Java Dynamic Management Kit 5.1 Tutorial

19.2.1 Enabling User-Based Access Control

To enable user-based access control, you must create a UserAcl file. You must then direct the agent applying the access control to look in this file.

The simplest way of enabling access control and traps is to ensure that a UserAcl file exists when the SNMP protocol adaptor MBean is instantiated. To be detected automatically, the UserAcl file must be named jdmk.uacl and must be located in the configuration directory of the Java DMK installation. On UNIX systems with a standard installation of the product, the configuration directory is owned by root, so writing or modifying the UserAcl file there requires superuser privileges.

Operating Environment      Configuration Directory
Solaris/Linux/Windows      installDir/SUNWjdmk/5.1/etc/conf/

The other way of enabling file-based access control is to specify a different file through the jdmk.uacl.file system property. The filename associated with the property will override any UserAcl file in the configuration directory. This property can be set programmatically, but it is usually done on the command line when starting your agent. For example, if the full pathname of your UserAcl file is MyUaclFile, use this command to start the agent with SNMP access control enabled:


$ java -classpath classpath -Djdmk.uacl.file=MyUaclFile MyAgent

If a UserAcl file exists, the access rights it defines apply to all management applications that access the agent through its SNMP adaptor. If no UserAcl file exists when the SNMP adaptor is instantiated, neither in the configuration directory nor through the jdmk.uacl.file property, all SNMP requests are accepted.

The UserAcl file-based mechanism relies on the SnmpEngineParameters class to provide the access control functionality. This is the class that is initialized with the contents of the UserAcl file. This class provides the rereadTheFile method to reset the access control and trap lists with the contents of the UserAcl file. This method will reload the same file that was used originally, regardless of any new property definitions. After you have updated the UserAcl file, call the following method to update the access control lists:

Uacl.rereadTheFile

The following procedure demonstrates how to enable Uacl, using the example of the simple synchronous manager we saw in 17.1.3 Synchronous SNMPv3 Managers and the simple SNMPv3 agent from Example 16–2.

To Run a Simple Manager with Access Control
  1. If you have not already done so, build and compile the AgentV3 example in examplesDir/current/Snmp/Agent.

    Type the following commands:


    $ mibgen -mo -d . mib_II.txt
    $ javac -classpath classpath -d . *.java
    
  2. Start the AgentV3 example in its Agent directory, this time pointing it to its associated jdmk.uacl file, as well as to its jdmk.security file.

    $ java -classpath classpath -Djdmk.security.file=jdmk.security -Djdmk.uacl.file=jdmk.uacl AgentV3

  3. If you have not already done so, in a separate window, compile the SyncManagerV3 example in examplesDir/current/Snmp/Manager.


    $ javac -classpath classpath -d . *.java
    
  4. Start the SyncManagerV3 SNMP manager in its Manager directory, specifying the agent's host and port.

    This is the manager we configured to communicate with AgentV3 in To Run the SyncManagerV3 Example. As before, we set the host to localhost and the port to 8085.

    $ java -classpath classpath -Djdmk.security.file=jdmk.security SyncManagerV3 localhost 8085


    You should see the following error message:


    SyncManagerV3::main:Send get request to SNMP agent on localhost at port 8085
    Error status = authorizationError
    Error index = -1
    

    The agent refuses the manager's request because the security level configured for this agent in the manager's jdmk.security file does not match the security level required by the agent's jdmk.uacl file.

  5. Press Control-C to stop the manager.

  6. Start the SyncManagerV3 SNMP manager again.

    $ java -classpath classpath -Djdmk.security.file=jdmk.security SyncManagerV3 localhost 8085


    You should now see the manager sending requests to the agent.


    SyncManagerV3::main:Send get request to SNMP agent on localhost at port 8085
    Result: 
    [Object ID : 1.3.6.1.2.1.1.1.0  (Syntax : String)
    Value : SunOS sparc 5.8]
    >> Press Enter if you want to stop this SNMP manager.
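The paragraph on enabling access control above states that when the UserAcl file named by jdmk.uacl.file does not exist at adaptor instantiation, every SNMP request is accepted, so a mistyped path in the step 2 command silently disables access control. The following launcher script is an added example, not part of the tutorial or of the Java DMK distribution: it verifies that the UserAcl file exists, is readable, is non-empty and is not group- or world-writable before it produces the step 2 java command line. The permission rules are this script's own policy, not a Java DMK requirement, and the class name, classpath and file paths are placeholders.

```shell
#!/bin/sh
# Pre-flight check before starting a Java DMK SNMP agent with user-based
# access control. Added example, not part of the tutorial or of Java DMK.
# A missing UserAcl file means the adaptor accepts every request, so the
# launcher refuses to build the start command unless the file passes.
# Placeholders/assumptions: agent class, classpath, file paths, and the
# permission policy enforced here.

# check_uacl_file PATH
# Returns 0 when PATH is an existing, readable, non-empty regular file that
# is not writable by group or others; prints a reason and returns 1 otherwise.
check_uacl_file() {
    uacl="$1"
    if [ -z "$uacl" ]; then
        echo "check_uacl_file: no UserAcl path given" >&2
        return 1
    fi
    if [ ! -f "$uacl" ]; then
        echo "check_uacl_file: '$uacl' does not exist; agent would accept all requests" >&2
        return 1
    fi
    if [ ! -r "$uacl" ]; then
        echo "check_uacl_file: '$uacl' is not readable" >&2
        return 1
    fi
    if [ ! -s "$uacl" ]; then
        echo "check_uacl_file: '$uacl' is empty" >&2
        return 1
    fi
    # Columns 6 and 9 of the ls mode string are the group and other write bits.
    mode=$(ls -ld "$uacl" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?)
            echo "check_uacl_file: '$uacl' is group- or world-writable ($mode)" >&2
            return 1
            ;;
    esac
    return 0
}

# agent_command UACL_FILE SECURITY_FILE CLASSPATH AGENT_CLASS [ARGS...]
# Prints the java command line of step 2 of the procedure, but only after
# the UserAcl file has passed check_uacl_file; otherwise prints nothing and
# returns 1.
agent_command() {
    uacl="$1"; secfile="$2"; cp="$3"; agent="$4"
    shift 4
    check_uacl_file "$uacl" || return 1
    printf 'java -classpath %s -Djdmk.security.file=%s -Djdmk.uacl.file=%s %s' \
        "$cp" "$secfile" "$uacl" "$agent"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Typical use from the Agent directory (placeholder values):
#   cmd=$(agent_command jdmk.uacl jdmk.security "$CLASSPATH" AgentV3) && eval "$cmd"
```

The check is deliberately performed by the launcher rather than inside the agent, because the fail-open behaviour happens at adaptor instantiation, before any application code could observe that no access list was loaded. The same check can be applied to a jdmk.uacl placed in the configuration directory by passing its full path.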