SEL-2488
Satellite-Synchronized
Network Clock
Instruction Manual
20141001
*PM2488-01*
CAUTION
In order to avoid losing system logs on a factory default reset, configure the SEL-2488 to forward Syslog messages.
CAUTION
Do not connect external voltages to the relay contact inputs. Because the contact inputs are internally wetted, permanent damage to the relay or external equipment may result from
CAUTION
To avoid losing the system records on a factory default restart, configure the SEL-2488 to send messages to the system logger (Syslog).
CAUTION
Do not connect external voltages to the contact input terminals. Because the contacts are mercury-wetted, permanent damage to the relay or external equipment may result from the connection of a
Table of Contents
Section 4: Applications
  Introduction
  Time-Code Distribution
  Cable Delay Compensation
  Network Time Protocol (NTP)
Section 5: Settings
  Introduction
  Reports
  Time Management
  Time-Code Outputs
  Network Settings
  Accounts
  Security
  System
Appendix E: Syslog
  Introduction
  Remote Syslog Servers
  Open Source Syslog Servers
  SEL-2488 Event Logs
Appendix F: X.509
  Introduction
  Public Key Cryptography
  X.509 Certificates
  Digital Signatures
  Public Key Infrastructure
  Web of Trust
  Simple Public Key Infrastructure
  Online Certificate Status Protocol (OCSP)
  Sample X.509 Certificate
Preface
Manual Overview
This instruction manual describes the functionality and use of the SEL-2488
Satellite Synchronized Network Clock. It includes information necessary to
install, configure, test, and operate this device.
An overview of the manual's layout and the topics that are addressed follows.
Section 5: Settings. Lists and describes all the SEL-2488 settings and
commands.
Examples
This instruction manual uses several example illustrations and instructions to
explain how to effectively operate the SEL-2488. These examples are for
demonstration purposes only; the firmware identification information or
settings values these examples include may not necessarily match those in
your SEL-2488.
Safety Information
This manual uses three kinds of hazard statements, defined as follows.
!
CAUTION
WARNING
DANGER
Technical Assistance
Obtain technical assistance from the following:
Schweitzer Engineering Laboratories, Inc.
2350 NE Hopkins Court
Pullman, WA 99163-5603 U.S.A.
Phone: +1.509.332.1890
Fax: +1.509.332.7990
Internet: www.selinc.com
E-mail: info@selinc.com
Section 1
Connections, Installation, and
Specifications
Introduction
This section includes the following information about the SEL-2488 Satellite-Synchronized Network Clock.
Product Overview on page 1.1
Product Features on page 1.1
Connections, Reset Button, and LED Indicators on page 1.2
Software System Requirements on page 1.9
General Safety and Care Information on page 1.9
Front- and Rear-Panel Diagrams on page 1.10
Dimension Drawing on page 1.10
Specifications on page 1.13
Product Overview
The SEL-2488 Satellite-Synchronized Network Clock receives Global
Navigation Satellite System (GNSS) time signals and distributes precise time
via multiple output protocols, including IRIG-B and Network Time Protocol
(NTP). As of August 2014, only the United States NAVSTAR Global
Positioning System (GPS) and the Russian GLONASS are global operational
GNSSs. The SEL-2488 uses one or both GNSSs based on the setting for
Satellite Signal Verification (see Table 5.2). The advanced capabilities of the
SEL-2488 make it well suited for demanding applications, such as
synchrophasors and event recording, as well as for larger substations with
multiple time-synchronization requirements.
Product Features
Accurate. Synchronize with precise time accuracy to within
Figure 1.1 shows the front panel of the SEL-2488. The front panel includes all
of the device's status, port activity, and time status indicators. There are link
status and activity indicators for each of the 4 rear Ethernet ports. The LCD
display screen will display the present time, satellite information, critical log
events, and other diagnostic information. The front (local management)
Ethernet port has link and activity indicators built into the port itself. In
addition, there are status indications for the unit as a whole, as well as for the
power supply and optional backup power supply.
Figure 1.1 Front-Panel View
Status Indicators
Figure 1.1 shows the layout of the status indicators on the front of the
SEL-2488. After the device has turned on and is in a normal operating state, a
red ALARM LED or unlit ENABLED LED indicates a non-optimal condition
needing operator attention.
Lamp Test
The LAMP TEST button illuminates front-panel LED indicators and the LCD
screen when pressed.
LED State
Ethernet
Solid Green
Link up
Blinking Green
Port activity
Solid Amber
Extinguished Green
Link down
Blinking Amber
Collision
Extinguished Amber
LCD Display
The SEL-2488 is equipped with a multi-informational LCD display that
provides various information such as time, accuracy, satellite constellations
being used, latitude/longitude/altitude, and front Ethernet port (ETH F) IP
address. This information can be accessed by pressing the up and down push
buttons next to the display.
Label
Color
Description
Satellite Lock
Green
Amber
Off
Green
Flashing Green
Red
Green
Red
Off
PTP
Off
NTP
Green
Flashing Green
Off
Time Quality
Antenna
Rear Panel
Figure 1.2 Rear-Panel View (labels: DB-9 Port (IRIG-B Output Only); Timer Output and Alarm; 4 Ethernet Ports: 10/100BASE-T, 100BASE-FX, 100BASE-LX10; Redundant, Hot-Swappable Power Supply)
Contact Output
One Form C mechanical alarm output contact and one Form A solid-state
timing contact are provided on the rear panel. The alarm contact operates for
one second to indicate a minor alarm and latches to indicate a major alarm.
Table 1.3 and Table 1.4 give the pinout and ratings of the alarm contact.
Table 1.3
Pin    Description
C3     Normally Open
C4     Common
C5     Normally Closed
Table 1.4
Max Voltage           250 Vdc
Contact Protection
Max Current           2 A
Pickup time           8 ms typical
Dropout time          8 ms typical
The timer contact is designed for testing external systems needing precise
timing to trigger the start of an event. The Form A contact can be used with
AC or DC voltages. The accuracies supplied below are only met using DC
voltages. Table 1.5 and Table 1.6 give the pinout and ratings of the timing
contact.
Table 1.5
Pin    Description
C1     Normally Open
C2     Common
Table 1.6
Max Voltage           250 Vdc
Contact Protection
Max Current           100 mA
Off Resistance        5 MΩ
Minimum Voltage       12 Vdc
Time Outputs
The SEL-2488 comes standard with 8 BNC time outputs. When configured to
use demodulated outputs the SEL-2488 can be set to transmit IRIG-B002 or
IRIG-B004 timing formats. The IRIG-B004 output of the SEL-2488 transmits
the IEEE C37.118.1-2011 standard and is backwards compatible with the
previous IRIG-B000 C37.118-2005 standard as well as B000 without
C37.118-2005 extensions. The time outputs for the SEL-2488 are all software
configurable. Table 1.7 shows additional information on the available options
for time outputs.
Table 1.7
Time Output
Time Reference
Format
Description
TO1
TO2
TO3
TO4
Local Time
UTC Time
B002
B004
B122
B124
PPS
KPPS
B002
B004
PPS
KPPS
UTC Time
TO5
TO6
TO7
TO8
COM1
Local Time
UTC Time
UTC Time
Pin
Description
A+
B+
N/C
N/C
N/C
N/C
DB-9 Port
The rear COM1 is a female DB-9 port. You can use Pin 4 and Pin 6 to transmit
demodulated IRIG-B. This port is compatible with SEL-2812 Fiber-Optic
Transceivers for sending IRIG-B timing signals. The SEL-2812 will use Pin 7
of the DB-9 port as a power source. Table 1.9 shows the pinout for the port.
Table 1.9
Antenna
Pin
Description
N/C
9 Vdc
N/A
+IRIG-B
GND
-IRIG-B
+5 Vdc
N/C
N/C
Figure 1.3 (labels: 915900378 Dual-Constellation GPS Antenna Kit (with N to TNC adapter); 91590043 Antenna Pipe Mounting Kit; SEL-C961 (LMR-400 TNC to TNC); 915900139 Surge Protector Kit (with mounting); Building or Enclosure; SEL-2488; Common-Point Earth Ground)
Pin
Description
GND
/N
+/H
Pin
Description
GND
Cleaning Instructions
Dimension Drawing
(mm)
Warranty
The SEL-2488 meets or exceeds the IEEE 1613 Class 1, IEC 61850-3, and
IEC 60255 industry standards for communications devices in electrical
substations for vibration, electrical surges, fast transients, extreme
temperatures, and electrostatic discharge.
SEL manufactures the SEL-2488 through use of the same high standards as
those for SEL protective relays and backs it with the same 10-year worldwide
warranty.
Specifications
User-Based Accounts
Receiver
Satellite Tracking:
Acquisition Times
Warm Start:
Cold Start:
256
Password Length:
172 characters
Password Set:
User Roles:
Syslog
Storage for 60,000 local Syslog messages
Demodulated IRIG-B:
Modulated IRIG-B:
1 s peak
NTP Time-Stamp
Accuracy (Typical):
Maximum Local
Accounts:
<100 s
396 MHz
Memory:
512 MB
Storage:
512 MB
Communications Ports
Ethernet Ports
Ports:
TCXO:
Data Rate:
10 or 100 Mbps
Front Connector:
RJ45 Female
Rear Connectors:
Standard:
IEEE 802.3
OCXO:
Antenna Requirements
5 V, < 80 mA
32 dB preamp
Fiber-Optic Ports
Multimode Option (to 2 km)
4 rear, 1 front
5 V, 250 mA max
6.2 Vpp nominal
5 Vdc, 5 mA
General
RX Sensitivity:
31 dBm
System Gain:
11 dB
Source:
LED
Wavelength:
1310 nm
Connector Type:
LC (IEC 61754-20)
Operating Environment
Pollution Degree:
Overvoltage Category:
II
RX Sensitivity:
28 dBm
System Gain:
13 dB
Source:
Laser
Wavelength:
1310 nm
Connector Type:
LC (IEC 61754-20)
Dimensions
1U Rack Mount
Height:
Depth:
Width:
Alarm Output
Weight
1.96 kg (4.3 lbs)
Warranty
10 Years
24–250 Vdc
Continuous Carry:
2A
Timing Output
Network Management
HTTPS Web User Interface
ACSELERATOR QuickSet Software
Settings Import/Export
Rated Operational
Voltage:
Rated Operational
Voltage:
12–250 Vdc
Continuous Carry:
100 mA
Environmental
Power Supply
Immunity:
Operating Temperature
-40 to +85°C (-40 to +185°F)
Relative Humidity
0 to 95% noncondensing
Altitude
2000 m
Surge Immunity:
IEC 60255-22-5:2008
Severity Level: 1 kV line-to-line,
2 kV line-to-earth
IEC 61000-4-5:2005
Severity Level: 1 kV line-to-line,
2 kV line-to-earth
Surge Withstand
Capability:
IEC 60255-22-1:2007
Severity Level: 2.5 kV peak common
mode, 1.0 kV peak differential mode
IEEE C37.90.1:2002
Severity Level: 2.5 kV oscillatory,
4 kV fast transient waveform
Power Consumption:
AC: < 60 VA
DC: < 45 W
Input Voltage
Interruptions:
50 ms @ 125 Vac/Vdc
100 ms @ 250 Vac/Vdc
19.2–57.6 Vdc
Power Consumption:
< 45 W
Input Voltage
Interruptions:
50 ms @ 48 Vdc
Environmental
Cold:
IEC 60068-2-1:2007
Severity Level: 16 hours at -40°C
IEC 60068-2-30:2005
Severity Level: 25 to 55°C
Relative Humidity:
95%
Dry Heat:
IEC 60068-2-2:2007
Severity Level: 16 hours at +85°C
Vibration (Front-Panel
Mount Only):
IEC 60255-21-1:1988
Severity Level: Class 2 endurance,
Class 2 response
IEC 60255-21-2:1988
Severity Level: Class 1 - Shock
withstand, bump, and Class 2 Shock response
IEC 60255-21-3:1993
Severity Level: Class 2 (quake
response)
Type Tests
Communication Product Testing
Power Frequency
Disturbances:
CFR 47 Part 15
Severity Level: Class A
Fast Transient/Burst
Immunity:
Magnetic Field
Immunity:
Safety
Dielectric Strength:
IEC 60255-5:2000
IEEE C37.90:2005
Power Supply: 3100 Vdc
Alarm Contact: 2500 Vac
IRIG-B Input: 2100 Vdc
Ethernet Ports: 1500 Vac
Timer Contact (OUT1): 3500 Vdc
Impulse:
IEC 60255-5:2000
Severity Level: 0.5 Joule, 5 kV (power
supply), 2.4 kV (Ethernet ports)
IEEE C37.90:2005
Severity Level: 0.5 Joule, 5 kV (power
supply), 2.4 kV (Ethernet ports)
IEC 60255-22-6:2001
Severity Level: 10 Vrms
IEC 61000-4-6:2006
Severity Level: 10 Vrms
IEC 60255-11:2008
IEC 61000-4-11:2004
IEC 61000-4-29:2000
Radiated Radio
IEC 60255-22-3:2007
Frequency Immunity:
Severity Level: 10 V/m
IEC 61000-4-3:2008
Severity Level: 10 V/m
IEEE C37.90.2:2004
Severity Level: 35 V/m
Power Supply
Rated Supply Voltage:
Certifications
ISO 9001:
EMC:
IEC 61000-4-10:2001
Severity Level: 100 A/m
IEC 61000-4-8:2009
Severity Level: 1000 A/m for 3
seconds, 100 A/m for 1 minute
IEC 61000-4-9:2001
Severity Level: 1000 A/m
Section 2
Getting Started
Introduction
This section includes the following information:
Connecting to the Device on page 2.1
Commissioning the Device on page 2.4
Navigating the User Interface on page 2.4
Device Dashboard on page 2.7
Physical Network
Connect the device to your computer as shown in Figure 2.1. Using a standard
RJ45 Ethernet cable, connect the Ethernet port of your computer to the front
Ethernet port (ETH F) of the device. The web management interface of an
uncommissioned SEL-2488 can only be reached through the front Ethernet
port. After commissioning, an additional IP interface can be configured. See
Network Settings on page 5.9 for information on enabling an additional IP
interface.
Figure 2.1 Commissioning Network (labels: Ethernet Cable; Ethernet (DHCP Enabled))
Connecting to the Device
The default URL for the web server via the front port is https://192.168.1.2.
However, if your computer is configured as a DHCP client, the SEL-2488
captive port feature sends the necessary network configuration information
from the SEL-2488 to place your computer in the same subnet as the
SEL-2488. This will direct any entered URL to the SEL-2488. More
information about the captive port feature can be found in Network Settings on
page 5.9. If you prefer to use a static IP address, you can set these parameters
yourself, as described in Configuring a Static IP Address in Microsoft
Windows Networking on page 2.10.
The following steps show how to set your computer's network connection for
automatic configuration. If your computer is already set up to obtain an IP
address automatically, proceed to Commissioning the Device on page 2.4.
NOTE: If your PC is already set up to
obtain an IP address automatically,
proceed to Commissioning the Device
on page 2.4.
Figure 2.2
Figure 2.3
Figure 2.4
Step 3. Select the Internet Protocol (TCP/IP) entry from the This
connection uses the following items list (this entry is usually
last in the list). Click the Properties button to show the
Internet Protocol (TCP/IP) Properties window (see
Figure 2.5).
Figure 2.5
Commissioning the Device
Figure 2.6
Step 2. Enter the account information for the first administrative user.
This requires both a username and a password. Password
characters do not display as you type, so it is necessary that you
type the password twice to confirm that it is entered correctly.
Step 3.
Navigating the User Interface
Figure 2.7
Device Dashboard
The far left frame of the device web interface is the navigation panel.
Selecting any link on this panel takes you to an associated page that includes
all settings and configurations for that part of the system. The navigation panel
is always present on the web interface. A first task in using the device might
be the creation of user accounts for personnel who will be configuring and
maintaining the device. Clicking on the Local Users link in the navigation
panel opens the Local Users page shown in Figure 2.8.
Figure 2.8
Local Users
The Local Users page shown in Figure 2.8 shows the main panel of the web
interface. This example shows the single administrative user created when the
device was configured. On this page, we can see the status of each user
account and details about each user.
The Local Users page has an Add New User button above the table. There is
also an Edit button for each user in the table. There will also be a Delete
button for each user, except for the situation in which only one administrative
user remains. The last administrative user cannot be deleted.
Clicking the Add New User button displays the Accounts form (see
Figure 2.9) in which you can change the role, description, password, or
enabled condition of a user. Clicking the Edit button displays the same form,
without the username box.
Figure 2.9
Device Dashboard
The device dashboard is the page that displays when a user logs on to the
device. The Dashboard page provides a quick overview of the state of the
device. To access the dashboard from another device web page, select the
Dashboard link on the left navigation panel.
Figure 2.10
Device Dashboard
Front-Panel Display
The front-panel display section at the top of the device dashboard contains
most data found directly on the front panel of the SEL-2488. The Dashboard
web page automatically updates every 10 seconds. The network interfaces
section at the top center of the dashboard contains icons representing each
physical Ethernet network interface on the device. Mousing over any of the
network interface port icons shows the present status information for that
port. Clicking one of these icons adds a status area to the dashboard and adds
a line to it containing the information for that interface. More information
about network interface configuration can be found in Section 5: Settings.
Figure 2.11
Network Interfaces
The network interface icons are color coded to indicate the configuration state
of that interface. Table 2.1 lists interface icon colors and their meanings.
Table 2.1
Interface Icon
Status
Satellite Status
The dashboard screen contains a satellite status bar graph and SkyView
(Figure 2.12). The satellite status shows the present GPS and GLONASS
satellite numbers, signal strength, and whether the satellite is visible or used
by the SEL-2488. The SkyView graph and satellite status display the same
information, but the SkyView indicates the physical location in the sky for
each satellite. The status is updated automatically every 10 seconds. These
graphs aid in troubleshooting problems with getting the SEL-2488 to lock. For
the SEL-2488 to lock initially, a minimum of four satellites must be tracked
at a level of 30 dB-Hz or higher.
Figure 2.12
The Time Input and Time Output status section of the dashboard represents
all available time inputs and time outputs for the device (see Figure 2.13). The
time input section includes GPS and the internal clock holdover as sources
when they are available. The time quality of each source is displayed and the
selected source will be identified in bold font. Below the time input section the
dashboard lists the current time zone offset with respect to UTC, the present
daylight-saving time (DST) status, and leap second status. This information
aids in troubleshooting if the clock does not show the correct time.
The time outputs section provides a quick reference showing the present state
of all device time outputs. Any incorrect time output settings can be changed
through use of the Time Code Outputs settings tab.
Figure 2.13
Device Information
Figure 2.14
System Statistics
Version Information
The System Statistics section (see Figure 2.15) of the dashboard provides
some basic statistics about device operations. This information can help you
quickly determine whether the device firmware is operating properly.
Figure 2.15
System Statistics
Table 2.2 explains each entry in the dashboard System Statistics section. The
CPU, RAM, and Storage statistics provide a visual indication of reserve
processing or storage capacity in the unit and should make any potential
problems related to system resource utilization readily apparent.
Table 2.2
Statistic            Meaning
CPU
RAM
Storage
Active Session(s)
System Uptime        Time the unit has been running since the last time it was rebooted or power was restored
Power Cycles         Number of times power has been cycled; increases by one every time the unit is rebooted or power is removed and restored
Total Runtime
Diagnostics
The Diagnostics section (see Figure 2.16) of the dashboard provides simple
status indications for the basic hardware systems of the SEL-2488. This
information can help you quickly determine the health of the device hardware
and whether it is operating properly.
Figure 2.16 Diagnostics
Configuring a Static IP Address in Microsoft Windows Networking
Figure 2.17
System Statistics
Figure 2.18
Figure 2.19
Step 5. Select the Internet Protocol (TCP/IP) entry from the This
connection uses the following items list (usually located last
in the list). Click the Properties button.
Figure 2.20
Figure 2.21
Section 3
Managing Users
Introduction
This section includes the following:
User-Based Accounts on page 3.1
Adding a User on page 3.2
Editing a User and Resetting a Password on page 3.2
Removing a User on page 3.3
Enabling or Disabling a User on page 3.3
Changing a User Password on page 3.4
User-Based Accounts
The SEL-2488 has user-based access control to provide for greater
authentication, authorization, and accountability. Individuals responsible for
configuring, monitoring, or maintaining the device can have their own unique
user accounts. User-based access controls are organized to answer, "Who did
what and when?" and allow flexibility for detailed auditing. This structure
also eases the burden of password management for the operators by only
requiring users to remember their own personal passwords. This eliminates
the need for each operator to remember a new password every time an
employee leaves or no longer needs access as required in a global account
structure.
Permissions of the device are organized into roles, and access is granted
through role-based access controls (RBACs). The device has four roles:
Administrator, Engineer, User Manager, and Monitor. User account privileges
are based on the group (i.e., role) in which the user is a member. A brief
overview of each role is provided below.
Users with the Administrator role have full access to the device.
Users with the Engineer role have access to most settings and
Adding a User
The device supports as many as 256 unique local user accounts. Please use the
following steps to create a new user account.
Step 1. Log on to the device with an account that is a member of either
the Administrator or the User Manager group. The account you
created during commissioning is one such account.
Step 2. Select the Local Users link from the navigation menu of the
web management interface. This link will open the User
Accounts page. From this page, a user with the Administrator
or the User Manager role can view, add, enable, disable, or
delete other users.
Step 3. Click Add New User.
Step 4. Enter the Username, Role, and Password of the new user. The
password must be entered twice to confirm that it has been
entered correctly.
Figure 3.1
Step 5. Click the Submit button. This will add the new user to the
device.
The device provides an Administrator or User Manager user with the ability to
edit account information for existing accounts. With this function, users can
reset forgotten passwords, reassign group membership, and enable or disable
an account. Please perform the following steps to reset an account's password.
Step 1. Log on to the device with an account that is a member of the
Administrator or User Manager group. The account you created
during commissioning is one such account.
Step 2. Select the Local Users link from the navigation menu of the
web management interface. This link will open the User
Accounts page. From this page, a user with the Administrator
or the User Manager role can view, add, edit, enable, disable, or
delete other users.
Step 3. Click the Edit button associated with the account that you want
to edit. This step will open the Edit User form.
Step 4. To change the user's password, enter the new password,
confirm the new password, and click the Submit button.
Removing a User
In the case where an employee leaves the company, you should remove the
employee's account to prevent security breaches. The device allows for the
easy removal of user accounts. Please follow these steps to remove an account.
Step 1. Log on to the device with an Administrator or User Manager
account. The account you created during commissioning is one
such account.
Step 2. Select the Local Users link from the navigation menu of the
web management interface. This link will open the User
Accounts page. From here, an Administrator or User Manager
can view, add, edit, enable, disable, or delete other users.
Step 3. Click the Delete button associated with the account that you
want to remove.
Step 4. Verify that the user to be deleted is the correct user.
Step 5. Once verified, click Yes. If this person is not the correct user,
click No to go back to the User Accounts page.
Enabling or Disabling a User
Changing a User Password
Centralized User Accounts with LDAP
Figure 3.2 (labels: Engineering Station, LDAP Server, SEL-3354, SEL-2488. Sequence shown: Log in as Alice; Is Alice an authorized user?; Yes; Connection Established. Log in as Bob; Is Bob an authorized user?; No; Connection Refused.)
Server Standard/Enterprise
CentOS Directory Server 8.1 on CentOS 5.55.6
NOTE: This device is not compatible
with LDAP deployments that permit
commas in usernames.
SEL cannot guarantee that the device will be compatible with all possible
LDAP server architectures and implementations. Commissioning and
configuration of an LDAP server typically requires advanced knowledge of
certificate authority hierarchies and centralized user group configurations. It is
important that an organization's LDAP server administrators be involved
during the design and implementation process to ensure that the device
settings will be compatible with your organization's specific trust
management infrastructure.
Hosts
The device needs to know the name and IP address of your LDAP server in
order to know how to contact it. Select Hosts from the navigation panel on
your web page to view and edit the Hosts settings, see Figure 3.3.
Figure 3.3
Host Settings
The Host Settings page provides a method to statically map IP addresses with
external device hostnames such as your LDAP servers. To map an IP address
to a hostname, select Add Host. The SEL-2488 supports as many as 64 hosts.
LDAP Certificates
LDAP Settings
Now that your device knows who and where your LDAP servers are, we can
configure the device to access those servers. Select Accounts / LDAP in the
navigation panel on your web page to view the LDAP configuration (see
Figure 3.4).
Figure 3.4
Figure 3.5 shows the LDAP Connection Settings form and all the options for
communicating with your LDAP servers. To simplify configuration, we have
included a form for your LDAP administrators to complete, which you can use
to populate all the LDAP fields. This form is located in Appendix D:
Lightweight Directory Access Protocol.
Figure 3.5
The LDAP Enabled setting must be checked in order to make centrally
managed accounts available to the SEL-2488 for logins. When LDAP is
enabled, if the credentials entered by the user are not found in the locally
configured accounts on the SEL-2488, it will next consult the enterprise
directory using LDAP to attempt to authenticate the user. If LDAP
authentication is successful, the directory service will supply user attributes
that indicate the privilege level of the user when logging onto this device.
The TLS Required setting determines whether the connection to the LDAP
server will be protected by a TLS session. Using TLS requires that the LDAP
server be provided with a suitable X.509 server certificate, and that the
SEL-2488 import a suitable CA or server certificate.
The Synchronization Interval setting exists to reduce the overhead
associated with pulling account information from an LDAP server. The device
locally caches the credentials and privileges of centralized users for the period
of time configured. The synchronization interval is settable from 0 to 24
hours. If the synchronization interval is set to 0, then the device will
resynchronize on every logon. The synchronization interval exists to speed up
the logon process. The SEL-2488 will continue to verify the authenticity of
users against the central directory even if their privilege information is locally
cached.
Group Membership Attribute, Search Base, User ID Filter, and Group
Filter settings are used by the SEL-2488 to construct queries to the LDAP
server to locate the user and then to verify his credentials. The exact form and
content of these items must be carefully entered from information supplied by
the LDAP administrator. Using the form in Appendix D: Lightweight
Directory Access Protocol is recommended to collect this information.
The Search Base can be thought of as the root directory to begin your
user search from. It is formed by listing all the components of the search
base separated by commas going from the most specific component to the
broadest component. In the figure above, the Search Base is configured as
"DC=centralauth,DC=local". In this search base, DC refers to domain
component. The domain components are later combined with "." to create
the search domain. In this case the search domain is centralauth.local.
This search base can be interpreted to mean "search the directory residing
on an LDAP server in the centralauth.local domain."
LDAP Servers
The Configured Servers section lists the LDAP servers that the SEL-2488
will use to authenticate logons.
To improve availability when the primary LDAP server may be inaccessible,
the device supports accessing a secondary LDAP server. To add an LDAP
server, click the plus (+) sign below the Configured Servers table. This will
add a new row to the table. Enter the hostname and port number of your
server, and click Submit (see Figure 3.6).
Figure 3.6
LDAP servers are identified by their hostname and port numbers. Use
Port 389 unless a different port number is specified by your LDAP
administrator. This information should be obtained from your LDAP
Administrators using the form found in Appendix D: Lightweight Directory
Access Protocol.
The device allows for two LDAP servers to be configured for redundancy and
increased reliability. LDAP servers are assigned a priority and will be queried
in their order of priority until the user accessing the device is found, or the list
has been exhausted.
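The LDAP values collected from the directory administrators can be checked offline before they are typed into the web interface. The following is an added example, not SEL code: the worksheet keys, function names and sample values are constructed for illustration, and the checks only encode constraints stated in this section (a Search Base built from DC components, TLS with an imported certificate, a 0 to 24 hour synchronization interval, at most two servers that each have a Hosts entry, and no commas in usernames).

```python
"""Offline pre-flight check of an LDAP worksheet for the clock (added example)."""
import ipaddress


def split_dn(dn):
    """Split a distinguished name on unescaped commas (backslash escapes kept)."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escaped pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def search_domain(search_base):
    """Join the DC components, most specific first, with '.' to get the search domain."""
    labels = []
    for rdn in split_dn(search_base):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed component {rdn!r}")
        if attr.strip().upper() == "DC":
            labels.append(value.strip())
    if not labels:
        raise ValueError("no DC components found")
    return ".".join(labels)


def check_worksheet(ws):
    """Return a list of findings; an empty list means no stated constraint is violated."""
    findings = []
    try:
        search_domain(ws["search_base"])
    except ValueError as exc:
        findings.append(f"Search Base: {exc}")
    if not ws["tls_required"]:
        findings.append("TLS Required is off: the LDAP connection is not protected by TLS")
    elif not ws["certificate_imported"]:
        findings.append("TLS Required is on but no CA or server certificate is imported")
    if not 0 <= ws["sync_interval_hours"] <= 24:
        findings.append("Synchronization Interval must be 0 to 24 hours")
    if not 1 <= len(ws["servers"]) <= 2:
        findings.append("one or two LDAP servers must be configured")
    for hostname, port in ws["servers"]:
        address = ws["hosts"].get(hostname)
        if address is None:
            findings.append(f"{hostname}: no Hosts entry maps this name to an IP address")
        else:
            try:
                ipaddress.ip_address(address)
            except ValueError:
                findings.append(f"{hostname}: Hosts entry {address!r} is not an IP address")
        if not 1 <= port <= 65535:
            findings.append(f"{hostname}: port {port} is out of range")
    for name in ws["usernames"]:
        if "," in name:
            findings.append(f"username {name!r} contains a comma")
    return findings


# Constructed worksheets; every hostname, address and username below is made up.
GOOD = {
    "search_base": "DC=centralauth,DC=local",
    "tls_required": True,
    "certificate_imported": True,
    "sync_interval_hours": 1,
    "servers": [("ldap1.centralauth.local", 389)],
    "hosts": {"ldap1.centralauth.local": "192.168.10.10"},
    "usernames": ["alice", "bob"],
}
BAD = {
    "search_base": "centralauth.local",  # domain typed in place of a DN
    "tls_required": False,
    "certificate_imported": False,
    "sync_interval_hours": 48,
    "servers": [("ldap2.centralauth.local", 389)],  # name missing from Hosts
    "hosts": {"ldap1.centralauth.local": "192.168.10.10"},
    "usernames": ["alice", "Doe, Bob"],
}

if __name__ == "__main__":
    print(search_domain("DC=centralauth,DC=local"))
    for finding in check_worksheet(BAD):
        print("finding:", finding)
```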
Group Mappings
The device has specific device roles that can be mapped to LDAP group
memberships on the Group Maps tab. The view shown in Figure 3.7 has a
single group defined for administrators.
Figure 3.7
Click the plus sign (+) at the end of the table to configure a new group
mapping in a new row of the table. On the new table row, select the device role
from the drop down list in the left column. You can enter the Mapped DN
string yourself, or you can click the list icon at the end of the Mapped DN
field. When you click the list icon, the SEL-2488 will query your LDAP
server and then show a hierarchical tree of directory groups that can be
searched using your Search Base. Scroll through the tree as necessary to find
the correct group, select it with a mouse click, and click Submit. Opening a
new row in the table is shown in Figure 3.8.
Figure 3.8
To expand the tree of groups for a row of the table, click the list icon at the
right end of the Mapped DN field in the table. Clicking the icon again will
close the tree of groups. Figure 3.9 shows the tree of possible groups that
appears after clicking the list icon.
Figure 3.9
If you cannot find an appropriate group, your server administrator may need to
create new groups and assign members appropriate for these mappings. Work
with your LDAP administrator to determine group mappings using the form
found in Appendix D: Lightweight Directory Access Protocol.
The last tab on the LDAP page is Flush LDAP User Cache. Clicking the
Flush Cache button flushes the LDAP user cache, which will cause all LDAP
users to be logged out of the device and will force authentication information
to be refreshed from the server on each account's next login.
Section 4: Applications
Introduction
This section includes the following:
Time-code Distribution
Cable Delay Compensation
Network Time Protocol (NTP)
Time-Code Distribution
The SEL-2488 has sufficient drive capacity to provide demodulated and
modulated time-code signals to many products simultaneously.
Demodulated Time Code
Table 4.1
Table 4.1 shows typical drive capabilities per demodulated BNC output for the
SEL-2488 to other SEL equipment. The demodulated BNC outputs provide a
standard IRIG-B00X DC level-shift (TTL) signal. The drive capability of each
output is 250 mA at a nominal level of 5.0 V. A series/parallel connection of
SEL-100 and SEL-200 series products consists of two relays in series, with as
many as ten of the series pairs connected in parallel.
Product | | Input Impedance (Ohms) |
SEL-100 Series | | 56/82 | 2 parallel, 20 series/parallel [a]
SEL-200 Series | AUX INPUT | 56/82 | 2 parallel, 20 series/parallel [a]
 | (DEMODULATED) IRIG-B | 333 | 10 [b]
 | IRIG-B | 750 | 10 [b]
 | (DEMODULATED) IRIG-B | 333 | 10 [b]
 | | 2.5K | 20 [c]
 | IRIG-B, BNC | >1K | 20 [d]
 | (DEMODULATED) IRIG-B | 333 | 10 [b]
SEL-651R | IRIG-B | 1.33K | 20 [c]
SEL-700 Series | IRIG-B | 4.5K or 2.5K [e] | 20 [c]
SEL-734 | IRIG-B | 2.5K | 20 [c]
 | | 333 | 10 [b]
SEL-2240 | IRIG-B | 2.5K | 20 [c]
SEL-2411 | IRIG-B | 4.5K or 2.5K [e] | 20 [c]
SEL-2414 | IRIG-B | 4.5K or 2.5K [e] | 20 [c]
SEL-2431 | IRIG-B | 750 | 10 [b]
SEL-2440 | IRIG-B | 2.5K | 20 [c]
SEL-2523, SEL-2533 | IRIG-B | 2.5K | 20 [c]
SEL-2810MT | IRIG-B | 25K | 20 [c]
SEL-2812MT | IRIG-B | 2K | 20 [c]
SEL-3031 | IRIG-B | 333 | 10 [b]
 | IRIG-B | 2.5K | 20 [c]
 | IRIG-B (In) | 332 | 10 [b]
 | IRIG-B (In) | 1.33K | 15 [b]
The maximum cable length is 152 m (500 feet). Connect multiple devices as
illustrated in Figure 4.1.
Figure 4.1 Multiple-Device Connections (SEL-2488 clock; 152 m (500 feet) maximum)
Cable Delay Compensation
Figure 4.2 (SEL-2488 to IED: 6 meters, 30 ns delay)
The time output delay compensation can be set in the same manner as for the
satellite antenna cable delay compensation. If you use a time output connected
to multiple IEDs, you must take a few things into consideration. The
SEL-2488 has eight time outputs, so it is necessary to attempt grouping IEDs
according to their locations from the SEL-2488 (Figure 4.3). Grouping the
IEDs with respect to location helps minimize time inaccuracy for each device.
Once the IEDs are grouped, measure the cable distance to the farthest device and
to the closest device connected to each time
output. For example, assume that the farthest distance to the last IED is
60 meters and that the closest device is 40 meters. The setting should then be
at 50 meters. In this scenario, the last and first device would incur an
additional 50 ns of inaccuracy. This is very small, considering that the strictest
timing requirement is 500 ns.
Figure 4.3 (SEL-2488 time outputs TO 1, TO 2, and TO 3, each connected to a group of SEL relays)
Compensating for both the antenna cable and time output cable will help
maintain a very tight timing tolerance to all devices locally and to devices
distributed across the power system.
Network Time Protocol (NTP)
Figure 4.4 Functional Diagram for Utility Substation Time Synchronization (diagram labels: SEL-2488, NTP, Ethernet Switch, IRIG-B, IED)
Section 5: Settings
Introduction
This section explains the settings and commands of the device.
Reports on page 5.1
Syslog Report
GNSS Settings
NTP Settings
Time-Code Outputs
IP Configuration
Static Routes
Syslog Settings
Hosts
Local Users
LDAP
X.509 Certificates
Global Settings
Front Panel
Date/Time
Contact I/O
Usage Policy
File Management
Device Reset
Reports
Syslog Report
The SEL-2488 uses the Syslog message format to record event data. The device
can store as many as 60,000 Syslog messages. The device can also forward
Syslog messages to three destinations.
Figure 5.1
Device system logs display in the order of their generation. Select a field label
at the top of the list to reorder the messages according to the value of that
field. For example, selecting the Severity label reorders the list by severity.
Event messages in the device have two states: unacknowledged and
acknowledged. These two states exist to make identification of abnormal event
generation easier. Large numbers of unacknowledged messages can indicate
high levels of activity on the device.
Message acknowledgment also assists with log documentation. In your
periodic examination of logs, acknowledge existing logs. When you examine
logs in the future, the previously acknowledged logs will limit the logs of
concern to only those logs the device has generated since the last examination.
Click the Acknowledge Selected button to acknowledge selected system logs.
All system logs can be acknowledged by selecting the Acknowledge All
button. You cannot remove system logs from the device without issuing a
factory-default reset.
The Download button allows you to save log messages in an offline format.
Time Management
GNSS Settings
Use the GNSS settings (Figure 5.2) to customize settings for the GNSS
receiver. Through use of these settings, you can enable or disable the receiver
and compensate for the antenna cable. The standard antenna cable used with
the SEL-2488 has a 3.9 nanosecond/meter delay. When you set the cable
length setting to the cable length used, the SEL-2488 automatically
compensates for the delay incurred because of the cable.
Table 5.1 GNSS Settings
Field Name | Values | Default | Description
 | Enable, Disable | Enable
Antenna Cable Length | 0–300 meters | 25
Satellite Signal Verification (SSV) | Enable, Disable | Disable
Failure Action
Enable Holdover Alert | Enable, Disable | Enable
Holdover Alert Pickup Delay | 0–120 minutes
GNSS Used | GPS
Once the SEL-2488 is locked and signal verification is enabled, the Failure
Action setting determines what steps to take when a spoofing event is
detected. Once the setting is enabled, the default action for the SEL-2488 is
"Notify, but continue to use GNSS as a time source." This will create a syslog
event and change the Satellite Lock LED on the front panel to amber when
satellite signals can no longer be verified. In this mode, the clock continues to
use the suspect signals for timekeeping regardless of the satellite errors. When
"Notify, and stop using GNSS as a time source" is selected, the clock goes
immediately into holdover, creates a syslog event, and does not use GNSS for
timekeeping until the time from that source can be properly verified.
Figure 5.2 GNSS Settings
Notification
The holdover alert settings enable operation of the alarm contact when the
device is unable to synchronize to any external time sources. By default, the
Enable Holdover Alert is set to Enabled and Holdover Alert Pickup Delay is
Network Time Protocol Settings (NTP)
Figure 5.3 NTP Settings
NTP Multicast
Mark the check box in Figure 5.3 to enable NTP Server Multicast. Once you
have enabled NTP server multicast, you can configure the multicast interval
and multicast address. The multicast interval sets the period of time during
which the SEL-2488 sends NTP time to the corresponding multicast address.
The multicast address must conform to "www.xxx.yyy.zzz," where www, xxx,
yyy, zzz = strings of 1–3 digits representing values of 0–255.
The multicast address must contain Class D (224.0.0.0–239.255.255.255)
range IP addresses not allocated to other Ethernet ports.
Table 5.3
Field Name | Values | Default | Description
Enable NTP Multicast | Enable, Disable | Disable
Enable NTP Broadcast | Enable, Disable | Disable
Broadcast Interval | 16–131072 seconds | 64
Multicast Interval | 16–131072 seconds | 64
Multicast Address | Class D IP addresses | 224.0.1.1
NTP Broadcast
To enable NTP server broadcast, enable the checkbox in Figure 5.3. Once you
have enabled NTP broadcast, you can set the broadcast interval. The broadcast
interval sets the period of time the SEL-2488 sends NTP time to the
corresponding broadcast address. The broadcast address will be the zero
network corresponding to the IP address of the corresponding Ethernet port.
Time-Code Outputs
The Time Code Outputs page allows setting of time outputs T01 through T08
and COM1 (see Figure 5.4). From this page, you can configure all of these
time outputs.
Figure 5.4 Time-Code Outputs
Table 5.4 lists all the settings in the time-code output settings. All time outputs
allow configuration of the ports as IRIG-B002, IRIG-B004, PPS, and KPPS.
Ports T01 through T04 can also be configured as modulated IRIG-B122 or
IRIG-B124. The first four ports, when configured as modulated time, can only
be set to one time code format and time reference.
Table 5.4
Field Name | Values | Default | Description
T01–T04 | | IRIG-B004
T05–T08 | | IRIG-B004
Time Reference | Local, UTC | UTC
 | 0–300 meters
 | IRIG-B122, IRIG-B124 | IRIG-B124
 | UTC, Local | UTC
 | Even, Odd | Odd
IRIG-B
IRIG-B is a serial data time format consisting of a 1-second frame that
contains 100 pulses divided into fields. The time-synchronized device decodes
the second, minute, hour, and day fields and sets the device internal time clock
upon detecting valid time data in the IRIG time mode. The SEL-2488 provides
both modulated and demodulated IRIG-B outputs according to the IRIG
Control
Bit #
Designation
Description
Year, BCD 1
Year, BCD 2
Year, BCD 3
Year, BCD 4
Not Used
NA
Year, BCD 10
Year, BCD 20
Year, BCD 40
Year, BCD 80
P6
10
11
12
13
14
15
16
17
18
P7
19
20
21
22
23
Table 5.5
Control
Bit #
Designation
Description
24
Parity
25
26
27
P8
Table 5.6
Binary
Hex
Value
1111
1011
1010
1001
1000
0111
0110
0101
0100
0011
0010
0001
0000
Clock is locked
Table 5.7
Binary
Hex
Value
111
110
101
100
011
010
001
000
Network Settings
IP Configuration
The IP Configuration page provides the configuration options for the Internet
Protocol (IP) settings of the device. ETH F is used for initial commissioning and
local access.
Figure 5.5 (diagram labels: Remote Network, SEL-3620, SEL-3354, Mgmt, SEL-2488, ETH F, Local Access)
Table 5.8 IP Configuration
Field Name | Values | Default | Description
Hostname [a] | 1–63 characters | SEL<SERIAL#>
Domain Name [a] | 0–253 characters | N/A
Default Gateway | | N/A
[a] The Hostname and Domain Name combined length must be less than 255 characters.
Table 5.9
Field Name | Values | Default | Description
Enabled | Enabled, Disabled | Enabled
Alias | 1–32 characters | ETH F
IP Address | Unicast IP address | 192.168.1.2/24
HTTPS | Enabled, Disabled | Enabled
Captive Port | Enabled, Disabled | Enabled
The IP address and subnet for ETH F cannot be the same as for any of the other Ethernet ports on the device or for the Management Network Interface.
Table 5.10
Field Name | Values | Default | Description
Enabled | Enabled, Disabled | Disabled
Alias | 1–32 characters
IP Address | Unicast IP address | N/A | Determines the IP address of the interface. The device uses classless interdomain routing (CIDR) notation to assign the subnet mask.
HTTPS | Enabled, Disabled | Disabled
NTP Server | Enabled, Disabled | Disabled
Static Routes
Figure 5.6 Static Routes
Figure 5.6 displays the Static Routes page with as many as 32 different routes
for configuration. The remote network is the location of a device trying to
access the SEL-2488. The gateway is the address to which the SEL-2488 must
route data if access comes from a device on the specified remote network.
Syslog Settings
Syslog is a specification that describes both the method and format in which
the device stores logs locally and routes them to a collector. The device logs
many different types of events such as system startup, login attempts, and
configuration changes. The device can send its log information to three
destinations and store as many as 60,000 event logs locally in nonvolatile
Figure 5.7 Syslog Settings
Table 5.11
Field Name | Values | Default | Description
Local Logging Threshold | Error, Warning, Notice, Informational | Notice
Setting the logging threshold too low can result in the device generating many
logs. Setting the threshold too high can result in the device failing to record
important messages.
The settings under Syslog Destinations are to configure remote Syslog
destinations. These destinations are the Syslog servers that will store the
Syslog events remotely. You can configure as many as three remote
destinations. To configure the device to send Syslog events to a remote Syslog
server, enter the Alias and IP Address of the remote Syslog server, and
specify the logging threshold of the Syslog events to be sent to the remote
Syslog server.
Table 5.12
Field Name | Values | Default | Description
Alias | 1–32 characters | N/A
IP Address | Unicast IP Address | N/A
Logging Threshold | Alert, Critical, Error, Warning, Notice, Informational | Warning
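Because local logs are erased by a factory reset, it is worth knowing which events exist only on the device under a given pair of thresholds. The following is an added example, not device code: it assumes the standard syslog priority encoding (PRI = facility * 8 + severity) and that a threshold admits its own severity and everything more severe; the collector alias and the four log lines are constructed and do not reproduce the device's real message text.

```python
"""Which events are stored locally and which reach a remote collector (added example)."""
import re

# Standard syslog severities: a lower number is more severe.
SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}
LOCAL_CHOICES = ("Error", "Warning", "Notice", "Informational")  # Table 5.11 values
REMOTE_CHOICES = ("Alert", "Critical", "Error", "Warning",
                  "Notice", "Informational")                      # Table 5.12 values
PRI = re.compile(r"^<(\d{1,3})>")


def severity_of(line):
    """Severity (0-7) taken from the leading <PRI> value of a syslog line."""
    match = PRI.match(line)
    if match is None or int(match.group(1)) > 191:
        raise ValueError(f"no valid syslog priority in {line!r}")
    return int(match.group(1)) % 8


def passes(line, threshold):
    """Assumption: a threshold admits its own severity and anything more severe."""
    return severity_of(line) <= SEVERITY[threshold]


def route(lines, local="Notice", remotes=None):
    """Return (locally stored lines, {alias: forwarded lines}) for the thresholds."""
    # Hypothetical single destination at the Table 5.12 default threshold.
    remotes = {"collector": "Warning"} if remotes is None else remotes
    if local not in LOCAL_CHOICES:
        raise ValueError(f"{local!r} is not a local logging threshold")
    if len(remotes) > 3:
        raise ValueError("at most three remote destinations can be configured")
    for alias, threshold in remotes.items():
        if threshold not in REMOTE_CHOICES:
            raise ValueError(f"{alias}: {threshold!r} is not a remote threshold")
    stored = [line for line in lines if passes(line, local)]
    forwarded = {alias: [line for line in lines if passes(line, threshold)]
                 for alias, threshold in remotes.items()}
    return stored, forwarded


def local_only(lines, local="Notice", remotes=None):
    """Lines kept on the device but sent to no destination (lost on factory reset)."""
    stored, forwarded = route(lines, local, remotes)
    sent = {line for batch in forwarded.values() for line in batch}
    return [line for line in stored if line not in sent]


# Constructed sample lines; facility, host name and message text are made up.
SAMPLE = [
    "<37>Oct  1 12:00:01 clock1 auth: login failed for user bob",        # Notice
    "<36>Oct  1 12:00:05 clock1 auth: account locked out",               # Warning
    "<86>Oct  1 12:01:00 clock1 auth: user alice logged in",             # Informational
    "<131>Oct  1 12:02:00 clock1 time: satellite signal not verified",   # Error
]

if __name__ == "__main__":
    for line in local_only(SAMPLE):
        print("stored locally only:", line)
```

With the default thresholds, a Notice-level event is stored on the device but never forwarded; lowering the destination threshold to Notice closes that gap.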
Hosts
Use the Hosts page to add hosts for configured servers when you are using
LDAP. LDAP settings require a hostname identified from an X.509 certificate.
The SEL-2488 does not resolve host names to IP address automatically from
the X.509 certificate. The Hosts page allows you to define a hostname and
resolve it to an IP address so that LDAP can connect to a centralized server.
The SEL-2488 does not provide a DNS solution. Perform the following steps
to add a host or network:
Step 1. From the Hosts page, click Add Hosts. This will cause a page
such as that in Figure 5.8 to display.
Figure 5.8
Add Hosts
Step 2. Enter the hostname you want to use for the host you will be
adding.
Step 3. Enter the host IP address.
Step 4. Enter as many as 16 entries on the Hosts page.
Step 5. Click Submit to complete.
Table 5.13
Field Name | Values | Default | Description
Hostname | 1 to 64 characters | N/A
IP Address | Host IP address (e.g., 192.168.10.10) | N/A
Accounts
Local Users
Use the Local Users page to add, remove, and update local user accounts for
the device. Refer to Section 3: Managing Users for more information
regarding local user accounts.
LDAP
Use the LDAP page to set up, configure, and connect to a centralized
authentication server. Refer to Centralized User Accounts with LDAP on
page 3.4 for more information regarding LDAP.
Security
X.509 Certificates
View
This option provides a detailed view of the installed certificate.
Rename
This option provides a form for renaming the certificate. The Certificate
Name field can contain as many as 128 characters.
Figure 5.9
Renaming Certificates
Import
This option provides a form to import a certificate generated or signed
externally to the device. You must enter the password for the private key
during import if the private key is encrypted.
For more information on X.509 certificates, see Appendix F: X.509.
System
Global Settings
Web Settings
Use web settings to modify settings related to the web management interface
of the device.
Table 5.14 Web Settings
Field Name | Values | Default | Description
Maximum Sessions | 1–20
Sessions Timeout | 1–60 minutes

Field Name | Values | Default | Description
Contact | 0–128 characters | Schweitzer Engineering Laboratories, Inc. (509) 332-1890
Location | 0–128 characters | Pullman, WA
System Date
The date format setting determines the date format the device uses when the
user enters date setting information in the web interface. The system date is
applied to the Timer Contact start date and to the Manual Date/Time
setting.
Table 5.16 Date Format
Field Name | Values | Default | Description
Date Format | Month/Day/Year, Day/Month/Year, Year/Month/Day | Month/Day/Year
Front Panel
Use the front-panel settings to configure how you want to use the front panel
of the SEL-2488.
Figure 5.10 Front Panel
Table 5.17
Field Name | Values | Default | Description
Date Display Format | None, Month/Day/Year, Day/Month/Year, Year/Month/Day, Day of Year | None
Time Display Format | 12 hour local time
Enable Timeout | Enable/Disable | Enable
Timeout | 1–30 minutes | 15
Contrast | 1–8
Date/Time
Use the Date/Time page to set the local time zone, adjust for daylight-saving
time, and manually set the clock. The local time settings page must be
properly set before the clock can send local time.
Figure 5.11
The Start of Daylight Savings Time and End of Daylight Saving Time
settings are only configurable if Daylight Savings Time Mode is set to Custom
DST. Otherwise, these settings display the automatic daylight savings start/
end dates for the selected mode. See Table 5.18 for more information on local
time settings.
Table 5.18
Field Name | Values | Default | Description
 | -13:00 to +13:00 | -08:00
 | | United States
Start Time | 00:00–24:00 | 02:00
Start Month | January–December | March
Start Week | | Second
 | Sunday–Saturday | Sunday
End Time | 00:00–24:00 | 02:00
End Month | January–December | November
End Week | | First
 | Sunday–Saturday | Sunday
Manual Date/Time
Use the Manual Date/Time page to configure the time when there is no
access to GNSS information and time display is needed for demonstration
purposes.
Figure 5.12
Field Name | Values | Default | Description
Manual Date | MM/DD/YYYY | N/A
Manual Time | HH:MM:SS | N/A
Table 5.19 shows the settings necessary to properly set manual time. Follow
these steps to enter into manual Date/Time mode:
Step 1. Disable the GNSS time source from the GNSS Settings page
on the web interface.
Step 2. Power cycle the device.
Step 3. Log in to the device and go to the Date/Time settings page
under the System settings panel.
Step 4. Click the Manual Date/Time tab.
Step 5. Enter the Manual Date and Manual Time in the format shown
next to the settings fields.
Step 6. Hit the Submit button.
After the above steps are completed, the device enters into the Manual
Date/Time mode. In this mode all time outputs generate time codes
corresponding to the manual time. The front-panel display shows the
corresponding date/time.
To exit the manual time mode, enable the GNSS Time source on the GNSS
Settings page.
Contact I/O
Alarm Contact
Use the alarm contact as a means of alerting system personnel to system and
security-related events that have occurred on the device. The alarm contact
pulses for 1 a second if you have selected any of the alarm contact output
trigger categories and an event occurs that falls within the category you
selected. Table 5.20 lists each category with an explanation of the event types
that fall within each category.
Figure 5.13
Category | Default | Description
Authentication | Enabled | Authentication-related events
Chassis | Enabled
Configuration | Disabled
Link | Disabled
System Integrity | Disabled
Time Synchronization | Disabled
The timer contact is a high-speed contact you can use to externally trigger
devices to start or measure timing of a contact closure. Figure 5.14 displays
the settings available for setting the contact.
Figure 5.14 Timer Contact
Through use of the contact, you can customize settings to configure the
contact start, time to hold contact close, and for a one time operation or
repeated operation. Table 5.21 shows the range and description of the settings.
Table 5.21
Field Name | Values | Default | Description
 | Enable, Disable | Disable
Pulse Duration: | 0.01–3600 | 0.5 seconds
 | Single Pulse
Pulse Period: | 00 (DD) 00:00:01.0 (HH:MM:SS.s)
 | Now, Scheduled | Now
Start Date: | 01/01/2000–12/31/2035 | 01/01/2000
Start Time: | 00:00:00.0–23:59:59.9 | 00:00:00.0
Usage Policy
The device presents a usage policy to all users accessing the login page. This
policy notifies users regarding what constitutes appropriate use of this device,
what actions are taken to ensure the device is not used inappropriately, and
what actions will be taken if abuse is discovered. The device comes with the
following default usage policy:
This system is for the use of authorized users only. Individuals using this
system without authority or in excess of their authority, are subject to
having all their activities on this system monitored and recorded by
system personnel. Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the evidence
of such activity to law enforcement officials.
The usage policy is configurable to as many as 4095 characters. Select the
Usage Policy link from the navigation menu to modify the usage policy.
File Management
File management provides an interface from which you can import and export
settings, as well as perform firmware upgrades. Exporting system settings is
useful for providing device configuration backups for disaster recovery, as
well as for creating a template configuration that you can use in
commissioning large numbers of devices. For example, if all devices share the
same configuration, with the exception of a few device-specific configuration
items such as hostname and IP address, you can create the configuration once
and then export it as a template. When you import the configuration file into a
new device, you only need to make a couple of changes before the device is
fully configured.
Export Settings
You can export settings either encrypted or unencrypted in XML format. The
encrypted settings export is useful for creating an encrypted copy of the device
configuration as a device backup. You can use this backup for disaster
recovery purposes in the event that the device configuration. The other option
is to export the device settings in unencrypted XML format, which allows for
offline editing.
NOTE: Settings files should be
stored in a secure location, because
they contain sensitive information.
Figure 5.15
Step 6. Click the Click to Download button. The device downloads the
settings to your local computer.
Import Settings
Figure 5.16
The Import Settings page provides an interface to import settings from either
an encrypted or unencrypted settings file. Perform the following to import a
settings file:
Step 1. Log in to the device and browse to the File Management page.
Step 2. Select the Import Settings tab at the top of the page.
Step 3. Click Choose File and browse to the location of the settings file
you want to import.
Step 4. If the file was encrypted during the export process, enter the
encryption password into the Password field. If the file was not
encrypted during the export process, leave the Password field
blank.
Firmware Upgrade
The Firmware Upgrade page provides an interface from which you can
upgrade device firmware. Refer to Appendix B: Firmware Upgrade
Instructions for more information on the firmware upgrade procedure.
Device Reset
Device Reboot
The device reboot function turns the device off and back on. The device
restarts its time acquisition process while the device reboots.
Factory Reset
The device provides the factory-reset function to restore the unit to its factory
configuration. You should only use this feature when you decommission the
device. The factory-reset function erases the device log files and returns
device settings back to the factory-default values. After a factory reset, you
must recommission the device. Refer to Section 2: Getting Started for details
on commissioning the device.
Section 6: Testing and Troubleshooting
Introduction
This section provides the following guidelines for testing and troubleshooting
the device.
Testing Philosophy on page 6.1
LED/LCD Indicators on page 6.2
Device Dashboard on page 6.5
Troubleshooting on page 6.5
Factory Assistance on page 6.7
Testing Philosophy
Device testing can be divided into three categories: acceptance,
commissioning, and maintenance. The categories are differentiated by when
they take place in the life cycle of the product and by test complexity. The
following paragraphs describe when you should perform each type of test, the
goals of testing at that time, and the functions that you need to test at each
point.
This information is intended as a guideline for testing a device.
Acceptance Testing
specifications.
Ensure that the device meets the requirements of the intended
application.
Improve your familiarity with device capabilities.
What to Test
Acceptance test all settings parameters critical to your intended application.
SEL performs detailed acceptance testing on all SEL-2488 models and
versions. It is important for you to perform acceptance testing on the
SEL-2488 if you are unfamiliar with device operating theory or settings. Such
testing helps you ensure that device settings are correct for your application.
Commissioning Testing
your expectations.
What to Test
Perform commissioning testing on all connected time outputs, Ethernet ports,
fiber ports, and alarm contacts.
SEL performs a complete functional check of each device before shipment.
Device commissioning tests should verify that the power supply, Ethernet
cables, fiber cables, and alarm contacts are connected properly.
Maintenance Testing
LED/LCD Indicators
The SEL-2488 has extensive self-test capabilities. You can use the indicator
lights located on the front or rear panels to determine the status of your device.
These indicators are provided to show whether the device is enabled, whether
an alarm condition exists, whether the power supplies are healthy, and to show
the speed and link state for each of the communications interfaces. Figure 6.1
shows the locations of the LED indicators.
Figure 6.1
Table 6.1 describes the system status indicators. On the front panel, these are
located next to the LAMP TEST button.
Table 6.1
Indicator
Green Condition
Red Condition
ENABLED
Normal operation
ALARM
N/A
PWR A
PWR B
The communications interface indicators in Table 6.2 display the status of the
four rear Ethernet interfaces. Ethernet Ports 1–4 are 100 Mbps ports. The
amber 100 Mbps speed indicator is lit when these ports are operating at 100
Mbps, and unlit when operating at a reduced speed. For all of these ports (1–4)
the same two indicators are provided at the port connector on the rear panel.
Table 6.2
Indicator
Unlit Condition
Lit Condition
100 Mbps
LNK/ACT
Port is unconnected.
The time interface indicators in Figure 6.2 display the present status of GNSS
satellites, antenna status, and time output status.
Figure 6.2
The Satellite Lock, Time Quality, and ANT LED indicators work together to
provide you information about the status of time synchronization and when
the clock is locked on to a time source and transmitting. The NTP LED
informs the user if the NTP has been set up on a port and if it is
communicating with at least one NTP client. The PTP LED is for future use
when IEEE 1588 PTP is available as another time synchronization source.
Table 6.3 lists the time indicator LEDs and their descriptions.
Table 6.3
Indicator
LED Condition
Description
Satellite Lock
Green
Amber
Off
Green
Flashing Green
Red
Time Quality
Antenna
Green
Red
Off
PTP
Off
NTP
Green
Flashing Green
Off
LCD Screen
The front-panel LCD screen displays the time, status information on the
satellites, time source and accuracy, firmware information, and location. The
LCD screen is a read-only interface; use the up/down arrows to scroll through
the screens.
Figure 6.3
The default display is the time display. Figure 6.3 shows an example of this
display. The time display by default shows the local time in 12-hour format.
Corresponding settings to change the date/time format on the front-panel
display are located in the System tab under the Front Panel settings.
In addition to time, the front-panel display includes information on the present
time source for time synchronization and the present accuracy of the source.
The sources available are GPS, Holdover, and None. Upon power-up the
SEL-2488 will display NONE as the time source at the upper left hand corner of
the display. After the device achieves satellite lock, it will display GPS. In the
event of losing satellite lock, the device will display HOLDOVER. The front-panel
display also shows the accuracy of the source, when tracking GPS or in
holdover, in the top right hand corner.
Figure 6.4
If you press the down arrow, the device displays the firmware version (see
Figure 6.4). This screen provides easy access to information identifying the
present firmware the clock is using.
Figure 6.5 Front-Panel Location
The next screen in sequence displays location information (see Figure 6.5).
When locked to the GPS satellites, the SEL-2488 displays the present GPS
location of the device.
Figure 6.6
Figure 6.6 shows the subsequent screen, which displays information about the
present configuration of the front Ethernet port. By default, the front Ethernet
port is set to DHCP. This is so that you can plug your computer into the port
and have your computer route to the correct web interface. If you change this
screen to display a static IP address, then this screen is useful when you
connect to the configuration page.
Figure 6.7
Figure 6.7 displays the present status of all satellite constellations being
tracked by the SEL-2488. The SEL-2488 is capable of tracking GPS and
GLONASS satellite constellations simultaneously. The front-panel display
screen shown in Figure 6.7 shows, in real time and for both constellations,
the number of visible satellites and the number the SEL-2488 is using. This
information is useful during the commissioning of the device and setting up
the antenna connections to the unit. The number of visible satellites is always
greater than or equal to the number of satellites used by the SEL-2488.
Device Dashboard
See Device Dashboard on page 2.7 for more information on the use of this
feature.
Troubleshooting
Inspection Procedure
Complete the following procedure before disturbing the device. After you
finish your inspection, refer to Table 6.4.
Step 1. If the web interface is accessible, record the part number, serial
number, and firmware version from the Device Information
table in the device dashboard.
Step 2. Record a description of any problem you encountered.
Troubleshooting Procedure
Problem
Possible Causes
Solution
Verify that input power is present and that the power supply
assembly is fully inserted.
View the dashboard screen or the front panel. The clock must
track four or more satellites to obtain first lock. Reposition the
antenna so that it has a better view of the sky. If the clock
shows no visible satellites, then there may be an issue with the
antenna or cable.
If the Satellite Lock LED is green, then the clock must wait for
almanac data and ephemeris data before it can transmit time, which can take as
long as 12.5 minutes. When the Time Quality LED turns solid
green, then time should function. If the Satellite Lock LED is
not green, then review the previous procedural steps.
Verify the physical and logical connection between the management computer and the SEL-2488.
Configure the IP address of the management computer to the
same network as the SEL-2488, or use DHCP as described in
Section 1: Connections, Installation, and Specifications and set
the computer network interface to autoconfigure the network.
Navigate to the Syslog Settings page and ensure that the proper
Syslog IP address and Logging Threshold settings are entered
there.
Check that Caps Lock is not active on the computer logging in.
If necessary, reset the user's account from the Local Users page.
No Syslog messages
If you forget the IP address for which your SEL-2488 is configured, but do not
want to perform a full factory reset, the captive port feature provides you
access to the web management interface.
To activate the captive port feature on ETH F, insert a tool such as a straightened
paper clip into the pinhole reset located between the alarm contact and the
BNC connectors on the rear panel and press the recessed reset button for 5
seconds. This enables the front Ethernet port and turns on the captive port
feature.
The captive port feature provides special DHCP and DNS servers to the
computer connected to ETH F. The DHCP server assigns the computer an IP
address adjacent to the IP address of your SEL-2488, so the computer will be
on the same subnet and capable of communicating with it. This also sets the
DNS server for the computer to the IP address of your SEL-2488. Once this
occurs, any DNS requests from the computer resolve to the SEL-2488, so that
browsing to any host, such as www.selinc.com, results in opening the web
management interface of your SEL-2488.
Use of the captive port feature to gain access to your SEL-2488 reestablishes
network communication with it, but you must still know the credentials for an
administrative account. If you have lost all administrative account credentials,
you must perform a full factory-default reset.
Turn off power to your SEL-2488, insert a tool such as a straightened paper
clip into the pinhole reset located between the alarm contact and the BNC
connectors on the rear panel, and press the recessed reset button. Keeping the
button depressed, apply power. After two seconds, release the recessed reset
button.
Wait for the green ENABLED LED on the front panel to illuminate, indicating
that your SEL-2488 has reset to factory-default settings and is ready. ETH F
will be enabled, the captive port feature will be on, and the IP address for the
unit will be 192.168.1.2. You can access the Commissioning page by entering
a hostname, such as www.selinc.com, or you can browse directly to the IP
address for the unit at https://192.168.1.2.
Factory Assistance
We appreciate your interest in SEL products and services. If you have
questions or comments, please contact us at:
Schweitzer Engineering Laboratories, Inc.
2350 NE Hopkins Court
Pullman, WA 99163-5603 U.S.A.
Tel: +1.509.332.1890
Fax: +1.509.332.7990
Internet: www.selinc.com
Email: info@selinc.com
Appendix A
Instruction Manual
Summary of Revisions
Manual
Date Code
SEL-2488-R100-V0-Z001001-D20140620
20141001
SEL-2488-R100-V0-Z001001-D20140620
Initial version.
20140818
Instruction Manual
The date code at the bottom of each page of this manual reflects the creation or
revision date.
Table A.2 lists the instruction manual release dates and a description of
modifications. The most recent instruction manual revisions are listed at the top.
Table A.2
Revision Date
20141001
Summary of Revisions
Section 1
Section 5
Initial version.
Appendix B
Firmware Upgrade Instructions
Introduction
SEL occasionally offers firmware upgrades to improve the performance of
your device. The SEL-2488 stores firmware in nonvolatile memory, so that
opening the case or changing physical components is not necessary. These
instructions give a step-by-step procedure to upgrade the device firmware by
uploading a file from a personal computer to the device via the web interface.
All firmware updates are logged.
Firmware releases are enhancements to improve functionality that change the
way your device is configured or maintained, and can be installed in
increasing or decreasing order. All existing settings will be transferred to
newer firmware. Settings may not be transferred to older firmware. After a
firmware update it is possible to revert to the previously installed firmware
version.
To perform an upgrade you will need the appropriate firmware upgrade file
and access to an administrative account on the device.
Firmware Files
Figure B.1 File Management
Step 4. Enter the path name for the upgrade file. To locate the file
instead using the Windows file browser, click the Browse
button, navigate to the location where the upgrade file is stored,
select it, and click Open.
Step 5. Click the Upgrade button at the bottom of the page to upload
and install the new firmware. The Upgrading Firmware status
display will appear and periodically update the shown progress
of the upgrade operation as it proceeds. Firmware update takes
about 10 minutes to complete.
Appendix C
User-Based Accounts
Introduction
Local accounts are the engineering access accounts that reside on SEL
products. SEL has historically used global accounts such as ACC and 2AC
and a password associated with each to control access to SEL devices. With
global accounts, every user has the same logon credentials (username and
password), which weakens the security of the system. To strengthen
authentication, authorization, and accountability, this SEL product uses a
user-based account structure.
Administration of User-Based Accounts
Accountability is the idea that individual users can be held responsible for
their actions on a system. The lack of authentication with global accounts
creates too much opportunity to cast doubt on one's activities, making
accountability difficult to enforce. The ability to clearly authenticate a user to
the individual level allows all actions to be assigned to specific users.
Accountability is very important to event tracking and forensic investigations.
Passphrases
Passphrases provide a user the ability to create strong and easy-to-remember
passwords that protect access to a system. A strong passphrase includes many
different characters from many different character sets. Longer passphrases
provide greater security than shorter passphrases. SEL user-based accounts
support complex passphrases that must include at least one character from
each of the following character sets.
Uppercase letters
Lowercase letters
Digits
Special characters
Instruction Manual
Appendix D
Lightweight Directory Access Protocol
SEL-2488 LDAP Client Implementation
LDAP allows the SEL-2488 to bind with existing centralized account
directories, such as Microsoft Active Directory, for user authentication and
authorization. SEL's specific LDAP implementation utilizes the StartTLS
method for securing LDAP data from the device to the centralized account
server. See Figure D.1 for information about the LDAP interaction between
the SEL LDAP client and the centralized server.
Figure D.1
LDAP Transaction
Certificate Chain
When an SEL device receives an X.509 certificate from an LDAP server
during a StartTLS exchange prior to LDAP bind, you will need to have the
certificate chain stored locally. The certificate chain, also known as the
certification path, is a list of certificates used to authenticate the LDAP server.
The chain, or path, begins with the certificate of the LDAP server (the one the
SEL device receives), and each certificate in the chain is signed by the CA
identified by the next certificate in the chain. The chain terminates with a root
CA certificate. The root CA certificate is always signed by the CA itself. The
signatures of all certificates in the chain must be verified by the SEL LDAP
client until the root CA certificate is reached. The Distinguished Name (DN)
of the X.509 certificate the LDAP server uses to authenticate to the SEL
LDAP client must match the LDAP server name (i.e., LDAP server
3354.x509.local must match its certificate DN 3354.x509.local).
Hostname:
IP Address:
Hostname:
IP Address:
LDAP Settings
(Input these settings on the LDAP Settings page):
Search Base:
User ID Attribute:
Group Member Attribute:
Bind DN (optional, if left blank will use anonymous binds):
Bind DN Password (optional, required only if not using anonymous binds):
LDAP Servers
(Input these settings on the LDAP Settings page, need at least one):
Hostname:
Port Number:
Hostname:
Port Number:
Device Roles
(Required to map user privileges, input these settings on the LDAP settings page):
Appendix E
Syslog
Introduction
The Syslog protocol, defined in RFC 3164, provides a transport mechanism by
which a device can send system event notification messages across IP
networks to remote Syslog servers. Syslog is commonly used to send system
logs such as security events, system events, and status messages useful in
troubleshooting, auditing, and event investigations. The Syslog packet size is
limited to 1024 bytes and is formatted into three parts: PRI, HEADER, and
MSG.
1. PRI: The priority part of a Syslog packet is a number enclosed
in angle brackets that represents both the facility and severity of
the message. The priority value is calculated by multiplying the
facility numerical code by 8 and adding the numerical value of
the severity. For example, a kernel message (facility = 0) with a
severity of Emergency (severity = 0) would have a priority of 0.
Also, a local use 4 message (facility = 20) with a severity of
Notice (severity = 5) would have a priority value of 165. In the
PRI part of the Syslog message, these values would be placed
between the angle brackets as <0> and <165>, respectively.
The severity code (Table E.1) is a number indicative of how critical the
message is.
Table E.1
Numerical Code | Severity
0 | Emergency
1 | Alert
2 | Critical
3 | Error
4 | Warning
5 | Notice
6 | Informational
7 | Debug
The facility code (Table E.2) defines the application group from which the
message originated.
Table E.2
Numerical Code
Facility
Kernel messages
User-level messages
Mail system
System daemons
Security/authorization messagesa
UUCP subsystem
Clock daemonb
10
11
FTP daemon
12
NTP subsystem
13
Log audita
14
Log auditb
15
Clock daemonb
16
17
18
19
20
21
22
23
Various operating systems have been found to use Facilities 4, 10, 13, and 14 for security/
authorization, audit, and alert messages that seem to be similar.
Various operating systems have been found to use both Facilities 9 and 15 for clock (cron/at)
messages.
Source: http://www.faqs.org/rfcs/rfc3164.html
The Syslog message has been divided into each respective part, as shown in
the following table.
PRI
HEADER
MSG
<34>
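The PRI/HEADER/MSG split and the priority arithmetic described above can be checked on a collector with a small parser. This is an added example, not SEL code: the sample packets are constructed, the hostname `sel2488` and user `jdoe` are made up, and mapping the device's SECURITY facility to RFC 3164 facility 4 is an assumption.

```python
import re

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
MAX_PACKET = 1024        # RFC 3164 packet size limit, in bytes
MAX_PRI = 23 * 8 + 7     # facility 23 with severity 7 gives 191

# <PRI>Mmm dd hh:mm:ss hostname MSG  (day of month is space-padded)
PACKET_RE = re.compile(
    r"^<(\d{1,3})>"
    r"([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(\S+) (.*)$", re.DOTALL)
# MSG is a TAG (alphanumeric, at most 32 characters) followed by CONTENT
TAG_RE = re.compile(r"^([A-Za-z0-9]{1,32})(.*)$", re.DOTALL)


def priority(facility, severity):
    """PRI value: facility code times 8 plus severity code."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= MAX_PRI:
        raise ValueError(f"PRI {pri} is out of range")
    return divmod(pri, 8)


def parse(packet):
    """Parse one RFC 3164 packet (bytes) into its PRI, HEADER and MSG fields."""
    if len(packet) > MAX_PACKET:
        raise ValueError("packet exceeds 1024 bytes")
    match = PACKET_RE.match(packet.decode("ascii", errors="replace"))
    if match is None:
        raise ValueError("not a PRI/HEADER/MSG packet")
    facility, severity = decode_pri(int(match.group(1)))
    tag = TAG_RE.match(match.group(4))
    content = tag.group(2) if tag else match.group(4)
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": match.group(2),
        "hostname": match.group(3),
        "tag": tag.group(1) if tag else "",
        "content": content.lstrip(": "),
    }


def triage(packets, threshold):
    """Keep events at least as severe as threshold (lower code = more severe).

    Returns ([(tag, severity_name), ...], number_of_rejected_packets).
    """
    kept, rejected = [], 0
    for packet in packets:
        try:
            event = parse(packet)
        except ValueError:
            rejected += 1      # malformed or oversized: count it, do not trust it
            continue
        if event["severity"] <= threshold:
            kept.append((event["tag"], event["severity_name"]))
    return kept, rejected


# Constructed sample packets (not captured from a device).
SAMPLES = [
    # Assumption: SECURITY maps to facility 4, so Warning gives 4*8+4 = 36.
    b"<36>Oct  1 08:15:02 sel2488 Login: User account jdoe locked out "
    b"due to consecutive failed login attempts",
    b"<165>Oct  1 08:15:09 sel2488 Example: local use 4 message at Notice",
    # The <34> example message from RFC 3164.
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    b"<999>Oct  1 08:15:10 sel2488 Bad: PRI out of range",
    b"<13>Oct  1 08:15:11 sel2488 Pad: " + b"A" * 1100,
]

if __name__ == "__main__":
    print(triage(SAMPLES, threshold=4))
```

A collector that counts rejected packets, rather than silently dropping them, makes malformed or oversized traffic on the Syslog port visible to whoever reviews the logs.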
Figure E.1 (network diagram; labels: PSTN, SEL-3025, SEL-2488, SEL-351, SEL-2730M, SEL-3620, Central Syslog Server)
SEL-2488 Event Logs
Table E.3
Message | Tag Name | Severity | Facility
 | CaptivePortConfig | Notice | USER
 | CaptivePortConfig | Notice | USER
 | ImportExport | Warning | USER
 | ImportExport | Notice | USER
 | ImportExport | Notice | USER
 | ImportExport | Warning | USER
 | ImportExport | Notice | USER
 | ImportExport | Notice | USER
 | AlarmContact | Notice | USER
 | Power | Notice | SYSTEM
 | Power | Error | USER
 | PushbuttonReset | Notice | USER
 | Commissioning | Notice | SECURITY
 | Commissioning | Notice | SECURITY
 | Power | Critical | SYSTEM
 | DateTime | Informational | CLOCK
 | DateTime | Informational | CLOCK
 | DateTime | Notice | CLOCK
 | Firmware | Error | SYSTEM
 | Firmware | Warning | USER
 | Firmware | Warning | SYSTEM
 | Firmware | Notice | USER
The firmware update from {0} to new version failed with an error of "{1}". Please contact Schweitzer Engineering Laboratories, Inc. for assistance | Firmware | Critical | SYSTEM
 | FrontPanelConfig | Notice | USER
 | FrontPanelConfig | Notice | USER
 | PushbuttonReset | Alert | USER
 | GNSSConfig | Notice | USER
Holdover Alert | TimeSync | Critical | CLOCK
 | HostConfig | Notice | USER
 | HostConfig | Notice | USER
Host Settings: Changed hostname {0} with IP address {1} to {2} with IP address {3} by {username} at {user_ip} | HostConfig | Notice | USER
 | LDAP | Error | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
LDAP: An error occurred when searching for the user's DN on the server {0}:{1} | LDAP | Error | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAP | Error | SECURITY
 | LDAP | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
LDAP: One or more of the user-configured DNs for server {0}:{1} contains syntax errors | LDAP | Error | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAP | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAP | Error | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAP | Error | SECURITY
 | LDAP | Error | SECURITY
 | LDAP | Error | SECURITY
 | LDAP | Error | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
LDAP: The hostname of the certificate presented by {0}:{1} does not match | LDAP | Error | SECURITY
 | LDAP | Error | SECURITY
 | LDAP | Error | SECURITY
 | LDAP | Error | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAP | Error | SECURITY
LDAP: Server {0}:{1} returned a DN that was longer than 4096 bytes. That DN was ignored | LDAP | Error | SECURITY
 | LDAP | Error | SECURITY
 | LDAPConfig | Warning | SECURITY
 | LDAP | Error | SECURITY
 | LDAP | Error | SECURITY
 | DateTime | Informational | CLOCK
 | DateTime | Informational | CLOCK
 | DateTime | Notice | CLOCK
 | LinkUpDown | Notice | SYSTEM
 | LinkUpDown | Notice | SYSTEM
 | DateTimeConfig | Notice | USER
 | UserConfig | Notice | SECURITY
 | UserConfig | Warning | SECURITY
 | UserConfig | Warning | SECURITY
 | UserConfig | Notice | SECURITY
 | UserConfig | Notice | SECURITY
 | UserConfig | Warning | SECURITY
 | Login | Notice | SECURITY
 | Login | Notice | SECURITY
User account {0} locked out due to consecutive failed login attempts | Login | Warning | SECURITY
 | Login | Warning | SECURITY
 | Login | Notice | SECURITY
 | TimeSync | Notice | USER
 | NetworkConfig | Notice | USER
 | NetworkConfig | Notice | USER
 | NTPServerConfig | Notice | USER
 | NTPServerConfig | Notice | USER
 | NTPServerConfig | Notice | USER
The Part Number for the device has changed from {0} to {1} | PartNumber | Critical | SYSTEM
 | TimerContactConfig | Notice | USER
 | EventSystem | Error | SYSTEM
The {0} event queue left the overflow condition. Approximately {1} events were lost | EventSystem | Notice | SYSTEM
 | Diagnostics | Error | SYSTEM
Failure: Flash | Diagnostics | Alert | SYSTEM
Failure: FPGA | Diagnostics | Alert | SYSTEM
 | Diagnostics | Alert | SYSTEM
 | Diagnostics | Alert | SYSTEM
 | Diagnostics | Alert | SYSTEM
Failure: LCD | Diagnostics | Error | SYSTEM
 | Diagnostics | Alert | SYSTEM
 | Diagnostics | Alert | SYSTEM
Failure: RAM | Diagnostics | Alert | SYSTEM
 | Diagnostics | Critical | SYSTEM
 | Diagnostics | Warning | SYSTEM
 | Diagnostics | Alert | SYSTEM
 | Diagnostics | Alert | SYSTEM
 | SystemIntegrity | Error | CLOCK
 | SystemIntegrity | Warning | CLOCK
 | SystemIntegrity | Error | CLOCK
 | SystemIntegrity | Warning | CLOCK
 | NetworkConfig | Notice | USER
 | SyslogConfig | Notice | USER
 | SyslogConfig | Warning | USER
 | SyslogConfig | Warning | USER
 | Syslog | Notice | USER
 | Syslog | Warning | SYSTEM
 | Syslog | Critical | SYSTEM
 | Syslog | Notice | SYSTEM
 | Syslog | Notice | SYSTEM
 | SyslogConfig | Notice | USER
 | Config | Notice | USER
Time Quality 1s | TimeSync | Notice | CLOCK
 | TimeSync | Notice | CLOCK
 | TimeSync | Notice | CLOCK
 | TimeSync | Warning | CLOCK
 | TimeCodeOutputsConfig | Notice | USER
 | GNSSConfig | Notice | USER
 | Config | Notice | SECURITY
 | WebServerConfig | Warning | USER
 | WebServerConfig | Warning | USER
 | X509Config | Notice | SECURITY
 | X509Config | Notice | USER
 | X509Config | Notice | SECURITY
 | X509Config | Error | SYSTEM
 | X509Config | Notice | SECURITY
 | X509Config | Warning | SECURITY
 | X509Config | Notice | SECURITY
 | X509Config | Warning | SYSTEM
 | X509Config | Informational | SYSTEM
 | X509Config | Notice | SYSTEM
Appendix F
X.509
Introduction
In cryptography, X.509 is an International Telecommunication Union standard
for public key infrastructure (PKI). X.509 specifies formats for public key
certificates and validation paths for authentication. The SEL-2488 uses X.509
certificates in the web server for secure device management, and for IPsec
authentication.
Figure F.1 (diagram labels: Big Random Number, Key Generation Function)
Asymmetric Keys
Symmetric key cryptography, which has been used in various forms for
thousands of years, uses a single key that both encrypts and decrypts the
message. This key must be shared between the sender and receiver in advance.
If the key cannot be shared securely, the confidentiality of any transmission
encrypted with that key cannot be known.
In public key cryptography, the encryption key is not the same as the
decryption key. If a message is encrypted with the publicly known key, only
the private key can be used to decrypt it. This private key is known only to the
owner of the key pair. Only the sender and the intended receiver will know the
message, ensuring confidentiality.
Figure F.2 (diagram: Bob encrypts the message "Hello Alice!" with Alice's public key; Alice decrypts it with Alice's private key)
Figure F.3 (diagram: the message "I Will Pay $500" is signed (encrypted) with Alice's private key; Bob verifies (decrypts) it with Alice's public key)
X.509 Certificates
Digital certificates, also known as public key certificates, provide a formal
method for associating pairs of asymmetric keys with their owners. You can
use these electronic documents, through the use of digital signatures, to bind
public keys to their owners.
Digital Signatures
A digital signature is a more formal method of authenticating data than an
electronic signature. Digital signatures can be compared to the wax seals that
were placed on envelopes before email was available. To create a digital
signature of data, you would first compute a hash of the data to be signed and
then encrypt that hash with the signer's private key. You would then attach
this signature to the data to be signed. To verify the authenticity of the
data, the receiver's system first separates data and signature. The receiver
computes a hash of the data and then uses the issuer's public key to decrypt
the signature. The receiver compares these two hashes and, if they match, the
data is authentic.
Figure F.4 Digital Signatures (diagram panels: Signing, Verification)
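The hash-then-sign procedure above, and the certificate chain walk described under Certificate Chain in Appendix D, can be followed end to end in a short model. This is an added example, not SEL's implementation: it uses textbook RSA without padding on toy Mersenne-prime keys (not secure), the certificate is a hypothetical dictionary rather than real X.509, and the CA names are made up.

```python
import hashlib

E = 65537  # public exponent used by every toy key below


def make_key(p, q):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # private exponent
    return {"pub": (n, E), "priv": (n, d)}


def digest(data, n):
    """SHA-256 of the data as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, priv):
    """Hash the data, then 'encrypt' the hash with the private key."""
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(data, signature, pub):
    """'Decrypt' the signature with the public key and compare the hashes."""
    n, e = pub
    return pow(signature, e, n) == digest(data, n)


def tbs(cert):
    """Bytes the issuer signs: every field except the signature itself."""
    n, e = cert["pub"]
    return f'{cert["subject"]}|{cert["issuer"]}|{n}|{e}'.encode()


def issue(subject, subject_key, issuer, issuer_key):
    """Bind a subject name to a public key under the issuer's signature."""
    cert = {"subject": subject, "issuer": issuer, "pub": subject_key["pub"]}
    cert["sig"] = sign(tbs(cert), issuer_key["priv"])
    return cert


def validate_chain(chain, trusted_roots, server_name):
    """Walk server -> intermediates -> root; return (ok, reason)."""
    if not chain:
        return False, "empty chain"
    if chain[0]["subject"] != server_name:
        return False, "certificate name does not match server name"
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False, "issuer mismatch for " + cert["subject"]
        if not verify(tbs(cert), cert["sig"], issuer["pub"]):
            return False, "bad signature on " + cert["subject"]
    root = chain[-1]
    self_signed = (root["issuer"] == root["subject"]
                   and verify(tbs(root), root["sig"], root["pub"]))
    if not self_signed:
        return False, "chain does not end in a self-signed root"
    if root not in trusted_roots:
        return False, "root is not in the local trust store"
    return True, "ok"


# Constructed toy keys and certificates (Mersenne primes keep the code short).
ROOT_KEY = make_key(2**521 - 1, 2**607 - 1)
CA_KEY = make_key(2**107 - 1, 2**127 - 1)
SERVER_KEY = make_key(2**61 - 1, 2**89 - 1)
ROOT = issue("Example Root CA", ROOT_KEY, "Example Root CA", ROOT_KEY)
CA = issue("Example Issuing CA", CA_KEY, "Example Root CA", ROOT_KEY)
SERVER = issue("3354.x509.local", SERVER_KEY, "Example Issuing CA", CA_KEY)
CHAIN = [SERVER, CA, ROOT]

if __name__ == "__main__":
    print(validate_chain(CHAIN, [ROOT], "3354.x509.local"))
    print(validate_chain(CHAIN, [], "3354.x509.local"))
```

The last check is why the chain has to be stored locally: a chain whose signatures all verify still proves nothing if its root is one the client was never told to trust.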
Web of Trust
Another of the three common uses of digital certificates is in the web of trust.
This is a less formal method of authentication than PKI provides, but is still in
common use. The largest use of the web of trust model is in Pretty Good
Privacy (PGP) used for email security. This model is very similar to PKI in
that a trusted third party is verifying the authenticity of a certificate. The
difference is that this trusted third party is not a CA, but rather a person who
endorses the authenticity of another person. Signing the public key of the
person requiring endorsement (or trust) with the endorser's (trusted entity's)
own private key establishes a web of trust. Figure F.5 below illustrates a
simple example of a web of trust. If Alice trusts Bob, and Bob trusts Charlie,
then Alice implicitly trusts Charlie.
Figure F.5 Web of Trust (diagram: Alice, Bob, Charlie, and Diane connected by Trust and Implicit Trust links)
in SPKI, because the owner and issuer of the certificate are the same entity.
For SPKI to be secure, certificates must be pre-shared among all entities who
communicate on that system. This ensures that all knowledge for security
decisions resides locally.
revoked
Revoked: Indicates that the certificate has been revoked
Unknown: Indicates that the responder does not know about the
Sample X.509 Certificate
Validity
Not Before: Aug 1 00:00:00 1996 GMT
Not After: Dec 31 23:59:59 2020 GMT
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
OU=Certification Services Division,
CN=Thawte Server CA/Email=server-certs@thawte.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:a4:50:6e:c8:ff:56:6b:e6:cf:5d:b6:ea:0c:
68:75:47:a2:aa:c2:da:84:25:fc:a8:f4:47:51:da:
85:b5:20:74:94:86:1e:0f:75:c9:e9:08:61:f5:06:
6d:30:6e:15:19:02:e9:52:c0:62:db:4d:99:9e:e2:
6a:0c:44:38:cd:fe:be:e3:64:09:70:c5:fe:b1:6b:
29:b6:2f:49:c8:3b:d4:27:04:25:10:97:2f:e7:90:
6d:c0:28:42:99:d7:4c:43:de:c3:f5:21:6d:54:9f:
5d:c3:58:e1:c0:e4:d9:5b:b0:b8:dc:b4:7b:df:36:
3a:c2:b5:66:22:12:d6:87:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
07:fa:4c:69:5c:fb:95:cc:46:ee:85:83:4d:21:30:8e:ca:d9:
a8:6f:49:1a:e6:da:51:e3:60:70:6c:84:61:11:a1:1a:c8:48:
3e:59:43:7d:4f:95:3d:a1:8b:b7:0b:62:98:7a:75:8a:dd:88:
4e:4e:9e:40:db:a8:cc:32:74:b9:6f:0d:c6:e3:b3:44:0b:d9:
8a:6f:9a:29:9b:99:18:28:3b:d1:e3:40:28:9a:5a:3c:d5:b5:
e7:20:1b:8b:ca:a4:ab:8d:e9:51:d9:e2:4c:2c:59:a9:da:b9:
b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e:
70:47