Name | Synopsis | Description | Examples | Exit Status | Attributes | See Also
/usr/sfw/bin/snmpvacm [common options] [subcommand options] AGENT subcommand subcommand-args
snmpvacm is a SNMP application that can be used to do maintenance on an SNMP agent's View-based Access Control Module (VACM) table. The VACM table defines a set of services that can be used for checking access rights, that is, checking whether a specific type of access to a specific managed object is allowed. snmpvacm supports three types of entries--group, view, and access. The agent maintains these entries in memory and stores VACM groups, views, and access entries in the persistent configuration file upon agent shutdown.
This section describes the snmpvacm subcommands.
Creates SNMPv3 security to group name entries. A group name is used to define an access control policy for a group of principals.
Creates SNMPv3 security to group name entries. A group name is used to define an access control policy for a group of principals.
snmpvacm [common options] createSec2Group MODEL SECURITYNAME GROUPNAME |
An integer greater then zero representing a SNMPv3 security model, such as USM. The reserved values are as follows:
reserved for SNMPv1
reserved for SNMPv2c
User-Based Security Model (USM)
A string representing a security name for the principal, represented in a security-model-independent format, which is mapped from this entry to a GROUPNAME.
A string that identifies the group to which this table entry (the combination of securityModel and securityName) belongs.
Deletes SNMPv3 security to group name entries. The group entry to be deleted is indexed by the specified MODEL and SECURITYNAME.
snmpvacm [common options] deleteSec2Group MODEL SECURITYNAME |
An integer greater then zero representing a SNMPv3 security model, such as USM. The reserved values are as follows:
reserved for SNMPv1
reserved for SNMPv2c
User-Based Security Model (USM)
A string representing a security name for the principal, represented in a security-model-independent format, which is mapped from this entry to a GROUPNAME.
Creates a MIB view. A MIB view is a family of view subtrees, which are pairings of OID subtree values with bit string mask values.
Each MIB view is defined by two sets of view subtrees, included in or excluded from the MIB view.
snmpvacm [common options] [-Ce] createView NAME SUBTREE MASK |
An optional flag used when the MIB view type needs to be "excluded" from the MIB view. If not used, the type is defaulted to "included".
The OID subtree which when combined with the corresponding instance of MASK defines a family of view subtrees.
The OID subtree which when combined with the corresponding instance of MASK defines a family of view subtrees.
The bit mask, a hex string, which, in combination with the corresponding instance SUBTREE, defines a family of view subtrees.
The mask indicates which sub-identifiers of the associated subtree OID are significant to a particular MIB view instance.
Deletes a MIB view. A MIB view is a family of view subtrees. A view subtree is a pairing of an OID subtree value with a bit string mask value.
snmpvacm [common options] deleteView NAME SUBTREE |
A string representing a MIB view name that is associated to a subtree/mask pairing.
The OID subtree which, when combined with the corresponding instance of MASK, defines a family of view subtrees.
Creates SNMPv3 access configuration entries. These entries are used to store the access rights defined for the groups. Each entry is indexed by a group name, a context prefix, a security model, and a security level. A group and view needs to be defined in order to make use of the access check.
snmpvacm [common options] createAccess GROUPNAME [CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL CONTEXTMATCH READVIEWNAME WRITEVIEWNAME NOTIFYVIEWNAME |
The name of the group to which this access right applies.
A string representing a contextName must match the value of the instance of this object exactly when CONTEXTMATCH is set to “exact” or partially when CONTEXTMATCH is set to “prefix”.
If not specified, the value reverts to the default, an empty string, "".
An integer representing the securityModel that must be used in order to gain access to this access right.
An integer representing the minimum security level that must be used to gain access to this access right. A security level of noAuthNoPriv is less than authNoPriv and authNoPriv is less than authPriv.
Integer values supported:
noAuthNoPriv
authNoPriv
authPriv
An integer whose value determines the type of match required. When set to "exact", the context name must exactly match the value in CONTEXTPREFIX. If set to "prefix", the context name must match the first few starting characters of the value in CONTEXTPREFIX.
Integer values supported:
exact
prefix
The authorized MIB view name used for read access. If the value is an empty string, then there is no active view configured for read access.
The authorized MIB view name used for write access. If the value is an empty string, then there is no active view configured for write access.
The authorized MIB view name used for notify access. If the value is an empty string, then there is no active view configured for notify access.
Deletes SNMPv3 access configuration entries, given a group name, context prefix, security model, and security level.
snmpvacm [common options] deleteAccess GROUPNAME [CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL |
The name of the group to which this access right applies.
A string representing a contextName must match the value of the instance of this object exactly when CONTEXTMATCH is set to "exact" or partially when CONTEXTMATCH is set to "prefix".
An integer representing the securityModel that must be used to gain access to this access right.
An integer representing the minimum security level that must be used to gain access to this access right. A security level of noAuthNoPriv is less than authNoPriv and authNoPriv is less than authPriv.
The following integer values are supported:
noAuthNoPriv
authNoPriv
authPriv
For the following examples, the user is my_user and the password is my_password. Use net-snmp-config to create the first user (my_user). Then clone my_user to configure another SNMPv3 user, my_user_2. See snmpusm(1M).
Create a VACM group entry, as follows:
snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost createSec2Group 3 my_user_2 my_group |
Run snmpwalk(1M) to verify the group name was created:
snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost SNMP-VIEW-BASED-ACM-MIB::vacmGroupName |
In addition to other configured VACM group entries, you will note an entry such as the following:
SNMP-VIEW-BASED-ACM-MIB::vacmGroupName.3."my_user_2" = STRING: my_group |
The command below creates a MIB view entry applicable only to the system group MIB.
snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost createView my_view .1.3.6.1.2.1.1 FF |
Run snmpwalk(1M) to verify the my_view MIB view was created:
snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyTable |
In snmpwalk output, observe the lines, such as those below, related to the my_view MIB view.
SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyMask."my_view".2.1.3.6.1.2.1.1\ = Hex-STRING: FF SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyType."my_view".2.1.3.6.1.2.1.1\ = INTEGER: included(1) SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStorageType.\ "my_view".2.1.3.6.1.2.1.1 = INTEGER: nonVolatile(3) SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStatus.\ "my_view".2.1.3.6.1.2.1.1 = INTEGER: active(1) |
The command below creates an access entry using the following components:
the "my_group" entry created above
an empty prefix string ("")
the USM security model (3)
the security level (3)
the context match (1)
the read view name ("my_view")
the write view name ("")
the notify view name ("")
snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost createAccess my_group "" 3 3 1 my_view "" "" |
Run snmpwalk(1M) to verify the access entry was created:
snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable SNMP-VIEW-BASED-ACM-MIB::vacmAccessContextMatch."my_group"."".3.authPriv\ = INTEGER: exact(1) SNMP-VIEW-BASED-ACM-MIB::vacmAccessReadViewName."my_group"."".3.authPriv\ = STRING: my_view SNMP-VIEW-BASED-ACM-MIB::vacmAccessWriteViewName."my_group"."".3.authPriv\ = STRING: SNMP-VIEW-BASED-ACM-MIB::vacmAccessNotifyViewName."my_group"."".3.authPriv\ = STRING: SNMP-VIEW-BASED-ACM-MIB::vacmAccessStorageType."my_group"."".3.authPriv\ = INTEGER: nonVolatile(3) SNMP-VIEW-BASED-ACM-MIB::vacmAccessStatus."my_group"."".3.authPriv\ = INTEGER: active(1) |
Test the preceding setup by verifying the access setup. You do this by accessing an object in the system group and another object outside this range. Note the use of the user name my_user_2.
snmpget -mALL -v 3 -u my_user_2 -l authPriv -a MD5 -A my_password -x DES -X my_password localhost sysObjectID.0 |
At this point, when you to access an object outside the access range, the attempt fails with an appropriate error:
snmpgetnext -mALL -v 3 -u my_user_2 -l authPriv -a MD5 -A my_password -x DES -X my_password localhost ifTable RFC1213-MIB::ifTable = No more variables left in this MIB View (It is past the end of the MIB tree) |
Successful completion.
A usage syntax error. A usage message displays. Also used for time out errors.
An error occurred while executing the command. An error message displays.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE |
ATTRIBUTE VALUE |
---|---|
Availability |
SUNWsmcmd |
Interface Stability |
Stable |
snmpusm(1M), snmpwalk(1M), snmpd.conf(4), attributes(5)
RFC 3415
Name | Synopsis | Description | Examples | Exit Status | Attributes | See Also