SNMP Profiles

SNMP profiles contain the information necessary to enable secure queries of device MIBs. SNMP profiles provide SNMP parameters to data sources and ensure data security. capm  supports SNMPv1, SNMPv2c, and SNMPv3. Community strings and credentials are encrypted in capm.
capm360
HID_View_the_SNMP_Profiles_List
SNMP profiles contain the information necessary to enable secure queries of device MIBs. SNMP profiles provide SNMP parameters to data sources and ensure data security. 
CA Performance Management
  supports SNMPv1, SNMPv2c, and SNMPv3. Community strings and credentials are encrypted in 
CA Performance Management
.
 
 
 
CA Performance Management
 uses SNMP profiles during inventory discovery to determine what credentials to use when accessing a device. Each profile is ranked for device access. During discovery, each profile is tried for device access. The profile with the highest rank that can access a device is used. If a device that uses an SNMPv1/SNMPv2c profile responds to SNMPv1 and SNMPv2c, the 
CA Performance Management
 uses SNMPv2c.
Polling devices with SNMPv3 adds an extra load of about 30 percent to the CPU of Data Collectors. 
 To limit the SNMP profiles that are used during discovery, use a specific list of assigned SNMP profiles. For more information, see Discovery Profiles.
 
CA Application Delivery Analysis
CA Network Flow Analysis
, and CA Unified Communications Monitor use SNMP profiles to query the MIBs of managed items for performance information. When you register one of these data sources, any profiles that were created in that data source are added to 
CA Performance Management
. Naming conflicts are resolved automatically. Any changes to SNMP profile in 
Performance Center
 are propagated to these data sources during synchronization.
Users with the Administer SNMP Profiles role right can create, edit, and delete SNMP profiles. SNMP profiles are specific to tenants. The Default Tenant Administrator sees a list of SNMP profiles that are associated with the Default Tenant. In multi-tenant environments, each tenant administrator sees only the SNMP profiles for that tenant.
To view the list of SNMP profiles, go to 
Administration
Configuration Settings
, and click 
SNMP Profiles
. The list includes high-level information about the contents of each profile.
Create an SNMP Profile
To enable the system to query devices through SNMP, define SNMP profiles with communication credentials.
This procedure requires the Administer SNMP Profiles role rights.
 
Follow these steps:
 
  1. Select 
    Administration
    Configuration Settings
    SNMP Profiles
    .
  2. Click 
    New
    .
  3. Complete the fields, and change any default settings. Some fields apply only to SNMPv3.
    •  
      Profile Name
      SNMP profile names must be unique, cannot be duplicated across SNMP versions, and are not case-sensitive.
    •  
      SNMP Version
      Specifies whether the profile uses SNMPv1/v2c or SNMPv3.
    •  
      Port
      The port that is used to make SNMP connections to devices associated with this profile.
      Default
      : 161
      This port can also be used to send SNMP traps to trap receivers associated with this profile through notifications. In this scenario, use 162 by default. For more information, see Configure Notifications.
    •  
      User Name
      (SNMPv3 Only) Identifies the user for the profile, whose secret keys were used to authenticate and encrypt the SNMPv3 packets.
    •  
      Context Name
      (SNMPv3 Only) Identifies the collection of management information that is accessible by an SNMP entity. An octet string that is necessary for providing end-to-end identification and for retrieving data from an SNMPv3 agent.
       The Data Aggregator does not use Context Name on the SNMPv3 profiles to communicate with the device.
    •  
      Community Name
      (SNMPv1/v2c Only) Defines a secure string that lets the data source query the MIB of the associated device. The community that you supply must provide read access to the device MIB.
      : In the default SNMP profile, the community is 'public'.
    •  
      Authentication Protocol
      (SNMPv3 Only) Specifies the authentication protocol to use when contacting devices associated with this profile. The following algorithms for authenticating SNMPv3 packets are supported:
      • None
      • MD5 (Message Digest 5)
      • SHA (Secure Hash Algorithm)
    •  
      Authentication Password
      (SNMPv3 Only) Specifies the password for authentication using SNMPv3 and the selected authentication protocol.
    •  
      Privacy Protocol
      (SNMPv3 Only) Specifies the encryption protocol to use for data flows sent to any devices or servers:
       The privacy protocol option is enabled when authentication is enabled for the profile.
      • None
      • DES
      • AES 128
      • Triple DES
      • AES 256 with 3DES key
    •  
      Privacy Password
      (SNMPv3 Only) Defines the password that is used when exchanging encryption keys.
    •  
      Use by default for new devices
      Specifies whether 
      CA Application Delivery Analysis
      CA Network Flow Analysis
      , and CA Unified Communications Monitor use this profile to contact any new items. To stop these data sources from using this SNMP profile for discovery, disable this parameter.
    •  
      Use for SNMP SET
      The profile provides write credentials on the discovered devices. Profiles with this property 
      do not
       participate in device discovery. Associate this profile with devices which require SET authorization, for example, to configure RTT tests. For more information, see Configure Round Trip Time (RTT) Tests.
  4. Click 
    Save
    .
    The SNMP profile is added to the system and used for discovery and polling.
    Performance Center
     automatically performs a global synchronization to send the profile information to registered data sources.
Change SNMP Profile Order
To determine the selection order of SNMP profiles for discovery and polling, change the priority order of the SNMP profiles. The 
Order
 parameter determines which profile 
CA Performance Management
 uses for polling when the device responds to multiple profiles. 
Changes to the order do not affect existing polled devices. 
CA Performance Management
 continues to use the associated SNMP profile to poll those devices.
The new order takes effect in the following situations:
  • A new device is discovered.
  • An existing device becomes unreachable through SNMP for at least two poll cycles.
  • The SNMP profile for a device is deleted.
Administrator users can modify the priority order of SNMP profiles.
 
Follow these steps:
 
  1. Select 
    Administration
    Configuration Settings
    SNMP Profiles
    .
  2. Click and drag or use the 
    Move Up
     and 
    Move Down
     buttons to change the order.
    CA Performance Management
     uses the new order for unreachable devices.
SNMP Profile Changes
When the SNMP credentials on a polled device change, add the new SNMP profile information to 
CA Performance Management
. When the device becomes unreachable with the deprecated SNMP profile for two poll cycles, 
CA Performance Management
 attempts to contact the device with other profiles. When 
CA Performance Management
 successfully contacts the device with an SNMP profile, that profile is assigned to the device for future polling.
 To see the SNMP profile that 
CA Performance Management
 uses to poll the device, go to the administration page for the device. For more information, see Manage Devices.
Modify the Timeout and Retries Parameters
You can modify the timeout and retries parameters for each SNMP profile on your system using a REST client. If SNMP requests go across a WAN or across a slow network connection, they might time out. The timeouts can cause missing polled data or device discovery failure.
  •  
    Timeout
    The amount of time a device is given to respond to an SNMP request per try
    Default: 3000 milliseconds
  •  
    Retries
    The number of times an SNMP query is reissued before it times out
    Default: 2 retries
For example, by default, an SNMP request is given the following amount of time:
  • 3 seconds x (first attempt + 2 retries)= 3 seconds x 3 tries = 9 seconds to respond before it times outs
Modifying these parameters without careful consideration can result in unintended consequences. For example, modifications could result in resource starvation (CPU / Memory) and unnecessary traffic on the Data Collector. Modify these parameters only if you have a basic understanding of SNMP communication.
 
Follow these steps:
 
  1. Set up a REST client with a connection to the Data Aggregator server.
  2. Specify the following URL:
    http://
    da_hostname
    :8581/rest/profiles/
    profile_item_id
     
     
  3. PUT the XML for modifying the parameters:
    <?xml version="1.0" encoding="UTF-8"?>
    <CommunicationProfile version="1.0.0">
    <CommunicationFailurePolicy version="1.0.0">
    <Timeout>3000</Timeout>
    <Retries>2</Retries>
    </CommunicationFailurePolicy>
    </CommunicationProfile>
Show Secure SNMP Data in Clear Text
By default, secure data is encrypted in the Add and Edit SNMP Profiles pages. To enable an administrator to troubleshoot issues with SNMP polling, allow that administrator to view secure data in clear text.
By default, this role right is not assigned to any roles. Only the predefined Administrator role can have this role right. Only Administrator users can modify role rights.
 
Follow these steps:
 
  1. Select 
    Administration
    User Settings
    Roles
    .
  2. Select the 
    Administrator
     role, and click 
    Edit
    .
  3. Select 
     
    Performance Center
     
    , and click 
    Edit
    .
  4. Add the 
    SNMP Clear Text
     role right to the 
    Selected Rights
     list, and click 
    OK
    .
  5. Click 
    Save
    .
    Users with the Administrator role are now able to view secure SNMP data in clear text. By default, the predefined Administrator role is assigned only to the global administrator. To allow another user to view secure SNMP data, assign the Administrator role to another user account.