11.2 View Based Access Support in the Agent
11.3 Details of MIB Views to Managers
11.4 Adding Mib View Access to Managers
11.5 Implementing your own View Access
For security reasons, it is valuable to restrict the access rights of some groups to only a subset of the management information in the management domain. To provide this capability, access to a community is via a "MIB view", which details a specific set of managed object types within that community.
For example, for a given community, there will be one MIB view which provides access to all management information in that community, and often there will be other MIB views, each of which contains some subset of the information.
So, the access allowed for a group can be restricted in the desired manner by specifying its rights in terms of the particular (subset) MIB view it can access.
This requirement can be met by implementing the View-based Access feature.
Note: View-based Access control for v1/v2c Agents is given based on the community specified in the aclTable.
11.2 View-based Access Support in the Agent
By default, v1/v2c Agents do not support the View-based Access feature.
The code that gets generated in the Main file on implementing View-based Access is given below:
```java
// Variables declared for View-based Access
// Vacl support code generated for View-based Access control implementation
vacl = new com.adventnet.snmp.snmp2.agent.VaclTable((SnmpAgent)this, "ViewAccessControlTable.xml", "xml");
```
11.3 Details of MIB Views to Managers
WebNMS Java Agent provides the vaclTable (.1.3.6.1.4.1.2162.10.3.1.2.1.2) to store the MIB view and community information on the Agent side. The vaclTable, present under AGENT-SNMP-CONFIG-MIB -> agentConfigurationGroup -> v1v2Authentication module, has the following columns defined in it:
aclCommunity (external index) - This column, present in the aclTable, acts as an external index column for the vaclTable. Any Manager entry is given MIB view access based on the community specified in the aclTable.
vaclmibViews - The scalar or table OID for which the particular community (specified earlier) is given view access.
vaclviewStatus - The RowStatus column with which rows or columns are added to the table.
11.4 Adding MIB Views for Communities
MIB views for a community can be specified in the vaclTable either (1) before Agent start-up or (2) during run time.
11.4.1 Before Agent Start-Up
To add MIB views to a community before Agent start-up,
Using MIB Compiler UI
Select Project-> Settings menu from the MIB Compiler UI.
Select V1V2Authentication Panel.
Select vaclTable.
Click Add to add entries to the wizard.
Please note that the aclCommunity column in aclTable should have some entries before adding entries in vaclTable.
Using Text File / XML File / Runtime Memory
The entries configured using the MIB Compiler UI are stored in the configuration file ViewAccessControlTable.xml or ViewAccessControlTable.txt under the <Agent Toolkit Home>/snmpprojects/projectname/agent/bin/conf directory. To choose the type of storage,
Select Project->Settings menu from the MIB Compiler UI.
Select V1V2Authentication Panel.
Choose vaclTable.
From the Storage Type combo box, select XML File, Text File or Runtime Memory as you prefer. By default, XML File is chosen.
This file has to be edited for adding View Access to communities. The ViewAccessControlTable.xml given below has been edited for adding a new entry with Community "private" and mibViews ".1.3.6.1.4.1".
```xml
<?xml version="1.0" encoding="UTF-8"?>
<Table>
<row>
</Table>
```
Please note that the Agent has to be re-started for the changes to take effect.
Runtime Memory can be used to store the Manager information in the Agent memory. Using this option will not store the entries in text files or in XML files. After choosing the storage type, follow the steps given for adding entries "From the Manager", i.e. during run time (11.4.2). Please note that once the Agent is killed, the entries added are removed from memory.
Using API Calls
Adding the code highlighted below in the Main file generated provides view access to the community xxx from the OID .1.3.6.1.4.1.
```java
vaclTable = new com.adventnet.snmp.snmp2.agent.VaclTable((SnmpAgent)this);
vaclTable.addVaclEntry(com.adventnet.snmp.snmp2.agent.VaclTableRequestHandler.createVaclEntry("public", new String[]{".1.3.6"}));
vaclTable.addVaclEntry(com.adventnet.snmp.snmp2.agent.VaclTableRequestHandler.createVaclEntry("xxx", new String[]{".1.3.6.1.4.1"}));
```
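The two entries above map each community to the OID subtree it may see. The following added example (not WebNMS code; `ViewCheck`, `grant` and `inView` are hypothetical names, and subtree-prefix matching is an assumption about how a view is evaluated) models that decision, comparing whole sub-identifiers so that a view rooted at `.1.3.6.1.4.1` does not also admit `.1.3.6.1.4.10`:

```java
import java.util.*;

// Added illustration: stand-alone model of a community-to-view check.
// ViewCheck, grant and inView are hypothetical names, not WebNMS API.
public class ViewCheck {
    private final Map<String, List<long[]>> views = new HashMap<>();

    // Parse a dotted OID such as ".1.3.6.1.4.1" into its sub-identifiers.
    static long[] parse(String oid) {
        String s = oid.startsWith(".") ? oid.substring(1) : oid;
        return Arrays.stream(s.split("\\.")).mapToLong(Long::parseLong).toArray();
    }

    // Record that a community may view everything under the given subtree root.
    void grant(String community, String subtree) {
        views.computeIfAbsent(community, k -> new ArrayList<>()).add(parse(subtree));
    }

    // True when oid lies inside a subtree granted to the community.
    // Matching is per sub-identifier, never a raw string prefix test.
    boolean inView(String community, String oid) {
        long[] req = parse(oid);
        for (long[] root : views.getOrDefault(community, Collections.emptyList())) {
            if (req.length >= root.length
                    && Arrays.equals(root, Arrays.copyOf(req, root.length))) {
                return true;
            }
        }
        return false; // unknown community, or OID outside every granted view
    }

    public static void main(String[] args) {
        ViewCheck vc = new ViewCheck();
        vc.grant("public", ".1.3.6");       // entries taken from the API example
        vc.grant("xxx", ".1.3.6.1.4.1");
        String[][] cases = {                // constructed sample requests
            {"public", ".1.3.6.1.2.1.1.1.0"},               // sysDescr.0
            {"xxx", ".1.3.6.1.4.1.2162.10.3.1.2.1.2"},      // vaclTable OID
            {"xxx", ".1.3.6.1.2.1.1.1.0"},                  // outside the view
            {"xxx", ".1.3.6.1.4.10.1"},                     // string-prefix lookalike
            {"other", ".1.3.6.1.4.1.2162"},                 // community with no entry
        };
        for (String[] c : cases) {
            System.out.printf("%-7s %-32s %s%n", c[0], c[1],
                    vc.inView(c[0], c[1]) ? "in view" : "denied");
        }
    }
}
```

Note that a view rooted at `.1.3.6`, as given to `public` here, covers the entire standard and enterprise tree and so restricts nothing; a view only narrows access when its root is a specific subtree.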
11.4.2 During Run Time
From the Manager
To add an entry to the vaclTable from the Manager,
Load the AGENT-SNMP-CONFIG-MIB in MIB Browser.
Select vaclTable from the v1v2AuthenticationTables module of agentConfiguration group.
Selecting the respective table and clicking the SNMP Table icon in MIB Browser opens a wizard in which entries can be added to the vaclTable.
Entries added remotely are updated in the text/XML file.
Please note that the table can be accessed remotely only if "Remote Configuration" is enabled in the v1v2Authentication Panel of the Project -> Settings menu in MIB Compiler UI.
You can also enable the "Remote Configuration" option using the following API call if it was not chosen before generation.
```java
// For Vacl Table Remote Configuration
vacl = new com.adventnet.snmp.snmp2.agent.VaclTableRequestHandler((SnmpAgent)this, vaclTable);
vacl.addRegistrationListener(hdlr);
```
This call has to be included in the initSnmpExtensionNodes method.
11.5 Implementing Your Own View Access
You can also define your own View Access for Managers instead of using the default View Based Access Control Table in AGENT-SNMP-CONFIG-MIB. For this purpose:
Define a similar vaclTable in your MIB using the OBJECT TYPE TABLE construct in MIB Editor. Please refer to "Adding a Table" in the Creating a MIB section for using the construct.
The OID structure of the newly defined table should be the same as that of the vaclTable in AGENT-SNMP-CONFIG-MIB.txt after the enterprise level, i.e. .1.3.6.1.4.1.<your enterprise OID>. A sample entry OID is .1.3.6.1.4.1.2345.10.3.1.2.2.
Add the following piece of code above the code for restartSnmpAgent in the Main file.
```java
setRegisteredOid(java.lang.String oid)
```
Now, compile the code and query the Agent with your defined community and check if it has view access.
You will be able to receive the response.