Configuring autokey

Use the Autokey Configuration tab to configure the appliance to use the necessary algorithms, passwords, and encryption schemes to authenticate to your NTP servers that use autokey authentication.

About this task

Navigating in IPS Local Management Interface: Manage System Settings > Appliance > NTP Configuration

Navigating in SiteProtector™ Management: select the NTP Configuration policy

Autokey: If both the server and the client are located outside the firewall, they can use autokey authentication. Autokey authentication uses public key cryptography: the server proves its identity with a certificate, and optionally with a challenge/response identity scheme. This method of authentication is best suited to authenticating servers to clients. For example, it works well when a central server outside the firewall authenticates to several lower-stratum servers that are also outside the firewall, and those lower-stratum servers then use their internal network interfaces (NICs) to provide NTP access to clients inside the firewall. This option is available only for NTP version 4.

The appliance applies the settings on this tab to all of your NTP servers that use autokey exchanges.

FIPS mode: To be FIPS-compliant, use the following options:

  Setting                     FIPS-compliant option
  Message Digest Algorithm    SHA-1
  Encryption Scheme           DSA-SHA-1

Procedure

  1. Click the Autokey Configuration tab.
  2. Select a Message Digest Algorithm. This option must match the message digest algorithm configured on the NTP server. The appliance uses this algorithm to communicate with all NTP servers that use autokey exchanges.
  3. In the Certificate and Host Key area, enable the Use Client Password feature, if needed. Use this option to protect the client's certificate and host key with a password.
  4. Select an Encryption Scheme. The client uses this scheme to generate its host key and certificate. The client needs the key and certificate to communicate with the NTP server. The NTP server also uses this scheme to verify the digital signature of the packets sent from the client.
  5. Click Enable identity scheme to use an identity scheme for authentication. Autokey exchanges use identity schemes to prove the identity of a remote system: the server must show that it holds the group's secret parameters without revealing them. Using identity schemes helps to prevent man-in-the-middle attacks, because an attacker that only intercepts traffic does not hold those parameters. The appliance supports three identity schemes: Schnorr (IFF), Guillou-Quisquater (GQ), and Mu-Varadharajan (MV).
    Note: If you enable the use of identity schemes, you must import a group key for each NTP server or each group of NTP servers that uses autokey exchanges.
  6. In the Group keys area, click the Add icon to import a group key.
  7. In the Edit Group keys window, click Select key file to import and choose the group key file.
  8. Add or edit parameters for the group key file in the Server Identity Parameters field.
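As an added illustration of what an identity scheme does once a group key is imported (this is example code written for this page, not code from the appliance or from the NTP distribution), the following Python models the Schnorr (IFF) challenge/response described in RFC 5906 with toy parameters: the server holds the private group parameter b, the client holds only the public parameter v, and a server that does not know b cannot answer the client's challenge. The tiny group parameters, the byte encoding of x, the hash comparison, and the correspondence between v and the group key file the appliance imports are assumptions made for the example; real group keys are generated with ntp-keygen and are far larger.

```python
"""
Toy model of the Schnorr (IFF) identity exchange that Autokey runs after the
certificate exchange.  Added example, not code from the appliance or ntpd.
Simplifications (assumptions): tiny group parameters, no packet framing, and
the digest of the server's value x is compared directly.
"""
import hashlib
import secrets

# Toy DSA-style parameters: P prime, Q prime dividing P - 1, G of order Q.
# Far too small to be secure; they exist only to make the arithmetic visible.
P = 1019
Q = 509
G = pow(2, (P - 1) // Q, P)  # 2^2 mod 1019 = 4, generates the order-509 subgroup


def _encode(x):
    """Fixed-width big-endian encoding of a group element (assumed framing)."""
    return x.to_bytes((P.bit_length() + 7) // 8, "big")


def make_group_key(rng=secrets.randbelow):
    """Trusted authority (the server operator) creates the IFF group key.

    b is the private group parameter that stays on the servers.  v = G^-b mod P
    is the public parameter handed to clients; in the appliance procedure this
    is the role played by the imported group key file (assumption).
    """
    b = 1 + rng(Q - 1)                # 1 <= b < Q
    v = pow(G, Q - b, P)              # G^(-b) == G^(Q - b) because G has order Q
    return b, v


def client_challenge(rng=secrets.randbelow):
    """Client picks a fresh random nonce r for this round."""
    return 1 + rng(Q - 1)


def server_response(b, r, digest="sha1", rng=secrets.randbelow):
    """Server answers challenge r with its group key b.

    Returns (y, h): y = k + b*r mod Q and h = digest(x) where x = G^k mod P.
    The digest name mirrors the Message Digest Algorithm chosen on the tab.
    """
    k = 1 + rng(Q - 1)
    y = (k + b * r) % Q
    x = pow(G, k, P)
    h = hashlib.new(digest, _encode(x)).hexdigest()
    return y, h


def client_verify(v, r, y, h, digest="sha1"):
    """Client recomputes G^y * v^r mod P; it equals G^k only if y was made with b."""
    z = pow(G, y, P) * pow(v, r, P) % P
    return hashlib.new(digest, _encode(z)).hexdigest() == h


def run_demo(digest="sha1"):
    """Genuine server passes; an impostor guessing the group key fails."""
    b, v = make_group_key()
    r = client_challenge()
    genuine = client_verify(v, r, *server_response(b, r, digest), digest)
    b_wrong = b % (Q - 1) + 1         # some value in 1..Q-1 that differs from b
    impostor = client_verify(v, r, *server_response(b_wrong, r, digest), digest)
    return genuine, impostor


if __name__ == "__main__":
    print("genuine server verified, impostor verified:", run_demo())
```

The check in client_verify works because v^r = G^(-b*r) cancels the b*r term the server folded into y, leaving G^k, which only matches the server's digest if the same b was used on both sides; an impostor or a replay with a different challenge r produces a different value and fails.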