20. Configuring MultiNet SNMP Services

 

 

This chapter explains how to configure MultiNet SNMP (Simple Network Management Protocol) agents. SNMP agents are the hosts managed by SNMP.

Understanding SNMP

SNMP is a protocol through which hosts called network management stations can obtain and modify information on other network hosts called SNMP agents.

Typical SNMP-based network management systems employ a host that has been configured as an SNMP agent from which the current network configuration of other network nodes can be analyzed and modified. Such management systems often provide graphical interfaces for these tasks.

 

SNMP Managers, Agents, and Traps

SNMP-managed networks typically include the following network entities:

Network Management Station (NMS)

Is a node that requests information about, or makes changes to, remote nodes. The NMS interface is completely vendor-specific. MultiNet performs basic SNMP via the MULTINET SET and MULTINET SHOW commands using the /SNMP_HOST qualifiers (see the Performing SNMP Functions with MultiNet section).

SNMP agent

This software allows the local network configuration to be examined or modified by an NMS. MultiNet provides an SNMP agent in the form of the SNMP service.

 

The data managed by an SNMP agent is called the Management Information Base (MIB). The MultiNet SNMP agent supports the current Internet standard MIB known as MIB-II, described in the file RFC1213-MIB.

 

MultiNet manages MIBs according to the IETF draft “draft_ref_dhcp_server_mib-02.txt”. Both RFC1213-MIB and “draft_ref_...” are found on the IETF website.

 

MultiNet SNMP agent software is extensible. To have private MIBs served by the MultiNet SNMP agent, develop a shareable image that exports the APIs in the private MIBs plus the routines needed to access the MIB variables. See the MultiNet for OpenVMS Programmer’s Reference - SNMP Extensible Agent API Routines.

Traps

Traps receive requests such as non-authenticated SNMP requests that are not handled directly by the SNMP agent. Traps are sent only to clients configured to receive traps, as defined in the SNMP agent configuration file (SNMPD.CONF). The agent supports all traps defined in the SNMP protocol, except EGP-Neighbor-Loss, Warm-Start, and Enterprise-Specific.

 

Before an NMS can obtain or modify network configuration data, the NMS must be authenticated by the agent. The agent compares a community string sent by the manager to the local read or write community strings.

 

The agent must authenticate community strings sent by the NMS before authenticating requests:

·         For read operations, the NMS string must match the agent’s read community string.

·         For write operations, the NMS string must match the agent’s write community string.

 

Configuring MultiNet SNMP Services

The following is an overview of how to configure a host as an SNMP agent. Each step is discussed in detail following this overview.

1. Enable the SNMP service (see the Enabling the SNMP Service section).

2. Configure an SNMP subagent by setting the subagent image (see the Configuring SNMP Subagents (except AgentX) section).

3. Edit the SNMP configuration file (see the Configuration File section).

4. Restart the master server.

When the MultiNet SNMP agent starts, it obtains configuration data from the MULTINET:SNMPD.CONF file. Since the SNMPD.CONF file does not exist, you need to create it using a text editor.

Enabling the SNMP Service

To enable the SNMP service using the SERVER-CONFIG utility:

1. Start SERVER-CONFIG:

$ MULTINET CONFIGURE /SERVERS

2. Enable the SNMP service:

SERVER-CONFIG>ENABLE SNMP

3. If desired, enable SNMP service on specific VMScluster nodes, or restrict access to the service as described in Chapter 12.

4. Save the modified service configuration.

SERVER-CONFIG>SAVE
[Writing configuration to MULTINET_COMMON_ROOT:[MULTINET]SERVICES.MASTER_SERVER]

5. Restart the MULTINET-SERVER process:

SERVER-CONFIG>RESTART

6. Exit the utility:

SERVER-CONFIG>EXIT

 

Private MIB Application Program Interface

In addition to SMUX and AgentX, MultiNet’s SNMP agent supports subagents serving private MIBs through an application programming interface (API). Under this scheme, anyone willing to have their private MIBs served by MultiNet’s SNMP agent should develop a shareable image that exports the APIs in them in addition to the routines they may need for accessing the MIB variables.

The SNMP API routines are described in Chapter 5 of the MultiNet for OpenVMS Programmer's Reference, SNMP Extensible Agent API Routines.

 

Configuring SNMP Subagents (except AgentX)

To configure an SNMP subagent on your host using the SERVER-CONFIG utility:

1. Start SERVER-CONFIG:

$ MULTINET CONFIGURE /SERVERS

2. Select the SNMP service:

SERVER-CONFIG>SELECT SNMP

3. Set the subagent-image:

SERVER-CONFIG>SET SUBAGENT-IMAGE

You can now delete old entries or add new ones. Enter the name of one subagent per prompt, until finished. When finished, press Return at the prompt. Do not enter the .EXE extension.

4. Save the modified server configuration and exit.

SERVER-CONFIG>SAVE
[Writing configuration to MULTINET_COMMON_ROOT:[MULTINET]SERVICES.MASTER_SERVER]

5. Restart the MULTINET-SERVER process:

SERVER-CONFIG>RESTART

6. Exit the utility:

SERVER-CONFIG>EXIT

 

SNMP Multiplexing Peers

The SNMP Multiplexing (SMUX) protocol is an SNMP subagent extension protocol. Each subagent or peer registers a MIB subtree with the SNMP Agent. Requests for objects residing in a registered MIB subtree are passed from the SNMP Agent using the SMUX protocol to the subagent. The subagent passes the results of an SNMP query back to the SNMP Agent. The practical limit to the number of peers is 30.

Enabling SMUX (DEFINE/SYSTEM/EXEC MULTINET_SNMP_SMUX 1) when there are no SMUX subagents to use it can interfere with walking of the SNMP management base due to the SMUX MIB returning NoSuchName when no subagents exist. SMUX is an historical protocol, and should not be enabled unless there are subagents that will be using it. Specific items in the SNMP management base that appear after the SMUX MIB can still be queried when they are accessed from the start of their management base.

The SNMP server only accepts SMUX connections from peers listed by IP address in the SNMPD.CONF file. To enable SMUX support, issue the following command before starting SNMP:

$ DEFINE/SYSTEM/EXECUTIVE MULTINET_SNMP_SMUX 1

 

SMUX_PEER  ip-address

The SNMP agent listens on TCP port 199 for peer connections, while the connection to the SNMP client is over UDP port 161, with traps sent over UDP port 162. Multiple peers registering the same subtree are each assigned a priority, and the agent can send multiple variables in a single request. The SMUX protocol is described in RFC 1227.

 

SNMP Agent Extensibility (AgentX) Peers

The SNMP agent listens on TCP port 705 for subagent connections. The AgentX framework consists of a single processing entity called the master agent. This master agent, available on the standard transport address, sends and receives SNMP protocol messages in an agent role but has little or no direct access to management information. While some of the AgentX protocol messages appear similar in syntax and semantics to the SNMP, remember that AgentX is not SNMP. Refer to RFCs 2741 and 2742 for complete AgentX information. The SNMP server only accepts AgentX connections from peers listed in the SNMPD.CONF file. To enable AgentX support, issue the following command before starting SNMP:

$ DEFINE/SYSTEM/EXECUTIVE MULTINET_SNMP_AGENTX 1

or

$ MULTINET CONFIGURE/NET
NET-CONFIG>SET SNMP-AGENTX TRUE

 

Setting Up MultiNet to Use HP Insight Manager

HP Insight Manager support has been added to MultiNet. The HP Insight Manager (CIM) uses the SNMP extensibility provided by Agent X to allow remote examination and notification of system conditions that may need attention. Remote management agents like CIM allow systems administration personnel to manage more systems while still meeting response time goals by providing access to critical information from a central location. The remote management agent communicates with the SNMP agent on the system being managed, which then sends the request to a program specifically designed to manage a particular component of the system.

Customers desiring to run HP Insight Manager (OpenVMS 7.1 and later) need to obtain TCP/IP Services v5.1 or greater for OpenVMS from HP in order to get the TCPIP$ESNMP_SHR.EXE and TCPIP$HR_MIB.EXE images. Contact HP Enterprise (www.hpe.com) to get the kit for TCP/IP Services v5.1 or greater.

HP Insight Manager is only available on Alpha and Itanium systems with VMS 7.1 or higher. Please follow these instructions.

1. Install MultiNet

2. Install HP Management Agents

3. Copy the TCP/IP Services kit from HP’s site, checking for latest patches

4. Extract TCPIP$ACCESS_SHR.EXE and TCPIP$ESNMP_SHR.EXE (PRODUCT EXTRACT FILE/SELECT=filename) from the TCPIP Services kit and place them in SYS$SHARE:.

5. Copy TCPIP$ESNMP_SHR.EXE to SYS$SHARE:UCX$ESNMP_SHR.EXE

6. Extract TCPIP$HR_MIB.EXE from the TCPIP Services kit and place in SYS$SYSTEM:

$ DEFINE/SYSTEM/EXECUTIVE MULTINET_SNMP_AGENTX 1
$ DEFINE/SYSTEM TCPIP$AGENTX_INET_PORT 705
$ DEFINE/SYSTEM TCPIP$AGENTX_LOCAL_PORT 705

 

Note: Make sure all files extracted from the TCP/IP Services kit have WORLD:RE protection.

 

 

7. Add the following to MULTINET:SNMPD.CONF:

AGENTX_PEER 127.0.0.1
community elmginkgo 127.0.0.1 read   ! and other community strings as needed

8. Comment out SMUX_PEER from MULTINET:SNMPD.CONF

9. Restart SNMP with this command:

$ MULTINET NETCONTROL SNMP RELOAD

or

$ START MULTINET

10. Start HP Insight Manager

11. Run /process=HR_MIB SYS$SYSTEM:TCPIP$HR_MIB

The Host Resources MIB (RFC 1514) supplied with TCP/IP Services will now work with SNMP.

The new ESNMP client interface in HP's TCP/IP services v5.1 or greater uses Agent X to allow others to provide additional objects for SNMP to manage. HP's Insight Management Agents for OpenVMS are written to use the ESNMP client interface, hence the addition of Agent X protocol allows them to be used with MultiNet.

By using the ESNMP library, or Agent X directly, writers of TCP/IP services can allow the state of the service to be queried and controlled remotely. This can be useful if the service does not have a user interface, or runs under batch, or as a detached process.

 

Configuration File

The SNMP configuration file SNMPD.CONF is located in the MULTINET_ROOT directory. The SNMP file defines:

·         Values for a subset of MIB management objects

·         Clients and communities who can access the SNMP agent

·         MIB access privileges for each client and community

·         Authentication Failure, Link Up, and Link Down traps' status

·         Originating addresses for traps

·         SMUX peer details

·         Agent X peer details

After editing the configuration to fit your needs, stop and restart the SNMP agent so that the changes can take effect. If you do not edit the configuration file, the SNMP agent uses default values.

 

File Format

Follow these guidelines when entering data in the SNMP configuration file:

·         Allow one line for each item.

·         Enter information in any order, in upper- or lowercase.

·         Enter variable string information (id-string and contact-name) in upper- or lowercase, depending on the operating system. Some SNMP clients on your network (such as those running UNIX) might require information in a specific case.

·         Use a pound sign (#) or an exclamation point (!) to denote comments. SNMP ignores all information following these characters.

·         Place quotation marks (" ") around strings that contain spaces or that require more than one line in the file, and around the comment characters when used as regular characters.

 

Values for MIB Objects

To define the values of several MIB objects in the SNMP configuration file, use the corresponding keywords listed in the below table.

MIB object name...                                          Has keyword...
system.sysDescr                                             SYSDESCR
system.sysContact                                           SYSCONTACT
system.sysLocation                                          SYSLOCATION
if.ifTable.ifEntry.ifDescr and if.ifTable.ifEntry.ifSpeed   INTERFACE
system.sysServices                                          SYSSERVICES

 

The following paragraphs explain how to define each item.

SYSDESCR [ id-string ]

The id-string is the full name of the hardware, operating system, and networking software. For example:

SYSDESCR "AlphaServer 8400, VMS V7.1, Process Software MultiNet for OpenVMS"

If you omit the id-string, MultiNet tries to obtain this information from your current system. If the attempt fails, the default is System description is unknown. Try again, entering a different id-string.

 

SYSCONTACT [ contact-name ]

The contact-name specifies the person to contact for the host, and how you can contact this person (such as by mailbox address). For example:

SYSCONTACT "John Smith, X 1234, smith@process.com"

The default is System contact is unknown at this time. Try again, entering a different contact-name.

 

SYSLOCATION [ system-location ]

The system-location specifies the geographical location of the host. For example:

SYSLOCATION "Main Street, Anytown, MA"

The default is: System location is unknown at this time. Try again, entering a different system-location.

 

INTERFACE [ line-id  line-speed  description ]

The line-id specifies the line identification for the IP layer network device. The line-speed specifies the line speed in bits per second. The description is the manufacturer's name, product name, and hardware version for the interface. For example:

INTERFACE SE0-1 10000000 "DELQA Ethernet Controller Version 1.0"

 

SYSSERVICES [ services-set-number ]

The services-set-number default is 72. RFC 1213, Management Information Base for Network Management of TCP/IP-based Internets: MIB-II, explains how to calculate the value of services-set-number.

 

HOSTID ip-address

Specifies the IP address to use as the source address for traps sent either from the SNMP Agent or from the TRAP_GEN program.  If this is not specified the address of the first interface (often SE0) is used.  When this is specified it is checked against the addresses of the interfaces present on the system.

 

Community Parameters

The SNMP configuration file must contain the following information for each client permitted access to the SNMP agent:

COMMUNITY community-name internet-address type

 

community-name

Specifies the name of the community to which the client belongs.

internet-address

Specifies the client's internet address.

 

If you enter 0.0.0.0, any address can use the community. The internet address can be optionally followed by /mask for READ and WRITE.

type

Defines the access profile as one of the following:

 

·         READ - The client can retrieve data from the MIB on this host.

·         WRITE - The client can retrieve data from and write data to the MIB on this host.

·         TRAPS - The client will receive all enabled traps.

 

The following is an example of some community parameters defined in the configuration file.

community northeast  192.168.4.56  READ
community northeast  192.168.220.1 WRITE
community southwest  192.168.23.1  WRITE
community southwest  192.168.23.1  TRAPS

·         Client 192.168.4.56 in the northeast community has READ access to the MIB, while client 192.168.220.1 in the same community has WRITE access.

·         Client 192.168.23.1 belongs to the southwest community. This community has WRITE access to the MIB and can receive all traps.

 

Template Configuration File

SNMP Services provides a TEMPLATE_SNMPD.CONF file in MULTINET_COMMON:[MULTINET] that you can use as a basis:

! SNMP Agent (SNMPD) Configuration File (template)
!
! System description: sysdescr <id string>
! Typically the id string would include:
! VAX cpu model (such as MicroVAX II, VAX 8650, etc)
! VMS and version number
! "Process Software MultiNet for OpenVMS Version 5.5"
!
sysdescr "place system description string here"
!

! System Contact: syscontact <contact name>
!
syscontact "place name, phone number, and mail address of administrator
here"
!
! System Location: syslocation <location>
!
syslocation "place system location information here"

! Line Interfaces Information: interface <line-id> <line speed>
! <description>
! Note: You usually need not define these. SNMPD provides good defaults.
!
! <line-id> is one of LPB-, ETHER-, UNA-, QNA-, BNA-, SVA-, MNA-,ISA-,KFE,
! MXE-, ERA-, EWA-,CEC-, EIA-, CLIP-, ELA-,FDDI-,MFA-,FZA-, FAA-, FEA-,
! FQA-, FPA-, TR-, TRA-,TRE-, TRW-,PRO-, HYP-, DSV-, DSB-,DST-, X25-,SLIP,
! DECnet-, PPP-,PSD- followed by a unit number. Note that the unit number

! may be an encoding of the controller when the device is an ethernet
! adapter.
!
! (A = 0, B= 1, C=2, etc.)
!
! <line-speed> is an integer in bits per second of the data rate of the
! device
!
! <description> is a quoted string describing the device.
!
!interface una-0 10000000 "HEWLETT-PACKARD DELUA Ethernet controller"
!
! Communities:
! community <community name> <internet address>
! <READ | WRITE | TRAPS>
!
community readers   192.168.1.2   READ
community netman    192.168.2.3   WRITE
community nettraps  192.168.3.4   TRAPS
!
! To disable authentication traps, remove the "!" from the following
! line.
!no-auth-traps
!
! To disable link status traps, remove the "!" from the following
!line.
!no-link-traps
!
! SMUX Peers:
! AGENTX_PEER <ip-address>
! SMUX_PEER <ip-address>
!
AGENTX_PEER 192.168.6.7
SMUX_PEER 192.168.4.5
SMUX_PEER 192.168.5.6

 

AGENTX_PEER ip-address - The SNMP server only accepts AGENT X connections from peers listed by IP address in the SNMPD.CONF file. Use the following syntax in the file:

AGENTX_PEER ip-address

The COMMUNITY, SMUX_PEER, and AGENTX_PEER statements in the SNMPD.CONF file can take an optional mask after the internet address. The mask should be separated from the internet address with a / (slash). Valid values are from 0 to 32, with 32 being the default. Although the TRAPS community accepts a mask, it is not used currently.

For example:

community ournet 192.168.1.10 write   !implied /32
community ourmgr 192.168.1.0/24 read

The /24 specifies that only the first 24 bits must match. In this example, IP addresses from 192.168.1.0 to 192.168.1.255 can use the community ourmgr. A more restrictive IP address may be used within a less restrictive one. For example:

community process 192.168.6.0/24 READ
community process 192.168.6.42 WRITE

This allows all nodes in 192.168.6 to have READ access with the community name process and 192.168.6.42 to have WRITE access with the community name process.
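The following added example (not from the MultiNet documentation or software) parses the COMMUNITY, SMUX_PEER and AGENTX_PEER statements using the file-format and mask rules described above, computes the access a given client gets, and lists entries that grant wide access. It assumes that overlapping entries resolve to the most permissive match, which this chapter does not state; the sample file and all function names are constructed for the illustration.

```python
import ipaddress

RANK = {"NONE": 0, "READ": 1, "WRITE": 2}   # WRITE also grants READ
# Constructed sample: statement forms from this chapter, values made up.
SAMPLE = '''\
sysdescr "Lab node # 7 ! test"         ! comment chars inside quotes are literal
community process 192.168.6.0/24 READ
community process 192.168.6.42 WRITE   !implied /32
community public 0.0.0.0 read
community netops 10.0.0.0/8 WRITE      # very wide write scope
community nettraps 192.168.3.4 TRAPS
AGENTX_PEER 127.0.0.1
smux_peer 192.168.4.0/24
'''

def statements(text):
    """One statement per line; # or ! starts a comment; quotes make text literal."""
    stmts, tokens, cur, quoted, comment = [], [], None, False, False
    for ch in text + "\n":
        if quoted:                      # inside "...": literal, may span lines
            quoted = ch != '"'
            cur += ch if quoted else ""
        elif ch == "\n":                # end of statement
            tokens += [cur] if cur is not None else []
            if tokens:
                stmts.append(tokens)
            tokens, cur, comment = [], None, False
        elif comment or ch in "#!":     # rest of the line is a comment
            comment = True
        elif ch == '"':
            quoted, cur = True, cur or ""
        elif ch.isspace():
            tokens += [cur] if cur is not None else []
            cur = None
        else:
            cur = (cur or "") + ch
    return stmts

def to_network(addr):
    """Optional /mask (0 to 32, default 32); bare 0.0.0.0 means any address."""
    host, _, mask = addr.partition("/")
    mask = mask or ("0" if host == "0.0.0.0" else "32")
    return ipaddress.ip_network(f"{host}/{mask}", strict=False)

def parse_acl(text):
    """Return (keyword, community, network, access) for the access statements."""
    entries = []
    for tok in statements(text):
        kw = tok[0].upper()             # keywords are case-insensitive
        if kw == "COMMUNITY" and len(tok) == 4:
            entries.append((kw, tok[1], to_network(tok[2]), tok[3].upper()))
        elif kw in ("SMUX_PEER", "AGENTX_PEER") and len(tok) == 2:
            entries.append((kw, None, to_network(tok[1]), "PEER"))
    return entries

def effective_access(entries, community, client_ip):
    """Assumption: overlapping entries resolve to the most permissive match."""
    ip = ipaddress.ip_address(client_ip)
    hits = [a for kw, n, net, a in entries
            if kw == "COMMUNITY" and n == community and a in RANK and ip in net]
    return max(hits, key=RANK.get, default="NONE")

def audit(entries):
    """Flag entries worth a second look before the agent is restarted."""
    findings = []
    for kw, name, net, access in entries:
        label = f"{kw} {name} {net}" if name else f"{kw} {net}"
        if access in ("READ", "WRITE") and net.prefixlen == 0:
            findings.append(f"{label}: {access} from any address")
        elif access == "WRITE" and net.prefixlen < 32:
            findings.append(f"{label}: WRITE for {net.num_addresses} addresses")
        elif access == "PEER" and net.prefixlen < 32:
            findings.append(f"{label}: subagent peer is a range, not one host")
    return findings
```

Calling audit(parse_acl(text)) on the contents of SNMPD.CONF before reloading the agent shows which community and peer entries cover more than a single host.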

The following command can be used to display enabled SNMP Agent X subagents in the output of the SHOW command:

$ MULTINET CONFIGURE /NETWORK
NET-CONFIG>SET SNMP-AGENTX TRUE
NET-CONFIG>SET SNMP-AGENTX FALSE

TRUE enables SNMP Agent X service; FALSE disables SNMP Agent X service. A line displays in the output of the SHOW command if SNMP Agent X subagents are enabled.

 

Sending SNMP Traps from MultiNet

SNMP traps can be sent from MultiNet in the following manner:

Define the symbol:

$ trap_gen :== $multinet:trap_gen


Then type:

$ trap_gen enterprise generic-trap specific-trap [trap-specific-values....]

enterprise identifies the location in the MIB tree that this trap pertains to. An example would be 1.3.6.1.4.105.3, which denotes a location in Process Software's portion of the MIB tree.

generic-trap is an integer representing the generic trap value.

specific-trap is an integer representing the specific trap value.

trap-specific-values are arbitrary strings separated by spaces that are passed to the agent receiving the trap as octet strings.

The TRAP_GEN program uses the trap community definitions in the MULTINET:SNMPD.CONF file to determine where to send the trap.

There is also a program available that will listen for traps and format them for display. In order to invoke this program, run MULTINET:TRAP_LISTEN.  It prompts for an optional file to log information to (default is the terminal) and the port number to listen on (default is 162).

 

Disabling Traps

All traps that the SNMP agent supports are initially enabled. You can disable traps by editing the configuration file. These changes take effect the next time you start the agent. This table shows how to disable traps.

Disable this trap...     By entering...
Authentication Failure   no-auth-traps
Link Up                  no-link-traps
Link Down                no-link-traps

 

 

Note: SNMP clients can enable or disable the Authentication Failure trap while the SNMP agent is running. These clients must have WRITE community access.

 

 

Generating Traps

To generate an SNMP trap, define the symbol:

$ TRAP_GEN :== $MULTINET:TRAP_GEN

Then type:

$ TRAP_GEN ENTERPRISE GENERIC-TRAP SPECIFIC-TRAP [TRAP-SPECIFIC-VALUES....]

 

enterprise

Identifies the location in the MIB tree that this trap pertains to. An example would be:  1.3.6.1.4.105.3, denoting a location in Process Software's portion of the MIB tree.

generic-trap

Is an integer representing the generic trap value.

specific-trap

Is an integer representing the specific trap value.

trap-specific-values

Are arbitrary strings separated by spaces that are passed to the agent receiving the trap as octet strings.

 

The TRAP_GEN program uses the trap community definitions in the MULTINET:SNMPD.CONF file to determine where to send the trap.

To specify a particular ip-address for SNMP traps to originate from, put the following line in MULTINET:SNMPD.CONF:

HOSTID ip_address

The ip_address specified is checked against those on the system when the line is parsed.

 

SNMP Log File

When the SNMP agent starts up, it creates a log file called MULTINET:SNMPSERVER.LOG. This file contains information about the activities of the SNMP agent, such as:

·         The time the agent starts up and shuts down.

·         When SMUX peers open or close a connection, and register or de-register a MIB tree.

·         Any errors found in the SNMP configuration file.

·         Any errors that occur when the agent is running.

 

Start, Shutdown, or Reload the SNMP Configuration without Rebooting

To start, shut down, or reload the SNMP configuration using NETCONTROL:

$ MULTINET NETCONTROL SNMP START
$ MULTINET NETCONTROL SNMP SHUTDOWN
$ MULTINET NETCONTROL SNMP RELOAD

MultiNet has a separate SNMP_AGENT process. Once the SNMP service is enabled via the MULTINET CONFIGURE/SERVERS command, the SNMP_AGENT process is accessible via the NETCONTROL commands. You can also enable the SNMP service using the MULTINET CONFIGURE/MENU command.

Performing SNMP Functions with MultiNet

The MULTINET SET and MULTINET SHOW commands accept the /SNMP_HOST qualifier for using remote host information.

The below table shows qualifiers you can use with the /SNMP_HOST qualifier in MULTINET SHOW commands to obtain information from remote SNMP agents.

Qualifier

Description

/COMMUNITY_NAME="string"

Specifies the community name string sent with this command to the remote host. The default is public.

 

 

Note: The case of the community name must match what is specified in SNMPD.CONF. The name must be specified in quotes unless it is all uppercase.

 

/CONNECTIONS[=ALL]

Displays network connections. If you use the =ALL argument, MULTINET SHOW also displays sockets on which servers are listening.

/ARP

Displays the Ethernet Address Resolution Protocol tables. This qualifier (or /ROUTE) must precede all other qualifiers.

/MIB_VAR[=variable_name]

Displays the value of the SNMP MIB variable, variable_name. The value can be any MIB-II variable described in RFC-1213. If you omit variable_name, all MIB variables are displayed.

/ROUTE

Displays routing information for the IP protocol. This qualifier (or /ARP) must precede all other qualifiers.

/STATISTICS[=protocol]

Causes MULTINET SHOW to display either network interface statistics or protocol statistics or both, as defined in MIB-II. If you specify /STATISTICS without a value, INTERFACE statistics are displayed.