Chapter 4
NMA information can be accessed using the Simple Network Management Protocol (SNMP). This chapter explains how to configure an external SNMP manager, and provides examples of the configuration files required for three types of SNMP configurations.
The Java DMK can be used to develop a remote manager that communicates with the NMA using SNMP. For information on how to use the Java DMK to develop a manager that communicates using SNMP, see SNMP Manager Configuration Examples. Alternatively, any SNMP manager can be used.
The NMA offers SNMPv1, SNMPv2, and SNMPv3 interfaces via the SNMP protocol adaptor. Edit the following values in the nma.properties file to configure the SNMP protocol adaptor:
com.sun.nhas.ma.adaptors.snmp.enabled
    Set to true to enable the SNMP protocol adaptor.
com.sun.nhas.ma.adaptors.snmp.port
    Set to the number of the port to be used for SNMP communication, for example, 8085.
com.sun.nhas.ma.adaptors.snmp.trap.port
    Set to the number of the port to be used to send SNMP traps, for example, 8086.
By default the NMA uses the standard Java DMK access control configuration files. The following templates are available for use in a default installation:
Use these templates to create configuration files for customized access control configuration. Edit the jdmk.acl.file and jdmk.uacl.file properties in the nma.properties file to reflect the paths to your access control configuration files.
The following three files are included for SNMP traps and security configuration, in accordance with the Internet Engineering Task Force RFC 2573.
The NMA MIB is located at: /SUNWcgha/services/SUNWcgha/doc/ma/nhasmib.txt in a default installation.
Note - SNMPv1 does not support 64-bit counters. Retrieval of CGTP statistics that use 64-bit counters is not possible when using SNMPv1.
In SNMPv1 and SNMPv2, access control is provided on the basis of the IP address and community of the manager's host machine.
The acl group contains one or more access configurations.
acl = {
    access1
    access2
    ...
    accessN
}
Each access configuration has the following format:
{
    communities = communityList
    access = accessRights
    managers = hostList
}
The communityList is a list of SNMP community names to which this access control applies. The community names in this list are separated by commas.
The accessRights specifies the rights to be granted to all managers connecting from the hosts specified in the hostList. There are two possible values: either read-write or read-only.
The hostList specifies the hosts of the managers to be granted the access rights. The hostList is a comma-separated list of hosts, each of which can be expressed as any one of the following:
The set of all access configurations defines the access policy of the SNMP agent. A manager whose host is specified in a hostList and that identifies itself in one of the communities of the same configuration will be granted the permissions defined by the corresponding accessRights. A manager's host can appear in several access configurations, provided it is associated with a different community list. This will define different access communities with different rights from the same manager.
A manager whose host-community identification pair does not appear in any of the access configurations will be denied all access. This means that protocol data units (PDUs) from this manager will be dropped without being processed.
The trap group specifies the hosts to which the agent will send traps if the InetAddressAcl mechanism is used. This group contains one or more trap community definitions.
trap = {
    community1
    community2
    ...
    communityN
}
Each community definition defines the association between a set of hosts and the SNMP community string in the traps to be sent to them. Each trap definition has the following format:
{
    trap-community = trapCommunityName
    hosts = trapHostList
}
The trapCommunityName item specifies a single SNMP community string. It will be included in the traps sent to the hosts specified in the hosts item. SNMPv3 does not use the community string, so use IP addresses or the context name instead.
The trapHostList item specifies a comma-separated list of hosts. Each host must be identified by its name or complete IP address.
When the SNMP protocol adaptor is instructed to send a trap using the InetAddressAcl mechanism, it will send a trap to every host listed in the trap community definitions. If a host is present in more than one list, it will receive more than one trap, each one identified by its corresponding trap community.
The user-based access control implemented by SNMPv3 is based on contexts and user names. The users, contexts, and associated security information controlling access to the agents in an SNMP session are defined in the nma.uacl file.
acl = {
# {
# context-names = TEST-CONTEXT
# access = read-write
# security-level = authNoPriv
# users = defaultUser
# }
}
In the nma.uacl file, you define the following:
A list of context names, separated by commas. You can define a null context by declaring context-names = null
The access level, which can be either read-write or read-only
The security level, as follows:
noAuthNoPriv    No security mechanisms activated
authNoPriv      Authentication activated, with no privacy
authPriv        Both authentication and privacy activated
A list of authorized users, separated by commas; an asterisk (*) opens access to all users.
By uncommenting the acl block in EXAMPLE 4-2, you would limit access to MIBs in the TEST-CONTEXT context only, and grant read-write access to the user defaultUser. The security level in the file must also match that of user defaultUser. Therefore, any non-authenticated requests, any request with different security levels, or any requests from a user other than defaultUser, would be rejected.
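The access rules spelled out above (the SNMPv1/v2 acl and trap groups, and the SNMPv3 uacl block) are easy to misread once a file holds several entries, so the following added example, which is not code from the chapter or from the Java DMK, parses the brace-delimited file layout and evaluates it the way the text describes: a manager's (host, community) pair is looked up across every access configuration and is dropped when none matches, a host listed under several trap communities receives one trap per community, and an SNMPv3 request is accepted only when context, user and security level all match an entry. The sample files embedded in it are constructed, not the templates shipped with the NMA, and the exact-match rule for the security level follows the chapter's description of the default file.

```python
import re

# Key/value pair inside an entry, for example "communities = public, private".
KEY = re.compile(r"\s*([\w-]+)\s*=\s*")
# Start of a top-level group, for example "acl = {" or "trap = {".
GROUP_START = re.compile(r"([\w-]+)\s*=\s*\{")


def parse_entries(body):
    """Split a group body "{ k = v ... } { k = v ... }" into a list of dicts.
    Every value becomes a list, since the file's lists are comma-separated."""
    entries = []
    for block in re.findall(r"\{([^{}]*)\}", body):
        entry, keys = {}, list(KEY.finditer(block))
        for idx, km in enumerate(keys):
            end = keys[idx + 1].start() if idx + 1 < len(keys) else len(block)
            raw = block[km.end():end]
            entry[km.group(1)] = [v.strip() for v in raw.split(",") if v.strip()]
        entries.append(entry)
    return entries


def parse_acl_file(text):
    """Parse "name = { {...} {...} }" groups into {name: [entry, ...]}.
    Lines starting with '#' are comments, as in the default nma.uacl template."""
    text = re.sub(r"#[^\n]*", "", text)
    groups, pos = {}, 0
    while True:
        m = GROUP_START.search(text, pos)
        if m is None:
            return groups
        depth, i = 1, m.end()
        while depth and i < len(text):          # walk to the matching closing brace
            depth += (text[i] == "{") - (text[i] == "}")
            i += 1
        groups.setdefault(m.group(1), []).extend(parse_entries(text[m.end():i - 1]))
        pos = i


def community_access(groups, host, community):
    """SNMPv1/v2: rights for a (host, community) pair, or None when the PDU is dropped."""
    for entry in groups.get("acl", []):
        if host in entry.get("managers", []) and community in entry.get("communities", []):
            return entry["access"][0]
    return None


def trap_targets(groups):
    """SNMPv1/v2 traps: {host: [trap community, ...]}; one trap is sent per listed community."""
    targets = {}
    for entry in groups.get("trap", []):
        for host in entry.get("hosts", []):
            targets.setdefault(host, []).append(entry["trap-community"][0])
    return targets


def user_access(groups, context, user, security_level):
    """SNMPv3 (nma.uacl): rights for (context, user, level), or None when rejected.
    context=None stands for the null context ("context-names = null")."""
    for entry in groups.get("acl", []):
        contexts = entry.get("context-names", [])
        users = entry.get("users", [])
        context_ok = "null" in contexts if context is None else context in contexts
        user_ok = "*" in users or user in users          # "*" opens access to all users
        level_ok = entry.get("security-level", [None])[0] == security_level
        if context_ok and user_ok and level_ok:
            return entry["access"][0]
    return None


# Constructed sample files in the layouts the chapter describes (not the shipped templates).
SAMPLE_ACL = """\
acl = {
  { communities = public
    access = read-only
    managers = localhost, 10.8.1.253 }
  { communities = private
    access = read-write
    managers = 10.8.1.253 }
}
trap = {
  { trap-community = public
    hosts = localhost, 10.8.1.253 }
  { trap-community = ops
    hosts = 10.8.1.253 }
}
"""

SAMPLE_UACL = """\
acl = {
  { context-names = TEST-CONTEXT
    access = read-write
    security-level = authNoPriv
    users = defaultUser }
}
"""

if __name__ == "__main__":
    v2 = parse_acl_file(SAMPLE_ACL)
    print(community_access(v2, "10.8.1.253", "private"))   # read-write
    print(community_access(v2, "localhost", "private"))    # None: PDU dropped unprocessed
    print(trap_targets(v2))                                # 10.8.1.253 receives two traps
    v3 = parse_acl_file(SAMPLE_UACL)
    print(user_access(v3, "TEST-CONTEXT", "defaultUser", "authNoPriv"))    # read-write
    print(user_access(v3, "TEST-CONTEXT", "defaultUser", "noAuthNoPriv"))  # None: rejected
```

Running the script against a candidate nma.acl or nma.uacl before installing it shows which manager hosts, communities and users the file actually admits, which is a cheaper check than discovering a dropped PDU or an unexpected read-write grant once the adaptor is live.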
Under SNMPv1 and SNMPv2, agents act as information servers, and IP-based access control is used to protect this information from unauthorized access. The SNMPv3 protocol provides much more sophisticated security mechanisms, implementing a user-based security model (USM). This model allows both authentication and encryption of the requests sent between agents and their managers, as well as user-based access control.
Note - The default NMA configuration is an example of an SNMPv3 configuration. Modify the security parameters to fit your security requirements.
You can add and remove users in the nma.security file as specified in Managing Users in Security Files.
Secure SNMPv3 communication requires that the SNMP engine ID, which is generated by the NMA for each node, is used to communicate with the NMA. The SNMP engine ID is unique for the SNMP domain. It is a hexadecimal string calculated from a concatenation of the following properties of the NMA on each node:
The engine ID is stored in the nma.security file of each NMA. It can be replaced with a different engine ID.
Every user that has access to an agent is represented by a userEntry line in each of the agent's security files.
You configure the userEntry as follows, with the parameters separated by commas:
userEntry=engine ID,user name,security name,authentication algorithm,authentication key,privacy algorithm,privacy key,storage type,template
The only mandatory parameters are the engine ID and the user name. All the other parameters are optional.
The possible values for the parameters are as follows:
This section contains three examples of SNMP configurations. The NMA implements the Notification MIB module specified by the Internet Engineering Task Force in RFC 2573, which is accessible from http://www.ietf.org.
By default the NMA authorizes localhost to access its MIB using SNMPv1 or SNMPv2 on port 8085. SNMP traps are sent using the mechanism described in the RFC 2573. Traps are sent by default to localhost on port 8086 using SNMPv2 parameters, as defined in the default RFC 2573 configuration files:
The RFC 2573 configuration files can be edited manually. Alternatively, use the com.sun.jdmk.snmp.rfc2573.manager.SnmpV3AppliMibRegistration class, found in the rfc2573mgr.jar file. Use this class to dynamically register or unregister SNMP managers at runtime. EXAMPLE 4-3 is a code snippet that uses this class to register a trap target on trap port trapPort of the host localHost. Traps are received using SNMPv3 parameters.
In this configuration, the NMA MIB is accessed using SNMPv2 on port number 8085. The SNMP manager is authorized to access the MIB located on host 10.8.1.253. Traps are sent to the manager on port 8086 using SNMPv2, using the Notification MIB described in RFC 2573.
EXAMPLE 4-4 through EXAMPLE 4-8 list the entries in the NMA configuration files that support this SNMP configuration.
targetsEntry=managerV2,snmpUDPDomain,10.8.1.253/8086,10000,2,trap,snmpV2,3
paramsEntry=snmpV2,1,2,public,1,3
notificationEntry=notif1,trap,1,3
In this configuration, the NMA is located at the CGTP address 10.8.3.18. The NMA MIB can be accessed through SNMPv2 and SNMPv3 using port number 8085. The manager authorized to access the MIB using SNMPv2 is located on host 10.8.1.253. The user defaultUser is authorized to access the MIB through SNMPv3 using the security parameters described in the nma.security file. Traps are sent to the manager on port 8086 using SNMPv2 and on port 8095 using SNMPv3. The notification MIB described in RFC 2573 is used.
EXAMPLE 4-9 through EXAMPLE 4-16 list the entries in the NMA configuration files that support this SNMP configuration.
acl = {
    {
    context-names = null
    access = read-write
    security-level = authNoPriv
    users = defaultUser
    }
}
paramsEntry=snmpV2,1,2,public,1,3
paramsEntry=snmpV3,3,3,defaultUser,2,3
notificationEntry=notif1,trap,1,3
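The userEntry line described earlier and the targetsEntry, paramsEntry and notificationEntry lines of the RFC 2573 files reference each other by name, and a dangling reference silently costs you a trap target. The following added consistency check is not code from the chapter or from the Java DMK: it parses the comma-separated entry lines and reports targets that name an undefined paramsEntry, notification tags that select no target, and SNMPv3 params that name a user with no userEntry or a user lacking the keys the requested security level needs. The chapter shows the lines but does not name their fields, so the field positions (taken from the RFC 2573 target, params and notify tables) and the numeric security-level meanings are assumptions, and the engine ID, algorithm and key values in the constructed sample are placeholders.

```python
import re

# Numeric security levels as they appear in paramsEntry lines (RFC 3411 SnmpSecurityLevel).
# Assumed field positions, used below:
#   targetsEntry: name, domain, address, timeout, retries, tagList, params, storageType
#   paramsEntry:  name, mpModel, securityModel, securityName, securityLevel, storageType
#   notificationEntry: name, tag, type, storageType
#   userEntry: engine ID, user name, security name, auth algorithm, auth key,
#              privacy algorithm, privacy key, storage type, template (from the chapter)
LEVEL_NAMES = {"1": "noAuthNoPriv", "2": "authNoPriv", "3": "authPriv"}


def parse_table_lines(text):
    """Group "kind=field,field,..." lines by kind, trimming whitespace around fields."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        kind, _, rest = line.partition("=")
        table.setdefault(kind.strip(), []).append([f.strip() for f in rest.split(",")])
    return table


def check_trap_config(text):
    """Return a list of problems: dangling references between the tables and the users."""
    tbl = parse_table_lines(text)
    problems = []

    # userEntry: engine ID and user name are mandatory, the other seven fields optional.
    users = {}
    for u in tbl.get("userEntry", []):
        if len(u) < 2 or not u[0] or not u[1]:
            problems.append("userEntry without engine ID and user name: %r" % (u,))
            continue
        users[u[1]] = u + [""] * (9 - len(u))       # pad optional fields to fixed positions

    params = {p[0]: p for p in tbl.get("paramsEntry", []) if len(p) >= 6}

    tags_in_use = set()
    for t in tbl.get("targetsEntry", []):
        if len(t) < 8:
            problems.append("targetsEntry with too few fields: %r" % (t,))
            continue
        tags_in_use.update(t[5].split())            # tagList is space-separated
        if t[6] not in params:
            problems.append("target %s uses undefined paramsEntry %s" % (t[0], t[6]))

    # A notification's tag selects the targets whose tagList contains it.
    for n in tbl.get("notificationEntry", []):
        if len(n) >= 2 and n[1] not in tags_in_use:
            problems.append("notificationEntry %s tag %s matches no target" % (n[0], n[1]))

    # SNMPv3 params (mpModel 3) must name a user able to reach the requested level.
    for name, p in params.items():
        if p[1] != "3":
            continue
        level, user = LEVEL_NAMES.get(p[4], p[4]), users.get(p[3])
        if user is None:
            problems.append("paramsEntry %s names user %s with no userEntry" % (name, p[3]))
        elif level in ("authNoPriv", "authPriv") and not user[4]:
            problems.append("paramsEntry %s needs %s but user %s has no authentication key"
                            % (name, level, p[3]))
        elif level == "authPriv" and not user[6]:
            problems.append("paramsEntry %s needs authPriv but user %s has no privacy key"
                            % (name, p[3]))
    return problems


# Constructed sample: the chapter's second configuration (SNMPv2 and SNMPv3 trap targets)
# plus one stale target and one key-less user, so the check has something to report.
SAMPLE = """\
targetsEntry=managerV2,snmpUDPDomain,10.8.1.253/8086,10000,2,trap,snmpV2,3
targetsEntry=managerV3,snmpUDPDomain,10.8.1.253/8095,10000,2,trap,snmpV3,3
targetsEntry=stale,snmpUDPDomain,10.8.1.253/8096,10000,2,trap,snmpV2old,3
paramsEntry=snmpV2,1,2,public,1,3
paramsEntry=snmpV3,3,3,defaultUser,2,3
paramsEntry=snmpV3guest,3,3,guest,2,3
notificationEntry=notif1,trap,1,3
# engine ID, algorithm and key values are placeholders, not values from the chapter
userEntry=ENGINE_ID_PLACEHOLDER,defaultUser,defaultUser,AUTH_ALGORITHM_PLACEHOLDER,AUTH_KEY_PLACEHOLDER
userEntry=ENGINE_ID_PLACEHOLDER,guest
"""

if __name__ == "__main__":
    for problem in check_trap_config(SAMPLE):
        print(problem)
```

Feeding the script the concatenated contents of nma.targets.txt, nma.params.txt, nma.notifs.txt and nma.security catches the two silent failure modes of this setup: a trap target whose params name no longer exists, and a v3 params entry asking for authNoPriv or authPriv on behalf of a user whose userEntry carries no key for it.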
In this configuration, the NMA MIB is accessed using SNMPv3 on port number 8085. The manager authorized to access the MIB is located on host 10.8.1.253. Traps are sent to the manager on trap port 8086. In this case, the notification MIB is not used. Traps are always sent to trap port 8086 as defined in the nma.properties file and use only SNMPv2. The nma.targets.txt, nma.params.txt, and nma.notifs.txt files are not used in this configuration.
EXAMPLE 4-17 through EXAMPLE 4-20 list the entries in the NMA configuration files that support this SNMP configuration.
acl = {
    {
    context-names = null
    access = read-write
    security-level = authNoPriv
    users = defaultUser
    }
}
Copyright © 2008, Sun Microsystems, Inc. All rights reserved.