
NTP and Secure NTP on Luna SA

Left to their own devices, all computer/hardware clocks are subject to some drift. These changes occur slowly and are usually small, but can nevertheless be significant in many applications. Thus it is desirable to be able to synchronize the appliance's internal clock with a known-to-be-accurate source of time information. Network Time Protocol (NTP) provides a means whereby your appliance (or any other network-connected digital device) can receive time signals from extremely accurate servers of time data.

Network Time Protocol (NTP) by default does not authenticate NTP servers. NTP version 3 provides an authentication option using symmetric keys shared between NTP clients and servers.

NTP version 4, in addition to supporting NTP v3 symmetric key authentication, provides a public key authentication mechanism called "Autokey". These authentication mechanisms enable NTP clients (Luna SA) to authenticate trusted NTP servers; a reply that carries no authenticator, or one made with a key the client does not trust, is discarded. NTP servers do not authenticate clients. Note that authentication protects the appliance against a spoofed or tampered server reply; it does not make the server's own clock any more accurate than it is.
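The following is an added illustration of how NTP v3/v4 symmetric key authentication works on the wire; it is not Luna SA code (the appliance does this inside its own ntpd and exposes only the lunash sysconf ntp commands) and it is not taken from the NTP project. It builds an NTPv4 client request, appends the key ID and a digest computed over the shared key followed by the 48-byte header as RFC 5905 describes, simulates a server reply signed with the same key, and then shows what a client must reject: a reply with no authenticator, a reply whose contents were altered in transit, and a reply signed with a key ID the client has not marked as trusted. The sample ntp.keys text and the key values are constructed for the example, and extension fields are assumed absent so the digest covers the header only.

```python
"""Illustration of NTP symmetric-key authentication (RFC 5905, section 7.3).

Hypothetical example, not Luna SA or ntp.org code. The MAC is
keyid || digest(key || NTP header); the client accepts a reply only if the
key ID is one it trusts and the digest matches.
"""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48

# Constructed sample ntp.keys contents (not real keys). Format: keyid type key
SAMPLE_KEYS_FILE = """\
# keyid  type  key
1        MD5   example-shared-secret
2        SHA1  0123456789abcdef0123456789abcdef01234567
"""


def parse_keys(text):
    """Parse ntp.keys lines into {keyid: (hash_name, key_bytes)}.
    MD5 keys are read as ASCII passwords and SHA1 keys as hex; ntpd also
    accepts a 40-hex-character MD5 key, which this toy parser does not."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyid, ktype, secret = line.split(None, 2)
        ktype = ktype.upper()
        if ktype in ("M", "MD5"):
            keys[int(keyid)] = ("md5", secret.encode("ascii"))
        elif ktype == "SHA1":
            keys[int(keyid)] = ("sha1", bytes.fromhex(secret))
        else:
            raise ValueError("unsupported key type %r" % ktype)
    return keys


def to_ntp_timestamp(unix_time):
    """Convert a Unix time to the 64-bit NTP (seconds, fraction) pair."""
    whole = int(unix_time)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return secs, frac


def build_header(mode, transmit_time, origin=(0, 0)):
    """Build a 48-byte NTPv4 header. mode 3 = client, 4 = server."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    tx_sec, tx_frac = to_ntp_timestamp(transmit_time)
    return struct.pack(
        "!BBBb11I",
        li_vn_mode, 0, 6, -20,  # LI/VN/mode, stratum, poll, precision
        0, 0, 0,                # root delay, root dispersion, reference id
        0, 0,                   # reference timestamp
        origin[0], origin[1],   # origin timestamp (echo of the request)
        0, 0,                   # receive timestamp
        tx_sec, tx_frac,        # transmit timestamp
    )


def append_mac(header, keyid, keys):
    """Append keyid || digest(key || header). Extension fields are assumed
    absent, so the digest covers only the 48-byte header."""
    hash_name, key = keys[keyid]
    digest = hashlib.new(hash_name, key + header).digest()
    return header + struct.pack("!I", keyid) + digest


def verify_mac(packet, keys, trusted_keyids):
    """True only if the packet carries a MAC made with a trusted key and the
    digest matches. No MAC, unknown/untrusted key ID, or altered contents
    all lead to rejection."""
    if len(packet) < HEADER_LEN + 4:
        return False  # unauthenticated packet
    header = packet[:HEADER_LEN]
    (keyid,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    received = packet[HEADER_LEN + 4:]
    if keyid not in trusted_keyids or keyid not in keys:
        return False
    hash_name, key = keys[keyid]
    expected = hashlib.new(hash_name, key + header).digest()
    return hmac.compare_digest(expected, received)


def simulated_server_reply(request, keyid, keys):
    """Stand-in for a secure NTP server: echo the client's transmit timestamp
    as the origin, set mode 4, sign with the shared key. The server does not
    check who sent the request (NTP servers do not authenticate clients)."""
    client_tx = struct.unpack("!II", request[40:48])
    reply = build_header(4, time.time(), origin=client_tx)
    return append_mac(reply, keyid, keys)


def demo():
    """Run the exchange and return which replies the client accepts."""
    keys = parse_keys(SAMPLE_KEYS_FILE)
    trusted = {1}  # the client's trustedkey list: key 2 exists but is not trusted
    request = append_mac(build_header(3, time.time()), 1, keys)
    reply = simulated_server_reply(request, 1, keys)
    tampered = reply[:40] + bytes([reply[40] ^ 0x01]) + reply[41:]  # alter transmit ts
    return {
        "genuine": verify_mac(reply, keys, trusted),
        "tampered": verify_mac(tampered, keys, trusted),
        "unauthenticated": verify_mac(reply[:HEADER_LEN], keys, trusted),
        "untrusted_key": verify_mac(simulated_server_reply(request, 2, keys), keys, trusted),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-16s %s" % (name, "accepted" if ok else "rejected"))
```

Only the genuine reply is accepted; the other three cases are rejected. The shared key is the entire basis of trust here, which is why the key file on both the server and the appliance has to be protected and the key IDs the client will honour kept to the explicit trusted list.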

Luna SA can be configured as an NTP client only, not as a server or peer. Multicast and Manycast are also not supported in Luna SA at this time. A page of the Administration & Maintenance section of this Help ("Example Using Secure NTP") explains configuring NTP authentication in Luna SA using Luna shell (lunash:>) commands. The available configuration commands are described in the Reference section of this Help, under "Lunash Appliance Commands > sysconf Commands > sysconf ntp Commands" ("sysconf ntp commands").
For more information about NTP authentication please refer to the NTP v4 documentation [1][2].

Luna SA uses NTP v4 (4.2.6p2) and supports both symmetric and public key authentication as described below. Compared with the legacy Luna SA implementation, new Luna shell (lunash:>) commands have been added and some of the previously-used (pre-2009) commands have been modified.

Using NTP authentication in Luna SA requires NTP servers which have been properly configured to support authentication. Configuring NTP servers is beyond the scope of this document. For information about configuring NTP servers please refer to the standard NTP documentation [1][3].

Standard, non-secure NTP is available from a variety of public sites. For greater security and control, your organization might have established its own secure NTP server(s) or might have entered into agreement with a trusted supplier of secure NTP service. Contact your local IT manager or security officer for the particulars.

The short description is that you

What If I Can't Use NTP?

NTP is the most reliable and straightforward way to correct the time-drift inherent in computer systems, but your situation might preclude that solution. An alternate method of establishing and correcting the drift on your HSM appliance is to use the onboard drift-correction commands ( "Correcting Time Drift" ).

References

=========================================================

[1] NTP Documentation Page: http://www.ntp.org/documentation.html

[2] NTP FAQ, Authentication: http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#S-CONFIG-ADV-AUTH

[3] NTP FAQ, Public-Key Authentication (Autokey): http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#Q-CONFIG-ADV-AUTH-AUTOKEY

[4] Autokey Identity Schemes: http://www.eecis.udel.edu/~mills/ident.html

[5] ntp-keygen tool: http://doc.ntp.org/4.2.6/keygen.html

[6] NTP Server configuration options: http://doc.ntp.org/4.2.6/confopt.html
