
By default, a Java DMK 5.1 manager handles requests that are authenticated, but not encrypted. To activate encryption, you need to set certain parameters when you instantiate the SNMP session. As shown in Example 19-7, these parameters are passed to the engine using the SnmpEngineParameters class, as follows:

  • First, the application creates new SNMP engine parameters, called parameters in this example, by calling the SnmpEngineParameters constructor:

    SnmpEngineParameters parameters = new SnmpEngineParameters();

  • Then it activates encryption by making parameters call the activateEncryption method:

    parameters.activateEncryption();

  • Finally, it passes the parameters to the newly created SNMPv3 session:

    session = new SnmpSession(parameters, null, "SyncV3Manager session", null);

The SyncManagerEncryptV3 manager application then continues with the generation of a USM peer, defining the context and setting trap listeners in the same way as any other manager. Note, however, that in this manager, the security level is set to authPriv.

As well as the manager itself, you must also configure the security file associated with that manager. Example 19-8 shows the security file associated with SyncManagerEncryptV3.

Example 19-8 Manager jdmkencrypt.security File

#Authentication and encryption.
userEntry=0x8000002a05819dcb6e00001f95,defaultUser,,
usmHMACMD5AuthProtocol,mypasswd,usmDESPrivProtocol,mypasswd

# #####APPENDED PROPERTY####
localEngineBoots=2

# #####APPENDED PROPERTY####
localEngineID=0x8000002a05000000ebffd342ca

As was the case for the AgentEncryptV3 agent, in this file, you can see that the DES privacy protocol is specified.

Procedure: To Run the SyncManagerEncryptV3 Example

  1. If you have not already done so, build and compile the AgentEncryptV3 example in examplesDir/current/Snmp/Agent.

    Type the following commands:

    $ mibgen -d . mib_II.txt
    $ javac -classpath classpath -d . *.java

  2. Start the AgentEncryptV3 agent, passing it its associated security file, jdmkencrypt.security.

    $ java -classpath classpath -Djdmk.security.file=jdmkencrypt.security \
    AgentEncryptV3

    Press Enter to start sending traps.

  3. Press Enter to start sending traps.

  4. In another window, if you have not already done so, build and compile the SyncManagerEncryptV3 example in examplesDir/current/Snmp/Manager.

    Type the following commands:

    $ mibgen -mo -d . mib_II.txt
    $ javac -classpath classpath -d . *.java

  5. Start the SyncManagerEncryptV3 manager, passing it its associated security file, jdmkencrypt.security, and specifying the host name and port number of the agent it is to communicate with.

    $ java -classpath classpath -Djdmk.security.file=jdmkencrypt.security \
    SyncManagerEncryptV3 localhost 8085

    You should see the manager start to receive encrypted traps from the agent.

    SyncManagerEncryptV3::main: 
    Send get request to SNMP agent on localhost at port 8085
    Result: 
    [Object ID : 1.3.6.1.2.1.1.1.0  (Syntax : String)
    Value : SunOS sparc 5.8]
    
    >> Press Enter if you want to stop this SNMP manager.
    
    NOTE: TrapListenerImpl received trap V3:
            ContextEngineId : 0x8000002a05819dcb6e00001f95
            ContextName : TEST-CONTEXT
            VarBind list :
    oid : 1.3.6.1.2.1.1.3.0 val : 0:0:40
    oid : 1.3.6.1.6.3.1.1.4.1.0 val : 1.2.3.4.5.6.7.8.9.0
    oid : 1.3.6.1.2.1.2.2.1.1.1 val : 1

  6. Press Control-C in each window to stop both the agent and the manager.

19.3.6 Creating Users for SNMPv3 USM MIBs

The SNMPv3 USM implemented in Java DMK 5.1 enables you to create users remotely in an SNMPv3 agent by accessing a MIB that has been registered in the SNMPv3 adaptor server. By default, the USM MIB is not registered in the adaptor server. You can register a MIB in the adaptor server by calling registerUsmMib.

snmpV3AdaptorServer.registerUsmMib();


Caution - You can use registerUsmMib to register your MIB in the MBean server, making it available via the HTML server. This can be useful for debugging purposes, but it can also represent a security breach.


The CreateUsmMibUser example in the examplesDir/current/Snmp/UsmMib directory is a tool that uses the SNMPv3 manager API to instantiate a new user in an agent USM MIB. CreateUsmMibUser performs authenticated and encrypted communication with the agent, called Agent, which is found in the same directory.

The complete code for the CreateUsmMibUser example is too long to show here, but the process that it goes through to create new users remotely can be summarized as follows:

  • The CreateUsmMibUser class uses a user template, called defaultUser, to bootstrap the remote configuration of the USM MIB. Because defaultUser is a template, it does not appear in the USM MIB, and therefore it is not visible to remote managers. CreateUsmMibUser knows of defaultUser because it is present in its configuration file, manager.security, as shown in the following example.

    Example 19-9 manager.security File for the CreateUsmMibUser Example

    localEngineID=0x8000002a05000000ec6c315f54
    localEngineBoots=0
    
    # User to create remotely in the agent.
    userEntry=0x000000000000000000000002,myNewUser,
    myNewUser,usmHMACMD5AuthProtocol,newsyrup,
    usmDESPrivProtocol,newsyrup
    
    # Template user to be used by the manager
    userEntry=0x000000000000000000000002,defaultUser,,
    usmHMACMD5AuthProtocol,maplesyrup,usmDESPrivProtocol,
    maplesyrup

    CreateUsmMibUser uses the defaultUser template to send an initial secure configuration request to create a new user, called myNewUser in this example. The newly created user will be a normal user, and will thus appear in the USM MIB.

  • CreateUsmMibUser implements the key-change mechanism defined in SNMP RFC 2574, which enables you to allocate new keys to the newly created users. Calling getUsmKeyHandler gives you an SnmpUsmKeyHandler that computes key localization and delta generation; one instance is associated with each SNMP engine object, and it uses one of the standard authentication algorithms when computing the key. Because the CreateUsmMibUser example operates with authentication activated, the peer agent has to perform timeliness checks on the incoming requests for the creation of new users. If the request proves timely, it is granted and the creation process proceeds. Otherwise, the request is rejected.

  • Once the request has been accepted and the data provided by the user has been parsed and processed, CreateUsmMibUser clones a new userEntry in the agent's jdmk.security file. The cloned entry is based on the defaultUser template entry, with the new information provided by the user added using the cloneFromUser variables.

  • In the CreateUsmMibUser example, the new user myNewUser is remotely granted access to the agent Agent. The agent's initial security configuration is set in the jdmk.security file for Agent, which is found in the examplesDir/current/Snmp/UsmMib directory, as shown below.

    Example 19-10 jdmk.security File for Agent in the CreateUsmMibUser Example

    localEngineID=0x000000000000000000000002
    localEngineBoots=0
    
    userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,
    maplesyrup,usmDESPrivProtocol,maplesyrup,3,true

    As you can see, the jdmk.security file currently only allows the defaultUser template to access the agent. The CreateUsmMibUser class will remotely add an extra row to this file to allow myNewUser to access the agent too.
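The key localization, delta generation and timeliness checks described above, worked through in Python as an added example. This is not Java DMK code and not the CreateUsmMibUser source; it follows RFC 3414, the successor of RFC 2574 cited above, whose algorithms are unchanged. The function names are my own. The inputs are the ones the procedure below uses (engine ID 0x000000000000000000000002, old password maplesyrup, new password newsyrup, all-zero random values), and because maplesyrup with that engine ID is also the RFC's published test vector, the localized key the code produces can be checked against the RFC.

```python
import hashlib

# Added example (not Java DMK code): the RFC 3414 USM key derivation and
# KeyChange arithmetic that a tool such as CreateUsmMibUser performs.
# usmHMACMD5AuthProtocol on the page corresponds to hash_name "md5".

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1: Ku = H(password repeated out to 1 MiB)."""
    expanded = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1: Kul = H(Ku || snmpEngineID || Ku).

    The localized key is what the agent stores: it is bound to one engine,
    so reading one agent's key store does not give the password key Ku."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keychange_delta(key_old: bytes, key_new: bytes, random: bytes,
                    hash_name: str = "md5") -> bytes:
    """Manager side of the KeyChange TC (RFC 3414 section 5).

    Returns delta; the value written to usmUserAuthKeyChange or
    usmUserPrivKeyChange is random || delta. With 16-byte keys and MD5 the
    loop runs zero times and delta = H(keyOld || random) XOR keyNew."""
    h = hashlib.new(hash_name).digest_size
    iterations = (len(key_new) - 1) // h
    temp = key_old
    delta = b""
    for i in range(iterations):
        temp = hashlib.new(hash_name, temp + random).digest()
        block = _xor(temp, key_new[i * h:(i + 1) * h])
        delta += block
        temp = block
    temp = hashlib.new(hash_name, temp + random).digest()
    tail = key_new[iterations * h:]
    return delta + _xor(temp[:len(tail)], tail)


def keychange_recover(key_old: bytes, random: bytes, delta: bytes,
                      hash_name: str = "md5") -> bytes:
    """Agent side: rebuild keyNew from its current key and random || delta.

    Only a holder of keyOld can do this, which is why the procedure asks
    for the old password before the new one."""
    h = hashlib.new(hash_name).digest_size
    iterations = (len(delta) - 1) // h
    temp = key_old
    key_new = b""
    for i in range(iterations):
        temp = hashlib.new(hash_name, temp + random).digest()
        block = delta[i * h:(i + 1) * h]
        key_new += _xor(temp, block)
        temp = block
    temp = hashlib.new(hash_name, temp + random).digest()
    tail = delta[iterations * h:]
    return key_new + _xor(temp[:len(tail)], tail)


def is_timely(local_boots: int, local_time: int,
              msg_boots: int, msg_time: int, window: int = 150) -> bool:
    """Timeliness check an authoritative engine applies (RFC 3414 3.2, step 7).

    Boots must match, the engine must not have exhausted its boot counter,
    and the message time must lie within the 150-second window."""
    if local_boots == 2147483647:
        return False
    return msg_boots == local_boots and abs(local_time - msg_time) <= window


def demo() -> dict:
    """Replay the page's inputs: engine 0x000000000000000000000002,
    maplesyrup -> newsyrup, and the all-zero random typed at the prompt."""
    engine_id = bytes.fromhex("000000000000000000000002")
    random = bytes(16)  # the 32 zero hex digits entered in the procedure
    kul_old = localize_key(password_to_key(b"maplesyrup"), engine_id)
    kul_new = localize_key(password_to_key(b"newsyrup"), engine_id)
    delta = keychange_delta(kul_old, kul_new, random)
    return {
        "kul_old": kul_old.hex(),
        "kul_new": kul_new.hex(),
        "keychange": (random + delta).hex(),
        "agent_recovers_new_key": keychange_recover(kul_old, random, delta) == kul_new,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With MD5 and 16-byte keys the delta collapses to one hash XOR, so the only thing standing between an observer of the SET request and the new key is the secrecy of the old localized key; the procedure's all-zero random value is accepted by the protocol, but a real tool should draw it from os.urandom so that two key changes from the same old key never produce comparable deltas.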

Procedure: To Run the CreateUsmMibUser Example

  1. If you have not already done so, build and compile the examples in examplesDir/current/Snmp/UsmMib.

    Type the following commands:

    $ javac -classpath classpath -d . *.java

  2. Make sure that no other agents are running in examplesDir/current/Snmp/UsmMib, and start Agent.

    $ java -classpath classpath -Djdmk.security.file=jdmk.security Agent


    Note - The jdmk.security file must be writable if CreateUsmMibUser is to be able to add new user entries.


  3. In another window, start the CreateUsmMibUser example.

    When starting CreateUsmMibUser, you must point it to the manager.security configuration file, and specify the user name, the security level, the agent's host name and the port on which the agent is running. In this example, the security level is authentication and privacy enabled, and the agent is running on the local host.

    $ java -classpath classpath -Djdmk.security.file=manager.security \
    CreateUsmMibUser defaultUser noAuthNoPriv localhost 8085

    You will see the following output:

    Initializing creator.
    Ready for new user inputs.

  4. When prompted, provide the configuration information for your new user.

    The information you provide must correspond to users that you have already configured into your manager's security file. In this example, we are remotely adding the user myNewUser that is defined in manager.security to the agent Agent. You therefore provide the following information, all of which is found in the manager.security file. You can enter any value for the auth key random and the priv key random.

    Type the engine Id :0x000000000000000000000002
    Type the new user name :myNewUser
    Type the clone from user name :defaultUser
    Type the security level :authPriv
    Type the old priv password :maplesyrup
    Type the new priv password :newsyrup
    Type the priv key random :00000000000000000000000000000000
    Type the auth protocol :usmHMACMD5AuthProtocol
    Type the old auth password :maplesyrup
    Type the new auth password :newsyrup
    Type the auth key random :00000000000000000000000000000000

    You will see the following output:

    ********** Input summary ************ 
    
            * Engine Id : 0x000000000000000000000002
            * New user name : myNewUser
            * Clone from : defaultUser
            * Security level : authPriv
            * Old priv password : maplesyrup
            * New priv password : newsyrup
            * Priv key random : 00000000000000000000000000000000
            * Auth protocol : usmHMACMD5AuthProtocol
            * Old auth password : maplesyrup
            * New auth password : newsyrup
            * Auth key random : 00000000000000000000000000000000
    Do you agree (yes, no) [yes]:

  5. Press Enter to confirm your inputs.

    You should see the following confirmation:

    ***** New user [myNewUser] created.
    ***** Doing Priv key change
    ***** Priv key change DONE.
    ***** Doing Auth key change
    ***** Auth key change DONE.
    ***** Setting row status to active.
    ***** Setting row status to active DONE.
    
    ***** SUCCESSFULLY CREATED NEW ROW IN AGENT FOR USER : [myNewUser]*****
    
    
    Send sanity check? Your manager.security file MUST contain the currently 
    created user (press return to do it, "no" to skip):

  6. Press Enter to perform the sanity check.

    You should see the following confirmation:

    SANITY CHECK SUCCESSFUL, SPIN LOCK VALUE IS: 5
    Ready for new user inputs.
    
    Type the engine Id (return to accept) [0x000000000000000000000002]:

    You are then invited to provide configuration information for any other users you want to allow to access Agent.

  7. Check that the new user has been granted access to the agent by looking at the agent's jdmk.security file.

    You should see a new userEntry for the new user in the jdmk.security file.

    Example 19-11 jdmk.security File for Agent after Running CreateUsmMibUser

    localEngineID=0x000000000000000000000002
    localEngineBoots=7
    
    userEntry=0x000000000000000000000002,myNewUser,myNewUser,
    usmHMACMD5AuthProtocol,0x87021D7BD9D101BA05EA6E3BF9D9BD4A,
    usmDESPrivProtocol,0x87021D7BD9D101BA05EA6E3BF9D9BD4A,3,
    
    userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,maplesyrup,
    usmDESPrivProtocol,maplesyrup,3,true

  8. When you have added all your new users, press Control-C in both windows to stop both Agent and CreateUsmMibUser.
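Step 7 has you inspect the agent's jdmk.security file by eye. The following Python is an added example, not part of Java DMK or of the examples directory, that parses the file format shown in Examples 19-8, 19-10 and 19-11 and reports what a defender would want to know about each entry: users without a privacy protocol, secrets kept as cleartext passwords rather than localized keys, and template users. The seven leading userEntry fields are read straight from the page's examples; the meaning of the trailing two (storage type and template flag) is an assumption drawn from the ",3,true" suffix on the defaultUser entries. The sample input is constructed here by joining the wrapped lines of Example 19-11 and adding one extra user.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not Java DMK code): parser and audit for the
# jdmk.security / manager.security files shown on this page.
#
#   userEntry=<engineID>,<userName>,<securityName>,<authProtocol>,<authSecret>,
#             <privProtocol>,<privSecret>[,<storageType>[,<template>]]
#
# Fields 1-7 follow the page's examples. Fields 8 and 9 (storage type,
# template flag) are an assumption based on the ",3,true" suffix of the
# defaultUser entries. An engineID of "localEngineID" refers to the file's
# own localEngineID property. A secret starting with 0x is a localized key;
# anything else is a cleartext password the engine localizes at startup.


@dataclass
class UserEntry:
    engine_id: str
    user_name: str
    security_name: str
    auth_protocol: str
    auth_secret: str
    priv_protocol: str
    priv_secret: str
    storage_type: Optional[str]
    template: bool  # assumed meaning of the ninth field

    @property
    def security_level(self) -> str:
        """Highest level this entry can use, in the page's naming."""
        if not self.auth_protocol:
            return "noAuthNoPriv"
        if not self.priv_protocol:
            return "authNoPriv"
        return "authPriv"

    def has_cleartext_secret(self) -> bool:
        return any(s and not s.startswith("0x")
                   for s in (self.auth_secret, self.priv_secret))


def parse_security_file(text: str) -> Tuple[Dict[str, str], List[UserEntry]]:
    """Return (properties, user entries). Each userEntry must sit on one
    line; the page wraps them only for display."""
    props: Dict[str, str] = {}
    users: List[UserEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key != "userEntry":
            props[key] = value
            continue
        fields = [f.strip() for f in value.split(",")]
        if len(fields) < 7:
            raise ValueError(f"userEntry needs at least 7 fields: {raw!r}")
        fields += [""] * (9 - len(fields))  # pad the optional trailing fields
        engine = fields[0]
        if engine == "localEngineID":
            engine = props.get("localEngineID", engine)
        users.append(UserEntry(
            engine_id=engine, user_name=fields[1], security_name=fields[2],
            auth_protocol=fields[3], auth_secret=fields[4],
            priv_protocol=fields[5], priv_secret=fields[6],
            storage_type=fields[7] or None,
            template=fields[8].lower() == "true",
        ))
    return props, users


def audit(users: List[UserEntry]) -> List[str]:
    """Flag entries whose configuration weakens the agent."""
    findings = []
    for u in users:
        if u.security_level != "authPriv":
            findings.append(f"{u.user_name}: {u.security_level}, traffic for this user is not encrypted")
        if u.has_cleartext_secret():
            findings.append(f"{u.user_name}: cleartext password on disk rather than a localized key")
        if u.template:
            findings.append(f"{u.user_name}: template entry, hidden from the USM MIB but usable to bootstrap remote user creation")
    return findings


# Constructed sample: Example 19-11's two entries joined onto single lines,
# plus one extra authNoPriv user added here to exercise the audit.
SAMPLE_JDMK_SECURITY = """\
localEngineID=0x000000000000000000000002
localEngineBoots=7

userEntry=0x000000000000000000000002,myNewUser,myNewUser,usmHMACMD5AuthProtocol,0x87021D7BD9D101BA05EA6E3BF9D9BD4A,usmDESPrivProtocol,0x87021D7BD9D101BA05EA6E3BF9D9BD4A,3,

userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,maplesyrup,usmDESPrivProtocol,maplesyrup,3,true

# constructed for this example: authenticated but unencrypted user
userEntry=localEngineID,monitor,,usmHMACMD5AuthProtocol,monitorpass,,
"""

if __name__ == "__main__":
    props, users = parse_security_file(SAMPLE_JDMK_SECURITY)
    print(f"engine {props['localEngineID']} boots={props['localEngineBoots']}")
    for finding in audit(users):
        print("-", finding)
```

Run against the real file after step 7, the audit shows the point of the exercise: the remotely created myNewUser is stored as localized keys only, while the defaultUser template, which can bootstrap further user creation, still carries its password in clear. Since the file must be writable for CreateUsmMibUser to work (see the note in step 2), its permissions deserve the same attention as its contents.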
