SNMP giving authorization issues: Error in packet

Question

I have started jboss EAP 6.4 server with following parameter:

    JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc -Xloggc:"/home/sshekhar/EAP-6.4.0/test02/standalone/log/gc.log" 
-XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 
-XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Djava.awt.headless=true -XX:MaxPermSize=512m 
-XX:-UseGCOverheadLimit -Dcom.propFile=local_jboss -Dfile.encoding=UTF-8 -Dcom.sun.management.snmp.port=1610 
-Dcom.sun.management.snmp.acl.file=/home/sshekhar/.snmp/mibs/snmp.acl 
-Djboss.modules.system.pkgs=org.jboss.byteman,org.jboss.logmanager -Djava.awt.headless=true -Djava.util.logging.manager=org.jboss.logmanager.LogManager 
-Xbootclasspath/p:/home/sshekhar/EAP-6.4.0/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-1.5.4.Final-redhat-1.jar

Server starts successfully.

I am running command: snmpwalk -c public -v 2c 127.0.0.1:1610

It gives

Error in packet.
Reason: authorizationError (access denied to that object)

File: /home/sshekhar/.snmp/mibs/snmp.acl has 700 access set to it.

I am new to SNMP and all I am looking forward is to configure JBoss 6.4 to use SNMP for monitoring.

Also, there is no data written in file: /home/sshekhar/.snmp/mibs/snmp.acl

Also, I created a user using

net-snmp-create-v3-user -ro -A password -X password -a MD5 -x DES myUser

Now, when I am trying to run the command snmpwalk -c public -v3 -u myUser -a MD5 -x DES -X password -A password localhost:1610 it gives me error saying snmpwalk: Unknown user name

snmpwalk -v1 -c public localhost:1610 gives no result

snmpwalk -v1 -c groupv3 localhost:1610 gives End of MIB

Can anyone please help me in understanding what might be the error and what should be my next steps to debug/resolve the issue?

Answer 1

I'm afraid I don't have an exact answer for you, but I can give you a little context about the SNMP versions-

SNMPv1 and SNMPv2c only use community string for authentication

An example SNMPv1 walk is as follows (community string is "public):

snmpwalk -v1 -c public 192.168.1.1

And an example SNMPv2c walk:

snmpwalk -v2c -c public 192.168.1.1

SNMPv3 has quite configurable authentication, using up to:

• Security name (aka username)
• Security level (noAuthNoPriv, authNoPriv, noAuthPriv, authPriv)
• Auth protocol (e.g. SHA, AES)
• Auth key (string)
• Privacy protocol (e.g. MD5, DES)
• Privacy key (string)
• (optional) Context name
• (optional Engine ID

As you can see, it can be quite complex- the "security level" is a setting that sometimes needs to be specified, it defines how much of the SNMPv3 security model you're using- if you're using an auth protocol and key and a privacy protocol and key, you'll need to use authPriv; if you're using none of those, you'll need to use noAuthNoPriv (just the security name).

An example SNMPv3 walk is as follows:

snmpwalk -v3 -u some_username -a SHA -A 'some_auth_key' -l authPriv -x AES -X 'some_privacy_key' 192.168.1.1

Basically, I'd recommend trying to setup SNMPv1 or SNMPv2c until you can get everything working nicely- I can't speak for JBoss, but on most networking devices this is simply a matter of picking an SNMP version (e.g. v2c) and specifying the read only community string (e.g. "public").

When/if you get to configuring SNMPv3, you might just have to be flexible with some of the different settings I find (again, in the context of network devices) that you won't find one setting that'll work on lots of different vendors of devices, you'll have to try some different auth protocols, different privacy protocols etc.

Best of luck!