000033603 - Troubleshooting tips on testing and configuring NTP for time synchronization on RSA Identity Governance & Lifecycle servers

Document created by RSA Customer Support Employee on Jul 25, 2016Last modified by RSA Customer Support on Sep 13, 2019
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000033603
Applies ToRSA Product Set: Identity Governance & Lifecycle 
RSA Version/Condition: All
O/S Version: SuSE Enterprise/Red Hat Enterprise Server
IssueThis article gives some tips on testing and configuring NTP for time synchronization.
ResolutionThere are a lot of commands that can be used to check your current time.  These include:
  • hwclock: This will show you the motherboard's clock value
  • date: This will show you the server's time, with the timezone offset applied.
  • date -u: This will show you what the server time is in GMT / UTC time.
  • ls -l /etc/localtime: This will often show a soft link to a file under the /usr/share/zoneinfo path.

The commands listed above are good for looking at what the current time is, but if you want to automate the time being correct you would configure NTP.

NTP configuration is stored within the /etc/ntp.conf file.  The entries of interest are the lines that start with server. For instance:

server time.nist.gov

After you make changes to the /etc/ntp.conf file, you need to restart the daemon for the changes to be re-read. For example, as the root user:

  • For SuSE:

service ntp restart

  • For Red Hat:

service ntpd restart

To check to see if the server is reachable you would run the commands:

# ntpq -n
ntpq> as
ntpq> pe

Here is an example of what the output looks like:
User-added image

In the as output above, the #1 server is the first server entry in the ntp.conf file. It is local and it is reachable. The second server is the second server entry in the ntp.conf file. It is web-based and not reachable.

The pe command not only shows that the server was queried, but it also gives some information into the offset of how far off this system's time is in comparison to the NTP server's time.

If none of your servers are reachable but you have a Windows domain that is reachable, most Windows domain controllers answer to NTP time requests.  You can add a server line for one or more servers, restart the service, then attempt the ntpq commands to verify connectivity.