SNMP over TLS

The system supports SNMP v3 servers that use the Transport Security Model (TSM). Traps are sent to the SNMP server by using Transport Layer Security (TLS) over the Transmission Control Protocol (TCP). The system does not support DTLS (TLS over UDP).

One benefit of using TLS and TCP is that the TCP protocol handles timeouts and retries to improve delivery of traps. This can be compared to the User-based Security Model (USM) where traps are sent from the system by using UDP, with no confirmation that a trap has reached the SNMP server. Using SNMP over TLS may be preferable if your organization already has an existing public-key infrastructure in place.
Note: IPv6 is not supported with SNMP over TLS. Ensure that the system and SNMP servers are using IPv4 addresses.

Before you begin

The system and the SNMP server use mutual TLS to establish a secure connection. The system must verify the SNMP server certificate, and the SNMP server must verify the certificate that is presented by the system.

The SNMP server certificate must be installed in a trust store on the system, with the snmp tag turned on. If the SNMP server’s certificate is signed by a Certificate Authority (CA), then the CA certificate must be installed in a trust store with the snmp tag that is turned on. See Trust Stores for more information about creating and managing trust stores.
Note: The system only supports the use of one CA to sign the server certificates. All server certificates must be signed by the same CA. If using self-signed certificates, then all servers must use the same certificate.
The system’s certificate must be installed on the SNMP server. If the system’s certificate is signed by a Certificate Authority (CA), then the CA certificates must be installed on the SNMP server too.
Note:

The system uses the same certificate for all services that use certificate authentication. If changes are made to the system certificate, then services that use certificate authentication may be interrupted. If any services are interrupted, add the new certificate to the necessary trust stores.

Some SNMP managers may have requirements about details that must be included in the system certificate. The certificate may need to contain a username in a specific field (such as the Common Name field). The cluster’s fully qualified domain name, and the cluster IP address, should be included in the subject alternative name fields. See System Certificates for more details about generating a new system certificate.

The system and the SNMP server must agree to use a cipher suite that is supported by both parties. See Security protocol levels for more information about changing the system’s list of supported cipher suites.
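The following receiver-side configuration is an added example and not part of this page or of the system's own documentation. It shows how a net-snmp snmptrapd receiver could be set up to meet the requirements above: listen on TLS over TCP only, present its own certificate, trust the one CA that signed the system certificate, and map that certificate to a TSM security name. The directive names are taken from the net-snmp snmp.conf and snmptrapd.conf manual pages; the file paths, the port 10162, the CA name and the user name snmp-tsm-user are assumptions, and other SNMP managers use their own configuration.

```conf
# /etc/snmp/snmptrapd.conf on the trap receiver (assumed: net-snmp snmptrapd).
# Paths, port and names below are assumptions for this example.

# Listen for SNMPv3/TSM notifications on TLS over TCP only.
# Do not configure a dtlsudp: listener; the system never sends DTLS.
snmpTrapdAddr tlstcp:0.0.0.0:10162

# The receiver's own certificate and key, presented to the system during the
# mutual-TLS handshake.  The [snmp] prefix is the snmp.conf token syntax that
# snmptrapd also accepts; net-snmp looks the name up in its tls/certs directory.
[snmp] localCert snmptrapd

# The single CA that signed the system certificate (placed in the tls/ca
# directory).  With self-signed system certificates, name that certificate
# here instead.
[snmp] trustCert example-internal-ca

# Optional: restrict the OpenSSL cipher list so that it overlaps with the
# system's security protocol level (assumed cipher string).
[snmp] tlsAlgorithms ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

# Map certificates issued by that CA to an SNMPv3 securityName taken from the
# certificate's commonName.  The system certificate must therefore carry the
# user name in its commonName (see "Before you begin").
certSecName 10 example-internal-ca --cn

# Accept notifications from that securityName under the TSM security model.
authUser log -s tsm snmp-tsm-user
```

If the receiver's certificate is signed through intermediate CAs, also arrange for the receiver to present those intermediate certificates in the handshake, as the system only holds the root CA in its trust store; how that is done depends on the SNMP server software and is not covered by the directives above.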

Creating a new SNMP server that uses TLS by using the management GUI

  1. In the management GUI, select Settings > Notifications > SNMP.
  2. To configure a new server, select Add SNMP Server and select the TLS checkbox. When the TLS checkbox is selected, the SNMP certificate box appears.
  3. If the SNMP server’s certificate is signed by a CA, upload the root CA certificate. If the server’s certificate is self-signed, upload the self-signed certificate.
    Note:

    If the server certificate is signed by a chain of CAs that includes a root CA and intermediate CAs, then the server should be configured to present its server certificate and any intermediate CA certificates when establishing a connection.

    When you create an SNMP server that uses TLS, the management GUI creates a new trust store that contains the uploaded server certificates. The CLI must be used to modify or remove trust store entries for existing servers. See Truststore management commands for more information.

Testing the SNMP server and resolving common problems

  1. To test the SNMP server, select Settings > Notifications > SNMP, right-click a server, and select Test to send a test trap to that server. When TLS is in use, the test checks that the TLS connection can be established and then sends a trap to the server.
  2. The SNMP log on the server should be examined to verify that the test trap has arrived. If the test returns an error, or the test trap has not arrived on the server, check the SNMP log on the SNMP server for the following issues:
    1. If the log shows SSL or TLS errors at the time of the test trap, check that the correct certificates have been installed and trusted on the system and on the SNMP server. Also check that the system and the SNMP server are using compatible cipher suites.
    2. If there are no errors at the time of the test trap, check that the system can ping the SNMP server. See ping for information about running the command. If the system can ping the SNMP server, check that the system certificate contains any required usernames in the correct field of the certificate. Check that the user is configured correctly on the SNMP server.
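The following script is an added example, not part of this page or of the system's software, for working through the TLS-related checks above from an administrator workstation. check_identity() verifies that a certificate carries the cluster FQDN and IPv4 address in its subject alternative names and, when the SNMP manager requires it, the SNMP user name in the commonName; check_single_issuer() confirms that all server certificates were issued by the same CA; probe_receiver() performs the same mutual-TLS handshake a trap would use, with an optional cipher list to reproduce a restricted security protocol level, and reports the negotiated version, cipher suite and peer certificate. The sample certificate dictionary, the names cluster1.example.com and snmp-tsm-user, and the address 192.0.2.10 are constructed for the example; the dictionary layout is the one Python's ssl.SSLSocket.getpeercert() returns.

```python
"""Added diagnostic for an SNMPv3/TSM trap receiver reached over TLS/TCP.

check_identity() and check_single_issuer() take the dictionaries that
ssl.SSLSocket.getpeercert() returns, so they run offline on the sample below;
probe_receiver() performs the real mutual-TLS handshake against a live receiver.
"""
import ipaddress
import socket
import ssl

# Constructed sample in getpeercert() format; not a real certificate.
SYSTEM_CERT = {
    "subject": ((("commonName", "snmp-tsm-user"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Internal CA"),)),
    "subjectAltName": (("DNS", "cluster1.example.com"),
                       ("IP Address", "192.0.2.10")),
}


def _subject_values(peercert, field):
    """All values of one subject attribute, for example every commonName."""
    return [value for rdn in peercert.get("subject", ())
            for name, value in rdn if name == field]


def check_identity(peercert, expected_fqdn, expected_ip, required_user=None):
    """Check one certificate against the identity rules for SNMP over TLS.

    The cluster FQDN and IPv4 address must appear in the subject alternative
    names and, when the SNMP manager requires it, the SNMP user must appear in
    the commonName.  Returns a list of problems; an empty list means OK.
    """
    problems = []
    sans = peercert.get("subjectAltName", ())
    dns_names = {value.lower() for kind, value in sans if kind == "DNS"}
    ip_names = set()
    for kind, value in sans:
        if kind == "IP Address":
            try:
                ip_names.add(ipaddress.ip_address(value))
            except ValueError:
                problems.append(f"unparseable IP SAN {value!r}")
    if expected_fqdn.lower() not in dns_names:
        problems.append(f"SAN has no DNS entry for {expected_fqdn}")
    try:
        expected = ipaddress.ip_address(expected_ip)
    except ValueError:
        problems.append(f"{expected_ip!r} is not an IP address")
    else:
        if expected.version == 6:
            problems.append("IPv6 address given; SNMP over TLS requires IPv4")
        elif expected not in ip_names:
            problems.append(f"SAN has no IP entry for {expected_ip}")
    if required_user is not None and \
            required_user not in _subject_values(peercert, "commonName"):
        problems.append(f"commonName does not carry the SNMP user {required_user!r}")
    return problems


def check_single_issuer(peercerts):
    """Distinct issuers across the SNMP server certificates.

    The system trusts exactly one CA, so a result with more than one entry
    means at least one server certificate will fail verification.
    """
    return {tuple(pair for rdn in cert.get("issuer", ()) for pair in rdn)
            for cert in peercerts}


def probe_receiver(host, port, system_cert, system_key, ca_bundle,
                   ciphers=None, timeout=5.0):
    """Perform the mutual-TLS handshake a trap would use and report the result.

    system_cert/system_key: PEM files for the certificate the system presents.
    ca_bundle: the CA (or self-signed server certificate) from the trust store.
    ciphers: optional OpenSSL cipher string to reproduce a restricted
    security protocol level.  Raises ssl.SSLError on a handshake failure.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies peer and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_bundle)
    ctx.load_cert_chain(certfile=system_cert, keyfile=system_key)
    if ciphers:
        ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(),
                    "cipher": tls.cipher(),
                    "peercert": tls.getpeercert()}


if __name__ == "__main__":
    print(check_identity(SYSTEM_CERT, "cluster1.example.com", "192.0.2.10",
                         required_user="snmp-tsm-user"))
```

An ssl.SSLError from probe_receiver() corresponds to the "SSL or TLS errors" case in step 2a: check the trust stores and the cipher lists on both sides. A handshake that succeeds while traps still do not arrive points at the user mapping in step 2b, which is what check_identity() covers.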