
iDRAC9 Security Configuration Guide


Secure NTP

NTP is a protocol that is designed to synchronize the clocks of systems over a network. As part of secure NTP implementation, iDRAC has added options to upload security keys from external time servers. Secure NTP servers append a hash to the time information packet, which the iDRAC compares with a locally generated hash for the same data packet, with its locally stored key corresponding to that time-server. If the locally computed hash matches the received hash, then the time packet is accepted.

The iDRAC secure NTP implementation uses a symmetric key approach, since that is the only option supported by the government agency NIST (National Institute of Standards and Technology). Details can be found at https://www.nist.gov/pml. NIST only guarantees time accuracy to within 50 milliseconds, according to its documentation.

MD5 and SHA1 are the most commonly used key types, since they meet basic security requirements and provide millisecond-level time accuracy with timeservers inside the company infrastructure. In theory, any hash (digest) type supported by openssl can be used for symmetric keys, but stronger algorithms can result in higher CPU usage and higher latency in processing the time data.

Secure NTP Configuration

iDRAC group and property name to enable NTP is “NTPConfigGroup.NTPEnable”. When this property is set to “Enabled”, iDRAC uses the properties NTP1, NTP2, NTP3 to set up to three timeserver FQDN or IP addresses (IPv4 or IPv6).

The new additions in the iDRAC NTPConfigGroup to support secure NTP are:

  1. NTP1SecurityType
  2. NTP1SecurityKeyNumber
  3. NTP1SecurityKey
  4. NTP2SecurityType
  5. NTP2SecurityKeyNumber
  6. NTP2SecurityKey
  7. NTP3SecurityType
  8. NTP3SecurityKeyNumber
  9. NTP3SecurityKey
  • SecurityType is an enumeration with options Disabled, MD5, SHA1. Higher encryption options could be supported in the future.
  • SecurityKeyNumber is a number between 1 and 65534. It should be the same key number that is used on the NTP server for the selected key.
  • SecurityKey - The key is a hex-encoded ASCII string of up to 40 characters.

The key number, type and key value should match in the NTP server and iDRAC, for secure NTP to work.

The NTP configuration has a limitation that the key numbers must be unique. Hence NTP1SecurityKeyNumber, NTP2SecurityKeyNumber and NTP3SecurityKeyNumber should be different values. This limitation comes from open-source ntpd code usage on iDRAC, even though in theory, different NTP servers could issue the same key number. If the same key number is repeated in a configuration, the second instance of the key number is ignored.
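Worked example of the hash check described at the top of this section and of the key-number handling just described, added here and not part of Dell's guide or of iDRAC's code: it parses an ntpd-style keys file (`keyno type key` lines; decoding a 40-character hex key and taking anything else as ASCII is an assumption), computes the symmetric-key MAC a secure NTP server appends (key number followed by MD5 or SHA1 over key || packet, as in RFC 5905), and verifies a received message against the locally stored key for that key number, ignoring a repeated key number as the page says ntpd does. The packet is assumed to be a bare 48-byte NTPv4 header with no extension fields.

```python
import hashlib
import hmac
import struct

# Key types iDRAC accepts for SecurityType, and the digests they use.
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
PACKET_LEN = 48  # bare NTPv4 header; extension fields are assumed absent

def load_keys(text):
    """Parse ntpd-style 'keyno type key' lines into {keyno: (type, key_bytes)}.
    Assumption: a 40-char hex string is decoded, anything else is ASCII."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyno_s, ktype, key = line.split()
        keyno = int(keyno_s)
        if not 1 <= keyno <= 65534 or ktype.upper() not in DIGESTS:
            raise ValueError("bad key line: %r" % line)
        if keyno in keys:  # repeated key number: the second instance is ignored
            continue
        is_hex = len(key) == 40 and all(c in "0123456789abcdefABCDEF" for c in key)
        keys[keyno] = (ktype.upper(), bytes.fromhex(key) if is_hex else key.encode())
    return keys

def mac_for(packet, keyno, ktype, key):
    """Symmetric-key MAC the server appends: key number || digest(key || packet)."""
    return struct.pack("!I", keyno) + DIGESTS[ktype](key + packet).digest()

def verify(msg, keys):
    """Recompute the MAC with the locally stored key for the received key number."""
    packet, trailer = msg[:PACKET_LEN], msg[PACKET_LEN:]
    if len(trailer) not in (4 + 16, 4 + 20):  # key number + MD5 or SHA1 digest
        return False
    keyno = struct.unpack("!I", trailer[:4])[0]
    if keyno not in keys:
        return False  # no local key for this number: the packet cannot be trusted
    ktype, key = keys[keyno]
    expected = DIGESTS[ktype](key + packet).digest()
    return hmac.compare_digest(expected, trailer[4:])

# Constructed keys file mirroring the NTP2/NTP3 entries of the racadm example below.
KEYS_TEXT = """17 SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
13 MD5  carlos
13 MD5  other   # duplicate key number, ignored
"""

def demo():
    keys = load_keys(KEYS_TEXT)
    packet = bytes([0x24]) + bytes(PACKET_LEN - 1)  # LI=0, VN=4, mode=4 (server)
    good = verify(packet + mac_for(packet, 17, *keys[17]), keys)
    wrong_key = verify(packet + mac_for(packet, 17, "SHA1", b"wrong"), keys)
    unknown_no = verify(packet + mac_for(packet, 99, "MD5", b"carlos"), keys)
    return good, wrong_key, unknown_no
```

Only the message whose MAC was produced with the same key number, type and key value as the local entry verifies; a wrong key or an unknown key number is rejected.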

Even though iDRAC can support up to three secure NTP server addresses, Dell guidance is to use only one secure NTP server and leave the other two entries unpopulated for best iDRAC performance. It is common practice to use multiple timeservers with plain, unencrypted NTP; however, present secure NTP installations mostly use a single secure NTP server.

iDRAC allows mixing secure and unsecured NTP servers in the configuration. However, this is not advised, since with the current ntpd implementation the unencrypted NTP packets always become the primary NTP source.

For security reasons, the SecurityKey attribute is write-only. If SecurityType is set to Disabled (default setting), the corresponding key entry is ignored.

NOTE: For MX blade servers, there is also a “chassis” option, where NTP is set to synchronize time with the chassis Management Module (MM). The chassis option continues to use unencrypted NTP to listen to the chassis MM. This is already a secure path, since the communication between iDRAC and MM is over a chassis-private VLAN.

Example showing RACADM script to set security configuration in NTP group:

racadm set idrac.ntpconfiggroup.NTPEnable 1
racadm set idrac.ntpconfiggroup.ntp1 100.64.25.20
racadm set idrac.ntpconfiggroup.NTP1SecurityKey calvin
racadm set idrac.ntpconfiggroup.NTP1SecurityType 1
racadm set idrac.ntpconfiggroup.NTP1SecurityKeyNumber 65
racadm set idrac.ntpconfiggroup.ntp2 100.64.24.202
racadm set idrac.ntpconfiggroup.NTP2SecurityKey da39a3ee5e6b4b0d3255bfef95601890afd80709
racadm set idrac.ntpconfiggroup.NTP2SecurityType 2
racadm set idrac.ntpconfiggroup.NTP2SecurityKeyNumber 17
racadm set idrac.ntpconfiggroup.ntp3 100.64.24.26
racadm set idrac.ntpconfiggroup.NTP3SecurityKey carlos
racadm set idrac.ntpconfiggroup.NTP3SecurityType MD5
racadm set idrac.ntpconfiggroup.NTP3SecurityKeyNumber 13

Example showing RACADM script to disable secure NTP (default configuration in iDRAC):

racadm set idrac.ntpconfiggroup.NTPEnable 0
racadm set idrac.ntpconfiggroup.ntp1 ""
racadm set idrac.ntpconfiggroup.NTP1SecurityKey ""
racadm set idrac.ntpconfiggroup.NTP1SecurityType 0
racadm set idrac.ntpconfiggroup.NTP1SecurityKeyNumber 1
racadm set idrac.ntpconfiggroup.ntp2 ""
racadm set idrac.ntpconfiggroup.NTP2SecurityKey ""
racadm set idrac.ntpconfiggroup.NTP2SecurityType 0
racadm set idrac.ntpconfiggroup.NTP2SecurityKeyNumber 1
racadm set idrac.ntpconfiggroup.ntp3 ""
racadm set idrac.ntpconfiggroup.NTP3SecurityKey ""
racadm set idrac.ntpconfiggroup.NTP3SecurityType 0
racadm set idrac.ntpconfiggroup.NTP3SecurityKeyNumber 1
