NTP Authentication Overview on CTP Devices
Network Time Protocol (NTP) is a UDP-based protocol for IP networks, designed to synchronize the clocks of client machines with the clocks of NTP servers. NTP uses Coordinated Universal Time (UTC) as its reference time.
NTP has distinct client and server roles, but in practice a single daemon (ntpd) implements both. Using NTP packets, the client and server exchange timestamps, and the client then adjusts its clock toward that of the server. NTP itself has long been supported on CTP devices; starting with CTPOS Release 7.2R1, NTP authentication is supported as well. NTP authentication verifies the identity of the NTP server before the local clock is synchronized to it, so a client can distinguish a trusted server from an unauthorized one. It uses a symmetric key configured by the user and shared between the client and the external NTP server; both sides must agree on the key to authenticate NTP packets. Authentication allows the NTP client to verify that the server is in fact known and trusted, and not an intruder, whether accidental or deliberate, masquerading as that server.
The following are the different operating modes used by NTP:
Client/Server—In the common client/server model, a client sends an NTP message to one or more servers and processes the replies as they arrive. The server swaps the source and destination addresses and ports, fills in certain fields of the message, recalculates the checksum, and returns the message immediately. The information in the reply lets the client determine the server's time relative to its local time and adjust the local clock.
Symmetric Active/Passive—Configuring a peer in symmetric-active mode tells the remote server that this host wants to obtain time from it and is also willing to supply time to it if necessary. This mode is appropriate in configurations involving a number of redundant time servers interconnected through diverse network paths. Symmetric modes are most often used between two or more servers operating as a mutually redundant group.
Broadcast—The advantage of this mode is that clients do not need to be configured for a specific server; it is intended for configurations with one or a few servers and a possibly very large client population. Because broadcast messages are not forwarded by routers, the broadcast server must be on the same subnet as its clients. Because an intruder can impersonate a broadcast server and inject false time values, this mode should always be authenticated.
CTP devices use the Client/Server mode: the CTP device is the NTP client, and the CTPView server, or any other Linux machine on the same network as the CTP device, acts as the NTP server against which the device authenticates.
You can configure NTP through the CTPView server in releases earlier than Release 7.2, but NTP authentication can be configured only starting with CTPView Release 7.2R1. NTP is configured only from the CTPView server, on the System Configuration > Node Settings page. NTP authentication allows the NTP client to verify that servers are known and trusted; symmetric key authentication is used to authenticate the packets. The shared secret key is assumed to have been communicated between client and server out of band, and it is the responsibility of the server administrator to have the shared secret key already present in the server's configuration and keys files. The client then adds the required key ID and shared secret key to its configuration and keys files through CTPView or through syscfg commands. To disable NTP authentication, leave the Key ID and Key Value fields blank in CTPView.
NTP Authentication Procedure
As noted above, the shared secret key is assumed to have been communicated between client and server out of band, and the server administrator is responsible for having it already present in the server's configuration and keys files. The server's ntp.conf file must also list the key ID in a “trustedkey keyid” statement, and the NTP process (ntpd) must be running on the server for authentication to succeed.
You enter the communicated key ID and key value through the CTPView server or syscfg commands. The CTPView server adds the key ID and key value to the conf and keys files of the CTP device and starts the NTP daemon. All NTP servers and clients involved must agree on the key, key ID, and key type for the NTP packets to authenticate.
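The following is an added example, not CTPView or CTPOS code, that writes out the configuration pieces the procedure above describes and checks that they agree with each other. It assumes the standard ntpd file formats: ntp.keys lines of the form "<keyid> <type> <secret>", and ntp.conf statements "keys <path>", "trustedkey <id>", and "server <address> key <id>". The key ID 12345 and server address 10.216.118.101 follow this page's example; the secret value and the file paths are constructed for the example.

```python
"""Generate and sanity-check ntpd symmetric-key configuration (added example)."""
import secrets

# Digest types ntpd 4.2.8 accepts for symmetric keys ("M" is an alias for MD5).
SUPPORTED_TYPES = {"M", "MD5", "SHA1"}


def make_key_entry(key_id: int, key_type: str = "SHA1") -> str:
    """Return one ntp.keys line with a freshly generated secret.

    ntpd reads a secret longer than 20 characters as hex, so 40 hex digits
    give a random 20-byte key instead of a guessable passphrase.
    """
    if key_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    return f"{key_id} {key_type} {secrets.token_hex(20)}"


def client_conf(server_ip: str, key_id: int, keys_path: str = "/etc/ntp/keys") -> str:
    """ntp.conf lines the client needs: load the keys, trust the ID, bind it to the server."""
    return f"keys {keys_path}\ntrustedkey {key_id}\nserver {server_ip} key {key_id}\n"


def parse_keys(text: str) -> dict:
    """Map key ID -> (type, secret) from ntp.keys content; '#' starts a comment."""
    keys = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed ntp.keys line: {raw!r}")
        keys[int(fields[0])] = (fields[1].upper(), fields[2])
    return keys


def parse_conf(text: str):
    """Return (keys_path, trusted_ids, {server: key_id or None}) from ntp.conf content."""
    keys_path, trusted, servers = None, set(), {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "keys" and len(tokens) > 1:
            keys_path = tokens[1]
        elif tokens[0] == "trustedkey":
            # Plain IDs only; the "(lo ... hi)" range syntax is not expanded here.
            trusted.update(int(t) for t in tokens[1:] if t.isdigit())
        elif tokens[0] in ("server", "peer") and len(tokens) > 1:
            key_id = None
            if "key" in tokens[2:]:
                pos = tokens.index("key", 2) + 1
                if pos < len(tokens) and tokens[pos].isdigit():
                    key_id = int(tokens[pos])
            servers[tokens[1]] = key_id
    return keys_path, trusted, servers


def check_config(conf_text: str, keys_text: str) -> list:
    """Return the mismatches found; an empty list means the pair is consistent.

    These are the mistakes that make ntpd report "authentication failed" or,
    worse, accept a server without any authentication at all.
    """
    problems = []
    keys_path, trusted, servers = parse_conf(conf_text)
    keys = parse_keys(keys_text)
    if keys_path is None:
        problems.append("no 'keys' statement: ntpd loads no symmetric keys")
    for host, key_id in servers.items():
        if key_id is None:
            problems.append(f"server {host}: no 'key' clause, so it is accepted unauthenticated")
            continue
        if key_id not in keys:
            problems.append(f"server {host}: key {key_id} is missing from the keys file")
        elif keys[key_id][0] not in SUPPORTED_TYPES:
            problems.append(f"server {host}: key {key_id} has unsupported type {keys[key_id][0]}")
        if key_id not in trusted:
            problems.append(f"server {host}: key {key_id} is not listed in 'trustedkey'")
    return problems


# Constructed sample: the keys-file entry the server operator hands to the CTP device.
KEYS_FILE = "12345 MD5 c7f1a9d30e5b8246f1d4a3b7c9e0215d8a6f3b10\n"
GOOD_CONF = client_conf("10.216.118.101", 12345)
BAD_CONF = "keys /etc/ntp/keys\nserver 10.216.118.101 key 12345\n"  # trustedkey forgotten

if __name__ == "__main__":
    print("good:", check_config(GOOD_CONF, KEYS_FILE))
    print("bad: ", check_config(BAD_CONF, KEYS_FILE))
```

The check is worth running on both ends: the server side needs the same "keys" and "trustedkey" lines, and a server statement without a "key" clause silently falls back to unauthenticated time.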
When the NTP daemon starts, it reads the key file named by the keys statement and installs the keys in its key cache. It then exchanges packets with its configured servers at the poll interval. An authenticated NTP packet carries the key ID and a message authentication code (MAC) appended after the standard header, and the server accepts the packet only if the key ID matches a trusted key and the message digest verifies under that key. After successful authentication, the NTP server writes its receive and transmit timestamps into the packet and sends it back to the client. If authentication fails, the time is not synchronized.
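The exchange described above, as an added example that is not CTPView or ntpd code: it builds a minimal NTPv4 client packet, appends the authenticator the way ntpd does for MD5 keys (a 4-byte key ID followed by MD5 over the key bytes concatenated with the 48-byte header), and runs the server-side check, showing that an unknown or untrusted key ID, a different secret, and a modified packet all fail. The key ID 12345 follows the page; the secret bytes and timestamps are constructed.

```python
"""Build and verify an NTP packet with a symmetric-key MD5 authenticator (added example)."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_client_packet(transmit_unix_time: float) -> bytes:
    """Minimal NTPv4 client (mode 3) request with only the transmit timestamp set."""
    first_byte = (0 << 6) | (4 << 3) | 3                # LI=0, VN=4, Mode=3 (client)
    header = struct.pack("!BBbb", first_byte, 0, 6, -20)  # stratum, poll, precision
    fixed = b"\x00" * 12                                # root delay, root dispersion, refid
    zero_ts = b"\x00" * 8                               # reference, originate, receive
    pkt = header + fixed + zero_ts * 3 + ntp_timestamp(transmit_unix_time)
    assert len(pkt) == NTP_HEADER_LEN
    return pkt


def md5_mac(secret: bytes, header: bytes) -> bytes:
    """ntpd's MD5 authenticator: digest of the key bytes followed by the header."""
    return hashlib.md5(secret + header).digest()


def authenticate(header: bytes, key_id: int, secret: bytes) -> bytes:
    """Append key ID and MAC, as the client does before transmitting."""
    return header + struct.pack("!I", key_id) + md5_mac(secret, header)


def verify(message: bytes, key_cache: dict, trusted_ids: set):
    """Server-side check. Returns (accepted, reason).

    key_cache maps key ID -> secret bytes (what ntpd loads from the keys file);
    trusted_ids is the set named by the trustedkey statement.
    """
    if len(message) != NTP_HEADER_LEN + 4 + 16:
        return False, "no MD5 authenticator present"
    header, key_id_bytes, mac = message[:48], message[48:52], message[52:]
    key_id = struct.unpack("!I", key_id_bytes)[0]
    if key_id not in trusted_ids:
        return False, f"key {key_id} is not a trusted key"
    secret = key_cache.get(key_id)
    if secret is None:
        return False, f"key {key_id} is not in the key cache"
    if not hmac.compare_digest(md5_mac(secret, header), mac):  # constant-time compare
        return False, "message digest does not verify"
    return True, "authentication passed"


# Constructed key material shared by the CTP device and the server: the
# 40-hex-digit keys-file entry decoded to its 20 key bytes, as ntpd does.
KEY_ID = 12345
SECRET = bytes.fromhex("c7f1a9d30e5b8246f1d4a3b7c9e0215d8a6f3b10")
SERVER_KEYS = {KEY_ID: SECRET}
SERVER_TRUSTED = {KEY_ID}


def demo_exchange() -> list:
    """Run the good case and three failure cases; return their (accepted, reason) tuples."""
    request = authenticate(build_client_packet(1432743221.51), KEY_ID, SECRET)
    wrong_secret = authenticate(build_client_packet(1432743221.51), KEY_ID, b"guess")
    tampered = request[:40] + bytes([request[40] ^ 0x01]) + request[41:]  # flip a bit of the transmit timestamp
    return [
        verify(request, SERVER_KEYS, SERVER_TRUSTED),
        verify(wrong_secret, SERVER_KEYS, SERVER_TRUSTED),
        verify(tampered, SERVER_KEYS, SERVER_TRUSTED),
        verify(request, SERVER_KEYS, set()),  # server has the key but no trustedkey line
    ]


if __name__ == "__main__":
    for accepted, reason in demo_exchange():
        print("accepted" if accepted else "rejected", "-", reason)
```

The last case is the one the procedure text warns about: a key that is present in the keys file but not listed under trustedkey is never used, so the packet is rejected even though the digest would have verified.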
The following example shows NTP authentication, assuming that the key ID communicated by the NTP server is 12345 and that this key ID and its key value have been added to the conf and keys files of the CTP device.
Command - ntpdate -d -a <Key Id> -k /etc/ntp/keys <Server Ip>
Example - ntpdate -d -a 12345 -k /etc/ntp/keys 10.216.118.101
[root@ctp_74 ctp_cmd 36]# ntpdate -d -a 12345 -k /etc/ntp/keys 10.216.118.101
27 May 16:13:41 ntpdate[11935]: ntpdate 4.2.8@1.3265-o Tue Jan 6 05:50:59 UTC 2015 (3)
Looking for host 10.216.118.101 and service ntp
host found : 10.216.118.101
transmit(10.216.118.101)
receive(10.216.118.101)
receive: authentication passed
transmit(10.216.118.101)
receive(10.216.118.101)
receive: authentication passed
transmit(10.216.118.101)
receive(10.216.118.101)
receive: authentication passed
transmit(10.216.118.101)
receive(10.216.118.101)
receive: authentication passed
server 10.216.118.101, port 123
stratum 11, precision -21, leap 00, trust 000
refid [10.216.118.101], delay 0.02577, dispersion 0.00006
transmitted 4, in filter 4
reference time:      d9101e66.08f2fe3d  Wed, May 27 2015 10:43:50.034
originate timestamp: d9101e68.fbd8b5c6  Wed, May 27 2015 10:43:52.983
transmit timestamp:  d9106bbb.82aca793  Wed, May 27 2015 16:13:47.510
filter delay:  0.02580  0.02579  0.02577  0.02579
               0.00000  0.00000  0.00000  0.00000
filter offset: -19794.5 -19794.5 -19794.5 -19794.5
               0.000000 0.000000 0.000000 0.000000
delay 0.02577, dispersion 0.00006
offset -19794.526903

27 May 16:13:47 ntpdate[11935]: step time server 10.216.118.101 offset -19794.526903 sec
Run without the -d option, the preceding command synchronizes the clock of the CTP device with the NTP server. With -d, ntpdate runs in debug mode: it prints the intermediate results and does not adjust the clock. If the key ID or key value is wrong, the message “authentication passed” is replaced by “authentication failed” and the time is not synchronized.
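The following added example, not CTPView code, parses the ntpdate -d output shown above (embedded here, abridged to the relevant lines) and turns it into the facts a monitoring script or operator would check: whether every reply authenticated, the server's stratum, and the measured offset. The 1000-second limit it applies is ntpd's default panic threshold: ntpd started without -g exits rather than correct an offset that large, so a clock as far off as the one in the example must be stepped (for instance with ntpdate, as above) before ntpd is started.

```python
"""Assess an ntpdate -d run from its debug output (added example)."""
import re

PANIC_THRESHOLD_SECONDS = 1000.0  # ntpd's default panic limit for a clock step

# Sample taken from the ntpdate -d run shown on this page, abridged to the lines used.
SAMPLE_OUTPUT = """\
27 May 16:13:41 ntpdate[11935]: ntpdate 4.2.8@1.3265-o Tue Jan 6 05:50:59 UTC 2015 (3)
Looking for host 10.216.118.101 and service ntp
host found : 10.216.118.101
transmit(10.216.118.101)
receive(10.216.118.101)
receive: authentication passed
transmit(10.216.118.101)
receive(10.216.118.101)
receive: authentication passed
transmit(10.216.118.101)
receive(10.216.118.101)
receive: authentication passed
transmit(10.216.118.101)
receive(10.216.118.101)
receive: authentication passed
server 10.216.118.101, port 123
stratum 11, precision -21, leap 00, trust 000
refid [10.216.118.101], delay 0.02577, dispersion 0.00006
transmitted 4, in filter 4
delay 0.02577, dispersion 0.00006
offset -19794.526903

27 May 16:13:47 ntpdate[11935]: step time server 10.216.118.101 offset -19794.526903 sec
"""


def parse_ntpdate_debug(output: str) -> dict:
    """Extract authentication results, server, stratum and offset from ntpdate -d output."""
    info = {"auth_passed": 0, "auth_failed": 0, "server": None, "stratum": None, "offset": None}
    for line in output.splitlines():
        line = line.strip()
        if line == "receive: authentication passed":
            info["auth_passed"] += 1
        elif line == "receive: authentication failed":
            info["auth_failed"] += 1
        elif (m := re.match(r"server (\S+), port \d+$", line)):
            info["server"] = m.group(1)
        elif (m := re.match(r"stratum (\d+),", line)):
            info["stratum"] = int(m.group(1))
        elif (m := re.match(r"offset (-?\d+(?:\.\d+)?)$", line)):  # the final summary line, not "filter offset:"
            info["offset"] = float(m.group(1))
    return info


def assess(info: dict) -> list:
    """Return the reasons not to trust the sync; an empty list means it is acceptable."""
    reasons = []
    if info["auth_failed"]:
        reasons.append("at least one reply failed authentication")
    if info["auth_passed"] == 0:
        reasons.append("no reply was authenticated (wrong key, no key, or server unreachable)")
    if info["stratum"] is None or not 1 <= info["stratum"] <= 15:
        reasons.append("server is unsynchronized (stratum outside 1-15 or not reported)")
    if info["offset"] is not None and abs(info["offset"]) > PANIC_THRESHOLD_SECONDS:
        reasons.append("offset exceeds ntpd's panic threshold; step the clock before starting ntpd")
    return reasons


if __name__ == "__main__":
    parsed = parse_ntpdate_debug(SAMPLE_OUTPUT)
    print(parsed)
    print(assess(parsed) or ["ok"])
```

On the page's own output this reports four authenticated replies from a stratum 11 server and flags only the size of the offset; replacing the "authentication passed" lines with "authentication failed" is the case the text describes, and the assessment then refuses the sync outright.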