[SNMP4J] vacm.addAccess not adding entry properly causing Access denied by VACM for traps (view not found)

Alex Punnen alexcpn at gmail.com
Fri Dec 10 18:32:55 CET 2010


Hi,
I am using snmp4j-agent-1.4.1.

However, I found the problem after checking how the match was made; there
is no problem with SNMP4J.

Basically, the context string given should match; here it is null:

notificationOriginator.notify(new OctetString(), // empty context
                              SnmpConstants.coldStart,
                              new VariableBinding[0]);

So the context should be null in the VACM MIB also:

   vacm.addAccess(new OctetString("v1v2cgroup"),
            new OctetString(), // ACP context -- 3 which connects here; this should be empty
            SecurityModel.SECURITY_MODEL_ANY, // SecurityModel.SECURITY_MODEL_SNMPv2c,
            SecurityLevel.NOAUTH_NOPRIV,
            MutableVACM.VACM_MATCH_EXACT,
            new OctetString("fullReadView"),
            new OctetString("fullWriteView"),
            new OctetString("fullNotifyView"), // ACP 4 which checks the access here
            StorageType.permanent);

Thanks;

A related question: we need to do custom filtering based on the contents
of the trap (not the OID, so the filter in the notify table is not
effective). This means that if 2 NMSs are connected (in the target MIB),
the SNMP trap should be forwarded to only one NMS.

One way of doing this is extending the NotificationOriginatorImpl class so
that it can check the content of the trap PDU (where the destination NMS is
set as a varbind) and see if the value of the destination matches the entry
from the target MIB. This looks crude.

Is there any better way to achieve this? I thought of another crude way:
temporarily removing the entry from the target MIB for the NMS to which it
need not be routed. This also looks problematic.

Thanks for any suggestions or hints; I feel this is a regular use case and
there is something obvious I am missing.

Regards
Alex.C.P





On Thu, Dec 9, 2010 at 4:23 AM, Frank Fock <fock at agentpp.com> wrote:

> Hi,
>
> Which version of SNMP4J-Agent are you using?
>
> Best regards,
> Frank
>
> On 08.12.2010 15:29, Alex Punnen wrote:
> > Hi ,
> >
> > I am getting the error
> > "WARN org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl  - Access denied
> > by VACM for 1.3.6.1.6.3.1.1.5.1" (coldStartTrap) when I use the test agent,
> > but am able to get this trap while using SampleAgent.
> >
> > I debugged a bit and was trying to compare the output of TestAgent
> > and SampleAgent.
> >
> > In TestAgent, though I create the VACM with exact context match, in the
> > trace I am getting
> >
> >   vacm.addAccess(new OctetString("v1v2cgroup"), new OctetString("public"),
> >              SecurityModel.SECURITY_MODEL_SNMPv2c,
> >              SecurityLevel.NOAUTH_NOPRIV,
> >              MutableVACM.VACM_MATCH_EXACT,
> >              new OctetString("fullReadView"),
> >              new OctetString("fullWriteView"),
> >              new OctetString("fullNotifyView"),
> >              StorageType.permanent);
> >
> > Because of this I guess the method getViewNameByGroup in VacmMIB is
> > failing to find a match
> >
> >   System.out.println("Matching against access entry "+row+
> >                " with exactContextMatch="+exactContextMatch+
> >                ", prefixMatch="+prefixMatch+
> >                ", matchSecModel="+matchSecModel+
> >                " and matchSecLevel="+matchSecLevel);
> >
> > Basically it does not go into the if loop of the method
> > (if (false & true) = if (false))
> >
> >        if ((exactContextMatch || prefixMatch) &&
> >            (matchSecModel) &&
> >            matchSecLevel)  {
> >
> > Hence it does not go into
> >
> >   if (possibleMatch != null) {
> >     case VACM.VIEW_NOTIFY: {
> >            viewName = (OctetString)
> >                possibleMatch.getValue(idxVacmAccessNotifyViewName);
> >            break;
> >
> > Just to test, I put this as true and I am seeing the trap
> >
> >      System.out.println("Matching against access entry "+row+
> >                " with exactContextMatch="+exactContextMatch+
> >                ", prefixMatch="+prefixMatch+
> >                ", matchSecModel="+matchSecModel+
> >                " and matchSecLevel="+matchSecLevel);
> >      // ToDO: ACP
> >      exactContextMatch = true; // just a test
> >
> >
> > *1*. So the question is: why does setting MutableVACM.VACM_MATCH_EXACT
> > in vacm.addAccess not give the desired result?
> >
> > *2*. Also, I was wondering how the SampleAgent created this properly using
> > the property file; is it also not calling the same VacmMIB methods as
> > TestAgent?
> >
> > *3*. We need to write an SNMP agent; which approach is suggested, the
> > SampleAgent way via the config file or extending from the BaseAgent?
> >
> > Thanks in advance for the response; else I continue to grope and post :)
> >
> >
> > *Test Agent*
> >
> > *Original flow*
> >
> > A;'';';CM access requested for context=, securityName=public,
> > securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
> > Gropuname=v1v2cgroup
> > Got views
> > [DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
> > fullReadView, fullWriteView, fullNotifyView, 4, 1]] for group name
> > 'v1v2cgroup'
> >
> > Matching against access entry
> > DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
> > fullReadView, fullWriteView, fullNotifyView, 4, 1] with
> > exactContextMatch=false, prefixMatch=false, matchSecModel=true and
> > matchSecLevel=true
> > 297 [main] WARN org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl  -
> > Access denied by VACM for 1.3.6.1.6.3.1.1.5.1
> >
> >
> > *Test flow with exactContextMatch= true*
> >
> > VA;'';';CM access requested for context=, securityName=public,
> > securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
> > Gropuname=v1v2cgroup
> > Got views
> > [DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
> > fullReadView, fullWriteView, fullNotifyView, 4, 1]] for group name
> > 'v1v2cgroup'
> > Matching against access entry
> > DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
> > fullReadView, fullWriteView, fullNotifyView, 4, 1] with
> > exactContextMatch=false, prefixMatch=false, matchSecModel=true and
> > matchSecLevel=true
> > 234 [main] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view found
> > for group name 'v1v2cgroup' is 'fullNotifyView'
> > 234 [main] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Access allowed for
> > view 'fullNotifyView' by subtree 1.3 for OID 1.3.6.1.6.3.1.1.5.1
> > 234 [main] INFO org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl  -
> > Test -Trap Sending to address 7f:00:00:01:00:a2
> > 234 [main] DEBUG org.snmp4j.Snmp  - Running pending sync request with
> > handle PduHandle[1360809839] and retry count left 1
> >
> > *Sample Agent*
> >
> > Original Flow
> >
> > VA;'';';CM access requested for context=, securityName=public,
> > securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
> > Gropuname=v1v2cgroup
> > Got views
> > [DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.1.1,
> > values=[1, unrestrictedReadView, unrestrictedWriteView,
> > unrestrictedNotifyView, 4, 1],
> > DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.2.1,
> > values=[1, unrestrictedReadView, unrestrictedWriteView,
> > unrestrictedNotifyView, 4, 1]] for group name 'v1v2cgroup'
> >
> >
> > Matching against access entry
> > DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.1.1,values=[1,
> > unrestrictedReadView, unrestrictedWriteView, unrestrictedNotifyView, 4,
> > 1]
> > with exactContextMatch=true, prefixMatch=false, matchSecModel=false and
> > matchSecLevel=true
> >
> > Matching against access entry
> > DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.2.1,values=[1,
> > unrestrictedReadView, unrestrictedWriteView, unrestrictedNotifyView, 4,
> > 1]
> > with exactContextMatch=true, prefixMatch=false, matchSecModel=true and
> > matchSecLevel=true
> >
> >
> >
> > ------------
> >
> >
> >
> > Best Regards,
> > Alex.C.P
> > -----------------------------------------
> > Nokia Siemens Network India Pvt Ltd,
> > -----------------------------------------
> > _______________________________________________
> > SNMP4J mailing list
> > SNMP4J at agentpp.org
> > http://lists.agentpp.org/mailman/listinfo/snmp4j
>
> --
> AGENT++
> http://www.agentpp.com
> http://www.snmp4j.com
> http://www.mibexplorer.com
> http://www.mibdesigner.com
>
>
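
The context mismatch resolved in this thread, as an added example that is not part of the original messages and is not SNMP4J code: a plain-Java model of the vacmAccessTable matching rules from RFC 3415, comparing the entry from the first post with the corrected one. The class, record and method names are hypothetical, and the lookup returns the first matching row instead of ranking several matches. The row index in the quoted TestAgent trace ends in 6.112.117.98.108.105.99.2.1, which decodes to contextPrefix "public", securityModel 2, securityLevel 1.

```java
import java.util.List;

// Added illustration (Java 16+): models the vacmAccessTable row match of RFC 3415.
// Not SNMP4J code; all names below are hypothetical.
public class VacmContextMatchDemo {
    static final int MODEL_ANY = 0, MODEL_V2C = 2;  // securityModel values
    static final int NOAUTH_NOPRIV = 1;             // securityLevel value
    enum Match { EXACT, PREFIX }

    record AccessEntry(String group, String contextPrefix, int model, int level,
                       Match match, String notifyView) {
        boolean matches(String group, String context, int model, int level) {
            // EXACT: the request context must equal the stored contextPrefix.
            boolean ctx = (match == Match.EXACT) ? context.equals(contextPrefix)
                                                 : context.startsWith(contextPrefix);
            boolean mdl = this.model == MODEL_ANY || this.model == model;
            boolean lvl = this.level <= level;      // the row's level is a minimum
            return this.group.equals(group) && ctx && mdl && lvl;
        }
    }

    // Notify view of the first matching row, or null when access is denied.
    static String notifyView(List<AccessEntry> table, String group,
                             String context, int model, int level) {
        for (AccessEntry e : table) {
            if (e.matches(group, context, model, level)) return e.notifyView();
        }
        return null;
    }

    public static void main(String[] args) {
        // Row from the first post: contextPrefix "public", exact match.
        List<AccessEntry> original = List.of(new AccessEntry("v1v2cgroup", "public",
                MODEL_V2C, NOAUTH_NOPRIV, Match.EXACT, "fullNotifyView"));
        // Corrected row: empty contextPrefix, any security model.
        List<AccessEntry> corrected = List.of(new AccessEntry("v1v2cgroup", "",
                MODEL_ANY, NOAUTH_NOPRIV, Match.EXACT, "fullNotifyView"));
        // The trap is sent with an empty context, as with new OctetString().
        String ctx = "";
        System.out.println("original row  -> "
                + notifyView(original, "v1v2cgroup", ctx, MODEL_V2C, NOAUTH_NOPRIV));
        System.out.println("corrected row -> "
                + notifyView(corrected, "v1v2cgroup", ctx, MODEL_V2C, NOAUTH_NOPRIV));
    }
}
```

Forcing exactContextMatch to true in the matching code, as in the quoted test, makes every access row match any context, so the correction belongs in the table entry and not in the match logic.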


