Network Time Protocol on Luna Network HSM 7
Network Time Protocol (NTP) corrects clock drift by synchronizing the appliance's internal clock with a reliable, consistent, and accurate time data server. This is the recommended method of keeping an accurate date and time on the appliance. Luna Network HSM 7 uses NTPv4.
NTP is available from a variety of public servers. We recommend using a more secure NTP server that supports symmetric or public-key authentication, as described in Securing Your NTP Connection. Alternatively, your organization might have established its own NTP server(s). Contact your IT manager or security officer for details. For more information about NTP authentication, see References.
NTP will automatically synchronize with the highest-stratum server you add. If none of these servers are accessible, NTP will synchronize with the local clock, and may be subject to drift. To make manual drift corrections, see Correcting Clock Drift Manually.
For command syntax, see sysconf ntp.
Connecting to a Public NTP Server
Connections to public NTP servers are unauthenticated and therefore less secure. See Securing Your NTP Connection for authenticated NTP procedures.
To connect to a public NTP server
1. Ensure that NTP is enabled on the appliance:
lunash:> sysconf ntp enable
2. Add an NTP server:
lunash:> sysconf ntp addserver <NTPserver>
3. Check the NTP connection:
lunash:> sysconf ntp status
NOTE It can take a few minutes to synchronize with the NTP server. Checking the status immediately might return an error.
Securing Your NTP Connection
NTPv4 supports two types of trusted authentication: symmetric or public-key (AutoKey). Both methods require access to NTP servers configured to support authentication.
Using Symmetric-Key Authentication
This method uses a shared secret held by both the NTP server and its client to establish a trusted connection.
To connect to a trusted NTP server using symmetric-key authentication
1. Obtain the necessary key material from your NTP server administrator. For security purposes, this may be obtainable through non-electronic means only.
2. Add the symmetric key information using LunaSH:
lunash:> sysconf ntp symmetricAuth key add -id <keyID> -type <keytype> -value <NTPkey>
3. Add the key ID from step 2 to the list of trusted keys:
lunash:> sysconf ntp symmetricAuth trustedKeys add <keyID>
4. Add the trusted NTP server, using the -key option to enter the key ID for that server:
lunash:> sysconf ntp addserver <NTPserver> -key <keyID>
5. Check the NTP connection:
lunash:> sysconf ntp status
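To show what the shared secret and the trusted-key list above actually protect, here is an added example (not Thales code, and not LunaSH) that builds an NTPv4 client request, appends the NTP symmetric-key MAC (4-byte key ID followed by digest(key || packet), as ntpd computes it for MD5 and SHA1 key types), and verifies it against a trusted-key table. The key ID, key value and timestamp are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed example key, in the form an ntp.keys entry carries: <keyID> <type> <value>.
# The hex value below is made up for this example and is not a real key.
KEY_ID = 10
KEY_TYPE = "SHA1"
KEY_VALUE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0deadbeef")

# Digest algorithms used by NTP symmetric-key authentication (key type "M" or MD5, and SHA1).
# MD5 is retained only for interoperability with legacy servers; prefer SHA1 where available.
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)


def build_ntp_client_packet(transmit_ts=None):
    """Return a 48-byte NTPv4 client request (LI=0, VN=4, Mode=3) with only the
    transmit timestamp's integer seconds set; all other fields are zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    if transmit_ts is None:
        transmit_ts = int(time.time()) + NTP_EPOCH_OFFSET
    # header: LI/VN/Mode, stratum, poll, precision, then 11 x 32-bit words
    # (root delay, root dispersion, reference ID, ref/orig/recv/xmit timestamps)
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts, 0)


def append_mac(packet, key_id, key_type, key_value):
    """Append the NTP MAC trailer: 4-byte key ID followed by digest(key || packet)."""
    digest = DIGESTS[key_type](key_value + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(authenticated_packet, trusted_keys):
    """Verify a packet's MAC against a trusted-key table {key_id: (type, value)}.
    Returns the key ID on success, or None if the key ID is not trusted
    (the role of 'trustedKeys add') or the digest does not match."""
    if len(authenticated_packet) < 48 + 4:
        return None
    packet, trailer = authenticated_packet[:48], authenticated_packet[48:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    if key_id not in trusted_keys:
        return None
    key_type, key_value = trusted_keys[key_id]
    expected = DIGESTS[key_type](key_value + packet).digest()
    # constant-time comparison so a forged trailer leaks nothing via timing
    return key_id if hmac.compare_digest(expected, trailer[4:]) else None
```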
Using Public-Key (AutoKey) Authentication
This method uses asymmetric keys held by the NTP server and client. An identity scheme is used to prove the identity of the NTP server.
To connect to a trusted NTP server using public-key (AutoKey) authentication
1. Obtain an identity scheme from the secure NTP server (IFF, GQ, or MV key). Transfer it to the Luna Network HSM 7 using SFTP and install it:
lunash:> sysconf ntp autokeyAuth install -idscheme <IDscheme> -keyfile <filename>
2. Restart NTP:
lunash:> service restart ntp
3. Generate an AutoKey and set a password:
lunash:> sysconf ntp autokeyAuth generate -password <password>
4. Restart NTP again:
lunash:> service restart ntp
5. Add the trusted NTP server using the -autokey option:
lunash:> sysconf ntp addserver <NTPserver> -autokey
6. Check the NTP connection:
lunash:> sysconf ntp status
Network Time Security
Network Time Security (NTS [RFC 8915]) enhances Network Time Protocol (NTP) and uses a separate TLS connection for initial parameter and key exchange.
With Luna Appliance Software 7.9.0 or newer, NTS is supported through the sysconf ntp ntsAuth cert commands. NTP itself otherwise functions as before.
NTS operates only in NTP's "Unicast Client-Server Mode". If you require other NTP communication methods, consider symmetric-key authentication or AutoKey instead (see the two preceding sections).
To connect to a trusted NTP server using NTS authentication
1. Generate your key pair on your NTS server, and send over one of the following:
• the root CA certificate that signed the server's TLS certificate, or
• the server's public certificate, if it uses a self-signed certificate.
2. Add this certificate to the appliance's list of trusted certificates:
lunash:> sysconf ntp ntsAuth cert add <certificate_sent_to_the_LNH>
3. Add the server with the NTS authentication flag selected:
lunash:> sysconf ntp addserver <hostnameoripaddress> -nts
4. Verify the status of the connection, which shows both connection and authentication information:
lunash:> sysconf ntp status
5. [Optional] Repeat the steps above at least once more so that at least 2 NTP servers are configured with NTS authentication.
TIP Generally recommended best practice is to have 3 NTP servers configured and connected, just as you would have multiple network paths to your Luna Network HSM 7, to avoid single points of failure in a production environment.
References
[1] NTP Documentation Page: http://www.ntp.org/documentation.html
[2] NTP FAQ: Authentication: http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#S-CONFIG-ADV-AUTH
[3] NTP Public-Key Authentication: http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#Q-CONFIG-ADV-AUTH-AUTOKEY
[4] Autokey Identity Schemes: http://www.eecis.udel.edu/~mills/ident.html
[5] ntp-keygen tool: http://doc.ntp.org/4.2.6/keygen.html
[6] NTP Server configuration options: http://doc.ntp.org/4.2.6/confopt.html