C H A P T E R 2 |
Configure the SNMP agent with the following file:
/etc/opt/SUNWmasf/conf/snmpd.conf
This file defines the ports where the agent can be accessed, the access controls that the agent is to apply to management information, and destinations for traps. By default, only the port number requires configuring after installation if:
The default configuration used by the agent enables read-only access for the community public. If the default configuration is not required, or it is inappropriate for a particular environment, configure access control as follows:
If there are systems that are to receive traps, provide a list of such hosts to the agent as described in Setting Up Trap Destinations.
If SNMPv3 access is required, further configure SNMPv3 and SNMPv3 users and views as described in SNMPv3 Configuration.
If the management applications using the agent are likely to require information in the MIB-II system branch, see Setting System Information.
Add comments to the configuration file by entering the pound sign (#) as the first character on the comment line.
Configure the port number using the agentaddress keyword. By default, a port number is specified as follows:
agentaddress 9000 |
This instructs the agent to listen to UDP port 9000 on all interfaces configured in the system. Change the port number if you want to listen on a different port.
Note - This port number must not be used by any other application. |
The agent can be made to listen to a specific address by specifying an agent address of the form:
hostname[:port] |
IPv4-address[:port] |
This forces the agent to listen on only that address. Also the agent can listen on multiple ports by using an agent address in the following form:
agentaddress 8161,localaddress:9161 |
This makes the agent listen on UDP port 8161 on all IPv4 interfaces and UDP port 9161 only on the interface associated with the local host address.
The agent must have a port number configured before it starts.
trapsink transportAddr community trap2sink transportAddr community |
This defines a trap destination, a community string used for the MIB view, and the destination port. All trap destinations must have an entry like this, and starting with SNMP 1.6 software, all of these fields must be specified. These commands define the hosts to receive traps:
You can use multiple trapsink, trap2sink lines to specify multiple destinations. You can also specify a host multiple times, in which case a trap is sent for each of the commands listed.
The SNMP daemon (snmpd) sends a cold start trap when it starts. If enabled, it also sends traps on authentication failures.
This results in SNMPv1 traps being sent to the system merlin on port 32768, and SNMPv2 traps being sent to arthur using the default port for traps of 162.
The agent supports the view-based access control model (VACM) as defined in RFC 2575. It, therefore, recognizes the following keywords in the configuration file:
It also recognizes some easier-to-use wrapper directives:
rocommunity community[source] [OID] rwcommunity community[source] [OID] |
These wrapper directives create read-only and read-write communities that can be used to access the agent. They are a simple wrapper around the more complex and powerful com2sec, group, access, and view directive lines. Also, they are not as efficient, because groups are not created, and the tables can be larger as a consequence. It is, therefore, better not to use these wrappers if you have complex situations to set up, and to reserve their use where your setup is simple.
community token specifies the community string for which access is to be granted
format of the source is token and is described in the com2sec directive section.
OID token restricts access for that community to everything below the given OID.
You can apply only one rwcommunity or rocommunity directive for each source and community combination.
rouser username [noauth|auth|priv] [OID] rwuser username [noauth|auth|priv] [OID] |
These wrapper directives configure access permissions for the specified user in the VACM configuration tables. It is more efficient and powerful to use the combined group, access, and view directives instead, but these wrapper directives are much simpler.
username specifies the SNMPv3 security name to which these permissions apply.
Minimum level of authentication and privacy for the username is specified by the first token, which defaults to auth.
OID token restricts access for that user to everything below the given OID.
These directives have no effect unless the corresponding user has been created. See SNMPv3 Configuration.
You can apply only one rwuser or rouser directive for each user.
com2sec username source community |
This wrapper directive specifies the mapping from a source/community pair to a security name.
The first source/community combination that matches the incoming packet is selected
group groupname model username |
This directive defines the mapping from a given security model and security name to a particular group.
access groupname context model level match read write notify |
The access directive specifies the access permissions to be given to a particular group/security model combination.
groupname specifies the name of the group to which the directive applies.
model is the SNMP security model to which the access directive applies. It can take the values of any, v1, v2c, or usm.
level specifies the minimum level of authentication and encryption of the incoming requests for which this directive applies. It can take the values noauth, auth, or priv.
match specifies how context should be matched against the context of the incoming protocol data unit (PDU), or packet, and takes the values exact or prefix.
read, write, and notify specify the view to be used for the corresponding access.
Note - The notify field is ignored for the purposes of access control. All access control for traps and informs is configured by means of the trapsink, trap2sink, and informsink directives. See Setting Up Trap Destinations. |
When model is v1 or v2c, set level to noauth, and context to the empty string ““.
When access for a particular group with a given security model is requested, the agent determines access in the following order:
view viewname type subtree [mask] |
viewname defines the name of the view, which you can then use to reference the view in an access directive.
type takes the values included or excluded. It specifies whether the OID subtree specified in subtree should be included or excluded from the corresponding view.
mask is a list of hex octets, separated by a period (.) or a colon (:). The mask defaults to all 1s (matching is performed against all digits in the subtree) if it is not specified.
A bit value of 0 in the mask acts as a wildcard for the corresponding value in the OID. A bit value of 1 in the mask indicates that the corresponding value in the subtree OID is fixed.
The mask enables you to control access to one row in a table in a relatively simple way.
view cust1 included 1.3.6.1.2.1.2.2.1.1.1 ff.a0 view cust2 included 1.3.6.1.2.1.2.2.1.1.2 ff.a0 |
In the example above, the hex value ff.a0 has a binary equivalent of 11111111.10100000. The bit position of the first 0 is position 10, which means that the view cust1 provides access to all the objects with OIDs that match 1.3.6.1.2.1.2.2.1.x.1, where x is an integer value.
Similarly, the view cust2 provides access to all the objects with OIDs that match 1.3.6.1.2.1.2.2.1.x.2.
The default configuration of the agent, as shipped, is functionally equivalent to the following entries:
This section describes the command that enables the agent to respond to SNM_v3 messages.
engineID string |
You must configure the snmpd agent with an engineID, so that it can respond to SNMPv3 messages. If you do not configure an engineID, the agent uses a default value of the engineID based on the first IP address found for the host name of the machine. If this is inappropriate (for example, if another agent is also using the same engineID), you must configure an engineID explicitly. This line configures the engineID to the value of string.
createUser username MD5 authpassphrase |
MD5 enables the authentication of SNMP users. When you create an SNMPv3 user, you must also update the VACM access control tables to provide an explicit declaration of what the user can access.
Note - This entry is made in the /var/opt/SUNWmasf/snmpd.dat file rather than in the /etc/opt/SUNWmasf/conf/snmpd.conf file. |
The minimum pass phrase length is 8 characters.
Note - When the specified user has been created, the createUser statement provided in the file is removed. |
This section describes the commands that you use to configure the system information in MIB-II.
syslocation string syscontact string sysname string |
These parameters set the system location, system contact, or system name for the agent. This information is reported in the system group in the MIB-II tree. Normally, these objects (sysLocation.0, sysContact.0, and sysName.0) are read-write. However, if you specify the value for one of these objects by giving the appropriate token, the corresponding object becomes read-only, and subsequent attempts to set the value of the object result in a notWritable error response.
sysservices number |
This parameter sets the value of the system.sysServices.0 object. For a host, an acceptable value is 72.
The value of sysservices is a sum based on the network layers for which the node performs transactions. For each layer, L, in the range 1 through 7, for which this node performs transactions, 2 raised to (L - 1) is added to the sum. For example, a node that performs primarily routing functions would have a value of 4 (2^(3-1)). In contrast, a node that is a host offering application services would have a value of 72 (2^(4-1) + 2^(7-1)).
Note - In the context of the Internet suite of protocols, values should be calculated accordingly. |
TABLE 2-1 provides these layer values.
For systems including OSI protocols, layers 5 and 6 can also be counted.
This section describes the commands that enable general configuration of the agent.
agentgroup groupid |
Change to this groupid after opening the port. The groupid can refer to a group by name, or a number if the group number starts with #. For example, specifying agentgroup snmp causes the agent to run as the snmp group, and specifying agentgroup #10 causes the agent to run as the group with groupid 10.
agentuser uid |
Change to this uid after opening the port. The uid can refer to a user by name, or a number if the user number starts with #. For example, specifying agentuser snmp causes the agent to run as the snmp user, and specifying agentuser #10 causes the agent to run as the user with uid 10.
authtrapenable number |
Setting authtrapenable to 1 enables generation of authentication failure traps. The default value is disabled(2). Normally, the corresponding object (snmpEnableAuthenTraps.0) is read-write, but setting its value with this token makes the object read-only, and subsequent attempts to set the value of the object result in a notWritable error response.
You can update the configuration file at any time, either before starting the agent or once the agent has started. If the agent is running, it does not update its running configuration unless explicitly requested to do so.
The SNMP agent must be configured to use a specific network port, and this port cannot be shared with any other component on the system. However, master agent technologies can enable multiple SNMP agents on a system to appear as a single entity to management applications. To use such solutions, configure this agent to use a port that is known to the master agent, which then presents an aggregated OID space.
You can configure the Management Agent for Sun Fire (MASF) and the System Management Agent (SMA) configuration files to work together. The following procedures have been tested with Sun’s SMA.
Note - Any trapsink or trap2sink lines present in the /etc/opt/SUNWmasf/conf/snmpd.conf file must be added to the SMA snmpd.conf file. |
Restart the System Management Agent.
For more information, refer to “Starting and Stopping the System Management Agent” in the Solaris System Management Agent Administration Guide.
# svcadm restart svc:/application/management/sma:default |
# /etc/init.d/masfd stop # /etc/init.d/masfd start |
After both agents start, MASF should now respond to requests directed to the agentaddress as specified in the SMA.
Copyright © 2009, Sun Microsystems, Inc. All rights reserved.