When SNMPv3 is enabled in a FIPS-compliant environment, SNMP users and SNMP traphosts that are not FIPS compliant could not be deleted automatically
Environment
- ONTAP 9.x
- FIPS-compliant mode
- SNMPv3
Issue
- FIPS-compliant SNMPv3 cannot be enabled.
Cluster01::> set advanced
Cluster01::*> system snmp enable-snmpv3
Warning: If you enable SNMPv3 using this command, any SNMP users and SNMP traphosts that are non-compliant to FIPS will be deleted automatically, since cluster FIPS mode is enabled. Any SNMPv1 user, SNMPv2c user or SNMPv3 user (with none or MD5 as authentication protocol or none or DES as encryption protocol or both) is non-compliant to FIPS. Any SNMPv1 traphost or SNMPv3 traphost (configured with an SNMPv3 user non-compliant to FIPS) is non-compliant to FIPS.
Do you want to continue? {y|n}: y
Error: command failed: Failed to automatically delete SNMP users and SNMP traphosts that are not compliant with FIPS.
Manually delete all SNMP users and SNMP traphosts that are not compliant with FIPS before rerunning the "system snmp enable-snmpv3" command:
1. Delete the remaining noncompliant SNMP traphosts by using the "system snmp traphost delete" command. Use the "system snmp traphost show" command to list all configured traphosts. The following SNMP traphosts are not FIPS compliant:
a. SNMPv1 traphosts: SNMPv1 traphosts are configured with "Community" strings.
b. SNMPv3 traphosts configured with a user that is not FIPS compliant. SNMPv3 traphosts are configured with a "USM User". Any "USM User" that is listed by running the commands in sections 2b and 2c below are not FIPS compliant.
2. Delete the remaining noncompliant SNMP users by using the "security login delete" command. The following SNMP users are not FIPS compliant:
a. SNMPv1 users and SNMPv2c users. Use the "security login show -authentication-method community" command to list all SNMPv1 users and SNMPv2c users.
b. SNMPv3 users having "none" or "MD5" as the authentication method. Use the "security snmpusers -authmethod usm-authprotocol none|md5" command to list all SNMPv3 users having "none" or "MD5" as the authentication method.
c. SNMPv3 users having "none" or "DES" as the encryption protocol. Use the "security snmpusers -authmethod usm-privprotocol none|des" command to list all SNMPv3 users having "none" or "DES" as the encryption protocol.
- Running the commands referenced in the error returns nothing.
Cluster01::*> system snmp traphost show
-
Cluster01::*> security login show -authentication-method community
There are no entries matching your query.
Cluster01::*> security snmpusers show
There are no entries matching your query.
Cluster01::*> security snmpusers -authmethod usm-authprotocol none|md5
There are no entries matching your query.
Cluster01::*> security snmpusers -privprotocol none|des
There are no entries matching your query.