15.1 Overview
15.2 Connecting to SNMPv3 Agent
15.3 USM Operations
15.4 VACM Group Operations
15.5 VACM Group Access Operations
15.6 VACM View Operations
15.1 Overview
This document describes the SNMP V3Admin tool, which configures the USM user table and the VACM tables of a running SNMPv3 agent. The tool lets you add, modify, and delete rows in the User-based Security Model (USM) table and in the View-based Access Control Model (VACM) tables at runtime; every change is sent to the agent as an SNMP request on behalf of the user you connect as.
The SNMP V3Admin tool can be started in two ways:
From Launcher: Double click on SNMPV3Admin icon under SNMP agent.
Using Scripts: Run the SnmpV3AdminTool.bat/.sh script file present under '<JavaAgent_Home>/bin' directory.
15.2 Connecting to SNMPv3 Agent
The SNMP V3Admin tool can be connected to an existing SNMPv3 agent as follows:
15.2.1 Connect to SNMPv3 Agent:
Click on Operations->Connect to connect to the SNMPv3 agent. The User Profile Information dialog pops up.
Enter the following details in the User Profile Information dialog:
Target Host: The host on which the SNMPv3 agent is running.
Target Port: The port on which the agent is listening.
Security Name: The security name of the user on whose behalf the operations are to be carried out in the SNMPv3 agent. Refer to the Default Users of SNMPv3 Agent section for the default security names of the users you can connect with.
Auth Protocol: The authentication protocol used to authenticate the user. Either MD5 or SHA can be used; these are the HMAC-MD5-96 and HMAC-SHA-96 protocols of RFC 3414, and SHA should be preferred where the agent's users allow it. If no authentication is required, select NO_AUTH from the list.
Auth Password: The authentication password of the user. This is not required for NO_AUTH users.
Priv Protocol: The privacy protocol used for encryption. Choose either NO_PRIV or CBC_DES (56-bit CBC-DES, the only privacy protocol this tool offers). Privacy is only possible for authenticated users; SNMPv3 has no noAuthPriv security level.
Priv Password: The privacy password from which the encryption key is derived. This is not required for NO_PRIV users.
Context Name: The name of the SNMP context.
Click OK to connect to SNMPV3 agent.
Once the agent has authenticated the credentials you supplied, the tool sends requests to the agent to retrieve the contents of the USM and VACM tables and displays them in the left-hand panel of the Admin Tool. Connecting to the agent first serves two purposes:
it shows the administrator which users, and which user types, are configured in the agent.
it lets the tool validate later operations against these details (for example, the user-type restriction described under Add User).
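The Auth Password and Priv Password entered above are never sent to the agent as such: the manager derives a key from each password and then localizes it to the agent's engine ID, which is why the tool has to talk to the agent before it can create or modify a user. The following Python block is an added example, not part of the V3Admin tool or the Java agent, that reproduces that derivation (RFC 3414 Appendix A.2 password-to-key and section 2.6 key localization) for the MD5/SHA and CBC_DES choices the dialog offers. The protocol names and the usm_keys helper are this example's own; the test vectors are the published RFC 3414 A.3 values.

```python
"""Derive the localized USM keys an SNMPv3 agent stores for a user from the
Auth/Priv Password fields (RFC 3414 A.2 password-to-key, 2.6 localization).
Added example; not code from the V3Admin tool."""
import hashlib

# Assumption: protocol names as they appear in the V3Admin dialogs.
AUTH_HASH = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(password: bytes, auth_protocol: str) -> bytes:
    """RFC 3414 A.2: hash exactly 1 MiB of the password repeated end to end.

    The result Ku is engine-independent and is never stored on the agent.
    """
    if not password:
        raise ValueError("empty password")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(AUTH_HASH[auth_protocol], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku).

    Localization binds the key to one agent's engine ID, so the same password
    yields a different stored key on every agent.
    """
    return hashlib.new(AUTH_HASH[auth_protocol], ku + engine_id + ku).digest()


def usm_keys(auth_protocol: str, auth_password: bytes,
             priv_protocol: str, priv_password: bytes,
             engine_id: bytes) -> dict:
    """Return the localized keys for one User Settings dialog entry
    (hypothetical helper; mirrors the dialog's field combinations)."""
    keys = {}
    if auth_protocol == "NO_AUTH":
        if priv_protocol != "NO_PRIV":
            # There is no noAuthPriv security level in SNMPv3.
            raise ValueError("privacy requires authentication")
        return keys
    keys["auth"] = localize_key(
        password_to_key(auth_password, auth_protocol), engine_id, auth_protocol)
    if priv_protocol == "CBC_DES":
        # The privacy key is derived with the user's *authentication* hash.
        # CBC-DES then uses the first 8 bytes as the DES key and the next 8
        # as the pre-IV (RFC 3414 8.1.1.1); a 20-byte SHA key is truncated.
        kul = localize_key(
            password_to_key(priv_password, auth_protocol), engine_id, auth_protocol)
        keys["priv"] = kul[:8]
        keys["pre_iv"] = kul[8:16]
    return keys


# RFC 3414 A.3 test vectors: password "maplesyrup", engine ID 00..00 02.
RFC3414_ENGINE_ID = bytes(11) + b"\x02"

if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        ku = password_to_key(b"maplesyrup", proto)
        kul = localize_key(ku, RFC3414_ENGINE_ID, proto)
        print(proto, "Ku =", ku.hex(), "Kul =", kul.hex())
```

Running the block prints the RFC 3414 A.3 values (MD5 Kul 526f5eed9fcce26f8964c2930787d82b, SHA Kul 6695febc9288e36282235fc7151f128497b38f3f), which is a quick way to confirm that a third-party manager derives the same keys the agent expects before blaming a password mismatch on the agent.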
15.2.2 Disconnect from SNMPv3 Agent:
Choose Operations->Disconnect to disconnect from the agent. You can also click the Disconnect icon in the toolbar.
15.3 USM Operations
The USM operations possible using the SNMPv3 administration tool are:
15.3.1 Add User:
This operation lets you add a new user to the existing list of users in the USM table of the SNMPv3 agent.
Note: When you add a new user, the auth and priv protocol details of the new user must be the same as those of the user with which you connected to the SNMPv3 agent, i.e., the user connected through the admin tool acts as the 'clone-from' user for any new user added to the USM table. By default you connect to the agent as an 'auth' user, so you can add only 'auth' users.
You have two options while adding a new user:
Create a new user and map it to the existing VACM details.
Create a new user along with its authorization (VACM) details, so that the VACM operations need not be performed separately.
15.3.1.1 Creating a New User and Map it to the Existing VACM Details
To create a new user, choose USM operations->Add User from menu bar. Now, the User Settings dialog pops up.
The User Settings dialog contains the following fields. Provide the Security Name and the Auth Password, the Priv Password, or both, depending on the user type:
Security Name: Name of the user to be added to the existing list of users in the USM User Table.
Auth Protocol: The authentication protocol used to authenticate requests sent to the SNMPv3 agent by the manager on behalf of this newly added user. Either MD5 or SHA can be used.
Auth Password: The authentication password for the user. This field is disabled if you connected to the agent as a NO_AUTH user.
Priv Protocol: The privacy protocol used to encrypt requests sent to the agent by the manager on behalf of this newly added user.
Priv Password: The privacy password from which the encryption key is derived. This field is disabled if you connected to the agent as a NO_PRIV user.
Click on Next. The Group Settings dialog pops up.
All the existing user groups are listed in the 'Group Name' field. Select the appropriate 'Group Name' from the list and click Update to complete the operation.
15.3.1.2 Creating a New User along with the Authorization (VACM) Details
To create a new user, configure the user details as explained in 15.3.1.1 section for 'User Settings'. All the authorization details for the newly created user, i.e., adding a group, access, and view to the VACM table, can be configured by doing the following steps:
15.3.1.2.1 Adding a New Group Name
To add a new group name, provide the name in the GroupName field of the 'Group Settings' dialog. This creates a new group name. Click 'Next' to add a new access name.
15.3.1.2.2 Adding a New Access Name
Provide the following information in the Access Settings dialog:
groupLabel: The group under which the newly created user will be categorized.
Context Prefix: The prefix for the context name with which the manager is querying the agent.
Security Level: The security level of the user with regard to authentication and privacy. A security level of noAuthNoPriv is less than authNoPriv which in turn is less than authPriv.
Security Model: The security model used for gaining access allowed by this entry. In our case, this is USM (User Security Model) and is not editable.
Context Match: If the value of this object is exact(1), the Context Name of the request must exactly equal the Context Prefix. If the value is prefix(2), it is enough that the Context Name begins with the Context Prefix.
Read View Name: The MIB View for which read access is allowed.
Write View Name: The MIB View for which write access is allowed.
Notify View Name: The MIB View for which notification access is allowed.
15.3.1.2.3 Adding a New View Name
To specify a new View name, click the '...' symbol of Read/Write/Notify View Name. The View Settings dialog pops up.
The following fields are present in this dialog:
View Name: The name of the MIB view.
SubTree: The OID of the MIB subtree to which this view entry applies for Read/Write/Notify access.
FamilyMask: A bit mask, entered as hex, that selects which sub-identifiers of SubTree must match when deciding whether an OID belongs to the view. A 1 bit means the corresponding sub-identifier must match; a 0 bit makes it a wildcard (useful for selecting one row of a table across all of its columns). A mask shorter than the subtree is treated as extended with 1 bits. The default value is "ff", i.e., every sub-identifier of SubTree must match.
FamilyType: Either "included" or "excluded". "included" places the whole subtree under SubTree in the view; "excluded" removes that subtree from the view, so an OID under it cannot be accessed even if a shorter, included entry also covers it (the entry with the longest matching SubTree decides). For example, a view that includes .1.3.6.1.2.1 and excludes .1.3.6.1.2.1.7 grants access to everything under mib-2 except the udp group.
By default, the existing views are listed and the Family Mask and Family Type fields are disabled. When you create a new view by specifying a new View name, the Family Mask and Family Type fields are enabled.
After providing the necessary details, click Update to complete the operation.
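The group, access, and view entries configured in the three dialogs above (and edited later through the VACM Group, Access, and View operations) are combined by the agent exactly as RFC 3415 describes: security name and model select a group, the group plus context and security level select an access entry, and the access entry names the view in which the requested OID must fall. The Python block below is an added example, not code from the V3Admin tool or the Java agent, that implements that decision over constructed sample tables so you can predict what a given user will be allowed to do before changing the agent. The AccessEntry/ViewEntry classes, the "any" security model value, and the sample users, groups, and views are assumptions of the example.

```python
"""VACM access check (RFC 3415 isAccessAllowed) over entries shaped like the
VacmSecurityToGroupTable, VacmAccessTable and VacmViewTreeFamilyTable rows
the V3Admin tool edits. Added example; not code from the tool or agent."""
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


@dataclass(frozen=True)
class AccessEntry:
    group: str
    context_prefix: str
    security_model: str     # "USM" or "any"
    security_level: str
    context_match: str      # "exact" or "prefix"
    read_view: str
    write_view: str
    notify_view: str        # "" means no view, i.e. no access of that kind


@dataclass(frozen=True)
class ViewEntry:
    view_name: str
    subtree: tuple
    family_mask: str        # hex, as entered in the FamilyMask field
    family_type: str        # "included" or "excluded"


def parse_oid(text: str) -> tuple:
    return tuple(int(x) for x in text.strip(".").split("."))


def mask_bits(mask_hex: str, length: int) -> list:
    """One bit per sub-identifier of the subtree; a short mask is extended
    with 1 bits (RFC 3415), so "ff" on a 4-subid subtree is still exact."""
    bits = [(byte >> (7 - i)) & 1 for byte in bytes.fromhex(mask_hex) for i in range(8)]
    return (bits + [1] * length)[:length]


def oid_in_view(views, view_name: str, oid: tuple) -> bool:
    """An OID is in the view if the longest (then lexicographically greatest)
    matching family entry is 'included'."""
    best = None
    for v in views:
        if v.view_name != view_name or len(v.subtree) > len(oid):
            continue
        bits = mask_bits(v.family_mask, len(v.subtree))
        if all(b == 0 or s == o for b, s, o in zip(bits, v.subtree, oid)):
            if best is None or (len(v.subtree), v.subtree) > (len(best.subtree), best.subtree):
                best = v
    return best is not None and best.family_type == "included"


def select_access(entries, group, context, model, level):
    candidates = []
    for a in entries:
        if a.group != group or a.security_model not in ("any", model):
            continue
        if LEVELS[a.security_level] > LEVELS[level]:
            continue            # entry demands more security than the request carries
        if a.context_match == "exact" and a.context_prefix != context:
            continue
        if a.context_match == "prefix" and not context.startswith(a.context_prefix):
            continue
        candidates.append(a)
    if not candidates:
        return None
    # RFC 3415 3.2 step 4: exact model beats "any", then longest prefix, then highest level.
    return max(candidates, key=lambda a: (a.security_model != "any",
                                          len(a.context_prefix),
                                          LEVELS[a.security_level]))


def is_access_allowed(tables, security_name, model, level, context, view_type, oid_text):
    """Return (allowed, reason) using the RFC 3415 status names."""
    group = tables["groups"].get((model, security_name))
    if group is None:
        return False, "noGroupName"
    a = select_access(tables["access"], group, context, model, level)
    if a is None:
        return False, "noAccessEntry"
    view = {"read": a.read_view, "write": a.write_view, "notify": a.notify_view}[view_type]
    if not view:
        return False, "noSuchView"
    if not oid_in_view(tables["views"], view, parse_oid(oid_text)):
        return False, "notInView"
    return True, "accessAllowed"


# Constructed sample tables; not taken from any shipped agent configuration.
SAMPLE = {
    "groups": {("USM", "authUser"): "authGroup", ("USM", "ifUser"): "ifGroup"},
    "access": [
        AccessEntry("authGroup", "", "USM", "authNoPriv", "prefix", "restricted", "restricted", ""),
        AccessEntry("ifGroup", "", "USM", "authNoPriv", "prefix", "ifRow1", "", ""),
    ],
    "views": [
        ViewEntry("restricted", parse_oid("1.3.6.1"), "ff", "included"),
        # Hide SNMP-USER-BASED-SM-MIB so this group cannot read user rows.
        ViewEntry("restricted", parse_oid("1.3.6.1.6.3.15"), "ff", "excluded"),
        # ifTable row with ifIndex 1 across all columns: the mask bit for the
        # column sub-identifier (10th) is 0, all others 1, i.e. ffa0.
        ViewEntry("ifRow1", parse_oid("1.3.6.1.2.1.2.2.1.0.1"), "ffa0", "included"),
    ],
}
```

Two points worth checking with this before saving changes in the tool: an authNoPriv access entry is also matched by authPriv requests but never by noAuthNoPriv ones, and an "excluded" entry overrides a shorter "included" one, which is how you keep the user you connected with from being able to read or rewrite the USM and VACM MIB rows (1.3.6.1.6.3.15 and 1.3.6.1.6.3.16) while still letting it manage the rest of the tree.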
15.3.2 Modify User
You can modify the password details of an existing user using the Modify User option. To do so:
Select USM Operations -> Modify User or
Select Modify User icon from the toolbar
Upon invoking Modify User, the User Settings dialog pops up. Specify the necessary details and click Update to complete the operation.
Note: You cannot change the configuration of a NO_AUTH user. For NO_PRIV users, the oldPrivPassword and PrivPassword fields are disabled.
15.3.3 Delete User
You can delete an existing user from the USM user table using the Delete User option. To do so:
Select USM Operations -> Delete User or
Right-click on the user name in the left hand panel and select 'Delete User' or
Select the 'Delete User' icon from the toolbar.
Warning: Every request from the admin tool is sent to the agent on behalf of the user with which you connected. Take care when deleting USM or VACM entries related to that user (its USM row, its group mapping, its access entry, or the views those entries reference): once they are gone, the agent can no longer process further requests from the tool, and you will have to restore the entries by other means.
15.4 VACM Group Operations
The users in the USM table can be further categorized into VACM groups. The group, together with the other constraints in the access and view tables, determines the access permissions of a particular user. The following VACM group operations can be performed:
15.4.1 Add Group
The Add Group operation is used for adding a new VACM group. You can invoke Add Group operation by any of the following ways:
Select 'VACM Operations -> Group -> Add Group' from the menu bar
Click the 'Add Group' icon in the toolbar.
Upon invoking the 'Add Group' operation, the Group Settings dialog pops up. Specify the appropriate details as described in the 'Adding a New Group Name' section and click Update to add a new VACM Group. These details are persisted in the VacmSecurityToGroupTable file under the <JavaAgent_Home>/snmpprojects/<project_name>/agent/bin/conf directory.
Note: The combination of the Security Model and Security Name fields must be unique in the VacmSecurityToGroupTable file, since together they form the index of that table: a security name can belong to only one group per security model.
15.4.2 Modify Group
The Modify Group operation lets you change the Group Name of an existing group. The SecurityModel and SecurityName fields cannot be modified.
This operation can be invoked by selecting 'VACM Operations -> Group -> Modify Group' from the menu bar. The Group Settings dialog pops up. Specify the new Group Name and click Update.
15.4.3 Delete Group
You can delete an existing group from the VACM Group list by invoking Delete Group operation. Select the group to be deleted and invoke the Delete Group operation. The corresponding entry will be deleted from the VacmSecurityToGroupTable file.
15.5 VACM Group Access Operations
The VACM Group Access Operations manipulate the VacmAccessTable file, which determines the access rights of each group.
15.5.1 Add Access
This operation lets you add a new access in the VACM Access table. This operation can be invoked by selecting 'VACM Operations -> Access -> Add Access' from the menu bar.
The Access Settings dialog comes up. Provide relevant details as explained in the Add New Access Name section. Click on Update to complete the Add Access operation.
15.5.2 Modify Access
If you need to modify the access settings in the VACM Access table, then you need to perform the Modify Access operation. The access details can be modified from the 'Access Settings' dialog. Only Context Match, Read View Name, Write View Name, and Notify View Name fields can be modified. After providing the relevant details, click Update to complete the operation.
15.5.3 Delete Access
This operation is used to delete the access settings from the VACM Access table and can be invoked the same way you invoke the 'Delete User' operation. The corresponding entry will get deleted from the VacmAccessTable file.
15.6 VACM View Operations
The VACM View operations are used to define the View details referenced by the entries in the VACM access table.
15.6.1 Add View
This operation lets you add a new view in the VacmViewTreeFamilyTable. Upon invoking the Add View operation, the View Settings dialog pops up. After providing the relevant details as explained in the 'Add New View Name' section, click Update to add view for the group.
15.6.2 Modify View
This operation lets you modify an existing view in the VacmViewTreeFamilyTable. Upon invoking this operation, the View Settings dialog is displayed. Only the FamilyMask and FamilyType fields can be modified here. After providing the relevant details, click Update to complete the operation.
15.6.3 Delete View
This operation lets you delete an existing view from the VacmViewTreeFamilyTable. Select the view to be deleted and invoke the Delete View operation. The corresponding entry will be deleted from the VacmViewTreeFamilyTable file.