NAME
agt.pty - party configuration for SNMPv2 agents
SYNOPSIS
PartyName PartyDiscriminator
TDomain TAddress Port Lifetime MaxMsgSize partyIndex partyStorageType partyLocal partyAuthClock
AuthPublicSecret | -
AuthPrivateSecret | -
PrivPublicSecret | -
PrivPrivateSecret | -
DESCRIPTION
The configuration file agt.pty is one of several configuration files required by the SNMPv2 entities. The default location of agt.pty is /etc/opt/snm/agent for Solaris 2.x and /etc/snm/agent for Solaris 1.x; the directory can be overridden with the environment variable SR_AGT_CONF_DIR.
agt.pty is similar to the mgr.pty(5) file used by managers; it defines the party table entries for the parties associated with the agent.
Each entry in the file consists of 7 lines:
PartyName PartyDiscriminator
TDomain TAddress Port Lifetime MaxMsgSize partyIndex partyStorageType partyLocal partyAuthClock
AuthPublicSecret | -
AuthPrivateSecret | -
PrivPublicSecret | -
PrivPrivateSecret | -
where
PartyName
is a unique name for the party. This field is required and must map to an OID in the MIB.
PartyDiscriminator
defines the authentication protocol to be used by this party:
1 or 2 defines this party as noauth/nopriv
3 or 4 defines this party as auth/nopriv
5 or 6 defines this party as auth/priv
This field is an integer and must be present for SNMPv2 parties. If the corresponding TDomain is rfc1157Domain, this field is ignored. However, a value must still be present, and an entry of 1 would be reasonable.
TDomain
defines the transport domain for the party. There are two valid entries for the TDomain:
rfc1157Domain - indicates this is a SNMPv1 community entry in the party table.
snmpUDPDomain - indicates this is a SNMPv2 party entry.
Note: A party can be rfc1157Domain only if the agent is a bilingual agent, i.e., one that understands both SNMPv1 and SNMPv2. This file is not consulted when the agent is compiled to be SNMPv1 only.
TAddress
depends on TDomain and partyLocal for its definition:
When TDomain is rfc1157Domain, this field, in conjunction with the Port field, defines the trap address.
When TDomain is snmpUDPDomain and partyLocal is false, this field, in conjunction with the Port field, defines either the trap address or the proxy address.
When TDomain is snmpUDPDomain and partyLocal is true, this field and the Port field are ignored.
This field must be present and is an IP address in dotted decimal form, e.g., 12.169.4.9.
Port
depends on TDomain and partyLocal for its definition:
When TDomain is rfc1157Domain, this field, in conjunction with the TAddress field, defines the trap address.
When TDomain is snmpUDPDomain and partyLocal is false, this field, in conjunction with the TAddress field, defines either the trap address or the proxy address.
When TDomain is snmpUDPDomain and partyLocal is true, this field and the TAddress field are ignored.
This field must be present and is an integer.
partyIndex
used by the ACL table to match a party entry with its access privileges.
Note: This must be a unique value for each party table entry.
This field is an integer in the range of 1 to 65535, inclusive.
partyStorageType
indicates the storage type for this row in the party table. Possible values are:
other
volatile
nonVolatile
permanent
According to RFC1447,
· volatile is lost upon reboot, e.g., in RAM,
· nonVolatile is backed up by stable storage, e.g., in NVRAM,
· permanent cannot be changed or deleted, e.g., in ROM,
and "other" is provided in the unlikely event that someone will find a need for a storage type not covered by the other three.
This field is a case-sensitive string corresponding to one of the above values.
partyLocal
When TDomain is rfc1157Domain, this field is ignored. When TDomain is snmpUDPDomain, it indicates whether this party represents the "local" end of a transmission. This field has two possible values:
true: it is "local,"
or
false: it is not "local."
Note: When the party is "not local" and the TDomain is snmpUDPDomain (i.e., SNMPv2), the TAddress and Port may be used either by a proxy agent to determine which address/port pair should receive proxy requests, or to indicate which address/port pair should receive traps. This field is required (whether representing a SNMPv1 or SNMPv2 party) and is a case-sensitive string corresponding to one of the above values.
Note: When the TDomain indicates a SNMPv2 party, the term "local" does not mean local in the sense of location or address, but rather in the sense of origin. This means that on outgoing packets the source party must be a "local" party, one representing the local entity as the source of the packet; on incoming packets the source party must be a "remote" party, one representing a valid source party for sending packets to the local entity. In this sense, local means representing the local entity. "Non-local" or "remote" parties are ones that are logically remote to the entity, i.e., the source party of an incoming packet (the party that sent the packet) and the destination party of an outgoing packet (the party that will receive the packet at the other end of the transmission).
In other words, packets are received from and sent to "non-local" (or remote) parties, and packets are sent from and received by local parties.
Note: Entries that are "shared" with another entity will have opposite partyLocal fields. For instance, an entry for a local party (partyLocal = true) in the agent's party file would be configured as non-local (partyLocal = false) in the manager's party file.
partyAuthClock
defines the current notion of time for the entity. When TDomain is rfc1157Domain, this field is unused. On startup a pre-defined adjustment, TIME_WARP in secure.h, is added to this value, unless the resulting value would exceed the maximum possible time. This is done to help prevent replay attacks across reboots. This field must be present and is an integer in the range 0 to 4294967295, inclusive. A perfectly valid initial value is 0; the security software should adjust and "synch" clocks once everything is up and running.
AuthPublicSecret
is unused by the agent at this time. It will represent the "secret" as a series of hexadecimal numbers, each two-digit number being the ASCII value of the corresponding character in the string. A value of - represents the null string. The string can range from 0 to 16 bytes.
Note: This field should be null ( - ) for now.
AuthPrivateSecret
represents the "secrets" string for the authentication protocol. The secret is stored as a series of hexadecimal numbers; each two-digit number is the ASCII value of the corresponding character in the string. A value of - represents the null string. The string can range from 0 to 16 bytes, depending on the TDomain:
If the party is an auth/nopriv or auth/priv party, this field must have a length of 16 bytes (i.e., 16 hexadecimal numbers in the configuration file). Both digits of each number must be represented; in other words, 1 would be entered as 01.
If the corresponding TDomain field is rfc1157Domain, this field contains a community string name as an encoded string of characters and can be any length. For example, for the community name "public" the entry would be "70 75 62 6c 69 63". The command
echo string | od -x
is very useful for acquiring the correct encoding. It would be practical to mirror entries in the snmpv2d.conf(5) file, but not necessary.
Note: Valid only when the PartyDiscriminator indicates authentication (i.e., PartyDiscriminator > 2) or the TDomain indicates a SNMPv1 community.
PrivPublicSecret
is unused by the entity at this time. It will store the "secret" as a series of hexadecimal numbers, each two-digit number being the ASCII value of the corresponding character in the string. A value of - represents the null string. The string can range from 0 to 16 bytes.
Note: This field should be null ( - ) for now.
PrivPrivateSecret
represents the "secrets" string for the priv privacy protocol. The secret is stored as a series of hexadecimal numbers; each two-digit number is the ASCII value of the corresponding character in the string. A value of - represents the null string.
If the party is an auth/priv party, this field must have a length of 16 bytes (i.e., 16 hexadecimal numbers in the configuration file). Both digits of each number must be represented; in other words, 1 would be entered as 01.
Note: Valid only when the PartyDiscriminator indicates privacy (i.e., PartyDiscriminator > 4).
EXAMPLES
The party table entry:
initialPartyId.192.147.142.16.2 3
snmpUDPDomain 192.147.142.16 162 300 1458 2 nonVolatile false 0
-
74 68 69 73 74 68 69 73 74 68 69 73 74 68 69 34
-
-
defines a party as follows:
The party name is initialPartyId.192.147.142.16.2, and this is an auth/nopriv party.
The TDomain is snmpUDPDomain, indicating this is a SNMPv2 party.
Since partyLocal is false and it is a SNMPv2 party, the TAddress and Port fields indicate either a proxy address or where traps should be sent.
The Lifetime of the message is set to 300 indicating that the message will be valid as long as it is received by the target at a time greater than the target's idea of "now" minus 300 seconds.
The message can be no longer than 1458 bytes.
The unique party index is 2.
Store this party in non-volatile storage (e. g., NVRAM).
This party is not local to the SNMPv2 entity, so it is a valid outgoing destination or a valid incoming source.
The initial clock will be 0 plus TIME_WARP.
The AuthPublicSecret is unused, so there is a null string for its value.
The AuthPrivateSecret is initialized to 74 68 69 73 74 68 69 73 74 68 69 73 74 68 69 34, which decodes to thisthisthisthi4.
The PrivPublicSecret is unused, so there is a null string for its value.
Since the PartyDiscriminator indicates nopriv, the PrivPrivateSecret is unused, and there is a null string for its value.
Example of a Community Entry
The party table entry:
# public
initialPartyId.192.147.142.16.31 1
rfc1157Domain 192.147.142.16 162 300 1458 31 nonVolatile true 0
-
70 75 62 6c 69 63
-
-
defines a party as follows:
The party name is initialPartyId.192.147.142.16.31. The PartyDiscriminator is ignored since this is a community, but a value must be present in the field; a reasonable entry would be 1 (noauth/nopriv in the SNMPv2 world). This is essentially noauth/nopriv since it is a SNMPv1 community, but the actual value of the partyAuthProtocol will be rfc1157noAuth and partyPrivProtocol will be noPriv.
The TDomain indicates this is a SNMPv1 community entry in the party table.
The partyLocal field is unused since this is a community, but a value must be present.
The TAddress and Port fields indicate that traps should be sent to port 162 at IP address 192.147.142.16.
The Lifetime field is unused since this is a community, but a value must be present.
The message can be no longer than 1458 bytes.
The unique party index is 31.
Store this party in non-volatile storage, e. g., NVRAM.
The partyLocal and partyAuthClock fields are unused since this is a community, but values must be present.
The AuthPublicSecret, PrivPublicSecret, and PrivPrivateSecret fields are also unused since this is a community, but the null strings can be used to fill their spots.
The AuthPrivateSecret contains the community name: 70 75 62 6c 69 63, which decodes to public. This entry may be mirrored in the snmpv2d.conf(5) file.
The command od(1) is helpful when encoding the community name.
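The following checker is an added example and is not code from the SNMPv2 agent or from this manual page. It parses entries in the layout the EXAMPLES section shows (two header lines followed by the four secret lines, with - for a null secret), decodes the hex-encoded secrets, and applies the constraints stated above for each field: the PartyDiscriminator range, the two TDomain values, a dotted-decimal TAddress, a unique partyIndex in 1..65535, a case-sensitive partyStorageType, a partyAuthClock within 0..4294967295, the 16-byte secret length for auth and auth/priv parties, and the rule that the public secrets stay null. The two sample entries are the ones from EXAMPLES, embedded as constructed input. Its encode_secret function is a byte-wise replacement for the `echo string | od -x` tip: od -x prints 16-bit words in host byte order, and echo appends a newline byte that does not belong in the secret.

```python
"""Checker for agt.pty party entries: added example, not SNMPv2 agent code.
Assumes the layout the EXAMPLES section shows (two header lines, then the
four secret lines, '-' for a null secret) and applies the man page's field
constraints.  Sample input below: the two entries from EXAMPLES."""

HEADER = ("tdomain", "taddress", "port", "lifetime", "maxmsgsize",
          "index", "storage", "local", "authclock")
SECRETS = ("AuthPublicSecret", "AuthPrivateSecret", "PrivPublicSecret", "PrivPrivateSecret")
STORAGE_TYPES = {"other", "volatile", "nonVolatile", "permanent"}  # case-sensitive
LEVELS = {1: "noauth/nopriv", 2: "noauth/nopriv", 3: "auth/nopriv",
          4: "auth/nopriv", 5: "auth/priv", 6: "auth/priv"}


def decode_secret(field):
    """'-' is the null string; otherwise space-separated two-digit hex bytes."""
    if field.strip() == "-":
        return b""
    out = bytearray()
    for tok in field.split():
        if len(tok) != 2:
            raise ValueError(f"byte {tok!r} needs both hex digits (write 1 as 01)")
        out.append(int(tok, 16))
    return bytes(out)


def encode_secret(text):
    """Inverse of decode_secret: byte-wise hex, no trailing newline, '-' for empty."""
    return " ".join(f"{b:02x}" for b in text.encode("ascii")) or "-"


def parse_entries(text):
    """Split the file into party dicts; '#' comment lines and blank lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    if len(lines) % 6:
        raise ValueError("file is not a whole number of six-line entries")
    parties = []
    for i in range(0, len(lines), 6):
        name, disc = lines[i].split()
        hdr = lines[i + 1].split()
        if len(hdr) != len(HEADER):
            raise ValueError(f"{name}: line 2 has {len(hdr)} fields, expected {len(HEADER)}")
        p = {"name": name, "disc": int(disc), **dict(zip(HEADER, hdr))}
        for k in ("port", "lifetime", "maxmsgsize", "index", "authclock"):
            p[k] = int(p[k])
        p["secrets"] = dict(zip(SECRETS, map(decode_secret, lines[i + 2:i + 6])))
        parties.append(p)
    return parties


def check_party(p):
    """Return the constraint violations for one entry (empty list means OK)."""
    s, v2 = p["secrets"], p["tdomain"] == "snmpUDPDomain"
    auth, priv = v2 and p["disc"] > 2, v2 and p["disc"] > 4
    addr = p["taddress"].split(".")
    rules = [
        (p["tdomain"] in ("rfc1157Domain", "snmpUDPDomain"), "unknown TDomain"),
        (not v2 or p["disc"] in LEVELS, "PartyDiscriminator must be 1..6 for a SNMPv2 party"),
        (len(addr) == 4 and all(x.isdigit() and int(x) < 256 for x in addr),
         "TAddress must be a dotted-decimal IP address"),
        (1 <= p["index"] <= 65535, "partyIndex must be 1..65535"),
        (p["storage"] in STORAGE_TYPES, "partyStorageType must be one of " + ", ".join(sorted(STORAGE_TYPES))),
        (p["local"] in ("true", "false"), "partyLocal must be true or false"),
        (0 <= p["authclock"] <= 4294967295, "partyAuthClock must be 0..4294967295"),
        (not (s["AuthPublicSecret"] or s["PrivPublicSecret"]), "public secrets should be null (-) for now"),
        (v2 or s["AuthPrivateSecret"], "community entry needs the community name in AuthPrivateSecret"),
        (not auth or len(s["AuthPrivateSecret"]) == 16, "auth party needs a 16-byte AuthPrivateSecret"),
        (not priv or len(s["PrivPrivateSecret"]) == 16, "auth/priv party needs a 16-byte PrivPrivateSecret"),
        (priv or not s["PrivPrivateSecret"], "PrivPrivateSecret is valid only when PartyDiscriminator > 4"),
    ]
    return [msg for ok, msg in rules if not ok]


def check_file(text):
    """Map party name -> violations; partyIndex must be unique across entries."""
    report, owner = {}, {}
    for p in parse_entries(text):
        report[p["name"]] = check_party(p)
        if owner.setdefault(p["index"], p["name"]) != p["name"]:
            report[p["name"]].append(f"partyIndex {p['index']} already used by {owner[p['index']]}")
    return report


# Constructed sample input: the two entries from the EXAMPLES section.
SAMPLE = """\
initialPartyId.192.147.142.16.2 3
snmpUDPDomain 192.147.142.16 162 300 1458 2 nonVolatile false 0
-
74 68 69 73 74 68 69 73 74 68 69 73 74 68 69 34
-
-
# public
initialPartyId.192.147.142.16.31 1
rfc1157Domain 192.147.142.16 162 300 1458 31 nonVolatile true 0
-
70 75 62 6c 69 63
-
-
"""

if __name__ == "__main__":
    print(check_file(SAMPLE))
```

Running the module prints an empty violation list for both sample entries. Pointing check_file at a real agt.pty catches the mistakes the page warns about before the agent reads the file: a lowercase storage type, a single-digit hex byte, an auth party whose secret is not exactly 16 bytes, or two parties sharing a partyIndex (which would make the acl.pty lookup ambiguous).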
FILES
Additional SNMPv2 Configuration Files
When the entity is compiled with either SNMPv2 or both SNMPv1 and SNMPv2 defined (bilingual), the configuration files acl.pty, context.pty, snmpv2d.conf, and view.pty are required.
acl.pty
Access control privileges for the SNMPv2 parties.
context.pty
Context information for the SNMPv2 parties.
snmpv2d.conf
System initialization and SNMPv1 community/trap community configuration.
view.pty
MIB view information for the SNMPv2 parties.
For Solaris 2.x, the files are located under:
/etc/opt/snm/agent/acl.pty
/etc/opt/snm/agent/agt.pty
/etc/opt/snm/agent/context.pty
/etc/opt/snm/agent/view.pty
For Solaris 1.x, the files are located under:
/etc/snm/agent/acl.pty
/etc/snm/agent/agt.pty
/etc/snm/agent/context.pty
/etc/snm/agent/view.pty
SEE ALSO
v2install(1), acl.pty(5), context.pty(5), mgr.cnf(5), mgr.pty(5), snmpv2d.conf(5), view.pty(5), SNMP RFCs (RFC1155 RFC1157 RFC1212 RFC1213 RFC1215, RFCs 1441-1452)