It is possible to use certificates to restrict the Network Time Protocol (NTP) service on the TIE Server to communicate only with trusted sources if an internal server peer is available. The configuration procedure is similar to the basic one available at http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm, and only requires extra changes to files under /etc/ntp.
NOTES:
- The restrict keyword is already provided to limit remote queries or changes.
- It is recommended that you do not execute the reconfig-ntp command. This action could remove any prior customization.
Procedure
- Update permissions to enable storage of local time drift. Use the following command:
chown ntp.ntp /var/ntp
- Add keys and matching secrets inside the keystore located in /etc/ntp/keys as follows:
1 M secretkey
- Enable the following key store identifiers in /etc/ntp.conf:
trustedkey 1
requestkey 1
controlkey 1
- If necessary, configure a password decryption key. Use the following command:
crypto pw password
- To renew the certificate, run the ntp-keygen command again.
Testing
To test the functionality of the authentication, use the ntpq shell to list server peers, associations, and other status information:
NOTES:
- By default, the daemon does not try to synchronize if the time difference is greater than 1000 seconds.
- Synchronization must be forced while the service is down to avoid conflicts on accessing the communication channel.
IMPORTANT: To force initial synchronization and check authentication status, run the following commands as root.
- Stop the service. Use the following command:
service ntpd stop
- Force the synchronization. Use the following command:
ntpd -dgq
- Check whether the last line of the output shows the adjustment, for example:
ntpd: time set -10445.381027s
- Running the same command again confirms that only smaller gaps remain; the last line of the output then shows a slew instead of a step:
ntpd: time slew -0.006611s
- Start the service. Use the following command:
service ntpd start
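The following shell functions are an added example, not part of the TIE Server documentation: they check that the key IDs enabled in ntp.conf (trustedkey, requestkey, controlkey) are actually defined in /etc/ntp/keys, that the keys file is not readable by other users, and they classify the last line of the ntpd -dgq output as a step ("time set") or a slew ("time slew"). The paths are the ones used above; GNU stat is assumed.

```shell
#!/bin/sh
# Added example: sanity checks for the NTP key setup described above.
# Assumed inputs: an ntp.conf and a keys file in the "<id> <type> <secret>"
# format (e.g. "1 M secretkey", where M selects MD5).

# Print the key IDs defined in the keys file, skipping comments/blank lines.
key_ids_in_keyfile() {
    awk '!/^[[:space:]]*#/ && NF >= 3 { print $1 }' "$1"
}

# Print every key ID referenced by trustedkey/requestkey/controlkey.
# trustedkey may list several IDs on one line, e.g. "trustedkey 1 2".
key_ids_in_conf() {
    awk '$1 == "trustedkey" || $1 == "requestkey" || $1 == "controlkey" {
             for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed only if every ID referenced in ntp.conf exists in the keys file;
# a referenced but undefined key makes ntpd reject authenticated packets.
check_key_ids() {
    conf="$1"; keys="$2"; rc=0
    for id in $(key_ids_in_conf "$conf" | sort -u); do
        if ! key_ids_in_keyfile "$keys" | grep -qx "$id"; then
            echo "key $id referenced in $conf but not defined in $keys" >&2
            rc=1
        fi
    done
    return $rc
}

# The keys file holds shared secrets: it must not be group/world readable.
check_key_perms() {
    mode=$(stat -c '%a' "$1")   # GNU stat (assumption: Linux host)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Classify the last line of "ntpd -dgq" output read from stdin:
# a large initial correction is a "time set" (step), later small ones a slew.
classify_ntpd_output() {
    tail -n 1 | awk '/time set/  { print "step"; next }
                     /time slew/ { print "slew"; next }
                     { print "unknown" }'
}
```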