
Different community name for SNMP ?

 
Michael Resnick
Advisor


Hello - Our SysAdmin says that our snmp configuration must use a community name of public because the HP-UX EMS requires it that way. I'm not a SysAdmin, but from what I've read, looks like the community name can be something other than public or private.

Can a custom community name be used? Is that difficult to configure? Will that impact other items besides EMS? (Forgive me - I'm unfamiliar with snmp.)

System is an rx84xx machine running HP-UX11i.

Thanks in advance,

mike
Patrick Wallek
Honored Contributor

Re: Different community name for SNMP ?

Yes, you can use community names other than public/private. In fact it is recommended to do so since those are defaults and could potentially be exploited.

On HP-UX, you set the SNMP community names in the /etc/snmpd.conf file. Once you set them, you will have to stop/start all SNMP related daemons. Do an 'ls /sbin/init.d/*snmp*' (possibly *Snmp*) to find the appropriate startup routines for those daemons.

As far as EMS and other programs go, yes they would be affected, BUT you SHOULD be able to change the SNMP community names they use. Any well behaved application that uses SNMP should permit this.
VK2COT
Honored Contributor

Re: Different community name for SNMP ?

Hello,

Patrick is right. It is certainly
recommended to change the default SNMP
community strings.

The SNMP strings need to be changed
at two places:

a) The SNMP agents,
b) The SNMP managers.

The SNMP agent reads its configuration
information from the /etc/SnmpAgent.d/snmpd.conf
configuration file.

The SNMP agent is either the snmpd (included
with HP-UX) or the snmpd.ea(1M) (purchased
with the OpenView product).

The agent side is almost always the time-consuming
part because you often have to do it by hand
on each node (unless using scripts on your
Unix machines or something like CiscoWorks to
schedule updates).

Personally, when I audit servers for
customers, I give them a poor rating if
they use default SNMP read and/or write
community strings.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
Michael Resnick
Advisor

Re: Different community name for SNMP ?

Thank you both. Yes, an audit finding which states we need to change the community name prompted me to post this question.

For years, the SysAdmin has stated "Snmp must be configured as public to allow the EMS (Event Monitoring System), software to function correctly."

The previous tech lead just accepted that. I didn't think it was correct thus posted this thread. Again though, I'm not the sysadmin and need to search for specific documents that will provide me the needed info to include in my response. Do you have any links that could save me some time?

mike
VK2COT
Honored Contributor

Re: Different community name for SNMP ?

Hello Mike,

At least your IT audit is now helping you
improve your security.

There is a document ID emr_na-c00997763-1
(original KMine RCEN 4000106938).

Here is what you need to do:

a) Edit /etc/snmpd.conf in order to change
the community names. Look for strings:

get-community-name
set-community-name

b) Stop SNMP and EMS services:

/sbin/init.d/emsa stop
/sbin/init.d/SnmpHpunix stop
/sbin/init.d/SnmpMaster stop

c) Execute "snmpd" to start the SNMP
master agent and subagents:

# /sbin/init.d/SnmpMaster start
# /sbin/init.d/SnmpHpunix start

d) Edit the following two files to add the
"-c " string in each line
starting MONITOR:
/etc/opt/resmon/dictionary/mibmond.dict
/etc/opt/resmon/dictionary/rdbmsmond.dict

WARNING: Make sure not to save a backup
copy of the original dictionary files in the
/etc/opt/resmon/dictionary directory or in
any subdirectory of it.

e) Kill any remaining HA Monitors
(mibmond, fsmond, pkgmond, and so on).

These processes will be restarted
automatically if needed.

f) Restart EMS:

/sbin/init.d/emsa start

g) Test with:

resls -s /system/jobQueue15Min

I think this should do it...

Cheers,

VK2COT
VK2COT - Dusan Baljevic
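
The audit finding discussed in this thread can be checked with a small script. This is an added example, not part of any post above and not HP tooling: it scans an snmpd.conf for get-community-name / set-community-name entries that still use "public" or "private". The entry syntax "key: NAME", the helper names and the sample file are assumptions constructed for illustration; the file path is an argument because the replies name both /etc/snmpd.conf and /etc/SnmpAgent.d/snmpd.conf.

```shell
#!/bin/sh
# Added example: flag default SNMP community names in an snmpd.conf file.
# Assumption: entries have the form "get-community-name: NAME [options]".

# audit_communities FILE  (hypothetical helper name)
# Prints "line:key:name" for each get/set entry using a default name.
# Returns 0 if clean, 1 if a default name is found, 2 if FILE is unreadable.
audit_communities() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }                  # whole-line comment
        {
            line = $0
            sub(/#.*/, "", line)             # strip trailing comment
            n = index(line, ":")
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            gsub(/[ \t]/, "", key)
            if (key != "get-community-name" && key != "set-community-name") next
            split(substr(line, n + 1), f, " ")   # f[1] is the community name
            name = tolower(f[1])
            if (name == "public" || name == "private") {
                printf "%d:%s:%s\n", NR, key, f[1]
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$conf"
}

# Constructed sample configuration (not taken from a real host).
sample_conf() {
    cat <<'EOF'
# constructed sample
get-community-name: public
get-community-name: ro-7f3kQ
set-community-name:   Private   # legacy entry
#set-community-name: public
contact: ops
EOF
}

# Demo: audit the sample; pass the real path on a live system instead.
tmp=${TMPDIR:-/tmp}/snmpd.conf.sample.$$
sample_conf > "$tmp"
audit_communities "$tmp" || echo "default community names present"
rm -f "$tmp"
```

The non-zero return code makes the function usable as a gate in a compliance script run across many nodes.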