Skip to main content

Resetting the ComplianceClock for an NTP-configured system

When the SnapLock secure clock daemon detects a skew beyond the threshold, the system time is used to reset both the system and volume ComplianceClocks.

Before you begin

  • This feature is available only at the advanced privilege level.

  • You must be a cluster administrator to perform this task.

  • The SnapLock license must be installed on the node.

  • This feature is available only for Cloud Volumes ONTAP, ONTAP Select, and VSIM platforms.

About this task

When the SnapLock secure clock daemon detects a skew beyond the threshold, the system time is used to reset both the system and volume ComplianceClocks. A period of 24 hours is set as the skew threshold. This means that the system ComplianceClock is synchronized to the system clock only if the skew is more than a day old.

The SnapLock secure clock daemon detects a skew and changes the ComplianceClock to the system time. Any attempt at modifying the system time to force the ComplianceClock to synchronize to the system time fails, since the ComplianceClock synchronizes to the system time only if the system time is synchronized with the NTP time.
  1. Enable the SnapLock ComplianceClock time synchronization feature when an NTP server is configured: snaplock compliance-clock ntp

    Example

    The following command enables the system ComplianceClock time synchronization feature:

    cluster1::*> snaplock compliance-clock ntp modify -is-sync-enabled true
  2. When prompted, confirm that the configured NTP servers are trusted and that the communications channel is secure to enable the feature:

    Example

    Warning: If Data ONTAP has been configured to use NTP server based system time, then this operation will 
    make it possible for the SnapLock ComplianceClock to be synchronized to the system time. You must ensure 
    that the configured NTP servers are trusted and the communication channel to them is secure. Failure to 
    do this may result in SnapLock retention periods being compromised and compliance mandates being violated.

    Do you want to continue? {y|n}: y
  3. Check that the feature is enabled: snaplock compliance-clock ntp show

    Example

    The following command checks that the system ComplianceClock time synchronization feature is enabled:
    cluster1::*> snaplock compliance-clock ntp show 

    Enable clock sync to NTP system time: true