SNMP Subagent Programmer's Guide
Security Checker
2-80 119728—SNMP Subagent Programmer’s Guide
Programming Tutorials
This subagent illustrates subagent authentication, which a subagent can use to
determine whether to process a request based on information about the manager station
that sent it.
The Security Checker subagent is a modified version of the Nowaited Hello World
subagent. It performs the same operations as Nowaited Hello World, but it:
• Uses the mgmt_security() management function to obtain a request’s community
  string and originating IP address
• Provides its own access functions, which perform requested operations only if the
  community string contains the password provided when the subagent is invoked
Access to subagent MIB objects is controlled by both the NonStop agent and the
subagent:
• The NonStop agent passes requests to subagents when they are from a manager
  station configured in the agent’s authentication table. The community name and IP
  address associated with the manager station must match those in one of the
  authentication table entries. The SNMP Configuration and Management Manual
  describes how to configure authentication table entries.
• The subagent’s MIB object attributes and logic determine whether managers can
  access specific MIB objects and which operations managers can perform on those
  objects.
SNMP requests are processed in accordance with the access attributes of individual MIB
objects. Managers can perform Get and GetNext operations on read-only MIB objects
and Get, GetNext, and Set operations on read-write objects.
The mgmt_security() function provides subagents with the ability to apply a finer
granularity of MIB object access control. This management function makes available to
a subagent the community string and IP address associated with the manager station
from which a request is received. By using some or all of this information, your
subagent can employ such authentication strategies as:
• Processing requests only if they originate from a particular manager station
• Processing Get requests from any manager station, but Set requests from only
  particular manager stations
• Employing various authentication strategies for any particular MIB objects, so that,
  for example, one manager station can Get and Set values for an object, but another
  manager station can only Get values, even though the object is defined in the MIB as
  a read-write object
The format of the community string used for subagent authentication looks like this:
agent-community-string[::subagent-password]
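The following C code is an added example, not code from this guide or from the Security Checker subagent. It shows one way a subagent's access function could split a community string in this format, check the password, and allow Get from any station but Set only from listed stations. The names subagent_authorize, subagent_password, password_matches, set_stations and enum snmp_op are hypothetical; the example assumes the community string and IP address have already been obtained through mgmt_security(), that the IP address is held as a dotted-decimal string, and that the password is everything after the first double colon. The addresses and password are constructed sample values.

```c
#include <stddef.h>
#include <string.h>

enum snmp_op { OP_GET, OP_GETNEXT, OP_SET };   /* hypothetical request kinds */

/* Return the password part of "agent-community[::password]", or NULL
 * when the optional "::password" suffix is absent. */
static const char *subagent_password(const char *community)
{
    const char *sep = strstr(community, "::");
    return sep ? sep + 2 : NULL;
}

/* Compare without stopping at the first mismatch, so response time does
 * not reveal how many leading characters of a guess were correct. */
static int password_matches(const char *given, const char *expected)
{
    size_t glen = strlen(given), elen = strlen(expected), i;
    unsigned char diff = (unsigned char)(glen != elen);
    for (i = 0; i < elen; i++)
        diff |= (unsigned char)(given[i < glen ? i : glen] ^ expected[i]);
    return diff == 0;
}

/* Constructed sample policy: stations allowed to issue Set requests. */
static const char *const set_stations[] = { "192.0.2.10", "192.0.2.11" };

/* community and src_ip stand for the values obtained via mgmt_security()
 * (assumption: fetching them is not shown). expected is the password given
 * when the subagent was started. Returns 1 to process, 0 to refuse. */
int subagent_authorize(const char *community, const char *src_ip,
                       enum snmp_op op, const char *expected)
{
    const char *given;
    size_t i;

    if (!community || !src_ip || !expected || !*expected)
        return 0;                 /* fail closed on missing input */
    given = subagent_password(community);
    if (!given || !password_matches(given, expected))
        return 0;                 /* no suffix or wrong password */
    if (op != OP_SET)
        return 1;                 /* Get and GetNext: any station */
    for (i = 0; i < sizeof set_stations / sizeof set_stations[0]; i++)
        if (strcmp(src_ip, set_stations[i]) == 0)
            return 1;             /* Set: listed stations only */
    return 0;
}
```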
The agent community string must appear in one of the NonStop agent’s authentication
table entries. The agent community string, a double colon, and the subagent password
must appear in the manager station’s community string configuration. The agent