Start agent with our own security data

Hi Frank

  1. Is there a way to removeAll rows under vacmMIB? I looked into vacmMIB.remove: it seems like I can remove access, group, view one by one. I was hoping to remove all entries and replace with my own set. If removing one by one is the only option, is there a way to get the list of the group/view names?
  2. Will the following flow work to get the snmp agent running with my security info?
    First, I comment out snmp community, vacm and usm related data in the SnmpAgentConfig.properties and pass in an empty vacmMIB object when I create the agentConfigMgr to start agent. Second, I update the snmp community, vacm and usm mibs with my security strings in the AgentConfigMgr object.
  3. Is there a way to start the snmp agent with my own snmp community, vacm, usm objects? Judging by the API, we can only pass in vacmMib object and usm/community mibs are generated internally.

Thanks
Agnes

Hi Agnes,

Regarding

  1. You can remove all entries in each VACM table with vacm.getVacmSecurityToGroupTable().getModel().clear(); for example (for the securityToGroupTable)
  2. Yes, that will work.
  3. You can create your own AgentConfigManager (subclass), no problem and use your own initialisation process.

Hope this helps.

Best regards,
Frank

Thanks Frank.
I have an additional question. I loaded my own snmp community, vacm and usm mibs, but I am still getting an “Error in packet. Reason: authorizationError (access denied to that object)” error when doing “snmpbulkwalk”. Do you have any suggestions on how/where to debug what is missing for the security?

Thanks
Agnes

The DEBUG log of the agent will provide enough hints.

Frank,
I am unable to find the clear() under getModel() on VacmMIB object which I retrieved from agentConfigMgr
agentConfigMgr.getVacmMIB().getVacmSecurityToGroupTable().getModel().clear() <-- I got compilation error
I also don’t see any API to clear the vacmview without knowing the context, security model, level, view type.
I am using snmp4j-agent 2.7.1 and snmp4j 2.8.1.
Could the methods you mentioned be in a different version? We are using Java 8. If we use snmp4j 3.x, will we see the module issue? I understand that snmp4j 3.x is for Java 9.
Thanks
Agnes

I enabled debug and found “Community name ‘agnes’ not found in SNMP-COMMUNITY-MIB”. However, when I print out each row in the SnmpCommunityMIB, I could see “agnes”. Do I need to refresh the SNMP agent? Will the SNMP agent load the updated MIBs?

Iterator it = SnmpAgent.getInstance().getAgentConfigManager().getSnmpCommunityMIB()
.getSnmpCommunityEntry().getModel().iterator();
while (it.hasNext()) {
LOGGER.info("---- AGNES: community name: " + it.next().getSnmpCommunityName() + " sec-name: "
+ it.next().getSnmpCommunitySecurityName());
}

Another question: does snmp-community-mib only allow one entry per security name?

Try

((DefaultMOMutableTableModel)agentConfigMgr.getVacmMIB().getVacmSecurityToGroupTable().getModel()).clear();

instead.

The MIB data is used instantly, no separate refresh or “data loading” needed.

If the community name is not found, then the corresponding entry is not “active”, i.e. its RowStatus column has to be 1 in order to be used by the lookup.

You can have more than one community -> security name mapping for the same community string. But the behaviour will be undefined then (i.e. which security name/context engine ID pair is used).
In case you are using a non-zero-length snmpCommunityTransportTag, it does not make any sense at all to have more than one mapping entry (= row) per community.

Hi Frank

Thanks for the info.
What puzzles me is that I am actually using
getSnmpCommunityMIB().addSnmpCommunityEntry(…) to create my entry.
I looked at the source code; apparently addSnmpCommunityEntry will add "new Integer32(RowStatus.active)", which should take care of the row status, right?
I wonder if there is another API that I should use to add rows to the SnmpCommunityMIB.

Thanks
Agnes

No, that API is the correct one. BTW, your test code loop

Iterator it = SnmpAgent.getInstance().getAgentConfigManager().getSnmpCommunityMIB()
.getSnmpCommunityEntry().getModel().iterator();
while (it.hasNext()) {
LOGGER.info("---- AGNES: community name: " + it.next().getSnmpCommunityName() + " sec-name: "
+ it.next().getSnmpCommunitySecurityName());
}

has an error, because you call it.next() twice in the body.

That’s true! thanks for pointing it out.
I fixed the printing issue and I don’t see the not found error. I attached the log from when I tried snmpbulkwalk. I don’t see an obvious error message. Also, I am not quite sure what the following indicates:

  1. [DEBUG] 07-Jan-2020::15:07:51,567 … errorIndex=10, VBS[1.3.6.1.2.1.1.1 = Null]
  2. [DEBUG] 07-Jan-2020::15:07:51,567 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Address 127.0.0.1/54607 passes filter, because source address filtering is disabled
  3. [DEBUG] 07-Jan-2020::15:07:51,568 Log4j2LogAdapter SnmpApp.0: - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=agnes,lowerBound=1.3.6.1.2.1.1.1,lowerIncluded=false,upperBound=null,upperIncluded=false] from 1.3.6.1.2.1.1.1 = Null

[root@virt-020f]$ snmpbulkget -c agnes -v 2c 127.0.0.1 1.3.6.1.2.1.1.1
Error in packet.
Reason: authorizationError (access denied to that object)
Failed object: SNMPv2-MIB::sysDescr

enabled debug:

[DEBUG] 07-Jan-2020::15:07:51,566 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Received message from /127.0.0.1/54607 with length 41: 30:27:02:01:01:04:05:61:67:6e:65:73:a5:1b:02:04:3e:d1:cb:fd:02:01:00:02:01:0a:30:0d:30:0b:06:07:2b:06:01:02:01:01:01:05:00
[DEBUG] 07-Jan-2020::15:07:51,567 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1053936637], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1053936637],securityEngineID=null,securityModel=null,securityName=agnes,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GETBULK[requestID=1053936637, errorStatus=Success(0), errorIndex=10, VBS[1.3.6.1.2.1.1.1 = Null]], messageProcessingModel=1, securityName=agnes, processed=false, peerAddress=127.0.0.1/54607, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@cd9e3a0, tmStateReference=null]
[DEBUG] 07-Jan-2020::15:07:51,567 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Looking up coexistence info for ‘agnes’
[DEBUG] 07-Jan-2020::15:07:51,567 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Found coexistence info for ‘agnes’=CoexistenceInfo[securityName=public,contextEngineID=80:00:13:70:01:0a:00:02:0f:3b:41:33:7a,contextName=agnes,transportTag=]
[DEBUG] 07-Jan-2020::15:07:51,567 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Address 127.0.0.1/54607 passes filter, because source address filtering is disabled
[DEBUG] 07-Jan-2020::15:07:51,568 Log4j2LogAdapter SnmpApp.0: - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=agnes,lowerBound=1.3.6.1.2.1.1.1,lowerIncluded=false,upperBound=null,upperIncluded=false] from 1.3.6.1.2.1.1.1 = Null
[DEBUG] 07-Jan-2020::15:07:51,568 Log4j2LogAdapter SnmpApp.0: - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=agnes,lowerBound=1.3.6.1.2.1.1.1,lowerIncluded=false,upperBound=null,upperIncluded=false],vb=1.3.6.1.2.1.1.1 = Null,status=RequestStatus{processed=false, phaseComplete=false, errorStatus=0},query=null,index=0,targetMO=null]]
[DEBUG] 07-Jan-2020::15:07:51,568 Log4j2LogAdapter SnmpApp.0: - Sending message to 127.0.0.1/54607 with length 41: 30:27:02:01:01:04:05:61:67:6e:65:73:a2:1b:02:04:3e:d1:cb:fd:02:01:10:02:01:01:30:0d:30:0b:06:07:2b:06:01:02:01:01:01:05:00

You are right, you do not see any debug output because there is no VACM group for the security name “public” in your VACM. That is why an authorisation error is returned. So there is a very basic configuration error!

Are you sure that you want to map the community “agnes” to the SNMPv3 context “agnes”? Using SNMPv3 contexts is an advanced concept and needs additional care during the configuration.
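The hex dumps in the DEBUG log above already carry the outcome of the request. The decoder below is an added example (not code from this thread or from SNMP4J; function names are hypothetical) that parses the request and response bytes copied from the 15:07:51 log lines. In a GETBULK request the two integers after the request ID are non-repeaters and max-repetitions (RFC 3416), which is why the log prints errorIndex=10 for the request; in the response the same positions hold error-status and error-index.

```python
# Minimal BER decoder for SNMPv1/v2c community messages as dumped by the agent log.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "SNMPv2-Trap", 0xA8: "Report"}

# error-status values as defined in RFC 3416; list index == numeric value
ERROR_STATUS = ["noError", "tooBig", "noSuchName", "badValue", "readOnly",
                "genErr", "noAccess", "wrongType", "wrongLength", "wrongEncoding",
                "wrongValue", "noCreation", "inconsistentValue",
                "resourceUnavailable", "commitFailed", "undoFailed",
                "authorizationError", "notWritable", "inconsistentName"]

# Copied from the "Received message" / "Sending message" log lines in the thread.
REQUEST_HEX = ("30:27:02:01:01:04:05:61:67:6e:65:73:a5:1b:02:04:3e:d1:cb:fd:02:01:00:"
               "02:01:0a:30:0d:30:0b:06:07:2b:06:01:02:01:01:01:05:00")
RESPONSE_HEX = ("30:27:02:01:01:04:05:61:67:6e:65:73:a2:1b:02:04:3e:d1:cb:fd:02:01:10:"
                "02:01:01:30:0d:30:0b:06:07:2b:06:01:02:01:01:01:05:00")


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("BER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def to_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_oid(body):
    """Decode an OID body; assumes the first arc is 0 or 1, as in 1.3.6.1..."""
    if not body:
        raise ValueError("empty OID")
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(str(arc) for arc in arcs)


def decode_message(hex_dump):
    """Decode one colon-separated hex dump into a dict of the header fields."""
    raw = bytes.fromhex(hex_dump.replace(":", ""))
    tag, message, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, version, pos = read_tlv(message, 0)
    version = to_int(version)
    if version not in (0, 1):
        raise ValueError("only SNMPv1/v2c community messages are handled")
    _, community, pos = read_tlv(message, pos)
    pdu_tag, pdu, _ = read_tlv(message, pos)
    if pdu_tag not in PDU_TYPES:
        raise ValueError(f"unsupported PDU tag 0x{pdu_tag:02x}")
    _, request_id, pos = read_tlv(pdu, 0)
    _, second, pos = read_tlv(pdu, pos)
    _, third, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        name_tag, name, _ = read_tlv(varbind, 0)
        if name_tag != 0x06:
            raise ValueError("variable binding does not start with an OID")
        oids.append(decode_oid(name))
    info = {"version": "v1" if version == 0 else "v2c",
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES[pdu_tag], "request_id": to_int(request_id), "oids": oids}
    if pdu_tag == 0xA5:  # GETBULK reuses the two integer slots
        info["non_repeaters"], info["max_repetitions"] = to_int(second), to_int(third)
    else:
        code = to_int(second)
        known = 0 <= code < len(ERROR_STATUS)
        info["error_status"] = ERROR_STATUS[code] if known else f"unknown({code})"
        info["error_index"] = to_int(third)
    return info


if __name__ == "__main__":
    for label, dump in (("request", REQUEST_HEX), ("response", RESPONSE_HEX)):
        print(label, decode_message(dump))
```
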

Frank
I suspect it could be vacm not taking/getting the latest value. Hence, I compared the logs side by side when starting the agent with my configuration and when starting the agent with your original AgentConfig properties file.

Here is what I found
with the properties file containing the vacm mib

[INFO] 07-Jan-2020::22:59:32,284 SnmpAgent pool-2-thread-3: - ---------------- debug --------------
[INFO] 07-Jan-2020::22:59:32,284 SnmpAgent pool-2-thread-3: - ---- AGNES: community name: public sec-name: public
[INFO] 07-Jan-2020::22:59:32,284 SnmpAgent pool-2-thread-3: - ---- AGNES: dump vacm: Dump of org.snmp4j.agent.mo.DefaultMOMutableTableModel:
1.6.112.117.98.108.105.99 # DefaultMOMutableRow2PC[index=1.6.112.117.98.108.105.99,values=[v1v2cgroup, 4, 1]
2.6.112.117.98.108.105.99 # DefaultMOMutableRow2PC[index=2.6.112.117.98.108.105.99,values=[v1v2cgroup, 4, 1]
3.3.83.72.65 # DefaultMOMutableRow2PC[index=3.3.83.72.65,values=[v3group, 4, 1]
3.5.117.110.115.101.99 # DefaultMOMutableRow2PC[index=3.5.117.110.115.101.99,values=[v3group, 4, 1]
3.6.83.72.65.68.69.83 # DefaultMOMutableRow2PC[index=3.6.83.72.65.68.69.83,values=[v3group, 4, 1]
3.12.83.72.65.50.53.54.65.69.83.49.50.56 # DefaultMOMutableRow2PC[index=3.12.83.72.65.50.53.54.65.69.83.49.50.56,values=[v3group, 4, 1]
3.12.83.72.65.53.49.50.65.69.83.50.53.54 # DefaultMOMutableRow2PC[index=3.12.83.72.65.53.49.50.65.69.83.50.53.54,values=[v3group, 4, 1]
4.7.84.76.83.80.82.73.86 # DefaultMOMutableRow2PC[index=4.7.84.76.83.80.82.73.86,values=[v3group, 4, 1]

[DEBUG] 07-Jan-2020::22:59:32,270 Log4j2LogAdapter pool-2-thread-3: - VACM access requested for context=, securityName=public, securityModel=1, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
[DEBUG] 07-Jan-2020::22:59:32,270 Log4j2LogAdapter pool-2-thread-3: - Found group name ‘v1v2cgroup’ for secName ‘public’ and secModel 1

with the properties file not containing the vacm mib

[DEBUG] 08-Jan-2020::09:14:56,256 Log4j2LogAdapter pool-2-thread-3: - VACM access requested for context=, securityName=public, securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
[DEBUG] 08-Jan-2020::09:14:56,256 Log4j2LogAdapter pool-2-thread-3: - No group name for securityName=public and securityModel=2
[WARN] 08-Jan-2020::09:14:56,256 Log4j2LogAdapter pool-2-thread-3: - Access denied by VACM for 1.3.6.1.6.3.1.1.5.1

Although I added vacm later on, it didn’t seem to take my later value

[INFO] 08-Jan-2020::09:16:10,095 KafkaConsumer pool-6-thread-1: - ---------------- debug --------------
[INFO] 08-Jan-2020::09:16:10,096 KafkaConsumer pool-6-thread-1: - ---- AGNES: community name: agnes sec-name: public
[INFO] 08-Jan-2020::09:16:10,096 KafkaConsumer pool-6-thread-1: - ---- AGNES: dump vacm: Dump of org.snmp4j.agent.mo.DefaultMOMutableTableModel:
1.6.112.117.98.108.105.99 # DefaultMOMutableRow2PC[index=1.6.112.117.98.108.105.99,values=[public, 4, 1]
1.6.112.117.98.115.101.116 # DefaultMOMutableRow2PC[index=2.6.112.117.98.108.105.99,values=[public, 4, 1]
2.6.112.117.98.115.101.116 #
[DEBUG] 08-Jan-2020::09:16:39,404 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Received message from /127.0.0.1/50669 with length 37: 30:23:02:01:01:04:05:61:67:6e:65:73:a5:17:02:04:19:1c:c5:59:02:01:00:02:01:0a:30:09:30:07:06:03:2b:06:01:05:00
[DEBUG] 08-Jan-2020::09:16:39,409 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[421315929], stateReference=StateReference[msgID=0,pduHandle=PduHandle[421315929],securityEngineID=null,securityModel=null,securityName=agnes,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GETBULK[requestID=421315929, errorStatus=Success(0), errorIndex=10, VBS[1.3.6.1 = Null]], messageProcessingModel=1, securityName=agnes, processed=false, peerAddress=127.0.0.1/50669, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@5dca4728, tmStateReference=null]
[DEBUG] 08-Jan-2020::09:16:39,409 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Looking up coexistence info for ‘agnes’
[DEBUG] 08-Jan-2020::09:16:39,410 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Found coexistence info for ‘agnes’=CoexistenceInfo[securityName=public,contextEngineID=32473,contextName=,transportTag=]
[DEBUG] 08-Jan-2020::09:16:39,411 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Address 127.0.0.1/50669 passes filter, because source address filtering is disabled
[DEBUG] 08-Jan-2020::09:16:39,415 Log4j2LogAdapter SnmpApp.0: - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1,lowerIncluded=false,upperBound=null,upperIncluded=false] from 1.3.6.1 = Null
[DEBUG] 08-Jan-2020::09:16:39,416 Log4j2LogAdapter SnmpApp.0: - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1,lowerIncluded=false,upperBound=null,upperIncluded=false],vb=1.3.6.1 = Null,status=RequestStatus{processed=false, phaseComplete=false, errorStatus=0},query=null,index=0,targetMO=null]]
[DEBUG] 08-Jan-2020::09:16:39,419 Log4j2LogAdapter SnmpApp.0: - Sending message to 127.0.0.1/50669 with length 37: 30:23:02:01:01:04:05:61:67:6e:65:73:a2:17:02:04:19:1c:c5:59:02:01:10:02:01:01:30:09:30:07:06:03:2b:06:01:05:00

I wonder if the API, vacmMib.addGroup(), vacmMib.addAccess(), vacmMib.addViewTreeFamily(), I use to add the VACM is correct. Are there other API which I should use? Can we change or add VACM after agent started?

Here is the value I use for the public

[INFO] 08-Jan-2020::09:16:10,090 UserSecurity pool-6-thread-1: - ---- groupName: public securityName: public securityModel: 1
[INFO] 08-Jan-2020::09:16:10,090 UserSecurity pool-6-thread-1: - ---- groupName: public securityName: public securityModel: 2
[INFO] 08-Jan-2020::09:16:10,091 UserSecurity pool-6-thread-1: - ---- groupName: public contextPrefix: securityModel: 0 readView: internet writeView:
view added for internet is subtree 1.3.6.1 included

I would appreciate it if you could provide some tips, as I am running out of ideas as to why, given these values, the agent doesn’t work as expected.

Thanks
Agnes

Frank
Could you also explain which debug messages I should pay attention to? What gives you the info that the vacm group is missing? I am also curious about the debug messages, e.g. there are many attribute=null; is this normal, and would any of the missing/not configured attributes cause any issues?

Thanks
Agnes

I am actually not sure what to use for context. I will change to SNMPv3 context. I will look into why vacm was not loaded.
Because I could see data in the vacmMIB as I printed the object

debug:

    ByteArrayOutputStream out = new ByteArrayOutputStream();
    try {
        ((DefaultMOMutableTableModel) ((DefaultMOTable<DefaultMOMutableRow2PC, MOColumn, DefaultMOMutableTableModel>) SnmpAgent
            .getInstance().getAgentConfigManager().getVacmMIB().getVacmSecurityToGroupTable()).getModel())
            .dump(out);

        LOGGER.info("dump vacm: " + out.toString());
    } catch (IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

dump vacm: Dump of org.snmp4j.agent.mo.DefaultMOMutableTableModel:
1.5.76.73.77.73.66 # DefaultMOMutableRow2PC[index=1.5.76.73.77.73.66,values=[LIMIB, 4, 1]
1.6.112.117.98.108.105.99 # DefaultMOMutableRow2PC[index=1.6.112.117.98.108.105.99,values=[public, 4, 1]
1.6.112.117.98.115.101.116 # DefaultMOMutableRow2PC[index=1.6.112.117.98.115.101.116,values=[pubset, 4, 1]
2.5.76.73.77.73.66 # DefaultMOMutableRow2PC[index=2.5.76.73.77.73.66,values=[LIMIB, 4, 1]
2.6.112.117.98.108.105.99 # DefaultMOMutableRow2PC[index=2.6.112.117.98.108.105.99,values=[public, 4, 1]
2.6.112.117.98.115.101.116 # DefaultMOMutableRow2PC[index=2.6.112.117.98.115.101.116,values=[pubset, 4, 1]
3.7.105.110.105.116.105.97.108 # DefaultMOMutableRow2PC[index=3.7.105.110.105.116.105.97.108,values=[initial, 4, 1]

code to update vacmMIB

    VacmMIB vacmMIB = SnmpAgent.getInstance().getAgentConfigManager().getVacmMIB();
    ((DefaultMOMutableTableModel) vacmMIB.getVacmSecurityToGroupTable().getModel()).clear();

    for (VACM_GROUP_ONE_INFO g : vacmGroupList) {
        OctetString groupName = SnmpAgentUtils.convertToOctetString(g.getGroupName());
        List<VACM_MEMBER_INFO> memberList = g.getMemberInfoList();
        for (VACM_MEMBER_INFO m : memberList) {
            OctetString securityName = SnmpAgentUtils.convertToOctetString(m.getSecName());
            List<Integer> securityModelList = m.getSecurityModelList();
            for (Integer securityModel : securityModelList) {
                vacmMIB.addGroup(securityModel, securityName, groupName, StorageType.permanent);
            }
        }

        List<VACM_ACCESS_ONE_INFO> accessList = g.getAccessInfoList();
        for (VACM_ACCESS_ONE_INFO a : accessList) {
            OctetString contextPrefix = OctetString.fromByteArray(new byte[0]);
            int match = 1;
            int securityModel = a.getSecMode();
            int securityLevel = a.getSecLevel();
            OctetString readView = SnmpAgentUtils.convertToOctetString(a.getReadViewName());
            OctetString writeView = SnmpAgentUtils.convertToOctetString(a.getWriteViewName());
            OctetString notifyView = null;
            vacmMIB.addAccess(groupName, contextPrefix, securityModel, securityLevel, match, readView, writeView,
                notifyView, StorageType.permanent);
        }
    }

    for (VACM_VIEW_ONE_INFO v : vacmViewList) {
        OctetString viewName = SnmpAgentUtils.convertToOctetString(v.getViewName());

        for (OID_MSG msg : v.getSubtreeList()) {
            int type = msg.getOidOp().getNumber();

            OID subtree = toOid(msg.getSubOidList());
            OctetString mask = null;

            vacmMIB.addViewTreeFamily(viewName, subtree, mask, type, StorageType.permanent);
        }
    }

Everything is OK and the APIs can be used at any time and instantly update the agent.

The error is caused by inconsistencies in your configuration.

But I cannot help with that as I get only small snippets of information which seems to change over time. You will know best how to debug your configuration. In most cases, starting with a single community/user mapping and the matching VACM for a single SNMP version and context can be constructed on paper and then transferred to agent configuration.

In your case, one of the problems seems to be the VACM config being not consistent with the community mapping. The latter uses a non-empty SNMPv3 context and the first requires an empty context (using exact match).
Another problem might be using security model 0 in a row index (that does not work - see also the corresponding RFC, definition of vacmSecurityModel).
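One way to do the "on paper" check described above, as an added example (not SNMP4J code and not from this thread): a small model of the lookup chain from community mapping to VACM group, access row and view, returning RFC 3415 status names. The class and function names are hypothetical and the sample values are taken from the posts above; as simplifications, access rows must match the security model exactly and view masks are ignored.

```python
from dataclasses import dataclass, field

EXACT, PREFIX = 1, 2      # vacmAccessContextMatch
V1, V2C, USM = 1, 2, 3    # SnmpSecurityModel
NOAUTH_NOPRIV = 1         # securityLevel of every v1/v2c request


@dataclass
class Access:
    group: str
    context_prefix: str
    sec_model: int
    sec_level: int
    match: int
    read_view: str


@dataclass
class Config:
    communities: dict = field(default_factory=dict)  # community -> (securityName, contextName)
    groups: dict = field(default_factory=dict)       # (securityModel, securityName) -> group
    access: list = field(default_factory=list)       # Access rows
    views: dict = field(default_factory=dict)        # viewName -> [(subtree, included)]


def oid(text):
    return tuple(int(arc) for arc in text.split("."))


def check_read(cfg, community, sec_model, target):
    """Walk the lookup chain for a v1/v2c read; return (status, detail)."""
    if community not in cfg.communities:
        return "unknownCommunity", community
    sec_name, context = cfg.communities[community]
    group = cfg.groups.get((sec_model, sec_name))
    if group is None:
        return "noGroupName", f"securityName={sec_name} securityModel={sec_model}"
    rows = [a for a in cfg.access
            if a.group == group and a.sec_model == sec_model
            and a.sec_level <= NOAUTH_NOPRIV
            and (context == a.context_prefix
                 or (a.match == PREFIX and context.startswith(a.context_prefix)))]
    if not rows:
        return "noAccessEntry", f"group={group} context={context!r}"
    # Prefer exact context match, then the longest prefix, then the highest level.
    best = max(rows, key=lambda a: (a.match == EXACT, len(a.context_prefix), a.sec_level))
    families = [(oid(subtree), inc) for subtree, inc in cfg.views.get(best.read_view, [])]
    if not families:
        return "noSuchView", best.read_view
    wanted = oid(target)
    covering = [(s, inc) for s, inc in families if wanted[:len(s)] == s]
    if not covering:
        return "notInView", best.read_view
    _, included = max(covering, key=lambda fam: (len(fam[0]), fam[0]))
    return ("accessAllowed" if included else "notInView"), best.read_view


def lint(cfg):
    """Static findings that break the chain regardless of the request."""
    findings = []
    for (model, name), group in cfg.groups.items():
        if model == 0:  # vacmSecurityModel may not take the 'any' (0) value
            findings.append(f"group row for {name}: securityModel 0 is not a valid index")
        if not any(a.group == group for a in cfg.access):
            findings.append(f"group {group}: no access row")
    for community, (name, _) in cfg.communities.items():
        if not any(n == name for _, n in cfg.groups):
            findings.append(f"community {community}: securityName {name} has no group")
    for row in cfg.access:
        if row.read_view not in cfg.views:
            findings.append(f"access row for {row.group}: view {row.read_view} undefined")
    return findings


def thread_config(context_name):
    """Values as posted in the thread; only the community's context name varies."""
    return Config(
        communities={"agnes": ("public", context_name)},
        groups={(V2C, "public"): "public"},
        access=[Access("public", "", V2C, NOAUTH_NOPRIV, EXACT, "internet")],
        views={"internet": [("1.3.6.1", True)]},
    )


if __name__ == "__main__":
    for ctx in ("agnes", ""):
        cfg = thread_config(ctx)
        print(repr(ctx), check_read(cfg, "agnes", V2C, "1.3.6.1.2.1.1.1"), lint(cfg))
```
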

Thanks for the tips, Frank. I will look into our configuration.

Frank
It seems like every time I see the following message, my snmpwalk request will fail. Why is the agent looking for public, SHADES at the beginning?

[DEBUG] 09-Jan-2020::11:32:42,248 Log4j2LogAdapter pool-2-thread-3: - VACM access requested for context=, securityName=public, securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
[DEBUG] 09-Jan-2020::11:32:42,248 Log4j2LogAdapter pool-2-thread-3: - No group name for securityName=public and securityModel=2
[WARN] 09-Jan-2020::11:32:42,249 Log4j2LogAdapter pool-2-thread-3: - Access denied by VACM for 1.3.6.1.6.3.1.1.5.1
[DEBUG] 09-Jan-2020::11:32:42,249 Log4j2LogAdapter pool-2-thread-3: - VACM access requested for context=, securityName=public, securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
[DEBUG] 09-Jan-2020::11:32:42,249 Log4j2LogAdapter pool-2-thread-3: - No group name for securityName=public and securityModel=2
[WARN] 09-Jan-2020::11:32:42,249 Log4j2LogAdapter pool-2-thread-3: - Access denied by VACM for 1.3.6.1.6.3.1.1.5.1
[DEBUG] 09-Jan-2020::11:32:42,249 Log4j2LogAdapter pool-2-thread-3: - VACM access requested for context=, securityName=SHADES, securityModel=3, securityLevel=3, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
[DEBUG] 09-Jan-2020::11:32:42,249 Log4j2LogAdapter pool-2-thread-3: - No group name for securityName=SHADES and securityModel=3
[WARN] 09-Jan-2020::11:32:42,249 Log4j2LogAdapter pool-2-thread-3: - Access denied by VACM for 1.3.6.1.6.3.1.1.5.1
[DEBUG] 09-Jan-2020::11:32:42,249 Log4j2LogAdapter pool-2-thread-3: - VACM access requested for context=, securityName=public, securityModel=1, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
[DEBUG] 09-Jan-2020::11:32:42,250 Log4j2LogAdapter pool-2-thread-3: - No group name for securityName=public and securityModel=1
[WARN] 09-Jan-2020::11:32:42,250 Log4j2LogAdapter pool-2-thread-3: - Access denied by VACM for 1.3.6.1.6.3.1.1.5.1

I also tried the following

  1. If I use your AgentConfig properties file and only change the community to “agnes”, then my snmpwalk will work:
     snmp4j.agent.cfg.index.1.3.6.1.6.3.18.1.1.1.0={o}'agnes'
     snmp4j.agent.cfg.value.1.3.6.1.6.3.18.1.1.1.0.0={s}agnes
  2. If I use your AgentConfig properties file and, after the agent starts, I add my security vacm/community on top of your config in the properties, I get more logging:

[DEBUG] 09-Jan-2020::11:28:50,616 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Received message from /127.0.0.1/49419 with length 41: 30:27:02:01:01:04:05:61:67:6e:65:73:a1:1b:02:04:35:3a:b4:31:02:01:00:02:01:00:30:0d:30:0b:06:07:2b:06:01:02:01:01:01:05:00
[DEBUG] 09-Jan-2020::11:28:50,616 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[893039665], stateReference=StateReference[msgID=0,pduHandle=PduHandle[893039665],securityEngineID=null,securityModel=null,securityName=agnes,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GETNEXT[requestID=893039665, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.1 = Null]], messageProcessingModel=1, securityName=agnes, processed=false, peerAddress=127.0.0.1/49419, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@51de9ef4, tmStateReference=null]
[DEBUG] 09-Jan-2020::11:28:50,616 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Looking up coexistence info for ‘agnes’
[DEBUG] 09-Jan-2020::11:28:50,616 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Found coexistence info for ‘agnes’=CoexistenceInfo[securityName=public,contextEngineID=32473,contextName=null,transportTag=]
[DEBUG] 09-Jan-2020::11:28:50,617 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Address 127.0.0.1/49419 passes filter, because source address filtering is disabled
[DEBUG] 09-Jan-2020::11:28:50,617 Log4j2LogAdapter SnmpApp.0: - Found group name ‘public’ for secName ‘public’ and secModel 2
[DEBUG] 09-Jan-2020::11:28:50,617 Log4j2LogAdapter SnmpApp.0: - Got views [DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.2.1,values=[1, internet, null, internet, 4, 1]] for group name ‘public’
[DEBUG] 09-Jan-2020::11:28:50,617 Log4j2LogAdapter SnmpApp.0: - Matching against access entry DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.2.1,values=[1, internet, null, internet, 4, 1] with exactContextMatch=false, prefixMatch=false, matchSecModel=true and matchSecLevel=true
[DEBUG] 09-Jan-2020::11:28:50,617 Log4j2LogAdapter SnmpApp.0: - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=null,lowerBound=1.3.6.1.2.1.1.1,lowerIncluded=false,upperBound=null,upperIncluded=false] from 1.3.6.1.2.1.1.1 = Null
[DEBUG] 09-Jan-2020::11:28:50,617 Log4j2LogAdapter SnmpApp.0: - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=null,lowerBound=1.3.6.1.2.1.1.1,lowerIncluded=false,upperBound=null,upperIncluded=false],vb=1.3.6.1.2.1.1.1 = Null,status=RequestStatus{processed=false, phaseComplete=false, errorStatus=0},query=null,index=0,targetMO=null]]
[DEBUG] 09-Jan-2020::11:28:50,618 Log4j2LogAdapter SnmpApp.0: - Sending message to 127.0.0.1/49419 with length 41: 30:27:02:01:01:04:05:61:67:6e:65:73:a2:1b:02:04:35:3a:b4:31:02:01:10:02:01:01:30:0d:30:0b:06:07:2b:06:01:02:01:01:01:05:00
[DEBUG] 09-Jan-2020::11:28:50,618 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Received message from /127.0.0.1/49419 with length 41: 30:27:02:01:01:04:05:61:67:6e:65:73:a0:1b:02:04:35:3a:b4:32:02:01:00:02:01:00:30:0d:30:0b:06:07:2b:06:01:02:01:01:01:05:00
[DEBUG] 09-Jan-2020::11:28:50,619 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[893039666], stateReference=StateReference[msgID=0,pduHandle=PduHandle[893039666],securityEngineID=null,securityModel=null,securityName=agnes,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=893039666, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.1 = Null]], messageProcessingModel=1, securityName=agnes, processed=false, peerAddress=127.0.0.1/49419, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@51de9ef4, tmStateReference=null]
[DEBUG] 09-Jan-2020::11:28:50,619 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Looking up coexistence info for ‘agnes’
[DEBUG] 09-Jan-2020::11:28:50,619 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Found coexistence info for ‘agnes’=CoexistenceInfo[securityName=public,contextEngineID=32473,contextName=null,transportTag=]
[DEBUG] 09-Jan-2020::11:28:50,619 Log4j2LogAdapter DefaultUDPTransportMapping_127.0.0.1/161: - Address 127.0.0.1/49419 passes filter, because source address filtering is disabled
[DEBUG] 09-Jan-2020::11:28:50,619 Log4j2LogAdapter SnmpApp.0: - Found group name ‘public’ for secName ‘public’ and secModel 2
[DEBUG] 09-Jan-2020::11:28:50,620 Log4j2LogAdapter SnmpApp.0: - Got views [DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.2.1,values=[1, internet, null, internet, 4, 1]] for group name ‘public’
[DEBUG] 09-Jan-2020::11:28:50,620 Log4j2LogAdapter SnmpApp.0: - Matching against access entry DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.2.1,values=[1, internet, null, internet, 4, 1] with exactContextMatch=false, prefixMatch=false, matchSecModel=true and matchSecLevel=true
[DEBUG] 09-Jan-2020::11:28:50,620 Log4j2LogAdapter SnmpApp.0: - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=null,lowerBound=1.3.6.1.2.1.1.1,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1,upperIncluded=true] from 1.3.6.1.2.1.1.1 = Null
[DEBUG] 09-Jan-2020::11:28:50,620 Log4j2LogAdapter SnmpApp.0: - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=null,lowerBound=1.3.6.1.2.1.1.1,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1,upperIncluded=true],vb=1.3.6.1.2.1.1.1 = Null,status=RequestStatus{processed=false, phaseComplete=false, errorStatus=0},query=null,index=0,targetMO=null]]
[DEBUG] 09-Jan-2020::11:28:50,620 Log4j2LogAdapter SnmpApp.0: - Sending message to 127.0.0.1/49419 with length 41: 30:27:02:01:01:04:05:61:67:6e:65:73:a2:1b:02:04:35:3a:b4:32:02:01:10:02:01:01:30:0d:30:0b:06:07:2b:06:01:02:01:01:01:05:00
Could you tell me what are the necessary group names required for the agent to work?

Thanks
Agnes

Frank

I found the 0 was from the other internal mapping, which means “any”; in other words, it could be v1, v2 and usm. I made the change to addAccess to add v1, v2, and usm individually. However, fixing that is still not giving me a positive result. I also commented out all but v2. I also changed context to null instead of using my community string. I only removed community, usm and vacm from the AgentConfig properties file.
I run “snmpwalk -v 2c -c agnes 127.0.0.1 1.3.6.1.2.1.1.1” as my test string.
I have attached my test code below. I am not sure where my VACM config is inconsistent, based on my code below.

public void run() {
    agentConfigMgr.initialize();
    agentConfigMgr.setupProxyForwarder();
    registerMIBs();
    agentConfigMgr.run();
    if (agentConfigMgr.getState() == AgentConfigManager.STATE_RUNNING) {
        LOGGER.info("agent is in running state now. ");
    } else {
        LOGGER.error("agent state is " + agentConfigMgr.getState() + ", not running!");
    }
    SnmpAgentUtils.handleControllerScalars();

    configSecurity();
}

private void configSecurity() {
    // add snmp-community
    OctetString community = new OctetString("agnes".getBytes());
    OctetString secName = new OctetString("public".getBytes());
    getAgentConfigManager().getSnmpCommunityMIB().addSnmpCommunityEntry(community, community, secName,
        SnmpAgent.getInstance().getAgnetEngineId(), null, new OctetString(), StorageType.permanent);

    // add vacm
    OctetString groupName = new OctetString("public".getBytes());
    OctetString securityName = new OctetString("public".getBytes());
    // getAgentConfigManager().getVacmMIB().addGroup(1, securityName, groupName, StorageType.permanent);
    getAgentConfigManager().getVacmMIB().addGroup(2, securityName, groupName, StorageType.permanent);

    OctetString contextPrefix = OctetString.fromByteArray(new byte[0]);
    int match = 1;
    int securityLevel = 1;
    OctetString readView = new OctetString("internet".getBytes());
    OctetString writeView = null;
    OctetString notifyView = new OctetString("internet".getBytes());
    // getAgentConfigManager().getVacmMIB().addAccess(groupName, contextPrefix, 1, securityLevel, match, readView,
    // writeView, notifyView, StorageType.permanent);
    getAgentConfigManager().getVacmMIB().addAccess(groupName, contextPrefix, 2, securityLevel, match, readView,
        writeView, notifyView, StorageType.permanent);
    // getAgentConfigManager().getVacmMIB().addAccess(groupName, contextPrefix, 3, securityLevel, match, readView,
    // writeView, notifyView, StorageType.permanent);

    // 1.3.6.1
    int[] oids = { 1, 3, 6, 1 };
    getAgentConfigManager().getVacmMIB().addViewTreeFamily(new OctetString("internet".getBytes()), new OID(oids),
        null, 1, StorageType.permanent);

    // add usm
    // UsmUser user = new UsmUser(new OctetString("initial".getBytes()), AuthSHA.ID,
    // new OctetString("GoTellMom".getBytes()), PrivDES.ID, new OctetString("GoTellMom".getBytes()),
    // getAgnetEngineId());
    // getAgentConfigManager().getUsm().addUser(user);
}

You define the group names yourself freely. There are no standard group names.