SRAN11.1
Issue 08
Date 2018-01-08
Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
2 Overview
3 PKI Architecture
3.1 Introduction
3.2 CA
3.3 RA
3.4 Certificate & CRL Database
6 Related Features
6.1 GBFD-113526 BTS Supporting PKI
6.2 WRFD-140210 NodeB PKI Support
6.3 LOFD-003010 Public Key Infrastructure (PKI)
6.4 TDLOFD-003010 Public Key Infrastructure (PKI)
6.5 GBFD-160211 BSC Supporting PKI
6.6 WRFD-160276 RNC Supporting PKI
6.7 GBFD-160210 BTS Supporting PKI Redundancy
6.8 GBFD-160208 BSC Supporting PKI Redundancy
6.9 WRFD-160275 NodeB Supporting PKI Redundancy
6.10 WRFD-160277 RNC Supporting PKI Redundancy
6.11 LOFD-070212 eNodeB Supporting PKI Redundancy
6.12 TDLOFD-070212 eNodeB Supporting PKI Redundancy
6.13 GBFD-181202 BTS Supporting Digital Certificate Whitelist Management
6.14 WRFD-181220 NodeB Supporting Digital Certificate Whitelist Management
6.15 LOFD-111203 eNodeB Supporting Digital Certificate Whitelist Management
6.16 eCoordinator Supporting PKI
7 Network Impact
8 Engineering Guidelines for PKI
8.1 When to Use
8.2 Required Information
8.3 Hardware Planning
8.4 Requirements
8.5 Deployment of PKI on the eGBTS/NodeB/eNodeB/Multimode Base Station
8.5.1 Data Preparation
8.5.2 Initial Configuration
8.5.2.1 Using the CME
8.5.2.2 Using MML Commands
8.5.2.3 MML Command Examples
8.5.3 Activation Observation
8.5.4 Deactivation
8.6 Deployment of PKI on the eGBTS using a GTMUb
8.6.1 Data Preparation
8.6.2 Initial Configuration
8.6.2.1 Using MML Commands
8.6.2.2 MML Command Examples
8.6.3 Activation Observation
8.6.4 Deactivation
8.7 Deployment of PKI on a NodeB Using a WMPT
8.7.1 Data Preparation
10 Parameters
11 Counters
12 Glossary
13 Reference Documents
1.1 Scope
This document describes the public key infrastructure (PKI), including its technical principles,
related features, network impact, and engineering guidelines.
Unless otherwise specified, in this document, LTE, eNodeB, and eRAN always include both
FDD and TDD. The "L" and "T" in RAT acronyms refer to LTE FDD and LTE TDD,
respectively.
NOTE
The eCoordinator does not support PKI-related optional features. It only supports manual configuration
of digital certificates.
Separate-MPT multimode base station: A base station on which each mode uses its own main control board. For example, a base station configured with a GTMU providing GSM services and a WMPT providing UMTS services is called a separate-MPT GSM/UMTS dual-mode base station.
NOTE
A UMDU board cannot be used in a separate-MPT base station.
The universal switching unit (USU) is configured with an SMPT or UEFU board. A USU can
be either a USU3900 configured with an SMPT board, or a USU3910 configured with a
UEFU board. Unless otherwise specified, the feature implementation of a USU is the same as
that of a base station. The licenses mentioned in this document are not applicable to USUs.
- Feature change: Changes in features of a specific product version
- Editorial change: Changes in wording or addition of information that was not described in the earlier version
SRAN11.1 08 (2018-01-08)
This issue includes the following changes.
Editorial change: Modified the description that the base station does not apply for a new device certificate when the base station automatically obtains a certificate (for example, during base station deployment) whose issuer is inconsistent with the CA information. For details, see 5.2 Certificate Management During Base Station Deployment. Parameter change: None.
SRAN11.1 07 (2017-04-21)
This issue includes the following changes.
SRAN11.1 06 (2017-03-30)
This issue includes the following changes.
SRAN11.1 05 (2016-10-08)
This issue includes the following changes.
SRAN11.1 04 (2016-06-23)
This issue includes the following changes.
SRAN11.1 03 (2016-05-26)
This issue includes the following changes.
SRAN11.1 02 (2016-04-20)
This issue includes the following changes.
Editorial change: Added the LTE CN devices (MME and S-GW) to Figure 2-1. Parameter change: None.
SRAN11.1 01 (2016-02-29)
This issue does not include any changes.
Feature Supported the GTMUc in an eGBTS. For details, see the None
change following sections:
l 1.1 Scope
l 2 Overview
l 5.6 PKI Networking Reliability
l 8.3 Hardware Planning
l 8.5 Deployment of PKI on the eGBTS/NodeB/
eNodeB/Multimode Base Station
Editorial Added descriptions that base stations cannot apply for None
change certificates through E1/T1 ports. For details, see 5.5.1
Certificate Application.
The LampSite base stations referenced in this document are distributed base stations designed
for indoor coverage. These base stations work in UMTS or LTE mode but do not work in
GSM mode.
The micro base stations referenced in this document are all integrated entities that work in
UMTS or LTE mode but do not work in GSM mode. Descriptions of boards, cabinets,
subracks, slots, and RRUs do not apply to micro base stations.
NOTE
The multimode micro base station BTS3911E is used in UMTS+LTE FDD co-MPT scenarios but not in
separate-MPT scenarios.
Co-MPT and separate-MPT applications are not relevant to single-mode micro base stations.
2 Overview
PKI is a type of security infrastructure that provides information security and digital
certificate management. It uses an asymmetric cryptographic algorithm to allow client and
server applications to trust each other's authentication credentials and perform authentication.
In multi-operator PKI scenarios, each operator can deploy an independent PKI server and use
the certificate issued by the operator's PKI server to perform authentication on Internet
Protocol Security (IPsec) tunnels. In this way, secondary operators do not depend on the PKI
of the primary operator, and services of each operator can be securely isolated.
A digital certificate identifies a specific device. The certificate is created by a trusted certificate authority (CA), which digitally signs the device identity together with the device's public key. A digital certificate includes the following information:
- Serial number and validity period of the certificate
- Organization that issued the certificate (the issuer)
- Public key of the device
- Extension fields of the certificate
  The SubjectAltName extension field in a digital certificate contains the base station's/base station controller's/eCoordinator's identity information, such as the electronic serial number (ESN) of the NodeB's main control board.
Asymmetric keys are used to authenticate devices during digital certificate authentication. The sender signs data with its private key, and the receiver verifies the signature with the public key carried in the sender's certificate. Because each certificate is itself signed by a CA that both sides trust, the receiver and the sender can confirm each other's identities, which protects against impersonation and, through the secure tunnel that is then established, against eavesdropping.
Huawei base stations/base station controllers/eCoordinators use a PKI-based end-to-end
certificate management solution. This solution facilitates the deployment and use of digital
certificates.
For Huawei products, digital certificates apply to the following scenarios:
- Authentication during the setup of an IPsec tunnel between a base station and an SeGW on a radio bearer network
- Authentication during the setup of a Secure Sockets Layer (SSL) connection between an eGBTS/NodeB/eNodeB/RNC/BSC/eCoordinator and the U2000 to protect data transmission at the application layer
- 802.1x-based access control for the eGBTS/NodeB/eNodeB, which uses digital certificates for identity authentication
- Setup of separate IPsec tunnels for each operator, thereby implementing secure service isolation in RAN sharing scenarios when multiple operators share a base station and each operator deploys a separate PKI server
NOTE
- For a GBTS configured with a GTMUb/GTMUc, PKI-based authentication is not supported by SSL, Base Station Supporting Multi-operator PKI, or Access Control based on 802.1x.
- For an eGBTS configured with a GTMUb, PKI-based authentication is not supported by Access Control based on 802.1x.
- The eGBTS configured with a GTMUb/GTMUc does not support Base Station Supporting Multi-operator PKI.
- For details about IPsec, see IPsec Feature Parameter Description.
- For details about SSL, see SSL Feature Parameter Description.
- For details about 802.1x, see Access Control based on 802.1x Feature Parameter Description.
- For details about base station supporting multi-operator PKI in RAN sharing scenarios, see Base Station Supporting Multi-operator PKI Feature Parameter Description.
3 PKI Architecture
3.1 Introduction
A PKI system manages digital certificates for network devices. This enables operators to
establish a trusted security domain so that they have a trust relationship with devices from
different vendors.
As shown in Figure 3-1, a PKI system on a wireless network generally consists of the
following network elements (NEs):
- NEs that use certificates, including the base station, base station controller, security gateway (SeGW), and U2000.
- PKI server that manages certificates, including the CA, registration authority (RA), and certificate & CRL database. CRL stands for certificate revocation list.
NOTE
For more information about PKI, see IETF RFC 5280 and IETF RFC 2585. Certificates and CRLs
comply with X.509v3 and X.509v2, respectively, but do not comply with earlier specifications. For
details, see IETF RFC 5280.
The eCoordinator cannot directly apply for and update certificates from the PKI system. The
eCoordinator's certificates must be manually maintained on the U2000.
3.2 CA
A CA serves as a central management node in a PKI system. As shown in Figure 3-1, a CA
manages certificates as follows:
On a live network, a CA system can use a layered structure to meet the requirements for CA
deployment across different areas. The root CA is responsible for managing all certificates on
the entire network. The layered structure helps share the load of the root CA. Figure 3-2
shows an example of the CA system architecture.
When building a PKI system, an operator determines the root CA domain based on the
operator's business scale and global network distribution.
- Root CA: The root CA is located at the top level and has the highest security and reliability.
- Subordinate CA: Operators usually use the root CA to authorize important subordinate CAs. CAs at each level can be authorized to sign and issue certificates for their lower-level CAs or for end users. All certificates from end users to the root CA form a certificate chain. As long as a user obtains the peer's root CA certificate and the certificates of the subordinate CAs at each level, the user can authenticate the certificates in the certificate chain. This method facilitates certificate deployment because the root CA is no longer required for signing and issuing certificates for all end users.
- Cross-certification CA: issues a cross-certificate to a peer CA under another root CA when a trust relationship must be set up with the peer CA.
- Device CA: issues digital certificates to network devices within its service scope.
NOTE
There is no strict limitation imposed on the number of layers in a CA system. Operators can
divide the CA system into layers according to their requirements. Generally, a three-layer CA
system can meet the requirements of most operators. However, a two-layer CA system is
recommended, considering the management cost and complexity.
3.3 RA
An RA is a certificate registration and approval authority. As shown in Figure 3-1, an RA
interacts with communication entities such as base stations and base station controllers,
collects certificate applicants' information, and verifies their qualifications. The RA then
determines whether to issue a certificate to an applicant based on the verification result. If the
application is approved, the RA sends the application information to the CA which then issues
the certificate.
A CA can also perform the functions of an RA, which makes the RA an optional component. An RA is not required in a small PKI system because the CA itself can handle interactions with base stations and base station controllers. In a large PKI system, the CA focuses on certificate management and an RA takes over the interactions with base stations and base station controllers.
NOTE
The Huawei-issued device certificate preconfigured on the GTMUc in a GBTS can only be used for SSL
connections between the GBTS and the site maintenance terminal (SMT). It cannot be used for PKI or
IPsec authentication.
The Huawei-issued device certificate preconfigured on the GTMUc in an eGBTS can only be used for
PKI and SSL authentication. It cannot be used for IPsec authentication.
Each Huawei base station controller is preconfigured with a Huawei-issued device certificate
before delivery. The certificate is bound with the ESN of the OMU board and is named
hwusercert.pem. The key of a Huawei-issued device certificate is 2048 bits long. Huawei-
issued device certificates for base station controllers are activated before base station
controllers are delivered.
All Huawei eCoordinators are preconfigured with the same certificate issued by Huawei CA
before delivery. The certificate is stored on the OMU board.
NOTE
The certificate preconfigured on an eCoordinator is, strictly speaking, not a device certificate because it is not bound to the ESN of the OMU. Because the preconfigured certificate is identical on every Huawei eCoordinator, if it (that is, its private key) is compromised on one eCoordinator, the preconfigured certificates on all Huawei eCoordinators are compromised. Therefore, it is recommended that an operator-issued device certificate be applied for on each eCoordinator after it connects to the network.
The Huawei root certificate is preconfigured in each Huawei base station as the trust
certificate before delivery. The certificate is stored on the main control board (UMPT/LMPT/
UMDU/GTMUc) or UTRPc board and can be used to verify Huawei-issued device
certificates. The Huawei root certificate is named caroot.pem.
The Huawei root certificate is preconfigured on each Huawei base station controller/
eCoordinator as the trust certificate before delivery. The certificate can be used to verify
Huawei-issued device certificates and is named rootca.pem.
NOTE
Huawei wireless-network CA system is a 2-layer CA system. caroot.pem and rootca.pem are files in
the 2-layer certificate chain.
Figure 4-1 shows an example of how a CA uses the Huawei root certificate to authenticate a
Huawei-issued device certificate. The CA is preconfigured with the Huawei root certificate.
During authentication, a base station sends its Huawei-issued device certificate to the CA
which then uses the Huawei root certificate to verify the device certificate.
Certificate Chain
If there are multiple layers of CAs in a PKI system, certificates of the CAs form a certificate
chain, which is used to verify the validity of device certificates issued by the bottom-level CA
in the chain.
If there is a certificate chain from the base station's device certificate up to the root CA, the
peer device must be preconfigured with the certificate chain so that the device can verify the
validity of the device certificate sent by the base station during Internet Key Exchange (IKE)
authentication.
Trust Certificate
A trust certificate is the root certificate or certificate chain that is loaded on NEs.
NOTE
A base station/base station controller/eCoordinator reloads the device certificate and verifies its validity
each time the base station/base station controller/eCoordinator restarts.
4.3 Cross-Certificate
A cross-certificate is issued by one CA to another in order to establish a trust relationship
between them.
Cross-certification is a process in which two devices use the cross-certificate for
authentication. Figure 4-2 shows the procedure for cross-certification before and during base
station deployment.
Figure 4-2 Procedure for cross-certification before and during base station deployment
NOTE
The eGBTS, NodeB, and eNodeB support cross-certificates, whereas the GBTS, BSC, eCoordinator, and
RNC do not.
Before using the cross-certificate for authentication, the operator's CA and the Huawei CA
must issue a cross-certificate to each other. This is a cumbersome procedure and hence is not
recommended.
4.4 CRL
A CRL is used to check the validity of the peer certificate. A certificate must be revoked when its private key has been disclosed, or when the device that uses the certificate is replaced or discarded. Revoked certificates are recorded in the CRL. When authenticating a peer device, an NE uses the CRL to check the validity of the certificate sent by the peer. The peer device is not trustworthy if its certificate is recorded in the CRL.
- O&M personnel can run the SET BTSCRLPOLICY command to set a CRL usage policy for the GBTS.
- O&M personnel can run the SET CRLPOLICY command to set a CRL usage policy for the eGBTS/NodeB/eNodeB/eCoordinator/base station controller.
The setting of CRLPOLICY is as follows:
- If this parameter is set to NOVERIFY, the base station/base station controller/eCoordinator does not perform CRL-based certificate validity checks.
- If this parameter is set to ALARM, the base station reports ALM-26832 Peer Certificate Expiry and the base station controller/eCoordinator reports ALM-20854 Peer Certificate Invalid, Expiry, or Damage when the peer's device certificate is found in the CRL; the connection is not torn down.
- If this parameter is set to DISCONNECT, the base station/base station controller/eCoordinator reports the preceding alarms and disconnects the communication with the peer end when the peer's device certificate is found in the CRL.
Figure 5-2 shows the certificate application procedure during automatic base station
deployment.
Figure 5-2 Certificate application procedure during automatic base station deployment
- If the base station has obtained CA information from the DHCP server or USB flash drive, the operator requires the base station to use an operator-issued device certificate for authentication. The CA information includes the IP address of the CA and is used to obtain certificates.
  – If the base station has a valid operator-issued device certificate, the base station uses this certificate directly.
  – If the base station fails to obtain the operator-issued device certificate or if the request for the device certificate times out, the base station uses the preconfigured Huawei-issued device certificate. If the base station cannot be automatically deployed by using the Huawei-issued device certificate, it restarts and attempts to obtain the operator-issued device certificate again.
- If the base station fails to obtain the CA information, the base station uses the preconfigured Huawei-issued device certificate.
NOTE
- If an operator's network is deployed with a PKI system, it is recommended that the same operator-issued device certificate be used for IPsec authentication, SSL authentication, and 802.1x-based access control.
- During automatic base station deployment by plug and play (PnP), only Huawei-issued device certificates can be used for authentication during 802.1x-based access control.
- By default, the same certificate is used for 802.1x-based access control and SSL authentication in the operation phase.
- The name of the operator-issued device certificate used by a base station during base station deployment must be OPKIDevCert.cer.
For details about CMPv2-based and manual certificate application procedures, see 8.12.2 Initial Configuration.
eCoordinators can be classified into standalone ECO6910s and built-in ECO6910s. These two types of eCoordinators use different certificate application methods.
- Built-in ECO6910:
  – If the POLICY parameter in the SET CERTPOLICY command is set to SHARE(Share), the built-in ECO6910 synchronizes certificates from the host base station controller, and you cannot manage certificates for the ECO6910. In this case, configuring and querying the following MOs of the ECO6910 will fail: TRUSTCERT, CERTMK, APPCERT, CRL, and CRLTSK. For a built-in ECO6910, you only need to ensure deployment of the host base station controller. For details, see 5.3 Certificate Management During Base Station Controller Deployment.
  – If the POLICY parameter in the SET CERTPOLICY command is set to INDEPENDENCY(Independency), certificates for the built-in ECO6910 are independently configured and managed.
- Standalone ECO6910: Certificates for a standalone ECO6910 are independently configured and managed.
When certificates for an eCoordinator are independently configured and managed, an SSL connection must first be established between the eCoordinator and the U2000 using the Huawei-issued device certificate, and then an operator-issued device certificate must be manually applied for through the U2000, as illustrated in Figure 5-5.
For details about the manual certificate application procedure, see 8.10.2 Initial Configuration.
To ensure that the device certificate can be used to successfully establish secure channels between
the base station and the peer end, it is recommended that the TST APPCERT command be
executed to check whether the operator-issued device certificate can be used for IKE and SSL
connections before running the MOD APPCERT command. Then, run the CFM CB command to
enable automatic configuration data rollback. For details, see the CFM CB command help.
- Automatic mode
  The base station obtains information about the certificate deployment location, CA, certificate request, and active certificate from the configuration file. After the base station restarts, it automatically triggers a CMPv2-based certificate application procedure based on the CA information. If the application fails, the base station automatically reinitiates a CMPv2-based certificate application procedure.
NOTE
After an IKE negotiation succeeds, the base station checks IKE negotiation status every 7 minutes.
If an IKE negotiation fails and digital certificates are used for identity authentication, the base
station checks the digital certificates used by the IKE negotiation. If a digital certificate is
abnormal (for example, the digital certificate has been revoked or expired, or the certificate file
does not exist), a certificate application procedure is automatically triggered.
For the CMPv2-based certificate application procedure, see 5.5.8 CMPv2-based Certificate
Management.
Base Station
The certificate that is applied for during base station deployment is configured on the board
that connects the base station to the transport network. SSL authentication applies only to the
main control board of a base station. If no certificate is deployed on the main control board
for SSL authentication, the main control board must share the certificate with the board that
connects the base station to the transport network.
Certificate sharing applies to the following scenarios:
- A certificate is deployed on a UTRPc board of a single-mode base station, and the main control board shares the certificate with the UTRPc board. As indicated by (1) in Figure 5-6, the WMPT board shares the certificate with the UTRPc board.
- In co-transmission scenarios with a separate-MPT multimode base station, a certificate is deployed on the main control board connecting to the transport network and is shared between this main control board and the main control board of a different radio system. As indicated by (2) in Figure 5-6, a certificate is deployed on the UMPT_L board and shared between the UMPT_U and UMPT_L boards.
- In co-transmission scenarios with a separate-MPT multimode base station, a certificate is deployed on a UTRPc board, and the main control boards share the certificate with the UTRPc board. As shown by (3) in Figure 5-6, the UMPT_U and UMPT_L boards share the certificate with the UTRPc board.
Only active certificates can be shared. For example, SSL certificates, root certificates, and
CRLs can be shared.
NOTE
Huawei base stations support certificate sharing in backplane interconnection and BBU interconnection
scenarios but do not support this function in panel interconnection scenarios.
BBU3910As do not support certificate sharing.
- Active and standby OMU boards are switched over. The currently active OMU board can use the digital certificate on the previously active OMU board to set up an SSL connection with the U2000.
- The SAU board needs the digital certificate on the active OMU board to set up an SSL connection with the Nastar. This scenario occurs only for base station controllers.
NOTE
During base station controller deployment, use the ESN of the active OMU board to apply for a digital
certificate. If the active OMU board becomes faulty and is removed, use the ESN of a functional OMU
board to apply for a new digital certificate.
l Upon detecting that the period remaining until a certificate expires is less than the value
of the ALMRNG parameter, the base station/base station controller/eCoordinator
determines that the certificate is about to expire.
l Upon detecting that the expiration time of a certificate is earlier than the current time, the
base station/base station controller/eCoordinator determines that the certificate has
expired.
Table 5-1 describes the processing performed by the base station/base station controller/
eCoordinator when it detects that the device certificate is abnormal.
NOTE
During an automatic certificate update procedure, if the update fails because of intermittent
transmission or network congestion, the system automatically retries the update at most twice, at
an interval of 10 minutes.
l Manual mode
O&M personnel can run the UPD DEVCERT command to manually trigger a CMPv2-
based certificate update. In this command, the APPCERT parameter specifies a
NOTE
Bidirectional authentication is used for SSL certificate testing. That is, the base station/base station
controller and U2000 authenticate the device certificates of each other. The SSL certificate testing result
reflects whether the certificates can be used.
In IPsec scenarios, a new certificate is tested by using it for authentication during IKE
renegotiation. In SSL scenarios, a new certificate is tested by using it for authentication
during SSL reconnection. If the IKE renegotiation or SSL reconnection fails, the base station
falls back to the original certificate. The base station controller supports only SSL
scenarios; if SSL reconnection fails, it falls back to the original certificate.
NOTE
The eGBTS configured with a GTMUb does not support SSL certificate testing.
If the base station finds that the operator-issued device certificate was revoked based on the
CRL file, the base station initiates a certificate application procedure. If the base station is
discarded, the certificate application request will be rejected by the CA and no new device
certificate will be issued.
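The two checks described above (remaining validity compared with ALMRNG, and revocation against the downloaded CRL) can be reproduced offline. The following Python block is an added example written for this page, not Huawei base station code: it walks the DER encoding of a certificate and a CRL with a minimal TLV reader instead of a full X.509 library, and classifies the certificate the way the page describes. It assumes ALMRNG is expressed in days and checks revocation before expiry; the certificate and CRL it parses are constructed inside the block (unsigned skeletons with the RFC 5280 field order), so it runs without a PKI server.

```python
import datetime as dt
# Added example, not Huawei code. A minimal DER walker reads the serial number and
# validity of an X.509 certificate and the revoked serials of a CRL, then applies
# this page's rules. Assumptions: ALMRNG is in days; revocation is checked first.

ALG_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # OID 1.2.840.113549.1.1.11

def _length(n):  # encoder uses short-form lengths only; constructed objects are < 128 bytes
    assert n < 0x80
    return bytes([n])

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def der_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def der_utctime(t):
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at buf[pos]; handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F  # long-form length uses n extra bytes
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def cert_serial_and_validity(cert_der):
    """Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signature } (RFC 5280)."""
    tbs = children(read_tlv(read_tlv(cert_der)[1])[1])
    if tbs[0][0] == 0xA0:  # explicit [0] version; absent in v1 certificates
        tbs = tbs[1:]
    serial = int.from_bytes(tbs[0][1], "big", signed=True)
    not_before, not_after = children(tbs[3][1])  # serial, signature, issuer, validity
    return serial, parse_time(*not_before), parse_time(*not_after)

def crl_revoked_serials(crl_der):
    """CertificateList ::= SEQ { tbsCertList, signatureAlgorithm, signature } (RFC 5280)."""
    tbs = children(read_tlv(read_tlv(crl_der)[1])[1])
    if tbs[0][0] == 0x02:  # optional version
        tbs = tbs[1:]
    rest = tbs[3:]  # after signature, issuer, thisUpdate
    if rest and rest[0][0] in (0x17, 0x18):  # optional nextUpdate
        rest = rest[1:]
    if not rest or rest[0][0] != 0x30:  # revokedCertificates absent
        return set()
    return {int.from_bytes(children(entry)[0][1], "big", signed=True)
            for _, entry in children(rest[0][1])}

def certificate_status(cert_der, crl_der, almrng_days, now):
    serial, _, not_after = cert_serial_and_validity(cert_der)
    if serial in crl_revoked_serials(crl_der):
        return "REVOKED"  # base station starts a new CMPv2 certificate application
    if not_after < now:
        return "EXPIRED"
    if not_after - now < dt.timedelta(days=almrng_days):
        return "ABOUT_TO_EXPIRE"  # remaining validity below ALMRNG
    return "NORMAL"

# Constructed, unsigned test objects with the RFC 5280 field order (no signature).
def make_cert(serial, not_before, not_after):
    name = der_seq()  # an empty Name is enough for the walker
    tbs = der_seq(tlv(0xA0, der_int(2)), der_int(serial), der_seq(ALG_SHA256_RSA), name,
                  der_seq(der_utctime(not_before), der_utctime(not_after)), name, der_seq())
    return der_seq(tbs, der_seq(ALG_SHA256_RSA), tlv(0x03, b"\x00"))

def make_crl(revoked, this_update, next_update):
    entries = [der_seq(der_int(s), der_utctime(this_update)) for s in revoked]
    tbs = der_seq(der_int(1), der_seq(ALG_SHA256_RSA), der_seq(), der_utctime(this_update),
                  der_utctime(next_update), der_seq(*entries))
    return der_seq(tbs, der_seq(ALG_SHA256_RSA), tlv(0x03, b"\x00"))

def demo(almrng_days=30):
    """Classify four constructed certificates against one constructed CRL."""
    now = dt.datetime(2018, 1, 8, tzinfo=dt.timezone.utc)
    issued = dt.datetime(2017, 1, 8, tzinfo=dt.timezone.utc)
    crl = make_crl([4660], now, now + dt.timedelta(days=7))
    certs = {"normal": make_cert(1, issued, now + dt.timedelta(days=365)),
             "expiring": make_cert(2, issued, now + dt.timedelta(days=22)),
             "expired": make_cert(3, issued, now - dt.timedelta(days=1)),
             "revoked": make_cert(4660, issued, now + dt.timedelta(days=365))}
    return {k: certificate_status(c, crl, almrng_days, now) for k, c in certs.items()}

if __name__ == "__main__":
    print(demo())
```

A real DER certificate or CRL read from a file can be passed to certificate_status() unchanged, because read_tlv() accepts long-form lengths; only the encoder half of the block is limited to the short objects it constructs. The block does not verify signatures or the CRL issuer, which the base station does before trusting a CRL.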
l If the CRL is obtained using LDAP, the CONNMODE (eGBTS, BSC6900, BSC6910)
and AUTHPEER (eGBTS, BSC6900, BSC6910) parameters must be set. If the
AUTHPEER (eGBTS, BSC6900, BSC6910) parameter is set to ENABLE, ensure that
both the base station/base station controller and the CRL server are configured with the
peer device certificate and the peer CA trust certificate.
NOTE
If the CRL is obtained using LDAP and the base station/base station controller supports only
LDAPv3, the CRL server must support LDAPv3. For details, see IETF RFC 4511 Lightweight
Directory Access Protocol (LDAP).
l If the CRL is obtained using FTP over SSL (FTPS), set ENCRYMODE (eGBTS,
BSC6900, BSC6910) to AUTO(Auto) or ENCRYPTED(SSL Encrypted) on the base
station/base station controller/eCoordinator side, and enable the FTPS function on the
CRL server side. If this parameter is set to ENCRYPTED(SSL Encrypted), ensure that
all FTP servers communicating with the base station/base station controller/eCoordinator
support FTPS.
If the CRL server needs to be authenticated, set the SSLCERTAUTH (BSC6900,
eGBTS, BSC6910) parameter to YES(Yes). In addition, ensure that the base station/base
station controller/eCoordinator has been configured with the peer CA trust certificate and
the CRL server has been configured with a device certificate.
NOTE
l If the FTPS client is not configured with a device certificate, the CRL server cannot
authenticate the FTPS client.
l Each time a base station is reset, a periodic CRL update task is added.
NOTE
Basic information about abnormal certificates is saved on the U2000 for 30 days and then
automatically removed. This prevents the same certificate information from being exported repeatedly.
l The certificate does not exist, for example, when the board is returned for repair.
l The U2000 deletes the NE where the certificate is deployed.
l The U2000 cannot communicate with the NE, where the certificate is deployed, for a
long time (for example, when the NE leaves the network).
l The certificate is deleted manually. The operator needs to ensure that a manually deleted
certificate has been revoked by the CA. The information about a deleted certificate will
be saved on the U2000 for a period. After the period expires, the information is
automatically deleted.
In the following scenarios, the device certificate on the base station does not need to be
revoked although the device certificate status is abnormal on the U2000:
l The base station operates normally but cannot communicate with the U2000 for a long
time.
l The base station or its board is transferred to another U2000 for management. In this
case, the device certificate of the base station or board is recorded as abnormal on the
original U2000.
l The value of DEPLOYTYPE is changed to NULL, which indicates that the device
certificate on the base station is not applied. In this situation, the certificate status on the
U2000 is that the certificate does not exist.
If the certificate must be revoked, you need to manually run the certificate revocation
command on the CA.
The offline certificate monitoring function cannot be used in the following conditions:
l This function does not take effect for the preconfigured Huawei-issued device
certificates. The name of the issuer of the preconfigured Huawei-issued device
certificates starts with "Huawei". Therefore, it is not recommended that the name of the
issuer of operator-issued device certificates start with "Huawei".
l If the base station cannot communicate with the U2000 after obtaining a device
certificate, the U2000 cannot record the information about the device certificate. In this
case, the U2000 cannot monitor the device certificate.
l During the period when base station software is rolled back to a version not supporting
offline certificate monitoring, the U2000 cannot update certificate status. After base
station software is upgraded to a version supporting offline certificate monitoring, the
U2000 can update certificate status.
The offline certificate monitoring function does not need to be activated. You can query and
export the basic information about abnormal certificates on the U2000. For details, see 8.5.3
Activation Observation and 8.6.3 Activation Observation.
CMPv2 complies with IETF RFC 4210, IETF RFC 4211, and draft-ietf-pkix-cmp-transport-
protocols-07. The base station/base station controller/U2000 uses Hypertext Transfer
Protocol/Hypertext Transfer Protocol Secure (HTTP/HTTPS) as the bearer protocol for
CMPv2. Figure 5-9 shows the transport protocol stack for CMPv2.
Figure 5-10 shows the topology for managing certificates in base stations and base station
controllers based on CMPv2.
As shown in Figure 5-10, base stations or base station controllers communicate with the
operator's PKI server for CMPv2-based certificate management. The PKI server can be a CA,
RA, or certificate & CRL database.
When the base stations or base station controllers apply for operator-issued device certificates
for the first time, the operator's CA is preconfigured with the Huawei root certificate. The root
certificate is used to verify Huawei-issued device certificates carried in CMPv2 messages sent
by the base stations or base station controllers. The operator's CA also includes operator-
issued device certificates and root certificates or certificate chains in CMPv2 response
messages sent to the base stations or base station controllers.
When the base stations or base station controllers update certificates, the operator's CA and
the base stations or base station controllers authenticate each other using operator-issued
device certificates and operator's root certificates or certificate chains. In this case, Huawei-
issued device certificates and Huawei root certificates are no longer used.
Figure 5-11 shows how a base station or base station controller applies for a certificate based
on CMPv2.
Figure 5-11 Certificate application process for a base station or base station controller
NOTE
After sending a CMPv2-based certificate request message, the base station waits for a response from the
CA. The waiting timeout interval is 60s in single-operator PKI scenarios and 20s for each PKI in multi-
operator PKI scenarios. If the base station does not receive any response from the CA before the waiting
timeout interval elapses, the certificate application fails.
In step 2, the message contains information such as the generated public key, SubjectName
field of the certificate, backup SubjectName field of the certificate, certificate signature
algorithm, and Huawei-issued device certificate.
l The SubjectName field in the certificate request message contains the Common Name
field. Some CAs require that the Common Name field in certificate request messages be
the same as that in Huawei-issued device certificate. If they are not the same, these CAs
will not issue device certificates (also known as operator-issued device certificates).
l In Huawei-issued device certificates preconfigured on some LMPT boards, the Common
Name field uses the format of ESN+space+eNodeB. In this case, to meet the preceding
CA requirement, a space is automatically added to the Common Name field in the
certificate request message if the values of the COMMNAME and USERADDINFO
parameters are ESN and eNodeB, respectively. In this way, the Common Name field in
the message is in the format of ESN+space+eNodeB. If the LOCALNAME parameter is
not specified, the DNSName field in the backup SubjectName field also uses the format
of ESN+space+eNodeB.
Figure 5-12 shows how a base station or base station controller updates its certificate based
on CMPv2.
Figure 5-12 CMPv2-based certificate update process for a base station or base station
controller
In step 2, the key update request message is also the certificate update request. This message
includes the new public key and the operator-issued device certificate to be updated.
In step 5, the CA uses the public key of the operator-issued device certificate carried in the
key update request message to verify the signature in the message. In addition, the CA uses
the operator's root certificate or certificate chain to verify the operator-issued device
certificate.
For details about the structure of a CMPv2 message and the process of exchanging CMPv2
messages, see IETF RFC 4210 and IETF RFC 4211.
For both the base station and base station controller, the SLVURL (BSC6900, eGBTS,
BSC6910) and SLVINITREQURL parameters have been added to the CA MO to specify the
URL of the standby CA; the SLVIP (eGBTS, BSC6900, BSC6910), SLVPORT (eGBTS,
BSC6900, BSC6910), SLVUSR (eGBTS, BSC6900, BSC6910), and SLVPWD (eGBTS,
BSC6900, BSC6910) parameters have been added to the CRLTSK MO to specify the login
information of the standby CRL server.
During certificate updates or CRL acquisitions, the base station/base station controller reports
ALM-26842 Automatic Certificate Update Failed only when the sessions between the base
station/base station controller and both the active and standby PKI servers fail.
The following network elements support PKI redundancy: eGBTS, NodeB, eNodeB, GBTS
(configured with GTMUb/GTMUc and UMPT_L/LMPT boards), BSC, and RNC.
PKI redundancy has the following application limitations:
PKI redundancy is not supported during base station deployment by PnP. The operator must
ensure that the active PKI server works properly during base station deployment by PnP.
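The update behaviour described above (active CA first, then the standby CA specified by SLVURL; the CMPv2 response timeout of 60s for a single-operator PKI or 20s per PKI in multi-operator scenarios; at most two retries at a 10-minute interval; ALM-26842 only when both servers fail) is easier to reason about as code. The following Python block is an added example, not Huawei code. The standby URL, the FakePkiServers transport and the outage counts are constructed for the example, and the choice to raise ALM-26842 only after the retry budget is exhausted against both servers is an assumption made here, not something the page states explicitly.

```python
import time

# Added example, not Huawei code: models the automatic certificate update cycle
# described on this page with an injected CMPv2 transport, so it runs offline.

ALM_26842 = "ALM-26842 Automatic Certificate Update Failed"
MAX_RETRIES = 2                # page: retried "at most twice"
RETRY_INTERVAL_S = 600         # page: 10-minute interval
TIMEOUT_SINGLE_PKI_S = 60      # page: single-operator PKI
TIMEOUT_PER_PKI_MULTI_S = 20   # page: each PKI in multi-operator scenarios

ACTIVE_URL = "http://10.88.88.88:80/pkix/"   # URL value from the page's ADD CA example
STANDBY_URL = "http://10.88.88.89:80/pkix/"  # hypothetical SLVURL value


class CmpTimeout(Exception):
    """No CMPv2 response before the waiting timeout elapsed."""


def cmp_timeout_s(multi_operator_pki):
    return TIMEOUT_PER_PKI_MULTI_S if multi_operator_pki else TIMEOUT_SINGLE_PKI_S


def update_with_failover(urls, send, timeout_s, sleep=time.sleep):
    """One update cycle: an initial attempt plus up to MAX_RETRIES.

    send(url, timeout_s) is the CMPv2 transport; it returns the issued
    certificate or raises on timeout/transport failure.
    Returns (certificate_or_None, alarms, attempt_log).
    """
    log = []
    for attempt in range(1 + MAX_RETRIES):
        if attempt:
            sleep(RETRY_INTERVAL_S)            # wait before retrying
        for url in urls:                        # active server first, then standby
            try:
                cert = send(url, timeout_s)
            except Exception as exc:            # timeout or transport failure
                log.append((attempt, url, type(exc).__name__))
                continue
            log.append((attempt, url, "ok"))
            return cert, [], log
    return None, [ALM_26842], log               # both servers failed on every attempt


class FakePkiServers:
    """Constructed stand-in: outages maps url -> number of requests that fail first."""

    def __init__(self, outages):
        self.outages = dict(outages)
        self.calls = []

    def send(self, url, timeout_s):
        self.calls.append((url, timeout_s))
        if self.outages.get(url, 0) > 0:
            self.outages[url] -= 1
            raise CmpTimeout(f"no response from {url} within {timeout_s}s")
        return b"<constructed operator-issued device certificate>"


def scenario(active_failures, standby_failures, multi_operator_pki=False):
    """Run one cycle against constructed outage counts and summarise the outcome."""
    servers = FakePkiServers({ACTIVE_URL: active_failures, STANDBY_URL: standby_failures})
    slept = []
    timeout_s = cmp_timeout_s(multi_operator_pki)
    cert, alarms, log = update_with_failover([ACTIVE_URL, STANDBY_URL], servers.send,
                                             timeout_s, sleep=slept.append)
    return {"updated": cert is not None, "alarms": alarms, "requests": len(log),
            "served_by": log[-1][1] if cert else None,
            "waited_s": sum(slept), "timeout_s": timeout_s}


if __name__ == "__main__":
    for args in [(0, 0), (1, 0), (1, 1), (9, 9)]:
        print(args, scenario(*args))
```

The point the scenarios make is that a single outage of the active CA is absorbed by the standby without any retry delay, whereas the alarm appears only once every attempt has failed against both servers; during PnP deployment the page says redundancy is not available, so only the first URL would be tried.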
NOTE
For the description of UMPT cold backup and the definition of logical slot numbers, see Base Station
Equipment Reliability Feature Parameter Description.
UMDUs cannot be used in UMPT+UMPT cold backup mode.
During the deployment phase, apply for the operator-issued device certificate only for the
active UMPT.
During the operation phase, a CMPv2-based certificate application is triggered if all the
following conditions are met:
l The active UMPT becomes faulty.
l The active and standby UMPT boards are switched over.
l The standby UMPT determines that an operator-issued device certificate must be applied
for based on the configuration file.
The two UMPT boards manage and use their own certificates.
NOTE
In UMPT+UMPT cold backup mode, if both IPsec and PKI are deployed, the IDTYPE parameter in the
IKEPEER MO can be set to IP or FQDN on the base station side. If this parameter is set to FQDN, the
SeGW should not check the ID of the base station.
NOTE
To support the digital certificate whitelist management, both the base station and SeGW must be Huawei
equipment and be preconfigured with Huawei-issued device certificates.
A digital certificate whitelist is configured on the U2000 and then loaded onto the base
station. During IKE negotiation for IPsec tunnel establishment, the base station uses the
digital certificate whitelist to authenticate each piece of equipment that expects to establish an
IPsec tunnel with the base station. The base station can perform IKE negotiation and establish
IPsec tunnels only with the equipment in the whitelist. IPsec tunnels cannot be established
between the base station and any equipment not in the whitelist.
NOTE
The digital certificate whitelist is used for authentication between base stations only when there are links
(for example, the X2 interface) between them or base stations are cascaded.
6 Related Features
Impacted Features
None
Impacted Features
Feature ID Feature Name Impact
Impacted Features
Feature ID Feature Name Description
7 Network Impact
System Capacity
No impact.
Network Performance
During base station or base station controller deployment, the certificate application process
takes about 10s.
Before deploying the PKI feature for an eCoordinator, engineering personnel must obtain CA
information from CA maintenance personnel. The following table lists the CA information
that needs to be collected.
Before deploying the PKI redundancy feature, engineering personnel also need to collect the
following information.
NE: Supported boards
GBTS: GTMUb/GTMUc+UMPT_L/LMPT, or GTMUb+UTRPc
eGBTS: UMPT_G/UMDU_G/GTMUb/GTMUc
NodeB: UMPT_U/UTRPc/UMDU_U
eNodeB: UMPT_L/UMPT_T/LMPT/UTRPc/UMDU_L/UMDU_T
Multimode base station: UMPT_G/UMDU_G/UMPT_U/UMDU_U/UMPT_L/UMPT_T/UMDU_L/UMDU_T/LMPT/UTRPc
eCoordinator: OMU
8.4 Requirements
PKI Deployment Requirements
l Other Features
See Related Features.
l Hardware
NE: Supported boards
GBTS: GTMUb/GTMUc+UMPT_L/LMPT, or GTMUb+UTRPc
eGBTS: UMPT_G/UMDU_G/GTMUb/GTMUc
NodeB: UMPT_U/UTRPc/UMDU_U
eNodeB: UMPT_L/UMPT_T/LMPT/UTRPc/UMDU_L/UMDU_T
Multimode base station: UMPT_G/UMDU_G/UMPT_U/UMDU_U/UMPT_L/UMPT_T/UMDU_L/UMDU_T/LMPT/UTRPc
eCoordinator: OMU
l License
The licenses for the PKI feature have been activated for the base station and base station
controller. To support the PKI feature, the eCoordinator does not require a license. The
following table lists the licenses controlling PKI.
(Table columns: Feature ID, Feature Name, License Control Item ID, License Control Item Name, NE, Sales Unit.)
NOTE
The rules for activating the license controlling PKI for a multimode base station are as follows:
l In co-transmission scenarios with a separate-MPT multimode base station, the license controlling
PKI needs to be activated for the mode that provides a transmission port. If another mode requires
certificate sharing, the license controlling PKI must also be activated for this mode.
l If a UTRPc board is used to connect to the transport network, the license controlling PKI must be
activated for the mode that manages the board.
For a BSC6900 GU or BSC6910 GU, the license controlling PKI only needs to be activated for one
mode, that is, you can activate either the license for the BSC Supporting PKI feature or the license for
the RNC Supporting PKI feature.
l Other Requirements
– A PKI server is deployed on the operator's network.
– Operator-issued device certificates and CRLs comply with IETF RFC 5280.
– The operator's CA supports CMPv2 defined in IETF RFC 4210, and the format of
certificate request messages complies with IETF RFC 4211.
– As stipulated in 3GPP TS 33.310, the Initialization Response message sent by the
operator's CA contains the operator's root certificate or certificate chain.
– The operator's CA is preconfigured with the Huawei root certificate.
l Other Requirements
– Two PKI servers are deployed on the operator's network. For the requirements for
PKI servers, see PKI Deployment Requirements.
– The two PKI servers have the same CA name and root certificate or certificate
chain and synchronize certificate management databases between them.
– There are reachable routes between the base station/base station controller/
eCoordinator and the two PKI servers.
NOTE
A UMDU can be used in a co-MPT multimode base station in the secure networking shown in Figure
8-1. However, a UMDU cannot be used in a separate-MPT multimode base station.
This section describes how to deploy PKI on an eGBTS using a GTMUc, UMPT, or UMDU. For details
about how to deploy PKI on an eGBTS using a GTMUb, see 8.6 Deployment of PKI on the eGBTS
using a GTMUb.
In the following tables, "N/A" indicates that there is no special requirement for the parameter setting.
You can set the parameter based on site requirements.
Table 8-3 lists the data to be prepared for the deployment location of a certificate on the base
station (the CERTDEPLOY MO in MML and CME configurations).
Slot No. (parameter ID: SN)
Table 8-4 lists the data to be prepared for a certificate request template (the CERTREQ MO
in MML and CME configurations).
The base station must be configured with CA information to apply for a certificate from the
CA. Table 8-5 lists the data to be prepared for the CA (the CA MO in MML and CME
configurations).
NOTE
If O&M data flows are transmitted by the IPsec tunnel, the O&M IP address cannot be used for data that
is not protected by IPsec. If O&M data flows are not transmitted by the IPsec tunnel, the O&M IP
address cannot be used for data that is protected by IPsec.
Table 8-6 lists the data to be prepared for a device certificate (the CERTMK MO in MML
and CME configurations).
Table 8-7 lists the data to be prepared for an active certificate (the APPCERT MO in MML
and CME configurations). Active certificates are device certificates that are currently used by
a base station.
Table 8-8 lists the data to be prepared for a trust certificate (the TRUSTCERT MO in MML
and CME configurations).
Table 8-9 lists the data to be prepared for a periodic certificate validity check task (the
CERTCHKTSK MO in MML and CME configurations).
Table 8-9 Data to be prepared for a periodic certificate validity check task
(Optional) Prepare CRL data if the base station needs to obtain CRL information from the
CA. Table 8-10 lists the data to be prepared for a CRL (the CRL MO in MML and CME
configurations).
(Optional) Prepare data related to CRL usage policies. Table 8-11 lists the data to be prepared
for these policies (the CRLPOLICY MO in MML and CME configurations).
(Optional) Prepare data related to a periodic CRL download task. Table 8-12 lists the data to
be prepared for the task (the CRLTSK MO in MML and CME configurations).
Source IP (parameter ID: SIP): If this parameter is not set, the base station uses the O&M IP
address as the source IP address to update a CRL. Data source: network plan.
(Optional) Prepare data to manually download an operator's root certificate or CRL from an
FTP server. Table 8-13 lists the data to be prepared for downloading a certificate file. The
corresponding MML command is DLD CERTFILE.
Table 8-14 Data to be prepared for applying for a device certificate based on CMPv2
(Table columns: Parameter Name, Parameter ID, Setting Notes, Data Source.)
Table 8-15 lists the data to be prepared for updating a device certificate (the DEVCERT MO
in MML configurations) based on CMPv2. The corresponding MML command is UPD
DEVCERT.
Table 8-15 Data to be prepared for updating a device certificate based on CMPv2
(Table columns: Parameter Name, Parameter ID, Setting Notes, Data Source.)
Single configuration: CME Management > CME Guidelines > Getting Started with the CME >
Introduction to Data Configuration Operations
Batch configuration (eGBTS): CME Management > CME Guidelines > GSM Application Management >
Base Station Related Operations > Importing and Exporting eGBTS Data for Batch Reconfiguration
Batch configuration (NodeB): CME Management > CME Guidelines > UMTS Application Management >
NodeB Related Operations > Importing and Exporting NodeB Data for Batch Configuration
Batch configuration (eNodeB): CME Management > CME Guidelines > LTE Application Management >
eNodeB Related Operations > Importing and Exporting eNodeB Data for Batch Configuration
Figure 8-3 Procedure for configuring data using the CME transport security wizard
After configurations on the CME transport security wizard are complete, the IPsec and PKI
parameter setting tables are exported. They show the IPsec and PKI parameters that have been
configured and the parameters that still need to be manually configured in the summary data file.
You can adjust the configured parameters in the summary data file based on the actual
conditions.
The CME transport security wizard has the following restrictions on configuring PKI:
l PKI redundancy cannot be configured.
l SSL transmission cannot be configured for obtaining the CRL.
l Base station supporting multi-operator PKI cannot be configured.
l PKI parameters for the eGBTS, NodeB, and eNodeB can be configured. PKI parameters
can be configured for the GBTS only when it is configured with GTMUb/GTMUc
+UMPT_L/LMPT.
l The following figure shows the PKI attribute selection in the CME transport security
wizard.
NOTE
For the IPsec attribute selection, see section 10.6.1 Using the CME in Batch Configuration for
Newly Deployed Base Stations in IPsec Feature Parameter Description.
l The following table lists the PKI parameters to be configured.
(Table columns: MO, Parameter Group, Sheet in the Summary Data File, Setting Notes.)
For the configuration path and interface for the transport security wizard, see Transport
Security Wizard in the "Introduction to the Wizards for Customizing a Data File" section of
CME Product Documentation.
NOTE
If multi-level CAs are deployed in an operator's PKI system, a complete certificate chain must be added.
If the certificates of different levels of CAs in the certificate chain are stored separately, run the ADD
TRUSTCERT command for each certificate you want to add.
Step 1 Run the MML command SET CERTDEPLOY to set the deployment position of a certificate
on the base station. You need to reset the base station to make the configuration take effect.
Step 2 Run the MML command MOD CERTREQ to modify configurations of a certificate request
template.
Step 3 Run the MML command ADD CA to add an operator's CA.
Step 4 (Optional) Run the MML command DLD CERTFILE to download a trusted operator's root
certificate from the operator's certificate & CRL database. This step is required only when a
manual certificate application procedure is used.
Step 5 Run the MML command ADD TRUSTCERT to add an operator's trust certificate.
Step 6 (Optional) Run the MML command REQ DEVCERT to set information required for the base
station to apply for an operator-issued device certificate. This step is required only when a
manual certificate application procedure is used. After the setting takes effect, a certificate
application procedure is triggered.
Step 7 Run the MML command MOD APPCERT to modify configurations of an active certificate.
Step 8 Run the MML command SET CERTCHKTSK to set a periodic certificate validity check
task.
Step 9 (Optional) Run the MML command DLD CERTFILE to download a CRL from the
operator's certificate & CRL database.
Step 10 (Optional) Run the MML command ADD CRL to add a CRL. This step is required only
when a manual certificate application procedure is used.
Step 11 (Optional) Run the MML command SET CRLPOLICY to set a CRL usage policy.
Step 12 (Optional) Run the MML command ADD CRLTSK to add a periodic CRL download task.
----End
In addition to the preceding steps, perform the following step to manually trigger a certificate
update:
Step 1 Run the MML command UPD DEVCERT to set information about a certificate update. After
the setting takes effect, a CMPv2-based certificate update procedure is triggered.
----End
Perform the following step to configure certificate sharing:
Step 1 Run the MML command SET CERTDEPLOY to set a board whose certificate is shared.
----End
NOTE
If you run the SET CERTDEPLOY command to set the deployment location of a certificate on a base
station online, the setting takes effect only after the base station is reset.
//Modifying configurations of a certificate request template
MOD CERTREQ: COMMNAME=ESN, USERADDINFO=".huawei.com", COUNTRY="cn", ORG="ITEF", ORGUNIT="Hw", STATEPROVINCENAME="sc", LOCALITY="cd", KEYUSAGE=DATA_ENCIPHERMENT-1&DIGITAL_SIGNATURE-1&KEY_AGREEMENT-1&KEY_ENCIPHERMENT-1, SIGNALG=SHA256, KEYSIZE=KEYSIZE1024, LOCALNAME="abcdefghijklmn.huawei.com", LOCALIP="10.20.20.188";
//KEYSIZE1024 is shown only as an example value. A 1024-bit RSA key is no longer considered adequate; choose the largest key size that both the base station and the operator's CA support.
//Adding an operator's CA
//If the base station can access the CA either through an external network or
through the intranet and O&M data is protected by IPsec, you are advised to set
the source IP addresses for certificate application and update to an interface IP
address and an O&M IP address (for example, 10.31.31.188), respectively. The
following is an example:
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1", URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE=CFG_INIT_UPD_ADDR, UPDSIP="10.31.31.188", INITREQURL="http://10.89.89.89:80/pkix/", INITREQSIP="10.20.20.188";
//If the base station can access the CA either through an external network or
through the intranet, and O&M data is not protected by IPsec, you are advised to
set the source IP addresses for certificate application and update to an
interface IP address and an intranet IP address(for example, 10.45.45.45),
respectively.
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1", URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE=CFG_INIT_UPD_ADDR, UPDSIP="10.45.45.45", INITREQURL="http://10.89.89.89:80/pkix/", INITREQSIP="10.20.20.188";
//If the base station can access the CA through only an external network, you are
advised to set the source IP addresses for both certificate application and
update to interface IP addresses. The following is an example:
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1", URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE=CFG_INIT_UPD_ADDR, UPDSIP="10.20.20.188", INITREQURL="http://10.89.89.89:80/pkix/", INITREQSIP="10.20.20.188";
//Downloading an operator's root certificate from an FTP server (assume that the
FTP server is deployed on the U2000, indicating that the IP address of the FTP
server is the same as that of the U2000)
DLD CERTFILE: IP="10.60.60.60", USR="admin", PWD="*****", SRCF="OperationCA.cer", DSTF="OperationCA.cer";
//Adding an operator's root certificate as the trust certificate
ADD TRUSTCERT: CERTNAME="OperationCA.cer";
//Setting information required for the base station to apply for an operator-
issued device certificate based on CMPv2 when the certificate application needs
to be manually triggered
//(Skip this step when the certificate application is automatically triggered.)
REQ DEVCERT: CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd, CN=eca1",
APPCERT="OPKIDevCert.cer";
//Modifying configurations of an active certificate
MOD APPCERT: APPTYPE=IKE, APPCERT="OPKIDevCert.cer";
NOTE
After the active IKE certificate is changed by running the MOD APPCERT command, if IKE
authentication uses the new certificate and the current IKE SA is normal, the base station automatically
initiates IKE renegotiation.
//Setting a periodic certificate validity check task
SET CERTCHKTSK: ISENABLE=ENABLE, PERIOD=7, ALMRNG=30, UPDATEMETHOD=CMP;
//(Optional) Downloading the CRL file from the FTP server. If the FTP server is
deployed on the U2000, the IP address of the FTP server is the same as that of
the U2000.
DLD CERTFILE: IP="10.60.60.60", USR="admin", PWD="*****", SRCF="eNodeB.crl", DSTF="eNodeB.crl";
//(Optional) Loading the CRL file
NOTE
When you run the UPD DEVCERT command to update a certificate, if the base station is performing
IKE or SSL negotiation, the certificate update fails. You need to execute this command after the
negotiation is complete.
If the values of Certificate File Name, Issuer, and Common Name are correct and the value
of Status is Normal in the query result, the device certificate has been loaded to the base
station.
Step 2 Run the MML command DSP TRUSTCERT to check the status of trust certificates.
If the value of Status is Normal in the query result, the trust certificate has been loaded to the
base station.
Step 3 (Optional) Run the MML command DSP CRL to check the CRL status.
If the value of Status is Normal in the query result, the CRL has been loaded to the base
station.
----End
If the value of Status is Normal in the query result, certificate sharing is successful.
----End
Step 2 (Optional) To export information about device certificates in abnormal states, click Export.
If the On disconnected NE or On deleted NE check box is selected, you also need to set the
duration for which the device certificates have remained in that state.
----End
8.5.4 Deactivation
Step 1 Run the MML command RMV CA to remove the CA.
Step 2 (Optional) Run the MML command RMV CRLTSK to remove the periodic CRL update task
whose CRLGETMETHOD is set to LDAP.
----End
Figure 8-4 Example of the secure networking for the eGBTS using a GTMUb
NOTE
In the following tables, "N/A" indicates that there is no special requirement for the parameter setting.
You can set the parameter based on site requirements.
Table 8-16 lists the data to be prepared for applying for a certificate from the CA (the SSL
MO in MML configurations).
Table 8-16 Data to be prepared for applying for a certificate from the CA
(Table columns: Parameter Name, Parameter ID, Setting Notes, Data Source.)
Common Name: set manually on the CA; it has no parameter ID. The value of the Common Name
field in a certificate request file consists of Common Name + Common Name Additional Info.
The recommended value of the Common Name field is XXX.huawei.com, where XXX is the ESN of
the board connecting to the transport network. Data source: network plan.
Table 8-17 lists the data to be prepared for the deployment location of a certificate on the base
station (the CERTDEPLOY MO in MML and CME configurations).
Slot No. (parameter ID: SN)
Table 8-18 lists the data to be prepared for downloading an operator's root certificate, public
key, private key, or CRL file from an FTP server. The corresponding MML command is DLD
GENFILE.
NOTE
If multi-level CAs are deployed in the operator's PKI system and the local certificate chain is different
from the peer certificate chain, you also need to run the SET CERTFILE command to configure the
peer certificate chain.
Step 1 Upload the operator's root certificate and CRL file to the FTP server.
Step 2 Based on the data plan listed in Table 8-16, apply for a device certificate from the CA, and
upload the public key certificate (device certificate) and private key file generated by the CA
to the FTP server.
Step 3 Run the SET CERTDEPLOY command to set Certification Deploy Position Type to
NULL(NULL).
Step 4 Run the DLD GENFILE command to download the operator's root certificate, public key
certificate, private key file, and CRL file from the FTP server.
Step 5 Run the SET CERTFILE command to set the operator's root certificate, public key
certificate, private key file, and CRL file.
----End
Step 2 On the U2000 client in tradition style, choose Security > Certificate Authentication
Management > SSL Connection Management to open the SSL Connection Management
window. Alternatively, on the Application Center tab page of the U2000 client in application
style, double-click Security Management. Then, choose NE Security > Certificate
Authentication Management > SSL Connection Management to open the SSL
Connection Management window.
Then, observe Connection Status of the base station. If the value of Connection Status is
Connected, an SSL connection has been successfully established.
Step 3 Run the MML command SET CONNTYPE to set Connection Type to SSL(Only SSL
Connection).
Step 4 In the SSL Connection Management window, select the base station, and then observe the
SSL connection status.
Then, observe Connection Status of the base station. If the value of Connection Status is
Connected, an SSL connection has been successfully established.
----End
8.6.4 Deactivation
None
Figure 8-5 Example of the secure networking for the NodeB that uses a WMPT as the main
control board and is not configured with a UTRPc
NOTE
In the following tables, "N/A" indicates that there is no special requirement for the parameter setting.
You can set the parameter based on site requirements.
Table 8-19 lists the data to be prepared for applying for a certificate from the CA (the SSL
MO in MML configurations).
Table 8-19 Data to be prepared for applying for a certificate from the CA
Parameter Name: Common Name
Parameter ID: This parameter is manually set on the CA and it does not have a parameter ID.
Setting Notes: The value of the Common Name field in a certificate request file consists of Common Name+Common Name Additional Info. The recommended value of the Common Name field is XXX.huawei.com (XXX indicates the ESN of the board connecting to the transport network).
Data Source: Network plan
Table 8-20 lists the data to be prepared for the deployment location of a certificate on the base
station (the CERTDEPLOY MO in MML and CME configurations).
Parameter Name: Slot No.; Parameter ID: SN
Table 8-21 lists the data to be prepared for downloading an operator's root certificate, public
key, private key, or CRL file from an FTP server. The corresponding MML command is DLD
GENFILE.
NOTE
If multi-level CAs are deployed in the operator's PKI system and the local certificate chain is different
from the peer certificate chain, you also need to run the SET CERTFILE command to configure the
peer certificate chain.
Step 1 Upload the operator's root certificate and CRL file to the FTP server.
Step 2 Based on the data plan listed in Table 8-19, apply for a device certificate from the CA, and
upload the public key certificate (device certificate) and private key file generated by the CA
to the FTP server.
Step 3 Run the SET CERTDEPLOY command to set Certification Deploy Position Type to
NULL(NULL).
Step 4 Run the DLD GENFILE command to download the operator's root certificate, public key
certificate, private key file, and CRL file from the FTP server.
Step 5 Run the SET CERTFILE command to set the operator's root certificate, public key
certificate, private key file, and CRL file.
----End
8.7.4 Deactivation
None
NOTE
This section only describes how to deploy the PKI feature by using MML commands or the CME. For
details about how to deploy the PKI feature on the U2000 client, see the U2000 Help.
Figure 8-6 Example of the secure networking for the GBTS (GTMUb+UTRPc)
In the following tables, the hyphen (-) indicates that there is no special requirement for the parameter
setting. You can set the parameter based on site requirements.
Table 8-22 lists the data to be prepared for the deployment location of a certificate on the
GBTS (the BTSCERTDEPLOY MO in MML configurations and the BTSCERTDEPLOY
or BTS Certification Deploy Position MO in CME configurations).
Table 8-22 Data to be prepared for the deployment location of a certificate on the GBTS
Parameter Name | Parameter ID | Setting Notes | Data Source
GBTSs must be configured with information about a CA so that they can apply for certificates
from the CA. Table 8-23 lists the data to be prepared for the CA (the BTSCA MO in MML
configurations and the BTSCA or BTS Certificate Authority MO in CME configurations).
Table 8-24 lists the data to be prepared for a certificate request template (the BTSCERTREQ
MO in MML configurations and the BTSCERTREQ or BTS Certreq File Configuration
MO in CME configurations).
Table 8-25 lists the data to be prepared for a device certificate (the BTSCERTMK MO in
MML configurations and the BTSCERTMK or BTS Device Certificate MO in CME
configurations).
Table 8-26 lists the data to be prepared for an active certificate (the BTSAPPCERT MO in
MML configurations and the BTSAPPCERT or BTS Application's Certificate MO in CME
configurations). Active certificates are device certificates that are currently used by a GBTS.
Table 8-27 lists the data to be prepared for a trust certificate (the BTSTRUSTCERT MO in
MML configurations and the BTSTRUSTCERT or BTS Trust Certificate MO in CME
configurations).
Table 8-28 lists the data to be prepared for a periodic certificate validity check task (the
BTSCERTCHKTSK MO in MML configurations and the BTSCERTCHKTSK or BTS
Certificate Checking Task MO in CME configurations).
Table 8-28 Data to be prepared for a periodic certificate validity check task
Parameter Name | Parameter ID | Setting Notes | Data Source
(Optional) Prepare CRL data if GBTSs need to obtain CRL information from the CA. Table
8-29 lists the data to be prepared for a CRL (the BTSCRL MO in MML configurations and
the BTSCRL or BTS CRL MO in CME configurations).
(Optional) Prepare data related to CRL usage policies. Table 8-30 lists the data to be prepared
for these policies (the BTSCRLPOLICY MO in MML configurations and the
BTSCRLPOLICY or BTS CRL Using Policy MO in CME configurations).
(Optional) Prepare data related to a periodic CRL download task. Table 8-31 lists the data to
be prepared for the task (the BTSCRLTSK MO in MML configurations and the
BTSCRLTSK or BTS CRL Updating Task MO in CME configurations).
(Optional) Prepare data to manually download an operator's root certificate or CRL from an
FTP server. Table 8-32 lists the data to be prepared for downloading a certificate file.
Table 8-33 Data to be prepared for applying for a device certificate based on CMPv2
Parameter Name | Parameter ID | Setting Notes | Data Source
(Optional) Prepare data to manually trigger a CMPv2-based certificate update. Table 8-34
lists the data to be prepared for updating a device certificate (the BTSDEVCERT MO in
MML configurations) based on CMPv2.
Table 8-34 Data to be prepared for updating a device certificate based on CMPv2
Parameter Name | Parameter ID | Setting Notes | Data Source
Single configuration: CME Management > CME Guidelines > Getting Started with the CME > Introduction to Data Configuration Operations
Batch eGBTS configuration: CME Management > CME Guidelines > GSM Application Management > Base Station Related Operations > Importing and Exporting eGBTS Data for Batch Reconfiguration
Batch NodeB configuration: CME Management > CME Guidelines > UMTS Application Management > NodeB Related Operations > Importing and Exporting NodeB Data for Batch Configuration
Batch eNodeB configuration: CME Management > CME Guidelines > LTE Application Management > eNodeB Related Operations > Importing and Exporting eNodeB Data for Batch Configuration
Step 1 Run the MML command SET BTSCERTDEPLOY to set the deployment position of a
certificate on the GBTS.
Step 2 Run the MML command MOD BTSCERTREQ to modify configurations of a certificate
request template.
Step 3 Run the MML command ADD BTSCA to add an operator's CA.
Step 4 Run the MML command DLD BTSCERTFILE to download a trusted operator's root
certificate from the operator's certificate & CRL database.
Step 5 Run the MML command ADD BTSTRUSTCERT to add an operator's trust certificate.
Step 6 Run the MML command REQ BTSDEVCERT to set information required for the GBTS to
apply for an operator-issued device certificate. After the setting takes effect, a certificate
application procedure is triggered. If a certificate application procedure is automatically
triggered, skip this step.
Step 7 Run the MML command MOD BTSAPPCERT to modify configurations of an active
certificate.
Step 8 Run the MML command SET BTSCERTCHKTSK to set a periodic certificate validity
check task.
Step 9 (Optional) Run the MML command DLD BTSCERTFILE to download a CRL from the
operator's certificate & CRL database.
Step 10 (Optional) Run the MML command ADD BTSCRL to add a CRL.
Step 11 (Optional) Run the MML command SET BTSCRLPOLICY to set a CRL usage policy.
Step 12 (Optional) Run the MML command ADD BTSCRLTSK to add a periodic CRL download
task.
----End
In addition to the preceding steps, perform the following step to manually trigger a certificate
update:
Step 1 Run the MML command UPD BTSDEVCERT to set information about a certificate update.
After the setting takes effect, a CMPv2-based certificate update procedure is triggered.
----End
NOTE
- If you run the MML command SET BTSCERTDEPLOY to set the deployment location of a
certificate on a base station online, the setting takes effect only after the base station is reset.
//Modifying configurations of a certificate request template
MOD BTSCERTREQ: IDTYPE=BYID, BTSID=0, COMMNAME=ESN, USERADDINFO=".huawei.com", COUNTRY="cn", ORG="ITEF", ORGUNIT="hw", STATEPROVINCENAME="sc", LOCALITY="cd", KEYUSAGE=DATA_ENCIPHERMENT-1&DIGITAL_SIGNATURE-1&KEY_AGREEMENT-1&KEY_ENCIPHERMENT-1, SIGNALG=SHA256, KEYSIZE=KEYSIZE1024, LOCALNAME="abcdefghijklmn.huawei.com", LOCALIP="10.20.20.188";
//Adding an operator's CA
ADD BTSCA: IDTYPE=BYID, BTSID=0, CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1", URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256;
//Downloading an operator's root certificate from the operator's certificate & CRL database
DLD BTSCERTFILE: IDTYPE=BYID, BTSID=0, IP="10.86.86.86", USR="admin", PWD="*****", SRCF="OperationCA.cer", DSTF="OperationCA.cer", CT=TRUSTCERT;
//Adding an operator's root certificate as the trust certificate
ADD BTSTRUSTCERT: IDTYPE=BYID, BTSID=0, CERTNAME="OperationCA.cer";
//Setting information required for the base station to apply for an operator-issued device certificate based on CMPv2 when the certificate application needs to be manually triggered
//(skip this step when the certificate application is automatically triggered)
REQ BTSDEVCERT: IDTYPE=BYID, BTSID=0, CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd, CN=eca1", APPCERT="OPKIDevCert.cer";
//Modifying configurations of an active certificate
MOD BTSAPPCERT: IDTYPE=BYID, BTSID=0, APPTYPE=IKE, APPCERT="OPKIDevCert.cer";
//Setting a periodic certificate validity check task
SET BTSCERTCHKTSK: IDTYPE=BYID, BTSID=0, ISENABLE=ENABLE, PERIOD=7, ALMRNG=30, UPDATEMETHOD=CMP;
//(Optional) Downloading a CRL from the operator's certificate & CRL database
DLD BTSCERTFILE: IDTYPE=BYID, BTSID=0, IP="10.86.86.86", USR="admin", PWD="*****", SRCF="BTS.crl", DSTF="BTS.crl", CT=CRL;
//(Optional) Adding a CRL (ADD BTSCRL adds the CRL file; see Step 10)
ADD BTSCRL: IDTYPE=BYID, BTSID=0, CERTNAME="BTS.crl";
//(Optional) Setting a CRL usage policy (SET BTSCRLPOLICY sets the policy; see Step 11)
SET BTSCRLPOLICY: IDTYPE=BYID, BTSID=0, CRLPOLICY=NOVERIFY;
//(Optional) Adding a periodic CRL download task
ADD BTSCRLTSK: IDTYPE=BYID, BTSID=0, IP="10.86.86.86", USR="admin", PWD="*****", FILENAME="BTS.crl", ISCRLTIME=DISABLE, PERIOD=24, TSKID=0, CRLGETMETHOD=FTP;
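The GBTS script above can be parsed and checked mechanically before it is pushed to a site. The following is an added example, not code from the document or from Huawei: the sample script is constructed from the document's commands, and the checks it applies (CRLPOLICY=NOVERIFY, which chapter 10 defines as performing no CRL-based certificate check; a 1024-bit RSA key request; a validity check task that is not enabled) and their thresholds are this example's assumptions.

```python
"""Parse MML PKI commands and flag settings that weaken certificate checking.

Added example; not code from the document or from Huawei. It handles the
command shape shown in the document's examples:
    VERB OBJECT: KEY=VALUE, KEY="quoted, value", KEY=FLAG-1&FLAG-1;
Comment lines start with //.
"""
import re
from typing import Dict, List, Tuple

Command = Tuple[str, Dict[str, str]]

# Constructed sample script, modelled on the document's GBTS examples.
SAMPLE_SCRIPT = """
//Modifying configurations of a certificate request template
MOD BTSCERTREQ: IDTYPE=BYID, BTSID=0, COMMNAME=ESN, USERADDINFO=".huawei.com",
KEYUSAGE=DATA_ENCIPHERMENT-1&DIGITAL_SIGNATURE-1, SIGNALG=SHA256, KEYSIZE=KEYSIZE1024;
//Adding an operator's CA (the CA name carries commas inside the quotes)
ADD BTSCA: IDTYPE=BYID, BTSID=0, CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256;
//Setting a periodic certificate validity check task
SET BTSCERTCHKTSK: IDTYPE=BYID, BTSID=0,ISENABLE=ENABLE, PERIOD=7, ALMRNG=30, UPDATEMETHOD=CMP;
//Setting a CRL usage policy
SET BTSCRLPOLICY: IDTYPE=BYID, BTSID=0, CRLPOLICY=NOVERIFY;
"""

# KEY=value where value is either "quoted" (may contain commas) or bare up to the next comma.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,]*))')


def _split_statements(script: str) -> List[str]:
    """Drop // comment lines, then split on ';' characters that sit outside quotes."""
    text = "\n".join(
        line for line in script.splitlines() if not line.lstrip().startswith("//")
    )
    statements: List[str] = []
    buf: List[str] = []
    in_quote = False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            statements.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    statements.append("".join(buf))
    return [s.strip() for s in statements if s.strip()]


def parse_mml(script: str) -> List[Command]:
    """Return [(verb_object, {PARAM: value}), ...], one entry per command."""
    commands: List[Command] = []
    for stmt in _split_statements(script):
        # The first ':' separates "VERB OBJECT" from the parameter list; later
        # colons (for example inside a URL) are part of a value.
        head, _, body = stmt.partition(":")
        verb_obj = " ".join(head.split())
        params: Dict[str, str] = {}
        for m in _PARAM_RE.finditer(body):
            quoted, bare = m.group(2), m.group(3)
            params[m.group(1).upper()] = quoted if quoted is not None else bare.strip()
        commands.append((verb_obj, params))
    return commands


def lint_pki(commands: List[Command]) -> List[str]:
    """Flag settings that weaken PKI checking. The rules below are this
    example's assumptions about what a reviewer would want raised."""
    findings: List[str] = []
    for verb_obj, p in commands:
        obj = verb_obj.split()[-1]
        # NOVERIFY: the BS performs no CRL-based certificate check (chapter 10).
        if obj.endswith("CRLPOLICY") and p.get("CRLPOLICY") == "NOVERIFY":
            findings.append(f"{verb_obj}: CRLPOLICY=NOVERIFY disables CRL-based certificate checks")
        # Assumption: a 1024-bit RSA key is below the size this lint accepts.
        if obj.endswith("CERTREQ") and p.get("KEYSIZE") == "KEYSIZE1024":
            findings.append(f"{verb_obj}: KEYSIZE1024 requests a 1024-bit key; request a larger key size")
        # A disabled check task means expiring certificates are never noticed.
        if obj.endswith("CERTCHKTSK") and p.get("ISENABLE") != "ENABLE":
            findings.append(f"{verb_obj}: periodic certificate validity check task is not enabled")
    return findings


if __name__ == "__main__":
    for finding in lint_pki(parse_mml(SAMPLE_SCRIPT)):
        print(finding)
```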
Run the MML command DSP BTSAPPCERT and check the value of Status in the query
result. If Normal is displayed, the device certificate has been loaded to the GBTS.
Run the MML command DSP BTSTRUSTCERT and check the value of Status in the query
result. If Normal is displayed, the trust certificate has been loaded to the GBTS. The
following is an example.
Run the MML command DSP BTSCRL and check the value of Status in the query result. If
Normal is displayed, the CRL has been loaded to the GBTS. The following is an example.
----End
8.8.4 Deactivation
For details, see 8.5.4 Deactivation.
Figure 8-7 Example of the secure networking for the base station controller
In the following tables, "N/A" indicates that there is no special requirement for the parameter setting.
You can set the parameter based on site requirements.
Table 8-35 lists the data to be prepared for a certificate request template (the CERTREQ MO
in MML configurations and the CERTREQ or Certificate Request Configuration MO in
CME configurations).
Parameter Name: Common Name
Parameter ID: COMMNAME (BSC6900, BSC6910)
Setting Notes: The default value of the Common Name field in a certificate request file is XXX.huawei.com (XXX indicates the ESN of the board connecting to the transport network). Therefore, the recommended value of this parameter is ESN. Currently, this parameter cannot be set to MAC or IP.
Data Source: Network plan
The base station controller must be configured with CA information to apply for a certificate
from the CA. The following table lists the data to be prepared for the CA (the CA MO in
MML configurations and the CA or Certificate Authority MO in CME configurations).
Table 8-37 lists the data to be prepared for a device certificate (the CERTMK MO in MML
configurations and the CERTMK or Device Certificate MO in CME configurations).
Table 8-38 lists the data to be prepared for an active certificate (the APPCERT MO in MML
configurations and the APPCERT or Device Certificate in Use MO in CME configurations).
Active certificates are device certificates that are currently used by a base station controller.
Table 8-39 lists the data to be prepared for a trust certificate (the TRUSTCERT MO in MML
configurations and the TRUSTCERT or Trusted Certificate MO in CME configurations).
Table 8-40 lists the data to be prepared for a periodic certificate validity check task (the
CERTCHKTSK MO in MML configurations and the CERTCHKTSK or Certificate
Validity Check Task MO in CME configurations).
Table 8-40 Data to be prepared for a periodic certificate validity check task
Parameter Name | Parameter ID | Setting Notes | Data Source
(Optional) Prepare CRL data if the base station controller needs to obtain the CRL
information from the CA. Table 8-41 lists the data to be prepared for a CRL (the CRL MO in
MML configurations and the CRL or Certificate Revocation List MO in CME
configurations).
(Optional) Prepare data related to CRL usage policies. Table 8-42 lists the data to be prepared
for these policies (the CRLPOLICY MO in MML configurations and the CRLPOLICY or
CRL Check Policy MO in CME configurations).
(Optional) Prepare data related to a periodic CRL download task. Table 8-43 lists the data to
be prepared for the task (the CRLTSK MO in MML configurations and the CRLTSK or
CRL Updating Obtaining Task MO in CME configurations).
(Optional) Prepare data to manually download an operator's root certificate or CRL from an
FTP server. Table 8-44 lists the data to be prepared for downloading a certificate file (the
DLD CERTFILE in MML configurations).
Table 8-45 Data to be prepared for applying for a device certificate based on CMPv2
Parameter Name | Parameter ID | Setting Notes | Data Source
(Optional) Prepare data to manually trigger a CMPv2-based certificate update. Table 8-46
lists the data to be prepared for updating a device certificate (the UPD DEVCERT in MML
configurations) based on CMPv2.
Table 8-46 Data to be prepared for updating a device certificate based on CMPv2
Parameter Name | Parameter ID | Setting Notes | Data Source
Step 1 Run the MML command MOD CERTREQ to modify configurations of a certificate request
template.
Step 3 Run the MML command LST APPCERT to check whether the base station controller has
been configured with a device certificate for identity authentication. If the value of
Certificate File Name in the command output is usercert.pem, the preconfigured
Huawei-issued device certificate is used. In this case, go to step 4. If the value is
hwusercert.pem, the preconfigured Huawei-issued device certificate which is bound to the
OMU ESN is used. In this case, go to step 5.
Step 4 Perform the following steps to manually configure an operator-issued device certificate for
the base station controller on the U2000:
1. Run the MML command CRE CERTREQFILE to generate the certificate request file.
2. Run the MML command ULD CERTFILE to send the local certificate request file to
the U2000 to apply for the device certificate.
3. The U2000 applies to the operator's CA for a certificate. You can manually operate the
U2000 to submit the certificate request file to the operator's CA for an operator-issued
device certificate. Then, the CA returns the operator-issued device certificate to the
U2000 by manual operation. The certificate request file and operator-issued device
certificate are saved in the following directory of the U2000: /export/home/sysm/
ftproot/ftptmp.
4. Run the MML command DLD CERTFILE to download the operator's root certificate.
5. Run the MML command ADD TRUSTCERT to add an operator's trust certificate.
6. Run the MML command DLD CERTFILE to download the requested device
certificate.
7. Run the MML command ADD CERTMK to add the device certificate to the base
station controller.
8. Go to step 6.
Step 5 Run the MML command REQ DEVCERT to apply an operator-issued device certificate for
the base station controller.
NOTE
If the certificate application succeeds, running the MML command REQ DEVCERT will return a
message about successful execution. In addition, running the MML command DSP CERTMK can
query whether a certificate has been applied.
Step 6 On the U2000, choose Security > Certificate Authentication Management > Certificate
Management. In the displayed interface, click Test to check whether SSL connection can be
established between the base station controller and the U2000.
NOTE
Bidirectional authentication is used for SSL certificate testing. That is, the base station controller and
U2000 authenticate the device certificates of each other. The SSL certificate testing result reflects
whether the certificates can be used.
Step 7 Run the MML command MOD APPCERT to modify configurations of an active certificate.
Step 8 Run the MML command SET CERTCHKTSK to set a periodic certificate validity check
task.
Step 9 (Optional) Run the MML command DLD CERTFILE to download a CRL from the
operator's certificate & CRL database.
Step 10 (Optional) Run the MML command ADD CRL to add a CRL.
Step 11 (Optional) Run the MML command SET CRLPOLICY to set a CRL usage policy.
Step 12 (Optional) Run the MML command ADD CRLTSK to add a periodic CRL download task.
----End
In addition to the preceding steps, perform the following step to manually trigger a certificate
update:
Step 1 Run the MML command UPD DEVCERT to set information about a certificate update. After
the setting takes effect, a CMPv2-based certificate update procedure is triggered.
----End
//Setting information required for the base station controller to apply for an
Run the MML command DSP CRL and check the value of Status in the query result. If
Normal is displayed, the CRL has been loaded to the base station controller.
----End
8.9.4 Deactivation
For details, see 8.5.4 Deactivation.
- Managed objects (MOs) include parameters and MML commands related to the MOs. For details,
see ECO6910 Parameter Reference.
- In the following tables, "N/A" indicates that there is no special requirement for the parameter
setting. You can set the parameter based on site requirements.
Table 8-47 lists the data to be prepared for a certificate request template (the CERTREQ MO
in MML configurations).
Parameter Name: Common Name
Parameter ID: COMMNAME
Setting Notes: The common name can only be the electronic serial number (ESN). Enumeration values such as MAC and IP are not supported. Upon the generation of a certificate request file, the value of the ESN is used as the common name of the certificate request file.
Data Source: Network plan
NOTE
There is a Common Name field in both the certificate request message sent from the U2000 to the
CA/RA and the obtained digital certificate. The value of this field is a combination of the values for
Common Name and Common Name Additional Info., for example,
03021377001000001.huawei.com.
Table 8-48 lists the data to be prepared for a device certificate (the CERTMK MO in MML
configurations).
NOTE
You can run the LST CERTFILE command to query all certificates on the eCoordinator. If the query
result shows that a certificate is inactive, run the ADD CERTMK command to activate it.
Table 8-49 lists the data to be prepared for an active certificate (the APPCERT MO in MML
configurations). Active certificates are device certificates that are currently used by the
eCoordinator.
Parameter Name: Application Type
Parameter ID: APPTYPE
Setting Notes: This parameter must be set to SSL because the eCoordinator does not support IKE currently.
Data Source: Network plan
Parameter Name: Certificate File Name
Parameter ID: APPCERT
Setting Notes: The certificate file name must have been configured in a CERTMK MO.
Table 8-50 lists the data to be prepared for a trust certificate (the TRUSTCERT MO in MML
configurations).
Table 8-51 lists the data to be prepared for a periodic certificate validity check task (the
CERTCHKTSK MO in MML configurations).
Table 8-51 Data to be prepared for a periodic certificate validity check task
(Optional) If the eCoordinator needs to obtain CRL information from the CA, the following
data must be prepared:
- Data to be prepared for a CRL (the CRL MO in MML configurations). For details, see
Table 8-52.
- Data to be prepared for CRL usage policies (the CRLPOLICY MO in MML
configurations). For details, see Table 8-53.
- Data to be prepared for a periodic CRL download task (the CRLTSK MO in MML
configurations). For details, see Table 8-54.
(Optional) Prepare data to manually download an operator's root certificate or CRL from an
FTP server. Table 8-55 lists the data to be prepared for downloading a certificate file (the
CERTFILE MO in MML configurations).
Step 1 For details, see Operation and Maintenance > Security Management > Data Management
> Configuring Digital Certificates > Importing CA Certificates in U2000 Product
Documentation.
Step 2 Configure and activate an operator-issued device certificate. For details, see Operation and
Maintenance > Security Management > Data Management > Configuring Digital
Certificates > Manually Installing a Device Certificate in U2000 Product Documentation.
Step 3 Obtain a CRL. For details, see Operation and Maintenance > Security Management > Data
Management > Obtaining the Certificate Revocation List in U2000 Product Documentation.
----End
Step 1 Run the MML command MOD CERTREQ to modify configurations of a certificate request
template.
Step 2 Run the MML command CRE CERTREQFILE to generate the certificate request file.
Step 3 Run the MML command ULD CERTFILE to upload the certificate request file to the
U2000.
Step 4 O&M personnel submit the certificate request file uploaded to the U2000 in Step 3 to the
operator's CA, obtain the operator-issued device certificate from the operator's CA, and save
the device certificate to the U2000. The certificate request file and operator-issued device
certificate are saved in the following directory of the U2000: /export/home/sysm/ftproot/
ftptmp.
Step 5 Run the MML command DLD CERTFILE to download the operator's root certificate from
the U2000 to the eCoordinator.
Step 6 Run the MML command ADD TRUSTCERT to add the operator's trust certificate.
Step 7 Run the MML command DLD CERTFILE to download the operator-issued device
certificate to the eCoordinator.
Step 8 Run the MML command ADD CERTMK to add the operator-issued device certificate to the
eCoordinator.
Step 9 On the U2000, choose Security > Certificate Authentication Management > Certificate
Management. In the certificate management window, select the requested operator-issued
device certificate. Click Test to test whether an SSL connection can be established between
the eCoordinator and the U2000 by using this device certificate.
NOTE
Bidirectional authentication is used for SSL certificate testing. That is, the eCoordinator and U2000
authenticate the device certificates of each other. The SSL certificate testing result reflects whether the
certificates can be used.
Step 10 Run the MML command MOD APPCERT to modify configurations of an active certificate.
Step 11 Run the MML command SET CERTCHKTSK to set a periodic certificate validity check
task.
Step 12 (Optional) Run the MML command DLD CERTFILE to download a CRL from the
operator's certificate & CRL database.
Step 13 (Optional) Run the MML command ADD CRL to add a CRL.
Step 14 (Optional) Run the MML command SET CRLPOLICY to set a CRL usage policy.
Step 15 (Optional) Run the MML command ADD CRLTSK to add a periodic CRL download task.
----End
Step 1 Run the MML command DSP APPCERT to check the status of device certificates. If the
values of Certificate File Name, Issuer, and Common Name are correct and the value of
Status is Normal, the device certificate has been loaded to the eCoordinator.
Step 2 Run the MML command DSP TRUSTCERT to check the status of trust certificates. If the
value of Status is Normal in the query result, the trust certificate has been loaded to the
eCoordinator.
Step 3 (Optional) Run the MML command DSP CRL to check the CRL status. If the value of Status
is Normal in the query result, the CRL has been loaded to the eCoordinator.
----End
8.10.4 Deactivation
This feature does not need to be deactivated.
NOTE
This section only describes how to deploy PKI redundancy by using the MML commands or the CME.
For details about how to deploy PKI on the U2000 client, see the U2000 Help.
A UMDU can be used in a co-MPT multimode base station in the secure networking shown in Figure
8-10. However, a UMDU cannot be used in a separate-MPT multimode base station.
(Optional) The following table lists the additional data to be prepared for a periodic CRL
download task.
UPDSIP="10.31.31.188", INITREQURL="http://10.89.89.89:80/pkix/", INITREQSIP="10.20.20.188", SLVURL="http://10.98.98.98:80/pkix/", SLVINITREQURL="http://10.99.99.99:80/pkix/";
//If the base station can access the CA either through an external network or through the intranet and O&M data is not protected by IPsec, you are advised to set the source IP addresses for certificate application and update to an interface IP address and an intranet IP address (for example, 10.45.45.45), respectively. The following is an example:
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1", URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE=CFG_INIT_UPD_ADDR, UPDSIP="10.45.45.45", INITREQURL="http://10.89.89.89:80/pkix/", INITREQSIP="10.20.20.188", SLVURL="http://10.98.98.98:80/pkix/", SLVINITREQURL="http://10.99.99.99:80/pkix/";
//If the base station can access the CA only through an external network, you are advised to set the source IP addresses for both certificate application and update to interface IP addresses. The following is an example:
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1", URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE=CFG_INIT_UPD_ADDR, UPDSIP="10.20.20.188", INITREQURL="http://10.89.89.89:80/pkix/", INITREQSIP="10.20.20.188", SLVURL="http://10.98.98.98:80/pkix/", SLVINITREQURL="http://10.99.99.99:80/pkix/", CERTREQSW=DEFAULT;
//(Optional) Adding a periodic CRL download task
ADD CRLTSK: IP="10.86.86.86", USR="admin", PWD="*****", FILENAME="eNodeB.crl", ISCRLTIME=DISABLE, PERIOD=24, TSKID=0, CRLGETMETHOD=FTP, SLVIP="10.96.96.96", SLVUSR="admin2", SLVPWD="*****";
----End
8.11.4 Deactivation
Step 1 Run the MML command RMV CA to remove the CA.
Step 2 (Optional) Run the MML command RMV CRLTSK to remove the task of automatically
updating CRL whose CRLGETMETHOD is set to LDAP.
----End
(Optional) The following table lists the additional data to be prepared for a periodic CRL
download task.
----End
8.12.4 Deactivation
Step 1 Run the MML command RMV CA to remove the CA.
Step 2 (Optional) Run the MML command RMV CRLTSK to remove the task of automatically
updating CRL whose CRLGETMETHOD is set to LDAP.
----End
Figure 8-11 Example of reconstructing a PKI-based secure network into a PKI redundancy network on the
eGBTS, NodeB, eNodeB, or multimode base station
NOTE
A UMDU can be used in a co-MPT multimode base station in the secure networking shown in Figure
8-11. However, a UMDU cannot be used in a separate-MPT multimode base station.
General Procedure
Data Planning
In addition to the original configuration data, you need to configure data for the standby CA
and standby CRL server.
The following table lists the data to be prepared for the standby CA.
(Optional) The following table lists the data to be prepared for a periodic CRL download task.
For details about how to modify PKI redundancy configurations, see 8.5.2.1 Using the CME.
1. On the main menu of the U2000, click in the upper left corner.
2. On the Application Center tab page, double-click the CME icon to start the CME.
3. On the CME, choose CM Express > Planned Area, and click to export the
incremental script.
4. In the Export Incremental Scripts dialog box, choose a specific base station to which
the script is exported, specify Output Path and Script Executor Operation, and click
OK.
5. On the displayed Script Executor page, observe the export progress.
Activation Observation
For details, see section 8.11.3 Activation Observation.
Figure 8-12 Example of reconstructing a PKI-based secure network into a PKI redundancy
network on the base station controller
General Procedure
Data Planning
In addition to the original configuration data, you need to configure data for the standby CA
and standby CRL server.
The following table lists the data to be prepared for the standby CA.
(Optional) The following table lists the data to be prepared for a periodic CRL download task.
Parameter Name: Slave User Name
Parameter ID: SLVUSR (BSC6910, BSC6900)
Setting Notes: This parameter needs to be set when PKI redundancy is enabled.
Data Source: Network plan
Parameter Name: Slave Port No.
Parameter ID: SLVPORT (BSC6910, BSC6900)
Setting Notes: This parameter can be set only when PKI redundancy is enabled.
Data Source: Network plan
3. On the CME, choose CM Express > Planned Area, and click to export the
incremental script.
4. In the Export Incremental Scripts dialog box, choose a specific base station controller
to which the script is exported, specify Output Path and Script Executor Operation,
and click OK.
5. On the displayed Script Executor page, observe the export progress.
6. After the export is complete, restart the base station controller to make the script take
effect.
Activation Observation
For details, see section 8.12.3 Activation Observation.
8.15 Reconfiguration
In Certificate Authority Name, the S and ST fields are regarded as the same field. Services
can be properly provided if the S field is used at one end but the ST field is used at the peer
end.
To reconfigure the S or ST field, perform the following steps:
----End
MML command examples are as follows:
RMV CA:CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd, CN=eca1";
ADD CA:CANAME="C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=eca1", URL="http://10.88.88.88:80/pkix/";
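The S/ST equivalence above, together with the Common Name rule (Common Name + Common Name Additional Info, for example 03021377001000001.huawei.com) used throughout the data planning tables, can be checked before a CANAME or certificate request is committed. The following is an added example, not code from the document or from Huawei; the DN strings it handles are the two spellings the document shows ("C = AU, S = ..." and "C=AU, ST=..."), and the helper names and the unescaped-comma assumption are this example's own.

```python
"""Compare CA names treating S and ST as the same field, and check that a
subject Common Name follows the ESN + Common Name Additional Info rule.

Added example; not code from the document or from Huawei.
"""
from typing import List, Tuple

# Attribute types the document says are regarded as the same field.
_ALIASES = {"ST": "S"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C = AU, S = Some-State, CN = eca1' into [(type, value), ...].

    Attribute types are upper-cased and S/ST folded together; spacing around
    '=' and ',' is ignored. Assumption: values contain no escaped commas,
    which holds for every CANAME in the document.
    """
    pairs: List[Tuple[str, str]] = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, _, val = rdn.partition("=")
        typ = typ.strip().upper()
        pairs.append((_ALIASES.get(typ, typ), val.strip()))
    return pairs


def same_ca_name(a: str, b: str) -> bool:
    """True when two CANAME strings denote the same CA (order-sensitive,
    S and ST interchangeable, whitespace around separators ignored)."""
    return parse_dn(a) == parse_dn(b)


def expected_common_name(esn: str, additional_info: str = ".huawei.com") -> str:
    """Common Name field = Common Name (the ESN) + Common Name Additional Info."""
    return esn + additional_info


def subject_cn_matches(subject_dn: str, esn: str, additional_info: str = ".huawei.com") -> bool:
    """True when the subject carries exactly one CN equal to ESN + additional info."""
    cns = [v for t, v in parse_dn(subject_dn) if t == "CN"]
    return cns == [expected_common_name(esn, additional_info)]


def reconfigure_ca_commands(current: str, new: str, url: str) -> List[str]:
    """Build the RMV CA / ADD CA pair used to switch between S and ST.

    Refuses to build the pair when the new name identifies a different CA,
    so a typo cannot silently replace the trust anchor's CA entry.
    """
    if not same_ca_name(current, new):
        raise ValueError("new CANAME identifies a different CA")
    return [f'RMV CA:CANAME="{current}";', f'ADD CA:CANAME="{new}", URL="{url}";']


if __name__ == "__main__":
    old = "C=AU, S=Some-State, O=Internet Widgits Pty Ltd, CN=eca1"
    new = "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=eca1"
    for cmd in reconfigure_ca_commands(old, new, "http://10.88.88.88:80/pkix/"):
        print(cmd)
```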
9.3 Deployment
9.3.1 Process
Figure 9-1 shows the process of deploying Digital Certificate Whitelist Management.
9.3.2 Requirements
Other Features
For details, see 6 Related Features.
Hardware
- For an eGBTS, only the Ethernet ports on the UMPT, BBU3910A, and UTRPc support
this feature.
- For a NodeB, only the UMPT, BBU3910A, and UTRPc support this feature.
- For an LTE FDD eNodeB, only the UMPT, BBU3910A, LMPT, and UTRPc support this
feature.
License
Feature ID | Feature Name | License Control Item ID | License Control Item Name | NE | Sales Unit
Other Requirements
SeGWs must be Huawei devices and support Digital Certificate Whitelist Management.
9.3.3 Precautions
None
Parameter Name: Password; Parameter ID: PWD
Parameter Name: Gauge Option; Parameter ID: GA
Single configuration: CME Management > CME Guidelines > Getting Started with the CME > Introduction to Data Configuration Operations
Batch eGBTS configuration: CME Management > CME Guidelines > GSM Application Management > Base Station Related Operations > Importing and Exporting eGBTS Data for Batch Reconfiguration
Batch NodeB configuration: CME Management > CME Guidelines > UMTS Application Management > NodeB Related Operations > Importing and Exporting NodeB Data for Batch Configuration
Batch eNodeB configuration: CME Management > CME Guidelines > LTE Application Management > eNodeB Related Operations > Importing and Exporting eNodeB Data for Batch Configuration
This section describes how to activate a digital certificate whitelist using MML commands on
the base station.
Step 1 Run the DLD CERTFILE command to download a digital certificate whitelist from the
U2000 to the base station.
Step 2 Run the ACT CERTWHITELSTFILE command to activate the digital certificate whitelist.
Step 3 Run the SET CERTCFG command to turn on the IKE check switch.
----End
Step 1 Run the DSP IPSECSA command to check the IPsec SA status.
Step 2 Check whether services protected by the IPsec tunnel are normal.
• Initiate a voice service and a data service and then check whether the two services are running normally.
• Check whether the corresponding base station is online on the topology view of the U2000.
----End
9.3.6 Deactivation
Table 9-4 lists the data to be prepared for deactivating this feature.
10 Parameters
LOCAL BTS390 MOD LOFD-0 Public Meaning: Indicates the IP address of the subject
IP 0, CERTR 03010 / Key alternative name of a certificate.
BTS390 EQ TDLOF Infrastru GUI Value Range: Valid IP address
0 LST D-00301 cture(P
WCDM 0 KI) Unit: None
CERTF
A, ILE Actual Value Range: Valid IP address
BTS390 GBFD-1 BTS
LST 13526 Supporti Default Value: 0.0.0.0
0 LTE
CERTR ng PKI
EQ WRFD-
140210 NodeB
PKI
Support
CRLPO BTS390 SET LOFD-0 Public Meaning: Indicates the policy type. There are three
LICY 0, CRLPO 03010 / Key policies using CRLs: (1) The BS does not perform
BTS390 LICY TDLOF Infrastru CRL-based certificate checks. (2) The BS performs
0 LST D-00301 cture(P CRL-based certificate checks and reports alarms when
WCDM CRLPO 0 KI) the checks fail. (3) The BS performs CRL-based
A, LICY certificate checks, and it reports alarms and
BTS390 GBFD-1 BTS disconnects from the peer device when the checks fail.
0 LTE 13526 Supporti The value NOVERIFY indicates that the BS does not
ng PKI perform CRL-based certificate checks on the peer
WRFD-
140210 NodeB device. The value ALARM indicates that the BS
PKI performs CRL-based certificate checks on the peer
Support device and reports ALM-26832 Peer Certificate
Expiry if the peer certificate has been revoked. The
value DISCONNECT indicates that the BS performs
CRL-based certificate checks on the peer device. If
the BS finds that the peer certificate has been revoked,
the BS stops the link negotiation with the peer device
and reports ALM-26832 Peer Certificate Expiry. If the
BS finds that the CRL expires, the BS stops the link
negotiation with the peer device.
GUI Value Range: NOVERIFY(No Verifying),
ALARM(Send an Alarm If Verifying CRL Failed),
DISCONNECT(Disconnect If Verifying CRL Failed)
Unit: None
Actual Value Range: NOVERIFY, ALARM,
DISCONNECT
Default Value: NOVERIFY(No Verifying)
DEPLO BTS390 SET LOFD-0 Public Meaning: Indicates the deployment position of a
YTYPE 0, CERTD 03010 / Key digital certificate. If this parameter is set to
BTS390 EPLOY TDLOF Infrastru DEFAULT, the certificate is configured on the main
0 LST D-00301 cture(P control board. If this parameter is set to SPECIFIC,
WCDM CERTD 0 KI) the certificate is configured on the board in the
A, EPLOY specified slot. If this parameter is set to NULL, no
BTS390 GBFD-1 BTS certificate is configured on the BS.
0 LTE 13526 Supporti
ng PKI GUI Value Range: DEFAULT(Default),
WRFD- SPECIFIC(Specific), NULL(NULL)
140210 NodeB Unit: None
PKI
Support Actual Value Range: DEFAULT, SPECIFIC, NULL
Default Value: DEFAULT(Default)
DEPLO BSC690 SET GBFD-1 BTS Meaning: Deploying position type of the BTS
YTYPE 0 BTSCE 13526 Supporti certificate.
RTDEP ng PKI GUI Value Range: DEFAULT(Default Position),
LOY SPECIFIC(Specifig Position), NULL(No Certification
Deploy)
Unit: None
Actual Value Range: DEFAULT, SPECIFIC, NULL
Default Value: NULL(No Certification Deploy)
DEPLO BSC691 SET GBFD-1 BTS Meaning: Deploying position type of the BTS
YTYPE 0 BTSCE 13526 Supporti certificate.
RTDEP ng PKI GUI Value Range: DEFAULT(Default Position),
LOY SPECIFIC(Specifig Position), NULL(No Certification
Deploy)
Unit: None
Actual Value Range: DEFAULT, SPECIFIC, NULL
Default Value: NULL(No Certification Deploy)
CN BTS390 SET LOFD-0 Public Meaning: Indicates the number of the cabinet where a
0, CERTD 03010 / Key board is located.
BTS390 EPLOY TDLOF Infrastru GUI Value Range: 0~7
0 LST D-00301 cture(P
WCDM 0 KI) Unit: None
CERTD
A, EPLOY Actual Value Range: 0~7
BTS390 WRFD- NodeB
140210 PKI Default Value: 0
0 LTE
Support
CN BSC690 SET GBFD-1 O&M of Meaning: Number of the cabinet where the BTS board
0 BTSCE 11202 BTS is located.
RTDEP GUI Value Range: 0~62
LOY
Unit: None
Actual Value Range: 0~62
Default Value: None
CN BSC691 SET GBFD-1 O&M of Meaning: Number of the cabinet where the BTS board
0 BTSCE 11202 BTS is located.
RTDEP GUI Value Range: 0~62
LOY
Unit: None
Actual Value Range: 0~62
Default Value: None
SRN BTS390 SET LOFD-0 Public Meaning: Indicates the number of the subrack where a
0, CERTD 03010 / Key board is located.
BTS390 EPLOY TDLOF Infrastru GUI Value Range: 0~1
0 LST D-00301 cture(P
WCDM 0 KI) Unit: None
CERTD
A, EPLOY Actual Value Range: 0~1
BTS390 WRFD- NodeB
140210 PKI Default Value: 0
0 LTE
Support
SRN BSC690 SET GBFD-1 O&M of Meaning: Number of the subrack where the BTS
0 BTSCE 11202 BTS board is located.
RTDEP GUI Value Range: 0~254
LOY
Unit: None
Actual Value Range: 0~254
Default Value: None
SRN BSC691 SET GBFD-1 O&M of Meaning: Number of the subrack where the BTS
0 BTSCE 11202 BTS board is located.
RTDEP GUI Value Range: 0~254
LOY
Unit: None
Actual Value Range: 0~254
Default Value: None
SN BTS390 SET LOFD-0 Public Meaning: Indicates the number of the slot where a
0, CERTD 03010 / Key board is located.
BTS390 EPLOY TDLOF Infrastru GUI Value Range: 0~7
0 LST D-00301 cture(P
WCDM 0 KI) Unit: None
CERTD
A, EPLOY Actual Value Range: 0~7
BTS390 WRFD- NodeB
140210 PKI Default Value: 0
0 LTE
Support
SN BSC691 SET GBFD-1 O&M of Meaning: Number of the slot where the BTS board is
0 BTSCE 11202 BTS located.
RTDEP GUI Value Range: 0~23
LOY
Unit: None
Actual Value Range: 0~23
Default Value: None
SN BSC690 SET GBFD-1 O&M of Meaning: Number of the slot where the BTS board is
0 BTSCE 11202 BTS located.
RTDEP GUI Value Range: 0~23
LOY
Unit: None
Actual Value Range: 0~23
Default Value: None
ISENA BTS390 SET LOFD-0 Public Meaning: Indicates whether a task of certificate
BLE 0, CERTC 03010 / Key validity checking is started.
BTS390 HKTSK TDLOF Infrastru GUI Value Range: DISABLE(Disable),
0 LST D-00301 cture(P ENABLE(Enable)
WCDM CERTC 0 KI)
A, Unit: None
HKTSK GBFD-1 BTS
BTS390 Actual Value Range: DISABLE, ENABLE
0 LTE 13526 Supporti
ng PKI Default Value: ENABLE(Enable)
WRFD-
140210 NodeB
PKI
Support
PERIO BTS390 SET LOFD-0 Public Meaning: Indicates the interval between certificate
D 0, CERTC 03010 / Key validity checking tasks.
BTS390 HKTSK TDLOF Infrastru GUI Value Range: 1~15
0 LST D-00301 cture(P
WCDM 0 KI) Unit: day
CERTC
A, HKTSK Actual Value Range: 1~15
BTS390 GBFD-1 BTS
13526 Supporti Default Value: 7
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
ALMR BTS390 SET LOFD-0 Public Meaning: Indicates the threshold for a certificate
NG 0, CERTC 03010 / Key expiration alarm. If the base station detects that the
BTS390 HKTSK TDLOF Infrastru interval between its current time and the expiration
0 LST D-00301 cture(P date of an activated device certificate is shorter than
WCDM CERTC 0 KI) the threshold, an Imminent Certificate Expiry alarm is
A, HKTSK reported.
BTS390 GBFD-1 BTS
13526 Supporti GUI Value Range: 7~180
0 LTE
ng PKI Unit: day
WRFD-
140210 NodeB Actual Value Range: 7~180
PKI Default Value: 30
Support
UPDAT BSC690 SET GBFD-1 BSC Meaning: Update policy for an expired certificate. If
EMET 0 CERTC 60211 Supporti PROXY or MANUAL is selected, the system will
HOD HKTSK ng PKI disable the automatic device certificate update
function. In this case, you need to manually update the
device certificate.
GUI Value Range: PROXY(Proxy), CMP(CMP),
MANUAL(Manual)
Unit: None
Actual Value Range: PROXY, CMP, MANUAL
Default Value: PROXY(Proxy)
UPDAT BSC691 SET GBFD-1 BSC Meaning: Update policy for an expired certificate. If
EMET 0 CERTC 60211 Supporti PROXY or MANUAL is selected, the system will
HOD HKTSK ng PKI disable the automatic device certificate update
function. In this case, you need to manually update the
device certificate.
GUI Value Range: PROXY(Proxy), CMP(CMP),
MANUAL(Manual)
Unit: None
Actual Value Range: PROXY, CMP, MANUAL
Default Value: PROXY(Proxy)
UPDAT BTS390 SET LOFD-0 Public Meaning: Indicates the method for updating a
EMET 0, CERTC 03010 / Key certificate that has expired or is about to expire. There
HOD BTS390 HKTSK TDLOF Infrastru are three methods: PROXY, CMP and MANUAL. If
0 LST D-00301 cture(P the PROXY method is used, the BS uses the U2000 as
WCDM CERTC 0 KI) the proxy to update the certificate from the Certificate
A, HKTSK Authority (CA). If the CMP method is used, the BS
BTS390 GBFD-1 BTS directly updates the certificate from the CA. If the
0 LTE 13526 Supporti MANUAL method is used, the certificate needs to be
ng PKI updated manually instead of automatically.
WRFD-
140210 NodeB GUI Value Range: PROXY(Proxy), CMP(CMP),
PKI MANUAL(Manual)
Support Unit: None
Actual Value Range: PROXY, CMP, MANUAL
Default Value: CMP(CMP)
UPDAT BSC690 SET GBFD-1 BTS Meaning: Certificate updating mode used when the
EMET 0 BTSCE 13526 Supporti certificate detecting task detects that a certificate has
HOD RTCH ng PKI expired or is about to expire. There are two modes:
KTSK PROXY and CMP. In the PROXY mode, the BTS
updates the certificate through the CA on the U2000.
In CMP mode, the BTS updates the certificate through
the CA configured by the user.
GUI Value Range: PROXY(Proxy), CMP(CMP)
Unit: None
Actual Value Range: PROXY, CMP
Default Value: PROXY(Proxy)
UPDAT BSC691 SET GBFD-1 BTS Meaning: Certificate updating mode used when the
EMET 0 BTSCE 13526 Supporti certificate detecting task detects that a certificate has
HOD RTCH ng PKI expired or is about to expire. There are two modes:
KTSK PROXY and CMP. In the PROXY mode, the BTS
updates the certificate through the CA on the U2000.
In CMP mode, the BTS updates the certificate through
the CA configured by the user.
GUI Value Range: PROXY(Proxy), CMP(CMP)
Unit: None
Actual Value Range: PROXY, CMP
Default Value: PROXY(Proxy)
APPCE BTS390 ADD LOFD-0 Public Meaning: Indicates the file name of a device
RT 0, CERT 03010 / Key certificate. The file name cannot include any of the
BTS390 MK TDLOF Infrastru following characters: backslashes (\), slashes (/),
0 DSP D-00301 cture(P colons (:), asterisks (*), question marks (?), double
WCDM CERT 0 KI) quotation marks ("), left angle brackets (<), right angle
A, MK brackets (>), and bars (|).
BTS390 GBFD-1 BTS
MOD 13526 Supporti GUI Value Range: 1~64 characters
0 LTE
CERT ng PKI Unit: None
MK WRFD-
140210 NodeB Actual Value Range: 1~64 characters
REQ PKI Default Value: None
DEVCE Support
RT
RMV
CERT
MK
UPD
DEVCE
RT
DSP
CMPSE
SSION
LST
CERT
MK
KEYSI BTS390 MOD LOFD-0 Public Meaning: Indicates the length of a key, which can be
ZE 0, CERTR 03010 / Key 1024 bits or 2048 bits.
BTS390 EQ TDLOF Infrastru GUI Value Range: KEYSIZE1024(KEYSIZE1024),
0 UPD D-00301 cture(P KEYSIZE2048(KEYSIZE2048)
WCDM DEVCE 0 KI)
A, Unit: None
RT GBFD-1 BTS
BTS390 Actual Value Range: KEYSIZE1024, KEYSIZE2048
0 LTE LST 13526 Supporti
CERTR ng PKI Default Value: KEYSIZE2048(KEYSIZE2048)
EQ WRFD-
140210 NodeB
PKI
Support
IP BTS390 ADD LOFD-0 Public Meaning: Indicates the IP address of the master FTP
0, CRLTS 03010 / Key server or master LDAP server.
BTS390 K TDLOF Infrastru GUI Value Range: Valid IP address
0 LST D-00301 cture(P
WCDM 0 KI) Unit: None
CRLTS
A, K Actual Value Range: Valid IP address
BTS390 GBFD-1 BTS
13526 Supporti Default Value: None
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
CRLGE BTS390 ADD LOFD-0 Public Meaning: Indicates the method using which the BS
TMET 0, CRLTS 03010 / Key periodically obtains a CRL.
HOD BTS390 K TDLOF Infrastru GUI Value Range: FTP(FTP), LDAP(LDAP)
0 LST D-00301 cture(P
WCDM 0 KI) Unit: None
CRLTS
A, K Actual Value Range: FTP, LDAP
BTS390 GBFD-1 BTS
13526 Supporti Default Value: FTP(FTP)
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
SEARC BTS390 ADD LOFD-0 Public Meaning: Indicates the name of a node found in an
HDN 0, CRLTS 03010 / Key LDAP server.
BTS390 K TDLOF Infrastru GUI Value Range: 0~255 characters
0 LST D-00301 cture(P
WCDM 0 KI) Unit: None
CRLTS
A, K Actual Value Range: 0~255 characters
BTS390 GBFD-1 BTS
13526 Supporti Default Value: NULL(empty string)
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
PORT BTS390 ADD LOFD-0 Public Meaning: Indicates the port number of an LDAP
0, CRLTS 03010 / Key server.
BTS390 K TDLOF Infrastru GUI Value Range: 0~65535
0 LST D-00301 cture(P
WCDM 0 KI) Unit: None
CRLTS
A, K Actual Value Range: 0~65535
BTS390 GBFD-1 BTS
13526 Supporti Default Value: 389
0 LTE
ng PKI
WRFD-
140210 NodeB
PKI
Support
ISCRL BTS390 ADD LOFD-0 Public Meaning: Indicates whether to update the CRL at the
TIME 0, CRLTS 03010 / Key next update time specified in the CRL that is obtained
BTS390 K TDLOF Infrastru during the latest update. If this parameter is set to
0 LST D-00301 cture(P ENABLE, the BS automatically updates the CRL
WCDM CRLTS 0 KI) when the next update time specified in the CRL
A, K arrives. If this parameter is set to DISABLE, the BS
BTS390 GBFD-1 BTS automatically updates the CRL based on the
0 LTE 13526 Supporti configured updating period.
ng PKI
WRFD- GUI Value Range: DISABLE(Disable),
140210 NodeB ENABLE(Enable)
PKI Unit: None
Support
Actual Value Range: DISABLE, ENABLE
Default Value: DISABLE(Disable)
PERIO BTS390 ADD LOFD-0 Public Meaning: Indicates the interval at which the BS
D 0, CRLTS 03010 / Key automatically obtains the CRL from the FTP server or
BTS390 K TDLOF Infrastru LDAP server.
0 LST D-00301 cture(P GUI Value Range: 8~240
WCDM CRLTS 0 KI)
A, Unit: h
K GBFD-1 BTS
BTS390 Actual Value Range: 8~240
0 LTE 13526 Supporti
ng PKI Default Value: 24
WRFD-
140210 NodeB
PKI
Support
CONN BTS390 ADD None None Meaning: Indicates whether to use the SSL to protect
MODE 0, CRLTS the security of the connection.
BTS390 K GUI Value Range: PLAINTEXT(Plaintext),
0 LST SSL(SSL)
WCDM CRLTS
A, Unit: None
K
BTS390 Actual Value Range: PLAINTEXT, SSL
0 LTE Default Value: PLAINTEXT(Plaintext)
CONN BSC690 ADD GBFD-1 BSC Meaning: Mode of connection to the CRL server.
MODE 0 CRLTS 60211 Supporti GUI Value Range: PLAINTEXT(Plaintext),
K ng PKI SSL(SSL)
Unit: None
Actual Value Range: PLAINTEXT, SSL
Default Value: PLAINTEXT(Plaintext)
CONN BSC691 ADD GBFD-1 BSC Meaning: Mode of connection to the CRL server.
MODE 0 CRLTS 60211 Supporti GUI Value Range: PLAINTEXT(Plaintext),
K ng PKI SSL(SSL)
Unit: None
Actual Value Range: PLAINTEXT, SSL
Default Value: PLAINTEXT(Plaintext)
AUTHP BTS390 ADD None None Meaning: Indicates whether to authenticate the
EER 0, CRLTS certificate of the peer end when SSL connection is
BTS390 K used.
0 LST GUI Value Range: DISABLE(Disable),
WCDM CRLTS ENABLE(Enable)
A, K
BTS390 Unit: None
0 LTE Actual Value Range: DISABLE, ENABLE
Default Value: DISABLE(Disable)
AUTHP BSC690 ADD GBFD-1 BSC Meaning: Whether to authenticate the identity of the
EER 0 CRLTS 60211 Supporti peer end.
K ng PKI GUI Value Range: DISABLE(Disable),
ENABLE(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: DISABLE(Disable)
AUTHP BSC691 ADD GBFD-1 BSC Meaning: Whether to authenticate the identity of the
EER 0 CRLTS 60211 Supporti peer end.
K ng PKI GUI Value Range: DISABLE(Disable),
ENABLE(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: DISABLE(Disable)
ENCRY BTS390 SET MRFD- Security Meaning: Indicates the transmission encryption mode
MODE 0, FTPSC 210305 Manage of the FTP client. If this parameter is set to Auto, the
BTS390 LT ment FTP client first attempts to transmit data in ciphertext.
0 LBFD-0 If the attempt fails, the FTP client automatically
LST 04003 Security
WCDM FTPSC switches the encryption mode to retransmit data in
A, Socket plaintext. Therefore, setting this parameter to Auto
LT Layer
BTS390 may pose security risks. However, if there are faults in
0 LTE transmission equipment, the FTP client does not
attempt to retransmit data in plaintext even if the FTP
server supports encrypted transmission. In this case,
the FTP connection setup fails.
GUI Value Range: Auto(Auto), Plaintext(Plaintext),
Encrypted(SSL Encrypted)
Unit: None
Actual Value Range: Auto, Plaintext, Encrypted
Default Value: Auto(Auto)
SSLCE BSC690 SET GBFD-1 O&M of Meaning: Whether the FTP client supports
RTAUT 0 FTPSC 11203 BSC authenticating the FTP server.
H LT GUI Value Range: NO(No), YES(Yes)
Unit: None
Actual Value Range: YES, NO
Default Value: NO(No)
SSLCE BTS390 SET MRFD- Security Meaning: Indicates whether the certificate
RTAUT 0, FTPSC 210305 Manage authentication mode is supported when encrypted data
H BTS390 LT ment is being transmitted.
0 LBFD-0
LST 04003 Security GUI Value Range: No(No), Yes(Yes)
WCDM FTPSC
A, Socket Unit: None
LT Layer
BTS390 Actual Value Range: No, Yes
0 LTE Default Value: No(No)
SSLCE BSC691 SET GBFD-1 O&M of Meaning: Whether the FTP client supports
RTAUT 0 FTPSC 11203 BSC authenticating the FTP server.
H LT GUI Value Range: NO(No), YES(Yes)
Unit: None
Actual Value Range: YES, NO
Default Value: NO(No)
SLVUR BSC690 ADD GBFD-1 BSC Meaning: URL of the secondary CA.
L 0 CA 60208 Supporti GUI Value Range: 1~128 characters
MOD ng PKI
Redunda Unit: None
CA
ncy Actual Value Range: 1~128 characters
Default Value: None
SLVUR BTS390 ADD None None Meaning: Indicates the slave URL of the CA. The
L 0, CA URL can be either an HTTP or HTTPS URL. The IP
BTS390 MOD address in the URL must be a valid IP address. The
0 CA default port number is 80 for HTTP or 443 for
WCDM HTTPS. If the certificate fails to be obtained using the
A, LST CA URL, the slave CA URL can be used to obtain the
BTS390 CA certificate only when this parameter is set.
0 LTE GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: NULL(empty string)
SLVUR BSC691 ADD GBFD-1 BSC Meaning: URL of the secondary CA.
L 0 CA 60208 Supporti GUI Value Range: 1~128 characters
MOD ng PKI
Redunda Unit: None
CA
ncy Actual Value Range: 1~128 characters
Default Value: None
SLVINI BTS390 ADD None None Meaning: Indicates the slave URL of the CA that is
TREQU 0, CA used during site deployment. The URL can be either
RL BTS390 MOD an HTTP or HTTPS URL. In the URL, the IP address
0 CA must be a valid IP address, and the default port
WCDM number is 80 for HTTP or 443 for HTTPS. If the
A, LST certificate fails to be obtained using the CA URL
BTS390 CA during site deployment, the slave CA URL during site
0 LTE deployment can be used to obtain the certificate only
when this parameter is set.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: NULL(empty string)
SLVIP BTS390 ADD None None Meaning: Indicates the IP address of the slave FTP
0, CRLTS server or slave LDAP server. If the certificate fails to
BTS390 K be obtained using the IP address of the master CRL
0 LST server, the IP address of the slave CRL server is used
WCDM CRLTS only when this parameter is not set to 0.0.0.0. If the IP
A, K address of the slave CRL server is used, the slave port
BTS390 number, slave user name, and slave password need be
0 LTE configured.
GUI Value Range: Valid IP address
Unit: None
Actual Value Range: Valid IP address
Default Value: 0.0.0.0
SLVIP BSC690 ADD GBFD-1 BSC Meaning: IP address of the secondary CRL server.
0 CRLTS 60208 Supporti GUI Value Range: Valid IP Address
K ng PKI
Redunda Unit: None
ncy Actual Value Range: Valid IP Address
Default Value: 0.0.0.0
SLVIP BSC691 ADD GBFD-1 BSC Meaning: IP address of the secondary CRL server.
0 CRLTS 60208 Supporti GUI Value Range: Valid IP Address
K ng PKI
Redunda Unit: None
ncy Actual Value Range: Valid IP Address
Default Value: 0.0.0.0
SLVPO BTS390 ADD None None Meaning: Indicates the port number of a slave LDAP
RT 0, CRLTS server.
BTS390 K GUI Value Range: 0~65535
0 LST
WCDM Unit: None
CRLTS
A, K Actual Value Range: 0~65535
BTS390 Default Value: 389
0 LTE
SLVPO BSC690 ADD GBFD-1 BSC Meaning: Port number of the standby CRL server.
RT 0 CRLTS 60208 Supporti This parameter does not need to be specified when
K ng PKI CRLGETMETHOD is set to FTP. The system uses the
Redunda port which is configured by command "ADD
ncy FTPSCLTDPORT" as the default port number. This
parameter must be specified when
CRLGETMETHOD is set to LDAP. The default value
is 389.
GUI Value Range: 0~65535
Unit: None
Actual Value Range: 0~65535
Default Value: None
SLVPO BSC691 ADD GBFD-1 BSC Meaning: Port number of the standby CRL server.
RT 0 CRLTS 60208 Supporti This parameter does not need to be specified when
K ng PKI CRLGETMETHOD is set to FTP. The system uses the
Redunda port which is configured by command "ADD
ncy FTPSCLTDPORT" as the default port number. This
parameter must be specified when
CRLGETMETHOD is set to LDAP. The default value
is 389.
GUI Value Range: 0~65535
Unit: None
Actual Value Range: 0~65535
Default Value: None
SLVUS BTS390 ADD None None Meaning: Indicates the user name for logging in to the
R 0, CRLTS slave FTP server or slave LDAP server.
BTS390 K GUI Value Range: 0~255 characters
0 LST
WCDM Unit: None
CRLTS
A, K Actual Value Range: 0~255 characters
BTS390 Default Value: NULL(empty string)
0 LTE
SLVUS BSC690 ADD GBFD-1 BSC Meaning: User name for accessing the secondary CRL
R 0 CRLTS 60208 Supporti server.
K ng PKI GUI Value Range: 0~128 characters
Redunda
ncy Unit: None
Actual Value Range: 0~128 characters
Default Value: None
SLVUS BSC691 ADD GBFD-1 BSC Meaning: User name for accessing the secondary CRL
R 0 CRLTS 60208 Supporti server.
K ng PKI GUI Value Range: 0~128 characters
Redunda
ncy Unit: None
Actual Value Range: 0~128 characters
Default Value: None
SLVPW BTS390 ADD None None Meaning: Indicates the password for logging in to the
D 0, CRLTS slave FTP server or slave LDAP server.
BTS390 K GUI Value Range: 0~32 characters
0
WCDM Unit: None
A, Actual Value Range: 0~32 characters
BTS390 Default Value: NULL(empty string)
0 LTE
SLVPW BSC690 ADD GBFD-1 BSC Meaning: Password for accessing the secondary CRL
D 0 CRLTS 60208 Supporti server.
K ng PKI GUI Value Range: 1~32 characters
Redunda
ncy Unit: None
Actual Value Range: 1~32 characters
Default Value: None
SLVPW BSC691 ADD GBFD-1 BSC Meaning: Password for accessing the secondary CRL
D 0 CRLTS 60208 Supporti server.
K ng PKI GUI Value Range: 1~32 characters
Redunda
ncy Unit: None
Actual Value Range: 1~32 characters
Default Value: None
SIGNA BTS390 MOD LOFD-0 Public Meaning: Indicates the signature algorithm for a
LG 0, CERTR 03010 / Key certificate request file. The signature algorithm can be
BTS390 EQ TDLOF Infrastru Secure Hash Algorithm 1 (SHA1), Message-Digest
0 LST D-00301 cture(P Algorithm 5 (MD5) or Secure Hash Algorithm 256
WCDM CERTF 0 KI) (SHA256).
A, ILE GUI Value Range: SHA1(SHA1), MD5(MD5),
BTS390 GBFD-1 BTS
LST 13526 Supporti SHA256(SHA256)
0 LTE
CERTR ng PKI Unit: None
EQ WRFD-
140210 NodeB Actual Value Range: SHA1, MD5, SHA256
PKI Default Value: SHA256(SHA256)
Support
SIGNA BSC690 MOD GBFD-1 BTS Meaning: Signature algorithm of the certificate
LG 0 BTSCE 13526 Supporti request file. Currently, the SHA1, MD5 and SHA256
RTREQ ng PKI algorithms are supported. The MD5 and SHA1
algorithms have security risks. If the Certificate
Authority (CA) supports the SHA256 algorithm, it is
recommended that SHA256 be used as the signature
algorithm of the certificate.
GUI Value Range: SHA1(SHA1), MD5(MD5),
SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, MD5, SHA256
Default Value: SHA256(SHA256)
SIGNA BSC691 MOD GBFD-1 BTS Meaning: Signature algorithm of the certificate
LG 0 BTSCE 13526 Supporti request file. Currently, the SHA1, MD5 and SHA256
RTREQ ng PKI algorithms are supported. The MD5 and SHA1
algorithms have security risks. If the Certificate
Authority (CA) supports the SHA256 algorithm, it is
recommended that SHA256 be used as the signature
algorithm of the certificate.
GUI Value Range: SHA1(SHA1), MD5(MD5),
SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, MD5, SHA256
Default Value: SHA256(SHA256)
SIGNA BSC690 MOD MRFD- Security Meaning: Signature algorithm used by the device
LG 0 CERTR 210305 Manage certificate.
EQ ment GUI Value Range: SHA1(SHA1), MD5(MD5),
SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, MD5, SHA256
Default Value: SHA256(SHA256)
SIGNA BSC691 MOD MRFD- Security Meaning: Signature algorithm used by the device
LG 0 CERTR 210305 Manage certificate.
EQ ment GUI Value Range: SHA1(SHA1), MD5(MD5),
SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, MD5, SHA256
Default Value: SHA256(SHA256)
CANA BTS390 ADD LOFD-0 Public Meaning: Indicates the name of the CA. The CA name
ME 0, CA 03010 / Key must not contain the following invalid characters:
BTS390 LST TDLOF Infrastru backslashes (\), slashes (/), colons (:), asterisks (*),
0 CA D-00301 cture(P question marks (?), double quotation marks ("), left
WCDM 0 KI) angle brackets (<), right angle brackets (>), bars (|)
A, MOD and underscores (_). Otherwise, an error occurs when
BTS390 CA GBFD-1 BTS you run the REQ DEVCERT command to apply for a
0 LTE REQ 13526 Supporti device certificate.
DEVCE ng PKI
WRFD- GUI Value Range: 1~127 characters
RT 140210 NodeB Unit: None
RMV PKI
CA Support Actual Value Range: 1~127 characters
Default Value: None
URL BTS390 ADD LOFD-0 Public Meaning: Indicates the URL of the CA. The URL can
0, CA 03010 / Key be either an HTTP or HTTPS URL. The IP address in
BTS390 MOD TDLOF Infrastru the URL must be a valid IP address. The default port
0 CA D-00301 cture(P number is 80 for HTTP or 443 for HTTPS.
WCDM 0 KI) GUI Value Range: 1~128 characters
A, LST
BTS390 CA GBFD-1 BTS Unit: None
0 LTE 13526 Supporti Actual Value Range: 1~128 characters
ng PKI
WRFD- Default Value: None
140210 NodeB
PKI
Support
URL BSC690 ADD GBFD-1 BSC Meaning: URL of the CA. The URL can be either an
0 CA 60211 Supporti HTTP or HTTPS URL. The IP address in the URL
MOD ng PKI must be a valid IPv4 address. The default port number
CA is 80 for an HTTP URL and 443 for an HTTPS URL.
GUI Value Range: 1~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
URL BSC691 ADD GBFD-1 BSC Meaning: URL of the CA. The URL can be either an
0 CA 60211 Supporti HTTP or HTTPS URL. The IP address in the URL
MOD ng PKI must be a valid IPv4 address. The default port number
CA is 80 for an HTTP URL and 443 for an HTTPS URL.
GUI Value Range: 1~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
INITRE BTS390 ADD LOFD-0 Public Meaning: Indicates the URL of the CA that is used
QURL 0, CA 03010 / Key during site deployment. The URL can be either an
BTS390 MOD TDLOF Infrastru HTTP or HTTPS URL. In the URL, the IP address
0 CA D-00301 cture(P must be a valid IP address, and the default port
WCDM 0 KI) number is 80 for HTTP or 443 for HTTPS. This
A, LST parameter is mandatory when the CA uses different
BTS390 CA GBFD-1 BTS URLs during site deployment or certificate update.
0 LTE 13526 Supporti
ng PKI GUI Value Range: 1~128 characters
WRFD- Unit: None
140210 NodeB
PKI Actual Value Range: 1~128 characters
Support Default Value: None
SIGNA BTS390 ADD LOFD-0 Public Meaning: Indicates the signature algorithm for
LG 0, CA 03010 / Key message of CMP. The signature algorithm can be
BTS390 MOD TDLOF Infrastru Secure Hash Algorithm 1 (SHA1) or Secure Hash
0 CA D-00301 cture(P Algorithm 256 (SHA256).
WCDM 0 KI) GUI Value Range: SHA1(SHA1), SHA256(SHA256)
A, LST
BTS390 CA GBFD-1 BTS Unit: None
0 LTE 13526 Supporti Actual Value Range: SHA1, SHA256
ng PKI
WRFD- Default Value: SHA256(SHA256)
140210 NodeB
PKI
Support
SIGNA BSC691 ADD GBFD-1 BSC Meaning: Signature algorithm used by the Certificate
LG 0 CA 60211 Supporti Management Protocol (CMP) to request for a
MOD ng PKI certificate. The algorithm includes SHA1 and
CA SHA256.
GUI Value Range: SHA1(SHA1), SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, SHA256
Default Value: SHA256(SHA256)
SIGNA BSC690 ADD GBFD-1 BSC Meaning: Signature algorithm used by the Certificate
LG 0 CA 60211 Supporti Management Protocol (CMP) to request for a
MOD ng PKI certificate. The algorithm includes SHA1 and
CA SHA256.
GUI Value Range: SHA1(SHA1), SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, SHA256
Default Value: SHA256(SHA256)
KEYSI BSC691 MOD MRFD- Security Meaning: Size of the key used by the device
ZE 0 CERTR 210305 Manage certificate file.When this parameter is set to
EQ ment "KEYSIZE1024", security risks exist. It is
recommended that this parameter be set to
"KEYSIZE2048".
GUI Value Range: KEYSIZE1024(1024 Bits),
KEYSIZE2048(2048 Bits)
Unit: None
Actual Value Range: KEYSIZE1024, KEYSIZE2048
Default Value: KEYSIZE2048(2048 Bits)
KEYSI BSC690 MOD MRFD- Security Meaning: Size of the key used by the device
ZE 0 CERTR 210305 Manage certificate file.When this parameter is set to
EQ ment "KEYSIZE1024", security risks exist. It is
recommended that this parameter be set to
"KEYSIZE2048".
GUI Value Range: KEYSIZE1024(1024 Bits),
KEYSIZE2048(2048 Bits)
Unit: None
Actual Value Range: KEYSIZE1024, KEYSIZE2048
Default Value: KEYSIZE2048(2048 Bits)
KEYUS BTS390 MOD LOFD-0 Public Meaning: Indicates the usage for a key, including
AGE 0, CERTR 03010 / Key KEY_AGREEMENT (key negotiation),
BTS390 EQ TDLOF Infrastru DATA_ENCIPHERMENT (data encryption),
0 LST D-00301 cture(P KEY_ENCIPHERMENT (key encryption), and
WCDM CERTF 0 KI) DIGITAL_SIGNATURE (digital signature). This
A, ILE parameter can be set to one or multiple values.
BTS390 GBFD-1 BTS
LST 13526 Supporti GUI Value Range:
0 LTE DATA_ENCIPHERMENT(DATA_ENCIPHERMEN
CERTR ng PKI
EQ WRFD- T),
140210 NodeB DIGITAL_SIGNATURE(DIGITAL_SIGNATURE),
PKI KEY_AGREEMENT(KEY_AGREEMENT),
Support KEY_ENCIPHERMENT(KEY_ENCIPHERMENT)
Unit: None
Actual Value Range: DATA_ENCIPHERMENT,
DIGITAL_SIGNATURE, KEY_AGREEMENT,
KEY_ENCIPHERMENT
Default Value: DATA_ENCIPHERMENT:ON,
DIGITAL_SIGNATURE:ON,
KEY_AGREEMENT:ON,
KEY_ENCIPHERMENT:ON
KEYUS BSC691 MOD MRFD- Security Meaning: Key usage. The options are key agreement,
AGE 0 CERTR 210305 Manage data encryption, key encryption, and digital signature.
EQ ment Each time, more than one option can be selected. At
least one usage must be selected for this parameter.
GUI Value Range: DATA_ENCIPHERMENT(Data
Encipherment), DIGITAL_SIGNATURE(Digital
Signature), KEY_AGREEMENT(Key Agreement),
KEY_ENCIPHERMENT(Key Encipherment)
Unit: None
Actual Value Range: DATA_ENCIPHERMENT,
DIGITAL_SIGNATURE, KEY_AGREEMENT,
KEY_ENCIPHERMENT
Default Value: None
KEYUS BSC690 MOD MRFD- Security Meaning: Key usage. The options are key agreement,
AGE 0 CERTR 210305 Manage data encryption, key encryption, and digital signature.
EQ ment Each time, more than one option can be selected. At
least one usage must be selected for this parameter.
GUI Value Range: DATA_ENCIPHERMENT(Data
Encipherment), DIGITAL_SIGNATURE(Digital
Signature), KEY_AGREEMENT(Key Agreement),
KEY_ENCIPHERMENT(Key Encipherment)
Unit: None
Actual Value Range: DATA_ENCIPHERMENT,
DIGITAL_SIGNATURE, KEY_AGREEMENT,
KEY_ENCIPHERMENT
Default Value: None
Parameter ID: LOCALNAME
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: MOD CERTREQ, LST CERTFILE; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the local name of a BS. This parameter is used to generate the DNS name of the subject alternative name of a certificate, to verify the peer's identification in IKE negotiation. If this parameter is not configured, the BS automatically uses the common name and its additional information to generate the DNS name.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: NULL(empty string)

Parameter ID: LOCALNAME
NE: BSC6910; MML Command: MOD CERTREQ; Feature: MRFD-210305 Security Management
Meaning: Local name of the device. If this parameter is not configured, set this parameter to the same value as "COMMNAME". If this parameter is configured, use the actually configured value. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None

Parameter ID: LOCALNAME
NE: BSC6900; MML Command: MOD CERTREQ; Feature: MRFD-210305 Security Management
Meaning: Local name of the device. If this parameter is not configured, set this parameter to the same value as "COMMNAME". If this parameter is configured, use the actually configured value. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
Parameter ID: CERTNAME
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: ADD TRUSTCERT, DSP TRUSTCERT, RMV TRUSTCERT, LST TRUSTCERT; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the file name of the trusted certificate. The file name cannot include any of the following characters: backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), double quotation marks ("), left angle brackets (<), right angle brackets (>), and bars (|).
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None
Parameter ID: IP
NE: BSC6910; MML Command: ADD CRLTSK; Feature: MRFD-210305 Security Management
Meaning: IP address of the server where the CRL file is saved.
GUI Value Range: Valid IP Address
Unit: None
Actual Value Range: Valid IP Address
Default Value: None

Parameter ID: IP
NE: BSC6900; MML Command: ADD CRLTSK; Feature: MRFD-210305 Security Management
Meaning: IP address of the server where the CRL file is saved.
GUI Value Range: Valid IP Address
Unit: None
Actual Value Range: Valid IP Address
Default Value: None

Parameter ID: USR
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: ADD CRLTSK, LST CRLTSK; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the user name used to log in to an FTP server or LDAP server.
GUI Value Range: 0~255 characters
Unit: None
Actual Value Range: 0~255 characters
Default Value: NULL(empty string)

Parameter ID: PWD
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Command: ADD CRLTSK; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the password used to log in to an FTP server or LDAP server.
GUI Value Range: 0~32 characters
Unit: None
Actual Value Range: 0~32 characters
Default Value: NULL(empty string)

Parameter ID: PWD
NE: BSC6900; MML Command: ADD CRLTSK; Feature: MRFD-210305 Security Management
Meaning: Password for logging in to the server.
GUI Value Range: 0~32 characters
Unit: None
Actual Value Range: 0~32 characters
Default Value: None

Parameter ID: PWD
NE: BSC6910; MML Command: ADD CRLTSK; Feature: MRFD-210305 Security Management
Meaning: Password for logging in to the server.
GUI Value Range: 0~32 characters
Unit: None
Actual Value Range: 0~32 characters
Default Value: None
Parameter ID: FILENAME
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: ADD CRLTSK, LST CRLTSK; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the file name of a CRL. File name with path is supported when the access method is set to FTP.
GUI Value Range: 1~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None

Parameter ID: FILENAME
NE: BSC6910; MML Command: ADD CRLTSK; Feature: MRFD-210305 Security Management
Meaning: Name of the CRL file on the server. The file name can contain the save path of this file on the server. You can use a slash (/) or a backslash (\) as a separator for the save path. When the Access Method is set to LDAP, only the file name should be specified.
GUI Value Range: 1~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None

Parameter ID: FILENAME
NE: BSC6900; MML Command: ADD CRLTSK; Feature: MRFD-210305 Security Management
Meaning: Name of the CRL file on the server. The file name can contain the save path of this file on the server. You can use a slash (/) or a backslash (\) as a separator for the save path. When the Access Method is set to LDAP, only the file name should be specified.
GUI Value Range: 1~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
Parameter ID: CRLGETMETHOD
NE: BSC6900; MML Command: ADD CRLTSK; Feature: GBFD-160211 BSC Supporting PKI
Meaning: Method for obtaining the CRL file.
GUI Value Range: FTP(FTP), LDAP(LDAP)
Unit: None
Actual Value Range: FTP, LDAP
Default Value: FTP(FTP)

Parameter ID: CRLGETMETHOD
NE: BSC6910; MML Command: ADD CRLTSK; Feature: GBFD-160211 BSC Supporting PKI
Meaning: Method for obtaining the CRL file.
GUI Value Range: FTP(FTP), LDAP(LDAP)
Unit: None
Actual Value Range: FTP, LDAP
Default Value: FTP(FTP)

Parameter ID: SEARCHDN
NE: BSC6910; MML Command: ADD CRLTSK; Feature: GBFD-160211 BSC Supporting PKI
Meaning: Distinguished name (DN) of the CRL files saved on the LDAP server.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None

Parameter ID: SEARCHDN
NE: BSC6900; MML Command: ADD CRLTSK; Feature: GBFD-160211 BSC Supporting PKI
Meaning: Distinguished name (DN) of the CRL files saved on the LDAP server.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 1~128 characters
Default Value: None
Parameter ID: PORT
NE: BSC6910; MML Command: ADD CRLTSK; Feature: MRFD-210305 Security Management
Meaning: Number of the port used by the protocol. This parameter does not need to be specified when "CRLGETMETHOD" is set to FTP. The system uses the port which is configured by command "ADD FTPSCLTDPORT" as the default port number. When "CRLGETMETHOD" is set to LDAP, ensure that the LDAP service on the port supports LDAP V3.
GUI Value Range: 0~65535
Unit: None
Actual Value Range: 0~65535
Default Value: None

Parameter ID: PORT
NE: BSC6900; MML Command: ADD CRLTSK; Feature: MRFD-210305 Security Management
Meaning: Number of the port used by the protocol. This parameter does not need to be specified when "CRLGETMETHOD" is set to FTP. The system uses the port which is configured by command "ADD FTPSCLTDPORT" as the default port number. When "CRLGETMETHOD" is set to LDAP, ensure that the LDAP service on the port supports LDAP V3.
GUI Value Range: 0~65535
Unit: None
Actual Value Range: 0~65535
Default Value: None
Parameter ID: COMMNAME
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: MOD CERTREQ, LST CERTREQ; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the common name of the certificate request file, which can be the electronic serial number (ESN), media access control (MAC) address, or IP address of a board.
GUI Value Range: ESN(ESN), MAC(MAC), IP(IP)
Unit: None
Actual Value Range: ESN, MAC, IP
Default Value: ESN(ESN)
Parameter ID: USERADDINFO
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: MOD CERTREQ, LST CERTREQ; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the additional information about a certificate common name. The information will be added behind the value of the COMMNAME parameter to compose a complete common name for a certificate request file. The default value is .huawei.com. A space is not supported before the value of this parameter, that is, a space is not supported before the character string. However, to meet requirements of consistency checks performed by some CA servers to the certificate common name in a certificate request packet and that in a Huawei device certificate, the certificate common name in a certificate request packet is displayed as "Board ESN"+space+"Common Name Additional Info" only when the certificate common name in a Huawei device certificate is "Board ESN"+space+"Common Name Additional Info". For example, when the value of this parameter is "eNodeB" and the certificate common name in a Huawei device certificate is "ESN eNodeB", a space is automatically added before "eNodeB", that is, the certificate common name in a certificate request packet is displayed as "ESN eNodeB".
GUI Value Range: 0~32 characters
Unit: None
Actual Value Range: 0~32 characters
Default Value: NULL(empty string)
Parameter ID: COUNTRY
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: MOD CERTREQ, LST CERTREQ; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the country where a BS is located.
GUI Value Range: 0~0,2~2 characters
Unit: None
Actual Value Range: 0~0,2~2 characters
Default Value: NULL(empty string)

Parameter ID: ORG
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: MOD CERTREQ, LST CERTREQ; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the organization that owns a BS.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: NULL(empty string)

Parameter ID: ORGUNIT
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: MOD CERTREQ, LST CERTREQ; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the organization unit that owns a BS.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: NULL(empty string)

Parameter ID: STATEPROVINCENAME
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: MOD CERTREQ, LST CERTREQ; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the state or province where a BS is located.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: NULL(empty string)

Parameter ID: LOCALITY
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: MOD CERTREQ, LST CERTREQ; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the location of a BS.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: NULL(empty string)
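The subject-building rules quoted in the KEYUSAGE, LOCALNAME, COMMNAME and USERADDINFO rows above, together with the length limits of the COUNTRY through LOCALITY fields, as an added Python illustration that is not Huawei code. The CertReq class and its field names, the board ESN and the existing device-certificate CN are constructed; the KeyUsage bit positions are those of RFC 5280.

```python
"""Model of how a BS assembles the subject of its certificate request from the CERTREQ
parameters described above: the COMMNAME value (board ESN, MAC or IP) followed by
USERADDINFO forms the common name, LOCALNAME (or, if unset, that common name) becomes
the dNSName of the subject alternative name, and KEYUSAGE selects the X.509 key usage bits.
Added illustration, not Huawei code: the CertReq class, its field names, the ESN and
the existing device-certificate CN are constructed; field limits are the GUI value
ranges quoted in the table and the bit positions are those of RFC 5280 KeyUsage."""
from dataclasses import dataclass

# Maximum lengths (characters) from the GUI value ranges in the table.
FIELD_LIMITS = {
    "USERADDINFO": 32, "LOCALNAME": 128, "ORG": 64, "ORGUNIT": 64,
    "STATEPROVINCENAME": 128, "LOCALITY": 128,
}

# RFC 5280 KeyUsage bit numbers for the four usages the KEYUSAGE parameter offers.
KEY_USAGE_BITS = {
    "DIGITAL_SIGNATURE": 0, "KEY_ENCIPHERMENT": 2,
    "DATA_ENCIPHERMENT": 3, "KEY_AGREEMENT": 4,
}


@dataclass
class CertReq:
    commname_value: str            # board ESN, MAC or IP, as selected by COMMNAME
    useraddinfo: str = ""
    localname: str = ""
    country: str = ""
    org: str = ""
    orgunit: str = ""
    stateprovincename: str = ""
    locality: str = ""
    keyusage: tuple = ("DATA_ENCIPHERMENT", "DIGITAL_SIGNATURE",
                       "KEY_AGREEMENT", "KEY_ENCIPHERMENT")


def validate(req: CertReq) -> list:
    """Return the rule violations found (an empty list means the request is acceptable)."""
    errors = []
    for name, limit in FIELD_LIMITS.items():
        if len(getattr(req, name.lower())) > limit:
            errors.append(f"{name} exceeds {limit} characters")
    # COUNTRY is "0~0,2~2 characters": either empty or exactly two characters.
    if len(req.country) not in (0, 2):
        errors.append("COUNTRY must be empty or exactly 2 characters")
    # A space is not supported before the USERADDINFO string.
    if req.useraddinfo.startswith(" "):
        errors.append("USERADDINFO must not start with a space")
    # At least one key usage must be selected, and only the four defined ones.
    if not req.keyusage:
        errors.append("KEYUSAGE: at least one usage must be selected")
    unknown = sorted(set(req.keyusage) - set(KEY_USAGE_BITS))
    if unknown:
        errors.append(f"KEYUSAGE: unknown options {unknown}")
    return errors


def request_common_name(req: CertReq, device_cert_cn: str = "") -> str:
    """Common name placed in the request: COMMNAME value followed by USERADDINFO.
    A space is inserted between them only when the CN of the existing device
    certificate already has the form '<board ESN> <additional info>', so that a CA
    comparing the two names sees them as identical."""
    spaced = f"{req.commname_value} {req.useraddinfo}"
    if req.useraddinfo and device_cert_cn == spaced:
        return spaced
    return f"{req.commname_value}{req.useraddinfo}"


def san_dns_name(req: CertReq, device_cert_cn: str = "") -> str:
    """dNSName for the subject alternative name: LOCALNAME if configured, otherwise
    the common name (COMMNAME value plus USERADDINFO), as the LOCALNAME row states."""
    return req.localname or request_common_name(req, device_cert_cn)


def key_usage_der(usages) -> bytes:
    """DER-encode the selected usages as the X.509 KeyUsage BIT STRING. Bit 0 is the
    most significant bit of the first content byte; the leading content byte counts
    the unused trailing bits, as DER requires."""
    if not usages:
        raise ValueError("at least one key usage must be selected")
    bits, highest = 0, -1
    for usage in usages:
        position = KEY_USAGE_BITS[usage]
        bits |= 1 << (7 - position)
        highest = max(highest, position)
    unused = 7 - highest
    return bytes([0x03, 0x02, unused, bits])


if __name__ == "__main__":
    req = CertReq(commname_value="2102310ESN0000000001",   # constructed board ESN
                  useraddinfo="eNodeB", country="CN", org="Operator",
                  keyusage=("DIGITAL_SIGNATURE", "KEY_ENCIPHERMENT"))
    print(validate(req))                                            # []
    print(request_common_name(req, "2102310ESN0000000001 eNodeB"))  # 2102310ESN0000000001 eNodeB
    print(request_common_name(req, "unrelated"))                    # 2102310ESN0000000001eNodeB
    print(key_usage_der(req.keyusage).hex())                        # 030205a0
```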
Parameter ID: IDTYPE
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER; Features: LOFD-003009 / TDLOFD-003009 IPsec, GBFD-113524 BTS Integrated IPsec, WRFD-140209 NodeB Integrated IPSec
Meaning: Indicates the type of the identification payload that the local end transmits. The authentication can be performed based on IP or fully qualified domain name (FQDN).
GUI Value Range: IP(IP Identify), FQDN(Name Identify)
Unit: None
Actual Value Range: IP, FQDN
Default Value: None
Parameter ID: MODE
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: ADD CA, MOD CA, LST CA; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the policy for configuring the following parameters: Certificate Update Source IP, CA URL During Site Deployment, and Source IP for Applying for a Certificate During Site Deployment. When the parameter is set to DEFAULT_MODE, the UPDSIP, INITREQURL, INITREQSIP and SLVINITREQURL parameters do not need to be configured. When a certificate is initially obtained during site deployment, is manually applied for, or is automatically or manually updated, the base station uses the effective IP address of the local OM channel as the source address, and the URL as the destination address. When this parameter is set to CFG_INIT_UPD_ADDR, the base station uses INITREQSIP and INITREQURL as the source and destination addresses for initially obtaining a certificate during site deployment and UPDSIP and URL as the source and destination addresses for automatically and manually updating a certificate and for manually applying for a certificate. When the parameter is set to CFG_UPD_SIP, the INITREQURL, INITREQSIP and SLVINITREQURL parameters do not need to be configured. When a certificate is initially obtained during site deployment, is manually applied for, or is automatically or manually updated, the base station uses the UPDSIP and URL address as the source and destination addresses, respectively.
GUI Value Range: DEFAULT_MODE(DEFAULT_MODE), CFG_UPD_SIP(CFG_UPD_SIP), CFG_INIT_UPD_ADDR(CFG_INIT_UPD_ADDR)
Unit: None
Actual Value Range: DEFAULT_MODE, CFG_UPD_SIP, CFG_INIT_UPD_ADDR
Default Value: DEFAULT_MODE(DEFAULT_MODE)
Parameter ID: UPDSIP
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: ADD CA, MOD CA, LST CA; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the source address for certificate management, such as automatic certificate update, manual certificate update, and manual certificate application. If the source address for certificate application in site deployment is not configured, the address will be used as the source address for acquiring the certificate for the first time.
GUI Value Range: Valid IP address
Unit: None
Actual Value Range: Valid IP address
Default Value: 0.0.0.0
Parameter ID: APPTYPE
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: DSP APPCERT, LST APPCERT, MOD APPCERT, TST APPCERT, LST CERTTYPE; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the application type of activated device certificate. There are two types: IKE and SSL. When APPTYPE is set to IKE and CERTSOURCE in IKEPEER MO is set to Appcert, the device certificate being used during IKE negotiation is the certificate configured in APPCERT MO. When APPTYPE is set to SSL, the device certificate being used is the certificate used during SSL connection or 802.1x authentication.
GUI Value Range: IKE(IKE), SSL(SSL)
Unit: None
Actual Value Range: IKE, SSL
Default Value: None

Parameter ID: APPCERT
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: MOD APPCERT, TST APPCERT, DSP APPCERT, LST APPCERT; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the file name of an activated device certificate. The file name cannot include any of the following characters: backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), double quotation marks ("), left angle brackets (<), right angle brackets (>), and bars (|).
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None
Parameter ID: CERTNAME
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: ADD CRL, DSP CRL, RMV CRL, LST CRL; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the file name of a CRL. The file name cannot include any of the following characters: backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), double quotation marks ("), left angle brackets (<), right angle brackets (>), and bars (|).
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None

Parameter ID: TSKID
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: ADD CRLTSK, LST CRLTSK, RMV CRLTSK; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the ID of the task for periodically obtaining the CRL.
GUI Value Range: 0~5
Unit: None
Actual Value Range: 0~5
Default Value: None

Parameter ID: SIP
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Commands: ADD CRLTSK, LST CRLTSK; Features: LOFD-003010 / TDLOFD-003010 Public Key Infrastructure(PKI), GBFD-113526 BTS Supporting PKI, WRFD-140210 NodeB PKI Support
Meaning: Indicates the source IP address for downloading CRLs. When this parameter is set to 0.0.0.0, the effective local OM IP address serves as the source IP address to access the CRL server for updating CRL files.
GUI Value Range: Valid IP address
Unit: None
Actual Value Range: Valid IP address
Default Value: 0.0.0.0
Parameter ID: BTSID
NE: BSC6900; MML Command: SET BTSCERTDEPLOY; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~2047
Unit: None
Actual Value Range: 0~2047
Default Value: None

Parameter ID: BTSID
NE: BSC6910; MML Command: SET BTSCERTDEPLOY; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~7999
Unit: None
Actual Value Range: 0~7999
Default Value: None

Parameter ID: IDTYPE
NE: BSC6900; MML Commands: ADD BTSCA, MOD BTSCA, RMV BTSCA; Feature: GBFD-111202 O&M of BTS
Meaning: Index type. BYNAME: query by name; BYID: query by index.
GUI Value Range: BYNAME(By Name), BYID(By Index)
Unit: None
Actual Value Range: BYNAME, BYID
Default Value: None

Parameter ID: IDTYPE
NE: BSC6910; MML Commands: ADD BTSCA, MOD BTSCA, RMV BTSCA; Feature: GBFD-111202 O&M of BTS
Meaning: Index type. BYNAME: query by name; BYID: query by index.
GUI Value Range: BYNAME(By Name), BYID(By Index)
Unit: None
Actual Value Range: BYNAME, BYID
Default Value: None

Parameter ID: BTSID
NE: BSC6900; MML Commands: ADD BTSCA, MOD BTSCA, RMV BTSCA; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~2047
Unit: None
Actual Value Range: 0~2047
Default Value: None

Parameter ID: BTSID
NE: BSC6910; MML Commands: ADD BTSCA, MOD BTSCA, RMV BTSCA; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~7999
Unit: None
Actual Value Range: 0~7999
Default Value: None
Parameter ID: SIGNALG
NE: BSC6900; MML Commands: ADD BTSCA, MOD BTSCA; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Signature algorithm of the CMPV2 message. Currently, the SHA1 and SHA256 algorithms are supported. The SHA1 algorithm has security risks. If the Certificate Authority (CA) supports the SHA256 algorithm, it is recommended that SHA256 be used as the signature algorithm used by the Certificate Management Protocol (CMP) to request a certificate.
GUI Value Range: SHA1(SHA1), SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, SHA256
Default Value: SHA256(SHA256)

Parameter ID: SIGNALG
NE: BSC6910; MML Commands: ADD BTSCA, MOD BTSCA; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Signature algorithm of the CMPV2 message. Currently, the SHA1 and SHA256 algorithms are supported. The SHA1 algorithm has security risks. If the Certificate Authority (CA) supports the SHA256 algorithm, it is recommended that SHA256 be used as the signature algorithm used by the Certificate Management Protocol (CMP) to request a certificate.
GUI Value Range: SHA1(SHA1), SHA256(SHA256)
Unit: None
Actual Value Range: SHA1, SHA256
Default Value: SHA256(SHA256)
Parameter ID: BTSID
NE: BSC6900; MML Command: MOD BTSCERTREQ; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~2047
Unit: None
Actual Value Range: 0~2047
Default Value: None

Parameter ID: BTSID
NE: BSC6910; MML Command: MOD BTSCERTREQ; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~7999
Unit: None
Actual Value Range: 0~7999
Default Value: None

Parameter ID: COMMNAME
NE: BSC6900; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Common name of the certificate request file. The common name can be the Electronic Serial Number (ESN), MAC address, or IP address of the board. When a certificate request file is generated, the corresponding content of the specified type is used as the common name of the file.
GUI Value Range: ESN(ESN), MAC(MAC), IP(IP)
Unit: None
Actual Value Range: ESN, MAC, IP
Default Value: ESN(ESN)

Parameter ID: COMMNAME
NE: BSC6910; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Common name of the certificate request file. The common name can be the Electronic Serial Number (ESN), MAC address, or IP address of the board. When a certificate request file is generated, the corresponding content of the specified type is used as the common name of the file.
GUI Value Range: ESN(ESN), MAC(MAC), IP(IP)
Unit: None
Actual Value Range: ESN, MAC, IP
Default Value: ESN(ESN)

Parameter ID: USERADDINFO
NE: BSC6900; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Equipment description in the generic certificate name. It is defined by operators. The default value of this parameter is .huawei.com before delivery.
GUI Value Range: 0~32 characters
Unit: None
Actual Value Range: 0~32 characters
Default Value: None

Parameter ID: USERADDINFO
NE: BSC6910; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Equipment description in the generic certificate name. It is defined by operators. The default value of this parameter is .huawei.com before delivery.
GUI Value Range: 0~32 characters
Unit: None
Actual Value Range: 0~32 characters
Default Value: None

Parameter ID: COUNTRY
NE: BSC6900; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Country where the equipment is located.
GUI Value Range: 2 characters
Unit: None
Actual Value Range: 2 characters
Default Value: None

Parameter ID: COUNTRY
NE: BSC6910; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Country where the equipment is located.
GUI Value Range: 2 characters
Unit: None
Actual Value Range: 2 characters
Default Value: None

Parameter ID: ORG
NE: BSC6900; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Organization that owns the equipment.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: None

Parameter ID: ORG
NE: BSC6910; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Organization that owns the equipment.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: None

Parameter ID: ORGUNIT
NE: BSC6900; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Organizational unit that owns the equipment.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: None

Parameter ID: ORGUNIT
NE: BSC6910; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Organizational unit that owns the equipment.
GUI Value Range: 0~64 characters
Unit: None
Actual Value Range: 0~64 characters
Default Value: None

Parameter ID: STATEPROVINCENAME
NE: BSC6900; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: State or province where the equipment is located.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None

Parameter ID: STATEPROVINCENAME
NE: BSC6910; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: State or province where the equipment is located.
GUI Value Range: 0~128 characters
Unit: None
Actual Value Range: 0~128 characters
Default Value: None
Parameter ID: KEYUSAGE
NE: BSC6900; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Key usage. The options are key agreement, data encryption, key encryption, and digital signature. Each time, more than one option can be selected.
GUI Value Range: DATA_ENCIPHERMENT(Data Encryption), DIGITAL_SIGNATURE(Digital Signature), KEY_AGREEMENT(Key Negotiation), KEY_ENCIPHERMENT(Key Encryption)
Unit: None
Actual Value Range: DATA_ENCIPHERMENT, DIGITAL_SIGNATURE, KEY_AGREEMENT, KEY_ENCIPHERMENT
Default Value: DATA_ENCIPHERMENT:1, DIGITAL_SIGNATURE:1, KEY_AGREEMENT:1, KEY_ENCIPHERMENT:1

Parameter ID: KEYUSAGE
NE: BSC6910; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Key usage. The options are key agreement, data encryption, key encryption, and digital signature. Each time, more than one option can be selected.
GUI Value Range: DATA_ENCIPHERMENT(Data Encryption), DIGITAL_SIGNATURE(Digital Signature), KEY_AGREEMENT(Key Negotiation), KEY_ENCIPHERMENT(Key Encryption)
Unit: None
Actual Value Range: DATA_ENCIPHERMENT, DIGITAL_SIGNATURE, KEY_AGREEMENT, KEY_ENCIPHERMENT
Default Value: DATA_ENCIPHERMENT:1, DIGITAL_SIGNATURE:1, KEY_AGREEMENT:1, KEY_ENCIPHERMENT:1

Parameter ID: KEYSIZE
NE: BSC6900; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Key size. The size can be 1,024 bits or 2,048 bits. When this parameter is set to KEYSIZE1024, security risks exist. It is recommended that this parameter be set to KEYSIZE2048.
GUI Value Range: KEYSIZE1024(KEYSIZE1024), KEYSIZE2048(KEYSIZE2048)
Unit: None
Actual Value Range: KEYSIZE1024, KEYSIZE2048
Default Value: KEYSIZE2048(KEYSIZE2048)

Parameter ID: KEYSIZE
NE: BSC6910; MML Command: MOD BTSCERTREQ; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Key size. The size can be 1,024 bits or 2,048 bits. When this parameter is set to KEYSIZE1024, security risks exist. It is recommended that this parameter be set to KEYSIZE2048.
GUI Value Range: KEYSIZE1024(KEYSIZE1024), KEYSIZE2048(KEYSIZE2048)
Unit: None
Actual Value Range: KEYSIZE1024, KEYSIZE2048
Default Value: KEYSIZE2048(KEYSIZE2048)
Parameter ID: LOCALIDTYPE
NE: BSC6900; MML Commands: ADD BTSIKEPEER, MOD BTSIKEPEER; Features: GBFD-113524 BTS Integrated IPsec, MRFD-211602 Multi-mode BS Common IPSec(GSM)
Meaning: Mode in which the local end authenticates the peer end. This parameter can be set to IP or FQDN.
GUI Value Range: IP(IP Identify), FQDN(Name Identify)
Unit: None
Actual Value Range: IP, FQDN
Default Value: None

Parameter ID: LOCALIDTYPE
NE: BSC6910; MML Commands: ADD BTSIKEPEER, MOD BTSIKEPEER; Features: GBFD-113524 BTS Integrated IPsec, MRFD-211602 Multi-mode BS Common IPSec(GSM)
Meaning: Mode in which the local end authenticates the peer end. This parameter can be set to IP or FQDN.
GUI Value Range: IP(IP Identify), FQDN(Name Identify)
Unit: None
Actual Value Range: IP, FQDN
Default Value: None
Parameter ID: IDTYPE
NE: BSC6900; MML Commands: ADD BTSCERTMK, RMV BTSCERTMK; Feature: GBFD-111202 O&M of BTS
Meaning: Index type. BYNAME: query by name; BYID: query by index.
GUI Value Range: BYNAME(By Name), BYID(By Index)
Unit: None
Actual Value Range: BYNAME, BYID
Default Value: None

Parameter ID: IDTYPE
NE: BSC6910; MML Commands: ADD BTSCERTMK, RMV BTSCERTMK; Feature: GBFD-111202 O&M of BTS
Meaning: Index type. BYNAME: query by name; BYID: query by index.
GUI Value Range: BYNAME(By Name), BYID(By Index)
Unit: None
Actual Value Range: BYNAME, BYID
Default Value: None

Parameter ID: BTSID
NE: BSC6900; MML Commands: ADD BTSCERTMK, RMV BTSCERTMK; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~2047
Unit: None
Actual Value Range: 0~2047
Default Value: None

Parameter ID: BTSID
NE: BSC6910; MML Commands: ADD BTSCERTMK, RMV BTSCERTMK; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~7999
Unit: None
Actual Value Range: 0~7999
Default Value: None

Parameter ID: APPCERT
NE: BSC6900; MML Commands: ADD BTSCERTMK, RMV BTSCERTMK; Feature: GBFD-113526 BTS Supporting PKI
Meaning: File name of the device certificate. The file name cannot contain any of the following characters: \, /, :, *, ?, ", <, >, and |.
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None

Parameter ID: APPCERT
NE: BSC6910; MML Commands: ADD BTSCERTMK, RMV BTSCERTMK; Feature: GBFD-113526 BTS Supporting PKI
Meaning: File name of the device certificate. The file name cannot contain any of the following characters: \, /, :, *, ?, ", <, >, and |.
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None
Parameter ID: BTSID
NE: BSC6900; MML Command: MOD BTSAPPCERT; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~2047
Unit: None
Actual Value Range: 0~2047
Default Value: None

Parameter ID: BTSID
NE: BSC6910; MML Command: MOD BTSAPPCERT; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~7999
Unit: None
Actual Value Range: 0~7999
Default Value: None

Parameter ID: APPTYPE
NE: BSC6900; MML Command: MOD BTSAPPCERT; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Application type of the device certificate in use. IKE and SSL are supported.
GUI Value Range: IKE(IKE), SSL(SSL)
Unit: None
Actual Value Range: IKE, SSL
Default Value: None

Parameter ID: APPTYPE
NE: BSC6910; MML Command: MOD BTSAPPCERT; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Application type of the device certificate in use. IKE and SSL are supported.
GUI Value Range: IKE(IKE), SSL(SSL)
Unit: None
Actual Value Range: IKE, SSL
Default Value: None

Parameter ID: APPCERT
NE: BSC6900; MML Command: MOD BTSAPPCERT; Feature: GBFD-113526 BTS Supporting PKI
Meaning: File name of the device certificate. The file name cannot contain any of the following characters: \, /, :, *, ?, ", <, >, and |.
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None

Parameter ID: APPCERT
NE: BSC6910; MML Command: MOD BTSAPPCERT; Feature: GBFD-113526 BTS Supporting PKI
Meaning: File name of the device certificate. The file name cannot contain any of the following characters: \, /, :, *, ?, ", <, >, and |.
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None
Parameter ID: IDTYPE
NE: BSC6900; MML Commands: ADD BTSTRUSTCERT, RMV BTSTRUSTCERT; Feature: GBFD-111202 O&M of BTS
Meaning: Index type. BYNAME: query by name; BYID: query by index.
GUI Value Range: BYNAME(By Name), BYID(By Index)
Unit: None
Actual Value Range: BYNAME, BYID
Default Value: None

Parameter ID: IDTYPE
NE: BSC6910; MML Commands: ADD BTSTRUSTCERT, RMV BTSTRUSTCERT; Feature: GBFD-111202 O&M of BTS
Meaning: Index type. BYNAME: query by name; BYID: query by index.
GUI Value Range: BYNAME(By Name), BYID(By Index)
Unit: None
Actual Value Range: BYNAME, BYID
Default Value: None

Parameter ID: BTSID
NE: BSC6900; MML Commands: ADD BTSTRUSTCERT, RMV BTSTRUSTCERT; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~2047
Unit: None
Actual Value Range: 0~2047
Default Value: None

Parameter ID: BTSID
NE: BSC6910; MML Commands: ADD BTSTRUSTCERT, RMV BTSTRUSTCERT; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~7999
Unit: None
Actual Value Range: 0~7999
Default Value: None

Parameter ID: CERTNAME
NE: BSC6900; MML Commands: ADD BTSTRUSTCERT, RMV BTSTRUSTCERT; Feature: GBFD-113526 BTS Supporting PKI
Meaning: File name of the trust certificate or certificate chain. The file name cannot contain any of the following characters: \, /, :, *, ?, ", <, >, and |.
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None

Parameter ID: CERTNAME
NE: BSC6910; MML Commands: ADD BTSTRUSTCERT, RMV BTSTRUSTCERT; Feature: GBFD-113526 BTS Supporting PKI
Meaning: File name of the trust certificate or certificate chain. The file name cannot contain any of the following characters: \, /, :, *, ?, ", <, >, and |.
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None
Parameter ID: BTSID
NE: BSC6900; MML Command: SET BTSCERTCHKTSK; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~2047
Unit: None
Actual Value Range: 0~2047
Default Value: None

Parameter ID: BTSID
NE: BSC6910; MML Command: SET BTSCERTCHKTSK; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~7999
Unit: None
Actual Value Range: 0~7999
Default Value: None

Parameter ID: ISENABLE
NE: BSC6900; MML Command: SET BTSCERTCHKTSK; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Whether the task of checking the certificate validity is started.
GUI Value Range: DISABLE(Disable), ENABLE(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: ENABLE(Enable)

Parameter ID: ISENABLE
NE: BSC6910; MML Command: SET BTSCERTCHKTSK; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Whether the task of checking the certificate validity is started.
GUI Value Range: DISABLE(Disable), ENABLE(Enable)
Unit: None
Actual Value Range: DISABLE, ENABLE
Default Value: ENABLE(Enable)

Parameter ID: PERIOD
NE: BSC6900; MML Command: SET BTSCERTCHKTSK; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Period of checking the certificate validity.
GUI Value Range: 1~15
Unit: day
Actual Value Range: 1~15
Default Value: 7

Parameter ID: PERIOD
NE: BSC6910; MML Command: SET BTSCERTCHKTSK; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Period of checking the certificate validity.
GUI Value Range: 1~15
Unit: day
Actual Value Range: 1~15
Default Value: 7

Parameter ID: ALMRNG
NE: BSC6900; MML Command: SET BTSCERTCHKTSK; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Alarm threshold of certificate expiry. When the BTS detects that the time between the current time and the expiry time of the loaded certificate is less than this threshold, a certificate expiry alarm is reported.
GUI Value Range: 7~180
Unit: day
Actual Value Range: 7~180
Default Value: 30

Parameter ID: ALMRNG
NE: BSC6910; MML Command: SET BTSCERTCHKTSK; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Alarm threshold of certificate expiry. When the BTS detects that the time between the current time and the expiry time of the loaded certificate is less than this threshold, a certificate expiry alarm is reported.
GUI Value Range: 7~180
Unit: day
Actual Value Range: 7~180
Default Value: 30
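How the certificate validity check task behaves for given PERIOD and ALMRNG values (SET BTSCERTCHKTSK rows above), as an added Python illustration that is not Huawei code. The schedule model, a check on a first day and then every PERIOD days, is an assumption, and all dates are constructed.

```python
"""Model of the BTS certificate validity check task (SET BTSCERTCHKTSK): every PERIOD
days the task compares the time left until the loaded certificate expires with ALMRNG
and reports a certificate expiry alarm once that time is less than the threshold.
Added illustration, not Huawei code; the check schedule is assumed to start on a
given day and repeat every PERIOD days, and all dates below are constructed."""
from datetime import date, timedelta
from typing import Optional

PERIOD_RANGE = (1, 15)    # days; default 7
ALMRNG_RANGE = (7, 180)   # days; default 30


def validate_task(period: int, almrng: int) -> None:
    """Reject values outside the GUI value ranges quoted in the table."""
    for name, value, (lo, hi) in (("PERIOD", period, PERIOD_RANGE),
                                  ("ALMRNG", almrng, ALMRNG_RANGE)):
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} is outside {lo}~{hi} days")


def alarm_on(check_day: date, not_after: date, almrng: int) -> bool:
    """Alarm condition from the table: remaining validity strictly less than ALMRNG."""
    return (not_after - check_day).days < almrng


def first_alarm_day(first_check: date, not_after: date,
                    period: int = 7, almrng: int = 30) -> Optional[date]:
    """Walk the check schedule and return the first check day that reports the alarm.
    Returns None when the certificate expires between two checks without any check
    having seen the threshold crossed; the value ranges permit PERIOD > ALMRNG, so
    that silent expiry is a real misconfiguration to guard against."""
    validate_task(period, almrng)
    day = first_check
    while day <= not_after:
        if alarm_on(day, not_after, almrng):
            return day
        day += timedelta(days=period)
    return None


def alarm_latency_days(first_check: date, not_after: date,
                       period: int = 7, almrng: int = 30) -> Optional[int]:
    """Days between the first calendar day on which remaining validity is below ALMRNG
    and the check that actually reports it. The worst case is PERIOD - 1 days, so the
    warning an operator can rely on is ALMRNG - PERIOD days before expiry, not ALMRNG."""
    fired = first_alarm_day(first_check, not_after, period, almrng)
    if fired is None:
        return None
    # On this day the remaining validity is ALMRNG - 1, the first value below the threshold.
    threshold_crossed = not_after - timedelta(days=almrng - 1)
    return (fired - threshold_crossed).days


if __name__ == "__main__":
    cert_expiry = date(2025, 12, 31)          # constructed notAfter date
    print(first_alarm_day(date(2025, 10, 1), cert_expiry))                # 2025-12-03
    print(alarm_latency_days(date(2025, 10, 1), cert_expiry))             # 1
    print(first_alarm_day(date(2025, 10, 1), date(2025, 12, 23), 15, 7))  # None
```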
Parameter ID: IDTYPE
NE: BSC6900; MML Commands: ADD BTSCRL, RMV BTSCRL; Feature: GBFD-111202 O&M of BTS
Meaning: Index type. BYNAME: query by name; BYID: query by index.
GUI Value Range: BYNAME(By Name), BYID(By Index)
Unit: None
Actual Value Range: BYNAME, BYID
Default Value: None

Parameter ID: IDTYPE
NE: BSC6910; MML Commands: ADD BTSCRL, RMV BTSCRL; Feature: GBFD-111202 O&M of BTS
Meaning: Index type. BYNAME: query by name; BYID: query by index.
GUI Value Range: BYNAME(By Name), BYID(By Index)
Unit: None
Actual Value Range: BYNAME, BYID
Default Value: None

Parameter ID: BTSID
NE: BSC6900; MML Commands: ADD BTSCRL, RMV BTSCRL; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~2047
Unit: None
Actual Value Range: 0~2047
Default Value: None

Parameter ID: BTSID
NE: BSC6910; MML Commands: ADD BTSCRL, RMV BTSCRL; Feature: None
Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
GUI Value Range: 0~7999
Unit: None
Actual Value Range: 0~7999
Default Value: None

Parameter ID: CERTNAME
NE: BSC6900; MML Commands: ADD BTSCRL, RMV BTSCRL; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Indicates the file name of the CRL. The name cannot contain any of the following characters: backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), double quotation marks ("), left angle brackets (<), right angle brackets (>), and bars (|).
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None

Parameter ID: CERTNAME
NE: BSC6910; MML Commands: ADD BTSCRL, RMV BTSCRL; Feature: GBFD-113526 BTS Supporting PKI
Meaning: Indicates the file name of the CRL. The name cannot contain any of the following characters: backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), double quotation marks ("), left angle brackets (<), right angle brackets (>), and bars (|).
GUI Value Range: 1~64 characters
Unit: None
Actual Value Range: 1~64 characters
Default Value: None
BTSID | NE: BSC6900 | MML Command: SET BTSCRLPOLICY | Feature ID: None | Feature Name: None
  Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
  GUI Value Range: 0~2047
  Unit: None
  Actual Value Range: 0~2047
  Default Value: None

BTSID | NE: BSC6910 | MML Command: SET BTSCRLPOLICY | Feature ID: None | Feature Name: None
  Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
  GUI Value Range: 0~7999
  Unit: None
  Actual Value Range: 0~7999
  Default Value: None
BTSID | NE: BSC6900 | MML Command: ADD BTSCRLTSK, RMV BTSCRLTSK | Feature ID: None | Feature Name: None
  Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
  GUI Value Range: 0~2047
  Unit: None
  Actual Value Range: 0~2047
  Default Value: None

BTSID | NE: BSC6910 | MML Command: ADD BTSCRLTSK, RMV BTSCRLTSK | Feature ID: None | Feature Name: None
  Meaning: Index of the BTS, uniquely identifying a BTS in a BSC.
  GUI Value Range: 0~7999
  Unit: None
  Actual Value Range: 0~7999
  Default Value: None

IP | NE: BSC6900 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: The IP address of an FTP server or LDAP server.
  GUI Value Range: Valid IP Address
  Unit: None
  Actual Value Range: Valid IP Address
  Default Value: None

IP | NE: BSC6910 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: The IP address of an FTP server or LDAP server.
  GUI Value Range: Valid IP Address
  Unit: None
  Actual Value Range: Valid IP Address
  Default Value: None

USR | NE: BSC6900 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: The user name used to log in to an FTP server or LDAP server.
  GUI Value Range: 0~255 characters
  Unit: None
  Actual Value Range: 0~255 characters
  Default Value: None

USR | NE: BSC6910 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: The user name used to log in to an FTP server or LDAP server.
  GUI Value Range: 0~255 characters
  Unit: None
  Actual Value Range: 0~255 characters
  Default Value: None

PWD | NE: BSC6900 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: The password used to log in to an FTP server or LDAP server.
  GUI Value Range: 0~255 characters
  Unit: None
  Actual Value Range: 0~255 characters
  Default Value: None

PWD | NE: BSC6910 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: The password used to log in to an FTP server or LDAP server.
  GUI Value Range: 0~255 characters
  Unit: None
  Actual Value Range: 0~255 characters
  Default Value: None

FILENAME | NE: BSC6900 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Revoked device certificate. The file name cannot contain any of the following characters: \, /, :, *, ?, ", <, >, and |.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None

FILENAME | NE: BSC6910 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Revoked device certificate. The file name cannot contain any of the following characters: \, /, :, *, ?, ", <, >, and |.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None

ISCRLTIME | NE: BSC6900 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Whether to update the CRL at the next update time specified in the CRL that is obtained during the latest update. If this parameter is set to ENABLE, the BTS automatically updates the CRL when the next update time specified in the CRL arrives. If this parameter is set to DISABLE, the BTS automatically updates the CRL based on the configured updating period.
  GUI Value Range: DISABLE(Disable), ENABLE(Enable)
  Unit: None
  Actual Value Range: DISABLE, ENABLE
  Default Value: DISABLE(Disable)

ISCRLTIME | NE: BSC6910 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Whether to update the CRL at the next update time specified in the CRL that is obtained during the latest update. If this parameter is set to ENABLE, the BTS automatically updates the CRL when the next update time specified in the CRL arrives. If this parameter is set to DISABLE, the BTS automatically updates the CRL based on the configured updating period.
  GUI Value Range: DISABLE(Disable), ENABLE(Enable)
  Unit: None
  Actual Value Range: DISABLE, ENABLE
  Default Value: DISABLE(Disable)

PERIOD | NE: BSC6900 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Interval for updating the CRL.
  GUI Value Range: 8~240
  Unit: h
  Actual Value Range: 8~240
  Default Value: 24

PERIOD | NE: BSC6910 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Interval for updating the CRL.
  GUI Value Range: 8~240
  Unit: h
  Actual Value Range: 8~240
  Default Value: 24

CRLGETMETHOD | NE: BSC6900 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Method of getting the CRL file.
  GUI Value Range: FTP(FTP), LDAP(LDAP)
  Unit: None
  Actual Value Range: FTP, LDAP
  Default Value: FTP(FTP)

CRLGETMETHOD | NE: BSC6910 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Method of getting the CRL file.
  GUI Value Range: FTP(FTP), LDAP(LDAP)
  Unit: None
  Actual Value Range: FTP, LDAP
  Default Value: FTP(FTP)

SEARCHDN | NE: BSC6900 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Distinguished name used when searching on the LDAP server.
  GUI Value Range: 0~255 characters
  Unit: None
  Actual Value Range: 1~255 characters
  Default Value: None

SEARCHDN | NE: BSC6910 | MML Command: ADD BTSCRLTSK | Feature ID: GBFD-113526 | Feature Name: BTS Supporting PKI
  Meaning: Distinguished name used when searching on the LDAP server.
  GUI Value Range: 0~255 characters
  Unit: None
  Actual Value Range: 1~255 characters
  Default Value: None
COMMNAME | NE: BSC6900 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Common name of the certificate request file. When a certificate request file is generated, the corresponding content of the specified type is used as the common name of the file. The common name can only be the electronic serial number (ESN).
  GUI Value Range: ESN(ESN)
  Unit: None
  Actual Value Range: ESN
  Default Value: ESN(ESN)

COMMNAME | NE: BSC6910 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Common name of the certificate request file. When a certificate request file is generated, the corresponding content of the specified type is used as the common name of the file. The common name can only be the electronic serial number (ESN).
  GUI Value Range: ESN(ESN)
  Unit: None
  Actual Value Range: ESN
  Default Value: ESN(ESN)

USERADDINFO | NE: BSC6910 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Equipment description in the generic certificate name. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~32 characters
  Unit: None
  Actual Value Range: 0~32 characters
  Default Value: None

USERADDINFO | NE: BSC6900 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Equipment description in the generic certificate name. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~32 characters
  Unit: None
  Actual Value Range: 0~32 characters
  Default Value: None

COUNTRY | NE: BSC6910 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Country where the device is located. The parameter value must be two English characters or one space. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~2 characters
  Unit: None
  Actual Value Range: 0~2 characters
  Default Value: None

COUNTRY | NE: BSC6900 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Country where the device is located. The parameter value must be two English characters or one space. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~2 characters
  Unit: None
  Actual Value Range: 0~2 characters
  Default Value: None

ORG | NE: BSC6910 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Organization to which the device belongs. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~64 characters
  Unit: None
  Actual Value Range: 0~64 characters
  Default Value: None

ORG | NE: BSC6900 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Organization to which the device belongs. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~64 characters
  Unit: None
  Actual Value Range: 0~64 characters
  Default Value: None

ORGUNIT | NE: BSC6910 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Organization unit to which the device belongs. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~64 characters
  Unit: None
  Actual Value Range: 0~64 characters
  Default Value: None

ORGUNIT | NE: BSC6900 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Organization unit to which the device belongs. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~64 characters
  Unit: None
  Actual Value Range: 0~64 characters
  Default Value: None

STATEPROVINCENAME | NE: BSC6900 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: State or province where the device is located. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~128 characters
  Unit: None
  Actual Value Range: 0~128 characters
  Default Value: None

STATEPROVINCENAME | NE: BSC6910 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: State or province where the device is located. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~128 characters
  Unit: None
  Actual Value Range: 0~128 characters
  Default Value: None

LOCALITY | NE: BSC6900 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Specific position where the device is located. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~128 characters
  Unit: None
  Actual Value Range: 0~128 characters
  Default Value: None

LOCALITY | NE: BSC6910 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Specific position where the device is located. The parameter value can contain only letters, digits, spaces, and the following characters: ()+-./:?. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if a space is entered.
  GUI Value Range: 0~128 characters
  Unit: None
  Actual Value Range: 0~128 characters
  Default Value: None

LOCALIP | NE: BSC6900 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Local IP address of the device. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if 0.0.0.0 is entered.
  GUI Value Range: Valid IP Address
  Unit: None
  Actual Value Range: Valid IP Address
  Default Value: None

LOCALIP | NE: BSC6910 | MML Command: MOD CERTREQ | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Local IP address of the device. The original parameter settings remain unchanged if the parameter is left unspecified. The original parameter settings are cleared if 0.0.0.0 is entered.
  GUI Value Range: Valid IP Address
  Unit: None
  Actual Value Range: Valid IP Address
  Default Value: None
MODE | NE: BSC6900 | MML Command: ADD CA, MOD CA | Feature ID: GBFD-160211 | Feature Name: BSC Supporting PKI
  Meaning: Configuration mode of the source IP address that is used for updating the certificate. When this parameter is set to DEFAULT_MODE, the source IP address used for updating the certificate does not need to be configured. The system uses the OM IP to apply for and update the certificate. When this parameter is set to CFG_UPD_SIP, the source IP address used for updating the certificate must be configured. The system uses the configured source IP address to apply for and update the certificate.
  GUI Value Range: DEFAULT_MODE(DEFAULT_MODE), CFG_UPD_SIP(CFG_UPD_SIP)
  Unit: None
  Actual Value Range: DEFAULT_MODE, CFG_UPD_SIP
  Default Value: DEFAULT_MODE(DEFAULT_MODE)

MODE | NE: BSC6910 | MML Command: ADD CA, MOD CA | Feature ID: GBFD-160211 | Feature Name: BSC Supporting PKI
  Meaning: Configuration mode of the source IP address that is used for updating the certificate. When this parameter is set to DEFAULT_MODE, the source IP address used for updating the certificate does not need to be configured. The system uses the OM IP to apply for and update the certificate. When this parameter is set to CFG_UPD_SIP, the source IP address used for updating the certificate must be configured. The system uses the configured source IP address to apply for and update the certificate.
  GUI Value Range: DEFAULT_MODE(DEFAULT_MODE), CFG_UPD_SIP(CFG_UPD_SIP)
  Unit: None
  Actual Value Range: DEFAULT_MODE, CFG_UPD_SIP
  Default Value: DEFAULT_MODE(DEFAULT_MODE)
APPCERT | NE: BSC6900 | MML Command: ADD CERTMK, RMV CERTMK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: File name of the device certificate file.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None

APPCERT | NE: BSC6910 | MML Command: ADD CERTMK, RMV CERTMK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: File name of the device certificate file.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None

APPTYPE | NE: BSC6900 | MML Command: MOD APPCERT | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Application type of the device certificate. Only SSL is supported at present.
  GUI Value Range: SSL(SSL)
  Unit: None
  Actual Value Range: SSL
  Default Value: SSL(SSL)

APPTYPE | NE: BSC6910 | MML Command: MOD APPCERT | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Application type of the device certificate. Only SSL is supported at present.
  GUI Value Range: SSL(SSL)
  Unit: None
  Actual Value Range: SSL
  Default Value: SSL(SSL)

APPCERT | NE: BSC6910 | MML Command: MOD APPCERT | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: File name of the device certificate file.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None

APPCERT | NE: BSC6900 | MML Command: MOD APPCERT | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: File name of the device certificate file.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None

CERTNAME | NE: BSC6910 | MML Command: ADD TRUSTCERT, RMV TRUSTCERT | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: File name of the trust certificate or certificate chain.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None

CERTNAME | NE: BSC6900 | MML Command: ADD TRUSTCERT, RMV TRUSTCERT | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: File name of the trust certificate or certificate chain.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None
ISENABLE | NE: BSC6900 | MML Command: SET CERTCHKTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Whether the task of checking the certificate validity is started.
  GUI Value Range: DISABLE(Disable), ENABLE(Enable)
  Unit: None
  Actual Value Range: DISABLE, ENABLE
  Default Value: ENABLE(Enable)

ISENABLE | NE: BSC6910 | MML Command: SET CERTCHKTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Whether the task of checking the certificate validity is started.
  GUI Value Range: DISABLE(Disable), ENABLE(Enable)
  Unit: None
  Actual Value Range: DISABLE, ENABLE
  Default Value: ENABLE(Enable)

PERIOD | NE: BSC6900 | MML Command: SET CERTCHKTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Period of checking the certificate validity. The value of this parameter must be smaller than or equal to the value of the ALMRNG parameter.
  GUI Value Range: 1~15
  Unit: day
  Actual Value Range: 1~15
  Default Value: 7

PERIOD | NE: BSC6910 | MML Command: SET CERTCHKTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Period of checking the certificate validity. The value of this parameter must be smaller than or equal to the value of the ALMRNG parameter.
  GUI Value Range: 1~15
  Unit: day
  Actual Value Range: 1~15
  Default Value: 7

ALMRNG | NE: BSC6900 | MML Command: SET CERTCHKTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: When the MBSC detects that the time between the current time and the expiry time of the loaded certificate is less than this threshold, a certificate expiry alarm is reported.
  GUI Value Range: 7~180
  Unit: day
  Actual Value Range: 7~180
  Default Value: 30

ALMRNG | NE: BSC6910 | MML Command: SET CERTCHKTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: When the MBSC detects that the time between the current time and the expiry time of the loaded certificate is less than this threshold, a certificate expiry alarm is reported.
  GUI Value Range: 7~180
  Unit: day
  Actual Value Range: 7~180
  Default Value: 30
CERTNAME | NE: BSC6900 | MML Command: ADD CRL, RMV CRL | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: File name of the CRL.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None

CERTNAME | NE: BSC6910 | MML Command: ADD CRL, RMV CRL | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: File name of the CRL.
  GUI Value Range: 1~64 characters
  Unit: None
  Actual Value Range: 1~64 characters
  Default Value: None

USR | NE: BSC6900 | MML Command: ADD CRLTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: User name for logging in to the server where the CRL file is saved.
  GUI Value Range: 0~128 characters
  Unit: None
  Actual Value Range: 0~128 characters
  Default Value: None

USR | NE: BSC6910 | MML Command: ADD CRLTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: User name for logging in to the server where the CRL file is saved.
  GUI Value Range: 0~128 characters
  Unit: None
  Actual Value Range: 0~128 characters
  Default Value: None

ISCRLTIME | NE: BSC6900 | MML Command: ADD CRLTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Whether to update the CRL file at the next update time recorded in the file. If this parameter is set to ENABLE, the task will update the CRL file at the next update time recorded in the file. If this parameter is set to DISABLE, the task will periodically update the CRL file at an interval specified by [CRLTSK:PERIOD].
  GUI Value Range: DISABLE(Disable), ENABLE(Enable)
  Unit: None
  Actual Value Range: DISABLE, ENABLE
  Default Value: DISABLE(Disable)

ISCRLTIME | NE: BSC6910 | MML Command: ADD CRLTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Whether to update the CRL file at the next update time recorded in the file. If this parameter is set to ENABLE, the task will update the CRL file at the next update time recorded in the file. If this parameter is set to DISABLE, the task will periodically update the CRL file at an interval specified by [CRLTSK:PERIOD].
  GUI Value Range: DISABLE(Disable), ENABLE(Enable)
  Unit: None
  Actual Value Range: DISABLE, ENABLE
  Default Value: DISABLE(Disable)

PERIOD | NE: BSC6900 | MML Command: ADD CRLTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Interval for updating the CRL (unit: hour). If ISCRLTIME is set to DISABLE(Disable), the CRL is updated at the interval specified by this parameter.
  GUI Value Range: 8~240
  Unit: h
  Actual Value Range: 8~240
  Default Value: 24

PERIOD | NE: BSC6910 | MML Command: ADD CRLTSK | Feature ID: MRFD-210305 | Feature Name: Security Management
  Meaning: Interval for updating the CRL (unit: hour). If ISCRLTIME is set to DISABLE(Disable), the CRL is updated at the interval specified by this parameter.
  GUI Value Range: 8~240
  Unit: h
  Actual Value Range: 8~240
  Default Value: 24

SIP | NE: BSC6900 | MML Command: ADD CRLTSK | Feature ID: GBFD-160211 | Feature Name: BSC Supporting PKI
  Meaning: Source IP address for downloading CRL files. The setting of this parameter must ensure proper communication between the OMU and the CA. If not, use the default value 0.0.0.0. If the OMU works in active/standby mode, the external fixed IP address cannot be set. If it is set, the OMU cannot communicate properly with the CA after a switchover between the active and standby OMUs.
  GUI Value Range: Valid IP Address
  Unit: None
  Actual Value Range: Valid IP Address
  Default Value: 0.0.0.0

SIP | NE: BSC6910 | MML Command: ADD CRLTSK | Feature ID: GBFD-160211 | Feature Name: BSC Supporting PKI
  Meaning: Source IP address for downloading CRL files. The setting of this parameter must ensure proper communication between the OMU and the CA. If not, use the default value 0.0.0.0. If the OMU works in active/standby mode, the external fixed IP address cannot be set. If it is set, the OMU cannot communicate properly with the CA after a switchover between the active and standby OMUs.
  GUI Value Range: Valid IP Address
  Unit: None
  Actual Value Range: Valid IP Address
  Default Value: 0.0.0.0
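The two maintenance tasks described by the parameter rows above, the certificate validity check task (SET CERTCHKTSK / SET BTSCERTCHKTSK: ISENABLE, PERIOD, ALMRNG) and the CRL update task (ADD CRLTSK / ADD BTSCRLTSK: ISCRLTIME, PERIOD), can be modelled as scheduling and alarm decisions. The following is an added, standard-library-only Python example written for this page; it is not Huawei code and does not reproduce the BSC or BTS implementation. The class and function names (CertCheckTask, CrlUpdateTask, crl_is_stale, demo) and the timestamps are constructed for the example; the value ranges and defaults are the ones the table documents, and the PERIOD <= ALMRNG rule is the constraint the MBSC row states.

```python
# Added example (not Huawei code): models the certificate validity check
# task and the CRL update task using the parameter semantics in the table.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class CertCheckTask:
    """SET CERTCHKTSK / SET BTSCERTCHKTSK parameters (class name is an assumption)."""
    is_enable: bool = True   # ISENABLE: ENABLE(Enable) by default
    period_days: int = 7     # PERIOD: 1~15 days, default 7
    alarm_days: int = 30     # ALMRNG: 7~180 days, default 30

    def validate(self) -> None:
        """Reject settings outside the documented ranges."""
        if not 1 <= self.period_days <= 15:
            raise ValueError("PERIOD must be within 1~15 days")
        if not 7 <= self.alarm_days <= 180:
            raise ValueError("ALMRNG must be within 7~180 days")
        # The MBSC row states PERIOD <= ALMRNG: a check that runs less often
        # than the alarm window is long could skip over the window entirely.
        if self.period_days > self.alarm_days:
            raise ValueError("PERIOD must not exceed ALMRNG")

    def expiry_alarm(self, now: datetime, not_after: datetime) -> bool:
        """True when a certificate expiry alarm should be reported."""
        if not self.is_enable:
            return False
        return not_after - now < timedelta(days=self.alarm_days)

    def next_check(self, last_check: datetime) -> datetime:
        return last_check + timedelta(days=self.period_days)


@dataclass
class CrlUpdateTask:
    """ADD CRLTSK / ADD BTSCRLTSK parameters (class name is an assumption)."""
    is_crl_time: bool = False  # ISCRLTIME: DISABLE(Disable) by default
    period_hours: int = 24     # PERIOD: 8~240 h, default 24

    def validate(self) -> None:
        if not 8 <= self.period_hours <= 240:
            raise ValueError("PERIOD must be within 8~240 hours")

    def next_update(self, last_update: datetime,
                    crl_next_update: Optional[datetime]) -> datetime:
        """Time of the next scheduled CRL download.

        ENABLE: follow the next update time recorded in the CRL fetched last.
        DISABLE: fixed interval of PERIOD hours after the last download.
        """
        if self.is_crl_time and crl_next_update is not None:
            return crl_next_update
        return last_update + timedelta(hours=self.period_hours)

    def should_update(self, now: datetime, last_update: datetime,
                      crl_next_update: Optional[datetime]) -> bool:
        return now >= self.next_update(last_update, crl_next_update)


def crl_is_stale(now: datetime, crl_next_update: datetime) -> bool:
    """Extra check (an assumption, not a parameter in the table): with
    ISCRLTIME=DISABLE a long PERIOD can outlast the CRL's own next update
    time, so flag a CRL whose next update time has passed even though the
    periodic download is not yet due."""
    return now > crl_next_update


def demo() -> dict:
    """Run both tasks against constructed timestamps and return the decisions."""
    now = datetime(2018, 1, 8, 12, 0, tzinfo=timezone.utc)  # constructed
    chk = CertCheckTask()
    chk.validate()
    try:
        CertCheckTask(period_days=15, alarm_days=7).validate()
        bad_rejected = False
    except ValueError:
        bad_rejected = True
    periodic = CrlUpdateTask(period_hours=240)   # DISABLE, 10-day interval
    periodic.validate()
    follow = CrlUpdateTask(is_crl_time=True)     # ENABLE
    last_download = now - timedelta(hours=48)
    crl_next = now - timedelta(hours=2)          # CRL's nextUpdate already passed
    return {
        "alarm_20d": chk.expiry_alarm(now, now + timedelta(days=20)),
        "alarm_45d": chk.expiry_alarm(now, now + timedelta(days=45)),
        "alarm_disabled": CertCheckTask(is_enable=False).expiry_alarm(
            now, now + timedelta(days=1)),
        "bad_period_rejected": bad_rejected,
        "periodic_due": periodic.should_update(now, last_download, crl_next),
        "follow_due": follow.should_update(now, last_download, crl_next),
        "stale": crl_is_stale(now, crl_next),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The demo shows the operational difference between the two ISCRLTIME modes: with DISABLE and a 240-hour PERIOD, the periodic download is not due 48 hours after the last fetch even though the CRL's own next update time has already passed, so revocation data is stale until the interval elapses; with ENABLE the download is due as soon as that recorded time arrives. The same kind of gap is why the MBSC row requires PERIOD <= ALMRNG for the certificate check.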
11 Counters
12 Glossary
13 Reference Documents