Since version 2.0, SNMP4J and SNMP4J-Agent support TLS. This How-To describes how those SNMP4J APIs are configured to use TLS.

How to configure SNMP4J to use TLS?

The following steps prepare the SNMP4J API for TLS usage:

  • The SNMP TLS Transport Model (TLSTM) uses certificate-based authentication, so we need to configure a trust store for client authentication (SNMP command generator) and a key store (SNMP command responder) through the following JVM system properties:
-Djavax.net.ssl.trustStore=<trustStoreFilePath> -Djavax.net.ssl.trustStorePassword=<trustStorePassword> -Djavax.net.ssl.keyStore=<keyStoreFilePath> 
-Djavax.net.ssl.keyStorePassword=<keyStorePassword>
  • Create the TLSTM TransportMapping (which may be used with TlsAddress classes only) and set its SecurityCallback for authentication of remote certificates and selecting the local certificate to be used by the TLSTM for client authentication:
// imports used by the snippets in this How-To:
import org.snmp4j.*;
import org.snmp4j.mp.MPv3;
import org.snmp4j.security.*;
import org.snmp4j.smi.*;
import org.snmp4j.transport.*;
import org.snmp4j.transport.tls.DefaultTlsTmSecurityCallback;

// create the TLS transport mapping:
AbstractTransportMapping transport = new TLSTM();

// set the security callback (only required for command responder, 
// but also recommended for command generators) - 
// the callback will be configured later:
DefaultTlsTmSecurityCallback securityCallback = new DefaultTlsTmSecurityCallback();
((TLSTM)transport).setSecurityCallback(securityCallback);
MessageDispatcher md = new MessageDispatcherImpl();
// we need MPv3 for TLSTM (keep a reference, its engine ID is needed for the TSM below):
MPv3 mpv3 = new MPv3();
md.addMessageProcessingModel(mpv3);

Snmp snmp = new Snmp(md, transport);

// create and initialize the TransportSecurityModel TSM:
SecurityModels.getInstance().addSecurityModel(new TSM(new OctetString(mpv3.getLocalEngineID()), false));

// do not forget to listen for responses:
snmp.listen();

  • Create a target and set its address if the SNMP instance is command generator:
String sn = "myTlsSecurityName";
CertifiedTarget ct = new CertifiedTarget(new OctetString(sn));
ct.setSecurityModel(SecurityModel.SECURITY_MODEL_TSM);
ct.setAddress(GenericAddress.parse("tls:127.0.0.1/161"));
// add the distinguished name (DN) of the certificates we want to accept as peer:
securityCallback.addAcceptedSubjectDN("EMAILADDRESS=info@company.com, C=US, CN=Foo Bar");
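A pre-flight check for the steps above, as an added example that is not part of the original page or of SNMP4J: it loads the stores named by the javax.net.ssl.* properties from the first step and lists each certificate with its subject DN and validity, so a wrong path, wrong password, expired certificate or mistyped DN shows up before the TLS handshake fails. The class name TlsStoreCheck is hypothetical, and it is an assumption that the DN string printed here is the form addAcceptedSubjectDN() compares against.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (not SNMP4J code): inspects the stores configured in step one.
public class TlsStoreCheck {

    // Loads the store whose path and password are given by the named system properties.
    static KeyStore load(String pathProp, String passProp) throws Exception {
        String path = System.getProperty(pathProp);
        if (path == null) {
            throw new IllegalStateException("-D" + pathProp + " is not set");
        }
        String pass = System.getProperty(passProp, "");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray()); // fails on a wrong password or corrupt file
        }
        return ks;
    }

    // Prints alias, entry kind, subject DN and validity of every X.509 entry.
    static void dump(String label, KeyStore ks) throws Exception {
        System.out.println(label + " (" + ks.size() + " entries)");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String kind = ks.isKeyEntry(alias) ? "private key" : "trusted cert";
            String state;
            try { x.checkValidity(); state = "valid until " + x.getNotAfter(); }
            catch (CertificateException e) { state = "NOT VALID: " + e.getMessage(); }
            // Assumption: this rendering is the form addAcceptedSubjectDN() expects.
            System.out.println("  " + alias + " [" + kind + "] "
                    + x.getSubjectX500Principal() + " (" + state + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        dump("Trust store", load("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword"));
        dump("Key store", load("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword"));
    }
}
```

Run it with the same -Djavax.net.ssl.* options as the SNMP application. The key store should show at least one "private key" entry, since that is the certificate the local side presents.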

 

 
