USM as global creds storage

Hello,

I have one Snmp object for the whole application to send requests to different v3 devices.
The USM is set only once:

OctetString engineId = new OctetString(MPv3.createLocalEngineID());
USM usm = new USM(securityProtocols, engineId, 0);

During every v3 request (GET/WALK) I prepare a new UsmUser and add it to the USM’s users table:

UsmUser usmUser = new UsmUser(octetUser, authProtocolOid, octetAuthPass, privProtocolOid, octetPrivPass);
snmp.getUSM().addUser(usmUser);

I have some doubts:

  1. Does the add method work correctly if different devices have the same username but different protocols/passes? Or does it override map items by username every time?
  2. How can I correctly delete the previous usmUser if the credentials are changed on a device (I don’t want to collect unused creds in memory)?

Thank you in advance.

Please use localised USM user when possible to avoid clashes of users with the same name but different protocols and passphrases on different systems:

Using the new DirectUserTarget (SNMP4J 3.8.2) is very easy and you do not need to deal with the USM for handling authentication and privacy keys and protocols.
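An added example (not part of the original thread and not SNMP4J project code) of the engine-ID-bound approach recommended above, using the classic USM calls: the same user name is stored once per authoritative engine ID, and a credential change replaces only that device's entry. The engine IDs, user name, passphrases and class name are constructed for illustration; in practice the engine ID would come from discovery.

```java
import org.snmp4j.mp.MPv3;
import org.snmp4j.security.AuthHMAC192SHA256;
import org.snmp4j.security.PrivAES128;
import org.snmp4j.security.SecurityProtocols;
import org.snmp4j.security.USM;
import org.snmp4j.security.UsmUser;
import org.snmp4j.security.UsmUserEntry;
import org.snmp4j.smi.OctetString;

public class PerEngineUsmUsers {                       // hypothetical class name
    static UsmUser creds(OctetString name, String auth, String priv) {
        return new UsmUser(name, AuthHMAC192SHA256.ID, new OctetString(auth),
                           PrivAES128.ID, new OctetString(priv));
    }

    static void dump(String label, USM usm) {
        System.out.println(label);
        for (UsmUserEntry e : usm.getUserTable().getUserEntries()) {
            System.out.println("  engine=" + e.getEngineID().toHexString()
                               + " user=" + e.getUserName());
        }
    }

    public static void main(String[] args) {
        SecurityProtocols protocols = SecurityProtocols.getInstance();
        protocols.addAuthenticationProtocol(new AuthHMAC192SHA256());
        protocols.addPrivacyProtocol(new PrivAES128());
        USM usm = new USM(protocols, new OctetString(MPv3.createLocalEngineID()), 0);

        OctetString user = new OctetString("monitor");  // constructed user name
        // Constructed engine IDs standing in for two devices' discovered IDs.
        OctetString engineA = OctetString.fromHexString("80:00:13:70:01:c0:00:02:0a");
        OctetString engineB = OctetString.fromHexString("80:00:13:70:01:c0:00:02:0b");

        // Same user name, different passphrases: each entry is localized to
        // its engine ID, so the two devices do not overwrite each other.
        usm.addUser(user, engineA, creds(user, "constructed-auth-A", "constructed-priv-A"));
        usm.addUser(user, engineB, creds(user, "constructed-auth-B", "constructed-priv-B"));
        dump("after adding both devices:", usm);

        // Credentials changed on device A: drop only that engine's entry
        // before adding the replacement, so stale keys do not stay in memory.
        usm.removeAllUsers(user, engineA);
        usm.addUser(user, engineA, creds(user, "constructed-auth-A2", "constructed-priv-A2"));
        dump("after rotating device A:", usm);
    }
}
```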

Hello,

Does snmp.discoverAuthoritativeEngineID(target.getAddress(), target.getTimeout()) not only return the engineId for the current target, but also add it to the core engineIds table?

Because if it does not, how does a get/walk request understand that the set target is known and the creds (to it) are known inside the Snmp object?

Regards.

It does not (like ping does not use any authentication or privacy). It simply checks if the agent is there and responding and if in theory SNMPv3 can be used (anything else should be used in production anyway).

Hello,

Do I understand correctly that if we have a DirectUserTarget based on engineID = snmp.discoverAuthoritativeEngineID(address, timeout), we don’t need the additional step “prepareUsmLocalizedUser” at all, because DirectUserTarget does it all behind the scenes?

Regards.

Yes, that is correct.
See also the fluent example on snmp4j.org main page. It is using the DirectUserTarget internally too.

Thanks for the info above.

If we speak about the SNMPv3 “context”, can UserTarget store it somehow, or should only the PDU?

Regards.

Only the ScopedPDU stores context information.

Hi,

Fluent is good, but how do I set non-standard protocols in addition to “maxCompatibility”?
Snmp snmp = snmpBuilder.udp().v2c().v3(MPv3.createLocalEngineID()).securityProtocols(SecurityProtocolSet.maxCompatibility).usm().build();

Thanks!

You can still add/remove security protocols at any time on the returned Snmp object with classic method calls.
I will add some fluent calls, if necessary, for the next release (3.9.0) as well.

Good news)

Because having code like the below, after getting the Snmp object with the help of “fluent”, looks painful:

Snmp snmp = snmpBuilder
        ...
        .securityProtocols(SecurityProtocolSet.maxCompatibility)
        .build();
SecurityProtocols securityProtocols = snmp.getUSM().getSecurityProtocols();
securityProtocols.addPrivacyProtocol(new Priv3DES());
securityProtocols.addPrivacyProtocol(new PrivAES192With3DESKeyExtension());
securityProtocols.addPrivacyProtocol(new PrivAES256With3DESKeyExtension());

Thank you!