[SNMP4J] vacm.addAccess not adding entry properly causing Access denied by VACM for traps (view not found)
Alex Punnen
alexcpn at gmail.com
Wed Dec 8 15:29:17 CET 2010
Hi,
I am getting the error
"WARN org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl - Access denied
by VACM for 1.3.6.1.6.3.1.1.5.1" (coldStartTrap) when I use the test agent,
but I am able to get this trap while using SampleAgent.
I debugged a bit and was trying to compare the output of *TestAgent* and
*SampleAgent*.
In TestAgent, though I create the VACM with exact context match, in the trace I
am getting
    vacm.addAccess(new OctetString("v1v2cgroup"), new OctetString("public"),
                   SecurityModel.SECURITY_MODEL_SNMPv2c,
                   SecurityLevel.NOAUTH_NOPRIV,
                   MutableVACM.VACM_MATCH_EXACT,
                   new OctetString("fullReadView"),
                   new OctetString("fullWriteView"),
                   new OctetString("fullNotifyView"),
                   StorageType.permanent);
Because of this, I guess the method *getViewNameByGroup* in *VacmMIB* is
failing to find a match
    System.out.println("Matching against access entry "+row+
                       " with exactContextMatch="+exactContextMatch+
                       ", prefixMatch="+prefixMatch+
                       ", matchSecModel="+matchSecModel+
                       " and matchSecLevel="+matchSecLevel);
Basically it does not go into the if loop of the method (if(false & true) =
if(false))
    if ((exactContextMatch || prefixMatch) &&
        (matchSecModel) &&
        matchSecLevel) {
Hence it does not go into
    if (possibleMatch != null) {
        case VACM.VIEW_NOTIFY: {
            viewName = (OctetString)
                possibleMatch.getValue(idxVacmAccessNotifyViewName);
            break;
Just to test, I put this as true and I am seeing the trap
    System.out.println("Matching against access entry "+row+
                       " with exactContextMatch="+exactContextMatch+
                       ", prefixMatch="+prefixMatch+
                       ", matchSecModel="+matchSecModel+
                       " and matchSecLevel="+matchSecLevel);
    //ToDO: ACP
    exactContextMatch = true; //just a test
*1*. So the question is: why is setting MutableVACM.VACM_MATCH_EXACT in
vacm.addAccess not giving the desired result?
*2*. Also, I was wondering how the SampleAgent created this properly using
the property file; is it not also calling the same VacmMIB methods as
TestAgent?
*3*. We need to write an SNMP agent; which approach is suggested, the
SampleAgent way via the config file or extending from the BaseAgent?
Thanks in advance for the response; else I continue to grope and post :)
*Test Agent*
*Original flow*
A;'';';CM access requested for context=, securityName=public,
securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
Gropuname=v1v2cgroup
Got views
[DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
fullReadView, fullWriteView, fullNotifyView, 4, 1]] for group name
'v1v2cgroup'
Matching against access entry
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
fullReadView, fullWriteView, fullNotifyView, 4, 1] with
exactContextMatch=false, prefixMatch=false, matchSecModel=true and
matchSecLevel=true
297 [main] WARN org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl -
Access denied by VACM for 1.3.6.1.6.3.1.1.5.1
*Test flow with exactContextMatch= true*
VA;'';';CM access requested for context=, securityName=public,
securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
Gropuname=v1v2cgroup
Got views
[DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
fullReadView, fullWriteView, fullNotifyView, 4, 1]] for group name
'v1v2cgroup'
Matching against access entry
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
fullReadView, fullWriteView, fullNotifyView, 4, 1] with
exactContextMatch=false, prefixMatch=false, matchSecModel=true and
matchSecLevel=true
234 [main] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching view found for
group name 'v1v2cgroup' is 'fullNotifyView'
234 [main] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Access allowed for view
'fullNotifyView' by subtree 1.3 for OID 1.3.6.1.6.3.1.1.5.1
234 [main] INFO org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl - Test
-Trap Sending to address 7f:00:00:01:00:a2
234 [main] DEBUG org.snmp4j.Snmp - Running pending sync request with handle
PduHandle[1360809839] and retry count left 1
*Sample Agent*
Original Flow
VA;'';';CM access requested for context=, securityName=public,
securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
Gropuname=v1v2cgroup
Got views
[DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.1.1,
values=[1, unrestrictedReadView, unrestrictedWriteView,
unrestrictedNotifyView, 4, 1],
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.2.1,
values=[1, unrestrictedReadView, unrestrictedWriteView,
unrestrictedNotifyView, 4, 1]] for group name 'v1v2cgroup'
Matching against access entry
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.1.1,values=[1,
unrestrictedReadView, unrestrictedWriteView, unrestrictedNotifyView, 4, 1]
with exactContextMatch=true, prefixMatch=false, matchSecModel=false and
matchSecLevel=true
Matching against access entry
DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.2.1,values=[1,
unrestrictedReadView, unrestrictedWriteView, unrestrictedNotifyView, 4, 1]
with exactContextMatch=true, prefixMatch=false, matchSecModel=true and
matchSecLevel=true
------------
Best Regards,
Alex.C.P
-----------------------------------------
Nokia Siemens Network India Pvt Ltd,
-----------------------------------------
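
Added example, not part of the original post and not SNMP4J code: a stand-alone Java decoder for the vacmAccessTable row indexes printed in the trace above, followed by the RFC 3415 context, security-model and security-level checks against the logged request (empty context, securityModel=2, securityLevel=1). Class and method names are hypothetical, and it assumes the first logged column value (1) is vacmAccessContextMatch = exact.

```java
import java.util.Arrays;

// Added example (not SNMP4J code). Needs Java 16+ for records.
public class VacmIndexCheck {
    // vacmAccessContextMatch values from RFC 3415
    static final int MATCH_EXACT = 1, MATCH_PREFIX = 2;

    // vacmAccessTable index: groupName, contextPrefix, securityModel, securityLevel
    record AccessIndex(String group, String contextPrefix, int secModel, int secLevel) {}

    static AccessIndex decode(String dotted) {
        int[] sub = Arrays.stream(dotted.split("\\.")).mapToInt(Integer::parseInt).toArray();
        String[] text = new String[2];
        int pos = 0;
        for (int i = 0; i < 2; i++) {              // two length-prefixed octet strings
            if (pos >= sub.length || sub[pos] < 0 || pos + 1 + sub[pos] > sub.length)
                throw new IllegalArgumentException("truncated index: " + dotted);
            int len = sub[pos++];
            StringBuilder sb = new StringBuilder();
            for (int j = 0; j < len; j++) sb.append((char) sub[pos++]);
            text[i] = sb.toString();
        }
        if (sub.length - pos != 2) throw new IllegalArgumentException("malformed index: " + dotted);
        return new AccessIndex(text[0], text[1], sub[pos], sub[pos + 1]);
    }

    static boolean contextMatches(AccessIndex row, int matchType, String requestContext) {
        return matchType == MATCH_PREFIX
                ? requestContext.startsWith(row.contextPrefix())
                : requestContext.equals(row.contextPrefix());
    }

    public static void main(String[] args) {
        // Row indexes copied from the trace; match type 1 (exact) is assumed from the logged values.
        String[][] rows = {
            {"TestAgent",   "10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1"},
            {"SampleAgent", "10.118.49.118.50.99.103.114.111.117.112.0.1.1"},
            {"SampleAgent", "10.118.49.118.50.99.103.114.111.117.112.0.2.1"},
        };
        String context = "";          // "context=" in the trace
        int model = 2, level = 1;     // securityModel=2, securityLevel=1 in the trace
        for (String[] r : rows) {
            AccessIndex idx = decode(r[1]);
            boolean ctx = contextMatches(idx, MATCH_EXACT, context);
            boolean mod = idx.secModel() == 0 || idx.secModel() == model;  // 0 = any (RFC 3411)
            boolean lvl = idx.secLevel() <= level;   // row holds the minimum level required
            System.out.printf("%-11s group=%s contextPrefix='%s' model=%d level=%d -> context=%b model=%b level=%b%n",
                    r[0], idx.group(), idx.contextPrefix(), idx.secModel(), idx.secLevel(), ctx, mod, lvl);
        }
    }
}
```

Decoded this way, the TestAgent row carries the contextPrefix `public`, whereas both SampleAgent rows carry an empty contextPrefix.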