You can embed a MIB module that was written for the SMA into an external application. This application can be run either as an SNMP master agent or an AgentX subagent. Generally, you should run the SMA as the master agent, and set up your application as a subagent. The subagent attaches to the master agent, and registers its MIB with the master agent. By running the SMA as the master agent, you can easily add and remove subagents while the master agent continues to run. In this way, the agent can continue to communicate with network management applications.
SMA provides Net-SNMP API functions that enable you to embed an SNMP agent or AgentX subagent into an external application. In your application code, you must initialize your module, the SNMP library, and the SNMP agent library. This initialization is done slightly differently depending on whether the application is to run as a master agent or an AgentX subagent.
The functions that you use in the agent application include:
init_agent(char *name)
Initializes the embedded agent. This function must be called before the init_snmp() call. The name is used to specify what configuration file to read when init_snmp() is called later. See the API documentation at /usr/sfw/doc/sma_snmp/html/group__library.html for more information.
init_module()
Initializes your module. This function must be called after the agent is initialized.
init_snmp(char *name)
Initializes the SNMP library, which causes the agent to read the application's configuration file. The configuration file can be used to configure access control, for instance. See the snmp_config(4) and snmpd.conf(4) man pages for more information about configuration files.
snmp_shutdown(char *name)
Shuts down the subagent, saving any needed persistent data. See the API documentation at /usr/sfw/doc/sma_snmp/html/group__library.html for more information.
You must also link against the Net-SNMP libraries in your subagent application. The command
net-snmp-config --agent-libs
displays a list of libraries you need.
The demo_module_8 code example shows you how to create a subagent that calls a module that returns load averages.
The demo_module_8 code example demonstrates how to deploy a module in a subagent. The demo is by default located in the directory /usr/demo/sma_snmp/demo_module_8. The README_demo_module_8 file within that directory includes procedures for building and running the sample module and subagent program.
You must be aware of the following security considerations in writing subagents that use the AgentX protocol:
The AgentX protocol does not contain a mechanism for authorizing or refusing to initiate sessions. Access control between subagents and master agent must be done at a lower layer, such as the transport layer.
The SMA supports only UNIX domain sockets for communication between the master agent and subagents. As a result, the master agent and subagents must run on the same host.
In open source Net-SNMP, the master agent and subagent can be on different hosts. The agents must then use UDP and TCP ports for the AgentX communication. Currently, the AgentX protocol provides no inherent security when using UDP and TCP ports. To reduce security risks, the SMA does not allow subagents to use UDP and TCP ports.
The AgentX protocol does not define any access control mechanism. The protocol also does not contain a mechanism for authorizing or refusing sessions.
A subagent can register any subtree. Potentially, a malicious subagent could register an unauthorized subtree of sensitive information. That subagent could then see modification requests to those objects in the tree. A malicious subagent might also give answers to SNMP manager queries. These answers might cause the manager to perform an action that leads to information disclosure or other damage.
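Because AgentX cannot refuse a session and the SMA carries it only over a UNIX domain socket, the file-system permissions around that socket are the access control. The following C check is an added example, not code from the SMA or Net-SNMP, and it audits a socket path and its parent directory. The socket path is passed in by the caller, the owner-only policy is an assumption, and the temporary directory and socket in audit_fixture() are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Findings, OR-ed together. Assumed policy: exactly one uid may reach the socket. */
enum { AX_MISSING = 1, AX_NOT_SOCKET = 2, AX_SOCK_OPEN = 4, AX_DIR_OPEN = 8, AX_WRONG_OWNER = 16 };

int audit_agentx_socket(const char *path, uid_t uid)
{
    struct stat sb, db;
    char buf[1024];                 /* copy: dirname() may modify its argument */
    int f = 0;
    if (snprintf(buf, sizeof buf, "%s", path) >= (int)sizeof buf) return AX_MISSING;
    /* lstat() so that a symlink planted at the socket path is not followed. */
    if (lstat(path, &sb) != 0 || stat(dirname(buf), &db) != 0) return AX_MISSING;
    if (!S_ISSOCK(sb.st_mode)) f |= AX_NOT_SOCKET;
    /* Where socket modes are honoured, write permission is what allows connect(). */
    if (sb.st_mode & (S_IWGRP | S_IWOTH)) f |= AX_SOCK_OPEN;
    /* Some systems ignore socket-file modes, so the directory must gate access too. */
    if (db.st_mode & (S_IWOTH | S_IXOTH)) f |= AX_DIR_OPEN;
    if (sb.st_uid != uid || db.st_uid != uid) f |= AX_WRONG_OWNER;
    return f;
}

/* Constructed fixture: bind "master" in a fresh temp directory, set modes, audit it. */
int audit_fixture(mode_t dirmode, mode_t sockmode)
{
    char dir[] = "/tmp/axauditXXXXXX";
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd, r;
    if (!mkdtemp(dir) || (fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s/master", dir);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); rmdir(dir); return -1; }
    chmod(sa.sun_path, sockmode);
    chmod(dir, dirmode);
    r = audit_agentx_socket(sa.sun_path, geteuid());
    close(fd); unlink(sa.sun_path); rmdir(dir);
    return r;
}

int main(void)
{
    printf("0700/0600 -> 0x%02x, 0755/0666 -> 0x%02x\n", audit_fixture(0700, 0600), audit_fixture(0755, 0666));
    return 0;
}
```

A result of 0 means the socket and its directory are reachable only by the expected uid; any other value names the condition that would let another local user attach a subagent.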