Configuring the Net-SNMP Agent

On the API Gateway, snmpd is the executable SNMP agent. The configuration of snmpd is found in the /etc/snmp/snmpd.conf file. The API Gateway appliance ships with a default configuration defined by CA Technologies. This default provides the following:
  • Allows access by the localhost system only
  • Provides information from the basic system MIB (Management Information Base)
  • Provides information from the extended UCD MIB for monitoring OS level parameters
  • Provides a CA Technologies MIB for monitoring services.
Configuring a Net-SNMP Agent is intended for system administrators or other advanced technical users.
Access Rules
It is very important that only authorized systems have access to the SNMP information. SNMP relies upon either the Authentication Model (version 3 only) or the View-based Access Control Model (VACM) (version 1 and 2) to grant access to information. The default configuration only listens on localhost, but there are template examples in the configuration file for allowing other security contexts.
Authentication Model
When an SNMP Manager connects to the Agent, it presents a username and password for client authentication. The credentials can also be used to encrypt the data being transferred. This encryption is required for users accessing the SNMP Agent. Follow these steps:
  1. Open a privileged shell on your Gateway.
  2. Stop the snmpd daemon:
    # service snmpd stop
  3. Generate a read-only user account for querying the SNMP information. Run the appropriate command, depending on whether you need to generate an encrypted or standard user account:
    Encrypted Data User Command:
    # net-snmp-config --create-snmpv3-user -ro -a MD5 -A <user password> -x DES -X <privacy password for data encryption> <username>
    Standard User Command:
    # net-snmp-config --create-snmpv3-user -ro -a MD5 -A <user password> <username>
  4. If you are using only the Authentication Model, comment out the settings for View-based Access Control Model (VACM). Follow these steps:
    1. Open this file in a text editor: /etc/snmp/snmpd.conf
    2. Add the '#' character to comment out all the com2sec entries.
  5. Restart the snmpd daemon:
    # service snmpd start
View-based Access Control Model
  1. When an SNMP Manager connects to the Agent, it presents a "community" name. For Gateway usage, the community is "l7" (lowercase "L"). The com2sec directive maps a community and IP source to a security name. In this case, only the localhost source is allowed. There are templates for a subnet and host security context.
    #        sec.name        source          community
    com2sec  localsec        localhost       l7
    #com2sec subnetsec       192.168.1.0/24  l7
    #com2sec hostsec         192.168.1.100   l7
    The first matched combination of community and source (tuple) is used to define the security name. If none is found, then no security name is defined and access is denied.
  2. Map the security names to groups with security models (v1, v2c or usm) using the group directive. You define a single group: monitors
    #       groupName      securityModel securityName
    group   monitors        v1            localsec
    group   monitors        v2c           localsec
    group   monitors        usm           localsec
    #group  monitors        v1            subnetsec
    #group  monitors        v2c           subnetsec
    #group  monitors        usm           subnetsec
    #group  monitors        v1            hostsec
    #group  monitors        v2c           hostsec
    #group  monitors        usm           hostsec
  3. Define the views that groups have access to:
    You can refer to entities by their numeric OID or by a hierarchical name.
    #       name            incl/excl       subtree         mask(optional)
    # Present entire "system.*" tree from SNMPv2-MIB (.1.3.6.1.2.1.1)
    view    systemview      included        system
    # Present host.hrSystem.hrSystemUptime from HOST-RESOURCES-MIB (.1.3.6.1.2.1.25.1.1)
    view    systemview      included        host.hrSystem.hrSystemUptime
    # Present extended MIB from UCD-SNMP-MIB (.1.3.6.1.4.1.2021)
    view    systemview      included        enterprises.ucdavis
    #view   systemview      excluded        enterprises.ucdavis.dskTable
    #view   systemview      excluded        enterprises.ucdavis.fileTable
    #view   systemview      excluded        enterprises.ucdavis.laTable
    #view   systemview      excluded        enterprises.ucdavis.logMatch
    #view   systemview      excluded        enterprises.ucdavis.memory
    #view   systemview      excluded        enterprises.ucdavis.prTable
    #view   systemview      excluded        enterprises.ucdavis.snmperrs
    #view   systemview      excluded        enterprises.ucdavis.systemStats
    view    systemview      excluded        enterprises.ucdavis.ucdExperimental
    #view   systemview      excluded        enterprises.ucdavis.version
    # Present L7 MIB
    view    systemview              included        .1.3.6.1.4.1.17304
  4. Grant read-only access to the views for the groups:
    #       group           context sec.model sec.level prefix read         write notif
    access  monitors        ""      any       noauth    exact  systemview   none  none
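The chain described above (com2sec to group to access) can be resolved mechanically to see which source and community end up with which view. The following is an added example, not part of the vendor configuration; the function name audit_vacm and the sample text (the directives above with the subnet template uncommented for v2c) are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve com2sec -> group -> access for the community-based
# (v1/v2c) security models and print the effective exposure of an snmpd.conf.

# Constructed sample: the directives shown above, with the subnet
# template uncommented for the v2c model.
SAMPLE_CONF='
com2sec  localsec   localhost       l7
com2sec  subnetsec  192.168.1.0/24  l7
#com2sec hostsec    192.168.1.100   l7
group    monitors   v1    localsec
group    monitors   v2c   localsec
group    monitors   usm   localsec
group    monitors   v2c   subnetsec
access   monitors   ""    any   noauth   exact  systemview  none  none
'

# audit_vacm CONF_TEXT
# Prints one line per reachable path:
#   scope source community model group sec.level read-view
audit_vacm() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        $1 == "com2sec" && NF >= 4 { c++; sec[c] = $2; src[c] = $3; com[c] = $4 }
        $1 == "group"   && NF >= 4 { g++; grp[g] = $2; gmod[g] = $3; gsec[g] = $4 }
        $1 == "access"  && NF >= 7 { a++; agrp[a] = $2; amod[a] = $4; lvl[a] = $5; rd[a] = $7 }
        END {
            for (i = 1; i <= c; i++)
              for (j = 1; j <= g; j++) {
                # com2sec names apply to v1/v2c only; usm names are v3 users
                if (gsec[j] != sec[i] || gmod[j] == "usm") continue
                for (k = 1; k <= a; k++) {
                    if (agrp[k] != grp[j]) continue
                    if (amod[k] != "any" && amod[k] != gmod[j]) continue
                    scope = (src[i] == "localhost" || src[i] ~ /^127\./) ? "local" : "REMOTE"
                    print scope, src[i], com[i], gmod[j], grp[j], lvl[k], rd[k]
                }
              }
        }'
}

# On a Gateway: audit_vacm "$(cat /etc/snmp/snmpd.conf)"
audit_vacm "$SAMPLE_CONF"
```

Any line starting with REMOTE is a community string that grants the listed view to a non-local source. With every com2sec entry commented out, as in step 4 of the Authentication Model procedure, the function prints nothing.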
System Information
It is important to define the syscontact and syslocation for the agent:
syscontact Joe Administrator <jadministrator@mycompany.com>
syslocation Test system in lab
Standard System MIB
The standard system MIB provides minimal information about the system. The default RHEL configuration file only displays information from this MIB, such as the system contact, system location and up time.
UCD Extended MIB
Net-SNMP was originally developed as UCD-SNMP and changed its name in 2000. One of the early features built into the UCD-SNMP system was to provide monitoring access to system attributes, configured directly in the snmpd.conf file (see the sample snmpd.conf file). This information is accessed via the UCD Extended MIB (UCD-SNMP-MIB).
Configuring net-snmp agent to check that specific processes are running
The proc directive is used to check for running processes on the agent system:
###############################################################################
# Process checks.
#
# Checks to see if processes called NAME are running on the agent
# machine. An error flag (1) and a description message are then
# passed to the 1.3.6.1.4.1.2021.2.1.100 and
# 1.3.6.1.4.1.2021.2.1.101 MIB columns (respectively) if the
# NAME’d program is not found in the process table as reported by
# "/bin/ps -e".
#
# If MAX and MIN are not specified, MAX is assumed to be infinity
# and MIN is assumed to be 1.
#
# If MAX is specified but MIN is not specified, MIN is assumed to
# be 0.
#
#  The following are examples of how to use the agent to check for
#  processes running on the host.  The syntax looks something like:
#
#  proc NAME [MAX=0] [MIN=0]
#
#  NAME:  the name of the process to check for.  It must match
#         exactly (ie, http will not find httpd processes).
#  MAX:   the maximum number allowed to be running.  Defaults to 0.
#  MIN:   the minimum number to be running.  Defaults to 0.
 
#  Make sure java is running
proc java
 
# make sure mysqld is running
proc mysqld
 
# make sure bogus is running (error condition test)
#proc bogus
The default CA SNMP configuration monitors to make sure that java, mysqld and sshd are all running.
Configuring net-snmp agent to check disk space
The disk directive is used to configure disk monitoring on the agent system:
###############################################################################
# disk checks
#
# Checks the named disks mounted at PATH for available disk space.
# If the disk space is less than MINSPACE (kB) if specified or less
# than MINPERCENT (%) if a % sign is specified, or DEFDISKMINIMUMSPACE
# (kB) if not specified, the associated entry in the
# 1.3.6.1.4.1.2021.9.1.100 MIB table will be set to (1) and a
# descriptive error message will be returned to queries of
# 1.3.6.1.4.1.2021.9.1.101.
 
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
 
# disk PATH [MIN=100000]
#
# PATH:  mount path to the disk in question.
# MIN:   Disks with space below this value will have the Mib's errorFlag set.
#        Default value = 100000.
 
# Check the / partition and make sure it contains at least 10 gig
disk / 10485760
Configuring net-snmp agent to check load average
The load directive is used to configure load monitoring on the agent system:
###############################################################################
# load average checks
#
# Checks the load average of the machine and returns an error flag (1),
# and a text-string error message to queries of
# 1.3.6.1.4.1.2021.10.1.100 and 1.3.6.1.4.1.2021.10.1.101
# (respectively) when the 1-minute, 5-minute, or 15-minute averages
# exceed the associated maximum values. If any of the MAX1, MAX5, or
# MAX15 values are unspecified, they default to a value of
# DEFMAXLOADAVE.
 
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
#
# 1MAX:   If the 1 minute load average is above this limit at query
#         time, the errorFlag will be set.
# 5MAX:   Similar, but for 5 min average.
# 15MAX:  Similar, but for 15 min average.
 
# Check for loads:
load 6 5 4
Configuring net-snmp agent to check file size
The file directive is used to configure specific file monitoring on the agent system:
###############################################################################
# file size checks
#
# Monitors file sizes and makes sure they  don’t  grow  beyond  a
# certain  size  (in kilobytes).  MAXSIZE defaults to infinite if
# not specified, and only monitors  the  size  without  reporting
# errors about it.  A maximum of 20 files can be monitored.
 
# file FILE [MAXSIZE]
#
# FILE:    Full path to file
# MAXSIZE: Maximum file size (in kilobytes)
 
# ibdata starts at 1.0 GB. Set error if it exceeds 10.0 GB.
file /var/lib/mysql/ibdata 10485760
# Report on the default ssg log file
file /ssg/logs/default_-ssg_0_0.log
# Report on /var/log/messages
file /var/log/messages
On the Gateway, the size of the /var/lib/mysql/ibdata file is indicative of the size of the Gateway database. If ibdata increases rapidly, then your Gateway database may be growing too large.
The API Gateway MIB
There are three ways to add a MIB to an agent:
  1. The agent can invoke an external command or shell script to return the necessary information.
  2. The agent can pass the request off to another (sub)agent, which already implements the required MIB.
  3. You can write code to implement the new MIB objects, and include this within the agent by recompiling the agent.
You access the API Gateway MIB using the first method. The pass directive passes control to the /ssg/bin/passServiceUsage.sh script, which in turn uses the wget utility to make calls to the Gateway listening on localhost. For more information, see "About SNMP MIBs" in Monitor the Gateway Using SNMP.
passServiceUsage.sh
As of version 4.0, the shell script to query the Gateway for the MIB is as follows:
#!/bin/sh
# CA Technologies, Inc
# This belongs in /ssg/bin
#
PATH=$PATH:/bin:/usr/bin
PLACE=".1.3.6.1.4.1.17304.7.1"
if [ "$1" = "-g" ]; then
    VERB="get";
elif [ "$1" = "-n" ]; then
    VERB="getnext";
elif [ "$1" = "-s" ]; then
    VERB="set";
fi
wget -q -O- http://127.0.0.1:8080/ssg/management/$VERB/$2
exit 0
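In the script above, VERB stays empty when the first argument is none of -g, -n or -s, and $2 is placed in the URL unquoted and unchecked. The following variant is an added example, not the script CA Technologies ships; the function name build_url is hypothetical, and it assumes snmpd passes numeric OIDs with a leading dot, the form in which PLACE is written.

```shell
#!/bin/sh
# Added example (not the shipped passServiceUsage.sh): check the request
# flag and the OID before they are used to build the management URL.
PATH=$PATH:/bin:/usr/bin
PLACE=".1.3.6.1.4.1.17304.7.1"
BASE_URL="http://127.0.0.1:8080/ssg/management"   # as in the script above

# build_url FLAG OID
# Prints the URL for the request, or returns 1 if FLAG is unknown or
# OID is not a numeric OID equal to or below $PLACE.
build_url() {
    case "$1" in
        -g) verb="get" ;;
        -n) verb="getnext" ;;
        -s) verb="set" ;;
        *)  return 1 ;;
    esac
    case "$2" in
        *[!0-9.]*|*..*|*.) return 1 ;;   # digits and single dots only
    esac
    case "$2" in
        "$PLACE"|"$PLACE".*) ;;          # subtree match, not a string prefix
        *) return 1 ;;
    esac
    printf '%s/%s/%s\n' "$BASE_URL" "$verb" "$2"
}

# Entry point when invoked by snmpd through the pass directive.
# Producing no output makes the agent answer that the object does not exist.
if [ "$#" -ge 2 ]; then
    url=$(build_url "$1" "$2") || exit 0
    wget -q -O- "$url"
fi
```

The second OID check compares against the subtree, so .1.3.6.1.4.1.17304.7.10 is rejected even though it begins with the same characters as PLACE.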