
Example Using Secure NTP

We suggest that you use secure NTP (rather than the non-secure standard variety) for your SafeNet Network HSM. Secure NTP can be mixed with regular/simple NTP. For this example, the existing simple NTP server entry is removed first:

[kuso] lunash:>sysc ntp list
=================================================================
NTP Servers:
server 127.127.1.0
server ntp.cpsc.ucalgary.ca
=================================================================
Command Result : 0 (Success)
[kuso] lunash:>sysc ntp delete ntp.cpsc.ucalgary.ca
NTP server ntp.cpsc.ucalgary.ca deleted
NTP is enabled
Shutting down ntpd:                                        [  OK  ]
Starting ntpd:                                             [  OK  ]
Please wait to see the result ......
NTP is running
===========================================================
NTP Associations Status:
ind assID status  conf reach auth condition  last_event cnt
===========================================================
1  7095  9014   yes   yes  none    reject   reachable  1
===========================================================
Please look at the ntp log to see any potential problem.
Command Result : 0 (Success)
[kuso] lunash:>


Obtain an identity scheme file from the secure NTP server (an IFF, GQ or MV key); check with the server's site for the particulars. For this example, an IFF key is used. The key file must be scp'd to the SafeNet Network HSM server and then installed:

[kuso] lunash:>sysconf ntp autokeyAuth install -idscheme IFF -keyfile ntpkey_IFFkey_tor1-jprobe.upn.local.3436099994
------- Installing Imported Identity Scheme File -------
Configured Autokey IFF Identity Scheme.
You must restart NTP for the changes to take effect.
Check NTP status after restarting it to make sure that the client is able to start and sync with the server.
Command Result : 0 (Success)
[kuso] lunash:>


As instructed, restart NTP:

[kuso] lunash:>service restart ntp
Shutting down ntp:                                         [  OK  ]
Starting ntp:                                              [  OK  ]
Command Result : 0 (Success)
[kuso] lunash:>


The secure NTP configuration used for this example keeps the default parameters, so only the password is specified:

[kuso] lunash:>sysconf ntp autokeyAuth generate -p myPas$w0rd!
Generate new keys and certificates using ntp-keygen
Using OpenSSL version 9070df
Random seed file /root/.rnd 1024 bytes
Generating RSA keys (512 bits)...
RSA 0 1 5       1 11 24                         3 1 2
Generating new host file and link
ntpkey_host_kuso->ntpkey_RSAkey_kuso.3437830225
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_kuso->ntpkey_RSA-MD5cert_kuso.3437830225
ntp-keygen Result: 0
You must restart NTP for the changes to take effect.
Check NTP status after restarting it to make sure that the client is able to start and sync with the server.
Command Result : 0 (Success)
[kuso] lunash:>


As instructed, restart NTP at this time:

[kuso] lunash:>service restart ntp
Shutting down ntp:                                         [  OK  ]
Starting ntp:                                              [  OK  ]
Command Result : 0 (Success)
[kuso] lunash:>


Check the status of NTP. As with standard NTP, proper synchronization may take a few minutes:

[kuso] lunash:>sysconf ntp status
NTP is running
NTP is enabled
Peers:
==============================================================================
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
LOCAL(0)        .LOCL.          10 l    6   64   77    0.000    0.000   0.001
*tor1-jprobe.upn 206.248.171.198  2 u   59   64    3    0.341  -554.47   3.309
==============================================================================
Associations:
==============================================================================
ind assID status  conf reach auth condition  last_event cnt
===========================================================
1 56812  9614   yes   yes  ok  sys.peer   sys_peer  1
2   5725  f63a   yes   yes  ok  sys.peer   sys_peer  3
==============================================================================
NTP Time:
==============================================================================
ntp_gettime() returns code 0 (OK)
time cce922c5.76cdb000  Tue, Dec  9 2008 12:00:53.464, (.464076),
maximum error 452335 us, estimated error 0 us
ntp_adjtime() returns code 0 (OK)
modes 0x0 (),
offset 0.000 us, frequency 0.000 ppm, interval 4 s,
maximum error 452335 us, estimated error 0 us,
status 0x1 (PLL),
time constant 2, precision 1.000 us, tolerance 512 ppm,
==============================================================================
Command Result : 0 (Success)
[kuso] lunash:>
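The status dumps above are what an operator reads to confirm that the appliance is synchronized with an authenticated peer (auth "ok", condition "sys.peer") rather than the unauthenticated "none"/"reject" association seen before Autokey was installed. The following Python is an added example, not code from the SafeNet documentation or the appliance: it parses the associations table from a captured lunash session (pasted or logged from an SSH session, since no scripting runs on the HSM itself) and reports whether time sync is authenticated. The two sample dumps are constructed from the sessions shown on this page.

```python
# Added example (not SafeNet code): parse a captured "sysconf ntp status" dump.
ASSOC_COLS = ["ind", "assid", "status", "conf", "reach", "auth",
              "condition", "last_event", "cnt"]

def parse_associations(text):
    """Return rows of the NTP associations table as dicts keyed by column name."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("ind "):          # column header opens the table
            in_table = True
            continue
        if not in_table or line.startswith("=") or not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(ASSOC_COLS) or not parts[0].isdigit():
            in_table = False                 # any other text ends the table
            continue
        rows.append(dict(zip(ASSOC_COLS, parts)))
    return rows

def check_ntp_status(text):
    """Summarise a status dump: running, synced, and whether sync is authenticated."""
    rows = parse_associations(text)
    sys_peers = [r for r in rows if r["condition"] == "sys.peer"]
    authenticated = bool(sys_peers) and all(r["auth"] == "ok" for r in sys_peers)
    running = "NTP is running" in text
    return {
        "running": running,
        "synced": bool(sys_peers),
        "authenticated": authenticated,
        "unauthenticated_assids": [r["assid"] for r in rows if r["auth"] != "ok"],
        "ok": running and authenticated,   # what to expect after Autokey setup
    }

# Constructed samples modelled on the page's sessions before and after Autokey.
BEFORE_AUTOKEY = """NTP is running
NTP Associations Status:
ind assID status  conf reach auth condition  last_event cnt
===========================================================
1  7095  9014   yes   yes  none    reject   reachable  1
===========================================================
"""
AFTER_AUTOKEY = """NTP is running
Associations:
ind assID status  conf reach auth condition  last_event cnt
===========================================================
1  56812  9614   yes   yes  ok  sys.peer   sys_peer  1
2   5725  f63a   yes   yes  ok  sys.peer   sys_peer  3
===========================================================
NTP Time:
ntp_gettime() returns code 0 (OK)
"""
```

Run `check_ntp_status` over the saved output of each restart until `"ok"` is true; a lingering entry in `unauthenticated_assids` points at an association that still needs to be removed or given keys.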