The example manager jdmk.security file sets two
possible configurations to send requests from the user aSecureUser to the above agent. Again, the first configuration applies authentication
to requests from aSecureUser, and the second configuration,
which is currently commented out and is therefore inactive, applies both authentication
and privacy.
Note - The localEngineID for each of the manager and
the agent must be different. If two entities that communicate with each other
have the same local engine ID, behavior is unpredictable.
19.3.3.1 Adding Users to the Security Files
As you can see in Example 19-3 and Example 19-4,
every user that has access to an agent is represented by a userEntry row in each of the agent's and the manager's security files. The
example manager jdmk.security file is configured to send
requests from aSecureUser to the agent, either with authentication
only, or with privacy activated. The agent is configured to receive those
requests.
You configure userEntry as follows, with the parameters
separated commas:
userEntry=engine ID,user name,security name,authentication algorithm,authentication key, privacy algorithm,privacy key,storage type,template
The only mandatory parameters are the engine ID and the user name. All
the other parameters are optional.
The possible values for the parameters are as follows:
Engine ID | A local or remote SNMP
engine, defined in one of the following ways: The string localEngineID, to denote the
local engine
A hexadecimal string, as generated by EngineIdGenerator; for example, 0x8000002a05819dcb6e00001f95
A human readable string used to generate an engine ID, providing
any or all of the host name, port and IANA number, as shown in 19.3.2 Generating SNMPv3 Engine IDs
| User name | Any human-readable string
| Security name | Any human-readable
string
| Authentication algorithm | The following
algorithms are permitted: usmHMACMD5AuthProtocol
usmHMACSHAAuthProtocol
usmNoAuthProtocol
| Authentication key | Any text password
or any hexadecimal key starting with 0x; for example, 0x0098768905AB67EFAA855A453B665B12, of size:
| Privacy algorithm | The following
algorithms are permitted: usmDESPrivProtocol
usmNoPrivProtocol
If no algorithm is specified, the default is usmNoPrivProtocol.
| | Any text password or any hexadecimal
key starting with 0x; for example, 0x0098768905AB67EFAA855A453B665B12, of size 0 to 32 inclusive
If a hexadecimal string is provided, it must be a localized key
| Storage type | A value of 3 denotes non-volatile, meaning that the user entry is flushed in the security
file; any other value than 3 will be rejected, throwing an IllegalArgumentException
| template | Can be either true or false:
If true, the row is a template, not seen from USM
MIB. This kind of user is used when cloning users.
The default is false.
|
19.3.4 Enabling Privacy in SNMPv3 Agents
As shown in the example security
files given in 19.3.3 SNMPv3 USM Configuration, you can protect the communication
between your SNMPv3 entities by enabling encryption, otherwise known as privacy.
The privacy algorithms used by SNMPv3 are the data encryption
standard (DES) protocol from the Java Cryptography Extension (JCE) from the
Java 2 Platform, Standard Edition (J2SE) 1.4, as well as the secure hash algorithm (SHA) and message digest 5 (MD5) encryption
protocols provided since J2SE 1.2.
To run an SNMP entity with privacy enabled, you must configure both
the entity itself and its corresponding security file. The following example
shows the code for an SNMPv3 agent with privacy enabled, called AgentEncryptV3. This example is found in the examplesDir/current/Snmp/Agent directory.
Example 19-5 AgentEncryptV3 Agent with Privacy Enabled
public class AgentEncryptV3 {
static SnmpV3AdaptorServer snmpAdaptor = null;
private static int nbTraps = -1;
public static void main(String args[]) {
final MBeanServer server;
final ObjectName htmlObjName;
final ObjectName snmpObjName;
final ObjectName mibObjName;
final ObjectName trapGeneratorObjName;
int htmlPort = 8082;
int snmpPort = 161;
// Parse the number of traps to be sent.
[...]
// SNMP specific code:
[...]
// Set up encryption
//First create parameters.
SnmpEngineParameters parameters = new SnmpEngineParameters();
//Then activate encryption
parameters.activateEncryption();
//Create the SNMPv3 adaptor and pass it the parameters.
snmpAdaptor = new SnmpV3AdaptorServer(parameters,
null,
null,
snmpPort,
null);
// Register the SNMP Adaptor in the MBean Server
//
server.registerMBean(snmpAdaptor, snmpObjName);
// Register the USM MIB
snmpAdaptor.registerUsmMib(server, null);
// Start the adaptor.
snmpAdaptor.start();
// Send a coldStart SNMP Trap.
// Use port = snmpPort+1.
//
print("NOTE: Sending a coldStart SNMP trap to each " +
"destination defined in the ACL file...");
snmpAdaptor.setTrapPort(new Integer(snmpPort+1));
snmpAdaptor.snmpV1Trap(0, 0, null);
println("Done.");
// Create the MIB II (RFC 1213) and add it to the MBean server.
//
mibObjName= new ObjectName("snmp:class=RFC1213_MIB");
Trace.send(Trace.LEVEL_TRACE, Trace.INFO_MISC, "Agent", "main",
"Adding RFC1213-MIB to MBean server with name \n\t" +
mibObjName);
// Create an instance of the customized MIB
//
RFC1213_MIB mib2 = new RFC1213_MIB_IMPL();
server.registerMBean(mib2, mibObjName);
// Bind the SNMP adaptor to the MIB to make the MIB
// accessible through the SNMP protocol adaptor.
//
snmpAdaptor.addMib(mib2, "TEST-CONTEXT");
// Create a LinkTrapGenerator.
// Specify the ifIndex to use in the object name.
//
String trapGeneratorClass = "LinkTrapGenerator";
int ifIndex = 1;
trapGeneratorObjName = new ObjectName("trapGenerator" +
":class=LinkTrapGenerator,ifIndex=" + ifIndex);
Trace.send(Trace.LEVEL_TRACE, Trace.INFO_MISC, "Agent", "main",
"Adding LinkTrapGenerator to MBean server with name \n\t"+
trapGeneratorObjName);
LinkTrapGenerator trapGenerator =
new LinkTrapGenerator(nbTraps);
server.registerMBean(trapGenerator, trapGeneratorObjName);
println("\n>> Press Enter if you want to start sending traps."+
" SNMP V1 and SNMP V3 traps will be sent.");
println(" -or-");
println(">> Press Ctrl-C if you want to stop this agent.");
java.lang.System.in.read();
trapGenerator.start();
} catch (Exception e) {
e.printStackTrace();
}
}
}
|
|