It is vital, especially in a clustered environment, that the clocks on each PGP Encryption Server (Symantec Encryption Management Server) show the correct time.

The Encryption Management Server time is displayed in the administration console on the top right of the Reporting / Overview page.

To set the time, do the following after logging into the administration console:

1. Navigate to System / General Settings.
2. Click on the Set Time button.
3. Select the appropriate time zone.
4. Optionally change the Time Format from the default of AM/PM to 24-hour.
5. Optionally change the Date Format from the default of ddd MM DD YYYY (MM/DD/YYYY) to ddd DD MM YYYY (DD/MM/YYYY).
6. If you have an NTP server available, enable the Use NTP Server option and enter the DNS name or IP address of the NTP server.
7. If you do not have an NTP server available, enable the Set Time Manually option and enter the correct time and date.
8. Click the Save button.

If the Use NTP Server option is already enabled but the time displayed is inaccurate, it means either:

1. The NTP server name or IP is no longer valid. 
2. Encryption Management Server is a VMware Virtual Machine and the VMware ESXi server is attempting to set the time in addition to PGP Encryption Server setting the time using NTP.

Ensure that the NTP server name or IP address is valid. To do this, ssh to the PGP Encryption Server and enter the following command where ntp.server is the DNS name or IP address of the NTP server:

ntpdate -d ntp.server

The last line of the output should contain the word offset. For example:

 3 Feb 09:11:38 ntpdate[6526]: adjust time server 10.10.10.10 offset -0.001627 sec

If the word offset is missing then the NTP server is unreachable or incompatible.

When you have found a potentially valid NTP server, test it using the above command before updating the time settings in the administration console.

If the PGP Encryption Server is using a valid NTP server but the time is still inaccurate and if it is installed on a VMware Virtual Machine, check with your VMware administrator that the VMware Tools setting Synchronize guest time with host is disabled.

This is the default. Please see this VMware article for further details. Never enable both NTP and the Synchronize guest time with host setting because it will lead to erratic time keeping.

If the PGP Encryption Server is using the Set Time Manually option and if the PGP Encryption Server is a VMware Virtual Machine, consider requesting your VMware administrator to enable the VMware Tools setting Synchronize guest time with host providing that the time of the VMware ESXi host is accurate.

154069 - Best Practices: Environmental Requirements for Symantec Encryption Management Server clustering (AKA PGP Server)