IBM Support

ISTH034E One or more active SNMP agents are configured with a community name of public

Question & Answer


Question

We recently installed z/OS maintenance which added new Communications Server Health Checks, and now we are getting an exception from the CSAPP_SNMPAGENT_PUBLIC_COMMUNITY health check when we IPL, even though we do not believe we have a community name of public for OSNMPD. We specify a community name on the -c command (PARM=('ENVAR("_CEE_ENVFILE=DD:STDENV")/-c GLMVSTAP -d 0')) and we have a PW_SRC file defined. We also have the following in our TCPIP PROFILE:

  SACONFig COMMUNity GLMVSTAP AGENT 161 SACACHETime 30 EnABLed         
          SETSEnAbled OSAEnabled

Here are the messages we are now seeing on SNMP startup:

 EZZ6225I SNMP AGENT: INITIALIZATION COMPLETE 
 HZS0002E CHECK(IBMCS,CSAPP_SNMPAGENT_PUBLIC_COMMUNITY): 
 ISTH034E One or more active SNMP agents are configured with a community name of public 



                                     

Answer

The support for Healthcheck CSAPP_SNMPAGENT_PUBLIC_COMMUNITY was added by TCP/IP APAR PI51640 (V2R1 PTF UI37013) and SNA APAR OA50122 (V2R1 PTF UA81331).

This issue results from your still using the deprecated PW.SRC and SNMPTRAP.DEST configuration files. You pointed out that you are still using the PW.SRC file, and you are probably using the SNMPTRAP.DEST file as well. SNMPD.CONF is the preferred method for configuring SNMP.

Health Checker continues to issue an ISTH034E message flagging the community name of "public" because you are using SNMPTRAP.DEST to configure trap information. When using SNMPTRAP.DEST, the agent uses the hardcoded community name of public in the outbound traps.

Because the community name of public is a well-known name, it should not be used in SNMP traps due to security considerations. The published IBM Techdoc "z/OS V2R1 Communications Server: IBM Health Checker for SMTP, SNMP, and RSHD" documents this guideline under the "provide trap destination information" and "SNMPTRAP.DEST statement syntax" topics in the PDF attached to the Techdoc (http://www-01.ibm.com/support/docview.wss?uid=swg27047778).

Guideline:
"If you use SNMPTRAP.DEST to configure trap information, the agent uses the hardcoded community name of public in the outbound traps. Because the community name of public is a well-known name, it should not be used in SNMP traps due to security considerations."

You have two options for preventing this false positive:

  1. Convert your deprecated PW.SRC and SNMPTRAP.DEST files to the preferred SNMPD.CONF file. The instructions for making this conversion are detailed in the IP Configuration Reference here: "Migrating the PW.SRC file and SNMPTRAP.DEST file to the SNMPD.CONF file" in Chapter 20 (http://publibz.boulder.ibm.com/epubs/pdf/f1a2b411.pdf). See also this Techdoc: "Migrating z/OS SNMP to SNMPv3" (http://www-01.ibm.com/support/docview.wss?uid=swg27004972). Changing the existing behavior for PW.SRC would have caused more issues than solutions for many customers. Since SNMPD.CONF is the strategic configuration, we want to encourage customers to migrate to SNMPD.CONF as much as possible.

  2. Suppress that specific health check by issuing this command:

F HZSPROC,DELETE,CHECK=(IBMCS,CSAPP_SNMPAGENT_PUBLIC_COMMUNITY)

Otherwise, you can ignore this specific health check.
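
The reasoning in this answer can be run as a pre-IPL audit of the places a community name comes from. The sketch below is an added example, not IBM code and not the health check's own logic. It assumes that the first field of each PW.SRC line is the community name, that `#` starts a comment, and that matching "public" case-insensitively is acceptable; the function names and sample addresses are constructed for illustration.

```python
import re

def entries(text):
    """Fields of each non-blank line; '#' comments are an assumption of this sketch."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r for r in rows if r]

def is_public(name):
    # Case-insensitive comparison is a deliberately conservative choice made here.
    return name is not None and name.lower() == "public"

def audit_public_community(parm="", profile="", pw_src="", snmptrap_dest=""):
    """Return (source, reason) pairs for each place 'public' would be in use."""
    findings = []
    m = re.search(r"(?:^|[\s/])-c\s+(\S+)", parm)  # agent -c start option
    if m and is_public(m.group(1)):
        findings.append(("PARM", "-c sets community public"))
    # PROFILE keywords may be abbreviated and in mixed case (SACONFig COMMUNity).
    m = re.search(r"\bSACONF\w*\s+(?:.*?\s)?COMMUN\w*\s+(\S+)", profile, re.I | re.S)
    if m and is_public(m.group(1)):
        findings.append(("PROFILE", "SACONFIG COMMUNITY is public"))
    for fields in entries(pw_src):  # assumed layout: community name is field 1
        if is_public(fields[0]):
            findings.append(("PW.SRC", "community public defined"))
    # Any trap destination in SNMPTRAP.DEST means traps go out as 'public',
    # whatever community name the other sources specify.
    if entries(snmptrap_dest):
        findings.append(("SNMPTRAP.DEST",
                         "outbound traps use the hardcoded community public"))
    return findings

# Constructed sample input, modelled on the configuration quoted in the question.
PARM = 'ENVAR("_CEE_ENVFILE=DD:STDENV")/-c GLMVSTAP -d 0'
PROFILE = "SACONFig COMMUNity GLMVSTAP AGENT 161 SACACHETime 30 EnABLed"
PW_SRC = "GLMVSTAP 192.0.2.0 255.255.255.0\n"
TRAP_DEST = "192.0.2.10 UDP\n"

if __name__ == "__main__":
    for source, reason in audit_public_community(PARM, PROFILE, PW_SRC, TRAP_DEST):
        print(f"{source}: {reason}")
```

With the sample input, the only finding is the SNMPTRAP.DEST one, which matches the situation described in the question: every explicitly configured community name is GLMVSTAP, yet traps still carry public.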


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
16 September 2016

UID

dwa1304002