Connecting to the agent through TCP

For subagents specifying a TCP connection, you can use the installation's SAF-compliant security product [such as the z/OS® Security Server (RACF®)] to control which of the SNMP subagents are permitted to connect to the SNMP agent. One security product resource name can be created per TCP/IP stack per MVS™ image. The security product resource name is specified in the following format:

 EZB.SNMPAGENT.sysname.tcpprocname

where sysname is the name of the MVS system image and tcpprocname is the TCP/IP started procedure name.

The profile must be created under the SERVAUTH class. After creating the profiles, use the security product to define the user IDs of those subagents which should be permitted to connect via TCP to the SNMP Agent. Authorization failures are documented by security product failure messages and SNMP agent traces.

Note: If you use this authorization function, only SNMP subagents which are associated with the same TCP/IP stack as the SNMP agent will be permitted to connect to the agent. Local SNMP subagents that are associated with other TCP/IP stacks, or remote SNMP subagents, will not be permitted to connect. The following ICH408I RACF error message is issued:

   ICH408I JOB(OSNMPD  ) STEP(OSNMPD  )
     EZB.SNMPAGENT.sysname.tcpprocname CL(SERVAUTH)
     INSUFFICIENT ACCESS AUTHORITY
     FROM EZB.SNMPAGENT.** (G)
     ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

In the ICH408I message, only the JOB and STEP names are displayed instead of a user ID. Because the subagent was not associated with the same TCP/IP stack as the SNMP agent, the agent could not obtain the user ID.

Also, any subagents which connected to the SNMP agent before the agent security product resource name was created will not have been authorized via the security product.

You can use the control statements in the sample JCL job provided in SEZAINST(EZARACF) to define this authorization. For example, if you wanted to permit any SNMP subagents associated with a user ID of USER2 to connect to the SNMP agent you could use the following definitions:

 RDEFINE SERVAUTH EZB.SNMPAGENT.MVSA.TCP1 UACC(NONE)
 PERMIT EZB.SNMPAGENT.MVSA.TCP1 ACCESS(READ) CLASS(SERVAUTH) ID(USER2)
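
The following Python sketch is an added example, not part of the original documentation or of any IBM tooling. It scans captured console text for ICH408I denials against EZB.SNMPAGENT profiles and separates the JOB/STEP form described above (user ID unavailable) from the USER form (a known user ID without READ access). The log text, the user IDs USER3 and USER4, and the function name are constructed for illustration, and the parser assumes the resource name is on the line directly after the ICH408I header.

```python
import re

# Constructed sample console text (not from a real system): the JOB/STEP form
# shown above, the USER form of ICH408I, and a denial for an unrelated resource.
SAMPLE_LOG = """\
ICH408I JOB(OSNMPD  ) STEP(OSNMPD  )
  EZB.SNMPAGENT.MVSA.TCP1 CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  FROM EZB.SNMPAGENT.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(USER3   ) GROUP(SYS1    ) NAME(CONSTRUCTED USER    )
  EZB.SNMPAGENT.MVSA.TCP1 CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(USER4   ) GROUP(SYS1    ) NAME(CONSTRUCTED USER    )
  EZB.STACKACCESS.MVSA.TCP1 CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
"""

HEADER = re.compile(r"ICH408I\s+(?:USER\((?P<user>[^)]*)\)"
                    r"|JOB\((?P<job>[^)]*)\)\s+STEP\([^)]*\))")
RESOURCE = re.compile(r"(?P<res>EZB\.SNMPAGENT\.(?P<sys>[^.\s]+)\.(?P<tcp>[^.\s]+))"
                      r"\s+CL\(SERVAUTH\)")

def snmp_agent_denials(log_text):
    """Return one finding per ICH408I denial against an EZB.SNMPAGENT profile."""
    findings, header = [], None
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m or header is None:
            header = m or header      # remember the most recent ICH408I header
            continue
        hdr, header = header, None    # assumption: resource is on the next line
        r = RESOURCE.search(line)
        if not r:
            continue                  # denial for some other resource
        user = hdr.group("user")
        if user is not None:
            identity, cause = user.strip(), "user ID lacks READ access to the profile"
        else:
            identity = hdr.group("job").strip()
            cause = "user ID unavailable: subagent not on the agent's TCP/IP stack"
        findings.append({"resource": r.group("res"), "sysname": r.group("sys"),
                         "tcpprocname": r.group("tcp"), "identity": identity,
                         "by_user": user is not None, "cause": cause})
    return findings

if __name__ == "__main__":
    for f in snmp_agent_denials(SAMPLE_LOG):
        print(f)
```

A finding with `by_user` set to False points at a subagent on another stack or a remote host; one with `by_user` set to True names a user ID to review against the PERMIT list for that profile.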