
NTP and Secure NTP on SafeNet Network HSM

Left to their own devices, all computer/hardware clocks are subject to some drift. These changes occur slowly and are usually small, but can be nevertheless significant in many applications. Thus it is desirable to be able to synchronize the appliance's internal clock with a known-to-be-accurate source of time information. Network Time Protocol (NTP) provides a means whereby your appliance (or any other network-connected digital device) can receive time signals from extremely accurate servers of time data.

By default, Network Time Protocol (NTP) does not authenticate NTP servers. NTP version 3 provides an authentication option using symmetric keys shared between NTP clients and servers.

NTP version 4, in addition to supporting NTP v3 symmetric key authentication, provides a public key authentication mechanism called 'Autokey'. These authentication mechanisms enable NTP clients (SafeNet Network HSM) to authenticate trusted NTP servers. NTP servers do not authenticate clients.
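As an added illustration of the symmetric-key mechanism described above (this is example code, not part of the SafeNet documentation or the appliance software), the following shows how an NTP client checks the MAC that a server appends to its 48-byte packet: a 4-byte key ID followed by a digest of the shared key concatenated with the packet. KEY_ID and SHARED_KEY are constructed values; a packet with no MAC, an unknown key ID, or a modified header is rejected.

```python
import hashlib
import hmac
import struct

# Constructed example values; an NTP "M" type key is an ASCII string of up to 20 characters.
KEY_ID = 10
SHARED_KEY = b"example-ntp-key"


def ntp_mac(key_id, key, header, digest="md5"):
    """NTP symmetric-key MAC: key ID followed by digest(key || header).

    Note this is a plain keyed digest, not HMAC; MD5 is the classic NTP v3 algorithm.
    """
    h = hashlib.new(digest)
    h.update(key)
    h.update(header)
    return struct.pack("!I", key_id) + h.digest()


def sign_packet(header, key_id, key):
    """What an authenticating server does: append the MAC to the 48-byte header."""
    if len(header) != 48:
        raise ValueError("NTP header must be 48 bytes")
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet, trusted_keys):
    """What the client does: accept only packets carrying a valid MAC under a trusted key ID."""
    if len(packet) < 48 + 4 + 16:
        return False  # unauthenticated or truncated packet
    header = packet[:48]
    key_id = struct.unpack("!I", packet[48:52])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False  # key ID is not one the client trusts
    expected = ntp_mac(key_id, key, header)
    return hmac.compare_digest(packet[48:], expected)


def build_server_header(stratum=2):
    """Constructed NTP v4 server-mode header (LI=0, VN=4, Mode=4); other fields zeroed."""
    first = (0 << 6) | (4 << 3) | 4
    return struct.pack("!BBbb", first, stratum, 6, -20) + b"\x00" * 44
```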

SafeNet Network HSM can be configured as an NTP client only, not as a server or peer. Multicast and Manycast are not supported in SafeNet Network HSM at this time. A page in the Administration & Maintenance section of this Help explains configuring NTP authentication in SafeNet Network HSM using LunaSH (lunash:>) commands ( Example Using Secure NTP ). The available configuration commands are described in the Reference section of this Help, under "Lunash Appliance Commands > sysconf Commands > sysconf ntp Commands".
For more information about NTP authentication please refer to the NTP v4 documentation [1][2].

SafeNet Network HSM uses NTP v4 (4.2.6p2) and supports both symmetric and public key authentication as described below. Compared with the legacy SafeNet Network HSM implementation, new LunaSH (lunash:>) commands have been added and some previously-used commands (pre-2009) have been modified.

Using NTP authentication in SafeNet Network HSM requires NTP servers which have been properly configured to support authentication. Configuring NTP servers is beyond the scope of this document. For information about configuring NTP servers please refer to the standard NTP documentation [1][3].

Standard, non-secure NTP is available from a variety of public sites. For greater security and control, your organization might have established its own secure NTP server(s) or might have entered into agreement with a trusted supplier of secure NTP service. Contact your local IT manager or security officer for the particulars.

The short description is that you:

1. make note of the parameters of the certificate that the server provides, then

2. configure your SafeNet Network HSM to use that NTP server and to accept the server's authentication certificate as identified by the parameters that you previously recorded (key ID, size, fingerprint, etc. as appropriate), and

3. have your SafeNet Network HSM begin using the time signal supplied by that secure NTP server.

What If I Can't Use NTP?

NTP is the most reliable and straightforward way to correct the time-drift inherent in computer systems, but your situation might preclude that solution. An alternate method of establishing and correcting the drift on your HSM appliance is to use the on-board drift-correction commands ( Correcting Time Drift ).

References

=========================================================

[1] NTP Documentation Page: http://www.ntp.org/documentation.html

[2] NTP FAQ: Authentication: http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#S-CONFIG-ADV-AUTH

[3] NTP Public-Key Authentication: http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#Q-CONFIG-ADV-AUTH-AUTOKEY

[4] Autokey Identity Schemes: http://www.eecis.udel.edu/~mills/ident.html

[5] ntp-keygen tool: http://doc.ntp.org/4.2.6/keygen.html

[6] NTP Server Configuration Options: http://doc.ntp.org/4.2.6/confopt.html