[SNMP4J] SnmpV3 Encryption Provider as Configurable parameter

Peter Verthez Peter.Verthez at alcatel-lucent.com
Wed Nov 2 13:36:34 CET 2011 

Hi Frank,

To elaborate on this (because the context wasn't really explained in the 
original mail of Jones):

We found that in performance tests on our product (with a big number of 
agents) that there was a high thread contention for SNMPv3 managed 
agents.   A jstack showed that a lot of our threads were running in the 
following stack frame at the moment of the jstack, which indicates that 
this functionality generates a relatively big load:

"JM-282" prio=3 tid=0x000000013f032800 nid=0x391 runnable 
[0xfffffffc89f38000]
    java.lang.Thread.State: RUNNABLE
     at sun.security.pkcs11.wrapper.PKCS11.C_DestroyObject(Native Method)
     at sun.security.pkcs11.SessionKeyRef.dispose(P11Key.java:1070)
     at 
sun.security.pkcs11.SessionKeyRef.drainRefQueueBounded(P11Key.java:1046)
     at sun.security.pkcs11.SessionKeyRef.<init>(P11Key.java:1061)
     at sun.security.pkcs11.P11Key.<init>(P11Key.java:97)
     at sun.security.pkcs11.P11Key$P11SecretKey.<init>(P11Key.java:374)
     at sun.security.pkcs11.P11Key.secretKey(P11Key.java:266)
     at 
sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:222)
     at 
sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:131)
     at sun.security.pkcs11.P11Cipher.engineGetKeySize(P11Cipher.java:828)
     at javax.crypto.Cipher.b(DashoA13*..)
     at javax.crypto.Cipher.a(DashoA13*..)
     at javax.crypto.Cipher.a(DashoA13*..)
     at javax.crypto.Cipher.a(DashoA13*..)
     - locked <0xfffffffd81aa1ca8> (a java.lang.Object)
     at javax.crypto.Cipher.init(DashoA13*..)
     at javax.crypto.Cipher.init(DashoA13*..)
     at org.snmp4j.security.PrivDES.encrypt(PrivDES.java:111)
     at org.snmp4j.security.USM.generateResponseMessage(USM.java:461)
     at org.snmp4j.security.USM.generateRequestMessage(USM.java:215)
     at org.snmp4j.mp.MPv3.prepareOutgoingMessage(MPv3.java:767)
     at 
org.snmp4j.MessageDispatcherImpl.sendPdu(MessageDispatcherImpl.java:444)
     at org.snmp4j.Snmp.sendMessage(Snmp.java:1067)
     at org.snmp4j.Snmp.send(Snmp.java:895)
     - locked <0xfffffffd81aa2068> (a org.snmp4j.Snmp$SyncResponseListener)
     at org.snmp4j.Snmp.send(Snmp.java:875)

Originally, our performance team pointed in the direction of SNMP4J, 
saying that SNMP4J should probably not call Cipher.init() so much, but I 
could show them that section 8.1.1.1 in RFC 2574 requires to init the 
Cipher for each packet separately.

So then we started looking at alternatives, and we found that if we 
hacked SNMP4J to use the Apache BouncyCastle security provider, the 
thread contention was gone and our application behaved properly.   So 
presumably the Sun JCE security provider that is used by default by 
SNMP4J is not very optimally written.

Now, we would not like to have to maintain our own patch on SNMP4J, so 
that is where the question from Jones came from: we tried to change the 
default security provider that SNMP4J uses without touching SNMP4J's 
code, but Security.insertProviderAt() apparently doesn't help in that 
even if we insert the provider at position 0.

Could an API be added to permit applications to change the security 
provider that SNMP4J uses?

Best regards,
Peter.


On 24/10/2011 9:00, jones vinu wrote:
> Hi Frank,
>               We would want to change the Cipher encryption provider in our application used by snmp4j since the Sun JCE provider is heavy weight . But unfortunately we have not been able to change it without modifying snmp4j since the Sun JCE provider is considered as the default provider even when we  insert Apache bouncy castle as the first priority provider. Hence it would be good if we have option to configure the provider as a Configurable parameter in some property file.
>
> Security.insertProviderAt(new BouncyCastleProvider(), 0);
>          try {
>              Cipher alg = Cipher.getInstance("DESede/CBC/NoPadding");
>              System.out.println(alg.getProvider());
>          } catch (NoSuchAlgorithmException e) {
>              // TODO Auto-generated catch block
>              e.printStackTrace();
>          } catch (NoSuchPaddingException e) {
>              // TODO Auto-generated catch block
>              e.printStackTrace();
>          }
> Output :SunJCE version 1.6
>
> And using it as
>   Cipher alg = Cipher.getInstance("DESede/CBC/NoPadding","BC");
> Output :BC version 1.4
>
> Thanks
> Jones
>
> _______________________________________________
> SNMP4J mailing list
> SNMP4J at agentpp.org
> http://lists.agentpp.org/mailman/listinfo/snmp4j


-- 
Peter Verthez
Systems Engineer Network Mgt.
Alcatel-Lucent Bell NV

More information about the SNMP4J mailing list