Re: [SNMP4J] Consecutive SNMPv3 GET Requests using same User
Hi Ulrich, If you need highest security, then use localised users only. With non-localised users, you can use a single user entry for several SNMP entities. To be able to do so, the agent must know the passphrase which is stored unencrypted in the local persistent storage. With localised users, you will not have this security drawback. The stored key, is only usable with a target it has been localised for. No passphrase is stored persistently (only the localised key). SNMP4J offers both approaches, users have to choose which one best fits to their requirements. You can mix both approaches too, but that would require more additional management overhead, because localised instances of a generic user need to be explicitly deleted if the generic user is updated. Best regards, Frank > On 7. Aug 2018, at 14:30, ulrich berl wrote: > > Take the following: > > A SnmpManager application creates one (global) instance of class > org.snmp4j.Snmp after startup. > > SnmpManager application will do consecutive SNMPv3 GET Requests (sysDescr) > with user MD5 using global snmp instance. > The authPassphrase for user MD5 is changeable between GET Requests. > > > If i do an snmp.getUSM().addUser(...) in the getRequest(...): > > [OK] Request 1 - CorrectAuthPassphrase -> sysDescr returned > --- change authPassphrase in SnmpManager application > [NOK] Request 2 - WrongAuthPassphrase -> sysDescr returned <-- should be an > authentication failure > > > If i do an snmp.getUSM().addLocalizedUser(...) in the getRequest(...): > > [OK] Request 1 - CorrectAuthPassphrase -> sysDescr returned > --- change authPassphrase in SnmpManager application > [OK] Request 2 - WrongAuthPassphrase -> error > > So for such an application i should always use localized users > (https://oosnmp.net/confluence/pages/viewpage.action?pageId=1441800) or > clearing the user table before next request ? > What about the snmp.getUSM().addUser(...) method - when to use this method ? > > br, Ulrich > > > ___ > SNMP4J mailing list > SNMP4J@agentpp.org > https://oosnmp.net/mailman/listinfo/snmp4j ___ SNMP4J mailing list SNMP4J@agentpp.org https://oosnmp.net/mailman/listinfo/snmp4j
[SNMP4J] Consecutive SNMPv3 GET Requests using same User
Take the following: A SnmpManager application creates one (global) instance of class org.snmp4j.Snmp after startup. SnmpManager application will do consecutive SNMPv3 GET Requests (sysDescr) with user MD5 using global snmp instance. The authPassphrase for user MD5 is changeable between GET Requests. If i do an snmp.getUSM().addUser(...) in the getRequest(...): [OK] Request 1 - CorrectAuthPassphrase -> sysDescr returned --- change authPassphrase in SnmpManager application [NOK] Request 2 - WrongAuthPassphrase -> sysDescr returned <-- should be an authentication failure If i do an snmp.getUSM().addLocalizedUser(...) in the getRequest(...): [OK] Request 1 - CorrectAuthPassphrase -> sysDescr returned --- change authPassphrase in SnmpManager application [OK] Request 2 - WrongAuthPassphrase -> error So for such an application i should always use localized users (https://oosnmp.net/confluence/pages/viewpage.action?pageId=1441800) or clearing the user table before next request ? What about the snmp.getUSM().addUser(...) method - when to use this method ? br, Ulrich ___ SNMP4J mailing list SNMP4J@agentpp.org https://oosnmp.net/mailman/listinfo/snmp4j
Re: [SNMP4J] Unit Test SNMP v3 Agent with TestSnmpManager
Hi Frank! As i use one instance of a TestSnmpManager in my unit test now i use 'Key Localization' AND 'USM Separation' because following series of unit test will fail (WrongDigest): Unit Test 1 - TEST V3 GET SysDescr for USER 'MD5' WITH WRONG AuthPassPhrase Unit Test 2 - TEST V3 GET SysDescr for USER 'MD5' WITH CORRECT AuthPassPhrase or without 'Key Localization' i have to call snmp.getUSM().removeAllUsers(securityName) before adding same use again (snmp.getUSM().addUser) br, Ulrich ___ SNMP4J mailing list SNMP4J@agentpp.org https://oosnmp.net/mailman/listinfo/snmp4j
Re: [SNMP4J] Unit Test SNMP v3 Agent with TestSnmpManager
Hi Frank! I think i have to use the USM Separation case from https://oosnmp.net/confluence/pages/viewpage.action?pageId=1441800 - correct ? Seems to work.. br, Ulrich ___ SNMP4J mailing list SNMP4J@agentpp.org https://oosnmp.net/mailman/listinfo/snmp4j
Re: [SNMP4J] Unit Test SNMP v3 Agent with TestSnmpManager
Hi Frank! For the TestSnmpManager i tried the Key Localization as described in https://oosnmp.net/confluence/pages/viewpage.action?pageId=1441800. But same result as before: using a wrong auth password results in a successful snmp request. This is the block from get request in the TestSnmpManager: SecurityProtocols secProtocols = SecurityProtocols.getInstance(); Target t = getTarget(); byte[] engineID = snmp.discoverAuthoritativeEngineID(t.getAddress(), t.getTimeout()); OctetString authKey = new OctetString(authPassphrase); byte[] bytesAuthKey = secProtocols.passwordToKey(authProtocol, authKey, engineID); OctetString privKey = new OctetString(privPassphrase); byte[] bytesPrivKey = secProtocols.passwordToKey(privProtocol, authProtocol, privKey, engineID); snmp.getUSM().addLocalizedUser(engineID, securityName, authProtocol, bytesAuthKey, privProtocol, bytesPrivKey); Maybe I'll do something wrong ... br, Ulrich ___ SNMP4J mailing list SNMP4J@agentpp.org https://oosnmp.net/mailman/listinfo/snmp4j
