Simple Network Management Protocol agent

This section describes the Simple Network Management Protocol (SNMP) agent in detail.

The Simple Network Management Protocol (SNMP) agent services requests for monitoring the state of the directory server and issues traps to the Network Management Station (NMS). Using an IBM® Security Directory Integrator assembly line with the SNMP agent, the performance and wellness information of the directory server can be reported and monitored. The IBM Security Directory Integrator assembly line collects and reports performance and wellness information, such as monitor search results, root DSE search results, and system information, for the directory server it is monitoring. Directory server performance information is logged periodically and made available in Extensible Markup Language (XML) format.

Note:
  • You must have IBM Security Directory Integrator, Version 7.1.1.4 or later installed to use the SNMP agent.

You also need to add a user to the directory and place ACLs on the suffixes of the directory that deny this user any permission to access the Data Information Tree (DIT) data. This user is created only for performing monitor searches and must exist on every monitored instance.

To monitor IBM Security Directory Server, you need to modify the properties and configuration files for the Simple Network Management Protocol (SNMP) agent.

Each directory server instance has a separate entry in the idssnmp.properties file. Configuration details are unique for each directory server instance monitored by the idssnmp tool, which is what allows the idssnmp tool to monitor multiple directory server instances. A single running instance of the idssnmp tool can monitor all of the directory server instances listed in the idssnmp.properties file.

The idssnmp.properties file is encrypted by default once the idssnmp agent is started. This file is located in the <SDSinstall_directory>\idstools\snmp directory. The idssnmp.properties file contains the following settings:
server: <IP_address>
port: <port_number>
isSSL: True/False
ldapbindDN: <bind_DN>
bindDNpwd: <bind_pwd>
systemuser: <user_ID>
systemuserpwd: <user_pwd>
filterCacheActive: True/False 
filterCacheThreshold: <Threshold Value in percentage>
pendingRequestsActive: True/False 
pendingRequestsThreshold: <Threshold Value>
pendingRequestsSinceLastIntervalActive: True/False 
pendingRequestsSinceLastIntervalThreshold: <Threshold Value>
activeConnectionActive: True/False
activeConnectionThreshold: <Threshold Value>
memoryUtilizationActive: True/False
memoryUtilizationThreshold: <Threshold Value in kilobytes>
cpuUtilizationActive: True/False
cpuUtilizationThreshold: <Threshold Value in percentage>
diskSpaceUtilizationActive: True/False
diskSpaceUtilizationThreshold: <Threshold Value in kilobytes>
replicationPendingChangeCountActive: True/False
replicationPendingChangeCountThreshold: <Threshold Value>
replicationStatusActive: True/False 
trapForMessageId-<log_type>: <GLP...>
where:
server
Represents the IP address of the monitored LDAP server.
port
Represents the port on which the monitored LDAP server is running.
isSSL
Indicates if the communication between the LDAP instance and the SNMP Agent is SSL encrypted.
ldapbindDN
Represents the bind DN.
bindDNpwd
Represents the bind password.
systemuser
Represents the system user ID.
systemuserpwd
Represents the system user password.
filterCacheActive
If set to true, then a trap alert is generated when the percentage of search filter cache used exceeds the threshold limit.
filterCacheThreshold
Specifies the threshold value in percentage.
pendingRequestsActive
If set to true, then a trap alert is generated when the difference between number of operations requested and the number of operations completed (pending requests) exceeds the threshold limit.
pendingRequestsThreshold
Specifies the threshold value.
pendingRequestsSinceLastIntervalActive
If set to true, then a trap alert is generated when the number of pending requests since the last interval exceeds the threshold limit.
pendingRequestsSinceLastIntervalThreshold
Specifies the threshold value.
activeConnectionActive
If set to true, then a trap alert is generated when the number of active connections exceeds the threshold limit.
activeConnectionThreshold
Specifies the threshold value.
memoryUtilizationActive
If set to true, then a trap alert is generated when the maximum system memory utilization exceeds the threshold limit.
memoryUtilizationThreshold
Specifies the threshold value in kilobytes.
cpuUtilizationActive
If set to true, then a trap alert is generated when the maximum CPU utilization exceeds the threshold limit. This is applicable only for non-Windows operating systems.
cpuUtilizationThreshold
Specifies the threshold value in percentage.
diskSpaceUtilizationActive
If set to true, then a trap alert is generated when the disk space utilization by the directory where DB2® database is stored exceeds the threshold limit.
diskSpaceUtilizationThreshold
Specifies the threshold value in kilobytes.
replicationPendingChangeCountActive
If set to true, then a trap alert is generated when the replication queue reaches a predefined threshold, for instance if the queue grows larger than 10000 entries.
replicationPendingChangeCountThreshold
Specifies the threshold value.
replicationStatusActive
If set to true, then a trap alert is generated if the current state of replication is incompatible, the server is down, authentication has failed, or a down-level server is not supported.
trapForMessageId
Represents a comma-separated list of message identifiers. An SNMP trap is generated whenever a matching message identifier appears in the server log that is requested through an LDAP extended operation. The log type describes the type of log required by the LDAP extended operation. Each log type must be specified separately. For instance:
  • trapForMessageId-slapd:
  • trapForMessageId-audit:
  • trapForMessageId-ibmdiradm:
If you want to send traps for all the messages generated in the log file, you can specify one of the following options:
  • TRAP_MAX – This will send traps for all (Information, Warning and Error) messages seen in the log files.
  • TRAP_MID – This will send traps only for all Warning and Error messages seen in the log files.
  • TRAP_MIN – This will send traps only for all Error messages seen in the log files.
Given below is an example of traps that can be set for log files slapd, audit, and ibmdiradm:
trapForMessageId-slapd: TRAP_MID
trapForMessageId-audit: TRAP_MAX
trapForMessageId-ibmdiradm: TRAP_MID
Note:
  • TRAP_MIN and TRAP_MID are not valid values for trapForMessageId-audit. This is because the audit log contains only information messages.
  • The traps sent by the idssnmp tool contain the OID 1.3.6.1.4.1.2.6.199.1.1.7. This OID holds the name of the instance to which the event corresponds.
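The consistency rules above (every enabled *Active switch needs its *Threshold, percentage thresholds stay within 0-100, and trapForMessageId-audit cannot use TRAP_MIN or TRAP_MID) are easy to get wrong by hand. The following is an added example, not part of the IBM tooling; the property names are those documented on this page, and the sample values (addresses, DNs, message identifiers) are constructed:

```python
"""Validate an idssnmp.properties fragment against the rules in the text above.
Added example, not part of the IBM tooling; property names are from this page,
the sample values are constructed."""

TRAP_LEVELS = {"TRAP_MAX", "TRAP_MID", "TRAP_MIN"}
PERCENT_KEYS = {"filterCacheThreshold", "cpuUtilizationThreshold"}
# Constructed sample for one monitored instance; it contains three deliberate mistakes.
SAMPLE = """\
server: 192.0.2.10
port: 636
isSSL: True
filterCacheActive: True
filterCacheThreshold: 150
pendingRequestsActive: True
trapForMessageId-slapd: TRAP_MID
trapForMessageId-audit: TRAP_MIN
trapForMessageId-ibmdiradm: GLPSRV001E,GLPSRV002W
"""

def parse_properties(text):
    """Return {key: value} from 'key: value' lines; blank and '#' lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props

def check_properties(props):
    """Return the list of rule violations; an empty list means the fragment is consistent."""
    problems = []
    for key in ("server", "port"):
        if not props.get(key):
            problems.append(f"{key} is required to identify the monitored instance")
    for key, value in props.items():
        if key.endswith("Active") and value == "True" and key != "replicationStatusActive":
            thr = key[:-len("Active")] + "Threshold"      # replicationStatus has no threshold
            if thr not in props:
                problems.append(f"{key} is True but {thr} is missing")
        if key in PERCENT_KEYS and not (value.isdigit() and int(value) <= 100):
            problems.append(f"{key} must be a percentage 0-100, got {value!r}")
        if key.startswith("trapForMessageId-"):
            if key.endswith("-audit") and value in ("TRAP_MIN", "TRAP_MID"):
                problems.append("trapForMessageId-audit: audit log has only information messages, use TRAP_MAX")
            elif value not in TRAP_LEVELS and not all(v.strip().startswith("GLP") for v in value.split(",")):
                problems.append(f"{key}: expected TRAP_MAX/MID/MIN or GLP message ids, got {value!r}")
    return problems
```

Run check_properties(parse_properties(SAMPLE)) to see the three findings; the file is encrypted after the agent starts, so run the check on the plaintext before the first start.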

The configuration file, idssnmp.conf, is in the standard SNMP format, that is, space separated with certain keywords. This configuration file contains the port number on which the SNMP agent runs, at least one IP address or host name, the IP address of the network management system (NMS) to where the connector sends its traps, and the communities that this SNMP Agent responds to. This file is located in the <SDSinstall_directory>\idstools\snmp directory.

  1. Edit the port number in the configuration file for the IBM Security Directory Server SNMP agent. The SNMP Agent monitors IBM Security Directory Server. If you want to monitor something other than the directory server, the SNMP agent for IBM Security Directory Server must be run on a nonstandard port. The nonstandard port is necessary to avoid a port conflict with the agent for the other application.
    Port 		161
    The example shows that the SNMP agent runs on port 161. If more than one Port line is specified, only the first is read; the others are ignored.
  2. To properly receive any traps, you must edit the line in the SNMP configuration file that has the keyword Trap by adding the IP address of the NMS receiving the traps (by default the value is 127.0.0.1), its port number and the community string it expects to receive from the agent. You can repeat the line to specify multiple machines that are receiving the traps. For example:
    Trap		5.4.3.2 162 public
    This example shows that any traps that are generated are sent to a machine with the IP address 5.4.3.2 on port 162 using the community string "public".
  3. Specify a polling interval in seconds. After the specified number of seconds the agent polls the servers to discover their status.
    Poll		600
    In this example the agent checks the servers every 600 seconds, that is, every 10 minutes.
  4. If you want to restrict access to the agent, you can specify an optional community string. If you specify community, you must provide the string. For example:
    Community 	dirServer
    Any machine supplying the community string, dirServer, has access to the data. If the community string is not specified, authorization is not restricted. To further restrict access, you can provide other tokens such as the IP address in the community string line that the machine originating the request must have:
    Community 	dirServer	1.2.3.4
    If no IP address is specified, then any machine supplying the community string has access to the data. If additional access restrictions are needed, you can also specify the supported access right, readOnly, for the elements of the community and, lastly, the view of the subtree. Note that the data is implicitly read only; readOnly is used only to maintain the SNMP configuration file standards. If you specify Community, the string is required. The IP address, access right and view are optional, but these restrictions are sequential: you can specify the IP address alone, or the IP address and the access right, but you cannot specify the access right or the view without the IP address.
    This example is the most restrictive and illustrates the correct sequence of the tokens.
    Community 	dirServer	1.2.3.4		readOnly 	1.5.4.3.2.1
    In this example, the requesting NMSs must supply "dirServer" as a community string. The requests must originate from a machine with IP address 1.2.3.4 and all elements in this community are read only and the view is 1.5.4.3.2.1.
    Note: With restricted authorization, if more than one machine is running an NMS authorized to perform get operations on the Directory SNMP Agent, the Community line must be duplicated for each such machine.
  5. If you need to divide the SNMP OID tree, you can specify a view of the subtree.
    View 		1.5.4.3.2.1 
    This example indicates that the agent deals with all the subtrees under the OID 1.5.4.3.2.1.
Note:
  • Load the following MIBs into your NMS:
    <SDSinstall_directory>\idstools\snmp\IBM-DIRECTORYSERVER-MIB 
    <SDSinstall_directory>\idstools\snmp\INET-ADDRESS-MIB
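The token order on the Community line (string, then IP address, then readOnly, then view) is the part of idssnmp.conf most often mis-typed, and a Community line with no IP address silently leaves access open to any host that knows the string. The following is an added example, not IBM's own parser; the keywords and the ordering rule are taken from the steps above, and the sample lines are constructed (the view OID is the one used in the examples above):

```python
"""Parse an idssnmp.conf fragment and check the Community token order described above.
Added example, not IBM's own parser; keywords and the ordering rule are from this page,
the sample lines are constructed."""
import ipaddress
# Constructed sample: two Port lines (only the first counts), one Trap, three Community lines.
SAMPLE_CONF = """\
Port        161
Port        1161
Trap        192.0.2.50 162 public
Poll        600
Community   dirServer
Community   dirServer  192.0.2.20
Community   dirServer  192.0.2.21  readOnly  1.5.4.3.2.1
View        1.5.4.3.2.1
"""

def parse_conf(text):
    """Scalar keywords keep their first value; Trap and Community keep every line's tokens."""
    conf = {"Port": None, "Poll": None, "View": None, "Trap": [], "Community": []}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        key, args = tokens[0], tokens[1:]
        if key in ("Port", "Poll", "View") and conf[key] is None and args:
            conf[key] = args[0]
        elif key in ("Trap", "Community"):
            conf[key].append(args)
    return conf

def community_findings(conf):
    """Check each Community line as: string [ip [readOnly [view]]]; a line without an IP is valid but open."""
    findings = []
    for n, args in enumerate(conf["Community"], 1):
        if not args:
            findings.append(f"line {n}: community string is required")
            continue
        if len(args) == 1:
            findings.append(f"line {n}: no IP address, any host supplying {args[0]!r} has access")
        if len(args) >= 2:
            try:
                ipaddress.ip_address(args[1])
            except ValueError:
                findings.append(f"line {n}: token 2 must be an IP address, got {args[1]!r}")
        if len(args) >= 3 and args[2] != "readOnly":
            findings.append(f"line {n}: token 3 must be readOnly, got {args[2]!r}")
        if len(args) >= 4 and not all(p.isdigit() for p in args[3].split(".")):
            findings.append(f"line {n}: token 4 must be an OID view, got {args[3]!r}")
    return findings
```

A line such as `Community dirServer readOnly 1.5.4.3.2.1` (access right and view without the IP address) produces two findings, because each token after the string is read in the fixed position the agent expects.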

The SNMP agent can be started by running the idssnmp script located in the <SDSinstall_directory>\sbin directory.

See the Configuring section of the IBM Security Directory Integrator documentation for information on how to install IBM Security Directory Integrator and how to set up SSL.