Sun GlassFish Enterprise Manager SNMP Monitoring 1.0 Reference

SNMP Master Agent Security

The current SNMP monitoring release supports SNMP versions 1 and 2 only, which lack strong security. Some limited security can be put in place using the community string.

You must configure the SNMP master agent for your operating system first, as described in SNMP Master Agent Integration. Changing the SNMP port is also recommended; see the Sun GlassFish Enterprise Manager SNMP Monitoring 1.0 Installation and Quick Start Guide.

Solaris Platform

To set up limited security for SNMP, you can create a community string in the /etc/sma/snmp/snmpd.conf file. You can also specify the host or subnet from which this community can be accessed. The syntax of the directive that adds a community string is as follows:

rocommunity community [source] [OID]

This directive creates read-only communities that can be used to access the agent. The source and OID are optional. The source can be a hostname, a subnet, or the word default. A subnet can be specified as IP/mask or IP/bits. The first source/community combination that matches the incoming packet is selected. The OID restricts access for that community to everything below the specified OID. For additional information, see the man page for snmpd.conf.

The following example does not specify a source or OID:

# access granted using community string mfwk
rocommunity mfwk
proxy -v1 -c public gf-ip-address:gf-port 1.3.6.1.4.1.42.2.9999.1.1.1

Substitute the IP address for the machine on which the Enterprise Server is running for gf-ip-address. Substitute the port for the Enterprise Server for gf-port.

Users must indicate a community string when connecting to the SNMP master agent. Requests not specifying the correct community string are rejected. The following snmpwalk command specifies the correct community string:


snmpwalk -c mfwk -v 1 localhost J2EE-MIB::j2eeSrvMoName
J2EE-MIB::j2eeSrvMoName.1.1 = STRING: "name=server"

The following example specifies a subnet for source:

# access granted using community string mfwk on the subnet 10.10.10.0/24
rocommunity mfwk 10.10.10.0/24
proxy -v1 -c public gf-ip-address:gf-port 1.3.6.1.4.1.42.2.9999.1.1.1

As with the first example, users must indicate a community string when connecting to the SNMP master agent. However, if they are not on the specified subnet, their requests are rejected even with the correct community string.
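The matching rules described above (the first matching source/community combination is selected, and an OID limits access to the subtree below it) can be modelled offline to audit an snmpd.conf before deploying it. This is an added example, not part of the original Sun documentation; the function names and the sample configuration are constructed for illustration, and hostname sources are not resolved.

```python
import ipaddress

# Constructed snmpd.conf sample (not from a real host): a subnet- and
# OID-restricted rule followed by a catch-all rule for the same community.
SAMPLE_CONF = """\
# access granted using community string mfwk
rocommunity mfwk 10.10.10.0/24 1.3.6.1.4.1.42.2.9999
rocommunity mfwk
"""

def parse_rocommunity(conf_text):
    """Return (community, source, oid) tuples in file order."""
    rules = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "rocommunity":
            source = fields[2] if len(fields) > 2 else "default"
            oid = fields[3] if len(fields) > 3 else None
            rules.append((fields[1], source, oid))
    return rules

def source_matches(source, client_ip):
    """True if client_ip falls within source (default, IP, IP/mask or IP/bits)."""
    if source == "default":
        return True
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False  # hostname sources are not resolved in this offline sketch
    return ipaddress.ip_address(client_ip) in net

def oid_parts(oid):
    """Split a dotted OID into integers so prefixes compare per component."""
    return tuple(int(p) for p in oid.strip(".").split("."))

def is_allowed(rules, community, client_ip, oid):
    """Apply the first rule whose community and source match the request."""
    for rule_comm, source, root in rules:
        if rule_comm == community and source_matches(source, client_ip):
            if root is None:
                return True
            want, base = oid_parts(oid), oid_parts(root)
            return want[:len(base)] == base
    return False  # no matching community/source: request rejected

def unrestricted(rules):
    """Communities reachable from any source address (audit finding)."""
    return sorted({c for c, source, _ in rules if source == "default"})
```

With the sample configuration, a client outside 10.10.10.0/24 falls through to the second rocommunity line and can read the whole tree, so a leftover catch-all line cancels the subnet restriction; unrestricted() reports it.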

After you have modified the snmpd.conf file, restart the snmpd daemon using the following command:


/etc/init.d/init.sma start

You can also verify the status:


/etc/init.d/init.sma status

Note –

Communities are a quick wrapper around the more complex and powerful com2sec, group, access, and view directive lines. Communities are not as efficient as these directives, because groups are not created, so the tables are potentially larger. The community directives are therefore not recommended for complex environments. If your environment is relatively simple or you can sustain a small negative performance impact, use the community directives.


Linux Platform

To set up limited security for SNMP, you can create a community string in the /etc/snmp/snmpd.conf file. For example:

# access granted using community string mfwk
rocommunity mfwk
proxy -v1 -c public gf-ip-address:gf-port 1.3.6.1.4.1.42.2.9999.1.1.1

Substitute the IP address for the machine on which the Enterprise Server is running for gf-ip-address. Substitute the port for the Enterprise Server for gf-port.

Users must indicate a community string when connecting to the SNMP master agent. Requests not specifying the correct community string are rejected. The following snmpwalk command specifies the correct community string:


/usr/bin/snmpwalk -v1 -c mfwk localhost 1.3.6.1.4.1.42.2.9999.1.1.1.1.1

After you have modified the snmpd.conf file, restart the snmpd daemon using the following command:


/etc/rc.d/init.d/snmpd restart

You can also verify the status:


/etc/rc.d/init.d/snmpd status

Note –

Communities are a quick wrapper around the more complex and powerful com2sec, group, access, and view directive lines. Communities are not as efficient as these directives, because groups are not created, so the tables are potentially larger. The community directives are therefore not recommended for complex environments. If your environment is relatively simple or you can sustain a small negative performance impact, use the community directives.


Windows Platform

To set up limited security for SNMP by creating a community string, follow these steps:

  1. Right-click My Computer and select Manage.

  2. In the Computer Management window, open Services in the Services and Applications section.

  3. On the right-hand side, right-click SNMP Service and select Properties.

  4. Go to the Security tab and add mfwk as a READ-ONLY community in the Accepted Community Names area.

  5. Click OK.

  6. Create a proxy configuration file, for example GlassFish_proxy.reg, and enter the following lines:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\SNMPPfW\Config\1]
    "AgentAddress"="gf-ip-address"
    "AgentCommunity"="mfwk"
    "AgentPort"="gf-port"
    "ProxyOIDRoot"=".1.3.6.1.4.1.42.2.9999"
    "ProxiedOIDRoot"=".1.3.6.1.4.1.42.2.9999"
    "Retries"="3"
    "TimeOut"="2000"

    Substitute the IP address for the machine on which the Enterprise Server is running for gf-ip-address. Substitute the port for the Enterprise Server for gf-port.

  7. Execute the following command:


    regedit /s GlassFish_proxy.reg

    You can edit this configuration later using the regedit command.

  8. Restart the Windows SNMP service in one of the following ways:

    • From the Computer Management window, right-click SNMP Service and select Restart.

    • Execute the following commands:


      net stop snmp
      net start snmp

    To test the Enterprise Server subagent through the Windows SNMP service, use an snmpwalk command such as this one, which retrieves all Enterprise Server tables:


      snmpwalk.exe -v1 -c mfwk localhost 1.3.6.1.4.1.42.2.9999.1.1.1.1