[SNMP4J] Wrong digest is a right digest

Frank Fock fock at agentpp.com
Mon Nov 22 23:02:16 CET 2004


Hello Chris,

The digest is not the password but rather a hash on the message's payload.
If the digest matches the digest computed by the receiving entity, that
entity has proven that the message is authentic. If it does not match, the
message has either been altered or the authentication keys are not the same.
Of course, it could be a problem on the SNMP4J side, but I have also
seen SNMP agents that have BER encoding flaws causing them to compute
an incorrect digest.

In your case the problem is probably caused because you use several Snmp
instances. By creating a Snmp instance, a new MPv3 instance is added to
the message dispatcher and a new USM instance replaces an existing USM
in the security protocols singleton (which is bad).

I am currently changing the code so that existing security protocols will
not be changed by new Snmp instances. Until these changes can be made
available, you can try to create all the Snmp instances before the threads
are started or to share a single Snmp instance.

Another option would be to create a unique engine ID for each Snmp instance
and to create a USM for each instance and subclass SecurityProtocols to add
that new USM to it and then assign each SecurityProtocols subclass instance
to the MPv3 of each Snmp instance. OK, this is a bit complicated so I do not
recommend it ;-)

Best regards,
Frank

chk-world at gmx.de wrote:

>Hello,
>
>I don't know if this is related to the USM class case (see
>http://p15141779.pureserver.info/pipermail/snmp4j/2004-November/000215.html)
>but the following problems occurred in further tests with the 1.0.4b and
>frequent calling of sendPDU():
>
>WARN [Thread-28] snmp4j.MessageDispatcherImpl (dispatchMessage:226) -
>1.3.6.1.6.3.15.1.1.5.0 = 1 <- counts up
>
>Also I more often get as result a "Wrong digest" error from the agent. 
>
>The background for better understanding: I have setup a test network with
>two switches which are on ip 192.168.0.4 and 192.168.0.5 in this network.
>They both have similar but different engineIDs. The error sometimes comes
>from switch 1, after a few queries which work ok from the other switch.
>
>I poll the two switches with about 6 oids every second from different
>threads with different snmp instances.
>
>This error seems strange to me since the "digest" (which means the password I
>guess?) can't be wrong because it's working in 5 of 10 queries.
>
>Best regards,
>Chris
>
>  
>
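
An added example, not part of the original thread and not SNMP4J code, of the digest check the reply describes: per RFC 3414 the digest is a keyed hash over the serialized message, and the key is localized to one engine ID, so a correct password still yields a "wrong digest" when the key belongs to another engine or the message bytes differ. It assumes HMAC-MD5-96 (the thread does not say which protocol was used); the function names, ENGINE_B and MESSAGE are constructed for illustration.

```python
import hashlib
import hmac

def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: MD5 over the password repeated to 1,048,576 octets."""
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.md5(stream).digest()

def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: bind the user key to one authoritative engine ID."""
    return hashlib.md5(ku + engine_id + ku).digest()

def usm_digest(localized_key: bytes, message: bytes) -> bytes:
    """HMAC-MD5-96: first 12 octets of HMAC-MD5 over the whole message,
    serialized with msgAuthenticationParameters set to 12 zero octets."""
    return hmac.new(localized_key, message, hashlib.md5).digest()[:12]

def agent_accepts(localized_key: bytes, message: bytes, received: bytes) -> bool:
    """Receiver side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(usm_digest(localized_key, message), received)

# Sample values: password and ENGINE_A are the RFC 3414 A.3.1 test vector;
# ENGINE_B and MESSAGE are constructed (MESSAGE is a stand-in, not real BER).
PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")  # similar but different
MESSAGE = b"hdr|" + bytes(12) + b"|scopedPDU: get sysUpTime.0"

def demo() -> dict:
    ku = password_to_key_md5(PASSWORD)
    key_a = localize_key(ku, ENGINE_A)
    key_b = localize_key(ku, ENGINE_B)
    digest = usm_digest(key_a, MESSAGE)  # sender used engine A's key
    tampered = MESSAGE.replace(b"sysUpTime", b"sysContact")
    return {
        "engine_a_accepts": agent_accepts(key_a, MESSAGE, digest),
        "engine_b_accepts": agent_accepts(key_b, MESSAGE, digest),
        "tampered_accepted": agent_accepts(key_a, tampered, digest),
    }

if __name__ == "__main__":
    print(demo())
```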




