Академический Документы
Профессиональный Документы
Культура Документы
Issue 02
Date 2015-05-20
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
2 Overview.........................................................................................................................................5
3 PKI Architecture............................................................................................................................7
3.1 Introduction....................................................................................................................................................................7
3.2 CA...................................................................................................................................................................................8
3.3 RA...................................................................................................................................................................................9
3.4 Certificate & CRL Database...........................................................................................................................................9
10 Parameters.................................................................................................................................134
11 Counters....................................................................................................................................176
12 Glossary.....................................................................................................................................177
13 Reference Documents.............................................................................................................178
1.1 Scope
This document describes the public key infrastructure (PKI), including its technical principles,
related features, network impact, and engineering guidelines.
In this document, the following naming conventions apply for LTE terms.
In addition, the "L" and "T" in RAT acronyms refer to LTE FDD and LTE TDD, respectively.
NOTE
The eCoordinator does not support PKI-related optional features. It only supports manual configuration of
digital certificates.
GBTS GBTS refers to a base station deployed with a GTMU and maintained
through a base station controller.
Co-MPT Co-MPT multimode base station refers to a base station deployed with
multimode base a UMPT_GU, UMDU_GU, UMPT_GL, UMDU_GL, UMPT_GT,
station UMDU_GT, UMPT_UL, UMDU_UL, UMPT_UT, UMDU_UT,
UMPT_LT, UMDU_LT, UMPT_GUL, UMDU_GUL, UMPT_GUT,
UMDU_GUT, UMPT_ULT, UMDU_ULT, UMPT_GLT,
UMDU_GLT, UMPT_GULT, or UMDU_GULT. A co-MPT
multimode base station functionally corresponds to any combination of
eGBTS, NodeB, and eNodeB. For example, a co-MPT multimode base
station deployed with a UMPT_GU functionally corresponds to the
combination of eGBTS and NodeB.
NOTE
Unless otherwise specified, the descriptions and examples of the UMPT in a co-MPT base station also
apply to the UMDU in a co-MPT base station.
l Feature change
Changes in features of a specific product version
l Editorial change
Changes in wording or addition of information that was not described in the earlier version
SRAN10.1 02(2015-05-20)
This issue includes the following changes.
SRAN10.1 01 (2015-03-23)
This issue includes the following changes.
Feature In RAN Sharing scenarios, when multiple operators share a base None
change station, the base station supports independent deployment of a
PKI system for each operator.
Feature Added PKI descriptions for a new type of BBU: BBU3910A. None
change
Added descriptions of eGBTSs configured with GTMUb boards. None
For details, see 9.6 Deployment of PKI on the eGBTS using a
GTMUb.
Modified the display format of the Common Name field in the None
SubjectName and backup SubjectName fields of eNodeBs'
certificate request messages. For details, see the following
section:
6 CMPv2-based Certificate Management
2 Overview
PKI is a security infrastructure that provides information security and digital certificate
management. It uses an asymmetric cryptographic algorithm to allow client and server
applications to trust each other's authentication credentials and perform authentication.
In multi-operator PKI scenarios, each operator can deploy an independent PKI server and use
the certificate issued by the operator's PKI server to perform authentication on Internet Protocol
Security (IPsec) tunnels. In this way, secondary operators do not depend on the PKI of the
primary operator, and services of each operator can be securely isolated.
A digital certificate identifies a piece of equipment and is created by a trusted certificate authority
(CA), which digitally signs the equipment information and public key. A digital certificate
includes the following information:
Asymmetric keys are used to authenticate equipment identities during digital certificate
authentication. The sender uses a private key to sign data, and the receiver uses a public key in
the certificate to verify signature validity. With digital certificates, both the receiver and the
sender confirm each other's identities to protect against communication fraud and eavesdropping.
l Authentication during the setup of an IPsec tunnel between a base station and an SeGW in
a radio bearer network
l Authentication during the setup of a Secure Sockets Layer (SSL) connection between an
eGBTS/NodeB/eNodeB and the U2000 at the application layer
l 802.1x-based access control for the eGBTS/NodeB/eNodeB, which uses digital certificates
for identity authentication
l Authentication during the setup of an SSL connection when the RNC/BSC/eCoordinator
uses the SSL connection to protect application data transmission.
l In RAN Sharing scenarios, when multiple operators share a base station and each operator
deploys a separate PKI server, digital certificates can be used to establish separate IPsec
tunnels for each operator, thereby implementing secure service isolation.
NOTE
l The GBTS does not support SSL or Access Control based on 802.1x.
l The eGBTS configured with a GTMUb does not support Access Control based on 802.1x.
l The eGBTS configured with a GTMUb and GBTS do not support multi-operator PKI.
l For details about IPsec, see IPsec Feature Parameter Description.
l For details about SSL, see SSL Feature Parameter Description.
l For details about 802.1x, see Access Control based on 802.1x Feature Parameter Description.
l For details about base station supporting multi-operator PKI in RAN Sharing scenarios, see Base
Station Supporting Multi-operator PKI Feature Parameter Description.
3 PKI Architecture
3.1 Introduction
A PKI system manages digital certificates for network equipment. This enables operators to
establish a trusted security domain so that they have a trustworthy relationship with equipment
from other vendors.
As shown in Figure 3-1, a PKI system in a wireless network generally consists of the following
network elements (NEs):
l NEs that use certificates, including the base station, base station controller, SeGW, and
U2000.
l PKI server that manages certificates, including the CA, registration authority (RA), and
certificate & CRL database. CRL stands for certificate revocation list.
NOTE
The CRL enables the base station and base station controller to verify the certificate sent by the peer
equipment (such as an SeGW), but the base station and base station controller cannot verify their own
certificates. The CRL is obtained by the base station and base station controller from the operator's PKI
system. For more information about PKI, see IETF RFC 5280 and IETF RFC 2585. Certificates and CRLs
comply with X.509v3 and X.509v2, respectively, but do not comply with earlier specifications. For details,
see IETF RFC 5280.
The eCoordinator cannot directly apply for and update certificates from the PKI system. The eCoordinator's
certificates must be manually maintained on the U2000.
3.2 CA
A CA serves as a central management node in a PKI system. As shown in Figure 3-1, a CA
manages certificates as follows:
On a live network, a CA system can use a layered structure to meet the requirements for CA
deployment across different areas. The root CA is responsible for managing all certificates on
the entire network. The layered structure helps share the load of the root CA. Figure 3-2 shows
an example of the CA system architecture.
When building a PKI system, an operator determines the root CA domain based on the operator's
business scale and global network distribution. The root CA is located at the top level and has
the highest security and reliability. Operators usually use the root CA to authorize important
subordinate CAs. CAs at each level can be authorized to sign and issue certificates for their
lower-level CAs or for end users. This method facilitates certificate deployment because the root
CA is no longer required for signing and issuing certificates for all end users.
NOTE
Related Concepts
l Device CA: issues digital certificates to network devices within its service scope.
l Cross-certification CA: issues a cross-certificate to a peer CA under another root CA when
a trustworthy relationship must be set up with the peer CA.
l Subordinate CA: issues a user certificate or authorizes its lower-level CAs, which then issue
user certificates to O&M personnel who need to access equipment.
There is no strict limitation imposed on the number of layers in a CA system. Operators can
divide the CA system into layers according to their requirements. Generally, a three-layer CA
system can meet the requirements of most operators. However, a two-layer CA system is
recommended, considering the management cost and complexity of a three-layer system.
3.3 RA
An RA is a certificate registration and approval authority. As shown in Figure 3-1, an RA
interacts with communication entities such as base stations and base station controllers, collects
certificate applicants' information, and verifies their qualifications. The RA then determines
whether to issue a certificate to an applicant based on the verification result. If the application
is approved, the RA sends the application to the CA, which then issues the certificate and
publishes it in the certificate database.
On a live network, a certificate & CRL database is an independent entity deployed on a server
in a demilitarized zone (DMZ). This allows users on the network to obtain CRLs online, without
imposing any security threat on the CA system.
A certificate & CRL database is generally deployed on an FTP server or Lightweight Directory
Access Protocol (LDAP) server.
NOTE
Huawei base station controllers of versions earlier than SRAN9.0 are called old Huawei base station
controllers. Huawei base station controllers of SRAN9.0 or later are called new Huawei base station
controllers.
All Huawei eCoordinators are preconfigured with the same certificate issued by Huawei CA
before delivery. The certificate is stored on the OMU board.
NOTE
The certificate preconfigured on an eCoordinator, in a strict sense, is not a device certificate because it is
not bound with the ESN of the OMU. If the preconfigured certificate on one Huawei eCoordinator is
cracked, the preconfigured certificates on all Huawei eCoordinators are cracked. Therefore, it is
recommended that an operator-issued device certificate be applied for an eCoordinator after it connects to
a network.
The Huawei root certificate is preconfigured in each Huawei base station as the trust certificate
before delivery. The certificate is stored on the main control board (UMPT/LMPT/UMDU) or
UTRPc board and can be used to verify Huawei-issued device certificates. The Huawei root
certificate is named caroot.pem.
The Huawei root certificate is preconfigured in each Huawei base station controller/
eCoordinator as the trust certificate before delivery. The certificate can be used to verify Huawei-
issued device certificates and is named rootca.pem.
NOTE
Huawei wireless-network CA system is a layer-two CA system. caroot.pem and rootca.pem are files in
the layer-two certificate chain.
Figure 4-1 shows an example of how an operator's CA uses the Huawei root certificate to
authenticate a Huawei-issued device certificate.
The operator's CA is preconfigured with the Huawei root certificate. During authentication, the
base station sends its Huawei-issued device certificate to the operator's CA, which then uses the
Huawei root certificate to verify the device certificate.
If there are multiple layers of CAs in a PKI system, certificates of the CAs form a certificate
chain, which is used to verify the validity of device certificates issued by the bottom-level CA
in the chain.
If there is a certificate chain from the base station's device certificate up to the root CA, the peer
equipment must be preconfigured with the certificate chain so that the equipment can verify the
validity of the device certificate sent by the base station during Internet Key Exchange (IKE)
authentication.
NOTE
A base station/base station controller/eCoordinator reloads the device certificate and verifies its validity
each time the base station/base station controller/eCoordinator restarts.
During an authentication process, the communication parties use their respective trust
certificates to verify the validity of the peer's device certificate.
O&M personnel can run the ADD BTSTRUSTCERT command to add a root certificate or
certificate chain as the trust certificate of the GBTS. They can also run the ADD TRUSTCERT
command to add a root certificate or certificate chain as the trust certificate of the eGBTS/NodeB/
eNodeB/RNC/BSC/eCoordinator.
4.4 Cross-Certificate
A cross-certificate is issued by one CA to another in order to establish a trustworthy relationship
between them.
Cross-certification is a process in which two pieces of equipment use the cross-certificate for
authentication. Figure 4-2 shows the procedure for cross-certification before and during base
station deployment.
Figure 4-2 Procedure for cross-certification before and during base station deployment
Before base station deployment, the following prerequisites for cross-certification must be met:
1. The base station obtains cross-certificate 2 issued by the Huawei CA to the operator's CA
from the operator's certificate & CRL database.
2. The base station uses the Huawei root certificate to verify cross-certificate 2.
3. The base station and SeGW exchange their device certificates.
4. The base station uses cross-certificate 2 to verify the operator-issued device certificate, and
the SeGW uses cross-certificate 1 to verify the Huawei-issued device certificate.
5. If both the base station and SeGW pass the verification, the authentication succeeds.
NOTE
The eGBTS, NodeB, and eNodeB support cross-certificates, whereas the GBTS, BSC, eCoordinator, and
RNC do not.
Before using the cross-certificate for authentication, the operator's CA and the Huawei CA must
issue a cross-certificate to each other. This is a cumbersome procedure and hence is not
recommended.
4.5 CRL
CRL is used to verify the validity of a peer certificate. Certificates are revoked when keys are
disclosed or when devices that use the certificates are replaced or discarded.
Revoked certificates are recorded in a CRL. An NE uses a CRL to check the validity of the
certificate sent by a peer device during authentication of the peer device. The peer device is not
trustworthy if its certificate is recorded in a CRL.
l O&M personnel can run the SET BTSCRLPOLICY command to set a CRL usage policy
for the GBTS.
l O&M personnel can run the SET CRLPOLICY command to set a CRL usage policy for
the eGBTS/NodeB/eNodeB/eCoordinator/base station controller.
– If the CRLPOLICY parameter is set to NOVERIFY, the base station/base station
controller/eCoordinator does not perform CRL-based certificate validity checks.
– If CRLPOLICY(NodeB,BSC6900,BSC6910) is set to ALARM, the base station reports
ALM-26832 Peer Certificate Expiry and the base station controller/eCoordinator
reports ALM-20854 Peer Certificate Invalid, Expiry, or Damage when the peer's device
certificate is detected in the CRL.
– If CRLPOLICY(NodeB,BSC6900,BSC6910) is set to DISCONNECT, the base
station/base station controller/eCoordinator reports the preceding alarms and
disconnects the communication with the peer end when the peer's device certificate is
detected in the CRL.
On the base station side, the deployment locations for all the preceding types of certificates and
CRLs can be queried and modified by running MML commands:
l For the GBTS, run the LST BTSCERTDEPLOY and SET BTSCERTDEPLOY
commands to display and modify the certificate deployment location, respectively.
l For the eGBTS/NodeB/eNodeB, run the LST CERTDEPLOY and SET
CERTDEPLOY commands to display and modify the certificate deployment location,
respectively.
Old Huawei base station controllers are not preconfigured with Huawei-issued device certificates
before delivery. The Huawei-issued device certificates on the base station controllers are
preconfigured by using software.
Each new Huawei base station controller is preconfigured with a Huawei-issued device certificate
before delivery. The Huawei-issued device certificate on the base station controller is bound with
the ESN of the OMU board.
Each Huawei eCoordinator is preconfigured with a Huawei-issued device certificate before delivery.
The certificate is not bound with the ESN of the OMU board. That is, all Huawei eCoordinators are
preconfigured with the same Huawei-issued device certificate before delivery.
5.2.1 Introduction
A base station is preconfigured with a vendor's device certificate before delivery. If equipment
from multiple operators coexists on an operator's network, there are multiple certificates issued
by different CAs. To meet the operator's requirements for unified certificate management, the
base station must automatically replace the preconfigured device certificate with an operator-
issued device certificate when it connects to the operator's network for the first time. In this
manner, base stations from different vendors all use device certificates issued by the operator's
CA.
Each Huawei base station is preconfigured with a Huawei-issued device certificate before
delivery. To access an operator's network deployed with a PKI system, the Huawei base station
must apply for an operator-issued device certificate during base station deployment.
To implement automatic base station deployment in IPsec networking, the operator's CA and
the SeGW must meet both the following conditions:
l The operator's CA has been preconfigured with the Huawei root certificate and a CRL,
which are used to verify Huawei-issued device certificates.
l The SeGW has been preconfigured with an operator's root certificate, a CRL, and an
operator-issued device certificate, which are used for mutual authentication between the
SeGW and the Huawei base station.
1. During automatic base station deployment in plug and play (PnP) mode, the base station
exchanges Dynamic Host Configuration Protocol (DHCP) packets with the DHCP server
and obtains CA information. A CMPv2-based certificate application procedure is triggered
if the base station does not have an operator-issued device certificate, or it has an invalid
operator-issued device certificate.
2. During automatic base station deployment by USB, a CMPv2-based certificate application
procedure is triggered based on CA information when both of the following are true:
l The configuration file requires an operator-issued device certificate for IKE
authentication.
l The base station does not have an operator-issued device certificate, or it has an invalid
operator-issued device certificate.
3. The base station sends a certificate request message to the CA based on CMPv2.
4. The CA uses the preconfigured Huawei root certificate to verify the Huawei-issued device
certificate carried in the message.
5. After the verification succeeds, the CA issues an operator-issued device certificate and an
operator's root certificate to the base station.
6. The base station and SeGW perform two-way authentication.
They send their respective operator-issued digital certificates to each other and then use
the operator's root certificate to confirm each other's identities.
During automatic base station deployment, the Huawei-issued device certificate preconfigured
on the base station is used as follows:
l If the base station has obtained CA information from the DHCP server or USB flash drive,
the operator requires the base station to use an operator-issued device certificate for
authentication. The CA information includes the IP address of the CA and is used to obtain
certificates.
– If the base station has a valid operator-issued device certificate in which issuer
information is consistent with the CA information, the base station directly uses this
certificate.
– If the base station has an operator-issued device certificate but information about the
issuer is inconsistent with the CA information, this certificate is considered invalid and
cannot be used. In this case, the base station uses the preconfigured Huawei-issued
device certificate to apply for a new operator-issued device certificate.
– If the base station fails to obtain the operator-issued device certificate or if the request
for the device certificate times out, the base station uses the preconfigured Huawei-
issued device certificate. If the base station cannot be automatically deployed by using
the Huawei-issued device certificate, it restarts and attempts to obtain the operator-
issued device certificate again.
l If the base station fails to obtain the CA information, the base station uses the preconfigured
Huawei-issued device certificate.
NOTE
l If an operator's network is deployed with a PKI system, it is recommended that the same operator-
issued device certificate be used for IPsec authentication, SSL authentication, and 802.1x-based access
control.
l During automatic base station deployment in PnP mode, only Huawei-issued device certificates can
be used for authentication during 802.1x-based access control.
l By default, the same certificate is used for 802.1x-based access control and SSL authentication in the
operation phase.
l The name of the operator-issued device certificate used by a base station during base station deployment
must be OPKIDevCert.cer.
In the deployment and operation phases, O&M personnel can run the LST CERTFILE
command to query certificates on the eGBTS/NodeB/eNodeB, including certificates that are not
in use and loaded certificates and CRLs.
O&M personnel can run the RMV CERTFILE command to remove a certificate that is not in
use on the eGBTS/NodeB/eNodeB. However, they must run the RMV CERTMK command to
remove a loaded device certificate from the eGBTS/NodeB/eNodeB or run the RMV
TRUSTCERT command to remove a loaded root certificate from the eGBTS/NodeB/eNodeB.
5.3.1 Introduction
To access an operator's network deployed with a PKI system, the Huawei base station controller
must apply for a device certificate from the operator's CA. The method of applying for the
operator's device certificate depends on the device certificate preconfigured on the base station
controller.
1. The base station controller sets up an SSL connection with the U2000 by using the Huawei-
issued device certificate.
2. O&M personnel run the LST APPCERT command to check whether the base station
controller has an identifiable device certificate:
l If Certificate File Name in the command output is usercert.pem, the base station
controller has a preconfigured Huawei-issued device certificate and O&M personnel
must perform step 3.
l If Certificate File Name in the command output is hwusercert.pem, the base station
controller has a preconfigured Huawei-issued device certificate that is bound with the
ESN of the OMU board. In this case, the base station controller obtains the operator-
issued device certificate from the operator's CA by using CMPv2 messages as described
in step 4.
3. O&M personnel send the certificate request file through the U2000 to the operator's CA.
O&M personnel run the following commands:
l Run the MOD CERTREQ command to modify configurations of a certificate request
template.
l Run the CRE CERTREQFILE command to generate the certificate request file.
l Run the ULD CERTFILE command to send the certificate request file locally saved
to the U2000.
l The U2000 sends the certificate request to the operator's CA. The certificate request is
manually sent to the operator's CA. The operator-issued device certificate is manually
sent to the U2000. O&M personnel must store the certificate request file and the
operator-issued device certificate in the /export/home/sysm/ftproot/ftptmp directory
of the U2000.
Figure 5-2 shows the certificate application procedure.
l Run the DLD CERTFILE command to download the operator's root certificate from
the U2000.
l Run the ADD TRUSTCERT command to add the operator's root CA certificate.
l Run the DLD CERTFILE command to download the operator-issued device certificate
from the U2000.
l Run the ADD CERTMK command to add the device certificate to the base station
controller.
l On the U2000, choose Security > Certificate Authentication Management >
Certificate Management. In the certificate management window, select the requested
operator-issued device certificate. Click Test to test whether an SSL connection can be
established between the base station controller and the U2000 by using this device
certificate.
NOTE
Bidirectional authentication is used for SSL certificate testing. That is, the base station controller
and U2000 authenticate the device certificates of each other. The SSL certificate testing result
reflects whether the certificates can be used.
l Run the MOD APPCERT command to modify configurations of an active certificate.
4. The base station controller obtains the operator-issued device certificate from the operator's
CA by using CMPv2 messages. The OM personnel perform the following operations:
l Run the MOD CERTREQ command to modify configurations of a certificate request
template.
l Run the ADD CA command to add the operator's CA server. If the operator's CA server
works in active/standby mode, add both the active and standby CA servers to improve
reliability of certificate requests and updates.
l Run the REQ DEVCERT command to apply for a device certificate issued by the
operator's CA server.
l On the U2000, choose Security > Certificate Authentication Management >
Certificate Management. In the certificate management window, select the requested
operator-issued device certificate. Click Test to test whether an SSL connection can be
established between the base station controller and the U2000 by using this device
certificate.
5.4.1 Introduction
The eCoordinator does not support CMPv2. During eCoordinator deployment, the operator-
issued device certificate must be applied for through the U2000 so that the eCoordinator can
access the operator's network.
l Built-in ECO6910:
– If the POLICY parameter in the SET CERTPOLICY command is set to SHARE
(Share), the built-in ECO6910 synchronizes certificates from the host base station
controller, and you cannot manage certificates for the ECO6910. In this case,
configuring and querying the following MOs of the ECO6910 will fail:
TRUSTCERT, CERTMK, APPCERT, CRL, and CRLTSK.
For a built-in ECO6910, you only need to ensure deployment of the host base station
controller. For details, see 5.3 Certificate Management During Base Station
Controller Deployment.
– If the POLICY parameter in the SET CERTPOLICY command is set to
INDEPENDENCY(Independency), certificates for the built-in ECO6910 can be
independently configured and managed.
l Standalone ECO6910: Certificates for a standalone ECO6910 can be independently
configured and managed.
When certificates for an eCoordinator can be independently configured and managed, the
procedure for applying for the operator-issued device certificate is as follows:
1. The eCoordinator sets up an SSL connection with the U2000 by using the Huawei-issued
device certificate.
2. O&M personnel send the certificate request file through the U2000 to the operator's CA.
O&M personnel run the following commands:
l Run the MML command MOD CERTREQ to modify configurations of a certificate
request template.
l Run the MML command CRE CERTREQFILE to generate the certificate request file.
l Run the MML command ULD CERTFILE to send the local certificate request file to
the U2000 to apply for the device certificate.
l The U2000 applies to the operator's CA for a certificate. The certificate request is
manually sent to the operator's CA. The operator-issued device certificate is manually
sent to the U2000. O&M personnel must store the certificate request file and the
operator-issued device certificate in the /export/home/sysm/ftproot/ftptmp directory
of the U2000.
Figure 5-3 shows the certificate application procedure.
l Run the DLD CERTFILE command to download the CRL from the U2000.
l Run the ADD CRLTSK command to create a CRL update task.
l Run the DLD CERTFILE command to download the operator's root certificate from
the U2000.
l Run the MML command ADD TRUSTCERT to add an operator's trust certificate.
l Run the MML command DLD CERTFILE to download the requested device
certificate.
l Run the MML command ADD CERTMK to add the device certificate to the
eCoordinator.
l On the U2000, choose Security > Certificate Authentication Management >
Certificate Management. In the certificate management window, select the requested
operator-issued device certificate. Click Test to test whether an SSL connection can be
established between the eCoordinator and the U2000 by using this device certificate.
NOTE
Bidirectional authentication is used for SSL certificate testing. That is, the eCoordinator and
U2000 authenticate the device certificates of each other. The SSL certificate testing result reflects
whether the certificates can be used.
l Run the MML command MOD APPCERT to modify configurations of an active
certificate.
l The eCoordinator sets up another SSL connection by using the operator-issued device
certificate.
Before running the MOD APPCERT command, run the TST APPCERT command to check
whether the operator-issued device certificate can be used for IKE and SSL connections. Ensure that
the device certificate can be used to successfully establish security channels between the base station
and the peer end. It is recommended that the CFM CB command be executed to enable automatic
configuration data rollback before running the MOD APPCERT command. For details, see the
CFM CB command help.
l Automatic mode
The base station obtains information about the certificate deployment location, CA,
certificate request, and active certificate from the configuration file. After the base station
restarts, it automatically triggers a CMPv2-based certificate application based on CA
configuration. If the application fails, the base station automatically reinitiates a CMPv2-
based certificate application.
For the CMPv2-based certificate application procedure, see Figure 6-3.
l A certificate is deployed on a UTRPc board of a single-mode base station, and the main
control board shares the certificate with the UTRPc board. As indicated by (1) in Figure
5-4, the WMPT board shares the certificate with the UTRPc board.
l In co-transmission scenarios with a separate-MPT multimode base station, a certificate is
deployed on a main control board connecting to the transport network and is shared between
this main control board and another main control board of a different radio system. As
indicated by (2) in Figure 5-4, a certificate is deployed on the UMPT_L board and shared
between the UMPT_U and UMPT_L boards.
l In co-transmission scenarios with a separate-MPT multimode base station, a certificate is
deployed on a UTRPc board, and the main control board shares the certificate with the
UTRPc board. As shown by (3) in Figure 5-4, the UMPT_U and UMPT_L boards share
the certificate with the UTRPc board.
To implement certificate sharing on a base station, set the DEPLOYTYPE parameter in the
CERTDEPLOY MO to SPECIFIC. Then, set CN, SRN, and SN parameters in the
CERTDEPLOY MO to specify the board that provides a certificate for sharing.
Only active certificates can be shared. For example, IKE and SSL certificates, root certificates,
and CRLs can be shared.
NOTE
Huawei base stations support certificate sharing in backplane interconnection and BBU interconnection
scenarios but do not support this function in panel interconnection scenarios.
BBU3910As do not support certificate sharing.
l Active and standby OMU boards are switched over. The currently active OMU board can
use the digital certificate on the previously active OMU board to set up an SSL connection
with the U2000.
l The SAU board needs the digital certificate on the active OMU board to set up an SSL
connection with the Nastar.
NOTE
During base station controller deployment, use the ESN of the active OMU board to apply for a digital
certificate. If the active OMU board becomes faulty, use the ESN of a functional OMU board to apply for
a new digital certificate.
eCoordinator
If the eCoordinator uses the ESN of the active OMU board to apply for the digital certificate
during eCoordinator deployment, the standby OMU board must share the digital certificate on
the active OMU board.
Certificate sharing needs to be performed when active and standby OMU boards are switched
over. The currently active OMU board can use the digital certificate on the previously active
OMU board to set up an SSL connection with the U2000.
NOTE
During eCoordinator deployment, use the ESN of the active OMU board to apply for a digital certificate.
If the active OMU board becomes faulty, use the ESN of a functional OMU board to apply for a new digital
certificate.
NOTE
Certificate validity checks require that the time of the base station/base station controller/eCoordinator be
the same as the local time. If they are different, alarms may fail to be reported.
During an automatic certificate update procedure, if the certificate update fails due to intermittent
transmission or network congestion, the system automatically retries certificate update for at most
twice with an interval of 10 minutes.
l Manual mode
O&M personnel can run the UPD DEVCERT command to manually trigger a CMPv2-
based certificate update. In this command, the APPCERT parameter specifies a certificate
to be updated, the REKEY parameter specifies whether to update a private-public key pair,
and the KEYSIZE parameter specifies a key length. After this command is executed, the
base station or base station controller reports the progress of the certificate update.
During the certificate update, the base station or base station controller automatically configures
a new certificate and tests it. If the configuration or test of the new certificate fails, the base
station reports ALM-26842 Automatic Certificate Update Failed or the base station controller
reports ALM-20803 Certificate Auto-update Failed. In this scenario, the original certificate will
be used until a successful certificate update occurs.
NOTE
Bidirectional authentication is used for SSL certificate testing. That is, the base station/base station
controller and U2000 authenticate the device certificates of each other. The SSL certificate testing result
reflects whether the certificates can be used.
In IPsec scenarios, a new certificate is tested by using the certificate for authentication during
IKE renegotiation. In SSL scenarios, a new certificate is tested by using the certificate for
authentication during SSL reconnection. If the IKE renegotiation or SSL reconnection fails, the
base station uses the original certificate. The base station controller only supports the SSL
scenarios. If SSL reconnection fails, the base station controller uses the original certificate.
NOTE
The eGBTS configured with a GTMUb does not support SSL certificate testing.
l Built-in ECO6910
– If the POLICY parameter in the SET CERTPOLICY command is set to SHARE
(Share), the built-in ECO6910 synchronizes certificate updates from the host base
station controller.
– If the POLICY parameter in the SET CERTPOLICY command is set to
INDEPENDENCY(Independency), certificates for the built-in ECO6910 can be
independently configured and managed.
l Standalone ECO6910
Certificates for a standalone ECO6910 can be independently configured and managed.
When certificates for an eCoordinator can be independently configured and managed, the
procedure for certificate update is as follows:
1. Run the MML command SET CERTCHKTSK to set a periodic certificate validity check
task.
2. The eCoordinator does not support CMPv2. When the eCoordinator reports a certificate
expiry alarm, the certificate needs to be manually updated. The manual update procedure
is the same as a certificate application procedure. For details, see 5.4.2 Application for an
Operator-Issued Device Certificate.
Manual FTP server Users run MML commands to enable the base station
or base station controller to obtain the CRLs from the
FTP server.
Automatic LDAP server Base stations and base station controllers are
configured with scheduled tasks for periodically
FTP server obtaining CRLs.
The base station/base station controller/eCoordinator supports both manual mode and automatic
mode. However, the eCoordinator can only obtain CRLs from the FTP server. If the base station/
base station controller/eCoordinator automatically obtain CRLs, set IP to the IP address of the
CRL server and set CRLGETMETHOD to the method of obtaining CRLs. In addition, if the
LDAP server is used, set SEARCHDN(NodeB,BSC6900,BSC6910) and PORT
(NodeB,BSC6900,BSC6910) to specify the name of the LDAP server. The ISCRLTIME
(NodeB,BSC6900,BSC6910) parameter specifies whether to automatically download CRLs
after an update period (specified by the PERIOD(NodeB,BSC6900,BSC6910) parameter) has
elapsed.
From SRAN9.0 onwards, the CRL can be obtained by using SSL-protected transmission mode.
If the CRL is obtained using LDAP, the base station and base station controller support only LDAPv3.
For details, see IETF RFC 4511 Lightweight Directory Access Protocol (LDAP).
l If the CRL is obtained using FTP over SSL (FTPS), run the SET FTPSCLT command on
the base station/base station controller/eCoordinator side with ENCRYMODE set to
AUTO(Auto) or ENCRYPTED(SSL Encrypted), and enable the FTPS function on the
CRL server side. If this parameter is set to ENCRYPTED(SSL Encrypted), ensure that
all FTP servers communicated with the base station support FTPS.
If the CRL server needs to be authenticated, set the SSLCERTAUTH parameter to YES
(Yes). In addition, ensure that the base station/base station controller/eCoordinator has been
configured with the peer CA trust certificate and the CRL server has been configured with
a device certificate.
NOTE
If the FTPS client is not configured with a device certificate, the CRL server cannot authenticate the
FTPS client.
To achieve PKI redundancy, two PKI servers must be deployed on the network. The two PKI
servers have the same CA name and root certificate or certificate chain and synchronize
certificate management database between them. There should be reachable routes between the
base station/base station controller and the two PKI servers.
Every time before certificate application, certificate update, and CRL acquisition, the base
station or base station controller first initiates a session with the active PKI server. If the session
fails, the base station or base station controller reinitiates a session with the standby PKI server.
This mechanism ensures success certificate applications and updates as well as CRL
acquisitions. Active and standby CAs must have different IP addresses, and so do active and
standby CRL servers.
For both the base station and base station controller, the SLVURL
(NodeB,BSC6900,BSC6910)and SLVINITREQURL(NodeB,BSC6900,BSC6910) parameters
have been added to the CA MO to specify the URL of the standby CA; the SLVIP
(NodeB,BSC6900,BSC6910), SLVPORT(NodeB,BSC6900,BSC6910), SLVUSR
(NodeB,BSC6900,BSC6910), and SLVPWD parameters have been added to the CRLTSK MO
to specify the login information of the standby CRL server.
During certificate updates or CRL acquisitions, the base station reports ALM-26842 Automatic
Certificate Update Failed and the base station controller reports ALM-20803 Certificate Auto-
update Failed only when the sessions between the base station/base station controller and both
the active and standby PKI servers fail.
The following network elements support PKI redundancy: eGBTS, NodeB, eNodeB, GBTS
(configured with GTMUb+UMPT_L/LMPT), BSC, and RNC.
NOTE
PKI redundancy is not supported when base stations are deployed using plug and play (PnP). The operator
must ensure that the active PKI server works properly when base stations are deployed using PnP.
NOTE
For details about UMPT+UMPT cold backup, see section 4.1 in Base Station Equipment Reliability Feature
Parameter Description. For the definition of logical slot numbers, see section 8.4.2 in Base Station
Equipment Reliability Feature Parameter Description.
UMDUs cannot be used in UMPT+UMPT cold backup mode.
During the deployment phase, apply for the operator-issued device certificate only for the active
UMPT.
During the operation phase, a CMPv2-based certificate application is triggered if all the
following conditions are met:
The two UMPT boards manage and use their own certificates.
NOTE
In UMPT+UMPT cold backup mode, if both IPsec and PKI are deployed, the IDTYPE parameter in the
IKEPEER MO can be set to IP or FQDN on the base station side. If this parameter is set to FQDN, the
SeGW should not check the ID of the base station.
Certificates in Huawei base stations and base station controllers are managed based on CMPv2.
With CMPv2, base stations and base station controllers on secure networks can automatically
apply for operator-issued device certificates and update certificates.
CMPv2 complies with IETF RFC 4210, IETF RFC 4211, and draft-ietf-pkix-cmp-transport-
protocols-07. Base stations, base station controllers, or the U2000 use Hypertext Transfer
Protocol/Hypertext Transfer Protocol Secure (HTTP/HTTPS) as the bearer protocol for CMPv2.
Figure 6-1 shows the transport protocol stack for CMPv2.
NOTE
Figure 6-2 shows the topology for managing certificates in base stations and base station
controllers based on CMPv2.
As shown in Figure 6-2, base stations or base station controllers communicate with the operator's
PKI server for CMPv2-based certificate management. The PKI server can be a CA, RA, or
certificate & CRL database.
When the base stations or base station controllers apply for operator-issued device certificates
for the first time, the operator's CA is preconfigured with the Huawei root certificate. The root
certificate verifies Huawei-issued device certificates carried in CMPv2 messages sent by the
base stations or base station controllers. The operator's CA also includes operator-issued device
certificates and root certificates or certificate chains in CMPv2 response messages sent to the
base stations or base station controllers.
When the base stations or base station controllers update certificates, the operator's CA and the
base stations or base station controllers authenticate each other using operator-issued device
certificates and operator's root certificates or certificate chains. In this case, Huawei-issued
device certificates and Huawei root certificates are no longer used.
Figure 6-3 shows how a base station or base station controller applies for a certificate based on
CMPv2.
Figure 6-3 Certificate application process for a base station or base station controller
As shown in Figure 6-3, a base station or base station controller applies for a certificate based
on CMPv2 as follows:
1. The base station or base station controller generates a private-public key pair for an
operator-issued device certificate.
2. The base station or base station controller generates a certificate request message. This
message contains information such as the generated public key, SubjectName field of the
certificate, backup SubjectName field of the certificate, certificate signature algorithm, and
Huawei-issued device certificate.
NOTE
The SubjectName field in the certificate request message contains the Common Name field. Some
CAs require that the Common Name field in certificate request messages be the same as that in
Huawei-issued device certificate. If they are not the same, these CAs will not issue device certificates
(also known as operator-issued device certificates).
In Huawei-issued device certificates preconfigured on some LMPT boards, the Common Name field
uses the format of ESN+space+eNodeB. In this case, to meet the preceding CA requirement, a space
is automatically added to the Common Name field in the certificate request message if the values
of the COMMNAME and USERADDINFO parameters are ESN and eNodeB, respectively. In this
way, the Common Name field in the message is in the format of ESN+space+eNodeB. If the
LOCALNAME parameter is not specified, the DNSName field in the backup SubjectName field
also uses the format of ESN+space+eNodeB.
3. The base station or base station controller uses the generated private key to sign the
certificate request message.
4. The base station or base station controller sends the certificate request message to the CA
by using HTTP.
5. The CA uses the public key in the message to verify the signature, and uses the Huawei
root certificate to verify a Huawei-issued device certificate carried in the message.
6. After the verification succeeds, the CA generates a device certificate for the base station
or base station controller, and uses the private key corresponding to the CA certificate to
sign the generated certificate.
7. The CA generates and then signs an Initialization Response message. This message contains
the device certificate issued by the CA to the base station or base station controller and the
operator's root certificate or certificate chain.
8. The CA sends an Initialization Response message to the base station or base station
controller by using HTTP.
9. The base station or base station controller verifies the signature carried in the response
message.
10. The base station or base station controller verifies the operator's root certificate or certificate
chain and the operator-issued device certificate.
11. After the verification succeeds, the base station or base station controller generates a
confirmation message, indicating that the operator-issued device certificate is accepted.
Then, the base station or base station controller signs the confirmation message.
12. The base station or base station controller sends the confirmation message to the CA using
HTTP.
13. The CA verifies the signature contained in the confirmation message.
14. The CA generates and then signs a confirmation message.
15. The CA sends the confirmation message to the base station or base station controller using
HTTP.
16. The base station or base station controller verifies the signature carried in the confirmation
message and completes the certificate application.
Figure 6-4 shows how a base station or base station controller updates its certificate based on
CMPv2.
Figure 6-4 CMPv2-based certificate update process for a base station or base station controller
As shown in Figure 6-4, a base station or base station controller updates its certificate as follows:
1. The base station or base station controller generates a new private-public key pair.
2. The base station or base station controller generates a key update request message, which
is also the certificate update request. This message includes the new public key and the
operator-issued device certificate to be updated.
3. The base station or base station controller uses the private key corresponding to the device
certificate to sign the key update request message.
4. The base station or base station controller sends the key update request message to the CA
by using HTTP.
5. The CA uses the public key of the operator-issued device certificate carried in the message
to verify the signature in the message. In addition, the CA uses the operator's root certificate
or certificate chain to verify the operator-issued device certificate.
6. After the verification succeeds, the CA generates a new device certificate for the base
station or base station controller. The CA then uses the private key corresponding to the
CA certificate to sign the new certificate.
7. The CA generates and then signs a key update response message. This message contains
the new device certificate.
8. The CA sends the key update response message to the base station or base station controller
by using HTTP.
9. The base station or base station controller verifies the signature contained in the message.
10. The base station or base station controller verifies the new operator-issued device
certificate.
11. After the verification succeeds, the base station or base station controller generates a
confirmation message, indicating that the new operator-issued device certificate is
accepted. Then, the base station or base station controller signs the confirmation message.
12. The base station or base station controller sends the confirmation message to the CA using
HTTP.
13. The CA verifies the signature contained in the confirmation message.
14. The CA generates and then signs a confirmation message.
15. The CA sends the confirmation message to the base station or base station controller using
HTTP.
16. The base station or base station controller verifies the signature carried in the confirmation
message and completes the certificate update.
NOTE
When applying for a certificate for the first time, the base station or base station controller uses a Huawei-
issued device certificate for authentication, and the CA or RA uses the Huawei root certificate to
authenticate the base station or base station controller. During a certificate update procedure, the base
station or base station controller uses an operator-issued device certificate for authentication.
For details about the structure of a CMPv2 message and the process of exchanging CMPv2 messages, see
IETF RFC 4210 and IETF RFC 4211.
7 Related Features
Prerequisite Features
Base Station:
eCoordinator
None
None
eCoordinator
None
Impacted Features
Base Station:
None
eCoordinator
None
8 Network Impact
System Capacity
No impact.
Network Performance
During base station or base station controller deployment, the certificate application process
takes about 10s.
This chapter describes how to deploy the PKI feature on a newly deployed base station.
To interconnect the operator's base stations and base station controllers on the live network with
the PKI system, enable the PKI feature for the base stations and base station controllers.
CA name CANAME(NodeB,BSC6900,BSC6910)
Before deploying the PKI feature for an eCoordinator, engineering personnel must obtain CA
information from CA maintenance personnel. The following table lists the CA information that
needs to be collected.
Before deploying the PKI redundancy feature, engineering personnel also need to collect the
following information.
NodeB
3900 series WCDMA base stations must be configured with a UMPT_U/UTRPc board or a
UMDU board to support the PKI feature.
eNodeB
3900 series LTE base stations must be configured with a UMPT_L/UMPT_T/LMPT/UTRPc
board or a UMDU_L/UMDU_T board to support the PKI feature.
eCoordinator
eCoordinators must be configured with an OMU board to support the PKI feature.
9.4 Requirements
The PKI feature has the following deployment requirements:
NOTE
The rules for activating the license controlling PKI for a multimode base station are as follows:
l In co-transmission scenarios with a separate-MPT multimode base station, the license controlling PKI
needs to be activated for the mode that provides a transmission port. If another mode requires certificate
sharing, the license controlling PKI must also be activated for this mode.
l If a UTRPc board is used to connect to the transport network, the license controlling PKI must be
activated for the mode that manages the board.
For a BSC6900 GU or BSC6910 GU, the license controlling PKI only needs to be activated for one mode,
that is, you can activate either the license for the BSC Supporting PKI feature or the license for the RNC
Supporting PKI feature.
l Two PKI servers are deployed in the operator's network. The requirements for the PKI
servers are the same as those specified for the PKI feature.
l The two PKI servers have the same CA name and root certificate or certificate chain and
synchronize certificate management data between them.
l There are reachable routes between the base station/base station controller and the two PKI
servers.
l The licenses for the PKI redundancy feature have been activated for the base station and
base station controller. The following table lists the licenses controlling PKI redundancy.
NOTE
This section only describes how to deploy the PKI feature by using MML commands or the Configuration
Management Express (CME). For details about how to deploy the PKI feature on the U2000 client, see the
U2000 Help.
A UMDU can be used in a co-MPT multimode base station in the secure networking shown in Figure
9-1. However, a UMDU cannot be used in a separate-MPT multimode base station.
This section describes how to deploy PKI on an eGBTS using a UMPT or UMDU. For details about how
to deploy PKI on an eGBTS using a GTMUb, see 9.6 Deployment of PKI on the eGBTS using a
GTMUb.
Figure 9-1 Example of the secure networking for the eGBTS/NodeB/eNodeB/multimode base
station
You can set the parameter based on site requirements. Table 9-1 lists the data to prepare for the
deployment location of a certificate on the base station (the CERTDEPLOY MO in MML
configurations and the CERTDEPLOY or Certification Deploy Position MO in CME
configurations).
Cabinet No. CN -
Slot No. SN
Table 9-2 lists the data to prepare for a certificate request template (the CERTREQ MO in
MML configurations and the CERTREQ or Certificate Request Configuration MO in CME
configurations).
Common Name COMMNAME The default value of the Common Name Netw
field in a certificate request file is ork
XXX.huawei.com (XXX indicates the plan
ESN of the board connecting to the
transport network). Therefore, the
recommended value of this parameter is
ESN. Currently, this parameter cannot
be set to MAC or IP.
Country COUNTRY -
Organization ORG -
Organization ORGUNIT -
Unit
State or STATEPROVINCE- -
Province NAME
Locality LOCALITY -
The base station must be configured with CA information to apply for a certificate from the CA.
Table 9-3 lists the data to prepare for the CA (the CA MO in MML configurations and the CA
or Certificate Authority MO in CME configurations).
Signature SIGNALG -
Algorithm
NOTE
If O&M data flows are transmitted by the IPsec tunnel, the O&M IP address cannot be used for data that
is not protected by IPsec. If O&M data flows are not transmitted by the IPsec tunnel, the O&M IP address
cannot be used for data that is protected by IPsec.
Table 9-4 lists the data to prepare for a device certificate (the CERTMK MO in MML
configurations and the CERTMK or Device Certificate MO in CME configurations).
Table 9-5 lists the data to prepare for an active certificate (the APPCERT MO in MML
configurations and the APPCERT or Device Certificate in Use MO in CME configurations).
Active certificates are device certificates that are currently used by a base station.
Table 9-6 lists the data to prepare for a trust certificate (the TRUSTCERT MO in MML
configurations and the TRUSTCERT or Trust Certificate MO in CME configurations).
Table 9-7 lists the data to prepare for a periodic certificate validity check task (the
CERTCHKTSK MO in MML configurations and the CERTCHKTSK or Certificate Validity
Check Task MO in CME configurations).
Table 9-7 Data to prepare for a periodic certificate validity check task
(Optional) Prepare CRL data if the base station needs to obtain CRL information from the CA.
Table 9-8 lists the data to prepare for a CRL (the CRL MO in MML configurations and the
CRL or Certificate Revocation List MO in CME configurations).
(Optional) Prepare data related to CRL usage policies. Table 9-9 lists the data to prepare for
these policies (the CRLPOLICY MO in MML configurations and the CRLPOLICY or CRL
Check Policy MO in CME configurations).
(Optional) Prepare data related to a periodic CRL download task. Table 9-10 lists the data to
prepare for the task (the CRLTSK MO in MML configurations and the CRLTSK or CRL
Updating Obtaining Task MO in CME configurations).
Password PWD -
Source IP SIP If this parameter is not set, the base station Netwo
uses the O&M IP address as the source IP rk plan
address to update a CRL.
(Optional) Prepare data to manually download an operator's root certificate or CRL from an FTP
server. Table 9-11 lists the data to prepare for downloading a certificate file (the CERTFILE
MO in MML configurations).
Certificate CT - Network
Type plan
Table 9-12 Data to prepare for applying for a device certificate based on CMPv2
Table 9-13 lists the data to prepare for updating a device certificate (the DEVCERT MO in
MML configurations) based on CMPv2. The corresponding MML command is UPD
DEVCERT.
Table 9-13 Data to prepare for updating a device certificate based on CMPv2
NOTE
If multi-level CAs are deployed in the operator's PKI system, a complete certificate chain must be added.
If the certificates of different levels of CAs in the certificate chain are stored separately, run the ADD
TRUSTCERT command for each certificate you want to add.
Step 1 Run the MML command SET CERTDEPLOY to set the deployment position of a certificate
on the base station. You need to reset the base station to make the configuration take effect.
Step 2 Run the MML command MOD CERTREQ to modify configurations of a certificate request
template.
Step 4 (Optional) Run the MML command DLD CERTFILE to download a trusted operator's root
certificate from the operator's certificate & CRL database. If a certificate application procedure
is automatically triggered, skip this step.
Step 5 Run the MML command ADD TRUSTCERT to add an operator's trust certificate.
Step 6 Run the MML command REQ DEVCERT to set information required for the base station to
apply for an operator-issued device certificate. After the setting takes effect, a certificate
application procedure is triggered. If a certificate application procedure is automatically
triggered, skip this step.
Step 7 Run the MML command MOD APPCERT to modify configurations of an active certificate.
Step 8 Run the MML command SET CERTCHKTSK to set a periodic certificate validity check task.
Step 9 (Optional) Run the MML command DLD CERTFILE to download a CRL from the operator's
certificate & CRL database.
Step 10 (Optional) Run the MML command ADD CRL to add a CRL. If a certificate application
procedure is automatically triggered, skip this step.
Step 11 (Optional) Run the MML command SET CRLPOLICY to set a CRL usage policy.
Step 12 (Optional) Run the MML command ADD CRLTSK to add a periodic CRL download task.
----End
In addition to the preceding steps, perform the following step to manually trigger a certificate
update:
Step 1 Run the MML command UPD DEVCERT to set information about a certificate update. After
the setting takes effect, a CMPv2-based certificate update procedure is triggered.
----End
Step 1 Run the MML command SET CERTDEPLOY to set a board whose certificate is shared.
----End
NOTE
If you run the SET CERTDEPLOY command to set the deployment location of a certificate on a base
station online, the setting takes effect only after the base station is reset.
//Modifying configurations of a certificate request template
MOD CERTREQ: COMMNAME=ESN, USERADDINFO=".huawei.com", COUNTRY="cn", ORG="ITEF",
ORGUNIT="Hw", STATEPROVINCENAME="sc", LOCALITY="cd",
KEYUSAGE=DATA_ENCIPHERMENT-1&DIGITAL_SIGNATURE-1&KEY_AGREEMENT-1&KEY_ENCIPHERMENT-
1, SIGNALG=SHA256, KEYSIZE=KEYSIZE1024, LOCALNAME="abcdefghijklmn.huawei.com",
LOCALIP="10.20.20.188";
//Adding an operator's CA
//If the base station can access the CA either through an external network or
through the intranet and O&M data is protected by IPsec, you are advised to set the
source IP addresses for certificate application and update to an interface IP
address and an O&M IP address (for example, 10.31.31.188), respectively. The
following is an example:
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE= CFG_INIT_UPD_ADDR,
UPDSIP="10.31.31.188",INITREQURL="http://10.89.89.89:80/
pkix/",INITREQSIP="10.20.20.188";
//If the base station can access the CA either through an external network or
through the intranet, and O&M data is not protected by IPsec, you are advised to
set the source IP addresses for certificate application and update to an interface
IP address and an intranet IP address(for example, 10.45.45.45), respectively.
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE= CFG_INIT_UPD_ADDR,
UPDSIP="10.45.45.45",INITREQURL="http://10.89.89.89:80/
pkix/",INITREQSIP="10.20.20.188";
//If the base station can access the CA through only an external network, you are
advised to set the source IP addresses for both certificate application and update
to interface IP addresses. The following is an example:
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE= CFG_INIT_UPD_ADDR,
UPDSIP="10.20.20.188";
//Downloading an operator's root certificate from an FTP server (assume that the
FTP server is deployed on the U2000, indicating that the IP address of the FTP
server is the same as that of the U2000)
DLD
CERTFILE:IP="10.60.60.60",USR="admin",PWD="*****",SRCF="OperationCA.cer",DSTF="Ope
rationCA.cer";
//Adding an operator's root certificate as the trust certificate
ADD TRUSTCERT: CERTNAME="OperationCA.cer";
//Setting information required for the base station to apply for an operator-issued
device certificate based on CMPv2 when the certificate application needs to be
manually triggered
//(skip this step when the certificate application is automatically triggered)
REQ DEVCERT: CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd, CN=eca1",
APPCERT="OPKIDevCert.cer";
//Modifying configurations of an active certificate
MOD APPCERT: APPTYPE=IKE, APPCERT="OPKIDevCert.cer";
NOTE
After the active IKE certificate is changed by running the MOD APPCERT command, if IKE
authentication uses the new certificate and the current IKE SA is normal, the base station automatically
initiates IKE renegotiation.
//Setting a periodic certificate validity check task
SET CERTCHKTSK: ISENABLE=ENABLE, PERIOD=7, ALMRNG=30, UPDATEMETHOD=CMP;
//(Optional) Downloading the CRL file from the FTP server. If the FTP server is
deployed on the U2000, the IP address of the FTP server is the same as that of the
U2000.
DLD
CERTFILE:IP="10.60.60.60",USR="admin",PWD="*****",SRCF="eNodeB.crl",DSTF="eNodeB.c
rl";
//(Optional) Loading the CRL file
ADD CRL: CERTNAME="eNodeB.crl";
//(Optional) Setting a CRL usage policy
SET CRLPOLICY:CRLPOLICY= NOVERIFY;
//(Optional) Adding a task of periodically downloading the CRL
ADD CRLTSK: IP="10.86.86.86", USR="admin", PWD="*****", FILENAME="eNodeB.crl",
ISCRLTIME=DISABLE, PERIOD=24, TSKID=0, CRLGETMETHOD=FTP;
NOTE
When you run the UPD DEVCERT command to update a certificate, if the base station is performing IKE
or SSL negotiation, the certificate update fails. You need to execute this command after the negotiation is
complete.
Using the CME in Batch Configuration for Newly Deployed Base Stations
You can use either of the following methods to deploy the PKI feature for newly deployed base
stations: CME Summary batch configuration and CME transport security wizard configuration.
Fill the settings of the parameters listed in Table 9-14 into a summary data file, which also
contains data for the base stations to be deployed. Then, import the summary data file into the
CME.
l If the MOs listed in Table 9-14 are contained in a scenario-specific summary data file,
verify the parameters related to the MOs and save the file.
l If some MOs listed in Table 9-14 are not contained in a scenario-specific summary data
file, customize a summary data file to include these MOs.
For instructions about performing batch configuration for each type of base station, see the
following sections in 3900 Series Base Station Initial Configuration Guide for diffident base
stations:
You can use the transport security wizard to configure the parameters for the PKI and IPsec
features on the CME. The wizard will guide you to configure most of the key parameters for
PKI and IPsec networking. After the wizard configuration is completed, the CME automatically
imports the configured parameters to the Summary data file and prompts which parameters
should be manually configured in the Summary data file (for example, the UPDSIP parameter
in the CA MO).
Figure 9-2 shows the procedure for configuring data using the CME transport security wizard.
Figure 9-2 Procedure for configuring data using the CME transport security wizard
After completing configurations on the CME transport security wizard, the IPsec and PKI
parameter setting tables are exported, displaying the IPsec and KPI parameters that have been
configured and the parameters that need to be manually configured in the summary data file.
You can adjust the configured parameters in the summary data file based on the actual conditions.
The CME transport security wizard has the following restrictions for configuring PKI:
NOTE
For the IPsec attribute selection, see section 10.6.1 Using the CME in Batch Configuration for Newly
Deployed Base Stations in IPsec Feature Parameter Description.
l The following table lists the PKI parameters to be configured.
For the configuration path and interface for the transport security wizard, see Transport Security
Wizard in the "Introduction to the Wizards for Customizing a Data File" section of CME Product
Documentation.
the main menu of the U2000 client, or choose LTE Application > Export Data > Export
Base Station Bulk Configuration Data from the main menu of the CME client.
Step 3 After filling the MO data listed in Table 9-14 into the summary data file, close the file.
Step 4 Import the summary data file into the CME.
l For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS
Application > Import Base Station Bulk Configuration Data from the main menu of the
U2000 client, or choose SRAN Application > MBTS Application > Import Data > Import
Base Station Bulk Configuration Data from the main menu of the CME client.
l For separate-MPT GSM-involved multimode base stations or GO base stations: Choose
CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data
from the main menu of the U2000 client, or choose GSM Application > Import Data >
Import eGBTS Bulk Configuration Data from the main menu of the CME client.
l For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose
CME > UMTS Application > Import Data > Import Base Station Bulk Configuration
Data from the main menu of the U2000 client, or choose UMTS Application > Import
Data > Import Base Station Bulk Configuration Data from the main menu of the CME
client.
l For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME
> LTE Application > Import Data > Import Base Station Bulk Configuration Data from
the main menu of the U2000 client, or choose LTE Application > Import Data > Import
Base Station Bulk Configuration Data from the main menu of the CME client.
----End
For details about how to import and export data, see the U2000 Help.
Step 1 Run the MML command DSP APPCERT to check the status of device certificates.
If the values of Certificate File Name, Issuer, and Common Name are correct and the value
of Status is Normal in the query result, the device certificate has been loaded to the base station.
Step 2 Run the MML command DSP TRUSTCERT to check the status of trust certificates.
If the value of Status is Normal in the query result, the trust certificate has been loaded to the
base station.
Step 3 (Optional) Run the MML command DSP CRL to check the CRL status.
If the value of Status is Normal in the query result, the CRL has been loaded to the base station.
----End
Step 1 Run the MML command DSP CERTSYNCINFO to check the status of certificate sharing.
If the value of Status is Normal in the query result, certificate sharing is successful.
----End
9.5.4 Deactivation
Step 1 Run the MML command RMV CA to remove the CA.
Step 2 (Optional) Run the MML command RMV CRLTSK to remove the task of automatically
updating CRL whose CRLGETMETHOD is set to LDAP.
----End
Figure 9-3 Example of the secure networking for the eGBTS using a GTMUb
NOTE
In the following tables, the hyphen (-) indicates that there is no special requirement for the parameter setting.
You can set the parameter based on site requirements.
Table 9-15 lists the data to prepare for applying for a certificate from the CA (the SSL MO in
MML configurations).
Table 9-15 Data to prepare for applying for a certificate from the CA
Common Name This parameter is The value of the Common Name field in Netw
manually set on the a certificate request file consists of ork
CA and it does not Common Name+Common Name plan
have a parameter ID. Additional Info. The recommended
value of the Common Name field is
XXX.huawei.com (XXX indicates the
ESN of the board connecting to the
transport network).
Key Usage This parameter is This parameter can be set to one or more
manually set on the of the following values:
CA and it does not DIGITAL_SIGNATURE,
have a parameter ID. KEY_ENCIPHERMENT,
KEY_AGREEMENT, and
DATA_ENCIPHERMENT. The
recommended values are
DIGITAL_SIGNATURE and
KEY_ENCIPHERMENT. If this
parameter is set to DIGITAL_SIGNA-
TURE, the key is used to verify the peer's
digital signature during a CMPv2-based
certificate application or update, IKE
negotiation, and SSL authentication. If
this parameter is set to
KEY_ENCIPHERMENT, the key is
used to encrypt transmission data during
IKE negotiation, IPsec negotiation, or
SSL-based key exchange.
Local Name This parameter is l If this parameter is not set, the default
manually set on the value of the Common Name field in a
CA and it does not certificate is used.
have a parameter ID. l If this parameter is set, the value of the
Local Name field in a certificate must
be the same as the value of this
parameter.
Public PUBCERT -
Certificate File
Name
Certificate CRLENABLESTA -
Revocation List
File Enabled
State
Certificate CRL -
Revocation List
File Name
Certificate CERTCHAIN -
Chain File
Name
Table 9-16 lists the data to prepare for the deployment location of a certificate on the base station
(the CERTDEPLOY MO in MML configurations and the CERTDEPLOY or Certification
Deploy Position MO in CME configurations).
Cabinet No. CN -
Slot No. SN
Table 9-17 lists the data to prepare for downloading an operator's root certificate, public key,
private key, or CRL file from an FTP server. The corresponding MML command is DLD
GENFILE.
NOTE
If multi-level CAs are deployed in the operator's PKI system and the local certificate chain is different from
the peer certificate chain, you also need to run the SET CERTFILE command to configure the peer
certificate chain.
Step 1 Upload the operator's root certificate and CRL file to the FTP server.
Step 2 Based on the data plan listed in Table 9-15, apply for a device certificate from the CA, and
upload the public key certificate (device certificate) and private key file generated by the CA to
the FTP server.
Step 3 Run the SET CERTDEPLOY command to set Certification Deploy Position Type to NULL
(NULL).
Step 4 Run the DLD GENFILE command to download the operator's root certificate, public key
certificate, private key file, and CRL file from the FTP server.
Step 5 Run the SET CERTFILE command to set the operator's root certificate, public key certificate,
private key file, and CRL file.
----End
Step 2 On the U2000 client in tradition style, choose Security > Certificate Authentication
Management > SSL Connection Management to open the SSL Connection Management
window. Alternatively, on the Application Center tab page of the U2000 client in application
style, double-click Security Management. Then, choose NE Security > Certificate
Authentication Management > SSL Connection Management to open SSL Connection
Management window. Then, observe Connection Status of the base station.
If the value of Connection Status is Connected, an SSL connection has been successfully
established.
Step 3 Run the MML command SET CONNTYPE to set Connection Type to SSL(Only SSL
Connection).
Step 4 In the SSL Connection Management window, select the base station, and then observe the SSL
connection status.
If the value of Connection Status is Connected, an SSL connection has been successfully
established.
----End
9.6.4 Deactivation
None
NOTE
This section only describes how to deploy the PKI feature by using MML commands or the CME. For
details about how to deploy the PKI feature on the U2000 client, see the U2000 Help.
Figure 9-4 Example of the secure networking for the GBTS (GTMUb+UTRPc)
In the following tables, the hyphen (-) indicates that there is no special requirement for the parameter setting.
You can set the parameter based on site requirements.
Table 9-18 lists the data to prepare for the deployment location of a certificate on the GBTS
(the BTSCERTDEPLOY MO in MML configurations and the BTSCERTDEPLOY or BTS
Certification Deploy Position MO in CME configurations).
Table 9-18 Data to be prepared for the deployment location of a certificate on the GBTS
Cabinet No. CN -
Slot No. SN
GBTSs must be configured with information about a CA so that they can apply for certificates
from the CA. Table 9-19 lists the data to prepare for the CA (the BTSCA MO in MML
configurations and the BTSCA or BTS Certificate Authority MO in CME configurations).
Table 9-20 lists the data to prepare for a certificate request template (the BTSCERTREQ MO
in MML configurations and the BTSCERTREQ or BTS Certreq File Configuration MO in
CME configurations).
Country COUNTRY -
Organizati ORG -
on
Organizati ORGUNIT -
on Unit
State or STATEPROVINCENAME -
Province
Locality LOCALITY -
Table 9-21 lists the data to prepare for a device certificate (the BTSCERTMK MO in MML
configurations and the BTSCERTMK or BTS Device Certificate MO in CME configurations).
Table 9-22 lists the data to prepare for an active certificate (the BTSAPPCERT MO in MML
configurations and the BTSAPPCERT or BTS Application's Certificate MO in CME
configurations). Active certificates are device certificates that are currently used by a GBTS.
Table 9-23 lists the data to prepare for a trust certificate (the BTSTRUSTCERT MO in MML
configurations and the BTSTRUSTCERT or BTS Trust Certificate MO in CME
configurations).
Table 9-24 lists the data to prepare for a periodic certificate validity check task (the
BTSCERTCHKTSK MO in MML configurations and the BTSCERTCHKTSK or BTS
Certificate Checking Task MO in CME configurations).
Table 9-24 Data to be prepared for a periodic certificate validity check task
(Optional) Prepare CRL data if GBTSs need to obtain CRL information from the CA. Table
9-25 lists the data to prepare for a CRL (the BTSCRL MO in MML configurations and the
BTSCRL or BTS CRL MO in CME configurations).
(Optional) Prepare data related to CRL usage policies. Table 9-26 lists the data to prepare for
these policies (the BTSCRLPOLICY MO in MML configurations and the
BTSCRLPOLICY or BTS CRL Using Policy MO in CME configurations).
(Optional) Prepare data related to a periodic CRL download task. Table 9-27 lists the data to
prepare for the task (the BTSCRLTSK MO in MML configurations and the BTSCRLTSK or
BTS CRL Updating Task MO in CME configurations).
Password PWD -
(Optional) Prepare data to manually download an operator's root certificate or CRL from an FTP
server. Table 9-28 lists the data to prepare for downloading a certificate file.
Table 9-29 Data to be prepared for applying for a device certificate based on CMPv2
(Optional) Prepare data to manually trigger a CMPv2-based certificate update. Table 9-30 lists
the data to prepare for updating a device certificate (the BTSDEVCERT MO in MML
configurations) based on CMPv2.
Table 9-30 Data to be prepared for updating a device certificate based on CMPv2
Step 1 Run the MML command SET BTSCERTDEPLOY to set the deployment position of a
certificate on the GBTS.
Step 2 Run the MML command MOD BTSCERTREQ to modify configurations of a certificate
request template.
Step 3 Run the MML command ADD BTSCA to add an operator's CA.
Step 4 Run the MML command DLD BTSCERTFILE to download a trusted operator's root certificate
from the operator's certificate & CRL database.
Step 5 Run the MML command ADD BTSTRUSTCERT to add an operator's trust certificate.
Step 6 Run the MML command REQ BTSDEVCERT to set information required for the GBTS to
apply for an operator-issued device certificate. After the setting takes effect, a certificate
application procedure is triggered. If a certificate application procedure is automatically
triggered, skip this step.
Step 7 Run the MML command MOD BTSAPPCERT to modify configurations of an active
certificate.
Step 8 Run the MML command SET BTSCERTCHKTSK to set a periodic certificate validity check
task.
Step 9 (Optional) Run the MML command DLD BTSCERTFILE to download a CRL from the
operator's certificate & CRL database.
Step 10 (Optional) Run the MML command ADD BTSCRL to add a CRL.
Step 11 (Optional) Run the MML command SET BTSCRLPOLICY to set a CRL usage policy.
Step 12 (Optional) Run the MML command ADD BTSCRLTSK to add a periodic CRL download task.
----End
In addition to the preceding steps, perform the following step to manually trigger a certificate
update:
Step 1 Run the MML command UPD BTSDEVCERT to set information about a certificate update.
After the setting takes effect, a CMPv2-based certificate update procedure is triggered.
----End
NOTE
l If you run the MML command SET BTSCERTDEPLOY to set the deployment location of a certificate
on a base station online, the setting takes effect only after the base station is reset.
//Modifying configurations of a certificate request template
MOD BTSCERTREQ: IDTYPE=BYID, BTSID=0, COMMNAME=ESN, USERADDINFO=".huawei.com",
COUNTRY="cn", ORG="ITEF", ORGUNIT="hw", STATEPROVINCENAME="sc", LOCALITY="cd",
KEYUSAGE=DATA_ENCIPHERMENT-1&DIGITAL_SIGNATURE-1&KEY_AGREEMENT-1&KEY_ENCIPHERMENT-
1, SIGNALG=SHA256, KEYSIZE=KEYSIZE1024, LOCALNAME="abcdefghijklmn.huawei.com",
LOCALIP="10.20.20.188";
//Adding an operator's CA
ADD BTSCA: IDTYPE=BYID, BTSID=0, CANAME="C = AU, S = Some-State, O = Internet
Widgits Pty Ltd, CN = eca1", URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256;
//Downloading an operator's root certificate from the operator's certificate & CRL
database
DLD BTSCERTFILE: IDTYPE=BYID, BTSID=0, IP="10.86.86.86", USR="admin",PWD="*****",
SRCF="OperationCA.cer", DSTF="OperationCA.cer", CT=TRUSTCERT;
//Adding an operator's root certificate as the trust certificate
ADD BTSTRUSTCERT: IDTYPE=BYID, BTSID=0, CERTNAME="OperationCA.cer";
//Setting information required for the base station to apply for an operator-issued
device certificate based on CMPv2 when the certificate application needs to be
manually triggered
//(skip this step when the certificate application is automatically triggered)
REQ BTSDEVCERT: IDTYPE=BYID, BTSID=0, CANAME="C=AU, S=Some-State, O=Internet
Widgits Pty Ltd, CN=eca1", APPCERT="OPKIDevCert.cer";
//Modifying configurations of an active certificate
MOD BTSAPPCERT: IDTYPE=BYID, BTSID=0, APPTYPE=IKE, APPCERT="OPKIDevCert.cer";
//Setting a periodic certificate validity check task
SET BTSCERTCHKTSK: IDTYPE=BYID, BTSID=0,ISENABLE=ENABLE, PERIOD=7, ALMRNG=30,
UPDATEMETHOD=CMP;
//Downloading a CRL from the operator's certificate & CRL database
DLD BTSCERTFILE: IDTYPE=BYID, BTSID=0, IP="10.86.86.86", USR="admin",PWD="*****",
SRCF="BTS.crl", DSTF="BTS.crl", CT=CRL;
//(Optional) Adding a CRL
ADD BTSCRLPOLICY: IDTYPE=BYID, BTSID=0, CERTNAME="BTS.crl";
//Setting a CRL usage policy
SET BTSCRL: IDTYPE=BYID, BTSID=0, CRLPOLICY=NOVERIFY;
//Adding a periodic CRL download task
ADD BTSCRLTSK: IDTYPE=BYID, BTSID=0,IP="10.86.86.86", USR="admin", PWD="*****",
FILENAME="BTS.crl", ISCRLTIME=DISABLE, PERIOD=24, TSKID=0, CRLGETMETHOD=FTP;
Using the CME in Batch Configuration for Newly Deployed Base Stations
Fill the settings of the parameters listed in Table 9-31 into a summary data file, which also
contains data for the base stations to be deployed. Then, import the summary data file into the
CME.
l If the MOs listed in Table 9-31 are contained in a scenario-specific summary data file,
verify the parameters related to the MOs and save the file.
l If some MOs listed in Table 9-31 are not contained in a scenario-specific summary data
file, customize a summary data file to include these MOs.
Step 1 Choose CME > Advanced > Customize Summary Data File from the main menu of a U2000
client, or choose Advanced > Customize Summary Data File from the main menu of a CME
client, to customize a summary data file for batch reconfiguration.
Step 2 Export the NE data stored on the CME into the customized summary data file.
l For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS
Application > Export Data > Export Base Station Bulk Configuration Data from the
main menu of the U2000 client, or choose SRAN Application > MBTS Application >
Export Data > Export Base Station Bulk Configuration Data from the main menu of the
CME client.
l For separate-MPT GSM-involved multimode base stations or GO base stations: Choose
CME > GSM Application > Export Data > eGBTS Bulk Configuration Data from the
main menu of the U2000 client, or choose GSM Application > Export Data > Export
eGBTS Bulk Configuration Data from the main menu of the CME client.
l For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose
CME > UMTS Application > Export Data > Export Base Station Bulk Configuration
Data from the main menu of the U2000 client, or choose UMTS Application > Export Data
> Export Base Station Bulk Configuration Data from the main menu of the CME client.
l For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME
> LTE Application > Export Data > Export Base Station Bulk Configuration Data from
the main menu of the U2000 client, or choose LTE Application > Export Data > Export
Base Station Bulk Configuration Data from the main menu of the CME client.
Step 3 After filling the MO data listed in Table 9-31 into the summary data file, close the file.
For details about how to import and export data, see the U2000 Help.
----End
Run the MML command DSP BTSAPPCERT and check the value of Status in the query result.
If Normal is displayed, the device certificate has been loaded to the GBTS.
Run the MML command DSP BTSTRUSTCERT and check the value of Status in the query
result. If Normal is displayed, the trust certificate has been loaded to the GBTS. The following
is an example.
Run the MML command DSP BTSCRL and check the value of Status in the query result. If
Normal is displayed, the CRL has been loaded to the GBTS. The following is an example.
----End
9.7.4 Deactivation
Step 1 Run the MML command RMV CA to remove the CA.
Step 2 (Optional) Run the MML command RMV CRLTSK to remove the task of automatically
updating CRL whose CRLGETMETHOD is set to LDAP.
----End
NOTE
This section only describes how to deploy the PKI feature by using MML commands or the CME. For
details about how to deploy the PKI feature on the U2000 client, see the U2000 Help.
Figure 9-5 Example of the secure networking for the base station controller
In the following tables, the hyphen (-) indicates that there is no special requirement for the parameter setting.
You can set the parameter based on site requirements.
Table 9-32 lists the data to be prepared for a certificate request template (the CERTREQ MO
in MML configurations and the CERTREQ or Certificate Request Configuration MO in
CME configurations).
Common Name COMMNAME The default value of the Common Name Net
(BSC6900, field in a certificate request file is work
BSC6910) XXX.huawei.com (XXX indicates the ESN plan
of the board connecting to the transport
network). Therefore, the recommended
value of this parameter is ESN. Currently,
this parameter cannot be set to MAC or
IP.
Country COUNTRY -
(BSC6900,
BSC6910)
Organization ORG -
(BSC6900,
BSC6910)
Organizational ORGUNIT -
Unit (BSC6900,
BSC6910)
Locality LOCALITY -
(BSC6900,
BSC6910)
Local Name LOCALNAME If this parameter is not set, the default value
(BSC6900, of the Common Name field in a certificate
BSC6910) is used. If this parameter is set, the value of
the Common Name field in a certificate
must be the same as the value of this
parameter.
The base station controller must be configured with CA information to apply for a certificate
from the CA. The following table lists the data to be prepared for the CA (the CA MO in MML
configurations and the CA or Certificate Authority MO in CME configurations).
Signature SIGNALG -
Algorithm (BSC6900,
BSC6910)
Table 9-34 lists the data to be prepared for a device certificate (the CERTMK MO in MML
configurations and the CERTMK or Device Certificate MO in CME configurations).
Table 9-35 lists the data to be prepared for an active certificate (the APPCERT MO in MML
configurations and the APPCERT or Device Certificate in Use MO in CME configurations).
Active certificates are device certificates that are currently used by a base station controller.
Table 9-36 lists the data to be prepared for a trust certificate (the TRUSTCERT MO in MML
configurations and the TRUSTCERT or Trusted Certificate MO in CME configurations).
Table 9-37 lists the data to be prepared for a periodic certificate validity check task (the
CERTCHKTSK MO in MML configurations and the CERTCHKTSK or Certificate Validity
Check Task MO in CME configurations).
Table 9-37 Data to be prepared for a periodic certificate validity check task
(Optional) Prepare CRL data if the base station controller needs to obtain the CRL information
from the CA. Table 9-38 lists the data to be prepared for a CRL (the CRL MO in MML
configurations and the CRL or Certificate Revocation List MO in CME configurations).
(Optional) Prepare data related to CRL usage policies. Table 9-39 lists the data to be prepared
for these policies (the CRLPOLICY MO in MML configurations and the CRLPOLICY or
CRL Check Policy MO in CME configurations).
(Optional) Prepare data related to a periodic CRL download task. Table 9-40 lists the data to be
prepared for the task (the CRLTSK MO in MML configurations and the CRLTSK or CRL
Updating Obtaining Task MO in CME configurations).
Password PWD -
(BSC6900,BSC6910
)
(Optional) Prepare data to manually download an operator's root certificate or CRL from an FTP
server. Table 9-41 lists the data to be prepared for downloading a certificate file (the DLD
CERTFILE in MML configurations).
Table 9-42 Data to be prepared for applying for a device certificate based on CMPv2
Parameter Parameter ID Setting Notes Data
Name Sourc
e
(Optional) Prepare data to manually trigger a CMPv2-based certificate update. Table 9-43 lists
the data to be prepared for updating a device certificate (the UPD DEVCERT in MML
configurations) based on CMPv2.
Table 9-43 Data to be prepared for updating a device certificate based on CMPv2
Step 1 Run the MML command MOD CERTREQ to modify configurations of a certificate request
template.
Step 3 Run the MML command LST APPCERT to check whether the base station controller has been
configured with a device certificate for identity authentication. If the value of Certificate File
Name in the command output is usercert.pem, the preconfigured Huawei-issued device
certificate is used. In this case, go to step 4. If the value is hwusercert.pem, the preconfigured
Huawei-issued device certificate which is bound to the OMU ESN is used. In this case, go to
step 5.
Step 4 Perform the following steps to manually configure an operator-issued device certificate for the
base station controller on the U2000:
1. Run the MML command CRE CERTREQFILE to generate the certificate request file.
2. Run the MML command ULD CERTFILE to send the local certificate request file to the
U2000 to apply for the device certificate.
3. The U2000 applies to the operator's CA for a certificate. You can manually operate the
U2000 to submit the update request file to the operator's CA for an operator-issued device
certificate. Then, the CA returns the operator-issued device certificate to the U2000 by
manual operation.
4. Run the MML command DLD CERTFILE to download the operator's root certificate.
5. Run the MML command ADD TRUSTCERT to add an operator's trust certificate.
6. Run the MML command DLD CERTFILE to download the requested device certificate.
7. Run the MML command ADD CERTMK to add the device certificate to the base station
controller.
8. Go to step 6.
Step 5 Run the MML command REQ DEVCERT to apply an operator-issued device certificate for
the base station controller.
NOTE
If the certificate application succeeds, running the MML command REQ DEVCERT will return a message
about successful execution. In addition, running the MML command DSP CERTMK can query whether
a certificate has been applied.
Step 6 On the U2000, choose Security > Certificate Authentication Management > Certificate
Management. In the displayed interface, click Test to check whether SSL connection can be
established between the base station controller and the U2000.
NOTE
Bidirectional authentication is used for SSL certificate testing. That is, the base station controller and U2000
authenticate the device certificates of each other. The SSL certificate testing result reflects whether the
certificates can be used.
Step 7 Run the MML command MOD APPCERT to modify configurations of an active certificate.
Step 8 Run the MML command SET CERTCHKTSK to set a periodic certificate validity check task.
Step 9 (Optional) Run the MML command DLD CERTFILE to download a CRL from the operator's
certificate & CRL database.
Step 10 (Optional) Run the MML command ADD CRL to add a CRL.
Step 11 (Optional) Run the MML command SET CRLPOLICY to set a CRL usage policy.
Step 12 (Optional) Run the MML command ADD CRLTSK to add a periodic CRL download task.
----End
In addition to the preceding steps, perform the following step to manually trigger a certificate
update:
Step 1 Run the MML command UPD DEVCERT to set information about a certificate update. After
the setting takes effect, a CMPv2-based certificate update procedure is triggered.
----End
KEYUSAGE=DATA_ENCIPHERMENT-1&DIGITAL_SIGNATURE-1&KEY_AGREEMENT-1&KEY_ENCIPHERMENT-
1, SIGNALG=SHA256, KEYSIZE=KEYSIZE1024, LOCALNAME="abcdefghijklmn.huawei.com",
LOCALIP="10.120.20.188";
//Adding the operator's CA
//Adding the operator's CA If the base station controller can access the CA only
through an external network, you are advised to set the external virtual IP address
of the base station controller for certificate application and update. The
following is an example: ADD CA: CANAME="C = AU, S = Some-State, O = Internet
Widgits Pty Ltd, CN = eca1", URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256,
MODE= CFG_UPD_SIP, UPDSIP="10.120.20.188";
//Setting information required for the base station controller to apply for an
operator-issued device certificate based on CMPv2 when the application needs to be
manually triggered
REQ DEVCERT: CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd, CN=eca1",
APPCERT="OPKIDevCert.cer";
Run the MML command DSP APPCERT and check the values of the Certificate File Name,
Issuer, Common Name, and Status parameters in the query result. If the values of Certificate
File Name, Issuer, and Common Name are correct and the value of Status is Normal, the
device certificate has been loaded to the base station controller. The following is an example.
----End
9.8.4 Deactivation
Step 1 Run the MML command RMV CA to remove the CA.
Step 2 (Optional) Run the MML command RMV CRLTSK to remove the task of automatically
updating CRL whose CRLGETMETHOD is set to LDAP.
----End
NOTE
This section only describes how to deploy the PKI feature by using MML commands or the CME. For
details about how to deploy the PKI feature on the U2000 client, see the U2000 Help.
l Managed objects (MOs) include parameters and MML commands related to the MOs. For details, see
ECO6910 Parameter Reference.
l In the following tables, the hyphen (-) indicates that there is no special requirement for the parameter
setting. You can set the parameter based on site requirements.
Table 9-44 lists the data to prepare for a certificate request template (the CERTREQ MO in
MML configurations).
Common Name COMMNAME The common name can only be the Network
electronic serial number (ESN). plan
Enumeration values such as MAC and
IP are not supported. Upon the
generation of a certificate request file,
the value of the ESN is used as the
common name of the certificate request
file.
Country COUNTRY -
Organization ORG -
Organizational ORGUNIT -
Unit
Locality LOCALITY -
Local IP LOCALIP -
NOTE
There is a Common Name field in both the certificate request message sent from the U2000 to the CA/RA
and the obtained digital certificate. The value of this field is a combination of the values for Common
Name and Common Name Additional Info., for example, 03021377001000001.huawei.com.
Table 9-45 lists the data to prepare for a device certificate (the CERTMK MO in MML
configurations).
NOTE
You can run the LST CERTFILE command to query all certificates on the eCoordinator. If the query
result shows that a certificate is inactive, run the ADD CERTMK command to activate it.
Table 9-46 lists the data to prepare for an active certificate (the APPCERT MO in MML
configurations). Active certificates are device certificates that are currently used by the
eCoordinator.
Application Type APPTYPE This parameter must be set to SSL because Network
the eCoordinator does not support IKE plan
currently.
Certificate File APPCERT The certificate file name must have been
Name configured in a CERTMK MO.
Table 9-47 lists the data to prepare for a trust certificate (the TRUSTCERT MO in MML
configurations).
Table 9-48 lists the data to prepare for a periodic certificate validity check task (the
CERTCHKTSK MO in MML configurations).
Table 9-48 Data to prepare for a periodic certificate validity check task
(Optional) If the eCoordinator needs to obtain CRL information from the CA, the following data
must be prepared:
l Data to prepare for a CRL (the CRL MO in MML configurations). For details, see Table
9-49.
l Data to prepare for CRL usage policies (the CRLPOLICY MO in MML configurations).
For details, see Table 9-50.
l Data to prepare for a periodic CRL download task (the CRLTSK MO in MML
configurations). For details, see Table 9-51.
CRL Using Policy CRLPOLICY The default value of this parameter is Network
NOVERIFY. Operators can set this plan
parameter based on site requirements.
Password PWD -
(Optional) Prepare data to manually download an operator's root certificate or CRL from an FTP
server. Table 9-52 lists the data to prepare for downloading a certificate file (the CERTFILE
MO in MML configurations).
Step 1 Configure an operator's root certificate. For details, see Operation and Maintenance > Security
Management > Data Management > Configuring Digital Certificates > Importing CA
Certificates in U2000 Product Documentation.
Step 2 Configure and activate an operator-issued device certificate. For details, see Operation and
Maintenance > Security Management > Data Management > Configuring Digital
Certificates > Manually Installing a Device Certificate in U2000 Product Documentation.
Step 3 Obtain a CRL. For details, see Operation and Maintenance > Security Management > Data
Management > Obtaining the Certificate Revocation List in U2000 Product
Documentation.
----End
Step 1 Run the MML command MOD CERTREQ to modify configurations of a certificate request
template.
Step 2 Run the MML command CRE CERTREQFILE to generate the certificate request file.
Step 3 Run the MML command ULD CERTFILE to upload the certificate request file to the U2000.
Step 4 O&M personnel submit the certificate request file uploaded to the U2000 in Step 3 to the
operator's CA, obtain the operator-issued device certificate from the operator's CA, and save the
device certificate to the U2000.
Step 5 Run the MML command DLD CERTFILE to download the operator's root certificate from the
U2000 to the eCoordinator.
Step 6 Run the MML command ADD TRUSTCERT to add an operator's trust certificate.
Step 7 Run the MML command DLD CERTFILE to download the operator-issued device certificate
to the eCoordinator.
Step 8 Run the MML command ADD CERTMK to add the operator-issued device certificate to the
eCoordinator.
Step 9 Run the MML command MOD APPCERT to modify configurations of an active certificate.
Step 10 Run the MML command SET CERTCHKTSK to set a periodic certificate validity check task.
Step 11 (Optional) Run the MML command DLD CERTFILE to download a CRL from the operator's
certificate & CRL database.
Step 12 (Optional) Run the MML command ADD CRL to add a CRL.
Step 13 (Optional) Run the MML command SET CRLPOLICY to set a CRL usage policy.
Step 14 (Optional) Run the MML command ADD CRLTSK to add a periodic CRL download task.
----End
Step 1 Run the MML command DSP APPCERT to check the status of device certificates. If the values
of Certificate File Name, Issuer, and Common Name are correct and the value of Status is
Normal, the device certificate has been loaded to the eCoordinator.
Step 2 Run the MML command DSP TRUSTCERT to check the status of trust certificates. If the value
of Status is Normal in the query result, the trust certificate has been loaded to the eCoordinator.
Step 3 (Optional) Run the MML command DSP CRL to check the CRL status. If the value of Status
is Normal in the query result, the CRL has been loaded to the eCoordinator.
----End
9.9.4 Deactivation
This feature does not need to be deactivated.
NOTE
This section only describes how to deploy PKI redundancy by using the MML commands or the CME. For
details about how to deploy PKI on the U2000 client, see the U2000 Help.
A UMDU can be used in a co-MPT multimode base station in the secure networking shown in Figure
9-7. However, a UMDU cannot be used in a separate-MPT multimode base station.
Figure 9-7 Example of the secure networking for the eGBTS/NodeB/eNodeB/multimode base
station
The following table lists the additional data to prepare for the CA (the CA MO).
(Optional) The following table lists the additional data to prepare for a periodic CRL download
task.
//If the base station can access the CA only through an external network, you are
advised to set the source IP addresses for both certificate application and update
to interface IP addresses. The following is an example:
ADD CA:CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN =
eca1",URL="http://10.88.88.88:80/
pkix/",SIGNALG=SHA256,MODE=CFG_INIT_UPD_ADDR,UPDSIP="10.20.20.188",SLVURL="http://
10.98.98.98:80/pkix/",CERTREQSW=DEFAULT;
//(Optional) Adding a periodic CRL download task
ADD CRLTSK: IP="10.86.86.86", USR="admin", PWD="*****", FILENAME="eNodeB.crl",
ISCRLTIME=DISABLE, PERIOD=24, TSKID=0, CRLGETMETHOD=FTP, SLVIP="10.96.96.96",
SLVUSR="admin2", SLVPWD="*****";
----End
9.10.4 Deactivation
Step 1 Run the MML command RMV CA to remove the CA.
Step 2 (Optional) Run the MML command RMV CRLTSK to remove the task of automatically
updating CRL whose CRLGETMETHOD is set to LDAP.
----End
The following table lists the additional data to prepare for the CA (the CA MO).
(Optional) The following table lists the additional data to prepare for a periodic CRL download
task.
In the PKI redundancy scenario, the configurations of the CA and periodic CRL download task
are as follows:
//Adding the operator's CA
//If the base station controller can access the CA only through an external
network, you are advised to set the virtual IP address of the base station
controller in the external network for certificate update. The following is an
example:
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE= CFG_UPD_SIP,
UPDSIP="10.120.20.188",SLVURL="http://10.98.98.98:80/pkix/";
//(Optional) Adding a periodic CRL download task
ADD CRLTSK: TSKID=1, IP="10.86.86.86", CRLGETMETHOD=LDAP, PORT=389, USR="admin",
PWD="*****", FILENAME="bsc.crl", ISCRLTIME=ENABLE, SIP="10.120.20.188",
SLVIP="10.86.86.90", SLVPORT=389, SLVUSR="test", SLVPWD="*****", SEARCHDN="C = AU,
S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1";
Run the MML command DSP CERTMK. In the command output, CA URL Last Used
indicates the URL of the standby CA, and Last Update Time of Certificate indicates the time
of the latest certificate update.
Run the MML command DSP CRL. In the command output, CRL Server IP Address Last
Used indicates the IP address of the standby CRL, and Last Update Time of CRL indicates the
time of the latest CRL obtaining.
----End
9.11.4 Deactivation
Step 1 Run the MML command RMV CA to remove the CA.
Step 2 (Optional) Run the MML command RMV CRLTSK to remove the task of automatically
updating CRL whose CRLGETMETHOD is set to LDAP.
----End
Figure 9-8 Example of reconstructing a PKI-based secure network into a PKI redundancy network on the eGBTS,
NodeB, eNodeB, or multimode base station
NOTE
A UMDU can be used in a co-MPT multimode base station in the secure networking shown in Figure
9-8.
General Procedure
Data Planning
In additional to the original configuration data, you need to configure data for the standby CA
and standby CRL server.
The following table lists the data to prepare for the standby CA.
(Optional) The following table lists the data to prepare for a periodic CRL download task.
Slave Port No. SLVPORT This parameter can be set only Network
when PKI redundancy is plan
enabled.
For details, see "Using the CME in Batch Configuration for Existing Base Stations" in section
9.5.2 Initial Configuration.
2. On the Application Center tab page, double-click the CME icon to start the CME.
3. On the CME, choose CM Express > Planned Area, and click to export the
incremental script.
4. In the Export Incremental Scripts dialog box, choose a specific base station to which the
script is exported, specify Output Path and Script Executor Operation, and click OK.
5. On the displayed Script Executor page, observe the export progress.
Activation Observation
For details, see section 9.10.3 Activation Observation.
Figure 9-9 Example of reconstructing a PKI-based secure network into a PKI redundancy
network on the base station controller
General Procedure
Data Planning
In additional to the original configuration data, you need to configure data for the standby CA
and standby CRL server.
The following table lists the data to prepare for the standby CA.
(Optional) The following table lists the data to prepare for a periodic CRL download task.
Slave Port No. SLVPORT This parameter can be set only Network
(BSC6900,BSC6910) when PKI redundancy is plan
enabled.
For details, see "Using the CME in Batch Configuration for Existing Base Station Controllers"
in section 9.8.2 Initial Configuration.
1. On the main menu of the U2000, click in the upper left corner.
2. On the Application Center tab page, double-click the CME icon to start the CME.
3. On the CME, choose CM Express > Planned Area, and click to export the
incremental script.
4. In the Export Incremental Scripts dialog box, choose a specific base station controller to
which the script is exported, specify Output Path and Script Executor Operation, and
click OK.
5. On the displayed Script Executor page, observe the export progress.
6. After the export is complete, restart the base station controller to make the script take effect.
Activation Observation
For details, see section 9.11.3 Activation Observation.
9.16 Troubleshooting
After any of the preceding alarms is reported, O&M personnel need to find the cause and clear
the alarm according to the alarm information. For details about how to clear these alarms for
each type of base station, see 3900 Series Base Station Alarm Reference.
After any of the preceding alarms is reported, O&M personnel need to find the cause and clear
the alarm according to the alarm information. For details about how to clear these alarms for the
base station controller, see BSC6900 GU Alarm Reference and BSC6910 GU Alarm
Reference. For details about how to clear these alarms for the eCoordinator, see ECO6910 Alarm
Reference.
When an SSL connection and device certificates are used for authentication between the base
station controller/eCoordinator and U2000, the base station controller/eCoordinator may get out
of control from the U2000 if faults occur on the base station controller/eCoordinator side, for
example, the certificate is damaged.
In this case, check the alarm on the U2000 first, and then clear the alarm according to related
handling suggestions. If the alarm cannot be cleared on the U2000, O&M personnel need to log
in to the base station controller/eCoordinator LMT as local users to check the alarm information.
If ALM-20851 Digital Certificate Loss, Expiry, or Damage is generated, re-apply for a device
certificate for the base station controller/eCoordinator according to the alarm information, and
then replace the certificate.
10 Parameters
AUTH BTS390 SET MRFD- Security Meaning: If Authentication Mode to is set to PEER
MODE 0, SSLAU 210305 Manage (Verify Peer Certificate), the NE must verify the
BTS390 THMO ment certificate of the U2000 or LMT during SSL connection
0 DE GBFD-1 setup. If the certificate verification fails, the SSL
WCDM 13522 Encrypt connection cannot be set up.
LST ed
A, SSLCO LBFD-0 GUI Value Range: NONE(Verify None), PEER(Verify
BTS390 Network
NF 04003 Manage Peer Certificate)
0 LTE
ment Unit: None
SIGNA BTS390 MOD LOFD-0 Public Meaning: Indicates the signature algorithm for a
LG 0, CERTR 03010 / Key certificate request file. The signature algorithm can be
BTS390 EQ TDLOF Infrastru Secure Hash Algorithm 1 (SHA1), Message-Digest
0 LST D-00301 cture Algorithm 5 (MD5) or Secure Hash Algorithm 256
WCDM CERTFI 0 (PKI) (SHA256).
A, LE GUI Value Range: SHA1(SHA1), MD5(MD5),
BTS390 GBFD-1 BTS
LST 13526 Supporti SHA256(SHA256)
0 LTE
CERTR ng PKI Unit: None
EQ WRFD-
140210 NodeB Actual Value Range: SHA1, MD5, SHA256
PKI Default Value: SHA256(SHA256)
Support
SIGNA BSC690 MOD MRFD- Security Meaning: Signature algorithm used by the device
LG 0 CERTR 210305 Manage certificate.
EQ ment GUI Value Range: SHA1(SHA1), MD5(MD5),
SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, MD5, SHA256
Default Value: SHA256(SHA256)
SIGNA BSC691 MOD MRFD- Security Meaning: Signature algorithm used by the device
LG 0 CERTR 210305 Manage certificate.
EQ ment GUI Value Range: SHA1(SHA1), MD5(MD5),
SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, MD5, SHA256
Default Value: SHA256(SHA256)
MODE BTS390 ADD LOFD-0 Public Meaning: Indicates the policy for configuring the
0, CA 03010 / Key following parameters: Certificate Update Source IP, CA
BTS390 MOD TDLOF Infrastru URL During Site Deployment, and Source IP for
0 CA D-00301 cture Applying for a Certificate During Site Deployment.
WCDM 0 (PKI) When the parameter is set to DEFAULT_MODE, the
A, LST CA UPDSIP, INITREQURL, INITREQSIP and
BTS390 GBFD-1 BTS SLVINITREQURL parameters do not need to be
0 LTE 13526 Supporti configured. When a certificate is initially obtained
ng PKI during site deployment, is manually applied for, or is
WRFD-
140210 NodeB automatically or manually updated, the base station uses
PKI the effective IP address of the local OM channel as the
Support source address, and the URL as the destination address.
When this parameter is set to CFG_INIT_UPD_ADDR,
the base station uses INITREQSIP and INITREQURL
as the source and destination addresses for initially
obtaining a certificate during site deployment and
UPDSIP and URL as the source and destination
addresses for automatically and manually updating a
certificate and for manually applying for a certificate.
When the parameter is set to CFG_UPD_SIP, the
INITREQURL, INITREQSIP and SLVINITREQURL
parameters do not need to be configured. When a
certificate is initially obtained during site deployment,
is manually applied for, or is automatically or manually
updated, the base station uses the UPDSIP and URL
address as the source and destination addresses,
respectively.
GUI Value Range: DEFAULT_MODE
(DEFAULT_MODE), CFG_UPD_SIP
(CFG_UPD_SIP), CFG_INIT_UPD_ADDR
(CFG_INIT_UPD_ADDR)
Unit: None
Actual Value Range: DEFAULT_MODE,
CFG_UPD_SIP, CFG_INIT_UPD_ADDR
Default Value: DEFAULT_MODE
(DEFAULT_MODE)
CONN BTS390 ADD None None Meaning: Indicates whether to use the SSL to protect
MODE 0, CRLTS the security of the connection.
BTS390 K GUI Value Range: PLAINTEXT(Plaintext), SSL(SSL)
0 LST
WCDM Unit: None
CRLTS
A, K Actual Value Range: PLAINTEXT, SSL
BTS390 Default Value: PLAINTEXT(Plaintext)
0 LTE
CONN BSC690 ADD WRFD- RNC Meaning: Mode of connection to the CRL server.
MODE 0 CRLTS 160276 Supporti GUI Value Range: PLAINTEXT(Plaintext), SSL(SSL)
K ng PKI
Unit: None
Actual Value Range: PLAINTEXT, SSL
Default Value: PLAINTEXT(Plaintext)
CONN BSC691 ADD WRFD- RNC Meaning: Mode of connection to the CRL server.
MODE 0 CRLTS 160276 Supporti GUI Value Range: PLAINTEXT(Plaintext), SSL(SSL)
K ng PKI
Unit: None
Actual Value Range: PLAINTEXT, SSL
Default Value: PLAINTEXT(Plaintext)
AUTHP BTS390 ADD None None Meaning: Indicates whether to authenticate the
EER 0, CRLTS certificate of the peer end when SSL connection is used.
BTS390 K GUI Value Range: DISABLE(Disable), ENABLE
0 LST (Enable)
WCDM CRLTS
A, Unit: None
K
BTS390 Actual Value Range: DISABLE, ENABLE
0 LTE Default Value: DISABLE(Disable)
AUTHP BSC690 ADD WRFD- RNC Meaning: Whether to authenticate the identity of the
EER 0 CRLTS 160276 Supporti peer end.
K ng PKI GUI Value Range: DISABLE(Disable), ENABLE
(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: DISABLE(Disable)
AUTHP BSC691 ADD WRFD- RNC Meaning: Whether to authenticate the identity of the
EER 0 CRLTS 160276 Supporti peer end.
K ng PKI GUI Value Range: DISABLE(Disable), ENABLE
(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: DISABLE(Disable)
SLVUR BTS390 ADD None None Meaning: Indicates the slave URL of the CA. The URL
L 0, CA can be either an HTTP or HTTPS URL. The IP address
BTS390 MOD in the URL must be a valid IP address. The default port
0 CA number is 80 for HTTP or 443 for HTTPS. If the
WCDM certificate fails to be obtained using the CA URL, the
A, LST CA slave CA URL can be used to obtain the certificate only
BTS390 when this parameter is set.
0 LTE GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: NULL(empty string)
SLVINI BTS390 ADD None None Meaning: Indicates the slave URL of the CA that is used
TREQU 0, CA during site deployment. The URL can be either an
RL BTS390 MOD HTTP or HTTPS URL. In the URL, the IP address must
0 CA be a valid IP address, and the default port number is 80
WCDM for HTTP or 443 for HTTPS. If the certificate fails to
A, LST CA be obtained using the CA URL during site deployment,
BTS390 the slave CA URL during site deployment can be used
0 LTE to obtain the certificate only when this parameter is set.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: NULL(empty string)
SLVIP BTS390 ADD None None Meaning: Indicates the IP address of the slave FTP
0, CRLTS server or slave LDAP server. If the certificate fails to be
BTS390 K obtained using the IP address of the master CRL server,
0 LST the IP address of the slave CRL server is used only when
WCDM CRLTS this parameter is not set to 0.0.0.0. If the IP address of
A, K the slave CRL server is used, the slave port number,
BTS390 slave user name, and slave password need be
0 LTE configured.
GUI Value Range: Valid IP address
Unit: None
Actual Value Range: Valid IP address
Default Value: 0.0.0.0
SLVPO BTS390 ADD None None Meaning: Indicates the port number of a slave LDAP
RT 0, CRLTS server.
BTS390 K GUI Value Range: 0~65535
0 LST
WCDM Unit: None
CRLTS
A, K Actual Value Range: 0~65535
BTS390 Default Value: 389
0 LTE
SLVUS BTS390 ADD None None Meaning: Indicates the user name for logging in to the
R 0, CRLTS slave FTP server or slave LDAP server.
BTS390 K GUI Value Range: 0~255 characters
0 LST
WCDM Unit: None
CRLTS
A, K Actual Value Range: 0~255 characters
BTS390 Default Value: NULL(empty string)
0 LTE
SLVPW BTS390 ADD None None Meaning: Indicates the password for logging in to the
D 0, CRLTS slave FTP server or slave LDAP server.
BTS390 K GUI Value Range: 0~32 characters
0
WCDM Unit: None
A, Actual Value Range: 0~32 characters
BTS390 Default Value: NULL(empty string)
0 LTE
SLVUR BSC690 ADD WRFD- RNC Meaning: URL of the secondary CA.
L 0 CA 160277 Supporti GUI Value Range: 1~128 characters
MOD ng PKI
Redunda Unit: None
CA
ncy Actual Value Range: 1~128 characters
Default Value: None
SLVUR BSC691 ADD WRFD- RNC Meaning: URL of the secondary CA.
L 0 CA 160277 Supporti GUI Value Range: 1~128 characters
MOD ng PKI
Redunda Unit: None
CA
ncy Actual Value Range: 1~128 characters
Default Value: None
SLVIP BSC690 ADD WRFD- RNC Meaning: IP address of the secondary CRL server.
0 CRLTS 160277 Supporti GUI Value Range: Valid IP Address
K ng PKI
Redunda Unit: None
ncy Actual Value Range: Valid IP Address
Default Value: 0.0.0.0
SLVIP BSC691 ADD WRFD- RNC Meaning: IP address of the secondary CRL server.
0 CRLTS 160277 Supporti GUI Value Range: Valid IP Address
K ng PKI
Redunda Unit: None
ncy Actual Value Range: Valid IP Address
Default Value: 0.0.0.0
SLVPO BSC690 ADD WRFD- RNC Meaning: Port number of the standby CRL server. This
RT 0 CRLTS 160277 Supporti parameter does not need to be specified when
K ng PKI CRLGETMETHOD is set to FTP. The system uses the
Redunda port which is configured by command "ADD
ncy FTPSCLTDPORT" as the default port number. This
parameter must be specified when CRLGETMETHOD
is set to LDAP. The default value is 389.
GUI Value Range: 0~65535
Unit: None
Actual Value Range: 0~65535
Default Value: None
SLVPO BSC691 ADD WRFD- RNC Meaning: Port number of the standby CRL server. This
RT 0 CRLTS 160277 Supporti parameter does not need to be specified when
K ng PKI CRLGETMETHOD is set to FTP. The system uses the
Redunda port which is configured by command "ADD
ncy FTPSCLTDPORT" as the default port number. This
parameter must be specified when CRLGETMETHOD
is set to LDAP. The default value is 389.
GUI Value Range: 0~65535
Unit: None
Actual Value Range: 0~65535
Default Value: None
SLVUS BSC690 ADD WRFD- RNC Meaning: User name for accessing the secondary CRL
R 0 CRLTS 160277 Supporti server.
K ng PKI GUI Value Range: 0~128 characters
Redunda
ncy Unit: None
Actual Value Range: 0~128 characters
Default Value: None
SLVUS BSC691 ADD WRFD- RNC Meaning: User name for accessing the secondary CRL
R 0 CRLTS 160277 Supporti server.
K ng PKI GUI Value Range: 0~128 characters
Redunda
ncy Unit: None
Actual Value Range: 0~128 characters
Default Value: None
SLVPW BSC690 ADD WRFD- RNC Meaning: Password for accessing the secondary CRL
D 0 CRLTS 160277 Supporti server.
K ng PKI GUI Value Range: 1~32 characters
Redunda
ncy Unit: None
Actual Value Range: 1~32 characters
Default Value: None
SLVPW BSC691 ADD WRFD- RNC Meaning: Password for accessing the secondary CRL
D 0 CRLTS 160277 Supporti server.
K ng PKI GUI Value Range: 1~32 characters
Redunda
ncy Unit: None
Actual Value Range: 1~32 characters
Default Value: None
CRLPO BTS390 SET LOFD-0 Public Meaning: Indicates the policy type. There are three
LICY 0, CRLPO 03010 / Key policies using CRLs: (1) The BS does not perform CRL-
BTS390 LICY TDLOF Infrastru based certificate checks. (2) The BS performs CRL-
0 LST D-00301 cture based certificate checks and reports alarms when the
WCDM CRLPO 0 (PKI) checks fail. (3) The BS performs CRL-based certificate
A, LICY checks, and it reports alarms and disconnects from the
BTS390 GBFD-1 BTS peer device when the checks fail. The value
0 LTE 13526 Supporti NOVERIFY indicates that the BS does not perform
ng PKI CRL-based certificate checks on the peer device. The
WRFD-
140210 NodeB value ALARM indicates that the BS performs CRL-
PKI based certificate checks on the peer device and reports
Support ALM-26832 Peer Certificate Expiry if the peer
certificate has been revoked. The value DISCONNECT
indicates that the BS performs CRL-based certificate
checks on the peer device. If the BS finds that the peer
certificate has been revoked, the BS stops the link
negotiation with the peer device and reports
ALM-26832 Peer Certificate Expiry. If the BS finds that
the CRL expires, the BS stops the link negotiation with
the peer device.
GUI Value Range: NOVERIFY(No Verifying),
ALARM(Send an Alarm If Verifying CRL Failed),
DISCONNECT(Disconnect If Verifying CRL Failed)
Unit: None
Actual Value Range: NOVERIFY, ALARM,
DISCONNECT
Default Value: NOVERIFY(No Verifying)
AUTH BSC690 SET None None Meaning: Authentication mode for SSL connections.
MODE 0 SSLAU GUI Value Range: NONE(Verify None), PEER(Verify
THMO Peer Certificate)
DE
Unit: None
Actual Value Range: NONE, PEER
Default Value: NONE(Verify None)
AUTH BSC691 SET None None Meaning: Authentication mode for SSL connections.
MODE 0 SSLAU GUI Value Range: NONE(Verify None), PEER(Verify
THMO Peer Certificate)
DE
Unit: None
Actual Value Range: NONE, PEER
Default Value: NONE(Verify None)
DEPLO BTS390 SET LOFD-0 Public Meaning: Indicates the deployment position of a digital
YTYPE 0, CERTD 03010 / Key certificate. If this parameter is set to DEFAULT, the
BTS390 EPLOY TDLOF Infrastru certificate is configured on the main control board. If
0 LST D-00301 cture this parameter is set to SPECIFIC, the certificate is
WCDM CERTD 0 (PKI) configured on the board in the specified slot. If this
A, EPLOY parameter is set to NULL, no certificate is configured
BTS390 GBFD-1 BTS on the BS.
0 LTE 13526 Supporti
ng PKI GUI Value Range: DEFAULT(Default), SPECIFIC
WRFD- (Specific), NULL(NULL)
140210 NodeB Unit: None
PKI
Support Actual Value Range: DEFAULT, SPECIFIC, NULL
Default Value: DEFAULT(Default)
ISENA BTS390 SET LOFD-0 Public Meaning: Indicates whether a task of certificate validity
BLE 0, CERTC 03010 / Key checking is started.
BTS390 HKTSK TDLOF Infrastru GUI Value Range: DISABLE(Disable), ENABLE
0 LST D-00301 cture (Enable)
WCDM CERTC 0 (PKI)
A, Unit: None
HKTSK GBFD-1 BTS
BTS390 Actual Value Range: DISABLE, ENABLE
0 LTE 13526 Supporti
ng PKI Default Value: ENABLE(Enable)
WRFD-
140210 NodeB
PKI
Support
ALMR BTS390 SET LOFD-0 Public Meaning: Indicates the threshold for a certificate
NG 0, CERTC 03010 / Key expiration alarm. If the eNodeB detects that the interval
BTS390 HKTSK TDLOF Infrastru between its current time and the expiration date of an
0 LST D-00301 cture activated device certificate is shorter than the threshold,
WCDM CERTC 0 (PKI) an Imminent Certificate Expiry alarm is reported.
A, HKTSK GUI Value Range: 7~180
BTS390 GBFD-1 BTS
0 LTE 13526 Supporti Unit: day
ng PKI Actual Value Range: 7~180
WRFD-
140210 NodeB Default Value: 30
PKI
Support
UPDAT BTS390 SET LOFD-0 Public Meaning: Indicates the method for updating a certificate
EMETH 0, CERTC 03010 / Key that has expired or is about to expire. There are three
OD BTS390 HKTSK TDLOF Infrastru methods: PROXY, CMP and MANUAL. If the PROXY
0 LST D-00301 cture method is used, the BS uses the U2000 as the proxy to
WCDM CERTC 0 (PKI) update the certificate from the Certificate Authority
A, HKTSK (CA). If the CMP method is used, the BS directly
BTS390 GBFD-1 BTS updates the certificate from the CA. If the MANUAL
0 LTE 13526 Supporti method is used, the certificate needs to be updated
ng PKI manually instead of automatically.
WRFD-
140210 NodeB GUI Value Range: PROXY(Proxy), CMP(CMP),
PKI MANUAL(Manual)
Support Unit: None
Actual Value Range: PROXY, CMP, MANUAL
Default Value: CMP(CMP)
UPDAT BSC690 SET WRFD- RNC Meaning: Update policy for an expired certificate. If
EMETH 0 CERTC 160276 Supporti PROXY or MANUAL is selected, the system will
OD HKTSK ng PKI disable the automatic device certificate update function.
In this case, you need to manually update the device
certificate.
GUI Value Range: PROXY(Proxy), CMP(CMP),
MANUAL(Manual)
Unit: None
Actual Value Range: PROXY, CMP, MANUAL
Default Value: PROXY(Proxy)
UPDAT BSC691 SET WRFD- RNC Meaning: Update policy for an expired certificate. If
EMETH 0 CERTC 160276 Supporti PROXY or MANUAL is selected, the system will
OD HKTSK ng PKI disable the automatic device certificate update function.
In this case, you need to manually update the device
certificate.
GUI Value Range: PROXY(Proxy), CMP(CMP),
MANUAL(Manual)
Unit: None
Actual Value Range: PROXY, CMP, MANUAL
Default Value: PROXY(Proxy)
APPCE BTS390 ADD LOFD-0 Public Meaning: Indicates the file name of a device certificate.
RT 0, CERTM 03010 / Key The file name cannot include any of the following
BTS390 K TDLOF Infrastru characters: backslashes (\), slashes (/), colons (:),
0 DSP D-00301 cture asterisks (*), question marks (?), double quotation
WCDM CERTM 0 (PKI) marks ("), left angle brackets (<), right angle brackets
A, K (>), and bars (|).
BTS390 GBFD-1 BTS
MOD 13526 Supporti GUI Value Range: 1~64 characters
0 LTE
CERTM ng PKI Unit: None
K WRFD-
140210 NodeB Actual Value Range: 1~64 characters
REQ PKI Default Value: None
DEVCE Support
RT
RMV
CERTM
K
UPD
DEVCE
RT
DSP
CMPSE
SSION
LST
CERTM
K
KEYSIZ BTS390 MOD LOFD-0 Public Meaning: Indicates the length of a key, which can be
E 0, CERTR 03010 / Key 1024 bits or 2048 bits.
BTS390 EQ TDLOF Infrastru GUI Value Range: KEYSIZE1024(KEYSIZE1024),
0 UPD D-00301 cture KEYSIZE2048(KEYSIZE2048)
WCDM DEVCE 0 (PKI)
A, Unit: None
RT GBFD-1 BTS
BTS390 Actual Value Range: KEYSIZE1024, KEYSIZE2048
0 LTE LST 13526 Supporti
CERTR ng PKI Default Value: KEYSIZE2048(KEYSIZE2048)
EQ WRFD-
140210 NodeB
PKI
Support
IP BTS390 ADD LOFD-0 Public Meaning: Indicates the IP address of the master FTP
0, CRLTS 03010 / Key server or master LDAP server.
BTS390 K TDLOF Infrastru GUI Value Range: Valid IP address
0 LST D-00301 cture
WCDM 0 (PKI) Unit: None
CRLTS
A, K Actual Value Range: Valid IP address
BTS390 GBFD-1 BTS
13526 Supporti Default Value: None
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
CRLGE BTS390 ADD LOFD-0 Public Meaning: Indicates the method using which the BS
TMETH 0, CRLTS 03010 / Key periodically obtains a CRL.
OD BTS390 K TDLOF Infrastru GUI Value Range: FTP(FTP), LDAP(LDAP)
0 LST D-00301 cture
WCDM 0 (PKI) Unit: None
CRLTS
A, K Actual Value Range: FTP, LDAP
BTS390 GBFD-1 BTS
13526 Supporti Default Value: FTP(FTP)
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
SEARC BTS390 ADD LOFD-0 Public Meaning: Indicates the name of a node found in an
HDN 0, CRLTS 03010 / Key LDAP server.
BTS390 K TDLOF Infrastru GUI Value Range: 0~255 characters
0 LST D-00301 cture
WCDM 0 (PKI) Unit: None
CRLTS
A, K Actual Value Range: 0~255 characters
BTS390 GBFD-1 BTS
13526 Supporti Default Value: NULL(empty string)
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
SEARC BSC690 ADD WRFD- RNC Meaning: Distinct name of CRL files saved on the
HDN 0 CRLTS 160276 Supporti LDAP server.
K ng PKI GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
SEARC BSC691 ADD WRFD- RNC Meaning: Distinct name of CRL files saved on the
HDN 0 CRLTS 160276 Supporti LDAP server.
K ng PKI GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
PORT BTS390 ADD LOFD-0 Public Meaning: Indicates the port number of an LDAP server.
0, CRLTS 03010 / Key GUI Value Range: 0~65535
BTS390 K TDLOF Infrastru
0 D-00301 cture Unit: None
LST
WCDM CRLTS 0 (PKI) Actual Value Range: 0~65535
A, K Default Value: 389
BTS390 GBFD-1 BTS
0 LTE 13526 Supporti
ng PKI
WRFD-
140210 NodeB
PKI
Support
PORT BSC690 ADD MRFD- Security Meaning: Number of the port used by the protocol. This
0 CRLTS 210305 Manage parameter does not need to be specified when
K ment "CRLGETMETHOD" is set to FTP. The system uses
the port which is configured by command "ADD
FTPSCLTDPORT" as the default port number. When
"CRLGETMETHOD" is set to LDAP, ensure that the
LDAP service on the port supports LDAP V3.
GUI Value Range: 0~65535
Unit: None
Actual Value Range: 0~65535
Default Value: None
PORT BSC691 ADD MRFD- Security Meaning: Number of the port used by the protocol. This
0 CRLTS 210305 Manage parameter does not need to be specified when
K ment "CRLGETMETHOD" is set to FTP. The system uses
the port which is configured by command "ADD
FTPSCLTDPORT" as the default port number. When
"CRLGETMETHOD" is set to LDAP, ensure that the
LDAP service on the port supports LDAP V3.
GUI Value Range: 0~65535
Unit: None
Actual Value Range: 0~65535
Default Value: None
ISCRLT BTS390 ADD LOFD-0 Public Meaning: Indicates whether to update the CRL at the
IME 0, CRLTS 03010 / Key next update time specified in the CRL that is obtained
BTS390 K TDLOF Infrastru during the latest update. If this parameter is set to
0 LST D-00301 cture ENABLE, the BS automatically updates the CRL when
WCDM CRLTS 0 (PKI) the next update time specified in the CRL arrives. If this
A, K parameter is set to DISABLE, the BS automatically
BTS390 GBFD-1 BTS updates the CRL based on the configured updating
0 LTE 13526 Supporti period.
ng PKI
WRFD- GUI Value Range: DISABLE(Disable), ENABLE
140210 NodeB (Enable)
PKI Unit: None
Support
Actual Value Range: DISABLE, ENABLE
Default Value: DISABLE(Disable)
ISCRLT BSC690 ADD MRFD- Security Meaning: Whether the next update time in the CRL is
IME 0 CRLTS 210305 Manage used. If this parameter is set to ENABLE(Enable), the
K ment CRL file will be updated at the next update time
recorded in the CRL file.
GUI Value Range: DISABLE(Disable), ENABLE
(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: DISABLE(Disable)
ISCRLT BSC691 ADD MRFD- Security Meaning: Whether the next update time in the CRL is
IME 0 CRLTS 210305 Manage used. If this parameter is set to ENABLE(Enable), the
K ment CRL file will be updated at the next update time
recorded in the CRL file.
GUI Value Range: DISABLE(Disable), ENABLE
(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: DISABLE(Disable)
PERIO BTS390 ADD LOFD-0 Public Meaning: Indicates the interval at which the BS
D 0, CRLTS 03010 / Key automatically obtains the CRL from the FTP server or
BTS390 K TDLOF Infrastru LDAP server.
0 LST D-00301 cture GUI Value Range: 8~240
WCDM CRLTS 0 (PKI)
A, Unit: h
K GBFD-1 BTS
BTS390 Actual Value Range: 8~240
0 LTE 13526 Supporti
ng PKI Default Value: 24
WRFD-
140210 NodeB
PKI
Support
PERIO BSC690 ADD MRFD- Security Meaning: Interval for updating the CRL (unit: hour). If
D 0 CRLTS 210305 Manage ISCRLTIME is set to DISABLE(Disable), the CRL is
K ment updated at the interval specified by this parameter.
GUI Value Range: 8~240
Unit: h
Actual Value Range: 8~240
Default Value: 24
PERIO BSC691 ADD MRFD- Security Meaning: Interval for updating the CRL (unit: hour). If
D 0 CRLTS 210305 Manage ISCRLTIME is set to DISABLE(Disable), the CRL is
K ment updated at the interval specified by this parameter.
GUI Value Range: 8~240
Unit: h
Actual Value Range: 8~240
Default Value: 24
ENCRY BTS390 SET MRFD- Security Meaning: Indicates the transmission encryption mode
MODE 0, FTPSCL 210305 Manage of the FTP client. If this parameter is set to Auto, the
BTS390 T ment FTP client first attempts to transmit data in ciphertext.
0 LBFD-0 If the attempt fails, the FTP client automatically
LST 04003 Security
WCDM FTPSCL switches the encryption mode to retransmit data in
A, Socket plaintext.Therefore, setting this parameter to Auto may
T Layer
BTS390 pose security risks. However, if there are faults in
0 LTE transmission equipment, the FTP client does not attempt
to retransmit data in plaintext even if the FTP server
supports encrypted transmission. In this case, the FTP
connection setup fails.
GUI Value Range: Auto(Auto), Plaintext(Plaintext),
Encrypted(SSL Encrypted)
Unit: None
Actual Value Range: Auto, Plaintext, Encrypted
Default Value: Auto(Auto)
CANA BTS390 ADD LOFD-0 Public Meaning: Indicates the name of the CA.The CA name
ME 0, CA 03010 / Key must not contain the following invalid characters:
BTS390 LST CA TDLOF Infrastru backslashes (\), slashes (/), colons (:), asterisks (*),
0 D-00301 cture question marks (?), double quotation marks ("), left
WCDM MOD 0 (PKI) angle brackets (<), right angle brackets (>), bars (|) and
A, CA underscores (_). Otherwise, an error occurs when you
BTS390 REQ GBFD-1 BTS run the REQ DEVCERT command to apply for a device
0 LTE DEVCE 13526 Supporti certificate. For the valid characters of the CA name, see
RT ng PKI IETF RFC5280.
WRFD-
RMV 140210 NodeB GUI Value Range: 1~127 characters
CA PKI Unit: None
Support
Actual Value Range: 1~127 characters
Default Value: None
URL BTS390 ADD LOFD-0 Public Meaning: Indicates the URL of the CA. The URL can
0, CA 03010 / Key be either an HTTP or HTTPS URL. The IP address in
BTS390 MOD TDLOF Infrastru the URL must be a valid IP address. The default port
0 CA D-00301 cture number is 80 for HTTP or 443 for HTTPS.
WCDM 0 (PKI) GUI Value Range: 1~128 characters
A, LST CA
BTS390 GBFD-1 BTS Unit: None
0 LTE 13526 Supporti Actual Value Range: 1~128 characters
ng PKI
WRFD- Default Value: None
140210 NodeB
PKI
Support
URL BSC690 ADD WRFD- RNC Meaning: URL of the CA. The URL can be either an
0 CA 160276 Supporti HTTP or HTTPS URL. The IP address in the URL must
MOD ng PKI be a valid IPv4 address. The default port number is 80
CA for an HTTP URL and 443 for an HTTPS URL.
GUI Value Range: 1~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
URL BSC691 ADD WRFD- RNC Meaning: URL of the CA. The URL can be either an
0 CA 160276 Supporti HTTP or HTTPS URL. The IP address in the URL must
MOD ng PKI be a valid IPv4 address. The default port number is 80
CA for an HTTP URL and 443 for an HTTPS URL.
GUI Value Range: 1~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
INITRE BTS390 ADD LOFD-0 Public Meaning: Indicates the URL of the CA that is used
QURL 0, CA 03010 / Key during site deployment. The URL can be either an
BTS390 MOD TDLOF Infrastru HTTP or HTTPS URL. In the URL, the IP address must
0 CA D-00301 cture be a valid IP address, and the default port number is 80
WCDM 0 (PKI) for HTTP or 443 for HTTPS. This parameter is
A, LST CA mandatory when the CA uses different URLs during site
BTS390 GBFD-1 BTS deployment or certificate update.
0 LTE 13526 Supporti
ng PKI GUI Value Range: 1~128 characters
WRFD- Unit: None
140210 NodeB
PKI Actual Value Range: 1~128 characters
Support Default Value: None
SIGNA BTS390 ADD LOFD-0 Public Meaning: Indicates the signature algorithm for message
LG 0, CA 03010 / Key of CMP. The signature algorithm can be Secure Hash
BTS390 MOD TDLOF Infrastru Algorithm 1 (SHA1) or Secure Hash Algorithm 256
0 CA D-00301 cture (SHA256).
WCDM 0 (PKI) GUI Value Range: SHA1(SHA1), SHA256(SHA256)
A, LST CA
BTS390 GBFD-1 BTS Unit: None
0 LTE 13526 Supporti Actual Value Range: SHA1, SHA256
ng PKI
WRFD- Default Value: SHA256(SHA256)
140210 NodeB
PKI
Support
SIGNA BSC690 ADD WRFD- RNC Meaning: Signature algorithm used by the Certificate
LG 0 CA 160276 Supporti Management Protocol (CMP) to request for a
MOD ng PKI certificate. The algorithm includes SHA1 and SHA256.
CA GUI Value Range: SHA1(SHA1), SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, SHA256
Default Value: SHA256(SHA256)
SIGNA BSC691 ADD WRFD- RNC Meaning: Signature algorithm used by the Certificate
LG 0 CA 160276 Supporti Management Protocol (CMP) to request for a
MOD ng PKI certificate. The algorithm includes SHA1 and SHA256.
CA GUI Value Range: SHA1(SHA1), SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, SHA256
Default Value: SHA256(SHA256)
KEYSIZ BSC690 MOD MRFD- Security Meaning: Size of the key used by the device certificate
E 0 CERTR 210305 Manage file.
EQ ment GUI Value Range: KEYSIZE1024(1024 Bits),
KEYSIZE2048(2048 Bits)
Unit: None
Actual Value Range: KEYSIZE1024, KEYSIZE2048
Default Value: KEYSIZE2048(2048 Bits)
KEYSIZ BSC691 MOD MRFD- Security Meaning: Size of the key used by the device certificate
E 0 CERTR 210305 Manage file.
EQ ment GUI Value Range: KEYSIZE1024(1024 Bits),
KEYSIZE2048(2048 Bits)
Unit: None
Actual Value Range: KEYSIZE1024, KEYSIZE2048
Default Value: KEYSIZE2048(2048 Bits)
KEYUS BTS390 MOD LOFD-0 Public Meaning: Indicates the usage for a key, including
AGE 0, CERTR 03010 / Key KEY_AGREEMENT (key negotiation),
BTS390 EQ TDLOF Infrastru DATA_ENCIPHERMENT (data encryption),
0 LST D-00301 cture KEY_ENCIPHERMENT (key encryption), and
WCDM CERTFI 0 (PKI) DIGITAL_SIGNATURE (digital signature). This
A, LE parameter can be set to one or multiple values.
BTS390 GBFD-1 BTS
LST 13526 Supporti GUI Value Range: DATA_ENCIPHERMENT
0 LTE (DATA_ENCIPHERMENT), DIGITAL_SIGNA-
CERTR ng PKI
EQ WRFD- TURE(DIGITAL_SIGNATURE),
140210 NodeB KEY_AGREEMENT(KEY_AGREEMENT),
PKI KEY_ENCIPHERMENT(KEY_ENCIPHERMENT)
Support Unit: None
Actual Value Range: DATA_ENCIPHERMENT,
DIGITAL_SIGNATURE, KEY_AGREEMENT,
KEY_ENCIPHERMENT
Default Value: DATA_ENCIPHERMENT:ON,
DIGITAL_SIGNATURE:ON,
KEY_AGREEMENT:ON,
KEY_ENCIPHERMENT:ON
KEYUS BSC690 MOD MRFD- Security Meaning: Key usage. The options are key agreement,
AGE 0 CERTR 210305 Manage data encryption, key encryption, and digital signature.
EQ ment Each time, more than one option can be selected. At
least one usage must be selected for this parameter.
GUI Value Range: DATA_ENCIPHERMENT(Data
Encipherment), DIGITAL_SIGNATURE(Digital
Signature), KEY_AGREEMENT(Key Agreement),
KEY_ENCIPHERMENT(Key Encipherment)
Unit: None
Actual Value Range: DATA_ENCIPHERMENT,
DIGITAL_SIGNATURE, KEY_AGREEMENT,
KEY_ENCIPHERMENT
Default Value: None
KEYUS BSC691 MOD MRFD- Security Meaning: Key usage. The options are key agreement,
AGE 0 CERTR 210305 Manage data encryption, key encryption, and digital signature.
EQ ment Each time, more than one option can be selected. At
least one usage must be selected for this parameter.
GUI Value Range: DATA_ENCIPHERMENT(Data
Encipherment), DIGITAL_SIGNATURE(Digital
Signature), KEY_AGREEMENT(Key Agreement),
KEY_ENCIPHERMENT(Key Encipherment)
Unit: None
Actual Value Range: DATA_ENCIPHERMENT,
DIGITAL_SIGNATURE, KEY_AGREEMENT,
KEY_ENCIPHERMENT
Default Value: None
LOCAL BTS390 MOD LOFD-0 Public Meaning: Indicates the local name of a BS. This
NAME 0, CERTR 03010 / Key parameter is used to generate the DNS name of the
BTS390 EQ TDLOF Infrastru subject alternative name of a certificate, so as to verify
0 LST D-00301 cture the peer's identification in IKE negotiation. If this
WCDM CERTFI 0 (PKI) parameter is not configured, the BS automatically uses
A, LE the common name and its additional information to
BTS390 GBFD-1 BTS generate the DNS name.
0 LTE LST 13526 Supporti
CERTR ng PKI GUI Value Range: 0~128 characters
EQ WRFD- Unit: None
140210 NodeB
PKI Actual Value Range: 0~128 characters
Support Default Value: NULL(empty string)
LOCAL BSC690 MOD MRFD- Security Meaning: Local name of the device. If this parameter is
NAME 0 CERTR 210305 Manage not configured, set this parameter to the same value as
EQ ment "COMMNAME". If this parameter is configured, use
the actually configured value. The parameter value can
contain only letters, digits, spaces, and the following
characters: ()+-./:?. The original parameter settings
remain unchanged if the parameter is left unspecified.
The original parameter settings are cleared if a space is
entered.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
LOCAL BSC691 MOD MRFD- Security Meaning: Local name of the device. If this parameter is
NAME 0 CERTR 210305 Manage not configured, set this parameter to the same value as
EQ ment "COMMNAME". If this parameter is configured, use
the actually configured value. The parameter value can
contain only letters, digits, spaces, and the following
characters: ()+-./:?. The original parameter settings
remain unchanged if the parameter is left unspecified.
The original parameter settings are cleared if a space is
entered.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
CERTN BTS390 ADD LOFD-0 Public Meaning: Indicates the file name of the trusted
AME 0, TRUST 03010 / Key certificate. The file name cannot include any of the
BTS390 CERT TDLOF Infrastru following characters: backslashes (\), slashes (/), colons
0 DSP D-00301 cture (:), asterisks (*), question marks (?), double quotation
WCDM TRUST 0 (PKI) marks ("), left angle brackets (<), right angle brackets
A, CERT (>), and bars (|).
BTS390 GBFD-1 BTS
RMV 13526 Supporti GUI Value Range: 1~64 characters
0 LTE
TRUST ng PKI Unit: None
CERT WRFD-
140210 NodeB Actual Value Range: 1~64 characters
LST PKI Default Value: None
TRUST Support
CERT
CERTN BSC690 ADD MRFD- Security Meaning: File name of the trust certificate or certificate
AME 0 TRUST 210305 Manage chain.
CERT ment GUI Value Range: 1~64 characters
RMV Unit: None
TRUST
CERT Actual Value Range: 1~64 characters
Default Value: None
CERTN BSC691 ADD MRFD- Security Meaning: File name of the trust certificate or certificate
AME 0 TRUST 210305 Manage chain.
CERT ment GUI Value Range: 1~64 characters
RMV Unit: None
TRUST
CERT Actual Value Range: 1~64 characters
Default Value: None
IP BSC690 ADD MRFD- Security Meaning: IP address of the server where the CRL file is
0 CRLTS 210305 Manage saved.
K ment GUI Value Range: Valid IP Address
Unit: None
Actual Value Range: Valid IP Address
Default Value: None
IP BSC691 ADD MRFD- Security Meaning: IP address of the server where the CRL file is
0 CRLTS 210305 Manage saved.
K ment GUI Value Range: Valid IP Address
Unit: None
Actual Value Range: Valid IP Address
Default Value: None
USR BTS390 ADD LOFD-0 Public Meaning: Indicates the user name used to log in to an
0, CRLTS 03010 / Key FTP server or LDAP server.
BTS390 K TDLOF Infrastru GUI Value Range: 0~255 characters
0 LST D-00301 cture
WCDM 0 (PKI) Unit: None
CRLTS
A, K Actual Value Range: 0~255 characters
BTS390 GBFD-1 BTS
13526 Supporti Default Value: NULL(empty string)
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
USR BSC690 ADD MRFD- Security Meaning: User name for logging in to the server where
0 CRLTS 210305 Manage the CRL file is saved. Parameters USR and PWD must
K ment be specified or left unspecified at the same time. If USR
is not specified, the RNC connects to a specified server
using an anonymous account and a blank password.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
USR BSC691 ADD MRFD- Security Meaning: User name for logging in to the server where
0 CRLTS 210305 Manage the CRL file is saved. Parameters USR and PWD must
K ment be specified or left unspecified at the same time. If USR
is not specified, the RNC connects to a specified server
using an anonymous account and a blank password.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
PWD BTS390 ADD LOFD-0 Public Meaning: Indicates the password used to log in to an
0, CRLTS 03010 / Key FTP server or LDAP server.
BTS390 K TDLOF Infrastru GUI Value Range: 0~32 characters
0 D-00301 cture
WCDM 0 (PKI) Unit: None
A, Actual Value Range: 0~32 characters
BTS390 GBFD-1 BTS
13526 Supporti Default Value: NULL(empty string)
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
PWD BSC690 ADD MRFD- Security Meaning: Password for logging in to the server.
0 CRLTS 210305 Manage GUI Value Range: 0~32 characters
K ment
Unit: None
Actual Value Range: 0~32 characters
Default Value: None
PWD BSC691 ADD MRFD- Security Meaning: Password for logging in to the server.
0 CRLTS 210305 Manage GUI Value Range: 0~32 characters
K ment
Unit: None
Actual Value Range: 0~32 characters
Default Value: None
FILENA BTS390 ADD LOFD-0 Public Meaning: Indicates the file name of a CRL. File name
ME 0, CRLTS 03010 / Key with path is supported when the access method is set to
BTS390 K TDLOF Infrastru FTP.
0 LST D-00301 cture GUI Value Range: 1~128 characters
WCDM CRLTS 0 (PKI)
A, Unit: None
K GBFD-1 BTS
BTS390 Actual Value Range: 1~128 characters
0 LTE 13526 Supporti
ng PKI Default Value: None
WRFD-
140210 NodeB
PKI
Support
FILENA BSC690 ADD MRFD- Security Meaning: Name of the CRL file on the server. The file
ME 0 CRLTS 210305 Manage name can contain the save path of this file on the server.
K ment You can use a slash (/) or a backslash (\) as a separator
for the save path. When the Access Method is set to
LDAP, only the file name should be specified.
GUI Value Range: 1~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
FILENA BSC691 ADD MRFD- Security Meaning: Name of the CRL file on the server. The file
ME 0 CRLTS 210305 Manage name can contain the save path of this file on the server.
K ment You can use a slash (/) or a backslash (\) as a separator
for the save path. When the Access Method is set to
LDAP, only the file name should be specified.
GUI Value Range: 1~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
CRLGE BSC690 ADD WRFD- RNC Meaning: Method for obtaining the CRL file.
TMETH 0 CRLTS 160276 Supporti GUI Value Range: FTP(FTP), LDAP(LDAP)
OD K ng PKI
Unit: None
Actual Value Range: FTP, LDAP
Default Value: FTP(FTP)
CRLGE BSC691 ADD WRFD- RNC Meaning: Method for obtaining the CRL file.
TMETH 0 CRLTS 160276 Supporti GUI Value Range: FTP(FTP), LDAP(LDAP)
OD K ng PKI
Unit: None
Actual Value Range: FTP, LDAP
Default Value: FTP(FTP)
COMM BTS390 MOD LOFD-0 Public Meaning: Indicates the common name of the certificate
NAME 0, CERTR 03010 / Key request file, which can be the electronic serial number
BTS390 EQ TDLOF Infrastru (ESN), media access control (MAC) address, or IP
0 LST D-00301 cture address of a board.
WCDM CERTR 0 (PKI) GUI Value Range: ESN(ESN), MAC(MAC), IP(IP)
A, EQ
BTS390 GBFD-1 BTS Unit: None
0 LTE 13526 Supporti Actual Value Range: ESN, MAC, IP
ng PKI
WRFD- Default Value: ESN(ESN)
140210 NodeB
PKI
Support
USERA BTS390 MOD LOFD-0 Public Meaning: Indicates the additional information about a
DDINF 0, CERTR 03010 / Key certificate common name. The information will be
O BTS390 EQ TDLOF Infrastru added behind the value of the COMMNAME parameter
0 LST D-00301 cture to compose a complete common name for a certificate
WCDM CERTR 0 (PKI) request file. The default value is .huawei.com. A space
A, EQ is not supported before the value of this parameter, that
BTS390 GBFD-1 BTS is, a space is not supported before the character string.
0 LTE 13526 Supporti However, to meet requirements of consistency checks
ng PKI performed by some CA servers to the certificate
WRFD-
140210 NodeB common name in a certificate request packet and that in
PKI a Huawei device certificate, the certificate common
Support name in a certificate request packet is displayed as
"Board ESN"+space+"Common Name Additional
Info" only when the certificate common name in a
Huawei device certificate is "Board ESN"+space
+"Common Name Additional Info". For example, when
the value of this parameter is "eNodeB" and the
certificate common name in a Huawei device certificate
is "ESN eNodeB", a space is automatically added before
"eNodeB", that is, the certificate common name in a
certificate request packet is displayed as "ESN
eNodeB".
GUI Value Range: 0~32 characters
Unit: None
Actual Value Range: 0~32 characters
Default Value: NULL(empty string)
COUNT BTS390 MOD LOFD-0 Public Meaning: Indicates the country where a BS is located.
RY 0, CERTR 03010 / Key GUI Value Range: 0~0,2~2 characters
BTS390 EQ TDLOF Infrastru
0 D-00301 cture Unit: None
LST
WCDM CERTR 0 (PKI) Actual Value Range: 0~0,2~2 characters
A, EQ Default Value: NULL(empty string)
BTS390 GBFD-1 BTS
0 LTE 13526 Supporti
ng PKI
WRFD-
140210 NodeB
PKI
Support
ORG BTS390 MOD LOFD-0 Public Meaning: Indicates the organization that owns a BS.
0, CERTR 03010 / Key GUI Value Range: 0~64 characters
BTS390 EQ TDLOF Infrastru
0 D-00301 cture Unit: None
LST
WCDM CERTR 0 (PKI) Actual Value Range: 0~64 characters
A, EQ Default Value: NULL(empty string)
BTS390 GBFD-1 BTS
0 LTE 13526 Supporti
ng PKI
WRFD-
140210 NodeB
PKI
Support
ORGUN BTS390 MOD LOFD-0 Public Meaning: Indicates the organization unit that owns a
IT 0, CERTR 03010 / Key BS.
BTS390 EQ TDLOF Infrastru GUI Value Range: 0~64 characters
0 LST D-00301 cture
WCDM 0 (PKI) Unit: None
CERTR
A, EQ Actual Value Range: 0~64 characters
BTS390 GBFD-1 BTS
13526 Supporti Default Value: NULL(empty string)
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
STATE BTS390 MOD LOFD-0 Public Meaning: Indicates the state or province where a BS is
PROVI 0, CERTR 03010 / Key located.
NCENA BTS390 EQ TDLOF Infrastru GUI Value Range: 0~128 characters
ME 0 LST D-00301 cture
WCDM 0 (PKI) Unit: None
CERTR
A, EQ Actual Value Range: 0~128 characters
BTS390 GBFD-1 BTS
13526 Supporti Default Value: NULL(empty string)
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
LOCAL BTS390 MOD LOFD-0 Public Meaning: Indicates the location of a BS.
ITY 0, CERTR 03010 / Key GUI Value Range: 0~128 characters
BTS390 EQ TDLOF Infrastru
0 D-00301 cture Unit: None
LST
WCDM CERTR 0 (PKI) Actual Value Range: 0~128 characters
A, EQ Default Value: NULL(empty string)
BTS390 GBFD-1 BTS
0 LTE 13526 Supporti
ng PKI
WRFD-
140210 NodeB
PKI
Support
LOCAL BTS390 MOD LOFD-0 Public Meaning: Indicates the IP address of the subject
IP 0, CERTR 03010 / Key alternative name of a certificate.
BTS390 EQ TDLOF Infrastru GUI Value Range: Valid IP address
0 LST D-00301 cture
WCDM 0 (PKI) Unit: None
CERTR
A, EQ Actual Value Range: Valid IP address
BTS390 GBFD-1 BTS
13526 Supporti Default Value: 0.0.0.0
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
UPDSIP BTS390 ADD LOFD-0 Public Meaning: Indicates the source address for certificate
0, CA 03010 / Key management, such as automatic certificate update,
BTS390 MOD TDLOF Infrastru manual certificate update, and manual certificate
0 CA D-00301 cture application. If the source address for certificate
WCDM 0 (PKI) application in site deployment is not configured, the
A, LST CA address will be used as the source address for acquiring
BTS390 GBFD-1 BTS the certificate for the first time.
0 LTE 13526 Supporti
ng PKI GUI Value Range: Valid IP address
WRFD- Unit: None
140210 NodeB
PKI Actual Value Range: Valid IP address
Support Default Value: 0.0.0.0
APPTY BTS390 DSP LOFD-0 Public Meaning: Indicates the application type of activated
PE 0, APPCE 03010 / Key device certificate. There are two types: IKE and SSL.
BTS390 RT TDLOF Infrastru When APPTYPE is set to IKE and CERTSOURCE in
0 LST D-00301 cture IKEPEER MO is set to Appcert, the device certificate
WCDM APPCE 0 (PKI) being used during IKE negotiation is the certificate
A, RT configured in APPCERT MO. When APPTYPE is set
BTS390 GBFD-1 BTS to SSL, indicates the device certificate being used
0 LTE MOD 13526 Supporti during SSL connection.
APPCE ng PKI
RT WRFD- GUI Value Range: IKE(IKE), SSL(SSL)
140210 NodeB Unit: None
TST PKI
APPCE Support Actual Value Range: IKE, SSL
RT Default Value: None
LST
CERTT
YPE
APPCE BTS390 MOD LOFD-0 Public Meaning: Indicates the file name of an activated device
RT 0, APPCE 03010 / Key certificate. The file name cannot include any of the
BTS390 RT TDLOF Infrastru following characters: backslashes (\), slashes (/), colons
0 TST D-00301 cture (:), asterisks (*), question marks (?), double quotation
WCDM APPCE 0 (PKI) marks ("), left angle brackets (<), right angle brackets
A, RT (>), and bars (|).
BTS390 GBFD-1 BTS
DSP 13526 Supporti GUI Value Range: 1~64 characters
0 LTE
APPCE ng PKI Unit: None
RT WRFD-
140210 NodeB Actual Value Range: 1~64 characters
LST PKI Default Value: None
APPCE Support
RT
PERIO BTS390 SET LOFD-0 Public Meaning: Indicates the interval between certificate
D 0, CERTC 03010 / Key validity checking tasks.
BTS390 HKTSK TDLOF Infrastru GUI Value Range: 1~15
0 LST D-00301 cture
WCDM 0 (PKI) Unit: day
CERTC
A, HKTSK Actual Value Range: 1~15
BTS390 GBFD-1 BTS
13526 Supporti Default Value: 7
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
CERTN BTS390 ADD LOFD-0 Public Meaning: Indicates the file name of a CRL. The file
AME 0, CRL 03010 / Key name cannot include any of the following characters:
BTS390 DSP TDLOF Infrastru backslashes (\), slashes (/), colons (:), asterisks (*),
0 CRL D-00301 cture question marks (?), double quotation marks ("), left
WCDM 0 (PKI) angle brackets (<), right angle brackets (>), and bars (|).
A, RMV
CRL GBFD-1 BTS GUI Value Range: 1~64 characters
BTS390
0 LTE LST 13526 Supporti Unit: None
CRL ng PKI Actual Value Range: 1~64 characters
WRFD-
140210 NodeB Default Value: None
PKI
Support
TSKID BTS390 ADD LOFD-0 Public Meaning: Indicates the ID of the task for periodically
0, CRLTS 03010 / Key obtaining the CRL.
BTS390 K TDLOF Infrastru GUI Value Range: 0~5
0 LST D-00301 cture
WCDM 0 (PKI) Unit: None
CRLTS
A, K Actual Value Range: 0~5
BTS390 GBFD-1 BTS
RMV 13526 Supporti Default Value: None
0 LTE
CRLTS ng PKI
K WRFD-
140210 NodeB
PKI
Support
SIP BTS390 ADD LOFD-0 Public Meaning: Indicates the source IP address for
0, CRLTS 03010 / Key downloading CRLs. When this parameter is set to
BTS390 K TDLOF Infrastru 0.0.0.0, the effective local OM IP address serves as the
0 LST D-00301 cture source IP address to access the CRL server for updating
WCDM CRLTS 0 (PKI) CRL files.
A, K GUI Value Range: Valid IP address
BTS390 GBFD-1 BTS
0 LTE 13526 Supporti Unit: None
ng PKI Actual Value Range: Valid IP address
WRFD-
140210 NodeB Default Value: 0.0.0.0
PKI
Support
COMM BSC690 MOD MRFD- Security Meaning: Common name of the certificate request file.
NAME 0 CERTR 210305 Manage When a certificate request file is generated, the
EQ ment corresponding content of the specified type is used as
the common name of the file. The common name can
only be the electronic serial number (ESN).
GUI Value Range: ESN(ESN)
Unit: None
Actual Value Range: ESN
Default Value: ESN(ESN)
COMM BSC691 MOD MRFD- Security Meaning: Common name of the certificate request file.
NAME 0 CERTR 210305 Manage When a certificate request file is generated, the
EQ ment corresponding content of the specified type is used as
the common name of the file. The common name can
only be the electronic serial number (ESN).
GUI Value Range: ESN(ESN)
Unit: None
Actual Value Range: ESN
Default Value: ESN(ESN)
USERA BSC690 MOD MRFD- Security Meaning: Equipment description in the generic
DDINF 0 CERTR 210305 Manage certificate name. The parameter value can contain only
O EQ ment letters, digits, spaces, and the following characters: ()
+-./:?. The original parameter settings remain
unchanged if the parameter is left unspecified. The
original parameter settings are cleared if a space is
entered.
GUI Value Range: 0~32 characters
Unit: None
Actual Value Range: 0~32 characters
Default Value: None
USERA BSC691 MOD MRFD- Security Meaning: Equipment description in the generic
DDINF 0 CERTR 210305 Manage certificate name. The parameter value can contain only
O EQ ment letters, digits, spaces, and the following characters: ()
+-./:?. The original parameter settings remain
unchanged if the parameter is left unspecified. The
original parameter settings are cleared if a space is
entered.
GUI Value Range: 0~32 characters
Unit: None
Actual Value Range: 0~32 characters
Default Value: None
COUNT BSC690 MOD MRFD- Security Meaning: Country where the device is located. The
RY 0 CERTR 210305 Manage parameter value must be two English characters or one
EQ ment space. The original parameter settings remain
unchanged if the parameter is left unspecified. The
original parameter settings are cleared if a space is
entered.
GUI Value Range: 0~2 characters
Unit: None
Actual Value Range: 0~2 characters
Default Value: None
COUNT BSC691 MOD MRFD- Security Meaning: Country where the device is located. The
RY 0 CERTR 210305 Manage parameter value must be two English characters or one
EQ ment space. The original parameter settings remain
unchanged if the parameter is left unspecified. The
original parameter settings are cleared if a space is
entered.
GUI Value Range: 0~2 characters
Unit: None
Actual Value Range: 0~2 characters
Default Value: None
ORG BSC690 MOD MRFD- Security Meaning: Organization to which the device belongs.
0 CERTR 210305 Manage The parameter value can contain only letters, digits,
EQ ment spaces, and the following characters: ()+-./:?. The
original parameter settings remain unchanged if the
parameter is left unspecified. The original parameter
settings are cleared if a space is entered.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: None
ORG BSC691 MOD MRFD- Security Meaning: Organization to which the device belongs.
0 CERTR 210305 Manage The parameter value can contain only letters, digits,
EQ ment spaces, and the following characters: ()+-./:?. The
original parameter settings remain unchanged if the
parameter is left unspecified. The original parameter
settings are cleared if a space is entered.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: None
ORGUN BSC690 MOD MRFD- Security Meaning: Organization unit to which the device
IT 0 CERTR 210305 Manage belongs. The parameter value can contain only letters,
EQ ment digits, spaces, and the following characters: ()+-./:?. The
original parameter settings remain unchanged if the
parameter is left unspecified. The original parameter
settings are cleared if a space is entered.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: None
ORGUN BSC691 MOD MRFD- Security Meaning: Organization unit to which the device
IT 0 CERTR 210305 Manage belongs. The parameter value can contain only letters,
EQ ment digits, spaces, and the following characters: ()+-./:?. The
original parameter settings remain unchanged if the
parameter is left unspecified. The original parameter
settings are cleared if a space is entered.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: None
STATE BSC690 MOD MRFD- Security Meaning: State or province where the device is located.
PROVI 0 CERTR 210305 Manage The parameter value can contain only letters, digits,
NCENA EQ ment spaces, and the following characters: ()+-./:?. The
ME original parameter settings remain unchanged if the
parameter is left unspecified. The original parameter
settings are cleared if a space is entered.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
STATE BSC691 MOD MRFD- Security Meaning: State or province where the device is located.
PROVI 0 CERTR 210305 Manage The parameter value can contain only letters, digits,
NCENA EQ ment spaces, and the following characters: ()+-./:?. The
ME original parameter settings remain unchanged if the
parameter is left unspecified. The original parameter
settings are cleared if a space is entered.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
LOCAL BSC690 MOD MRFD- Security Meaning: Specific position where the device is located.
ITY 0 CERTR 210305 Manage The parameter value can contain only letters, digits,
EQ ment spaces, and the following characters: ()+-./:?. The
original parameter settings remain unchanged if the
parameter is left unspecified. The original parameter
settings are cleared if a space is entered.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
LOCAL BSC691 MOD MRFD- Security Meaning: Specific position where the device is located.
ITY 0 CERTR 210305 Manage The parameter value can contain only letters, digits,
EQ ment spaces, and the following characters: ()+-./:?. The
original parameter settings remain unchanged if the
parameter is left unspecified. The original parameter
settings are cleared if a space is entered.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
LOCAL BSC690 MOD MRFD- Security Meaning: Local IP address of the device. The original
IP 0 CERTR 210305 Manage parameter settings remain unchanged if the parameter
EQ ment is left unspecified. The original parameter settings are
cleared if 0.0.0.0 is entered.
GUI Value Range: Valid IP Address
Unit: None
Actual Value Range: Valid IP Address
Default Value: None
LOCAL BSC691 MOD MRFD- Security Meaning: Local IP address of the device. The original
IP 0 CERTR 210305 Manage parameter settings remain unchanged if the parameter
EQ ment is left unspecified. The original parameter settings are
cleared if 0.0.0.0 is entered.
GUI Value Range: Valid IP Address
Unit: None
Actual Value Range: Valid IP Address
Default Value: None
MODE BSC690 ADD WRFD- RNC Meaning: Configuration mode of the source IP address
0 CA 160276 Supporti that is used for updating the certificate. When this
MOD ng PKI parameter is set to DEFAULT_MODE, the source IP
CA address used for updating the certificate does not need
to be configured. The system uses the OM IP to apply
for and update the certificate. When this parameter is set
to CFG_UPD_SIP, the source IP address used for
updating the certificate must be configured. The system
uses the configured source IP address to apply for and
update the certificate.
GUI Value Range: DEFAULT_MODE
(DEFAULT_MODE), CFG_UPD_SIP
(CFG_UPD_SIP)
Unit: None
Actual Value Range: DEFAULT_MODE,
CFG_UPD_SIP
Default Value: DEFAULT_MODE
(DEFAULT_MODE)
MODE BSC691 ADD WRFD- RNC Meaning: Configuration mode of the source IP address
0 CA 160276 Supporti that is used for updating the certificate. When this
MOD ng PKI parameter is set to DEFAULT_MODE, the source IP
CA address used for updating the certificate does not need
to be configured. The system uses the OM IP to apply
for and update the certificate. When this parameter is set
to CFG_UPD_SIP, the source IP address used for
updating the certificate must be configured. The system
uses the configured source IP address to apply for and
update the certificate.
GUI Value Range: DEFAULT_MODE
(DEFAULT_MODE), CFG_UPD_SIP
(CFG_UPD_SIP)
Unit: None
Actual Value Range: DEFAULT_MODE,
CFG_UPD_SIP
Default Value: DEFAULT_MODE
(DEFAULT_MODE)
APPCE BSC690 ADD MRFD- Security Meaning: File name of the device certificate file.
RT 0 CERTM 210305 Manage GUI Value Range: 1~64 characters
K ment
Unit: None
RMV
CERTM Actual Value Range: 1~64 characters
K Default Value: None
APPCE BSC691 ADD MRFD- Security Meaning: File name of the device certificate file.
RT 0 CERTM 210305 Manage GUI Value Range: 1~64 characters
K ment
Unit: None
RMV
CERTM Actual Value Range: 1~64 characters
K Default Value: None
APPTY BSC690 MOD MRFD- Security Meaning: Application type of the device certificate.
PE 0 APPCE 210305 Manage Only SSL is supported at present.
RT ment GUI Value Range: SSL(SSL)
Unit: None
Actual Value Range: SSL
Default Value: SSL(SSL)
APPTY BSC691 MOD MRFD- Security Meaning: Application type of the device certificate.
PE 0 APPCE 210305 Manage Only SSL is supported at present.
RT ment GUI Value Range: SSL(SSL)
Unit: None
Actual Value Range: SSL
Default Value: SSL(SSL)
APPCE BSC690 MOD MRFD- Security Meaning: File name of the device certificate file.
RT 0 APPCE 210305 Manage GUI Value Range: 1~64 characters
RT ment
Unit: None
Actual Value Range: 1~64 characters
Default Value: None
APPCE BSC691 MOD MRFD- Security Meaning: File name of the device certificate file.
RT 0 APPCE 210305 Manage GUI Value Range: 1~64 characters
RT ment
Unit: None
Actual Value Range: 1~64 characters
Default Value: None
ISENA BSC690 SET MRFD- Security Meaning: Whether the task of checking the certificate
BLE 0 CERTC 210305 Manage validity is started.
HKTSK ment GUI Value Range: DISABLE(Disable), ENABLE
(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: ENABLE(Enable)
ISENA BSC691 SET MRFD- Security Meaning: Whether the task of checking the certificate
BLE 0 CERTC 210305 Manage validity is started.
HKTSK ment GUI Value Range: DISABLE(Disable), ENABLE
(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: ENABLE(Enable)
PERIO BSC690 SET MRFD- Security Meaning: Period of checking the certificate validity.
D 0 CERTC 210305 Manage The value of this parameter must be smaller than or
HKTSK ment equal to the value of the ALMRNG parameter.
GUI Value Range: 1~15
Unit: day
Actual Value Range: 1~15
Default Value: 7
PERIO BSC691 SET MRFD- Security Meaning: Period of checking the certificate validity.
D 0 CERTC 210305 Manage The value of this parameter must be smaller than or
HKTSK ment equal to the value of the ALMRNG parameter.
GUI Value Range: 1~15
Unit: day
Actual Value Range: 1~15
Default Value: 7
ALMR BSC690 SET MRFD- Security Meaning: When the MBSC detects that the time
NG 0 CERTC 210305 Manage between the current time and the expiry time of the
HKTSK ment loaded certificate is less than this threshold, a certificate
expiry alarm is reported.
GUI Value Range: 7~180
Unit: day
Actual Value Range: 7~180
Default Value: 30
ALMR BSC691 SET MRFD- Security Meaning: When the MBSC detects that the time
NG 0 CERTC 210305 Manage between the current time and the expiry time of the
HKTSK ment loaded certificate is less than this threshold, a certificate
expiry alarm is reported.
GUI Value Range: 7~180
Unit: day
Actual Value Range: 7~180
Default Value: 30
CERTN BSC690 ADD MRFD- Security Meaning: File name of the CRL.
AME 0 CRL 210305 Manage GUI Value Range: 1~64 characters
RMV ment
Unit: None
CRL
Actual Value Range: 1~64 characters
Default Value: None
CERTN BSC691 ADD MRFD- Security Meaning: File name of the CRL.
AME 0 CRL 210305 Manage GUI Value Range: 1~64 characters
RMV ment
Unit: None
CRL
Actual Value Range: 1~64 characters
Default Value: None
SIP BSC690 ADD WRFD- RNC Meaning: Source IP address for downloading CRL files.
0 CRLTS 160276 Supporti The setting of this parameter must ensure proper
K ng PKI communication between the OMU and the CA. If not,
use the default value 0.0.0.0. If the OMU works in
active/standby mode, the external fixed IP address
cannot be set. If it is set, the OMU cannot communicate
properly with the CA after a switchover between the
active and standby OMUs.
GUI Value Range: Valid IP Address
Unit: None
Actual Value Range: Valid IP Address
Default Value: 0.0.0.0
SIP BSC691 ADD WRFD- RNC Meaning: Source IP address for downloading CRL files.
0 CRLTS 160276 Supporti The setting of this parameter must ensure proper
K ng PKI communication between the OMU and the CA. If not,
use the default value 0.0.0.0. If the OMU works in
active/standby mode, the external fixed IP address
cannot be set. If it is set, the OMU cannot communicate
properly with the CA after a switchover between the
active and standby OMUs.
GUI Value Range: Valid IP Address
Unit: None
Actual Value Range: Valid IP Address
Default Value: 0.0.0.0
11 Counters
12 Glossary
13 Reference Documents