NTP on Luna Network HSM

Network Time Protocol (NTP) corrects clock drift by synchronizing the appliance's internal clock with a reliable, consistent, and accurate time data server. This is the recommended method of keeping an accurate date and time on the appliance. Luna Network HSM uses NTPv4.

NTP is available from a variety of public servers. We recommend using a more secure NTP server that supports symmetric or public-key authentication, as described in Securing Your NTP Connection. Alternatively, your organization might have established its own NTP server(s). Contact your IT manager or security officer for details. For more information about NTP authentication, see References.

NTP will automatically synchronize with the highest-stratum server you add. If none of these servers are accessible, NTP will synchronize with the local clock, and may be subject to drift. To make manual drift corrections, see Correcting Clock Drift Manually.

For command syntax, see sysconf ntp.

Connecting to a Public NTP Server

Connections to public NTP servers are unauthenticated and therefore less secure. See Securing Your NTP Connection for authenticated NTP procedures.

To connect to a public NTP server:

1.Ensure that NTP is enabled on the appliance.

lunash:>sysconf ntp enable

2.Add an NTP server.

lunash:>sysconf ntp addserver <NTPserver>

3.Check the NTP connection.

lunash:>sysconf ntp status

NOTE   It may take a few minutes to synchronize the NTP server. Checking immediately may return an error.

Securing Your NTP Connection

NTPv4 supports two types of trusted authentication: symmetric or public-key (AutoKey). Both methods require access to NTP servers configured to support authentication.

Using Symmetric-Key Authentication

This method uses a shared secret held by both the NTP server and its client to establish a trusted connection.

To connect to a trusted NTP server using symmetric-key authentication:

1.Obtain the necessary key material from your NTP server administrator. For security purposes, this may be obtainable through non-electronic means only.

2.Add the symmetric key information using LunaSH:

lunash:>sysconf ntp symmetricauth key add -id <keyID> -type <keytype> -value <NTPkey>

3.Add the key ID from step 2 to the list of trusted keys:

lunash:>sysconf ntp symmetricauth trustedkeys add <keyID>

4.Add the trusted NTP server, using the -key option to enter the key ID for that server:

lunash:>sysconf ntp addserver <NTPserver> -key <keyID>

5.Check the NTP connection:

lunash:>sysconf ntp status

Using Public-Key (AutoKey) Authentication

This method uses asymmetric keys held by the NTP server and client. An identity scheme is used to prove the identity of the NTP server.

To connect to a trusted NTP server using public-key (Autokey) authentication:

1.Obtain an identity scheme from the secure NTP server (IFF, GQ, or MV key). It must be scp'd to the Luna Network HSM and installed:

lunash:>sysconf ntp autokeyAuth install -idscheme <IDscheme> -keyfile <filename>

2.Restart NTP:

lunash:>service restart ntp

3.Generate an AutoKey and set a password:

lunash:>sysconf ntp autokeyauth generate -password <password>

4.Restart NTP again:

lunash:>service restart ntp

5.Add the trusted NTP server using the -autokey option:

lunash:>sysconf ntp addserver <NTPserver> -autokey

6.Check the NTP connection:

lunash:>sysconf ntp status

References

[1] NTP Documentation Page: http://www.ntp.org/documentation.html

[2] NTP FAQ: Authentication http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#S-CONFIG-ADV-AUTH

[3] NTP Public-Key Authentication: http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#Q-CONFIG-ADV-AUTH-AUTOKEY

[4] Autokey Identity Schemes: http://www.eecis.udel.edu/~mills/ident.html

[5] ntp-keygen tool: http://doc.ntp.org/4.2.6/keygen.html

[6] NTP Server configuration options http://doc.ntp.org/4.2.6/confopt.html