
AVG LDAP Interface Description

Ericsson Home Subscriber Server

INTERWORK DESCRIPTION

1/155 19-CSA 113 098/36 Uen A


Copyright

© Ericsson AB 2016. All rights reserved. No part of this document may be
reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to
continued progress in methodology, design and manufacturing. Ericsson shall
have no liability for any error or damage of any kind resulting from the use
of this document.

Trademark List

All trademarks mentioned herein are the property of their respective owners.
These are shown in the document Trademark Information.

1/155 19-CSA 113 098/36 Uen A | 2017-01-24


Contents

1 Introduction 1
1.1 Related Information 1

2 LDAP Overview 2
2.1 LDAP v3 Supported Features 3
2.2 Limitations 3

3 Running LDAP Clients 3


3.1 LDAP Commands 3
3.1.1 LDAP Add Operation 4
3.1.2 LDAP Modify Operation 5
3.1.3 LDAP Delete Operation 5
3.1.4 LDAP Search Operation 5

4 Class Containment Hierarchy 6


4.1 Provisioning Management 7
4.2 Configuration Management 7
4.3 Security Management 8

5 Object Classes and Attributes 9


5.1 Object Classes and Conventions 9
5.1.1 Introduction 9
5.1.2 Conventions 10
5.2 Attributes and Error Codes Common to All the Object Classes 14
5.3 Configuration Object Classes 16
5.3.1 HSS AVG Application Object Class 16
5.3.2 HSS AVG License Object Class 16
5.3.3 HSS AVG Configuration Container Object Class 17
5.3.4 HSS AVG A4KeysContainer Data Object Class 17
5.3.5 HSS AVG A4Key Object Class 18
5.3.6 HSS AVG Restricted Configuration 19
5.3.7 HSS AVG Requesting Node Type Container Object Class 20
5.3.8 HSS AVG Usim Requesting Node Type Object Class 21
5.3.9 HSS AVG Isim Requesting Node Type Object Class 21
5.3.10 HSS AVG Function Set Container Object Class 22
5.3.11 HSS AVG FSet Object Class 23
5.3.12 HSS AVG GlobalConfiguration Object Class 26
5.3.13 HSS AVG External Database Configuration Object Class 27
5.3.14 HSS AVG A4KeyDes64Container Data Object Class 31
5.4 Security and Administration 31


5.4.1 HSS AVG Security Container Object Class 33


5.4.2 HSS AVG Access Group Object Class 34
5.4.3 HSS AVG Administrator Object Class 35
5.5 Provisioning Object Classes 38
5.5.1 HSS AVG Provisioning Container Object Class 38
5.5.2 HSS AVG IsimUserContainer Object Class 38
5.5.3 HSS AVG Isim User Object Class 38
5.5.4 HSS AVG UsimUserContainer Object Class 40
5.5.5 HSS AVG Usim User Object Class 41
5.6 Initialization Values 42
5.6.1 Specific HSS AVG Object Classes 43

Reference List 45


1 Introduction

This document describes the Lightweight Directory Access Protocol (LDAP)
server included in the Authentication Vectors Generator (AVG) module for
provisioning, configuration, and security data management.

This document explains the LDAP interface for use with AVG in Monolithic
configuration. It describes object creation, modification, retrieval, and deletion;
as well as object attributes and their internal database hierarchy for LDAP. The
AVG Front-End (FE) configuration is outside the scope of this document. For
information on AVG FE, refer to LDAP Interface Description for Accessing
External Database in HSS-FE.

It is intended to be used as a reference for AVG operators that have to use the
LDAP v3 protocol (refer to Lightweight Directory Access Protocol (v3) (RFC
2251)) for AVG data management purposes.

1.1 Related Information

Definition and explanation of acronyms and terminology, trademark information,
and typographic conventions can be found in the following documents:

• Glossary of Terms and Acronyms

• Trademark Information

• Typographic Conventions


2 LDAP Overview

Figure 1 AVG LDAP Architecture

AVG has an LDAP server for configuration, provisioning, and security data
management.

This interface handles the creation, retrieval, update, and deletion (CRUD)
of AVG data.

The LDAP server uses the OpenLDAP front-end, augmented with the
necessary functionality to communicate with the database where AVG data are
stored. For more information, refer to www.openldap.org.

The LDAP clients use the LDAP interface to allow the operator to manage AVG
data. There can be several types of LDAP clients:

• CM Browser (refer to User Administration User Guide) included in the
Telecom Server Platform (TSP) Toolbox (refer to Node Management
Toolbox User Guide).

• Command-line clients


• Any commercial LDAP client

2.1 LDAP v3 Supported Features

The following features are supported by AVG. For a detailed description of the
features, refer to Lightweight Directory Access Protocol (v3) (RFC 2251):

• Transport Layer Security (TLS) support.

• ISO 10646 Character Set with UTF-8 encoding.

• Published schema with object classes and attribute types supported by the
server.

• Referrals to other servers that could attend the requests.

• Numerical OIDs for attribute types and object classes.

2.2 Limitations

In HSS Monolithic configuration, during the provisioning procedure a delay occurs
between the LDAP success response and the changes becoming accessible. This
is a result of JIM using an asynchronous commit to DBN and of the need to
update the POT redundancy replica. The time needed for the update to take place
depends on network characteristics, but is estimated not to exceed 500 ms in
normal scenarios. During this period, messages attempting to access recently
modified POTs are answered with Unable to comply as a result of the database
inconsistency.

3 Running LDAP Clients

This section provides information on how to run LDAP clients.

3.1 LDAP Commands

The OpenLDAP distribution includes several commands, which are documented
in the LDAP manual pages (refer to www.openldap.org).

If a command runs without error, the result code 0 (success) is returned to
the client. If there are errors, an error result code and an error message are
sent back to the client with information about the source of the problem. The
ldapsearch tool returns the objects in the directory that match the search
request, with the specified attributes (if any).

3.1.1 LDAP Add Operation


A typical invocation of ldapadd may be:

ldapadd -H "ldaps://IP_ADDRESS:TLS_LDAP_PORT/" \
-D "administratorName=HSS-AvgProvisioningAdministrator,\
nodeName=jambala" \
-w "Wanda123" -Z -f file \
-P 3

The options are:

• -H specifies the protocol, machine, and port where slapd is running.

• -D specifies the Distinguished Name (DN) to use for binding.

• -w specifies the password to use for binding.

• -P specifies the LDAP version used.

• -Z forces the tool to use the TLS protocol for secure communications.

• -f specifies a file that defines one or more directory entries to add. The
entries are separated by blank lines, and each entry consists of a DN,
followed by zero or more attribute values. Example:

dn=HSS-AvgImpi=user@realm.com,\
HSS-AvgIsimUserContainerName=\
HSS-AvgIsimUserContainer,\
HSS-AvgProvisioningContainerName=\
HSS-AvgProvisioningContainer,\
applicationName=HSS_AVG,nodeName=jambala
objectClass:HSS-AvgIsimUser
HSS-AvgEncryptedK:24AAAFFF8787695BCCF4376BBFFC3892
HSS-AvgA4KeyInd:3
HSS-AvgFSetInd:3
HSS-AvgAmf:1001

Apart from this format, the LDIF (LDAP Data Interchange Format) format
can also be used. For a proper description of the accepted format, consult the
Slapd manual (refer to www.openldap.org). For an 'add' operation, it looks
like:

dn=HSS-AvgImpi=user@realm.com,\
HSS-AvgIsimUserContainerName=\
HSS-AvgIsimUserContainer,\
HSS-AvgProvisioningContainerName=\
HSS-AvgProvisioningContainer,\
applicationName=HSS_AVG,nodeName=jambala
objectClass:HSS-AvgIsimUser
HSS-AvgEncryptedK:42AAAFFF8787695BCCF4376BBFFC3892
HSS-AvgA4KeyInd:3
HSS-AvgFSetInd:3
HSS-AvgAmf:1000

3.1.2 LDAP Modify Operation


The command arguments are almost the same for ldapmodify. Example:

ldapmodify -H "ldaps://IP_ADDRESS:LDAP_PORT/" \
-D "administratorName=HSS-AvgProvisioningAdministrator,\
nodeName=jambala" \
-x -c -r \
-w "Wanda123" -f file \
-P 3

The -H, -D, -w, -P, and -f flags are described for ldapadd. In addition:

• -x specifies that simple authentication can be used.

• -c specifies that ldapmodify can continue with modifications although errors
have occurred.

• -r specifies that the existing values can be replaced by default.

3.1.3 LDAP Delete Operation


For ldapdelete, the file or command-line argument contains only the DN to
delete. Example:

ldapdelete -H "ldaps://IP_ADDRESS:LDAP_PORT/" \
-D "administratorName=HSS-AvgProvisioningAdministrator,\
nodeName=jambala" \
-w "Wanda123" -x -f file \
-P 3

All the flags are described in ldapadd and ldapmodify commands.

3.1.4 LDAP Search Operation


A typical ldapsearch command:

ldapsearch -H "ldaps://IP_ADDRESS:LDAP_PORT/" \
-D "administratorName=HSS-AvgProvisioningAdministrator,\
nodeName=jambala" \
-w "Wanda123" \
-b "applicationName=HSS_AVG, nodename=jambala" \
-s sub \
-x \
-P 3

The -H, -D, -x, -P, and -w flags are as described for ldapadd. In addition:

• -b specifies the DN of the base object for the search (the root of the
subtree to search)

• -s specifies the scope. Valid scopes are "base", "one" and "sub", for "base
object only", "first-level children" and "entire subtree".

The first non-flag argument is the filter (required). Complex filters are allowed,
for example: "(HSS-AvgImpi=*)" is used to retrieve all the user impi values.

For objects with multi-valued attributes, if any value matches the filter criteria
then the object is returned.

Following the filter is an optional list of attributes to retrieve. By default all
attributes are retrieved. The behavior is the same if all user attributes are
requested through the * character.

The output of ldapsearch is printed to stdout, in a format similar to the input
format of ldapadd.

4 Class Containment Hierarchy

The following diagrams show the architectural design of the AVG application
database that can be managed through the LDAP interface.

The relations shown in the diagram have the following meaning:

• Aggregation: the two objects are related by a parent-child relationship.
The parent object (acting as a container) can hold the children, and can
be responsible for any operation that involves managing the child (creation
or deletion).

This relation is represented by:


4.1 Provisioning Management

Figure 2 depicts the AVG Managed Object Classes model for provisioning
purposes:

All the attributes related to those objects are listed in Section 5 on page 9.

Figure 2 Provisioning Management Object Class Model

4.2 Configuration Management

Figure 3 depicts the AVG Object Classes model for configuration purposes:

All the attributes related to those objects are listed in Section 5 on page 9.


Figure 3 Configuration Management Object Class Model

4.3 Security Management

Figure 4 depicts the AVG Object Classes model for security purposes:

All the attributes related to those objects are listed in Section 5 on page 9.


Figure 4 Security Management Object Class Model

5 Object Classes and Attributes

This section provides information about object classes and attributes.

5.1 Object Classes and Conventions

This section provides information about object classes and conventions.

5.1.1 Introduction
The tables in the following chapters specify all AVG object classes and their
attributes.

As shown in Section 4 on page 6, the LDAP hierarchy has a tree pattern. This
tree is called the Directory Information Tree (DIT) and it is composed of entries
that have one or more key attributes. Those attribute names and their values
form the Relative Distinguished Name (RDN) of an object. The concatenation of
the RDNs of the sequence of entries from a particular object to the root entry
of the tree forms the Distinguished Name (DN). This DN uniquely identifies an
object inside the tree. For example, the DN of an HSS-AvgIsimUser object
(see Page 7) is:

HSS-AvgImpi=user@realm.com,
HSS-AvgIsimUserContainerName=HSS-AvgIsimUserContainer,
HSS-AvgProvisioningContainerName=HSS-AvgProvisioningContainer,
applicationName=HSS_AVG,nodeName=jambala

The format of the tables (that appears from ) has a header and three different
columns with the following information:

Table 1 Object Class Table Format

Header: object class name

Attributes: brief description of the attributes.

Format, Remarks, Constraints: description of the LDAP syntax characteristics
of the attributes. For more details, refer to Lightweight Directory Access
Protocol (v3): Attribute Syntax Definitions (RFC 2252).

Examples: example values of the attributes.

5.1.2 Conventions

The following data types in the Ericsson AVG Server Managed Object LDAP
hierarchy have special conventions:

Types

• String: Printable string. Example: "HSS-AvgFSetContainerName:FsetContainer1".
It is always considered as case insensitive.

• Unsigned: Value of an unsigned integer number represented as a
numeric string in printable format. Range is [0,4294967295]. Example:
"HSS-AvgA4KeyInd: 512".

• Boolean: Represented as a case-sensitive string with one of the following
values: "TRUE" or "FALSE". Example: "HSS-AvgServicesLogStatus: TRUE".

• Enum: Enumerated values are represented as strings. Example:
HSS-AvgReqNodeTypeInfo = {"AAA", "CSCF", "MME"}.

• Struct: A string representing a structured attribute, where the ":" (colon)
character is used to separate the different fields, for example: "0:1". In
TSP attribute fields containing ":", the colon is escaped by a preceding '\', for
example "0\:1". Example: "512\:1\:23".

• Struct Array: An attribute where each array member is represented as a
structured attribute value. The first field in the structure is the array index
(the first array index is 0) and the remaining (one or more) fields constitute the
different values. A Struct Array is used when element order is significant
or several array members have the same value. Example: "0:512:1:23"
for groups.

• NAI: The NAI format definition is username or username@realm. An
example of a valid NAI is user1@hss.org, and an example of an invalid
one is user1@hss. For more information about the NAI format, refer to The
Network Access Identifier (RFC 2486).

• DN: Distinguished Name, a comma-separated list containing the complete
Relative Distinguished Name (RDN) hierarchy for an object. Distinguished
Names are stored in the database using all-lowercase.

In the LDAP v3 protocol, a backslash "\" character in a DN is escaped
with a backslash.

• Restricted LDAP URL: The restrictedLDAPURL format definition is:

"ldap://" [hostport]
hostport = hostname [port]
hostname = Domain name or IP address
port = ":" 1*DIGIT

Note: If an IP address is used in the hostname field, its format can be
either IPv4 or IPv6.

• Restricted SIP URI: The restricted SIP URI has the format
sip:userinfo host. userinfo follows the format userinfo =
( user / telephone-subscriber ) "@", where the user or
telephone-subscriber category includes one or more of the following
characters:

mark: - _ . ! ~ * ' ( )
ALPHA: a b c d e f g h i j k l m n o p q r s t u v w x y z
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
DIGIT: 0 1 2 3 4 5 6 7 8 9
user-unreserved: & = + $ , ; ? /

An example of a valid restricted SIP URI is sip:user1@ericsson.com. For
more information, refer to SIP: Session Initiation Protocol (RFC 3261).

Note: Any other character is not supported. Escaped characters, such
as % HEX HEX, are not supported. So if %23 is received, it is
interpreted as three independent characters: "%", "2" and "3";
it is not interpreted using its corresponding ASCII translation.

• HEX string: HEX representation of an octet array in which every character
in the HEX string is the HEX representation of 4 bits in the octet array.
Example: HSS-AvgA4Key="012345678901234567890123456789AF".
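To make the DN composition of Section 5.1.1 and the value conventions above concrete, the following is an added Python example (not AVG or OpenLDAP code) that builds a DN from its RDNs with RFC 4514 escaping, encodes and decodes Struct and Struct Array values with the escaped colon, and validates NAI, restricted SIP URI and HEX string values as the bullets define them; every function name in it is an assumption chosen for the example.

```python
"""Helpers for the AVG LDAP value conventions of Sections 5.1.1 and 5.1.2.

Added example for this description, not AVG or OpenLDAP code. The function
names (build_dn, decode_struct_array, is_restricted_sip_uri, ...) are chosen
here and are not names from the AVG schema.
"""
import re

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape one RDN attribute value so ',' and '=' inside it do not split the DN."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in _DN_SPECIAL or leading or trailing else ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs from the object up to the root, as in the
    HSS-AvgIsimUser DN of Section 5.1.1 (leaf RDN first, nodeName last)."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def encode_struct(fields):
    """Struct: fields joined by ':'; a ':' inside a field is written as '\\:'."""
    return ":".join(f.replace(":", "\\:") for f in fields)


def decode_struct(value):
    """Split on unescaped ':' only, so '0\\:1' is the single field '0:1'."""
    fields, cur, i = [], [], 0
    while i < len(value):
        if value[i] == "\\" and value[i + 1:i + 2] == ":":
            cur.append(":")
            i += 2
        elif value[i] == ":":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(value[i])
            i += 1
    fields.append("".join(cur))
    return fields


def decode_struct_array(values):
    """Struct Array: each value's first field is the 0-based index; the rest are
    the member's fields. Returns members in index order, rejecting gaps/duplicates."""
    members = {}
    for v in values:
        idx, *rest = decode_struct(v)
        idx = int(idx)
        if idx in members:
            raise ValueError(f"duplicate array index {idx}")
        members[idx] = rest
    if sorted(members) != list(range(len(members))):
        raise ValueError("array indexes must run contiguously from 0")
    return [members[i] for i in range(len(members))]


# NAI: 'username' or 'username@realm'; the realm must be a dotted domain name,
# so user1@hss.org is valid and user1@hss is not.
_NAI_RE = re.compile(r"^[^@\s]+(@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)?$")


def is_valid_nai(value):
    return _NAI_RE.fullmatch(value) is not None


# Restricted SIP URI user part: mark, ALPHA, DIGIT and user-unreserved only.
_SIP_USER_CHARS = set("-_.!~*'()&=+$,;?/") | set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def is_restricted_sip_uri(uri):
    """sip:user@host. '%' is not an allowed character, so an escape such as %23
    is rejected rather than decoded, matching the note in Section 5.1.2."""
    if not uri.startswith("sip:"):
        return False
    user, at, host = uri[4:].partition("@")
    return (bool(at) and bool(user) and set(user) <= _SIP_USER_CHARS
            and _HOST_RE.fullmatch(host) is not None)


def is_hex_attribute(value, length=32):
    """HEX string of exactly `length` hex digits (each digit encodes 4 bits)."""
    return len(value) == length and re.fullmatch(r"[0-9A-Fa-f]+", value) is not None


def parse_hex_attribute(value, length=32):
    """Return the octet array behind a HEX string such as HSS-AvgA4Key."""
    if not is_hex_attribute(value, length):
        raise ValueError(f"expected {length} hex characters, got {value!r}")
    return bytes.fromhex(value)
```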

General Conventions

• All attribute values are printable ASCII.

• All time intervals are in seconds, whenever something different is not
specified.

• IP Addresses are dotted-decimal.

• '*' indicates attributes that form part of the DN.

• "" indicates an empty value; the attribute is shown when a search LDAP
operation is made on it, although with an empty value.

• — indicates no value. In this case, the attribute is not shown when a search
LDAP operation is made on it.

• Those attributes qualified as optional, which do not have an associated
Creation Value, are created by default as <empty> (see the corresponding
<empty> convention).

• Attributes qualified as optional, with an associated default Creation
Value, take that value at creation time. These attributes cannot be
modified to have an <empty> value unless specified for the attribute.

• When creating instances of the object classes, all attributes marked as
"mandatory" must be present.

• There are four types of attributes concerning write-protection or visibility:

  - read-only: the attribute can be read but it cannot be modified.

  - read-write: the attribute can be read and modified at any time.

  - write-once: the attribute is written only at creation time of the object
  class. After that no modification is possible, although it can be read.

  - write-only: the attribute can be written at creation time and modified at
  any time, but it is not possible to retrieve it through search operations.

• The objects created automatically at installation time do not have the
"Required" field since it is not possible to create them later on.

• Key attributes can be marked in the "Format, Remarks, Constraints" field
as primary key, secondary key, or pseudo key. When there is more than
one key, the primary key is listed first.

Parameter Categories

The parameters are divided into four categories: Internal Parameters, Solution
Integration Parameters, Site Specific Parameters, and Operator Configurable
Parameters. The different categories are as follows:

• Internal Parameters: Internal parameters are constants. The intention is
that these parameters cannot be changed.

• Solution Integration Parameters: Solution integration parameters are
delivered with recommended default settings and changes must normally
be performed by Ericsson trained personnel only. There are a few
different reasons that make a parameter classified as solution integration
dependent, as follows:

  - The parameter value selection has a visible impact on the
  characteristics of the Network Element (such as capacity and latency)
  in a way that is not reasonable to foresee.

  - The parameter value selection depends on other parameters, possibly
  including parameters in other Network Elements. That is, parameter
  setting coordination is required.

  - The parameter value selection is an important element of achieving a
  required system behavior, for example, redundancy.

• Site-Specific Parameters: The site-specific parameters depend on network
topology and the physical location of the IMS equipment. These parameters
are given values that are unique for each deployment; some of the settings
must be coordinated with other deployed Network Elements. For a specific
deployment scenario, the operator (preferably in collaboration with the BU
Global Services personnel, especially for change operations) selects the
parameter value. In general, the site-specific parameters are configured
during the initial installation.

• Operator Configurable Parameters: Operator configurable parameters
can be freely configured by the operator to achieve the expected system
behavior.

Conventions Related to Integer Attributes

• Integer values are represented as strings where each character is a digit.

• Integer attributes have unsigned integer 8 bit (uint8), 16 bit (uint16), and
32 bit (uint32) values.

Conventions Related to String Attributes

• Default length is 255 characters, whenever something different is not
specified.

• Case-sensitive strings are stored in the database as they are entered.

• Case independent strings (for example administrator name and access
group name) are stored in the database as all-lowercase.

• Special characters must be introduced between quotes (" "). This
convention applies to special characters except "," and "=". For more
information, refer to Lightweight Directory Access Protocol (LDAP): String
Representation of Distinguished Names (RFC 4514).

5.2 Attributes and Error Codes Common to All the Object Classes

All LDAP-managed objects in the database include general attributes common
to any object in the LDAP tree. These attributes include the objectClass, and
attributes related to the object permissions for every object instance.

The owner, group, and permissions attributes are similar to the corresponding
attributes of a Unix file system.

Table 2 Common Attributes

All Objects

objectClass
  Description: The name of the object in the hierarchy tree.
  Type: case-sensitive string
  Visibility: read-only
  Example: "HSS-AvgFSet"

ownerId
  Description: This attribute identifies the administrator that owns the
  object. At object creation, it is automatically set to the administratorId
  of the authenticated administrator if the attribute is not specified.
  Type: uint32
  Range: jambala or any other HSS-Administrator
  Visibility: read-write
  Required: optional
  Creation Value: see Section 5.4 on page 31
  Example: 111

groupId
  Description: This attribute identifies an access group, whose
  administrators have group permissions over the object. At object
  creation, it is automatically set to the primary Access Group of the
  authenticated administrator if the attribute is not specified.
  Type: uint32
  Range: any HSS-AccessGroup
  Visibility: read-write
  Required: optional
  Creation Value: see Section 5.4 on page 31
  Example: 111

shareTree (1)
  Description: This attribute refers to a container object. All
  administrators defined as part of the shareTree have share permissions
  for the container and its leaf objects.
  Type: DN
  Visibility: read-write
  Creation Value: see Section 5.4 on page 31
  Example: "nodeName=jambala"

permissions
  Description: This attribute specifies the operations group members are
  allowed to perform on an object class (group permissions). It also
  specifies the operations allowed for other administrators (share
  permissions). It is treated as a bitmap: in the creation value, the
  integer value "9" is equivalent to having set to '1' the first and
  fourth lower bits: 0 0 0 1 0 0 0 1, which translates to the group and
  others being allowed only to Read.
  Type: uint8, bitmask
  Range: [0-63]
  Values:
    • groupReadBit := 0x01
    • groupUpdateBit := 0x02
    • groupManageBit := 0x04
    • shareReadBit := 0x08
    • shareUpdateBit := 0x10
    • shareManageBit := 0x20
  Visibility: read-write
  Required: optional
  Creation Value: see Section 5.4 on page 31
  Example: 9

(1) Do not use this parameter, it is deprecated and only retained for backward compatibility.
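The bitmask semantics of the permissions attribute, as an added Python example (not AVG code): it decodes and encodes the six bits of Table 2, reports which operations the group or other administrators get, and scans constructed ldapsearch-style output for objects whose share bits grant other administrators Update or Manage rather than the Read-only creation value 9. The helper names and the sample entries are assumptions made here.

```python
"""Decode, encode and audit the AVG 'permissions' bitmask of Table 2.

Added example for this description, not AVG code. parse_ldif_entries and
find_broadly_shared are names chosen here, and SAMPLE_SEARCH_OUTPUT is a
constructed sample in the style of ldapsearch output.
"""

# Bit values exactly as listed in Table 2.
PERMISSION_BITS = {
    "groupRead": 0x01, "groupUpdate": 0x02, "groupManage": 0x04,
    "shareRead": 0x08, "shareUpdate": 0x10, "shareManage": 0x20,
}
PERMISSIONS_MAX = 63  # Range [0-63]: six bits


def decode_permissions(value):
    """Map a permissions integer (or its string form) to the six named flags;
    values outside [0-63] are rejected."""
    value = int(value)
    if not 0 <= value <= PERMISSIONS_MAX:
        raise ValueError(f"permissions {value} outside [0-{PERMISSIONS_MAX}]")
    return {name: bool(value & bit) for name, bit in PERMISSION_BITS.items()}


def encode_permissions(*names):
    """Build the integer from flag names, e.g. ('groupRead', 'shareRead') -> 9."""
    value = 0
    for name in names:
        value |= PERMISSION_BITS[name]  # KeyError for an unknown flag name
    return value


def allowed_operations(value, relation):
    """Operations granted to 'group' (members of groupId) or 'share'
    (other administrators) by the bitmask."""
    if relation not in ("group", "share"):
        raise ValueError("relation must be 'group' or 'share'")
    flags = decode_permissions(value)
    return {op for op in ("Read", "Update", "Manage") if flags[relation + op]}


def parse_ldif_entries(text):
    """Minimal parser for blank-line-separated 'attribute: value' entries,
    the shape in which ldapsearch prints its results."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, val = line.partition(":")
        current.setdefault(attr.strip(), []).append(val.strip())
    if current:
        entries.append(current)
    return entries


def find_broadly_shared(ldif_text):
    """Return (dn, operations) for entries whose share bits let other
    administrators update or manage them; the creation value 9 only grants
    Read and is therefore not reported."""
    findings = []
    for entry in parse_ldif_entries(ldif_text):
        if "permissions" not in entry:
            continue
        ops = allowed_operations(entry["permissions"][0], "share")
        if ops & {"Update", "Manage"}:
            findings.append((entry["dn"][0], sorted(ops)))
    return findings


# Constructed sample; the first DN is the Section 5.1.1 example, the second is made up.
SAMPLE_SEARCH_OUTPUT = """\
dn: HSS-AvgImpi=user@realm.com,HSS-AvgIsimUserContainerName=HSS-AvgIsimUserContainer,HSS-AvgProvisioningContainerName=HSS-AvgProvisioningContainer,applicationName=HSS_AVG,nodeName=jambala
objectClass: HSS-AvgIsimUser
ownerId: 111
groupId: 111
permissions: 9

dn: HSS-AvgImpi=user2@realm.com,HSS-AvgIsimUserContainerName=HSS-AvgIsimUserContainer,HSS-AvgProvisioningContainerName=HSS-AvgProvisioningContainer,applicationName=HSS_AVG,nodeName=jambala
objectClass: HSS-AvgIsimUser
ownerId: 111
groupId: 111
permissions: 63
"""

if __name__ == "__main__":
    print(decode_permissions(9))
    for dn, ops in find_broadly_shared(SAMPLE_SEARCH_OUTPUT):
        print(f"{dn}: other administrators may {', '.join(ops)}")
```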

Common errors are provided by the platform and also specific errors are
provided by AVG. The specific errors are collected as OAM logging events in
AVG Logging Events. For information about common errors, refer to LDAP
Interface Description.

5.3 Configuration Object Classes

This section provides information about configuration object classes.

5.3.1 HSS AVG Application Object Class

As any other application, the AVG module needs to have an application class to
serve as a container for the objects belonging to that application.

This object is created automatically at installation time.

Table 3 HSS AVG Application Object Class

HSS-AvgApplication

*applicationName
  Description: This attribute identifies the application object. This name is
  defined during the installation and cannot be changed.
  Type: case-sensitive string
  Category: Internal
  Visibility: read-only
  Creation Value: "HSS_AVG"
  Primary key
  Example: "HSS_AVG"

5.3.2 HSS AVG License Object Class

The HSS AVG License object contains information related to the availability state
of a license.

This object is created automatically at installation time.


Table 4 HSS AVG License Object Class

HSS-AvgLicense

*HSS-AvgLicenseName
  Description: This attribute identifies the AVG License object class.
  Type: case-sensitive string
  Category: Internal
  Visibility: read-only
  Creation Value: HSS-AvgLicense
  Primary key
  Example: HSS-AvgLicense

HSS-AvgIsActive
  Description: This attribute states whether the AVG module is enabled or not.
  Type: boolean
  Category: Site Specific
  Visibility: read-only
  Creation Value: FALSE
  Example: TRUE

5.3.3 HSS AVG Configuration Container Object Class

The HSS-Avg Configuration Container object is used to contain the objects
related to different configurations.

This object is created automatically at installation time.

Table 5 HSS AVG Configuration Container Object Class

HSS-AvgConfigurationContainer

*HSS-AvgConfigurationContainerName
  Description: This attribute identifies the configuration container.
  Type: case-sensitive string
  Category: Internal
  Visibility: read-only
  Creation Value: HSS-AvgConfigurationContainer
  Primary key
  Example: "HSS-AvgConfigurationContainer"

5.3.4 HSS AVG A4KeysContainer Data Object Class

The HSS-Avg A4Keys Container object is used to contain all the objects related
to different A4keys.

This object is created automatically at installation time.


Table 6 HSS AVG A4KeysContainer Data Object Class

HSS-AvgA4KeyContainer

*HSS-AvgA4KeyContainerName
  Description: This attribute identifies the A4Key configuration container.
  Type: case-sensitive string
  Category: Internal
  Visibility: read-only
  Creation Value: HSS-AvgA4KeyContainer
  Primary key
  Example: "HSS-AvgA4KeyContainer"

5.3.5 HSS AVG A4Key Object Class

The HSS-Avg A4Key object contains the keys needed to cipher/decipher the
subscriber key.

Before deleting an HSS-AvgA4Key object class, verify that there are no users
in HSS-Avg still using it.

Constraints

It is not possible to modify any attribute. Only the complete deletion of the
object class is possible.

It is possible to define A4keys only if HSS-AvgCustomerKey is defined.

The HSS-AvgA4Key can only be used if the HSS-AvgKeyPlainTextEnable
attribute is TRUE.

HSS-AvgA4Key and HSS-AvgEncryptedA4Key cannot both be present at
the same time. Only one of them must be present.

Table 7 HSS AVG A4Key Object Class

HSS-AvgA4Key

*HSS-AvgA4KeyInd
  Description: This attribute identifies the A4Key indication.
  Type: uint16
  Category: Site Specific
  Visibility: write-once
  Range: [1–512]
  Primary key
  Example: "1"

HSS-AvgA4Key
  Description: The A4Key in plain text. It cannot be read by default since
  the plain text cannot be retrieved.
  Type: HEX string
  Format: 32 characters
  Category: Site Specific
  Visibility: write-once
  Required: optional
  Example: "012345678901234567890123456789AF"

HSS-AvgEncryptedA4Key
  Description: The encrypted A4Key value.
  Type: HEX string
  Format: 32 characters
  Category: Site Specific
  Visibility: write-once
  Required: optional
  Example: "88AAAFFF8787695BCCF4376BBFFC389"

5.3.6 HSS AVG Restricted Configuration

The HSS-Avg Restricted Configuration objects contain the information related
to sensitive data encryption. An instance of this object is automatically created
at installation time by the application.

Constraints

HSS-AvgCustomerKey can be modified only if OPs, A4Keys, and R1-R5
values have not been defined.

Table 8 HSS AVG Restricted Configuration

HSS-AvgRestrictedConfiguration

*HSS-AvgRestrictedConfigurationName
  Description: This attribute identifies the restricted configuration name.
  Type: case-sensitive string
  Category: Internal
  Visibility: read-only
  Creation Value: HSS-AvgRestrictedConfiguration
  Primary key
  Example: "HSS-AvgRestrictedConfiguration"

HSS-AvgCustomerKey
  Description: The Customer Key value.
  Type: HEX string
  Format: 32 characters
  Category: Site Specific
  Visibility: write-only
  Example: "878964578DFDE1DCEFF112233448BAAA"

HSS-AvgKeyPlainTextEnable
  Description: This attribute indicates that the A4Key and the OP can be
  introduced in plain text.
  Type: Boolean
  Category: Site Specific
  Visibility: read-write
  Creation Value: "FALSE"
  Example: "TRUE"

HSS-AvgSecurityLogStatus
  Description: A flag that states whether the Security Log is active or not.
  Type: Boolean
  Category: Customer Configurable
  Visibility: read-write
  Creation Value: "TRUE"
  Example: "FALSE"

5.3.7 HSS AVG Requesting Node Type Container Object Class

The HSS-Avg Requesting Node Type Container is used to group all the
requesting node types.

This object is created automatically at installation time.

Table 9 HSS AVG Requesting Node Type Container Object Class

HSS-AvgReqNodeTypeContainer

*HSS-AvgReqNodeTypeContainerName
  Description: This attribute identifies the requesting node type container.
  Type: case-sensitive string
  Category: Internal
  Visibility: read-only
  Creation Value: HSS-AvgReqNodeTypeContainer
  Primary key
  Example: "HSS-AvgReqNodeTypeContainer"


5.3.8 HSS AVG Usim Requesting Node Type Object Class

The HSS-Avg Usim Requesting Node Type objects contain information related
to the requesting node type that is supported when the HSS-Avg User Identity
is a USIM type. Each object specifies a requesting node type and the valid
range for IND values. It is possible to create, retrieve, modify, and delete these
objects.

Table 10 HSS AVG Usim Requesting Node Type Object Class

HSS-AvgUsimReqNodeType

*HSS-AvgUsimReqNodeTypeName
  Description: Attribute used to identify the requesting node type.
  Type: enum (AAA, CSCF, MME, BSF, EPSAAA)
  Category: Solution Integration
  Visibility: write-once
  Primary key
  Example: "MME"

HSS-AvgInitialIndValue
  Description: Attribute used to identify the initial value for the IND range.
  Type: uint8
  Category: Site Specific
  Visibility: read-write
  Range: [0-31]
  Required: mandatory
  Example: "1"

HSS-AvgEndIndValue
  Description: Attribute used to identify the end value for the Requesting
  Node Type Index (IND) range.
  Type: uint8
  Category: Site Specific
  Visibility: read-write
  Range: [0-31]
  Required: mandatory
  Constraints: This value is recommended to be greater than or equal to
  HSS-AvgInitialIndValue
  Example: "5"

5.3.9 HSS AVG Isim Requesting Node Type Object Class

The HSS-Avg Isim Requesting Node Type objects contain information related
to the requesting node type that is supported when the HSS-Avg User Identity
is an ISIM type. Each object specifies a requesting node type and the valid
range for IND values. It is possible to create, retrieve, modify, and delete these
objects.


Table 11 HSS AVG Isim Requesting Node Type Object Class

HSS-AvgIsimReqNodeType

Attribute: *HSS-AvgIsimReqNodeTypeName
  Description: Attribute used to identify the requesting node type.
  Type: enum (AAA, CSCF, MME, BSF)
  Category: Solution Integration
  Visibility: write-once
  Primary key
  Example: "CSCF"

Attribute: HSS-AvgInitialIndValue
  Description: Attribute used to identify the initial value for the IND range.
  Type: uint8
  Category: Solution Integration
  Visibility: read-write
  Range: [0-31]
  Required: mandatory
  Example: "6"

Attribute: HSS-AvgEndIndValue
  Description: Attribute used to identify the end value for the IND range.
  Type: uint8
  Category: Solution Integration
  Visibility: read-write
  Range: [0-31]
  Required: mandatory
  Constraints: This value is recommended to be greater than or equal to HSS-AvgInitialIndValue
  Example: "9"

5.3.10 HSS AVG Function Set Container Object Class


The HSS-Avg Function Set Container is used to contain below itself all the
objects related to function set identifiers and their associated data.

This object is created automatically at installation time.


Table 12 HSS AVG Function Set Container Object Class

HSS-AvgFSetContainer

Attribute: *HSS-AvgFSetContainerName
  Description: This attribute identifies the Function Set container.
  Type: case-sensitive string
  Category: Internal
  Visibility: read-only
  Creation Value: HSS-AvgFSetContainer
  Primary key
  Example: "HSS-AvgFSetContainer"

5.3.11 HSS AVG FSet Object Class


The HSS-Avg FSet object contains information related to the algorithm name
and the OP values used by the algorithm.

Before creating an HSS-Avg FSet object, the HSS-AvgCustomerKey value
must be defined. Before deleting an HSS-Avg FSet object, verify that there
are no users in HSS-Avg still using it.

Constraints

No more than 17 instances of the HSS-AvgFSet object can be created.

An instance of HSS-AvgFSet with HSS-AvgFSetInd set to 0 and
HSS-AvgFSetName set to Test is created at installation time. This instance is
reserved (instances with the same name are not allowed). This instance cannot
be modified (OPs cannot be modified) nor deleted.

The HSS-AvgFSetOp and HSS-AvgFSetEncryptedOp attributes cannot both be
present simultaneously. Exactly one of them must be present in each instance
of HSS-AvgFSet.

The HSS-AvgFSetOp attribute can be used only if the AvgKeyPlainTextEnable
attribute is TRUE.

Table 13 HSS AVG FSet Object Class

HSS-AvgFSet

Attribute: *HSS-AvgFSetInd
  Description: Attribute used to identify the function set identifier.
  Type: uint8
  Category: Site Specific
  Visibility: write-once
  Primary key
  Example: "1"

Attribute: HSS-AvgFSetName
  Description: Attribute used to identify the algorithm.
  Type: enum (Test, Milenage)
  Category: Site Specific
  Visibility: read-write
  Required: mandatory
  Example: "Milenage"

Attribute: HSS-AvgFSetOp
  Description: Attribute used to define the Operator variant algorithm. It cannot be read by default since the plain text cannot be retrieved.
  Type: HEX string
  Category: Site Specific
  Visibility: write-only
  Format: 32 characters
  Required: optional
  Example: "01234567890123456789AB0123456789"

Attribute: HSS-AvgFSetEncryptedOp
  Description: Attribute used to manage the encrypted Operator variant algorithm.
  Type: HEX string
  Category: Site Specific
  Visibility: read-write
  Format: 32 characters
  Required: optional
  Example: "01234BBFF9AAAB456789AB0123456789"

Attribute: HSS-AvgR1
  Description: Attribute used to identify the R1 constant. Only applicable to Milenage algorithm. If this attribute is left empty, the default value for Milenage applies.
  Type: uint8
  Category: Site Specific
  Visibility: write-only
  Required: optional
  Range: [0–127]
  Constraint: This attribute, HSS-AvgR2, HSS-AvgR3, HSS-AvgR4, and HSS-AvgR5 must be modified within the same LDAP operation
  Example: "64"

Attribute: HSS-AvgR2
  Description: Attribute used to identify the R2 constant. Only applicable to Milenage algorithm. If this attribute is left empty, the default value for Milenage applies.
  Type: uint8
  Category: Site Specific
  Visibility: write-only
  Range: [0–127]
  Constraint: This attribute, HSS-AvgR1, HSS-AvgR3, HSS-AvgR4, and HSS-AvgR5 must be modified within the same LDAP operation
  Example: "0"

Attribute: HSS-AvgR3
  Description: Attribute used to identify the R3 constant. Only applicable to Milenage algorithm. If this attribute is left empty, the default value for Milenage applies.
  Type: uint8
  Category: Site Specific
  Visibility: write-only
  Required: optional
  Range: [0–127]
  Constraint: This attribute, HSS-AvgR1, HSS-AvgR2, HSS-AvgR4, and HSS-AvgR5 must be modified within the same LDAP operation
  Example: "32"

Attribute: HSS-AvgR4
  Description: Attribute used to identify the R4 constant. Only applicable to Milenage algorithm. If this attribute is left empty, the default value for Milenage applies.
  Type: uint8
  Category: Site Specific
  Visibility: write-only
  Required: optional
  Range: [0–127]
  Constraint: This attribute, HSS-AvgR1, HSS-AvgR2, HSS-AvgR3, and HSS-AvgR5 must be modified within the same LDAP operation
  Example: "64"

Attribute: HSS-AvgR5
  Description: Attribute used to identify the R5 constant. Only applicable to Milenage algorithm. If this attribute is left empty, the default value for Milenage applies.
  Type: uint8
  Category: Site Specific
  Visibility: write-only
  Required: optional
  Range: [0–127]
  Constraint: This attribute, HSS-AvgR1, HSS-AvgR2, HSS-AvgR3, and HSS-AvgR4 must be modified within the same LDAP operation
  Example: "96"

Note: The values supported for HSS-AvgFSetName are Test and Milenage.
Any other value depends on commercial agreements.
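The constraints above (the reserved instance 0/Test, the 17-instance limit, exactly one of HSS-AvgFSetOp or HSS-AvgFSetEncryptedOp, the AvgKeyPlainTextEnable gate, the R1 to R5 same-operation rule and the no-users-still-referencing rule for delete) as a pre-flight check a provisioning script could run before issuing the LDAP add, modify or delete. This is an added example, not Ericsson's code; it models an instance as a dict of attribute values, the plaintext-enable flag as a boolean argument, and user references as a list of HSS-AvgFSetInd values.

```python
import re
from typing import Dict, Iterable, List

# Constraints from Section 5.3.11 and Table 13 (example code, not Ericsson's)
MAX_FSET_INSTANCES = 17
RESERVED_IND, RESERVED_NAME = 0, "Test"        # installed at installation; immutable
KNOWN_ALGORITHMS = {"Test", "Milenage"}        # other names depend on commercial agreements
R_ATTRS = ("HSS-AvgR1", "HSS-AvgR2", "HSS-AvgR3", "HSS-AvgR4", "HSS-AvgR5")
OP, EOP = "HSS-AvgFSetOp", "HSS-AvgFSetEncryptedOp"
IND, NAME = "HSS-AvgFSetInd", "HSS-AvgFSetName"
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

FSet = Dict[str, object]   # attribute name -> value, as an LDAP client would send it


def _op_errors(attrs: FSet, op_written: bool, plain_text_enabled: bool) -> List[str]:
    errs = []
    if (OP in attrs) == (EOP in attrs):            # both present or both absent
        errs.append(f"exactly one of {OP} and {EOP} must be present")
    if op_written and not plain_text_enabled:
        errs.append(f"{OP} may only be written while AvgKeyPlainTextEnable is TRUE")
    for a in (OP, EOP):
        if a in attrs and not HEX32.match(str(attrs[a])):
            errs.append(f"{a} must be a 32-character HEX string")
    return errs


def _r_errors(changes: FSet) -> List[str]:
    """R1..R5 are optional, but if any is written all five go in the same operation."""
    errs = []
    touched = [a for a in R_ATTRS if a in changes]
    if touched and len(touched) != len(R_ATTRS):
        errs.append("HSS-AvgR1 to HSS-AvgR5 must be modified within the same LDAP operation")
    for a in touched:
        v = changes[a]
        if v is not None and (not isinstance(v, int) or not 0 <= v <= 127):
            errs.append(f"{a} must be an integer in [0-127], got {v!r}")
    return errs


def fset_add_errors(new: FSet, existing: Dict[int, FSet], plain_text_enabled: bool) -> List[str]:
    """Violations an LDAP add of a new HSS-AvgFSet would hit; empty list = acceptable."""
    errs = []
    if len(existing) >= MAX_FSET_INSTANCES:
        errs.append(f"no more than {MAX_FSET_INSTANCES} HSS-AvgFSet instances may exist")
    ind, name = new.get(IND), new.get(NAME)
    if ind in existing:
        errs.append(f"{IND} {ind} already exists")
    if ind == RESERVED_IND or name == RESERVED_NAME:
        errs.append(f"{IND} {RESERVED_IND} / {NAME} {RESERVED_NAME} is reserved")
    if name not in KNOWN_ALGORITHMS:
        errs.append(f"{NAME} {name!r} is not available without a commercial agreement")
    return errs + _op_errors(new, OP in new, plain_text_enabled) + _r_errors(new)


def fset_modify_errors(ind: int, changes: FSet, existing: Dict[int, FSet],
                       plain_text_enabled: bool) -> List[str]:
    """Violations an LDAP modify would hit. A value of None in `changes` models
    deleting that attribute (needed when switching from EncryptedOp to Op)."""
    if ind not in existing:
        return [f"{IND} {ind} does not exist"]
    if ind == RESERVED_IND:
        return ["the reserved Test instance cannot be modified"]
    merged = {k: v for k, v in {**existing[ind], **changes}.items() if v is not None}
    return _op_errors(merged, changes.get(OP) is not None, plain_text_enabled) + _r_errors(changes)


def fset_delete_errors(ind: int, existing: Dict[int, FSet],
                       user_fset_inds: Iterable[int]) -> List[str]:
    """A function set may only be deleted when no HSS-Avg user references it."""
    if ind not in existing:
        return [f"{IND} {ind} does not exist"]
    if ind == RESERVED_IND:
        return ["the reserved Test instance cannot be deleted"]
    in_use = sum(1 for u in user_fset_inds if u == ind)
    return [f"{in_use} user(s) still reference {IND} {ind}"] if in_use else []
```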

5.3.12 HSS AVG GlobalConfiguration Object Class


The HSS-Avg Global object contains information related to the configuration
of the AVG module. An instance of this object is automatically created by the
application at installation time.


Table 14 HSS AVG GlobalConfiguration Object Class

HSS-AvgGlobalConfiguration

Attribute: *HSS-AvgGlobalConfigurationName
  Type: case-sensitive string
  Category: Internal
  Visibility: write-once
  Creation Value: HSS-AvgGlobalConfiguration
  Primary key
  Example: "HSS-AvgGlobalConfiguration"

Attribute: HSS-AvgServicesLogStatus
  Description: A flag that states whether Services Log is active or not.
  Type: Boolean
  Category: Customer Configurable
  Visibility: read-write
  Creation Value: TRUE
  Example: "FALSE"

Attribute: HSS-AvgOAMLogStatus
  Description: A flag that states whether OAM Log is active or not.
  Type: Boolean
  Category: Customer Configurable
  Visibility: read-write
  Creation Value: TRUE
  Example: "FALSE"

Attribute: HSS-AvgInstallationType
  Description: This attribute identifies the HSS type of configuration. The visibility of some attributes/objects depends on the value of this attribute, as specified along the document.
  Type: enumerated value (Monolithic, Front-End)
  Category: Internal
  Visibility: read-only
  This attribute is set at installation time using configuration parameters.
  Example: "Monolithic"

5.3.13 HSS AVG External Database Configuration Object Class

The HSS External Database Configuration object is used to store the necessary
information for accessing the external database using the LDAP protocol as
specified in LDAP Interface Description for Accessing External Database in
HSS-FE.

The visibility of this object depends on the HSS type of configuration defined in
the HSS-AvgInstallationType attribute, see Page 27. This object only applies
to the HSS FE configuration.

This object is created automatically at installation time.


Table 15 HSS AVG External Database Configuration Object Class

HSS-AvgExtDbConfiguration

Attribute: *HSS-AvgExtDbConfigName
  Description: This attribute identifies the External Database configuration.
  Type: case-sensitive string
  Category: Site Specific
  Visibility: read-only
  Creation Value: HSS-AvgExtDbConfiguration
  Primary key
  Example: HSS-AvgExtDbConfiguration

Attribute: HSS-AvgExtDbConfigLogActive
  Description: This attribute indicates whether the log information related to the external database access is logged or not.
  Type: boolean
  Category: Customer Configurable
  Visibility: read-write
  Creation Value: TRUE
  Example: "FALSE"

Attribute: HSS-AvgExtDbConfigUrlList
  Description: This attribute is an array of case-sensitive strings, each one containing the necessary information to access an external database. Each string contains the following information:
    • URL: IP address and port of the LDAP server.
    • User name: the DN administrator name to be used in the authentication of the LDAP protocol as specified in LDAP Interface Description for Accessing External Database in HSS-FE.
    • Password: the password to be used in the authentication of the LDAP protocol as specified in LDAP Interface Description for Accessing External Database in HSS-FE.
    • Authentication method: the supported authentication method, set to "simple".
  The index of the string in the array is an indication of the priority of the external database connection represented by the string. A lower array index indicates a higher priority. The value set is internally converted into relative priorities, starting with value 0. The priority is applied for the failover and fallback execution. For more information, refer to Data Layered Architecture Support in HSS.
  Type: Array
  Category: Solution Integration
  Format: "Array index:ExtDbConn"
    • Array index: Type: uint
    • ExtDbConn: Type: case-sensitive string
  The format of each ExtDbConn is: "URL$UserName$Password$AuthenticationMethod"
    • URL: restrictedLDAPURL
    • UserName: DN
    • Password
    • AuthenticationMethod: simple
  The character "$" is used as separator, so it is forbidden in the fields.
  The same URL value cannot be repeated in the array.
  The password mask ("***") cannot be used as password. Retype the password when modifying any field.
  Visibility: read-write (Password is write-only and its value is shown as ***)
  Examples:
    "0:ldap://159.107.25.60:389$ericsson$Ericsson123xvz$simple" (Write example IPv4)
    "0:ldap://159.107.25.60:389$ericsson$***$simple" (Read example IPv4)
    "1:ldap://159.107.34.77:389$ericsson$***$simple" (Read example IPv4)
    "2:ldap://[2000::4:1]:9000$cn=manager,dc=operator,dc=com$***$simple" (Read example IPv6)

Attribute: HSS-AvgExtDbConfigOrigVipList (1)
  Description: This attribute contains a bag of IP addresses to be randomly used as originating IP address when HSS acts as LDAP client towards the external database.
  Type: bag
  Category: Site Specific
  Format: enumerated value containing IP addresses
  Visibility: read-write
  Examples: "159.10.1.20", "159.10.1.21", "159.10.1.22"

Attribute: HSS-AvgExtDbConfigRootDnList
  Description: This attribute contains a bag defining which are the root DNs to be used when accessing the external database. The root DNs that HSS FE is using are in LDAP Interface Description for Accessing External Database in HSS-FE. Whenever HSS is deployed in a UDC solution this attribute must be populated according to UDC Data Model Description. The list of rootDNs HSS-FE can be using depends on the functions and modules installed, but it is highly recommended to populate this complete list. The rootDN number cannot be changed and should be kept even if some of the rootDNs are not populated.
  Type: bag
  Category: Site Specific
  Format: "uint:case-insensitive string"
    • rootDN number: Type: uint
    • rootDN: Type: case-insensitive string
  The format of the rootDN part must be as specified in Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names (RFC 4514).
  Visibility: read-write
  Examples:
    1:ou=associations,rootDN
    2:ou=multiSCs,rootDN
    3:dc=impi,ou=identities,rootDN
    4:dc=impu,ou=identities,rootDN
    5:dc=imsi,ou=identities,rootDN
    6:dc=msisdn,ou=identities,rootDN
    7:dc=ipaddress,ou=identities,rootDN
    8:dc=wimpu,ou=identities,rootDN
    9:ou=mscCommonData,rootDN
    10:ou=ApplicationCounter

(1) This attribute is deprecated (IP addresses populated in this attribute are not used by HSS).
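A parser and validator for HSS-AvgExtDbConfigUrlList values following the ExtDbConn format described in Table 15, as an added example that is not part of the original document. The URL pattern is this example's own reading of restrictedLDAPURL (ldap:// scheme, an IPv4 host or bracketed IPv6 address, explicit port); the sample entries in the comments and tests are constructed from the table's examples with made-up passwords. It enforces the separator, mask, uniqueness and method rules, and shows the read-back form and the failover order derived from the array index.

```python
import re
from dataclasses import dataclass
from typing import List

# Constraints taken from Table 15; the URL regex is this example's own reading
# of "restrictedLDAPURL" (scheme ldap://, host or [IPv6] literal, explicit port).
SEPARATOR = "$"                # field separator, therefore forbidden inside a field
PASSWORD_MASK = "***"          # what a read returns; never accepted as a password
AUTH_METHODS = {"simple"}      # the only supported AuthenticationMethod
_URL_RE = re.compile(r"^ldap://(\[[0-9A-Fa-f:.]+\]|[^/:\[\]\s]+):(\d{1,5})$")


@dataclass(frozen=True)
class ExtDbConn:
    index: int          # array index: a lower index is a higher priority
    url: str
    user_dn: str
    password: str
    auth_method: str


def parse_ext_db_conn(entry: str) -> ExtDbConn:
    """Parse one 'index:URL$UserName$Password$AuthenticationMethod' string.

    Raises ValueError on any Table 15 violation: a missing numeric index, a '$'
    inside a field (which shows up as a wrong field count), a URL that is not a
    restricted LDAP URL with a port, an empty DN, the '***' mask used as the
    password, or an authentication method other than 'simple'.
    """
    index_str, sep, conn = entry.partition(":")
    if not sep or not index_str.isdigit():
        raise ValueError(f"missing or non-numeric array index in {entry!r}")
    fields = conn.split(SEPARATOR)
    if len(fields) != 4:
        raise ValueError(f"expected 4 '$'-separated fields, got {len(fields)}")
    url, user_dn, password, auth = fields
    m = _URL_RE.match(url)
    if not m or not 1 <= int(m.group(2)) <= 65535:
        raise ValueError(f"not a restricted LDAP URL with port: {url!r}")
    if not user_dn:
        raise ValueError("UserName (DN) must not be empty")
    if password == PASSWORD_MASK:
        raise ValueError("the password mask '***' cannot be used as password")
    if auth not in AUTH_METHODS:
        raise ValueError(f"unsupported AuthenticationMethod {auth!r}")
    return ExtDbConn(int(index_str), url, user_dn, password, auth)


def url_list_errors(entries: List[str]) -> List[str]:
    """Collect every violation in a candidate array value, including repeated URLs."""
    errors, seen = [], set()
    for entry in entries:
        try:
            conn = parse_ext_db_conn(entry)
        except ValueError as exc:
            errors.append(f"{entry!r}: {exc}")
            continue
        if conn.url in seen:
            errors.append(f"{entry!r}: URL repeated in the array")
        seen.add(conn.url)
    return errors


def failover_order(entries: List[str]) -> List[str]:
    """URLs in the order HSS would try them: by array index, renumbered from 0."""
    if url_list_errors(entries):
        raise ValueError("array value is not valid; see url_list_errors()")
    conns = sorted((parse_ext_db_conn(e) for e in entries), key=lambda c: c.index)
    return [c.url for c in conns]


def as_read_back(entries: List[str]) -> List[str]:
    """Render the array as an LDAP search returns it: the password replaced by '***'."""
    conns = sorted((parse_ext_db_conn(e) for e in entries), key=lambda c: c.index)
    return [f"{c.index}:{c.url}${c.user_dn}${PASSWORD_MASK}${c.auth_method}"
            for c in conns]
```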

5.3.14 HSS AVG A4KeyDes64Container Data Object Class


The HSS-Avg A4KeyDes64 Container object is not supported in the current release
and cannot be used.

This object is created automatically at installation time.

Table 16 HSS AVG A4KeyDes64Container Data Object Class

HSS-AvgA4KeyDes64Container

Attribute: *HSS-AvgA4KeyDes64ContainerName
  Description: This attribute identifies the A4KeyDes64 configuration container.
  Type: case-sensitive string
  Category: Internal
  Visibility: read-only
  Creation Value: HSS-AvgA4KeyDes64Container
  Primary key
  Example: "HSS-AvgA4KeyDes64Container"

5.4 Security and Administration


The purpose of security management is to control access to system resources
using local guidelines. Secure access prevents system sabotage (intentional
or not) and prevents unauthorized access to sensitive information. The Security
and Administration function in the AVG module is managed in two ways:
External Authentication authenticates users in the system on an external
server (for more information, refer to User Administration User Guide); Local
Authentication authenticates users using administrators and access groups.

Administrators and Access Groups

Data ownership and access privileges are controlled by a scheme similar to
the one in the UNIX file system. Similar to UNIX, there are administrators who
have access to the system, and access groups that control how the system
is accessed.

The Administrators have access to ISM, and perform operations with the data.
Each Administrator has a name and password, and is a member of one or more
Access Groups. Before a client can issue any request to read, write, create,
or delete objects, it must be authenticated by providing an administrator DN
and a password.


The Access Group defines the capabilities of its members, specifically whether
they are permitted to create Administrator, Access Group, and Organization
entries. When an entry is created, it has several attributes that indicate which
administrator can read, update (write attribute values), or manage (create or
delete) that object class. These attributes are:

• ownerId

The administrator with full permissions to read, update, and manage that
object.

• groupId

Identifier of a group of administrators with group permissions over the
object.

• shareTree

This attribute refers to a container object. All administrators defined as
part of this shareTree have share permissions for the container and
its leaf objects.

• permissions

It is a mask stored in every entry. It defines the permissions that the
groupId and the shareTree administrators have, in the following way:
groupReadBit := 0x01, groupUpdateBit := 0x02, groupManageBit := 0x04,
shareReadBit := 0x08, shareUpdateBit := 0x10, shareManageBit := 0x20.

For the AVG application, the following considerations related to the attributes are
applicable:

• ownerId

The default ownerId for those object classes created automatically at
installation time is 514 (HSS-AvgKeyAdministrator). Exceptions are:

  o HSS-AvgApplication, HSS-AvgConfigurationContainer, and HSS-AvgLicense
    object classes, owned by the Ericsson Administrator, and set as
    read-only for other administrators

  o HSS-AvgGlobalConfiguration and HSS-AvgExtDbConfiguration object
    classes, owned by the HSS-AvgConfigurationAdministrator

  o HSS-AvgProvisioningContainer, HSS-AvgIsimUserContainer, and
    HSS-AvgUsimUserContainer object classes, owned by the
    HSS-AvgProvisioningAdministrator

At object creation, the ownerId is automatically set to the
administratorId of the authenticated administrator if the attribute is
not specified.


• groupId

The default groupId for those object classes created automatically at
installation time is 514 (HSS-AvgKeyGroup). Exceptions are:

  o HSS-AvgApplication, HSS-AvgConfigurationContainer, and HSS-AvgLicense
    object classes, owned by Ericsson Personnel, and set as read-only for
    other administrators

  o HSS-AvgGlobalConfiguration and HSS-AvgExtDbConfiguration object
    classes, which have the groupId HSS-AvgConfigurationGroup

  o HSS-AvgProvisioningContainer, HSS-AvgIsimUserContainer, and
    HSS-AvgUsimUserContainer object classes, which have the groupId
    HSS-AvgProvisioningGroup

At object creation, groupId is automatically set to the primary Access
Group of the authenticated administrator if the attribute is not specified.

• shareTree

This attribute is read-only. The default shareTree is “nodeName=jambala”.

• permissions

The default permissions value for object classes automatically created
at installation time is 7 (no permissions for others, and read, update,
and manage group permissions for administrators). Objects capable of
containing child objects have default permissions of 15 (read and share
permissions for others, and read, update, and manage group permissions
for administrators). Manage group permissions are required for creating or
deleting child objects. At object creation, permissions is automatically
set to the defaultPermissions of the authenticated administrator if
the attribute is not specified.

5.4.1 HSS AVG Security Container Object Class


The HSS-Avg Security Container object is used to contain below itself HSS-Avg
Administrator and HSS-Avg Access Group objects.

This object is created automatically at installation time.


Table 17 HSS AVG Security Container Object Class

HSS-AvgSecurityContainer

Attribute: *HSS-AvgSecurityContainerName
  Description: This attribute identifies the security container.
  Type: case-sensitive string
  Category: Internal
  Visibility: read-only
  Creation Value: HSS-AvgSecurityContainer
  Primary key
  Example: "HSS-AvgSecurityContainer"

5.4.2 HSS AVG Access Group Object Class

Before a client can issue any request to retrieve, update, create, or delete
objects, authentication using an administrator DN and a password is required.
Administrators are defined as HSS-AvgAdministrators. Each administrator is
associated with at least one access group. Access Groups are defined as
HSS-AvgAccessGroups.

Some of these objects are created automatically at installation time by the
application. It is possible to create, retrieve, modify, and delete these objects.

Table 18 HSS AVG Access Group Object Class

HSS-AvgAccessGroup

Attribute: *accessGroupId
  Description: The identifier of the Access Group
  Type: uint32
  Category: Customer Configurable
  Visibility: read-only
  Primary key
  Required: Mandatory
  Example: 512

Attribute: accessGroupName
  Description: The name of the Access Group
  Type: case independent string
  Category: Customer Configurable
  Visibility: read-write
  Required: Mandatory
  Example: "HSS-Avgaccessgroup"


5.4.3 HSS AVG Administrator Object Class


Some of these objects are created automatically at installation time by the
application. It is possible to create, retrieve, modify, and delete these objects.

Table 19 HSS AVG Administrator Object Class

HSS-AvgAdministrator

Attribute: *administratorId
  Description: The identifier of the administrator
  Type: uint32
  Category: Customer Configurable
  Visibility: read-only
  Required: mandatory
  Primary key
  Example: 512

Attribute: administratorName
  Description: The name of the administrator
  Type: case independent string
  Category: Customer Configurable
  Visibility: read-write
  Required: mandatory
  Example: "HSS-Avgsystemadministrator"

Attribute: password
  Description: Administrator password
  Type: case-sensitive string (at least one non-alphabetic and one upper case character are required)
  Format: refer to User Administration User Guide.
  Category: Customer Configurable
  Visibility: write-only
  Required: mandatory
  Example: "Admin952"

Attribute: groups
  Description: This attribute is a list of the different groups an administrator belongs to. It is an array instead of a bag, because the first group in the list is considered the primary group for the administrator.
  Type: struct array
  Format: "0:uint32:1:uint32:...."
    • Array Index: Type: uint
    • AccessGroupId: Type: uint32
  Category: Customer Configurable
  Visibility: read-write
  Required: mandatory
  Example: "0:512:1:23"

Attribute: defaultPermissions
  Description: The default permissions that apply to all objects created by this administrator. For example, if the permissions are GroupUpdate and GroupManage, the value is "6". In HSS-Avg objects share tree permissions are always set to read and cannot be changed.
  Type: uint8, bitmask
  Values:
    • groupReadBit := 0x01
    • groupUpdateBit := 0x02
    • groupManageBit := 0x04
    • shareReadBit := 0x08 (always set to 1)
    • shareUpdateBit := 0x10 (always set to 0)
    • shareManageBit := 0x20 (always set to 0)
  Category: Customer Configurable
  Visibility: read-write
  Creation Value: 9
  Required: optional
  Example: 9

Attribute: maxSeconds
  Description: The duration of the authenticated session when an administrator is logged in to the system. After the elapsed time, the session becomes invalid and is terminated. Refer to Node Management Toolbox User Guide.
  Type: uint32 (minimum value: 120)
  Category: Customer Configurable
  Visibility: read-write
  Creation Value: 3600
  Required: optional
  Example: 120

Attribute: attributes
  Description: This attribute is used to customize the appearance of the TSP Toolbox for the current administrator. It specifies the different applications shown to the administrator.
  Type: case-sensitive string
  Format: "toolbox.<applicationname>=Boolean (or toolbox.all=true);toolbox.<applicationname>=Boolean"
  <applicationname> is the name of the application included in the toolbox (for example: JXplorer). For more information, refer to User Administration User Guide.
  Category: Customer Configurable
  Visibility: read-write
  Creation Value: "toolbox.all=true"
  Required: optional
  Example: "toolbox.all=true"

Attribute: failedCount
  Description: Number of failed login attempts. When an administrator has failed the authentication three times, only the root administrator can unlock that administrator by setting this attribute to 0.
  Type: uint32
  Category: Customer Configurable
  Visibility: read-write
  Creation Value: 0
  Required: optional
  Example: 3

Attribute: isAnonymous
  Description: Specifies if the administrator can act as anonymous through CM Browser or other LDAP client.
  Type: boolean
  Category: Customer Configurable
  Visibility: read-write
  Creation Value: "FALSE"
  Required: optional
  Example: "TRUE"

Attribute: appNames
  Description: A multivalued attribute that specifies which applications the anonymous Administrator has access to.
  Type: case-sensitive string
  Format: case-sensitive string "<applicationname>"
  Visibility: read-write
  Required: optional
  Example: ""
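The permissions bits from Section 5.4, the AVG defaults given there (7 for ordinary objects, 15 for containers) and the share-bit rules from the defaultPermissions row of Table 19, as an added example (not Ericsson's code) that decodes a mask, validates a defaultPermissions value and works out what an administrator can do with an entry given its ownerId, groupId and permissions. That an administrator who is both a group member and a shareTree member gets the union of both sets of rights is this example's assumption; the document does not spell it out.

```python
from typing import Dict, Iterable, List, Set

# Bit values as defined for the permissions attribute in Section 5.4
GROUP_READ, GROUP_UPDATE, GROUP_MANAGE = 0x01, 0x02, 0x04
SHARE_READ, SHARE_UPDATE, SHARE_MANAGE = 0x08, 0x10, 0x20
ALL_BITS = 0x3F

BIT_NAMES = {
    GROUP_READ: "groupRead", GROUP_UPDATE: "groupUpdate", GROUP_MANAGE: "groupManage",
    SHARE_READ: "shareRead", SHARE_UPDATE: "shareUpdate", SHARE_MANAGE: "shareManage",
}
_GROUP_RIGHTS = ((GROUP_READ, "read"), (GROUP_UPDATE, "update"), (GROUP_MANAGE, "manage"))
_SHARE_RIGHTS = ((SHARE_READ, "read"), (SHARE_UPDATE, "update"), (SHARE_MANAGE, "manage"))


def decode_permissions(mask: int) -> List[str]:
    """Names of the bits set in a permissions / defaultPermissions value."""
    if not 0 <= mask <= ALL_BITS:
        raise ValueError(f"permissions mask out of range: {mask}")
    return [name for bit, name in BIT_NAMES.items() if mask & bit]


def encode_permissions(names: Iterable[str]) -> int:
    """Inverse of decode_permissions, e.g. groupUpdate + groupManage -> 6."""
    by_name = {name: bit for bit, name in BIT_NAMES.items()}
    return sum(by_name[n] for n in set(names))


def default_permissions_errors(mask: int) -> List[str]:
    """Check an HSS-AvgAdministrator defaultPermissions value against Table 19:
    shareReadBit is always 1, shareUpdateBit and shareManageBit are always 0."""
    errs = []
    if not mask & SHARE_READ:
        errs.append("shareReadBit (0x08) must be set")
    if mask & (SHARE_UPDATE | SHARE_MANAGE):
        errs.append("shareUpdateBit (0x10) and shareManageBit (0x20) must be 0")
    return errs


def effective_rights(entry: Dict[str, int], admin_id: int,
                     admin_groups: Iterable[int], in_share_tree: bool) -> Set[str]:
    """Rights of one administrator on one entry {ownerId, groupId, permissions}.

    Owner: full read/update/manage. Member of the entry's groupId: the group bits.
    Member of the entry's shareTree: the share bits. Anyone else: nothing.
    Assumption of this example: group and share rights accumulate when the
    administrator qualifies under both.
    """
    if admin_id == entry["ownerId"]:
        return {"read", "update", "manage"}
    mask, rights = entry["permissions"], set()
    if entry["groupId"] in set(admin_groups):
        rights |= {right for bit, right in _GROUP_RIGHTS if mask & bit}
    if in_share_tree:
        rights |= {right for bit, right in _SHARE_RIGHTS if mask & bit}
    return rights


def can_manage_children(container: Dict[str, int], admin_id: int,
                        admin_groups: Iterable[int], in_share_tree: bool) -> bool:
    """Creating or deleting child objects requires manage permission on the container."""
    return "manage" in effective_rights(container, admin_id, admin_groups, in_share_tree)
```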


5.5 Provisioning Object Classes


This section provides information about provisioning object classes.

5.5.1 HSS AVG Provisioning Container Object Class


The HSS-Avg Provisioning Container is used to group all the HSS-Avg Users
containers.

This object is created automatically at installation time.

Table 20 HSS AVG Provisioning Container Object Class

HSS-AvgProvisioningContainer

Attribute: *HSS-AvgProvisioningContainerName
  Description: This attribute identifies the provisioning container.
  Type: case-sensitive string
  Visibility: read-only
  Creation Value: HSS-AvgProvisioningContainer
  Primary key
  Example: "HSS-AvgProvisioningContainer"

5.5.2 HSS AVG IsimUserContainer Object Class


The HSS-Avg Isim User Container object contains information related to
HSS-Avg Isim Users.

Table 21 HSS AVG IsimUserContainer Object Class

HSS-AvgIsimUserContainer

Attribute: *HSS-AvgIsimUserContainerName
  Description: Attribute used to identify the isim user container name.
  Type: case-sensitive string
  Visibility: read-only
  Creation Value: HSS-AvgIsimUserContainer
  Primary key
  Example: "HSS-AvgIsimUserContainer"

5.5.3 HSS AVG Isim User Object Class


The HSS-Avg Isim user object contains information related to HSS-Avg Isim
users. It is possible to create, retrieve, modify, and delete these objects.


Table 22 HSS AVG Isim User Object Class

HSS-AvgIsimUser

Attribute: *HSS-AvgImpi
  Description: It represents the IMS Private User Identity number assigned to a user.
  Type: case-sensitive string
  Format: NAI or restricted SIP URI
  Visibility: write-once
  Primary key
  Example: user@realm.com

Attribute: HSS-AvgEncryptedK
  Description: This attribute is used for storing the encrypted K value for authentication service purposes.
  Type: HEX string
  Format: 32 characters
  Visibility: read-write
  Required: mandatory
  Constraint: This attribute and HSS-AvgA4KeyInd must be modified within the same LDAP operation
  Example: "24AAAFFF8787695BCCF4376BBFFC3892"

Attribute: HSS-AvgEncryptedOPc
  Description: This attribute is used to store the encrypted value of the operator variant algorithm parameter for OPc. Only applicable to Milenage algorithm. If this attribute is left empty, the OP value of the associated Function Set is used.
  Type: HEX string
  Format: 32 characters
  Visibility: read-write
  Required: optional
  Example: "44AAAFFF8787695BCCF4376BBFFC3892"

Attribute: HSS-AvgA4KeyInd
  Description: This attribute contains the identifier of the key used for encrypting the key and the OPc of the subscriber. It is a reference to HSS-AvgA4KeyInd of the HSS-AvgA4Key object class. See Section 5.3.5 on page 18.
  Type: uint16
  Visibility: read-write
  Required: mandatory
  Range: [1–512]
  Constraints: This attribute and HSS-AvgEncryptedK must be modified within the same LDAP operation. If HSS-AvgEncryptedOPc is present and HSS-AvgA4KeyInd is modified, HSS-AvgEncryptedOPc must also be modified within the same LDAP operation.
  Example: "1"

Attribute: HSS-AvgFSetInd
  Description: The key identifier of the HSS-AvgFSet that identifies the algorithm of generation of vectors associated with the user, for this object. It is a reference to HSS-AvgFSetInd of the HSS-AvgFSet object class. See Section 5.3.11 on page 23.
  Type: uint8
  Visibility: write-once
  Required: mandatory
  Example: "1"

Attribute: HSS-AvgAmf
  Description: This attribute is used for storing the Authentication Management Field for authentication service purposes. The most significant octet of the field is reserved for 3GPP standardization purposes and must not be changed.
  Type: HEX string
  Format: 4 characters
  Visibility: read-write
  Creation Value: "0000"
  Required: optional
  Example: "0010"

5.5.4 HSS AVG UsimUserContainer Object Class


The HSS-Avg Usim User Container object contains information related to
HSS-Avg Usim Users.

Table 23 HSS AVG UsimUserContainer Object Class

HSS-AvgUsimUserContainer

Attribute: *HSS-AvgUsimUserContainerName
  Description: Attribute used to identify the usim user container name.
  Type: case-sensitive string
  Visibility: read-only
  Creation Value: HSS-AvgUsimUserContainer
  Primary key
  Example: "HSS-AvgUsimUserContainer"


5.5.5 HSS AVG Usim User Object Class


The HSS-Avg Usim user object contains information related to HSS-Avg Usim
users. It is possible to create, retrieve, modify, and delete these objects.

Table 24 HSS AVG Usim User Object Class

HSS-AvgUsimUser

Attribute: *HSS-AvgImsi
  Description: It identifies the International Mobile Subscriber Identity (IMSI) associated to the user.
  Type: case-sensitive string
  Format: only digits
  Range: IMSI is checked to be 6–15 digits long.
  Visibility: write-once
  Primary key
  Example: "314102"

Attribute: HSS-AvgEncryptedK
  Description: This attribute is used to store the encrypted K value for authentication service purposes.
  Type: HEX string
  Format: 32 characters
  Visibility: read-write
  Required: mandatory
  Constraint: This attribute and HSS-AvgA4KeyInd must be modified within the same LDAP operation
  Example: "44AAAFFF8787695BCCF4376BBFFC3892"

Attribute: HSS-AvgEncryptedOPc
  Description: This attribute is used to store the encrypted value of the operator variant algorithm parameter for OPc. Only applicable to Milenage algorithm. If this attribute is left empty, the OP value of the associated Function Set is used.
  Type: HEX string
  Format: 32 characters
  Visibility: read-write
  Required: optional
  Example: "44AAAFFF8787695BCCF4376BBFFC3892"

Attribute: HSS-AvgA4KeyInd
  Description: This attribute contains the identifier of the key used for encrypting the key and the OPc of the subscriber. It is a reference to HSS-AvgA4KeyInd of the HSS-AvgA4Key object class. See Section 5.3.5 on page 18.
  Type: uint16
  Visibility: read-write
  Required: mandatory
  Range: [1–512]
  Constraints: This attribute and HSS-AvgEncryptedK must be modified within the same LDAP operation. If HSS-AvgEncryptedOPc is present and HSS-AvgA4KeyInd is modified, HSS-AvgEncryptedOPc must also be modified within the same LDAP operation.
  Example: "1"

Attribute: HSS-AvgFSetInd
  Description: The key identifier of the HSS-AvgFSet that identifies the algorithm of generation of vectors associated with the user, for this object. It is a reference to HSS-AvgFSetInd of the HSS-AvgFSet object class. See Section 5.3.11 on page 23.
  Type: uint8
  Visibility: write-once
  Required: mandatory
  Example: "1"

Attribute: HSS-AvgAmf
  Description: This attribute is used to store the Authentication Management Field for authentication service purposes. The most significant octet of the field is reserved for 3GPP standardization purposes and must not be changed.
  Type: HEX string
  Format: 4 characters
  Visibility: read-write
  Creation Value: "0000"
  Required: optional
  Example: "0010"
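The co-modification rules of Tables 22 and 24 as a check to run before an LDAP add or modify of an HSS-AvgUsimUser (the same rules apply to HSS-AvgIsimUser, which differs only in its HSS-AvgImpi primary key). This is an added example, not Ericsson's code; it assumes the most significant octet of HSS-AvgAmf is the first two hex digits of the 4-character string, and the sample values in the tests are the tables' own examples. The point it makes concrete: HSS-AvgA4KeyInd names the A4 key under which the stored K and OPc were encrypted, so changing the index without re-encrypted values (or the reverse) leaves key material the HSS cannot decrypt.

```python
import re
from typing import Dict, List

# Attribute names and constraints from Table 24 (and Table 22 for ISIM users)
IMSI, K, OPC = "HSS-AvgImsi", "HSS-AvgEncryptedK", "HSS-AvgEncryptedOPc"
A4, FSET, AMF = "HSS-AvgA4KeyInd", "HSS-AvgFSetInd", "HSS-AvgAmf"
HEX32, HEX4 = re.compile(r"^[0-9A-Fa-f]{32}$"), re.compile(r"^[0-9A-Fa-f]{4}$")
A4_RANGE, FSET_RANGE = (1, 512), (0, 255)     # uint16 with stated range; uint8
WRITE_ONCE = (IMSI, FSET)

Entry = Dict[str, object]   # attribute name -> value, as an LDAP client would send it


def _format_errors(attrs: Entry) -> List[str]:
    """Type/format rules that apply to whichever attributes are present."""
    errs = []
    for a, pat, n in ((K, HEX32, 32), (OPC, HEX32, 32), (AMF, HEX4, 4)):
        if a in attrs and not pat.match(str(attrs[a])):
            errs.append(f"{a} must be a {n}-character HEX string")
    for a, (lo, hi) in ((A4, A4_RANGE), (FSET, FSET_RANGE)):
        if a in attrs and not (isinstance(attrs[a], int) and lo <= attrs[a] <= hi):
            errs.append(f"{a} must be an integer in [{lo}-{hi}]")
    return errs


def usim_user_add_errors(attrs: Entry) -> List[str]:
    """Violations an LDAP add of a new HSS-AvgUsimUser would hit; empty = acceptable."""
    errs = []
    imsi = str(attrs.get(IMSI, ""))
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        errs.append(f"{IMSI} must be 6-15 digits")
    errs += [f"{a} is mandatory" for a in (K, A4, FSET) if a not in attrs]
    return errs + _format_errors(attrs)


def usim_user_modify_errors(current: Entry, changes: Entry) -> List[str]:
    """Violations an LDAP modify of an existing user would hit.

    - write-once attributes cannot be modified;
    - HSS-AvgEncryptedK and HSS-AvgA4KeyInd go in the same operation, because
      the index selects the A4 key the stored K was encrypted under;
    - when HSS-AvgEncryptedOPc is stored, a new A4 key index requires a
      re-encrypted OPc in the same operation as well;
    - the most significant octet of HSS-AvgAmf (assumed here to be the first
      two hex digits) is reserved for 3GPP and must not change.
    """
    errs = [f"{a} is write-once" for a in WRITE_ONCE if a in changes]
    if (K in changes) != (A4 in changes):
        errs.append(f"{K} and {A4} must be modified within the same LDAP operation")
    if A4 in changes and OPC in current and OPC not in changes:
        errs.append(f"{OPC} is present, so it must be modified together with {A4}")
    if AMF in changes and AMF in current:
        if str(changes[AMF])[:2].upper() != str(current[AMF])[:2].upper():
            errs.append(f"the most significant octet of {AMF} must not be changed")
    return errs + _format_errors(changes)
```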

5.6 Initialization Values


This section provides information about initialization values.


5.6.1 Specific HSS AVG Object Classes


At initial installation, an instance of the following objects is created
automatically:

• One HSS-AvgApplication (RDN: "applicationName = HSS_AVG"). This application
  is below a JIM–Node object whose RDN is "nodeName = jambala".

• One HSS-AvgLicense (RDN: HSS-AvgLicenseName = HSS-AvgLicense).

An instance of the following objects is created automatically when the AVG
module becomes active (see Section 5.3.2 on page 16):

• One HSS-AvgSecurityContainer (RDN: "AVG–SecurityContainerName =
  HSS-AvgSecurityContainer")

• Four HSS-AvgAdministrators (RDNs: "administratorId =512”, "administratorId
  =514”, "administratorId =515” and "administratorId =516“).

  o HSS-Avg Browser Administrator (administratorName=HSS-AvgBrowserAdministrator,
    password=Anonymous123)

  o HSS-Avg Key Administrator (administratorName=HSS-AvgKeyAdministrator,
    password=Wanda123)

  o HSS-Avg Configuration Administrator
    (administratorName=HSS-AvgConfigurationAdministrator, password=Wanda123)

  o HSS-Avg Provisioning Administrator
    (administratorName=HSS-AvgProvisioningAdministrator, password=Wanda123)

  Note: Change the default passwords after the node is installed.

• Four HSS-AvgAccessGroups (RDNs: "accessGroupId = 512", "accessGroupId =514”,
  "accessGroupId = 515", "accessGroupId =516”).

  o HSS-Avg Browser Group. This group is the access group for
    HSS-AvgBrowserAdministrator

  o HSS-Avg Key Group. This group is the access group for
    HSS-AvgKeyAdministrator

  o HSS-Avg Configuration Group. This group is the access group for
    HSS-AvgConfigurationAdministrator

  o HSS-Avg Provisioning Group. This group is the access group for
    HSS-AvgProvisioningAdministrator

• One HSS-AvgProvisioningContainer (RDN:
  "HSS-AvgProvisioningContainerName=HSS-AvgProvisioningContainer"). Within
  this HSS-Avg object the following ones are also automatically created at
  installation:


  o One HSS-AvgIsimUserContainer (RDN: "HSS-AvgIsimUserContainerName = HSS-AvgIsimUser").
  o One HSS-AvgUsimUserContainer (RDN: "HSS-AvgUsimUserContainerName = HSS-AvgUsimUser").

• One HSS-AvgConfigurationContainer (RDN: "HSS-AvgConfigurationContainerName = HSS-AvgConfigurationContainer"). Within this HSS-Avg object, the following objects are also created automatically at installation:

  o One HSS-AvgA4KeyContainer (RDN: "HSS-AvgA4KeyContainerName = HSS-AvgA4KeyContainer").
  o One HSS-AvgReqNodeTypeContainer (RDN: "HSS-AvgReqNodeTypeContainerName = HSS-AvgReqNodeTypeContainer").
  o One HSS-AvgFSetContainer (RDN: "HSS-AvgFSetContainerName = HSS-AvgFSetContainer").
  o One HSS-AvgFSet (RDN: "HSS-AvgFSetInd = 0", "HSS-AvgFSetName = Test").
  o One HSS-AvgGlobalConfiguration (RDN: "HSS-AvgGlobalConfiguration = HSS-AvgGlobalConfiguration").
  o One HSS-AvgRestrictedConfiguration (RDN: "HSS-AvgRestrictedConfigurationName = HSS-AvgRestrictedConfiguration").

• One HSS-AvgExtDbConfiguration (RDN: "HSS-AvgExtDbConfigName = HSS-AvgExtDbConfiguration").
