For the SNMP adaptor, the Java Dynamic Management Kit provides access control based on the IP address and community of the manager's host machine. Information on the access rights for communities and host machines is stored in an ACL file.
The ACL file also defines the hosts of the managers to which the agent will send traps. When a trap is sent, the agent sends it to every host listed in the trap definitions of the ACL file.
To enable access control and traps for the SNMP adaptor, ensure that an ACL file exists when any agents are started. The ACL file must be named jdmk.acl and must be located in the configuration directory.
Operating Environment | Configuration Directory
---|---
Solaris | installDir/SUNWjdmk/jdmk4.0/JDKversion/etc/conf/
Windows NT | installDir\SUNWjdmk\jdmk4.0\JDKversion\etc\conf\
Alternatively, you may specify a different file by setting the jdmk.acl.file property when launching your agent. For example, if the full pathname of your ACL file is MyAclFile, use this command to launch the agent with access control enabled:
$ java -classpath classpath -Djdmk.acl.file=MyAclFile MyAgent
If an ACL file exists, the access rights it defines apply to all managers or proxy servers that access the agent through its SNMP adaptor. If the ACL file does not exist when the agents are started, all managers are granted full access to the agent through the SNMP adaptor.
An ACL file contains an acl group defining community and manager access rights and a trap group defining the community and hosts for sending traps.
The acl group contains one or more lists of community configurations.
acl = { list1 list2 ... listN }
Each list has the following format:
{ communities = communityList access = accessRights managers = hostList }
The communityList is a list of SNMP community names to which this access control applies. The community names in this list are separated by commas.
The accessRights item specifies the rights granted to all managers running on the machines listed in the managers item. It has exactly two possible values: read-write or read-only.
The hostList item specifies the host machines of the managers to be granted the access rights. The hostList is a comma-separated list of hosts, each of which can be expressed as any one of the following:
A host name
An IP address
A subnet mask
To distinguish between IP addresses and subnet masks in an ACL file, each integer in a subnet mask is separated by an exclamation mark (!) instead of a dot.
The trap group specifies the hosts to which the agent can send traps. This group contains one or more trap community definitions.
trap = { community1 community2 ... communityN }
Each trap definition associates a set of hosts with the SNMP community string that is placed in the traps sent to them. Each trap definition has the following format:
{ trap-community = trapCommunityString hosts = trapInterestHostList }
The trapCommunityString item specifies the SNMP community string. It will be included in the traps sent to the hosts specified in the hosts item.
The trapInterestHostList item specifies a comma-separated list of hosts. Each host must be identified by its name or complete IP address.
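As an added illustration of the file syntax described above (not code from the JDMK distribution), the following Python parser reads an ACL file in that format, rejects access values other than read-only or read-write, classifies each manager entry as a host name, IP address or subnet mask, and lists which communities and hosts receive read-write access, which is the part of the file a reviewer checks first. The sample ACL text, host names and addresses are constructed; the matching rules for subnet masks are not defined on this page and are not implemented here.

```python
import re
_TOKEN = re.compile(r"\{|\}|=|[^\s{}=]+")  # a brace, '=', or a run of other non-blank characters

def _parse_group(tokens, i):
    """Parse the entries of a group whose '{' precedes tokens[i]; return (entries, next index)."""
    entries = []
    while tokens[i] != "}":
        if tokens[i] != "{":
            raise ValueError("expected '{' to open a list entry")
        i, entry = i + 1, {}
        while tokens[i] != "}":
            key, i = tokens[i], i + 1
            if tokens[i] != "=":
                raise ValueError(f"expected '=' after {key!r}")
            i, values = i + 1, []
            while tokens[i] != "}" and tokens[i + 1] != "=":  # value runs to '}' or the next key
                values.append(tokens[i])
                i += 1
            entry[key] = [v for v in ",".join(values).split(",") if v]  # comma-separated list
        entries.append(entry)
        i += 1
    return entries, i + 1

def parse_acl(text):
    """Return (acl entries, trap entries) as lists of dicts; access values are validated."""
    tokens, i, groups = _TOKEN.findall(text), 0, {}
    while i < len(tokens):
        name = tokens[i]
        if tokens[i + 1] != "=" or tokens[i + 2] != "{":
            raise ValueError(f"expected '{name} = {{' to open a group")
        groups[name], i = _parse_group(tokens, i + 3)
    for e in groups.get("acl", []):
        if e.get("access") not in (["read-only"], ["read-write"]):
            raise ValueError(f"access must be read-only or read-write: {e.get('access')}")
    return groups.get("acl", []), groups.get("trap", [])

def host_kind(host):  # manager entries: host name, dotted IP, or subnet mask written with '!'
    if "!" in host:
        return "subnet"
    return "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else "name"
def read_write_grants(acl):  # every (community, manager, kind) granted read-write access
    return [(c, h, host_kind(h)) for e in acl if e["access"] == ["read-write"]
            for c in e.get("communities", []) for h in e.get("managers", [])]

SAMPLE_ACL = """acl = {
  { communities = public, monitor  access = read-only   managers = nms1.example.net, 192.0.2.10 }
  { communities = admin            access = read-write  managers = 192.0.2.20, 192!0!2!0 }
}
trap = { { trap-community = traps  hosts = nms1.example.net, 192.0.2.10 } }
"""  # constructed sample in jdmk.acl syntax; host names and addresses are made up
```

Running `read_write_grants` over the parsed acl group yields the two admin grants, one of them on a subnet mask, which is the kind of broad write permission worth a second look before the file is deployed.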
The ACL file is the default access control mechanism in the SNMP adaptor. The SnmpAdaptorServer class has constructors that let you specify your own access control mechanism. For example, if your agent runs on a device with no file system, you could implement a mechanism that does not rely on the jdmk.acl file.
Your access mechanism must be a class that implements the IPAcl interface. This interface specifies the methods that the SNMP adaptor uses to check permissions when processing a request. If you instantiate the SNMP adaptor with your access control class, the adaptor will call your implementation of the access control methods.
The JdmkAcl class implements the default access mechanism that uses an ACL file. It is also an implementation of the IPAcl interface. By default, the SNMP adaptor will use this implementation if no other is passed to its constructor.