[SNMP4J] vacm.addAccess not adding entry properly causing Access denied by VACM for traps (view not found)

Alex Punnen alexcpn at gmail.com
Wed Dec 8 15:29:17 CET 2010


Hi,

 I am getting the error
"WARN org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl  - Access denied
by VACM for 1.3.6.1.6.3.1.1.5.1" (coldStartTrap) when I use the test agent,
but I am able to get this trap while using SampleAgent.

I debugged a bit and was trying to compare the output of *TestAgent*
and *SampleAgent*.

In TestAgent, though I create the VACM with exact context match, in the trace I
am getting

 vacm.addAccess(new OctetString("v1v2cgroup"), new OctetString("public"),
            SecurityModel.SECURITY_MODEL_SNMPv2c,
            SecurityLevel.NOAUTH_NOPRIV,
            MutableVACM.VACM_MATCH_EXACT,
            new OctetString("fullReadView"),
            new OctetString("fullWriteView"),
            new OctetString("fullNotifyView"),
            StorageType.permanent);

Because of this I guess the method *getViewNameByGroup* in *VacmMIB* is
failing to find a match

 System.out.println("Matching against access entry "+row+
              " with exactContextMatch="+exactContextMatch+
              ", prefixMatch="+prefixMatch+
              ", matchSecModel="+matchSecModel+
              " and matchSecLevel="+matchSecLevel);

Basically it does not go into the if block of the method (if(false & true) =
if(false))

      if ((exactContextMatch || prefixMatch) &&
          (matchSecModel) &&
          matchSecLevel)  {

Hence it does not go into

 if (possibleMatch != null) {
   case VACM.VIEW_NOTIFY: {
          viewName = (OctetString)
              possibleMatch.getValue(idxVacmAccessNotifyViewName);
          break;

Just to test, I put this as true and I am seeing the trap

    System.out.println("Matching against access entry "+row+
              " with exactContextMatch="+exactContextMatch+
              ", prefixMatch="+prefixMatch+
              ", matchSecModel="+matchSecModel+
              " and matchSecLevel="+matchSecLevel);
      //TODO: ACP
      exactContextMatch = true; //just a test


*1*. So the question is: why does setting
 MutableVACM.VACM_MATCH_EXACT in vacm.addAccess not give the desired result?

*2*. Also, I was wondering how the SampleAgent created this properly using
the property file; is it not also calling the same VacmMIB methods as
TestAgent?

*3*. We need to write an SNMP agent; which approach is suggested, the
SampleAgent way via the config file or extending from the BaseAgent?

Thanks in advance for the response; else I continue to grope and post :)


*Test Agent*

*Original flow*

A;'';';CM access requested for context=, securityName=public,
securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
Gropuname=v1v2cgroup
Got views
[DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
fullReadView, fullWriteView, fullNotifyView, 4, 1]] for group name
'v1v2cgroup'

Matching against access entry
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
fullReadView, fullWriteView, fullNotifyView, 4, 1] with
exactContextMatch=false, prefixMatch=false, matchSecModel=true and
matchSecLevel=true
297 [main] WARN org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl  -
Access denied by VACM for 1.3.6.1.6.3.1.1.5.1


*Test flow with exactContextMatch= true*

VA;'';';CM access requested for context=, securityName=public,
securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
Gropuname=v1v2cgroup
Got views
[DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
fullReadView, fullWriteView, fullNotifyView, 4, 1]] for group name
'v1v2cgroup'
Matching against access entry
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
fullReadView, fullWriteView, fullNotifyView, 4, 1] with
exactContextMatch=false, prefixMatch=false, matchSecModel=true and
matchSecLevel=true
234 [main] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view found for
group name 'v1v2cgroup' is 'fullNotifyView'
234 [main] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Access allowed for view
'fullNotifyView' by subtree 1.3 for OID 1.3.6.1.6.3.1.1.5.1
234 [main] INFO org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl  - Test
-Trap Sending to address 7f:00:00:01:00:a2
234 [main] DEBUG org.snmp4j.Snmp  - Running pending sync request with handle
PduHandle[1360809839] and retry count left 1

*Sample Agent*

Original Flow

VA;'';';CM access requested for context=, securityName=public,
securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
Gropuname=v1v2cgroup
Got views
[DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.1.1,
values=[1, unrestrictedReadView, unrestrictedWriteView,
unrestrictedNotifyView, 4, 1],
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.2.1,
values=[1, unrestrictedReadView, unrestrictedWriteView,
unrestrictedNotifyView, 4, 1]] for group name 'v1v2cgroup'


Matching against access entry
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.1.1,values=[1,
unrestrictedReadView, unrestrictedWriteView, unrestrictedNotifyView, 4, 1]
with exactContextMatch=true, prefixMatch=false, matchSecModel=false and
matchSecLevel=true

Matching against access entry
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.2.1,values=[1,
unrestrictedReadView, unrestrictedWriteView, unrestrictedNotifyView, 4, 1]
with exactContextMatch=true, prefixMatch=false, matchSecModel=true and
matchSecLevel=true



------------



Best Regards,
Alex.C.P
-----------------------------------------
Nokia Siemens Network India Pvt Ltd,
-----------------------------------------
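
Added example (not part of the original post and not SNMP4J code): the row indexes printed in the two traces above, decoded as vacmAccessTable indexes (groupName, contextPrefix, securityModel, securityLevel per RFC 3415) and checked against the empty context shown in the traces. The class and helper names (VacmIndexCheck, decode, readString, contextMatches) are hypothetical, and the match rule is the RFC's vacmAccessContextMatch definition rather than the library's own implementation.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class VacmIndexCheck {
    // Decoded vacmAccessTable index (RFC 3415): groupName, contextPrefix, securityModel, securityLevel.
    record AccessIndex(String group, String contextPrefix, int secModel, int secLevel) {}

    // Index layout: <len>.<groupName bytes>.<len>.<contextPrefix bytes>.<secModel>.<secLevel>
    static AccessIndex decode(String dotted) {
        int[] s = Arrays.stream(dotted.split("\\.")).mapToInt(Integer::parseInt).toArray();
        int pos = 0;
        String group = readString(s, pos);
        pos += 1 + s[pos];                 // skip length byte plus groupName
        String prefix = readString(s, pos);
        pos += 1 + s[pos];                 // skip length byte plus contextPrefix
        return new AccessIndex(group, prefix, s[pos], s[pos + 1]);
    }

    // Reads one length-prefixed string starting at sub-identifier position pos.
    static String readString(int[] s, int pos) {
        byte[] b = new byte[s[pos]];
        for (int i = 0; i < b.length; i++) b[i] = (byte) s[pos + 1 + i];
        return new String(b, StandardCharsets.US_ASCII);
    }

    // RFC 3415 rule: exact(1) requires equality, prefix(2) requires the context to start with the prefix.
    static boolean contextMatches(String context, String prefix, int contextMatch) {
        return contextMatch == 1 ? context.equals(prefix) : context.startsWith(prefix);
    }

    public static void main(String[] args) {
        String context = ""; // "context=" in the traces: the request uses the empty context
        String[] rows = {    // row indexes copied from the traces in the post
            "10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1", // TestAgent
            "10.118.49.118.50.99.103.114.111.117.112.0.2.1"                        // SampleAgent
        };
        for (String row : rows) {
            AccessIndex ix = decode(row);
            // values[0] = 1 in both rows, i.e. vacmAccessContextMatch = exact
            System.out.printf("group=%s contextPrefix='%s' model=%d level=%d exactContextMatch=%b%n",
                ix.group(), ix.contextPrefix(), ix.secModel(), ix.secLevel(),
                contextMatches(context, ix.contextPrefix(), 1));
        }
    }
}
```

Requires Java 16 or later for records. The TestAgent row decodes with "public" as its context prefix while the SampleAgent row has an empty one, which lines up with the exactContextMatch values printed in the two traces.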


