Query: snmpvacm
OS: sunos
Section: 1m
Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar
snmpvacm(1M) System Administration Commands snmpvacm(1M)NAMEsnmpvacm - perform maintenance on an SNMP agent's View-based Access Control Module (VACM) tableSYNOPSIS/usr/sfw/bin/snmpvacm [common options] [subcommand options] AGENT subcommand subcommand-argsDESCRIPTIONsnmpvacm is a SNMP application that can be used to do maintenance on an SNMP agent's View-based Access Control Module (VACM) table. The VACM table defines a set of services that can be used for checking access rights, that is, checking whether a specific type of access to a specific managed object is allowed. snmpvacm supports three types of entries--group, view, and access. The agent maintains these entries in memory and stores VACM groups, views, and access entries in the persistent configuration file upon agent shutdown. Subcommands This section describes the snmpvacm subcommands. createSec2Group Creates SNMPv3 security to group name entries. A group name is used to define an access control policy for a group of principals. Creates SNMPv3 security to group name entries. A group name is used to define an access control policy for a group of principals. snmpvacm [common options] createSec2Group MODEL SECURITYNAME GROUPNAME MODEL An integer greater then zero representing a SNMPv3 security model, such as USM. The reserved values are as follows: 1 reserved for SNMPv1 2 reserved for SNMPv2c 3 User-Based Security Model (USM) SECURITYNAME A string representing a security name for the principal, represented in a security-model-independent format, which is mapped from this entry to a GROUPNAME. GROUPNAME A string that identifies the group to which this table entry (the combination of securityModel and securityName) belongs. deleteSec2Group Deletes SNMPv3 security to group name entries. The group entry to be deleted is indexed by the specified MODEL and SECURITYNAME. snmpvacm [common options] deleteSec2Group MODEL SECURITYNAME MODEL An integer greater then zero representing a SNMPv3 security model, such as USM. The reserved values are as follows: 1 reserved for SNMPv1 2 reserved for SNMPv2c 3 User-Based Security Model (USM) SECURITYNAME A string representing a security name for the principal, represented in a security-model-independent format, which is mapped from this entry to a GROUPNAME. createView Creates a MIB view. A MIB view is a family of view subtrees, which are pairings of OID subtree values with bit string mask values. Each MIB view is defined by two sets of view subtrees, included in or excluded from the MIB view. snmpvacm [common options] [-Ce] createView NAME SUBTREE MASK -Ce An optional flag used when the MIB view type needs to be "excluded" from the MIB view. If not used, the type is defaulted to "included". NAME The OID subtree which when combined with the corresponding instance of MASK defines a family of view subtrees. SUBTREE The OID subtree which when combined with the corresponding instance of MASK defines a family of view subtrees. MASK The bit mask, a hex string, which, in combination with the corresponding instance SUBTREE, defines a family of view subtrees. The mask indicates which sub-identifiers of the associated subtree OID are significant to a particular MIB view instance. deleteView Deletes a MIB view. A MIB view is a family of view subtrees. A view subtree is a pairing of an OID subtree value with a bit string mask value. snmpvacm [common options] deleteView NAME SUBTREE NAME A string representing a MIB view name that is associated to a subtree/mask pairing. SUBTREE The OID subtree which, when combined with the corresponding instance of MASK, defines a family of view subtrees. createAccess Creates SNMPv3 access configuration entries. These entries are used to store the access rights defined for the groups. Each entry is indexed by a group name, a context prefix, a security model, and a security level. A group and view needs to be defined in order to make use of the access check. snmpvacm [common options] createAccess GROUPNAME [CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL CONTEXTMATCH READVIEWNAME WRITEVIEWNAME NOTIFYVIEWNAME GROUPNAME The name of the group to which this access right applies. CONTEXTPREFIX A string representing a contextName must match the value of the instance of this object exactly when CONTEXTMATCH is set to "exact" or partially when CONTEXTMATCH is set to "prefix". If not specified, the value reverts to the default, an empty string, "". SECURITYMODEL An integer representing the securityModel that must be used in order to gain access to this access right. SECURITYLEVEL An integer representing the minimum security level that must be used to gain access to this access right. A security level of noAu- thNoPriv is less than authNoPriv and authNoPriv is less than authPriv. Integer values supported: 1 noAuthNoPriv 2 authNoPriv 3 authPriv CONTEXTMATCH An integer whose value determines the type of match required. When set to "exact", the context name must exactly match the value in CONTEXTPREFIX. If set to "prefix", the context name must match the first few starting characters of the value in CONTEXTPREFIX. Integer values supported: 1 exact 2 prefix READVIEWNAME The authorized MIB view name used for read access. If the value is an empty string, then there is no active view configured for read access. WRITEVIEWNAME The authorized MIB view name used for write access. If the value is an empty string, then there is no active view configured for write access. NOTIFYVIEWNAME The authorized MIB view name used for notify access. If the value is an empty string, then there is no active view configured for notify access. deleteAccess Deletes SNMPv3 access configuration entries, given a group name, context prefix, security model, and security level. snmpvacm [common options] deleteAccess GROUPNAME [CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL GROUPNAME The name of the group to which this access right applies. CONTEXTPREFIX A string representing a contextName must match the value of the instance of this object exactly when CONTEXTMATCH is set to "exact" or partially when CONTEXTMATCH is set to "prefix". SECURITYMODEL An integer representing the securityModel that must be used to gain access to this access right. SECURITYLEVEL An integer representing the minimum security level that must be used to gain access to this access right. A security level of noAu- thNoPriv is less than authNoPriv and authNoPriv is less than authPriv. The following integer values are supported: 1 noAuthNoPriv 2 authNoPriv 3 authPrivEXAMPLESFor the following examples, the user is my_user and the password is my_password. Use net-snmp-config to create the first user (my_user). Then clone my_user to configure another SNMPv3 user, my_user_2. See snmpusm(1M). Example 1: Creating a VACM Group Entry Create a VACM group entry, as follows: snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost createSec2Group 3 my_user_2 my_group Run snmpwalk(1M) to verify the group name was created: snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost SNMP-VIEW-BASED-ACM-MIB::vacmGroupName In addition to other configured VACM group entries, you will note an entry such as the following: SNMP-VIEW-BASED-ACM-MIB::vacmGroupName.3."my_user_2" = STRING: my_group Example 2: Creating a MIB View Entry The command below creates a MIB view entry applicable only to the system group MIB. snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost createView my_view .1.3.6.1.2.1.1 FF Run snmpwalk(1M) to verify the my_view MIB view was created: snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyTable In snmpwalk output, observe the lines, such as those below, related to the my_view MIB view. SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyMask."my_view".2.1.3.6.1.2.1.1 = Hex-STRING: FF SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyType."my_view".2.1.3.6.1.2.1.1 = INTEGER: included(1) SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStorageType. "my_view".2.1.3.6.1.2.1.1 = INTEGER: nonVolatile(3) SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStatus. "my_view".2.1.3.6.1.2.1.1 = INTEGER: active(1) Example 3: Creating an Access Entry The command below creates an access entry using the following components: o the "my_group" entry created above o an empty prefix string ("") o the USM security model(3) o the security level(3) o the context match(1) o the read view name ("my_view") o the write view name ("") o the notify view name ("") snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost createAccess my_group "" 3 3 1 my_view "" "" Run snmpwalk(1M) to verify the access entry was created: snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A my_password -x DES -X my_password localhost SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable SNMP-VIEW-BASED-ACM-MIB::vacmAccessContextMatch."my_group"."".3.authPriv = INTEGER: exact(1) SNMP-VIEW-BASED-ACM-MIB::vacmAccessReadViewName."my_group"."".3.authPriv = STRING: my_view SNMP-VIEW-BASED-ACM-MIB::vacmAccessWriteViewName."my_group"."".3.authPriv = STRING: SNMP-VIEW-BASED-ACM-MIB::vacmAccessNotifyViewName."my_group"."".3.authPriv = STRING: SNMP-VIEW-BASED-ACM-MIB::vacmAccessStorageType."my_group"."".3.authPriv = INTEGER: nonVolatile(3) SNMP-VIEW-BASED-ACM-MIB::vacmAccessStatus."my_group"."".3.authPriv = INTEGER: active(1) Example 4: Testing the Configuration Test the preceding setup by verifying the access setup. You do this by accessing an object in the system group and another object outside this range. Note the use of the user name my_user_2. snmpget -mALL -v 3 -u my_user_2 -l authPriv -a MD5 -A my_password -x DES -X my_password localhost sysObjectID.0 At this point, when you to access an object outside the access range, the attempt fails with an appropriate error: snmpgetnext -mALL -v 3 -u my_user_2 -l authPriv -a MD5 -A my_password -x DES -X my_password localhost ifTable RFC1213-MIB::ifTable = No more variables left in this MIB View (It is past the end of the MIB tree)EXIT STATUS0 Successful completion. 1 A usage syntax error. A usage message displays. Also used for time out errors. 2 An error occurred while executing the command. An error message displays.ATTRIBUTESSee attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |SUNWsmcmd | +-----------------------------+-----------------------------+ |Interface Stability |Stable | +-----------------------------+-----------------------------+SEE ALSOsnmpusm(1M), snmpwalk(1M), snmpd.conf(4), attributes(5) RFC 3415 SunOS 5.10 2 Oct 2003 snmpvacm(1M)