NTP version 4 Release Notes HP-UX 11i v3 (5900-3073, March 2013)

Autokey uses industry standard X.509 public certificates, which can be produced by commercial
services, utility programs in the OpenSSL software library, and the ntp-keygen utility program
in the NTP v4 software distribution.
Configuring Autokey
To configure Autokey in the IFF identity scheme, perform the following steps:
Server setup
1. Create a directory for the NTP Keys (for example, /etc/ntp).
2. Add the following lines to ntp.conf:
crypto pw serverpassword
keysdir /etc/ntp
3. Append autokey to the broadcast line in ntp.conf for the broadcast/multicast address
that you want to authenticate with Autokey.
broadcast my.broadcast.or.multicast.address autokey
The assigned NTP Multicast address is 224.0.1.1, but other valid multicast addresses may
be used.
4. The server key and certificate will be generated by ntp-keygen if they are missing when a
set of parameters is generated. The server certificate will be updated when existing parameters
are updated or additional parameters are generated.
NOTE: The -T option for ntp-keygen should be used only by a Trusted Authority (for
example, time-server) for an NTP Trust Group.
Generate the IFF parameters with the following commands:
cd /etc/ntp
ntp-keygen -T -I -p serverpassword
You must export an IFF Group Key for use by the members of the Trust Group. This Group
Key is unencrypted and may be handled in the same manner as a PGP/GPG public key.
Export the IFF Group Key using the following commands:
cd /etc/ntp
ntp-keygen -e -p serverpassword
The IFF Group Key will be directed to STDOUT unless you redirect it to a file. The target name
of the IFF Group Key file is on one of the first lines of the output.
IFF Group Keys may be distributed in any convenient manner, for example, on a web page
or even by pasting them across terminal windows.
IFF Group Keys may also be extracted and mailed with the following commands:
cd /etc/ntp
ntp-keygen -e -p serverpassword | mail timelord@client.domain
5. Restart ntpd. Check the output of ntpq -p to make sure that the server is able to start.
6. The server key and certificate are valid only for one year and must be updated periodically
(for example, monthly). This is scripted using the following command:
cd /etc/ntp
ntp-keygen -T -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
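The ntp.conf settings from steps 2 and 3, which the renewal command in step 6 also depends on, can be checked before ntpd is restarted. The shell function below is an added example and is not part of the HP release notes; the function name, and the rule that every broadcast line must carry autokey, are assumptions.

```shell
#!/bin/sh
# Added example, not from the release notes: pre-flight check of the server-side
# Autokey settings in ntp.conf. The function name is hypothetical.
check_autokey_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Step 2: "crypto pw <password>"; the renewal command in step 6 reads the
    # same third field with awk, so an empty field breaks renewal as well.
    pw=$(awk '$1 == "crypto" && $2 == "pw" { print $3; exit }' "$conf")
    [ -n "$pw" ] || { echo "$conf: no 'crypto pw <password>' line" >&2; rc=1; }

    # Step 2: keysdir must be set and must exist (step 1 creates it).
    keysdir=$(awk '$1 == "keysdir" { print $2; exit }' "$conf")
    if [ -z "$keysdir" ]; then
        echo "$conf: no 'keysdir' line" >&2; rc=1
    elif [ ! -d "$keysdir" ]; then
        echo "$conf: keysdir $keysdir is not a directory" >&2; rc=1
    fi

    # Step 3: assumption - every broadcast line is meant to be authenticated,
    # so a broadcast line without the autokey keyword is reported.
    unauth=$(awk '$1 == "broadcast" {
                      ok = 0
                      for (i = 3; i <= NF; i++) if ($i == "autokey") ok = 1
                      if (!ok) print $2
                  }' "$conf")
    [ -z "$unauth" ] || { echo "$conf: broadcast without autokey: $unauth" >&2; rc=1; }

    # The password sits in ntp.conf in clear text: characters 8-10 of the
    # ls mode string are the "other" permissions; reject world-readable.
    case $(ls -ld "$conf" | cut -c8-10) in
        r*) echo "$conf: readable by all users, exposes crypto pw" >&2; rc=1 ;;
    esac
    return $rc
}

# Run the check when a file name is given, e.g.: sh check.sh /etc/ntp.conf
if [ $# -gt 0 ]; then check_autokey_conf "$1"; fi
```

A return value of 0 means all four checks passed, 1 means at least one finding was printed to standard error, and 2 means the file could not be read.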
Client setup
1. Create a directory for the NTP Keys (for example, /etc/ntp).
2. Add the following lines to ntp.conf:
crypto pw clientpassword
keysdir /etc/ntp