Follow the procedures presented in this page to enable EMS access to the DSC and to configure community directives.
Enabling EMS Access
Enabling the EMS access on the DSC modifies the snmpd configuration (snmpd.conf) and adds a new community string, ins_ems, which allows external and internal access to the system to modify the following Object Identifiers (OIDs):
- .220.127.116.11.4.1.1518.104.22.16822.214.171.124: single interval stats files
- .126.96.36.199.4.1.15188.8.131.52184.108.40.206: active traps
- .220.127.116.11.4.1.1518.104.22.1686.308.316.1: the trap host table
The OIDs are only available for modification after EMS access is enabled.
The ins_ems community string is the only external access allowed to the system through SNMP commands. This string is read-only, and, therefore, the OID values cannot be modified.
You can enable EMS access using the following methods:
- Executing the initial configuration procedure. For more information about this procedure, see the following references:
  - for the DSC 8000, see Executing the Initial Configuration
  - for the DSC SWe on KVM hypervisor, see Executing the Initial Configuration
  - for the DSC SWe on VMware hypervisor, see Executing the Initial Configuration (on VMware Hypervisor)
  - for the DSC SWe on OpenStack hypervisor, see Executing the Initial Configuration for the DSC SWe (on OpenStack)
For the EMS version supported on this platform, see DSC Interoperability Matrix.
To enable EMS access on the Web UI
- Log on to the Web UI.
- Under Systems, click IP Networking.
- Click SNMP.
- Click Enable | Disable EMS Access as required.
False Positives Security Vulnerabilities
Third-party scanners, such as Nessus plugins, may report false-positive vulnerabilities such as:
- SNMP Agent Default Community Name (public)
- SNMP 'GETBULK' Reflection DDoS
The default community names on the SNMP server can be guessed. An attacker may use this information to gain access to the system or to cause a denial-of-service attack by issuing 'GETBULK' requests, which return a large amount of data.
To resolve this issue and reduce exposure so that data is protected, you can change the default community name string. The procedure to perform this task is documented in the following section.
Naming Convention Limitations for Community Strings
You must comply with some naming convention limitations when configuring the ro and rw community strings for the DSC 8000 and DSC SWe. These limitations are as follows.
- community strings are limited to 64 characters for backwards compatibility
- alphanumeric characters are allowed
- hyphens and underscores are allowed
Configuring SNMPv2 Community Directives
The following procedure provides the steps to configure SNMPv2 community directives.
To configure SNMPv2 community directives
- From the Main Menu, click IP Networking.
- Click SNMP.
- Enter the required information in the SNMPv2 Read Only Community Name and SNMPv2 Read/Write Community Name.
- Click Commit.
Read/Write Community allows SNMPv2 commands to change a specific set of attributes. These attributes are listed in OID form in the snmpd.conf file. The attributes can only be changed on the local system (localhost).
Read Only Community allows SNMPv2 commands to read any attribute from inside or outside of the system, but they are not authorized to make changes. As such, snmpset commands issued with this community string type do not work.
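The following added example (not part of the original page and not the product's own code) audits snmpd.conf text against the naming limits listed under Naming Convention Limitations for Community Strings and against the localhost-only rule for the Read/Write Community. It assumes the file uses the net-snmp rocommunity and rwcommunity directives and that the localhost restriction appears as the directive's source field; the sample configuration is constructed, and "private" is an added, commonly seen default name alongside the "public" name cited above.

```python
import re

# Naming limits from this page: at most 64 characters; alphanumerics, hyphens, underscores.
MAX_LEN = 64
ALLOWED = re.compile(r"[A-Za-z0-9_-]+")
# "public" is the default cited on this page; "private" is an added assumption.
DEFAULT_NAMES = {"public", "private"}
LOCAL_SOURCES = {"localhost", "127.0.0.1"}

def check_name(name):
    """Return the list of problems found in one community string."""
    problems = []
    if len(name) > MAX_LEN:
        problems.append("longer than 64 characters")
    if not ALLOWED.fullmatch(name):
        problems.append("characters other than alphanumerics, hyphen, underscore")
    if name.lower() in DEFAULT_NAMES:
        problems.append("default community name")
    return problems

def audit(conf_text):
    """Return (line_no, directive, finding) tuples for community directives."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 2 or fields[0] not in ("rocommunity", "rwcommunity"):
            continue  # blank line, comment, or unrelated directive
        directive, name = fields[0], fields[1]
        # net-snmp treats a missing source as "default" (any address).
        source = fields[2] if len(fields) > 2 else "default"
        for problem in check_name(name):
            findings.append((no, directive, problem))
        if directive == "rwcommunity" and source not in LOCAL_SOURCES:
            findings.append((no, directive, "read/write community not limited to localhost"))
    return findings

# Constructed sample, not taken from a real DSC system.
SAMPLE_CONF = """\
# constructed example
rocommunity public
rocommunity dsc_ro-2024
rwcommunity ops!rw localhost
rwcommunity dsc_rw_local 10.0.0.0/8
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```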