Resetting the ComplianceClock for an NTP-configured system

When the SnapLock secure clock daemon detects a skew beyond the threshold, the system time is used to reset both the system and volume ComplianceClocks.

Before you begin

About this task

A period of 24 hours is set as the skew threshold. This means that the system ComplianceClock is synchronized to the system clock only if the skew is more than a day old.

The SnapLock secure clock daemon detects a skew and changes the ComplianceClock to the system time. Any attempt at modifying the system time to force the ComplianceClock to synchronize to the system time fails, since the ComplianceClock synchronizes to the system time only if the system time is synchronized with the NTP time.

Procedure

  1. Enable the SnapLock ComplianceClock time synchronization feature when an NTP server is configured: snaplock compliance-clock ntp

    The following command enables the system ComplianceClock time synchronization feature:

    cluster1::*> snaplock compliance-clock ntp modify -is-sync-enabled true

  2. When prompted, confirm that the configured NTP servers are trusted and that the communications channel is secure to enable the feature:

    Warning: If Data ONTAP has been configured to use NTP server based system time, then this operation will 
    make it possible for the SnapLock ComplianceClock to be synchronized to the system time. You must ensure that the 
    configured NTP servers are trusted and the communication channel to them is secure. Failure to do this may result 
    in SnapLock retention periods being compromised and compliance mandates being violated.
    
    Do you want to continue? {y|n}: y

  3. Check that the feature is enabled: snaplock compliance-clock ntp show

    The following command checks that the system ComplianceClock time synchronization feature is enabled:

    cluster1::*> snaplock compliance-clock ntp show
    
    Enable clock sync to NTP system time: true