Meinberg LANTIME/GPS Operating Instructions Manual page 60

A LANTIME can be a trusted authority / trusted host combination and also a "non-
trusted" host in such a secure group.
To configure the LANTIME as a TA / trusted host, enable the AUTOKEY feature
and initialise the group key via the HTTPS web interface ("Generate groupkey") or
CLI setup program. In order to create such a group key, a crypto password has to be
used in order to encrypt / decrypt the certificate. This crypto password is shared
between all group members and can be entered in the web interface and CLI setup
program, too. After generating the group key, you have to distribute it to all members
of your secure group (and setup these systems to use AUTOKEY, too). In the
ntp.conf file of all group members you have to add the following lines (or change
them, if they are already included):
crypto pw cryptosecret
keysdir /etc/ntp/
In the above example "cryptosecret" is the crypto password, that has been used to
create the group key and the public key. Please note that the crypto password is
included as a plain text password in the ntp.conf, therefore this file should not be
world-readable (only root should have read access to it).
On the clients, the server entries must be altered to enable the AUTOKEY feature for
the connections to the NTP servers of the group. This looks like:
server time.meinberg.de autokey version 4
server time2.meinberg.de
You find the server time.meinberg.de which is using the AUTOKEY feature, while
time2.meinberg.de is used without any authentic checks.
If you want to setup the LANTIME server as a trusted host, but need to use a
different trusted authority, please create your own group key with this TA and include
it with the web interface of your LANTIME (on page "Security Management" see
section "NTP autokey" , function "Upload groupkey").
If you want to setup the LANTIME as a "non-trusted" NTP server, you have to
upload the group key of your secure group ( "Security Management" / "NTP autokey"
/ "Upload groupkey") and create your own, self-signed certificate (without marking it
as "trusted"). Because every certificate which is creating by using the web interface
and/or CLI setup is marked "trusted", you have to execute the tool "ntp-keygen"
manually on your LANTIME by using shell access (via SSH).
LantimeGpsV4:/etc/ntp # ntp-keygen -q cryptosecret
Here, too, "cryptosecret" is the crypto password used in the ntp.conf entry. Then you
have to copy the new ntpkeys to the flash disk with:
cp /etc/ntp/ntpkey_*
A detailed description about ntp-keygen can be found on the NTP website
(http://www.ntp.org).
/mnt/flash/config/ntp/uploaded_groupkeys
60