Configuring NTP on Address Manager - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

Product name: BlueCat Integrity
Version: 26.1.0
Locale: en-US

The Network Time Protocol (NTP) service is essential to some of the more complex Address Manager functions, such as xHA, DHCP failover, and differential deployment. Address Manager v26.1.0 introduces support for the Network Time Security (NTS) extension for NTP. NTS extends NTP with cryptographic authentication, so that time synchronization is trusted, accurate, and tamper-proof.

A specific external time reference is also essential to some organizations for reports and compliance tracking. The NTP services on Address Manager act both as a source of NTP synchronization for clients and as clients themselves of another NTP service, which provides the clock reference they in turn serve.

To configure NTP on the Address Manager server:

  1. Select the Settings tab in the sidebar, then select Service configuration.
  2. Under Server management and configuration, locate the NTP service panel and select Edit service.
  3. On the General tab, set the following parameters:
    • Enabled—select this check box to enable the NTP service; deselect this check box to disable the NTP service.
    • Enable NTS—select this check box to enable NTS for NTP; deselect this check box to disable NTS. If you select Enable NTS, the following additional fields appear:
      • Use previously configured private key—select to use the previously configured private key stored in the Address Manager database.
        Note: Deselect this check box only if you want to upload a new private key. Address Manager will warn you that uploading a new private key will overwrite the key already stored in the Address Manager database.
      • If Use previously configured private key is not selected, the following fields appear:
        • Upload private key—use the upload box to select or drag and drop the private key file (<common_name>.key) associated with the server certificate on your local machine or workstation.
          Attention:
          • The private key must comply with PKCS #8 standards.
          • The private key must be an RSA private key. The following cipher suites are supported for Address Manager HTTPS configurations (TLS 1.2):
            • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
            • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          • The private key must be in PEM format and must only contain one key. It can't contain multiple keys or certificates. You can validate the key using openssl and the following command (if there's no password, omit the -passin pass:<password> parameter):
            openssl rsa -noout -modulus -in <private key file> -passin pass:<password>

            If the beginning of the output contains Modulus=, the key is valid.

      • Upload signed certificate—use the upload box to select or drag and drop the signed server certificate (<common_name>.crt) on your local machine or workstation.
        Attention: The certificate must be in PEM format and must only contain one certificate. It can't contain multiple certificates or keys. You can validate the certificate using openssl and the following command:
        openssl x509 -noout -modulus -in <certificate file>

        If the beginning of the output contains Modulus=, the certificate is valid.

      • Upload intermediate bundle certificate—use the upload box to select or drag and drop the associated CA certificate bundle (<common_name>.ca-bundle) on your local machine or workstation. The CA certificate bundle must include the root and any intermediary CA certificates required to authenticate the CA signature of the server certificate.
        Attention: The bundle must be in PEM format, and must only contain one root certificate and the chain of intermediate certificates that match the domain certificate. You can validate the bundle using openssl and the following command:
        openssl x509 -noout -modulus -in <bundle file>

        If the beginning of the output contains Modulus=, the bundle is valid. Note that openssl x509 reads only the first certificate in the file, so this command confirms that the bundle begins with a parseable PEM certificate; it does not inspect the rest of the chain.

  4. On the NTP servers tab:
    • In the Server field, enter the fully qualified domain name or IP address of a remote NTP server from which Address Manager or BDDS will take its time reference.
      Note: If configuring NTS with an IPv6 NTS server, you must supply a FQDN for the IPv6 NTS server in this field.
    • In the Stratum drop-down menu, select a stratum value for the NTP server being added. This value is associated with the individual NTP server specified in the Server field. Select Default to use the stratum value set on the remote NTP server.
      Note: Stratum values indicate the hierarchy level of an NTP server, that is, the number of servers between it and a reference clock. The NTP client uses them to avoid synchronization loops by preferring servers with a lower stratum.
    • Use NTS—select this check box to use NTS with the remote NTP server; deselect this check box if you do not want to use NTS.
      • If you select Use NTS, the CA certificate upload field appears. Under CA certificate upload, drag and drop or select the CA certificate (trusted third party or self-signed) that will be used to authenticate the CA signature on the TLS server certificate of the remote host. If you do not upload a CA certificate, Integrity uses default CAs.
        Note: The file containing the CA certificate or certificate bundle must be in .pem, .cer, .cert, or .crt format. To ensure a successful TLS handshake, the CA certificate uploaded to the client (BDDS) should be the same CA certificate (and intermediate certificates if applicable) used by the server to authenticate the CA signature of its TLS server certificate. The CA certificate can be acquired via browser export or other trusted source, and converted to PEM format.
    • Select the Add server to table button to associate a stratum value with a server and add it to the list. To remove a server, click the Remove (Trash icon) button. The top-most NTP server is queried first, then the second, and so on down the list.
      Note: By default, the NTP Server list contains at least the following IP addresses:
      • Address Manager NTP list:
        • the Local Reference Clock (127.127.1.0) on the connected server
      • DNS/DHCP Server NTP list:
        • the IP address for the Address Manager appliance managing the DNS/DHCP Server
  5. Select Save.
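The openssl commands in step 3 only confirm that the first object in each file parses; they do not catch a file that carries two keys, a certificate appended to a key, or a PKCS#1 (traditional "RSA PRIVATE KEY") key where PKCS#8 is required. The following added example, which is not part of the BlueCat documentation or product, applies those file-structure rules from step 3 (and the certificate-only rule for the CA certificate uploaded in step 4) by scanning PEM labels and reading the AlgorithmIdentifier of a PKCS#8 key; the sample PEM objects are constructed stubs, not real keys or certificates.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, DER bytes) for every PEM object in the file text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_BLOCK.finditer(text)]

def _tlv(buf, off):
    """Decode one DER tag and length at buf[off]; return (tag, body_start, body_end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long form: low bits give the number of length bytes that follow
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def pkcs8_is_rsa(der):
    """Walk PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier, ... }."""
    outer, start, _ = _tlv(der, 0)
    version, _, ver_end = _tlv(der, start)
    alg, alg_start, _ = _tlv(der, ver_end)
    oid, oid_start, oid_end = _tlv(der, alg_start)
    return (outer, version, alg, oid) == (0x30, 0x02, 0x30, 0x06) and der[oid_start:oid_end] == RSA_OID

def check_private_key(text):
    """Page rules for the key upload: one PEM object, PKCS#8, RSA, no certificates."""
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        return "file must contain exactly one PEM object"
    label, der = blocks[0]
    if label != "PRIVATE KEY":  # unencrypted PKCS#8; "RSA PRIVATE KEY" would be PKCS#1
        return "expected a PKCS#8 PRIVATE KEY block, found " + label
    return "ok" if pkcs8_is_rsa(der) else "PKCS#8 key is not RSA"
def check_cert_file(text, bundle=False):
    """Page rules: a certificate file holds one CERTIFICATE; a bundle holds only CERTIFICATEs."""
    labels = [label for label, _ in pem_blocks(text)]
    if not labels or set(labels) != {"CERTIFICATE"}:
        return "file must contain only CERTIFICATE objects"
    return "ok" if bundle or len(labels) == 1 else "file must contain exactly one certificate"
# Constructed samples (not real keys or certificates): a PKCS#8 shell with rsaEncryption, dummy DER elsewhere.
def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough for these stubs
ALG_ID = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
KEY_OK = _pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\x00") + ALG_ID + _der(0x04, b"\x00")))
KEY_PKCS1 = _pem("RSA PRIVATE KEY", b"\x30\x00")
CERT = _pem("CERTIFICATE", b"\x30\x00")
```

Run these checks before uploading; a file that fails them will be rejected or behave unexpectedly even though the openssl modulus command prints Modulus= for its first object.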