Professional Documents
Culture Documents
Pki (Sran15.1 02) PDF
Pki (Sran15.1 02) PDF
Issue 02
Date 2019-08-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
1 Change History.............................................................................................................................. 1
1.1 SRAN15.1 02 (2019-08-30)........................................................................................................................................... 1
1.2 SRAN15.1 01 (2019-06-06)........................................................................................................................................... 1
1.3 SRAN15.1 Draft B (2019-03-18)................................................................................................................................... 1
1.4 SRAN15.1 Draft A (2018-12-30)................................................................................................................................... 2
3 Overview......................................................................................................................................... 6
4 PKI.................................................................................................................................................... 8
4.1 Principles........................................................................................................................................................................ 8
4.1.1 PKI Architecture..........................................................................................................................................................8
4.1.1.1 Introduction.............................................................................................................................................................. 8
4.1.1.2 CA.............................................................................................................................................................................9
4.1.1.3 RA...........................................................................................................................................................................10
4.1.1.4 Certificate & CRL Database...................................................................................................................................10
4.1.2 Certificates and Files Used by NEs........................................................................................................................... 10
4.1.2.1 Device Certificate................................................................................................................................................... 10
4.1.2.2 Root Certificate, Certificate Chain, and Trust Certificate...................................................................................... 12
4.1.2.3 Cross-Certificate..................................................................................................................................................... 14
4.1.2.4 CRL........................................................................................................................................................................ 15
4.1.2.5 CMPv2-based Certificate Management..................................................................................................................15
4.1.3 Certificate Management and Application Scenarios................................................................................................. 18
4.1.3.1 Certificate Preconfiguration Phase......................................................................................................................... 19
4.1.3.2 Certificate Management During Base Station Deployment................................................................................... 19
4.1.3.3 Certificate Management During Base Station Controller Deployment..................................................................21
4.1.3.4 Certificate Management During eCoordinator Deployment.................................................................................. 23
4.1.3.5 Certificate Management During the Operation Phase............................................................................................ 23
4.1.3.5.1 Certificate Application........................................................................................................................................ 23
4.1.3.5.2 Certificate Sharing............................................................................................................................................... 24
4.1.3.5.3 Certificate Validity Check................................................................................................................................... 26
5.4.3 Reconstruction from a PKI-based Secure Network to a PKI Redundancy Network on the eGBTS/NodeB/eNodeB/
gNodeB/Multimode Base Station..................................................................................................................................... 102
5.4.3.1 Data Preparation................................................................................................................................................... 103
5.4.3.2 Data Configuration............................................................................................................................................... 104
5.4.3.3 Activation Observation.........................................................................................................................................105
5.4.4 Deployment of PKI Redundancy on the Base Station Controller........................................................................... 105
5.4.4.1 Data Preparation................................................................................................................................................... 105
5.4.4.2 Using MML Commands....................................................................................................................................... 105
5.4.4.3 Activation Observation.........................................................................................................................................106
5.4.5 Reconstruction from a PKI-based Secure Network to a PKI Redundancy Network on the Base Station Controller
.......................................................................................................................................................................................... 106
5.4.5.1 Data Preparation................................................................................................................................................... 108
5.4.5.2 Data Configuration............................................................................................................................................... 109
5.4.5.3 Activation Observation......................................................................................................................................... 110
5.4.6 Network Monitoring................................................................................................................................................ 110
7 Parameters................................................................................................................................... 119
8 Counters...................................................................................................................................... 120
9 Glossary....................................................................................................................................... 121
1 Change History
This chapter describes changes not included in the "Parameters", "Counters", "Glossary", and
"Reference Documents" chapters. These changes include:
l Technical changes
Changes in functions and their corresponding parameters
l Editorial changes
Improvements or revisions to the documentation
Technical Changes
Change Description Parameter Change
Editorial Changes
None
Technical Changes
Change Description Parameter Change
Editorial Changes
None
Technical Changes
Change Description Parameter Change
Editorial Changes
Reorganized this document using a new template.
This document only provides guidance for feature activation. Feature deployment and feature
gains depend on the specifics of the network scenario where the feature is deployed. To achieve
the desired gains, contact Huawei professional service engineers.
Software Interfaces
Any parameters, alarms, counters, or managed objects (MOs) described in Feature Parameter
Description documents apply only to the corresponding software release. For future software
releases, refer to the corresponding updated product documentation.
3 Overview
PKI is a security infrastructure that provides information security and digital certificate
management. It uses an asymmetric cryptographic algorithm to allow client and server
applications to trust each other's authentication credentials and perform authentication.
A digital certificate identifies a device and is created by a trusted certificate authority (CA),
which digitally signs the device information and public key. A digital certificate includes the
following information:
Asymmetric keys are used to authenticate equipment identities during digital certificate
authentication. The sender uses a private key to sign data, and the receiver uses a public key
in the certificate to verify signature validity. With digital certificates, both the receiver and the
sender confirm each other's identities to protect against communication fraud and
eavesdropping.
Each Huawei base station/base station controller is preconfigured with a device certificate on
its board issued by Huawei factory PKI system before delivery. You can view the certification
practice statement (CPS) of Huawei factory PKI system in the RootCA CPS.pdf document
obtained at http://support.huawei.com/support/pki. If operators deploy their own PKI
systems, Huawei recommends referring to the technical and management requirements of
Huawei factory PKI system in the document.
l Authentication during the setup of an IPsec tunnel between a base station and an SeGW
on a radio bearer network. For details, see IPsec.
l Authentication during the setup of a Secure Sockets Layer (SSL) connection between an
eGBTS/NodeB/eNodeB/gNodeB/RNC/BSC/eCoordinator and the U2020 to protect data
transmission at the application layer. For details, see SSL.
l 802.1x-based access control for the eGBTS/NodeB/eNodeB/gNodeB, which uses digital
certificates for identity authentication. For details, see Access Control based on 802.1x.
l Setup of separate IPsec tunnels for each operator, thereby implementing secure service
isolation in RAN sharing scenarios when multiple operators share a base station and each
operator deploys a separate PKI server. For details, see Base Station Supporting Multi-
operator PKI.
4 PKI
4.1 Principles
4.1.1.1 Introduction
A PKI system manages digital certificates for network devices. This enables operators to
establish a trusted security domain so that they have a trust relationship with devices from
different vendors.
As shown in Figure 4-1, a PKI system on a wireless network generally consists of the
following network elements (NEs):
l NEs that use certificates, including the base station, base station controller, security
gateway (SeGW), and U2020.
l PKI server that manages certificates, including the CA, registration authority (RA), and
certificate & CRL database. CRL stands for certificate revocation list.
NOTE
For more information about PKI, see IETF RFC 5280 and IETF RFC 2585. Certificates and CRLs
comply with X.509v3 and X.509v2, respectively, but do not comply with earlier specifications. For
details, see IETF RFC 5280.
The eCoordinator cannot directly apply for or update certificates from the PKI system. The
eCoordinator's certificates must be manually maintained on the U2020.
4.1.1.2 CA
A CA serves as a central management node in a PKI system. As shown in Figure 4-1, a CA
manages certificates as follows:
l Approves or rejects certificate applications and issues certificates for approved
applications.
l Handles requests for certificate updates, verifications, revocations, and queries.
l Generates certificates and CRLs and publishes them in the certificate & CRL database.
On a live network, a CA system can use a layered structure to meet the requirements for CA
deployment across different areas. The root CA is not required to manage all certificates on
the entire network. The layered structure helps share the load of the root CA. Figure 4-2
shows an example of the CA system architecture.
When building a PKI system, an operator determines the root CA domain based on the
operator's business scale and global network distribution.
l Root CA: The root CA is located at the top level and has the highest security and
reliability.
l Subordinate CA: Operators usually use the root CA to authorize important subordinate
CAs. CAs at each level can be authorized to sign and issue certificates for their lower-
level CAs or for end users. All certificates from end users to the root CA form a
certificate chain. As long as a user obtains the peer's root CA certificate and certificates
of subordinate CAs at different levels, the user can authenticate the certificates in the
certificate chain. This method facilitates certificate deployment because the root CA is
no longer required for signing and issuing certificates for all end users.
There is no strict limitation imposed on the number of layers in a CA system. Operators can
divide the CA system into layers according to their requirements. Generally, a three-layer CA
system can meet the requirements of most operators. However, a two-layer CA system is
recommended, considering the management cost and complexity.
4.1.1.3 RA
An RA is a certificate registration and approval authority. As shown in Figure 4-1, an RA
interacts with communication entities such as base stations and base station controllers,
collects certificate applicants' information, and verifies their qualifications. The RA then
determines whether to issue a certificate to an applicant based on the verification result. If the
application is approved, the RA sends the application information to the CA which then issues
the certificate.
On a live network, a certificate & CRL database is an independent entity deployed on a server
in a demilitarized zone (DMZ). This allows users on the network to obtain certificates and
CRLs online, without imposing any security threat on the CA system.
l The Huawei-issued device certificate preconfigured on the GTMUc in a GBTS can only be
used for SSL connections between the GBTS and the site maintenance terminal (SMT). It
cannot be used for PKI or IPsec authentication.
l The Huawei-issued device certificate preconfigured on the GTMUc in an eGBTS can only be
used for PKI and SSL authentication. It cannot be used for IPsec authentication.
l Each Huawei base station controller is preconfigured with a Huawei-issued device
certificate before delivery. The certificate is bound with the ESN of the OMU board and
is named hwusercert.pem. The key of a Huawei-issued device certificate is 2048 bits
long. Huawei-issued device certificates for base station controllers are activated before
base station controller delivery.
l All Huawei eCoordinators are preconfigured with the same certificate issued by Huawei
CA before delivery. The certificate is stored on the OMU board. The certificate
preconfigured on an eCoordinator, in a strict sense, is not a device certificate because it
is not bound with the ESN of the OMU. If the preconfigured certificate on one Huawei
eCoordinator is cracked, the preconfigured certificates on all Huawei eCoordinators are
cracked. Therefore, it is recommended that an operator-issued device certificate be
applied for an eCoordinator after the eCoordinator connects to a network.
The application scenarios of Huawei-issued device certificates are as follows:
l If a PKI system is deployed in an operator's network, Huawei-issued device certificates
are used for authentication during the operator-issued device certificate application
process.
– When a base station/base station controller accesses the operator's network, it
applies for a device certificate from the operator's CA by sending a CMPv2
message. The operator-issued device certificate is then used for authentication
during the subsequent communication process.
– When an eCoordinator accesses the operator's network, a device certificate must be
manually applied for from the operator's CA through the U2020. The operator-
issued device certificate is then used for authentication during the subsequent
communication process.
l If no PKI system is deployed in an operator's network, the peer equipment of a base
station/base station controller/eCoordinator can be preconfigured with the Huawei root
certificate. Huawei-issued device certificates are used for authentication between the
base station/base station controller/eCoordinator and peer equipment.
If the preconfigured Huawei-issued device certificate of a base station/base station controller/
eCoordinator is lost (the base station uses a UMPT/UMDU/MDUC as the main control board
or uses a UTRPc as the transmission board), the base station reports ALM-26841 Certificate
Root Certificate
A root certificate is the certificate of the root CA and is used to verify the validity of device
certificates issued by the root CA.
The Huawei root certificate is preconfigured in each Huawei base station as the trust
certificate before delivery. The certificate is stored on the main control board (UMPT/LMPT/
UMDU/GTMUc), baseband processing unit, or UTRPc board and can be used to verify
Huawei-issued device certificates. The Huawei root certificate is named caroot.pem.
The Huawei root certificate is preconfigured on each Huawei base station controller/
eCoordinator as the trust certificate before delivery. The certificate can be used to verify
Huawei-issued device certificates and is named rootca.pem.
NOTE
Huawei wireless-network CA system is a 2-layer CA system. caroot.pem and rootca.pem are files in
the 2-layer certificate chain.
Certificate Chain
If there are multiple layers of CAs in a PKI system, certificates of the CAs form a certificate
chain, which is used to verify the validity of device certificates issued by the bottom-level CA
in the chain.
If there is a certificate chain from the base station's device certificate up to the root CA, the
peer device must be preconfigured with the certificate chain so that the peer device can verify
the validity of the device certificate sent by the base station during Internet Key Exchange
(IKE) authentication.
Trust Certificate
A trust certificate is the root certificate or certificate chain that is loaded on NEs.
A base station/base station controller/eCoordinator reloads the device certificate and verifies
its validity each time the base station/base station controller/eCoordinator restarts.
4.1.2.3 Cross-Certificate
A cross-certificate is issued by one CA to another in order to establish a trust relationship
between them. The eGBTS, NodeB, eNodeB, and gNodeB support cross-certificates, whereas
the GBTS, RNC/BSC, and eCoordinator do not.
Before using the cross-certificate for authentication, the operator's CA and the Huawei CA
must issue a cross-certificate to each other. This is a cumbersome procedure and hence is not
recommended.
4.1.2.4 CRL
CRL is used to verify the validity of the peer certificate. Certificates need to be revoked when
they are disclosed or when devices that use the certificates are replaced or discarded.
Revoked certificates are recorded in a CRL. An NE uses a CRL to check the validity of the
certificate sent by a peer device when authenticating the peer device. The peer device is not
trustworthy if its certificate is recorded in a CRL.
l O&M personnel can run the SET BTSCRLPOLICY command to set a CRL usage
policy for the GBTS.
l O&M personnel can run the SET CRLPOLICY command to set a CRL usage policy
for the eGBTS/NodeB/eNodeB/gNodeB/eCoordinator/base station controller.
The settings of the CRLPOLICY.CRLPOLICY (for the eGBTS/NodeB/eNodeB/gNodeB) or
BTSCRLPOLICY.CRLPOLICY parameter (for the GBTS) are as follows:
l If the parameter is set to NOVERIFY, the base station/base station controller/
eCoordinator does not perform CRL-based certificate validity checks.
l If the parameter is set to ALARM, the base station reports ALM-26832 Peer Certificate
Expiry and the base station controller/eCoordinator reports ALM-20854 Peer Certificate
Invalid, Expiry, or Damage when the peer's device certificate is detected in the CRL.
l If the parameters are set to DISCONNECT, the base station/base station controller/
eCoordinator reports the preceding alarms and disconnects the communication with the
peer end when the peer's device certificate is detected in the CRL.
Figure 4-6 shows the topology for managing certificates in base stations and base station
controllers based on CMPv2.
As shown in Figure 4-6, base stations or base station controllers communicate with the
operator's PKI server for CMPv2-based certificate management. The PKI server can be a CA,
RA, or certificate & CRL database.
When the base stations or base station controllers apply for operator-issued device certificates
for the first time, the operator's CA is preconfigured with the Huawei root certificate. The root
certificate is used to verify Huawei-issued device certificates carried in CMPv2 messages sent
by the base stations or base station controllers. The operator's CA also includes operator-
issued device certificates and root certificates or certificate chains in CMPv2 response
messages sent to the base stations or base station controllers.
When the base stations or base station controllers update certificates, the operator's CA and
the base stations or base station controllers authenticate each other using operator-issued
device certificates and operator's root certificates or certificate chains. In this case, Huawei-
issued device certificates and Huawei root certificates are no longer used.
Figure 4-7 shows how a base station or base station controller applies for a certificate based
on CMPv2.
Figure 4-7 Certificate application process for a base station or base station controller
NOTE
After sending a CMPv2-based certificate request message, the base station waits for a response from the
CA. The waiting timeout interval is 60s in single-operator PKI scenarios and 20s for each PKI in multi-
operator PKI scenarios. If the base station does not receive any response from the CA before the waiting
timeout interval elapses, the certificate application fails.
In step 2, the message contains information such as the generated public key, SubjectName
field of the certificate, alternative SubjectName field of the certificate, certificate signature
algorithm, and Huawei-issued device certificate.
l The SubjectName field in the certificate request message contains the Common Name
field. Some CAs require that the Common Name field in certificate request messages be
the same as that in Huawei-issued device certificate. If they are not the same, these CAs
will not issue device certificates (also known as operator-issued device certificates).
l In Huawei-issued device certificates preconfigured on some LMPT boards, the Common
Name field uses the format of ESN+space+eNodeB. In this case, to meet the preceding
CA requirement, a space is automatically added to the Common Name field in the
certificate request message if the values of the CERTREQ.COMMNAME and
CERTREQ.USERADDINFO parameters are ESN and eNodeB, respectively. In this
way, the Common Name field in the message is in the format of ESN+space+eNodeB.
Figure 4-8 shows how a base station or base station controller updates its certificate based on
CMPv2.
Figure 4-8 CMPv2-based certificate update process for a base station or base station
controller
In step 2, the key update request message is also the certificate update request. This message
includes the new public key and the operator-issued device certificate to be updated.
In step 5, the CA uses the public key of the operator-issued device certificate carried in the
key update request message to verify the signature in the message. In addition, the CA uses
the operator's root certificate or certificate chain to verify the operator-issued device
certificate.
For details about the structure of a CMPv2 message and the process of exchanging CMPv2
messages, see IETF RFC 4210 and IETF RFC 4211.
l Each of the following boards is configured with a Huawei root certificate and a Huawei-
issued device certificate:
– Main control board or UTRPc of a base station
– OMU board of a base station controller/eCoordinator
NOTE
This section describes a scenario where IPsec is used and digital certificates are used for
authentication. Figure 4-9 shows such an example.
Figure 4-10 shows the certificate application procedure during automatic base station
deployment.
Figure 4-10 Certificate application procedure during automatic base station deployment
NOTE
l If an operator's network is deployed with a PKI system, it is recommended that the same operator-
issued device certificate be used for IPsec authentication, SSL authentication, and 802.1x-based
access control.
l During automatic base station deployment by plug and play (PnP), only Huawei-issued device
certificates can be used for authentication during 802.1x-based access control.
l By default, the same certificate is used for 802.1x-based access control and SSL authentication in
the operation phase.
l The name of the operator-issued device certificate used by a base station during base station
deployment must be OPKIDevCert.cer.
For details about CMPv2-based and manual certification application procedures, see 5.4.4.2
Using MML Commands.
When certificates for an eCoordinator can be independently configured and managed, an SSL
connection must be established between the eCoordinator and the U2020 using the Huawei-
issued device certificate, and then an operator-issued device certificate must be manually
applied for through the U2020, as illustrated in Figure 4-13.
For details about the manual certificate application procedure, see 5.4.4 Deployment of PKI
Redundancy on the Base Station Controller.
In the operation phase, if a base station needs to use an operator-issued device certificate for
IKE authentication but it does not have such a certificate, the base station must apply for an
operator-issued device certificate from the operator's CA based on CMPv2.
l Manual mode
To manually trigger the application, O&M personnel can configure information such as
the certificate deployment location, CA, trust certificate, and certificate request on the
base station, and then run the REQ DEVCERT command to trigger a CMPv2-based
certificate application procedure. After this command is executed, the base station
reports the progress of the certificate application. If an operator-issued device certificate
is obtained, O&M personnel can run the MOD APPCERT command to change the
active certificate to the operator-issued device certificate.
To ensure that the device certificate can be used to successfully establish security
channels between the base station and the peer end, it is recommended that the TST
APPCERT command be executed to check whether the operator-issued device
certificate can be used for IKE and SSL connections before running the MOD
APPCERT command. Then, run the CFM CB command to enable automatic
configuration data rollback. For details, see the CFM CB command help.
l Automatic mode
The base station obtains information about the certificate deployment location, CA,
certificate request, and active certificate from the configuration file. After the base
station restarts, it automatically triggers a CMPv2-based certificate application procedure
based on CA information. If the application fails, the base station automatically
reinitiates a CMPv2-based certificate application procedure.
NOTE
After the IKE negotiation succeeds, the base station starts checking the IKE negotiation status
every 7 minutes. If an IKE negotiation fails and digital certificates are used for identity
authentication, the base station checks the digital certificates used for the IKE negotiation. If a
digital certificate is abnormal (for example, the digital certificate has been revoked or expired, the
certificate file does not exist, or the digital certificate issuer information differs from the CA
information), a certificate application procedure is automatically triggered.
NOTE
Base Station
The certificate that is applied for during base station deployment is configured on the board
that connects the base station to the transport network. SSL authentication applies only to the
main control board of a base station. If no certificate is deployed on the main control board
for SSL authentication, the main control board must share the certificate with the board that
connects the base station to the transport network.
l A certificate is deployed on a UTRPc board of a single-mode base station, and the main
control board shares the certificate with the UTRPc board. As indicated by (1) in Figure
4-14, the WMPT board shares the certificate with the UTRPc board.
l In a separate-MPT multimode base station using co-transmission, a certificate is
deployed on the main control board connecting to the transport network and is shared
between this main control board and the main control boards of other RATs. As indicated
by (2) in Figure 4-14, a certificate is deployed on the UMPT_L board and shared
between the UMPT_U and UMPT_L boards.
l In a separate-MPT multimode base station using co-transmission, a certificate is
deployed on a UTRPc board, and the main control boards share the certificate with the
UTRPc board. As indicated by (3) in Figure 4-14, the UMPT_U and UMPT_L boards
share the certificate with the UTRPc board.
When a base station uses certificate sharing, the following parameters must be set:
l CERTDEPLOY.DEPLOYTYPE (for the eGBTS/NodeB/eNodeB/gNodeB)
l BTSCERTDEPLOY.DEPLOYTYPE (for the GBTS)
Set these parameters to SPECIFIC.
Base station certificate sharing has the following restrictions:
l Only active certificates can be shared. For example, SSL certificates, root certificates,
and CRLs can be shared.
l Huawei base stations support certificate sharing only in backplane interconnection and
BBU interconnection scenarios but do not support this function in panel interconnection
scenarios.
l BBU3910As do not support certificate sharing.
l Active and standby OMU boards are switched over. The currently active OMU board can
use the digital certificate on the previously active OMU board to set up an SSL
connection with the U2020.
l The SAU board needs the digital certificate on the active OMU board to set up an SSL
connection with the Nastar. This scenario can occur only for base station controllers.
l Upon detecting that the period remaining until a certificate expires is less than the value
of the CERTCHKTSK.ALMRNG parameter, the base station/base station controller/
eCoordinator determines that the certificate is about to expire.
l Upon detecting that the expiration time of a certificate is earlier than the current time, the
base station/base station controller/eCoordinator determines that the certificate has
expired.
Table 4-1 describes the processing performed by the base station/base station controller/
eCoordinator when it detects that the device certificate is abnormal.
NOTE
During an automatic certificate update procedure, if the certificate update fails due to intermittent
transmission or network congestion, the system automatically retries certificate update for at most
twice with an interval of 10 minutes.
l Manual mode
O&M personnel can run the UPD DEVCERT command to manually trigger a CMPv2-
based certificate update. In this command, the CERTMK.APPCERT parameter
specifies a certificate to be updated, the REKEY parameter specifies whether to update a
private-public key pair, and the CERTREQ.KEYSIZE parameter specifies a key length.
After this command is executed, the base station or base station controller reports the
progress of the certificate update.
During the certificate update, the base station or base station controller automatically
configures a new certificate and tests it. If the configuration or test of the new certificate fails,
the base station reports ALM-26842 Automatic Certificate Update Failed or the base station
controller reports ALM-20803 Certificate Auto-update Failed. In this scenario, the original
certificate will be used until a successful certificate update occurs.
In IPsec scenarios, a new certificate is tested by using the certificate for authentication during
IKE renegotiation. In SSL scenarios, a new certificate is tested by using the certificate for
authentication during SSL reconnection. If the IKE renegotiation or SSL reconnection fails,
the base station uses the original certificate. The base station controller only supports the SSL
scenarios. If SSL reconnection fails, the base station controller uses the original certificate.
Bidirectional authentication is used for SSL certificate testing. That is, the NE and U2020
authenticate the device certificates of each other. The SSL certificate testing result reflects
whether the certificates can be used.
is the same as a certificate application procedure. For details, see 4.1.3.4 Certificate
Management During eCoordinator Deployment.
If the base station finds that the operator-issued device certificate was revoked based on the
CRL file, the base station initiates a certificate application procedure. If the base station is
discarded, the certificate application request will be rejected by the CA and no new device
certificate will be issued.
If the CRL is obtained using LDAP and the base station/base station controller supports only
LDAPv3, the CRL server must support LDAPv3. For details, see IETF RFC 4511 Lightweight
Directory Access Protocol (LDAP).
l If the CRL is obtained using FTP over SSL (FTPS), set FTPCLT.ENCRYMODE (for
the eGBTS/NodeB/eNodeB/gNodeB) or FTPSCLT.ENCRYMODE (for the GBTS/
GBSC/RNC/eCoordinator) to AUTO(Auto) or ENCRYPTED(SSL Encrypted), and
enable the FTPS function on the CRL server side. If this parameter is set to
ENCRYPTED(SSL Encrypted), ensure that all FTP servers communicating with the
base station/base station controller/eCoordinator support FTPS.
If the CRL server needs to be authenticated, set the FTPCLT.SSLCERTAUTH (for the
eGBTS/NodeB/eNodeB/gNodeB) or FTPSCLT.SSLCERTAUTH (for the GBTS/
GBSC/RNC/eCoordinator) parameter to YES(Yes). In addition, ensure that the base
station/base station controller/eCoordinator has been configured with the peer CA trust
certificate and the CRL server has been configured with a device certificate.
NOTE
Basic information about abnormal certificates will be saved on the U2020 for 30 days and then be
automatically removed. The purpose is to avoid repeated exporting of certificate information.
In the following scenarios, the device certificate on the base station does not need to be
revoked although the device certificate status is abnormal on the U2020:
l The base station operates normally but cannot communicate with the U2020 for a long
time.
l The base station or its board is transferred to another U2020 for management. In this
case, the device certificate of the base station or board is recorded as abnormal on the
original U2020.
l The value of CERTDEPLOY.DEPLOYTYPE is changed to NULL, which indicates
that the device certificate on the base station is not applied. In this situation, the
certificate status on the U2020 is that the certificate does not exist.
If the certificate must be revoked, you need to manually run the certificate revocation
command on the CA.
The offline certificate monitoring function cannot be used in the following conditions:
l This function does not take effect for the preconfigured Huawei-issued device
certificates. The name of the issuer of the preconfigured Huawei-issued device
certificates starts with "Huawei". Therefore, it is not recommended that the name of the
issuer of operator-issued device certificates start with "Huawei".
l If the base station cannot communicate with the U2020 after obtaining a device
certificate, the U2020 cannot record the information about the device certificate. In this
case, the U2020 cannot monitor the device certificate.
l During the period when base station software is rolled back to a version not supporting
offline certificate monitoring, the U2020 cannot update certificate status. After base
station software is upgraded to a version supporting offline certificate monitoring, the
U2020 can update certificate status.
The offline certificate monitoring function does not need to be activated. You can query and
export the basic information about abnormal certificates on the U2020. For details, see 4.4.3.4
Activation Verification and 4.4.4.4 Activation Verification.
During the deployment phase, apply for the operator-issued device certificate only for the
active UMPT.
During the operation phase, a CMPv2-based certificate application is triggered if all the
following conditions are met:
The two UMPT boards manage and use their own certificates.
In UMPT+UMPT cold backup mode, if both IPsec and PKI are deployed, the
IKEPEER.IDTYPE parameter can be set to IP or FQDN on the base station side. If this
parameter is set to FQDN, the SeGW should not check the ID of the base station.
l Check whether the value of Local IP in the certificate request is the same as the value of
Local IP in the effective IKEPEER MO before running any of the following
commands:
– MOD CERTREQ
– ADD CA
– MOD CA
– MOD APPCERT
– MOD CERTMK
– MOD IKEPEER
– ADD IPSECBIND (old model)/ADD IPSECBINDITF (new model)
– ADD IPSECPOLICY
– MOD IPSECPOLICY
If the two Local IP values are different, certificate reconfiguration impact cannot be
estimated.
l Check whether the effective IKE/SSL certificate is using the local trust certificate to be
deleted (by running the RMV TRUSTCERT command).
NOTE
This function cannot determine whether the peer trust certificate is deleted.
This function does not apply to base stations using a WMPT, LMPT, GTMUb, or GTMUc as
the main control board.
It is required that the AAU be added to the whitelist of the CA and the BBU be configured as
the RA to ensure that the AAU can successfully apply for an operator-issued device
certificate. During the certificate application and update, the BBU functions as the RA and
should have applied for an operator-issued device certificate. The private key file of the AAU
is not transferred out of the AAU.
Currently, an AAU does not support manual application for an operator-issued device
certificate. It can only use CMPv2 to apply for an operator-issued device certificate from the
operator's CA through the BBU proxy.
Step 1 An AAU generates the certificate private key and certificate request file based on the
parameters in the CERTREQ MO.
For an AAU, the certificate common name is always the ESN, the signature algorithm is
always SHA256, the key size is always 2048 bits, and the local name and local IP address do
not take effect.
Step 2 The AAU sends the certificate request file to the BBU.
Step 3 The BBU uses the certificate request file to apply for an operator-issued device certificate for
the AAU from the CA, and then delivers the certificate to the AAU.
----End
The BBU can control whether to allow AAUs to use Huawei certificates for connection. After
the certificates of all AAUs are replaced with the operator-issued device certificates, you can
run the SET RRUSECPOLICY command to disable authentication based on Huawei-issued
device certificates. In this case, the BBU accepts only the connection requests of AAUs using
operator-issued device certificates. In secure networking using certificate-based
authentication, if a new AAU is connected to the network, authentication based on Huawei-
issued device certificates must be enabled on the BBU. Otherwise, the AAU may fail to apply
for an operator-issued device certificate.
ALM-26565 RF Unit Certificate Fault is reported one hour after an AAU certificate
application or update fails or the AAU authentication mode is changed to anonymous
authentication.
4.2.1 Benefits
A PKI system manages digital certificates for network equipment. This helps operators
establish a trusted security domain and gain trust relationships with different vendors to
jointly establish a secure network environment.
4.2.2 Impacts
Network Impacts
A certificate application process prolongs base station deployment by approximately 10s.
Function Impacts
l GBFD-113526 BTS Supporting PKI
None
l WRFD-140210 NodeB PKI Support
None
l GBFD-160211 BSC Supporting PKI
Function Function Switch Reference
Name
4.3 Requirements
4.3.1 Licenses
The licenses for the PKI feature have been activated for the base station and base station
controller. The eCoordinator/gNodeB does not require a license to support the PKI feature.
The following table lists the licenses controlling PKI.
NOTE
The rules for activating the license controlling PKI for a multimode base station are as follows:
l In co-transmission scenarios with a separate-MPT multimode base station, the license controlling
PKI needs to be activated for the mode that provides a transmission port. If another mode requires
certificate sharing, the license controlling PKI must also be activated for this mode.
l If a UTRPc board is used to connect to the transport network, the license controlling PKI must be
activated for the managing mode of the UTRPc board.
For a BSC6900 GU or BSC6910 GU, the license controlling PKI only needs to be activated for one
mode, that is, you can activate either the license for the BSC Supporting PKI feature or the license for
the RNC Supporting PKI feature.
4.3.2 Software
Before activating this function, ensure that its prerequisite functions have been activated and
mutually exclusive functions have been deactivated. For detailed operations, see the relevant
feature documents.
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
None
Prerequisite Functions
None
Prerequisite Functions
None
Prerequisite Functions
None
Prerequisite Functions
None
Prerequisite Functions
None
Prerequisite Functions
None
4.3.3 Hardware
NR l 3900 and 5900 series base stations. 3900 series base stations must be
configured with the BBU3910.
l DBS3900 LampSite and DBS5900 LampSite. DBS3900 LampSite
must be configured with the BBU3910.
Boards
The following table lists the hardware to be configured in base stations to support PKI.
NE Hardware
GBTS GTMUb/GTMUc+UMPT_L/LMPT
eGBTS UMPT_G/UMDU_G/MDUC_G/GTMUb/GTMUc
NodeB UMPT_U/UTRPc/UMDU_U/MDUC_U
eNodeB UMPT_L/UMPT_T/LMPT/UTRPc/UMDU_L/UMDU_T
gNodeB UMPT_N
Multimode UMPT_G/UMDU_G/MDUC_G/UMPT_U/UMDU_U/MDUC_U/
base station UMPT_L/UMPT_T/UMDU_L/UMDU_T/LMPT/UTRPc
eCoordinator OMU
For details about the boards that support eCPRI, see the "Hardware" section in eCPRI.
RF Modules
This function does not depend on RF modules.
4.3.4 Others
l A PKI server is deployed on the operator's network.
l Operator-issued device certificates and CRLs comply with IETF RFC 5280.
l The operator's CA supports CMPv2 defined in IETF RFC 4210, and the format of
certificate request messages complies with IETF RFC 4211.
l As stipulated in 3GPP TS 33.310, the Initialization Response message sent by the
operator's CA contains the operator's root certificate or certificate chain.
l The operator's CA is preconfigured with the Huawei root certificate.
If the base stations and base station controllers on the live network need to interconnect with
the PKI system, enable the PKI feature for the base stations and base station controllers.
4.4.2 Precautions
Before deploying the PKI feature for a base station or base station controller, engineering
personnel must obtain CA information from CA maintenance personnel. The following table
lists the CA information that needs to be collected.
CA name CA.CANAME
RA name CA.RANAME
Before deploying the PKI feature for an eCoordinator, engineering personnel must obtain CA
information from CA maintenance personnel. The following table lists the CA information
that needs to be collected.
In the following tables, "-" indicates that there is no special requirement for the parameter setting. You
can set the parameter based on site requirements.
Table 4-4 lists the data to be prepared for the deployment location of a certificate on the base
station (the CERTDEPLOY MO in MML configurations).
Table 4-5 lists the data to be prepared for a certificate request template of the base station (the
CERTREQ MO in MML configurations).
Country CERTREQ.COUNTRY -
Organization CERTREQ.ORG -
Organizational CERTREQ.ORGUNIT -
Unit
State or CERTREQ.STATEPRO -
Province VINCENAME
Locality CERTREQ.LOCALITY -
Local Name CERTREQ.LOCALNA If this parameter is not set, the default value
ME of the Common Name field in a certificate
is used. If this parameter is set, the value of
the Local Name field in a certificate must
be the same as the value of this parameter.
The base station must be configured with CA information to apply for a certificate from the
CA. Table 4-6 lists the data to be prepared for the CA (the CA MO in MML configurations).
Certificate CA.CANAME -
Authority Name
Signature CA.SIGNALG -
Algorithm
Certificate CA.UPDSIP -
Update Source
IP
CA URL CA.INITREQURL -
During Site
Deployment
Slave CA.SLVURL -
Certificate
Authority URL
Certificate CA.CERTREQSW -
Request Switch
Local IP CA.LOCALIP -
NOTE
If O&M data flows are transmitted by the IPsec tunnel, the O&M IP address cannot be used for data that
is not protected by IPsec. If O&M data flows are not transmitted by the IPsec tunnel, the O&M IP
address cannot be used for data that is protected by IPsec.
Table 4-7 lists the data to be prepared for a device certificate (the CERTMK MO in MML
configurations).
Table 4-8 lists the data to be prepared for an active certificate (the APPCERT MO in MML
configurations). Active certificates are device certificates that are currently used by a base
station.
Table 4-9 lists the data to be prepared for a trust certificate (the TRUSTCERT MO in MML
configurations).
Table 4-10 lists the data to be prepared for a periodic certificate validity check task (the
CERTCHKTSK MO in MML configurations).
Table 4-10 Data to be prepared for a periodic certificate validity check task
(Optional) Prepare CRL data if the base station needs to obtain CRL information from the
CA. Table 4-11 lists the data to be prepared for a CRL (the CRL MO in MML
configurations).
(Optional) Prepare data related to CRL usage policies. Table 4-12 lists the data to be prepared
for these policies (the CRLPOLICY MO in MML configurations).
(Optional) Prepare data related to a periodic CRL download task. Table 4-13 lists the data to
be prepared for the task (the CRLTSK MO in MML configurations).
Password CRLTSK.PWD -
Task ID CRLTSK.TSKID -
(Optional) Prepare data to manually download an operator's root certificate or CRL from an
FTP server. Table 4-14 lists the data to be prepared for downloading a certificate file (the
DLD CERTFILE in MML configurations).
FTP Server IP IP -
Password PWD -
Certificate Type CT -
Table 4-15 Data to be prepared for applying for a device certificate based on CMPv2
Parameter Parameter ID Setting Notes
Name
Certificate CA.CANAME -
Authority Name
(Optional) Prepare data to manually trigger a CMPv2-based certificate update. Table 4-16
lists the data to be prepared for updating a device certificate (the UPD DEVCERT in MML
configurations) based on CMPv2.
Table 4-16 Data to be prepared for updating a device certificate based on CMPv2
Parameter Parameter ID Setting Notes
Name
//Adding an operator's CA
//If the base station can access the CA either through an external network or
through the intranet and O&M data is protected by IPsec, you are advised to set
the source IP addresses for certificate application and update to an interface IP
address and an O&M IP address (for example, 10.31.31.188), respectively. The
following is an example:
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE= CFG_INIT_UPD_ADDR,
UPDSIP="10.31.31.188",INITREQURL="http://10.89.89.89:80/
pkix/",INITREQSIP="10.20.20.188";
//If the base station can access the CA either through an external network or
through the intranet, and O&M data is not protected by IPsec, you are advised to
set the source IP addresses for certificate application and update to an
interface IP address and an intranet IP address(for example, 10.45.45.45),
respectively.
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE= CFG_INIT_UPD_ADDR,
UPDSIP="10.45.45.45",INITREQURL="http://10.89.89.89:80/
pkix/",INITREQSIP="10.20.20.188";
//If the base station can access the CA only through an external network, you are
advised to set the source IP addresses for both certificate application and
update to interface IP addresses. The following is an example:
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE= CFG_INIT_UPD_ADDR,
UPDSIP="10.20.20.188",INITREQURL="http://10.89.89.89:80/
pkix/",INITREQSIP="10.20.20.188";
//Downloading an operator's root certificate from an FTP server (assume that the
FTP server is deployed on the U2020, indicating that the IP address of the FTP
server is the same as that of the U2020)
DLD
CERTFILE:IP="10.60.60.60",USR="admin",PWD="*****",SRCF="OperationCA.cer",DSTF="Ope
rationCA.cer";
//Adding an operator's root certificate as the trust certificate
ADD TRUSTCERT: CERTNAME="OperationCA.cer";
//Setting information required for the base station to apply for an operator-
issued device certificate based on CMPv2 when the certificate application needs
to be manually triggered
//(Skip this step when the certificate application is automatically triggered.)
REQ DEVCERT: CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd, CN=eca1",
APPCERT="OPKIDevCert.cer";
//Modifying configurations of an active certificate
MOD APPCERT: APPTYPE=IKE, APPCERT="OPKIDevCert.cer";
NOTE
After the active IKE certificate is changed by running the MOD APPCERT command, if IKE
authentication uses the new certificate and the current IKE SA is normal, the base station automatically
initiates an IKE renegotiation.
//Setting a periodic certificate validity check task
SET CERTCHKTSK: PERIOD=7, ALMRNG=30, UPDATEMETHOD=CMP;
//(Optional) Downloading the CRL file from the FTP server (If the FTP server is
deployed on the U2020, the IP address of the FTP server is the same as that of
the U2020.)
DLD
CERTFILE:IP="10.60.60.60",USR="admin",PWD="*****",SRCF="eNodeB.crl",DSTF="eNodeB.c
rl";
//(Optional, required only when a manual certificate application procedure is
used) Loading a CRL file
ADD CRL: CERTNAME="eNodeB.crl";
//(Optional) Setting a CRL usage policy
SET CRLPOLICY:CRLPOLICY= NOVERIFY;
//(Optional) Adding a task of periodically downloading the CRL
ADD CRLTSK: IP="10.86.86.86", USR="admin", PWD="*****", FILENAME="eNodeB.crl",
ISCRLTIME=DISABLE, PERIOD=24, TSKID=0, CRLGETMETHOD=FTP;
In addition to the preceding steps, perform the following step to manually trigger a certificate
update. When you run the UPD DEVCERT command to update a certificate, the certificate
update will fail if the base station is performing an IKE or SSL negotiation. You need to run
this command after the negotiation is completed.
----End
Single configuration CME Management > CME Guidelines > Getting Started with
the CME > Introduction to Data Configuration Operations
Batch eGBTS CME Management > CME Guidelines > GSM Application
configuration Management > Base Station Related Operations > Importing
and Exporting eGBTS Data for Batch Reconfiguration
Batch NodeB CME Management > CME Guidelines > UMTS Application
configuration Management > NodeB Related Operations > Importing and
Exporting NodeB Data for Batch Configuration
Batch eNodeB CME Management > CME Guidelines > LTE Application
configuration Management > eNodeB Related Operations > Importing and
Exporting eNodeB Data for Batch Configuration
PKI and IPsec networking. After the wizard configuration is completed, the CME
automatically imports the configured parameters to the Summary data file and prompts which
parameters must be manually configured in the Summary data file (for example, the UPDSIP
parameter in the CA MO).
Figure 4-18 shows the procedure for configuring data using the CME transport security
wizard.
Figure 4-18 Procedure for configuring data using the CME transport security wizard
Figure 4-19 shows the PKI attribute selection in the CME transport security wizard.
For details on how to configure the PKI parameters in the CME transport security wizard, see
4.4.3.1 Data Preparation. For details on how to configure IPsec parameters, see the "Using
the CME" section in IPsec.
After configurations on the CME transport security wizard are complete, the IPsec and PKI
parameter setting tables are exported, displaying the IPsec and KPI parameters that have been
configured and the parameters that need to be manually configured in the summary data file.
You can adjust the configured parameters in the summary data file based on actual conditions.
For the configuration path and interface for the transport security wizard, see "Customizing a
Summary Data File Using the Transmission Security Wizard" in the "Customizing a Summary
Data File" section of CME Product Documentation.
The CME transport security wizard has the following restrictions for configuring PKI:
If the values of Certificate File Name, Issuer, and Common Name are correct and the value
of Status is Normal in the query result, the device certificate has been loaded to the base
station.
Step 2 Run the MML command DSP TRUSTCERT to check the status of trust certificates.
If the value of Status is Normal in the query result, the trust certificate has been loaded to the
base station.
Step 3 (Optional) Run the MML command DSP CRL to check the CRL status.
If the value of Status is Normal in the query result, the CRL has been loaded to the base
station.
----End
If the value of Status is Normal in the query result, certificate sharing is successful.
----End
Step 2 (Optional) To export information of device certificates in abnormal states, click Export. If the
On disconnected NE or On deleted NE check box is selected, you also need to set the
duration in which the device certificates remain in the state.
----End
Figure 4-20 Example of the secure networking for the eGBTS using a GTMUb
In the following tables, "-" indicates that there is no special requirement for the parameter setting. You
can set the parameter based on site requirements.
Table 4-17 lists the data to be prepared for applying for a certificate from the CA (the SSL
MO in MML configurations).
Table 4-17 Data to be prepared for applying for a certificate from the CA
Parameter Parameter ID Setting Notes
Name
Common Name This parameter is The value of the Common Name field in a
manually set on the CA certificate request file consists of Common
and it does not have a Name+Common Name Additional Info.
parameter ID. The recommended value of the Common
Name field is XXX.huawei.com (XXX
indicates the ESN of the board connecting
to the transport network).
Local Name This parameter is l If this parameter is not set, the default
manually set on the CA value of the Common Name field in a
and it does not have a certificate is used.
parameter ID. l If this parameter is set, the value of the
Local Name field in a certificate must be
the same as the value of this parameter.
Certificate SSL.CRLENABLESTA -
Revocation List
File Enabled
State
Certificate SSL.CRL -
Revocation List
File Name
Certificate SSL.CERTCHAIN -
Chain File
Name
Table 4-18 lists the data to be prepared for the deployment location of a certificate on the base
station (the CERTDEPLOY MO in MML configurations).
Table 4-19 lists the data to be prepared for downloading an operator's root certificate, public
key, private key, or CRL file from an FTP server. The corresponding MML command is DLD
GENFILE.
FTP Server IP IP -
Password PWD -
NOTE
If multi-level CAs are deployed in the operator's PKI system and the local certificate chain is different
from the peer certificate chain, you also need to run the SET CERTFILE command to configure the
peer certificate chain.
//There are no MML commands for steps 1 and 2.
//Upload the operator's root certificate and CRL file to the FTP server.
//Based on the data plan, apply for a device certificate from the CA, and upload
the public key certificate (device certificate) and private key file generated by
the CA to the FTP server.
//Downloading the operator's root certificate, public key certificate, private
key file, and CRL file from the FTP server (assume that the FTP server is on the
U2020 and the FTP server and U2020 have the same IP address)
//Setting the certification deployment position so that the certificate is not
deployed on the base station
SET CERTDEPLOY:DEPLOYTYPE=NULL;
//Downloading the operator's root certificate from the FTP server
DLD
GENFILE:SRCF="OperationCA.cer",TYPE=SSL,DSTF="OperationCA.cer",MODE=IPV4,IP="10.60
.60.60",USR="admin",PWD="*****";
//Downloading the public key certificate from the FTP server
DLD
GENFILE:SRCF="OperationDev.cer",TYPE=SSL,DSTF="OperationDev.cer",MODE=IPV4,IP="10.
60.60.60",USR="admin",PWD="*****";
//Downloading the private key file from the FTP server
DLD
GENFILE:SRCF="OperationDevPri.cer",TYPE=SSL,DSTF="OperationDevPri.cer",MODE=IPV4,I
P="10.60.60.60",USR="admin",PWD="*****";
//Downloading the CRL file from the FTP server
DLD
GENFILE:SRCF="eGBTS.crl",TYPE=SSL,DSTF="eGBTS.crl",MODE=IPV4,IP="10.60.60.60",USR=
"admin",PWD="*****";
//Setting the operator's root certificate, public key certificate, private key
file, and CRL file
SET CERTFILE:ROOTCERT="OperationCA.cer ",PUBCERT="OperationDev.cer ",PRIVKEY="
OperationDevPri.cer",PKPENABLESTA=DISABLE,CRLENABLESTA=ENABLE,CRL="eNodeB.crl
",CCAENABLESTA=DISABLE;
----End
Figure 4-21 Example of the secure networking for the NodeB that uses a WMPT as the main
control board and is not configured with a UTRPc
In the following tables, "-" indicates that there is no special requirement for the parameter setting. You
can set the parameter based on site requirements.
Table 4-20 lists the data to be prepared for applying for a certificate from the CA (the SSL
MO in MML configurations).
Table 4-20 Data to be prepared for applying for a certificate from the CA
Parameter Parameter ID Setting Notes
Name
Common Name This parameter is The value of the Common Name field in a
manually set on the CA certificate request file consists of Common
and it does not have a Name+Common Name Additional Info.
parameter ID. The recommended value of the Common
Name field is XXX.huawei.com (XXX
indicates the ESN of the board connecting to
the transport network).
Local Name This parameter is l If this parameter is not set, the default
manually set on the CA value of the Common Name field in a
and it does not have a certificate is used.
parameter ID. l If this parameter is set, the value of the
Local Name field in a certificate must be
the same as the value of this parameter.
Certificate SSL.CRLENABLEST -
Revocation List A
File Enabled
State
Certificate SSL.CRL -
Revocation List
File Name
Table 4-21 lists the data to be prepared for the deployment location of a certificate on the base
station (the CERTDEPLOY MO in MML configurations).
Table 4-22 lists the data to be prepared for downloading an operator's root certificate, public
key, private key, or CRL file from an FTP server. The corresponding MML command is DLD
GENFILE.
FTP Server IP IP -
Password PWD -
NOTE
If multi-level CAs are deployed in the operator's PKI system and the local certificate chain is different
from the peer certificate chain, you also need to run the SET CERTFILE command to configure the
peer certificate chain.
//There are no MML commands for steps 1 and 2.
//Upload the operator's root certificate and CRL file to the FTP server.
//Based on the data plan, apply for a device certificate from the CA, and upload
the public key certificate (device certificate) and private key file generated by
the CA to the FTP server.
//Downloading the operator's root certificate, public key certificate, private
key file, and CRL file from the FTP server (assume that the FTP server is on the
U2020 and the FTP server and U2020 have the same IP address)
//Setting the certification deployment position so that the certificate is not
deployed on the base station
SET CERTDEPLOY:DEPLOYTYPE=NULL;
//Downloading the operator's root certificate from the FTP server
DLD
GENFILE:SRCF="OperationCA.cer",TYPE=SSL,DSTF="OperationCA.cer",MODE=IPV4,IP="10.60
.60.60",USR="admin",PWD="*****";
//Downloading the public key certificate from the FTP server
DLD
GENFILE:SRCF="OperationDev.cer",TYPE=SSL,DSTF="OperationDev.cer",MODE=IPV4,IP="10.
60.60.60",USR="admin",PWD="*****";
//Downloading the private key file from the FTP server
DLD
GENFILE:SRCF="OperationDevPri.cer",TYPE=SSL,DSTF="OperationDevPri.cer",MODE=IPV4,I
P="10.60.60.60",USR="admin",PWD="*****";
//Downloading the CRL file from the FTP server
DLD
GENFILE:SRCF="NodeB.crl",TYPE=SSL,DSTF="NodeB.crl",MODE=IPV4,IP="10.60.60.60",USR=
"admin",PWD="*****";
//Setting the operator's root certificate, public key certificate, private key
file, and CRL file
SET CERTFILE:ROOTCERT="OperationCA.cer ",PUBCERT="OperationDev.cer ",PRIVKEY="
OperationDevPri.cer",PKPENABLESTA=DISABLE,CRLENABLESTA=ENABLE,CRL="NodeB.crl
",CCAENABLESTA=DISABLE;
----End
Figure 4-22 Example of the secure networking for the base station controller
In the following tables, "-" indicates that there is no special requirement for the parameter setting. You
can set the parameter based on site requirements.
Table 4-23 lists the data to be prepared for a certificate request template (the CERTREQ MO
in MML configurations).
Country CERTREQ.COUNTRY -
Organization CERTREQ.ORG -
Organizational CERTREQ.ORGUNIT -
Unit
State or CERTREQ.STATEPRO -
Province VINCENAME
Locality CERTREQ.LOCALITY -
Local Name CERTREQ.LOCALNA If this parameter is not set, the default value
ME of the Common Name field in a certificate
is used. If this parameter is set, the value of
the Local Name field in a certificate must be
the same as the value of this parameter.
The base station controller must be configured with CA information to apply for a certificate
from the CA. Table 4-24 lists the data to be prepared for the CA (the CA MO).
Signature CA.SIGNALG -
Algorithm
Table 4-25 lists the data to be prepared for a device certificate (the CERTMK MO).
Table 4-26 lists the data to be prepared for an active certificate (the APPCERT MO). Active
certificates are device certificates that are currently used by a base station controller.
Table 4-27 lists the data to be prepared for a trust certificate (the TRUSTCERT MO).
Table 4-28 lists the data to be prepared for a periodic certificate validity check task (the
CERTCHKTSK MO).
Table 4-28 Data to be prepared for a periodic certificate validity check task
Parameter Parameter ID Setting Notes
Name
(Optional) Prepare CRL data if the base station controller needs to obtain CRL information
from the CA. Table 4-29 lists the data to be prepared for a CRL (the CRL MO).
(Optional) Prepare data related to CRL usage policies. Table 4-30 lists the data to be prepared
for these policies (the CRLPOLICY MO).
(Optional) Prepare data related to a periodic CRL download task. Table 4-31 lists the data to
be prepared for the task (the CRLTSK MO).
Task ID CRLTSK.TSKID -
Password CRLTSK.PWD -
(Optional) Prepare data to manually download an operator's root certificate or CRL from an
FTP server. Table 4-32 lists the data to be prepared for downloading a certificate file (the
DLD CERTFILE in MML configurations).
FTP Server IP IP -
Password PWD -
Certificate Type CT -
Table 4-33 Data to be prepared for applying for a device certificate based on CMPv2
Parameter Parameter ID Setting Notes
Name
Certificate CA.CANAME -
Authority Name
(Optional) Prepare data to manually trigger a CMPv2-based certificate update. Table 4-34
lists the data to be prepared for updating a device certificate (the UPD DEVCERT in MML
configurations) based on CMPv2.
Table 4-34 Data to be prepared for updating a device certificate based on CMPv2
Parameter Parameter ID Setting Notes
Name
Function Activation
Perform the following steps to activate an operator-issued device certificate on the base
station controller side:
Step 1 Run the MOD CERTREQ command to modify configurations of a certificate request
template.
Step 2 Run the ADD CA command to add an operator's CA.
Step 3 Run the LST APPCERT command to check whether the base station controller has been
configured with a device certificate for identity authentication. If "Certificate File Name" in
the command output is usercert.pem, the base station has a preconfigured Huawei-issued
device certificate. Go to the next step. If "Certificate File Name" in the command output is
hwusercert.pem, the base station has a preconfigured Huawei-issued device certificate that is
bound with the ESN of the OMU board. Go to step 5.
Step 4 Perform the following steps to manually configure an operator-issued device certificate for
the base station controller on the U2020:
1. Run the CRE CERTREQFILE command to generate the certificate request file.
2. Run the ULD CERTFILE command to send the local certificate request file to the
U2020 to apply for the device certificate.
3. The U2020 sends the certificate request to the operator's CA. You can manually operate
the U2020 to submit the certificate request file to the operator's CA for an operator-
issued device certificate. Then, the CA returns the operator-issued device certificate to
the U2020 by manual operation. The certificate request file and operator-issued device
certificate are saved in the following directory of the U2020: /export/home/sysm/
ftproot/ftptmp.
4. Run the DLD CERTFILE command to download the operator's root certificate from the
U2020.
5. Run the ADD TRUSTCERT command to add an operator's trust certificate.
6. Run the DLD CERTFILE command to download the operator-issued device certificate
from the U2020.
7. Run the ADD CERTMK command to add the device certificate to the base station
controller.
8. Go to step 6.
Step 5 Run the REQ DEVCERT command to apply an operator-issued device certificate for the
base station controller.
NOTE
If the certificate application succeeds, running the REQ DEVCERT command will return a message
about successful execution. You can run the DSP CERTMK command to query whether a certificate
has been applied.
Step 6 On the U2020, choose Security > Certificate Authentication Management > Certificate
Management. In the displayed interface, click Test to check whether SSL connection can be
established between the base station controller and the U2020.
Bidirectional authentication is used for SSL certificate testing. That is, the base station
controller and U2020 authenticate the device certificates of each other. The SSL certificate
testing result reflects whether the certificates can be used.
Step 7 Run the MOD APPCERT command to modify configurations of an active certificate.
Step 8 Run the SET CERTCHKTSK command to set a periodic certificate validity check task.
Step 9 (Optional) Run the DLD CERTFILE command to download a CRL from the operator's
certificate & CRL database.
Step 11 (Optional) Run the SET CRLPOLICY command to set a CRL usage policy.
Step 12 (Optional) Run the ADD CRLTSK command to add a periodic CRL download task.
----End
In addition to the preceding steps, perform the following step to manually trigger a certificate
update:
Step 1 Run the UPD DEVCERT command to set information about a certificate update. After the
setting takes effect, a CMPv2-based certificate update procedure is triggered.
----End
Step 2 (Optional) Run the RMV CRLTSK command to remove the task of automatically updating
CRL whose CRLGETMETHOD is set to LDAP.
----End
Run the MML command DSP APPCERT and check the values of the Certificate File
Name, Issuer, Common Name, and Status parameters in the query result. If the values of
Certificate File Name, Issuer, and Common Name are correct and the value of Status is
Normal, the device certificate has been loaded to the base station controller.
----End
You can set the parameter based on site requirements. Table 4-35 lists the data to be prepared
for a certificate request template (the CERTREQ MO in MML configurations).
Country COUNTRY -
Organization ORG -
Organizational ORGUNIT -
Unit
State or STATEPROVINCENA -
Province ME
Locality LOCALITY -
Local Name LOCALNAME If this parameter is not set, the value of the
Common Name field in a certificate is used
(for example,
03021377001000001.huawei.com). If this
parameter is set, the value of this parameter
is the configured value.
Local IP LOCALIP -
Table 4-36 lists the data to be prepared for a device certificate (the CERTMK MO in MML
configurations).
Table 4-37 lists the data to be prepared for an active certificate (the APPCERT MO in MML
configurations). Active certificates are device certificates that are currently used by the
eCoordinator.
Certificate File APPCERT The certificate file name must have been
Name configured in a CERTMK MO.
Table 4-38 lists the data to be prepared for a trust certificate (the TRUSTCERT MO in MML
configurations).
Table 4-39 lists the data to be prepared for a periodic certificate validity check task (the
CERTCHKTSK MO in MML configurations).
Table 4-39 Data to be prepared for a periodic certificate validity check task
(Optional) If the eCoordinator needs to obtain CRL information from the CA, the following
data must be prepared:
l Data to be prepared for a CRL (the CRL MO in MML configurations). For details, see
Table 4-40.
l Data to be prepared for CRL usage policies (the CRLPOLICY MO in MML
configurations). For details, see Table 4-41.
l Data to be prepared for a periodic CRL download task (the CRLTSK MO in MML
configurations). For details, see Table 4-42.
Password PWD -
Task ID TSKID -
(Optional) Prepare data to manually download an operator's root certificate or CRL from an
FTP server. Table 4-43 lists the data to be prepared for downloading a certificate file (the
CERTFILE MO in MML configurations).
Certificate Type CT -
FTP Server IP IP -
Password PWD -
//The administrator applies for a device certificate on the U2020 based on the certificate
request file. For details, see section "Manually Applying For a Device Certificate" in U2020
MBB Network Management System Product Documentation.
//Downloading an operator's root certificate from an FTP server (assume that the
FTP server is deployed on the U2020, indicating that the IP address of the FTP
server is the same as that of the U2020)
DLD
CERTFILE:CT=TRUSTCERT,SRCF="OperationCA.cer",DSTF="OperationCA.cer",IP="10.86.86.8
6",USR="admin",PWD="*****";
//Adding an operator's root certificate as the trust certificate
ADD TRUSTCERT:CERTNAME="OperationCA.cer";
//Downloading an operator-issued device certificate from the CA (assume that the
device certificate is saved on the FTP server of the U2020)
DLD CERTFILE:CT=DEVCERT,SRCF="/Cert/
OPKIDevCert.cer",DSTF="OPKIDevCert.cer",IP="10.86.86.86",USR="admin",PWD="*****";
//Adding a device certificate
ADD CERTMK:APPCERT="OPKIDevCert.cer";
//On the U2020, choose Security > Certificate Authentication Management >
Certificate Management. In the certificate management window, select the
requested operator-issued device certificate. Click Test to test whether an SSL
connection can be established between the NE and the U2020 by using this device
certificate.
//Modifying configurations of an active certificate
MOD APPCERT:APPTYPE=SSL,APPCERT="OPKIDevCert.cer";
//Setting a periodic certificate validity check task
SET CERTCHKTSK:PERIOD=7,ALMRNG=30,UPDATEMETHOD=CMP;
//(Optional) Downloading the CRL file from the FTP server (If the FTP server is
deployed on the U2020, the IP address of the FTP server is the same as that of
the U2020.)
DLD
CERTFILE:CT=CRL,SRCF="ECO.crl",DSTF="ECO.crl",IP="10.86.86.86",USR="admin",PWD="**
***";
//(Optional) Loading the CRL file
ADD CRL:CERTNAME="ECO.crl";
//(Optional) Setting a CRL usage policy
SET CRLPOLICY:CRLPOLICY=NOVERIFY;
//(Optional) Adding a task of periodically downloading the CRL
ADD
CRLTSK:TSKID=0,IP="10.86.86.86",USR="admin",PWD="*****",FILENAME="ECO.crl",ISCRLTI
ME=DISABLE;
Step 1 Run the MML command DSP APPCERT to check the status of device certificates. If the
values of Certificate File Name, Issuer, and Common Name are correct and the value of
Status is Normal, the device certificate has been loaded to the eCoordinator.
Step 2 Run the MML command DSP TRUSTCERT to check the status of trust certificates. If the
value of Status is Normal in the query result, the trust certificate has been loaded to the
eCoordinator.
Step 3 (Optional) Run the MML command DSP CRL to check the CRL status. If the value of Status
is Normal in the query result, the CRL has been loaded to the eCoordinator.
----End
Single CME Management > CME Guidelines > Getting Started with
configuration the CME > Introduction to Data Configuration Operations
Batch eNodeB CME Management > CME Guidelines > LTE Application
configuration Management > eNodeB Related Operations > Importing and
Exporting eNodeB Data for Batch Configuration
Step 1 Run the SET RRUSECPOLICY command to disable Huawei certificate authentication for
an RRU.
Step 2 Check whether the eCPRI connection is normal.
l Initiate a voice service and a data service and then check whether the two services are
running normally.
l Check whether the corresponding base station is online on the topology view of the
U2020.
----End
4.4.9 Reconfiguration
Reconfiguration of CA Name
In Certificate Authority Name, the S and ST fields are regarded as the same field. Services
can be properly provided if the S field is used at one end but the ST field is used at the other
end.
To change the S field to the ST field, perform the following steps:
//Removing the original CA configuration
RMV CA:CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd, CN=eca1";
//Adding a CA
ADD CA:CANAME="C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=eca1",
URL="http://10.88.88.88:80/pkix/";
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca2",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE=
CFG_INIT_UPD_ADDR, UPDSIP="10.31.31.188",INITREQURL="http://10.89.89.89:80/
pkix/",INITREQSIP="10.20.20.188";
Run the following commands:
//Adding a CA
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN =
eca1",RANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca2",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE= CFG_INIT_UPD_ADDR,
UPDSIP="10.31.31.188",INITREQURL="http://10.89.89.89:80/
pkix/",INITREQSIP="10.20.20.188";
//Turning on the CA switch
MOD CERTMK:APPCERT="opki1.cer",CASW=ON,CANAME="C = AU, S = Some-State, O =
Internet Widgits Pty Ltd, CN = eca1";
//Removing the original CA configuration
RMV CA:CANAME="C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=eca2";
//Turning off the CA switch
MOD CERTMK:APPCERT="opki1.cer",CASW=OFF;
//Turning on the automatic certificate reapplication switch
SET CERTCHKTSK:PERIOD=7, ALMRNG=30, UPDATEMETHOD=CMP, AUTOREAPPLYSW = ON;
5.1 Principles
To improve the reliability of PKI-based secure networks, PKI redundancy is introduced to
both the base station and base station controller. The eCoordinator does not support PKI
redundancy.
To achieve PKI redundancy, two PKI servers must be deployed on the network. There should
be reachable routes between the base station/base station controller and the two PKI servers.
In addition, the following conditions should be met:
l The two PKI servers have the same CANAME and root certificate or certificate chain
and synchronize certificate management databases between them.
l The two CAs must have different IP addresses, and so do active and standby CRL
servers.
Every time before certificate application, certificate update, and CRL acquisition, the base
station or base station controller first initiates a session with the active PKI server. If the
session fails, the base station or base station controller reinitiates a session with the standby
PKI server. This mechanism ensures successful certificate applications and updates as well as
CRL acquisitions.
The following parameters specify the URL of the standby CA on the base station and base
station controller sides:
l CA.SLVURL
l CA.SLVINITREQURL
The following parameters specify the login information of the standby CRL server on the base
station and base station controller sides:
l CRLTSK.SLVIP
l CRLTSK.SLVPORT
l CRLTSK.SLVUSR
l CRLTSK.SLVPWD
During certificate updates or CRL acquisitions, the base station/base station controller reports
ALM-26842 Automatic Certificate Update Failed only when the sessions between the base
station/base station controller and both the active and standby PKI servers fail.
PKI redundancy has the following application limitations: PKI redundancy is not supported
during base station deployment by PnP. The operator must ensure that the active PKI server
works properly during base station deployment by PnP.
5.2.1 Benefits
This feature improves networking reliability
5.2.2 Impacts
Network Impacts
None
Function Impacts
None
5.3 Requirements
5.3.1 Licenses
The following table lists the licenses controlling PKI Redundancy.
Feature Feature Name Model License NE Sales
ID Control Item Unit
Name
5.3.2 Software
Before activating this function, ensure that its prerequisite functions have been activated and
mutually exclusive functions have been deactivated. For detailed operations, see the relevant
feature documents.
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
None
5.3.3 Hardware
For details, see 4.3.3 Hardware.
5.3.4 Networking
l Two PKI servers are deployed on the operator's network. For the requirements for PKI
servers, see 4.3.4 Others.
l The two PKI servers have the same CA name and root certificate or certificate chain and
synchronize certificate management databases between them.
l There are reachable routes between the base station/base station controller and the two
PKI servers.
5.4.1 Precautions
Before deploying the PKI redundancy feature, engineering personnel need to collect the
following information besides that listed in 4.4.2 Precautions.
The following table lists the additional data to be prepared for the CA (the CA MO).
(Optional) The following table lists the additional data to be prepared for a periodic CRL
download task.
Run the MML command DSP CERTMK. In the command output, CA URL Last Used
indicates the URL of the standby CA, and Last Update Time of Certificate indicates the
time of the latest certificate update.
Run the MML command DSP CRL. In the command output, CRL Server IP Address Last
Used indicates the IP address of the standby CRL, and Last Update Time of CRL indicates
the time of the latest CRL obtaining.
----End
Figure 5-3 Example of reconstructing a PKI-based secure network into a PKI redundancy
network on the eGBTS/NodeB/eNodeB/gNodeB/multimode base station
General Procedure
Data Planning
In additional to the original configuration data, you need to configure data for the standby CA
and standby CRL server.
The following table lists the data to be prepared for the standby CA.
(Optional) The following table lists the data to be prepared for a periodic CRL download task.
1. On the main menu of the U2020, click in the upper left corner.
2. On the Application Center tab page, double-click the CME icon to start the CME.
3. On the CME, choose CM Express > Planned Area, and click to export the
incremental script.
4. In the Export Incremental Scripts dialog box, choose a specific base station controller
to which the script is exported, specify Output Path and Script Executor Operation,
and click OK.
(Optional) The following table lists the additional data to be prepared for a periodic CRL
download task (the CRLTSK MO).
Slave Port No. CRLTSK.SLVPORT This parameter can be set only when PKI
redundancy is enabled.
Run the MML command DSP CERTMK. In the command output, CA URL Last Used
indicates the URL of the standby CA, and Last Update Time of Certificate indicates the
time of the latest certificate update.
Run the MML command DSP CRL. In the command output, CRL Server IP Address Last
Used indicates the IP address of the standby CRL, and Last Update Time of CRL indicates
the time of the latest CRL obtaining.
----End
Figure 5-4 Example of reconstructing a PKI-based secure network into a PKI redundancy
network on the base station controller
General Procedure
Data Planning
In additional to the original configuration data, you need to configure data for the standby CA
and standby CRL server.
The following table lists the data to be prepared for the standby CA.
(Optional) The following table lists the data to be prepared for a periodic CRL download task.
Slave Port No. CRLTSK.SLVPORT This parameter can be set only when PKI
redundancy is enabled.
1. On the main menu of the U2020, click in the upper left corner.
2. On the Application Center tab page, double-click the CME icon to start the CME.
3. On the CME, choose CM Express > Planned Area, and click to export the
incremental script.
4. In the Export Incremental Scripts dialog box, choose a specific base station controller
to which the script is exported, specify Output Path and Script Executor Operation,
and click OK.
6.1 Principles
If no PKI system is deployed on an operator's network, the base station cannot use an
operator-issued device certificate to access the operator's network. In this case, the base
station can use the digital certificate whitelist management function to access the operator's
network. To support the digital certificate whitelist management, both the base station and
SeGW must be Huawei equipment and be preconfigured with Huawei-issued device
certificates. A digital certificate whitelist is a list of Common Name in the Huawei-issued
device certificates preconfigured on the base station and SeGW.
A digital certificate whitelist is configured on the U2020 and then loaded onto the base
station. During IKE negotiation for IPsec tunnel establishment, the base station uses the
digital certificate whitelist to authenticate each piece of equipment that expects to establish an
IPsec tunnel with the base station. The base station can perform IKE negotiation and establish
IPsec tunnels only with the equipment in the whitelist. IPsec tunnels cannot be established
between the base station and any equipment not in the whitelist. The digital certificate
whitelist is used for authentication between base stations only when there are links (for
example, the X2 interface) between them or base stations are cascaded.
Digital certificate whitelist management has the following application limitations:
l Only Huawei-issued device certificates can be used for authentication. Security risks
exist if Huawei-issued device certificates are always used for authentication. For details,
see 4.1.2.1 Device Certificate.
l The digital certificate whitelist management function supports only IKE/IPsec
negotiation and does not support other types of security channels (such as SSL).
6.2.1 Benefits
The base station can use the digital certificate whitelist management function to access the
operator's network.
6.2.2 Impacts
None
6.3 Requirements
6.3.1 Licenses
Feature Feature Name Model License NE Sales Unit
ID Control Item
Name
6.3.2 Software
Before activating this function, ensure that its prerequisite functions have been activated and
mutually exclusive functions have been deactivated. For detailed operations, see the relevant
feature documents.
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
Function Function Switch Reference
Name
Prerequisite Functions
None
6.3.3 Hardware
NR l 3900 and 5900 series base stations. 3900 series base stations must be
configured with the BBU3910.
l DBS3900 LampSite and DBS5900 LampSite. DBS3900 LampSite
must be configured with the BBU3910.
Boards
l For an eGBTS, only the Ethernet ports on the UMPT, BBU3910A, and UTRPc support
this function.
l For a NodeB, only the UMPT, BBU3910A, and UTRPc support this function.
l For an LTE FDD eNodeB, only the UMPT, BBU3910A, LMPT, and UTRPc support this
function.
l For a gNodeB, only the UMPT supports this function.
RF Modules
This function does not depend on RF modules.
6.3.4 Others
SeGWs must be Huawei devices and support Digital Certificate Whitelist Management.
Password PWD
Guage Option GA
Single configuration CME Management > CME Guidelines > Getting Started with
the CME > Introduction to Data Configuration Operations
Batch eGBTS CME Management > CME Guidelines > GSM Application
configuration Management > Base Station Related Operations > Importing
and Exporting eGBTS Data for Batch Reconfiguration
Batch NodeB CME Management > CME Guidelines > UMTS Application
configuration Management > NodeB Related Operations > Importing and
Exporting NodeB Data for Batch Configuration
Batch eNodeB CME Management > CME Guidelines > LTE Application
configuration Management > eNodeB Related Operations > Importing and
Exporting eNodeB Data for Batch Configuration
Step 1 Run the DSP IPSECSA command to check the IPsec SA status.
Step 2 Check whether services protected by the IPsec tunnel are normal.
l Initiate a voice service and a data service and then check whether the two services are
running normally.
l Check whether the corresponding base station is online on the topology view of the
U2020.
----End
7 Parameters
The following hyperlinked EXCEL files of parameter reference match the software version
with which this document is released.
l Node Parameter Reference: contains device and transport parameters.
l gNodeBFunction Parameter Reference: contains all parameters related to radio access
functions, including air interface management, access control, mobility control, and radio
resource management.
NOTE
You can find the EXCEL files of parameter reference for the software version used on the live network
from the product documentation delivered with that version.
FAQ: How do I find the parameters related to a certain feature from parameter
reference?
Step 2 On the Parameter List sheet, filter the Feature ID column. Click Text Filters and choose
Contains. Enter the feature ID, for example, FBFD-020100.
Step 3 Click OK. All parameters related to the feature are displayed.
----End
8 Counters
The following hyperlinked EXCEL files of performance counter reference match the software
version with which this document is released.
l Node Performance Counter Summary: contains device and transport counters.
l gNodeBFunction Performance Counter Summary: contains all counters related to radio
access functions, including air interface management, access control, mobility control,
and radio resource management.
NOTE
You can find the EXCEL files of performance counter reference for the software version used on the live
network from the product documentation delivered with that version.
FAQ: How do I find the counters related to a certain feature from performance counter
reference?
Step 2 On the Counter Summary(En) sheet, filter the Feature ID column. Click Text Filters and
choose Contains. Enter the feature ID, for example, FBFD-020100.
Step 3 Click OK. All counters related to the feature are displayed.
----End
9 Glossary
10 Reference Documents