Show the Table of Contents

You are here: Administration & Maintenance Manual > Appliance Administration > NTP and Drift Correction > Example Using Secure NTP

Example Using Secure NTP

We suggest that you use secure NTP (as opposed to the non-secure standard variety) for your Luna SA.

Secure NTP:

Secure NTP can be mixed with regular/simple NTP. For this example, any simple NTP will be removed for now:

[kuso] lunash:>sysc ntp list

=================================================================

NTP Servers:

server 127.127.1.0

server ntp.cpsc.ucalgary.ca

=================================================================

Command Result : 0 (Success)

[kuso] lunash:>sysc ntp delete ntp.cpsc.ucalgary.ca

NTP server ntp.cpsc.ucalgary.ca deleted

NTP is enabled

Shutting down ntpd: [ OK ]

Starting ntpd: [ OK ]

Please wait to see the result ......

NTP is running

===========================================================

NTP Associations Status:

ind assID status conf reach auth condition last_event cnt

===========================================================

1 7095 9014 yes yes none reject reachable 1

===========================================================

Please look at the ntp log to see any potential problem.

Command Result : 0 (Success)

[kuso] lunash:>

 

Obtain an identity scheme from the secure NTP server (IFF, GQ or MV key). Check with the site of the server for the particulars. For this example, an IFF key is used. It must be scp’d to the Luna SA server and installed:

 

[kuso] lunash:>sysconf ntp autokeyAuth install -idscheme IFF -keyfile ntpkey_IFFkey_tor1-jprobe.upn.local.3436099994

------- Installing Imported Identity Scheme File -------

Configured Autokey IFF Identity Scheme.

You must restart NTP for the changes to take effect.

Check NTP status after restarting it to make sure that the client is able to start and sync with the server.

Command Result : 0 (Success)

[kuso] lunash:>

 

As instructed, restart NTP:

 

[kuso] lunash:>service restart ntp

Shutting down ntp: [ OK ]

Starting ntp: [ OK ]

Command Result : 0 (Success)

[kuso] lunash:>

 

 

The Secure NTP used for this example uses the default parameters, so only the password is specified:

 

[kuso] lunash:>sysconf ntp autokeyAuth generate -p myPas$w0rd!

Generate new keys and certificates using ntp-keygen

Using OpenSSL version 9070df

Random seed file /root/.rnd 1024 bytes

Generating RSA keys (512 bits)...

RSA 0 1 5 1 11 24 3 1 2

Generating new host file and link

ntpkey_host_kuso->ntpkey_RSAkey_kuso.3437830225

Using host key as sign key

Generating certificate RSA-MD5

X509v3 Basic Constraints: critical,CA:TRUE

X509v3 Key Usage: digitalSignature,keyCertSign

Generating new cert file and link

ntpkey_cert_kuso->ntpkey_RSA-MD5cert_kuso.3437830225

ntp-keygen Result: 0

You must restart NTP for the changes to take effect.

Check NTP status after restarting it to make sure that the client is able to start and sync with the server.

Command Result : 0 (Success)

[kuso] lunash:>

 

As instructed, restart NTP at this time:

 

kuso] lunash:>service restart ntp

Shutting down ntp: [ OK ]

Starting ntp: [ OK ]

Command Result : 0 (Success)

[kuso] lunash:>

 

Check the status of NTP. Like standard NTP, this may take a few minutes for a proper synchronization to occur:

 

[kuso] lunash:>sysconf ntp status

NTP is running

NTP is enabled

Peers:

==============================================================================

remote refid st t when poll reach delay offset jitter

==============================================================================

LOCAL(0) .LOCL. 10 l 6 64 77 0.000 0.000 0.001
*tor1-jprobe.upn 206.248.171.198 2 u 59 64 3 0.341 -554.47 3.309

==============================================================================

Associations:

==============================================================================

ind assID status conf reach auth condition last_event cnt

===========================================================

1 56812 9614 yes yes ok sys.peer sys_peer 1
2 5725 f63a yes yes ok sys.peer sys_peer 3

==============================================================================

NTP Time:

==============================================================================

ntp_gettime() returns code 0 (OK)

time cce922c5.76cdb000 Tue, Dec 9 2008 12:00:53.464, (.464076),

maximum error 452335 us, estimated error 0 us

ntp_adjtime() returns code 0 (OK)

modes 0x0 (),

offset 0.000 us, frequency 0.000 ppm, interval 4 s,

maximum error 452335 us, estimated error 0 us,

status 0x1 (PLL),

time constant 2, precision 1.000 us, tolerance 512 ppm,

==============================================================================

Command Result : 0 (Success)

[kuso] lunash:>

 

 

See Also

 

 

 

 

Show the Table of Contents