SNMP Manager Programmer's Guide

Introduction to Manager Services
SNMP Manager Programmer’s Guide 134249
Request Authentication
Before an SNMP request is processed, the receiving entity (agent or subagent)
authenticates the request to determine whether the sending entity (manager) is qualified
to perform the operation in the request. Request authentication rules vary from vendor
to vendor.
Many SNMP agents use a two-step process to determine whether to process manager
requests:
1. The community name contained in the request packet is examined. If a requested
operation is authorized for the manager passing a particular community name, the
agent continues to process the request; otherwise the agent discards the request and
returns an authenticationFailure trap to the manager. This process is known as
community name authentication.
2. If a request passes community name authentication, it is then subjected to MIB
object access authentication. Get and GetNext requests can operate on read-only
MIB objects. Get, GetNext, and Set requests can operate on read-write objects.
While this two-step authentication process is used by many vendors, you should become
acquainted with the exact request authentication algorithm implemented by agents and
subagents responsible for the MIB objects your manager handles.
All agents and subagents that run in NonStop Kernel environments implement the MIB
object access authentication described above. The extent to which additional request
authentication occurs depends on whether your manager communicates with a NonStop
agent using the IPC protocol or TCP/IP.
Requests received over TCP/IP are authenticated like this:

When a NonStop agent receives a request over TCP/IP, it examines the community
name and IP address in the request packet. If the name and address values appear in
one of the NonStop agent’s authentication table entries, request processing proceeds.
The NonStop agent then determines whether the type of request is authorized by the
access attribute associated with the authentication table entry. An access attribute of
READONLY means that only Get and GetNext requests can be accepted. An access
attribute of READWRITE means that Set, Get, and GetNext requests can be
accepted.

Requests for MIB objects under the control of subagents are passed to subagents for
processing. Some subagents perform additional authentication based on the
community name, IP address, and a password appended to the community name:

    agent-community-string::subagent-password

All the MIB objects under the control of the NonStop agent except zagInProfile
group objects in the NonStop agent’s private MIB are accessible over TCP/IP. Refer
to the SNMP Configuration and Management Manual for complete information
about objects in the NonStop agent’s MIBs.
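The TCP/IP checks described above, modelled as an added example (not code from this guide or from the NonStop agent). The table layout, function names, sample community names and addresses are constructed; comparing only the part before "::" with the authentication table, by exact string match, is an assumption.

```python
"""Model of the TCP/IP request checks described above (illustrative only)."""
from dataclasses import dataclass
from enum import Enum

READ_OPS = frozenset({"Get", "GetNext"})

class Decision(Enum):
    NO_TABLE_ENTRY = "community name / IP address not in authentication table"
    ACCESS_ATTRIBUTE = "request type not allowed by the entry's access attribute"
    OBJECT_ACCESS = "Set attempted on a read-only MIB object"
    ACCEPT = "request passes all modelled checks"

@dataclass(frozen=True)
class AuthEntry:          # hypothetical layout of one authentication table entry
    community: str
    ip: str
    access: str           # "READONLY" or "READWRITE"

def split_community(raw):
    """Split 'agent-community-string::subagent-password'; password may be absent."""
    agent, sep, password = raw.partition("::")
    return agent, (password if sep else None)

def check_request(table, raw_community, src_ip, op, object_is_writable):
    """Return (Decision, subagent_password) for one incoming request."""
    if op not in READ_OPS and op != "Set":
        raise ValueError(f"unsupported request type: {op}")
    community, subagent_pw = split_community(raw_community)
    # Check 1: community name and IP address must both appear in one entry.
    # Assumption: only the part before '::' is compared, by exact match.
    entries = [e for e in table if e.community == community and e.ip == src_ip]
    if not entries:
        return Decision.NO_TABLE_ENTRY, None
    # Check 2: READONLY permits Get/GetNext only; READWRITE also permits Set.
    if op == "Set" and not any(e.access == "READWRITE" for e in entries):
        return Decision.ACCESS_ATTRIBUTE, None
    # Check 3: MIB object access authentication (Set needs a read-write object).
    if op == "Set" and not object_is_writable:
        return Decision.OBJECT_ACCESS, None
    # A password-checking subagent would verify subagent_pw itself at this point.
    return Decision.ACCEPT, subagent_pw

# Constructed sample table: documentation-range addresses, made-up names.
SAMPLE_TABLE = [
    AuthEntry("monitor", "192.0.2.10", "READONLY"),
    AuthEntry("operator", "192.0.2.20", "READWRITE"),
]
```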
Requests received using the IPC protocol are authenticated like this:
The NonStop agent does not use its authentication table to evaluate requests.