SNMP over TLS
The system supports SNMP v3 servers that use the Transport Security Model (TSM). Traps are sent to the SNMP server by using Transport Layer Security (TLS) and the Transmission Control Protocol (TCP). The system does not support DTLS (or TLS over UDP).
Before you begin
The system and the SNMP server use mutual TLS to establish a secure connection. The system must verify the SNMP server certificate, and the SNMP server must verify the certificate that is presented by the system.
The system uses the same certificate for all services that use certificate authentication. If changes are made to the system certificate, then services that use certificate authentication may be interrupted. If any services are interrupted, add the new certificate to the necessary trust stores.
Some SNMP managers may have requirements about details that must be included in the system certificate. The certificate may need to contain a username in a specific field (such as the Common Name field). The cluster's fully qualified domain name and the cluster IP address should be included in the subject alternative name fields. See System Certificates for more details about generating a new system certificate.
The system and the SNMP server must agree to use a cipher suite that is supported by both parties. See Security protocol levels for more information about changing the system’s list of supported cipher suites.
Creating a new SNMP server that uses TLS using the management GUI
- In the management GUI, select .
- To configure a new server, select Add SNMP Server and select the TLS checkbox. When the TLS checkbox is selected, the SNMP certificate box appears.
- If the SNMP server's certificate is signed by a CA, upload the root CA certificate. If the server's certificate is self-signed, upload the self-signed certificate.
Note: If the server certificate is signed by a chain of CAs that includes a root CA and intermediate CAs, then the server should be configured to present its server certificate and any intermediate CA certificates when establishing a connection.
When you create an SNMP server that uses TLS, the management GUI creates a new trust store that contains the uploaded server certificates. The CLI must be used to modify or remove trust store entries for existing servers. See Truststore management commands for more information.
Testing the SNMP server and resolving common problems
- In the management GUI, right-click a server and select Test to send a test trap to that SNMP server. When TLS is used, the test checks that the TLS connection can be established and then sends a trap to the server.
- The SNMP log on the server should be examined to verify that the test trap has arrived. If the test returns an error, or the test trap has not arrived on the server, check the SNMP log on the SNMP server for the following issues:
- If the log shows SSL or TLS errors at the time of the test trap, check that the correct certificates have been installed and trusted on the system and on the SNMP server. Also check that the system and the SNMP server are using compatible cipher suites.
- If there are no errors at the time of the test trap, check that the system can ping the SNMP server. See ping for information about running the command. If the system can ping the SNMP server, check that the system certificate contains any required usernames in the correct field of the certificate. Check that the user is configured correctly on the SNMP server.
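As an added example (not part of the product documentation), the following POSIX shell helpers check a system certificate against the requirements described above (username in the CN, cluster FQDN and IP address in the subject alternative name) and exercise the mutual-TLS handshake with openssl in the same way the Test button does. The trap receiver port 10162 is an assumption taken from RFC 6353, since this page does not state the port; the host names and file names are placeholders.

```shell
#!/bin/sh
# Assumed port: RFC 6353 registers snmptls-trap on TCP 10162. Confirm the
# port that the SNMP server is actually listening on.
SNMP_TLS_TRAP_PORT=10162

# Check a PEM certificate against the SNMP-over-TLS requirements:
#   $1 = certificate file, $2 = username expected in the Common Name,
#   $3 = cluster FQDN, $4 = cluster IP (both expected in the SAN extension).
# Returns 0 when every check passes, 1 when a check fails (each failure is
# printed), 2 when the file cannot be parsed. Needs OpenSSL 1.1.1 or later.
check_snmp_tls_cert() {
    cert=$1; user=$2; fqdn=$3; ip=$4; rc=0
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 2
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null) || san=""
    # RFC 2253 output separates RDNs with commas, so match "CN=user" as a
    # whole RDN rather than as a prefix of a longer name.
    case "$subject" in
        *"CN=$user"|*"CN=$user,"*) ;;
        *) echo "CN does not contain username '$user': $subject"; rc=1 ;;
    esac
    case "$san" in
        *"DNS:$fqdn"*) ;;
        *) echo "SAN is missing DNS:$fqdn"; rc=1 ;;
    esac
    case "$san" in
        *"IP Address:$ip"*) ;;
        *) echo "SAN is missing IP Address:$ip"; rc=1 ;;
    esac
    return $rc
}

# Exercise the mutual-TLS handshake against the receiver. Both sides verify
# the peer: the receiver's CA (or self-signed cert) is passed as the trust
# anchor, and the system certificate and key are presented as the client.
#   $1 = SNMP server host, $2 = CA or self-signed server cert (PEM),
#   $3 = system certificate (PEM), $4 = system private key (PEM).
# A "certificate verify failed" or "handshake failure" here points at the
# certificate and cipher-suite checks listed in the troubleshooting steps.
test_snmp_tls_handshake() {
    openssl s_client -connect "$1:$SNMP_TLS_TRAP_PORT" -CAfile "$2" \
        -cert "$3" -key "$4" -verify_return_error </dev/null
}
```

Run `check_snmp_tls_cert system.pem snmpuser cluster.example.com 192.0.2.10` before uploading the certificate, then `test_snmp_tls_handshake snmp.example.com server-ca.pem system.pem system-key.pem` to reproduce the handshake outside the GUI.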