Configuring Authenticated NTP Using Symmetric Keys on ESXi Host
Article ID: 313168

Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps for configuring symmetric authentication for NTP time synchronization on ESXi hosts.


Resolution

Please follow the steps mentioned below to configure symmetric authentication for NTP time synchronization on ESXi hosts:

  • To configure symmetric authentication using a key, the ESXi NTP '/etc/ntp.conf' file should include the following settings:

keys /etc/ntp.keys
trustedkey <keyno>
server ... key <keyno>

  • The keys need to be stored in the '/etc/ntp.keys' file in the format: <keyno> <type> <key>. Here, 'keyno' should be a positive integer (between 1 and 65535), 'type' should be the message digest or cipher algorithm, and 'key' should be the key itself. (Collect the key details from your organization's internal team.)

  • To add or remove keys, the ESXi '/etc/ntp.keys' file needs to be edited directly using a text editor, such as vi.

    • Example:
      • [root@localhost:~] vi /etc/ntp.keys

             5 MD5 abcdxxxxxxxxxxx

  • For ESXi 7.0 Update 2 and previous versions, the '/etc/ntp.conf' file needs to be edited directly using a text editor, such as vi.
    • Take a backup of '/etc/ntp.conf'
      • [root@localhost:~] cp /etc/ntp.conf /etc/ntp.conf.bak
    • Append the below settings to the '/etc/ntp.conf' file using vi (get the <keyno> from the '/etc/ntp.keys' file):
      • [root@localhost:~] vi /etc/ntp.conf

             keys /etc/ntp.keys
             trustedkey <keyno>
             server ... key <keyno>

    • Restart NTP after applying the settings on ESXi:
      • [root@localhost:~] esxcli system ntp set -e 1

 

  • For ESXi 7.0 Update 3 and later versions, a text file needs to be created containing the NTP configuration settings, and then loaded into the ESXi NTP configuration file ('/etc/ntp.conf').
    • Take a backup of  '/etc/ntp.conf' 
      • [root@localhost:~] cp /etc/ntp.conf /etc/ntp.conf.bak
    • Create a text file with the below contents (get the <keyno> from the '/etc/ntp.keys' file):
      • [root@localhost:~] vi temp.txt

             ... <snip>
             keys /etc/ntp.keys
             trustedkey <keyno>
             server ... key <keyno>
             server <ntp.server1.ip>
             server <ntp.server2.ip>

      • Note: Add the existing NTP servers to the above text file; otherwise the existing NTP servers will be removed from '/etc/ntp.conf' when the file is loaded.
    • Load the text file contents into '/etc/ntp.conf':
      • [root@localhost:~] esxcli system ntp set -f temp.txt
    • Restart NTP after applying the settings on ESXi:
      • [root@localhost:~] esxcli system ntp set -e 1

 

  • Please ensure the NTP server also has the following settings in its configuration file:

keys <path-to-server-keys-file>
trustedkey <keyno>

  • Please note that the client and server key files must both contain identical copies of the line specified by keyno.

  • To ensure that authenticated NTP is connecting successfully, please check that the 'auth' value for the server in the 'ntpq -c associations' output is 'ok'.

Example:
[root@localhost:~] ntpq -c as
ind assid status  conf reach auth condition  last_event cnt
===========================================================
1 52115  f61a   yes   yes   ok   sys.peer    sys_peer  1
2 52116  c011   yes    no   bad    reject    mobilize  1
3 52117  9014   yes   yes  none    reject   reachable  1
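As an added example that is not part of this article, the following POSIX shell script performs the pre-flight checks a practitioner would want before running 'esxcli system ntp set -e 1': it validates the '<keyno> <type> <key>' format and 1..65535 range of a keys file, confirms that every 'trustedkey' and 'server ... key' reference in ntp.conf names a key that exists in ntp.keys, and checks that 'ntpq -c as' output shows 'auth' = 'ok' for the sys.peer. All file contents are constructed samples written to a temporary directory (the ESXi shell is assumed to provide awk and grep).

```shell
#!/bin/sh
# Added example, not part of the KB: pre-flight checks for the symmetric-key
# setup described above. All file contents below are constructed samples.

# check_keys_file <keysfile>: each non-comment line must read "<keyno> <type> <key>"
# with keyno an integer in 1..65535. Returns 1 at the first malformed line.
check_keys_file() {
    while read -r keyno type key rest; do
        case "$keyno" in ''|'#'*) continue ;; esac
        case "$keyno" in *[!0-9]*) echo "bad keyno: $keyno" >&2; return 1 ;; esac
        if [ "$keyno" -lt 1 ] || [ "$keyno" -gt 65535 ]; then
            echo "keyno out of range: $keyno" >&2; return 1
        fi
        if [ -z "$type" ] || [ -z "$key" ]; then
            echo "missing type or key for keyno $keyno" >&2; return 1
        fi
    done < "$1"
}

# check_conf_keys <ntp.conf> <ntp.keys>: every key number named by 'trustedkey'
# or 'server ... key N' in ntp.conf must exist as a line in ntp.keys.
check_conf_keys() {
    for n in $(awk '$1=="trustedkey"{for(i=2;i<=NF;i++)print $i}
                    $1=="server"{for(i=2;i<NF;i++)if($i=="key")print $(i+1)}' "$1"); do
        grep -q "^$n[[:space:]]" "$2" || { echo "key $n not in $2" >&2; return 1; }
    done
}

# peer_auth_ok <file with 'ntpq -c as' output>: succeeds only if a sys.peer
# line exists and its 'auth' column (field 6) reads 'ok'.
peer_auth_ok() {
    awk '$7=="sys.peer"{found=1; if($6!="ok")bad=1} END{exit (found && !bad)?0:1}' "$1"
}

# Constructed sample files (placeholder key material, not a real secret).
DEMO=$(mktemp -d)
printf '%s\n' '# constructed sample' '5 MD5 EXAMPLE-KEY-NOT-REAL' > "$DEMO/ntp.keys"
printf '%s\n' 'keys /etc/ntp.keys' 'trustedkey 5' 'server 192.0.2.10 key 5' \
    'server 192.0.2.11' > "$DEMO/ntp.conf"
printf '%s\n' 'keys /etc/ntp.keys' 'trustedkey 7' 'server 192.0.2.10 key 7' > "$DEMO/ntp.conf.bad"
printf '%s\n' 'ind assid status  conf reach auth condition  last_event cnt' \
    '1 52115  f61a   yes   yes   ok   sys.peer    sys_peer  1' > "$DEMO/as.ok"
printf '%s\n' 'ind assid status  conf reach auth condition  last_event cnt' \
    '1 52116  c011   yes    no   bad    reject    mobilize  1' > "$DEMO/as.bad"

check_keys_file "$DEMO/ntp.keys" && check_conf_keys "$DEMO/ntp.conf" "$DEMO/ntp.keys" \
    && peer_auth_ok "$DEMO/as.ok" && echo "sample configuration passes all checks"
```

Run it against the real files on the host by passing /etc/ntp.conf, /etc/ntp.keys and a saved 'ntpq -c as' capture instead of the sample paths.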