Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

HPUXSNMP0

Download as doc, pdf, or txt
Download as doc, pdf, or txt
You are on page 1of 2

7.3.3.

HP OpenView Agent for HP-UX and Solaris


One text-configuration file controls the parameters for this agent; the file is
typically named /etc/SnmpAgent.d/snmpd.conf, or /etc/snmpd.conf on older
systems. You don't need to edit this file for the agent to function normally.
If you do edit it, you must stop and restart the master agent by executing the
SnmpMaster script, first with a stop and then a start :
$ /sbin/init.d/SnmpMaster stop
$ /sbin/init.d/SnmpMaster start

7.3.3.1. Simple configuration

The following configuration file configures the agent to respond to get


requests using the community name public and set requests using the community
name private. There are no restrictions on which MIBs can be queried, or which
hosts can make the queries. This configuration has no security, since the
community strings are set to commonly used defaults and are widely known. The
OpenView agent sends authentication-failure traps by default, so you don't have
to enable these traps in the configuration file.
get-community-name: public
set-community-name: private
trap-dest: 127.0.0.1
contact: B.Gates
location: 12 Pyramid - Egypt
The simplest configuration is to edit the file and place more reasonable
community names in the first two lines. We can't say it too much: community
names are essentially passwords. Use the same rules for picking community names
that you would for choosing the root password. You should always set the
destination trap host (trap-dest) to the IP address of the host that will
receive the trap.
The next example configures several different community names:
get-community-name: public
get-community-name: media
set-community-name: hushed
set-community-name: veryprivate
set-community-name: shhhh
We have created two get (read-only) communities and three set (read-write)
communities. These communities can be used as you see fit. (In real life, we
would have chosen more obscure names.) For example, you might give your
operations group in New York public community access and your operations group
in Atlanta media community access. The remaining set communities can further be
subdivided among various administrators and other staff who need read-write
access.

7.3.3.2. Advanced configuration


Setting up multiple community strings doesn't sound very useful, and by itself,
it isn't. But you can take the concept a step further and create different
communities, each of which consists of a few particular hosts and can access
only some of the objects SNMP manages. The next example allows the host
10.123.56.25 to issue gets using the community name comname and sets using the
community name private. The host 10.123.46.101 can issue gets using only the
community name comname. You cannot use hostnames after the IP: directive; you
must use IP addresses.
get-community-name comname IP: 10.123.56.25 10.123.46.101
set-community-name private IP: 10.123.56.25
You can also configure the agent to restrict access to MIB subtrees based on IP
addresses. The next example allows any host to get any object under
iso.org.dod.internet.mgmt.mib-2, except for objects in the interfaces subtree.
The minus sign (-) in front of interfaces instructs the agent to disallow
access to this subtree.
get-community-name public VIEW: mib-2 -interfaces
The final example sets up multiple community names for both sets and gets. An
administrator who is located at host 10.123.46.25 and knows the admin community
string has read access to the entire MIB tree; with the adminset community
string, he has write access to the entire tree. Someone with the operator
community string can sit anywhere and access everything in mib-2 except for the
interfaces subtree, but must be sitting at his desk (10.123.56.101) to issue
sets and is not allowed to set anything in the mib-2 subtree.
get-community-name operator VIEW: mib-2 -interfaces
get-community-name admin IP: 10.123.56.25
set-community-name operset IP: 10.123.46.101 VIEW: -mib-2
set-community-name adminset IP: 10.123.56.25

You might also like