Java Dynamic Management Kit 5.0 Tutorial

Enabling Privacy in SNMPv3 Agents

As shown in the example security files given in SNMPv3 USM Configuration, you can protect the communication between your SNMPv3 entities by enabling encryption, otherwise known as privacy.

The privacy algorithms used by SNMPv3 are the data encryption standard (DES) protocol from the Java Cryptography Extension (JCE) from the Java Development Kit (JDK) 1.4, as well as the secure hash algorithm (SHA) and message digest 5 (MD5) encryption protocols provided since JDK 1.2.

To run an SNMP entity with privacy enabled, you must configure both the entity itself and its corresponding security file. The following example shows the code for an SNMPv3 agent with privacy enabled, called AgentEncryptV3. This example is found in the examplesDir/Snmp/Agent directory.


Example 20–5 AgentEncryptV3 Agent with Privacy Enabled

public class AgentEncryptV3 {

    static SnmpV3AdaptorServer snmpAdaptor = null;

    private static int nbTraps = -1;

    public static void main(String args[]) {

        final MBeanServer server;
        final ObjectName htmlObjName;
        final ObjectName snmpObjName;
        final ObjectName mibObjName;
        final ObjectName trapGeneratorObjName;
        int htmlPort = 8082;
        int snmpPort = 161;

        // The try block is closed by the catch clause at the end of main.
        try {
            // Parse the number of traps to be sent.

            [...]

            // Initialize trace property.

            [...]

            // SNMP specific code:

            // Set up encryption.

            // First create parameters.
            SnmpEngineParameters parameters = new SnmpEngineParameters();

            // Then activate encryption.
            parameters.activateEncryption();

            // Create the SNMPv3 adaptor and pass it the parameters.
            snmpAdaptor = new SnmpV3AdaptorServer(parameters,
                                                  null,
                                                  null,
                                                  snmpPort,
                                                  null);

            // Register the SNMP adaptor in the MBean server.
            //
            server.registerMBean(snmpAdaptor, snmpObjName);

            // Register the USM MIB.
            snmpAdaptor.registerUsmMib(server, null);

            // Start the adaptor.
            snmpAdaptor.start();

            // Send a coldStart SNMP trap.
            // Use port = snmpPort+1.
            //
            print("NOTE: Sending a coldStart SNMP trap to each " +
                  "destination defined in the ACL file...");

            snmpAdaptor.setTrapPort(new Integer(snmpPort+1));
            snmpAdaptor.snmpV1Trap(0, 0, null);
            println("Done.");

            // Create the MIB II (RFC 1213) and add it to the MBean server.
            //
            mibObjName = new ObjectName("snmp:class=RFC1213_MIB");
            Trace.send(Trace.LEVEL_TRACE, Trace.INFO_MISC, "Agent", "main",
                       "Adding RFC1213-MIB to MBean server with name \n\t" +
                       mibObjName);

            // Create an instance of the customized MIB.
            //
            RFC1213_MIB mib2 = new RFC1213_MIB_IMPL();
            server.registerMBean(mib2, mibObjName);

            // Bind the SNMP adaptor to the MIB to make the MIB
            // accessible through the SNMP protocol adaptor.
            //
            snmpAdaptor.addMib(mib2, "TEST-CONTEXT");

            // Create a LinkTrapGenerator.
            // Specify the ifIndex to use in the object name.
            //
            String trapGeneratorClass = "LinkTrapGenerator";
            int ifIndex = 1;
            trapGeneratorObjName = new ObjectName("trapGenerator" +
                            ":class=LinkTrapGenerator,ifIndex=" + ifIndex);
            Trace.send(Trace.LEVEL_TRACE, Trace.INFO_MISC, "Agent", "main",
                       "Adding LinkTrapGenerator to MBean server with name \n\t" +
                       trapGeneratorObjName);
            LinkTrapGenerator trapGenerator =
                new LinkTrapGenerator(nbTraps);
            server.registerMBean(trapGenerator, trapGeneratorObjName);

            println("\n>> Press Enter if you want to start sending traps." +
                    " SNMP V1 and SNMP V3 traps will be sent.");
            println("   -or-");
            println(">> Press Ctrl-C if you want to stop this agent.");
            java.lang.System.in.read();

            trapGenerator.start();

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}

By default, a Java DMK 5.0 agent handles requests that are authenticated, but not encrypted. To activate encryption, you need to set certain parameters when you instantiate the SNMP engine. As shown in Example 20–5, these parameters are passed to the engine using the SnmpEngineParameters class: the agent creates an SnmpEngineParameters object, calls its activateEncryption method, and then passes the object to the SnmpV3AdaptorServer constructor.

The AgentEncryptV3 application then continues with the registration of the SNMP adaptor server in the MBean server, binding the MIBs and calling LinkTrapGenerator in the same way as any other agent.

As well as the agent itself, you must also configure the security file associated with that agent. Example 20–6 shows the security file associated with AgentEncryptV3.


Example 20–6 Agent jdmkencrypt.security File

#Local engine Id. Will be read by the agent to configure the engine.
localEngineID=0x8000002a05819dcb6e00001f95
#Number of boots. Will be read by the agent to configure the engine.
localEngineBoots=0

#defaultUser configuration. Authentication and encryption.
userEntry=localEngineID,defaultUser,null,usmHMACMD5AuthProtocol,mypasswd,usmDESPrivProtocol,mypasswd,3,

In this file, you can see that the DES privacy protocol is specified.
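The following checker, added here as an illustration and not part of the Java DMK distribution, parses a jdmkencrypt.security file in the format of Example 20–6 and reports every userEntry that has no privacy protocol, that is, a user whose traffic would be authenticated but not encrypted (the Java DMK default). The field names given to the comma-separated userEntry values are an interpretation of the example line, not names taken from the page; the second user in the sample is constructed to show the auth-only case.

```python
import re

# Field layout of a userEntry line, as read off the example in
# jdmkencrypt.security (assumed interpretation; the page does not name them).
USER_FIELDS = ("engineId", "userName", "securityName", "authProtocol",
               "authPassword", "privProtocol", "privPassword", "storageType")

# Constructed sample: the defaultUser entry copied from Example 20-6 plus
# one constructed auth-only user (privacy protocol and password set to null).
SAMPLE = """\
#Local engine Id. Will be read by the agent to configure the engine.
localEngineID=0x8000002a05819dcb6e00001f95
#Number of boots. Will be read by the agent to configure the engine.
localEngineBoots=0

#defaultUser configuration. Authentication and encryption.
userEntry=localEngineID,defaultUser,null,usmHMACMD5AuthProtocol,mypasswd,usmDESPrivProtocol,mypasswd,3,
#Constructed auth-only user: no privacy protocol.
userEntry=localEngineID,readOnly,null,usmHMACMD5AuthProtocol,otherpasswd,null,null,3,
"""

def parse_security_file(text):
    """Return (engine, users): engine key/value settings and a list of user dicts."""
    engine, users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        key, _, value = line.partition("=")
        if key == "userEntry":
            parts = [p.strip() for p in value.split(",")]
            user = dict(zip(USER_FIELDS, parts))
            # "null" marks an absent field; a null privProtocol means no privacy.
            user["privacy"] = user.get("privProtocol", "null") != "null"
            users.append(user)
        else:
            engine[key] = value
    return engine, users

def audit(text):
    """Flag a malformed localEngineID and every user that is not encrypted."""
    engine, users = parse_security_file(text)
    findings = []
    engine_id = engine.get("localEngineID", "")
    if not re.fullmatch(r"0x[0-9a-fA-F]+", engine_id):
        findings.append("localEngineID is not a 0x-prefixed hex string")
    for user in users:
        if not user["privacy"]:
            findings.append("user %s: authentication only, traffic not encrypted"
                            % user["userName"])
    return findings
```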

To Run the AgentEncryptV3 Example
  1. If you have not already done so, build and compile the AgentEncryptV3 example in examplesDir/Snmp/Agent.

    Type the following commands:


    $ mibgen -d . mib_II.txt
    $ javac -classpath classpath -d . *.java
    
  2. Start the AgentEncryptV3 agent, passing it its associated security file, jdmkencrypt.security.


    $ java -classpath classpath -Djdmk.security.file=./jdmkencrypt.security AgentEncryptV3
    
  3. Press Enter to start sending traps.


    NOTE: Sending a linkDown SNMP trap for the Interface 1 to each 
    destination defined in the ACL file...Done.
    NOTE: Sending a linkDown SNMP trap for the Interface 1 to each 
    destination defined in the ACL file...Done.
    
  4. Press Control-C to stop the agent.