Solaris System Management Agent Administration Guide

Creating and Managing Users

This section provides procedures that explain how to create users with SNMPv3 security. Several methods are available to create users in the System Management Agent. After you first install the System Management Agent, the default configuration is for new users to be SNMPv1 and SNMPv2c users.


Note –

The agent is not configured to create SNMPv3 users by default. To create SNMPv3 users in the System Management Agent, first you need to edit the main /etc/sma/snmp/snmpd.conf file. For more information, see the snmpd.conf(4) man page.


The first procedure in this section, To Create a New SNMPv3 User, shows you how to create the initial user. Additional users are cloned from this initial user, so that they inherit the initial user's authentication and security types. These types can be changed later. Cloning also sets the new user's secret key data, copied from the source user. You must know the passwords for the initial user and for each later user that you set up. You can clone only one user at a time from the initial user that you set up.

Procedure: To Create a New SNMPv3 User

The net-snmp-config command used in this procedure adds a line to the /etc/sma/snmp/snmpd.conf file, giving the initial user read and write access to the agent.

  1. Stop the System Management Agent.


    # svcadm disable -t svc:/application/management/sma:default
    
  2. To create the new user, use the net-snmp-config command.


    # /usr/sfw/bin/net-snmp-config --create-snmpv3-user -a "my_password" newuser
    

    This command creates a new user named newuser with the password my_password. The new user is created with both MD5 authentication and DES privacy, which are described in Authentication Protocol Algorithms.

    By default, when creating a user using the net-snmp-config command, these settings are created unless otherwise specified:

    auth protocol = MD5

    security level = rwuser auth

  3. Start the System Management Agent.


    # svcadm enable svc:/application/management/sma:default
    
  4. Check whether the new user exists.


    # snmpget -v 3 -u newuser -l authNoPriv -a MD5 -A my_password localhost sysUpTime.0
    

    Note –

    Passwords must contain at least eight characters.


    Giving the new user read and write access is not always useful. If you want to reduce or change the access rights of the new user, edit the /etc/sma/snmp/snmpd.conf file. For more information, see the snmpd.conf(4) man page.

Procedure: To Create a New User Using System Prompts

  1. Stop the System Management Agent.


    # svcadm disable -t svc:/application/management/sma:default
    
  2. To create the new user, named newuser, with a password equal to my_password, use the net-snmp-config command interactively.


    # /usr/sfw/bin/net-snmp-config --create-snmpv3-user
    

    Enter a SNMPv3 user name to create:
  3. Provide the appropriate user name, in this case:


    newuser
    

    Enter authentication pass-phrase:
  4. Type the appropriate pass-phrase, in this case:


    my_password
    

    Enter encryption pass-phrase:
  5. To reuse the authentication pass-phrase, press Return.


    adding the following line to /var/sma_snmp/snmpd.conf:
    createUser newuser MD5 "newuser_pass" DES
    adding the following line to /etc/sma/snmp/snmpd.conf:
    rwuser newuser

    By default, when creating a user using the net-snmp-config command, these settings are created unless otherwise specified:

    auth protocol = MD5

    security level = rwuser auth

  6. Start the System Management Agent.


    # svcadm enable svc:/application/management/sma:default
    
  7. Check whether the new user exists.


    # snmpget -v 3 -u newuser -l authNoPriv -a MD5 -A my_password localhost sysUpTime.0 
    

    Note –

    Passwords must contain at least eight characters.


    Giving the new user read and write access is not always useful. If you want to reduce or change the access rights of the new user, edit the /etc/sma/snmp/snmpd.conf file. For more information, see the snmpd.conf(4) man page.

Procedure: To Create Additional SNMPv3 Users With Security

The preferred method of creating a new user in secure SNMP is to clone the initial user that you originally set up. This procedure copies the user you set up in To Create a New SNMPv3 User. This procedure uses the snmpusm command described in Using USM for Authentication and Message Privacy. For more information, see the snmpusm(1M) man page.

  1. Check whether the System Management Agent is running.


    # svcs svc:/application/management/sma:default
    

    If the agent is not running, start it.


    # svcadm enable svc:/application/management/sma:default
    
  2. Create a new user using the snmpusm command.


    # snmpusm -v 3 -u newuser -a MD5 -A my_password -l authNoPriv localhost create lee newuser
    

    This command creates a user named “lee”. This new user has the same password, my_password, as the source user, named “newuser”, that you created in To Create a New SNMPv3 User.

  3. Change the new user's password.


    # snmpusm -v 3 -u lee -a MD5 -A my_password -l authNoPriv localhost passwd my_password lee_password
    

    This command gives the user lee a new password, lee_password. The default auth type is MD5.

  4. Create associated VACM entries either by directly editing the /etc/sma/snmp/snmpd.conf file or by using the snmpvacm command.

    If you are directly editing the snmpd.conf file you must first temporarily stop the agent.


    # svcadm disable -t svc:/application/management/sma:default
    
  5. Assign access to lee.

    • To give lee read and write access, add a new rwuser line to the snmpd.conf file.


      rwuser lee
      
    • To give lee read-only access, add a new rouser line to the snmpd.conf file.


      rouser lee
      

    If you do not specify a security level, the System Management Agent defaults to authNoPriv. For more information, see the snmpd.conf(4) or snmpvacm(1M) man pages.

  6. Start the System Management Agent.


    # svcadm enable svc:/application/management/sma:default
    
  7. Check whether this procedure has been successful.

    Check whether your new user exists.


    # snmpget -v 3 -u lee -a MD5 -A lee_password -l authNoPriv localhost sysUpTime.0
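
    The following Python script illustrates what the agent actually stores for the users created and cloned in the procedures above. It is an added example, not code from the System Management Agent or the Net-SNMP tools. It implements the RFC 3414 USM password-to-key algorithm and key localization for the MD5 authentication protocol named on the createUser line: the pass-phrase is hashed into a user key (Ku), which is then localized with the agent's snmpEngineID to give the key the agent keeps (Kul). Because snmpusm create copies the source user's key data, the clone lee initially accepts my_password; the snmpusm passwd step replaces that key with one derived from lee_password. The engine ID used in the main block is constructed for illustration; the RFC 3414 "maplesyrup" test vector is used to show the derivation is the standard one.

```python
"""USM password-to-key and key localization (RFC 3414 A.2), MD5 variant.

Added illustration for the SNMPv3 user procedures; not part of the
System Management Agent or Net-SNMP.
"""
import hashlib

# RFC 3414 A.2.1: the pass-phrase is repeated until 1 MiB of data has been hashed.
EXPANDED_LEN = 1024 * 1024


def password_to_key(passphrase: str, algo: str = "md5") -> bytes:
    """Return Ku, the engine-independent key derived from a pass-phrase."""
    if len(passphrase) < 8:
        # Net-SNMP enforces the same eight-character minimum (see the Note above).
        raise ValueError("pass-phrase must contain at least eight characters")
    pw = passphrase.encode("utf-8")
    h = hashlib.new(algo)
    # Feed the repeated pass-phrase in pieces instead of building a 1 MiB string;
    # the byte stream hashed is identical to the RFC's expansion.
    reps, rem = divmod(EXPANDED_LEN, len(pw))
    h.update(pw * reps)   # whole repetitions of the pass-phrase
    h.update(pw[:rem])    # partial repetition that completes the 1 MiB stream
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Return Kul = H(Ku || snmpEngineID || Ku), the key the agent stores per user."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def user_auth_key(passphrase: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Key the agent derives for a createUser line on the engine with this ID."""
    return localize_key(password_to_key(passphrase, algo), engine_id, algo)


def clone_then_passwd(engine_id: bytes, source_passphrase: str, new_passphrase: str):
    """Model the cloning procedure.

    'snmpusm create lee newuser' copies newuser's key data to lee, so both
    users hold the same localized key until 'snmpusm passwd' replaces lee's key
    with one derived from the new pass-phrase.
    Returns (source_key, cloned_key, key_after_passwd).
    """
    source_key = user_auth_key(source_passphrase, engine_id)
    cloned_key = source_key  # identical key data immediately after cloning
    changed_key = user_auth_key(new_passphrase, engine_id)
    return source_key, cloned_key, changed_key


if __name__ == "__main__":
    # Constructed engine ID for illustration only; a real agent reports its own.
    engine_id = b"\x80\x00\x00\x00\x01" + b"constructed-engine"
    src, cloned, changed = clone_then_passwd(engine_id, "my_password", "lee_password")
    print("newuser Kul      :", src.hex())
    print("lee after create :", cloned.hex(), "(same as newuser)")
    print("lee after passwd :", changed.hex())
```

The localized key depends on the engine ID, so the same pass-phrase yields a different stored key on every agent; this is also why a key copied during cloning is only valid on the engine it was created on.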
     
    

Managing SNMPv1 and SNMPv2c Users With SNMPv3 Security

For SNMPv1 and SNMPv2c users, a community string is used for security. The standard Net-SNMP token, com2sec, is provided with the SMA. The com2sec token enables you to map a host name and community string pair, for SNMPv1 or SNMPv2c, to a security name. In this case, the security level is noAuthNoPriv. For information on the noAuthNoPriv security level and on other security levels, see Where USM Security Information Is Contained.

Proxy Statements and Security

In the System Management Agent, proxying is supported for SNMPv1 and SNMPv2c users only. For more information, see Proxy Handling for Solstice Enterprise Agents Requests.

Creating and Managing Groups

Creating a large number of groups in SNMP causes management and administration of these groups to become very complex. If you create a large number of groups, troubleshooting these groups becomes very difficult.


Note –

When groups or views are created by editing the snmpd.conf file, the storage type is permanent. If you edit the snmpd.conf file instead of using the snmpvacm command, entries for groups are permanent. You can delete the entries only by removing them from the snmpd.conf file.


Follow the examples provided in Using VACM for Access Control for creating and managing groups.