DTLinux Configuration
Domain Time DTLinux
Version 5.2

DTLinux configuration is simple and straightforward. All configuration (with the exception of configuring the dtlinux.keys file for symmetric authentication) is done by editing the dtlinux.conf file. See a sample here: dtlinux.conf.sample.txt.

Both the dtlinux.conf and dtlinux.keys files are heavily commented and are the primary documentation for DTLinux. You should always keep a copy of the original distribution files available for reference in case the comments in your running copies are inadvertently removed during editing. This online documentation page merely highlights a few of the topics for additional discussion.

The dtlinux.conf file

    The file is divided into functional sections:

    • NTP and DT2 Time Sources
      This section covers how to configure DTLinux to obtain time from NTP and/or DT2 time sources. You can manually specify the sources in the dtlinux.conf file and DTLinux can also obtain a list of sources from DHCP options.

        Selecting the correct time sources is critical for accurate timing. The Internet time sources specified in the default .conf file are intended as examples only. Choose servers that are optimal for your environment. Stable time sources on a local subnet are best.

        See Planning for effective time distribution for help making the right choice.

    • Loop Variables
      You can set the time check intervals using the parameters in this section. You also control whether to keep ntp-style loopstats and peerstats files.

        A loop:checkInterval of 60 is recommended if you are using PTP, so that PTP time can collect enough valid samples to analyze statistically for best performance. Otherwise, if using NTP or DT2, set the value low enough to achieve the accuracy you require. Setting the value too low just increases overhead and network traffic.

        Also, set a reasonable loop:errorInterval. The value should normally be 30 seconds or less. This affects the period between DTLinux detecting a loss of sync with time sources and when it retries a connection. A relatively short error interval is desirable to restore sync quickly when sources become available again.

        The loop:checkAll setting determines whether all the configured NTP and DT2 time sources are included and analyzed in each time check or if the list is used for fallback, where the first server is used until it fails, at which point the next machine in the list is tried. You may set the log level to Trace (log:logLevel = Trace) if you want to see the details on which machines are used in each time synchronization.

    • PTP Settings
      Use this section to enable/disable PTP and set its basic parameters.

    • Domain Time II Real-Time Alerts
      If you are using Domain Time II Audit Server, we suggest you enable Real-Time Alerts in this section, even if you haven't yet configured any Real-Time Alerts in Audit Server. This will cause the DTLinux machine to display in the Real-Time Alerts page of Manager, giving you up-to-date information on synchronization status and accuracy.

    • Cloning
      If you use cloned OS images to install machines, please read this article from our knowledgebase about configuring Domain Time properly on your clone image.

    • License: Commercial Proprietary (registration required)
      This section describes the evaluation period and how to register the software. The section will be removed when the software is registered.

The dtlinux.keys file

This file contains the authentication keys used for the DT2, NTP, and/or PTP v2.1 protocols. It's also referred to as your keyring. It's located in the /etc/opt/domtime/ folder.

    The keyring may contain a combination of trusted and untrusted keys. A trusted key means the key is available to be selected by the component, but trusted keys for DT2 and NTP are not active until their key number is specified when configuring a DT2 or NTP time source in the time sources list of the dtlinux.conf file (e.g. timesource = 192.168.1.3 protocol NTP key 5). Trusted keys for PTP v2.1 aren't active unless PTP Security has been enabled. Untrusted keys are ignored.

    Here are values from a sample keyring, with MD5 keys available for use by DT2 or NTP, and SHA256 keys available for PTP v2.1:

    Key #   Type     Secret
    1       MD5      DomainTimeII
    2       MD5      TTnts200
    3       SHA256   bf14d67e2ddc8e6683ef574961ff698f61cdd11e9d9c167272e61df0844f4a71
    4       SHA256   48d38f75e6d91d2ae5c0f72b788187440e5f5000d4618dbe7b0515073b338211
    5       MD5      greyware

    The Trustedkey line in the file specifies which keys in the keyring are trusted, e.g.:

      Trustedkey 1 2 3 4 9909
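
The trusted/untrusted rules above can be checked mechanically before a keyring is distributed. The following is an added example, not part of the DTLinux distribution: it cross-checks the Trustedkey line against the keys that are defined and against the key numbers referenced by timesource lines. It assumes the keyring holds one key per line as "number type secret" (the ntp.keys-style layout); the addresses 192.168.1.4 and 192.168.1.5 and the function names are constructed for illustration.

```python
import re

# Constructed sample keyring: the page's sample values written one key per
# line as "number type secret" (assumed ntp.keys-style layout).
KEYRING = """\
1 MD5 DomainTimeII
2 MD5 TTnts200
3 SHA256 bf14d67e2ddc8e6683ef574961ff698f61cdd11e9d9c167272e61df0844f4a71
4 SHA256 48d38f75e6d91d2ae5c0f72b788187440e5f5000d4618dbe7b0515073b338211
5 MD5 greyware
Trustedkey 1 2 3 4 9909
"""
# Constructed dtlinux.conf fragment in the page's timesource syntax.
CONF = """\
timesource = 192.168.1.3 protocol NTP key 5
timesource = 192.168.1.4 protocol NTP key 2
timesource = 192.168.1.5 protocol DT2
"""
SOURCE = re.compile(
    r"^\s*timesource\s*=\s*(\S+)\s+protocol\s+(\S+)(?:\s+key\s+(\d+))?", re.I)

def parse_keyring(text):
    """Return ({key number: type}, set of trusted key numbers)."""
    keys, trusted = {}, set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if fields[0].lower() == "trustedkey":
            trusted.update(int(n) for n in fields[1:] if n.isdigit())
        elif fields[0].isdigit() and len(fields) >= 3:
            keys[int(fields[0])] = fields[1].upper()
    return keys, trusted

def audit(keyring_text, conf_text):
    """List mismatches between Trustedkey, defined keys and timesource keys."""
    keys, trusted = parse_keyring(keyring_text)
    findings = [f"key {n}: in Trustedkey but not defined"
                for n in sorted(trusted - set(keys))]
    for m in filter(None, map(SOURCE.match, conf_text.splitlines())):
        host, proto, key = m.groups()
        if key is None:
            findings.append(f"{host}: no key on {proto} source")
        elif int(key) not in keys:
            findings.append(f"{host}: key {key} not defined")
        elif int(key) not in trusted:
            findings.append(f"{host}: key {key} not in Trustedkey")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(KEYRING, CONF)))
```

With the sample values on this page, the check reports that key 9909 is trusted but has no entry among the keys shown, and that key 5 is referenced by a time source without being listed on the Trustedkey line.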

    The file also contains additional settings required for PTP v2.1 authentication.

      ptpSPP sets the Security Parameter Pointer (SPP). PTP v2.1 requires that Masters and Slaves use the same SPP value to be able to authenticate. The SPP stored in the keyring may either be zero (which acts like a wildcard) or must match what the grandmaster sends. If there is a potential for your Slaves to discover more than one Master (such as with a fallback server), we recommend you use the wildcard setting (0) to avoid synchronization failure if each server has a different SPP.

      These entries specify the key number of the secret that Masters use for signing outgoing packet types. They are included here for compatibility when importing the .keys file into Domain Time Server. These parameters are ignored by Domain Time Client and DTLinux:

        ptpAnnounce [key #]
        ptpSync [key #]
        ptpDelayResp [key #]
        ptpPDelayResp [key #]

      These entries specify the key number of the secret used for signing packet types sent by the Slave:

        ptpDelayReq [key #]
        ptpPDelayReq [key #]

      Sharing the keyring file.

      For symmetric authentication to work, the keyring must be shared among all devices that wish to use it. The dtlinux.keys file uses a format compatible with most time daemons (e.g. ntpd's ntp.keys, chrony's chrony.keys, etc.). You can usually simply copy the /etc/opt/domtime/dtlinux.keys file to your target system (rename it if necessary).

        You can also copy the /etc/opt/domtime/dtlinux.keys file from one DTLinux machine to another.

        You may also share the dtlinux.keys file with Domain Time Servers and Clients on Windows (and vice versa). Use the Import/Export link on the Symmetric Keys property page of the Server or Client's applet to import or export the .keys file.

        If you are using Domain Time II Manager, you can use the Reset Keyring function to push out the keyring to all of your Windows Servers and Clients and DTLinux machines at once. The Reset Keyring function uses the keyring of the Domain Time Server on which Manager is installed. So, to easily share a DTLinux machine's keyring among all of your other Domain Time systems, you'd import the keyring file into Manager's Domain Time Server and then select the machines you want to update and use the Reset Keyring command from the right-click context menu.

 


Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2021 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.