snmpvacm man page on SunOS

snmpvacm(1M)		System Administration Commands		  snmpvacm(1M)

NAME
       snmpvacm	 -  perform  maintenance  on an SNMP agent's View-based Access
       Control Module (VACM) table

SYNOPSIS
       /usr/sfw/bin/snmpvacm [common options] [subcommand options] AGENT
       subcommand subcommand-args

DESCRIPTION
       snmpvacm is an SNMP application that can be used to do maintenance on
       an SNMP agent's View-based Access Control Module (VACM) table. The VACM
       table defines a set of services that can be used for checking access
       rights, that is, checking whether a specific type of access to a
       specific managed object is allowed. snmpvacm supports three types of
       entries: group, view, and access. The agent maintains these entries in
       memory and stores VACM groups, views, and access entries in the
       persistent configuration file upon agent shutdown.

   Subcommands
       This section describes the snmpvacm subcommands.

       createSec2Group

	   Creates SNMPv3 security to group name entries. A group name is used
	   to define an access control policy for a group of principals.

	   snmpvacm [common options] createSec2Group MODEL SECURITYNAME GROUPNAME

	   MODEL

	       An integer greater than zero representing an SNMPv3 security
	       model, such as USM. The reserved values are as follows:

	       1

		   reserved for SNMPv1

	       2

		   reserved for SNMPv2c

	       3

		   User-Based Security Model (USM)

	   SECURITYNAME

	       A string representing a security name for the principal,
	       represented in a security-model-independent format, which is
	       mapped from this entry to a GROUPNAME.

	   GROUPNAME

	       A  string  that	identifies the group to which this table entry
	       (the combination of securityModel and securityName) belongs.

       deleteSec2Group

	   Deletes SNMPv3 security to group name entries. The group  entry  to
	   be deleted is indexed by the specified MODEL and SECURITYNAME.

	   snmpvacm [common options] deleteSec2Group MODEL SECURITYNAME

	   MODEL

	       An integer greater than zero representing an SNMPv3 security
	       model, such as USM. The reserved values are as follows:

	       1

		   reserved for SNMPv1

	       2

		   reserved for SNMPv2c

	       3

		   User-Based Security Model (USM)

	   SECURITYNAME

	       A string representing a security name for the principal,
	       represented in a security-model-independent format, which is
	       mapped from this entry to a GROUPNAME.

       createView

	   Creates a MIB view. A MIB view is a family of view subtrees,	 which
	   are pairings of OID subtree values with bit string mask values.

	   Each	 MIB view is defined by two sets of view subtrees, included in
	   or excluded from the MIB view.

	   snmpvacm [common options] [-Ce] createView NAME SUBTREE MASK

	   -Ce

	       An optional flag that sets the type of the view subtree to
	       "excluded", so that it is excluded from the MIB view. If not
	       used, the type defaults to "included".

	   NAME

	       A string representing a MIB view name that is associated with
	       a subtree/mask pairing.

	   SUBTREE

	       The  OID	 subtree  which	 when  combined with the corresponding
	       instance of MASK defines a family of view subtrees.

	   MASK

	       The bit mask, a hex string, which, in combination with the
	       corresponding instance SUBTREE, defines a family of view
	       subtrees.

	       The mask indicates which sub-identifiers of the associated
	       subtree OID are significant to a particular MIB view instance.

       deleteView

	   Deletes a MIB view. A MIB view is a family of view subtrees. A view
	   subtree is a pairing of an OID subtree value with a bit string mask
	   value.

	   snmpvacm [common options] deleteView NAME SUBTREE

	   NAME

	       A string representing a MIB view name that is associated with
	       a subtree/mask pairing.

	   SUBTREE

	       The  OID	 subtree  which,  when combined with the corresponding
	       instance of MASK, defines a family of view subtrees.

       createAccess

	   Creates SNMPv3 access configuration entries. These entries are used
	   to store the access rights defined for the groups. Each entry is
	   indexed by a group name, a context prefix, a security model, and a
	   security level. A group and a view need to be defined in order to
	   make use of the access check.

	   snmpvacm [common options] createAccess GROUPNAME
	   [CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL
	   CONTEXTMATCH READVIEWNAME WRITEVIEWNAME
	   NOTIFYVIEWNAME

	   GROUPNAME

	       The name of the group to which this access right applies.

	   CONTEXTPREFIX

	       A string that a contextName must match to gain access through
	       this entry: exactly when CONTEXTMATCH is set to "exact", or
	       partially when CONTEXTMATCH is set to "prefix".

	       If not specified, the value reverts to the  default,  an	 empty
	       string, "".

	   SECURITYMODEL

	       An  integer representing the securityModel that must be used in
	       order to gain access to this access right.

	   SECURITYLEVEL

	       An integer representing the minimum security level that must be
	       used  to	 gain access to this access right. A security level of
	       noAuthNoPriv is less than authNoPriv  and  authNoPriv  is  less
	       than authPriv.

	       Integer values supported:

	       1

		   noAuthNoPriv

	       2

		   authNoPriv

	       3

		   authPriv

	   CONTEXTMATCH

	       An  integer  whose value determines the type of match required.
	       When set to "exact", the context name must  exactly  match  the
	       value  in  CONTEXTPREFIX.  If set to "prefix", the context name
	       must match the first few starting characters of	the  value  in
	       CONTEXTPREFIX.

	       Integer values supported:

	       1

		   exact

	       2

		   prefix

	   READVIEWNAME

	       The authorized MIB view name used for read access. If the value
	       is an empty string, then there is no active view configured for
	       read access.

	   WRITEVIEWNAME

	       The authorized MIB view name used for write access. If the
	       value is an empty string, then there is no active view
	       configured for write access.

	   NOTIFYVIEWNAME

	       The authorized MIB view name used for notify access. If the
	       value is an empty string, then there is no active view
	       configured for notify access.

       deleteAccess

	   Deletes  SNMPv3  access  configuration entries, given a group name,
	   context prefix, security model, and security level.

	   snmpvacm [common options] deleteAccess GROUPNAME
	   [CONTEXTPREFIX] SECURITYMODEL SECURITYLEVEL

	   GROUPNAME

	       The name of the group to which this access right applies.

	   CONTEXTPREFIX

	       A string that a contextName must match to gain access through
	       this entry: exactly when CONTEXTMATCH is set to "exact", or
	       partially when CONTEXTMATCH is set to "prefix".

	   SECURITYMODEL

	       An integer representing the securityModel that must be used  to
	       gain access to this access right.

	   SECURITYLEVEL

	       An integer representing the minimum security level that must be
	       used to gain access to this access right. A security  level  of
	       noAuthNoPriv  is	 less  than  authNoPriv and authNoPriv is less
	       than authPriv.

	       The following integer values are supported:

	       1

		   noAuthNoPriv

	       2

		   authNoPriv

	       3

		   authPriv

EXAMPLES
       For the following examples, the user is my_user	and  the  password  is
       my_password.  Use  net-snmp-config  to create the first user (my_user).
       Then clone my_user to configure another	SNMPv3	user,  my_user_2.  See
       snmpusm(1M).

       Example 1: Creating a VACM Group Entry

       Create a VACM group entry, as follows:

       snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A \
	       my_password -x DES -X my_password localhost createSec2Group \
	       3 my_user_2 my_group

       Run snmpwalk(1M) to verify the group name was created:

       snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A \
	       my_password -x DES -X my_password localhost \
	       SNMP-VIEW-BASED-ACM-MIB::vacmGroupName

       In  addition  to	 other configured VACM group entries, you will note an
       entry such as the following:

       SNMP-VIEW-BASED-ACM-MIB::vacmGroupName.3."my_user_2" = STRING: my_group

       Example 2: Creating a MIB View Entry

       The command below creates a MIB view entry applicable only to the
       system group MIB.

       snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A \
	       my_password -x DES -X my_password localhost createView \
	       my_view .1.3.6.1.2.1.1 FF

       Run snmpwalk(1M) to verify the my_view MIB view was created:

       snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A \
	       my_password -x DES -X my_password localhost \
	       SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyTable

       In  snmpwalk output, observe the lines, such as those below, related to
       the my_view MIB view.

       SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyMask."my_view".2.1.3.6.1.2.1.1\
       = Hex-STRING: FF
       SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyType."my_view".2.1.3.6.1.2.1.1\
       = INTEGER: included(1)
       SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStorageType.\
       "my_view".2.1.3.6.1.2.1.1 = INTEGER: nonVolatile(3)
       SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStatus.\
       "my_view".2.1.3.6.1.2.1.1 = INTEGER: active(1)

       Example 3: Creating an Access Entry

       The command below creates an access entry using the following
       components:

	 ·  the "my_group" entry created above

	 ·  an empty prefix string ("")

	 ·  the USM security model (3)

	 ·  the security level (3)

	 ·  the context match (1)

	 ·  the read view name ("my_view")

	 ·  the write view name ("")

	 ·  the notify view name ("")

       snmpvacm -v 3 -u my_user -l authPriv -a MD5 -A \
	       my_password -x DES -X my_password localhost createAccess \
	       my_group "" 3 3 1 my_view "" ""

       Run snmpwalk(1M) to verify the access entry was created:

       snmpwalk -v 3 -u my_user -l authPriv -a MD5 -A \
	       my_password -x DES -X my_password localhost \
	       SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable

       SNMP-VIEW-BASED-ACM-MIB::vacmAccessContextMatch."my_group"."".3.authPriv\
       = INTEGER: exact(1)
       SNMP-VIEW-BASED-ACM-MIB::vacmAccessReadViewName."my_group"."".3.authPriv\
       = STRING: my_view
       SNMP-VIEW-BASED-ACM-MIB::vacmAccessWriteViewName."my_group"."".3.authPriv\
       = STRING:
       SNMP-VIEW-BASED-ACM-MIB::vacmAccessNotifyViewName."my_group"."".3.authPriv\
       = STRING:
       SNMP-VIEW-BASED-ACM-MIB::vacmAccessStorageType."my_group"."".3.authPriv\
       = INTEGER: nonVolatile(3)
       SNMP-VIEW-BASED-ACM-MIB::vacmAccessStatus."my_group"."".3.authPriv\
       = INTEGER: active(1)

       Example 4: Testing the Configuration

       Test  the preceding setup by verifying the access setup. You do this by
       accessing an object in the system group and another object outside this
       range. Note the use of the user name my_user_2.

       snmpget -mALL -v 3 -u my_user_2 -l authPriv -a MD5 \
	       -A my_password -x DES -X my_password localhost sysObjectID.0

       At this point, when you try to access an object outside the access
       range, the attempt fails with an appropriate error:

       snmpgetnext -mALL -v 3 -u my_user_2 -l authPriv -a MD5 \
	       -A my_password -x DES -X my_password localhost ifTable

	   RFC1213-MIB::ifTable = No more variables left in this MIB View (It is
	       past the end of the MIB tree)
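
       The access check that Example 4 exercises, together with the MASK semantics described under createView, as an added Python example (not part of the original man page and not the agent's own code). It follows the decision order of RFC 3415 over tables mirroring Examples 1-3; the function names, table layout and numeric OIDs are constructed for this illustration, the mask is taken as a plain hex string, and ties among several matching access entries are resolved by longest prefix, then highest level, a simplification chosen here.

```python
# Added example: VACM decision logic over the entries built in Examples 1-3.
def parse_oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))

def family_matches(oid, subtree, mask_hex):
    """True if oid is inside the view subtree family (SUBTREE, MASK)."""
    if len(oid) < len(subtree):
        return False
    mask = bytes.fromhex(mask_hex)
    for i, sub_id in enumerate(subtree):
        byte, bit = divmod(i, 8)
        # Mask bit i, most significant first; bits beyond the mask count as 1.
        significant = byte >= len(mask) or (mask[byte] >> (7 - bit)) & 1
        if significant and oid[i] != sub_id:
            return False
    return True

def in_view(oid, view_name, views):
    """views: (name, subtree, mask_hex, type) rows; longest matching subtree wins."""
    hits = [(len(st), st, typ) for name, st, mask, typ in views
            if name == view_name and family_matches(oid, st, mask)]
    return bool(hits) and max(hits)[2] == "included"

def check_access(model, sec_name, level, context, oid, kind, groups, access, views):
    group = groups.get((model, sec_name))      # createSec2Group mapping
    if group is None:
        return "noGroupName"
    rows = [a for a in access
            if a["group"] == group and a["model"] == model and level >= a["level"]
            and (context == a["prefix"] if a["match"] == 1
                 else context.startswith(a["prefix"]))]
    if not rows:
        return "noAccessEntry"
    best = max(rows, key=lambda a: (len(a["prefix"]), a["level"]))
    view_name = best[kind]                     # "read", "write" or "notify"
    if view_name == "":
        return "noSuchView"                    # empty name: no active view
    return "accessAllowed" if in_view(oid, view_name, views) else "notInView"

# Constructed tables mirroring Examples 1-3 on this page.
GROUPS = {(3, "my_user_2"): "my_group"}
VIEWS = [("my_view", parse_oid(".1.3.6.1.2.1.1"), "FF", "included")]
ACCESS = [{"group": "my_group", "prefix": "", "model": 3, "level": 3, "match": 1,
           "read": "my_view", "write": "", "notify": ""}]
SYS_OBJECT_ID = parse_oid(".1.3.6.1.2.1.1.2.0")   # sysObjectID.0
IF_TABLE = parse_oid(".1.3.6.1.2.1.2.2")          # ifTable
```

       With these tables, a read of sysObjectID.0 by my_user_2 at authPriv is allowed, ifTable is not in the view, and any write is refused because WRITEVIEWNAME is empty.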

EXIT STATUS
       0

	   Successful completion.

       1

	   A usage syntax error. A usage message displays. Also used for  time
	   out errors.

       2

	   An  error  occurred	while  executing the command. An error message
	   displays.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWsmcmd			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Stable			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       snmpusm(1M), snmpwalk(1M), snmpd.conf(4), attributes(5)

       RFC 3415

SunOS 5.10			  2 Oct 2003			  snmpvacm(1M)