[SNMP4J] SnmpV3 Encryption Provider as Configurable parameter
Hi Frank, Yes I have tried the provider with The Provider positions as 1 and it works. Sorry for the wrong message on this. Thanks Jones ___ SNMP4J mailing list SNMP4J@agentpp.org http://lists.agentpp.org/mailman/listinfo/snmp4j
Re: [SNMP4J] SnmpV3 Encryption Provider as Configurable parameter
Hi Peter, The Provider positions are 1-based. You wrote that you used 0 as position. That won't work (-1 is returned). Have you tried it with position 1? Best regards, Frank Am 03.11.2011 22:56, schrieb Frank Fock: Hi Peter, I will try to add the requested configurability. The ticket number is SFJ-52. Best regards, Frank Am 02.11.2011 13:36, schrieb Peter Verthez: Hi Frank, To elaborate on this (because the context wasn't really explained in the original mail of Jones): We found that in performance tests on our product (with a big number of agents) that there was a high thread contention for SNMPv3 managed agents. A jstack showed that a lot of our threads were running in the following stack frame at the moment of the jstack, which indicates that this functionality generates a relatively big load: JM-282 prio=3 tid=0x00013f032800 nid=0x391 runnable [0xfffc89f38000] java.lang.Thread.State: RUNNABLE at sun.security.pkcs11.wrapper.PKCS11.C_DestroyObject(Native Method) at sun.security.pkcs11.SessionKeyRef.dispose(P11Key.java:1070) at sun.security.pkcs11.SessionKeyRef.drainRefQueueBounded(P11Key.java:1046) at sun.security.pkcs11.SessionKeyRef.init(P11Key.java:1061) at sun.security.pkcs11.P11Key.init(P11Key.java:97) at sun.security.pkcs11.P11Key$P11SecretKey.init(P11Key.java:374) at sun.security.pkcs11.P11Key.secretKey(P11Key.java:266) at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:222) at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:131) at sun.security.pkcs11.P11Cipher.engineGetKeySize(P11Cipher.java:828) at javax.crypto.Cipher.b(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) - locked0xfffd81aa1ca8 (a java.lang.Object) at javax.crypto.Cipher.init(DashoA13*..) at javax.crypto.Cipher.init(DashoA13*..) at org.snmp4j.security.PrivDES.encrypt(PrivDES.java:111) at org.snmp4j.security.USM.generateResponseMessage(USM.java:461) at org.snmp4j.security.USM.generateRequestMessage(USM.java:215) at org.snmp4j.mp.MPv3.prepareOutgoingMessage(MPv3.java:767) at org.snmp4j.MessageDispatcherImpl.sendPdu(MessageDispatcherImpl.java:444) at org.snmp4j.Snmp.sendMessage(Snmp.java:1067) at org.snmp4j.Snmp.send(Snmp.java:895) - locked0xfffd81aa2068 (a org.snmp4j.Snmp$SyncResponseListener) at org.snmp4j.Snmp.send(Snmp.java:875) Originally, our performance team pointed in the direction of SNMP4J, saying that SNMP4J should probably not call Cipher.init() so much, but I could show them that section 8.1.1.1 in RFC 2574 requires to init the Cipher for each packet separately. So then we started looking at alternatives, and we found that if we hacked SNMP4J to use the Apache BouncyCastle security provider, the thread contention was gone and our application behaved properly. So presumably the Sun JCE security provider that is used by default by SNMP4J is not very optimally written. Now, we would not like to have to maintain our own patch on SNMP4J, so that is where the question from Jones came from: we tried to change the default security provider that SNMP4J uses without touching SNMP4J's code, but Security.insertProviderAt() apparently doesn't help in that even if we insert the provider at position 0. Could an API be added to permit applications to change the security provider that SNMP4J uses? Best regards, Peter. On 24/10/2011 9:00, jones vinu wrote: Hi Frank, We would want to change the Cipher encryption provider in our application used by snmp4j since the Sun JCE provider is heavy weight . But unfortunately we have not been able to change it without modifying snmp4j since the Sun JCE provider is considered as the default provider even when we insert Apache bouncy castle as the first priority provider. Hence it would be good if we have option to configure the provider as a Configurable parameter in some property file. Security.insertProviderAt(new BouncyCastleProvider(), 0); try { Cipher alg = Cipher.getInstance(DESede/CBC/NoPadding); System.out.println(alg.getProvider()); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (NoSuchPaddingException e) { // TODO Auto-generated catch block e.printStackTrace(); } Output :SunJCE version 1.6 And using it as Cipher alg = Cipher.getInstance(DESede/CBC/NoPadding,BC); Output :BC version 1.4 Thanks Jones ___ SNMP4J mailing list SNMP4J@agentpp.org
Re: [SNMP4J] SnmpV3 Encryption Provider as Configurable parameter
Hi Peter, I will try to add the requested configurability. The ticket number is SFJ-52. Best regards, Frank Am 02.11.2011 13:36, schrieb Peter Verthez: Hi Frank, To elaborate on this (because the context wasn't really explained in the original mail of Jones): We found that in performance tests on our product (with a big number of agents) that there was a high thread contention for SNMPv3 managed agents. A jstack showed that a lot of our threads were running in the following stack frame at the moment of the jstack, which indicates that this functionality generates a relatively big load: JM-282 prio=3 tid=0x00013f032800 nid=0x391 runnable [0xfffc89f38000] java.lang.Thread.State: RUNNABLE at sun.security.pkcs11.wrapper.PKCS11.C_DestroyObject(Native Method) at sun.security.pkcs11.SessionKeyRef.dispose(P11Key.java:1070) at sun.security.pkcs11.SessionKeyRef.drainRefQueueBounded(P11Key.java:1046) at sun.security.pkcs11.SessionKeyRef.init(P11Key.java:1061) at sun.security.pkcs11.P11Key.init(P11Key.java:97) at sun.security.pkcs11.P11Key$P11SecretKey.init(P11Key.java:374) at sun.security.pkcs11.P11Key.secretKey(P11Key.java:266) at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:222) at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:131) at sun.security.pkcs11.P11Cipher.engineGetKeySize(P11Cipher.java:828) at javax.crypto.Cipher.b(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) - locked0xfffd81aa1ca8 (a java.lang.Object) at javax.crypto.Cipher.init(DashoA13*..) at javax.crypto.Cipher.init(DashoA13*..) at org.snmp4j.security.PrivDES.encrypt(PrivDES.java:111) at org.snmp4j.security.USM.generateResponseMessage(USM.java:461) at org.snmp4j.security.USM.generateRequestMessage(USM.java:215) at org.snmp4j.mp.MPv3.prepareOutgoingMessage(MPv3.java:767) at org.snmp4j.MessageDispatcherImpl.sendPdu(MessageDispatcherImpl.java:444) at org.snmp4j.Snmp.sendMessage(Snmp.java:1067) at org.snmp4j.Snmp.send(Snmp.java:895) - locked0xfffd81aa2068 (a org.snmp4j.Snmp$SyncResponseListener) at org.snmp4j.Snmp.send(Snmp.java:875) Originally, our performance team pointed in the direction of SNMP4J, saying that SNMP4J should probably not call Cipher.init() so much, but I could show them that section 8.1.1.1 in RFC 2574 requires to init the Cipher for each packet separately. So then we started looking at alternatives, and we found that if we hacked SNMP4J to use the Apache BouncyCastle security provider, the thread contention was gone and our application behaved properly. So presumably the Sun JCE security provider that is used by default by SNMP4J is not very optimally written. Now, we would not like to have to maintain our own patch on SNMP4J, so that is where the question from Jones came from: we tried to change the default security provider that SNMP4J uses without touching SNMP4J's code, but Security.insertProviderAt() apparently doesn't help in that even if we insert the provider at position 0. Could an API be added to permit applications to change the security provider that SNMP4J uses? Best regards, Peter. On 24/10/2011 9:00, jones vinu wrote: Hi Frank, We would want to change the Cipher encryption provider in our application used by snmp4j since the Sun JCE provider is heavy weight . But unfortunately we have not been able to change it without modifying snmp4j since the Sun JCE provider is considered as the default provider even when we insert Apache bouncy castle as the first priority provider. Hence it would be good if we have option to configure the provider as a Configurable parameter in some property file. Security.insertProviderAt(new BouncyCastleProvider(), 0); try { Cipher alg = Cipher.getInstance(DESede/CBC/NoPadding); System.out.println(alg.getProvider()); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (NoSuchPaddingException e) { // TODO Auto-generated catch block e.printStackTrace(); } Output :SunJCE version 1.6 And using it as Cipher alg = Cipher.getInstance(DESede/CBC/NoPadding,BC); Output :BC version 1.4 Thanks Jones ___ SNMP4J mailing list SNMP4J@agentpp.org http://lists.agentpp.org/mailman/listinfo/snmp4j ___ SNMP4J mailing list SNMP4J@agentpp.org http://lists.agentpp.org/mailman/listinfo/snmp4j
Re: [SNMP4J] SnmpV3 Encryption Provider as Configurable parameter
Hi Frank, To elaborate on this (because the context wasn't really explained in the original mail of Jones): We found that in performance tests on our product (with a big number of agents) that there was a high thread contention for SNMPv3 managed agents. A jstack showed that a lot of our threads were running in the following stack frame at the moment of the jstack, which indicates that this functionality generates a relatively big load: JM-282 prio=3 tid=0x00013f032800 nid=0x391 runnable [0xfffc89f38000] java.lang.Thread.State: RUNNABLE at sun.security.pkcs11.wrapper.PKCS11.C_DestroyObject(Native Method) at sun.security.pkcs11.SessionKeyRef.dispose(P11Key.java:1070) at sun.security.pkcs11.SessionKeyRef.drainRefQueueBounded(P11Key.java:1046) at sun.security.pkcs11.SessionKeyRef.init(P11Key.java:1061) at sun.security.pkcs11.P11Key.init(P11Key.java:97) at sun.security.pkcs11.P11Key$P11SecretKey.init(P11Key.java:374) at sun.security.pkcs11.P11Key.secretKey(P11Key.java:266) at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:222) at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:131) at sun.security.pkcs11.P11Cipher.engineGetKeySize(P11Cipher.java:828) at javax.crypto.Cipher.b(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) - locked 0xfffd81aa1ca8 (a java.lang.Object) at javax.crypto.Cipher.init(DashoA13*..) at javax.crypto.Cipher.init(DashoA13*..) at org.snmp4j.security.PrivDES.encrypt(PrivDES.java:111) at org.snmp4j.security.USM.generateResponseMessage(USM.java:461) at org.snmp4j.security.USM.generateRequestMessage(USM.java:215) at org.snmp4j.mp.MPv3.prepareOutgoingMessage(MPv3.java:767) at org.snmp4j.MessageDispatcherImpl.sendPdu(MessageDispatcherImpl.java:444) at org.snmp4j.Snmp.sendMessage(Snmp.java:1067) at org.snmp4j.Snmp.send(Snmp.java:895) - locked 0xfffd81aa2068 (a org.snmp4j.Snmp$SyncResponseListener) at org.snmp4j.Snmp.send(Snmp.java:875) Originally, our performance team pointed in the direction of SNMP4J, saying that SNMP4J should probably not call Cipher.init() so much, but I could show them that section 8.1.1.1 in RFC 2574 requires to init the Cipher for each packet separately. So then we started looking at alternatives, and we found that if we hacked SNMP4J to use the Apache BouncyCastle security provider, the thread contention was gone and our application behaved properly. So presumably the Sun JCE security provider that is used by default by SNMP4J is not very optimally written. Now, we would not like to have to maintain our own patch on SNMP4J, so that is where the question from Jones came from: we tried to change the default security provider that SNMP4J uses without touching SNMP4J's code, but Security.insertProviderAt() apparently doesn't help in that even if we insert the provider at position 0. Could an API be added to permit applications to change the security provider that SNMP4J uses? Best regards, Peter. On 24/10/2011 9:00, jones vinu wrote: Hi Frank, We would want to change the Cipher encryption provider in our application used by snmp4j since the Sun JCE provider is heavy weight . But unfortunately we have not been able to change it without modifying snmp4j since the Sun JCE provider is considered as the default provider even when we insert Apache bouncy castle as the first priority provider. Hence it would be good if we have option to configure the provider as a Configurable parameter in some property file. Security.insertProviderAt(new BouncyCastleProvider(), 0); try { Cipher alg = Cipher.getInstance(DESede/CBC/NoPadding); System.out.println(alg.getProvider()); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (NoSuchPaddingException e) { // TODO Auto-generated catch block e.printStackTrace(); } Output :SunJCE version 1.6 And using it as Cipher alg = Cipher.getInstance(DESede/CBC/NoPadding,BC); Output :BC version 1.4 Thanks Jones ___ SNMP4J mailing list SNMP4J@agentpp.org http://lists.agentpp.org/mailman/listinfo/snmp4j -- Peter Verthez Systems Engineer Network Mgt. Alcatel-Lucent Bell NV ___ SNMP4J mailing list SNMP4J@agentpp.org http://lists.agentpp.org/mailman/listinfo/snmp4j
[SNMP4J] SnmpV3 Encryption Provider as Configurable parameter
Hi Frank, We would want to change the Cipher encryption provider in our application used by snmp4j since the Sun JCE provider is heavy weight . But unfortunately we have not been able to change it without modifying snmp4j since the Sun JCE provider is considered as the default provider even when we insert Apache bouncy castle as the first priority provider. Hence it would be good if we have option to configure the provider as a Configurable parameter in some property file. Security.insertProviderAt(new BouncyCastleProvider(), 0); try { Cipher alg = Cipher.getInstance(DESede/CBC/NoPadding); System.out.println(alg.getProvider()); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (NoSuchPaddingException e) { // TODO Auto-generated catch block e.printStackTrace(); } Output :SunJCE version 1.6 And using it as Cipher alg = Cipher.getInstance(DESede/CBC/NoPadding,BC); Output :BC version 1.4 Thanks Jones ___ SNMP4J mailing list SNMP4J@agentpp.org http://lists.agentpp.org/mailman/listinfo/snmp4j