Oracle® Access Manager Deployment Guide 10g (10.1.4.3) Part Number E12490-01
Correct operation of Oracle Access Manager depends on synchronizing the system clocks for all of its main components.
This chapter includes the following topics:
Note:
This chapter provides a general discussion of NTP. It is provided for informational purposes only. Follow your own company's guidance for installing and configuring NTP.
As discussed in the Oracle Access Manager Installation Guide, if you plan to install Oracle Access Manager components across multiple computers, you must make sure all system clocks are synchronized. This is particularly important if you are running the software in Cert or Simple mode.
Synchronization is important for normal operations. Extremely accurate synchronization can also be a factor in security. For example, a time-based attack can be performed by changing the time on an expired cookie so that it appears to be earlier than the real time. Closely synchronized computers make it difficult to forge the timestamp on a cookie.
The Network Time Protocol (NTP) is a commonly used tool for synchronizing system clocks. The following URL provides information on time synchronization.
Also, see the comp.protocols.time.ntp news group for information on time synchronization. NTP can typically synchronize the time on computers to within a few milliseconds. The following example shows the output of an ntp command on a typical workstation in an uncontrolled office environment. The example shows the high degree of synchronization that is achieved with this command:
ntpq -p
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
-qa.mycompany.co clock.via.net    2 u  228 1024  377     1.33    0.121    5.13
#palantir.mycomp clock.via.net    2 u  254 1024  377     1.42   -1.518    5.12
-panacea.company clock.via.net    2 u  244  256  377     0.91    0.551    3.31
+test.mycompany. nist1.aol-ca.tr  2 u  175  256  376     0.96    3.760    5.41
+test.mycompany. pra3a.mycompany  3 u  441  256  372     1.12    3.043   65.31
+test.mycompany. pra3a.mycompany  3 u  232  256  377     0.81    3.736    2.85
+test.mycompany. pra3a.mycompany  3 u   27  256  377     0.93    3.787    3.34
+test2.mycompany nist1.aol-ca.tr  2 u  232  256  377     0.74    3.722    2.92
*nist1.abc-ca.tr .ACTS.           1 u  180  256  377    11.53    1.097    2.88
-ntp-cup.externa .GPS.            1 u   96  256  377    38.48   -0.694    4.45
The offset field is in milliseconds. Note that all of these computers are within 5 milliseconds of the same time. The nist1 workstation is about 1 millisecond slower (1.097 milliseconds) than the time that the U.S. National Institute of Standards provides. This compares favorably with some radio broadcasts, which can be limited to approximately 10 millisecond accuracy due to varying atmospheric propagation delays.
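As an added example (not part of the Oracle guide), the following Python code parses ntpq -p output in the column layout shown above and reports peers that are unsynchronized, that exceed an offset limit, or that missed recent polls. The function names, the 5 ms default limit and the SAMPLE text are assumptions made for illustration; the last two sample rows are constructed.

```python
from typing import NamedTuple

# Constructed sample in the `ntpq -p` layout shown above. The first three peer
# rows are copied from that output; the last two are constructed for illustration.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
-qa.mycompany.co clock.via.net    2 u  228 1024  377     1.33    0.121    5.13
+test.mycompany. pra3a.mycompany  3 u  441  256  372     1.12    3.043   65.31
*nist1.abc-ca.tr .ACTS.           1 u  180  256  377    11.53    1.097    2.88
+drift.mycompany clock.via.net    2 u   12   64  377     0.88  212.400    4.10
 lab.mycompany.c .INIT.          16 u    -   64    0     0.00    0.000    0.00
"""

class Peer(NamedTuple):
    tally: str        # column 0: '*' marks the peer the host is synchronized to
    remote: str
    stratum: int      # 16 means the peer is not synchronized
    reach: int        # octal register of the last 8 polls; 377 = all answered
    offset_ms: float  # offset column, in milliseconds

def parse_ntpq(text):
    """Return one Peer per data row, skipping the header and separator."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()      # column 0 is the tally code
        if len(fields) != 10 or not fields[2].isdigit():
            continue
        peers.append(Peer(line[0], fields[0], int(fields[2]),
                          int(fields[6], 8), float(fields[8])))
    return peers

def audit(text, max_offset_ms=5.0):
    """List findings an operator should review; the limit is an assumed policy."""
    peers = parse_ntpq(text)
    findings = []
    if not any(p.tally == "*" for p in peers):
        findings.append("no system peer selected; host is not synchronized")
    for p in peers:
        if p.stratum >= 16 or p.reach == 0:
            findings.append(f"{p.remote}: unreachable or unsynchronized")
        elif abs(p.offset_ms) > max_offset_ms:
            findings.append(f"{p.remote}: offset {p.offset_ms:+.3f} ms over limit")
        elif p.reach != 0o377:
            findings.append(f"{p.remote}: missed polls (reach {p.reach:o})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run on each Oracle Access Manager host, the same check can read live output by passing the text captured from ntpq -p to audit().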
UNIX operating systems typically ship with a version of NTP. It takes a small amount of configuration to enable these shipped versions:
Solaris: Create an ntp.conf file.
After you create this file using the Solaris conventions, xntp is started automatically when the computer is restarted.
HP-UX: Use sam to start ntp.
AIX: Create an ntp.conf file and enable or create a start script in /etc/init.d (or the equivalent directory on AIX).
For all versions of UNIX, you can also get a current (and more secure) version of the NTP daemon from http://www.ntp.org/.
All UNIX computers use UTC (the pedant's name for GMT) internally and convert to the local time for displaying the time to users.
Windows computers typically perform time synchronization automatically with their domain controller using a Microsoft version of NTP. While NTP can synchronize the times, you must also synchronize the domain controller with an official time source.
You can obtain a time service from many Internet Service Providers (ISPs). There is a list of open stratum-1 servers available from http://www.ntp.org/. Some of the servers that are listed at this site are open, for example, the servers at NIST. Other servers require an e-mail request before you use them to synchronize your network.
Windows computers keep the clock in local time, but the NTP synchronization programs compensate to convert to the appropriate time in each time zone.
If having the best possible time match is important to your organization, you can purchase GPS-based clocks. The less expensive ones require some assembly. These clocks can be used to set your entire network to the same time. GPS technology requires very accurate times. Each GPS satellite contains 3 atomic clocks with continuous corrections provided from the ground to compensate for relativistic effects. In other words, an accurate estimate of the current time is developed as a side effect of determining where the GPS receiver is.
As discussed in the Oracle Access Manager Installation Guide, Oracle Access Manager relies on synchronized time clocks and each host computer's operating system to correctly manage time. When the operating system time clock is operating properly, Oracle Access Manager operates properly. Usually, Network Time Protocol (NTP) is used to manage and synchronize operating system time clocks.
Note:
Time management includes changes for daylight savings time. Daylight savings time changes have no impact on Oracle Access Manager.
USA 2007 Daylight Saving Time (DST) Compliance for Oracle Database and Oracle Fusion Middleware Products: In calendar year 2007, the effective dates for daylight savings are going to change. In the United States, the Energy Policy Act of 2005 was signed into law to extend daylight saving time. Under the new rules, DST in the U.S. starts on the second Sunday in March and ends on the first Sunday in November. In the past, daylight savings time started on the first Sunday in April and ended on the last Sunday in October.
Under the new rules for 2007, DST starts on March 11, 2007 and ends on November 04, 2007. This change also affects Canada. Unless the required patches are applied, the database may report incorrect time zone data between March 11, 2007 and April 1, 2007 and between October 28, 2007 and November 4, 2007 (and on different dates in subsequent years). Mexico is still using the old DST rules.
For more information about the impact of USA 2007 DST compliance for Oracle Database and Oracle Fusion Middleware products, see Note: 397281.1 on the My Oracle Support (formerly MetaLink) Web Site: https://metalink.oracle.com.
US 2007 DST Changes for Oracle Internet Directory and Oracle Application Server: Only the database has potential DST issues with the 2007 DST change, and then only if timezones are set up. A compliant operating system is needed. For more information, review the following notes on the My Oracle Support (formerly MetaLink) Web Site: https://metalink.oracle.com.
Note 357056.1—Impact of changes to daylight saving time (DST) rules on the Oracle database
Note 359145.1—Impact of 2007 USA daylight saving changes on the Oracle database
Note 360803.1—AU Timezone Database and Fusion Middleware Recommendations
Note 397281.1—USA 2007 Daylight Saving Time (DST) Compliance for Database and Fusion Middleware
Note 401010.1—Western Australia Daylight Saving Time Changes Database and Fusion Middleware Recommendations
To locate knowledge base articles on My Oracle Support (formerly MetaLink)
Go to https://metalink.oracle.com.
Log in as directed.
Click the Knowledge tab.
From the Quick Find list, choose Knowledge Base, enter the number of the note, and click the Go button.
From the results list, click the name of the note you want to view.