iReasoning SNMP Agent Builder FAQ
- 1. What's the difference between iReasoning Agent Builder and SNMP API?
- 2. How does iReasoning Agent Builder differentiate from other agent builder products?
- 3. What are the key features of Agent Builder?
- 4. Do SNMP security vulnerabilities reported by CERT affect iReasoning Agent Builder?
- 5. Which versions of SNMP are supported by iReasoning SNMP Agent Builder?
- 6. How's the SNMPv3 support?
- 7. Is agent compatible with JMX 1.2 spec?
- 8. Can I use other JMX implementations?
- 9. Can SNMP agent run as a JMX adaptor?
- 10. Can I stop/restart agent remotely?/ Can I change agent's port number at runtime?/ Can I change agent's logger's logging level at runtime?
- 11. What operating systems does iReasoning SNMP Agent Builder run on?
- 12. What is AgentX technology?
- 13. Are master/subagents interoperable with SMUX agents?
- 14. Are master or subagent interoperable with subagent or master agent from other vendors?
- 15. I understand that your agent is written in Java, so can it communicate with C/C++ or VB programs?
- 16. Can a subagent connect to multiple master agents?
- 17. Can multiple subagents run on one machine?
- 18. How do I migrate code from version 2.x to 3.x?
- 19. How do I migrate code from version 3.x to 4.0?
- 20. What's the difference between master agent and proxy forwarder?
- 21. I don't want to see log message, can I disable Logger?
- 22. Can I put config files in a directory other than "./config"?
- 23. I want to use agent config to persist more info. Can I add more entries to agent config file?
- 24. When I ran an SNMP agent built with agent builder on Solaris, I got "BindException: Permission denied ", why?
- 25. Can I use log4j for logging instead of your Logger?
- 26. How can I integrate iReasoning SNMP agent with JBoss?
- 27. The passwords are stored in plain text in the config file, this could pose a security risk if someone were to casually open them up or break into a machine that was the DMZ host and also running an agent. So how can I make passwords encrypted in config file?
- 28. Does your SNMP Agent Builder support IPv6?
- 29. What is AES standard? And how does 128-bit AES encryption compare to DES?
- 30. How can I store config settings in database?
- 31. I have a MIB table which can grow to thousands of rows so it can potentially use up all the memory. How can I handle it?
- 32. Do I need to write C/C++ code if I want to build a Windows Extension Agent?
- 33. Why sometimes java.lang.IllegalAccessError exception occurs if I put SNMP API and Agent Builder's jar files in the classpath?
Q. How does iReasoning Agent Builder differentiate from other agent builder products?
- High performance agent
- The first Java SNMP product to support both DES and strong 128-bit AES encryption algorithms
- Conforms to RFCs. Many competitors do not really understand the RFCs and have incorrect implementations
- Dramatically reduces the complexity of agent development. Most complex agent functionality is already built into base classes
- Support master and subagent architecture based on standard AgentX protocol
- Agent has small footprint, compared with other Java based SNMP agents
Q. What are the key features of Agent Builder?
- The first Java SNMP product to support both DES and strong 128-bit AES encryption algorithms
- Complete SNMPv1, v2c and v3 (USM and VACM) support
- Complete SNMPv3 USM support, including HMAC-MD5, HMAC-SHA, CBC-DES, CFB128-AES-128, CFB128-AES-192, CFB128-AES-256 algorithms
- Support for master/subagent architecture based on standard AgentX technology
- Support for building Windows Extension Agent
- Intuitive GUI tool for automatically generating java source code from MIBs
- Greatly reduces complexity of agent development. Many tricky SNMP issues are hidden from developers.
- Many optimization techniques are employed to create high performance agents
- Conformance to SNMP RFCs
- Support for dynamic row creation and deletion
- Small-footprint agents
- IPv6 support
- Easy-to-understand configuration file format
- Re-configurable at run time
- Multihome Interfaces support
Q. Do SNMP security vulnerabilities reported by CERT affect iReasoning Agent Builder?
VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling
SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers must properly decode trap messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages.
iReasoning SNMP agent builder successfully passed all the 24100 tests in OUSPG test suite! We conclude this advisory does not affect agent builder.
VU#854306 - Multiple vulnerabilities in SNMPv1 request handling
SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages.
Agents developed with Agent Builder successfully passed all tests in the OUSPG test suite! We conclude this advisory does not affect agents built with iReasoning SNMP Agent Builder.
VU#878044 - SNMPv3 improper HMAC validation allows authentication bypass
Overview of this vulnerability:
A vulnerability in the way implementations of SNMPv3 handle specially crafted packets may allow authentication bypass.
Agents developed with any version of SNMP Agent Builder are not affected by this vulnerability.
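The receive-side check that VU#878044 concerns, as an added example written against the standard JCA classes (it is not iReasoning code). RFC 3414 fixes msgAuthenticationParameters at 12 octets for HMAC-MD5-96 and HMAC-SHA-96, so the received field is length-checked against that constant before a constant-time comparison. The key and message bytes are constructed, and the caller is assumed to pass the message with its authentication field already zeroed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class UsmAuthCheck {
    // RFC 3414: HMAC-MD5-96 and HMAC-SHA-96 both transmit exactly 12 octets.
    static final int AUTH_PARAM_LEN = 12;

    /** First 12 octets of the HMAC over the message (auth field already zeroed). */
    static byte[] expectedMac(String alg, byte[] authKey, byte[] zeroedMsg) throws Exception {
        Mac mac = Mac.getInstance(alg);               // "HmacMD5" or "HmacSHA1"
        mac.init(new SecretKeySpec(authKey, alg));
        return Arrays.copyOf(mac.doFinal(zeroedMsg), AUTH_PARAM_LEN);
    }

    /** True only if the received field is a full-length, matching HMAC. */
    static boolean verify(String alg, byte[] authKey, byte[] zeroedMsg, byte[] received)
            throws Exception {
        // The length comes from the protocol constant, never from the packet:
        // a short or empty field is rejected before any bytes are compared.
        if (received == null || received.length != AUTH_PARAM_LEN) {
            return false;
        }
        // MessageDigest.isEqual compares in constant time for equal lengths.
        return MessageDigest.isEqual(expectedMac(alg, authKey, zeroedMsg), received);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[20];                    // constructed localized key
        Arrays.fill(key, (byte) 0x0b);
        byte[] msg = "constructed SNMPv3 message".getBytes(StandardCharsets.US_ASCII);

        byte[] full = expectedMac("HmacSHA1", key, msg);
        byte[] shortened = Arrays.copyOf(full, 1);    // field shorter than 12 octets
        byte[] altered = full.clone();
        altered[11] ^= 0x01;                          // right length, wrong last octet

        System.out.println("full:      " + verify("HmacSHA1", key, msg, full));
        System.out.println("shortened: " + verify("HmacSHA1", key, msg, shortened));
        System.out.println("altered:   " + verify("HmacSHA1", key, msg, altered));
        System.out.println("empty:     " + verify("HmacSHA1", key, msg, new byte[0]));
    }
}
```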
Q. How's the SNMPv3 support?
A. iReasoning SNMP Agent Builder fully supports SNMPv3, including the complete USM security model (HMAC-MD5, HMAC-SHA, CBC-DES, CFB128-AES-128, CFB128-AES-192, CFB128-AES-256) and VACM. It has successfully passed a number of interoperability tests with other SNMPv3 vendors and their SNMPv3 implementations. Now it is used as a de-facto reference SNMPv3 implementation for other implementers.
Q. Can I use other JMX implementations?
A. Yes. We currently use the MX4J JMX implementation in Agent Builder, but it also works with other JMX implementations such as the SUN JMX reference implementation. To switch to another JMX implementation, you just need to place its jar file before our snmpagent.jar in your classpath.
Q. Can SNMP agent run as a JMX adaptor?
A. The iReasoning Agent architecture is based on JMX technology. The agent can run as a standalone application, as an SNMP agent service inside an application, or as a JMX adaptor. Please refer to the example code at examples/agent/mib2/AgentMX4J.java for details. You can point a web browser at port 8000 to view the currently registered MBeans (for instance, if your AgentMX4J runs at localhost, browse to http://localhost:8000).
Q. Can I stop/restart agent remotely?/ Can I change agent's port number at runtime?/ Can I change agent's logger's logging level at runtime?
A. Yes to all these questions. First, you need to start a server which makes MBeans remotely accessible. One approach is to start an HTTP adaptor such as HttpAdaptor (included in MX4J) or HtmlAdaptor (included in SUN's JMX RI), so you can use a web browser to remotely manage agents. Check out the AgentMX4J.java and JMXAdaptor.java examples for details. Another approach is to start the JRMP adaptor of MX4J (the startJRMPAdaptor method in AgentMX4J.java), and then use a client such as MC4J to monitor and control the agent via RMI. A screenshot of MC4J is shown below.
Q. What is AgentX technology?
A. Agent eXtensibility (AgentX) is a standard protocol that addresses a very real need to dynamically extend the managed objects in a node. The protocol allows you to have a single SNMP agent and several subagents that can connect and register managed objects without interrupting the management service.
AgentX is the first IETF standards-track specification for extensible SNMP agents and is expected to gradually replace all the other open and proprietary agent extensibility solutions (such as SMUX, DPI etc.).
For details about the AgentX, please refer to RFC 2741.
Q. Are master or subagents interoperable with subagent or master agent from other vendors?
A. A master or subagent built with Agent Builder should be able to interoperate with other AgentX based agents, no matter what language (C, Java, ...) they use. Net-snmp's snmpd version 5+ is reported to interoperate successfully with our master/subagents. (Note: net-snmp's snmpd is an SNMP daemon written in C, available on Windows and UNIX platforms.)
Q. I understand that your agent is written in Java, so can it communicate with C/C++ or VB programs?
A. Yes, it is independent of language or platform. It is interoperable with other SNMP managers as long as they conform to SNMP protocol, or other master or subagents as long as they conform to AgentX protocol.
Q. How do I migrate code from version 2.x to 3.x?
A. AgentX support is one of the major new features in 3.x. If you don't need AgentX support, no code change is required. If you plan to add master or subagent support, you just need to make the Agent class extend SnmpAgentX instead of SnmpBaseAgent, and add a few lines of code to the main method. Check the master and subagent sample code for details.
There are some minor changes in SnmpConfig.xml file. If you need to dynamically update config file, you have to replace "trapd" with "trapSink" and "snmpV3Trapd" with "snmpV3TrapSink".
Q. What's the difference between master agent and proxy forwarder?
A. An SNMP master agent can route parts of an SNMP request to multiple subagents. The subagents are completely hidden from the SNMP manager. The manager only sees a single SNMP entity, the master agent. In contrast, in a proxy forwarder application, the manager needs to be aware of all the proxied agents. It needs to build a request targeted to a single specific subagent, and it needs to include in the request some information that enables the proxy forwarder application to determine which subagent is the target of the request.
Q. Can I put config files in a directory other than "./config"?
A. Yes. For instance, if you want config files in "d:\config", just add one more Java system property on the command line:
java -Dcom.ireasoning.configDir=d:\config ...
Q. I want to use agent config to persist more info. Can I add more entries to agent config file?
A. Yes. You can add more entries to properties, trapSink and snmpV3TrapSink sections. New entries will be loaded and saved automatically. You can use SnmpAgentConfig.getProperty and TrapSink.getProperty methods to retrieve those entries.
Q. When I ran an SNMP agent built with agent builder on Solaris, I got "BindException: Permission denied", why?
A. The default agent port number is 161. You need root privilege on UNIX to run the agent on this port. Alternatively, you can change the port number in the agent config file.
Q. How can I integrate iReasoning SNMP agent with JBoss?
A. Check out the Java code and JBoss config file (jboss-service.xml) contained in jboss.zip. Basically, an MBean is created and then registered during JBoss startup, and the SNMP agent is started in this MBean's start method. snmpagent.jar needs to be included in the classpath of JBoss; for example, it can be put in the .../server/default/lib directory. The MBeanServer object ("server") must be passed to the Agent's constructor. Otherwise a new MBeanServer will be created during agent startup and it will cause JBoss to behave differently.
Q. The passwords are stored in plain text in the config file, this could pose a security risk if someone were to casually open them up or break into a machine that was the DMZ host and also running an agent. So how can I make passwords encrypted in config file?
A. All the passwords and community names can be optionally encrypted. To do that, set "encryptPasswordAndCommunity" to "yes" in the config file and enter your desired unencrypted passwords and community names. When the agent starts, all those values will be encrypted and saved to the config file, so now all passwords and community names are secure in the config file.
Q. Does your SNMP Agent Builder support IPv6?
A. Yes, if it's used with J2SDK/JRE 1.4. See "Networking IPv6 User Guide for J2SDK/JRE 1.4" for more information. As of JVM 1.4.2, supported operating systems are Solaris (ver 8 and up) and Linux (kernel 2.1.2 and up).
Q. What is AES standard? And how does 128-bit AES encryption compare to DES?
A. Excerpt from NIST (National Institute of Standards and Technology) website:
"The Advanced Encryption Standard (AES) is a new Federal Information Processing Standard (FIPS) Publication that will specify a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information. NIST also anticipates that the AES will be widely used on a voluntary basis by organizations, institutions, and individuals outside of the U.S. Government - and outside of the United States - in some cases.
The AES is being developed to replace DES, but NIST anticipates that Triple DES will remain an approved algorithm (for U.S. Government use) for the foreseeable future. Single DES is being phased out of use, and is currently permitted in legacy systems, only.
Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old."
See "The AES Cipher Algorithm in the SNMP User-based Security Model" for more details on AES in SNMP.
Q. How can I store config settings in database?
A. Config settings can be stored in an XML file, a database, or other data sources. You just need to create a subclass of DefaultAgentConfig.java and implement all the abstract methods. We provide a reference implementation of storing config settings in a database at DbConfig.java. Config settings are stored in 8 tables: properties, trapsink, snmpv3trapsink, proxy, trapproxy, user, v3group, view. The column names are the same as the ones in the XML config file. For simplicity, the data type of all those columns is varchar.
Q. I have a MIB table which can grow to thousands of rows so it can potentially use up all the memory. How can I handle it?
A. For huge tables, it would consume too much memory if all rows were stored in memory. First, call setProcessSnmpRequestDirectly(true) to make this table handle SNMP requests itself. Then this table needs to implement the getOID and getNextOID methods to tell the base class about the OID tree. No corresponding table entry object is created for each row. Each getter method in the table class fetches data from somewhere else and returns appropriate results. Please refer to the example code at examples/agent/mib2/AtTable.java.
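The lookup such a table needs, as an added example that is not iReasoning's code or API (the page does not show the getOID/getNextOID signatures, so the class and method names here are hypothetical). The next instance OID is computed from the requested OID and one query against the row index, with no per-row objects. Sub-identifiers are held as Java int values and rows have a single integer index; both are simplifying assumptions.

```java
import java.util.Arrays;
import java.util.TreeSet;

public class LazyTableWalk {
    // Constructed layout: <ENTRY>.<column 1..COLUMNS>.<row index>
    static final int[] ENTRY = {1, 3, 6, 1, 4, 1, 99999, 1, 1};
    static final int COLUMNS = 2;
    // Stand-in for the external store's index. A database would answer the
    // same two questions (first index, next index after n) with indexed queries.
    static final TreeSet<Integer> STORE = new TreeSet<>(Arrays.asList(5, 9, 4000));

    static int[] instance(int column, int row) {
        int[] oid = Arrays.copyOf(ENTRY, ENTRY.length + 2);
        oid[ENTRY.length] = column;
        oid[ENTRY.length + 1] = row;
        return oid;
    }

    /** Lexicographic successor of oid among the table's instances, or null. */
    static int[] nextOid(int[] oid) {
        if (STORE.isEmpty()) return null;
        int n = Math.min(oid.length, ENTRY.length);
        int c = Arrays.compare(oid, 0, n, ENTRY, 0, n);
        if (c > 0) return null;                        // request sorts after the table
        if (c < 0 || oid.length <= ENTRY.length) return instance(1, STORE.first());
        int column = oid[ENTRY.length];
        if (column < 1) return instance(1, STORE.first());
        if (column > COLUMNS) return null;
        Integer row = oid.length > ENTRY.length + 1
                ? STORE.higher(oid[ENTRY.length + 1])  // strictly after the named row
                : STORE.first();                       // column named, no row yet
        if (row != null) return instance(column, row);
        return column < COLUMNS ? instance(column + 1, STORE.first()) : null;
    }

    public static void main(String[] args) {
        // GETNEXT walk from the entry OID; each step is one lookup, no row objects.
        for (int[] oid = nextOid(ENTRY); oid != null; oid = nextOid(oid)) {
            System.out.println(Arrays.toString(oid));
        }
        // A request naming a row that does not exist still resolves to the next one.
        System.out.println(Arrays.toString(nextOid(instance(1, 6))));
    }
}
```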
Q. Do I have to write C/C++ code if I want to build a Windows Extension Agent?
A. No. You only need to write Java code to implement a Java SNMP agent. The subagent.dll module delegates SNMP requests from Windows SNMP service to your Java agent.
Q. Why sometimes java.lang.IllegalAccessError exception occurs if I put SNMP API and Agent Builder's jar files in the classpath?
A. All the jar files have been obfuscated so conflicts may occur if they are all present in the classpath. If you need both SNMP API and Agent Builder, we will send you a special edition that contains all the classes.