Since version 23.0, SNMP4J and SNMP4J-Agent support TLS. This How-To describes how those SNMP4J APIs are configured to use TLS.
...
```shell
keytool -keystore dtls-cert.ks -alias dtls-snmp4j-test -storepass snmp4j -keypass snmp4j \
  -genkeypair -keyalg RSA -keysize 20484096 -validity 5000 \
  -dname "CN=www.snmp4j.org, OU=Unit-Test, O=AGENTPP, L=Stuttgart, S=Baden-Wuerttemberg, C=DE" \
  -ext "san=dns:localhost,ip:127.0.0.1"
```
The following steps then prepare the SNMP4J API for TLS usage:
...
```java
String sn = "myTlsSecurityName";
CertifiedTarget ct = new CertifiedTarget(
    GenericAddress.parse("tls:127.0.0.1/161"),
    // the (tm)SecurityName this target is addressed with
    new OctetString(sn),
    // server fingerprint (replace with the fingerprint of the server's certificate):
    OctetString.fromHexString(
        "4a:48:60:20:35:10:97:92:de:62:79:ae:85:b9:49:65:e9:03:6d:5a:f8:f3:70:41:9d:db:50:5a:76:3c:de:b5"),
    // client fingerprint; an empty string means no check of the local certificate
    new OctetString());
ct.setSecurityModel(SecurityModel.SECURITY_MODEL_TSM);
```
- If the SNMP instance is a command responder, or if one of the following applies, then configure the TlsTmSecurityCallback for the TLSTM instance (see RFC 5953):
- The Java virtual machine of the SNMP instance has a key store configured with more than one certificate (then a certificate has to be selected by the http://www.snmp4j.org/doc/org/snmp4j/transport/tls/TlsTmSecurityCallback.html#getLocalCertificateAlias(org.snmp4j.smi.Address) method).
- No trust key store has been configured or additional trusts (on top of the trust key store) should be established, for example through the mapping rules defined by RFC 5953.
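As an added example (not code from the SNMP4J project or this How-To), the following callback implements the fingerprint-to-securityName mapping described above: it accepts only peer certificates whose SHA-256 fingerprint is in an allow-list, maps them to a tmSecurityName, and selects the local key store alias. It assumes the `TlsTmSecurityCallback<X509Certificate>` method names linked above, a `TLSTM.setSecurityCallback(...)` setter, and that TLSTM reads the key store from the standard `javax.net.ssl.keyStore` system properties; the fingerprint map passed in is constructed by the caller.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Map;
import org.snmp4j.smi.Address;
import org.snmp4j.smi.OctetString;
import org.snmp4j.transport.TLSTM;
import org.snmp4j.transport.tls.TlsTmSecurityCallback;

/** Maps pinned peer certificate fingerprints to tmSecurityNames (RFC 5953 style mapping). */
public class FingerprintSecurityCallback implements TlsTmSecurityCallback<X509Certificate> {
    // SHA-256 fingerprint of a peer end certificate -> tmSecurityName (constructed by the caller)
    private final Map<OctetString, OctetString> fingerprintToSecurityName;
    private final String localAlias; // alias in the key store, e.g. "dtls-snmp4j-test" from keytool above

    public FingerprintSecurityCallback(Map<OctetString, OctetString> map, String localAlias) {
        this.fingerprintToSecurityName = map;
        this.localAlias = localAlias;
    }

    static OctetString sha256Fingerprint(X509Certificate cert) {
        try { // fingerprint over the DER encoding, the same bytes "keytool -list -v" hashes
            return new OctetString(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
        } catch (Exception e) { throw new IllegalStateException(e); }
    }

    @Override public OctetString getSecurityName(X509Certificate[] peerCertificateChain) {
        if (peerCertificateChain == null || peerCertificateChain.length == 0) return null; // no peer cert
        return fingerprintToSecurityName.get(sha256Fingerprint(peerCertificateChain[0])); // null = unmapped
    }
    @Override public boolean isClientCertificateAccepted(X509Certificate peerEndCertificate) {
        return fingerprintToSecurityName.containsKey(sha256Fingerprint(peerEndCertificate));
    }
    @Override public boolean isServerCertificateAccepted(X509Certificate[] peerCertificateChain) {
        return getSecurityName(peerCertificateChain) != null; // pinned end certificate only
    }
    @Override public boolean isAcceptedIssuer(X509Certificate issuerCertificate) {
        return false; // no CA-based trust: a certificate is accepted only by its pinned fingerprint
    }
    @Override public String getLocalCertificateAlias(Address targetAddress) {
        return localAlias; // needed when the key store holds more than one certificate
    }

    /** Builds a TLSTM that uses the key store from the keytool step and this callback. */
    static TLSTM configure(FingerprintSecurityCallback cb) throws IOException {
        System.setProperty("javax.net.ssl.keyStore", "dtls-cert.ks");
        System.setProperty("javax.net.ssl.keyStorePassword", "snmp4j");
        TLSTM tlstm = new TLSTM();
        tlstm.setSecurityCallback(cb);
        return tlstm;
    }
}
```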
...