Community Details for Authentication
Adding Communities for Managers
An SNMP Agent exposes critical information about the managed device or application through its management interface. To secure the system, the Agent has to control who may read that information and who may perform operations on it. The Authentication mechanism restricts which users are admitted and what information each of them can obtain, so that requests from unauthenticated parties are refused.
The AdventNet Java Agent supports Community-based Authentication for SNMPv1 and SNMPv2c requests. On receiving an SNMPv1 or SNMPv2c request from the Manager, the Agent checks the received Community string together with the received SNMP request type (GET, GET-NEXT, SET, etc.) against its authentication table, and only then processes the request.
Apart from authenticating v1/v2c requests, the Multi-Protocol Agent also supports View-based access. This facility is available only when vacl is enabled. Please refer to Enabling Authorization using VACM for more details.
Community Details for Authentication
An Agent authenticates a request based on the Community. Hence the community details, and the details of the Manager given access for that particular Community, have to be stored on the Agent side. To store these details you can make use of the aclTable present under AGENT-SNMP-CONFIG-MIB -> agentConfiguration group -> v1v2AuthenticationTables. This aclTable (.1.3.6.1.4.1.2162.10.3.1.2.1) maintains the set of authentication parameters given below:
aclCommunity - the Community used by the Manager to communicate with the Agent.
aclAccess - the maximum access for the Community, one of: No Access (0), Read_Only (1), Write_Only (2), Read_Write (3).
aclManager - IP address of the Manager that is allowed the specified access for the specified community. The default value is '0:0:0:0', which grants access to all Managers for the corresponding community.
aclStatus - the Row Status column.
Adding Communities to Managers
You can also add new communities and specify the Managers to be given access for each community. There are two ways to add communities to the Managers in the Authentication Table: (1) before Agent start-up or (2) during run time.
Before Agent Start-Up
Entries can be added to the Authentication Table before Agent start-up using the JMX Compiler UI, a Text/XML file, or API calls. To specify the entries before Agent start-up,
Using JMX Compiler UI
1. Create a Project and Load a MIB.
2. Select Project -> Settings from the menubar of JMX Compiler UI.
3. From the Adaptors -> SNMP panel, select the v1v2Authentication node.
4. Select aclTable.
5. Add entries to the table.
6. Click OK.
Text File / XML File
The entries configured through the JMX Compiler UI are stored in the configuration file AccessControlTable.xml or AccessControlTable.txt under the <Agent Toolkit Home>/jmxprojects/projectname/agent/bin/conf directory, depending on the storage type chosen. To choose the storage type,
1. Create a Project and Load a MIB.
2. Select Project -> Settings from the menubar of JMX Compiler UI.
3. From the Adaptors -> SNMP panel, select the v1v2Authentication node.
4. Select aclTable from the v1v2Authentication Panel.
5. Choose XML or Text from the Storage Option. By default XML is chosen.
This file has to be edited to add Manager entries. The AccessControlTable.xml given below has been edited to add a new Manager entry with Community "xxx" and IP address "1.192.68.200".

<?xml version="1.0" encoding="UTF-8"?>
<Table>
  <row>
    <column name="aclCommunity" value="public"></column>
    <column name="aclAccess" value="3"></column>
    <column name="aclManager" value="0:0:0:0"></column>
    <column name="aclStatus" value="1"></column>
  </row>
  <row>
    <column name="aclCommunity" value="xxx"></column>
    <column name="aclAccess" value="3"></column>
    <column name="aclManager" value="1.192.68.200"></column>
    <column name="aclStatus" value="1"></column>
  </row>
</Table>
Please note that the Agent has to be re-started for the changes to take effect.
Using API calls
By default, the code given below is generated in the Main file after the aclTable instantiation. Adding the highlighted example code would authenticate the requests sent from community "xxx" and Manager IP address "127.0.0.1", and also provide READ_WRITE access to the same.
// Instantiate the aclTable and choose the backing store for its rows
AclTable aclTable = new AclTable(snmpadaptor.getSnmpAgent());
aclTable.storeData("xml");
// Wrap the table in its MBean and describe it from the apiTablesxml descriptor
AclTableMBean aclMbean = new com.adventnet.adaptors.snmp.AclTableMBean(aclTable);
xmlLocation = "conf" + File.separator + "apiTablesxml" + File.separator + "AclTable.xml";
rmm = new RequiredModelMBean(
        com.adventnet.utils.jmx.Utilities.convertXmlToModelMBeanInfo(xmlLocation));
rmm.setManagedResource(aclMbean, "objectReference");
// Register the model MBean with the MBean server under the adaptor's name
String nameAcl = "Adaptors:type=SNMPAdaptor,name=AclTable";
server.registerMBean(rmm, new ObjectName(nameAcl));
During Run Time
To add Communities dynamically during run time to the aclTable,
From the Manager
To add an entry to the aclTable from the Manager,
Load the AGENT-SNMP-CONFIG-MIB in MIB Browser.
Select aclTable from the v1v2AuthenticationTables module of agentConfiguration group.
Selecting the table and clicking the SNMP Table icon in the MIB Browser opens a wizard in which entries can be added to the aclTable.
The entries added from remote get updated in the text/xml file.
Please note that it is possible to access the table from remote only if "Remote Configuration" option is enabled in the aclTable in v1v2Authentication Panel of Project -> Settings menu in JMX Compiler UI.
Using Run Time Memory
Run time memory can be used to store the Manager information in the Agent memory. Using this option does not store the entries in text files or in XML files. To use run time memory for adding Manager entries dynamically,
Create a Project and Load a MIB.
Select Project -> Settings from the menubar of JMX Compiler UI.
From the Adaptors -> SNMP panel, select the v1v2Authentication node.
Select aclTable from the v1v2Authentication Panel.
Select Runtime Memory from Storage Type combo box.
After this, follow the steps given in adding entries From the Manager (previous section). Please note that once the Agent is killed, the entries added are removed from memory.
You have seen how a Request is authenticated and how to add a community to the Agent. Let us see the consequences of a community not being authenticated.
If the received Community does not exist, the received message is dropped and an "AuthenticationFailure" Trap is generated by the Agent and sent to all registered Managers, provided the "snmpEnableAuthenTraps" flag of the RFC1213 snmpGroupCounters is set. By default, Failure Traps are generated when a community is not authenticated.
You can also disable the generation of Authentication Failure Traps. To do so, load the RFC1213 MIB in the MIB Browser and change the value of the snmpEnableAuthenTraps scalar variable in the snmp module from 1 (true) to 2 (false). The Agent will then not generate any Traps for this purpose.
If the Community exists but the aclAccess does not match the request type, a noAccess error or a noSuchName error is returned, depending on the version of the Agent.
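The decision described above, as an added example that is not part of the AdventNet documentation or toolkit: a small Python model of the v1/v2c community check, seeded with the two aclTable rows of the AccessControlTable.xml shown earlier. It assumes that a read request needs Read_Only or Read_Write and a SET needs Write_Only or Read_Write, that a community used from an address other than its aclManager is treated as unauthenticated, and (from the SNMP standards rather than this page) that a v1 Agent answers noSuchName while a v2c Agent answers noAccess.

```python
from dataclasses import dataclass

NO_ACCESS, READ_ONLY, WRITE_ONLY, READ_WRITE = 0, 1, 2, 3   # aclAccess values
ANY_MANAGER = "0:0:0:0"   # aclManager default: every Manager may use the community


@dataclass
class AclEntry:
    community: str
    access: int
    manager: str = ANY_MANAGER


# Constructed sample aclTable: the two rows of the AccessControlTable.xml shown above.
ACL_TABLE = [
    AclEntry("public", READ_WRITE),
    AclEntry("xxx", READ_WRITE, "1.192.68.200"),
]


def authenticate(community, request_type, manager_ip, version,
                 acl=ACL_TABLE, auth_traps_enabled=True):
    """Classify one v1/v2c request as ('ok' | 'drop' | 'error', detail)."""
    # Assumption: a row matches only when its aclManager is the wildcard or the sender.
    entry = next((e for e in acl if e.community == community
                  and e.manager in (ANY_MANAGER, manager_ip)), None)
    if entry is None:
        # Unknown community: the PDU is dropped; an authenticationFailure trap
        # is raised only while snmpEnableAuthenTraps is true(1).
        return ("drop", "authenticationFailure" if auth_traps_enabled else None)
    if request_type == "SET":
        allowed = entry.access in (WRITE_ONLY, READ_WRITE)
    else:                                   # GET, GET-NEXT, GET-BULK need read access
        allowed = entry.access in (READ_ONLY, READ_WRITE)
    if not allowed:
        # Community known but aclAccess does not cover the request type:
        # v1 has only noSuchName, v2c reports noAccess (SNMP standards, not this page).
        return ("error", "noSuchName" if version == 1 else "noAccess")
    return ("ok", None)
```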
Enabling Authorization using VACM
For security reasons, it is valuable to restrict the access rights of some groups to only a subset of the Management information in the Management domain. To provide this capability, access to a community is via a "MIB view" which details a specific set of managed object types within that community.
For example, for a given community, there will be one MIB view which provides access to all management information in that community, and often there will be other MIB views each of which contains some subset of the information.
So, the access allowed for a group can be restricted in the desired manner by specifying its rights, in terms of the particular (subset) MIB view it can access.
By implementing the View-based access feature, this requirement can be achieved.
Note: View-based access control for v1/v2c Agents is granted based on the Community specified in the aclTable.
Details of MIB Views to Managers
AdventNet Java Agent provides vaclTable (.1.3.6.1.4.1.2162.10.3.1.2.1.2) to store the MIB view and Community information on the Agent side. The vaclTable present under AGENT-SNMP-CONFIG-MIB -> agentConfigurationGroup -> v1v2Authentication module has the following columns:
aclCommunity (external index) - This column of the aclTable acts as an external index column for the vaclTable. Any Manager entry is given MIB View access based on the community specified in the aclTable.
vaclmibViews - The scalar or table OID for which the particular community (specified earlier) is given view access.
vaclviewStatus - The Row Status column with which rows are added to the table.
Adding Mib Views for Communities
Mib Views for a specified community can be specified in the vaclTable either : (1) Before Agent Start-Up or (2) During Run time.
Before Agent Start-Up
To add MibViews to a Community before Agent start-up,
Using JMX Compiler UI
1. Create a Project and Load a MIB.
2. Select Project -> Settings from the menubar of JMX Compiler UI.
3. Select the V1V2Authentication Panel.
4. Select vaclTable.
5. Click Add to add entries in the wizard.
Please note that the aclCommunity column in the aclTable should have entries before entries are added to the vaclTable.
Using Text/XML File
The entries configured using the JMX Compiler UI are stored in the configuration file ViewAccessControlTable.xml or ViewAccessControlTable.txt under the <Agent Toolkit Home>/jmxprojects/projectname/agent/bin/conf directory.
To choose the type of storage,
1. Create a Project and Load a MIB.
2. Select Project -> Settings from the menubar of JMX Compiler UI.
3. Select the V1V2Authentication Panel.
4. Choose vaclTable.
5. From the Storage Type combo box, select XML or Text as you prefer. By default XML is chosen.
This file has to be edited to add View Access for communities. The ViewAccessControlTable.xml given below has been edited to add a new entry with Community "private" and mibViews ".1.3.6.1.4.1".

<?xml version="1.0" encoding="UTF-8"?>
<Table>
  <row>
    <column name="aclCommunity" value="public"></column>
    <column name="vaclmibViews" value=".1.3.6"></column>
    <column name="vaclviewStatus" value="1"></column>
  </row>
  <row>
    <column name="aclCommunity" value="private"></column>
    <column name="vaclmibViews" value=".1.3.6.1.4.1"></column>
    <column name="vaclviewStatus" value="1"></column>
  </row>
</Table>
Please note that the Agent has to be re-started for the changes to take effect.
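An added example, not part of the AdventNet toolkit or its documentation: the Python below parses the two configuration files as shown on this page (AccessControlTable.xml and ViewAccessControlTable.xml, embedded here as constructed copies with the same rows) and decides whether a community may see a given OID. It assumes that vaclmibViews names a subtree, so matching is done on OID arcs rather than on the string (".1.3.6.1.4.1" must not match ".1.3.6.1.4.10"), and that a row counts only while vaclviewStatus is 1 (active). It also lists vaclTable communities that have no aclTable row, the condition the note in the JMX Compiler UI steps above warns about.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two files as shown on this page (same rows, same values).
ACCESS_CONTROL_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Table>
 <row><column name="aclCommunity" value="public"/><column name="aclAccess" value="3"/>
      <column name="aclManager" value="0:0:0:0"/><column name="aclStatus" value="1"/></row>
 <row><column name="aclCommunity" value="xxx"/><column name="aclAccess" value="3"/>
      <column name="aclManager" value="1.192.68.200"/><column name="aclStatus" value="1"/></row>
</Table>"""
VIEW_ACCESS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Table>
 <row><column name="aclCommunity" value="public"/><column name="vaclmibViews" value=".1.3.6"/>
      <column name="vaclviewStatus" value="1"/></row>
 <row><column name="aclCommunity" value="private"/><column name="vaclmibViews" value=".1.3.6.1.4.1"/>
      <column name="vaclviewStatus" value="1"/></row>
</Table>"""


def load_rows(xml_text):
    """Turn each <row> into a dict of column name -> value."""
    root = ET.fromstring(xml_text)
    return [{c.get("name"): c.get("value") for c in row.findall("column")}
            for row in root.findall("row")]


def oid_tuple(oid):
    """'.1.3.6.1.4.1' -> (1, 3, 6, 1, 4, 1); compare arcs, never strings."""
    return tuple(int(arc) for arc in oid.strip(".").split("."))


def views_for(community, vacl_rows):
    """Active (vaclviewStatus 1) view subtrees granted to a community."""
    return [oid_tuple(r["vaclmibViews"]) for r in vacl_rows
            if r["aclCommunity"] == community and r["vaclviewStatus"] == "1"]


def in_view(community, oid, vacl_rows):
    """True if oid lies inside any view subtree granted to the community."""
    target = oid_tuple(oid)
    return any(target[:len(view)] == view for view in views_for(community, vacl_rows))


def dangling_view_communities(acl_rows, vacl_rows):
    """vaclTable communities with no aclTable row (an aclTable entry must exist first)."""
    known = {r["aclCommunity"] for r in acl_rows}
    return sorted({r["aclCommunity"] for r in vacl_rows} - known)
```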
Using API Calls
Adding the highlighted code below to the generated Main file provides view access to the community xxx from the OID .1.3.6.1.4.1.
// Instantiate the vaclTable and choose the backing store for its rows
VaclTable vaclTable = new VaclTable(snmpadaptor.getSnmpAgent());
vaclTable.storeData("xml");
// Wrap the table in its MBean and describe it from the apiTablesxml descriptor
VaclTableMBean vaclMbean = new com.adventnet.adaptors.snmp.VaclTableMBean(vaclTable);
xmlLocation = "conf" + File.separator + "apiTablesxml" + File.separator + "VaclTable.xml";
rmm = new RequiredModelMBean(
        com.adventnet.utils.jmx.Utilities.convertXmlToModelMBeanInfo(xmlLocation));
rmm.setManagedResource(vaclMbean, "objectReference");
// Register the model MBean with the MBean server under the adaptor's name
String nameVacl = "Adaptors:type=SNMPAdaptor,name=VaclTable";
server.registerMBean(rmm, new ObjectName(nameVacl));
During Run Time
From the Manager
To add an entry to the vaclTable from the Manager,
Load the AGENT-SNMP-CONFIG-MIB in MIB Browser.
Select vaclTable from the v1v2AuthenticationTables module of agentConfiguration group.
Selecting the table and clicking the SNMP Table icon in the MIB Browser opens a wizard in which entries can be added to the vaclTable.
The entries added from remote get updated in the text/XML file.
Please note that it is possible to access the table from remote only if "Remote Configuration" is enabled in the v1v2Authentication Panel of Project -> Settings menu in JMX Compiler UI.
Using Run Time Memory
Run time memory can be used to store the Manager information in the Agent memory. Using this option does not store the entries in text files or in XML files. To use run time memory for adding Manager entries dynamically,
1. Create a Project and Load a MIB.
2. Select Project -> Settings from the menubar of JMX Compiler UI.
3. Select the V1V2Authentication Panel.
4. Select vaclTable.
5. Select RAM from Storage Type combo box.
After this, follow the steps given in adding entries From the Manager (previous section). Please note that once the Agent is killed, the entries added are removed from memory.