Synchronizing the Cluster Date and Time with the NTP Server

Policy Manager supports both authenticated NTP (Network Time Protocol) and NTP without authentication.

To synchronize the date and time on the nodes in a cluster with an NTP server:

 

The option to change the date and time for the Policy Manager cluster is available only on the publisher. Subscriber nodes in a cluster synchronize their date and time from the publisher. Be aware that ClearPass can synchronize time with any of the configured NTP servers, in any order. It does not have to prefer the primary NTP server first and then the secondary, as listed in the configuration.

1. Log in to the publisher.

2. Navigate to the Administration > Server Manager > Server Configuration page.

3. Select the Set Date & Time link.

The Change Date and Time dialog opens.

Figure 1  Change Date and Time > Date & Time Tab

 

The Key ID, Key Value, and Algorithm parameters apply only when using authenticated NTP. If you are employing unauthenticated NTP, you do not need to specify the NTP primary and secondary server parameters.

4. To add additional Secondary NTP servers, scroll down to see the Add More NTP Servers link:

Figure 2  Adding Additional NTP Servers

See Table 1 for configuration details on adding more NTP servers.

5. Specify the Date & Time parameters as described in Table 1:

Table 1: Changing Date and Time Parameters

Parameter

Action/Description

Synchronize time with NTP server

To synchronize with a Network Time Protocol (NTP) server, enable this check box (enabled by default).

Manually Setting the Date and Time

NOTE: You can also specify the date and time for the cluster manually by disabling the Synchronize time with NTP server check box and entering the current date and time in the dialog provided:

Primary Server and Secondary Server

NTP Server

Specify the IP address or host name for the Primary NTP server and the Secondary NTP server. The IP address can be an IPv4 or IPv6 address.

Key ID

The Key ID must be in the range from 1 to 65535.

NOTE: The Key ID should match the Key ID configured for the NTP server.

NOTE: Key ID applies only to authenticated NTP.

Key Value

Key Value is a form of shared secret, which both the client and the Policy Manager server use for authenticating NTP messages.

The Key Value ASCII string must start and end with one of the following characters:

- (hyphen)

' (apostrophe)

" (quotation mark)

The Key Value can be:

Up to a 20-character printable ASCII string

Up to a 40-character hex value

When entering an ASCII string for the Key Value, note that it cannot contain the following characters:

& (ampersand)

; (semicolon)

` (grave accent)

| (pipe)

< (left angle bracket)

> (right angle bracket)

( (left parenthesis)

) (right parenthesis)

NOTE: Key Value applies only to authenticated NTP.

Algorithm

ClearPass supports the SHA and SHA1 encryption types. If you are upgrading to ClearPass 6.11, keep in mind that if any NTP servers are configured with the SHA algorithm, the algorithm for those servers is automatically changed to SHA1 as part of the upgrade procedure. Only SHA1 is supported as a cluster NTP authentication algorithm from ClearPass 6.11 onward.

NOTE: Algorithm applies only to authenticated NTP.

Add More NTP Servers

You can configure up to five NTP servers. To add additional NTP servers:

1. Scroll to the bottom of the Change Date and Time configuration dialog.

2. Click the Add More NTP Servers link.

3. Specify the newly added Secondary NTP Server fields as needed.

NOTE: Common Criteria Mode cannot be enabled if fewer than three NTP servers are configured.

4. Click Save.
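How the Key ID, Key Value, and Algorithm settings in Table 1 fit together on the wire, as an added example that is not ClearPass code: it follows the symmetric-key scheme of the reference NTP implementation, where the 48-byte packet is followed by a 4-byte Key ID and SHA1(key || packet). The function names, the sample packet, and the sample key are constructed for illustration, and packets with extension fields are out of scope.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                      # fixed NTP header, no extension fields
MAC_LEN = 4 + hashlib.sha1().digest_size  # 4-byte Key ID + 20-byte SHA1 digest
# Constructed sample: LI=0, VN=4, Mode=3 (client request), all other fields zero.
SAMPLE_REQUEST = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)


def key_bytes(key_value: str, is_hex: bool) -> bytes:
    """Convert a configured Key Value to raw key bytes (size limits from Table 1)."""
    if is_hex:
        if len(key_value) > 40:
            raise ValueError("hex Key Value is limited to 40 characters")
        return bytes.fromhex(key_value)
    if len(key_value) > 20 or not (key_value.isascii() and key_value.isprintable()):
        raise ValueError("ASCII Key Value must be at most 20 printable characters")
    return key_value.encode("ascii")


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC: Key ID in network byte order, then SHA1(key || packet)."""
    if not 1 <= key_id <= 65535:
        raise ValueError("Key ID must be in the range 1 to 65535")
    digest = hashlib.sha1(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message: bytes, keys: dict) -> str:
    """Classify a received message against the local {Key ID: key bytes} table."""
    if len(message) == NTP_HEADER_LEN:
        return "unauthenticated"         # plain NTP, no MAC present
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return "unsupported-length"      # extension fields or another digest size
    body, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys:
        return "unknown-key-id"          # Key ID does not match either side's config
    expected = hashlib.sha1(keys[key_id] + body).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad-digest"


if __name__ == "__main__":
    table = {10: key_bytes("constructedKey1", is_hex=False)}
    print(verify(sign(SAMPLE_REQUEST, 10, table[10]), table))
```

A result of unknown-key-id corresponds to a Key ID mismatch between client and server, and bad-digest to a Key Value or Algorithm mismatch.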

Restarting Policy Manager Services

Once you have saved the Date & Time configuration, you must restart Policy Manager services.

 

The Audit Viewer (Monitoring > Audit Viewer) tracks NTP configuration changes.

To restart Policy Manager services:

1. Navigate to Administration > Server Manager > Server Configuration.

2. Select the Policy Manager publisher.

3. From the Server Configuration page, select the Services Control tab.

Figure 3  Restarting Stopped Services

4. From the Action column, click Start for each service that needs to be restarted.

For each restarted service, the Start button is changed to Stop.

Specifying the Time Zone on the Publisher Node

To specify the time zone on the publisher:

1. From the publisher, click the Time Zone on Publisher tab.

The time zones are listed in alphabetical order.

Figure 4  Time Zone on Publisher Dialog

2. Select the time zone where the publisher resides, then click Save.

 

This option is available only on the publisher. To set the time zone on a subscriber node, select the specific server and set the time zone from the server-specific page.