Connecting to the agent through TCP
For subagents specifying a TCP connection, you can use the installation's SAF-compliant security product [such as the z/OS® Security Server (RACF®)] to control which of the SNMP subagents are permitted to connect to the SNMP agent. One security product resource name can be created per TCP/IP stack per MVS™ image. The security product resource name is specified in the following format:
EZB.SNMPAGENT.sysname.tcpprocname
where sysname is the name of the MVS system image and tcpprocname is the TCP/IP started procedure name.
The profile must be created under the SERVAUTH class. After creating
the profiles, use the security product to define the user IDs of those
subagents that should be permitted to connect through TCP to the SNMP
agent. Authorization failures are documented by security product
failure messages and SNMP agent traces.
Note: If you use this authorization
function, only SNMP subagents that are associated with the same TCP/IP
stack as the SNMP agent will be permitted to connect to the agent.
Local SNMP subagents that are associated with other TCP/IP stacks,
or remote SNMP subagents, will not be permitted to connect. The following ICH408I RACF error message is issued:
ICH408I JOB(OSNMPD ) STEP(OSNMPD )
EZB.SNMPAGENT.sysname.tcpprocname CL(SERVAUTH)
INSUFFICIENT ACCESS AUTHORITY
FROM EZB.SNMPAGENT.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
In the ICH408I message, only the JOB and STEP names
are displayed instead of a user ID. Because the subagent was not associated
with the same TCP/IP stack as the SNMP agent, the agent could not
obtain the user ID. Also, any subagents that connected to the SNMP agent before the agent security product resource name was created will not have been authorized through the security product.
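The following added example (not part of the original documentation or of any IBM sample) shows one way to scan a saved system log for ICH408I denials against EZB.SNMPAGENT resources and to separate the JOB/STEP-only case described above from denials that name a user ID. The log text is constructed, MVSA, TCP1, USER3 and SYS1 are placeholder values, and the function name parse_ich408i is hypothetical.

```python
import re

# Constructed sample. Record 1 mirrors the page's message (JOB/STEP, no user ID);
# record 2 uses the USER/GROUP/NAME header form. MVSA, TCP1, USER3, SYS1 are placeholders.
SAMPLE_LOG = """\
ICH408I JOB(OSNMPD  ) STEP(OSNMPD  )
  EZB.SNMPAGENT.MVSA.TCP1 CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  FROM EZB.SNMPAGENT.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(USER3   ) GROUP(SYS1    ) NAME(CONSTRUCTED USER    )
  EZB.SNMPAGENT.MVSA.TCP1 CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  FROM EZB.SNMPAGENT.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

FIELD = re.compile(r"\b(JOB|STEP|USER|GROUP|CL|ACCESS INTENT|ACCESS ALLOWED)\(([^)]*)\)")
RESOURCE = re.compile(r"(EZB\.SNMPAGENT\.(\S+?)\.(\S+))\s+CL\(")
PROFILE = re.compile(r"FROM\s+(\S+)")

def parse_ich408i(log_text):
    """Return one finding per ICH408I denial on an EZB.SNMPAGENT resource."""
    records, current = [], None
    for line in log_text.splitlines():
        if "ICH408I" in line:          # header line starts a new record
            current = []
            records.append(current)
        if current is not None and len(current) < 5:   # assumes the 5-line layout shown on the page
            current.append(line.strip())
    findings = []
    for rec in records:
        text = " ".join(rec)
        res = RESOURCE.search(text)
        if not res:
            continue                   # denial for an unrelated resource
        fields = {k: v.strip() for k, v in FIELD.findall(text)}
        prof = PROFILE.search(text)
        user = fields.get("USER")
        findings.append({
            "resource": res.group(1), "sysname": res.group(2),
            "tcpprocname": res.group(3), "user": user, "job": fields.get("JOB"),
            "profile": prof.group(1) if prof else None,
            "intent": fields.get("ACCESS INTENT"),
            "allowed": fields.get("ACCESS ALLOWED"),
            # Per the page: no user ID means the subagent was not on the agent's stack.
            "cause": "user lacks READ" if user else "no user ID: other stack or remote",
        })
    return findings
```

A finding with a user ID points to a missing PERMIT for that ID; a finding without one points to a subagent on another TCP/IP stack or a remote subagent, which this authorization function does not permit.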
You can use the control statements in the sample JCL job provided
in SEZAINST(EZARACF) to define this authorization. For example, if
you wanted to permit any SNMP subagents associated with a user ID
of USER2 to connect to the SNMP agent you could use the following
definitions:
RDEFINE SERVAUTH EZB.SNMPAGENT.MVSA.TCP1 UACC(NONE)
PERMIT EZB.SNMPAGENT.MVSA.TCP1 ACCESS(READ) CLASS(SERVAUTH) ID(USER2)