Add VACM for SNMP (ADDVACSNMP)
Where allowed to run: All environments (*ALL)
Threadsafe: No
The Add View-based Access Control Model (VACM) for SNMP (ADDVACSNMP) command adds a VACM rule for the local Simple Network Management Protocol (SNMP) agent. VACM rules provide the ability to restrict or allow access to all or parts of the SNMP Management Information Base (MIB) provided by the local SNMP agent. When configuring VACM rules, it's important to consider the following:
- An OBJID for a rule matches an OID in an SNMP message if every integer in the OBJID matches consecutively the same integers in the OID. For example, OBJID('1.3.6.25') matches OID 1.3.6.25.1.2 but it does not match OID 1.3.6.20.1.
- A rule that is a more precise match of the OID being validated takes precedence over a less precise matching rule. For example, if the OID 1.3.6.25.1 is being processed, a rule that specifies OBJID('1.3.6.25') takes precedence over a rule that specifies OBJID('1.3.6').
- A rule that specifies ACCTYPE(*INCLUDE) takes precedence over a rule that specifies ACCTYPE(*EXCLUDE) if both rules match the same number of integers in the OID. For example, if OID 1.3.6.25.1 is being processed, a rule that specifies ACCTYPE(*INCLUDE) and OBJID('1.3.6') takes precedence over a rule that specifies ACCTYPE(*EXCLUDE) and OBJID('1.3.6').
- The local SNMP agent does not need to be ended and restarted in order to configure VACM rules. However, configuring VACM while the SNMP agent is active will affect its performance.
- The system does not support configuring local VACM rules via SNMP set requests sent to the local SNMP agent. All VACM configuration must be done using CL commands.
- VACM rules do not apply to SNMP version 1 (SNMPv1) messages. It is recommended that SNMPv1 be disabled by setting the Allow SNMPv3 (ALWSNMPV3) parameter of the Change SNMP Attributes (CHGSNMPA) command to either *V3ONLY or *V3AGENT.
- VACM rules do not apply to SNMPv3 engine ID discovery or time synchronization operations.
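The three precedence rules above, modelled in Python as an added example that is not part of the IBM documentation or the agent's own code. It assumes that VIEWTYPE and USRNAME select which rules are candidates before precedence is applied; the rule names and users are constructed, and a result of `None` only means that no rule matched (what the agent does in that case is not modelled).

```python
from typing import NamedTuple

# Sub-tree OIDs for three OBJID special values, as listed on this page.
SPECIAL_OBJID = {
    "*SYSTEM": ["1.3.6.1.2.1.1"],
    "*HOSTRSC": ["1.3.6.1.2.1.25"],
    "*HOSTHDW": ["1.3.6.1.2.1.25.2", "1.3.6.1.2.1.25.3"],
}

class Rule(NamedTuple):  # fields mirror the command's keywords
    rulname: str
    acctype: str         # "*INCLUDE" or "*EXCLUDE"
    viewtype: tuple      # ("*ALL",) or any of "*READ", "*WRITE", "*NOTIFY"
    objid: tuple         # dotted OIDs and/or special values
    usrname: tuple       # ("*ALL",) or SNMPv3 user names

def parse_oid(text):
    return tuple(int(p) for p in text.split("."))

def prefixes(rule):
    for value in rule.objid:
        for oid in SPECIAL_OBJID.get(value, [value]):
            yield parse_oid(oid)

def applies(rule, user, op):
    # Assumption: a rule is a candidate only for its view types and users.
    return (("*ALL" in rule.viewtype or op in rule.viewtype)
            and ("*ALL" in rule.usrname or user in rule.usrname))

def winning_rule(rules, user, op, oid_text):
    # Returns (rule name, integers matched) for the rule that takes
    # precedence, or None when no candidate rule matches the OID.
    oid, best = parse_oid(oid_text), None
    for rule in (r for r in rules if applies(r, user, op)):
        for pre in prefixes(rule):
            if oid[:len(pre)] != pre:
                continue  # every OBJID integer must match consecutively
            # Longer match wins; on equal length *INCLUDE beats *EXCLUDE.
            key = (len(pre), rule.acctype == "*INCLUDE")
            if best is None or key > best[0]:
                best = (key, rule)
    return None if best is None else (best[1].rulname, best[0][0])

# Constructed sample rules (names and users are hypothetical).
RULES = [
    Rule("DENYHOST", "*EXCLUDE", ("*ALL",), ("*HOSTRSC",), ("*ALL",)),
    Rule("HWREAD", "*INCLUDE", ("*READ",), ("*HOSTHDW",), ("MONITOR",)),
    Rule("SYSINC", "*INCLUDE", ("*READ",), ("*SYSTEM",), ("*ALL",)),
    Rule("SYSEXC", "*EXCLUDE", ("*READ",), ("1.3.6.1.2.1.1",), ("*ALL",)),
]
```

Running a planned rule set through a model like this before entering the commands shows whether a broad *EXCLUDE is unintentionally overridden by a narrower *INCLUDE, or the reverse.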
Restrictions:
- You must have input/output system configuration (*IOSYSCFG) special authority to use this command.
Parameters
Keyword | Description | Choices | Notes |
---|---|---|---|
RULNAME | Rule name | Name | Required, Positional 1 |
ACCTYPE | Access type | *INCLUDE, *EXCLUDE | Optional, Positional 2 |
VIEWTYPE | View type | Single values: *ALL. Other values (up to 2 repetitions): *READ, *WRITE, *NOTIFY | Optional |
OBJID | Object identifiers | Single values: *ALL. Other values (up to 10 repetitions): Character value, *HOSTHDW, *HOSTRSC, *HOSTSFW, *HOSTSYS, *ICMP, *IFCTBL, *IP, *SYSTEM, *TCP, *UDP | Optional |
USRNAME | User names | Single values: *ALL. Other values (up to 32 repetitions): Character value | Optional |
Rule name (RULNAME)
Specifies the name of the VACM rule being added.
This is a required parameter.
- character-value
- Specify the name of the VACM rule being added. A rule name must be a minimum of 1 character and no more than 10 characters in length.
Access type (ACCTYPE)
Specifies the access type for this rule in the VACM configuration.
- *INCLUDE
- Specifies a rule for including access to OIDs.
- *EXCLUDE
- Specifies a rule for excluding access to OIDs.
View type (VIEWTYPE)
Specifies the view type for this rule in the VACM configuration. The view type determines whether the rule applies to SNMP read, write, or notify operations. Up to 3 values may be specified.
Single values
- *ALL
- Specifies that this rule applies to all types of SNMP operations.
Other values
- *READ
- Specifies that this rule applies to read operations (get, get-next, and get-bulk).
- *WRITE
- Specifies that this rule applies to write operations (set).
- *NOTIFY
- Specifies that this rule applies to notification operations (trap and inform).
Object identifiers (OBJID)
Specifies the object identifiers (OIDs) for this rule in the VACM configuration. The OIDs can specify either a sub-tree or a specific object in the SNMP agent's Management Information Base (MIB). This also includes OIDs managed by sub-agents. Up to 10 values may be specified.
Single values
- *ALL
- Specifies that this rule applies to all OIDs. The sub-tree OID corresponding to this rule is 1..
Other values
- *HOSTHDW
- Specifies that this rule applies to OIDs in the host resources MIB for hardware resources. The sub-tree OIDs corresponding to this rule are 1.3.6.1.2.1.25.2 (hrStorage) and 1.3.6.1.2.1.25.3 (hrDevice).
- *HOSTRSC
- Specifies that this rule applies to all OIDs in the host resources MIB. The sub-tree OID corresponding to this rule is 1.3.6.1.2.1.25 (host).
- *HOSTSFW
- Specifies that this rule applies to OIDs in the host resources MIB for software resources. The sub-tree OID corresponding to this rule is 1.3.6.1.2.1.25.6 (hrSWInstalled).
- *HOSTSYS
- Specifies that this rule applies to OIDs in the host resources MIB for system information. The sub-tree OID corresponding to this rule is 1.3.6.1.2.1.25.1 (hrSystem).
- *ICMP
- Specifies that this rule applies to OIDs in the Internet Control Message Protocol MIB. The sub-tree OID corresponding to this rule is 1.3.6.1.2.1.5 (icmp).
- *IFCTBL
- Specifies that this rule applies to OIDs for the interface table. The sub-tree OIDs corresponding to this rule are 1.3.6.1.2.1.2.1 (ifNumber) and 1.3.6.1.2.1.2.2 (ifTable).
- *IP
- Specifies that this rule applies to OIDs in the Internet Protocol MIB. The sub-tree OID corresponding to this rule is 1.3.6.1.2.1.4 (ip).
- *SYSTEM
- Specifies that this rule applies to OIDs in the system group. The sub-tree OID corresponding to this rule is 1.3.6.1.2.1.1 (system).
- *TCP
- Specifies that this rule applies to OIDs in the Transmission Control Protocol MIB. The sub-tree OID corresponding to this rule is 1.3.6.1.2.1.6 (tcp).
- *UDP
- Specifies that this rule applies to OIDs in the User Datagram Protocol MIB. The sub-tree OID corresponding to this rule is 1.3.6.1.2.1.7 (udp).
- character-value
- Specify an OID for a sub-tree in the SNMP agent or sub-agent's MIB. An OID is a series of integers separated by periods. The entire OID value must be enclosed in apostrophes.
User names (USRNAME)
Specifies the list of SNMPv3 users for this rule in the VACM configuration. The specified users must exist in the SNMPv3 configuration at the time this command is run. Up to 32 users may be specified.
- *ALL
- Specifies that this rule applies to all configured SNMPv3 users.
Other values
- character-value
- Specify the name of an existing SNMPv3 user.
Examples
None
Error messages
*ESCAPE Messages
- TCP4001
- Error occurred accessing SNMP configuration information.
- TCP404D
- VACM rule &1 not added.
- TCP8050
- *IOSYSCFG authority required to use &1.