Administration Console Online Help

Secure SNMPv3 communication


In the SNMPv3 protocol, both SNMP agent and manager must encode identical credentials in their PDUs for the communication to succeed. The credentials include several tokens: a user name, an SNMP engine ID, an authentication protocol, and an optional privacy password.

In WebLogic Server, SNMP agents work with the domain's security realm to secure communication. The SNMP agent decodes SNMP credentials in requests and passes the SNMP user name to the security realm. The security realm maps the SNMP user name to a WebLogic Server user, authenticates the user, and authorizes access to monitoring data in the domain. To map the SNMP credentials to a user in a WebLogic Server security realm, you create a credential map.

To secure SNMPv3 communication:

  1. In the Administration Console, if you currently have a lock on the domain's configuration, release the lock by activating your changes. See Use the Change Center.

    The next step of this task requires you to add a user to the security realm. You cannot edit security realm data while you have a lock on the domain's configuration.

  2. Create a WebLogic Server user (later in this task, you will map this WebLogic Server user to SNMP credentials):
    1. In the Administration Console, under Domain Structure, select Security Realms.
    2. On the Summary of Security Realms page, select the active security realm and create a user.

      The user name must match the user name that SNMP managers encode in their requests. See Create users.

    3. Add the user to a security group that has sufficient privileges to monitor JMX resources. See Users, Groups, And Security Roles.

    For example, if SNMP managers encode the user name joe in their requests, then create a WebLogic Server user named joe and assign joe to the Monitors security group.

  3. In the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  4. To map this WebLogic Server user to SNMP credentials:
    1. In the Administration Console, under Domain Structure, expand Diagnostics and select SNMP.
    2. On the Summary of SNMP Agents page, click the Security tab.
    3. On the Credential Mappings page, click the New button.
    4. On the Create SNMP Credential Mapping page, from the Credential Mapping Type list, select Authentication.
    5. In User Name, enter the name of the WebLogic Server user that you created in previous steps.
    6. In SNMP Password and Confirm SNMP Password, enter the authentication password that SNMP managers will send in their requests.
    7. Click the OK button.
    8. If you will also use a privacy password to secure SNMP communications, complete the remaining steps.
    9. On the Credential Mappings page, click the New button.
    10. On the Create SNMP Credential Mapping page, from the Credential Mapping Type list, select Privacy.
    11. In User Name, enter the same WebLogic Server user that you entered for the authentication credential.
    12. In SNMP Password and Confirm SNMP Password, enter the privacy password that SNMP managers will send in their requests.
    13. Click the OK button.
  5. On the Credential Mappings page, click the Agents tab.
  6. On the Summary of SNMP Agents page, in the Server SNMP Agents table, click the name of an SNMP agent. Configure the agent as follows:
    1. In Engine ID, enter the engine ID that SNMP managers encode into their requests.
    2. In the Authentication Protocol list, select the protocol that SNMP managers use to encrypt authentication credentials.
    3. If you will also use a privacy password to secure SNMP communications, in the Privacy Protocol list, select the protocol that SNMP managers use to encrypt messages.
    4. Click the Save button.
  7. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).
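
Why the user name, engine ID, authentication protocol and password entered in the steps above must be identical on the agent and on every SNMP manager: the sketch below is an added example, not Oracle code, and it assumes both sides derive the authentication key with the standard USM password-to-key localization of RFC 3414 (MD5 or SHA-1). The function names and the sample values other than the user name joe are constructed for illustration.

```python
import hashlib
import hmac

def localized_key(password: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """RFC 3414 A.2 password-to-key, then localization to one engine ID."""
    algo = {"MD5": "md5", "SHA": "sha1"}[auth_protocol]
    if not password:
        raise ValueError("empty password")
    # Hash exactly 1,048,576 octets of the password repeated end to end.
    reps, rem = divmod(1048576, len(password))
    ku = hashlib.new(algo, password * reps + password[:rem]).digest()
    # Localize: H(Ku || engineID || Ku). The engine ID becomes part of the key.
    return hashlib.new(algo, ku + engine_id + ku).digest()

def credential_mismatches(agent: dict, manager: dict) -> list:
    """Return the settings that differ, plus 'auth_key' if the derived keys differ."""
    fields = ("user", "engine_id", "auth_protocol")
    problems = [f for f in fields if agent[f] != manager[f]]
    keys = [localized_key(c["auth_password"], c["engine_id"], c["auth_protocol"])
            for c in (agent, manager)]
    if not hmac.compare_digest(keys[0], keys[1]):
        problems.append("auth_key")
    return problems

# Constructed sample settings (not taken from any real domain).
AGENT = {"user": "joe", "engine_id": b"example-agent-1",
         "auth_protocol": "MD5", "auth_password": b"constructed-auth-pw"}
MANAGER_OK = dict(AGENT)
MANAGER_WRONG_ENGINE = dict(AGENT, engine_id=b"example-agent-2")
MANAGER_WRONG_PROTO = dict(AGENT, auth_protocol="SHA")

if __name__ == "__main__":
    for name, mgr in (("matching", MANAGER_OK),
                      ("wrong engine ID", MANAGER_WRONG_ENGINE),
                      ("wrong protocol", MANAGER_WRONG_PROTO)):
        print(name, "->", credential_mismatches(AGENT, mgr) or "credentials agree")
```

A manager that has the correct user name and password but a different engine ID still derives a different key, so its requests fail authentication.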
