Getting Started with the Java Dynamic Management Kit 4.2

Data Encryption

The last link in the security chain is the integrity of the data exchanged between agents and managers. Two issues need to be considered simultaneously:

These issues are usually resolved by a combination of electronic signatures and data encryption. Again, the implementation is protocol-dependent.

SNMP Encoding

SNMP requests follow standardized encoding rules for translating management operations into data packets. At the communication level, an SNMP request is represented by an array of bytes in a UDP packet. The SNMP components in the Java Dynamic Management Kit provide access to the byte encoding of these packets.

Your applications may customize the encoding and decoding of SNMP requests:

To implement a secure SNMP management solution, you need to coordinate the security policy between the encoding done by the manager and the decoding done by the agent. However, the agent may filter SNMP requests unilaterally, so that it can accept requests from unknown managers and still reject unauthorized operations.

HTTP/SSL

The HTTPS connector enables Java managers to access a Java Dynamic Management agent using HTTP over SSL (Secure Sockets Layer). SSL security is implemented in the Java 2 platform. The HTTP/SSL connector provides identity authentication based on 'CRAM-MD5' (Challenge-Response Authentication Mechanism using MD5). The HTTPS connector server requires client identification by default.
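The challenge-response mechanism named above, as an added example that is not Java Dynamic Management Kit code: it shows the general CRAM-MD5 computation (HMAC-MD5 over a server-issued challenge, as defined in RFC 2195) using standard JDK classes only. The class name, login, shared secret and host name are constructed for illustration, and the connector's own message format is an assumption not covered by this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CramMd5Example {
    // Server side: issue a fresh, unpredictable challenge for every attempt,
    // so that a captured response cannot be replayed later.
    static String newChallenge(String host) {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        return "<" + toHex(nonce) + "." + System.currentTimeMillis() + "@" + host + ">";
    }

    // Client side: HMAC-MD5 keyed with the shared secret over the challenge,
    // returned as "<login> <hex digest>". The secret itself is never sent.
    static String respond(String login, String secret, String challenge)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacMD5"));
        return login + " " + toHex(mac.doFinal(challenge.getBytes(StandardCharsets.UTF_8)));
    }

    // Server side: recompute the expected response and compare without
    // stopping at the first differing byte.
    static boolean verify(String response, String login, String secret, String challenge)
            throws GeneralSecurityException {
        byte[] expected = respond(login, secret, challenge).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, response.getBytes(StandardCharsets.UTF_8));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values (hypothetical login, secret and host).
        String user = "manager1", key = "s3cret-shared-key", host = "agent.example.com";
        String challenge = newChallenge(host);
        String good = respond(user, key, challenge);
        String bad = respond(user, "wrong-guess", challenge);
        System.out.println("valid response accepted:    " + verify(good, user, key, challenge));
        System.out.println("invalid response accepted:  " + verify(bad, user, key, challenge));
        // A response computed for one challenge is checked against a new one.
        System.out.println("replayed response accepted: " + verify(good, user, key, newChallenge(host)));
    }
}
```

CRAM-MD5 authenticates the peer but does not encrypt the session, which is why the connector pairs it with SSL for data protection.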

The behavior of the HTTP/SSL connector is governed by the particular SSL implementation used in your applications. For data encryption, the default cipher suites of the SSL implementation are used. The SSL implementation must be compliant with the SSL Standard Extension API.

The Java Dynamic Management Kit is compliant with the Java Secure Socket Extension 1.0 (JSSE) API. JSSE provides an API framework and reference implementation for security protocols.