SingleRAN
SSL Feature Parameter Description
Issue 02
Date 2013-07-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]
Issue 02 (2013-07-30)
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
Contents
1 About This Document 1
1.1 Scope 1
1.2 Intended Audience 1
1.3 Change History 1
2 Overview 3
2.1 Introduction 3
2.2 Benefits 3
2.3 Application 3
3 Technical Description 5
3.1 SSL Protocol Stack 5
3.2 Procedure for Establishing an SSL Connection 6
4 SSL Application Scenarios 9
4.1 OM Channel 9
4.1.1 OM Channel Between the Base Station and the M2000 9
4.1.2 OM Channel Between the Base Station Controller and the M2000 16
4.2 FTP Transmission 18
4.3 HTTP Transmission 19
5 Related Features 21
5.1 Features Related to SSL (eGBTS Side) 21
5.2 Features Related to SSL (NodeB Side) 21
5.3 Features Related to SSL (eNodeB Side) 22
5.4 Features Related to SSL (Base Station Controller Side) 22
6 Network Impact 23
7 Engineering Guidelines on the Base Station Side 24
7.1 When to Use SSL 24
7.2 Required Information 24
7.3 Planning 24
7.4 Deployment 25
7.4.1 Requirements 25
7.4.2 Data Preparation 25
7.4.3 Precautions 31
7.4.4 Hardware Adjustment 31
7.4.5 Initial Configuration 31
7.4.6 Activation Observation 34
7.4.7 Reconfiguration 34
7.5 Configuring the OM Channel on the M2000 34
7.6 Performance Monitoring 35
7.7 Parameter Optimization 35
7.8 Troubleshooting 35
8 Engineering Guidelines on the Base Station Controller Side 36
8.1 When to Use SSL 36
8.2 Required Information 36
8.3 Planning 36
8.4 Deployment 36
8.4.1 Requirements 37
8.4.2 Data Preparation 37
8.4.3 Precautions 43
8.4.4 Hardware Adjustment 43
8.4.5 Initial Configuration 43
8.4.6 Activation Observation 44
8.4.7 Reconfiguration 45
8.5 Configuring the OM Channel on the M2000 45
8.6 Performance Monitoring 45
8.7 Parameter Optimization 46
8.8 Troubleshooting 46
9 Parameters 47
10 Counters 78
11 Glossary 79
12 Reference Documents 80
SingleRAN SSL Feature Parameter Description
1 About This Document
1.1 Scope
This document describes SingleRAN Security Socket Layer (SSL), including its technical principles, related features, network impact, and engineering guidelines.
This document covers the following features:
- GBFD-113522 Encrypted Network Management
- MRFD-210305 Security Management
- LBFD-004003 Security Socket Layer
1.2 Intended Audience
This document is intended for personnel who:
- Need to understand the features described herein
- Work with Huawei products
1.3 Change History
This section provides information about the changes in different document versions. There are two types of changes, which are defined as follows:
- Feature change: Changes in features of a specific product version
- Editorial change: Changes in wording or addition of information that was not described in the earlier version
02 (2013-07-30)
This issue includes the following changes.

Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | Added section 5.4 Features Related to SSL (Base Station Controller Side). Deleted the descriptions of SSL supported by micro base stations. | None
01 (2013-04-28)
This issue does not include any changes.

Draft B (2013-04-10)
This issue includes the following changes.

Change Type | Change Description | Parameter Change
Feature change | Implemented SSL on micro base stations. | None
Editorial change | Improved document description. | None

Draft A (2012-12-30)
This document is created for SRAN8.0.
2 Overview
2.1 Introduction
SSL is a protocol that provides end-to-end communication security by encrypting the segments of a network connection at the application layer, running over a transport layer that complies with TCP. SSL provides security protection for high-layer application protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Telecommunication Network Protocol (Telnet). The SSL protocol is the predecessor of Transport Layer Security (TLS). SSL/TLS versions include SSL1.0, SSL2.0, SSL3.0, TLS1.0, TLS1.1, and TLS1.2. SRAN8.0 supports SSL3.0, TLS1.0, TLS1.1, and TLS1.2. Higher versions are backward compatible with lower versions. In this document, SSL is used as a collective name for SSL and TLS.
2.2 Benefits
SSL ensures secure communication between the client and the server by establishing an SSL connection. SSL provides the following security functions:
- Confidentiality: SSL encrypts data transmitted between communication parties to prevent eavesdropping.
- Authentication: The communication parties must authenticate each other before establishing an SSL connection.
- Integrity: SSL provides integrity protection for data transmitted between the communication parties so that the data is not tampered with during transmission.
2.3 Application
SSL can be used to provide protection for:
- The OM channel between the base station and the M2000 or between the base station controller and the M2000.
- The FTP connection between the base station and the M2000 or between the base station controller and the M2000.
- The HTTP connection between the base station and the LMT or between the base station controller and the LMT.
NOTE
Unless otherwise specified, the base station controller in this document is a generic term for GSM and UMTS modes. The FTPS components of the M2000 do not support TLS1.2. Therefore, the connection between an NE and the M2000 does not support TLS1.2.
For detailed descriptions about the application scenarios, see 4 SSL Application Scenarios.
3 Technical Description
3.1 SSL Protocol Stack
The SSL protocol stack consists of two protocol layers: the record layer and the handshake layer, as shown in Figure 3-1.
Figure 3-1 SSL protocol stack
- Record layer
The record layer receives data from the application layer or transmits data to the application layer. In addition, the record layer performs security-related operations, such as compression/decompression, encryption/decryption, and message authentication code (MAC) computation.
- Handshake layer
The handshake layer consists of three protocols:
– Handshake protocol
The handshake protocol establishes a security channel between the communication parties before data transmission begins. During the handshake procedure, the communication parties authenticate each other, select encryption algorithms, and generate keys and initialization vectors.
– ChangeCipherSpec protocol
After the communication parties agree on a set of new keys, each party sends a ChangeCipherSpec message to notify the other party that subsequent messages will be protected under the newly negotiated keys.
– Alert protocol
An alert message conveys the severity of the alert. If there is a fatal alert message, the SSL connection is immediately terminated.
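The record-layer MAC computation mentioned above, as an added example that is not part of the original document: a Python sketch of the MAC input defined in RFC 5246 Section 6.2.3.1 (sequence number, content type, version, length, fragment) computed with HMAC-SHA256, showing that a modified fragment and a replayed or reordered record both fail verification. The key and the fragment are constructed sample values, the example stops before the encryption step, and nothing here models Huawei's implementation.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256

APPLICATION_DATA = 23  # record-layer ContentType for application data
TLS12 = (3, 3)         # wire version of TLS1.2


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """MAC input as defined in RFC 5246, Section 6.2.3.1:
    seq_num (8 bytes) || type (1) || version (2) || length (2) || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def protect_record(mac_key, seq_num, content_type, version, fragment):
    """Sender side: append the MAC to the plaintext fragment. In a real record
    layer this MAC-then-encrypt block is what the cipher then encrypts."""
    return fragment + record_mac(mac_key, seq_num, content_type, version, fragment)


def verify_record(mac_key, seq_num, content_type, version, protected):
    """Receiver side: recompute the MAC with the receiver's own sequence number.
    Returns the fragment, or None if the record was modified, replayed or
    reordered (any of those changes the MAC input)."""
    if len(protected) < MAC_LEN:
        return None
    fragment, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return fragment


if __name__ == "__main__":
    key = b"constructed-sample-mac-key"  # constructed; a real MAC key is derived in the handshake
    record = protect_record(key, 0, APPLICATION_DATA, TLS12, b"GET /om HTTP/1.1")
    print("intact:  ", verify_record(key, 0, APPLICATION_DATA, TLS12, record))
    flipped = bytes([record[0] ^ 0x01]) + record[1:]
    print("tampered:", verify_record(key, 0, APPLICATION_DATA, TLS12, flipped))
    print("replayed:", verify_record(key, 1, APPLICATION_DATA, TLS12, record))
```

The sequence number is never sent on the wire; each side counts records itself, which is why a record delivered twice or out of order fails the check even though its bytes are untouched.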
3.2 Procedure for Establishing an SSL Connection
The procedure for establishing an SSL connection consists of two phases: the handshake phase and the data transmission phase. Before data transmission, the client initiates an SSL handshake with the server. If the SSL handshake is successful, data is fragmented into protected records for transmission. The purposes of the SSL handshake are as follows:
1. The client and the server agree on a set of encryption algorithms, integrity check algorithms, and keys for the algorithms to secure data transmission.
2. The communication parties can choose whether to authenticate each other.
Figure 3-2 describes the general message exchange process between the client and the server during an SSL handshake.
Figure 3-2 General message exchange process between the client and the server during an SSL handshake
The general message exchange process is described as follows:
1. The client sends a ClientHello message to the server. This message contains the following information: SSL version, encryption algorithms, signature algorithms, key exchange algorithms, and MAC algorithms supported by the client.
2. Upon receiving the ClientHello message, the server responds with a ServerHello message. The ServerHello message contains the SSL version and algorithms selected by the server.
3. (Optional) If the client requests server authentication, the key exchange algorithm field in the ClientHello message sent in Step 1 instructs the server to send its certificate. The server then sends a Certificate message containing its certificate to the client.
4. (Optional) If the client does not request server authentication, the server sends a ServerKeyExchange message to the client. The key contained in this message is used to encrypt the ClientKeyExchange message sent later in Step 8. If the client requests server authentication but the Certificate message sent by the server does not contain complete key information, the server sends a ServerKeyExchange message to the client to supplement the key information.
5. (Optional) If the server requests client authentication, the server sends a CertificateRequest message to the client.
6. The server sends the client a ServerHelloDone message, notifying the client that the handshake is complete.
7. (Optional) If the client receives a CertificateRequest message from the server, the client sends a Certificate message containing its certificate to the server.
8. The client sends a ClientKeyExchange message to the server. This message contains the data for generating the keys for encryption algorithms and integrity check algorithms. The data is encrypted using the key information described in Step 4.
9. (Optional) If the client receives a CertificateRequest message from the server, the client sends a CertificateVerify message, which is signed by the private key associated with its certificate, to the server.
10. The client sends the server a ChangeCipherSpec message, notifying the server that the client will use the negotiated algorithms for subsequent communications.
11. The client sends a Finished message to the server. The message is the first message that is sent by the client and that is protected by using the negotiated algorithms. This message contains the MAC of all messages transmitted during the handshake. The MAC is used to check whether handshake messages have been tampered with during transmission.
12. The server sends the client a ChangeCipherSpec message, notifying the client that the server will use the negotiated algorithms for subsequent communications.
13. The server sends the client a Finished message. The message is the first message that is sent by the server and that is protected by using the negotiated algorithms.
After the handshake phase is complete, the client and the server begin to transmit data with SSL protection.
For details about SSL, see the following protocols:
- RFC 6101 for SSL3.0
- RFC 2246 for TLS1.0
- RFC 4346 for TLS1.1
- RFC 5246 for TLS1.2
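The ClientHello contents listed in Step 1 and the version selection in Step 2, as an added example that is not part of the original document: a Python builder and parser for a ClientHello carried in one handshake record (RFC 5246 Sections 6.2.1 and 7.4.1.2, without extensions), plus the server-side version choice from RFC 5246 Appendix E.1. The cipher-suite values and the client random are constructed sample values, the server version set mirrors the note in Section 2.3 about a peer that stops at TLS1.1, and nothing here models Huawei's implementation.

```python
import struct

# Wire version numbers (major, minor) -> protocol name for the versions listed in Section 2.1.
VERSION_NAMES = {(3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}

CONTENT_TYPE_HANDSHAKE = 22   # record-layer ContentType for the handshake protocol
HANDSHAKE_CLIENT_HELLO = 1    # HandshakeType for ClientHello


def build_client_hello(client_version, cipher_suites, client_random=bytes(32),
                       session_id=b"", record_version=(3, 1)):
    """Encode a ClientHello (no extensions) inside one handshake record."""
    body = bytes(client_version) + client_random            # client_version, random (32 bytes)
    body += bytes([len(session_id)]) + session_id           # session_id<0..32>
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites         # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                     # compression_methods: null only
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([CONTENT_TYPE_HANDSHAKE, *record_version]) + struct.pack("!H", len(handshake))
    return header + handshake


def parse_client_hello(record):
    """Decode the record header, handshake header and ClientHello fields,
    raising ValueError for anything truncated or inconsistent."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record: ContentType {content_type}")
    fragment = record[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds available bytes")
    if len(fragment) < 4 or fragment[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("fragment does not start with a ClientHello")
    body_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake length field exceeds record fragment")

    pos = 0

    def take(n):  # bounds-checked cursor over the ClientHello body
        nonlocal pos
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("ClientHello body truncated")
        pos += n
        return chunk

    client_version = tuple(take(2))
    client_random = take(32)
    session_id = take(take(1)[0])
    suites_len = struct.unpack("!H", take(2))[0]
    if suites_len % 2:
        raise ValueError("cipher_suites length is not a multiple of 2")
    raw = take(suites_len)
    cipher_suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    compression_methods = list(take(take(1)[0]))
    return {
        "record_version": VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}"),
        "client_version": client_version,
        "client_version_name": VERSION_NAMES.get(client_version, "unknown"),
        "client_random": client_random,
        "session_id": session_id,
        "cipher_suites": cipher_suites,
        "compression_methods": compression_methods,
    }


def select_version(client_version, server_versions):
    """Server side of version negotiation (RFC 5246, Appendix E.1): the highest
    version the server supports that does not exceed the client's offer, or None."""
    candidates = [v for v in server_versions if v <= client_version]
    return max(candidates) if candidates else None


if __name__ == "__main__":
    # Constructed sample: a client offering TLS1.2 and two AES cipher suites
    # (0x002F TLS_RSA_WITH_AES_128_CBC_SHA, 0x0035 TLS_RSA_WITH_AES_256_CBC_SHA).
    hello = build_client_hello((3, 3), [0x002F, 0x0035], client_random=bytes(range(32)))
    fields = parse_client_hello(hello)
    print(fields["client_version_name"], [hex(cs) for cs in fields["cipher_suites"]])
    # A server whose stack stops at TLS1.1 (as Section 2.3 notes for the M2000 FTPS
    # components) answers the TLS1.2 offer with TLS1.1.
    chosen = select_version(fields["client_version"], {(3, 0), (3, 1), (3, 2)})
    print(VERSION_NAMES[chosen])
```

Every length field is checked against the bytes actually present before it is used as a slice bound, which is the habit that matters when the same parser is later pointed at records from an untrusted peer.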
4 SSL Application Scenarios
4.1 OM Channel SSL can be used to secure the data transmitted on the OM channel between the base station and the M2000, and between the base station controller and the M2000.
4.1.1 OM Channel Between the Base Station and the M2000
Figure 4-1 shows a typical network topology in which SSL is applied to the OM channel between the base station and the M2000. In this network topology, IPsec is not used to protect the OM channel.
Figure 4-1 Network topology for SSL applied to the OM channel between the base station and the M2000
CRL: certificate revocation list
DMZ: demilitarized zone
RA: registration authority
CA: certificate authority
Before you configure SSL in this application scenario, you must set the connection type between the M2000 and the base station to SSL and set the authentication method to "authenticate the peer end" on the M2000. In addition, preconfigure the operator-issued device certificate and the operator's root certificate on the M2000.
NOTE
Before establishing an SSL connection, the base station needs to obtain the operator-issued device certificate and the operator's root certificate from the operator's public key infrastructure (PKI) system. For details about how to obtain the certificates, see PKI Feature Parameter Description.
The process of establishing an SSL connection is as follows:
Step 1 The base station and the M2000 establish a TCP connection.
Step 2 The M2000 functions as an SSL client and initiates an SSL handshake with the base station.
Step 3 The M2000 authenticates the base station using the specified authentication method during the SSL handshake. Whether the base station authenticates the M2000 depends on the configuration file of the base station. After the authentication is successful, the base station and the M2000 establish an OM channel protected by SSL.
----End
NOTE
When using plug and play (PnP) for base station deployment, the M2000 can choose whether to authenticate the base station. The base station does not authenticate the M2000 by default. When an OM channel is protected by IPsec, the process of establishing an SSL connection on the OM channel is the same as the previously mentioned process.
The SSL authentication method of the OM channel between the base station and the M2000 is determined by both the M2000 and the base station, as described in Table 4-1.
Table 4-1 SSL authentication method of the OM channel between the base station and the M2000

SSL Authentication Method: Anonymous Authentication
- Configuration on the M2000 Side: The base station and the M2000 do not authenticate each other.
- Configuration on the Base Station Side: The AUTHMODE parameter is set to NONE (Verify None).
- Deployment Requirements: None
- Application Scenario: Routine maintenance and base station deployment by PnP

SSL Authentication Method: OSS Authentication NE
- Configuration on the M2000 Side: Only the M2000 authenticates the base station.
- Configuration on the Base Station Side: The AUTHMODE parameter is set to NONE (Verify None).
- Deployment Requirements: Any of the following conditions is met:
  – The base station is preconfigured with the Huawei-issued device certificate and the Huawei root certificate. The M2000 is preconfigured with the Huawei root certificate.
  – The base station is preconfigured with the operator-issued device certificate and the operator's root certificate. The M2000 is preconfigured with the operator's root certificate.
- Application Scenario: Routine maintenance and base station deployment by PnP

SSL Authentication Method: OSS Authentication NE
- Configuration on the M2000 Side: The base station and the M2000 authenticate each other.
- Configuration on the Base Station Side: The AUTHMODE parameter is set to PEER (Verify Peer Certificate).
- Deployment Requirements: Any of the following conditions is met:
  – Both the base station and the M2000 are preconfigured with Huawei-issued device certificates and Huawei root certificates.
  – Both the base station and the M2000 are preconfigured with operator-issued device certificates and operator's root certificates.
- Application Scenario: Routine maintenance

SSL Authentication Method: NE Authentication OSS
- Configuration on the M2000 Side: Only the base station authenticates the M2000.
- Configuration on the Base Station Side: The AUTHMODE parameter is set to PEER (Verify Peer Certificate).
- Deployment Requirements: Any of the following conditions is met:
  – The base station is preconfigured with the Huawei root certificate. The M2000 is preconfigured with the Huawei-issued device certificate and the Huawei root certificate.
  – The base station is preconfigured with the operator's root certificate. The M2000 is preconfigured with the operator-issued device certificate and the operator's root certificate.
- Application Scenario: Routine maintenance
SingleRAN SSL Feature Parameter Description
4 SSL Application Scenarios
NOTE
When the PKI system is deployed in the operator's network, it is recommended that the base station and the M2000 use operator-issued device certificates to authenticate each other. When no PKI system is deployed in the operator's network, the base station and the M2000 can use only Huawei-issued device certificates to authenticate each other or they do not authenticate each other.
The configuration of SSL authentication on the base station side is as follows:
- The AUTHMODE parameter specifies the authentication method used by the SSL handshake between the base station and the M2000.
  – When AUTHMODE is set to NONE(Verify None), the base station does not authenticate the M2000.
  – When AUTHMODE is set to PEER(Verify Peer Certificate), the base station authenticates the M2000.
- To use SSL on the OM channel, set the APPTYPE parameter to SSL, and set the APPCERT parameter to specify the device certificates used for SSL authentication.
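The rules of Table 4-1 and the two AUTHMODE cases above, carried into a small pre-check. This is an added example, not code from Huawei or from this document: given which side is meant to verify the other and which certificates each side holds, it derives the AUTHMODE value, the method to select on the M2000, whether PnP deployment remains possible, and lists any certificate prerequisite from the table that is not met. The CertStore and Plan types and the issuer labels "huawei" and "operator" are this example's own assumptions.

```python
"""Pre-check of the OM-channel SSL authentication plan between a base station
and the M2000, following Table 4-1 and the NOTE of section 4.1.1.

Added example, not Huawei code. It models only what the document states:
AUTHMODE on the base station side, the method chosen on the M2000 side, the
certificates each side must hold, and whether PnP stays possible. The issuer
labels "huawei"/"operator" and the types below are this example's convention.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class CertStore:
    """Certificates preconfigured on one side (base station or M2000)."""
    device_cert_issuer: Optional[str] = None   # "huawei", "operator" or None
    root_certs: Set[str] = field(default_factory=set)

    def holds_pair(self, issuer: str) -> bool:
        # Table 4-1 lists the device certificate together with the root
        # certificate of the same issuer on the side being authenticated.
        return self.device_cert_issuer == issuer and issuer in self.root_certs


@dataclass
class Plan:
    authmode: str                  # AUTHMODE value on the base station side
    m2000_method: str              # method chosen in SSL Connection Management
    pnp_possible: bool             # Table 4-1 lists PnP only with AUTHMODE=NONE
    problems: List[str] = field(default_factory=list)
    advice: List[str] = field(default_factory=list)


def _verifiable(verifier: CertStore, peer: CertStore) -> bool:
    """The verifier needs the root certificate of the CA (Huawei or operator)
    that issued the peer's device certificate."""
    issuer = peer.device_cert_issuer
    return (issuer is not None and peer.holds_pair(issuer)
            and issuer in verifier.root_certs)


def plan_om_channel(m2000_checks_ne: bool, ne_checks_m2000: bool,
                    ne: CertStore, m2000: CertStore, pki_deployed: bool) -> Plan:
    # AUTHMODE only controls whether the base station verifies the M2000.
    authmode = "PEER" if ne_checks_m2000 else "NONE"
    if m2000_checks_ne and ne_checks_m2000:
        method = "OSS and NE authenticate each other"
    elif m2000_checks_ne:
        method = "OSS authenticates NE"
    elif ne_checks_m2000:
        method = "NE authenticates OSS"
    else:
        method = "Anonymous Authentication"
    plan = Plan(authmode, method, pnp_possible=not ne_checks_m2000)

    if m2000_checks_ne and not _verifiable(m2000, ne):
        plan.problems.append("M2000 cannot verify the base station: the base station "
                             "needs a device certificate and the M2000 the issuer's root")
    if ne_checks_m2000 and not _verifiable(ne, m2000):
        plan.problems.append("base station cannot verify the M2000: the M2000 needs a "
                             "device certificate and the base station the issuer's root")
    if (m2000_checks_ne and ne_checks_m2000
            and ne.device_cert_issuer != m2000.device_cert_issuer):
        plan.problems.append("mutual authentication in Table 4-1 uses device "
                             "certificates from the same issuer on both sides")

    issuers = {s.device_cert_issuer for s in (ne, m2000) if s.device_cert_issuer}
    if "operator" in issuers and not pki_deployed:
        # Section 7.4.1: operator-issued certificates need a PKI system.
        plan.problems.append("operator-issued certificates require a PKI system")
    if pki_deployed and issuers and issuers != {"operator"}:
        # NOTE in section 4.1.1: with a PKI system, prefer operator-issued certificates.
        plan.advice.append("a PKI system is deployed: use operator-issued certificates")
    return plan


if __name__ == "__main__":
    # Constructed sample: operator PKI in place, only the M2000 verifies the NE.
    ne = CertStore("operator", {"operator"})
    m2000 = CertStore(None, {"operator"})
    print(plan_om_channel(True, False, ne, m2000, pki_deployed=True))
```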
OM Channel of a Single-Mode Base Station (eGBTS, NodeB, or eNodeB)
Figure 4-2 shows a network topology in which SSL is applied to the OM channel between a single-mode base station and the M2000. SSL is based on the TCP protocol, whereas the OM data of the GBTS is encapsulated in UDP packets. Therefore, SSL does not apply to the GBTS.
Figure 4-2 Network topology for SSL applied to the OM channel between a single-mode base station and the M2000
The WMPT, which is the main control board of the NodeB, does not support certificate deployment. If the M2000 chooses to authenticate the NodeB, the WMPT must share the certificates of the UTRPc. For details about certificate sharing, see PKI Feature Parameter Description.
OM Channel of a Separate-MPT Multimode Base Station
When SSL is applied to the OM channels of a separate-MPT multimode base station, an SSL connection needs to be established between each mode and the M2000. If a certain mode of the base station wants to use SSL authentication and no certificates are configured on the main control board of the mode, this main control board must share certificates of another board through the backplane. Figure 4-3 uses the scenario in which different modes of a separate-MPT GSM/UMTS/LTE multimode base station share the same IPSec tunnel as an example to describe certificate sharing.
Figure 4-3 Network topology for SSL applied to the OM channels between the separate-MPT GSM/UMTS/LTE multimode base station and the M2000
As shown in Figure 4-2, the operator-issued device certificate and the operator's root certificate of multimode base station 1 are deployed on the UMPT_L. If the NodeB and the M2000 want to establish an SSL connection and the operator-issued device certificate will be used for authentication, the UMPT_U needs to share the certificates of the UMPT_L through the backplane. The operator-issued device certificate and the operator's root certificate of multimode base station 2 are deployed on the UTRPc. If two SSL connections need to be established, one between the NodeB and the M2000 and one between the eNodeB and the M2000, and the operator-issued device certificate will be used for authentication, then the UMPT_U and UMPT_L need to share the certificates of the UTRPc through the backplane.
OM Channel of a Co-MPT Multimode Base Station
When SSL is applied to the OM channel of a co-MPT multimode base station, there is only one OM channel between the base station and the M2000, as shown in Figure 4-4. In this scenario, the SSL function is implemented by the UMPT_GUL.
Figure 4-4 Network topology for SSL applied to the OM channel between the co-MPT multimode base station and the M2000
For a hybrid-MPT multimode base station, OM channels need to be established between each separate-MPT main control board and the M2000, and between the co-MPT main control board and the M2000.
4.1.2 OM Channel Between the Base Station Controller and the M2000
Whether SSL is applied to the OM channel between the base station controller and the M2000 depends on the setting of the connection type on the M2000 side. The SSL authentication method of the OM channel depends on the data configuration on both the M2000 and the base station controller sides, as described in Table 4-2.

Table 4-2 SSL authentication method of the OM channel between the base station controller and the M2000
Columns: SSL Authentication Method | Configuration on the M2000 Side | Configuration on the Base Station Controller Side | Deployment Requirement

SSL authentication method: The base station controller and the M2000 do not authenticate each other.
Configuration on the M2000 side: Anonymous Authentication
Configuration on the base station controller side: The AUTHMODE parameter is set to NONE(Verify None).
Deployment requirement: Both the base station controller and the M2000 support the same anonymous authentication algorithm.

SSL authentication method: Only the M2000 authenticates the base station controller.
Configuration on the M2000 side: OSS authenticates NE
Configuration on the base station controller side: The AUTHMODE parameter is set to NONE(Verify None).
Deployment requirement:
- The OMU board of the base station controller is preconfigured with the Huawei-issued device certificate and the Huawei root certificate.
- The M2000 is preconfigured with the Huawei root certificate.

SSL authentication method: The base station controller and the M2000 authenticate each other.
Configuration on the M2000 side: OSS and NE authenticate each other
Configuration on the base station controller side: The AUTHMODE parameter is set to PEER(Verify Peer Certificate).
Deployment requirement: Both the M2000 and the OMU board of the base station controller are preconfigured with the Huawei-issued device certificate and the Huawei root certificate.

SSL authentication method: Only the base station controller authenticates the M2000.
Configuration on the M2000 side: NE authenticates OSS
Configuration on the base station controller side: The AUTHMODE parameter is set to PEER(Verify Peer Certificate).
Deployment requirement:
- The OMU board of the base station controller is preconfigured with the Huawei root certificate.
- The M2000 is preconfigured with the Huawei-issued device certificate and the Huawei root certificate.

From SRAN7.0 onwards, the base station controller is preconfigured with the Huawei-issued device certificate and Huawei root certificate before delivery. All base station controllers are preconfigured with the same Huawei-issued device certificate and the same Huawei root certificate. If the base station controller is not preconfigured with the Huawei-issued device certificate or Huawei root certificate but the M2000 requests to authenticate the base station controller, the base station controller and the M2000 first establish a non-SSL-protected OM channel or an OM channel with SSL anonymous authentication. Then, the engineering personnel obtain the Huawei-issued device certificate and Huawei root certificate for the base station controller from the website http://support.huawei.com. Then, they configure these certificates on the base station controller by using the certificate management function on the M2000. Finally, the engineering personnel modify the SSL connection type and authentication method on both the M2000 and the base station controller sides. For details about certificates for the base station controller, see Base Station Controller Equipment and OM Security in Security Feature Parameter Description.
4.2 FTP Transmission
Both base stations and base station controllers support FTP over SSL (FTPS) and can be configured with the FTPS state firewall function. When a state firewall is configured, this function enables an FTP client to send the message, switching the transmission mode of the control connection channel to plaintext. In this way, the state firewall can identify and dynamically open the port required for FTPS transmission. Table 4-3 describes the application scenarios for FTPS.

Table 4-3 Application scenarios for FTPS
Columns: Application Scenario | Description

Application scenario: The base station functions as the FTPS client.
Description:
- The ENCRYMODE parameter specifies the transmission encryption mode of the base station.
- The SSLCERTAUTH parameter specifies whether to perform SSL authentication on the FTPS server.
- The SPTSTATEFWL parameter specifies whether an FTPS connection can be set up when a state firewall is configured.

Application scenario: The base station controller functions as the FTPS client.
Description:
- The ENCRYMODE (BSC6900,BSC6910) parameter specifies the transmission encryption mode of the base station controller.
- The SSLCERTAUTH (BSC6900,BSC6910) parameter specifies whether to perform SSL authentication on the FTPS server.
- The SPTSTATEFWL (BSC6900,BSC6910) parameter specifies whether an FTPS connection can be set up when a state firewall is configured.

Application scenario: The base station controller functions as the FTPS server.
Description: The ENCRYMODE (BSC6900,BSC6910) parameter specifies the transmission encryption mode of the base station controller.

FTPS is mainly applicable to the file transmission between the base station and the M2000, between the base station and the base station controller, and between the base station controller and the M2000.
NOTE
The certificates used for FTPS authentication are the same as those used for SSL authentication of the OM channel.
4.3 HTTP Transmission
Both the base station and the base station controller support HTTP over SSL (HTTPS). HTTPS is applicable to the communication between the base station and the LMT and between the base station controller and the LMT. The POLICY parameter specifies the login policy of the LMT for the base station and the base station controller. Table 4-4 provides the mapping between the value of the POLICY parameter and the login policy of the LMT.

Table 4-4 Mapping between the value of the POLICY parameter and the login policy of the LMT
Columns: Value of the POLICY Parameter | Input to the IE Address Bar | Displayed in the Login Page | Displayed in the LMT Operation Window | Policy Description

COMPATIBLE
- Input HTTP: login page HTTP, LMT operation window HTTP
- Input HTTPS: login page HTTPS, LMT operation window HTTPS
Policy description: Compatibility mode

HTTPS_ONLY
- Input HTTP: login page HTTPS, LMT operation window HTTPS
- Input HTTPS: login page HTTPS, LMT operation window HTTPS
Policy description: HTTPS connection is used for both the login page and the LMT operation window

LOGIN_HTTPS_ONLY
- Input HTTP: login page HTTPS, LMT operation window HTTP
- Input HTTPS: login page HTTPS, LMT operation window HTTP
Policy description: HTTPS connection is used only for the login page

NOTE
The default value of the POLICY parameter is HTTPS_ONLY, indicating that HTTPS must be used in both the login page and the LMT operation window. The certificates used for HTTPS authentication are the same as those used for SSL authentication of the OM channel. The corresponding root certificate must be preconfigured on the LMT. Otherwise, when you attempt to log in to the LMT, a dialog box is displayed, indicating that the certificate is unreliable and asking whether to continue. If you select Yes, you can log in to the LMT.
HTTPS can also apply to the Certificate Management Protocol v2 (CMPv2) message interaction between the base station and the Certificate Authority (CA) server.
5 Related Features
5.1 Features Related to SSL (eGBTS Side)
Prerequisite Features
This feature requires the GBFD-118601 Abis over IP feature. When certificates are required for SSL authentication, this feature requires the GBFD-113526 BTS Supporting PKI feature.
Mutually Exclusive Features
None
Impacted Features
None
5.2 Features Related to SSL (NodeB Side)
Prerequisite Features
When certificates are required for SSL authentication, this feature requires the WRFD-140210 NodeB PKI Support feature.
Mutually Exclusive Features
None
Impacted Features
None
5.3 Features Related to SSL (eNodeB Side)
Prerequisite Features
When certificates are required for SSL authentication, this feature requires the LOFD-003010 Public Key Infrastructure(PKI) feature.
Mutually Exclusive Features
None
Impacted Features
None
5.4 Features Related to SSL (Base Station Controller Side)
Prerequisite Features
None
Mutually Exclusive Features
None
Impacted Features
None
6 Network Impact
System Capacity
No impact.
Network Performance
When SSL is used to provide encryption and integrity protection, the network bandwidth utilization decreases slightly. For example, if the application-layer data length is 500 bytes and the encryption algorithm and integrity check algorithm are 3DES and SHA1, respectively, the network bandwidth utilization decreases by 4%. 3DES stands for Triple Data Encryption Standard and SHA1 stands for Secure Hash Algorithm 1.
7 Engineering Guidelines on the Base Station Side
7.1 When to Use SSL
When operators use the public IP network to carry wireless services, the public IP network cannot ensure transmission security. In this case, it is recommended that SSL be used to provide transmission security for the OM channel. When certificates are required for SSL authentication, the PKI feature must be activated on the base station side. For details about how to activate the PKI feature, see PKI Feature Parameter Description.
7.2 Required Information
If the operator-issued device certificate is required for SSL authentication, deploy the PKI system in the network. For the data required for deploying the PKI feature, see PKI Feature Parameter Description.
7.3 Planning
RF Planning
N/A
Network Planning
N/A
Hardware Planning
Table 7-1 describes the hardware required for deploying SSL on eGBTSs, NodeBs, and eNodeBs.
Table 7-1 Hardware required for deploying SSL on eGBTSs, NodeBs, and eNodeBs
Columns: NE | Board Configuration | Board That Provides a Port for Connecting the Base Station to the Transport Network | Port Type

eGBTS | UMPT | UMPT | Ethernet port
eGBTS | UMPT+UTRPc | UTRPc | Ethernet port
NodeB | WMPT or UMPT | WMPT or UMPT | Ethernet port
NodeB | WMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port
eNodeB | LMPT or UMPT | LMPT or UMPT | Ethernet port
eNodeB | LMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port
7.4 Deployment
7.4.1 Requirements
- If the operator-issued device certificate is used for SSL authentication, the PKI system needs to be deployed in the network and the PKI feature needs to be activated on the base station side. For details about how to deploy the PKI system, see PKI Feature Parameter Description.
- If the Huawei-issued device certificate is used for SSL authentication, the PKI feature needs to be activated on the base station side but the PKI system is not required in the network.
7.4.2 Data Preparation
The SSL configuration data is the same for the eGBTS, NodeB, and eNodeB. This section describes only the SSL configuration. For the configuration of the PKI feature, see PKI Feature Parameter Description.
SSL Connection for the OM Channel
1. (Optional) Collect the data in the CONNTYPE managed object (MO). The CONNTYPE parameter in this MO specifies the connection type supported by the base station. The CONNTYPE MO can be configured and managed only on the M2000.
Table 7-2 Connection type supported by the base station
Columns: MO | Parameter Name | Parameter ID | Setting Notes | Data Source

MO: SSL
Parameter name: Connection Type
Parameter ID: CONNTYPE
Setting notes:
- The default value of this parameter is ALL(All Type), which indicates that all connection types, including SSL connections, are supported.
- If this parameter is set to ONLY_SSL(Only SSL Connection), all application data transmitted over the TCP layer is protected by SSL. In this case, if the peer end does not support SSL, the communication parties cannot establish a connection. Therefore, exercise caution when setting this parameter.
- The recommended value of this parameter is ALL(All Type).
Data source: Network plan
2. Collect data in the SSL MO for the SSL authentication method of the OM channel. The most important parameter in this MO is described in the following table. The SSL MO can be configured and managed only on the M2000.
Table 7-3 SSL authentication method of the OM channel
Columns: MO | Parameter Name | Parameter ID | Setting Notes | Data Source

MO: SSL
Parameter name: Authentication Mode
Parameter ID: AUTHMODE
Setting notes: Set this parameter based on the network plan.
- If the SSL authentication method is bidirectional authentication, set this parameter to PEER(Verify Peer Certificate).
- If the SSL authentication method is anonymous authentication or is that only the M2000 authenticates the base station, set this parameter to NONE(Verify None). The default value of this parameter is NONE(Verify None).
Data source: Network plan
3. Collect data in the APPCERT and APPCER MOs. The parameters in these MOs specify the device certificate used for SSL authentication of the base station.
Table 7-4 Certificate configuration
Columns: MO | Parameter Name | Parameter ID | Setting Notes | Data Source

MO: APPCERT
Parameter name: Application Type
Parameter ID: APPTYPE
Setting notes: Set this parameter to SSL(SSL).
Data source: Network plan

MO: APPCERT
Parameter name: Certificate File Name
Parameter ID: APPCERT
Setting notes: Set this parameter based on the network plan. If the Huawei-issued device certificate is used for SSL authentication, set this parameter to appcert.pem. If the operator-issued device certificate is used for SSL authentication, set this parameter to the name of the certificate.
Data source: Network plan
NOTE
Before activating the SSL feature on a separate-MPT multimode base station, configure SSL data for each mode separately. Before activating the SSL feature on a co-MPT multimode base station, configure only a set of SSL data, which is shared by different modes of the base station.
Base Station Functioning as the FTPS Client
Collect data in the FTPSCLT MO. The parameters in this MO specify the FTPS connection between the M2000 and a base station functioning as the FTPS client.
Table 7-5 Base station functioning as the FTPS client
Columns: MO | Parameter Name | Parameter ID | Setting Notes | Data Source

MO: FTPCLT
Parameter name: Transport Encrypted Mode
Parameter ID: ENCRYMODE
Setting notes: The recommended value of this parameter is AUTO(AUTO).
Data source: Network plan

MO: FTPCLT
Parameter name: Support State Firewall
Parameter ID: SPTSTATEFWL
Setting notes: Set this parameter based on the network plan.
Data source: Network plan

MO: FTPCLT
Parameter name: Support SSL Certificate Authentication
Parameter ID: SSLCERTAUTH
Setting notes: If this parameter is set to YES(Yes), the root certificate used on the FTP server must be preconfigured on the base station. This root certificate is used by the base station to authenticate the device certificate of the FTP server.
Data source: Network plan
Login Policy of the LMT
Collect data in the WEBLOGINPOLICY MO for the login policy of the LMT.
Table 7-6 Login policy of the LMT
Columns: MO | Parameter Name | Parameter ID | Setting Notes | Data Source

MO: WEBLMT
Parameter name: Policy for login to LMT and transmission
Parameter ID: POLICY
Setting notes: The recommended value of this parameter is HTTPS (HTTPS Only).
Data source: Network plan
7.4.3 Precautions
None
7.4.4 Hardware Adjustment
N/A
7.4.5 Initial Configuration
This section describes how to initially configure the SSL feature by using either MML commands or the CME. If the PKI system has been deployed in the network and the operator-issued device certificate is required for SSL authentication, you need to configure the PKI feature. For details about how to configure the PKI feature, see PKI Feature Parameter Description.
Using MML Commands
- Configuring SSL for the OM channel: Run the MML command MOD APPCERT to configure the device certificate used for SSL authentication.
- Setting the security policy for the FTP client: Run the MML command SET FTPSCLT to set the security policy for the FTP client.
- Setting the login policy of the LMT: Run the MML command SET WEBLOGINPOLICY to set the login policy of the LMT.
MML Command Examples
- Configuring SSL for the OM channel
  //Configuring the device certificate used for SSL authentication
  MOD APPCERT: APPTYPE=SSL, APPCERT="appcert.pem";
- Setting the security policy for the FTP client
  //Setting the security policy for the FTP client
  SET FTPSCLT: ENCRYMODE=Auto, SPTSTATEFWL=Yes, SSLCERTAUTH=Yes;
- Setting the login policy of the LMT
  //Setting the login policy of the LMT
  SET WEBLOGINPOLICY: POLICY=HTTPS_ONLY;
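A linter for the three MML commands above, added here as an example and not Huawei tooling: it parses the "VERB MO: PARAM=VALUE, ...;" form shown in the examples, applies the recommended values from this section and section 4.2, and uses the Table 4-4 mapping of section 4.3 to flag any POLICY value that still leaves LMT traffic on plaintext HTTP. The accepted MML grammar and the weakened command set are this example's own assumptions.

```python
"""Lint base-station MML commands for SSL, FTPS and the LMT login policy
against the values this document recommends (sections 4.2, 4.3 and 7.4).

Added example, not Huawei code or tooling. It parses only the plain
"VERB MO: PARAM=VALUE, ...;" form used in the MML command examples; the
command sets at the bottom are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Table 4-4: scheme typed in the IE address bar -> (login page, LMT operation window)
LMT_POLICY = {
    "COMPATIBLE":       {"HTTP": ("HTTP", "HTTP"),   "HTTPS": ("HTTPS", "HTTPS")},
    "HTTPS_ONLY":       {"HTTP": ("HTTPS", "HTTPS"), "HTTPS": ("HTTPS", "HTTPS")},
    "LOGIN_HTTPS_ONLY": {"HTTP": ("HTTPS", "HTTP"),  "HTTPS": ("HTTPS", "HTTP")},
}

_CMD = re.compile(r"^\s*([A-Z]+)\s+([A-Z0-9]+)\s*:\s*(.*?)\s*;\s*$")
_KV = re.compile(r'([A-Za-z0-9_]+)\s*=\s*("[^"]*"|[^,\s]+)')


def parse_mml(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'MOD APPCERT: APPTYPE=SSL, APPCERT="appcert.pem";' into
    (verb, MO, {PARAMETER: value}); quotes around values are dropped."""
    m = _CMD.match(line)
    if not m:
        raise ValueError(f"not an MML command: {line!r}")
    verb, mo, body = m.groups()
    params = {k.upper(): v.strip('"') for k, v in _KV.findall(body)}
    return verb, mo, params


def lint(commands: List[str]) -> List[str]:
    """Return one finding per command whose values weaken the recommended
    settings; an empty list means nothing to report."""
    findings: List[str] = []
    for line in commands:
        _verb, mo, p = parse_mml(line)

        def val(key: str) -> str:          # case-insensitive value lookup
            return p.get(key, "").upper()

        if mo == "APPCERT":
            # Section 4.1.1: APPTYPE must be SSL for the certificate to be used
            # for SSL authentication on the OM channel.
            if val("APPTYPE") != "SSL":
                findings.append("APPCERT: APPTYPE must be SSL for the OM channel")
            elif not p.get("APPCERT"):
                findings.append("APPCERT: no certificate file name given")
        elif mo == "FTPSCLT":
            # Table 7-5: SSLCERTAUTH=Yes makes the base station verify the
            # FTPS server's device certificate; ENCRYMODE=AUTO is recommended.
            if val("SSLCERTAUTH") != "YES":
                findings.append("FTPSCLT: SSLCERTAUTH is not Yes, so the base station "
                                "will not verify the FTPS server's device certificate")
            if val("ENCRYMODE") != "AUTO":
                findings.append("FTPSCLT: ENCRYMODE differs from the recommended AUTO")
        elif mo == "WEBLOGINPOLICY":
            paths = LMT_POLICY.get(val("POLICY"))
            if paths is None:
                findings.append(f"WEBLOGINPOLICY: unknown POLICY value {p.get('POLICY')!r}")
                continue
            plain = [f"{typed.lower()}:// -> login {login}, window {window}"
                     for typed, (login, window) in paths.items()
                     if "HTTP" in (login, window)]
            if plain:
                findings.append(f"WEBLOGINPOLICY: POLICY={val('POLICY')} leaves "
                                "plaintext LMT traffic: " + "; ".join(plain))
    return findings


# Constructed samples: the document's recommended commands, then a weakened set.
RECOMMENDED = [
    'MOD APPCERT: APPTYPE=SSL, APPCERT="appcert.pem";',
    "SET FTPSCLT: ENCRYMODE=Auto, SPTSTATEFWL=Yes, SSLCERTAUTH=Yes;",
    "SET WEBLOGINPOLICY: POLICY=HTTPS_ONLY;",
]
WEAKENED = [
    'MOD APPCERT: APPTYPE=SSL, APPCERT="appcert.pem";',
    "SET FTPSCLT: ENCRYMODE=Auto, SPTSTATEFWL=Yes, SSLCERTAUTH=No;",
    "SET WEBLOGINPOLICY: POLICY=COMPATIBLE;",
]

if __name__ == "__main__":
    for name, cmds in (("recommended", RECOMMENDED), ("weakened", WEAKENED)):
        print(name, lint(cmds) or ["ok"])
```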
Using the CME to Perform Single Configuration
Set parameters on the CME configuration interface according to the MOs, parameters, and application scenarios described in section 7.4.2 Data Preparation. For instructions on how to perform the CME single configuration, see CME Single Configuration Operation Guide.
Using the CME to Perform Batch Configuration for Newly Deployed Base Stations
Enter the values of the parameters listed in Table 7-7 in a summary data file, which also contains other data for the new base stations to be deployed. Then, import the summary data file into the CME for batch configuration.
The summary data file may be a scenario-specific file provided by the CME or a customized file, depending on the following conditions:
- The MOs in Table 7-7 are contained in a scenario-specific summary data file. In this situation, set the parameters in the MOs, and then verify and save the file.
- Some MOs in Table 7-7 are not contained in a scenario-specific summary data file. In this situation, customize a summary data file to include the MOs before you can set the parameters.
Table 7-7 MOs related to the SSL feature
Columns: MO | Sheet in the Summary Data File | Parameter Group | Remarks

SSL | Common Data | Connection Type, Authentication Method | Connection Type, Authentication Method
FTPCLT | Common Data | ENCRYMODE, SPTSTATEFWL, SSLCERTAUTH | -
WEBLMT | Common Data | POLICY | -
NOTE
During base station deployment by PnP, you can also set the Connection Type and Authentication Type parameters in the PnP Parameters MO on the Auto Deployment sheet of a scenario-specific summary data file.
For detailed operations on each type of base station, see the following sections in 3900 Series Base Station Initial Configuration Guide:
- For NodeBs, see section "Creating NodeBs in Batches."
- For eNodeBs, see section "Creating eNodeBs in Batches."
- For separate-MPT multimode base stations, see section "Creating Separate-MPT Multimode Base Stations in Batches."
- For eGBTSs and co-MPT multimode base stations, see section "Creating Co-MPT Base Stations in Batches."
NOTE
eGBTS refers to a base station deployed with UMPT_G. NodeB refers to a base station deployed with WMPT or UMPT_U. eNodeB refers to a base station deployed with LMPT or UMPT_L. Co-MPT multimode base station refers to a base station deployed with UMPT_GU, UMPT_GL, UMPT_UL, or UMPT_GUL, and it functionally corresponds to any combination of eGBTS, NodeB, and eNodeB. For example, a co-MPT multimode base station deployed with UMPT_GU functionally corresponds to the combination of eGBTS and NodeB. Separate-MPT multimode base station refers to a base station on which different modes use different main control boards. For example, base stations deployed with GTMU and WMPT are called separate-MPT GSM/UMTS dual-mode base stations.
Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on existing base stations. This method reconfigures all data, except neighbor relationships, for multiple base stations in a single procedure. The procedure is as follows:
Step 1 Choose CME > Advanced > Customize Summary Data File from the main menu of an M2000 client, or choose Advanced > Customize Summary Data File from the main menu of a CME client, to customize a summary data file for batch reconfiguration.
NOTE
For context-sensitive help on a current task in the client, press F1.
Step 2 Export the NE data stored on the CME into the customized summary data file.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Export Data > eGBTS Bulk Configuration Data from the main menu of the M2000 client, or choose GSM Application > Export Data > Export eGBTS Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.
Step 3 In the summary data file, set the parameters in the MOs listed in Table 7-7 and close the file.
Step 4 Import the summary data file into the CME.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose SRAN Application > MBTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the M2000 client, or choose GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.
----End
7.4.6 Activation Observation
- SSL for the OM channel: In the SSL connection management window of the M2000 client, check whether the connection between the base station and the M2000 is normal. If the connection is normal, SSL has been successfully activated on the OM channel.
- FTPS connection between the base station and the M2000: Check whether log files are being transmitted between the base station and the M2000 based on FTPS as expected. If log file transmission is normal, an FTPS connection has been successfully established between the base station and the M2000.
- HTTPS connection between the base station and the LMT: Set the login policy of the LMT for the base station to HTTPS and log in to the base station through the LMT. If you can successfully log in to the base station, an HTTPS connection has been successfully established between the base station and the LMT.
7.4.7 Reconfiguration N/A
7.5 Configuring the OM Channel on the M2000
Use the SSL connection management function on the M2000 to change the connection type and authentication method used between the base station and the M2000. The detailed procedure is as follows:
Step 1 Log in to the M2000, choose Security > Certificate Authentication Management > SSL Connection Management (traditional style) or Security Management > NE Security > Certificate Authentication Management > SSL Connection Management (application style) to open the SSL connection management window.
Step 2 In the left pane, select the base station to configure. In the right pane, set the connection type and authentication method, as shown in Figure 7-1.
----End
Figure 7-1 Changing the SSL configuration of an existing base station
For more information about managing NE certificates and preconfiguring certificates on the M2000, see the "Procedure for Configuring Digital Certificates" section in M2000 Online Help (Security Management > Data Management > Configuring Digital Certificates). To check the status of an SSL connection between the base station and the M2000, select the base station in the SSL connection management window and then check the value of the Connection Status field. If the value of this field is Connected, an SSL connection has been successfully established.
7.6 Performance Monitoring
N/A
7.7 Parameter Optimization
N/A
7.8 Troubleshooting
After the SSL feature is activated, the base station may report the following alarm: ALM-25950 Excessive Flood Packet; the value of the Specific Problem parameter in the alarm help is SSL Renegotiation.
After the PKI feature is activated, the base station may report the following alarms:
l ALM-26840 Imminent Certificate Expiry
l ALM-26841 Certificate Invalid
l ALM-26842 Automatic Certificate Update Failed
l ALM-26832 Peer Certificate Expiry
For details about how to locate and analyze the problem, see 3900 Series Base Station Alarm Reference.
8 Engineering Guidelines on the Base Station Controller Side
8.1 When to Use SSL
When the base station controller and the M2000 are located in different networks, it is recommended that the SSL feature be activated to secure the OM channel between the base station controller and the M2000.
8.2 Required Information
None
8.3 Planning
RF Planning
N/A
Network Planning
N/A
Hardware Planning
N/A
8.4 Deployment
8.4.1 Requirements
If certificates are required to authenticate the SSL connection of the OM channel, ensure that the device certificate and root certificate have been preconfigured on the OMU board of the base station controller. For details about how to configure the certificates for the base station controller, see Configuring the Digital Certificates in Base Station Controller Equipment and OM Security Feature Parameter Description.
8.4.2 Data Preparation
SSL Connection for the OM Channel
1. (Optional) Collect the data in the CONNTYPE MO. The CONNTYPE parameter in this MO specifies the connection type supported by the base station controller. The CONNTYPE MO can be configured and managed only on the M2000.
Table 8-1 Connection type supported by the base station controller
MO | Parameter Name | Parameter ID | Setting Notes | Data Source
SSL | Connection Type | CONNTYPE | The default value of this parameter is ALL (All Type), which indicates that all connection types, including SSL connections, are supported. If this parameter is set to ONLY_SSL (Only SSL Connection), all application data transmitted over the TCP layer is protected by SSL. In this case, if the peer end does not support SSL, the communication parties cannot establish a connection. Therefore, exercise caution when setting this parameter. The recommended value of this parameter is ALL (All Type). | Network plan
2. Collect data in the SSLAUTHMODE MO for the SSL authentication method of the OM channel. The most important parameter in this MO is described in the following table.
Table 8-2 SSL authentication method of the OM channel
MO | Parameter Name | Parameter ID | Setting Notes | Data Source
SSLAUTHMODE | Authentication Mode | AUTHMODE | Set this parameter based on the network plan. If the SSL authentication method is bidirectional authentication, set this parameter to PEER (Verify Peer Certificate). If the SSL authentication method is anonymous authentication, or only the M2000 authenticates the base station controller, set this parameter to NONE (Verify None). The recommended value of this parameter is PEER (Verify Peer Certificate). | Network plan
3. Collect data in the CERTFILE MO. The parameters in this MO specify the certificates used for SSL authentication.
Table 8-3 Certificate configuration
MO | Parameter Name | Parameter ID | Setting Notes | Data Source
CERTFILE | Root Certificate File Name | ROOTCERT | - | Network plan
CERTFILE | Certificate File Name | PUBCERT | - | Network plan
CERTFILE | Private Key File Name | PRIVKEY | - | Network plan
CERTFILE | Private Key Password Enabled State | PKPENABLESTA | The recommended value of this parameter is DISABLE (Disabled) if the private key file has been configured. | Network plan
CERTFILE | Private Key Password | PWD | Set this parameter only when the PKPENABLESTA parameter is set to ENABLE (Enabled). | Network plan
CERTFILE | Certificate Revocation List File State | CRLENABLESTA | - | Network plan
CERTFILE | Certificate Revocation List File Name | CRL | Set this parameter only when the CRLENABLESTA parameter is set to ENABLE (Enable). | Network plan
CERTFILE | Certificate Chain File Enabled State | CCAENABLESTA | - | Network plan
CERTFILE | Certificate Chain File Name | CERTCHAIN | Set this parameter only when the CCAENABLESTA parameter is set to ENABLE (Enabled). | Network plan
Base Station Controller Functioning as the FTPS Client
Collect data in the FTPSCLT MO. The parameters in this MO specify the FTPS connection between the M2000 and the base station controller functioning as the FTPS client.
Table 8-4 Base station controller functioning as the FTPS client
MO | Parameter Name | Parameter ID | Setting Notes | Data Source
FTPSCLT | The Encrypted Mode | ENCRYMODE (BSC6900, BSC6910) | The recommended value of this parameter is AUTO (AUTO). | Network plan
FTPSCLT | Support State Firewall | SPTSTATEFWL (BSC6900, BSC6910) | Set this parameter based on the network plan. | Network plan
FTPSCLT | Support SSL Certificate Authentication | SSLCERTAUTH (BSC6900, BSC6910) | If this parameter is set to YES (Yes), the root certificate used on the FTP server must be preconfigured on the base station controller. This root certificate is used by the base station controller to authenticate the device certificate of the FTP server. | Network plan
Base Station Controller Functioning as the FTPS Server
Collect data in the FTPSSRV MO. The parameters in this MO specify the FTPS connection between the M2000 and the base station controller functioning as the FTPS server.
Table 8-5 Base station controller functioning as the FTPS server
MO | Parameter Name | Parameter ID | Setting Notes | Data Source
FTPSSRV | The Encrypted Mode | ENCRYMODE (BSC6900, BSC6910) | The recommended value of this parameter is AUTO (Automatic). | Network plan
FTPSSRV | The Type of FTP Server Command Port | DFTPORTSWT (BSC6900, BSC6910) | Set this parameter to the default port (port 21) or a customized port number. | Network plan
FTPSSRV | The Command Port of FTP Server | SRVCMDPORT (BSC6900, BSC6910) | Set this parameter only when the DFTPORTSWT (BSC6900, BSC6910) parameter is set to CUSTOMPORT. | Network plan
FTPSSRV | The Source Data Port of FTP Server | SRVDATAPORT (BSC6900, BSC6910) | Set this parameter only when the DFTPORTSWT (BSC6900, BSC6910) parameter is set to CUSTOMPORT. | Network plan
FTPSSRV | Passive mode data port lower limit | ACDPORTLWLT (BSC6900, BSC6910) | - | Network plan
FTPSSRV | Passive mode data port upper limit | ACDPORTUPLT (BSC6900, BSC6910) | - | Network plan
Login Policy of the LMT
Collect data in the WEBLOGINPOLICY MO for the login policy of the LMT.
Table 8-6 Setting the login policy of the LMT
MO | Parameter Name | Parameter ID | Setting Notes | Data Source
WEBLOGINPOLICY | Policy for login to LMT and transmission | POLICY (BSC6900, BSC6910) | The recommended value of this parameter is HTTPS (HTTPS Only). | Network plan
8.4.3 Precautions
None
8.4.4 Hardware Adjustment
N/A
8.4.5 Initial Configuration
This section describes how to initially configure the SSL feature on the base station controller by using MML commands.
Using MML Commands
l Configuring SSL for the OM channel
Step 1 Run the MML command SET SSLAUTHMODE to set the SSL authentication method.
Step 2 Run the MML command SET CERTFILE to configure the certificates used for SSL authentication.
----End
l Setting the security policy for the FTP client
Run the MML command SET FTPSCLT to set the security policy for the FTP client.
l Setting the security policy for the FTP server
Run the MML command SET FTPSSRV to set the security policy for the FTP server.
l Setting the login policy of the LMT
Run the MML command SET WEBLOGINPOLICY to set the login policy of the LMT.
MML Command Examples
l Configuring SSL for the OM channel
//Setting the SSL authentication method
SET SSLAUTHMODE: AUTHMODE=PEER;
//Configuring the certificates used for SSL authentication
SET CERTFILE: RootCert="_RootCA.pem", PubCert="_ClientCer.pem", PrivKey="_ClientPrivKey.pem";
l Setting the security policy for the FTP client
//Setting the security policy for the FTP client
SET FTPSCLT: ENCRYMODE=Auto, SPTSTATEFWL=Yes, SSLCERTAUTH=Yes;
l Setting the security policy for the FTP server
//Setting the security policy for the FTP server
SET FTPSSRV: ENCRYMODE=AUTO, DFTPORTSWT=DEFAULTPORT, ACDPORTLWLT=25000, ACDPORTUPLT=30000;
l Setting the login policy of the LMT
//Setting the login policy of the LMT
SET WEBLOGINPOLICY: POLICY=HTTPS;
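As an added example (this is not Huawei's tooling or code from this document), the following Python script parses MML lines of the form shown above and checks each SET FTPSSRV command against the port rules this document states: SRVCMDPORT and SRVDATAPORT apply only with DFTPORTSWT=CUSTOMPORT, ports must lie in 1024~65535 and outside the ranges chapter 9 advises against, and the passive-mode lower limit must not exceed the upper limit. The sample MML text and all function names are this example's own.

```python
import re

# Constructed sample (this example's own): the FTP server line from the
# MML examples above, plus a deliberately faulty custom-port variant.
SAMPLE_MML = """
SET FTPSSRV: ENCRYMODE=AUTO, DFTPORTSWT=DEFAULTPORT,ACDPORTLWLT=25000,ACDPORTUPLT=30000;
SET FTPSSRV: ENCRYMODE=ENCRYPTED, DFTPORTSWT=CUSTOMPORT, SRVCMDPORT=6500, ACDPORTLWLT=30000, ACDPORTUPLT=25000;
"""

# Port ranges that the chapter 9 entries for SRVCMDPORT/SRVDATAPORT advise against.
NOT_ADVISED = [(6000, 7000), (8000, 9000), (16000, 17000), (18000, 19000)]
PORT_PARAMS = ("SRVCMDPORT", "SRVDATAPORT", "ACDPORTLWLT", "ACDPORTUPLT")
MML_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s*:\s*(.*?)\s*;\s*$")


def parse_mml(line):
    """Return (command, mo, {PARAM: value}) for one 'CMD MO: K=V, ...;' line, else None."""
    m = MML_RE.match(line)
    if not m:
        return None
    cmd, mo, body = m.groups()
    params = {}
    for item in body.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key.strip().upper()] = value.strip().strip('"')
    return cmd.upper(), mo.upper(), params


def _check_port(name, value, problems):
    """Validate one port value against the 1024~65535 range and the not-advised ranges."""
    if not value.isdigit() or not 1024 <= int(value) <= 65535:
        problems.append(f"{name} must be in 1024~65535, got {value!r}")
        return None
    port = int(value)
    for lo, hi in NOT_ADVISED:
        if lo <= port <= hi:
            problems.append(f"{name}={port} lies in the not-advised range {lo}~{hi}")
    return port


def check_ftpssrv(params):
    """Return the list of problems found in one SET FTPSSRV parameter set (empty if OK)."""
    problems = []
    ports = {n: _check_port(n, params[n], problems) for n in PORT_PARAMS if n in params}
    mode = params.get("DFTPORTSWT", "DEFAULTPORT").upper()
    if mode == "CUSTOMPORT":
        # A custom command port must be given, and must match the M2000 side.
        if "SRVCMDPORT" not in params:
            problems.append("DFTPORTSWT=CUSTOMPORT but SRVCMDPORT is not set")
    elif mode == "DEFAULTPORT":
        # Table 8-5: SRVCMDPORT/SRVDATAPORT are set only for CUSTOMPORT.
        for name in ("SRVCMDPORT", "SRVDATAPORT"):
            if name in params:
                problems.append(f"{name} is only valid when DFTPORTSWT=CUSTOMPORT")
    else:
        problems.append(f"unknown DFTPORTSWT value {mode!r}")
    if params.get("ENCRYMODE", "AUTO").upper() not in ("AUTO", "PLAINTEXT", "ENCRYPTED"):
        problems.append(f"unknown ENCRYMODE value {params['ENCRYMODE']!r}")
    # Passive-mode data port window must be ordered.
    lo, hi = ports.get("ACDPORTLWLT"), ports.get("ACDPORTUPLT")
    if lo is not None and hi is not None and lo > hi:
        problems.append(f"ACDPORTLWLT={lo} exceeds ACDPORTUPLT={hi}")
    return problems


def check_script(text):
    """Check every SET FTPSSRV line in an MML script; returns {line_number: problems}."""
    report = {}
    for number, line in enumerate(text.strip().splitlines(), 1):
        parsed = parse_mml(line)
        if parsed and parsed[0] == "SET" and parsed[1] == "FTPSSRV":
            report[number] = check_ftpssrv(parsed[2])
    return report


if __name__ == "__main__":
    for number, problems in check_script(SAMPLE_MML).items():
        print(f"line {number}: {'OK' if not problems else '; '.join(problems)}")
```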
Using the CME to Perform Single Configuration
Set parameters on the CME configuration interface according to the MOs, parameters, and application scenarios described in section 8.4.2 Data Preparation. For instructions on how to perform the CME single configuration, see CME Single Configuration Operation Guide.
Using the CME to Perform Batch Configuration
Not supported.
8.4.6 Activation Observation
l SSL for the OM channel
In the SSL connection management window of the M2000 client, check whether the connection between the base station controller and the M2000 is normal. If the connection is normal, SSL has been successfully activated on the OM channel.
l Base station controller functioning as the FTPS client
Check whether log files are being transmitted between the base station controller and the M2000 as expected. If log file transmission is normal, an FTPS connection has been successfully established between the base station controller and the M2000.
l Base station controller functioning as the FTPS server
Check whether log files are properly transmitted between the base station controller and the M2000 based on FTPS. If log files are properly transmitted, an FTPS connection has been successfully established between the base station controller and the M2000.
l HTTPS connection between the base station controller and the LMT
Set the login policy of the LMT for the base station controller to HTTPS and log in to the base station controller from the LMT. If you can successfully log in to the base station controller, an HTTPS connection has been successfully established between the base station controller and the LMT.
8.4.7 Reconfiguration
N/A
8.5 Configuring the OM Channel on the M2000
On the M2000, you can change the connection type and authentication method used between the base station controller and the M2000 by using the SSL connection management function. The detailed procedure is as follows:
Step 1 Log in to the M2000, choose Security > Certificate Authentication Management > SSL Connection Management (traditional style) or Security Management > NE Security > Certificate Authentication Management > SSL Connection Management (application style) to open the SSL connection management window.
Step 2 In the left pane, select the base station controller to be configured. In the right pane, set the connection type and authentication method, as shown in Figure 8-1.
----End
Figure 8-1 Changing the SSL configuration of an existing base station controller
For more information about managing NE certificates and preconfiguring certificates on the M2000, see the "Procedure for Configuring Digital Certificates" section in M2000 Online Help (Security Management > Data Management > Configuring Digital Certificates). To check the status of an SSL connection between the base station controller and the M2000, select the base station controller in the SSL connection management window and then check the value of the Connection Status field. If the value of this field is Connected, an SSL connection has been successfully established.
8.6 Performance Monitoring
N/A
8.7 Parameter Optimization
N/A
8.8 Troubleshooting
After the SSL feature is activated, the base station controller may report the following alarm:
l ALM-20732 SSL Certificate File Abnormity
For details about how to locate and analyze the problem, see the following documents:
l BSC6900 Alarm Reference
l BSC6910 Alarm Reference
9 Parameters
Table 9-1 UMTS: Parameter description
Each entry lists the Parameter ID, NE, MML Command, Feature ID, Feature Name, and Description (Meaning, GUI Value Range, Unit, Actual Value Range, Default Value).

Parameter ID: AUTHMODE
NE: BTS3900
MML Command: SET SSLAUTHMODE, LST SSLCONF
Feature ID: MRFD-210305, GBFD-113522, LBFD-004003
Feature Name: Security Management, Encrypted Network Management, Security Socket Layer
Meaning: Indicates the authentication mode of the SSL connection. If the authentication mode is set to NONE, the NE does not verify the certificate of the M2000 or LMT during setup of an SSL connection. In this case, both parties must support the same algorithm for anonymous authentication. If authentication using the peer certificate is used, the NE must verify the certificate of the M2000 or LMT during setup of an SSL connection. If the certificate verification fails, the SSL connection cannot be set up.
GUI Value Range: NONE (Verify None), PEER (Verify Peer Certificate)
Unit: None
Actual Value Range: NONE, PEER
Default Value: NONE (Verify None)

Parameter ID: APPTYPE
NE: BTS3900
MML Command: DSP APPCERT, LST APPCERT, MOD APPCERT, TST APPCERT, LST CERTTYPE
Feature ID: LOFD-003010 / TDLOFD-003010, GBFD-113526, WRFD-140210
Feature Name: Public Key Infrastructure (PKI), BTS Supporting PKI, NodeB PKI Support
Meaning: Indicates the application type of the activated device certificate. There are two types: IKE and SSL.
GUI Value Range: IKE (IKE), SSL (SSL)
Unit: None
Actual Value Range: IKE, SSL
Default Value: None

Parameter ID: APPCERT
NE: BTS3900
MML Command: MOD APPCERT, TST APPCERT, DSP APPCERT, LST APPCERT
Feature ID: LOFD-003010 / TDLOFD-003010, GBFD-113526, WRFD-140210
Feature Name: Public Key Infrastructure (PKI), BTS Supporting PKI, NodeB PKI Support
Meaning: Indicates the file name of an activated device certificate. The file name cannot include any of the following characters: backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), double quotation marks ("), left angle brackets (<), right angle brackets (>), and bars (|).
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None

Parameter ID: ENCRYMODE
NE: BTS3900
MML Command: SET FTPSCLT, LST FTPSCLT
Feature ID: MRFD-210305, LBFD-004003
Feature Name: Security Management, Security Socket Layer
Meaning: Indicates the transmission encryption mode of the FTP client. If this parameter is set to Auto, the FTP client first attempts to transmit data in ciphertext. If the attempt fails, the FTP client automatically switches the encryption mode to retransmit data in plaintext. However, if there are faults in transmission equipment such as the SeGW, the FTP client does not attempt to retransmit data in plaintext even if the FTP server supports encrypted transmission. In this case, the FTP connection setup fails.
GUI Value Range: Auto (Auto), Plaintext (Plaintext), Encrypted (SSL Encrypted)
Unit: None
Actual Value Range: Auto, Plaintext, Encrypted
Default Value: Auto (Auto)

Parameter ID: SSLCERTAUTH
NE: BTS3900
MML Command: SET FTPSCLT, LST FTPSCLT
Feature ID: MRFD-210305, LBFD-004003
Feature Name: Security Management, Security Socket Layer
Meaning: Indicates whether the certificate authentication mode is supported when encrypted data is being transmitted.
GUI Value Range: No (No), Yes (Yes)
Unit: None
Actual Value Range: No, Yes
Default Value: No (No)

Parameter ID: SPTSTATEFWL
NE: BTS3900
MML Command: SET FTPSCLT, LST FTPSCLT
Feature ID: MRFD-210305, LBFD-004003
Feature Name: Security Management, Security Socket Layer
Meaning: Indicates whether FTP connections in encrypted mode can be established when there is a state firewall. In plaintext mode, this parameter is invalid. In encrypted mode, if this parameter is set to Yes, the FTP client sends a command to switch the transmission mode of the control connection channel to plaintext. In this way, the state firewall can identify and dynamically open the port required for FTP transmission; if this parameter is set to No, the FTP connection may fail to be set up due to port restrictions imposed by the state firewall. If security requirements are met, it is recommended that this parameter be set to Yes.
GUI Value Range: No (No), Yes (Yes)
Unit: None
Actual Value Range: No, Yes
Default Value: Yes (Yes)
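As an added illustration (this example's own code, not Huawei's), the following Python model shows why a state firewall needs a plaintext FTP control channel: it can open the data port only after reading the PASV reply or PORT command, which an encrypted control connection hides from it, so with SPTSTATEFWL=No the data connection passes only through a port window opened statically. The FtpStateFirewall class, the constructed 227 reply and the static port window are this example's assumptions.

```python
import re

# FTP control-channel forms a firewall must read to learn the data endpoint.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _endpoint(match):
    """Decode the FTP h1,h2,h3,h4,p1,p2 form into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpStateFirewall:
    """Toy state firewall (this example's own): a data connection is allowed only
    through a pinhole learned from the control channel or a static port window."""

    def __init__(self, static_range=None):
        self.static_range = static_range  # (low, high) opened by the administrator, or None
        self.pinholes = set()

    def inspect(self, control_line, encrypted):
        """Observe one control-channel line. With encrypted=True the line models
        TLS-protected bytes, which the firewall cannot parse."""
        if encrypted:
            return None
        match = PASV_RE.match(control_line) or PORT_RE.match(control_line)
        if match:
            endpoint = _endpoint(match)
            self.pinholes.add(endpoint)  # dynamically open the announced port
            return endpoint
        return None

    def allows(self, ip, port):
        """True if a data connection to (ip, port) would pass the firewall."""
        if (ip, port) in self.pinholes:
            return True
        if self.static_range and self.static_range[0] <= port <= self.static_range[1]:
            return True
        return False


def simulate(sptstatefwl, static_range=None, data_port=27000):
    """Constructed exchange: the server answers PASV with data_port; returns whether
    the state firewall lets the following data connection through."""
    firewall = FtpStateFirewall(static_range)
    p1, p2 = divmod(data_port, 256)
    reply = f"227 Entering Passive Mode (10,0,0,5,{p1},{p2})."
    # SPTSTATEFWL=Yes: the client has switched the control channel back to
    # plaintext, so the firewall can read the reply; No: it stays encrypted.
    firewall.inspect(reply, encrypted=not sptstatefwl)
    return firewall.allows("10.0.0.5", data_port)
```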

Parameter ID: ENCRYMODE
NE: BSC6900
MML Command: SET FTPSCLT
Feature ID: None
Feature Name: None
Meaning: Transport encryption mode supported when the NE serves as the FTP client. AUTO (Auto): indicates that the FTP server selects the encryption mode. PLAINTEXT (Plain Text): indicates that the plaintext mode must be used. ENCRYPTED (SSL Encrypted): indicates that the encrypted mode must be used.
GUI Value Range: AUTO (Auto), PLAINTEXT (Plain Text), ENCRYPTED (SSL Encrypted)
Unit: None
Actual Value Range: AUTO, PLAINTEXT, ENCRYPTED
Default Value: AUTO (Auto)

Parameter ID: ENCRYMODE
NE: BSC6910
MML Command: SET FTPSCLT
Feature ID: None
Feature Name: None
Meaning: Transport encryption mode supported when the NE serves as the FTP client. AUTO (Auto): indicates that the FTP server selects the encryption mode. PLAINTEXT (Plain Text): indicates that the plaintext mode must be used. ENCRYPTED (SSL Encrypted): indicates that the encrypted mode must be used.
GUI Value Range: AUTO (Auto), PLAINTEXT (Plain Text), ENCRYPTED (SSL Encrypted)
Unit: None
Actual Value Range: AUTO, PLAINTEXT, ENCRYPTED
Default Value: AUTO (Auto)

Parameter ID: SSLCERTAUTH
NE: BSC6900
MML Command: SET FTPSCLT
Feature ID: None
Feature Name: None
Meaning: Whether the FTP client supports authenticating the FTP server.
GUI Value Range: NO (No), YES (Yes)
Unit: None
Actual Value Range: YES, NO
Default Value: NO (No)

Parameter ID: SSLCERTAUTH
NE: BSC6910
MML Command: SET FTPSCLT
Feature ID: None
Feature Name: None
Meaning: Whether the FTP client supports authenticating the FTP server.
GUI Value Range: NO (No), YES (Yes)
Unit: None
Actual Value Range: YES, NO
Default Value: NO (No)

Parameter ID: SPTSTATEFWL
NE: BSC6900
MML Command: SET FTPSCLT
Feature ID: None
Feature Name: None
Meaning: Whether the FTP client supports the state firewall.
GUI Value Range: YES (Support), NO (Not Support)
Unit: None
Actual Value Range: YES, NO
Default Value: YES (Support)

Parameter ID: SPTSTATEFWL
NE: BSC6910
MML Command: SET FTPSCLT
Feature ID: None
Feature Name: None
Meaning: Whether the FTP client supports the state firewall.
GUI Value Range: YES (Support), NO (Not Support)
Unit: None
Actual Value Range: YES, NO
Default Value: YES (Support)

Parameter ID: ENCRYMODE
NE: BSC6900
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Meaning: Transport encryption mode used when the NE serves as the FTP server. If Transport Encrypted Mode is set to SSL Encrypted, the FTP client should also support SSL encryption, otherwise the FTP connection will fail. AUTO (Automatic): indicates that the FTP client selects the encryption mode. PLAINTEXT (Plain Text): indicates that the plaintext mode must be used. ENCRYPTED (SSL Encrypted): indicates that the encrypted mode must be used.
GUI Value Range: AUTO (Automatic), PLAINTEXT (Plain Text), ENCRYPTED (SSL Encrypted)
Unit: None
Actual Value Range: AUTO, PLAINTEXT, ENCRYPTED
Default Value: AUTO (Automatic)

Parameter ID: ENCRYMODE
NE: BSC6910
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Meaning: Transport encryption mode used when the NE serves as the FTP server. If Transport Encrypted Mode is set to SSL Encrypted, the FTP client should also support SSL encryption, otherwise the FTP connection will fail. AUTO (Automatic): indicates that the FTP client selects the encryption mode. PLAINTEXT (Plain Text): indicates that the plaintext mode must be used. ENCRYPTED (SSL Encrypted): indicates that the encrypted mode must be used.
GUI Value Range: AUTO (Automatic), PLAINTEXT (Plain Text), ENCRYPTED (SSL Encrypted)
Unit: None
Actual Value Range: AUTO, PLAINTEXT, ENCRYPTED
Default Value: AUTO (Automatic)

Parameter ID: POLICY
NE: BTS3900
MML Command: SET WEBLOGINPOLICY, LST WEBLOGINPOLICY
Feature ID: LBFD-004003, LBFD-004001
Feature Name: Security Socket Layer, Local Maintenance of the LMT
Meaning: Indicates the policy for logging in to the Web LMT. The value COMPATIBLE indicates that if http is entered in the address bar of an IE browser, HTTP is used for and after the login; if https is entered in the address bar of an IE browser, HTTPS is used for and after the login. The value HTTPS_ONLY indicates that HTTPS is used for and after the login no matter whether http or https is entered in the address bar of an IE browser. The value LOGIN_HTTPS_ONLY indicates that HTTPS is used for login and HTTP is used after the login no matter whether http or https is entered in the address bar of an IE browser.
GUI Value Range: COMPATIBLE (Compatible), HTTPS_ONLY (Https_only), LOGIN_HTTPS_ONLY (Login_https_only)
Unit: None
Actual Value Range: COMPATIBLE, HTTPS_ONLY, LOGIN_HTTPS_ONLY
Default Value: HTTPS_ONLY (Https_only)

Parameter ID: CONNTYPE
NE: BTS3900
MML Command: SET CONNTYPE, LST SSLCONF
Feature ID: MRFD-210305, GBFD-113522, LBFD-004003
Feature Name: Security Management, Encrypted Network Management, Security Socket Layer
Meaning: Indicates the connection type supported by the NE. Compatible connection mode indicates that the NE supports both the common connection mode and the SSL connection mode.
GUI Value Range: ALL (All Type), SSL (Only SSL Connection)
Unit: None
Actual Value Range: ALL, SSL
Default Value: ALL (All Type)

Parameter ID: DFTPORTSWT
NE: BSC6900
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Meaning: Whether the FTP server uses a default or custom port. DEFAULTPORT (Default 21 Port): indicates that the FTP server uses default port 21 as the command listening port and port 20 as the data port to provide FTP service. CUSTOMPORT (Custom Port): indicates that the FTP server uses a custom port to provide FTP service. If the parameter DFTPORTSWT is set to CUSTOMPORT, the NE must have the same port configuration as the NE management system. Otherwise, the FTP service supplied by the NE will be unavailable.
GUI Value Range: DEFAULTPORT (Default 21 Port), CUSTOMPORT (Custom Port)
Unit: None
Actual Value Range: DEFAULTPORT, CUSTOMPORT
Default Value: DEFAULTPORT (Default 21 Port)

Parameter ID: DFTPORTSWT
NE: BSC6910
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Meaning: Whether the FTP server uses a default or custom port. DEFAULTPORT (Default 21 Port): indicates that the FTP server uses default port 21 as the command listening port and port 20 as the data port to provide FTP service. CUSTOMPORT (Custom Port): indicates that the FTP server uses a custom port to provide FTP service. If the parameter DFTPORTSWT is set to CUSTOMPORT, the NE must have the same port configuration as the NE management system. Otherwise, the FTP service supplied by the NE will be unavailable.
GUI Value Range: DEFAULTPORT (Default 21 Port), CUSTOMPORT (Custom Port)
Unit: None
Actual Value Range: DEFAULTPORT, CUSTOMPORT
Default Value: DEFAULTPORT (Default 21 Port)

Parameter ID: SRVCMDPORT
NE: BSC6900
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Meaning: Number of the command listening port of the FTP server. The port cannot be occupied by other applications. For the method of querying occupied OMU ports, see section "Querying Occupied OMU Ports" in the OMU Administration Guide specific to the working mode of the OMU in question. You are not advised to use the ports 6000~7000, 8000~9000, 16000~17000, and 18000~19000.
GUI Value Range: 1024~65535
Unit: None
Actual Value Range: 1024~65535
Default Value: None
Issue 02 (2013-07-30)
Huawei Proprietary and Confidential
68
Copyright © Huawei Technologies Co., Ltd.
Parameter ID: SRVCMDPORT
NE: BSC6910
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Description:
Meaning: Number of the command listening port of the FTP server. The port cannot be occupied by other applications. For the method of querying occupied OMU ports, see section "Querying Occupied OMU Ports" in the OMU Administration Guide specific to the working mode of the OMU in question. You are not advised to use the ports 6000~7000, 8000~9000, 16000~17000, and 18000~19000.
GUI Value Range: 1024~65535
Unit: None
Actual Value Range: 1024~65535
Default Value: None
Parameter ID: SRVDATAPORT
NE: BSC6900
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Description:
Meaning: Data source port number of the FTP server in active mode. The port cannot be occupied by other applications. For the method of querying occupied OMU ports, see section "Querying Occupied OMU Ports" in the OMU Administration Guide specific to the working mode of the OMU in question. You are not advised to use the ports 6000~7000, 8000~9000, 16000~17000, and 18000~19000.
GUI Value Range: 1024~65535
Unit: None
Actual Value Range: 1024~65535
Default Value: None
Parameter ID: SRVDATAPORT
NE: BSC6910
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Description:
Meaning: Data source port number of the FTP server in active mode. The port cannot be occupied by other applications. For the method of querying occupied OMU ports, see section "Querying Occupied OMU Ports" in the OMU Administration Guide specific to the working mode of the OMU in question. You are not advised to use the ports 6000~7000, 8000~9000, 16000~17000, and 18000~19000.
GUI Value Range: 1024~65535
Unit: None
Actual Value Range: 1024~65535
Default Value: None
Parameter ID: ACDPORTLWLT
NE: BSC6900
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Description:
Meaning: Start data port number on the FTP server in passive mode. The FTP server data ports in passive mode cannot be used by other applications. For the method of querying occupied OMU ports, see section "Querying Occupied OMU Ports" in the OMU Administration Guide specific to the working mode of the OMU in question. You are not advised to use the ports 6000~7000, 8000~9000, 16000~17000, and 18000~19000.
GUI Value Range: 1024~65535
Unit: None
Actual Value Range: 1024~65535
Default Value: 25001
Parameter ID: ACDPORTLWLT
NE: BSC6910
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Description:
Meaning: Start data port number on the FTP server in passive mode. The FTP server data ports in passive mode cannot be used by other applications. For the method of querying occupied OMU ports, see section "Querying Occupied OMU Ports" in the OMU Administration Guide specific to the working mode of the OMU in question. You are not advised to use the ports 6000~7000, 8000~9000, 16000~17000, and 18000~19000.
GUI Value Range: 1024~65535
Unit: None
Actual Value Range: 1024~65535
Default Value: 25001
Parameter ID: ACDPORTUPLT
NE: BSC6900
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Description:
Meaning: End data port number on the FTP server in passive mode. The FTP server data ports in passive mode cannot be used by other applications. For the method of querying occupied OMU ports, see section "Querying Occupied OMU Ports" in the OMU Administration Guide specific to the working mode of the OMU in question. You are not advised to use the ports 6000~7000, 8000~9000, 16000~17000, and 18000~19000.
GUI Value Range: 1024~65535
Unit: None
Actual Value Range: 1024~65535
Default Value: 30000
Parameter ID: ACDPORTUPLT
NE: BSC6910
MML Command: SET FTPSSRV
Feature ID: None
Feature Name: None
Description:
Meaning: End data port number on the FTP server in passive mode. The FTP server data ports in passive mode cannot be used by other applications. For the method of querying occupied OMU ports, see section "Querying Occupied OMU Ports" in the OMU Administration Guide specific to the working mode of the OMU in question. You are not advised to use the ports 6000~7000, 8000~9000, 16000~17000, and 18000~19000.
GUI Value Range: 1024~65535
Unit: None
Actual Value Range: 1024~65535
Default Value: 30000
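The SET FTPSSRV parameters above (DFTPORTSWT, SRVCMDPORT, SRVDATAPORT, ACDPORTLWLT, ACDPORTUPLT) carry several constraints that are easy to violate when they are set by hand: the 1024~65535 value range, the port ranges the document advises against, the requirement that ports not be occupied on the OMU, and the requirement that a custom command port match the NE management system. The following pre-change check is an added example written for this page; it is not Huawei code and does not come from the document. The parameter names are the document's. The occupied-port list and the management-system port are constructed inputs (the document refers to the OMU Administration Guide for obtaining the real occupied-port list). Two checks are assumptions rather than stated rules: that the passive range should itself avoid the discouraged ranges, and that the command, data and passive-mode ports must not collide with one another.

```python
# Added example (not from the Huawei document): validates a proposed SET FTPSSRV
# port configuration against the constraints the parameter descriptions state.

VALID_PORTS = range(1024, 65536)                       # GUI/actual value range 1024~65535
DISCOURAGED = [(6000, 7000), (8000, 9000), (16000, 17000), (18000, 19000)]
DEFAULT_CMD_PORT, DEFAULT_DATA_PORT = 21, 20          # DEFAULTPORT behaviour per the document


def _discouraged(port):
    """True if port lies in one of the ranges the document advises against."""
    return any(lo <= port <= hi for lo, hi in DISCOURAGED)


def validate_ftpssrv(cfg, occupied_ports=(), nms_cmd_port=None):
    """Return a list of (severity, message) findings; an empty list means acceptable.

    cfg: dict with DFTPORTSWT, SRVCMDPORT, SRVDATAPORT, ACDPORTLWLT, ACDPORTUPLT.
    occupied_ports: ports already in use on the OMU (constructed input here).
    nms_cmd_port: command port configured on the NE management system, if known.
    """
    findings = []
    occupied = set(occupied_ports)
    mode = cfg.get("DFTPORTSWT", "DEFAULTPORT")

    if mode == "DEFAULTPORT":
        cmd_port, data_port = DEFAULT_CMD_PORT, DEFAULT_DATA_PORT
    elif mode == "CUSTOMPORT":
        cmd_port, data_port = cfg.get("SRVCMDPORT"), cfg.get("SRVDATAPORT")
        for name, port in (("SRVCMDPORT", cmd_port), ("SRVDATAPORT", data_port)):
            if port is None:
                findings.append(("error", f"{name} must be set when DFTPORTSWT=CUSTOMPORT"))
            elif port not in VALID_PORTS:
                findings.append(("error", f"{name}={port} outside 1024~65535"))
            elif _discouraged(port):
                findings.append(("warning", f"{name}={port} lies in a range the document advises against"))
        # the document: custom ports must match the NE management system or FTP is unavailable
        if nms_cmd_port is not None and cmd_port != nms_cmd_port:
            findings.append(("error", f"SRVCMDPORT={cmd_port} differs from NE management system "
                                      f"port {nms_cmd_port}; the FTP service would be unavailable"))
    else:
        findings.append(("error", f"DFTPORTSWT={mode!r} is not DEFAULTPORT or CUSTOMPORT"))
        cmd_port = data_port = None

    # passive-mode data port range (defaults 25001~30000 per the document)
    lo, hi = cfg.get("ACDPORTLWLT", 25001), cfg.get("ACDPORTUPLT", 30000)
    for name, port in (("ACDPORTLWLT", lo), ("ACDPORTUPLT", hi)):
        if port not in VALID_PORTS:
            findings.append(("error", f"{name}={port} outside 1024~65535"))
    if lo > hi:
        findings.append(("error", f"ACDPORTLWLT={lo} exceeds ACDPORTUPLT={hi}"))
    else:
        # assumption: the whole passive range should avoid the discouraged ranges
        for dlo, dhi in DISCOURAGED:
            if lo <= dhi and dlo <= hi:
                findings.append(("warning", f"passive range {lo}~{hi} overlaps discouraged range {dlo}~{dhi}"))

    # ports already used by other applications on the OMU
    for name, port in (("SRVCMDPORT", cmd_port), ("SRVDATAPORT", data_port)):
        if port in occupied:
            findings.append(("error", f"{name}={port} is already occupied on the OMU"))
    clash = sorted(p for p in occupied if lo <= p <= hi)
    if lo <= hi and clash:
        findings.append(("error", f"passive data ports {clash} are already occupied on the OMU"))

    # assumption: command, data and passive-mode ports must not collide with each other
    if cmd_port is not None and data_port is not None and cmd_port == data_port:
        findings.append(("error", "SRVCMDPORT and SRVDATAPORT must differ"))
    for name, port in (("SRVCMDPORT", cmd_port), ("SRVDATAPORT", data_port)):
        if port is not None and lo <= port <= hi:
            findings.append(("error", f"{name}={port} falls inside the passive data port range"))
    return findings


if __name__ == "__main__":
    # constructed sample: custom command port in a discouraged range, data port already in use
    sample = {"DFTPORTSWT": "CUSTOMPORT", "SRVCMDPORT": 6021, "SRVDATAPORT": 2120,
              "ACDPORTLWLT": 25001, "ACDPORTUPLT": 30000}
    for severity, msg in validate_ftpssrv(sample, occupied_ports=(2120,)):
        print(f"{severity}: {msg}")
```

Run the check before issuing SET FTPSSRV and treat any "error" finding as a reason to stop; "warning" findings correspond to the document's "not advised" ranges and are left to operator judgement.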
Parameter ID: POLICY
NE: BSC6900
MML Command: SET WEBLOGINPOLICY
Feature ID: None
Feature Name: None
Description:
Meaning: Policy for LMT login and data transmission, which includes COMPATIBLE(Both HTTP and HTTPS), HTTPS(HTTPS Only), LOGINHTTPS(HTTPS for Login Only).
GUI Value Range: COMPATIBLE(Both HTTP and HTTPS), HTTPS(HTTPS Only), LOGINHTTPS(HTTPS for Login Only)
Unit: None
Actual Value Range: COMPATIBLE, HTTPS, LOGINHTTPS
Default Value: HTTPS(HTTPS Only)
Parameter ID: POLICY
NE: BSC6910
MML Command: SET WEBLOGINPOLICY
Feature ID: None
Feature Name: None
Description:
Meaning: Policy for LMT login and data transmission, which includes COMPATIBLE(Both HTTP and HTTPS), HTTPS(HTTPS Only), LOGINHTTPS(HTTPS for Login Only).
GUI Value Range: COMPATIBLE(Both HTTP and HTTPS), HTTPS(HTTPS Only), LOGINHTTPS(HTTPS for Login Only)
Unit: None
Actual Value Range: COMPATIBLE, HTTPS, LOGINHTTPS
Default Value: HTTPS(HTTPS Only)
10 Counters
UMTS: There are no specific counters associated with this feature.
11 Glossary
For the acronyms, abbreviations, terms, and definitions, see Glossary.
12 Reference Documents
1. IETF RFC 6101
2. IETF RFC 2246
3. IETF RFC 4346
4. IETF RFC 5246
5. PKI Feature Parameter Description for SingleRAN
6. Base Station Controller Equipment and OM Security Feature Parameter Description for SingleRAN
7. 3900 Series Base Station Initial Configuration Guide
8. BSC6900 Alarm Reference
9. BSC6910 Alarm Reference