To start successfully, the subagent requires at least read
access to the standard MIB-II on the local node.
About this task
During subagent startup or when network interfaces are
added or removed, the subagent has to query OIDs from the interfaces
group of the standard MIB-II.
Given here is an example of how to use the snmpd.conf and snmp.conf configuration files to assign access rights using the View-Based Access Control Mechanism (VACM). The following access rights are assigned on the local node:
- General read access for the scope of the standard MIB-II
- Write access for the scope of the OSA-Express MIB
- Public local read access for the scope of the interfaces MIB
The example is intended for illustration purposes only. Depending on the security requirements of your installation, you might need to define your access differently. See the snmpd man page for more information about assigning access rights to snmpd.
Procedure
- See the SUSE Linux Enterprise Server 12 SP4 documentation to find out where you need to place the snmpd.conf file. Some of the possible locations are:
- Open snmpd.conf with your preferred text editor. There might be a sample in /usr/share/doc/packages/net-snmp/EXAMPLE.conf.
- Find the security name section and include a line of this form to map a community name to a security name:
  com2sec <security-name> <source> <community-name>
  where:
  - <security-name> is given access rights through further specifications within snmpd.conf.
  - <source> is the IP address or DNS name of the accessing system, typically a Network Management Station.
  - <community-name> is the community string used for basic SNMP password protection.
  Example:
  # sec.name source community
  com2sec osasec default osacom
  com2sec pubsec localhost public
- Find the group section. Use the security name to define a group with different versions of the master agent for which you want to grant access rights. Include a line of this form for each master agent version:
  group <group-name> <security-model> <security-name>
  where:
  - <group-name> is a group name of your choice.
  - <security-model> is the security model of the SNMP version.
  - <security-name> is the same as in step 3.
  Example:
  # groupName securityModel securityName
  group osagroup v1 osasec
  group osagroup v2c osasec
  group osagroup usm osasec
  group osasnmpd v2c pubsec
  Group osasnmpd with community public is required by osasnmpd to determine the number of network interfaces.
- Find the view section and define your views. A view is a subset of all OIDs. Include lines of this form:
  view <view-name> <included|excluded> <scope>
  where:
  - <view-name> is a view name of your choice.
  - <included|excluded> indicates whether the following scope is an inclusion or an exclusion statement.
  - <scope> specifies a subtree in the OID tree.
  Example:
  # name incl/excl subtree mask(optional)
  view allview included .1
  view osaview included .1.3.6.1.4.1.2
  view ifmibview included interfaces
  view ifmibview included system
  View allview encompasses all OIDs while osaview is limited to IBM® OIDs. The numeric OID provided for the subtree is equivalent to the textual OID .iso.org.dod.internet.private.enterprises.ibm.
  View ifmibview is required by osasnmpd to determine the number of network interfaces.
  Tip: Specifying the subtree with a numeric OID leads to better performance than using the corresponding textual OID.
- Find the access section and define access rights. Include lines of this form:
  access <group-name> "" any noauth exact <read-view> <write-view> none
  where:
  - <group-name> is the group you defined in step 4.
  - <read-view> is a view for which you want to assign read-only rights.
  - <write-view> is a view for which you want to assign read-write rights.
  Example:
  # group context sec.model sec.level prefix read write notif
  access osagroup "" any noauth exact allview osaview none
  access osasnmpd "" v2c noauth exact ifmibview none none
  The first access line of the example gives read access to the allview view and write access to the osaview view. The second access line gives read access to the ifmibview view.
- Also include the following line to enable the AgentX support:
  master agentx
  AgentX support is compiled into the net-snmp master agent.
- Save and close snmpd.conf.
  Example of an snmpd.conf file:
  # sec.name source community
  com2sec osasec default osacom
  com2sec pubsec localhost public
  # groupName securityModel securityName
  group osagroup v1 osasec
  group osagroup v2c osasec
  group osagroup usm osasec
  group osasnmpd v2c pubsec
  # name incl/excl subtree mask(optional)
  view allview included .1
  view osaview included .1.3.6.1.4.1.2
  view ifmibview included interfaces
  view ifmibview included system
  # group context sec.model sec.level prefix read write notif
  access osagroup "" any noauth exact allview osaview none
  access osasnmpd "" v2c noauth exact ifmibview none none
  master agentx
- Open ~/.snmp/snmp.conf with your preferred text editor.
  Tip: See man snmp.conf for possible locations of snmp.conf.
- Include a line of this form to specify the directory to be searched for MIBs:
  Example: mibdirs +/usr/share/snmp/mibs
- Include a line of this form to make the OSA-Express MIB available to the master agent:
- Define defaults for the version and community to be used by the snmp commands. Add lines of this form:
  defVersion <version>
  defCommunity <community-name>
  where <version> is the SNMP protocol version and <community-name> is the community you defined in step 3.
  Example:
  defVersion 2c
  defCommunity osacom
  These default specifications simplify issuing master agent commands.
- Save and close ~/.snmp/snmp.conf.
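
To review what the VACM lines in snmpd.conf actually grant, the following Python sketch (an added example, not part of the original documentation or of net-snmp) resolves each community through its security name, group and access line to the view subtrees it can read and write. The function names are hypothetical, the sample is the example file from this page, and only the plain directive forms shown on this page are parsed.

```python
import shlex

# Constructed sample: VACM lines of the snmpd.conf example on this page.
SAMPLE_CONF = '''
com2sec osasec default   osacom
com2sec pubsec localhost public
group osagroup v1  osasec
group osagroup v2c osasec
group osagroup usm osasec
group osasnmpd v2c pubsec
view allview   included .1
view osaview   included .1.3.6.1.4.1.2
view ifmibview included interfaces
view ifmibview included system
access osagroup "" any noauth exact allview   osaview none
access osasnmpd "" v2c noauth exact ifmibview none    none
'''

def parse_vacm(text):
    """Collect com2sec, group, view and access directives (plain forms only)."""
    conf = {"com2sec": [], "group": [], "access": [], "view": {}}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # drops '#' comments, keeps ""
        if len(tok) == 4 and tok[0] in ("com2sec", "group"):
            conf[tok[0]].append(tuple(tok[1:]))
        elif len(tok) >= 4 and tok[0] == "view":
            conf["view"].setdefault(tok[1], []).append((tok[2], tok[3]))
        elif len(tok) == 9 and tok[0] == "access":
            conf["access"].append(tuple(tok[1:]))
    return conf

def community_rights(conf):
    """Resolve community -> security name -> group -> access -> view subtrees."""
    rows = []
    for sec, source, community in conf["com2sec"]:
        for grp, model, gsec in conf["group"]:
            if gsec == sec and model in ("v1", "v2c"):  # communities exist only in v1/v2c
                for agrp, _ctx, amodel, *_, read, write, _notif in conf["access"]:
                    if agrp == grp and amodel in ("any", model):
                        rows.append({"community": community, "source": source, "model": model,
                                     "read": conf["view"].get(read, []),
                                     "write": conf["view"].get(write, [])})
    return rows

def writable_from_any_source(rows):
    """Communities that carry a write view and are accepted from source 'default'."""
    return sorted({r["community"] for r in rows
                   if r["write"] and r["source"] == "default"})
```

For the example file, writable_from_any_source reports osacom: the com2sec source default accepts that community from any address, and its group has write access to the .1.3.6.1.4.1.2 subtree. Replacing default with the address of the Network Management Station is the change to consider if your installation restricts management traffic.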