
Dimetra IP 2006

System release 6.0

Volume 10:
Authentication, Encryption
and Provisioning

6802800U60-D
When printed by Motorola March 2007
Copyrights
The Motorola products described in this document may include copyrighted Motorola computer programs. Laws in the United States and other countries
preserve for Motorola certain exclusive rights for copyrighted computer programs. Accordingly, any copyrighted Motorola computer programs contained in
the Motorola products described in this document may not be copied or reproduced in any manner without the express written permission of Motorola.
Furthermore, the purchase of Motorola products shall not be deemed to grant either directly or by implication, estoppel or otherwise, any license under the
copyrights, patents or patent applications of Motorola, except for the normal nonexclusive, royalty-free license to use that arises by operation of law in the sale
of a product.
Disclaimer
Please note that certain features, facilities and capabilities described in this document may not be applicable to or licensed for use on a particular system, or
may be dependent upon the characteristics of a particular mobile subscriber unit or configuration of certain parameters. Please refer to your Motorola contact
for further information.
Trademarks
Motorola, the Motorola logo, and all other trademarks identified as such herein are trademarks of Motorola, Inc. All other product or service names are the
property of their respective owners.
Copyrights
© 2006 - 2007 Motorola, Inc. All rights reserved.
No part of this document may be reproduced, transmitted, stored in a retrieval system, or translated into any language or computer language, in any form or by
any means, without the prior written permission of Motorola, Inc.
CMM labeling and disclosure table

The People’s Republic of China requires that Motorola’s products comply with
China Management Methods (CMM) environmental regulations. (China
Management Methods refers to the regulation Management Methods for
Controlling Pollution by Electronic Information Products.) Two items are used to
demonstrate compliance; the label and the disclosure table.
The label is placed in a customer visible position on the product.
• Logo 1 means that the product contains no substances in excess of the
maximum concentration value for materials identified in the China
Management Methods regulation.
• Logo 2 means that the product may contain substances in excess of the
maximum concentration value for materials identified in the China
Management Methods regulation, and has an Environmental Friendly
Use Period (EFUP) in years, fifty years in the example shown.

Logo 1 Logo 2

The Environmental Friendly Use Period (EFUP) is the period (in years) during
which the Toxic and Hazardous Substances (T&HS) contained in the Electronic
Information Product (EIP) will not leak or mutate causing environmental pollution
or bodily injury from the use of the EIP. The EFUP indicated by the Logo 2 label
applies to a product and all its parts. Certain field-replaceable parts, such as
battery modules, can have a different EFUP and are marked separately.
The Disclosure Table is intended only to communicate compliance with China
requirements; it is not intended to communicate compliance with EU RoHS or any
other environmental requirements.



Dimetra IP System Release 6.0
System Documentation
Volume 1: Understanding your Dimetra IP System (6802800U51)
Volume 2: Fault Management (6802800U52)
Volume 3: Configuration Management (6802800U53)
• Booklet 3-1: Managing Zone Infrastructure
• Booklet 3-2: Managing Radio Users
• Booklet 3-3: Administering Servers, Controllers and Gateways
• Booklet 3-4: Managing Network Transport Equipment
• Booklet 3-5: Administering Databases
• Booklet 3-6: Feature Configuration
• Booklet 3-7: Fleetmap Management
Volume 4: Accounting Management (6802800U54)
Volume 5: Performance Management (6802800U55)
• Booklet 5-1: Monitoring System Performance
• Booklet 5-2: Managing Network Transport Equipment Performance
Volume 6: Security Management (6802800U56)
Volume 7: High Level Diagnostics and Troubleshooting (6802800U57)
Volume 8: Field Replaceable Units and Entities (6802800U58)
Volume 9: Installation and Configuration (6802800U59)
• Booklet 9-1: Master Site Hardware Installation
• Booklet 9-2: Master Site Software Installation
• Booklet 9-3: Network Transport Applications Installation and Configuration
Volume 10: Authentication, Encryption and Provisioning (6802800U60)
• Booklet 10-1: Authentication, Encryption and Provisioning - Installation and Configuration
• Booklet 10-2: Managing Authentication, Encryption and Provisioning
Volume 11: End-to-End Encryption and Secure Communications (6802800U61)

Security/Authentication Feature Manuals

• PCI Short Form Crypto Card Service Manual (6802700U92)
• PCI Crypto Card Upgrade Manual (6881132E24)
• KMF Crypto Card Instruction Manual (6881003Y85)
• Alias Integrated Solution (AIS) Feature Manual (6802800U66)
• MultiCADI Feature Manual (6802800U67)
• UCS Synchronisation Tool Manual (6802800U62)
• AUC Crypto Card Instruction Manual (6802800U71)
• End to End Encryption KVL3000 Plus User Guide (6802800U14)
• Air Interface Encryption KVL3000 Plus User Guide (6802800U15)
• Backup/Restore Collector Application User Guide (6802800U22)
• Network Security Feature Manual (6802800U70)
• Telephone Interconnect Feature Manual (6802800U65)
• KVL 3000 Plus Key Variable Loader Service Manual
• Provisioning Centre Users Manual
• Data Feature Manual
• MCC 7500 Feature Manual
6802800U69 6802800U64 6802800U68 6802800U40

Online Help

• Affiliation Display Online Help
• Application launcher Online Help
• Authentication Centre Online Help
• Performance Reports Online Help
• FullVision Online Help
• RCM Online Help
• RCM Reports Online Help
• Software Download Online Help
• UCM Online Help
• ZCM Online Help
• ZoneWatch Online Help
• System and Zone Profile Online Help
• KMF Online Help
• TESS Online Help

Service Information

EMEA Systems Support Centre (ESSC)

The EMEA Systems Support Centre provides a Technical Consulting service. This service is accessed via the Call
Management Centre.

Jays Close, Viables Industrial Estate
Basingstoke, Hampshire RG22 4PD,
United Kingdom
Contact via Call Management Centre
Telephone: +44 (0) 1256 484448
Email: ESSC@motorola.com

European Systems Component Centre (ESCC)

The European System Component Centre provides a repair service for infrastructure equipment, including the
MBTS. Customers requiring repair service should contact the Call Management Centre to obtain a Return
Authorisation number. The equipment should then be shipped to the following address unless advised otherwise.

Motorola GmbH CGISS
European Systems Component Centre
Am Borsigturm 130
13507 Berlin
Germany
Telephone: +49 (0) 30 66861414
Telefax: +49 (0) 30 66861426
E-Mail: ESCC@motorola.com

Parts Identification and Ordering

Request for help in identification of non-referenced spare parts should be directed to the Customer Care
Organization of Motorola’s local area representation. Orders for replacement parts, kits and assemblies should be
placed directly on Motorola’s local distribution organization or via the Extranet site Motorola Online at
https://emeaonline.motorola.com.

EMEA Test Equipment Support

Information related to support and service of Motorola Test Equipment is available by calling the Motorola Test
Equipment Service Group in Germany at +49 (0) 6128 702179, Telefax +49 (0) 6128 951046, through the
Customer Care Organization of Motorola’s local area representation, or via the Internet at
http://www.gd-decisionsystems.com/cte/.

Your Input
...is much appreciated. If you have any comments, corrections, suggestions or ideas for this publication or any
other requirements regarding Motorola publications, please send an e-mail to doc.emea@motorola.com.

Updated Versions of this Manual
...are available at our Extranet site Motorola Online. Contact us at doc.emea@motorola.com for access.
Document History

The following major changes have been implemented in this manual since the previous edition:

Edition Description Date


6802800U60-A Initial Edition Jun. 06
6802800U60-B • Booklet 1, Chapter 14: Paradyne sections removed Jul. 06
• Procedure 14–6 updated
6802800U60-C Booklet 1: Dec. 06
• In “Database Backup Files”, wrong statement on standby database
removed.
• Procedure “How to Configure Standby Database Using the AuC
Configuration Assistant” updated to distinguish between standby
and primary AuC.
• In “How to Start the AUC Service with the New User”, note about
updating AuC Service password added.
6802800U60-D Booklet 1: Hardware replacement of HP xw4300 PC to HP xw4400 PC. Mar. 07

CONTENTS

Volume 10: Authentication, Encryption and Provisioning

Booklet 1: Authentication, Encryption and Provisioning - Installation and Configuration
Icon Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg -xl

Chapter 1: Authentication Centre and Provisioning Centre Overview


AuC and PrC Description and System Diagram . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 1-1
Authentication Server Configuration Versions . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 1-3
AuC - Equipment Rack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 1-3
AuC Cable Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 1-5
AC Power Input Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 1-5
AuC Crypto Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 1-5

Chapter 2: AuC Hardware Installation and Configuration


AuC Hardware Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-1
General Hardware Installation Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-3
Equipment Inspection and Inventory . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-3
Environmental Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-3
Placement Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-3
Weight Distribution within a Rack . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-4
Rack Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-4
Cabling Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-4
General Safety Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-5
General Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-5
Human Exposure Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-6
Static Sensitive Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-7
Electrostatic Discharge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-8
AuC Hardware Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-9
AuC Hardware Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-10
Restoring the Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-10
HP Firmware Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-10
AuC ROM Based Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-11
RAID Configuration for AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-12
Installing Network Security Software . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 2-12

Chapter 3: AuC Software Installation and Uninstallation


Software Preinstallation Requirements and Considerations . . . . . . . . . . . . . . . . . bk 10-1 pg 3-1


Installing the AuC Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 3-2


Installing the AuC Client Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 3-6
Uninstalling the AuC Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 3-6
Uninstalling the AuC Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 3-7
Uninstalling the AuC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 3-7
Uninstalling the AuC Database Manually . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 3-9

Chapter 4: System, Master, and Unique Key Encryption Keys and KVL Configuration

Changing System and Master Keys in an Existing System . . . . . . . . . . . . . . . . . bk 10-1 pg 4-2
System Key Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 4-3
Master Key Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 4-3
Unique Key Encryption Key Configuration . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 4-4
Other KVL Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 4-5
AuC Communications (Comm) Key . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 4-6
AuC Hosts File Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 4-6

Chapter 5: Primary and Standby AuC Configuration


Initial AuC Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-1
AuC Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-3
IP Settings Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-3
NM Settings Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-4
Standby Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-4
Standby AuC IP Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-10
Activating the Standby Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-11

Chapter 6: AuC Database Backup and Restore


Backup Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-1
Verifying if the Database is in Archive Log Mode . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-2
Preparations for Storing Backup Files on a Remote Computer . . . . . . . . . . . . . . . bk 10-1 pg 6-3
Creating a New User on a Remote Computer . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-3
Creating a Shared Backup Folder on a Remote Computer . . . . . . . . . . . . . . . bk 10-1 pg 6-3
Starting the AuC Service with the New User . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-4
Performing Database Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-5
Database Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-5
Restoring the AuC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-5
Restarting the Restored AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-8
Cleaning up the AuC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-9

Chapter 7: PrC Hardware


PrC Hardware Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 7-1

Chapter 8: PrC Software Installation and Uninstallation


Before Beginning the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 8-1
Installing the PrC Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 8-2
Uninstalling the PrC Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 8-3

Chapter 9: PrC Database Backup and Restore


Database Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-1
Configuring the PrC Database for Hot Backups . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-1


Performing the Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-3


Database Backup files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-4
Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-5
Restoring the PrC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-5
Database Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-6
Restarting the PrC Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-7
Ensuring the PrC Service is not Running . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-8
Cleaning up the PrC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-8

Chapter 10: Troubleshooting the AuC


Basic Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-1
Common AuC Start-Up Error Messages . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-2
AuC Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-2
Worst case AuC Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-7
Scenarios when Performing Key Updates . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-8
Scenario 1 (Nationwide and Single Cluster). . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-9
Scenario 2 (Nationwide and Single Cluster). . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-9
Scenario 3 (Nationwide only) . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-10
Scenario 4 (Nationwide and Single Cluster). . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-11
Scenario 5 (Nationwide only) . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-11
Scenario 6 (Nationwide and Single Cluster). . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-12
Scenario 7 (Nationwide & Single Cluster) . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-13
Scenario 8 (Nationwide Only) . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-14
Scenario 9 (KEKz) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-14
Scenario 10 (KEKz). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-15
Scenario 11 (KEKz). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-16
Scenario 12 (KEKz). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-17
Scenario 13 (Authentication Material) . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-17
Manual SCK Map Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-18
Adding a New AuC to an Existing Nationwide System . . . . . . . . . . . . . bk 10-1 pg 10-18
How to Restart the AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-18
Troubleshooting Standby AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-19
Site and System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-20
Key Distribution Failure. . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-20
Key Distributions do not Complete. . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-21
AuC Client Appears to Hang. . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-22
Follow-Up Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-22
KVL Download or Upload Fails on AuC . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-22
Follow-Up Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-23
Site Does Not Take Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-23
Follow-Up Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-23
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-24
SCK/CCK NACKs (KEK not present, Decryption Failure) Handled Incorrectly . . . . bk 10-1 pg 10-24
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-25
Have to Reset AuC if Previous KVL Download Fails During Ki Provisioning . . . . . bk 10-1 pg 10-25
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-25
AuC Client does not Update Zone Object after Receipt of Authentication Material Decryption Failure NACK . . . . . . . . . . bk 10-1 pg 10-25
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-25
SCK Crypto Schedule doesn’t Notify User When Next Active SCK Not Set . . . . . . bk 10-1 pg 10-25
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-26
AuC Reports 127.0.0.1 to FullVision if Ethernet Cable Disconnected . . . . . . . . . bk 10-1 pg 10-26
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-26
MNI Change During Key Distribution Should Stop Distribution . . . . . . . . . . . bk 10-1 pg 10-26


Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-26


Multiple Key Type Distributions May Cause AuC Application Deadlock . . . . . . . bk 10-1 pg 10-27
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-27
Add New Site, AuC Distributes KEKz and then Waits One Hour to Send SCK . . . . bk 10-1 pg 10-27
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-27
Wrong or Incomplete NM Connection Checks to Start KEKz/SCK/CCK Updates . . . bk 10-1 pg 10-27
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-27
Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-28
Remote AuC Clients not Updated/Informed of Server State Changes . . . . . . . . . bk 10-1 pg 10-28
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-28

Chapter 11: Troubleshooting the PrC


Common PrC Client Start-Up Error Messages . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 11-1
PrC Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 11-2
PrC Worst Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 11-4
How to Restart the PrC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 11-5

Chapter 12: Handling Compromised Units


Temporary Disabling/Enabling a Subscriber Mobile Station . . . . . . . . . . . . . . . bk 10-1 pg 12-1

Chapter 13: Authentication Centre Field Replaceable Units


Authentication Centre Field Replaceable Units . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 13-1
Authentication Centre Periodic Maintenance Inspection . . . . . . . . . . . . . . . . . bk 10-1 pg 13-2

Chapter 14: Setup Procedures for External Modems


Windows® Setup for MultiTech MT5634ZBA Modem . . . . . . . . . . . . . . . . . . bk 10-1 pg 14-1
Configuring the AuC/PrC to Work with a Modem . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 14-3
Configuring the KVL to Operate with the Modem Option . . . . . . . . . . . . . . . . bk 10-1 pg 14-3

Booklet 2: Managing Authentication, Encryption and Provisioning


Icon Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 14-xxvi

Chapter 1: Authentication and Air Interface Encryption Overview


Authentication and Air Interface Encryption Functionality . . . . . . . . . . . . . . . . . bk 10-2 pg 1-1
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-1
Explicit Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-2
Implicit Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-3
Air Interface Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-3
DCK Air Interface Encryption (Security Class 3) . . . . . . . . . . . . . . . . . bk 10-2 pg 1-4
SCK Air Interface Encryption (Security Class 2) . . . . . . . . . . . . . . . . . bk 10-2 pg 1-5
No AI Encryption (Security Class 1) . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-6
Security Class and Air Interface Encryption Key Changes . . . . . . . . . . . . . bk 10-2 pg 1-6
Authentication and Air Interface Encryption Key Management . . . . . . . . . . . . . . . bk 10-2 pg 1-7
Key Management in Non–Nationwide Systems . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-7
Key Management in Nationwide Systems . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-8
Key Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-8
System Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-9
Subscriber Mobile Stations . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-13
Key Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-13
Key Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-14


Chapter 2: Authentication and Air Interface Encryption Configuration


Configuring Authentication and Air Interface Encryption Operation. . . . . . . . . . . . . bk 10-2 pg 2-1
System Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-3
EBTS Site Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-8
Configuring Devices for Authentication and Air Interface Encryption . . . . . . . . . . . bk 10-2 pg 2-15
Radio Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-15
KVL Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-17

Chapter 3: Introduction to Authentication Centre


AuC, PrC and AIE Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-2
Authentication Centre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-4
What is the Authentication Centre? . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-4
Authentication Centre Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-5
Automatic Detection of Network Problems . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-6
Authentication Centre Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-6
Authentication Centre Database . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-6
Implementing Your Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-7
Planning Your Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-7
Technical Implementation Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-7
First Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-8
Starting the Authentication Centre Client Application . . . . . . . . . . . . . . . . . bk 10-2 pg 3-8
Changing a User Account Password . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-11
Verifying Authentication Centre Status . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-12
Displaying Key and Entity Information . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-13
Logging out of the Authentication Centre Client Application . . . . . . . . . . . . . bk 10-2 pg 3-14
The Main Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-15
Authentication Centre Main Window Structure . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-15
The Work Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-16
The Events Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-19
The Status Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-20
The Menu Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-22
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-22
Using Context Sensitive Help . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-23
Using Full Text Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-23

Chapter 4: Authentication and Air Interface Encryption Key Management


Entity Status and Key Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-1
Viewing Mobile Station Key Information . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-2
Generating Mobile Station (MS) Report . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-5
Viewing a List of Unmatched K-REF Pairs . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-6
Generating an Unmatched K-Ref Pairs Report. . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-8
Viewing Zone Status and Key Information . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-10
Viewing BTS Site Status and Key Information . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-12
Viewing UCS Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-14
Viewing KVL Key Information and Status . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-15
Entering and Modifying Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-17
Entering K-REF Pairs into the Authentication Centre . . . . . . . . . . . . . . . . bk 10-2 pg 4-17
Importing a K-REF Pair File into the Authentication Centre . . . . . . . . . . . . . bk 10-2 pg 4-20
Importing a SCK-TMO Key File into the Authentication Centre . . . . . . . . . . . bk 10-2 pg 4-21
Modifying an SCK-TMO Key in the Authentication Centre . . . . . . . . . . . . . bk 10-2 pg 4-25
Setting the Next Active SCK-TMO Key . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-27
Entering the AuC Communications Key . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-30
Entering a Dimetra Distribution Key . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-32


Entering a UKEK Key for a KVL Device . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-33


Key Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-35
Provisioning Zone or BTS Site Entity with an Infrastructure Key . . . . . . . . . . . bk 10-2 pg 4-36
Loading an Infrastructure Key (Ki) to a BTS Site Entity . . . . . . . . . . . . . bk 10-2 pg 4-36
Reprovisioning Zone or BTS Site Entity with an Existing Infrastructure Key . . . . . bk 10-2 pg 4-38
Refreshing a Ki for Selected Zone or BTS Site Entity . . . . . . . . . . . . . . bk 10-2 pg 4-39
Reprovisioning Zone or BTS Site Entity with a New Infrastructure Key . . . . . . . . bk 10-2 pg 4-41
Updating a Ki Key for a Zone or BTS Site Entity . . . . . . . . . . . . . . . . bk 10-2 pg 4-42
Clearing an Infrastructure Key from a Zone or BTS Site Entity . . . . . . . . . . . . bk 10-2 pg 4-43
Scheduling Key Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-44
Performing Immediate Key Updates . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-47
Assigning New Authentication Material for a Mobile Station . . . . . . . . . . . . . bk 10-2 pg 4-49
Enabling and Disabling Key Updates . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-52
Enabling/Disabling Key Updates for a Mobile Station . . . . . . . . . . . . . . . . bk 10-2 pg 4-52
Enabling/Disabling Key Updates for a Zone. . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-56
Enabling/Disabling Key Updates for an EBTS Site . . . . . . . . . . . . . . . . . bk 10-2 pg 4-57
Enabling/Disabling Key Updates By Key Type . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-59
Enabling/Disabling KVL Access to the Authentication Centre . . . . . . . . . . . . bk 10-2 pg 4-62

Chapter 5: Nationwide AuC Configuration


Viewing AuC Connection Information and Status . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-2
Nationwide AuC System Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-7
Configuring Nationwide Master AuC . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-8
Configuring Nationwide Slave AuC . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-10
Rejected Key Update Event Log Messages . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-13
Key Updates in the Nationwide System . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-13
Slave AuCs Reconfiguration in the Nationwide System . . . . . . . . . . . . . . . . . bk 10-2 pg 5-15
Adding a New Slave AuC to the Nationwide System . . . . . . . . . . . . . . . . bk 10-2 pg 5-15
Changing Expected Slave AuC. . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-16
Removing Expected Slave AuC . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-16
Removing Slave AuC from the Nationwide System . . . . . . . . . . . . . . . . . bk 10-2 pg 5-17
Returning to the Single Cluster Mode . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-17
Nationwide AuC System Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-18
Connecting Slave AuC to Another Master . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-18
Changing Master in the Nationwide System . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-19

Chapter 6: Events Pane


Viewing Authentication Centre Server Events . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 6-1
Removing Authentication Centre Events . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 6-2

Chapter 7: Audit Trail


Viewing an Event Audit Trail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-1
Removing Audit Trail Data from the Database. . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-4

Chapter 8: User Management


Creating an AuC User Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 8-1
Modifying an AuC User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 8-4
Deleting an AuC User Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 8-5

Chapter 9: System Management


Configuring Authentication Centre Operation Settings . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-2


The KVL Port Settings Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-2


The Miscellaneous Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-3
The User Settings Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-4
The Standby Settings Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-6
Turning Standby Connection Monitoring On . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-6
Turning Standby Connection Monitoring Off . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-9
Viewing Encryption Device Status . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-10
Loading a Master Key into an Encryption Device . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-12
Changing Authentication Centre Operating State . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-16
Scheduling Authentication Centre Database Backups . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-16
Starting a Manual Authentication Centre Database Backup . . . . . . . . . . . . . . . . bk 10-2 pg 9-18
Updating CCK Version after a Database Restore . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-19
Creating Standby Status Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-21
Viewing Authentication Centre Version Information . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-23

Chapter 10: FAQ


Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-1
How are Keys Provisioned in the Dimetra IP System? . . . . . . . . . . . . . . . . bk 10-2 pg 10-2
How are Keys Stored in the Dimetra IP System? . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-2
How are Keys Updated in the Dimetra IP System?. . . . . . . . . . . . . . . . . . bk 10-2 pg 10-2
What Do I Do if a Key is not Current? . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-2
When Should I Perform an Audit Trail Search? . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-3
Key Update Stages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-3
Mobile Stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-4
What Do I Do if a K-REF Pair is Unmatched?. . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-4
When Should I Delete Unmatched K-REF Pairs? . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-4
General Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-5
How to Trigger Full Synchronization with the UCS . . . . . . . . . . . . . . . . . bk 10-2 pg 10-5
How to Trigger Full Synchronization with the ZDS . . . . . . . . . . . . . . . . . bk 10-2 pg 10-6
How to Resolve the Error ’Licence Limit Exceeded’? . . . . . . . . . . . . . . . . bk 10-2 pg 10-7
What Happens if a Key Update Fails? . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-8
What Do I Do if the Database Fails? . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-8
What Do I Do if an Encryption Device Fails? . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-8
What Do I Do if I get an Error Message when Starting the Client? . . . . . . . . . . bk 10-2 pg 10-8

Chapter 11: Screen Reference


Main Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-1
AuC Comm Key (Communication Key) . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-1
AuC Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-2
AuC Net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-4
Audit Search and Purge Form . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-5
Audit Trail Information Display . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-6
DDK (Dimetra Distribution Key). . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-6
EBTS Site Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-7
Events Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-8
General Network Information . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-9
K-REF Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-10
Key Database Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-12
Key Schedule Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-13
Key Schedules Selection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-14
Key Status tree view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-15
KVL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-16
KVL Status list view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-17
Mobile Stations List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-17


Mobile Stations Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-19


SCK-Trunked Mode Operation Information . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-20
Security Group Selection Tree View . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-21
UCS Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-21
User Account Selection tree view . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-22
User Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-23
Zone Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-25
Secondary Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-26
Add User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-26
AuC Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-28
AuC Database Backup Schedule Dialog Box . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-29
AuC Database Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-30
Change Password Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-31
Encryption Devices Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-32
Key Update Lock Details Information Box . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-33
Key Update Lock Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-34
KVL UKEK Assignment Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-34
Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-35
Miscellaneous Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-36
Modify Schedule Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-37
Port Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-38
Purge Audit Trail Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-39
SCK-TMO Modify Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-39
Standby Settings Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-40
Update Common Cipher Key (CCK) Version . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-41
User Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-43
Main Menu Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-44

Appendix A: TETRA/Dimetra Glossary



List of Figures

Volume 10: Authentication, Encryption and Provisioning

Booklet 1: Authentication, Encryption and Provisioning - Installation and Configuration
Figure 1-1: The AuC and PrC System Diagram . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 1-2
Figure 1-2: The AuC Equipment Rack . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 1-4
Figure 9-1: The Provisioning Centre Login Dialog Box . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-2
Figure 9-2: The PrC Main Client Window. . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-2
Figure 9-3: The PrC Database Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-3
Figure 9-4: The Start PrC Database Backup Dialog Box . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-4
Figure 9-5: The Status Bar During Database Backup . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-4
Figure 9-6: The Services Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-7
Figure 10-1: Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-9
Figure 10-2: Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-10
Figure 10-3: Scenario 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-10
Figure 10-4: Scenario 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-11
Figure 10-5: Scenario 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-11
Figure 10-6: Scenario 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-12
Figure 10-7: Scenario 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-13
Figure 10-8: Scenario 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-14
Figure 10-9: Scenario 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-15
Figure 10-10: Scenario 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-16
Figure 10-11: Scenario 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-17
Figure 12-1: The NT Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 12-2
Figure 12-2: Example of Zone Applications in the Application Launcher . . . . . . . . . bk 10-1 pg 12-2
Figure 12-3: The Radio Control Manager Window. . . . . . . . . . . . . . . . . . . . bk 10-1 pg 12-3
Figure 12-4: The Radio Commands Dialog Box . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 12-3
Figure 12-5: The Command Monitor Window Pane . . . . . . . . . . . . . . . . . . . bk 10-1 pg 12-4

Booklet 2: Managing Authentication, Encryption and Provisioning


Figure 1-1: Explicit Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-2
Figure 1-2: Air Interface Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-4
Figure 1-3: Security Class 3 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-5
Figure 1-4: Security Class 2 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-6
Figure 1-5: AuC in a Non-Nationwide Dimetra IP system . . . . . . . . . . . . . . . . . bk 10-2 pg 1-8
Figure 1-6: AuC in a Nationwide Dimetra IP system . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-8
Figure 1-7: Infrastructure Key (Ki) distribution . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-10
Figure 1-8: Key Encryption Key (KEK) distribution . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-11
Figure 1-9: Authentication Material Distribution . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-11


Figure 1-10: Common Cipher Key (CCK)/Static Cipher Key–Trunked Mode Operation (SCK-TMO) key distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-12
Figure 1-11: Derived Cipher Key (DCK) key distribution . . . . . . . . . . . . . . . . bk 10-2 pg 1-12
Figure 2-1: PRNM Suite Application Launcher Window . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-3
Figure 2-2: User Configuration Manager Window . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-4
Figure 2-3: Open System Object Configuration Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 2-5
Figure 2-4: System Object Configuration Dialog Box . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-6
Figure 2-5: System Object Security Parameters . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-7
Figure 2-6: PRNM Suite Application Launcher Window . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-9
Figure 2-7: Zone Applications in PRNM Suite Application Launcher Window. . . . . . . . bk 10-2 pg 2-9
Figure 2-8: Zone Configuration Manager — Zone Object . . . . . . . . . . . . . . . . bk 10-2 pg 2-10
Figure 2-9: Zone Configuration Manager — EBTS Site Object . . . . . . . . . . . . . . bk 10-2 pg 2-11
Figure 2-10: Zone Configuration Manager — Open EBTS Site Object . . . . . . . . . . bk 10-2 pg 2-12
Figure 2-11: Zone Configuration Manager — EBTS Authentication tab . . . . . . . . . . bk 10-2 pg 2-13
Figure 2-12: User Configuration Manager — Radio Object. . . . . . . . . . . . . . . . bk 10-2 pg 2-16
Figure 2-13: Radio Object Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-17
Figure 2-14: User Configuration Manager — KVL Object . . . . . . . . . . . . . . . . bk 10-2 pg 2-18
Figure 2-15: KVL Object Dialog Box — Basic Tab . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-19
Figure 2-16: KVL Object Dialog Box — Configuration Tab . . . . . . . . . . . . . . . bk 10-2 pg 2-19
Figure 3-1: The Nationwide Only Icon . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-1
Figure 3-2: AuC and PrC System Diagram . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-3
Figure 3-3: AuC in the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-5
Figure 3-4: The Reconnecting Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-6
Figure 3-5: The AuC Splash Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-9
Figure 3-6: The Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-9
Figure 3-7: The AuC Main Window . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-10
Figure 3-8: The Change Password Dialog Box . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-11
Figure 3-9: The Main Window Status Bar . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-12
Figure 3-10: UCS Status and Version Information . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-13
Figure 3-11: Zone/EBTS Key and Status Information . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-14
Figure 3-12: The Exit Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-14
Figure 3-13: The AuC Main Window . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-15
Figure 3-14: The Work Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-16
Figure 3-15: The Events Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-19
Figure 3-16: The Status Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-20
Figure 3-17: The Menu Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-22
Figure 4-1: The Mobile Stations Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-3
Figure 4-2: The Mobile Station Search Form . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-4
Figure 4-3: The Mobile Stations List . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-4
Figure 4-4: Mobile Stations Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-5
Figure 4-5: Mobile Stations List Export Progress . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-5
Figure 4-6: The Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-6
Figure 4-7: The Delete Unmatched K-REF Pair Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 4-7
Figure 4-8: The Delete All Unmatched K-REF Pairs Dialog Box . . . . . . . . . . . . . . bk 10-2 pg 4-7
Figure 4-9: The Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-8
Figure 4-10: The Save Unmatched K-REF Pairs Report Dialog Box . . . . . . . . . . . . bk 10-2 pg 4-9
Figure 4-11: The Save Unmatched K-REF Pairs Report Confirmation Dialog Box . . . . . . bk 10-2 pg 4-9
Figure 4-12: Unmatched K-REF Pairs Report Completed . . . . . . . . . . . . . . . . . bk 10-2 pg 4-9
Figure 4-13: The Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-11
Figure 4-14: The Zone Information Display . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-12
Figure 4-15: The BTS Site Information Display . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-13
Figure 4-16: The UCS Status and Version Information . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-15
Figure 4-17: The KVLs Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-16
Figure 4-18: Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-18
Figure 4-19: K-REF Pairs Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-19


Figure 4-20: Duplicate Ref in K-REF Pair . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-19


Figure 4-21: Import Keys from File Dialog Box . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-21
Figure 4-22: Import Key Confirmation Dialog Box . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-21
Figure 4-23: Key File Scanning Status Alert Box . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-21
Figure 4-24: Key Database Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-22
Figure 4-25: SCK-Trunked Mode Operation Display. . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-23
Figure 4-26: Import Keys Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-23
Figure 4-27: Import Key Confirmation Dialog Box . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-24
Figure 4-28: Key File Scanning Status Alert Box . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-24
Figure 4-29: Key Database Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-25
Figure 4-30: SCK-Trunked Mode Operation display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-26
Figure 4-31: Modify SCK Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-26
Figure 4-32: Key Database Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-28
Figure 4-33: SCK-Trunked Mode Operation display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-29
Figure 4-34: Change Next Active SCK Number Dialog Box . . . . . . . . . . . . . . . bk 10-2 pg 4-29
Figure 4-35: Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-30
Figure 4-36: AuC CommKey Information Display. . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-31
Figure 4-37: Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-32
Figure 4-38: DDK Information Display . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-33
Figure 4-39: KVLs Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-34
Figure 4-40: UKEK Key Assignment Dialog Box . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-34
Figure 4-41: Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-39
Figure 4-42: Zones Tabbed Pane, Refresh Ki . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-40
Figure 4-43: Refresh Ki Information . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-40
Figure 4-44: Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-42
Figure 4-45: Zones Tabbed Pane, Update Ki . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-43
Figure 4-46: Update Ki Information . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-43
Figure 4-47: Key Schedules Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-45
Figure 4-48: Key Schedule Information display . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-46
Figure 4-49: SCK-TMO Modify Schedule Dialog Box . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-46
Figure 4-50: Key Schedules Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-48
Figure 4-51: Start Update Now Dialog Box . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-49
Figure 4-52: Key Update Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-49
Figure 4-53: Mobile Stations Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-50
Figure 4-54: Mobile Station Search Form . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-51
Figure 4-55: Mobile Stations List. . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-51
Figure 4-56: Update Authentication Material Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 4-52
Figure 4-57: Mobile Stations Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-53
Figure 4-58: Mobile Station Search Form . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-54
Figure 4-59: Mobile Stations List. . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-55
Figure 4-60: Disable Mobile Station Dialog Box . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-55
Figure 4-61: Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-56
Figure 4-62: Disable Key Updates Button . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-57
Figure 4-63: Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-58
Figure 4-64: Disable Key Updates Button . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-59
Figure 4-65: Key Schedules Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-60
Figure 4-66: SCK-TMO Modify Schedule Dialog Box . . . . . . . . . . . . . . . . . bk 10-2 pg 4-61
Figure 4-67: KVLs Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-62
Figure 4-68: Deny Access to KVL Dialog Box . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-63
Figure 5-1: AuC Connectivity Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-3
Figure 5-2: AuC Net Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-4
Figure 5-3: General Network Information Display . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-5
Figure 5-4: AuC Connection Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-8
Figure 5-5: Expected AuC Slave in AuC Net Structure Display . . . . . . . . . . . . . . . bk 10-2 pg 5-9
Figure 5-6: Connected AuC Slave in AuC Net Window . . . . . . . . . . . . . . . . . bk 10-2 pg 5-10


Figure 5-7: AuC Connection Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-11


Figure 5-8: AuC Master Connecting . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-11
Figure 5-9: AuC Master Connected . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-12
Figure 5-10: AuC Master Unknown . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-19
Figure 6-1: Events Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 6-2
Figure 6-2: Events Pane Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 6-3
Figure 6-3: Remove All Events Confirmation Dialog Box . . . . . . . . . . . . . . . . . bk 10-2 pg 6-3
Figure 7-1: Audit Trail Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-2
Figure 7-2: Audit Trail Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-3
Figure 7-3: Audit Trail Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-4
Figure 7-4: Audit Trail Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-5
Figure 7-5: Audit Trail Purge Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-5
Figure 7-6: Audit Trail Purge in Progress . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-6
Figure 7-7: Audit Trail Purge Completed . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-6
Figure 8-1: User Management Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 8-2
Figure 8-2: Add User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 8-2
Figure 8-3: User Management Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 8-4
Figure 8-4: User Management Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 8-5
Figure 8-5: Delete User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 8-5
Figure 9-1: Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-2
Figure 9-2: Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-3
Figure 9-3: Miscellaneous Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-4
Figure 9-4: Debug Log Enabled Information . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-4
Figure 9-5: Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-5
Figure 9-6: User Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-5
Figure 9-7: Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-7
Figure 9-8: Standby Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-7
Figure 9-9: Monitor Standby Status Turned On . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-8
Figure 9-10: Settings Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-9
Figure 9-11: Monitor Standby Status Turned On . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-9
Figure 9-12: Monitor Standby Status Turned Off . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-10
Figure 9-13: Encryption Device Dialog Box. . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-11
Figure 9-14: Encryption Device Dialog Box. . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-13
Figure 9-15: Load Master Key First Time . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-14
Figure 9-16: Load Master Key Step 1 . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-14
Figure 9-17: Load Master Key Step 2 . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-14
Figure 9-18: Load Master Key Step 3 . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-15
Figure 9-19: Load Master Key Step 4 . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-15
Figure 9-20: AuC Database Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-17
Figure 9-21: AuC Database Backup Schedule Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 9-17
Figure 9-22: AuC Database Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-18
Figure 9-23: Start AuC Database Backup Confirmation . . . . . . . . . . . . . . . . . bk 10-2 pg 9-18
Figure 9-24: Update CCK Version Display . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-19
Figure 9-25: Save Standby Status Report Dialog Box . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-22
Figure 9-26: Save Standby Status Report Progress . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-23
Figure 9-27: About Authentication Centre Window . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-23
Figure 10-1: Full Synchronization with UCS . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-6
Figure 10-2: Full Synchronization with ZDS . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-7
Figure 11-1: AuC Comm Key (Communication Key) Display . . . . . . . . . . . . . . bk 10-2 pg 11-1
Figure 11-2: AuC Connectivity display . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-2
Figure 11-3: AuC Net Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-4
Figure 11-4: Audit Search & Purge Form . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-5
Figure 11-5: DDK Information display . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-6
Figure 11-6: EBTS Site Information display. . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-7
Figure 11-7: Events Information display . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-8


Figure 11-8: General Network Information Display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-9


Figure 11-9: K-REF Pairs Information display. . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-10
Figure 11-10: Key Database Selection display . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-12
Figure 11-11: Key Schedule Information Display . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-13
Figure 11-12: Key Schedules Selection display . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-14
Figure 11-13: Key Status tree view display . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-15
Figure 11-14: KVL Information display. . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-16
Figure 11-15: Key Status list view display . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-17
Figure 11-16: Mobile Stations List Display . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-17
Figure 11-17: Mobile Stations Search Display . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-19
Figure 11-18: SCK-Trunked Mode Operation Information display . . . . . . . . . . . . bk 10-2 pg 11-20
Figure 11-19: Security Group Selection Tree View. . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-21
Figure 11-20: UCS Information display . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-21
Figure 11-21: User Account Selection display . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-22
Figure 11-22: User Information display . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-23
Figure 11-23: Zone Information display. . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-25
Figure 11-24: Add User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-26
Figure 11-25: Set Expected Slave Dialog Box . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-28
Figure 11-26: Connect to Master AuC Dialog Box . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-28
Figure 11-27: AuC Database Backup Schedule Display . . . . . . . . . . . . . . . . . bk 10-2 pg 11-29
Figure 11-28: AuC Database Display . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-30
Figure 11-29: Change Password Dialog Box . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-31
Figure 11-30: Encryption Devices Dialog Box. . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-32
Figure 11-31: Key Update Lock Details Information Box . . . . . . . . . . . . . . . . bk 10-2 pg 11-33
Figure 11-32: Key Update Lock Dialog Box . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-34
Figure 11-33: KVL UKEK Assignment Dialog Box . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-34
Figure 11-34: AuC Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-35
Figure 11-35: Miscellaneous Settings Dialog Box . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-36
Figure 11-36: Modify Schedule display . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-37
Figure 11-37: Port Settings Display. . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-38
Figure 11-38: Purge Audit Trail Dialog Box. . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-39
Figure 11-39: SCK-TMO Modify Dialog Box . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-39
Figure 11-40: Standby Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-40
Figure 11-41: Update CCK Version display . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-41
Figure 11-42: User Settings Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-43

List Of Tables

Volume 10: Authentication, Encryption and Provisioning

Booklet 1: Authentication, Encryption and Provisioning - Installation and Configuration

Table 10-1: Common Client Startup Error Messages and Descriptions . . . . . . . . . . bk 10-1 pg 10-2
Table 10-2: Troubleshooting the AuC . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-2
Table 10-3: AuC Worst-Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-7
Table 10-4: Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-9
Table 10-5: Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-10
Table 10-6: Scenario 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-10
Table 10-7: Scenario 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-11
Table 10-8: Scenario 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-11
Table 10-9: Scenario 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-12
Table 10-10: Scenario 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-13
Table 10-11: Scenario 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-14
Table 10-12: Scenario 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-15
Table 10-13: Scenario 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-16
Table 10-14: Scenario 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-17
Table 10-15: Troubleshooting Standby AuC . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-19
Table 11-1: Common PrC Client Start-Up Error Messages and Descriptions . . . . . . . . bk 10-1 pg 11-1
Table 11-2: Troubleshooting the PrC . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 11-2
Table 11-3: PrC Worst Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 11-4
Table 13-1: Authentication Centre FRUs . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 13-1
Table 13-2: Authentication Centre Periodic Maintenance Inspection . . . . . . . . . . . bk 10-1 pg 13-2

Booklet 2: Managing Authentication, Encryption and Provisioning


Table 1-1: Recommended Key Update Periods . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 1-14
Table 1-2: Encryption Keys and their Source Materials. . . . . . . . . . . . . . . . . . bk 10-2 pg 1-15
Table 2-1: Air Interface Encryption and Authentication Feature Operational Mode Settings . . bk 10-2 pg 2-1
Table 3-1: Security Planning Questions . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-7
Table 3-2: Procedures and Screen References Related to Tabs . . . . . . . . . . . . . . bk 10-2 pg 3-17
Table 3-3: Authentication Centre (AuC) States of Operation . . . . . . . . . . . . . . . bk 10-2 pg 3-20
Table 3-4: AuC Connection Status Icons . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-21
Table 3-5: Standby Database Connection States . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-21
Table 3-6: Using Context Sensitive Help . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-23
Table 5-1: Rejected Key Update Event Log Messages . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-13
Table 10-1: Overview: FAQ Section . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-1
Table 10-2: Key Update Stages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-3
Table 10-3: Common Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 10-8
Table 11-1: Fields in the AuC Comm Key (Communication Key) Display . . . . . . . . . bk 10-2 pg 11-1
Table 11-2: Buttons in the AuC Comm Key (Communication Key) Display . . . . . . . . bk 10-2 pg 11-2
Table 11-3: Fields in the AuC Connectivity Information Display . . . . . . . . . . . . . bk 10-2 pg 11-2
Table 11-4: AuC Server Status Information and Icons . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-4
Table 11-5: Fields in the Audit Search & Purge Form display. . . . . . . . . . . . . . . bk 10-2 pg 11-5
Table 11-6: Buttons in the Audit Search & Purge Form display . . . . . . . . . . . . . . bk 10-2 pg 11-5
Table 11-7: Fields in the Audit Trail Information display . . . . . . . . . . . . . . . . . bk 10-2 pg 11-6
Table 11-8: Fields in the DDK Information display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-6
Table 11-9: Buttons in the DDK Information display. . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-7
Table 11-10: Fields in the EBTS Site Information display . . . . . . . . . . . . . . . . bk 10-2 pg 11-7
Table 11-11: Buttons in the EBTS Site Information display . . . . . . . . . . . . . . . . bk 10-2 pg 11-8
Table 11-12: Fields in the Events Information display . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-8
Table 11-13: Buttons in the Events Information display . . . . . . . . . . . . . . . . . bk 10-2 pg 11-8
Table 11-14: Fields in the General Network Information Display . . . . . . . . . . . . . bk 10-2 pg 11-9
Table 11-15: Fields in the K-REF Pairs Information display . . . . . . . . . . . . . . . bk 10-2 pg 11-11
Table 11-16: Buttons in the K-REF Pairs Information display. . . . . . . . . . . . . . . bk 10-2 pg 11-11
Table 11-17: Fields in the Key Database Selection display . . . . . . . . . . . . . . . . bk 10-2 pg 11-12
Table 11-18: Fields in the Key Schedule Information Display. . . . . . . . . . . . . . . bk 10-2 pg 11-13
Table 11-19: Buttons in the Key Schedule Information Display . . . . . . . . . . . . . . bk 10-2 pg 11-13
Table 11-20: Fields in the Key Update Selection display . . . . . . . . . . . . . . . . . bk 10-2 pg 11-14
Table 11-21: Key Status Icons (Zones and BTS sites) . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-15
Table 11-22: Fields in the KVL Information display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-16
Table 11-23: Buttons in the KVL Information display . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-16
Table 11-24: Key Status Icons (KVLs) . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-17
Table 11-25: Fields in the Mobile Stations List display . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-18
Table 11-26: Buttons in the Mobile Stations List display . . . . . . . . . . . . . . . . . bk 10-2 pg 11-18
Table 11-27: Fields in the Mobile Stations Search display . . . . . . . . . . . . . . . . bk 10-2 pg 11-19
Table 11-28: Buttons in the Mobile Stations Search display . . . . . . . . . . . . . . . bk 10-2 pg 11-20
Table 11-29: Fields in the SCK-Trunked Mode Operation Information display . . . . . . . bk 10-2 pg 11-20
Table 11-30: Buttons in the SCK-Trunked Mode Operation Information display . . . . . . bk 10-2 pg 11-21
Table 11-31: Fields in the UCS Information display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-22
Table 11-32: Buttons in the UCS Information display . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-22
Table 11-33: Fields in the User Information display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-23
Table 11-34: Access Permissions for AuC users . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-24
Table 11-35: Buttons in the User Information display . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-24
Table 11-36: Fields in the Zone Information display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-25
Table 11-37: Buttons in the Zone Information display . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-25
Table 11-38: Fields in the Add User Dialog Box . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-26
Table 11-39: Access Permissions for AuC users . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-27
Table 11-40: Buttons in the Add User Dialog Box . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-27
Table 11-41: Fields in the AuC Connection display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-28
Table 11-42: Buttons in the AuC Connection display. . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-28
Table 11-43: Fields in the AuC Database Backup Schedule Dialog Box . . . . . . . . . . bk 10-2 pg 11-29
Table 11-44: Buttons in the AuC Database Backup Schedule Dialog Box . . . . . . . . . bk 10-2 pg 11-29
Table 11-45: Fields in the AuC Database Dialog Box . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-30
Table 11-46: Buttons in the AuC Database Dialog Box. . . . . . . . . . . . . . . . . . bk 10-2 pg 11-30
Table 11-47: Fields in the Change Password Dialog Box . . . . . . . . . . . . . . . . . bk 10-2 pg 11-31
Table 11-48: Buttons in the Change Password Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 11-31
Table 11-49: Fields in the Encryption Devices Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 11-32
Table 11-50: Buttons in the Encryption Devices Dialog Box . . . . . . . . . . . . . . . bk 10-2 pg 11-33
Table 11-51: Field in the Key Update Lock Details Information Box . . . . . . . . . . . bk 10-2 pg 11-33
Table 11-52: Buttons in the Key Update Lock Details Information Box . . . . . . . . . . bk 10-2 pg 11-33
Table 11-53: Field in the Key Update Lock Dialog Box . . . . . . . . . . . . . . . . . bk 10-2 pg 11-34
Table 11-54: Buttons in the Key Update Lock Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 11-34
Table 11-55: Fields in the KVL UKEK Assignment Dialog Box . . . . . . . . . . . . . bk 10-2 pg 11-34
Table 11-56: Buttons in the KVL UKEK Assignment Dialog Box. . . . . . . . . . . . . bk 10-2 pg 11-34
Table 11-57: Fields in the Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-35
Table 11-58: Buttons in the Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-35
Table 11-59: Fields in the Miscellaneous Settings Dialog Box . . . . . . . . . . . . . . bk 10-2 pg 11-36
Table 11-60: Buttons in the Miscellaneous Settings Dialog Box. . . . . . . . . . . . . . bk 10-2 pg 11-36
Table 11-61: Fields in the Modify Schedule display . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-37
Table 11-62: Buttons in the Modify Schedule display . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-37
Table 11-63: Fields in the KVL Port Settings Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 11-38
Table 11-64: Buttons in the KVL Port Settings Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 11-38
Table 11-65: Fields in the Purge Audit Trail Dialog Box . . . . . . . . . . . . . . . . . bk 10-2 pg 11-39
Table 11-66: Buttons in the Purge Audit Trail Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 11-39
Table 11-67: Fields in the SCK-TMO Modify Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 11-40
Table 11-68: Buttons in the SCK-TMO Modify Dialog Box . . . . . . . . . . . . . . . bk 10-2 pg 11-40
Table 11-69: Fields in the Standby Settings Dialog Box . . . . . . . . . . . . . . . . . bk 10-2 pg 11-40
Table 11-70: Buttons in the Standby Settings Dialog Box . . . . . . . . . . . . . . . . bk 10-2 pg 11-41
Table 11-71: Fields in the Update CCK Version display . . . . . . . . . . . . . . . . . bk 10-2 pg 11-42
Table 11-72: Buttons in the Update CCK Version display . . . . . . . . . . . . . . . . bk 10-2 pg 11-42
Table 11-73: Fields in the User Settings Dialog Box . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-43
Table 11-74: Buttons in the User Settings Dialog Box . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-44
Table 11-75: Main Menu Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 11-44
Table A-1: Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg A-1
Table A-2: Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg A-i

List Of Procedures

Volume 10: Authentication, Encryption and Provisioning

Booklet 1: Authentication, Encryption and Provisioning - Installation and Configuration

Procedure 2-1: How to Install Hardware for Primary AuC and Standby AuC . . . . . . . . bk 10-1 pg 2-9
Procedure 2-2: How to Restore the Factory Default Settings . . . . . . . . . . . . . . . bk 10-1 pg 2-10
Procedure 2-3: How to Update Firmware on the HP ProLiant DL360 G4P. . . . . . . . . bk 10-1 pg 2-10
Procedure 2-4: How to Configure ROM Based Set Up for Primary and Standby AuC . . . bk 10-1 pg 2-11
Procedure 2-5: How to Configure RAID for Primary AuC and Standby AuC . . . . . . . bk 10-1 pg 2-12
Procedure 3-1: How to Install the AuC Server — Part 1 . . . . . . . . . . . . . . . . . . bk 10-1 pg 3-2
Procedure 3-2: How to ensure that the AuC is operational after installation process . . . . . bk 10-1 pg 3-5
Procedure 3-3: How to Install a Remote AuC Client Component . . . . . . . . . . . . . . bk 10-1 pg 3-6
Procedure 3-4: How to Uninstall the AuC Server . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 3-7
Procedure 3-5: How to Uninstall the AuC Database . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 3-8
Procedure 3-6: How to Uninstall the AuC Database Manually . . . . . . . . . . . . . . . bk 10-1 pg 3-9
Procedure 4-1: How to Configure a System Key . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 4-3
Procedure 4-2: How to Configure a Master Key . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 4-4
Procedure 4-3: How to Configure a Unique Key Encryption Key . . . . . . . . . . . . . . bk 10-1 pg 4-4
Procedure 4-4: How to Configure Other KVL Configurations. . . . . . . . . . . . . . . . bk 10-1 pg 4-5
Procedure 4-5: How to Change the AuC Comm Key . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 4-6
Procedure 5-1: How to Perform Initial Configuration of the Primary Authentication Centre . . bk 10-1 pg 5-1
Procedure 5-2: How to Configure the IP settings using the AuC Configuration Assistant . . . bk 10-1 pg 5-3
Procedure 5-3: How to Configure the Network Management (NM) Settings Using the AuC Configuration
Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-4
Procedure 5-4: How to Configure Standby Database Using the AuC Configuration Assistant . . bk 10-1 pg 5-5
Procedure 5-5: How to Configure a Standby Database . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-7
Procedure 5-6: How to Change the Standby IP using the AuC Configuration Assistant when It Incorrectly
Points to the Primary AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-10
Procedure 5-7: How to Configure Standby IP using the AuC Configuration Assistant. . . . bk 10-1 pg 5-10
Procedure 5-8: How to Activate Standby AuC Database Using the AuC Configuration
Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-12
Procedure 5-9: How to Activate the Standby Database . . . . . . . . . . . . . . . . . . bk 10-1 pg 5-13
Procedure 6-1: How to Verify if the Database is in Archive Log Mode . . . . . . . . . . . bk 10-1 pg 6-2
Procedure 6-2: How to Create a New User on a Remote Computer . . . . . . . . . . . . . bk 10-1 pg 6-3
Procedure 6-3: How to Create a Shared Backup Folder on a Remote Computer. . . . . . . . bk 10-1 pg 6-3
Procedure 6-4: How to Start the AUC Service with the New User. . . . . . . . . . . . . . bk 10-1 pg 6-4
Procedure 6-5: How to Restore the AuC Database Using the AuC Configuration Assistant . . bk 10-1 pg 6-6
Procedure 6-6: How to Restore the AuC Database . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-7
Procedure 6-7: How to Restart the Restored AuC . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-8
Procedure 6-8: How to Clean Up the AuC Database . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 6-9
Procedure 8-1: How to Install the PrC Database . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 8-2
Procedure 8-2: How to Install the PrC Server and Client . . . . . . . . . . . . . . . . . . bk 10-1 pg 8-3
Procedure 8-3: How to Uninstall the PrC Server and Client. . . . . . . . . . . . . . . . . bk 10-1 pg 8-4
Procedure 8-4: How to Uninstall the PrC Database . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 8-4
Procedure 8-5: How to Uninstall the PrC Database Manually . . . . . . . . . . . . . . . . bk 10-1 pg 8-5
Procedure 9-1: How to Configure the PrC Database for Hot Backups . . . . . . . . . . . . bk 10-1 pg 9-2
Procedure 9-2: How to Perform the PrC Database Backup . . . . . . . . . . . . . . . . . bk 10-1 pg 9-3
Procedure 9-3: How to Restore the PrC Database . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-6
Procedure 9-4: How to Restart the PrC Service . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-7
Procedure 9-5: How to Ensure the PrC Service is not Running . . . . . . . . . . . . . . . bk 10-1 pg 9-8
Procedure 9-6: How to Clean Up the PrC Database . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-9
Procedure 10-1: How to Add a New AuC to an Existing Nationwide System . . . . . . . bk 10-1 pg 10-18
Procedure 10-2: How to Restart the AuC — Method 1 Go Out of Service and Operational . . bk 10-1 pg 10-18
Procedure 10-3: How to Restart the AuC — Method 2 (Full reset of the AuC) . . . . . . . bk 10-1 pg 10-19
Procedure 10-4: How to Test the Communication Between the Primary Database and the Standby
Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-19
Procedure 10-5: How to Complete Key Updates from the AuC to Infrastructure entities . . bk 10-1 pg 10-20
Procedure 10-6: How to Complete Authentication Material, KEKm, KEKz, CCK and SCK_TMO
Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 10-21
Procedure 10-7: How to Solve the AuC Client that Appears to Hang . . . . . . . . . . . bk 10-1 pg 10-22
Procedure 10-8: How to Solve a KVL Download or Upload Fails on AuC . . . . . . . . . bk 10-1 pg 10-22
Procedure 10-9: How to Solve a Site that does not Take Keys . . . . . . . . . . . . . . bk 10-1 pg 10-23
Procedure 11-1: How to Restart the PrC — Method 1 Go Out of Service and Operational . . bk 10-1 pg 11-5
Procedure 11-2: How to Restart the PrC — Method 2 Stop/Start PrC Server . . . . . . . . bk 10-1 pg 11-5
Procedure 12-1: How to Temporarily Disable a Radio from Operating on the System. . . . bk 10-1 pg 12-2
Procedure 14-1: How to Setup Windows® for MultiTech MT5634ZBA Modem for Connection with
PrC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 14-1
Procedure 14-2: How to Configure the AuC/PrC Modem. . . . . . . . . . . . . . . . . bk 10-1 pg 14-3
Procedure 14-3: How to Configure the KVL to Operate with the Modem Option . . . . . . bk 10-1 pg 14-3

Booklet 2: Managing Authentication, Encryption and Provisioning


Procedure 2-1: How to Configure the System Object for AI Encryption and Authentication
Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-3
Procedure 2-2: How to Configure the EBTS Site Object for AI Encryption and Authentication
Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 2-9
Procedure 2-3: Transitioning from Security Class 2 to 3 . . . . . . . . . . . . . . . . . bk 10-2 pg 2-14
Procedure 2-4: How to Configure the Radio Object for Authentication Purposes . . . . . . bk 10-2 pg 2-15
Procedure 2-5: How to Configure the Key Variable Loader (KVL) Object . . . . . . . . . bk 10-2 pg 2-17
Procedure 3-1: How to Start the AuC Client. . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-9
Procedure 3-2: How to Change a User Account Password . . . . . . . . . . . . . . . . bk 10-2 pg 3-11
Procedure 3-3: How to Check the Status of the UCS, Zone or a Site. . . . . . . . . . . . bk 10-2 pg 3-13
Procedure 3-4: How to Log Out of the AuC . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 3-14
Procedure 4-1: How to View a Mobile Station’s Key Information . . . . . . . . . . . . . . bk 10-2 pg 4-3
Procedure 4-2: How to Generate Mobile Station (MS) Report . . . . . . . . . . . . . . . bk 10-2 pg 4-5
Procedure 4-3: How to View/Delete a List of Unmatched K-REF Pairs in the Authentication
Centre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-6
Procedure 4-4: How to Generate an Unmatched K-Ref Pairs Report . . . . . . . . . . . . bk 10-2 pg 4-8
Procedure 4-5: How to View Zone Status and Key Information . . . . . . . . . . . . . . bk 10-2 pg 4-11
Procedure 4-6: How to view BTS site’s status and encryption key information . . . . . . . bk 10-2 pg 4-13
Procedure 4-7: How to view UCS Status Information . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-14
Procedure 4-8: How to View KVL Status and Key Information . . . . . . . . . . . . . . bk 10-2 pg 4-16
Procedure 4-9: How to Enter K-REF Pairs into the Authentication Centre via Keyboard . . bk 10-2 pg 4-18
Procedure 4-10: How to Import K-REF Pairs into the Authentication Centre. . . . . . . . bk 10-2 pg 4-20
Procedure 4-11: How to Import SCK-TMO Keys into the Authentication Centre . . . . . . bk 10-2 pg 4-22
Procedure 4-12: How to Modify an SCK-TMO Key in the Authentication Centre . . . . . bk 10-2 pg 4-25
Procedure 4-13: How to Reset an Active SCK-TMO Key in the Authentication Centre . . . bk 10-2 pg 4-28
Procedure 4-14: Entering an AuC CommKey into the AuC Database . . . . . . . . . . . . bk 10-2 pg 4-30
Procedure 4-15: Entering a DDK key into the AuC database . . . . . . . . . . . . . . . bk 10-2 pg 4-32
Procedure 4-16: How to Assign a UKEK Key to a KVL Device . . . . . . . . . . . . . bk 10-2 pg 4-34
Procedure 4-17: How to Load an Infrastructure Key (Ki) to a BTS Site Entity . . . . . . . bk 10-2 pg 4-36
Procedure 4-18: How to Refresh a Ki for Selected Zone or BTS Site Entity in the AuC
Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-39
Procedure 4-19: How to Update a Ki Key for a Zone or BTS Site Entity in AuC Client. . . bk 10-2 pg 4-42
Procedure 4-20: How to Schedule Key Updates based on Key Type . . . . . . . . . . . . bk 10-2 pg 4-45
Procedure 4-21: How to Perform Immediate Key Updates based on Key Type . . . . . . . bk 10-2 pg 4-48
Procedure 4-22: How to Assign New Authentication Material for a Mobile Station . . . . bk 10-2 pg 4-50
Procedure 4-23: How to Enable/Disable Key Updates for a Mobile Station . . . . . . . . bk 10-2 pg 4-53
Procedure 4-24: How to Enable/Disable Key Updates for a Zone . . . . . . . . . . . . . bk 10-2 pg 4-56
Procedure 4-25: How to Enable/Disable Key Updates for a BTS Site . . . . . . . . . . . bk 10-2 pg 4-58
Procedure 4-26: How to Enable/Disable Key Updates based on Key Type . . . . . . . . . bk 10-2 pg 4-60
Procedure 4-27: How to Enable/Disable KVL Access to the Authentication Centre . . . . bk 10-2 pg 4-62
Procedure 5-1: Viewing AuC Connection Information and Status . . . . . . . . . . . . . . bk 10-2 pg 5-3
Procedure 5-2: How to Configure Nationwide Master AuC . . . . . . . . . . . . . . . . . bk 10-2 pg 5-8
Procedure 5-3: How to Configure Nationwide Slave AuC . . . . . . . . . . . . . . . . bk 10-2 pg 5-10
Procedure 5-4: How to Add New Slave AuC to the AuC Net . . . . . . . . . . . . . . . bk 10-2 pg 5-15
Procedure 5-5: How to Change Expected Slave AuC. . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-16
Procedure 5-6: How to Remove Expected Slave AuC . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-16
Procedure 5-7: How to Remove Slave AuC from the AuC System . . . . . . . . . . . . bk 10-2 pg 5-17
Procedure 5-8: How to Return to Single Cluster Mode from Master AuC . . . . . . . . . bk 10-2 pg 5-17
Procedure 5-9: How to Connect Slave AuC to Another Master . . . . . . . . . . . . . . bk 10-2 pg 5-18
Procedure 5-10: How to Change Master in Nationwide AuC System . . . . . . . . . . . bk 10-2 pg 5-19
Procedure 6-1: How to View AuC Server Events . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 6-2
Procedure 6-2: Removing One or More Events from the AuC Events Display . . . . . . . . bk 10-2 pg 6-3
Procedure 7-1: Creating an Audit Trail of Authentication Centre (AuC) Events. . . . . . . . bk 10-2 pg 7-2
Procedure 7-2: Removing Audit Trail Data from the Authentication Centre (AuC) Database for Archival File
Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 7-4
Procedure 8-1: Creating a new Authentication Centre (AuC) User Account . . . . . . . . . bk 10-2 pg 8-2
Procedure 8-2: Modifying an existing Authentication Centre (AuC) User Account . . . . . . bk 10-2 pg 8-4
Procedure 8-3: Deleting an existing Authentication Centre User Account . . . . . . . . . . bk 10-2 pg 8-5
Procedure 9-1: How to Configure KVL Port Settings . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-2
Procedure 9-2: How to Configure Miscellaneous Operation Settings . . . . . . . . . . . . bk 10-2 pg 9-3
Procedure 9-3: How to Configure the User Settings . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 9-5
Procedure 9-4: How to Turn Standby Connection Monitoring On . . . . . . . . . . . . . . bk 10-2 pg 9-7
Procedure 9-5: How to Turn Standby Connection Monitoring Off. . . . . . . . . . . . . . bk 10-2 pg 9-9
Procedure 9-6: How to View the Status of AuC Encryption Devices . . . . . . . . . . . bk 10-2 pg 9-11
Procedure 9-7: How to Load a Master Key into an Encryption Device. . . . . . . . . . . bk 10-2 pg 9-13
Procedure 9-8: How to Change the State of the Authentication Centre (AuC) Server . . . . bk 10-2 pg 9-16
Procedure 9-9: How to Schedule Authentication Centre Database Backups . . . . . . . . bk 10-2 pg 9-16
Procedure 9-10: How to Start a Manual Authentication Centre Database Backup. . . . . . bk 10-2 pg 9-18
Procedure 9-11: How to Manually Update the CCK Version Number . . . . . . . . . . . bk 10-2 pg 9-20
Procedure 9-12: Updating a CCK Version by Connecting to the Nationwide System . . . . bk 10-2 pg 9-21
Procedure 9-13: How to Create a Standby Status Report . . . . . . . . . . . . . . . . . bk 10-2 pg 9-22
Procedure 9-14: Viewing Authentication Centre Version Information . . . . . . . . . . . bk 10-2 pg 9-23
Procedure 10-1: How to Trigger Full Synchronization with the UCS . . . . . . . . . . . bk 10-2 pg 10-5
Procedure 10-2: How to Trigger Full Synchronization with the ZDS . . . . . . . . . . . bk 10-2 pg 10-7

List Of Processes

Volume 10: Authentication, Encryption and Provisioning

Booklet 1: Authentication, Encryption and Provisioning - Installation and Configuration

Process 9-1: PrC - Database Restore Overview . . . . . . . . . . . . . . . . . . . . . . bk 10-1 pg 9-6

Booklet 2: Managing Authentication, Encryption and Provisioning


Process 4-1: How to Provision Zone or BTS Site Entity with an Infrastructure Key . . . . bk 10-2 pg 4-36
Process 4-2: How to Reprovision Zone or BTS Site Entity with an Existing Infrastructure
Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 4-38
Process 4-3: How to Reprovision a Zone or BTS Site Entity with a New Infrastructure Key . . bk 10-2 pg 4-41
Process 5-1: Nationwide AuC System configuration . . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-7
Process 5-2: Key Update in the Nationwide System . . . . . . . . . . . . . . . . . . . bk 10-2 pg 5-14


Dimetra IP 2006
System Release 6.0

Volume 10:
Authentication, Encryption
and Provisioning
Booklet 1
Authentication, Encryption
and Provisioning - Installation
and Configuration

6802800U60-D
When printed by Motorola March 2007
CMM labeling and disclosure table

The People’s Republic of China requires that Motorola’s products comply with
China Management Methods (CMM) environmental regulations. (China
Management Methods refers to the regulation Management Methods for
Controlling Pollution by Electronic Information Products.) Two items are used to
demonstrate compliance; the label and the disclosure table.
The label is placed in a customer visible position on the product.
• Logo 1 means that the product contains no substances in excess of the
maximum concentration value for materials identified in the China
Management Methods regulation.
• Logo 2 means that the product may contain substances in excess of the
maximum concentration value for materials identified in the China
Management Methods regulation, and has an Environmental Friendly
Use Period (EFUP) in years, fifty years in the example shown.

Logo 1 Logo 2

The Environmental Friendly Use Period (EFUP) is the period (in years) during
which the Toxic and Hazardous Substances (T&HS) contained in the Electronic
Information Product (EIP) will not leak or mutate causing environmental pollution
or bodily injury from the use of the EIP. The EFUP indicated by the Logo 2 label
applies to a product and all its parts. Certain field-replaceable parts, such as
battery modules, can have a different EFUP and are marked separately.
The Disclosure Table is intended only to communicate compliance with China
requirements; it is not intended to communicate compliance with EU RoHS or any
other environmental requirements.

© 2007 Motorola, Inc.


Dimetra IP System Release 6.0
System Documentation

Volume 1: Understanding your Dimetra IP System (6802800U51)
Volume 2: Fault Management (6802800U52)
Volume 3: Configuration Management (6802800U53)
    Booklet 3-1: Managing Zone Infrastructure
    Booklet 3-2: Managing Radio Users
    Booklet 3-3: Administering Servers, Controllers and Gateways
    Booklet 3-4: Managing Network Transport Equipment
    Booklet 3-5: Administering Databases
    Booklet 3-6: Feature Configuration
    Booklet 3-7: Fleetmap Management
Volume 4: Accounting Management (6802800U54)
Volume 5: Performance Management (6802800U55)
    Booklet 5-1: Monitoring System Performance
    Booklet 5-2: Managing Network Transport Equipment Performance
Volume 6: Security Management (6802800U56)
Volume 7: High Level Diagnostics and Troubleshooting (6802800U57)
Volume 8: Field Replaceable Units and Entities (6802800U58)
Volume 9: Installation and Configuration (6802800U59)
    Booklet 9-1: Master Site Hardware Installation
    Booklet 9-2: Master Site Software Installation
    Booklet 9-3: Network Transport Applications Installation and Configuration
Volume 10: Authentication, Encryption and Provisioning (6802800U60)
    Booklet 10-1: Authentication, Encryption and Provisioning - Installation and Configuration
    Booklet 10-2: Managing Authentication, Encryption and Provisioning
Volume 11: End-to-End Secure Communications (6802800U61)

Security/Authentication Feature Manuals

PCI Short Form Crypto Card Service Manual (6802700U92)
PCI Crypto Card Upgrade Manual (6881132E24)
KMF Crypto Card Instruction Manual (6881003Y85)
Alias Integrated Solution (AIS) Feature Manual (6802800U66)
MultiCADI Feature Manual (6802800U67)
UCS Synchronisation Tool Manual (6802800U62)
AUC Crypto Card Instruction Manual (6802800U71)
End to End Encryption KVL3000 Plus User Guide (6802800U14)
Air Interface Encryption KVL3000 Plus User Guide (6802800U15)
Backup/Restore Collector Application User Guide (6802800U22)
Network Security Feature Manual (6802800U70)
Telephone Interconnect Feature Manual (6802800U65)
KVL 3000 Plus Key Variable Loader Service Manual
Provisioning Centre Users Manual
Data Feature Manual
MCC 7500 Feature Manual
Document numbers printed for these four manuals: 6802800U69, 6802800U64, 6802800U68, 6802800U40

Online Help

Affiliation Display Online Help
Application launcher Online Help
Authentication Centre Online Help
Performance Reports Online Help
FullVision Online Help
RCM Online Help
RCM Reports Online Help
Software Download Online Help
UCM Online Help
ZCM Online Help
ZoneWatch Online Help
System and Zone Profile Online Help
KMF Online Help
TESS Online Help

Service Information

EMEA Systems Support Centre (ESSC)

The EMEA Systems Support Centre provides a Technical Consulting service. This service is accessed via the Call
Management Centre.

Jays Close, Viables Industrial Estate
Basingstoke, Hampshire RG22 4PD,
United Kingdom
Contact via Call Management Centre
Telephone: +44 (0) 1256 484448
Email: ESSC@motorola.com

European Systems Component Centre (ESCC)

The European System Component Centre provides a repair service for infrastructure equipment, including the
MBTS. Customers requiring repair service should contact the Call Management Centre to obtain a Return
Authorisation number. The equipment should then be shipped to the following address unless advised otherwise.

Motorola GmbH CGISS
European Systems Component Centre
Am Borsigturm 130
13507 Berlin
Germany
Telephone: +49 (0) 30 66861414
Telefax: +49 (0) 30 66861426
E-Mail: ESCC@motorola.com

Parts Identification and Ordering

Request for help in identification of non-referenced spare parts should be directed to the Customer Care
Organization of Motorola’s local area representation. Orders for replacement parts, kits and assemblies should be
placed directly on Motorola’s local distribution organization or via the Extranet site Motorola Online at
https://emeaonline.motorola.com.

EMEA Test Equipment Support

Information related to support and service of Motorola Test Equipment is available by calling the Motorola Test
Equipment Service Group in Germany at +49 (0) 6128 702179, Telefax +49 (0) 6128 951046, through the
Customer Care Organization of Motorola’s local area representation, or via the Internet at
http://www.gd-decisionsystems.com/cte/.

Your Input
...is much appreciated. If you have any comments, corrections, suggestions or ideas for this publication, or any
other requirements regarding Motorola publications, please send an e-mail to doc.emea@motorola.com.

Updated Versions of this Manual
...are available at our Extranet site Motorola Online. Contact us at doc.emea@motorola.com for access.

Contents

Authentication, Encryption and Provisioning - Installation and Configuration


Icon Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -xl

Chapter 1: Authentication Centre and Provisioning Centre Overview


AuC and PrC Description and System Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Authentication Server Configuration Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
AuC - Equipment Rack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
AuC Cable Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
AC Power Input Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
AuC Crypto Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Chapter 2: AuC Hardware Installation and Configuration


AuC Hardware Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
General Hardware Installation Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Equipment Inspection and Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Environmental Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Placement Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Weight Distribution within a Rack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Rack Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Cabling Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
General Safety Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
General Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Human Exposure Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Static Sensitive Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Electrostatic Discharge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
AuC Hardware Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
AuC Hardware Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Restoring the Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
HP Firmware Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
AuC ROM Based Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
RAID Configuration for AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Installing Network Security Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

Chapter 3: AuC Software Installation and Uninstallation


Software Preinstallation Requirements and Considerations . . . . . . . . . . . . . . . . . . . . . . 3-1
Installing the AuC Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Installing the AuC Client Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Uninstalling the AuC Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

Uninstalling the AuC Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7


Uninstalling the AuC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Uninstalling the AuC Database Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9

Chapter 4: System, Master, and Unique Key Encryption Keys and KVL Configuration

Changing System and Master Keys in an Existing System . . . . . . . . . . . . . . . . . . . . . . 4-2
System Key Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Master Key Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Unique Key Encryption Key Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Other KVL Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
AuC Communications (Comm) Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
AuC Hosts File Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Chapter 5: Primary and Standby AuC Configuration


Initial AuC Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
AuC Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
IP Settings Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
NM Settings Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Standby Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Standby AuC IP Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Activating the Standby Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11

Chapter 6: AuC Database Backup and Restore


Backup Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Verifying if the Database is in Archive Log Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Preparations for Storing Backup Files on a Remote Computer . . . . . . . . . . . . . . . . . . . . 6-3
Creating a New User on a Remote Computer . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Creating a Shared Backup Folder on a Remote Computer . . . . . . . . . . . . . . . . . . . . 6-3
Starting the AuC Service with the New User . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Performing Database Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Database Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Restoring the AuC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Restarting the Restored AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Cleaning up the AuC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

Chapter 7: PrC Hardware


PrC Hardware Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1

Chapter 8: PrC Software Installation and Uninstallation


Before Beginning the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Installing the PrC Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Uninstalling the PrC Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Chapter 9: PrC Database Backup and Restore


Database Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Configuring the PrC Database for Hot Backups . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Performing the Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Database Backup files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5


Restoring the PrC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5


Database Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Restarting the PrC Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Ensuring the PrC Service is not Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Cleaning up the PrC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8

Chapter 10: Troubleshooting the AuC


Basic Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Common AuC Start-Up Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
AuC Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Worst case AuC Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Scenarios when Performing Key Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Scenario 1 (Nationwide and Single Cluster). . . . . . . . . . . . . . . . . . . . . . . . . 10-9
Scenario 2 (Nationwide and Single Cluster). . . . . . . . . . . . . . . . . . . . . . . . . 10-9
Scenario 3 (Nationwide only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Scenario 4 (Nationwide and Single Cluster). . . . . . . . . . . . . . . . . . . . . . . . 10-11
Scenario 5 (Nationwide only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11
Scenario 6 (Nationwide and Single Cluster). . . . . . . . . . . . . . . . . . . . . . . . 10-12
Scenario 7 (Nationwide & Single Cluster) . . . . . . . . . . . . . . . . . . . . . . . . 10-13
Scenario 8 (Nationwide Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
Scenario 9 (KEKz) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
Scenario 10 (KEKz). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15
Scenario 11 (KEKz). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
Scenario 12 (KEKz). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
Scenario 13 (Authentication Material) . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
Manual SCK Map Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-18
Adding a New AuC to an Existing Nationwide System . . . . . . . . . . . . . . . . . . 10-18
How to Restart the AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-18
Troubleshooting Standby AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19
Site and System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-20
Key Distribution Failure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-20
Key Distributions do not Complete. . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21
AuC Client Appears to Hang. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22
Follow-Up Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22
KVL Download or Upload Fails on AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22
Follow-Up Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23
Site Does Not Take Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23
Follow-Up Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24
SCK/CCK NACKs (KEK not present, Decryption Failure) Handled Incorrectly . . . . . . . . . 10-24
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25
Have to Reset AuC if Previous KVL Download Fails During Ki Provisioning . . . . . . . . . . 10-25
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25
AuC Client does not Update Zone Object after Receipt of Authentication Material Decryption Failure NACK . . . . 10-25
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25
SCK Crypto Schedule doesn’t Notify User When Next Active SCK Not Set . . . . . . . . . . . 10-25
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26
AuC Reports 127.0.0.1 to FullVision if Ethernet Cable Disconnected . . . . . . . . . . . . . . 10-26
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26
MNI Change During Key Distribution Should Stop Distribution . . . . . . . . . . . . . . . . 10-26
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26
Multiple Key Type Distributions May Cause AuC Application Deadlock . . . . . . . . . . . . 10-27
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27


Add New Site, AuC Distributes KEKz and then Waits One Hour to Send SCK . . . . . . . . . 10-27
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27
Wrong or Incomplete NM Connection Checks to Start KEKz/SCK/CCK Updates . . . . . . . . 10-27
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27
Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28
Remote AuC Clients not Updated/Informed of Server State Changes . . . . . . . . . . . . . . 10-28
Resolution/Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28

Chapter 11: Troubleshooting the PrC


Common PrC Client Start-Up Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
PrC Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
PrC Worst Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
How to Restart the PrC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5

Chapter 12: Handling Compromised Units


Temporary Disabling/Enabling a Subscriber Mobile Station . . . . . . . . . . . . . . . . . . . . . 12-1

Chapter 13: Authentication Centre Field Replaceable Units


Authentication Centre Field Replaceable Units . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Authentication Centre Periodic Maintenance Inspection . . . . . . . . . . . . . . . . . . . . . . . 13-2

Chapter 14: Setup Procedures for External Modems


Windows® Setup for MultiTech MT5634ZBA Modem . . . . . . . . . . . . . . . . . . . . . . . . 14-1
Configuring the AuC/PrC to Work with a Modem . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
Configuring the KVL to Operate with the Modem Option . . . . . . . . . . . . . . . . . . . . . . 14-3



List of Figures

Figure 1-1: The AuC and PrC System Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2


Figure 1-2: The AuC Equipment Rack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Figure 9-1: The Provisioning Centre Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . . 9-2
Figure 9-2: The PrC Main Client Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Figure 9-3: The PrC Database Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Figure 9-4: The Start PrC Database Backup Dialog Box . . . . . . . . . . . . . . . . . . . . . . . 9-4
Figure 9-5: The Status Bar During Database Backup . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Figure 9-6: The Services Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Figure 10-1: Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
Figure 10-2: Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Figure 10-3: Scenario 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Figure 10-4: Scenario 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11
Figure 10-5: Scenario 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11
Figure 10-6: Scenario 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12
Figure 10-7: Scenario 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
Figure 10-8: Scenario 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
Figure 10-9: Scenario 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15
Figure 10-10: Scenario 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
Figure 10-11: Scenario 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
Figure 12-1: The NT Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Figure 12-2: Example of Zone Applications in the Application Launcher . . . . . . . . . . . . . . . 12-2
Figure 12-3: The Radio Control Manager Window. . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Figure 12-4: The Radio Commands Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Figure 12-5: The Command Monitor Window Pane . . . . . . . . . . . . . . . . . . . . . . . . . 12-4



List of Tables

Table 10-1: Common Client Startup Error Messages and Descriptions . . . . . . . . . . . . . . . . 10-2
Table 10-2: Troubleshooting the AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Table 10-3: AuC Worst-Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Table 10-4: Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
Table 10-5: Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Table 10-6: Scenario 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Table 10-7: Scenario 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11
Table 10-8: Scenario 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11
Table 10-9: Scenario 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12
Table 10-10: Scenario 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
Table 10-11: Scenario 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
Table 10-12: Scenario 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15
Table 10-13: Scenario 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
Table 10-14: Scenario 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
Table 10-15: Troubleshooting Standby AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19
Table 11-1: Common PrC Client Start-Up Error Messages and Descriptions . . . . . . . . . . . . . . 11-1
Table 11-2: Troubleshooting the PrC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Table 11-3: PrC Worst Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Table 13-1: Authentication Centre FRUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Table 13-2: Authentication Centre Periodic Maintenance Inspection . . . . . . . . . . . . . . . . . 13-2



List of Procedures

Procedure 2-1: How to Install Hardware for Primary AuC and Standby AuC . . . . . . . . . . . . . 2-9
Procedure 2-2: How to Restore the Factory Default Settings . . . . . . . . . . . . . . . . . . . . . 2-10
Procedure 2-3: How to Update Firmware on the HP ProLiant DL360 G4P. . . . . . . . . . . . . . . 2-10
Procedure 2-4: How to Configure ROM Based Set Up for Primary and Standby AuC . . . . . . . . . 2-11
Procedure 2-5: How to Configure RAID for Primary AuC and Standby AuC . . . . . . . . . . . . . 2-12
Procedure 3-1: How to Install the AuC Server — Part 1 . . . . . . . . . . . . . . . . . . . . . . . 3-2
Procedure 3-2: How to ensure that the AuC is operational after installation process . . . . . . . . . . 3-5
Procedure 3-3: How to Install a Remote AuC Client Component . . . . . . . . . . . . . . . . . . . 3-6
Procedure 3-4: How to Uninstall the AuC Server . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Procedure 3-5: How to Uninstall the AuC Database . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
Procedure 3-6: How to Uninstall the AuC Database Manually . . . . . . . . . . . . . . . . . . . . 3-9
Procedure 4-1: How to Configure a System Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Procedure 4-2: How to Configure a Master Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Procedure 4-3: How to Configure a Unique Key Encryption Key . . . . . . . . . . . . . . . . . . . 4-4
Procedure 4-4: How to Configure Other KVL Configurations. . . . . . . . . . . . . . . . . . . . . 4-5
Procedure 4-5: How to Change the AuC Comm Key . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Procedure 5-1: How to Perform Initial Configuration of the Primary Authentication Centre . . . . . . . 5-1
Procedure 5-2: How to Configure the IP settings using the AuC Configuration Assistant . . . . . . . . 5-3
Procedure 5-3: How to Configure the Network Management (NM) Settings Using the AuC Configuration Assistant . . . . 5-4
Procedure 5-4: How to Configure Standby Database Using the AuC Configuration Assistant . . . . . . 5-5
Procedure 5-5: How to Configure a Standby Database . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Procedure 5-6: How to Change the Standby IP using the AuC Configuration Assistant when It Incorrectly Points to the Primary AuC . . . . 5-10
Procedure 5-7: How to Configure Standby IP using the AuC Configuration Assistant. . . . . . . . . . 5-10
Procedure 5-8: How to Activate Standby AuC Database Using the AuC Configuration Assistant . . . . 5-12
Procedure 5-9: How to Activate the Standby Database . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Procedure 6-1: How to Verify if the Database is in Archive Log Mode . . . . . . . . . . . . . . . . 6-2
Procedure 6-2: How to Create a New User on a Remote Computer . . . . . . . . . . . . . . . . . . 6-3
Procedure 6-3: How to Create a Shared Backup Folder on a Remote Computer. . . . . . . . . . . . . 6-3
Procedure 6-4: How to Start the AUC Service with the New User. . . . . . . . . . . . . . . . . . . 6-4
Procedure 6-5: How to Restore the AuC Database Using the AuC Configuration Assistant . . . . . . . 6-6
Procedure 6-6: How to Restore the AuC Database . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
Procedure 6-7: How to Restart the Restored AuC . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Procedure 6-8: How to Clean Up the AuC Database . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
Procedure 8-1: How to Install the PrC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Procedure 8-2: How to Install the PrC Server and Client . . . . . . . . . . . . . . . . . . . . . . . 8-3
Procedure 8-3: How to Uninstall the PrC Server and Client. . . . . . . . . . . . . . . . . . . . . . 8-4
Procedure 8-4: How to Uninstall the PrC Database . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Procedure 8-5: How to Uninstall the PrC Database Manually . . . . . . . . . . . . . . . . . . . . . 8-5
Procedure 9-1: How to Configure the PrC Database for Hot Backups . . . . . . . . . . . . . . . . . 9-2
Procedure 9-2: How to Perform the PrC Database Backup . . . . . . . . . . . . . . . . . . . . . . 9-3


Procedure 9-3: How to Restore the PrC Database
Procedure 9-4: How to Restart the PrC Service
Procedure 9-5: How to Ensure the PrC Service is not Running
Procedure 9-6: How to Clean Up the PrC Database
Procedure 10-1: How to Add a New AuC to an Existing Nationwide System
Procedure 10-2: How to Restart the AuC — Method 1 Go Out of Service and Operational
Procedure 10-3: How to Restart the AuC — Method 2 (Full reset of the AuC)
Procedure 10-4: How to Test the Communication Between the Primary Database and the Standby Database
Procedure 10-5: How to Complete Key Updates from the AuC to Infrastructure entities
Procedure 10-6: How to Complete Authentication Material, KEKm, KEKz, CCK and SCK_TMO Distributions
Procedure 10-7: How to Solve the AuC Client that Appears to Hang
Procedure 10-8: How to Solve a KVL Download or Upload Fails on AuC
Procedure 10-9: How to Solve a Site that does not Take Keys
Procedure 11-1: How to Restart the PrC — Method 1 Go Out of Service and Operational
Procedure 11-2: How to Restart the PrC — Method 2 Stop/Start PrC Server
Procedure 12-1: How to Temporarily Disable a Radio from Operating on the System
Procedure 14-1: How to Setup Windows® for MultiTech MT5634ZBA Modem for Connection with PrC
Procedure 14-2: How to Configure the AuC/PrC Modem
Procedure 14-3: How to Configure the KVL to Operate with the Modem Option


List of Processes
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

Process 9-1: PrC - Database Restore Overview



About This Booklet

Authentication, Encryption and Provisioning - Installation and Configuration
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

This booklet is intended for those involved with the installation and configuration of the
Authentication Centre (AuC) and Provisioning Centre (PrC).

What Is Covered In This Booklet?


This document will cover hardware installation and configuration instructions for:
• Authentication Centre server
• RAID controller
• Authentication Centre Crypto Card
• Modem
• Cabling
This document also details initial installation and configuration of all software for:
• Authentication Centre
• Provisioning Centre

This manual also includes procedures for configuring the Authentication Centre to work
properly with the other parts of the Dimetra system including:
• User Configuration Server (UCS)
• Zone Database Server (ZDS)
• Air Traffic Router (ATR)
• Full Vision (FV)
• Key Variable Loader (KVL)

Finally, this document will include troubleshooting procedures for common field problems.


Helpful Background Information


See Volume 1, Understanding Your Dimetra IP System for an overview of the
system and the entire document set.

Related Information
The following manuals will be referenced from this manual:
• Authentication Centre Crypto Card Instruction Manual
• Provisioning Centre User Manual
• Key Variable Loader User’s Guide
• Key Variable Loader Service Manual
• Network Security Feature Manual

Icon Conventions
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

The document set is designed to give the reader more visual cues. The following graphic icons are used
throughout the documentation set. These icons and their associated meanings are described below.

SUGGESTION

A suggestion implies a recommendation or tip from Motorola, that does not have to be followed,
but which might be helpful. There is no warning level associated with a Suggestion.

Notes contain information more important than the surrounding text, such as exceptions or
preconditions. They also refer the reader elsewhere for additional information, remind the reader
how to complete an action (when it’s not part of the current procedure, for instance), or tell the
reader where something is located on the screen. There is no warning level associated with a Note.


Information that is crucial to the discussion at hand, but that is not a Caution or Warning, receives
an Important icon. There is no warning level associated with the Important icon.

The caution icon implies information that must be carried out in a certain manner
to avoid problems, procedures that may or may not be necessary as determined by
the reader’s system configuration, and so on. Although no damage will occur if
the reader does not heed the caution, some steps may need repeating.

The warning icon implies potential system damage if the instructions or
procedures are not carried out exactly, or if the warning is not heeded.

The danger icon implies information that, if disregarded, may result in severe
injury or death of personnel. This is the highest level of warning.



Chapter 1: Authentication Centre and Provisioning Centre Overview
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

This chapter provides an overview of the Authentication Centre (AuC) and Provisioning Centre (PrC)
components installed in a Dimetra IP system, an introduction to the requirements and considerations
for mechanical installation, and an overview of the physical interface and cabling requirements for the AuC.
This chapter covers the following topics:
• "AuC and PrC Description and System Diagram"
• "Authentication Server Configuration Versions"
• "AuC Crypto Card"

AuC and PrC Description and System Diagram


■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

The AuC provides the authentication and key management material for devices related to
air interface security functions in Dimetra IP. It is responsible for generating the cipher
keys used for key management throughout the infrastructure, and accountable for scheduled
key changes, including changing the SCK and CCK. One AuC is required for each cluster.
Infrastructure Keys are provisioned via the Key Variable Loader (KVL). Other keys and infrastructure
data are distributed via TCP/IP network to infrastructure servers. These servers are:
• FullVision (FV)
• Zone Database Server (ZDS)
• User Configuration Server (UCS)
• Air Traffic Router (ATR)
The PrC generates, stores, and tracks delivery of K and SCK-TMO keys to the subscriber Mobile Stations
(MSs), using the Key Variable Loader (KVL) as a proxy to transport and confirm delivery. In addition, the
PrC generates and exports a file containing K-REF pairs to the Authentication Centre (AuC).


Figure 1-1 shows how the Dimetra IP infrastructure devices interface with the Authentication
Centre (AuC) and the Provisioning Centre (PrC).

Figure 1-1 The AuC and PrC System Diagram


Authentication Server Configuration Versions


■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

There are two alternative AuC configurations:


• Dual-server configuration with all software components on both primary and secondary
servers. This provides an active/standby configuration.
• Single-server configuration with all software components installed and configured as
the primary server. This provides an active-only configuration.

The AuC hardware is rack-mounted. A KVM switch is included to change between
active and standby hardware.
Up to two remote AuC clients can also exist within the Dimetra IP network. These can
be installed on any available desktop PCs as required; see Chapter 3, "AuC Software
Installation and Uninstallation" for more details.

AuC - Equipment Rack


The AuC is secured to a 600 mm by 900 mm NON EMC EURORACK before shipment, unless otherwise
requested. Figure 1-2 shows a standard AuC equipment rack, which contains:
• Primary AuC Server (with Crypto Card)
• Standby AuC Server (with Crypto Card) — optional
• KVM Switch (with monitor, keyboard and touchpad)


Figure 1-2 The AuC Equipment Rack

The AuC rack may vary from the one shown in Figure 1-2.


AuC Cable Connections

• AuC Server (Primary and Standby) is connected to the UCS VLAN (part of the Dimetra
IP Network) via the patch panel installed on the AuC rack.

Please use the Ethernet port labeled NIC1.

For LAN connections, use only Category 5e shielded twisted pair
or higher cabling and connectors. Motorola® has engineered
this system to meet specific performance requirements and EMC
standards. Using other cabling and connectors may result in
unpredictable system performance or catastrophic failure.

• The DIAL port on an external modem (if provided) is connected to PSTN via
the patch panel. The DTE port on the modem is connected to the serial port A
(COM1) on the rear of the Primary AuC server.
• A direct connection with the KVL is established via a null-modem cable connected to
the serial port B (COM2) on the rear of the Primary AuC Server. If there is no
second COM port, refer to step 9 in Procedure 2-1, "How to Install Hardware
for Primary AuC and Standby AuC," on page 2-9.
• Each AuC server is connected to the KVM Switch.

AC Power Input Requirements


The nominal AC input is 230 V AC. Use a three-wire, grounded electrical outlet as the AC source.

AuC Crypto Card


■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

The Authentication Centre Crypto Card is a PCI bus card that is inserted in the AuC server work station
and provides the actual encryption and decryption services for the Authentication Centre (AuC).
For more information please see the following manuals:
• Authentication Centre Crypto Card - Instruction Manual
• Authentication Centre Crypto Card - Service Manual


Follow the information in the Service manual “Authentication Centre Crypto Card” to
troubleshoot the battery circuitry on the AuC Crypto Card.

Failure to install and/or replace the lithium battery correctly may result in an
explosion. Replace the battery only with the same or equivalent type of battery.
Dispose of used batteries at an authorized metals/batteries reclamation dealer.



Chapter 2: AuC Hardware Installation and Configuration
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

This chapter covers the following topics:


• "AuC Hardware Equipment"
• "General Hardware Installation Guidelines"
• "AuC Hardware Installation"
• "AuC Hardware Configuration"
• "Installing Network Security Software"

AuC Hardware Equipment


■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

AuC Hardware consists of the following elements:


• Primary AuC
◦ AuC Server
◦ AuC Crypto Card
• Standby AuC (optional)
◦ AuC Server
◦ AuC Crypto Card
• KVM Switch
• Modem (optional)
• KVL 3000 Plus, with
◦ Key Loading Cable
◦ RS-232 Null Modem Cable


The AuC Server platform is based on:


HP ProLiant ML370 G4
The platform consists of the following components:
• 2 x 512 MB RAM memory cards
• Smart Array 6400 controller card
• CD-RW/DVD-ROM Combo Drive
• 2 x 72.8 GB Hard Disk Drives

HP ProLiant ML370 G3 (system upgrade only)


The platform consists of the following components:
• 2 x 512 MB SDRAM memory cards
• Smart Array 532 controller card
• 48 x IDE CD-ROM Drive
• 3 x 36.4 GB Hard Disk Drives (or compatible)

HP NetServer LC2000 (system upgrade only)


The platform consists of the following components:
• 2 x 512 MB SDRAM memory cards
• NetRAID-1M controller card
• 32 x Max EIDE CD-ROM Drive
• 2 x 18.2 GB Hard Disk Drives (or compatible)

HP ProLiant DL360 G4P


The platform consists of the following components:
• 2 x 1 GB RAM memory cards
• Smart Array 6i controller
• CD-RW/DVD-ROM Combo Drive
• 2 x 72.8 GB Ultra320 SCSI Hard Disk Drives


General Hardware Installation Guidelines


■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

Use the following guidelines for system installation.

Equipment Inspection and Inventory


The customer and the Motorola service representatives are to ensure that all racks, cables and other
equipment are present. Conduct a careful inspection to verify that all equipment and accessories are in
good condition. Damaged or missing items should be noted and reported to Motorola promptly.

Do not tamper with factory configuration settings for these devices. This
includes software configuration, firmware release, password, and physical
connections. Motorola has configured and connected these devices to meet
very specific performance requirements. Tampering with these devices may
result in unpredictable system performance or catastrophic failure.

Environmental Considerations
Most of the Master Site equipment is designed to be rack mounted and is normally supplied in 19" equipment
cabinets. These cabinets are intended to be installed in an equipment room with an appropriate Heating,
Ventilation, and Air Conditioning (HVAC) system installed. The ambient temperature of the equipment room
should be maintained in the range of 18°C to 24°C and the relative humidity maintained within the range 30%
to 55% (non-condensing). If feet are supplied, ensure that they are installed under the equipment cabinets to
allow sufficient airflow through the cabinet. See also "Placement Recommendations". If a cabinet has a fan
system without any alarm system, the fan system needs yearly inspection and, if necessary, replacement.

Placement Recommendations
Use the following suggestions for placing the equipment at the site.
• Place each rack in a stable area on a firm surface. Use the correct mounting
hardware and shims to prevent rack movement.
• Install the system safely. Use strain relief when installing and positioning cables and
cords to help ensure that no interruption of service occurs.
• Allow at least one meter of space at the front and rear of the system for proper
air flow for cooling and for safe access.
• Locate the site racks and other equipment with ease of service and access in mind.
Service personnel require access to the front and the rear of the rack.


• Locate the system in an area free of heat, dust, smoke, and Electrostatic Discharge (ESD).
• If feet are supplied with your equipment, make sure they are fitted under the cabinet to
provide at least 15 mm between the bottom of the rack and the floor. Additional clearance
will be required for compressible floor surfaces such as carpet tiles.
• External cables coming into the cabinets must not significantly reduce airflow
within the cabinets. Cables are expected to be grouped together and secured
along the side of the cabinets using the vertical rails.

Environmental operating and storage requirement data for individual components
is available in product documentation.

Weight Distribution within a Rack


To avoid hazards or damage arising from uneven loading of the rack, distribute the weight of
the equipment evenly in the rack. Consider the limitations of equipment and cables. When
possible, mount the heaviest components in the bottom of the rack.
See the rack manufacturer’s documentation for special mounting requirements and
specifications for equipment not provided by Motorola.

Rack Requirements
Most equipment is installed on a standard 19" rack. If you need to install additional equipment, see the
Site Configuration Guide for your system or consult your Motorola Field Representative.

Cabling Guidelines
See the Quality Standards - Fixed Network Equipment (FNE) Installation Manual, Motorola R56 Manual -
Standards and Guidelines for Communication Sites (68P81089E50) for cabling standards.


• To prevent emission problems, use only Motorola shielded cables. Do
not substitute other cable types.
• Ensure equipment is positioned to avoid excessive tension on cables and connectors. Cables
must be loose with absolutely no stress on the connectors. Maintenance loops are recommended.
• Dress the cables neatly using cable ties. Do not tighten the cable ties until you
are sure that the required service length and bend radius requirements are met.
Cable ties should be loose enough to allow adjustment.
• Verify that all cables are properly labelled to match Site Configuration Guide documentation.
• Ensure that cables are not bent more tightly than the minimum bend radius outlined in the
Motorola R56 Manual - Standards and Guidelines for Communication Sites (68P81089E50).

Use only Category 5 Shielded Twisted Pair (or higher) for cabling Ethernet
connections. Motorola has engineered this system to meet specific performance
requirements and EMC standards. Using other cabling and connectors may
result in unpredictable system performance or catastrophic failure.

General Safety Precautions


Safety should always be the primary concern whenever working around system communications electronic
components. Those working around system equipment are solely responsible for being aware of specific
safety considerations associated with the system, its components, and its operation.

General Safety Information


The following general safety precautions must be observed during all phases of operation, service, and
repair of the equipment described in this manual. The safety precautions listed below represent warnings of
certain dangers of which we are aware. You should follow these warnings and all other safety precautions
necessary for the safe operation of the equipment in your operating environment.
The equipment and installation instructions are designed to comply with various International Safety Standards,
such as EN60950, and the equipment should be installed to comply with any local regulatory requirements.
Read and follow all warning notices and instructions marked on the product or included in this
manual before installing, servicing or operating the equipment. Retain these safety instructions
for future reference. Also, all applicable safety procedures, local code requirements, safe working
practices, and good judgement must be used by personnel.
Refer to appropriate section of the product service manual for additional pertinent safety information.
Because of the danger of introducing additional hazards, do not install substitute parts or
perform any unauthorized modifications of equipment.


Maintenance actions may require two or more persons. The appropriate activity risk assessment should
be completed prior to the activity being conducted. Examples of items that should be considered are:
• Repairs where the risk of injury would require a second person to perform first aid or call for
emergency support. An example would be work around high voltage sources.
• Manual handling of rack and some system components may require more than one
person; therefore the appropriate risk assessments should be conducted.
• The stability of the equipment should be considered when removing system
element(s) from a rack or other equipment.

If troubleshooting the equipment while power is applied, be aware of the live circuits.
DO NOT operate the transmitter of any radio unless all RF connectors are secure and
all connectors are properly terminated.
All equipment must be properly grounded in accordance with Motorola Standards and Guideline for
Communications Sites “R56” (68P81089E50) and specified installation instructions for safe operation.
Racks may need to be secured to the ground (or by other methods) to prevent tipping
over when units are being removed.
Slots and openings in the cabinet are provided for ventilation. To ensure reliable operation of the product
and to protect it from overheating, these slots and openings must not be blocked or covered.
The cabinets are fitted with feet to raise them off the floor and to provide
ventilation. These feet should not be removed.
Never store combustible materials in or near the rack. The combination of combustible material,
heat and electrical energy increases the risk of a fire safety hazard.
Only a qualified technician familiar with similar electronic equipment should service equipment.
Some equipment components can become extremely hot during operation. Turn off all power
to the equipment and wait until sufficiently cool before touching.

Possible electrical shock hazard. Before attempting removal or installation,
make sure the primary power and batteries are disconnected.

The Dimetra IP system contains CMOS devices. Proper troubleshooting
and installation techniques require grounding precautions by
personnel prior to handling equipment.

Human Exposure Compliance


This equipment is designed to generate and radiate radio frequency (RF) energy by means of an
external antenna. When terminated into a non-radiating RF load, the base station equipment is
certified to comply with R&TTE regulations and ICNIRP Guidelines.


Antenna installation should be designed to comply with the ICNIRP (International Commission on
Non-Ionizing Radiation Protection) guidelines, or the local regulatory requirements which pertain to human exposure to
RF (Non Ionizing) radiation. Further information on ICNIRP guidelines can be found at http://www.icnirp.org/
Determining the compliance of transmitter sites of various complexities may be accomplished by
means of computational methods. For more complex sites direct measurement of the power density
may be more expedient. Additional information on the topic of electromagnetic exposure is contained
in the Motorola Standards and Guideline for Communications Sites publication. Persons responsible
for installation of this equipment are urged to consult the listed reference material to assist in
determining whether a given installation complies with the applicable limits.
In general the following guidelines should be observed when working in or around radio transmitter sites:
• All personnel should have electromagnetic energy awareness training.
• All personnel entering the site must be authorized.
• Obey all posted signs.
• Assume all antennas are active.
• Before working on antennas notify owners and disable appropriate transmitters.
• Maintain minimum 1 meter clearance from all antennas.
• Do not stop in front of antennas.
• Use personal RF monitors while working near antennas.
• Never operate transmitters without shields during normal operation.
• Do not operate base station antennas in equipment rooms.

For installations outside of the U.S., consult with the applicable governing body and standards for RF energy
human exposure requirements and take the necessary steps for compliance with local regulations.
References:
• TIA/EIA TSB92 "Report on EME Evaluation for RF Cabinet Emissions Under FCC MPE
Guidelines", Global Engineering Documents: http://global.ihs.com/
• FCC OET Bulletin 65 “Evaluating Compliance with FCC Guidelines for Human Exposure
to Radio Frequency Electromagnetic Fields”: http://www.fcc.gov/oet/rfsafety/.
• Motorola Standards and Guideline for Communications Sites, R56
Motorola manual (68P81089E50).
• IEEE Recommended Practice for the Measure of Potentially Hazardous Electromagnetic
Fields – RF and Microwave, IEEE Std C95.3-1991, Publication Sales, 445 Hoes
Lane, P.O. Box 1331, Piscataway, NJ 08855-1331.
• IEEE Standard for Safety Levels with Respect to Human Exposure to Radio Frequency
Electromagnetic Fields, 3 kHz to 300 GHz, IEEE C95.1-1991, Publication Sales, 445
Hoes Lane, P.O. Box 1331, Piscataway, NJ 08855-1331.

Static Sensitive Precautions


The static grounding wrist strap (Motorola p/n 42-80385A59) supplied with the equipment must
always be used when handling any board or module. Many of the boards or modules used in
the equipment are vulnerable to damage from static charges.


Extreme care must be taken while handling, shipping, and servicing these boards or modules.
To avoid static damage, observe the following precautions:
• Prior to handling, shipping, and servicing equipment, connect a wrist strap to the
grounding clip. This discharges any accumulated static charges.

Use extreme caution when wearing a conductive wrist strap near
sources of high voltage. The low impedance provided by the
wrist strap also increases the danger of lethal shock, should
accidental contact with high voltage sources occur.

• Avoid touching any conductive parts of the module with your hands.
• Never remove boards or modules with power applied to the unit (hot-pull) unless
you have verified it is safe to do so for a particular board or module. Make sure the
unit will not be damaged by this. Several boards and modules require that power
be turned off before any boards or modules are removed.
• Avoid carpeted areas, dry environments, and certain types of clothing (silk, nylon, etc.)
during service or repair due to the possibility of static buildup.
• Apply power to the circuit under test before connecting low impedance test equipment
(such as pulse generators, etc.). When testing is complete, disconnect the test
equipment before power is removed from the circuit under test.
• Be sure to ground all electrically powered test equipment. Connect a ground lead (-) from
the test equipment to the board or module before connecting the test probe (+). When
testing is complete, remove the test probe first, then remove the ground lead.
• Lay all circuit boards and modules on a conductive surface when removed from the system.
The conductive surface must be connected to ground through 100Kohm.
Never use non-conductive material for packaging modules being transported. All modules
should be wrapped with static sensitive (conductive) material. Replacement modules shipped
from the factory are packaged in a conductive material.

Electrostatic Discharge

Electronic components such as circuit boards and memory modules
can be extremely sensitive to Electrostatic Discharge (ESD). Motorola
recommends that you use an antistatic wrist strap and a conductive
foam pad when installing or upgrading the system.

If an ESD station is not available, wear an antistatic wrist strap. Wrap one end of the strap around
your wrist. Attach the ground end (usually a piece of copper foil or an alligator clip) to the same
electrical ground as the equipment under repair or the equipment chassis.


AuC Hardware Installation


■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

This section describes the Authentication Centre hardware installation. Follow Procedure 2-1 to
install AuC hardware. This procedure applies only to new installations.
Procedure 2-1 How to Install Hardware for Primary AuC and Standby AuC

1 Open the top of the case and, following the manufacturer’s installation instructions, install the
memory cards in the first free sockets.
2 Install the Combo Drive in slot B.
3 Install the two hard drives in slots 0 and 1.
4 Install the AuC Crypto Card in PCI-X Slot 2.

Slot 2 is the one located above Ethernet sockets.

The Crypto Card should have a battery installed on it before it is installed in the
server. For instructions on how to prepare the Crypto Card before installing it,
see the “AuC Crypto Card” manual.
5 Close the server’s case, then, following the manufacturer’s installation instructions, mount it
in the rack.

Do not connect the power cable.


6 Connect each AuC server to KVM Switch.
7 Attach the power cords to the rear of the server.
8 The external modem installation is covered in Chapter 14.
9 Optional: Usually it is not necessary to use both COM ports at the same time. If your COM1
port is occupied by the modem and you don’t have any other serial ports (for instance in HP
ProLiant DL360 G4P) you can either:
• Connect your KVL via modem.
• Disconnect your modem, connect the KVL to COM1.
• Install USB — COM adapter provided with the AuC. Connect the KVL to the adapter. The
adapter usually appears as COM3, depending on system configuration.


AuC Hardware Configuration


■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

This section describes Authentication Centre hardware configuration as well as other procedures
to be performed before installing AuC software. To configure AuC hardware properly before
AuC software installation, perform the following procedures:
• Restore the factory default settings, see Procedure 2-2
• Update firmware, see Procedure 2-3
• Configure ROM Based Setup, see Procedure 2-4
• Configure RAID card, see Procedure 2-5

Restoring the Factory Default Settings


Follow Procedure 2-2 to restore the factory default settings on the AuC server.
Procedure 2-2 How to Restore the Factory Default Settings

1 Power up the server.


2 Press the F9 key when prompted during system startup.
Result: The main ROM-Based Setup Utility screen is displayed.
3 Select Advanced Options.
4 Select Erase NVRAM/Boot Disk.
5 Press Enter and select Yes, Select to Erase.
Result: Server will reboot.

HP Firmware Update
Follow Procedure 2-3 to update the HP firmware.
Procedure 2-3 How to Update Firmware on the HP ProLiant DL360 G4P
1 Download Firmware Maintenance CD 7.40 from:
http://h18000.www1.hp.com/support/files/server/us/download/23331.html
2 Burn the downloaded CD.
3 Insert the CD into the drive during the system startup.
Result: The server starts booting from the CD.
4 Select the display language and keyboard layout. Click Continue.

5 Agree to the User License Agreement.
6 Click the Launch ROM Update utility. The system will be scanned. This may take a while.
7 If possible, update the firmware for:
• System ROM
• Array Controllers
• Hard Drives
• Management Processors
by clicking the Update Now button. If the button is grayed out, no updates are necessary. In that
case, exit by clicking EXIT, click OK to confirm and EXIT to reboot.

AuC ROM Based Configuration


Follow Procedure 2-4 to configure ROM based set up for primary and standby AuC.
Procedure 2-4 How to Configure ROM Based Set Up for Primary and Standby AuC

1 Press the F9 key when prompted during system startup.


Result: The main ROM-Based Setup Utility screen is displayed.
2 Select System Options and set:
• Embedded NIC 1 PXE Support: to Disabled
• Embedded NIC 2 PXE Support: to Disabled
• Virtual Serial Port: to Disabled
3 Select BIOS Serial Console/EMS Support and set:
• BIOS Serial Console Port to Disabled
• EMS Console to Disabled
4 Select Standard Boot Order and change the boot sequence as below:
1. CD-ROM
2. Hard Drive
3. Floppy Drive
4. USB Drivekey
5 Select Server Availability and set Wake on LAN to Disabled.

You should leave the rest of the BIOS options unchanged.


6 Exit the main ROM-Based Setup utility and press F10 to confirm.
Result: Server will reboot.


RAID Configuration for AuC


Follow Procedure 2-5 to configure RAID for primary AuC and standby AuC.
Procedure 2-5 How to Configure RAID for Primary AuC and Standby AuC

1 Power up the server.


2 Press the F8 key when the prompt to run the Option ROM Configuration for Arrays Utility
is displayed.
Result: The main Option ROM Configuration for Arrays Utility screen is displayed.

This prompt is only displayed for a few seconds after which it disappears. If you
do not press the F8 key before the prompt is gone, then you must restart the server
to display it again.
3 Delete all logical drives, if any exist.
4 Create a logical drive using the default option: RAID 1 Configuration (1+0).
5 Save the configuration.
6 Select Select as Boot Controller (use the F8 key to confirm).

Select as Boot Controller will not be displayed if the Smart Array controller is
already set up to be the boot controller. If that is the case, ignore this step.
7 Exit the Option ROM Configuration for Arrays Utility.

Installing Network Security Software



If you have the optional Anti Virus feature, you need to install the A/V client on the AuC clients.
See the "Installation and Configuration" chapter of the Network Security Feature Manual.

Chapter 3: AuC Software Installation and Uninstallation

The Authentication Centre (AuC) software application can be installed on both active (primary) and standby
(secondary) PCs. The complete AuC software application consists of the following software components:
• AuC Server software component
• AuC Client software component

You can install the AuC Server and Client components together on the same PC, or separately where the
AuC Client is installed on a remote PC that can access the AuC Server over the Dimetra IP network.
This chapter covers the following topics:
• "Software Preinstallation Requirements and Considerations"
• "Installing the AuC Server"
• "Installing the AuC Client Only"
• "Uninstalling the AuC Server"
• "Uninstalling the AuC Client"
• "Uninstalling the AuC Database"
• "Uninstalling the AuC Database Manually"

Software Preinstallation Requirements and Considerations



You should review the following list of requirements and considerations prior to installing
software. If you do not have any of the following information, contact your system
administrator or the local Motorola field representative.
• Make sure you have appropriate network administrative rights or privileges
required to install the software.
• Make sure that all CD-ROMs and other software media are available before
starting any software installation activity.

• Before installation, identify and review all appropriate installation procedures required to
complete the software installation process being implemented, to become familiar with
its characteristics and requirements.
• Obtain all required system information and configuration data (IP addresses,
hostnames, and so forth) before installing any software.
• Make sure the software installation process will not negatively affect the operating
condition of the system during critical or heavy system usage.
• Notify your regional support centre and your operations group prior to starting
any procedures that would impact system performance.
• Notify your administration group that you are performing system maintenance,
and features will be affected and unavailable.

Installing the AuC Server



For the AuC Server, the complete image of the system partition, containing both the operating system and the AuC
software, is installed in one procedure. Follow Procedure 3-1 to perform a new installation of the AuC
Server. To ensure that the AuC is operational after the installation process, follow Procedure 3-2.
Procedure 3-1 How to Install the AuC Server — Part 1

1 Insert the Dimetra IP 2006 AuC Installation, CD1 into the drive during the system startup.
Result: The server starts booting from the CD.
2 Select the Install AuC Image option and press Enter.
Result: Norton Ghost application starts.
3 If the Continue without marking drives button appears, press it to continue.
Result: Norton Ghost starts restoring the disc images.
4 When Norton Ghost asks for the next CD, insert Dimetra IP 2006 AuC Installation, CD2.
5 When Norton Ghost asks for the next CD, insert Dimetra IP 2006 AuC Installation, CD3.
6 Wait until the server automatically reboots.

It is recommended to remove the CD from the CD drive during reboot.


Result: Windows® setup appears.
7 Click Next.
Result: Licence agreement window appears.

8 Set I accept this agreement and click Next.
Result: The Regional and Language Options screen is displayed.
9 To change the location, click the Customize button.
To customize the keyboard, choose Details...
Click Next.
10 Enter User Name and Organization Name and click Next.
11 Enter Product Key and click Next.

For HP ProLiant ML 370 G4 use the OEM key.


12 Enter appropriate time, date and time zone. Click Next.
Result: Server reboots automatically.
13 The logon message: Your password expires today, Do you want to change it now? appears.
Click Yes.
Result: Change password dialog appears.
14 Enter the password in the New Password and Confirm New Password fields and accept it.

The old password is motorola


Result: The following message appears: Your password has been changed
15 Click OK.
Result: The AuC Configuration Assistant starts.
16 Go to AuC Configuration Assistant welcome wizard window and click Next.
Result: You will be prompted for database administrator password.
17 In Current password field type the default password:
change_on_install
Type the new password in New password and Confirm new password fields. Click Next.

This password will be used during database recoveries.


The password specified during Standby AuC installation in this step should be set on
a Primary AuC in settings for Standby AuC.
Result: The information screen appears.
18 Click Next.
Result: You will be prompted for the AuC Server IP address.

19 Enter the AuC Server IP address:
• for Primary AuC: 10.0.<cluster-ID>.219
• for Standby AuC: 10.0.<cluster-ID>.220
and Zone IDs for the hosts.

Use IP plan to obtain correct values for IP addresses and Zone IDs.
Result: The information screen appears.
20 Read the information and click Next.
Result: You will be prompted for supported Network Management Database version.
21 Enter supported Network Management Database version using Add, Modify and Delete buttons.
Click Next to continue.
Result: The summary screen appears.
22 Click Finish.
Result: The first stage of AuC Server installation is completed.
23 • When installing the AuC server on the primary machine go to Procedure 3-2;
• When installing the AuC server on the standby machine follow the steps below;
24 Click Start on the Windows® task bar. Select Settings> Control Panel>System.
Result: The System Properties dialog box appears.
25 Select the Computer Name tab.
26 On the Computer Name tab press Change... button.
Result: The Computer Name Changes dialog box appears.
27 In the Computer Name field type: auc02 and press OK.
Result: The confirmation dialog box appears.
28 Press OK.
29 On the Computer Name tab press OK.
30 Reboot the computer.
Result: The AuC Server installation process is complete.


Procedure 3-2 How to ensure that the AuC is operational after installation process

1 Make sure that the startup type of the AuC, Master and Subagent services is set to Automatic.

If the startup type for these services is not Automatic, start these services and then
change the startup type to Automatic.
2 Log into the AuC Client. For more information on how to log in, see the AuC Online Help.

When logging into the AuC client for the first time, the user name and password are
admin and changeme1 (numeral 1) respectively.
3 Make sure the Crypto Card has been detected and is usable. From the main menu select
System>Encryption Devices. The CCC and CCE version must be correct, and the device status
must be Working. If these requirements are not fulfilled, the problem MUST be resolved before
proceeding.

The possible causes of Crypto Card failure are as follows:


• no Master Key has been loaded into the Crypto Card
• Windows® driver for the Crypto Card has not been installed
4 Make sure the AuC operational state is set to Operational.

If the AuC operational service is Out of Service, from the main menu select System>
Go Operational.


Installing the AuC Client Only



Follow Procedure 3-3 to perform a new installation of the Authentication Centre
(AuC) Client component on a remote PC.

The Microsoft® Windows® 2000 Professional, Service Pack 2 (or higher),
Microsoft® Windows XP Professional, Service Pack 1a (or higher) or Microsoft®
Windows® 2003 operating system is required.
Procedure 3-3 How to Install a Remote AuC Client Component
1 Insert the Dimetra AuC Software CD into CD drive.
Result: The install program will automatically launch. If it does not, use Windows® Explorer
and run the AuCSetup.exe program. The welcome window will appear.
2 Click Next.
Result: The setup type screen appears.
3 Select Client and click Next.
Result: The window with a prompt for a server IP address appears.
4 Enter the IP address of the Primary AuC Server for the Client to connect to and click Next.
The format is 10.0.<Cluster-ID>.219.
Result: A progress bar displaying the status of the installation appears. Once completed, you
will see a confirmation message.
5 Click Finish to exit.
Result: The AuC client component installation is completed.

Uninstalling the AuC Server



You can uninstall the AuC Server, but you cannot install it again without repeating the partition
image installation described in Procedure 3-1.

To uninstall the AuC Server follow Procedure 3-4.


Procedure 3-4 How to Uninstall the AuC Server

1 Click Start on the Windows® task bar. Select Settings> Control Panel>Add/Remove
Programs.
Result: The Add/Remove Programs dialog box appears.
2 Select the Authentication Centre then click Change/Remove.
Result: The InstallWizard welcome screen appears.
3 Click Next.
Result: A summary screen appears.
4 Click Next.
Result: The uninstallation process will start.
5 When the uninstallation process is completed, click Finish.
Result: The AuC Server uninstallation process is completed.

Uninstalling the AuC Client



To uninstall the AuC Client follow Procedure 3-4.

Uninstalling the AuC Database



You can uninstall the AuC Database, but you cannot install it again without repeating the partition
image installation described in Procedure 3-1.

Follow Procedure 3-5 to uninstall the AuC Database.


Procedure 3-5 How to Uninstall the AuC Database

1 Click Start on the Windows® task bar. Select Settings> Control Panel>Add/Remove
Programs.
Result: The Add/Remove Programs dialog box appears.
2 Select the Authentication Centre Database then click Change/Remove.
Result: The InstallWizard welcome screen appears.
3 Click Next.
Result: A summary screen appears.
4 Click Next.
Result: An information screen appears.

The screen contains instructions which should be followed when Oracle® Universal
Installer launches. These instructions are repeated in consecutive steps of this
procedure.
5 Click Next.
Result: The uninstallation process will start.

If the Remove Existing File window appears click Yes to All.


6 The Oracle® Universal Installer window appears. Click Deinstall Products….
7 Under Oracle Homes top level tree element, select Oracle10g checkbox and click Remove…
8 Click Yes.
9 Wait while Oracle components are uninstalled then click Close.
10 Click Cancel and then Yes to close the Oracle® Universal Installer window.
Result: The information screen appears.
11 Click Next.

If error messages appear on the screen, look at the log file for details (the file name
is displayed on the screen). Then follow Procedure 3-6 to manually remove the
database. Please note that some steps of the procedure might not be necessary if some
actions have been already performed by the uninstaller.
12 Select whether you want to restart your computer now or later and click Finish.
Result: The AuC Database has now been successfully uninstalled.


Uninstalling the AuC Database Manually



In case of a failed or stopped installation or uninstallation, it may be necessary to manually delete the
AuC database components. Follow Procedure 3-6 to manually uninstall the AuC database.
Procedure 3-6 How to Uninstall the AuC Database Manually

1 Click Start on the Windows® task bar. Select Settings> Control Panel> Administrative Tools>
Services.
Result: The Services dialog box appears.
2 Select all Oracle services one by one and click Stop.
3 Close the Services dialog box.
4 Click Start on the Windows® task bar and then Run...
5 Enter regedit and click OK.
6 In the Registry Editor window go to HKEY_CLASSES_ROOT and delete any keys that begin
with Oracle, Ora, EnumOra or ORCL.
7 Delete the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key.
8 Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key and delete
any keys that begin with Oracle.
9 Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
key and delete any keys that begin with Oracle.
10 Delete the HKEY_CURRENT_USER\Software\Oracle key.
11 Delete the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Oracle — Oracle 10g key.
12 Delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2ab7faa6c76dba2fdaf675d6f89b63e8 key.
13 Close the Registry Editor.
14 Click Start on the Windows® taskbar. Select Settings> Control Panel> System and then
Advanced> Environment Variables…
15 Select System variables> Path and Edit.
16 Delete any Oracle entries from the variable and click OK.
17 Click OK to close the Environment Variables window.
18 Click OK to close the System Properties window.
19 Open the Windows® profiles directory for all users and select Start Menu and Programs
(system dependent location, but for example D:\Profiles\All Users\Start Menu\Programs).

20 Delete:
• Oracle — Oracle10g directory
• C:\Oracle directory
• C:\Program Files\Oracle directory
• C:\Motorola\AuC\Database directory
21 Optionally: Delete the C:\WINNT\vpd.properties file.
22 Restart the computer.

Chapter 4: System, Master, and Unique Key Encryption Keys and KVL Configuration

This chapter describes how to configure the Authentication Centre (AuC), Provisioning Centre (PrC), and
Key Variable Loader (KVL) with a consistent set of keys for correct Dimetra IP system operation.
The KVL is used to communicate with the Authentication Centre, the Provisioning Centre, and their
respective Crypto Cards for the secure transmission of keys. The communication between the Crypto
Card and the KVL uses DVI-XL encryption, which is not used elsewhere in the Dimetra IP system.
This chapter covers the following topics:
• "Changing System and Master Keys in an Existing System"
• "System Key Configuration"
• "Master Key Configuration"
• "Unique Key Encryption Key Configuration"
• "Other KVL Configurations"
• "AuC Communications (Comm) Key"
• "AuC Hosts File Changes"

If a KVL is to be shared between an AuC and a PrC then it is a system requirement
that every AuC, PrC, and KVL in a customer’s network have an identical system key
loaded, especially if the AuCs are going to be upgraded to Dimetra IP 5.1 or later,
where they may become part of a Nationwide Network. If identical System Keys are
not loaded into each AuC, PrC, and KVL, data will be lost as a direct result!

The System Key is loaded into the AuC and PrC via the KVL when the Master Key is loaded into each machine’s
Crypto Card. The Master Key in each AuC and PrC must not be changed after initial installation and startup.

If the wrong Master Key is loaded into an AuC or PrC, and any system
data is entered into the application software, either manually via the
Client GUI or automatically via PNM, that data will be lost when the
Master Key is changed to the correct Master Key!


Changing System and Master Keys in an Existing System



Before changing System and Master Keys in an existing system it is recommended
to contact the ESSC.

To change System Key and/or Master Key in an existing system, the following steps must be performed:
System Key Change
1. All Master Keys in the AuC and PrC Crypto Cards will need to be erased by
pushing the reset button on the rear of the Crypto Card

2. A clean-up of the AuC database and a clean-up of the PrC Database

3. Loading the new System Key and Master Key (even if it’s the same as the old
Master Key) into every KVL on the system

4. Loading the new Master Key into each of the AuC and PrC Crypto Cards

5. Reprovisioning of all EBTS sites and Zone Controllers and loading all data into the PrC.

Master Key Change


1. All Master Keys in the AuC and PrC Crypto Cards will need to be erased by
pushing the reset button on the rear of the Crypto Card

2. A clean-up of the AuC database and a clean-up of the PrC Database

3. Loading the new Master Key into every KVL on the system

4. Loading the new Master Key into each of the AuC and PrC Crypto Cards

5. Reprovisioning all EBTS sites and Zone Controllers and loading all data into the PrC.


System Key Configuration



The Key Variable Loader 3000+ requires a 128-digit System Key to communicate in
DVI-XL systems. Each KVL 3000+ is shipped from the factory with a default System
Key. Follow Procedure 4-1 to change the System Key.
Procedure 4-1 How to Configure a System Key

1 Switch on the KVL and navigate to the CONFIG menu by pressing the Left Arrow key once
and then press the Left dotted key under CONFIG on the display.
2 Navigate to the SYSKEY option by pressing the Left Arrow key once and then press the Left
dotted key under SYSKEY.
3 Press the Left dotted key under EDIT. The following warning will be displayed
ALL DVI-XL KEYS WILL BE LOST! CONT?
Press the Left dotted key under YES.
4 The display will show SYSKEY BYTE 01, enter the 128-digit (64 bytes) System Key. The display
will then show SLOT FILLED. Press the Enter key.
5 The display will show BUSY... ERASING KEYS while the keys and the UKEK are erased.
6 When finished, the display will show THE SYSKEY IS READY. The previous System Key has
been overwritten. Press the Esc key to go up a menu level.
7 The Default System Key can always be restored by repeating steps 1 and 2 and then pressing the
Right dotted key under DEFAULT.

Master Key Configuration



The Authentication Centre and Provisioning Centre Crypto Cards require a 16-digit (8
bytes) Master Key to communicate in DVI-XL systems with their respective applications.
Follow Procedure 4-2 to change the Master Key.


Procedure 4-2 How to Configure a Master Key

1 Turn on the KVL and navigate to the Au/PrC menu by pressing the Right Arrow key once and
then press the Left dotted key under Au/PrC on the display.
2 Navigate to the SETUP option by pressing the Left Arrow key once and then press the Left
dotted key under SETUP.
3 Press the Right dotted key under MKEY.
Result: The following message will be displayed KVL-MKEY ALGID: DVI-XL ERASED.
4 Press the Left dotted key under EDIT.
Result: The display will show MKEY DVI-XL BYTE 01.
5 Enter the 16-digit (8 bytes) Master Key.
Result: The display will then show FILLED.
6 Press the Enter key.
Result: The display will show KVL-MKEY ALGID: DVI-XL READY. The previous Master
Key has been overwritten.
7 Press the Esc key to go up a menu level.

Unique Key Encryption Key Configuration



The Authentication Centre and Provisioning Centre require a 16-digit (8 bytes) UKEK to communicate
in DVI-XL systems with a KVL. Follow Procedure 4-3 to change the UKEK.
Procedure 4-3 How to Configure a Unique Key Encryption Key

1 Turn on the KVL and navigate to the Au/PrC menu by pressing the Right Arrow key once and
then press the Left dotted key under Au/PrC on the display.
2 Navigate to the SETUP option by pressing the Left Arrow key once and then press the Left
dotted key under SETUP.
3 Press the Left dotted key under UKEK.
Result: The following message will be displayed KVL-UKEK ALGID: DVI-XL ERASED.
4 Press the Left dotted key under EDIT.
Result: The display will show UKEK DVI-XL BYTE 01.
5 Enter the 16-digit (8 bytes) UKEK Key.
Result: The display will then show FILLED.

6 Press the Enter key.
Result: The display will show KVL-UKEK ALGID: DVI-XL READY. The previous UKEK
has been overwritten.
7 Press the Esc key to go up a menu level.
8 On the AuC client, select the Key Loaders tab. Select the KVL from the list on the left of
the screen.
9 Click on Assign New UKEK...
Result: A pop-up input screen will appear.
10 Enter the same 16-digit UKEK as in step 5.
Result: The Status line should now show:
This KVL has a UKEK
11 If PrC is a part of your system, repeat step 8 to step 10 for the PrC client.

Other KVL Configurations



The checklist presented in Procedure 4-4 details the required settings for a KVL to work with
the Authentication Centre and/or the Provisioning Centre.
Procedure 4-4 How to Configure Other KVL Configurations

1 Verify in the Au/PrC->SETUP menu that the A/P ID and KVLID match what the AuC/PrC has
assigned.
2 • For KVL downloading of Ki’s (infrastructure keys) from the AuC via direct connect to the
Serial Port, the KVL must be set to 19200.
• To change/verify the baud rate, go to the CONFIG->BAUDR option on the KVL.
• To change/verify the baud rate on the AuC or PrC, go to the System>Settings drop-down
menu on the AuC or PrC client.
For KVL downloading via a modem, the KVL must be set to 9600. After the modem download
has completed, the KVL must be reset to 19200. To change/verify the baud rate, go to the
CONFIG->BAUDR option on the KVL; see also Chapter 14, "Setup Procedures for External
Modems".
3 The CONFIG menu also allows for configuring the time, date, password, and timeout period for
the KVL.


AuC Communications (Comm) Key



The Authentication Centre requires a 16-digit (8 bytes) Communications Key to communicate
using DVI-XL encryption with other AuCs in a nationwide system.

All AuCs in a nationwide system must use the same Comm Key, so a change of Comm Key
needs to be coordinated to ensure proper system operation. It is also necessary to temporarily
disable key schedules while an AuC Comm Key change takes place.

It is strongly recommended that you enter a Comm Key into the AuC BEFORE
connecting to a nationwide system.
Follow Procedure 4-5 to change the Comm Key.
Procedure 4-5 How to Change the AuC Comm Key

1 From the AuC client, select the Key Database tab. Select AuC Comm Key (Communications
Key) from the selections on the left of the screen.
2 Enter the 16-digit Comm Key and press the Enter button.
Result: The status line should now read:
The AuC has a Comm Key
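
A pre-load check of a key sheet against the rules in this chapter, as an added example (not Motorola tooling): it checks the digit counts given in the System Key, Master Key, UKEK and Comm Key sections, and that entries which must be identical (the System Key on every AuC, PrC and KVL; a KVL's UKEK and the value assigned in the AuC client; the Comm Key across AuCs) actually match. Assumptions: a "digit" is one hexadecimal character, and the device names, scope labels and key values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Key lengths in digits, as stated in this chapter. Reading "digit" as one
# hexadecimal character (two per byte) is an assumption drawn from
# "128-digit (64 bytes)" and "16-digit (8 bytes)".
KEY_DIGITS = {"system": 128, "master": 16, "ukek": 16, "comm": 16}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def check_format(kind, value):
    """Return the format problems of one key value (empty list: well formed)."""
    problems = []
    expected = KEY_DIGITS[kind]
    if len(value) != expected:
        problems.append(f"{kind} key has {len(value)} digits, expected {expected}")
    if not set(value) <= HEX_DIGITS:
        problems.append(f"{kind} key contains non-hexadecimal characters")
    return problems


def fingerprint(value, salt):
    """Keyed, per-run fingerprint: lets two entries be compared without
    displaying or logging the key digits themselves."""
    digest = hmac.new(salt, value.upper().encode("ascii"), hashlib.sha256)
    return digest.hexdigest()[:12]


def audit_key_sheet(records, salt=None):
    """records: (device, kind, scope, value) tuples. Entries that share a
    kind and scope must be identical; scope None means format check only.
    Returns a list of findings that never contains key material."""
    salt = salt or secrets.token_bytes(16)
    findings = []
    groups = defaultdict(lambda: defaultdict(list))
    for device, kind, scope, value in records:
        problems = check_format(kind, value)
        findings.extend(f"{device}: {p}" for p in problems)
        if scope is not None and not problems:
            groups[(kind, scope)][fingerprint(value, salt)].append(device)
    for kind, scope in sorted(groups):
        # One "camp" per distinct key value; more than one camp is a mismatch.
        camps = sorted((sorted(devs) for devs in groups[(kind, scope)].values()),
                       key=lambda devs: (-len(devs), devs))
        if len(camps) > 1:
            text = " | ".join(", ".join(devs) for devs in camps)
            findings.append(f"{kind} key differs within scope '{scope}': {text}")
    return findings


# Constructed sample key sheet (made-up values, device names and scopes).
SAMPLE_SYSTEM_KEY = "0123456789ABCDEF" * 8
SAMPLE_SHEET = [
    ("AuC-primary", "system", "network", SAMPLE_SYSTEM_KEY),
    ("PrC", "system", "network", SAMPLE_SYSTEM_KEY.lower()),   # same key, other case
    ("KVL-1", "system", "network", SAMPLE_SYSTEM_KEY),
    ("KVL-2", "system", "network", SAMPLE_SYSTEM_KEY[:-1] + "0"),  # one digit off
    ("KVL-1", "ukek", "KVL-1", "1122334455667788"),
    ("AuC client, KVL-1", "ukek", "KVL-1", "1122334455667788"),
    ("AuC-primary", "comm", "nationwide", "A1B2C3D4E5F6"),      # too short
    ("AuC-primary", "master", None, "0F1E2D3C4B5A6978"),
]

if __name__ == "__main__":
    for finding in audit_key_sheet(SAMPLE_SHEET):
        print(finding)
```
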

AuC Hosts File Changes



If the nominal Dimetra IP address configuration is not used on the network, the AuC Server hosts file
must be changed to reflect the IP Address configuration that is used. The hosts file is located:
• For Microsoft® Windows® 2000 Server: c:\WINNT\system32\drivers\etc\hosts
• For Microsoft® Windows® Server 2003: c:\Windows\system32\drivers\etc\hosts

The file can be edited with Notepad or WordPad. It lists the host names and IP addresses for the system:
• UCS
• SSS
• AuC Server

• AuC Database
• AuC Standby database
• The ZDS, ZSS, ATR, and FullVision servers for each Zone
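
One way to check an edited hosts file against the IP plan before putting the AuC into service, as an added example that is not part of the Motorola software: it reports missing hosts, addresses that disagree with the plan, names mapped to more than one address, and entries the plan does not know about. The AuC addresses follow the 10.0.<cluster-ID>.219/.220 scheme from this manual; all other host names and addresses in the sample are hypothetical.

```python
import ipaddress


def auc_address(cluster_id, standby=False):
    """AuC Server address per this manual: 10.0.<cluster-ID>.219 for the
    Primary AuC, 10.0.<cluster-ID>.220 for the Standby AuC."""
    return f"10.0.{int(cluster_id)}.{220 if standby else 219}"


def parse_hosts(text):
    """Parse hosts-file text. Returns ({name: set of IPs}, [bad line numbers])."""
    table, malformed = {}, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            malformed.append(number)
            continue
        if len(fields) < 2:                      # address without a host name
            malformed.append(number)
            continue
        for name in fields[1:]:                  # host names are case-insensitive
            table.setdefault(name.lower(), set()).add(ip)
    return table, malformed


def audit_hosts(text, plan, ignore=("localhost",)):
    """Compare hosts-file text with an IP plan {host name: address}."""
    table, malformed = parse_hosts(text)
    findings = [f"line {n}: not a valid hosts entry" for n in malformed]
    for name, planned_ip in sorted(plan.items()):
        want = str(ipaddress.ip_address(planned_ip))
        got = table.get(name.lower(), set())
        if not got:
            findings.append(f"{name}: missing (IP plan says {want})")
        elif got != {want}:
            findings.append(
                f"{name}: hosts file has {', '.join(sorted(got))}, IP plan says {want}")
    planned = {name.lower() for name in plan}
    for name in sorted(set(table) - planned - set(ignore)):
        findings.append(f"{name}: present in hosts file but not in the IP plan")
    return findings


# Constructed sample: cluster ID 1, hypothetical names for the non-AuC hosts.
SAMPLE_PLAN = {
    "auc01": auc_address(1),
    "auc02": auc_address(1, standby=True),
    "ucs01": "10.1.1.10",
    "sss01": "10.1.1.11",
    "zds01": "10.2.1.20",
}
SAMPLE_HOSTS = """\
# Constructed sample hosts file, not taken from a real system
127.0.0.1     localhost
10.0.1.219    auc01
10.0.1.221    auc02      # wrong last octet for the standby AuC
10.1.1.10     ucs01
10.1.1.10x    sss01      # typo in the address
10.2.1.20     zds01
10.9.9.9      zds01      # second, conflicting entry
10.66.0.5     updates    # not in the IP plan
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, SAMPLE_PLAN):
        print(finding)
```
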


Chapter 5: Primary and Standby AuC Configuration

This chapter covers the following topics:


• "Initial AuC Configuration"
• "AuC Reconfiguration"
• "Standby Database Configuration"
• "Activating the Standby Database"

Initial AuC Configuration



Follow Procedure 5-1 to perform initial configuration of the Primary Authentication Centre (AUC01).
Procedure 5-1 How to Perform Initial Configuration of the Primary Authentication Centre

1 The AuC Server automatically starts as a Windows® service. The server needs about two
minutes to initialize.
2 Start the AuC Client:
• double click on the Authentication Centre icon on the desktop or
• click Start on the Windows® task bar and select Programs>Motorola>Authentication
Centre
and log in.

Until initialization is completed the AuC Client will report an error when an attempt
is made to log in.

When logging into the AuC client for the first time, the user name and password are
admin and changeme1 (numeral 1) respectively.

3 Create the initial user(s). See Online Help for instructions on how to create new users.

Only users with user management permission can add users to the system and assign
their initial passwords. It is a requirement that the first user created must have full
permissions, including user management.
4 Restart the AuC Client and log in with the new user name just created. Change the new user
password as prompted.
5 Load the Master Key, according to instructions in Online Help.
6 Go to the NM-Client. Add each KVL to the System. Assign each KVL to one or more Zones.
Under UCS Configuration>Key Variable Loader>Setup a new KVL configure KVL Alias
with ID and System. Add all zones under Configuration. Each Zone must have at least one
KVL assigned to it.

Each KVL must be configured to zones that have no more than 237 entities (EBTS
and ZC).
7 Return to the AuC Client. Select Go Operational from the System menu.
The AuC will establish connections to the UCS, each ZDS and ATR. At this time, the AuC will
also synchronize itself with the UCS and each Zone Database. All Mobiles, KVLs, Base Sites,
Zones, Security Groups, and KVL-Zone assignments will be updated in the AuC. The audit trail
and events log can be reviewed to verify that all records have been added to the AuC database.
Each respective tab: Local Zones, Key Loaders, and Mobile Stations should display all records.
The Mobile Stations tab Search button will have to be clicked to update its display.
8 Check whether each KVL has a UKEK assigned to it. If not, assign an appropriate UKEK. See Online
Help for instructions on how to assign a UKEK to a KVL.
9 Import or manually enter SCK-TMO keys, for instructions see Online Help.

When only the Security Class 1 (no Air Interface Encryption, optional authentication)
is to be used, there is no need to import and assign any SCK-TMO keys. Continue
the procedure starting from step 11.
10 Set the next active SCK-TMO key, for instructions see Online Help.
11 Provision each infrastructure entity with a Ki, for instructions see Online Help.
12 Perform necessary key updates, according to Online Help instructions.

5-2 6802800U60-D March 2007


Authentication, Encryption and Provisioning - Installation and Configuration AuC Reconfiguration

AuC Reconfiguration

The following settings can be changed using the AuC Configuration Assistant, when necessary:
• IP settings, see Procedure 5-2
• Network Management (NM) settings, see Procedure 5-3

IP Settings Reconfiguration
Follow Procedure 5-2 to reconfigure IP settings using the AuC Configuration Assistant.
Procedure 5-2 How to Configure the IP settings using the AuC Configuration Assistant

1 Double click on the AuC Configuration Assistant icon on the desktop.

Alternatively you can run the following executable:


C:\Motorola\AuC\AuCServer\server\default\ca\aucca.exe
Result: The InstallShield welcome screen appears.
2 Click Next.
Result: The setup type dialog box appears.
3 Choose Configure IP settings and click Next.
Result: The information screen appears.
4 Click Next.
Result: You are prompted for the AuC Server IP address.
5 Enter the AuC Server IP address:
• for Primary AuC: 10.0.<cluster-ID>.219
• for Standby AuC: 10.0.<cluster-ID>.220
and Zone IDs for the hosts.

Use IP plan to obtain correct values for IP addresses and Zone IDs.
Result: The information screen appears.
6 Read the information and click Next.
Result: The summary information screen appears.
7 Click Finish.
Result: The IP settings configuration is completed.


NM Settings Reconfiguration
Follow Procedure 5-3 to reconfigure Network Management (NM) settings using
the AuC Configuration Assistant.
Procedure 5-3 How to Configure the Network Management (NM) Settings
Using the AuC Configuration Assistant

1 Double click on the AuC Configuration Assistant icon on the desktop.

Alternatively you can run the following executable:


C:\Motorola\AuC\AuCServer\server\default\ca\aucca.exe
Result: The InstallShield welcome screen appears.
2 Click Next.
Result: The setup type dialog box appears.
3 Choose Configure NM settings and click Next.
Result: You are prompted for the supported Network Management Database version.
4 Enter supported Network Management Database version using Add, Modify and Delete buttons.
Click Next to continue.
Result: The summary screen appears.
5 Click Finish.
Result: The NM settings configuration is completed.

Standby Database Configuration



A Standby AuC can be used in order to protect against loss of data. A standby database is a second
database that continuously runs transactions that were completed on the primary database. It receives
redo logs from the primary database. Redo logs are used by the Oracle® database to record all of the
transactions that are completed on the server. When a redo log fills up, it is archived at the primary
database and also sent to the standby machine. The standby machine then plays the transactions
in the redo log so that it can synchronize with the primary database.
Follow Procedure 5-4 to configure the standby database using the AuC Configuration Assistant.
If you encounter any problems while performing Procedure 5-4, execute Procedure 5-5
to configure the Oracle® database on a standby AuC database.


Before executing Procedure 5-4 or Procedure 5-5, make sure that the Master Key is already
loaded on the standby AuC and is identical to the one on the primary AuC.

To minimize the number of archive files that need to be copied to the standby database, it is
advised to perform the AuC database backup before configuring the standby AuC machine.
Procedure 5-4 How to Configure Standby Database Using the AuC Configuration Assistant

1 To ensure correct startup settings on the standby AuC, click Start on the Windows® task bar and
select Settings>Control Panel>Administrative Tools>Services.
2 Stop and set Startup type parameter to Manual for the following services:
• AUC
• AUC Master Agent
• AUC Sub Agent

To change the Startup type parameter, right click on the service and then choose
Properties. Choose the required value for Startup type and press OK.

If FullVision discovered the Standby AuC before disabling the agent, then the
contents of the APCO cloud container (aucAgent_10.0.<Cluster-ID>.220
and AuthenticationCentre_10.0.<Cluster-ID>.220) and the
APCO cloud container must be deleted from both the FullVision and FullVision
Administration Dimetra maps.
3 Close the Services window.
4 On the primary AuC, double click on the AuC Configuration Assistant icon on the desktop
to start configuration.

Alternatively you can run the following executable:


C:\Motorola\AuC\AuCServer\server\default\ca\aucca.exe
Result: The InstallShield welcome screen appears.
5 Click Next.
Result: The setup type dialog box appears.
6 Choose Configure primary and standby and click Next.
Result: The standby IP dialog box appears.

7 IF the standby IP address is incorrect because it points to the primary AuC, THEN:
1. Abort this procedure.
2. Execute Procedure 5-6.
3. Execute Procedure 5-4 from the beginning once again.
IF the standby IP address is incorrect for any other reason, THEN:
1. Abort this procedure.
2. Execute Procedure 5-7.
3. Execute Procedure 5-4 from the beginning once again.
IF the standby IP address is correct, THEN continue with current procedure.
8 Select Continue standby configuration and click Next.
Result: The Standby info panel appears.
9 Click Next.
Result: You are prompted for database administrator password on the primary machine.
10 Enter the primary machine database administrator password and click Next.
Result: You are prompted for database administrator password on the standby machine.
11 Enter the standby machine database administrator password and click Next.
Result: You are prompted for the system’s user password on the standby machine.
12 Enter the standby machine system’s user password and click Next.

If the passwords are identical on both machines (primary and standby), you can
leave this field empty.
Result: The standby database configuration process starts.
13 Wait while the standby database configuration is being performed.
Result: The summary of the standby configuration process appears.
14 Click Next.
Result: The summary screen appears.
15 Click Finish.
Result: The standby database configuration process is completed.

If you encounter any problems while performing Procedure 5-4, follow Procedure 5-5
to configure the Oracle® database on a standby AuC database.


Procedure 5-5 How to Configure a Standby Database

1 If a previous installation of the Authentication Centre database exists, you must delete the folder
standby_files from all PCs before carrying out this procedure.
2 Verify in the hosts file that auc01 has the IP address 10.0.<Cluster-ID>.220. The hosts
file is located:
• on Microsoft® Windows® Server 2003 in folder:
C:\Windows\system32\drivers\etc
• on Microsoft® Windows 2000 Server in folder:
C:\WINNT\system32\drivers\etc
The file may be edited with Notepad or WordPad.
3 On the Standby AuC machine, click Start on the Windows® task bar and select Settings>Control
Panel>Administrative Tools>Services.
4 Stop and set Startup type parameter to Manual for the following services:
• AUC
• AUC Master Agent
• AUC Sub Agent

To change the Startup type parameter, right click on the service and then choose
Properties. Choose the required value for Startup type and press OK.

If FullVision discovered the Standby AuC before disabling the agent, then the
contents of the APCO cloud container (aucAgent_10.0.<Cluster-ID>.220
and AuthenticationCentre_10.0.<Cluster-ID>.220) and the
APCO cloud container must be deleted from both the FullVision and FullVision
Administration Dimetra maps.
5 Start the AUC service.
6 Close the Services window.
7 Start the AuC Client:
• double click on the Authentication Centre icon on the desktop or
• click Start on the Windows® task bar and select Programs>Motorola>Authentication
Centre
and log in.

The AuC Server automatically starts as a Windows® service. The Server needs about
two minutes to initialize. Until initialization is completed the AuC Client will report
an error when an attempt is made to log in.


When logging into the AuC client for the first time, the user name and password are
admin and changeme1 (numeral 1) respectively.
8 Create the initial user(s). See Online Help for instructions on how to create new users.

Only users with user management permission can add users to the system and assign
their initial passwords. It is a requirement that the first user created must have full
permissions, including user management.
9 Restart the AuC Client and log in with the new user name just created. Change the new user
password as prompted.
10 Load the Master Key, according to instructions in Online Help.
11 Reboot the Standby AuC.
12 On the Primary AuC close the AuC Client if opened.
13 Click Start on the Windows® task bar and select Settings>Control Panel>Administrative
Tools>Services.
14 Right click on the AUC service and choose Stop.
15 Close the Services window.
16 Click Start on the Windows® task bar and select Programs>Accessories>Command Prompt to
open a command prompt window.
17 In the command prompt window type:
C:\>cd C:\Motorola\AuC\database\data\prod
and press Enter.
18 Type:
C:\Motorola\AuC\database\data\prod>production <password>
where password is the database administrator password specified during installation. Press Enter.
19 The system will perform several operations. Wait for these operations to finish. If the command
prompt cursor does not appear in twenty (20) minutes, type Ctrl-C to stop the process. Then try
executing the process again.
20 Return to the root folder of the C: drive by typing
C:\Motorola\AuC\database\data\prod>cd \
Press Enter.
21 Type:
C:\>dir
and check if a directory called standby_files exists. If the directory does not exist, repeat
step 17 through step 21.
22 Close the command prompt window.
23 On the Standby AuC click Start on the Windows® task bar and select Programs>Accessories>Windows Explorer.
24 Click on the Tools menu and then click on Map Network Drive...


25 Enter the IP address of the Primary AuC in the following format:
\\<IP address>\C$ in the designated area in the dialog box. Choose P: as the drive
letter and click Finish.

If a different password is used for the standby PC and the primary PC, then it may be
necessary to enter it after clicking Finish button.
26 Make sure that you now have access to the file system on the Primary AuC via the mapped drive.
27 Click Start on the Windows® task bar and select Programs>Accessories>Command Prompt.
28 In the command prompt window type:
C:\>cd C:\Motorola\AuC\database\data\standby
Press Enter.
29 Type:
C:\Motorola\AuC\database\data\standby>standby <password> P:\standby_files
where password is the database administrator password specified during installation. Press Enter.
30 In the command prompt window type:
SQL>quit
and press Enter.
31 Copy the Primary AuC hosts file to the Standby AuC hosts file. The hosts file is located:
• on Microsoft® Windows® Server 2003 in folder
C:\Windows\system32\drivers\etc
• on Microsoft® Windows® 2000 Server in folder
C:\WINNT\system32\drivers\etc
32 On the Primary AuC click Start on the Windows® task bar and select Programs>Accessories>Command Prompt.
33 In the command prompt window type:
C:\>sqlplus sys/<password> as sysdba
where password is the database administrator password specified during installation. Press Enter.
34 Type:
SQL>alter system switch logfile;
and press Enter.
35 Type:
SQL>quit
and press Enter.
36 Close the command prompt window.
37 Reboot the Primary AuC and log in to the AuC Client as usual.
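
Steps 2 and 31 of Procedure 5-5 rely on the hosts file being correct on both machines. The Python check below is an added example, not part of the AuC software: it verifies the auc01 entry against 10.0.<Cluster-ID>.220 and lists names whose mapping differs between the two files. The cluster ID 7, the sample file contents and the host name zds01.example are constructed.

```python
import ipaddress

PRIMARY_OCTET = 219  # page: Primary AuC is 10.0.<cluster-ID>.219
STANDBY_OCTET = 220  # page: Standby AuC is 10.0.<cluster-ID>.220


def parse_hosts(text):
    """Return {lower-cased name: [addresses in file order]} for a hosts file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        try:
            address = str(ipaddress.ip_address(address))
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in names:
            seen = table.setdefault(name.lower(), [])
            if address not in seen:
                seen.append(address)
    return table


def check_auc01(text, cluster_id, name="auc01"):
    """Return a list of problems with the auc01 entry (empty list means OK)."""
    if not 0 <= cluster_id <= 255:
        raise ValueError("cluster_id must fit in one octet")
    expected = f"10.0.{cluster_id}.{STANDBY_OCTET}"
    primary = f"10.0.{cluster_id}.{PRIMARY_OCTET}"
    addresses = parse_hosts(text).get(name.lower(), [])
    if not addresses:
        return [f"{name} has no entry"]
    problems = []
    if len(addresses) > 1:
        problems.append(f"{name} has conflicting entries: {', '.join(addresses)}")
    for address in addresses:
        if address == primary:
            problems.append(f"{name} points to the primary AuC address {primary}")
        elif address != expected:
            problems.append(f"{name} is {address}, expected {expected}")
    return problems


def hosts_differences(primary_text, standby_text):
    """Names whose mapping differs between the two files (step 31 copies one over the other)."""
    a, b = parse_hosts(primary_text), parse_hosts(standby_text)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


# Constructed sample files: cluster ID 7 and zds01.example are made up.
PRIMARY_HOSTS = """\
# constructed sample
127.0.0.1      localhost
10.0.7.220     auc01      # standby AuC
10.0.7.1       zds01.example
"""
STANDBY_HOSTS = """\
127.0.0.1      localhost
10.0.7.219     AUC01
10.0.7.220     auc01
"""

if __name__ == "__main__":
    print(check_auc01(PRIMARY_HOSTS, 7))
    print(check_auc01(STANDBY_HOSTS, 7))
    print(hosts_differences(PRIMARY_HOSTS, STANDBY_HOSTS))
```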


Standby AuC IP Reconfiguration


To change the standby AuC IP address follow:
• Procedure 5-6 if the standby IP address is incorrect because it points to the primary AuC
• Procedure 5-7 if the standby IP address is incorrect for any other reason

Procedure 5-6 How to Change the Standby IP using the AuC Configuration Assistant
when It Incorrectly Points to the Primary AuC

1 Double click on the AuC Configuration Assistant icon on the desktop.

Alternatively you can run the following executable:


C:\Motorola\AuC\AuCServer\server\default\ca\aucca.exe
Result: The InstallShield welcome screen appears.
2 Click Next.
Result: The setup type dialog box appears.
3 Choose Configure primary and standby and click Next.
Result: You are prompted for the IP address of the standby machine.
4 Enter the IP address of the standby AuC and click Next.
Result: Information about changing IP address of the standby machine appears in the dialog box.
5 Click Next.
Result: A summary information screen appears.
6 Click Finish.
Result: The IP address of the standby machine is configured.

Procedure 5-7 How to Configure Standby IP using the AuC Configuration Assistant

1 Double click on the AuC Configuration Assistant icon on the desktop.

Alternatively you can run the following executable:


C:\Motorola\AuC\AuCServer\server\default\ca\aucca.exe
Result: The InstallShield welcome screen appears.
2 Click Next.
Result: The setup type dialog box appears.
3 Choose Configure primary and standby and click Next.
Result: The standby IP dialog box appears.
4 Select Change IP of standby machine and click Next.
Result: You are prompted for the IP address of the standby machine.

5 Enter the IP address of the standby AuC and click Next.
Result: Information about changing IP address of the standby machine appears in the dialog box.
6 Click Next.
Result: A summary information screen appears.
7 Click Finish.
Result: The IP address of the standby machine is configured.

Activating the Standby Database



Procedure 5-8 and Procedure 5-9 will stop the Standby Mode and the
copying of logs from the primary database! Activation of the Standby Database
should only occur when the Primary AuC has failed!

The standby database will remain in standby mode and continue copying logs from the primary database
until standby mode is cancelled. Once the standby database is active, the Authentication Centre server
will need to be redirected to the new database and then restarted. Follow Procedure 5-8 to activate the
standby AuC database using the AuC Configuration Assistant. If you encounter any problems
while performing Procedure 5-8, execute Procedure 5-9 to activate the standby AuC database.

Procedure 5-8 and Procedure 5-9 assume that the Primary AuC is powered
down or has been shut down.


Procedure 5-8 How to Activate Standby AuC Database Using the AuC Configuration Assistant

1 Double click on the AuC Configuration Assistant icon on the desktop.

Alternatively you can run the following executable:

C:\Motorola\AuC\AuCServer\server\default\ca\aucca.exe
Result: The InstallShield welcome screen appears.
2 Click Next.
Result: The setup type dialog box appears.
3 Select Activate standby database and click Next.
Result: You are prompted for the database administrator password.
4 Enter the database administrator password and click Next.
Result: The standby database activation process starts.
5 Wait while the activation proceeds.
Result: You are prompted for the AuC Server IP address.
6 Enter the AuC Server IP address:
• for Primary AuC: 10.0.<cluster-ID>.219
• for Standby AuC: 10.0.<cluster-ID>.220
and Zone IDs for the hosts.

Use IP plan to obtain correct values for IP addresses and Zone IDs.
Result: The information screen appears.
7 Read the information and click Next.
Result: You will be prompted for supported Network Management Database version.
8 Enter supported Network Management Database version using Add, Modify and Delete buttons.
Click Next to continue.
Result: The summary screen appears.
9 Click Finish.
Result: The standby AuC database activation process is completed.

If you encounter any problems while performing Procedure 5-8, follow Procedure 5-9
to activate the standby AuC database.


Procedure 5-9 How to Activate the Standby Database

1 Power down the Primary AuC.


2 On the Standby AuC click Start on the Windows® task bar and select Programs>Accessories>Command Prompt.
3 In the command prompt window type:
C:\>sqlplus sys/<password> as sysdba
where password is the database administrator password specified during installation. Press Enter.
4 Once you have established a connection, enter the following command:
SQL>recover managed standby database cancel;
and press Enter.
Result: You should see the Media Recovery Complete message.
5 In order to fully activate the database and use it in place
of the primary database, type the following command:
SQL>alter database activate standby database;
then press Enter.
6 Type:
SQL>quit
and press Enter.
7 Close the command prompt window.
8 Change the IP address of the Standby AuC in the Local Area Connection to the original Primary
AuC address, for example: 10.0.<Cluster-ID>.219.
9 Click Start on the Windows® task bar and select Settings>Control Panel>Administrative
Tools>Services.
10 Set Startup type parameter to Automatic for the following services:
• AUC
• AUC Master Agent
• AUC Sub Agent

To change the Startup type parameter, right click on the service and then choose
Properties. Choose the required value for Startup type and press OK.
11 Close the Services window.
12 Restart the new Primary AuC. When rebooting is complete, the primary machine will be ready
for use.
13 Open and log into the AuC client application as if you were working on the original primary
machine. You should find your data.
14 After another machine is acquired or the old one is repaired, set up the machine as the new
Standby AuC according to "Standby Database Configuration" on page 5-4.



Chapter 6: AuC Database Backup and Restore

The Oracle® database provides the capability to perform a backup without shutting down the database. This
backup procedure, also known as a hot backup, allows the database to be available at all times for mission
critical applications. Even though a hot backup can be taken at any time, it is recommended that hot backups are
planned for times when there is minimal database activity. The procedures for configuring the database for a
hot backup, performing the backup, and restoring the backup are presented in the following sections. If the
intention is to back up the AuC database via a network connection to a machine that is external to the database
server, it is suggested that the Standby AuC machine be used for this. This is an effective approach
since this machine already has an established network connection to the database server.

This chapter covers the following topics:


• "Backup Guidelines"
• "Verifying if the Database is in Archive Log Mode"
• "Preparations for Storing Backup Files on a Remote Computer"
• "Performing Database Backup"
• "Restoring the AuC Database"
• "Restarting the Restored AuC"
• "Cleaning up the AuC Database"

Backup Guidelines

The AuC should be backed up in the following circumstances:


• At the end of every week
• At the end of every day when new sites are added
• At the end of every day after a bulk load of radios
• At the end of every day when a key distribution has taken place


It is important to manage the number of backups located on a single AuC. It is currently advised
that no more than 3 backups should reside on a single AuC in order to prevent memory issues.
Therefore, the fourth (oldest) backup should always be completely deleted from the AuC.

Verifying if the Database is in Archive Log Mode



In order to perform hot backups, the database must be in archive log mode. Follow Procedure 6-1
to verify if the database is in archive log mode.

The database was put into archive log mode during the Authentication Centre database installation.
Procedure 6-1 How to Verify if the Database is in Archive Log Mode

1 Click Start on the Windows® task bar and select Programs>Accessories>Command Prompt.
2 In the command prompt window type:
C:\>sqlplus sys/<password> as sysdba
where password is the database administrator password specified during installation. Press Enter.
3 Type:
SQL>archive log list
and press Enter.
4 Make sure that the database log mode is Archive Mode.
5 Type:
SQL>quit
and press Enter.
6 Close the command prompt window.


Preparations for Storing Backup Files on a Remote Computer

It is recommended to perform backups directly to a remote computer. To enable storing
backup files on a remote machine, perform the following procedures:
• Create a new user on a remote computer, see Procedure 6-2
• Create a shared backup folder on a remote computer, see Procedure 6-3
• Start the AUC Service with a new user, see Procedure 6-4

Creating a New User on a Remote Computer


When performing backups directly to a remote computer, the user logged on the AuC Server and the user
present on the remote computer must be identical. If there is no such user, create it according to Procedure 6-2.
Procedure 6-2 How to Create a New User on a Remote Computer

1 On the remote computer, click Start on the Windows® task bar and select Settings>Control
Panel>Administrative Tools>Computer Management.
2 In the navigation tree, expand Local Users and Groups.
3 Right click on Users and select New User...
4 Enter the information for the user and press Create.
5 Close the Computer Management window.

Creating a Shared Backup Folder on a Remote Computer


Follow Procedure 6-3 to create a shared folder on a remote computer.
Procedure 6-3 How to Create a Shared Backup Folder on a Remote Computer.

1 On the remote computer create a folder.


2 Right click on the created folder and enable sharing.
3 Enter the information for the shared folder in the Sharing tab.
4 Click the Permissions button.

Depending on the operating system version, it may say Security instead of
Permissions.

5 Click the Add button.
6 Select the user created in Procedure 6-2 and then click OK.
7 Give full control to the added user.
8 Click OK to save the shared folder properties.

Starting the AuC Service with the New User


The AUC Service must be running with the user that is used to log on the AuC Server. Follow
Procedure 6-4 to start the AuC service with the new user.
Procedure 6-4 How to Start the AUC Service with the New User

1 Close the AuC Client if opened.


2 On the AuC Server, click Start on the Windows® task bar and select Settings>Control
Panel>Administrative Tools>Services.
3 Double click on AUC service to open its Properties window.
4 Select the Log On tab and click on the radio button This account.
5 Click on the Browse... button.
6 Find the user that is used to log on the AuC Server and click OK.
7 Enter the password in the two fields provided and then click OK.

When changing the Windows password, remember to update this password
accordingly.
8 Start the AUC service.
9 Close the Services window.


Performing Database Backup



A user that has database management permissions can start a backup on demand from the AuC client. The
client can also be used to set the database backup schedule. See Online Help for more information about:
• setting destination for backup files
• setting database backup schedule
• starting database backup

Database Backup Files


A new folder is created for each backup. The folder name uses the system date and time and follows
the pattern YYYYMMDD_HHMMSS. The time is in 24-hour clock format. If the backup is
taken on May 6, 2005 at 12:00 a.m., then the backup procedure will create the folder 20050506_000000.
A typical database backup set contains the following files and the archive directory:
• CONTROL.BAK
• INDX01.DBF
• KeyVersions.TXT
• PWDAUC.ORA
• SPFILEAUC.ORA
• SYSAUX01.DBF
• SYSTEM01.DBF
• UNDOTBS01.DBF
• USERS01.DBF
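
The following Python sketch is an added example, not Motorola's code or part of the AuC tooling. It walks a backup destination, checks each YYYYMMDD_HHMMSS folder against the file list above, picks the newest complete set to restore from, and flags folders beyond the three-backup limit given in the Backup Guidelines. The sample folders are constructed, and accepting any subdirectory as the archive directory is an assumption, because the page does not give that directory's name.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# File names this page lists for a typical backup set.
EXPECTED_FILES = (
    "CONTROL.BAK", "INDX01.DBF", "KeyVersions.TXT", "PWDAUC.ORA",
    "SPFILEAUC.ORA", "SYSAUX01.DBF", "SYSTEM01.DBF", "UNDOTBS01.DBF",
    "USERS01.DBF",
)
MAX_BACKUPS = 3  # the page advises no more than 3 backups on a single AuC
FOLDER_RE = re.compile(r"\d{8}_\d{6}")


def parse_backup_time(name):
    """Return the datetime encoded in a YYYYMMDD_HHMMSS name, or None."""
    if not FOLDER_RE.fullmatch(name):
        return None
    try:
        return datetime.strptime(name, "%Y%m%d_%H%M%S")
    except ValueError:  # right shape, impossible date (month 13, hour 25)
        return None


def missing_items(backup_dir):
    """Return what a backup folder lacks compared with the listed set."""
    entries = {p.name.upper(): p for p in backup_dir.iterdir()}
    missing = []
    for name in EXPECTED_FILES:
        entry = entries.get(name.upper())  # Windows names are case-insensitive
        if entry is None or not entry.is_file() or entry.stat().st_size == 0:
            missing.append(name)
    # Assumption of this example: the page mentions an archive directory but
    # not its name, so any subdirectory is accepted.
    if not any(p.is_dir() for p in entries.values()):
        missing.append("<archive directory>")
    return missing


def review_backups(root):
    """Classify the backup folders under root. Read-only: nothing is deleted."""
    dated, ignored = [], []
    for p in Path(root).iterdir():
        when = parse_backup_time(p.name) if p.is_dir() else None
        if when is None:
            ignored.append(p.name)
        else:
            dated.append((when, p))
    dated.sort(reverse=True)  # newest first
    incomplete = {}
    for _, p in dated:
        gaps = missing_items(p)
        if gaps:
            incomplete[p.name] = gaps
    complete = [p.name for _, p in dated if p.name not in incomplete]
    restore_from = complete[0] if complete else None
    # Safeguard added by this example: never flag the newest complete backup
    # for deletion, even if it is older than the three most recent folders.
    prune = [p.name for _, p in dated[MAX_BACKUPS:] if p.name != restore_from]
    return {
        "restore_from": restore_from,
        "incomplete": incomplete,
        "prune": prune,
        "ignored": sorted(ignored),
    }


def build_sample(root):
    """Create constructed sample backup folders for the demonstration."""
    root = Path(root)
    layout = {
        "20050506_000000": EXPECTED_FILES,       # oldest, complete
        "20050507_231500": EXPECTED_FILES,       # complete
        "20050508_104551": EXPECTED_FILES,       # complete
        "20050509_020000": EXPECTED_FILES[:-1],  # newest, USERS01.DBF missing
        "20051340_000000": EXPECTED_FILES,       # impossible date
    }
    for folder, files in layout.items():
        # "archive" is a made-up subdirectory name for the sample data.
        (root / folder / "archive").mkdir(parents=True)
        for name in files:
            (root / folder / name).write_bytes(b"constructed sample data")
    (root / "notes.txt").write_text("not a backup")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in review_backups(build_sample(tmp)).items():
            print(f"{key}: {value}")
```

The script only reports; deleting the flagged folders remains a manual step.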

Restoring the AuC Database



Several situations would require an AuC database restore. The most common is that either the hard drive
containing the database stops functioning, or one or more of the files containing data becomes corrupt.
The Authentication Centre database uses a RAID 1 configuration with hot-swap drives, so if one hard
drive fails, the operator is notified to replace the bad hard drive and the system will automatically recover.
However, if both drives were unavailable, an AuC database restore would be needed.


The AuC Service must be stopped before performing the database restore. The files
from the backup folder with the latest time stamp should be used for the restoration.
Follow Procedure 6-5 to restore the AuC database using the AuC Configuration Assistant. If you
encounter any problems while performing Procedure 6-5, execute Procedure 6-6 to restore the AuC database.
Procedure 6-5 How to Restore the AuC Database Using the AuC Configuration Assistant

1 Double click on the AuC Configuration Assistant icon on the desktop.

Alternatively you can run the following executable:

C:\Motorola\AuC\AuCServer\server\default\ca\aucca.exe
Result: The InstallShield welcome screen appears.
2 Click Next.
Result: The setup type dialog box appears.
3 Select Database management and click Next.
Result: The database management setup type dialog box appears.
4 Select Restore database and click Next.
Result: You are prompted for the directory containing the backup files.
5 Enter the directory containing the backup files and click Next.

The backup directory is named in the form YYYYMMDD_HHMMSS. For example:


restore dir = C:\AucBackup20050508_104551\
would be selecting a previous backup taken on the 8th May 2005 at
10:45:51 a.m.

The backup directory will depend on where the current valid backup is stored. If
the Backup was stored remotely, then it must first be restored to the AuC backup
directory.
Result: You are prompted for the database administrator password.
6 Enter the database administrator password and click Next.
Result: The database restoration process starts.
7 Wait while the database is being restored.
Result: Information window with a summary of the restoration process appears.
8 Click Next.
Result: A summary screen appears.
9 Click Finish.
Result: The AuC database restoration process is completed.


If you encounter any problems while performing Procedure 6-5, follow Procedure 6-6
to restore the AuC database.
Procedure 6-6 How to Restore the AuC Database

1 If the AuC Client is running, select System from menu bar and select Go Out of Service.
2 Log out of the AuC Client.
3 Click Start on the Windows® task bar and select Settings>Control Panel>Administrative
Tools>Services.
4 Stop the AUC service.
5 Close the Services window.
6 Click Start on the Windows® task bar and select Programs>Accessories>Command Prompt.
7 In the command prompt window type:
restore dir = <path to backup directory>
and press Enter.

The backup directory is named in the form YYYYMMDD_HHMMSS. For example:


restore dir = C:\AucBackup20050508_104551\
would be selecting a previous backup taken on the 8th May 2005 at
10:45:51 a.m.

The backup directory will depend on where the current valid backup is stored. If
the Backup was stored remotely, then it must first be restored to the AuC backup
directory.
Result: A password dialog box for Oracle SYS appears.
8 Type the database administrator password and press Enter.
Result: Another command window appears and then closes – be patient. A message appears
when the database restore is complete. Check for error messages during the restore. If an error
occurs, repeat the restore procedure.
9 Close the command prompt window.


Restarting the Restored AuC



Follow Procedure 6-7 to restart the restored AuC database.


Procedure 6-7 How to Restart the Restored AuC

1 Click Start on the Windows® task bar and select Settings>Control Panel>Administrative
Tools>Services.
2 Right click on the AUC service and choose Start.
3 Close the Services window.
4 Log in to the AuC Client.

The service needs about two minutes to initialize. Until initialization is completed the
AuC Client will report an error when an attempt is made to log in.
Result:
• If operating in stand-alone mode, e.g. Non-nationwide, an Update CCK Version screen will
be presented.
• If operating in Nationwide mode, no splash screen will be seen, as the Master AuC will
automatically synchronize the nationwide keys (KEKm and CCK). Move to step 6.

If operating in Nationwide mode and the Update CCK Version screen is seen,
check the AuC connectivity to the network as there will be a fault. Repair the
fault before executing following steps.
5 If operating in stand-alone mode select Option 1 and use the value suggested for Modify CCK
Version plus 2.
6 The AuC should now be back in an operational state, if not then select the System option in the
top tool bar and select Go Operational. The event is logged in the Events window.

It is ESSENTIAL that a new AuC backup is taken. A criterion for restoration is that the
restoration database contains the same KEKz as the operation system.


Cleaning up the AuC Database



Follow Procedure 6-8 to clean up the AuC database.

The clean up procedure should only be executed as a last resort as it
will erase the AuC database. If instructed to execute this procedure,
please verify that you have a current database backup file or be prepared
to reprovision all zones and EBTS in the system!

Procedure 6-8 How to Clean Up the AuC Database

1 Click on the AuC Configuration Assistant icon on the desktop.

Alternatively, you can run the following executable:
C:\Motorola\AuC\AuCServer\server\default\ca\aucca.exe
Result: The InstallShield welcome screen appears.
2 Click Next.
Result: The setup type screen appears.
3 Choose Database management and click Next.
Result: The database management setup type dialog box appears.
4 Choose Clean and initialize database with default values and click Next.
Result: You are prompted for the database administrator password.
5 Type the database administrator password and click Next.
6 Wait while the database is cleaned up until a summary screen appears. Click Finish.
Result: The database is cleaned up.
7 Configure the AuC according to "Initial AuC Configuration" on page 5-1.



Chapter 7: PrC Hardware

This chapter provides the PrC hardware configuration description.

PrC Hardware Configuration



PrC hardware consists of the following elements (only one of the PC models is used):
• DELL OptiPlex GX270 PC
◦ 1 GB RAM memory
◦ CD-RW/DVD-ROM Drive
◦ 40+ GB Hard Disk
• HP xw4300 PC
◦ 1 GB RAM memory
◦ CD-RW/DVD-ROM Drive
◦ 40 GB+ Hard Disk
• HP xw4400 PC
◦ 2 GB RAM memory
◦ DVD-RW Drive
◦ 160 GB Hard Disk
• PrC Crypto Card
• Modem (optional)
• KVL 3000 Plus, with
◦ Key Loading Cable
◦ RS-232 Null Modem Cable



Chapter 8: PrC Software Installation and Uninstallation

The Provisioning Centre (PrC) is a Windows® based, client/server software application. The PrC
generates, stores, and tracks delivery of K and SCK-TMO keys to the subscriber Mobile Stations
(MSs), using the Key Variable Loader (KVL) as a proxy to transport and confirm delivery of the
keys to the Mobile Stations. In addition, the PrC generates and exports a file containing K-REF
pairs to the Authentication Centre (AuC). The file can be written to a CD.

The Provisioning Centre (PrC) is an optional feature of a Dimetra IP system.


This chapter covers the following topics:
• "Before Beginning the Installation"
• "Installing the PrC Software"
• "Uninstalling the PrC Software"

Before Beginning the Installation



Before installing the PrC, the Microsoft® Windows XP operating system with Service Pack 1 or 2 must be installed.


Installing the PrC Software



The complete PrC software application consists of:


• PrC Database, for installation information see Procedure 8-1
• PrC Server and Client application, for installation information see Procedure 8-2

Procedure 8-1 How to Install the PrC Database

1 Insert the Provisioning Centre CD into the CD drive.


Result: The InstallShield wizard welcome screen appears.
2 Click Next.
Result: The setup type screen appears.
3 Leave the default selection (Database) and click Next.
Result: The next setup type screen appears.
4 Leave the default selection (Install Database) and click Next.
Result: The summary screen appears.
5 Click Next.
Result: You will be prompted for the database administrator password.
6 Type the database administrator password twice in the Password and Confirm Password
fields and click Next.

This password will be used during database recoveries.


Result: The Oracle® Universal Installer screen appears.
7 Wait until it finishes.
Result: The Database Creation Progress screen appears.
8 Wait until the Oracle® Database Configuration Assistant Alert screen appears. Click OK.
9 Wait while the installation proceeds until the summary screen appears. Click Finish.
Result: The PrC Database installation is completed.


Procedure 8-2 How to Install the PrC Server and Client

1 Insert the Provisioning Centre CD into the CD drive.


Result: The InstallShield wizard welcome screen appears.
2 Click Next.
Result: The setup type screen appears.
3 Select Server and Client and click Next.
Result: The installation process starts.
4 Wait while the installation proceeds until the summary screen appears. Click Finish.
5 Restart the computer.

After completing the PrC software installation, it is recommended to back up your
database. This and other procedures relating to the PrC Databases can be found
in Chapter 9, "PrC Database Backup and Restore".

Uninstalling the PrC Software



To uninstall the PrC software you need to uninstall:


• PrC Server and Client, see Procedure 8-3
• PrC Database, see Procedure 8-4

This procedure applies only to uninstallation of the 5.5SER or 6.0 PrC Database. To uninstall
an older release of the PrC Database, follow Procedure 8-5.
If an installation or uninstallation failed or was stopped, it might be necessary to manually remove
the PrC Database components. To do so, follow Procedure 8-5.


Procedure 8-3 How to Uninstall the PrC Server and Client

1 Click the Start button on the Windows® task bar.


2 Select Settings>Control Panel>Add/Remove Programs.
Result: The Add/Remove Programs window is displayed.
3 Select Provisioning Centre, then click Change/Remove.
Result: The InstallShield welcome dialog box is displayed.
4 Click Next.
Result: The tree with installed PrC components appears.
5 Select Provisioning Centre Client and Provisioning Centre Server. Click Next.
Result: The summary screen appears.
6 Click Next.
7 Wait while the uninstallation proceeds. Click Finish.
Result: The uninstallation of the PrC Server and Client is completed.

Procedure 8-4 How to Uninstall the PrC Database

1 Click the Start button on the Windows® task bar.


2 Select Settings>Control Panel>Add/Remove Programs.
Result: The Add/Remove Programs window is displayed.
3 Select Provisioning Centre, then click Change/Remove.
Result: The InstallShield welcome dialog box is displayed.
4 Click Next.
Result: The tree with installed PrC components appears.
5 Select Product Uninstallation. Provisioning Centre Database will be automatically selected.
Click Next.
Result: The summary screen appears.
6 Click Next.
Result: An information screen appears. The screen contains instructions which should be
followed when Oracle® Universal Installer launches. The instructions are repeated in
consecutive steps of this procedure.
7 Click Next.
8 Wait while the uninstallation proceeds.

If the Remove Existing File window appears click Yes to All.


Result: The Oracle® Universal Installer window appears.
9 Click Deinstall Products...

10 Under Oracle Homes top level tree element, select the Oracle10g (or Oracle8i, respectively)
checkbox and click Remove...
11 Click Yes.
12 Wait while Oracle components are uninstalled. Click Close.
13 Click Cancel and then Yes to close the Oracle® Universal Installer window.
Result: The information screen appears.
14 Click Next.

If an error message appears on the screen, look at the log file for details (the file name
is displayed on the screen). Then follow Procedure 8-5 to manually remove the
database. Please note that some steps of the procedure might not be necessary if some
actions have already been performed by the uninstaller.
15 Choose if you want to restart your computer now or at a later time and click Finish.

Procedure 8-5 How to Uninstall the PrC Database Manually

1 Click the Start button on the Windows® task bar.


2 Select Settings>Control Panel>Administrative Tools>Services.
Result: The Services dialog box appears.
3 Select all Oracle and PrC services one by one and click Stop.
4 Close the Services dialog box.
5 Click Start on the Windows® task bar and then Run...
6 Enter regedit and click OK.
7 In the Registry Editor window go to HKEY_CLASSES_ROOT and delete any keys that begin
with Oracle, Ora, EnumOra or ORCL.
8 Delete the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key.
9 Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key and delete any
keys that begin with Oracle or PrC.
10 Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
key and delete any keys that begin with Oracle.
11 Delete the HKEY_CURRENT_USER\Software\Oracle key.
12 Delete the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\StartMenu\Programs\Oracle — Oracle10g or 8i key.
13 Delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a28923fa7b248519e90d74eac5f0e40b key.
14 Close the Registry Editor.
15 Click Start in the Windows® taskbar, Settings> Control Panel> System and then Advanced>
Environment Variables…

16 Select System variables> Path and Edit.
17 Delete any Oracle entries from the variable and click OK.
18 Click OK to close the Environment Variables window.
19 Click OK to close the System Properties window.
20 Open the Windows® profiles directory for all users and select Start Menu and Programs (system
dependent location, but for example D:\Profiles\All Users\Start Menu\Programs).
21 Delete:
• Oracle — Oracle10g or 8i directory
• C:\Oracle directory
• C:\Program Files\Oracle directory
• C:\Motorola\PrC directory
22 Optionally: remove the C:\WINNT\vpd.properties file.
23 Restart the computer.



Chapter 9: PrC Database Backup and Restore

This chapter covers the following topics:


• "Database Backup"
• "Restoring the PrC Database"
• "Cleaning up the PrC Database"

Database Backup

The Oracle® database provides the capability to perform a backup without shutting down
the database. This backup procedure, also known as a ’hot’ backup, allows the database to
be available at all times for mission critical applications.

Even though a hot backup can be made at any time, it is recommended that it be
planned for times when there is minimal database activity.

Configuring the PrC Database for Hot Backups


The PrC Database will be backed up to a local drive. During installation the database is placed
into archived log mode, so that hot backups may be taken.

Archived log mode generates files in the c:\oracle\oradata\prc\archive directory. The contents
of this directory will be removed when a backup is performed, and it is important to perform
backups regularly so that these files do not take up excessive hard disk space.
Follow Procedure 9-1 to configure the PrC Database for hot backups.


Procedure 9-1 How to Configure the PrC Database for Hot Backups

1 Create a folder for the backups. Open Windows Explorer. From the File menu, choose the New
option, and select Folder. Type the name of the database backup destination.

The default database backup destination for the PrC is C:\PrCBackup. Using the
default path is recommended, as this will save a step later on in the configuration
process.
2 Click on the PrC Client desktop icon.
Result: First the PrC Splash screen shows up. Then the Provisioning Centre Login dialog box
appears (see Figure 9-1).

Figure 9-1 The Provisioning Centre Login Dialog Box

3 Type the User Name and the Password and then click OK to log in.
Result: The PrC Client main window appears (see Figure 9-2).

Figure 9-2 The PrC Main Client Window

4 Select System>PrC Database from the main PrC Client menu.
Result: The PrC Database dialog box appears (see Figure 9-3).

Figure 9-3 The PrC Database Dialog Box

5 Enter the name of the database backup destination in the Path field and click OK.
Result: The PrC will attempt to validate the path to ensure that it exists. If the path does not exist,
an error message will appear; if it does, the PrC Database dialog box will close.

The next time the PrC Database dialog box is opened, the most recently specified
path will be displayed.

Performing the Backup


A backup can be started on demand from the PrC client. Follow Procedure 9-2 to
perform the PrC Database backup.
Procedure 9-2 How to Perform the PrC Database Backup

1 Click on the shortcut for the PrC Client.


Result: First the PrC Splash screen shows up. Then the Provisioning Centre Login dialog box
appears (see Figure 9-1, on page 9-2).
2 Type the User Name and the Password and then click OK to log in.
Result: The PrC Client main window appears (see Figure 9-2, on page 9-2).

3 Select System>PrC Database from the main PrC Client menu.
Result: The PrC Database dialog box appears.
See Figure 9-3, on page 9-3.
4 Click Start Backup Now.
Result: The Start PrC Database Backup dialog box appears (see Figure 9-4).

Figure 9-4 The Start PrC Database Backup Dialog Box

5 Click Yes. The backup of the database starts. The Backup in Progress field in the PrC Database
dialog box changes to Yes. The backup icon appears in the Status Bar (see Figure 9-5) and
a "PrC Backup Started" event is displayed in the Events Pane at the bottom of the
PrC Client window.

You can continue to perform other operations on the PrC Client, but they may run
slightly slower due to the backup operation taking place. You will not be able to
start a new backup, until the current backup is complete. Once backup is initiated it
cannot be canceled.

Figure 9-5 The Status Bar During Database Backup

6 After about 2 minutes, when the PrC database backup process is completed, the backup icon
disappears from the Status Bar, and a "PrC Backup Complete" event is displayed
in the Events Pane.

Database Backup files


A new folder will be created for each backup that is made.
The folder name uses the system date and time, and follows the pattern: YYYYMMDD_HHMMSS
The time is in a 24-hour format. If the backup is taken on May 6, 2002 at 12:00 am, then
the backup procedure will create the folder 20020506_000000.
A typical database backup set contains the following files and the archive directory:
• PRC.ORA
• CONTROL.BAK
• INDX01.DBF
• INIT.ORA
• PWDPRC.ORA
• RBS01.DBF
• SYSTEM01.DBF
• TEMP01.DBF
• TOOLS01.DBF
• USER01.DBF

Verification
You can verify that the backup was successful by making sure that all of the files and the archive directory
are present in the backup destination directory when the backup has completed.

Once the backup is complete, the directory and its contents can be burned to a CD.

Restoring the PrC Database



Several situations may require a database restore. Some of the more common problems are the following:
• Hard drive failure
• A data file becomes corrupt
• A user accidentally deletes a large amount of data

It is recommended that the latest backup set taken be used for the database restore since all of the data that
was entered since the backup will be lost. In order to perform a database restore you will need the password
for the sys user. Remember that this is the password that was set at the end of the PrC Database installation.
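
The presence check described under Verification, combined with the advice to restore from the latest backup set, can be scripted before the restore command is run. The following Python code is an added example and not part of the Motorola software; it treats the manual's typical file list as required, assumes the archive directory is named "archive", and builds constructed sample backup sets in a temporary folder.

```python
import os
import re
import tempfile
from datetime import datetime

# File names the manual lists for a typical PrC backup set.
EXPECTED_FILES = (
    "PRC.ORA", "CONTROL.BAK", "INDX01.DBF", "INIT.ORA", "PWDPRC.ORA",
    "RBS01.DBF", "SYSTEM01.DBF", "TEMP01.DBF", "TOOLS01.DBF", "USER01.DBF",
)
ARCHIVE_DIR = "archive"  # assumption: the manual only says "the archive directory"
SET_NAME = re.compile(r"\d{8}_\d{6}")


def parse_set_name(name):
    """Return the datetime encoded in a YYYYMMDD_HHMMSS folder name, or None."""
    if not SET_NAME.fullmatch(name):
        return None
    try:
        return datetime.strptime(name, "%Y%m%d_%H%M%S")
    except ValueError:  # right shape but impossible date, e.g. month 13
        return None


def check_backup_set(path):
    """Return a list of problems found in one backup set folder (empty list = OK)."""
    problems = []
    name = os.path.basename(os.path.normpath(path))
    if parse_set_name(name) is None:
        problems.append("folder name is not a valid YYYYMMDD_HHMMSS timestamp")
    if not os.path.isdir(path):
        return problems + ["not a directory"]
    # Compare case-insensitively: copies to CD or another file system may change case.
    entries = {entry.upper(): entry for entry in os.listdir(path)}
    for wanted in EXPECTED_FILES:
        found = entries.get(wanted.upper())
        if found is None or not os.path.isfile(os.path.join(path, found)):
            problems.append("missing file " + wanted)
    archive = entries.get(ARCHIVE_DIR.upper())
    if archive is None or not os.path.isdir(os.path.join(path, archive)):
        problems.append("missing archive directory")
    return problems


def latest_complete_set(backup_root):
    """Return (path, timestamp) of the newest set that passes every check, or None."""
    candidates = []
    for entry in os.listdir(backup_root):
        stamp = parse_set_name(entry)
        full = os.path.join(backup_root, entry)
        if stamp is not None and not check_backup_set(full):
            candidates.append((stamp, full))
    if not candidates:
        return None
    stamp, full = max(candidates)
    return full, stamp


def build_constructed_demo(root):
    """Create constructed sets: one complete, one newer but incomplete, one misnamed."""
    def make(name, skip=()):
        folder = os.path.join(root, name)
        os.makedirs(os.path.join(folder, ARCHIVE_DIR))
        for fname in EXPECTED_FILES:
            if fname not in skip:
                with open(os.path.join(folder, fname), "wb") as handle:
                    handle.write(b"constructed placeholder")
    make("20020506_000000")
    make("20020507_101500", skip=("SYSTEM01.DBF",))
    make("20021345_000000")  # month 13: matches the shape, not a real date


def run_demo():
    """Check every constructed set and return (report, name of the set to restore)."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_demo(root)
        report = {name: check_backup_set(os.path.join(root, name))
                  for name in sorted(os.listdir(root))}
        best = latest_complete_set(root)
        return report, os.path.basename(best[0])


if __name__ == "__main__":
    report, chosen = run_demo()
    for name, problems in report.items():
        print(name, "OK" if not problems else problems)
    print("restore dir =", chosen)
```

The newest folder is skipped when it is incomplete, so the path passed to restore is the most recent set that contains every listed file and the archive directory.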


Database Restore
The database restore will restore all data that was committed up to the point of the database failure.
The PrC database restore requires the procedures listed in Process 9-1.
Process 9-1 PrC - Database Restore Overview

1 Ensure the PrC Service is not running. See Procedure 9-5


2 If necessary, install the Oracle® database and database schema. See Chapter 8, "PrC
Software Installation and Uninstallation".
3 Perform a database restore. See Procedure 9-3
4 Restart the PrC Service. See Procedure 9-4
5 Wait one minute, then log into the PrC service to verify that all the data has been restored.

Follow Procedure 9-3 to restore the PrC database.


Procedure 9-3 How to Restore the PrC Database

1 Click on the Start button on the Windows® task bar, click Run, then click OK.
Result: The Run dialog box appears.
2 Enter cmd in the Open field and click OK
Result: The command prompt window appears.
3 Enter:
restore dir = <backup directory>

If the backup files are on a CD, then insert the CD at this point.

An example of using the restore command is:
restore dir=E:\prc_backups\20020506_000000
Result: A password dialog box appears.
4 Enter the database administrator password and press Enter.
Result: The restore process is initiated. When the restore is complete, the message below will
appear:
Database recover complete


Restarting the PrC Service


Follow Procedure 9-4 to restart the PrC service.

Make sure that the PrC Client is closed before executing Procedure 9-4.
Procedure 9-4 How to Restart the PrC Service

1 Click on the Start button on the task bar, then select Settings>Control Panel>Administrative
Tools>Services.
Result: The Services window appears.

Figure 9-6 The Services Window

2 Locate the name PrC in the Name column.


3 Right click the PRC and select the Start option from the menu.

When the status is stopped the status column will be empty.

Result: The PrC Status column will change to Started.


4 Close the Services window when you have started the PrC service.


Ensuring the PrC Service is not Running


Follow Procedure 9-5 to stop the PrC service, in case it is running.
Procedure 9-5 How to Ensure the PrC Service is not Running

1 Click on the Start button on the task bar, then select Settings>Control Panel>Administrative
Tools>Services.
Result: The Services window appears.
See Figure 9-6, on page 9-7
2 Locate the name PrC in the Name column.
3 If the PrC status column shows the status Started, right click and select the Stop option.

When the status is stopped the status column will be empty.


4 Close the Services window when you have stopped the PrC service.

Cleaning up the PrC Database



If necessary, it is possible to clean up the PrC’s database. Doing so erases all of the data stored
in the database and resets the database to its initial preinstallation state.

Cleaning up the database erases the PrC Database. It should
only be done as a last resort.

Follow Procedure 9-6 to clean up the PrC database:


Procedure 9-6 How to Clean Up the PrC Database

1 Load the Provisioning Centre CD into the PC’s CD ROM drive.


Result: The InstallShield wizard welcome window appears.
2 Click Next.
Result: The setup type screen appears.
3 Leave the default selection (Database) and click Next.
Result: The next setup type screen appears.
4 Select Clean Database and click Next.
Result: If the identical version of the database is found, an information window confirming
this appears.
5 Click Next.
6 Wait while the database is cleaned up until the summary screen appears. Click Finish.



Chapter 10: Troubleshooting the AuC

This chapter covers the following topics:


• "Basic Troubleshooting"
• "Known Issues"

Basic Troubleshooting

This section covers the following topics:


• "Common AuC Start-Up Error Messages"
• "AuC Troubleshooting Scenarios"
• "Worst case AuC Scenarios"
• "Scenarios when Performing Key Updates"
• "Manual SCK Map Synchronization"
• "How to Restart the AuC"
• "Troubleshooting Standby AuC"
• "Site and System Management"
• "AuC Client Appears to Hang"
• "KVL Download or Upload Fails on AuC"
• "Site Does Not Take Keys"


Common AuC Start-Up Error Messages


When troubleshooting the Authentication Centre (AuC) client application, you may encounter
one or more error messages. These messages are displayed in an alert box. The most
common error messages are listed in Table 10-1.

Table 10-1 Common Client Startup Error Messages and Descriptions

Error Message: Server not available. Please ensure the server is running correctly. If the server is rebooting, please wait until it finishes this process.
Description: Displayed when the AuC server machine cannot be located on the network by the client. Make sure that the client has the proper IP address in its host file. The default entry for the AuC server is auc01 10.0.1.219. This will need to be modified if using a different IP address schema than outlined in the IP plan.

Error Message: This client is incompatible with the server. Please install a server compatible version of the client.
Description: Displayed when the AuC client and server application versions are not compatible.

Error Message: Root cause of error: Unknown. Please ensure the server is running correctly. If the server is rebooting, please wait until it finishes this process.
Description: Displayed when the AuC server machine is located, but the server application is not running correctly.

There are numerous other error messages that may display during start-up of the AuC client application.
These other messages will indicate the root cause and are self-descriptive.
If you are unsuccessful at resolving your client start-up problem, please contact the ESSC for assistance.
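
The host file check that Table 10-1 calls for can be automated. The following Python code is an added example and not part of the AuC software; it uses the default name and address from the table and constructed host file contents. Host file syntax puts the address first and the name second, so a line typed in the order the table prints the entry (name first) is flagged as reversed.

```python
import ipaddress


def _is_ip(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def check_hosts_entry(hosts_text, name="auc01", expected_ip="10.0.1.219"):
    """Classify how `name` is mapped in host file text.

    Returns (status, line_numbers), where status is one of
    'ok', 'missing', 'wrong_ip', 'conflict' or 'reversed'.
    """
    name = name.lower()
    expected = ipaddress.ip_address(expected_ip)
    mapped = []       # (line number, address) for valid "address name" lines
    reversed_at = []  # lines written "name address", which is not valid syntax
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(tokens) < 2:
            continue
        if _is_ip(tokens[0]):
            # Host names are case-insensitive; aliases on the same line also count.
            if name in (token.lower() for token in tokens[1:]):
                mapped.append((line_no, ipaddress.ip_address(tokens[0])))
        elif tokens[0].lower() == name and _is_ip(tokens[1]):
            reversed_at.append(line_no)
    if not mapped:
        return ("reversed", reversed_at) if reversed_at else ("missing", [])
    wrong = [line_no for line_no, address in mapped if address != expected]
    if len(wrong) == len(mapped):
        return "wrong_ip", wrong
    if wrong:
        # The name appears with more than one address; report every line involved.
        return "conflict", [line_no for line_no, _ in mapped]
    return "ok", [line_no for line_no, _ in mapped]


# Constructed sample host file contents.
HOSTS_OK = """# constructed sample
127.0.0.1       localhost
10.0.1.219      auc01   # AuC server
"""
HOSTS_REVERSED = "127.0.0.1 localhost\nauc01 10.0.1.219\n"
HOSTS_CONFLICT = "10.0.1.219 auc01\n10.0.9.9 AUC01\n"
HOSTS_WRONG = "10.0.9.9 auc01\n"
HOSTS_MISSING = "# 10.0.1.219 auc01\n127.0.0.1 localhost\n"

if __name__ == "__main__":
    samples = [("ok", HOSTS_OK), ("reversed", HOSTS_REVERSED),
               ("conflict", HOSTS_CONFLICT), ("wrong", HOSTS_WRONG),
               ("missing", HOSTS_MISSING)]
    for label, text in samples:
        print(label, check_hosts_entry(text))
```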

AuC Troubleshooting Scenarios

Table 10-2 Troubleshooting the AuC

Symptom Possible Cause Resolution


AuC becomes stuck in a KEKm The AuC has been freshly • Contact the ESSC for
or KEKz update installed or restored from a very assistance.
old backup.
The Crypto Card (CC) software The crypto card did not initialize • Make sure that the proper
is installed. Fresh install of AuC properly software is installed on the
with crypto card. The AuC is crypto card, that is AuC
being started up for the first software.
time and never completes startup
• Check the debug log to
properly. The operator starts the
make sure the crypto card
client but the client indicates that
initializes properly.
the AuC server is not available.

10-2 6802800U60-D March 2007


Authentication, Encryption and Provisioning - Installation and Configuration AuC Troubleshooting Scenarios

Table 10-2 Troubleshooting the AuC (Continued)


Symptom Possible Cause Resolution
The AuC icon does not appear in Master Agent and Sub Agent are • Make sure the AuC SNMP
the FullVision manager under the not properly started. master agent and the AuC
"Dimetra" branch. SNMP sub agent are started
(in that order) in the AuC
servers management dialog.
• Once the AuC host’s
Icon shows up under the
"Internet" branch of the
FullVision management
(may be labelled with
either IP addresses or
"auc01"), right click that
icon in FullVision and select
Discover > One Agent.
• Check the
nmaMgrRegTable.txt file
in the aucagent directory to
make sure an entry is placed
when the manager registers
with AuC’s SNMP agent.
The AuC icon shows up but traps The Manager has not registered • Make sure the AuC SNMP
are not promptly received in the with the Master Agent yet to master agent and the
Alarm Browser when the AuC receive traps. AuC SNMP sub agent are
goes in and out of service or starts started (in that order) in
a database backup. the AuC servers services
management dialog.
• Once the AuC host’s
Icon shows up under the
"Internet" branch of the
FullVision management
(may be labelled with
either IP addresses or
"auc01"), right click that
icon in FullVision and select
Discover> One Agent.
• Check the
nmaMgrRegTable.txt file
in the aucagent directory to
make sure an entry is placed
when the manager registers
with AuC’s SNMP agent.
Mobile stations, zones, base sites, AuC-NM communication • Log in to the problem PNM
KVLs, etc.) are not showing up at problem server as admin. Disable the
the AuC when added to the NM server and then re-enable it.
Client. Wait 3 hours. The missing
entities should appear in
the AuC client after this
procedure.

6802800U60-D March 2007 10-3


AuC Troubleshooting Scenarios Chapter 10: Troubleshooting the AuC

Table 10-2 Troubleshooting the AuC (Continued)


Symptom Possible Cause Resolution
Attempting to download • This could be that the • Click on the respective
provisioning material and the entity does not need to be entity’s Update Ki or
KVL appears to be successful but provisioned. Refresh Ki button and
nothing is displayed in the KVL download again.
• Another cause is that the
list.
KVL does not have a zone • On the NM Client open the
assigned to it in the NM KVL record and assign the
client. proper zone to it.
KVL displays "Bad Response • This means that the KVL • Check the AuC for the KVL
from AuC" when attempting to ID is not recognized by the ID. If the KVL does not
download provisioning material. AuC and is denied access. reside in the AuC, add the
KVL at the NM Client and
it will appear in the AuC
client shortly.
• Otherwise it could be that
the KVL does not have the
correct ID assigned to it.
This can be changed under
the AuC>SETUP>KVL ID
Menu.
KVL displays an error about • Either the KVL’s UKEK is • On the AuC, go to the Key
the Unique Key Encryption Key not correct or Loaders tab and highlight
(UKEK) when attempting to the appropriate KVL. Click
• The AuC has not assigned
download provisioning material. on the Assign the UKEK
the correct KVL UKEK or
button and enter a UKEK.
• No KVL UKEK has been On the KVL, select the
assigned. AuC>SETUP>UKEK
menu and edit the UKEK to
be what was entered in the
AuC.
KVL displays "No Response from • The baud rates on the AuC • Usually the AuC serial
AuC" error when attempting to and KVL do not match. connection is set to
download provisioning material. 9600 baud. This can be
set on the KVL at the
CONFIG>BAUDR Menu.
Select to edit and modify the
baud rate to 9600.
• Check the AuC setting for
KVL baud rate. This can be
done by selecting System
> Settings> KVL port
settings on the AuC client.

10-4 6802800U60-D March 2007


Authentication, Encryption and Provisioning - Installation and Configuration AuC Troubleshooting Scenarios

Table 10-2 Troubleshooting the AuC (Continued)


Symptom Possible Cause Resolution
KVL displays an error with the The AuC ID and the KVL setting • On the AuC, select the
AuC ID when attempting to for the AuC ID do not match. Settings option from the
download provisioning material. System menu. On the
resulting dialog box, click
on the Miscellaneous tab
and note the displayed AuC
ID. Then on the KVL go to
the AUC>SETUP- AuC ID
option and edit the AuC ID.
The Zone Encryption Key (KEKz) This could mean that no Static • Either manually enter each
update remains at stage 2. Cipher Key- Trunked Mode slot or Import SCK-TMO
Operation Key (SCK-TMO) slots key from a file into each slot
have been assigned. under the Key Database tab
of the AuC.
Error messages such as "Unknown Oracle® database is failing. • The customer should
server exception occurred while follow the procedures in
communicating with server.", "Activating the Standby
"Database exception occurred Database" section. If a
while communicating with standby database is not
server". Other than the available, then see the
explicit "Database section on restoring the AuC
Exception." message, database from a backup.
the source of the
problem can be
with the database
or the AuC server.
It is difficult from a
client perspective
to distinguish
server/database
problems from one
another.
Error message: "Server returned a This will occur when the AuC • Log the actions performed
Remote Exception" server is having technical before the error occurred,
problems or when the client has the error message itself, and
disconnected from the server after the time of error.
initial log in (cable disconnect,
• If the cause of action is not
server shutdown, etc.)
apparent, restart the AuC,
and then, as the last resort,
the server and the database.
• If the problem persists,
contact the Motorola
European Systems Support
Centre (ESSC).

6802800U60-D March 2007 10-5


AuC Troubleshooting Scenarios Chapter 10: Troubleshooting the AuC

Table 10-2 Troubleshooting the AuC (Continued)


Symptom Possible Cause Resolution
Symptom: AuC database backup fails
Possible Cause: Configuration error with database backups
Resolution:
• If the backup files are being copied to a network drive, make sure that the appropriate AUC services have been modified to run as a user that can access the mapped drive. See Chapter 6, "AuC Database Backup and Restore" for more information about configuring the AuC for backups.

Symptom: AuC user interface appears to hang.
Possible Cause: AuC client, AuC server, or database is having technical problems.
Resolution:
• Wait 5 minutes. For some problems the system will time out and return control back to the client. In other rare cases, the system could just be overloaded, and needs a few more seconds to finish.
• Use the task manager to close down the application and log back in.
• Check for connectivity problems. The AuC may have been disconnected from the network.
• Use Registry Editor (Regedt32.exe) to view the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  Confirm that the following registry value exists (add/modify as necessary):
  Value Name: DisableDHCPMediaSense
  Data Type: REG_DWORD - Boolean
  Value Data Range: 0, 1 (False, True)
  Default: 0 (False)
  After making changes to the registry, reboot the AuC server.

Symptom: Connections to infrastructure entities are shown as disconnected on the AuC, but the entity appears to be working correctly.
Possible Cause: AuC may have synchronization problems with UCS and/or ZDS
Resolution:
• Check the Event Log. If the log has an event which states ’Start synchronizing with UCS/ZDS’ and later there is an event which says ’UCS/ZDS is disconnected’, it means that a synchronization problem occurred. In this case, contact the ESSC for assistance. Otherwise, stop and restart the AuC Client/Server.

In general, if the user is concerned that the AuC client is showing invalid or
incorrect data, the user should restart the client.

Worst case AuC Scenarios


If the AuC were to be taken down intentionally or due to a fault, FullVision will immediately be notified
and the status will be displayed. During this time, if radios, base sites, zones, KVLs, Security Groups,
KVL-Valid-Zones, etc. are modified at the NM Client, notifications to the AuC will not be received.
Similarly, notifications (ACKs or NACKs) from each ATR will not be received by the AuC.
Upon restarting the AuC, the AuC will reconnect with each ZDS and the UCS and synchronize with
their respective databases. Connections will be re-established with each ATR, and the AuC will
immediately begin receiving ACKs and NACKs from the ATR as they occur.

Table 10-3 AuC Worst-Case Scenarios

Symptom: The AuC will show up as disabled at FullVision. The AuC operator will be unable to connect via the AuC client.
Possible Cause:
• Power Failure.
Recommended actions:
• Check the power connections on the AuC server.

Symptom: The AuC will show up as disabled at FullVision. The disabled reason should show that the AuC failed due to a database (DB) failure. The AuC operator will be unable to connect to the AuC server via the AuC client.
Possible Cause:
• Database Failure.
Recommended actions:
• Ensure the database server is functional. If the problem persists more than 10 minutes, reset the database server. Wait 10 minutes for the DB server to become active, and then reset the AuC server.

Symptom: The AuC will show up as disabled at FullVision. The disabled reason should show that the AuC failed due to an Encryption Device Failure. The AuC operator will be able to connect to the AuC server via the AuC Client. From the AuC client, the operator should notice that the AuC is in "Out of Service" state. Under the pull-down menu System, select Encryption Devices. The status of the crypto card will read "Failed".
Possible Cause:
• Crypto Card Failure.
Recommended actions:
• Ensure the proper master key is loaded. To do this, perform the Load Master Key steps as documented in the online help. The same master key must be used if one was previously loaded. If the status of the crypto card returns to "Working" then from the "System" pull-down menu select Go Operational. If an error occurs indicating the wrong master key was loaded, then load the appropriate master key. If the old master key is lost, then the entire AuC database is lost.

Symptom: The AuC will show up as disabled at FullVision. The AuC operator will only be able to connect to the AuC server from an AuC client located on the AuC server. From the AuC client, the operator should notice that under the "Zones" tab the UCS shows up as "Disconnected". Under each zone, the ATR and Zone Manager will show up as "Disconnected".
Possible Cause:
• Network Connectivity Failure.
Recommended actions:
• Ensure the AuC is properly connected to the network.

Scenarios when Performing Key Updates


There are a number of general scenarios that can happen when performing nationwide and non-nationwide
key updates. The nationwide key types are System KEK (KEKm), Static Cipher Key, Trunked
Mode Only (SCK-TMO), and Common Cipher Key (CCK). The non-nationwide keys are Zone
KEK (KEKz) and Authentication Material. The first scenarios covered will be the nationwide keys.
These scenarios will be designated as valid for nationwide mode and single cluster mode. Then
the non-nationwide key scenarios will be covered. Each scenario is described using the Local and
Nationwide progress bars of the particular key type being updated.


Scenario 1 (Nationwide and Single Cluster)


In this scenario, the AuC sends out activation messages for the nationwide key type being updated. This stage of
the update makes the key already held in the future slot for the relevant key type the new active key. As can be
seen in this scenario, the local cluster (or single cluster) is waiting for responses from all infrastructure entities.

Figure 10-1 Scenario 1

Table 10-4 Scenario 1

Possible Cause:
• A communication problem exists between the AuC and PNM (UCS or ZDS(s)) or between the UCS and Zone Controller or ZDS and Base Site/Zone Controller.
• The AuC has been restored to an older version and PNM will not forward on update messages due to “replaying” of a version number.
Resolution:
• First, click on the Zones tab on the AuC client. Verify that the AuC has made successful connections with the UCS, each ZDS and each ATR. If any box shows up as disconnected, there are a number of things that can be checked: the cable connections, the switch/router setup, the PNM box status via the admin menu, or the C:\WINNT\System32\drivers\etc\hosts file for proper IP addresses and aliases.
• If you have recently restored the AuC database, please contact ESSC for assistance.

Scenario 2 (Nationwide and Single Cluster)


In this scenario, the AuC sends out activation messages for the nationwide key type being updated.
This stage of the update makes the key already held in the future slot for the relevant key type
the new active key. As can be seen in this scenario, the local cluster (or single cluster) is waiting
for responses from one or more (but not all) infrastructure entities.


Figure 10-2 Scenario 2

Table 10-5 Scenario 2

Possible Causes:
• One or more Zones/Base Sites may not be responding to the activation message.
Resolution:
• If all Zone Controllers/TSCs are provisioned and one or more is simply not responding, the first step is to click on the Local Zones tab on the AuC. Then highlight each infrastructure entity relevant to the respective update and determine which entity or entities are not updated for the key activation taking place. For each not updated entity perform an audit trail search based upon that entity type and its ID. Check for negative acknowledgements (NACKs). The AuC will automatically respond to NACKs with the appropriate key message. If no NACKs are visible in the audit trail, the Zone Controller/TSC has not responded yet. Either disable and re-enable the entity for key updates or wait an hour. In either case, the AuC will then resend the key activation message to infrastructure entities that have not yet responded.
• The operator can proceed with the update by opting the problem entity out of the update.

Scenario 3 (Nationwide only)


In this scenario, the local AuC has received all of its activation acknowledgment messages
from the infrastructure entities being updated. It’s just waiting for the rest of the nationwide
system to complete this stage so it can move on.

Figure 10-3 Scenario 3

Table 10-6 Scenario 3

Possible Cause: One or more clusters may be experiencing Scenario 1 or 2.
Resolution: If one or more clusters has not received acknowledgments from all infrastructure entities being updated in the key update in progress, each AuC will have to be logged into to determine which AuCs have not completed Stage 1 of an update. When that AuC(s) is/are determined, then follow the resolution of Scenario 1 or 2.


Scenario 4 (Nationwide and Single Cluster)


In this scenario, the local AuC has not sent out all Authentication Material Refresh messages in a KEKm update.

Figure 10-4 Scenario 4

Table 10-7 Scenario 4

Possible Causes:
• In large systems, there might be a large number of radios. If this is the case, the AuC will take a long period of time for this stage of the System KEK update, therefore a degree of patience is necessary.
• Home zone maps have not been entered at the local NM-client.
Resolution:
• Check the events log. If the Home Zone Map has not been entered yet, the AuC will record an error in the events log. The Home Zone Map will then have to be entered at the Network Management Client (NM-client).

Scenario 5 (Nationwide only)


The only time this situation is possible is during a nationwide KEKm update. In this scenario, the local AuC
has sent out all Authentication Material Refresh messages, but one or more clusters have not.

Figure 10-5 Scenario 5

Table 10-8 Scenario 5

Possible Causes:
• Home zone maps have not been entered at another cluster’s NM-client.
Resolution:
• First, find the Authentication Centre(s) that do not show “Stage 2 – 100%”. Then check the events log. If the Home Zone Map has not been entered yet, the AuC will record an error in the events log. The Home Zone Map will then have to be entered at the Network Management Client (NM-client) for that cluster.


Scenario 6 (Nationwide and Single Cluster)


In this scenario, the AuC sends out update messages for the key type being updated. This
places a new key into the future slot. As can be seen in this scenario, the local cluster (or single
cluster) is waiting for responses from all infrastructure entities.

Figure 10-6 Scenario 6

Table 10-9 Scenario 6

Possible Causes:
• A communication problem exists between the AuC and PNM (UCS or ZDS(s)) or between the UCS and Zone Controller or ZDS and Base Site/Zone Controller.
• The AuC has been restored to an older version and PNM appears to not forward on the update messages.
Resolution:
• See the resolution for Scenario 1.
• If the parent key is not present, you need to opt the entity out in order for the update to complete. Following this, the entity should be opted back in and an update on the parent key initiated, so that the entity will now have the parent key and can successfully participate in future updates of the child key.
• If the AuC has been restored to an older version that includes backing up to older key version numbers, PNM is likely to not forward on key messages due to a known protocol issue. The correct recovery steps to follow involve running a script on each UCS and ZDS in the cluster in which the restored AuC resides. See PNM procedures for the procedure to run this script.


Scenario 7 (Nationwide & Single Cluster)


In this scenario, the AuC sends out update messages for the key type being updated. This puts a
new key into the future slot. As can be seen in this scenario, the local cluster (or single cluster) is
waiting for responses from one or more (but not all) infrastructure entities.

Figure 10-7 Scenario 7

Table 10-10 Scenario 7

Possible Causes:
• Not all Zones/Base Sites are provisioned yet or the parent key is not present in one or more infrastructure entities.
• One or more Zones/Base Sites may not be responding to the update message.
Resolution:
• If one or more Zones aren’t provisioned yet, the Local Zones tab will show "Not Provisioned" for both primary and secondary Zone Controllers when a Zone is highlighted. If this is the case, the user should follow outlined procedures for provisioning Ki. (Download from the AuC with the KVL, attach the KVL to each infrastructure entity needing to be provisioned, provision each entity, attach the KVL back to the AuC, and upload the responses.)
• If, on the other hand, all Zone Controllers are provisioned and one or more Zone Controller or TSC is not responding, the first step is to click on the Local Zones tab on the AuC. Then highlight each infrastructure entity relevant to the respective update and determine which entity or entities are not updated for the key update taking place. For each entity that is not updated perform an audit trail search based upon that entity type and its ID. Check for negative acknowledgements (NACKs). The AuC will automatically respond to NACKs with the appropriate key message. If three consecutive NACKs are received with a reject reason of “Decryption Failure”, the infrastructure entity will need to refresh its parent key (KEKm -> Ki, SCK-TMO -> KEKz, CCK -> KEKz). For Ki refreshing, see the steps on provisioning Ki. For SCK-TMO and CCK Decryption Failure NACKs, the AuC will automatically send out key updates for the parent key. If no NACKs are visible in the audit trail, the Zone Controller/TSC hasn’t responded yet. Either disable and re-enable the entity for key updates or wait an hour (timeout). In either case, the AuC will then resend the key activation message to infrastructure entities that have not yet responded.
• The operator can proceed with the update by opting the problem entity out of the update.


Scenario 8 (Nationwide Only)


In this scenario, the local AuC has received all acknowledgements from its respective infrastructure
entities, and is waiting for the rest of the nationwide system to complete the update.

Figure 10-8 Scenario 8

Table 10-11 Scenario 8

Possible Causes:
• The Comm Key has not been entered or an incorrect Comm Key exists in one or more AuCs.
• One or more clusters may experience Scenario 7.
Resolution:
• If an AuC has an incorrect or no Comm Key entered, the AuC icon will be yellow in the AuC Connections tab. Determine which AuC or AuCs are failing. Then on that AuC or AuCs enter in the same Comm Key as the remaining AuCs. Once the Comm Key is entered, encrypted AuC to AuC communication can occur and the key update will resume shortly.
• If the parent key is not present, you need to opt the entity out of the update for it to complete. Then, opt the entity back in and initiate an update on the parent key, so that the entity will now have the parent key and can successfully participate in future updates of the child key.

Scenario 9 (KEKz)
In the event that no Zone Controllers or TSCs have responded for a particular zone (that is
the progress bar shows 0% for any stage), it could be that the connection to a PNM box is
down or cannot be reached. See the resolution for Scenario 1.


Scenario 10 (KEKz)
In this scenario, one or more zones have infrastructure entities (Zones or Base Sites) not responding to the
activation message. In Figure 10-9, both Zone 1 and Zone 2 are waiting for one or more acknowledgements.

Figure 10-9 Scenario 10

Table 10-12 Scenario 10

Possible Causes:
• Not all Zones/Base Sites are provisioned yet.
• One or more Zones/Base Sites may not be responding to the update message.
Resolutions:
• If one or more Zones/Base Sites aren’t provisioned yet, the Local Zones tab on that AuC will show "Not Provisioned" for both primary and secondary Zone Controllers/TSCs when a Zone Site is highlighted. If this is the case, the user should follow outlined procedures for provisioning Ki. (Download from the AuC with the KVL, attach the KVL to each infrastructure entity needing to be provisioned, provision each entity, attach the KVL back to the AuC, and upload the responses.)
• If, on the other hand, all Zone Controllers/TSCs are provisioned and one or more is just not responding, the first step is to click on the Local Zones tab on the AuC. Then highlight each infrastructure entity relevant to the respective update and determine which entity or entities are not updated for the key update taking place. For each entity that is not updated perform an audit trail search based upon that entity type and its ID. Check for negative acknowledgements (NACKs). The AuC will automatically respond to NACKs with the appropriate key message. For Ki refreshing, see the steps on provisioning Ki. If no NACKs are visible in the audit trail, the Zone Controller/TSC just hasn’t responded yet. Either disable and re-enable the entity for key updates or wait an hour. In either case, the AuC will then resend the key activation message to infrastructure entities that have not yet responded.
• The operator can proceed with the update by opting the problem entity out of the update.


Scenario 11 (KEKz)
In this scenario, one or more zones have Base Sites not responding to the SCK-TMO and CCK refresh
messages. In Figure 10-10, Zone 1 is waiting for one or more Base Sites to acknowledge the SCK-TMO
and CCK refreshes. If the AuC doesn’t have an SCK-TMO map loaded (or a Next Active SCK-TMO
Slot selected) and no CCK updates have been completed, the AuC will skip stage 2.

Figure 10-10 Scenario 11

Table 10-13 Scenario 11

Possible Causes: One or more Zones/Base Sites may not be responding to the update message
Resolution:
• If one or more base sites are just not responding, the first step is to click on the Audit Trail tab. Perform a search on Key Type CCK or SCK-TMO and ID. Check for positive and negative acknowledgements. Each AuC should display a record for the successful refresh of each slot of each base site (TSC). Any NACKs received should be handled by the AuC. If no NACKs are visible in the audit trail, the Zone Controller/TSC just hasn’t responded yet. Either disable and re-enable the entity for key updates or wait an hour. In either case, the AuC will then resend the key activation message to infrastructure entities that have not yet responded.


Scenario 12 (KEKz)
In this scenario, one or more zones have infrastructure entities (Zones or Base Sites) not responding to the
update message. In Figure 10-11, both Zone 1 and Zone 2 are waiting for one or more acknowledgements.

Figure 10-11 Scenario 12

Table 10-14 Scenario 12

Possible Causes:
• Not all Zones/Base Sites are provisioned yet.
• One or more Zones/Base Sites may not be responding to the update message.
Resolution:
• If one or more Zones/Base Sites aren’t provisioned yet, the Local Zones tab on that AuC will show "Not Provisioned" for both primary and secondary Zone Controllers/TSCs when a Zone Site is highlighted. If this is the case, the user should follow outlined procedures for provisioning Ki. (Download from the AuC with the KVL, attach the KVL to each infrastructure entity needing to be provisioned, provision each entity, attach the KVL back to the AuC, and upload the responses.)
• If, on the other hand, all Zone Controllers/TSCs are provisioned and one or more is just not responding, the first step is to click on the Local Zones tab on the AuC. Then highlight each infrastructure entity relevant to the respective update and determine which entity or entities are not updated for the key update taking place. For each entity that is not updated perform an audit trail search based upon that entity type and its ID. Check for negative acknowledgements (NACKs). The AuC will automatically respond with the appropriate key message. If three consecutive NACKs are received with a reject reason of “Decryption Failure”, the infrastructure entity will need to refresh its Infrastructure key (Ki). For Ki refreshing, see the steps on provisioning Ki. If no NACKs are visible in the audit trail, the Zone Controller/TSC just hasn’t responded yet. Either disable and re-enable the entity for key updates or wait an hour. In either case, the AuC will then resend the key update message to infrastructure entities that have not yet responded.
• The operator can proceed with the update by opting the problem entity out of the update.
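
The NACK handling described in the Scenario 7 and Scenario 12 tables can be written as a small triage routine. The following is an added example, not Motorola code: the pipe-separated record layout, the entity IDs, the second reject reason and the status names are assumptions constructed for illustration, because the page does not show the audit-trail export format.

```python
"""Triage audit-trail records for one stalled key update (added example)."""
from collections import defaultdict

# Child key -> parent key, as given in the Scenario 7 and Scenario 12 tables.
PARENT_KEY = {"KEKm": "Ki", "SCK-TMO": "KEKz", "CCK": "KEKz", "KEKz": "Ki"}
DECRYPTION_FAILURE = "Decryption Failure"
NACK_LIMIT = 3  # consecutive Decryption Failure NACKs before a parent-key refresh

# Constructed sample records. The pipe-separated layout and the second reject
# reason are assumptions made for this example, not an AuC export format.
# timestamp|entity type|entity ID|key type|result|reject reason
SAMPLE_AUDIT_TRAIL = """\
2007-03-01 10:00:05|TSC|101|CCK|ACK|
2007-03-01 10:00:07|TSC|102|CCK|NACK|Decryption Failure
2007-03-01 10:00:09|TSC|103|CCK|NACK|Decryption Failure
2007-03-01 10:00:11|ZC|1|CCK|NACK|Decryption Failure
2007-03-01 10:00:19|TSC|102|CCK|NACK|Decryption Failure
2007-03-01 10:00:21|TSC|103|CCK|NACK|Other (constructed)
2007-03-01 10:00:23|ZC|1|CCK|ACK|
2007-03-01 10:00:31|TSC|102|CCK|NACK|Decryption Failure
2007-03-01 10:00:33|TSC|103|CCK|NACK|Decryption Failure
"""


def parse_audit_trail(text):
    """Parse the constructed export into records sorted by timestamp."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [field.strip() for field in line.split("|")]
        if len(fields) != 6 or fields[4] not in ("ACK", "NACK"):
            raise ValueError(f"line {lineno}: malformed record {line!r}")
        timestamp, entity_type, entity_id, key_type, result, reason = fields
        records.append({
            "timestamp": timestamp,
            "entity": (entity_type, entity_id),
            "key_type": key_type,
            "result": result,
            "reason": reason,
        })
    # Fixed-width timestamps sort correctly as strings; sorted() is stable.
    return sorted(records, key=lambda record: record["timestamp"])


def trailing_decryption_failures(history):
    """Count the unbroken run of Decryption Failure NACKs at the end of history."""
    run = 0
    for record in reversed(history):
        if record["result"] != "NACK" or record["reason"] != DECRYPTION_FAILURE:
            break
        run += 1
    return run


def triage(records, key_type, expected_entities):
    """Map each entity the update is waiting on to (status, operator action)."""
    if key_type not in PARENT_KEY:
        raise ValueError(f"unknown key type {key_type!r}")
    parent = PARENT_KEY[key_type]
    history = defaultdict(list)
    for record in records:
        if record["key_type"] == key_type:
            history[record["entity"]].append(record)

    findings = {}
    for entity in expected_entities:
        events = history.get(entity, [])
        if not events:
            findings[entity] = ("NO_RESPONSE",
                                "disable and re-enable key updates, or wait an hour")
        elif events[-1]["result"] == "ACK":
            findings[entity] = ("UPDATED", "none")
        elif trailing_decryption_failures(events) >= NACK_LIMIT:
            if parent == "Ki":
                findings[entity] = ("PROVISION_KI",
                                    "refresh Ki using the Ki provisioning steps")
            else:
                findings[entity] = ("PARENT_REFRESH_AUTOMATIC",
                                    f"AuC sends the {parent} update itself; monitor")
        else:
            findings[entity] = ("NACK_RETRY",
                                "AuC answers the NACK with the appropriate key message")
    return findings


if __name__ == "__main__":
    waiting_on = [("TSC", "101"), ("TSC", "102"), ("TSC", "103"),
                  ("TSC", "104"), ("ZC", "1")]
    for entity, (status, action) in triage(
            parse_audit_trail(SAMPLE_AUDIT_TRAIL), "CCK", waiting_on).items():
        print(entity, status, "-", action)
```

An entity whose latest record is an ACK counts as updated even if it sent NACKs earlier, and a different reject reason between two Decryption Failure NACKs breaks the run of three.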

Scenario 13 (Authentication Material)


If an Authentication Material update appears not to complete, follow the resolutions for Scenario 4. This is
almost the same as the Refresh stage during a KEKm update except that it is stage 3 instead of stage 2.


Manual SCK Map Synchronization


Prior to connecting an Authentication Centre (AuC) into a nationwide system, SCK maps must be
synchronized. SCK can be manually entered or imported from a file. Using either method, all AuCs in a
nationwide system must have the same keys in their SCK tables. This means key slot, value, and version
must be the same. Differences will prevent the AuC from connecting to a nationwide system.

Adding a New AuC to an Existing Nationwide System


An AuC that is about to be introduced into a nationwide system for the first
time requires the same set of SCKs that is currently in use in the nationwide
system. The SCKs must therefore be synchronized to the new AuC as follows:

Procedure 10-1 How to Add a New AuC to an Existing Nationwide System

1 Disable CCK, SCK, and KEKm updates on the nationwide network. This can be accomplished
from any ONE AuC that is currently participating in the nationwide network.
2 Disable CCK, SCK, and KEKm updates on the new AuC. This step requires that the new AuC
already have the application software installed.
3 Physically connect the new AuC to the network, but do not logically add it to the nationwide
network.
4 Enter the SCK map into the new AuC.
5 Logically add the new AuC to the nationwide network (provide it with a Master AuC IP Address).
This allows AuC-AuC synchronization to occur.
6 Enable nationwide CCK, SCK, and KEKm updates on the network. This can be accomplished
from any ONE AuC that is currently participating in the nationwide network.

Key updates on the new AuC will automatically be enabled at this time.

How to Restart the AuC


If the AuC shows up as disabled at FullVision then a restart is necessary. There are two ways to do this.
Follow the instructions below to restart the AuC:
Procedure 10-2 How to Restart the AuC — Method 1 Go Out of Service and Operational

1 With the Client up, select Go out of Service from the System menu.
2 Select Go Operational.


Procedure 10-3 How to Restart the AuC — Method 2 (Full reset of the AuC)

1 Click the Start button in the task bar and select the Control Panel
2 Select the Administrative Tools, followed by Services.
3 In the Services section, click on the service labelled AuC.
4 Right-click on that service after it is highlighted, and click on Stop.
5 Right-click on the AuC service and select Start.
6 Wait a few minutes, then restart the client

Troubleshooting Standby AuC


Table 10-15 Troubleshooting Standby AuC

Symptom: The Standby AuC database is not receiving archive logs from the primary database.
Possible Causes:
• The hosts file on the Primary AuC has an incorrect IP address for the standby host name
• Part of the procedure to setup the standby database wasn’t followed correctly or something was left out of the process
Recommended Actions: Test the communication between the primary database and the standby database. See Procedure 10-4

Procedure 10-4 How to Test the Communication Between the Primary Database and the Standby Database

1 Open a command prompt on the Primary AuC and enter:


tnsping stby
Result: If the connection was successful, you will see the message OK (n msec) where ’n’
is the number of milliseconds that it took to contact and receive a response from the standby
database. If the connection is not OK (the message above is not seen), then proceed to step 2.
2 Open the hosts file on the Primary AuC with note pad or another editor. The file is found in the
directory: c:\windows\system32\drivers\etc\hosts.
3 Check the IP address that is listed next to the hostname standby.
4 Modify the IP address accordingly so that it matches the IP address of the Standby AuC.
5 Open a new command prompt and execute the tnsping stby command again to verify
that the problem is cured.

6 If there does not appear to be a problem with the hosts file then it is possible that the procedure to
setup the standby database was not carried out correctly. In that case, return to the setup procedure
in Chapter 3, "AuC Software Installation and Uninstallation", and perform the procedure again.

Before starting the procedure again, be sure to remove the standby files directories
created in the previous attempt to setup the configuration. Also, make sure to
close command prompt windows used previously on both the standby and primary
databases.
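
Steps 2 to 4 of Procedure 10-4 can be checked with a script instead of by eye. This is an added example, not part of the Motorola procedure: the sample hosts content, the addresses and the status names are constructed, and the script only inspects the file text it is given.

```python
"""Check the hosts-file entry that Procedure 10-4 inspects (added example)."""
import ipaddress

# Constructed sample content. The addresses come from the 192.0.2.0/24
# documentation range and are not taken from a real AuC.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1      localhost
192.0.2.10     primary   auc-primary
192.0.2.21     standby   # stale address from an earlier setup attempt
192.0.2.20     STANDBY   auc-standby
not-an-ip      standby
"""


def parse_hosts(text):
    """Return (entries, malformed); entries are (line number, address, names)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)  # first field is not an IP address
            continue
        if len(fields) < 2:
            malformed.append(lineno)  # address without any host name
            continue
        # Host names are compared case-insensitively.
        entries.append((lineno, address, [name.lower() for name in fields[1:]]))
    return entries, malformed


def check_standby_entry(text, expected_ip, hostname="standby"):
    """Compare every hosts entry for `hostname` with the Standby AuC address.

    Status values (names chosen for this example):
      OK             every entry for the host name matches expected_ip
      MISSING        no entry for the host name
      WRONG_ADDRESS  all entries point somewhere other than expected_ip
      CONFLICTING    some entries match and some do not
    """
    expected = ipaddress.ip_address(expected_ip)
    entries, malformed = parse_hosts(text)
    matches = [(lineno, address) for lineno, address, names in entries
               if hostname.lower() in names]
    wrong_lines = [lineno for lineno, address in matches if address != expected]

    if not matches:
        status = "MISSING"
    elif not wrong_lines:
        status = "OK"
    elif len(wrong_lines) < len(matches):
        status = "CONFLICTING"
    else:
        status = "WRONG_ADDRESS"

    return {
        "status": status,
        "entries": [(lineno, str(address)) for lineno, address in matches],
        "wrong_lines": wrong_lines,   # the lines step 4 asks the operator to fix
        "malformed": malformed,       # lines that could not be parsed at all
    }


if __name__ == "__main__":
    # 192.0.2.20 stands in for the real Standby AuC address.
    report = check_standby_entry(SAMPLE_HOSTS, "192.0.2.20")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A CONFLICTING result deserves the same attention as a wrong address, because a leftover line from an earlier setup attempt can still be the one that resolves.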

Site and System Management

Key Distribution Failure


When a Dimetra system is fielded, not all the infrastructure components will be installed at the same
time. The majority of the PNM components will be installed, for example, UCS, SSS, ZDS, ATR,
ZSS, FullVision, and Zone Controllers, along with the AuC. However, the network connections and
the EBTS site components, TSCs and BRCs, may not be fielded until weeks or months later. This is
a problem because, when the AuC starts up, it checks with the UCS and ZDSs for all system entities,
which may exist only as database entries and may not have been fielded yet.
When the AuC sends out Key Updates, it will not complete an update if it does not receive an
Acknowledgement (ACK) or Negative Acknowledgement (NACK) from every entity in its database. This
is evident when the AuC client displays Key Updates that are ‘stuck’ at Stage 1, 2, or 3 with any percentage
less than 100%. In that situation the following procedure should be performed to complete the update.
Procedure 10-5 How to Complete Key Updates from the AuC to Infrastructure entities

1 Initial AuC start-up.


2 In the process of setting up the Authentication Centre, the following step should be performed
BEFORE any Key Distributions are done.
3 From the AuC client, Local Zones tab, select each Zone, and Disable Key Updates for each
Site that does not physically exist in that Zone.

Normal Operation
After initial set up, a number of issues could arise while performing key updates
that require operator intervention.
In the event that not all site hardware is available upon initial set up and the site has to be disabled for
key updates on the AuC, the site will have to be brought online after the initial sites are already operating
with a set of keys. When this occurs, the site will have to be provisioned prior to any other key update
operation. Once provisioned, the AuC will attempt to update the site with all the current keys. The progress
bar in the key schedules tab of the AuC will not reflect the update operations for this site. The site can
be monitored in the Local Zones tab and will be represented by a green, circular icon with a yellow
key in it when all key types for that site are current for both present and future keys.
In the event that the site fails in a key update in the first scenario, the first course of action is to "wobble" the
site by selecting the site in the AuC client under the Local Zones tab and selecting Disable Key Updates and
then selecting Enable Key Updates. This will cause the AuC to resend the keys for that site only. If that
fails, try resetting the failing entity, base radio or TSC or both. Alternatively, if the site is still not updated
for all keys, the AuC can be taken Out of Service and brought back to the Operational state by selecting
appropriately from the System menu. Normally, the AuC will send out key update messages to non-updated
entities once an hour. Taking the AuC Out of Service and making it Operational again causes the AuC to
send the updates immediately unless the entity has already responded with three (3) NACKs.
In the event that an update appears to be completed for all infrastructure entities except the entity disabled
in the third scenario, contact ESSC through the normal channels for assistance.

Follow Up Action
Check all other Key distribution Failure Resolution/Workarounds. Then contact
ESSC/TDACC if distribution still fails.

Key Distributions do not Complete


Authentication Material, KEKm, KEKz, CCK and SCK_TMO distributions do not complete.
Possible causes: The AuC has been freshly installed or restored from a very old backup or
not all entities are acknowledging the receipt of the keys.
Procedure 10-6 How to Complete Authentication Material, KEKm, KEKz,
CCK and SCK_TMO Distributions

1 Start the AuC debug log and check that all entities on the AuC are set correctly for key updates:
All sites currently not commissioned are set to Key Updates Disabled.
All sites that are set to updates enabled are green on both the AuC and the Zone Watch.
Check to see if any of the sites have received the expected update.
2 If no sites have received any new keys, then there may be an issue where the NM is not
forwarding the distribution; this can be the case if the distribution is stuck at 0%.
3 • This can be cleared by running the clearance script on the NM (contact ESSC/TDACC) or,
• Backup the AuC, restore to this backup then move the next update forward at least 2 keys
and distribute again
4 Start logging on ZoneWatch (ATIA stream), and take the logs for 1 hour and 10 minutes.
5 Check the logs for negative ACKs and note down the sites that are sending them.
6 Establish why these sites are not accepting the keys.
7 You can either fix these sites now, or disconnect them from the SwMI to fix later (see "Site Does
Not Take Keys"). Disconnect them using the Nortel ("lock fruni/<aabbcc>", where a = slot,
b = port, c = channel).
8 Wait 1 hour and check if distribution has completed or not.
9 If distribution completes, stop the debug logging.


Follow-Up Action
Check all other Key distribution Failure Resolution/Workarounds. Then contact
ESSC/TDACC if distribution still fails.

AuC Client Appears to Hang


Actions performed on the client appear to have no effect, or a loss of network connectivity alarm is seen.
The AuC is busy in other processes and the client/server connection times out.
Procedure 10-7 How to Solve the AuC Client that Appears to Hang

1 Start logging on Zone Watch (ATIA stream), and take the logs for 1 hour and 10 minutes.
2 Check the logs for negative ACKs and note down the sites that are sending them.
3 Establish why these sites are not accepting the keys.
4 You can either fix these sites now, or disconnect them from the SwMI to fix later (see "Site Does
Not Take Keys" on page 10-23). Disconnect them using the Nortel ("lock fruni/<aabbcc>", where a =
slot, b = port, c = channel).
5 Removing these sites, and therefore the NACKs, from the system will stop the AuC client hanging.

Follow-Up Action
If this has no effect, contact ESSC/TDACC.

KVL Download or Upload Fails on AuC


If any of the following occur:
• The KVL disconnects from the AuC and an error message appears in the events viewer
• The KVL does not successfully upload site receipts to the AuC
• The AuC is receiving Negative ACKs which tie down the process the AuC
needs to hold a successful session with the KVL

Procedure 10-8 How to Solve a KVL Download or Upload Fails on AuC

1 Start logging on ZoneWatch (ATIA stream), and take the logs for 1 hour and 10 minutes.
2 Check the logs for negative ACKs and note down the sites that are sending them.

3 Establish why these sites are not accepting the keys.
4 You can either fix these sites now, or disconnect them from the SwMI to fix later (see "Site Does
Not Take Keys" on page 10-23). Disconnect them using the Nortel ("lock fruni/<aabbcc>", where a =
slot, b = port, c = channel).
5 Removing these sites, and therefore the NACKs, from the system will allow the AuC to perform
a successful connection to the KVL.

Follow-Up Action
If this has no effect, contact ESSC/TDACC.
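
Added example, not part of the Motorola manual: one way to carry out the "check the logs for negative ACKs and note down the sites" step of Procedures 10-6, 10-7 and 10-8 over a saved log. The line format, field names and sample entries are constructed for illustration and are not the ATIA stream format; treating a site whose last result for a key type is an ACK as recovered is an assumption of this example.

```python
"""Tally negative ACKs per site from a saved key-distribution log.

The line format is CONSTRUCTED for this example; it is not the ATIA
stream format. Adapt LINE_RE to the export you actually have.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The procedures call for 1 hour and 10 minutes of logging, which spans
# the one-hour automatic retry described under Known Issues.
CAPTURE_WINDOW = timedelta(hours=1, minutes=10)

# Hypothetical line layout: timestamp, site number, key type, result, reason.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'SITE=(?P<site>\d+) KEY=(?P<key>[A-Za-z_]+) '
    r'RESULT=(?P<result>ACK|NACK)'
    r'(?: REASON="(?P<reason>[^"]*)")?$'
)

# Constructed sample input (not real log output).
SAMPLE_LOG = """\
2007-03-01 10:00:05 SITE=12 KEY=CCK RESULT=ACK
2007-03-01 10:00:07 SITE=17 KEY=CCK RESULT=NACK REASON="KEK not present"
2007-03-01 10:00:09 SITE=23 KEY=CCK RESULT=NACK REASON="Decryption Failure"
garbled line that should be skipped
2007-03-01 10:02:30 SITE=17 KEY=KEKz RESULT=ACK
2007-03-01 11:00:10 SITE=17 KEY=CCK RESULT=ACK
2007-03-01 11:00:12 SITE=23 KEY=CCK RESULT=NACK REASON="Decryption Failure"
2007-03-01 11:30:00 SITE=31 KEY=SCK_TMO RESULT=NACK REASON="KEK not present"
""".splitlines()


def parse(lines):
    """Yield (timestamp, site, key, result, reason) for well-formed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a key-update result
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        yield ts, int(m['site']), m['key'], m['result'], m['reason'] or ''


def analyse(lines, window=CAPTURE_WINDOW):
    """Return (nacks, persistent).

    nacks      -- {site: Counter({(key, reason): count})} inside the window
    persistent -- sorted sites whose LAST result for some key type is a NACK,
                  i.e. the sites to fix or disconnect
    """
    events = sorted(parse(lines))
    if not events:
        return {}, []
    end = events[0][0] + window          # window starts at the first entry
    nacks = defaultdict(Counter)
    last_result = {}                     # (site, key) -> most recent result
    for ts, site, key, result, reason in events:
        if ts > end:
            break                        # outside the capture window
        last_result[(site, key)] = result
        if result == 'NACK':
            nacks[site][(key, reason)] += 1
    persistent = sorted({site for (site, _key), res in last_result.items()
                         if res == 'NACK'})
    return dict(nacks), persistent


def report(lines):
    """Build a short text summary suitable for noting down the sites."""
    nacks, persistent = analyse(lines)
    out = []
    for site in sorted(nacks):
        state = 'STILL NACKING' if site in persistent else 'recovered'
        for (key, reason), count in sorted(nacks[site].items()):
            out.append(f'site {site}: {count} x {key} NACK ({reason}) [{state}]')
    return out


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG)))
```

In the constructed sample, site 17 NACKs once, receives KEKz and then accepts CCK on the retry, so only site 23 is left as a candidate for the "Site Does Not Take Keys" checks.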

Site Does Not Take Keys


Symptoms:
Newly Ki’d site will not turn green. During key distribution, site returns Negative ACKs.
Possible causes:
No WAN connectivity to the site.
Site has been reconfigured and still holds old site key information.
Site is incorrectly configured.
Site has a BR problem.
Procedure 10-9 How to Solve a Site that does not Take Keys

1 • Check the site status on ZoneWatch
• Check WAN connectivity to the site
• Check site status and site link status on FullVision
• Attempt to ping the site

2 Establish, in the case of a new site, that the TSC being used has never been configured as
another site, as this can result in key information from the old site being installed in the AuC
and Negative ACKs being sent to the AuC.
3 Upload the site configuration and check for anomalies.
4 Check the BR status on FullVision.
5 Get permission to reset the Site (the whole site) FOUR times as it has been reported from the
field that some TSCs and BRs need three or four resets before they accept the Ki values.

Follow-Up Action
If these actions do not correct the issue, contact ESSC/TDACC.


Known Issues

This section covers the following topics:


• "SCK/CCK NACKs (KEK not present, Decryption Failure) Handled Incorrectly"
• "Have to Reset AuC if Previous KVL Download Fails During Ki Provisioning"
• "AuC Client does not Update Zone Object after Receipt of Authentication
Material Decryption Failure NACK"
• "SCK Crypto Schedule doesn’t Notify User When Next Active SCK Not Set"
• "AuC Reports 127.0.0.1 to FullVision if Ethernet Cable Disconnected"
• "MNI Change During Key Distribution Should Stop Distribution"
• "Multiple Key Type Distributions May Cause AuC Application Deadlock"
• "Add New Site, AuC Distributes KEKz and then Waits One Hour to Send SCK"
• "Wrong or Incomplete NM Connection Checks to Start KEKz/SCK/CCK Updates"
• "Remote AuC Clients not Updated/Informed of Server State Changes"

In the event that the resolutions/workarounds stated below do not work, please contact
the ESSC through normal channels for assistance.
Whenever a cluster is being integrated into an existing network, the corresponding AuC must also be
integrated with the existing network of AuC(s). However, prior to these integration steps, all EBTSs
belonging to the cluster being integrated must be configured to operate in Security Class 2. Once
all integration activities have been completed (including the change of Mobile Network Identity
on the air interface), the newly integrated cluster may be configured to operate in Security Class 3.
From the MS perspective, the system will look homogenous (same Mobile Network Identity used on
all cells), and therefore the AuCs must synchronize their cryptographic data in order to ensure the
same CCK is in use between all MSs and all cells belonging to the SwMI.

SCK/CCK NACKs (KEK not present, Decryption Failure) Handled Incorrectly
One of the following SCK/CCK NACKs is received:
• KEK not present
• Decryption Failure
The KEKz update is sent due to this failure. When KEKz is completed, SCK/CCK is not sent immediately.


Resolution/Workaround
Disable and enable key updates for the EBTS that returned the NACK. If no action is taken,
SCK/CCK update will continue automatically after one (1) hour.

Have to Reset AuC if Previous KVL Download Fails During Ki Provisioning
An AuC is configured with at least one zone with at least 20 sites. Operator has a KVL with software
version R4.01.15. Operator attempts to download KIs for all those sites and zones (initial infrastructure
provisioning) over a modem connection. Operator is using an external modem with the KVL. The
AuC to KVL session fails after initial connection, and the server becomes “stuck”.

Resolution/Workaround
This problem occurs with an old version of the KVL software. Upgrade the KVL software to the latest valid
version. In addition, the operator can get around this by utilizing a direct connection to the AuC. Stop and
restart the AuC service through the operating system’s services window to clear the locked up state.

AuC Client does not Update Zone Object after Receipt of Authentication Material Decryption Failure NACK
The AuC receives an authentication material decryption failure NACK either during or after an update. The
AuC is forced to respond by refreshing the KEKm, which encrypts the authentication material. Since the AuC
is only refreshing the KEKm it does not change the client display to indicate any activity with KEKm. This
defect exists because of the expectation of being able to see the activity on the Local Zones tab of the client.
There is already an audit event that indicates the failure. In other words, the impact is only that you will not
see a "not current" status for a Zone if an authentication material message is causing decryption failures.

Resolution/Workaround
None, since the recovery is automatic and the problem only visual. If necessary a search can be
performed on the audit trail to detect the presence of decryption failures.

SCK Crypto Schedule doesn’t Notify User When Next Active SCK
Not Set
The scheduled time for an SCK update arrives and the AuC attempts to initiate the update. However, the
next active SCK is not set and so the AuC is unable to begin the update. The update will be rescheduled
to try again in approximately 1 hour. No notification of this status is presented to the user.


Resolution/Workaround
This situation would typically occur either following the initial configuration of the SCK crypto schedule,
or after the SCK has been advanced through several updates such that slot 31 is currently active. On
initial configuration of the SCK crypto schedule, the operator should ensure that the next active pointer
is set. The operator should also note when the end of the map is reached and take appropriate action
to load a new map (if desired) and reset the next active slot to the desired value. After the next active
pointer has been set, the next retry to initiate the SCK update (within one hour) should successfully
initiate the update (assuming all AuCs in a nationwide configuration are able to proceed).

AuC Reports 127.0.0.1 to FullVision if Ethernet Cable Disconnected
During the first start up of the AuC after installation, the Ethernet cable is disconnected. The AuC and
its SNMP agents are started. The cable is later connected. The AuC reports the local host IP address
(127.0.0.1) to FullVision. FullVision displays the wrong IP address for the AuC.

Resolution/Workaround
Ensure the Ethernet cable is properly connected at both ends before starting the AuC. Verify/configure
the network parameters on the AuC server and shut down the AuC Sub Agent service and restart it.
The correct IP address for the AuC will now be displayed in FullVision.

MNI Change During Key Distribution Should Stop Distribution


MNI is changed at the UCS, which may occur before/during/after an authentication material
key update for subscribers. The AuC does not immediately use the MNI value when sending
Authentication Material. As a result, subscribers will not be able to authenticate, and will
be given access to the system using delayed authentication.

Resolution/Workaround
Restart the AuC service following an MNI change. Once the AuC is operational and connected to
the UCS, start an update of Authentication Material. This will ensure that Authentication Material
containing the new MNI value has been distributed for all subscribers.


Multiple Key Type Distributions May Cause AuC Application Deadlock
Making multiple key updates of, for example, KEKz, KEKm and CCK may cause updates to “stick”.

Resolution/Workaround
Avoid making multiple key distributions at the same time (especially two dependent key updates, for example,
KEKz and CCK). Take the AuC Out of Service and then back to the Operational state. If the update is not completed
and this is a nationwide system, the AuC must be delisted to allow the remaining AuCs to complete key updates.

The act of delisting must always be preceded by transitioning the whole cluster
down to SC2 before the associated AuC is delisted. Otherwise, if key distributions
are performed for CCK then key mismatches can occur between the SwMI and
MS, which would lead to complete loss of communications between SwMI and all
MSs serviced by the cluster. The cluster can only be reconfigured back to SC3
following re-integration of the delisted AuC to the nationwide AuC network.

The delisted AuCs have to be operated in single cluster mode to complete their updates
and then joined again to the nationwide network.

Add New Site, AuC Distributes KEKz and then Waits One Hour
to Send SCK
After EBTS(s) have been disabled for key updates, an update of KEKz and SCK is performed, after which the
EBTS is enabled for key updates. The EBTS does not update SCK immediately.

Resolution/Workaround
Disable and then enable the affected EBTSs for key updates. If no further action is taken,
key distributions will complete after one (1) hour.

Wrong or Incomplete NM Connection Checks to Start KEKz/SCK/CCK Updates

Scenario 1
CCK and SCK are keys provided to sites and are written to the ZDS. Currently, the AuC checks if the UCS
is connected before starting these two types of key updates. So if the UCS is disconnected, CCK and SCK
updates cannot be started and a message indicating UCS or ATR disconnected will be displayed to the user (at
least in the case of a manual update). Instead the ZDS should be checked and the message should be expanded
to indicate that the ZDS is disconnected. As a result, CCK/SCK keys cannot be sent out to sites if the UCS is
down, although it should still be possible to send them, since only ZDS connectivity matters in this case.
Resolution/Workaround
If the UCS needs to be taken down, avoid CCK/SCK key updates (manual or scheduled). If an update
occurs while the UCS connection is unavailable, the update will get stuck until the UCS returns.

Scenario 2
On a KEKz update, UCS connectivity is also checked, but ZDS connectivity is not.
This would allow a KEKz update to start and attempt to write site-secure information to a disconnected
ZDS. However, if a zone is opted out again like the ATR it shouldn’t matter whether the ZDS is up or
down for either of the two above cases. The update cannot be sent and goes to the 1 hour retry timer.
Resolution/Workaround
If the UCS and ZDS are disconnected, get both working/connected again. If only the ZDS is down and an
update is stuck, get the ZDS working/connected again. Once this is completed, it may be necessary to wobble sites.

Remote AuC Clients not Updated/Informed of Server State Changes
Stopping and then starting the AuC Service from the Windows® Services screen, or switching
over to the Standby AuC, does not provide any feedback to remote clients. You will see
out-of-date screens and will receive error messages when attempting to perform most operations.
The error message will indicate Network Error or Remote Client Error.

Resolution/Workaround
Shut down the client during a switch over and restart the client if receiving specified errors.

Chapter 11: Troubleshooting the PrC

This chapter covers the following topics:


• "Common PrC Client Start-Up Error Messages"
• "PrC Troubleshooting Scenarios"
• "PrC Worst Case Scenarios"
• "How to Restart the PrC"

Common PrC Client Start-Up Error Messages



During start up you may encounter one or more error messages that are displayed in an alert
box. The most common error messages are listed in Table 11-1.
Table 11-1 Common PrC Client Start-Up Error Messages and Descriptions

Error Message: Connection refused: connect. Please ensure the server is set up and running correctly.
Description: The server application is not running or is running incorrectly.

Error Message: Unknown. Please ensure the server is running correctly. If the server is rebooting, please wait until it finishes this process.
Description: Displayed most commonly when starting the client while the server application is in its start-up process.

Error Message: Database problem: Please ensure the server’s database is set up and running correctly.
Description: The database application is not running or is running incorrectly.

There are other error messages that may display during start-up of the PrC client application. These
other messages will indicate the root cause and are self-descriptive.
If you are unsuccessful at resolving your client start-up problem, please contact the ESSC for assistance.


PrC Troubleshooting Scenarios



Table 11-2 describes PrC troubleshooting scenarios.

In general, if the user is concerned that the PrC client is showing invalid or
incorrect data, the user should restart the client.

Table 11-2 Troubleshooting the PrC

Symptom: Operator is unable to load master key because there is no encryption device listed in the client encryption device management dialog.
Possible Cause: You may have the wrong version of the crypto card software on the crypto card.
Resolution:
• Stop the PrC server (the PrC Service).
• Check that the Windows® driver version is 1.0.0.0 and that the crypto card firmware (CCC/CE) version is 0200:0201. See the AuC Crypto Card Instruction Manual.

Symptom: Attempt to download K or SCK TMO and PrC displays no K or SCK downloaded.
Possible Cause:
• No K in repository
• No SCK TMO assigned
Resolution:
For K there are three options to add K to the repository:
• Auto generate.
• Import from file.
• Manual entry.
For SCK there are two options to define SCK:
• Import from file.
• Manual entry.

Symptom: KVL displays "Bad Response from PrC" when attempting to download provisioning material. PrC displays an error about an unknown KVL trying to connect.
Possible Cause:
• The KVL ID is mismatched
• Wrong KVL software version
Resolution:
• Check the PrC for the KVL ID. If the KVL does not reside in the PrC, add the KVL at the client.
• Check if the KVL has the correct ID assigned to it. This can be checked and changed in the KVL under the Au/PrC>SETUP>KVL ID Menu.
• Verify the correct KVL software is installed. This is shown at the KVL power up.

Symptom: PrC displays an error about the Unique Key Encryption Key (UKEK) when attempting to download provisioning material.
Possible Cause:
• Either the KVL’s UKEK is not correct or
• The PrC has not assigned the correct KVL UKEK or
• No KVL UKEK has been assigned.
Resolution:
• On the PrC, go to the KVLs tab and highlight the respective KVL. Click on the Assign the UKEK button and enter a UKEK. On the KVL, select the Au/PrC>SETUP>UKEK menu and edit the UKEK to be what was entered in the PrC.

Symptom: KVL does not give a "No K or SCK downloaded" message.
Possible Cause: The baud rates on the PrC and KVL do not match.
Resolution:
• Usually the PrC serial connection is set to 9600 baud. This can be set on the KVL at the CONFIG>BAUDR Menu. Select to edit and modify the baud rate to 9600.
• Check the PrC setting for KVL baud rate. This can be done by selecting System > Settings > KVL Port Settings on the PrC client.

Symptom: KVL displays an error about a PrC ID mismatch when attempting to download provisioning material.
Possible Cause: The PrC ID and the KVL setting for the AuC/PrC ID do not match.
Resolution:
• On the PrC, select the Settings option from the System menu. On the resulting dialog box, click on the miscellaneous tab and read the displayed PrC ID. Then on the KVL go to the Au/PrC>SETUP- PrC ID option and edit the PrC ID. Modify the PrC ID so that it is identical with the PrC ID read from the PrC application.

Symptom: PrC Database backup fails. (In events log see Database Backup failed)
Possible Cause: Not enough disk space to copy backup files
Resolution:
• See Chapter 9, "PrC Database Backup and Restore" for instructions on how to configure the PrC for backups.
• Delete unnecessary files from the hard disk to increase the available space.


PrC Worst Case Scenarios



Table 11-3 shows the PrC worst case scenarios.


Table 11-3 PrC Worst Case Scenarios

Symptom: The PrC operator is unable to connect to the PrC Server via the PrC client.
Possible Cause: Database Failure
Recommended actions:
• Ensure the database is functional. If the problem persists more than 10 minutes, reset the database server.
• Wait 10 minutes for the database server to become active, and then reset the PrC Server.

Symptom: The PrC operator will be able to connect to the PrC Server via the PrC Client. From the PrC client, the operator should notice that the PrC is in Out of Service state. (Check events log for Encryption Device Failure description and state change record.) Under the pull-down menu System, select Encryption Devices. The status of the crypto card will read Failed.
Possible Cause: Crypto Card Failure
Recommended actions:
• Ensure the proper master key is loaded. To do this, perform the Load Master Key steps as documented in the PrC User Guide. The same master key must be used if one was previously loaded. If the status of the crypto card returns to Working then from the System pull-down menu select Go Operational. If an error occurs indicating the wrong master key was loaded, then load the appropriate master key. If the old master key is lost, then the entire PrC Database is lost.


How to Restart the PrC



Follow Procedure 11-1 or Procedure 11-2 to restart the PrC.


Procedure 11-1 How to Restart the PrC — Method 1 Go Out of Service and Operational

1 With the client up, select Go out of Service from the System pull-down menu.
2 Then select Go Operational.

The PrC is still able to reload the Master Key while Out of Service.

Procedure 11-2 How to Restart the PrC — Method 2 Stop/Start PrC Server

1 Shut down the PrC client.
2 Click the Start button in the task bar and select the Control Panel.
3 Then select Administrative Tools, followed by Services.
4 In the Services section, click on the service labelled PrC.
5 Right-click on that service after it is highlighted, and click on Stop.
6 Right-click on the PrC service and select Start.
7 Restart the client.

Chapter 12: Handling Compromised Units

This chapter describes how the Dimetra IP system can handle compromised subscriber units.

Temporary Disabling/Enabling a Subscriber Mobile Station



When a subscriber mobile station (MS) is lost or its encryption keys are compromised, you
can temporarily disable the MS until the problem is resolved.
This task allows you to submit a temporary disable command to radios throughout the system
using the Radio Control Manager (RCM) application. Perform this task when you want to
temporarily disable a subscriber MS from operating on the system.
Follow Procedure 12-1 to submit a temporary disable command to a subscriber mobile station (MS).


Procedure 12-1 How to Temporarily Disable a Radio from Operating on the System
1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop (if
the RCM application is not running). If the RCM application is running, go to step 4.
Result: The NT Explorer window appears (Figure 12-1). This example shows a three-zone
system.

Figure 12-1 The NT Explorer

2 Click the icon for the Zone from which you want to issue the temporary disable command.
Result: The applications associated with the selected zone appear in the contents pane
(Figure 12-2).

Figure 12-2 Example of Zone Applications in the Application Launcher

3 Double-click the Radio Control Manager icon.
Result: The Radio Control Manager window appears (Figure 12-3).

Figure 12-3 The Radio Control Manager Window

4 Select Radio Commands from the Commands menu.
Result: The Radio Commands dialog box appears (Figure 12-4).

Figure 12-4 The Radio Commands Dialog Box

5 Select the Temporary Disable command from the Command drop-down combo box.

6 Type a radio alias or ID in the Radio field and click the right arrow button to move the entry to
the Radios Selected list. Use the following guidelines:
• You can enter either an alias or an ID. An ID must be within the valid ID range for the
system. Otherwise, it is considered an alias.
• You cannot enter duplicate radio entries within a single command.
• You can select only 100 radios. Each radio represents an individual task in a command.
To remove a radio from the Radios Selected list, select the radio and then click the left arrow
button.
7 Type a comment in the Comment field. Comments can be used for future reference (for example,
to describe the purpose of the command and the reason that it was submitted).
8 Click Submit.
Result: After a command is submitted, it appears in the Command Monitor window pane.
Subsequent actions on the command are monitored via the Command Monitor window pane.

After you click Submit, you cannot modify a command. The radios in the Radios
Selected list are the default selection for a new command. If you do not want a new
command to be issued to the same radio, you need to remove it from the list.

Due to radio system limitations and the impact on call traffic, radio commands are
sent to radios at a rate of two per second. When two or more commands are sent
to the same radio, a command is sent every two seconds.
9 Select Command Monitor from the View menu (if the Command Monitor window pane
is not currently displayed).
Result: The Command Monitor window pane appears (Figure 12-5).

Figure 12-5 The Command Monitor Window Pane

10 Examine the Command Monitor window pane columns for information about the Temporary
Disable command (see the Radio Control Manager Reference booklet for details). The following
columns provide key information:

The Status column provides an overview of the state of all of the radio tasks for that
command. After a radio command is submitted, it transitions through a number of
states before completing. See the Radio Control Manager Reference booklet for a
description of command status states as listed in the Status column.

The Reason column shows the reject or failure reasons for failed commands. See
the Radio Control Manager Reference booklet for a description of reject reasons
as listed in the Reason column.

Chapter 13: Authentication Centre Field Replaceable Units

This chapter covers the following topics:


• "Authentication Centre Field Replaceable Units"
• "Authentication Centre Periodic Maintenance Inspection"

Authentication Centre Field Replaceable Units



Field Replaceable Units (FRUs) are sub assemblies that can be replaced in the field and returned
to Motorola for repair. Table 13-1 lists the AuC FRUs. Repair of a failed or functionally limited
module is limited to removal of the failed FRU and installation of a functional replacement
FRU. Return all failed FRUs to Motorola for further repair.
Table 13-1 Authentication Centre FRUs

Component Name                     Field Replaceable Unit Part Number
Modem (Multitech ZBA)              GMDN1157A
KVM Switch, Keyboard, Display      GMLN4204A
AuC Crypto Card                    CLN7612A or DLN1236
Authentication Server              GMDN0275C or GMDN1093A
HD for GMDN0275C                   GMLN1156A (HP sparepart no: 286778-B22)
HD for GMDN1093A                   TG00085AA or TG00086AA
92MM FAN FOR GMDN0275C             GMLN1148A (HP sparepart no: 231213-001)
Processor Fan for GMDN1093A        WAPN4025A
Power Supply Fan for GMDN1093A     WAPN4026A
POWER SUPPLY FOR GMDN0275C         WAPN4023A (HP sparepart no: 347883-001)
POWER SUPPLY FOR GMDN1093A         WAPN4024A


For more information see:


• "Authentication Server Configuration Versions"
• "AuC - Equipment Rack"
• "AuC Cable Connections"
• "AuC Crypto Card"

Authentication Centre Periodic Maintenance Inspection



See Table 13-2 for information on recommended maintenance period under normal operating conditions.
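Table 13-2 Authentication Centre Periodic Maintenance Inspection

Part Number: GMDN0275C
Description: Authentication Server ML370
Comment: Model number
PMI: n/a

Part Number: GMDN1093A
Description: DIMETRA DL360 SERVER
PMI: n/a

Part Number: CLN7612A or DLN1236
Description: Authentication Centre Crypto Card
Comment: FRU
PMI Required: yes
Motorola recommended period under normal operating conditions: 8 years
PMI Action Required: Replace battery. Part number CNN6002A

Part Number: GMLN4204A
Description: Display, Keyboard and KVM Switch
Comment: FRE
PMI Required: yes
Motorola recommended period under normal operating conditions: as required
PMI Action Required: if on continuously, turn off periodically to cycle the degauss mechanism. Also, clean screen.

Part Number: GMDN1157A
Description: Modem (Multitech ZBA)
Comment: FRE encounter specific
PMI Required: no PMI required
Motorola recommended period under normal operating conditions: n/a
PMI Action Required: n/a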

Chapter 14: Setup Procedures for External Modems

This chapter covers the following topics:


• "Windows® Setup for MultiTech MT5634ZBA Modem"
• "Configuring the AuC/PrC to Work with a Modem"
• "Configuring the KVL to Operate with the Modem Option"

Windows® Setup for MultiTech MT5634ZBA Modem



Follow Procedure 14-1 when preparing MultiTech MT5634ZBA Modem for connection with Provisioning
Centre. For connection with the Authentication Centre no changes in Windows® setup are required.
Procedure 14-1 How to Setup Windows® for MultiTech MT5634ZBA
Modem for Connection with PrC

1 Download the MultiTech MT5634ZBA modem driver from the MultiTech website:
• Go to the MultiTech website driver download page at:
http://multitech.com/SUPPORT/Families/MultiModemZBA/drivers.asp
• Download the latest Windows certified version of these drivers.
• The drivers are provided as a self-extracting archive. Unpack them to a location on a hard
disk drive.
2 Stop AuC/PrC services:
• On the PrC computer select Programs > Administrative Tools > Services from the Windows®
Start menu.
• Right click on the PrC services and stop them.

3 Install New Modem in Windows®:
• In the Control Panel double click on the Modems or the Phone and Modem Options icon.

If the "Location Information" dialog window appears, please fill in the fields.
You will get the Modems Properties panel. Click the Add button and you will see the
Install New Modem window. Check the Don’t detect my modem box and then click Next.
• A list of modems and manufacturers will be displayed. Click the Have disk... button.
• Browse to the location where you extracted the files from the Zip archive, select the
5634.inf and click OK in the Install from Disk box.
• You will then be shown a selection box of the MultiTech modems. Pick your modem from
the list and click Next.

If you are uncertain about your particular model, please refer to the label located
at the bottom of the modem.
• Next pick COM1 port (where the modem should be plugged in) and click Next.
Result: Windows® will now set up the modem.


Configuring the AuC/PrC to Work with a Modem



Procedure 14-2 How to Configure the AuC/PrC Modem

1 Double-click the AuC application shortcut and log in with the appropriate user name and
password.
2 From the menu bar at the top of the Authentication Centre, select the System option and, from
the drop-down menu, select the Settings option.
3 Click the KVL Port Settings tab and set the following parameters:
• Port: COM1 (where the modem should be plugged in)
• Bit Rate: 9600
• Connection Type: Modem
Then click the OK button.
Result: The Authentication Centre is configured to work with a modem.

Configuring the KVL to Operate with the Modem Option



Procedure 14-3 How to Configure the KVL to Operate with the Modem Option

1 Connect the KVL serial port to the modem using a 9 to 25 way all-wired cable (Motorola part
number CKN6324A).
2 Check that the CTS LED on the modem is illuminated.
3 Scroll through the initial menu and select AUC/PRC.
4 Scroll through the menu and select Setup.
5 Select AUC/PRCSEL from the menu and then select Main. The KVL should display that the
ACTIVE AUC/PRC SETTING IS MAIN. Press Esc to move up one menu level.
6 Scroll through the menu and select DIAL. Select the appropriate dial method for the phone line
you are using and then press Esc to move back one menu level.
7 Scroll through the menu and select PHONE. Select MAIN and then EDIT. Enter the
Authentication/Provisioning centre phone number here and then press Enter when finished.
8 Press Esc several times until you return to the top level of the menu tree. Then scroll through
the options until you find the CONFIG option. Select this option.
9 Scroll through the options and select BAUDR. This should be set to 9600; if it is not, select
EDIT and change it to 9600.
10 Press Esc several times to return to the top level menu.
Result: The KVL should now be correctly configured to connect to the Authentication Centre via
a modem.



Dimetra IP 2006
System Release 6.0

Volume 10:
Authentication, Encryption
and Provisioning
Booklet 2
Managing Authentication,
Encryption and Provisioning

6802800U60-D
When printed by Motorola March 2007


Dimetra IP System Release 6.0
System Documentation

• Volume 1: Understanding your Dimetra IP System (6802800U51)
• Volume 2: Fault Management (6802800U52)
• Volume 3: Configuration Management (6802800U53)
  Booklet 3-1: Managing Zone Infrastructure
  Booklet 3-2: Managing Radio Users
  Booklet 3-3: Administering Servers, Controllers and Gateways
  Booklet 3-4: Managing Network Transport Equipment
  Booklet 3-5: Administering Databases
  Booklet 3-6: Feature Configuration
  Booklet 3-7: Fleetmap Management
• Volume 4: Accounting Management (6802800U54)
• Volume 5: Performance Management (6802800U55)
  Booklet 5-1: Monitoring System Performance
  Booklet 5-2: Managing Network Transport Equipment Performance
• Volume 6: Security Management (6802800U56)
• Volume 7: High Level Diagnostics and Troubleshooting (6802800U57)
• Volume 8: Field Replaceable Units and Entities (6802800U58)
• Volume 9: Installation and Configuration (6802800U59)
  Booklet 9-1: Master Site Hardware Installation
  Booklet 9-2: Master Site Software Installation
  Booklet 9-3: Network Transport Applications Installation and Configuration
• Volume 10: Authentication, Encryption and Provisioning (6802800U60)
  Booklet 10-1: Authentication, Encryption and Provisioning - Installation and Configuration
  Booklet 10-2: Managing Authentication, Encryption and Provisioning
• Volume 11: End-to-End Secure Communications (6802800U61)

Security/Authentication Feature Manuals

• PCI Short Form Crypto Card Service Manual (6802700U92)
• PCI Crypto Card Upgrade Manual (6881132E24)
• KMF Crypto Card Instruction Manual (6881003Y85)
• Alias Integrated Solution (AIS) Feature Manual (6802800U66)
• MultiCADI Feature Manual (6802800U67)
• UCS Synchronisation Tool Manual (6802800U62)
• AUC Crypto Card Instruction Manual (6802800U71)
• End to End Encryption KVL3000 Plus User Guide (6802800U14)
• Air Interface Encryption KVL3000 Plus User Guide (6802800U15)
• Backup/Restore Collector Application User Guide (6802800U22)
• Network Security Feature Manual (6802800U70)
• Telephone Interconnect Feature Manual (6802800U65)
• KVL 3000 Plus Key Variable Loader Service Manual, Provisioning Centre Users Manual, Data Feature Manual, MCC 7500 Feature Manual (manual numbers listed for this row: 6802800U69, 6802800U64, 6802800U68, 6802800U40)

Online Help

• Affiliation Display Online Help
• Application launcher Online Help
• Authentication Centre Online Help
• Performance Reports Online Help
• FullVision Online Help
• RCM Online Help
• RCM Reports Online Help
• Software Download Online Help
• UCM Online Help
• ZCM Online Help
• ZoneWatch Online Help
• System and Zone Profile Online Help
• KMF Online Help
• TESS Online Help

Service Information

EMEA Systems Support Centre (ESSC)

The EMEA Systems Support Centre provides a Technical Consulting service. This service is accessed via the Call
Management Centre.

Jays Close, Viables Industrial Estate
Basingstoke, Hampshire RG22 4PD,
United Kingdom
Contact via Call Management Centre
Telephone: +44 (0) 1256 484448
Email: ESSC@motorola.com

European Systems Component Centre (ESCC)

The European System Component Centre provides a repair service for infrastructure equipment, including the
MBTS. Customers requiring repair service should contact the Call Management Centre to obtain a Return
Authorisation number. The equipment should then be shipped to the following address unless advised otherwise.

Motorola GmbH CGISS
European Systems Component Centre
Am Borsigturm 130
13507 Berlin
Germany
Telephone: +49 (0) 30 66861414
Telefax: +49 (0) 30 66861426
E-Mail: ESCC@motorola.com

Parts Identification and Ordering

Requests for help in identifying non-referenced spare parts should be directed to the Customer Care
Organization of Motorola’s local area representation. Orders for replacement parts, kits and assemblies should be
placed directly with Motorola’s local distribution organization or via the Extranet site Motorola Online at
https://emeaonline.motorola.com.

EMEA Test Equipment Support

Information related to support and service of Motorola Test Equipment is available by calling the Motorola Test
Equipment Service Group in Germany at +49 (0) 6128 702179, Telefax +49 (0) 6128 951046, through the
Customer Care Organization of Motorola’s local area representation, or via the Internet at
http://www.gd-decisionsystems.com/cte/.

Your Input
...is much appreciated. If you have any comments, corrections, suggestions or ideas for this publication or any
other requirements regarding Motorola publications, please send an e-mail to doc.emea@motorola.com.

Updated Versions of this Manual
...are available at our Extranet site Motorola Online. Contact us at doc.emea@motorola.com for access.

Contents

Managing Authentication, Encryption and Provisioning

Icon Conventions

Chapter 1: Authentication and Air Interface Encryption Overview


Authentication and Air Interface Encryption Functionality
Authentication
Explicit Authentication
Implicit Authentication
Air Interface Encryption
DCK Air Interface Encryption (Security Class 3)
SCK Air Interface Encryption (Security Class 2)
No AI Encryption (Security Class 1)
Security Class and Air Interface Encryption Key Changes
Authentication and Air Interface Encryption Key Management
Key Management in Non–Nationwide Systems
Key Management in Nationwide Systems
Key Distribution
System Infrastructure
Subscriber Mobile Stations
Key Updates
Key Storage

Chapter 2: Authentication and Air Interface Encryption Configuration


Configuring Authentication and Air Interface Encryption Operation
System Object
EBTS Site Object
Configuring Devices for Authentication and Air Interface Encryption
Radio Object
KVL Object

Chapter 3: Introduction to Authentication Centre


AuC, PrC and AIE Introduction
Authentication Centre
What is the Authentication Centre?
Authentication Centre Client
Automatic Detection of Network Problems
Authentication Centre Server
Authentication Centre Database
Implementing Your Security Policy
Planning Your Steps
Technical Implementation Steps
First Steps
Starting the Authentication Centre Client Application
Changing a User Account Password
Verifying Authentication Centre Status
Displaying Key and Entity Information
Logging out of the Authentication Centre Client Application
The Main Window
Authentication Centre Main Window Structure
The Work Pane
The Events Pane
The Status Bar
The Menu Bar
Getting Help
Using Context Sensitive Help
Using Full Text Search

Chapter 4: Authentication and Air Interface Encryption Key Management


Entity Status and Key Information
Viewing Mobile Station Key Information
Generating Mobile Station (MS) Report
Viewing a List of Unmatched K-REF Pairs
Generating an Unmatched K-Ref Pairs Report
Viewing Zone Status and Key Information
Viewing BTS Site Status and Key Information
Viewing UCS Status
Viewing KVL Key Information and Status
Entering and Modifying Keys
Entering K-REF Pairs into the Authentication Centre
Importing a K-REF Pair File into the Authentication Centre
Importing a SCK-TMO Key File into the Authentication Centre
Modifying an SCK-TMO Key in the Authentication Centre
Setting the Next Active SCK-TMO Key
Entering the AuC Communications Key
Entering a Dimetra Distribution Key
Entering a UKEK Key for a KVL Device
Key Distribution
Provisioning Zone or BTS Site Entity with an Infrastructure Key
Loading an Infrastructure Key (Ki) to a BTS Site Entity
Reprovisioning Zone or BTS Site Entity with an Existing Infrastructure Key
Refreshing a Ki for Selected Zone or BTS Site Entity
Reprovisioning Zone or BTS Site Entity with a New Infrastructure Key
Updating a Ki Key for a Zone or BTS Site Entity
Clearing an Infrastructure Key from a Zone or BTS Site Entity
Scheduling Key Updates
Performing Immediate Key Updates
Assigning New Authentication Material for a Mobile Station
Enabling and Disabling Key Updates
Enabling/Disabling Key Updates for a Mobile Station
Enabling/Disabling Key Updates for a Zone
Enabling/Disabling Key Updates for an EBTS Site
Enabling/Disabling Key Updates By Key Type
Enabling/Disabling KVL Access to the Authentication Centre

Chapter 5: Nationwide AuC Configuration


Viewing AuC Connection Information and Status
Nationwide AuC System Configuration
Configuring Nationwide Master AuC
Configuring Nationwide Slave AuC
Rejected Key Update Event Log Messages
Key Updates in the Nationwide System
Slave AuCs Reconfiguration in the Nationwide System
Adding a New Slave AuC to the Nationwide System
Changing Expected Slave AuC
Removing Expected Slave AuC
Removing Slave AuC from the Nationwide System
Returning to the Single Cluster Mode
Nationwide AuC System Reconfiguration
Connecting Slave AuC to Another Master
Changing Master in the Nationwide System

Chapter 6: Events Pane


Viewing Authentication Centre Server Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Removing Authentication Centre Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Chapter 7: Audit Trail


Viewing an Event Audit Trail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Removing Audit Trail Data from the Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

Chapter 8: User Management


Creating an AuC User Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Modifying an AuC User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Deleting an AuC User Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

Chapter 9: System Management


Configuring Authentication Centre Operation Settings . . . . . . . . . . . . . . . . . . . . . . . . 9-2
The KVL Port Settings Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
The Miscellaneous Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
The User Settings Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
The Standby Settings Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Turning Standby Connection Monitoring On . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Turning Standby Connection Monitoring Off . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Viewing Encryption Device Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
Loading a Master Key into an Encryption Device . . . . . . . . . . . . . . . . . . . . . . . . 9-12
Changing Authentication Centre Operating State . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Scheduling Authentication Centre Database Backups . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Starting a Manual Authentication Centre Database Backup . . . . . . . . . . . . . . . . . . . . . . 9-18
Updating CCK Version after a Database Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19
Creating Standby Status Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Viewing Authentication Centre Version Information . . . . . . . . . . . . . . . . . . . . . . . . . 9-23


Chapter 10: FAQ


Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
How are Keys Provisioned in the Dimetra IP System? . . . . . . . . . . . . . . . . . . . . . . 10-2
How are Keys Stored in the Dimetra IP System? . . . . . . . . . . . . . . . . . . . . . . . . 10-2
How are Keys Updated in the Dimetra IP System?. . . . . . . . . . . . . . . . . . . . . . . . 10-2
What Do I Do if a Key is not Current? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
When Should I Perform an Audit Trail Search? . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Key Update Stages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Mobile Stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
What Do I Do if a K-REF Pair is Unmatched?. . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
When Should I Delete Unmatched K-REF Pairs? . . . . . . . . . . . . . . . . . . . . . . . . 10-4
General Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
How to Trigger Full Synchronization with the UCS . . . . . . . . . . . . . . . . . . . . . . . 10-5
How to Trigger Full Synchronization with the ZDS . . . . . . . . . . . . . . . . . . . . . . . 10-6
How to Resolve the Error ’Licence Limit Exceeded’? . . . . . . . . . . . . . . . . . . . . . . 10-7
What Happens if a Key Update Fails? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
What Do I Do if the Database Fails? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
What Do I Do if an Encryption Device Fails? . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
What Do I Do if I get an Error Message when Starting the Client? . . . . . . . . . . . . . . . . 10-8

Chapter 11: Screen Reference


Main Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
AuC Comm Key (Communication Key) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
AuC Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
AuC Net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Audit Search and Purge Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5
Audit Trail Information Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
DDK (Dimetra Distribution Key). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
EBTS Site Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7
Events Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-8
General Network Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
K-REF Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Key Database Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Key Schedule Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Key Schedules Selection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14
Key Status tree view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
KVL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16
KVL Status list view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Mobile Stations List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Mobile Stations Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-19
SCK-Trunked Mode Operation Information . . . . . . . . . . . . . . . . . . . . . . . . . . 11-20
Security Group Selection Tree View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-21
UCS Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-21
User Account Selection tree view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
User Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Zone Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-25
Secondary Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26
Add User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26
AuC Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-28
AuC Database Backup Schedule Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . 11-29
AuC Database Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Change Password Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-31
Encryption Devices Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-32
Key Update Lock Details Information Box . . . . . . . . . . . . . . . . . . . . . . . . . . 11-33

Key Update Lock Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-34


KVL UKEK Assignment Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-34
Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-35
Miscellaneous Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-36
Modify Schedule Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-37
Port Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-38
Purge Audit Trail Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-39
SCK-TMO Modify Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-39
Standby Settings Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-40
Update Common Cipher Key (CCK) Version . . . . . . . . . . . . . . . . . . . . . . . . . 11-41
User Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-43
Main Menu Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-44

List of Figures

Figure 1-1: Explicit Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2


Figure 1-2: Air Interface Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Figure 1-3: Security Class 3 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Figure 1-4: Security Class 2 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Figure 1-5: AuC in a Non-Nationwide Dimetra IP system . . . . . . . . . . . . . . . . . . . . . . 1-8
Figure 1-6: AuC in a Nationwide Dimetra IP system . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Figure 1-7: Infrastructure Key (Ki) distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Figure 1-8: Key Encryption Key (KEK) distribution . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Figure 1-9: Authentication Material Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Figure 1-10: Common Cipher Key (CCK)/Static Cipher Key–Trunked Mode Operation (SCK-TMO) key distribution . . . . . . . . . . . . . . . . . . . . . . 1-12
Figure 1-11: Derived Cipher Key (DCK) key distribution . . . . . . . . . . . . . . . . . . . . . . 1-12
Figure 2-1: PRNM Suite Application Launcher Window . . . . . . . . . . . . . . . . . . . . . . . 2-3
Figure 2-2: User Configuration Manager Window . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Figure 2-3: Open System Object Configuration Dialog Box . . . . . . . . . . . . . . . . . . . . . 2-5
Figure 2-4: System Object Configuration Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Figure 2-5: System Object Security Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Figure 2-6: PRNM Suite Application Launcher Window . . . . . . . . . . . . . . . . . . . . . . . 2-9
Figure 2-7: Zone Applications in PRNM Suite Application Launcher Window. . . . . . . . . . . . . 2-9
Figure 2-8: Zone Configuration Manager — Zone Object . . . . . . . . . . . . . . . . . . . . . . 2-10
Figure 2-9: Zone Configuration Manager — EBTS Site Object . . . . . . . . . . . . . . . . . . . . 2-11
Figure 2-10: Zone Configuration Manager — Open EBTS Site Object . . . . . . . . . . . . . . . . 2-12
Figure 2-11: Zone Configuration Manager — EBTS Authentication tab . . . . . . . . . . . . . . . . 2-13
Figure 2-12: User Configuration Manager — Radio Object. . . . . . . . . . . . . . . . . . . . . . 2-16
Figure 2-13: Radio Object Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Figure 2-14: User Configuration Manager — KVL Object . . . . . . . . . . . . . . . . . . . . . . 2-18
Figure 2-15: KVL Object Dialog Box — Basic Tab . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Figure 2-16: KVL Object Dialog Box — Configuration Tab . . . . . . . . . . . . . . . . . . . . . 2-19
Figure 3-1: The Nationwide Only Icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Figure 3-2: AuC and PrC System Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Figure 3-3: AuC in the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Figure 3-4: The Reconnecting Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Figure 3-5: The AuC Splash Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Figure 3-6: The Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Figure 3-7: The AuC Main Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
Figure 3-8: The Change Password Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Figure 3-9: The Main Window Status Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Figure 3-10: UCS Status and Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Figure 3-11: Zone/EBTS Key and Status Information . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Figure 3-12: The Exit Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Figure 3-13: The AuC Main Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Figure 3-14: The Work Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16

Figure 3-15: The Events Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19


Figure 3-16: The Status Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
Figure 3-17: The Menu Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Figure 4-1: The Mobile Stations Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Figure 4-2: The Mobile Station Search Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Figure 4-3: The Mobile Stations List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Figure 4-4: Mobile Stations Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Figure 4-5: Mobile Stations List Export Progress . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Figure 4-6: The Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Figure 4-7: The Delete Unmatched K-REF Pair Dialog Box . . . . . . . . . . . . . . . . . . . . . 4-7
Figure 4-8: The Delete All Unmatched K-REF Pairs Dialog Box . . . . . . . . . . . . . . . . . . . 4-7
Figure 4-9: The Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Figure 4-10: The Save Unmatched K-REF Pairs Report Dialog Box . . . . . . . . . . . . . . . . . 4-9
Figure 4-11: The Save Unmatched K-REF Pairs Report Confirmation Dialog Box . . . . . . . . . . . 4-9
Figure 4-12: Unmatched K-REF Pairs Report Completed . . . . . . . . . . . . . . . . . . . . . . 4-9
Figure 4-13: The Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Figure 4-14: The Zone Information Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Figure 4-15: The BTS Site Information Display . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13
Figure 4-16: The UCS Status and Version Information . . . . . . . . . . . . . . . . . . . . . . . . 4-15
Figure 4-17: The KVLs Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16
Figure 4-18: Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
Figure 4-19: K-REF Pairs Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19
Figure 4-20: Duplicate Ref in K-REF Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19
Figure 4-21: Import Keys from File Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
Figure 4-22: Import Key Confirmation Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . 4-21
Figure 4-23: Key File Scanning Status Alert Box . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21
Figure 4-24: Key Database Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22
Figure 4-25: SCK-Trunked Mode Operation Display. . . . . . . . . . . . . . . . . . . . . . . . . 4-23
Figure 4-26: Import Keys Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23
Figure 4-27: Import Key Confirmation Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
Figure 4-28: Key File Scanning Status Alert Box . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
Figure 4-29: Key Database Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Figure 4-30: SCK-Trunked Mode Operation display . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Figure 4-31: Modify SCK Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Figure 4-32: Key Database Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
Figure 4-33: SCK-Trunked Mode Operation display . . . . . . . . . . . . . . . . . . . . . . . . . 4-29
Figure 4-34: Change Next Active SCK Number Dialog Box . . . . . . . . . . . . . . . . . . . . . 4-29
Figure 4-35: Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30
Figure 4-36: AuC CommKey Information Display. . . . . . . . . . . . . . . . . . . . . . . . . . 4-31
Figure 4-37: Key Database Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Figure 4-38: DDK Information Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
Figure 4-39: KVLs Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Figure 4-40: UKEK Key Assignment Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Figure 4-41: Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39
Figure 4-42: Zones Tabbed Pane, Refresh Ki . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-40
Figure 4-43: Refresh Ki Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-40
Figure 4-44: Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-42
Figure 4-45: Zones Tabbed Pane, Update Ki . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
Figure 4-46: Update Ki Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
Figure 4-47: Key Schedules Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-45
Figure 4-48: Key Schedule Information display . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46
Figure 4-49: SCK-TMO Modify Schedule Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . 4-46
Figure 4-50: Key Schedules Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
Figure 4-51: Start Update Now Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-49
Figure 4-52: Key Update Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-49

Figure 4-53: Mobile Stations Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-50


Figure 4-54: Mobile Station Search Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-51
Figure 4-55: Mobile Stations List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-51
Figure 4-56: Update Authentication Material Dialog Box . . . . . . . . . . . . . . . . . . . . . . 4-52
Figure 4-57: Mobile Stations Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-53
Figure 4-58: Mobile Station Search Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-54
Figure 4-59: Mobile Stations List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-55
Figure 4-60: Disable Mobile Station Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . 4-55
Figure 4-61: Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-56
Figure 4-62: Disable Key Updates Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-57
Figure 4-63: Zones Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-58
Figure 4-64: Disable Key Updates Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-59
Figure 4-65: Key Schedules Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-60
Figure 4-66: SCK—TMO Modify Schedule Dialog Box . . . . . . . . . . . . . . . . . . . . . . . 4-61
Figure 4-67: KVLs Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-62
Figure 4-68: Deny Access to KVL Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-63
Figure 5-1: AuC Connectivity Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Figure 5-2: AuC Net Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Figure 5-3: General Network Information Display . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Figure 5-4: AuC Connection Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Figure 5-5: Expected AuC Slave in AuC Net Structure Display . . . . . . . . . . . . . . . . . . . . 5-9
Figure 5-6: Connected AuC Slave in AuC Net Window . . . . . . . . . . . . . . . . . . . . . . . 5-10
Figure 5-7: AuC Connection Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11
Figure 5-8: AuC Master Connecting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11
Figure 5-9: AuC Master Connected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
Figure 5-10: AuC Master Unknown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Figure 6-1: Events Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Figure 6-2: Events Pane Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Figure 6-3: Remove All Events Confirmation Dialog Box . . . . . . . . . . . . . . . . . . . . . . 6-3
Figure 7-1: Audit Trail Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Figure 7-2: Audit Trail Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Figure 7-3: Audit Trail Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Figure 7-4: Audit Trail Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Figure 7-5: Audit Trail Purge Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Figure 7-6: Audit Trail Purge in Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
Figure 7-7: Audit Trail Purge Completed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
Figure 8-1: User Management Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Figure 8-2: Add User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Figure 8-3: User Management Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Figure 8-4: User Management Tabbed Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Figure 8-5: Delete User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Figure 9-1: Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Figure 9-2: Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Figure 9-3: Miscellaneous Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Figure 9-4: Debug Log Enabled Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Figure 9-5: Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Figure 9-6: User Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Figure 9-7: Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Figure 9-8: Standby Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Figure 9-9: Monitor Standby Status Turned On . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Figure 9-10: Settings Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Figure 9-11: Monitor Standby Status Turned On . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Figure 9-12: Monitor Standby Status Turned Off . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
Figure 9-13: Encryption Device Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
Figure 9-14: Encryption Device Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13

Figure 9-15: Load Master Key First Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14


Figure 9-16: Load Master Key Step 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14
Figure 9-17: Load Master Key Step 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14
Figure 9-18: Load Master Key Step 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15
Figure 9-19: Load Master Key Step 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15
Figure 9-20: AuC Database Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Figure 9-21: AuC Database Backup Schedule Dialog Box . . . . . . . . . . . . . . . . . . . . . . 9-17
Figure 9-22: AuC Database Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Figure 9-23: Start AuC Database Backup Confirmation . . . . . . . . . . . . . . . . . . . . . . . 9-18
Figure 9-24: Update CCK Version Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19
Figure 9-25: Save Standby Status Report Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Figure 9-26: Save Standby Status Report Progress . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23
Figure 9-27: About Authentication Centre Window . . . . . . . . . . . . . . . . . . . . . . . . . 9-23
Figure 10-1: Full Synchronization with UCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Figure 10-2: Full Synchronization with ZDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Figure 11-1: AuC Comm Key (Communication Key) Display . . . . . . . . . . . . . . . . . . . . 11-1
Figure 11-2: AuC Connectivity display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Figure 11-3: AuC Net Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Figure 11-4: Audit Search & Purge Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5
Figure 11-5: DDK Information display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
Figure 11-6: EBTS Site Information display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7
Figure 11-7: Events Information display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-8
Figure 11-8: General Network Information Display . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Figure 11-9: K-REF Pairs Information display. . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Figure 11-10: Key Database Selection display . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Figure 11-11: Key Schedule Information Display . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Figure 11-12: Key Schedules Selection display . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14
Figure 11-13: Key Status tree view display . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Figure 11-14: KVL Information display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16
Figure 11-15: Key Status list view display . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Figure 11-16: Mobile Stations List Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Figure 11-17: Mobile Stations Search Display . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-19
Figure 11-18: SCK-Trunked Mode Operation Information display . . . . . . . . . . . . . . . . . 11-20
Figure 11-19: Security Group Selection Tree View. . . . . . . . . . . . . . . . . . . . . . . . . 11-21
Figure 11-20: UCS Information display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-21
Figure 11-21: User Account Selection display . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
Figure 11-22: User Information display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Figure 11-23: Zone Information display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-25
Figure 11-24: Add User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26
Figure 11-25: Set Expected Slave Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-28
Figure 11-26: Connect to Master AuC Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . 11-28
Figure 11-27: AuC Database Backup Schedule Display . . . . . . . . . . . . . . . . . . . . . . 11-29
Figure 11-28: AuC Database Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Figure 11-29: Change Password Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-31
Figure 11-30: Encryption Devices Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . 11-32
Figure 11-31: Key Update Lock Details Information Box . . . . . . . . . . . . . . . . . . . . . 11-33
Figure 11-32: Key Update Lock Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-34
Figure 11-33: KVL UKEK Assignment Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . 11-34
Figure 11-34: AuC Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-35
Figure 11-35: Miscellaneous Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . 11-36
Figure 11-36: Modify Schedule display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-37
Figure 11-37: Port Settings Display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-38
Figure 11-38: Purge Audit Trail Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-39
Figure 11-39: SCK-TMO Modify Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . 11-39
Figure 11-40: Standby Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-40

Figure 11-41: Update CCK Version display . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-41


Figure 11-42: User Settings Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-43

List of Tables

Table 1-1: Recommended Key Update Periods . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14


Table 1-2: Encryption Keys and their Source Materials. . . . . . . . . . . . . . . . . . . . . . . . 1-15
Table 2-1: Air Interface Encryption and Authentication Feature Operational Mode Settings. . . . . . . 2-1
Table 3-1: Security Planning Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Table 3-2: Procedures and Screen References Related to Tabs . . . . . . . . . . . . . . . . . . . . 3-17
Table 3-3: Authentication Centre (AuC) States of Operation . . . . . . . . . . . . . . . . . . . . . 3-20
Table 3-4: AuC Connection Status Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Table 3-5: Standby Database Connection States . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Table 3-6: Using Context Sensitive Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Table 5-1: Rejected Key Update Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Table 10-1: Overview: FAQ Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Table 10-2: Key Update Stages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Table 10-3: Common Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Table 11-1: Fields in the AuC Comm Key (Communication Key) Display . . . . . . . . . . . . . . . 11-1
Table 11-2: Buttons in the AuC Comm Key (Communication Key) Display . . . . . . . . . . . . . . 11-2
Table 11-3: Fields in the AuC Connectivity Information Display . . . . . . . . . . . . . . . . . . . 11-2
Table 11-4: AuC Server Status Information and Icons . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Table 11-5: Fields in the Audit Search & Purge Form display . . . . . . . . . . . . . . . . . . . . . 11-5
Table 11-6: Buttons in the Audit Search & Purge Form display . . . . . . . . . . . . . . . . . . . . 11-5
Table 11-7: Fields in the Audit Trail Information display . . . . . . . . . . . . . . . . . . . . . . . 11-6
Table 11-8: Fields in the DDK Information display . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
Table 11-9: Buttons in the DDK Information display. . . . . . . . . . . . . . . . . . . . . . . . . 11-7
Table 11-10: Fields in the EBTS Site Information display . . . . . . . . . . . . . . . . . . . . . . 11-7
Table 11-11: Buttons in the EBTS Site Information display. . . . . . . . . . . . . . . . . . . . . . 11-8
Table 11-12: Fields in the Events Information display . . . . . . . . . . . . . . . . . . . . . . . . 11-8
Table 11-13: Buttons in the Events Information display . . . . . . . . . . . . . . . . . . . . . . . 11-8
Table 11-14: Fields in the General Network Information Display . . . . . . . . . . . . . . . . . . . 11-9
Table 11-15: Fields in the K-REF Pairs Information display . . . . . . . . . . . . . . . . . . . . 11-11
Table 11-16: Buttons in the K-REF Pairs Information display. . . . . . . . . . . . . . . . . . . . 11-11
Table 11-17: Fields in the Key Database Selection display . . . . . . . . . . . . . . . . . . . . . 11-12
Table 11-18: Fields in the Key Schedule Information Display. . . . . . . . . . . . . . . . . . . . 11-13
Table 11-19: Buttons in the Key Schedule Information Display . . . . . . . . . . . . . . . . . . . 11-13
Table 11-20: Fields in the Key Update Selection display . . . . . . . . . . . . . . . . . . . . . . 11-14
Table 11-21: Key Status Icons (Zones and BTS sites) . . . . . . . . . . . . . . . . . . . . . . . 11-15
Table 11-22: Fields in the KVL Information display . . . . . . . . . . . . . . . . . . . . . . . . 11-16
Table 11-23: Buttons in the KVL Information display . . . . . . . . . . . . . . . . . . . . . . . 11-16
Table 11-24: Key Status Icons (KVLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Table 11-25: Fields in the Mobile Stations List display . . . . . . . . . . . . . . . . . . . . . . . 11-18
Table 11-26: Buttons in the Mobile Stations List display . . . . . . . . . . . . . . . . . . . . . . 11-18
Table 11-27: Fields in the Mobile Stations Search display . . . . . . . . . . . . . . . . . . . . . 11-19
Table 11-28: Buttons in the Mobile Stations Search display . . . . . . . . . . . . . . . . . . . . 11-20
Table 11-29: Fields in the SCK-Trunked Mode Operation Information display . . . . . . . . . . . . 11-20


Table 11-30: Buttons in the SCK-Trunked Mode Operation Information display . . . . . . . . . . . 11-21
Table 11-31: Fields in the UCS Information display . . . . . . . . . . . . . . . . . . . . . . . . 11-22
Table 11-32: Buttons in the UCS Information display . . . . . . . . . . . . . . . . . . . . . . . 11-22
Table 11-33: Fields in the User Information display . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Table 11-34: Access Permissions for AuC users . . . . . . . . . . . . . . . . . . . . . . . . . . 11-24
Table 11-35: Buttons in the User Information display . . . . . . . . . . . . . . . . . . . . . . . 11-24
Table 11-36: Fields in the Zone Information display . . . . . . . . . . . . . . . . . . . . . . . . 11-25
Table 11-37: Buttons in the Zone Information display . . . . . . . . . . . . . . . . . . . . . . . 11-25
Table 11-38: Fields in the Add User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26
Table 11-39: Access Permissions for AuC users . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27
Table 11-40: Buttons in the Add User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . 11-27
Table 11-41: Fields in the AuC Connection display . . . . . . . . . . . . . . . . . . . . . . . . 11-28
Table 11-42: Buttons in the AuC Connection display. . . . . . . . . . . . . . . . . . . . . . . . 11-28
Table 11-43: Fields in the AuC Database Backup Schedule Dialog Box . . . . . . . . . . . . . . . 11-29
Table 11-44: Buttons in the AuC Database Backup Schedule Dialog Box . . . . . . . . . . . . . . 11-29
Table 11-45: Fields in the AuC Database Dialog Box . . . . . . . . . . . . . . . . . . . . . . . 11-30
Table 11-46: Buttons in the AuC Database Dialog Box. . . . . . . . . . . . . . . . . . . . . . . 11-30
Table 11-47: Fields in the Change Password Dialog Box . . . . . . . . . . . . . . . . . . . . . . 11-31
Table 11-48: Buttons in the Change Password Dialog Box . . . . . . . . . . . . . . . . . . . . . 11-31
Table 11-49: Fields in the Encryption Devices Dialog Box . . . . . . . . . . . . . . . . . . . . . 11-32
Table 11-50: Buttons in the Encryption Devices Dialog Box . . . . . . . . . . . . . . . . . . . . 11-33
Table 11-51: Field in the Key Update Lock Details Information Box . . . . . . . . . . . . . . . . 11-33
Table 11-52: Buttons in the Key Update Lock Details Information Box . . . . . . . . . . . . . . . 11-33
Table 11-53: Field in the Key Update Lock Dialog Box . . . . . . . . . . . . . . . . . . . . . . 11-34
Table 11-54: Buttons in the Key Update Lock Dialog Box . . . . . . . . . . . . . . . . . . . . . 11-34
Table 11-55: Fields in the KVL UKEK Assignment Dialog Box . . . . . . . . . . . . . . . . . . 11-34
Table 11-56: Buttons in the KVL UKEK Assignment Dialog Box. . . . . . . . . . . . . . . . . . 11-34
Table 11-57: Fields in the Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-35
Table 11-58: Buttons in the Login Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-35
Table 11-59: Fields in the Miscellaneous Settings Dialog Box . . . . . . . . . . . . . . . . . . . 11-36
Table 11-60: Buttons in the Miscellaneous Settings Dialog Box. . . . . . . . . . . . . . . . . . . 11-36
Table 11-61: Fields in the Modify Schedule display . . . . . . . . . . . . . . . . . . . . . . . . 11-37
Table 11-62: Buttons in the Modify Schedule display . . . . . . . . . . . . . . . . . . . . . . . 11-37
Table 11-63: Fields in the KVL Port Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . 11-38
Table 11-64: Buttons in the KVL Port Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . 11-38
Table 11-65: Fields in the Purge Audit Trail Dialog Box . . . . . . . . . . . . . . . . . . . . . . 11-39
Table 11-66: Buttons in the Purge Audit Trail Dialog Box . . . . . . . . . . . . . . . . . . . . . 11-39
Table 11-67: Fields in the SCK-TMO Modify Dialog Box . . . . . . . . . . . . . . . . . . . . . 11-40
Table 11-68: Buttons in the SCK-TMO Modify Dialog Box . . . . . . . . . . . . . . . . . . . . 11-40
Table 11-69: Fields in the Standby Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . 11-40
Table 11-70: Buttons in the Standby Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . 11-41
Table 11-71: Fields in the Update CCK Version display . . . . . . . . . . . . . . . . . . . . . . 11-42
Table 11-72: Buttons in the Update CCK Version display . . . . . . . . . . . . . . . . . . . . . 11-42
Table 11-73: Fields in the User Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . 11-43
Table 11-74: Buttons in the User Settings Dialog Box . . . . . . . . . . . . . . . . . . . . . . . 11-44
Table 11-75: Main Menu Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-44



List of Procedures

Procedure 2-1: How to Configure the System Object for AI Encryption and Authentication Operations . . 2-3
Procedure 2-2: How to Configure the EBTS Site Object for AI Encryption and Authentication Operations . . . . . . 2-9
Procedure 2-3: Transitioning from Security Class 2 to 3 . . . . . . . . . . . . . . . . . . . . . . . 2-14
Procedure 2-4: How to Configure the Radio Object for Authentication Purposes . . . . . . . . . . . . 2-15
Procedure 2-5: How to Configure the Key Variable Loader (KVL) Object . . . . . . . . . . . . . . . 2-17
Procedure 3-1: How to Start the AuC Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Procedure 3-2: How to Change a User Account Password . . . . . . . . . . . . . . . . . . . . . . 3-11
Procedure 3-3: How to Check the Status of the UCS, Zone or a Site. . . . . . . . . . . . . . . . . . 3-13
Procedure 3-4: How to Log Out of the AuC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Procedure 4-1: How to View a Mobile Station’s Key Information . . . . . . . . . . . . . . . . . . . 4-3
Procedure 4-2: How to Generate Mobile Station (MS) Report . . . . . . . . . . . . . . . . . . . . 4-5
Procedure 4-3: How to View/Delete a List of Unmatched K-REF Pairs in the Authentication Centre . . 4-6
Procedure 4-4: How to Generate an Unmatched K-Ref Pairs Report . . . . . . . . . . . . . . . . . 4-8
Procedure 4-5: How to View Zone Status and Key Information . . . . . . . . . . . . . . . . . . . . 4-11
Procedure 4-6: How to view BTS site’s status and encryption key information . . . . . . . . . . . . . 4-13
Procedure 4-7: How to view UCS Status Information . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Procedure 4-8: How to View KVL Status and Key Information . . . . . . . . . . . . . . . . . . . . 4-16
Procedure 4-9: How to Enter K-REF Pairs into the Authentication Centre via Keyboard . . . . . . . . 4-18
Procedure 4-10: How to Import K-REF Pairs into the Authentication Centre. . . . . . . . . . . . . . 4-20
Procedure 4-11: How to Import SCK-TMO Keys into the Authentication Centre . . . . . . . . . . . . 4-22
Procedure 4-12: How to Modify an SCK-TMO Key in the Authentication Centre . . . . . . . . . . . 4-25
Procedure 4-13: How to Reset an Active SCK-TMO Key in the Authentication Centre . . . . . . . . . 4-28
Procedure 4-14: Entering an AuC CommKey into the AuC Database . . . . . . . . . . . . . . . . . . 4-30
Procedure 4-15: Entering a DDK key into the AuC database . . . . . . . . . . . . . . . . . . . . . 4-32
Procedure 4-16: How to Assign a UKEK Key to a KVL Device . . . . . . . . . . . . . . . . . . . 4-34
Procedure 4-17: How to Load an Infrastructure Key (Ki) to a BTS Site Entity . . . . . . . . . . . . . 4-36
Procedure 4-18: How to Refresh a Ki for Selected Zone or BTS Site Entity in the AuC Client . . . . . 4-39
Procedure 4-19: How to Update a Ki Key for a Zone or BTS Site Entity in AuC Client. . . . . . . . . 4-42
Procedure 4-20: How to Schedule Key Updates based on Key Type . . . . . . . . . . . . . . . . . . 4-45
Procedure 4-21: How to Perform Immediate Key Updates based on Key Type . . . . . . . . . . . . . 4-48
Procedure 4-22: How to Assign New Authentication Material for a Mobile Station . . . . . . . . . . 4-50
Procedure 4-23: How to Enable/Disable Key Updates for a Mobile Station . . . . . . . . . . . . . . 4-53
Procedure 4-24: How to Enable/Disable Key Updates for a Zone . . . . . . . . . . . . . . . . . . . 4-56
Procedure 4-25: How to Enable/Disable Key Updates for a BTS Site . . . . . . . . . . . . . . . . . 4-58
Procedure 4-26: How to Enable/Disable Key Updates based on Key Type . . . . . . . . . . . . . . . 4-60
Procedure 4-27: How to Enable/Disable KVL Access to the Authentication Centre . . . . . . . . . . 4-62
Procedure 5-1: Viewing AuC Connection Information and Status . . . . . . . . . . . . . . . . . . . 5-3
Procedure 5-2: How to Configure Nationwide Master AuC . . . . . . . . . . . . . . . . . . . . . . 5-8
Procedure 5-3: How to Configure Nationwide Slave AuC . . . . . . . . . . . . . . . . . . . . . . 5-10
Procedure 5-4: How to Add New Slave AuC to the AuC Net . . . . . . . . . . . . . . . . . . . . . 5-15
Procedure 5-5: How to Change Expected Slave AuC. . . . . . . . . . . . . . . . . . . . . . . . . 5-16


Procedure 5-6: How to Remove Expected Slave AuC . . . . . . . . . . . . . . . . . . . . . . . . 5-16


Procedure 5-7: How to Remove Slave AuC from the AuC System . . . . . . . . . . . . . . . . . . 5-17
Procedure 5-8: How to Return to Single Cluster Mode from Master AuC . . . . . . . . . . . . . . . 5-17
Procedure 5-9: How to Connect Slave AuC to Another Master . . . . . . . . . . . . . . . . . . . . 5-18
Procedure 5-10: How to Change Master in Nationwide AuC System . . . . . . . . . . . . . . . . . 5-19
Procedure 6-1: How to View AuC Server Events . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Procedure 6-2: Removing One or More Events from the AuC Events Display . . . . . . . . . . . . . 6-3
Procedure 7-1: Creating an Audit Trail of Authentication Centre (AuC) Events. . . . . . . . . . . . . 7-2
Procedure 7-2: Removing Audit Trail Data from the Authentication Centre (AuC) Database for Archival File Storage . . . . . . 7-4
Procedure 8-1: Creating a new Authentication Centre (AuC) User Account . . . . . . . . . . . . . . 8-2
Procedure 8-2: Modifying an existing Authentication Centre (AuC) User Account . . . . . . . . . . . 8-4
Procedure 8-3: Deleting an existing Authentication Centre User Account . . . . . . . . . . . . . . . 8-5
Procedure 9-1: How to Configure KVL Port Settings . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Procedure 9-2: How to Configure Miscellaneous Operation Settings . . . . . . . . . . . . . . . . . 9-3
Procedure 9-3: How to Configure the User Settings . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Procedure 9-4: How to Turn Standby Connection Monitoring On . . . . . . . . . . . . . . . . . . . 9-7
Procedure 9-5: How to Turn Standby Connection Monitoring Off. . . . . . . . . . . . . . . . . . . 9-9
Procedure 9-6: How to View the Status of AuC Encryption Devices . . . . . . . . . . . . . . . . . 9-11
Procedure 9-7: How to Load a Master Key into an Encryption Device. . . . . . . . . . . . . . . . . 9-13
Procedure 9-8: How to Change the State of the Authentication Centre (AuC) Server . . . . . . . . . . 9-16
Procedure 9-9: How to Schedule Authentication Centre Database Backups . . . . . . . . . . . . . . 9-16
Procedure 9-10: How to Start a Manual Authentication Centre Database Backup. . . . . . . . . . . . 9-18
Procedure 9-11: How to Manually Update the CCK Version Number . . . . . . . . . . . . . . . . . 9-20
Procedure 9-12: Updating a CCK Version by Connecting to the Nationwide System . . . . . . . . . . 9-21
Procedure 9-13: How to Create a Standby Status Report . . . . . . . . . . . . . . . . . . . . . . . 9-22
Procedure 9-14: Viewing Authentication Centre Version Information . . . . . . . . . . . . . . . . . 9-23
Procedure 10-1: How to Trigger Full Synchronization with the UCS . . . . . . . . . . . . . . . . . 10-5
Procedure 10-2: How to Trigger Full Synchronization with the ZDS . . . . . . . . . . . . . . . . . 10-7



List of Processes

Process 4-1: How to Provision Zone or BTS Site Entity with an Infrastructure Key . . . . . . . . . . 4-36
Process 4-2: How to Reprovision Zone or BTS Site Entity with an Existing Infrastructure Key . . . . . 4-38
Process 4-3: How to Reprovision a Zone or BTS Site Entity with a New Infrastructure Key . . . . . . 4-41
Process 5-1: Nationwide AuC System configuration . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Process 5-2: Key Update in the Nationwide System . . . . . . . . . . . . . . . . . . . . . . . . . 5-14



About This Booklet

Managing Authentication, Encryption and Provisioning

This booklet discusses management of the Dimetra IP system’s Authentication and Air Interface
Encryption feature. The purpose of this manual is to provide you with the knowledge and procedures
necessary to successfully manage Dimetra IP secure authentication and air interface encryption
operations in both the Dimetra IP radio system infrastructure and subscriber units.

What Is Covered In This Booklet?


This volume covers the management of the authentication and air interface encryption feature option
in the Dimetra IP system. This booklet includes the following topics:
• Processes and procedures for managing operation of the authentication and
air interface encryption feature
• Description of the authentication and air interface encryption features
• Discussion on planning and implementing your security policy
• Processes and procedures for managing encryption keys in the system infrastructure
• Description of the different aspects of secure encryption key management
This manual does not provide specific procedures for distributing keys using the Motorola
Provisioning Centre (PrC) or Key Variable Loader (KVL) tools. Where appropriate, you will
be referred to the relevant manuals for that information.

The purpose of this material is to provide you with the information that you will need to
use the Authentication Centre (AuC) application.
The material covered in this booklet is presented in the following chapters:
• Chapter 1, "Authentication and Air Interface Encryption Overview"
• Chapter 2, "Authentication and Air Interface Encryption Configuration"
• Chapter 3, "Introduction to Authentication Centre"
• Chapter 4, "Authentication and Air Interface Encryption Key Management"
• Chapter 5, "Nationwide AuC Configuration"
• Chapter 6, "Events Pane"
• Chapter 7, "Audit Trail"
• Chapter 8, "User Management"

• Chapter 9, "System Management"
• Chapter 10, "FAQ"
• Chapter 11, "Screen Reference"

Helpful Background Information


This volume is intended for those who operate, administer, and manage the authentication and air interface
encryption option in the Dimetra IP system. To use this manual effectively, you should be familiar with:
• The Authentication Centre (AuC) application
• Fundamentals of encryption and use of encryption keys
• The operating principles of a Dimetra IP system

Related Information
• Provisioning Centre (PrC) User Guide: Includes information on how to use the PrC application.

Icon Conventions

The document set is designed to give the reader more visual cues. The following graphic icons are used
throughout the documentation set. These icons and their associated meanings are described below.

SUGGESTION

A suggestion implies a recommendation or tip from Motorola that does not have to be
followed, but might be helpful. There is no warning level associated with a Suggestion.


Notes contain information more important than the surrounding text, such as exceptions or
preconditions. They also refer the reader elsewhere for additional information, remind the reader
how to complete an action (when it is not part of the current procedure, for instance), or tell the
reader where something is located on the screen. There is no warning level associated with a Note.

Information that is crucial to the discussion at hand, but that is not a Caution or Warning, receives
an Important icon. There is no warning level associated with the Important icon.

The caution icon implies information that must be carried out in a certain manner
to avoid problems, procedures that may or may not be necessary as determined by
the reader’s system configuration, and so on. Although no damage will occur if
the reader does not heed the caution, some steps may need repeating.

The warning icon implies potential system damage if the instructions or
procedures are not carried out exactly, or if the warning is not heeded.

The danger icon implies information that, if disregarded, may result in severe
injury or death of personnel. This is the highest level of warning.

If your Dimetra system is not running in “Nationwide Mode”, some of the screen shots in this manual will be
slightly different from what you will see on the system you are working on. All screens that might appear
different will be accompanied by the icon above, and a brief description of the possible differences.



Chapter 1: Authentication and Air Interface Encryption Overview

This chapter covers the following topics:


• "Authentication and Air Interface Encryption Functionality"
• "Authentication and Air Interface Encryption Key Management"

Authentication and Air Interface Encryption Functionality



To provide maximum security for over-the-air communications within the Dimetra IP system,
both validation of system entities (or authentication) and encryption of over-the-air signalling
and traffic are necessary. The Authentication and Air Interface Encryption feature provides
secure communication capabilities by safeguarding both access to the system and transmission
of sensitive over-the-air voice, data, and control signalling.
The Authentication and Air Interface Encryption feature relies on use of secure encryption keys that are
provisioned to equipment within the radio system infrastructure and to subscriber radios. These keys are used
to perform encryption and decryption services during the authentication and over-the-air encryption processes.
This section covers the following topics:
• "Authentication"
• "Air Interface Encryption"

Authentication
The Authentication feature allows the Dimetra IP system infrastructure and subscriber mobile station (MS) to
validate that the other entity is genuine before granting access to system services. Use of the Authentication
feature establishes a level of trust between the radio system infrastructure and the subscriber.
There are two types of authentication supported by the Dimetra IP system:


• "Explicit Authentication"
• "Implicit Authentication"

Explicit Authentication
Explicit authentication utilizes a "challenge-response-result" process to verify the validity of
a mobile station (MS). Initiated by the system infrastructure, explicit authentication of an MS
is generally performed during the following system actions:
• Mobile station (MS) power-up registration
• System-initiated registration
• Registration without air interface encryption applied
• Registration performed by a temporarily disabled MS
A successful explicit authentication is achieved when the MS verifies knowledge of a secret authentication
key (K). A unique secret authentication key (K) is loaded into each MS when commissioned and is never
transmitted outside the MS. Instead of using the authentication key (K) directly, the explicit authentication
process uses authentication material that is known by the MS and system’s zone controllers. The
authentication material is provided by the AuC and is derived from the MS’s authentication key (K).
Figure 1-1 illustrates the "challenge-response-result" process of explicit authentication.

Figure 1-1 Explicit Authentication

Upon receiving an explicit authentication challenge, an MS can also request an explicit mutual
authentication by the system infrastructure (the feature must be supported by the MS).


The SwMI can be deliberately configured to bypass the authentication process for
a given MS in order for it to gain access to the system. This can be achieved
by clearing an MS’s authentication material from the system infrastructure or
not provisioning a REF for the ITSI in the radio record provisioning an MS’s
K-REF pair in the AuC. However, the system can be configured to prevent users
accessing it without authentication (except under link failure conditions).
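
The "challenge-response-result" exchange and the bypass case from the note above, as a simplified model added here for illustration (it is not Motorola's code or the TETRA algorithms). HMAC-SHA-256 stands in for the real derivation functions, and the class names, the `seed` value, the `require_authentication` flag and all keys are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in primitive (HMAC-SHA-256); the page does not describe the real algorithms.
    return hmac.new(key, label + data, hashlib.sha256).digest()


def derive_auth_material(k: bytes, seed: bytes) -> bytes:
    """Derive per-MS authentication material from K (done by the AuC and by the MS)."""
    return _prf(k, b"material", seed)


def expected_response(material: bytes, challenge: bytes) -> bytes:
    """Response to a challenge, computed from the derived material, never from K directly."""
    return _prf(material, b"response", challenge)[:8]


@dataclass
class MobileStation:
    itsi: str
    k: bytes  # loaded at commissioning; never transmitted outside the MS

    def respond(self, seed: bytes, challenge: bytes) -> bytes:
        return expected_response(derive_auth_material(self.k, seed), challenge)


@dataclass
class AuthenticationCentre:
    keys: dict = field(default_factory=dict)  # ITSI -> K

    def issue_material(self, itsi: str):
        """Return (seed, material) for the zone controller; K itself stays in the AuC."""
        seed = secrets.token_bytes(16)
        return seed, derive_auth_material(self.keys[itsi], seed)


@dataclass
class ZoneController:
    require_authentication: bool = True  # hypothetical name for the "prevent access" setting
    material: dict = field(default_factory=dict)  # ITSI -> (seed, material)

    def register(self, ms: MobileStation) -> str:
        entry = self.material.get(ms.itsi)
        if entry is None:
            # No authentication material held for this ITSI: the bypass case in the note.
            if self.require_authentication:
                return "rejected: no authentication material"
            return "granted WITHOUT authentication"
        seed, material = entry
        challenge = secrets.token_bytes(16)                      # challenge
        response = ms.respond(seed, challenge)                   # response
        ok = hmac.compare_digest(response, expected_response(material, challenge))
        return "granted: authenticated" if ok else "rejected: bad response"  # result

    def unauthenticated_itsis(self, provisioned):
        """Audit helper: ITSIs that would register without ever being challenged."""
        return sorted(i for i in provisioned if i not in self.material)


def demo():
    # Constructed sample keys and identities.
    genuine = MobileStation("itsi-0001", bytes.fromhex("11" * 16))
    impostor = MobileStation("itsi-0001", bytes.fromhex("22" * 16))  # same ITSI, wrong K
    unprovisioned = MobileStation("itsi-0002", bytes.fromhex("33" * 16))

    auc = AuthenticationCentre(keys={genuine.itsi: genuine.k})
    strict = ZoneController(require_authentication=True)
    strict.material[genuine.itsi] = auc.issue_material(genuine.itsi)
    lax = ZoneController(require_authentication=False)

    return {
        "genuine": strict.register(genuine),
        "impostor": strict.register(impostor),
        "no_material_strict": strict.register(unprovisioned),
        "no_material_lax": lax.register(unprovisioned),
        "audit": strict.unauthenticated_itsis(["itsi-0001", "itsi-0002"]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `audit` entry lists the identities for which the infrastructure holds no authentication material, which is the set an operator should review before allowing unauthenticated access.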

Implicit Authentication
Implicit authentication relies on the encryption process to verify the validity of a mobile station’s
(MS’s) registration. A successful implicit authentication is achieved when the MS verifies knowledge
of the current air interface encryption key (SCK-TMO or CCK/DCK). If the BTS site can
successfully decrypt the registration request, the MS is considered authentic.
Implicit authentication is generally invoked for an MS after having performed a successful
explicit authentication during power-up, for example when roaming between sites and zones (call
restoration). The use of implicit authentication improves system cell reselection performance (over
explicit authentication) by avoiding unnecessary re-authentications.

Air Interface Encryption


The Air Interface (AI) Encryption feature allows the Dimetra IP system infrastructure and subscriber mobile
stations (MSs) to communicate over-the-air voice, data, and control signalling to each other in a secure manner.
Use of the Air Interface Encryption feature provides confidentiality of service between the infrastructure and
MS. There are three types of air interface encryption operational modes supported by the Dimetra IP system:
• CCK/DCK AI Encryption (known as Security Class 3) with SCK-TMO used as fallback
• SCK-TMO AI Encryption (known as Security Class 2)
• No AI Encryption (known as Security Class 1)

When operating with AI encryption enabled (Security Class 2 or 3), the system can be configured to
accept mobile stations (MSs) operating with no encryption (Security Class 1). This configuration
allows both clear and encrypted users to operate on the Dimetra IP system. This configuration
is not recommended since it is less secure than a system with all users using encryption.
The air interface encryption process uses encryption keys shared by MSs and Base Transceiver System
(BTS) sites. BTS site entity encryption keys are loaded either by the Authentication Centre (AuC)
or by the Zone Controller (ZC). MS encryption keys can be provisioned by the Provisioning Centre
(PrC), sent encrypted with other encryption keys from BTSs or generated internally by MSs. Some
keys are the same for the whole system, others are unique for each MS.
When operating, the air interface encryption process encrypts and decrypts all uplink and downlink short
subscriber identities (SSIs) as well as individual, group, and broadcast addressed information.
The air interface encryption process is illustrated in Figure 1-2.


Figure 1-2 Air Interface Encryption

The air interface encryption feature is implemented on a system-wide basis and supports operation
of both encrypted and non-encrypted (or “clear”) over-the-air traffic. For MSs, encryption and
decryption of traffic signalling is enabled or disabled by the radio system based on the encryption
state of each MS involved in a call. If enabled by the radio system, the MS encrypts/decrypts
information based on its knowledge of the encryption key.

DCK Air Interface Encryption (Security Class 3)


The DCK air interface encryption process uses a derived (equivalent to dynamic) cipher key (DCK)
in conjunction with a common cipher key (CCK) shared by the system’s BTS sites and individual
MSs. The CCK key is provided to BTS site entities by the AuC, while the DCK key is provided
to the BTS site entities by the zone controller and is unique for each MS. When operating, the air
interface encryption process encrypts and decrypts all uplink and downlink short subscriber identities
(SSIs) as well as group and broadcast addressed downlink signalling and traffic using the CCK key.
For individually addressed signalling and traffic the system uses the respective DCK key associated
with the MS (which is derived through the most recent successful authentication).
When the Dimetra IP system infrastructure and mobile stations operate with DCK AI encryption, both are said
to be operating at Security Class 3 (SC3). When the system is configured to operate in SC3, the system will
fall back to SC2 if any network link fails and, as a result, the authentication service is temporarily unavailable.
Figure 1-3 illustrates the Dimetra IP system operating in Security Class 3 mode.


Figure 1-3 Security Class 3 Operation

SCK Air Interface Encryption (Security Class 2)


The SCK air interface encryption process uses a static cipher key for trunked mode operation (SCK-TMO),
which is shared by the MS and the system’s BTS sites. The SCK-TMO key is provided to BTS site entities by the
AuC and is the same for all MSs. When operating, the air interface encryption process encrypts and decrypts all
uplink and downlink short subscriber identities (SSIs) as well as signalling and traffic using the SCK-TMO key.
When the Dimetra IP system infrastructure and mobile stations operate with SCK AI encryption,
both are said to be operating at Security Class 2 (SC2).
Figure 1-4 illustrates the Dimetra IP system operating in Security Class 2 mode:


Figure 1-4 Security Class 2 Operation

No AI Encryption (Security Class 1)


In the absence of AI encryption, the system infrastructure and mobile stations (MSs) operate at
Security Class 1 (SC1). When operating in Security Class 1 (including MSs operating at SC1 when
AI encryption is enabled), the MS is authenticated on power-on registrations.

Security Class and Air Interface Encryption Key Changes


The Dimetra IP system supports seamless, on-the-fly changes of security class and air interface encryption
keys (CCK / SCK-TMO key). Security class changes are supported between Security Class 2 (SC2) and
Security Class 3 (SC3). No security class changes involving Security Class 1 (SC1) are supported.
A security class mode change (from SC3 to SC2) is initiated by a BTS site when the system infrastructure
does not possess (or cannot generate) a DCK key for a mobile station attempting to register that
supports both SC2 and SC3 modes. The BTS site schedules the security class change, waits during
a specified notification period (set by the Security Class Notification Period field in the UCS System
Object), and then performs the security change seamlessly without loss of service.
In order for the BTS site to transform back to SC3 mode, the site must possess a DCK key for all registered
mobile stations. When the latter condition is met, the BTS site waits a specific period (set by the Security
Class Hysteresis Period field in the UCS System Object) before scheduling a security class change from
SC2 to SC3. Once this period has expired, the BTS site schedules the security class change, waits during
a specified notification period (set by the Security Class Notification Period field in the UCS System
Object), and then performs the security change seamlessly without a loss of service.
An air interface encryption key change is initiated by the BTS site when the site receives a key activation
message originated by the AuC. The BTS site schedules the key change, waits during a specified notification
period (set by the Key Change Notification Period field in the UCS System Object), and then performs the
key change seamlessly without loss of service. If a mobile station supporting Security Class 3 does not
possess a newly activated CCK key, the mobile station sends a request for the new key to the BTS
site. The BTS site sends the CCK key to the mobile station using over-the-air rekeying (OTAR).
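
The security class scheduling described above can be traced with a small timing model. The following Python code is an added example, not Motorola code: the class and function names are hypothetical, and it assumes that a scheduled change is never cancelled and that the hysteresis timer restarts whenever a DCK goes missing. It runs one constructed timeline with the normal timer values and with the temporary values that Procedure 2-3 applies.

```python
from dataclasses import dataclass, field
from typing import Optional

SC2, SC3 = "SC2", "SC3"


@dataclass
class BtsSite:
    """Timing model of one BTS site's security class scheduling (illustrative)."""
    sccnp: int = 5      # Security Class Change Notification Period, seconds
    schp: int = 300     # Security Class Hysteresis Period, seconds
    security_class: str = SC3
    transitions: list = field(default_factory=list)   # (time, new class)
    _pending: Optional[tuple] = None                  # (target class, activation time)
    _dck_ok_since: Optional[int] = None               # start of the hysteresis window

    def tick(self, now: int, all_dcks_present: bool) -> str:
        """Advance the model to second `now`.

        all_dcks_present is False when the infrastructure lacks a DCK for at
        least one registered or registering MS.
        """
        if self._pending is not None:
            target, activate_at = self._pending
            if now < activate_at:
                return self.security_class        # notification period still running
            self.security_class = target           # the change takes effect
            self.transitions.append((now, target))
            self._pending = None
            self._dck_ok_since = None

        if self.security_class == SC3:
            if not all_dcks_present:
                # Fallback: schedule SC3 -> SC2 and announce it for SCCNP seconds.
                self._pending = (SC2, now + self.sccnp)
        elif not all_dcks_present:
            self._dck_ok_since = None              # assumption: hysteresis restarts
        else:
            if self._dck_ok_since is None:
                self._dck_ok_since = now
            if now - self._dck_ok_since >= self.schp:
                # Condition held for SCHP seconds: schedule SC2 -> SC3.
                self._pending = (SC3, now + self.sccnp)
        return self.security_class


def simulate(dck_changes: dict, sccnp: int, schp: int, duration: int) -> list:
    """Run the model second by second and return the (time, class) transitions.

    dck_changes maps a time to the new value of "DCKs present for all MSs".
    """
    site = BtsSite(sccnp=sccnp, schp=schp)
    all_present = True
    for now in range(duration + 1):
        all_present = dck_changes.get(now, all_present)
        site.tick(now, all_present)
    return site.transitions


# Constructed timeline: a DCK is missing from t=10 s and available again at t=40 s.
TIMELINE = {10: False, 40: True}

if __name__ == "__main__":
    print("normal timers       :", simulate(TIMELINE, sccnp=5, schp=300, duration=1000))
    print("Procedure 2-3 timers:", simulate(TIMELINE, sccnp=300, schp=5, duration=1000))
```

With the normal values the site falls back to SC2 five seconds after the DCK is found missing; with SCCNP at 300 seconds the same fallback takes 300 seconds.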

Authentication and Air Interface Encryption Key Management

For the Dimetra IP system, operating the Authentication and Air Interface Encryption features requires the
storage, distribution, and update of encryption keys. These tasks are centrally managed in the system
by the AuC application. The AuC performs the following key management tasks:
• Tracks key currency status for devices within the system infrastructure.
• Generates, imports, and allows manual entry of key material.
• Stores all key material for the authentication and air interface encryption functions.
◦ Keys are stored encrypted in a database using a Master Key.
• Securely provisions keys to new system infrastructure devices using the key variable loader (KVL) device.
• Distributes new, updated keys to system infrastructure devices on a scheduled or on-demand basis.
This section covers the following topics:
• "Key Management in Non–Nationwide Systems"
• "Key Management in Nationwide Systems"
• "Key Distribution"
• "Key Updates"
• "Key Storage"

Key Management in Non–Nationwide Systems


For a single-cluster (non-nationwide) Dimetra IP system, one AuC is deployed for the entire
system. The AuC handles all key management tasks for the system.
Figure 1-5 illustrates the AuC in a non-nationwide Dimetra IP system.


Figure 1-5 AuC in a Non-Nationwide Dimetra IP system (diagram: AUC1 and UCS1 serving Zone1x)

Key Management in Nationwide Systems


For a multicluster, nationwide Dimetra IP system, an AuC is required for each cluster (each cluster supports
up to seven zones.) The AuC handles the key management tasks for the cluster. To support system-wide
key management tasks, the AuCs in the nationwide system communicate with one another to perform
updates of the KEKm, SCK-TMO, and CCK keys. These keys are coordinated between all AuCs and
subsequently distributed within their cluster. These system-wide keys are transferred securely between
AuCs using a shared AuC communications key, also referred to as the CommKey.
Figure 1-6 illustrates the AuC in a nationwide Dimetra IP system.

Figure 1-6 AuC in a Nationwide Dimetra IP system (diagram: AUC1 and UCS1 serve Zone1x in Cluster "A"; AUC2 and UCS2 serve Zone2x in Cluster "B". Each AuC is still responsible for a particular x-zone cluster; the AuCs synchronize and share distribution of common keys.)

An MS’s K-REF pair (required for authentication) must be manually delivered to the AuC
that is responsible for managing the MS, that is, the home cluster for the MS.

Key Distribution
Key distribution for the Authentication and Air Interface Encryption features is managed by the AuC. Delivery
of keys to system infrastructure devices (e.g., zone controllers, TETRA site controllers, base radio controllers)
is initiated by the AuC when a new entity is provisioned in the system and when key updates are enabled.
For subscriber mobile stations (MSs), key distribution is performed by the Dimetra IP system’s PrC
application (except for the CCK key, which is distributed to the MS over-the-air by the BTS site).


System Infrastructure
The AuC distributes keys to zone and BTS site entities in the system infrastructure. For system
infrastructure devices, authentication and air interface encryption keys are distributed using
an external key variable loader (KVL) device and over the system infrastructure network.
However, each key type is managed separately from the AuC.

The Network Management subsystem is used as a routing mechanism for key material.

Infrastructure Key (Ki)


The Infrastructure key (Ki) is used to encrypt the key encryption keys (KEKm/KEKz) that are
delivered to entities over the system infrastructure. A Key Variable Loader (KVL) is used to
distribute Ki keys throughout the Dimetra system (see Figure 1-7). In contrast, the KEKm and KEKz
keys are distributed via the Dimetra IP system network (see Figure 1-8).
The Key Variable Loader (KVL) is used to distribute the infrastructure key (Ki) from
the AuC to the following infrastructure devices:
• Zone Controllers
• TETRA site controllers and base radio controllers (both entity types share
the same Ki key within the BTS site)
To distribute the Ki key, the Authentication Centre (AuC) must be connected to the proper KVL device.
Once connected to the AuC, the KVL receives the Ki key from the AuC. The KVL is then connected
to the infrastructure device and transfers the key into the device. Next, the KVL is reconnected to
the AuC and transfers an acknowledgement (ACK) message from the infrastructure device to the
AuC. The ACK message signifies that the Ki key was provisioned successfully.

The AuC must be connected to the Dimetra IP system and establish connections to all
of its entities, BEFORE it will be able to generate Ki keys.
Figure 1-7 illustrates the infrastructure key (Ki) distribution.


Figure 1-7 Infrastructure Key (Ki) distribution

After the Ki is provisioned on a BTS site and the ACK is returned to the AuC (provisioning operation
complete), the AuC will update KEKz, SCK-TMO, and CCK keys in the BTS site.

Key Encryption Keys (KEKm/KEKz)


Key Encryption Keys (KEK) can be distributed once an infrastructure key (Ki) is loaded into the
target infrastructure devices. The AuC utilizes the KEKs to distribute authentication material and air
interface encryption keys over the system infrastructure network in encrypted form.
There are two types of KEKs:
• system key encryption key (KEKm)
• zone key encryption key (KEKz)
The KEKm key is used by the zone controller to encrypt/decrypt authentication material sent over
the infrastructure and to encrypt/decrypt the DCK key when sending it to another zone controller. The KEKz
key is used by BTS sites to encrypt/decrypt SCK-TMO and CCK keys sent over the infrastructure, and
by the zone controller to encrypt/decrypt the DCK key when sending it to BTS sites.
The KEKm or KEKz keys are distributed encrypted using the Ki key over the system infrastructure network.
The KEKm and KEKz keys are delivered to zone entities, while the KEKz key is delivered to BTS site entities.
Figure 1-8 illustrates how the KEKm and KEKz keys are distributed to zone and base entities.


Figure 1-8 Key Encryption Key (KEK) distribution

After the Ki is provisioned on a BTS site and the ACK is returned to the AuC (provisioning operation
complete), the AuC will update KEKz, SCK-TMO, and CCK keys in the BTS site.

Authentication Material
Unique authentication material is delivered to the zone controller for each mobile station (MS).
The authentication material keys are distributed as encrypted keys (using the KEKm key) over
the system infrastructure network. Once decrypted by the KEKm key, the authentication material
is used by zone controller to authenticate a mobile station (MS).

An ongoing authentication material distribution may be interrupted when a Home Zone Maps (HZM)
change occurs. In this case the distribution is automatically abandoned and an appropriate warning
message appears in the event log (HZM change interrupted ongoing authentication material distribution).
You must manually start the authentication material update when the HZM change is finished.
Figure 1-9 illustrates how the authentication material is distributed to the zone controller.

Figure 1-9 Authentication Material Distribution

After the Ki is provisioned on a BTS site and the ACK is returned to the AuC (provisioning operation
complete), the AuC will update KEKz, SCK-TMO, and CCK keys in the BTS site.


Common Cipher Key (CCK) and Static Cipher Key (SCK-TMO)


Air interface encryption keys (CCK and SCK-TMO) are distributed as encrypted keys (using the
KEKz key) to BTS site entities within a zone. Once decrypted using the zone key encryption key
(KEKz), the CCK and SCK-TMO keys are used to encrypt and decrypt air traffic.
A unique zone key encryption key (KEKz) is delivered to Base Transceiver System (BTS) site entities within
a zone. Once decrypted by the infrastructure key (Ki) and stored, the KEKz key is used to decrypt subsequent
static cipher key-trunked mode operation (SCK-TMO) keys sent from the Authentication Centre (AuC).
Figure 1-10 illustrates how the CCK and SCK-TMO keys are distributed to BTS site entities.

Figure 1-10 Common Cipher Key (CCK)/Static Cipher Key–Trunked Mode Operation (SCK-TMO) key distribution

After the Ki is provisioned on a BTS site and the ACK is returned to the AuC (provisioning operation
complete), the AuC will update KEKz, SCK-TMO, and CCK keys in the BTS site.

Derived Cipher Key (DCK)


A unique derived cipher key (DCK) is created during the explicit authentication process for the
MS and is distributed to the zone controller and BTS site. The DCK is encrypted with the system
key encryption key (KEKm) when transferring between zones, and encrypted with the zone key
encryption key (KEKz) when transferring to BTS sites within a zone.
Figure 1-11 illustrates how the DCK key is distributed to BTS site entities.

Figure 1-11 Derived Cipher Key (DCK) key distribution


After the Ki is provisioned on a BTS site and the ACK is returned to the AuC (provisioning operation
complete), the AuC will update KEKz, SCK-TMO, and CCK keys in the BTS site.

Subscriber Mobile Stations


The AuC provides storage of copies of the following keys that are loaded into
the subscriber mobile station (MS):
• authentication key (K)
• common cipher key (CCK)
• static cipher key-trunked mode operation key (SCK-TMO)
However, distribution of the K and SCK-TMO keys to an MS is not performed by the AuC. These
keys are provisioned to the MS using the Provisioning Centre (PrC) application.
Please refer to the Dimetra IP Provisioning Centre (PrC) User Manual (68P02700U72) for
further information on distributing SCK-TMO and K keys to subscriber MSs.

Common Cipher Key (CCK)


The CCK key is distributed from BTS sites to mobile stations (MSs) over-the-air (OTAR) encrypted by
the derived cipher key (DCK). Key distribution is initiated when the MS detects that it does not possess a
required version(s) of the CCK key. When this occurs, the MS sends a message to the BTS site requesting
the CCK key(s). The BTS site responds by sending keys over-the-air to the MS.

The DCK key is generated by the MS as part of the authentication process.

Static Cipher Key (SCK-TMO) / Infrastructure Key (K)


The SCK-TMO and K keys are provisioned to the mobile stations (MSs) using the
Provisioning Centre (PrC) application.
Please refer to the Dimetra IP Provisioning Centre (PrC) User Manual (68P02700U72) for
further information on distributing SCK-TMO and K keys to subscriber MSs.
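
The wrapping relationships described in the Key Distribution section form a hierarchy, and that hierarchy determines what has to be replaced when one key is compromised. The following Python code is an added example, not part of the Dimetra IP software: it records only the "encrypted using" relationships and replacement mechanisms stated in this section, treats every key carried under a compromised key as exposed (a conservative assumption), and orders the replacements so that each wrapping key is renewed before the keys it carries. The authentication key (K) and the AuC Master Key are outside the model, and all function names are hypothetical.

```python
from collections import deque

# "Parent protects child in transit", as stated in the Key Distribution section.
WRAPS = {
    "Ki":      ["KEKm", "KEKz"],                    # KEKs sent encrypted under Ki
    "KEKm":    ["Authentication Material", "DCK"],  # AuC -> zone controller; zone -> zone
    "KEKz":    ["SCK-TMO", "CCK", "DCK"],           # AuC -> BTS site; zone controller -> BTS site
    "DCK":     ["CCK"],                             # BTS site -> MS over the air (OTAR)
    "CommKey": ["KEKm", "SCK-TMO", "CCK"],          # AuC <-> AuC in nationwide systems
}

# Replacement mechanism for each key, limited to what this section names.
REPLACED_BY = {
    "Ki": "KVL provisioning from the AuC",
    "KEKm": "AuC scheduled or on-demand update",
    "KEKz": "AuC scheduled or on-demand update",
    "Authentication Material": "AuC scheduled or on-demand update",
    "SCK-TMO": "AuC update to BTS sites; PrC provisioning to MSs",
    "CCK": "AuC update to BTS sites; OTAR to MSs",
    "DCK": "next successful MS authentication",
    "CommKey": "not described in this section",
}


def exposed_by(compromised: str) -> set:
    """Return the compromised key plus every key carried under it, transitively."""
    if compromised not in REPLACED_BY:
        raise ValueError(f"unknown key type: {compromised}")
    seen, stack = set(), [compromised]
    while stack:
        key = stack.pop()
        if key not in seen:
            seen.add(key)
            stack.extend(WRAPS.get(key, []))
    return seen


def rekey_plan(compromised: str) -> list:
    """Order the affected keys so that every wrapping key is replaced first.

    Kahn's topological sort restricted to the affected part of the hierarchy.
    Returns a list of (key, replacement mechanism) pairs.
    """
    affected = exposed_by(compromised)
    indegree = {key: 0 for key in affected}
    for parent in affected:
        for child in WRAPS.get(parent, []):
            indegree[child] += 1
    queue, plan = deque([compromised]), []
    while queue:
        key = queue.popleft()
        plan.append((key, REPLACED_BY[key]))
        for child in WRAPS.get(key, []):
            indegree[child] -= 1
            if indegree[child] == 0:     # all of its affected wrappers are renewed
                queue.append(child)
    return plan


if __name__ == "__main__":
    for suspect in ("KEKz", "Ki"):
        print(f"If {suspect} is compromised, replace in this order:")
        for step, (key, how) in enumerate(rekey_plan(suspect), start=1):
            print(f"  {step}. {key}: {how}")
```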

Key Updates
The update of authentication and air interface encryption keys stored in the system infrastructure is
performed by the AuC (except for the derived cipher key (DCK), which is updated automatically
by the system during a successful authentication). The AuC provides the ability to perform
scheduled and on-demand updates of the following keys:
• authentication material
• common cipher keys (CCK)
• static cipher key-trunked mode operation keys (SCK-TMO)

• system key encryption keys (KEKm)
• zone key encryption keys (KEKz)

For nationwide Dimetra IP systems, all AuCs are required to be operational during
an update of KEKm, SCK and CCK keys.
Table 1-1 provides a list of recommended update periods for keys used by the authentication
and air interface encryption feature:
Table 1-1 Recommended Key Update Periods

Key Type                                                 Minimum Period   Typical Period       Maximum Period
Authentication Key (K)                                   if compromised   lifetime of MS       lifetime of MS
Infrastructure Key (Ki)                                  if compromised   lifetime of entity   lifetime of entity
Authentication Material                                  if compromised   6 months             12 months
System Key Encryption Key (KEKm)                         if compromised   12 months            18 months
Zone Key Encryption Key (KEKz)                           if compromised   12 months            18 months
Static Cipher Key-Trunked Mode Operation Key (SCK-TMO)   if compromised   12 months            18 months
Common Cipher Key (CCK)                                  if compromised   1 day                30 days
derived cipher key (DCK)                                 if compromised   24 hours             last successful authentication
AuC Comm Key (Communication Key)                         if compromised   lifetime of entity   lifetime of entity

Key Storage
The AuC maintains storage of key material used for the authentication and air interface encryption
functions. The key material is stored encrypted in a database using a Master Key supplied by
the AuC encryption device (an internal Crypto Card is used for encryption). The correct master
key must be used to read encryption keys from the AuC database.
The AuC database stores copies of key material currently loaded in system entities and maintains a repository
of new key material for future use. New key material is obtained by the AuC using one of three methods:
• Generated internally by the AuC using the encryption device
• Imported by file via CD-ROM or floppy disk
• Typed in manually via keyboard


Table 1-2 lists each authentication and air interface encryption key and the source of its key material.
Table 1-2 Encryption Keys and their Source Materials

Key Type    Generated by AuC    Imported by File    Typed via Keyboard
Authentication Key (K) x x
Authentication Material x
Infrastructure Key (Ki) x
System Key Encryption Key (KEKm) x
Zone Key Encryption Key (KEKz) x
Static Cipher Key-Trunked Mode Operation Key (SCK-TMO) x x
Dimetra Distribution Key (DDK) x
Common Cipher Key (CCK) x
Authentication Communication Key (AuC Comm key) x

When new key material is required in the system, the AuC retrieves a new version from the repository.
Once the new version is assigned, distributed, and successfully deployed in the proper system entity,
the key material/entity association is recorded and tracked by the AuC.



Chapter 2: Authentication and Air Interface Encryption Configuration

This chapter provides procedures for configuring the authentication and air interface
encryption feature option in the Dimetra IP system.
This chapter covers the following topics:
• "Configuring Authentication and Air Interface Encryption Operation"
• "Configuring Devices for Authentication and Air Interface Encryption"

Configuring Authentication and Air Interface Encryption Operation

To configure the operational mode for the air interface (AI) encryption and authentication features, the
Dimetra IP system maintains a set of configuration parameters in the network management subsystem.
These parameters are configured using the System object (of the User Configuration Manager (UCM)
application) and the EBTS Site object (of the Zone Configuration Manager (ZCM) application).
Table 2-1 provides the proper configuration settings for each operational mode of the
air interface encryption and authentication feature.
Table 2-1 Air Interface Encryption and Authentication Feature Operational Mode Settings

Operational Mode: Security Class 3 (DCK AI Encryption) in conjunction with authentication and with fallback encryption mode (to Security Class 2 Encryption)
System Object Settings (UCM):
• Authentication Enabled set to Yes
• Air Interface Encryption Enabled set to Yes
• Key Change Notification Period (KCNP) set to 300 seconds
• Security Class Change Notification Period (SCCNP) set to 5 seconds
The BTS will wait a minimum time equivalent to the settings of SCCNP, SCHP and KCNP.
EBTS Site Object (ZCM):
• Security Class 3 Enabled field set to Yes

Operational Mode: Security Class 2 (SCK AI Encryption) with Authentication
System Object Settings (UCM):
• Authentication Enabled set to Yes
• Air Interface Encryption Enabled set to Yes
• Key Change Notification Period set to 300 seconds
• Security Class Change Notification Period set to 5 seconds
EBTS Site Object (ZCM):
• Security Class 3 Enabled field set to No

Operational Mode: Security Class 2 (SCK AI Encryption) without Authentication
System Object Settings (UCM):
• Authentication Enabled set to No
• Air Interface Encryption Enabled set to Yes
• Key Change Notification Period set to 300 seconds
• Security Class Change Notification Period set to 5 seconds
EBTS Site Object (ZCM):
• Security Class 3 Enabled field set to No

Operational Mode: Security Class 1 (No AI Encryption) with Authentication
System Object Settings (UCM):
• Authentication Enabled set to Yes
• Air Interface Encryption Enabled set to No
EBTS Site Object (ZCM): N/A

Operational Mode: Security Class 1 (No AI Encryption) without Authentication
System Object Settings (UCM):
• Authentication Enabled set to No
• Air Interface Encryption Enabled set to No
EBTS Site Object (ZCM): N/A


System Object
The following task allows you to configure the Dimetra IP system for operation of the
authentication and air interface encryption feature.
Follow Procedure 2-1 to configure the UCM application’s System object for authentication
and air interface encryption operations.
Procedure 2-1 How to Configure the System Object for AI Encryption and Authentication Operations
1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop.
Result: PRNM Suite Application Launcher window appears.

Figure 2-1 PRNM Suite Application Launcher Window

2 Double-click the User Configuration Manager icon. The User Configuration Manager
window appears.
3 Select the System object in the left pane.
Result: The System object is listed in the window’s right pane.


Figure 2-2 User Configuration Manager Window

4 To open the System object configuration dialog box, do one of the following:
• highlight the system object in the right pane and select Open from the File menu (see
Figure 2-3), or
• highlight the system object in the right pane and use the Ctrl+O shortcut, or
• right-click the system object in the right pane and select Open from the pop-up menu


Figure 2-3 Open System Object Configuration Dialog Box

Result: The System object dialogue box is displayed.


5 Click on the Configuration tab.
Result: The System object’s configuration information is displayed.


Figure 2-4 System Object Configuration Dialog Box

6 Scroll down to the Security Parameters fields.


Result: The Security Parameters fields are displayed under the Configuration tab.


Figure 2-5 System Object Security Parameters

7 From the Air Interface Encryption Enabled field, select the appropriate radio button to enable
or disable the air interface encryption feature for the system.
8 From the Authentication Enabled field, select the appropriate radio button to enable or disable
the authentication feature for the system.
9 Using the Authentication Timer (sec) field, set the maximum length of time for an authentication
session.

If Authentication is enabled (see step 8), this field must be set to 30 seconds.
10 Using the Security Class 1 MS Supported field, select the appropriate radio button to enable
or disable the operation of security class 1 mobile stations (i.e., MS’s not using the air interface
encryption feature) on the system.
11 Using the Encrypted Registrations field, enable or disable DCK retrieval during initial cell
selection and cell reselection if operating the network in SC3.

The setting must be set to “Yes” if operating the network in SC3.

12 Using the Key Change Notification Period field, set the maximum number of seconds that the
notification period for an air interface encryption key change can last.

This field must be set to 300 seconds.


13 Using the Security Class Change Notification Period field, set the maximum number of seconds
that the notification period for a change of security class can last.

This field must be set to 5 seconds.

The BTS will wait a minimum time equivalent to the settings of SCCNP, SCHP
and KCNP.
14 Using the Security Class Hysteresis Period field, set the number of seconds that the conditions
for transitioning from security class 2 to security class 3 must be in effect before proceeding with
the security class change. See Procedure 2-3 for transitioning from Security Class 2 to 3.

This value must be set to 300 seconds.


15 Using the Encrypted Broadcast Information field, select the appropriate toggle button to enable
or disable broadcast encryption of neighboring cell (D-NWRK BROADCAST) and security
related information (D-CK CHANGE DEMAND).
16 Using the Tetra Encryption Algorithm Type field, select the algorithm used by the system for
the air interface encryption feature.
17 Using the Encrypted SSI Start Address and Encrypted SSI End Address fields, enter the
starting and ending addresses, respectively, for static cipher key (SCK) encryption for short
subscriber identities (SSI).
18 Click Apply.
Result: The authentication and air interface encryption feature settings for the system are
committed to the database.

EBTS Site Object


The following task allows you to configure the Dimetra IP system for operation of the
authentication and air interface encryption feature.
Procedure 2-2 explains how to configure the ZCM application’s EBTS Site object for
authentication and air interface encryption operations.
Procedure 2-3 explains the steps to be performed when enabling Security Class 3.


Procedure 2-2 How to Configure the EBTS Site Object for AI Encryption
and Authentication Operations
1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop.
Result: PRNM Suite Application Launcher window appears.

Figure 2-6 PRNM Suite Application Launcher Window

2 Double-click on the zone you wish to configure.


Result: The PRNM Suite Application Launcher window displays the following.

Figure 2-7 Zone Applications in PRNM Suite Application Launcher Window

3 Double-click the Zone Configuration Manager icon.
Result: The Zone Configuration Manager window appears.

Figure 2-8 Zone Configuration Manager — Zone Object

4 Select the EBTS Site object in the left pane.


Result: The existing EBTS Site objects are listed in the window’s right pane.


Figure 2-9 Zone Configuration Manager — EBTS Site Object

5 To open the EBTS Site object configuration dialog box, do one of the following:
• highlight the EBTS Site object in the right pane and select Open from the File menu (see
Figure 2-10), or
• highlight the EBTS Site object in the right pane and use the Ctrl+O shortcut, or
• right-click the EBTS Site object in the right pane and select Open from the pop-up menu


Figure 2-10 Zone Configuration Manager — Open EBTS Site Object

Result: The EBTS Site object dialogue box is displayed.


6 Select the EBTS Authentication tab.
Result: The EBTS Authentication tab appears.


Figure 2-11 Zone Configuration Manager — EBTS Authentication tab

7 Using the Security Class 2 only MS Supported radio button, select whether to allow mobile
stations that support only security class 2 (SCK AI encryption) operation to perform power-on
registration on the system.

This field setting does not affect other types of MS registrations, for example,
roaming. This parameter may be used to prevent legacy terminals performing
power-on registration.
8 Using the Security Class 3 Enabled radio button, select whether to enable security class 3
encryption (DCK AI encryption) for the EBTS site.
9 Click Apply.
Result: The EBTS Site object is committed to the database.

The following procedure is not applicable from Dimetra 5.2 SER system onwards, because the
system will automatically adjust the SCCNP and SCHP parameters from the default value.


Procedure 2-3 Transitioning from Security Class 2 to 3

1 During normal Class 2 cluster wide operation, the System Object Settings have the following values:
SCHP = 300
KCNP = 300
SCCNP = 5
2 Before enabling Security Class 3, the following must be performed:
• Log into UCM
• Open System Object > Settings
• Apply the following settings:
◦ SCHP = 5

◦ KCNP = 300

◦ SCCNP = 300

• Set Security Class 3 to Enabled in the relevant ZCMs (EBTS Site> Object)
• Ensure that the last site set is a local BTS
Result: This allows the initial distribution of keys to take place. If these parameters are not set
prior to enabling Class 3, a loss of service can occur.

If either the site link is disconnected or the link to the home zone is disconnected
whilst the SCCNP parameter is set to 300 seconds, then the subscriber will be unable
to register on the affected cell for up to 300 seconds, i.e. until the cell has transitioned
to Security Class 2. This transition to Security Class 2 occurs because it provides a
fallback encryption scheme, since Security Class 3 was not possible due to network
failures. Normally, the SCCNP parameter should be set to 5 seconds, which allows
the subscriber immediate access to the cell.
3 Verify that Security Class 3 is in operation:
• The last site set to Security Class 3 enabled should be the local site.
• Ensure that only one radio is registered on this site, and that the radio is configured to
use Security Class 3.
• Ten minutes after enabling Security Class 3 for the site, verify that the MS is registered
with SC3 and make a call with the radio.
• When the call is successful, proceed with step 4.
4 After enabling the Security Class 3 service within the cluster for a zone, and after allowing a
minimum of 10 minutes following the last EBTS Object change, the following must be carried out:
• Log in to UCM
• Open System Object > Configuration


• Apply the following settings:


◦ SCHP = 300

◦ KCNP = 300

◦ SCCNP = 5
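
The settings in Table 2-1, the required values in Procedure 2-1 and the temporary timer values in Procedure 2-3 can be checked together before and after a change. The following Python code is an added example, not a Motorola tool: the dictionary keys and function names are hypothetical stand-ins for values read manually from the UCM System object and the ZCM EBTS Site object, and the sample configuration is constructed.

```python
# Values the procedures in this chapter call for.
STEADY_TIMERS = {"schp": 300, "kcnp": 300, "sccnp": 5}       # Procedure 2-1, steps 12-14
ENABLEMENT_TIMERS = {"schp": 5, "kcnp": 300, "sccnp": 300}   # Procedure 2-3, step 2
AUTH_TIMER_SECONDS = 30                                      # Procedure 2-1, step 9


def operational_mode(system: dict, site: dict) -> str:
    """Name the Table 2-1 operational mode that the settings select."""
    if not system["ai_encryption_enabled"]:
        sec_class = "Security Class 1 (No AI Encryption)"
    elif site["sc3_enabled"]:
        sec_class = "Security Class 3 (DCK AI Encryption)"
    else:
        sec_class = "Security Class 2 (SCK AI Encryption)"
    auth = "with" if system["authentication_enabled"] else "without"
    return f"{sec_class} {auth} authentication"


def lint(system: dict, site: dict):
    """Return (mode, findings); each finding is a (code, message) pair."""
    findings = []
    auth = system["authentication_enabled"]
    sc3 = system["ai_encryption_enabled"] and site["sc3_enabled"]

    if sc3 and not auth:
        findings.append(("SC3_WITHOUT_AUTH",
                         "Table 2-1 lists Security Class 3 only with Authentication Enabled = Yes"))
    if sc3 and not system["encrypted_registrations"]:
        findings.append(("ENCRYPTED_REGISTRATIONS",
                         "Encrypted Registrations must be Yes when operating in SC3"))
    if auth and system["authentication_timer"] != AUTH_TIMER_SECONDS:
        findings.append(("AUTH_TIMER",
                         f"Authentication Timer is {system['authentication_timer']} s, "
                         f"must be {AUTH_TIMER_SECONDS} s when authentication is enabled"))

    timers = {name: system[name] for name in STEADY_TIMERS}
    if timers == ENABLEMENT_TIMERS:
        # Valid only while Procedure 2-3 is in progress; with SCCNP at 300 s a
        # link failure can block registration on the cell for up to 300 s.
        findings.append(("ENABLEMENT_TIMERS_ACTIVE",
                         "Procedure 2-3 values in effect; restore SCHP=300, SCCNP=5 "
                         "once SC3 operation is verified"))
    else:
        for name, wanted in STEADY_TIMERS.items():
            if timers[name] != wanted:
                findings.append((name.upper(),
                                 f"{name.upper()} is {timers[name]} s, expected {wanted} s"))
    return operational_mode(system, site), findings


# Constructed sample: an SC3 system in its normal operating state.
SAMPLE_SYSTEM = {
    "authentication_enabled": True, "ai_encryption_enabled": True,
    "authentication_timer": 30, "encrypted_registrations": True,
    "schp": 300, "kcnp": 300, "sccnp": 5,
}
SAMPLE_SITE = {"sc3_enabled": True}

if __name__ == "__main__":
    mode, findings = lint(SAMPLE_SYSTEM, SAMPLE_SITE)
    print(mode)
    for code, message in findings or [("OK", "no deviations found")]:
        print(f"  {code}: {message}")
```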

Configuring Devices for Authentication and Air Interface Encryption

The Dimetra IP system maintains specific device configuration information within the network management
subsystem relating to operation of the authentication and air interface encryption feature. The following
device objects contain parameters used by the authentication and air interface encryption feature option:
• Radio (Mobile Station)
• KVL

Radio Object
A Radio object maintains a field for storing the mobile station’s radio reference ID (REF).
The REF is defined as either the mobile station’s TETRA equipment identity (TEI) or
subscriber identity module identifier (SIM-id).

Any mobile station that does not have a REF assigned will not be stored or displayed
by the Authentication Centre (AuC). The mobile station will be permitted access
to the system without using authentication.
Procedure 2-4 explains how to enter a mobile station’s REF parameter using the Radio object.
Procedure 2-4 How to Configure the Radio Object for Authentication Purposes

1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop.
Result: The PRNM Suite Application Launcher window appears.

2 Double-click the User Configuration Manager icon.
Result: The User Configuration Manager window appears.

3 Select the Radio object in the left pane.
Result: The Radio object is listed in the window’s right pane.

Figure 2-12 User Configuration Manager — Radio Object

4 To open the Radio object configuration dialog box, do one of the following:
• highlight the Radio object in the right pane and select Open from the File menu, or
• highlight the Radio object in the right pane and use the Ctrl+O shortcut, or
• right-click the Radio object in the right pane and select Open from the pop-up menu
Result: The Radio object dialog box is displayed.

Figure 2-13 Radio Object Dialog Box

5 In the Radio Reference ID field, enter the radio’s assigned REF number. The REF number
can be either the SIM number (using the S prefix) or the TEI number (using the T prefix).
6 Click Apply.
Result: The authentication setting for the radio is committed to the database.

KVL Object
A KVL object maintains configuration information for use by the authentication and
air interface encryption feature option.

Before the KVL can be used with the AuC, the same UKEK key must be assigned
in the KVL itself and in the AuC application.
Procedure 2-5 explains how to configure a KVL object.
Procedure 2-5 How to Configure the Key Variable Loader (KVL) Object
1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop.
Result: The PRNM Suite Application Launcher window appears.
2 Double-click the User Configuration Manager icon.
Result: The User Configuration Manager window appears.

3 Select the Key Variable Loader object (under the System Configuration folder) in the left pane.
Result: The existing KVL objects are listed in the window’s right pane.

Figure 2-14 User Configuration Manager — KVL Object

4 To open the KVL object configuration dialog box, do one of the following:
• highlight the KVL object in the right pane and select Open from the File menu, or
• highlight the KVL object in the right pane and use the Ctrl+O shortcut, or
• right-click the KVL object in the right pane and select Open from the pop-up menu
Result: The KVL object dialog box is displayed.

Figure 2-15 KVL Object Dialog Box — Basic Tab

5 Using the KVL Alias field, enter an alias that uniquely identifies the KVL.
6 Using the KVL ID field, enter an ID number that uniquely identifies the KVL.
7 Using the Security Group field, assign the KVL to a security group on the system.
8 Click on the Configuration tab.
Result: The KVL object’s configuration information is displayed.

Figure 2-16 KVL Object Dialog Box — Configuration Tab

9 In the Configuration tab display, select the zones to which the KVL will be allowed to download
encryption keys obtained from the AuC.
10 Click Apply.
Result: The KVL object is committed to the database.

Chapter 3: Introduction to Authentication Centre

The Authentication Centre (AuC) is a client/server software application that handles encryption
key management duties for the Motorola Dimetra IP two-way radio system. The AuC
handles distribution, storage, and update of encryption keys used by the Dimetra IP system’s
Authentication and Air Interface Encryption feature.
The AuC provides the following features:
• Up-to-date display of key currency status for appropriate Dimetra IP radio system infrastructure devices.
• Central location for secure storage of both infrastructure and subscriber device
keys. Keys can be imported via file, typed in via keyboard, or generated by
the AuC’s encryption device (Crypto Card (CC)).
• Scheduled or on-demand key updates of infrastructure devices using secure distribution methods.
• Unique authentication key material that enables the system to perform real-time
authentication of subscriber mobile stations and infrastructure devices without
the need to transmit a secret authentication key.

This chapter covers the following topics:


• "AuC, PrC and AIE Introduction"
• "Authentication Centre"
• "Implementing Your Security Policy"
• "First Steps"
• "The Main Window"
• "Getting Help"

If your Dimetra system is not running in “Nationwide Mode”, some of the screen shots in this manual will
be slightly different from what you’ll see on the system you are working on. All screens that might appear
different are accompanied by the icon below, and a brief description of the possible differences is given.

Figure 3-1 The Nationwide Only Icon

AuC, PrC and AIE Introduction

This section provides an overview of the Authentication Centre (AuC) and Provisioning Centre
(PrC) components installed in the Dimetra IP system.
The AuC provides the authentication and key management material for devices related to air interface
security functions in the Dimetra IP. It is responsible for generating the cipher keys used for key
management throughout the infrastructure, and accountable for scheduled key changes, including
changing the SCK and CCK. One AuC is required for each cluster.
Infrastructure keys are provisioned via the Key Variable Loader (KVL). Other keys and infrastructure
data are distributed via the TCP/IP network to infrastructure servers.
These servers are:
• FullVision (FV)
• Zone Database Server (ZDS)
• User Configuration Server (UCS)
• Air Traffic Router (ATR)

The PrC generates, stores, and tracks delivery of K and SCK-TMO keys to the subscriber Mobile Stations
(MSs), using the Key Variable Loader (KVL) as a proxy to transport and confirm delivery. In addition, the
PrC generates and exports a file containing K-REF pairs to the Authentication Centre (AuC).
The Key Variable Loader (KVL) is a secure “store-and-forward” device for transporting and
provisioning keys from the PrC to Mobile Stations and from the AuC to Zone Controllers and
BTSs. The Crypto Card (CC) provides tamper-proof key encryption services. It must be
installed in the designated PrC workstation and in the AuC Server.
Figure 3-2 shows how the Dimetra IP infrastructure devices interface with the Authentication
Centre (AuC) and the Provisioning Centre (PrC).

Figure 3-2 AuC and PrC System Diagram

Authentication Centre

This section describes the basic principles of what the AuC does and its infrastructure.
After reading the contents of this section you should:
• Be familiar with the functions that the AuC performs.
• Have gained an understanding of what the AuC Client, AuC Server and AuC Database do.

This section covers the following topics:


• "What is the Authentication Centre?"
• "Authentication Centre Client"
• "Authentication Centre Server"
• "Authentication Centre Database"

What is the Authentication Centre?


The Authentication Centre (AuC) is a Windows®-based, client/server application used to manage encryption
keys for the Dimetra IP radio system. The AuC generates, stores, distributes, and updates encryption keys
used by the Dimetra IP system’s optional Authentication and Air Interface Encryption feature.
As shown in Figure 3-3, the AuC (shown in red) is a single application that serves all zone and
Base Transceiver System (BTS) site entities throughout the cluster.

Figure 3-3 AuC in the System

The AuC also maintains an external connection to the Key Variable Loader (KVL). The KVL
is connected either directly or via modem and is used for non-encrypted key transfers from the
AuC to each zone or Base Transceiver System (BTS) site entity.
The AuC client/server application utilizes a "three-tier" approach that distributes the software
application into three separate, but dependent entities:
• "Authentication Centre Client"
• "Authentication Centre Server"
• "Authentication Centre Database"

Authentication Centre Client


The Authentication Centre (AuC) Client application provides the user interface for system
operators to perform key management operations. The AuC client is a Java application
that provides a Microsoft® Windows® look and feel.
The AuC supports multiple clients (running on remote PCs) communicating with the AuC server.

On nationwide systems the AuC clients can connect to other servers to get information
on other AuCs in the system.

Automatic Detection of Network Problems


The AuC Client application is able to detect network problems. When the connection between the client and the
server breaks down, a Reconnecting dialog box appears (see Figure 3-4). It may take up to one minute before it
appears. In this way you can finish your work gracefully and fix the underlying network problem (if necessary).
The automatic reconnecting function is not supported after a long-term disconnection or a server
reboot; in such cases a restart of the client is recommended.

Figure 3-4 The Reconnecting Dialog Box

Authentication Centre Server


The Authentication Centre (AuC) Server application provides the back-end processing services
for the overall AuC application. These services include:
• Transaction and security management
• Database access and management
• Client/server communications
• Logging and auditing services
• External entity services (Crypto Card, KVL, UCS, ZDS, FullVision INM, AuC and ATR)

The AuC server application is deployed on a designated Windows® 2000 Server PC either alone or
together with the AuC database. An AuC client can also be installed on the AuC server.

Authentication Centre Database


The Authentication Centre (AuC) database stores key management data and key material for use by
the Authentication Centre client/server application. The data stored in the AuC database is encrypted
and decrypted using a master key stored in the AuC encryption device.

Implementing Your Security Policy

This section describes planning steps required to make effective use of the Dimetra IP system’s authentication
and air interface encryption features. This section covers the following topics:
• "Planning Your Steps"
• "Technical Implementation Steps"

Planning Your Steps


Before performing the implementation steps in the next section, answer the following basic security questions
(Table 3-1), which should help you make some important decisions in implementing your security policy.
Table 3-1 Security Planning Questions

Security Question | System Feature/Control
Will you allow security class 1 mobile stations to operate on the system? | UCM System object
Will authentication be required by mobile stations? | UCM System object
How often do you want to change keys? | AuC Key Scheduling
What will be the source of imported keys used in the system? | AuC Key Database
Who will have access to the Authentication Centre (AuC)? | AuC User Management
What permissions should each AuC user have? | AuC User Management
What key variable loaders (KVLs) are allowed to communicate with the AuC? | AuC System Management
If a new entity is added to the system, do you want the entity to automatically receive keys from AuC? | AuC System Management
How will sensitive documents and key material media (such as CDs) be stored? | N/A
How do you want to handle possible key compromise via a lost or stolen subscriber unit? | N/A

Technical Implementation Steps


Once you have made decisions as to your security policy, consider the following technical
activities required in implementing authentication and air interface encryption key management
for the Dimetra IP system. The technical activities mentioned below are dealt with in Volume
10 “Authentication, Encryption and Provisioning”.
• Installing and configuring the AuC application
• Setting up AuC user accounts
• Setting up overall authentication and air interface encryption operating parameters
• Installing and configuring the PrC application
• Configuring radio and key variable loader (KVL) objects
• Distributing keys to system infrastructure and subscriber devices
• Implementing a centralized key management system
• Archiving and logging key management activities
• Dealing with compromised units

First Steps

This section introduces you to a number of tasks related to starting to work with the AuC application.
These will be especially useful if you are a new user of the application. The following topics
provide information on relevant procedures and reference information.
This section covers the following topics:
• "Starting the Authentication Centre Client Application"
• "Changing a User Account Password"
• "Verifying Authentication Centre Status"
• "Displaying Key and Entity Information"
• "Logging out of the Authentication Centre Client Application"

Starting the Authentication Centre Client Application


If you have not yet launched the Authentication Centre (AuC) application, follow
Procedure 3-1 to launch the client application.

If one or more error messages are displayed during start-up, refer to "What Do I Do if
I get an Error Message when Starting the Client?" for assistance.

Procedure 3-1 How to Start the AuC Client

1 Double-click on the Authentication Centre shortcut icon on the desktop or select the
Programs>Motorola>Authentication Centre Client application from the Windows® start-up
menu.
Result: The splash screen appears.

Figure 3-5 The AuC Splash Screen

2 After a few seconds, the Authentication Centre - Login dialog box appears.

Figure 3-6 The Login Dialog Box

3 Type in your user name and password.

To change the password immediately upon login, check the Change Password
checkbox (see Procedure 3-2).
Result: A few seconds after logging in, the Authentication Centre client main window appears.

Figure 3-7 The AuC Main Window

When you log into the client for the very first time after installation you will
have to use the following default values:
• User Name: admin
• Password: changeme1
After logging in using default values, you must add a new user to the database. In order to
begin the normal operation of the AuC, this user must be given user management permission.
You should then exit the application and log in again using the new user values. After you
have logged in as this new user, the default login values will no longer be valid.

Changing a User Account Password


When logging in for the first time, you will have to change your assigned password.
Follow Procedure 3-2 to change the password.
Procedure 3-2 How to Change a User Account Password

1 Select Change Password from the User menu.

When logging in for the first time the Change Password dialog box appears
automatically and change of password is obligatory.
Result: The Change Password dialog box appears.

Figure 3-8 The Change Password Dialog Box

2 Type in the old and new passwords.

User names and passwords must comply with the user name and password
requirements set up in the current User Settings. See "The User Settings Tab".
3 Click OK.
Result: The password is changed for the next login.

Verifying Authentication Centre Status


Whenever you log into the AuC client, you should verify that the Authentication Centre (AuC)
server is operational. To do this, locate "The Status Bar" and verify that the AuC Server Status
icon is green as shown to the left in the highlighted area below.

Figure 3-9 The Main Window Status Bar

Displaying Key and Entity Information


One of the most frequently visited tabs in the AuC client is the “Local Zones” tab, which
shows information about zones, sites and current key status. Follow Procedure 3-3 to
check the status of the UCS, zone or site entity.
Procedure 3-3 How to Check the Status of the UCS, Zone or a Site

1 To view the UCS, Zone or Site entity status, select the Local Zones tab.
2 To view the UCS status, select the UCS entity in the Zones display.
Result: UCS Status and Version information is displayed.

Figure 3-10 UCS Status and Version Information

3 To view a specific Zone or Base Transceiver System (BTS) site entity’s status, expand (if
necessary) the tree view by clicking the plus icons next to the zones, and select the entity you
want to view.
Result: When you select an entity, the respective key status is displayed in the work pane to
the right.

Figure 3-11 Zone/EBTS Key and Status Information

Logging out of the Authentication Centre Client Application


Follow Procedure 3-4 to log out of the Authentication Centre (AuC) client application.
Procedure 3-4 How to Log Out of the AuC

1 Select Exit from the File menu.


Result: The following dialog box appears.

Figure 3-12 The Exit Dialog Box

2 Click Yes.
Result: The AuC Client window closes.

The Main Window

This section describes the components that make up the application’s main window.
This section covers the following topics:
• "Authentication Centre Main Window Structure"
• "The Work Pane"
• "The Events Pane"
• "The Status Bar"
• "The Menu Bar"

Authentication Centre Main Window Structure


The Authentication Centre (AuC) client main window allows you to view current status and perform
tasks related to secure key management operations within the Dimetra IP system.

Figure 3-13 The AuC Main Window

Maintaining a Microsoft® Windows® look and feel, the AuC main client window functions as
the top-level container for the following user interface elements:
• "The Work Pane"
• "The Events Pane"
• "The Status Bar"
• "The Menu Bar"

The Work Pane


The work pane — including tabs — is highlighted in Figure 3-14.

Figure 3-14 The Work Pane

The work pane displays content corresponding to the task you are performing in the Authentication Centre
(AuC) client. Acting as a container, the work pane allows you to switch among content selections using
tabs. The content tabs that are selectable in the AuC main client window are listed in Table 3-2.

Table 3-2 Procedures and Screen References Related to Tabs

Tab Name: Mobile Stations
Related Procedures:
• "Viewing Mobile Station Key Information" on page 4-2
• "Generating Mobile Station (MS) Report" on page 4-5
• "Assigning New Authentication Material for a Mobile Station" on page 4-49
• "Enabling/Disabling Key Updates for a Mobile Station" on page 4-52
Screen Reference:
• "Mobile Stations List" on page 11-17
• "Mobile Stations Search" on page 11-19
• "Security Group Selection Tree View" on page 11-21

Tab Name: Local Zones
Related Procedures:
• "Displaying Key and Entity Information" on page 3-13
• "Viewing Zone Status and Key Information" on page 4-10
• "Viewing BTS Site Status and Key Information" on page 4-12
• "Viewing UCS Status" on page 4-14
• "Reprovisioning Zone or BTS Site Entity with an Existing Infrastructure Key" on page 4-38
• "Reprovisioning Zone or BTS Site Entity with a New Infrastructure Key" on page 4-41
• "Enabling/Disabling Key Updates for a Zone" on page 4-56
• "Enabling/Disabling Key Updates for an EBTS Site" on page 4-57
Screen Reference:
• "EBTS Site Information" on page 11-7
• "Key Status tree view" on page 11-15
• "UCS Information" on page 11-21
• "Zone Information" on page 11-25

Tab Name: Key Loaders
Related Procedures:
• "Viewing KVL Key Information and Status" on page 4-15
• "Entering a UKEK Key for a KVL Device" on page 4-33
• "Enabling/Disabling KVL Access to the Authentication Centre" on page 4-62
Screen Reference:
• "KVL Information" on page 11-16
• "KVL Status list view" on page 11-17
• "Port Settings Dialog Box" on page 11-38
• "KVL UKEK Assignment Dialog Box" on page 11-34

Tab Name: Key Schedules
Related Procedures:
• "Scheduling Key Updates" on page 4-44
• "Performing Immediate Key Updates" on page 4-47
• "Enabling/Disabling Key Updates By Key Type" on page 4-59
Screen Reference:
• "Key Schedule Information" on page 11-13
• "Key Schedules Selection" on page 11-14
• "Modify Schedule Dialog Box" on page 11-37

Tab Name: Key Database
Related Procedures:
• "Viewing a List of Unmatched K-REF Pairs" on page 4-6
• "Generating an Unmatched K-Ref Pairs Report" on page 4-8
• "Entering K-REF Pairs into the Authentication Centre" on page 4-17
• "Importing a K-REF Pair File into the Authentication Centre" on page 4-20
• "Importing a SCK-TMO Key File into the Authentication Centre" on page 4-21
• "Modifying an SCK-TMO Key in the Authentication Centre" on page 4-25
• "Setting the Next Active SCK-TMO Key" on page 4-27
• "Entering the AuC Communications Key" on page 4-30
• "Entering a Dimetra Distribution Key" on page 4-32
Screen Reference:
• "AuC Comm Key (Communication Key)" on page 11-1
• "DDK (Dimetra Distribution Key)" on page 11-6
• "K-REF Pairs" on page 11-10
• "Key Database Selection" on page 11-12
• "SCK-Trunked Mode Operation Information" on page 11-20
• "AuC Database Backup Schedule Dialog Box" on page 11-29
• "AuC Database Dialog Box" on page 11-30
• "SCK-TMO Modify Dialog Box" on page 11-39

Tab Name: AuC Connectivity
Related Procedures:
• "Viewing AuC Connection Information and Status" on page 5-2
• "Nationwide AuC System Configuration" on page 5-7
• "Key Updates in the Nationwide System" on page 5-13
• "Slave AuCs Reconfiguration in the Nationwide System" on page 5-15
• "Returning to the Single Cluster Mode" on page 5-17
• "Connecting Slave AuC to Another Master" on page 5-18
• "Changing Master in the Nationwide System" on page 5-19
Screen Reference:
• "AuC Connectivity" on page 11-2
• "AuC Net" on page 11-4
• "General Network Information" on page 11-9
• "AuC Connection" on page 11-28

Tab Name: Audit Trail
Related Procedures:
• "Viewing an Event Audit Trail"
• "Removing Audit Trail Data from the Database"
Screen Reference:
• "Audit Search and Purge Form" on page 11-5
• "Purge Audit Trail Dialog Box" on page 11-39

Tab Name: User Management
Related Procedures:
• "Creating an AuC User Account"
• "Modifying an AuC User Account"
• "Deleting an AuC User Account"
Screen Reference:
• "User Account Selection tree view" on page 11-22
• "User Information" on page 11-23
• "Add User Dialog Box" on page 11-26
• "User Settings Dialog Box" on page 11-43

The Events Pane


The events pane displays event information related to the actions you perform in the
Authentication Centre (AuC) client.
The Events pane is highlighted in Figure 3-15.

Figure 3-15 The Events Pane

The Status Bar


The status bar provides information on the Authentication Centre (AuC) server’s state, name
of the client’s current user, and various status icons.
The status bar is highlighted in Figure 3-16.

Figure 3-16 The Status Bar

The AuC state, the AuC connection status and the name of the logged-in user
appear in the status bar to the left, as shown above.
The AuC Status icons to the left report the conditions listed in Table 3-3.
Table 3-3 Authentication Centre (AuC) States of Operation

Icon | AuC Server Operating State | Description
[icon] | Operational | Normal operating mode
[icon] | Out of Service | Non-operational mode. AuC client user can only perform the following tasks: Loading a Master Key into an Encryption Device; All User Management tasks; Changing Authentication Centre operating state
[icon] | Database Restored | During Database Restored state only nationwide operations can be performed. Database Restored state is a sub-state of Out of Service state.

The AuC Connection status icons to the right report the conditions listed in Table 3-4.
Table 3-4 AuC Connection Status Icons

Icon | Description
[icon] | All required system devices (UCS, ATR, ZM) are connected to the AuC server.
[icon] | A system device (UCS, ATR, ZM) is not connected to the AuC server.
[icon] | A database backup is in progress.

When standby database connection monitoring is enabled (see "Turning Standby Connection
Monitoring On" on page 9-6), the standby status icon is displayed. Table 3-5 lists possible
standby database connection states and corresponding icons.
Table 3-5 Standby Database Connection States

Icon | State Name | Description
[icon] | Current | Standby AuC is configured and running. All transactions from primary AuC are applied to standby. This is the normal state for a two-AuC setup (primary-standby).
[icon] | Not Configured | AuC has no standby configured. This is the normal state for a single-AuC setup.
[icon] | Not Available | Standby AuC is configured on the system, however it is not available – primary AuC can’t connect to it. This indicates a problem with the standby machine (network connection problem, Oracle service stopped or crashed). This is not a normal state.
[icon] | Not Current | Standby AuC is configured on the system and it is available – primary AuC can connect to it – but some of the past transactions from primary are not applied to standby. This is not a normal state; a standby in this state cannot be activated.
[icon] | Invalid Internal Password | Standby AuC is configured on the system but the password supplied in the Settings dialog is incorrect. It is not possible to determine the actual standby state without a valid password.
[icon] | Pending Last Transactions | It may happen that checking standby state occurs during data replication from primary to standby AuC. This icon should refresh automatically within 1 hour. It can also be refreshed manually by selecting Check Standby Now... from the System menu. If the state does not change within 1 hour it indicates a problem of data replication.

The Menu Bar


The menu bar provides a list of commands from which you can choose to perform a task or
navigate through the Authentication Centre (AuC) client application.
The menu bar is highlighted in Figure 3-17.

Figure 3-17 The Menu Bar

Getting Help

The Authentication Centre (AuC) client is equipped with a context-sensitive online help system
that provides comprehensive information about the client application and how to work with it.
To view context-sensitive help, select Help from the menu that you are working in. To view the
full help system, select Help Contents from the Help menu.
This section covers the following topics:
• "Using Context Sensitive Help"
• "Using Full Text Search"

Using Context Sensitive Help


As you work within the AuC client, you can obtain information about procedures, windows, and dialog boxes
by using the context-sensitive help available in the application. You can access this help in several ways.
Table 3-6 Using Context Sensitive Help

Element | Description
Windows | Most windows display a Help button. Click the button and a topic opens in the online help window that provides links to information on related procedures and window fields and buttons.
Dialog Boxes | Some dialog boxes display a Help button. Click the button and a topic opens in the online help window that explains how to perform the procedure related to the dialog box.
Menu Commands | The AuC menu bar provides some commands under the Help menu to quickly navigate to specific types of information.

The full online help system can be accessed from within each topic by clicking
the Show hyperlink at the top of each page.

Using Full Text Search


When you enter a word or phrase in the online help’s search field and press the Enter key, the help system
searches the contents of your topics to find all occurrences of that word or phrase. It’s a good way to
find a topic title (if you know it) or every instance of a concept or feature in the system.

Chapter 4: Authentication and Air Interface Encryption Key Management

This chapter covers the following topics:


• "Entity Status and Key Information"
• "Entering and Modifying Keys"
• "Key Distribution"
• "Enabling and Disabling Key Updates"

Entity Status and Key Information



This section covers the following topics:


• "Viewing Mobile Station Key Information"
• "Generating Mobile Station (MS) Report"
• "Viewing a List of Unmatched K-REF Pairs"
• "Generating an Unmatched K-Ref Pairs Report"
• "Viewing Zone Status and Key Information"
• "Viewing BTS Site Status and Key Information"
• "Viewing UCS Status"
• "Viewing KVL Key Information and Status"

Viewing Mobile Station Key Information


The AuC stores and manages authentication and air interface encryption keys used by subscriber
mobile stations that utilize the system infrastructure.
Although the AuC does not distribute keys to the MS or update keys in it, the AuC uses its knowledge of the MS’s
authentication key (K) to create authentication material used by zone controllers to perform authentication.
Using KS and KS’ keys (along with a random seed and random number), an MS can be authenticated by
the system without transmission of the secret authentication key (K) stored in the MS at the factory.
For air interface encryption purposes, the AuC stores, distributes, and updates the static cipher key-trunked
mode operation key (SCK-TMO) used by the system. The AuC distributes the SCK-TMO key in encrypted form
to base site entities and regularly updates this key on a scheduled or on-demand basis.
The Authentication Centre (AuC) automatically retrieves and maintains records of all mobile
stations (MSs) stored in the system’s User Configuration Server (UCS) which have a Radio ID
assigned to them in the Reference Field. Each MS record is matched with an authentication key
(K) loaded separately into the AuC via file import or manual entry.
The Mobile Stations tab in the Authentication Centre (AuC) provides information and tasks for
performing key management of subscriber mobile stations (MSs).

Any mobile station that does not have a REF assigned will not be stored or displayed by
the AuC. These mobile stations will not be provided with authentication material and
therefore will be permitted to access the system without authentication.
The following topics provide procedures associated with the Mobile Stations tab in the AuC client display:
• "Generating Mobile Station (MS) Report" on page 4-5
• "Assigning New Authentication Material for a Mobile Station" on page 4-49
• "Enabling/Disabling Key Updates for a Mobile Station" on page 4-52

The following topics provide reference information associated with the Mobile Stations
tab in the AuC client display:
• "Security Group Selection Tree View" on page 11-21
• "Mobile Stations List" on page 11-17
• "Mobile Stations Search" on page 11-19

Follow Procedure 4-1 to view an MS’s key information.


Procedure 4-1 How to View a Mobile Station’s Key Information

1 Select the Mobile Stations tab.


Result: The Mobile Station tabbed pane appears.

Figure 4-1 The Mobile Stations Tabbed Pane

2 Define the appropriate search criteria in the Mobile Station Search Form, highlighted below
(search text is case-insensitive). For a description of the available search criteria see Online Help.

Figure 4-2 The Mobile Station Search Form


You must specify the appropriate security group in order to execute a mobile station
search. You can select a security group from the Security Groups tree display and
the entry is automatically populated in the Security Group field.
• The UCS Security Group functions as a “wildcard” in a search
• Any fields that are left empty will not be included in the search
3 Click on the Search button.
Result: The search results are displayed in the list window, highlighted below.

Figure 4-3 The Mobile Stations List

4 Locate the appropriate mobile station in the list window for current key information. The mobile
station’s key information appears in the appropriate row in the list window.


Generating Mobile Station (MS) Report


The Authentication Centre allows a user to export information about all Mobile Stations
(MSs) to a CSV or XML format file.
Follow Procedure 4-2 to generate a Mobile Station (MS) report.
Procedure 4-2 How to Generate Mobile Station (MS) Report

1 Select the Mobile Stations tab.


Result: The Mobile Stations tabbed pane appears.

Figure 4-4 Mobile Stations Tabbed Pane

2 Click on the Export button. Search criteria applied have no effect on the information exported.
Result: A dialog box to select a location and format for the report file appears.
3 Select location and file format and click Save.
Result: A dialog box indicating the progress of the MS information export appears.

Figure 4-5 Mobile Stations List Export Progress

4 Click OK.


Viewing a List of Unmatched K-REF Pairs


The AuC requires K-REF pairs to be loaded to enable management of authentication keys (K) for
mobile stations. A K-REF pair is matched with an ITSI-REF pair (downloaded from the UCS) to
correlate a mobile station’s ID and authentication key (K). When a K-REF pair cannot be matched
with an ITSI-REF pair, the K-REF pair is tagged as “unmatched” by the AuC.
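The matching described above, together with the earlier note that an MS without a REF is admitted without authentication, can be checked offline before keys are loaded. This is an added example, not Motorola's code or the AuC's file format: the record layout, the identifiers, and the `reconcile` and `format_report` functions are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data. The tuple layout is an assumption made for this
# example; it is not the UCS export format or the AuC key file format.
UCS_RECORDS = [             # (ITSI, REF or None) as held in the UCS
    ("ITSI-0001", "REF-A1"),
    ("ITSI-0002", "REF-B2"),
    ("ITSI-0003", None),    # no REF assigned in the Reference Field
    ("ITSI-0004", "REF-D4"),
]
KREF_PAIRS = [              # (K, REF type, REF) to be loaded into the AuC
    ("00" * 16, "SIM", "REF-A1"),
    ("11" * 16, "TEI", "REF-B2"),
    ("22" * 16, "TEI", "REF-Z9"),   # no ITSI-REF pair carries this REF
    ("33" * 16, "SIM", "REF-B2"),   # same REF again with a different K
]


@dataclass
class Reconciliation:
    matched: dict = field(default_factory=dict)          # ITSI -> REF, K available
    unmatched_krefs: list = field(default_factory=list)  # REFs tagged "unmatched"
    no_ref: list = field(default_factory=list)           # ITSIs with no REF
    awaiting_k: list = field(default_factory=list)       # ITSI-REF with no K loaded
    duplicate_refs: list = field(default_factory=list)   # REFs with conflicting K


def reconcile(ucs_records, kref_pairs):
    """Correlate K-REF pairs with ITSI-REF pairs on the REF value."""
    result = Reconciliation()

    # Index K-REF pairs by REF. A repeated REF with a different K is the
    # overwrite case; keep the first entry and report the conflict so an
    # operator decides, rather than silently replacing a key.
    k_by_ref = {}
    for k, ref_type, ref in kref_pairs:
        ref = ref.strip()
        if ref in k_by_ref:
            if k_by_ref[ref][0] != k and ref not in result.duplicate_refs:
                result.duplicate_refs.append(ref)
            continue
        k_by_ref[ref] = (k, ref_type)

    seen_refs = set()
    for itsi, ref in ucs_records:
        if ref is None or not ref.strip():
            # Not stored by the AuC, so no authentication material is
            # produced and the MS accesses the system unauthenticated.
            result.no_ref.append(itsi)
            continue
        ref = ref.strip()
        seen_refs.add(ref)
        if ref in k_by_ref:
            result.matched[itsi] = ref
        else:
            # The MS record exists but no K has been loaded for its REF.
            result.awaiting_k.append(itsi)

    result.unmatched_krefs = sorted(r for r in k_by_ref if r not in seen_refs)
    return result


def format_report(result):
    """Render the findings. K values are never written to the report."""
    lines = [
        f"matched MS records:            {len(result.matched)}",
        f"unmatched K-REF pairs (REF):   {', '.join(result.unmatched_krefs) or '-'}",
        f"MS with no REF (no auth):      {', '.join(result.no_ref) or '-'}",
        f"MS with REF but no K loaded:   {', '.join(result.awaiting_k) or '-'}",
        f"REFs with conflicting K:       {', '.join(result.duplicate_refs) or '-'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile(UCS_RECORDS, KREF_PAIRS)))
```

The "MS with no REF" line is the one to clear first, since those stations are the ones the system admits without authentication.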
Follow Procedure 4-3 to view/delete a listing of unmatched K-REF pairs.
Procedure 4-3 How to View/Delete a List of Unmatched K-REF Pairs in the Authentication Centre
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.

Figure 4-6 The Key Database Tabbed Pane

2 Select K-REF Pairs in the Keys selection display.


Result: The K-REF pair information display appears in the work pane. The list of unmatched
K-REF pairs is provided in the scrolling list box.

The displayed listing of unmatched K-REF pairs is not updated automatically on
the screen. To obtain the current listing of unmatched K-REF pairs, click on the
Refresh button.
3 To delete a single K-REF pair from the AuC database, select the K-REF pair you want to delete
from the list box.
Result: The selected K-REF pair is highlighted.

4 Click Delete.
Result: The following dialog box appears.

Figure 4-7 The Delete Unmatched K-REF Pair Dialog Box

5 Click Yes.
Result: The K-REF pair is removed from the list box.
6 To delete all the unmatched K-REF pairs from the AuC database, click the Delete All button.
Result: The following dialog box appears.

Figure 4-8 The Delete All Unmatched K-REF Pairs Dialog Box

7 Click Yes.
Result: The K-REF pairs are removed from the list box (the list box is empty).

Depending on the number of K-REF pairs, this can take a long time.


Generating an Unmatched K-Ref Pairs Report


Follow Procedure 4-4 to generate an unmatched K-Ref pairs report.
Procedure 4-4 How to Generate an Unmatched K-Ref Pairs Report

1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.

Figure 4-9 The Key Database Tabbed Pane

2 Select K-REF Pairs in the Keys selection display.


Result: The K-REF Pairs information display appears in the work pane. The list of unmatched
K-REF pairs appears in the Unmatched K-Refs scrolling list box.
3 Click the Export… button to generate a report of unmatched K-Ref pairs.
Result: A dialog box appears to choose a location for the generated report.


Figure 4-10 The Save Unmatched K-REF Pairs Report Dialog Box

4 Choose the location and file name of the report and click Save.

If a file with this name already exists, the following dialog will be displayed. Choose
either to overwrite the file or not as appropriate.

Figure 4-11 The Save Unmatched K-REF Pairs Report Confirmation Dialog Box

5 A progress bar will be displayed. This will close when the generation of the report is complete
and the following dialog box will be displayed.

Figure 4-12 Unmatched K-REF Pairs Report Completed


Viewing Zone Status and Key Information


The AuC stores and manages authentication and air interface encryption keys used by devices within
the system infrastructure. To facilitate secure distribution and updating of keys through the system
infrastructure, the AuC first generates an infrastructure key (Ki) for each zone and BTS site entity. The
Ki key is delivered from the AuC to each entity using the key variable loader (KVL) device. For zone
entities, a system key encryption key (KEKm) and zone key encryption key (KEKz) are then delivered
in encrypted form (using the Ki key) over the system infrastructure network to the entities.
The system zone controllers perform authentication of subscriber mobile stations (MS) using authentication
material generated and distributed by the AuC. The AuC distributes the proper KS and KS’ keys (along with a
random seed and random number) in encrypted form (using the KEKm key) to the zone controllers on
the system. The KS and KS’ keys are regularly updated on a scheduled or on-demand basis.
The current status of keys distributed to and stored in zone/site entities is tracked by the AuC. You
can quickly observe the key status for a zone/site by locating its respective key status icon. You
can also observe UCS connection status and version by locating its icon.
The Local Zones tab in the Authentication Centre (AuC) provides information and tasks for performing
key management of zone infrastructure entities. The following topics provide procedures applying to
zone entities and associated with the Local Zones tab in the AuC client display:
• "Displaying Key and Entity Information" on page 3-13
• "Viewing Zone Status and Key Information" on page 4-10
• "Enabling/Disabling Key Updates for a Zone" on page 4-56

The following topics provide reference information associated with the Local
Zones tab in the AuC client display:
• "Key Status tree view" on page 11-15
• "Zone Information" on page 11-25

Follow Procedure 4-5 to view a zone’s status and encryption key information.


Procedure 4-5 How to View Zone Status and Key Information

1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears.

Figure 4-13 The Zones Tabbed Pane

2 The zone icons are red, yellow or green according to the state the entity’s keys are in. You can
quickly observe a zone’s key status by locating its respective key status icon (see Table 11-21,
"Key Status Icons (Zones and BTS sites)," on page 11-15). To view all details about an entity’s
keys, click the appropriate icon in the tree view to the left.
Result: The zone’s key information appears in the work pane, highlighted below.


Figure 4-14 The Zone Information Display

Viewing BTS Site Status and Key Information


The AuC stores and manages authentication and air interface encryption keys used by devices
within the system infrastructure. To facilitate secure distribution and updating of keys through the
system infrastructure, the AuC first generates an infrastructure key (Ki) for each zone and BTS site
entity. The Ki key is delivered from the AuC to each entity using the key variable loader (KVL)
device. For BTS site entities, a zone key encryption key (KEKz) is delivered in encrypted form
(using the Ki key) over the system infrastructure network to the entities.
For air interface encryption purposes, the AuC stores, distributes, and updates the static cipher
key-trunked mode operation (SCK-TMO) keys and the common cipher keys (CCK) used by the
system. The AuC distributes the SCK-TMO and CCK keys in encrypted form (with the KEKz key) to BTS
site entities and regularly updates these keys on a scheduled or on-demand basis.
The AuC automatically retrieves and maintains records of BTS site entities stored in the zone’s Zone Database
Server (ZDS). Each BTS site entity record is assigned encryption keys generated or loaded into the AuC.


The Local Zones tab in the Authentication Centre (AuC) provides information and tasks for performing
key management of BTS site infrastructure entities. The following topics provide procedures applying
to BTS site entities and associated with the Local Zones tab in the AuC client display:
• "Displaying Key and Entity Information" on page 3-13
• "Viewing BTS Site Status and Key Information" on page 4-12
• "Enabling/Disabling Key Updates for an EBTS Site" on page 4-57

The following topics provide reference information associated with the Local
Zones tab in the AuC client display:
• "Key Status tree view" on page 11-15
• "EBTS Site Information" on page 11-7

Follow Procedure 4-6 to view a BTS site’s status and encryption key information.
Procedure 4-6 How to view BTS site’s status and encryption key information

1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears (see Figure 4-13).
2 The site icons are red, yellow or green according to which state the entity’s keys are in. You can
quickly observe BTS key status by locating its respective key status icon (see Table 11-21, "Key
Status Icons (Zones and BTS sites)," on page 11-15). To view all details about an entity’s keys,
click the appropriate icon in the tree view to the left.
Result: The site’s key information appears in the work pane, highlighted below.

Figure 4-15 The BTS Site Information Display


Viewing UCS Status


The Authentication Centre (AuC) automatically retrieves and maintains records of zone and site
entities stored in the system’s User Configuration Server (UCS). Each zone/site entity record
is assigned encryption keys generated or loaded into the AuC.
The Local Zones tab in the Authentication Centre (AuC) provides information and tasks for performing
key management of BTS site infrastructure entities. The following topics provide procedures applying
to UCS and associated with the Local Zones tab in the AuC client display:
• "Displaying Key and Entity Information" on page 3-13
• "Viewing UCS Status" on page 4-14

The following topics provide reference information associated with the Local
Zones tab in the AuC client display:
• "Key Status tree view" on page 11-15
• "UCS Information" on page 11-21

Follow Procedure 4-7 to view UCS status information.


Procedure 4-7 How to view UCS Status Information

1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears (see Figure 4-13).
2 To view the UCS status, select the UCS entity in the Zones display.
Result: UCS Status and Version information is displayed. The UCS icon reflects the connection
status.


Figure 4-16 The UCS Status and Version Information

Viewing KVL Key Information and Status


The system assigns each KVL specific zone and BTS site entities to update. Using the KVL’s unique
key encryption key (UKEK) key, the AuC transfers the appropriate Ki keys to the KVL during an AuC/KVL
communications session. Once the keys are transferred to the proper entities, the KVL re-initiates a
communications session with the AuC and transfers download acknowledgements (received from the entities)
to the AuC.
The AuC automatically retrieves and maintains records of key variable loader (KVL) entities
stored in the system’s User Configuration Server (UCS). Each KVL entity record is assigned
a UKEK key loaded separately into the AuC via manual entry.
The Key Loaders tab in the Authentication Centre (AuC) provides key management information
for the external key variable loaders (KVLs) used by the AuC. The following topics provide
procedures associated with the Key Loaders tab in the AuC client display:
• "Entering a UKEK Key for a KVL Device" on page 4-33
• "Enabling/Disabling KVL Access to the Authentication Centre" on page 4-62


The following topics provide reference information associated with the Key Loaders
tab in the AuC client display:
• "KVL Information" on page 11-16
• "KVL Status list view" on page 11-17
• "Port Settings Dialog Box" on page 11-38
• "KVL UKEK Assignment Dialog Box" on page 11-34

Follow Procedure 4-8 to view a KVL’s encryption key, connectivity information and status.
Procedure 4-8 How to View KVL Status and Key Information
1 From the AuC client main window, select the Key Loaders tab.
Result: The Key Loaders tabbed pane appears.

Figure 4-17 The KVLs Tabbed Pane

2 Locate and click on the appropriate KVL device in the KVLs list display.
Result: The KVL’s current key status is reflected in both the icon color, and in the Status
field to the right.
IF the key status icon is colored...   THEN...
Green                                  KVL is provisioned in the AuC database
Yellow                                 KVL is not provisioned in AuC database (due to no assigned UKEK key)
Red                                    KVL is locked out from connectivity to AuC (this is set within the AuC)


Entering and Modifying Keys



The Key Database tab in the Authentication Centre (AuC) provides the ability to load and store K-REF
pairs for mobile stations (MS), static cipher key-trunked mode operation (SCK-TMO) keys, Authentication
Communication (AuC Comm) keys and the Dimetra Distribution Key (DDK).
The following topics provide procedures associated with the Key Database tab in the AuC client display:
• "Viewing a List of Unmatched K-REF Pairs" on page 4-6
• "Generating an Unmatched K-Ref Pairs Report" on page 4-8
• "Entering K-REF Pairs into the Authentication Centre" on page 4-17
• "Importing a K-REF Pair File into the Authentication Centre" on page 4-20
• "Importing a SCK-TMO Key File into the Authentication Centre" on page 4-21
• "Modifying an SCK-TMO Key in the Authentication Centre" on page 4-25
• "Setting the Next Active SCK-TMO Key" on page 4-27
• "Entering the AuC Communications Key" on page 4-30
• "Entering a Dimetra Distribution Key" on page 4-32

The following topics provide reference information associated with the Key Database
tab in the AuC client display:
• "AuC Comm Key (Communication Key)" on page 11-1
• "DDK (Dimetra Distribution Key)" on page 11-6
• "K-REF Pairs" on page 11-10
• "Key Database Selection" on page 11-12
• "SCK-Trunked Mode Operation Information" on page 11-20
• "AuC Database Backup Schedule Dialog Box" on page 11-29
• "AuC Database Dialog Box" on page 11-30
• "SCK-TMO Modify Dialog Box" on page 11-39

Entering K-REF Pairs into the Authentication Centre


The AuC requires the loading of K-REF pairs to enable management of authentication keys (K)
for mobile stations. A K-REF pair is matched with an ITSI-REF pair (downloaded from the
UCS) to correlate a mobile station’s ID and authentication key (K).
K-REFs can be entered manually or they can be imported from other media, for example, a floppy disk.


This procedure allows you to type in the K-REF pair from the keyboard. To
import a K-REF pair file, see Procedure 4-10.
Follow Procedure 4-9 to enter K-REF pairs manually into the AuC.
Procedure 4-9 How to Enter K-REF Pairs into the Authentication Centre via Keyboard
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.

Figure 4-18 Key Database Tabbed Pane

2 Select K-REF Pairs on the left.


3

K-REF pairs cannot be automatically generated by the AuC. They are generated
by the Provisioning Centre (PrC), or created externally by, for example, a secure
authority. They can be entered manually using the AuC.
• Type in the authentication key (K) for the MS in the K field
• Using the radio buttons, select the REF type (SIM or TEI) used for the MS
• Type in the REF for the MS in the Ref field


Figure 4-19 K-REF Pairs Entry

4 Click the Enter button.


Result: The status field reports the status of the K-REF pair entry (accepted or rejected). In
addition, a confirmation message appears in the Events tab display. The Unmatched K-REFs list
box is also refreshed. The batch date is set to the current time and the batch number is left blank.

The Enter button will remain grayed out until all of the required information has
been entered in the appropriate fields.
5

If the user enters a K-REF pair where the Ref part already exists in a K-REF pair in
the AuC, the following dialog box appears.

Figure 4-20 Duplicate Ref in K-REF Pair

Decide whether you want to overwrite the existing K-Ref pair or not.


Importing a K-REF Pair File into the Authentication Centre


The AuC requires the loading of K-REF pairs to enable management of authentication keys (K) for mobile
stations. A K-REF pair is matched with an ITSI-REF pair (downloaded from the UCS) to correlate a
mobile station’s ID and authentication key (K). The PrC is the source of the K-REF pairs.

This procedure allows you to import a K-REF pair file. To manually type a
K-REF pair into the AuC, see Procedure 4-9.
Follow Procedure 4-10 to copy a K-REF pair file into the AuC.
Procedure 4-10 How to Import K-REF Pairs into the Authentication Centre
1 From the AuC client main window, select File>Import Keys... from the main menu.
Result: The following dialog box appears.

Figure 4-21 Import Keys from File Dialog Box

2 Select the K-REF pair file in the dialog box.


3 Click the Import button.
Result: The following dialog box appears.


Figure 4-22 Import Key Confirmation Dialog Box

4 Select the desired setting and click Continue.


Result: The AuC scans the selected file to determine content type. When completed, the
following alert box appears.

Figure 4-23 Key File Scanning Status Alert Box

5 Click OK.
Result: Import progress is indicated in the Events display.

Importing a SCK-TMO Key File into the Authentication Centre


A static cipher key-trunked mode operation (SCK-TMO) key file contains a list of 32 numbered SCK-TMO
keys. Each key in the file is assigned a number and version and is handled as such by the AuC.

All SCK key slots should be populated in the AuC. If an empty key slot is selected as the Next
Active key then the key update will not take place until the slot has been populated.

If a new set of SCK-TMO keys is imported, the same keys must be provisioned to
the MSs. If they are not, encryption using SCK-TMO will not be possible.


Follow Procedure 4-11 to import a SCK-TMO key file into the AuC.
Procedure 4-11 How to Import SCK-TMO Keys into the Authentication Centre
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.

Figure 4-24 Key Database Tab

2 Select SCK-Trunked Mode Operation in the Keys selection display.


Result: The SCK-TMO information display appears in the work pane.


Figure 4-25 SCK-Trunked Mode Operation Display

3 Select File>Import Keys... from the main menu.


Result: The following dialog box appears.

Figure 4-26 Import Keys Dialog Box

4 Select the SCK-TMO file in the dialog box.
5 Click the Import button.

All SCK slots in the SCK-TMO file must be filled, otherwise import will be
impossible.
Result: The following dialog box appears.

Figure 4-27 Import Key Confirmation Dialog Box

6 Select the desired setting and click Continue.


Result: The AuC scans the selected file to determine content type. When completed, the
following alert box appears.

Figure 4-28 Key File Scanning Status Alert Box

7 Click OK.
Result: The keys are imported into the AuC database.

Importing new SCKs will cause a partial distribution of keys. If the AuC is part of a
Nationwide system, the keys will be distributed to the other AuCs.


Modifying an SCK-TMO Key in the Authentication Centre


The AuC stores 32 numbered static cipher key-trunked mode operation (SCK-TMO) keys. You can
modify the number or version of any SCK-TMO key using the AuC main client window.

If an SCK-TMO key is modified after it has been provisioned to the MSs, air
interface encryption using this key will not be possible.

Follow Procedure 4-12 to modify an SCK-TMO key in the AuC.


Procedure 4-12 How to Modify an SCK-TMO Key in the Authentication Centre
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.

Figure 4-29 Key Database Tab

2 Select SCK-Trunked Mode Operation in the Keys selection display.
Result: The SCK-TMO information display appears in the work pane.

Figure 4-30 SCK-Trunked Mode Operation display

3 Select the key slot row to modify.


Result: The key slot row is highlighted.
4 Click Modify...
Result: The following dialog box appears.

Figure 4-31 Modify SCK Dialog Box

5 Type the key into the Key Value field.


6 Type in the key version number in the Key Version field.

7 Click OK.
Result: The key information is updated.

The OK button will remain grayed out until all of the required information has
been entered in the appropriate fields.

Setting the Next Active SCK-TMO Key


The Authentication Centre (AuC) server designates the active static cipher key-trunked mode
operation (SCK-TMO) key to be used by the system. When an SCK-TMO key update occurs, the
active key (signified by the Active arrow in the Active column) is moved to the slot designated
by the Next Active arrow in the Active column. See the arrow icons below:

Active arrow

Next Active arrow

Only one SCK-TMO can be active at a time.

Performing this task enables changing the active SCK-TMO throughout the system during
the next SCK-TMO key update. There is no resulting disruption to system operations by this
task. When the key update occurs, the AuC communicates the change to each BTS site on the
system. To determine if a BTS site is using the new active SCK-TMO key, see Procedure 4-6,
"How to view BTS site’s status and encryption key information," on page 4-13.
Follow Procedure 4-13 to set the next active SCK-TMO key in the AuC.


Procedure 4-13 How to Reset an Active SCK-TMO Key in the Authentication Centre
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.

Figure 4-32 Key Database Tab

2 Select SCK-Trunked Mode Operation in the Keys selection display.


Result: The SCK-TMO information display appears in the work pane.


Figure 4-33 SCK-Trunked Mode Operation display

3 Select the next active SCK-TMO key number.


Result: The SCK-TMO key number row is highlighted.
4 Click Set Next Active.
Result: The following dialog box appears.

Figure 4-34 Change Next Active SCK Number Dialog Box

5 Click Yes.
Result: The Next Active slot appears in the work pane.


Entering the AuC Communications Key


The AuC Communication Key (AuC CommKey) is used by all nationwide AuCs to
transport key information securely between AuCs.

Since all AuCs need the same AuC CommKey, a synchronized key change is recommended
to ensure proper system communication. It is also recommended to temporarily disable
key schedules while an AuC CommKey change takes place.
Follow Procedure 4-14 to define the AuC Communications Key.
Procedure 4-14 Entering an AuC CommKey into the AuC Database

1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.

Figure 4-35 Key Database Tabbed Pane

2 Select AuC CommKey (Communication Key) in the Keys selection display.
Result: The AuC CommKey information display appears in the work pane.

Figure 4-36 AuC CommKey Information Display

3 Type the key information into the AuC CommKey fields.


4 Click the Enter button.
Result: The Status field display is updated.

The Enter button will remain grayed out until all of the required information has
been entered in the appropriate fields.


Entering a Dimetra Distribution Key


The Dimetra Distribution Key (DDK) was utilized in Dimetra system releases prior to release 5.0. This
key must be entered in the Authentication Centre (AuC) to facilitate replacement of the DDK key with
the infrastructure key (Ki) in Base Transceiver System (BTS) site entities.

This task is necessary only when upgrading from a Dimetra IP Release 4.x system, or earlier.
Follow Procedure 4-15 to enter an existing DDK key into the AuC database.
Procedure 4-15 Entering a DDK key into the AuC database

1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.

Figure 4-37 Key Database Tabbed Pane

2 Select DDK (Dimetra Distribution Key) in the Keys selection display.
Result: The DDK (Dimetra Distribution Key) information display appears in the work pane.

Figure 4-38 DDK Information Display

3 Type the DDK key in the DDK field.

4 Click the Enter button.
Result: The Status field in the DDK (Dimetra Distribution Key) information display is updated.

Entering a UKEK Key for a KVL Device


When receiving a key variable loader (KVL) entity record from the User Configuration Server (UCS),
the AuC indicates to the client user that it is necessary to enter a unique key encryption key (UKEK)
key for the KVL by displaying the "This KVL needs a UKEK" message.

The same UKEK key needs to be entered into the KVL.


Follow Procedure 4-16 to assign a UKEK key to a KVL device.

Procedure 4-16 How to Assign a UKEK Key to a KVL Device

1 From the AuC client main window, select the Key Loaders tab.
Result: The Key Loaders tabbed pane appears.

Figure 4-39 KVLs Tabbed Pane

2 Locate and click on the appropriate KVL in the KVLs list display.
Result: The KVL’s key information appears in the work pane.
3 To assign a new UKEK key for the selected KVL, click the Assign New UKEK... button.
Result: The following dialog box appears.

Figure 4-40 UKEK Key Assignment Dialog Box

4 Type the UKEK key in the field.

The UKEK entered must match the one stored in the KVL.
5 Click OK.
Result: The key assignment is confirmed in the Events display.

Key Distribution

This section provides procedures for distributing infrastructure keys (Ki) to zone and BTS site entities.
It also provides procedures for performing key updates to Dimetra IP system entities.

The following parameters must be set correctly in the UCS:


• Security Class Change Notification Period = 5 seconds.
• Key Change Notification Period = 300 seconds.
• Security Class Hysteresis Period = 300 seconds.

The BTS will wait a minimum time equivalent to the settings of SCCNP, SCHP and KCNP.
This section covers the following topics:
• "Provisioning Zone or BTS Site Entity with an Infrastructure Key"
• "Reprovisioning Zone or BTS Site Entity with an Existing Infrastructure Key"
• "Reprovisioning Zone or BTS Site Entity with a New Infrastructure Key"
• "Clearing an Infrastructure Key from a Zone or BTS Site Entity"
• "Scheduling Key Updates"
• "Performing Immediate Key Updates"
• "Assigning New Authentication Material for a Mobile Station"

If the AuC receives at least one Ki acknowledgment message from an entity (Zone or BTS site),
the entity is no longer listed in the KVL. Therefore, before reconnecting the KVL to the AuC
server, make sure that the Ki is provisioned to all entities that require the Ki, that is:
• when provisioning Zones:
◦ primary and standby Zone Controllers (ZC)
• when provisioning BTS sites:
◦ primary and standby Tetra Site Controllers (TSC)
◦ complete set of Base Radios (BR)
If you need the entity to be listed in the KVL again, use the Refresh Ki or Update Ki button
for this entity in the AuC client and then connect the KVL to the AuC server.
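
The completeness check described in the note above, as an added example (not Motorola's code and not part of the AuC or KVL software): it reads a technician's notes of KVL load results and flags entities where some, but not all, required devices have acknowledged the Ki. The inventory, the log format and every name in it are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: every device that must hold the Ki, per entity.
# Zones need both Zone Controllers; BTS sites need both TSCs and every Base Radio.
INVENTORY = {
    "ZONE-1": ["ZC-primary", "ZC-standby"],
    "SITE-12": ["TSC-primary", "TSC-standby", "BR-1", "BR-2", "BR-3"],
    "SITE-13": ["TSC-primary", "TSC-standby", "BR-1", "BR-2"],
}

# Constructed technician notes, one line per KVL load attempt:
#   <entity> <device> ACK|NOACK
FIELD_LOG = """\
ZONE-1 ZC-primary ACK
ZONE-1 ZC-standby ACK
SITE-12 TSC-primary ACK
SITE-12 TSC-standby NOACK   # no acknowledgement, retried below
SITE-12 TSC-standby ACK
SITE-12 BR-1 ACK
SITE-12 BR-2 ACK
"""


def parse_field_log(text, inventory):
    """Return {entity: set of devices with a recorded acknowledgement}."""
    acked = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("ACK", "NOACK"):
            raise ValueError(f"line {lineno}: expected '<entity> <device> ACK|NOACK'")
        entity, device, result = parts
        # An unknown entity or device means the notes and the inventory
        # disagree; stop rather than guess which one is right.
        if device not in inventory.get(entity, []):
            raise ValueError(f"line {lineno}: {entity}/{device} is not in the inventory")
        if result == "ACK":
            acked[entity].add(device)
    return dict(acked)


def pre_reconnect_report(inventory, log_text):
    """Classify each entity as complete, partial or not_started."""
    acked = parse_field_log(log_text, inventory)
    report = {}
    for entity, required in inventory.items():
        done = acked.get(entity, set())
        missing = [d for d in required if d not in done]
        if not missing:
            state = "complete"
        elif done:
            state = "partial"
        else:
            state = "not_started"
        report[entity] = {"state": state, "missing": missing}
    return report


def safe_to_reconnect(report):
    """False if any entity is partial.

    A partial entity carries at least one acknowledgement, so the AuC would
    drop it from the KVL list while some of its devices still lack the Ki.
    """
    return not any(r["state"] == "partial" for r in report.values())


if __name__ == "__main__":
    report = pre_reconnect_report(INVENTORY, FIELD_LOG)
    for entity, result in report.items():
        print(entity, result["state"], "missing:", ", ".join(result["missing"]) or "-")
    print("safe to reconnect KVL to AuC:", safe_to_reconnect(report))
```

With the sample notes, SITE-12 is reported as partial (BR-3 missing), so the KVL should visit BR-3 before it is reconnected to the AuC server.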

Provisioning Zone or BTS Site Entity with an Infrastructure Key


When a Zone or BTS site is added to the system, the AuC synchronizes with the UCS database and automatically
generates an initial version of the infrastructure key (Ki) for each added Zone or BTS entity. The Ki is assigned
to the entity in the AuC database. The assigned Ki should be delivered to the respective entity using a Key
Variable Loader (KVL), and the acknowledgement message should be returned to the AuC via the KVL.
When the Ki key is successfully provisioned, key updates can be enabled for the entity.
Follow Process 4-1 to provision zone or BTS site entity with an infrastructure key.
Process 4-1 How to Provision Zone or BTS Site Entity with an Infrastructure Key

1 Connect the KVL to the AuC server (directly or via modem). Using the KVL’s menu load the
Ki from the AuC to KVL.
Result: The appropriate Ki keys are loaded to the KVL.
2 • If you are provisioning the Ki to the Zone entity, connect the KVL to the Serial Port D of
each Zone Controller (ZC) (primary and standby) via the null-modem. Using the KVL’s
menu load the Ki from the KVL to the ZC. Wait for the Ki to be uploaded to the ZC and for
the acknowledgement message to be loaded back to the KVL.
• If you are provisioning the Ki to the BTS Site entity, follow Procedure 4-17.
3 Connect the KVL to the AuC server (directly or via modem). Using the KVL’s menu, load the
acknowledge messages from the KVL to the AuC.
Result: The acknowledge messages are loaded to the AuC. The Ki Status becomes Stable for
the selected Zone or BTS Site entity. This signifies that the Ki key is successfully provisioned.

If the Ki is loaded into a zone or BTS site entity but the acknowledgement message
is not returned to the AuC, this entity will not receive key updates which use Ki, that
is, updates of KEKm and KEKz keys.

Loading an Infrastructure Key (Ki) to a BTS Site Entity


Follow Procedure 4-17 to load an Infrastructure Key (Ki) to BTS site entity.
Procedure 4-17 How to Load an Infrastructure Key (Ki) to a BTS Site Entity
1 If not already performed, configure the BTS site according to system requirements.

Use a new configuration to create the TSC configuration file (do not use any other site’s
configuration file).
2 Commission the BTS site for local site trunking mode (standalone mode) with the air interface
encryption feature disabled in the site configuration file.
3 If the BTS site has not yet been integrated with the Dimetra IP system, commission the BTS
site for wide area trunking mode with air interface encryption feature disabled in the User
Configuration Server (UCS).

4 Allow time for site configuration to be downloaded into the network management subsystem.

The site configuration must correctly specify the Zone ID and Site ID parameters.
Otherwise, the KVL will download the wrong keys to the site. Use the TSC’s
Man-Machine Interface (MMI) to verify the correct Zone and Site IDs using the
display config command.
5 Using a terminal interface, log in to the TSC’s MMI using the FIELD login.
Result: You see the SC> prompt.
6 From Application Mode, type LOCK at the prompt.
Result: The BTS site is placed in locked mode.
7 Type KVL at the prompt.
Result: The front panel serial port is configured for KVL use.
8 Within 60 seconds, connect the KVL to the TSC’s front serial port.
9 Using the KVL menus, load the Ki key into the TSC.
Result: Wait for the key load acknowledgement message.
10 Using a terminal interface, log in to the first Base Radio Controller (BRC) MMI using the FIELD
login.
Result: You see the BRC> prompt.
11 Type KVL at the prompt.
Result: The front panel serial port is configured for KVL use.
12 Within 60 seconds, connect the KVL to the BRC’s front serial port.
13 Using the KVL menus, load the Ki key into the BRC.
Result: Wait for the key load acknowledgement message.
14 Repeat step 10 through step 13 for each BRC at the BTS site.
15 Using a terminal interface, reconnect to the TSC’s MMI using the FIELD login.
Result: You see the SC> prompt.
16 From Application Mode, type UNLOCK at the prompt.
Result: The BTS site is placed in unlocked mode.
17 Type RESET at the prompt to reset the TSC.
Result: The TSC is reset.

Reprovisioning Zone or BTS Site Entity with an Existing Infrastructure Key

In certain situations you may need to refresh the existing Ki in a zone or BTS Site entity, for example
when a zone or BTS Site entity is replaced by a new one or upgraded.
This task allows you to reprovision an existing Ki key to a zone or BTS site entity. Perform
this task when you want to reload a Ki key into the zone or BTS site device, or when this
is necessary because hardware at a site has been replaced.
Follow Process 4-2 to reprovision zone or BTS site entity with an existing infrastructure key.
Process 4-2 How to Reprovision Zone or BTS Site Entity with an Existing Infrastructure Key

1 In the AuC Client select the zone or BTS Site entity that requires Ki to be refreshed. Follow
Procedure 4-18 to refresh a Ki for selected zone or BTS site entity in the AuC Client.
2 Connect the Key Variable Loader (KVL) to the AuC server (directly or via modem). Using the
KVL’s menu load the Ki from the AuC to KVL.
Result: The appropriate Ki keys are uploaded to the KVL.
3 • If you are refreshing the Ki for the Zone entity, connect the KVL to the Serial Port D of
each Zone Controller (ZC) (primary and standby) via the null-modem. Using the KVL’s
menu load the Ki from KVL to the ZC. Wait for the Ki to be uploaded to the Zone and for
the acknowledgement message to be loaded back to the KVL.
• If you are refreshing the Ki for the BTS Site entity, follow Procedure 4-17.
4 Connect the KVL to the AuC server (directly or via modem). Using the KVL’s menu load the
acknowledge messages from the KVL to AuC.
Result: The acknowledge messages are uploaded to the AuC. The Ki Status becomes Stable for
the selected Zone or BTS Site entity. This signifies that the Ki key is successfully reprovisioned.

Refreshing a Ki for Selected Zone or BTS Site Entity


Follow Procedure 4-18 to refresh a Ki for selected zone or BTS site entity in the AuC Client.
Procedure 4-18 How to Refresh a Ki for Selected Zone or BTS Site Entity in the AuC Client
1 From the main AuC client window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears.

Figure 4-41 Zones Tabbed Pane

2 Locate and click on the appropriate zone or BTS site in the Zones tree display.
3 Click the Refresh Ki button, highlighted below, to reprovision an existing infrastructure key
(Ki) for the selected entity.

Figure 4-42 Zones Tabbed Pane, Refresh Ki

Result: The Refresh Ki information appears.

Figure 4-43 Refresh Ki Information

4 Click OK.
Result: The AuC is ready to upload the Ki to a KVL.

Reprovisioning Zone or BTS Site Entity with a New Infrastructure Key

You may need to reprovision a zone or BTS Site entity with a new Ki key, for example
when the Ki is believed to be compromised.
Follow Process 4-3 to reprovision a zone or BTS site entity with a new infrastructure key.
Process 4-3 How to Reprovision a Zone or BTS Site Entity with a New Infrastructure Key

1 In the AuC Client, select the zone or BTS Site entity that requires a new Ki to be assigned.
Follow Procedure 4-19 to update a Ki for selected zone or BTS site entity in the AuC Client.
2 Connect the Key Variable Loader (KVL) to the AuC server (directly or via modem). Using the
KVL’s menu load the Ki from the AuC to KVL.
Result: The appropriate Ki keys are uploaded to the KVL.
3 • If you are reprovisioning the new Ki to the Zone entity, connect the KVL to the Serial Port D
of each Zone Controller (ZC) (primary and standby) via the null-modem. Using the KVL’s
menu load the Ki from the KVL to the ZC. Wait for the Ki to be uploaded to the Zone and
for the acknowledgement message to be loaded back to the KVL.
• If you are reprovisioning the new Ki to the BTS Site entity, follow Procedure 4-17.
4 Connect the KVL to the AuC server (directly or via modem). Using the KVL’s menu load the
acknowledge messages from the KVL to the AuC.
Result: The acknowledge messages are uploaded to the AuC. The Ki Status becomes Stable for
the selected Zone or BTS Site entity. This signifies that the Ki key is successfully reprovisioned.

If the Ki is loaded into a zone or BTS site entity, but the acknowledgement message is
not returned to the AuC, the AuC will use the previous Ki for key updates which use
Ki, that is, updates of KEKm and KEKz keys.

Updating a Ki Key for a Zone or BTS Site Entity


Follow Procedure 4-19 to update a Ki for a zone or BTS site entity in the AuC Client.
Procedure 4-19 How to Update a Ki Key for a Zone or BTS Site Entity in AuC Client

1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears.

Figure 4-44 Zones Tabbed Pane

2 Locate and click on the appropriate zone or BTS site in the Zones tree display on the left.
3 Click the Update Ki button, highlighted below, to assign a new infrastructure key (Ki) for the
selected entity.

Figure 4-45 Zones Tabbed Pane, Update Ki

Result: The Update Ki information appears.

Figure 4-46 Update Ki Information

4 Click OK.
Result: The Key Status icon becomes red for the selected zone or BTS Site. This signifies
that the new Ki key should be provisioned.

Clearing an Infrastructure Key from a Zone or BTS Site Entity


The Key Variable Loader (KVL) can clear (or "zeroize") an infrastructure key (Ki) from
a zone or BTS site entity. This may be necessary when a zone device is decommissioned
or permanently removed from service in the system.
For a BTS site, a Base Radio Controller’s Ki key can also be zeroized through the
BRC Man Machine Interface (MMI).
For information on performing this task with the KVL device, please refer to the KVL 3000 User’s Guide.

Scheduling Key Updates


The AuC manages updates of the following key types within the system infrastructure:
• authentication material
• common cipher key (CCK)
• static cipher key–trunked mode operation key (SCK-TMO)
• zone key encryption key (KEKz)
• system key encryption key (KEKm)
The Key Schedules tab in the Authentication Centre (AuC) Client allows you to manage key updates
for system infrastructure entities. In particular it enables the following actions:
• configuring scheduled key updates
• performing immediate key updates
• enabling or disabling scheduled key updates based on a key type

When the AuC is part of a nationwide system, key schedules are shared by all the AuCs connected to it.
The following topics provide procedures associated with the Key Schedules tab in the AuC client display:
• "Scheduling Key Updates" on page 4-44
• "Performing Immediate Key Updates" on page 4-47
• "Enabling/Disabling Key Updates By Key Type" on page 4-59

The following topics provide reference information associated with the Key Schedules
tab in the AuC client display:
• "Key Schedule Information" on page 11-13
• "Key Schedules Selection" on page 11-14
• "Modify Schedule Dialog Box" on page 11-37

Follow Procedure 4-20 to schedule key updates for a key type throughout the system infrastructure.

Procedure 4-20 How to Schedule Key Updates based on Key Type

1 From the AuC main client window, select the Key Schedules tab, or select Key Schedules
from the Key menu.
Result: The Key Schedules tabbed pane appears.

Figure 4-47 Key Schedules Tabbed Pane

2 Locate and click on the appropriate key type in the Key Schedules display.
Result: The selected key type’s update schedule information appears in the work pane, as
highlighted below.

Figure 4-48 Key Schedule Information display

3 Click the Modify Schedule... button.


Result: The schedule modification dialog box appears.

Figure 4-49 SCK-TMO Modify Schedule Dialog Box

4 Select the date and the recurrence interval.

5 Click OK.
Result: The schedule modification screen closes and the settings are saved in the AuC database.
Now the key update will automatically be initiated at the selected date and time.

It is good practice to carry out a database backup after key updates. This keeps the information in the
database current, and avoids potential issues with the currency of key data if the database is restored.

Performing Immediate Key Updates


The AuC manages updates of the following key types within the system infrastructure:
• authentication material
• common cipher key (CCK)
• static cipher key–trunked mode operation key (SCK-TMO)
• zone key encryption key (KEKz)
• system key encryption key (KEKm)

Although the AuC may have completed a requested SCK or CCK change, the actual change
on the air interface may not yet be complete (if the notification period has not yet expired).
However, no harm will result if further key changes are requested - the site will initiate a
change for the last activated key as soon as the ongoing change has completed.
Follow Procedure 4-21 to perform immediate key updates for a key type throughout the system infrastructure.

Procedure 4-21 How to Perform Immediate Key Updates based on Key Type

1 From the AuC main client window, select the Key Schedules tab, or select Key Schedules
from the Key menu.
Result: The Key Schedules tabbed pane appears.

Figure 4-50 Key Schedules Tabbed Pane

2 Locate and click on the appropriate key type in the Key Schedules display.
3 Click Start Update Now.
Result: The following dialog box appears.

Figure 4-51 Start Update Now Dialog Box

The user is asked to confirm because some updates require a long time to finish.
Starting a manual update has no impact on the date and time for the next scheduled
update.

When the AuC is a part of a Nationwide system, key update will be
executed on every AuC that is a part of the Nationwide system.
4 Click Yes.
Result: The key update is started and can be monitored via the Key Update Progress bar as
shown below. When it reaches 100% the key update finishes.

Figure 4-52 Key Update Progress

Assigning New Authentication Material for a Mobile Station


The AuC does not automatically assign authentication material for a mobile station (MS) when initially
provisioned in the AuC database. The MS must be specifically selected in order to be enabled for key updates.

Once an MS is provisioned and enabled for key updates, future authentication material
updates for the MS are performed during scheduled updates.

Follow Procedure 4-22 to assign new authentication material for a mobile station.

Procedure 4-22 How to Assign New Authentication Material for a Mobile Station

1 Select the Mobile Stations tab.


Result: The Mobile Station tabbed pane appears.

Figure 4-53 Mobile Stations Tabbed Pane

2 Define the appropriate search criteria in the Mobile Station Search Form, highlighted below
(search text is case-insensitive). For a description of the available search criteria see Online Help.

Figure 4-54 Mobile Station Search Form

You must specify the appropriate security group in order to execute a mobile station
search. You can select a security group from the Security Groups tree display and
the entry is automatically populated in the Security Group field.
Result: The mobile station selection(s) are highlighted.
3 Click on the Search button. The search results are displayed in the list window, highlighted
below.

Figure 4-55 Mobile Stations List

4 Select the appropriate mobile station(s) in the list window. To select multiple MSs, do the
following:
• To select a group of MSs that are next to each other in the list window, click and drag the
mouse over the selections (or hold down the SHIFT key and click each item you want
to select).
• To select a group of MSs that are not next to each other in the list window, hold down the
CTRL key and click each item you want to select.
Result: The mobile station selection(s) are highlighted.

5 To update authentication material for the selected MSs, click the Update Auth Now button.
Result: The following dialog box appears.

Figure 4-56 Update Authentication Material Dialog Box

6 To disable key updates for the selected MSs, click the Disable Key Updates button.
7 Click Yes.
Result: The information is saved in the AuC database.

Enabling and Disabling Key Updates



This section covers the following topics:


• "Enabling/Disabling Key Updates for a Mobile Station"
• "Enabling/Disabling Key Updates for a Zone"
• "Enabling/Disabling Key Updates for an EBTS Site"
• "Enabling/Disabling Key Updates By Key Type"
• "Enabling/Disabling KVL Access to the Authentication Centre"

Enabling/Disabling Key Updates for a Mobile Station


The AuC manages updates of authentication material, common cipher keys (CCK), and static cipher
key-trunked mode operation (SCK-TMO) keys in the system infrastructure. Using the AuC, you can select to
enable or disable future updates of these keys as they relate to a specific mobile station (MS).

When key updates are disabled, the MS will no longer get new authentication material,
for example, when KEKm key and authentication material updates are performed.
CCK and SCK-TMO key changes are not affected. The MS still receives new CCK
keys, and uses a different SCK-TMO key when requested.

A device should only be disabled for key updates if considered non-operational.
Similarly, a device should only be enabled for key updates if operational.

Follow Procedure 4-23 to enable or disable key updates for a mobile station.
Procedure 4-23 How to Enable/Disable Key Updates for a Mobile Station

1 Select the Mobile Stations tab.


Result: The Mobile Station tabbed pane appears.

Figure 4-57 Mobile Stations Tabbed Pane

2 Define the appropriate search criteria in the Mobile Station Search Form, highlighted below
(search text is case-sensitive). For a description of the available search criteria see Online Help.

Figure 4-58 Mobile Station Search Form

You must specify the appropriate security group in order to execute a mobile station
search. You can select a security group from the Security Groups tree display and
the entry is automatically populated in the Security Group field.
Result: The mobile station selection(s) are highlighted.
3 Click on the Search button.
Result: The search results are displayed in the list window, highlighted below.

Figure 4-59 Mobile Stations List

4 Select the appropriate mobile station(s) in the list window. To select multiple MSs, do the
following:
• To select a group of MSs that are next to each other in the list window, click and drag the
mouse over the selections (or hold down the SHIFT key and click each item you want
to select).
• To select a group of MSs that are not next to each other in the list window, hold down the
CTRL key and click each item you want to select.
Result: The mobile station selection(s) are highlighted.
5 To enable key updates for the selected MSs, click the Enable Key Updates button.
Result: The Mobile State field in the list window is changed to "Enabled".
6 To disable key updates for the selected MSs, click the Disable Key Updates button.
Result: The following dialog box appears.

Figure 4-60 Disable Mobile Station Dialog Box

7 Click Yes.
Result: The Mobile State field in the list window is changed to "Disabled (manually)".

Enabling/Disabling Key Updates for a Zone


The AuC manages updates of zone entities in the system infrastructure. Using the AuC, you can select to
enable or disable future key updates (scheduled and on-demand) relating to a specific zone entity.
• When the Zone is DISABLED, all sites and MSs belonging to that Zone have
their key updates setting implicitly overridden with DISABLED, although for
MSs this will not be shown on the AuC GUI.
• When the Zone is ENABLED, all sites and MSs belonging to that Zone
take on their own key updates setting, which may be either ENABLED or
DISABLED depending on customer configuration.
Follow Procedure 4-24 to enable or disable key updates for a zone.
Procedure 4-24 How to Enable/Disable Key Updates for a Zone
1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears.

Figure 4-61 Zones Tabbed Pane

2 Locate and click on the appropriate zone in the Zones tree display on the left.

3 Click the Enable Key Updates button to enable or Disable Key Updates button to disable key
updates for the selected zone. The location of the button is highlighted below.

The Key Updates button is a toggle button. Thus, when Key Updates are enabled,
the button will say Disable Key Updates, and when Key Updates are disabled, it
will say Enable Key Updates.

Figure 4-62 Disable Key Updates Button

Result: The status of a zone and all sites beneath changes accordingly. If key updates are being
disabled, a confirmation dialog box appears.

Enabling/Disabling Key Updates for an EBTS Site


The AuC manages key updates for BTS sites in the system infrastructure. Using the AuC, you can select to
enable or disable future key updates (scheduled and on-demand) relating to a specific BTS site. BTS site key
updates status can be modified only when key updates are enabled for the zone which the BTS site belongs to.
When a new BTS site is added into the AuC it is in the disabled state by default. You can manually enable the
BTS site when either a Ki is provisioned for this site or a Dimetra Distribution Key (DDK) is configured.
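
The zone, BTS site and MS rules described above, modelled as an added example (not Motorola's code and not an AuC interface): it resolves the effective key-update state of each member and lists the members whose own setting reads Enabled while a disabled zone overrides it, which for MSs is the case the AuC GUI does not show. All class, function and entity names are hypothetical, and treating the DDK as a single configured/not-configured flag is an assumption.

```python
from dataclasses import dataclass, field


class KeyUpdatePolicyError(Exception):
    """Raised when a requested change breaks one of the rules described above."""


@dataclass
class Member:
    """A BTS site or mobile station with its own stored key-updates setting."""
    name: str
    kind: str                     # "site" or "ms"
    own_enabled: bool = False     # new BTS sites start in the disabled state
    ki_provisioned: bool = False  # meaningful for sites only


@dataclass
class Zone:
    name: str
    enabled: bool
    members: list = field(default_factory=list)


def effective_enabled(zone, member):
    """A disabled zone overrides every member; an enabled zone defers to the member."""
    return zone.enabled and member.own_enabled


def set_site_updates(zone, site, enable, ddk_configured=False):
    """Change a BTS site's key-updates setting, enforcing the stated preconditions."""
    if site.kind != "site" or site not in zone.members:
        raise KeyUpdatePolicyError(f"{site.name} is not a BTS site of {zone.name}")
    if not zone.enabled:
        raise KeyUpdatePolicyError("key updates are disabled for the zone")
    if enable and not (site.ki_provisioned or ddk_configured):
        raise KeyUpdatePolicyError("site needs a provisioned Ki or a configured DDK")
    site.own_enabled = enable


def masked_members(zones):
    """Members whose own setting is enabled but which a disabled zone overrides."""
    return [
        (zone.name, member.name, member.kind)
        for zone in zones
        for member in zone.members
        if member.own_enabled and not effective_enabled(zone, member)
    ]


def build_sample():
    """Constructed two-zone inventory used to exercise the rules."""
    zone1 = Zone("zone-1", enabled=True, members=[
        Member("site-101", "site", own_enabled=True, ki_provisioned=True),
        Member("site-102", "site"),                  # newly added, no Ki yet
        Member("ms-0001", "ms", own_enabled=True),
    ])
    zone2 = Zone("zone-2", enabled=False, members=[
        Member("site-201", "site", own_enabled=True, ki_provisioned=True),
        Member("ms-0002", "ms", own_enabled=True),   # overridden by the zone
        Member("ms-0003", "ms", own_enabled=False),
    ])
    return [zone1, zone2]


if __name__ == "__main__":
    for zone_name, member_name, kind in masked_members(build_sample()):
        print(f"{member_name} ({kind}) in {zone_name}: own setting enabled, "
              "effectively disabled by the zone")
```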
Follow Procedure 4-25 to enable or disable key updates for a BTS site.

Procedure 4-25 How to Enable/Disable Key Updates for a BTS Site


1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears.

Figure 4-63 Zones Tabbed Pane

2 Locate and click on the appropriate BTS site in the Zones tree display on the left.
3 Click the Enable Key Updates button to enable or Disable Key Updates button to disable key
updates for the selected BTS site. The location of the button is highlighted below.

The Key Updates button is a toggle button. Thus, when Key Updates are enabled,
the button will say Disable Key Updates, and when Key Updates are disabled, it
will say Enable Key Updates.

Figure 4-64 Disable Key Updates Button

Result: The status of a BTS site changes accordingly. If key updates are being disabled, a
confirmation dialog box appears.

Enabling/Disabling Key Updates By Key Type


The AuC manages updates of the following key types within the system infrastructure:
• authentication material
• common cipher key (CCK)
• static cipher key–trunked mode operation key (SCK-TMO)
• zone key encryption key (KEKz)
• system key encryption key (KEKm)
Follow Procedure 4-26 to enable or disable scheduled key updates for a key type
throughout the system infrastructure.

This procedure affects scheduled updates only (immediate key updates can still be performed).
When disabling, any key updates currently in progress will continue to be performed.

Procedure 4-26 How to Enable/Disable Key Updates based on Key Type


1 From the AuC main client window, select the Key Schedules tab, or select Key Schedules
from the Key menu.
Result: The Key Schedules tabbed pane appears.

Figure 4-65 Key Schedules Tabbed Pane

2 Locate and click on the appropriate key type in the Key Schedules display and click Modify
Schedule...
Result: The selected key type’s modify schedule dialog box appears.

Figure 4-66 SCK-TMO Modify Schedule Dialog Box

3 To enable key updates, deselect Disable Key Schedule, select the values then click OK.
Result: Your schedule information will be stored and a key update will take place when
scheduled.
4 To disable key updates, select Disable Key Schedule then click OK.
Result: The Modify Schedule window will close and the Key Schedule State will show
Disabled.
5 Click Yes.
Result: The Key Schedule State field displays the current state of the schedule.


Enabling/Disabling KVL Access to the Authentication Centre


The Authentication Centre (AuC) allows you to control a key variable loader’s (KVL) access to the AuC. A
KVL must be allowed access to perform transfer of infrastructure keys (Ki) to system entities.
Follow Procedure 4-27 to enable or disable KVL access to the AuC.
Procedure 4-27 How to Enable/Disable KVL Access to the Authentication Centre

1 From the AuC client main window, select the Key Loaders tab.
Result: The Key Loaders tabbed pane appears.

Figure 4-67 KVLs Tabbed Pane

2 Select a KVL from the KVLs list display.


Result: The KVL’s key information appears in the work pane.
3 To enable or disable KVL access to the AuC, click the Deny Access/Allow Access button.

The Deny Access/Allow Access button is a toggle button. Thus, you click the
same button to turn KVL access on or off. For example, to enable KVL access
(when disabled) to the AuC, you click the Allow Access button. Once KVL access
is enabled, the toggle button’s state changes to Allow Access. This allows you to
disable KVL access to the AuC in the future.
Result: The KVL’s current key status is changed in both the colored icon of the KVLs display
and by the Status field in the KVL Information display. If KVL access is being disabled,
the following dialog box appears.


Figure 4-68 Deny Access to KVL Dialog Box

4 Click Yes.
Result: The KVL’s current key status is changed to disabled in both the colored icon of the Key
Status display (to red) and by the Status field in the KVL Information display.



Chapter 5: Nationwide AuC Configuration

For a Nationwide (multicluster) Dimetra IP system, an AuC is required for each cluster (each
cluster supports up to seven zones). Each AuC handles the key management tasks for that
cluster. To support system-wide key management tasks, the AuCs in the nationwide system
communicate with one another to perform updates of the KEKm, SCK-TMO, and CCK keys.
The nationwide AuC system consists of one Master AuC and up to seven Slave AuCs. Which of the AuCs
is the Master AuC must be configured manually. The Master AuC is responsible for the following operations:
• assuring that system-wide keys in all AuCs in the Nationwide system are consistent
• initiating nationwide key updates of system-wide keys
• coordinating updates between the Slave AuCs
• coordinating update schedules between the Slave AuCs
The system-wide keys are transferred securely between AuCs using a shared AuC
communication key, also referred to as the CommKey.
This chapter covers the following topics:
• "Viewing AuC Connection Information and Status"
• "Nationwide AuC System Configuration"
• "Key Updates in the Nationwide System"
• "Slave AuCs Reconfiguration in the Nationwide System"
• "Returning to the Single Cluster Mode"
• "Nationwide AuC System Reconfiguration"

The following topics provide reference information associated with the AuC
Connectivity tab in the AuC client display:
• "AuC Connectivity" on page 11-2
• "AuC Net" on page 11-4
• "General Network Information" on page 11-9
• "AuC Connection" on page 11-28


Viewing AuC Connection Information and Status



The AuC Connectivity tab in the Authentication Centre provides information about the Nationwide system
that the local AuC is a part of. The local AuC is the AuC that the user is currently logged on to. For each
AuC Server listed in the AuC Net window, the AuC Connectivity window provides the following information:
• Server Alias
• Server ID
• Server Version
• Server Status
• Nationwide Role
• IP Address
The General Network Information window provides information about Master Alias, Master IP
address, Expected Slave and key update status for the following keys:
• CCK
• SCK-TMO
• System KEK

Follow Procedure 5-1 to view connectivity status and information in the nationwide system.


Procedure 5-1 Viewing AuC Connection Information and Status

1 From the AuC client main window, select the AuC Connectivity tab in the work pane.
Result: The AuC Connectivity tabbed pane appears.

Figure 5-1 AuC Connectivity Tabbed Pane



2 When the AuC is a part of the Nationwide system, you can see the system structure in the AuC Net
window, as highlighted below. The Master AuC is displayed at the top of the tree; all Slave
and Expected Slave AuC Servers are listed below it. For an explanation of the server icons,
see Table 11-4.

When the AuC is not a part of the Nationwide system, the AuC Net window is empty
and the remaining fields in the AuC Connectivity tab do not provide any information.
Result: The AuC server that you are currently logged on to is displayed with the status In-Service;
see the highlight in the screen below.

Figure 5-2 AuC Net Window



3 In the General Network Information window the following information about the Nationwide
AuC system is displayed (see Table 11-14 for details):
• Master Alias
• Master IP address
• Expected Slave IP address
• Key update status details for CCK, SCK-TMO and System KEK keys
See the highlighted field in the screen below.

Figure 5-3 General Network Information Display



4 In the AuC Net window select the AuC Server you wish to see information about. The
information is displayed in the AuC Connectivity window on the left (see Table 11-3 for details).
Result:
• When the local AuC is the nationwide master, the selected AuC Server's Alias, ID, Version,
Status, Nationwide Role, IP Address and key update status are displayed.
See the highlighted field in the screen below. When the key update is locked on the selected
AuC, information about it is also provided.
• When the local AuC is a nationwide slave, the selected AuC Server's Alias, ID, Version,
Status, Nationwide Role and IP Address are displayed. See the highlighted field in the screen below.

Nationwide AuC System Configuration



Follow Process 5-1 to configure the Nationwide AuC system.


Process 5-1 Nationwide AuC System configuration

1 Verify the following preconditions:


• All AuC Servers that will be connected to the Nationwide system have the same CommKey.
• There is no key update in progress.
• All AuC Servers that will be connected to the Nationwide system have the same SCK Table.
• The time set on the AuC Servers does not vary by more than 5 minutes.



2 Choose the AuC Server to be the nationwide master and configure it according to Procedure 5-2.

Choose one of the remaining AuC Servers to be the Expected Slave.


3 Configure the AuC Server that was set on the master as the Expected Slave to be a nationwide slave,
according to Procedure 5-3.
4 To add more nationwide slaves to the network:
1. Wait for the nationwide master to synchronize keys. The key update status in the General
Network Information window should be Idle for all keys.
2. Set Expected Slave on the nationwide master according to Procedure 5-4.
3. Configure the AuC Server chosen to be Expected Slave as a nationwide slave, according to
Procedure 5-3.
Repeat this step until all slaves have been added.

When this process is completed, the CCK, SCK-TMO and System KEK keys and
their update schedules for all AuC Servers connected to the nationwide system will
be synchronized by the nationwide master.

Configuring Nationwide Master AuC


Follow Procedure 5-2 to configure nationwide Master AuC.
Procedure 5-2 How to Configure Nationwide Master AuC
1 From the AuC client main window, select the AuC Connectivity tab.
Result: The AuC Connectivity tabbed pane appears.
2 From the main AuC Client menu select Nationwide>Become Nationwide Master.
Result: You are prompted for IP address of Expected Slave AuC.

Figure 5-4 AuC Connection Dialog Box



3 Insert the IP address of Expected Slave AuC and press OK.
Result: The Slave AuC is listed in the AuC Net window as Expected.

Figure 5-5 Expected AuC Slave in AuC Net Structure Display

4 Wait until the Expected Slave AuC connects to the AuC Net.

Only an AuC whose IP address matches the IP address of the Expected Slave defined
in step 3 will be able to connect to the Master AuC. To change the IP address of
the Expected Slave, see Procedure 5-5. To learn how to configure a Slave AuC and
connect it to the system, see Procedure 5-3.
Result: When the Expected Slave AuC connects to the AuC System it will be listed in the
AuC Net window as Connected. Master will automatically update the CCK, SCK-TMO and
System KEK keys on the Slave AuC.


Figure 5-6 Connected AuC Slave in AuC Net Window

5 To add more Slave AuCs to the net, see Procedure 5-4.

There can be up to seven Slave AuCs in the Nationwide system.

Configuring Nationwide Slave AuC


Follow Procedure 5-3 to configure nationwide Slave AuC.
Procedure 5-3 How to Configure Nationwide Slave AuC
1 From the AuC client main window, select the AuC Connectivity tab.
Result: The AuC Connectivity tabbed pane appears.



2 From the main AuC Client menu select Nationwide>Become Nationwide Slave.
Result: You are prompted for IP address of Master AuC.

Figure 5-7 AuC Connection Dialog Box

3 Insert the IP address of Master AuC and press OK.


Result: The Master AuC and the Slave AuC are listed in the AuC Net. Initially the status of
the Master AuC is Connecting...

Figure 5-8 AuC Master Connecting

4 Wait until the Slave AuC connects to the Master AuC. The slave will be able to connect to the
Master AuC only when its IP address is set in the Master AuC as the IP address of the Expected
Slave AuC.

When the attempt to connect to the Master AuC fails, one of the
following messages appears in the master’s Event Log:
• Connection closed. Reason (Unknown Address)
— the IP address of the Expected Slave AuC set up in the Master AuC does
not match the IP address of the Slave AuC that is trying to connect;
• Connection closed. Reason (Different Static Cipher Key Table)
— the SCK tables on master and slave do not match;
• Connection closed. Reason (Authentication Failure — Signature Mismatch)
— the CommKeys on master and slave do not match;
• Connection closed. Reason (Authentication Failure — Unacceptable Time Difference)
— the time difference between servers is greater than 5 minutes.

Result: The Slave AuC tries to establish the connection with the master every 5 minutes until it
succeeds. When the Slave AuC connects to the master, the status of the master listed in the AuC
Net window changes to Connected.

Figure 5-9 AuC Master Connected

5 The CCK, SCK-TMO and System KEK keys in the connected Slave AuC and/or other AuC Servers
will be updated so that they are identical. When the key update fails, one of
the messages listed and described in Table 5-1 appears in the master’s Event Log. See the description
of the received message to find the solution and enable the key update.
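The connection checks from step 4, which mirror the preconditions in Process 5-1, modelled as an added Python example (not Motorola code). The request fields, the HMAC-SHA-256 signature and the order of the checks are assumptions, because the manual does not describe the AuC wire protocol; only the reason texts and the 5-minute limit come from the page. Addresses, keys and SCK tables are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

MAX_SKEW_S = 5 * 60  # page: server clocks may differ by at most 5 minutes

# Event Log texts copied from Procedure 5-3, step 4.
UNKNOWN_ADDRESS = "Connection closed. Reason (Unknown Address)"
DIFFERENT_SCK = "Connection closed. Reason (Different Static Cipher Key Table)"
SIG_MISMATCH = "Connection closed. Reason (Authentication Failure — Signature Mismatch)"
TIME_DIFF = "Connection closed. Reason (Authentication Failure — Unacceptable Time Difference)"
CONNECTED = "Connected"  # status shown in the AuC Net window


def sck_digest(sck_table):
    """Digest of an SCK table {SCK number: key bytes}; stands in for table comparison."""
    h = hashlib.sha256()
    for number in sorted(sck_table):
        key = sck_table[number]
        h.update(number.to_bytes(2, "big") + len(key).to_bytes(2, "big") + key)
    return h.hexdigest()


def sign(comm_key, source_ip, table_digest, timestamp):
    """Assumed signature scheme: HMAC-SHA-256 under the shared CommKey."""
    message = f"{source_ip}|{table_digest}|{timestamp}".encode()
    return hmac.new(comm_key, message, hashlib.sha256).digest()


@dataclass
class ConnectRequest:
    """What a slave presents when connecting (hypothetical field layout)."""
    source_ip: str
    table_digest: str
    timestamp: int      # slave clock, in seconds
    signature: bytes


def build_request(comm_key, source_ip, sck_table, clock):
    """Request a slave with this CommKey, SCK table and clock would send."""
    digest = sck_digest(sck_table)
    return ConnectRequest(source_ip, digest, clock,
                          sign(comm_key, source_ip, digest, clock))


@dataclass
class Master:
    expected_slave_ip: str
    comm_key: bytes
    sck_table: dict
    clock: int

    def admit(self, req):
        """Return CONNECTED or the Event Log text for the first check that fails."""
        if req.source_ip != self.expected_slave_ip:
            return UNKNOWN_ADDRESS
        if req.table_digest != sck_digest(self.sck_table):
            return DIFFERENT_SCK
        expected = sign(self.comm_key, req.source_ip, req.table_digest, req.timestamp)
        if not hmac.compare_digest(expected, req.signature):
            return SIG_MISMATCH
        if abs(self.clock - req.timestamp) > MAX_SKEW_S:
            return TIME_DIFF
        return CONNECTED


def preflight(master, requests):
    """Check each candidate as if it were the Expected Slave (slaves are added one at a time)."""
    return {r.source_ip: replace(master, expected_slave_ip=r.source_ip).admit(r)
            for r in requests}


def demo():
    """Constructed four-candidate run; returns the master, the requests and the verdicts."""
    now = 1_700_000_000
    key, table = b"constructed-commkey", {1: b"\x11" * 10, 2: b"\x22" * 10}
    master = Master("192.0.2.10", key, table, now)
    candidates = [
        build_request(key, "192.0.2.10", table, now + 300),         # exactly 5 minutes apart
        build_request(b"other-commkey", "192.0.2.20", table, now),   # CommKey differs
        build_request(key, "192.0.2.30", {1: b"\x11" * 10}, now),    # SCK table differs
        build_request(key, "192.0.2.40", table, now - 301),          # 5 minutes 1 second behind
    ]
    return master, candidates, preflight(master, candidates)
```

A difference of exactly 5 minutes passes in this model because the page rejects only a difference greater than 5 minutes.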


Rejected Key Update Event Log Messages


Table 5-1 Rejected Key Update Event Log Messages

Reason Field | Description
Key update in progress | The key update is already in progress. Wait until it finishes.
Key updates disabled | The key update has been disabled on one of the AuC Servers in the nationwide network. Make sure that the key update is unlocked on every AuC Server in the nationwide network to enable the Master AuC to execute automatic key update.
Not all servers connected | Not all AuC Servers in the nationwide system are currently connected to the network. Restore the connection to proceed with key update.
Invalid network configuration | There is only one server in the AuC Network. The nationwide key update can be executed only in a multicluster system.
Remote server data missing | The Master AuC doesn’t have information about the slaves’ keys. Please wait until the Master AuC receives the information.
Decryption failure | The decryption failed. Check if the CommKeys in Slave AuC and Master AuC match each other.
UCS disconnected | The AuC has been disconnected from the UCS. Restore the connection with UCS.
Remote server did not respond in time | The AuC Server did not answer the key update request within one minute.

Key Updates in the Nationwide System



There are the following types of key updates in the Nationwide AuC system:
1. Initial synchronization
When a new AuC joins the Nationwide system, the system-wide keys need to be
synchronized. The Master AuC assures that the keys in all AuCs are consistent. Depending on
the current situation, the Master AuC updates the keys either on the new AuC or in the whole
nationwide network. The Master AuC also updates the key update schedule on the new AuC.

No new key update can begin until the initial synchronization finishes.
For more information on adding a new AuC to the Nationwide system, see
"Slave AuCs Reconfiguration in the Nationwide System".


2. Scheduled key update


In the Nationwide AuC system, Master AuC stores information about key update
schedule and initiates updates according to this schedule. Master AuC also
coordinates the key update schedules between the Slave AuCs, however Slave
AuCs do not initiate scheduled updates. The current key update schedule can
be viewed and modified in the Key Schedules tab in the AuC client.

3. Immediate key update


Operator can initiate immediate system-wide key update on any of AuCs in the Nationwide
system; however the Master AuC will execute and control the key update. The
immediate key update applies to all AuCs in the nationwide network.
The Master AuC performs the system-wide key update according to the process below.

The following steps are performed automatically by the Master and Slaves AuCs. No action
from the user is required. The process is presented only for information purposes.
Process 5-2 Key Update in the Nationwide System

1 Master AuC checks the following preconditions:


• All AuC servers must be connected to the Nationwide system
• Key updates on all AuC servers must be unlocked
• There mustn’t be any key updates in progress
2 Master AuC sends inquiry to all AuC servers that take part in the key update to check if the
key update can be started.
3 Slave AuCs respond to Master AuC. The response can be either positive or negative. When the
response is negative the Slave AuC provides the Master AuC with the reason of rejection,
see Table 5-1.

For the Master AuC SW Release 5.5 (or higher) and the Slave AuC SW Release 5.2
(or lower) the reason of update rejection is always Unknown.

If the key update is rejected by the Slave AuC then, depending on the update type, the Master AuC
performs the following actions:
• If it is an immediate key update, the update will not be executed.
• If it is a scheduled key update, the Master AuC repeats the request at one-hour intervals
until the response is positive. When the responses from all Slave AuCs are positive, the key
update starts.
• If it is an initial synchronization, the Master AuC repeats the request at five-minute
intervals until the response is positive. When the responses from all Slave AuCs are
positive, the key update starts.
4 During the key update, the Slave AuCs send their current status information to the Master AuC. On
this basis the Master AuC generates a summary report, which can be viewed in the AuC Connectivity
tab. For more information, see "Viewing AuC Connection Information and Status".



5 When specific stage of key update is completed on each AuC server (the progress reaches 100%)
Master AuC decides to start the next stage. Master AuC sends a request to start the next stage
to each AuC Slave.
6 Slave AuCs respond to Master AuC. The response can be either positive or negative. If the
slave’s response is negative, Master AuC repeats its request every 5 minutes (Exception: if
synchronizing with UCS is the reason of rejection, Master AuC repeats its request every 30
seconds). When the response is positive, Master AuC sends a command to move to the next
update stage to all Slave AuCs.
7 When all stages of the key update are completed, the key update process is finished.
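The retry rules of Process 5-2 as an added Python model (not Motorola code) that computes when an update actually starts and when a stage request is accepted. The `rejects_until_s` field, the pairing of the step 1 preconditions with Table 5-1 reason texts, and sending the first request at the moment of the trigger are assumptions of this example; the intervals and the release rule come from the page.

```python
from dataclasses import dataclass
from enum import Enum


class UpdateType(Enum):
    INITIAL_SYNC = "initial synchronization"
    SCHEDULED = "scheduled key update"
    IMMEDIATE = "immediate key update"


# Step 3: interval between repeated start inquiries after a negative response.
START_RETRY_S = {UpdateType.SCHEDULED: 60 * 60, UpdateType.INITIAL_SYNC: 5 * 60}
STAGE_RETRY_S = 5 * 60    # step 6: a rejected stage request is repeated every 5 minutes
STAGE_RETRY_UCS_S = 30    # step 6 exception: rejection caused by synchronizing with UCS


@dataclass
class AuC:
    alias: str
    connected: bool = True
    updates_unlocked: bool = True
    update_in_progress: bool = False
    rejects_until_s: int = 0   # constructed: answers negatively before this time


def failed_preconditions(servers):
    """Step 1 checks, reported with the Table 5-1 reason texts (assumed pairing)."""
    failed = []
    if not all(s.connected for s in servers):
        failed.append("Not all servers connected")
    if not all(s.updates_unlocked for s in servers):
        failed.append("Key updates disabled")
    if any(s.update_in_progress for s in servers):
        failed.append("Key update in progress")
    return failed


def first_accepted(first_request_s, rejects_until_s, interval_s):
    """Time of the first request, on the retry grid, that gets a positive response."""
    if rejects_until_s <= first_request_s:
        return first_request_s
    wait = rejects_until_s - first_request_s
    retries = -(-wait // interval_s)          # integer ceiling
    return first_request_s + retries * interval_s


def plan_update(update_type, servers, requested_at_s=0):
    """Return (outcome, start time in seconds or None, failed preconditions)."""
    failed = failed_preconditions(servers)
    if failed:
        return ("preconditions not met", None, failed)
    ready_s = max(s.rejects_until_s for s in servers)   # all responses must be positive
    if ready_s <= requested_at_s:
        return ("starts", requested_at_s, [])
    if update_type is UpdateType.IMMEDIATE:
        return ("not executed", None, [])               # a rejected immediate update is dropped
    start = first_accepted(requested_at_s, ready_s, START_RETRY_S[update_type])
    return ("starts", start, [])


def next_stage_at(stage_done_s, rejects_until_s, ucs_sync=False):
    """Step 6: when the request to start the next stage is accepted."""
    interval = STAGE_RETRY_UCS_S if ucs_sync else STAGE_RETRY_S
    return first_accepted(stage_done_s, rejects_until_s, interval)


def reason_shown(master_release, slave_release, reason):
    """Step 3 note: master 5.5 or higher with slave 5.2 or lower always shows Unknown.
    Other release pairs are not covered by the page; this model passes the reason through."""
    if master_release >= (5, 5) and slave_release <= (5, 2):
        return "Unknown"
    return reason


def demo():
    """Constructed network: one slave rejects the start inquiry for 61 minutes."""
    net = [AuC("master"), AuC("slave-a"), AuC("slave-b", rejects_until_s=61 * 60)]
    return {t.name: plan_update(t, net) for t in UpdateType}
```

In the constructed case a slave that rejects for 61 minutes delays a scheduled update to the two-hour mark, delays an initial synchronization to 65 minutes, and causes an immediate update to be dropped rather than retried.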

Slave AuCs Reconfiguration in the Nationwide System



In the Master AuC you can introduce the following changes into the Slave AuCs configuration:
• Add new Slave AuC to the AuC System, see Procedure 5-4.
• Change Expected Slave AuC, see Procedure 5-5.
• Remove Expected Slave AuC from the AuC System, see Procedure 5-6.
• Remove Slave AuC from the AuC System, see Procedure 5-7.

Adding a New Slave AuC to the Nationwide System


Follow Procedure 5-4 to add new Slave AuC to the AuC net.
Procedure 5-4 How to Add New Slave AuC to the AuC Net
1 On the Master AuC select the AuC Connectivity tab from the AuC client main window.
Result: The AuC Connectivity tabbed pane appears.
2 From the main AuC Client menu select Nationwide>Add Expected Slave....
Result: You are prompted for IP address of Expected Slave AuC.
3 Insert the IP address of Expected Slave AuC and press OK.
Result: The Slave AuC is listed in the AuC Net window as Expected.

4 Wait until the Expected Slave AuC connects to the AuC Net.

Only an AuC whose IP address matches the IP address of the Expected Slave defined
in step 3 will be able to connect to the AuC Net. To change the IP address of
the Expected Slave, see Procedure 5-5. To learn how to configure a Slave AuC and
connect it to the system, see Procedure 5-3.
Result: When the Expected Slave AuC connects to the AuC System, it will be listed in the
AuC Net window as Connected.

Changing Expected Slave AuC


Follow Procedure 5-5 to change expected Slave AuC.
Procedure 5-5 How to Change Expected Slave AuC

1 From the main AuC Client menu select Nationwide>Change Expected Slave.
Result: You are prompted for IP address of Expected Slave AuC.
2 Insert the IP address of the new Expected Slave AuC and press OK.
Result: The new Slave AuC is listed in the AuC Net window as Expected.

Removing Expected Slave AuC


Follow Procedure 5-6 to remove expected Slave AuC.
Procedure 5-6 How to Remove Expected Slave AuC

1 From the AuC client main window, select the AuC Connectivity tab.
Result: The AuC Connectivity tabbed pane appears.
2 From the main AuC Client menu select Nationwide>Remove Expected Slave.

This option is available only when at least one Slave AuC is connected to the Master
AuC.
Result: The Expected Slave AuC is delisted from the AuC Net window.


Removing Slave AuC from the Nationwide System

Removing an AuC from the nationwide network means that this AuC will no longer
participate in nationwide key updates (KEKm, SCK-TMO, CCK). If it is still desired for
the mobile stations (MSs) located in this AuC’s cluster to maintain communication with
MSs in other clusters, removing the AuC is NOT recommended. Failure to follow this
recommendation may result in loss of radio communication between the cluster that has
been removed and the remaining clusters in the nationwide network.
Follow Procedure 5-7 to remove Slave AuC from the nationwide system.
Procedure 5-7 How to Remove Slave AuC from the AuC System

1 On the Master AuC select the AuC Connectivity tab from the AuC client main window.
Result: The AuC Connectivity tabbed pane appears.
2 From the main AuC Client menu select Nationwide>Remove Slave.
Result: You are prompted for IP address of the Slave AuC to be removed.
3 Insert the IP address of Slave AuC to be removed and press OK.

Only disconnected Slave AuC can be removed.


Result: The Slave AuC is delisted from the AuC System. It is reflected in the AuC Net window.

Returning to the Single Cluster Mode



Follow Procedure 5-8 to return to the single cluster mode.


Procedure 5-8 How to Return to Single Cluster Mode from Master AuC

1 On the Master AuC select the AuC Connectivity tab from the AuC client main window.
Result: The AuC Connectivity tabbed pane appears.
2 Remove all Slave AuCs. To remove Slave AuC follow Procedure 5-7.

The Expected Slave AuC does not need to be removed.

3 From the main AuC Client menu select Nationwide>Back To Single Cluster.
Result: The AuC Net window becomes empty.

Nationwide AuC System Reconfiguration



To reconfigure Nationwide AuC system you can:


• connect Slave AuC to another Master AuC, see Procedure 5-9.
• change nationwide master, see Procedure 5-10.

Connecting Slave AuC to Another Master


Follow Procedure 5-9 to connect Slave AuC to another master.
Procedure 5-9 How to Connect Slave AuC to Another Master
1 From the AuC client main window, select the AuC Connectivity tab.
Result: The AuC Connectivity tabbed pane appears.
2 From the main AuC Client menu select Nationwide>Change Master...

You can change the master only when the connection with current master is inactive.
To disconnect with current master select System>Go Out of Service from the main
AuC Client menu on the Master AuC.
Result: You are prompted for IP address of new Master AuC.
3 Insert the IP address of new Master AuC and press OK.
Result: The Master AuC and the Slave AuC are listed in the AuC Net. Initially the status of
the Master AuC is Connecting...
4 Wait until the Slave AuC connects to the Master AuC. The slave will be able to connect to the
Master AuC only when its IP address is set in the Master AuC as the IP address of the Expected
Slave AuC. To learn how to add Expected Slave, see Procedure 5-4. To learn how to change
Expected Slave, see Procedure 5-5.
Result: The Slave AuC tries to establish the connection with the master every 5 minutes until it
succeeds. When the Slave AuC connects to the master the status of the master listed in the AuC
Net window changes to Connected.


Changing Master in the Nationwide System


Follow Procedure 5-10 to change master in the nationwide system.
Procedure 5-10 How to Change Master in Nationwide AuC System
1 On the Master AuC, from the main menu select Nationwide>Transform to Slave.
Result: The local AuC is listed in AuC Net as a slave and there is an Unknown server in place
of the Master AuC.

Figure 5-10 AuC Master Unknown

2 On the Slave AuC that is to become Master AuC from the AuC client main window, select
the AuC Connectivity tab.
Result: The AuC Connectivity tabbed pane appears.
3 From the main AuC Client menu select Nationwide>Transform to Master.

This option is only available when the current connection with Master AuC is
inactive.
Result: The Slave AuC transforms to master. It keeps information about the previous network
configuration, therefore you don’t need to provide IP addresses of other Slave AuCs.
4 On the remaining Slave AuCs replace the existing Master AuC with the new one. For information
how to change the master, see Procedure 5-9.
Result: The Slave AuCs connect to the new Master AuC. You can monitor this process in the
AuC Net window on the Master AuC.



5 On the previous Master AuC Server from the main menu select Nationwide>Change Master.
Result: You are prompted for the IP address of the new Master AuC.
6 Insert the IP address of the new Master AuC and press OK.
Result: The AuC Server is connected to the Master AuC.

On Master AuC check on the AuC Connectivity tab whether all Slave AuCs are
connected to the Nationwide AuC system. For more information on how to view the
status of each AuC in the Nationwide AuC system, see Procedure 5-1.



Chapter 6: Events Pane

The Events pane in the Authentication Centre (AuC) allows you to monitor actions and
performance of the Authentication Centre (AuC).
The following topics provide procedures associated with the Events pane in the AuC client display:
• "Viewing Authentication Centre Server Events" on page 6-1
• "Removing Authentication Centre Events" on page 6-2

The following topic provides reference information associated with the Events pane in the AuC client display:
• "Events Information" on page 11-8

Viewing Authentication Centre Server Events



The AuC client window allows the user to view significant events that have occurred on the server since the
user logged in. The displayed events provide a window into what is going on in the system (for example, to
see if a link to a zone is down) as well as a visible confirmation of certain transactions occurring between the
client and server. The Events are displayed in a less complex format than the Audit Trail data. Some of the
Event data is duplicated in the Audit Trail, and some of the data is unique to the Events area only.
When the AuC client window is launched, the Events Log displays the latest 300 server events. By
default, new events are displayed at the top of the list box as they are received.
Follow Procedure 6-1 to view the AuC server events.


Procedure 6-1 How to View AuC Server Events

1 The Events Pane is displayed in the AuC Client window, see the highlighted area below.

Figure 6-1 Events Pane

Removing Authentication Centre Events



The Authentication Centre (AuC) client window displays events in a scrolling list box. Occasionally,
you may want to shrink the event listing by removing one or more events from the list.
Follow Procedure 6-2 to remove events from the AuC Events display.


Procedure 6-2 Removing One or More Events from the AuC Events Display

1 In the Events Pane in AuC Client window select the appropriate events in the list box. To select
multiple events, do the following:
• To select a group of events that are next to each other in the list box, click and drag the mouse
over the selections (or hold down the SHIFT key and click each item you want to select).
• To select a group of events that are not next to each other in the list box, hold down the
CTRL key and click each item you want to select.
Result: The event selection(s) are highlighted.

Figure 6-2 Events Pane Selection

2 To remove the event or events use this button:


Result: The selected event(s) are removed from the list box.
3 To remove all events use this button:
Result: The confirmation dialog box appears.

Figure 6-3 Remove All Events Confirmation Dialog Box

4 Click Yes.
Result: All the events are removed from the list box.



Chapter 7: Audit Trail

The Audit Trail tab in the Authentication Centre (AuC) allows you to monitor actions
and performance of the Authentication Centre (AuC).
The following topics provide procedures associated with the Audit Trail tab in the AuC client display:
• "Viewing an Event Audit Trail" on page 7-1
• "Removing Audit Trail Data from the Database" on page 7-4

The following topics provide reference information associated with the Audit
Trail tab in the AuC client display:
• "Events Information" on page 11-8
• "Audit Trail Information Display" on page 11-6

Viewing an Event Audit Trail



The Authentication Centre (AuC) audit trail log stores a wide range of actions performed by the
AuC. For example, the audit trail log maintains a record of all key management operations and
allows you to "follow the life of a key" as it is distributed throughout the system. An audit of AuC
operations can be viewed by specifying search criteria and viewing the query results in the AuC client
window. The data in the Audit Trail sometimes overlaps with the data in the Event Log, but the Audit
Trail data is in a more detailed format and is intended for advanced users.
Follow Procedure 7-1 to create an audit trail of AuC events.


Procedure 7-1 Creating an Audit Trail of Authentication Centre (AuC) Events.

1 Select the Audit Trail tab in the AuC Client window.


Result: The Audit Trail tabbed pane appears.

Figure 7-1 Audit Trail Tabbed Pane

2 Define the appropriate search criteria using the fields in the Audit Search & Purge Form
display.

Any of the fields Entity Type, Entity ID, Key Type, Key ID and User can be left
unspecified, thus not filtering or restricting data on those fields.
3 Click on the Search button.
Result: The search results are displayed in the Audit Trail Information list box.


Figure 7-2 Audit Trail Search Results

4 To remove the Audit Search & Purge Form, click on the Hide Form button.

The Hide/Show Search Form button is a toggle button. Thus, you click the same
button to remove or display the Audit Search & Purge Form. For example, to
remove the display (when it is showing), you click the Hide Form button. Once
the display is hidden, the toggle button’s state changes to Show Search & Purge
Form. This allows you to add the display in the future.
Result: The Audit Search & Purge Form is removed.

Removing Audit Trail Data from the Database

Since storage of audit trail data can grow rapidly, it is necessary to remove old audit trail data from
the database for archival storage. The audit trail can be purged from the database to an archive
file stored at the same directory location as the database backup file.

This task can only be performed by AuC users with User Management security permissions.
Follow Procedure 7-2 to remove audit trail data from the AuC database for archival file storage.

Procedure 7-2 Removing Audit Trail Data from the Authentication Centre (AuC) Database for Archival File Storage

1 Select the Audit Trail tab in the AuC Client window.


Result: The Audit Trail tabbed pane appears.

Figure 7-3 Audit Trail Tabbed Pane

2 Define the appropriate search criteria using the fields in the Audit Search & Purge Form display.

3 Click on the Search button.
Result: The search results are displayed in the Audit Trail Information list box.

Figure 7-4 Audit Trail Search Results

4 Click the Purge button.


Result: The following dialog box appears.

Figure 7-5 Audit Trail Purge Dialog Box

5 Select the number of months of data that you would like to RETAIN (these are the events that
will NOT be purged) using the Number of months of audit trail data to keep selection box.

It is the data for the most recent months that is retained when you select the months to
be kept. For example, if you have 6 months of data collected from January to June and
select to retain 3 months of data, then the retained data will be for April, May and June.
Note also that the Number of months of audit trail data to keep field counts calendar
months. Consider this example: if the current date is December 3, a purge with months
set to 1 will purge everything outside of December. This will keep only 3 days of audit
trail in the AuC database.
6 Click the Begin Purge button.
Result: The following dialog box appears.

Figure 7-6 Audit Trail Purge in Progress

7 When the purging action is complete, the following dialog box appears.

Figure 7-7 Audit Trail Purge Completed

8 Click OK.
Result: The audit trail data removal procedure is complete.
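
The calendar-month behaviour described in step 5 is easy to misjudge, so the following added example (not part of the Motorola manual or the AuC software) computes what a given setting would leave in the database. It assumes the purge boundary is the first day of a calendar month, as the December 3 example implies; the function names and sample records are constructed for illustration.

```python
from datetime import date


def purge_cutoff(today: date, months_to_keep: int) -> date:
    """Return the oldest date that survives a purge.

    Assumption (taken from the manual's December 3 example): the current,
    partly elapsed month counts as one of the months kept, so the boundary
    is day 1 of the month that lies (months_to_keep - 1) months back.
    """
    if months_to_keep < 1:
        raise ValueError("months_to_keep must be at least 1")
    month_index = today.year * 12 + (today.month - 1) - (months_to_keep - 1)
    return date(month_index // 12, month_index % 12 + 1, 1)


def retained_days(today: date, months_to_keep: int) -> int:
    """Number of calendar days of audit trail left in the database."""
    return (today - purge_cutoff(today, months_to_keep)).days + 1


def months_needed(today: date, min_days: int, limit: int = 120) -> int:
    """Smallest setting that leaves at least min_days of history online."""
    for months in range(1, limit + 1):
        if retained_days(today, months) >= min_days:
            return months
    raise ValueError("no setting up to the limit retains that many days")


def split_records(records, today: date, months_to_keep: int):
    """Partition (date, text) records into (kept, purged_to_archive)."""
    cutoff = purge_cutoff(today, months_to_keep)
    kept = [r for r in records if r[0] >= cutoff]
    purged = [r for r in records if r[0] < cutoff]
    return kept, purged


# Constructed sample records, not real AuC audit trail output.
SAMPLE_RECORDS = [
    (date(2006, 9, 14), "key update scheduled"),
    (date(2006, 10, 2), "user account modified"),
    (date(2006, 11, 28), "key update started"),
    (date(2006, 11, 30), "key update completed"),
    (date(2006, 12, 1), "database backup started"),
    (date(2006, 12, 3), "user login"),
]

if __name__ == "__main__":
    today = date(2006, 12, 3)
    for months in (1, 2, 4):
        kept, purged = split_records(SAMPLE_RECORDS, today, months)
        print(f"keep={months}: cutoff {purge_cutoff(today, months)}, "
              f"{retained_days(today, months)} days online, "
              f"{len(kept)} kept, {len(purged)} archived")
    print("setting needed for 90 days online:", months_needed(today, 90))
```

With a setting of 1 on December 3, the key update records from late November move to the archive file, so an investigation that needs them has to start from the archive rather than from the Audit Trail tab.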



Chapter 8: User Management

The User Management tab in the Authentication Centre (AuC) allows you to create,
modify, and delete AuC client user accounts.
The following topics provide procedures associated with the User Management tab in the AuC client display:
• "Creating an AuC User Account"
• "Modifying an AuC User Account"
• "Deleting an AuC User Account"

The following topics provide reference information associated with the User Management
tab in the AuC client display:
• "User Account Selection tree view"
• "User Information"
• "Add User Dialog Box"

Creating an AuC User Account



Follow Procedure 8-1 to create a new AuC user account.


Procedure 8-1 Creating a new Authentication Centre (AuC) User Account

1 Select the User Management tab or select User Management from the User menu.
Result: The User Management tabbed pane appears.

Figure 8-1 User Management Tabbed Pane

2 Click Add...
Result: The following dialog appears.

Figure 8-2 Add User Dialog Box

3 Type in the user profile information.

The Login Name field allows spaces. When logging in, the Login Name is
case-sensitive.
4 Select the appropriate check boxes to set the user security permissions.
5 Click OK.
Result: The user is stored in the AuC database, and now shows up in the user list on the left.

Modifying an AuC User Account

Follow Procedure 8-2 to modify an existing AuC user account.


Procedure 8-2 Modifying an existing Authentication Centre (AuC) User Account

1 Select the User Management tab or select User Management from the User menu.
Result: The User Management tabbed pane appears.

Figure 8-3 User Management Tabbed Pane

2 Select the appropriate user in the User Information display.


3 Edit the user account settings. To modify the user account password, select the Change
Password check box.
Result: The Change Password fields are activated.

You cannot change your own password from this dialog box (when logged in as
yourself). To change your own password, see "Changing a User Account Password".
4 Click Apply Settings.
Result: The new settings are stored in the AuC database.

Deleting an AuC User Account

Follow Procedure 8-3 to delete an existing AuC user account.


Procedure 8-3 Deleting an existing Authentication Centre User Account

1 Select the User Management tab or select User Management from the User menu.
Result: The User Management tabbed pane appears.

Figure 8-4 User Management Tabbed Pane

2 Select the appropriate user in the Users selection display.


3 Click Delete.
Result: The following dialog box appears.

Figure 8-5 Delete User Dialog Box

4 Click Yes.
Result: The user is removed from the AuC database.



Chapter 9: System Management

The operation of the Authentication Centre (AuC) requires certain setup and
administration tasks to be performed.
The following topics provide procedures associated with AuC setup and administration:
• "The KVL Port Settings Tab"
• "The Miscellaneous Tab"
• "The User Settings Tab"
• "The Standby Settings Tab"
• "Viewing Encryption Device Status"
• "Loading a Master Key into an Encryption Device"
• "Changing Authentication Centre Operating State"
• "Scheduling Authentication Centre Database Backups"
• "Starting a Manual Authentication Centre Database Backup"

The following topics provide reference information associated with AuC setup and administration:
• "Port Settings Dialog Box"
• "The Miscellaneous Tab"
• "Encryption Devices Dialog Box"
• "User Settings Dialog Box"
• "AuC Database Dialog Box"
• "AuC Database Backup Schedule Dialog Box"
• "Update Common Cipher Key (CCK) Version"

Configuring Authentication Centre Operation Settings

You can configure the following Authentication Centre Operation settings:


• "The KVL Port Settings Tab"
• "The Miscellaneous Tab"
• "The User Settings Tab"
• "The Standby Settings Tab"

The KVL Port Settings Tab


The KVL Port Settings tab configures the two COM ports connected to the AuC server. The
AuC has default values set for each COM port. These default values are set specifically to
work with a KVL and the recommended AuC modem.

It is highly recommended that you always use the AuC to set the COM port settings
rather than altering them with Windows® or any other tool on the machine.
Follow Procedure 9-1 to configure KVL port settings.

Procedure 9-1 How to Configure KVL Port Settings

1 Select Settings... from the System menu.


Result: The Settings dialog box appears.

Figure 9-1 Settings Dialog Box

2 If you are not at the right tab already, click the Port Settings tab.
3 Set the Port, Bit Rate and Connection Type and click OK.
Result: The settings are stored in the AuC database.

The Miscellaneous Tab


Miscellaneous settings consist of a few AuC general settings. Follow Procedure 9-2 to
configure miscellaneous operation settings.

Procedure 9-2 How to Configure Miscellaneous Operation Settings

1 Select Settings... from the System menu.


Result: The following window appears.

Figure 9-2 Settings Dialog Box

2 Click the Miscellaneous tab.


Result: The following window appears.


Figure 9-3 Miscellaneous Settings Dialog Box

3 Enter the AuC Server ID (for communicating with KVLs) and AuC Server Alias (how the
AuC appears in nationwide listings).
4 Check the Debug Log Enabled button to enable the storage of a debug log (used for system
troubleshooting purposes only).
Result: The following dialog box appears.

Figure 9-4 Debug Log Enabled Information

The User Settings Tab


The User Settings tab allows a User Administrator to change the security level for all future user names
and passwords. The User Settings consist of length constraints, consistency, and change interval
requirements. The AuC comes with default settings. These default settings can be changed, but the
changes are applied only when users attempt to change their password.

It is highly recommended to keep the user settings complexity requirements in place to ensure a secure system.


Follow Procedure 9-3 to configure user settings.


Procedure 9-3 How to Configure the User Settings

1 Select Settings... from the System menu.


Result: The following window appears.

Figure 9-5 Settings Dialog Box

2 Click the User Settings tab.


Result: The following window appears.

Figure 9-6 User Settings Dialog Box

3 Adjust all the restrictions you want applied to passwords and click OK.
Result: The new settings are stored in the AuC database.

If changing the user settings makes current passwords noncompliant, the affected users
will be asked to change their password the next time they log in.


The Standby Settings Tab


The Standby Settings tab lets you configure standby connection monitoring. To change the standby
connection monitoring state, follow one of the procedures below:
• "Turning Standby Connection Monitoring On"
• "Turning Standby Connection Monitoring Off"

Turning Standby Connection Monitoring On


Follow Procedure 9-4 to turn standby connection monitoring on.


Procedure 9-4 How to Turn Standby Connection Monitoring On

1 Select Settings... from the System menu.


Result: The following window appears.

Figure 9-7 Settings Dialog Box

2 Click the Standby Settings tab.


Result: The following window appears.

Figure 9-8 Standby Settings Dialog Box

3 Type and confirm the password for the administrator account of the standby database, and click
the Monitor Standby Status check box.

The password entered is the one assigned during Oracle installation on the standby
AuC.
Result: The window now looks like this.

Figure 9-9 Monitor Standby Status Turned On

4 Click OK.
Result: The system displays a progress window.
5 Click OK when progress bar completes.
Result: The progress window disappears. The standby database connection state icon is
displayed on the status bar:

The tool tip text on the icon shows current status and when it was checked:


Turning Standby Connection Monitoring Off


Follow Procedure 9-5 to turn standby connection monitoring off.

Procedure 9-5 How to Turn Standby Connection Monitoring Off

1 Select Settings... from the System menu.


Result: The following window appears.

Figure 9-10 Settings Dialog Box

2 Click the Standby Settings tab.


Result: The following window appears.

Figure 9-11 Monitor Standby Status Turned On

3 Click the Monitor Standby Status check box.
Result: The window now looks like this.

Figure 9-12 Monitor Standby Status Turned Off

4 Click OK.
Result: The Settings dialog box disappears. The standby database connection state icon is no
longer displayed on the status bar.

Viewing Encryption Device Status



The Authentication Centre (AuC) utilizes an encryption device to perform encryption services.
Follow Procedure 9-6 to view the status of AuC encryption devices.


Procedure 9-6 How to View the Status of AuC Encryption Devices

1 Select Encryption Devices from the System menu.


Result: The following dialog box indicating the status of the encryption device appears.

Figure 9-13 Encryption Device Dialog Box

2 The Encryption Device window provides the following information:

Field: Value
• Master Key Status: Loaded, Not loaded, Invalid, or Unknown (if there is no crypto card)
• Device Status: Working, Failure, or Unknown (if there is no crypto card)
• Battery Level: Full, Low, Dead, or Unknown (if there is no crypto card)
• Supported Algorithms: List of required algorithms. When an algorithm is installed on the encryption device, the corresponding checkbox is marked. The algorithms are DVI-XL, Hurdle-II 128 Bit and Hurdle-II 80 Bit.

The Master Key Status influences the encryption device status. For
example, if the Master Key Status is not Loaded, the device status is Failed.
The Supported Algorithms also influence the encryption device status. For
example, if not all algorithms are supported, the device status is Failed.

Loading a Master Key into an Encryption Device


The Authentication Centre (AuC) utilizes an encryption device to perform encryption services. To
operate, the encryption device requires a master key to be loaded. The master key is used by
the encryption device to encrypt data stored in the AuC database. The loading of the master key into
an encryption device must be initiated and performed from the AuC.

Once the master key is loaded into the AuC, it should not be changed. The existing
master key can be reloaded if necessary. When this operation is carried out, both the
KVL’s current master key and SYSKEY must be the same as when the AuC’s master
key was generated. If this is not the case, the database will become unavailable.

Follow Procedure 9-7 to load a Master Key into an encryption device.


Procedure 9-7 How to Load a Master Key into an Encryption Device

1 Select Encryption Devices from the System menu.


Result: The following dialog box appears.

Figure 9-14 Encryption Device Dialog Box

2 Click the Load Master Key button.


Result: The following dialog box appears if this task is being performed for the first time.

Figure 9-15 Load Master Key First Time

Otherwise, this dialog box appears.


Figure 9-16 Load Master Key Step 1

3 Click Next.
Result: The following dialog box appears.

Figure 9-17 Load Master Key Step 2

4 Set up the Key Variable Loader (KVL) to load the master key into the encryption device and
click Next.
Result: The following dialog box appears.


Figure 9-18 Load Master Key Step 3

5 Click Next.
Result: The following dialog box appears.

Figure 9-19 Load Master Key Step 4

6 A message confirming that the key load operation was successful appears.


7 Click Finish.
Result: The dialog box is removed.

Changing Authentication Centre Operating State

Follow Procedure 9-8 to change the AuC operating state.


Procedure 9-8 How to Change the State of the Authentication Centre (AuC) Server

1 Locate the AuC Server Status icon in the status bar and note the current AuC server operating
mode. See "The Status Bar" for a listing and description of AuC server operating states.
2 To set the operating mode to Out of Service, select Go Out of Service from the System menu.
Result: The AuC Server Status is changed accordingly.
3 To set the operating mode to Operational, select Go Operational from the System menu.
Result: The AuC Server Status is changed accordingly.

See Table 3-3 for more information about AuC Server status values.

Scheduling Authentication Centre Database Backups



It is good practice to carry out a database backup after key updates. This keeps the information in the
database current, and avoids potential issues with the currency of key data if the database is restored.
Follow Procedure 9-9 to schedule AuC database backups.

Procedure 9-9 How to Schedule Authentication Centre Database Backups

1 Select AuC Database from the System menu.


Result: The following dialog box appears.


Figure 9-20 AuC Database Dialog Box

2 Click the Modify Schedule... button.


Result: The following dialog box appears.

Figure 9-21 AuC Database Backup Schedule Dialog Box

3 Choose the date and time you want to start database backups.
4 Choose the recurrence interval for database backups.
5 Click OK.
Result: You are returned to the AuC Database dialog box.
6 Enter a file path for storage of the database backup.
7 Click OK.
Result: The dialog box will close. A backup of the database will occur at the next scheduled time.

For information on restoring the AuC database see Volume 10, Booklet 1, Installation and Configuration.

Starting a Manual Authentication Centre Database Backup

Follow Procedure 9-10 to start a manual AuC database backup.


Procedure 9-10 How to Start a Manual Authentication Centre Database Backup

1 Select AuC Database from the System menu.


Result: The following dialog box appears.

Figure 9-22 AuC Database Dialog Box

2 Click the Start Backup button.


Result: The following alert box appears.

Figure 9-23 Start AuC Database Backup Confirmation

3 Click Yes.
Result: The AuC database backup will start.

For information on restoring the AuC database see Volume 10, Booklet 1, Installation and Configuration.

Updating CCK Version after a Database Restore

When the AuC is part of a single-cluster system and the database backup used for the restore
was taken prior to the last key update, the AuC database will contain key information that is
out of date. This may cause problems when the next key update is initiated, since the AuC could
create a new key using a version number that has already been used.
If that happens then the next CCK update may cause a mismatch between the key stored at the
base site and the key with the same version number at the mobile station. As a result, the base
site and mobile station will no longer be able to decrypt each other’s transmissions, and class
3 encrypted voice and data communication will not be possible.

To prevent this problem, it is good practice to carry out a database backup after
every key update. In this way the information in the database will contain current
version numbers when the database is restored.
If the AuC is part of a single-cluster system, then the first time you log in to the AuC Client after a
database restore has been carried out, the Update CCK Version display appears.

Figure 9-24 Update CCK Version Display


If the AuC is part of a nationwide AuC system and the database backup used for the restore was taken after
connecting to the nationwide system, the Update CCK Version window does not appear. The AuC Master
automatically verifies the validity of keys and initiates the proper key update process when necessary. Finally, the AuC
Master informs the AuC Slave that the restore operation succeeded. However, when the database backup used
for the restore was taken prior to connecting the AuC to the nationwide system, the Update CCK Version window appears.
To proceed, you have 3 options:
1. Modify CCK Manually
This option is appropriate if you are operating a single cluster system.

You must have Key Management permission to carry out this procedure.

Procedure 9-11 How to Manually Update the CCK Version Number

1 Select the Modify CCK Version field.


2 Using the keyboard or the field’s Up-Down control,
select the version number that you want to apply.

If you know the CCK version in use at the sites, then add 1 to this value and use it
instead. You can also use the Next suggested CCK Version presented in the Update
CCK Version window.
3 Click the Modify CCK Manually button.
Result: The selected version number will be applied and the display will close. The
AuC will update those parts of the system that require updating based on this version number.

2. Connect to AuC...
Once the AuC is connected to the nationwide system, key updates will occur, which will
automatically synchronize all key versions to the versions in use in the nationwide network.
This option is valid only if your system is a part of a nationwide multicluster system and the
database backup used for restore has been taken prior to connecting to the nationwide
system. Otherwise the Update CCK Version window does not appear.

You must have Nationwide permission to carry out this procedure.


Procedure 9-12 Updating a CCK Version by Connecting to the Nationwide System

1 Click the Connect To AuC button.


Result: The AuC Connection dialog box opens.
2 Enter the IP address for the Master AuC you want to connect to.
Result: When the connection is established, Master AuC automatically synchronizes all keys
in the Nationwide system.

3. Proceed Without Modification


If this option is selected, the AuC will attempt to enter Operational state and will begin or
resume any scheduled backups as indicated by the current crypto schedule and key update
status. This option is appropriate if you are sure that the last used CCK version
displayed on this dialog box is the highest CCK version number in use in the
system. Click the Proceed Without Modification button to proceed.

You must have Key Management permission to carry out this procedure.
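
The version-reuse failure described in this section, together with the checks behind options 1 and 3, as an added example (not Motorola code). The model is a deliberate simplification with assumed behaviour: the base site stores whatever key the AuC sends for a version, while a mobile station that already holds that version keeps its existing key; all class and function names are hypothetical.

```python
import secrets


class ToyAuC:
    """Minimal stand-in for the AuC's CCK version bookkeeping (hypothetical)."""

    def __init__(self):
        self.last_version = 0

    def backup(self) -> int:
        # The only state this model backs up is the last used CCK version.
        return self.last_version

    def restore(self, snapshot: int) -> None:
        self.last_version = snapshot

    def key_update(self, version=None):
        """Generate a fresh key; use the next version unless one is forced."""
        self.last_version = self.last_version + 1 if version is None else version
        # Random bytes standing in for a real key (constructed value).
        return self.last_version, secrets.token_bytes(10)


def distribute(version, key, base_site, mobile):
    """Assumed behaviour: the site overwrites, the mobile keeps what it has."""
    base_site[version] = key
    mobile.setdefault(version, key)


def can_communicate(base_site, mobile) -> bool:
    """Both ends must hold the same key for the site's newest version."""
    current = max(base_site)
    return mobile.get(current) == base_site[current]


def next_cck_version(version_in_use_at_sites: int) -> int:
    """Option 1: the version in use at the sites plus 1."""
    return version_in_use_at_sites + 1


def proceed_without_modification_is_safe(restored_last: int,
                                         highest_in_use: int) -> bool:
    """Option 3: only if the restored value is not below the highest in use."""
    return restored_last >= highest_in_use


def simulate(modify_cck_manually: bool) -> bool:
    """Backup at version 1, update to version 2, restore, then update again."""
    auc, base_site, mobile = ToyAuC(), {}, {}
    distribute(*auc.key_update(), base_site, mobile)      # version 1
    snapshot = auc.backup()                               # backup taken here
    distribute(*auc.key_update(), base_site, mobile)      # version 2, after backup
    auc.restore(snapshot)                                 # AuC now believes last = 1
    if modify_cck_manually:
        forced = next_cck_version(max(base_site))         # 2 + 1 = 3
        distribute(*auc.key_update(forced), base_site, mobile)
    else:
        distribute(*auc.key_update(), base_site, mobile)  # reuses version 2
    return can_communicate(base_site, mobile)


if __name__ == "__main__":
    print("proceed unchanged after stale restore:", simulate(False))
    print("modify CCK version to in-use + 1:     ", simulate(True))
```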

Creating Standby Status Reports



Data replication from the primary to the standby AuC is done by means of archived redo log files being sent from the
primary database and applied to the standby database. This is done automatically by the Oracle database.
It may happen that some of the files are not sent and applied to the standby machine, for example due to network problems.
The standby status report can be used to find missing files that have to be manually copied to the standby machine.
Follow Procedure 9-13 to create a standby status report.


Procedure 9-13 How to Create a Standby Status Report

1 Select Standby Status Report from the System menu.


Result: A file select dialog box appears to select the report file.

Figure 9-25 Save Standby Status Report Dialog Box

2 Select a file name and location and press the Save button.


Result: The file select dialog box disappears and a progress window appears.

Figure 9-26 Save Standby Status Report Progress

The window above shows the positive scenario: no (0) archived redo log files are missing on
the standby.

When the number of missing log files displayed in the progress window is greater
than 0, the report file should contain a list of the missing log files.

The following is an example of a report when 5 files are missing:

C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1009.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1010.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1011.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1012.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1013.ARC
3 Click OK to close the progress window.
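
A report like the one above can be checked mechanically before and after copying files to the standby machine. The following added example (not part of the manual or the AuC software) parses the listed paths and reports what is still outstanding; it assumes the file names follow the ARCH_<thread>_<sequence>.ARC pattern seen in the sample, and the standby directory listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Pattern inferred from the sample report; treating the two numbers as
# thread and sequence is an assumption.
ARCHIVE_NAME = re.compile(r"^ARCH_(\d+)_(\d+)\.ARC$", re.IGNORECASE)


def parse_report(text):
    """Return (entries, rejected); entries are sorted (thread, sequence, path)."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ARCHIVE_NAME.match(PureWindowsPath(line).name)
        if match:
            entries.append((int(match.group(1)), int(match.group(2)), line))
        else:
            rejected.append(line)  # never guess at lines that do not fit
    return sorted(entries), rejected


def contiguous_ranges(entries):
    """Collapse entries into (thread, first_sequence, last_sequence) runs."""
    ranges = []
    for thread, seq, _ in entries:
        if ranges and ranges[-1][0] == thread and ranges[-1][2] == seq - 1:
            ranges[-1] = (thread, ranges[-1][1], seq)
        else:
            ranges.append((thread, seq, seq))
    return ranges


def still_missing(entries, standby_file_names):
    """Report entries whose file name is absent from the standby listing."""
    present = {name.upper() for name in standby_file_names}
    return [e for e in entries
            if PureWindowsPath(e[2]).name.upper() not in present]


# The five paths from the manual's sample report.
SAMPLE_REPORT = r"""
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1009.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1010.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1011.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1012.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1013.ARC
"""

# Constructed listing of the standby archive directory after a partial copy.
STANDBY_LISTING = [
    "ARCH_1_1008.ARC", "ARCH_1_1009.ARC", "arch_1_1010.arc", "ARCH_1_1013.ARC",
]

if __name__ == "__main__":
    entries, rejected = parse_report(SAMPLE_REPORT)
    print("reported missing:", contiguous_ranges(entries))
    print("unparsed lines:  ", rejected)
    outstanding = still_missing(entries, STANDBY_LISTING)
    print("still to copy:   ", contiguous_ranges(outstanding))
```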

Viewing Authentication Centre Version Information



Follow Procedure 9-14 to view AuC version information.


Procedure 9-14 Viewing Authentication Centre Version Information

1 Select About AuC... from the Help menu.


Result: A box similar to the following appears.

Figure 9-27 About Authentication Centre Window



Chapter 10: FAQ

The following topics address common questions and answers for Authentication Centre
(AuC) operators and administrators.
Table 10-1 Overview: FAQ Section

Key Management:
• "How are Keys Provisioned in the Dimetra IP System?"
• "How are Keys Stored in the Dimetra IP System?"
• "How are Keys Updated in the Dimetra IP System?"
• "What Do I Do if a Key is not Current?"
• "When Should I Perform an Audit Trail Search?"
• "Key Update Stages"

Mobile Stations:
• "What Do I Do if a K-REF Pair is Unmatched?"
• "When Should I Delete Unmatched K-REF Pairs?"

General Problems:
• "How to Trigger Full Synchronization with the UCS"
• "How to Trigger Full Synchronization with the ZDS"
• "How to Resolve the Error ’Licence Limit Exceeded’?"
• "What Happens if a Key Update Fails?"
• "What Do I Do if the Database Fails?"
• "What Do I Do if an Encryption Device Fails?"
• "What Do I Do if I get an Error Message when Starting the Client?"

Key Management

This section provides answers to some of the Frequently Asked Questions (FAQs)
related to key management using the AuC:
• "How are Keys Provisioned in the Dimetra IP System?"
• "How are Keys Stored in the Dimetra IP System?"

• "How are Keys Updated in the Dimetra IP System?"
• "What Do I Do if a Key is not Current?"
• "When Should I Perform an Audit Trail Search?"
• "Key Update Stages"

How are Keys Provisioned in the Dimetra IP System?


Keys are distributed to new system entities automatically from the Authentication Centre (AuC). The User
Configuration Server (UCS) and Zone Database Server (ZDS) applications notify the AuC when a new entity
has been added to the system. Upon notification, the AuC obtains configuration information on the new
entity from the UCS or ZDS and then generates and distributes the proper keys to the entity.

How are Keys Stored in the Dimetra IP System?


Keys are stored in the AuC database encrypted with the master key. The master key is
stored in the AuC encryption device and used to encrypt/decrypt all database data. Without
knowledge of the specific master key, data cannot be read.

How are Keys Updated in the Dimetra IP System?


The Authentication Centre (AuC) uses two methods to update encryption keys in the system infrastructure:
• scheduled key updates
• on-demand key updates
Both types of updates are executed from the AuC main client window.
When the key update is launched, the AuC performs an encrypted key transfer over
the system infrastructure network.

What Do I Do if a Key is not Current?


If an infrastructure key (Ki) is not current (signified by a red key status icon), you must ensure that
the appropriate key variable loader (KVL) has properly loaded the Ki key into the affected zone or
Base Transceiver System (BTS) site entity. After successfully loading the key, the KVL must
reconnect and return a loading acknowledgement message to the Authentication Centre (AuC).
Until this is performed, the AuC considers the entity’s Ki key to not be current.
If a system key encryption key (KEKm) or zone key encryption key (KEKz) is not current (signified by a
yellow key status icon), verify that links to the User Configuration Server (UCS), Zone Database Server
(ZDS), or Air Traffic Router (ATR) are connected. If not, you need to perform proper system troubleshooting
procedures to determine the cause (such as consulting the FullVision fault management application).


If the links are up and there is an overall update occurring for the affected entity, you do not need
to do anything. If the links are up and no key update is occurring, you should query the audit trail
for that particular entity to further investigate the errors that have occurred.

When Should I Perform an Audit Trail Search?


The Authentication Centre (AuC) maintains an audit trail log of all performed key operations. An audit trail
can be created when you want to examine key operations (distribution and updates of keys) that have occurred
on the system. An audit trail is also a useful tool for troubleshooting problems with key updates.

Key Update Stages


A key update cycles through three stages:
Table 10-2 Key Update Stages

Stage 1: Activate Future Key
    The AuC sends a message to the entities to activate the Future key stored in the entity from
    the last update. The entities send back an acknowledgment when this stage is completed.
Stage 2: Refresh Dependent Key Material
    The AuC refreshes existing dependent keys sealed with the previous key. This is done by
    sealing the existing dependent key material with the newly activated key, and sending the
    re-sealed key material back to the entities. For example, if the Zone Key Encryption Key
    (KEKz) is updated, all Static Cipher Keys (SCK-TMOs) sealed with the previous KEKz must be
    re-sealed with the new KEKz and sent back to the BTS site entities. The entities send back
    an acknowledgment when this stage is completed.
Stage 3: Update Future Key
    The AuC sends a new Future key to be stored in the entity. This key will be activated during
    the next key update. The entities send back an acknowledgment when this stage is completed.

During each stage, the Update Progress bar displays the stage number and percentage of completion.
The progress bar scrolls across until the stage is completed.
When the stage is completed, the next stage is started automatically. When the last stage
(Stage 3) is completed, the text "Complete" appears.
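
The three stages can be modelled in a short script to show why Stage 2 is needed and what "not current" means after a missed acknowledgment. This is an added sketch, not Motorola code: seal/unseal are a stand-in built from HMAC-SHA256 rather than the algorithm the AuC uses, and the class names, the use of Ki to seal the Future key, and the retry that resumes at the first unacknowledged stage are assumptions.

```python
import hashlib
import hmac
import os

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def seal(sealing_key, key):
    """Stand-in for sealing (not the algorithm the AuC uses): HMAC pad plus tag."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(key, _mac(sealing_key, b"pad", nonce)))
    return nonce + body + _mac(sealing_key, b"tag", nonce + body)[:16]

def unseal(sealing_key, blob):
    nonce, body, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, _mac(sealing_key, b"tag", nonce + body)[:16]):
        raise ValueError("sealed key does not verify under this sealing key")
    return bytes(a ^ b for a, b in zip(body, _mac(sealing_key, b"pad", nonce)))

class Site:
    """BTS site entity: Active and Future KEKz plus SCK-TMOs sealed with KEKz."""
    def __init__(self, name, ki, active, future):
        self.name, self.ki = name, ki          # ki seals the Future key (assumption)
        self.active, self.future = active, future
        self.sealed_scks, self.online = {}, True

    def handle(self, stage, payload=None):
        """Process one stage message; the return value is the acknowledgment."""
        if not self.online:
            return False
        try:
            if stage == 1:                     # Activate Future Key
                if self.future is None:
                    return False
                self.active, self.future = self.future, None
            elif stage == 2:                   # Refresh Dependent Key Material
                for blob in payload.values():
                    unseal(self.active, blob)  # refuse material sealed with another key
                self.sealed_scks = dict(payload)
            else:                              # Update Future Key
                self.future = unseal(self.ki, payload)
        except ValueError:
            return False
        return True

    def sck(self, number):
        return unseal(self.active, self.sealed_scks[number])

class AuC:
    def __init__(self, sites, scks, active, future):
        self.sites = {s.name: s for s in sites}
        self.scks = scks                       # SCK-TMO values by key number
        self.active, self.future = active, future
        self.pending = {}                      # site name -> first unacknowledged stage

    def distribute_scks(self):
        for site in self.sites.values():
            site.sealed_scks = {n: seal(self.active, k) for n, k in self.scks.items()}

    def _send(self, site, stage):
        payload = None
        if stage == 2:
            payload = {n: seal(self.active, k) for n, k in self.scks.items()}
        elif stage == 3:
            payload = seal(site.ki, self.future)
        if not site.handle(stage, payload):
            self.pending[site.name] = stage    # entity stays "not current"
            return False
        return True

    def key_update(self):
        self.active, self.future = self.future, os.urandom(16)
        for stage in (1, 2, 3):                # a stage starts when the previous one ends
            for site in self.sites.values():
                if site.name not in self.pending:
                    self._send(site, stage)
        return self.status()

    def retry(self):
        for name, first in list(self.pending.items()):
            if all(self._send(self.sites[name], s) for s in range(first, 4)):
                del self.pending[name]
        return self.status()

    def status(self):
        return {n: "not current" if n in self.pending else "current" for n in self.sites}

def demo():
    """Constructed run: site-2 is unreachable during the update, then retried."""
    kek0, kek1 = os.urandom(16), os.urandom(16)
    sites = [Site(n, os.urandom(16), kek0, kek1) for n in ("site-1", "site-2")]
    auc = AuC(sites, {1: os.urandom(16)}, kek0, kek1)
    auc.distribute_scks()
    sites[1].online = False
    first = auc.key_update()
    sites[1].online = True
    second = auc.retry()
    return first, second, all(s.sck(1) == auc.scks[1] for s in sites)
```

A site that has completed Stage 1 but not Stage 2 cannot unseal its stored SCK-TMO, because the material is still sealed with the previous KEKz.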


Mobile Stations

This section provides answers to some of the Frequently Asked Questions (FAQs) related to
administering K-REFs for mobile stations using the AuC:
• "What Do I Do if a K-REF Pair is Unmatched?"
• "When Should I Delete Unmatched K-REF Pairs?"

What Do I Do if a K-REF Pair is Unmatched?


For an MS, an Individual TETRA Subscriber Identity (ITSI)-REF pair is stored in the User Configuration
Server (UCS) database and a K-REF pair is stored in the Authentication Centre (AuC) database. The two pairs,
both associated with a specific mobile station (MS), are matched by the AuC via the REF value. If unmatched
REF values exist between pairs, the associated unmatched K-REF pair is reported in the AuC client window.
The display of an unmatched K-REF pair in the Authentication Centre (AuC) indicates one of the
following conditions:
• An ITSI-REF pair for the mobile station (MS) has not yet been entered on the system.
• An erroneous ITSI-REF pair has been entered in the UCS database.
• An erroneous K-REF pair has been entered in the AuC database.

It is recommended that you verify that both the ITSI-REF and K-REF pair entries
are correctly entered in the system.

When Should I Delete Unmatched K-REF Pairs?


Once you determine the cause of the K-REF pair failure and have determined which (if any) mobile
station (MS) is affected, you can delete the unmatched K-REF pair. However, it is completely at
your discretion as to when you want to delete the unmatched K-REF pair.
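
Before deleting an unmatched K-REF pair, the two lists can be compared offline to narrow down which of the three conditions applies. The script below is an added example, not part of the AuC or UCS software: it assumes both lists are already available as tuples, treats the REF as an opaque string, and uses constructed sample values. It checks K only against the 32-digit hexadecimal format and never returns or prints K.

```python
import re

K_FORMAT = re.compile(r"[0-9A-Fa-f]{32}")      # K is a 32-digit hexadecimal value


def norm(ref):
    """Normalise a REF for comparison (assumption: case and padding are not significant)."""
    return ref.strip().upper()


def near(a, b):
    """True when equal-length REFs differ in one or two positions (typo or swapped digits)."""
    return len(a) == len(b) and 0 < sum(x != y for x, y in zip(a, b)) <= 2


def reconcile(ucs_pairs, auc_pairs):
    """ucs_pairs: (ITSI, REF) tuples; auc_pairs: (K, REF) tuples. K is never returned."""
    ucs = {norm(ref): itsi for itsi, ref in ucs_pairs}
    auc_refs, rejected = set(), []
    for k, ref in auc_pairs:
        if K_FORMAT.fullmatch(k.strip()):
            auc_refs.add(norm(ref))
        else:
            rejected.append(norm(ref))         # malformed K: report the REF only
    # Mobile stations whose REF has no K-REF pair in the AuC (K Assigned = No).
    without_k = {ref: itsi for ref, itsi in ucs.items() if ref not in auc_refs}
    unmatched = []
    for ref in sorted(auc_refs - set(ucs)):
        candidates = sorted(r for r in without_k if near(ref, r))
        if candidates:
            cause = "erroneous ITSI-REF or K-REF entry: compare with the candidate REFs"
        else:
            cause = "ITSI-REF pair not yet entered in the UCS"
        unmatched.append({"ref": ref, "likely_cause": cause, "candidates": candidates})
    return {
        "matched": sorted(auc_refs & set(ucs)),
        "unmatched_k_ref": unmatched,
        "ms_without_k": sorted(without_k.values()),
        "rejected_k": sorted(rejected),
    }


def sample_report():
    """Constructed sample data; the values are not from any real system."""
    ucs_pairs = [
        ("itsi-1", "100000000000001"),
        ("itsi-2", "200000000000345"),
        ("itsi-3", "300000000000777"),
    ]
    auc_pairs = [
        ("0" * 32, "100000000000001"),
        ("1" * 32, "200000000000354"),         # last two digits swapped
        ("2" * 32, "900000000000999"),         # no ITSI-REF pair entered yet
        ("not-a-key", "300000000000777"),      # K is not 32 hex digits
    ]
    return reconcile(ucs_pairs, auc_pairs)
```

The likely cause is a hint for the operator, not a verdict: an unmatched REF with no close candidate can still be a badly mistyped entry.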


General Problems

This section provides answers to some of the Frequently Asked Questions (FAQs) related to general
problems that you as a user may encounter when using the AuC:
• "How to Trigger Full Synchronization with the UCS"
• "How to Trigger Full Synchronization with the ZDS"
• "What Happens if a Key Update Fails?"
• "What Do I Do if the Database Fails?"
• "What Do I Do if an Encryption Device Fails?"
• "What Do I Do if I get an Error Message when Starting the Client?"

How to Trigger Full Synchronization with the UCS


During regular operation, synchronization with the UCS is performed automatically by the
system. However, if the AuC is not fully synchronized with the UCS and the UCS status is
connected, the synchronization process can be triggered manually.
To perform the full synchronization with the UCS, follow Procedure 10-1.
Procedure 10-1 How to Trigger Full Synchronization with the UCS

1 Select the Local Zones tab in the AuC Client window.


Result: The Local Zones tabbed pane appears.
2 Select the UCS icon in the tree view to the left.
Result: The UCS status and version information is displayed.
3 Click the Synchronize button.


Figure 10-1 Full Synchronization with UCS

4 Wait while the synchronization process proceeds. You can observe the progress on the Status
Bar to the left.
Result: The AuC is fully synchronized with the UCS.

How to Trigger Full Synchronization with the ZDS


During regular operation, synchronization with the ZDS is performed automatically by the
system. However, if the AuC is not fully synchronized with the ZDS and the ZDS status is
connected, the synchronization process can be triggered manually.
To perform the full synchronization with the ZDS, follow Procedure 10-2.


Procedure 10-2 How to Trigger Full Synchronization with the ZDS

1 Select the Local Zones tab in the AuC Client window.


Result: The Local Zones tabbed pane appears.
2 Select the appropriate zone icon in the tree view to the left.
Result: The zone key status information is displayed.
3 Click the Synchronize button.

Figure 10-2 Full Synchronization with ZDS

4 Wait while the synchronization process proceeds. You can observe the progress on the Status
Bar to the left.
Result: The AuC is fully synchronized with the ZDS.

How to Resolve the Error ’Licence Limit Exceeded’?


The user can connect to the AuC Server from AuC Clients located on a local machine and a
maximum of two remote machines. Multiple AuC Clients can be run on a single computer, but when
connections are made from additional computers, the available count decreases. When attempting
to log in from a third remote machine, an error dialog is displayed.
To free unused licences, log out of the AuC Client when it is not in use. When an AuC Client is
closed using the task manager, the unused licence will be reclaimed when a timeout expires.


What Happens if a Key Update Fails?


A key update fails when a target device (zone or Base Transceiver System (BTS) site entity) fails to get
updated by the Authentication Centre (AuC). If an initial key update fails, the AuC marks the device(s)
affected by the failure as "not current" (yellow icon) and attempts a retry of the key update operation.
Once you determine which entities are not current from the key status display, you can perform a
search of audit trail information to pinpoint the specific failure that has occurred.

What Do I Do if the Database Fails?


If an error occurs indicating that the database has failed, contact Motorola for assistance.

What Do I Do if an Encryption Device Fails?


For the Authentication Centre (AuC) Crypto Card module, refer to the Crypto Card documentation
for recommended troubleshooting and repair steps.

What Do I Do if I get an Error Message when Starting the Client?


When starting up the Authentication Centre (AuC) client application, you may encounter one or more
error messages. The most common error messages are listed in the table below.
Table 10-3 Common Error Messages

Error Message: Host unreachable: connect. Please ensure the server is set up and running correctly
Description: Displayed when the AuC server machine cannot be located on the network by the client.

Error Message: This client is incompatible with the server. Please install a server-compatible version of the client
Description: Displayed when the AuC client and server application versions are not compatible.

Error Message: Connection refused: connect. Please ensure the server is set up and running correctly.
Description: Displayed when the AuC server machine is located, but the server application is not running.

Error Message: Unknown. Please ensure the server is running correctly. If the server is rebooting, please wait until it finished this process.
Description: Displayed most commonly when starting the client while the server application is starting up.

There are numerous other error messages that may display during start-up of the AuC client application.
These other messages will indicate the root cause of the problem and are self-descriptive.
If you are unsuccessful at resolving your client start-up problem, please contact Motorola for assistance.
For more information, see Volume 10, Booklet 1, Installation and Configuration.

Chapter 11: Screen Reference

This section provides a complete reference for the screens encountered in the AuC. The information
is subdivided into Main Window and Secondary Window sections.

Main Window

This section provides detailed reference information for each of the AuC application’s main windows.

AuC Comm Key (Communication Key)

Figure 11-1 AuC Comm Key (Communication Key) Display

Table 11-1 Fields in the AuC Comm Key (Communication Key) Display

Field Description
AuC Comm Key The key consists of a 16 character hexadecimal key.
Status Indicates whether an AuC Comm Key has been entered into the AuC. An AuC
Comm Key can be entered multiple times with different values, but the key
must be the same for all nationwide AuCs.


Table 11-2 Buttons in the AuC Comm Key (Communication Key) Display

Button Action
Enter Writes the AuC Comm Key to the server. The Enter button is only enabled when
the AuC Comm Key is of the correct length.
Clear Clears the field in the display. It does not erase the AuC Comm Key on the server.
Help Launches the AuC online help window

AuC Connectivity

Figure 11-2 AuC Connectivity display

The AuC Connectivity display provides information about the AuC server selected in the AuC Net window.
Table 11-3 Fields in the AuC Connectivity Information Display

Field: Server Alias
Values: n/a
Description: A user friendly description for selected AuC Server. It is possible for different AuCs
in a nationwide system to have the same alias, but this is not recommended.

Field: Server ID
Values: 1 — 9 999 999
Description: The selected AuC’s server ID.

Field: Server Version
Values: n/a
Description: Number of the AuC server application build.

Field: Status
Values:
• Connected: The selected AuC server is actively connected to the AuC network.
• Disconnected: Selected AuC server is not connected to the AuC network.
• Connecting...: The selected AuC server is connecting to the AuC network.

Field: Nationwide Role
Values:
• Master: Selected AuC server is a nationwide master.
• Slave: Selected AuC server is a nationwide slave.
• Expected Slave: Selected AuC server has been set on the Master AuC as Expected Slave AuC.

Field: IP Address
Values: n/a
Description: IP address of selected AuC server.

Information provided on Master AuC only:
Information about key update lock on selected server. The name of the user who locked the key update, the
date and reason of key update lock are displayed.
Key update status for the CCK, SCK-TMO and System KEK for selected AuC server including following
information for each key:

Field: Update Status
Values:
• Idle: No key update in progress.
• Activate: Key update process is in the first stage.
• Update: Key update process is in the third stage.
• Refresh: Key update process is in the second stage (for System KEK update only).
• Unknown: Master AuC doesn’t have complete information about key status on slaves.

Field: Key Number
Values: 0 — 31
Description: Number of the key that is sent out in current update stage (applies to the SCK-TMO only).
This information is displayed only when key update is in progress.

Field: Key Version
Values: 1 — 65535
Description: Version of the key that is sent out in current update stage. This information is displayed
only when key update is in progress.

Field: Key update progress
Values: X/Y
Description: Y - number of Zones/ Sites participating in key update.
X - number of Zones/ Sites that already accepted key update.

Field: Progress Indicator
Values: n/a
Description: Indicates the key update progress.


AuC Net
The AuC Net window displays the Nationwide network tree. The icon and the information in brackets
displayed next to each AuC Server listed in the AuC Net window represent its status.

Figure 11-3 AuC Net Display

Table 11-4 AuC Server Status Information and Icons

Icon Server Status Description


Connected The AuC Server is actively connected to the AuC network.

In-Service The local AuC Server, that you are currently logged onto. The server is
actively connected to the AuC network.
Disconnected The AuC Server is not connected to the AuC network.

Out-Of-Service The local AuC Server, that you are currently logged onto. The server is
out of service.
Expected The AuC Server that is configured on the Master AuC as the Expected
Slave AuC.
Connected The AuC Server is actively connected to the AuC network. The key
updates are locked on this server.
Restoring The AuC server has been restored.

Unknown The AuC server IP address is unknown.


Audit Search and Purge Form


The Audit Search & Purge Form window is shown below.

Figure 11-4 Audit Search & Purge Form

Table 11-5 Fields in the Audit Search & Purge Form display

Field Description
Date between Range of dates to search. Use spin boxes or manual entry to set beginning
and ending time and date.
User User login name to search
Entity Type Type of entity to search. Use drop-down list box to select entity type.
Entity ID ID of entity to search.
Key Type Type of key to search. Use drop-down list box to search key type.
Key ID ID of key to search.

Table 11-6 Buttons in the Audit Search & Purge Form display

Button Action
Search Performs search using selected criteria. Results are listed in the Audit Trail
Information list box.
Hide Form Removes Audit Trail Search Criteria fields from window. Only displayed when
fields are visible
Purge Opens the Purge Audit Trail dialog box.
Show Search & Purge Shows Audit Trail Search Criteria fields in the window. Only displayed when
Form fields are invisible.


Audit Trail Information Display


The fields presented in the Audit Trail information display are listed below. By default, events are
listed as they occurred (by Date). You can re-sort the listed events by clicking on the column header.
Clicking on a column header toggles the list items between forward and reverse order. A small
triangle next to a column header indicates by which field the items are currently sorted.
Table 11-7 Fields in the Audit Trail Information display

Field Description
Date Date of event.
Key Type Type of delivered key: Authentication Material, System KEK, Zone KEK,
SCK, CCK.
Key ID ID of delivered key (assigned by AuC).
Entity Type Type of entity: Zone, BTS site, Mobile Station, KVL.
Entity ID ID of entity (assigned by AuC).
User Login name of user performing event task.
Encrypting Key Type Type of sealing key (key used to encrypt delivered key for transport).
Encrypting Key ID ID of sealing key (assigned by AuC).
Description Description of event

DDK (Dimetra Distribution Key)

Figure 11-5 DDK Information display

Table 11-8 Fields in the DDK Information display

Field Description
DDK Entry of DDK key value. The DDK key is a 32-digit hexadecimal value.
Status Status of DDK in AuC (entered or not entered in the AuC).


Table 11-9 Buttons in the DDK Information display

Button Action
Enter Commits DDK key entry (DDK field) to AuC database. Enabled only when
proper DDK key is entered in DDK field.
Clear Clears DDK field entry.
Help Launches the AuC online help window.

EBTS Site Information

Figure 11-6 EBTS Site Information display

Table 11-10 Fields in the EBTS Site Information display

Field Description
Status Current setting for Key Updates (enabled or disabled).
CCK Tabular display of the Common Cipher Key (CCK) version and status
information for the selected BTS site entity.
Ki Tabular display of infrastructure key (Ki) information and status for the BTS
site entity.
SCK Tabular display of static cipher key-trunked mode operation (SCK-TMO) key
information and status for the BTS site entity.
Zone KEK Tabular display of zone key encryption key (KEKz) information and status
for the BTS site entity.


Table 11-11 Buttons in the EBTS Site Information display

Button Action
Enable Key Updates Enables key updates for the BTS site. Only displayed when key updates are
disabled (see Status field).
Disable Key Updates Disables key updates for the BTS site. Only displayed when key updates are
enabled (see Status field).
Refresh Ki Redistributes the existing infrastructure key (Ki) for BTS site entities.
Update Ki Assigns a new infrastructure key (Ki) for BTS site entities.
Help Launches the AuC online help window.

Events Information

Figure 11-7 Events Information display

The fields presented in the Events Information display are listed below. By default, events are listed as
they occur (by Date). You can re-sort the listed events by clicking on the column header. Clicking on
a column header toggles the list items between forward and reverse order. A small triangle
next to the column header indicates by which field the items are currently sorted.
Table 11-12 Fields in the Events Information display

Field Description
Severity Severity of event.
Description Description of event.
Date Date of event.

Table 11-13 Buttons in the Events Information display

Button Action

Removes highlighted events from display.

Removes all events from display.


General Network Information


The General Network Information window displays the summary of the Nationwide network status.

Figure 11-8 General Network Information Display

Table 11-14 Fields in the General Network Information Display

Field: Master Alias
Values: n/a
Description: A user friendly description for Master AuC Server. It is possible for different AuCs
in a nationwide system to have the same alias, but this is not recommended.

Field: Master IP Address
Values: n/a
Description: IP address of Master AuC server.

Field: Expected Slave
Values: n/a
Description: IP address of Expected Slave AuC server set on Master AuC.

Summary of the key update status for the CCK, SCK-TMO and System KEK for the whole Nationwide
AuC network including following information for each key:

Field: Update Status
Values:
• Idle: No key update in progress.
• Activate: Key update process is in the first stage.
• Update: Key update process is in the third stage.
• Refresh: Key update process is in the second stage (for System KEK update only).
• Unknown: Master AuC doesn’t have complete information about key status on slaves.

Field: Key Number
Values: 0 — 31
Description: Number of the key that is sent out in current update stage (applies to the SCK-TMO only).
This information is displayed only when key update is in progress.

Field: Key version
Values: 1 — 65535
Description: Version of the key that is sent out in current update stage. This information is displayed
only when key update is in progress.

Field: Key update progress
Values: X/Y
Description: Y - number of all Zones/ Sites in the Nationwide network participating in key update.
X - number of Zones/ Sites in the Nationwide network that already accepted key update.

Field: Progress Indicator
Values: n/a
Description: Indicates the key update progress.

Field: Nationwide Status
Values:
• Nationwide network currently establishing connectivity: AuCs are attempting to connect to the
nationwide system (during upgrade process only).
• Nationwide System Operational. Ready to perform Nationwide key updates.: AuCs are connected to the
nationwide system. Key updates can now be performed.
• Need all listed AuCs connected before able to perform Nationwide operations.: Either it was not
possible to connect all of the AuCs or one or more of them lost connectivity after achieving it. The
AuC(s) that could not be connected will be indicated in the AuC Net window.
• Single AuC configuration.: The AuC is not connected to a nationwide system.

K-REF Pairs

Figure 11-9 K-REF Pairs Information display


Table 11-15 Fields in the K-REF Pairs Information display

Field Description
K Entry of actual authentication key (K) for the mobile station (MS). The K
key is a 32-digit hexadecimal value.
Ref Entry of actual reference number for the mobile station (MS). The reference
number will be either the Subscriber Identification Module (SIM) or TETRA
Equipment Identifier (TEI) (based on selection of SIM or TEI option button).
SIM Select option button to designate the Ref field as a SIM entry.
TEI Select option button to designate the Ref field as a TEI entry.
Status Reports the status of the latest K-REF pair entry (accepted or rejected). This
field is not displayed until after the first K-REF entry is typed in and committed
to the AuC database during the current AuC client session.
Unmatched K-REFs A list of Refs for which a K-Ref pair is defined in the AuC but no matching
Individual TETRA Subscriber Identity (ITSI) Ref pair is found. These items
are listed in alphanumeric order. Their batch date and batch number are also
shown. These are set at the time of their creation. If a K-Ref pair is entered
manually, the batch number will be blank.
Count Number of unmatched K-Ref pairs.

Table 11-16 Buttons in the K-REF Pairs Information display

Button Action
Enter Commits K and Ref entries to AuC database. The button is disabled until the
proper K and Ref entries are made in corresponding fields. After selecting this
button, the Unmatched K-REFs list box is automatically refreshed. If the Ref
of the new K-Ref entered already exists in the AuC, the user is asked if they
wish to overwrite the current K-Ref in the AuC via the dialog box below:

Clear Clears K and Ref field entries.


Refresh Refreshes listings in Unmatched K-REFs list box.
Delete Removes highlighted unmatched K-REF pair from the AuC database.
Delete All Removes all unmatched K-REF pairs from the AuC database.
Export Generates a report of unmatched K-Ref pairs.
Help Launches the AuC online help window.


Key Database Selection

Figure 11-10 Key Database Selection display

Table 11-17 Fields in the Key Database Selection display

Field Description
K-Ref Pairs Places the K-REF Pairs Information display in the work pane.
SCK-Trunked Mode Operation Places the SCK-TMO Information display in the work pane.
DDK (Dimetra Distribution Key) Places the DDK Information display in the work pane.
AuC Comm Key (Communication Key) Places the AuC Comm Information display in the work pane.


Key Schedule Information


The Key Schedule Information window displays information corresponding with the
key type selected in the Key Schedule window.

Figure 11-11 Key Schedule Information Display

Table 11-18 Fields in the Key Schedule Information Display

Field Description
Next Update Shows the date and time for the next update of the selected key schedule.
Last Update Shows the date and time when the last update was started.
Key Schedule State Shows whether key schedule updates are enabled.
Recurrence Interval Shows the interval for the updates. The interval is shown in months or days,
depending on the key type.
Key Update Progress Progress bars showing key update progress in local cluster. Depending on the
key type, there can be either one progress bar showing overall progress for the
cluster or separate progress bars for each zone.

Table 11-19 Buttons in the Key Schedule Information Display

Button Action
Start Update Now Forces an update to start immediately. A manual update has no impact on the
date and time of the next scheduled update.
Modify Schedule... Activates the Modify Schedule dialog
Help Launches the AuC online help window.


Key Schedules Selection

Figure 11-12 Key Schedules Selection display

Table 11-20 Fields in the Key Update Selection display

Field Description
Authentication Material Places Key Schedule Information display in the work pane for Authentication
Material.
CCK Places Key Schedule Information display in the work pane for Common Cipher
Key (CCK).
SCK-TMO Places Key Schedule Information display in the work pane for Static Cipher
Key (SCK-TMO).
System KEK Places Key Schedule Information display in the work pane for System Key
Encryption Key (KEKm).
Zone KEK Places Key Schedule Information display in the work pane for Zone Key
Encryption Key (KEKz).


Key Status tree view


Next to the UCS folder (displayed at the top), the connection status to the User Configuration Server (UCS)
server is reported in brackets. The status is reported as either "Connected" or "Disconnected".

Figure 11-13 Key Status tree view display

The colored icons displayed next to each zone and BTS site represent the entity’s current key status.
Table 11-21 Key Status Icons (Zones and BTS sites)

Icon Description
Requires Attention: The entity is missing both infrastructure keys (Ki), the
infrastructure key (Ki) has been improperly provisioned or equipment failure
occurred.
Requires Attention: The entity is missing both infrastructure keys (Ki), the
infrastructure key (Ki) has been improperly provisioned or equipment failure
occurred and the entity is disabled from receiving key updates.
Requires Attention: The entity is missing both infrastructure keys (Ki), the
infrastructure key (Ki) has been improperly provisioned or equipment failure
occurred and the entity is disconnected from the Air Traffic Router (ATR)
server or Zone Manager (ZM) (for zone entities only).
Entity is not current: The entity no longer has the most current key version
(except for the infrastructure key (Ki)).
Entity is not current and disabled: The entity no longer has the most current
key version (except for the infrastructure key (Ki)) and the key updates on
the entity have been disabled.
Entity is not current and disconnected: The entity no longer has the most
current key version (except for the infrastructure key (Ki)) and is disconnected
from the Air Traffic Router (ATR) server or Zone Manager (ZM) (for zone
entities only).
Entity is current: The entity has the most current key version.

Entity is current: The entity has the most current key version but the key
updates on the entity have been disabled.
Entity is current: The entity has the most current key version but is
disconnected from the Air Traffic Router (ATR) server or Zone Manager (ZM)
(for zone entities only).


KVL Information

Figure 11-14 KVL Information display

Table 11-22 Fields in the KVL Information display

Field Description
Alias Alias of KVL (obtained from User Configuration Server (UCS)).
ID ID of KVL (obtained from User Configuration Server (UCS)).

Status Current setting for KVL access to AuC (access allowed or locked out).

Table 11-23 Buttons in the KVL Information display

Button Action
Deny Access Locks out KVL access to the AuC. Only displayed when KVL access to AuC
is allowed (see Status field).
Allow Access Allows KVL access to the AuC. Only displayed when KVL access to AuC is
locked out (see Status field).
Assign New UKEK Launches KVL UKEK Assignment Dialog Box.
Help Launches the AuC online help window.


KVL Status list view

Figure 11-15 Key Status list view display

Table 11-24 Key Status Icons (KVLs)

Icon Description
Locked out from AuC connectivity.

Unprovisioned in the AuC database (does not have a UKEK key).

Provisioned in the AuC database.

Mobile Stations List

Figure 11-16 Mobile Stations List Display

The fields presented in the Mobile Stations List display are listed below. By default, query results are
listed by Serial Number. You can re-sort the listed items by clicking on the column header. Clicking on
a column header toggles the list items between forward and reverse order. A small triangle
next to the column header indicates by which field the items are currently sorted.


Table 11-25 Fields in the Mobile Stations List display

| Field | Description |
|---|---|
| Security Group Alias | Security group for the mobile station (MS) (obtained from User Configuration Server (UCS)). |
| Serial Number | Serial number for the mobile station (MS) (obtained from User Configuration Server (UCS)). |
| Ref | Reference number for the mobile station (obtained from User Configuration Server (UCS)). The reference number will be either the Subscriber Identity Module (SIM) or TETRA Equipment Identifier (TEI) number. |
| ISSI | Individual Short Subscriber ID (ISSI) for the mobile station (obtained from User Configuration Server (UCS)). |
| K Assigned | Indicates whether an authentication key (K) has been assigned to the mobile station (MS) (Yes or No). |
| Mobile State | State of the mobile station (MS) key update: • Enabled – key updates enabled. • Disabled (new mobile) – key updates disabled because the MS is a newly added one; new MSs have key updates disabled by default. • Disabled (manually) – key updates disabled manually by a user. • Disabled (K changed) – key updates disabled because the authentication key (K) for the MS has changed. |
| Batch Date | Creation date of a K-REF pair assigned to the mobile station (MS). |
| Batch Number | Number assigned to a group of K-REF pairs during their creation time. If a K-REF pair was entered manually in the AuC client, then this field is blank. |

Table 11-26 Buttons in the Mobile Stations List display

| Button | Action |
|---|---|
| Update Auth Now | Launches an immediate update of authentication material for the mobile station(s) highlighted in the list box. This button is disabled until an MS is selected from the list box. |
| Enable Key Updates | Enables authentication material key updates for the mobile station(s) highlighted in the list box. Only displayed when key updates are disabled (see Key Updates Disabled field). This button is disabled until an MS is selected from the list box. |
| Disable Key Updates | Disables authentication material key updates for the mobile station(s) highlighted in the list box. Only displayed when key updates are enabled (see Key Updates Disabled field). This button is disabled until an MS is selected from the list box. |


Mobile Stations Search

Figure 11-17 Mobile Stations Search Display

Table 11-27 Fields in the Mobile Stations Search display

| Field | Description |
|---|---|
| Security Group | Security group to search. If field is left blank or contains "UCS", all security groups are searched. |
| Serial Number | Serial number to search. Use drop-down list box to set condition of search using this field. If left blank, the field is not included in the search query. |
| Ref | Reference number to search. Use drop-down list box to set condition of search using this field. If left blank, the field is not included in the search query. |
| ISSI Between | Range of Individual Short Subscriber Identities (ISSIs) to search. Use both fields to type beginning and ending ISSIs, respectively. If blank, the leftmost field is set to 0 and the rightmost field is set to 16,777,216. |
| Batch Number | Number assigned to a group of K-REF pairs when created. If left blank, the field is not included in the search query. |
| Batch Date | Range of K-REF pairs creation times to search. Use both fields to specify the beginning and end of a search period. |
| Secret Key (K) Status | Search for mobile stations (MSs) with or without an assigned authentication key (K) in the AuC database. |
| Mobile State | State of the mobile station (MS) key update: • Enabled – search for MSs with key updates enabled. • Disabled (new) – search for newly added MSs; new MSs have key updates disabled by default. • Disabled (manually) – search for MSs which have key updates disabled manually by a user. • Disabled (K changed) – search for MSs which have key updates disabled because their authentication keys (K) have changed. |
| Include Not Local | Not to be used in this Dimetra release. |


Table 11-28 Buttons in the Mobile Stations Search display

| Button | Action |
|---|---|
| Search | Performs search using selected criteria. Results are listed in Mobile Stations List Reference list box. |
| Export | Starts exporting MS information. |
| Clear | Clears entries from search criteria fields. |

SCK-Trunked Mode Operation Information

Figure 11-18 SCK-Trunked Mode Operation Information display

Table 11-29 Fields in the SCK-Trunked Mode Operation Information display

| Field | Description |
|---|---|
| SCK Number | Number of SCK-TMO key slot. |
| SCK Version | Version of SCK-TMO key in the slot. |
| Active | Reflects the current and next active SCK-TMO keys. The following arrows reflect the current and next active SCK-TMO keys: [arrow icon] currently active SCK-TMO key; [arrow icon] next active SCK-TMO key. |


Table 11-30 Buttons in the SCK-Trunked Mode Operation Information display

| Button | Action |
|---|---|
| Modify | Launches SCK-TMO Modify Dialog Box. |
| Set Next Active | Designates next active SCK-TMO key. |
| Help | Launches the AuC online help window. |

Security Group Selection Tree View

Figure 11-19 Security Group Selection Tree View

Each security group stored in the Authentication Centre (AuC) database is listed in the Security Groups window.

UCS Information

Figure 11-20 UCS Information display


Table 11-31 Fields in the UCS Information display

| Field | Description |
|---|---|
| UCS Status | Status of connection to User Configuration Server (UCS). Available values: • Disconnected • Disconnected - Invalid Version • Not Ready • Synchronizing • Connected |
| UCS Version | Version of the User Configuration Server (UCS). |

Table 11-32 Buttons in the UCS Information display

| Button | Action |
|---|---|
| Synchronize | Starts the full synchronization process with UCS. |
| Help | Launches the AuC online help window. |

User Account Selection tree view

Figure 11-21 User Account Selection display

Each user account existing on the Authentication Centre (AuC) is listed.


User Information

Figure 11-22 User Information display

Table 11-33 Fields in the User Information display

| Field | Description |
|---|---|
| Login Name | Login name of AuC user. This field allows use of spaces. Login names are case sensitive. Users are not allowed to modify their login name. |
| Full Name | Full name of AuC user (Optional). |
| Change Password | Enables New Password and Confirm New Password fields. You cannot change your own password from this dialog box, when logged in as yourself, since User Management does not ask for the old password. To change your own password, see "Changing a User Account Password". |
| New Password | New password for AuC user. |
| Confirm New Password | New password for AuC user. |
| Permissions | Access permissions for user to AuC tasks. Use the check boxes to select which task categories the user can access and perform. A user with no permissions is able to only view entity information. See Table 11-34 below. |


Table 11-34 Access Permissions for AuC users

| Permission | Tasks |
|---|---|
| Database Management | Allows all database operations. |
| Infrastructure Management | Allows disabling of zones and BTSs and all Zone/System KEK Key Schedule operations, including Ki Provisioning. |
| Key Management | Allows entry of keys in Key Database, SCK-TMO and CCK operations, including Key Schedule operations. |
| Mobile Management | Allows all MS operations and all Authentication Material Key Schedule operations. |
| Master Key Load | Allows Master key Loading. |
| KVL Management | Allows the user to modify KVL records, change UKEK assignments, disable/enable a KVL from communication with the AuC, and modify the KVL port settings. |
| User Management | Allows all user management operations and audit trail purging. |
| Server Management | Allows System> Settings> Miscellaneous operations. |
| Nationwide Management | Allows nationwide system connection operations under the Connections tab, CCK key updates, and entry of AuC Comm Key. |

Table 11-35 Buttons in the User Information display

| Button | Action |
|---|---|
| Restore Settings | Restores user account information settings before current changes are committed to AuC database (i.e., to start over with modifications). |
| Apply Settings | Commits user account information settings to the AuC database. |
| Delete | Deletes user account from the AuC database. |
| Add | Launches the Add User Dialog Box. |
| Help | Launches the AuC online help window. |


Zone Information

Figure 11-23 Zone Information display

Table 11-36 Fields in the Zone Information display

| Field | Description |
|---|---|
| Key Updates | Current setting for key updates for the zone (enabled or disabled). |
| ATR | Status of connection to Air Traffic Router (ATR) server. |
| ZM | Status of connection to Zone Database Server (ZDS). |
| ZM Version | Version of the Zone Database Server. |
| Ki | Tabular display of infrastructure key (Ki) information and status for the zone entity. |
| System KEK | Tabular display of system key encryption key (KEKm) information and status for the zone entity. |
| Zone KEK | Tabular display of zone key encryption key (KEKz) information and status for the zone entity. |

Table 11-37 Buttons in the Zone Information display

| Button | Action |
|---|---|
| Enable Key Updates | Enables key updates for the zone. Only displayed when key updates are disabled (see Status field). |
| Disable Key Updates | Disables key updates for the zone. Only displayed when key updates are enabled (see Status field). |
| Synchronize | Starts the full synchronization process with ZDS. |
| Refresh Ki | Redistributes the existing infrastructure key (Ki) for zone entities. |
| Update Ki | Assigns a new infrastructure key (Ki) for zone entities. |
| Help | Launches the AuC online help window. |


Secondary Window

This section provides detailed information about the AuC application’s secondary windows.

Add User Dialog Box

Figure 11-24 Add User Dialog Box

Table 11-38 Fields in the Add User Dialog Box

| Field | Description |
|---|---|
| Login Name | Login name of AuC user. |
| Full Name | Full name of AuC user. |
| Password | New password of AuC user. |
| Confirm Password | New password of AuC user. |
| Permissions | Access permissions for user to AuC tasks. Use check boxes to select which task categories the user can access and perform. A summary of the tasks allowed for each checkbox is provided below. |


Table 11-39 Access Permissions for AuC users

| Permission | Tasks |
|---|---|
| Database Management | Allows all database operations. |
| Infrastructure Management | Allows disabling of zones and BTSs and all Zone/System KEK Key Schedule operations, including Ki Provisioning. |
| Key Management | Allows entry of keys in Key Database, SCK-TMO and CCK operations, including Key Schedule operations. |
| Mobile Management | Allows all MS operations and all Authentication Material Key Schedule operations. |
| Master Key Load | Allows Master key Loading. |
| KVL Management | Allows the user to modify KVL records, change UKEK assignments, disable/enable a KVL from communication with the AuC, and modify the KVL port settings. |
| User Management | Allows all user management operations and audit trail purging. |
| Server Management | Allows System> Settings> Miscellaneous operations. |
| Nationwide Management | Allows nationwide system connection operations under the Connections tab, CCK key updates, and entry of AuC Comm Key. |

Table 11-40 Buttons in the Add User Dialog Box

| Button | Action |
|---|---|
| OK | Commits user account information settings to the AuC database. |
| Cancel | Cancels user account information settings without committing them to the AuC database. |
| Help | Launches the AuC online help window. |


AuC Connection

Figure 11-25 Set Expected Slave Dialog Box

Figure 11-26 Connect to Master AuC Dialog Box

Table 11-41 Fields in the AuC Connection display

| Field | Description |
|---|---|
| Enter the IP address of expected slave AuC | IP address for an AuC server that will be set by master AuC as the expected slave AuC. |
| Enter the IP address of master AuC | IP address of the master AuC that the local AuC will be connected to. |

Table 11-42 Buttons in the AuC Connection display

| Button | Action |
|---|---|
| OK | Attempts to connect to the AuC using the IP address supplied. |
| Cancel | Closes the dialog box. |


AuC Database Backup Schedule Dialog Box

Figure 11-27 AuC Database Backup Schedule Display

Table 11-43 Fields in the AuC Database Backup Schedule Dialog Box

| Field | Description |
|---|---|
| Month/Day/Year | Start date of database backup. Use drop-down list box to choose month, spin box to choose year, and buttons to choose day of the month to perform backup. |
| Time | Start time of database backup. Use spin box to set time of day for database backup. |
| Backup occurs every... days | Frequency of database backup. Use drop-down list box to select how often (in days) to perform backup. |

Table 11-44 Buttons in the AuC Database Backup Schedule Dialog Box

| Button | Action |
|---|---|
| OK | Commits the AuC database backup settings. |
| Cancel | Cancels the AuC database backup settings without committing them to the AuC system. |


AuC Database Dialog Box

Figure 11-28 AuC Database Display

Table 11-45 Fields in the AuC Database Dialog Box

| Field | Description |
|---|---|
| Backup in Progress | States whether an AuC database backup is currently in progress (yes or no). During backup, you will still be able to perform AuC operations. However, you will not be able to start a new backup until the current backup is complete. Once backup is initiated, it cannot be cancelled. |
| Last Successful Backup | States when last AuC database backup occurred. The field displays No backups performed yet if no backup has been performed. |
| Next Scheduled Backup | States when next AuC database backup is scheduled to occur, even if backup schedules are disabled. The field displays No schedule set yet if no backup schedule has been set. |
| Backup Schedule Disabled | Checkbox to disable scheduled backup of the AuC database. Disabling backup schedule is also possible while a backup is in progress. Backups are not disabled until the OK button has been clicked, after Backup Schedule Disabled has been selected. |
| Path | Displays the current path for storing the AuC database backup file. The path is shown from the database server’s perspective, not the client’s. Default is C:\AuCBackup. |

Table 11-46 Buttons in the AuC Database Dialog Box

| Button | Action |
|---|---|
| Modify Schedule | Launches the dialog box to schedule the AuC database backups. |
| Start Backup Now | Launches an immediate AuC database backup. |
| OK | Commits the AuC database backup settings. |
| Close | Closes the AuC Database dialog box. |
| Help | Launches the AuC online help window. |

Change Password Dialog Box

Figure 11-29 Change Password Dialog Box

Table 11-47 Fields in the Change Password Dialog Box

| Field | Description |
|---|---|
| User Name | Login name of AuC user (already populated). |
| Old Password | Entry for existing password. |
| New Password | Entry for new password. |
| Confirm New Password | Confirm entry for new password. |

Table 11-48 Buttons in the Change Password Dialog Box

| Button | Action |
|---|---|
| OK | Commits password change to AuC database. |
| Cancel | Cancels password change. If the dialog was brought up after the login dialog, that is before the main screen is reached, and your password has expired, cancelling will force the client application to close. |


Encryption Devices Dialog Box

Figure 11-30 Encryption Devices Dialog Box

Table 11-49 Fields in the Encryption Devices Dialog Box

| Field | Description |
|---|---|
| Vendor | Name of the encryption device vendor. |
| Device Type | Type of encryption device. |
| Software Version | Version of software on encryption device. |
| Master Key Status | Indicates the state of the Master Key. The state can be Loaded, Not loaded, Invalid or Unknown. The Invalid state is created when a new Master Key is loaded, but does not match the one expected by the AuC. |
| Device Status | Status of the encryption device: Working or Failed. The Master Key state has influence on the Encryption Device Status; when the Master Key state is not Loaded the Encryption Device Status is Failed. |
| Battery Level | Describes the battery level in the encryption device. The Level can be Full, Low, Dead or Unknown. |
| Algorithms | List of required algorithms. When the algorithm is installed on the encryption device the corresponding checkbox is marked. The completeness of installed algorithms has influence on the Encryption Device Status; when not all required algorithms are installed the Encryption Device Status is Failed. |

Table 11-50 Buttons in the Encryption Devices Dialog Box

| Button | Action |
|---|---|
| Load Master Key... | Launches the Load Master Key wizard. See "Loading a Master Key into an Encryption Device" for a description of this wizard. |
| Close | Closes the Encryption Devices dialog box. |
| Help | Launches the AuC online help window. |

Key Update Lock Details Information Box

Figure 11-31 Key Update Lock Details Information Box

Table 11-51 Field in the Key Update Lock Details Information Box

| Field | Description |
|---|---|
| User | User who locked the key updates. |
| Date | Date of the key update lock operation. |
| Lock reason | Reason for locking the key updates. |

Table 11-52 Buttons in the Key Update Lock Details Information Box

| Button | Action |
|---|---|
| OK | Confirms the key update lock and its reason. |
| Cancel | Cancels the key update lock operation. |


Key Update Lock Dialog Box

Figure 11-32 Key Update Lock Dialog Box

Table 11-53 Field in the Key Update Lock Dialog Box

| Field | Description |
|---|---|
| Reason for locking key updates | Reason for locking key updates to be provided by the user. |

Table 11-54 Buttons in the Key Update Lock Dialog Box

| Button | Action |
|---|---|
| OK | Confirms the key update lock and its reason. |
| Cancel | Cancels the key update lock operation. |

KVL UKEK Assignment Dialog Box

Figure 11-33 KVL UKEK Assignment Dialog Box

Table 11-55 Fields in the KVL UKEK Assignment Dialog Box

| Field | Description |
|---|---|
| Enter new UKEK | Entry for unique key encryption key (UKEK) key value. The UKEK key is a 16-digit hexadecimal value. |

Table 11-56 Buttons in the KVL UKEK Assignment Dialog Box

| Button | Action |
|---|---|
| OK | Commits UKEK key to the AuC database. The button is disabled until 16 hexadecimal characters are entered in the Enter new UKEK field. |
| Cancel | Cancels UKEK key storage. |


Login Dialog Box

Figure 11-34 AuC Login Dialog Box

Table 11-57 Fields in the Login Dialog Box

| Field | Description |
|---|---|
| User Name | Login name for AuC user. |
| Password | Password for AuC user. |
| Change Password | Tick this to open the Change Password dialog box upon login. |

Table 11-58 Buttons in the Login Dialog Box

| Button | Action |
|---|---|
| OK | Logs in user to AuC. |
| Cancel | Cancels login. |


Miscellaneous Settings Dialog Box

Figure 11-35 Miscellaneous Settings Dialog Box

Table 11-59 Fields in the Miscellaneous Settings Dialog Box

| Field | Description |
|---|---|
| AuC Server ID | Entry for Authentication Centre (AuC) ID. This ID is necessary for the KVL and AuC to communicate effectively. If the AuC ID is not the ID expected by the KVL, the KVL will disconnect. |
| AuC Server Alias | A user-friendly name (alias) for the AuC server. The maximum length is 20 characters. There is no initial alias value. |
| Debug Log Enabled | Allows a debug log to be maintained on the AuC server. |

Table 11-60 Buttons in the Miscellaneous Settings Dialog Box

| Button | Action |
|---|---|
| OK | Commits miscellaneous settings to AuC database. |
| Cancel | Closes Settings dialog box. |
| Help | Launches the AuC online help window. |


Modify Schedule Dialog Box

Figure 11-36 Modify Schedule display

Table 11-61 Fields in the Modify Schedule display

| Field | Description |
|---|---|
| Disable Key Schedule | Disables scheduled key updates. |
| Next Update | |
| Month/Day/Year | Start date of scheduled key update. Use drop-down list box to choose month, spin box to choose year, and buttons to choose day of the month to perform update. |
| Time | Start time of scheduled key updates. Use spin box to set time of day for key update. |
| Last Update | Time and date of last key update. |
| Recurrence Interval | |
| Update occurs every | Frequency of key updates. Use drop-down list box to select how often (in months) to perform key update. |

Table 11-62 Buttons in the Modify Schedule display

| Button | Action |
|---|---|
| Default Interval | Sets the default recurrence interval. |
| Cancel | Closes the dialog box without updating the schedule settings. |
| OK | Commits key update schedule settings. |
| Help | Launches the AuC online help window. |


Port Settings Dialog Box

Figure 11-37 Port Settings Display

Table 11-63 Fields in the KVL Port Settings Dialog Box

| Field | Description |
|---|---|
| Port | AuC hardware port used to communicate with KVLs. Use drop-down list box to select port. After selection, the port’s current settings are displayed in the dialog box. |
| Bit Rate | Bit rate for KVL communication port. Use drop-down list box to select bit rate. |
| Initialization String | Initialization string used for modem connection to KVL. This field is disabled when the Connection Type field is set to "Direct". |
| Connection Type | Type of connection used to communicate with KVL. Use option buttons to select connection type between direct for cable connection and modem for dialup connection. |

Table 11-64 Buttons in the KVL Port Settings Dialog Box

| Button | Action |
|---|---|
| Default Settings | Resets KVL port settings to the AuC default settings. |
| OK | Commits KVL port settings to AuC database. |
| Cancel | Closes dialog box without changes being applied. |
| Help | Launches the AuC online help window. |


Purge Audit Trail Dialog Box

Figure 11-38 Purge Audit Trail Dialog Box

Table 11-65 Fields in the Purge Audit Trail Dialog Box

| Field | Description |
|---|---|
| Number of months of audit trail data to keep in the AuC | Specifies number of months of audit trail data to keep in the AuC database (all data exceeding this setting will be archived to a file on the server). Use drop-down list box to choose the number of months (maximum of 24 months). |

Table 11-66 Buttons in the Purge Audit Trail Dialog Box

| Button | Action |
|---|---|
| Begin Purge | Launches the process of removing audit trail data from the AuC database. |
| Cancel | Cancels selection and closes dialog box. |

SCK-TMO Modify Dialog Box

A modified slot is not automatically distributed throughout the Dimetra system until the slot
is selected as the next active slot as part of a scheduled or manual update.

Figure 11-39 SCK-TMO Modify Dialog Box


Table 11-67 Fields in the SCK-TMO Modify Dialog Box

| Field | Description |
|---|---|
| Key Value | Entry for SCK-TMO key value. The SCK-TMO key is a 20-digit hexadecimal value. |
| Key Version | Version of SCK-TMO key. |

Table 11-68 Buttons in the SCK-TMO Modify Dialog Box

| Button | Action |
|---|---|
| OK | Commits entry to the AuC database. |
| Cancel | Cancels entry and closes dialog box. |

Standby Settings Dialog Box

Figure 11-40 Standby Settings Dialog Box

Table 11-69 Fields in the Standby Settings Dialog Box

| Field | Description |
|---|---|
| Password | Password to the administrator account for standby database. The password entered is the one assigned during Oracle installation on a standby AuC. |
| Confirm Password | Retype password. |
| Monitor Standby Status | Enables/disables monitoring of standby database connection. State icon appears on the status bar. |


Table 11-70 Buttons in the Standby Settings Dialog Box

| Button | Action |
|---|---|
| OK | Commits standby settings to AuC database. |
| Cancel | Cancels the selection and closes Settings dialog box. |
| Help | Launches the AuC online help window. |

Update Common Cipher Key (CCK) Version


CCKs are delivered to BTS site entities within a zone. Once decrypted, the CCK is
used to encrypt and decrypt air traffic.

Figure 11-41 Update CCK Version display


Table 11-71 Fields in the Update CCK Version display

| Field | Description |
|---|---|
| Last used CCK version | The CCK version number restored from the database backup. |
| Next suggested CCK version | The CCK version number computed based on the restored version number and schedule interval. This value is an estimate based on the following formula: (Date of last backup − Current time/Restored CCK crypto. schedule interval). All values are in days. If the database has been backed up manually, or changes have been made to the key update schedule since the last backup, this value may not be appropriate. |
| Modify CCK Version | The version number that will be used for the next update of the future key when the Modify CCK Manually button is selected. |

Table 11-72 Buttons in the Update CCK Version display

| Button | Action |
|---|---|
| Modify CCK Manually | Updates the CCK version to the value selected. |
| Connect to AuC | Opens the AuC Connection dialog box. When a connection to the nationwide system is established, key updates will automatically occur. These will synchronize the CCK version with that in use nationwide. This option is appropriate if your system is part of a nationwide multicluster system. |
| Proceed Without Modification | Closes the display without changing the CCK version. The next key update will use the last used CCK version number, incremented by one, as the version number for the future key. This action applies the CCK version that was stored in the database. If this version is lower than the highest version currently in use in the system by more than one, there is risk of losing voice traffic. |
| Cancel | Closes the display without changing the CCK version. The AuC client will not be in the operational state. |
| Help | Launches the AuC online help window. |


User Settings Dialog Box

Figure 11-42 User Settings Dialog Box

Table 11-73 Fields in the User Settings Dialog Box

| Field | Description |
|---|---|
| Password Requirements: | The default settings can be configured according to the following limitations. |
| Maximum Length | The maximum number of characters allowed for a password. Maximum length: 20 characters. |
| Minimum Length | The minimum number of characters allowed for a password. Minimum length: 4 characters. |
| Passwords must contain at least one digit | When selected the password must contain at least one alphanumeric character. |
| Interval of days until passwords expire | Period of days after which a user will be required to change their password during log in. Minimum: 0 days, which means next login. Maximum: 100 days. |
| Username Requirements: | |
| Maximum Length | The maximum number of characters allowed for a user name. Maximum: 20 characters. |
| Minimum Length | The minimum number of characters allowed for a user name. Minimum: 4 days. |


Table 11-74 Buttons in the User Settings Dialog Box

| Button | Action |
|---|---|
| Restore Settings | Restores the application’s default user settings. |
| OK | Commits user settings to AuC database. |
| Cancel | Cancels the selection and closes Settings dialog box. |
| Help | Launches the AuC online help window. |

Main Menu Items



Table 11-75 Main Menu Items

| Menu Name | Submenu Name | Description |
|---|---|---|
| File | Import Keys | Initiates keys import. Opens the Import Keys form File dialog box, see Figure 4-21. |
| | Exit | Turns off the AuC Client. |
| User | Change Password | Initiates password changing process. Opens the Change Password dialog box, see Figure 11-29. |
| Key | Key Update Lock | Disables key updates. Opens the Key Update Lock dialog box, see Figure 11-32. |
| | Key Update Lock Details... | Displays the key update lock details, see Figure 11-31. |
| System | AuC Database... | Opens the AuC Database dialog box, see Figure 11-28. |
| | Encryption Devices... | Opens the Encryption Devices dialog box, see Figure 11-30. |
| | Standby Status Report... | Displays the standby database status report. |
| | Check Standby Now... | Checks the standby database status immediately. |
| | Settings... | Opens the Settings dialog box, see Figure 11-35, Figure 11-37, Figure 11-40 and Figure 11-42. |
| | Go Operational | Changes the AuC Server mode to operational. |
| | Go Out of Service | Changes the AuC Server mode to out of service. |
| Nationwide | Become Nationwide Master... | Initiates the process of becoming the Nationwide Master AuC, opens the AuC Connection dialog box, see Figure 11-26. |
| | Become Nationwide Slave... | Initiates the process of becoming the Nationwide Slave AuC, opens the AuC Connection dialog box, see Figure 11-25. |
| Help | Help Contents | Opens the AuC Online Help Contents. |
| | Introduction | Opens the Introduction section of the AuC Online Help. |
| | Overview | Opens the Overview section of the AuC Online Help. |
| | FAQ | Opens the FAQ section of the AuC Online Help. |
| | About AuC... | Opens the About AuC information box, see Figure 9-27. |



Appendix A: TETRA/Dimetra Glossary
The glossary describes many terms connected with TETRA and Dimetra and is not system release
specific. Therefore not all terms may be relevant for a specific system or release.

Table A-1 Glossary

Item Description
10/100Base-T A method of connecting Ethernet devices directly to an Ethernet switch/hub.
Max transfer rate is 10 or 100 Mbps.
A/V Antivirus.
ABO Automatic Busy Override.
ACC Adjacent Control Channel.
Accounting Management Involves the reporting of the activities of radio users on the system. The system
provides several accounting management facilities.

ACCH Associated Control Channel.


ACELP Algebraic Code Excited Linear Prediction.
Acknowledged Data Transfer A service provided by the layer below which gives an acknowledgement back
over the air interface from the lower layer peer entity. This service is used by the
layer 3 entities to get a secure transmission including retransmissions.
Acknowledgement A message sent in response to another message to indicate status.
ADM See Alias Database Manager.
Admin See CENTRACOM Elite Admin.
Advanced Lights Out Management (ALOM) ALOM functions allow for monitoring, logging, alerting and for basic control
of the system. ALOM is particularly useful for remotely managing a server in
a typical "lights out" environment. It is the next generation strategic solution,
replacing the functionality of Remote System Control (RSC) used on VSP
servers and Lights Out Management (LOM & LOMlite) used on Sun Netra
servers.
Advanced Link An Advanced Link (AL) is a bidirectional connection between one Mobile
Station (MS) and a Base Station (BS) with provision of acknowledged and
unacknowledged services including windowing, segmentation, extended error
protection and choice among several throughputs. The data transfer via the
advanced link requires a set-up phase.
AEB See Ambassador Electronics Bank.
AEB slot For E1, one of 960 possible slots on the Ambassador Electronics Bank (AEB)
Time Division Multiplexing (TDM) backplane busses (32 busses x 30 AEB
slots/bus). For T1, one of 768 possible slots (32 busses X 24 slots/bus).

AEB System Timer Ambassador Electronics Bank System Timer Module. An AEB module that
provides system clocking and data bus arbitration. Each Audio Switch uses two
AEB System Timer Modules in a redundant configuration.
AEI See Audio Expansion Interface.
Affiliated Zone The zone to which a radio is currently registered.
Affiliation The process by which a Mobile Station identifies its location and talkgroup
affiliation to the system as it moves through the coverage area.
Affiliation Display A Motorola software application that tracks mobility characteristics of radio
users by monitoring current affiliations and deaffiliations on the system.
Affiliation Group The talkgroup to which a Mobile Station is currently attached.
AI Air Interface.
AIE See Air Interface Encryption.
AIE KVL See Air Interface Encryption Key Variable Loader.
AIMI See Ambassador Interface Multiplex Interface.
Air Interface Encryption (AIE) The Dimetra IP System supports Over the Air Standard Encryption of Mobile
Stations and Base Stations using the standard TETRA algorithms TEA1, TEA2
and TEA3.
Air Interface Encryption Key Variable Loader (AIE KVL) This AIE KVL is used for transporting AIE keys (K and SCK) and for keys used
in the infrastructure (Ki) used for distribution of AIE keys. It connects to the
AuC, MS, ZC, TSC and BRC and is used by the network operator.
Air Traffic Information Access (ATIA) An option that provides raw data on air traffic activity that can be used to drive
a customer-supplied billing package.
Air Traffic Router (ATR) The Radio Applications Programming Interface (RAPI) is located on the ATR
server that is colocated on the same LAN as the ZC. The ATR manages all
non-call processing processes for the Zone Controller and relies on the ZC
to provide aliases and security group information. The ZC and the ATR are
connected with a TCP link.
AIS 1. See Alias Integrated Solution.
2. See Archiving Interface Server.
AKD Authentication Key Distribution.
AL See Ambience Listening.
ALGID Algorithm Identification.
Alias An alphanumeric name used to identify for example a mobile station, a talkgroup
or a site. Aliases can be assigned to represent something more meaningful to a
console operator than the six digit ID number.
Alias Database Manager (ADM) A software tool for managing the alias database, which is the database that stores
all radio, console, talkgroup, and multigroup aliases used in the system.
ALOM See Advanced Lights Out Management.

AllStart A talkgroup setting which requires resources on all involved sites to be available
before the call can begin.
Alias Integrated Solution The Alias Integrated Solution (AIS) provides the means for dynamically
assigning a user alias to a radio upon user logon to the radio. The dynamically
assigned user alias is made available to 3rd party via the MultiCADI API.
Alphanumeric Text Service (ATS) A Motorola application used to send short data messages from a PC operating
under Windows to a display on a Mobile Station.
AMB See Ambassador Board.
Ambassador Board (AMB) A board that processes the audio coming from and going to its links. Each board
supports two independent, full duplex E1 and T1 links. Used in the Ambassador
Electronics Bank (AEB) to interface CEBs or MGEGs to the AEB.
Ambassador Electronics Bank (AEB) Also Embassy Switch. Dimetra master site equipment consisting of a Time
Division Multiplexing (TDM) audio switch capable of simultaneously routing
audio from multiple sources to one or more destinations. In a Dimetra system,
each Zone Controller controls the audio routing for its associated AEB.
Ambassador Interface Multiplex Interface (AIMI) A Central Electronics Bank (CEB) module that provides the interface between
the AEB and CEB, and provides CEB timing and data bus arbitration.
Ambience listening (AL) The ability to listen remotely to audio in the vicinity of a Mobile Station.
AMS Alert Management System.
Announced Cell Reselection Cell reselection where Mobile Station (MS) Mobile Link Entity
(MLE) informs the Switching and Management Infrastructure (SwMI)
both in the serving cell and in the new cell that cell change is
performed. There can be three types of announced cell reselection:
- type 1: the MS-MLE knows the new cell and the traffic channel
allocations on the cell before deciding to leave its serving cell;
- type 2: the MS-MLE knows the new cell before changing to it, but
does not know the channel allocation on the new cell in advance;
- type 3: the MS-MLE need not know the new cell before changing to it. The
serving cell is only informed by the MS-MLE that it wants to change cell.
Announcement Call An announcement call is a point to multipoint group call that provides the
capability to communicate with multiple talkgroups simultaneously.
Announcement group A special group which is used to address a number of normal groups which are
associated to the announcement group.
API Application Programming Interface.
APN Access Point Name.
Application Launcher Application Launcher enables you to access one or more management
applications without going through the process of logging on to each application
separately.
Archiving Interface Server (AIS) The AIS provides flexible, high-quality archiving services for audio and data
associated with various types of calls and various events associated with radio
resources. Together with a logging recorder and a replay station, AIS makes
up the logging system.

ARP Address Resolution Protocol.
ASIC Application Specific Integrated Circuit.
ASSI Alias Short Subscriber Identity.
ATCC See Auto Tune Cavity Combiner.
ATG Announcement Talkgroup.
ATIA See Air Traffic Information Access.
ATM Asynchronous Transfer Mode.
ATR See Air Traffic Router.
ATS See Alphanumeric Text Service.
AuC See Authentication Centre.
Audio Expansion Interface An interface module that receives audio from the CEB backplane for console
position speakers and recording devices.
Audio Interrupt Capability that allows users of a talkgroup to interrupt the audio of the current
transmitting talkgroup member.
Authentication A function which allows the radio system infrastructure to validate that a
mobile station is genuine before granting access to system services. Upon
receiving an authentication request, the mobile station may also perform
a mutual validation of the infrastructure to ensure it is safe to operate.
The use of authentication establishes a level of trust between the radio system’s
infrastructure and subscriber mobile stations.
Authentication Centre (AuC) A Motorola software application that allows system managers to manage
encryption keys for Dimetra.
Authentication Key (K) A secret key used to validate a mobile station’s ability
to operate on the radio system. Each MS is assigned a
unique authentication key at the factory or a secure facility.
The authentication key is imported or typed into the Authentication Centre along
with its associated reference (REF).
Authentication Material A set of session keys used to perform explicit authentication. Each MS is
assigned a set of unique authentication material based on its authentication key
(K). The authentication material is generated and sent from the Authentication
Centre (AuC) to the system’s zone controllers encrypted using the system key
encryption key (KEKm).
Auto Tune Cavity Combiner (ATCC) The ATCC receives signals from several base radios and sends a combined
signal to the site sending antenna.
Automatic site selection The Mobile Station will choose the best site.
Balun (Balanced/Unbalanced) A transformer connected between a balanced source or
load and an unbalanced source or load. A balanced line has two conductors,
with equal currents in opposite directions. The unbalanced line has just one
conductor; the current in it returns via a common ground or earth path.

Base Interface Module (BIM) This CEB module links conventional base station/repeaters and CEB for audio
communications.
Base Radio (BR) Dimetra remote BTS site equipment. Each base radio (BR) provides one
TETRA carrier, comprising four TETRA time slots. The BR is equipped with
three receivers for diversity reception which increases the coverage area and
reception quality.
Base Radio Controller (BRC) The Base Radio is made up from a number of replaceable units. A Base Radio
Controller is used to communicate with the Site Controller and to control the
other units within the Base Radio.
Base Station Term used to identify the installation including the BTS, antenna and ancillary
equipment.
Basic Link A Basic Link (BL) is a bidirectional connectionless path between one or several
Mobile Stations and a Base Station, with a provision of both unacknowledged
and acknowledged services on a single message basis.
Basic logging This feature collects radio system traffic and generates the collected data in a
report format.
BCCH Broadcast Control Channel.
Bearer Service A type of telecommunication service that provides the capability for the
transmission of signals between user network interfaces.
BER See Bit Error Rate.
BERT Bit Error Rate Test.
BIC Barring of Incoming Calls.
Billing System (BS) A Billing System is a feature that collects, stores and displays subscriber
accounting data.
BIM See Base Interface Module.
Bit Error Rate (BER) Bit Error Rate characterizes the quality of a digital channel for all traffic on
the channel.
Black Key An encryption key that is encrypted by another key.
BLT Bulk Loader Tool.
BNC Connector Bayonet-Neill-Concelman connector. A standardized coaxial cable connector,
used for Thin Ethernet cables, ARCnet networks and for the transmission of
audio and RF signals.
BNCH Broadcast Network Channel.
BOC Barring of Outgoing Calls.
Border Router The Border Router is a router residing between Customer
Enterprise Network (CEN) and DMZ network, on master site
as well as on remote sites connected to the CEN.
The Border Router interposes a protective firewall to prevent access
to the Dimetra system from unauthorized external devices.
bps Bits per second.
BR See Base Radio.

BRC See Base Radio Controller.
Broadcast A message to all Mobile Stations currently listening. Broadcast information
can be of a variety of types including adjacent channel information and
current system access control information. A Broadcast message needs no
acknowledgment.
BS See Billing System.
BSCH Broadcast Synchronisation Channel.
BTS Base Transceiver System. BTS is the common acronym for:
• Enhanced Base Transceiver System (EBTS)
• Mini Base Transceiver System (MBTS)
• Motorola Transceiver System (MTS)

BTS Site A remote segment within the Dimetra IP system responsible for call
processing and mobility services within a local geographical area. A
Dimetra IP BTS site (also known as a base site) contains equipment
such as TETRA Site Controller (TSC), Base Radio Controller (BRC),
Environment Alarm System (EAS), and RF distribution equipment.
The BTS site functions as the termination point for air interface encryption
services. A static cipher key-trunked mode operation (SCK-TMO) key
is stored and used by BTS site equipment and subscriber mobile stations
(MS) to encrypt/decrypt voice and data communications. To receive future
SCK-TMO key updates, BTS site equipment must also store and utilize a unique
infrastructure key (Ki) and zone key encryption key (KEKz).
Bundle A collection of Inter TETRA Connections (ITCs) which utilizes the same
scenario over the inter system interface.
Busy handling When channel resources are not available, the controller generates a busy
indication over the control channel. This busy indication, in the form of a tone, is
given to the MS user indicating it is in queue for the next available resource.
Busy queue A memory storage in the central controller to hold Mobile Station information
and requests until a channel is assigned after a busy condition.
Busy Queuing A method of queuing a call when resources are not available to grant the call.
CAD Computer Aided Dispatch.
CADI See Computer Aided Dispatch Interface.
CAI Common Air Interface.
Call Continuation The capability of passing active calls or busy queue designations across zone
boundaries. Also termed “Call Handoff”, Call Coordination, or Call Reconnect.
Call Detail Record The Call Detail Record contains information about usage of Packet Data service.
Call handoff The automatic assignment of an available channel when a radio user roams from
one site to another with continuous communications.

Call Set-up Time Group Call:
the call set-up time is a measure of the time between the initiating
PTT and the first audio slot to be transmitted by the initiating Mobile Station.
Private Call:
the call set-up time is a measure of time between the initiating
PTT and the alert indication that the receiving unit is ringing.
Interconnect Call (MS initiated):
the call set-up time is a measure of time between the initiating PTT
and the alert indication that the PSTN Gateway has initiated the call.
Interconnect Call (PSTN initiated):
the call set-up time is a measure of time between the reception of the
QSIG_SETUP from the external network to the transmission of the
QSIG_ALERT to the external network.
Call Back A message sent to the radio indicating a busy condition is over and to initiate the
channel request again.
Camped A Mobile Station (MS) is said to be camped on a cell when the MS is
synchronized on the cell Base Station (BS) and has decoded the Broadcast
Network Channel (BNCH) of the cell. The synchronization procedure is
performed by the Media Access Control (MAC) and the interpretation of the
network information from the BNCH (Voice+Data) is performed by a procedure
in the Mobile Link Entity (MLE). It is the MLE which decides when an MS is
said to be camped on a cell.
CAS 1. Channel Associated Signalling.
2. Child AntiVirus Server.
CAT Coverage Acceptance Test.
CATP Coverage Acceptance Test Procedure.
CBR Constant Bit Rate.
CC See Crypto Card.
CCC See Crypto Communications Controller.
CCGW See Conventional Channel Gateway.
CCH Control Channel.
CCITT Consultative Committee for International Telegraph and Telephone.
CCK Common Cipher Key.
CCM Channel Control Module. A CENTRACOM console module that is a direct
interface for the dispatcher to make calls and to indicate received calls.
CCMS See Customer Configuration Management System.
CDM See Console Database Manager.
CDR 1. Charging Detail Records.
2. See Call Detail Record.
CE Crypto Engine.
CEB See Central Electronics Bank.

Cell A geographical area which is covered by a BTS site. Note that at the edge of
the cell the Mobile Station can begin to receive signals from adjacent cells and
will use its stored reselection criteria to determine at what point it should retune
to a better signal.
Cell Reselection TETRA defines five types of cell reselection for a Mobile Station (MS) involved
in a circuit mode call; these definitions are given in this list. See also Announced
Cell Reselection, Unannounced Cell Reselection, Undeclared Cell Reselection.
Cell ID A relative identification number of a cell. Relative to the current serving cell.
CEN Customer Enterprise Network.
CENIB Customer Enterprise Network Interface Barrier.
Center for Internet Security An organization dedicated to helping address the security of
internet-connected systems by providing means to measure, monitor, and compare the security
level of systems.
CENTRACOM The Motorola product line of console dispatch equipment, including furniture
and programming.
CENTRACOM Elite Admin An application for creating objects on the CENTRACOM Elite operator
position desktops.
CENTRACOM Gold Elite Subnet A subnet that consists of a Windows based Console Database
Manager/Alias Database Manager (CDM/ADM) file server(s) and a number of Windows based
Operator Dispatch workstations.
CENTRACOM Gold Series Platform A platform that supports Classic Gold CRT, Classic Gold
Button and LEDs, and Elite operator positions.
Central Electronics Bank (CEB) The CEB is the main processing bank in Dimetra trunking
systems and provides an interface between the console positions and the RF equipment and
thereby the entire Dimetra system.
Central Network Management This term is used to describe the system control equipment to
which the sites are all connected. This is comprised of a number of items including the Zone
Controller, Zone Manager, User Consoles, and Site Link Multiplexers (Only
R3.x & R4.0).
CEPT Conference European des Postes et Telecommunications. An association of the
26 European PTTs (Postes (mail), Telephone and Telegraph) that recommends
communication specifications to the International Telecommunications Union
(ITU).
CES CENTRACOM Elite Server.
CG Charging Gateway.
Channel Control Window (CCW) The display seen by a console operator when using a
CENTRACOM Elite console operator position. Each CCW corresponds to an object monitored by
the console.
Checkpoint Check Point Software Technologies, a company producing products for network
security.
CIE Console Interface Electronics.

Circuit Mode Data A mode that offers constant data transfer rates of 2.4-28.8 kbps.
CIS See Center for Internet Security.
CiscoView Device Manager A Web interface provided with CiscoWorks 2000 that provides real
time views of networked Enterprise LAN Switch Systems devices.
CiscoWorks2000 (R5.0 & R5.1) A network management application that includes CiscoView
Device Manager and Resource Manager Essentials (RME). CiscoWorks 2000 is used to manage
the Cisco Catalyst 6509 Ethernet LAN switch. The CiscoWorks applications
reside on the Ethernet Switch Management Server (ESMS) and work together as
a LAN management solution.
CK Cipher Key
CKEK Common Key Encryption Key. An encryption key used solely to encrypt traffic
keys targeted for a group of secure entities.
Clear MS A mobile station that is registered on the system with ciphering off.
CLIP Calling Line Identification Presentation.
CLIR Calling/Connected Line Identification Restriction.
Cluster A cluster is defined to be a UCS cluster consisting of one to seven zones served
by the same UCS. A system consists of one to sixteen clusters. See Multicluster
System.
CMS Cable Management System.
CNE Central Network Equipment. The equipment located at the Master Site or
Mobile Switching Office.
CNI Customer Network Interface.
Codeplug The firmware that holds the unique personality for a system or device. The
codeplug is programmable to change system or unit parameters. Codeplugs
are found in Mobile Stations, CENTRACOM equipment, as well as in some
repeaters and 6809 controllers.
COAM Customer-Owned and Maintained.
COIM See Console Operator Interface Module.
Colocated Pertaining to a configuration in which equipment resides in the same physical
site.
Computer Aided Dispatch Interface (CADI) The CADI enables the user to do remote network
management through an Application Programming Interface (API). Possible functions may be
radio check, radio inhibit and Dynamic Group Number Allocation (DGNA).
Configuration Management Refers to the capabilities which allow the user to configure
operational parameters of physical and logical devices used within the system. There are two
categories, Subscriber Management performed through the User Configuration
System and Infrastructure Management performed through the Zone Manager.
Console The console is the equipment used by dispatchers to interact with the Dimetra
system and thus to communicate with system users. Only CENTRACOM Gold
Series Consoles are compatible with Dimetra.

Console Administration Terminal A terminal that is connected directly to the Zone Controller
to perform administrative functions for the system.
Console Database Manager (CDM) A software tool that permits changes to the console
database, which stores all features programmed for the console.
Console Interface Also known as Elite API. The Dimetra Console Interface runs under Windows.
May be used by 3rd party developers.
Console Operator Interface Module (COIM) An interface board in the Central Electronics Bank
that has the connections for the console operator positions. The module controls audio flow
and data signals to and from the console position.
Console Operator Remote Interface (CORI) An interface board used in a Central Electronics
Bank to provide connections between the Console Operator Interface Module and telecom lines
to a remote operator position.
Console Patch A unique call type. Some types of console patches can be performed by a
console operator to either expand the participant size for the call or to provide
interoperation ability between different agencies that do not communicate
together. For example, two multigroups would be created if talkgroups 1, 2,
3, and 4 were patched together and if talkgroups 1,2, and 3 are home to zone
1 and talkgroup 4 is home to zone 2.
Console Phone Patch A manual patch of a phone line module to another CCM/CCW. A CCM/CCW
may be associated with a trunked talkgroup or a conventional channel at the
time of the patch.
Console Only Talkgroup Call A type of call used exclusively for console operators, and does
not involve any Mobile Stations. All console operator members can be located within the same
zone or in different zones.
Constant delay service A network service (NS) where the transit delay of the NSDUs between
the network connection endpoints remains constant for the duration of the
connection.
Control channel The first time slot on the TETRA carrier frequency is always used as the main
Control Channel. The rest of the slots on the main carrier are used as Traffic
Channels.
Control Site A Control Site provides remote dispatch capabilities and remote access to
network management functions.
Control Message Term used to describe messages of a controlling nature sent between the BTS
and the Mobile Station (MS).
Control Router (R5.0) The Control Routers allow communication between the Zone Controller (ZC)
and the Transitional LANs within the Ethernet/LAN switch.
Controlling Zone The zone that coordinates the resources for a call. For group calls, the designated
Home Zone of the group is always the Controlling Zone for the call, regardless
of where group members are affiliated. For individual calls, the controlling zone
is the zone from which the voice service is being requested.
Controlling Zone Controller (CZC) The Zone Controller responsible for controlling a call
throughout its duration.

Conventional Channel Gateway (CCGW) The CCGW provides analog call detection, vocoding and
devocoding of audio, station keying and dekeying through Tone Remote Control (TRC) or E&M
relay, and tone LOBL (Line Operated Busy Light) detection (for parallel console
interoperation). The CCGW may or may not be integrated with the site router.
The alternative is to have the CCGW locally on the LAN. This option is
available to console sites with a large number of conventional resources.
Conventional to Conventional Patch A console patch that patches multiple conventional
resources within the same zone together.
Cooperative WAN Routing CWR interfaces the master site in one zone to Radio Frequency (RF)
sites, dispatch sites, system Operations Support System (OSS), and other zones. In
multizone systems, core and exit routers are configured in pairs to provide
path redundancy for audio and control packets. With CWR, the routers work
to control an external relay panel to switch a group of 12 non-redundant T1/E1
links between the two routers.
CORBA Common Object Request Broker Architecture.
Core Router The Core Routers allow communication between the BTS and other subnets.
CORI See Console Operator Remote Interface.
CoU Class of Usage.
cPCI compact Peripheral Component Interconnect
CPS See Customer Programming Software.
CRC Cyclic Redundancy Check. An error checking technique.
Critical site See critical site assignment.
Critical site assignment Critical Site Assignment is a Motorola service that supplements the
group call service. For each talkgroup, the Network Manager can create a list of ‘Critical
Sites’. These are sites that must be included in a group call for it to be set up.
Thus, even when Fast Start is in operation, the call will not be set up until
channels are available at all the critical sites for the talkgroup.
Crypto Card A PCI-based encryption module installed in the AuC server. The AuC Crypto
Card provides encryption services to the AuC such as key generation and
database encryption. A master key is stored in the AuC Crypto Card and is
utilized to encrypt and decrypt data stored in the AuC database.
Crypto Communications Controller The Crypto Communications Controller establishes the
communication between the Host CE. The current implementation uses a Power QUICC II for the CCC.
CSMA/CD Carrier Sense Multiple Access/Collision Detect. Technique used in Ethernet to
manage access to a shared transmission medium.
CSMS Core Security Management Server.
CSV Comma Separated Variable.
Current Alerts/Alarms A Fault Management feature which provides the user with a mechanism to view
the current alerts and alarms in a zone.
Current serving BS The Base Station (BS) on one of whose channels the Mobile Station (MS)
is currently operating.

Customer Configuration Management System (CCMS) The Customer Configuration Management
System comprises tools and processes to manage the configuration of a customer system. The
system controls data like serial numbers, s/w and h/w versions, parameter settings, license
numbers etc., in a database to provide detailed information about the complex structure of
systems.
Customer Programming Software (CPS) The software application used for programming Mobile
Stations. Formerly called RSS.
Customized IP Plan Provides the possibility to configure the Zone Octet and Cluster Octet in the IP
Plan independently from the Zone ID and Cluster ID.
Customized IP Plan CD CD-ROM that contains the complete IP Plan and Shared TLAN (optionally)
configurations.
CVO Clear Voice Override.
CWR See Cooperative WAN Routing
CZC See Controlling Zone Controller.
DAQ Delivered Audio Quality.
DAT Digital Audio Tape.
Data Gateway See SDR and PDG.
Data Link Connection Identifier (DLCI) A DLCI is a communications channel identifier used in
frame relay communications to identify a PVC (permanent virtual circuit) over the link
between the BTS and the Central Network Equipment.
Data Prioritization See Packet Data Prioritization
Database Server A UNIX based computer connected to the Ethernet network, which supports the
Zone Manager and contains the database for the Dimetra system.
DBP Downstream Billing Processor.
DC Dispatch Console.
DCE Data Communication Equipment.
DCK Derived Cipher Key
DDI Direct Dial In. Also known as DID (Direct Inbound Dialling).
DDP See Disabled Dialling Pattern.
Deaffiliation The process in which the Mobile Station signals to the system that it is no
longer monitoring the system, because it is powered down or it is changing mode
to another system which is not part of the Dimetra system.
Decryption The process of unscrambling an encrypted message or information to regain
the original information or message.
Delayed Acknowledgment A message indicating status transmitted after some delay.
DEM See Digital Elevation Model.
DGNA See Dynamic Group Number Assignment.

Diagnostics A feature that allows the user to disable a failing device, enable repaired devices,
and/or set certain device operational states.
DIB Data Interface Box.
DID Direct Inbound Dialling. Also known as DDI (Direct Dial In).
Digital Access Cross Connect System (DACS) A data concentrator and organizer for T1/E1 based
systems.
Digital Elevation Model (DEM) Computer readable data base with the elevation values (meters
above sea level) of a certain area.
Digital Power Meter (DPM) Device that measures the effect of the site antenna.
Dimetra Console See Elite Console.
Dimetra™ DIgital Motorola Enhanced Trunked RAdio. The Motorola Dimetra system
family is a sophisticated range of digital radio equipment that delivers the full
benefits of the TETRA standard. It is designed to meet the needs of the users of
both Private Mobile Radio networks (PMR) and Public Access Mobile Radio
systems (PAMR). The Dimetra product line includes base stations, switches,
operations management control, portables, mobiles, and consoles, all of which
are easily reprogrammed as the system is enhanced.
DIN Deutsche Industrie Normen (German Industrial Standards).
Direct Mode Operation (DMO) Direct communications between 2 or more mobile stations without
using any infrastructure.
Direct set-up signalling A signalling procedure where immediate communication can take place between
the calling and the called users without the alerting process and without an
explicit response from the called user that he has answered.
Dirty box An indicator button associated with a form or field. This button appears
darkened when any change to the form or field occurs.
Diagnostic Zone ID Number of zone with the lowest zone octet within the MSO (Mobile Switching
Office).
Disabled Dialling Pattern (DDP) An individual telephone within an ECN.
Disk Controller This Zone Controller module handles the flow of data to and from the hard
drives and the quarter inch tape drive.
Dispatch Console Dimetra master site equipment consisting of an advanced dispatch system, which
provides fixed dispatch capabilities to both the Dimetra trunked system as well as
conventional PMR radio systems including the ability to connect calls between
these systems. The dispatcher may also connect calls to a telephone system.
Dispatcher A person logged on to the console terminal or RCM terminal as a Dispatcher
who monitors and transmits commands to radio traffic.
DLCI See Data Link Connection Identifier.
DM See Direct Mode Operation.
DMO See Direct Mode Operation.

DMZ A DeMilitarised Zone is a network interconnecting other networks.
Downlink The radio frequency communications path from the BTS to the Mobile Station.
Also referred to as the BTS transmit path.
DPM See Digital Power Meter
Driver card A Zone Controller platform card for conversion of TTL protocol to RS-232
for the Line card.
DS0 The basic unit in the DSn (T1 and up) and E1 transmission applications. A DS0
carries a 64 Kbps data stream. A T1 line has 24 DS0s and an E1 line has 32 DS0s.
DSP Digital Signal Processing.
DSU Data Service Unit. A device used in digital transmission for connecting data
terminal equipment (DTE).
DSC Digital Service Cross Connect. Cross connection point for DS1 signals.
DTE 1. Data Terminal Equipment.
2. Data Traffic Estimator.
DTM Digital Terrain Model.
DTMF Dual Tone Multi Frequency.
Dual Watch Monitoring of both the trunked control channel and selected direct mode channel
by a radio operating in direct mode.
Duplex Transmission Duplex transmission means that both parties in the call can
send and receive traffic at the same time. There is generally no need for a PTT
to request transmit permission.
Note: Duplex can be achieved in a TDMA system (such as
TETRA) without the need for the Mobile Station (MS) to actually transmit and
receive at the same time; this is known as time division duplex. Also note that
although the transmission in the air is in duplex mode the MS is simplex, thus
the control of the loudspeaker and the microphone may be performed using PTT
in a semiduplex fashion as this may be the only accessory which is available.
Dynamic Group Number Assignment (DGNA) Dynamic Group Number Assignment allows the user to
create groups before or during group calls.
Dynamic regroup A Radio Dispatch Management option allowing a dispatcher to move radios
from one talkgroup into another. The radios receive reprogramming of certain
parameters using signalling over the control channel.
Dynamic site assignment This feature allows the Dimetra system to assign voice channels only
at the sites where radio users are registered to complete calls.
E&M Ear and mouth.
E1 Digital carrier facility used for transmission of data through the telephone
hierarchy. E1 consists of 32 channels, and has a total speed of 2.048 Mbit/s. E1
links are used in most countries other than the United States and Japan. T1 links
are mostly used in the US and Japan. Both T1 and E1 are composed of DS0s,
the basic 64 Kbps path that makes up these links.

E2E KVL End-to-End Encryption Key Variable Loader
End-to-End encryption Key Variable Loader The E2E KVL is used for End-to-End encryption. It
provisions the KEK (Key Encryption Key used for OTAK) and some other OTAK related
parameters. The E2E KVL can also be used for store-and-forward between the KMF and the MS.
The E2E KVL connects to the KMF and MS.
EAS See Environmental Alarm System.
EBTS See Enhanced Base Transceiver System.
EBTS Service Software The TETRA EBTS Service Software package used to configure and
communicate with the Dimetra BTSs.
EC 1. Electronic Codebook.
2. See Echo Canceller.
Echo Canceller (EC) The Echo Canceller provides echo cancelling of the echo returned from the
telephone system.
ECK Encryption Cipher Key
ECN See Exclusion Class Number.
ECU Environmental Conditioning Unit.
EEPROM Electrically Erasable Programmable Read Only Memory.
EIA Electronic Industries Association.
Elite Console A software based radio dispatch console working under Microsoft Windows
operating system.
Elite Operator Position Motorola’s GUI-based operator position.
Embassy Switch Ambassador Electronics Bank (AEB). A Time Division Multiplexing (TDM)
audio switch capable of simultaneously routing audio from multiple sources to
one or more destinations. In a Dimetra system, each Zone Controller controls
the audio routing for its associated AEB.
EMC 1) Encryption Module Cartridge.
2) Electromagnetic Compatibility.
Emergency Call The highest priority service of talkgroup call. When the emergency button of
a subscriber unit is pressed and a PTT initiated, an Emergency Call is granted
depending on the emergency setup method selected; i.e., Top of Queue or
Ruthless Pre-emption.
Encrypted MS A mobile station that is registered on the system to operate with ciphering.
Encryption The manipulation of a packet’s data in order to prevent anyone but the intended
recipient from reading that data. There are many types of data encryption, and
they are the basis of network security.
Encryption Algorithm A method of encrypting and decrypting information.
Encryption Device/Crypto Card A PCI-based encryption module installed in the PrC server. The
PrC Encryption Device (a Crypto Card) provides encryption
services to the PrC such as key generation and database encryption.
A master key is stored in the PrC Encryption Device and is utilized to encrypt
and decrypt data stored in the PrC database.

Encryption Key A set of 1s and 0s that is used to determine the transformation of plain text to
cipher text in a cryptographic algorithm and vice versa.
Encryption Management The Network Management system is able to switch the use of encryption
at a site on or off. This is a site wide function for all control and traffic channels,
except where users may be individually provisioned to operate without
encryption. These units will always operate with encryption switched off.
The Network Management system is able to remotely download new SCK to all
BTSs in the network using the remote Software Download facility.
End-to-End Encryption The Dimetra IP System supports End-to-End Encryption using the AES
algorithm.
Enhanced Base Transceiver System A site connected to a Dimetra master site via a site link.
A Dimetra remote EBTS site consists of a base radio (BR), and a site controller.
Contains up to 8 base radios, TETRA Site Controller, Environmental Alarm
System, RF Distribution System, antennas, power supply and the telephone
company supplied X.21 or E1 line termination equipment.
Environmental Alarm System (EAS) EAS. Remote Base Transceiver System (BTS) site component
that provides monitoring of internal and external site alarms and controlling functions such
as redundancy control etc.
EPROM Erasable Programmable Read Only Memory. A non-volatile, read only chip
with a quartz window on the top. The chip requires erasing with UV light
before reprogramming.
ESD Electrostatic Discharge
ESMS (R5.0 & R5.1) See Ethernet Switch Management Server (ESMS).
ETG Enhanced Telephone Gateway.
Ethernet A method used for connecting computer systems together using local area
network (LAN) technology.
Ethernet Hub A device that acts as a multiport repeater in allowing multiple devices to be
connected together into a single Ethernet LAN. All the devices connected to the
hub share the available bandwidth as all packets are repeated at all ports.
Ethernet Switch A device that acts as a multiport bridge allowing multiple devices to be connected
together into a single Ethernet LAN. Each of the devices connected to the switch
has the full bandwidth available as a switch learns which devices are connected
to which ports. Router: A device that routes IP packets between IP subnets.
Ethernet Switch Management Server (ESMS) (R5.0 & R5.1) The Compact PCI server where the
CiscoWorks2000 suite of applications resides.
ETS ETSI Technical Specification. A technical specification produced by ETSI to
define a communications standard.
ETSI See European Telecommunications Standards Institute.
European Telecommunications Standards Institute (ETSI) The European standards organization
responsible for the TETRA standard.

Exclusion Class Number (ECN) A set of telephone numbers or Disabled Dialling Patterns (DDPs)
defined in the Telephone Interconnect database that radios cannot access.
Exit Router The Exit Routers allow communication between different SMSO (LAN
SHARED MSO).
Explicit Authentication This term is used to describe a successful challenge-response-result
authentication procedure based on knowledge of the secret key K.
External calls A call where only one of the parties (either the source or the destination) is in a
TETRA network. The other party is in a non-TETRA network.
FACCH Fast Associated Control Channel.
FAS Frame Alignment Signal.
FastStart A feature that allows a talkgroup call to start as long as resources programmed
as critical are available. Non-critical resources are added to a call in progress as
they become available.
FAT Factory Acceptance Test.
Fault Management A feature that allows the user to monitor operation status, display fault
information, perform diagnostics on the system, and provide notification of
managed object malfunctions.
Fault Tolerant (FT) A redundant equipment design that withstands a single point of failure without
disruption of call processing or isolation of the failure with only partial loss of
call capabilities.
FIFO See First in, first out.
FIPS Federal Information Processing Standards.
FIPS-140-1 This Federal standard assures that cryptographic modules are effectively
designed to meet specific security objectives.
Firewall Device that protects the Dimetra System against intrusion and other attacks
from outside Dimetra.
First in, first out (FIFO) In a busy trunked system, radio service requests are handled in
the order received.
Fixed Network Equipment (FNE) All the system components excluding the mobile equipment i.e.
the CNE and all the remote site equipment.
Fleetcall See Announcement group.
Fleetmap A document listing configuration information for all users in the system.
FLM Formatted Logical Message.
FNE See Fixed Network Equipment.
FRAD Frame Relay Access Device.
Frame TETRA term used to describe a period of time on a channel. A frame is further
divided into timeslots, and a number of frames may be grouped into a multiframe.
Frame Relay A form of packet switching that uses smaller packets and requires less error
checking than traditional forms of packet switching. Communications protocol
used for multiplexing and routing data over the site link.

Frequency Reuse Planning A complex method of maximizing coverage with the same set of RF
channels. With proper planning, a given set of RF frequencies can be reused a number of
times throughout a very large service area.
FRU Field Replaceable Unit
FSSN Fleet Specific Subscriber Number.
FSU Fault Sense Unit
FT See Fault Tolerant.
FTP File Transfer Protocol.
FullVision (FV) Subsystem of the Dimetra network manager. This uses Hewlett-Packard
OpenView Network Node Manager to provide an industry standards-based fault
management platform.
FullVision Integrated Network Manager (INM) A Dimetra IP network management application used
for reporting system fault conditions. Using the SNMP protocol, the FullVision INM
application displays alarms reported by all devices.
FV See FullVision.
FVS FullVision Server.
FW See Firewall.
G-HLR See Group Home Location Register.
Gateway Router The Gateway Router allows communication between all VLANs and the
Transitional LANs within the Ethernet/LAN switch.
GBN See Ground Based Network
GCK Group Cipher Key.
General Purpose Input/Output Module (GPIOM) The purpose of the GPIOM is to interface audio
and auxiliary devices (e.g., microphones, speakers, and recorders) to the voice card located
in the dispatch console. The GPIOM can support 16 audio input paths and 16 audio output
paths simultaneously and independently, depending on which devices are
connected to the GPIOM.
GGSN Gateway GPRS Support Node. This is the only node that Dimetra IP
implements and that allows mobile users to access the customer network or
specified private IP networks.
Global Positioning System (GPS) A global positioning system which uses satellites to provide
a continuous time and positioning system. The EBTS and NTS use this system to maintain
system synchronization.
GOS See Grade Of Service.
GPIOM See General Purpose Input/Output Module.
GPRS General Packet Radio Service.
GPRS Tunneling Protocol (GTP) The GPRS Tunneling Protocol is used to establish a Packet Data
session through the Dimetra infrastructure.
GPS See Global Positioning System.

Grade Of Service (GOS) A specification which determines how often a radio or console user
will receive a busy. This is typically rated as a percentage of the total calls being
processed by the system.
Graphical User Interface (GUI) An icon-based user interface.
Ground Based Network (GBN) The entire E1 based network that makes up the site links and
inter MSO links.
Group Home Location Register (G-HLR) The HLR that stores information for talkgroups that are
home to that zone.
Group Home Zone The controlling zone for calls originated by a zone’s talkgroup members,
regardless of where they are located in the system at the time they originate
the call.
Group-Based Service Talkgroup voice-based services, includes Talkgroup Calls, Multigroup Calls,
Emergency Calls, and Group Regrouping.
GSSI Group Short Subscriber Identity. TETRA term, in Dimetra called Group ID
or Talkgroup ID.
GTP See GPRS Tunneling Protocol.
GTP’ GTP Prime, Packet Data Charging.
GTSI Group TETRA Subscriber Identity.
GUI See Graphical User Interface.
Half duplex Transmission Half duplex transmission means that only one Mobile Station (MS) can send traffic in a call at any time. All other MSs in the call will receive traffic. In the case of a voice call, for example, traffic transmission is generally initiated by an MS user pressing the PTT at which time the MS speaker is muted. The MS user releases the PTT at the end of the traffic transmission in order to hear the response from another MS in the call.
HDD Hard Disc Drive.
HDLC High level Data Link Control.
HLA Home Location Area.
HLR See Home Location Register.
Home Location Register (HLR) The entity that is used to receive (from the UCS) a master copy of individual and talkgroup Mobile Station information for call processing. It will also contain mobility information for individuals and talkgroups on a per zone level.
Home network A network where a Mobile Station (MS) has a direct subscription. This means that an MS identity has been allocated in advance of any network access.
Home Zone A designation made for each talkgroup and individual in the system that helps determine what Zone Controller will coordinate the call process.
Host A computer which provides services to other computers, such as database access.
Hot pull Modules or boards that can be pulled out and replaced without powering down the equipment that contains them.
HPOV Hewlett-Packard OpenView.

HSSI High Speed Serial Interface
I&DC Initialization & Default Configuration.
I/F Router The Interface Routers provide access to the Wide Area Network (WAN) links.
ICMP Internet Control Message Protocol.
ID Identification.
Identity (Group or Individual) A number which uniquely identifies an individual Mobile Station or group of mobile stations on a system.
IDSS See Intrusion Detection System Sensor.
IDSS Manager Intrusion Detection System Sensor Manager.
IEC International Electro-technical Committee.
IEEE Institute of Electrical and Electronic Engineers.
IFM Interzone Fault Management.
I-HLR Individual subscriber unit HLR.
Immediate Acknowledgment A message indicating status transmitted without delay.
Implicit Authentication An authentication procedure where the mobile station/infrastructure are assumed to be implicitly authenticated based on knowledge of the static cipher key-trunked mode operation (SCK-TMO) key.
Inbound Event Request made by a radio user and sent to the RCM.
Individual Call Private Call or telephone interconnect call.
Individual Site Access This command allows individual radio user access for Private Call and Interconnect options on specific sites, as configured by the Dimetra Network Manager.
Individual-Based Service Individual voice-based services which include Private Calls, Landline-to-Radio Interconnect Calls and Radio-to-Landline Interconnect Calls.
InfoVista A customisable performance management application for the transport system. It reports and graphs a wide variety of data from multiple devices, such as routers, Ethernet LAN switches, and the WAN switches. InfoVista resides on the Transport Network Performance Server (TNPS).
Infrastructure The equipment and facilities that make up the Dimetra IP radio system. These include zone, BTS site, and network management devices.
Inhibit A Dimetra RCM feature cancelling transmit and receive functions of a radio. The target radio must be on and within system range in order for this feature to function.
Initial cell selection In TETRA the act of choosing a first serving cell to register in. The initial cell selection is performed by procedures located in MLE and in the MAC. When the cell selection is made and possible registration is performed, the Mobile Station (MS) is said to be attached to the cell.
INM Integrated Network Management.

Interconnect This option provides independent telephone call capability for mobiles and portables.
Internal calls A call where the source (the calling party) and the destination (the called party) both lie in a TETRA network domain.
Internet Protocol (IP) A protocol used for carrying packets of data primarily in Ethernet based systems.
Interrupt Mode A mode of operation for multigroup calls that can be programmed so that the system immediately terminates all currently active talkgroup calls of all talkgroups within the multigroup.
Inter-TETRA call A call where source and destination are in different TETRA networks.
InterVening Network (IVN) IVN is the network which is used to interconnect two TETRA SwMIs at the ISI. The network may be of the following types:
- dedicated transmission system e.g. PCM;
- permanent circuit switched e.g. PSTN and ISDN;
- on-demand circuit switched e.g. PSTN and ISDN.
The IVN is also used to connect remote service terminal to Zone LAN switch.
Interzone (IZ) General term that refers to call processing that involves more than one zone in the system.
Interzone Audio Card (IZAC) (R4.0) Plugs into an Ambassador Electronics Bank (AEB). The card has modified AMB firmware to support interzone audio. The hardware is the same as an AMB board that interfaces Central Electronics Banks (CEBs) or sites to the AEB.
Interzone Audio Slot (IZAS) (R4.0) 64 kbps channel on OmniLink Ambassador card that carries audio DS0 level between two Ambassador Electronics Banks (AEBs) in different zones.
Interzone Trunking A trunking state between two zones in which the Ambassador Electronics Bank (AEB) and Zone Controller can communicate, and talkgroup-to-controlling zone mapping tables exist in both zones.
Intra-TETRA call A call where both source and destination are in the same TETRA network subdomain.
Intrusion Detection System Sensor (IDSS) The IDSS contacts the Authentication Server for user authentication when a user attempts to establish a connection to the IDSS via e.g. telnet. Access via the IDSS’s console port will also initiate the authentication process.
Intrusion Detection System Sensor Manager (IDSS Manager) The IDSS Manager is used for configuration of the IDSS located at the Customer Enterprise Network Interface Barrier (CENIB). Furthermore the IDSS Manager provides event notification and local logging when the IDSS reports about potential attacks or abnormal behavior.
IOP Inter OPerability.
IP See Internet Protocol.
IP in IP IP in IP is a way to alter an IP packet’s normal routing by encapsulating it within another IP header.
ISA Industry Standard Architecture.
ISDN Integrated Services Digital Network.
ISI Inter System Interface.
ISSI Individual Short Subscriber Identity. TETRA term, in Dimetra called Individual ID, a subset of ITSI.

ITC Inter TETRA Connection.
ITSI Individual TETRA Subscriber Identity, consists of ISSI plus country and Network codes.
ITU International Telecommunications Union.
ITU Conference Conference Européenne des Postes et Telecommunications. An association of the 26 European PTTs that recommends communication specifications to the International Telecommunications Union (ITU).
ITU-T International Telecommunications Union - Telecommunications Sector.
IZ See Interzone.
IZAC 1. See Interzone Audio Card.
2. Interzone Audio Channel.
IZAS (R4.0) See Interzone Audio Slot.
IZCP Interzone Control Path.
IZNM Interzone Network Manager.
K See Authentication Key.
K-REF A pair of parameters that identify a mobile station (MS) to the Authentication Centre (AuC). A K-REF pair is needed by the AuC to create authentication material (KS and KS’) for a MS.
Kbps Kilobits (1024 bits) per second.
KEK See Key Encryption Key.
Key Encryption Key (KEK) The KEK is also known as a shadow key. An encryption key used solely to encrypt traffic keys.
Key Management Facility (KMF) The KMF manages, distributes, and tracks the various types of key material used in the MS for the end-to-end encryption feature. The KMF distributes keys to the MS using the short data service as a transport.
Key Variable Also known as an encryption key. A set of 1s and 0s that is used to encrypt and decrypt information.
Key Variable Loader (KVL) A portable device used to load encryption keys to a secure entity.
Ki Authentication (Infrastructure) Key. A secret key used to encrypt and decrypt system and zone key encryption keys (KEKm and KEKz) transported over the radio system’s infrastructure network. Each zone controller, TETRA site controller, and base radio controller in the system is assigned a unique infrastructure key. An infrastructure key is generated and sent from the Authentication Centre (AuC) to the system entities using the Key Variable Loader (KVL) device.
KID Key Identification.
KMF See Key Management Facility.
KMM Key Management Message.

KMT Key Message Transport protocol. Protocol used to transfer keys between the AuC and ZC, TSC, and BRC.
KS, KS’ Session Authentication Keys. See Authentication Material.
KSG Key Stream Generator.
KSS Key Stream Segments.
KVL See Key Variable Loader.
KVM Keyboard Video Mouse.
LA Location Area.
LAN Local Area Network.
Land Use Land Cover (LULC) Also known as "clutter data". Computer readable database with information about the surface of the earth, e.g. wood, urban areas.
LAPD Link Access Procedure for D channel. A data transmission procedure used in ISDN systems on the D channel.
LED Light Emitting Diode.
License Key A unique set of numbers used to enable the Zone Manager/Radio Dispatch Management core software and purchasable options.
Local Site Trunking (LST) When a system fails or many of the sites lose connection to the CNE, the sites are designed to go into a fall back situation known as Local Site Trunking (LST). When the sites are forced to go into LST, the radios (users) are randomly distributed across all the sites and communication between radios is dependent on which site they are registered. Only radios registered at a particular site can communicate with each other.
Location Area (LA) The area within radio coverage of a base station or group of base stations within which a Mobile Station (MS) is allowed to operate.
Logging Operator Multiplex Interface (LOMI) A Central Electronics Bank (CEB) module responsible for demultiplexing audio routed to a recording device.
Logging Recorder Interface (LORI) This Central Electronics Bank (CEB) module interfaces with a recording device to provide audio from the LOMI through the AEI.
LOMI See Logging Operator Multiplex Interface.
LORI See Logging Recorder Interface.
LLR Local Logging Recorder.
LS-MSO A LAN Shared MSO is a collection of one and up to three zone cores, which are physically colocated and share one LAN switch. All zones in a LS-MSO are connected to a single TLAN pair.
LST See Local Site Trunking.
LULC See Land Use Land Cover.
MAC See Media Access Control.
Main Control Channel (MCCH) The main control channel at a site. The channel is used by Mobile Stations to register on the system and to request and set up speech calls with other Mobile Stations.

Master Key An encryption key stored in the PrC Encryption Device used to encrypt/decrypt data stored in the PrC database. The master key is loaded into the PrC Crypto Card using a Key Variable Loader (KVL) at the request of the PrC. The Master Key is also used in the AUC encryption device.
Master Site A physical location in a Dimetra system containing one or more sets of zone control equipment, including a Network Manager, Zone Controller, Ambassador Electronics Bank (AEB), Dispatch Console, Transcoder, Telephone Interconnect Gateway, and Site Link Multiplexer.
Mbps Megabits (1,000,000 bits) per second.
MBTS See Mini Base Transceiver System.
MCC See Mobile Country Code.
MCC 7500 A software based radio dispatch console working under Microsoft Windows operating system. RoHS and WEEE compliant.
MCCH See Main Control Channel.
MDG IPL Mobile Data Gateway Initial Program Load.
MDM See Preside Multiservice Data Manager (MDM).
MDMWeb A Web interface provided with Preside MDM that allows you to perform fault management tasks from the web browser.
Media Access Control (MAC) An address that is hardware coded into every Ethernet controller and is unique and cannot be changed. It is also the lower part of the second layer of the OSI Reference Model.
MER See Message Error Rate.
Message Error Rate (MER) Similar to Bit Error Rate (BER), but related to whole messages instead of single bits.
Message number The number of a selectable message corresponding to a predefined text for radio to dispatcher communications.
Message Trunking A feature that allows radios in the same talkgroup call to continue, utilizing a hang time to allow responding users to respond on the same channel assignment.
MG Multigroup.
MGEG See Motorola Gold Elite Gateway.
MIB Management Information Base.
Migration The act of changing to a new Location Area in a network (either with different MNC and/or MCC) where the user does not have subscription (ITSI) for that network.
Mini Base Transceiver System (MBTS) The Mini Base Transceiver System connects to the MSO through an X.21 or fractional E1 link. Contains up to 4 base radios, TETRA Site Controller, RF Distribution System, remote GPS receiver and power supply. The MBTS uses a hybrid combiner and is only available in dual diversity.
MLE See Mobile Link Entity.

MMI Man Machine Interface.
MNC See Mobile Network Code.
MNR Motorola Network Router.
MO Mobile Originated.
Mobile Country Code (MCC) The Mobile Country Code is as defined in CCITT recommendation X.121 and is normally the same as used for GSM systems in that country. The MCC and MNC together form a unique TETRA system identifier that is broadcast by a Dimetra system over the air interface.
Mobile Link Entity (MLE) TETRA air interface term, see Announced Cell Reselection.
Mobile Network Code (MNC) The Mobile Network Code should be allocated by the national authority that allocates frequency assignments in a country and should be requested from that authority at the same time as frequency allocations are requested. The MCC and MNC together form a unique TETRA system identifier that is broadcast by a Dimetra system over the air interface.
Mobile Network Identity (MNI) The identity that is broadcast by all TETRA base stations to uniquely identify the network.
Mobile Station (MS) A two-way voice and data communications device used by Dimetra IP system subscribers. For the Dimetra IP system, the MS stores and utilizes an authentication key (K) for explicit authentication purposes and a static cipher key-trunked mode operation key (SCK-TMO) for implicit authentication and air interface encryption purposes.
Mobile Switching Office (MSO) MSO is a collection of zone cores that coincides on a physical location and that may consist of several Local Area Networks (LANs) connecting various servers and clients into the network and one or more Wide Area Network (WAN) switches providing the Frame Relay (FR) for the Base Sites and Asynchronous Transfer Mode (ATM) for the Inter-MSO. An MSO may consist of one or more and up to seven Zone Cores connected via LANs and WAN links.
MoCa Motorola California.
Modulation Types Methods used to modify the radio frequency carrier signal to carry speech and/or data information over the carrier signal.
Motorola Gold Elite Gateway (MGEG) The MGEG is the interface between the IP packet switched transport of a Dimetra IP System and the circuit switched transport of the Gold Series system and the telephone interconnect system.
Motorola Telephone Interconnect Gateway (MTIG) The MTIG acts as a gateway in the TI architecture and provides transcoding of voice between the external PABX and the Dimetra IP network. MTIGs comprise the functions of AEBs, MGEGs and TIGs. RoHS and WEEE compliant.
Motorola Transceiver Station (MTS) A site connected to a Dimetra master site via a site link. A Dimetra MTS site consists of 2 or 4 base radios and a site controller. RoHS and WEEE compliant.
MoU Memorandum of Understanding.
MS TETRA Mobile Station (portable and mobile radios). See Mobile Station.

MSEL See Multiselect.
MSFC Multilayer Switch Feature Card.
MSK Minimum Shift Keying. A smooth transition form of PSK.
MSO See Mobile Switching Office.
MSO CSMS A CSMS that operates on MSO level.
MT Mobile Terminated.
MTBF Mean Time Between Failures.
MTIG See Motorola Telephone Interconnect Gateway
MTS See Motorola Transceiver Station
MTU Maximum Transmission Unit.
MultiCADI Multi CADI provides an expansion of the CADI allowing multiple CADI clients and inter zone/cluster routing of commands and events.
Multizone COAM Multizone COAM is a multiple zone Dimetra IP system that is customer-owned and operated. The customer has purchased the perimeter protection (CENIB) option but is self-maintaining.
Multicast Traffic IP Multicast traffic is more efficient than normal unicast transmissions because the source can send a message to many recipients simultaneously. One-to-one communication for each source destination pair is not required. IP Multicasting allows many recipients to share the same source. This means that just one set of packets is transmitted to send the same information to many destinations.
Multicluster System System configuration with up to 16 clusters and a maximum number of 56 zone cores in total. The clusters are individually configured and managed. Multicluster network management capabilities also allow integrated configuration and management across clusters. Through proper configuration, mobile stations can operate and communicate with other mobile stations in other clusters.
Multigroup A talkgroup composed of other talkgroups.
Multiselect (MSEL) Dispatchers can select several talkgroups at once for dispatching, using a single channel resource.
Multi-slot Packet Data Channel Multi-slot Packet Data Channels (PDCHs) comprise between 2 and 4 timeslots configured to form a single logical channel. A multi slot PDCH can provide higher data throughput than a single slot PDCH.
Mute A control signal used by the repeater to quiet audio and break the in-cabinet repeat.
MUX Multiplex/Multiplexer.
MZC 5000 Zone Controller equipped with a Netra 240 server.
MZS Multizone System.
NACK Negative status acknowledgment.
NAM Network Analyser Module which is part of the Ethernet LAN Switch.

NAT Network Address Translation.
Nationwide See Multicluster System
Nationwide DNS Menu (UCS) Enables the user to configure the Nationwide system.
Network Information Service (NIS) A system that allows files such as hosts, passwords, etc., to be updated in only one place and shared across multiple hosts.
Network Management (NM) Network Management consists of a set of software tools that supports the management of a complex radio communications system and its component parts, which include radios, computers, and internetworking components.
Network Management Client The Network Management Client is a Windows based PC running the various network management client applications accessing the network management servers.
Network SAP Address (NSAP Address) Addresses that belong to other (non-TETRA) addressing domains. These other domains include ISDN, PSTN and PDN domains.
Network Time Protocol (NTP) A protocol used to provide a time and date reference to all IP connected system elements (NTP clients) that support the NTP protocol.
Network Time Server (NTS) The NTS is a server that acts both as an NTP server and as clock reference for the CNE equipment.
Network Transport Management Server (NTMS) NTMS provides the backup and restore management for the HP 5308XL LAN switch, Cisco Catalyst 6509 LAN switch, and the Nortel 7480 WAN switch.
NI Network Interface.
NIC Network Interface Card (Ethernet Card).
NIS See Network Information Service.
NM See Network Management.
NMC Network Management Centre.
NMT Network Management Terminal.
NNM Network Node Manager.
Nominal radio coverage area The nominal radio coverage area is the geographical area over which the radio transmission performance exceeds a defined level. Note: The boundary of the nominal radio coverage area is defined by a Bit Error Ratio (BER) contour as defined in ETS 300 392-2 [17], clause 6.
NS Network Security.
NT 1. New Technologies. A Microsoft Windows environment.
2. Network Termination.
NTMS See Network Transport Management Server.
NTP Network Time Protocol.
NTS See Network Time Server.
Object A term referring to a system resource manipulated through the Dimetra Manager.

OmniLink Shortened from the complete product name ‘Dimetra OmniLink’. OmniLink also indicates the function or feature operates across zone boundaries; also called ‘multizone’ or ‘interzone’.
OmniLink Network Management System Defines the collection of subsystems, including OmniLink Zone Managers, the User Configuration Subsystem, and the FullVision Integrated Network Manager that provide the network management capabilities for a Dimetra OmniLink system.
OmniLink Zone Manager (OZM) The zone level application that operates on the OZM subsystem LAN.
On/off hook signalling A signalling procedure which includes an alerting process to the called user. The calling user should wait for an explicit response from the called user that he has answered before the call can be set up.
Open Systems Interconnect (OSI) The OSI model is an international standard layered reference model that defines a generalized communication system. It shows how the functions in a communication system can be divided into seven functional layers.
OSI See Open Systems Interconnect.
OSI Model An international standard layered reference model that defines a generalized communication system. It shows how the functions in a communication system can be divided into seven functional layers.
OSS Operations Support Subsystem.
OTAK Over-The-Air-Key management.
OTAR Over-The-Air-Rekeying protocol. Used in connection with Air Interface Encryption.
Outbound Function initiated by RCM user and sent from the RCM to a target radio.
OZM See OmniLink Zone Manager.
PABX Private Automatic Branch Exchange, also called PBX.
Packet Data Gateway (PDG) One PDG is made up of one PDR and one RNG. A Packet Data Gateway (PDG) provides IP connectivity between host applications connected to Dimetra Mobile Stations or between a host application connected to a Dimetra Mobile Station and a host application connected through the Dimetra Master Site.
Packet Data Mode (PDM) A data mode selected from the radio. It offers the possibility of transferring data in the packet data format.
Packet Data Prioritization Delivers downlink data according to priority set by the end-user application rather than determined by order of arrival. This allows high priority data to be delivered prior to any lower priority data in queue.
Packet Data Router (PDR) The Packet Data Router is one of the two software packages in the Packet Data Gateway. The PDR handles the IP functionality. See also RNG. The two software packages, PDR and RNG, cannot function as stand alone applications, i.e. both must be in operation before PDG functionality is available.
Packet Data Service (PDS) Packet Data Service is a TETRA bearer service that allows IP hosts to communicate using the Internet Protocol.

Participating Zone For a particular talkgroup call, a zone that has talkgroup members registered to it but is NOT the Controlling Zone. It is a zone that is ‘participating’ in a talkgroup call.
Participating Zone Controller A Zone Controller that is active in a call or busy but that is not in overall control of the call.
Passive An RCM indicator showing that a command is waiting for activity from the targeted radios before sending radio commands.
Patch By selecting two or more talkgroups, dispatchers can join members of talkgroups for normal message trunking operations.
Patch Panel Switches all the links on the interface to one of the routers connected to it.
PB (R3.x & R4.0) PathBuilder.
PCI Peripheral Component Interconnect.
PCM See Pulse Code Modulation.
PD Packet Data.
PDCH Packet Data Channel.
PDCIA Personal Computer Memory Card International Association: A standard that defines I/O interface and software specification for 68 pin connector interface cards (memory, modem, etc.).
PDG See Packet Data Gateway.
PDN Packet Data Network.
PDR See Packet Data Router.
PDS See Packet Data Service.
PDU Protocol Data Unit.
PEI Peripheral Equipment Interface.
Peripheral Network Router The Peripheral Network Routers allow communication between DeMilitarised Zone (DMZ) subnets.
Performance Management Pertains to monitoring, controlling, and optimizing the utilization of system resources.
Performance Reports These applications allow you to capture system wide and zone wide activity data.
Permanent Virtual Circuit A virtual circuit that is permanently available. The only difference between a PVC and a switched virtual circuit is that an SVC must be re-established each time data is to be sent. Once the data has been sent, the SVC disappears. PVCs are more efficient for connections between hosts that communicate frequently.
PIM-SM Protocol Independent Multicast-Sparse Mode.
PIN Personal Identification Number.
PN Peripheral Network.
PN Router Peripheral Network Router.
Positive subscriber list A feature enabling radios to use the system until they are deleted from the database.

PPC See Pre-emptive Priority Call.
PPP Point to Point Protocol.
PrC See Provisioning Centre.
PRC Primary Reference Clock
Pre-emptive Priority Call (PPC) The Pre-emptive Priority Call (PPC) feature allows enabled talkgroups, multigroups and radio users to be given higher priority for the allocation of traffic resources.
Preside Multiservice Data Manager (MDM) (R5.0 & R5.1) A network management application that manages the WAN switch. Preside MDM resides on the WAN Switch Management Server (WSMS).
Primary Rate ISDN ISDN channels delivered on a 2Mbit/s line.
Primary Talkgroup Talkgroup configured for a radio user determining which RCM(s) should receive the corresponding radio events.
Private Call An "individual" call between two radios or between a radio and a console operator.
Private Radio Network Management Suite Application Launcher The Private Radio Network Management Suite Application Launcher is the single entry to all the management applications on a Dimetra system.
PRNM Private Radio Network Management.
PRNMS Application Launcher See Private Radio Network Management Suite Application Launcher.
PROM Programmable Read Only Memory.
Provisioning Centre (PrC) The PrC consists of a Client/Server and database application. The PrC SW will generate, store, and track the delivery of the K and the SCK TMO from the PrC to the MS. The PrC interfaces with the KVL to transport and confirm delivery of keys to the MS. Once keys are provisioned, the PrC will provide derived key material through an electronic file. This file will be written to a CD and be provided to the Dimetra AuC, or other non-Dimetra network key management application.
PSK Phase Shift Keying.
PSM Public Safety Microphone.
PSTN Public Switched Telephone Network.
PSU Power Supply Unit.
PTT See Push-to-Talk.
PTT message The indication when a call begins informing the dispatcher of the type of call, current talkgroup or multigroup, and the time of the call request.
Pulse Code Modulation (PCM) The type of modulation used over T1 and E1 communication facilities.
Push-to-Talk (PTT) Button on a Mobile Station radio unit that allows the subscriber to transmit.
PVC See Permanent Virtual Circuit.

QOS See Quality of Service.
QSIG Q-reference point Signalling.
Quality of Service (QOS) Refers to certain characteristics of a Network Connection (NC) as observed between the NC end points which are attributable solely to the Network Service (NS) provider.
Quick Operations Panel A window element containing pushbuttons used to quickly perform tasks within the window.
Radio A two-way communication device used for voice and data. Referred to as Mobile Station in the TETRA standard.
Radio activated deregistration A radio function to send in a deregistration signal when turning off power or going to another trunked or conventional personality.
Radio Control Manager (RCM) RCM is a software application which runs at the System Manager and is primarily used by certain Console dispatchers, typically supervisors.
Radio Frequency (RF) General term for the range of frequencies used in radio communication systems.
Radio Network Gateway (RNG) The Radio Network Gateway is one of the two software packages in the Packet Data Gateway. The RNG handles the BTS interface. See also PDR. The two software packages, PDR and RNG, cannot function as stand alone applications, i.e. both must be in operation before PDG functionality is available.
Radio Query Tasks A set of dispatcher commands to obtain information on radio users in the Dimetra system.
Radiocheck A Radio Query Task command the dispatcher uses to verify registered radio users.
RADIUS Remote Authentication Dial-in User Service.
RAG Resource Allocation Group.
RAIM Receiver Autonomous Integrity Monitoring. This feature is provided to handle a specific GPS satellite which is known to provide a low quality signal.
RAM Random Access Memory.
Random Access The method by which a Mobile Station transmits unsolicited requests to the BTS. This might occur in the case of specific periods where Mobile Stations are permitted to transmit requests.
Ranking A procedural method of listing cells in descending order from the most suitable for communication to the least suitable for communication. The method comprises multiple calculations of C4 parameters and C3 parameters, defined in ETS 300 392-2 [17], clause 10. Inputs to the ranking procedure are:
- outputs from the monitor process (e.g. C2 parameters);
- outputs from the scanning process (e.g. C1 parameters);
- network parameters received in the MLE broadcast.
RAPI Radio Applications Programming Interface.
RAS Remote Access Server
RCM See Radio Control Manager.
RDP Remote Desktop Protocol.

Recent System User A radio user recently active on the system receives a higher priority for service
(RSU) requests before new users who have not been assigned channel resources.
Red Key An encryption key that is not encrypted by another key.
Registration The act of becoming an active and recognised TETRA user by exchange of ITSI
with the Switching and Management Infrastructure (SwMI).
Relay Panel See Patch Panel
Remote Console A console located off the master site through remote access equipment.
Remote Monitor The instruction sent to a radio that causes the radio to key its transmitter and
open its microphone.
Remote Operator Console Interface (ROCI) An interface board used in a remote operator position to
provide connections between the Console Interface Electronics and telecom lines to a Central
Electronics Bank at another location.
Remote Site See Enhanced Base Transceiver System or Control Site.
Requesting Zone The actual Zone the radio is registered with at that moment if it is not the
selected talkgroup’s home Zone.
Resource Manager Essentials (RME) A suite of Web-based applications that manage the LAN switches
and the MSFC router cards on the LAN switch.
Resources A general term for network infrastructure and radio channels.
RF See Radio Frequency.
RF Distribution System (RFDS) Remote Base Transceiver System (BTS) site component that combines
inputs from the base radios to feed one or more antennas.
RFDS See RF Distribution System.
RIP Routing Information Protocol.
RMC Receiver Multicoupler.
RJ45 A serial connector similar to a standard telephone connector, except it houses
eight wires instead of four
RME See Resource Manager Essentials (RME).
RNG See Radio Network Gateway.
RNI Radio Network Infrastructure.
roaming The movement of a radio user from one site to another site. The radio registers
and affiliates on each site as the user moves from one coverage area to another.
ROCI See Remote Operator Console Interface.
Router Manager User Interface (UI) A configuration management application that enables you to group
routers so you can back up, restore, and reboot more than one router at a time. You can
also use Router Manager to maintain router configuration and software files on
the FullVision server and view router information, perform tasks, and launch
WebLink sessions. Router Manager UI resides on the FullVision INM server.
RP Rendezvous Point.
RSM Remote Speaker Microphone (for a Mobile Station).

RSOM (R5.0 & R5.1) See Redundant Switchover Module.
RSSI Radio Signal Strength Indicator.
Redundant Switchover Module (RSOM) The Redundant Switchover Module (RSOM) in a call processing
hardware configuration is the mechanism used to switch manually from the active zone
controller to the standby zone controller (and vice versa) to maximize system
availability and to maximize system performance during hardware or software
upgrade procedures.
RSS Radio Service Software. See CPS.
RSU See Recent System User.
Ruthless Pre-emption A method of acquiring a channel for an emergency call in a busy condition.
A call with a lower priority is terminated to release a channel for assignment
to the emergency call.
RX Receiver.
SAC Subscriber Access Control.
SACCH Slow Associated Control Channel.
SAS Symantec AntiVirus Server.
SAV Symantec AntiVirus Client.
SAVCE Symantec AntiVirus Corporate Edition.
SC See Site Controller.
SCI Serial Communications Interface.
SCK See Static Cipher Key.
SCKN Static Cipher Key Number.
SCK-TMO See Static Cipher Key-Trunked Mode Operation Key.
SCO See Site Capacity Option.
SDR See Short Data Router.
SDS See Short Data Service.
SDS - TL Short Data Service Transport Layer.
SDTS Short Data Transport Service.
SEK See Signalling Encryption Key.
Secure Database A database in encryption mode which holds all of the encryption keys.
Services The TETRA standard offers a range of services.
Serving cell The cell that is currently providing service to the Mobile Station (MS).
SGSN Serving GPRS Support Node. The PDG acts as SGSN.
Shared TLAN An optional feature in Dimetra that lets seven zones share three HP LAN
switches.

Short Data Router (SDR) A Short Data Router (SDR) provides TETRA short data services between host
applications connected to Dimetra Mobile Stations or between a host application
connected to a Dimetra Mobile Station and a host application connected through
the Dimetra Master Site. Furthermore the SDR provides TETRA short data
services directly between two Dimetra Mobile Stations or directly between a
Dimetra Mobile Station and a host application connected through the Dimetra
Master Site.
Short Data Service (SDS) A flexible bearer service that transfers information from one interface to another.
Short Subscriber Identity (SSI) The network specific portion of a TSI. An SSI is only unique
within one TETRA subdomain (one TETRA network).
Note: There are four different types of SSI (see subclause 7.2.3):
a) Individual SSI (ISSI);
b) Group SSI (GSSI);
c) Alias SSI (ASSI);
d) Unexchanged SSI (USSI).
SIB Service Interface Barrier is the barrier between the RNI and the infrastructure of
the service organization.
Signalling Encryption Key (SEK) The SEK is used for encrypting and decrypting KMMs.
Signalling System 7 (SS7) A signalling protocol used in the Integrated Services Digital Network (ISDN)
that controls how the ISDN network is managed.
SIM Subscriber Identity Module.
Simple Network Management Protocol (SNMP) A means to monitor and set network configuration and
runtime parameters.
Site This normally refers to a remote base station site.
Site Capacity Option (SCO) The Dimetra SCO System is a downsized version of the Dimetra IP Multizone
system. The Dimetra SCO System consists of one zone only.
Site Controller (SC) The Site Controller is capable of controlling up to 8 BRs (32 logical channels)
and contains the SRI (Site Reference ISA) time and frequency reference module.
The module’s function is to provide a precise timing reference and a highly
stable frequency reference for the BTS. An optional second Site Controller can
be added to an EBTS, but not to an MBTS, for redundancy.
Site Handover When a roaming Mobile Station is handing over within the same zone or to
a new zone.
Site Link Wide area network (WAN) communication link that connects a Dimetra master
site to a remote site.
Site Link Multiplexer (SLM) (R3.x & R4.0) The Site Link Multiplexer combines all the necessary
control, management, IP data, and voice/data traffic into one n * 64 kbit Frame Relay formatted
link between the master and remote sites. This allows efficient use of the links
between the remote and master site which are often expensive leased links. The
SLM also ensures system synchronization to the network, i.e. the provider of
the leased synchronous lines.

Site Registration and Affiliation Automatic radio transmission of talkgroup affiliation and radio ID
when powering up or entering a new site. This site registration information enables the
Zone Controller to locate all active radio users and talkgroup members.
Site switch activated deregistration When a radio registers on a new site, the Zone Controller
deregisters the radio from its previous trunking site and registers it on the new site.
Site Switch Deaffiliation When a radio changes sites and affiliates on the new site, the Zone Controller
automatically deaffiliates the radio from its previous trunking site.
Site trunking mode Local trunking operations after remote site and audio link failures. The site
controller performs all call processing. No communication links exist to other
sites.
Site Wide Call (SWC) This feature is similar to system wide call in SMARTNET II. A site wide call
goes out to all radio users and talkgroups registered on the sites selected for
the call.
SLM (R3.x & R4.0) See Site Link Multiplexer.
SmartCenter Checkpoint’s Firewall / Security management console suite.
Smart Phone Interface (SPI) One of the telephone interconnect interfaces for the CENTRACOM consoles.
SMS Secure Manager Subsystem.
SMSO Shared MSO.
SNDCP Subnetwork Dependent Protocol.
SNMP See Simple Network Management Protocol.
Software Download A System Manager application that allows remote software upgrades on the
EBTS/MBTS.
SONET See Synchronous Optical Network.
Source Site The site where a radio user initiates any of the call types.
SPAS System Parent Anti Virus Server.
SPI See Smart Phone Interface.
SRAM Static Random Access Memory.
SRI Site Reference ISA.
SS7 See Signalling System 7.
SSC Symantec System Center.
SSI Short Subscriber Identity.
SSS See System Statistics Server.
Standard IP Plan Configuration of the system in which the zone octet is equal to the zone ID for
all 56 zones and the cluster octet is equal to the cluster ID for all 16 clusters.
Static Cipher Key (SCK) Key used for encryption between subscribers and BTS base radio.

Static Cipher Key-Trunked Mode Operation Key (SCK-TMO) A key used to provide over-the-air encryption
services for mobile stations operating in a trunking mode. All MSs and BTS site equipment within
the radio system share a unique SCK-TMO key. A static cipher key is imported or
typed into the Authentication Center (AuC) and is distributed to all base radio
controllers using its zone key encryption key (KEKz).
STM See System Timer Module.
Storm Plan An RCM optional function to regroup talkgroups for special situations, such as
disasters or crowd control. The feature allows preset procedures for quick and
efficient manipulation of emergencies and planned events.
Subnetwork A collection of equipment and physical media which forms an autonomous
whole and which can be used to interconnect real systems for purpose of
communication.
Subscriber A Mobile Station, with Dimetra software installed.
Supplementary service A service which modifies or supplements a bearer service or a teleservice. A
supplementary service cannot be offered to a customer as a stand alone service.
It should be offered in combination with a bearer service or a teleservice.
SVC Switched Virtual Circuit. See PVC.
SWC See Site Wide Call.
Switching and Management Infrastructure (SwMI) The TETRA term for FNE. See FNE.
SWDL Software Download feature.
SWDLM Software Download Manager.
SwMI See Switching and Management Infrastructure.
SWTG Site Wide Talkgroup.
Symmetricom S200 The SyncServer Network Time Server offering protocols for synchronizing
equipment over a network
Synchronous Optical Network (SONET) A synchronous optical hierarchical time division multiplexing
system that operates at speeds referenced to 51.84 Mbps, commonly referred to as OC1.
OCn data speeds are multiples of the basic data rate transfer of OC1.
System CSMS A CSMS that operates on system level.
System A System is a collection of Clusters where the maximum number of zones in all
the clusters cannot exceed 56.
System ID A unique identification used as a reference for the system licence keys and
for CCMS. The system ID is required when ordering additional licences or
upgrading to ensure the original licence credits are retained. The system ID is
not broadcast by the Dimetra system. This ID should not be confused with
the Mobile Network Code (MNC) that is broadcast by a Dimetra system over
the air interface.
System Statistics Server (SSS) The SSS is a UNIX based server that provides data storage for
statistics data. It allows for system wide reporting functions to be stored.

System Timer Module (STM) This CEB module controls the timing signals for data and audio processing.
T1 Digital carrier facility used for transmission of data through the telephone
hierarchy. T1 links are mostly used in the US and Japan. E1 links are used
in most other countries. Both T1 and E1 are composed of DS0s, the basic 64
Kbps path that makes up these links.
Talkgroup A group of radio users that can share calls and messages as a group. A talkgroup
normally comprises users who have a need to communicate with each other.
Talkgroup Scan A feature that allows a Mobile Station to scan those talkgroups that have an
affiliated member at the scanning radio’s site. The Talkgroup Scan list(s) must
be programmed in the radio.
Talkgroup site access The Zone Manager can limit access by talkgroups to specific sites and the
controller rejects call requests on non-designated sites. Emergency calls can
access any site.
Target talkgroup Talkgroup assignment made by a dispatcher for communications between
regrouped radio users.
Task A dynamic function command directing radios and talkgroups to execute an
action.
Task indicator A screen indicator to inform dispatchers that a task requires service.
Task work window An interactive window that allows dispatchers to enter information into the
RCM database.
TCH Traffic Channel.
TCP/IP Transmission Control Protocol / Internet Protocol.
TDMA See Time Division Multiple Access.
TE Terminal Equipment.
TEA1/TEA2/TEA3 (R5.2) TETRA Encryption Algorithms.
TEI TETRA Equipment Identity.
TEK See Traffic Encryption Key.
Telephone Interconnect A call feature that provides subscriber access to the Public Switched Telephone
Network (PSTN). Telephone interconnect can be used for both land-to-mobile
calls and mobile-to-land calls.
Telephone Interconnect Gateway (TIG) Dimetra master site equipment providing a computer
telephony-based Telephone Interconnect Gateway function providing easy adaptation of current and
new analogue and digital line interfaces. The Telephone Interconnect Gateway
connects to a PABX via QSIG.
Teleservice End to end application that allows e.g. group calls, emergency calls and private
calls.
TESS Tetra EBTS Service Software. See EBTS Service Software

TETRA TErrestrial Trunked RAdio. The digital trunked radio standard produced
by ETSI providing detailed telecommunications specifications to which Base
Stations and Mobile Stations should adhere.
TETRA Equipment Identity (TEI) An electronic serial number that is permanently embedded in the TETRA
equipment. A TEI is embedded in both Mobile Stations (MSs) (in the MT)
and in LSs (in the NT).
TETRA site controller (TSC) See Site Controller.
TG See Talkgroup.
TIA Telecommunications Industries Association.
TIG See Telephone Interconnect Gateway.
Time Division Multiple Access (TDMA) A method that divides a single communications channel into a
number of separate channels by dividing a fixed time period into time slots. Multiplexing
scheme used over T1 and E1 and other transmission media for transferring
multiple streams of voice and data over the same physical transmission medium.
Time slot Element of the TETRA frame structure corresponding to one traffic channel.
TLAN Transitional Local Area Network.
TMI TETRA Management Identity.
TMO Trunked Mode Operation.
TNM Transport Network Management.
TNPS See Transport Network Performance Server (TNPS).
Top of queue A method of acquiring a channel for an emergency call by transmission trunking
calls with the lowest priority. When a call ends, the controller assigns the
available channel to the emergency call.
TPI Talking Party Identification.
Traffic Channel Traffic channels are logical channels used to carry user data over the air
interface. Traffic channels may be assigned to carry speech or packet data. Each
base radio in a BTS supports up to 4 traffic channels.
Traffic Encryption Key (TEK) The TEK is also known as a traffic key. An encryption key used for
voice and data.
Traffic Packet Term used to describe the voice signal sent between the BTS and a Mobile
Station.
Trak 9100 A system providing ultrastable frequency time and reference signals, referenced
to the GPS satellite system.
Transcoder (XCDR) (R3.x & R4.0) Dimetra master site equipment that converts audio streams between
TETRA ACELP compressed voice and 64 Kbps PCM voice. Pulse Code Modulation
voice is used for the Dispatch Consoles and the Telephone Interconnect Gateway.

Transmission Delay Transmission of circuit mode voice or data in digital communications is
subject to delay. The transmission delay is defined as the time from the voice
or data input at the transmitting end to the time at which the data is received
at the receiving end. In the case of audio, for example, this is the time from
microphone input to speaker output.
Transmission Trunking Trunking application that requires radios in a talkgroup to return to the
control channel and receive a new channel assignment after each Push-To-Talk (PTT).
Transport Network Performance Server (TNPS) The HP NetServer server where the InfoVista application
resides.
Truncate To shorten or cut off. For example, if a voice transmission is truncated, the
receiving radios do not hear part of the message.
Trunking The automatic and dynamic sharing of a small number of communication
channels between a large number of radio users.
TSC TETRA Site Controller, see Site Controller.
TSI TETRA Subscriber Identity.
TX Transmitter.
Tx-I Transmit Inhibit.
UCM 1. See User Configuration Manager
2. Universal Crypto Module.
UCS (R3.x) See User Configuration Subsystem.
(R5.x) See User Configuration Server.
UCS Synchronisation Tool The User Configuration Server (UCS) Synchronisation Tool provides automated
intercluster configuration of some of the UCS objects that must be registered
in all clusters in a multicluster system.
UDP User Data Protocol.
UKEK See Unique Key Encryption Key.
UI See Router Manager User Interface (UI).
Unannounced Cell Reselection This type of cell reselection occurs during a call when the Mobile
Station (MS) suddenly loses cell coverage before it has found an alternative cell. The MS
has no time to inform the serving cell that it is about to change cell and so
simply scans for an alternative cell, registers with the new cell, if necessary, and
attempts to reconnect the call. This results in a break in communication which
can be several seconds.
Undeclared Cell Reselection This type of cell reselection occurs when the Mobile Station (MS) is
outside a call and is idle. When an MS then decides that a better cell is available and
hence wants to change cell, it will then switch to the new cell and register itself.
The changeover will be very fast (less than 500 milliseconds) as the MS need
not synchronize or search for any new cell, as this has already been done
while still on the ‘old’ cell.
Unicast Traffic IP traffic that requires one-to-one communication for each source destination
pair. This means that multiple identical packets must be transmitted to send the
same information to many destinations.

Unique Key Encryption Key (UKEK) A key used by the key variable loader (KVL) device to communicate
with other secure devices. This UKEK key is used for secure communications between the PrC and KVL.
An encryption key used solely to encrypt traffic keys targeted for an individual
secure entity.
Uplink The radio frequency communications path from the Mobile Station to the BTS.
Also referred to as the BTS receive path.
UPS Uninterruptible Power Supply. Highly recommended to supplement the standard
battery backup in the fault tolerant Zone Controller and for network management
computer devices.
User There are three types of users in a Dimetra system: individual radio users,
console operators, and manager users (administrators and maintainers of the
system).
User Configuration Manager (UCM) The User Configuration Manager (UCM) is a Windows based management
application used to enter and maintain provisioning information and cluster level
configuration data stored in the database on the UCS.
User Configuration Server (UCS) (R5.x) The User Configuration Server holds the database containing
provisioning information and cluster level configuration data.
User Configuration Subsystem (UCS) (R3.x) The User Configuration Subsystem consists of the User
Configuration Subsystem Database Server and the User Configuration Subsystem User Server.
User Configuration Subsystem Database Server (R3.x) The UCS Database Server is part of the User
Configuration Subsystem and holds the database containing provisioning information and cluster
level configuration data.
User Configuration Subsystem User Server (R3.x) The UCS User Server runs the applications accessing
the User Configuration Server.
User ID User ID is sent to receiving Mobile Stations (MSs) at start of transmission.
Also called Radio ID.
User station (terminal) A terminal with a monitor, keyboard, and mouse. Provides a user interface to the
Dimetra applications and database via the Ethernet network.
UST See UCS Synchronisation tool.
UTC Universal Time Coordinated. Indication of time, i.e. h:m:s.
UTP Unshielded Twisted Pair. Category 5 UTP is used in Dimetra systems for some
Ethernet connections.
V+D Voice and data.
VDTM Virus Definition Transport Method.
VICP Very Intelligent Communications Processor.
Virtual Local Area Network (VLAN) A technology that allows the formation of Virtual Ethernet segments
and subnets according to business needs, not cabling needs.

Visited network A network where a subscriber has an indirect subscription. This means that a
valid subscriber identity is only allocated as part of the first network access.
Visitor Location Register (VLR) The entity that is used to manage a local copy of zone specific
information for individuals and Talkgroups. This includes subscriber database information as
well as site location information for both the individual and the Talkgroup.
There is a VLR associated with each zone in the system.
VistaPortal A Web interface provided with InfoVista that is used to view reports from the
web.
VLAN See Virtual Local Area Network.
VLR See Visitor Location Register.
Voice Channel When a call request is made by Mobile Stations the system will assign a voice
channel for the call. Mobile Stations are informed of the assigned channel and
are then permitted to transmit and receive speech on that channel.
VPN Virtual Private Network.
VPN-1 Checkpoint’s VPN implementation.
VPN-1 PRO Checkpoint’s combined VPN-1 and Firewall-1 software.
VRRP Virtual Router Redundancy Protocol.
VU Voice Unit.
WAN See Wide Area Network.
WAN Switch Management Server (WSMS) (R5.0 & R5.1) The Compact PCI server where the Preside MDM
application resides.
WEBLink A Web-based network management application for management of the routers.
Router Manager provides a launch point for WEBLink.
Wide area call A call using a channel resource at all sites in a wide area system.
Wide Area Network (WAN) A transport network that delivers communications between two geographically
separated areas.
Windows Terminal Service Windows remote desktop.
WS-MSO A WAN Shared MSO is a collection of LS-MSOs of four and up to 7 zones,
which are physically colocated, where the Exit routers from each LS-MSO share
one WAN switch for interzone connectivity.
WSMS (R5.0 & R5.1) See WAN Switch Management Server (WSMS).
XCDR (R3.x & R4.0) Transcoder, See Transcoder.
X-Press Update An update that contains only security content updates (protocol updates, new
signatures, and security content bug fixes).
ZAMBI 1. See Zone Ambassador Interface Board.
2. Zone Controller Ambassador Multiplex Interface.
ZC See Zone Controller.
ZCM See Zone Configuration Manager.

ZDS See Zone Database Server.
Zeroize To erase information, specifically, to write 0s to memory.
ZLM See Zone Link Multiplexer.
ZM See Zone Manager.
ZMS See Zone Manager Subsystem
Zone 1) A geographical region covered by a Dimetra system. The
zone design comprises sites to allow intrazone communications
and roaming between sites/subsystems within a zone.
2) The equipment (Network Management, Data Management, Networking,
Switching, Infrastructure, i.e. SwMI) that forms the central part of a Dimetra
radio communications system with interfaces to air, telephone and other
zones/radio systems.
Zone Ambassador Interface Board (ZAMBI) Interfaces Embassy Switch with Zone Controller. A board that
acts as an interface between the Ambassador Electronics Bank (AEB) and the Zone
Controller.
Zone Chooser The Zone Manager window through which all Dimetra applications are opened.
Zone Configuration Manager A Motorola software application that is used to configure zone parameters.
Zone Controller (ZC) Dimetra master site equipment providing very fast call control for group
communication in a wide area network. The Zone Controller supports Status.
Zone Core Zone Core is a one ZC system, which is the central point for all the equipment
necessary to control and manage the sites in a zone. BTS and control site
equipment are not part of the zone core.
Zone Database Server (ZDS) The Zone Database Server holds the database containing zone level
configuration data.
Zone Level Trunking Trunking operation is limited to the coverage area of one single Dimetra system.
Zone Link Multiplexer (R4.0) Zone SLM. The ZLM ensures interzone connectivity. The ZLM is based upon
the Zhone (Premisys) IMACS platform.
Zone Manager (ZM) A network management product allowing configuration of the Dimetra system
and system management activities. The Zone Manager interfaces the Zone
Controller for software functions and database access.
Zone Manager Subsystem (R3.x) The Zone Manager Subsystem consists of the Zone Database Server and one
or more Zone User Server(s).
Zone Master Site A Master Site containing a set of zone control equipment (e.g. Zone Controller,
AEB, etc.) comprising a single zone.
Zone Statistics Server (ZSS) The ZSS is a UNIX based server that provides data storage for statistics
data. Each zone contains one ZSS for statistics that should be stored locally.

Zone User Server (R3.x) The Zone User Server runs the applications accessing the Zone Database Server.
ZoneWatch A Motorola software application that allows system managers to monitor
activity within a zone.
ZSS See Zone Statistics Server.



1-4, bk 10-2 pg 1-8, bk 10-2 pg 1-10 10-1 pg 4-4
description. . . . . . . . . . . . bk 10-2 pg 1-12 configuring
key distribution . . . . . . . . . . . . bk 10-2 pg authentication . . . . . . . . . . . bk 10-2 pg 2-1
1-12 to bk 10-2 pg 1-13 Context sensitive help . . . . . . . bk 10-2 pg 3-22
updates . . . . . . . . . . . . . bk 10-2 pg 1-14 using . . . . . . . . . . . . . . bk 10-2 pg 3-23
Communication Key . . . . . . . . bk 10-2 pg 11-1 Crypto Card . . . . . . . . . . . . . bk 10-1 pg 1-5

Database activating standby - AuC . . . . . bk 10-1 pg 5-11



Authentication, Encryption and Provisioning Index

Archive Log Mode - AuC AuC . . . . . . bk 10-1 pg 6-1, bk 10-1 pg 6-5


hot backups . . . . . . . . . . . bk 10-1 pg 6-2 PrC . . . . . . . bk 10-1 pg 9-1, bk 10-1 pg 9-5
backup standby AuC IP reconfiguration . . bk 10-1 pg 5-10
AuC . . . . . . bk 10-1 pg 6-1, bk 10-1 pg 6-5 standby configuration - AuC . . . . bk 10-1 pg 5-4
PrC . . . . . . . bk 10-1 pg 9-1, bk 10-1 pg 9-3 start services - AuC
backup files backup files . . . . . . . . . . . bk 10-1 pg 6-4
AuC . . . . . . bk 10-1 pg 6-3, bk 10-1 pg 6-5 uninstallation
PrC . . . . . . . . . . . . . . . bk 10-1 pg 9-4 AuC . . . . . . . . . . . . . . bk 10-1 pg 3-7
cleaning up PrC . . . . . . . . . . . . . . . bk 10-1 pg 8-4
AuC . . . . . . . . . . . . . . bk 10-1 pg 6-9 Database backup
PrC . . . . . . . . . . . . . . . bk 10-1 pg 9-8 scheduling . . . . . . . . . . . . bk 10-2 pg 9-16
creating user - AuC DDK
Archive Log Mode. . . . . . . . bk 10-1 pg 6-3 entering . . . . . . . . . . . . . bk 10-2 pg 4-32
hot backups derived cipher key (DCK). . . . . . . bk 10-2 pg 1-3
AuC . . . . . . . . . . . . . . bk 10-1 pg 6-2 to bk 10-2 pg 1-4, bk 10-2 pg 1-13
PrC . . . . . . . . . . . . . . . bk 10-1 pg 9-1 distribution . . . . . . . . . . . bk 10-2 pg 1-12
installation - PrC transferring . . . . . . . . . . . bk 10-2 pg 1-12
installation . . . . . . . . . . . bk 10-1 pg 8-2 updates . . . . bk 10-2 pg 1-13 to bk 10-2 pg 1-14
manual uninstallation devices configuration . . . . . . . . bk 10-2 pg 2-15
AuC . . . . . . . . . . . . . . bk 10-1 pg 3-9 Dimetra Distribution Key . . . . . . bk 10-2 pg 11-6
PrC . . . . . . . . . . . . . . . bk 10-1 pg 8-5 disabling key updates . . . . . . . . bk 10-2 pg 4-52
restart - AuC EBTS site . . . . . . . . . . . . bk 10-2 pg 4-57
restore . . . . . . . . . . . . . bk 10-1 pg 6-8 zone. . . . . . . . . . . . . . . bk 10-2 pg 4-56
restore downlink . . . . . . . . . . . . . . bk 10-2 pg 1-5

EBTS site Encryption Device . . . . . . . . . bk 10-2 pg 11-32


enabling / disabling key updates . . bk 10-2 pg 4-57 master key. . . . . . . . . . . . bk 10-2 pg 9-12
viewing EBTS site key information and status . . bk status . . . . . . . . . . . . . . bk 10-2 pg 9-10
10-2 pg 4-12 Entity
EBTS sites . . . . . bk 10-2 pg 4-12, bk 10-2 pg 11-7 information displaying . . . . . . bk 10-2 pg 3-13
viewing status and key information . . . . . . . bk Equipment rack - AuC
10-2 pg 4-12 equipment rack . . . . . . . . . . bk 10-1 pg 1-3
Electrostatic Discharge (ESD) . . . . . bk 10-1 pg 2-8 Events Pane . . . . . . . . . . . . . . . bk 10-2 pg
enabling key updates . . . . . . . . bk 10-2 pg 4-52 3-19, bk 10-2 pg 6-1, bk 10-2 pg 11-8
EBTS site . . . . . . . . . . . . bk 10-2 pg 4-57 removing events . . . . . . . . . . bk 10-2 pg 6-2
zone. . . . . . . . . . . . . . . bk 10-2 pg 4-56 viewing server events . . . . . . . bk 10-2 pg 6-1

Failure update . . . bk 10-2 pg 10-2 to bk 10-2 pg 10-3


key distribution . . . . . . . . . bk 10-1 pg 10-20 update failure . . . . . . . . . bk 10-2 pg 10-8
FAQ . . . . . . . . . . . . . . . . bk 10-2 pg 10-1 licence limit . . . . . . . . . . . bk 10-2 pg 10-7
Audit Trail search . . . . . . . . bk 10-2 pg 10-3 mobile stations. . . . . . . . . . bk 10-2 pg 10-4
encryption device failure . . . . . bk 10-2 pg 10-8 not current key . . . . . . . . . . bk 10-2 pg 10-2
error messages . . . . . . . . . . bk 10-2 pg 10-8 unmatched K-REF Pairs . . . . . bk 10-2 pg 10-4
key First login
provisioning . . . . . . . . . . bk 10-2 pg 10-2 password . . . . . . . . . . . . bk 10-2 pg 3-10
storing . . . . . . . . . . . . bk 10-2 pg 10-2 First Steps . . . . . . . . . . . . . . bk 10-2 pg 3-8


Go operational . . . . . . . . . . . bk 10-2 pg 9-16 cabling . . . . . . . . . . . . . . bk 10-1 pg 2-4


guidelines hardware installation . . . . . . . . bk 10-1 pg 2-3

Hardware . . . . . bk 10-1 pg 2-9 to bk 10-1 pg 2-10 safety precautions . . . . . . . . . bk 10-1 pg 2-5


AuC configuration versions . . . . . bk 10-1 pg 1-3 Help
equipment - AuC. . . . . . . . . . bk 10-1 pg 2-1 context sensitive . . . . . . . . . bk 10-2 pg 3-22
equipment - PrC . . . . . . . . . . bk 10-1 pg 7-1 full text search . . . . . . . . . . bk 10-2 pg 3-23
factory default settings . . . . . . bk 10-1 pg 2-10 Host files - AuC
firmware update hosts file. . . . . . . . . . . . . . bk 10-1 pg 4-6
HP ProLiant ML370 G4 . . . . bk 10-1 pg 2-10 HP NetServer LC2000 . . . . . . . . bk 10-1 pg 2-2
RAID configuration - AuC. . . . bk 10-1 pg 2-12 HP ProLiant DL360 . . . . . . . . . bk 10-1 pg 2-2
ROM based setup - AuC . . . . . bk 10-1 pg 2-11 HP ProLiant DL360 G4P . . . . . . bk 10-1 pg 2-10
hardware installation . . . . . . . . . bk 10-1 pg 2-5 HP ProLiant ML370 G3 . . . . . . . bk 10-1 pg 2-2
guidelines . . . . . . . . . . . . . bk 10-1 pg 2-3 HP ProLiant ML370 G4 . . . . . . . bk 10-1 pg 2-2

icon conventions . . . . . . . . . bk 10-2 pg 14-xxvi refreshing an existing key. . . . . bk 10-2 pg 4-38


implicit authentication . . . . . . . . bk 10-2 pg 1-3 updates . . . . . . . . . . . . . bk 10-2 pg 1-14
importing Installation
K-REF pairs . . . . . . . . . . . bk 10-2 pg 4-20 AuC. . . . . . . . . . . . . . . . bk 10-1 pg 3-1
SCK-TMO key file . . . . . . . . bk 10-2 pg 4-21 Client . . . . . . . . . . . . . . bk 10-1 pg 3-6
Individual TETRA Subscriber Identity . . . . . . . bk Server . . . . . . . . . . . . . bk 10-1 pg 3-2
10-2 pg 10-4 PrC
infrastructure key (Ki) . . . . . . . bk 10-2 pg 1-10 database. . . . . . . . . . . . . bk 10-1 pg 8-2
assigning a new key . . . . . . . bk 10-2 pg 4-41 Server . . . . . . . . . . . . . bk 10-1 pg 8-3
clearing an existing key. . . . . . bk 10-2 pg 4-43 Introduction . . . . . . . . . . . . . bk 10-2 pg 3-1
description. . . . . . . . . . . . . bk 10-2 pg 1-9 IP Address
distribution . . . . . . . . . . . . bk 10-2 pg 1-9 entering . . . . bk 10-2 pg 11-28, bk 10-2 pg 11-30
provisioning . . . . . . . . . . . bk 10-2 pg 4-36

K-REF pairs . . . . . . . . . . . . . bk 10-2 pg 1-3 status . . . . . . . . . . . . . . bk 10-2 pg 11-15


entering . . . . . . . . . . . . . bk 10-2 pg 4-17 updates - worst case scenarios. . . bk 10-1 pg 10-8
generating unmatched . . . . . . . bk 10-2 pg 4-8 key database
importing . . . . . . . . . . . . bk 10-2 pg 4-20 entering K-REF pairs. . . . . . . bk 10-2 pg 4-17
viewing unmatched . . . . . . . . bk 10-2 pg 4-6 importing a KREF-pair into the Authentication
K-REF Pairs . . . . bk 10-2 pg 4-17, bk 10-2 pg 11-10 Centre. . . . . . . . . . . . . . bk 10-2 pg 4-20
key importing a SCK-TMO key file . . bk 10-2 pg 4-21
information and status . . . . . . . bk 10-2 pg 4-1 modifying an SCK-TMO key . . . bk 10-2 pg 4-25
transferring . . . . . . . . . . . bk 10-2 pg 1-12 Key Database . . . . . . . . . . . bk 10-2 pg 4-17
zone status information . . . . . . bk 10-2 pg 4-10 selection. . . . . . . . . . . . . bk 10-2 pg 11-12
Key key distribution . . . bk 10-2 pg 1-8, bk 10-2 pg 4-35
database . . . . . . . . . . . . . . bk 10-1 pg 4-6 authentication key (K) . . . . . . bk 10-2 pg 1-13
distribution not completed . . . . bk 10-1 pg 10-21 authentication material . . . . . . bk 10-2 pg 1-11
information displaying . . . . . . bk 10-2 pg 3-13


common cipher key (CCK) . . . . . . . bk 10-2 pg EBTS site . . . . . . . . . . . . bk 10-2 pg 4-57


1-12 to bk 10-2 pg 1-13 enable/disable . . . . . . . . . . bk 10-2 pg 4-60
derived cipher key (DCK) . . . . bk 10-2 pg 1-12 immediate . . . bk 10-2 pg 4-47 to bk 10-2 pg 4-48
infrastructure key (Ki) . . . . . . . . . . bk 10-2 key type . . . . . . . . . . . . . bk 10-2 pg 4-59
pg 1-9, bk 10-2 pg 4-41 mobile station (MS) . . . . . . . bk 10-2 pg 4-52
mobile station (MS) . . . . . . . bk 10-2 pg 1-13 overview . . . . . . . . . . . . bk 10-2 pg 1-13
static cipher key (SCK-TMO) . . . . . . bk 10-2 pg rejected . . . . . . . . . . . . . bk 10-2 pg 5-13
1-12 to bk 10-2 pg 1-13 scheduling . . . . . . . . . . . . bk 10-2 pg 4-44
system infrastructure . . . . . . . . bk 10-2 pg 1-9 zone. . . . . . . . . . . . . . . bk 10-2 pg 4-56
system key encryption key (KEKm) . . . . . . . bk Key updates
10-2 pg 1-10 modify schedule . . . . . . . . . bk 10-2 pg 11-37
Key Encryption Keys Key Variable Loader (KVL)
distributing . . . . . . . . . . . bk 10-2 pg 1-10 configuration . . . . . . . . . . . bk 10-1 pg 4-1
key management configuration, other . . . . . . . . bk 10-1 pg 4-5
key changes . . . . . . . . . . . . bk 10-2 pg 1-6 modem option . . . . . . . . . . bk 10-1 pg 14-3
nationwide systems . . . . . . . . bk 10-2 pg 1-8 KVL . . . . . . . . . . . . . . . . bk 10-2 pg 1-9
non-nationwide systems assign a UKEK . . . . . . . . . bk 10-2 pg 4-33
PrC . . . . . . . . . . . . . . . bk 10-2 pg 1-7 deny access . . . . . . . . . . . bk 10-2 pg 4-62
key schedules . . . . . . . . . . . bk 10-2 pg 4-45 enabling/disabling . . . . . . . . bk 10-2 pg 4-62
Key Schedules . . . . . . . . . . . bk 10-2 pg 4-44 clearing an existing Ki. . . . . . . bk 10-2 pg 4-43
information . . . . . . . . . . . bk 10-2 pg 11-13 object . . . . . . . . . . . . . . bk 10-2 pg 2-17
selection. . . . . . . . . . . . . bk 10-2 pg 11-14 viewing key information and status . . . . . . . bk
key storage 10-2 pg 4-15
Master Key . . . . . . . . . . . bk 10-2 pg 1-14 KVL port settings . . bk 10-2 pg 9-2, bk 10-2 pg 11-38
overview . . . . . . . . . . . . bk 10-2 pg 1-14 KVLs . . . . . . . . . . . . . . . bk 10-2 pg 4-15
key updates information . . . . . . . . . . . bk 10-2 pg 11-16
derived cipher key (DCK) . . . . bk 10-2 pg 1-13 list . . . . . . . . . . . . . . . bk 10-2 pg 11-17

Logging out . . . . . . . . . . . . bk 10-2 pg 3-14

Main window . . . bk 10-2 pg 3-15, bk 10-2 pg 11-1 maximum period . . . . . . . . . . bk 10-2 pg 1-14
events pane . . . . . . . . . . . bk 10-2 pg 3-19 Menu bar . . . . . . . . . . . . . bk 10-2 pg 3-22
menu bar . . . . . . . . . . . . bk 10-2 pg 3-22 minimum period . . . . . . . . . . bk 10-2 pg 1-14
status bar . . . . . . . . . . . . bk 10-2 pg 3-20 Miscellaneous settings . . . . . . . . . . . bk 10-2
structure . . . . . . . . . . . . . bk 10-2 pg 3-15 pg 9-3, bk 10-2 pg 11-36
work pane . . . . . . . . . . . . bk 10-2 pg 3-16 mobile station (MS) . . . . . . . . . . . . . . . bk
management 10-2 pg 1-11, bk 10-2 pg 4-2
authentication and air interface . . . bk 10-2 pg 1-7 assigning new authentication material . . . . . . bk
key . . . . . . . . . . . . . . . . bk 10-2 pg 1-7 10-2 pg 4-49
Manual SCK synchronisation . . . . bk 10-1 pg 10-18 enabling / disabling key updates . . bk 10-2 pg 4-52
master AuC explicit authentication . . . . . . . bk 10-2 pg 1-2
changing . . . . . . . . . . . . bk 10-2 pg 5-19 exporting information . . . . . . . bk 10-2 pg 4-5
configuration . . . . . . . . . . . bk 10-2 pg 5-8 implicit authentication . . . . . . . bk 10-2 pg 1-3
Master key K-REF pair . . . . . . . . . . . . bk 10-2 pg 1-3
changing . . . . . . . . . . . . . bk 10-1 pg 4-2 key distribution . . . . . . . . . bk 10-2 pg 1-13
configuration . . . . . . . . . . . bk 10-1 pg 4-3 viewing key information . . . . . . bk 10-2 pg 4-2
loading . . . . . . . . . . . . . bk 10-2 pg 9-12 Mobile station (MS)
master key storage . . . . . . . . . bk 10-2 pg 1-14 temporarily disabling / enabling . . bk 10-1 pg 12-1


Mobile stations . . . . . . . . . . . . bk 10-2 pg 4-2 modems


list . . . . . . . . . . . . . . . bk 10-2 pg 11-17 setup . . . . . . . . . . . . . . bk 10-1 pg 14-1
search . . . . . . . . . . . . . . bk 10-2 pg 11-19 Modify CCK Manually . . . . . . . bk 10-2 pg 9-20
viewing key information . . . . . . bk 10-2 pg 4-2

Nationwide reconfiguration. . . . . . . . . . bk 10-2 pg 5-18


adding a new AuC . . . . . . . . bk 10-1 pg 10-18 removing slave AuC . . . . . . . bk 10-2 pg 5-17
Nationwide only . . . . . . . . . . . bk 10-2 pg 3-1 returning to single cluster mode . . bk 10-2 pg 5-17
nationwide system slave AuC . . . . . . . . . . . . bk 10-2 pg 5-10
changing master AuC . . . . . . bk 10-2 pg 5-19 Next Active SCK . . . . . . . . . . bk 10-2 pg 4-21
configuration . . . . . . . . . . . bk 10-2 pg 5-7 no AI Encryption
key management . . . . . . . . . . bk 10-2 pg 1-8 Security Class 1 . . . . . . . . . . bk 10-2 pg 1-6
master AuC . . . . . . . . . . . . bk 10-2 pg 5-8

Operating state Out of Service . . . . . . . . . . . bk 10-2 pg 9-16


changing . . . . . . . . . . . . bk 10-2 pg 9-16

Password restore . . . . . bk 10-1 pg 9-1, bk 10-1 pg 9-5


changing . . . . bk 10-2 pg 3-11, bk 10-2 pg 11-31 uninstallation . . . . . . . . . . bk 10-1 pg 8-4
first login . . . . . . . . . . . . bk 10-2 pg 3-10 hardware
periodic maintenance inspection equipment. . . . . . . . . . . . bk 10-1 pg 7-1
AuC. . . . . . . . . . . . . . . bk 10-1 pg 13-2 installation. . . . . . . . . . . . . bk 10-1 pg 8-1
Power requirements - AuC overview . . . . . bk 10-1 pg 1-1, bk 10-2 pg 3-2
cable connections . . . . . . . . . bk 10-1 pg 1-5 restart . . . . . . . . . . . . . . bk 10-1 pg 11-5
PrC . . . . . . . . . . . . . . . bk 10-2 pg 14-xxvi restart service . . . . . . . . . . . bk 10-1 pg 9-7
preinstallation requirements . . . . . . bk 10-1 pg 3-1 Server and Client
Provisioning Centre (PrC). . . . . . . bk 10-1 pg 8-1 installation . . . . . . . . . . . bk 10-1 pg 8-3
database uninstallation . . . . . . . . . . bk 10-1 pg 8-4
backup . . . . . bk 10-1 pg 9-1, bk 10-1 pg 9-3 system diagram . . bk 10-1 pg 1-1, bk 10-2 pg 3-2
backup files . . . . . . . . . . . bk 10-1 pg 9-4 troubleshooting . . . . . . . . . bk 10-1 pg 11-1
cleaning up . . . . . . . . . . . bk 10-1 pg 9-8 scenarios . . . . . . . . . . . bk 10-1 pg 11-2
full restore . . . . . . . . . . . bk 10-1 pg 9-5 start-up error messages . . . . . bk 10-1 pg 11-1
hot backups . . . . . . . . . . . bk 10-1 pg 9-1 uninstallation . . . . . . . . . . . bk 10-1 pg 8-3
installation . . . . . . . . . . . bk 10-1 pg 8-2 worst case scenarios . . . . . . . bk 10-1 pg 11-4
manual uninstallation . . . . . . bk 10-1 pg 8-5 provisioning Ki . . . . . . . . . . bk 10-2 pg 4-36

rack NM settings . . . . . . . . . . . . bk 10-1 pg 5-4


requirements. . . . . . . . . . . . bk 10-1 pg 2-4 standby AuC IP . . . . . . . . . bk 10-1 pg 5-10
rack placement . . . . . . . . . . . . bk 10-1 pg 2-3 Reconnecting function . . . . . . . . bk 10-2 pg 3-6
radio object . . . . . . . . . . . . bk 10-2 pg 2-15 Remove All . . . . . . . . . . . . . bk 10-2 pg 6-3
Reconfiguration reprovisioning . . . . . . . . . . . bk 10-2 pg 4-39
AuC. . . . . . . . . . . . . . . . bk 10-1 pg 5-3 existing Ki. . . . . . . . . . . . bk 10-2 pg 4-38
IP settings . . . . . . . . . . . . . bk 10-1 pg 5-3 new Ki . . . . . . . . . . . . . bk 10-2 pg 4-41


requirements Restore
rack . . . . . . . . . . . . . . . . bk 10-1 pg 2-4 AuC. . . . . . . . . . . . . . . . bk 10-1 pg 6-1
Restart PrC . . . . . . . . . . . . . . . . bk 10-1 pg 9-5
AuC. . . . . . . . . . . . . . . bk 10-1 pg 10-18 returning to single cluster mode . . . bk 10-2 pg 5-17
PrC . . . . . . . . . . . . . . . bk 10-1 pg 11-5

safety information . . . . . . . . . . bk 10-1 pg 2-5 Starting AuC Client . . . . . . . . . bk 10-2 pg 3-8


safety precautions . . . . . . . . . . bk 10-1 pg 2-5 static cipher key (SCK-TMO) . . . bk 10-2 pg 1-3, bk
security 10-2 pg 1-5, bk 10-2 pg 1-8, bk 10-2 pg 1-10
implementation steps . . . . . . . . bk 10-2 pg 3-7 description. . . . . . . . . . . . bk 10-2 pg 1-12
policy . . . . . . . . . . . . . . . bk 10-2 pg 3-7 distribution . . . . . . . . . . . bk 10-2 pg 1-13
questions . . . . . . . . . . . . . bk 10-2 pg 3-7 encryption key changes . . . . . . . bk 10-2 pg 1-6
security class importing key file . . . . . . . . bk 10-2 pg 4-21
level 1. . . . . . . . . . . . . . . bk 10-2 pg 1-6 key distribution . . . . . . . . . bk 10-2 pg 1-12
level 2. . . . . . . . . . . . . . . bk 10-2 pg 1-5 modifying a key . . . . . . . . . bk 10-2 pg 4-25
level 3. . . . . . . bk 10-2 pg 1-4, bk 10-2 pg 2-14 next active. . . . . . . . . . . . bk 10-2 pg 4-27
transitioning from security class 2 to 3 . . . . . . bk updates . . . . . . . . . . . . . bk 10-2 pg 1-14
10-2 pg 2-14 Static Cipher Keys
Security group distributing . . . . . . . . . . . bk 10-2 pg 1-12
selection. . . . . . . . . . . . . bk 10-2 pg 11-21 information . . . . . . . . . . . bk 10-2 pg 11-20
Server modifying . . . . . . . . . . . . bk 10-2 pg 11-39
installation static sensitive precautions . . . . . . bk 10-1 pg 2-7
AuC . . . . . . . . . . . . . . bk 10-1 pg 3-2 Status
PrC . . . . . . . . . . . . . . . bk 10-1 pg 8-3 verifying . . . . . . . . . . . . bk 10-2 pg 3-12
uninstallation zone or entity . . . . . . . . . . bk 10-2 pg 3-13
AuC . . . . . . . . . . . . . . bk 10-1 pg 3-6 Status bar . . . . . . . . . . . . . bk 10-2 pg 3-20
PrC . . . . . . . . . . . . . . . bk 10-1 pg 8-4 Status icons . . . . . . . . . . . . bk 10-2 pg 3-20
Shared folder. . . . . . . . . . . . . bk 10-1 pg 6-3 Synchronize . . . bk 10-2 pg 11-22, bk 10-2 pg 11-25
Short Subscriber Identities (SSIs) . . . bk 10-2 pg 1-4 system diagram
slave AuC AuC and PrC . . . . . . . . . . . bk 10-2 pg 3-2
adding. . . . . . . . . . . . . . bk 10-2 pg 5-15 System diagram
changing expected . . . . . . . . bk 10-2 pg 5-16 AuC and PrC . . . . . . . . . . . bk 10-1 pg 1-1
configuring . . . . . . . . . . . bk 10-2 pg 5-10 system features . . . . . . . . . . . . bk 10-2 pg 3-7
connecting to another master . . . bk 10-2 pg 5-18 System KEK . . . bk 10-2 pg 11-14, bk 10-2 pg 11-25
reconfiguration. . . . . . . . . . bk 10-2 pg 5-15 System key
removing . . . . . . . . . . . . bk 10-2 pg 5-17 changing . . . . . . . . . . . . . bk 10-1 pg 4-2
removing expected . . . . . . . . bk 10-2 pg 5-16 configuration . . . . . . . . . . . bk 10-1 pg 4-3
Software system key encryption key (KEKm) . . . . . . . . bk
installation 10-2 pg 1-12
AuC . . . . . . . . . . . . . . bk 10-1 pg 3-1 description. . . . . . . . . . . . bk 10-2 pg 1-10
PrC . . . . . . . . . . . . . . . bk 10-1 pg 8-1 key distribution . . . . . . . . . bk 10-2 pg 1-10
Stage Advancement . . . . . . . . bk 10-2 pg 10-3 key updates . . . . . . . . . . . bk 10-2 pg 1-14
Standby settings . . bk 10-2 pg 9-6, bk 10-2 pg 11-40 System Management . . . . . . . . . bk 10-2 pg 9-1
turning connection monitoring off . . . . . . . . bk KVL port settings . . . . . . . . . bk 10-2 pg 9-2
10-2 pg 9-9 miscellaneous settings . . . . . . . bk 10-2 pg 9-3
turning connection monitoring on . . bk 10-2 pg 9-7 standby settings . . . . . . . . . . bk 10-2 pg 9-6
Start Backup . . . . bk 10-2 pg 9-18, bk 10-2 pg 11-30 user settings . . . . . . . . . . . . bk 10-2 pg 9-4

transferring


DCK . . . . . . . . . . . . . . bk 10-2 pg 1-12 standby AuC. . . . . . . . . . . bk 10-1 pg 10-19


keys. . . . . . . . . . . . . . . bk 10-2 pg 1-12 start-up error messages
Troubleshooting AuC . . . . . . . . . . . . . bk 10-1 pg 10-2
AuC. . . . . . . . . . . . . . . bk 10-1 pg 10-1 PrC . . . . . . . . . . . . . . bk 10-1 pg 11-1
PrC . . . . . . . . . . . . . . . bk 10-1 pg 11-1 worst case scenarios
scenarios AuC . . . . . . . . . . . . . bk 10-1 pg 10-7
AuC . . . . . . . . . . . . . bk 10-1 pg 10-2 PrC . . . . . . . . . . . . . . bk 10-1 pg 11-4
PrC . . . . . . . . . . . . . . bk 10-1 pg 11-2 typical period . . . . . . . . . . . bk 10-2 pg 1-14

UCM . . . . . . . . . . . . . . . . . . bk 10-2 pg Unique Key Encryption Keys (UKEKs) . . . . . . bk


2-1, bk 10-2 pg 2-3, bk 10-2 pg 2-16 10-1 pg 4-1
UCS configuration . . . . . . . . . . . bk 10-1 pg 4-4
information . . . . . . . . . . . bk 10-2 pg 11-21 System and Master Keys . . . . . . bk 10-1 pg 4-2
viewing status . . . . . . . . . . bk 10-2 pg 4-14 unmatched K-REF pairs . . . . . . . bk 10-2 pg 4-6
UCS - system object . . . . . . . . . bk 10-2 pg 1-6 Update CCK Version . . . . . . . . bk 10-2 pg 9-19
UKEK assignment . . . . . . . . . bk 10-2 pg 11-34 uplink . . . . . . . . . . . . . . . . bk 10-2 pg 1-5
Uninstallation User
AuC account selection. . . . . . . . . bk 10-2 pg 11-22
Client . . . . . . . . . . . . . . bk 10-1 pg 3-7 adding. . . . . . . . . . . . . . bk 10-2 pg 11-26
database. . . . . . . . . . . . . bk 10-1 pg 3-7 information . . . . . . . . . . . bk 10-2 pg 11-23
database - manual . . . . . . . . bk 10-1 pg 3-9 logging in . . . . . . . . . . . . bk 10-2 pg 11-35
Server . . . . . . . . . . . . . bk 10-1 pg 3-6 password changing . . . . . . . . bk 10-2 pg 3-11
PrC . . . . . . . . . . . . . . . . bk 10-1 pg 8-3 settings . . . . . bk 10-2 pg 9-4, bk 10-2 pg 11-43
Client . . . . . . . . . . . . . . bk 10-1 pg 8-4 User Management . . . . . . . . . . bk 10-2 pg 8-1
database. . . . . . . . . . . . . bk 10-1 pg 8-4 creating an account. . . . . . . . . bk 10-2 pg 8-2
database - manually . . . . . . . bk 10-1 pg 8-5 deleting an account. . . . . . . . . bk 10-2 pg 8-5
Server . . . . . . . . . . . . . bk 10-1 pg 8-4 modifying an account . . . . . . . bk 10-2 pg 8-4

What is the AuC?. . . . . . . . . . . bk 10-2 pg 3-4 Work pane . . . . . . . . . . . . . bk 10-2 pg 3-16

zone description. . . . . . . . . . . . bk 10-2 pg 1-10


enabling / disabling key updates . . bk 10-2 pg 4-56 key updates . . . . . . . . . . . bk 10-2 pg 1-14
viewing zone key information and status . . . . . bk Zones . . . . . . . . . . . . . . . bk 10-2 pg 4-10
10-2 pg 4-10 information . . . . . . . . . . . bk 10-2 pg 11-25
zone key encryption key (KEKz) . . . . . . . . . bk viewing status and key information . . . . . . . bk
10-2 pg 1-8, bk 10-2 pg 1-12 10-2 pg 4-10
