Oracle® Access Manager Deployment Guide
10g (10.1.4.0.1)

Part Number B25344-01

6 Synchronizing System Clocks Across Time Zones

Correct operation of Oracle Access Manager depends on synchronizing the system clocks for all of its main components.


Note:

This chapter provides a general discussion of NTP. It is provided for informational purposes only. Follow your own company's guidance for installing and configuring NTP.

6.1 About Synchronization

As discussed in Oracle Access Manager Installation Guide, if you plan to install Oracle Access Manager components across multiple machines, you must make sure all system clocks are synchronized. This is particularly important if you will be running the software in Cert or Simple mode.

Synchronization is important for normal operations. Extremely accurate synchronization can also be a factor in security. For example, a time-based attack can be performed by changing the time on an expired cookie so that it appears to be earlier than the real time. Closely synchronized computers make it difficult to forge the timestamp on a cookie.

6.2 Synchronization With NTP

The Network Time Protocol (NTP) is a commonly used tool for synchronizing system clocks. The following URL provides information on time synchronization.

http://www.ntp.org/

Also, see the comp.protocols.time.ntp newsgroup for information on time synchronization. NTP can typically synchronize the time on computers to within a few milliseconds. The following example shows the output of the ntpq -p command on a typical workstation in an uncontrolled office environment. The example shows the high degree of synchronization that is achieved:

ntpq -p 
   remote           refid           st t when poll reach   delay   offset    disp 
============================================================================== 
-qa.mycompany.co    clock.via.net    2 u  228 1024  377     1.33    0.121    5.13 
#palantir.mycomp    clock.via.net    2 u  254 1024  377     1.42   -1.518    5.12 
-panacea.company    clock.via.net    2 u  244  256  377     0.91    0.551    3.31 
+test.mycompany.    nist1.aol-ca.tr  2 u  175  256  376     0.96    3.760    5.41 
+test.mycompany.    pra3a.mycompany  3 u  441  256  372     1.12    3.043   65.31 
+test.mycompany.    pra3a.mycompany  3 u  232  256  377     0.81    3.736    2.85 
+test.mycompany.    pra3a.mycompany  3 u   27  256  377     0.93    3.787    3.34 
+test2.mycompany    nist1.aol-ca.tr  2 u  232  256  377     0.74    3.722    2.92 
*nist1.abc-ca.tr .ACTS.           1 u  180  256  377    11.53    1.097    2.88 
-ntp-cup.externa .GPS.            1 u   96  256  377    38.48   -0.694    4.45 

The offset field is in milliseconds. Note that all of these computers are within 5 milliseconds of the same time. The nist1 workstation is about 1 millisecond slower (1.097 milliseconds) than the time that the U.S. National Institute of Standards provides. This compares favorably with some radio broadcasts, which can be limited to approximately 10 millisecond accuracy due to varying atmospheric propagation delays.
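The reading of the output above can be turned into a repeatable check. The following script is an added example, not part of the Oracle guide: it parses ntpq -p output, reports the selected peer (the line marked `*`), the largest absolute offset, and any peer whose reach register shows missed polls. The function names are hypothetical, the sample input is the output shown above embedded as constructed test data, and the 5 ms limit is taken from the observation in the preceding paragraph.

```shell
#!/bin/sh
# Constructed input: the ntpq -p output shown above, embedded so this runs offline.
sample_peers() { cat <<'EOF'
   remote           refid           st t when poll reach   delay   offset    disp
==============================================================================
-qa.mycompany.co    clock.via.net    2 u  228 1024  377     1.33    0.121    5.13
#palantir.mycomp    clock.via.net    2 u  254 1024  377     1.42   -1.518    5.12
-panacea.company    clock.via.net    2 u  244  256  377     0.91    0.551    3.31
+test.mycompany.    nist1.aol-ca.tr  2 u  175  256  376     0.96    3.760    5.41
+test.mycompany.    pra3a.mycompany  3 u  441  256  372     1.12    3.043   65.31
+test.mycompany.    pra3a.mycompany  3 u  232  256  377     0.81    3.736    2.85
+test.mycompany.    pra3a.mycompany  3 u   27  256  377     0.93    3.787    3.34
+test2.mycompany    nist1.aol-ca.tr  2 u  232  256  377     0.74    3.722    2.92
*nist1.abc-ca.tr .ACTS.           1 u  180  256  377    11.53    1.097    2.88
-ntp-cup.externa .GPS.            1 u   96  256  377    38.48   -0.694    4.45
EOF
}
# Columns are counted from the right (disp=NF, offset=NF-1, reach=NF-3) so the
# parser also works when the last column is labelled "jitter" instead of "disp".
max_abs_offset() {
  awk 'NF >= 10 && $(NF-1) ~ /^-?[0-9.]+$/ {
         o = $(NF-1) + 0; if (o < 0) o = -o; if (o > m) m = o }
       END { printf "%.3f\n", m }'
}
# The peer the local clock is currently synchronized to carries the "*" tally code.
sys_peer() { awk 'substr($0, 1, 1) == "*" && NF >= 10 { print substr($1, 2) }'; }
# Peers whose reach register is not 377 (octal: all of the last 8 polls answered).
missed_polls() {
  awk 'NF >= 10 && $(NF-3) ~ /^[0-7]+$/ && $(NF-3) != "377" {
         t = substr($0, 1, 1); print (t == " " ? $1 : substr($1, 2)) }'
}
# Exit 0 only if a peer is selected and every offset is within <limit_ms>.
check_sync() {
  awk -v limit="$1" '
    NF >= 10 && $(NF-1) ~ /^-?[0-9.]+$/ {
      o = $(NF-1) + 0; if (o < 0) o = -o
      if (o > max) max = o
      if (substr($0, 1, 1) == "*") synced = 1
    }
    END { exit !(synced && max <= limit) }'
}
# Demo on the embedded sample; on a live host use: ntpq -p | check_sync 5
if sample_peers | check_sync 5; then
  echo "synced to $(sample_peers | sys_peer), max offset $(sample_peers | max_abs_offset) ms"
fi
```

A non-zero exit from check_sync on a host running Oracle Access Manager components is a signal to investigate before time-stamped cookies start failing validation.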

UNIX operating systems typically ship with a version of NTP. It takes a small amount of configuration to enable these shipped versions:

For all versions of UNIX, you can also get a current (and more secure) version of the NTP daemon from http://www.ntp.org/.

All UNIX machines use UTC (the pedant's name for GMT) internally and convert to the local time for displaying the time to users.

Windows computers typically perform time synchronization automatically with their domain controller using a Microsoft version of NTP. While NTP can synchronize the times, you also need to synchronize the domain controller with an official time source.

You can obtain a time service from many Internet Service Providers (ISPs). There is a list of open stratum-1 servers available from http://www.ntp.org/. Some of the servers that are listed at this site are open, for example, the servers at NIST. Other servers require an e-mail request before you use them to synchronize your network.

Windows computers keep the clock in local time, but the NTP synchronization programs compensate to convert to the appropriate time in each time zone.

6.3 Synchronization with a GPS-based System

If having the best possible time match is important to your organization, you can purchase GPS-based clocks. The less expensive ones require some assembly. These clocks can be used to set your entire network to the same time. GPS technology requires very accurate times. Each GPS satellite contains 3 atomic clocks with continuous corrections provided from the ground to compensate for relativistic effects. In other words, an accurate estimate of the current time is developed as a side effect of determining where the GPS receiver is.