Examples of configuration using net-snmp

The following example demonstrates the configuration settings used to create a connection to SNMP servers using Net-SNMP on Linux. In this example, the system certificate and the SNMP server certificate are both signed by the IBM Example CA. The storage system certificate contains the username flashsystem in the Common Name field. See System Certificates for more details about generating the system certificate.

Configuring the server

The configuration file must be at a location accessible to snmptrapd. The following example shows the configuration file at /usr/local/share/snmp/snmptrapd.conf:
# Logging Settings
[snmp] logOption f /var/log/SNMP/snmptraps.log
format 1 "%02.2h:%02.2j TRAP%w.%q from %B\n"
format 2 "%02.2h:%02.2j TRAP%w.%q from %B\n"
authCommunity log public
# TLS Settings
[snmp] localCert snmpd.crt
[snmp] tlsMinVersion tls1_2
[snmp] tlsMaxVersion tls1_3
[snmp] trustCert ibm-example-ca
certSecName 10 flashsystem.crt --cn flashsystem
authUser log -s tsm flashsystem
  • snmpd.crt is the signed server certificate, added at /usr/local/share/snmp/tls/certs/snmpd.crt.

    The subject alternative name field should contain the fully qualified domain name and IP address of the SNMP server.

  • The private key that matches snmpd.crt is added at /usr/local/share/snmp/tls/private/snmpd.key.

  • ibm-example-ca is the name of the root CA used to sign both snmpd.crt and flashsystem.crt. The root certificate has been added at /usr/local/share/snmp/tls/ca-certs/ibm-example-ca.crt.

    If a chain of CA certificates is used in the signing process, then all of the CA certificates should be added to this directory, and an entry for each CA should be added to the configuration file.

  • flashsystem.crt is the signed system certificate that was exported from the Security > System Certificates panel on the storage system, and added to /usr/local/share/snmp/tls/certs/flashsystem.crt. --cn flashsystem indicates that the username flashsystem is located in the Common Name field of the certificate.
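
A consistency check for the TLS directives described above, as an added example that is not part of the original documentation: it parses the configuration text and confirms that the certificate, CA and TLS version directives are present and that the username mapped by certSecName is the one authUser allows under the tsm security model. The function names parse and lint are hypothetical, and the certSecName parsing assumes the "--cn username" form used on this page.

```python
import shlex

# TLS section of the snmptrapd.conf shown on this page, embedded as sample input.
SAMPLE_CONF = """\
# TLS Settings
[snmp] localCert snmpd.crt
[snmp] tlsMinVersion tls1_2
[snmp] tlsMaxVersion tls1_3
[snmp] trustCert ibm-example-ca
certSecName 10 flashsystem.crt --cn flashsystem
authUser log -s tsm flashsystem
"""


def parse(conf_text):
    """Return {directive: [argument lists]}, dropping comments and the [snmp] prefix."""
    directives = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0].startswith("["):
            tokens = tokens[1:]
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def lint(conf_text):
    """Return a list of findings; an empty list means the settings are consistent."""
    d = parse(conf_text)
    findings = [f"missing {name}" for name in ("localCert", "trustCert", "certSecName")
                if name not in d]
    min_ver = next((a[0] for a in d.get("tlsMinVersion", []) if a), None)
    if min_ver not in ("tls1_2", "tls1_3"):  # the two values used on this page
        findings.append(f"tlsMinVersion is {min_ver or 'unset'}, expected tls1_2 or tls1_3")
    # Usernames taken from a certificate, in the page's "--cn <username>" form.
    mapped = {a[3] for a in d.get("certSecName", []) if len(a) >= 4 and a[2] == "--cn"}
    # Usernames authorised under the tsm security model.
    tsm_users = {a[3] for a in d.get("authUser", []) if len(a) >= 4 and a[1:3] == ["-s", "tsm"]}
    for user in sorted(mapped - tsm_users):
        findings.append(f"certSecName maps to {user} but no authUser -s tsm entry allows it")
    for user in sorted(tsm_users - mapped):
        findings.append(f"authUser allows {user} under tsm but no certSecName maps to it")
    return findings


if __name__ == "__main__":
    print(lint(SAMPLE_CONF) or "TLS settings are consistent")
```
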

Configuring the storage system

  1. In this example, we are signing the SNMP server’s certificate and the storage system’s certificate with our organization’s CA (the IBM Example CA). If the system’s certificate needs to be configured, use the Security > System Certificates panel in the management GUI to generate a new certificate request.
  2. In this example, we have added flashsystem to the Common Name field as the username. We have also added the system’s fully qualified domain name and the cluster IP to the subject alternative name fields. The certificate request is then signed by the IBM Example CA, and the signed certificate is installed in Security > System Certificates.
  3. In the management GUI, navigate to Settings > Notifications > SNMP.
  4. Select Add SNMP Server.
  5. Enter the IP and port details for the server.
  6. Select the TLS checkbox.
  7. In the SNMP certificate box, upload the root CA certificate used to sign the SNMP server certificate. In this example, we are using ibm-example-ca.crt.

Now that the SNMP server and the storage system have both been configured, we can start snmptrapd on the server and have it listen for TLS connections. We are using the default trap port 10162:
snmptrapd -c /usr/local/share/snmp/snmptrapd.conf -L o tlstcp:10162

We can now send a test trap to the server in Settings > Notifications > SNMP by right-clicking the server and selecting Test. In our example, the trap is logged in /var/log/SNMP/snmptraps.log on the server.