Examples of configuration using net-snmp
The following example demonstrates the configuration settings used to create a connection to SNMP servers using Net-SNMP on Linux. In this example, the system certificate and the SNMP server certificate are both signed by the IBM Example CA. The storage system certificate contains the username flashsystem in the Common Name field. See System Certificates for more details about generating the system certificate.
Configuring the server
# Logging Settings
[snmp] logOption f /var/log/SNMP/snmptraps.log
# format1 applies to SNMPv1 traps, format2 to SNMPv2 notifications
format1 "%02.2h:%02.2j TRAP%w.%q from %B\n"
format2 "%02.2h:%02.2j TRAP%w.%q from %B\n"
authCommunity log public
# TLS Settings
[snmp] localCert snmpd.crt
[snmp] tlsMinVersion tls1_2
[snmp] tlsMaxVersion tls1_3
[snmp] trustCert ibm-example-ca
certSecName 10 flashsystem.crt --cn flashsystem
authUser log -s tsm flashsystem
- snmpd.crt is the signed server certificate, added at /usr/local/share/snmp/tls/certs/snmpd.crt. The subject alternative name field should contain the fully qualified domain name and IP address of the SNMP server.
- The private key that matches snmpd.crt is added at /usr/local/share/snmp/tls/private/snmpd.key.
- ibm-example-ca is the name of the root CA used to sign both snmpd.crt and flashsystem.crt. The root certificate has been added to /usr/local/share/snmp/tls/ca-certs/ibm-example-ca.crt. If a chain of CA certificates is used in the signing process, then all of the CA certificates should be added to this directory, and an entry for each CA should be added to the configuration file.
- flashsystem.crt is the signed system certificate that was exported from the panel on the storage system, and added to /usr/local/share/snmp/tls/certs/flashsystem.crt. --cn flashsystem indicates that the username flashsystem is located in the Common Name field of the certificate.
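The following check is an added example, not part of the original page or of Net-SNMP. It reads the TLS lines of a snmptrapd.conf like the one above and reports a missing localCert, trustCert or tlsMinVersion, and any certSecName username without a matching authUser -s tsm entry (or the reverse). It assumes, following the explanation above, that the token after --cn is the username; the names parse, check_tls and BROKEN_CONF are hypothetical, and BROKEN_CONF is a constructed sample.

```python
ACCEPTED_MIN = {"tls1_2", "tls1_3"}  # the two version names that appear on this page

def parse(conf_text):
    """Return (directive, args) pairs; comments and the [snmp] prefix are dropped."""
    entries = []
    for line in conf_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "[snmp]":
            tokens = tokens[1:]
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries

def check_tls(conf_text):
    """Return a list of problems found in the TLS part of a snmptrapd.conf."""
    entries = parse(conf_text)
    seen = dict(entries)
    problems = [f"{d} is not set" for d in ("localCert", "trustCert") if d not in seen]
    min_version = (seen.get("tlsMinVersion") or [""])[0]
    if min_version not in ACCEPTED_MIN:
        problems.append("tlsMinVersion is missing or not one of " + ", ".join(sorted(ACCEPTED_MIN)))
    # Assumption taken from the page's explanation: the token after --cn is the username.
    mapped = {a[a.index("--cn") + 1] for n, a in entries
              if n == "certSecName" and "--cn" in a[:-1]}
    authorized = {a[3] for n, a in entries
                  if n == "authUser" and a[1:3] == ["-s", "tsm"] and len(a) > 3}
    for user in sorted(mapped - authorized):
        problems.append(f"{user}: certSecName mapping but no 'authUser ... -s tsm {user}'")
    for user in sorted(authorized - mapped):
        problems.append(f"{user}: authUser with -s tsm but no certSecName mapping")
    return problems

# TLS settings as given on this page.
PAGE_CONF = """\
[snmp] localCert snmpd.crt
[snmp] tlsMinVersion tls1_2
[snmp] tlsMaxVersion tls1_3
[snmp] trustCert ibm-example-ca
certSecName 10 flashsystem.crt --cn flashsystem
authUser log -s tsm flashsystem
"""
# Constructed broken variant: no minimum version, and a typo in the authUser name.
BROKEN_CONF = PAGE_CONF.replace("[snmp] tlsMinVersion tls1_2\n", "").replace(
    "tsm flashsystem", "tsm flashsytem")

if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("broken", BROKEN_CONF)):
        print(label, check_tls(conf) or "OK")
```

A username mismatch between certSecName and authUser is worth catching before the test trap, because the TLS session can still be established while the trap never reaches the log.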
Configuring the storage system
- In this example we are signing the SNMP server’s certificate and the storage system’s certificate with our organization’s CA (The IBM Example CA). If the system’s certificate needs to be configured, use the panel in the management GUI to generate a new certificate request.
- In this example, we have added flashsystem to the Common Name field as username. We have also added the system’s fully qualified domain name, and the cluster IP, to the subject alternative name fields. The certificate request is then signed by the IBM Example CA, and the signed certificate is installed in .
- In the management GUI, navigate to .
- Select Add SNMP Server.
- Enter the IP and port details for the server.
- Select the TLS checkbox.
- In the SNMP certificate box, upload the root CA certificate used to sign the SNMP server certificate. In this example, we are using ibm-example-ca.crt.
snmptrapd -c /usr/local/share/snmp/snmptrapd.conf -L o tlstcp:10162
We can now send a test trap to the server by right-clicking the server and selecting Test. In our example, the trap is logged in /var/log/SNMP/snmptraps.log on the server.