NetApp Knowledgebase

Enabling SNMPv3 in a FIPS-compliant environment fails with "Failed to automatically delete SNMP users and SNMP traphosts that are not compliant with FIPS"

Category:
ontap-9
Specialty:
core
Applies to

  • ONTAP 9.x
  • FIPS-compliant mode
  • SNMPv3

Issue

  • FIPS-compliant SNMPv3 cannot be enabled:

Cluster01::> set advanced
Cluster01::*> system snmp enable-snmpv3

Warning: If you enable SNMPv3 using this command, any SNMP users and SNMP traphosts that are non-compliant to FIPS will be deleted automatically, since cluster FIPS mode is enabled. Any SNMPv1 user, SNMPv2c user or SNMPv3 user (with none or MD5 as authentication protocol or none or DES as encryption protocol or both) is non-compliant to FIPS. Any SNMPv1 traphost or SNMPv3 traphost (configured with an SNMPv3 user non-compliant to FIPS) is non-compliant to FIPS.
Do you want to continue? {y|n}: y

Error: command failed: Failed to automatically delete SNMP users and SNMP traphosts that are not compliant with FIPS.

Manually delete all SNMP users and SNMP traphosts that are not compliant with FIPS before rerunning the "system snmp enable-snmpv3" command:
 
1. Delete the remaining noncompliant SNMP traphosts by using the "system snmp traphost delete" command. Use the "system snmp traphost show" command to list all configured traphosts. The following SNMP traphosts are not FIPS compliant:
    a. SNMPv1 traphosts: SNMPv1 traphosts are configured with "Community" strings.
    b. SNMPv3 traphosts configured with a user that is not FIPS compliant. SNMPv3 traphosts are configured with a "USM User". Any "USM User" that is listed by running the commands in sections 2b and 2c below are not FIPS compliant.
2. Delete the remaining noncompliant SNMP users by using the "security login delete" command. The following SNMP users are not FIPS compliant:
    a. SNMPv1 users and SNMPv2c users. Use the "security login show -authentication-method community" command to list all SNMPv1 users and SNMPv2c users.
    b. SNMPv3 users having "none" or "MD5" as the authentication method. Use the "security snmpusers -authmethod usm-authprotocol none|md5" command to list all SNMPv3 users having "none" or "MD5" as the authentication method.
    c. SNMPv3 users having "none" or "DES" as the encryption protocol. Use the "security snmpusers -authmethod usm-privprotocol none|des" command to list all SNMPv3 users having "none" or "DES" as the encryption protocol.

  • Running the commands referenced in the error returns nothing:

Cluster01::*> system snmp traphost show
-

Cluster01::*> security login show -authentication-method community
There are no entries matching your query.

Cluster01::*> security snmpusers show
There are no entries matching your query.
 
Cluster01::*> security snmpusers -authmethod usm-authprotocol none|md5
There are no entries matching your query.
 
Cluster01::*> security snmpusers -privprotocol none|des
There are no entries matching your query.
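The warning printed by "system snmp enable-snmpv3" states the FIPS rule precisely: SNMPv1/SNMPv2c (community) users, SNMPv3 users whose authentication protocol is "none" or "MD5" or whose encryption protocol is "none" or "DES", SNMPv1 traphosts, and SNMPv3 traphosts bound to such a user are all non-compliant and must be removed before the command succeeds. The following script is an added example, not NetApp code and not part of this article; it applies that rule to an inventory of users and traphosts so an operator can list every object to delete before rerunning the command. The field names (auth_method, auth_protocol, priv_protocol, usm_user) and the sample records are constructed assumptions, not the exact columns of "security snmpusers show" or "system snmp traphost show".

```python
"""Audit SNMP users and traphosts against the FIPS rule quoted in the
'system snmp enable-snmpv3' warning (added example, not NetApp code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# From the warning text: these USM protocol values make an SNMPv3 user non-compliant.
NONCOMPLIANT_AUTH = {"none", "md5"}
NONCOMPLIANT_PRIV = {"none", "des"}


@dataclass(frozen=True)
class SnmpUser:
    name: str
    auth_method: str              # "community" (SNMPv1/v2c) or "usm" (SNMPv3); assumed field name
    auth_protocol: str = "none"   # USM authentication protocol, e.g. md5 or sha
    priv_protocol: str = "none"   # USM privacy (encryption) protocol, e.g. des or aes128


@dataclass(frozen=True)
class Traphost:
    host: str
    version: str                  # "v1" (community string) or "v3" (USM user)
    usm_user: Optional[str] = None  # only meaningful for v3 traphosts


def user_noncompliance_reasons(user: SnmpUser) -> List[str]:
    """Return the reasons a user is not FIPS compliant; an empty list means compliant."""
    if user.auth_method == "community":
        return ["SNMPv1/SNMPv2c community user"]
    reasons = []
    if user.auth_protocol.lower() in NONCOMPLIANT_AUTH:
        reasons.append(f"authentication protocol {user.auth_protocol}")
    if user.priv_protocol.lower() in NONCOMPLIANT_PRIV:
        reasons.append(f"encryption protocol {user.priv_protocol}")
    return reasons


def audit(users: List[SnmpUser], traphosts: List[Traphost]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return ({user: reasons}, {traphost: reasons}) for every non-compliant object.

    Traphosts are evaluated after users because a v3 traphost inherits the
    non-compliance of the USM user it is configured with."""
    bad_users: Dict[str, List[str]] = {}
    for user in users:
        reasons = user_noncompliance_reasons(user)
        if reasons:
            bad_users[user.name] = reasons

    bad_hosts: Dict[str, List[str]] = {}
    for th in traphosts:
        if th.version == "v1":
            bad_hosts[th.host] = ["SNMPv1 traphost (community string)"]
        elif th.usm_user in bad_users:
            bad_hosts[th.host] = [f"USM user {th.usm_user} is not FIPS compliant"]
    return bad_users, bad_hosts


# Constructed sample inventory (not captured from a real cluster).
SAMPLE_USERS = [
    SnmpUser("public", "community"),
    SnmpUser("monitor-md5", "usm", "md5", "aes128"),
    SnmpUser("monitor-des", "usm", "sha", "des"),
    SnmpUser("monitor-fips", "usm", "sha", "aes128"),
]
SAMPLE_TRAPHOSTS = [
    Traphost("legacy-nms.example.net", "v1"),
    Traphost("nms1.example.net", "v3", "monitor-md5"),
    Traphost("nms2.example.net", "v3", "monitor-fips"),
]


def main() -> None:
    bad_users, bad_hosts = audit(SAMPLE_USERS, SAMPLE_TRAPHOSTS)
    # Traphosts first, matching the order of the manual steps in the error text.
    for host, reasons in bad_hosts.items():
        print(f"traphost delete needed: {host} ({'; '.join(reasons)})")
    for name, reasons in bad_users.items():
        print(f"login delete needed:    {name} ({'; '.join(reasons)})")


if __name__ == "__main__":
    main()
```

Deleting the traphosts before the users mirrors steps 1 and 2 of the error text; the script only reports, it does not run any ONTAP command.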
