To set up limited security for SNMP, you can create a community string in the /etc/sma/snmp/snmpd.conf file. You can also specify the host or subnet from which this community can be accessed. The syntax of the command to add a community string is as follows:
rocommunity community [source] [OID]
This command creates read-only communities that can be used to access the agent. The source and OID are optional. The source can be a hostname, a subnet, or the word default. A subnet can be specified as IP/mask or IP/bits. The first source/community combination that matches the incoming packet is selected. The OID restricts access for that community to everything below the specified OID. For additional information, see the man page for snmpd.conf.
The following example does not specify a source or OID:
# access granted using community string mfwk
rocommunity mfwk
proxy -v1 -c public gf-ip-address:gf-port 220.127.116.11.18.104.22.168.9922.214.171.124
Substitute the IP address for the machine on which the Enterprise Server is running for gf-ip-address. Substitute the port for the Enterprise Server for gf-port.
Users must indicate a community string when connecting to the SNMP master agent. Requests not specifying the correct community string are rejected. The following snmpwalk command specifies the correct community string:
snmpwalk -c mfwk -v 1 localhost J2EE-MIB::j2eeSrvMoName
J2EE-MIB::j2eeSrvMoName.1.1 = STRING: "name=server"
The following example specifies a subnet for source:
# access granted using community string mfwk on the subnet 10.10.10.0/24
rocommunity mfwk 10.10.10.0/24
proxy -v1 -c public gf-ip-address:gf-port 126.96.36.199.188.8.131.52.99184.108.40.206
As with the first example, users must indicate a community string when connecting to the SNMP master agent. However, if they are not on the specified subnet, their requests are rejected even with the correct community string.
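The source rules described above (the word default, IP/bits, IP/mask, first matching source/community pair wins, optional OID restriction) can be checked offline before the daemon is restarted. The following Python script is an added example, not part of the original documentation or of the SNMP agent; its function names and the sample configuration (addresses and OID) are constructed for illustration, and hostname sources are not resolved.

```python
import ipaddress

# Constructed sample in the page's rocommunity format (addresses and OID are made up).
SAMPLE_CONF = """\
# access granted using community string mfwk
rocommunity mfwk 10.10.10.0/24
rocommunity mfwk 192.168.5.0/255.255.255.0 .1.3.6.1.2.1.1
rocommunity public
"""

def parse_rocommunities(text):
    """Return (community, source, oid) tuples in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] == "rocommunity":
            source = fields[2] if len(fields) > 2 else "default"
            oid = fields[3] if len(fields) > 3 else None
            entries.append((fields[1], source, oid))
    return entries

def source_matches(source, client_ip):
    """True if client_ip falls under source (default, IP, IP/bits or IP/mask)."""
    if source == "default":
        return True
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False  # hostname source: not resolved in this offline check
    return ipaddress.ip_address(client_ip) in net

def check_request(entries, community, client_ip):
    """First matching source/community pair wins; returns (allowed, oid_restriction)."""
    for comm, source, oid in entries:
        if comm == community and source_matches(source, client_ip):
            return True, oid
    return False, None

def unrestricted(entries):
    """Communities readable from any address: candidates for a source restriction."""
    return sorted({c for c, s, _ in entries if s == "default"})

if __name__ == "__main__":
    entries = parse_rocommunities(SAMPLE_CONF)
    for ip in ("10.10.10.7", "192.168.5.9", "172.16.0.1"):
        print(ip, check_request(entries, "mfwk", ip))
    print("no source restriction:", unrestricted(entries))
```
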
After you have modified the snmpd.conf file, restart the snmpd daemon using the following command:
You can also verify the status:
Communities are a quick wrapper around the more complex and powerful com2sec, group, access, and view directive lines. Communities are not as efficient as these directives, because groups are not created, so the tables are potentially larger. The community directives are therefore not recommended for complex environments. If your environment is relatively simple or you can sustain a small negative performance impact, use the community directives.