By default, a Java DMK 5.1 manager handles requests that are authenticated, but not encrypted. To activate encryption, you need to set certain parameters when you instantiate the SNMP session. As shown in Example 19-7, these parameters are passed to the engine using the SnmpEngineParameters class, as follows:
The SyncManagerEncryptV3 manager application then continues with the generation of a USM peer, defining the context and setting trap listeners in the same way as any other manager. Note, however, that in this manager the security level is set to authPriv. As well as the manager itself, you must also configure the security file associated with that manager. Example 19-8 shows the security file associated with SyncManagerEncryptV3.

Example 19-8 Manager jdmkencrypt.security File
As was the case for the AgentEncryptV3 agent, you can see that this file specifies the DES privacy protocol.
$ mibgen -d . mib_II.txt
$ javac -classpath classpath -d . *.java
Start the AgentEncryptV3 agent, passing it its associated security file, jdmkencrypt.security.
$ java -classpath classpath -Djdmk.security.file=jdmkencrypt.security AgentEncryptV3
Press Enter to start sending traps.
In another window, if you have not already done so, build and compile the SyncManagerEncryptV3 example in examplesDir/current/Snmp/Manager.
Type the following commands:
$ mibgen -mo -d . mib_II.txt
$ javac -classpath classpath -d . *.java
Start the SyncManagerEncryptV3 manager, passing it its associated security file, jdmkencrypt.security, and specifying the host name and port number of the agent it is to communicate with.
$ java -classpath classpath -Djdmk.security.file=jdmkencrypt.security SyncManagerEncryptV3 localhost 8085
You should see the manager start to receive encrypted traps from the agent.
SyncManagerEncryptV3::main: Send get request to SNMP agent on localhost at port 8085
Result:
[Object ID : 1.3.6.1.2.1.1.1.0  (Syntax : String)
Value : SunOS sparc 5.8]

>> Press Enter if you want to stop this SNMP manager.

NOTE: TrapListenerImpl received trap V3:
    ContextEngineId : 0x8000002a05819dcb6e00001f95
    ContextName : TEST-CONTEXT
    VarBind list :
        oid : 1.3.6.1.2.1.1.3.0 val : 0:0:40
        oid : 1.3.6.1.6.3.1.1.4.1.0 val : 1.2.3.4.5.6.7.8.9.0
        oid : 1.3.6.1.2.1.2.2.1.1.1 val : 1
Press Control-C in each window to stop both the agent and the manager.
The SNMPv3 USM implemented in Java DMK 5.1 enables you to create users remotely in an SNMPv3 agent by accessing a MIB that has been registered in the SNMPv3 adaptor server. By default, the USM MIB is not registered in the adaptor server. You can register a MIB in the adaptor server by calling registerUsmMib.
snmpV3AdaptorServer.registerUsmMib();
Caution - You can use registerUsmMib to register your MIB in the MBean server, making it available via the HTML server. This can be useful for debugging purposes, but it can also represent a security breach.
The CreateUsmMibUser example in the examplesDir/current/Snmp/UsmMib directory is a tool that uses the SNMPv3 manager API to instantiate a new user in an agent USM MIB. CreateUsmMibUser performs authenticated and encrypted communication with the agent Agent, which is found in the same directory.
The complete code for the CreateUsmMibUser example is too long to show here, but the process that it goes through to create new users remotely can be summarized as follows:
The CreateUsmMibUser class uses a user template, called defaultUser, to bootstrap the remote configuration of the USM MIB. Because defaultUser is a template, it does not appear in the USM MIB, and therefore it is not visible to remote managers. CreateUsmMibUser knows of defaultUser because it is present in its configuration file, manager.security, as shown in the following example.
Example 19-9 manager.security File for the CreateUsmMibUser Example
localEngineID=0x8000002a05000000ec6c315f54
localEngineBoots=0

# User to create remotely in the agent.
userEntry=0x000000000000000000000002,myNewUser,myNewUser,usmHMACMD5AuthProtocol,newsyrup,usmDESPrivProtocol,newsyrup

# Template user to be used by the manager
userEntry=0x000000000000000000000002,defaultUser,,usmHMACMD5AuthProtocol,maplesyrup,usmDESPrivProtocol,maplesyrup
CreateUsmMibUser uses the defaultUser template to send an initial secure configuration request to create a new user, called myNewUser in this example. The newly created user will be a normal user, and will thus appear in the USM MIB.
CreateUsmMibUser implements the key-change mechanism defined in SNMP RFC 2574. This enables you to allocate new keys to the newly created users. An instance of SnmpUsmKeyHandler is associated with each SNMP engine object; calling getUsmKeyHandler returns it, and it enables you to compute key localization and delta generation when one of the standard authentication algorithms is used to derive the key. Because the CreateUsmMibUser example operates with authentication activated, the peer agent has to perform timeliness checks on the incoming requests for the creation of new users. If the request is proven timely, it is granted and the creation process proceeds. Otherwise, the request is rejected.
Once the request has been accepted and the data provided by the user has been parsed and processed, CreateUsmMibUser clones a new userEntry into the agent's jdmk.security file. The cloned entry is based on the defaultUser template entry, with the new information provided by the user added using the cloneFromUser variables.
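The key localization and key-change computation described above, as an added example that is not Java DMK code: a Python rendering of the RFC 2574 password-to-key algorithm and the KeyChange textual convention for keys no longer than one hash output (which covers the HMAC-MD5 and DES keys in this chapter). The engine ID and passwords are taken from this example's security files; the all-zero random mirrors the tutorial input and is a constructed value, and the function names are this example's own.

```python
import hashlib
import os

HASH_LEN = 16  # MD5 output length; usmHMACMD5AuthProtocol as in the security files above

# Constructed inputs: Agent's localEngineID from jdmk.security, and the template
# and new-user passwords from manager.security. The zero random copies the tutorial.
AGENT_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OLD_PASSWORD, NEW_PASSWORD = "maplesyrup", "newsyrup"
ZERO_RANDOM = bytes(HASH_LEN)

def password_to_localized_key(password: str, engine_id: bytes) -> bytes:
    """RFC 2574 A.2: Ku = MD5 over the password repeated to 1,048,576 bytes,
    then localized to one engine as Kul = MD5(Ku || engineID || Ku)."""
    pw = password.encode("utf-8")
    stream = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    ku = hashlib.md5(stream).digest()
    return hashlib.md5(ku + engine_id + ku).digest()

def key_change_value(old_kul: bytes, new_kul: bytes, random: bytes) -> bytes:
    """Manager side of the KeyChange TC (RFC 2574 section 5), single-block case:
    delta = newKey XOR MD5(oldKey || random). Only random || delta travels on
    the wire; the new localized key itself is never sent."""
    if len(new_kul) > HASH_LEN or len(random) != HASH_LEN:
        raise ValueError("single-block KeyChange needs a <=16-byte key and 16-byte random")
    temp = hashlib.md5(old_kul + random).digest()
    delta = bytes(n ^ t for n, t in zip(new_kul, temp))
    return random + delta

def apply_key_change(old_kul: bytes, key_change: bytes) -> bytes:
    """Agent side: recover newKey = delta XOR MD5(oldKey || random) from its stored old key."""
    random, delta = key_change[:HASH_LEN], key_change[HASH_LEN:]
    temp = hashlib.md5(old_kul + random).digest()
    return bytes(d ^ t for d, t in zip(delta, temp))

def remote_key_change(old_password: str, new_password: str, engine_id: bytes,
                      random=None) -> tuple:
    """Both halves of the exchange; returns (manager's new Kul, agent's recovered Kul)."""
    random = os.urandom(HASH_LEN) if random is None else random  # RFC asks for an unpredictable random
    old_kul = password_to_localized_key(old_password, engine_id)
    new_kul = password_to_localized_key(new_password, engine_id)
    wire = key_change_value(old_kul, new_kul, random)
    return new_kul, apply_key_change(old_kul, wire)

if __name__ == "__main__":
    new_key, recovered = remote_key_change(OLD_PASSWORD, NEW_PASSWORD, AGENT_ENGINE_ID, ZERO_RANDOM)
    print("localized maplesyrup key:", password_to_localized_key(OLD_PASSWORD, AGENT_ENGINE_ID).hex())
    print("agent recovered the new localized key:", new_key == recovered)
```

The localized maplesyrup key for this engine ID is the published RFC 2574/3414 MD5 test vector, so the output can be checked against the RFC directly.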
In the CreateUsmMibUser example, the new user myNewUser is remotely granted access to the agent Agent. The agent's initial security configuration is set in the jdmk.security file for Agent, which is found in the examplesDir/current/Snmp/UsmMib directory, as shown below.
Example 19-10 jdmk.security File for Agent in the CreateUsmMibUser Example
localEngineID=0x000000000000000000000002
localEngineBoots=0
userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,maplesyrup,usmDESPrivProtocol,maplesyrup,3,true
As you can see, the jdmk.security file currently only allows the defaultUser template to access the agent. The CreateUsmMibUser class will remotely add an extra row to this file to allow myNewUser to access the agent too.
If you have not already done so, build and compile the examples in examplesDir/current/Snmp/UsmMib.
Type the following commands:
$ javac -classpath classpath -d . *.java
Make sure that no other agents are running in examplesDir/current/Snmp/UsmMib, and start Agent.
$ java -classpath classpath -Djdmk.security.file=jdmk.security Agent
Note - The jdmk.security file must be writable if CreateUsmMibUser is to be able to add new user entries.
In another window, start the CreateUsmMibUser example.
When starting CreateUsmMibUser, you must point it to the manager.security configuration file, and specify the user name, the security level, the agent's host name and the port on which the agent is running. In this example, the security level is authentication and privacy enabled, and the agent is running on the local host.
$ java -classpath classpath -Djdmk.security.file=manager.security CreateUsmMibUser defaultUser noAuthNoPriv localhost 8085
You will see the following output:
Initializing creator.
Ready for new user inputs.
When prompted, provide the configuration information for your new user.
The information you provide must correspond to users that you have already configured in your manager's security file. In this example, we are remotely adding the user myNewUser, which is defined in manager.security, to the agent Agent. You therefore provide the following information, all of which is found in the manager.security file. You can enter any value for the auth key random and the priv key random.
Type the engine Id :0x000000000000000000000002
Type the new user name :myNewUser
Type the clone from user name :defaultUser
Type the security level :authPriv
Type the old priv password :maplesyrup
Type the new priv password :newsyrup
Type the priv key random :00000000000000000000000000000000
Type the auth protocol :usmHMACMD5AuthProtocol
Type the old auth password :maplesyrup
Type the new auth password :newsyrup
Type the auth key random :00000000000000000000000000000000
You will see the following output:
********** Input summary ************
* Engine Id : 0x000000000000000000000002
* New user name : myNewUser
* Clone from : defaultUser
* Security level : authPriv
* Old priv password : maplesyrup
* New priv password : newsyrup
* Priv key random : 00000000000000000000000000000000
* Auth protocol : usmHMACMD5AuthProtocol
* Old auth password : maplesyrup
* New auth password : newsyrup
* Auth key random : 00000000000000000000000000000000
Do you agree (yes, no) [yes]:
Press Enter to confirm your inputs.
You should see the following confirmation:
***** New user [myNewUser] created.
***** Doing Priv key change
***** Priv key change DONE.
***** Doing Auth key change
***** Auth key change DONE.
***** Setting row status to active.
***** Setting row status to active DONE.
***** SUCCESSFULLY CREATED NEW ROW IN AGENT FOR USER : [myNewUser]*****
Send sanity check? Your manager.security file MUST contain the currently created user (press return to do it, "no" to skip):
Press Enter to perform the sanity check.
You should see the following confirmation:
SANITY CHECK SUCCESSFUL, SPIN LOCK VALUE IS: 5
Ready for new user inputs.
Type the engine Id (return to accept) [0x000000000000000000000002]:
You are then invited to provide configuration information for any other users you want to allow to access Agent.
Check that the new user has been granted access to the agent by looking at the agent's jdmk.security file.
You should see a new userEntry for the new user in the jdmk.security file.
Example 19-11 jdmk.security File for Agent after Running CreateUsmMibUser
localEngineID=0x000000000000000000000002
localEngineBoots=7
userEntry=0x000000000000000000000002,myNewUser,myNewUser,usmHMACMD5AuthProtocol,0x87021D7BD9D101BA05EA6E3BF9D9BD4A,usmDESPrivProtocol,0x87021D7BD9D101BA05EA6E3BF9D9BD4A,3,
userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,maplesyrup,usmDESPrivProtocol,maplesyrup,3,true
When you have added all your new users, press Control-C in both windows to stop both Agent and CreateUsmMibUser.