Installation and Getting Started Guide
Encryption of SNMP Community Strings
The software automatically encrypts SNMP community strings. Users with read-only access or who do not have
access to management functions in the CLI cannot display the strings. For users with read-write access, the
strings are encrypted in the CLI but are shown in the clear in the Web management interface.
Encryption is enabled by default. You can disable encryption for individual strings or trap receivers if desired. See
the next section for information about encryption.
Adding an SNMP Community String
To add a community string, use either of the following methods. When you add a community string, you can
specify whether the string is encrypted or clear. By default, the string is encrypted.
USING THE CLI
To add an encrypted community string, enter commands such as the following:
HP9300(config)# snmp-server community private rw
HP9300(config)# write memory
Syntax: snmp-server community [0 | 1] <string> ro | rw
The <string> parameter specifies the community string name. The string can be up to 32 characters long.
The ro | rw parameter specifies whether the string is read-only (ro) or read-write (rw).
The 0 | 1 parameter affects encryption for display of the string in the running-config and the startup-config file.
Encryption is enabled by default. When encryption is enabled, the community string is encrypted in the CLI
regardless of the access level you are using. In the Web management interface, the community string is
encrypted at the read-only access level but is visible at the read-write access level.
The encryption option can be omitted (the default) or can be one of the following.
0 – Disables encryption for the community string you specify with the command. The community string is
shown as clear text in the running-config and the startup-config file. Use this option of you do not want
display of the community string to be encrypted.
1 – Assumes that the community string you enter is the encrypted form, and decrypts the value before using
NOTE: If you want the software to assume that the value you enter is the clear-text form, and to encrypt display
of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default
If you specify encryption option 1, the software assumes that you are entering the encrypted form of the
community string. In this case, the software decrypts the community string you enter before using the value for
authentication. If you accidentally enter option 1 followed by the clear-text version of the community string,
authentication will fail because the value used by the software will not match the value you intended to use.
The command in the example above adds the read-write SNMP community string "private". When you save the
new community string to the startup-config file (using the write memory command), the software adds the
following command to the file:
snmp-server community 1 <encrypted-string> rw
To add an non-encrypted community string, you must explicitly specify that you do not want the software to
encrypt the string. Here is an example:
HP9300(config)# snmp-server community 0 private rw
HP9300(config)# write memory
The command in this example adds the string "private" in the clear, which means the string is displayed in the
clear. When you save the new community string to the startup-config file, the software adds the following
command to the file:
snmp-server community 0 private rw
3 - 14