000032169 - Setting additional NTP sources on RSA Security Analytics core appliances running 10.5.1

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032169
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Broker, Concentrator, Decoder, Log Decoder, Log Collector, ESA, Archiver, Malware Analysis
RSA Version/Condition: 10.5.1
IssueAs of version 10.5.1 a change to the handling of NTP time sources has been implemented in the Security Analytics stack.  Going forward, all SA core appliances will be automatically configured with the SA server as their only NTP source.  The SA server is in turn configured with additional NTP sources. 
In some customer environments there are restrictive firewall rules between data centers and there is a possibility that core appliances will not be able to access the SA server as an NTP source.
Under this new configuration the SA server becomes a single point of failure for NTP sync.
ResolutionIf necessary a puppet module on the SA server can be modified to add additional NTP sources to core appliances. 
The necessary steps for performing this change are listed below.
  1. Open the following file in a text editor:  /etc/puppet/modules/base/manifests/init.pp
  2. Find the section below:
    } else { # Agents' NTP point to puppetmaster.local
        $ntp_server = ['puppetmaster.local']
        class { '::ntp':
          servers => [$ntp_server],
          keys_enable => true,
          iburst_enable => true,

  3. Modify the line "$ntp_server = ['puppetmaster.local']" to include additional NTP sources similar to the following example:
    } else { # Agents' NTP point to puppetmaster.local
        $ntp_server = ['puppetmaster.local','','someNTPserverName']
        class { '::ntp':
          servers => [$ntp_server],
          keys_enable => true,
          iburst_enable => true,

  4. Save changes and exit.
Upon the next run of puppet agent on core appliances the NTP change will be applied and the nptd service will be automatically restarted.

To quickly verify the affect of the changes:
  1. Connect to a core appliance via SSH as the root user and issue the command below.
    puppet agent -t

  2. Once the puppet agent completes, cat ntp.conf and verify that the additional time server have been added.
    cat /etc/ntp.conf

    The following is sample output of the ntp.conf file:
    # Set up servers for ntpd with next options:
    # server - IP address or DNS name of upstream NTP server
    # iburst - allow send sync packages faster if upstream unavailable
    # prefer - select preferrable server
    # minpoll - set minimal update frequency
    # maxpoll - set maximal update frequency
    server puppetmaster.local iburst
    server iburst
    server someNTPserverName iburst

  3. To further verify the change, the following commands can be used:
    ntpq -p 

NotesAny changes to /etc/puppet/modules/base/manifests/init.pp will likely be lost on subsequent upgrades. 
Therefore, the workaround would need to be reapplied after an upgrade.