Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-2181438.1
Update Date:2018-04-03

Solution Type  Technical Instruction Sure

Solution  2181438.1 :   How-To - Change Default SNMP Community String on Engineered Systems  


Related Items
  • Oracle SuperCluster M7 Hardware
  • Oracle Exadata Hardware
  • Oracle Exadata Storage Server Software
  • Oracle SuperCluster T5-8 Hardware
Related Categories
  • PLA-Support>Eng Systems>Exadata/ODA/SSC>Oracle Exadata>DB: Exadata_EST


This document provides instructions on how to change the SNMP community string on Engineered Systems such as SuperCluster and Exadata.

Created from <SR 3-13300247771>

Applies to:

Oracle SuperCluster M7 Hardware - Version All Versions and later
Oracle Exadata Storage Server Software - Version 11.2.3.1.1 and later
Oracle Exadata Hardware - Version 11.2.3.1.1 and later
Oracle SuperCluster T5-8 Hardware - Version All Versions and later
Linux x86-64

Goal

The goal of this document is to explain how to change the SNMP community string on compute nodes, cell nodes and their associated ILOMs within an Engineered system.  This is particularly useful when needing to change the string from the default "public" to meet security requirements.

  

While changing the community string does not explicitly require the cell, cluster and/or database to be down, it is recommended that the changes be made during a maintenance window.
After accomplishing the following steps it is important to test the configuration thoroughly to ensure there is no impact to EM monitoring, Automated Service Requests, etc.   Performing these changes on a test system first is highly recommended.

 

Solution

I. For a database node:

    Linux-based (Exadata, Oracle Database Appliance, etc)

     1. Change the community string by editing /etc/snmp/snmpd.conf and replacing all occurrences of the current string (for example, public) with your preferred string.

     2. Restart the snmp service via

     service snmpd restart

 

    Solaris-based (SuperCluster, Exadata SL6, etc)

     1. Change the community string by editing /etc/net-snmp/snmp/snmpd.conf and replacing all occurrences of the current string (for example, public) with your preferred string.

     2. Restart the snmp service via

     svcadm restart snmp-notify:default
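
The edit in step 1 above (and again in step 2 of section II), as an added example that is not part of the Oracle note: it replaces the old community only where it is a whole field on an active community-bearing directive, so comments and names such as publicview are untouched, and it counts what is left for manual review. The function names, the directive list and the sample file are assumptions made for illustration; a POSIX awk and mktemp are assumed.

```sh
#!/bin/sh
# Added example, not part of the Oracle note. The directive list is an
# assumption: common net-snmp snmpd.conf directives that take a community.
COMMUNITY_DIRECTIVES='rocommunity rwcommunity rocommunity6 rwcommunity6 com2sec com2sec6 trapcommunity trapsink trap2sink informsink'

# change_community OLD NEW FILE
# Rewrites FILE in place (backup kept as FILE.bak), replacing OLD only where it
# is a whole field on an active community-bearing directive.
change_community() {
    [ -n "$1" ] && [ -n "$2" ] && [ -f "$3" ] || return 2
    tmp=$(mktemp) || return 2
    cp -p "$3" "$3.bak" || { rm -f "$tmp"; return 2; }
    OLD="$1" NEW="$2" DIRS="$COMMUNITY_DIRECTIVES" awk '
        BEGIN { n = split(ENVIRON["DIRS"], d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        ($1 in want) {      # commented-out directives never match: $1 begins with "#"
            for (i = 2; i <= NF; i++) if (($i "") == ENVIRON["OLD"]) $i = ENVIRON["NEW"]
        }
        { print }
    ' "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$3"       # overwrite contents so owner, mode and label are kept
    rm -f "$tmp"
}

# count_active OLD FILE
# Prints how many non-comment lines still contain OLD as a whole field, so
# leftovers outside the directive list can be reviewed by hand.
count_active() {
    OLD="$1" awk '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i <= NF; i++) if (($i "") == ENVIRON["OLD"]) { c++; break } }
        END { print c + 0 }
    ' "$2"
}

# Constructed sample snmpd.conf (not taken from a real system).
sample_conf() {
    cat <<'EOF'
# default public community
com2sec notConfigUser  default  public
rocommunity public 127.0.0.1
view publicview included .1.3.6.1.2.1.1
trapsink asr.example.com public
sysLocation public lobby
EOF
}
```

Run change_community against the path given for the platform, then restart the service as in step 2; a non-zero result from count_active means the old string still appears on an active line outside the directive list.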

  


II. For a cell node:

Applies to Linux-based storage on Exadata and SuperCluster.  Not applicable to ODA.

     1. Get a list of subscribers who use snmp.

     cellcli -e "list cell attributes snmpSubscriber"


     2. Change the community string by editing /etc/snmp/snmpd.conf and replacing all occurrences of the current string (for example, public) with your preferred string.

     3. Restart the snmp service.

     service snmpd restart


     4. For any subscribers found in step 1, change the community string that they use. Take special care not to overwrite settings for any existing snmpSubscriber. If there are existing subscribers, then append the agent subscriptions.

         For example, if the cellcli -e list cell attributes snmpSubscriber command returned:

     cellcli -e list cell attributes snmpSubscriber
     ((host=ilm-asr1.example.com,port=162,community=public,type=asr))

         Then you must append the Agent subscriptions:

     cellcli -e "alter cell snmpSubscriber=((host='ilm-asr1.example.com',port=162, community=public,type=asr),(host='[host name]',port=[port]),(host='[host name]',port=[port]))"

         For example:              

     ALTER CELL snmpSubscriber=((host=ilm-asr1.example.com,port=162,community=public,type=asr),(host=host1.example.com,port=11852,community=public),(host=host2.example.com,port=1838))
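
Step 4 above as an added example, not part of the Oracle note: it takes the subscriber list returned in step 1 and prints an alter cell command that keeps every existing subscriber and changes only the community value. The function name is hypothetical, the input is assumed to have the ((key=value,...),(...)) shape shown above, and the command is printed for review rather than executed.

```sh
#!/bin/sh
# Added example, not part of the Oracle note. Assumes the subscriber list has
# the ((k=v,...),(k=v,...)) shape shown in the note.

# build_alter_cell OLD NEW "LIST"
# LIST is the output of: cellcli -e list cell attributes snmpSubscriber
# Prints (does not run) an ALTER CELL command that keeps every subscriber and
# changes only community=OLD to community=NEW. Hosts are quoted as in the note.
build_alter_cell() {
    list=$(printf '%s' "$3" | tr -d '[:space:]')
    case $list in
        '(('*'))') ;;        # expected shape
        *) return 1 ;;       # empty or unexpected output: refuse to guess
    esac
    new_list=$(printf '%s\n' "$list" | OLD="$1" NEW="$2" awk -v q="'" '
        {
            n = split(substr($0, 3, length($0) - 4), ent, /\),\(/)
            out = ""
            for (i = 1; i <= n; i++) {
                m = split(ent[i], kv, ",")
                row = ""
                for (j = 1; j <= m; j++) {
                    if (kv[j] == ("community=" ENVIRON["OLD"]))
                        kv[j] = "community=" ENVIRON["NEW"]
                    if (substr(kv[j], 1, 5) == "host=" && substr(kv[j], 6, 1) != q)
                        kv[j] = "host=" q substr(kv[j], 6) q
                    row = row (j > 1 ? "," : "") kv[j]
                }
                out = out (i > 1 ? "," : "") "(" row ")"
            }
            print "(" out ")"
        }')
    printf 'cellcli -e "alter cell snmpSubscriber=%s"\n' "$new_list"
}
```

Subscribers that carry no community field, such as the last entry in the example above, pass through unchanged.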

 

 

III.  For an ILOM:

Applies to all Engineered Systems (Exadata, SuperCluster and ODA)


     1. Via the GUI, create the new community.

     2. Delete the public community.

 Further details on managing SNMP in an ILOM can be found in the "Configuring SNMP Settings in Oracle ILOM" section of the "Oracle ILOM Protocol Management Reference for SNMP and IPMI Firmware Release 3.2.x" document.

 

IV.  For an IB Switch

Applies to Exadata and SuperCluster.  Does not apply to ODA.

The default community strings "public", "private" and "ocadmin" may cause a scan to identify the IB switch as vulnerable to various exploits.  Resolve this by removing the community name(s) at fault.

     1.  Log in to the switch ILOM.

     2.  At the SP console prompt, create a new SNMP community with the desired name.

     create /SP/services/snmp/communities/<newCommunityString> permission=rw

     3.  Delete the offending community string.

     delete /SP/services/snmp/communities/<string>

      If more than one offending community string exists, delete each of them.

     Further details on managing SNMP in an IB switch can be found in the "Managing SNMP Services (CLI)" section of the "Sun Datacenter InfiniBand Switch 36 HTML Document Collection for Firmware Version 2.1" document.

 

 

V.  For a PDU

Applies to Exadata and SuperCluster. Does not apply to ODA.

     The PDU does not have a community string.  It pushes alerts to designated SNMP servers.  To update the servers that alerts are sent to, see section VII below.

     To change the SNMP servers that a PDU will send alerts to, refer to the "Enabling and Configuring SNMP (Original PDU)" or "Enabling and Configuring SNMP (Enhanced PDU)" section of the PDU User's Guide.

 

 

VI. For a Cisco 4948 Switch

Applies to Exadata and SuperCluster. Does not apply to ODA.

To change the community name:

     1.  Log in to the switch.

     2.  Enter Enable mode.

     Router>enable

     3.  Enter Configuration mode.

     configure terminal

     4.  Remove the offending community string.

     no snmp-server community public RO

     5.  Create a new SNMP community string with the desired name.

     snmp-server community <newCommunityString> RO

     6.  Exit Configuration mode

     exit

     7.  Save the change.

     write memory

Further details on managing SNMP in a Cisco 4948 switch can be found at this Cisco support page.



VII.  Post-Change Actions

Applies to all Engineered Systems (Exadata, SuperCluster and ODA)

     If using Enterprise Manager, follow Doc ID 1968674.1 to make EM aware of the new community names.

     If using ASR and/or Platinum Services, contact your ACS representative to file a change request.


 

References

<NOTE:1968674.1> - How To Change SNMP Community String For Monitored Exadata Targets
Sun Datacenter InfiniBand Switch 36 HTML Document Collection for Firmware Version 2.1 - https://docs.oracle.com/cd/E36265_01/html/E36266/docinfo.html
<NOTE:2171362.1> - CVE-1999-0517 An SNMP community name is the default (e.g. public), null, or missing on an Infiniband Switch
Sun Rack II Power Distribution Units User's Guide - http://docs.oracle.com/cd/E19844-01/html/E23956/index.html
EM For Exadata Post-Discover - http://docs.oracle.com/cd/E24628_01/doc.121/e27442/ch4_post_discovery.htm
<NOTE:2098363.1> - Remote SNMP server replies to the private and public community on IB switches

  Copyright © 2018 Oracle, Inc.  All rights reserved.