[SNMP4J] SNMP v3 USM issue

Robert Pierce rpierce at actionpacked.com
Tue Sep 20 05:12:33 CEST 2011


Hi,
Thanks guys for your help. So I tried getting the authorization ID via the
snmp class, that seemed to help for the most part. However, I'm seeing
something strange on a pair of devices. If I execute the code below, on the
first request the data comes back ok but on all subsequent requests one of
the devices will always return null. If I run the same code with only one
device, be it either one, everything works ok. I also tried rediscovering
the AuthoritativeEngineID on every request but I did not re-add the user. For
whatever reason that seemed to solve the issue. However, it doesn't seem
right that I would have to rediscover on each request? Is there another
setting I'm missing? Has anyone else experienced a similar issue?
Thanks,
Robert

Sample Code:

   Snmp snmp = new Snmp(transport);

    USM usm = new USM(SecurityProtocols.getInstance(),
                     new OctetString(MPv3.createLocalEngineID()), 0);
    SecurityModels.getInstance().addSecurityModel(usm);
    snmp.listen();

    List<String> ipAddresses = new ArrayList<String>();
    ipAddresses.add("192.168.1.13");
    ipAddresses.add("192.168.1.197");


    List<UserTarget> target = new ArrayList<UserTarget>();
    for (String ipAddress : ipAddresses) {
      UserTarget userTarget = new UserTarget();
      userTarget.setAddress(GenericAddress.parse("udp:"+ipAddress+"/161"));
      userTarget.setSecurityName(new OctetString("authPrivMd5Aes"));
      userTarget.setVersion(SnmpConstants.version3);
      userTarget.setSecurityLevel(SecurityLevel.AUTH_PRIV);
      userTarget.setTimeout(10000);
      userTarget.setRetries(0);

      target.add(userTarget);
    }


   UsmUser user1 = new UsmUser(new OctetString("authPrivMd5Aes"),
            AuthMD5.ID,
            new OctetString("qazxswed"),
            PrivAES128.ID,
            new OctetString("qazxswed"));

    UsmUser user2 = new UsmUser(new OctetString("authPrivMd5Aes"),
            AuthMD5.ID,
            new OctetString("qazxswed"),
            PrivAES128.ID,
            new OctetString("qazxswed"));

    byte[] authEngineId0 = snmp.discoverAuthoritativeEngineID(target.get(0).getAddress(), 5000);
    byte[] authEngineId1 = snmp.discoverAuthoritativeEngineID(target.get(1).getAddress(), 5000);
    // Print the engine IDs as hex; printing a byte[] directly only shows its object reference.
    System.out.println(new OctetString(authEngineId0).toHexString());
    System.out.println(new OctetString(authEngineId1).toHexString());

    snmp.getUSM().addUser(new OctetString("authPrivMd5Aes"), new OctetString(authEngineId0), user1);
    snmp.getUSM().addUser(new OctetString("authPrivMd5Aes"), new OctetString(authEngineId1), user2);

      for (int j = 0; j < 1000; j++) {
          for (int i = 0; i < ipAddresses.size(); i++) {

               // If I rediscover again, the requests work fine, but if I don't, one of the devices always returns null after the first request
               //snmp.discoverAuthoritativeEngineID(target.get(i).getAddress(), 5000);

              PDU pdu = new ScopedPDU();
              pdu.setNonRepeaters(1);
              pdu.setType(PDU.GETBULK);
              pdu.add(new VariableBinding(sysUpTime.getOid()));

              // One device always returns null. However, if run independently, both devices work ok.
              ResponseEvent event = snmp.getBulk(pdu, target.get(i));
              if (event != null) {
                if (event.getResponse() != null) {
                  System.out.println(event.getResponse() + " " + event.getResponse().getErrorStatusText());
                }
                else {
                  System.out.println("event.getResponse() is null " + event.getError());
                }
              }
              else {
                System.out.println("event is null");
              }

          }
          try {
              Thread.sleep(5000);
          } catch (InterruptedException ex) {

              java.util.logging.Logger.getLogger(TestPoller4j2.class.getName()).log(Level.SEVERE, null, ex);
          }

      }

    System.exit(0);
  }



On Mon, Sep 19, 2011 at 9:26 AM, Frank Fock <fock at agentpp.com> wrote:

> Hi,
>
> Of course, you can have two users with different passphrases
> but same security name for different targets.
> As you correctly assumed, you must then use the addUser
> methods and provide the authoritative engine ID of
> the respective target.
>
> I guess here is the cause of the error, because you
> called UserTarget.getAuthoritativeEngineID().
> That method returns an empty engine ID by default.
> To discover the engine ID of a target, you would have
> to use Snmp.discoverAuthoritativeEngineID(..).
>
> Best regards,
> Frank
>
> On 19.09.2011 12:33, Robert Pierce wrote:
> > Hi,
> > I'm encountering an issue with V3 and the USM. I'm trying to request
> > information from two different devices via snmpv3 but they have the same
> > user name but different passwords.
> >
> > When I try the following approach, one returns the values ok but the other
> > device returns an authentication error.
> >
> >     UsmUser user1 = new UsmUser(new OctetString("authPrivMd5Des"),
> >              AuthMD5.ID,
> >              new OctetString("qazwsxed"),
> >              PrivDES.ID,
> >              new OctetString("qazwsxed"));
> >
> >      UsmUser user2 = new UsmUser(new OctetString("authPrivMd5Des"),
> >              AuthMD5.ID,
> >              new OctetString("dewsxzaq"),
> >              PrivDES.ID,
> >              new OctetString("dewsxzaq"));
> >
> >      snmp.getUSM().addUser(new OctetString("authPrivMd5Des"),user1);
> >      snmp.getUSM().addUser(new OctetString("authPrivMd5Des"),user2);
> >     ......
> >     event = snmp.getBulk(pdu, target1);
> >     event = snmp.getBulk(pdu, target2);
> >
> >
> > I also tried setting the engine ID but that resulted in the same thing, one
> > was ok but the other had an authentication error.
> >
> >      byte[] authEngineId1 = target1.getAuthoritativeEngineID();
> >      byte[] authEngineId2 = target2.getAuthoritativeEngineID();
> >
> >      snmp.getUSM().addUser(new OctetString("authPrivMd5Des"), new OctetString(authEngineId1),user1);
> >      snmp.getUSM().addUser(new OctetString("authPrivMd5Des"), new OctetString(authEngineId2),user2);
> >
> >
> > Am I doing something wrong or is this a limitation of the api?
> >
> > Also is there an easy way to check if the response is an error and not valid
> > data. For example, the following response is returning an authentication
> > failure.
> > REPORT[reqestID=2147483647, errorStatus=0, errorIndex=0,
> > VBS[1.3.6.1.6.3.15.1.1.5.0 = 31]]
> > Should I be checking the returned oid with what I requested? Is there a
> > utility that maps the oid to the appropriate error type?
> >
> >
> > Thank you in advance.
> >
> > Robert
> > _______________________________________________
> > SNMP4J mailing list
> > SNMP4J at agentpp.org
> > http://lists.agentpp.org/mailman/listinfo/snmp4j
>
>
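
Added example (not part of the thread and not SNMP4J's own code), addressing the question in the quoted first message about telling a REPORT apart from valid data: a helper that maps the USM statistics OIDs defined in RFC 3414 to their names. The class and method names are hypothetical, and the sample PDU is constructed to mirror the REPORT quoted above.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.snmp4j.PDU;
import org.snmp4j.ScopedPDU;
import org.snmp4j.smi.Counter32;
import org.snmp4j.smi.OID;
import org.snmp4j.smi.VariableBinding;

public class UsmReportCheck {  // hypothetical class name
    // usmStats counters from RFC 3414 (SNMP-USER-BASED-SM-MIB), keyed by instance OID.
    private static final Map<OID, String> USM_STATS = new LinkedHashMap<OID, String>();
    static {
        USM_STATS.put(new OID("1.3.6.1.6.3.15.1.1.1.0"), "usmStatsUnsupportedSecLevels");
        USM_STATS.put(new OID("1.3.6.1.6.3.15.1.1.2.0"), "usmStatsNotInTimeWindows");
        USM_STATS.put(new OID("1.3.6.1.6.3.15.1.1.3.0"), "usmStatsUnknownUserNames");
        USM_STATS.put(new OID("1.3.6.1.6.3.15.1.1.4.0"), "usmStatsUnknownEngineIDs");
        USM_STATS.put(new OID("1.3.6.1.6.3.15.1.1.5.0"), "usmStatsWrongDigests");
        USM_STATS.put(new OID("1.3.6.1.6.3.15.1.1.6.0"), "usmStatsDecryptionErrors");
    }

    /** Returns null for a usable response, otherwise a short reason string. */
    static String describeFailure(PDU response) {
        if (response == null) {
            return "no response (timeout or dropped)";
        }
        if (response.getType() == PDU.REPORT) {
            // A REPORT carries the incremented counter, not the requested data.
            for (int i = 0; i < response.size(); i++) {
                VariableBinding vb = response.get(i);
                String name = USM_STATS.get(vb.getOid());
                if (name != null) {
                    return "REPORT " + name + " = " + vb.getVariable();
                }
            }
            return "REPORT with unrecognized counter: " + response;
        }
        if (response.getErrorStatus() != PDU.noError) {
            return "error-status " + response.getErrorStatusText();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed PDU mirroring the REPORT quoted in the thread.
        PDU report = new ScopedPDU();
        report.setType(PDU.REPORT);
        report.add(new VariableBinding(new OID("1.3.6.1.6.3.15.1.1.5.0"), new Counter32(31)));
        System.out.println(describeFailure(report));
    }
}
```

Per RFC 3414, usmStatsUnknownEngineIDs and usmStatsNotInTimeWindows are also sent during normal engine ID discovery and time synchronization, whereas usmStatsWrongDigests, the counter in the quoted REPORT, means the authentication digest did not verify, which typically points to a key or passphrase mismatch for that engine ID.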


