2. Overview of SNMP
● With SNMP, a manager sends a request for information about
managed resources to an agent. The agent gathers the requested data
and returns a response. You can also configure agents to issue
unsolicited reports (notifications) to managers when they detect
predefined thresholds or conditions on a managed resource.
● To request data about a specific managed resource, a manager must be
able to uniquely identify the resource. In SNMP, each type of
managed resource is described in a Management Information Base
(MIB) as a managed object with a unique object identifier (OID).
Individual organizations define their specific managed objects in MIB
modules. Both manager and agent must have access to the same MIB
module to communicate about specific managed resources.
3. WebLogic Server SNMP Agents
WebLogic Server SNMP agents query the WebLogic Server management system and
communicate the results to managers over the SNMP protocol. The WebLogic Server
management system exposes management data through a collection of managed beans (MBeans).
When a WebLogic Server SNMP agent receives a request from a manager, it determines which
MBean corresponds to the OID in the manager's request. Then it retrieves the data and wraps it in
an SNMP response.
You can use WebLogic Server SNMP agents to:
■ Respond to simple GET requests from an SNMP manager for the current value of WebLogic
Server MBean attributes.
■ Use JMX monitors to poll WebLogic Server MBeans periodically and send notifications to
SNMP managers when the MBean attributes change in a way that you specify.
■ Send notifications to SNMP managers when the Administration Server or any Managed Server
starts or shuts down.
■ Listen for specific log messages and send notifications to SNMP managers when WebLogic
Server generates them.
■ Act as a proxy agent that passes requests from an SNMP manager to other (non-WebLogic)
SNMP agents (such as an Oracle database agent) on the same machine.
5. Configuring SNMP Protocols
A WebLogic Server SNMP agent can always communicate with
managers using the SNMPv3 protocol. You can configure whether
the agent also supports the SNMPv1 and SNMPv2 protocols. While
you cannot prevent an agent from receiving SNMPv3 requests, an
agent processes only requests from known users that you configure
through the WebLogic Server security realm.
6. Configuring UDP and TCP Ports
● An SNMP agent communicates through a port that accepts UDP
traffic and another port that accepts TCP traffic.
● By default, all TCP traffic uses the host server's listen port. For
example, if you target this agent to a server named ManagedServer1
and ManagedServer1 listens for requests on port 7001, then the SNMP
agent listens for TCP requests on port 7001.
● When communicating through a TCP port, WebLogic Server protects
SNMP communication from denial of service (DOS) attacks. If you
want to separate SNMP TCP traffic from business traffic, you can
create a custom network channel.
7. Narrowing the Scope of a Request
When an SNMP manager sends a request to an agent on the Administration Server, the agent's response can
potentially contain data that describes multiple instances of the object. For example, the object
serverUptime exists for each WebLogic Server instance in a domain. If a manager sends a request for
serverUptime to an agent on an Administration Server, the response contains one serverUptime
instance for each server in the domain.
You can narrow the scope of a request by encoding additional information in the manager's request. The
information that you encode depends on which SNMP protocol you use:
In a request that uses the SNMPv1 or SNMPv2 protocol, append the name of the server instance to the
SNMP community name that it sends with the request as follows:
community_prefix@server_name
where community_prefix is the SNMP community name and server_name is the name of the
targeted Managed Server. The community_prefix value sent by the manager must match the value that
you set in the Community Prefix field when you configure the SNMP agent.
To request a managed object for all server instances in a domain, send a community name to the WebLogic
SNMP agent with the following form:
community_prefix
In a request that uses the SNMPv3 protocol, encode the name of the Managed
Server in the request's context name field.
8. Monitoring SNMP Agents
For each SNMP agent in a domain, the SNMP: Monitoring tab of
the WebLogic Server Administration Console provides such
information as how many notifications the agent has sent to
managers and how many authentication attempts have failed.
You can also access this monitoring information using WebLogic
Scripting Tool (WLST) or a JMX client to access the new
SNMPAgentRuntimeMBean.
9. Security for SNMP
● Community Names for SNMPv1 and
SNMPv2
● Disabling SNMPv1 and SNMPv2
● Configuring Security for SNMPv3
● Invalidating the SNMPv3 Credential Cache
10. Community Names for SNMPv1 and SNMPv2
● To ensure that an SNMP manager requesting data from the WebLogic
SNMP agent has permission to obtain the data, and to verify that the
agent has permission to send notifications to a target manager,
SNMPv1 and SNMPv2 use clear-text passwords called community
names.
● When you create an SNMP agent, you specify the community name
that the agent expects from the SNMP manager.
11. Disabling SNMPv1 and SNMPv2
● Because SNMPv1 and SNMPv2 use clear-text
passwords, the level of security is weak. If you can
use SNMPv3 to communicate with managers,
consider disabling SNMPv1 and SNMPv2 by
disabling community based access for each SNMP
agent.
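Added example (not from the original slides and not WebLogic code): a Python sketch that decodes the header of an SNMPv1/v2c message to show that the community name, including the community_prefix@server_name scope from section 7, is readable by anyone who can see the packet, which is the weakness sections 10 and 11 describe. The sample packet, the prefix "public", the stand-in OID and all function names are constructed for illustration; split_scope only models the documented name format, not the agent's internal matching.

```python
# Added illustration: decode the cleartext header of an SNMPv1/v2c message.
# Sample packet, community prefix and helper names are constructed assumptions.

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_community(packet):
    """Return (version_name, community) from an SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big")   # 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3
    if tag != 0x02 or version not in (0, 1):
        raise ValueError("not a community-based SNMP message")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return ("SNMPv1", "SNMPv2c")[version], community.decode("ascii", "replace")

def split_scope(community, configured_prefix):
    """Split community_prefix@server_name; server is None for a domain-wide request."""
    prefix, _, server = community.partition("@")
    if prefix != configured_prefix:
        raise PermissionError("community prefix does not match agent configuration")
    return prefix, (server or None)

def _tlv(tag, value):
    return bytes([tag, len(value)]) + value   # short-form lengths only (< 128 bytes)

# Constructed SNMPv2c GetRequest; OID is MIB-II sysUpTime.0 as a stand-in, not a WebLogic OID.
_varbind = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010201010300")) + _tlv(0x05, b""))
_pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, _varbind))
SAMPLE_PACKET = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"public@ManagedServer1") + _pdu)

if __name__ == "__main__":
    version, community = parse_community(SAMPLE_PACKET)
    print(version, community, split_scope(community, "public"))
```

Run against captured traffic, the same parse_community check identifies managers that still use community-based access before you disable it on the agent.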
12. Configuring Security for SNMPv3
● In the SNMPv3 protocol, both SNMP agent and manager must encode identical
credentials in their PDUs for the communication to succeed. The credentials include
several tokens: a user name, an SNMP engine ID, an authorization protocol, and an
optional privacy password, all of which are encrypted before being transported over
the network.
● In WebLogic Server, SNMP agents work with the domain's security realm to secure
communication. The SNMP agent decodes SNMP credentials in requests and passes
the SNMP user name to the security realm. The security realm maps the SNMP user
name to a WebLogic Server user, authenticates the user, and authorizes access to
monitoring data in the domain. To map the SNMP credentials to a user in a
WebLogic Server security realm, you create a credential map.
13. Invalidating the SNMPv3 Credential Cache
● To optimize performance, an SNMP agent caches the credential maps that
correlate WebLogic Server users with SNMP credentials. To make sure that
the cache contains the latest set of SNMP credentials, an agent periodically
invalidates its cache. After the cache is invalidated, the next time the agent
requests credentials, it regenerates its cache.
● Note that making a change to the credential map does not automatically
update the cache for SNMP agents. Instead, the cache is updated only after it
has been invalidated. For example, if you update a privacy password in an
existing entry in the SNMP credential map, SNMP agents are not aware of
the new password until their caches are invalidated and regenerated. An
SNMP user with the old security password can still use the agents to access
WebLogic Server data until the cache is invalidated.
● After you modify a credential map, you can either wait for each SNMP agent
to invalidate its cache, or you can invalidate it immediately.