SNMPv3 Notifications and VACM access

I have created a notification in MIB designer and generated the corresponding code in AgenPro.

The debug log shows the following access error:

Notification 1.3.6.1.4.1.1.2.1 reported with [1.3.6.1.4.1.1.1.7.1.2 = 1, 1.3.6.1.4.1.1.1.7.1.3 = 2, 1.3.6.1.4.1.1.1.7.1.5 = 3] for context public
VACM access requested for context=public, securityName=v3notify, securityModel=3, securityLevel=1, viewType=0, OID=1.3.6.1.4.1.1.2.1
Found group name 'v3notify' for secName 'v3notify' and secModel 3
Got views [DefaultMOMutableRow2PC[index=8.118.51.110.111.116.105.102.121.8.118.51.110.111.116.105.102.121.3.3,values=[1, fullReadView, fullWriteView, fullNotifyView, 2, 1]] for group name 'v3notify'
Matching against access entry DefaultMOMutableRow2PC[index=8.118.51.110.111.116.105.102.121.8.118.51.110.111.116.105.102.121.3.3,values=[1, fullReadView, fullWriteView, fullNotifyView, 2, 1] with exactContextMatch=false, prefixMatch=false, matchSecModel=true and matchSecLevel=false
Access denied by VACM for 1.3.6.1.4.1.1.2.1

This is what I’ve written in the addViews operation in Agent:

protected void addViews(VacmMIB vacm) {
    // SNMPv3
    if (securityName != null && !securityName.equals("")) {

        System.out.println("Test");
        vacm.addGroup(
            SecurityModel.SECURITY_MODEL_USM,
            new OctetString(securityName),
            new OctetString("v3group"),
            StorageType.volatile_
        );

        vacm.addAccess(
            new OctetString("v3group"),
            new OctetString(ALLCONTEXT),
            SecurityModel.SECURITY_MODEL_USM,
            SecurityLevel.AUTH_PRIV,
            MutableVACM.VACM_MATCH_EXACT,
            new OctetString("fullReadView"),
            new OctetString("fullWriteView"),
            new OctetString("fullNotifyView"),
            StorageType.volatile_
        );

        vacm.addGroup(
            SecurityModel.SECURITY_MODEL_USM,
            new OctetString("v3notify"),
            new OctetString("v3notify"),
            StorageType.volatile_
        );

        vacm.addAccess(
            new OctetString("v3notify"),
            new OctetString("v3notify"),
            SecurityModel.SECURITY_MODEL_USM,
            SecurityLevel.AUTH_PRIV,
            MutableVACM.VACM_MATCH_EXACT,
            new OctetString("fullReadView"),
            new OctetString("fullWriteView"),
            new OctetString("fullNotifyView"),
            StorageType.volatile_
        );
    }

    vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"),
            new OctetString(), VacmMIB.vacmViewIncluded,
            StorageType.nonVolatile);

    vacm.addViewTreeFamily(new OctetString("fullWriteView"), new OID("1.3"),
            new OctetString(), VacmMIB.vacmViewIncluded,
            StorageType.nonVolatile);

    vacm.addViewTreeFamily(new OctetString("fullNotifyView"), new OID("1.3"),
            new OctetString(), VacmMIB.vacmViewIncluded,
            StorageType.nonVolatile);
}

In the addNotificationTargets:

protected void addNotificationTargets(SnmpTargetMIB targetMIB,
		SnmpNotificationMIB notificationMIB) {
	targetMIB.addDefaultTDomains();

    targetMIB.addTargetAddress(new OctetString("notificationV3"),
                               TransportDomains.transportDomainUdpIpv4,
                               new OctetString(new UdpAddress("127.0.0.1/1162").getValue()),
                               200, 1,
                               new OctetString("notify"),
                               new OctetString("v3notify"),
                               StorageType.permanent);
    targetMIB.addTargetParams(new OctetString("v3notify"),
                              MessageProcessingModel.MPv3,
                              SecurityModel.SECURITY_MODEL_USM,
                              new OctetString("v3notify"),
                              SecurityLevel.NOAUTH_NOPRIV,
                              StorageType.permanent);
    notificationMIB.addNotifyEntry(new OctetString("default"),
                                   new OctetString("notify"),
                                   SnmpNotificationMIB.SnmpNotifyTypeEnum.inform,
                                   StorageType.permanent);
}

The section where notification is sent

VariableBinding[] array = {
    new VariableBinding(MYMib.oidTrapVarAId, new Integer32(1)),
    new VariableBinding(MYMib.oidTrapVarBId, new Integer32(2)),
    new VariableBinding(MYMib.oidTrapVarCId, new Integer32(3))
};

MYMib.wfDataLinkStatusUpdateEvent(this.getNotificationOriginator(),
        new OctetString("public"),
        array);

Is it possible to help me identify the error?

Please check your access entry in the VACM for the fullNotifyView. It does not seem to include the notification ID of the notification to be sent: 1.3.6.1.4.1.1.2.1.

The log output

exactContextMatch=false, prefixMatch=false, matchSecModel=true and matchSecLevel=false

Means that:

  1. The SNMPv3 context of the selected access entry does not match with the notification to be sent. ❗
  2. The security model matches ✅
  3. The security level does not match (notification has noAuthNoPriv but access entry has authPriv) ❗

Thanks for the reply.

I have updated the access to:

vacm.addAccess(
    new OctetString("public"),
    new OctetString("v3notify"),
    SecurityModel.SECURITY_MODEL_USM,
    SecurityLevel.NOAUTH_NOPRIV,
    MutableVACM.VACM_MATCH_EXACT,
    new OctetString("fullReadView"),
    new OctetString("fullWriteView"),
    new OctetString("fullNotifyView"), 
    StorageType.volatile_
  );

The access is still denied. See log:

Notification 1.3.6.1.4.1.1.2.1 reported with [1.3.6.1.4.1.1.1.7.1.2 = 1, 1.3.6.1.4.1.1.1.7.1.3 = 2, 1.3.6.1.4.1.1.1.7.1.5 = 3] for context public
VACM access requested for context=public, securityName=v3notify, securityModel=3, securityLevel=1, viewType=0, OID=1.3.6.1.4.1.1.2.1
Found group name 'v3notify' for secName 'v3notify' and secModel 3
Got views [] for group name 'v3notify'
Access denied by VACM for 1.3.6.1.4.1.1.2.1

There is no matching view for the specified group and request parameters. You need to fix that.

Thanks!

I finally realized my mistake.

The security name from the group is associated with the target notification, i.e.:

vacm.addGroup(
    SecurityModel.SECURITY_MODEL_USM,
    new OctetString(securityName),
    new OctetString("v3group"),
    StorageType.nonVolatile
);

protected void addNotificationTargets(SnmpTargetMIB targetMIB,
        SnmpNotificationMIB notificationMIB)
{
    targetMIB.addDefaultTDomains();
    targetMIB.addTargetAddress(new OctetString("notificationV3"),
                               TransportDomains.transportDomainUdpIpv4,
                               new OctetString(new UdpAddress("127.0.0.1/1162").getValue()),
                               200, 1,
                               new OctetString("notify"),
                               new OctetString(securityName),
                               StorageType.nonVolatile);
    targetMIB.addTargetParams(new OctetString(securityName),
                              MessageProcessingModel.MPv3,
                              SecurityModel.SECURITY_MODEL_USM,
                              new OctetString(securityName),
                              SecurityLevel.AUTH_PRIV,
                              StorageType.nonVolatile);
    notificationMIB.addNotifyEntry(new OctetString("default"),
                                   new OctetString("notify"),
                                   SnmpNotificationMIB.SnmpNotifyTypeEnum.inform,
                                   StorageType.nonVolatile);
}

In this way, the group name is “v3group”, security name is “securityName”.

Thanks Frank!!!
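
The VACM decision discussed in this thread, as an added example that is not part of any post and is not SNMP4J code: a simplified, self-contained model of the RFC 3415 lookup (group, then access entry, then view) showing that the first configuration stops at the access-entry step while a layout with matching context and authPriv on both sides is allowed. The class name, the security name "user1" and the context prefix "public" in the second scenario are assumptions, since the thread does not show the values of `securityName` or `ALLCONTEXT`.

```java
import java.util.*;

// Added illustration: simplified model of the RFC 3415 isAccessAllowed steps for
// notify views. Not SNMP4J code; view masks, the "any" security model and
// best-match ordering between several access entries are left out.
public class VacmNotifyModel {
    static final int USM = 3, NOAUTH_NOPRIV = 1, AUTH_PRIV = 3;

    record Group(int secModel, String secName, String name) {}
    record Access(String group, String contextPrefix, int secModel,
                  int minLevel, boolean exact, String notifyView) {}

    final List<Group> groups = new ArrayList<>();
    final List<Access> accesses = new ArrayList<>();
    final Map<String, List<String>> views = new HashMap<>(); // view -> included subtrees

    String check(String context, String secName, int secModel, int level, String oid) {
        // Step 1: (securityModel, securityName) -> group name
        Optional<String> group = groups.stream()
            .filter(g -> g.secModel() == secModel && g.secName().equals(secName))
            .map(Group::name).findFirst();
        if (group.isEmpty()) return "noGroupName";
        // Step 2: the entry must match group, model and context; its level is a
        // minimum, so an authPriv entry never authorizes a noAuthNoPriv message.
        Optional<Access> entry = accesses.stream()
            .filter(a -> a.group().equals(group.get()) && a.secModel() == secModel)
            .filter(a -> a.exact() ? context.equals(a.contextPrefix())
                                   : context.startsWith(a.contextPrefix()))
            .filter(a -> a.minLevel() <= level)
            .findFirst();
        if (entry.isEmpty()) return "noAccessEntry";
        // Step 3: the OID must fall under an included subtree of the notify view
        List<String> subtrees = views.get(entry.get().notifyView());
        if (subtrees == null) return "noSuchView";
        boolean inView = subtrees.stream()
            .anyMatch(s -> oid.equals(s) || oid.startsWith(s + "."));
        return inView ? "accessAllowed" : "notInView";
    }

    public static void main(String[] args) {
        String trap = "1.3.6.1.4.1.1.2.1";
        VacmNotifyModel first = new VacmNotifyModel();  // values from the first post
        first.views.put("fullNotifyView", List.of("1.3"));
        first.groups.add(new Group(USM, "v3notify", "v3notify"));
        first.accesses.add(new Access("v3notify", "v3notify", USM, AUTH_PRIV, true, "fullNotifyView"));
        System.out.println(first.check("public", "v3notify", USM, NOAUTH_NOPRIV, trap));

        VacmNotifyModel fixed = new VacmNotifyModel();  // assumed layout, constructed names
        fixed.views.put("fullNotifyView", List.of("1.3"));
        fixed.groups.add(new Group(USM, "user1", "v3group"));
        fixed.accesses.add(new Access("v3group", "public", USM, AUTH_PRIV, true, "fullNotifyView"));
        System.out.println(fixed.check("public", "user1", USM, AUTH_PRIV, trap));
    }
}
```

Requires Java 16 or later for records. Raising the target parameters to authPriv, as in the final post, satisfies the access entry without lowering its minimum security level to noAuthNoPriv.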