How do you use asymmetric keys or certificate authentication in SNMP4J?

Views: 308

Question


I am working on a project that would like to be able to use certificates or keys as a method of authentication for SNMPv3. We are using the java library SNMP4J.


During my research I have found that SNMP uses TLS/DTLS for message encryption and supposedly also for authentication. Source 1 | Source 2 | Source 3


Looking into the little documentation SNMP4J has, I found that it allows the usage of TLS certificates for encrypting traffic. But I am not sure how the authentication is done, if possible, using a public/private key pair. TLS Traffic Encryption Example | SNMP4J Documentation

Any help would be greatly appreciated.

Answer


I was able to authenticate using a similar method as described in the example TLS Traffic Encryption Example.


So as one would expect from the example, I can confirm that SNMP4J uses the keystore set in the Java Properties javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore, and javax.net.ssl.trustStorePassword.


Below are the changes I made to the example to make it work.


The alias (or security name in the documentation) needs to be set in the CertifiedTarget constructor so it knows which certificate to use.

 CertifiedTarget ct = new CertifiedTarget(new OctetString(alias));


The security level must be set or the SNMP agent will complain and fail authentication.

 ct.setSecurityLevel(SecurityLevel.AUTH_PRIV);


The SecurityCallback subject DN must match the server certificate subject EXACTLY the way it wants otherwise it will deny all responses.

 securityCallback.addAcceptedSubjectDN("EMAILADDRESS=admin@net-snmp.org, CN=snmpagent, OU=Development, O=Net-SNMP, L=Davis, ST=CA, C=US");


Lastly, you must register the server public certificate alias (Security Name) with the address.

 securityCallback.addLocalCertMapping(ct.getAddress(), "snmpagent");


It comes together to look something like this.

// Imports the snippet needs (SNMP4J 2.x package layout):
import org.snmp4j.CertifiedTarget;
import org.snmp4j.MessageDispatcher;
import org.snmp4j.MessageDispatcherImpl;
import org.snmp4j.PDU;
import org.snmp4j.ScopedPDU;
import org.snmp4j.Snmp;
import org.snmp4j.event.ResponseEvent;
import org.snmp4j.mp.MPv3;
import org.snmp4j.mp.SnmpConstants;
import org.snmp4j.security.SecurityLevel;
import org.snmp4j.security.SecurityModel;
import org.snmp4j.security.SecurityModels;
import org.snmp4j.security.TSM;
import org.snmp4j.smi.GenericAddress;
import org.snmp4j.smi.OID;
import org.snmp4j.smi.OctetString;
import org.snmp4j.smi.VariableBinding;
import org.snmp4j.transport.TLSTM;
import org.snmp4j.transport.tls.DefaultTlsTmSecurityCallback;

// Values left to the reader: KEYSTORE_DIR (path of the keystore file holding the client key
// and the agent certificate), myAddress (the agent's TLS address as a String in the
// "tls:<host>/<port>" form GenericAddress.parse understands), someOid (the OID to read, as a String).

// Set java keystore manually
System.setProperty("javax.net.ssl.keyStore", KEYSTORE_DIR);
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.trustStore", KEYSTORE_DIR);
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

// create the TLS transport mapping:
TLSTM transport = new TLSTM();

// set the security callback (only required for command responder,
// but also recommended for command generators) -
// the callback will be configured later:
DefaultTlsTmSecurityCallback securityCallback = new DefaultTlsTmSecurityCallback();
transport.setSecurityCallback(securityCallback);
MessageDispatcher md = new MessageDispatcherImpl();
// we need MPv3 for TLSTM:
MPv3 mpv3 = new MPv3();
md.addMessageProcessingModel(mpv3);

Snmp snmp = new Snmp(md, transport);

// create and initialize the TransportSecurityModel TSM:
SecurityModels.getInstance().addSecurityModel(new TSM(new OctetString(mpv3.getLocalEngineID()), false));

// do not forget to listen for responses:
snmp.listen();

// the identity is the keystore alias of the client's own certificate/key pair:
CertifiedTarget ct = new CertifiedTarget(new OctetString("alias"));
ct.setVersion(SnmpConstants.version3);
ct.setSecurityModel(SecurityModel.SECURITY_MODEL_TSM);
ct.setAddress(GenericAddress.parse(myAddress));
ct.setSecurityLevel(SecurityLevel.AUTH_PRIV);

// the accepted subject DN must be the agent certificate's subject, character for character:
securityCallback.addAcceptedSubjectDN("EMAILADDRESS=admin@net-snmp.org, CN=snmpagent, OU=Development, O=Net-SNMP, L=Davis, ST=CA, C=US");
securityCallback.addLocalCertMapping(ct.getAddress(), "snmpagentalias");

PDU pdu = new ScopedPDU();
pdu.add(new VariableBinding(new OID(someOid)));
pdu.setType(PDU.GET);

// send() throws IOException; getResponse() returns null when the request timed out
ResponseEvent response = snmp.send(pdu, ct);
PDU responsePdu = response.getResponse();


You also have to make sure all the certificates are properly configured so that it actually takes them.


As a side-note, in the discovery of this my team and I discovered several bugs in the TLS handling by SNMP4J, mostly in the transport layer. It seems to be a timing issue (race condition maybe?) where it will get the SNMP data but then ignore it. We were able to get around it by setting the CertifiedTarget timeout and retries really high. We will officially report on this when we have more information.
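As an added check (not code from the question, the answer, or the SNMP4J project): this standalone class reads the key store and trust store from the same four javax.net.ssl properties and prints the private-key aliases (the candidates for the CertifiedTarget identity) together with each trusted certificate's subject DN as rendered by getSubjectDN().getName(). It assumes that rendering is the one the security callback compares against; the spacing and the EMAILADDRESS keyword in the answer's DN string match it, unlike the RFC 2253 form returned by X500Principal.getName().

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added check: lists what the TLSTM setup above needs from the two stores. */
public class SnmpTlsStoreCheck {
    /** Aliases holding a private key: the candidates for the CertifiedTarget identity. */
    static List<String> keyAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) out.add(alias);
        }
        return out;
    }

    /** Subject DN of every trusted certificate, rendered by getSubjectDN().getName().
     *  Assumption: this rendering ("EMAILADDRESS=..., CN=..., ...") is what the
     *  security callback compares against; X500Principal.getName() would give the
     *  RFC 2253 form without spaces and with EMAILADDRESS as an OID, which would not match. */
    static List<String> trustedSubjectDns(KeyStore ts) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) {
                out.add(alias + " -> " + ((X509Certificate) c).getSubjectDN().getName());
            }
        }
        return out;
    }

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Run with the same -Djavax.net.ssl.* properties the SNMP4J code sets.
    public static void main(String[] args) throws Exception {
        KeyStore ks = load(System.getProperty("javax.net.ssl.keyStore"), System.getProperty("javax.net.ssl.keyStorePassword"));
        KeyStore ts = load(System.getProperty("javax.net.ssl.trustStore"), System.getProperty("javax.net.ssl.trustStorePassword"));
        System.out.println("Private-key aliases: " + keyAliases(ks));
        System.out.println("Trusted subject DNs (paste verbatim into addAcceptedSubjectDN): " + trustedSubjectDns(ts));
    }
}
```

If the alias you pass to CertifiedTarget is not in the first list, or the DN you pass to addAcceptedSubjectDN differs from the second list by even one space, the TLS session will be refused before any SNMP authentication happens.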

