OM Security (SRAN10.1 02)
Issue 02
Date 2015-05-15
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: [email protected]
Contents
2 Overview
3 Technical Description
3.1 OMCH Security
3.1.1 SSL-Encrypted Transmission
3.1.2 Management Plane IP Address Isolation
3.2 Web Security
3.2.1 Overview
3.2.2 User Authentication
3.2.3 HTTPS-based Data Transmission
3.2.4 Anti-attack
3.2.5 Rights Control
3.3 User Management
3.3.1 Overview
3.3.2 Login Authentication
3.3.3 User Rights Control
3.3.4 Login Password Policy
3.3.5 Simultaneous Online User Number Management
3.3.6 Southbound Interface Access Management
3.3.7 FTP User Management
3.4 Sensitive Personal Data Security
3.4.1 User Data Anonymization
3.4.2 Sensitive Personal Data Protection
3.5 Security Management of Configuration Files
3.5.1 Overview
3.5.2 Application Scenario
3.5.3 Configuration File Encryption
3.6 Digital Signature-based Software Integrity Protection
3.6.1 Definition
3.6.2 Application Scenarios
3.6.3 Digital Signature
3.7 Time Security
3.7.1 SNTP Security for the Base Station Controller/eCoordinator
3.7.2 NTP Security Authentication for the Base Station
3.8 Security Alarms, Events, and Logs
3.8.1 Overview
3.8.2 Security Alarms and Events
3.8.3 Security Logs and Security Audit
3.9 OMU Anti-attack
3.10 Security Policy Level Configuration
4 Engineering Guidelines
4.1 OMCH Security
4.2 Web Security
4.2.1 When to Use Web Security
4.2.2 Deployment
4.3 User Management
4.3.1 When to Use User Management
4.3.2 Deployment
4.4 User Data Anonymization
4.5 Security Management of Configuration Files
4.5.1 When to Use Security Management of Configuration Files
4.5.2 Deployment
4.6 Digital Signature-based Software Integrity Protection
4.7 Time Security
4.7.1 When to Use Time Security
4.7.2 Deployment of SNTP Security for the Base Station Controller/eCoordinator
4.7.3 Deployment of NTP Security Authentication for the Base Station
4.8 Security Alarms, Events, and Logs
4.9 OMU Anti-attack
4.9.1 When to Use OMU Anti-Attack
4.9.2 Required Information
4.9.3 Deployment
4.10 Security Policy Level Configuration
5 Parameters
6 Counters
7 Glossary
8 Reference Documents
1.1 Scope
This document describes operation and maintenance (O&M) security, including its technical
descriptions, engineering guidelines, and parameters.
Co-MPT multimode base station: A co-MPT multimode base station refers to a base station deployed with UMPT_GU, UMDU_GU, UMPT_GL, UMDU_GL, UMPT_GT, UMDU_GT, UMPT_UL, UMDU_UL, UMPT_UT, UMDU_UT, UMPT_LT, UMDU_LT, UMPT_GUL, UMDU_GUL, UMPT_GUT, UMDU_GUT, UMPT_ULT, UMDU_ULT, UMPT_GLT, UMDU_GLT, UMPT_GULT, or UMDU_GULT, and it functionally corresponds to any combination of eGBTS, NodeB, and eNodeB. For example, a co-MPT multimode base station deployed with UMPT_GU functionally corresponds to the combination of eGBTS and NodeB.
Unless otherwise specified, the descriptions and examples for the UMPT in a co-MPT base
station are applicable to the UMDU in a co-MPT base station.
SRAN10.1 02 (2015-05-15)
This issue includes the following changes.
Feature change: Added the user local login alarm on the base station. For details, see 3.3.2 Login Authentication. Parameter change: None.
SRAN10.1 01 (2015-03-23)
This is the first official release. This issue does not include any changes.
The LampSite base stations described in this document refer to distributed base stations that
provide indoor coverage. These base stations work in UMTS or LTE mode but not in GSM
mode.
The micro base stations described in this document refer to all integrated entities that work in
UMTS or LTE mode but not in GSM mode. Descriptions of boards, cabinets, subracks, slots,
and RRUs do not apply to micro base stations.
Micro base station covered by this document: BTS3902E (UMTS)
NOTE
The co-MPT and separate-MPT applications are irrelevant to single-mode micro base stations.
The BTS3902E does not support any new and enhanced features or functions in SRAN10.1. For
details, see 1.3 Change History.
2 Overview
Table 2-1 lists the O&M security measures supported by Huawei network elements (NEs) in
SRAN9.0.
Operation and maintenance channel (OMCH) security: √ √ √ √ √ √
Web security: √ √ √ √ √ √
User management: √ √ √ √ √ √
Digital signature-based software integrity protection: √ √ √ √ √ √
Time security: √ √ √ √ √ √
OMU anti-attack: √ √ - - - -
NOTE
In this document, MBSC is called the base station controller, and eGBTS, NodeB, eNodeB and MBTS are
collectively referred to as the base station. For details about O&M security measures for the GBTS, see
GBTS Equipment and OM Security Feature Parameter Description.
3 Technical Description
3.1 OMCH Security
3.1.1 SSL-Encrypted Transmission
Data transmitted over OMCHs is secured using Secure Sockets Layer (SSL).
SSL is a cryptographic protocol designed to secure communication over the Internet. SSL at the
transport layer supports only TCP. As shown in Figure 3-1, SSL works between the transport
layer and the application layer. It secures data transmission for various application protocols,
such as Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP).
SSL protects transmitted data against eavesdropping, tampering, and forging using encryption,
integrity protection, and identity authentication.
- Encryption
  With SSL, the sender encrypts data at the application layer before transmission and the receiver decrypts the received data. In this manner, data is transmitted as ciphertext, preventing eavesdropping.
  SSL supports multiple standard encryption algorithms, such as Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Rivest Cipher 4 (RC4).
- Integrity protection
  SSL uses a hash function to generate a digital signature for the data to be transmitted. The receiver then checks the digital signature to determine whether the data was tampered with during transmission.
  SSL supports multiple standard hash algorithms, such as Secure Hash Algorithm 1 (SHA-1).
- Identity authentication
  SSL supports certificate-based authentication. The communicating parties authenticate the digital certificates of each other before establishing an SSL connection.
Huawei equipment supports SSL versions SSL3.0, TLS1.0, TLS1.1, and TLS1.2. The SSL
version to be used can be negotiated with the peer party. The SSL version used is always TLS1.2
in SRAN8.0 or later and TLS1.1 in SRAN7.0 or earlier. During SSL negotiation, NEs choose a
supported SSL version from the list provided by the U2000.
The FTP connection between the base station controller, eCoordinator, or base station and the
U2000 is based on SSL. FTP files on the U2000 can be encrypted using SSL and then transmitted
in ciphertext format. For details about SSL application to FTP, see SSL Feature Parameter
Description.
NOTE
Currently, SSL 2.0 cannot be used. In addition, encryption and plaintext algorithms whose lengths are
shorter than 64 bits cannot be used.
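The version floor (TLS 1.2 on SRAN8.0 and later) and the exclusion of SSL 2.0 and short-key algorithms described above can be enforced and audited on the client side before any OMCH, SSL-based FTP, or WebLMT connection is opened. The following Python example is added to this document and is not Huawei code or a product setting; it uses only the standard ssl module, and the cipher string and the WEAK_MARKERS list are this example's own choices (the markers cover RC4, DES/3DES, MD5, NULL and anonymous suites).

```python
import ssl

# Name fragments that identify cipher suites an O&M client should never offer:
# RC4, single/triple DES, MD5 integrity, NULL encryption, export-grade and
# anonymous (unauthenticated) key exchange. Constructed list for this example.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def build_hardened_client_context():
    """Client context for an O&M connection: TLS 1.2 or later only, AEAD suites
    with forward secrecy, and mandatory certificate verification (the SSL
    'identity authentication' step described above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Refuses SSL 3.0, TLS 1.0 and TLS 1.1 during negotiation; SSL 2.0 is never
    # offered by the ssl module at all.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Example cipher string, not a product default: AEAD suites only, and the
    # legacy algorithms named in the NOTE above explicitly excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def weak_ciphers(ctx, min_bits=128):
    """Return the names of suites the context would still offer that either
    fall below min_bits of symmetric strength or carry a weak-algorithm marker.
    An empty list means the context is clean."""
    flagged = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite["alg_bits"] < min_bits or any(m in name for m in WEAK_MARKERS):
            flagged.append(name)
    return flagged


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def audit_report(ctx):
    """Summary a practitioner would log before rolling a client configuration out."""
    return {
        "minimum_version": minimum_version_name(ctx),
        "suites": len(ctx.get_ciphers()),
        "weak": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    print(audit_report(build_hardened_client_context()))
```

The audit step is the part worth keeping: a cipher string is only as good as the OpenSSL build behind it, so checking get_ciphers() after set_ciphers() confirms what will actually be offered on the wire rather than what was requested.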
3.1.2 Management Plane IP Address Isolation
You can run the SET OMCONNPOLICY command to enable this function. If the GTRANSPARA.ONLYOMIP parameter is set to ENABLE(Enable) and the management plane IP address is configured, the OMCH between the U2000 and the base station must be established using the management plane IP address.
3.2 Web Security
3.2.1 Overview
A user can access the base station controller, eCoordinator, or base station to perform O&M
with a WebLMT. The WebLMT is an HTTP/HTTPS-based web application that takes the
following measures to ensure O&M security:
- User authentication
  Local user: Information of local users is stored and authenticated on the base station controller and the eCoordinator.
  Domain user: Domain users are managed by the U2000. User information is stored and authenticated on the U2000.
- A user must input a verification code after inputting the user name and password. The verification code is an image randomly generated by the web server.
- If a user fails to log in to the WebLMT after several consecutive attempts, the account will be locked and then automatically unlocked after a certain period of time. The PWDPOLICY.MaxMissTimes(BSC6900,BSC6910,NodeB) parameter specifies the maximum number of login attempts allowed and the PWDPOLICY.AutoUnlockTime(BSC6900,BSC6910,NodeB) parameter specifies the duration for which the account is locked. The two parameters can be configured. If no operation is performed within a specified period of time, the WebLMT GUI will be automatically locked. GUI unlock authentication is implemented on the base station controller. If the user cannot unlock the GUI after multiple attempts, the current session will be locked for another 30 minutes.
NOTE
As of SRAN8.0, the default policy for logging in to the WebLMT changed from compatibility mode to
forcible HTTPS mode.
In compatibility mode, the policy for logging in to the WebLMT is determined by the protocol (HTTP or
HTTPS) entered in the Internet Explorer address box.
3.2.4 Anti-attack
The web server has been reinforced to prevent the impacts of various attacks. The following
types of attacks have been taken into consideration before delivery:
3.3 User Management
3.3.1 Overview
User management implements authentication and access control on users who log in to an NE
to perform O&M. Authentication identifies users, and access control defines and restricts the
operations that users can perform and the resources they can access.
A domain user can also log in to the WebLMT to access an NE. In this case, the NE forwards
login authentication information to the U2000, which then authenticates the user.
As of SRAN8.0, challenge-response authentication has been used to enhance user login security.
NOTE
- A validity period can be set for a user account. After the period elapses, login using the account is not allowed. Administrators can modify validity periods of accounts.
- Permissible access time ranges can be set for a user account. The ranges include validity date ranges, time ranges, and week restrictions. Login is not allowed beyond the permissible access time ranges.
Disabled or locked user accounts cannot be used for login. The identities of locked user accounts
cannot be checked.
Monitoring Users
The U2000 allows users to query information about online local and domain users and monitor
their status (login or logout). The U2000 can monitor all operations of specified online users.
When detecting that users are forcibly logged out, the U2000 disconnects the management
connections from the users.
The base station controller, eCoordinator, and base station determine the users to be monitored
according to the commands from the U2000 and report the results to the U2000.
To ensure security, the base station generates an alarm to notify the U2000 and the north-bound system of a local login in real time. The north-bound system can subscribe to the alarm and check the local login information immediately after receiving it.
Only the base station supports the user local login alarm.
- The rights of Administrator(s), Operator(s), User(s), and Guest(s) to use command groups are fixed.
- The rights of Custom(s) to use command groups are defined depending on actual requirements.
A command group is a group of commands that have the same attributes. For example, the G_8
command group consists of commands used to query equipment data, including the DSP
BRD and DSP BRDVER commands. The LST CCG command can be used to query the specific
commands in a command group.
To query accounts that are authorized to execute a command, perform the following steps:
1. Run the LST CMDVEST command to query the default and user-defined command groups
that contain a target command.
2. Run the LST OP command to query the accounts that are authorized to execute these
command groups.
Table 3-3 lists the mapping between user levels and command groups on base station controllers.
Table 3-3 Mapping between user levels and command groups on base station controllers
Administrator(s): G_0&G_1&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14
Operator(s): G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14
User(s): G_0&G_2&G_4&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14
Guest(s): G_0&G_2&G_4&G_6&G_8&G_13
Table 3-4 lists the mapping between user levels and command groups on eCoordinators.
Table 3-4 Mapping between user levels and command groups on eCoordinators
Administrator(s): G_0&G_1&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12
Operator(s): G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12
User(s): G_0&G_2&G_4&G_6&G_7&G_8&G_9&G_10&G_11&G_12
Guest(s): G_0&G_2&G_4&G_6&G_8
Table 3-5 lists the mapping between user levels and command groups on base stations.
Table 3-5 Mapping between user levels and command groups on base stations
Administrator(s): G_0&G_1&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_10&G_11&G_12&G_13&G_14&G_15&G_16&G_17&G_18&G_19&G_20&G_21
Operator(s): G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_10&G_11&G_12&G_13&G_16&G_17&G_18&G_19&G_20&G_21
User(s): G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_10&G_11&G_12&G_13&G_16&G_17&G_18&G_19&G_20&G_21
Guest(s): G_0&G_2&G_4&G_6&G_8&G_10&G_12&G_16&G_18&G_20
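The two-step query above (LST CMDVEST to find the command groups containing a command, then LST OP to find the accounts holding those groups) reduces to a set intersection between a command's groups and each level's groups. The following Python example is added to this document and is not Huawei code; it transcribes Table 3-3 in the document's own G_a&G_b notation, uses the G_8 membership the text gives (DSP BRD and DSP BRDVER), and adds one constructed command (SET EXAMPLEPOLICY placed in G_1) purely to show a command that only administrators may run. The custom_excess_groups check goes slightly beyond the text: it compares a Custom account's groups against a fixed level, which is a useful review step when tailored roles are created.

```python
# Fixed user levels, least privileged first (the four fixed levels named above).
LEVEL_ORDER = ("Guest", "User", "Operator", "Administrator")

# Table 3-3 (base station controllers) in the document's own notation.
BSC_TABLE = {
    "Administrator": "G_0&G_1&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14",
    "Operator": "G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14",
    "User": "G_0&G_2&G_4&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14",
    "Guest": "G_0&G_2&G_4&G_6&G_8&G_13",
}

# Command-group membership. G_8 is as the text states; the G_1 entry and its
# command name are constructed for this example and are not real MML.
COMMAND_GROUPS = {
    "G_8": {"DSP BRD", "DSP BRDVER"},
    "G_1": {"SET EXAMPLEPOLICY"},
}


def parse_level_groups(table):
    """Turn 'G_0&G_1&...' strings into sets of group names per level."""
    return {level: set(groups.split("&")) for level, groups in table.items()}


def groups_containing(command, command_groups=COMMAND_GROUPS):
    """Step 1 (what LST CMDVEST answers): the groups that contain the command."""
    return {group for group, cmds in command_groups.items() if command in cmds}


def authorized_levels(command, table=BSC_TABLE, command_groups=COMMAND_GROUPS):
    """Step 2 (what LST OP answers for the fixed levels): every level that
    holds at least one group containing the command."""
    needed = groups_containing(command, command_groups)
    return {level for level, groups in parse_level_groups(table).items() if groups & needed}


def can_execute(level, command, table=BSC_TABLE, command_groups=COMMAND_GROUPS):
    """The check an NE performs before running a command for a logged-in user."""
    return level in authorized_levels(command, table, command_groups)


def lowest_level_for(command, table=BSC_TABLE, command_groups=COMMAND_GROUPS):
    """Least-privileged fixed level that may run the command, or None if no
    group contains it (for example a mistyped command name)."""
    for level in LEVEL_ORDER:
        if can_execute(level, command, table, command_groups):
            return level
    return None


def custom_excess_groups(custom_groups, reference_level, table=BSC_TABLE):
    """Groups a Custom account holds that the reference fixed level does not:
    a quick review that a tailored role has not quietly gained administrator groups."""
    return set(custom_groups) - parse_level_groups(table)[reference_level]


if __name__ == "__main__":
    print("DSP BRD ->", sorted(authorized_levels("DSP BRD")))
    print("SET EXAMPLEPOLICY ->", sorted(authorized_levels("SET EXAMPLEPOLICY")))
    print("custom vs Operator ->", custom_excess_groups({"G_0", "G_2", "G_1"}, "Operator"))
```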
Users can perform operations only after a successful login. All user operations are monitored
and operation permission is controlled. All operations must be classified according to permission
levels.
Before users operate NEs and objects, or run commands, the system checks their operation
permission levels to determine whether the operations are allowed. When users perform
operations beyond their permission, the system prompts them with a message, indicating that
the operations cannot be performed.
User permission information is stored on servers. After users successfully log in to the clients, the servers send user permission lists to the clients. The user permission lists remain stored on the clients until the users log out.
The system does not allow users to run any commands beyond permissible time ranges.
If required, administrators can grant permission to a specific user. If users attempt to access base
station controllers beyond the permissible time range, the base station controllers and
eCoordinators refuse to perform user authentication. If users use expired passwords for login,
the system forces users to change their passwords. Administrators can cancel password
expiration policies.
Resetting Interval of Account Lock Counter
  Meaning: Interval between two incorrect password inputs. If a user inputs the password incorrectly for x times (x can be configured) and the interval between any two consecutive incorrect inputs is smaller than the value specified by this parameter, the user account is locked.
  Value range: 1 to 60
  Unit: minute
New Password Repeat Limit
  Meaning: How many previous passwords the current password must be different from.
  GUI value range: 1 to 10
Must Modify Password When First Login Switch
  Meaning: Whether the system forces a user to change the initial password. If this parameter is set to ON(ON), the system forces a user who logs in to an NE using the initial password to change the password.
  Value range: OFF(OFF), ON(ON)
Weak Dictionary Check Switch
  Meaning: Whether the system checks the password against the weak password dictionary.
  Value range: OFF(OFF), ON(ON)
MML Example
On the base station controller or eCoordinator, run the following command to configure a
password policy:
SET PWDPOLICY: PWDMINLEN=8, COMPLICACY=LOWERCASE-1&UPPERCASE-1&DIGIT-1,
MAXMISSTIMES=3, AUTOUNLOCKTIME=30, RESETINTERVAL=5, MAXVALIDDATES=90,
MAXPROMPTDATES=10, HISTORYPWDNUM=5, MaxRepeatCharTimes=2,
FirstLoginMustModPWD=OFF,DICTCHKSW=ON;
On the base station, run the following command to configure a password policy:
SET PWDPOLICY: PWDMINLEN=8, COMPLICACY=LOWERCASE-1&DIGIT-1, MAXMISSTIMES=3, AUTOUNLOCKTIME=30, RESETINTERVAL=5, PASSREPLMT=5, MAXPERIOD=30, MINPERIOD=1440, PWDEXPRT=10, FirstLoginMustModPWD=OFF, MAXREPEATCHARTIMES=2, DICTCHKPWD=OFF, MAXCCUN=1;
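The parameters in the base station controller example above define two separate mechanisms: a password acceptance check (PWDMINLEN, COMPLICACY, MaxRepeatCharTimes, HISTORYPWDNUM, DICTCHKSW) and an account lockout counter (MAXMISSTIMES, RESETINTERVAL, AUTOUNLOCKTIME, whose meanings are given in the parameter descriptions above). The following Python example is added to this document and is not Huawei code or the NE's implementation; it parses that MML command and applies both mechanisms to constructed inputs. The weak-password dictionary is a constructed stand-in, and the reading of MaxRepeatCharTimes as "no character may repeat more than this many times in a row" is an assumption, since the page does not define it.

```python
import re

# The base station controller MML example from the text, verbatim.
SAMPLE_CMD = ("SET PWDPOLICY: PWDMINLEN=8, COMPLICACY=LOWERCASE-1&UPPERCASE-1&DIGIT-1, "
              "MAXMISSTIMES=3, AUTOUNLOCKTIME=30, RESETINTERVAL=5, MAXVALIDDATES=90, "
              "MAXPROMPTDATES=10, HISTORYPWDNUM=5, MaxRepeatCharTimes=2, "
              "FirstLoginMustModPWD=OFF,DICTCHKSW=ON;")

# Constructed stand-in for the NE's weak password dictionary.
WEAK_DICT = {"password", "admin", "huawei", "12345678", "qwerty123"}


def parse_mml(cmd):
    """Split 'CMD: K=V, K=V;' into (command, {KEY: value}); keys are upper-cased
    because the MML example mixes cases (MaxRepeatCharTimes, DICTCHKSW)."""
    head, _, body = cmd.partition(":")
    params = {}
    for item in body.strip().rstrip(";").split(","):
        key, _, value = item.strip().partition("=")
        if key:
            params[key.strip().upper()] = value.strip()
    return head.strip(), params


def _count_class(cls, pw):
    if cls == "LOWERCASE":
        return sum(c.islower() for c in pw)
    if cls == "UPPERCASE":
        return sum(c.isupper() for c in pw)
    if cls == "DIGIT":
        return sum(c.isdigit() for c in pw)
    return sum(not c.isalnum() for c in pw)  # any other class treated as special characters (assumption)


def check_password(pw, policy, history=(), weak_words=WEAK_DICT):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < int(policy.get("PWDMINLEN", 0)):
        problems.append("too short")
    # COMPLICACY is CLASS-count tokens joined by '&', e.g. LOWERCASE-1&UPPERCASE-1&DIGIT-1.
    for token in filter(None, policy.get("COMPLICACY", "").split("&")):
        cls, _, need = token.partition("-")
        if _count_class(cls, pw) < int(need):
            problems.append(f"needs {need} {cls}")
    max_rep = int(policy.get("MAXREPEATCHARTIMES", 0))
    if max_rep and re.search(r"(.)\1{%d,}" % max_rep, pw):  # assumed meaning: max_rep in a row
        problems.append("repeated character")
    keep = int(policy.get("HISTORYPWDNUM", 0))
    if keep and pw in list(history)[-keep:]:
        problems.append("reused password")
    if policy.get("DICTCHKSW") == "ON" and pw.lower() in weak_words:
        problems.append("weak dictionary word")
    return problems


class LockoutTracker:
    """Applies MAXMISSTIMES / RESETINTERVAL / AUTOUNLOCKTIME. Time is passed in as
    minutes (plain numbers) so the logic can be driven without a clock."""

    def __init__(self, policy):
        self.max_miss = int(policy["MAXMISSTIMES"])
        self.reset_interval = int(policy["RESETINTERVAL"])   # minutes
        self.unlock_after = int(policy["AUTOUNLOCKTIME"])    # minutes
        self._misses = {}         # user -> (consecutive failures, minute of last failure)
        self._locked_until = {}   # user -> minute at which the lock expires

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, float("-inf"))

    def record_failure(self, user, now):
        """Register one wrong password at minute `now`; True if the account is locked."""
        if self.is_locked(user, now):
            return True
        count, last = self._misses.get(user, (0, None))
        if last is not None and now - last >= self.reset_interval:
            count = 0   # two failures this far apart do not count as consecutive
        count += 1
        if count >= self.max_miss:
            self._locked_until[user] = now + self.unlock_after
            self._misses.pop(user, None)
            return True
        self._misses[user] = (count, now)
        return False

    def record_success(self, user):
        self._misses.pop(user, None)


COMMAND, POLICY = parse_mml(SAMPLE_CMD)

if __name__ == "__main__":
    print(COMMAND, POLICY)
    print(check_password("password", POLICY))
```

Note that the lockout counter is per account and time-windowed: three failures spread more than RESETINTERVAL minutes apart never lock the account, while three within the window do, for AUTOUNLOCKTIME minutes. That is exactly the behaviour the "Resetting Interval of Account Lock Counter" description specifies, and it is worth testing in this isolated form before trusting it on an NE.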
- The system forces users to change their passwords when passwords expire.
- When users first use default or factory passwords, which are automatically allocated by the system, the system forces users to change the passwords.
- The system prompts users to change their passwords before the passwords expire. If passwords are not changed after expiration, users cannot log in to the system, but the passwords can be modified or changed on the U2000. Administrators can disable password expiration policies on the U2000.
3.3.5 Simultaneous Online User Number Management
Implementation
Simultaneous online user number management is used to control the maximum login instances
of a user on an NE, thereby ensuring that multiple users can concurrently log in to an NE. Without
this function, one or more users may repeatedly log in to an NE and do not log out, preventing
other local users from login when the number of allowed online instances reaches the maximum
and affecting the O&M of the NE.
This function is configured using the SET USRMAXONLINE command, in which
Configuration Type can be set to any of the following values:
- LOCAL_USER_GENERAL(General configuration of local users): The maximum number of online instances is set to the same value for all local users. For example, when Max Users Online is set to 3, a new login request from any local user who already has three online instances is denied.
  This configuration does not change the Max Users Online setting of a local user specified in SPECIFIED_LOCAL_USER(Configuration of a specified local user).
- SPECIFIED_LOCAL_USER(Configuration of a specified local user): The maximum number of online instances is specific to a local user. For that local user, this configuration takes precedence over the preceding general configuration.
- DOMAIN_USER_GENERAL(General configuration of domain users): The maximum number of online instances is set to the same value for all domain users. For example, when Max Users Online is set to 3, a new login request from any domain user who already has three online instances is denied.
- RESTORE_ALL_LOCAL_USER(Restore to general for all local users): The maximum number of online instances for all local users reverts to the value specified in the general configuration for local users.
- RESTORE_SPECIFIED_LOCAL_USER(Restore to general for one local user): The maximum number of online instances for a local user reverts to the value specified in the general configuration for local users.
The LST USRMAXONLINE command can be used to query the configurations, including
general configuration for local users, general configuration for domain users, and configuration
for a specified local user.
- Set the maximum number to 1 for users of the administrator level, including the admin user, thereby enhancing system security.
- Set the maximum number based on the number of admitted terminals and tools for accounts used by the terminals or tools.
In addition to the per-user limit, the login system also restricts the total number of online instances across all online users. When the total number of online instances of all online users reaches the upper limit, other users cannot log in until an online instance logs out.
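The precedence rules above (a specified-user setting overrides the general local-user setting, the restore types return to the general value, and an NE-wide total applies on top of the per-user limits) are easy to get wrong in an admission check. The following Python example is added to this document and is not Huawei code; it models the five Configuration Type values of SET USRMAXONLINE and the LST USRMAXONLINE query, and admits or denies logins accordingly. The NE-wide total limit value used is constructed, since the page gives no default for it.

```python
class OnlineUserLimits:
    """Models SET USRMAXONLINE / LST USRMAXONLINE on one NE: per-user online
    instance limits with the precedence described above, plus the NE-wide cap
    on the total number of online instances. Added example, not NE code."""

    def __init__(self, total_max):
        self.total_max = total_max      # NE-wide limit; the value is constructed, not a product default
        self.local_general = None       # LOCAL_USER_GENERAL (None = not configured, no per-user cap)
        self.domain_general = None      # DOMAIN_USER_GENERAL
        self.local_specific = {}        # SPECIFIED_LOCAL_USER: user -> Max Users Online
        self.sessions = {}              # user -> current number of online instances

    def configure(self, config_type, max_online=None, user=None):
        """Apply one SET USRMAXONLINE with the given Configuration Type."""
        if config_type == "LOCAL_USER_GENERAL":
            self.local_general = max_online      # leaves SPECIFIED_LOCAL_USER entries untouched
        elif config_type == "DOMAIN_USER_GENERAL":
            self.domain_general = max_online
        elif config_type == "SPECIFIED_LOCAL_USER":
            self.local_specific[user] = max_online
        elif config_type == "RESTORE_ALL_LOCAL_USER":
            self.local_specific.clear()          # every local user reverts to the general value
        elif config_type == "RESTORE_SPECIFIED_LOCAL_USER":
            self.local_specific.pop(user, None)  # one local user reverts to the general value
        else:
            raise ValueError(f"unknown Configuration Type: {config_type}")

    def query(self):
        """What LST USRMAXONLINE would report."""
        return {"local_general": self.local_general,
                "domain_general": self.domain_general,
                "local_specific": dict(self.local_specific)}

    def limit_for(self, user, is_domain=False):
        """Effective Max Users Online: the specified-user value wins for local users."""
        if is_domain:
            return self.domain_general
        return self.local_specific.get(user, self.local_general)

    def total_online(self):
        return sum(self.sessions.values())

    def login(self, user, is_domain=False):
        """Admit or deny one login; returns (admitted, reason)."""
        if self.total_online() >= self.total_max:
            return False, "NE-wide online instance limit reached"
        limit = self.limit_for(user, is_domain)
        if limit is not None and self.sessions.get(user, 0) >= limit:
            return False, f"{user} already has {limit} online instance(s)"
        self.sessions[user] = self.sessions.get(user, 0) + 1
        return True, "admitted"

    def logout(self, user):
        if self.sessions.get(user, 0) > 0:
            self.sessions[user] -= 1


if __name__ == "__main__":
    ne = OnlineUserLimits(total_max=5)
    ne.configure("LOCAL_USER_GENERAL", max_online=3)
    ne.configure("SPECIFIED_LOCAL_USER", max_online=1, user="admin")  # the recommendation above
    print(ne.login("admin"), ne.login("admin"))
    print(ne.query())
```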
NOTE
The trace server (TS) is a subsystem of the U2000 and uses the U2000's identity credentials to access NEs.
Generally, the identity credentials do not distinguish between the U2000 and TS in NE logs, but
EMSCOMMTS is used to identify the TS in some MBTS logs.
The password for the account must be consistent between an NE and the NMS (either the U2000 or NetEco); otherwise, the NE cannot connect to the NMS.
U2000
The U2000 can configure separate EMSCOMM passwords for different NEs. In SRAN8.0 and
later versions, the EMSCOMM password on an NE and the U2000 can be simultaneously
changed by choosing Security > Modify Password of OM Connection Administration on the
U2000.
When an NE is disconnected from the U2000 (for example, when the NE replaces its boards),
and the cause of the disconnection alarm is displayed as login failure on the U2000, perform the
following steps:
- On the NE side
  - Use a local administrator account to log in to the LMT of the NE by using the U2000 proxy.
  - Run the MOD OP command to change the EMSCOMM password on the NE.
- On the U2000 side
  - Select the NE on the U2000 topology.
  - Right-click, choose NE Properties from the shortcut menu, and then specify Account for Logging In to NE in the displayed window.
NetEco
The NetEco can configure separate EMSCOMMNETECO passwords for different NEs. To
change the EMSCOMMNETECO password for an NE, perform the following steps:
3.3.7 FTP User Management
- FtpUsr: Uses a third-party FTP client to log in to the FTP server on the NE and then upload or download information about the NE.
- U2000 user: Uploads or downloads data between the NE and the U2000.
- FtpUsr: The MOD FTPPWD command can be used to change the password, but the password policy does not take effect on this user.
- U2000 user: The password can be changed on the U2000 GUI, but the password policy does not take effect on this user.
SRAN8.0 and later versions have the following enhancements to user management:
- When an FtpUsr changes the password, the base station controller checks the password
complexity according to the configured password policy. The base station does not check
the complexity of the password input by the user during software installation. Instead, the
user, when logging in to the FTP server, is prompted with a message indicating that the
password complexity is lower than the current configuration and must be changed.
However, the user can still use the password to log in to the FTP server without interrupting
the current FTP connection. The user will be forced to change the password to meet the
password complexity requirements after a specified period of time. When a U2000 user
changes the password, the base station controller checks the password complexity
according to the configured password policy. However, if a U2000 user fails to log in to
the FTP server, the base station controller does not lock the account but reports a security
alarm. This is because the password is used to secure data transmission over the southbound
interface, which connects the U2000 to the base station controller.
3.4.2 Sensitive Personal Data Protection
1. Specifying and logging the causes for starting system tasks that involve sensitive personal
data. The tasks mainly include:
a. Trace tasks
b. Emergency diagnosis tasks
c. Port mirroring tasks
2. Periodically deleting system files that contain sensitive personal data. These files mainly
include:
a. CHR and MR files
b. Trace files
The interval at which such files are automatically deleted can be defined by users.
3.5.1 Overview
The configuration data contains some security-sensitive data, such as keys and passwords. This
security-sensitive data is encrypted before being stored in the system database. When the
configuration data is exported to a configuration file, the configuration file can be encrypted by
setting a password.
If the configuration data is not encrypted when being exported to a configuration file, the
configuration file may contain security-sensitive fields. In this case, the operator must store the
configuration file properly and then delete the security-sensitive fields immediately to avoid
information leakage.
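The instruction to delete the security-sensitive fields from an unencrypted export is easy to get wrong by hand. The following Python block is an added example, not Huawei code: it redacts password and key fields in an exported XML configuration file and offers a check that can be run on any export before it is stored or shared. The element and attribute names in the sample file are constructed; the real NE configuration schema has its own names, so the SENSITIVE_NAME pattern must be adapted to it.

```python
"""Redact security-sensitive fields from an exported, unencrypted configuration file.

Added example, not Huawei code. The sample XML and its element names are
constructed; adapt SENSITIVE_NAME to the real configuration schema.
"""
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed name pattern: an element or attribute whose name matches is
# treated as sensitive. '\bkey\b' deliberately does not match 'KEYID'.
SENSITIVE_NAME = re.compile(r"pwd|passw|secret|\bkey\b|psk", re.IGNORECASE)
REDACTED = "***REDACTED***"


def redact_config(xml_text: str) -> Tuple[str, int]:
    """Return (redacted XML text, number of fields redacted)."""
    root = ET.fromstring(xml_text)
    count = 0
    for elem in root.iter():
        if SENSITIVE_NAME.search(elem.tag) and (elem.text or "").strip():
            elem.text = REDACTED
            count += 1
        for attr in list(elem.attrib):
            if SENSITIVE_NAME.search(attr) and elem.attrib[attr]:
                elem.set(attr, REDACTED)
                count += 1
    return ET.tostring(root, encoding="unicode"), count


def sensitive_fields_present(xml_text: str) -> bool:
    """Pre-storage check: True if any sensitive field still carries a real value."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if SENSITIVE_NAME.search(elem.tag) and (elem.text or "").strip() not in ("", REDACTED):
            return True
        for attr, value in elem.attrib.items():
            if SENSITIVE_NAME.search(attr) and value not in ("", REDACTED):
                return True
    return False


# Constructed sample export; the structure is illustrative only.
SAMPLE_CONFIG = """<NodeB>
  <OMCH ip="10.0.0.1"/>
  <OP name="admin"><PWD>S3cret!Pass</PWD></OP>
  <NTPCP AUTHMODE="NTPV3" KEY="ntp-shared-key" KEYID="1"/>
  <SNTPSRV IP="10.0.0.9" PORT="123"/>
</NodeB>"""


if __name__ == "__main__":
    redacted, n = redact_config(SAMPLE_CONFIG)
    print(f"{n} fields redacted; sensitive data left: {sensitive_fields_present(redacted)}")
    print(redacted)
```

Redaction is a stop-gap for files that were exported in plain text; the encrypted export described in the following sections is the intended path.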
l The ENCRYPTMODE and FILEPWD parameters are added to the southbound interface
commands and MML commands.
l Encryption and decryption options are added to the GUI of tools such as the U2000, CME,
and WebLMT.
The ENCRYPTMODE parameter (specifying the encryption mode) has two values:
In the event of offline transmission of a configuration file, the procedure for encrypting a
configuration file is as follows:
1. The user selects an exported configuration file to be encrypted. The system encrypts the
configuration file.
2. The configuration file is forwarded offline to the destination.
3. The user runs scripts or enters the password. The system decrypts the configuration file.
In the event of online permanent storage of configuration files, for example, online backup of
NE data on the U2000, the procedure for encrypting a configuration file is as follows:
1. The user selects the NE data to be backed up and selects the encryption option on the GUI.
2. The U2000 delivers the command to back up the NE data. The NE data is backed up on
the NE and encrypted for storage.
3. The U2000 loads the encrypted file from the NE to the system for storage.
3.6.1 Definition
Software integrity protection adds a digital signature to software by using a private key before
uploading software to the target server or NE. When a target NE downloads, loads, or runs
software, the NE authenticates the digital signature by using a matched public key. This ensures
end-to-end software reliability and integrity.
With this function, any virus or software tampering can be promptly detected. This prevents
malicious software from running on NEs.
l Software installation
l Software upgrade
l OS (DOPRA Linux or Euler Linux) upgrade
Overview
Integrity protection adopts the following two techniques:
l Hash algorithm: A one-way Hash function. A Hash algorithm converts an arbitrary data block
into a fixed-size bit string. The most commonly used Hash algorithms are Message-Digest
algorithm 5 (MD5), SHA-256, and SHA-1.
l Public key cryptography: A pair of public and private keys is used for encryption and
decryption. The two keys relate to each other and belong to the same holder. The public
key is published for use, whereas the private key is confidential.
Principles
Figure 3-2 illustrates the principles of digital signatures.
1. A Hash algorithm calculates the message digest for the files to be signed in the software
package.
2. The private key is used to encrypt the message digest.
3. The encrypted message digest is saved to a digitally signed file.
The digitally signed file is then released with the software package.
After an NE or a U2000 receives the software package, it verifies the contained digital signature.
The procedure for verifying the digital signature is as follows:
1. The same Hash algorithm calculates the message digest for the files to be verified in the
software package.
2. The public key is used to decrypt the digitally signed file to restore the message digest.
3. The restored message digest is compared with the original message digest.
If they are identical, the software was not tampered with. If they are different, the software
was tampered with.
Figure 3-3 illustrates the procedure of the Huawei software digital signature solution.
1. In the software package generation phase, SHA256 check codes are calculated for each
software component in the software package and saved to check code files. The check code
files are then digitally signed with the private key.
The check code files carry the verification information (the check codes) for the software
components and identify the algorithms that are used.
2. In the software version release phase, all software files and digitally signed files are
packaged and then uploaded to a version server, for example, http://support.huawei.com.
3. In the software version upgrade phase, when the U2000, WebLMT, or upgrade tool
downloads the software package from the version server, the U2000, WebLMT, or upgrade
tool authenticates the software package by using the public key. This is to verify the
software package authenticity.
4. Also in the upgrade phase, when the NE downloads the software package from the U2000,
WebLMT, or upgrade tool, the NE authenticates the software package by using the public
key to verify that the software has not been maliciously tampered with.
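The two-level structure of the solution (a signature over the check code file, then a SHA-256 check code per component) is shown end to end in the following Python block. It is an added example, not Huawei's implementation. To stay on the standard library, the key pair is a toy built from two fixed Mersenne primes with textbook (unpadded) RSA; production tooling uses a padded signature scheme such as RSASSA-PSS over a properly generated key. Component names and contents are constructed. Note that SHA-256, as used by the solution, is the right choice among the algorithms listed in the overview: MD5 and SHA-1 are no longer collision-resistant and should not be used for new integrity protection.

```python
"""Two-level software package check: signed SHA-256 check code file, then per-file hashes.

Added example, not Huawei's implementation. The key pair is a toy (fixed Mersenne
primes, textbook RSA) chosen so the example needs only the standard library.
"""
import hashlib
from typing import Dict, Tuple

# Toy key pair (assumption: fixed primes so the example is self-contained).
P = 2**127 - 1                       # Mersenne prime M127
Q = 2**521 - 1                       # Mersenne prime M521; N is ~648 bits, above a 256-bit digest
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (modular inverse; Python 3.8+)


def sign_digest(digest: bytes) -> int:
    """Signing step 2: transform the message digest with the private key."""
    return pow(int.from_bytes(digest, "big"), D, N)


def digest_matches_signature(signature: int, digest: bytes) -> bool:
    """Verification steps 2-3: recover the digest with the public key and compare."""
    return pow(signature, E, N) == int.from_bytes(digest, "big")


def build_check_code_file(components: Dict[str, bytes]) -> bytes:
    """Package generation phase: one 'sha256 <hex> <name>' line per software component."""
    lines = [f"sha256 {hashlib.sha256(data).hexdigest()} {name}"
             for name, data in sorted(components.items())]
    return ("\n".join(lines) + "\n").encode()


def build_signed_package(components: Dict[str, bytes]) -> dict:
    """Release phase: components, check code file, and the signature over the check code file."""
    check_file = build_check_code_file(components)
    signature = sign_digest(hashlib.sha256(check_file).digest())
    return {"components": dict(components), "check_file": check_file, "signature": signature}


def verify_package(pkg: dict) -> Tuple[bool, str]:
    """Upgrade phase: check the signature first, then every component against its check code."""
    if not digest_matches_signature(pkg["signature"], hashlib.sha256(pkg["check_file"]).digest()):
        return False, "check code file signature mismatch"
    listed = {}
    for line in pkg["check_file"].decode().splitlines():
        algo, hexdigest, name = line.split(" ", 2)
        if algo != "sha256":
            return False, f"unsupported check code algorithm {algo}"
        listed[name] = hexdigest
    if set(listed) != set(pkg["components"]):
        return False, "component list does not match the check code file"
    for name, data in pkg["components"].items():
        if hashlib.sha256(data).hexdigest() != listed[name]:
            return False, f"component {name} tampered"
    return True, "package authentic"


if __name__ == "__main__":
    demo = {"omu.bin": b"OMU software image (constructed)",
            "bbu.bin": b"BBU software image (constructed)"}
    print(verify_package(build_signed_package(demo)))
```

The ordering in verify_package matters: a tampered component fails its check code, and an attacker who recomputes the check code file to match cannot produce a signature for it without the private key, so the signature check catches that case first.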
External attackers or unauthorized internal users may tamper with the software after the OMU
software is installed. Therefore, the base station controller checks the integrity of the software
on the OMU and reports a single ALM-20723 File Loss or Damage alarm if one or more files are
damaged or lost. This alarm is cleared after all the damaged or lost files are restored.
For an OS upgrade, the U2000 or upgrade tool checks the integrity of the OS upgrade package.
For an OS driver upgrade, the driver upgrade tool checks the integrity of the OS driver package.
If the AUTHMODE parameter in the NTPCP MO is not set to PLAIN(Plain), NTP security
authentication is performed in encryption mode. The authentication procedure is as follows:
1. After calculating the checksum of NTP packets, the NTP server sends the checksum and
NTP packets to the base station.
2. The base station calculates the checksum of the received NTP packets, and compares the
calculated checksum with that in the NTP packets.
l If the checksums are identical, the NTP packets were not tampered with during
transmission and pass the NTP security authentication.
l If the checksums are different, the NTP packets were tampered with and fail the NTP
security authentication.
If the AUTHMODE parameter in the NTPCP MO is set to PLAIN(Plain), the NTP server sends
NTP packets directly to the base station without encryption, and therefore the base station does
not need to decrypt the received NTP packets.
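The "checksum" in the procedure above is, in the standard NTPv3 symmetric-key scheme (RFC 1305, carried into RFC 5905), a keyed digest: the server appends the 4-byte key ID and digest(key || 48-byte header) to each packet, and the client recomputes it with the key identified by that key ID. The following Python block is an added example, not Huawei code, showing both sides of that exchange. Which digest the base station uses is set by the Encryption Algorithm parameter; MD5, the classic NTPv3 choice, is assumed here. The key, key ID and packet contents are constructed.

```python
"""NTPv3 symmetric-key authentication: server appends a keyed digest, client verifies it.

Added example, not Huawei code. Follows the standard NTP MAC layout
(4-byte key ID + digest(key || header)); MD5 is assumed as the digest.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_ntp_header(transmit_unix_seconds: int) -> bytes:
    """Minimal server reply header: LI=0, VN=3, mode=4 (0x1C), stratum 2, GPS reference."""
    xmt = (transmit_unix_seconds + NTP_EPOCH_OFFSET) << 32   # 64-bit NTP timestamp
    return struct.pack("!BBbbIII4Q", 0x1C, 2, 6, -20, 0, 0, 0x47505300, 0, 0, 0, xmt)


def authenticate(header: bytes, key_id: int, key: bytes, algorithm: str = "md5") -> bytes:
    """Server side (step 1): send header + key ID + digest(key || header)."""
    digest = hashlib.new(algorithm, key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: Dict[int, bytes], algorithm: str = "md5") -> Tuple[bool, str]:
    """Client side (step 2): recompute the digest with the key named by the key ID and compare."""
    if len(packet) < HEADER_LEN + 4:
        return False, "no MAC present"          # what an AUTHMODE=PLAIN packet looks like
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    received = packet[HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key ID {key_id}"
    expected = hashlib.new(algorithm, key + header).digest()
    # Constant-time comparison so a mismatching digest gives no timing signal.
    if len(received) != len(expected) or not hmac.compare_digest(received, expected):
        return False, "digest mismatch: packet tampered or wrong key"
    return True, "authenticated"


if __name__ == "__main__":
    keys = {1: b"ntp-shared-key-constructed"}
    packet = authenticate(build_ntp_header(1431648000), 1, keys[1])
    print(verify(packet, keys))
```

A packet with no MAC is what the client sees under AUTHMODE=PLAIN; once NTPV3 is configured, the same packet is rejected, which is why the key ID and key must match on the NTP server and the base station before the mode is switched.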
3.8.1 Overview
The U2000 and the WebLMT manage security alarms, events, and logs. If security faults occur,
users are informed of the faults and can perform fault diagnosis according to the reported alarm
or event information. In addition, security risks and vulnerabilities can be analyzed by tracing
historical security alarms and logs.
Since SRAN7.0, user information and IP addresses can be recorded in the operation logs of
specific domain users. In versions earlier than SRAN7.0, domain users for the U2000 are not
distinguished and are collectively named EMSCOMM.
Since SRAN7.0, log tracing has been enhanced. Detailed information about the traced objects
is recorded in the tracing logs.
Table 3-8 lists the security alarms that may be reported by the base station when the related
security faults occur.
Logs record information about system security and user operations, and are classified into
operation logs of NEs and the U2000, system logs, and security logs. By querying logs, users
can obtain information about the running status, system security situation, and user operations
on NEs or the U2000. Users can also save logs as files or print them out.
Users can audit the security logs collected by the U2000 to evaluate O&M security.
Operation Logs
When commands are sent to NEs from the WebLMT or U2000, the command execution results
are saved in operation logs. The operation logs include those of the U2000 and NEs.
Operation logs record operations such as creating, modifying, querying, loading, and switching
over NEs. The operations can be performed manually by O&M personnel or started automatically
by scheduled tasks on the WebLMT or U2000.
System Logs
System logs mainly record the system running status of NEs or the U2000. System logs help
users to learn the system running status and identify causes of security faults. The system herein
refers only to Huawei-developed application systems. System logs include those of the U2000
and NEs.
l Abnormal status and actions while the system is running, such as active/standby
switchovers, storage failures, and timer expiration
l Key events during system running, such as system startup and shutdown
l Operating status of the system process, such as the process start, exit, running, and
abnormality (for example, the system process stops responding)
l Usage of system resources, such as central processing unit (CPU), memory, and hard disk
Security Logs
Security logs record information about security events.
l Events related to account login, such as user login, user logout, account locking, and account
unlocking
Security logs include those of the U2000 and NEs. Users can evaluate system security by auditing
security logs. For details, see Security Log Auditing.
Table 3-9 describes security events recorded in security logs that the base station controller/
eCoordinator can provide.
Account management event: A domain user or local user has been forced to log out after having
logged in to the base station controller.
OMU security event for changing the password of an initial account: The password of the admin
account has been changed.
Table 3-10 lists security-related operation logs that the base station controller/eCoordinator can
provide.
The LST SECLOG and LST OPTLOG commands can be used to query security logs and
operation logs, respectively.
l Log collection
Users can set log collection tasks and specify task periods to enable the U2000 to
periodically collect NE logs. Users can also set dumping and export of U2000 logs and NE
logs.
l Log query and printing
By querying logs, users can obtain information about the running status, system security
situation, and user operations of the U2000 or NEs. Users can also save logs as files or print
them out.
l Log analysis
Based on U2000 logs and NE logs collected, users can analyze such information as system
running status, security events, and operations.
Log Collection
Users can collect and dump all operation logs, security logs, and system logs of the U2000 as
well as operation logs and security logs of NEs. NEs generate and save their own system logs
and automatically report the logs to the U2000. For details, see Log Management in the U2000
product documentation.
On the WebLMT, users can query log files generated during a time range, including operation
logs and security logs. For details, see MML Command Reference.
l All O&M and configuration events: Including information about user names, O&M time,
workstation (such as its IP addresses), operations, and responses
l Operations concerning user accounts and permission levels: Including addition, deletion,
and modification
Events to be recorded in security logs are configurable, and the configuration process must be
recorded in security events that can be audited. For details about how to audit security logs, see
Log Management in the U2000 product documentation.
NOTE
The maximum number of logs that can be saved can be configured by using the SET LOGLIMIT command
on the base station controller or eCoordinator, but not on the base station.
l IP address filtering, which enables the OMU to only accept IP data streams from authorized
IP addresses and network segments
l Defending against attacks, such as ICMP ping, IP fragmentation, low time to live (TTL),
Smurf, and distributed denial-of-service (DDoS) attacks
l Defending against TCP sequence prediction attacks and synchronization (SYN) flood
attacks
l Isolating the internal network from the external network on the base station controller and
eCoordinator side: Packets whose destination IP addresses are internal IP addresses or
belong to an internal network segment cannot flow into the base station controller or the
eCoordinator through the OMU.
For a properly running network, specifying whitelisted and blacklisted IP addresses is generally
not required, and the IP addresses used for access are not restricted. Whitelisting and
blacklisting IP addresses can be used to improve the security of the base station controller and
the eCoordinator:
l Whitelist: Only the specified IP address or IP addresses in the specified network segment
can be used to access the base station controller and the eCoordinator. The IP addresses
can be specified for a particular port or for all ports. Once some IP addresses are whitelisted,
all the other IP addresses are blacklisted and cannot be used for access.
l Blacklist: The specified IP address or IP addresses in the specified network segment cannot
be used to access the base station controller and the eCoordinator. The IP addresses can be
specified for a particular port or for all ports. All IP addresses that are not blacklisted are
whitelisted.
NOTE
Table 3-11 provides a default example of the security policy configuration level template.
NOTE
Security policy level configuration invokes the batch configuration interface of an NE. Therefore, the
configuration restoration function on the CME can be used to roll back batch configuration or restore the
configurations of an NE.
4 Engineering Guidelines
4.2.2 Deployment
Requirements
None
Activation
Step 1 Run the SET PWDPOLICY command to set the password security policy for local WebLMT
users.
----End
Step 1 Run the SET WEBLOGINPOLICY command to set the policy for logging in to the WebLMT.
In this step, set Policy for login to LMT and transmission to an appropriate value.
Step 2 Run the RST OMUMODULE command to restart the WebLMT server for the configured
WebLMT login policy to take effect. In this step, set Target OMU to ACTIVE(Active
OMU) and Module Name to weblmt.
----End
NOTE
Running the RST OMUMODULE command disconnects all users from the WebLMT but does not affect
OMU services. The WebLMT server can be restarted within 5 seconds if no exception occurs during the
restart.
While the WebLMT server restarts, WebLMT clients are disconnected and therefore cannot receive the
restart command response from the WebLMT server. In addition, an error message indicating that the
command fails to be sent is displayed. Ignore this error prompt because the command was successfully
sent.
The configured WebLMT login policy takes effect only after you log out and then log back in to the
WebLMT.
You can run the LST WEBLOGINPOLICY command to query the current policy for logging in to the
WebLMT.
To configure the rights of the Custom user to access the File Manager, perform the following
steps:
Step 1 On the WebLMT GUI, click User-defined command Group to add commands and function
items to a specific command group.
Step 2 Run the ADD OP or MOD OP command with Operator Level set to Customs(Custom) and
Command Group set to the same value as that specified in Step 1.
----End
NOTE
The configured rights to access the File Manager take effect only after you log out and then log back in
to the WebLMT.
You can perform consistency check on the Current Area on the CME. If the check results need
to be delivered, create or select a planned area first.
Step 1 On the CME, choose CME > Advanced > Consistency Check > Security Policy Level (CME
client mode) to set the consistency check parameters for security policies.
Step 2 Select the NEs for which consistency check is to be performed, execute the check to generate a
check report.
Step 3 Based on the check report, correct the configurations on NEs in batches in the event of
inconsistency.
----End
Activation Observation
N/A
4.3.2 Deployment
Requirements
None
Activation
l To add a user of a predefined level, for example, Operator(s), perform the following step:
----End
l To add a user of the Custom(s) level who has the rights to use the G_22 command group
including the COL LOG command so that the user can collect log files, perform the
following steps:
Step 1 Run the SET CCGN command to configure G_22 as the command group.
Step 2 Run the ADD CCG command to add commands to the G_22 command group. In this step, add
the COL LOG command to the command group.
Step 3 Add a user of the Custom(s) level and configure the rights to use the G_22 command group for
the user.
----End
Step 1 Run the SET FTPSCLT command with The Encrypted Mode set to ENCRYPTED(SSL
Encrypted).
----End
NOTE
An FTP client refers to a module that has the FTP client function on the OMU. The SET FTPSCLT
command takes effect on all FTP clients.
After SSL encrypted transmission is configured for an FTP client, the FTP server must also be configured
with SSL encrypted transmission before running FTP-related MML commands. Otherwise, the MML
commands fail to be executed.
If the Support SSL Certificate Authentication(BSC6900,BSC6910) parameter is set to YES(Yes), a
digital certificate must be configured for the connected server. Otherwise, file upload and download fail.
For instructions on how to configure digital certificates when the U2000 functions as the FTP server, choose
Security Management > Data Management > Configuring Digital Certificates > Importing Cross
Digital Certificates > Installing a Device Digital Certificate > Activating a Device Digital
Certificate > Follow-up Procedure in the U2000 online help.
You can run the LST FTPSCLT command to query the transmission encryption mode of FTP clients.
l To configure the FTP server to use encrypted transmission, perform the following steps:
Step 1 Run the SET FTPSSRV command with Transport Encrypted Mode set to ENCRYPTED
(SSL Encrypted).
NOTE
If the FTP server is configured with the SSL encrypted transmission mode, the same mode must also be
configured for all FTP clients that access the FTP server. The detailed configuration method varies
depending on the third-party FTP client software.
Step 2 Reset the ftp_server module for the encrypted transmission mode to take effect.
1. Run the DSP OMU command to query the OMU mode. If only one result for Operational
state is displayed, the OMU works in standalone mode. If two results for Operational
state are displayed, the OMUs work in active/standby mode.
2. Run the RST OMUMODULE command to reset the ftp_server module on the active
OMU. In this step, set Module Name to ftp_server.
If the OMU works in standalone mode, the encrypted transmission mode takes effect after
you perform this step. If the OMU works in active/standby mode, go to 3.
3. Run the RST OMUMODULE command to reset the ftp_server module on the standby
OMU. In this step, set Module Name to ftp_server.
----End
l To configure the port for transmitting data over FTP, perform the following step:
Run the SET FTPSSRV command to set the value range of ports for transmitting data over
FTP. In this step, set Passive mode data port lower limit and Passive mode data port
upper limit to appropriate values.
NOTE
You can run the LST FTPSSRV command to query the encryption mode of the FTP server and the value
range of ports for transmitting data over FTP.
Activation Observation
N/A
4.5.2 Deployment
Requirements
None
Data Preparation
Table 4-1 lists MML commands used for configuration file encryption.
BKP DB Export
Activation
MML Configurations
On the WebLMT, run an MML command listed in Table 4-1 to encrypt a configuration file.
l On the U2000, select the encryption option on the window for manual or automatic data
backup.
l Select the encryption option when the CME is generating a configuration file.
l On the Web LMT, browse and activate the encrypted configuration file.
Activation Observation
l When a configuration file is exported, check whether the configuration file is encrypted by
observing the file name extension. If a configuration file is encrypted, the file name is
suffixed with .ecf. For example, the file name changes from NodeB.xml to NodeB.xml.ecf
after encryption.
l When an encrypted configuration file is imported, you can execute or browse the original
configuration file after entering the correct password.
Requirements
Parameters related to time synchronization are configured on the NTP server.
Activation
To configure the SNTP security for the base station controller/eCoordinator, perform the
following step:
Step 1 Run the ADD SNTPSRVINFO command to add the IP address and port number for the SNTP
server on the base station controller/eCoordinator and set the SNTP time synchronization
security policy.
----End
NOTE
Set Key ID, Encryption Algorithm, and Key if SNTP security is used. Based on the values of these
parameters, the base station controller/eCoordinator sends encrypted and authenticated time
synchronization requests to the SNTP server and authenticates the time synchronization responses from
the SNTP server.
You can run the LST SNTPCLTPARA command to query information about the SNTP server.
Activation Observation
NTP security is activated if the NTP parameters are correctly configured and NTP link status is
normal.
Requirements
Parameters related to time synchronization are configured on the NTP server.
Data Preparation
Table 4-2 describes key parameters that must be set in the NTPCP MO to activate NTP security
authentication.
Activation
----End
Using the CME to Perform Batch Configuration for Newly Deployed Base Stations
Enter the values of the parameters listed in Table 4-3 in a summary data file, which also contains
other data for the new base stations to be deployed. Then, import the summary data file into the
CME for batch configuration.
The summary data file may be a scenario-specific file provided by the CME or a customized
file, depending on the following conditions:
l The MO in Table 4-3 is contained in a scenario-specific summary data file. In this situation,
set the parameters in the MOs, and then verify and save the file.
l The MO in Table 4-3 is not contained in a scenario-specific summary data file. In this
situation, customize a summary data file to include the MO before you can set the
parameters.
For instructions about how to perform batch configuration for each type of base stations, see the
following sections in 3900 Series Base Station Initial Configuration Guide.
Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on
existing base stations. This method reconfigures all data, except neighbor relationships, for
multiple base stations in a single procedure. The procedure is as follows:
Step 1 After creating a planned data area, choose CME > Advanced > Customize Summary Data
File (U2000 client mode), or choose Advanced > Customize Summary Data File (CME client
mode), to customize a summary data file for batch reconfiguration.
Step 2 Export the base station data stored on the CME into the customized summary data file.
l For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS
Application > Export Data > Export Base Station Bulk Configuration Data (U2000
client mode), or choose SRAN Application > MBTS Application > Export Data > Export
Base Station Bulk Configuration Data (CME client mode).
l For separate-MPT GSM-involved multimode base stations or GO base stations: Choose
CME > GSM Application > Export Data > Export eGBTS Bulk Configuration Data
(U2000 client mode), or choose GSM Application > Export Data > Export eGBTS Bulk
Configuration Data (CME client mode).
l For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose
CME > UMTS Application > Export Data > Export Base Station Bulk Configuration
Data (U2000 client mode), or choose UMTS Application > Export Data > Export Base
Station Bulk Configuration Data (CME client mode).
l For separate-MPT LTE-involved multimode base stations or LO base stations: Choose
CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data
(U2000 client mode), or choose LTE Application > Export Data > Export Base Station
Bulk Configuration Data (CME client mode).
Step 3 In the summary data file, set the parameters in the MOs listed in Table 4-3 and close the file.
----End
Activation Observation
To verify that NTP security authentication is activated on a base station, perform the following
steps:
Step 1 Run the LST NTPC command to query the NTP configuration information. Verify that the
parameter settings in the command output are consistent with that configured in the activation
procedure.
Step 2 Run the DSP NTPC command to query the time synchronization information of the base station.
Verify that the value of Link State of Current NTP Server is Available in the command output.
Step 3 Run the LST LATESTSUCCDATE command to query the latest successful time
synchronization of the base station. Verify that the value of Latest Successful Synchronization
Time is the same as the time that time synchronization was recently performed.
----End
If all the preceding verifications are true, NTP security authentication is activated.
Reconfiguration
To change the authentication mode for a base station, run the MOD NTPC command and change
the encryption algorithm on the NTP server so that it is consistent with that on the base station.
Deactivation
N/A
Configuring the whitelist and blacklist for the IPTable function has high risks. To ensure the
normal operation of a base station controller, do not configure the whitelist or blacklist if the
network runs properly.
4.9.3 Deployment
Requirements
None
Activation
Step 1 Log in to the OMU locally or remotely using PuTTY.
Step 2 Run the DOPRA Linux command iptables -A INPUT -s restricted IP -i Ethernet adapter -p
transport protocol --dport restricted port -j DROP. In this step, set parameters as follows:
----End
If you do not specify the -p transport protocol and --dport restricted port parameters, access
over all ports is denied.
The following is a command example used to allow only users in the 10.141.148.0 network
segment to access the WebLMT:
iptables -A INPUT -s ! 10.141.148.0/255.255.255.0 -i bond1 -p tcp --dport 80 -j DROP
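Because a whitelist rule drops everything outside the listed segment on the chosen port, it is worth previewing what a rule set admits before applying it on the OMU. The following Python block is an added example, not from the document or Huawei; it models only the rule shape used in this section (INPUT chain, -s with optional negation, -p, --dport, -j DROP) and evaluates the whitelist and blacklist semantics described earlier against sample connections. The negation form in the command above, `-s ! net`, is the legacy syntax; current iptables releases expect `! -s net`, and the parser accepts both. All addresses in the checks are constructed.

```python
"""Preview what iptables DROP rules admit: whitelist vs. blacklist semantics.

Added example, not from the document or Huawei. Only the rule subset used on
this page is modelled (INPUT chain, -s [!] net, -p proto, --dport port, -j DROP).
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DropRule:
    source: ipaddress.IPv4Network
    negate: bool              # True: match sources NOT in the network (whitelist style)
    proto: Optional[str]      # None: any protocol
    dport: Optional[int]      # None: any destination port


def parse_rule(command: str) -> DropRule:
    """Parse the subset of 'iptables -A INPUT ...' used in the text; other forms raise ValueError."""
    tokens = shlex.split(command)
    negate, source, proto, dport = False, None, None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                       # current syntax: '! -s net'
            negate = True
            i += 1
        elif tok == "-s":
            value = tokens[i + 1]
            if value == "!":                 # legacy syntax: '-s ! net'
                negate = True
                value = tokens[i + 2]
                i += 1
            source = ipaddress.ip_network(value, strict=False)   # accepts /24 or /255.255.255.0
            i += 2
        elif tok == "-p":
            proto = tokens[i + 1].lower()
            i += 2
        elif tok == "--dport":
            dport = int(tokens[i + 1])
            i += 2
        elif tok == "-j":
            if tokens[i + 1] != "DROP":
                raise ValueError("only DROP rules are modelled")
            i += 2
        else:                                # 'iptables', '-A INPUT', '-i bond1': no effect on matching here
            i += 1
    if source is None:
        raise ValueError("rule has no -s source")
    return DropRule(source, negate, proto, dport)


def is_dropped(rules: Sequence[DropRule], src_ip: str, proto: str, dport: int) -> bool:
    """First-match walk of the INPUT chain; the chain's default policy is assumed to be ACCEPT."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        in_net = ip in rule.source
        if (not in_net) if rule.negate else in_net:
            if rule.proto is not None and rule.proto != proto:
                continue
            if rule.dport is not None and rule.dport != dport:
                continue
            return True
    return False


def preview(rules: Sequence[DropRule], probes: Sequence[Tuple[str, str, int]]) -> List[str]:
    """Verdict per (source IP, protocol, port) probe, e.g. to confirm port 22 stays reachable."""
    return ["DROP" if is_dropped(rules, *probe) else "ACCEPT" for probe in probes]


if __name__ == "__main__":
    rules = [parse_rule("iptables -A INPUT -s ! 10.141.148.0/255.255.255.0 -i bond1 -p tcp --dport 80 -j DROP")]
    print(preview(rules, [("10.141.148.25", "tcp", 80), ("10.141.149.25", "tcp", 80), ("10.141.149.25", "tcp", 22)]))
```

Running the preview with the management workstation's own address as a probe, for ports 80, 22 and 21, is a cheap way to confirm that a new whitelist rule will not lock the operator out of the WebLMT, SSH or the ftp_server module.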
----End
Activation Observation
Step 1 Log in to the PC whose IP address has been restricted.
Step 2 Run the DOPRA Linux command iptables -L to query all filtering criteria on the OMU. Verify
that the new criteria have been added successfully.
l If access over port 80 is denied, you cannot access the WebLMT. In this situation, check
whether you can access the WebLMT on the PC.
l If access over port 22 is denied, you cannot log in to the OMU remotely. In this situation,
check whether you can log in to the OMU using PuTTY on the PC.
NOTE
Exercise caution when disabling port 22, because this operation prevents users from remotely logging in
to the OMU.
l If access over port 21 is denied, you cannot access the ftp_server module on the OMU. In
this situation, check whether you can access the ftp_server module on the OMU using an
FTP client on the PC.
----End
Deactivation
Step 1 Log in to the OMU locally or remotely using PuTTY.
Step 2 Run the DOPRA Linux command iptables -D INPUT -s restricted IP -i Ethernet adapter -p
transport protocol --dport restricted port -j DROP. In this step, set parameters as follows:
If you do not specify the -p transport protocol and --dport restricted port parameters, access
over all ports is denied.
Step 3 Run the DOPRA Linux command iptables -L to query all filtering criteria on the OMU. Verify
that the new criteria have been removed successfully.
----End
5 Parameters
ONLYO BTS390 SET None None Meaning: Indicates whether to enable the security
MIP 0, OMCO policy of accessing the NE by using the maintenance IP
BTS390 NNPOL addresses (OMCH IP and LOCAL IP) only. This
0 ICY parameter does not take effect when OMCH IP is not
WCDM DSP configured.
A, OMCO GUI Value Range: DISABLE(DISABLE), ENABLE
BTS390 NNPOL (ENABLE)
0 LTE ICY Unit: None
LST Actual Value Range: DISABLE, ENABLE
OMCO
NNPOL Default Value: ENABLE(ENABLE)
ICY
PwdMin BSC690 SET None None Meaning: Minimum length of an LMT login password.
Len 0 PWDPO When a password is shorter than this length, the
LICY password is invalid.
GUI Value Range: 6~32
Unit: None
Actual Value Range: 6~32
Default Value: 8
PwdMin BSC691 SET None None Meaning: Minimum length of an LMT login password.
Len 0 PWDPO When a password is shorter than this length, the
LICY password is invalid.
GUI Value Range: 6~32
Unit: None
Actual Value Range: 6~32
Default Value: 8
MaxRep BSC690 SET None None Meaning: Maximum number of single character repeats
eatChar 0 PWDPO allowed in an LMT login password. When a single
Times LICY character in a password repeats for more times than this
number, the password is invalid.
GUI Value Range: 2~32
Unit: None
Actual Value Range: 2~32
Default Value: 2
MaxRep BSC691 SET None None Meaning: Maximum number of single character repeats
eatChar 0 PWDPO allowed in an LMT login password. When a single
Times LICY character in a password repeats for more times than this
number, the password is invalid.
GUI Value Range: 2~32
Unit: None
Actual Value Range: 2~32
Default Value: 2
MAXV BSC690 SET None None Meaning: Days between the day when a password takes
ALIDD 0 PWDPO effect and the day when the password expires. The
ATES LICY password becomes invalid after being valid for the days.
GUI Value Range: 1~999
Unit: day
Actual Value Range: 1~999
Default Value: 90
MAXV BSC691 SET None None Meaning: Days between the day when a password takes
ALIDD 0 PWDPO effect and the day when the password expires. The
ATES LICY password becomes invalid after being valid for the days.
GUI Value Range: 1~999
Unit: day
Actual Value Range: 1~999
Default Value: 90
MaxMis BSC690 SET None None Meaning: Maximum number of password retries when
sTimes 0 PWDPO a user logs in. When password retries by a user exceed
LICY this number, this user is locked.
GUI Value Range: 1~255
Unit: None
Actual Value Range: 1~255
Default Value: 3
MaxMis BSC691 SET None None Meaning: Maximum number of password retries when
sTimes 0 PWDPO a user logs in. When password retries by a user exceed
LICY this number, this user is locked.
GUI Value Range: 1~255
Unit: None
Actual Value Range: 1~255
Default Value: 3
MAXPR BSC690 SET None None Meaning: Longest days for which users are prompted in
OMPTD 0 PWDPO advance to notice that the password is going to expire.
ATES LICY When this day arrives, users will be prompted with the
remaining days.
GUI Value Range: 1~255
Unit: day
Actual Value Range: 1~255
Default Value: 5
MAXPR BSC691 SET None None Meaning: Longest days for which users are prompted in
OMPTD 0 PWDPO advance to notice that the password is going to expire.
ATES LICY When this day arrives, users will be prompted with the
remaining days.
GUI Value Range: 1~255
Unit: day
Actual Value Range: 1~255
Default Value: 5
HISTORYPWDNUM (NE: BSC6900, BSC6910; MML Command: SET PWDPOLICY; Feature ID: None; Feature Name: None)
Meaning: Maximum number of historical passwords that can be saved. When this number is reached, the earliest historical password is deleted when a new one arrives.
GUI Value Range: 1~10
Unit: None
Actual Value Range: 1~10
Default Value: 5
FirstLoginMustModPWD (NE: BSC6900, BSC6910; MML Command: SET PWDPOLICY; Feature ID: None; Feature Name: None)
Meaning: Switch for forcing users to change the password upon their first login to the LMT.
GUI Value Range: OFF(Close), ON(Open)
Unit: None
Actual Value Range: ON, OFF
Default Value: OFF(Close)
DICTCHKSW (NE: BSC6900, BSC6910; MML Command: SET PWDPOLICY; Feature ID: None; Feature Name: None)
Meaning: Switch for checking whether a password is in the weak password dictionary when a user is added or a user's password is modified. Weak passwords are included in the weak password dictionary. After this switch is turned on, common words and simple combinations of letters and digits, such as 111111, aaaaaa, abc123, linda, and snoopy, cannot be used as passwords.
GUI Value Range: OFF(Close), ON(Open)
Unit: None
Actual Value Range: ON, OFF
Default Value: OFF(Close)
AutoUnlockTime (NE: BSC6900, BSC6910; MML Command: SET PWDPOLICY; Feature ID: None; Feature Name: None)
Meaning: Duration after which a locked user is unlocked automatically.
GUI Value Range: 1~65535
Unit: min
Actual Value Range: 1~65535
Default Value: 30
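The following Python model is an added illustration, not code from the Huawei BSC, of how the SET PWDPOLICY parameters above interact at their default values: retry lockout (MaxMissTimes), automatic unlock (AutoUnlockTime), password history (HISTORYPWDNUM), the expiry warning window (MAXPROMPTDATES), the forced first-login change (FirstLoginMustModPWD) and the weak-dictionary check (DICTCHKSW). The 90-day validity period is the default of the preceding row; the dictionary contents, the SHA-256 password storage and the return strings are assumptions of this example.

```python
import hashlib
from datetime import timedelta

# Defaults from the SET PWDPOLICY table above; the 90-day validity period is the
# preceding row's default. Dictionary contents and SHA-256 storage are assumptions.
POLICY = dict(MaxMissTimes=3, AutoUnlockTime=30, HISTORYPWDNUM=5,
              MAXPROMPTDATES=5, FirstLoginMustModPWD=True, DICTCHKSW=True)
PWD_VALID_DAYS = 90
WEAK_DICT = {"111111", "aaaaaa", "abc123", "linda", "snoopy"}  # constructed sample

def pwd_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

class Account:
    def __init__(self, password, now, policy=POLICY):
        self.policy, self.misses, self.locked_at = policy, 0, None
        self.history, self.first_login = [pwd_hash(password)], True  # oldest first
        self.expires_at = now + timedelta(days=PWD_VALID_DAYS)

    def login(self, password, now):
        if self.locked_at is not None:
            if now - self.locked_at < timedelta(minutes=self.policy["AutoUnlockTime"]):
                return "locked"
            self.locked_at, self.misses = None, 0           # AutoUnlockTime elapsed
        if pwd_hash(password) != self.history[-1]:
            self.misses += 1
            if self.misses > self.policy["MaxMissTimes"]:   # retries exceed the limit
                self.locked_at = now
                return "locked"
            return "wrong password"
        self.misses = 0
        if self.policy["FirstLoginMustModPWD"] and self.first_login:
            return "must change password"
        days_left = (self.expires_at - now).days
        if days_left <= self.policy["MAXPROMPTDATES"]:      # expiry warning window
            return f"ok, password expires in {days_left} days"
        return "ok"

    def change_password(self, new_password, now):
        if self.policy["DICTCHKSW"] and new_password.lower() in WEAK_DICT:
            return "rejected: weak password"
        new_hash = pwd_hash(new_password)
        if new_hash in self.history:      # any of the HISTORYPWDNUM kept hashes
            return "rejected: password reused"
        self.history.append(new_hash)
        del self.history[:-self.policy["HISTORYPWDNUM"]]    # forget the oldest
        self.first_login = False
        self.expires_at = now + timedelta(days=PWD_VALID_DAYS)
        return "changed"
```

Note that the lock triggers on the fourth failure with the default of 3, because the table says retries must exceed MaxMissTimes, and that a password becomes reusable again only once HISTORYPWDNUM newer passwords have pushed it out of the history.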
AUTHMODE (NE: BSC6900, BSC6910; MML Command: ADD SNTPSRVINFO; Feature ID: None; Feature Name: None)
Meaning: Authentication mode used when the active OMU (NTP client) synchronizes with the NTP server.
GUI Value Range: PLAIN(PLAIN), NTPV3(NTPV3)
Unit: None
Actual Value Range: PLAIN, NTPV3
Default Value: PLAIN(PLAIN)
AUTHMODE (NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Command: ADD NTPC, MOD NTPC, LST NTPC; Feature ID: None; Feature Name: None)
Meaning: Indicates the encryption mode. If this parameter is set to PLAIN, data is transmitted in plaintext.
GUI Value Range: PLAIN(Plain), DES_S(DES_S), DES_N(DES_N), DES_A(DES_A), MD5(MD5)
Unit: None
Actual Value Range: PLAIN, DES_S, DES_N, DES_A, MD5
Default Value: PLAIN(Plain)
KEYID (NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Command: ADD NTPC, MOD NTPC, LST NTPC; Feature ID: None; Feature Name: None)
Meaning: Indicates the server-side index of the NTP authentication key. The index must be the same as the setting on the server.
GUI Value Range: 1~4294967295
Unit: None
Actual Value Range: 1~4294967295
Default Value: None
IP (NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Command: ADD NTPC, MOD NTPC, RMV NTPC, SET MASTERNTPS; Feature ID: None; Feature Name: None)
Meaning: Indicates the IPv4 address of the NTP server.
GUI Value Range: Valid IP address
Unit: None
Actual Value Range: Valid IP address
Default Value: 0.0.0.0
PORT (NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE; MML Command: ADD NTPC, MOD NTPC, LST NTPC; Feature ID: None; Feature Name: None)
Meaning: Indicates the port number of the NTP server. An NTP client performs time calibration with the NTP server through the port specified by this parameter.
GUI Value Range: 123~5999,6100~65534
Unit: None
Actual Value Range: 123~5999,6100~65534
Default Value: 123
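As an added example, not Huawei code, the following Python shows what the AUTHMODE and KEYID parameters configure on the wire: with AUTHMODE set to MD5 the client appends the standard NTP symmetric-key MAC (4-byte key ID followed by MD5 over the shared key and the 48-byte packet, as in RFC 5905), and the server only accepts the packet if the key ID selects the same key in its own table, which is why KEYID must match the server-side index; with PLAIN no authentication is performed. The key table, the key value and the absence of extension fields are assumptions; the NTPV3 option on the BSC and the DES_S/DES_N/DES_A modes on the BTS are not modelled.

```python
import hashlib
import hmac
import struct

# Constructed key table standing in for the server's NTP keys file: KEYID -> shared key.
# The client's KEYID must select the same entry on the server.
SERVER_KEYS = {7: b"constructed-shared-secret"}
NTP_EPOCH_OFFSET = 2208988800        # seconds between 1900-01-01 and 1970-01-01

def build_client_request(unix_time):
    """48-byte NTPv4 header: LI=0, VN=4, mode=3 (client); only the transmit timestamp is set."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return bytes([0x23]) + bytes(39) + struct.pack("!II", secs, frac)

def md5_mac(key, packet):
    # RFC 5905 symmetric-key MAC: MD5 over the key followed by the packet.
    return hashlib.md5(key + packet).digest()

def authenticate(packet, key_id, key):
    """Append the 20-byte MAC field (4-byte key ID + 16-byte digest)."""
    return packet + struct.pack("!I", key_id) + md5_mac(key, packet)

def verify(message, key_table, auth_mode="MD5"):
    """Return True if the message is acceptable under the configured AUTHMODE."""
    if auth_mode == "PLAIN":
        return True                        # no authentication is performed
    if len(message) != 68:                 # 48-byte header + MAC; assumes no extension fields
        return False
    packet, key_id, digest = message[:48], struct.unpack("!I", message[48:52])[0], message[52:]
    key = key_table.get(key_id)
    if key is None:                        # KEYID not configured on the server
        return False
    return hmac.compare_digest(md5_mac(key, packet), digest)
```

With MD5 configured, an unauthenticated packet, a packet carrying a key ID the server does not know, a packet built with a different key, and a packet modified in transit are all rejected, while PLAIN accepts traffic as-is.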
6 Counters
7 Glossary
8 Reference Documents
1. GBTS Equipment and OM Security Feature Parameter Description for GSM BSS
2. SSL Feature Parameter Description for SingleRAN
3. User Data Anonymization Feature Parameter Description for SingleRAN