snmpvacm(1M)           System Administration Commands           snmpvacm(1M)

NAME
snmpvacm - perform maintenance on an SNMP agent's View-based Access
Control Module (VACM) table
SYNOPSIS
/usr/sfw/bin/snmpvacm [common options] [subcommand options] AGENT
subcommand subcommand-args
DESCRIPTION
snmpvacm is an SNMP application that can be used to do maintenance on an
SNMP agent's View-based Access Control Module (VACM) table. The VACM
table defines a set of services that can be used for checking access
rights, that is, checking whether a specific type of access (read, write,
or notify) to a specific managed object is allowed. snmpvacm supports
three types of entries--group, view, and access. The agent maintains
these entries in memory and stores VACM groups, views, and access entries
in the persistent configuration file upon agent shutdown. An entry
created with snmpvacm therefore takes effect immediately, but it is
written to disk only when the agent shuts down; an agent that is killed
without shutting down does not keep it.
Subcommands
This section describes the snmpvacm subcommands.
createSec2Group
Creates SNMPv3 security to group name entries. A group name is used
to define an access control policy for a group of principals.
snmpvacm [common options] createSec2Group MODEL SECURITYNAME GROUPNAME
MODEL
An integer greater than zero representing an SNMPv3 security
model, such as USM. The reserved values are as follows:
1
reserved for SNMPv1
2
reserved for SNMPv2c
3
User-Based Security Model (USM)
SECURITYNAME
A string representing a security name for the principal,
represented in a security-model-independent format, which is
mapped from this entry to a GROUPNAME.
GROUPNAME
A string that identifies the group to which this table entry
(the combination of securityModel and securityName) belongs.
deleteSec2Group
Deletes SNMPv3 security to group name entries. The group entry to
be deleted is indexed by the specified MODEL and SECURITYNAME.
snmpvacm [common options] deleteSec2Group MODEL SECURITYNAME
MODEL
An integer greater than zero representing an SNMPv3 security
model, such as USM. The reserved values are as follows:
1
reserved for SNMPv1
2
reserved for SNMPv2c
3
User-Based Security Model (USM)
SECURITYNAME
A string representing a security name for the principal,
represented in a security-model-independent format, which is
mapped from this entry to a GROUPNAME.
createView
Creates a MIB view. A MIB view is a family of view subtrees, which
are pairings of OID subtree values with bit string mask values.
Each MIB view is defined by two sets of view subtrees, included in
or excluded from the MIB view.
snmpvacm [common options] [-Ce] createView NAME SUBTREE MASK
-Ce
An optional flag that marks the subtree as "excluded" from the
MIB view. If not used, the type defaults to "included". An
excluded subtree is the usual way to carve a sensitive branch out
of a larger included one, since the most specific matching
subtree of a view decides whether an object is visible.
NAME
A string naming the MIB view to which this subtree/mask pairing
belongs. Use the same NAME for every subtree that makes up one
view.
SUBTREE
The OID subtree which when combined with the corresponding
instance of MASK defines a family of view subtrees.
MASK
The bit mask, a hex string, which, in combination with the
corresponding instance of SUBTREE, defines a family of view
subtrees. Each bit corresponds to one sub-identifier of SUBTREE,
starting with the most significant bit of the first octet; a 1
bit means that sub-identifier must match, a 0 bit makes it a
wildcard, and sub-identifiers beyond the end of the mask are
treated as significant. A mask of FF (all ones) therefore
selects exactly the subtree rooted at SUBTREE, which is the
common case.
deleteView
Deletes a MIB view. A MIB view is a family of view subtrees. A view
subtree is a pairing of an OID subtree value with a bit string mask
value.
snmpvacm [common options] deleteView NAME SUBTREE
NAME
A string representing a MIB view name that is associated to a
subtree/mask pairing.
SUBTREE
The OID subtree which, when combined with the corresponding
instance of MASK, defines a family of view subtrees.
createAccess
Creates SNMPv3 access configuration entries. These entries are used
to store the access rights defined for the groups. Each entry is
indexed by a group name, a context prefix, a security model, and a
security level. A group entry and at least one view entry must be
defined before an access entry grants anything: the group entry maps
a security name to GROUPNAME, and the view names given here must
refer to existing views.
snmpvacm [common options] createAccess GROUPNAME
[CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL
CONTEXTMATCH READVIEWNAME WRITEVIEWNAME
NOTIFYVIEWNAME
GROUPNAME
The name of the group to which this access right applies.
CONTEXTPREFIX
A string that the contextName of a request is compared with: the
contextName must equal it when CONTEXTMATCH is set to "exact",
or begin with it when CONTEXTMATCH is set to "prefix".
If not specified, the value reverts to the default, an empty
string, "".
SECURITYMODEL
An integer representing the securityModel that must be used in
order to gain access to this access right.
SECURITYLEVEL
An integer representing the minimum security level that must be
used to gain access to this access right. A security level of
noAuthNoPriv is less than authNoPriv and authNoPriv is less
than authPriv.
Integer values supported:
1
noAuthNoPriv
2
authNoPriv
3
authPriv
CONTEXTMATCH
An integer whose value determines the type of match required.
When set to "exact", the context name must exactly match the
value in CONTEXTPREFIX. When set to "prefix", the context name
must begin with the value in CONTEXTPREFIX; an empty
CONTEXTPREFIX with "prefix" matching therefore matches every
context.
Integer values supported:
1
exact
2
prefix
READVIEWNAME
The authorized MIB view name used for read access. If the value
is an empty string, then there is no active view configured for
read access.
WRITEVIEWNAME
The authorized MIB view name used for write access. If the
value is an empty string, then there is no active view
configured for write access.
NOTIFYVIEWNAME
The authorized MIB view name used for notify access. If the
value is an empty string, then there is no active view
configured for notify access.
deleteAccess
Deletes SNMPv3 access configuration entries, given a group name,
context prefix, security model, and security level.
snmpvacm [common options] deleteAccess GROUPNAME
[CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL
GROUPNAME
The name of the group to which this access right applies.
CONTEXTPREFIX
The context prefix string of the entry to delete. It must equal
the value stored in the entry, since it is part of the entry's
index. If not specified, the empty string, "", is used.
SECURITYMODEL
An integer representing the securityModel that must be used to
gain access to this access right.
SECURITYLEVEL
An integer representing the minimum security level that must be
used to gain access to this access right. A security level of
noAuthNoPriv is less than authNoPriv and authNoPriv is less
than authPriv.
The following integer values are supported:
1
noAuthNoPriv
2
authNoPriv
3
authPriv
EXAMPLES
For the following examples, the user is my_user and the password is
my_password. Use net-snmp-config to create the first user (my_user).
Then clone my_user to configure another SNMPv3 user, my_user_2. See
snmpusm(1M). Note that passphrases given with -A and -X appear in the
process argument list and in shell history; on a shared host, prefer
to supply them from a configuration file rather than on the command
line.
Example 1: Creating a VACM Group Entry
Create a VACM group entry, as follows:
snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A my_password \
    -x DES -X my_password localhost createSec2Group 3 my_user_2 my_group
Run snmpwalk(1M) to verify the group name was created:
snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A my_password \
    -x DES -X my_password localhost SNMP-VIEW-BASED-ACM-MIB::vacmGroupName
In addition to other configured VACM group entries, you will note an
entry such as the following:
SNMP-VIEW-BASED-ACM-MIB::vacmGroupName.3."my_user_2" = STRING: my_group
Example 2: Creating a MIB View Entry
The command below creates a MIB view entry that covers only the system
group (.1.3.6.1.2.1.1); the mask FF marks every sub-identifier of that
subtree as significant.
snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A my_password \
    -x DES -X my_password localhost createView my_view .1.3.6.1.2.1.1 FF
Run snmpwalk(1M) to verify the my_view MIB view was created:
snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A my_password \
    -x DES -X my_password localhost SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyTable
In snmpwalk output, observe the lines, such as those below, related to
the my_view MIB view.
SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyMask."my_view".2.1.3.6.1.2.1.1\
= Hex-STRING: FF
SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyType."my_view".2.1.3.6.1.2.1.1\
= INTEGER: included(1)
SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStorageType.\
"my_view".2.1.3.6.1.2.1.1 = INTEGER: nonVolatile(3)
SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStatus.\
"my_view".2.1.3.6.1.2.1.1 = INTEGER: active(1)
Example 3: Creating an Access Entry
The command below creates an access entry using the following
components:
· the "my_group" entry created above
· an empty context prefix string ("")
· the USM security model (3)
· the security level (3, authPriv)
· the context match (1, exact)
· the read view name ("my_view")
· the write view name ("", no write access)
· the notify view name ("", no notify access)
snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A my_password \
    -x DES -X my_password localhost createAccess my_group "" 3 3 1 my_view "" ""
Run snmpwalk(1M) to verify the access entry was created:
snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A my_password \
    -x DES -X my_password localhost SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable
SNMP-VIEW-BASED-ACM-MIB::vacmAccessContextMatch."my_group"."".3.authPriv\
= INTEGER: exact(1)
SNMP-VIEW-BASED-ACM-MIB::vacmAccessReadViewName."my_group"."".3.authPriv\
= STRING: my_view
SNMP-VIEW-BASED-ACM-MIB::vacmAccessWriteViewName."my_group"."".3.authPriv\
= STRING:
SNMP-VIEW-BASED-ACM-MIB::vacmAccessNotifyViewName."my_group"."".3.authPriv\
= STRING:
SNMP-VIEW-BASED-ACM-MIB::vacmAccessStorageType."my_group"."".3.authPriv\
= INTEGER: nonVolatile(3)
SNMP-VIEW-BASED-ACM-MIB::vacmAccessStatus."my_group"."".3.authPriv\
= INTEGER: active(1)
Example 4: Testing the Configuration
Test the preceding setup by verifying the access setup. You do this by
accessing an object in the system group and another object outside this
range. Note the use of the user name my_user_2, the principal that was
mapped to my_group. The first request, for sysObjectID.0, lies inside
my_view and succeeds:
snmpget -mALL -v 3 -u my_user_2 -l authPriv -a MD5 -A my_password \
    -x DES -X my_password localhost sysObjectID.0
When you try to access an object outside the access range, the attempt
fails with an appropriate error:
snmpgetnext -mALL -v 3 -u my_user_2 -l authPriv -a MD5 -A my_password \
    -x DES -X my_password localhost ifTable
RFC1213-MIB::ifTable = No more variables left in this MIB View (It is
past the end of the MIB tree)
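Because the access entry was created with an empty write view, a set request from my_user_2 is refused as well. The decision the agent makes once these three rows exist, as an added example that is not part of this man page or of net-snmp: a Python model of the RFC 3415 isAccessAllowed check over the security-to-group, access and view tables, loaded with the rows from Examples 1 to 3. Beyond the page's own configuration it adds two assumed views, sys_no_contact (an included subtree with a child excluded as -Ce would exclude it) and ifrow3 (a mask with a zero bit), to show what the MASK argument and the -Ce flag actually do; the function names and those two views are assumptions for illustration, not anything the snmpvacm commands above create.

```python
# Added example, not code from this man page or from net-snmp: a model of the
# three VACM tables the snmpvacm subcommands fill and of the RFC 3415
# isAccessAllowed decision the agent makes with them. Rows come from Examples
# 1 to 3; the views "sys_no_contact", "ifrow3" and all names are assumptions.
from dataclasses import dataclass

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # SECURITYLEVEL values
EXACT, PREFIX = 1, 2                                # CONTEXTMATCH values
USM = 3                                             # security MODEL

def parse_oid(text):
    """'.1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)"""
    return tuple(int(x) for x in text.strip(".").split("."))

def mask_bits(mask_hex, length):
    """One mask bit per sub-identifier: bit 7 of the first octet governs the
    first sub-identifier, positions past the end of the mask count as 1, so
    the default MASK of FF wildcards nothing."""
    bits = [(b >> i) & 1 for b in bytes.fromhex(mask_hex) for i in range(7, -1, -1)]
    return (bits + [1] * length)[:length]

@dataclass(frozen=True)
class ViewFamily:            # one createView row: NAME SUBTREE MASK [-Ce]
    view: str
    subtree: tuple
    mask: str = "FF"
    included: bool = True    # False for a row created with -Ce

@dataclass(frozen=True)
class AccessEntry:           # one createAccess row
    group: str
    context_prefix: str
    model: int
    level: int
    context_match: int
    read_view: str
    write_view: str
    notify_view: str

def in_view(families, view, oid):
    """RFC 3415 4.2: the OID is in the view if the most specific matching
    family (longest subtree, then lexicographically greatest) is included.
    A sub-identifier is compared only where its mask bit is 1."""
    best = None
    for fam in families:
        if fam.view != view or len(oid) < len(fam.subtree):
            continue
        bits = mask_bits(fam.mask, len(fam.subtree))
        if all(b == 0 or o == s for b, o, s in zip(bits, oid, fam.subtree)):
            if best is None or (len(fam.subtree), fam.subtree) > (len(best.subtree), best.subtree):
                best = fam
    return best is not None and best.included

def select_access(entries, group, context, model, level):
    """RFC 3415 4.1: keep the group's rows whose model matches, whose level
    does not exceed the request's and whose context rule matches; prefer
    exact over prefix match, then a longer prefix, then a higher level.
    snmpvacm only accepts MODEL > 0, so the 'any' model is left out."""
    cands = [e for e in entries
             if e.group == group and e.model == model and e.level <= level
             and ((e.context_match == EXACT and context == e.context_prefix) or
                  (e.context_match == PREFIX and context.startswith(e.context_prefix)))]
    if not cands:
        return None
    return max(cands, key=lambda e: (e.context_match == EXACT, len(e.context_prefix), e.level))

def is_access_allowed(sec2group, access, families, model, sec_name, level,
                      context, view_type, oid):
    """securityName -> group -> access row -> view -> OID; RFC 3415 status name."""
    group = sec2group.get((model, sec_name))
    if group is None:
        return "noGroupName"
    row = select_access(access, group, context, model, level)
    if row is None:
        return "noAccessEntry"
    view = getattr(row, view_type + "_view")   # view_type: read, write or notify
    if view == "":
        return "noSuchView"
    return "accessAllowed" if in_view(families, view, oid) else "notInView"

# Constructed tables: the rows created in Examples 1 to 3, plus two assumed views
SEC2GROUP = {(USM, "my_user_2"): "my_group"}   # createSec2Group 3 my_user_2 my_group
ACCESS = [AccessEntry("my_group", "", USM, AUTH_PRIV, EXACT, "my_view", "", "")]
VIEWS = [
    ViewFamily("my_view", parse_oid(".1.3.6.1.2.1.1")),   # createView my_view .1.3.6.1.2.1.1 FF
    ViewFamily("sys_no_contact", parse_oid(".1.3.6.1.2.1.1")),
    ViewFamily("sys_no_contact", parse_oid(".1.3.6.1.2.1.1.4"), included=False),  # as with -Ce
    # ifEntry.<any column>.3: FFB0 clears the bit of the 10th sub-identifier, the column
    ViewFamily("ifrow3", parse_oid(".1.3.6.1.2.1.2.2.1.1.3"), mask="FFB0"),
]

def check(sec_name, level, view_type, oid_text, context=""):
    return is_access_allowed(SEC2GROUP, ACCESS, VIEWS, USM, sec_name, level,
                             context, view_type, parse_oid(oid_text))

if __name__ == "__main__":   # the two requests of Example 4
    print(check("my_user_2", AUTH_PRIV, "read", ".1.3.6.1.2.1.1.2.0"))  # accessAllowed
    print(check("my_user_2", AUTH_PRIV, "read", ".1.3.6.1.2.1.2.2"))    # notInView
```

check() returns the RFC 3415 status name: for the two requests of Example 4 it gives accessAllowed for sysObjectID.0 and notInView for ifTable, which is what the endOfMibView reply above reflects. A request at authNoPriv returns noAccessEntry because the access entry was created with level 3, and a write to sysName.0 returns noSuchView because the write view is empty. In the assumed views, sysContact.0 is hidden from sys_no_contact by the more specific excluded subtree while sysName.0 stays visible, and ifrow3 admits every column of ifEntry for row 3 only. The "any" security model (0) is not modelled because snmpvacm only accepts MODEL values greater than zero.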
EXIT STATUS
0
Successful completion.
1
A usage syntax error. A usage message displays. Also used for
time-out errors.
2
An error occurred while executing the command. An error message
displays.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWsmcmd │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Stable │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSO
snmpusm(1M), snmpwalk(1M), snmpd.conf(4), attributes(5)
RFC 3415
SunOS 5.10 2 Oct 2003 snmpvacm(1M)