Real-time clock
The HSMAdmin API allows applications to access and adjust the real-time clock (RTC). Information about the RTC status, and how many times it has been adjusted, is also available.
The ctconf utility allows an administrator to configure adjustment access control for the RTC. The administrator can control the delta amount and the number of times the RTC can be adjusted within a configurable period of time. ctconf has two applicable command line options: one that sets the rule for adjustment access control and one that enables/disables adjustment access control.
Setting the rule for RTC Adjustment Access Control
The RTC Adjustment Access Control rule specifies the following guard parameters, which control modification of the RTC:
- secs: Total amount of deviation (in seconds) within a guard duration. Range: 1-120.
- count: Total number of adjustments that can be made within the guard duration. Range: any integer. Setting this variable to 0 allows an unlimited number of adjustments.
- days: The guard duration in days. Range: 1-12.
If modification of the RTC is attempted outside of these guard parameters, it will fail.
To set guard parameters
If applications accessing the RTC do not need to alter the RTC by more than 12 seconds, but can make as many adjustments as needed within a period of 1 day, the following command would set the rule for RTC Adjustment Access Control.
ctconf --rtc-adj-access-control-rule=12:0:1
If the guard duration is extended to 4 days, the following command would ensure the other access control rule parameters are not modified:
ctconf --rtc-adj-access-control-rule=::4
The current settings for the access control rule are displayed via the ctconf -v command.
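The following shell functions are an added example, not part of the vendor documentation or tooling. They pre-check a rule string against the ranges listed above and show which rule would be in force after a partial update such as ::4. The function names are hypothetical, and treating count as a non-negative integer is an assumption (the page states only "any integer").

```sh
# Added example (not vendor code). Function names are hypothetical.
# Assumption: count is a non-negative integer; the page says "any integer".

# is_uint STR: succeeds if STR is a decimal integer without leading zeros.
is_uint() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    return 0
}

# in_range VALUE MIN MAX: succeeds if VALUE is an integer in MIN..MAX.
in_range() {
    is_uint "$1" && [ "${#1}" -le 9 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# has_three_fields RULE: succeeds if RULE contains exactly two colons.
has_three_fields() {
    case "$1" in
        *:*:*:*) return 1 ;;
        *:*:*)   return 0 ;;
    esac
    return 1
}

# merge_rtc_rule CURRENT NEW
# CURRENT is the full rule now in force (secs:count:days); NEW is the value
# intended for --rtc-adj-access-control-rule and may leave fields empty
# (as in "::4") to keep the current setting. Prints the effective rule on
# stdout, or a reason on stderr with a non-zero status.
# The body runs in a subshell so its variables do not leak to the caller.
merge_rtc_rule() (
    cur=$1 new=$2
    has_three_fields "$cur" && has_three_fields "$new" ||
        { echo "rule must have the form secs:count:days" >&2; exit 1; }
    secs=${new%%:*};  rest=${new#*:};  count=${rest%%:*};  days=${rest#*:}
    csecs=${cur%%:*}; crest=${cur#*:}; ccount=${crest%%:*}; cdays=${crest#*:}
    secs=${secs:-$csecs}; count=${count:-$ccount}; days=${days:-$cdays}
    in_range "$secs" 1 120 || { echo "secs must be 1-120: '$secs'" >&2; exit 1; }
    is_uint "$count"       || { echo "count must be 0 or more: '$count'" >&2; exit 1; }
    in_range "$days" 1 12  || { echo "days must be 1-12: '$days'" >&2; exit 1; }
    # Flag the permissive setting so it is a deliberate choice, not a default.
    [ "$count" = 0 ] && echo "note: count=0 allows unlimited adjustments" >&2
    echo "$secs:$count:$days"
)
```

Calling merge_rtc_rule 12:0:1 ::4 prints the effective rule, which can be compared with the settings reported by ctconf -v after the change.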
Enabling and disabling RTC Adjustment Access Control
Once the RTC Adjustment Access Control Rule has been set, RTC Adjustment Access Control can be enabled. When RTC Adjustment Access Control is enabled, the functions provided by the HSMAdmin API (refer to the ProtectToolkit-C programming) are governed by the RTC Adjustment Access Control Rule. By disabling RTC Adjustment Access Control, unlimited adjustments to the RTC can be performed.
To enable RTC Adjustment Access Control
ctconf --rtc-adj-access-control=1
When access control is disabled, the parameters passed via the HSMADM_GetRtcAdjustAmount and HSMADM_GetRtcAdjustCount function calls are not valid. ctconf can be specified with both the --rtc-adj-access-control-rule and --rtc-adj-access-control command line parameters simultaneously. The RTC Adjustment Access Control Rule is given precedence over the RTC Access Control command.