Setting Up SNTP Time Synchronization on an i5/OS Box
Published: October 21, 2009
For PCI Data Security Standard (PCI DSS) auditing, I need to ensure that my System i 550 time is synchronized with other network system clocks. How do I set up time synchronization on an i5/OS V5R4 box?
PCI DSS is a security standard being pushed by the credit card providers to encourage companies to adopt consistent security measures for protecting customer account data. Requirement 10.4 of the standard specifies that all critical system clocks and times must be synchronized. For an iSeries, System i, or Power i box, this means that your partitions must automatically synchronize their system clocks with a Network Time Protocol (NTP) server. i5/OS performs NTP time synchronization through its built-in Synchronized Network Time Protocol (SNTP) server. It's easy to configure an i5/OS partition for time synchronization through SNTP. Here's how to do it.
- If your machine resides behind a firewall and you're connecting to an external NTP server for updates, be sure the firewall is configured to pass User Datagram Protocol (UDP) packets through port 123.
- An i5/OS box can be set up as an SNTP client (where the partition synchronizes its clock with an external server), an SNTP server (where the partition serves as an NTP server for synchronizing other machines' clocks), or as both an SNTP client and a server. For our purposes, we are only configuring your partition as an SNTP client. The instructions here have only been tested on an i5/OS V5R4 machine.
- From a green-screen 5250 command line, enter the Change SNTP Attributes command (CHGNTPA) and press the F4 key to prompt for its parameters. This screen will be displayed.
For this example, I've filled in the following parameters for setting up your partition as an SNTP client.
Remote system (RMTSYS)--Specifies the TCP/IP address, host name, or URL of the NTP server(s) to synchronize time with. You can enter up to three different NTP system addresses. The SNTP client will select the first remote system that provides NTP time service.
Client autostart (AUTOSTART)--Specifies whether you want the TCP/IP SNTP client job to start whenever TCP/IP starts. Enter *YES.
Client Poll Interval (POLLITV)--Specifies how often the SNTP client will contact the NTP server for updates. The default is 60 minutes.
Client Activity Log (ACTLOG)--Specifies which NTP activities are written to the SNTP activity log. The default value is *NONE (no logging). I usually set the ACTLOG value to *CHANGE, which creates a log entry whenever the system clock is changed.
Leave all the other settings at their defaults. Press ENTER to save your settings. To start the SNTP client server, enter the following Start TCP/IP Server (STRTCPSVR) command from a command line.
STRTCPSVR SERVER(*NTP) NTPSRV(*CLIENT)
1. To configure the SNTP client from iSeries Navigator (OpsNav), open the Network→Servers→TCP/IP node for your partition in OpsNav, right-click on the SNTP entry on the right-hand side of the screen and select Properties from the pop-up menu that appears. This displays the SNTP Properties panel. Select the Client tab to display the following screen.
Adjust the SNTP client properties just as you did on the green-screen.
To ensure that the SNTP client starts whenever TCP/IP is started, select the General tab from the SNTP Properties screen. Make sure that the Client check box is checked under "SNTP services to start when TCP/IP is started." Click on OK to save your changes.
Be sure to start the SNTP TCP/IP client server after configuring the client. The server is started in OpsNav by right-clicking on the SNTP entry under Network→Servers→TCP/IP and selecting Start→Client from the pop-up menu.
2. After starting SNTP, the following messages will appear in the partition's History Log. Use the Display Log (DSPLOG) command to view these messages.
TCP9105 -- SNTP Activity Log is active.
The TCP9105 message informs you that SNTP logging has been started. It also displays the name and location of the audit file that stores system time changes. This file is usually stored in the /QIBM/USERDATA/OS400/TCPIP/NTP folder in the AS/400 IFS.
CPF1806 -- System value QTIMADJ changed from *NONE to QIBM_OS400_SNTP.
CPF1806 tells you that the Time Adjustment (QTIMADJ) system value has been set to QIBM_OS400_SNTP, which specifies that SNTP will be responsible for synchronizing the system clock with an external time source. This value will revert to *NONE whenever you end the SNTP server.
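The green-screen steps above (CHGNTPA, then STRTCPSVR) and this verification step can be combined into one CL program so the configuration is repeatable across partitions and the QTIMADJ hand-off is checked rather than assumed. This is an added example, not code from the original article; the NTP host names are constructed placeholders, and the DLYJOB pause is an assumption to give the client job time to start.

```cl
/* Added example: configure the i5/OS SNTP client described in the     */
/* article, start it, and confirm that QTIMADJ is now owned by SNTP.    */
/* Host names below are placeholders; substitute your own NTP servers.  */
PGM
  DCL VAR(&ADJ) TYPE(*CHAR) LEN(30)

  /* Up to three NTP servers may be listed; the client uses the first  */
  /* one that answers. *CHANGE logs every clock adjustment, which is   */
  /* the evidence a PCI DSS 10.4 auditor will ask for.                 */
  CHGNTPA RMTSYS('ntp1.example.com' 'ntp2.example.com') +
          AUTOSTART(*YES) POLLITV(60) ACTLOG(*CHANGE)

  /* Start only the client side; this partition does not serve time.  */
  STRTCPSVR SERVER(*NTP) NTPSRV(*CLIENT)
  MONMSG MSGID(TCP0000 CPF0000) EXEC(DO)
     SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
               MSGDTA('STRTCPSVR *NTP failed; see joblog') MSGTYPE(*ESCAPE)
  ENDDO

  /* The client job sets QTIMADJ asynchronously; allow it a moment    */
  /* (assumed delay) before reading the system value back.            */
  DLYJOB DLY(10)
  RTVSYSVAL SYSVAL(QTIMADJ) RTNVAR(&ADJ)

  /* CPF1806 in QHST reports the same change; failing here means SNTP */
  /* never took control of the clock and the partition is unsynced.   */
  IF COND(&ADJ *NE 'QIBM_OS400_SNTP') THEN(DO)
     SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
               MSGDTA('QTIMADJ is not QIBM_OS400_SNTP; SNTP client not active') +
               MSGTYPE(*ESCAPE)
  ENDDO
ENDPGM
```

After the program completes, DSPLOG LOG(QHST) MSGID(TCP9105 CPF1806) shows the two history-log messages discussed above, and the activity log under /QIBM/USERDATA/OS400/TCPIP/NTP begins recording clock changes.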
And that's all there is to configuring and starting SNTP on an i5/OS machine.