HP OpenVMS Systems Documentation

Content starts here HP TCP/IP Services for OpenVMS

HP TCP/IP Services for OpenVMS
Management


Previous Contents Index

13.5.1 Sample NTP Log Files

The following sample shows a standard NTP log file that has no extra logging enabled. Each line of the NTP log file begins with the date, the time, the program name, and the process identification (PID). The following samples show the remainder of each log file line.


ntpd version = 4.1.0
precision = 976 usec
frequency initialized -66.795 from SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.DRIFT
time slew 0.148981 s
offset: 0.008022 sec  freq: 1.301 ppm  poll: 128 sec  error:    0.014056
offset: 0.003190 sec  freq: 4.218 ppm  poll: 256 sec  error:    0.007071
offset: -0.000622 sec  freq: 4.575 ppm  poll: 512 sec  error:    0.005358
offset: -0.003216 sec  freq: 3.749 ppm  poll: 1024 sec  error:   0.005610
offset: -0.000899 sec  freq: 2.823 ppm  poll: 1024 sec  error:   0.005710
offset: -0.000299 sec  freq: 2.510 ppm  poll: 1024 sec  error:   0.005468
time slew -0.156010 s
offset: 0.002615 sec  freq: 4.022 ppm  poll: 1024 sec  error:    0.005297
offset: -0.002466 sec  freq: 3.237 ppm  poll: 1024 sec  error:   0.005626
offset: 0.000100 sec  freq: 1.737 ppm  poll: 1024 sec  error:    0.006343
offset: 0.002842 sec  freq: 2.393 ppm  poll: 1024 sec  error:    0.006023
offset: 0.000089 sec  freq: 3.204 ppm  poll: 1024 sec  error:    0.006199
offset: 0.001094 sec  freq: 3.576 ppm  poll: 1024 sec  error:    0.005628

The next sample shows an NTP log file with all categories of logging enabled.


ntpd version = 4.1.0
precision = 976 usec
frequency initialized 3.157 from SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.DRIFT
system event 'event_restart' (0x01) status 'sync_alarm, sync_unspec, 1 event, event_unspec' (0xc010)
peer 204.123.2.70 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0x8014)
peer 204.123.2.71 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0x8014)
peer 16.140.0.12 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0x8014)
system event 'event_peer/strat_chg' (0x04) status 'sync_alarm,sync_ntp, 2 events, event_restart'
(0xc621)
system event 'event_sync_chg' (0x03) status 'leap_none, sync_ntp, 3 events, event_peer/strat_chg'
(0x634)
system event 'event_peer/strat_chg' (0x04) status 'leap_none, sync_ntp, 4 events, event_sync_chg'
(0x643)
peer 16.141.40.135 event 'event_reach' (0x84) status 'unreach,conf, 1 event, event_reach' (0x8014)
peer 16.141.40.135 event 'event_unreach' (0x83) status 'unreach, conf, 2 events, event_unreach'
(0x8023)
peer 16.141.40.135 event 'event_reach' (0x84) status 'unreach,conf, 3 events, event_reach' (0x8034)
offset: 0.015558 sec  freq: 4.407 ppm  poll: 128 sec  error: 0.008575
peer 16.141.40.135 event 'event_unreach' (0x83) status 'unreach, conf, 4 events, event_unreach'
(0x8043)
offset: 0.021501 sec  freq: 8.734 ppm  poll: 512 sec  error: 0.015413
peer 16.141.40.135 event 'event_reach' (0x84) status 'unreach,conf, 5 events, event_reach' (0x8054)
offset: 0.016173 sec  freq: 25.014 ppm  poll: 1024 sec  error:0.011453
offset: -0.043169 sec  freq: 13.291 ppm  poll: 1024 sec  error: 0.024752
offset: -0.017786 sec  freq: 6.005 ppm  poll: 1024 sec  error:0.025309

13.6 NTP Authentication Support

Authentication support is implemented using the MD5 algorithm to compute a message digest. The servers involved in an association must agree on the key and key identifier used to authenticate their messages.

Keys and related information are specified in a key file. Keys are used for:

  • Ordinary NTP associations
  • The NTPQ utility program
  • The NTPDC utility program

13.6.1 NTP Authentication Commands

Table 13-3 describes additional configuration statements and options that support authentication.

Table 13-3 Authentication Commands
Command Description
keys keys-file Specifies the file name for the keys file, which contains the encryption keys and key identifiers used by NTP, NTPQ, and NTPDC when operating in authenticated mode.
trustedkey key-ID [...] Specifies the encryption key identifiers that are trusted for the purposes of authenticating peers suitable for synchronization, as well as keys used by the NTPQ and NTPDC programs. The authentication procedures require that the local and remote servers share the same key ID and key value for this purpose, although different key values can be used with different servers. The key-ID argument is a 32-bit unsigned decimal integer from 1 to 15. Note that the NTP key 0 indicates an invalid key value or key identifier; therefore, it should not be used for any other purpose.
requestkey key-ID Specifies the key identifier to use with the NTPDC program, which uses a proprietary protocol specific to this implementation of NTP. This program is useful in diagnosing and repairing problems that affect the operation of NTP. For information about NTPDC, see Section 13.7.3.

The key-ID argument to this command is an unsigned 32-bit decimal number that identifies the trusted key in the keys file. If the requestkey command is not included in the configuration file, or if the keys do not match, any request to change a server variable is denied.

controlkey key-ID Specifies the key identifier to use with the NTPQ program, which uses the standard protocol defined in RFC 1305. This program is useful in diagnosing and repairing problems that affect the operation of NTP. For more information about NTPQ, see Section 13.7.4.

The key-ID argument to this command is a 32-bit decimal integer that identifies a trusted key in the keys file. If the controlkey command is not included in the configuration file, or if the keys do not match, any request to change a server variable is denied.

Keys are defined in a keys file, as described in Section 13.6.2.

13.6.2 Authentication Key Format

The NTP service reads keys from a keys file that is specified using the keys command in the configuration file. You can supply one or more keys from 1 to 15 in the keys file.

Key entries use the following format:


key-ID key-type key-value

Each entry contains the following:

  • key-ID, which is an arbitrary, unsigned 32-bit number (in decimal). The range of possible values is 1 to 15. Key IDs are specified by the requestkey and controlkey statements in the configuration file. The key ID number 0 (56 zero bits) is reserved; it is used to indicate an invalid key ID or key value.
  • key-type, which identifies the type of key value. Only one key format, M, is currently supported. This indicates that the MD5 authentication scheme is being used.
  • key-value, which is an ASCII string up to 8 characters long. The following characters are not allowed:
    space
    pound sign (#)
    \t
    \n
    \0

Because this file contains authorization data, HP recommends that you limit read access to this file. In particular, you should disable world read access.

The following is a sample keys file:


   #
   #
   4       M    DonTTelL
   6       M    hElloWrl
   12      M    ImASecrt

13.7 NTP Utilities

NTP provides several utility programs that help you manage and make changes to the NTP server. These utilities include:

  • NTPDATE, the date and time utility that sets the local date and time by polling the specified server. Run NTPDATE manually or from the host startup script to set the clock at boot time before NTP starts.
    NTPDATE does not set the date if NTP is already running on the same host.
    For information about using NTPDATE, see Section 13.7.1.
  • NTPTRACE, the trace utility that follows the chain of NTP servers back to their master time source. For information about using NTPTRACE, see Section 13.7.2.
  • NTPDC, the special query program that provides extensive state and statistics information and allows you to set configuration options at run time. Run this program in interactive mode or with command-line arguments.
    For information about using NTPDC, see Section 13.7.3.
  • NTPQ, the standard query program that queries NTP servers about their current state and requests changes to that state.
    For information about using NTPQ, see Section 13.7.4.
  • NTP_GENKEYS, the random key generator program that generates random keys that are used by the NTP Version 3 and NTP Version 4 symmetric key authentication scheme.
    For information about using NTP_GENKEYS, see Section 13.7.5.
    To define the commands described in the following sections, run the following procedure:


    $ @SYS$MANAGER:TCPIP$DEFINE_COMMANDS.COM
    

13.7.1 Setting the Date and Time with NTPDATE

The NTPDATE program sets the local date and time by polling a specified server or servers to determine the correct time. A number of samples are obtained from each of the servers specified, and a subset of the NTP clock filter and selection algorithms are applied to select the best samples. The accuracy and reliability of NTPDATE depends on the number of servers it polls, the number of polls it makes each time it runs, and the interval length between runs.

Run NTPDATE manually to set the host clock or from the host startup file to set the clock at boot time. In some cases, it is useful to set the clock manually before you start NTP. The NTPDATE program makes time adjustments (called "stepping the time") by calling the OpenVMS routine SYS$SETIME.

Note

NTPDATE does not set the date and time if an NTP server is running on the same host.

Enter specific commands using the following format:


NTPDATE [option...] host [host...]

For example, the following command sets the clock based on the time provided from one of the specified hosts (BIRDY, OWL, or FRED):


$ NTPDATE BIRDY OWL FRED

NTP sets the date and time by polling the servers you specify as arguments to the command. Samples are obtained from each of the specified servers. NTP then analyzes the results to select the best server to use as a time source. Table 13-4 describes the NTPDATE command options.

Table 13-4 NTPDATE Options
Option Description
-d Changes the time and prints information useful for debugging.
-o version Specifies the NTP version (1, 2, or 3) for outgoing packets (for compatibility with older versions of NTP). Version 4 is the default.
-p n Specifies the number of samples NTPDATE acquires from each server. The default is 4. You can specify from 1 to 8.
-q Specifies a query only; does not set the clock.

13.7.2 Tracing a Time Source with NTPTRACE

Use the NTPTRACE utility to determine the source from which an NTP server obtains its time. NTPTRACE follows the chain of time servers back to the master time source.

Use the following syntax when entering commands:


NTPTRACE [option...]

The following example shows output from an NTPTRACE command. In the following example, the chain of servers is from the local host to the stratum 1 server FRED, which is synchronizing to a GPS reference clock:



$ NTPTRACE

LOCALHOST: stratum 3, offset -0.000000, synch distance1.50948
parrot.birds.com: stratum 2, offset -0.126774, synch distance 0.00909
fred.birds.com: stratum 1, offset -0.129567, synch distance 0.00168,
refid 'GPS'

All times are in seconds. The output fields on each line are as follows:

  • Host name
  • Host stratum
  • Time offset between the host and the local host (not always zero for LOCALHOST).
  • Synchronization distance
  • Reference clock ID (only for stratum 1 servers)

Table 13-5 describes the NTPTRACE command options.

Table 13-5 NTPTRACE Options
Option Description
-d Enables debugging output.
-n Displays IP addresses instead of host names. This may be necessary if a name server is down.
-r retries Sets the number of retransmission attempts for each host. The default is 5.
-t timeout Sets the retransmission timeout (in seconds). The default is 2.
-v Displays additional information about the NTP servers.

13.7.3 Making Run-Time Requests with NTPDC

You can make run-time changes to NTP with query commands by running the NTPDC utility. NTPDC displays time values in seconds.

Run-time requests are always authenticated requests. Authentication not only provides verification that the requester has permission to make such changes, but also gives an extra degree of protection against transmission errors.

The reconfiguration facility works well with a server on the local host and between time-synchronized hosts on the same LAN. The facility works poorly for more distant hosts. Authenticated requests include a timestamp. The server compares the timestamp to its receive timestamp. If they differ by more than a small amount, the request is rejected for the following reasons:

  • To make it more difficult for an intruder to overhear traffic on your LAN.
  • To make it more difficult for topologically remote hosts to request configuration changes to your server.

To run NTPDC, enter the following command:


$ NTPDC
NTPDC>

At the NTPDC> prompt, enter the appropriate type of command from the following list:

  • Interactive commands
  • Control commands
  • Run-time configuration request commands

The following sections describe the NTPDC commands.

13.7.3.1 NTPDC Interactive Commands

Interactive commands consist of a command name followed by one or more keywords. The interactive commands include:

  • help [command-keyword]
    Enter a question mark (?) to display a list of all the command keywords known to this version of NTPDC. Enter a question mark followed by a command keyword to display information about the function and use of the command.
  • host hostname
    Sets the host to which future queries will be sent. The hostname can be either a host name or a numeric address.
  • hostnames [ yes | no ]
    If you specify yes , host names are displayed. If you specify no , numeric addresses are displayed. The default is yes unless you include the -n option on the command line, as described in Table 13-5.
  • keyid key-ID
    Specifies the key number to be used to authenticate configuration requests. This must correspond to a key number the server has been configured to use for this purpose.
  • quit
    Exits NTPDC.
  • passwd
    Prompts you to enter a password (not echoed) to be used to authenticate configuration requests. The password must correspond to the key configured for use by the NTP server for this purpose.
  • timeout milliseconds
    Specify a timeout period for responses to server queries. The default is about 8000 milliseconds (8 seconds). Because NTPDC retries each query once after a timeout, the total waiting time for a timeout is twice the timeout value set.

13.7.3.2 NTPDC Control Message Commands

Control message commands request information about the server. These are read-only commands in that they make no modification of the server configuration state.

The NTPDC control message commands include:

  • listpeers
    Displays a brief list of the peers for which the server is maintaining state. These include all configured peer associations as well as peers whose stratum is such that the server considers them to be possible future synchronization candidates.
  • peers
    Obtains a list of peers for which the server is maintaining state, along with a summary of that state. The summary information includes:
    • The address of the remote peer
    • The local interface address (0.0.0.0 if a local address has not been determined)
    • The stratum of the remote peer (a stratum of 16 indicates the remote peer is unsynchronized)
    • The polling interval (in seconds)
    • The reachability register (in octal)
    • The current estimated delay, offset, and dispersion of the peer (in seconds)

    In addition, the character in the left margin indicates the operating mode of this peer entry, as follows:
    Plus sign (+) denotes symmetric active.
    Minus sign (-) indicates symmetric passive.
    Equals sign (=) means the remote server is being polled in client mode.
    Up arrow (^) indicates that the server is broadcasting to this address.
    Tilde (~) denotes that the remote peer is sending broadcasts.
    Asterisk (*) marks the peer to which the server is currently synchronizing.

    The contents of the host field can be one of the following four forms:
    • Host name
    • IP address
    • Reference clock implementation name with its parameter
    • REFCLK (implementation number parameter)

    If you specify hostnames no , only IP addresses are displayed.
  • dmpeers
    Displays a slightly different peer summary list, identical to the output of the peers command except for the character in the leftmost column. Characters appear only beside peers that were included in the final stage of the clock selection algorithm:
    Dot (.) indicates that this peer was rejected in the "falseticker" detection.
    Plus sign (+) indicates that the peer was accepted.
    Asterisk (*) denotes the peer to which the server is currently synchronizing.
  • showpeer peer-address [...]
    Shows a detailed display of the current peer variables for one or more peers.
  • pstats peer-address [...]
    Shows per-peer statistics counters associated with the specified peers.
  • loopinfo [ oneline | multiline ]
    Displays the values of selected loop-filter variables. The loop filter is the part of NTP that adjusts the local system clock. These options include:
    • offset --- the last offset given to the loop filter by the packet processing code.
    • frequency --- the frequency error of the local clock (in parts per million).
    • time_const --- controls the stiffness of the phase-lock loop and, therefore, the speed at which it can adapt to oscillator drift.
    • watchdog timer --- the number of seconds that have elapsed since the last sample offset was given to the loop filter.

    The oneline and multiline options specify the format in which this information is to be displayed; multiline is the default.
  • sysinfo
    Displays a variety of system state variables, such as the state related to the local server. These variables include:
    • system flags --- shows various system flags, some of which can be set and cleared by the enable and disable configuration commands, respectively. These are the auth , bclient , monitor , ntp , and stats flags.
    • stability --- the residual frequency error remaining after the system frequency correction is applied. It is intended for maintenance and debugging.
    • broadcastdelay --- shows the default broadcast delay as set by the broadcastdelay configuration command.
    • authdelay --- shows the default authentication delay as set by the authdelay configuration command.
  • sysstats
    Displays statistics counters maintained in the protocol module.
  • memstats
    Displays statistics counters related to memory allocation code.
  • iostats
    Displays statistics counters maintained in the input/output module.
  • timerstats
    Displays statistics counters maintained in the timer/event queue support code.
  • reslist
    Displays the server's restriction list. This list is displayed in the order in which the restrictions are applied.
  • monlist [ version]
    Displays traffic counts collected. This information is maintained by the monitor facility. Normally you do not need to specify the version number.


Previous Next Contents Index