19.3 SNMPv3 User-Based Security Model

As stated in the earlier SNMP chapters in this manual, SNMPv3 implements a much more sophisticated set of security mechanisms than the previous versions of SNMP. The SNMPv3 USM enables you to implement authentication and privacy in the communication that takes place between your SNMP agents and managers. SNMPv3 also introduces the concept of the authoritative SNMP engine and enables you to create authorized users for specific SNMPv3 agents. Chapter 16, Creating an SNMP Agent and Chapter 17, Developing an SNMP Manager provided just enough information about configuring SNMPv3 security to enable you to run the examples in those chapters. The following sections provide a more complete description of SNMPv3 security.

19.3.1 SNMPv3 Engines

SNMPv3 introduces the notion of the authoritative SNMP engine. The concept of authoritative is defined as follows:
Being authoritative means that an entity has the ability to accept or deny requests from other entities, depending upon whether both sides of the exchange have been appropriately configured to communicate with each other, and whether the request itself arrives in a timely fashion.

To check the timeliness of a request, the authoritative engine compares the time of sending included in the request against its own internal clock. If the difference between the time of sending and the time of receipt recorded by the authoritative engine exceeds 150 seconds, the request is not considered timely and is rejected. The authoritative engine also checks timeliness by reading the engine boots value carried in the request, which is the sender's notion of how many times the authoritative engine has rebooted, and comparing it with its own boot count, obtained by calling SnmpEngine.getEngineBoots. If the value carried in the request and the value returned by SnmpEngine.getEngineBoots do not correspond, the request is rejected. Together, the boot count and the clock form the replay-protection window of the USM: a captured request cannot be replayed once the window has elapsed or the authoritative engine has rebooted, which is why the boot count must be persisted across restarts rather than reset to zero.

In general, agents are authoritative and managers are non-authoritative. However, when receiving informs, managers are authoritative, and can accept or deny the informs according to their timeliness.

Java DMK 5.1 associates an SNMP engine with every SnmpV3AdaptorServer that is instantiated. Engines can be shared between several SNMP sessions. SNMP engines are identified by their engine ID.

19.3.2 Generating SNMPv3 Engine IDs

SNMPv3 engine ID objects are generated in accordance with SNMP RFC 2571. An engine discovers its ID in one of the following ways, each of which is tried in the order shown:
In Java DMK 5.1, you can create new SNMP engine IDs either manually, using a Java command-line tool called EngineIdGenerator, or automatically in the code of your applications, using the SnmpEngineId class. You can see the EngineIdGenerator tool in the examplesDir/current/Snmp/EngineId directory. You must provide either EngineIdGenerator or SnmpEngineId with any of the following information:
The EngineIdGenerator uses the SnmpEngineId class when generating engine IDs (see the Javadoc entry for SnmpEngineId for details). The SnmpEngineId class simplifies the configuration of SNMP entities by enabling you to identify engines using information that is easily comprehensible to humans, such as host names and port numbers, which it then converts into system-oriented hexadecimal engine IDs for you. The SnmpEngineId class also generates SNMP object identifiers (OIDs) from the engine IDs it creates. This is particularly useful when computing USM MIB user table indexes, as seen in 19.3.6 Creating Users for SNMPv3 USM MIBs.
To generate an engine ID with the EngineIdGenerator tool:

1. Compile the EngineIdGenerator example.

   $ javac -classpath classpath EngineIdGenerator.java

2. Start the EngineIdGenerator tool.

   $ java -classpath classpath EngineIdGenerator
   Start making your engine Id construct:(h for help)
   #:

   Typing h will provide examples of the information you can provide.

3. Provide the relevant information to create the engine ID.

   Declare your information, using the appropriate separators, as follows:

   | Input form | Result |
   |---|---|
   | address:port:IANA number | All three inputs are used |
   | address:port | The address and port you specify are used; the IANA number defaults to 42 (Sun Microsystems) |
   | address | The address you specify is used; the port defaults to 161 and the IANA number defaults to 42 (Sun Microsystems) |
   | :port | The port you specify is used; the host defaults to localhost and the IANA number defaults to 42 (Sun Microsystems) |
   | ::IANA number | The IANA number you specify is used; the host defaults to localhost and the port defaults to 161 |
   | :port:IANA number | The port and IANA number you specify are used; the host defaults to localhost |
   | address::IANA number | The address and IANA number you specify are used; the port defaults to 161 |
   | :: | The port defaults to 161, the address defaults to localhost and the IANA number defaults to 42 (Sun Microsystems) |

   Because the ID is computed from these three inputs, two engines that are given the same address, port and IANA number receive the same engine ID. Give every engine that must be distinguishable (for example, two adaptors on one host) a distinct port or IANA number.

   For example, to specify all three of the address, port and IANA number, when prompted you might type:

   #:localhost:8087:42
   Generated engine Id
   ******** [0x8000002a05819dcb6200001f97] ********
   #:

4. Press Control-C when you have finished generating engine IDs.
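The following Python script is an added illustration, not code from Java DMK or from the EngineIdGenerator example. It reproduces the engine ID layout that the tool output above reveals: 0x80, the three-byte IANA enterprise number, a format byte of 0x05 (administratively assigned octets in the RFC 2571/3411 SnmpEngineID convention), the IPv4 address and a four-byte port. The layout is inferred from that single output, so treat it as an assumption rather than a documented format. The resolver argument is a hypothetical hook that lets the example run offline with 129.157.203.98, the address that localhost evidently resolved to on the page's host. The script also shows the OID index form of an engine ID, which is what the usmUserTable index in 19.3.6 is built from.

```python
import ipaddress
import socket

SUN_IANA = 42  # Default enterprise number used by EngineIdGenerator (42 = Sun Microsystems).
DEFAULT_PORT = 161
FORMAT_OCTETS = 0x05  # RFC 2571/3411 format 5: administratively assigned octets.


def parse_spec(spec):
    """Split an 'address:port:IANA' string using the defaults from the table above.
    Empty fields fall back to localhost, 161 and 42 respectively (IPv4 hosts only)."""
    parts = (spec.split(":") + ["", ""])[:3]
    address = parts[0] or "localhost"
    port = int(parts[1]) if parts[1] else DEFAULT_PORT
    iana = int(parts[2]) if parts[2] else SUN_IANA
    return address, port, iana


def build_engine_id(address="localhost", port=DEFAULT_PORT, iana=SUN_IANA,
                    resolve=socket.gethostbyname):
    """Return the 13-byte engine ID in the layout inferred from the tool's output:
    0x80 | IANA enterprise (3 bytes) | 0x05 | IPv4 address (4 bytes) | port (4 bytes).
    'resolve' is a hypothetical hook so tests can pin the address without DNS."""
    ip = ipaddress.IPv4Address(resolve(address))
    return (bytes([0x80]) + iana.to_bytes(3, "big") + bytes([FORMAT_OCTETS])
            + ip.packed + port.to_bytes(4, "big"))


def parse_engine_id(eid):
    """Inverse of build_engine_id; rejects anything that is not in that layout."""
    if len(eid) != 13 or eid[0] != 0x80 or eid[4] != FORMAT_OCTETS:
        raise ValueError("not a Java DMK style engine ID: " + eid.hex())
    return {"iana": int.from_bytes(eid[1:4], "big"),
            "address": str(ipaddress.IPv4Address(eid[5:9])),
            "port": int.from_bytes(eid[9:13], "big")}


def octets_to_oid_index(octets):
    """Encode a variable-length OCTET STRING index: its length as one sub-identifier,
    then one sub-identifier per byte (RFC 2578 section 7.7)."""
    return [len(octets)] + list(octets)


def usm_user_index(eid, user_name):
    """Index of a usmUserTable row, whose INDEX is usmUserEngineID then usmUserName
    (RFC 3414); this is the OID form that SnmpEngineId produces for engine IDs."""
    sub_ids = octets_to_oid_index(eid) + octets_to_oid_index(user_name.encode())
    return ".".join(str(s) for s in sub_ids)


if __name__ == "__main__":
    # Pin localhost to the address seen in the page's output so the ID matches it.
    pinned = lambda host: "129.157.203.98" if host == "localhost" else socket.gethostbyname(host)
    address, port, iana = parse_spec("localhost:8087:42")
    eid = build_engine_id(address, port, iana, resolve=pinned)
    print("engine ID  0x" + eid.hex())
    print("decoded   ", parse_engine_id(eid))
    print("USM index ", usm_user_index(eid, "aSecureUser"))
```

With the pinned resolver the script prints 0x8000002a05819dcb6200001f97, the value the tool generated above; with the real resolver it prints whatever your host resolves localhost to, which is exactly why two hosts with the same address:port:IANA inputs but different DNS results get different IDs.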
The SNMPv3 USM is configured in a Java DMK text file, called jdmk.security. Every SNMP engine has an associated security file.

In a traditional agent and manager SNMP architecture, you have one security file associated with the agent and one associated with the manager. Both files have a very similar configuration.

The authoritative agent's security file contains all the security information needed to authenticate, and optionally decrypt, the requests it receives from the manager. The non-authoritative manager's security file contains all the security information needed to make requests of authoritative agents. The passwords in both files are stored in clear text, so restrict read access to each file to the account that runs the corresponding agent or manager.
The following examples show typical security files for an agent and a manager.
Example 19-3 A Typical Agent jdmk.security File

localEngineID=myHost:8085
localEngineBoots=7
#Typical authenticated entry. Accepts requests from a user called
#aSecureUser
userEntry=localEngineID,aSecureUser,aSecureUser,usmHMACMD5AuthProtocol,mypasswd
#Typical authenticated and encrypted entry. Accepts requests from
#aSecureUser
#userEntry=localEngineID,aSecureUser,aSecureUser,usmHMACMD5AuthProtocol,mypasswd,usmDESPrivProtocol,mypasswd
The example agent jdmk.security file identifies the agent's associated SNMP engine using its host name and port number, records the number of times that engine has rebooted, and sets two possible security configurations for a user called aSecureUser. Each userEntry lists, in order, the engine the entry applies to (localEngineID meaning this agent's own engine), the user name, the security name, the authentication protocol and its password, and optionally the privacy protocol and its password. One possible configuration applies authentication to requests from aSecureUser. The second configuration, which is currently commented out and is therefore inactive, applies both authentication and privacy to requests from the same user.
Example 19-4 A Typical Manager jdmk.security File

#Typical authenticated entry. Makes requests to authoritative engine
#myHost:8085 with some parameters.
userEntry=myHost:8085,aSecureUser,aSecureUser,usmHMACMD5AuthProtocol,mypasswd
#Typical authenticated and encrypted entry. Makes requests to authoritative
#engine myHost:8085 with some parameters.
#userEntry=myHost:8085,aSecureUser,aSecureUser,usmHMACMD5AuthProtocol,mypasswd,usmDESPrivProtocol,mypasswd
#
#####APPENDED PROPERTY####
localEngineBoots=5
#
#####APPENDED PROPERTY####
localEngineID=myOtherHost:8087
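The manager file above names the agent's engine (myHost:8085) in each userEntry because USM never sends the password itself: RFC 3414 turns the password into a key and then localizes that key with the authoritative engine's ID, so the same password produces a different key for every agent. The following Python script is an added example, not Java DMK code, that parses a security file in the format of Examples 19-3 and 19-4, performs the RFC 3414 password-to-key derivation for each active entry, and flags the configuration choices a reviewer would question. The sample file, the second user, the SHA protocol name and the engine ID bytes are constructed for illustration; the only protocol names the page itself shows are usmHMACMD5AuthProtocol and usmDESPrivProtocol.

```python
import hashlib

# Constructed sample modelled on the manager file above; not the page's file verbatim.
# The opsUser entry and the usmHMACSHAAuthProtocol name are assumptions for illustration.
SAMPLE_SECURITY_FILE = """\
#Typical authenticated entry. Makes requests to authoritative engine
#myHost:8085 with some parameters.
userEntry=myHost:8085,aSecureUser,aSecureUser,usmHMACMD5AuthProtocol,mypasswd
#userEntry=myHost:8085,aSecureUser,aSecureUser,usmHMACMD5AuthProtocol,mypasswd,usmDESPrivProtocol,mypasswd
userEntry=myHost:8085,opsUser,opsUser,usmHMACSHAAuthProtocol,maplesyrup,usmDESPrivProtocol,another-secret
localEngineBoots=5
localEngineID=myOtherHost:8087
"""

# Hash function behind each authentication protocol name (SHA name assumed, see above).
AUTH_HASH = {"usmHMACMD5AuthProtocol": "md5", "usmHMACSHAAuthProtocol": "sha1"}


def parse_security_file(text):
    """Split a jdmk.security file into plain properties and the active userEntry records.
    Field order: engine, user name, security name, auth protocol, auth password, and
    optionally priv protocol and priv password. Commented-out entries are ignored."""
    props, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() != "userEntry":
            props[key.strip()] = value.strip()
            continue
        f = [p.strip() for p in value.split(",")]
        if len(f) not in (5, 7):
            raise ValueError("malformed userEntry: " + line)
        entries.append({"engine": f[0], "user": f[1], "security_name": f[2],
                        "auth_proto": f[3], "auth_pass": f[4],
                        "priv_proto": f[5] if len(f) == 7 else None,
                        "priv_pass": f[6] if len(f) == 7 else None})
    return props, entries


def password_to_key(password, engine_id, hash_name):
    """RFC 3414 A.2 password-to-key algorithm. Ku hashes exactly 1 MiB of the password
    repeated; Kul = H(Ku || engineID || Ku) localizes it to the authoritative engine."""
    pw = password.encode()
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(hash_name, expanded).digest()
    kul = hashlib.new(hash_name, ku + engine_id + ku).digest()
    return ku, kul


def localized_keys(entry, engine_id):
    """Localized authentication key and, if the entry has privacy, the privacy key.
    The privacy key is derived with the authentication protocol's hash; DES uses
    its first 16 octets (8 key octets, 8 pre-IV octets)."""
    h = AUTH_HASH[entry["auth_proto"]]
    auth = password_to_key(entry["auth_pass"], engine_id, h)[1]
    priv = password_to_key(entry["priv_pass"], engine_id, h)[1] if entry["priv_pass"] else None
    return auth, priv


def weaknesses(entry):
    """Checks a reviewer would run over each active entry."""
    found = []
    if entry["auth_proto"] == "usmHMACMD5AuthProtocol":
        found.append("MD5 authentication")
    if entry["priv_proto"] is None:
        found.append("no privacy: PDUs sent in clear (authNoPriv)")
    elif entry["priv_proto"] == "usmDESPrivProtocol":
        found.append("DES privacy")
    if entry["priv_pass"] is not None and entry["priv_pass"] == entry["auth_pass"]:
        found.append("same password for authentication and privacy")
    shortest = min(len(entry["auth_pass"]), len(entry["priv_pass"] or entry["auth_pass"]))
    if shortest < 8:
        found.append("password shorter than 8 characters (RFC 3414 minimum)")
    return found


if __name__ == "__main__":
    props, entries = parse_security_file(SAMPLE_SECURITY_FILE)
    # Constructed engine ID standing in for the real ID of myHost:8085.
    agent_engine_id = bytes.fromhex("8000002a05819dcb6200001f95")
    print("manager engine:", props["localEngineID"], "boots:", props["localEngineBoots"])
    for e in entries:
        auth, priv = localized_keys(e, agent_engine_id)
        print(e["user"], "auth key:", auth.hex(),
              "priv key:", priv.hex() if priv else None, weaknesses(e))
```

The derivation is checked against the RFC 3414 Appendix A.3 test vectors (password "maplesyrup", engine ID of eleven zero octets followed by 0x02), so the keys it prints for a real engine ID are the ones the agent must hold in its own usmUserTable. Running the checks over Example 19-4 as shipped reports MD5 authentication and no privacy for aSecureUser; the commented-out entry would also be flagged for reusing mypasswd as both the authentication and privacy password.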