SNMPv3 GET ok but have "Authorization error" for SET

Hi Frank,

Hope you are well. I implemented SNMPv3 GET using snmp4j, but the same SNMP initialization, usmUser, and userTarget had no success for SNMPv3 SET. Here are my error messages:

    ErrorStatusText:Authorization error
    ErrorIndex:0
    ErrorStatus:16

Based on what I found online, it seemed that the SNMP manager might not have the same priv/auth level or passphrase as the SNMP agent. However, I’ve tried to initialize the SNMP request before every SET request to ensure the SNMP communication settings are the same. Don’t know if I am missing something?

Here is my code snippets:

    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;

    import org.slf4j.Logger;            // logging facade assumed to be SLF4J
    import org.slf4j.LoggerFactory;
    import org.snmp4j.*;
    import org.snmp4j.event.ResponseEvent;
    import org.snmp4j.event.ResponseListener;
    import org.snmp4j.mp.MPv3;
    import org.snmp4j.mp.SnmpConstants;
    import org.snmp4j.security.*;
    import org.snmp4j.smi.*;
    import org.snmp4j.transport.DefaultUdpTransportMapping;

    public class OIDEntryV3 {

        // snmpV3 preset: user name, password, delay... etc
        public static int    pduOutlet_num    = 8;
        public static String securityName     = "V3user1";
        public static String authPassphrase   = "HelloWorld";
        public static String privPassphrase   = "Qwert12345";
        public static String single_oid       = "00000";
        public static String setNum           = "3";
        public static int    requestDelay     = 3;
        public static int    delayOn          = 1;
        public static int    delayOff         = 2;
        public static String init_contextName = "OHHHYeah";

        public UsmUser usmUser = new UsmUser(new OctetString(securityName),
                AuthMD5.ID, new OctetString(authPassphrase),
                PrivDES.ID, new OctetString(privPassphrase));

        public Snmp snmp;
        public USM usm;
        public static Target<Address> userTarget = new UserTarget<>();

        private static boolean snmpv3SetCommSetup = false;
        private static boolean snmpv3GetCommSetup = false;

        private String   udpAddressInfo;
        private int      timeIndex = requestDelay;
        private String   contextName = init_contextName;
        private String[] oids;

        private ScopedPDU setScopedPDU, getScopedPDU;
        private int attempt_num = 1; // how many times the for loop does snmpV3 comm

        private String getVal;

        private static Logger logger = LoggerFactory.getLogger(OIDEntryV3.class);

        // constructor of OIDEntryV3 input
        public OIDEntryV3(String udpAddressInfo, int timeIndex, String contextName, String... oids)
        {
            this.udpAddressInfo = udpAddressInfo;
            this.timeIndex      = timeIndex;
            this.contextName    = contextName;
            this.oids           = oids;
        }

        public OIDEntryV3(String udpAddressInfo, String... oids)
        {
            this.udpAddressInfo = udpAddressInfo;
            this.oids           = oids;
        }

        // initialize SNMPV3 communication
        public void initSnmpV3() throws IOException {
            snmp = new Snmp();
            snmp.getMessageDispatcher().addCommandResponder(new CommandResponder() {
                @Override
                public <A extends Address> void processPdu(CommandResponderEvent<A> commandResponderEvent) {

                }
            });
            // Very important to add snmp as command responder which will finally process the PDU:
            snmp.getMessageDispatcher().addCommandResponder(snmp);

            snmp.addTransportMapping(new DefaultUdpTransportMapping(new UdpAddress(0)));
            snmp.getMessageDispatcher().addMessageProcessingModel(new MPv3());

            SecurityProtocols.getInstance().addAuthenticationProtocol(new AuthMD5());
            SecurityProtocols.getInstance().addAuthenticationProtocol(new AuthSHA());

            SecurityProtocols.getInstance().addPrivacyProtocol(new PrivDES());
            SecurityProtocols.getInstance().addPrivacyProtocol(new Priv3DES());
            SecurityProtocols.getInstance().addPrivacyProtocol(new PrivAES128());
            SecurityProtocols.getInstance().addPrivacyProtocol(new PrivAES192());
            SecurityProtocols.getInstance().addPrivacyProtocol(new PrivAES256());

            OctetString localEngineID = new OctetString(MPv3.createLocalEngineID());
            usm = new USM(SecurityProtocols.getInstance(), localEngineID, 0);

            snmp.getMessageDispatcher().addMessageProcessingModel(new MPv3(usm.getLocalEngineID().getValue()));

            snmp.listen();

            usm.addUser(usmUser);

            Address targetAddress = GenericAddress.parse(udpAddressInfo);
            userTarget.setAddress(targetAddress);
            userTarget.setVersion(SnmpConstants.version3);
            userTarget.setSecurityLevel(SecurityLevel.AUTH_PRIV);
            userTarget.setSecurityName(usmUser.getSecurityName());

            userTarget.setRetries(3);
            userTarget.setTimeout(500);
        }

        // SCOPED PDU for SNMP GET
        public ScopedPDU getScopedPDU() {
            List<VariableBinding> oidList = new ArrayList<>(oids.length);

            // only need to assign ScopedPDU once
            if (getScopedPDU == null) {
                getScopedPDU = new ScopedPDU();

                for (String objectID : oids) {
                    oidList.add(new VariableBinding(new OID(objectID)));
                }

                getScopedPDU.addAll(oidList);
                getScopedPDU.setType(PDU.GET);
            }

            return getScopedPDU;
        }

        // ScopedPDU for snmpV3 SET
        public ScopedPDU setScopedPDU() {
            List<VariableBinding> oidList = new ArrayList<>(oids.length);

            // only need to assign ScopedPDU once
            if (setScopedPDU == null) {
                setScopedPDU = new ScopedPDU();

                for (String objectID : oids) {
                    oidList.add(new VariableBinding(new OID(objectID), new Integer32(timeIndex)));
                }
                setScopedPDU.addAll(oidList);

                // set port name etc...
                setScopedPDU.setContextName(new OctetString(contextName));
                setScopedPDU.setType(PDU.SET);
            }

            return setScopedPDU;
        }

        public String getSnmpV3Req() throws IOException {
            if (!snmpv3GetCommSetup)
            {
                try
                {
                    initSnmpV3();
                    //snmpv3GetCommSetup = true;
                }
                catch (IOException e)
                {
                    System.err.println("SNMPV3 GET initial comm setup fail");
                    throw e;
                }
            }

            // initialize v3 get scopedPDU
            getScopedPDU();

            // A ResponseListener object is created to handle the response from the SNMP agent.
            // The onResponse method is implemented to extract the variable bindings from the response
            // and print the values to the console.

            // attempts for snmpv3 get
            for (int i = 0; i < attempt_num; i++)
            {
                getVal = "Waiting for get value";

                try {
                    //System.out.println("*** for loop i = "+i);

                    ResponseListener responseListener = new ResponseListener()
                    {
                        // The synchronized block is used to ensure that the responseListener object is not notified
                        // before it has finished processing the response.
                        @Override
                        public synchronized <A extends Address> void onResponse(ResponseEvent<A> responseEvent)
                        {
                            // cancel the pending SNMP request that was associated with the ResponseEvent object responseEvent,
                            // and informs the object (this) that was listening for the response that the request has been cancelled
                            snmp.cancel(responseEvent.getRequest(), this);

                            PDU response = responseEvent.getResponse();
                            if (response == null)
                            {
                                // no response PDU: getResponse() is null on error or timeout
                                //getSNMPCommError = true;
                                if (responseEvent.getError() != null)
                                {
                                    System.err.println("Error: " + responseEvent.getError());
                                }
                                else
                                {
                                    System.err.println("Timed out.");
                                }
                            }
                            else
                            {
                                // Process response here: gotta format the output values nicely
                                List<? extends VariableBinding> vBindings = response.getVariableBindings();

                                System.out.println("----- variable Binding = " + vBindings);

                                for (VariableBinding vb : vBindings)
                                {
                                    if (vb.getVariable() != null)
                                    {
                                        getVal = vb.getVariable().toString();
                                        //System.out.println("----- V3 get value = "+vb.getVariable().toString());
                                    }
                                }
                            }
                            notify();
                        }
                    };

                    synchronized (responseListener)
                    {
                        // send snmpv3 get request, using responseListener to catch the response
                        snmp.get(getScopedPDU, userTarget, null, responseListener);

                        System.out.println("~~~ ResponseListener = " + responseListener);

                        try {
                            responseListener.wait(500000);
                        }
                        catch (InterruptedException eee)
                        {
                            eee.printStackTrace();
                        }
                    }
                }
                catch (IOException ioe)
                {
                    ioe.printStackTrace();
                    System.err.println("OIDEntryV3.java: IOException occurred during SNMPv3 GET Communication: " + ioe.getMessage());
                    try { Thread.sleep(2000); }
                    catch (InterruptedException e1)
                    {
                        e1.printStackTrace();
                        System.err.println("OIDEntryV3.java: InterruptedException occurred during SNMPv3 GET Communication: " + e1.getMessage());
                        throw ioe;
                    }
                }
            }

            /*
            if(getSNMPCommError)
            {
                e.printStackTrace();
                throw e;
            }*/

            return getVal;
        }

        // set snmpV3 requests
        public void setSnmpV3Req() throws IOException
        {
            //IOException e = null;
            //setSNMPCommError = false;

            if (!snmpv3SetCommSetup)
            {
                try
                {
                    initSnmpV3();
                    //snmpv3SetCommSetup = true;
                }
                catch (IOException e)
                {
                    System.err.println("SNMPV3 SET initial comm setup fail");
                    throw e;
                }
            }

            // initialize v3 set scopedPDU
            setScopedPDU();

            // attempts for snmpv3 set
            for (int i = 0; i < attempt_num; i++)
            {
                System.out.println("***** setset ");
                try
                {
                    ResponseEvent<Address> responseEvent = snmp.send(setScopedPDU, userTarget);
                    PDU response = responseEvent.getResponse();

                    // getResponse() is null on timeout, so check before reading the bindings
                    if (response != null)
                    {
                        List<? extends VariableBinding> response_msg = response.getVariableBindings();

                        if (response.getErrorStatus() == PDU.noError)
                        {
                            //System.out.println("***** set req = " +response_msg);
                            System.err.println("***** OID command = " + response_msg.get(0).getOid());
                            System.err.println("***** set command time = " + response_msg.get(0).getVariable());
                        }
                        else
                        {
                            System.err.println("ErrorStatusText:" + response.getErrorStatusText());
                            System.err.println("ErrorIndex:" + response.getErrorIndex());
                            System.err.println("ErrorStatus:" + response.getErrorStatus());
                        }
                    }
                }
                catch (IOException ioe)
                {
                    ioe.printStackTrace();
                    System.err.println("OIDEntryV3.java: IOException occurred during SNMPv3 SET Communication: " + ioe.getMessage());
                    try { Thread.sleep(2000); }
                    catch (InterruptedException e1)
                    {
                        e1.printStackTrace();
                        System.err.println("OIDEntryV3.java: InterruptedException occurred during SNMPv3 SET Communication: " + e1.getMessage());
                        throw ioe;
                    }
                }
            }

            /*if(setSNMPCommError)
            {
                catch(IOException e)
                {
                    System.err.println("OIDEntryV3.java: IOException occurred during SNMPv3 SET Communication: " + e.getMessage());
                    throw e;
                }

            }*/
        }

    }

Sorry for the messy code alignments. Looking forward to your suggestions about this matter. Thank you so much!!

Chester

same error message when changing to noAuth and noPriv for snmpv3 comm

This code is working standing alone but doesn’t work after integrating onto our system…

I guess that it is the VACM (view access control model) of the agent that does not allow write operations (SET) with the user (security name) you are using for the SET operation.


The error message for “import org.snmp4j.security.MutableVACM;” is that org.snmp4j.security.MutableVACM can’t be resolved in Eclipse. The coding environment is snmp4j.jar 4.7.3 and Java 17.

Thank you so much for getting back to me, Frank. Hope you had a nice Easter holiday. To add VACM to allow snmpv3 agents to do both SET and GET, I tried to add in:

    Vacm vacm = new Vacm();
    vacm.addGroup(SecurityModel.SECURITY_MODEL_USM, usmUser.getSecurityName(),
            new OctetString("v3group"), StorageType.nonVolatile);
    vacm.addAccess(new OctetString(usmUser.getSecurityName()), new OctetString("v3group"),
            SecurityModel.SECURITY_MODEL_USM, SecurityLevel.AUTH_PRIV,
            MutableVACM.VACM_MATCH_EXACT, null,
            MutableVACM.VACM_MODE_READ_WRITE, null,
            MutableVACM.VACM_MODE_READ_WRITE);

and also add

    snmp.setVacm(vacm);

However, I can’t use VACM because I can’t import “org.snmp4j.security.MutableVACM”. I’m using snmp4j.jar (ver 3.7.4), which is supposed to support VACM. This is where I am at the moment. Don’t know if I’m on the right track? Looking forward to your feedback. Thank you so much.

I am confused by your postings.
The VACM is relevant on the agent side only. That is why the MutableVACM is part of the SNMP4J-Agent API only.
If your SNMP4J manager (command generator) is not able to access the agent (command responder) with a SET request, then you need to fix the VACM configuration of the agent or use the right user credentials (security name, security model, protocols, and keys).
The VACM configuration you posted above will not work in an agent either, because it is inconsistent and does not define valid views and their access rules.


Hi Frank, my apologies for the confusion. Let me clarify what’s going on with more background. I am using snmp4j to control an electronic device from a server, which means I am designing an SNMPv3 manager that sends commands to SET and GET information from that device (v3 agent). The first code snippet I posted was actually working for both snmpv3 SET and GET commands when executed by itself with all parameters set manually (OIDs, privphase, authphase, authprotocol, privprotocol, security name,… etc). That’s why I think my design for this snmpv3 manager is correct and ready to be integrated into our platform.

However, the same code does not work for snmpv3 SET but only works for snmpv3 GET. Moreover, I always get these error messages while doing snmpv3 SET: ErrorStatusText = Authorization error, ErrorIndex:0, ErrorStatus:16.

I’m upgrading snmp communication from v1 to v3 on our platform. Noted that our platform was much older and I’ve changed the build library from snmp4j-1.x.x.jar to snmp4j-3.7.4.jar and upgrading java JDK to JDK17.

The findings now are:

  1. The code works independently by itself which means the VACM on the device side (agent side) is allowing both SET and GET from the server (manager).

  2. I’ve printed all the parameters (auth/priv protocol, auth/priv passphrase, security name, security level,…) to ensure they are correct before sending the v3 SET command. So the auth error would not be from setting mismatches.

Given 1&2, I don’t know why the code design still has the same error messages at the snmpv3 manager side. Am I using the wrong snmp4j.jar file, or what could be the issue?
I can’t find much reference or manual online to construct my code. It would be great to know where I can find any resource about this. Hope this back story helps and looking forward to your comments. Thank you.

Ok, thanks for providing more background information. So the overall setup is now clear.
Still unclear is: Is the SNMPV3 USM SET operation sent by the manager successful or not?

If always not, have you checked the allowed VACM views yet?
Is the used security name included in the write view or not?


the debug log I got until error messages:

---- EatonPDUV3.java: outlet numbers from edgeModules.xml: 2
2023-04-12 16:28:04.011 Timer-1 DEBUG Initialized Salt to f575359faa4e3461.
2023-04-12 16:28:04.024 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG UDP receive buffer size for socket 10.16.101.29/0 is set to: 65536
2023-04-12 16:28:04.025 DefaultUDPTransportMapping_10.16.101.29/53522 INFO Listening on socket 10.16.101.29/53522
2023-04-12 16:28:04.032 Timer-1 DEBUG Firing transport state event: org.snmp4j.transport.TransportStateEvent[source=org.snmp4j.transport.DefaultUdpTransportMapping@1b65b1c9,peerAddress=10.16.101.29/53522,newState=1,cancelled=false,causingException=null]
2023-04-12 16:28:04.041 Timer-1 DEBUG Adding user V3user1 = UsmUser[secName=V3user1,authProtocol=1.3.6.1.6.3.10.1.1.2,authPassphrase={secretSHA256=87:2e:4e:50:ce:99:90:d8:b0:41:33:0c:47:c9:dd:d1:1b:ec:6b:50:3a:e9:38:6a:99:da:85:84:e9:bb:12:c4},privProtocol=1.3.6.1.6.3.10.1.2.2,privPassphrase={secretSHA256=32:7c:11:3e:04:24:9b:c3:e5:12:90:27:ef:91:15:be:41:3a:12:73:8a:6b:31:8b:8b:41:ed:a7:f2:1a:9d:f2},localizationEngineID=null]
2023-04-12 16:28:04.043 Timer-1 DEBUG org.snmp4j.transport.unix.UnixDomainAddress not found in classpath, unix domain address not added to GenericAddress types
----------OIDEntryV3.java initialize snmp
userTarget SNMP Ver: 3 (22)
userTarget SecurityModel: 3 (27)
userTarget SecurityLevel: 3 (27)
userTarget SecurityName: V3user1 (32)
udpAddress: udp:10.6.5.157/161 (30)
usmUser SecurityModel: 3 (24)
usmUser SecurityName: V3user1 (29)
usmUser Auth passphrase: HelloWorld (35)
usmUser AuthenticationProtocol: 1.3.6.1.6.3.10.1.1.2 (52)
usmUser Auth PrivacyProtocol: 1.3.6.1.6.3.10.1.2.2 (50)
usmUser Auth PrivacyPassphrase: Qwert12345 (42)
usmUser LocalizationEngineID: null (34)

***** setset OID command = [1.3.6.1.4.1.534.6.6.7.6.6.1.3.0.1 = 3]
***** SET address: 10.6.5.157/161
***** SET version:3
***** SET security lvl: 3
***** SET security name: V3user1
***** SET retries: 3
***** SET retries: 500
***** SET retries: 3
***** setset
2023-04-12 16:28:04.051 Timer-1 DEBUG RFC3414 §3.1.4.b Outgoing message is not encrypted
2023-04-12 16:28:04.062 Timer-1 DEBUG Adding cache entry: StateReference[msgID=1869171308,pduHandle=PduHandle[687742790],securityEngineID=,securityModel=org.snmp4j.security.USM@60b40a00,securityName=V3user1,securityLevel=1,contextEngineID=,contextName=OHHHYeah,retryMsgIDs=null]
2023-04-12 16:28:04.065 Timer-1 DEBUG Running pending sync request with handle PduHandle[687742790] and retry count left 3
2023-04-12 16:28:04.069 Timer-1 DEBUG Sending message to 10.6.5.157/161 from 10.16.101.29/53522 with length 69: 30:43:02:01:03:30:11:02:04:6f:69:4a:6c:02:03:00:ff:ff:04:01:04:02:01:03:04:10:30:0e:04:00:02:01:00:02:01:00:04:00:04:00:04:00:30:19:04:00:04:08:4f:48:48:48:59:65:61:68:a3:0b:02:01:00:02:01:00:02:01:00:30:00
2023-04-12 16:28:04.069 Timer-1 DEBUG Sending packet to 10.6.5.157/161
2023-04-12 16:28:04.076 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Received message from /10.6.5.157/161 with length 132: 30:81:81:02:01:03:30:11:02:04:6f:69:4a:6c:02:03:00:ff:ff:04:01:00:02:01:03:04:27:30:25:04:15:80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d:02:01:01:02:03:08:02:34:04:00:04:00:04:00:30:40:04:15:80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d:04:08:4f:48:48:48:59:65:61:68:a8:1d:02:01:00:02:01:00:02:01:00:30:12:30:10:06:0a:2b:06:01:06:03:0f:01:01:04:00:41:02:09:22
2023-04-12 16:28:04.078 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG SNMPv3 header decoded: msgId=1869171308, msgMaxSize=65535, msgFlags=00, secModel=3
2023-04-12 16:28:04.079 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Removed cache entry: StateReference[msgID=1869171308,pduHandle=null,securityEngineID=,securityModel=org.snmp4j.security.USM@60b40a00,securityName=V3user1,securityLevel=1,contextEngineID=,contextName=OHHHYeah,retryMsgIDs=null]
2023-04-12 16:28:04.081 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG RFC3412 §7.2.10 - Received PDU (msgID=1869171308) is a response or an internal class message. PduHandle.transactionID = 687742790
2023-04-12 16:28:04.081 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG MPv3 finished
2023-04-12 16:28:04.082 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Searching pending request with handlePduHandle[687742790]
2023-04-12 16:28:04.082 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Send new request after report 1.3.6.1.6.3.15.1.1.4.0
2023-04-12 16:28:04.082 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Context engine ID of scoped PDU is empty! Setting it to authoritative engine ID: 80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d
2023-04-12 16:28:04.082 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG getUser(engineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d, securityName=V3user1)
2023-04-12 16:28:04.112 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG MD5 first digest: {secretSHA256=af:1d:3d:b1:29:99:eb:93:3e:d9:22:62:b7:07:b9:af:f3:83:08:dc:bf:d5:31:62:50:62:6d:5f:dc:25:2c:34}
2023-04-12 16:28:04.112 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG MD5 localized key: {secretSHA256=39:e9:76:28:bc:dd:8e:66:a7:e0:70:cb:76:2e:3c:0b:63:6f:7e:ca:ca:ff:18:50:0c:70:c2:a4:42:82:b3:6b}
2023-04-12 16:28:04.116 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG MD5 first digest: {secretSHA256=06:f5:82:0a:65:4c:be:f8:2b:dc:34:5e:ab:b0:b2:06:68:61:1f:6c:0c:48:64:6d:f2:69:07:c7:e9:84:f6:b7}
2023-04-12 16:28:04.116 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG MD5 localized key: {secretSHA256=9c:bd:1e:a0:ca:70:ba:0a:eb:92:57:0d:cc:58:55:b2:f0:1d:64:a5:99:22:a2:f9:73:c0:d2:02:fb:6a:bd:d0}
2023-04-12 16:28:04.118 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Adding user V3user1 = UsmUser[secName=V3user1,authProtocol=1.3.6.1.6.3.10.1.1.2,authPassphrase={secretSHA256=39:e9:76:28:bc:dd:8e:66:a7:e0:70:cb:76:2e:3c:0b:63:6f:7e:ca:ca:ff:18:50:0c:70:c2:a4:42:82:b3:6b},privProtocol=1.3.6.1.6.3.10.1.2.2,privPassphrase={secretSHA256=9c:bd:1e:a0:ca:70:ba:0a:eb:92:57:0d:cc:58:55:b2:f0:1d:64:a5:99:22:a2:f9:73:c0:d2:02:fb:6a:bd:d0},localizationEngineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d]
2023-04-12 16:28:04.118 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG RFC3414 §3.1.4.a Outgoing message needs to be encrypted
2023-04-12 16:28:04.118 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Preparing decrypt_params.
2023-04-12 16:28:04.118 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Preparing iv for encryption.
2023-04-12 16:28:04.148 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Using padding.
2023-04-12 16:28:04.149 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Encryption finished.
2023-04-12 16:28:04.149 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Adding cache entry: StateReference[msgID=1869171309,pduHandle=PduHandle[687742790],securityEngineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d,securityModel=org.snmp4j.security.USM@60b40a00,securityName=V3user1,securityLevel=3,contextEngineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d,contextName=OHHHYeah,retryMsgIDs=null]
2023-04-12 16:28:04.149 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Sending message to 10.6.5.157/161 from 10.16.101.29/53522 with length 175: 30:81:ac:02:01:03:30:11:02:04:6f:69:4a:6d:02:03:00:ff:ff:04:01:07:02:01:03:04:42:30:40:04:15:80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d:02:01:01:02:03:08:02:34:04:07:56:33:75:73:65:72:31:04:0c:b5:51:46:78:08:21:37:ba:7d:b2:3d:5f:04:08:00:00:00:01:aa:4e:34:61:04:50:ba:79:f1:00:59:92:11:50:28:17:04:da:c8:0a:10:6d:c4:f2:70:14:39:50:b1:47:c0:31:d2:c8:90:3d:ac:66:eb:5a:74:0f:ce:5b:e9:76:95:64:dd:df:28:93:c5:56:d3:68:7f:23:16:38:b7:e8:fc:ae:22:b0:f6:26:d6:bc:47:7c:e4:e3:dd:1f:ca:12:dd:e3:d0:96:86:39:14:bb
2023-04-12 16:28:04.150 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Sending packet to 10.6.5.157/161
2023-04-12 16:28:04.153 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Received message from /10.6.5.157/161 with length 153: 30:81:96:02:01:03:30:11:02:04:6f:69:4a:6d:02:03:00:ff:ff:04:01:01:02:01:03:04:3a:30:38:04:15:80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d:02:01:01:02:03:08:02:eb:04:07:56:33:75:73:65:72:31:04:0c:91:5c:94:ce:bd:06:f8:c1:3c:d3:2e:e1:04:00:30:42:04:15:80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d:04:08:4f:48:48:48:59:65:61:68:a8:1f:02:04:28:fe:1f:46:02:01:00:02:01:00:30:11:30:0f:06:0a:2b:06:01:06:03:0f:01:01:02:00:41:01:1d
2023-04-12 16:28:04.153 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG SNMPv3 header decoded: msgId=1869171309, msgMaxSize=65535, msgFlags=01, secModel=3
2023-04-12 16:28:04.153 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG getUser(engineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d, securityName=V3user1)
2023-04-12 16:28:04.153 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG CheckTime: time ok (non authoritative)
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Removed cache entry: StateReference[msgID=1869171309,pduHandle=null,securityEngineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d,securityModel=org.snmp4j.security.USM@60b40a00,securityName=V3user1,securityLevel=3,contextEngineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d,contextName=OHHHYeah,retryMsgIDs=null]
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG RFC3412 §7.2.10 - Received PDU (msgID=1869171309) is a response or an internal class message. PduHandle.transactionID = 687742790
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG MPv3 finished
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Searching pending request with handlePduHandle[687742790]
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Send new request after report 1.3.6.1.6.3.15.1.1.2.0
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG getUser(engineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d, securityName=V3user1)
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG RFC3414 §3.1.4.a Outgoing message needs to be encrypted
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Preparing decrypt_params.
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Preparing iv for encryption.
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Using padding.
2023-04-12 16:28:04.154 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Encryption finished.
2023-04-12 16:28:04.155 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Adding cache entry: StateReference[msgID=1869171310,pduHandle=PduHandle[687742790],securityEngineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d,securityModel=org.snmp4j.security.USM@60b40a00,securityName=V3user1,securityLevel=3,contextEngineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d,contextName=OHHHYeah,retryMsgIDs=null]
2023-04-12 16:28:04.155 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Sending message to 10.6.5.157/161 from 10.16.101.29/53522 with length 175: 30:81:ac:02:01:03:30:11:02:04:6f:69:4a:6e:02:03:00:ff:ff:04:01:07:02:01:03:04:42:30:40:04:15:80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d:02:01:01:02:03:08:02:eb:04:07:56:33:75:73:65:72:31:04:0c:d3:34:97:bc:a9:61:cf:fe:8d:74:72:dc:04:08:00:00:00:01:aa:4e:34:62:04:50:1d:19:00:65:58:2c:2e:2b:e0:cd:e8:19:c2:2e:c9:e7:21:b4:cf:53:08:8f:7e:5d:9a:a8:ad:90:05:46:d4:32:55:bb:63:25:c8:5f:bd:3f:6f:3c:84:d8:e8:a9:13:9b:7a:40:1c:7b:32:e0:ed:2c:ce:71:3c:97:6d:4b:04:3b:1f:25:50:74:2d:a9:86:25:24:c2:28:8b:74:f9:17:fb
2023-04-12 16:28:04.155 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Sending packet to 10.6.5.157/161
2023-04-12 16:28:04.159 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Received message from /10.6.5.157/161 with length 175: 30:81:ac:02:01:03:30:11:02:04:6f:69:4a:6e:02:03:00:ff:ff:04:01:03:02:01:03:04:42:30:40:04:15:80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d:02:01:01:02:03:08:02:eb:04:07:56:33:75:73:65:72:31:04:0c:85:29:3f:24:a0:ba:b9:4f:f2:49:2c:7d:04:08:00:00:00:01:73:c7:b6:37:04:50:90:fb:ce:52:60:c3:40:09:21:c9:9e:94:9d:4a:d9:3f:99:80:1c:e3:58:bb:1c:66:cb:47:c3:12:8d:14:6d:94:00:f8:1d:c6:96:3e:1c:45:46:63:b2:18:cf:b4:09:a2:78:f6:3b:77:56:dd:7b:f9:64:7b:61:2b:92:e4:9f:16:ae:bb:23:95:94:14:5c:59:e1:df:32:21:0d:d4:7e:a6
2023-04-12 16:28:04.159 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG SNMPv3 header decoded: msgId=1869171310, msgMaxSize=65535, msgFlags=03, secModel=3
2023-04-12 16:28:04.159 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG getUser(engineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d, securityName=V3user1)
2023-04-12 16:28:04.159 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG CheckTime: time ok (non authoritative)
2023-04-12 16:28:04.160 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Removed cache entry: StateReference[msgID=1869171310,pduHandle=null,securityEngineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d,securityModel=org.snmp4j.security.USM@60b40a00,securityName=V3user1,securityLevel=3,contextEngineID=80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d,contextName=OHHHYeah,retryMsgIDs=null]
2023-04-12 16:28:04.160 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG RFC3412 §7.2.10 - Received PDU (msgID=1869171310) is a response or an internal class message. PduHandle.transactionID = 687742790
2023-04-12 16:28:04.160 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG MPv3 finished
2023-04-12 16:28:04.160 DefaultUDPTransportMapping_10.16.101.29/53522 DEBUG Looking up pending request with handle PduHandle[687742790]
2023-04-12 16:28:04.161 Timer-1 DEBUG Removed pending request with handle: PduHandle[687742790]
ErrorStatusText:Authorization error
ErrorIndex:0
ErrorStatus:16
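
The first "Sending message" dump in the log above is the unencrypted engine-ID discovery probe, so it shows in clear text which context name and security level the manager put on the wire; the agent's reply is a plaintext report. The following is an added example, not code from this thread or from SNMP4J: a small BER reader that decodes those two dumps. Only the two hex strings are copied from the log; every function and variable name is illustrative.

```python
"""Decode the plaintext fields of an SNMPv3 message from an SNMP4J DEBUG hex dump."""

PDU_TYPES = {0xA0: "GET", 0xA1: "GETNEXT", 0xA2: "RESPONSE", 0xA3: "SET",
             0xA5: "GETBULK", 0xA6: "INFORM", 0xA7: "TRAP", 0xA8: "REPORT"}
SECURITY_LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}
USM_REPORTS = {  # usmStats counters defined in RFC 3414
    "1.3.6.1.6.3.15.1.1.1.0": "usmStatsUnsupportedSecLevels",
    "1.3.6.1.6.3.15.1.1.2.0": "usmStatsNotInTimeWindows",
    "1.3.6.1.6.3.15.1.1.3.0": "usmStatsUnknownUserNames",
    "1.3.6.1.6.3.15.1.1.4.0": "usmStatsUnknownEngineIDs",
    "1.3.6.1.6.3.15.1.1.5.0": "usmStatsWrongDigests",
    "1.3.6.1.6.3.15.1.1.6.0": "usmStatsDecryptionErrors",
}

# Both dumps are copied from the debug log in this thread (msgID 1869171308).
DISCOVERY_REQUEST = (
    "30:43:02:01:03:30:11:02:04:6f:69:4a:6c:02:03:00:ff:ff:04:01:04:02:01:03:"
    "04:10:30:0e:04:00:02:01:00:02:01:00:04:00:04:00:04:00:"
    "30:19:04:00:04:08:4f:48:48:48:59:65:61:68:a3:0b:02:01:00:02:01:00:02:01:00:30:00")
DISCOVERY_REPORT = (
    "30:81:81:02:01:03:30:11:02:04:6f:69:4a:6c:02:03:00:ff:ff:04:01:00:02:01:03:"
    "04:27:30:25:04:15:80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d:"
    "02:01:01:02:03:08:02:34:04:00:04:00:04:00:"
    "30:40:04:15:80:00:80:9d:02:00:00:00:00:00:00:00:00:00:00:ff:ff:0a:06:05:9d:"
    "04:08:4f:48:48:48:59:65:61:68:a8:1d:02:01:00:02:01:00:02:01:00:"
    "30:12:30:10:06:0a:2b:06:01:06:03:0f:01:01:04:00:41:02:09:22")


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def read_children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items


def decode_oid(value):
    first = min(value[0] // 40, 2)
    arcs, sub = [first, value[0] - 40 * first], 0
    for byte in value[1:]:
        sub = (sub << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends the sub-identifier
            arcs.append(sub)
            sub = 0
    return ".".join(str(a) for a in arcs)


def decode_v3_message(hex_dump):
    """Return the header, USM and (if not encrypted) scoped PDU fields as a dict."""
    raw = bytes.fromhex(hex_dump.replace(":", ""))
    tag, body, _ = read_tlv(raw, 0)
    fields = read_children(body)
    if tag != 0x30 or len(fields) != 4 or int.from_bytes(fields[0][1], "big") != 3:
        raise ValueError("not an SNMPv3 message")
    header = read_children(fields[1][1])
    flags = header[2][1][0]
    usm = read_children(read_tlv(fields[2][1], 0)[1])   # UsmSecurityParameters
    info = {
        "msg_id": int.from_bytes(header[0][1], "big"),
        "security_level": SECURITY_LEVELS.get(flags & 0x03, "invalid"),
        "reportable": bool(flags & 0x04),
        "engine_id": ":".join(f"{b:02x}" for b in usm[0][1]),
        "user": usm[3][1].decode("utf-8", "replace"),
        "context_name": None, "pdu_type": None, "varbinds": [],
    }
    data_tag, data = fields[3]
    if flags & 0x02 or data_tag != 0x30:
        return info                        # encrypted scoped PDU: context is not readable
    _ctx_engine, ctx_name, pdu = read_children(data)
    info["context_name"] = ctx_name[1].decode("utf-8", "replace")
    info["pdu_type"] = PDU_TYPES.get(pdu[0], hex(pdu[0]))
    for _, varbind in read_children(read_children(pdu[1])[3][1]):
        (_, oid), (vtag, val) = read_children(varbind)
        numeric = vtag in (0x02, 0x41, 0x42, 0x43, 0x46)
        value = int.from_bytes(val, "big", signed=(vtag == 0x02)) if numeric else val.hex()
        info["varbinds"].append((decode_oid(oid), value))
    return info


def report_names(info):
    """Map the varbind OIDs of a REPORT PDU to their usmStats counter names."""
    return [USM_REPORTS.get(oid, oid) for oid, _ in info["varbinds"]]


if __name__ == "__main__":
    for dump in (DISCOVERY_REQUEST, DISCOVERY_REPORT):
        print(decode_v3_message(dump))
```

The decoded probe carries context name `OHHHYeah` at noAuthNoPriv, which is the value to compare against the context the agent's access configuration expects; the later authPriv messages in the log have an encrypted scoped PDU, so the function returns `context_name` as `None` for them.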

Hi Frank, glad the last information helps. The long code snippet in the beginning of this post is working fine for both v3 SET and GET by itself. My goal is to add this code onto our bigger control system to upgrade snmp communication from v1 to v3, but this code only works for v3 GET after adding onto our system. Since this code design is working for both SET and GET as long as it is running without any interaction with the in-house system platform, I think the VACM setting on the device side is actually allowing both SET and GET controls. Otherwise I would not be able to do v3 SET successfully when this code is running outside of our system, right?

Also, the device has a homepage to set the security name, auth/priv passphrase, security level, …etc and I am sure the snmpv3 parameter settings are exactly the same on the device and during each SET/GET command. I assume if I can see write/read are both enabled on the device, that means the VACM setting on the device (agent) is also allowing both SET and GET, right? I initialize usmUser for the v3 manager exactly as the setting on the v3 agent side each time to ensure there are no errors. Here is the snmpv3 initialization code design. (I know it’s unnecessary to initialize usmUser for each snmpv3 SET/GET request and I only do this for debugging)

    snmp = new Snmp();
    snmp.getMessageDispatcher().addCommandResponder(new CommandResponder() {
        @Override
        public <A extends Address> void processPdu(CommandResponderEvent<A> commandResponderEvent) {

        }
    });
   
    snmp.getMessageDispatcher().addCommandResponder(snmp);

   
    snmp.addTransportMapping(new DefaultUdpTransportMapping(new UdpAddress(0)));
    snmp.getMessageDispatcher().addMessageProcessingModel(new MPv3());
   
    SecurityProtocols.getInstance().addAuthenticationProtocol(new AuthMD5());
    SecurityProtocols.getInstance().addAuthenticationProtocol(new AuthSHA());
    
    SecurityProtocols.getInstance().addPrivacyProtocol(new PrivDES());
    SecurityProtocols.getInstance().addPrivacyProtocol(new Priv3DES());
    SecurityProtocols.getInstance().addPrivacyProtocol(new PrivAES128());
    SecurityProtocols.getInstance().addPrivacyProtocol(new PrivAES192());
    SecurityProtocols.getInstance().addPrivacyProtocol(new PrivAES256());
    

    OctetString localEngineID = new OctetString(MPv3.createLocalEngineID());        

    usm = new USM(SecurityProtocols.getInstance(), localEngineID, 0);
    usmUser = new UsmUser(new OctetString(securityName),
    AuthMD5.ID, new OctetString(authPassphrase),
    PrivDES.ID, new OctetString(privPassphrase));

    usm.addUser(usmUser);
    
    SecurityModels.getInstance().addSecurityModel(usm); 

    snmp.getMessageDispatcher().addMessageProcessingModel(new MPv3(usm.getLocalEngineID().getValue()));

    snmp.listen();
	


	Address targetAddress = GenericAddress.parse(udpAddressInfo);
    userTarget.setAddress(targetAddress);
    userTarget.setVersion(SnmpConstants.version3);
    userTarget.setSecurityLevel(SecurityLevel.AUTH_PRIV);
    userTarget.setSecurityName(usmUser.getSecurityName());
    
    userTarget.setRetries(3);
    userTarget.setTimeout(500);

Each v3 communication is using the new usm and usmUser with the right setting but still having
ErrorStatusText = Authorization error, ErrorIndex = 0, ErrorStatus = 16 while doing v3 SET. Don’t know if there’s anything I miss?

The code seems to be a bit chaotic. Why are you adding a command responder that does nothing?
Why are there two MPv3 instances added with different engine IDs?

Again, the authorisation error is returned by the agent. That means the USM config is fine, but VACM does not allow access for this user, context, message processing model, etc.

If you had not made any mistake, it would have worked. I still do not understand the differences between the two setups. If one of them is working, why are you doing it differently in the other setup?


I’m coding another version of v3 SET/GET by using the codes that are working outside of our platform. I’ll keep it posted to see how it goes. Thank you so much Frank.

Thanks Frank. Turned out the context name had a mismatch between different versions. The code is functioning now.

However, I encountered a potential memory leak issue while transferring this code onto the Linux platform. This code monitors a few devices every 2s and only needs about 200MB memory running on Eclipse, but it uses close to 1G and slowly creeps up in memory usage on the Linux platform. I have been using a counter to make sure snmp communications are properly closed after finishing v3GET or v3SET. Don’t know if there have been known issues running snmp4j-4.7.4.jar and JDK17 on an older Linux environment like Ubuntu 18.04.6 LTS? Thank you.

There isn’t any memory leak (known) with latest SNMP4J (3.7.7). SNMP4J 4.7.4 does not (yet) exist. Is it a typo?
Maybe you have to check your code, if you are collecting too much data? Otherwise, as you know, in Java memory usage highly depends on garbage collection strategy…

Closing and opening sockets for each SNMP message is a kind of memory leak itself, as it is very slow and needs a lot of overhead memory for creating the new sockets. Maybe you need to optimise that?