Spectracom - Essential Ingenuity

SecureSync

Dirty COW Vulnerability

Spectracom products running Linux are only susceptible if an attacker is able to successfully authenticate with the product and gain shell access.

NTP Vulnerabilities Prior to Version 4.2.8p9

NTP version ntp-4.2.8p9 has been released to address multiple vulnerabilities in ntpd. Spectracom will implement NTP version 4.2.8p9 in its next release cycle.

How do I manually configure a leap second in SecureSync and NetClock 9400

Typically, GPS provides the timing engine in these products with an indication of an upcoming leap second so that all generated signals can resolve it correctly. During a prolonged GPS outage, or when these products are using a reference signal that is leap-second-unaware, you can manually add the leap second indicator through the user interface.

SecureSync and NetClock 9400 Compliance Testing for Dec 31 2016 Leap Second

SecureSync and NetClock 9400 synchronization systems have been tested for proper handling of the leap second event at UTC midnight on December 31, 2016. This article summarizes the configurations tested.

How to configure STANAG 4430 PORT for SGDH application - on SECURESYNC 1204-11 or 1204-25 board

The 1204-11 and 1204-25 STANAG boards are configurable but are set to HQ 4246 by default. This article describes how to configure the STANAG 4430 port for an SGDH application on a SecureSync 1204-11 or 1204-25 board.

Why is there a 1 second time error from my GPS reference

When GPS started broadcasting the leap second notification on July 19, 2016 for activation on Dec 31, some GPS timing receivers erroneously inserted the leap second resulting in a 1 second time error.

How do I determine the offsets between timescales in SecureSync or NetClock 9400

In the web interface, navigate to Time Management from the Management menu and view the Timescale Offset pane

How do I determine the GPS receiver type in a SecureSync or NetClock 9400

To see the GNSS/GPS receiver version, navigate to Tools > Update/Backup for the GNSS Receiver Manufacturer/Model/Version info.

NTP Throughput

SecureSync and NetClock 9400 units can process over 7,500 NTP requests per second. This capability is per system based on its main network processor. The model 1204-06 Gb Ethernet Option Module simply splits this bandwidth across its four different network interfaces.

SecureSync doesn't display information on LCD screen at startup when temperature is cold

The SecureSync LCD may not display information on the LCD screen at startup in cold temperatures.

Grounding SecureSync

How is the SecureSync grounded?

Freeing Up Disk Space Before a Software Update

When performing a software upgrade, a SecureSync or NetClock 9400 requires additional disk space. It is recommended to ensure memory usage is less than 70% before upgrading. If memory usage is more than 70%, save and delete logs and previous update files.

Required Update for SecureSync / NetClock 9400 Running v5.0.2

Spectracom SecureSync and NetClock 9400 units need a certain amount of free space on their compact flash memory. A bug in version 5.0.2 continuously creates log entries during normal operation. Over a long period of time, these entries consume memory and compromise correct operation of the unit.

SNMP MIB files for the SecureSync

The SecureSync's SNMP MIB files can be downloaded here, extracted out of the SecureSync using FTP/SCP or we can email them to you.

Synchronizing Windows Computers

Microsoft Windows PCs (such as Windows XP, 2000, 2003, 2008, 7, etc.) can be configured to sync to a Spectracom NTP time server. Many newer versions of Windows use the built-in "Windows Time Service" (aka W32Time) for external time synchronization. Spectracom's "Synchronizing Windows Computers" Tech Note assists with configuring Windows computers.

NTP Vulnerabilities Prior to Version 4.2.8p4

Thirteen low and medium severity vulnerabilities were identified in NTP versions 4.2.8p3 and earlier. This affects SecureSync and NetClock 9400 products running SW versions 5.3.0 and earlier, and all NetClock 9200/9300 product versions.

NTP access restriction

By factory default configuration, all nodes and subnets on the time server's network(s) have access to NTP. However, it may be desired to restrict NTP access from/to only one or more individual nodes or subnets. The time server supports this capability of limiting access to NTP via its available "NTP Access Restriction" configuration.

Interpreting free memory reported in the "top" command for SecureSync and NetClock 9400

The "top" command can report the free RAM memory for one of the processors in the unit.

"Ref ID" field for NTP references

NTP reports a "Ref ID" for each configured reference that it can sync with. With the System Reference, this will start out as ".GPS", or some other value based on the synchronizing reference, but it may also change to ".PPS." later on in systems with SecureSync/NetClock SW versions 5.2.0 and earlier.

Reading Internal Temperature via SNMP or the web browser

Do the time servers have an SNMP MIB variable to provide temperature? Or is there any other means of obtaining the internal temperature?

What accuracy can I expect from SecureSync IRIG Outputs?

IRIG outputs from SecureSync are very accurate in digital form (DCLS, Fiber), but can vary based on format in analog form (AM).

How Does a Leap Second Affect My GPS Time Server

Spectracom GPS time servers automatically manage the leap second correction. They follow GPS, NTP, and PTP specifications, so no user interaction is required. We recommend evaluating and testing your NTP clients' ability to correctly manage a leap second event.

"FORBIDDEN" message displayed when attempting to access the Web Browser

After a firmware update, there is a possibility the web UI will not open correctly in a SecureSync or a NetClock 9400.

Using Log Files to Troubleshoot Synchronization

SecureSync and NetClock units have extensive logging capabilities that are very useful when troubleshooting issues with synchronization.

Skylight SecureSync software update to versions newer than 4.7L

Skylight SecureSyncs with software version 4.7L installed cannot be software updated to versions newer than 4.7L without a factory hardware modification being performed on the SecureSync unit. For a small fee, the GPS receiver installed in the Skylight SecureSync can be replaced and a license key installed, thus allowing the SecureSync to be upgraded to software versions newer than 4.7L.

Verifying NTP Queries are Disabled in SecureSync and NetClock 9400

Several NTP vulnerabilities are associated with NTP's NTPQ or NTPDC functionality. The Spectracom SecureSync and NetClock 9400 ship with NTPQ/NTPDC disabled by default, which mitigates these types of vulnerabilities. Note that NTPQ and NTPDC being disabled does not affect the operation of NTP synchronizing clients on the network.

NTP Vulnerabilities Prior to Version 4.2.8

On December 18, 2014, several NTP vulnerabilities were published as CVE-2014-9293 through 9296. The vulnerabilities are based on queries from an unknown entity. By default, external queries are turned off in SecureSync and NetClock products, which is an appropriate mitigation against these vulnerabilities.

Amber/Orange Sync LED Indication

The SecureSync or NetClock 9400 needs to be synced to either itself or to an external reference such as GPS in order for it to be a usable time server, among other master clock functions. When it's synced to a reference such as GPS, the Sync LED is green. But if it had been synced to GPS and reception is lost (with no other input references available), the SecureSync will go into Holdover mode (as indicated by the Sync LED changing to amber).

Troubleshooting Holdover

If a SecureSync or NetClock 9400 either loses all of its input references or if the TFOM value ever exceeds the user-configurable MAXTFOM value, it will go into Holdover mode and assert the Holdover alarm (and the associated Minor alarm).

Check the Installed Version of Software for SecureSync or NetClock 9400

via web browser and versions web page, front panel display or command line interface

About MaxTFOM

The NTP server has an available field called "MaxTFOM" (Maximum Time Figure Of Merit). This is a user-configurable field that can be used to alert to the TFOM (Time Figure Of Merit) exceeding this value.

Bash Bug Susceptibility

Bash is used in Spectracom's NetClock 9200, 9300, 9400 and SecureSync network appliances, although the risk is minimal. This article describes the patch schedule, analysis of risk, and recommendations for those who are concerned about the vulnerability.

Alignment of 10MHz and 1PPS outputs

Except during power-up, there are always 10 million cycles of 10MHz between each 1PPS output.

POODLE Vulnerability

How to mitigate the POODLE vulnerability by disabling SSLv3 until Spectracom software fixes for SecureSync and 9400 models eliminate the issue.

Are Spectracom Products Susceptible to the Heartbleed Bug?

The vulnerability in OpenSSL, known as the Heartbleed bug, makes some Spectracom products susceptible. A software patch fixes the bug. Alternatively, network access controls, shutting down the management port, and changing user passwords are mitigating actions.

FIPS-140 compliancy

Per http://en.wikipedia.org/wiki/FIPS_140-2, the Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a U.S. Government computer security standard used to accredit cryptographic modules.

How to set a login inactivity or "Idle Timeout" on the SecureSync or NetClock 9400

Setting the Idle Timeout is done only from the Classic Interface of the web UI. There is currently no setting in the new web UI.

Disable Classic Interface browser

Starting in software update version 5.1.4, the "Classic Interface" web browser can be disabled as desired, via the newer web browser.

Outputting position information

Time servers can output position info (consisting of latitude, longitude and altitude) using various methods. These include the ability to display it on the front panel LCD, or to output it via SNMP, an available CLI command, or an available RS-485/RS-232 ASCII output Option Card installed in the rear panel Option Bays (not available on all Models).

Manually Setting the System Time

SecureSync and NetClock time servers have the ability to sync to several types of external time references (such as GPS and/or IRIG, for example). But they also have the ability to sync to themselves, using the "User" mode. The User mode allows the time server to go to NTP Stratum 1 without the need for external references to be applied.

Version 5.1.2 disabled user-level access to internal services


HTTPS Certificate Request will not accept my Passphrase

Non-alphanumeric characters are not accepted in the Certificate Request in the new SecureSync or 9400 web browser firmware version 5.1.4.

Password expires today

While logging into the web browser using LDAP or Radius, "Password expires today" is displayed.

How to Connect Frequency or 1PPS signal on 1204-01 module

This article helps identify the names of the 3 connectors available on the 1204-01 FREQ/1PPS Module of the SecureSync.

How to Replace the Battery in a SecureSync or NetClock 9400

The SecureSync time and frequency synchronization system and the NetClock 9400 time server/master clock contain a lithium battery that provides power to the real time clock on the processor board. This keeps the time and date for the system BIOS when the SecureSync is powered down. When replacing the battery, the BIOS clock power will be temporarily interrupted and the BIOS clock will stop counting. This is not a problem if the interruption in battery power is for a short time period. The battery life is rated for at least five years of continuous power down condition. It will not drain if the unit is powered up.

SecureSync/9400 3D CAD Drawing

A .stp 3D CAD file and a .pdf are available for the SecureSync.

Operation of Model 1204-0F Alarm Relay Option Card

The Model 1204-0F Option card provides three available dry contact closure relays that can be activated upon a Minor or Major alarm being asserted.

Local Time display in browser

Starting in Archive software version 5.1.2, Local Time can also be displayed in the upper-left corner of the web browser, in addition to UTC time.

Compliance of Spectracom Time Servers with RFC 2783 - Operating System Time Disciplining by 1PPS

List NTP Clients Receiving Time from SecureSync/NetClock 9400 Using Monlist

The ntpdc monlist command can be run from the command line interface to identify the NTP clients.

NTP's "Local (0)" Clock reference

In Archive software versions prior to version 5.0.0, a "Local (0)" clock reference may be listed in the Status -> NTP page of the browser. In software versions 5.0.0 and above, this "Local (0)" clock reference is only momentarily listed when the time server is exiting Sync state (going out of sync). Then it's removed again.

"No Licenses" displayed on the front panel LCD

Unless the time server is purchased with Glonass or other satellite tracking capability enabled, or unless a License file has been installed in the time server, the Home -> System -> Lic menu on the front panel LCD window will display "No Licenses".

Reporting the time offset between a Windows PC and NTP server

Windows w32tm has a utility called "stripchart" which can provide periodic (such as every two seconds by default) time differences between a Windows PC and an NTP server on the network. This can either be the same NTP server that it normally syncs with, or any other NTP server on the network.

List of NTP clients getting time from the NTP server

Starting in Archive software version 5.1.0, the web browser can display a list of up to about 600 NTP clients on the network that have obtained time from the NTP server.

Factory Default Login Credentials

Default username and password for SecureSync and NetClock 9400.

Front panel and Web User Interface show the IP address as "0.0.0.0"

In Archive Software Versions 5.0.0 through 5.1.0, the IP address will be displayed as "0.0.0.0" on the front panel and in the Web UI if the corresponding Ethernet port (Eth0, and/or Eth1/Eth2/Eth3, if installed) is not connected to a network hub, switch or a stand-alone PC. This indicates this Ethernet interface is currently "down" because it's not detecting a connection to another network device (hub/switch or computer). Note: Archive software version 5.1.2 improves this indication by now also displaying the word "Unplugged" on the front panel and showing "Cable Unplugged" in the web browser.

Why does "NTP" indicate "Not Valid" in the NTP Reference Status table

The Reference Status table (Status -> Time and Frequency page of the browser) reports the validity of the input references (not outputs). NTP output status is indicated at the top of the Status -> NTP page of the browser.

Reported CPU usage

In SecureSync and NetClock 9400, the microprocessor for the Operating System can report its percentage of usage. This processor is for the OS, the web browser and daemons that are running. This is not the same processor that is used for the rest of the core functionality of the NTP server.

Redundant NTP Servers for Automatic Failover

Most newer Models of NTP time servers can be NTP peered together for continued NTP operation upon loss of GPS reception. NTP clients can often be configured to get time from more than one NTP server for automatic fail-over capability (this is dependent upon the NTP client software running on the clients).

How to Configure a 5MHz/1PPS Composite Clock Signal

Certain Simulcast Radio systems like the Motorola MLC-8000/GTR Radio System may require a 5 MHz square wave / 1PPS composite signal for synchronization. This can be produced by using the 1204-17 Square wave output option card in a SecureSync. Using the following configuration, the resulting signal will consist of a 5 MHz TTL with 50nS pulse width including a 150nS pulse on the 1PPS interval as a marker.

How to Display GPS Information on the Front Panel

If desired, the NTP server can display information about the GPS receiver on the front panel LCD. The information it can display includes the number of satellites being tracked, their relative signal strengths and

Shock and Vibe Certifications for SecureSync

SecureSync's shock and vibe certifications used testing methods according to MIL-STD-810F.

SecureSync AC Power Draw

What is the SecureSync AC power draw?

Skylight SecureSync A-GPS (Assisted GPS)

Skylight SecureSyncs are designed for use with an internal GPS antenna. Skylights with Archive software version 4.7L installed (as reported in the Tools -> Versions page of the browser) have additional, unique configurations to help them better operate with a GPS antenna installed indoors. These configurations are for A-GPS (Assisted GPS) functionality.

Default BIOS date/time are displayed after each power-up


Using Automachron to Test a Spectracom NTP Server

Automachron (freeware) is a great utility for testing the NTP output of a Spectracom NTP time server.

Reset the spadmin account password

The spadmin account password, if not known, can be reset back to the factory default value using the time server's front panel LCD/keypad. The factory default password is "admin123" (case-sensitive). This is available in SecureSync and NetClock 9400 products only.

Web browser is displaying "failed to insert the session"

Configuration back-ups performed with Archive version 4.8.x software installed are not compatible with the configurations in Archive versions 5.0.0 and higher. A "clean" needs to be performed to restore operation.

How to view the SecureSync's logs (log entries) with the CLI interface

The SecureSync's logs can be viewed via a telnet/ssh connection, in addition to viewing them in the web browser.

Humidity Specification

What is the humidity rating for the SecureSync?

Redundant AC Input

What are the specifications for the redundant AC Input?

SecureSync Locking Device

Is the SecureSync DC input available with a locking connector?

Input AC current (amps)

What is the AC input current draw?

Altitude limitations for the internal power supply

What are the altitude limitations for the internal power supply (AC and DC)?

EMI/EMC STANDARD

Does SecureSync comply with MIL STD 461F for submarine or STANAG 4370?

Gravity Center of the equipment

Where is the center of gravity in the SecureSync?

Regulation of the front panel lighting

Is there any automatic regulation (for example against temperature variations) of the lighting of the front panel?

Chassis Coating

What type of coating covers the SecureSync chassis?

Rack-mount (rackmount) slides

Does Spectracom recommend rack-mount slides that can be used with SecureSync?

SecureSync Rack Ears/Handles

What hardware is supplied with SecureSync rack ears?

Available/Optional Rear Support Mounting Bracket

Is there an optional rear support mounting bracket available for the SecureSync?

Rack mount slides

Does Spectracom offer a rack mount slide?

Indoor GPS Timing

Skylight

Software upgrade for SecureSync or NetClock 9400

Update using the web browser interface
