
SSL (Sran8.0 02)

SSL

Uploaded by

tadjouamina

SingleRAN

SSL Feature Parameter Description

Issue 02
Date 2013-07-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 02 (2013-07-30) Huawei Proprietary and Confidential i



Contents

1 About This Document
1.1 Scope
1.2 Intended Audience
1.3 Change History

2 Overview
2.1 Introduction
2.2 Benefits
2.3 Application

3 Technical Description
3.1 SSL Protocol Stack
3.2 Procedure for Establishing an SSL Connection

4 SSL Application Scenarios
4.1 OM Channel
4.1.1 OM Channel Between the Base Station and the M2000
4.1.2 OM Channel Between the Base Station Controller and the M2000
4.2 FTP Transmission
4.3 HTTP Transmission

5 Related Features
5.1 Features Related to SSL (eGBTS Side)
5.2 Features Related to SSL (NodeB Side)
5.3 Features Related to SSL (eNodeB Side)
5.4 Features Related to SSL (Base Station Controller Side)

6 Network Impact

7 Engineering Guidelines on the Base Station Side
7.1 When to Use SSL
7.2 Required Information
7.3 Planning
7.4 Deployment
7.4.1 Requirements
7.4.2 Data Preparation
7.4.3 Precautions
7.4.4 Hardware Adjustment
7.4.5 Initial Configuration
7.4.6 Activation Observation
7.4.7 Reconfiguration
7.5 Configuring the OM Channel on the M2000
7.6 Performance Monitoring
7.7 Parameter Optimization
7.8 Troubleshooting

8 Engineering Guidelines on the Base Station Controller Side
8.1 When to Use SSL
8.2 Required Information
8.3 Planning
8.4 Deployment
8.4.1 Requirements
8.4.2 Data Preparation
8.4.3 Precautions
8.4.4 Hardware Adjustment
8.4.5 Initial Configuration
8.4.6 Activation Observation
8.4.7 Reconfiguration
8.5 Configuring the OM Channel on the M2000
8.6 Performance Monitoring
8.7 Parameter Optimization
8.8 Troubleshooting

9 Parameters
10 Counters
11 Glossary
12 Reference Documents


1 About This Document

1.1 Scope
This document describes SingleRAN Security Socket Layer (SSL), including its technical
principles, related features, network impact, and engineering guidelines.

This document covers the following features:

• GBFD-113522 Encrypted Network Management
• MRFD-210305 Security Management
• LBFD-004003 Security Socket Layer

1.2 Intended Audience


This document is intended for personnel who:

• Need to understand the features described herein
• Work with Huawei products

1.3 Change History


This section provides information about the changes in different document versions. There are
two types of changes, which are defined as follows:

• Feature change
  Changes in features of a specific product version
• Editorial change
  Changes in wording or addition of information that was not described in the earlier version

02 (2013-07-30)
This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | None | None |
| Editorial change | Added section 5.4 Features Related to SSL (Base Station Controller Side). Deleted the descriptions of SSL supported by micro base stations. | None |

01 (2013-04-28)
This issue does not include any changes.

Draft B (2013-04-10)
This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | Implemented SSL on micro base stations. | None |
| Editorial change | Improved document description. | None |

Draft A (2012-12-30)
This document is created for SRAN8.0.


2 Overview

2.1 Introduction
SSL is a protocol that provides end-to-end communication security by encrypting segments of
network connections at the Application Layer for the Transport Layer that complies with the
TCP protocol. SSL provides security protection for high-layer application protocols, such as
Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Telecommunication
Network Protocol (Telnet).

The SSL protocol is the predecessor of Transport Layer Security (TLS). SSL/TLS versions
include SSL1.0, SSL2.0, SSL3.0, TLS1.0, TLS1.1, and TLS1.2. SRAN8.0 supports SSL3.0,
TLS1.0, TLS1.1, and TLS1.2. Higher versions are backward compatible with lower versions.

In this document, SSL is used as a collective name for SSL and TLS.

2.2 Benefits
SSL ensures secure communication between the client and the server by establishing an SSL
connection. SSL provides the following security functions:

• Confidentiality: SSL encrypts data transmitted between communication parties to prevent
  eavesdropping.
• Authentication: The communication parties must authenticate each other before
  establishing an SSL connection.
• Integrity: SSL provides integrity protection for data transmitted between the
  communication parties so that the data is not tampered with during transmission.

2.3 Application
SSL can be used to provide protection for:

• The OM channel between the base station and the M2000 or between the base station
  controller and the M2000.
• The FTP connection between the base station and the M2000 or between the base station
  controller and the M2000.
• The HTTP connection between the base station and the LMT or between the base station
  controller and the LMT.
NOTE

Unless otherwise specified, the base station controller in this document is a generic term for GSM and
UMTS modes.
The FTPS components of the M2000 do not support TLS1.2. Therefore, the connection between an NE
and the M2000 does not support TLS1.2.

For detailed descriptions about the application scenarios, see 4 SSL Application Scenarios.


3 Technical Description

3.1 SSL Protocol Stack


The SSL protocol stack consists of two protocol layers: the record layer and the handshake layer,
as shown in Figure 3-1.

Figure 3-1 SSL protocol stack

• Record layer
  The record layer receives data from the application layer or transmits data to the application
  layer. In addition, the record layer performs security-related operations, such as
  compression/decompression, encryption/decryption, and message authentication code
  (MAC) computation.
• Handshake layer
  The handshake layer consists of three protocols:
  – Handshake protocol
    The handshake protocol establishes a security channel between the communication
    parties before data transmission begins. During the handshake procedure, the
    communication parties authenticate each other, select encryption algorithms, generate
    keys, and initialize vectors.
  – ChangeCipherSpec protocol
    After the communication parties agree on a set of new keys, each party sends a
    ChangeCipherSpec message to notify the other party that subsequent messages will be
    protected under the newly negotiated keys.
  – Alert protocol
    An alert message conveys the severity of the alert. If there is a fatal alert message, the
    SSL connection is immediately terminated.

3.2 Procedure for Establishing an SSL Connection


The procedure for establishing an SSL connection consists of two phases: the handshake phase
and the data transmission phase. Before data transmission, the client initiates an SSL handshake
with the server. If the SSL handshake is successful, data is fragmented into protected records
for transmission.

The purposes of the SSL handshake are as follows:

1. The client and the server agree on a set of encryption algorithms, integrity check algorithms,
and keys for the algorithms to secure data transmission.
2. The communication parties can choose whether to authenticate each other.

Figure 3-2 describes the general message exchange process between the client and the server
during an SSL handshake.


Figure 3-2 General message exchange process between the client and the server during an SSL
handshake

The general message exchange process is described as follows:

1. The client sends a ClientHello message to the server. This message contains the following
information: SSL version, encryption algorithms, signature algorithms, key exchange
algorithms, and MAC algorithms supported by the client.
2. Upon receiving the ClientHello message, the server responds with a ServerHello message.
The ServerHello message contains the SSL version and algorithms selected by the server.
3. (Optional) If the client requests server authentication, the key exchange algorithm field in
the ClientHello message sent in Step 1 instructs the server to send its certificate. The server
then sends a Certificate message containing its certificate to the client.
4. (Optional) If the client does not request server authentication, the server sends a
ServerKeyExchange message to the client. The key contained in this message is used to
encrypt the ClientKeyExchange message sent later in Step 8. If the client requests server
authentication but the Certificate message sent by the server does not contain complete key
information, the server sends a ServerKeyExchange message to the client to supplement
the key information.
5. (Optional) If the server requests client authentication, the server sends a CertificateRequest
message to the client.
6. The server sends the client a ServerHelloDone message, notifying the client that the
handshake is complete.


7. (Optional) If the client receives a CertificateRequest message from the server, the client
sends a Certificate message containing its certificate to the server.
8. The client sends a ClientKeyExchange message to the server. This message contains the
data for generating the keys for encryption algorithms and integrity check algorithms. The
data is encrypted using the key information described in Step 4.
9. (Optional) If the client receives a CertificateRequest message from the server, the client
sends a CertificateVerify message which is signed by the private key associated with its
certificate to the server.
10. The client sends the server a ChangeCipherSpec message, notifying the server that the client
will use the negotiated algorithms for subsequent communications.
11. The client sends a Finished message to the server. The message is the first message that is
sent by the client and that is protected by using the negotiated algorithms. This message
contains the MAC of all messages transmitted during the handshake. The MAC is used to
check whether handshake messages have been tampered with during transmission.
12. The server sends the client a ChangeCipherSpec message, notifying the client that the server
will use the negotiated algorithms for subsequent communications.
13. The server sends the client a Finished message. The message is the first message that is
sent by the server and that is protected by using the negotiated algorithms.

After the handshake phase is complete, the client and the server begin to transmit data with SSL
protection.

For details about SSL, see the following protocols:

• RFC 6101 for SSL3.0
• RFC 2246 for TLS1.0
• RFC 4346 for TLS1.1
• RFC 5246 for TLS1.2
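
Added example (not part of the Huawei document): a minimal parser that walks the record layer and the plaintext handshake messages of a captured exchange, then reports the version the server selected and whether each side presented a certificate. The function names and the sample capture are constructed for illustration; the numeric type codes are the ones defined in the RFCs listed above, and the capture is assumed to be already split into per-direction flights.

```python
import struct

# Record-layer content types (section 3.1) and handshake message types (section 3.2).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}
VERSIONS = {(3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}

def parse_records(data):
    """Split a byte stream into (content_type, fragment) record-layer units."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", data, pos)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        fragment = data[pos + 5:pos + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        records.append((ctype, fragment))
        pos += 5 + length
    return records

def parse_handshake(buf):
    """Split reassembled plaintext handshake bytes into (name, body) messages."""
    msgs, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated handshake message")
        length = int.from_bytes(buf[pos + 1:pos + 4], "big")
        body = buf[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        msgs.append((HANDSHAKE_TYPES.get(buf[pos], f"unknown({buf[pos]})"), body))
        pos += 4 + length
    return msgs

def summarize(flights):
    """Summarize a capture given as [(sender, bytes), ...], sender 'client' or 'server'."""
    encrypted = {"client": False, "server": False}
    sequence, version = [], None
    for sender, data in flights:
        pending = b""  # plaintext handshake bytes; one message may span several records
        for ctype, fragment in parse_records(data) + [(None, b"")]:  # sentinel flushes
            if ctype == 22 and not encrypted[sender]:
                pending += fragment
                continue
            for name, body in parse_handshake(pending):
                sequence.append((sender, name))
                if name == "ServerHello" and len(body) >= 2:
                    # The body starts with the version the server selected (step 2).
                    version = VERSIONS.get((body[0], body[1]), "unknown")
            pending = b""
            if ctype == 20:
                encrypted[sender] = True  # everything this sender sends next is protected
                sequence.append((sender, "ChangeCipherSpec"))
            elif ctype == 22:
                # After ChangeCipherSpec the type byte is ciphertext; the first such
                # record is the Finished message of steps 11 and 13.
                sequence.append((sender, "EncryptedHandshake"))
            elif ctype is not None:
                sequence.append((sender, CONTENT_TYPES[ctype]))
    return {
        "sequence": sequence,
        "version": version,
        "server_cert_sent": ("server", "Certificate") in sequence,
        "client_cert_requested": ("server", "CertificateRequest") in sequence,
        "client_cert_proved": ("client", "CertificateVerify") in sequence,
    }

def make_record(ctype, payload, version=(3, 2)):
    """Build one record: type, version, 2-byte length, payload (sample data only)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload

def make_handshake(mtype, body=b""):
    """Build one handshake message: type, 3-byte length, body (sample data only)."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def sample_mutual_auth_capture():
    """Constructed capture: both sides present certificates, TLS1.1 selected.
    Message bodies are dummy bytes, not real certificates or keys."""
    server_flight = (make_handshake(2, b"\x03\x02" + bytes(36)) + make_handshake(11, bytes(10))
                     + make_handshake(13, bytes(4)) + make_handshake(14))
    return [
        ("client", make_record(22, make_handshake(1, b"\x03\x03" + bytes(40)), (3, 1))),
        # Server flight split across two records to exercise reassembly.
        ("server", make_record(22, server_flight[:30]) + make_record(22, server_flight[30:])),
        ("client", make_record(22, make_handshake(11, bytes(10)) + make_handshake(16, bytes(8))
                               + make_handshake(15, bytes(8)))
                   + make_record(20, b"\x01") + make_record(22, bytes(40))),
        ("server", make_record(20, b"\x01") + make_record(22, bytes(40))),
    ]

if __name__ == "__main__":
    result = summarize(sample_mutual_auth_capture())
    for sender, name in result["sequence"]:
        print(f"{sender:>6} -> {name}")
    print({k: v for k, v in result.items() if k != "sequence"})
```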


4 SSL Application Scenarios

4.1 OM Channel
SSL can be used to secure the data transmitted on the OM channel between the base station and
the M2000, and between the base station controller and the M2000.

4.1.1 OM Channel Between the Base Station and the M2000


Figure 4-1 shows a typical network topology in which SSL is applied to the OM channel between
the base station and the M2000. In this network topology, IPsec is not used to protect the OM
channel.

Figure 4-1 Network topology for SSL applied to the OM channel between the base station and
the M2000

CRL: certificate revocation list
DMZ: demilitarized zone
RA: registration authority
CA: certificate authority

Before you configure SSL in this application scenario, you must set the connection type between
the M2000 and the base station to SSL and set the authentication method to "authenticate the
peer end" on the M2000. In addition, preconfigure the operator-issued device certificate and the
operator's root certificate on the M2000.

NOTE

Before establishing an SSL connection, the base station needs to obtain the operator-issued device
certificate and the operator's root certificate from the operator's public key infrastructure (PKI) system. For
details about how to obtain the certificates, see PKI Feature Parameter Description.

The process of establishing an SSL connection is as follows:

Step 1 The base station and the M2000 establish a TCP connection.

Step 2 The M2000 functions as an SSL client and initiates an SSL handshake with the base station.

Step 3 The M2000 authenticates the base station using the specified authentication method during the
SSL handshake. Whether the base station authenticates the M2000 depends on the configuration
file of the base station. After the authentication is successful, the base station and the M2000
establish an OM channel protected by SSL.

----End

NOTE

When using plug and play (PnP) for base station deployment, the M2000 can choose whether to authenticate
the base station. The base station does not authenticate the M2000 by default.
When an OM channel is protected by IPSec, the process of establishing an SSL connection on the OM
channel is the same as the previously mentioned process.

The SSL authentication method of the OM channel between the base station and the M2000 is
determined by both the M2000 and the base station, as described in Table 4-1.

Table 4-1 SSL authentication method of the OM channel between the base station and the M2000

| SSL Authentication Method | Configuration on the M2000 Side | Configuration on the Base Station Side | Deployment Requirements | Application Scenario |
|---|---|---|---|---|
| The base station and the M2000 do not authenticate each other. | Anonymous Authentication | The AUTHMODE parameter is set to NONE(Verify None). | None | Routine maintenance and base station deployment by PnP |
| Only the M2000 authenticates the base station. | OSS Authentication NE | The AUTHMODE parameter is set to NONE(Verify None). | Any of the following conditions is met: • The base station is preconfigured with the Huawei-issued device certificate and Huawei root certificate. The M2000 is preconfigured with the Huawei root certificate. • The base station is preconfigured with the operator-issued device certificate and the operator's root certificate. The M2000 is preconfigured with the operator's root certificate. | Routine maintenance and base station deployment by PnP |
| The base station and the M2000 authenticate each other. | OSS Authentication NE | The AUTHMODE parameter is set to PEER(Verify Peer Certificate). | Any of the following conditions is met: • Both the base station and the M2000 are preconfigured with Huawei-issued device certificates and Huawei root certificates. • Both the base station and the M2000 are preconfigured with operator-issued device certificates and operator's root certificates. | Routine maintenance |
| Only the base station authenticates the M2000. | NE Authentication OSS | The AUTHMODE parameter is set to PEER(Verify Peer Certificate). | Any of the following conditions is met: • The base station is preconfigured with the Huawei root certificate. The M2000 is preconfigured with the Huawei-issued device certificate and Huawei root certificate. • The base station is preconfigured with the operator's root certificate. The M2000 is preconfigured with the operator-issued device certificate and the operator's root certificate. | Routine maintenance |

NOTE

When the PKI system is deployed in the operator's network, it is recommended that the base station and
the M2000 use operator-issued device certificates to authenticate each other.
When no PKI system is deployed in the operator's network, the base station and the M2000 can use only
Huawei-issued device certificates to authenticate each other or they do not authenticate each other.

The configuration of SSL authentication on the base station side is as follows:


• The AUTHMODE parameter specifies the authentication method used by the SSL
  handshake between the base station and the M2000.
  – When AUTHMODE is set to NONE(Verify None), the base station does not
    authenticate the M2000.
  – When AUTHMODE is set to PEER(Verify Peer Certificate), the base station
    authenticates the M2000.
• To use SSL on the OM channel, set the APPTYPE parameter to SSL, and set the
  APPCERT parameter to specify the device certificates used for SSL authentication.

OM Channel of a Single-Mode Base Station (eGBTS, NodeB, or eNodeB)


Figure 4-2 shows a network topology in which SSL is applied to the OM channel between a
single-mode base station and the M2000. SSL is based on the TCP protocol, whereas the OM
data of the GBTS is encapsulated in UDP packets. Therefore, SSL does not apply to the GBTS.

Figure 4-2 Network topology for SSL applied to the OM channel between a single-mode base
station and the M2000

The WMPT, which is the main control board of the NodeB, does not support certificate
deployment. If the M2000 chooses to authenticate the NodeB, the WMPT must share the
certificates of the UTRPc. For details about certificate sharing, see PKI Feature Parameter
Description.


OM Channel of a Separate-MPT Multimode Base Station


When SSL is applied to the OM channels of a separate-MPT multimode base station, an SSL
connection needs to be established between each mode and the M2000. If a certain mode of the
base station wants to use SSL authentication and no certificates are configured on the main
control board of the mode, this main control board must share the certificates of another board
through the backplane.

Figure 4-3 uses the scenario in which different modes of a separate-MPT GSM/UMTS/LTE
multimode base station share the same IPSec tunnel as an example to describe certificate sharing.

Figure 4-3 Network topology for SSL applied to the OM channels between the separate-MPT GSM/UMTS/LTE
multimode base station and the M2000

As shown in Figure 4-2, the operator-issued device certificate and the operator's root certificate
of multimode base station 1 are deployed on the UMPT_L. If the NodeB and the M2000 want
to establish an SSL connection and the operator-issued device certificate will be used for
authentication, the UMPT_U needs to share the certificates of the UMPT_L through the backplane.
The operator-issued device certificate and the operator's root certificate of multimode base
station 2 are deployed on the UTRPc. If two SSL connections need to be established between
the NodeB and the M2000 and between the eNodeB and the M2000, and the operator-issued
device certificate will be used for authentication, then the UMPT_U and UMPT_L need to share
the certificates of the UTRPc through the backplane.

OM Channel of a Co-MPT Multimode Base Station


When SSL is applied to the OM channel of a co-MPT multimode base station, there is only one
OM channel between the base station and the M2000, as shown in Figure 4-4. In this scenario,
the SSL function is implemented by the UMPT_GUL.


Figure 4-4 Network topology for SSL applied to the OM channel between the co-MPT multimode base station and
the M2000

For a hybrid-MPT multimode base station, OM channels need to be established between each
separate-MPT main control board and the M2000, and between the co-MPT main control board
and the M2000.

4.1.2 OM Channel Between the Base Station Controller and the M2000

Whether SSL is applied to the OM channel between the base station controller and the M2000
depends on the setting of connection type on the M2000 side. The SSL authentication method
of the OM channel depends on the data configuration on both the M2000 and the base station
controller sides, as described in Table 4-2.

Table 4-2 SSL authentication method of the OM channel between the base station controller
and the M2000

| SSL Authentication Method | Configuration on the M2000 Side | Configuration on the Base Station Controller Side | Deployment Requirement |
| --- | --- | --- | --- |
| The base station controller and the M2000 do not authenticate each other. | Anonymous Authentication | The AUTHMODE parameter is set to NONE(Verify None). | Both the base station controller and the M2000 support the same anonymous authentication algorithm. |
| Only the M2000 authenticates the base station controller. | OSS Authentication NE | The AUTHMODE parameter is set to NONE(Verify None). | The OMU board of the base station controller is preconfigured with the Huawei-issued device certificate and the Huawei root certificate. The M2000 is preconfigured with the Huawei root certificate. |
| The base station controller and the M2000 authenticate each other. | OSS Authentication NE | The AUTHMODE parameter is set to PEER(Verify Peer Certificate). | Both the M2000 and the OMU board of the base station controller are preconfigured with the Huawei-issued device certificate and the Huawei root certificate. |
| Only the base station controller authenticates the M2000. | NE Authentication OSS | The AUTHMODE parameter is set to PEER(Verify Peer Certificate). | The OMU board of the base station controller is preconfigured with the Huawei root certificate. The M2000 is preconfigured with the Huawei-issued device certificate and the Huawei root certificate. |

From SRAN7.0 onwards, the base station controller is preconfigured with a Huawei-issued device
certificate and a Huawei root certificate before delivery. All base station controllers are
preconfigured with the same Huawei-issued device certificate and the same Huawei root
certificate.
If the base station controller is not preconfigured with the Huawei-issued device certificate or
the Huawei root certificate but the M2000 requests to authenticate the base station controller, the
base station controller and the M2000 first establish a non-SSL-protected OM channel or an OM
channel with SSL anonymous authentication. Then, the engineering personnel obtain the
Huawei-issued device certificate and Huawei root certificate for the base station controller from
the website http://support.huawei.com. Then, they configure these certificates on the base
station controller by using the certificate management function on the M2000. Finally, the
engineering personnel modify the SSL connection type and authentication method on both the
M2000 and the base station controller sides.

For details about certificates for the base station controller, see Base Station Controller
Equipment and OM Security Feature Parameter Description.

4.2 FTP Transmission


Both base stations and base station controllers support FTP over SSL (FTPS) and can be
configured with the FTPS state firewall function. When a state firewall is configured, this
function enables an FTP client to send a message that switches the transmission mode of the
control connection channel to plaintext. In this way, the state firewall can identify and
dynamically open the port required for FTPS transmission.

Table 4-3 describes the application scenarios for FTPS.

Table 4-3 Application scenarios for FTPS

| Application Scenario | Description |
| --- | --- |
| The base station functions as the FTPS client. | The ENCRYMODE parameter specifies the transmission encryption mode of the base station. The SSLCERTAUTH parameter specifies whether to perform SSL authentication on the FTPS server. The SPTSTATEFWL parameter specifies whether an FTPS connection can be set up when a state firewall is configured. |
| The base station controller functions as the FTPS client. | The ENCRYMODE(BSC6900,BSC6910) parameter specifies the transmission encryption mode of the base station controller. The SSLCERTAUTH(BSC6900,BSC6910) parameter specifies whether to perform SSL authentication on the FTPS server. The SPTSTATEFWL(BSC6900,BSC6910) parameter specifies whether an FTPS connection can be set up when a state firewall is configured. |
| The base station controller functions as the FTPS server. | The ENCRYMODE(BSC6900,BSC6910) parameter specifies the transmission encryption mode of the base station controller. |

FTPS is mainly applicable to the file transmission between the base station and the M2000,
between the base station and the base station controller, and between the base station controller
and the M2000.

NOTE

The certificates used for FTPS authentication are the same as those used for SSL authentication of the OM
channel.

4.3 HTTP Transmission


Both the base station and the base station controller support HTTP over SSL (HTTPS). HTTPS
is applicable to the communication between the base station and the LMT and between the base
station controller and the LMT.
The POLICY parameter specifies the login policy of the LMT for the base station and the base
station controller. Table 4-4 provides the mapping between the value of the POLICY parameter
and the login policy of the LMT.

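Table 4-4 Mapping between the value of the POLICY parameter and the login policy of the
LMT

| Value of the POLICY Parameter | Input to the IE Address Bar | Displayed in the Login Page | Displayed in the LMT Operation Window | Policy Description |
| --- | --- | --- | --- | --- |
| COMPATIBLE | HTTP | HTTP | HTTP | Compatibility mode |
| COMPATIBLE | HTTPS | HTTPS | HTTPS | Compatibility mode |
| HTTPS_ONLY | HTTP | HTTPS | HTTPS | HTTPS connection is used for both the login page and the LMT operation window |
| HTTPS_ONLY | HTTPS | HTTPS | HTTPS | HTTPS connection is used for both the login page and the LMT operation window |
| LOGIN_HTTPS_ONLY | HTTP | HTTPS | HTTP | HTTPS connection is used only for the login page |
| LOGIN_HTTPS_ONLY | HTTPS | HTTPS | HTTP | HTTPS connection is used only for the login page |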


NOTE

The default value of the POLICY parameter is HTTPS_ONLY, indicating that HTTPS must be used in
both the login page and the LMT operation window.
The certificates used for HTTPS authentication are the same as those used for SSL authentication of the
OM channel. The corresponding root certificate must be preconfigured on the LMT. Otherwise, when you
attempt to log in to the LMT, a dialog box is displayed, indicating that the certificate is unreliable and
asking whether to continue. If you select Yes, you can log in to the LMT.

HTTPS can also apply to the Certificate Management Protocol v2 (CMPv2) message interaction
between the base station and the Certificate Authority (CA) server.


5 Related Features

5.1 Features Related to SSL (eGBTS Side)


Prerequisite Features
This feature requires the GBFD-118601 Abis over IP feature.

When certificates are required for SSL authentication, this feature requires the GBFD-113526
BTS Supporting PKI feature.

Mutually Exclusive Features


None

Impacted Features
None

5.2 Features Related to SSL (NodeB Side)


Prerequisite Features
When certificates are required for SSL authentication, this feature requires the WRFD-140210
NodeB PKI Support feature.

Mutually Exclusive Features


None

Impacted Features
None


5.3 Features Related to SSL (eNodeB Side)


Prerequisite Features
When certificates are required for SSL authentication, this feature requires the LOFD-003010
Public Key Infrastructure(PKI) feature.

Mutually Exclusive Features


None

Impacted Features
None

5.4 Features Related to SSL (Base Station Controller Side)


Prerequisite Features
None

Mutually Exclusive Features


None

Impacted Features
None


6 Network Impact

System Capacity
No impact.

Network Performance
When SSL is used to provide encryption and integrity protection, the network bandwidth
utilization decreases slightly. For example, if the application-layer data length is 500 bytes and
the encryption algorithm and integrity check algorithm are 3DES and SHA1, respectively, the
network bandwidth utilization decreases by 4%. 3DES stands for Triple Data Encryption
Standard and SHA1 stands for Secure Hash Algorithm 1.


7 Engineering Guidelines on the Base Station Side

7.1 When to Use SSL


When operators use the public IP network to carry wireless services, the public IP network cannot
ensure transmission security. In this case, it is recommended that SSL be used to provide
transmission security for the OM channel.

When certificates are required for SSL authentication, the PKI feature must be activated on the
base station side. For details about how to activate the PKI feature, see PKI Feature Parameter
Description.

7.2 Required Information


If the operator-issued device certificate is required for SSL authentication, deploy the PKI system
in the network. For the data required for deploying the PKI feature, see PKI Feature Parameter
Description.

7.3 Planning
RF Planning
N/A

Network Planning
N/A

Hardware Planning
Table 7-1 describes the hardware required for deploying SSL on eGBTSs, NodeBs, and
eNodeBs.


Table 7-1 Hardware required for deploying SSL on eGBTSs, NodeBs, and eNodeBs

| NE | Board Configuration | Board That Provides a Port for Connecting the Base Station to the Transport Network | Port Type |
| --- | --- | --- | --- |
| eGBTS | UMPT | UMPT | Ethernet port |
| eGBTS | UMPT+UTRPc | UTRPc | Ethernet port |
| NodeB | WMPT or UMPT | WMPT or UMPT | Ethernet port |
| NodeB | WMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port |
| eNodeB | LMPT or UMPT | LMPT or UMPT | Ethernet port |
| eNodeB | LMPT+UTRPc or UMPT+UTRPc | UTRPc | Ethernet port |

7.4 Deployment

7.4.1 Requirements
- If the operator-issued device certificate is used for SSL authentication, the PKI system
  needs to be deployed in the network and the PKI feature needs to be activated on the base
  station side. For details about how to deploy the PKI system, see PKI Feature Parameter
  Description.
- If the Huawei-issued device certificate is used for SSL authentication, the PKI feature needs
  to be activated on the base station side but the PKI system is not required in the network.

7.4.2 Data Preparation


The SSL configuration data is the same for the eGBTS, NodeB, and eNodeB. This section
describes only the SSL configuration. For the configuration of the PKI feature, see PKI Feature
Parameter Description.

SSL Connection for the OM Channel


1. (Optional) Collect the data in the CONNTYPE managed object (MO). The CONNTYPE
parameter in this MO specifies the connection type supported by the base station. The
CONNTYPE MO can be configured and managed only on the M2000.


Table 7-2 Connection type supported by the base station

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| SSL | Connection Type | CONNTYPE | The default value of this parameter is ALL(All Type), which indicates that all connection types, including SSL connections, are supported. If this parameter is set to ONLY_SSL(Only SSL Connection), all application data transmitted over the TCP layer is protected by SSL. In this case, if the peer end does not support SSL, the communication parties cannot establish a connection. Therefore, exercise caution when setting this parameter. The recommended value of this parameter is ALL(All Type). | Network plan |

2. Collect data in the SSL MO for the SSL authentication method of the OM channel. The
most important parameter in this MO is described in the following table. The SSL MO can
be configured and managed only on the M2000.


Table 7-3 SSL authentication method of the OM channel

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| SSL | Authentication Mode | AUTHMODE | Set this parameter based on the network plan. If the SSL authentication method is bidirectional authentication, set this parameter to PEER(Verify Peer Certificate). If the SSL authentication method is anonymous authentication or is that only the M2000 authenticates the base station, set this parameter to NONE(Verify None). The default value of this parameter is NONE(Verify None). | Network plan |

3. Collect data in the APPCERT and APPCER MOs. The parameters in these MOs specify
the device certificate used for SSL authentication of the base station.


Table 7-4 Certificate configuration

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| APPCERT | Application Type | APPTYPE | Set this parameter to SSL(SSL). | Network plan |
| APPCERT | Certificate File Name | APPCERT | Set this parameter based on the network plan. If the Huawei-issued device certificate is used for SSL authentication, set this parameter to appcert.pem. If the operator-issued device certificate is used for SSL authentication, set this parameter to the name of the certificate. | Network plan |

NOTE

Before activating the SSL feature on a separate-MPT multimode base station, configure SSL data for each
mode separately.
Before activating the SSL feature on a co-MPT multimode base station, configure only a set of SSL data,
which is shared by different modes of the base station.

Base Station Functioning as the FTPS Client


Collect data in the FTPSCLT MO. The parameters in this MO specify the FTPS connection
between the M2000 and a base station functioning as the FTPS client.


Table 7-5 Base station functioning as the FTPS client

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| FTPCLT | Transport Encrypted Mode | ENCRYMODE | The recommended value of this parameter is AUTO(AUTO). | Network plan |
| FTPCLT | Support State Firewall | SPTSTATEFWL | Set this parameter based on the network plan. | Network plan |
| FTPCLT | Support SSL Certificate Authentication | SSLCERTAUTH | If this parameter is set to YES(Yes), the root certificate used on the FTP server must be preconfigured on the base station. This root certificate is used by the base station to authenticate the device certificate of the FTP server. | Network plan |

Login Policy of the LMT


Collect data in the WEBLOGINPOLICY MO for the login policy of the LMT.

Table 7-6 Login policy of the LMT

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| WEBLMT | Policy for login to LMT and transmission | POLICY | The recommended value of this parameter is HTTPS(HTTPS Only). | Network plan |


7.4.3 Precautions
None

7.4.4 Hardware Adjustment


N/A

7.4.5 Initial Configuration


This section describes how to initially configure the SSL feature by using either MML commands
or the CME. If the PKI system has been deployed in the network and the operator-issued device
certificate is required for SSL authentication, you need to configure the PKI feature. For details
about how to configure the PKI feature, see PKI Feature Parameter Description.

Using MML Commands


- Configuring SSL for the OM channel
  Run the MML command MOD APPCERT to configure the device certificate used for
  SSL authentication.
- Setting the security policy for the FTP client
  Run the MML command SET FTPSCLT to set the security policy for the FTP client.
- Setting the login policy of the LMT
  Run the MML command SET WEBLOGINPOLICY to set the login policy of the LMT.

MML Command Examples

- Configuring SSL for the OM channel
  //Configuring the device certificate used for SSL authentication
  MOD APPCERT: APPTYPE=SSL, APPCERT="appcert.pem";

- Setting the security policy for the FTP client
  //Setting the security policy for the FTP client
  SET FTPSCLT: ENCRYMODE=Auto, SPTSTATEFWL=Yes, SSLCERTAUTH=Yes;

- Setting the login policy of the LMT
  //Setting the login policy of the LMT
  SET WEBLOGINPOLICY: POLICY=HTTPS_ONLY;
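
A script of these MML commands can be reviewed before it is applied. The following added example (not Huawei tooling and not part of the original document) parses the command syntax shown above and lists the settings that this document describes as relaxing protection: a login policy that permits HTTP, an FTPS server that is not authenticated, the plaintext control connection used with a state firewall, and the Huawei-issued certificate file name. The sample script, function names and finding texts are constructed for illustration.

```python
import re

# Constructed sample in the MML syntax shown on this page: "//" comment lines,
# then "VERB OBJECT: KEY=VALUE, ...;". Values are chosen to trigger findings.
SAMPLE_MML = """\
//Configuring the device certificate used for SSL authentication
MOD APPCERT: APPTYPE=SSL, APPCERT="appcert.pem";
//Setting the security policy for the FTP client
SET FTPSCLT: ENCRYMODE=Auto, SPTSTATEFWL=Yes, SSLCERTAUTH=No;
//Setting the login policy of the LMT
SET WEBLOGINPOLICY: POLICY=LOGIN_HTTPS_ONLY;
"""

_COMMAND = re.compile(r"^([A-Z]+)\s+([A-Z0-9]+)\s*:\s*(.*?)\s*;$")


def parse_mml(text):
    """Parse MML text into [(command, {PARAM: value})]; comment lines are skipped."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        match = _COMMAND.match(line)
        if match is None:
            raise ValueError(f"not an MML command: {line!r}")
        verb, obj, body = match.groups()
        params = {}
        # Simple split: assumes parameter values contain no commas.
        for pair in body.split(","):
            if not pair.strip():
                continue
            key, sep, value = pair.partition("=")
            if not sep:
                raise ValueError(f"malformed parameter in: {line!r}")
            params[key.strip().upper()] = value.strip().strip('"')
        commands.append((f"{verb} {obj}", params))
    return commands


def _norm(value):
    """Normalise 'Yes', 'YES' and 'YES(Yes)' to 'YES'."""
    return value.split("(")[0].strip().upper()


def audit(text):
    """Return [(command, parameter, finding)] for settings to review."""
    findings = []
    for command, params in parse_mml(text):
        if command == "MOD APPCERT":
            # Table 7-4: appcert.pem is the Huawei-issued device certificate.
            if (_norm(params.get("APPTYPE", "")) == "SSL"
                    and params.get("APPCERT", "").lower() == "appcert.pem"):
                findings.append((command, "APPCERT",
                                 "Huawei-issued device certificate selected, "
                                 "not an operator-issued one"))
        elif command == "SET FTPSCLT":
            # Only explicit values are judged; the page states no defaults here.
            if "SSLCERTAUTH" in params and _norm(params["SSLCERTAUTH"]) != "YES":
                findings.append((command, "SSLCERTAUTH",
                                 "FTPS server certificate is not authenticated"))
            if _norm(params.get("SPTSTATEFWL", "")) == "YES":
                findings.append((command, "SPTSTATEFWL",
                                 "control connection is switched to plaintext "
                                 "so the state firewall can open ports"))
        elif command == "SET WEBLOGINPOLICY":
            policy = _norm(params.get("POLICY", ""))
            if policy == "COMPATIBLE":
                findings.append((command, "POLICY",
                                 "HTTP is accepted for the login page and the "
                                 "LMT operation window"))
            elif policy == "LOGIN_HTTPS_ONLY":
                findings.append((command, "POLICY",
                                 "LMT operation window uses HTTP after login"))
    return findings


if __name__ == "__main__":
    for command, parameter, finding in audit(SAMPLE_MML):
        print(f"{command}: {parameter}: {finding}")
```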

Using the CME to Perform Single Configuration


Set parameters on the CME configuration interface according to the MOs, parameters, and
application scenarios described in section 7.4.2 Data Preparation. For instructions on how to
perform the CME single configuration, see CME Single Configuration Operation Guide.

Using the CME to Perform Batch Configuration for Newly Deployed Base Stations
Enter the values of the parameters listed in Table 7-7 in a summary data file, which also contains
other data for the new base stations to be deployed. Then, import the summary data file into the
CME for batch configuration.


The summary data file may be a scenario-specific file provided by the CME or a customized
file, depending on the following conditions:

- The MOs in Table 7-7 are contained in a scenario-specific summary data file. In this
  situation, set the parameters in the MOs, and then verify and save the file.
- Some MOs in Table 7-7 are not contained in a scenario-specific summary data file. In this
  situation, customize a summary data file to include the MOs before you can set the
  parameters.

Table 7-7 MOs related to the SSL feature

| MO | Sheet in the Summary Data File | Parameter Group | Remarks |
| --- | --- | --- | --- |
| SSL | Common Data | Connection Type, Authentication Method | Connection Type, Authentication Method |
| FTPCLT | Common Data | ENCRYMODE, SPTSTATEFWL, SSLCERTAUTH | - |
| WEBLMT | Common Data | POLICY | - |

NOTE

During base station deployment by PnP, you can also set the Connection Type and Authentication Type
parameters in the PnP Parameters MO on the Auto Deployment sheet of a scenario-specific summary
data file.

For detailed operations on each type of base station, see the following sections in 3900 Series
Base Station Initial Configuration Guide:

- For NodeBs, see section "Creating NodeBs in Batches."
- For eNodeBs, see section "Creating eNodeBs in Batches."
- For separate-MPT multimode base stations, see section "Creating Separate-MPT
  Multimode Base Stations in Batches."
- For eGBTSs and co-MPT multimode base stations, see section "Creating Co-MPT Base
  Stations in Batches."
NOTE

eGBTS refers to a base station deployed with UMPT_G.
NodeB refers to a base station deployed with WMPT or UMPT_U.
eNodeB refers to a base station deployed with LMPT or UMPT_L.
Co-MPT multimode base station refers to a base station deployed with UMPT_GU, UMPT_GL,
UMPT_UL, or UMPT_GUL, and it functionally corresponds to any combination of eGBTS, NodeB, and
eNodeB. For example, a co-MPT multimode base station deployed with UMPT_GU functionally
corresponds to the combination of eGBTS and NodeB.
Separate-MPT multimode base station refers to a base station on which different modes use different main
control boards. For example, base stations deployed with GTMU and WMPT are called separate-MPT
GSM/UMTS dual-mode base stations.


Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on
existing base stations. This method reconfigures all data, except neighbor relationships, for
multiple base stations in a single procedure. The procedure is as follows:

Step 1 Choose CME > Advanced > Customize Summary Data File from the main menu of an M2000
client, or choose Advanced > Customize Summary Data File from the main menu of a CME
client, to customize a summary data file for batch reconfiguration.
NOTE

For context-sensitive help on a current task in the client, press F1.

Step 2 Export the NE data stored on the CME into the customized summary data file.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS
  Application > Export Data > Export Base Station Bulk Configuration Data from the
  main menu of the M2000 client, or choose SRAN Application > MBTS Application >
  Export Data > Export Base Station Bulk Configuration Data from the main menu of the
  CME client.
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose
  CME > GSM Application > Export Data > eGBTS Bulk Configuration Data from the
  main menu of the M2000 client, or choose GSM Application > Export Data > Export
  eGBTS Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose
  CME > UMTS Application > Export Data > Export Base Station Bulk Configuration
  Data from the main menu of the M2000 client, or choose UMTS Application > Export
  Data > Export Base Station Bulk Configuration Data from the main menu of the CME
  client.
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME
  > LTE Application > Export Data > Export Base Station Bulk Configuration Data from
  the main menu of the M2000 client, or choose LTE Application > Export Data > Export
  Base Station Bulk Configuration Data from the main menu of the CME client.
Step 3 In the summary data file, set the parameters in the MOs listed in Table 7-7 and close the file.

Step 4 Import the summary data file into the CME.


- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS
  Application > Import Base Station Bulk Configuration Data from the main menu of the
  M2000 client, or choose SRAN Application > MBTS Application > Import Data > Import
  Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose
  CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data
  from the main menu of the M2000 client, or choose GSM Application > Import Data >
  Import eGBTS Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose
  CME > UMTS Application > Import Data > Import Base Station Bulk Configuration
  Data from the main menu of the M2000 client, or choose UMTS Application > Import
  Data > Import Base Station Bulk Configuration Data from the main menu of the CME
  client.
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME
  > LTE Application > Import Data > Import Base Station Bulk Configuration Data from
  the main menu of the M2000 client, or choose LTE Application > Import Data > Import
  Base Station Bulk Configuration Data from the main menu of the CME client.

----End

7.4.6 Activation Observation


- SSL for the OM channel
  In the SSL connection management window of the M2000 client, check whether the
  connection between the base station and the M2000 is normal. If the connection is normal,
  SSL has been successfully activated on the OM channel.
- FTPS connection between the base station and the M2000
  Check whether log files are being transmitted between the base station and the M2000
  based on FTPS as expected. If log file transmission is normal, an FTPS connection has
  been successfully established between the base station and the M2000.
- HTTPS connection between the base station and the LMT
  Set the login policy of the LMT for the base station to HTTPS and log in to the base station
  through the LMT. If you can successfully log in to the base station, an HTTPS connection
  has been successfully established between the base station and the LMT.

7.4.7 Reconfiguration
N/A

7.5 Configuring the OM Channel on the M2000


Use the SSL connection management function on the M2000 to change the connection type and
authentication method used between the base station and the M2000. The detailed procedure is
as follows:

Step 1 Log in to the M2000, choose Security > Certificate Authentication Management > SSL
Connection Management (traditional style) or Security Management > NE Security >
Certificate Authentication Management > SSL Connection Management (application style)
to open the SSL connection management window.
Step 2 In the left pane, select the base station to configure. In the right pane, set the connection type
and authentication method, as shown in Figure 7-1.

----End

Figure 7-1 Changing the SSL configuration of an existing base station

For more information about managing NE certificates and preconfiguring certificates on the
M2000, see the "Procedure for Configuring Digital Certificates" section in M2000 Online
Help (Security Management > Data Management > Configuring Digital Certificates).
To check the status of an SSL connection between the base station and the M2000, select the
base station in the SSL connection management window and then check the value of the
Connection Status field. If the value of this field is Connected, an SSL connection has been
successfully established.

7.6 Performance Monitoring


N/A

7.7 Parameter Optimization


N/A

7.8 Troubleshooting
After the SSL feature is activated, the base station may report the following alarm:

ALM-25950 Excessive Flood Packet; the value of the Specific Problem parameter in the alarm
help is SSL Renegotiation.

After the PKI feature is activated, the base station may report the following alarms:

- ALM-26840 Imminent Certificate Expiry
- ALM-26841 Certificate Invalid
- ALM-26842 Automatic Certificate Update Failed
- ALM-26832 Peer Certificate Expiry

For details about how to locate and analyze the problem, see 3900 Series Base Station Alarm
Reference.


8 Engineering Guidelines on the Base Station Controller Side

8.1 When to Use SSL


When the base station controller and the M2000 are located in different networks, it is
recommended that the SSL feature be activated to secure the OM channel between the base
station controller and the M2000.

8.2 Required Information


None

8.3 Planning
RF Planning
N/A

Network Planning
N/A

Hardware Planning
N/A

8.4 Deployment


8.4.1 Requirements
If certificates are required to authenticate the SSL connection of the OM channel, ensure that
the device certificate and root certificate have been preconfigured on the OMU board of the base
station controller.

For details about how to configure the certificates for the base station controller, see Configuring
the Digital Certificates in Base Station Controller Equipment and OM Security Feature
Parameter Description.

8.4.2 Data Preparation

SSL Connection for the OM Channel


1. (Optional) Collect the data in the CONNTYPE MO. The CONNTYPE parameter in this
MO specifies the connection type supported by the base station controller. The
CONNTYPE MO can be configured and managed only on the M2000.


Table 8-1 Connection type supported by the base station controller

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| SSL | Connection Type | CONNTYPE | The default value of this parameter is ALL(All Type), which indicates that all connection types, including SSL connections, are supported. If this parameter is set to ONLY_SSL(Only SSL Connection), all application data transmitted over the TCP layer is protected by SSL. In this case, if the peer end does not support SSL, the communication parties cannot establish a connection. Therefore, exercise caution when setting this parameter. The recommended value of this parameter is ALL(All Type). | Network plan |

2. Collect data in the SSLAUTHMODE MO for the SSL authentication method of the OM
channel. The most important parameter in this MO is described in the following table.


Table 8-2 SSL authentication method of the OM channel

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| SSLAUTHMODE | Authentication Mode | AUTHMODE | Set this parameter based on the network plan. If the SSL authentication method is bidirectional authentication, set this parameter to PEER(Verify Peer Certificate). If the SSL authentication method is anonymous authentication or is that only the M2000 authenticates the base station controller, set this parameter to NONE(Verify None). The recommended value of this parameter is PEER(Verify Peer Certificate). | Network plan |


3. Collect data in the CERTFILE MO. The parameters in this MO specify the certificates
used for SSL authentication.

Table 8-3 Certificate configuration

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| CERTFILE | Root Certificate File Name | ROOTCERT | - | Network plan |
| CERTFILE | Certificate File Name | PUBCERT | - | Network plan |
| CERTFILE | Private Key File Name | PRIVKEY | - | Network plan |
| CERTFILE | Private Key Password Enabled State | PKPENABLESTA | The recommended value of this parameter is DISABLE(Disabled) if the private key file has been configured. | Network plan |
| CERTFILE | Private Key Password | PWD | Set this parameter only when the PKPENABLESTA parameter is set to ENABLE(Enabled). | Network plan |
| CERTFILE | Certificate Revocation List File State | CRLENABLESTA | - | Network plan |
| CERTFILE | Certificate Revocation List File Name | CRL | Set this parameter only when the CRLENABLESTA parameter is set to ENABLE(Enable). | Network plan |
| CERTFILE | Certificate Chain File Enabled State | CCAENABLESTA | - | Network plan |
| CERTFILE | Certificate Chain File Name | CERTCHAIN | Set this parameter only when the CCAENABLESTA parameter is set to ENABLE(Enabled). | Network plan |

Base Station Controller Functioning as the FTPS Client


Collect data in the FTPSCLT MO. The parameters in this MO specify the FTPS connection
between the M2000 and the base station controller functioning as the FTPS client.

Table 8-4 Base station controller functioning as the FTPS client

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| FTPSCLT | The Encrypted Mode | ENCRYMODE (BSC6900, BSC6910) | The recommended value of this parameter is AUTO(AUTO). | Network plan |
| FTPSCLT | Support State Firewall | SPTSTATEFWL (BSC6900, BSC6910) | Set this parameter based on the network plan. | Network plan |
| FTPSCLT | Support SSL Certificate Authentication | SSLCERTAUTH (BSC6900, BSC6910) | If this parameter is set to YES(Yes), the root certificate used on the FTP server must be preconfigured on the base station controller. This root certificate is used by the base station controller to authenticate the device certificate of the FTP server. | Network plan |

Base Station Controller Functioning as the FTPS Server


Collect data in the FTPSSRV MO. The parameters in this MO specify the FTPS connection
between the M2000 and the base station controller functioning as the FTPS server.

Table 8-5 Base station controller functioning as the FTPS server

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| FTPSSRV | The Encrypted Mode | ENCRYMODE (BSC6900, BSC6910) | The recommended value of this parameter is AUTO(Automatic). | Network plan |
| FTPSSRV | The Type of FTP Server Command Port | DFTPORTSWT (BSC6900, BSC6910) | Set this parameter to the default port (port 21) or a customized port number. | Network plan |
| FTPSSRV | The Command Port of FTP Server | SRVCMDPORT (BSC6900, BSC6910) | Set this parameter only when the DFTPORTSWT (BSC6900, BSC6910) parameter is set to CUSTOMPORT. | Network plan |
| FTPSSRV | The Source Data Port of FTP Server | SRVDATAPORT (BSC6900, BSC6910) | Set this parameter only when the DFTPORTSWT (BSC6900, BSC6910) parameter is set to CUSTOMPORT. | Network plan |
| FTPSSRV | Passive mode data port lower limit | ACDPORTLWLT (BSC6900, BSC6910) | - | Network plan |
| FTPSSRV | Passive mode data port upper limit | ACDPORTUPLT (BSC6900, BSC6910) | - | Network plan |

Login Policy of the LMT


Collect data in the WEBLOGINPOLICY MO for the login policy of the LMT.

Table 8-6 Setting the login policy of the LMT

| MO | Parameter Name | Parameter ID | Setting Notes | Data Source |
| --- | --- | --- | --- | --- |
| WEBLOGINPOLICY | Policy for login to LMT and transmission | POLICY (BSC6900, BSC6910) | The recommended value of this parameter is HTTPS(HTTPS Only). | Network plan |

8.4.3 Precautions
None

8.4.4 Hardware Adjustment


N/A

8.4.5 Initial Configuration


This section describes how to initially configure the SSL feature on the base station controller
by using MML commands.

Using MML Commands


• Configuring SSL for the OM channel

Step 1 Run the MML command SET SSLAUTHMODE to set the SSL authentication method.

Step 2 Run the MML command SET CERTFILE to configure the certificates used for SSL
authentication.

----End

• Setting the security policy for the FTP client
Run the MML command SET FTPSCLT to set the security policy for the FTP client.
• Setting the security policy for the FTP server
Run the MML command SET FTPSSRV to set the security policy for the FTP server.
• Setting the login policy of the LMT
Run the MML command SET WEBLOGINPOLICY to set the login policy of the LMT.

MML Command Examples


• Configuring SSL for the OM channel
//Setting the SSL authentication method
SET SSLAUTHMODE: AUTHMODE=PEER;

//Configuring the certificates used for SSL authentication
SET CERTFILE: RootCert="_RootCA.pem", PubCert="_ClientCer.pem",
PrivKey="_ClientPrivKey.pem";

• Setting the security policy for the FTP client
//Setting the security policy for the FTP client
SET FTPSCLT: ENCRYMODE=Auto, SPTSTATEFWL=Yes, SSLCERTAUTH=Yes;

• Setting the security policy for the FTP server
//Setting the security policy for the FTP server
SET FTPSSRV: ENCRYMODE=AUTO,
DFTPORTSWT=DEFAULTPORT,ACDPORTLWLT=25000,ACDPORTUPLT=30000;

• Setting the login policy of the LMT
//Setting the login policy of the LMT
SET WEBLOGINPOLICY: POLICY=HTTPS;
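
The recommended values and parameter dependencies in Tables 8-2 to 8-6 can be checked against an MML script before it is run on the base station controller. The linter below is an added example, not part of this document or of any Huawei tool. Its severity labels, its case-insensitive matching, its requirement that a switch parameter appear in the same command, and its lower/upper limit ordering check are assumptions of the example.

```python
import re

# Rules transcribed from the setting notes and parameter descriptions on this
# page. Severity labels and case-insensitive matching are assumptions.
VALUE_RULES = {  # (MO, parameter, value) -> (severity, message)
    ("SSLAUTHMODE", "AUTHMODE", "NONE"):
        ("warn", "peer certificate is not verified; recommended value is PEER"),
    ("WEBLOGINPOLICY", "POLICY", "COMPATIBLE"):
        ("warn", "both HTTP and HTTPS are accepted; recommended value is HTTPS"),
    ("WEBLOGINPOLICY", "POLICY", "LOGINHTTPS"):
        ("warn", "HTTPS is used for login only; recommended value is HTTPS"),
    ("FTPSCLT", "ENCRYMODE", "PLAINTEXT"): ("warn", "plaintext mode must be used"),
    ("FTPSSRV", "ENCRYMODE", "PLAINTEXT"): ("warn", "plaintext mode must be used"),
    ("FTPSCLT", "ENCRYMODE", "AUTO"):
        ("note", "the FTP server selects the mode, so plaintext remains possible"),
    ("FTPSSRV", "ENCRYMODE", "AUTO"):
        ("note", "the FTP client selects the mode, so plaintext remains possible"),
    ("FTPSCLT", "SSLCERTAUTH", "NO"):
        ("warn", "the FTP server certificate is not authenticated"),
}
# Assumption: the switch must appear in the same command (NE state is unknown).
CONDITIONAL = {  # (MO, parameter) -> (switch parameter, value that permits it)
    ("CERTFILE", "PWD"): ("PKPENABLESTA", "ENABLE"),
    ("CERTFILE", "CRL"): ("CRLENABLESTA", "ENABLE"),
    ("CERTFILE", "CERTCHAIN"): ("CCAENABLESTA", "ENABLE"),
    ("FTPSSRV", "SRVCMDPORT"): ("DFTPORTSWT", "CUSTOMPORT"),
    ("FTPSSRV", "SRVDATAPORT"): ("DFTPORTSWT", "CUSTOMPORT"),
}
FTP_PORTS = {"SRVCMDPORT", "SRVDATAPORT", "ACDPORTLWLT", "ACDPORTUPLT"}
DISCOURAGED = [(6000, 7000), (8000, 9000), (16000, 17000), (18000, 19000)]

CMD_RE = re.compile(r"^\s*SET\s+(\w+)\s*:\s*(.*)$", re.I | re.S)
ARG_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,]*)')


def parse_mml(script):
    """Return [(MO, {PARAMETER: value})] for each SET command in the script."""
    lines = [l for l in script.splitlines() if not l.strip().startswith("//")]
    commands = []
    for statement in "\n".join(lines).split(";"):  # commands may span lines
        match = CMD_RE.match(statement)
        if match:
            args = {k.upper(): v.strip().strip('"')
                    for k, v in ARG_RE.findall(match.group(2))}
            commands.append((match.group(1).upper(), args))
    return commands


def lint(script):
    """Return (severity, MO, parameter, message) findings in script order."""
    findings = []
    for mo, args in parse_mml(script):
        for param, value in args.items():
            rule = VALUE_RULES.get((mo, param, value.upper()))
            if rule:
                findings.append((rule[0], mo, param, rule[1]))
            if (mo, param) in CONDITIONAL:
                switch, needed = CONDITIONAL[(mo, param)]
                if args.get(switch, "").upper() != needed:
                    findings.append(
                        ("error", mo, param, f"set only when {switch}={needed}"))
            if mo == "FTPSSRV" and param in FTP_PORTS:
                if not value.isdecimal() or not 1024 <= int(value) <= 65535:
                    findings.append(("error", mo, param, "outside 1024~65535"))
                elif any(lo <= int(value) <= hi for lo, hi in DISCOURAGED):
                    findings.append(
                        ("warn", mo, param, "in a port range advised against"))
        lo, hi = args.get("ACDPORTLWLT", ""), args.get("ACDPORTUPLT", "")
        # Assumption (not stated on the page): lower limit must not exceed upper.
        if mo == "FTPSSRV" and lo.isdecimal() and hi.isdecimal() and int(lo) > int(hi):
            findings.append(
                ("error", mo, "ACDPORTLWLT", "lower limit exceeds upper limit"))
    return findings


# The MML command examples from this section.
PAGE_EXAMPLE = """\
//Setting the SSL authentication method
SET SSLAUTHMODE: AUTHMODE=PEER;
SET CERTFILE: RootCert="_RootCA.pem", PubCert="_ClientCer.pem",
PrivKey="_ClientPrivKey.pem";
SET FTPSCLT: ENCRYMODE=Auto, SPTSTATEFWL=Yes, SSLCERTAUTH=Yes;
SET FTPSSRV: ENCRYMODE=AUTO,
DFTPORTSWT=DEFAULTPORT,ACDPORTLWLT=25000,ACDPORTUPLT=30000;
SET WEBLOGINPOLICY: POLICY=HTTPS;
"""
# Constructed sample with weak or inconsistent settings (file names are made up).
WEAK_EXAMPLE = """\
SET SSLAUTHMODE: AUTHMODE=NONE;
SET CERTFILE: RootCert="root.pem", PKPENABLESTA=DISABLE, PWD="example";
SET FTPSCLT: ENCRYMODE=PLAINTEXT, SSLCERTAUTH=NO;
SET FTPSSRV: ENCRYMODE=ENCRYPTED, DFTPORTSWT=CUSTOMPORT, SRVCMDPORT=6021,
SRVDATAPORT=990, ACDPORTLWLT=30000, ACDPORTUPLT=25001;
SET WEBLOGINPOLICY: POLICY=COMPATIBLE;
"""

if __name__ == "__main__":
    for name, script in (("page", PAGE_EXAMPLE), ("weak", WEAK_EXAMPLE)):
        for sev, mo, param, msg in lint(script):
            print(f"{name}: {sev:5} {mo}.{param}: {msg}")
```

The parser splits commands on semicolons, so a quoted value that itself contains a semicolon is not handled.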

Using the CME to Perform Single Configuration


Set parameters on the CME configuration interface according to the MOs, parameters, and
application scenarios described in section 8.4.2 Data Preparation. For instructions on how to
perform the CME single configuration, see CME Single Configuration Operation Guide.

Using the CME to Perform Batch Configuration


Not supported.

8.4.6 Activation Observation


• SSL for the OM channel
In the SSL connection management window of the M2000 client, check whether the
connection between the base station controller and the M2000 is normal. If the connection
is normal, SSL has been successfully activated on the OM channel.
• Base station controller functioning as the FTPS client
Check whether log files are being transmitted between the base station controller and the
M2000 as expected. If log file transmission is normal, an FTPS connection has been
successfully established between the base station controller and the M2000.
• Base station controller functioning as the FTPS server
Check whether log files are properly transmitted between the base station controller and
the M2000 based on FTPS. If log files are properly transmitted, an FTPS connection has
been successfully established between the base station controller and the M2000.
• HTTPS connection between the base station controller and the LMT
Set the login policy of the LMT for the base station controller to HTTPS and log in to the
base station controller from the LMT. If you can successfully log in to the base station
controller, an HTTPS connection has been successfully established between the base station
controller and the LMT.

8.4.7 Reconfiguration
N/A

8.5 Configuring the OM Channel on the M2000


On the M2000, you can change the connection type and authentication method used between
the base station controller and the M2000 by using the SSL connection management function
on the M2000. The detailed procedure is as follows:

Step 1 Log in to the M2000, choose Security > Certificate Authentication Management > SSL
Connection Management (traditional style) or Security Management > NE Security >
Certificate Authentication Management > SSL Connection Management (application style)
to open the SSL connection management window.
Step 2 In the left pane, select the base station controller to be configured. In the right pane, set the
connection type and authentication method, as shown in Figure 8-1.

----End

Figure 8-1 Changing the SSL configuration of an existing base station controller

For more information about managing NE certificates and preconfiguring certificates on the
M2000, see the "Procedure for Configuring Digital Certificates" section in M2000 Online
Help (Security Management > Data Management > Configuring Digital Certificates >).
To check the status of an SSL connection between the base station controller and the M2000,
select the base station controller in the SSL connection management window and then check the
value of the Connection Status field. If the value of this field is Connected, an SSL connection
has been successfully established.

8.6 Performance Monitoring


N/A


8.7 Parameter Optimization


N/A

8.8 Troubleshooting
After the SSL feature is activated, the base station controller may report the following alarm:

• ALM-20732 SSL Certificate File Abnormity

For details about how to locate and analyze the problem, see the following documents:

• BSC6900 Alarm Reference
• BSC6910 Alarm Reference


9 Parameters

Table 9-1 UMTS: Parameter description

Parameter ID NE MML Feature ID Feature Name Description


Command

AUTHMODE BTS3900 SET MRFD-210305 Security Meaning:Indi-


SSLAUTHMO Management cates the
DE GBFD-113522 authentication
Encrypted mode of the SSL
LST SSLCONF LBFD-004003 Network connection.If
Management the
Security Socket authentication
Layer mode is set to
NONE, the NE
does not verify
the certificate of
the M2000 or
LMT during
setup of an SSL
connection. In
this case, both
parties must
support the same
algorithm for
anonymous
authentication.If
authentication
using the peer
certificate is
used, the NE
must verify the
certificate of the
M2000 or LMT
during setup of
an SSL
connection. If

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 47


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

the certificate
verification
fails, the SSL
connection
cannot be set up.
GUI Value
Range:NONE
(Verify None),
PEER(Verify
Peer Certificate)
Unit:None
Actual Value
Range:NONE,
PEER
Default
Value:NONE
(Verify None)

APPTYPE BTS3900 DSP APPCERT LOFD-003010 / Public Key Meaning:Indi-


LST APPCERT TDLOFD-0030 Infrastructure cates the
10 (PKI) application type
MOD of activated
APPCERT GBFD-113526 BTS Supporting device
TST APPCERT PKI certificate.
WRFD-140210
LST NodeB PKI There are two
CERTTYPE Support types: IKE and
SSL.
GUI Value
Range:IKE
(IKE), SSL
(SSL)
Unit:None
Actual Value
Range:IKE, SSL
Default
Value:None

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 48


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

APPCERT BTS3900 MOD LOFD-003010 / Public Key Meaning:Indi-


APPCERT TDLOFD-0030 Infrastructure cates the file
TST APPCERT 10 (PKI) name of an
activated device
DSP APPCERT GBFD-113526 BTS Supporting certificate. The
LST APPCERT PKI file name cannot
WRFD-140210
NodeB PKI include any of
Support the following
characters:
backslashes (\),
slashes (/),
colons (:),
asterisks (*),
question marks
(?), double
quotation marks
("), left angle
brackets (<),
right angle
brackets (>), and
bars (|).
GUI Value
Range:1~64
characters
Unit:None
Actual Value
Range:1~64
characters
Default
Value:None

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 49


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

ENCRYMODE BTS3900 SET FTPSCLT MRFD-210305 Security Meaning:Indi-


LST FTPSCLT Management cates the
LBFD-004003 transmission
Security Socket encryption
Layer mode of the FTP
client. If this
parameter is set
to Auto, the FTP
client first
attempts to
transmit data in
ciphertext. If the
attempt fails, the
FTP client
automatically
switches the
encryption
mode to
retransmit data
in plaintext.
However, if
there are faults
in transmission
equipment such
as the SeGW,
the FTP client
does not attempt
to retransmit
data in plaintext
even if the FTP
server supports
encrypted
transmission. In
this case, the
FTP connection
setup fails.
GUI Value
Range:Auto
(Auto), Plaintext
(Plaintext),
Encrypted(SSL
Encrypted)
Unit:None
Actual Value
Range:Auto,
Plaintext,
Encrypted

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 50


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

Default
Value:Auto
(Auto)

SSLCERTAUT BTS3900 SET FTPSCLT MRFD-210305 Security Meaning:Indi-


H LST FTPSCLT Management cates whether
LBFD-004003 the certificate
Security Socket authentication
Layer mode is
supported when
encrypted data is
being
transmitted.
GUI Value
Range:No(No),
Yes(Yes)
Unit:None
Actual Value
Range:No, Yes
Default
Value:No(No)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 51


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

SPTSTATEFW BTS3900 SET FTPSCLT MRFD-210305 Security Meaning:Indi-


L LST FTPSCLT Management cates whether
LBFD-004003 FTP
Security Socket connections in
Layer encrypted mode
can be
established
when there is a
state firewall. In
plaintext mode,
this parameter is
invalid. In
encrypted mode,
if this parameter
is set to Yes, the
FTP client sends
a command to
switch the
transmission
mode of the
control
connection
channel to
plaintext. In this
way, the state
firewall can
identify and
dynamically
open the port
required for FTP
transmission; if
this parameter is
set to No, the
FTP connection
may fail to be set
up due to port
restrictions
imposed by the
state firewall. If
security
requirements are
met, it is
recommended
that this
parameter be set
to Yes.

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 52


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

GUI Value
Range:No(No),
Yes(Yes)
Unit:None
Actual Value
Range:No, Yes
Default
Value:Yes(Yes)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 53


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

ENCRYMODE BSC6900 SET FTPSCLT None None Meaning:Trans-


port encryption
mode supported
when the NE
serves as the
FTP client.
AUTO(Auto):
indicates that the
FTP server
selects the
encryption
mode.
PLAINTEXT
(Plain Text):
indicates that the
plaintext mode
must be used.
ENCRYPTED
(SSL
Encrypted):
indicates that the
encrypted mode
must be used.
GUI Value
Range:AUTO
(Auto),
PLAINTEXT
(Plain Text),
ENCRYPTED
(SSL
Encrypted)
Unit:None
Actual Value
Range:AUTO,
PLAINTEXT,
ENCRYPTED
Default
Value:AUTO
(Auto)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 54


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

ENCRYMODE BSC6910 SET FTPSCLT None None Meaning:Trans-


port encryption
mode supported
when the NE
serves as the
FTP client.
AUTO(Auto):
indicates that the
FTP server
selects the
encryption
mode.
PLAINTEXT
(Plain Text):
indicates that the
plaintext mode
must be used.
ENCRYPTED
(SSL
Encrypted):
indicates that the
encrypted mode
must be used.
GUI Value
Range:AUTO
(Auto),
PLAINTEXT
(Plain Text),
ENCRYPTED
(SSL
Encrypted)
Unit:None
Actual Value
Range:AUTO,
PLAINTEXT,
ENCRYPTED
Default
Value:AUTO
(Auto)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 55


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

SSLCERTAUT BSC6900 SET FTPSCLT None None Meaning:Wheth


H er the FTP client
supports
authenticating
the FTP server.
GUI Value
Range:NO(No),
YES(Yes)
Unit:None
Actual Value
Range:YES, NO
Default
Value:NO(No)

SSLCERTAUT BSC6910 SET FTPSCLT None None Meaning:Wheth


H er the FTP client
supports
authenticating
the FTP server.
GUI Value
Range:NO(No),
YES(Yes)
Unit:None
Actual Value
Range:YES, NO
Default
Value:NO(No)

SPTSTATEFW BSC6900 SET FTPSCLT None None Meaning:Wheth


L er the FTP client
supports the
state firewall.
GUI Value
Range:YES
(Support), NO
(Not Support)
Unit:None
Actual Value
Range:YES, NO
Default
Value:YES
(Support)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 56


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

SPTSTATEFW BSC6910 SET FTPSCLT None None Meaning:Wheth


L er the FTP client
supports the
state firewall.
GUI Value
Range:YES
(Support), NO
(Not Support)
Unit:None
Actual Value
Range:YES, NO
Default
Value:YES
(Support)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 57


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

ENCRYMODE BSC6900 SET FTPSSRV None None Meaning:Trans-


port encryption
mode used when
the NE serves as
the FTP server.
If Transport
Encrypted Mode
is set to SSL
Encrypted, the
FTP client
should also
support SSL
encryption,
otherwise the
FTP connection
will fail. AUTO
(Automatic):
indicates that the
FTP client
selects the
encryption
mode.
PLAINTEXT
(Plain Text):
indicates that the
plaintext mode
must be used.
ENCRYPTED
(SSL
Encrypted):
indicates that the
encrypted mode
must be used.
GUI Value
Range:AUTO
(Automatic),
PLAINTEXT
(Plain Text),
ENCRYPTED
(SSL
Encrypted)
Unit:None
Actual Value
Range:AUTO,
PLAINTEXT,
ENCRYPTED

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 58


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

Default
Value:AUTO
(Automatic)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 59


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

ENCRYMODE BSC6910 SET FTPSSRV None None Meaning:Trans-


port encryption
mode used when
the NE serves as
the FTP server.
If Transport
Encrypted Mode
is set to SSL
Encrypted, the
FTP client
should also
support SSL
encryption,
otherwise the
FTP connection
will fail. AUTO
(Automatic):
indicates that the
FTP client
selects the
encryption
mode.
PLAINTEXT
(Plain Text):
indicates that the
plaintext mode
must be used.
ENCRYPTED
(SSL
Encrypted):
indicates that the
encrypted mode
must be used.
GUI Value
Range:AUTO
(Automatic),
PLAINTEXT
(Plain Text),
ENCRYPTED
(SSL
Encrypted)
Unit:None
Actual Value
Range:AUTO,
PLAINTEXT,
ENCRYPTED

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 60


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

Default
Value:AUTO
(Automatic)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 61


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

POLICY BTS3900 SET LBFD-004003 Security Socket Meaning:Indi-


WEBLOGINPO LBFD-004001 Layer cates the policy
LICY Local for logging in to
LST Maintenance of the Web LMT.
WEBLOGINPO the LMT The value
LICY COMPATIBLE
indicates that if
http is entered in
the address bar
of an IE
browser, the
HTTP is used for
and after the
login. If https is
entered in the
address bar of an
IE browser, the
HTTPS is used
for and after the
login. The value
HTTPS_ONLY
indicates that the
HTTPS is used
for and after the
login no matter
whether http or
https is entered
in the address
bar of an IE
browser. The
value
LOGIN_HTTP
S_ONLY
indicates that the
HTTPS is used
for login and the
HTTP is used
after the login no
matter whether
http or https is
entered in the
address bar of an
IE browser.
GUI Value
Range:COMPA
TIBLE
(Compatible),

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 62


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

HTTPS_ONLY
(Https_only),
LOGIN_HTTP
S_ONLY
(Login_https_o
nly)
Unit:None
Actual Value
Range:COMPA
TIBLE,
HTTPS_ONLY,
LOGIN_HTTP
S_ONLY
Default
Value:HTTPS_
ONLY
(Https_only)

CONNTYPE BTS3900 SET MRFD-210305 Security Meaning:Indi-


CONNTYPE Management cates the
GBFD-113522 connection type
LST SSLCONF Encrypted
LBFD-004003 supported by the
Network NE.Compatible
Management connection
Security Socket mode indicates
Layer that the NE
supports both
the common
connection
mode and the
SSL connection
mode.
GUI Value
Range:ALL(All
Type), SSL
(Only SSL
Connection)
Unit:None
Actual Value
Range:ALL,
SSL
Default
Value:ALL(All
Type)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 63


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

DFTPORTSWT BSC6900 SET FTPSSRV None None Meaning:Wheth


er the FTP server
uses a default or
custom port.
DEFAULTPOR
T(Default 21
Port): indicates
that the FTP
server uses
default port 21
as the command
listening port
and port 20 as
the data port to
provide FTP
service.
CUSTOMPOR
T(Custom Port):
indicates that the
FTP server uses
a custom port to
provide FTP
service. If the
parameter
DFTPORTSWT
is set to
CUSTOMPOR
T, the NE must
have the same
port
configuration as
the NE
management
system.
Otherwise, the
FTP service
supplied by the
NE will be
unavailable.
GUI Value
Range:DEFAU
LTPORT
(Default 21
Port),
CUSTOMPOR
T(Custom Port)
Unit:None

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 64


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

Actual Value
Range:DEFAU
LTPORT,
CUSTOMPOR
T
Default
Value:DEFAUL
TPORT(Default
21 Port)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 65


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

DFTPORTSWT BSC6910 SET FTPSSRV None None Meaning:Wheth


er the FTP server
uses a default or
custom port.
DEFAULTPOR
T(Default 21
Port): indicates
that the FTP
server uses
default port 21
as the command
listening port
and port 20 as
the data port to
provide FTP
service.
CUSTOMPOR
T(Custom Port):
indicates that the
FTP server uses
a custom port to
provide FTP
service. If the
parameter
DFTPORTSWT
is set to
CUSTOMPOR
T, the NE must
have the same
port
configuration as
the NE
management
system.
Otherwise, the
FTP service
supplied by the
NE will be
unavailable.
GUI Value
Range:DEFAU
LTPORT
(Default 21
Port),
CUSTOMPOR
T(Custom Port)
Unit:None

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 66


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

Actual Value
Range:DEFAU
LTPORT,
CUSTOMPOR
T
Default
Value:DEFAUL
TPORT(Default
21 Port)

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 67


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

SRVCMDPOR BSC6900 SET FTPSSRV None None Meaning:Numb


T er of the
command
listening port of
the FTP server.
The port cannot
be occupied by
other
applications. For
the method of
querying
occupied OMU
ports, see
section
"Querying
Occupied OMU
Ports" in the
OMU
Administration
Guide specific
to the working
mode of the
OMU in
question. You
are not advised
to use the ports
6000~7000,
8000~9000,
16000~17000,
and
18000~19000.
GUI Value
Range:
1024~65535
Unit:None
Actual Value
Range:
1024~65535
Default
Value:None

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 68


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

SRVCMDPOR BSC6910 SET FTPSSRV None None Meaning:Numb


T er of the
command
listening port of
the FTP server.
The port cannot
be occupied by
other
applications. For
the method of
querying
occupied OMU
ports, see
section
"Querying
Occupied OMU
Ports" in the
OMU
Administration
Guide specific
to the working
mode of the
OMU in
question. You
are not advised
to use the ports
6000~7000,
8000~9000,
16000~17000,
and
18000~19000.
GUI Value
Range:
1024~65535
Unit:None
Actual Value
Range:
1024~65535
Default
Value:None

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 69


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

SRVDATAPO BSC6900 SET FTPSSRV None None Meaning:Data


RT source port
number of the
FTP server in
active mode.
The port cannot
be occupied by
other
applications. For
the method of
querying
occupied OMU
ports, see
section
"Querying
Occupied OMU
Ports" in the
OMU
Administration
Guide specific
to the working
mode of the
OMU in
question. You
are not advised
to use the ports
6000~7000,
8000~9000,
16000~17000,
and
18000~19000.
GUI Value
Range:
1024~65535
Unit:None
Actual Value
Range:
1024~65535
Default
Value:None

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 70


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

SRVDATAPO BSC6910 SET FTPSSRV None None Meaning:Data


RT source port
number of the
FTP server in
active mode.
The port cannot
be occupied by
other
applications. For
the method of
querying
occupied OMU
ports, see
section
"Querying
Occupied OMU
Ports" in the
OMU
Administration
Guide specific
to the working
mode of the
OMU in
question. You
are not advised
to use the ports
6000~7000,
8000~9000,
16000~17000,
and
18000~19000.
GUI Value
Range:
1024~65535
Unit:None
Actual Value
Range:
1024~65535
Default
Value:None

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 71


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

ACDPORTLW BSC6900 SET FTPSSRV None None Meaning:Start


LT data port
number on the
FTP server in
passive mode.
The FTP server
data ports in
passive mode
cannot be used
by other
applications. For
the method of
querying
occupied OMU
ports, see
section
"Querying
Occupied OMU
Ports" in the
OMU
Administration
Guide specific
to the working
mode of the
OMU in
question. You
are not advised
to use the ports
6000~7000,
8000~9000,
16000~17000,
and
18000~19000.
GUI Value
Range:
1024~65535
Unit:None
Actual Value
Range:
1024~65535
Default Value:
25001

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 72


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

ACDPORTLW BSC6910 SET FTPSSRV None None Meaning:Start


LT data port
number on the
FTP server in
passive mode.
The FTP server
data ports in
passive mode
cannot be used
by other
applications. For
the method of
querying
occupied OMU
ports, see
section
"Querying
Occupied OMU
Ports" in the
OMU
Administration
Guide specific
to the working
mode of the
OMU in
question. You
are not advised
to use the ports
6000~7000,
8000~9000,
16000~17000,
and
18000~19000.
GUI Value
Range:
1024~65535
Unit:None
Actual Value
Range:
1024~65535
Default Value:
25001

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 73


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

ACDPORTUPL BSC6900 SET FTPSSRV None None Meaning:End


T data port
number on the
FTP server in
passive mode.
The FTP server
data ports in
passive mode
cannot be used
by other
applications. For
the method of
querying
occupied OMU
ports, see
section
"Querying
Occupied OMU
Ports" in the
OMU
Administration
Guide specific
to the working
mode of the
OMU in
question. You
are not advised
to use the ports
6000~7000,
8000~9000,
16000~17000,
and
18000~19000.
GUI Value
Range:
1024~65535
Unit:None
Actual Value
Range:
1024~65535
Default Value:
30000

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 74


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID NE MML Feature ID Feature Name Description


Command

ACDPORTUPL BSC6910 SET FTPSSRV None None Meaning:End


T data port
number on the
FTP server in
passive mode.
The FTP server
data ports in
passive mode
cannot be used
by other
applications. For
the method of
querying
occupied OMU
ports, see
section
"Querying
Occupied OMU
Ports" in the
OMU
Administration
Guide specific
to the working
mode of the
OMU in
question. You
are not advised
to use the ports
6000~7000,
8000~9000,
16000~17000,
and
18000~19000.
GUI Value
Range:
1024~65535
Unit:None
Actual Value
Range:
1024~65535
Default Value:
30000

Issue 02 (2013-07-30) Huawei Proprietary and Confidential 75


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
SSL Feature Parameter Description 9 Parameters

Parameter ID: POLICY
NE: BSC6900
MML Command: SET WEBLOGINPOLICY
Feature ID: None
Feature Name: None
Description:
Meaning: Policy for LMT login and data transmission, which includes COMPATIBLE(Both HTTP and HTTPS), HTTPS(HTTPS Only), LOGINHTTPS(HTTPS for Login Only).
GUI Value Range: COMPATIBLE(Both HTTP and HTTPS), HTTPS(HTTPS Only), LOGINHTTPS(HTTPS for Login Only)
Unit: None
Actual Value Range: COMPATIBLE, HTTPS, LOGINHTTPS
Default Value: HTTPS(HTTPS Only)

Parameter ID: POLICY
NE: BSC6910
MML Command: SET WEBLOGINPOLICY
Feature ID: None
Feature Name: None
Description:
Meaning: Policy for LMT login and data transmission, which includes COMPATIBLE(Both HTTP and HTTPS), HTTPS(HTTPS Only), LOGINHTTPS(HTTPS for Login Only).
GUI Value Range: COMPATIBLE(Both HTTP and HTTPS), HTTPS(HTTPS Only), LOGINHTTPS(HTTPS for Login Only)
Unit: None
Actual Value Range: COMPATIBLE, HTTPS, LOGINHTTPS
Default Value: HTTPS(HTTPS Only)

10 Counters

UMTS: There are no specific counters associated with this feature.

11 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.

12 Reference Documents

1. IETF RFC 6101
2. IETF RFC 2246
3. IETF RFC 4346
4. IETF RFC 5246
5. PKI Feature Parameter Description for SingleRAN
6. Base Station Controller Equipment and OM Security Feature Parameter Description for SingleRAN
7. 3900 Series Base Station Initial Configuration Guide
8. BSC6900 Alarm Reference
9. BSC6910 Alarm Reference
