19.3.6 Creating Users for SNMPv3 USM MIBs
The SNMPv3 USM implemented in Java DMK 5.1 enables you to create users remotely in an SNMPv3 agent by accessing a MIB that has been registered in the SNMPv3 adaptor server. By default, the USM MIB is not registered in the adaptor server. You can register a MIB in the adaptor server by calling registerUsmMib.
$ snmpV3AdaptorServer.registerUsmMib() |
Caution – You can use registerUsmMib to register your MIB in the MBean server, making it available via the HTML server. This can be useful for debugging purposes, but this can also represent a security breach.
The CreateUsmMibUser example in the examplesDir/current/Snmp/UsmMib directory is a tool that uses the SNMPv3 manager API to instantiate a new user in an agent USM MIB. CreateUsmMibUser performs authenticated and encrypted communication with the agent Agent, which is found in the same directory.
The complete code for the CreateUsmMibUser example is too long to show here, but the process that it goes through to create new users remotely can be summarized as follows:
-
The CreateUsmMibUser class uses a user template, called defaultUser, to bootstrap the remote configuration of the USM MIB. Because defaultUser is a template, it does not appear in the USM MIB, and therefore it is not visible to remote managers. CreateUsmMibUser knows of defaultUser because it is present in its configuration file, manager.security, as shown in the following example.
Example 19–9 manager.security File for the CreateUsmMibUser Example
localEngineID=0x8000002a05000000ec6c315f54 localEngineBoots=0 # User to create remotely in the agent. userEntry=0x000000000000000000000002,myNewUser, myNewUser,usmHMACMD5AuthProtocol,newsyrup, usmDESPrivProtocol,newsyrup # Template user to be used by the manager userEntry=0x000000000000000000000002,defaultUser,, usmHMACMD5AuthProtocol,maplesyrup,usmDESPrivProtocol, maplesyrup
CreateUsmMibUser uses the defaultUser template to send an initial secure configuration request to create a new user, called myNewUser in this example. The newly created user will be a normal user, and will thus appear in the USM MIB.
-
CreateUsmMibUser implements the key-change mechanism defined in SNMP RFC 2574. This enables you to allocate new keys to the newly created users. Calling getUsmKeyHandler enables you to compute key localization and delta generation. An instance of SnmpUsmKeyHandler is associated to each SNMP engine object. When one of the standard authentication algorithms is used when computing the key. Because the CreateUsmMibUser example operates with authentication activated, the new peer agent has to perform timeliness checks on the incoming requests for the creation of new users. If proven timely, the request for a new user is granted and the creation process proceeds. Otherwise, the request is rejected.
-
Once the request has been accepted and the data provided by the user has been parsed and processed, the CreateUsmMibUser clones a new userEntry in the agent's jdmk.security file. The cloned entry is based on the defaultUser template entry, with the new information provided by the user added using the cloneFromUser variables.
-
In the CreateUsmMibUser example, the new user myNewUser is remotely granted access to the agent Agent. The agent's initial security configuration is set in the jdmk.security file for Agent, which is found in the examplesDir/current/Snmp/UsmMib directory, as shown below.
Example 19–10 jdmk.securityFile for Agent in the CreateUsmMibUser Example
localEngineID=0x000000000000000000000002 localEngineBoots=0 userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol, maplesyrup,usmDESPrivProtocol,maplesyrup,3,true
As you can see, the jdmk.security file currently only allows the defaultUser template to access the agent. The CreateUsmMibUser class will remotely add an extra row to this file to allow myNewUser to access the agent too.
To Run the CreateUsmMibUser Example
-
If you have not already done so, build and compile the examples in examplesDir/current/Snmp/UsmMib.
Type the following commands:
$ javac -classpath classpath -d . *.java
-
Make sure that no other agents are running in examplesDir/current/Snmp/UsmMib, and start Agent.
$ java -classpath classpath -Djdmk.security.file=jdmk.security Agent
Note –The jdmk.security file must be writable if CreateUsmMibUser is to be able to add new user entries.
-
In another window, start the CreateUsmMibUser example.
When starting CreateUsmMibUser, you must point it to the manager.security configuration file, and specify the user name, the security level, the agent's host name and the port on which the agent is running. In this example, the security level is authentication and privacy enabled, and the agent is running on the local host.
$ java -classpath classpath -Djdmk.security.file=manager.security CreateUsmMibUser defaultUser noAuthNoPriv localhost 8085
You will see the following output:
Initializing creator. Ready for new user inputs.
-
When prompted, provide the configuration information for your new user.
The information you provide must correspond to users that you have already configured into your manager's security file. In this example, we are remotely adding the user myNewUser that is defined in manager.security to the agent Agent. You therefore provide the following information, all of which is found in the manager.security file. You can enter any value for the auth key random and the priv key random.
Type the engine Id :0x000000000000000000000002 Type the new user name :myNewUser Type the clone from user name :defaultUser Type the security level :authPriv Type the old priv password :maplesyrup Type the new priv password :newsyrup Type the priv key random :00000000000000000000000000000000 Type the auth protocol :usmHMACMD5AuthProtocol Type the old auth password :maplesyrup Type the new auth password :newsyrup Type the auth key random :00000000000000000000000000000000
You will see the following output:
********** Input summary ************ * Engine Id : 0x000000000000000000000002 * New user name : myNewUser * Clone from : defaultUser * Security level : authPriv * Old priv password : maplesyrup * New priv password : newsyrup * Priv key random : 00000000000000000000000000000000 * Auth protocol : usmHMACMD5AuthProtocol * Old auth password : maplesyrup * New auth password : newsyrup * Auth key random : 00000000000000000000000000000000 Do you agree (yes, no) [yes]: -
Press Enter to confirm your inputs.
You should see the following confirmation:
***** New user [myNewUser] created. ***** Doing Priv key change ***** Priv key change DONE. ***** Doing Auth key change ***** Auth key change DONE. ***** Setting row status to active. ***** Setting row status to active DONE. ***** SUCCESSFULLY CREATED NEW ROW IN AGENT FOR USER : [myNewUser]***** Send sanity check? Your manager.security file MUST contain the currently created user (press return to do it, "no" to skip):
-
Press Enter to perform the sanity check.
You should see the following confirmation:
SANITY CHECK SUCCESSFUL, SPIN LOCK VALUE IS: 5 Ready for new user inputs. Type the engine Id (return to accept) [0x000000000000000000000002]:
You are then invited to provide configuration information for any other users you want to allow to access Agent.
-
Check that the new user has been granted access to the agent by looking at the agent's jdmk.security file.
You should see a new userEntry for the new user in the jdmk.security file.
Example 19–11 jdmk.security for Agent File after Running CreateUsmMibUser
localEngineID=0x000000000000000000000002 localEngineBoots=7 userEntry=0x000000000000000000000002,myNewUser,myNewUser, usmHMACMD5AuthProtocol,0x87021D7BD9D101BA05EA6E3BF9D9BD4A, usmDESPrivProtocol,0x87021D7BD9D101BA05EA6E3BF9D9BD4A,3, userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,maplesyrup, usmDESPrivProtocol,maplesyrup,3,true
-
When you have added all your new users, press Control C in both windows to stop both Agent and CreateUsmMibUser
- © 2010, Oracle Corporation and/or its affiliates