snmpvacm


NAME
     snmpvacm - perform maintenance on an SNMP agent's View-based
     Access Control Module (VACM) table

SYNOPSIS
     /usr/sfw/bin/snmpvacm [common options] [subcommand  options]
     AGENT subcommand subcommand-args

DESCRIPTION
     snmpvacm is an SNMP application that can be used to do
     maintenance on an SNMP agent's View-based Access Control
     Module (VACM) table. The VACM table defines a set of
     services that can be used for checking access rights, that
     is, checking whether a specific type of access to a specific
     managed object is allowed. snmpvacm supports three types of
     entries: group, view, and access. The agent maintains these
     entries in memory and stores VACM groups, views, and access
     entries in the persistent configuration file upon agent
     shutdown.

  Subcommands
     This section describes the snmpvacm subcommands.

     createSec2Group

         Creates SNMPv3 security to group name entries.  A  group
         name  is  used  to define an access control policy for a
         group of principals.


         snmpvacm [common options] createSec2Group MODEL SECURITYNAME GROUPNAME


         MODEL

             An integer greater than zero representing an SNMPv3
             security model, such as USM. The reserved values are
             as follows:


             1

                 reserved for SNMPv1


             2

                 reserved for SNMPv2c



             3

                 User-Based Security Model (USM)



         SECURITYNAME

             A string representing a security name for the
             principal, in a security-model-independent format,
             which this entry maps to a GROUPNAME.



         GROUPNAME

             A string that identifies the  group  to  which  this
             table  entry  (the  combination of securityModel and
             securityName) belongs.



     deleteSec2Group

         Deletes SNMPv3 security to group name entries. The group
         entry  to  be  deleted is indexed by the specified MODEL
         and SECURITYNAME.


         snmpvacm [common options] deleteSec2Group MODEL SECURITYNAME


         MODEL

             An integer greater than zero representing an SNMPv3
             security model, such as USM. The reserved values are
             as follows:


             1

                 reserved for SNMPv1



             2

                 reserved for SNMPv2c



             3

                 User-Based Security Model (USM)



         SECURITYNAME

             A string representing a security name for the
             principal, in a security-model-independent format,
             which this entry maps to a GROUPNAME.



     createView

         Creates a MIB view. A MIB view is a family of view  sub-
         trees, which are pairings of OID subtree values with bit
         string mask values.

         Each MIB view is defined by two sets of  view  subtrees,
         included in or excluded from the MIB view.


         snmpvacm [common options] [-Ce] createView NAME SUBTREE MASK


         -Ce

             An optional flag used when the MIB view type needs
             to be "excluded" from the MIB view. If not used, the
             type defaults to "included".


         NAME

             A string representing the MIB view name with which
             this subtree/mask pairing is associated.




         SUBTREE

             The  OID  subtree  which  when  combined  with   the
             corresponding  instance  of MASK defines a family of
             view subtrees.



         MASK

             The bit mask, a hex string, which, in combination
             with the corresponding instance of SUBTREE, defines a
             family of view subtrees.

             The mask indicates which sub-identifiers of the
             associated subtree OID are significant to a
             particular MIB view instance.



     deleteView

         Deletes a MIB view. A MIB view is a family of view  sub-
         trees.  A  view  subtree  is a pairing of an OID subtree
         value with a bit string mask value.


         snmpvacm [common options] deleteView NAME SUBTREE


         NAME

             A string representing a MIB view name that is
             associated with a subtree/mask pairing.


         SUBTREE

             The  OID  subtree  which,  when  combined  with  the
             corresponding  instance of MASK, defines a family of
             view subtrees.



     createAccess

         Creates SNMPv3 access configuration entries. These
         entries are used to store the access rights defined for
         the groups. Each entry is indexed by a group name, a
         context prefix, a security model, and a security level.
         A group and a view need to be defined before the access
         check can be used.


         snmpvacm [common options] createAccess GROUPNAME
         [CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL
         CONTEXTMATCH READVIEWNAME WRITEVIEWNAME
         NOTIFYVIEWNAME


         GROUPNAME

             The name of the group to which this access right
             applies.


         CONTEXTPREFIX

             A string representing a contextName. The context
             name of a request must match this value exactly when
             CONTEXTMATCH is set to "exact", or as a prefix when
             CONTEXTMATCH is set to "prefix".

             If not specified, the value reverts to the default,
             an empty string, "".



         SECURITYMODEL

             An integer representing the securityModel that  must
             be  used  in  order  to  gain  access to this access
             right.



         SECURITYLEVEL

             An integer representing the minimum  security  level
             that  must  be  used  to  gain access to this access
             right. A security level of noAuthNoPriv is less than
             authNoPriv and authNoPriv is less than authPriv.

             Integer values supported:


             1

                 noAuthNoPriv

             2

                 authNoPriv



             3

                 authPriv



         CONTEXTMATCH

             An integer whose value determines the type of match
             required. When set to "exact", the context name must
             exactly match the value in CONTEXTPREFIX. If set to
             "prefix", the leading characters of the context name
             must match the value in CONTEXTPREFIX.

             Integer values supported:


             1

                 exact


             2

                 prefix



         READVIEWNAME

             The authorized MIB view name used for  read  access.
             If  the  value  is an empty string, then there is no
             active view configured for read access.



         WRITEVIEWNAME

             The authorized MIB view name used for write  access.
             If  the  value  is an empty string, then there is no
             active view configured for write access.



         NOTIFYVIEWNAME

             The authorized MIB view name used for notify access.
             If  the  value  is an empty string, then there is no
             active view configured for notify access.



     deleteAccess

         Deletes SNMPv3 access  configuration  entries,  given  a
         group name, context prefix, security model, and security
         level.


         snmpvacm [common options] deleteAccess GROUPNAME
         [CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL


         GROUPNAME

             The name of the group to which this access right
             applies.


         CONTEXTPREFIX

             A string representing a contextName. The context
             name of a request must match this value exactly when
             CONTEXTMATCH is set to "exact", or as a prefix when
             CONTEXTMATCH is set to "prefix".



         SECURITYMODEL

             An integer representing the securityModel that  must
             be used to gain access to this access right.



         SECURITYLEVEL

             An integer representing the minimum  security  level
             that  must  be  used  to  gain access to this access
             right. A security level of noAuthNoPriv is less than
             authNoPriv and authNoPriv is less than authPriv.

             The following integer values are supported:

             1

                 noAuthNoPriv


             2

                 authNoPriv



             3

                 authPriv



EXAMPLES
     For the following examples, the  user  is  my_user  and  the
     password  is  my_password. Use net-snmp-config to create the
     first  user  (my_user).  Then  clone  my_user  to  configure
     another SNMPv3 user, my_user_2. See snmpusm(1M).

     Example 1: Creating a VACM Group Entry

     Create a VACM group entry, as follows:

     snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A
             my_password -x DES -X my_password localhost createSec2Group
             3 my_user_2 my_group

     Run snmpwalk(1M) to verify the group name was created:

     snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A
             my_password -x DES -X my_password localhost
             SNMP-VIEW-BASED-ACM-MIB::vacmGroupName

     In addition to other configured VACM group entries, you will
     note an entry such as the following:

     SNMP-VIEW-BASED-ACM-MIB::vacmGroupName.3."my_user_2" = STRING: my_group

     Example 2: Creating a MIB View Entry

     The command below creates a MIB view entry  applicable  only
     to the system group MIB.

     snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A
             my_password -x DES -X my_password localhost createView
             my_view .1.3.6.1.2.1.1 FF

     Run snmpwalk(1M) to verify the my_view MIB view was created:

     snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A
             my_password -x DES -X my_password localhost
             SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyTable

     In the snmpwalk output, observe lines such as those below,
     which relate to the my_view MIB view.

     SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyMask."my_view".2.1.3.6.1.2.1.1\
     = Hex-STRING: FF
     SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyType."my_view".2.1.3.6.1.2.1.1\
     = INTEGER: included(1)
     SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStorageType.\
     "my_view".2.1.3.6.1.2.1.1 = INTEGER: nonVolatile(3)
     SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStatus.\
     "my_view".2.1.3.6.1.2.1.1 = INTEGER: active(1)

     Example 3: Creating an Access Entry

     The command below creates an access entry using the  follow-
     ing components:

       o  the "my_group" entry created above

       o  an empty prefix string ("")

       o  the USM security model (3)

       o  the security level (3)

       o  the context match (1)

       o  the read view name ("my_view")

       o  the write view name ("")

       o  the notify view name ("")


     snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A
             my_password -x DES -X my_password localhost createAccess
             my_group "" 3 3 1 my_view "" ""

     Run snmpwalk(1M) to verify the access entry was created:

     snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A
             my_password -x DES -X my_password localhost
             SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable

     SNMP-VIEW-BASED-ACM-MIB::vacmAccessContextMatch."my_group"."".3.authPriv\
     = INTEGER: exact(1)
     SNMP-VIEW-BASED-ACM-MIB::vacmAccessReadViewName."my_group"."".3.authPriv\
     = STRING: my_view
     SNMP-VIEW-BASED-ACM-MIB::vacmAccessWriteViewName."my_group"."".3.authPriv\
     = STRING:
     SNMP-VIEW-BASED-ACM-MIB::vacmAccessNotifyViewName."my_group"."".3.authPriv\
     = STRING:
     SNMP-VIEW-BASED-ACM-MIB::vacmAccessStorageType."my_group"."".3.authPriv\
     = INTEGER: nonVolatile(3)
     SNMP-VIEW-BASED-ACM-MIB::vacmAccessStatus."my_group"."".3.authPriv\
     = INTEGER: active(1)

     Example 4: Testing the Configuration

     Test the preceding setup by verifying access: read an
     object in the system group, then an object outside that
     range. Note the use of the user name my_user_2.

     snmpget -mALL -v 3 -u my_user_2 -l authPriv -a MD5
             -A my_password -x DES -X my_password localhost sysObjectID.0

     When you try to access an object outside the access range,
     the attempt fails with an appropriate error:

     snmpgetnext -mALL -v 3 -u my_user_2 -l authPriv -a MD5
             -A my_password -x DES -X my_password localhost ifTable

         RFC1213-MIB::ifTable = No more variables left in this MIB View (It is
             past the end of the MIB tree)
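     The decision the agent makes in Example 4, as an added Python
     model that is not part of this man page, Solaris, or Net-SNMP.
     It implements the RFC 3415 access check that the createSec2Group,
     createView and createAccess entries above configure: map
     (MODEL, SECURITYNAME) to a group, pick the access entry whose
     context, security model and minimum security level fit the
     request, choose the read, write or notify view, and test the
     OID against the view's subtree/mask families. The class and
     function names (ViewFamily, AccessEntry, Vacm, in_view,
     is_access_allowed, vacm_from_man_page, mask_demo) are the
     example's own; its tables are constructed in memory to match
     what Examples 1 to 3 create, the RFC's "any" security model (0)
     is left out, and mask_demo goes beyond the page's all-ones mask
     FF to show how a 0 bit in MASK turns a sub-identifier into a
     wildcard.

```python
# Model of the VACM access decision (RFC 3415) that snmpvacm configures.
# Added example, not Solaris or Net-SNMP code; tables mirror Examples 1-3.
from dataclasses import dataclass
from typing import Dict, List, Tuple

NOAUTHNOPRIV, AUTHNOPRIV, AUTHPRIV = 1, 2, 3   # SECURITYLEVEL values (1 < 2 < 3)
EXACT, PREFIX = 1, 2                          # CONTEXTMATCH values
USM = 3                                       # MODEL value for USM
OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'.1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)."""
    return tuple(int(p) for p in text.strip(".").split(".") if p)


@dataclass(frozen=True)
class ViewFamily:
    """One createView row: SUBTREE, MASK (from a hex string), included/excluded."""
    subtree: OID
    mask: bytes
    included: bool = True   # False when createView was run with -Ce

    def mask_bit(self, i: int) -> bool:
        # Bits past the end of a short mask count as 1 (RFC 3415): "FF" on a
        # 7-sub-identifier subtree makes every sub-identifier significant.
        byte, bit = divmod(i, 8)
        return byte >= len(self.mask) or bool(self.mask[byte] & (0x80 >> bit))

    def matches(self, oid: OID) -> bool:
        # The OID must be at least as long as the subtree; sub-identifiers with
        # mask bit 1 must be equal, and mask bit 0 makes them wildcards.
        return len(oid) >= len(self.subtree) and all(
            not self.mask_bit(i) or oid[i] == self.subtree[i]
            for i in range(len(self.subtree)))


def in_view(view: List[ViewFamily], oid: OID) -> bool:
    """The matching family with the longest subtree (tie: lexicographically
    greatest subtree) decides whether the OID is in the view."""
    hits = [f for f in view if f.matches(oid)]
    return bool(hits) and max(hits, key=lambda f: (len(f.subtree), f.subtree)).included


@dataclass(frozen=True)
class AccessEntry:
    """One createAccess row, fields in the order the synopsis lists them."""
    group: str
    context_prefix: str
    model: int
    level: int
    context_match: int
    read_view: str
    write_view: str
    notify_view: str


@dataclass
class Vacm:
    sec2group: Dict[Tuple[int, str], str]   # (MODEL, SECURITYNAME) -> GROUPNAME
    views: Dict[str, List[ViewFamily]]      # view NAME -> its families
    access: List[AccessEntry]

    def is_access_allowed(self, model: int, sec_name: str, level: int,
                          context: str, view_type: str, oid: str) -> Tuple[bool, str]:
        """(allowed, reason) using the RFC 3415 reason names; the RFC's 'any'
        security model (0) is not modelled here."""
        group = self.sec2group.get((model, sec_name))
        if group is None:
            return False, "noGroupName"
        candidates = [a for a in self.access
                      if a.group == group and a.model == model
                      and a.level <= level          # entry level is a minimum
                      and (context == a.context_prefix if a.context_match == EXACT
                           else context.startswith(a.context_prefix))]
        if not candidates:
            return False, "noAccessEntry"
        # Among several matches prefer exact context, then higher level, then longer prefix.
        entry = max(candidates, key=lambda a: (a.context_match == EXACT, a.level,
                                               len(a.context_prefix)))
        name = {"read": entry.read_view, "write": entry.write_view,
                "notify": entry.notify_view}[view_type]
        if not name:                                # "" means no view configured
            return False, "noSuchView"
        if not in_view(self.views.get(name, []), parse_oid(oid)):
            return False, "notInView"
        return True, "accessAllowed"


def vacm_from_man_page() -> Vacm:
    """Constructed tables equal to what Examples 1-3 create on the agent."""
    return Vacm(
        sec2group={(USM, "my_user_2"): "my_group"},
        views={"my_view": [ViewFamily(parse_oid(".1.3.6.1.2.1.1"), bytes.fromhex("FF"))]},
        access=[AccessEntry("my_group", "", USM, AUTHPRIV, EXACT, "my_view", "", "")])


def mask_demo() -> Dict[str, bool]:
    """Beyond the page's all-ones mask: subtree ifDescr.3 with mask FFA0 makes the
    10th sub-identifier (the column) a wildcard while pinning interface index 3."""
    view = [ViewFamily(parse_oid(".1.3.6.1.2.1.2.2.1.2.3"), bytes.fromhex("FFA0"))]
    probes = [".1.3.6.1.2.1.2.2.1.2.3",   # ifDescr.3: every significant id equal
              ".1.3.6.1.2.1.2.2.1.5.3",   # ifSpeed.3: column is wildcarded
              ".1.3.6.1.2.1.2.2.1.2.4",   # ifDescr.4: pinned index differs
              ".1.3.6.1.2.1.2.2.1.2"]     # ifDescr column: shorter than the subtree
    return {p: in_view(view, parse_oid(p)) for p in probes}
```

     With these tables, a read of sysObjectID.0 (.1.3.6.1.2.1.1.2.0)
     by my_user_2 at authPriv is allowed, a read of ifTable
     (.1.3.6.1.2.1.2.2) is refused as notInView, a write is refused
     as noSuchView because WRITEVIEWNAME is empty, and a request at
     authNoPriv finds no access entry because SECURITYLEVEL is a
     minimum. Example 4's snmpgetnext reports "No more variables
     left in this MIB View" rather than a per-OID error because the
     agent searches for the next object inside the view and finds
     none.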

EXIT STATUS
     0

         Successful completion.



     1

         A usage syntax error. A usage message displays. Also
         used for timeout errors.



     2

         An error occurred while executing the command. An error
         message displays.


ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWsmcmd                   |
    |_____________________________|_____________________________|
    | Interface Stability         | Stable                      |
    |_____________________________|_____________________________|


SEE ALSO
     snmpusm(1M), snmpwalk(1M), snmpd.conf(4), attributes(5)

     RFC 3415

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.