[SNMP4J] Using TLS for SNMPv3

Nick Chang nick.chang at serimaconsulting.com
Tue Nov 14 04:07:57 CET 2017


Hi Frank,

Thanks for your reply. I did use “System.setProperty("javax.net.debug", "all");” to view the handshake traffic between the device and the client. I found out that I need to add the following lines to get it working with Java 1.8, since it supports TLSv1.2 by default:

            String[] tlsProtocols = new String[]{"TLSv1.2"};
            ((TLSTM) transport).setTlsProtocols(tlsProtocols);

I am currently stuck at the *** ServerHello, TLSv1.2 step; the error is
“sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”

I think that it might have something to do with an incorrect setup of the keystore and truststore that I have, but I have not been able to figure out exactly how I should construct them to get past this error.

Here are the certificates and keys that I have:
• CACert
• DeviceCert: whose alias is “device”
• ClientCert: whose alias is “client”
• DeviceKey: private key of the device
• ClientKey: private key of the client
With these I can connect to the device using the following command:
openssl s_client -connect <Device’s IPv6 Addr>:<port no> -tls1_2 -cert ClientCert -CAfile CACert -key ClientKey

The keystore is created by adding ClientCert, CACert and ClientKey together.

Then I imported the CACert and DeviceCert into Java’s default truststore in JAVA_HOME/lib/security/cacerts

And in the client code, I have

CertifiedTarget ct = new CertifiedTarget(new OctetString("device"));

and 

securityCallback.addLocalCertMapping(ct.getAddress(), "client");

Any pointer on what the keystore and truststore should contain, and on the correct way to construct CertifiedTarget and use securityCallback.addLocalCertMapping(), is greatly appreciated.

Thanks very much,

Nick

On 11/13/17, 6:34 PM, "Frank Fock" <fock at agentpp.com> wrote:

    Hi Nick,
    
    Have you enabled debug logging? This should give more detailed information about the TLS handshake.
    
    Best regards,
    Frank
    
    
    > On 11. Nov 2017, at 17:14, Nick Chang <nick.chang at serimaconsulting.com> wrote:
    > 
    > Hi Frank,
    > 
    > I am using snmp4j to build a client with functionality similar to that of net-snmp’s snmpget. The device is using IPv6 and is configured with TLS.
    > I followed the instructions given on this page carefully, https://oosnmp.net/confluence/pages/viewpage.action?pageId=3834144, but the response from the device always comes back as null.
    > Do you have any suggestion how I should troubleshoot this further? I am using JDK 1.8 and snmp4j v2.5.6.
    > 
    > Thanks,
    > 
    > Nick
    > 
    > 
    > _______________________________________________
    > SNMP4J mailing list
    > SNMP4J at agentpp.org
    > https://oosnmp.net/mailman/listinfo/snmp4j
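The “PKIX path building failed” error above is raised by the JDK's trust manager when it cannot chain the certificate the device presents in ServerHello back to an anchor in the trust store the JVM is actually consulting. The following stand-alone diagnostic (an added example, not code from the thread, SNMP4J or the JDK documentation) reproduces that check outside the SNMP client using only JDK APIs: it loads the trust store the same way the default TrustManagerFactory does (the javax.net.ssl.trustStore property if set, otherwise JAVA_HOME/lib/security/cacerts), lists the anchors it contains, and runs PKIX validation over the device's chain. The file name device-chain.pem is a placeholder; it is assumed to hold the device certificate first, followed by any intermediates, as the device sends them.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/*
 * Added diagnostic (not part of SNMP4J): validates the certificate chain a
 * device presents against the trust store the JVM will actually consult.
 * Usage: java TrustStoreCheck device-chain.pem [truststore] [password]
 * File names are placeholders; the PEM file is assumed to list the device
 * certificate first, then any intermediates, in handshake order.
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: TrustStoreCheck device-chain.pem [truststore] [password]");
            System.exit(2);
        }
        // Same lookup order as the JDK's default trust manager: the
        // javax.net.ssl.trustStore property if set, otherwise cacerts.
        String tsPath = args.length > 1 ? args[1]
                : System.getProperty("javax.net.ssl.trustStore",
                        System.getProperty("java.home") + "/lib/security/cacerts");
        String tsPass = args.length > 2 ? args[2]
                : System.getProperty("javax.net.ssl.trustStorePassword", "changeit");

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(tsPath)) {
            ts.load(in, tsPass.toCharArray());
        }

        // List the trust anchors so a missing or mis-imported CA is obvious.
        System.out.println("trust store: " + tsPath);
        List<X509Certificate> anchors = new ArrayList<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                anchors.add(c);
                System.out.println("  anchor " + alias + ": " + c.getSubjectX500Principal());
            }
        }

        // Load the device's chain leaf-first, as a CertPath expects it.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (FileInputStream in = new FileInputStream(args[0])) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        if (chain.isEmpty()) {
            System.err.println("no certificates found in " + args[0]);
            System.exit(2);
        }
        X509Certificate leaf = (X509Certificate) chain.get(0);
        System.out.println("device subject: " + leaf.getSubjectX500Principal());
        System.out.println("device issuer:  " + leaf.getIssuerX500Principal());

        // JSSE accepts an end-entity certificate that is itself a trust anchor
        // without building a path, so report that case separately.
        if (anchors.contains(leaf)) {
            System.out.println("OK: the device certificate itself is a trust anchor");
            return;
        }

        // Otherwise run the same PKIX validation the TLS client performs on ServerHello.
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false); // no CRL/OCSP reachable for a lab device
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK: device chain validates against this trust store");
        } catch (CertPathValidatorException ex) {
            System.out.println("FAILED: " + ex.getMessage() + " [" + ex.getReason() + "]");
            System.exit(1);
        }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword values the SNMP client is started with. Two things this makes visible: a trust store given through javax.net.ssl.trustStore replaces cacerts rather than supplementing it, so certificates imported into JAVA_HOME/lib/security/cacerts are not consulted at all when that property points elsewhere; and the issuer printed for the device certificate must match the subject of one of the listed anchors (the CACert from the openssl command), otherwise the PKIX validator has nothing to build the path to.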
    
    


