HP T9576G06, T9576H01 Management Manual

Page 1

SNMP Configur ation and Management Manual

Abstract

This manual describes how to install, start, configure, and stop the HP Simple Network Management Protocol (SNMP) Agent and subagents. The SCF commands used by SNMP are described. This manual also discusses the objects in the Management Information Bases (MIBs) used by the agent and subagents. The SNMP Agent and its subagents comply w ith SNM P Requ est s for Comm ent (R F Cs) so that SNM P-comp l iant management applications, known as SNMP managers, can manage various resou rces on an HP NonStop™ host.

Product Version

SNMP Agent (T9576G06), T9576H01)

Supported Release Version Updates (RVUs)

This manual supports the G06.24 RVU and all subsequent G-series RVUs and the H06.03 RVU and all subsequent H-series RVUs until otherwise indicated by its replacement publication.

Part Number Published

424777 -006 July 20 05

Page 2

Document History

Part Number Product Version Published

424777- 002 SNMP Ag ent (T9576G06) May 2002 424777- 003 SNMP Ag ent (T9576G06) November 2002 424777- 004 SNMP Ag ent (T9576G06) December 2003 424777- 005 SNMP Ag ent (T9576G06) Septem ber 2004 424777- 006 SNMP Ag ent (T9576G06, T9576 H 01) July 2004

Subagent Product Versions IPX/SPX Sub agent (T8170D30)

TCP/IP Subagent (T7862G05) Ethernet/Token Ring Subagent (T0326G06) Trap Multiplexer (T1041G06) NonStop NET/MASTER Trap Subagent (T8491D20) EMS Trap Subagent (T9632D31) Host Resources Subagent (T8496G04) ONS Subagent (T8103D40)

Page 3

Hewlett-Packard Company—424777-006

SNMP Configuration and Management Manual

Glossary Index Examples Figures Tables

What’s New in This Manual xxiii

Manual Information xxiii New and Changed Information xxiv

About This Manual xxv

Your Comments Invited xxv Audience xxv Purpose xxvi Organization xxvi Related Reading xxviii Notation Conventions xxviii

Part I. Installing and Configuring SNMP

1. The NonStop SNMP Environment

Subsystem Components 1-4

SNMP Manager Station 1-4 SNMP Manager 1-5 PDU 1-5 MIB 1-5 SNMP Agent 1-5

SNMP Subagent 1-6 Toolkits 1-6 Message Protocol 1-6

General SNMP Message Format 1-7

Request PDUs 1-7

Response PDU 1-8

Trap PDU 1-8

Transmitting and Receiving SNMP Packets 1-8 Information Protocol 1-9

SNMP Naming Scheme 1-10

The Management Information Base 1-12

Page 4

Contents

SNMP Configuration and Management Manual—424777-006

1. The NonStop SNMP Environment (continued)

Traps 1-14 Architectural Overview of NonStop SNMP 1-14 RFC Compliance 1-17 Related Documents 1-18

2. Installing and Configuring the SNMP Agent

Installation 2-1 Before You Configure the SNMP Agent Operations Environment 2-1 Initialization Tasks 2-3 The Default SNMP Agent 2-3 The SNMPCTL File 2-6 Configure the SNMCTL File to Control the SNMP Agent 2-6 RUN Command 2-7

Special Considerations for Users of Logical Network Partitions (LNPs) 2-12

Startup Parameter Summary 2-13

WARM | COLD Custom Configuration Parameters for the RUN Command 2-14

The SNMPCTL File and TRAPPORT 2-16 PARAM Statements’ Custom Configuration for the RUN Command 2-16 Using SCF to Configure Components of the SNMP Agent Environment 2-16

SNMP Agent Process 2-16

Security 2-16

Request/Response Connections 2-17

Trap Connections 2-17

Trap Por t 2-17 Configuring the SNMP Agent Through SNMP Requests 2-17

Request/Response Connections 2-17

Trap Connections 2-17

Authentication Table Entries 2-17

Managing Configuration Definitions Through SNMP 2-18 Single-Node and Multiple-Node Scenarios 2-19 Starting Multiple SNMP Agents on Each Node 2-23 Stopping the SNMP Agent 2-24 Configuring the EMS Collector 2-25

Using the COLLECTOR Startup Parameter 2-26

Using the SCF ALTER PROCESS Command 2-26 Configuring Security 2-26

Authenticating Requests Received Over TCP/IP 2-26

Authenticating Requests Received Using the IPC Interface 2-31

Page 5

Contents

SNMP Configuration and Management Manual—424777-006

iii

2. Installing and Configuring the SNMP Agent (continued)

After a Request Has Been Authenticated 2-31 Security Scenarios for SNMP Managers Using TCP/IP 2-32

Configuring TCP/IP Request/Response Connections 2-34

Single-Agent Connections 2-35 Multiple-Agent Connections 2-35 Remote Connections 2-37

Configuring Trap Destinations 2-38

Dynamically Generated Trap Destinations 2-40 Forwarding Traps to Managers Communicating Through IPC 2-41 Disabling the Sending of Traps 2-41 Single-Host Connections 2-42 Multiple-Host Connections 2-43

3. MIBs Supported by th e SNMP Agent

SNMP Agent MIB Groups 3-1 RFC Compliance 3-2 Installation 3-2 System Group 3-3

MIB Objects 3-3 RFC Compliance 3-5

SNMP Group 3-6

MIB Objects 3-7 RFC Compliance 3-10

zagInternal Group 3-10

MIB Objects 3-11 SNMP Manager Access to Private MIB Objects 3-20 Table Row Management Overview 3-22 Managing Table Rows From SNMP Managers 3-24

Creating a Table Row 3-28

Default Values for Table Row Objects 3-29

Activating Table Row Entries 3-29

Deactivating Table Row Entries 3-30

Modifying Table Row Entries 3-30

Deleting a Table Row 3-30 Configuring the SNMP Agent Through SNMP Requests 3-30

Request/Response Connections 3-30

Trap Connections 3-30

Authentication Table Entries 3-31

Page 6

Contents

SNMP Configuration and Management Manual—424777-006

4. Introduction to SCF for the SNMP Agent

Part II. SCF for the SNMP Agent

4. Introduction to SCF for the SNMP Agent

Tasks You Can Perform With SCF 4-1 SCF and the DSM Family of Products 4-2

Subsystem Programmatic Interface 4-2

The Subsystem Control Point 4-2 Objects 4-3

Object Attributes 4-3

Object Hierarchy 4-4

Object States 4-4 The PROCESS O bject 4-5

Naming Conventions: PROCESS Object 4-5

PROCESS Object States 4-6

PROCESS Object Attributes 4-6

Default PROCESS Object 4-6 The ENDPOINT Object 4-8

Naming Conventions: ENDPOINT Object 4-8

ENDPOINT Object States 4-9

ENDPOINT Object Attributes 4-10

Default ENDPOINT Object 4-10 The PROFILE Object 4-12

Naming Conventions: PROFILE Object 4-12

PROFILE Object States 4-14

PROFILE Object Attributes 4-14

Default PROFILE Object 4-14 The TRAPDEST Object 4-16

Naming Conventions: TRAPDEST Object 4-16

TRAPDEST O bject States 4-17

TRAPDEST Object Attributes 4-18

Default TRAPDEST Objects 4-18

SCF-Configured Trap Destination Limitations: Broadcast Only 4-19 Running SCF 4-21 Entering SCF Commands 4-21

SCF Commands for Managing Your SCF Session 4-21

SCF Commands for Managing a Subsystem 4-22

Sensitive and Nonsensitive Commands 4-23

Command Modifiers 4-23

Entering Multiple Commands at a Prompt 4-23

Page 7

Contents

SNMP Configuration and Management Manual—424777-006

4. Introduction to SCF for the SNMP Agent (continued)

Continuing a Command to the Next Line 4-23

Directing Output to a File 4-24 Error Messages 4-24 SCF Online Help 4-24

Displaying Help for NonStop Agent SCF Commands 4-24

Displaying Help for SCF Error Messages 4-25 SCF Information Specific to the NonStop Agent 4-25

The SCF Product Module for the NonStop Agent 4-26

Before You Can Issue SCF Commands Against the NonStop Agent 4-26

SCF Configuration and the TCPIP^PROCESS^NAME Startup Parameter 4-27

5. SCF Commands for the SNMP Agent

Configuration Restrictions: Attribute Conflicts 5-2 ABORT Command 5-3

ABORT ENDPOINT Command 5-3

ABORT PROFILE Command 5-4

ABORT TRAPDEST Command 5-5 ADD Command 5-5

ADD ENDPOINT Command 5-6

ADD PROFILE Command 5-8

ADD TRAPDEST Command 5-10 ALTER Command 5-13

ALTER ENDPOINT Command 5-13

ALTER PROCESS Command 5-15

ALTER PROFILE Command 5-16

ALTER TRAPDEST Comman d 5-17 DELETE Command 5-19

DELETE ENDPOINT Command 5-19

DELETE PROFILE Command 5-19

DELETE TRAPDEST Command 5-20 INFO Command 5-21

INFO ENDPOINT Command 5-21

INFO PROCESS Command 5-22

INFO PROFILE Command 5-23

INFO TRAPDEST Command 5-24 NAMES Command 5-25 START Command 5-26

START ENDPOINT Command 5-26

Page 8

Contents

SNMP Configuration and Management Manual—424777-006

5. SCF Commands for the SNMP Agent (continued)

START PROFILE Command 5-26 START TRAPDEST Command 5-27

ST ATUS Command 5-28

STATUS ENDPOINT Command 5-28 STATUS PROCESS Command 5-29 STATUS PROFILE Command 5-30 STATUS TRAPDEST Command 5-31

STOP Command 5-32

STOP ENDPOINT Command 5-33 STOP PROFILE Command 5-33

STOP TRAPDEST Co mmand 5-34 TRACE Command 5-35 VERSION Comm and 5-37

Part III. Troubleshooting

6. SNMP Agent PTrace Facility

Introduction to PTrace 6-1 Running PTrace 6-3

Starting a Noninteractive PTrace Session 6-3

Starting an Interactive PTrace Session 6-4 Device Type 6-4 PTrace Commands 6-4

PTrace Commands Supported by the NonStop Agent 6-5

PTrace Commands Not Supported by the NonStop Agent

6-5

Subset of Useful NonStop Agent PTrace Commands

6-5

FROM Command 6-6 NEXT Command 6-7 RECORD Command 6-9 SELECT Command 6-10

7. Troubleshooting the SNMP Agent

Troubleshooting Strategy 7-1 Diagnosing Startup Errors 7-1 Identifying Unavailable Resour ces 7-2

Underlying Request/Response Connection Resources 7-2 Underlying Trap Destination Resources 7-2

Using EMS Filters 7-2

Page 9

Contents

SNMP Configuration and Management Manual—424777-006

vii

7. Troubleshoot ing the SNMP Agen t (continued)

7. Troubleshooting the SNMP Agent (continued)

Creating a Filter 7-3 Compiling the Filter 7-4 Displaying Filtered Event Messages 7-4

Using Trace Records 7-4

TCP/IP 7-5 SNMP Agent 7-5

Diagnosing Request Errors 7-6

Part IV. SNMP Subagents

8. TCP/IP Subagent

Architectural Overview 8-1

The TCP/IP Subagent and Its Managed Resources 8-4 The NonStop TCP/IP Subagent and the SNMP Agent 8-4 The Parallel Library TCP/IP Subagent and Its Managed Resources 8-4 The NonStop TCP/IPv6 Subagent and its Managed Resources 8-5 Standard MIB-II Groups Supported by the TCP/IP Subagent 8-5 Private MIB Objects Supported by the TCP/IP Subagent 8-7 MIB Value Derivation 8-7 Unavailable Resources 8-8 Reporting Values for Uninstrumented Objects 8-8 Refreshing MIB Values 8-9

Initiating Backup Process Takeover 8-10 Related Documents 8-11 RFC Compliance

8-11

Installing the TCP/IP Subagent

8-11

Installation Steps 8-11 Before Starting the TCP/IP Subagent 8-12 Starting the TCP/IP Subagent 8-12 Stopping the TCP/IP Subagent 8-16 Configuring a Running TCP/IP Subagent 8-16

Querying a Running TCP/IP Subagent 8-16

Controlling a Running TCP/IP Subagent 8-17 ZTSA MIB Objects 8-20

State Object/Resource Object Pairs 8-28 Interfaces Group 8-30

MIB Objects 8-31

Page 10

Contents

SNMP Configuration and Management Manual—424777-006

viii

8. TCP/IP Subagent (continued)

RFC Compliance 8-38

ifTable Maintenance 8-38 IP Group 8-40

MIB Objects 8-41

RFC Compliance 8-48

ipAddrTable Maintenance 8-50

ipRouteTable Maintenance 8-50

ipNetToMediaTable Maintenance 8-51 ICMP Group 8-51

MIB Objects 8-52

RFC Compliance 8-55 TCP Group 8-56

MIB Objects 8-57

RFC Compliance 8-60

tcpConnTable Maintenance 8-61 UDP Group 8-61

MIB Objects 8-62

RFC Compliance 8-63

udpTable Maintenance 8-63 Traps Generated by the TCP/IP Subagent 8-64 EMS Support 8-64

Data Definitions 8-67

Subsystem ID 8-68

Tokens in ZTSA Event Messages 8-68

Event Message Descriptions 8-70

1001: ZTSA-EVT-SUBAGENT-AVAIL 8-70

1002: ZTSA-EVT-SUBAGENT-UNAVAIL 8-72

1003: ZTSA-EVT-AGENT-OBJ-AVAIL 8-75

1004: ZTSA-EVT-AGENT-OBJ-UNAVAIL 8-77

1005: ZTSA-EVT-BACKUP-OBJ-AVAIL 8-79

1006: ZTSA-EVT-BACKUP-OBJ-UNAVAIL 8-82

1007: ZTSA-EVT-EMSCOLL-OBJ-AVAIL 8-85

1008: ZTSA-EVT-EMSCOLL-OBJ-UNAVAIL 8-87

1009: ZTSA-EVT-TCPIP-OBJ-AVAIL 8-90

1010: ZTSA-EVT-TCPIP-OBJ-UNAVAIL 8-92

1011: ZTSA-EVT-OUT-OF-MEMORY 8-95

1012: ZTSA-EVT-INTERNAL-FAULT 8-97

1013: ZTSA-EVT-CONFIGURATION-INVALID 8-99

Page 11

Contents

SNMP Configuration and Management Manual—424777-006

8. TCP/IP Subagent (continued)

1014: ZTSA-EVT-TAKEOVER-BY-BACKUP 8-101

1015: ZTSA-EVT-LANMON-OBJ-UNAVAIL 8-102

1022: ZTSA-EVT-PIFGETSTATUS-ERROR 8-103

1023: ZTSA-EVT-PIFGETATTR-ERROR 8-105

1039: ZTSA-EVT-LIFGETATTR-ERROR 8-106

1041: ZTSA-EVT-PIFGETSTATS-ERROR 8-108

Converting Events to Traps 8-109

9. EMS Trap Subagent

Architectural Overview 9-1 RFC Compliance 9-3 Installation 9-4

Dependencies 9-4

Installation Steps 9-4 Configuration 9-8

Event Filter 9-8

Trap Connections 9-9 Starting and Stopping the Subagent 9-9 The Trap PDU 9-10 The EMS Trap MIB 9-12

10. NonStop NET/MASTER Trap Subagent

Architectural Overview 10-1 RFC Compliance 10-3 Installation 10-3

Dependencies

10-3

Installation Steps

10-4

Configuration 10-9

Modifying GENTRAP 10-9

Trap Connections 10-13 Starting and Stopping the Subagent 10-13 The Trap PDU 10-14 The EMS Trap MIB 10-14 Messages 10-18

openagent Failures 10-18

sendtrap Failures 10-19

closeagent Failures 10-20

Page 12

Contents

SNMP Configuration and Management Manual—424777-006

11. Host Resources Subagent

Architectural Overview 11-1

Standard MIB Groups 11-1

MIB Extens ions 11-3

Proactive Hardware Manage ment 11-5

Refreshing MIB Values 11-5

MIB Value Management 11-6

Obtaining Information About the Subagent 11-6

Initiating Backup Process Takeover 11-7

Monitoring the Open System Services (OSS) File System 11-7

Related Reading

This manual has three companion manuals:

•

The SNMP Manager Programmer’s Guideexplains how to use the Manager Services Toolkit product to generate SNMP managers that run as NonStop Kernel processes in Guardian or HP NonStop Kernel Open System Services (OSS) environments.

•

The TCP/IP (Parallel Library) Configuration and Management Manual describes how to configure and manage the Parallel Library TCP/IP subsystem.

•

The TCP/IPv6 Configuration and Management Manual describes how to configure and manage the NonStop TCP/IPv6 subsystem.

•

The TC P/IP (P ar allel Librar y) Migr ati on Gu ide provid es in form ation ab out mi gr ating your NonSTop TCP/IP applications to the Parallel Library TCP/IP environment.

Throughout this manual, you will find references to RFCs. RFCs are documents that describe the Internet suite of protocols and related experiments. The Internet Architecture Board requires that protocols be documented in RFCs so that standards and ideas are widely accessible.

You can also obtain information about SNMP at libraries and book stores. Many excellent and up-to-date books are available.

Notation Conventions

Hypertext Links

Blue underline is used to indicate a hypertext link within text. By clicking a passage of text with a blue underline, you are taken to the location described. For example:

This requirement is described under SNMP Ag en t Process

on page 2-16.

General Sy ntax Not a tion

The following list summarizes the notation conventions for syntax presentation in this manual.

UPPERCASE LETTERS. Uppercase letters indicate keywords and reserved words; enter

these items exactly as shown. Items not enclosed in brackets are required. For example:

MAXATTACH

lowercase italic letters. Lowercase italic letters indicate variable items that you supply.

Items not enclosed in brackets are required. For example:

file-name

Page 31

About This Manual

SNMP Configuration and Management Manual—424777-006

xxix

General Syntax Notation

computer type. Computer type letters within text indicate C and Open System Services

(OSS) keywords and reserved words; enter these items exactly as shown. Items not enclosed in brackets are required. For example:

myfile.c

italic computer type. Italic computer type letters within text indicate C and Open

System Services (OSS) variable items that you supply. Items not enclosed in brackets are required. For example:

pathname

[ ] Brackets. Brackets enclose optional syntax items. For example:

TERM [\system-name.]$terminal-name INT[ERRUPTS]

A group of items enclosed in brackets is a list from which you can choose one item or none. The items in the list may be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:

FC [ num ] [ -num] [ text]

K [ X | D ] address-1

{ } Braces. A group of items enclosed in braces is a list from which you are required to

choose one item. The items in the list may be arranged either vertically, with aligned braces on each side of the list, or horizontally, enclosed in a pair of braces and separated by vertical lines. For example:

LISTOPENS PROCESS { $appl-mgr-name } { $process-name }

ALLOWSU { ON | OFF }

| Vertical Line. A vertical line separates alternatives in a horizontal list that is enclosed in

brackets or braces. For example:

INSPECT { OFF | ON | SAVEABEND }

… Ellipsis. An ellipsis immediately following a pair of brackets or braces indicates that you

can repeat the enclosed sequence of syntax items any number of times. For example:

M address-1 [ , new-value ]... [ - ] {0|1|2|3|4|5|6|7|8|9}...

An ellipsis imme diately fol lowing a single syntax item indi cates that you can repeat that syntax item any number of times. For example:

"s-char..."

Page 32

About This Manual

SNMP Configuration and Management Manual—424777-006

xxx

General Syntax Notation

Punctuation. Parentheses, commas, semicolons, and other symbols not previously

described must be entered as shown. For example:

error := NEXTFILENAME ( file-name ) ; LISTOPENS SU $process-name.#su-name

Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must enter as shown. For example:

"[" repetition-constant-list "]"

Item Spacing. Spaces shown between items are required unless one of the items is a

punctuation symbol such as a parenthesis or a comma. For example:

CALL STEPMOM ( process-id ) ;

If there is no space between two items, spaces are not permitted. In the following example, there are no spaces permitted between the period and any other items:

$process-name.#su-name

Line Spaci ng. If the syntax of a command is too long to fit on a single line, each

continuation line is indented three spaces and is separated from the preceding line by a blank line. This spacing distinguishes items in a continuation line from items in a vertical list of selections. For example:

ALTER [ / OUT file-spec / ] LINE [ , attribute-spec ]...

!i and !o. In procedure calls, the !i not ation fo llo ws an input parameter (o ne tha t pa sses dat a

to the called procedure); the !o notation follows an output parameter (one that returns data to the calling program). For example:

CALL CHECKRESIZESEGMENT ( segment-id !i , error ) ; !o

!i,o. In procedure calls, the !i,o notation follows an input/output parameter (one that both

passes data to the called procedure and returns data to the calling program). For example:

error := COMPRESSEDIT ( filenum ) ; !i,o

!i:i. In procedure calls, the !i:i notation follows an input string parameter that has a

corresponding parameter specifying the length of the string in bytes. For example:

error := FILENAME_COMPARE_ ( filename1:length !i:i , filename2:length ) ; !i:i

Page 33

About This Manual

SNMP Configuration and Management Manual—424777-006

xxxi

Notation for Messages

!o:i. In procedure calls, the !o:i notation follows an output buffer parameter that has a

corresponding input parameter specifying the maximum length of the output buffer in bytes. For example:

error := FILE_GETINFO_ ( filenum !i , [ filename:maxlen ] ) ; !o:i

Notation for Messages

The following list summarizes the notation conventions for the presentation of displayed messages in this manual.

Bold Text. Bold text in an example indicates user input entered at the terminal. For

example:

ENTER RUN CODE ?123 CODE RECEIVED: 123.00

The user must press the Return key after typing the input.

Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or

returned exactly as shown. For example:

Backup Up.

lowercase italic letters. Lowercase italic letters indicate variable items whose values are

displayed or returned. For example:

p-register process-name

[ ] Brackets. Brackets enclose items that are sometimes, but not always, displayed. For

example:

Event number = number [ Subject = first-subject-value ]

A group of items enclosed in brackets is a list of all possible items that can be displayed, of which one or none might actually be displayed. The items in the list might be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:

proc-name trapped [ in SQL | in SQL file system ]

{ } Braces. A group of items enclosed in braces is a list of all possible items that can be

displayed, of which one is actually displayed. The items in the list might be arranged

Page 34

About This Manual

SNMP Configuration and Management Manual—424777-006

xxxii

Notation for Management Programming Interfaces

either vertically, with aligned braces on each side of the list, or horizontally, enclosed in a pair of braces and separated by vertical lines. For example:

obj-type obj-name state changed to state, caused by { Object | Operator | Service }

process-name State changed from old-objstate to objstate { Operator Request. } { Unknown. }

| Vertical Line. A vertical line separates alternatives in a horizontal list that is enclosed in

brackets or braces. For example:

Transfer status: { OK | Failed }

% Percent Sign. A percent sign precedes a number that is not in decimal notation. The

% notation precedes an octal number. The %B notation precedes a binary number. The %H notation precedes a hexadecimal number. For example:

%005400 P=%p-register E=%e-register

Notation for Management Programming Interfaces

The following list summarizes the notation conventions used in the boxed descriptions of programmatic commands, event messages, and error lists in this manual.

UPPERCASE LETTERS. Uppercase letters indicate nam es from defi nition fi les; ente r these

names exactly as shown. For example:

ZCOM-TKN-SUBJ-SERV

lowercase letters. Words in lowercase letters are words that are part of the notation,

including Data Definition Language (DDL) keywords. For example:

token-type

!r. The !r notation following a token or field name indicates that the token or field is

required. For example:

ZCOM-TKN-OBJNAME token-type ZSPI-TYP-STRING. !r

!o. The !o notation following a token or field name indicates that the token or field is

optional. For example:

ZSPI-TKN-MANAGER token-type ZSPI-TYP-FNAME32. !o

Page 35

About This Manual

SNMP Configuration and Management Manual—424777-006

xxxiii

Change Bar Notation

Change bars are used to indicate substantive differences between this edition of the manual and the preceding edition. Change bars are vertical rules placed in the right margin of changed portions of text, figures, tables, examples, and so on. Change bars highlight new or revised information. For example:

The message types specified in the REPORT clause are different in the COBOL85 environment and the Common Run-Time Environment (CRE).

The CRE has many new message types and some new message type codes for old message types. In the CR E, the messa ge type S Y STEM incl udes all me ssages except LOGICAL-CLOSE and LOGICAL-OPEN.

Page 36

About This Manual

SNMP Configuration and Management Manual—424777-006

xxxiv

Change Bar Notation

Page 37

SNMP Configuration and Management Manual—424777-006

Part I. Installing and Configuring SNMP

Part I consists of the following sections, which give an overview of the SNMP agent and provide installation and configuration information:

Section 1 The NonStop SNMP Environment Section 2 Installing and Configuring the SNMP Agent

Page 38

Part I. Installing and Configuring SNMP

SNMP Configuration and Management Manual—424777-006

Page 39

SNMP Configuration and Management Manual—424777-006

1-1

The NonStop SNMP Environment

This section explains how HP has implemented SNMP to facilitate management of its HP NonStop systems by using SNMP-compliant applications known as managers.

SNMP originated in the Internet community in the late 1980s as a means for managing TCP/IP and Ethernet networks. Because of its relative simplicity, SNMP has gained widespread acceptance as a protocol for managing devices from multiple vendors on a network. Today, many vendors offer SNMP-compliant applications that run on several workstation platforms. These applications manage devices attached to various kinds of networks when the devices are instrumented with SNMP-compliant software known as SNMP agents.

Page 40

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-2

Figure 1-1. Default SNMP Agent/Manager Interaction Over TCP/IP

SNMP agent responds to requests and also sends unsolicited trap messages,

in which it includes the

community name "Tandem,"

to manager

Subagent-3

SNMP Manager

HP NonStop Kernel System

Compaq NonStop Kernel System

TCP/IP

Expand

Managed

Resources

SNMP Agent

Subagent-1

Subagent-2

Managed

Resources

Subagent retrieves information from

managed

subsystem

SNMP agent forwards

authenticated requests

to appropriate subagent

Subagent sends response and trap messages to

SNMP agent

Managed

Resources

Authentication Table

Entry Entry

. .

SNMP agent

sends events to

EMS collector

Legend

Trap messages

Request/response message

$ZTC0

VST999.vsd

Manager sends

requests for

information regarding

HP resources

SNMP agent authenticates GET and GETNEXT requests from "Public" community

Page 41

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-3

By default, the SNMP agent does the following:

•

Receives and sends SNMP messages through NonStop Kernel IPC calls or through any available subnet associated with the TCP/IP process $ZTC0 on the local node

•

Accepts any request received through TCP/IP that contains the community name “public,” and gives the “public” community READONLY access

•

Accepts any request received through the IPC interface and grants the requesting manager READWRITE access to all MIB objects supported by the SNMP agent and subagents except the SNMP agent’s private zagInProfile group objects

•

Sends traps through the TCP/IP process $ZTC0 to the Internet address associated with each SNMP manager from which a request is received; includes the community Tandem in the traps. $ZTC0 is on the local node. The SNMP manager must be using TCP/IP.

•

Sends the event messages that the SNMP agent generates to the EMS collector process $0 on the local node.

•

Forwards requests pertaining to managed resources other than those defined in the System and SNMP MIB-II groups to the appropriate subagent and returns responses back to the requesting manager. The SNMP agent processes the SNMP MIB-II groups.

Note. Objec t s in t he SNMP agent’s zagInProfile group (see Us ing SCF to Configure

Compo nents of the SN M P Agent Environment on page 2-16) are access ible only if the

process accessor ID (PAID) of the manager process is compatible with that of the agent process.

Page 42

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-4

Subsystem Components

Subsystem Component s

Following are descriptions of the subsystem components.

SNMP Manager Station

A device on which an SNMP manager runs.

Figure 1-2. Key Components in the SNMP Environment

PDU

MIB

Definitions

SNMP

Manager Station

Managed

Resources

System 2

Local Area Network

Wide Area

Network

SNMP

Manager Station

MIB

Definitions

Managed

Resources

System 1

System 3

Managed

Resources

MIB

Managed

Resources

MIB

Subagent

Managed

Resources

MIB

Subagent

MIBSNMP Agent

Subagent

SNMP Agent

MIB

VST010.vsd

Page 43

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-5

SNMP Manager

An application that automates the management of network elements (managed resources) under the control of one or more SNMP agents. HP provides an SNMP

agent on its NonStop systems, and other vendors provide SNMP agents on their devices. An agent communicates with a manager using the message and information protocol defined in public SNMP documents known as RFCs.

The SNMP manager sends requests to and receives responses from agent processes. Communication between managers and the SNMP agent occurs through the NonStop TCP/IP subsystem, the Parallel Library TCP/IP subsystem or the NonStop TCP/IPv6 subsystem. The NonStop TCP/IP, Parallel Library TCP/IP, and Nonstop TCP/IPv6 subsystems support both local area networks (LANs) and wide area networks (WANs) or, through calls to NonStop Kernel interprocess communication (IPC) procedures, either locally or over Expand, when the manager resides on NonStop Kernel systems.

PDU

Organization of messages exchanged between managers and agents. Protocol d ata units (PDUs), defined i n RF Cs, conduct specifi c ope ratio ns, such a s retr i eving a va lue,

changing a value, or sending unsolicited notifications, known as traps, to an SNMP manager. Message Protocol on page 1-6 provides more detail about the various kinds of PDUs.

MIB

Information exchanged between managers and agents. An MIB describes a collection of objects that can be managed. An example of an MIB object is the physical location of a node. MIBs ar e descr ib ed in a la nguag e know n a s Abst rac t Syntax Not atio n On e (ASN.1). Some MIBs are Internet MIBs defined in RFCs. Other MIBs are vendor defined.

SNMP agent s access and modi fy va lues for MIB obj ect s on behalf of SNMP managers. An SNMP manager can interpret MIB values when the SNMP manager has access to a compiled version of the ASN.1 MIB definition. For more about MIBs, see Information

Protocol on page 1-9.

SNMP Agent

A process that intercepts PDUs from an SNMP manager and responds to them with PDUs. The agent accesses information described in MIBs, either directly or through SNMP subagents. The SNMP agent acts as a server for any SNMP network management requester, providing information about HP resources. The SNMP agent supports two MIB-II groups (System and SNMP) defined by RFC 1213, Management Information Base for Network Management of TCP/IP-Based Internets: MIB-II, and a private group (zagInternal) that is defined by HP. For more information about how the

Note. H-series RVUs do not suport Parallel Library TCP/IP

Page 44

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-6

SNMP Subagent

SNMP agent is implemented, see Architectural Overview of NonStop SNMP on page 1-14.

SNMP Subagent

Entity used by HP (and other vendors), in their SNMP implementations. SNMP subagents handle a particular collection of resources. Some subagents are implemented as independent processes, and some are bound into other processes, such as the agent process. Some subagents, such as those shown in Figure 1-2, have their own MIBs. Other subagents might implement multiple MIBs, or even share a MIB with another subagent. Some subagents can reside on a system different from the agent’s system. For details about each subagent HP currently offers, refer to Part II,

SCF for the SNMP Agent of this manual.

Toolkits

HP offers a Subagent Toolkit that helps programmers generate subagents that interoperate with the SNMP agent. Subagents make customer-written NonStop applications manageable by SNMP managers. For more information about the Subagent Toolkit, refer to the SNMP Subagent Programmer’s Guide.

HP also offers a Manager Services toolkit that allows C and C++ programmers to create SNMP managers that run as NonStop Kernel processes in either the Guardian or in the Open System Services (OSS) environment. For information about Manager Services, refer to the SNMP Manager Programmer’s Guide.

Message Protocol

In an SNMP environment, agents and managers communicate through the exchange of three types of messages:

Each SNMP message contains a unit of information called a PDU. Five types of PDUs are supported by any SNMP agent:

•

GetRequest

•

GetNextRequest

•

SetRequest (request PDUs)

•

GetResponse (response PDU)

•

Trap PDU

The format of SNMP messages is summarized in Figure 1-3 and described in more detail in the following subsection.

Reques t m es s ages Sent by a ma nager to initiate an action by an agen t Response messages Sent by an agent to respond to a manager’s request Trap messag es Sent by a n agent to not ify a manager of th e oc c urrence o f

significan t ev ents

Page 45

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-7

General SNMP Message Format

Each PDU is embedd ed in a messa ge, or p acke t, beginn in g with a versi on numbe r and a community name. The version number identifies the version of SNMP being implemented; currently, this value is always 1 for NonStop SNMP messages. The community name identifies one or more SNMP managers; it is used for access control. Following the version and community identifiers is one of the five types of PDUs.

Request PDUs

The three kinds of request PDUs have the same format as the response PDU, but the error-status and error-index fields are always set to 0. The request-id uniquely identifies individual requests. Variable-bindings are a list of variable names and corresponding values.

Figure 1-3. Format of SNMP Messages

version community PDU

PDU type request-id 0 0 variable-bindings

PDU type request-id error-status error-index variable-bindings

PDU type enterprise

agent-

address

generic-

trap

specific-

trap

time-

stamp

variable-bindings

General SNMP Message Format

Format of GetRequest, GetNextRequest, and SetRequest PDUs

Format of GetResponse PDU

Format of Trap PDU

name-1 value-1 name-n value-n

Format of Variable Bindings

VST011.vsd

Page 46

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-8

Response PDU

The three request PDUs are:

•

GetRequest PDU. This PDU performs a Get operation. The Get operation retrieves a value of a MIB object.

•

GetNextRequest PDU. This PDU performs a GetNext operation. The GetNext operation retrieves the value of the object instance that is next in lexicographic order.

•

SetRequest PDU. This PDU performs a Set operation. The Set operation alters the value of a MIB object.

Response PDU

The function per form ed by a Ge tResp on se PD U is re ferr ed to as a n SNM P Response operation. The Response operation returns a response to the originator of a Get,

GetNext, or Set operation. The response operation contains a request-id that associates it with a request PDU. The response PDU provides such information as error indications and values of MIB objects. Error-status values are described in

Appendix C, Unsolicited SNMP Agent Messages.

Trap PDU

The function per form ed by a Trap PDU is re ferr ed to as an SNMP Trap operation. The Trap operation issues an unsolicited message to an SNMP manager to signal an important event. The enterprise field provides the SNMP agent object identifier or subagent object identifier; the object identifier for the SNMP agent is

1.3.6.1.4.1.16 9.3.15 5.1. ( Object i de ntifiers a re d escribed under Informa ti on Proto col on page 1-9 The agent-address field is the Internet address of the device on which the agent forwarding the trap is installed. The generic-trap and specific-trap fields characterize the trap as a par ticular kind of trap. Values for traps that originate from the SNMP agent are descr ibed in A ppend ix C, Unsolicited SNM P Agent Message s. Values for traps from subagents are described in Se ction 9, EMS Trap Subagen t.

Transmitting and Receiving SNMP Packets

SNMP managers convert user requests into SNMP messages, or packets, as illustrated in Figure 1-3 on page 1-7. The manager then encodes these SNMP packets into a format that can be transported to and decoded by the target agent.

IPC-Encoded and BER-En coded SNM P Packets

The SNMP agent can process SNMP packets encoded using the HP IPC format. The IPC format provides the best encoding and decoding performance on NonStop Kernel systems.

Page 47

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-9

Information Protoc ol

Also, all agents can interpret information encoded according to the basic encoding rules (BER) associated with ASN.1, which define how to encode an ASN.1 value as an octet string. BER-encoded packets can be transmitted over any transport protocol that the manager and target agent mutually support.

Transmission Protocols Supported by the SNMP Agent

IPC-encoded SNMP packets are transmitted and received through NonStop Kernel interprocess communication calls. The SNMP agent supports the interface, #MGR, through which an IPC communication path between an SNMP manager and a SNMP agent can be established.

The most widely supported transmission protocol for transmitting and receiving BERencoded SNMP packets is TCP/IP’s User Datagram Protocol (UDP). The SNMP agent supports the UDP protocol.

Differences in the way the SNMP agent handles requests received through the HP NonStop Kernel IPC and requests received through the UDP protocol are discussed

Section 2, Installing and Configuring the SNMP Agent and in Section 3, MIBs Supported by the SNMP Agent.

Information Protocol

The foundation of any network m anage ment system is a collection of infor matio n about the elements to be managed. In SNMP environments, this information is described by a MIB (Management Information Base). Each item in a MIB is known as a MIB object.

•

Internet-standard MIBs. These MIBs are approved by the Internet Architecture Board (IAB). MIB-I, MIB-II, and Remote Network Monitoring MIB. MIB-I is the original MIB for ma nagi ng TCP/IP- based interne ts. MIB -II is an exte nded ver si on of MIB-I and provides additional object definitions. Remote Network Monitoring MIB defines objects that manage remote network monitoring devices. Most MIB-II objects are supported by the TCP/IP Subagent; two MIB-II groups (System and SNMP) are supported by the SNMP agent. The Host Resources Subagent supports the standard Host Resources MIB, which is contained in the MIB-II subtree.

•

Experimental MIBs. These MIBs are used in Internet experiments.

•

Enterprise MIB s. These MIBs are vendor defined.

To promote interoperability, SNMP defines a standard scheme for naming all MIB objects.

Page 48

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-10

SNMP Naming Scheme

SNMP Nami ng Scheme

SNMP uses a hierarchical model to identify objects. Every object in an SNMP environment is identified by an object descriptor and an object identifier. Object descriptors are logical names. Object identifiers are expressed in numeric dot notation. For example, the System group of MIB-II is identified as:

system

1.3.6.1.2.1.1

As Figure 1-4 shows, an object identifier is a sequence of integers resulting from traversing a global tree. The object tree is composed of an unlabeled root connected to labeled nodes. Each node in turn can have subordinate nodes of its own. A node and its subordinate nodes make up a subtree. A node that has no subordinates is referred to as a leaf object.

Page 49

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-11

SNMP Naming Scheme

Figure 1-4. Nodes in the SNMP Object Tree

ccit (0) iso (1)

identified-organization (3)

dod (6)

internet (1)

directory (1) mgmt (2)

mib-II (1 )

system (1) interfaces (2) at (3) ip (4) icmp (5) tcp (6) udp (7) egp (8) cmot (9) transmission (10) snmp (11)

host (25) experimental (3) private (4)

enterprises (1)

tandem (169)

nonstopsystems (3)

tlam (19) tcp/ip (80) zsmp (155)

zsmpagent (1)

zagInternal (7)

zagInProcess (1) zagInEndpoint (2) zagInProfile (3) zagInTrapdest (4)

joint-iso-ccit (2)

1.3.6.1.2.1.1

object identifier =

VST012.vsd

object identifier =

1.3.6.1.4.1.169.3.155.1

Page 50

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-12

The Management Information Bas e

As Figure 1-4 indicates, MIB-II is described in the mgmt subtree. tandem has been assigned the value 169 in the enterprises subtree. In the tandem subtree, nonstopsystems has been assigned the number 3. The nonstopsystems subtree contains MIBs and subsystems defined by HP.

In the zsmp subtree of the nonstopsystems node, the SNMP agent subtree, zsmpagent, has been assigned the value 1. The object identifier for the SNMP agent is:

1.3.6.1.4.1.169.3.155.1

In the zsmpagent subtree, the zagInternal group (value of 7), encompasses the four subg roups (zagInProcess, zagInEndpoint, zagInProfile, and zagInTrapdest) that constitute the private portion of the SNMP agent’s MIB. The object identifier for this private MIB’s zagInternal group is:

1.3.6.1.4.1.169.3.155.1.7

Object identifiers not only identify organizations and their elements but also identify MIB objects. For example, the zagInTdHostAddr object from the zagInTrapdest group of the SNMP agent’s private MIB is:

1.3.6.1.4.1.169.3.155.1.7.4.2.1.4

The Management Information Base

Each MIB object is identified by an object descriptor and identifier. Sometimes MIB objects are divided into groups called object groups. Most items subordinate to MIB-II in Figure 1-4 are actually object groups. Examples are the UDP group, the Interfaces group, and the TCP group. Many of these groups are supported by the TCP/IP Subagent's MIB, as described in Section 8, TCP/IP Subagent.

Values for individual MIB objects can two forms:

•

Scalar. An object is assigned a scalar value when the object can have only one value. The length of time since the SNMP subsystem was brought up (sysUpTime) is an example of such an object.

•

Tabular. Some objects, such as TCP connections, can have multiple values, each describing a single instance of the object. These object values are organized into tables. Each row in the table represents information about a single object instance. A row in a table is referred to as an entry.

Each MIB object has an access attribute. This attribute determines the kind of access SNMP managers have to values of the object.

read-only The value can be retrieved but not modified. read-write The value can be both retrieved and modified. write-only The value can be modified but not retrieved. not-accessible The value cannot be retrieved or modified.

Page 51

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-13

The Management Information Bas e

In this manual, descriptions of MIB objects are normally provided in tables with four columns (in some instances, the third and fourth columns have been combined). This excerpt from the table describing the System grou p obj ect s in the S NMP agen t’s MIB is followed by a description of each column.

For a description of the objects in the SNMP agent’s MIB, see Section 3, MIBs

Supported by the S NMP Agent . For d escri pt ions of the objects in each subag ent’ s MIB ,

see Part IV, SNMP Subagents, of this manual. When objects are organized into tables, the sections provide information about how the tables are created and maintained.

Table 1-1. System Group Objects Supported by SNMP Agent's MIB

Object and Attributes Definition Format of Value

Derivation of Value

sysContact

1.3.6.1.2.1.1.4 read-write DisplayString (SIZE (0..255))

Information describ ing the contact pe rs on for this node. This value is stored in SNMPCTL.

The default value is unknown.

Initially, the default value. Can be set from an authorized SNMP manager.

Column 1 The first column identifies the MIB object and lists its attributes. This

information appears for each object: its name (object descriptor), its numeric identifier (object identifier), its access attribute, and its ASN.1

syntax. Column 2 The second column defines what the object’s value means. Column 3 The third column describes the format of the value. Column 4 The fourth column indicates how the value was derived.

Page 52

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-14

Traps

Traps are unsolicited messages forwarded by an agent to SNMP managers when significant events occur. Some traps and their contents are defined by the SNMP standards. Other traps are proprietary. Traps that the SNMP agent supports are defined in Part 3, MIBs Supported by the SNMP Agent. Traps that subagents offered by HP generate are described in Part IV, SNMP Subagents.

The SNMP agent can be configured to send traps to one or more specific SNMP managers. You can also suppress traps altogether.

Architectural Overview of NonStop SNMP

Figure 1-5 illustrates how the SNMP agent interacts with NonStop system and network

elements to provide SNMP support:

•

The SNMP agent communicates with the remote SNMP managers through the TCP/IP subsystem and these underlying subsystems:

X.25 Access Method (X25AM) The X25AM subsystem supports WAN data communications over an X.25

packet-switching network and is supported on G-series and H-series RVUs of the NonStop Kernel.

ServerNet LAN Systems Access (SLSA) subsystem The SLSA subsystem supports parallel LAN I/O on systems that implement

ServerNet.

•

The SNMP agent authenticates requests as it receives them using the scheme described in Section 2, Installing and Configuring the SNMP Agent.

•

The SNMP agent uses the Subsystem Programmatic Interface (SPI) protocol to send event messages to an Event Management Service (EMS) collector. Refer to

Appendix C, Unsolicited SNMP Agent Messages

, for a description of event

messages originating from the SNMP agent and to Part IV, SNMP Subagents

for

events from subagents.

•

Most of the MIB-II groups are supported by the TCP/IP Subagent (see Section 8,

TCP/IP Subagent), which supports the management of TCP/IP resources. Tw o

MIB-II groups (System and SNMP) are supported by the SNMP agent. (See

Section 3, MIBs Supported by the SNMP Agent.)

•

The SNMP agent also supports a private MIB (zagInternal group) that describes attributes of the SNMP agent process and defines the resources the SNMP agent

•

uses. These private MIB objects are defined by HP and are used to control the configuration and operation of the SNMP agent.

Page 53

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-15

Architectural Overview of NonStop SNMP

•

The SNMP agent uses Interprocess Communication (IPC) messages to communicate with independent subagents about the resources they manage. Subagents can reside on the same node as the SNMP agent or on different nodes. Each SNMP agent can support one instance of any particular subagent.

•

The SNMP control file (SNMPCTL) contains configuration parameters for the SNMP agent.

•

When the primary SNMP agent process is active, it writes trace records to the file ZZSMPTRP. When the backup process becomes active, it writes to the file ZZSMPTRB.

Page 54

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-16

Architectural Overview of NonStop SNMP

Figure 1-5. NonStop SNMP Architecture

SNMP

Manager Station

Local Area Network

Wide Area

Network

TCP/IP

($ZTC0)

Legend

IPC messages

SNMP request/response m essages SNMP traps

NSK operations

SNMP Agent

Independent

SNMP

Subagents

SNMPCTL

ZZSMPTRP

ZZSMPTRB

EMS

Collector

SNMP

Manager Station

MIB

SNMP

Manager

VST013.vsd

Page 55

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-17

RFC Compliance

The NonS top SNM P impleme nt ation compl ies wi th stand ards and guidel ine s publishe d in these RFCs:

•

RFC 1155, Structure and Identification of Management Information for TCP/IP-Based Internets. This document describes MIB naming conventions,

syntax, and other MIB object characteristics.

•

RFC 1157, A Simple Network Management Protocol (SNMP). This document describes the SNMP architecture and message protocol.

•

RFC 1212, Concise MIB Definitions. This document describes the ASN.1 conventions used to define SNMP MIBs.

•

RFC 1213, Management Information Base for Network Management of TCP/IP-Based Internets: MIB-II.

•

RFC 1215, A Convention for Defining Traps for Use With the SNMP. This document describes ASN.1 conventions for defining traps.

The degree to which subagents comply with MIB object definitions in RFCs is often documented in this manual in three-column tables. For example, the following excerpt from a table describes how the TCP/IP Subagent's MIB complies with IP group definitions in RFC 1213 and is followed by an explanation of each column in the table.

Table 1-2. Compliance With IP Group Definitions in RFC 1213

Object Descriptor Compliance Explanation

ipForwarding Partial Set operation not supported

Column 1 The first column lists the object descriptor. Column 2 The second column cont ai ns one of thr ee va lues i ndica ting th e deg ree to

which implementation of the object complies with RFC guidelines. “Yes”

indicates full compliance. “Partial” indicates some but not full

implementation of the object. “No” indicates no support for the object. Column 3 The third column provides comments that explain deviations and other

special behavior relative to the object.

Page 56

The NonStop SNMP Environment

SNMP Configuration and Management Manual—424777-006

1-18

Related Documents

The RFCs listed earlier and in other sections of this manual are public-domain documents that you can obtain from InfoWay or from one of the following sources:

•

DDN Network Information Center 14200 Park Meadow Drive, Suite 200 Chantilly, VA 22021 USA phone: 1-800-365-3642 mail: nic@nic.ddn.mil

•

The Internet. If your site has IP-co nnectivi ty to the Intern et comm unity, you can use anonymous FTP to the host nic.ddn.mil (residing at 192.112.36.5) and retrieve files from the directory

rfc/

•

Electronic mail. Send a message to

mail-server@nisc.sri.com

In the subject field, indicate the RFC number:

Subject: SEND rfcs/rfc1130.txt

Page 57

SNMP Configuration and Management Manual—424777-006

2-1

Installing and Configuring the SNMP Agent

The section tells you how to install, start, and stop the SNMP agent and how to configure the following:

•

SNMPCTL file (The SNMPCTL File o n page 2-6)

•

Multiple SNMP agents per node Starting Multiple SNMP Agents on Each Node on page 2-23)

•

EMS collector (Configuring the EMS Collector on page 2-25)

•

Security (Configuring Security on page 2-26)

•

TCP/IP request/response connections (Configuring TCP/IP Request/Response

Connections on page 2-34)

•

Trap destinations (Configuring Trap Destinations on page 2-38)

Installation

The SNMP agent is delivered ready to be installed and started without any custom configuration.

You install the SNMP agent using the Distributed Systems Management/Software Configuration Manager DSM/SCM product. The SNMP agent program file is installed on your system as:

$SYSTEM.SYSTEM.SNMPAGT

Refer to the DSM/SCM User’s Guide for complete software installation information. The device type for the SNMP agent is 31.

Before You Configure the SNMP Agent Operations Environment

To configure SNMP you must get the following information from the person responsible for the SNMP agent and from the person responsible for the SNMP manager with

Note. For G-series or later releases of the NonStop Kernel, DSM/SCM replaces the Install program as the standard tool for installing and managi ng new software.

Page 58

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-2

Before You Configure the SNMP Agent Operations

Environment

which the SNMP agent communicates. This information you gather gives you an idea of the configuration you’ll need.

•

The type of access required by the SNMP managers that communicate through TCP/IP to resources managed by the SNMP agent and subagents

•

The Internet address and community name of any SNMP manager that communicates through TCP/IP for which you want to refine the default security scheme

•

The Internet address of any SNMP manager that expects to receive trap messages

•

The community name, if any, that the SNMP manager expects to see in trap messages received from the SNMP agent

•

The HP resources that the SNMP manager wants to manage

•

The Internet addresses by which the SNMP agent can be reached

•

The SNMP traps and MIB objects the SNMP agent and its subagents support and what they mean in the context of the NonStop environment

•

The community name that must be included in requests to the SNMP agent

•

The location of the NonStop system on which the SNMP agent resides

Note. The S N M P im plemen ta ti on supported by HP us es subagen t s to h andle various collections of resources. The HP resources the SNMP manager wants to manage determine the subagents to be installed. The subagents to which the SNMP agent forwards requests are installed, started, and configured separately from the SNMP agent. Definin g t he connect ion between the s ubagent a nd t he SNMP agent is part of the subagent’s configuration, not the SNMP agent’s configuration.

Page 59

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-3

Initializa t ion Tasks

Initialization Tasks

Before you begin to configure the SNMP agent you should understand what the SNMP agent does when it is started to give you an idea of the state of the SNMP agent in which you’ll be configuring. When you start the SNMP agent, it performs these initialization tasks:

•

Ensures that the SNMP agent is running as a named process. If you did not specify a name, TACL assigns one.

•

Ensures that the SNMP agent i s run ning w ith supe r user gr oup acce ss priv ileges, if the PORT startup parameter is port 161 (the standard SNMP port for receiving manager requests) or a port number less than 1023. If the port number is greater than 1023, the SNMP agent generates an EMS event stating that the SNMP agent must run under a super group creator accessor ID and stops running. Refer to the description of the POR T st ar tup p ar amete r (p ag e 2-10) for m ore information on this topic.

•

Opens any TCP/IP subnets configured for communications with SNMP managers. If no TCP/IP subnets are available, the agent process starts but generates socketerror and state-change EMS event messages.

•

Starts a backup process if you requested one.

•

Processes configuration information. Creates a trap destination definition (if none already exists) for the Internet address associated with any manager from which the SNMP agent receives a request through TCP/IP.

The Default SNMP Agent

When started without any customization, the SNMP agent:

•

Receives and sends SNMP messages through NonStop Kernel IPC calls or through any available subnet associated with the TCP/IP process $ZTC0 on the local node.

•

Accepts any request received through TCP/IP that contains the community name “public” and gives the “public” community READONLY access.

•

Sends traps through the TCP/IP process $ZTC0 on the local node to the Internet address associated with each SNMP manager communicating using TCP/IP from which a request is received. Includes the community “Tandem” in the traps.

Note. Objec t s in t he SNMP agent’s zagInProfile group (see SNM P Agent P rivate MIB

Objects on page 3-31) are ac c es s ible only if the pr oc es s ac c essor ID (PAID) of the

manager process is co m patible with that of th e agent process. See Authentication Table

Entries on page 3-31 for more details.

Page 60

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-4

The Default SNMP Agent

•

Sends event messages it generates to the EMS collector process $0 on the local node.

•

Forwards requests pertaining to managed resources other than those defined in the System and SNMP MIB-II groups (which the SNMP agent itself processes) to the appropriate subagent, and returns responses to the requesting manager.

The subagents to which the SNMP agent forwards requests are installed, started, and configured separately from the SNMP agent. Defining the connection between the subagent and the SNMP agent is part of the subagent’s configuration, not the SNMP agent’s configuration. SectionIV, SNMP Subagents, describes installing, starting, and configuring the subagents that HP supports.

Figure 2-1 illustrates the default SNMP agent operating in an SNMP network

management environment.

Page 61

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-5

The Default SNMP Agent

Figure 2-1. Default SNMP Agent/Manager Interaction Over TCP/IP

SNMP agent responds to requests and also sends unsolicited trap messages,

in which it includes the

community name "Tandem,"

to manager

Subagent-3

SNMP Manager

HP NonStop Kernel System

Compaq NonStop Kernel System

TCP/IP

Expand

Managed

Resources

SNMP Agent

Subagent-1

Subagent-2

Managed

Resources

Subagent retrieves information from

managed

subsystem

SNMP agent forwards

authenticated requests

to appropriate subagent

Subagent sends response and trap messages to

SNMP agent

Managed

Resources

Authentication Table

Entry Entry

. .

SNMP agent

sends events to

EMS collector

Legend

Trap messages

Request/response message

$ZTC0

VST999.vsd

Manager sends

requests for

information regarding

HP resources

SNMP agent authenticates GET and GETNEXT requests from "Public" community

Page 62

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-6

The SNMPCTL File

When started, the SNMP agent creates an SNMP control file (SNMPCTL) in the subvolume from which it is started. You control the SNMP agent by configuring the SNMPCTL file. If started using the TRACE startup parameter, the SNMP agent also creates two trace files (ZZSMPTRP and ZZSMPTRB) in the subvolume from which it is started.

Initially, the values shown in Table 2-1 are assigned to several objects in the SNMP agent's MIB. The SNMP agent’s MIB is described in detail in Section 3, MIBs

Supported by the SNMP Agent.

Configure the SNMCTL File to Control the SNMP Agent

Configure the SNMPCTL file in one of four ways:

•

RUN command parameters (RUN Command on page 2-7)

•

PARAM statements (PARAM Statements’ Custom Configuration for the RUN

Command on page 2-16)

Table 2-1. Initial Values of Objects in the SNMP Agent's MIB

MIB Object Initial Value System group objects:

sysDescr

Tandem NonStop Kernel System Version: Dxx Node: node-name Agent: agent-process-name

where Dxx is the product version of the SNMP agent; for

example, D23. sysObjectID 1.3.6.1.4.1.169.3.155.1 sysContact

"unknown"

sysName A name associated with the default TCP/IP process handling

communication between th e SN MP agent an d SNMP

managers. It is derived by a gethostname socket call against

the TCP/IP process specified in the

TCPIP^PROCESS^NAME s tartup parameter or, if none is

specified, against $Z T C 0 on the local no de. sysLocation

"unknown"

sysServices 7 9 SNMP group object:

snmpEnableAuthenTraps

1 (yes)

Page 63

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-7

RUN Command

•

The Subsystem Control Facility (SCF) (Using SCF to Configure Components of the

SNMP Agent Environment on page 2-16)

•

SNMP Set operations on SNMP agent private MIB objects (Configuring the SNMP

Agent Through SNMP Requests on page 2-17)

When the SNMP agent starts, it evaluates all startup parameters in this order:

1. A default value is assigned to every startup parameter.

2. PARAM statements are processed. Unrecognizable or erroneous parameters are ignored without comment.

3. Startup parameters in the RUN command line are pro cessed. With the exce ption of the SWAPVOL startup parameter, unrecognized or erroneous parameters cause the SNMP agent process to terminate. If you define a swap volume as anything other than a local disk, the SWAPVOL startup parameter is ignored, and a warning message is issued.

RUN Command

To start the SNMP agent, use the RUN command. No additional configuration beyond that provided through the RUN command startup parameters is required for the SNMP agent to receive and reply to SN MP reque sts so lel y throug h NonStop Ker nel IPC calls. However, even in this limited scope, additional configuration is required to allow the SNMP agent to forward traps to SNMP managers that communicate through NonStop Kernel IPC calls.

volume

identifies the volume on which the SNMP agent program file SNMPGT resides. You can omit the SNMP agent program if SNMPAGT resides on your current subvolume.

By default, when you install the SNMP agent, SNMPAGT is placed in $SYSTEM.SYSTEM.

subvolume

identifies the subvolume on which SN MPAGT re sides. You can omit the subvolume parameter if it is named in your TACL #PMSEARCHLIST.

Note. Yo u als o define som e components of the SNMP agen t configuration by using RUN line startup options, but these settings persist only as long as the agent process is running.

[RUN] [[$volume.]subvolume.]SNMPAGT / NAME [$agent-process] [,other-run-option]... / [startup-parameter [,startup-parameter]...]

Page 64

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-8

RUN Command

agent-process

identifies the agent process. You can specify one through five alphanumeric characters, but the first character must be alphabetic. HP recommends using $ZSNMP to identify an SNMP agent . If you are run ning mul tip l e SNMP agen ts on a single host (see Starting Multiple SNMP Agents on Each Node on page 2-23), HP recommends appending a digit: for example, $ZSNM0 and $ZSNM1.

If you don’t supply a value for agent-process at /NAME TA CL generates a name, because the SNMP agent must run as a named process. You need to know the name of the agent process to use SCF to configure the SNMP agent. You also need to know the name of the agent process to stop it. The SNMPCTL File and the

WARM Startup Parameter on page 2-14 tells you how to find out the name of the

agent process.

other-run-option

is any of the TACL RUN command options. Refer to the TACL Reference Manual for more information about these options. HP recommends using at least the NOWAIT option so you can resume TACL operations once the SNMP agent is started.

startup-parameter

is one of the following parameters that control attributes of the SNMP agent process. You can specify startup parameters either in the RUN command or through TACL PARAM statements issued before you issue the RUN command. F or more information on TACL PARAM statements, refer to PARAM Statements’

Custom Configuration for the RUN Command on page 2-16.

TRAPPORT trap-port-number |

Page 65

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-9

RUN Command

backup-cpu-number

specifies a backup process processor for a persistent agent process pair. The backup process monitors the primary process and takes over if the primary process fails. HP strongly recommends that you use this parameter.

This parameter should be an integer that identifies one of the processors on your system. By default, this parameter is omitted.

COLD | WARM

tells the SNMP agent what to do with the SNMP control file (SNMPCTL), if one exists, and where to get the SNMP configuration information. Every SNMP agent process stores configuration information and persistent MIB information in a file named SNMPCTL in the run subvolume.

COLD

instructs the SNMP agent to purge any SNMPCTL file in the run subvolume and crea te a n ew, empty SNM P file. To enable the SNMP ag ent to receive requests through TCP/IP, configure at least one ENDPOINT object. You can then complete your configuration either through SCF or through SNMP, as described in Part II, SCF for the SNMP Agent and in

Configuring the SNMP Agent Through SNMP Requests on page 2-17.

WARM

instructs the SNMP agent to use the SNMPCTL file in the run subvolume. If no SNMP file exists, the SNMP agent creates one and fills it with the default configuration values. WARM is the default value for this parameter.

COLLECTOR [$alternate-collector-process]

identifies the EMS collector to which the SNMP agent and its backup process send event messages. The default is $0 on the local node.

To suppress event messages, include this parameter with no value:

COLLECTOR

To send event messages to an alternate collector, identify the name of the collector process:

COLLECTOR $alternate-collector-process

After the SNMP agent is running, you can specify an alternate collector by using SCF. For more information, refer to Part II, SCF for the SNMP Agent.

If you specify a nonexistent alternate collector process name, event messages are suppressed.

Note. No ad dit ional configuration beyond that provided th rough the RUN command startup param et ers is required for the SNMP ag ent to receive SN M P requests solely through NonStop Kernel IPC calls.

Page 66

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-10

RUN Command

DATAPAGES pages [E[XTENSIBLE]]

specifies the amount of storage to allocate for general dynamic memory. Specify a value for pages that ranges from 0 to 65280, representing the

number of 2048-byte pages to be allocated. Including the keyword EXTENSIBLE makes the segment extensible. An

extensible data segment is one for which swap file extents are not allocated until needed. If you specify 0 pages, the SNMP agent allocates data pages dynamically as needed until one of the following conditions exists:

•

Approximately 4 megabytes are allocated.

•

The virtual memory limit is reached.

•

The underlying disk file space is unavailable.

The default value for this parameter is 2040 EXTENSIBLE. The default SNMP agent configuration uses about 1 megabyte of memory.

MAXOPENERS number-of-openers

specifies the total number of openers (including subagents, managers communicating through NonStop Kernel IPC calls, and SCF) that one SNMP agent process can simultaneously support. The default value is 20.

PORT request-port-number

specifies the port number to monitor for requests from managers communicating over TCP/IP. The default value is 161, the SNMP standard port for receiving requests. If a port number greater than 1023 is used, the agent process need not be associated with the super user group (255, n).

You can associate the SNMP agent process with the super user group in two says. From a TACL prompt:

•

Log on using a super group user ID before starting the SNMP agent.

•

Use the File Utility Program (FUP) to give ownership of the SNMP agent program file (SNMPAGT) to a super group user ID. Then secure SNMPAGT so that a user who does not have a super group user ID can execute SNMPAGT, and set the PROGID so that the owner ID of SNMPAGT is used as the creator accessor ID when the program is run. Refer to the File Utility Program (FUP) Reference Manual for more information.

SUBAGENT^TIMEOUT timeout-seconds

is the number of seconds the SNMP agent should wait before canceling a message to a subagent. The default is 3 seconds.

Page 67

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-11

RUN Command

SWAPVOL #disk-name

identifies the disk to use for swapping extended memory. Specify disk-name as an unqualified device name. Any qualification is

ignored. The default disk is the volume used for swapping the virtual data SNMP agent

processes, as specified by the optional SWAP run option. If you omit both the SWAPVOL startup parameter and the SWAP run option, the volume on which SNMPAGT resides is use d for b oth swapping and extende d mem ory swap ping, a situation that can result in insufficient available space.

TCPIP^PROCESS^NAME [$node.]$tcpip-process

specifies the default TCP/IP process to be used when request/response connection points and trap destinations are defined for the SNMP agent. Start the agent using the TCPSAM or TCP6SAM process name as input to this startup parameter only when the product is going to be run on Parallel Library TCP/IP or Nonstop TCP/IPv6.

The TCP/IP process is used as:

•

The default NETWORK attribute value for ENDPOINT objects created through SCF and the default zagInEpNetwork object value for zagInEndpointTable rows created through SNMP

•

The default NETWORK attribute for TRAPDEST objects created through SCF and the default zagInTdNetwork object value for zagInTrapdestTable rows created through SNMP

If you do not include the TCPIP^PROCESS^NAME startup parameter, the default TCP/IP process is $ZTC0 on the local node.

TRACE

enables tracing of the agent process if the backup process takes over. By default, tracing is not enabled.

When you enable tracing through TRACE, the SNMP agent creates a primary trace file (ZZSMPTRP) and a backup trace file (ZZSMPTRB) in the subvolume from which the primary trace file was started. To specify different trace file names, use a TACL DEFINE statement. For example:

ADD DEFINE =PRIMARY-TRACE-FILE, CLASS MAP, FILE $SYSTEM.SNMP.SNMPTRCP ADD DEFINE =BACKUP-TRACE-FILE, CLASS MAP, FILE $SYSTEM.SNMP.SNMPTRCB

For information about the DEFINE statement, refer to the TACL Reference Manual.

Use the TRACE startup parameter to enable tracing in the backup process. You can initiate tracing of the primary agent process by using the SCF TRACE command (as discussed in Section 7, Troubleshooting the SNMP Agent), but

Page 68

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-12

Special Considerations for Users of Logical Network

Partitions (LNPs)

tracing stops when the backu p process t akes over. The SCF trace file is closed and preserved when the backup process takes over.

TRAPPORT trap-port-number

specifies the trap port to send traps from the agent. If you do not specify this option, the default value for the trap port will remain 162.

Special Considerations for Users of Logical Network Partitions (LNPs)

Like NonStop TCP/IP, NonStop TCP/IPv6 allows you to restrict the connectivity of applications to particular subnets. However, T CP/IPv6 allows this through the creation of Logical Network Partitions (LNPs). The TCP/IPv6 Configuration and Management Manual gives a detailed explanation of how to create and use LNPs.

Each LNP is associated with a separate TCP6SAM process. Thus, each LNP on which you want to provide SNMP services requires that you run a separate instance of the SNMP Agent.

To provide SNMP services on one or more LNPs, you must issue a RUN command from a different subvolume for each of those LNPs.

For example, from within one subvolume, specify:

RUN $SYSTEM.SYSTEM.SNMPAGT / NAME $znm0 / & TCP^IP^PROCESS^NAME $zb03A

From within another, specify:

RUN $SYSTEM.SYSTEM.SNMPAGT / NAME $znm1 / & TCP^IP^PROCESS^NAME $zb01a

Note. If your RUN command does not specify a TCP6SAM process associated with a

particular LNP, an SMNP Agent has access only to the subnets comprising the Default Partition.

Page 69

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-13

Startup Parameter Summary

Table 2-2. Summary of Startup Parameters (page1of2)

Startup Parameter What the Parameter Defines Default Behavior

backup-cpu-number

The bac k up proces s C PU f or a persistent agent proc ess pair.

No parameter value is assign ed, and no ba ckup process is created.

COLD | WARM Which SNMPCTL file to use

while running.

If SNMPCTL exists in the run subv olume, tha t file is used. O th erwise, the

SNMP agent creates an

SNMP C T L fi le us ing the default configuration val ues.

COLLECTOR [

$alternate-collector-

process

]

The EMS collector to which to send event messages.

$0 on the local node .

DATAPAGES

pages

[E[XTENSIBLE]]

The amou nt of s to rage to allocate for use as general dynamic memory.

240 2048-byte pages, extensible.

MAXOPENERS

number-of-openers

The maximum number of openers the agent can support simultaneously.

20.

PORT

request-port-number

The port number to monitor for manager requests. If a po rt number greater than 10 23 is used, the

SNMP agent need

not run as a proc ess associated with the super user group (255, n).

161, th e SN M P s tandard port for re c eiv ing requests.

SUBAGENT^TIMEOUT

timeout-seconds

The number of seconds the agent sho uld wait before canceling a message to a subagent.

3 seconds.

SWAPVOL $

disk-name The dis k to us e f or s w apping

extended memory.

The volu m e used for swappi ng virt ual dat a.

Page 70

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-14

WARM | COLD Custom Configuration Parameters

for the RUN Command

WARM | COLD Custom Configuration Parameters for the RUN Command

The startup parameters COLD and WARM allow you to customize how the SNMP agent functions. For details about COLD and WARM parameters see page 2-9.

If you start the SNMP agent using the WARM startup parameter, a default operations environment (from RUN command parameters) is automatically configured.

If you start the SNMP agent using the COLD startup parameter, you must explicitly configure all aspects of the operations environment.

The SNMPCTL File and the WARM Startup Parameter

When you start the SNMP agent using the WARM startup parameter (the default) and no SNMPCTL file exists in the run subvolume (the first time you start an SNMP agent process), the SNMP agent creates an SNMPCTL file and fills it with default RUN command configuration values. You can then modify the SNMP file using RUN command parameters, SCF, PARAM statements, or SNMP requests.

WARM is the default value.

TCPIP^PROCESS^NAME [/node.]$tcpip-process

The default TCP/IP process to be used when request/response connections and trap destinations are defined fo r t he SNMP

agent.

For Parallel Library TCP/IP, this is the TCPSAM process. See the T C P/IP (Parallel

Library) C onfiguration and Management Manual.

For NonStop TCP/IPv6, this is the TCP6SAM process. See the TCP/IPV6 Configuration and Management Manual.

$ZTC0 on the local node.

TRACE Enables tracing of the backup

agent proc ess.

No parameter value is assign ed, and no ba ckup proces s t racing is enabl ed.

TRAPPORT

trap-port-number

The trap port number to send traps to man ager.

162, th e SN M P s tandard port for sending traps.

Table 2-2. Summary of Startup Parameters (page2of2)

Startup Parameter What the Parameter Defines Default Behavior

Page 71

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-15

WARM | COLD Custom Configuration Parameters

for the RUN Command

If an SNMPCTL file already exists in the run subvolume (when you stop and restart an SNMP agent process), the SNMP agent uses the existing configuration values.

The SNMPCTL File and the COLD S tartup Parameter

When you start the SNMP agent using the COLD startup parameter and no SNMPCTL file exists in the run subvolume, the SNMP agent creates an empty SNMPCTL file. You must explicitly set each configuration value to be stored in the SNMPCTL file using the RUN command parameters.

When you start the SNMP agent specifying the COLD startup parameter and an SNMPCTL file already exists in the run subvolume, the SNMP agent purges the existing SNMPCTL file and creates an empty SNMPCTL file. You must explicitly set each configuration value to be stored in the empty SNMPCTL file using the RUN command. Values set when the COLD parameter is specified persist only as long as the agent process is running.

Here is an example of the RUN command in which the COLD parameter is specified:

RUN SNMPAGT /NAME $ZSNMP, NOWAIT/ COLD

Use SCF or SNMP to configure all components of the SNMP agent. (See Part II, SCF

for the SNMP Agent, for more information on SCF for SNMP.)

COLD and WARM Configuration Scenarios.

Note. To stop and resta rt an S N M P agent using the default configuration, you mus t s to p t he

SNMP ag ent, purge th e exist ing SNMPC T L f ile, a nd t hen restart the SNM P agent pr oc es s using the WARM op tio n.

COLD/WARM Startup Parameter

First Time SNMP Agent Started? How Is the SNMP Agent Configured?

COLD Yes/No

The SNMP agent creates an SNMPCTL file after purging any existing file by that name in the run subvolume. The SNMPCTL file must then be explicitly configured.

WARM Yes

No SNMPCTL file exists in the run subvolume. The SNMP agent creates an SNMPCTL file in the run subvolume and fills it with default values.

WARM No

An SNMPCTL file exists in the run subvolume. The SNMP agent opens the SNMPCTL file and is configured with the values specified in the SNMCTL file.

Page 72

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-16

The SNMPCTL File and TRAPPORT

The SNMPCTL file created using earlier versions of the SNMP agent is not compatible with the T9576G06 version. A workaround is to purge the old SNMPCTL file.

PARAM Statements’ Custom Configuration for the RUN Command

You can use TACL PARAM statements to set startup parameters prior to issuing the RUN command. Set the parameters one at a time, using the syntax described in RUN command startup-parameter on page 2-8, and precede the parameters with the keyword PARAM.

For example, these PARAM statements

PARAM DATAPAGES 4000 E PARAM TRACE PARAM TRAPPORT 2000 SNMPAGT /NAME $ZSNMP, NOWAIT, CPU 4/ 6

are equivalent to the following RUN command:

SNMPAGT /NAME $ZSNMP, NOWAIT, CPU 4/ 6, & DATAPAGES 4000 E, TRACE, TRAPPORT 2000

Using SCF to Configure Components of the SNMP Agent Environment

A third way to configure and manage the SNMP agent environment is with SCF. The following five components of the SNMP agent can be configured using SCF.

Refer to Part II, SCF for the SNMP Agent for complete information on SCF commands for SNMP.

SNMP Agent Process

The SCF PROCESS object represents the SNMP agent process. The only attribute you can manage through the SCF interface is the EMS collector to which the SNMP agent process sends event messages it generates.

Security

The SCF PROFILE object defines an entry in an authentication table that the SNMP agent consults to determine whether to accept or reject incoming requests from SNMP managers that communicate through TCP/IP.

Each SCF PROFILE object corresponds to a row in the SNMP agent’s private zagInProfileTable.

Page 73

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-17

Request/Response Connections

The SCF ENDPOINT object identifies an Internet address and TCP/IP process to be used for the receiving and sending of SNMP request/response messages through TCP/IP.

Each SCF ENDPOINT object corresponds to a row in the SNMP agent’s private zagInEndpointTable.

Trap Connections

The SCF TRAPDEST object identifies an Internet address and TCP/IP process to be used for the sending of trap messages.

Each SCF TRAPDEST object corresponds to a row in the SNMP agent’s private zagInTrapdestTable.

Trap Port

The object trap port can't be configured or managed through SCF.

Configuring the SNMP Agent Through SNMP Requests

You can configure and manage the following components of the SNMP agent environment through SNMP requests.

Request/Response Connections

The SNMP agent’s zagInEndpoint group objects define the Internet addresses and TCP/IP processes to be used for the receiving and sending of request/response messages.

Trap Connections

The SNMP agent’s zagInTrapdest group objects identify the Internet addresses and TCP/IP processes to be used for the sending of trap messages. Trap ports can also be used.

Authentication Table Entries

The SNMP agent’s zagInProfile group objects define the authentication table entries to be used for authenticating requests received from SNMP managers that communicate with the SNMP agent through TCP/IP.

Page 74

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-18

Managing Configuration Definitions Through SNMP

Managing C onfiguration Definitions Through SNMP

You can manage the SNMP agent configuration by manipulating rows in the SNMP agent’s private MIB tables, as follows:

•

You create, alter the attributes of, activate, inactivate, and remove rows in the SNMP agent’s private MIB zagInEndpointTable to manage the TCP/IP connection points that the SNMP agent uses for request/response messages. Each row in the zagInEndpointTable corresponds to an SCF ENDPOINT object.

•

You create, alter the attributes of, activate, inactivate, and remove rows in the SNMP agent’s private MIB zagInTrapdestTable to manage the destinations to which the SNMP agent sends traps. Each row in the zagInTrapdestTable corresponds to an SCF TRAPDEST object. However, the object zagInTdPort cannot be viewed or managed through SCF, only from the manager.

•

You create, alter the attributes of, activate, inactivate, and remove rows in the SNMP agent’s private MIB zagInProfileTable to manage the authentication table entries that the SNMP agent uses for accepting or rejecting request messages received through TCP/IP. Each row in the zagInProfileTable corresponds to an SCF PROFILE object.

Page 75

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-19

Single-Node and Multiple-Node Scenar ios

Single-Node and Multiple-Node Scenarios

Figure 2-2. Running Multiple SNMP Agents on a Single Node

SNMP Manager

TCP/IP

SNMP Agent

($ZSNM1)

SNMP Agent

($ZSNM0)

Managed

Resources

Subagents

Managed

Resources

Subagents

130.25.88.1

130.25.88.2

VST202.vsd

Page 76

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-20

Single-Node and Multiple-Node Scenar ios

In Figure 2-2, two SNMP agent s ar e runnin g on the sam e node. To run multiple agen ts on a single node, issue the following two commands. Issue the first command from one subvolume and the second command from a different subvolume.

•

From one subvolume:

RUN $SYSTEM.SYSTEM.SNMPAGT /NAME $ZSNM0, NOWAIT/

•

From a different subvolume:

RUN $SYSTEM.SYSTEM.SNMPAGT /NAME $ZSNM1, NOWAIT/

If the standard SNMP port for receiving requests is used (port 161), only one agent process can use the TCP/IP subnet at a time. Distinct subnets ensure that each message is routed to the appropriate target SNMP agent. Therefore, the type of configuration illustrated in Figure 2-2 is possible only if at least one TCP/IP subnet is available for ea ch SNMP agen t runnin g. Each SNMP agen t must be rea ched thr ough a separate Internet address. You can configure both NonStop TCP/IP and NonStop TCP/IPv6 to have distinct subnets. (To configure distinct subnets for NonStopTCP/IP/v6, use the Logical Network Partition feature described in the TCP/IPv6 Configuration and Management Manual.)

In the Parallel Library TCP/IP environment, in order to bind each agent process to a subnet, you must alter the ENDPOINT object and change the HOSTADDR attribute to the IP address you want the agent bound to. See Remote Connections on page 2-37.

Caution. Each SNMP agen t n eeds exclusive acce s s to an SNMPCTL file. The SN M PC T L file used is the file that resides in the subvolume from which the SNMP agent is started. Therefore, each SNMP agent r unning on the s am e node must b e s ta rted from the subvolume in w hich the SNMPCT L f ile you want the agent to use re si des .

Note. H-series RVUs do not pr ovid e s upport for Parallel Library T C P/ I P.

Page 77

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-21

Single-Node and Multiple-Node Scenar ios

In Figure 2-3, SNMP agents on three different nodes process requests through the same TCP/IP process. This type of configuration is possible only if there is at least one TCP/IP subnet available for each SNMP agent running because a TCP/IP subnet can be used by only one agent process at a time. Each SNMP agent must be reached through a separate Internet address.

A disadvantage of this scenario is that \A and \C cannot be managed if \B fails.

Figure 2-3. Running SNMP Agents on Multiple Nodes

Note. YParallel Library TCP/IP and NonStop TCP/IPv6 do not support this configuration.

SNMP Agent

SNMP ManagerSNMP Manager

SNMP Agent

TCP/IP

Managed

Resources

Subagents

Managed

Resources

Subagents

Managed

Resources

Subagents

130.88.25.1

130.88.25.2

130.88.25.3

VST203.vsd

Page 78

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-22

Single-Node and Multiple-Node Scenar ios

In Figure 2-4, two TCP/IP SNMP managers manage an overlapping set of resources. SNMP manager X monitors resources through SNMP agents 1 and 2. SNMP manager Y monitors resources through SNMP agents 3 and 2. SNMP agent 2 processes requests from both managers. The advantage of this scenario is that if \A or \C fails, resources accessed through SNMP agent 2 and its subagents can still be monitored.

Figure 2-4. Managing Overlapping Sets of Resources

SNMP Manager X

SNMP

Agent 2

SNMP

Agent 1

Subagents

Managed

Resources

Subagents

Managed

Resources

TCP/IP

SNMP Manager Y

SNMP

Agent 3

Subagents

Managed

Resources

TCP/IP

130.88.25.2

130.88.25.1

130.88.26.1

130.88.26.2

VST204.vsd

Page 79

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-23

Starting Multiple SNMP Ag ents on Each Node

Starting Multiple SNMP Agents on Each Node

At least one TCP/IP subnet is required to handle communication between a NonStop agent process and an S NMP mana ger th at is usi ng TCP/IP. To find out whether at l east one subnet is available, issue the SCF INFO and STATUS commands against the TCP/IP subsystem SUBNET object, for example:

INFO SUBNET $ZTC*.*

TCPIP Info SUBNET \EAST.$ZTC0.* Name Devicename *IPADDRESS TYPE *SUBNETMASK #LOOP0 \NOSYS.$NOIOP 127.0.0.1 LOOP-BACK %HFF000000

#EN1 \EAST.LAN1 130.252.60.234 ETHERNET %HFFFF000

STATUS SUBNET $ZTC0.#EN1

TCPIP Status SUBNET \EAST.$ZTC0.#EN1 Name Status #EN1 STARTED

The NonStop agent can use a TCP/IP process on any node to communicate with SNMP managers.

When running more than one SNMP agent on the same node, and when the agent/manager transport protocol is not restricted to NonStop Kernel IPC calls, follow these guidelines:

•

Start each SNMP agent from a different subvolume. Each SNMP agent uses the SNMPCTL file on the subvolume from which the SNMP agent was run. Running each SNMP agent from a different subvolume ensures that each SNMP agent maintains its own distinct configuration.

•

Start only one SNMP agent process using the built-in defaults. Start additional SNMP agents in one of two ways:

Use the COLD startup parameter. Then configure at least one ENDPOINT object through SCF and complete the configuration through SCF or SNMP to avoid configuration conflicts.

Use the TCPIP^PROCESS^NAME startup parameter to specify a different TCP/IP process for the default response/request connection point. Note that:

For Parallel Library TCP/IP, the TCPIP^PROCESS^NAME is the name of a TCPSAM process.

See the TCP/IP (Parallel Library) Configuration and Management Manual for information about how to find the name of a TCPSAM process.

For NonStop TCP/IPv6,the TCPIP^PROCESS^NAME is the name of a TCP6SAM process.

Note. H-series RVUs do not pr ovid e s upport for Parallel Library T C P/ IP.

Page 80

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-24

Stopping the SNMP Agent

See the TCP/IPv6 Configuration and Management Manual for information about how to find the name of a TCP6SAM process.

See also The TCP/IP Subagent and Its Managed Resources on page 8-4.

The following example starts two SNMP agents on the same HP node. For Parallel Library TCP/IP and NonStop TCP/IPv6, the TCP/IP process name is the TCPSAM/TCP6SAM name.

$SYSTEM TCON 5> RUN $SYSTEM.SYSTEM.SNMPAGT/NAME $ZSNM0, NOWAIT/ $SYSTEM TCON 6> VOLUME $SYSTEM.TCON1 $SYSTEM TCON1 7> RUN $SYSTEM.SYSTEM.SNMPAGT/NAME $ZSNM1, NOWAIT/& $SYSTEM TCON1 7> TCPIP^PROCESS^NAME $ZTC1 $SYSTEM TCON1 12> SCF SCF - T9082D20 - (01JUN93) (18MAY93) - 01/09/96 12:38:06 System \EAST Copyright Tandem Computers Incorporated 1986 - 1996

1-> INFO PROCESS $ZSNM0, SUB ALL SNMP Info PROCESS

Name *EMS Collector $ZSNM0 \EAST.$0

SNMP Info PROFILE Name *Access *Hostaddr *Community

$ZSNM0.#DEFAULT READONLY 0.0.0.0 public SNMP Info ENDPOINT Name *Network *Hostaddr

$ZSNM0.#DEFAULT \EAST.$ZTC0 0.0.0.0 2-> INFO PROCESS $ZSNM1, SUB ALL

SNMP Info PROCESS Name *EMS Collector

$ZSNM1 \EAST.$0 SNMP Info PROFILE Name *Access *Hostaddr *Community

$ZSNM1.#DEFAULT READONLY 0.0.0.0 public SNMP Info ENDPOINT Name *Network *Hostaddr

$ZSNM1.#DEFAULT \EAST.$ZTC1 0.0.0.0

Stopping the SNMP Agent

To stop an SNMP agent process, issue the STOP command from a TACL prompt, naming the agent process you want to stop:

STOP $ZSNMP

Page 81

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-25

Configuring the EMS Collect o r

Get the name of the SNMP agent process using either the SCF STATUS PROCESS $ZSNMP command or the TACL STATUS command.

STATUS PROCESS $ZSNMP SNMP Status PROCESS $ZSNMP Name Status Trace Trace File $ZSNMP STARTED OFF N/A

status *, prog $system.system.snmpagt

Process Pri PFR %WT Userid Program file Hometerm

$DMA 5,85 144 011 255,209 $SYSTEM.SYSTEM.SNMPAGT $T304.#TRM6

Configuring the EMS Collector

Configuring the EMS collector requires the following tasks:

•

Direct the SNMP agent process to send its events to a specific EMS collector

•

Configure and manage the authentication mechanism by which the SNMP agent accepts or rejects requests from SNMP managers through TCP/IP

•

Configure and manage TCP/IP request/response connections between the SNMP agent and SNMP managers

•

Configure and manage the definitions of destinations to which the SNMP agent sends traps

When you start the SNMP agent using the default startup parameters, the SNMP agent sends its events to the EMS collector $0. To use an EMS collector other than $0:

•

Include the COLLECTOR startup parameter when you start the SNMP agent.

•

Use the SCF ALTER command to change the EMSCOLL attribute of the PROCESS obje ct.

Collector process information is not stored in the SNMPCTL file. When you stop and restart an SNMP agent process, you must resp eci fy the nondef ault collec tor pro cess to which you want the SNMP agent to send its events.

Note. No MIB obje c t exis t s in the SNMP ag ent’s private za gI nProc ess grou p for spe cifying the EMS collector.

Page 82

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-26

Using the COLLECTOR Startup Parameter

To cause both primary and backup agent processes to send events to an EMS collector other than $0, include the COLLECTOR startup parameter when you start the SNMP agent. For example:

RUN SNMPAGT/NAME $ZSNMP, NOWAIT/ COLLECTOR $ACOL

Although HP does not recommend doing so, you can suppress output of SNMP agent events altogether by including the COLLECTOR startup parameter with no argument:

RUN SNMPAGT/NAME $ZSNMP, NOWAIT/ COLLECTOR

This approach is the only way to suppress event logging. You cannot suppress event logging through SCF.

For more information on the COLLECTOR startup parameter, refer to COLLECTOR

[$alternate-collector-process] on page 2-9.

Using the SCF ALTER PROCESS Command

You can also specify that the agent process send its events to an alternate collector by issuing an SCF ALTER command against the PROCESS object and specifying a new value for the EMSCOLL attribute. For example:

ALTER PROCESS $ZSNMP, EMSCOLL $ACOL

Configuring Security

Before the SNMP agent processes an SNMP request, the SNMP agent authenticates the request to determine whether the SNMP manager is qualified to perform the operation in the request. The request authentication rules implemented by the SNMP agent depend on whether the SNMP manager is communicating through NonStop Kernel IPC calls or through the TCP/IP UDP transport protocol.

Authenticating Requests Received Over TCP/IP

To configure the basis on which the SNMP agent accepts or rejects requests from SNMP managers that communicate through TCP/IP, build an authentication table. Each entry in the authentication table is one instance of a PROFILE object, or one row in the SNMP agent’s private zagInProfileTable. You can configure, request information about, and manage authentication table entries in two ways:

•

By issuing SNMP Set requests against the SNMP agent’s zagInProfile group objects from an SNMP manager that uses NonStop Kernel IPC calls to communicate with the SNMP agent.

•

By issuing SCF commands against PROFILE objects.

Page 83

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-27

Authe n ticating Req u e sts Re c e i ved O ve r T C P/IP

To avoid extraneous authenticationFailure traps, configure security before you configure request/response connection points. Request/response connection points are represented by SCF ENDPOINT objects or by rows in the SNMP agent private zagInEndpointTable. For more information, refer to Configuring TCP/IP

Request/Response Connections on page 2-34.

The Authentication Mechanism

Authentication is the procedure by which the agent process accepts or rejects

requests from an SNMP manager that communicates through TCP/IP. The SNMP agent looks at three element s of an incom ing SNM P messa ge to deter mine

whether to process (or forward) a request:

•

The community name portion of the community string included in the message

•

The Intern et addre ss from which the request originated

•

The SNMP operation that the SNMP manager wants the agent process to run or forward for running on the manager’s behalf

Community Strings

Each request that an SNMP agent receives from an SNMP manager includes a community string composed of one or two discrete sections delimited by two colons (::) as follows:

community-name[::subagent-password]

The community string included in incoming requests is part of the SNMP manager’s configuration and is set as described in the documentation provided by the vendor of the SNMP manager.

The SNMP agent parses the community-name portion of the community string. Community names that an SNMP age nt recogn izes are configur ed thro ugh SCF by the system administrator responsible for the SNMP agent.

When an SNMP agent process receives a request, the SNMP agent searches for a matching community name in the auth entication t able. If the SNMP agent does not find a matching community name entry in the authentication table, the request is dropped. If the snmpEnableAuthenTraps object in the SNMP group supported by the SNMP agent is set to 1, the SNMP agent also sends an authenticationFailure trap to all broadcast type trap destinations. Trap destinations are represented by SCF TRAPDEST objects or by rows in the SNMP agent’s private zagInTrapdestTable. (For more information, see Configuring Trap Destinations on page 2-38.)

Note. The subagent-password is passed to the subagent by the SNM P agent an d is us ed by the subagent to employ additional security. For more inform at ion, see After a Request Has

Been Authenticate d on page 2-31.

Page 84

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-28

Authe n ticating Req u e sts Re c e i ved O ve r T C P/IP

Internet Addresses

Each entry in the authentication table contains a single Internet address or a full wildcard address (0.0.0.0.) specification. Internet addresses are discussed in detail in the TCP/IP Configuration and Management Manual.

When the SNMP agent finds a community name match, the SNMP agent looks at the address from which the request originated. If the address contained in the incoming request matches the address in the authentication table entry, the SNMP agent accepts the request.

If the SNMP agent does not find a matching Internet address entry in the authentication table, the request is dropped. If configured to do so, the SNMP agent sends an authenticationFailure trap to all trap destinations.

SNMP Operations

The authentication table also describes the SNMP operations authorized for each community. Allowable SNMP operations are described by one of two access modes, specified as ACCESS attributes in SCF: READONLY and READWRITE.

•

If the access mode is READONLY, the SNMP agent accepts GetRequest and GetNextRequest PDUs from the SNMP manager. SetRequest PDUs are dropped.

•

If the access mode is READWRITE, the SNMP agent accepts SetRequest, GetRequest, and GetNextRequest PDUs from the SNMP manager.

If the request is for an unauthorized operation, the request is dropped. If configured to do so, the SNMP agent sends an authenticationFailure trap to all trap destinations.

If the request passes all three tests (community name, Internet address, and access mode), the SNMP agent is said to have authenticated the request.

Configuring the Authentication Table

An authentication table entry has the following attributes:

•

You name the object when you define it.

•

COMMUNITY or zagInPfCommunity is a community name, unique among authentication table entries.

•

HOSTADDR or zagInPfHostAddr is an SNMP manager Internet address.

SCF SNMP Agent Private MIB Object Attribute Table Object Within Table Row

PROFILE #profile-name zagInProfileTable zagInPfName

COMMUNITY zagInPfCommunity HOSTADDR zagInPfHostAddr ACCESS zagInPfAccess

Page 85

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-29

Authe n ticating Req u e sts Re c e i ved O ve r T C P/IP

•

ACCESS or zagInPfAccess specifies the SNMP operations authorized for each community: READONLY or READWRITE.

The default auth entic atio n t able entry is name d $agent-process.#DEF A ULT and has the following attribute values associated with it (the SNMP agent process is $ZSNMP):

PROFILE $ZSNMP.#DEFAULT, COMMUNITY public HOSTADDR 0.0.0.0, ACCESS READONLY

You must add an authentication table entry for each community (other than “public”) from which the SNMP agent will be receiving SNMP requests.

Unless you stop or alter the default authentication table entry, the SNMP agent continues to accept incoming Get and GetNext requests from any SNMP manager belonging to the “public” community, regardless of other table entries you define to tighten security.

Page 86

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-30

Authe n ticating Req u e sts Re c e i ved O ve r T C P/IP

Figure 2-5. Authenticating Requests Received Through TCP/IP

LogicalIdentifer

---------------------

#UBLAN

#DEFAULT

COMMUNITY

-------------------

Private

public

ACCESS

-------------------

READWRITE

READONLY

HOSTADDR

----------------------

130.253.15.230

0.0.0.0

SNMP agent

receives request.

N O

YES

Does

access mode permit

requested operati on?

YES

SNMP Manager Station

Authentication Table

Request

authenticationFailure Trap

Response

private::tsmaccess 130.253.15.230 GetNext

Does entry

exist?

SNMP agent looks for

entry containing community

name.

Does address

in request match

address

in table entry?

SNMP agent processes

request or forwards request to

appropria te sub agent.

VST302.vsd

Page 87

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-31

Authenticating Requests Received Using the IPC

Interface

In Figure 2-5, the authentication table permits the SNMP agent to accept Get and GetNext requests from any SNMP manager belonging to the “public” community, as well as Set requests sent under the “Private” community from the SNMP manager whose address is 130.252.15.230. The SCF commands that defined this nondefault PROFILE object are:

ASSUME PROCESS $ZSNMP ADD PROFILE #UBLAN, COMMUNITY Private,& ACCESS READWRITE, HOSTADDR 130.253.15.230 START PROFILE #UBLAN

This request would be authenticated. Note that the trap messages shown in Figure 2-5 are generated only when:

•

A message is received that fails authentication.

•

The snmpEnableAuthenTraps object in the SNMP group of the SNMP agent’s MIB is set to 1.

Refer to Configuring Trap Destinations on page 2-38 for more information on traps.

Authenticating Requests Received Using the IPC Interface

Requests received using the IPC interface are authenticated as follows:

•

The community name and Internet address in the request are not examined. (However, they are passed to the subagent to which the request is forwarded; the subagent can then employ additional security based on the community name and Internet address.)

•

All MIB objects under the control of the SNMP agent are accessible. Requests for operations on objects in the zagInProfile group are performed only if the PAID of the SNMP manager process is compatible with the PA ID of the agent process. If the agent process is associated with the super user group (user ID 255,n), the SNMP manager process must also be associated with the super user group. If the agent process is not associated with the super user group, the PAID of the SNMP manager process is irrelevant.

•

Requests for MIB objects under the control of subagent are passed to subagents for processing, as described in the following subsection.

After a Request Has Been Authenticated

Authentication allows the SNMP manager access to the following SNMP agent services:

•

Access to the MIB-II SNMP and System group objects, as well as the private MIB objects supported by the SNMP agent. These requests are processed by the SNMP agent.

•

The forwarding of SN MP reque sts con cerni n g MIB obj ect s suppo rted by sub agen ts to the appropriate subagent process.

Page 88

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-32

Security Scenarios for SNMP Managers Using

TCP/IP

By default, authenticated manager requests forwarded to subagents are processed in accordance with the access attributes of individual MIB objects. SNMP managers can perform Get and GetNext operations on read-only MIB objects and Get, GetNext, and Set operations on read-write objects.

When the SNMP agent forwards a request to a subagent, the forwarded request includes the Internet ad dress an d comm uni ty string . The sub agent can use the Inte rnet address and the subagent-password portion of the community string to employ additional security, responding to a request to access a MIB object, independent of the subagent’s access attributes, only if the request contains a particular password and originates from a specific Internet address. This option, known as subagent request authentication, requires that the password appear as follows in the manager station’s community string:

agent-community-string::subagent-password

Security Scenarios for SNMP Managers Using TCP/IP

Table 2-3. Security Scenarios (page 1 of 2)

Scenario Tasks

Method (SCF Commands)

Allow an SN M P manager to retrieve information only.

Ask the SNMP administrator to send requests to th e SN MP agen t u nder the “public” c om m unity.

By default, the SNMP agent accepts Get and GetNext requests from all members of the “public” community.

Ask the SNMP administrator.

Allow an SN M P manager to set values and retriev e information.

Configu re an authen ti ca t ion table entry for the host address of the SNMP manager, give the au t henticatio n tab le a unique community name, and assign t he table READWRITE access. Then activate the entry and inform the SNMP administrator of the community name that must be present in requests sent to the SNMP agent.

The SNMP agent accepts Get, GetNext, and Set requests that contain the new community name.

ADD PROFILE START PROFILE

Allow an SN M P manager to retrieve information only.

Ask the SNMP administrator to send requests to th e SN MP agen t u nder the “public” c om m unity.

By default, the SNMP agent accepts Get and GetNext requests from all members of the “public” community.

Ask the SNMP administrator.

Page 89

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-33

Security Scenarios for SNMP Managers Using

TCP/IP

Alternatively, you can simply alter the default P R OF I LE entry and assign READWRITE access to the “public” community. In this case, you should also alter the default host address to make it more restrictive. (Otherwise, all SNMP managers sending requests under the “public” community can alter variables.) Then activate the PROFILE entry.

STOP PROFILE ALTER PROFILE START PROFILE

Revoke Set privileges from an SN MP manager, but allow it to retrieve information.

Deactivate the authentication table entry for the community under which the SNMP manager has bee n s ending re quests. Alte r the SNMP manager’s access mode to READONLY. Then reactivate the authent ic at ion table entry.

The REA D ON LY access w ill apply to all managers using the community name. If READONLY access is not acceptable, ask the ot her SNMP administrators t o reconfig ure their managers to send requests under a different c om m unity nam e.

STOP PROFILE ALTER PROFILE START PROFILE

Revoke all access privileges from an SNMP manager.

Deactivate the authentication table entry for the community under which the SNMP manager has bee n s ending re quests.

The SNMP agent accepts no requests from the SNMP manager.

STOP PROFILE

If more tha n one SNMP m anager se nds requests under that co m m unity, alter the host address to exclude the particular manager. Then activate the entry.

STOP PROFILE ALTER PROFILE START PROFILE

If you cann ot alt er the host a ddress to excl ude one manager, ask th e ot her SNMP adminis tr at ors t o reconfigure their managers to send requests under a different co m m unity name . Then add an authent ic at ion table entry fo r th e new community and activ ate the entr y.

STOP PROFILE ADD PROFILE START PROFILE

Table 2-3. Security Scenarios (page 2 of 2)

Scenario Tasks

Method (SCF Commands)

Page 90

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-34

Configuring TCP/IP Request/Response Connec tions

Configuring TCP/IP Request/Response Connections

The TCP/IP process handling the communication between the SNMP agent process and SNMP managers is represented by a request/response connection definition. You specify and request information about the request/response connections by issuing:

•

SCF commands against ENDPOINT objects.

•

SNMP Set requests against the SNMP agent’s zagInEndpointTable entry objects, as described in Section 3, MIBs Supported by the SNMP Agent.

A TCP/IP request/response connection definition has the following attributes:

•

You name the object when you define it.

•

HOSTADDR or zagInEpHostAddr is the Internet address by which the SNMP agent can be addressed. The Internet address is the TCP/IP subnet address through which the SNMP agent receives requests from SNMP managers.

•

NETWORK or zagInEpNetwork is the TCP/IP process that handles request/response messages.

The default TCP/IP request/response connection definition specifies that the SNMP agent receives SNMP requests and returns responses through any available subnet associated with TCP/IP process $ZTC0 on the node on which the agent process is running.

You can specify that a different TCP/IP process be used in the default configuration by including a TCPIP^PROCESS^NAME startup parameter in the RUN command when you start the SNMP agent process.

Using the default request/response connection definition or passing a TCP/IP process name at start up works for an SNMP age nt proce ss that is not shar in g the same TCP /IP subsystem with other SNMP agent processes. However, when multiple SNMP agent processes use the same TCP/IP subsystem to communicate with SNMP managers, you must ensure that each SNMP agent process has a distinct subnet available for its own use or that each SNMP agent process has been configured at startup to use a unique port. Configuring distinct subnets ensures that each message is routed to the appropriate ta rget SNM P agent.

SCF SNMP Agent Private MIB Object Attribute Table Object Within Table Row

ENDPOINT #endpoint-name zagInEndpointTable zagInEpName

HOSTADDR zagInEpHostAddr NETWORK zagInEpNetwork

Page 91

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-35

Single-Agent Connections

Single-A gent Connections

When only one SNMP agent uses a TCP/IP process, defining the request/response connection is straightforward. Use the default host address value and ensure that at least one subnet is available to handle communication with the SNMP managers. You can issue SCF INFO and STATUS commands ag ainst the T CP/IP subsyst em SUBNE T object to find out about the availability of subnets. For example:

info subnet $ztc0.*

TCPIP Info SUBNET \WEST.$ZTC0.* Name Devicename *IPADDRESS TYPE *SUBNETMASK #LOOP0 \NOSYS.$NOIOP 127.0.0.1 LOOP-BACK %HFF000000

#SUBNET1 \WEST.LAN1 130.252.88.1 ETHERNET %HFFFF0000 #SUBNET2 \WEST.LAN2 130.252.87.1 ETHERNET %HFFFF0000

status subnet $ztc0.#subnet2

TCPIP Status SUBNET \WEST.$ZTC0.#SUBNET2 Name Status #SUBNET2 STARTED

Multiple-A gent Co n ne c tions

If the same TCP/IP subsystem is handling SNMP agent/manager communication for more than one SNMP agent process, each SNMP agent must either be reached through a separate Internet address or must be configured at startup to use a unique port. You must configure nonoverlapping host address values in request/response connection definitions.

If a request/response connection has been defined to use the full wild-card specification (0.0.0.0) to refer to all Internet addresses associated with a particular TCP/IP process, and you want to start another SNMP agent process to be reached through the same TCP/IP process, you must configure nonoverlapping host address values in the two SNMP agents’ request/response connection definitions.

Page 92

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-36

Multiple-Agent Connections

In Figure 2-6 a successful configuration involving two SNMP agents uses the same TCP/IP process for request/response communications. In this configuration, the following is assumed:

•

$ZSNM0 and $ZSNM1 were started from different subvolumes with the built-in defaults.

•

The default request/response connection definition associated using each SNMP agent was altered as illustrated in the following SCF commands:

STOP ENDPOINT $ZSNM1.#DEFAULT STOP ENDPOINT $ZSNM0.#DEFAULT ASSUME PROCESS $ZSNM1

ALTER ENDPOINT #DEFAULT, HOSTADDR 130.25.88.2

START ENDPOINT #DEFAULT ASSUME PROCESS $ZSNM0

ALTER ENDPOINT #DEFAULT, HOSTADDR 130.25.88.1

START ENDPOINT #DEFAULT

Each SNMP agent now has a distinct subnet to handle communication with SNMP managers.

Figure 2-6. Multiple Local SNMP Agents, Single Host Request/Response Connections

SNMP Manager

130.25.88.1

130.25.88.2

$ZTC0

SNMP

Agent

($ZSNM1)

SNMP Agent

($ZSNM0)

VST304.vsd

Page 93

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-37

Remote Connections

The TCP/IP process used for communicating with SNMP managers does not have to be on the same n ode as th e agen t pro cess. A s in the scen ari o fe aturin g mult iple SNM P agents sharing a TCP/IP process on one host (Figure 2-6), you need to ensure that every local and remote agent process sharing the TCP/IP process uses a unique subnet address. In Parallel Library TCP/IP, the agents are not associated with TCP/IP processes but rather just with the IP addresses. This procedure of altering the ENDPOINT is the method by which you bind the agent to unique IP addresses in the Parallel Library TCP/IP process.

In Figure 2-7, agent processes on three nodes are started using the built-in defaults. Later, the default request/response connection definitions are altered for all three SNMP agents. The following example illustrates altering connection definitions using SCF:

SYSTEM \B ASSUME PROCESS $ZSNMP STOP ENDPOINT #DEFAULT

ALTER ENDPOINT #DEFAULT, HOSTADDR 130.25.86.2 START #DEFAULT

SYSTEM \A ASSUME PROCESS $ZSNMP STOP ENDPOINT #DEFAULT

ALTER ENDPOINT #DEFAULT, NETWORK \B.$ZTC0, & HOSTADDR 130.25.86.1 START #DEFAULT

SYSTEM \C ASSUME PROCESS $ZSNMP STOP ENDPOINT #DEFAULT

ALTER ENDPOINT #DEFAULT, NETWORK \B.$ZTC0, & HOSTADDR 130.25.86.3 START #DEFAULT

Note that the ENDPOINT definition for the SNMP agent on node \B uses the default NETWORK attribute value, so this attribute need not be included in the ALTER command.

Note. H-series RVUs do not pr ovid e s upport for Parallel Library T C P/ I P.

Page 94

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-38

Configuring Trap Destinations

Each SNMP manager to which the SNMP agent process sends trap messages is represented by a trap destination definition. You specify and request information about trap destinations by issuing:

•

SCF commands against TRAPDEST objects.

•

SNMP Set requests against the SNMP agent’s zagInTrapdestTable entry objects, as described in Section 3, MIBs Supported by the SNMP Agent.

Figure 2-7. Multiple Remote SNMP Agents, Single Host Request/Response Connections

SNMP Agent

($ZSNMP)

SNMP Manager

130.25.86.1

130.25.86.2

130.25.86.3

SNMP Manager

SNMP Agent

($ZSNMP)

SNMP

Agent

($ZSNMP)

$ZTC0

VST305.vsd

Page 95

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-39

Configuring Trap Destinations

A trap destination definition has the following attributes:

•

You name the object when you define it.

•

COMMUNITY or zagInTdCommunity specifies the name included in trap messages. This attribute is assigned the value “Tandem” by default.

•

HOSTADDR or zagInTdHostAddr specifies the Internet address of an SNMP manager to which traps are to be sent. You cannot use the wild-card Internet address designation “0.0.0.0” as a value for this attribute; each value must be a unique Internet address. No default value exists for this attribute.

•

NETWORK or zagInTdNetwork specifies the TCP/IP process that handles the sending of trap messages. The TCP/IP process determines which subnet to use for the actual dat a tran sfer. The default val ue is the T CP/I P process specified in the TCPIP^PROCESS^NAME startup parameter or, if none was specified, $ZTC0 on the local node.

•

The zagInTdType object specifies the type of the trap destination: directed or broadcast. Directed trap destinations receive only trap messages specifically directed to the trap destinations by the agent or subagent from which the trap originates. Broadcast trap destinations receive all trap messages except directed ones.

•

The zagInTdPort object speci fies the por t to which trap s shou l d be sent. The obj ect zagInTdPort cannot be viewed or managed through SCF, only from the SNMP manager.

You can configure as many trap destination definitions as you like. SCF issues a warning if you add a definition that points to a currently defined destination. In this case, duplicate traps are sent to the same address.

SCF SNMP Agent Private MIB Object Attribute Table Object Within Table Row

TRAPDEST #trapdest-name zagInTrapdestTable zagInTdName

COMMUNITY zagInTdCommunity HOSTADDR zagInTdHostAddr NETWORK zagInTdNetwork

zagInTdType zagInTdPort

Note. SCF does not provide for defining directed type trap destinations. All trap destination definitions created through SCF are of type broadcast. (However, trap designation definitions can be modified through SNMP to type directed.)

Page 96

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-40

Dynamically Generated Trap Destinations

If no trap destinations are defined, then for every SNMP manager communicating through TCP/IP from which the SNMP manager receives a request, the SNMP agent creates a trap destination definition. The trap port value is 162, the default value. Each dynamically generated TRAPDEST object contains the default community, network, and trap type attribute values. The host address attribute of each dynamically generated TRAPDEST object is the Internet address from which the request was received. These TRAPDEST objects are named “#DYNA0,” “#DYNA1,” and so on, and are stored in the SNMPCTL file.

For example, if the SNMP agent receives a request through TCP/IP from the manager at Internet address 130.252.86.10, the SNMP agent creates and starts the following TRAPDEST object:

TRAPDEST $agent-process.#DYNA0, COMMUNITY Tandem, NETWORK $ZTC0, HOSTADDR 130.252.86.10

Then, if the SNMP agent receives a request from the SNMP manager at Internet address 155.186.130.123, the SNMP agent creates and starts another TRAPDEST object:

TRAPDEST $agent-process.#DYNA1, COMMUNITY Tandem, NETWORK $ZTC0, HOSTADDR 155.186.130.123

Once you explicitly create a TRAPDEST object using the ADD command, dynamic TRAPDEST generation stops. The default trap port would be 162, however, the port cannot be seen in SCF, but can be retrieved and set to a different port using the SNMP manager.

The following is a summary of dynamic TRAPDEST object generation:

•

Dynamic TRAPDEST generation is enabled when the SNMP agent is started with the WARM startup parameter and there are no TRAPDEST objects in the SNMPCTL file.

•

Dynamic TRAPDEST generation is disabled when you do one of the following:

•

Use the ADD command to add a TRAPDEST object (or create one through SNMP).

•

Stop and restart the SNMP agent with the WARM option after at least one default TRAPDEST object has been generated.

If the SNMP agent is stopped, and then restarted, using the WARM option, even if you have never explicitly added a TRAPDEST object, no new TRAPDEST objects are dynamically generated since the SNMPCTL file contains the #DYNAn objects created when the SNMP agent was previously running.

Page 97

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-41

Forwarding Traps to Managers Communicating

Through IPC

Forwarding Traps to Managers Communicating Through IPC

No mechanism exists for the SNMP agent to automatically forward traps through the IPC interface. To forward traps to an SNMP manager that communicates with the SNMP agent through NonStop Kernel IPC calls, configure a trap destination using a host address of 127.0.0.1 (the local loopback address, a TCP/IP convention that refers to “this” host).

Disabling the Sending of Traps

Any SNMP manager using the proper access authority can disable the sending of authenticationFailure traps to all configured trap destinations by setting the snmpEnableAuthenTraps MIB object to 2. Refer to Appendix C, Unsolicited SNMP

Agent Messages, for more information.

Page 98

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-42

Single-Host Connections

Single-H os t Connectio ns

In Figure 2-8, two SNMP agents receive requests through one TCP/IP process and send trap messages to the same destination through a diff erent T CP/ IP p rocess. In this configuration:

•

$ZSNM0 was started using the built-in defaults.

•

$ZSNM1 was started (from a different subvolume) using a value of $ZTC1 for the TCPIP^PROC ESS^NAME star tup parameter.

Figure 2-8. Multiple SNMP Agents, Single Host Connections

SNMP Manager Station 2

130.25.88.1

130.25.88.2

$ZTC1

SNMP

Agent

($ZSNM0)

SNMP Agent

($ZSNM1)

SNMP Manager Station 1

Legend

Trap PDUs

Request/Response PDUs

(at 130.25.86.15)

$ZTC0

VST306.vsd

Page 99

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-43

Multiple-Host Connections

The SCF commands used to configure the ENDPOINT and TRAPDEST objects in

Figure 2-8 are:

ASSUME PROCESS $ZSNM0 STOP ENDPOINT #DEFAULT ALTER ENDPOINT #DEFAULT, NETWORK $ZTC1, & HOSTADDR 130.25.88.1 START ENDPOINT #DEFAULT

ADD TRAPDEST #STA1, HOSTADDR 130.25.86.15 START TRAPDEST #STA1

ASSUME PROCESS $ZSNM1 STOP ENDPOINT #DEFAULT ALTER ENDPOINT #DEFAULT, HOSTADDR 130.25.88.2 START ENDPOINT #DEFAULT

ADD TRAPDEST #STA1, NETWORK $ZTC0, HOSTADDR 130.25.86.15 START TRAPDEST #STA1

Multiple-Host Connections

The TCP/IP process handling the sending of traps does not have to be on the same node as the agent process.

Note. Parallel Library TCP/I P and Nonst op TCP/IPv6 do not support Mu lti-Host con nections.

Page 100

Installing and Configuring the SNMP Agent

SNMP Configuration and Management Manual—424777-006

2-44

Multiple-Host Connections

In Figure 2-9, the SNMP agents on nodes \A, \B, and \C accept requests from either SNMP manager, but only send traps to the manager whose internet address is

130.25.86.4. Following are the SCF commands used to configure connections for this

scenario. Note that the SNMP agent on node \B uses the default NETWORK attribute value in its TRAPDEST object definition:

SYSTEM \B ASSUME PROCESS $ZSNMP STOP ENDPOINT #DEFAULT ALTER ENDPOINT #DEFAULT, HOSTADDR 130.25.86.2 START #DEFAULT

ADD TRAPDEST #STA2, HOSTADDR 130.25.86.4 START TRAPDEST #STA2

Figure 2-9. Multiple SNMP Agents, Multiple Host Connections

SNMP Agent

($ZSNMP)

SNMP Manager 2

(at 130.25.86.4)

130.25.86.1

130.25.86.2

130.25.86.3

SNMP Manager 1

(at 130.25.86.5)

SNMP

Agent

($ZSNMP)

SNMP Agent

($ZSNMP)

Legend

Request/Response PDUs

$ZTC0

130.25.86.4

Trap PDUs

VST307.vsd