Setting the System Date and Time
You can set the date and time manually using the appliance's internal clock, or by synchronizing the appliance with a network time protocol (NTP) server. NTP provides a reliable, consistent, and accurate timing mechanism using Coordinated Universal Time (UTC), and is the recommended option for providing an accurate date and time. Accurate time is important for security auditing and troubleshooting using the logs.
New HSM
When setting up a new HSM, ensure that you set the HSM server’s system date, time and time zone as appropriate for your network before generating the server certificate. The certificate becomes valid at the time of its creation, which is recorded as part of the certificate, as a GMT value. If your local time is set with an inappropriate local time zone, then the GMT time on the certificate could be incorrect by several hours. When other systems (Clients) attempt to reference your certificate, they might find that it has not yet become valid.
Setting the Time Zone
You must set the time zone before setting the date and time, regardless of whether you are manually configuring the date and time, or using NTP.
To set the time zone
Use the following command:
lunash:> sysconf timezone set <time_zone_code>
Time Zone codes
You can view a list of all available time zone codes using lunash:> sysconf timezone list. See Setting the Time Zone.
If a code is depicted in the list as a major name (such as a country or continent) followed by a list of minor names (such as city names), then write the major name followed by a forward slash ("/"), followed by the minor name, for example America/Montreal.
The code that you enter may not look exactly like the code displayed by lunash:> status date or status zone. For example, status date shows EDT (i.e. Eastern Daylight Time), but to set that you must type "EST5EDT," or "Canada/Eastern" or "America/Montreal" - a number of values produce the same setting.
HSM SO login might be required
While attempting to set the time or zone, you might encounter a message saying that you must log into the HSM first.
lunash:>sysconf timezone set Europe/London
This HSM has been initialized to require that the SO is logged in
prior to running this command.
Verifying that the SO is logged in...
The SO is not currently logged in.
Please login as SO and try again.
That message appears only if the HSM has been previously initialized with the -authtimeconfig option set. The work-around at this stage is to run the command hsm init -label <yourlabeltext> without the -authtimeconfig option. Be aware that hsm init re-initializes the HSM and erases any existing partitions and key material, so use this work-around only on an HSM that holds nothing you need to keep. This way, you can perform your intended initialization out of order, and set the appliance time and zone later. The order chosen for these configuration instructions is usually convenient and easy to understand, but having the system time set before initializing is not required. However, it is important to have the time set correctly before you create certificates later on.
Manually Configuring the Appliance Date and Time
If the Luna Network HSM 7 has been used before, then it might have been initialized with the option -authtimeconfig, which requires that the HSM SO be logged in before you are allowed to set time/time zone. If that is the case, then you will need to log in with the old HSM SO credentials, or initialize the HSM first, before you can set time and time zone.
NOTE Manual adjustment of the time may cause events to appear out of order. It is highly recommended that you use NTP to synchronize the appliance time.
To set the date and time
1.Verify the currently configured date, time, and time zone on the appliance, using the status date command. The command returns the current settings for date, time, and time zone. If desired, you can also use status time and status zone.
lunash:> status date
lunash:> status time
lunash:> status zone
2.If the date, time, or time zone are incorrect for your location, change them using the following command:
lunash:> sysconf timezone set <time_zone>
lunash:>sysconf timezone set Canada/Eastern
Timezone set to Canada/Eastern
lunash:> sysconf time <time> [<date>]
lunash:>sysconf time 15:54 20170427
Thu Apr 27 15:54:00 EDT 2017
NOTE You must set the time zone before setting the time and date, otherwise the time zone change adjusts the time that you just set.
Drift correction for the system clock
If you require that your appliance's system clock be as correct as is practical, but are unable to use NTP for the most accurate timekeeping possible, use the system's clock-drift correction protocol. See Correcting Clock Drift Manually.
Synchronizing the Appliance With a Network Time Protocol (NTP) Server
You can optionally configure the appliance to synchronize its date and time with a network time protocol (NTP) server. NTP provides a reliable, consistent, and accurate timing mechanism for the appliance using Coordinated Universal Time (UTC), and is the recommended option for providing an accurate date and time for the appliance. The appliance automatically selects the best NTP server with which it can reliably communicate (the lowest stratum number, that is, the server closest to a reference clock). If the appliance loses communications with an NTP server, it automatically selects the next best available server.
NOTE If you wish to use Network Time Protocol (NTP), you must set the system time to within 15 minutes of the time given by the servers that you select. If the difference between NTP server time and the HSM appliance time is greater than 15 minutes, the NTP daemon ignores the servers and quits. To ensure that you are within the 15-minute window, we recommend setting the date and time by fetching it from an NTP server, using the sysconf ntp ntpdate command.
To configure the appliance to use NTP
To use NTP, you must add one or more NTP servers to the appliance's NTP server list, and then enable the appliance to synchronize its time to the servers.
1.If you have not already done so, configure the appliance's DNS server settings. See Configuring IP and Network Parameters.
2.Ensure that the correct time zone is set on the appliance:
lunash:> sysconf timezone show
If the appliance does not have the correct time zone configured, set it before continuing. See Setting the Time Zone.
3.You must now set the correct date and time. You can do this:
•manually; see Manually Configuring the Appliance Date and Time
•by fetching it from an NTP server, using the command:
lunash:> sysconf ntp ntpdate <NTP_server_IP_or_hostname>
4.Add one or more NTP servers to the appliance's NTP server list, using the command:
lunash:> sysconf ntp addserver <NTP_server_IP_or_hostname>
This command automatically starts the NTP service and enables time synchronization with the NTP server.
5.Verify the NTP status, using the command:
lunash:> sysconf ntp status
[myLuna] lunash:>sysconf ntp status
NTP is running
NTP is enabled
Peers:
==============================================================================
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l    8   64    1    0.000    0.000   0.000
 time-c.timefreq .ACTS.           1 u    7   64    1   78.306  -55560.   0.000
==============================================================================
Associations:
==============================================================================
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 21859  963a   yes   yes  none  sys.peer    sys_peer    3
  2 21860  9024   yes   yes  none  reject      reachable   2
==============================================================================
NTP Time:
==============================================================================
ntp_gettime() returns code 0 (OK)
  time d1504c28.95777000  Wed, Apr 14 2014 12:22:00.583, (.583854),
  maximum error 7951596 us, estimated error 0 us
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset 0.000 us, frequency 0.000 ppm, interval 1 s,
  maximum error 7951596 us, estimated error 0 us,
  status 0x1 (PLL),
  time constant 2, precision 1.000 us, tolerance 512 ppm,
==============================================================================
Command Result : 0 (Success)
In this sample the command has just been run: the reach column is 1 for both peers (one successful poll), the remote server is still marked "reject", and the asterisk marks LOCAL(0), the appliance's own undisciplined clock, as the current system peer. That is normal immediately after sysconf ntp addserver. Re-run sysconf ntp status after a few poll intervals and confirm that the asterisk has moved to a remote server and that its reach value has climbed (377 means the last eight polls all succeeded) before relying on the appliance time for audit logs.
NOTE The return code "5 (ERROR)" indicates a gap between your system time and the NTP server's time. If the initial time-gap between your appliance and the server is greater than 15 minutes, the appliance gives up and never synchronizes with that server. If the initial time-gap is less than 15 minutes, the appliance synchronizes with the server, slowly, over several minutes; this ensures that there is no sudden jump in system time which would be unwelcome in your system logging.
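The following script is an added example, not code from the Luna documentation or from Thales. It parses the peers table that sysconf ntp status prints (the standard ntpq layout shown above) and flags the two states a practitioner checks after step 5: the appliance still synchronized to its own local clock, and a server whose offset exceeds the 15-minute limit from the NOTE above. The first sample table is transcribed from this page; the second is a constructed "healthy" table showing the state to wait for. The millisecond unit of the offset column and the octal reach column are properties of the ntpq format, not of anything Luna-specific.

```python
"""Sanity-check the peers table printed by `lunash:> sysconf ntp status`.

Added example, not part of the Luna documentation or Thales code. It assumes
the peers table uses the standard ntpq layout shown on this page: a
one-character tally column ('*' = current system peer) followed by
remote, refid, st, t, when, poll, reach, delay, offset, jitter.
"""

# The page's NOTE: a server more than 15 minutes off is ignored by ntpd.
# The offset column of the peers table is in milliseconds.
MAX_OFFSET_MS = 15 * 60 * 1000

# Sample 1: the output reproduced on this page (transcribed, not captured live).
# The appliance has just been configured: reach is 1 for both peers, the real
# server is 55.56 s off and still "reject", and the system peer ('*') is the
# undisciplined local clock.
STATUS_JUST_CONFIGURED = """\
NTP is running
NTP is enabled
Peers:
==============================================================================
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l    8   64    1    0.000    0.000   0.000
 time-c.timefreq .ACTS.           1 u    7   64    1   78.306  -55560.   0.000
==============================================================================
Associations:
"""

# Sample 2: constructed to show the state you want after a few poll intervals:
# reach has filled to 377 and the remote stratum-1 server carries the '*'.
STATUS_HEALTHY = """\
NTP is running
NTP is enabled
Peers:
==============================================================================
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   30   64  377    0.000    0.000   0.000
*time-c.timefreq .ACTS.           1 u   22   64  377   78.306   -0.512   0.210
==============================================================================
Associations:
"""


def parse_peer_line(line):
    """Return a dict for one peers-table row, or None for headers/rules."""
    if not line:
        return None
    tally, fields = line[0], line[1:].split()
    if len(fields) != 10 or not fields[2].isdigit():
        return None            # column header, '====' rule, or blank line
    return {
        "tally": tally,
        "remote": fields[0],
        "refid": fields[1],
        "stratum": int(fields[2]),
        "reach": int(fields[6], 8),        # ntpq prints reach in octal
        "offset_ms": float(fields[8]),
    }


def parse_peers(status_text):
    """Extract the rows between 'Peers:' and 'Associations:'."""
    peers, in_table = [], False
    for line in status_text.splitlines():
        if line.startswith("Peers:"):
            in_table = True
        elif line.startswith("Associations:"):
            break
        elif in_table:
            row = parse_peer_line(line)
            if row:
                peers.append(row)
    return peers


def check_ntp_sync(status_text, max_offset_ms=MAX_OFFSET_MS):
    """Return a list of problems; an empty list means the appliance is
    disciplined by a reachable remote server within the offset limit."""
    peers = parse_peers(status_text)
    problems = []
    sys_peer = next((p for p in peers if p["tally"] == "*"), None)
    if sys_peer is None:
        problems.append("no system peer selected yet; wait a few poll intervals")
    elif sys_peer["refid"] == ".LOCL.":
        problems.append("system peer is the local clock (LOCAL(0)), not an NTP server")
    for p in peers:
        if p["refid"] == ".LOCL.":
            continue
        if p["reach"] == 0:
            problems.append(f"{p['remote']}: never reached; check DNS/routing to the server")
        if abs(p["offset_ms"]) > max_offset_ms:
            problems.append(
                f"{p['remote']}: offset {p['offset_ms'] / 1000:.1f} s exceeds the "
                f"15-minute limit; set the time with 'sysconf ntp ntpdate' first")
    return problems


if __name__ == "__main__":
    for name, text in (("just configured", STATUS_JUST_CONFIGURED),
                       ("healthy", STATUS_HEALTHY)):
        print(f"{name}: {check_ntp_sync(text) or 'OK'}")
```

Run it against the text you capture from sysconf ntp status (for example over an SSH session to the appliance). The page's own sample reports only that the system peer is still LOCAL(0): its 55.56 s offset is under the 15-minute limit, so ntpd will slew it in over several minutes rather than reject it, exactly as the NOTE above describes.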