[SNMP4J] Problem with identical user name

Vivi Zhang vzhang at anuesystems.com
Fri Oct 2 15:29:22 CEST 2009


Frank:

I am new to SNMP and SNMPv3. I guess I missed something here.

RFC 3415 defines vacmAccessNotifyViewName as follows:

vacmAccessNotifyViewName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes access for notifications.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { vacmAccessEntry 7 }

And it defines vacmBasicGroup which contains the field of
vacmAccessNotifyViewName.

In the SNMP4J TestAgent, a v3NotifyGroup is defined as:

    vacmMIB.addViewTreeFamily(new OctetString("fullNotifyView"),
            new OID("1.3"), new OctetString(), VacmMIB.vacmViewIncluded,
            StorageType.nonVolatile);

    vacmMIB.addAccess(new OctetString("v3NotifyGroup"), new OctetString(),
            SecurityModel.SECURITY_MODEL_USM,
            SecurityLevel.NOAUTH_NOPRIV,
            MutableVACM.VACM_MATCH_EXACT,
            new OctetString("fullReadView"),
            new OctetString("fullWriteView"),
            new OctetString("fullNotifyView"),
            StorageType.nonVolatile);

I can easily add another access group with different notify view.

I interpreted that as meaning an SNMP agent can support multiple
notification recipients with different access groups. For example, an
agent application can have two notification targets: one for
linkup/linkdown events only (no action for warm start events), another
for warm start events only.

Is there any clause in the RFC that prevents this kind of usage?

Is it common practice that an agent application has one access view which
includes the root of the SNMP MIB? Does allowing or disabling a type of
trap apply to all notification recipients?

Thanks a lot.

Vivi


Frank Fock wrote:
> The VACM is used for the local SNMP entity
> only. Thus, there cannot be engine ID clashes.
>
> Regards,
> Frank
>
> Vivi Zhang wrote:
>> Frank.
>>
>> Thank you very much for quick response.
>>
>> I see the usmUserTable is keyed by the usmUser's securityName and 
>> engineId. So the USM.addUser() API has no problem putting two users 
>> in the userTable, as long as they have different engine IDs.
>>
>> My next question is how to locate the access group from the VacmMIB. In 
>> the VacmMIB class, the addGroup API associates a securityName with a 
>> groupName:
>>
>>     public void addGroup(int securityModel, OctetString securityName,
>>                          OctetString groupName, int storageType)
>>
>> The key of the access group is (securityModel, securityName). How 
>> to avoid that the second addGroup call overrides the entry created by 
>> the first addGroup call in the case I gave in my previous email: two 
>> notification targets share the same V3 username?
>>
>> Thanks again.
>>
>> Vivi
>>
>> Frank Fock wrote:
>>> Hi Vivi,
>>>
>>> Yes, with SNMP4J you can use the same
>>> security/user name for different SNMPv3 entities
>>> (with different passphrases). In that case,
>>> you need to use localized keys instead of
>>> (clear text) passphrases.
>>>
>>> Best regards,
>>> Frank
>>>
>>> Vivi Zhang wrote:
>>>> Hi,
>>>>
>>>> I am working on an SNMP agent application using SNMP4J.
>>>>
>>>> I would like to support multiple V3 notification recipients, 
>>>> potentially, with identical user name.
>>>>
>>>> Here is an example of a special case; I have two notification 
>>>> recipients:
>>>> V3 notification recipient
>>>>   Ip : 192.168.33.33 / 162
>>>>   engineId :    engineId33
>>>>   username :  bob
>>>>   Auth Protocol : MD5
>>>>   AuthPass :        MD5Pass
>>>>   Priv Protocol :  AES
>>>>   PrivPass:          AESPass
>>>>
>>>> V3 notification recipient
>>>>   Ip : 192.168.33.34 / 162
>>>>   engineId :    engineId34
>>>>   username :  bob
>>>>   Auth Protocol : MD5
>>>>   AuthPass :        MD5Pass
>>>>   Priv Protocol :  DES
>>>>   PrivPass:          DESPass
>>>>
>>>> Here, since the privacy credentials are different, I cannot reuse 
>>>> the same UsmUser object.
>>>> I wonder if SNMP4J supports this kind of use case.
>>>>
>>>> Thanks.
>>>>
>>>> Vivi
>>>> _______________________________________________
>>>> SNMP4J mailing list
>>>> SNMP4J at agentpp.org
>>>> http://lists.agentpp.org/mailman/listinfo/snmp4j
>>>
>>
>
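The VACM lookup this thread is about, as an added example that is not SNMP4J's own code: a small Python model of the three RFC 3415 tables that VacmMIB.addGroup, addAccess and addViewTreeFamily fill, used to check a notification OID against a recipient's notify view. The view names, the security names bobLink/bobWarm and the group names are constructed for the demo, and view masks are treated as all-ones as in the TestAgent snippet; the override seen when two addGroup calls share (securityModel, securityName) follows from the same key.

```python
# Added example (not SNMP4J code): a small model of the three RFC 3415 VACM tables
# that VacmMIB.addGroup / addAccess / addViewTreeFamily populate, used to check a
# notification OID against a notify view. Masks are treated as empty (all-ones).
USM = 3                     # SecurityModel.SECURITY_MODEL_USM
NOAUTH_NOPRIV = 1           # SecurityLevel.NOAUTH_NOPRIV
INCLUDED, EXCLUDED = 1, 2   # VacmMIB.vacmViewIncluded / vacmViewExcluded
WARM_START = (1, 3, 6, 1, 6, 3, 1, 1, 5, 2)   # SNMPv2 generic trap OIDs
LINK_UP = (1, 3, 6, 1, 6, 3, 1, 1, 5, 4)

class Vacm:
    def __init__(self):
        self.groups = {}   # (securityModel, securityName) -> groupName
        self.access = {}   # (groupName, contextPrefix, model, level) -> (read, write, notify)
        self.views = {}    # viewName -> [(subtree, type)]

    def add_group(self, model, sec_name, group):
        # same key as VacmMIB.addGroup: a second call for (model, name) replaces the first
        self.groups[(model, sec_name)] = group

    def add_access(self, group, ctx, model, level, read, write, notify):
        self.access[(group, ctx, model, level)] = (read, write, notify)

    def add_view_tree_family(self, view, subtree, vtype):
        self.views.setdefault(view, []).append((tuple(subtree), vtype))

    def notify_view(self, ctx, model, sec_name, level):
        group = self.groups.get((model, sec_name))
        # exact context match; the highest entry level <= the request level wins
        rows = [(lvl, v[2]) for (g, c, m, lvl), v in self.access.items()
                if g == group and c == ctx and m == model and lvl <= level]
        return (max(rows)[1] or None) if rows else None   # '' (DEFVAL ''H) => no access

    def in_view(self, view, oid):
        # the longest subtree that is a prefix of the OID decides (RFC 3415, simplified)
        hits = [(s, t) for s, t in self.views.get(view, []) if oid[:len(s)] == s]
        return bool(hits) and max(hits, key=lambda h: len(h[0]))[1] == INCLUDED

    def notification_allowed(self, ctx, model, sec_name, level, oid):
        view = self.notify_view(ctx, model, sec_name, level)
        return view is not None and self.in_view(view, oid)

def build_demo():
    """Two recipients: one gets link events only, the other warm starts only."""
    v = Vacm()
    v.add_view_tree_family("linkNotifyView", LINK_UP, INCLUDED)
    v.add_view_tree_family("warmStartView", WARM_START, INCLUDED)
    v.add_group(USM, "bobLink", "linkGroup")   # distinct securityNames -> distinct groups
    v.add_group(USM, "bobWarm", "warmGroup")
    v.add_access("linkGroup", "", USM, NOAUTH_NOPRIV, "", "", "linkNotifyView")
    v.add_access("warmGroup", "", USM, NOAUTH_NOPRIV, "", "", "warmStartView")
    return v
```

Calling add_group twice with the same (USM, "bob") keeps only the second group, which is the override asked about in the thread; a notify view name of "" yields no access, matching the DEFVAL in the RFC excerpt.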