跳转到主内容

在符合FIPS的环境中启用SNMPv3失败、并且无法自动删除不符合FIPS的SNMP用户和SNMP陷阱主机

Views:
2
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core<a>FIPS</a><a>SNMP</a><a>ONTAP</a><a>1086216</a><a>用于转换</a>
Last Updated:

状态信息

适用场景

  • ONTAP 9.x
  • FIPS兼容模式
  • SNMPv3

问题描述

  • 无法启用符合FIPS的SNMPv3:

Cluster01::> set advanced
Cluster01::*> system snmp enable-snmpv3

Warning: If you enable SNMPv3 using this command, any SNMP users and SNMP traphosts that are non-compliant to FIPS will be deleted automatically, since cluster FIPS mode is enabled. Any SNMPv1 user, SNMPv2c user or SNMPv3 user (with none or MD5 as authentication protocol or none or DES as encryption protocol or both) is non-compliant to FIPS. Any SNMPv1 traphost or SNMPv3 traphost (configured with an SNMPv3 user non-compliant to FIPS) is non-compliant to FIPS.
Do you want to continue? {y|n}: y

Error: command failed: Failed to automatically delete SNMP users and SNMP traphosts that are not compliant with FIPS.

Manually delete all SNMP users and SNMP traphosts that are not compliant with FIPS before rerunning the "system snmp enable-snmpv3" command:
 
1. Delete the remaining noncompliant SNMP traphosts by using the "system snmp traphost delete" command. Use the "system snmp traphost show" command to list all configured traphosts. The following SNMP traphosts are not FIPS compliant:
   a. SNMPv1 traphosts: SNMPv1 traphosts are configured with "Community" strings.
   b. SNMPv3 traphosts configured with a user that is not FIPS compliant. SNMPv3 traphosts are configured with a "USM User". Any "USM User" that is listed by running the commands in sections 2b and 2c below are not FIPS compliant.
2. Delete the remaining noncompliant SNMP users by using the "security login delete" command. The following SNMP users are not FIPS compliant:
   a. SNMPv1 users and SNMPv2c users. Use the "security login show -authentication-method community" command to list all SNMPv1 users and SNMPv2c users.
   b. SNMPv3 users having "none" or "MD5" as the authentication method. Use the "security snmpusers -authmethod usm-authprotocol none|md5" command to list all SNMPv3 users having "none" or "MD5" as the authentication method.
   c. SNMPv3 users having "none" or "DES" as the encryption protocol. Use the "security snmpusers -authmethod usm-privprotocol none|des" command to list all SNMPv3 users having "none" or "DES" as the encryption protocol.

  • 运行错误中引用的命令不会返回任何内容:

Cluster01::*> system snmp traphostshow
-

Cluster01::*> security login show -authentication-method community
There are no entries matching your query.

Cluster01::*> security snmpusers show
There are no entries matching your query.
 
Cluster01::*> security snmpusers -authmethod usm-authprotocol none|md5
There are no entries matching your query.
 
Cluster01::*> security snmpusers -privprotocol none|des
There are no entries matching your query.

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.