NAME
- mgr.pty - party configuration for SNMPv2 managers
SYNOPSIS
- PartyName PartyDiscriminator
- TDomain TAddress Port Lifetime MaxMsgSize
- partyIndex partyStorageType partyLocal partyAuthClock
- AuthPublicSecret | -
- AuthPrivateSecret | -
- PrivPublicSecret | -
- PrivPrivateSecret | -
DESCRIPTION
- The configuration file mgr.pty is one of several configuration files required by the SNMPv2 entities. The default location of mgr.pty is /etc/opt/snm/manager for Solaris 2.x and /etc/snm/manager for Solaris 1.x, but can be specified by the environment variable SR_MGR_CONF_DIR.
- The mgr.pty file is similar to the agt.pty(5) file used by agents; it defines the party table entries for the parties associated with the managers.
- Each entry in the file consists of 7 lines:
- PartyName PartyDiscriminator
- TDomain TAddress Port Lifetime MaxMsgSize
- partyIndex partyStorageType partyLocal partyAuthClock
- AuthPublicSecret | -
- AuthPrivateSecret | -
- PrivPublicSecret | -
- PrivPrivateSecret | -
- where
-
PartyName
- is a unique name for the party.
- This field is required and must map to an OID in the MIB.
-
PartyDiscriminator
- defines the authentication protocol to be used by this party:
- 1 or 2 defines this party as noauth/nopriv
- 3 or 4 defines this party as auth/nopriv
- 5 or 6 defines this party as auth/priv
- This field is an integer and must be present for SNMPv2 parties. If the corresponding TDomain is rfc1157Domain, this field is ignored. However, a value must be present, and an entry of 1 would be reasonable.
-
TDomain
- defines the transport domain for the party. There are two valid entries for the TDomain:
-
rfc1157Domain -- indicates this is a SNMPv1 community entry in the party table.
-
snmpUDPDomain -- indicates this is a SNMPv2 party entry.
-
Note: A party can be rfc1157Domain only if the entity is a bilingual entity, i. e., understands both SNMPv1 and SNMPv2. This file is not consulted when the entity is compiled to be SNMPv1 only.
-
TAddress
- used in conjunction with the Port field to define the destination address.
- This field must be present and is an IP address in dotted decimal form; i. e., 128.169.4.4.
-
-
Port
- used in conjunction with the TAddress field to define the destination address.
- This field must be present and is an integer.
-
partyIndex
- used by the aclTable to match a party entry with its access privileges.
-
Note: This must be a unique value for each party table entry.
- This field is an integer in the range of 1 to 65535, inclusive.
-
partyStorageType
- indicates the storage type for this row in the party table. Possible values are:
- other
- volatile
- nonVolatile
- permanent
- According to RFC1447,
- volatile is lost upon reboot, e. g., in RAM,
- nonVolatile is backed up by stable storage, e. g., in NVRAM,
- permanent cannot be changed or deleted, e. g., in ROM,
- and "other" is provided in the unlikely event that someone will find a need for a storage type not covered by the other three.
- This field is a case-sensitive string corresponding to one of the above values.
-
partyLocal
- When TDomain is rfc1157Domain, this field is ignored.
- When TDomain is snmpUDPDomain, indicates whether this party represents the "local" end of a transmission.
- This field has two possible values:
-
true: it is "local,"
-
- or
-
false: it is not "local,"
-
Note: When the party is "not local," and the TDomain is snmpUDPDomain (i. e., SNMPv2), the TAddress and Port either may be used by a proxy entity to determine which address/port pair should receive proxy requests or to indicate which address/port pair should receive traps.
- This field is required (whether representing a SNMPv1 or SNMPv2 party) and is a case-sensitive string corresponding to one of the above values.
-
Note: When the TDomain indicates a SNMPv2 party, the term "local" does not mean local in the sense of location or address, but rather in the sense of origin. This means that on outgoing packets, the source party must be a "local" party (one representing the local entity as the source of the packet); on incoming packets, the source party must be a "remote" party (one representing a valid source party for sending packets to the local entity). In this sense, local means representing the local entity. "Non-local" or "remote" parties are ones that are logically remote to the entity; i. e., the source party of an incoming packet (the party that sent the packet) and the destination party of an outgoing packet (the party that will be receiving the packet at the other end of the transmission).
- In other words, packets are received from and sent to "non-local" (or remote) parties, and packets are sent from and received by local parties.
-
Note: Entries that are "shared" with another entity will have partyLocal fields that are opposite. For instance, an entry for a local party (partyLocal = true) in the agent's party file would be configured as a non-local party (partyLocal = false) in the manager's party file.
-
partyAuthClock
- defines the current notion of time for the entity.
- On startup a pre-defined adjustment, TIME_WARP in secure.h, is added to this value, unless the resulting value would exceed the maximum possible time. This is done to help prevent replay attacks across reboots.
- This field is an integer in the range 0 to 4294967295, inclusive. A perfectly valid initial value is 0; the security software should adjust and "synch" clocks once everything is up and running.
-
AuthPublicSecret
- is unused by the entity at this time. Will represent the "secret" as a series of hexadecimal numbers, each digit representing the corresponding ASCII value for the character in the string. A value of - represents the null string. The string can range from 0 to 16 bytes.
-
Note: This field should be null ( - ) for now.
-
AuthPrivateSecret
- represents the "secrets" string for the authentication protocol. The secret is stored as a series of hexadecimal numbers; each digit is the ASCII value for the corresponding character in the string. A value of - represents the null string. The string can range from 0 to 16 bytes, depending on the TDomain:
- If the party is an auth/nopriv or auth/priv party, this field must have a length of 16 bytes (i.e., 16 hexadecimal numbers in the configuration file). Both digits of each number must be represented. In other words, 1 would be entered as 01.
- If the corresponding TDomain field is equal to rfc1157Domain, this field contains a community string name as an encoded string of characters and can be any length. For example, if using the community name public the entry would be "70 75 62 6c 69 63". The command
- echo string | od -x
- is very useful for acquiring the correct encoding.
- It would be practical to mirror entries in the snmpv2d.conf(5) file, but it is not necessary.
-
Note: Valid only when the PartyDiscriminator indicates authentication (i. e., PartyDiscriminator > 2), or TDomain indicates SNMPv1 community.
-
PrivPublicSecret
- is unused by the entity at this time. Will store the "secret" as a series of hexadecimal numbers, each digit representing the ASCII value for the character in the string. A value of - represents the null string. The string can range from 0 to 16 bytes.
-
Note: This field should be null ( - ) for now.
-
PrivPrivateSecret
- represents the "secrets" string for the authentication protocol. The secret is stored as a series of hexadecimal numbers; each digit is the ASCII value for the corresponding character in the string. A value of - represents the null string.
- If the party is an auth/priv party, this field must have a length of 16 bytes (i.e., 16 hexadecimal numbers in the configuration file). Both digits of each number must be represented. In other words, 1 would be entered as 01.
-
Note: Valid only when the PartyDiscriminator indicates privacy (i. e., PartyDiscriminator > 4).
EXAMPLES
- The party table entry:
- initialPartyId.192.147.142.16.1 3
- snmpUDPDomain 192.147.142.16 161 300 1458
- 1 nonVolatile false 0
- -
- 74 68 69 73 74 68 69 73 74 68 69 73 74 68 69 34
- -
- -
- defines a party as follows:
- The name of this party is initialPartyId.192.147.142.16.1, and it is an auth/nopriv party.
-
TDomain is snmpUDPDomain, indicating this is a SNMPv2 party.
-
TAddress and Port fields indicate traps or proxy messages will be sent to 192.147.142.16/161.
- The Lifetime of the message is set to 300, indicating that the message will be valid as long as it is received by the target at a time greater than the target's idea of "now" minus 300 seconds.
- The message can be no longer than 1458 bytes.
- The unique party index is 1.
- Store this party in non-volatile storage (e. g., NVRAM).
- This party is not local to the SNMPv2 entity.
- The initial clock will be 0 plus TIME_WARP.
- The AuthPublicSecret is unused, so there is a null string for its value.
- The AuthPrivateSecret is initialized to
- 74 68 69 73 74 68 69 73 74 68 69 73 74 68 69 34
- which decodes to thisthisthisthi4.
- The PrivPublicSecret is unused, so there is a null string for its value.
- Since the PartyDiscriminator indicates nopriv, the PrivPrivateSecret is unused, and there is a null string for its value.
Example of a Community Entry
- The party table entry:
- # public
- initialPartyId.192.147.142.16.31 1
- rfc1157Domain 192.147.142.16 162 300 1458
- 31 nonVolatile true 0
- -
- 70 75 62 6c 69 63
- -
- -
- defines a party as follows:
- The name of this party is initialPartyId.192.147.142.16.31, and the PartyDiscriminator is ignored since this is a community.
- There must be a value in the PartyDiscriminator field; a reasonable entry would be 1 (noauth/nopriv in the SNMPv2 world). This is essentially a noauth/nopriv since it is a SNMPv1 community, but the actual values of the partyAuthProtocol will be rfc1157noAuth and partyPrivProtocol will be noPriv.
- Since the TDomain is rfc1157Domain, this is a SNMPv1 community entry in the party table.
- The partyLocal field is ignored since this is a community, but a value must be present.
- The TAddress and Port fields indicate the destination address is port 162 at IP address 192.147.142.16.
- The Lifetime is unused since this is a community record, but a value must be present.
- The message can be no longer than 1458 bytes.
- The unique party index is 31.
- Store this party in non-volatile storage (e. g., NVRAM).
- The partyLocal and initial clock are both ignored since this is a SNMPv1 community, but there must be entries in those fields.
- The AuthPublicSecret, PrivPublicSecret, and PrivPrivateSecret fields are also unused, and therefore null strings represent their values.
-
AuthPrivateSecret contains the community name:
-
70 75 62 6c 69 63
- which decodes to public.
- This entry may be mirrored in the snmpv2d.conf(5) file.
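- The field rules and both example entries above can be checked mechanically. The following is an added example, not part of the original manual page: it lints the secret, PartyDiscriminator and partyIndex rules and includes a byte-by-byte encoder for secrets. All function names are hypothetical, and it assumes lines starting with # are comments, as in the community example.

```python
# Added example, hypothetical names. SAMPLE is constructed: 15-byte auth secret, no priv secret.
SAMPLE = """\
initialPartyId.192.0.2.10.2 5
snmpUDPDomain 192.0.2.10 161 300 1458
2 nonVolatile false 0
-
74 68 69 73 74 68 69 73 74 68 69 73 74 68 69
-
-
"""

def decode_secret(field):
    """Decode a hex-encoded secret to bytes; '-' is the null string."""
    tokens = [] if field.strip() == "-" else field.split()
    if any(len(t) != 2 for t in tokens):
        raise ValueError("each byte needs two hex digits (1 is written 01)")
    return bytes(int(t, 16) for t in tokens)

def encode_secret(text):  # string -> space-separated hex bytes, '-' if empty
    return " ".join(f"{b:02x}" for b in text.encode("ascii")) or "-"

def lint_entry(e, seen):
    """Return the rule violations for one entry, given as its 7 lines."""
    disc, tdomain = int(e[0].split()[1]), e[1].split()[0]
    index, v1, bad = int(e[2].split()[0]), tdomain == "rfc1157Domain", []
    if not v1 and (tdomain != "snmpUDPDomain" or disc not in range(1, 7)):
        bad.append("bad TDomain or PartyDiscriminator")
    if not 1 <= index <= 65535 or index in seen:
        bad.append("partyIndex out of range or not unique")
    seen.add(index)
    try:
        pub_a, auth, pub_p, priv = (decode_secret(f) for f in e[3:7])
    except ValueError as err:
        return bad + [f"secret encoding: {err}"]
    if pub_a or pub_p:
        bad.append("public secrets should be '-'")
    if not v1 and disc > 2 and len(auth) != 16:
        bad.append("AuthPrivateSecret must be 16 bytes")
    if not v1 and disc > 4 and len(priv) != 16:
        bad.append("PrivPrivateSecret must be 16 bytes")
    return bad

def lint_file(text):
    """Map party name to violations; '#' lines are treated as comments."""
    rows = [s for s in map(str.strip, text.splitlines()) if s and s[0] != "#"]
    seen = set()
    if len(rows) % 7:
        raise ValueError("each entry must be exactly 7 lines")
    return {rows[i].split()[0]: lint_entry(rows[i:i + 7], seen)
            for i in range(0, len(rows), 7)}
```

- encode_secret works one byte at a time, so its output does not depend on host byte order, whereas od -x groups its output into 16-bit words.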
FILES
Additional SNMPv2 Configuration Files
- When the entity is compiled with either SNMPv2 or both SNMPv1 and SNMPv2 defined (bilingual), the configuration files acl.pty, context.pty, mgr.cnf, and view.pty are required.
-
acl.pty
- Access control privileges for the SNMPv2 parties.
-
context.pty
- Context information for the SNMPv2 parties.
-
mgr.cnf
- Clustername configurations for the managers.
-
view.pty
- MIB view information for the SNMPv2 parties.
- For Solaris 2.x, the files are located under:
-
-
/etc/opt/snm/manager/acl.pty
/etc/opt/snm/manager/context.pty
/etc/opt/snm/manager/manager.cnf
/etc/opt/snm/manager/manager.pty
/etc/opt/snm/manager/view.pty
- For Solaris 1.x, the files are located under:
-
-
/etc/snm/manager/acl.pty
/etc/snm/manager/context.pty
/etc/snm/manager/manager.cnf
/etc/snm/manager/manager.pty
/etc/snm/manager/view.pty
SEE ALSO
-
v2install(1), acl.pty(5), agt.pty(5), context.pty(5), mgr.cnf(5), snmpv2d.conf(5), view.pty(5),
- SNMP RFCs (RFC1155 RFC1157 RFC1212 RFC1213 RFC1215, RFCs 1441-1452)