Volume 10: Authentication, Encryption and Provisioning
6802800U60-D
When printed by Motorola March 2007
Copyrights
The Motorola products described in this document may include copyrighted Motorola computer programs. Laws in the United States and other countries
preserve for Motorola certain exclusive rights for copyrighted computer programs. Accordingly, any copyrighted Motorola computer programs contained in
the Motorola products described in this document may not be copied or reproduced in any manner without the express written permission of Motorola.
Furthermore, the purchase of Motorola products shall not be deemed to grant either directly or by implication, estoppel or otherwise, any license under the
copyrights, patents or patent applications of Motorola, except for the normal nonexclusive, royalty-free license to use that arises by operation of law in the sale
of a product.
Disclaimer
Please note that certain features, facilities and capabilities described in this document may not be applicable to or licensed for use on a particular system, or
may be dependent upon the characteristics of a particular mobile subscriber unit or configuration of certain parameters. Please refer to your Motorola contact
for further information.
Trademarks
Motorola, the Motorola logo, and all other trademarks identified as such herein are trademarks of Motorola, Inc. All other product or service names are the
property of their respective owners.
Copyrights
© 2006 - 2007 Motorola, Inc. All rights reserved.
No part of this document may be reproduced, transmitted, stored in a retrieval system, or translated into any language or computer language, in any form or by
any means, without the prior written permission of Motorola, Inc.
CMM labeling and disclosure table
The People’s Republic of China requires that Motorola’s products comply with
China Management Methods (CMM) environmental regulations. (China
Management Methods refers to the regulation Management Methods for
Controlling Pollution by Electronic Information Products.) Two items are used to
demonstrate compliance; the label and the disclosure table.
The label is placed in a customer visible position on the product.
• Logo 1 means that the product contains no substances in excess of the
maximum concentration value for materials identified in the China
Management Methods regulation.
• Logo 2 means that the product may contain substances in excess of the
maximum concentration value for materials identified in the China
Management Methods regulation, and has an Environmental Friendly
Use Period (EFUP) in years, fifty years in the example shown.
The Environmental Friendly Use Period (EFUP) is the period (in years) during
which the Toxic and Hazardous Substances (T&HS) contained in the Electronic
Information Product (EIP) will not leak or mutate causing environmental pollution
or bodily injury from the use of the EIP. The EFUP indicated by the Logo 2 label
applies to a product and all its parts. Certain field-replaceable parts, such as
battery modules, can have a different EFUP and are marked separately.
The Disclosure Table is intended only to communicate compliance with China
requirements; it is not intended to communicate compliance with EU RoHS or any
other environmental requirements.
PCI Short Form PCI Crypto KMF Crypto Alias Integrated MultiCADI UCS
Crypto Card Card Upgrade Card Instruction Solution (AIS) Feature Synchronisation
Service Manual Manual Manual Feature Manual Manual Tool Manual
Online Help
The EMEA Systems Support Centre provides a Technical Consulting service. This service is accessed via the Call
Management Centre.
The European System Component Centre provides a repair service for infrastructure equipment, including the
MBTS. Customers requiring repair service should contact the Call Management Centre to obtain a Return
Authorisation number. The equipment should then be shipped to the following address unless advised otherwise.
Request for help in identification of non-referenced spare parts should be directed to the Customer Care
Organization of Motorola’s local area representation. Orders for replacement parts, kits and assemblies should be
placed directly on Motorola’s local distribution organization or via the Extranet site Motorola Online at
https://emeaonline.motorola.com.
Information related to support and service of Motorola Test Equipment is available by calling the Motorola Test
Equipment Service Group in Germany at +49 (0) 6128 702179, Telefax +49 (0) 6128 951046, through the
Customer Care Organization of Motorola’s local area representation, or via the Internet at
http://www.gd-decisionsystems.com/cte/.
Your Input
...is much appreciated. If you have any comments, corrections, suggestions or ideas for this publication or any
other requirements regarding Motorola publications, please send an e-mail to doc.emea@motorola.com.
Document History
The following major changes have been implemented in this manual since the previous edition:
CONTENTS
List Of Figures
Figure 1-10: Common Cipher Key (CCK)/Static Cipher Key–Trunked Mode Operation (SCK-TMO) key distribution
Figure 1-11: Derived Cipher Key (DCK) key distribution
Figure 2-1: PRNM Suite Application Launcher Window
Figure 2-2: User Configuration Manager Window
Figure 2-3: Open System Object Configuration Dialog Box
Figure 2-4: System Object Configuration Dialog Box
Figure 2-5: System Object Security Parameters
Figure 2-6: PRNM Suite Application Launcher Window
Figure 2-7: Zone Applications in PRNM Suite Application Launcher Window
Figure 2-8: Zone Configuration Manager — Zone Object
Figure 2-9: Zone Configuration Manager — EBTS Site Object
Figure 2-10: Zone Configuration Manager — Open EBTS Site Object
Figure 2-11: Zone Configuration Manager — EBTS Authentication tab
Figure 2-12: User Configuration Manager — Radio Object
Figure 2-13: Radio Object Dialog Box
Figure 2-14: User Configuration Manager — KVL Object
Figure 2-15: KVL Object Dialog Box — Basic Tab
Figure 2-16: KVL Object Dialog Box — Configuration Tab
Figure 3-1: The Nationwide Only Icon
Figure 3-2: AuC and PrC System Diagram
Figure 3-3: AuC in the System
Figure 3-4: The Reconnecting Dialog Box
Figure 3-5: The AuC Splash Screen
Figure 3-6: The Login Dialog Box
Figure 3-7: The AuC Main Window
Figure 3-8: The Change Password Dialog Box
Figure 3-9: The Main Window Status Bar
Figure 3-10: UCS Status and Version Information
Figure 3-11: Zone/EBTS Key and Status Information
Figure 3-12: The Exit Dialog Box
Figure 3-13: The AuC Main Window
Figure 3-14: The Work Pane
Figure 3-15: The Events Pane
Figure 3-16: The Status Bar
Figure 3-17: The Menu Bar
Figure 4-1: The Mobile Stations Tabbed Pane
Figure 4-2: The Mobile Station Search Form
Figure 4-3: The Mobile Stations List
Figure 4-4: Mobile Stations Tabbed Pane
Figure 4-5: Mobile Stations List Export Progress
Figure 4-6: The Key Database Tabbed Pane
Figure 4-7: The Delete Unmatched K-REF Pair Dialog Box
Figure 4-8: The Delete All Unmatched K-REF Pairs Dialog Box
Figure 4-9: The Key Database Tabbed Pane
Figure 4-10: The Save Unmatched K-REF Pairs Report Dialog Box
Figure 4-11: The Save Unmatched K-REF Pairs Report Confirmation Dialog Box
Figure 4-12: Unmatched K-REF Pairs Report Completed
Figure 4-13: The Zones Tabbed Pane
Figure 4-14: The Zone Information Display
Figure 4-15: The BTS Site Information Display
Figure 4-16: The UCS Status and Version Information
Figure 4-17: The KVLs Tabbed Pane
Figure 4-18: Key Database Tabbed Pane
Figure 4-19: K-REF Pairs Entry
List Of Tables
Table 11-1: Fields in the AuC Comm Key (Communication Key) Display
Table 11-2: Buttons in the AuC Comm Key (Communication Key) Display
Table 11-3: Fields in the AuC Connectivity Information Display
Table 11-4: AuC Server Status Information and Icons
Table 11-5: Fields in the Audit Search & Purge Form display
Table 11-6: Buttons in the Audit Search & Purge Form display
Table 11-7: Fields in the Audit Trail Information display
Table 11-8: Fields in the DDK Information display
Table 11-9: Buttons in the DDK Information display
Table 11-10: Fields in the EBTS Site Information display
Table 11-11: Buttons in the EBTS Site Information display
Table 11-12: Fields in the Events Information display
Table 11-13: Buttons in the Events Information display
Table 11-14: Fields in the General Network Information Display
Table 11-15: Fields in the K-REF Pairs Information display
Table 11-16: Buttons in the K-REF Pairs Information display
Table 11-17: Fields in the Key Database Selection display
Table 11-18: Fields in the Key Schedule Information Display
Table 11-19: Buttons in the Key Schedule Information Display
Table 11-20: Fields in the Key Update Selection display
Table 11-21: Key Status Icons (Zones and BTS sites)
Table 11-22: Fields in the KVL Information display
Table 11-23: Buttons in the KVL Information display
Table 11-24: Key Status Icons (KVLs)
Table 11-25: Fields in the Mobile Stations List display
Table 11-26: Buttons in the Mobile Stations List display
Table 11-27: Fields in the Mobile Stations Search display
Table 11-28: Buttons in the Mobile Stations Search display
Table 11-29: Fields in the SCK-Trunked Mode Operation Information display
Table 11-30: Buttons in the SCK-Trunked Mode Operation Information display
Table 11-31: Fields in the UCS Information display
Table 11-32: Buttons in the UCS Information display
Table 11-33: Fields in the User Information display
Table 11-34: Access Permissions for AuC users
Table 11-35: Buttons in the User Information display
Table 11-36: Fields in the Zone Information display
Table 11-37: Buttons in the Zone Information display
Table 11-38: Fields in the Add User Dialog Box
Table 11-39: Access Permissions for AuC users
Table 11-40: Buttons in the Add User Dialog Box
Table 11-41: Fields in the AuC Connection display
Table 11-42: Buttons in the AuC Connection display
Table 11-43: Fields in the AuC Database Backup Schedule Dialog Box
Table 11-44: Buttons in the AuC Database Backup Schedule Dialog Box
Table 11-45: Fields in the AuC Database Dialog Box
Table 11-46: Buttons in the AuC Database Dialog Box
Table 11-47: Fields in the Change Password Dialog Box
Table 11-48: Buttons in the Change Password Dialog Box
Table 11-49: Fields in the Encryption Devices Dialog Box
Table 11-50: Buttons in the Encryption Devices Dialog Box
Table 11-51: Field in the Key Update Lock Details Information Box
Table 11-52: Buttons in the Key Update Lock Details Information Box
Table 11-53: Field in the Key Update Lock Dialog Box
Table 11-54: Buttons in the Key Update Lock Dialog Box
Table 11-55: Fields in the KVL UKEK Assignment Dialog Box
Table 11-56: Buttons in the KVL UKEK Assignment Dialog Box
Table 11-57: Fields in the Login Dialog Box
Table 11-58: Buttons in the Login Dialog Box
Table 11-59: Fields in the Miscellaneous Settings Dialog Box
Table 11-60: Buttons in the Miscellaneous Settings Dialog Box
Table 11-61: Fields in the Modify Schedule display
Table 11-62: Buttons in the Modify Schedule display
Table 11-63: Fields in the KVL Port Settings Dialog Box
Table 11-64: Buttons in the KVL Port Settings Dialog Box
Table 11-65: Fields in the Purge Audit Trail Dialog Box
Table 11-66: Buttons in the Purge Audit Trail Dialog Box
Table 11-67: Fields in the SCK-TMO Modify Dialog Box
Table 11-68: Buttons in the SCK-TMO Modify Dialog Box
Table 11-69: Fields in the Standby Settings Dialog Box
Table 11-70: Buttons in the Standby Settings Dialog Box
Table 11-71: Fields in the Update CCK Version display
Table 11-72: Buttons in the Update CCK Version display
Table 11-73: Fields in the User Settings Dialog Box
Table 11-74: Buttons in the User Settings Dialog Box
Table 11-75: Main Menu Items
Table A-1: Glossary
Table A-2: Document History
List Of Procedures
Procedure 4-12: How to Modify an SCK-TMO Key in the Authentication Centre
Procedure 4-13: How to Reset an Active SCK-TMO Key in the Authentication Centre
Procedure 4-14: Entering an AuC CommKey into the AuC Database
Procedure 4-15: Entering a DDK key into the AuC database
Procedure 4-16: How to Assign a UKEK Key to a KVL Device
Procedure 4-17: How to Load an Infrastructure Key (Ki) to a BTS Site Entity
Procedure 4-18: How to Refresh a Ki for Selected Zone or BTS Site Entity in the AuC Client
Procedure 4-19: How to Update a Ki Key for a Zone or BTS Site Entity in AuC Client
Procedure 4-20: How to Schedule Key Updates based on Key Type
Procedure 4-21: How to Perform Immediate Key Updates based on Key Type
Procedure 4-22: How to Assign New Authentication Material for a Mobile Station
Procedure 4-23: How to Enable/Disable Key Updates for a Mobile Station
Procedure 4-24: How to Enable/Disable Key Updates for a Zone
Procedure 4-25: How to Enable/Disable Key Updates for a BTS Site
Procedure 4-26: How to Enable/Disable Key Updates based on Key Type
Procedure 4-27: How to Enable/Disable KVL Access to the Authentication Centre
Procedure 5-1: Viewing AuC Connection Information and Status
Procedure 5-2: How to Configure Nationwide Master AuC
Procedure 5-3: How to Configure Nationwide Slave AuC
Procedure 5-4: How to Add New Slave AuC to the AuC Net
Procedure 5-5: How to Change Expected Slave AuC
Procedure 5-6: How to Remove Expected Slave AuC
Procedure 5-7: How to Remove Slave AuC from the AuC System
Procedure 5-8: How to Return to Single Cluster Mode from Master AuC
Procedure 5-9: How to Connect Slave AuC to Another Master
Procedure 5-10: How to Change Master in Nationwide AuC System
Procedure 6-1: How to View AuC Server Events
Procedure 6-2: Removing One or More Events from the AuC Events Display
Procedure 7-1: Creating an Audit Trail of Authentication Centre (AuC) Events
Procedure 7-2: Removing Audit Trail Data from the Authentication Centre (AuC) Database for Archival File Storage
Procedure 8-1: Creating a new Authentication Centre (AuC) User Account
Procedure 8-2: Modifying an existing Authentication Centre (AuC) User Account
Procedure 8-3: Deleting an existing Authentication Centre User Account
Procedure 9-1: How to Configure KVL Port Settings
Procedure 9-2: How to Configure Miscellaneous Operation Settings
Procedure 9-3: How to Configure the User Settings
Procedure 9-4: How to Turn Standby Connection Monitoring On
Procedure 9-5: How to Turn Standby Connection Monitoring Off
Procedure 9-6: How to View the Status of AuC Encryption Devices
Procedure 9-7: How to Load a Master Key into an Encryption Device
Procedure 9-8: How to Change the State of the Authentication Centre (AuC) Server
Procedure 9-9: How to Schedule Authentication Centre Database Backups
Procedure 9-10: How to Start a Manual Authentication Centre Database Backup
Procedure 9-11: How to Manually Update the CCK Version Number
Procedure 9-12: Updating a CCK Version by Connecting to the Nationwide System
Procedure 9-13: How to Create a Standby Status Report
Procedure 9-14: Viewing Authentication Centre Version Information
Procedure 10-1: How to Trigger Full Synchronization with the UCS
Procedure 10-2: How to Trigger Full Synchronization with the ZDS
List Of Processes
Volume 10: Authentication, Encryption and Provisioning
Booklet 1: Authentication, Encryption and Provisioning - Installation and Configuration
6802800U60-D
When printed by Motorola March 2007
Contents
Add New Site, AuC Distributes KEKz and then Waits One Hour to Send SCK
Resolution/Workaround
Wrong or Incomplete NM Connection Checks to Start KEKz/SCK/CCK Updates
Scenario 1
Scenario 2
Remote AuC Clients not Updated/Informed of Server State Changes
Resolution/Workaround
List of Figures
List of Tables
Table 10-1: Common Client Startup Error Messages and Descriptions
Table 10-2: Troubleshooting the AuC
Table 10-3: AuC Worst-Case Scenarios
Table 10-4: Scenario 1
Table 10-5: Scenario 2
Table 10-6: Scenario 3
Table 10-7: Scenario 4
Table 10-8: Scenario 5
Table 10-9: Scenario 6
Table 10-10: Scenario 7
Table 10-11: Scenario 8
Table 10-12: Scenario 10
Table 10-13: Scenario 11
Table 10-14: Scenario 12
Table 10-15: Troubleshooting Standby AuC
Table 11-1: Common PrC Client Start-Up Error Messages and Descriptions
Table 11-2: Troubleshooting the PrC
Table 11-3: PrC Worst Case Scenarios
Table 13-1: Authentication Centre FRUs
Table 13-2: Authentication Centre Periodic Maintenance Inspection
List of Procedures
Procedure 2-1: How to Install Hardware for Primary AuC and Standby AuC
Procedure 2-2: How to Restore the Factory Default Settings
Procedure 2-3: How to Update Firmware on the HP ProLiant DL360 G4P
Procedure 2-4: How to Configure ROM Based Set Up for Primary and Standby AuC
Procedure 2-5: How to Configure RAID for Primary AuC and Standby AuC
Procedure 3-1: How to Install the AuC Server — Part 1
Procedure 3-2: How to ensure that the AuC is operational after installation process
Procedure 3-3: How to Install a Remote AuC Client Component
Procedure 3-4: How to Uninstall the AuC Server
Procedure 3-5: How to Uninstall the AuC Database
Procedure 3-6: How to Uninstall the AuC Database Manually
Procedure 4-1: How to Configure a System Key
Procedure 4-2: How to Configure a Master Key
Procedure 4-3: How to Configure a Unique Key Encryption Key
Procedure 4-4: How to Configure Other KVL Configurations
Procedure 4-5: How to Change the AuC Comm Key
Procedure 5-1: How to Perform Initial Configuration of the Primary Authentication Centre
Procedure 5-2: How to Configure the IP settings using the AuC Configuration Assistant
Procedure 5-3: How to Configure the Network Management (NM) Settings Using the AuC Configuration Assistant
Procedure 5-4: How to Configure Standby Database Using the AuC Configuration Assistant
Procedure 5-5: How to Configure a Standby Database
Procedure 5-6: How to Change the Standby IP using the AuC Configuration Assistant when It Incorrectly Points to the Primary AuC
Procedure 5-7: How to Configure Standby IP using the AuC Configuration Assistant
Procedure 5-8: How to Activate Standby AuC Database Using the AuC Configuration Assistant
Procedure 5-9: How to Activate the Standby Database
Procedure 6-1: How to Verify if the Database is in Archive Log Mode
Procedure 6-2: How to Create a New User on a Remote Computer
Procedure 6-3: How to Create a Shared Backup Folder on a Remote Computer
Procedure 6-4: How to Start the AUC Service with the New User
Procedure 6-5: How to Restore the AuC Database Using the AuC Configuration Assistant
Procedure 6-6: How to Restore the AuC Database
Procedure 6-7: How to Restart the Restored AuC
Procedure 6-8: How to Clean Up the AuC Database
Procedure 8-1: How to Install the PrC Database
Procedure 8-2: How to Install the PrC Server and Client
Procedure 8-3: How to Uninstall the PrC Server and Client
Procedure 8-4: How to Uninstall the PrC Database
Procedure 8-5: How to Uninstall the PrC Database Manually
Procedure 9-1: How to Configure the PrC Database for Hot Backups
Procedure 9-2: How to Perform the PrC Database Backup
List of Processes
This booklet is intended for those involved with the installation and configuration of the
Authentication Centre (AuC) and Provisioning Centre (PrC).
This manual also includes procedures for configuring the Authentication Centre to work
properly with the other parts of the Dimetra system including:
• User Configuration Server (UCS)
• Zone Database Server (ZDS)
• Air Traffic Router (ATR)
• Full Vision (FV)
• Key Variable Loader (KVL)
Finally, this document will include troubleshooting procedures for common field problems.
Related Information
The following manuals will be referenced from this manual:
• Authentication Centre Crypto Card Instruction Manual
• Provisioning Centre User Manual
• Key Variable Loader User’s Guide
• Key Variable Loader Service Manual
• Network Security Feature Manual
Icon Conventions
The document set is designed to give the reader more visual cues. The following graphic icons are used
throughout the documentation set. These icons and their associated meanings are described below.
SUGGESTION
A suggestion implies a recommendation or tip from Motorola, that does not have to be followed,
but which might be helpful. There is no warning level associated with a Suggestion.
Notes contain information more important than the surrounding text, such as exceptions or
preconditions. They also refer the reader elsewhere for additional information, remind the reader
how to complete an action (when it’s not part of the current procedure, for instance), or tell the
reader where something is located on the screen. There is no warning level associated with a Note.
Information that is crucial to the discussion at hand, but that is not a Caution or Warning, receives
an Important icon. There is no warning level associated with the Important icon.
The caution icon implies information that must be carried out in a certain manner
to avoid problems, procedures that may or may not be necessary as determined by
the reader’s system configuration, and so on. Although no damage will occur if
the reader does not heed the caution, some steps may need repeating.
The danger icon implies information that, if disregarded, may result in severe
injury or death of personnel. This is the highest level of warning.
Chapter 1: Authentication Centre and Provisioning Centre Overview
This chapter provides an overview of the Authentication Centre (AuC) and Provisioning Centre (PrC)
components installed in a Dimetra IP system, an introduction to the requirements and considerations
for mechanical installation, and an overview of the physical interface and cabling requirements for the AuC.
This chapter covers the following topics:
• "AuC and PrC Description and System Diagram"
• "Authentication Server Configuration Versions"
• "AuC Crypto Card"
The AuC provides the authentication and key management material for devices related to
air interface security functions in Dimetra IP. It is responsible for generating the cipher
keys used for key management throughout the infrastructure, and accountable for scheduled
key changes, including changing the SCK and CCK. One AuC is required for each cluster.
Infrastructure Keys are provisioned via the Key Variable Loader (KVL). Other keys and infrastructure
data are distributed via TCP/IP network to infrastructure servers. These servers are:
• FullVision (FV)
• Zone Database Server (ZDS)
• User Configuration Server (UCS)
• Air Traffic Router (ATR)
The PrC generates, stores, and tracks delivery of K and SCK-TMO keys to the subscriber Mobile Stations
(MSs), using the Key Variable Loader (KVL) as a proxy to transport and confirm delivery. In addition, the
PrC generates and exports a file containing K-REF pairs to the Authentication Centre (AuC).
Figure 1-1 shows how the Dimetra IP infrastructure devices interface with the Authentication
Centre (AuC) and the Provisioning Centre (PrC).
The AuC rack may vary from the one shown in Figure 1-2.
• AuC Server (Primary and Standby) is connected to the UCS VLAN (part of the Dimetra
IP Network) via the patch panel installed on the AuC rack.
• The DIAL port on an external modem (if provided) is connected to PSTN via
the patch panel. The DTE port on the modem is connected to the serial port A
(COM1) on the rear of the Primary AuC server.
• A direct connection with KVL is established via a null-modem cable connected to
the serial port B (COM2) on the rear of the Primary AuC Server. If there is no
second COM port, refer to step 9 in Procedure 2-1, "How to Install Hardware
for Primary AuC and Standby AuC," on page 2-9.
• Each AuC server is connected to KVM Switch.
The Authentication Centre Crypto Card is a PCI bus card that is inserted in the AuC server work station
and provides the actual encryption and decryption services for the Authentication Centre (AuC).
For more information please see the following manuals:
• Authentication Centre Crypto Card - Instruction Manual
• Authentication Centre Crypto Card - Service Manual
Follow the information in the Service manual “Authentication Centre Crypto Card” to
troubleshoot the battery circuitry on the AuC Crypto Card.
Failure to install and/or replace the lithium battery correctly may result in an
explosion. Replace the battery only with the same or equivalent type of battery.
Dispose of used batteries at an authorized metals/batteries reclamation dealer.
Chapter 2: AuC Hardware Installation and Configuration
Do not tamper with factory configuration settings for these devices. This
includes software configuration, firmware release, password, and physical
connections. Motorola has configured and connected these devices to meet
very specific performance requirements. Tampering with these devices may
result in unpredictable system performance or catastrophic failure.
Environmental Considerations
Most of the Master Site equipment is designed to be rack mounted and is normally supplied in 19" equipment
cabinets. These cabinets are intended to be installed in an equipment room with an appropriate Heating,
Ventilation, and Air Conditioning (HVAC) system installed. The ambient temperature of the equipment room
should be maintained in the range of 18°C to 24°C and the relative humidity maintained within the range 30%
to 55% (non-condensing). If feet are supplied, ensure that they are installed under the equipment cabinets to
allow sufficient airflow through the cabinet. See also "Placement Recommendations". If a cabinet has a fan
system without any alarm system, the fan system needs yearly inspection and, if necessary, replacement.
Placement Recommendations
Use the following suggestions for placing the equipment at the site.
• Place each rack in a stable area on a firm surface. Use the correct mounting
hardware and shims to prevent rack movement.
• Install the system safely. Use strain relief when installing and positioning cables and
cords to help ensure that no interruption of service occurs.
• Allow at least one meter of space at the front and rear of the system for proper
air flow for cooling and for safe access.
• Locate the site racks and other equipment with ease of service and access in mind.
Service personnel require access to the front and the rear of the rack.
• Locate the system in an area free of heat, dust, smoke, and Electrostatic Discharge (ESD).
• If feet are supplied with your equipment, make sure they are fitted under the cabinet to
provide at least 15 mm between the bottom of the rack and the floor. Additional clearance
will be required for compressible floor surfaces such as carpet tiles.
• External cables coming into the cabinets must not significantly reduce airflow
within the cabinets. Cables are expected to be grouped together and secured
along the side of the cabinets using the vertical rails.
Rack Requirements
Most equipment is installed on a standard 19" rack. If you need to install additional equipment, see the
Site Configuration Guide for your system or consult your Motorola Field Representative.
Cabling Guidelines
See the Quality Standards - Fixed Network Equipment (FNE) Installation Manual, Motorola R56 Manual -
Standards and Guidelines for Communication Sites (68P81089E50) for cabling standards.
Use only Category 5 Shielded Twisted Pair (or higher) for cabling Ethernet
connections. Motorola has engineered this system to meet specific performance
requirements and EMC standards. Using other cabling and connectors may
result in unpredictable system performance or catastrophic failure.
Maintenance actions may require two or more people. The appropriate activity risk assessment should
be completed prior to the activity being conducted. Examples of items that should be considered are:
• Repairs where the risk of injury would require a second person to perform first aid or call for
emergency support. An example would be work around high voltage sources.
• Manual handling of rack and some system components may require more than one
person; therefore the appropriate risk assessments should be conducted.
• The stability of the equipment should be considered when removing system
element(s) from a rack or other equipment.
If troubleshooting the equipment while power is applied, be aware of the live circuits.
DO NOT operate the transmitter of any radio unless all RF connectors are secure and
all connectors are properly terminated.
All equipment must be properly grounded in accordance with Motorola Standards and Guideline for
Communications Sites “R56” (68P81089E50) and specified installation instructions for safe operation.
Racks may need to be secured to the ground (or by other methods) to prevent tipping
over when units are being removed.
Slots and openings in the cabinet are provided for ventilation. To ensure reliable operation of the product
and to protect it from overheating, these slots and openings must not be blocked or covered.
The cabinets are fitted with feet to raise them off the floor and to provide ventilation.
These feet should not be removed.
Never store combustible materials in or near the rack. The combination of combustible material,
heat and electrical energy increases the risk of a fire safety hazard.
Only a qualified technician familiar with similar electronic equipment should service equipment.
Some equipment components can become extremely hot during operation. Turn off all power
to the equipment and wait until sufficiently cool before touching.
Antenna installation should be designed to comply with the ICNIRP (International Commission on
Non-Ionizing Radiation Protection), or the local regulatory requirements which pertain to human exposure to
RF (Non Ionizing) radiation. Further information on ICNIRP guidelines can be found at http://www.icnirp.org/
Determining the compliance of transmitter sites of various complexities may be accomplished by
means of computational methods. For more complex sites direct measurement of the power density
may be more expedient. Additional information on the topic of electromagnetic exposure is contained
in the Motorola Standards and Guideline for Communications Sites publication. Persons responsible
for installation of this equipment are urged to consult the listed reference material to assist in
determining whether a given installation complies with the applicable limits.
In general the following guidelines should be observed when working in or around radio transmitter sites:
• All personnel should have electromagnetic energy awareness training.
• All personnel entering the site must be authorized.
• Obey all posted signs.
• Assume all antennas are active.
• Before working on antennas notify owners and disable appropriate transmitters.
• Maintain minimum 1 meter clearance from all antennas.
• Do not stop in front of antennas.
• Use personal RF monitors while working near antennas.
• Never operate transmitters without shields during normal operation.
• Do not operate base station antennas in equipment rooms.
For installations outside of the U.S., consult with the applicable governing body and standards for RF energy
human exposure requirements and take the necessary steps for compliance with local regulations.
References:
• TIA/EIA TSB92 "Report on EME Evaluation for RF Cabinet Emissions Under FCC MPE
Guidelines", Global Engineering Documents: http://global.ihs.com/
• FCC OET Bulletin 65 “Evaluating Compliance with FCC Guidelines for Human Exposure
to Radio Frequency Electromagnetic Fields”: http://www.fcc.gov/oet/rfsafety/.
• Motorola Standards and Guideline for Communications Sites, R56 Motorola
manual (68P81089E50).
• IEEE Recommended Practice for the Measure of Potentially Hazardous Electromagnetic
Fields – RF and Microwave, IEEE Std C95.3-1991, Publication Sales, 445 Hoes
Lane, P.O. Box 1331, Piscataway, NJ 08855-1331.
• IEEE Standard for Safety Levels with Respect to Human Exposure to Radio Frequency
Electromagnetic Fields, 3 kHz to 300 GHz, IEEE C95.1-1991, Publication Sales, 445
Hoes Lane, P.O. Box 1331, Piscataway, NJ 08855-1331.
Extreme care must be taken while handling, shipping, and servicing these boards or modules.
To avoid static damage, observe the following precautions:
• Prior to handling, shipping, and servicing equipment, connect a wrist strap to the
grounding clip. This discharges any accumulated static charges.
• Avoid touching any conductive parts of the module with your hands.
• Never remove boards or modules with power applied to the unit (hot-pull) unless
you have verified it is safe to do so for a particular board or module. Make sure the
unit will not be damaged by this. Several boards and modules require that power
be turned off before any boards or modules are removed.
• Avoid carpeted areas, dry environments, and certain types of clothing (silk, nylon, etc.)
during service or repair due to the possibility of static buildup.
• Apply power to the circuit under test before connecting low impedance test equipment
(such as pulse generators, etc.). When testing is complete, disconnect the test
equipment before power is removed from the circuit under test.
• Be sure to ground all electrically powered test equipment. Connect a ground lead (-) from
the test equipment to the board or module before connecting the test probe (+). When
testing is complete, remove the test probe first, then remove the ground lead.
• Lay all circuit boards and modules on a conductive surface when removed from the system.
The conductive surface must be connected to ground through 100Kohm.
Never use non-conductive material for packaging modules being transported. All modules
should be wrapped with static sensitive (conductive) material. Replacement modules shipped
from the factory are packaged in a conductive material.
Electrostatic Discharge
If an ESD station is not available, wear an antistatic wrist strap. Wrap one end of the strap around
your wrist. Attach the ground end (usually a piece of copper foil or an alligator clip) to the same
electrical ground as the equipment under repair or the equipment chassis.
This section describes the Authentication Centre hardware installation. Follow Procedure 2-1 to
install AuC hardware. This procedure applies only to new installations.
Procedure 2-1 How to Install Hardware for Primary AuC and Standby AuC
1 Open the top of the case and, following the manufacturer’s installation instructions, install the
memory cards in the first free sockets.
2 Install the Combo Drive in slot B.
3 Install the two hard drives in slots 0 and 1.
4 Install the AuC Crypto Card in PCI-X Slot 2.
The Crypto Card should have a battery installed on it before it is installed in the
server. For instructions on how to prepare the Crypto Card before installing it,
see the “AuC Crypto Card” manual.
5 Close the server’s case, then, following the manufacturer’s installation instructions, mount it
in the rack.
This section describes Authentication Centre hardware configuration as well as other procedures
to be performed before installing AuC software. To configure AuC hardware properly before
AuC software installation, perform the following procedures:
• Restore the factory default settings, see Procedure 2-2
• Update firmware, see Procedure 2-3
• Configure ROM Based Setup, see Procedure 2-4
• Configure RAID card, see Procedure 2-5
HP Firmware Update
Follow Procedure 2-3 to update the HP firmware.
Procedure 2-3 How to Update Firmware on the HP ProLiant DL360 G4P
1 Download Firmware Maintenance CD 7.40 from:
http://h18000.www1.hp.com/support/files/server/us/download/23331.html
2 Burn the downloaded CD.
3 Insert the CD into the drive during the system startup.
Result: The server starts booting from the CD.
4 Select the display language and keyboard layout. Click Continue.
5 Agree to the User License Agreement.
6 Click the Launch ROM Update utility. The system will be scanned. This may take a while.
7 If possible, update the firmware for:
• System ROM
• Array Controllers
• Hard Drives
• Management Processors
by clicking the Update Now button. If the button is grayed out, no updates are necessary. In that
case, exit by clicking EXIT, click OK to confirm, and click EXIT to reboot.
This prompt is only displayed for a few seconds after which it disappears. If you
do not press the F8 key before the prompt is gone, then you must restart the server
to display it again.
3 Delete all logical drives, if any exist.
4 Create a logical drive using the default option: RAID 1 Configuration (1+0).
5 Save the configuration.
6 Select Select as Boot Controller (use the F8 key to confirm).
Select as Boot Controller will not be displayed if the Smart Array controller is
already set up to be the boot controller. If that is the case, ignore this step.
7 Exit the Option ROM Configuration for Arrays Utility.
If you have the optional feature of Anti Virus, you need to install the A/V client on the AuC clients.
See the ”Installation and Configuration” chapter of the Network Security Feature Manual.
Chapter 3: AuC Software Installation and Uninstallation
The Authentication Centre (AuC) software application can be installed on both active (primary) and standby
(secondary) PCs. The complete AuC software application consists of the following software components:
• AuC Server software component
• AuC Client software component
You can install the AuC Server and Client components together on the same PC, or separately where the
AuC Client is installed on a remote PC that can access the AuC Server over the Dimetra IP network.
This chapter covers the following topics:
• "Software Preinstallation Requirements and Considerations"
• "Installing the AuC Server"
• "Installing the AuC Client Only"
• "Uninstalling the AuC Server"
• "Uninstalling the AuC Client"
• "Uninstalling the AuC Database"
• "Uninstalling the AuC Database Manually"
You should review the following list of requirements and considerations prior to installing
software. If you do not have any of the following information, contact your system
administrator or the local Motorola field representative.
• Make sure you have appropriate network administrative rights or privileges
required to install the software.
• Make sure that all CD-ROMs and other software media are available before
starting any software installation activity.
For the AuC Server, the complete image of the system partition, containing both the operating system and the AuC
software, is installed in one procedure. Follow Procedure 3-1 to perform a new installation of the AuC
Server. To ensure that the AuC is operational after the installation process, follow Procedure 3-2.
Procedure 3-1 How to Install the AuC Server — Part 1
1 Insert the Dimetra IP 2006 AuC Installation, CD1 into the drive during the system startup.
Result: The server starts booting from the CD.
2 Select the Install AuC Image option and press Enter.
Result: Norton Ghost application starts.
3 If the Continue without marking drives button appears, press it to continue.
Result: Norton Ghost starts restoring the disc images.
4 When Norton Ghost asks for the next CD, insert Dimetra IP 2006 AuC Installation, CD2.
5 When Norton Ghost asks for the next CD, insert Dimetra IP 2006 AuC Installation, CD3.
6 Wait until the server automatically reboots.
Use the IP plan to obtain correct values for IP addresses and Zone IDs.
Result: The information screen appears.
20 Read the information and click Next.
Result: You will be prompted for supported Network Management Database version.
21 Enter supported Network Management Database version using Add, Modify and Delete buttons.
Click Next to continue.
Result: The summary screen appears.
22 Click Finish.
Result: The first stage of AuC Server installation is completed.
23 • When installing the AuC server on the primary machine go to Procedure 3-2;
• When installing the AuC server on the standby machine follow the steps below;
24 Click Start on the Windows® task bar. Select Settings> Control Panel>System.
Result: The System Properties dialog box appears.
25 Select the Computer Name tab.
26 On the Computer Name tab press the Change... button.
Result: The Computer Name Changes dialog box appears.
27 In the Computer Name field type auc02 and press OK.
Result: The confirmation dialog box appears.
28 Press OK.
29 On the Computer Name tab press OK.
30 Reboot the computer.
Result: The AuC Server installation process is complete.
Procedure 3-2 How to ensure that the AuC is operational after installation process
1 Make sure that the startup type of the AuC, Master and Subagent services is set to Automatic.
If the startup type for these services is not Automatic, start these services and then
change the startup type to Automatic.
2 Log into the AuC Client. For more information on how to log in, see the AuC Online Help.
When logging into the AuC client for the first time, the user name and password are
admin and changeme1 (numeral 1) respectively.
3 Make sure the Crypto Card has been detected and is usable. From the main menu select
System>Encryption Devices. The CCC and CCE version must be correct, and the device status
must be Working. If these requirements are not fulfilled, the problem MUST be resolved before
proceeding.
If the AuC operational service is Out of Service, from the main menu select System>
Go Operational.
You can uninstall the AuC Server, but you cannot install it again without repeating the partition
image installation described in Procedure 3-1.
1 Click Start on the Windows® task bar. Select Settings> Control Panel>Add/Remove
Programs.
Result: The Add/Remove Programs dialog box appears.
2 Select the Authentication Centre then click Change/Remove.
Result: The InstallWizard welcome screen appears.
3 Click Next.
Result: A summary screen appears.
4 Click Next.
Result: The uninstallation process will start.
5 When the uninstallation process is completed, click Finish.
Result: The AuC Server uninstallation process is completed.
You can uninstall the AuC Database, but you cannot install it again without repeating the partition
image installation described in Procedure 3-1.
1 Click Start on the Windows® task bar. Select Settings> Control Panel>Add/Remove
Programs.
Result: The Add/Remove Programs dialog box appears.
2 Select the Authentication Centre Database then click Change/Remove.
Result: The InstallWizard welcome screen appears.
3 Click Next.
Result: A summary screen appears.
4 Click Next.
Result: An information screen appears.
The screen contains instructions which should be followed when Oracle® Universal
Installer launches. These instructions are repeated in consecutive steps of this
procedure.
5 Click Next.
Result: The uninstallation process will start.
If error messages appear on the screen, look at the log file for details (the file name
is displayed on the screen). Then follow Procedure 3-6 to manually remove the
database. Please note that some steps of the procedure might not be necessary if some
actions have been already performed by the uninstaller.
12 Select if you want to restart your computer now or later and click Finish.
Result: The AuC Database has now been successfully uninstalled.
In case of a failed or stopped installation or uninstallation, it may be necessary to manually delete the
AuC database components. Follow Procedure 3-6 to manually uninstall the AuC database.
Procedure 3-6 How to Uninstall the AuC Database Manually
1 Click Start on the Windows® task bar. Select Settings> Control Panel> Administrative Tools>
Services.
Result: The Services dialog box appears.
2 Select all Oracle services one by one and click Stop.
3 Close the Services dialog box.
4 Click Start on the Windows® task bar and then Run...
5 Enter regedit and click OK.
6 In the Registry Editor window go to HKEY_CLASSES_ROOT and delete any keys that begin
with Oracle, Ora, EnumOra or ORCL.
7 Delete the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key.
8 Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key and delete
any keys that begin with Oracle.
9 Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application key and delete any keys that begin with Oracle.
10 Delete the HKEY_CURRENT_USER\Software\Oracle key.
11 Delete the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\StartMenu\Programs\Oracle — Oracle 10g key.
12 Delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2ab7faa6c76dba2fdaf675d6f89b63e8 key.
13 Close the Registry Editor.
14 Click Start on the Windows® taskbar. Select Settings> Control Panel> System and then
Advanced> Environment Variables…
15 Select System variables> Path and Edit.
16 Delete any Oracle entries from the variable and click OK.
17 Click OK to close the Environment Variables window.
18 Click OK to close the System Properties window.
19 Open the Windows® profiles directory for all users and select Start Menu and Programs
(system dependent location, but for example D:\Profiles\All Users\Start Menu\Programs).
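The service, registry and Path checks in steps 2, 6 to 10, 12 and 16 of Procedure 3-6 can be audited before and after the manual cleanup with a report-only script. This is an added example, not part of the Motorola manual or its tooling: the function names are hypothetical, and treating any service whose name starts with "Oracle" and any Path entry containing "oracle" as an Oracle item is an assumption.

```powershell
# Added example (not Motorola's tooling): report-only audit for Procedure 3-6.
# It reads services, the registry and the machine Path; it changes nothing.
# Run it from an elevated prompt as the user whose HKEY_CURRENT_USER hive is being cleaned.

function New-Finding {
    param([int]$Step, [string]$Kind, [string]$Item)
    [pscustomobject]@{ Step = $Step; Kind = $Kind; Item = $Item }
}

function Get-OracleLeftover {
    # Step 2: Oracle services that have not been stopped yet.
    # Assumption: an "Oracle service" has a name or display name starting with "Oracle".
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Name -like 'Oracle*' -or $_.DisplayName -like 'Oracle*') -and
            $_.Status -ne 'Stopped'
        } |
        ForEach-Object { New-Finding -Step 2 -Kind 'Service not stopped' -Item $_.Name }

    # Steps 6, 8 and 9: subkeys whose names begin with the listed prefixes.
    # The "Ora" prefix from step 6 is broad, so review every hit before deleting it.
    $prefixRules = @(
        @{ Step = 6; Parent = 'Registry::HKEY_CLASSES_ROOT';
           Prefixes = @('Oracle', 'Ora', 'EnumOra', 'ORCL') },
        @{ Step = 8; Parent = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services';
           Prefixes = @('Oracle') },
        @{ Step = 9; Parent = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application';
           Prefixes = @('Oracle') }
    )
    foreach ($rule in $prefixRules) {
        $children = Get-ChildItem -LiteralPath $rule.Parent -ErrorAction SilentlyContinue
        foreach ($child in $children) {
            $leaf = $child.PSChildName
            foreach ($prefix in $rule.Prefixes) {
                # Registry key names are case-insensitive, so compare that way.
                if ($leaf.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    New-Finding -Step $rule.Step -Kind 'Registry key (prefix match)' -Item $child.Name
                    break   # report each key once even if several prefixes match
                }
            }
        }
    }

    # Steps 7, 10 and 12: keys the procedure names exactly.
    $exactKeys = @(
        @{ Step = 7;  Key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE' },
        @{ Step = 10; Key = 'Registry::HKEY_CURRENT_USER\Software\Oracle' },
        @{ Step = 12; Key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2ab7faa6c76dba2fdaf675d6f89b63e8' }
    )
    foreach ($entry in $exactKeys) {
        if (Test-Path -LiteralPath $entry.Key) {
            New-Finding -Step $entry.Step -Kind 'Registry key (exact)' -Item ($entry.Key -replace '^Registry::', '')
        }
    }

    # Step 16: Oracle entries left in the system Path variable.
    # Assumption: an Oracle entry is any Path element containing "oracle" (case-insensitive).
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($element in ($machinePath -split ';')) {
        if ($element -match 'oracle') {
            New-Finding -Step 16 -Kind 'System Path entry' -Item $element
        }
    }
}

$leftovers = @(Get-OracleLeftover)
if ($leftovers.Count -eq 0) {
    'No Oracle leftovers found for the checked steps.'
} else {
    $leftovers | Sort-Object Step | Format-Table -AutoSize -Wrap
}
```

An empty report after the cleanup confirms that the checked steps are complete; any remaining row names the step to revisit.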
Chapter 4: System, Master, and Unique Key Encryption Keys and KVL Configuration
This chapter describes how to configure the Authentication Centre (AuC), Provisioning Centre (PrC), and
Key Variable Loader (KVL) with a consistent set of keys for correct Dimetra IP system operation.
The KVL is used to communicate with the Authentication Centre, the Provisioning Centre, and their
respective Crypto Cards for the secure transmission of keys. The communication between the Crypto
Card and the KVL uses DVI-XL encryption, which is not used elsewhere in the Dimetra IP system.
This chapter covers the following topics:
• "Changing System and Master Keys in an Existing System"
• "System Key Configuration"
• "Master Key Configuration"
• "Unique Key Encryption Key Configuration"
• "Other KVL Configurations"
• "AuC Communications (Comm) Key"
• "AuC Hosts File Changes"
The System Key is loaded into the AuC and PrC via the KVL when the Master Key is loaded into each machine’s
Crypto Card. The Master Key in each AuC and PrC must not be changed after initial installation and startup.
If the wrong Master Key is loaded into an AuC or PrC, and any system
data is entered into the application software, either manually via the
Client GUI or automatically via PNM, that data will be lost when the
Master Key is changed to the correct Master Key!
To change System Key and/or Master Key in an existing system, the following steps must be performed:
System Key Change
1. All Master Keys in the AuC and PrC Crypto Cards will need to be erased by
pushing the reset button on the rear of the Crypto Card
3. Loading the new System Key and Master Key (even if it’s the same as the old
Master Key) into every KVL on the system
4. Loading the new Master Key into each of the AuC and PrC Crypto Cards
5. Reprovisioning of all EBTS sites and Zone Controllers and loading all data into the PrC.
3. Loading the new Master Key into every KVL on the system
4. Loading the new Master Key into each of the AuC and PrC Crypto Cards
5. Reprovisioning all EBTS sites and Zone Controllers and loading all data into the PrC.
The Key Variable Loader 3000+ requires a 128-digit System Key to communicate in
DVI-XL systems. Each KVL 3000+ is shipped from the factory with a default System
Key. Follow Procedure 4-1 to change the System Key.
Procedure 4-1 How to Configure a System Key
1 Switch on the KVL and navigate to the CONFIG menu by pressing the Left Arrow key once
and then press the Left dotted key under CONFIG on the display.
2 Navigate to the SYSKEY option by pressing the Left Arrow key once and then press the Left
dotted key under SYSKEY.
3 Press the Left dotted key under EDIT. The following warning will be displayed:
ALL DVI-XL KEYS WILL BE LOST! CONT?
Press the Left dotted key under YES.
4 The display will show SYSKEY BYTE 01, enter the 128-digit (64 bytes) System Key. The display
will then show SLOT FILLED. Press the Enter key.
5 The display will show BUSY... ERASING KEYS while the keys and the UKEK are erased.
6 When finished, the display will show THE SYSKEY IS READY. The previous System Key has
been overwritten. Press the Esc key to go up a menu level.
7 The Default System Key can always be restored by repeating steps 1 and 2 and then pressing the
Right dotted key under DEFAULT.
The Authentication Centre and Provisioning Centre Crypto Cards require a 16-digit (8
bytes) Master Key to communicate in DVI-XL systems with their respective applications.
Follow Procedure 4-2 to change the Master Key.
1 Turn on the KVL and navigate to the Au/PrC menu by pressing the Right Arrow key once and
then press the Left dotted key under Au/PrC on the display.
2 Navigate to the SETUP option by pressing the Left Arrow key once and then press the Left
dotted key under SETUP.
3 Press the Right dotted key under MKEY.
Result: The following message will be displayed KVL-MKEY ALGID: DVI-XL ERASED.
4 Press the Left dotted key under EDIT.
Result: The display will show MKEY DVI-XL BYTE 01.
5 Enter the 16-digit (8 bytes) Master Key.
Result: The display will then show FILLED.
6 Press the Enter key.
Result: The display will show KVL-MKEY ALGID: DVI-XL READY. The previous Master
Key has been overwritten.
7 Press the Esc key to go up a menu level.
The Authentication Centre and Provisioning Centre require a 16-digit (8 bytes) UKEK to communicate
in DVI-XL systems with a KVL. Follow Procedure 4-3 to change the UKEK.
Procedure 4-3 How to Configure a Unique Key Encryption Key
1 Turn on the KVL and navigate to the Au/PrC menu by pressing the Right Arrow key once and
then press the Left dotted key under Au/PrC on the display.
2 Navigate to the SETUP option by pressing the Left Arrow key once and then press the Left
dotted key under SETUP.
3 Press the Left dotted key under UKEK.
Result: The following message will be displayed KVL-UKEK ALGID: DVI-XL ERASED.
4 Press the Left dotted key under EDIT.
Result: The display will show UKEK DVI-XL BYTE 01.
5 Enter the 16-digit (8 bytes) UKEK Key.
Result: The display will then show FILLED.
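The three procedures above fix a format for each key: 128 digits (64 bytes) for the System Key and 16 digits (8 bytes) for the Master Key and the UKEK. The following pre-entry check of a key sheet is an added example, not Motorola code; it assumes the digits are hexadecimal (two per byte, as the byte counts imply) and that the KVL byte counter advances from BYTE 01, and its function names and weak-pattern rules are this example's own.

```python
"""Pre-entry check for KVL key material (added example, not Motorola code)."""
import re

# Key sizes in bytes as given in Procedures 4-1, 4-2 and 4-3 on this page.
KEY_BYTES = {"SYSKEY": 64, "MKEY": 8, "UKEK": 8}
HEX_DIGITS = set("0123456789ABCDEF")  # assumption: "digit" means hex digit

SAMPLE_MKEY = "9F 3C 71 0A E4 58 B2 6D"  # constructed sample, not a real key


class KeyFormatError(ValueError):
    """Format error; the message never echoes any part of the key."""


def parse_key(kind, text):
    """Return the key as bytes after strict length and charset checks."""
    if kind not in KEY_BYTES:
        raise KeyFormatError(f"unknown key type {kind!r}")
    # Key sheets are often grouped with spaces, hyphens or colons.
    digits = re.sub(r"[\s:\-]", "", text).upper()
    want = KEY_BYTES[kind] * 2
    if len(digits) != want:
        raise KeyFormatError(f"{kind} needs {want} digits, got {len(digits)}")
    for pos, ch in enumerate(digits, 1):
        if ch not in HEX_DIGITS:
            raise KeyFormatError(f"{kind} has a non-hex character at digit {pos}")
    return bytes.fromhex(digits)


def weaknesses(key):
    """List structural weaknesses (this example's rules, not a KVL check)."""
    if len(set(key)) == 1:
        return ["all bytes identical"]
    found = []
    # A constant step between bytes catches 01 02 03... and 01 23 45...
    steps = {(b - a) % 256 for a, b in zip(key, key[1:])}
    if len(steps) == 1:
        found.append("bytes form an arithmetic sequence")
    # A short block repeated to fill the key carries only the block's entropy.
    for period in range(2, len(key) // 2 + 1):
        if len(key) % period == 0 and key == key[:period] * (len(key) // period):
            found.append(f"repeats a {period}-byte block")
            break
    return found


def entry_sheet(key):
    """Pair each byte with a 1-based label in the style of the KVL prompt."""
    return [(f"BYTE {i:02d}", f"{b:02X}") for i, b in enumerate(key, 1)]


def check(kind, text):
    """Summarise a key without returning or printing the key itself."""
    key = parse_key(kind, text)
    return {"kind": kind, "bytes": len(key), "weak": weaknesses(key)}


if __name__ == "__main__":
    print(check("MKEY", SAMPLE_MKEY))
```
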
The checklist presented in Procedure 4-4 details the required settings for a KVL to work with
the Authentication Centre and/or the Provisioning Centre.
Procedure 4-4 How to Configure Other KVL Configurations
1 Verify in the Au/PrC->SETUP menu that the A/P ID and KVLID match what the AuC/PrC has
assigned.
2 • For KVL downloading of Ki’s (infrastructure keys) from the AuC via direct connect to the
Serial Port, the KVL must be set to 19200.
• To change/verify the baud rate, go to the CONFIG->BAUDR option on the KVL.
• To change/verify the baud rate on the AuC or PrC, go to the System>Settings drop-down
menu on the AuC or PrC client.
For KVL downloading via a modem, the KVL must be set to 9600. After the modem download
has completed, the KVL must be reset to 19200. To change/verify the baud rate, go to the
CONFIG->BAUDR option on the KVL; see Chapter 14, "Setup Procedures for External
Modems".
3 The CONFIG menu also allows for configuring the time, date, password, and timeout period for
the KVL.
All AuCs in a nationwide system must use the same Comm Key, so a change of Comm Key
needs to be coordinated to ensure proper system operation. It is also necessary to temporarily
disable key schedules while an AuC Comm Key change takes place.
It is strongly recommended that you enter a Comm Key into the AuC BEFORE
connecting to a nationwide system.
Follow Procedure 4-5 to change the Comm Key.
Procedure 4-5 How to Change the AuC Comm Key
1 From the AuC client, select the Key Database tab. Select AuC Comm Key (Communications
Key) from the selections on the left of the screen.
2 Enter the 16-digit Comm Key and press the Enter button.
Result: The status line should now read:
The AuC has a Comm Key
If the nominal Dimetra IP address configuration is not used on the network, the AuC Server hosts file
must be changed to reflect the IP Address configuration that is used. The hosts file is located:
• For Microsoft® Windows® 2000 Server: c:\WINNT\system32\drivers\etc\hosts
• For Microsoft® Windows® Server 2003: c:\Windows\system32\drivers\etc\hosts
The file can be edited with Notepad or WordPad. It lists the host names and IP addresses for the system:
• UCS
• SSS
• AuC Server
• AuC Database
• AuC Standby database
• The ZDS, ZSS, ATR, and FullVision servers for each Zone
5
Primary and Standby AuC Configuration
Follow Procedure 5-1 to perform initial configuration of the Primary Authentication Centre (AUC01).
Procedure 5-1 How to Perform Initial Configuration of the Primary Authentication Centre
1 The AuC Server automatically starts as a Windows® service. The server needs about two
minutes to initialize.
2 Start the AuC Client:
• double click on the Authentication Centre icon on the desktop or
• click Start on the Windows® task bar and select Programs>Motorola>Authentication
Centre
and log in.
Until initialization is completed the AuC Client will report an error when an attempt
is made to log in.
When logging into the AuC client for the first time, the user name and password are
admin and changeme1 (numeral 1) respectively.
3 Create the initial user(s). See Online Help for instructions on how to create new users.
Only users with user management permission can add users to the system and assign
their initial passwords. It is a requirement that the first user created must have full
permissions, including user management.
4 Restart the AuC Client and log in with the new user name just created. Change the new user
password as prompted.
5 Load the Master Key, according to instructions in Online Help.
6 Go to the NM-Client. Add each KVL to the System. Assign each KVL to one or more Zones.
Under UCS Configuration>Key Variable Loader>Setup a new KVL configure KVL Alias
with ID and System. Add all zones under Configuration. Each Zone must have at least one
KVL assigned to it.
Each KVL must be configured to zones that have no more than 237 entities (EBTS
and ZC).
7 Return to the AuC Client. Select Go Operational from the System menu.
The AuC will establish connections to the UCS, each ZDS and ATR. At this time, the AuC will
also synchronize itself with the UCS and each Zone Database. All Mobiles, KVLs, Base Sites,
Zones, Security Groups, and KVL-Zone assignments will be updated in the AuC. The audit trail
and events log can be reviewed to verify that all records have been added to the AuC database.
Each respective tab: Local Zones, Key Loaders, and Mobile Stations should display all records.
The Mobile Stations tab Search button will have to be clicked to update its display.
8 Check if each KVL has a UKEK assigned to it. If not, assign an appropriate UKEK. See Online
Help for instructions on how to assign a UKEK to a KVL.
9 Import or manually enter SCK-TMO keys; for instructions, see Online Help.
When only Security Class 1 (no Air Interface Encryption, optional authentication)
is to be used, there is no need to import and assign any SCK-TMO keys. Continue
the procedure starting from step 11.
10 Set the next active SCK-TMO key; for instructions, see Online Help.
11 Provision each infrastructure entity with a Ki; for instructions, see Online Help.
12 Perform necessary key updates, according to Online Help instructions.
AuC Reconfiguration
The following settings can be changed using the AuC Configuration Assistant, when necessary:
• IP settings, see Procedure 5-2
• Network Management (NM) settings, see Procedure 5-3
IP Settings Reconfiguration
Follow Procedure 5-2 to reconfigure IP settings using the AuC Configuration Assistant.
Procedure 5-2 How to Configure the IP settings using the AuC Configuration Assistant
Use IP plan to obtain correct values for IP addresses and Zone IDs.
Result: The information screen appears.
6 Read the information and click Next.
Result: The summary information screen appears.
7 Click Finish.
Result: The IP settings configuration is completed.
NM Settings Reconfiguration
Follow Procedure 5-3 to reconfigure Network Management (NM) settings using
the AuC Configuration Assistant.
Procedure 5-3 How to Configure the Network Management (NM) Settings
Using the AuC Configuration Assistant
A Standby AuC can be used in order to protect against loss of data. A standby database is a second
database that continuously runs transactions that were completed on the primary database. It receives
redo logs from the primary database. Redo logs are used by the Oracle® database to record all of the
transactions that are completed on the server. When a redo log fills up, it is archived at the primary
database and also sent to the standby machine. The standby machine then plays the transactions
in the redo log so that it can synchronize with the primary database.
Follow Procedure 5-4 to configure the standby database using the AuC Configuration Assistant.
If you encounter any problems while performing Procedure 5-4, execute Procedure 5-5
to configure the Oracle® database on a standby AuC database.
Before executing Procedure 5-4 or Procedure 5-5 make sure that the Master Key is already
loaded on standby AuC and is identical to the one on primary AuC.
To minimize the number of archive files that need to be copied to the standby database it is
advised to perform the AuC database backup before configuring the standby AuC machine.
Procedure 5-4 How to Configure Standby Database Using the AuC Configuration Assistant
1 To ensure correct startup settings on the standby AuC, click Start on the Windows® task bar and
select Settings>Control Panel>Administrative Tools>Services.
2 Stop and set Startup type parameter to Manual for the following services:
• AUC
• AUC Master Agent
• AUC Sub Agent
In order to change Startup type parameter right click on the service and then choose
Properties. Choose required value for Startup type and press OK.
If FullVision discovered the Standby AuC before disabling the agent, then the
contents of the APCO cloud container (aucAgent_10.0.<Cluster-ID>.220
and AuthenticationCentre_10.0.<Cluster-ID>.220) and the
APCO cloud container must be deleted from both the FullVision and FullVision
Administration Dimetra maps.
3 Close the Services window.
4 On the primary AuC, double click on the AuC Configuration Assistant icon on the desktop
to start configuration.
7 IF the standby IP address is incorrect because it points to the primary AuC, THEN:
1. Abort this procedure.
2. Execute Procedure 5-6.
3. Execute Procedure 5-4 from the beginning once again.
IF the standby IP address is incorrect for any other reason, THEN:
1. Abort this procedure.
2. Execute Procedure 5-7.
3. Execute Procedure 5-4 from the beginning once again.
IF the standby IP address is correct, THEN continue with the current procedure.
8 Select Continue standby configuration and click Next.
Result: The Standby info panel appears.
9 Click Next.
Result: You are prompted for database administrator password on the primary machine.
10 Enter the primary machine database administrator password and click Next.
Result: You are prompted for database administrator password on the standby machine.
11 Enter the standby machine database administrator password and click Next.
Result: You are prompted for the system’s user password on the standby machine.
12 Enter the standby machine system’s user password and click Next.
If the passwords are identical on both machines: primary and standby, you can
leave this field empty.
Result: The standby database configuration process starts.
13 Wait while the standby database configuration is being performed.
Result: The summary of the standby configuration process appears.
14 Click Next.
Result: The summary screen appears.
15 Click Finish.
Result: The standby database configuration process is completed.
If you encounter any problems while performing Procedure 5-4, follow Procedure 5-5
to configure the Oracle® database on a standby AuC database.
1 If a previous installation of the Authentication Centre database exists, you must delete the folder
standby_files from all PCs before carrying out this procedure.
2 Verify in the hosts file that auc01 has the IP address 10.0.<Cluster-ID>.220. The hosts
file is located:
• on Microsoft® Windows® Server 2003 in folder:
C:\Windows\system32\drivers\etc
• on Microsoft® Windows 2000 Server in folder:
C:\WINNT\system32\drivers\etc
The file may be edited with Notepad or WordPad.
3 On the Standby AuC machine, click Start on the Windows® task bar and select Settings>Control
Panel>Administrative Tools>Services.
4 Stop and set Startup type parameter to Manual for the following services:
• AUC
• AUC Master Agent
• AUC Sub Agent
In order to change Startup type parameter right click on the service and then choose
Properties. Choose required value for Startup type and press OK.
If FullVision discovered the Standby AuC before disabling the agent, then the
contents of the APCO cloud container (aucAgent_10.0.<Cluster-ID>.220
and AuthenticationCentre_10.0.<Cluster-ID>.220) and the
APCO cloud container must be deleted from both the FullVision and FullVision
Administration Dimetra maps.
5 Start the AUC service.
6 Close the Services window.
7 Start the AuC Client:
• double click on the Authentication Centre icon on the desktop or
• click Start on the Windows® task bar and select Programs>Motorola>Authentication
Centre
and log in.
The AuC Server automatically starts as a Windows® service. The Server needs about
two minutes to initialize. Until initialization is completed the AuC Client will report
an error when an attempt is made to log in.
When logging into the AuC client for the first time, the user name and password are
admin and changeme1 (numeral 1) respectively.
8 Create the initial user(s). See Online Help for instructions on how to create new users.
Only users with user management permission can add users to the system and assign
their initial passwords. It is a requirement that the first user created must have full
permissions, including user management.
9 Restart the AuC Client and log in with the new user name just created. Change the new user
password as prompted.
10 Load the Master Key, according to instructions in Online Help.
11 Reboot the Standby AuC.
12 On the Primary AuC close the AuC Client if opened.
13 Click Start on the Windows® task bar and select Settings>Control Panel>Administrative
Tools>Services.
14 Right click on the AUC service and choose Stop.
15 Close the Services window.
16 Click Start on the Windows® task bar and select Programs>Accessories>Command Prompt to
open a command prompt window.
17 In the command prompt window type:
C:\>cd C:\Motorola\AuC\database\data\prod
and press Enter.
18 Type:
C:\Motorola\AuC\database\data\prod>production <password>
where password is the database administrator password specified during installation. Press Enter.
19 The system will perform several operations. Wait for these operations to finish. If the command
prompt cursor does not appear in twenty (20) minutes, type Ctrl-C to stop the process. Then try
executing the process again.
20 Return to the root folder of the C: drive by typing
C:\Motorola\AuC\database\data\prod>cd \
Press Enter.
21 Type:
C:\>dir
and check if a directory called standby_files exists. If the directory does not exist, repeat
step 17 through step 21.
22 Close the command prompt window.
23 On the Standby AuC click Start on the Windows® task bar and select
Programs>Accessories>Windows Explorer.
24 Click on the Tools menu and then click on Map Network Drive...
If a different password is used for the standby PC and the primary PC, then it may be
necessary to enter it after clicking Finish button.
26 Make sure that you now have access to the file system on the Primary AuC via the mapped drive.
27 Click Start on the Windows® task bar and select Programs>Accessories>Command Prompt.
28 In the command prompt window type:
C:\>cd C:\Motorola\AuC\database\data\standby
Press Enter.
29 Type:
C:\Motorola\AuC\database\data\standby>standby <password> P:\standby_files
where password is the database administrator password specified during installation. Press Enter.
30 In the command prompt window type:
SQL>quit
and press Enter.
31 Copy the Primary AuC hosts file to the Standby AuC hosts file. The hosts file is located:
• on Microsoft® Windows® Server 2003 in folder
C:\Windows\system32\drivers\etc
• on Microsoft® Windows® 2000 Server in folder
C:\WINNT\system32\drivers\etc
32 On the Primary AuC click Start on the Windows® task bar and select
Programs>Accessories>Command Prompt.
33 In the command prompt window type:
C:\>sqlplus sys/<password> as sysdba
where password is the database administrator password specified during installation. Press Enter.
34 Type:
SQL>alter system switch logfile;
and press Enter.
35 Type:
SQL>quit
and press Enter.
36 Close the command prompt window.
37 Reboot the Primary AuC and log in to the AuC Client as usual.
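Steps 2 and 31 of the procedure above both depend on the hosts files: auc01 must resolve to 10.0.<Cluster-ID>.220, and the standby file is a copy of the primary one. The check below is an added example, not part of the Motorola procedure; the sample files, every host name other than auc01, and the Cluster-ID value 1 are constructed.

```python
"""Hosts-file consistency check for a primary/standby AuC pair (added example)."""
import ipaddress

# Constructed samples. Only the name auc01 comes from the page; the other
# host names are placeholders and Cluster-ID 1 is an arbitrary test value.
PRIMARY_SAMPLE = """\
# primary AuC hosts file (constructed)
127.0.0.1    localhost
10.0.1.220   auc01        # AuC Server
10.0.1.221   aucdb01      # placeholder name
10.0.1.10    ucs01        # placeholder name
"""
STANDBY_SAMPLE = """\
# standby AuC hosts file that has drifted (constructed)
127.0.0.1    localhost
10.0.1.222   AUC01
10.0.1.221   aucdb01
"""


def parse_hosts(text):
    """Map lower-cased host name -> set of IP strings (hosts-file syntax)."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            raise ValueError(f"line {lineno}: first field is not an IP address")
        # Host names are matched case-insensitively, so AUC01 equals auc01.
        for name in fields[1:]:
            table.setdefault(name.lower(), set()).add(ip)
    return table


def audit(primary_text, standby_text, cluster_id):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    expected = f"10.0.{cluster_id}.220"
    tables = {"primary": parse_hosts(primary_text),
              "standby": parse_hosts(standby_text)}
    for label, table in tables.items():
        ips = table.get("auc01")
        if ips is None:
            findings.append(f"{label}: auc01 has no entry")
        elif ips != {expected}:
            findings.append(
                f"{label}: auc01 is {', '.join(sorted(ips))}, expected {expected}")
        # The same name on two addresses makes resolution order-dependent.
        for name, addrs in sorted(table.items()):
            if len(addrs) > 1:
                findings.append(f"{label}: {name} maps to {len(addrs)} addresses")
    primary, standby = tables["primary"], tables["standby"]
    for name in sorted(set(primary) | set(standby)):
        if primary.get(name) != standby.get(name):
            findings.append(f"drift: {name} differs between primary and standby")
    return findings


if __name__ == "__main__":
    for finding in audit(PRIMARY_SAMPLE, STANDBY_SAMPLE, 1):
        print(finding)
```
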
Procedure 5-6 How to Change the Standby IP using the AuC Configuration Assistant
when It Incorrectly Points to the Primary AuC
Procedure 5-7 How to Configure Standby IP using the AuC Configuration Assistant
5 Enter the IP address of the standby AuC and click Next.
Result: Information about changing IP address of the standby machine appears in the dialog box.
6 Click Next.
Result: A summary information screen appears.
7 Click Finish.
Result: The IP address of the standby machine is configured.
Procedure 5-8 and Procedure 5-9 will stop the Standby Mode and the
copying of logs from the primary database! Activation of the Standby Database
should only occur when the Primary AuC has failed!
The standby database will remain in standby mode and continue copying logs from the primary database
until standby mode is cancelled. Once the standby database is active, the Authentication Centre server
will need to be redirected to the new database and then restarted. Follow Procedure 5-8 to activate the
standby AuC database using the AuC Configuration Assistant. If you encounter any problems
while performing Procedure 5-8, execute Procedure 5-9 to activate the standby AuC database.
Procedure 5-8 and Procedure 5-9 assume that the Primary AuC is powered
down or has been shut down.
Procedure 5-8 How to Activate Standby AuC Database Using the AuC Configuration Assistant
Use IP plan to obtain correct values for IP addresses and Zone IDs.
Result: The information screen appears.
7 Read the information and click Next.
Result: You will be prompted for supported Network Management Database version.
8 Enter supported Network Management Database version using Add, Modify and Delete buttons.
Click Next to continue.
Result: The summary screen appears.
9 Click Finish.
Result: The standby AuC database activation process is completed.
If you encounter any problems while performing Procedure 5-8, follow
Procedure 5-9 to activate the standby AuC database.
In order to change Startup type parameter right click on the service and then choose
Properties. Choose required value for Startup type and press OK.
11 Close the Services window.
12 Restart the new Primary AuC. When rebooting is complete, the primary machine will be ready
for use.
13 Open and log into the AuC client application as if you were working on the original primary
machine. You should find your data.
14 After another machine is acquired or the old one is repaired, set up the machine as the new
Standby AuC according to "Standby Database Configuration" on page 5-4.
6
AuC Database Backup and Restore
The Oracle® database provides the capability to perform a backup without shutting down the database. This
backup procedure, also known as a hot backup, allows the database to be available at all times for mission
critical applications. Even though a hot backup can be taken at any time, it is recommended that hot backups
be planned for times when there is minimal database activity. The procedures for configuring the database for a
hot backup, performing the backup, and restoring the backup are presented in the following sections. If the
intention is to back up the AuC database via a network connection to a machine that is external to the database
server, it is suggested that the Standby AuC machine be used for this. This is an effective approach
since this machine already has an established network connection to the database server.
Backup Guidelines
It is important to manage the number of backups located on a single AuC. It is currently advised
that no more than 3 backups should reside on a single AuC in order to prevent memory issues.
Therefore, the fourth (oldest) backup should always be completely deleted from the AuC.
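The retention rule above (at most three backups on one AuC, oldest removed first) can be turned into a report that an operator reviews before deleting anything. The following is an added example, not Motorola tooling; it assumes each backup sits in its own subfolder of the backup directory and that the folder's modification time reflects when the backup was taken, and it only proposes deletions.

```python
"""Retention plan for an AuC backup directory (added example, report only)."""
import os

MAX_BACKUPS = 3  # limit stated in the Backup Guidelines on this page


def list_backups(root):
    """Return (mtime, path, file_count) for each backup folder, newest first."""
    found = []
    for entry in os.scandir(root):
        if entry.is_dir(follow_symlinks=False):
            # Count files at any depth so an archive subdirectory is included.
            count = sum(len(files) for _, _, files in os.walk(entry.path))
            found.append((entry.stat().st_mtime, entry.path, count))
    return sorted(found, reverse=True)


def retention_plan(root, keep=MAX_BACKUPS):
    """Propose which backup folders to keep and which to delete.

    Nothing is removed here. If the newest folder holds no files, the last
    backup probably failed or is still running, so no older backup is
    proposed for deletion and a warning is returned instead.
    """
    backups = list_backups(root)
    plan = {"keep": [], "delete": [], "warnings": []}
    if backups and backups[0][2] == 0:
        plan["keep"] = [path for _, path, _ in backups]
        plan["warnings"].append(
            "newest backup folder is empty; no deletion proposed")
        return plan
    plan["keep"] = [path for _, path, _ in backups[:keep]]
    plan["delete"] = [path for _, path, _ in backups[keep:]]
    return plan


if __name__ == "__main__":
    import sys
    # Pass the backup directory as the first argument; defaults to ".".
    result = retention_plan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for key in ("keep", "delete", "warnings"):
        print(key, result[key])
```
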
In order to perform hot backups, the database must be in archive log mode. Follow Procedure 6-1
to verify if the database is in archive log mode.
The database was put into archive log mode during the Authentication Centre database installation.
Procedure 6-1 How to Verify if the Database is in Archive Log Mode
1 Click Start on the Windows® task bar and select Programs>Accessories>Command Prompt.
2 In the command prompt window type:
C:\>sqlplus sys/<password> as sysdba
where password is the database administrator password specified during installation. Press Enter.
3 Type:
SQL>archive log list
and press Enter.
4 Make sure that the database log mode is Archive Mode.
5 Type:
SQL>quit
and press Enter.
6 Close the command prompt window.
1 On the remote computer, click Start on the Windows® task bar and select Settings>Control
Panel>Administrative Tools>Computer Management.
2 In the navigation tree, expand Local Users and Groups.
3 Right click on Users and select New User...
4 Enter the information for the user and press Create.
5 Close the Computer Management window.
Procedure 6-3 How to Create a Shared Backup Folder on a Remote Computer. (Continued)
5 Click the Add button.
6 Select the user created in Procedure 6-2 and then click OK.
7 Give full control to the added user.
8 Click OK to save the shared folder properties.
A user that has database management permissions can start a backup on demand from the AuC client. The
client can also be used to set the database backup schedule. See Online Help for more information about:
• setting destination for backup files
• setting database backup schedule
• starting database backup
Several situations would require an AuC database restore. The most common is that either the hard drive
containing the database stops functioning, or one or more of the files containing data becomes corrupt.
The Authentication Centre database uses a RAID 1 configuration with hot-swap drives, so if one hard
drive fails, the operator is notified to replace the bad hard drive and the system will automatically recover.
However, if both drives were unavailable, an AuC database restore would be needed.
The AuC Service must be stopped before performing the database restore. The files
from the backup folder with the latest time stamp should be used for the restoration.
Follow Procedure 6-5 to restore the AuC database using the AuC Configuration Assistant. If you
encounter any problems while performing Procedure 6-5, execute Procedure 6-6 to restore the AuC database.
Procedure 6-5 How to Restore the AuC Database Using the AuC Configuration Assistant
The backup directory will depend on where the current valid backup is stored. If
the Backup was stored remotely, then it must first be restored to the AuC backup
directory.
Result: You are prompted for the database administrator password.
6 Enter the database administrator password and click Next.
Result: The database restoration process starts.
7 Wait while the database is being restored.
Result: Information window with a summary of the restoration process appears.
8 Click Next.
Result: A summary screen appears.
9 Click Finish.
Result: The AuC database restoration process is completed.
If you encounter any problems while performing Procedure 6-5, follow
Procedure 6-6 to restore the AuC database.
Procedure 6-6 How to Restore the AuC Database
1 If the AuC Client is running, select System from menu bar and select Go Out of Service.
2 Log out of the AuC Client.
3 Click Start on the Windows® task bar and select Settings>Control Panel>Administrative
Tools>Services.
4 Stop the AUC service.
5 Close the Services window.
6 Click Start on the Windows® task bar and select Programs>Accessories>Command Prompt.
7 In the command prompt window type:
restore dir = <path to backup directory>
and press Enter.
The backup directory will depend on where the current valid backup is stored. If
the Backup was stored remotely, then it must first be restored to the AuC backup
directory.
Result: A password dialog box for Oracle SYS appears.
8 Type the database administrator password and press Enter.
Result: Another command window appears and then closes – be patient. A message appears
when the database restore is complete. Check for error messages during the restore. If an error
occurs, repeat the restore procedure.
9 Close the command prompt window.
1 Click Start on the Windows® task bar and select Settings>Control Panel>Administrative
Tools>Services.
2 Right click on the AUC service and choose Start.
3 Close the Services window.
4 Log in to the AuC Client.
The service needs about two minutes to initialize. Until initialization is completed the
AuC Client will report an error when an attempt is made to log in.
Result:
• If operating in stand-alone mode (that is, non-nationwide), an Update CCK Version screen will
be presented.
• If operating in Nationwide mode, no splash screen will be seen, as the Master AuC will
automatically synchronize the nationwide keys (KEKm and CCK). Move to step 6.
If operating in Nationwide mode and the Update CCK Version screen is seen,
check the AuC connectivity to the network as there will be a fault. Repair the
fault before executing following steps.
5 If operating in stand-alone mode select Option 1 and use the value suggested for Modify CCK
Version plus 2.
6 The AuC should now be back in an operational state. If not, select the System option in the
top tool bar and select Go Operational. The event is logged in the Events window.
It is ESSENTIAL that a new AuC backup is taken. A criterion for restoration is that the
restoration database contains the same KEKz as the operation system.
7
PrC Hardware
PrC hardware consists of the following elements, only one of the PC models is used:
• DELL OptiPlex GX270 PC
◦ 1 GB RAM memory
◦ CD-RW/DVD-ROM Drive
◦ 40+ GB Hard Disk
• HP xw4300 PC
◦ 1 GB RAM memory
◦ CD-RW/DVD-ROM Drive
◦ 40 GB+ Hard Disk
• HP xw4400 PC
◦ 2 GB RAM memory
◦ DVD-RW Drive
◦ 160 GB Hard Disk
• PrC Crypto Card
• Modem (optional)
• KVL 3000 Plus, with
◦ Key Loading Cable
◦ RS-232 Null Modem Cable
8
PrC Software Installation and Uninstallation
The Provisioning Centre (PrC) is a Windows® based, client/server software application. The PrC
generates, stores, and tracks delivery of K and SCK-TMO keys to the subscriber Mobile Stations
(MSs), using the Key Variable Loader (KVL) as a proxy to transport and confirm delivery of the
keys to the Mobile Stations. In addition, the PrC generates and exports a file containing K-REF
pairs to the Authentication Centre (AuC). The file can be written to a CD.
Before installing the PrC the Microsoft® Windows XP, Service Pack 1 or 2 operating system must be installed.
This procedure applies only to uninstallation of the 5.5SER or 6.0 PrC Database. To
uninstall an older release of the PrC Database, follow Procedure 8-5.
If an installation or uninstallation fails or is stopped, it might be necessary to manually remove
the PrC Database components. To do so, follow Procedure 8-5.
If an error message appears on the screen, look at the log file for details (the file name
is displayed on the screen). Then follow Procedure 8-5 to manually remove the
database. Note that some steps of the procedure might not be necessary if the
uninstaller has already performed some of the actions.
15 Choose if you want to restart your computer now or at later time and click Finish.
9
PrC Database Backup and Restore
Database Backup
The Oracle® database provides the capability to perform a backup without shutting down
the database. This backup procedure, also known as a ’hot’ backup, allows the database to
be available at all times for mission critical applications.
Even though a hot backup can be made at any time, it is recommended that it be
planned for times when there is minimal database activity.
Procedure 9-1 How to Configure the PrC Database for Hot Backups
1 Create a folder for the backups. Open Windows Explorer. From the File menu, choose the New
option, and select Folder. Type the name of the database backup destination.
The default database backup destination for the PrC is C:\PrCBackup. Using the
default path is recommended, as this will save a step later on in the configuration
process.
2 Click on the PrC Client desktop icon.
Result: First the PrC Splash screen shows up. Then the Provisioning Centre Login dialog box
appears (see Figure 9-1).
3 Type the User Name and the Password and then click OK to log in.
Result: The PrC Client main window appears (see Figure 9-2).
4 Select the System>PrC Database from the main PrC Client menu.
Result: The PrC Database dialog box appears (see Figure 9-3).
5 Enter the name of the database backup destination in the Path field and click OK.
Result: The PrC will attempt to validate the path to ensure that it exists. If the path does not exist,
an error message will appear; if it does, the PrC Database dialog box will close.
The next time the PrC Database dialog box is opened, the most recently specified
path will be displayed.
5 Click Yes. The backup of the database starts. The Backup in Progress field in the PrC Database
dialog box changes to Yes. The backup icon appears in the Status Bar (see Figure 9-5) and
a "PrC Backup Started" event is displayed in the Events Pane at the bottom of the
PrC Client window.
You can continue to perform other operations on the PrC Client, but they may run
slightly slower due to the backup operation taking place. You will not be able to
start a new backup, until the current backup is complete. Once backup is initiated it
cannot be canceled.
6 After about 2 minutes, when the PrC database backup process is completed, the backup icon
disappears from the Status Bar, and a "PrC Backup Complete" event is displayed
in the Events Pane.
• RBS01.DBF
• SYSTEM01.DBF
• TEMP01.DBF
• TOOLS01.DBF
• USER01.DBF
Verification
You can verify that the backup was successful by making sure that all of the files and the archive directory
are present in the backup destination directory when the backup has completed.
Once the backup is complete, the directory and its contents can be burned to a CD.
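The verification step above, as an added example (not Motorola tooling): a Python script that checks the backup destination for the data files listed above and an archive directory, then writes a SHA-256 manifest so that the copy burned to CD can be checked again before a restore. The archive directory name `archive` and the manifest file name are assumptions, and the file list is only the one visible on this page, so extend it to match the full backup set.

```python
"""Check a PrC hot-backup directory and keep a SHA-256 manifest of it (added example)."""
import hashlib
import json
from pathlib import Path

# Data file names visible in the list on this page; extend to your full backup set.
EXPECTED_FILES = ["RBS01.DBF", "SYSTEM01.DBF", "TEMP01.DBF", "TOOLS01.DBF", "USER01.DBF"]
# Assumption: the page mentions "the archive directory" but does not name it.
ARCHIVE_DIR = "archive"
# Assumption: manifest file name chosen for this example.
MANIFEST = "MANIFEST.sha256.json"


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large data files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_backup(backup_dir, expected=EXPECTED_FILES, archive_dir=ARCHIVE_DIR):
    """Presence check from the Verification paragraph. Returns a list of problems."""
    root = Path(backup_dir)
    if not root.is_dir():
        return [f"backup directory missing: {root}"]
    # Windows file names are case-insensitive, so compare in upper case.
    present = {p.name.upper(): p for p in root.iterdir()}
    problems = []
    for name in expected:
        found = present.get(name.upper())
        if found is None or not found.is_file():
            problems.append(f"missing file: {name}")
        elif found.stat().st_size == 0:
            problems.append(f"empty file: {name}")
    archive = present.get(archive_dir.upper())
    if archive is None or not archive.is_dir():
        problems.append(f"missing archive directory: {archive_dir}")
    return problems


def _data_files(root):
    """All files under root except the manifest itself, as sorted relative paths."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name != MANIFEST
    )


def write_manifest(backup_dir):
    """Record a SHA-256 digest for every file in the backup set."""
    root = Path(backup_dir)
    entries = {rel: sha256_file(root / rel) for rel in _data_files(root)}
    (root / MANIFEST).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_manifest(backup_dir):
    """Re-check a copy (for example the CD) against its manifest before a restore."""
    root = Path(backup_dir)
    recorded = json.loads((root / MANIFEST).read_text())
    problems = []
    for rel, digest in recorded.items():
        target = root / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in _data_files(root):
        if rel not in recorded:
            problems.append(f"unexpected: {rel}")
    return problems


if __name__ == "__main__":
    import sys

    target_dir = sys.argv[1] if len(sys.argv) > 1 else r"C:\PrCBackup"
    issues = check_backup(target_dir)
    if issues:
        print("\n".join(issues))
        sys.exit(1)
    print(f"{len(write_manifest(target_dir))} files recorded in {MANIFEST}")
```

Keep a second copy of the manifest away from the CD, because a manifest stored only next to the files it describes can be altered together with them.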
Several situations may require a database restore. Some of the more common problems are the following:
• Hard drive failure
• A data file becomes corrupt
• A user accidentally deletes a large amount of data
It is recommended that the latest backup set taken be used for the database restore since all of the data that
was entered since the backup will be lost. In order to perform a database restore you will need the password
for the sys user. Remember that this is the password that was set at the end of the PrC Database installation.
Database Restore
The database restore will restore all data that was committed up to the point of the database failure.
The PrC database restore requires the procedures listed in Process 9-1.
Process 9-1 PrC - Database Restore Overview
1 Click on the Start button on the Windows task bar, click Run, then click OK
Result: The Run dialog box appears.
2 Enter cmd in the Open field and click OK
Result: The command prompt window appears.
3 Enter:
restore dir = <backup directory>
If the backup files are on a CD, then insert the CD at this point.
Make sure that the PrC Client is closed before executing Procedure 9-4.
Procedure 9-4 How to Restart the PrC Service
1 Click on the Start button on the task bar, then select Settings>Control Panel>Administrative
Tools>Services.
Result: The Services window appears.
See Figure 9-6, on page 9-7
2 Locate the name PrC in the Name column.
3 If the PrC status column shows the status Started, right click and select the Stop option.
If necessary, it is possible to clean up the PrC’s database. Doing so erases all of the data stored
in the database and resets the database to its initial preinstallation state.
10
Troubleshooting the AuC
Basic Troubleshooting
There are numerous other error messages that may display during start-up of the AuC client application.
These other messages will indicate the root cause and are self-descriptive.
If you are unsuccessful at resolving your client start-up problem, please contact the ESSC for assistance.
In general, if the user is concerned that the AuC client is showing invalid or
incorrect data, the user should restart the client.
Scenario 9 (KEKz)
In the event that no Zone Controllers or TSCs have responded for a particular zone (that is
the progress bar shows 0% for any stage), it could be that the connection to a PNM box is
down or cannot be reached. See the resolution for Scenario 1.
Scenario 10 (KEKz)
In this scenario, one or more zones have infrastructure entities (Zones or Base Sites) not responding to the
activation message. In the above figure, both Zone 1 and Zone 2 are waiting for one or more acknowledgements.
Scenario 11 (KEKz)
In this scenario, one or more zones have Base Sites not responding to the SCK-TMO and CCK refresh
messages. In Figure 10-10, Zone 1 is waiting for one or more Base Sites to acknowledge the SCK-TMO
and CCK refreshes. If the AuC doesn’t have an SCK-TMO map loaded (or a Next Active SCK-TMO
Slot selected) and no CCK updates have been completed, the AuC will skip stage 2.
Scenario 12 (KEKz)
In this scenario, one or more zones have infrastructure entities (Zones or Base Sites) not responding to the
update message. In Figure 10-11, both Zone 1 and Zone 2 are waiting for one or more acknowledgements.
1 Disable CCK, SCK, and KEKm updates on the nationwide network. This can be accomplished
from any ONE AuC that is currently participating in the nationwide network.
2 Disable CCK, SCK, and KEKm updates on the new AuC. This step requires that the new AuC
already have the application software installed.
3 Physically connect the new AuC to the network, but do not logically add it to the nationwide
network.
4 Enter the SCK map into the new AuC.
5 Logically add the new AuC to the nationwide network (provide it with a Master AuC IP Address).
This allows AuC-AuC synchronization to occur.
6 Enable nationwide CCK, SCK, and KEKm updates on the network. This can be accomplished
from any ONE AuC that is currently participating in the nationwide network.
Key updates on the new AuC will automatically be enabled at this time.
1 With the Client up, select Go out of Service from the System menu.
2 Select Go Operational.
Procedure 10-3 How to Restart the AuC — Method 2 (Full reset of the AuC)
1 Click the Start button in the task bar and select the Control Panel
2 Select the Administrative Tools, followed by Services.
3 In the Services section, click on the service labelled AuC.
4 Right-click on that service after it is highlighted, and click on Stop.
5 Right-click on the AuC service and select Start.
6 Wait a few minutes, then restart the client
Procedure 10-4 How to Test the Communication Between the Primary Database and the Standby Database
6 If there does not appear to be a problem with the hosts file, then it is possible that the procedure to
set up the standby database was not carried out correctly. In that case, return to the setup procedure
in Chapter 3, "AuC Software Installation and Uninstallation", and perform the procedure again.
Before starting the procedure again, be sure to remove the standby files directories
created in the previous attempt to set up the configuration. Also, make sure to
close the command prompt windows used previously on both the standby and primary
databases.
Normal Operation
After initial set up, a number of issues could arise while performing key updates
that require operator intervention.
In the event that not all site hardware is available upon initial set up and the site has to be disabled for
key updates on the AuC, the site will have to be brought online after the initial sites are already operating
with a set of keys. When this occurs, the site will have to be provisioned prior to any other key update
operation. Once provisioned, the AuC will attempt to update the site with all the current keys. The progress
bar in the key schedules tab of the AuC will not reflect the update operations for this site. The site can
be monitored in the Local Zones tab and will be represented by a green, circular icon with a yellow
key in it when all key types for that site are current for both present and future keys.
In the event that the site fails in a key update in the first scenario, the first course of action is to "wobble" the
site by selecting the site in the AuC client under the Local Zones tab and selecting Disable Key Updates and
then selecting Enable Key Updates. This will cause the AuC to resend the keys for that site only. If that
fails, try resetting the failing entity (the base radio, the TSC, or both). Alternatively, if the site is still not updated
for all keys, the AuC can be taken Out of Service and brought back to the Operational state by selecting
appropriately from the System menu. Normally, the AuC will send out key update messages to non-updated
entities once an hour. Taking the AuC Out of Service and making it Operational again causes the AuC to
send the updates immediately unless the entity has already responded with three (3) NACKs.
In the event that an update appears to be completed for all infrastructure entities except the entity disabled
in the third scenario, contact ESSC through the normal channels for assistance.
Follow-Up Action
Check all other Key distribution Failure Resolution/Workarounds. Then contact
ESSC/TDACC if distribution still fails.
1 Start the AuC debug log and check that all entities on the AuC are set correctly for key updates:
All sites currently not commissioned are set to Key Updates Disabled.
All sites that are set to updates enabled are green on both the AuC and the Zone Watch.
Check to see if any of the sites have received the expected update.
2 If no sites have received any new keys, then there may be an issue where the NM is not
forwarding the distribution; this can be the case if the distribution is stuck at 0%.
3 This can be cleared in either of two ways:
• Run the clearance script on the NM (contact ESSC/TDACC), or
• Back up the AuC, restore to this backup, then move the next update forward at least 2 keys
and distribute again.
4 Start logging on ZoneWatch (ATIA stream), and take the logs for 1 hour and 10 minutes.
5 Check the logs for negative ACKs and note down the sites that are sending them.
6 Establish why these sites are not accepting the keys.
7 You can either fix these sites now, or disconnect them from the SwMI to fix later (see "Site Does
Not Take Keys" on page 10-23). Disconnect them using the Nortel ("lock fruni/<aabbcc>", where a =
slot, b = port, c = channel).
8 Wait 1 hour and check if distribution has completed or not.
9 If distribution completes, stop the debug logging.
Follow-Up Action
Check all other Key distribution Failure Resolution/Workarounds. Then contact
ESSC/TDACC if distribution still fails.
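An added example (not part of the Motorola documentation) of the NACK check in the steps above: it tallies ACK/NACK responses per site and key type, lists the sites to note down, and flags those that have reached the three-NACK limit mentioned under Normal Operation. The record layout and site names are constructed, because the ATIA stream format is not shown on this page, and counting NACKs since the last ACK for the same key type is an assumption.

```python
"""Triage key-update responses captured during a distribution (added example)."""
import csv
import io
from collections import defaultdict

# From the page: no immediate resend once an entity has responded with three NACKs.
NACK_LIMIT = 3

# Constructed sample in a hypothetical layout (time, site, key type, result).
# Convert the captured log to this layout first; it is not the ATIA format.
SAMPLE = """\
time,site,key,result
10:00:05,site-101,CCK,ACK
10:00:07,site-102,CCK,NACK
10:00:09,site-103,CCK,NACK
10:00:09,site-101,SCK,ACK
11:00:06,site-102,CCK,NACK
11:00:08,site-103,CCK,ACK
11:00:09,site-102,SCK,ACK
11:05:30,site-102,CCK,NACK
"""
# Constructed list of sites set to Key Updates Enabled on the AuC.
ENABLED = ["site-101", "site-102", "site-103", "site-104"]


def triage(log_text, enabled_sites, nack_limit=NACK_LIMIT):
    """Classify each enabled site from time-ordered ACK/NACK records.

    Returns (report, stray): report maps site -> {"state", "nacks"} and stray
    lists sites that responded although they are not in enabled_sites.
    """
    streak = defaultdict(int)  # (site, key) -> NACKs since the last ACK (assumption)
    responded = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        site = row["site"].strip()
        key = row["key"].strip().upper()
        result = row["result"].strip().upper()
        if result not in ("ACK", "NACK"):
            raise ValueError(f"unknown result {result!r} at {row['time']}")
        responded.add(site)
        streak[(site, key)] = 0 if result == "ACK" else streak[(site, key)] + 1

    report = {}
    for site in enabled_sites:
        nacks = {k: n for (s, k), n in sorted(streak.items()) if s == site and n}
        if site not in responded:
            state = "silent"        # enabled, but nothing seen in the capture
        elif not nacks:
            state = "acked"         # last response for every key type seen was ACK
        elif max(nacks.values()) >= nack_limit:
            state = "nack-limit"    # an Out of Service / Operational cycle will not resend
        else:
            state = "nacking"       # still rejecting; resend is possible
        report[site] = {"state": state, "nacks": nacks}
    stray = sorted(responded - set(enabled_sites))
    return report, stray


def sites_to_note(report):
    """Sites currently sending negative ACKs, in the order they were supplied."""
    return [s for s, r in report.items() if r["state"] in ("nacking", "nack-limit")]


if __name__ == "__main__":
    result, unexpected = triage(SAMPLE, ENABLED)
    for name, entry in result.items():
        print(f"{name:10} {entry['state']:11} {entry['nacks']}")
    print("responding but not enabled:", unexpected)
```

A site reported as `silent` or listed as responding while not enabled is worth checking against step 1 before any site is reset or disconnected.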
1 Start logging on Zone Watch (ATIA stream), and take the logs for 1 hour and 10 minutes.
2 Check the logs for negative ACKs and note down the sites that are sending them.
3 Establish why these sites are not accepting the keys.
4 You can either fix these sites now, or disconnect them from the SwMI to fix later (see "Site Does
Not Take Keys" on page 10-23). Disconnect them using the Nortel ("lock fruni/<aabbcc>", where a =
slot, b = port, c = channel).
5 Removing these sites, and therefore the NACKs, from the system will stop the AuC client hanging.
Follow-Up Action
If this has no effect, contact ESSC/TDACC.
1 Start logging on ZoneWatch (ATIA stream), and take the logs for 1 hour and 10 minutes.
2 Check the logs for negative ACKs and note down the sites that are sending them.
Procedure 10-8 How to Solve a KVL Download or Upload Fails on AuC (Continued)
3 Establish why these sites are not accepting the keys.
4 You can either fix these sites now, or disconnect them from the SwMI to fix later (see "Site Does
Not Take Keys" on page 10-23). Disconnect them using the Nortel ("lock fruni/<aabbcc>", where a =
slot, b = port, c = channel).
5 Removing these sites, and therefore the NACKs, from the system will allow the AuC to perform
a successful connection to the KVL.
Follow-Up Action
If this has no effect, contact ESSC/TDACC.
2 Establish, in the case of a new site, that the TSC being used has never been configured as
another site, as this can result in key information from the old site being installed in the AuC
and Negative ACKs being sent to the AuC.
3 Upload the site configuration and check for anomalies.
4 Check the BR status on FullVision.
5 Get permission to reset the Site (the whole site) FOUR times as it has been reported from the
field that some TSCs and BRs need three or four resets before they accept the Ki values.
Follow-Up Action
If these actions do not correct the issue, contact ESSC/TDACC.
Known Issues
In the event that the resolutions/workarounds stated below do not work, please contact
the ESSC through normal channels for assistance.
Whenever a cluster is being integrated into an existing network, the corresponding AuC must also be
integrated with the existing network of AuC(s). However, prior to these integration steps, all EBTSs
belonging to the cluster being integrated must be configured to operate in Security Class 2. Once
all integration activities have been completed (including the change of Mobile Network Identity
on the air interface), the newly integrated cluster may be configured to operate in Security Class 3.
From the MS perspective, the system will look homogeneous (same Mobile Network Identity used on
all cells), and therefore the AuCs must synchronize their cryptographic data in order to ensure the
same CCK is in use between all MSs and all cells belonging to the SwMI.
Resolution/Workaround
Disable and enable key updates for the EBTS that returned the NACK. If no action is taken,
SCK/CCK update will continue automatically after one (1) hour.
Resolution/Workaround
This problem occurs with an old version of the KVL software. Upgrade the KVL software to the latest valid
version. In addition, the operator can get around this by utilizing a direct connection to the AuC. Stop and
restart the AuC service through the operating system’s services window to clear the locked up state.
Resolution/Workaround
None, since the recovery is automatic and the problem is only visual. If necessary, a search can be
performed on the audit trail to detect the presence of decryption failures.
SCK Crypto Schedule doesn’t Notify User When Next Active SCK
Not Set
The scheduled time for an SCK update arrives and the AuC attempts to initiate the update. However, the
next active SCK is not set and so the AuC is unable to begin the update. The update will be rescheduled
to try again in approximately 1 hour. No notification of this status is presented to the user.
Resolution/Workaround
This situation would typically occur either following the initial configuration of the SCK crypto schedule,
or after the SCK has been advanced through several updates such that slot 31 is currently active. On
initial configuration of the SCK crypto schedule, the operator should ensure that the next active pointer
is set. The operator should also note when the end of the map is reached and take appropriate action
to load a new map (if desired) and reset the next active slot to the desired value. After the next active
pointer has been set, the next retry to initiate the SCK update (within one hour) should successfully
initiate the update (assuming all AuCs in a nationwide configuration are able to proceed).
Resolution/Workaround
Ensure the Ethernet cable is properly connected at both ends before starting the AuC. Verify/configure
the network parameters on the AuC server and shut down the AuC Sub Agent service and restart it.
The correct IP address for the AuC will now be displayed in FullVision.
Resolution/Workaround
Restart the AuC service following an MNI change. Once the AuC is operational and connected to
the UCS, start an update of Authentication Material. This will ensure that Authentication Material
containing the new MNI value has been distributed for all subscribers.
Resolution/Workaround
Avoid making multiple key distributions at the same time (especially two dependent key updates, for example,
KEKz and CCK). Take the AuC Out of Service and then back to the Operational state. If the update is not completed
and this is a nationwide system, then the AuC must be delisted to allow the remaining AuCs to complete key updates.
The act of delisting must always be preceded by transitioning the whole cluster
down to SC2 before the associated AuC is delisted. Otherwise, if key distributions
are performed for CCK then key mismatches can occur between the SwMI and
MS, which would lead to complete loss of communications between SwMI and all
MSs serviced by the cluster. The cluster can only be reconfigured back to SC3
following re-integration of the delisted AuC to the nationwide AuC network.
The delisted AuCs have to be operated in single cluster mode to complete their updates
and then joined again to the nationwide network.
Add New Site, AuC Distributes KEKz and then Waits One Hour
to Send SCK
After disabling EBTS(s) for key updates, an update of KEKz and SCK is performed, after which the
EBTS is enabled for key updates. The EBTS does not update SCK immediately.
Resolution/Workaround
Disable and then enable the affected EBTSs for key updates. If no further action is taken,
key distributions will complete after one (1) hour.
Scenario 1
CCK and SCK are keys provided to sites and are written to the ZDS. Currently, the AuC checks whether the UCS
is connected before starting these two types of key updates. So if the UCS is disconnected, CCK and SCK
updates cannot be started and a message indicating UCS or ATR disconnected will be displayed to the user (at
least in the case of a manual update). Instead, the ZDS should be checked and the message should be expanded
to indicate that the ZDS is disconnected. As a result, CCK/SCK keys cannot be sent out to sites if the UCS is down,
although it should still be possible to send them, since only ZDS connectivity matters in this case.
Resolution/Workaround
If the UCS needs to be taken down, avoid CCK/SCK key updates (manual or scheduled). If an update
occurs while the UCS connection is unavailable, the update will get stuck until the UCS returns.
Scenario 2
On a KEKz update, UCS connectivity is also being checked, but ZDS connectivity is not being checked.
This would allow a KEKz update to start and attempt to write site-secure information to a disconnected
ZDS. However, if a zone is opted out again like the ATR it shouldn’t matter whether the ZDS is up or
down for either of the two above cases. The AuC will not be able to send and will go to the 1 hour retry timer.
Resolution/Workaround
If the UCS and ZDS are disconnected, get both working/connected again. If only the ZDS is down and an
update is stuck, get the ZDS working/connected again. Once this is completed, it may be necessary to wobble sites.
Resolution/Workaround
Shut down the client during a switch over and restart the client if receiving specified errors.
11
Troubleshooting the PrC
During start up you may encounter one or more error messages that are displayed in an alert
box. The most common error messages are listed in Table 11-1.
Table 11-1 Common PrC Client Start-Up Error Messages and Descriptions
There are other error messages that may display during start-up of the PrC client application. These
other messages will indicate the root cause and are self-descriptive.
If you are unsuccessful at resolving your client start-up problem, please contact the ESSC for assistance.
In general, if the user is concerned that the PrC client is showing invalid or
incorrect data, the user should restart the client.
Symptom: Attempt to download K or SCK TMO and PrC displays no K or SCK downloaded.
Possible causes:
• No K in repository
• No SCK TMO assigned
Resolution:
For K there are three options to add K to the repository:
• Auto generate.
• Import from file.
• Manual entry.
For SCK there are two options to define SCK:
• Import from file.
• Manual entry.
Symptom: KVL displays "Bad Response from PrC" when attempting to download provisioning material. PrC displays an error about an unknown KVL trying to connect.
Possible causes:
• The KVL ID is mismatched
• Wrong KVL software version
Resolution:
• Check the PrC for the KVL ID. If the KVL does not reside in the PrC, add the KVL at the client.
• Check if the KVL has the correct ID assigned to it. This can be checked and changed in the KVL under the
Au/PrC>SETUP>KVL ID Menu.
1 With the client up, select Go out of Service from the System pull-down menu.
2 Then select Go Operational.
The PrC is still able to reload the Master Key while Out of Service.
Procedure 11-2 How to Restart the PrC — Method 2 Stop/Start PrC Server
12
Handling Compromised Units
This chapter describes how the Dimetra IP system can handle compromised subscriber units.
When a subscriber mobile station (MS) is lost or its encryption keys are compromised, you
can temporarily disable the MS until the problem is resolved.
This task allows you to submit a temporary disable command to radios throughout the system
using the Radio Control Manager (RCM) application. Perform this task when you want to
temporarily disable a subscriber MS from operating on the system.
Follow Procedure 12-1 to submit a temporary disable command to a subscriber mobile station (MS).
Procedure 12-1 How to Temporarily Disable a Radio from Operating on the System
1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop (if
the RCM application is not running). If the RCM application is running, go to step 4.
Result: The NT Explorer window appears (Figure 12-1). This example shows a three-zone
system.
2 Click the icon for the Zone from which you want to issue the temporary disable command.
Result: The applications associated with the selected zone appear in the contents pane
(Figure 12-2).
3 Double-click the Radio Control Manager icon.
Result: The Radio Control Manager window appears (Figure 12-3).
5 Select the Temporary Disable command from the Command drop-down combo box.
6 Type a radio alias or ID in the Radio field and click the right arrow button to move the entry to
the Radios Selected list. Use the following guidelines:
• You can enter either an alias or an ID. An ID must be within the valid ID range for the
system. Otherwise, it is considered an alias.
• You cannot enter duplicate radio entries within a single command.
• You can select only 100 radios. Each radio represents an individual task in a command.
To remove a radio from the Radios Selected list, select the radio and then click the left arrow
button.
7 Type a comment in the Comment field. Comments can be used for future reference (for example,
to describe the purpose of the command and the reason that it was submitted).
8 Click Submit.
Result: After a command is submitted, it appears in the Command Monitor window pane.
Subsequent actions on the command are monitored via the Command Monitor window pane.
After you click Submit, you cannot modify a command. The radios in the Radios
Selected list are the default selection for a new command. If you do not want a new
command to be issued to the same radio, you need to remove it from the list.
Due to radio system limitations and the impact on call traffic, radio commands are
sent to radios at a rate of two per second. When two or more commands are sent
to the same radio, a command is sent every two seconds.
9 Select Command Monitor from the View menu (if the Command Monitor window pane
is not currently displayed).
Result: The Command Monitor window pane appears (Figure 12-5).
10 Examine the Command Monitor window pane columns for information about the Temporary
Disable command (see the Radio Control Manager Reference booklet for details). The following
columns provide key information:
The Status column provides an overview of the state of all of the radio tasks for that
command. After a radio command is submitted, it transitions through a number of
states before completing. See the Radio Control Manager Reference booklet for a
description of command status states as listed in the Status column.
The Reason column shows the reject or failure reasons for failed commands. See
the Radio Control Manager Reference booklet for a description of reject reasons
as listed in the Reason column.
13
Authentication Centre Field Replaceable Units
Field Replaceable Units (FRUs) are sub assemblies that can be replaced in the field and returned
to Motorola for repair. Table 13-1 lists the AuC FRUs. Repair of a failed or functionally limited
module is limited to removal of the failed FRU and installation of a functional replacement
FRU. Return all failed FRUs to Motorola for further repair.
Table 13-1 Authentication Centre FRUs
See Table 13-2 for information on recommended maintenance period under normal operating conditions.
Table 13-2 Authentication Centre Periodic Maintenance Inspection
Part Number | Description | Comment | PMI Required | Motorola recommended period under normal operating conditions | PMI Action Required
GMDN0275C | Authentication Server ML370 | Model number | n/a | |
GMDN1093A | DIMETRA DL360 SERVER | | n/a | |
CLN7612A or DLN1236 | Authentication Centre Crypto Card | FRU | yes | 8 years | Replace battery. Part number CNN6002A
GMLN4204A | Display, Keyboard and KVM Switch | FRE | yes | as required | If on continuously, turn off periodically to cycle the degauss mechanism. Also, clean screen.
GMDN1157A | Modem (Multitech ZBA) | FRE encounter specific | no PMI required | n/a | n/a
14
Setup Procedures for External Modems
Follow Procedure 14-1 when preparing the MultiTech MT5634ZBA Modem for connection with the Provisioning
Centre. For connection with the Authentication Centre, no changes in Windows® setup are required.
Procedure 14-1 How to Setup Windows® for MultiTech MT5634ZBA Modem for Connection with PrC
3 Install New Modem in Windows®:
• In the Control Panel double click on the Modems or the Phone and Modem Options icon.
If the "Location Information" dialog window appears, please fill in the fields.
• You will get the Modems Properties panel. Click the Add button and you will see the
Install New Modem window. Check the Don’t detect my modem box and then click Next.
• A list of modems and manufacturers will be displayed. Click the Have disk... button.
• Browse to the location where you extracted the files from the Zip archive, select the
5634.inf and click OK in the Install from Disk box.
• You will then be shown a selection box of the MultiTech modems. Pick your modem from
the list and click Next.
If you are uncertain about your particular model, please refer to the label located
at the bottom of the modem.
• Next pick COM1 port (where the modem should be plugged in) and click Next.
Result: Windows® will now set up the modem.
1 Double click on the AuC application shortcut and log in with the appropriate user name and
password.
2 From the menu bar at the top of the Authentication Centre select the System option and from
the drop down menu select Settings option.
3 Click on the KVL Port Settings tab and set the following parameters:
• Port: COM1 (where the modem should be plugged in)
• Bit Rate: 9600
• Connection Type: Modem
Then click the OK button.
Result: The Authentication Centre is configured to work with a modem.
Procedure 14-3 How to Configure the KVL to Operate with the Modem Option
1 Connect the KVL serial port to the Modem using a 9 to 25 way all wired cable (Motorola part
number CKN6324A).
2 Check that the CTS LED on the modem is illuminated.
3 Scroll through the initial menu and select AUC/PRC.
4 Scroll through the menu and select Setup.
5 Select AUC/PRCSEL from the menu and then select Main. The KVL should display that the
ACTIVE AUC/PRC SETTING IS MAIN. Press Esc to move up one menu level.
6 Scroll through the menu and select DIAL. Select the appropriate dial method for the phone line
you are using and then press Esc to move back one menu level.
7 Scroll through the menu and select PHONE. Select MAIN and then EDIT. Enter the
Authentication/Provisioning centre phone number in here and then press Enter when finished.
8 Press Esc several times until you return to the top level of the menu tree. Then scroll through
the options until you find CONFIG option. Select this option.
9 Scroll through the options and select BAUDR. This should be set to 9600; if it is not, select
EDIT and change it to 9600.
10 Press Esc several times to return to the top level menu.
Result: The KVL should now be correctly configured to connect to the Authentication Centre via
a modem.
Volume 10:
Authentication, Encryption
and Provisioning
Booklet 2
Managing Authentication,
Encryption and Provisioning
6802800U60-D
When printed by Motorola March 2007
The EMEA Systems Support Centre provides a Technical Consulting service. This service is accessed via the Call
Management Centre.
The European System Component Centre provides a repair service for infrastructure equipment, including the
MBTS. Customers requiring repair service should contact the Call Management Centre to obtain a Return
Authorisation number. The equipment should then be shipped to the following address unless advised otherwise.
Request for help in identification of non-referenced spare parts should be directed to the Customer Care
Organization of Motorola’s local area representation. Orders for replacement parts, kits and assemblies should be
placed directly on Motorola’s local distribution organization or via the Extranet site Motorola Online at
https://emeaonline.motorola.com.
Information related to support and service of Motorola Test Equipment is available by calling the Motorola Test
Equipment Service Group in Germany at +49 (0) 6128 702179, Telefax +49 (0) 6128 951046, through the
Customer Care Organization of Motorola’s local area representation, or via the Internet at
http://www.gd-decisionsystems.com/cte/.
Your Input
...is much appreciated. If you have any comments, corrections, suggestions or ideas for this publication or any
other requirements regarding Motorola publications, please send an e-mail to doc.emea@motorola.com.
List of Tables
Table 11-30: Buttons in the SCK-Trunked Mode Operation Information display
Table 11-31: Fields in the UCS Information display
Table 11-32: Buttons in the UCS Information display
Table 11-33: Fields in the User Information display
Table 11-34: Access Permissions for AuC users
Table 11-35: Buttons in the User Information display
Table 11-36: Fields in the Zone Information display
Table 11-37: Buttons in the Zone Information display
Table 11-38: Fields in the Add User Dialog Box
Table 11-39: Access Permissions for AuC users
Table 11-40: Buttons in the Add User Dialog Box
Table 11-41: Fields in the AuC Connection display
Table 11-42: Buttons in the AuC Connection display
Table 11-43: Fields in the AuC Database Backup Schedule Dialog Box
Table 11-44: Buttons in the AuC Database Backup Schedule Dialog Box
Table 11-45: Fields in the AuC Database Dialog Box
Table 11-46: Buttons in the AuC Database Dialog Box
Table 11-47: Fields in the Change Password Dialog Box
Table 11-48: Buttons in the Change Password Dialog Box
Table 11-49: Fields in the Encryption Devices Dialog Box
Table 11-50: Buttons in the Encryption Devices Dialog Box
Table 11-51: Field in the Key Update Lock Details Information Box
Table 11-52: Buttons in the Key Update Lock Details Information Box
Table 11-53: Field in the Key Update Lock Dialog Box
Table 11-54: Buttons in the Key Update Lock Dialog Box
Table 11-55: Fields in the KVL UKEK Assignment Dialog Box
Table 11-56: Buttons in the KVL UKEK Assignment Dialog Box
Table 11-57: Fields in the Login Dialog Box
Table 11-58: Buttons in the Login Dialog Box
Table 11-59: Fields in the Miscellaneous Settings Dialog Box
Table 11-60: Buttons in the Miscellaneous Settings Dialog Box
Table 11-61: Fields in the Modify Schedule display
Table 11-62: Buttons in the Modify Schedule display
Table 11-63: Fields in the KVL Port Settings Dialog Box
Table 11-64: Buttons in the KVL Port Settings Dialog Box
Table 11-65: Fields in the Purge Audit Trail Dialog Box
Table 11-66: Buttons in the Purge Audit Trail Dialog Box
Table 11-67: Fields in the SCK-TMO Modify Dialog Box
Table 11-68: Buttons in the SCK-TMO Modify Dialog Box
Table 11-69: Fields in the Standby Settings Dialog Box
Table 11-70: Buttons in the Standby Settings Dialog Box
Table 11-71: Fields in the Update CCK Version display
Table 11-72: Buttons in the Update CCK Version display
Table 11-73: Fields in the User Settings Dialog Box
Table 11-74: Buttons in the User Settings Dialog Box
Table 11-75: Main Menu Items
List of Procedures
Procedure 2-1: How to Configure the System Object for AI Encryption and Authentication Operations
Procedure 2-2: How to Configure the EBTS Site Object for AI Encryption and Authentication Operations
Procedure 2-3: Transitioning from Security Class 2 to 3
Procedure 2-4: How to Configure the Radio Object for Authentication Purposes
Procedure 2-5: How to Configure the Key Variable Loader (KVL) Object
Procedure 3-1: How to Start the AuC Client
Procedure 3-2: How to Change a User Account Password
Procedure 3-3: How to Check the Status of the UCS, Zone or a Site
Procedure 3-4: How to Log Out of the AuC
Procedure 4-1: How to View a Mobile Station’s Key Information
Procedure 4-2: How to Generate Mobile Station (MS) Report
Procedure 4-3: How to View/Delete a List of Unmatched K-REF Pairs in the Authentication Centre
Procedure 4-4: How to Generate an Unmatched K-Ref Pairs Report
Procedure 4-5: How to View Zone Status and Key Information
Procedure 4-6: How to view BTS site’s status and encryption key information
Procedure 4-7: How to view UCS Status Information
Procedure 4-8: How to View KVL Status and Key Information
Procedure 4-9: How to Enter K-REF Pairs into the Authentication Centre via Keyboard
Procedure 4-10: How to Import K-REF Pairs into the Authentication Centre
Procedure 4-11: How to Import SCK-TMO Keys into the Authentication Centre
Procedure 4-12: How to Modify an SCK-TMO Key in the Authentication Centre
Procedure 4-13: How to Reset an Active SCK-TMO Key in the Authentication Centre
Procedure 4-14: Entering a AuC CommKey into the AuC Database
Procedure 4-15: Entering a DDK key into the AuC database
Procedure 4-16: How to Assign a UKEK Key to a KVL Device
Procedure 4-17: How to Load an Infrastructure Key (Ki) to a BTS Site Entity
Procedure 4-18: How to Refresh a Ki for Selected Zone or BTS Site Entity in the AuC Client
Procedure 4-19: How to Update a Ki Key for a Zone or BTS Site Entity in AuC Client
Procedure 4-20: How to Schedule Key Updates based on Key Type
Procedure 4-21: How to Perform Immediate Key Updates based on Key Type
Procedure 4-22: How to Assign New Authentication Material for a Mobile Station
Procedure 4-23: How to Enable/Disable Key Updates for a Mobile Station
Procedure 4-24: How to Enable/Disable Key Updates for a Zone
Procedure 4-25: How to Enable/Disable Key Updates for a BTS Site
Procedure 4-26: How to Enable/Disable Key Updates based on Key Type
Procedure 4-27: How to Enable/Disable KVL Access to the Authentication Centre
Procedure 5-1: Viewing AuC Connection Information and Status
Procedure 5-2: How to Configure Nationwide Master AuC
Procedure 5-3: How to Configure Nationwide Slave AuC
Procedure 5-4: How to Add New Slave AuC to the AuC Net
Procedure 5-5: How to Change Expected Slave AuC
List of Processes
Process 4-1: How to Provision Zone or BTS Site Entity with an Infrastructure Key
Process 4-2: How to Reprovision Zone or BTS Site Entity with an Existing Infrastructure Key
Process 4-3: How to Reprovision a Zone or BTS Site Entity with a New Infrastructure Key
Process 5-1: Nationwide AuC System configuration
Process 5-2: Key Update in the Nationwide System
This booklet discusses management of the Dimetra IP system’s Authentication and Air Interface
Encryption feature. The purpose of this manual is to provide you with the knowledge and procedures
necessary to successfully manage Dimetra IP secure authentication and air interface encryption
operations in both the Dimetra IP radio system infrastructure and subscriber units.
The purpose of this material is to provide you with the information that you will need to
use the Authentication Centre (AuC) application.
The material covered in this booklet is presented in the following chapters:
• Chapter 1, "Authentication and Air Interface Encryption Overview"
• Chapter 2, "Authentication and Air Interface Encryption Configuration"
• Chapter 3, "Introduction to Authentication Centre"
• Chapter 4, "Authentication and Air Interface Encryption Key Management"
• Chapter 5, "Nationwide AuC Configuration"
• Chapter 6, "Events Pane"
• Chapter 7, "Audit Trail"
• Chapter 8, "User Management"
Related Information
• Provisioning Centre (PrC) User Guide: Includes information on how to use the PrC application.
Icon Conventions
The document set is designed to give the reader more visual cues. The following graphic icons are used
throughout the documentation set. These icons and their associated meanings are described below.
SUGGESTION
A suggestion implies a recommendation or tip from Motorola that need not be
followed, but might be helpful. There is no warning level associated with a Suggestion.
Notes contain information more important than the surrounding text, such as exceptions or
preconditions. They also refer the reader elsewhere for additional information, remind the reader
how to complete an action (when it is not part of the current procedure, for instance), or tell the
reader where something is located on the screen. There is no warning level associated with a Note.
Information that is crucial to the discussion at hand, but that is not a Caution or Warning, receives
an Important icon. There is no warning level associated with the Important icon.
The caution icon implies information that must be carried out in a certain manner
to avoid problems, procedures that may or may not be necessary as determined by
the reader’s system configuration, and so on. Although no damage will occur if
the reader does not heed the caution, some steps may need repeating.
The danger icon implies information that, if disregarded, may result in severe
injury or death of personnel. This is the highest level of warning.
If your Dimetra system is not running in “Nationwide Mode”, some of the screen shots in this manual will be
slightly different from what you will see on the system you are working on. All screens that might appear
different will be accompanied by the icon above, and a brief description of the possible differences.
Chapter 1: Authentication and Air Interface Encryption Overview
To provide maximum security for over-the-air communications within the Dimetra IP system,
both validation of system entities (or authentication) and encryption of over-the-air signalling
and traffic are necessary. The Authentication and Air Interface Encryption feature provides
secure communication capabilities by safeguarding both access to the system and transmission
of sensitive over-the-air voice, data, and control signalling.
The Authentication and Air Interface Encryption feature relies on use of secure encryption keys that are
provisioned to equipment within the radio system infrastructure and to subscriber radios. These keys are used
to perform encryption and decryption services during the authentication and over-the-air encryption processes.
This section covers the following topics:
• "Authentication"
• "Air Interface Encryption"
Authentication
The Authentication feature allows the Dimetra IP system infrastructure and subscriber mobile station (MS) to
validate that the other entity is genuine before granting access to system services. Use of the Authentication
feature establishes a level of trust between the radio system infrastructure and the subscriber.
There are two types of authentication supported by the Dimetra IP system:
• "Explicit Authentication"
• "Implicit Authentication"
Explicit Authentication
Explicit authentication utilizes a "challenge-response-result" process to verify the validity of
a mobile station (MS). Initiated by the system infrastructure, explicit authentication of an MS
is generally performed during the following system actions:
• Mobile station (MS) power-up registration
• System-initiated registration
• Registration without air interface encryption applied
• Registration performed by a temporarily disabled MS
A successful explicit authentication is achieved when the MS verifies knowledge of a secret authentication
key (K). A unique secret authentication key (K) is loaded into each MS when commissioned and is never
transmitted outside the MS. Instead of using the authentication key (K) directly, the explicit authentication
process uses authentication material that is known by the MS and system’s zone controllers. The
authentication material is provided by the AuC and is derived from the MS’s authentication key (K).
Figure 1-1 illustrates the "challenge-response-result" process of explicit authentication.
Upon receiving an explicit authentication challenge, an MS can also request an explicit mutual
authentication by the system infrastructure (the feature must be supported by the MS).
The SwMI can be deliberately configured to bypass the authentication process for
a given MS in order for it to gain access to the system. This can be achieved
by clearing an MS’s authentication material from the system infrastructure, or by
not provisioning a REF for the ITSI in the radio record or an MS’s
K-REF pair in the AuC. However, the system can be configured to prevent users
from accessing it without authentication (except under link failure conditions).
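The challenge-response-result exchange described above, sketched as an added example (not Motorola code and not part of the original manual). HMAC-SHA-256 stands in for the TETRA authentication algorithms, and the class names, seed and challenge sizes, status strings and the require_authentication flag are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed one-way function. HMAC-SHA-256 is a stand-in, not a TETRA algorithm."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


class AuC:
    """Authentication Centre: the only infrastructure element that stores K."""

    def __init__(self):
        self._k_by_itsi = {}

    def provision(self, itsi: str, k: bytes) -> None:
        self._k_by_itsi[itsi] = k

    def authentication_material(self, itsi: str) -> dict:
        # The material is derived from K; K itself is never handed out.
        seed = secrets.token_bytes(10)
        session_key = prf(self._k_by_itsi[itsi], b"session", seed)
        return {"seed": seed, "session_key": session_key}


class MobileStation:
    def __init__(self, itsi: str, k: bytes):
        self.itsi = itsi
        self._k = k  # loaded at commissioning, never transmitted
        self._pending_dck = None
        self.dck = None

    def respond(self, seed: bytes, challenge: bytes) -> bytes:
        # The MS re-derives the same material from its own K and the seed.
        session_key = prf(self._k, b"session", seed)
        self._pending_dck = prf(session_key, b"dck", challenge)[:10]
        return prf(session_key, b"response", challenge)[:4]

    def result(self, success: bool) -> None:
        # A new DCK is adopted only after a successful authentication.
        if success:
            self.dck = self._pending_dck
        self._pending_dck = None


class ZoneController:
    """Holds derived authentication material only, never K."""

    def __init__(self, require_authentication: bool = True):
        self.require_authentication = require_authentication
        self._material = {}

    def load_material(self, itsi: str, material: dict) -> None:
        self._material[itsi] = material

    def authenticate(self, ms: MobileStation):
        material = self._material.get(ms.itsi)
        if material is None:
            # No material for this MS: authentication cannot run. Whether the
            # MS still gets access is a configuration decision.
            if self.require_authentication:
                return "rejected-no-material", None
            return "granted-unauthenticated", None
        challenge = secrets.token_bytes(10)                      # challenge
        response = ms.respond(material["seed"], challenge)       # response
        expected = prf(material["session_key"], b"response", challenge)[:4]
        ok = hmac.compare_digest(response, expected)
        ms.result(ok)                                            # result
        if not ok:
            return "rejected-bad-response", None
        return "authenticated", prf(material["session_key"], b"dck", challenge)[:10]


def demo() -> dict:
    k = bytes(range(16))  # constructed sample key
    auc = AuC()
    auc.provision("itsi-1", k)
    zc = ZoneController()
    zc.load_material("itsi-1", auc.authentication_material("itsi-1"))
    return {
        "genuine": zc.authenticate(MobileStation("itsi-1", k))[0],
        "wrong_k": zc.authenticate(MobileStation("itsi-1", bytes(16)))[0],
        "no_material": zc.authenticate(MobileStation("itsi-2", k))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The zone controller never sees K, and an MS without provisioned material is refused unless the operator has deliberately allowed unauthenticated access.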
Implicit Authentication
Implicit authentication relies on the encryption process to verify the validity of a mobile station’s
(MS’s) registration. A successful implicit authentication is achieved when the MS verifies knowledge
of the current air interface encryption key (SCK-TMO or CCK/DCK). If the BTS site can
successfully decrypt the registration request, the MS is considered authentic.
Implicit authentication is generally invoked for an MS after having performed a successful
explicit authentication during power-up, for example when roaming between sites and zones (call
restoration). The use of implicit authentication improves system cell reselection performance (over
explicit authentication) by avoiding unnecessary re-authentications.
When operating with AI encryption enabled (Security Class 2 or 3), the system can be configured to
accept mobile stations (MSs) operating with no encryption (Security Class 1). This configuration
allows both clear and encrypted users to operate on the Dimetra IP system. This configuration
is not recommended since it is less secure than a system with all users using encryption.
The air interface encryption process uses encryption keys shared by MSs and Base Transceiver System
(BTS) sites. BTS site entity encryption keys are loaded either by the Authentication Centre (AuC)
or by the Zone Controller (ZC). MS encryption keys can be provisioned by the Provisioning Centre
(PrC), sent encrypted with other encryption keys from BTSs or generated internally by MSs. Some
keys are the same for the whole system, others are unique for each MS.
When operating, the air interface encryption process encrypts and decrypts all uplink and downlink short
subscriber identities (SSIs) as well as individual, group, and broadcast addressed information.
The air interface encryption process is illustrated in Figure 1-2.
The air interface encryption feature is implemented on a system-wide basis and supports operation
of both encrypted and non-encrypted (or “clear”) over-the-air traffic. For MSs, encryption and
decryption of traffic signalling is enabled or disabled by the radio system based on the encryption
state of each MS involved in a call. If enabled by the radio system, the MS encrypts/decrypts
information based on its knowledge of the encryption key.
key change seamlessly without loss of service. If a mobile station supporting Security Class 3 does not have
possession of a newly activated CCK key, a request is sent for the new key by the mobile station to the BTS
site. The BTS site sends the CCK key to the mobile station using over-the-air rekeying (OTAR).
For the Dimetra IP system, operating the Authentication and Air Interface Encryption features requires the
storage, distribution, and update of encryption keys. These tasks are centrally managed in the system
by the AuC application. The AuC performs the following key management tasks:
• Tracks key currency status for devices within the system infrastructure.
• Generates, imports, and allows manual entry of key material.
• Stores all key material for the authentication and air interface encryption functions.
◦ Keys are stored encrypted in a database using a Master Key.
• Securely provisions keys to new system infrastructure devices using the
key variable loader (KVL) device.
• Distributes new, updated keys to system infrastructure devices on a scheduled
or on-demand basis.
This section covers the following topics:
• "Key Management in Non–Nationwide Systems"
• "Key Management in Nationwide Systems"
• "Key Distribution"
• "Key Updates"
• "Key Storage"
[Figure: AUC1 and UCS1 with Zone1x and Zone2x; the AuCs synchronize and share distribution of common keys.]
An MS’s K-REF pair (required for authentication) must be manually delivered to the AuC
that is responsible for managing the MS, that is, the home cluster for the MS.
Key Distribution
Key distribution for the Authentication and Air Interface Encryption features is managed by the AuC. Delivery
of keys to system infrastructure devices (e.g., zone controllers, TETRA site controllers, base radio controllers)
is initiated by the AuC when a new entity is provisioned in the system and when key updates are enabled.
For subscriber mobile stations (MSs), key distribution is performed by the Dimetra IP system’s PrC
application (except for the CCK key, which is distributed to the MS over-the-air by the BTS site).
System Infrastructure
The AuC distributes keys to zone and BTS site entities in the system infrastructure. For system
infrastructure devices, authentication and air interface encryption keys are distributed using
an external key variable loader (KVL) device and over the system infrastructure network.
However, each key type is managed separately from the AuC.
The Network Management subsystem is used as a routing mechanism for key material.
The AuC must be connected to the Dimetra IP system and establish connections to all
of its entities, BEFORE it will be able to generate Ki keys.
Figure 1-7 illustrates the infrastructure key (Ki) distribution.
After the Ki is provisioned on a BTS site and the ACK is returned to the AuC (provisioning operation
complete), the AuC will update KEKz, SCK-TMO, and CCK keys in the BTS site.
Authentication Material
Unique authentication material is delivered to the zone controller for each mobile station (MS).
The authentication material keys are distributed as encrypted keys (using the KEKm key) over
the system infrastructure network. Once decrypted by the KEKm key, the authentication material
is used by the zone controller to authenticate a mobile station (MS).
Figure 1-10 Common Cipher Key (CCK)/Static Cipher Key–Trunked Mode Operation (SCK-TMO)
key distribution
Key Updates
The update of authentication and air interface encryption keys stored in the system infrastructure is
performed by the AuC (except for the derived cipher key (DCK), which is updated automatically
by the system during a successful authentication). The AuC provides the ability to perform
scheduled and on-demand updates of the following keys:
• authentication material
• common cipher keys (CCK)
• static cipher key-trunked mode operation keys (SCK-TMO)
For nationwide Dimetra IP systems, all AuCs are required to be operational during
an update of KEKm, SCK and CCK keys.
Table 1-1 provides a list of recommended update periods for keys used by the
authentication and air interface encryption feature:
Table 1-1 Recommended Key Update Periods

| Key Type | Minimum Period | Typical Period | Maximum Period |
|---|---|---|---|
| Authentication Key (K) | if compromised | lifetime of MS | lifetime of MS |
| Infrastructure Key (Ki) | if compromised | lifetime of entity | lifetime of entity |
| Authentication Material | if compromised | 6 months | 12 months |
| System Key Encryption Key (KEKm) | if compromised | 12 months | 18 months |
| Zone Key Encryption Key (KEKz) | if compromised | 12 months | 18 months |
| Static Cipher Key-Trunked Mode Operation Key (SCK-TMO) | if compromised | 12 months | 18 months |
| Common Cipher Key (CCK) | if compromised | 1 day | 30 days |
| derived cipher key (DCK) | if compromised | 24 hours | last successful authentication |
| AuC Comm Key (Communication Key) | if compromised | lifetime of entity | lifetime of entity |
Key Storage
The AuC maintains storage of key material used for the authentication and air interface encryption
functions. The key material is stored encrypted in a database using a Master Key supplied by
the AuC encryption device (an internal Crypto Card is used for encryption). The correct master
key must be used to read encryption keys from the AuC database.
The AuC database stores copies of key material currently loaded in system entities and maintains a repository
of new key material for future use. New key material is obtained by the AuC using one of three methods:
• Generated internally by the AuC using the encryption device
• Imported by file via CD-ROM or floppy disk
• Typed in manually via keyboard
Table 1-2 lists each authentication and air interface encryption key and the source of its key material.
Table 1-2 Encryption Keys and their Source Materials
When new key material is required in the system, the AuC retrieves a new version from the repository.
Once the new version is assigned, distributed, and successfully deployed in the proper system entity,
the key material/entity association is recorded and tracked by the AuC.
Chapter 2: Authentication and Air Interface Encryption Configuration
This chapter provides procedures for configuring the authentication and air interface
encryption feature option in the Dimetra IP system.
This chapter covers the following topics:
• "Configuring Authentication and Air Interface Encryption Operation"
• "Configuring Devices for Authentication and Air Interface Encryption"
To configure the operational mode for the air interface (AI) encryption and authentication features, the
Dimetra IP system maintains a set of configuration parameters in the network management subsystem.
These parameters are configured using the System object (of the User Configuration Manager (UCM)
application) and the EBTS Site object (of the Zone Configuration Manager (ZCM) application).
Table 2-1 provides the proper configuration settings for each operational mode of the
air interface encryption and authentication feature.
Table 2-1 Air Interface Encryption and Authentication Feature Operational Mode Settings
Operational Mode: Security Class 3 (DCK AI Encryption) in conjunction with authentication and with fallback encryption mode (to Security Class 2 Encryption)
System Object Settings (UCM):
• Authentication Enabled set to Yes
• Air Interface Encryption Enabled set to Yes
• Key Change Notification Period (KCNP) set to 300 seconds
• Security Class Change Notification Period (SCCNP) set to 5 seconds
EBTS Site Object (ZCM):
• Security Class 3 Enabled field set to Yes
System Object
The following task allows you to configure the Dimetra IP system for operation of the
authentication and air interface encryption feature.
Follow Procedure 2-1 to configure the UCM application’s System object for
authentication and air interface encryption operations.
Procedure 2-1 How to Configure the System Object for AI Encryption
and Authentication Operations
1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop.
Result: PRNM Suite Application Launcher window appears.
2 Double-click the User Configuration Manager icon. The User Configuration Manager
window appears.
3 Select the System object in the left pane.
Result: The System object is listed in the window’s right pane.
7 From the Air Interface Encryption Enabled field, select the appropriate radio button to enable
or disable the air interface encryption feature for the system.
8 From the Authentication Enabled field, select the appropriate radio button to enable or disable
the authentication feature for the system.
9 Using the Authentication Timer (sec) field, set the maximum length of time for an authentication
session.
12 Using the Key Change Notification Period field, set the maximum number of seconds that the
notification period for an air interface encryption key change can last.
The BTS will wait a minimum time equivalent to the settings of SCCNP, SCHP
and KCNP.
14 Using the Security Class Hysteresis Period field, set the number of seconds that the conditions
for transitioning from security class 2 to security class 3 must be in effect before proceeding with
the security class change. See Procedure 2-3 for transitioning from Security Class 2 to 3.
Procedure 2-2 How to Configure the EBTS Site Object for AI Encryption
and Authentication Operations
1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop.
Result: PRNM Suite Application Launcher window appears.
3 Double-click the Zone Configuration Manager icon.
Result: The Zone Configuration Manager window appears.
5 To open the EBTS Site object configuration dialog box, do one of the following:
• highlight the EBTS Site object in the right pane and select Open from the File menu (see
Figure 2-10), or
• highlight the EBTS Site object in the right pane and use the Ctrl+O shortcut, or
• right-click on the EBTS Site object in the right pane and select Open from the pop-up
menu
7 Using the Security Class 2 only MS Supported radio button, select whether to allow mobile
stations that support only security class 2 (SCK AI encryption) operation to perform power-on
registration on the system.
This field setting does not affect other types of MS registrations, for example,
roaming. This parameter may be used to prevent legacy terminals performing
power-on registration.
8 Using the Security Class 3 Enabled radio button, select whether to enable security class 3
encryption (DCK AI encryption) for the EBTS site.
9 Click Apply.
Result: The EBTS Site object is committed to the database.
The following procedure is not applicable from Dimetra 5.2 SER system onwards, because the
system will automatically adjust the SCCNP and SCHP parameters from the default value.
◦ KCNP = 300
◦ SCCNP = 300
• Set Security Class 3 to Enabled in the relevant ZCMs (EBTS Site> Object)
• Ensure that the last site set is a local BTS
Result: This allows the initial distribution of keys to take place. If these parameters are not set
prior to enabling Class 3, a loss of service can occur.
If either the site link is disconnected or the link to the home zone is disconnected
whilst the SCCNP parameter is set to 300 seconds, then the subscriber will be unable
to register on the affected cell for up to 300 seconds, i.e. until the cell has transitioned
to Security Class 2. This transition to Security Class 2 occurs because it provides a
fallback encryption scheme, since Security Class 3 was not possible due to network
failures. Normally, the SCCNP parameter should be set to 5 seconds, which allows
the subscriber immediate access to the cell.
3 Verify that Security Class 3 is in operation:
• The last site set to Security Class 3 enabled should be the local site.
• Ensure that only one radio is registered on this site, and that the radio is configured to
use Security Class 3.
• Ten minutes after enabling Security Class 3 for the site, verify that the MS is registered
with SC3 and make a call with the radio.
• When the call is successful, proceed with step 4.
4 After enabling the Security Class 3 service within the cluster for a zone, and after allowing a
minimum of 10 minutes following the last EBTS Object change, the following must be carried out:
• Log in to UCM
• Open System Object > Configuration
◦ KCNP = 300
◦ SCCNP = 5
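The ordering constraints in the Security Class 3 enablement sequence above (timers raised first, a local BTS enabled last, a 10-minute wait before SCCNP returns to 5) can be checked against a change record. The following is an added example, not Motorola code; the record layout, the site names, the finding codes and the function name are assumptions made for illustration.

```python
from datetime import datetime, timedelta

SETTLE = timedelta(minutes=10)  # wait required after the last EBTS Site object change

# Constructed change record: (timestamp, object, field, value).
# The tuple layout is hypothetical; it is not a UCM or ZCM log format.
SAMPLE_CHANGES = [
    ("2007-03-01 09:00", "System", "KCNP", 300),
    ("2007-03-01 09:00", "System", "SCCNP", 300),
    ("2007-03-01 09:05", "EBTS:remote-12", "SC3_ENABLED", True),
    ("2007-03-01 09:07", "EBTS:local-01", "SC3_ENABLED", True),
    ("2007-03-01 09:12", "System", "SCCNP", 5),  # only 5 minutes after the last site
]
SAMPLE_LOCAL_SITES = {"EBTS:local-01"}


def check_sc3_rollout(changes, local_sites):
    """Return (code, detail) findings; an empty list means the order was followed.

    Assumes the record is in time order and starts before any rollout change.
    """
    findings = []
    timers = {}          # last value seen for each System object timer
    last_site = None     # most recent site switched to Security Class 3
    last_enable = None   # time of that change
    for stamp, obj, field, value in changes:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if obj == "System":
            if field == "SCCNP" and value == 5 and last_enable is not None:
                waited = when - last_enable
                if waited < SETTLE:
                    findings.append(
                        ("SETTLE_TOO_SHORT", f"SCCNP set to 5 after {waited}"))
            timers[field] = value
        elif field == "SC3_ENABLED" and value is True:
            # Both timers must already be 300 so initial key distribution can finish.
            if timers.get("KCNP") != 300 or timers.get("SCCNP") != 300:
                findings.append(("TIMERS_NOT_RAISED", obj))
            last_site, last_enable = obj, when
    if last_enable is None:
        return findings  # no Security Class 3 change in this record
    if last_site not in local_sites:
        findings.append(("LAST_SITE_NOT_LOCAL", last_site))
    if timers.get("SCCNP") != 5:
        # Left at 300, a link failure blocks registration for up to 300 seconds.
        findings.append(("SCCNP_NOT_RESTORED", str(timers.get("SCCNP"))))
    return findings


if __name__ == "__main__":
    for code, detail in check_sc3_rollout(SAMPLE_CHANGES, SAMPLE_LOCAL_SITES):
        print(code, detail)
```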
The Dimetra IP system maintains specific device configuration information within the network management
subsystem relating to operation of the authentication and air interface encryption feature. The following
device objects contain parameters used by the authentication and air interface encryption feature option:
• Radio (Mobile Station)
• KVL
Radio Object
A Radio object maintains a field for storing the mobile station’s radio reference ID (REF).
The REF is defined as either the mobile station’s TETRA equipment identity (TEI) or
subscriber identity module identifier (SIM-id).
Any mobile station that does not have a REF assigned will not be stored or displayed
by the Authentication Centre (AuC). The mobile station will be permitted access
to the system without using authentication.
Procedure 2-4 explains how to enter a mobile station’s REF parameter using the Radio object.
Procedure 2-4 How to Configure the Radio Object for Authentication Purposes
1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop.
Result: The PRNM Suite Application Launcher window appears.
2 Double-click the User Configuration Manager icon.
Result: The User Configuration Manager window appears.
5 From the Radio Reference ID field, enter the radio’s assigned REF number. The REF number
can either be the SIM number (using the S prefix) or TEI number (using the T prefix).
6 Click Apply.
Result: The authentication setting for the radio is committed to the database.
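Because a radio record without a REF is not tracked by the AuC and is admitted without authentication, it is worth auditing the radio list for missing or malformed REFs. The following is an added example, not Motorola code: it checks a constructed radio list against the REFs that have a K-REF pair on file. The CSV layout, column names, case-folding of REFs and function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample data. The CSV layout and column names are assumptions made
# for this example; they are not a UCM or AuC export format.
SAMPLE_RADIOS_CSV = """radio_id,alias,ref
1001,PATROL-01,T000111222333444
1002,PATROL-02,S8944000000000001
1003,LEGACY-07,
1004,DEPOT-03,8944000000000002
1005,PATROL-09,t000111222333444
1006,PATROL-11,T000999888777666
"""

# REF values that have a K-REF pair on file (constructed; no key material is needed).
SAMPLE_KREF_REFS = ["T000111222333444", "S8944000000000001", "S8944000000000099"]

REF_TYPES = {"S": "SIM-id", "T": "TEI"}  # prefixes named in the Radio object procedure


def normalise_ref(raw):
    """Trim and upper-case a REF. Case-folding is an assumption of this example."""
    return (raw or "").strip().upper()


def audit_refs(radios_csv, kref_refs):
    """Compare radio records with the REFs that have K-REF pairs.

    Returns a dict of finding lists:
      no_ref          radios with an empty REF (admitted without authentication)
      bad_prefix      radios whose REF lacks the S or T prefix
      duplicate_ref   (radio, first radio) pairs sharing one REF
      ref_without_k   radios whose REF has no K-REF pair on file
      k_without_radio REFs with a K-REF pair but no radio record
    """
    findings = {"no_ref": [], "bad_prefix": [], "duplicate_ref": [],
                "ref_without_k": [], "k_without_radio": []}
    known = {normalise_ref(r) for r in kref_refs}
    owner_by_ref = {}
    for row in csv.DictReader(io.StringIO(radios_csv)):
        radio_id = row["radio_id"].strip()
        ref = normalise_ref(row.get("ref"))
        if not ref:
            findings["no_ref"].append(radio_id)
        elif ref[0] not in REF_TYPES or len(ref) < 2:
            findings["bad_prefix"].append(radio_id)
        elif ref in owner_by_ref:
            findings["duplicate_ref"].append((radio_id, owner_by_ref[ref]))
        else:
            owner_by_ref[ref] = radio_id
            if ref not in known:
                findings["ref_without_k"].append(radio_id)
    findings["k_without_radio"] = sorted(known - set(owner_by_ref))
    return findings


if __name__ == "__main__":
    for name, items in audit_refs(SAMPLE_RADIOS_CSV, SAMPLE_KREF_REFS).items():
        print(f"{name}: {items}")
```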
KVL Object
A KVL object maintains configuration information for use by the authentication and
air interface encryption feature option.
Before the KVL can be used with the AuC, the same UKEK key must be assigned
in the KVL itself and in the AuC application.
Procedure 2-5 explains how to configure a KVL object.
Procedure 2-5 How to Configure the Key Variable Loader (KVL) Object
1 Double-click the Motorola Private Radio Network Management Suite icon on the desktop.
Result: The PRNM Suite Application Launcher window appears.
2 Double-click the User Configuration Manager icon.
Result: The User Configuration Manager window appears.
3 Select the Key Variable Loader object (under the System Configuration folder) in the left pane.
Result: The existing KVL objects are listed in the window’s right pane.
5 Using the KVL Alias field, enter an alias that uniquely identifies the KVL.
6 Using the KVL ID field, enter an ID number that uniquely identifies the KVL.
7 Using the Security Group field, assign the KVL to a security group on the system.
8 Click on the Configuration tab.
Result: The KVL object’s configuration information is displayed.
9 In the Configuration tab display, select the zones to which the KVL will be allowed to download
encryption keys obtained from the AuC.
10 Click Apply.
Result: The KVL object is committed to the database.
3
Introduction to Authentication Centre
The Authentication Centre (AuC) is a client/server software application that handles encryption
key management duties for the Motorola Dimetra IP two-way radio system. The AuC
handles distribution, storage, and update of encryption keys used by the Dimetra IP system’s
Authentication and Air Interface Encryption feature.
The AuC provides the following features:
• Up-to-date display of key currency status for appropriate Dimetra IP radio
system infrastructure devices.
• Central location for secure storage of both infrastructure and subscriber device
keys. Keys can be imported via file, typed in via keyboard, or generated by
the AuC’s encryption device (Crypto Card (CC)).
• Scheduled or on-demand key updates of infrastructure devices using secure distribution methods.
• Unique authentication key material that enables the system to perform real-time
authentication of subscriber mobile stations and infrastructure devices without
need to transmit a secret authentication key.
If your Dimetra system is not running in “Nationwide Mode”, some of the screen shots in this manual will
be slightly different from what you’ll see on the system you are working on. All screens that might appear
different are accompanied by the icon below, and a brief description of the possible differences is given.
This section provides an overview of the Authentication Centre (AuC) and Provisioning Centre
(PrC) components installed in the Dimetra IP system.
The AuC provides the authentication and key management material for devices related to air interface
security functions in the Dimetra IP. It is responsible for generating the cipher keys used for key
management throughout the infrastructure, and accountable for scheduled key changes, including
changing the SCK and CCK. One AuC is required for each cluster.
Infrastructure Keys are provisioned via the Key Variable Loader (KVL). Other keys and infrastructure
data are distributed via TCP/IP network to infrastructure servers.
These servers are:
• FullVision (FV)
• Zone Database Server (ZDS)
• User Configuration Server (UCS)
• Air Traffic Router (ATR)
The PrC generates, stores, and tracks delivery of K and SCK-TMO keys to the subscriber Mobile Stations
(MSs), using the Key Variable Loader (KVL) as a proxy to transport and confirm delivery. In addition, the
PrC generates and exports a file containing K-REF pairs to the Authentication Centre (AuC).
The Key Variable Loader (KVL) is a secure “store-and-forward” device for transporting and
provisioning keys from the PrC to Mobile Stations and from the AuC to Zone Controllers and
BTSs. The Crypto Card (CC) provides tamper-proof key encryption services. It must be
installed in the designated PrC workstation and in the AuC Server.
Figure 3-2 shows how the Dimetra IP infrastructure devices interface with the Authentication
Centre (AuC) and the Provisioning Centre (PrC).
Authentication Centre
This section describes the basic principles of what the AuC does and its infrastructure.
After reading the contents of this section you should:
• Be familiar with the functions that the AuC performs.
• Have gained an understanding of what the AuC Client, AuC Server and AuC Database do.
The AuC also maintains an external connection to the Key Variable Loader (KVL). The KVL
is connected either directly or via modem and is used for non-encrypted key transfers from the
AuC to each zone or Base Transceiver System (BTS) site entity.
The AuC client/server application utilizes a "three-tier" approach that distributes the software
application into three separate, but dependent entities:
• "Authentication Centre Client"
• "Authentication Centre Server"
• "Authentication Centre Database"
On nationwide systems the AuC clients can connect to other servers, to get
information on other AuCs in the system.
The AuC server application is deployed on a designated Windows® 2000 Server PC either alone or
together with the AuC database. An AuC client can also be installed on the AuC server.
This section describes planning steps required to make effective use of the Dimetra IP system’s authentication
and air interface encryption features. This section covers the following topics:
• "Planning Your Steps"
• "Technical Implementation Steps"
Security Question | System Feature/Control
Will you allow security class 1 mobile stations to operate on the system? | UCM System object
Will authentication be required by mobile stations? | UCM System object
How often do you want to change keys? | AuC Key Scheduling
What will be the source of imported keys used in the system? | AuC Key Database
Who will have access to the Authentication Centre (AuC)? | AuC User Management
What permissions should each AuC user have? | AuC User Management
What key variable loaders (KVLs) are allowed to communicate with the AuC? | AuC System Management
If a new entity is added to the system, do you want the entity to automatically receive keys from AuC? | AuC System Management
How will sensitive documents and key material media (such as CDs) be stored? | N/A
How do you want to handle possible key compromise via a lost or stolen subscriber unit? | N/A
First Steps
This section introduces you to a number of tasks related to starting to work with the AuC application.
These will be especially useful if you are a new user of the application. The following topics
provide information on relevant procedures and reference information.
This section covers the following topics:
• "Starting the Authentication Centre Client Application"
• "Changing a User Account Password"
• "Verifying Authentication Centre Status"
• "Displaying Key and Entity Information"
• "Logging out of the Authentication Centre Client Application"
If one or more error messages are displayed during start-up, refer to "What Do I Do if
I get an Error Message when Starting the Client?" for assistance.
1 Double-click on the Authentication Centre shortcut icon on the desktop or select the
Programs>Motorola>Authentication Centre Client application from the Windows® start-up
menu.
Result: The splash screen appears.
2 After a few seconds, the Authentication Centre - Login dialog box appears.
To change the password immediately upon login, check the Change Password
checkbox (see Procedure 3-2).
Result: A few seconds after logging in, the Authentication Centre client main window appears.
When you log into the client for the very first time after installation you will
have to use the following default values:
• User Name: admin
• Password: changeme1
After logging in using default values, you must add a new user to the database. In order to
begin the normal operation of the AuC, this user must be given user management permission.
You should then exit the application and log in again using the new user values. After you
have logged in as this new user, the default login values will no longer be valid.
When logging in for the first time the Change Password dialog box appears
automatically and change of password is obligatory.
Result: The Change Password dialog box appears.
User names and passwords must comply with the user name and password
requirements set up in the current User Settings. See "The User Settings Tab".
3 Click OK.
Result: The password is changed for the next login.
1 To view the UCS, Zone or Site entity status, select the Local Zones tab.
2 To view the UCS status, select the UCS entity in the Zones display.
Result: UCS Status and Version information is displayed.
3 To view a specific Zone or Base Transceiver System (BTS) site entity’s status, expand (if
necessary) the tree view by clicking the plus icons next to the zones, and select the entity you
want to view.
Result: When you select an entity, the respective key status is displayed in the work pane to
the right.
Procedure 3-3 How to Check the Status of the UCS, Zone or a Site (Continued)
2 Click Yes.
Result: The AuC Client window closes.
This section describes the components that make up the application’s main window.
This section covers the following topics:
• "Authentication Centre Main Window Structure"
• "The Work Pane"
• "The Events Pane"
• "The Status Bar"
• "The Menu Bar"
Maintaining a Microsoft® Windows® look and feel, the AuC main client window functions as
the top-level container for the following user interface elements:
• "The Work Pane"
• "The Events Pane"
• "The Status Bar"
• "The Menu Bar"
The work pane displays content corresponding to the task you are performing in the Authentication Centre
(AuC) client. Acting as a container, the work pane allows you to switch among content selections using
tabs. The content tabs that are selectable in the AuC main client window are listed in Table 3-2.
AuC Server Operating State | Description
Operational | Normal operating mode
Out of Service | Non-operational mode. AuC client user can only perform the following tasks:
• Loading a Master Key into an Encryption Device
• All User Management tasks
• Changing Authentication Centre operating state
Database Restored | During Database Restored state only nationwide operations can be performed. Database Restored state is a sub-state of Out of Service state.
The AuC Connection status icons to the right report the conditions listed in Table 3-4.
Table 3-4 AuC Connection Status Icons
Icon Description
All required system devices (UCS, ATR, ZM) are connected to the AuC server.
A system device (UCS, ATR, ZM) is not connected to the AuC server.
When standby database connection monitoring is enabled (see "Turning Standby Connection
Monitoring On" on page 9-6), the standby status icon is displayed. Table 3-5 lists possible
standby database connection states and corresponding icons.
Table 3-5 Standby Database Connection States
Getting Help
The Authentication Centre (AuC) client is equipped with a context-sensitive online help system
that provides comprehensive information about the client application and how to work with it.
To view context sensitive help, select Help from the menu that you are working in. To view the
full help system, simply select Help Contents from the Help menu.
This section covers the following topics:
• "Using Context Sensitive Help"
• "Using Full Text Search"
Element | Description
Windows | Most windows display a Help button. Click the button and a topic opens in the online help window that provides links to information on related procedures and window fields and buttons.
Dialog Boxes | Some dialog boxes display a Help button. Click the button and a topic opens in the online help window that explains how to perform the procedure related to the dialog box.
Menu Commands | The AuC menu bar provides some commands under the Help menu to quickly navigate to specific types of information.
The full online help system can be accessed from within each topic by clicking
the Show hyperlink at the top of each page.
4
Authentication and Air Interface Encryption
Key Management
Any mobile station that does not have a REF assigned will not be stored or displayed by
the AuC. These mobile stations will not be provided with authentication material and
therefore will be permitted to access the system without authentication.
The following topics provide procedures associated with the Mobile Stations tab in the AuC client display:
• "Generating Mobile Station (MS) Report" on page 4-5
• "Assigning New Authentication Material for a Mobile Station" on page 4-49
• "Enabling/Disabling Key Updates for a Mobile Station" on page 4-52
The following topics provide reference information associated with the Mobile
Stations tab in the AuC client display:
• "Security Group Selection Tree View" on page 11-21
• "Mobile Stations List" on page 11-17
• "Mobile Stations Search" on page 11-19
2 Define the appropriate search criteria in the Mobile Station Search Form, highlighted below
(search text is case-insensitive). For a description of the available search criteria see Online Help.
You must specify the appropriate security group in order to execute a mobile station
search. You can select a security group from the Security Groups tree display and
the entry is automatically populated in the Security Group field.
• The UCS Security Group functions as a “wildcard” in a search
• Any fields that are left empty will not be included in the search
3 Click on the Search button.
Result: The search results are displayed in the list window, highlighted below.
4 Locate the appropriate mobile station in the list window for current key information. The mobile
station’s key information appears in the appropriate row in the list window.
2 Click on the Export button. Search criteria applied have no effect on the information exported.
Result: A dialog box to select a location and format for the report file appears.
3 Select location and file format and click Save.
Result: A dialog box indicating the progress of the MS information export appears.
4 Click OK.
Procedure 4-3 How to View/Delete a List of Unmatched K-REF Pairs in the Authentication Centre
(Continued)
4 Click Delete.
Result: The following dialog box appears.
5 Click Yes.
Result: The K-REF pair is removed from the list box.
6 To delete all the unmatched K-REF pairs from the AuC database, click the Delete All button.
Result: The following dialog box appears.
Figure 4-8 The Delete All Unmatched K-REF Pairs Dialog Box
7 Click Yes.
Result: The K-REF pairs are removed from the list box (the list box is empty).
Depending on the number of K-REF pairs, this can take a long time.
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.
Figure 4-10 The Save Unmatched K-REF Pairs Report Dialog Box
4 Choose the location and file name of the report and click Save.
If a file with this name already exists, the following dialog will be displayed. Choose
either to overwrite the file or not as appropriate.
Figure 4-11 The Save Unmatched K-REF Pairs Report Confirmation Dialog Box
5 A progress bar will be displayed. This will close when the generation of the report is complete
and the following dialog box will be displayed.
The following topics provide reference information associated with the Local
Zones tab in the AuC client display:
• "Key Status tree view" on page 11-15
• "Zone Information" on page 11-25
Follow Procedure 4-5 to view a zone’s status and encryption key information.
1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears.
2 The zone icons are red, yellow or green according to the state the entity’s keys are in. You can
quickly observe a zone’s key status by locating its respective key status icon (see Table 11-21,
"Key Status Icons (Zones and BTS sites)," on page 11-15). To view all details about an entity’s
keys, click the appropriate icon in the tree view to the left.
Result: The zone’s key information appears in the work pane, highlighted below.
Procedure 4-5 How to View Zone Status and Key Information (Continued)
The Local Zones tab in the Authentication Centre (AuC) provides information and tasks for performing
key management of BTS site infrastructure entities. The following topics provide procedures applying
to BTS site entities and associated with the Local Zones tab in the AuC client display:
• "Displaying Key and Entity Information" on page 3-13
• "Viewing BTS Site Status and Key Information" on page 4-12
• "Enabling/Disabling Key Updates for an EBTS Site" on page 4-57
The following topics provide reference information associated with the Local
Zones tab in the AuC client display:
• "Key Status tree view" on page 11-15
• "EBTS Site Information" on page 11-7
Follow Procedure 4-6 to view a BTS site’s status and encryption key information.
Procedure 4-6 How to view BTS site’s status and encryption key information
1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears (see Figure 4-13).
2 The site icons are red, yellow or green according to which state the entity’s keys are in. You can
quickly observe BTS key status by locating its respective key status icon (see Table 11-21, "Key
Status Icons (Zones and BTS sites)," on page 11-15). To view all details about an entity’s keys,
click the appropriate icon in the tree view to the left.
Result: The site’s key information appears in the work pane, highlighted below.
The following topics provide reference information associated with the Local
Zones tab in the AuC client display:
• "Key Status tree view" on page 11-15
• "UCS Information" on page 11-21
1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears (see Figure 4-13).
2 To view the UCS status, select the UCS entity in the Zones display.
Result: UCS Status and Version information is displayed. The UCS icon reflects the connection
status.
The following topics provide reference information associated with the Key
Loaders tab in the AuC client display:
• "KVL Information" on page 11-16
• "KVL Status list view" on page 11-17
• "Port Settings Dialog Box" on page 11-38
• "KVL UKEK Assignment Dialog Box" on page 11-34
Follow Procedure 4-8 to view a KVL’s encryption key, connectivity information and status.
Procedure 4-8 How to View KVL Status and Key Information
1 From the AuC client main window, select the Key Loaders tab.
Result: The Key Loaders tabbed pane appears.
2 Locate and click on the appropriate KVL device in the KVLs list display.
Result: The KVL’s current key status is reflected in both the icon color, and in the Status
field to the right.
IF the key status icon is colored... | THEN...
Green | KVL is provisioned in the AuC database
Yellow | KVL is not provisioned in AuC database (due to no assigned UKEK key)
Red | KVL is locked out from connectivity to AuC (this is set within the AuC)
The Key Database tab in the Authentication Centre (AuC) provides the ability to load and store K-REF
pairs for mobile stations (MS), static cipher key-trunked mode operation (SCK-TMO) keys, Authentication
Communication (AuC Comm) keys and the Dimetra Distribution Key (DDK).
The following topics provide procedures associated with the Key Database tab in the AuC client display:
• "Viewing a List of Unmatched K-REF Pairs" on page 4-6
• "Generating an Unmatched K-Ref Pairs Report" on page 4-8
• "Entering K-REF Pairs into the Authentication Centre" on page 4-17
• "Importing a K-REF Pair File into the Authentication Centre" on page 4-20
• "Importing a SCK-TMO Key File into the Authentication Centre" on page 4-21
• "Modifying an SCK-TMO Key in the Authentication Centre" on page 4-25
• "Setting the Next Active SCK-TMO Key" on page 4-27
• "Entering the AuC Communications Key" on page 4-30
• "Entering a Dimetra Distribution Key" on page 4-32
The following topics provide reference information associated with the Key
Database tab in the AuC client display:
• "AuC Comm Key (Communication Key)" on page 11-1
• "DDK (Dimetra Distribution Key)" on page 11-6
• "K-REF Pairs" on page 11-10
• "Key Database Selection" on page 11-12
• "SCK-Trunked Mode Operation Information" on page 11-20
• "AuC Database Backup Schedule Dialog Box" on page 11-29
• "AuC Database Dialog Box" on page 11-30
• "SCK-TMO Modify Dialog Box" on page 11-39
This procedure allows you to type in the K-REF pair from the keyboard. To
import a K-REF pair file, see Procedure 4-10.
Follow Procedure 4-9 to enter K-REF pairs manually into the AuC.
Procedure 4-9 How to Enter K-REF Pairs into the Authentication Centre via Keyboard
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.
K-REF pairs cannot be automatically generated by the AuC. They are generated
by the Provisioning Centre (PrC), or created externally, for example by a secure
authority. They can be entered manually using the AuC.
• Type in the authentication key (K) for the MS in the K field
• Using the radio buttons, select the REF type (SIM or TEI) used for the MS
• Type in the REF for the MS in the Ref field
The Enter button will remain grayed out until all of the required information has
been entered in the appropriate fields.
5
If the user enters a K-REF pair where the Ref part already exists in a K-REF pair in
the AuC, the following dialog box appears.
This procedure allows you to import a K-REF pair file. To manually type a
K-REF pair into the AuC, see Procedure 4-9.
Follow Procedure 4-10 to copy a K-REF pair file into the AuC.
Procedure 4-10 How to Import K-REF Pairs into the Authentication Centre
1 From the AuC client main window, select File>Import Keys... from the main menu.
Result: The following dialog box appears.
5 Click OK.
Result: Import progress is indicated in the Events display.
All SCK key slots should be populated in the AuC. If an empty key slot is selected as the Next
Active key then the key update will not take place until the slot has been populated.
If a new set of SCK-TMO keys is imported, the same keys must be provisioned to
the MSs. If they are not, encryption using SCK-TMO will not be possible.
Follow Procedure 4-11 to import a SCK-TMO key file into the AuC.
Procedure 4-11 How to Import SCK-TMO Keys into the Authentication Centre
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.
4 Select the SCK-TMO file in the dialog box.
5 Click the Import button.
All SCK slots in the SCK-TMO file must be filled, otherwise import will be
impossible.
Result: The following dialog box appears.
7 Click OK.
Result: The keys are imported into the AuC database.
Importing new SCKs will cause a partial distribution of keys; if the AuC is part of a
Nationwide system, the keys will be distributed to the other AuCs.
If an SCK-TMO key is modified after it has been provisioned to the MSs, air
interface encryption using this key will not be possible.
Procedure 4-12 How to Modify an SCK-TMO Key in the Authentication Centre (Continued)
2 Select SCK-Trunked Mode Operation in the Keys selection display.
Result: The SCK-TMO information display appears in the work pane.
7 Click OK.
Result: The key information is updated.
The OK button will remain grayed out until all of the required information has
been entered in the appropriate fields.
Performing this task enables changing the active SCK-TMO throughout the system during
the next SCK-TMO key update. There is no resulting disruption to system operations by this
task. When the key update occurs, the AuC communicates the change to each BTS site on the
system. To determine if a BTS site is using the new active SCK-TMO key, see Procedure 4-6,
"How to view BTS site’s status and encryption key information," on page 4-13.
Follow Procedure 4-13 to set the next active SCK-TMO key in the AuC.
Procedure 4-13 How to Reset an Active SCK-TMO Key in the Authentication Centre
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.
5 Click Yes.
Result: The Next Active slot appears in the work pane.
Since all AuCs need the same AuC CommKey, a synchronized key change is recommended
to ensure proper system communication. It is also recommended to temporarily disable
key schedules while an AuC CommKey change takes place.
Follow Procedure 4-14 to define the AuC Communications Key.
Procedure 4-14 Entering a AuC CommKey into the AuC Database
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.
2 Select AuC CommKey (Communication Key) in the Keys selection display.
Result: The AuC CommKey information display appears in the work pane.
The Enter button will remain grayed out until all of the required information has
been entered in the appropriate fields.
This task is necessary only when upgrading from a Dimetra IP Release 4.x system, or earlier.
Follow Procedure 4-15 to enter an existing DDK key into the AuC database.
Procedure 4-15 Entering a DDK key into the AuC database
1 From the AuC client main window, select the Key Database tab, or select Key Database from
the Key menu.
Result: The Key Database tabbed pane appears.
2 Select DDK (Dimetra Distribution Key) in the Keys selection display.
Result: The DDK (Dimetra Distribution Key) information display appears in the work pane.
1 From the AuC client main window, select the Key Loaders tab.
Result: The Key Loaders tabbed pane appears.
2 Locate and click on the appropriate KVL in the KVLs list display.
Result: The KVL’s key information appears in the work pane.
3 To assign a new UKEK key for the selected KVL, click the Assign New UKEK... button.
Result: The following dialog box appears.
The UKEK entered must match the one stored in the KVL.
5 Click OK.
Result: The key assignment is confirmed in the Events display.
Key Distribution
This section provides procedures for distributing infrastructure keys (Ki) to zone and BTS site entities.
This section also provides procedures for performing key updates to Dimetra IP system entities.
The BTS will wait a minimum time equivalent to the settings of SCCNP, SCHP and KCNP.
This section covers the following topics:
• "Provisioning Zone or BTS Site Entity with an Infrastructure Key"
• "Reprovisioning Zone or BTS Site Entity with an Existing Infrastructure Key"
• "Reprovisioning Zone or BTS Site Entity with a New Infrastructure Key"
• "Clearing an Infrastructure Key from a Zone or BTS Site Entity"
• "Scheduling Key Updates"
• "Performing Immediate Key Updates"
• "Assigning New Authentication Material for a Mobile Station"
If at least one Ki acknowledgment message is received by AuC from an entity (Zone or BTS site),
then the entity is no longer listed in the KVL. Thus, before reconnecting the KVL to the AuC
server, make sure that the Ki is provisioned to all entities that require the Ki, that is:
• when provisioning Zones:
◦ primary and standby Zone Controllers (ZC)
• when provisioning BTS sites:
◦ primary and standby Tetra Site Controllers (TSC)
◦ complete set of Base Radios (BR)
If you need the entity to be listed in the KVL again, use the Refresh Ki or Update Ki button
for this entity in the AuC client and then connect the KVL to the AuC server.
1 Connect the KVL to the AuC server (directly or via modem). Using the KVL’s menu load the
Ki from the AuC to KVL.
Result: The appropriate Ki keys are loaded to the KVL.
2 • If you are provisioning the Ki to the Zone entity, connect the KVL to the Serial Port D of
each Zone Controller (ZC) (primary and standby) via the null-modem. Using the KVL’s
menu load the Ki from the KVL to the ZC. Wait for the Ki to be uploaded to the ZC and for
the acknowledgement message to be loaded back to the KVL.
• If you are provisioning the Ki to the BTS Site entity, follow Procedure 4-17.
3 Connect the KVL to the AuC server (directly or via modem). Using the KVL’s menu, load the
acknowledge messages from the KVL to the AuC.
Result: The acknowledge messages are loaded to the AuC. The Ki Status becomes Stable for
the selected Zone or BTS Site entity. This signifies that the Ki key is successfully provisioned.
If the Ki is loaded into a zone or BTS site entity, but the acknowledgement message
is not returned to the AuC, this entity will not receive key updates which use Ki, that
is, updates of KEKm and KEKz keys.
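The completeness rule above (every ZC, TSC and Base Radio acknowledged before the KVL goes back to the AuC) can be checked mechanically from the operator's own load record. The following is an added example, not Motorola code: the unit labels, the record layout and the sample data are hypothetical and constructed for illustration.

```python
# Added example: pre-reconnect check of Ki acknowledgements collected on a KVL.
# Unit labels ("ZC-primary", "BR1", ...) and the record layout are hypothetical;
# the operator fills them in from the site inventory and the KVL session notes.


def required_units(entity_type, base_radios=0):
    """Units that must each take the Ki and return an acknowledgement."""
    if entity_type == "zone":
        return ["ZC-primary", "ZC-standby"]
    if entity_type == "bts":
        if base_radios < 1:
            raise ValueError("a BTS site needs its Base Radio count")
        return ["TSC-primary", "TSC-standby"] + [
            f"BR{n}" for n in range(1, base_radios + 1)
        ]
    raise ValueError(f"unknown entity type: {entity_type!r}")


def check_before_reconnect(entities, acked):
    """Classify each entity by the acknowledgements held on the KVL.

    entities: {name: (entity_type, base_radios)}
    acked:    iterable of (entity_name, unit_label) pairs
    Returns {name: (state, missing_units)} where state is
      "complete" - every required unit acknowledged
      "partial"  - some units acknowledged; once the AuC receives any of
                   these, the entity is no longer listed in the KVL
      "none"     - nothing acknowledged yet
    """
    got = {}
    for name, unit in acked:
        if name not in entities:
            raise KeyError(f"acknowledgement for unknown entity {name!r}")
        got.setdefault(name, set()).add(unit)

    report = {}
    for name, (etype, brs) in entities.items():
        need = required_units(etype, brs)
        have = got.get(name, set())
        unexpected = have - set(need)
        if unexpected:
            raise ValueError(f"{name}: unexpected units {sorted(unexpected)}")
        missing = [u for u in need if u not in have]
        if not missing:
            state = "complete"
        elif have:
            state = "partial"
        else:
            state = "none"
        report[name] = (state, missing)
    return report


def safe_to_reconnect(report):
    """True only when no entity is in the 'partial' state."""
    return all(state != "partial" for state, _ in report.values())


# Constructed sample: one zone fully loaded, one site missing a Base Radio,
# one site not visited yet.
ENTITIES = {"Zone 1": ("zone", 0), "Site 12": ("bts", 3), "Site 14": ("bts", 2)}
ACKED = [
    ("Zone 1", "ZC-primary"), ("Zone 1", "ZC-standby"),
    ("Site 12", "TSC-primary"), ("Site 12", "TSC-standby"),
    ("Site 12", "BR1"), ("Site 12", "BR2"),
]

if __name__ == "__main__":
    result = check_before_reconnect(ENTITIES, ACKED)
    for name, (state, missing) in result.items():
        print(f"{name}: {state}, missing: {', '.join(missing) or '-'}")
    print("safe to reconnect KVL to AuC:", safe_to_reconnect(result))
```

A "partial" entity is the case the text warns about: finish loading its remaining units first, or expect to use Refresh Ki or Update Ki to get it listed in the KVL again.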
Use a new configuration to create the TSC configuration file (do not use any other site’s
configuration file).
2 Commission the BTS site for local site trunking mode (standalone mode) with the air interface
encryption feature disabled in the site configuration file.
3 If the BTS site has not yet been integrated with the Dimetra IP system, commission the BTS
site for wide area trunking mode with air interface encryption feature disabled in the User
Configuration Server (UCS).
Procedure 4-17 How to Load an Infrastructure Key (Ki) to a BTS Site Entity (Continued)
4 Allow time for site configuration to be downloaded into the network management subsystem.
The site configuration must correctly specify the Zone ID and Site ID parameters.
Otherwise, the KVL will download the wrong keys to the site. Use the TSC’s
Man-Machine Interface (MMI) to verify the correct Zone and Site IDs using the
display config command.
5 Using a terminal interface, log in to the TSC’s MMI using the FIELD login.
Result: You see the SC> prompt.
6 From Application Mode, type LOCK at the prompt.
Result: The BTS site is placed in locked mode.
7 Type KVL at the prompt.
Result: The front panel serial port is configured for KVL use.
8 Within 60 seconds, connect the KVL to the TSC’s front serial port.
9 Using the KVL menus, load the Ki key into the TSC.
Result: Wait for the key load acknowledgement message.
10 Using a terminal interface, log in to the first Base Radio Controller (BRC) MMI using the FIELD
login.
Result: You see the BRC> prompt.
11 Type KVL at the prompt.
Result: The front panel serial port is configured for KVL use.
12 Within 60 seconds, connect the KVL to the BRC’s front serial port.
13 Using the KVL menus, load the Ki key into the BRC.
Result: Wait for the key load acknowledgement message.
14 Repeat step 10 through step 13 for each BRC at the BTS site.
15 Using a terminal interface, reconnect to the TSC’s MMI using the FIELD login.
Result: You see the SC> prompt.
16 From Application Mode, type UNLOCK at the prompt.
Result: The BTS site is placed in unlocked mode.
17 Type RESET at the prompt to reset the TSC.
Result: The TSC is reset.
1 In the AuC Client select the zone or BTS Site entity that requires Ki to be refreshed. Follow
Procedure 4-18 to refresh a Ki for selected zone or BTS site entity in the AuC Client.
2 Connect the Key Variable Loader (KVL) to the AuC server (directly or via modem). Using the
KVL’s menu load the Ki from the AuC to KVL.
Result: The appropriate Ki keys are uploaded to the KVL.
3 • If you are refreshing the Ki for the Zone entity, connect the KVL to the Serial Port D of
each Zone Controller (ZC) (primary and standby) via the null-modem. Using the KVL’s
menu load the Ki from KVL to the ZC. Wait for the Ki to be uploaded to the Zone and for
the acknowledgement message to be loaded back to the KVL.
• If you are refreshing the Ki for the BTS Site entity, follow Procedure 4-17.
4 Connect the KVL to the AuC server (directly or via modem). Using the KVL’s menu load the
acknowledge messages from the KVL to AuC.
Result: The acknowledge messages are uploaded to the AuC. The Ki Status becomes Stable for
the selected Zone or BTS Site entity. This signifies that the Ki key is successfully reprovisioned.
2 Locate and click on the appropriate zone or BTS site in the Zones tree display.
3 Click the Refresh Ki button, highlighted below, to reprovision an existing infrastructure key
(Ki) for the selected entity.
Procedure 4-18 How to Refresh a Ki for Selected Zone or BTS Site Entity in the AuC Client
(Continued)
4 Click OK.
Result: The AuC is ready to upload the Ki to a KVL.
1 In the AuC Client select the zone or BTS Site entity that requires a new Ki to be assigned.
Follow Procedure 4-19 to update a Ki for selected zone or BTS site entity in the AuC Client.
2 Connect the Key Variable Loader (KVL) to the AuC server (directly or via modem). Using the
KVL’s menu load the Ki from the AuC to KVL.
Result: The appropriate Ki keys are uploaded to the KVL.
3 • If you are reprovisioning the new Ki to the Zone entity, connect the KVL to the Serial Port D
of each Zone Controller (ZC) (primary and standby) via the null-modem. Using the KVL’s
menu load the Ki from the KVL to the ZC. Wait for the Ki to be uploaded to the Zone and
for the acknowledgement message to be loaded back to the KVL.
• If you are reprovisioning the new Ki to the BTS Site entity, follow Procedure 4-17.
4 Connect the KVL to the AuC server (directly or via modem). Using the KVL’s menu load the
acknowledge messages from the KVL to the AuC.
Result: The acknowledge messages are uploaded to the AuC. The Ki Status becomes Stable for
the selected Zone or BTS Site entity. This signifies that the Ki key is successfully reprovisioned.
If the Ki is loaded into a zone or BTS site entity, but the acknowledgement message is
not returned to the AuC, the AuC will use the previous Ki for key updates which use
Ki, that is, updates of KEKm and KEKz keys.
1 From the AuC client main window, select the Local Zones tab.
Result: The Local Zones tabbed pane appears.
2 Locate and click on the appropriate zone or BTS site in the Zones tree display on the left.
3 Click the Update Ki button, highlighted below, to assign a new infrastructure key (Ki) for the
selected entity.
Procedure 4-19 How to Update a Ki Key for a Zone or BTS Site Entity in AuC Client (Continued)
4 Click OK.
Result: The Key Status icon becomes red for the selected zone or BTS Site. This signifies
that the new Ki key should be provisioned.
When the AuC is part of a nationwide system, key schedules are shared by all the AuCs connected to it.
The following topics provide procedures associated with the Key Schedules tab in the AuC client display:
• "Scheduling Key Updates"
• "Performing Immediate Key Updates"
• "Enabling/Disabling Key Updates By Key Type"
The following topics provide reference information associated with the Key Schedules tab in the AuC client display:
• "Key Schedule Information"
• "Key Schedules Selection"
• "Modify Schedule Dialog Box"
Follow Procedure 4-20 to schedule key updates for a key type throughout the system infrastructure.
1 From the AuC main client window, select the Key Schedules tab, or select Key Schedules
from the Key menu.
Result: The Key Schedules tabbed pane appears.
2 Locate and click on the appropriate key type in the Key Schedules display.
Result: The selected key type’s update schedule information appears in the work pane, as
highlighted below.
Procedure 4-20 How to Schedule Key Updates based on Key Type (Continued)
5 Click OK.
Result: The schedule modification screen closes and the settings are saved in the AuC database.
Now the key update will automatically be initiated at the selected date and time.
It is good practice to carry out a database backup after key updates. This keeps the information in the
database current, and avoids potential issues with the currency of key data if the database is restored.
Although the AuC may have completed a requested SCK or CCK change, the actual change
on the air interface may not yet be complete (if the notification period has not yet expired).
However, no harm will result if further key changes are requested - the site will initiate a
change for the last activated key as soon as the ongoing change has completed.
Follow Procedure 4-21 to perform immediate key updates for a key type throughout the system infrastructure.
Procedure 4-21 How to Perform Immediate Key Updates based on Key Type
1 From the AuC main client window, select the Key Schedules tab, or select Key Schedules
from the Key menu.
Result: The Key Schedules tabbed pane appears.
2 Locate and click on the appropriate key type in the Key Schedules display.
3 Click Start Update Now.
Result: The following dialog box appears.
The user is asked to confirm because some updates require a long time to finish.
Starting a manual update has no impact on the date and time for the next scheduled
update.
Once provisioned and enabled for key updates, future authentication material
updates for an MS are performed during scheduled updates.
Follow Procedure 4-22 to assign new authentication material for a mobile station.
Procedure 4-22 How to Assign New Authentication Material for a Mobile Station
2 Define the appropriate search criteria in the Mobile Station Search Form, highlighted below
(search text is case-insensitive). For a description of the available search criteria see Online Help.
You must specify the appropriate security group in order to execute a mobile station
search. You can select a security group from the Security Groups tree display and
the entry is automatically populated in the Security Group field.
Result: The mobile station selection(s) are highlighted.
3 Click on the Search button. The search results are displayed in the list window, highlighted
below.
4 Select the appropriate mobile station(s) in the list window. To select multiple MSs, do the
following:
• To select a group of MSs that are next to each other in the list window, click and drag the
mouse over the selections (or hold down the SHIFT key and click each item you want
to select).
• To select a group of MSs that are not next to each other in the list window, hold down the
CTRL key and click each item you want to select.
Result: The mobile station selection(s) are highlighted.
5 To update authentication material for the selected MSs, click the Update Auth Now button.
Result: The following dialog box appears.
6 To disable key updates for the selected MSs, click the Disable Key Updates button.
7 Click Yes.
Result: The information is saved in the AuC database.
When key updates are disabled, the MS will no longer get new authentication material,
for example, when KEKm key and authentication material updates are performed.
CCK and SCK-TMO key changes are not affected. The MS still receives new CCK
keys, and uses a different SCK-TMO key when requested.
Follow Procedure 4-23 to enable or disable key updates for a mobile station.
Procedure 4-23 How to Enable/Disable Key Updates for a Mobile Station
2 Define the appropriate search criteria in the Mobile Station Search Form, highlighted below
(search text is case-sensitive). For a description of the available search criteria see Online Help.
You must specify the appropriate security group in order to execute a mobile station
search. You can select a security group from the Security Groups tree display and
the entry is automatically populated in the Security Group field.
Result: The mobile station selection(s) are highlighted.
3 Click on the Search button.
Result: The search results are displayed in the list window, highlighted below.
4 Select the appropriate mobile station(s) in the list window. To select multiple MSs, do the
following:
• To select a group of MSs that are next to each other in the list window, click and drag the
mouse over the selections (or hold down the SHIFT key and click each item you want
to select).
• To select a group of MSs that are not next to each other in the list window, hold down the
CTRL key and click each item you want to select.
Result: The mobile station selection(s) are highlighted.
5 To enable key updates for the selected MSs, click the Enable Key Updates button.
Result: The Mobile State field in the list window is changed to "Enabled".
6 To disable key updates for the selected MSs, click the Disable Key Updates button.
Result: The following dialog box appears.
7 Click Yes.
Result: The Mobile State field in the list window is changed to "Disabled (manually)".
2 Locate and click on the appropriate zone in the Zones tree display on the left.
The Key Updates button is a toggle button. Thus, when Key Updates are enabled,
the button will say Disable Key Updates, and when Key Updates are disabled, it
will say Enable Key Updates.
Result: The status of a zone and all sites beneath changes accordingly. If key updates are being
disabled, a confirmation dialog box appears.
2 Locate and click on the appropriate BTS site in the Zones tree display on the left.
3 Click the Enable Key Updates button to enable, or the Disable Key Updates button to disable, key
updates for the selected BTS site. The location of the button is highlighted below.
The Key Updates button is a toggle button. Thus, when Key Updates are enabled,
the button will say Disable Key Updates, and when Key Updates are disabled, it
will say Enable Key Updates.
Procedure 4-25 How to Enable/Disable Key Updates for a BTS Site (Continued)
Result: The status of a BTS site changes accordingly. If key updates are being disabled, a
confirmation dialog box appears.
This procedure affects scheduled updates only (immediate key updates can still be performed).
When disabling, any key updates currently in progress will continue to be performed.
2 Locate and click on the appropriate key type in the Key Schedules display and click Modify
Schedule...
Result: The selected key type’s modify schedule dialog box appears.
Procedure 4-26 How to Enable/Disable Key Updates based on Key Type (Continued)
3 To enable key updates, deselect Disable Key Schedule, select the values then click OK.
Result: Your schedule information will be stored and a key update will take place when
scheduled.
4 To disable key updates, select Disable Key Schedule then click OK.
Result: The Modify Schedule window will close and the Key Schedule State will show
Disabled.
5 Click Yes.
Result: The Key Schedule State field displays the current state of the schedule.
1 From the AuC client main window, select the Key Loaders tab.
Result: The Key Loaders tabbed pane appears.
The Deny Access/Allow Access button is a toggle button. Thus, you click the
same button to turn KVL access on or off. For example, to enable KVL access
(when disabled) to the AuC, you click the Allow Access button. Once KVL access
is enabled, the toggle button’s state changes to Allow Access. This allows you to
disable KVL access to the AuC in the future.
Result: The KVL’s current key status is changed in both the colored icon of the KVLs display
and by the Status field in the KVL Information display. If KVL access is being disabled,
the following dialog box appears.
Procedure 4-27 How to Enable/Disable KVL Access to the Authentication Centre (Continued)
4 Click Yes.
Result: The KVL’s current key status is changed to disabled in both the colored icon of the Key
Status display (to red) and by the Status field in the KVL Information display.
Chapter 5: Nationwide AuC Configuration
For a Nationwide (multicluster) Dimetra IP system, an AuC is required for each cluster (each
cluster supports up to seven zones). Each AuC handles the key management tasks for that
cluster. To support system-wide key management tasks, the AuCs in the nationwide system
communicate with one another to perform updates of the KEKm, SCK-TMO, and CCK keys.
The nationwide AuC system consists of one Master AuC and up to seven Slave AuCs. Which of the AuCs is
the Master AuC must be configured manually. The Master AuC is responsible for the following operations:
• assuring that system-wide keys in all AuCs in the Nationwide system are consistent
• initiating nationwide key updates of system-wide keys
• coordinating updates between the Slave AuCs
• coordinating update schedules between the Slave AuCs
The system-wide keys are transferred securely between AuCs using a shared AuC
communication key, also referred to as the CommKey.
This chapter covers the following topics:
• "Viewing AuC Connection Information and Status"
• "Nationwide AuC System Configuration"
• "Key Updates in the Nationwide System"
• "Slave AuCs Reconfiguration in the Nationwide System"
• "Returning to the Single Cluster Mode"
• "Nationwide AuC System Reconfiguration"
The following topics provide reference information associated with the AuC
Connectivity tab in the AuC client display:
• "AuC Connectivity"
• "AuC Net"
• "General Network Information"
• "AuC Connection"
The AuC Connectivity tab in the Authentication Centre provides information about the Nationwide system
that the local AuC is a part of. The local AuC is the AuC that the user is currently logged on to. For each
AuC Server listed in the AuC Net window, the AuC Connectivity window provides the following information:
• Server Alias
• Server ID
• Server Version
• Server Status
• Nationwide Role
• IP Address
The General Network Information window provides information about Master Alias, Master IP
address, Expected Slave and key update status for the following keys:
• CCK
• SCK-TMO
• System KEK
Follow Procedure 5-1 to view connectivity status and information in the nationwide system.
1 From the AuC client main window, select the AuC Connectivity tab in the work pane.
Result: The AuC Connectivity tabbed pane appears.
When the AuC is not a part of the Nationwide system the AuC Net window is empty
and the remaining fields in the AuC Connectivity tab do not provide any information.
Result: The AuC server that you are currently logged on to is displayed with the status In-Service
(see the highlight in the screen below).
When this process is completed, the CCK, SCK-TMO and System KEK Keys and
their update schedules for all AuC Servers connected to the nationwide system will
be synchronized by the nationwide master.
4 Wait until the Expected Slave AuC connects to the AuC Net.
Only an AuC with an IP address matching the IP address of the Expected Slave defined
in step 3 will be able to connect to the Master AuC. To change the IP address of
the Expected Slave, see Procedure 5-5. To learn how to configure a Slave AuC and
connect it to the system, see Procedure 5-3.
Result: When the Expected Slave AuC connects to the AuC System it will be listed in the
AuC Net window as Connected. Master will automatically update the CCK, SCK-TMO and
System KEK keys on the Slave AuC.
4 Wait until the Slave AuC connects to the Master AuC. The slave will be able to connect to the
Master AuC only when its IP address is set in the Master AuC as the IP address of the Expected
Slave AuC.
When the attempt to connect to the Master AuC fails, there will be one of the
following messages in the master’s Event Log:
• Connection closed. Reason (Unknown Address): the IP address of the Expected Slave AuC set up in the Master AuC does
not match the IP address of the Slave AuC that is trying to connect;
• Connection closed. Reason (Different Static Cipher Key Table): the SCK tables on master and slave do not match;
Result: The Slave AuC tries to establish the connection with the master every 5 minutes until it
succeeds. When the Slave AuC connects to the master, the status of the master listed in the AuC
Net window changes to Connected.
5 The CCK, SCK-TMO and System KEK keys in the connected Slave AuC and/or other AuC Servers
are updated so that they become identical. When the key update fails, one of
the messages listed and described in Table 5-1 appears in the master’s Event Log. See the description of the
received message to find the solution and enable the key update.
UCS disconnected: The AuC has been disconnected from the UCS. Restore the
connection with UCS.
Remote server did not respond in time: AuC Server did not answer the key update request within one
minute.
There are the following types of key updates in the Nationwide AuC system:
1. Initial synchronization
When the new AuC joins the Nationwide system, the system-wide keys need to be
synchronized. The Master AuC assures that the keys in all AuCs are consistent. Depending on
the current situation, Master AuC either updates the keys on the new AuC or in the whole
nationwide network. Master AuC also updates the key update schedule on the new AuC.
Any new key update cannot begin until the initial synchronization finishes.
For more information on adding a new AuC to the Nationwide system, see
"Slave AuCs Reconfiguration in the Nationwide System".
The following steps are performed automatically by the Master and Slave AuCs. No action
from the user is required. The process is presented only for information purposes.
Process 5-2 Key Update in the Nationwide System
For the Master AuC SW Release 5.5 (or higher) and the Slave AuC SW Release 5.2
(or lower) the reason for update rejection is always Unknown.
If the key update is rejected by the Slave AuC then, depending on the update type, the Master AuC
performs the following actions:
• If it is an immediate key update, the update will not be executed.
• If it is a scheduled key update, the Master AuC repeats the request at one-hour intervals
until the response is positive. When the responses from all Slave AuCs are positive, the key
update starts.
• If it is an initial synchronization, the Master AuC repeats the request at five-minute
intervals until the response is positive. When the responses from all Slave AuCs are
positive, the key update starts.
4 During the key update, the Slave AuCs send their current status information to the Master AuC. On
this basis the Master AuC generates a summary report, which can be viewed in the AuC Connectivity
tab. For more information, see "Viewing AuC Connection Information and Status".
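The rejection handling in Process 5-2 determines how long one unready Slave AuC can hold back a nationwide key update. The following is an added example, not Motorola code, that models the three retry rules; the slave names, the "ready at" model of a slave's answer, the simulation bound and the sample times are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Retry spacing stated in Process 5-2 for a rejected request.
RETRY_INTERVAL = {
    "scheduled": timedelta(hours=1),
    "initial_sync": timedelta(minutes=5),
}
UPDATE_TYPES = ("immediate", "scheduled", "initial_sync")


def plan_update(update_type, first_request, slave_ready_at,
                give_up_after=timedelta(days=7)):
    """Return (start_time, requests_sent) for a nationwide key update.

    slave_ready_at maps a slave name to the time from which it answers
    positively (an assumed model of a slave's response). start_time is None
    when the update never starts. give_up_after only bounds this simulation;
    the text describes retries continuing until the response is positive.
    """
    if update_type not in UPDATE_TYPES:
        raise ValueError(f"unknown update type: {update_type!r}")

    def rejecting(at):
        # Slaves that would still reject a request sent at time `at`.
        return sorted(n for n, ready in slave_ready_at.items() if at < ready)

    now, requests = first_request, 1
    if not rejecting(now):
        return now, requests          # all slaves positive on first request
    if update_type == "immediate":
        return None, requests         # rejected immediate update is dropped

    step = RETRY_INTERVAL[update_type]
    while now - first_request < give_up_after:
        now += step
        requests += 1
        if not rejecting(now):
            return now, requests      # update starts once every slave agrees
    return None, requests


def compare(first_request, slave_ready_at):
    """Outcome of the same rejection under each of the three update types."""
    return {t: plan_update(t, first_request, slave_ready_at)
            for t in UPDATE_TYPES}


# Constructed sample: one slave is ready at once, the other 70 minutes later.
FIRST = datetime(2007, 3, 1, 2, 0)
SLAVES = {"AuC-B": FIRST, "AuC-C": FIRST + timedelta(minutes=70)}

if __name__ == "__main__":
    for kind, (start, sent) in compare(FIRST, SLAVES).items():
        print(f"{kind:13s} start={start} requests={sent}")
```

With the sample data, a slave that becomes ready 70 minutes late delays a scheduled update by two hours because of the one-hour retry spacing, while an initial synchronization starts as soon as the slave is ready.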
In the Master AuC you can introduce the following changes into the Slave AuCs configuration:
• Add new Slave AuC to the AuC System, see Procedure 5-4.
• Change Expected Slave AuC, see Procedure 5-5.
• Remove Expected Slave AuC from the AuC System, see Procedure 5-6.
• Remove Slave AuC from the AuC System, see Procedure 5-7.
Procedure 5-4 How to Add New Slave AuC to the AuC Net (Continued)
4 Wait until the Expected Slave AuC connects to the AuC Net.
Only an AuC with an IP address matching the IP address of the Expected Slave defined
in step 3 will be able to connect to the AuC Net. To change the IP address of
the Expected Slave, see Procedure 5-5. To learn how to configure a Slave AuC and
connect it to the system, see Procedure 5-3.
Result: When the Expected Slave AuC connects to the AuC System it will be listed in the
AuC Net window as Connected.
1 From the main AuC Client menu select Nationwide>Change Expected Slave.
Result: You are prompted for IP address of Expected Slave AuC.
2 Insert the IP address of the new Expected Slave AuC and press OK.
Result: The new Slave AuC is listed in the AuC Net window as Expected.
1 From the AuC client main window, select the AuC Connectivity tab.
Result: The AuC Connectivity tabbed pane appears.
2 From the main AuC Client menu select Nationwide>Remove Expected Slave.
This option is available only when at least one Slave AuC is connected to the Master
AuC.
Result: The Expected Slave AuC is delisted from the AuC Net window.
Removing an AuC from the nationwide network means that this AuC will no longer
participate in nationwide key updates (KEKm, SCK-TMO, CCK). If it is still desired for
the mobile stations (MSs) located in this AuC’s cluster to maintain communication with
MSs in other clusters, removing the AuC is NOT recommended. Failure to follow this
recommendation may result in loss of radio communication between the cluster that has
been removed and the remaining clusters in the nationwide network.
Follow Procedure 5-7 to remove Slave AuC from the nationwide system.
Procedure 5-7 How to Remove Slave AuC from the AuC System
1 On the Master AuC select the AuC Connectivity tab from the AuC client main window.
Result: The AuC Connectivity tabbed pane appears.
2 From the main AuC Client menu select Nationwide>Remove Slave.
Result: You are prompted for IP address of the Slave AuC to be removed.
3 Insert the IP address of Slave AuC to be removed and press OK.
1 On the Master AuC select the AuC Connectivity tab from the AuC client main window.
Result: The AuC Connectivity tabbed pane appears.
2 Remove all Slave AuCs. To remove Slave AuC follow Procedure 5-7.
Procedure 5-8 How to Return to Single Cluster Mode from Master AuC (Continued)
3 From the main AuC Client menu select Nationwide>Back To Single Cluster.
Result: The AuC Net window becomes empty.
You can change the master only when the connection with the current master is inactive.
To disconnect from the current master, select System>Go Out of Service from the main
AuC Client menu on the Master AuC.
Result: You are prompted for IP address of new Master AuC.
3 Insert the IP address of new Master AuC and press OK.
Result: The Master AuC and the Slave AuC are listed in the AuC Net. Initially the status of
the Master AuC is Connecting...
4 Wait until the Slave AuC connects to the Master AuC. The slave will be able to connect to the
Master AuC only when its IP address is set in the Master AuC as the IP address of the Expected
Slave AuC. To learn how to add Expected Slave, see Procedure 5-4. To learn how to change
Expected Slave, see Procedure 5-5.
Result: The Slave AuC tries to establish the connection with the master every 5 minutes until it
succeeds. When the Slave AuC connects to the master the status of the master listed in the AuC
Net window changes to Connected.
2 On the Slave AuC that is to become the Master AuC, select the AuC Connectivity tab
from the AuC client main window.
Result: The AuC Connectivity tabbed pane appears.
3 From the main AuC Client menu select Nationwide>Transform to Master.
This option is only available when the current connection with Master AuC is
inactive.
Result: The Slave AuC transforms to master. It keeps information about the previous network
configuration, therefore you don’t need to provide IP addresses of other Slave AuCs.
4 On the remaining Slave AuCs replace the existing Master AuC with the new one. For information
on how to change the master, see Procedure 5-9.
Result: The Slave AuCs connect to the new Master AuC. You can monitor this process in the
AuC Net window on Master AuC.
On Master AuC check on the AuC Connectivity tab whether all Slave AuCs are
connected to the Nationwide AuC system. For more information on how to view the
status of each AuC in the Nationwide AuC system, see Procedure 5-1.
Chapter 6: Events Pane
The Events pane in the Authentication Centre (AuC) allows you to monitor actions and
performance of the Authentication Centre (AuC).
The following topics provide procedures associated with the Events pane in the AuC client display:
• "Viewing Authentication Centre Server Events"
• "Removing Authentication Centre Events"
The following topic provides reference information associated with the Events pane in the AuC client display:
• "Events Information"
The AuC client window allows the user to view significant events that have occurred on the server since the
user logged in. The displayed events provide a window into what is going on in the system (for example, to
see if a link to a zone is down) as well as a visible confirmation of certain transactions occurring between the
client and server. The Events are displayed in a less complex format than the Audit Trail data. Some of the
Event data is duplicated in the Audit Trail, and some of the data is unique to the Events area only.
When the AuC client window is launched, the Events Log displays the latest 300 server events. By
default, new events are displayed at the top of the list box as they are received.
Follow Procedure 6-1 to view the AuC server events.
1 The Events Pane is displayed in the AuC Client window, see the highlighted area below.
The Authentication Centre (AuC) client window displays events in a scrolling list box. Occasionally,
you may want to shrink the event listing by removing one or more events from the list.
Follow Procedure 6-2 to remove events from the AuC Events display.
Procedure 6-2 Removing One or More Events from the AuC Events Display
1 In the Events Pane in AuC Client window select the appropriate events in the list box. To select
multiple events, do the following:
• To select a group of events that are next to each other in the list box, click and drag the mouse
over the selections (or hold down the SHIFT key and click each item you want to select).
• To select a group of events that are not next to each other in the list box, hold down the
CTRL key and click each item you want to select.
Result: The event selection(s) are highlighted.
4 Click Yes.
Result: All the events are removed from the list box.
7
Audit Trail
The Audit Trail tab in the Authentication Centre (AuC) allows you to monitor actions
and performance of the Authentication Centre (AuC).
The following topics provide procedures associated with the Audit Trail tab in the AuC client display:
• "Viewing an Event Audit Trail"
• "Removing Audit Trail Data from the Database"
The following topics provide reference information associated with the Audit
Trail tab in the AuC client display:
• "Events Information"
• "Audit Trail Information Display"
The Authentication Centre (AuC) audit trail log stores a wide range of actions performed by the
AuC. For example, the audit trail log maintains a record of all key management operations and
allows you to "follow the life of a key" as it is distributed throughout the system. An audit of AuC
operations can be viewed by specifying search criteria and viewing the query results in the AuC client
window. The data in the Audit trail sometimes overlaps with the data in the Event Log, but the Audit
Trail data is in a more detailed format and is targeted for advanced users.
Follow Procedure 7-1 to create an audit trail of AuC events.
2 Define the appropriate search criteria using the fields in the Audit Search & Purge Form
display.
Any of the fields Entity Type, Entity ID, Key Type, Key ID and User can be left
unspecified, thus not filtering or restricting data on those fields.
3 Click on the Search button.
Result: The search results are displayed in the Audit Trail Information list box.
Procedure 7-1 Creating an Audit Trail of Authentication Centre (AuC) Events. (Continued)
4 To remove the Audit Search & Purge Form, click on the Hide Form button.
The Hide/Show Search Form button is a toggle button. Thus, you click the same
button to remove or display the Audit Search & Purge Form. For example, to
remove the display (when it is showing), you click the Hide Form button. Once
the display is hidden, the toggle button’s state changes to Show Search & Purge
Form. This allows you to add the display in the future.
Result: The Audit Search & Purge Form is removed.
Since storage of audit trail data can grow rapidly, it is necessary to remove old audit trail data from
the database for archival storage. The audit trail can be purged from the database to an archive
file stored at the same directory location as the database backup file.
This task can only be performed by AuC users with User Management security permissions.
Follow Procedure 7-2 to remove audit trail data from the AuC database for archival file storage.
Procedure 7-2 Removing Audit Trail Data from the Authentication Centre
(AuC) Database for Archival File Storage
2 Define the appropriate search criteria using the fields in the Audit Search & Purge Form display.
3 Click on the Search button.
Result: The search results are displayed in the Audit Trail Information list box.
5 Select the number of months of data that you would like to RETAIN (these are the events that
will NOT be purged) using the Number of months of audit trail data to keep selection box.
It is the data for the most recent months that is retained when you select the months to
be kept. For example, if you have 6 months of data collected from January to June and
select to retain 3 months of data, then the retained data will be for April, May and June.
Note also that the Number of months of audit trail data to keep field is used to
define months. Consider this example: If the current date is December 3, a purge
with months set to 1 will purge everything outside of December. This will keep only
3 days of audit trail in the AuC database.
6 Click the Begin Purge button.
Result: The following dialog box appears.
7 When the purging action is complete, the following dialog box appears.
8 Click OK.
Result: The audit trail data removal procedure is complete.
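The month-counting rule from step 5, as an added example (not AuC code). It assumes, as the two examples in step 5 imply, that the cutoff is the first day of the oldest retained calendar month; the audit records are constructed, and `months_needed` is a hypothetical helper that finds the smallest setting that still keeps a given number of days of history.

```python
from datetime import date


def retention_cutoff(today: date, months_to_keep: int) -> date:
    """First day of the oldest calendar month that survives the purge."""
    if months_to_keep < 1:
        raise ValueError("months_to_keep must be at least 1")
    # Work in "months since year 0" so stepping back across January is safe.
    index = today.year * 12 + (today.month - 1) - (months_to_keep - 1)
    return date(index // 12, index % 12 + 1, 1)


def split_for_purge(records, today, months_to_keep):
    """Return (kept, purged) lists of audit records for a purge run today."""
    cutoff = retention_cutoff(today, months_to_keep)
    kept = [r for r in records if r["date"] >= cutoff]
    purged = [r for r in records if r["date"] < cutoff]
    return kept, purged


def days_kept(today: date, months_to_keep: int) -> int:
    """Days of audit history left in the database, counting today."""
    return (today - retention_cutoff(today, months_to_keep)).days + 1


def months_needed(today: date, min_days: int, limit: int = 120) -> int:
    """Smallest 'months to keep' value that still retains min_days of history."""
    for months in range(1, limit + 1):
        if days_kept(today, months) >= min_days:
            return months
    raise ValueError("no setting within the limit keeps that much history")


# Constructed audit records: one event in the middle of each month, January to June.
SAMPLE = [
    {"date": date(2006, month, 15), "description": f"constructed event {month}"}
    for month in range(1, 7)
]

if __name__ == "__main__":
    kept, purged = split_for_purge(SAMPLE, date(2006, 6, 30), 3)
    print("kept months:  ", [r["date"].month for r in kept])
    print("purged months:", [r["date"].month for r in purged])
    print("days kept on December 3 with months=1:", days_kept(date(2006, 12, 3), 1))
    print("setting needed for 30 days on December 3:", months_needed(date(2006, 12, 3), 30))
```

Early in a month, a setting of 1 leaves only a few days of audit trail in the database, so the value should be chosen against the number of days an investigation needs online.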
8
User Management
The User Management tab in the Authentication Centre (AuC) allows you to create,
modify, and delete AuC client user accounts.
The following topics provide procedures associated with the User Management tab in the AuC client display:
• "Creating an AuC User Account"
• "Modifying an AuC User Account"
• "Deleting an AuC User Account"
The following topics provide reference information associated with the User Management
tab in the AuC client display:
• "User Account Selection tree view"
• "User Information"
• "Add User Dialog Box"
1 Select the User Management tab or select User Management from the User menu.
Result: The User Management tabbed pane appears.
2 Click Add...
Result: The following dialog appears.
Procedure 8-1 Creating a new Authentication Centre (AuC) User Account (Continued)
3 Type in the user profile information.
The Login Name field allows spaces. When logging in, the Login Name is
case-sensitive.
4 Select the appropriate check boxes to set the user security permissions.
5 Click OK.
Result: The user is stored in the AuC database, and now shows up in the user list on the left.
1 Select the User Management tab or select User Management from the User menu.
Result: The User Management tabbed pane appears.
You cannot change your own password from this dialog box (when logged in as
yourself). To change your own password, see "Changing a User Account Password"
4 Click Apply Settings.
Result: The new settings are stored in the AuC database.
1 Select the User Management tab or select User Management from the User menu.
Result: The User Management tabbed pane appears.
4 Click Yes.
Result: The user is removed from the AuC database.
9
System Management
The operation of the Authentication Centre (AuC) requires certain setup and
administration tasks to be performed.
The following topics provide procedures associated with AuC setup and administration:
• "The KVL Port Settings Tab"
• "The Miscellaneous Tab"
• "The User Settings Tab"
• "The Standby Settings Tab"
• "Viewing Encryption Device Status"
• "Loading a Master Key into an Encryption Device"
• "Changing Authentication Centre Operating State"
• "Scheduling Authentication Centre Database Backups"
• "Starting a Manual Authentication Centre Database Backup"
The following topics provide reference information associated with AuC setup and administration:
• "Port Settings Dialog Box"
• "The Miscellaneous Tab"
• "Encryption Devices Dialog Box"
• "User Settings Dialog Box"
• "AuC Database Dialog Box"
• "AuC Database Backup Schedule Dialog Box"
• "Update Common Cipher Key (CCK) Version"
It is highly recommended that the user always use the AuC to set the COM port settings
rather than Windows® or any other tool on the machine to alter the settings.
Follow Procedure 9-1 to configure KVL port settings.
Procedure 9-1 How to Configure KVL Port Settings
3 Enter the AuC Server ID (for communicating with KVLs) and AuC Server Alias (How the
AuC appears in nationwide listings).
4 Check the Debug Log Enabled button to enable the storage of a debug log (used for system
troubleshooting purposes only).
Result: The following dialog box appears.
If changing the user settings makes current passwords noncompliant, the affected users
will be asked to change their password next time they log in.
The password entered is the one assigned during Oracle installation on a standby
AuC.
Result: The window now looks like this.
4 Click OK.
Result: The system displays a progress window.
5 Click OK when progress bar completes.
Result: The progress window disappears. The standby database connection state icon is
displayed on the status bar:
The tool tip text on the icon shows current status and when it was checked:
4 Click OK.
Result: The Setting dialog box disappears. The standby database connection state icon is no
longer displayed on the status bar.
The Authentication Centre (AuC) utilizes an encryption device to perform encryption services.
Follow Procedure 9-6 to view the status of AuC encryption devices.
Field Value
Master Key Status: Loaded; Not loaded; Invalid; Unknown (if there is no crypto card)
Device Status: Working; Failure; Unknown (if there is no crypto card)
Battery Level: Full; Low; Dead; Unknown (if there is no crypto card)
Supported Algorithms: List of required algorithms. When the algorithm is
installed on the encryption device, the corresponding checkbox is marked:
• DVI-XL
• Hurdle-II 128 Bit
• Hurdle-II 80 Bit
Procedure 9-6 How to View the Status of AuC Encryption Devices (Continued)
The Master Key Status influences the encryption device status. For
example, if Master Key Status is not Loaded, the device status is Failed.
The Supported Algorithms influence the encryption device status. For
example, if not all algorithms are supported, the device status is Failed.
Once the master key is loaded into the AuC, it should not be changed. The existing
master key can be reloaded if necessary. When this operation is carried out, both the
KVL’s current master key and SYSKEY must be the same as when the AuC’s master
key was generated. If this is not the case, the database will become unavailable.
Procedure 9-7 How to Load a Master Key into an Encryption Device (Continued)
3 Click Next.
Result: The following dialog box appears.
4 Set up the Key Variable Loader (KVL) to load the master key into the encryption device and
click Next.
Result: The following dialog box appears.
5 Click Next.
Result: The following dialog box appears.
1 Locate the AuC Server Status icon in the status bar and note the current AuC server operating
mode. See "The Status Bar" for a listing and description of AuC server operating states.
2 To set the operating mode to Out of Service, select Go Out of Service from the System menu.
Result: The AuC Server Status is changed accordingly.
3 To set the operating mode to Operational, select Go Operational from the System menu.
Result: The AuC Server Status is changed accordingly.
See Table 3-3 for more information about AuC Server status values.
It is good practice to carry out a database backup after key updates. This keeps the information in the
database current, and avoids potential issues with the currency of key data if the database is restored.
Follow Procedure 9-9 to schedule AuC database backups.
Procedure 9-9 How to Schedule Authentication Centre Database Backups
3 Choose the date and time you want to start database backups.
4 Choose the recurrence interval for database backups.
5 Click OK.
Result: You are returned to the AuC Database dialog box.
6 Enter a file path for storage of the database backup.
7 Click OK.
Result: The dialog box will close. A backup of the database will occur at the next scheduled time.
For information on restoring the AuC database see Volume 10, Booklet 1, Installation and Configuration.
3 Click Yes.
Result: The AuC database backup will start.
For information on restoring the AuC database see Volume 10, Booklet 1, Installation and Configuration.
When the AuC is a part of a single-cluster system and the backup database that is used for restore
has been taken prior to the last key update, the AuC database will contain key information that is
out of date. This may cause problems when the next key update is initiated, since the AuC could
create a new key using a version number that has already been used.
If that happens then the next CCK update may cause a mismatch between the key stored at the
base site and the key with the same version number at the mobile station. As a result, the base
site and mobile station will no longer be able to decrypt each other’s transmissions, and class
3 encrypted voice and data communication will not be possible.
To prevent this problem, it is good practice to carry out a database backup after
every key update. In this way the information in the database will contain current
version numbers when the database is restored.
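The version reuse described above, as an added model (not AuC code). It assumes a mobile station fetches the CCK from its base site only when the advertised version number changes, and that a manually chosen version is issued as the next key; all class and function names are hypothetical and the keys are constructed.

```python
import copy
import secrets

CCK_VERSION_MAX = 65535  # upper bound of the "Key version" field on this page


class BaseSite:
    def __init__(self):
        self.version, self.key = None, None

    def receive(self, version, key):
        self.version, self.key = version, key


class MobileStation:
    def __init__(self):
        self.version, self.key = None, None

    def sync_from(self, site):
        # Assumption: the MS asks for the key only when the version number differs.
        if site.version != self.version:
            self.version, self.key = site.version, site.key


class Auc:
    """Toy AuC whose database holds only the last CCK version it issued."""

    def __init__(self):
        self.db = {"last_cck_version": 0}

    def backup(self):
        return copy.deepcopy(self.db)

    def restore(self, snapshot):
        self.db = copy.deepcopy(snapshot)

    def update_cck(self, site, mobile, version=None):
        if version is None:
            version = self.db["last_cck_version"] + 1
        if not 1 <= version <= CCK_VERSION_MAX:
            raise ValueError("CCK version out of range")
        key = secrets.token_bytes(10)  # constructed key material
        self.db["last_cck_version"] = version
        site.receive(version, key)
        mobile.sync_from(site)
        return version


def next_version_after(in_use_at_sites):
    """Manual correction from the page: version in use at the sites, plus 1."""
    candidate = in_use_at_sites + 1
    if candidate > CCK_VERSION_MAX:
        # The page does not describe what happens at the top of the range.
        raise ValueError("no higher version number available")
    return candidate


def run_scenario(backup_after_update, manual_fix=False):
    auc, site, mobile = Auc(), BaseSite(), MobileStation()
    auc.update_cck(site, mobile)       # version 1
    snapshot = auc.backup()            # backup taken before the last key update
    auc.update_cck(site, mobile)       # version 2, the last key update
    if backup_after_update:
        snapshot = auc.backup()        # the practice the page recommends
    auc.restore(snapshot)
    if manual_fix:
        issued = auc.update_cck(site, mobile, next_version_after(site.version))
    else:
        issued = auc.update_cck(site, mobile)
    return {
        "issued": issued,
        "site_version": site.version,
        "mobile_version": mobile.version,
        "keys_match": site.key == mobile.key,
    }


if __name__ == "__main__":
    print("stale backup:         ", run_scenario(backup_after_update=False))
    print("backup after update:  ", run_scenario(backup_after_update=True))
    print("stale backup + manual:", run_scenario(False, manual_fix=True))
```

In the stale-backup run both sides report the same version number while holding different keys, which is why the mismatch is not visible from version numbers alone.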
If the AuC is part of a single-cluster system, then the first time you log in to the AuC Client after a
database restore has been carried out, the Update CCK Version display appears.
If the AuC is part of a nationwide AuC system and the database backup used for the restore was taken after
connecting to the nationwide system, the Update CCK Version window does not appear. The AuC Master
automatically verifies the validity of keys and initiates the proper key update process when necessary. Finally, the AuC
Master informs the AuC Slave that the restore operation succeeded. However, when the database backup used
for the restore was taken prior to connecting the AuC to the nationwide system, the Update CCK Version window appears.
To proceed, you have 3 options:
1. Modify CCK Manually
This option is appropriate if you are operating a single cluster system.
You must have Key Management permission to carry out this procedure.
If you know the CCK version in use at the sites, then add 1 to this value and use it
instead. You can also use the Next suggested CCK Version presented in the Update
CCK Version window.
3 Click the Modify CCK Manually button.
Result: The selected version number will be applied and the display will close. The
AuC will update those parts of the system that require updating based on this version number.
2. Connect to AuC...
Once the AuC is connected to the nationwide system, key updates will occur, which will
automatically synchronize all key versions to the versions in use in the nationwide network.
This option is valid only if your system is a part of a nationwide multicluster system and the
database backup used for restore has been taken prior to connecting to the nationwide
system. Otherwise the Update CCK Version window does not appear.
You must have Key Management permission to carry out this procedure.
Data replication from primary to standby AuC is done by means of archived redo log files being sent from a
primary database and applied to a standby database. This is done automatically by the Oracle database.
It may happen that some of the files are not sent and applied to the standby machine, for example due to network problems.
The standby status report can be used to find missing files that have to be manually copied to the standby machine.
Follow Procedure 9-13 to create a standby status report.
The window above presents the positive scenario: no (0) archived redo log files are missing on
the standby.
When the number of missing log files displayed on the progress window is greater
than 0, the report file should contain a list of missing log files.
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1009.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1010.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1011.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1012.ARC
C:\ORACLE\ORADATA\AUC\ARCHIVE\ARCH_1_1013.ARC
3 Click OK to close the progress window.
10
FAQ
The following topics address common questions and answers for Authentication Centre
(AuC) operators and administrators.
Table 10-1 Overview: FAQ Section
Key Management
This section provides answers to some of the Frequently Asked Questions (FAQs)
related to key management using the AuC:
• "How are Keys Provisioned in the Dimetra IP System?"
• "How are Keys Stored in the Dimetra IP System?"
If the links are up and there is an overall update occurring for the affected entity, you do not need
to do anything. If the links are up and no key update is occurring, you should query the audit trail
for that particular entity to further investigate the errors that have occurred.
Stage Description
1: Activate Future Key. The AuC sends a message to the entities to activate the
Future key stored in the entity from the last update. The entities send back an
acknowledgment when this stage is completed.
2: Refresh Dependent Key Material. The AuC refreshes existing dependent keys sealed with
the previous key. This is done by sealing the existing dependent key material with the
newly activated key, and sending the re-sealed key material back to the entities. For
example, if the Zone Key Encryption Key (KEKz) is updated, all Static Cipher Keys
(SCK-TMOs), sealed with the previous KEKz, must be re-sealed with the new KEKz and
sent back to the BTS site entities. The entities send back an acknowledgment when this
stage is completed.
3: Update Future Key. The AuC sends a new Future key to be stored in the entity. This
key will be activated during the next key update. The entities send back an
acknowledgment when this stage is completed.
During each stage, the Update Progress bar displays the stage number and percentage of completion.
The progress bar scrolls across until the stage is completed.
When the stage is completed, the next stage is started automatically. When the last stage
(Stage 3) is completed, the text "Complete" appears.
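The three stages, as an added model of a Zone KEK (KEKz) update (not AuC code). It assumes a BTS site stores its SCK-TMOs sealed under KEKz; `seal` and `unseal` are a stand-in because the page does not specify the sealing algorithm, transport protection of the stage messages is left out, and all names and keys are constructed.

```python
import hashlib
import hmac
import secrets


def seal(kek, key_material):
    """Stand-in for the sealing algorithm, which the page does not specify.
    Not a real cipher: hash-derived XOR pad plus a truncated HMAC tag."""
    nonce = secrets.token_bytes(8)
    pad = hashlib.sha256(kek + nonce).digest()[:len(key_material)]
    body = bytes(a ^ b for a, b in zip(key_material, pad))
    return nonce + body + hmac.new(kek, nonce + body, hashlib.sha256).digest()[:8]


def unseal(kek, blob):
    nonce, body, tag = blob[:8], blob[8:-8], blob[-8:]
    expected = hmac.new(kek, nonce + body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed under a different key")
    pad = hashlib.sha256(kek + nonce).digest()[:len(body)]
    return bytes(a ^ b for a, b in zip(body, pad))


class BtsSite:
    def __init__(self, name, active_kek, future_kek, sealed_scks, reachable=True):
        self.name = name
        self.active_kek = active_kek          # KEKz currently in use
        self.future_kek = future_kek          # KEKz stored by the previous update
        self.sealed_scks = dict(sealed_scks)  # key number -> sealed SCK-TMO
        self.reachable = reachable

    def handle(self, stage, payload=None):
        """Apply one stage message; the return value is the acknowledgment."""
        if not self.reachable:
            return False
        if stage == 1:
            self.active_kek, self.future_kek = self.future_kek, None
        elif stage == 2:
            self.sealed_scks = dict(payload)
        elif stage == 3:
            self.future_kek = payload
        return True

    def usable_scks(self):
        """Number of stored SCK-TMOs that open under the active KEKz."""
        usable = 0
        for blob in self.sealed_scks.values():
            try:
                unseal(self.active_kek, blob)
                usable += 1
            except ValueError:
                pass
        return usable


class Auc:
    def __init__(self, sck_count=2):
        self.active_kek = secrets.token_bytes(16)   # constructed keys
        self.future_kek = secrets.token_bytes(16)
        self.scks = {n: secrets.token_bytes(10) for n in range(sck_count)}

    def provision(self, name, reachable=True):
        sealed = {n: seal(self.active_kek, k) for n, k in self.scks.items()}
        return BtsSite(name, self.active_kek, self.future_kek, sealed, reachable)

    def run_stage(self, stage, sites):
        """Send one stage to every site; return (acknowledged, total)."""
        if stage == 1:
            self.active_kek, self.future_kek = self.future_kek, None
        elif stage == 3:
            self.future_kek = secrets.token_bytes(16)
        acked = 0
        for site in sites:
            payload = None
            if stage == 2:   # re-seal existing SCK-TMOs with the newly activated KEKz
                payload = {n: seal(self.active_kek, k) for n, k in self.scks.items()}
            elif stage == 3:
                payload = self.future_kek
            acked += int(site.handle(stage, payload))
        return acked, len(sites)


def walk_through():
    # The model runs every stage even when an acknowledgment is missing,
    # so the resulting site states can be compared.
    auc = Auc()
    site_a = auc.provision("site-A")
    site_b = auc.provision("site-B", reachable=False)   # link down for the whole update
    sites = [site_a, site_b]
    seen = {"before": site_a.usable_scks()}
    seen["stage1"] = auc.run_stage(1, sites)
    seen["after_stage1"] = site_a.usable_scks()   # old seals no longer open
    seen["stage2"] = auc.run_stage(2, sites)
    seen["after_stage2"] = site_a.usable_scks()
    seen["stage3"] = auc.run_stage(3, sites)
    seen["a_current"] = (site_a.active_kek, site_a.future_kek) == (auc.active_kek, auc.future_kek)
    seen["b_current"] = site_b.active_kek == auc.active_kek
    return seen


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(name, value)
```

The site that never acknowledged ends the run on the previous KEKz, which corresponds to the "Entity is not current" status, and is the entity to look up in the audit trail.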
Mobile Stations
This section provides answers to some of the Frequently Asked Questions (FAQs) related to
administering K-REFs for mobile stations using the AuC:
• "What Do I Do if a K-REF Pair is Unmatched?"
• "When Should I Delete Unmatched K-REF Pairs?"
It is recommended that you verify that both the ITSI-REF and K-REF pair entries
are correctly entered in the system.
General Problems
This section provides answers to some of the Frequently Asked Questions (FAQs) related to general
problems that you as a user may encounter when using the AuC:
• "How to Trigger Full Synchronization with the UCS"
• "How to Trigger Full Synchronization with the ZDS"
• "What Happens if a Key Update Fails?"
• "What Do I Do if the Database Fails?"
• "What Do I Do if an Encryption Device Fails?"
• "What Do I Do if I get an Error Message when Starting the Client?"
Procedure 10-1 How to Trigger Full Synchronization with the UCS (Continued)
4 Wait while the synchronization process proceeds. You can observe the progress on the Status
Bar to the left.
Result: The AuC is fully synchronized with the UCS.
4 Wait while the synchronization process proceeds. You can observe the progress on the Status
Bar to the left.
Result: The AuC is fully synchronized with the ZDS.
There are numerous other error messages that may display during start-up of the AuC client application.
These other messages will indicate the root cause of the problem and are self-descriptive.
If you are unsuccessful at resolving your client start-up problem, please contact Motorola for assistance.
For more information, see Volume 10, Booklet 1, Installation and Configuration.
11
Screen Reference
This section provides a complete reference for the screens encountered in the AuC. The information
is subdivided into Main Window and Secondary Window sections.
Main Window
This section provides detailed reference information for each of the AuC application’s main windows.
Table 11-1 Fields in the AuC Comm Key (Communication Key) Display
Field Description
AuC Comm Key The key is a 16-character hexadecimal value.
Status Indicates whether an AuC Comm Key has been entered into the AuC. An AuC
Comm Key can be entered multiple times with different values, but the key
must be the same for all nationwide AuCs.
Table 11-2 Buttons in the AuC Comm Key (Communication Key) Display
Button Action
Enter Writes the AuC Comm Key to the server. The Enter button is only enabled when
the AuC Comm Key is of the correct length.
Clear Clears the field in the display. It does not erase the AuC Comm Key on the server.
Help Launches the AuC online help window
AuC Connectivity
The AuC Connectivity display provides information about the AuC server selected in the AuC Net window.
Table 11-3 Fields in the AuC Connectivity Information Display
AuC Net
The AuC Net window displays the Nationwide network tree. The icon and the information in brackets
displayed next to each AuC Server listed in the AuC Net window represent its status.
In-Service The local AuC Server that you are currently logged on to. The server is
actively connected to the AuC network.
Disconnected The AuC Server is not connected to the AuC network.
Out-Of-Service The local AuC Server that you are currently logged on to. The server is
out of service.
Expected The AuC Server that is configured on the Master AuC as the Expected
Slave AuC.
Connected The AuC Server is actively connected to the AuC network. The key
updates are locked on this server.
Restoring The AuC server has been restored.
Table 11-5 Fields in the Audit Search & Purge Form display
Field Description
Date between Range of dates to search. Use spin boxes or manual entry to set beginning
and ending time and date.
User User login name to search
Entity Type Type of entity to search. Use drop-down list box to select entity type.
Entity ID ID of entity to search.
Key Type Type of key to search. Use drop-down list box to search key type.
Key ID ID of key to search.
Table 11-6 Buttons in the Audit Search & Purge Form display
Button Action
Search Performs search using selected criteria. Results are listed in the Audit Trail
Information list box.
Hide Form Removes Audit Trail Search Criteria fields from window. Only displayed when
fields are visible
Purge Opens the Purge Audit Trail dialog box.
Show Search & Purge Form Shows Audit Trail Search Criteria fields in the window. Only displayed when
fields are invisible.
Field Description
Date Date of event.
Key Type Type of delivered key: Authentication Material, System KEK, Zone KEK,
SCK, CCK.
Key ID ID of delivered key (assigned by AuC).
Entity Type Type of entity: Zone, BTS site, Mobile Station, KVL.
Entity ID ID of entity (assigned by AuC).
User Login name of user performing event task.
Encrypting Key Type Type of sealing key (key used to encrypt delivered key for transport).
Encrypting Key ID ID of sealing key (assigned by AuC).
Description Description of event
Field Description
DDK Entry of DDK key value. The DDK key is a 32-digit hexadecimal value.
Status Status of DDK in AuC (entered or not entered in the AuC).
Button Action
Enter Commits DDK key entry (DDK field) to AuC database. Enabled only when
proper DDK key is entered in DDK field.
Clear Clears DDK field entry.
Help Launches the AuC online help window.
Field Description
Status Current setting for Key Updates (enabled or disabled).
CCK Tabular display of the Common Cipher Key (CCK) version and status
information for the selected BTS site entity.
Ki Tabular display of infrastructure key (Ki) information and status for the BTS
site entity.
SCK Tabular display of static cipher key-trunked mode operation (SCK-TMO) key
information and status for the BTS site entity.
Zone KEK Tabular display of zone key encryption key (KEKz) information and status
for the BTS site entity.
Button Action
Enable Key Updates Enables key updates for the BTS site. Only displayed when key updates are
disabled (see Status field).
Disable Key Updates Disables key updates for the BTS site. Only displayed when key updates are
enabled (see Status field).
Refresh Ki Redistributes the existing infrastructure key (Ki) for BTS site entities.
Update Ki Assigns a new infrastructure key (Ki) for BTS site entities.
Help Launches the AuC online help window.
Events Information
The fields presented in the Events Information display are listed below. By default, events are listed as
they occur (by Date). You can re-sort the listed events by clicking on the column header. Clicking on
a column header will toggle the list items in forward and reverse order, respectively. A small triangle
next to the column header indicates by which field the items are currently sorted.
Table 11-12 Fields in the Events Information display
Field Description
Severity Severity of event.
Description Description of event.
Date Date of event.
Button Action
Refresh Key update process is in the second stage (for System KEK
update only).
Unknown Master AuC doesn’t have complete information about key
status on slaves.
Key Number 0 — 31 Number of the key that is sent out in current update stage
(applies to the SCK-TMO only). This information is
displayed only when key update is in progress.
Key version 1 — 65535 Version of the key that is sent out in current update stage.
This information is displayed only when key update is in
progress.
Key update progress X/Y Y - number of all Zones/Sites in the Nationwide network
participating in key update.
X - number of Zones/Sites in the Nationwide network that
already accepted key update.
K-REF Pairs
Field Description
K Entry of actual authentication key (K) for the mobile station (MS). The K
key is a 32-digit hexadecimal value.
Ref Entry of actual reference number for the mobile station (MS). The reference
number will be either the Subscriber Identification Module (SIM) or TETRA
Equipment Identifier (TEI) (based on selection of SIM or TEI option button).
SIM Select option button to designate the Ref field as a SIM entry.
TEI Select option button to designate the Ref field as a TEI entry.
Status Reports the status of the latest K-REF pair entry (accepted or rejected). This
field is not displayed until after the first K-REF entry is typed in and committed
to the AuC database during the current AuC client session.
Unmatched K-REFs A list of Refs for which a K-Ref pair is defined in the AuC but no matching
Individual TETRA Subscriber Identity (ITSI) Ref pair is found. These items
are listed in alphanumeric order. Their batch date and batch number are also
shown. These are set at the time of their creation. If a K-Ref pair is entered
manually, the batch number will be blank.
Count Number of unmatched K-Ref pairs.
Button Action
Enter Commits K and Ref entries to AuC database. The button is disabled until the
proper K and Ref entries are made in corresponding fields. After selecting this
button, the Unmatched K-REFs list box is automatically refreshed. If the Ref
of the new K-Ref entered already exists in the AuC, the user is asked if they
wish to overwrite the current K-Ref in the AuC via the dialog box below:
Field Description
K-Ref Pairs Places the K-REF Pairs Information display in the work pane.
SCK-Trunked Mode Operation Places the SCK-TMO Information display in the work pane.
DDK (Dimetra Distribution Key) Places the DDK Information display in the work pane.
AuC Comm Key (Communication Key) Places the AuC Comm Information display in the work pane.
Field Description
Next Update Shows the date and time for the next update of the selected key schedule.
Last Update Shows the date and time when the last update was started.
Key Schedule State Shows whether key schedule updates are enabled.
Recurrence Interval Shows the interval for the updates. The interval is shown in months or days,
depending on the key type.
Key Update Progress Progress bars showing key update progress in local cluster. Depending on the
key type, there can be either one progress bar showing overall progress for the
cluster or separate progress bars for each zone.
Button Action
Start Update Now Forces an update to start immediately. A manual update has no impact on the
date and time of the next scheduled update.
Modify Schedule... Activates the Modify Schedule dialog
Help Launches the AuC online help window.
Field Description
Authentication Material Places Key Schedule Information display in the work pane for Authentication
Material.
CCK Places Key Schedule Information display in the work pane for Common Cipher
Key (CCK).
SCK-TMO Places Key Schedule Information display in the work pane for Static Cipher
Key (SCK-TMO).
System KEK Places Key Schedule Information display in the work pane for System Key
Encryption Key (KEKm).
Zone KEK Places Key Schedule Information display in the work pane for Zone Key
Encryption Key (KEKz).
The colored icons displayed next to each zone and BTS site represent the entity’s current key status.
Table 11-21 Key Status Icons (Zones and BTS sites)
Icon Description
Requires Attention: The entity is missing both infrastructure keys (Ki), the
infrastructure key (Ki) has been improperly provisioned or equipment failure
occurred.
Requires Attention: The entity is missing both infrastructure keys (Ki), the
infrastructure key (Ki) has been improperly provisioned or equipment failure
occurred and the entity is disabled from receiving key updates.
Requires Attention: The entity is missing both infrastructure keys (Ki), the
infrastructure key (Ki) has been improperly provisioned or equipment failure
occurred and the entity is disconnected from the Air Traffic Router (ATR)
server or Zone Manager (ZM) (for zone entities only).
Entity is not current: The entity no longer has the most current key version
(except for the infrastructure key (Ki)).
Entity is not current and disabled: The entity no longer has the most current
key version (except for the infrastructure key (Ki)) and the key updates on
the entity have been disabled.
Entity is not current and disconnected: The entity no longer has the most
current key version (except for the infrastructure key (Ki)) and is disconnected
from the Air Traffic Router (ATR) server or Zone Manager (ZM) (for zone
entities only).
Entity is current: The entity has the most current key version.
Entity is current: The entity has the most current key version but the key
updates on the entity have been disabled.
Entity is current: The entity has the most current key version but is
disconnected from the Air Traffic Router (ATR) server or Zone Manager (ZM)
(for zone entities only).
KVL Information
Field Description
Alias Alias of KVL (obtained from User Configuration Server (UCS)).
ID ID of KVL (obtained from User Configuration Server (UCS)).
Status Current setting for KVL access to AuC (access allowed or locked out).
Button Action
Deny Access Locks out KVL access to the AuC. Only displayed when KVL access to AuC
is allowed (see Status field).
Allow Access Allows KVL access to the AuC. Only displayed when KVL access to AuC is
locked out (see Status field).
Assign New UKEK Launches KVL UKEK Assignment Dialog Box.
Help Launches the AuC online help window.
Icon Description
Locked out from AuC connectivity.
The fields presented in the Mobile Stations List display are listed below. By default, query results are
listed by Serial Number. You can re-sort the listed items by clicking on the column header. Clicking on
a column header will toggle the list items in forward and reverse order, respectively. A small triangle
next to the column header indicates by which field the items are currently sorted.
Field Description
Security Group Alias Security group for the mobile station (MS) (obtained from User Configuration
Server (UCS)).
Serial Number Serial number for the mobile station (MS) (obtained from User Configuration
Server (UCS)).
Ref Reference number for the mobile station (obtained from User Configuration
Server (UCS)). The reference number will be either the Subscriber Identity
Module (SIM) or TETRA Equipment Identifier (TEI) number.
ISSI Individual Short Subscriber ID (ISSI) for the mobile station (obtained from
User Configuration Server (UCS)).
K Assigned Indicates whether an authentication key (K) has been assigned to the mobile
station (MS) (Yes or No).
Mobile State State of the mobile station (MS) key update:
• Enabled – key updates enabled.
• Disabled (new mobile) – key updates disabled because the MS is a newly
added one; new MSs have key updates disabled by default.
• Disabled (manually) – key updates disabled manually by a user.
• Disabled (K changed) – key updates disabled because the authentication
key (K) for the MS has changed.
Batch Date Creation date of a K-REF pair assigned to the mobile station (MS)
Batch Number Number assigned to a group of K-REF pairs during their creation time. If a
K-REF pair was entered manually in the AuC client, then this field is blank.
Button Action
Update Auth Now Launches an immediate update of authentication material for the mobile
station(s) highlighted in the list box. This button is disabled until an MS
is selected from the list box.
Enable Key Updates Enables authentication material key updates for the mobile station(s)
highlighted in the list box. Only displayed when key updates are disabled (see
Key Updates Disabled field). This button is disabled until an MS is selected
from the list box.
Disable Key Updates Disables authentication material key updates for the mobile station(s)
highlighted in the list box. Only displayed when key updates are enabled (see
Key Updates Disabled field). This button is disabled until an MS is selected
from the list box.
Field Description
Security Group Security group to search. If field is left blank or contains "UCS", all security
groups are searched
Serial Number Serial number to search. Use drop-down list box to set condition of search
using this field. If left blank, the field is not included in the search query.
Ref Reference number to search. Use drop-down list box to set condition of search
using this field. If left blank, the field is not included in the search query.
ISSI Between Range of Individual Short Subscriber Identities (ISSIs) to search. Use both
fields to type beginning and ending ISSIs, respectively. If blank, the leftmost
field is set to 0 and rightmost field is set to 16,777,216.
Batch Number Number assigned to a group of K-REF pairs when created. If left blank, the
field is not included in the search query.
Batch Date Range of K-REF pairs creation times to search. Use both fields to specify the
beginning and end of a search period.
Secret Key (K) Status Search for mobile stations (MSs) with or without an assigned authentication
key (K) in the AuC database.
Mobile State State of the mobile station (MS) key update:
• Enabled – search for MSs with key updates enabled
• Disabled (new) – search for newly added MSs; new MSs have key
updates disabled by default
• Disabled (manually) – search for MSs which have key updates disabled
manually by a user
• Disabled (K changed) – search for MSs which have key updates disabled
because their authentication keys (K) have changed.
Include Not Local Not to be used in this Dimetra release.
Button Action
Search Performs search using selected criteria. Results are listed in Mobile Stations
List Reference list box.
Export Starts exporting MS information.
Clear Clears entries from search criteria fields.
Field Description
SCK Number Number of SCK-TMO key slot
SCK Version Version of SCK-TMO key in the slot
Active Reflects the current and next active SCK-TMO keys. The following
arrows reflect the current and next active SCK-TMO keys:
Button Action
Modify Launches SCK-TMO Modify Dialog Box.
Set Next Active Designates next active SCK-TMO key.
Help Launches the AuC online help window.
Each security group stored in the Authentication Centre (AuC) database is listed in Security Groups window.
UCS Information
Field Description
UCS Status Status of connection to User Configuration Server (UCS). Available values:
• Disconnected
• Disconnected - Invalid Version
• Not Ready
• Synchronizing
• Connected
UCS Version Version of the User Configuration Server (UCS).
Button Action
User Information
Field Description
Login Name Login name of AuC user. This field allows use of spaces. Login names are
case sensitive. Users are not allowed to modify their login name.
Full Name Full name of AuC user (Optional).
Change Password Enables New Password and Confirm New Password fields.
You cannot change your own password from this dialog box, when
logged in as yourself, since User Management does not ask for the
old password. To change your own password, see "Changing a
User Account Password".
New Password New password for AuC user.
Confirm New Password New password for AuC user.
Permissions Access permissions for user to AuC tasks. Use the check boxes to select which
task categories the user can access and perform. A user with no permissions is
able to only view entity information. See Table 11-34 below.
Permission Tasks
Database Management Allows all database operations.
Infrastructure Management Allows disabling of zones and BTSs and all Zone/System KEK Key
Schedule operations, including Ki Provisioning.
Key Management Allows entry of keys in Key Database, SCK-TMO and CCK operations,
including Key Schedule operations.
Mobile Management Allows all MS operations and all Authentication Material Key Schedule
operations.
Master Key Load Allows Master key Loading.
KVL Management Allows the user to modify KVL records, change UKEK assignments,
disable/enable a KVL from communication with the AuC, and modify the
KVL port settings.
User Management Allows all user management operations and audit trail purging.
Server Management Allows System> Settings> Miscellaneous operations.
Nationwide Management Allows nationwide system connection operations under the Connections tab,
CCK key updates, and entry of AuC Comm Key.
Button Action
Restore Settings Restores user account information settings before current changes are
committed to AuC database (i.e., to start over with modifications).
Apply Settings Commits user account information settings to the AuC database.
Zone Information
Field Description
Key Updates Current setting for key updates for the zone (enabled or disabled).
ATR Status of connection to Air Traffic Router (ATR) server.
ZM Status of connection to Zone Database Server (ZDS).
ZM Version Version of the Zone Database Server.
Ki Tabular display of infrastructure key (Ki) information and status for the zone entity.
System KEK Tabular display of system key encryption key (KEKm) information and status for the
zone entity.
Zone KEK Tabular display of zone key encryption key (KEKz) information and status for the
zone entity.
Button Action
Enable Key Updates Enables key updates for the zone. Only displayed when key updates are
disabled (see Status field).
Disable Key Updates Disables key updates for the zone. Only displayed when key updates are
enabled (see Status field).
Synchronize Starts the full synchronization with ZDS process.
Refresh Ki Redistributes the existing infrastructure key (Ki) for zone entities.
Update Ki Assigns a new infrastructure key (Ki) for zone entities.
Help Launches the AuC online help window.
Secondary Window
This section provides detailed information of the AuC application’s secondary windows.
Field Description
Login Name Login name of AuC user.
Full Name Full name of AuC user.
Password New password of AuC user.
Confirm Password New password of AuC user.
Permissions Access permissions for user to AuC tasks. Use check boxes to select which
task categories the user can access and perform. A summary of the tasks
allowed for each checkbox is provided below.
Permission Tasks
Database Management Allows all database operations.
Infrastructure Management Allows disabling of zones and BTSs and all Zone/System KEK Key Schedule
operations, including Ki Provisioning.
Key Management Allows entry of keys in Key Database, SCK-TMO and CCK operations,
including Key Schedule operations.
Mobile Management Allows all MS operations and all Authentication Material Key Schedule
operations.
Master Key Load Allows Master key Loading.
KVL Management Allows the user to modify KVL records, change UKEK assignments,
disable/enable a KVL from communication with the AuC, and modify the
KVL port settings.
User Management Allows all user management operations and audit trail purging.
Server Management Allows System> Settings> Miscellaneous operations.
Nationwide Management Allows nationwide system connection operations under the Connections tab,
CCK key updates, and entry of AuC Comm Key.
Button Action
OK Commits user account information settings to the AuC database.
Cancel Cancels user account information settings without committing them to the
AuC database.
Help Launches the AuC online help window.
AuC Connection
Field Description
Enter the IP address of expected slave AuC IP address for an AuC server that will be set by master AuC
as the expected slave AuC.
Enter the IP address of master AuC IP address of the master AuC that the local AuC will be
connected to.
Button Action
OK Attempts to connect to the AuC using the IP address supplied.
Cancel Closes the dialog box.
Table 11-43 Fields in the AuC Database Backup Schedule Dialog Box
Field Description
Month/Day/Year Start date of database backup. Use drop-down list box to choose month, spin box to
choose year, and buttons to choose day of the month to perform backup.
Time Start time of database backup. Use spin box to set time of day for database backup.
Backup occurs every... Frequency of database backup. Use drop-down list box to select how often (in
days) to perform backup.
Table 11-44 Buttons in the AuC Database Backup Schedule Dialog Box
Button Action
OK Commits the AuC database backup settings.
Cancel Cancels the AuC database backup settings without committing them to the AuC system.
Field Description
Backup in Progress States whether an AuC database backup is currently in progress (yes or no).
During backup, you will still be able to perform AuC operations. However, you
will not be able to start a new backup, until the current backup is complete.
Once backup is initiated, it cannot be cancelled.
Last Successful Backup States when last AuC database backup occurred. The field displays No
backups performed yet if no backup has been performed.
Next Scheduled Backup States when next AuC database backup is scheduled to occur, even if backup schedules
are disabled. The field displays No schedule set yet if no backup schedule
has been set.
Backup Schedule Disabled Checkbox to disable scheduled backup of the AuC database. Disabling backup
schedule is also possible while a backup is in progress.
Backups are not disabled until the OK button has been clicked,
after Backup Schedule Disabled has been selected.
Path Displays the current path for storing the AuC database backup file. The
path is shown from the database server’s perspective, not the client’s. Default
is C:\AuCBackup.
Button Action
Modify Schedule Launches the dialog box to schedule the AuC database backups.
Start Backup Now Launches an immediate AuC database backup.
Field Description
User Name Login name of AuC user (already populated).
Old Password Entry for existing password.
New Password Entry for new password.
Confirm New Password Confirm entry for new password.
Button Action
OK Commits password change to AuC database.
Cancel Cancels password change.
If the dialog was brought up after the login dialog, that is, before the
main screen is reached, and your password has expired, cancelling
will force the client application to close.
Field Description
Vendor Name of the encryption device vendor.
Device Type Type of encryption device.
Software Version Version of software on encryption device
Master Key Status Indicates the state of the Master Key. The state can be Loaded, Not loaded,
Invalid or Unknown. The Invalid state is created when a new Master Key is
loaded, but does not match the one expected by the AuC.
Device Status Status of the encryption device: Working or Failed.
Button Action
Load Master Key... Launches the Load Master Key wizard. See "Loading a Master Key into an
Encryption Device" for a description of this wizard.
Close Closes the Encryption Devices dialog box.
Help Launches the AuC online help window.
Table 11-51 Field in the Key Update Lock Details Information Box
Field Description
User User who locked the key updates.
Date Date of the key update lock operation.
Lock reason Reason for locking the key updates.
Table 11-52 Buttons in the Key Update Lock Details Information Box
Button Action
OK Confirms the key update lock and its reason.
Cancel Cancels the key update lock operation.
Field Description
Reason for locking key updates Reason for locking key updates to be provided by the user.
Button Action
OK Confirms the key update lock and its reason.
Cancel Cancels the key update lock operation.
Field Description
Enter new UKEK Entry for unique key encryption key (UKEK) key value. The UKEK key is a
16-digit hexadecimal value.
Button Action
OK Commits UKEK key to the AuC database. The button is disabled until 16
hexadecimal characters are entered in the Enter new UKEK field.
Cancel Cancels UKEK key storage.
Field Description
User Name Login name for AuC user.
Password Password for AuC user.
Change Password Tick this to open the Change Password dialog box upon login.
Button Action
OK Logs in user to AuC.
Cancel Cancels login.
Field Description
AuC Server ID Entry for Authentication Centre (AuC) ID. This ID is necessary for the KVL
and AuC to communicate effectively. If the AuC ID is not the ID expected by
the KVL, the KVL will disconnect.
AuC Server Alias A user-friendly name (alias) for the AuC server. The maximum length is 20
characters. There is no initial alias value.
Debug Log Enabled Allows a debug log to be maintained on the AuC server.
Button Action
OK Commits miscellaneous settings to AuC database
Cancel Closes Settings dialog box.
Help Launches the AuC online help window
Field Description
Disable Key Schedule Disables scheduled key updates.
Next Update
Month/Day/Year Start date of scheduled key update. Use drop-down list box to choose
month, spin box to choose year, and buttons to choose day of the
month to perform update.
Time Start time of scheduled key updates. Use spin box to set time of day
for key update.
Last Update Time and date of last key update.
Recurrence Interval
Update occurs every Frequency of key updates. Use drop-down list box to select how often
(in months) to perform key update.
Button Action
Default Interval Sets the default recurrence interval.
Cancel Closes the dialog box without updating the schedule settings.
OK Commits key update schedule settings.
Help Launches the AuC online help window.
Field Description
Port AuC hardware port used to communicate with KVLs. Use drop-down list box
to select port. After selection, the port’s current settings are displayed in the
dialog box.
Bit Rate Bit rate for KVL communication port. Use drop-down list box to select bit rate.
Initialization String Initialization string used for modem connection to KVL. This field is disabled
when the Connection Type field is set to "Direct".
Connection Type Type of connection used to communicate with KVL. Use option buttons to
select connection type between direct for cable connection and modem for
dialup connection.
Button Action
Default Settings Resets KVL port settings to the AuC default settings.
OK Commits KVL port settings to AuC database.
Cancel Closes dialog box without changes being applied.
Help Launches the AuC online help window.
Field Description
Number of months of audit trail data to keep in the AuC Specifies number of months of audit trail
data to keep in the AuC database (all data exceeding this setting will be archived to a file on
the server). Use drop-down list box to choose the number of months
(maximum of 24 months).
Button Action
Begin Purge Launches the process of removing audit trail data from the AuC database.
Cancel Cancels selection and closes dialog box.
A modified slot is not automatically distributed throughout the Dimetra system until the slot
is selected as the next active slot as part of a scheduled or manual update.
Field Description
Key Value Entry for SCK-TMO key value. The SCK-TMO key is a 20-digit hexadecimal value.
Key Version Version of SCK-TMO key.
Button Action
OK Commits entry to the AuC database.
Cancel Cancels entry and closes dialog box.
Field Description
Password Password to the administrator account for standby database. The password
entered is the one assigned during Oracle installation on a standby AuC.
Confirm Password Retype password.
Monitor Standby Status Enables/disables monitoring of standby database connection. State icon
appears on the status bar.
Button Action
OK Commits standby settings to AuC database.
Cancel Cancels the selection and closes Settings dialog box.
Help Launches the AuC online help window.
Field Description
Last used CCK version The CCK version number restored from the database backup.
Next suggested CCK version The CCK version number computed based on the restored version
number and schedule interval.
Button Action
Modify CCK Manually Updates the CCK version to the value selected.
Connect to AuC Opens the AuC Connection dialog box. When a connection to the
nationwide system is established key updates will automatically
occur. These will synchronize the CCK version with that in use
nationwide. This option is appropriate if your system is part of a
nationwide multicluster system.
Proceed Without Modification Closes the display without changing the CCK version. The next key
update will use the last used CCK version number, incremented by
one, as the version number for the future key.
This action applies the CCK version that was stored in the
database. If this version is lower than the highest version
currently in use in the system by more than one, there is
risk of losing voice traffic.
Cancel Closes the display without changing the CCK version.
Field Description
Password Requirements: The default settings can be configured according to the following
limitations.
Maximum Length The maximum number of characters allowed for a password.
Maximum length: 20 characters.
Minimum Length The minimum number of characters allowed for a password.
Minimum length: 4 characters.
Passwords must contain at least one digit When selected the password must contain at least one alphanumeric
character.
Interval of days until passwords expire Period of days after which a user will be
required to change their password during log in.
Minimum: 0 days, which means next login.
Maximum: 100 days.
Username Requirements:
Maximum Length The maximum number of characters allowed for a user name
Maximum: 20 characters.
Minimum Length The minimum number of characters allowed for a user name.
Minimum: 4 days.
Button Action
Restore Settings Restores the application’s default user settings.
OK Commits user settings to AuC database.
Cancel Cancels the selection and closes Settings dialog box.
Help Launches the AuC online help window.
File Import Keys Initiates keys import. Opens the Import Keys from File
dialog box, see Figure 4-21.
Exit Turns off the AuC Client.
User Change Password Initiates password changing process. Opens the Change
Password dialog box, see Figure 11-29.
Key Key Update Lock Disables key updates. Opens the Key Update Lock dialog
box, see Figure 11-32.
Key Update Lock Details... Displays the key update lock details, see Figure 11-31.
System AuC Database.. Opens the AuC Database dialog box, see Figure 11-28.
Encryption Devices... Opens the Encryption Devices dialog box, see
Figure 11-30.
Standby Status Report... Displays the standby database status report.
Check Standby Now... Checks the standby database status immediately.
Settings... Opens the Settings dialog box, see Figure 11-35,
Figure 11-37, Figure 11-40 and Figure 11-42.
Go Operational Changes the AuC Server mode to operational.
Go Out of Service Changes the AuC Server mode to out of service.
Nationwide Become Nationwide Master... Initiates the process of becoming the Nationwide
Master AuC, opens the AuC Connection dialog box, see
Figure 11-26.
Become Nationwide Slave... Initiates the process of becoming the Nationwide
Slave AuC, opens the AuC Connection dialog box, see
Figure 11-25.
TETRA/Dimetra Glossary
The glossary describes many terms connected with TETRA and Dimetra and is not system release
specific. Therefore not all terms may be relevant for a specific system or release.
Item Description
10/100Base-T A method of connecting Ethernet devices directly to an Ethernet switch/hub.
Max transfer rate is 10 or 100 Mbps.
A/V Antivirus.
ABO Automatic Busy Override.
ACC Adjacent Control Channel.
Accounting Management Involves the reporting of the activities of radio users on the system. The system
provides several accounting management facilities.
BTS Site A remote segment within the Dimetra IP system responsible for call
processing and mobility services within a local geographical area. A
Dimetra IP BTS site (also known as a base site) contains equipment
such as TETRA Site Controller (TSC), Base Radio Controller (BRC),
Environment Alarm System (EAS), and RF distribution equipment.
The BTS site functions as the termination point for air interface encryption
services. A static cipher key-trunked mode operation (SCK-TMO) key
is stored and used by BTS site equipment and subscriber mobile stations
(MS) to encrypt/decrypt voice and data communications. To receive future
SCK-TMO key updates, BTS site equipment must also store and utilize a unique
infrastructure key (Ki) and zone key encryption key (KEKz).
Bundle A collection of Inter TETRA Connections (ITCs) which utilizes the same
scenario over the inter system interface.
Busy handling When channel resources are not available, the controller generates a busy
indication over the control channel. This busy indication in form of a tone is
given to the MS user indicating it is in queue for the next available resource.
Busy queue A memory storage in the central controller to hold Mobile Station information
and requests until a channel is assigned after a busy condition.
Busy Queuing A method of queuing a call when resources are not available to grant the call.
CAD Computer Aided Dispatch.
CADI See Computer Aided Dispatch Interface.
CAI Common Air Interface.
Call Continuation The capability of passing active calls or busy queue designations across zone
boundaries. Also termed “Call Handoff”, Call Coordination, or Call Reconnect.
Call Detail Record The Call Detail Record contains information about usage of Packet Data service.
Call handoff The automatic assignment of an available channel when a radio user roams from
one site to another with continuous communications.