
Operation

System Administration

OMN-SY

A50016-D3131-Q901-1-7619
OMN-SY Operation
System Administration

Important Notice on Product Safety

Elevated voltages are inevitably present at specific points in this electrical equipment. Some of the
parts may also have elevated operating temperatures.
Non-observance of these conditions and the safety instructions can result in personal injury or in
property damage.
Therefore, only trained and qualified personnel may install and maintain the system.
The system complies with the standard EN 60950 / IEC 60950. All equipment connected has to comply
with the applicable safety standards.


Trademarks:
All designations used in this document can be trademarks, the use of which by third parties for their
own purposes could violate the rights of their owners.

Copyright (C) Siemens AG 2002.

Issued by Information and Communication Mobile


Hofmannstraße 51
D-81359 München

Technical modifications possible.


Technical specifications and features are binding only insofar as
they are specifically and expressly agreed upon in a written contract.


Reason for Update


Summary:
The most important features that have been added to this document in comparison to
the previous version (OMN:CS-SY, A50016-D1702-Q401-*-7619 and OMN:PS-SY,
A50016-D1702-Q906-1-7619) are:
– Revision and restructuring of contents

Issue History

Issue Number   Date of issue   Reason for Update
1              12/2002         New software version


This document consists of a total of 43 pages. All pages are issue 1.

Contents
1 Introduction (IN)
1.1 Administration of the MP platform
1.1.1 System time at SGSN
1.1.2 Message Control
1.1.2.1 Event Report Management
1.1.2.2 Log Control Function
1.1.3 Q3 Access Protection
1.1.3.1 Authentication
1.1.3.2 Access Control
1.1.3.3 Alarming in the Case of Access Violation
1.1.3.4 File Access Protection
1.1.4 Alarm Data
1.1.4.1 Alarm Indication
1.1.4.2 Alarm Log
1.1.4.3 External Alarms
1.1.4.4 Alarm Profiles
1.1.5 Data Media
1.1.6 Input Logging
1.1.6.1 Administration of Input Logging
1.1.6.2 Input Log Execution
1.1.7 Files
1.1.7.1 SAM File Arrays
1.1.7.2 File Security
1.1.7.3 File Transfer
1.2 Administration of the SP Platform
1.2.1 System Time at GGSN
1.2.2 Accounting File Storage
1.2.3 Alarm Handling
1.2.4 File Handling with FTP
1.3 Appendix: International Alphabet No. 5

2 Task List (TL)
2.1 MP Platform
2.1.1 System Time at SGSN
2.1.2 Message Control
2.1.3 Access Control
2.1.4 Alarm Data
2.1.5 Data Media
2.1.6 Input Logging
2.1.7 File Management
2.2 SP Platform
2.2.1 Accounting File Storage

3 Task Summary Lists (TS)

1 Task Procedures (TP)


1 Introduction (IN)
The OMN-SY describes the administration tasks to be performed in order to maintain
the operating functions of the system in the PS domain of the core network while the
network node is in service.
The general packet radio service (GPRS) allows the mobile subscriber access to the
Internet or other packet data networks. The GPRS core network consists of two different
network nodes, the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support
Node (GGSN). The nodes are connected via the Gn interface within the backbone
network.
The SGSN mainly handles the radio-related protocols and the mobility of the subscribers.
The SGSN serves the base station controller (BSC) via the Gb interface. The SGSN
consists of an MP platform and an SP platform.
The GGSN performs the connection to the ISP via the Gi interface. The GGSN consists
of an SP platform and an accounting file server (AFS). (For detailed information on the
hardware architecture of the CN, see the System Description.)
In line with the platforms integrated into the different network nodes of the core
network, the introduction and the task list of this manual are divided into the following parts:
• Administration of the MP platform (see chapter 1.1)
• Administration of the SP platform (see chapter 1.2)
Depending on the network node you wish to administer, please refer to the chapter of
the manual describing this platform and select the topic needed.
The following documentation deals with subjects closely related to the information given
in the present manual:
– the manual OMN-NNC explains the configuration of the network nodes in the PS domain
– the manual OMN-CM explains the administration of interfaces and connections
– the Switch Commander documentation describes the handling and the function
of the SC


1.1 Administration of the MP platform


Fig. 1.1 shows the MP platform and its connection to the Switch Commander (SC). The
MP platform is combined with the SP platform within the SGSN. SGSN data which is
stored on the hard disk (e.g. charging records) can be retrieved via FTP.

[Figure labels: MP platform, different MPs, MP:OAM, hard disk, FTP, TCP/IP, Switch Commander, Workbench]

Fig. 1.1 MP platform


The MP platform is administered via Q3 at the Switch Commander. The tasks described
in this chapter and in the task list can be performed at the workbench application of the
SC.
While the system is operating, you can establish access protection for Q3 tasks,
administer the handling of event reports and alarms, create input logging and handle files
stored on the hard disk via FTP. Information required for these administration tasks is
given in the following chapters and in the task list.

1.1.1 System time at SGSN


The system time of the network node (including information as to whether the system
time is secure, i.e. its status is not ’INSECURE’) can be called up with DISP ME.
The tasks DISP SYSTIME and MOD SYSTIME are available for displaying or modifying
the system time.
The MOD SYSTIME task is used
– to set the initial system time,
– to correct the system time,
– to alter the system time from winter time to summer time and vice versa.
If a radio clock of the type “GPS” is connected, only relative time corrections are
permissible (e.g. from winter time to summer time). Time corrections of less than 15 minutes
will be ignored. All other corrections are rounded up or down to the nearest 15 minutes.
Consequently, only corrections of +/- n x 15 minutes are possible (1 ≤ n ≤ 8). The
seconds are automatically corrected by the GPS.
If a DCF-77 radio clock is connected, any attempt to alter the time will be rejected with
an error message. This type of radio clock automatically corrects the seconds and
performs the changeover from winter time to summer time (and vice versa).


1.1.2 Message Control


For message control on the MP platform, destinations for Q3 notifications can be
defined and the event reports can be filtered and stored.

1.1.2.1 Event Report Management


Q3 notifications from the MP are regarded as event reports.
The task CR EVDEST creates an event destination which defines where reports are to
be routed to. A destination is an application in a remote operating system, e.g. the
Switch Commander.
Up to six destinations can be defined as event destinations and receive event reports.
In addition, up to five alternative destinations can be determined for each destination. If
a regular destination fails or is unavailable, the event reports are sent to the first
alternative destination. If it fails or is unavailable, the event reports are sent to the second
alternative destination and so on.
If the notifications are to be received by more than six destinations, several event
destinations with the same filter criteria and corresponding destinations can be generated.
Each event report has three significant attributes:
– the object class transmitting the report,
– the object instance (object transmitting the report),
– the event type (type of message).
These three attributes can be used in the filter of an event destination (parameter: Event
filter) to control what event reports are to be forwarded by the event destination. All three
attributes can be defined in the filter; at least one of the three attributes has to be
specified. Up to ten triplets (object class, object instance, event type) can be defined in the
filter of an event destination – i.e., the total number of filter conditions is limited to ten.
An event report is forwarded when the three attributes of the event report match the filter
criteria of the event destination.
The transfer of event reports by an event destination can be explicitly suppressed
(parameter: Administrative state).
You can also define times at which event reports are to be transferred. These can be
start and/or end times or daily/weekly periods.
The settings for an event destination can be changed with MOD EVDEST. DISP EVDEST
displays the current settings of one or more event destinations; CAN EVDEST
cancels an event destination.

1.1.2.2 Log Control Function


Event logs are used to store records giving event information. Each event log contains
event filters which describe the attributes that an event has to have in order to be stored.
The same filter criteria as for event report management apply (see section 1.1.2.1):
– the object class transmitting the report,
– the object instance (object transmitting the report),
– the event type (type of message).
When creating an event log with task CR EVLOG, you can specify the size of the event log
and the action to be performed when that size is reached (stop recording or
overwrite the oldest records – parameters: Log size and Log full action).


What’s more, up to five capacity alarm thresholds can be defined (parameter: Capacity
alarm thresholds). If the capacity of an event log reaches any of the threshold values, a
capacity alarm message is generated.
The storage of event log records in the event log can be explicitly suppressed
(parameter: Administrative state).
Depending on the Event log parameter, DISP EVLOG displays the status information of
one or more event logs. Detailed information is output for an actual event log.
The settings for an event log can be changed with MOD EVLOG. Note that parameters
can only be added after being entered with CR EVLOG.
Canceling an event log (CAN EVLOG) deletes all records in the log.
Event log records can be displayed with DISP EVRECF. You can also specify the range
of records to be displayed (parameter: Record range). The volume of data to be
displayed for records can be reduced by entering filter criteria (parameter: Detailed filter).
CAN EVREC deletes a record or a range of records in an event log.

1.1.3 Q3 Access Protection


Access protection is provided in two stages. The first stage covers the log-in at the
Switch Commander (or a similar operating system). A user must log on to the control
terminal and be authenticated. The authentication requires the creation of user IDs,
passwords and user groups with the resources available to the system. Once an
authorized user has logged on, he or she can make contact with the network node.
The second stage of the access protection, i.e. the Q3 access protection, is
implemented in the network node and is described in this chapter.
The Q3 access protection function provides functions for administration and control of
• initiators and their passwords for Q3 sessions (see section 1.1.3.1 "Authentication")
• access authorizations of Q3 initiators for objects (object classes) and Q3 operations
(see section 1.1.3.2 "Access Control")
• alarm function for access and entry violations (see section 1.1.3.3 "Alarming in the
Case of Access Violation").
Q3 access protection is set up or modified by system administrators. After logging on to
the Switch Commander, users are regarded in the MP as initiators when they use the
applications they require.

1.1.3.1 Authentication
Task MOD AUTHDEF is used to set a global default authentication for unknown
initiators (Default authent.). The default authentication can be:
– Allow
– Abort association
– Deny with response
The response to unauthorized access can also be set.
Initiators are assigned to users (user groups) who work with Switch Commander
applications allocated to them. Which user is allowed to use an application is administered in
the Switch Commander. Each initiator is identified by an AET (application entity title).
The relationship between users and initiators is shown in the example in Fig. 1.2.


[Figure: Switch Commander with User 1 to User 4, User group A to C and Application a to c; Network Node with Initiator x, y and z]

Fig. 1.2 Relationship between users and initiators (example)


Task CR INI is used to create an initiator in the MP and to define the applicable
authentication type – i.e., whether the initiator has to authenticate by using a simple password
or a replay-protected password (one-time password), or whether he has to be identified
only by the AET (without password). The initiator’s access to the MP can be time-limited
(start and stop times or daily/weekly periods).
Authentication by means of a replay-protected password also provides protection
against eavesdropping on the authentication data and its re-entry (replay). The maximum
period (validity) for a connection attempt is defined by specifying the acceptance time
(parameter: Accept time range).
The following tasks can be used for modifying, displaying and canceling initiators: MOD
INI, DISP INI and CAN INI respectively.

1.1.3.2 Access Control


Access control makes it possible to administer access rights by means of rules, initiator groups
and target groups. In order to create a suitable system of access rights, global settings
for the access control must be made and initiator groups, target groups and rules must
be created.
An initiator group is a set of initiators, while a target group refers to a set of object
classes/object model branches and operations.
A rule defines the access rights of an initiator group to a target group. In other words, it
specifies which types of access (operations on one or more object classes/object model
branches) can be performed by an initiator. Initiator groups as well as target groups can
be referenced by a number of rules.

Global access parameters


Global settings for the access control are specified with MOD ACCFG:
• Default access rights
Default access rights apply if no explicit access rights are defined (i.e., if no rules for
access exist). They can be set for each operation to Deny or Allow access (Default
access).
Default access rights should be set to Deny after the individual rules have been created.
• Denial response
Response to an access attempt refused because of a lack of default access rights
(Deny or Abort).
• Security administrator
The security administrator is a special AET. He or she has access to the system at
all times (see 1.1.3.1) and access to the access control database.
The authentication data of the security administrator is stored in a file without
generation. After an online fallback, the administrator is the only AET whose
authentication data is available both as part of the new generation and of the valid generation.
A security administrator must be specified before the individual rules are defined.
• Rule restriction
The rule types can be limited using the rule restriction so as to simplify the complex
access control system. For example, it is useful to only permit Allow rules and at the
same time to set the default access rights to Deny.
The security administrator should administer the initiator groups, target groups and
rules.
! Do not change the default access rights before defining the security administrator and
fixing the access rights by rules. Otherwise each Q3 operation could be rejected and no
further administration is possible.

Initiator groups, target groups


When creating an initiator group with the CR ACINIGRP task, a list of AETs is assigned
to the group. The group can be modified with MOD ACINIGRP (i.e., replaced, reduced,
expanded). DISP ACINIGRP and CAN ACINIGRP display and cancel initiator groups
respectively. Analogous tasks are available for administration of target groups.

Rules
A rule is created with task CR ACRULE. In addition to specifying the initiator groups
and target groups concerned, the rule type is defined. The period of validity of a rule can also be
limited (start and stop times or daily/weekly periods).
The types of rules are as follows:
– Allow rule: An allow rule permits access, provided that no deny rule applies.
– Deny rule: A deny rule causes rejection of access attempts.
– Abort rule: An abort rule aborts the connection to an initiator whenever an access is
attempted.
– Global rule: A global rule defines the global access rights for a referenced initiator
group. It does not reference any target group.
– Common rule: A common rule defines the general access rights for a referenced
target group. It does not reference any initiator group.
Note the following when modifying a rule (MOD ACRULE):
– You cannot change a common rule (no initiator group) to a non-common rule or vice
versa. In other words, only an existing initiator group can be modified.
– You cannot change a global rule (no target group) to a non-global rule or vice versa.
In other words, only an existing target group can be modified.
– You cannot change an Allow rule to a Deny rule or vice versa. In other words, a rule
type can only be changed from Deny to Abort or vice versa.
– Time parameters can only be modified if they have been created with CR ACRULE.

Example

Create a security administrator (a user with the AET <admin_aet> has been created):
MOD ACCFG: Sec. administrator = <admin_aet>;
Create an initiator group (STDGRP1), which should have access rights to all objects
(global rule - no Target group list):
CR ACINIGRP: Initiator group = STDGRP1, AET list = <aet1> <aet2>;
CR ACRULE: Rule = STDQ3ACCESS, Rule type = Allow,
Initiator group list = STDGRP1;
Create the default access rights and the permitted rule types:
MOD ACCFG: Default access = {M-ACTION = Deny, M-CREATE = Deny,
M-DELETE = Deny, M-GET = Deny, M-SET = Deny}, Denial response = Deny,
Rule restriction = Allow rules;
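
The rule evaluation and the ordering warning described in this section, as an added example (not part of the original manual and not the MP's implementation): a small Python model that replays the example above and checks for the lockout condition before default access is set to Deny. The class and function names, the AET strings, the initial default of Allow, the precedence of Abort over Deny and the omission of time limits are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

OPERATIONS = ("M-ACTION", "M-CREATE", "M-DELETE", "M-GET", "M-SET")


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str                                       # "Allow", "Deny" or "Abort"
    initiator_groups: Optional[Tuple[str, ...]] = None   # None = common rule
    target_groups: Optional[Tuple[str, ...]] = None      # None = global rule


@dataclass
class AccessControl:
    # Assumption: the node starts with default access Allow for every operation.
    default_access: dict = field(
        default_factory=lambda: {op: "Allow" for op in OPERATIONS})
    denial_response: str = "Deny"                 # "Deny" or "Abort"
    security_admin: Optional[str] = None          # AET of the security administrator
    rule_restriction: Optional[str] = None        # only "Allow rules" is modelled
    initiator_groups: dict = field(default_factory=dict)  # name -> set of AETs
    target_groups: dict = field(default_factory=dict)     # name -> {(object class, operation)}
    rules: list = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        if self.rule_restriction == "Allow rules" and rule.rule_type != "Allow":
            raise ValueError(f"rule restriction permits Allow rules only: {rule.name}")
        self.rules.append(rule)

    def _applies(self, rule, aet, object_class, operation) -> bool:
        if rule.initiator_groups is not None and not any(
                aet in self.initiator_groups.get(g, ()) for g in rule.initiator_groups):
            return False
        if rule.target_groups is not None and not any(
                (object_class, operation) in self.target_groups.get(g, ())
                for g in rule.target_groups):
            return False
        return True

    def decide(self, aet, object_class, operation) -> str:
        """Return "Allow", "Deny" or "Abort" for one Q3 operation."""
        if self.security_admin is not None and aet == self.security_admin:
            return "Allow"                        # access at all times
        matched = {r.rule_type for r in self.rules
                   if self._applies(r, aet, object_class, operation)}
        if "Abort" in matched:                    # assumed precedence: Abort, Deny, Allow
            return "Abort"
        if "Deny" in matched:
            return "Deny"
        if "Allow" in matched:                    # Allow only if no Deny rule applies
            return "Allow"
        if self.default_access[operation] == "Allow":
            return "Allow"
        return self.denial_response               # no rule matched, default is Deny


def lockout_findings(ac: AccessControl, new_default: dict) -> list:
    """Reasons why applying new_default now could leave the node unmanageable."""
    findings = []
    denied = [op for op in OPERATIONS if new_default.get(op) == "Deny"]
    if denied and ac.security_admin is None:
        findings.append("no security administrator defined")
    if denied and not any(r.rule_type == "Allow" for r in ac.rules):
        findings.append("no Allow rule exists for: " + ", ".join(denied))
    return findings


def build_page_example() -> AccessControl:
    """Replay the manual's example in its stated order (AET names are constructed)."""
    ac = AccessControl()
    ac.security_admin = "admin_aet"                           # MOD ACCFG: Sec. administrator
    ac.initiator_groups["STDGRP1"] = {"aet1", "aet2"}         # CR ACINIGRP
    ac.add_rule(Rule("STDQ3ACCESS", "Allow", ("STDGRP1",)))   # CR ACRULE (global rule)
    new_default = {op: "Deny" for op in OPERATIONS}
    problems = lockout_findings(ac, new_default)
    if problems:
        raise RuntimeError("; ".join(problems))
    ac.default_access = new_default                           # MOD ACCFG: Default access
    ac.denial_response = "Deny"
    ac.rule_restriction = "Allow rules"
    return ac
```

Calling `lockout_findings` on a freshly created `AccessControl` with an all-Deny default returns both findings, which is the state the warning in this section tells the administrator to avoid.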

1.1.3.3 Alarming in the Case of Access Violation


Access violations are detected by the authentication, access control or file security
functions and can be reported as security alarm reports. For each alarm type it is possible
to specify whether reports are to be written (MOD SECAL).
The following types of security alarm exist:
– Security violation - security check failed because no access rights exist.
– Time violation - security check failed because the time conditions are incorrect (not
within the defined times).
– Operat. violation - security check failed because of an internal error.
– Integ. violation - security check failed because of incorrect data from a replay check.
The generated security alarm reports are forwarded to event destinations (see also
section 1.1.2.1) and can be stored in security alarm logs. Security alarm logs can be created
commonly for Authentication, Q3 Access Control and File Security or separately for
each alarm type.
When creating a security alarm log with CR SECALLOG you can define the file size and
the action to be performed whenever the file size is reached (stop recording or overwrite
the oldest records) with the parameters: Log size and Log full action. The file is prefixed
‘SAL.’ (Security Alarm Log). Only security alarm reports selected with MOD SECAL are
logged.
In addition, up to five capacity alarm thresholds can be defined (parameter: Capacity
alarm thresholds). If the capacity level of the security alarm log reaches a threshold, a
capacity alarm is generated.
With DISP SECALLOG you can display the settings for one or more security alarm logs.
When a security alarm log is canceled (CAN SECALLOG), all records in it are deleted.
Security alarm report records can be displayed with DISP SECALRECF. You can
specify a range of records to be displayed (parameter: Record range). Records can be
copied from the history window to a file by using the copy and paste function on the Switch
Commander. You can view the file in a standard text editor in the Switch Commander
and use it for backup purposes.
CAN SECALREC cancels a record or range of records in a security alarm log.

1.1.3.4 File Access Protection


File access protection involves the control of:
– file transfer initiators and their passwords for file access (see below),
– access rights of file transfer initiators to files (see section 1.1.7.2),
– alarm signaling in response to access violations (together with Q3 access
protection, see section 1.1.3.3).
File access protection is set up or modified by system administrators. After logging on
to the SC, ‘normal’ users are implicitly classed as file transfer initiators for using the
applications they require for working with files.
The global settings the Q3 access protection uses for authentication (see section
1.1.3.2) are also valid for file access protection.
File transfer initiators are created (CR FTINI) to provide access protection for file
transfers. This is performed in the same way as for the initiators for operation (see section
1.1.3.1) whereby simple passwords or replay-protected passwords are used. In this
case, however, in place of the AET at the user interface, a user ID must be specified to
identify the initiator.


1.1.4 Alarm Data


Alarms are displayed on the Switch Commander at the alarm and message display
(AMD). The AMD provides alarm summaries of the nodes (node status), alarm lists for
selected nodes as well as alarm details.

1.1.4.1 Alarm Indication


Suitable event destinations must be created for alarm indication.

Example
An event destination is created for communications alarms, equipment alarms, etc.
and one for security alarms:
CR EVDEST: Event destination = <destination1>, Destination = <aet_list>,
Dest. with backup = <backup_aet_list>, Event filter = {,,communicationsAlarm},
{,,environmentAlarm}, {,,equipmentAlarm}, {,,processingErrorAlarm},
{,,qualityofServiceAlarm}, {,,objectDeletion}, {,,stateChange};
CR EVDEST: Event destination = <destination2>, Destination = <aet_list>,
Dest. with backup = <backup_aet_list>,
Event filter = {,,securityServiceOrMechanismViolation}, {,,timeDomainViolation},
{,,integrityViolation}, {,,operationalViolation};
All system alarms (including the CP) are compiled in the MP using the Standard Alarm
Balance Monitor (STALBAMO). The alarms are selected according to object classes,
event types and probable causes. A further Alarm Balance Monitor (PCM) can be
created for PCM alarms in the CP (CR ALRELAIS, see also 1.1.4.3). Under the control of
the STALBAMO, alarms for all Alarm Balance Monitors are indicated by means of the
lamps on the ALI module (CRITICAL, MINOR, MAJOR). DISP ALBALMON is used to
display an overview of the created monitors and their alarms.
It is not possible to suppress alarm indication on the MP.
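
The event filter and alternative-destination behaviour from section 1.1.2.1, applied to the two event destinations of the example above, as an added example (not part of the original manual and not the MP's implementation). It models triplet matching, failover to alternative destinations, and a check that every security alarm event type is forwarded by some event destination that is not suppressed. The class and function names and the AET strings are assumptions, as is the treatment of an unspecified triplet attribute as a wildcard and the requirement of at least one triplet.

```python
from dataclasses import dataclass

MAX_DESTINATIONS, MAX_ALTERNATIVES, MAX_TRIPLETS = 6, 5, 10

# Event types as written in the manual's CR EVDEST example.
ALARM_EVENT_TYPES = ("communicationsAlarm", "environmentAlarm", "equipmentAlarm",
                     "processingErrorAlarm", "qualityofServiceAlarm",
                     "objectDeletion", "stateChange")
SECURITY_EVENT_TYPES = ("securityServiceOrMechanismViolation", "timeDomainViolation",
                        "integrityViolation", "operationalViolation")


@dataclass
class EventDestination:
    name: str
    destinations: list        # [(AET, [alternative AETs in order]), ...]
    event_filter: list        # [(object class, object instance, event type), ...]
    suppressed: bool = False  # models the Administrative state parameter

    def __post_init__(self):
        if not 1 <= len(self.destinations) <= MAX_DESTINATIONS:
            raise ValueError("1 to 6 destinations per event destination")
        if any(len(alts) > MAX_ALTERNATIVES for _, alts in self.destinations):
            raise ValueError("at most 5 alternative destinations per destination")
        if not 1 <= len(self.event_filter) <= MAX_TRIPLETS:
            raise ValueError("1 to 10 filter triplets")  # lower bound: model assumption
        if any(len(t) != 3 or all(a is None for a in t) for t in self.event_filter):
            raise ValueError("each triplet needs at least one specified attribute")

    def matches(self, report) -> bool:
        """report is (object class, object instance, event type); None in a triplet = any."""
        return any(all(want is None or want == got for want, got in zip(triplet, report))
                   for triplet in self.event_filter)

    def route(self, report, reachable) -> list:
        """AETs that receive the report, given the set of currently reachable AETs."""
        if self.suppressed or not self.matches(report):
            return []
        receivers = []
        for primary, alternatives in self.destinations:
            for aet in (primary, *alternatives):   # regular first, then alternatives in order
                if aet in reachable:
                    receivers.append(aet)
                    break                          # none reachable: report is not delivered
        return receivers


def uncovered_event_types(event_destinations, required=SECURITY_EVENT_TYPES) -> list:
    """Required event types that no active destination forwards for every object."""
    covered = {t[2] for d in event_destinations if not d.suppressed
               for t in d.event_filter if t[0] is None and t[1] is None}
    return [et for et in required if et not in covered]


def build_page_destinations():
    """The two event destinations of the example, with constructed AET names."""
    dest1 = EventDestination("destination1", [("sc_alarm", ["sc_alarm_backup"])],
                             [(None, None, et) for et in ALARM_EVENT_TYPES])
    dest2 = EventDestination("destination2",
                             [("sc_sec", ["sc_sec_backup1", "sc_sec_backup2"])],
                             [(None, None, et) for et in SECURITY_EVENT_TYPES])
    return dest1, dest2
```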

1.1.4.2 Alarm Log


There is no periodic overview of alarms in the MP. An overview can only be obtained on
request.
Alarm logs must be created on the MP in order to store all alarm messages (including
those in the CP). All logs are to have the default size. If the logs are full, the oldest entry
is to be overwritten (default settings).
The alarm log can be displayed with the Switch Commander application “Q3 Event
Presentation Service” (Q3EPS).
The contents of the alarm log can also be viewed with the resources of the log control
function (see Section 1.1.2.2): DISP EVRECF: Event log = AlarmLog, ...;

Example
An alarm log “AlarmLog” for communications, equipment and similar alarms and an
alarm log “SAL_AlarmLog” for security alarms are created:
CR EVLOG: Event log = AlarmLog, Event filter = {,,communicationsAlarm},
{,,environmentAlarm}, {,,equipmentAlarm}, {,,processingErrorAlarm},
{,,qualityofServiceAlarm}, {,,objectDeletion}, {,,stateChange};
CR EVLOG: Event log = SAL_AlarmLog,
Event filter = {,,securityServiceOrMechanismViolation}, {,,timeDomainViolation},
{,,integrityViolation}, {,,operationalViolation};

1.1.4.3 External Alarms


The administration of external alarms on the MP platform depends on whether the MP platform
is combined with another platform and on the type of network node.

Combined MP and SP platform

[Figure labels: External Alarm Lines, 0 to 15, ALIB, Alarm Relays, 0 to 4, MP, SC]

Fig. 1.3 External alarm signaling (combined MP and SP platform)


The alarm inputs are administered in the MP. An alarm input interface (CR ALINIF) is
created for each alarm input. This defines the module on which the alarm input is to be
used and the alarm line number to which it is assigned. The Alarm level parameter
specifies the physical level of the alarm line which is to result in activation of the alarm
(default setting: HIGH, i.e. a closed contact activates the alarm). In addition, an alarm
profile, a probable cause and, optionally, an alarm text are assigned to the alarm input.
The ALIB module incorporates 16 alarm inputs.
The alarms are routed via three relays (for CRITICAL, MINOR, and MAJOR), which are
also located on the ALIB module. The relays can only be controlled once the CR ALRELAIS
task has been executed. This creates the ‘CRITICAL’, ‘MINOR’ and ‘MAJOR’
alarm output interfaces for forwarding the relevant alarms, under the control of the
standard alarm balance monitor.
The settings specified when the alarm output interfaces are created can be displayed
with DISP ALOUTIF.

1.1.4.4 Alarm Profiles


An alarm profile contains the probable cause values. An alarm priority is assigned to
each cause. The alarm profiles of the MP can be displayed with DISP ALPROFMP.
The following default alarm profiles are available in the MP:

Alarm profile   Description
ALSUPP          Alarm is suppressed
WARNING         Alarm priority: WARNING
MINNOESC        Alarm priority: MINOR without escalation
MINESC          Alarm priority: MINOR with escalation to CRITICAL for cases in
                which the function is impaired
MAJNOESC        Alarm priority: MAJOR without escalation
MAJESC          Alarm priority: MAJOR with escalation to CRITICAL for cases in
                which the function is impaired
CRITICAL        Alarm priority: CRITICAL

Tab. 1.1 Alarm profiles


1.1.5 Data Media


This section describes the administration of the data media of the MP. These media are:
• the magnetic disk (MD) and
• the magneto-optical disk (MO).
Management of the various devices does not fall within the scope of this Operation
Manual as this is done during the installation of the system.

Magnetic disk
The two magnetic disks of the MP are permanently installed in the system. They can be
deactivated (for maintenance purposes for example) and reactivated with the task
CONF MDDMP. When they are activated, it is possible to determine whether or not their
content is to be discarded, i.e. whether or not the content of the hard disk is to be
overwritten by copying.
The following properties of the magnetic disks can be verified with the task DISP MDDMP:
– free memory space
– total memory space
– MP alarm profile
– board and board type
– mounting location (rack, shelf, pitch).

Magneto-optical disk
The two magneto-optical disks of the MP are operated with random access, i.e., like a
hard disk. Prior to a change of medium, the device must be deactivated and then
reactivated, using the task CONF MODMP in both cases. For activated disks, it is possible
to determine whether or not the content of the redundant magneto-optical disk is to be
overwritten by copying.
The following properties of the magneto-optical disks can be verified with the task
DISP MODMP:
– free memory space
– total memory space
– MP alarm profile
– board and board type
– mounting location (rack, shelf, pitch).


1.1.6 Input Logging


Every modification to the database of the network node caused by operator input (Q3
tasks) or subscriber controlled input is recorded in a series of log files by the input
logging function.
Log files are needed, for example:
– after a change of APS
– after a fallback of the software to a secure APS

1.1.6.1 Administration of Input Logging


Input logging must be activated with the task SET INPLOG. The input log files are then
created on the MP hard disk, as indicated in Tab. 1.2.

Log file        Content                                      File name

Master file     Information about all the associated log     LG.<name>.<ext>.MASTER
                files (names and sequence numbers of the
                Q3 requests they contain) as readable text
Q3 binary file  Q3 requests in binary form                   LG.<name>.<ext>.Q3B
Q3 text file    Q3 requests as readable text                 LG.<name>.<ext>.Q3T

Tab. 1.2 Log files

The file name consists of the following parts:

<name>    This is the user-specific part of the file name. It corresponds to the Log
          file name parameter of the SET INPLOG task. If this file name is not
          specified, the current system time is indicated here as the character string.
<number>  This part of the file name is automatically assigned. The first layer
          management log file is numbered ‘001’. Following further configuration, this
          part is numbered in ascending order, provided that <ext> remains
          unchanged.
<ext>     This part of the filename is automatically assigned incrementally. The first
          Q3 files are assigned the extension ‘A1’. The value range is from A1 to
          Z9. The master file always has the extension ‘A0’.
When activating the logging function, a maximum size of the log files can be defined
(Swap file size parameter). If this limit is reached (combined volume of Q3 binary files
and Q3 text files), the files are automatically closed and new files are created with an
incremented <ext> in the filename.

Example
The input logging function is activated and the indicated files are created. The
maximum size of the log files is not indicated and the files therefore have the default size
(20 Mbytes).
SET INPLOG: Log file name = MCH1;
LG.MCH1.A0.MASTER
LG.MCH1.A1.Q3B
LG.MCH1.A1.Q3T
LG.MCH1.A1.LM001 (if configuration of the layer manager is performed)
LG.MCH1.A1.LM002 (if a second configuration of the layer manager is performed).
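
The naming scheme above can be checked mechanically before a set of log files is handed to input log execution. The following Python sketch is an added example, not code from the manual or the system; it assumes that <name> contains no dot, that "A1 to Z9" means a letter A-Z followed by a digit 1-9, and that every extension in use carries exactly one Q3 binary and one Q3 text file.

```python
import re
from collections import defaultdict

# LG.<name>.<ext>.<type>; ASSUMPTION: <name> itself contains no "."
_LOG_NAME = re.compile(
    r"LG\.(?P<name>[^.]+)\.(?P<ext>[A-Z][0-9])\."
    r"(?P<type>MASTER|Q3B|Q3T|LM(?P<number>[0-9]{3}))"
)


def parse_log_name(filename):
    """Split an input log file name into its parts, or return None."""
    m = _LOG_NAME.fullmatch(filename)
    if m is None:
        return None
    number = m.group("number")
    return {
        "name": m.group("name"),
        "ext": m.group("ext"),
        "type": "LM" if number else m.group("type"),
        "number": int(number) if number else None,
    }


def check_log_set(filenames, name):
    """Return a list of problems found in the log file set <name>."""
    problems = []
    masters = 0
    per_ext = defaultdict(lambda: {"Q3B": 0, "Q3T": 0, "LM": []})
    for filename in filenames:
        parts = parse_log_name(filename)
        if parts is None or parts["name"] != name:
            problems.append(f"{filename}: not an input log file of set {name}")
        elif parts["type"] == "MASTER":
            masters += 1
            if parts["ext"] != "A0":
                problems.append(f"{filename}: master file must have extension A0")
        elif parts["ext"][1] == "0":
            # ASSUMPTION: "A1 to Z9" means letter A-Z followed by digit 1-9.
            problems.append(f"{filename}: extension outside A1..Z9")
        elif parts["type"] == "LM":
            per_ext[parts["ext"]]["LM"].append(parts["number"])
        else:
            per_ext[parts["ext"]][parts["type"]] += 1
    if masters != 1:
        problems.append(f"expected exactly one master file, found {masters}")
    for ext in sorted(per_ext):
        files = per_ext[ext]
        # The export interprets the Q3 text file and takes the data from the
        # Q3 binary file, so each extension needs exactly one of each.
        if files["Q3B"] != 1 or files["Q3T"] != 1:
            problems.append(f"{ext}: Q3B/Q3T pair incomplete")
        # Layer management files are numbered 001, 002, ... per extension.
        if sorted(files["LM"]) != list(range(1, len(files["LM"]) + 1)):
            problems.append(f"{ext}: layer management files not numbered 001, 002, ...")
    return problems


# File set from the example above (SET INPLOG: Log file name = MCH1).
PAGE_EXAMPLE = [
    "LG.MCH1.A0.MASTER",
    "LG.MCH1.A1.Q3B",
    "LG.MCH1.A1.Q3T",
    "LG.MCH1.A1.LM001",
    "LG.MCH1.A1.LM002",
]

if __name__ == "__main__":
    print(check_log_set(PAGE_EXAMPLE, "MCH1") or "log file set is consistent")
```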


The user-specific part of the file name <name> and the maximum size of the log files
can be modified with task MOD INPLOGFILE. The file size can only be modified
together with the name. The old log files are closed and regenerated. This may take some time
since, before they are closed, all database changes which have already been started
must be completed. If log jobs (activities recorded by input logging) are still active after
30 minutes, the MOD INPLOGFILE task is rejected.
Task RSET INPLOG terminates the input logging operation and closes all log files. In
this case it is necessary to wait until all the initiated database changes have been
completed. If log jobs are still active after one hour, they are terminated and alarm messages
reports will be lost.
The current status of the input logging function can be checked with STAT INPLOG.
The log files can be transferred via FTP to the operation terminal where they can be
viewed and edited. Requests should only be deleted and not inserted in the Q3 text file
since, during the subsequent export (see section 1.1.6.2), the Q3 text file is interpreted
(as it relates to the sequence of operations) while the associated data from the Q3 binary
file is used.

1.1.6.2 Input Log Execution


The input log execution functions are used to incorporate the content of the input log files
into the database of the network node. When starting the incorporation, just one master
file is processed. The master file, together with the other input log files, can be located
either on the hard disk or on a magneto-optical disk. If a fault occurs during the
incorporation procedure, the procedure is suspended and the position (sequence number of the
request that could not be processed successfully) is displayed.
It is possible to specify the sequence number (i.e., the Q3 request or MML command)
within the log files where exporting shall start and where it shall be stopped (partial
exportation of the log files).
The incorporation can be interrupted with DACT INPLOGEX. The file name and the
sequence number of the last request processed are displayed, regardless of whether the
export was successful or a fault occurred.
After an interruption, log file execution should be restarted with the first entry which has
not yet been exported. The sequence number of the last request exported successfully
can be determined by displaying the status of the input log execution with
STAT INPLOGEX.
If exporting is to be restarted after an error has occurred, the error must first be cleared. Log
file execution should be restarted with the entry at which it was suspended. If necessary,
the Q3 text file must be edited. In this file, requests should only be deleted and not
inserted or modified (see Section 1.1.6.2).
Incorporating contents of the input log files into the database of the network node can
be completed with the following results:

EXECUTED                  The complete input log file was able to be incorporated.
NOT_EXECUTED              The input log file was not able to be incorporated (see error
with error information    information, e.g. Master Syntax Error).
NOT_EXECUTED              A few MML commands, Q3 requests or layer management
without error             configuration files were not able to be incorporated. More
information               detailed information is contained in the error log files.


Error handling
If errors occur during incorporation of the contents of the input log files into the database
of the network node, various information is written into the following error log files:
– LG.<name>.LEXERR.nnn (on the MP hard disk)
– LG.<name>.LEXLMR.nnn (on the MP hard disk)
– LG.LEXOUT.nnn (on the CP hard disk)
The placeholder <name> corresponds to the <name> part of the input log file that is to
be incorporated. nnn is a number (001 to 999) which will be incremented when the same
input log file (<name>) is incorporated.
Error log file LG.<name>.LEXERR.nnn is created at the start of incorporation and
consists of the following parts:
• Start header
This part consists of a time stamp (beginning of incorporation), the start parameters,
a short explanation of the function of the file and the abbreviations used in the file.
• Error entries
This part contains a one-line entry for each erroneous Q3 request or MML command
with
– the sequence number of the request or command
– the expansion of the log file concerned
– the application which caused the rejection (AS (Application server), MMI, LEX
(Log executor), LM (Layer management))
– a part which describes a detailed reason
– a warning code
The warning code is set if the Layer management or Application server applications
have rejected the request/the command. If one of these applications also responds
with a rejection when the second attempt is made, no warning is written into the error
log file.
• Stop time stamp or end of execution code
For Layer management entries, the sequence number and the \NET.RESULT file of each
Layer management Configuration file (see manual OMN-NNC, OSI over TCP) which
cannot be copied in are copied into log file LG.<name>.LEXLMR.nnn. Log file
LG.<FileName>.LEXLMR.nnn contains the copy of all \NET.RESULT files of all Layer
management Configuration files which could not be copied in and which are stored in the
LG.<FileName>.A0.MASTER input log file.
Entries for MML commands which could not be incorporated are written into Error log file
LG.LEXOUT.nnn on the CP hard disk. To identify the outputs in log file
LG.LEXOUT.nnn the procedure is as follows:
– Select the MML command (to be found in the MML log file) with the sequence
number from LG.LEXOUT.nnn and
– compare it with the entries in LG.LEXOUT.nnn; the result is after the matching
command.


1.1.7 Files
This section deals with the management of files on the local data media such as
magnetic disk (MD) and magneto-optical disk (MO). For information on the data media itself,
see section 1.1.5.

1.1.7.1 SAM File Arrays


On the MP’s system disk arrays of sequential access method files (SAM file arrays,
SAMARs) can be administered.
The sequential access method (SAM) files are filled in succession. If one file is filled, this
particular file is closed and the next one is opened.
A SAMAR is created with the task CR SAMAR. The following parameters are
administrable:
– Name of SAM File Array
– SAMAR size (Number of Files; File size)
– Record format (fix length or variable length)
– Record size
– Transfer mode (oneFileView; multipleFileView)
– No. of safety copies (to be transferred before the SAMAR can be deleted) and Max
size of copies
– three step alarm thresholds for upgrade (level increasing) and downgrade (level
decreasing) of the SAMAR filling level (minor; major; critical)
A SAMAR is always created in the root directory of the MP’s system disk. The Name of
SAM File Array consists of a maximum of 25 characters (<samarId>) and an extension for a
sequential number of 4 digits (\<samarId>.nnnn).
Depending on the parameter Transfer mode, the state query and the transfer of a
SAMAR are done via FTP in two different ways:
• Transfer mode = “multipleFileView”
Each file is transferred separately. A request to an active file causes the closing of
the active file. The release of the file (delete of the file contents) can be done after
execution of all required safety copies. The files stay available until new content is
written.
• Transfer mode = “oneFileView”
A file group is transferred. The transfer starts with the oldest file and ends
depending on the administrated Max size of copies. If the Max size of copies is not reached,
the transfer ends with the active file, which is closed beforehand. The release of the file
group (delete of the file contents) can be done after execution of all required safety
copies. The next request to new SAMAR files can only be made after release of the
former file group.
Depending on the Display action parameter, DISP SAMAR lists all SAMARs or displays
the status information or attributes of one specified SAMAR.
Some settings for a SAMAR can be changed with MOD SAMAR. To change settings
that cannot be changed with MOD SAMAR (e.g. reduction of the SAMAR’s size), the SAM
file array must be deleted and recreated.
The task CAN SAMAR deletes a SAMAR from the hard disk. Deletion is only possible if
all files of the SAMAR are either empty or copied as many times as required (parameter
No. of safety copies of the CR SAMAR task) and no file is open for data writing. The
feature which causes the writing must be deactivated first to avoid further writing into
the SAMAR’s files during or after making the safety copies.

1.1.7.2 File Security


File security rights are administered by means of rules, initiator groups and file groups.
An initiator group is a set of initiators. An initiator corresponds to a user ID created in the
network node. A file group refers to a set of files and file operations. A rule defines the
rights of an initiator group to access a file group. In other words, it determines which type
of access (file operations on one or more files) may be performed by an initiator. Initiator
groups as well as file groups can be the subject of several rules.
In order to create a suitable system of access rights, global settings for the
initiator-based file security must be made and initiator groups, file groups and rules must be
created.

Global file security parameters


The global settings for file security are specified with MOD FSCFG:
• Default access rights
Default access rights (Default access) can be set to Deny or Allow for each file
operation (read, write, create, cancel and read attributes). They apply if no explicit file
security rights are defined (i.e., if there are no rules for file access).
Default access rights should be set to Deny after the individual rules have been
created.
• Rule restriction
With the aid of rule restriction it is possible to limit the number of rule types so as to
simplify the complex file security system. Thus it is useful, for example, to permit only
Allow rules and, at the same time, to set the default access rights to Deny.

Initiator groups
When creating an initiator group with task CR FSINIGRP, a list of initiator IDs is
assigned to the group. The group can be modified with MOD FSINIGRP (i.e., replaced,
reduced, expanded). DISP FSINIGRP and CAN FSINIGRP display and cancel initiator
groups respectively.

File groups
When creating a file group (CR FSFGRP), a file list and an operation list are assigned
to the file group. The file list can contain up to 20 fully or partially qualified file names.
The maximum lengths of file names differ between CP and MP (17 characters in the CP
and 48 in the MP).
The operation list defines one or more file operations for the file group (read, write,
create, cancel or read the attributes). A rule applied to the file group defines whether the
operations are permitted or not. In addition, a password can be defined for each
operation. This password is only evaluated if an Allow rule applies to the particular operation.
The file lists and operation lists can be modified with task MOD FSFGRP. Note that
operations cannot be added or deleted at the same time. To delete an operation protected
by a password, you must enter the password.
To modify or reset the password for a file operation, use task MOD FSFGRPPW or
RSET FSFGRPPW respectively. Task RSET FSFGRPPW may only be set by
administrators with a high level of authorization as it is possible to reset a password with this
task without knowing the old password.
The tasks DISP FSFGRP and CAN FSFGRP are provided for displaying and canceling
file groups respectively.

Rules
A rule is defined with task CR FSRULE. In addition to specifying the initiator groups and
file groups concerned, the rule type is defined. The validity of a rule can be limited in time
(start and stop times or daily/weekly periods).
The types of rules are as follows:
• Allow rule
An Allow rule permits file accesses, provided no Deny rules apply.
• Deny rule
A Deny rule causes rejection of file access attempts.
• Global rule
The global rule does not reference a file group. Instead, it defines the global access
rights for a referenced initiator group, i.e., for all files and file operations.
• Common rule
A Common rule does not reference an initiator group. Instead, it defines the general
access rights for a referenced file group, i.e., it applies to all initiators.
Note the following when modifying a rule (MOD FSRULE):
– You cannot change a common rule (no initiator group) to a non-common rule or
vice versa. In other words, only an existing initiator group can be modified.
– You cannot change a global rule (no file group) to a non-global rule or vice versa.
In other words, only an existing file group can be modified.
– Only time parameters created with CR FSRULE can be modified.
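
The interaction of default access rights, Allow, Deny, Global and Common rules described in this section can be modelled as follows. This Python sketch is an added example, not the system's own implementation: all initiator, group and rule names are constructed, and it assumes that a partially qualified file name ends with "." and matches by prefix and that the default applies whenever no rule matches the access. Passwords and time-limited validity are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

OPERATIONS = ("read", "write", "create", "cancel", "read attributes")


@dataclass(frozen=True)
class FileGroup:
    files: Tuple[str, ...]        # file list, at most 20 names
    operations: FrozenSet[str]    # operation list

    def covers(self, filename: str, operation: str) -> bool:
        if operation not in self.operations:
            return False
        # ASSUMPTION: a partially qualified name ends with "." and matches
        # every file name starting with it; any other name matches exactly.
        return any(filename.startswith(f) if f.endswith(".") else filename == f
                   for f in self.files)


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                       # "allow" or "deny"
    initiator_group: Optional[str]  # None = Common rule (all initiators)
    file_group: Optional[str]       # None = Global rule (all files, operations)


@dataclass
class FileSecurity:
    default_access: Dict[str, str]               # operation -> "allow"/"deny"
    initiator_groups: Dict[str, FrozenSet[str]]
    file_groups: Dict[str, FileGroup]
    rules: List[Rule]
    allow_rules_only: bool = False               # rule restriction

    def __post_init__(self):
        if any(len(g.files) > 20 for g in self.file_groups.values()):
            raise ValueError("a file list holds at most 20 file names")
        if self.allow_rules_only and any(r.kind == "deny" for r in self.rules):
            raise ValueError("rule restriction permits only Allow rules")

    def _applies(self, rule, initiator, filename, operation):
        if (rule.initiator_group is not None
                and initiator not in self.initiator_groups[rule.initiator_group]):
            return False
        if (rule.file_group is not None
                and not self.file_groups[rule.file_group].covers(filename, operation)):
            return False
        return True

    def decide(self, initiator, filename, operation):
        """Return (decision, reason) for one file access."""
        if operation not in OPERATIONS:
            raise ValueError(f"unknown file operation: {operation}")
        hits = [r for r in self.rules
                if self._applies(r, initiator, filename, operation)]
        # An Allow rule permits access only if no Deny rule applies.
        for kind in ("deny", "allow"):
            for rule in hits:
                if rule.kind == kind:
                    return kind, "rule " + rule.name
        # ASSUMPTION: the default is used when no rule matches this access.
        return self.default_access[operation], "default"


def open_by_default(fs, initiators, filenames):
    """List accesses that succeed only because Default access is Allow."""
    return [(i, f, op) for i in initiators for f in filenames
            for op in OPERATIONS if fs.decide(i, f, op) == ("allow", "default")]


def build_example(default):
    """Constructed sample configuration; every name here is hypothetical."""
    return FileSecurity(
        default_access={op: default for op in OPERATIONS},
        initiator_groups={"LOGOPS": frozenset({"OPER1"}),
                          "ADMINS": frozenset({"ADMIN1"})},
        file_groups={
            "LOGREAD": FileGroup(("LG.",), frozenset({"read", "read attributes"})),
            "LOGWRITE": FileGroup(("LG.",), frozenset({"write", "cancel"})),
        },
        rules=[
            Rule("R1", "allow", "LOGOPS", "LOGREAD"),
            Rule("R2", "allow", "ADMINS", None),     # Global rule
            Rule("R3", "deny", None, "LOGWRITE"),    # Common rule
        ],
    )


if __name__ == "__main__":
    for default in ("allow", "deny"):
        fs = build_example(default)
        print(default, open_by_default(fs, ["OPER1", "GUEST1"], ["LG.MCH1.A1.Q3T"]))
```

With Default access left at Allow, the initiator that appears in no group can still read and create log files; after switching to Deny the same list is empty, which is why the manual sets Deny once the individual rules exist.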


1.1.7.3 File Transfer


File transfer on the MP is normally performed with FTP. File transfer with FTAM is used
in case of system upgrades without changing the infrastructure.

File transfer with FTP


Files can be transferred with FTP from the data media of the MP to a remote system
(e.g., the Switch Commander) and vice versa (see Fig. 1.4) as well as locally within the
MP. This includes listing the files in a directory, deleting and copying files. For logging
purposes, files are transferred to the SC and viewed using an editor.

[Figure: copying direction between the local data media of the MP in the network node
(magnetic disk, magneto-optical disk) and the remote data media (hard disk, disk) of the
SC / OS / PC]

Fig. 1.4 File transfer with FTP


The file access security options (see section 1.1.3.4) are applied. In addition, remote file
transfer is only possible via a user ID and password (see section 1.1.6).
FTP is operated on the SC with the aid of the commands: RCV FILE, SEND FILE, LIST
FILE, CAN FILE. You can also use FTP commands (e.g., open, close, put, get, ls /
or ls //, del) on other OS or FTP clients.

File transfer with FTAM


Project-specifically, files can be transferred from the MP with FTAM. In this case, a file
server API on the CP invokes FTAM and handles the contact to the MP file server. File
transfers in accordance with the FTAM standard are initiated by remote computers.


1.2 Administration of the SP Platform


Fig. 1.5 shows the SP platforms within the SGSN and GGSN. The SGSN consists of a
combination of MP and SP, the GGSN of an SP platform, only. The main devices of the
SP platform are the SPs with the different functionalities (SP:BSSGP, SP:GTP, SP:ISP)
and the main control processor (MCP). The GGSN additionally has an accounting file
server (AFS) used to store charging data.

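[Figure: the SGSN with its MP platform (MP:OAM, different MPs, hard disk) and SP platform
(SP:BSSGP, SP:GTP, MCP, Gb interface), and the GGSN with its SP platform (MCP, SP:ISP,
SP:GTP, AFS, Gi interface to the ISP). Labelled connections: internal connections, Q3 and
SNMP to the Switch Commander (IPMDD, LCT, Workbench), FTP to the ABC, SNTP to the
time server.]

Fig. 1.5 SP platform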

The SP platform is administrated via Simple Network Management Protocol (SNMP) at
the Switch Commander with a series of applications. The tasks described in this chapter
and in the task list can be performed at the workbench application of the SC.
With the LCT application basic administration of the SP platform is performed. The SWM
application handles software releases and backups. With the IPMDD application device
application data can be administered. Detailed information on these applications is
given in the manual OMN-NNC:PS and in Switch Commander documentation.
While the system is operating, you can perform the following administration tasks:
correct the system time, administrate the storage of charging files and the handling of
alarms and handle files via FTP. Information required for these administration tasks is
given in the following chapters and in the task list.


1.2.1 System Time at GGSN


The GGSN synchronizes with the accounting file server (AFS) time. The AFS uses the
simple network time protocol (SNTP) to get the universal time coordinated (UTC) from
an external time server (see Fig. 1.5.). The difference to the local time is provided by
means of the time zone variable which is assigned during AFS installation.
The time can be displayed with DISP GTIME.

1.2.2 Accounting File Storage


The accounting data is stored in SAMAR files on the AFS and can be retrieved by the
ABC via FTP.
The sequential access method (SAM) files are filled in succession. As soon as a file is
full, it is closed and the next one is opened.
The SAMAR file is created using CR GSAMAR. The FTP users are created at GGSN
with CR GACCFTPUSER. The user name and user password must be entered. For
more detailed information, see OMN-CHA.

1.2.3 Alarm Handling


The SP platform sends alarms in the form of traps to the Switch Commander.
The IP address to which the traps are sent is entered at the LCT application in the
’Trap Configuration’ dialog box.
After entering a trap destination, the IP address may not be available in the AFS for 15
minutes (worst case). During this time, traps sent from the AFS may get lost.

The alarm data collector (ADC) receives the traps and converts them into the X.733
alarm format. The alarm store service stores the alarms in the alarm DB. The alarm
presentation service applications are informed about incoming alarms and perform
presentation or forwarding.
Alarms and events are also stored at the SP platform and can be viewed for system,
card and port level at the LCT application.

1.2.4 File Handling with FTP


FTP users have to be created for retrieving charging files from the AFS and for file
handling on the SP.
An FTP-user for charging purposes is created with CR GACCFTPUSER, while an FTP-
user for file handling is created with CR FTPUSER.
The following FTP commands are supported:

Access control commands:       USER   userId
                               QUIT   logout
Transfer parameter commands:   TYPE   representation type
                               STRU   file structure
                               MODE   transfer mode
FTP service commands:          GET    retrieve file (-> "oneFileView")
                               DEL    release file (-> "oneFileView")
                               DIR or LS


1.3 Appendix: International Alphabet No. 5


The following table is an excerpt from the "International Alphabet No. 5", which is
required for the input of USSD texts. It contains the special characters which must be used
when changing texts to hexadecimal form.
The hexadecimal code for a character is a combination of the column number and the
line number.

Example:
The character "[" is represented in hexadecimal form as 5B.

     0     1     2     3     4     5     6     7

0    NUL   DLE   SP    0     @     P     ´     p
1    SOH   DC1   !     1     A     Q     a     q
2    STX   DC2   "     2     B     R     b     r
3    ETX   DC3   #     3     C     S     c     s
4    EOT   DC4   $     4     D     T     d     t
5    ENQ   NAK   %     5     E     U     e     u
6    ACK   SYN   &     6     F     V     f     v
7    BEL   ETB   ’     7     G     W     g     w
8    BS    CAN   (     8     H     X     h     x
9    HT    EM    )     9     I     Y     i     y
A    LF    SUB   *     :     J     Z     j     z
B    VT    ESC   +     ;     K     [     k     {
C    FF    IS4   ,     <     L     \     l     |
D    CR    IS3   -     =     M     ]     m     }
E    SO    IS2   .     >     N     ^     n     ¯
F    SI    IS1   /     ?     O     _     o

6C = (lowercase) letter "l", 7C = <vertical line>

Tab. 1.3 International Alphabet No. 5 (excerpt)


2 Task List (TL)

Display commands are only specified in the procedures when they are absolutely necessary. Generally,
display commands are not necessary for confirming the execution of a command. It can already be seen
from the command acknowledgment output by the system whether the command entered was correctly
executed. If it should be necessary for administrative reasons to receive an acknowledgment of the
executed tasks in addition to the run listing, the contents of the database can be displayed, for example,
before and after or only after each task using the appropriate commands (see TML).
Each task contains only the parameters or identifiers characteristic for that particular task.

2.1 MP Platform
2.1.1 System Time at SGSN
(See Introduction (IN), section 1.1.1 "System time at SGSN")
Display general MP data describing the network node, here system time . . . . . DISP ME
Display the system time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP SYSTIME
Modify the system time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD SYSTIME
Change the system time from winter time to summer time and vice-versa . . . . . MOD SYSTIME

2.1.2 Message Control


(See Introduction (IN), section 1.1.2 "Message Control")
Event report management
Display event destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP EVDEST
Create an event destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR EVDEST
Modify an event destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD EVDEST
Delete an event destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN EVDEST
Management of the log control function
Display the status information of event logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP EVLOG
Create an event log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR EVLOG
Modify an event log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD EVLOG
Delete an event log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN EVLOG
Display event log records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP EVRECF
Delete event log records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN EVREC

2.1.3 Access Control


(See Introduction (IN), section 1.1.3 "Q3 Access Protection")
Management of the authentication
Display the global authentication settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP AUTHDEF
Modify the global authentication settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD AUTHDEF
Display initiators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP INI
Create an initiator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR INI
Modify an initiator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD INI
Delete an initiator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN INI
Display file transfer initiators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP FTINI
Create a file transfer initiator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR FTINI
Modify a file transfer initiator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD FTINI
Delete a file transfer initiator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN FTINI


Management of access control


Display the global access control settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP ACCFG
Modify the global access control settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD ACCFG
Display access control initiator groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP ACINIGRP
Create an access control initiator group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR ACINIGRP
Modify an access control initiator group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD ACINIGRP
Delete an access control initiator group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TP-120
Display access control target groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP ACTARGRP
Create an access control target group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR ACTARGRP
Modify an access control target group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD ACTARGRP
Delete an access control target group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TP-122
Display access control rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP ACRULE
Create access control rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TS-130
Modify an access control rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD ACRULE
Delete an access control rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN ACRULE
Management of security alarm signaling
Display the global security alarm signaling settings . . . . . . . . . . . . . . . . . . . . . . DISP SECAL
Modify the global security alarm signaling settings . . . . . . . . . . . . . . . . . . . . . . MOD SECAL
Display security alarm logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP SECALLOG
Create a security alarm log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR SECALLOG
Delete a security alarm log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN SECALLOG
Display security alarm report records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP SECALRECF
Delete security alarm report records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN SECALREC

2.1.4 Alarm Data


(See Introduction (IN), section 1.1.4 "Alarm Data")
Alarm profiles
Display alarm profiles on the MP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP ALPROFMP
Alarm input interfaces
Create an alarm input interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR ALINIF
Modify an alarm input interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD ALINIF
Display alarm input interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP ALINIF
Delete an alarm input interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN ALINIF
Alarm output interfaces
Create the alarm output interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR ALRELAIS
Display the parameters for alarm output interfaces . . . . . . . . . . . . . . . . . . . . . . DISP ALOUTIF
Alarm balance monitor
Display the alarm balance monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP ALBALMON

2.1.5 Data Media


(See Introduction (IN), section 1.1.5 "Data Media")
Magnetic disk
Display the properties of a magnetic disk in the MP . . . . . . . . . . . . . . . . . . . . . DISP MDDMP
Activate a magnetic disk in the MP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CONF MDDMP
Deactivate a magnetic disk in the MP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CONF MDDMP
Magneto-optical disk
Display the properties of a magneto-optical disk in the MP. . . . . . . . . . . . . . . . DISP MODMP
Activate a magneto-optical disk in the MP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CONF MODMP
Deactivate a magneto-optical disk in the MP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CONF MODMP


2.1.6 Input Logging


(See Introduction (IN), section 1.1.6 "Input Logging")
Input logging
Display the input logging status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . STAT INPLOG
Start input logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SET INPLOG
Stop input logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RSET INPLOG
Modify the log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD INPLOGFILE
Input log execution
Display the input log execution status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . STAT INPLOGEX
Deactivate input log execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DACT INPLOGEX

2.1.7 File Management


(See Introduction (IN), section 1.1.7 "Files")
Initiator based file security
Display the global settings of the initiator based file security . . . . . . . . . . . . . . . DISP FSCFG
Modify the global settings of the initiator based file security . . . . . . . . . . . . . . . MOD FSCFG
Display file security initiator groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP FSINIGRP
Create a file security initiator group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR FSINIGRP
Modify a file security initiator group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD FSINIGRP
Delete a file security initiator group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TP-196
Display file security file groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP FSFGRP
Create a file security file group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR FSFGRP
Modify a file security file group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD FSFGRP
Delete a file security file group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TP-197
Display file security rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP FSRULE
Create file security rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TS-660
Modify a file security rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD FSRULE
Cancel a file security rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN FSRULE

2.2 SP Platform
2.2.1 Accounting File Storage
(See Introduction (IN), section 1.2.2 "Accounting File Storage")
Accounting File Server and accounting and billing center
Enter IP address for GGSN accounting file server nodes . . . . . . . . . . . . . . . . MOD GACCFSN
Display IP address for GGSN accounting file server nodes . . . . . . . . . . . . . . . . DISP GACCFSN
Enter IP address for accounting and billing center. . . . . . . . . . . . . . . . . . . . . . MOD GACCBILLC
Display IP address for accounting and billing center. . . . . . . . . . . . . . . . . . . . . . DISP GACCBILLC

FTP user
Display all FTP users for accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP GACCFTPUSER
Display one FTP user for accounting
using parameter User index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DISP GACCFTPUSER
Create an FTP user for accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR GACCFTPUSER
Modify an FTP user for accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD GACCFTPUSER
Cancel an FTP user for accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN GACCFTPUSER
Create an FTP user at SP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR FTPUSER


Cancel an FTP user at SP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CAN FTPUSER


3 Task Summary Lists (TS)


TS-130 Create access control rules


All rules for the access control should be created jointly. Security administrator rights are required to create the
rules (step 1). Steps 2 and 3 must be repeated according to the initiator or target groups required. Repeat step 4
as often as rules are needed. After creating all rules, the default access rights should be set to Deny.
1 Define a security administrator (if required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD ACCFG
with Sec. administrator
2 Create an initiator group (if required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR ACINIGRP
3 Create a target group (if required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR ACTARGRP
4 Create an access control rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR ACRULE
with Initiator group list, Target group list
5 Set the default access rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD ACCFG
with Default access = Deny

Remark:
Tasks with the comment "if required" are omitted if they have already been carried out in another step.


TS-660 Creating file security rules


Steps 1 and 2 are to be repeated according to the initiator groups or file groups required. Step 3 is to be executed
as frequently as the rules specify. Once all the rules have been compiled, the standard access rights should be
set to Deny.
1 Create an initiator group (if required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR FSINIGRP
2 Create a file group (if required) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR FSFGRP
3 Create a file security rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CR FSRULE
with: Initiator group list, File group list
4 Set the standard access rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOD FSCFG
with: Default access = Deny

Remark:
Tasks with the comment "if required" are omitted if they have already been carried out in another step.


1 Task Procedures (TP)


Cancel an access control initiator group

TP-120

1 DISP ACRULE: Initiator group
2 Is the Access Control Initiator Group referenced by a rule?
  N: continue with step 5
  Y: continue with step 3
3 CAN ACRULE: Rule
  Alternatively, the rule can be modified with MOD ACRULE in such a way that it no longer references the Access Control Initiator Group to be canceled.
4 Was that the last referencing rule?
  N: repeat for the next referencing rule
5 CAN ACINIGRP: Initiator group


Deleting an access control target group

TP-122

1 DISP ACRULE: Target group
2 Is the target group subject to a rule?
  N: continue with step 5
3 CAN ACRULE: Rule
  Alternatively, the rule can be modified with MOD ACRULE in such a way that it no longer applies to the target group to be deleted.
4 Was it the last applicable rule?
  N: repeat for the next applicable rule
5 CAN ACTARGRP: Target group


Delete a SAM file array (SAMAR)


Deletion is only possible if all files of the SAMAR are either empty or copied as many times as required (parameter
No. of safety copies of the CR SAMAR task) and no file is opened for data writing.

TP-195

1 DISP SAMAR: Name of SAM File Array = <samar_name>, Display action = status;
  displays (among other things) the current number of safety copies
2 DISP SAMAR: Name of SAM File Array = <samar_name>, Display action = attr;
  displays (among other things) the required number of safety copies
3 Were the required number of safety copies made or are the files empty?
  Y: CAN SAMAR: Name of SAM File Array = <samar_name>;
  Otherwise: Make a safety copy (file transfer via FTP with the appropriate Transfer mode)


Deleting a file security initiator group

TP-196

1 DISP FSRULE: Initiator group
2 Is the File Security Initiator Group referenced by a rule?
  N: continue with step 5
  Y: continue with step 3
3 CAN FSRULE: Rule
  Alternatively, the rule can be modified with MOD FSRULE in such a way that it no longer references the File Security Initiator Group to be canceled.
4 Was that the last referencing rule?
  N: repeat for the next referencing rule
5 CAN FSINIGRP: Initiator group


Deleting a file security file group

TP-197

1 DISP FSRULE: File group
2 Is the File Security File Group referenced by a rule?
  N: continue with step 5
3 CAN FSRULE: Rule
  Alternatively, the rule can be modified with MOD FSRULE in such a way that it no longer references the File Security File Group to be canceled.
4 Was that the last referencing rule?
  N: repeat for the next referencing rule
5 CAN FSFGRP: File group
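
The four group-removal procedures (TP-120, TP-122, TP-196, TP-197) share one shape: resolve every rule that references the group, then cancel the group. The Python sketch below is an added illustration, not part of the manual or of the product. The rule model, the step tuples and the sample names are assumptions, and preferring a modification when a rule still lists other groups is a policy chosen here so that those groups keep their access once Default access = Deny is in force.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:                      # assumed model of an ACRULE / FSRULE entry
    name: str
    initiator_groups: tuple      # the rule's "Initiator group list"
    target_groups: tuple         # "Target group list" (or "File group list")

def plan_group_removal(rules, group, kind="initiator"):
    """Ordered steps: resolve every referencing rule, cancel the group last."""
    field = "initiator_groups" if kind == "initiator" else "target_groups"
    steps = []
    for rule in rules:           # corresponds to DISP ...RULE filtered by group
        members = getattr(rule, field)
        if group not in members:
            continue
        remaining = tuple(g for g in members if g != group)
        if remaining:
            # Policy chosen for this example: other groups still use the rule,
            # so modify it (MOD) rather than cancel it and drop their access.
            steps.append(("MOD_RULE", rule.name, field, remaining))
        else:
            steps.append(("CAN_RULE", rule.name))
    steps.append(("CAN_GROUP", group))   # only after the last referencing rule
    return steps

def apply_plan(rules, steps):
    """Apply the rule steps to a copy of the rule set and return the result."""
    by_name = {r.name: r for r in rules}
    for step in steps:
        if step[0] == "CAN_RULE":
            del by_name[step[1]]
        elif step[0] == "MOD_RULE":
            by_name[step[1]] = replace(by_name[step[1]], **{step[2]: step[3]})
    return list(by_name.values())

def dangling_references(rules, group):
    """Names of rules that still mention the group in either list."""
    return [r.name for r in rules
            if group in r.initiator_groups or group in r.target_groups]

# Constructed sample rule set (group and rule names are invented).
RULES = [
    Rule("R1", ("OPERATORS",), ("ALARMS",)),
    Rule("R2", ("OPERATORS", "SECADMIN"), ("ACCONFIG",)),
    Rule("R3", ("SECADMIN",), ("FILES",)),
]

if __name__ == "__main__":
    plan = plan_group_removal(RULES, "OPERATORS")
    for step in plan:
        print(step)
    print(dangling_references(apply_plan(RULES, plan), "OPERATORS"))
```

Running `dangling_references` on the live rule list before the final group cancellation is the same check as the "Was that the last referencing rule?" decision in each procedure.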
