RE: Problem with SNMPv3 traps with authentication

2021-04-08 Thread Michał Tarczyński
I have found that there is a problem with msgAuthoritativeEngineBoot and
msgAuthoritativeEngineTime parameters.

The LogFactory was very helpful.

Thanks all for help,

Michael

___
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users


RE: Problem with SNMPv3 traps with authentication

2021-03-31 Thread Atkins, Brian
But with noAuthNoPriv, the encoded passphrases aren’t being sent, and the 
receiver is not trying to decode them.  When an authPriv trap is received, the 
trap receiver uses the authoritative engine ID to decode the passphrases and 
ensure they match the preconfigured USM user’s passphrases, which must have 
been encoded using the trap sender’s engine ID (which is authoritative).  
Perhaps snmp4j in your receiver is using its own generated engine ID by 
default, so you may need to ensure the creation of the USM users on the trap 
receiver actually used the engine ID of the trap sender (and the correct 
passphrases, of course).

I would also look into whether snmp4j has diagnostic/debug logging that can be 
enabled while you’re developing.  That might reveal where the problem lies.

Brian
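
Added example, not part of the thread and not snmp4j or Net-SNMP code: the RFC 3414 key localization that the message above refers to, showing why a receiver whose USM user is bound to the wrong engine ID rejects an authenticated trap. The engine IDs, passphrase and message bytes are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def password_to_key(passphrase: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated out to 1 MiB -> user key Ku."""
    reps, rem = divmod(1048576, len(passphrase))
    return hashlib.new(algo, passphrase * reps + passphrase[:rem]).digest()

def localize_key(passphrase: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key is bound to one engine ID."""
    ku = password_to_key(passphrase, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_params(kul: bytes, whole_msg: bytes, algo: str = "sha1",
                mac_len: int = 12) -> bytes:
    """HMAC over the message (auth field zeroed), truncated as in HMAC-SHA-96."""
    return hmac.new(kul, whole_msg, algo).digest()[:mac_len]

def receiver_accepts(usm_engine_id: bytes, passphrase: bytes,
                     whole_msg: bytes, received_mac: bytes) -> bool:
    """Receiver side: localize with the engine ID stored for the USM user."""
    kul = localize_key(passphrase, usm_engine_id)
    return hmac.compare_digest(auth_params(kul, whole_msg), received_mac)

# Constructed sample values (assumptions, not taken from the thread).
SENDER_ENGINE_ID = bytes.fromhex("80001f8880aabbccdd01020304")
RECEIVER_ENGINE_ID = bytes.fromhex("80001370017f000001a1b2")
PASSPHRASE = b"constructed-auth-passphrase"
TRAP_BYTES = b"constructed stand-in for the serialized SNMPv3 trap"

def demo() -> tuple:
    # The trap sender is authoritative, so it signs with a key localized
    # to its own engine ID.
    mac = auth_params(localize_key(PASSPHRASE, SENDER_ENGINE_ID), TRAP_BYTES)
    # Same user and passphrase on the receiver; only the engine ID differs.
    bound_to_sender = receiver_accepts(SENDER_ENGINE_ID, PASSPHRASE,
                                       TRAP_BYTES, mac)
    bound_to_receiver = receiver_accepts(RECEIVER_ENGINE_ID, PASSPHRASE,
                                         TRAP_BYTES, mac)
    return bound_to_sender, bound_to_receiver

if __name__ == "__main__":
    print(demo())
```

With noAuthNoPriv no localized key is involved, so this check never runs and a wrongly bound USM user goes unnoticed.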



RE: Problem with SNMPv3 traps with authentication

2021-03-31 Thread Michał Tarczyński
Hi Brian,

The engine ID is set in the USM on Java application and in the Wireshark it 
looks like it is correct and the snmptrapd daemon receives authPriv traps (with 
defined engine ID) from Java app correctly.

I will try to use snmp4j logging to detect the error.

Best regards,

Michael

 



RE: Problem with SNMPv3 traps with authentication

2021-03-31 Thread Michał Tarczyński
Hi Frank,

I think it’s not a problem with engine ID because when the noAuthNoPriv SNMPv3 
trap is sent then the engine ID is also used and when I set incorrect engine ID 
then the noAuthNoPriv trap is not received.

I have to use trap messages in my project, not INFORM messages.

Best regards,

Michael

 



Re: Problem with SNMPv3 traps with authentication

2021-03-30 Thread Frank Fock
Hi Michael,

I guess you need to check your SNMPv3 engine ID configuration (i.e. use unique 
SNMPv3 engine IDs for all SNMPv3 entities) when you test using SNMP4J only.
In addition, when using the NET-SNMP snmptrap or any other notification sender 
with the SNMP4J trap listener or any other notification receiver, you need to 
add the USM auth(No)Priv user with the engine ID of the snmptrap entity to the 
USM of the SNMP4J notification receiver.

This is required, because for SNMPv3 traps/notifications, the notification 
sender is authoritative.

Hope this helps.

Best regards,
Frank


> On 30. Mar 2021, at 11:03, Michał Tarczyński 
>  wrote:
> 
> Hello,
> 
> I have a problem with receiving SNMPv3 authPriv traps on my own Java trap 
> receiver.
> When using snmptrap command on the Linux terminal with authPriv option then 
> the trap is never received on my Java trap receiver regardless of which 
> authentication is used: MD5, SHA or SHA-256. Only if there is noAuthNoPriv 
> used then the trap is received.
> In my Java trap receiver the snmp4j library is used. An important note is 
> that my Java traps receiver receives authPriv trap, regardless of which 
> authentication is used, only when the trap is sent from my own Java trap 
> sender with snmp4j (for all authentication protocol). Also snmptrapd daemon 
> receives authPriv trap which are sent from own Java application with snmp4j.
> 
> I’m using Net-SNMP 5.9 on Linux Mint and „snmp4j-2.7.0”.
> 
> Could someone help me in receiving the authPriv traps on Java application 
> with snmp4j?
> 
> Best regards,
> Michael
> 


Re: Problem with SNMPv3 traps with authentication

2021-03-30 Thread Wes Hardaker via Net-snmp-users
Michał Tarczyński  writes:

> I have a problem with receiving SNMPv3 authPriv traps on my own Java
> trap receiver.

So I don't *know* what your particular problem might be; but I can
recommend a few things to look at:

1) try INFORMs instead of TRAPs and see if you get more interesting
results.

2) Make sure you understand SNMPv3 traps with respect to the
authoritative engineID to be used -- see the
http://www.net-snmp.org/wiki/index.php/TUT:snmptrap_SNMPv3 web page for
some long but very important details on the subject.
-- 
Wes Hardaker
USC/ISI




Problem with SNMPv3 traps with authentication

2021-03-30 Thread Michał Tarczyński
Hello,

I have a problem with receiving SNMPv3 authPriv traps on my own Java trap
receiver.

When using snmptrap command on the Linux terminal with authPriv option then
the trap is never received on my Java trap receiver regardless of which
authentication is used: MD5, SHA or SHA-256. Only if there is noAuthNoPriv
used then the trap is received.

In my Java trap receiver the snmp4j library is used. An important note is
that my Java traps receiver receives authPriv trap, regardless of which
authentication is used, only when the trap is sent from my own Java trap
sender with snmp4j (for all authentication protocol). Also snmptrapd daemon
receives authPriv trap which are sent from own Java application with snmp4j.

I'm using Net-SNMP 5.9 on Linux Mint and "snmp4j-2.7.0".

Could someone help me in receiving the authPriv traps on Java application
with snmp4j?

Best regards,

Michael

 
