HP TCP/IP Services for OpenVMS


logconfig +sysevents +syncstatus 

This configuration would list the synchronization state of the NTP server and the major system events.
For a simple reference server, the following minimum message configuration might be useful:

logconfig +syncall +clockall 

This configuration lists all clock information and synchronization information. All other events and messages about peers, system events, and so forth, are suppressed.

  • tinker [panic panic | dispersion dispersion | freq freq | minpoll minpoll | allan allan | huffpuff huffpuff]
    This statement can be used to alter several system variables in exceptional circumstances. It should occur in the configuration file before any other configuration options. The default values of these options have been carefully optimized for a wide range of network speeds and reliability expectations. In general, they interact in intricate ways that are hard to predict, and some combinations can result in unpredictable behavior. It is rarely necessary to change the default values.
    The options operate as follows:

    NTP Monitoring Options

    TCP/IP Services NTP includes a comprehensive monitoring facility that is suitable for continuous, long-term recording of server and client timekeeping performance. Statistics files are managed using file generation sets and scripts.

    You can specify the following monitoring commands in your configuration file:

    Access Control Options

    TCP/IP Services NTP implements a general-purpose address-and-mask based restriction list. The list is sorted by address and by mask, and the list is searched in this order for matches. The last match found defines the restriction flags associated with the incoming packets. The source address of incoming packets is used for the match. The 32-bit address is ANDed with the mask associated with the restriction entry and then compared with the entry's address (which has also been ANDed with the mask) to look for a match.

    Although this facility might be useful for keeping unwanted or broken remote time servers from affecting your own, it is not considered an alternative to the standard NTP authentication facility.

    The Kiss-of-Death Packet

    Ordinarily, packets denied service are simply dropped with no further action except incrementing statistics counters. Sometimes a more proactive response is needed, such as a server message that explicitly requests the client to stop sending and leave a message for the system operator. A special packet format, called the kiss-of-death (kod) packet, has been created for this purpose. A kod packet has the leap bits set to unsynchronized, the stratum set to zero, and the reference identifier field set to a four-byte ASCII code. If the noserve or notrust flag of the matching restrict list entry is set, the code is DENY; if the limited flag is set and the rate limit is exceeded, the code is RATE. Finally, if a cryptographic violation occurs, the code is CRYP.
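
The restriction-list lookup and kiss-code selection described above, written out as an added example; it is not code from the HP documentation or from the NTP implementation. The restriction entries, the precedence among the three codes, and the version and mode bits in the header are assumptions made for illustration.

```python
import ipaddress

# Constructed restriction list (address, mask, flags); the values are illustrative only.
RESTRICT = [
    ("192.0.2.66", "255.255.255.255", {"noserve"}),  # one misbehaving host
    ("0.0.0.0", "0.0.0.0", {"limited"}),             # default entry, matches every source
    ("192.0.2.0", "255.255.255.0", set()),           # local subnet, no restriction flags
]
KISS_CODES = (b"DENY", b"RATE", b"CRYP")

def u32(dotted):
    """Dotted-decimal IPv4 address as a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def match_flags(src, entries=RESTRICT):
    """Flags of the LAST matching entry when the list is walked in (address, mask) order."""
    found = None
    for addr, mask, flags in sorted(entries, key=lambda e: (u32(e[0]), u32(e[1]))):
        m = u32(mask)
        if (u32(src) & m) == (u32(addr) & m):  # both sides are ANDed with the entry's mask
            found = flags                      # keep scanning: a later match overrides
    return found

def kod_code(flags, rate_exceeded=False, crypto_violation=False):
    """Kiss code for a denied packet, or None. Precedence follows the text's order (assumption)."""
    flags = flags or set()
    if flags & {"noserve", "notrust"}:
        return b"DENY"
    if "limited" in flags and rate_exceeded:
        return b"RATE"
    return b"CRYP" if crypto_violation else None

def kod_header(code):
    """First 16 header bytes of a kod reply: leap=3 (unsynchronized), stratum 0, refid=code."""
    li_vn_mode = (3 << 6) | (4 << 3) | 4       # version 4 and server mode 4 are assumptions
    return bytes([li_vn_mode, 0, 0, 0]) + bytes(8) + code

def parse_kod(pkt):
    """Receiver-side check: return the kiss code only for a well-formed kod header."""
    if len(pkt) < 16:
        return None
    leap, stratum, refid = pkt[0] >> 6, pkt[1], bytes(pkt[12:16])
    if leap == 3 and stratum == 0 and refid in KISS_CODES:
        return refid.decode("ascii")
    return None
```

Because the default entry sorts first, the host entry for 192.0.2.66 is the last match for that source and its noserve flag decides the outcome.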

    A client receiving a kod performs a set of sanity checks to minimize security exposure, then updates the stratum and reference identifier peer variables, sets the access denied (TEST4) bit in the peer flash variable and sends a message to the log. As long as the TEST4 bit is set, the client will send no further packets to the server. The only way at present to recover from this condition is to restart the protocol at both the client and server. This happens automatically at the client when the association times out. It will happen at the server only if the server operator cooperates.

    Access Control Statements and Flags

    The syntax for the restrict statement is as follows:

    Sample NTP Configuration File

    A sample of the NTP configuration template follows:

    # File name:      TCPIP$NTP.CONF 
    # Product:        HP TCP/IP Services for OpenVMS 
    # Version:        V5.6 
    # © Copyright 1976, 2006 Hewlett-Packard Development Company, L.P. 
    # NTP server configuration file 
    #    This file contains configuration information  for  the  NTP  server. 
    #    Before  starting the NTP server, you must edit this  file  and  copy 
    #    Refer  to  the HP TCP/IP Services for OpenVMS Management  guide  for 
    #    instructions on editing and using this file. 
    #    The Network Time Protocol (NTP) provides synchronized timekeeping among 
    #    a set of distributed time servers and clients. The local OpenVMS host 
    #    maintains an NTP configuration file, TCPIP$NTP.CONF, of participating peers. 
    #    TCPIP$NTP.CONF is maintained in the SYS$SPECIFIC:[TCPIP$NTP] directory. 
    #    Determine the peer hosts with which the local hosts should negotiate 
    #    and  synchronize.  Include at least one (but preferably three) hosts 
    #    that you are certain have the following characteristics: 
    #      1. provide accurate time 
    #      2. synchronize to Internet Time Servers 
    #      (if they are not themselves Internet Time Servers) 
    #    The NTP configuration file is not dynamic, and therefore requires 
    #    restarting NTP  after being edited to make the changes take effect. 
    #    However, you can make run-time configuration requests interactively 
    #    using the NTPDC utility. 
    #    Your NTP configuration file should always include the following 
    #    driftfile entry.  The driftfile is the name of the file that stores 
    #    the clock drift (also known as frequency error) of the system clock. 
    #    Sample entries follow below.  Replace them with your  own  list  of 
    #    hosts and identify the appropriate association mode.  If you specify 
    #    multiple hosts, NTP  can  choose  the  best  source  with  which  to 
    #    synchronize.  This also provides redundancy in case one of the hosts 
    #    becomes unavailable. 
    #    Client/Server Mode 
    #    Client/Server mode indicates that the local  host  wants  to  obtain 
    #    time  from  the  remote server and is willing to supply time to  the 
    #    remote server.  Indicate Client/Server mode with a  peer  statement. 
    #    Identify each peer with a fully-qualified DNS host name  or  with an 
    #    IP address in dotted-decimal notation. 
    peer ntp0.myorg.mycorp.com 
    peer ntp1.myorg.mycorp.com 
    #    Client Mode 
    #    Client mode indicates that the local host wants to obtain time  from 
    #    the  remote server but it is not willing  to  provide  time  to  the 
    #    remote server.  Indicate client  mode  with  the  server  statement. 
    #    Identify each server with a fully-qualified DNS host name or with an 
    #    IP address in dotted-decimal notation. 
    server ntp3.myorg.mycorp.com 
    #    The following commands allow interoperation of NTP with another time 
    #    service such as DTSS.  If enabled (by removing #), NTP will not  set 
    #    the system clock. 
    # server prefer 
    # fudge stratum 0 
    #    The following commands allow this node to act as a backup NTP server 
    #    (or as the sole NTP server on an isolated network),  using  its  own 
    #    system clock as  the  reference source.  If enabled (by removing #), 
    #    this NTP server will  become  active  only  when  all  other  normal 
    #    synchronization sources are unavailable. 
    # server 
    # fudge stratum 8 

    13.4.3 Using NTP with Another Time Service

    A local host can run more than one time service. For example, a host can have both NTP and DTSS (Digital Time Synchronization Service) installed. However, only one of these time services is allowed to set the system clock.

    If you are running a time service in addition to NTP, you must stop either the other time source or NTP from setting the system clock. You can stop NTP from setting the system clock by adding the following statements to the configuration file:

    server prefer 
    fudge stratum 0 

    In these statements, the hardware address of the local clock (LOCAL) is These statements force NTP to use its own system clock as a reference clock. The host continues to respond to NTP time queries but does not make any adjustments to the system clock, thereby allowing the other time service to make those changes.

    13.5 Configuring NTP as Backup Time Server

    You can configure the NTP service as a backup time server. In this case, if all other network synchronization sources become unavailable, the NTP service becomes active. You can also use this method to allow the local node to act as the NTP server in an isolated network. To configure the NTP service as the backup server or the sole NTP server, enter the following commands in the NTP configuration file:

    fudge stratum 8 

    In this example, the stratum is set to a high number (8) so that it will not interfere with any other, possibly better, time synchronization source. You should set the stratum to a number that is higher than the stratum of all other time synchronization sources.

    13.6 NTP Event Logging

    NTP maintains a record of system clock updates in the file SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP_RUN.LOG. NTP reopens this log file daily, each time creating a new version of the file (older versions are not automatically purged). Events logged to this file can include the following messages:

    Logging can be increased by using the logconfig option in TCPIP$NTP.CONF. For more information, see Section 13.4.2.

    In addition, you can enable debugging diagnostics by defining the following logical name with /SYSTEM and a value from 1 through 6, where 6 specifies the most detailed logging:


    Table 13-2 describes the messages most frequently included in the NTP log file.

    Table 13-2 NTP Log File Messages
    Message: Time slew time
    Description: Indicates that NTP has set the local clock by slewing the local time to match the synchronization source. This happens because the local host is no longer synchronized. For example:
        time slew -0.218843 s

    Message: Synchronization lost
    Description: This usually occurs after a time reset. All peer filter registers are cleared, for example, for that particular peer; all state variables are reset along with the polling interval; and the clock selection procedure is once again performed.

    Message: Couldn't resolve hostname, giving up on it
    Description: Indicates that the host name could not be resolved. This peer will not be considered for the candidate list of peers. For example:
        couldn't resolve 'fred', giving up on it

    Message: Send to IP-address: reason
    Description: Indicates that a problem occurred while sending a packet to its destination. The most common reason logged is "connection refused." For example:
        sendto( connection refused

    Message: Time Correction of delta-time seconds exceeds sanity limit (1000); set clock manually to the correct UTC time
    Description: NTP has detected a time difference greater than 1000 seconds between the local clock and the server clock. You must set the clock manually or use the NTPDATE program and then restart NTP. Once NTP sets the clock, it continuously tracks the discrepancy between the local time and NTP time and adjusts the clock accordingly.

    Message: offset: n sec freq x ppm poll: y sec error z
    Description: An hourly message, in which:
    • offset is the offset (in seconds) of the peer clock relative to the local clock (that is, the amount to adjust the local clock to bring it into correspondence with the reference clock).
    • freq is the computed error in the intrinsic frequency of the local clock (also known as "drift") (in parts per million).
    • poll is the minimum interval (in seconds) between transmitted messages (that is, messages sent between NTP peers, as in a client to a server).
    • error is the measure of network jitter (that is, latencies in computer hardware and software).

    Message: No clock adjustments will be made, DTSS is active
    Description: Indicates that the DTSS time service is running on the system. The DTSS time service should be disabled if you would like NTP to set the system time. To disable the DTSS time service, follow these steps:
    1. Boot up normally, allowing DTSS to come up.
    2. Set the TDF using NET$CONFIGURE OPTION 5 (set timezone).
    3. Enter the NCL DISABLE DTSS command.
    4. Enter the NCL DELETE DTSS command.
    5. Put the following command in the SYLOGICALS.COM file:

    Alternatively, you can configure the NTP server not to make clock adjustments, as described in Section 13.4.3. NTP dynamically detects whether the DTSS time service is enabled at any time and will log this message if appropriate.

    Message: Clock adjustments will resume. DTSS no longer active
    Description: Indicates that the DTSS time service has been disabled on the system. NTP will now handle clock adjustments. NTP dynamically detects whether the DTSS time service is enabled at any time and will log this message if appropriate.
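
A small triage pass over TCPIP$NTP_RUN.LOG lines, built from the messages in Table 13-2, as an added example; it is not part of the HP documentation or of TCP/IP Services. The severity labels, the slew threshold, and all sample lines other than the two examples quoted in the table are assumptions constructed for illustration.

```python
import re

# Patterns follow the message texts in Table 13-2. Severities are assumptions for
# illustration; matching ignores case because the table capitalizes some messages.
RULES = [
    ("sanity_limit", "high", r"exceeds sanity limit"),
    ("sync_lost", "medium", r"synchronization lost"),
    ("dtss_active", "medium", r"no clock adjustments will be made, DTSS is active"),
    ("resolve_failed", "low", r"couldn't resolve '([^']+)', giving up on it"),
    ("time_slew", "info", r"time slew ([-+]?\d+(?:\.\d+)?) s\b"),
    ("hourly", "info", r"offset: (\S+) sec freq (\S+) ppm poll: (\d+) sec error (\S+)"),
]
RULES = [(e, s, re.compile(p, re.I)) for e, s, p in RULES]
SLEW_WARN_S = 0.5   # assumed site threshold: slews at or above this are escalated

# Constructed sample: lines 1-2 are the table's own examples, the rest follow its templates.
SAMPLE_LOG = [
    "time slew -0.218843 s",
    "couldn't resolve 'fred', giving up on it",
    "offset: 0.004512 sec freq 12.310 ppm poll: 64 sec error 0.001953",
    "synchronization lost",
    "time slew 0.731002 s",
    "time correction of 4211 seconds exceeds sanity limit (1000); "
    "set clock manually to the correct UTC time",
    "no clock adjustments will be made, DTSS is active",
]

def classify(line):
    """Return (event, severity, captured fields) for a known message, else None."""
    for event, severity, pattern in RULES:
        m = pattern.search(line)
        if m:
            if event == "time_slew" and abs(float(m.group(1))) >= SLEW_WARN_S:
                severity = "medium"
            return event, severity, m.groups()
    return None

def triage(lines):
    """Findings above 'info' as (line number, event, severity), in log order."""
    out = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit and hit[1] != "info":
            out.append((n, hit[0], hit[1]))
    return out
```

Running `triage(SAMPLE_LOG)` keeps the routine slew and the hourly statistics out of the findings and reports the resolution failure, the loss of synchronization, the large slew, the sanity-limit message, and the DTSS conflict.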
