[
https://issues.apache.org/jira/browse/NIFI-14231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17924206#comment-17924206
]
Peter Turcsanyi edited comment on NIFI-14231 at 2/5/25 6:29 PM:
----------------------------------------------------------------
[~oplamminen] [~Lehel44] Please note that the SNMP processors in NiFi 2.x do
not support the SHA-1 auth protocol anymore (see NIFI-13966).
This USM Users JSON Content should work in ListenTrapSNMP:
{code:json}
[
  {
    "securityName": "snmpuser",
    "authProtocol": "HMAC192SHA256",
    "authPassphrase": "authsecret",
    "privProtocol": "AES128",
    "privPassphrase": "privsecret"
  }
]
{code}
Also, the client has to use SHA-256 in this case.
[~oplamminen] Could you please test it in your environment?
The other issue, that ListenTrapSNMP with authPriv security level accepts
noAuthNoPriv requests, is more problematic, I think.
> ListenTrapSNMP processor does not respect SNMP v3 security levels
> -----------------------------------------------------------------
>
> Key: NIFI-14231
> URL: https://issues.apache.org/jira/browse/NIFI-14231
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.28.1, 2.2.0
> Reporter: O-P Lamminen
> Assignee: Lehel Boér
> Priority: Major
>
> NiFi *ListenTrapSNMP* processor _(nifi-snmp-nar)_ does not properly handle
> security levels with SNMP v3 traps.
> In NiFi 1.x the processor processes all SNMP v3 traps regardless of security
> level.
> In NiFi 2.x the processor processes only {{noAuthNoPriv}} traps - other
> security levels are not processed.
> NiFi 1.x functionality tested with {{apache/nifi}} container tags:
> {*}1.23.2{*}, *1.28.1*
> NiFi 2.x functionality tested with {{apache/nifi}} container tags:
> {*}2.0.0{*}, *2.2.0*
> h2. To reproduce
> # Add *ListenTrapSNMP* processor _(org.apache.nifi - nifi-snmp-nar)_
> ** Set the following properties
> *** SNMP Manager Port: 16230
> *** SNMP Version: v3
> *** SNMP Security Level: authPriv
> *** USM Users Source: Json Content
> *** USM Users JSON content:
> {code:java}
> [
>   {
>     "securityName": "snmpuser",
>     "authProtocol": "SHA",
>     "authPassphrase": "authsecret",
>     "privProtocol": "AES128",
>     "privPassphrase": "privsecret"
>   }
> ]
> {code}
> # Add *LogAttribute* processor _(org.apache.nifi - nifi-standard-nar)_
> ** Use default properties
> ** Set success relationship to terminate
> # Create Connection from *ListenTrapSNMP* to *LogAttribute* for all
> relationships
> # Start processors
> # Send two SNMP traps from the command line with {{snmptrap}} _(net-snmp)_ using
> these commands
> {code:java}
> snmptrap -v 3 -n "" \
> -e 0x010203040506070809 \
> -l noAuthNoPriv -u snmpuser \
> localhost:16230 '' \
> .1.3.6.1.2.1.192 \
> .1.3.6.1.2.1.192.1.2.1.11 s "noAuthNoPriv"
> snmptrap -v 3 -n "" \
> -e 0x010203040506070809 \
> -l authPriv -u snmpuser \
> -a SHA -A authsecret \
> -x AES -X privsecret \
> localhost:16230 '' \
> .1.3.6.1.2.1.192 \
> .1.3.6.1.2.1.192.1.2.1.11 s "authPriv"
> {code}
> h3. Expected behaviour
> * First trap contents are not logged
> * Second trap contents are logged as FlowFile Properties and show
> {code:java}
> Key: 'snmp$1.3.6.1.2.1.192.1.2.1.11$4'
> Value: 'authPriv'
> {code}
> h3. Actual behaviour in NiFi 1.28.1
> * First trap contents are logged as FlowFile Properties and show
> {code:java}
> Key: 'snmp$1.3.6.1.2.1.192.1.2.1.11$4'
> Value: 'noAuthNoPriv'
> {code}
> * Second trap contents are logged as FlowFile Properties and show
> {code:java}
> Key: 'snmp$1.3.6.1.2.1.192.1.2.1.11$4'
> Value: 'authPriv'
> {code}
> h3. Actual behaviour in NiFi 2.2.0
> * First trap contents are logged as FlowFile Properties and show
> {code:java}
> Key: 'snmp$1.3.6.1.2.1.192.1.2.1.11$4'
> Value: 'noAuthNoPriv'
> {code}
> * Second trap contents are not logged
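
The check the issue expects from the listener, as an added example that is not NiFi or SNMP4J code: it reads the msgFlags octet (RFC 3412) from an SNMPv3 message header and drops anything below the configured security level. Assumptions: the function names and sample bytes are constructed here, the configured level is treated as a minimum, and msgFlags is only the sender's claim, so USM authentication and decryption still have to succeed afterwards.

```python
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}  # weakest to strongest

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def message_security_level(packet):
    """Map the msgFlags octet of an SNMPv3 message to its security level."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or int.from_bytes(version, "big") != 3:
        raise ValueError("not an SNMPv3 message")
    tag, header, _ = read_tlv(body, pos)  # msgGlobalData
    if tag != 0x30:
        raise ValueError("msgGlobalData is not a SEQUENCE")
    pos = 0
    for _ in range(2):  # skip msgID and msgMaxSize
        _, _, pos = read_tlv(header, pos)
    tag, flags, _ = read_tlv(header, pos)
    if tag != 0x04 or len(flags) != 1:
        raise ValueError("malformed msgFlags")
    auth, priv = flags[0] & 0x01, flags[0] & 0x02  # authFlag, privFlag
    if priv and not auth:
        raise ValueError("privFlag set without authFlag")
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"

def accept(packet, required="authPriv"):  # assumption: configured level is a minimum
    try:
        return LEVELS[message_security_level(packet)] >= LEVELS[required]
    except ValueError:  # malformed or non-v3 input is dropped, never passed on
        return False

def sample_message(flags):  # constructed input: v3 header, empty security parameters
    header = bytes([2, 1, 1, 2, 2, 0x05, 0xDC, 4, 1, flags, 2, 1, 3])
    body = b"\x02\x01\x03\x30" + bytes([len(header)]) + header + b"\x04\x00"
    return b"\x30" + bytes([len(body)]) + body
```

With the reproduction settings from the issue (required level authPriv), `accept(sample_message(0x00))` is the first trap and is dropped, while `accept(sample_message(0x03))` is the second and passes on to USM processing.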