NetApp Knowledge Base

Enabling SNMPv3 in a FIPS-compliant environment fails with failed to automatically delete SNMP users and SNMP traphosts that are not compliant with FIPS

Category:
ontap-9
Specialty:
core
Applies to

  • ONTAP 9.x
  • FIPS-compliant mode
  • SNMPv3

Issue

  • FIPS-compliant SNMPv3 cannot be enabled:

Cluster01::> set advanced
Cluster01::*> system snmp enable-snmpv3

Warning: If you enable SNMPv3 using this command, any SNMP users and SNMP traphosts that are non-compliant to FIPS will be deleted automatically, since cluster FIPS mode is enabled. Any SNMPv1 user, SNMPv2c user or SNMPv3 user (with none or MD5 as authentication protocol or none or DES as encryption protocol or both) is non-compliant to FIPS. Any SNMPv1 traphost or SNMPv3 traphost (configured with an SNMPv3 user non-compliant to FIPS) is non-compliant to FIPS.
Do you want to continue? {y|n}: y

Error: command failed: Failed to automatically delete SNMP users and SNMP traphosts that are not compliant with FIPS.

Manually delete all SNMP users and SNMP traphosts that are not compliant with FIPS before rerunning the "system snmp enable-snmpv3" command:
 
1. Delete the remaining noncompliant SNMP traphosts by using the "system snmp traphost delete" command. Use the "system snmp traphost show" command to list all configured traphosts. The following SNMP traphosts are not FIPS compliant:
    a. SNMPv1 traphosts: SNMPv1 traphosts are configured with "Community" strings.
    b. SNMPv3 traphosts configured with a user that is not FIPS compliant. SNMPv3 traphosts are configured with a "USM User". Any "USM User" that is listed by running the commands in sections 2b and 2c below are not FIPS compliant.
2. Delete the remaining noncompliant SNMP users by using the "security login delete" command. The following SNMP users are not FIPS compliant:
    a. SNMPv1 users and SNMPv2c users. Use the "security login show -authentication-method community" command to list all SNMPv1 users and SNMPv2c users.
    b. SNMPv3 users having "none" or "MD5" as the authentication method. Use the "security snmpusers -authmethod usm-authprotocol none|md5" command to list all SNMPv3 users having "none" or "MD5" as the authentication method.
    c. SNMPv3 users having "none" or "DES" as the encryption protocol. Use the "security snmpusers -authmethod usm-privprotocol none|des" command to list all SNMPv3 users having "none" or "DES" as the encryption protocol.

  • Running the commands referenced in the error returns nothing:

Cluster01::*> system snmp traphost show
-

Cluster01::*> security login show -authentication-method community
There are no entries matching your query.

Cluster01::*> security snmpusers show
There are no entries matching your query.
 
Cluster01::*> security snmpusers -authmethod usm-authprotocol none|md5
There are no entries matching your query.
 
Cluster01::*> security snmpusers -privprotocol none|des
There are no entries matching your query.
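The warning text above defines exactly which SNMP users and traphosts ONTAP considers non-compliant with FIPS: any SNMPv1 or SNMPv2c (community) user, any SNMPv3 user whose authentication protocol is none or MD5 or whose privacy protocol is none or DES, any SNMPv1 traphost, and any SNMPv3 traphost bound to a non-compliant USM user. The following Python script is an added example, not part of this KB article or of any NetApp tooling: it encodes those rules as a classifier so an administrator can audit a list of users and traphosts before running `system snmp enable-snmpv3`. The `SnmpUser` and `Traphost` records, the sample entries, and the decision to flag a traphost whose USM user cannot be found are all constructed assumptions; in practice the records would be filled in from the output of `security snmpusers show` and `system snmp traphost show`.

```python
"""FIPS compliance audit for ONTAP SNMP users and traphosts (added example).

Rules are taken from the ONTAP warning printed by `system snmp enable-snmpv3`:
  * SNMPv1 / SNMPv2c users are community-based and never FIPS compliant.
  * SNMPv3 users with auth none/MD5 or priv none/DES are not FIPS compliant.
  * SNMPv1 traphosts are never FIPS compliant.
  * SNMPv3 traphosts are non-compliant when their USM user is non-compliant.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Protocol names as ONTAP reports them, compared case-insensitively.
NONCOMPLIANT_AUTH = {"none", "md5"}
NONCOMPLIANT_PRIV = {"none", "des"}


@dataclass(frozen=True)
class SnmpUser:
    """One row of `security snmpusers show` (field layout is an assumption)."""
    name: str
    version: str                 # "v1", "v2c" or "v3"
    auth_protocol: str = "none"  # USM authentication protocol (v3 only)
    priv_protocol: str = "none"  # USM privacy/encryption protocol (v3 only)


@dataclass(frozen=True)
class Traphost:
    """One row of `system snmp traphost show` (field layout is an assumption)."""
    host: str
    version: str                 # "v1" or "v3"
    usm_user: Optional[str] = None  # USM user name for SNMPv3 traphosts


def user_noncompliance_reason(user: SnmpUser) -> Optional[str]:
    """Return why a user is not FIPS compliant, or None if it is compliant."""
    if user.version in ("v1", "v2c"):
        return f"SNMP{user.version} user (community string)"
    reasons = []
    if user.auth_protocol.lower() in NONCOMPLIANT_AUTH:
        reasons.append(f"authentication protocol {user.auth_protocol}")
    if user.priv_protocol.lower() in NONCOMPLIANT_PRIV:
        reasons.append(f"encryption protocol {user.priv_protocol}")
    return "; ".join(reasons) or None


def traphost_noncompliance_reason(th: Traphost,
                                  users_by_name: Dict[str, SnmpUser]) -> Optional[str]:
    """Return why a traphost is not FIPS compliant, or None if it is compliant."""
    if th.version == "v1":
        return "SNMPv1 traphost (community string)"
    user = users_by_name.get(th.usm_user or "")
    if user is None:
        # Assumption: a traphost whose USM user is missing is flagged for review
        # rather than silently treated as compliant.
        return f"USM user {th.usm_user!r} not found"
    reason = user_noncompliance_reason(user)
    return f"USM user {user.name}: {reason}" if reason else None


def find_noncompliant(users: List[SnmpUser],
                      traphosts: List[Traphost]) -> Dict[str, List[Tuple[str, str]]]:
    """Classify everything; traphosts are listed first because the ONTAP error
    text says to delete non-compliant traphosts before the users they reference."""
    users_by_name = {u.name: u for u in users}
    bad_hosts = [(t.host, r) for t in traphosts
                 if (r := traphost_noncompliance_reason(t, users_by_name))]
    bad_users = [(u.name, r) for u in users
                 if (r := user_noncompliance_reason(u))]
    return {"traphosts": bad_hosts, "users": bad_users}


# Constructed sample inventory (not real cluster data).
SAMPLE_USERS = [
    SnmpUser("public_ro", "v1"),
    SnmpUser("monitor_v2c", "v2c"),
    SnmpUser("legacy_v3", "v3", auth_protocol="md5", priv_protocol="des"),
    SnmpUser("halfway_v3", "v3", auth_protocol="sha", priv_protocol="des"),
    SnmpUser("fips_v3", "v3", auth_protocol="sha", priv_protocol="aes128"),
]
SAMPLE_TRAPHOSTS = [
    Traphost("192.0.2.10", "v1"),
    Traphost("trap-a.example.test", "v3", usm_user="legacy_v3"),
    Traphost("trap-b.example.test", "v3", usm_user="fips_v3"),
]

if __name__ == "__main__":
    report = find_noncompliant(SAMPLE_USERS, SAMPLE_TRAPHOSTS)
    for kind in ("traphosts", "users"):
        print(f"Non-compliant {kind}:")
        for name, reason in report[kind]:
            print(f"  {name}: {reason}")
```

The report lists traphosts before users because the ONTAP error text instructs deleting non-compliant traphosts first; a traphost still bound to a USM user would otherwise block the user deletion. On a cluster where every command in the error message returns no entries, as in the transcript above, the classifier would report nothing, which is exactly the puzzle this article addresses.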


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.