpEngineID,
+ usmUserName SnmpAdminString,
+ usmUserSecurityName SnmpAdminString,
+ usmUserCloneFrom RowPointer,
+ usmUserAuthProtocol AutonomousType,
+ usmUserAuthKeyChange KeyChange,
+ usmUserOwnAuthKeyChange KeyChange,
+ usmUserPrivProtocol AutonomousType,
+ usmUserPrivKeyChange KeyChange,
+ usmUserOwnPrivKeyChange KeyChange,
+ usmUserPublic OCTET STRING,
+ usmUserStorageType StorageType,
+ usmUserStatus RowStatus
+ }
+
+usmUserEngineID OBJECT-TYPE
+ SYNTAX SnmpEngineID
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "An SNMP engine's administratively-unique identifier.
+
+ In a simple agent, this value is always that agent's
+ own snmpEngineID value.
+
+ The value can also take the value of the snmpEngineID
+ of a remote SNMP engine with which this user can
+ communicate.
+ "
+ ::= { usmUserEntry 1 }
+
+usmUserName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "A human readable string representing the name of
+ the user.
+
+ This is the (User-based Security) Model dependent
+ security ID.
+ "
+ ::= { usmUserEntry 2 }
+
+usmUserSecurityName OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "A human readable string representing the user in
+ Security Model independent format.
+
+ The default transformation of the User-based Security
+ Model dependent security ID to the securityName and
+ vice versa is the identity function so that the
+ securityName is the same as the userName.
+ "
+ ::= { usmUserEntry 3 }
+
+usmUserCloneFrom OBJECT-TYPE
+ SYNTAX RowPointer
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "A pointer to another conceptual row in this
+ usmUserTable. The user in this other conceptual
+ row is called the clone-from user.
+
+ When a new user is created (i.e., a new conceptual
+ row is instantiated in this table), the privacy and
+ authentication parameters of the new user must be
+ cloned from its clone-from user. These parameters are:
+ - authentication protocol (usmUserAuthProtocol)
+ - privacy protocol (usmUserPrivProtocol)
+ They will be copied regardless of what the current
+ value is.
+
+ Cloning also causes the initial values of the secret
+ authentication key (authKey) and the secret encryption
+
+ key (privKey) of the new user to be set to the same
+ values as the corresponding secrets of the clone-from
+ user to allow the KeyChange process to occur as
+ required during user creation.
+
+ The first time an instance of this object is set by
+ a management operation (either at or after its
+ instantiation), the cloning process is invoked.
+ Subsequent writes are successful but invoke no
+ action to be taken by the receiver.
+ The cloning process fails with an 'inconsistentName'
+ error if the conceptual row representing the
+ clone-from user does not exist or is not in an active
+ state when the cloning process is invoked.
+
+ When this object is read, the ZeroDotZero OID
+ is returned.
+ "
+ ::= { usmUserEntry 4 }
+
+usmUserAuthProtocol OBJECT-TYPE
+ SYNTAX AutonomousType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "An indication of whether messages sent on behalf of
+ this user to/from the SNMP engine identified by
+ usmUserEngineID, can be authenticated, and if so,
+ the type of authentication protocol which is used.
+
+ An instance of this object is created concurrently
+ with the creation of any other object instance for
+ the same user (i.e., as part of the processing of
+ the set operation which creates the first object
+ instance in the same conceptual row).
+
+ If an initial set operation (i.e. at row creation time)
+ tries to set a value for an unknown or unsupported
+ protocol, then a 'wrongValue' error must be returned.
+
+ The value will be overwritten/set when a set operation
+ is performed on the corresponding instance of
+ usmUserCloneFrom.
+
+ Once instantiated, the value of such an instance of
+ this object can only be changed via a set operation to
+ the value of the usmNoAuthProtocol.
+
+ If a set operation tries to change the value of an
+
+ existing instance of this object to any value other
+ than usmNoAuthProtocol, then an 'inconsistentValue'
+ error must be returned.
+
+ If a set operation tries to set the value to the
+ usmNoAuthProtocol while the usmUserPrivProtocol value
+ in the same row is not equal to usmNoPrivProtocol,
+ then an 'inconsistentValue' error must be returned.
+ That means that an SNMP command generator application
+ must first ensure that the usmUserPrivProtocol is set
+ to the usmNoPrivProtocol value before it can set
+ the usmUserAuthProtocol value to usmNoAuthProtocol.
+ "
+ DEFVAL { usmNoAuthProtocol }
+ ::= { usmUserEntry 5 }
+
+usmUserAuthKeyChange OBJECT-TYPE
+ SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5
+ -- typically (SIZE (0 | 40)) for HMACSHA
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "An object, which when modified, causes the secret
+ authentication key used for messages sent on behalf
+ of this user to/from the SNMP engine identified by
+ usmUserEngineID, to be modified via a one-way
+ function.
+
+ The associated protocol is the usmUserAuthProtocol.
+ The associated secret key is the user's secret
+ authentication key (authKey). The associated hash
+ algorithm is the algorithm used by the user's
+ usmUserAuthProtocol.
+
+ When creating a new user, it is an 'inconsistentName'
+ error for a set operation to refer to this object
+ unless it is previously or concurrently initialized
+ through a set operation on the corresponding instance
+ of usmUserCloneFrom.
+
+ When the value of the corresponding usmUserAuthProtocol
+ is usmNoAuthProtocol, then a set is successful, but
+ effectively is a no-op.
+
+ When this object is read, the zero-length (empty)
+ string is returned.
+
+ The recommended way to do a key change is as follows:
+
+ 1) GET(usmUserSpinLock.0) and save in sValue.
+ 2) generate the keyChange value based on the old
+ (existing) secret key and the new secret key,
+ let us call this kcValue.
+
+ If you do the key change on behalf of another user:
+
+ 3) SET(usmUserSpinLock.0=sValue,
+ usmUserAuthKeyChange=kcValue
+ usmUserPublic=randomValue)
+
+ If you do the key change for yourself:
+
+ 4) SET(usmUserSpinLock.0=sValue,
+ usmUserOwnAuthKeyChange=kcValue
+ usmUserPublic=randomValue)
+
+ If you get a response with error-status of noError,
+ then the SET succeeded and the new key is active.
+ If you do not get a response, then you can issue a
+ GET(usmUserPublic) and check if the value is equal
+ to the randomValue you did send in the SET. If so, then
+ the key change succeeded and the new key is active
+ (probably the response got lost). If not, then the SET
+ request probably never reached the target and so you
+ can start over with the procedure above.
+ "
+ DEFVAL { ''H } -- the empty string
+ ::= { usmUserEntry 6 }
+
+usmUserOwnAuthKeyChange OBJECT-TYPE
+ SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5
+ -- typically (SIZE (0 | 40)) for HMACSHA
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "Behaves exactly as usmUserAuthKeyChange, with one
+ notable difference: in order for the set operation
+ to succeed, the usmUserName of the operation
+ requester must match the usmUserName that
+ indexes the row which is targeted by this
+ operation.
+ In addition, the USM security model must be
+ used for this operation.
+
+ The idea here is that access to this column can be
+ public, since it will only allow a user to change
+ his own secret authentication key (authKey).
+ Note that this can only be done once the row is active.
+
+ When a set is received and the usmUserName of the
+ requester is not the same as the umsUserName that
+ indexes the row which is targeted by this operation,
+ then a 'noAccess' error must be returned.
+
+ When a set is received and the security model in use
+ is not USM, then a 'noAccess' error must be returned.
+ "
+ DEFVAL { ''H } -- the empty string
+ ::= { usmUserEntry 7 }
+
+usmUserPrivProtocol OBJECT-TYPE
+ SYNTAX AutonomousType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "An indication of whether messages sent on behalf of
+ this user to/from the SNMP engine identified by
+ usmUserEngineID, can be protected from disclosure,
+ and if so, the type of privacy protocol which is used.
+
+ An instance of this object is created concurrently
+ with the creation of any other object instance for
+ the same user (i.e., as part of the processing of
+ the set operation which creates the first object
+ instance in the same conceptual row).
+
+ If an initial set operation (i.e. at row creation time)
+ tries to set a value for an unknown or unsupported
+ protocol, then a 'wrongValue' error must be returned.
+
+ The value will be overwritten/set when a set operation
+ is performed on the corresponding instance of
+ usmUserCloneFrom.
+
+ Once instantiated, the value of such an instance of
+ this object can only be changed via a set operation to
+ the value of the usmNoPrivProtocol.
+
+ If a set operation tries to change the value of an
+ existing instance of this object to any value other
+ than usmNoPrivProtocol, then an 'inconsistentValue'
+ error must be returned.
+
+ Note that if any privacy protocol is used, then you
+ must also use an authentication protocol. In other
+ words, if usmUserPrivProtocol is set to anything else
+ than usmNoPrivProtocol, then the corresponding instance
+ of usmUserAuthProtocol cannot have a value of
+
+ usmNoAuthProtocol. If it does, then an
+ 'inconsistentValue' error must be returned.
+ "
+ DEFVAL { usmNoPrivProtocol }
+ ::= { usmUserEntry 8 }
+
+usmUserPrivKeyChange OBJECT-TYPE
+ SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "An object, which when modified, causes the secret
+ encryption key used for messages sent on behalf
+ of this user to/from the SNMP engine identified by
+ usmUserEngineID, to be modified via a one-way
+ function.
+
+ The associated protocol is the usmUserPrivProtocol.
+ The associated secret key is the user's secret
+ privacy key (privKey). The associated hash
+ algorithm is the algorithm used by the user's
+ usmUserAuthProtocol.
+
+ When creating a new user, it is an 'inconsistentName'
+ error for a set operation to refer to this object
+ unless it is previously or concurrently initialized
+ through a set operation on the corresponding instance
+ of usmUserCloneFrom.
+
+ When the value of the corresponding usmUserPrivProtocol
+ is usmNoPrivProtocol, then a set is successful, but
+ effectively is a no-op.
+
+ When this object is read, the zero-length (empty)
+ string is returned.
+ See the description clause of usmUserAuthKeyChange for
+ a recommended procedure to do a key change.
+ "
+ DEFVAL { ''H } -- the empty string
+ ::= { usmUserEntry 9 }
+
+usmUserOwnPrivKeyChange OBJECT-TYPE
+ SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "Behaves exactly as usmUserPrivKeyChange, with one
+ notable difference: in order for the Set operation
+ to succeed, the usmUserName of the operation
+ requester must match the usmUserName that indexes
+
+ the row which is targeted by this operation.
+ In addition, the USM security model must be
+ used for this operation.
+
+ The idea here is that access to this column can be
+ public, since it will only allow a user to change
+ his own secret privacy key (privKey).
+ Note that this can only be done once the row is active.
+
+ When a set is received and the usmUserName of the
+ requester is not the same as the umsUserName that
+ indexes the row which is targeted by this operation,
+ then a 'noAccess' error must be returned.
+
+ When a set is received and the security model in use
+ is not USM, then a 'noAccess' error must be returned.
+ "
+ DEFVAL { ''H } -- the empty string
+ ::= { usmUserEntry 10 }
+
+usmUserPublic OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE(0..32))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "A publicly-readable value which can be written as part
+ of the procedure for changing a user's secret
+ authentication and/or privacy key, and later read to
+ determine whether the change of the secret was
+ effected.
+ "
+ DEFVAL { ''H } -- the empty string
+ ::= { usmUserEntry 11 }
+
+usmUserStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "The storage type for this conceptual row.
+
+ Conceptual rows having the value 'permanent' must
+ allow write-access at a minimum to:
+
+ - usmUserAuthKeyChange, usmUserOwnAuthKeyChange
+ and usmUserPublic for a user who employs
+ authentication, and
+ - usmUserPrivKeyChange, usmUserOwnPrivKeyChange
+ and usmUserPublic for a user who employs
+ privacy.
+
+ Note that any user who employs authentication or
+ privacy must allow its secret(s) to be updated and
+ thus cannot be 'readOnly'.
+
+ If an initial set operation tries to set the value to
+ 'readOnly' for a user who employs authentication or
+ privacy, then an 'inconsistentValue' error must be
+ returned. Note that if the value has been previously
+ set (implicit or explicit) to any value, then the rules
+ as defined in the StorageType Textual Convention apply.
+
+ It is an implementation issue to decide if a SET for
+ a readOnly or permanent row is accepted at all. In some
+ contexts this may make sense, in others it may not. If
+ a SET for a readOnly or permanent row is not accepted
+ at all, then a 'wrongValue' error must be returned.
+ "
+ DEFVAL { nonVolatile }
+ ::= { usmUserEntry 12 }
+
+usmUserStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION "The status of this conceptual row.
+
+ Until instances of all corresponding columns are
+ appropriately configured, the value of the
+ corresponding instance of the usmUserStatus column
+ is 'notReady'.
+
+ In particular, a newly created row for a user who
+ employs authentication, cannot be made active until the
+ corresponding usmUserCloneFrom and usmUserAuthKeyChange
+ have been set.
+
+ Further, a newly created row for a user who also
+ employs privacy, cannot be made active until the
+ usmUserPrivKeyChange has been set.
+
+ The RowStatus TC [RFC2579] requires that this
+ DESCRIPTION clause states under which circumstances
+ other objects in this row can be modified:
+
+ The value of this object has no effect on whether
+ other objects in this conceptual row can be modified,
+ except for usmUserOwnAuthKeyChange and
+ usmUserOwnPrivKeyChange. For these 2 objects, the
+
+ value of usmUserStatus MUST be active.
+ "
+ ::= { usmUserEntry 13 }
+
+-- Conformance Information *******************************************
+
+usmMIBCompliances OBJECT IDENTIFIER ::= { usmMIBConformance 1 }
+usmMIBGroups OBJECT IDENTIFIER ::= { usmMIBConformance 2 }
+
+-- Compliance statements
+
+usmMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION "The compliance statement for SNMP engines which
+ implement the SNMP-USER-BASED-SM-MIB.
+ "
+
+ MODULE -- this module
+ MANDATORY-GROUPS { usmMIBBasicGroup }
+
+ OBJECT usmUserAuthProtocol
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT usmUserPrivProtocol
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+ ::= { usmMIBCompliances 1 }
+
+-- Units of compliance
+usmMIBBasicGroup OBJECT-GROUP
+ OBJECTS {
+ usmStatsUnsupportedSecLevels,
+ usmStatsNotInTimeWindows,
+ usmStatsUnknownUserNames,
+ usmStatsUnknownEngineIDs,
+ usmStatsWrongDigests,
+ usmStatsDecryptionErrors,
+ usmUserSpinLock,
+ usmUserSecurityName,
+ usmUserCloneFrom,
+ usmUserAuthProtocol,
+ usmUserAuthKeyChange,
+ usmUserOwnAuthKeyChange,
+ usmUserPrivProtocol,
+ usmUserPrivKeyChange,
+ usmUserOwnPrivKeyChange,
+ usmUserPublic,
+ usmUserStorageType,
+ usmUserStatus
+ }
+ STATUS current
+ DESCRIPTION "A collection of objects providing for configuration
+ of an SNMP engine which implements the SNMP
+ User-based Security Model.
+ "
+ ::= { usmMIBGroups 1 }
+
+END