IBM Support

Cloud Pak for Security: Clock is not synchronizing

Troubleshooting


Problem

Receiving NTP error on Cloud Pak for Security:
"Clock on <HOST> is not synchronizing. Ensure NTP is configured on this host
machine <HOST> is in phase: Failed"

Cause

  • The controller nodes are not in sync with the configured NTP server.
  • If the system is installed on VMware, the VMtools daemon populates that information from the ESXi host. Both the domain error and the NTP sync error are affected by the VMtools daemon.
  • By default, unless explicitly overridden, the ignition configuration for the control plane and worker nodes uses public NTP servers. The NTP servers can be overridden when the ignition file is generated; if they are not, the setting is hardcoded going forward. The configuration can also be overridden by a DHCP server that provides NTP records. If the default NTP servers were never changed, time lookups might be blocked by an internal firewall.

Resolving The Problem

Check Firewalls

Verify with your Network Administrator that your Firewall isn't blocking:

  1. Either outbound NTP port UDP 323 or UDP 123.
  2. Default NTP servers of Red Hat OpenShift:
    0.rhel.pool.ntp.org
    1.rhel.pool.ntp.org
    2.rhel.pool.ntp.org
    3.rhel.pool.ntp.org

Verify Correct NTP Servers

Use internal NTP server addresses in the chrony configuration on the node to resolve the issue.

  1. Log in to the server's command-line interface (CLI).
  2. Back up the time service configuration:
    cp -p /etc/chrony.conf <BACKUP>
    Note: Replace <BACKUP> with your remote, or local, backup location.
  3. Verify that the configuration contains server definitions and that the lines with "server" are correct:
    sudo vi /etc/chrony.conf
  4. If changes were made, restart the time service:
    sudo systemctl restart chronyd

Hypervisor Special Instructions

Disable all time synchronization from chronyd, as well as real-time clock updates, on hypervisor-based nodes:

  1. Log in to the app host as user "appadmin".
  2. Back up the time service configuration:
    cp -p /etc/chrony.conf <BACKUP>
    Note: Replace <BACKUP> with your remote, or local, backup location.
  3. Comment out the lines that start with "server" and "rtcsync":
    sudo vi /etc/chrony.conf
  4. Restart the time service:
    sudo systemctl restart chronyd
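
A non-interactive form of steps 2 and 3 above, for nodes where the file is edited by script instead of in vi. This is an added example, not part of the original IBM document; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the IBM document.

# Print time-related directives that are still active (not commented out).
# "pool" is listed too because chrony also treats it as a time source.
active_time_directives() {
    grep -E '^[[:space:]]*(server|pool|rtcsync)([[:space:]]|$)' "$1" || true
}

# Steps 2 and 3: back up the file, then comment out "server" and "rtcsync".
# $1 = chrony configuration file, $2 = backup location (<BACKUP> on the page)
disable_chrony_sync() {
    conf=$1
    backup=$2
    if [ ! -f "$conf" ]; then echo "no such file: $conf" >&2; return 1; fi
    if [ -e "$backup" ]; then echo "refusing to overwrite $backup" >&2; return 1; fi
    cp -p "$conf" "$backup" || return 1
    tmp=$(mktemp) || return 1
    if sed -E 's/^([[:space:]]*)(server|rtcsync)([[:space:]]|$)/\1#\2\3/' \
        "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"   # rewrite in place: owner, mode and labels stay
        rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample configuration, written to a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'server ntp1.example.internal iburst' \
        '  server ntp2.example.internal iburst' \
        '#server ntp3.example.internal iburst' \
        'driftfile /var/lib/chrony/drift' \
        'rtcsync' > "$dir/chrony.conf"
    disable_chrony_sync "$dir/chrony.conf" "$dir/chrony.conf.bak" || return 1
    active_time_directives "$dir/chrony.conf"   # prints nothing: all disabled
    rm -rf "$dir"
}

# Real use, as root:  disable_chrony_sync /etc/chrony.conf <BACKUP>
# then:               systemctl restart chronyd
if [ "${1:-}" = "demo" ]; then demo; fi
```

Any line that active_time_directives still prints after the edit is a directive the node continues to act on, so review its output before restarting chronyd.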

Document Location

Worldwide

Document Information

Modified date:
17 July 2023

UID

ibm16962363