SNMP security configuration depends on the version of SNMP you are using. This topic discusses security configuration for SNMP v1 and v2c, and for SNMP v3.
Under SNMP v1 and SNMP v2c, agents act as information servers, and the IP-based access control protects this information from unauthorized access. By default, the MIB 2605 is accessible in v1 and v2c by using the community string OpenDS@OpenDS. All managers are allowed to read the monitoring information exposed by the MIB 2605.
Note - Only read access is authorized on the MIB 2605.
You can configure SNMP v1 and SNMP v2c by setting the SNMP connection handler properties with the dsconfig command. Properties related to the SNMP v1 and SNMP v2c security configuration include:
allowed-manager
community
SNMP v1 traps are sent on server startup and server shutdown. By default, these traps are sent to localhost and use the trap community string "OpenDS".
Note - The default trap port might have to be changed to a value that is allowed by the system.
SNMP traps are also configured by setting the SNMP connection properties with the dsconfig command. Properties related to SNMP traps include:
trap-port
traps-community
traps-destination
The ACL file that corresponds to the default values of the SNMP connection handler would be represented as follows:
acl = {
    {
        communities = OpenDS
        access = read-only
        managers = all
    }
}
trap = {
    {
        traps-community = OpenDS
        hosts = localhost
    }
}
The SNMP v3 protocol provides more sophisticated security mechanisms than SNMP v1 and SNMP v2c. SNMP v3 implements a user-based security model (USM) that authenticates and encrypts the requests sent between agents and their managers, and provides user-based access control. A defaultUser template is provided for adding authorized users in the agent engine using the SNMP cloning mechanism.
Under SNMP v3, the community string described in the previous section is used as the "context" in which the MIB 2605 is registered. By default, the MIB 2605 is accessible in v3 by using the context "OpenDS". All users have access to it.
The SNMP v3 UACL is configured by setting the SNMP connection handler properties with the dsconfig command-line utility. The properties related to SNMP v3 UACL configuration include:
community
allowed-user
security-level
The UACL file corresponding to the default values of the SNMP connection handler would be represented as follows:
uacl = {
    {
        context-names = OpenDS
        access = read-only
        security-level = authNoPriv
        users = *
    }
}
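As an added check that is not part of the OpenDS documentation or product tooling, the following Python parses the ACL and UACL representations shown for the v1/v2c and v3 defaults and reports the settings a reviewer would want changed: the default community strings, managers = all, users = *, and a security level below authPriv (which leaves requests unencrypted). The hardened values (EXAMPLE-ro, EXAMPLE-trap, 192.0.2.10, snmpmon) are constructed placeholders.

```python
import re

# Constructed samples: the default ACL/UACL blocks quoted in the OpenDS docs,
# and a hardened pair with placeholder community strings and manager address.
DEFAULT_ACL = ("acl = { { communities = OpenDS access = read-only managers = all } } "
               "trap = { { traps-community = OpenDS hosts = localhost } }")
DEFAULT_UACL = "uacl = { { context-names = OpenDS access = read-only security-level = authNoPriv users = * } }"
HARDENED_ACL = ("acl = { { communities = EXAMPLE-ro access = read-only managers = 192.0.2.10 } } "
                "trap = { { traps-community = EXAMPLE-trap hosts = 192.0.2.10 } }")
HARDENED_UACL = "uacl = { { context-names = EXAMPLE-ro access = read-only security-level = authPriv users = snmpmon } }"

SECTION = re.compile(r"([\w-]+)\s*=\s*\{((?:\s*\{[^{}]*\})+)\s*\}")  # name = { {...} {...} }
ENTRY = re.compile(r"\{([^{}]*)\}")                                  # one inner { k = v ... } group
PAIR = re.compile(r"([\w-]+)\s*=\s*(\S+)")                           # k = v inside a group

def parse_blocks(text):
    """Parse 'name = { { k = v ... } ... }' blocks into {name: [ {k: v, ...}, ... ]}."""
    blocks = {}
    for name, body in SECTION.findall(text):
        blocks[name] = [dict(PAIR.findall(inner)) for inner in ENTRY.findall(body)]
    return blocks

def audit(acl_text, uacl_text):
    """Return a list of findings describing default or weak SNMP access settings."""
    findings = []
    acl = parse_blocks(acl_text)
    for e in acl.get("acl", []):
        if e.get("communities") == "OpenDS":
            findings.append("acl: default community string 'OpenDS' is still in use")
        if e.get("managers") == "all":
            findings.append("acl: any manager may read MIB 2605; set allowed-manager")
    for e in acl.get("trap", []):
        if e.get("traps-community") == "OpenDS":
            findings.append("trap: default traps-community 'OpenDS' is still in use")
    for e in parse_blocks(uacl_text).get("uacl", []):
        if e.get("users") == "*":
            findings.append("uacl: every USM user may read MIB 2605; set allowed-user")
        if e.get("security-level") != "authPriv":
            findings.append("uacl: security-level %s does not encrypt requests" % e.get("security-level"))
    return findings

if __name__ == "__main__":
    for label, a, u in (("default", DEFAULT_ACL, DEFAULT_UACL), ("hardened", HARDENED_ACL, HARDENED_UACL)):
        print(label, audit(a, u) or ["no findings"])
```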
The USM MIB (that is, the MIB that defines allowed users) is registered in the null context and only a snmpAdmin user with a security level authNoPriv has read-write access to it. This snmpAdmin user can add additional users who can access the MIB 2605 information.
The SNMP v3 USM configuration is read from a template file that is located at install-dir/config/snmp/security/opends-snmp.security. The template file is not encrypted.
To access the MIB 2605 in the directory server agent, use the SNMP clone mechanism to add a user in the security file. Use snmpAdmin to send the SNMP request for the clone mechanism as shown here. The user to clone is defaultUser. The snmpAdmin and defaultUser users cannot access the MIB 2605 information.
Admin User to add and configure other users.
userEntry=localEngineID,snmpAdmin,null,usmHMACMD5AuthProtocol,passadmin
Template user to be cloned with no read or write access.
userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,password,,,3,true
Note - The security file is also used to make the users persistent.
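The following Python is an added example, not part of the OpenDS documentation or product, that reads entries in the layout of the opends-snmp.security template above and flags the ones a reviewer would want to revisit: template entries (clone sources only), HMAC-MD5 authentication, and users with no privacy protocol. The field order after the auth key (privacy protocol, privacy key, storage type, template flag) is assumed from the JDMK-style user entry layout, and the third user (snmpmon, with EXAMPLE-* keys) is constructed.

```python
# Constructed sample in the layout of the opends-snmp.security template quoted above:
# the two documented entries plus one cloned monitoring user with placeholder keys.
SAMPLE_SECURITY_FILE = """\
# Admin User to add and configure other users.
userEntry=localEngineID,snmpAdmin,null,usmHMACMD5AuthProtocol,passadmin
# Template user to be cloned with no read or write access.
userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,password,,,3,true
userEntry=localEngineID,snmpmon,,usmHMACSHAAuthProtocol,EXAMPLE-auth,usmDESPrivProtocol,EXAMPLE-priv,3,false
"""

# Assumed field order (JDMK-style user entry); the page itself only labels the
# engine id, user name, auth protocol and auth key positions by example.
FIELDS = ["engine_id", "name", "security_name", "auth_protocol", "auth_key",
          "priv_protocol", "priv_key", "storage_type", "template"]

def parse_security_file(text):
    """Return one dict per userEntry line; comments and blank lines are skipped."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("userEntry="):
            continue
        values = line[len("userEntry="):].split(",")
        values += [""] * (len(FIELDS) - len(values))  # short entries omit trailing fields
        users.append(dict(zip(FIELDS, values)))
    return users

def audit_users(users):
    """Map each user name to the issues found: template-only, MD5 auth, no privacy."""
    findings = {}
    for u in users:
        issues = []
        if u["template"] == "true":
            issues.append("template entry (clone source only)")
        if u["auth_protocol"] == "usmHMACMD5AuthProtocol":
            issues.append("HMAC-MD5 authentication")
        if not u["priv_protocol"]:
            issues.append("no privacy protocol, requests are not encrypted")
        findings[u["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_users(parse_security_file(SAMPLE_SECURITY_FILE)).items():
        print(name, issues or ["no findings"])
```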