000015717 - How to change or set the date  time  time zone  and NTP server on an RSA SecurID Appliance 3.0

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000015717
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: SecurID Appliance
RSA Version/Condition: 3.0
Platform: Linux
Platform (Other): Common Appliance Platform (CAP), rpath Linux
IssueChange or set the date, time, time zone, or NTP server settings on an RSA SecurID Appliance 3.0 after it has been set up.
Change or update the NTP server for an Appliance.
RSA strongly recommends that all primary and replica instances be configured to use a known-good NTP server, and that all instances use the same NTP server. Synchronizing server times with an NTP server prevents authentication failures and replication issues.
CauseWhen you run Quick Setup on the RSA SecurID Appliance 3.0, you might not know the NTP server you want to use. If you want to specify an NTP server at a later date or change the NTP server you specified during Quick Setup, you must do so manually.
ResolutionHow to change or set the date, time, time zone, and NTP server settings on an RSA SecurID Appliance 3.0
Important: If you want to change the current time on the appliance and you already have tokens assigned and users authenticating, carefully consider changing the server UTC time, and be prepared to modify current token offsets with ./rsautil sync-tokens commands. See solution  a41725 for information on the sync-tokens utility. If you do not use the ./rsautil sync-tokens command, you can manually resynchronize individual tokens on the primary Appliance using the RSA Security Console.
To access the Appliance so that you can manage the date, time, time zone, and NTP server settings on the Appliance:
  1. Access the command line of the Appliance using either the console or an SSH client for remote access. (For remote access using an SSH client, the Appliance must be enabled for SSH connectivity. This configuration is in the RSA Operations Console under Administration > Networking > Configure Connectivity using SSH.)
  2. Log on to the Appliance using the emcsrv account and the Operating System password you created in Quick Setup.
  3. Run:
    sudo su
    This command requires the emcsrv account password. (If you have run this command recently, the system might have cached the previously entered password and does not prompt you to enter it again.)
    Run the desired commands using the information provided in the following sections.
Verify you know the Master Password
Certain functions of this process may require you to run commands with rsautil,  and you must know the Master Password as part of this.  After logging  in as emcsrv, run:
sudo su  rsaadmin         (the password will be the same as emcsrv, and this changes you to the rsaadmin user)
cd /usr/local/RSASecurity/RSAAuthenticationManager/utils
. ./rsaenv      (notice this starts with dot-space-dot-slash)
./rsautil manage-secrets -a list          (This will require you to enter the Master Password to run correctly.  Make sure you are able to do this successfully before continuing.)
exit        (this changes you back to root for the next steps)

Date and time
To view local time, run:

[root@appliance-name /]# date
The output should be similar to the following example:
Thu Feb 26 05:16:55 PST 2009

To view UTC time, run:

[root@appliance-name /]# date ?u
The output should be similar to the following example:
Thu Feb 26 13:16:55 UTC 2009

To set the local date and time, run:

[root@appliance-name /]# date MMDDHHMMYYYY
where MM is the 2-digit month, DD is the 2-digit day, HHMM is the current time in 24-hour format, and YYYY is the 4-digit year.
For example, to set the date and time to February 15, 2012 4:17 PM, run:
[root@appliance-name /]# date 021516172012
Note: Do not set the local time and date if an NTP server is specified.
The change is immediate, and the hardware clock is reset automatically.


Time zone

Time zone is determined by the file /etc/localtime. This file has a symbolic link to a coded time zone file. Time zone files are in /usr/share/zoneinfo and subdirectories (/usr/share/zoneinfo/*).

To set or change the time zone:

  1. Check the current time zone link. Run:
    [root@appliance-name etc]# ls -la | more
    Look for the localtime -> /usr/share/zoneinfo line, which indicates the current time zone.
  2. Go to /usr/share/zoneinfo to see the time zone files that are available. Also, view the files in the subdirectories.
  3. To change the symbolic link in the localtime file, run:
    [root@appliance-name etc]# ln -sf /usr/share/zoneinfo/time_zone_file /etc/localtime
    where time_zone_file is the time zone file name or relative path to the time zone file.
    For example:
    [root@appliance-name etc]# ln -sf /usr/share/zoneinfo/US/Pacific /etc/localtime
  4. To verify that the time zone has been updated, run:
    [root@appliance-name etc]# ls -la | more
    Look for the localtime -> /usr/share/zoneinfo line, which indicates the current time zone.
  5. Edit the /etc/sysconfig/clock file, and change the ZONE line to the appropriate time zone. For example, for the US Pacific time zone, this line would be:
  6. Reboot the Appliance so that the time zone changes can take effect in the RSA SecurID Appliance database. (The time zone change is immediate for the current environment and new logon sessions, but a reboot is required to update the Appliance database.)
    a. Shut down the RSA services. Run:
      [root@appliance-name etc]# /usr/local/RSASecurity/RSAAuthenticationManager/server/rsaam stop all
    b. Reboot the Appliance. Run one of the following:
      [root@appliance-name etc]# /sbin/shutdown -r now
      [root@appliance-name etc]# reboot

NTP server settings
  • If setting up or changing the NTP server is likely to change the time by more than a minute, this can cause problems with tokens that were synchronized based on the wrong time. For more information on the sync-tokens utility, see solution a41725.
  • For information on configuring the NTP Daemon to restart automatically on reboot, see solution a49766.
To change the NTP server or set one:
  1. Edit /etc/ntp.conf, and locate the server line.
    The server address that appears on this line is the current time server.
     - You can change it to a different IP address or the FQDN of an NTP server.
     - You may specify more than one NTP server, and the local host uses the first available NTP server in the list.
     - If only one server line occurs in the file and the line is commented with an example, then no NTP server is specified.
     - You can add lines after the commented line.

    For example:
    # server mytrustedtimeserverip
    server tick.example.com
    server tock.example.com
    server ntp2.example.com

    Note: If your environment has firewalls, ensure that the Appliance can accept UDP packets on port 123.
  2. Enable the NTPD service to start on reboot, and restart the NTPD service for the change to take effect. Run the following commands:
    [root@appliance-name /]# /sbin/chkconfig --levels 2345 ntpd on
    [root@appliance-name /]# /sbin/service ntpd restart

    The Appliance immediately synchronizes its time with the NTP server and sets the hardware clock automatically.
  3. Verify that the NTPD service is running. Run:
    ntpq -p


Advanced NTP troubleshooting

Check the /var/logs/messages file for NTPD events or to enable advanced NTP tracing. Also, the commands listed here allow you to make file changes to get a detailed analysis of NTP functionality on the Appliance. For more information on advanced NTP troubleshooting, go to: http://www.ntp.org/ntpfaq/NTP-s-trouble.htm#Q-TRB-MON-STATFIL

To check the NTP servers and also where the servers get updated from, run:

ntpdc -p

To find out how far off the system time is in seconds, based upon the last time the remote server was contacted, run:

ntpdc -c loopinfo

To display the current remaining correction, run:

ntpdc -c kerninfo

To check the status of an update server, run:

ntpdate -d <server ip>
This contacts an NTP server and determines the time difference but does not change the local host's time.

To enable extra NTP logging:

  1. Create the following directory on the Appliance: /var/logs/ntp
  2. Edit /etc/ntp.conf, and add these 4 lines:
    statistics loopstats
    statsdir /var/logs/ntp/
    filegen peerstats file peers type day link enable
    filegen loopstats file loops type day link enable
  3. Restart the NTP service. Run:
    /sbin/service ntpd restart

    After the service starts, the system begins logging peers, peer<date>, loops, loop<date> logs in /var/logs/ntp, which give you the detailed NTP heartbeat and results. These logs can be useful if you have configured the Appliance to use an NTP server but time drift is still an issue.

    You can find data on loopstats 3day, second, offset, drift compensation, polling interval4day, second, offset, drift compensation, estimated error, stability, and polling interval, as well as peerstats 3day, second, address, status, offset, delay, dispersion4day, second, address, status, offset, delay, dispersion, and skew (variance).
WorkaroundThe Appliance was moved to a new location, and the time settings need to be changed.
NotesAuthentication Manager 8.x includes tool to check and change time and NTP settings in the Operations Console
Legacy Article IDa44785