Configure SNMP4J Agent for DTLS

Hi,

Is there any tutorial/example on enabling DTLS for the SNMP4J Agent? I’m using SNMP4J 3.4.0 and SNMP4J-Agent 3.3.2.
I found this page, but seems like it does not cover the agent part:
How to configure SNMP4J for TLS usage?

Thanks

The SampleAgent.java sample agent contains sample code for the command responder (agent) side. The quoted documentation refers to command responders too.
Basically for the SampleAgent, you only need to provide the trust and key stores as well as the local ID identifying the key from the supplied key-store that will be used by the agent:

-Dorg.snmp4j.arg.tlsLocalID=<your-key-alias> -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trust-store.jks -Djavax.net.ssl.trustStorePassword=<trust-pwd> -Djavax.net.ssl.keyStore=key-store.jks -Djavax.net.ssl.keyStorePassword=<key-pwd>

Hope this helps.

Thank you Frank for your help. Seems like the DTLS is working now by setting those values as well as some extra changes to the Agent like defining peer fingerprint & security name mapping in SnmpTlsTmMib etc. Regardless of the Agent configuration (right or wrong), I’m currently noticing the following message in Agent log:

INFO Dispatching message canceled due to security issue: statusInfo=1.3.6.1.6.3.11.2.1.3.0 = 4, status=-1415

I assume this is the reason no response is sent back to the client for a simple GET command. It seems a contextEngineID must be defined for that PDU type somewhere, somehow, but I could not find how.
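As an added example (not code from this thread or from the SNMP4J project), here is a JDK-only preflight that ties the two configuration steps mentioned above together: it reads the same javax.net.ssl.* and org.snmp4j.arg.tlsLocalID properties the earlier command line sets, confirms that the tlsLocalID alias really is a private-key entry in the key store, and prints the agent certificate's fingerprint in the SnmpTLSFingerprint form of RFC 6353 (one leading octet naming the hash algorithm from the IANA TLS HashAlgorithm registry, 4 for SHA-256, followed by the digest of the DER certificate), which is the value a peer's fingerprint-to-security-name mapping has to carry. The class name and the default file name are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Hypothetical preflight for a DTLS-enabled SNMP4J agent (added example, not SNMP4J code).
// Run it with the same -D properties as the agent, e.g.
//   java -Dorg.snmp4j.arg.tlsLocalID=<alias> -Djavax.net.ssl.keyStore=key-store.jks \
//        -Djavax.net.ssl.keyStorePassword=<pwd> DtlsKeyStorePreflight
public class DtlsKeyStorePreflight {

    /**
     * Builds the RFC 6353 SnmpTLSFingerprint of a certificate using SHA-256:
     * first octet 0x04 (sha256 in the IANA TLS HashAlgorithm registry),
     * then the SHA-256 digest of the DER encoding, rendered as "04:AB:CD:...".
     */
    static String tlsFingerprintSha256(Certificate cert) throws Exception {
        byte[] der = cert.getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder("04");
        for (byte b : digest) {
            sb.append(String.format(":%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Same property names the agent command line uses; file name default is an assumption.
        String ksPath = System.getProperty("javax.net.ssl.keyStore", "key-store.jks");
        String ksPwd = System.getProperty("javax.net.ssl.keyStorePassword", "");
        String alias = System.getProperty("org.snmp4j.arg.tlsLocalID");
        if (alias == null) {
            throw new IllegalStateException(
                "org.snmp4j.arg.tlsLocalID is not set: the agent has no identity to present");
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPwd.toCharArray());
        }
        // The local ID must name a key entry (private key + certificate), not a plain trusted cert.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(
                "alias '" + alias + "' is not a private key entry in " + ksPath);
        }

        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity(); // an expired or not-yet-valid certificate makes the DTLS handshake fail
        System.out.println("agent identity : " + cert.getSubjectX500Principal());
        System.out.println("fingerprint    : " + tlsFingerprintSha256(cert));
    }
}
```

The printed fingerprint is what the manager side (or the agent's own cert-to-security-name table, for client certificates) compares against; generating it from the key store rather than copying it by hand avoids the most common mismatch, a fingerprint computed over the PEM text instead of the DER bytes.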

The contextEngineID discovery needed for (D)TLS transport is described in RFC 5343 (https://www.rfc-editor.org/rfc/rfc5343.txt). Your client should use this mechanism to look up the contextEngineID of the SNMP4J-Agent.

Hope this helps.

Hi,
I’m using the snmpget CLI tool from the net-snmp package to test this. I think engine ID discovery is implemented in this tool. When I run and debug the agent code after sending the request, I notice that a GET PDU with OID 1.3.6.1.6.3.10.2.1.1.0 is received by the agent, which I assume is the client trying to discover the contextEngineID, but this flow fails because the OID cannot be fetched from the Agent’s MOServer (the query does not find a match, or there is an access problem, etc.).
I’m lost here and not sure whether I need to put some configuration somewhere else.

Have you created the USM security model and provided it to the SnmpFrameworkMIB constructor?

It might be a bit surprising that having a USM is required if you want to run (D)TLS only.
Yes, that is not optimal and I will change it. That is a dependency that is there because of the SNMPv3 history, but it is not really necessary. This will be fixed in SNMP4J-Agent 3.3.6.

But there might be another problem too. It would be helpful if you posted the DEBUG log of the agent here, with the lines where the error is generated…
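To show concretely what the question above asks for, here is an added example (my own code, not SNMP4J project code) of the minimal wiring for a hand-built, DTLS-only agent: the USM is still constructed and handed to the SnmpFrameworkMIB constructor even though no USM user is ever added, the TSM is registered as the security model that actually authenticates DTLS peers, and the framework MIB is registered on the MOServer so that snmpEngineID.0 (1.3.6.1.6.3.10.2.1.1.0) can be served. The constructor signatures used (DTLSTM(UdpAddress), USM(SecurityProtocols, OctetString, int), TSM(OctetString, boolean), SnmpFrameworkMIB(USM, Collection)) are taken from the SNMP4J 3.x API as I know it and should be checked against the version in use; the listen port 10161 and the class name are assumptions. VACM views, the CommandProcessor and the agent's own managed objects are outside what this example demonstrates.

```java
import java.io.IOException;

import org.snmp4j.MessageDispatcher;
import org.snmp4j.MessageDispatcherImpl;
import org.snmp4j.agent.DefaultMOServer;
import org.snmp4j.agent.DuplicateRegistrationException;
import org.snmp4j.agent.MOServer;
import org.snmp4j.agent.mo.snmp.SnmpFrameworkMIB;
import org.snmp4j.mp.MPv3;
import org.snmp4j.security.SecurityModels;
import org.snmp4j.security.SecurityProtocols;
import org.snmp4j.security.TSM;
import org.snmp4j.security.USM;
import org.snmp4j.smi.OctetString;
import org.snmp4j.smi.UdpAddress;
import org.snmp4j.transport.DTLSTM;

// Added example of the USM + SnmpFrameworkMIB wiring for a DTLS-only agent (not SNMP4J code).
public class DtlsOnlyFrameworkMib {

    // The agent's own engine ID; MPv3 derives a locally unique value.
    static final OctetString LOCAL_ENGINE_ID = new OctetString(MPv3.createLocalEngineID());

    public static SnmpFrameworkMIB buildFrameworkMib(MOServer server)
            throws IOException, DuplicateRegistrationException {
        // Transport: DTLS over UDP only. Key and trust stores come from the javax.net.ssl.*
        // properties, the presented key from org.snmp4j.arg.tlsLocalID. Port is an assumption.
        MessageDispatcher dispatcher = new MessageDispatcherImpl();
        dispatcher.addTransportMapping(new DTLSTM(new UdpAddress("0.0.0.0/10161")));

        // The USM is created although no USM user will ever be added: SnmpFrameworkMIB takes
        // the local engine ID, boots and time from it to serve the snmpEngine group,
        // including snmpEngineID.0 that an RFC 5343 discovery GET asks for.
        USM usm = new USM(SecurityProtocols.getInstance(), LOCAL_ENGINE_ID, 0);
        SecurityModels.getInstance().addSecurityModel(usm);

        // The Transport Security Model (RFC 6353) is what authenticates DTLS peers;
        // 'false' = do not require the "tls:"/"dtls:" prefix on security names.
        SecurityModels.getInstance().addSecurityModel(new TSM(LOCAL_ENGINE_ID, false));

        SnmpFrameworkMIB frameworkMIB =
            new SnmpFrameworkMIB(usm, dispatcher.getTransportMappings());
        frameworkMIB.registerMOs(server, null); // null context = register for all contexts
        return frameworkMIB;
    }

    public static void main(String[] args) throws Exception {
        MOServer server = new DefaultMOServer();
        server.addContext(new OctetString()); // the default (empty) context
        buildFrameworkMib(server);
        System.out.println("local engine ID = " + LOCAL_ENGINE_ID.toHexString());
    }
}
```

If the framework MIB is never registered, or the USM handed to it is not the one the MPv3 dispatcher uses, the discovery GET for snmpEngineID.0 has nothing to hit in the MOServer, which matches the "no match / access problem" symptom described earlier in the thread; the VACM view must additionally grant the mapped security name read access to that OID.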

Hi, I’ll need to check the details and get back to you. Thanks.