SNMP Profiles

SNMP profiles contain the information necessary to enable secure queries of device MIBs. SNMP profiles provide SNMP parameters to data sources and ensure data security. CA Performance Management supports SNMPv1, SNMPv2c, and SNMPv3. Community strings and credentials are encrypted in CA Performance Management.
CA Performance Management uses SNMP profiles during inventory discovery to determine what credentials to use when accessing a device. Each profile is ranked for device access. During discovery, each profile is tried for device access. The profile with the highest rank that can access a device is used. If a device that uses an SNMPv1/SNMPv2c profile responds to SNMPv1 and SNMPv2c, CA Performance Management uses SNMPv2c.
Polling devices with SNMPv3 adds an extra load of about 30 percent to the CPU of Data Collectors. 
To limit the SNMP profiles that are used during discovery, use a specific list of assigned SNMP profiles. For more information, see Discovery Profiles.
CA Application Delivery Analysis, CA Network Flow Analysis, and CA Unified Communications Monitor use SNMP profiles to query the MIBs of managed items for performance information. When you register one of these data sources, any profiles that were created in that data source are added to CA Performance Management. Naming conflicts are resolved automatically. Any changes to SNMP profiles in Performance Center are propagated to these data sources during synchronization.
Users with the Administrator role can create, edit, and delete SNMP profiles. SNMP profiles are specific to tenants. The Default Tenant Administrator sees a list of SNMP profiles that are associated with the Default Tenant. In multi-tenant environments, each tenant administrator sees only the SNMP profiles for that tenant.
To view the list of SNMP profiles, go to Administration, System Settings, and click SNMP Profiles. The list includes high-level information about the contents of each profile.
Create an SNMP Profile
To enable the system to query devices through SNMP, define SNMP profiles with communication credentials.
This procedure requires the Administrator role.
Supply an authentication password that is at least eight characters. Some data sources do not support authentication passwords or privacy passwords that fall below this minimum length. These data sources treat the SNMP profile as invalid, and some data is not collected.
When using SNMPv3 community names, CA Performance Management requires that any authentication passwords or privacy passwords are greater than eight characters in length. If the passwords are shorter than eight characters in length, SNMPv3 profiles might be unsuccessful in communicating with devices. Blank passwords are not supported for SNMPv3 profiles with MD5 or SHA as the Authentication Protocol.
Follow these steps:
  1. Select Administration, SNMP Profiles.
  2. Click New.
  3. Complete the fields, and change any default settings. Some fields apply only to SNMPv3.
    • Profile Name
      SNMP profile names must be unique, cannot be duplicated across SNMP versions, and are not case-sensitive.
    • SNMP Version
      Specifies whether the profile uses SNMPv1/v2c or SNMPv3.
    • Port
      The port that is used to make SNMP connections to devices associated with this profile.
      Default: 161
    • User Name
      (SNMPv3 Only) Identifies the user for the profile, whose secret keys are used to authenticate and encrypt the SNMPv3 packets.
    • Context Name
      (SNMPv3 Only) Identifies the collection of management information that is accessible by an SNMP entity. An octet string that is necessary for providing end-to-end identification and for retrieving data from an SNMPv3 agent.
      The Data Aggregator does not use Context Name on the SNMPv3 profiles to communicate with the device.
    • Community Name
      (SNMPv1/v2C Only) Defines a secure string that lets the data source query the MIB of the associated device. The community that you supply must provide read access to the device MIB.
      In the default SNMP profile, the community is 'public'.
    • Authentication Protocol
      (SNMPv3 Only) Specifies the authentication protocol to use when contacting devices associated with this profile. The following algorithms for authenticating SNMPv3 packets are supported:
      • None
      • MD5 (Message Digest 5)
      • SHA (Secure Hash Algorithm)
    • Authentication Password
      (SNMPv3 Only) Specifies the password for authentication using SNMPv3 and the selected authentication protocol.
    • Privacy Protocol
      (SNMPv3 Only) Specifies the encryption protocol to use for data flows sent to any devices or servers.
      The privacy protocol option is enabled when authentication is enabled for the profile.
    • Privacy Password
      (SNMPv3 Only) Defines the password that is used when exchanging encryption keys.
    • Use by default for new devices
      Specifies whether CA Application Delivery Analysis, CA Network Flow Analysis, and CA Unified Communications Monitor use this profile to contact any new items. To stop these data sources from using this SNMP profile for discovery, disable this parameter.
    • Use for SNMP SET
      The profile provides write credentials on the discovered devices. Profiles with this property do not participate in device discovery. Associate this profile with devices which require SET authorization, for example, to configure RTT tests. For more information, see Configure Round Trip Time (RTT) Tests.
  4. Click Save.
    The SNMP profile is added to the system and used for discovery and polling.
    Performance Center automatically performs a global synchronization to send the profile information to registered data sources.
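The field rules in this procedure can be checked before profiles are entered. The following is an added example, not part of the product or its documentation: it lints constructed profile definitions against the password, protocol, and naming rules stated above, and the dictionary keys are hypothetical names for the form fields.

```python
# Added example. Dictionary keys are hypothetical names for the form fields above.
MIN_PASSWORD_LEN = 8  # "at least eight characters", as stated on this page

def check_password(label, value, findings):
    if not value:
        findings.append(f"{label} password is blank")
    elif len(value) < MIN_PASSWORD_LEN:
        findings.append(f"{label} password is shorter than {MIN_PASSWORD_LEN} characters")

def lint_profile(profile):
    """Return findings for one profile; an empty list means nothing was flagged."""
    findings = []
    if profile["version"] == "SNMPv1/v2c":
        if profile.get("community", "").lower() == "public":
            findings.append("community name is the default 'public'")
        return findings
    auth = profile.get("auth_protocol", "None")
    priv = profile.get("priv_protocol", "None")
    if auth == "None":
        findings.append("authentication protocol is None")
        return findings
    check_password("authentication", profile.get("auth_password", ""), findings)
    if priv == "None":
        findings.append("privacy protocol is None: polled data is not encrypted")
    else:
        check_password("privacy", profile.get("priv_password", ""), findings)
    return findings

def lint_profiles(profiles):
    """Lint every profile and flag names that collide case-insensitively."""
    report, seen = [], set()
    for profile in profiles:
        findings = lint_profile(profile)
        if profile["name"].lower() in seen:
            findings.append("profile name is already in use (names are not case-sensitive)")
        seen.add(profile["name"].lower())
        report.append((profile["name"], findings))
    return report

# Constructed sample profiles; "AES" stands in for whichever privacy protocol is selected.
SAMPLE_PROFILES = [
    {"name": "default", "version": "SNMPv1/v2c", "community": "public"},
    {"name": "core-v3", "version": "SNMPv3", "auth_protocol": "SHA",
     "auth_password": "short", "priv_protocol": "AES", "priv_password": "long-enough-phrase"},
    {"name": "Core-V3", "version": "SNMPv3", "auth_protocol": "MD5", "auth_password": ""},
    {"name": "edge-v3", "version": "SNMPv3", "auth_protocol": "SHA",
     "auth_password": "long-enough-phrase", "priv_protocol": "AES", "priv_password": "another-long-phrase"},
]
```

Calling lint_profiles(SAMPLE_PROFILES) returns one (name, findings) pair per profile, in input order.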
Change SNMP Profile Order
To determine the selection order of SNMP profiles for discovery and polling, change the priority order of the SNMP profiles. The Order parameter determines which profile CA Performance Management uses for polling when the device responds to multiple profiles.
Changes to the order do not affect existing polled devices. CA Performance Management continues to use the associated SNMP profile to poll those devices.
The new order takes effect in the following situations:
  • A new device is discovered.
  • An existing device becomes unreachable through SNMP for at least two poll cycles.
  • The SNMP profile for a device is deleted.
Administrator users can modify the priority order of SNMP profiles.
Follow these steps:
  1. Select Administration, SNMP Profiles.
  2. Click and drag or use the Move Up and Move Down buttons to change the order.
    CA Performance Management uses the new order for unreachable devices.
SNMP Profile Changes
When the SNMP credentials on a polled device change, add the new SNMP profile information to CA Performance Management. When the device becomes unreachable with the deprecated SNMP profile for two poll cycles, CA Performance Management attempts to contact the device with other profiles. When CA Performance Management successfully contacts the device with an SNMP profile, that profile is assigned to the device for future polling.
To see the SNMP profile that CA Performance Management uses to poll the device, go to the administration page for the device. For more information, see Manage Devices.
Modify the Timeout and Retries Parameters
You can modify the timeout and retries parameters for each SNMP profile on your system using a REST client. If SNMP requests go across a WAN or across a slow network connection, they might time out. The timeouts can cause missing polled data or device discovery failure.
  • Timeout
    The amount of time a device is given to respond to an SNMP request per try
    Default: 3000 milliseconds
  • Retries
    The number of times an SNMP query is reissued before it times out
    Default: 2 retries
For example, by default, an SNMP request is given the following amount of time:
  • 3 seconds x (first attempt + 2 retries) = 3 seconds x 3 tries = 9 seconds to respond before it times out
Modifying these parameters without careful consideration can result in unintended consequences. For example, modifications could result in resource starvation (CPU / Memory) and unnecessary traffic on the Data Collector. Modify these parameters only if you have a basic understanding of SNMP communication.
Follow these steps:
  1. Set up a REST client with a connection to the Data Aggregator server.
  2. Specify the following URL:
    http://da_hostname:8581/rest/profiles/profile_item_id
  3. PUT the XML for modifying the parameters:
    <?xml version="1.0" encoding="UTF-8"?>
    <CommunicationProfile version="1.0.0">
        <CommunicationFailurePolicy version="1.0.0">
            <Timeout>3000</Timeout>
            <Retries>2</Retries>
        </CommunicationFailurePolicy>
    </CommunicationProfile>
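The procedure above can be scripted. The following is an added example, not code from the product: it computes the worst-case wait for a timeout and retries pair, refuses values above a caller-chosen ceiling, and builds the XML body from step 3. The budget_ms parameter, the Content-Type header, and the sample values are assumptions; the URL pattern and element names come from this page.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote

def worst_case_wait_ms(timeout_ms, retries):
    """Time one SNMP request can occupy: timeout x (first attempt + retries)."""
    return timeout_ms * (1 + retries)

def build_policy_xml(timeout_ms, retries, budget_ms=None):
    """Build the PUT body; budget_ms is a hypothetical ceiling set by the caller."""
    if timeout_ms <= 0 or retries < 0:
        raise ValueError("timeout must be positive and retries non-negative")
    total = worst_case_wait_ms(timeout_ms, retries)
    if budget_ms is not None and total > budget_ms:
        raise ValueError(f"worst case {total} ms exceeds budget {budget_ms} ms")
    root = ET.Element("CommunicationProfile", version="1.0.0")
    policy = ET.SubElement(root, "CommunicationFailurePolicy", version="1.0.0")
    ET.SubElement(policy, "Timeout").text = str(timeout_ms)
    ET.SubElement(policy, "Retries").text = str(retries)
    xml = ET.tostring(root, encoding="unicode")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n' + xml).encode("utf-8")

def profile_url(da_hostname, profile_item_id):
    # quote() keeps the ID inside a single path segment of the URL from step 2
    return f"http://{da_hostname}:8581/rest/profiles/{quote(str(profile_item_id), safe='')}"

def put_policy(da_hostname, profile_item_id, body, http_timeout_s=10):
    """Send the PUT. The Content-Type header is an assumption, not from this page."""
    req = urllib.request.Request(profile_url(da_hostname, profile_item_id), data=body,
                                 method="PUT", headers={"Content-Type": "application/xml"})
    with urllib.request.urlopen(req, timeout=http_timeout_s) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed values for a slow WAN link: 5 s x (1 + 3) = 20 s worst case
    print(worst_case_wait_ms(5000, 3))
    print(build_policy_xml(5000, 3, budget_ms=20000).decode())
```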
Show Secure SNMP Data in Clear Text
By default, secure data is encrypted in the Add and Edit SNMP Profiles pages. To enable an administrator to troubleshoot issues with SNMP polling, allow that administrator to view secure data in clear text.
By default, this role right is not assigned to any roles. Only the predefined Administrator role can have this role right. Only Administrator users can modify role rights.
Follow these steps:
  1. Select Administration, Roles.
  2. Select the Administrator role, and click Edit.
  3. Select Performance Center, and click Edit.
  4. Add the SNMP Clear Text role right to the Selected Rights list, and click OK.
  5. Click Save.
    Users with the Administrator role are now able to view secure SNMP data in clear text. By default, the predefined Administrator role is assigned only to the global administrator. To allow another user to view secure SNMP data, assign the Administrator role to another user account.