Initialize the Compliance Clock
SnapLock uses the volume Compliance Clock to ensure against tampering that might alter the retention period for WORM files. You must first initialize the system ComplianceClock on each node that hosts a SnapLock aggregate.
Beginning with ONTAP 9.14.1, you can initialize or reinitialize the system Compliance Clock when there are no SnapLock volumes or no volumes with Snapshot copy locking enabled. The ability to reinitialize enables system administrators to reset the system Compliance Clock in instances where it might have been incorrectly initialized or to correct clock drift on the system. In ONTAP 9.13.1 and earlier releases, once you initialize the Compliance Clock on a node, you cannot initialize it again.
To reinitialize the Compliance Clock:
-
All nodes in the cluster must be in the healthy state.
-
All volumes must be online.
-
No volumes can be present the the recovery queue.
-
No SnapLock volumes can be present.
-
No volumes with Snapshot copy locking enabled can be present.
General requirements for initializing the Compliance Clock:
-
You must be a cluster administrator to perform this task.
The time on the system Compliance Clock is inherited by the volume Compliance Clock, the latter of which controls the retention period for WORM files on the volume. The volume Compliance Clock is initialized automatically when you create a new SnapLock volume.
The initial setting of the system Compliance Clock is based on the current hardware system clock. For that reason, you should verify that the system time and time zone are correct before initializing the system Compliance Clock on each node. Once you initialize the system Compliance Clock on a node, you cannot initialize it again when SnapLock volumes or volumes with locking enabled are present. |
You can use the ONTAP CLI to initialize the Compliance Clock or, beginning with ONTAP 9.12.1, you can use System Manager to initialize the Compliance Clock.
-
Navigate to Cluster > Overview.
-
In the Nodes section, click Initialize SnapLock Compliance Clock.
-
To display the Compliance Clock column and to verify that the Compliance Clock is initialized, in the Cluster > Overview > Nodes section, click Show/Hide and select SnapLock Compliance Clock.
-
Initialize the system Compliance Clock:
snaplock compliance-clock initialize -node node_name
The following command initializes the system Compliance Clock on
node1
:cluster1::> snaplock compliance-clock initialize -node node1
-
When prompted, confirm that the system clock is correct and that you want to initialize the Compliance Clock:
Warning: You are about to initialize the secure ComplianceClock of the node "node1" to the current value of the node's system clock. This procedure can be performed only once on a given node, so you should ensure that the system time is set correctly before proceeding. The current node's system clock is: Mon Apr 25 06:04:10 GMT 2016 Do you want to continue? (y|n): y
-
Repeat this procedure for each node that hosts a SnapLock aggregate.
Enable Compliance Clock resynchronization for an NTP-configured system
You can enable the SnapLock Compliance Clock time synchronization feature when an NTP server is configured.
-
This feature is available only at the advanced privilege level.
-
You must be a cluster administrator to perform this task.
-
This feature is available only for Cloud Volumes ONTAP, ONTAP Select, and VSIM platforms.
When the SnapLock secure clock daemon detects a skew beyond the threshold, ONTAP uses the system time to reset both the system and volume Compliance Clocks. A period of 24 hours is set as the skew threshold. This means that the system Compliance Clock is synchronized to the system clock only if the skew is more than a day old.
The SnapLock secure clock daemon detects a skew and changes the Compliance Clock to the system time. Any attempt at modifying the system time to force the Compliance Clock to synchronize to the system time fails, since the Compliance Clock synchronizes to the system time only if the system time is synchronized with the NTP time.
-
Enable the SnapLock Compliance Clock time synchronization feature when an NTP server is configured:
snaplock compliance-clock ntp
The following command enables the system Compliance Clock time synchronization feature:
cluster1::*> snaplock compliance-clock ntp modify -is-sync-enabled true
-
When prompted, confirm that the configured NTP servers are trusted and that the communications channel is secure to enable the feature:
-
Check that the feature is enabled:
snaplock compliance-clock ntp show
The following command checks that the system Compliance Clock time synchronization feature is enabled:
cluster1::*> snaplock compliance-clock ntp show Enable clock sync to NTP system time: true