How to configure SNMP v1 access communities in the CA SystemEDGE agent.

Document ID : KB000023380
Last Modified Date : 14/02/2018

Question: 

How do I configure the SNMP V1 communities the CA SystemEDGE agent will respond to and restrict this to specific hosts?

Environment:  

ANY

Answer: 

The CA SystemEDGE installation lets you define read-only and read-write communities.

You can modify those communities or define additional communities manually in the sysedge.cf file.

The configuration file defines access communities using the following format:

 

community community-name permissions access-list

The parameters are defined as follows:

community-name : Can be any octet string. You can use any ASCII characters for the community name. Defaults are public and admin.

permissions : Specifies what level of permissions to grant, either read-only or read-write.

access-list : Specifies a space-separated list of IP addresses (in dotted decimal notation) that defines the systems that have access using the given community string. Access lists are not totally secure because systems can still spoof IP addresses. Access lists do, however, provide the ability to restrict legitimate use. You can provide IPv4 or IPv6 addresses as access lists. If the access list is empty, CA eHealth SystemEDGE grants access to any system that uses this community string.

--------------------------------------------------------------------------------------------------------------------------------------------

In the following example, CA eHealth SystemEDGE permits read-write access using the community string private only to systems with one of the following IP addresses: 45.0.4.10, 45.0.8.12, 198.130.5.7, or ea2f:fe90:abcd:0000:230:a2f:200:ad01. CA SystemEDGE treats any other system that attempts to use private as an authentication failure:

 

community private read-write 45.0.4.10 45.0.8.12 198.130.5.7 ea2f:fe90:abcd:0000:230:a2f:200:ad01

 

------------------------------------------------------------------------------------------------------------------------------------------

Steps to implement the updated community statement:

Modify the CA SystemEDGE agent's run-time sysedge.cf in the data_directory.

 

Windows default location:

 

C:\Users\Public\CA\SystemEDGE\port1691

 

Unix default location:

 

/opt/CA/SystemEDGE/config/port1691

 

Add or modify your custom community statements in the sysedge.cf file.

 

(Changes do not take effect until the agent is restarted.)

On Windows, the agent can be restarted from the Windows Services GUI:

services.msc

CA SystemEDGE (choose Restart)

 

On Unix, you can restart SystemEDGE by using:

/etc/init.d/CA-Systemedge restart

 

Additional Information:

- IP addresses must be separated by a space character; you cannot use any other characters, including the newline.

- The maximum length of a community string statement (including any access list) is 1024 characters, which provides enough space for about 60 IPv4 addresses and even less for IPv6 addresses. To configure longer access lists, define separate communities.
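
The following audit script is an added example, not a CA tool or code from the original article. It checks community statements against the rules above: an empty access list, the default names public and admin, entries that are not single IPv4/IPv6 addresses, and the 1024-character limit. It assumes that community names contain no whitespace and that lines starting with # are comments; the function name and the sample configuration are constructed for illustration.

```python
import ipaddress

MAX_STATEMENT_LEN = 1024              # limit stated in the article
DEFAULT_NAMES = {"public", "admin"}   # default community names named in the article
PERMISSIONS = {"read-only", "read-write"}

def audit_communities(text):
    """Return a list of (line_no, community_name, finding) tuples."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: '#' starts a comment line in sysedge.cf.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != "community":
            continue  # other sysedge.cf keywords are out of scope here
        if len(fields) < 3 or fields[2] not in PERMISSIONS:
            name = fields[1] if len(fields) > 1 else ""
            findings.append((no, name, "malformed statement"))
            continue
        name, perm, acl = fields[1], fields[2], fields[3:]
        if len(line) > MAX_STATEMENT_LEN:
            findings.append((no, name, "statement longer than 1024 characters"))
        if name in DEFAULT_NAMES:
            findings.append((no, name, "default community name"))
        if not acl:
            findings.append((no, name, f"empty access list: any host gets {perm}"))
        for entry in acl:
            try:
                ipaddress.ip_address(entry)
            except ValueError:
                findings.append((no, name, f"not an IPv4/IPv6 address: {entry}"))
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
# constructed sample
community public read-only
community private read-write 45.0.4.10 45.0.8.12 198.130.5.7 ea2f:fe90:abcd:0000:230:a2f:200:ad01
community ops read-write 10.1.2.3,10.1.2.4
"""

if __name__ == "__main__":
    for no, name, finding in audit_communities(SAMPLE):
        print(f"line {no}: community {name!r}: {finding}")
```

Run it against a copy of sysedge.cf by passing the file's contents to audit_communities(); a read-write community reported with an empty access list is the finding to fix first.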