Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1)

Monitoring the Server With SNMP

Oracle Unified Directory provides a jar file extension that contains a Simple Network Management Protocol (SNMP) connection handler for Management Information Base (MIB) 2605 support. The extension contains the SNMP connection handler, the required classes to support MIB 2605 objects and SNMP requests, and the SNMP adapter that allows an SNMP manager to access the server monitoring information.

Before you start on the procedures in this section, ensure that you have set up an SNMP-managed network for your particular system.

Configuring the SNMP Connection Handler and Its Dependencies

Oracle Unified Directory provides an SNMP connection handler that you can enable and configure. The SNMP connection handler is provided as a jar file extension and is located in install-dir/lib/extensions/snmp-mib2605.jar.

To Configure SNMP in the Server

Oracle Unified Directory can be configured for monitoring through the Simple Network Management Protocol (SNMP). The server uses the Java Dynamic Management Kit (JDMK) to create smart agents for the SNMP connection handler.

  1. Verify that you have the SNMP connection handler.

    Use dsconfig to view the list of current connection handlers.

    $ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
      list-connection-handlers
    
    Connection Handler       : Type : enabled : listen-port : use-ssl
    -------------------------:------:---------:-------------:--------
    JMX Connection Handler   : jmx  : false   : 1689        : false
    LDAP Connection Handler  : ldap : true    : 1389        : false
    LDAPS Connection Handler : ldap : false   : 636         : true
    LDIF Connection Handler  : ldif : true    : -           : -
    SNMP Connection Handler  : snmp : false   : 161         : -

  2. Use the dsconfig command to enable SNMP for the server.

    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w password -n -X \
      set-connection-handler-prop \
      --handler-name "SNMP Connection Handler" --set enabled:true --set listen-port:8085

To View the SNMP Connection Handler Properties

To Access SNMP on a Server Instance

  1. Restart the server by using stop-ds and start-ds.

    If the server was started and no modifications were made to the configuration, the restart operation is not required.

  2. Check that your SNMP Connection Handler is up and running.

    $ snmpwalk -v 2c -c OUD@OUD localhost:8085 mib-2.66
    SNMPv2-SMI::mib-2.66.1.1.1.1 = STRING: "Oracle Unified Directory Server 11.1.1.5.0 - 
      20090310152800Z"
    SNMPv2-SMI::mib-2.66.1.1.2.1 = STRING: "instance-dir/bin"
    SNMPv2-SMI::mib-2.66.1.1.3.1 = Gauge32: 35
    SNMPv2-SMI::mib-2.66.1.1.4.1 = Gauge32: 1
    SNMPv2-SMI::mib-2.66.1.1.5.1 = Gauge32: 0
    SNMPv2-SMI::mib-2.66.1.1.6.1 = Counter32: 0
    SNMPv2-SMI::mib-2.66.1.1.7.1 = Counter32: 1
    SNMPv2-SMI::mib-2.66.2.1.1.1.1 = INTEGER: 1
    SNMPv2-SMI::mib-2.66.2.1.1.1.2 = INTEGER: 2
    SNMPv2-SMI::mib-2.66.2.1.1.1.3 = INTEGER: 3
    SNMPv2-SMI::mib-2.66.2.1.2.1.1 = OID: SNMPv2-SMI::internet.27.3.8085
    SNMPv2-SMI::mib-2.66.2.1.2.1.2 = OID: SNMPv2-SMI::internet.27.3.1389
    SNMPv2-SMI::mib-2.66.2.1.2.1.3 = OID: SNMPv2-SMI::enterprises.42
    SNMPv2-SMI::mib-2.66.2.1.3.1.1 = Counter32: 1
    SNMPv2-SMI::mib-2.66.2.1.3.1.2 = Counter32: 1
    SNMPv2-SMI::mib-2.66.2.1.3.1.3 = Counter32: 1
    SNMPv2-SMI::mib-2.66.2.1.4.1.1 = Counter32: 1
    SNMPv2-SMI::mib-2.66.2.1.4.1.2 = Counter32: 1
    SNMPv2-SMI::mib-2.66.2.1.4.1.3 = Counter32: 1
    SNMPv2-SMI::mib-2.66.2.1.5.1.1 = Counter32: 1
    SNMPv2-SMI::mib-2.66.2.1.5.1.2 = Counter32: 1
    ...

    The managed objects included in the MIB 2605 are divided into three tables: dsTable, dsAppliIfOpsTable, and dsIntTable. Currently, the dsIntTable table is not implemented.

SNMP Security Configuration

SNMP security configuration depends on the version of SNMP that you are using. This topic discusses security configuration for SNMP V1 and V2c, and for V3.

SNMP Security Configuration: V1 and V2c

Under SNMP v1 and SNMP v2c, agents act as information servers, and the IP-based access control protects this information from unauthorized access. By default, the MIB 2605 is accessible in v1 and v2c by using the community string OUD@OUD. All managers are allowed to read the monitoring information exposed by the MIB 2605.


Note - Only read access is authorized on the MIB 2605.


You can configure SNMP v1 and SNMP v2c by setting the SNMP connection handler properties with the dsconfig command. Properties related to the SNMP v1 and SNMP v2c security configuration include:

SNMP v1 traps are sent on server startup and server shutdown. By default, these traps are sent to localhost and use the trap community string "OUD".


Note - The default trap port might have to be changed to a value that is allowed by the system.


SNMP traps are also configured by setting the SNMP connection properties with the dsconfig command. Properties related to SNMP traps include:

The ACL file that corresponds to the default values of the SNMP connection handler would be represented as follows:

    acl = {
      {
        communities = OUD
        access = read-only
        managers = all
      }
    }
    trap = {
      {
        traps-community = OUD
        hosts = localhost
      }
    }

SNMP Security Configuration: V3

The SNMP v3 protocol provides more sophisticated security mechanisms than SNMP v1 and SNMP v2c. SNMP v3 implements a user-based security model (USM) that authenticates and encrypts the requests sent between agents and their managers, and provides user-based access control. A defaultUser template is provided for adding authorized users in the agent engine using the SNMP cloning mechanism.

Under SNMP v3, the community string described in the previous section is used as the "context" from which the MIB 2605 is registered. By default, the MIB 2605 is accessible in v3 by using the context "OUD". All users have access to it.

The SNMP v3 UACL is configured by setting the SNMP connection handler properties with the dsconfig command-line utility. The properties related to SNMP v3 UACL configuration include:

The UACL file corresponding to the default values of the SNMP connection handler would be represented as follows:

    uacl = {
      {
        context-names = OUD
        access = read-only
        security-level = authNoPriv
        users = *
      }
    }

SNMP USM Configuration: V3

The USM MIB (that is, the MIB that defines allowed users) is registered in the null context, and only a snmpAdmin user with a security level of authNoPriv has read-write access to it. This snmpAdmin user can add additional users who can access the MIB 2605 information.

The SNMP v3 USM configuration is read from a template file that is located at install-dir/config/snmp/security/oud-snmp.security. The template file is not encrypted.

To access the MIB 2605 in the server agent, use the SNMP clone mechanism to add a user in the security file. Use snmpAdmin to send the SNMP request for the clone mechanism as shown here. The user to clone is defaultUser. The snmpAdmin and defaultUser users cannot access the MIB 2605 information.


Note - The security file is also used to make the users persistent.
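The default ACL and UACL representations shown in the V1/V2c and V3 sections leave the agent readable by any manager with a well-known community string, and authNoPriv authenticates requests without encrypting them. The following check is an added example, not part of the Oracle documentation or product: it parses that block format and reports entries still matching the permissive defaults. The function names, the comma-separated value handling, and the use of authPriv (the standard SNMPv3 level name, not shown on this page) as the expected level are assumptions.

```python
DEFAULT = "OUD"  # default community, trap community and context name given on the page

def parse_blocks(text):
    """Parse 'name = { { key = value ... } }' text into {name: [entry_dict, ...]}."""
    sections, current, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{") and "=" in line:        # section opener, e.g. "acl = {"
            current = sections.setdefault(line.split("=")[0].strip(), [])
        elif line == "{" and current is not None:     # start of one entry
            entry = {}
        elif line == "}" and entry is not None:       # end of that entry
            current.append(entry)
            entry = None
        elif line == "}" and current is not None:     # end of the section
            current = None
        elif "=" in line and entry is not None:       # "key = v1, v2" (list form assumed)
            key, value = line.split("=", 1)
            entry[key.strip()] = [v.strip() for v in value.split(",")]
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return sections

def audit(sections):
    """Return one finding per setting that still matches a permissive default."""
    findings = []
    for e in sections.get("acl", []):
        if DEFAULT in e.get("communities", []):
            findings.append("acl: default community string")
        if "all" in e.get("managers", []):
            findings.append("acl: any manager may read")
    for e in sections.get("trap", []):
        if DEFAULT in e.get("traps-community", []):
            findings.append("trap: default trap community")
    for e in sections.get("uacl", []):
        if "*" in e.get("users", []):
            findings.append("uacl: all users allowed")
        if e.get("security-level") != ["authPriv"]:   # authPriv: assumed target level
            findings.append("uacl: encryption (privacy) not required")
    return findings

# The page's default ACL and UACL entries, joined into one string for this example.
PAGE_DEFAULTS = (
    "acl = {\n{\ncommunities = OUD\naccess = read-only\nmanagers = all\n}\n}\n"
    "trap = {\n{\ntraps-community = OUD\nhosts = localhost\n}\n}\n"
    "uacl = {\n{\ncontext-names = OUD\naccess = read-only\n"
    "security-level = authNoPriv\nusers = *\n}\n}\n")
for finding in audit(parse_blocks(PAGE_DEFAULTS)):
    print(finding)
```

Run against the defaults, every check fires; an entry with a non-default community, a named manager host, named users and authPriv produces no findings.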