Java Dynamic Management Kit 5.0 Tutorial

Configuring SNMPv3 Security for Agents

Before you run the SNMPv3 agent examples, you require some information about how SNMPv3 security is configured. Below are brief descriptions of the SNMPv3 security files that provide you with the information you need to run the SNMPv3 examples in this chapter. Full descriptions of the SNMPv3 security mechanisms are given in SNMPv3 User-Based Security Model.

The SNMPv3 security mechanisms are defined in two text files:

The files used by the SNMPv3 agent examples are provided in the examplesDir/Snmp/Agent directory. These files are used by the examples in the subsequent sections of this chapter.


Example 18–3 A jdmk.security File for an SNMPv3 Agent

The jdmk.security file identifies the SNMP engine, the authorized user, and the security settings for the SNMPv3 session:

#Local engine ID
localEngineID=0x8000002a05819dcb6e00001f95
#Number of boots
localEngineBoots=0

#User and security configuration
userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,mypasswd

The local engine ID and the number of times that engine will boot are read by the agent when it is created.

The authorized users and the security levels for the SNMP session are defined by the userEntry. This particular jdmk.security file defines a user that implements authentication, but not privacy. Consequently, the settings are as follows:

localEngineID

The identifier of the local engine, as specified earlier in the file

defaultUser

The name of the authorized user

usmHMACMD5AuthProtocol

The authentication algorithm; in this case, HMAC MD5

mypasswd

The authentication password
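
A configuration check for the file described above, as an added example that is not part of the original tutorial or of the Java DMK code: it parses userEntry lines in the field order shown in Example 18–3 and reports the settings an operator would want to review before reusing this file outside the tutorial. The function names, the finding texts, and the treatment of any fields after the password as privacy settings are assumptions.

```python
import stat

# userEntry field order as shown in the tutorial (third field is empty there).
# Assumption: any fields after the password carry the privacy settings.
FIELDS = ("engine_id", "user", "security_name", "auth_protocol", "auth_password")
SAMPLE_PASSWORD = "mypasswd"  # the value printed in the tutorial


def parse_user_entries(text):
    """Return one dict per userEntry= line; comments and other keys are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("userEntry="):  # also skips '#' comment lines
            continue
        values = [v.strip() for v in line.split("=", 1)[1].split(",")]
        entry = dict(zip(FIELDS, values + [""] * len(FIELDS)))
        entry["extra"] = [v for v in values[len(FIELDS):] if v]
        entries.append(entry)
    return entries


def audit(text, mode=None):
    """Return (user, finding) tuples; mode is the file's st_mode when known."""
    findings = []
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("*", "cleartext passwords in a file accessible to group/other"))
    for e in parse_user_entries(text):
        user = e["user"]
        if e["auth_protocol"] == "usmHMACMD5AuthProtocol":
            findings.append((user, "HMAC-MD5 authentication (legacy algorithm)"))
        elif not e["auth_protocol"]:
            findings.append((user, "no authentication protocol set"))
        if not e["extra"]:
            findings.append((user, "no privacy settings: SNMP payloads are sent unencrypted"))
        if e["auth_password"] == SAMPLE_PASSWORD:
            findings.append((user, "password is the tutorial's sample value"))
        elif len(e["auth_password"]) < 8:  # RFC 3414 minimum password length
            findings.append((user, "password shorter than 8 characters"))
    return findings


# Constructed input: abridged copy of the jdmk.security file in Example 18-3.
SAMPLE = """localEngineID=0x8000002a05819dcb6e00001f95
#User and security configuration
userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,mypasswd
"""

if __name__ == "__main__":
    print(*audit(SAMPLE, mode=0o100644), sep="\n")
```

For a file on disk, pass `os.stat(path).st_mode` as `mode` so the permission check applies to the real file.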


Note –

User-based access control is not used by the examples in this chapter, so we do not examine the jdmk.uacl file here. See Chapter 20, Security Mechanisms in the SNMP Toolkit to find out how to implement user-based access control.


To Run the SNMPv3 AgentV3 Example
  1. After building the example as described in MIB Development Process, start the simple SNMPv3 agent with the following command:

    You have to direct the AgentV3 example to its security file to run it.


    $ java -classpath classpath -Djdmk.security.file=./jdmk.security \
        AgentV3 nbTraps
    

    Set nbTraps to zero.

    You should see some initialization messages, including our notification listener giving information about the two table entries that are created. Access this agent's HTML adaptor by pointing a web browser to the following URL: http://localhost:8082/.

  2. Through the HTML adaptor, you can see the MBeans representing the MIB:

    • The SNMP_USER_BASED_SM_MIB domain contains information pertaining to the user-based security model implemented; see "Security Mechanisms in the SNMP Toolkit" for details of how to implement SNMPv3 user-based security.

    • The class=RFC1213_MIB MBean in the snmp domain is the MBean representing the MIB; it contains a name and information about the SNMP adaptor to which the MIB is bound

    • The RFC1213_MIB domain contains the MBeans for each group; both name=Snmp and name=System contain variables with values provided by our customizations

    • The ifTable domain contains the entries of the Interfaces table

    • The trapGenerator domain contains the class that sends traps periodically, as part of our sample MIB implementation

  3. In any of these MBeans, you can write new values into the text fields of exposed attributes and click the “Apply” button.

    This sets the corresponding SNMP variable, and thereafter, SNMP managers see the new value. This is an example of managing a MIB through a protocol other than SNMP.

    For any SNMP agent application, you can turn on trace messages for the SNMP adaptor by specifying the -DINFO_ADAPTOR_SNMP property on the command line. The tracing mechanism is covered in the Java Dynamic Management Kit 5.0 Tools Reference guide and in the Javadoc API of the com.sun.jdmk.TraceManager class (for receiving traces) and the com.sun.jdmk.trace.Trace class (for producing traces).

  4. Press Control-C when you have finished viewing the agent.