The agent access control file is a configuration file that stores SNMP-related community information. Every subagent and the Master Agent may have its own access control file. The file name may have any extension, although the extension acl is recommended. This file must be stored in the /etc/snmp/conf directory.
The following is an example of the grammar for the access control configuration file.
    <snmp_security> : <acls> <trap_block>
    <acls> : /*empty*/ | "acl" "=" { <acls_list> }
    <acls_list> : /*empty*/ | <acls_list> <acl_item>
    <acl_item> : { <communities_stmt> <acl_access> <hosts> }
    <communities_stmt> : "communities" "=" <communities_set>
    <communities_set> : <communities_set> , <community_elem> | <community_elem>
    <community_elem> : alphanumeric_string
    <acl_access> : "access" "=" <acl_access_type>
    <acl_access_type> : read-only | read-write
    <hosts> : "managers" "=" <hosts_list>
    <hosts_list> : <hosts_list> , <host_item> | <host_item>
    <host_item> : alphanumeric_string
    <trap_block> : "trap" "=" { <traps_list> }
    <traps_list> : /*empty*/ | <traps_list> <trap_item>
    <trap_item> : { <trap_community_string> <trap_interest_hosts> <enterprise_list> }
    <trap_community_string> : "trap-community" "=" alphanumeric_string
    <trap_interest_hosts_list> : <trap_interest_hosts_list> , <trap_interest_host_item> | <trap_interest_host_item>
    <trap_interest_host_item> : alphanumeric_string
    <enterprise_list> : /*empty*/ | <enterprise_list> <enterprise_item>
    <enterprise_item> : { <enterprise_stmt> <trap_number_stmt> }
    <enterprise_stmt> : "enterprise" "=" quoted_alphanumeric_string
    <trap_number_stmt> : "trap-num" "=" <trap_number_list>
    <trap_number_list> : <trap_number_item>
    <trap_number_item> : <trap_range>
    <trap_range> : integer - integer | integer
The following is an example of the access control list file.
    acl = {
        {
            communities = public, private
            access = read-only
            managers = hubble, snowbell, nanak
        }
        {
            communities = jerry
            access = read-write
            managers = hubble, telescope
        }
    }
    trap = {
        {
            trap-community = SNMP-trap
            hosts = hubble, snowbell
            {
                enterprise = "Sun"
                trap-num = 1, 2-5
            }
            {
                enterprise = "3Com"
                trap-num = 4
            }
        }
        {
            trap-community = competitor-trap
            hosts = hp_server, ibm_server, sgi
            {
                enterprise = "sun"
                trap-num = 1,3
            }
            {
                enterprise = "snmp"
                trap-num = 1-32
            }
        }
    }
The access control list file contains the following two groups of configuration variables.
acl - this group of variables consists of multiple triplets that include community names, access rights, and the names of the hosts from which SNMP requests are accepted (only if the requests include the configured communities). In the previous access control list file example, only GET and GET_NEXT SNMP requests that include the public or private community name are accepted from hosts hubble, snowbell, and nanak. This group may contain multiple triplets.
A Master Agent may have the appropriate communities and access rights to receive SNMP PDUs. However, when the same SNMP PDU is forwarded to a subagent, the subagent may reject it if the subagent does not have the proper rights to receive such a PDU (or does not include the proper community). Conversely, a subagent might have the access rights and the community to receive an SNMP PDU, but such a PDU may never reach the subagent if the Master Agent does not have the appropriate community strings and access rights.
trap - this group of variables consists of information for sending and/or forwarding traps received from the subagents. The Master Agent uses the information specified in this group for forwarding the traps. This information specifies the names of the hosts to which the configured trap numbers are sent. The trap PDUs contain the specified trap community. These traps are generated primarily by the subagents and are then sent to the Master Agent.
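The following added example (not part of the original documentation or of the agent software) parses the acl group of two access control files and works out the access a manager actually gets once a PDU must be accepted by both the Master Agent and a subagent, as described above. The file contents are constructed samples, the function names are hypothetical, and host names are compared literally with no name resolution.

```python
import re

# Constructed sample files in the format shown above (hypothetical contents).
MASTER_ACL = """
acl = {
  { communities = public, private access = read-only managers = hubble, snowbell, nanak }
  { communities = jerry access = read-write managers = hubble, telescope }
}
trap = {
  { trap-community = SNMP-trap hosts = hubble, snowbell
    { enterprise = "Sun" trap-num = 1, 2-5 } }
}
"""
SUBAGENT_ACL = """
acl = {
  { communities = jerry access = read-only managers = hubble }
}
"""

# One acl triplet: { communities = ... access = ... managers = ... }
TRIPLET = re.compile(
    r"\{\s*communities\s*=\s*([^{}]*?)\s+access\s*=\s*(read-only|read-write)"
    r"\s+managers\s*=\s*([^{}]*?)\s*\}")

def parse_acl(text):
    """Return the acl group as a list of (communities, access, managers)."""
    names = lambda s: {n.strip() for n in s.split(",")}
    return [(names(c), a, names(m)) for c, a, m in TRIPLET.findall(text)]

def access_for(triplets, host, community):
    """Strongest access one file grants: 'read-write', 'read-only' or None."""
    granted = {a for c, a, m in triplets if community in c and host in m}
    return "read-write" if "read-write" in granted else ("read-only" if granted else None)

def effective_access(master, subagent, host, community):
    """A forwarded PDU must be accepted by both files; the weaker grant wins."""
    pair = (access_for(master, host, community), access_for(subagent, host, community))
    if None in pair:
        return None
    return "read-only" if "read-only" in pair else "read-write"

if __name__ == "__main__":
    master, sub = parse_acl(MASTER_ACL), parse_acl(SUBAGENT_ACL)
    for host, comm in [("hubble", "jerry"), ("telescope", "jerry"), ("hubble", "public")]:
        print(host, comm, effective_access(master, sub, host, comm))
```

Running the same comparison across every subagent file in /etc/snmp/conf shows where a read-write grant in the Master Agent's file is narrowed, or not narrowed, by the subagent behind it.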