-- ********************************************************************
-- CISCO-COMMON-MGMT-MIB.my: Common Management Mib
--   
-- July 2004, Vinay Gaonkar
-- June 2005, Sanjeev C Joshi
--   
-- Copyright (c) 2004-2005, 2008 by cisco Systems Inc.
-- All rights reserved.
--   
-- ********************************************************************

CISCO-COMMON-MGMT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Unsigned32,
    dod
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    RowStatus,
    DisplayString,
    DateAndTime,
    AutonomousType,
    TruthValue,
    StorageType
        FROM SNMPv2-TC
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    usmNoAuthProtocol,
    usmNoPrivProtocol
        FROM SNMP-USER-BASED-SM-MIB
    ciscoMgmt
        FROM CISCO-SMI;


ciscoCommonMgmtMIB MODULE-IDENTITY
    LAST-UPDATED    "200806130000Z"
    ORGANIZATION    "Cisco Systems Inc."
    CONTACT-INFO
            "Cisco Systems
            Customer Service
            Postal: 170 W Tasman Drive
            San Jose, CA  95134
            USA
            Tel: +1 800 553 -NETS
            E-mail: cs-san@cisco.com"
    DESCRIPTION
        "MIB module for integrating different elements of
        managing a device. For example, different device access
        methods like SNMP, CLI, XML and so on have different sets
        of users which are used to communicate with the device.
        The ccmCommonUserTable provides a framework to create one
        set of users which is common across all the device
        access methods.

        So, this MIB serves as a framework to integrate 
        management of different access methods."
    REVISION        "200806130000Z"
    DESCRIPTION
        "Added the following.
        - New mib object 'ccmCommonUserCacheTimeout'.
        - New Compliance 'ciscoCommonMgmtMIBCompliances'
        - New Object Group 'ccmCacheTimeoutConfigGroup'."
    REVISION        "200506230000Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 443 }


ciscoCommonMgmtNotifs  OBJECT IDENTIFIER
    ::= { ciscoCommonMgmtMIB 0 }

ciscoCommonMgmtMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoCommonMgmtMIB 1 }

ciscoCommonMgmtMIBConform  OBJECT IDENTIFIER
    ::= { ciscoCommonMgmtMIB 2 }

ccmUserConfig  OBJECT IDENTIFIER
    ::= { ciscoCommonMgmtMIBObjects 1 }


-- ccmCommonMaxUsers

ccmCommonMaxUsers OBJECT-TYPE
    SYNTAX          Unsigned32 (0..65535)
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Maximum number of common users that can be configured
        on this device, i.e., the maximum number of entries in
        the ccmCommonUserTable.

        A value of 0 means the maximum number of users is
        dynamically determined, e.g., depending on memory
        availability."
    ::= { ccmUserConfig 1 }

ccmCommonUsers OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Number of common users that are currently configured on
        this device, i.e., the number of entries in the
        ccmCommonUserTable."
    ::= { ccmUserConfig 2 }

ccmCommonUsersGlobalEnforcePriv OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether the SNMP agent enforces
        the use of encryption for SNMPv3 messages globally for
        all the users in the system.

        The 'vacmAccessSecurityLevel' determines the acceptable
        security levels per group and defaults to noAuthNoPriv
        unless otherwise configured. The actual access
        to the MIB objects in an SNMP message is controlled by
        the vacmAccessTable. This object provides configuration
        at a higher level to enforce privacy without any
        introspection of the MIB objects in the SNMP message,
        so that while it is 'true' a group whose
        vacmAccessSecurityLevel permits an unencrypted level
        cannot be reached without encryption.

        When privacy is enforced globally, for any SNMPv3
        PDU request with a securityLevel of either 'noAuthNoPriv'
        or 'authNoPriv', the SNMP agent responds with an
        'authorizationError'."
    DEFVAL          { false } 
    ::= { ccmUserConfig 3 }

ccmCommonUserLastChange OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The local date and time when the user database
        (ccmCommonUserTable) configuration was last changed.
        This object will be set to zero on power cycle or
        on reboot of the system. Also, if the clock is
        changed on the local system it is set to zero."
    ::= { ccmUserConfig 4 }
-- ccmCommonUserTable

ccmCommonUserTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CcmCommonUserEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists all the common users configured on
        this device. A common user is a user who is common
        across SNMP, CLI and other device access methods.

        Certain access methods might need the user created
        to be standards compliant. For example, for SNMP the
        user created needs to be compliant with RFC 3414
        (SNMP-USER-BASED-SM-MIB). When a common user is
        created in this table, a corresponding SNMP user is
        created in the 'usmUserTable' with the corresponding
        instance of usmUserStorageType set to readOnly.
        Similarly, when a common user is deleted from this
        table, the corresponding entry in the 'usmUserTable'
        is deleted."
    ::= { ccmUserConfig 5 }

ccmCommonUserEntry OBJECT-TYPE
    SYNTAX          CcmCommonUserEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the ccmCommonUserTable."
    INDEX           { ccmCommonUserName } 
    ::= { ccmCommonUserTable 1 }

CcmCommonUserEntry ::= SEQUENCE {
        ccmCommonUserName             SnmpAdminString,
        ccmCommonUserPassword         DisplayString,
        ccmCommonUserExpiryDate       DateAndTime,
        ccmCommonUserSshKeyFilename   SnmpAdminString,
        ccmCommonUserSshKeyConfigured TruthValue,
        ccmCommonUserSNMPAuthProtocol AutonomousType,
        ccmCommonUserSNMPPrivProtocol AutonomousType,
        ccmCommonUserCredType         INTEGER,
        ccmCommonUserStorageType      StorageType,
        ccmCommonUserRowStatus        RowStatus
}

ccmCommonUserName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..32))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Name of the common user." 
    ::= { ccmCommonUserEntry 1 }

ccmCommonUserPassword OBJECT-TYPE
    SYNTAX          DisplayString
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Password of the common user.

        For SNMP, this password is used for both authentication
        and privacy. For CLI and XML, it is used for
        authentication only.

        A zero-length string is always returned when this
        object is read, so the password is never disclosed
        through SNMP reads. Because a set operation on this
        object carries the password in the PDU, it should only
        be performed over an SNMPv3 session with privacy."
    DEFVAL          { ''H } 
    ::= { ccmCommonUserEntry 2 }

ccmCommonUserExpiryDate OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The date on which this user will expire. Note
        that non-date-related octets in this object are
        ignored.

        If all the date-related octets have the value
        '00'H, then the user never expires."
    DEFVAL          { '0000000000000000000000'H } 
    ::= { ccmCommonUserEntry 3 }

ccmCommonUserSshKeyFilename OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The name of the file storing the SSH public key.
        The SSH public key is used to authenticate the SSH
        session for this user. Note that this object
        applies only to CLI users.

        The content of the SSH key file can be one of the
        following:

           - SSH Public Key in OpenSSH format

           - SSH Public Key in IETF SECSH (Commercial
             SSH public key format)

           - SSH Client Certificate in PEM (privacy-enhanced
             mail format) from which the public key will be 
             extracted

           - SSH Client Certificate DN (Distinguished Name) 
             for certificate based authentication 

        This object is used to configure the SSH public key for
        a user. When this object is read, the agent may return
        a zero-length string. However, the value of the
        corresponding instance of ccmCommonUserSshKeyConfigured
        indicates whether the key is configured or not."
    DEFVAL          { ''H } 
    ::= { ccmCommonUserEntry 4 }

ccmCommonUserSshKeyConfigured OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object specifies whether the user corresponding
        to this entry is configured with an SSH public key.

        The value 'true' indicates that the user is
        configured with an SSH public key. The value 'false'
        indicates the user is not configured with an SSH public
        key."
    ::= { ccmCommonUserEntry 5 }

ccmCommonUserSNMPAuthProtocol OBJECT-TYPE
    SYNTAX          AutonomousType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "An indication of whether messages sent on behalf of
        this user to/from the SNMP engine can be authenticated,
        and if so, the type of authentication protocol which is
        used.

        An instance of this object is created concurrently
        with the creation of any other object instance for
        the same user (i.e., as part of the processing of
        the set operation which creates the first object
        instance in the same conceptual row).

        If an initial set operation (i.e. at row creation time)
        tries to set a value for an unknown or unsupported
        protocol, then a 'wrongValue' error must be returned.

        Once instantiated, the value of such an instance of
        this object can only be changed via a set operation to
        the value of the usmNoAuthProtocol.

        If a set operation tries to change the value of an
        existing instance of this object to any value other
        than usmNoAuthProtocol, then an 'inconsistentValue'
        error must be returned.

        If a set operation tries to set the value to the
        usmNoAuthProtocol while the 
        ccmCommonUserSNMPPrivProtocol value in the same row is
        not equal to usmNoPrivProtocol, then an 
        'inconsistentValue' error must be returned. That means
        that an SNMP command generator application must first
        ensure that the usmUserPrivProtocol is set to the 
        usmNoPrivProtocol value before it can set the 
        usmUserAuthProtocol value to usmNoAuthProtocol.

        The value of an instance of this object directly maps
        to a corresponding instance of usmUserAuthProtocol in
        the usmUserTable."
    DEFVAL          { usmNoAuthProtocol } 
    ::= { ccmCommonUserEntry 6 }

ccmCommonUserSNMPPrivProtocol OBJECT-TYPE
    SYNTAX          AutonomousType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "An indication of whether messages sent on behalf of
        this user to/from the SNMP engine can be protected 
        from disclosure, and if so, the type of privacy 
        protocol which is used.

        An instance of this object is created concurrently
        with the creation of any other object instance for
        the same user (i.e., as part of the processing of
        the set operation which creates the first object
        instance in the same conceptual row).

        If an initial set operation (i.e. at row creation time)
        tries to set a value for an unknown or unsupported
        protocol, then a 'wrongValue' error must be returned.

        Once instantiated, the value of such an instance of
        this object can only be changed via a set operation to
        the value of the usmNoPrivProtocol.

        If a set operation tries to change the value of an
        existing instance of this object to any value other
        than usmNoPrivProtocol, then an 'inconsistentValue'
        error must be returned.

        Note that if any privacy protocol is used, then you
        must also use an authentication protocol. In other
        words, if usmUserPrivProtocol is set to anything else
        than usmNoPrivProtocol, then the corresponding instance
        of usmUserAuthProtocol cannot have a value of 
        usmNoAuthProtocol. If it does, then an 
        'inconsistentValue' error must be returned.

        The value of an instance of this object directly maps
        to a corresponding instance of usmUserPrivProtocol in
        the usmUserTable."
    DEFVAL          { usmNoPrivProtocol } 
    ::= { ccmCommonUserEntry 7 }

ccmCommonUserCredType OBJECT-TYPE
    SYNTAX          INTEGER  {
                        none(1),
                        localCredentialStore(2),
                        remoteCredentialStore(3)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The type of the credential store of the user.

        When a row is created in this table by a user, the
        user entry is created in a credential store local to
        the device.

        In the case of a remote authentication mechanism, such
        as AAA-server-based authentication, the credentials are
        stored on another (remote) system or device."
    ::= { ccmCommonUserEntry 8 }

ccmCommonUserStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The storage type for this conceptual row.
        Conceptual rows having the value 'permanent' need
        not allow write-access to any columnar objects in
        the row."
    DEFVAL          { nonVolatile } 
    ::= { ccmCommonUserEntry 9 }

ccmCommonUserRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Status of the user." 
    ::= { ccmCommonUserEntry 10 }
 

-- ccmCommonUserRoleTable

ccmCommonUserRoleTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CcmCommonUserRoleEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table provides a mechanism to map a common
        user represented by ccmCommonUserName to one or
        more roles. These roles provide access control
        policies for a principal. Note that all the roles
        used in this table have to be present in the
        commonRoleTable of CISCO-COMMON-ROLES-MIB.

        For common user-to-role assignments created in this
        table, for SNMP user access, the corresponding
        entries are created in the vacmSecurityToGroupTable
        (of SNMP-VIEW-BASED-ACM-MIB) in line with the View-based
        Access Control Model (RFC 3415) and in the
        cvacmSecurityToGroupTable (of CISCO-SNMP-VACM-EXT-MIB)
        to represent all the mappings. All such instances in
        SNMP tables are created with the corresponding
        StorageType set to readOnly.

        Note that it is not necessary to update this table if
        the user-role mapping data is changed using the
        corresponding access methods, e.g., if the SNMPv3
        user-group mapping using vacmSecurityToGroupTable
        and cvacmSecurityToGroupTable is changed, it is not
        necessary to reflect that change in this table.
        Consequently, this table may not reflect the effective
        SNMPv3 user-group mappings when they have been changed
        directly in those tables."
    ::= { ccmUserConfig 6 }

ccmCommonUserRoleEntry OBJECT-TYPE
    SYNTAX          CcmCommonUserRoleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the
        ccmCommonUserRoleTable."
    INDEX           {
                        ccmCommonUserName,
                        ccmCommonUserRoleName
                    } 
    ::= { ccmCommonUserRoleTable 1 }

CcmCommonUserRoleEntry ::= SEQUENCE {
        ccmCommonUserRoleName        SnmpAdminString,
        ccmCommonUserRoleStorageType StorageType,
        ccmCommonUserRoleRowStatus   RowStatus
}

ccmCommonUserRoleName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..32))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Name of the role." 
    ::= { ccmCommonUserRoleEntry 1 }

ccmCommonUserRoleStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The storage type for this conceptual row.
        Conceptual rows having the value 'permanent' need
        not allow write-access to any columnar objects in
        the row."
    DEFVAL          { nonVolatile } 
    ::= { ccmCommonUserRoleEntry 2 }

ccmCommonUserRoleRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Status of the role list entry." 
    ::= { ccmCommonUserRoleEntry 3 }
 


-- timeout for caching user entries with remote authentication.

ccmCommonUserCacheTimeout OBJECT-TYPE
    SYNTAX          Unsigned32 (1..86400)
    UNITS           "seconds"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the maximum time for which
        user credentials are cached in the local system.
        Such caching is used with remote authentication
        mechanisms such as AAA-server-based authentication.
        This applies to the common user entries as
        represented by 'ccmCommonUserTable' where
        the value of 'ccmCommonUserCredType' is
        'remoteCredentialStore'. Note that a longer timeout
        lengthens the window during which credentials that
        have been changed or revoked on the remote server may
        still be accepted from the local cache."
    ::= { ccmUserConfig 7 }
-- Conformance

ciscoCommonMgmtMIBCompliances  OBJECT IDENTIFIER
    ::= { ciscoCommonMgmtMIBConform 1 }

ciscoCommonMgmtMIBGroups  OBJECT IDENTIFIER
    ::= { ciscoCommonMgmtMIBConform 2 }


ciscoCommonMgmtMIBCompliance MODULE-COMPLIANCE
    STATUS          obsolete
    DESCRIPTION
        "The compliance statement for entities which
        implement the CISCO-COMMON-MGMT-MIB."
    MODULE          -- this module
    MANDATORY-GROUPS { ccmConfigurationGroup }

    OBJECT          ccmCommonUserRowStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    DESCRIPTION
        "Only 'createAndGo', 'destroy' and 'active' need to be
        supported."

    OBJECT          ccmCommonUserRoleRowStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    DESCRIPTION
        "Only 'createAndGo', 'destroy' and 'active' need to be
        supported."
    ::= { ciscoCommonMgmtMIBCompliances 1 }

ciscoCommonMgmtMIBCompliance1 MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for entities which
        implement the CISCO-COMMON-MGMT-MIB."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        ccmConfigurationGroup,
                        ccmCacheTimeoutConfigGroup
                    }

    OBJECT          ccmCommonUserRowStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    DESCRIPTION
        "Only 'createAndGo', 'destroy' and 'active' need to be
        supported."

    OBJECT          ccmCommonUserRoleRowStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    DESCRIPTION
        "Only 'createAndGo', 'destroy' and 'active' need to be
        supported."
    ::= { ciscoCommonMgmtMIBCompliances 2 }

-- Units of Conformance

ccmConfigurationGroup OBJECT-GROUP
    OBJECTS         {
                        ccmCommonMaxUsers,
                        ccmCommonUsers,
                        ccmCommonUsersGlobalEnforcePriv,
                        ccmCommonUserLastChange,
                        ccmCommonUserPassword,
                        ccmCommonUserExpiryDate,
                        ccmCommonUserSshKeyFilename,
                        ccmCommonUserSshKeyConfigured,
                        ccmCommonUserSNMPAuthProtocol,
                        ccmCommonUserSNMPPrivProtocol,
                        ccmCommonUserCredType,
                        ccmCommonUserStorageType,
                        ccmCommonUserRowStatus,
                        ccmCommonUserRoleStorageType,
                        ccmCommonUserRoleRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects for Common Management
        configuration."
    ::= { ciscoCommonMgmtMIBGroups 1 }

ccmCacheTimeoutConfigGroup OBJECT-GROUP
    OBJECTS         { ccmCommonUserCacheTimeout }
    STATUS          current
    DESCRIPTION
        "A collection of objects for configuring
        timeout value for caching the user
        credentials in the local system."
    ::= { ciscoCommonMgmtMIBGroups 2 }

END