2488 Im 20141001

Instruction Manual
SEL-2488
Satellite-Synchronized
Network Clock
Instruction Manual
20141001
*PM2488-01*
CAUTION
Equipment components are sensitive to electrostatic discharge

(ESD). Undetectable permanent damage can result if you do
not use proper ESD procedures. Ground yourself, your work
surface, and this equipment before removing any cover from
this equipment. If your facility is not equipped to work with
these components, contact SEL about returning this device and
related SEL equipment for service.
CAUTION
In order
to avoidexternal
losing system
logs
factory
default
reset,
Do
not connect
voltages
to on
thearelay
contact
inputs.
configurethe
thecontact
SEL-2488
to forward
Syslogwetted,
messages.
Because
inputs
are internally
per-manent
damage to the relay or external equipment may result from
!
DANGER
Disconnect or de-energize all external connections before

opening this device. Contact with hazardous voltages and
currents inside this device can cause electrical shock resulting
in injury or death.
!
DANGER
Contact with instrument terminals can cause electrical shock

that can result in injury or death.
!
WARNING
Have only qualified personnel service this equipment. If you are

not qualified to service this equipment, you can injure yourself
or others, or cause equipment damage.
WARNING
Use of this equipment in a manner other than specified in this

manual can impair operator safety safeguards provided by this
equipment.
ATTENTION
Les composants de cet quipement sont sensibles aux

dcharges lectrostatiques (DES). Des dommages permanents
non-dcelables peuvent rsulter de labsence de prcautions
contre les DES. Raccordez-vous correctement la terre, ainsi
que la surface de travail et lappareil avant den retirer un
panneau. Si vous ntes pas quips pour travailler avec ce type
de composants, contacter SEL afin de retourner lappareil pour
un service en usine.
ATTENTION
Pour
viter
de perdre
les enregistrements
sur un
Ne pas
raccorder
de tensions
externes sur du
lessystme
bornes des
redmarrage
dfini par
dfaut,
configurer
SEL-2488
pour
entres de contact.
Parce
que les
contactslesont
tremps
au
envoyer
de permanents
l'enregistreur
du systme
(Syslog).
mercure,les
desmessages
dommages
peuvent
rsulter
pour le
relais ou lquipement externe la suite du raccordement dune
!
DANGER
Dbrancher tous les raccordements externes avant douvrir cet

appareil. Tout contact avec des tensions ou courants internes
lappareil peut causer un choc lectrique pouvant entraner des
blessures ou la mort.
!
DANGER
Tout contact avec les bornes de lappareil peut causer un choc

lectrique pouvant entraner des blessures ou la mort.
!
AVERTISSEMENT
Seules des personnes qualifies peuvent travailler sur cet

appareil. Si vous ntes pas qualifis pour ce travail, vous
pourriez vous blesser avec dautres personnes ou endommager
lquipement.
!
AVERTISSEMENT
L'utilisation de cet appareil suivant des procdures diffrentes

de celles indiques dans ce manuel peut dsarmer les
dispositifs de protection d'oprateur normalement actifs sur
cet quipement.
2014 by Schweitzer Engineering Laboratories, Inc. All rights reserved.

All brand or product names appearing in this document are the trademark or registered trademark of their respective holders. No SEL
trademarks may be used without written permission. SEL products appearing in this document may be covered by U.S. and Foreign patents.
Schweitzer Engineering Laboratories, Inc. reserves all rights and benefits afforded under federal and international copyright and patent laws in
its products, including without limitation software, firmware, and documentation.
The information in this manual is provided for informational use only and is subject to change without notice. Schweitzer Engineering
Laboratories, Inc. has approved only the English language manual.
This product is covered by the standard SEL 10-year warranty. For warranty details, visit www.selinc.com or contact your customer service
representative.
PM2488-01
SEL-2488 Satellite-Synchronized Network Clock
Instruction Manual
Date Code 20141001
Table of Contents
R.Instruction Manual
List of Tables .......................................................................................................................................................iii

List of Figures ...................................................................................................................................................... v
Preface.................................................................................................................................................................. vii
Section 1: Connections, Installation, and Specifications
Introduction ..................................................................................................................................................... 1.1
Product Overview ............................................................................................................................................ 1.1
Product Features .............................................................................................................................................. 1.1
Connections, Reset Button, and LED Indicators............................................................................................. 1.2
Software System Requirements....................................................................................................................... 1.9
General Safety and Care Information.............................................................................................................. 1.9
Front- and Rear-Panel Diagrams ................................................................................................................... 1.10
Dimension Drawing....................................................................................................................................... 1.10
Warranty ........................................................................................................................................................ 1.11
Specifications ................................................................................................................................................ 1.12
Section 2: Getting Started

Introduction ..................................................................................................................................................... 2.1
Connecting to the Device ................................................................................................................................ 2.1
Commissioning the Device.............................................................................................................................. 2.4
Navigating the User Interface.......................................................................................................................... 2.4
Device Dashboard............................................................................................................................................ 2.7
Section 3: Managing Users

Introduction ..................................................................................................................................................... 3.1
User-Based Accounts ...................................................................................................................................... 3.1
Centralized User Accounts with LDAP........................................................................................................... 3.4
Section 4: Applications
Introduction ..................................................................................................................................................... 4.1
Time-Code Distribution................................................................................................................................... 4.1
Cable Delay Compensation ............................................................................................................................. 4.2
Network Time Protocol (NTP) ........................................................................................................................ 4.3
Section 5: Settings
Introduction ..................................................................................................................................................... 5.1
Reports............................................................................................................................................................. 5.1
Time Management ........................................................................................................................................... 5.3
Time-Code Outputs ......................................................................................................................................... 5.6
Network Settings ............................................................................................................................................. 5.9
Accounts ........................................................................................................................................................ 5.13
Security.......................................................................................................................................................... 5.14
System ........................................................................................................................................................... 5.15
Section 6: Testing and Troubleshooting

Introduction ..................................................................................................................................................... 6.1
Testing Philosophy .......................................................................................................................................... 6.1
LED/LCD Indicators ....................................................................................................................................... 6.2
LCD Screen ..................................................................................................................................................... 6.4
Device Dashboard............................................................................................................................................ 6.5
Troubleshooting............................................................................................................................................... 6.5
Factory Assistance........................................................................................................................................... 6.7
Date Code 20141001
Instruction Manual
ii
Table of Contents
Appendix A: Firmware and Manual Versions

Firmware......................................................................................................................................................... A.1
Instruction Manual.......................................................................................................................................... A.1
Appendix B: Firmware Upgrade Instructions

Introduction .....................................................................................................................................................B.1
Firmware Upgrade Procedure..........................................................................................................................B.1
Factory Assistance...........................................................................................................................................B.2
Appendix C: User-Based Accounts

Introduction .....................................................................................................................................................C.1
Benefits of User-Based Accounts....................................................................................................................C.1
Administration of User-Based Accounts.........................................................................................................C.2
Acceptable Use Banner ...................................................................................................................................C.2
Logging on With SEL User-Based Accounts..................................................................................................C.2
Passphrases ......................................................................................................................................................C.3
Appendix D: Lightweight Directory Access Protocol

SEL-2488 LDAP Client Implementation ....................................................................................................... D.1
Certificate Chain............................................................................................................................................. D.1
LDAP Settings Form ...................................................................................................................................... D.2
Appendix E: Syslog
Introduction .....................................................................................................................................................E.1
Remote Syslog Servers....................................................................................................................................E.3
Open Source Syslog Servers ...........................................................................................................................E.3
SEL-2488 Event Logs .....................................................................................................................................E.4
Appendix F: X.509
Introduction ..................................................................................................................................................... F.1
Public Key Cryptography ................................................................................................................................ F.1
X.509 Certificates............................................................................................................................................ F.2
Digital Signatures ............................................................................................................................................ F.3
Public Key Infrastructure................................................................................................................................. F.3
Web of Trust .................................................................................................................................................... F.4
Simple Public Key Infrastructure .................................................................................................................... F.4
Online Certificate Status Protocol (OCSP) ..................................................................................................... F.5
Sample X.509 Certificate ................................................................................................................................ F.5
Instruction Manual
Date Code 20141001
List of Tables
Table 1.1
Table 1.2
Table 1.3
Table 1.4
Table 1.5
Table 1.6
Table 1.7
Table 1.8
Table 1.9
Table 1.10
Table 1.11
Table 2.1
Table 2.2
Table 4.1
Table 5.1
Table 5.2
Table 5.3
Table 5.4
Table 5.5
Table 5.6
Table 5.7
Table 5.8
Table 5.9
Table 5.10
Table 5.11
Table 5.12
Table 5.13
Table 5.14
Table 5.15
Table 5.16
Table 5.17
Table 5.18
Table 5.19
Table 5.20
Table 5.21
Table 6.1
Table 6.2
Table 6.3
Table 6.4
Table A.1
Table A.2
Table E.1
Table E.2
Table E.3
Date Code 20141001
Ethernet Status Indicators....................................................................................................... 1.3

Time Status Indicators............................................................................................................ 1.4
Alarm Contact Pinout............................................................................................................. 1.5
Alarm Contact Ratings ........................................................................................................... 1.5
Timer Contact Pinout ............................................................................................................. 1.5
Timer Contact Ratings............................................................................................................ 1.5
Time Output Formats ............................................................................................................. 1.6
10/100 Mbps Ethernet Port Pinout ......................................................................................... 1.6
DB-9 Port Pinout.................................................................................................................... 1.7
High-Voltage Power Supply Connections .............................................................................. 1.9
Low-Voltage Power Supply Connections............................................................................... 1.9
Network Interface Icon Colors ............................................................................................... 2.8
System Statistics................................................................................................................... 2.10
Output Drive Capacity............................................................................................................ 4.1
GNSS Settings........................................................................................................................ 5.3
SEL-2488 GNSS Setting........................................................................................................ 5.4
NTP Multicast/Broadcast Settings ......................................................................................... 5.6
Time-Code Output Settings.................................................................................................... 5.7
IRIG-B Control Bit Assignments........................................................................................... 5.8
Four-Bit IRIG-B Time Quality (TQ) Code ............................................................................ 5.9
Three-Bit Continuous Time Quality (CTQ) Code ................................................................. 5.9
General Network Settings .................................................................................................... 5.10
ETH F Network Interface Settings....................................................................................... 5.10
ETH 14 Network Interface Settings ................................................................................... 5.11
Syslog Threshold Values ...................................................................................................... 5.12
Syslog Destination Settings.................................................................................................. 5.12
Add Hosts Settings ............................................................................................................... 5.13
Web Settings......................................................................................................................... 5.15
System Contact Information Settings................................................................................... 5.15
Date Format.......................................................................................................................... 5.15
Front Panel ........................................................................................................................... 5.16
Local Time Settings.............................................................................................................. 5.17
Manual Date/Time Settings.................................................................................................. 5.18
Alarm Contact Output Trigger Categories ........................................................................... 5.19
Timer Contact Settings ......................................................................................................... 5.20
System Status Indicators ........................................................................................................ 6.2
Communications Interface Indicators .................................................................................... 6.3
Time Status Indicators............................................................................................................ 6.3
Troubleshooting Procedure .................................................................................................... 6.6
Firmware Revision History ................................................................................................... A.1
Instruction Manual Revision History .................................................................................... A.1
Syslog Message Severities .....................................................................................................E.1
Syslog Message Facilities ......................................................................................................E.2
Event Logs..............................................................................................................................E.4
Instruction Manual
This page intentionally left blank
List of Figures
Figure 1.1
Figure 1.2
Figure 1.3
Figure 2.1
Figure 2.2
Figure 2.3
Figure 2.4
Figure 2.5
Figure 2.6
Figure 2.7
Figure 2.8
Figure 2.9
Figure 2.10
Figure 2.11
Figure 2.12
Figure 2.13
Figure 2.14
Figure 2.15
Figure 2.16
Figure 2.17
Figure 2.18
Figure 2.19
Figure 2.20
Figure 2.21
Figure 3.1
Figure 3.2
Figure 3.3
Figure 3.4
Figure 3.5
Figure 3.6
Figure 3.7
Figure 3.8
Figure 3.9
Figure 4.1
Figure 4.2
Figure 4.3
Figure 5.1
Figure 5.2
Figure 5.3
Figure 5.4
Figure 5.5
Figure 5.6
Figure 5.7
Figure 5.8
Figure 5.9
Figure 5.10
Figure 5.11
Figure 5.12
Figure 5.13
Figure 5.14
Figure 5.15
Figure 5.16
Figure 6.1
Figure 6.2
Date Code 20141001
Front-Panel View.................................................................................................................... 1.2

Rear-Panel View ..................................................................................................................... 1.4
Typical Surge-Protector Installation....................................................................................... 1.8
Commissioning Network........................................................................................................ 2.1
Open Network Connections With Run Command ................................................................. 2.2
Open Connection Properties................................................................................................... 2.2
Local Area Connection Properties ......................................................................................... 2.3
Configuring Automatic Network Configuration .................................................................... 2.3
Device Commissioning Page.................................................................................................. 2.4
Device Dashboard .................................................................................................................. 2.5
Local Users............................................................................................................................. 2.6
Adding a New User ................................................................................................................ 2.6
Device Dashboard .................................................................................................................. 2.7
Network Interfaces ................................................................................................................. 2.8
Satellite Status Screen ............................................................................................................ 2.8
Time Input and Output Status ................................................................................................ 2.9
Version Information................................................................................................................ 2.9
System Statistics..................................................................................................................... 2.9
Diagnostics ........................................................................................................................... 2.10
Open Terminal With Run Command.................................................................................... 2.10
Open Network Connections With Run Command ............................................................... 2.11
Open Connection Properties................................................................................................. 2.11
Local Area Connection Properties ....................................................................................... 2.12
Internet Protocol (TCP/IP) Properties .................................................................................. 2.12
Add New User Form .............................................................................................................. 3.2
LDAP Logon Process ............................................................................................................. 3.4
Host Settings .......................................................................................................................... 3.5
LDAP Configuration Summary.............................................................................................. 3.6
LDAP Communication Settings ............................................................................................. 3.7
Adding an LDAP Server ........................................................................................................ 3.9
Group Mappings Showing a Single Group ............................................................................ 3.9
Adding a New Role ................................................................................................................ 3.9
Selecting a Group from the Tree Display............................................................................. 3.10
Multiple-Device Connections................................................................................................. 4.2
SEL-2488 Cable Delay Compensation Example ................................................................... 4.3
SEL-2488 Grouping for Using Cable Delay Compensation .................................................. 4.3
Sample Syslog Report ............................................................................................................ 5.2
GNSS Settings........................................................................................................................ 5.4
NTP Settings .......................................................................................................................... 5.5
Time-Code Outputs ................................................................................................................ 5.7
IP Configuration ................................................................................................................... 5.10
Static Routes......................................................................................................................... 5.11
Syslog Settings ..................................................................................................................... 5.12
Add Hosts ............................................................................................................................. 5.13
Renaming Certificates .......................................................................................................... 5.14
Front Panel Settings Window ............................................................................................... 5.16
Local Time Settings.............................................................................................................. 5.17
Manual Date/Time Setting Screen ....................................................................................... 5.18
Alarm Contact Screen .......................................................................................................... 5.19
Timer Contact....................................................................................................................... 5.20
Export Settings Page ............................................................................................................ 5.21
Import Settings Page ............................................................................................................ 5.22
Front-Panel Status Indicators ................................................................................................. 6.2
Front-Panel Time Indicators................................................................................................... 6.3
Instruction Manual
vi
List of Figures
Figure 6.3
Figure 6.4
Figure 6.5
Figure 6.6
Figure 6.7
Figure B.1
Figure D.1
Figure E.1
Figure F.1
Figure F.2
Figure F.3
Figure F.4
Figure F.5
Front-Panel Time Display ...................................................................................................... 6.4

Front-Panel Firmware Version ............................................................................................... 6.4
Front-Panel Location.............................................................................................................. 6.5
Front-Panel Port Information ................................................................................................. 6.5
Front-Panel Satellite Information........................................................................................... 6.5
File Management....................................................................................................................B.2
LDAP Transaction................................................................................................................. D.1
Central Syslog Server.............................................................................................................E.3
Asymmetric Keys ................................................................................................................... F.1
Confidentiality With Asymmetric Keys ................................................................................. F.2
Authentication With Asymmetric Keys ................................................................................. F.2
Digital Signatures................................................................................................................... F.3
Web of Trust ........................................................................................................................... F.4
Instruction Manual
Date Code 20141001
Preface
Manual Overview
This instruction manual describes the functionality and use of the SEL-2488
Satellite Synchronized Network Clock. It includes information necessary to
install, configure, test, and operate this device.
An overview of the manuals layout and the topics that are addressed follows.
Preface. Describes the manual organization and conventions used to

present information.
Section 1: Connections, Installation, and Specifications. Introduces

SEL-2488 applications, connectivity, and use requirements. This section
also lists specifications.
Section 2: Getting Started. Provides dimension drawings on the

SEL-2488 and instructions for initializing the SEL-2488.
Section 3: Managing Users. Explains how users are managed on the

SEL-2488.
Section 4: Applications. Provides Job Done examples. These examples

provide setup and configuration information for the SEL-2488.
Section 5: Settings. Lists and describes all the SEL-2488 settings and
commands.
Section 6: Testing and Troubleshooting. Lists common operating and

troubleshooting questions and suggested solutions.
Appendix A: Firmware and Manual Versions. Lists firmware and manual

revisions.
Appendix B: Firmware Upgrade Instructions. Provides instructions to

update the firmware in the SEL-2488.
Appendix C: User-Based Accounts. Provides an introduction to user-based

accounts and the benefits associated with using user-based accounts.
Appendix D: Lightweight Directory Access Protocol. Describes

Lightweight Directory Access Protocol (LDAP) and its use in SEL
products.
Appendix E: Syslog. Provides an introduction to the Syslog protocol and

its uses in SEL products.
Appendix F: X.509. Explains the structure and use of X.509 certificates.
Examples
This instruction manual uses several example illustrations and instructions to
explain how to effectively operate the SEL-2488. These examples are for
demonstration purposes only; the firmware identification information or
settings values these examples include may not necessarily match those in
your SEL-2488.
Date Code 20141001
Instruction Manual
viii
Preface
Safety Information
Safety Information
This manual uses three kinds of hazard statements, defined as follows.
!
CAUTION
Indicates a potentially hazardous

situation that, if not avoided, may
result in minor or moderate injury or
equipment damage.
WARNING
Indicates a potentially hazardous

situation that, if not avoided, could
result in death or serious injury.
DANGER
Indicates an imminently hazardous

situation that, if not avoided, will result
in death or serious injury.
Technical Assistance
Obtain technical assistance from the following:
Schweitzer Engineering Laboratories, Inc.
2350 NE Hopkins Court
Pullman, WA 99163-5603 U.S.A.
Phone: +1.509.332.1890
Fax: +1.509.332.7990
Internet: www.selinc.com
E-mail: info@selinc.com
Instruction Manual
Date Code 20141001
Section 1
Connections, Installation, and
Specifications
Introduction
This section includes the following information about the SEL-2488 SatelliteSynchronized Network Clock.
Product Overview on page 1.1
Product Features on page 1.1
Connections, Reset Button, and LED Indicators on page 1.2
Software System Requirements on page 1.9
General Safety and Care Information on page 1.9
Front- and Rear-Panel Diagrams on page 1.10
Dimension Drawing on page 1.10
Specifications on page 1.13
Product Overview
The SEL-2488 Satellite-Synchronized Network Clock receives Global
Navigation Satellite System (GNSS) time signals and distributes precise time
via multiple output protocols, including IRIG-B and Network Time Protocol
(NTP). As of August 2014, only the United States NAVSTAR Global
Positioning System (GPS) and the Russian GLONASS are global operational
GNSSs. The SEL-2488 uses one or both GNSSs based on the setting for
Satellite Signal Verification, see Table 5.2. The advanced capabilities of the
SEL-2488 make it well suited for demanding applications, such as
synchrophasors and event recording, as well as for larger substations with
multiple time-synchronization requirements.
Product Features
Accurate. Synchronize with precise time accuracy to within
40 ns to UTC for power protection applications. If GNSS time

signals become unavailable, the clock switches to the TCXO
Date Code 20141001
Instruction Manual
1.2
Connections, Installation, and Specifications

Connections, Reset Button, and LED Indicators
holdover, with 36 s/day accuracy, or to the optional OCXO

holdover, with 5 s/day accuracy. Both of these holdover
accuracy specifications are based on a constant temperature.
Flexible. Distribute time from eight time outputs that are
configurable for IRIG-B or time pulse outputs. The SEL-2488

also includes four standard Ethernet ports, which provide
NTPv4 and are available in copper as well as single- or
multimode fiber.
Dependable. Provides an option for a second, redundant power
supply; operates from 40 to +85C (40 to +185F); is

certified to IEEE 1613 Class 1, IEC 61850-3,and IEC 60255;
and is backed by our ten-year, worldwide product warranty.
Ease-of-Use. Simplify configuration and maintenance with a
secure web interface that allows convenient setup and

management. Configure settings offline using ACSELERATOR
QuickSet SEL-5030 Software or through an exported settings
file that can be imported later.
Time Synchronization. Provides a variety of high-accuracy
time outputs for other devices. Outputs include user selectable

1 PPS, 1 KPPS, or IRIG-B output and exceed performance
requirements specified by IEEE C37.118.1-2011 (Standards for
Synchrophasors for Power Systems). Synchronize time using
either IRIG-B or network time protocol (NTP). Time-align
events and user activity across your system.
Syslog. Log events for speedy alerts, consistency,
compatibility, and centralized collection. Use the clock to

forward Syslog system and security logs to as many as three
central servers.
User-Based Accounts. Provide user accountability and
separate authorization levels for configuration and

maintenance.

Front Panel
Figure 1.1 shows the front panel of the SEL-2488. The front panel includes all
of the device's status, port activity, and time status indicators. There are link
status and activity indicators for each of the 4 rear Ethernet ports. The LCD
display screen will display the present time, satellite information, critical log
events, and other diagnostic information. The front (local management)
Ethernet port has link and activity indicators built into the port itself. In
addition, there are status indications for the unit as a whole, as well as for the
power supply and optional backup power supply.
Status and Port Activity LEDs
Time Status LEDs

LCD Display Screen
Figure 1.1
Local Management Port
Front-Panel View
Instruction Manual
Date Code 20141001

Status Indicators
1.3
Figure 1.1 shows the layout of the status indicators on the front of the
SEL-2488. After the device has turned on and is in a normal operating state, a
red ALARM LED or unlit ENABLED LED indicates a non-optimal condition
needing operator attention.
Lamp Test
The LAMP TEST button illuminates front-panel LED indicators and the LCD
screen when pressed.
Device Status Indicators

The ENABLED indicator is green when the unit has passed self-tests and is
operational. This indicator is unlit during startup.
The ALARM indicator is unlit unless the unit asserts an alarm. A one-second
pulse indicates a minor alarm, while solid red indicates a major alarm.
Power Supply Status Indicators

The PWR A/PWR B indicators will be green if the power supply is installed and
healthy. If the unit detects a fault problem, the indicator will be red. If a power
supply is not installed, the corresponding indicator will be unlit.
Ethernet Status Indicators

Each of the four rear-panel Ethernet ports has a pair of corresponding LED
indicators on the front panel: an amber indicator above a green one. Table 1.1
shows how to interpret the states of these LED indicators. Note that the
connector for each port on the rear panel has built-in status indicators. As with
the front-panel indicators, these include one green and one amber LED, and
these indicate link status similarly. This simplifies detection of cabling errors
when inserting and removing Ethernet cables from the rear of the unit.
Table 1.1
Ethernet Status Indicators
LED State
Ethernet
Solid Green
Link up
Blinking Green
Port activity
Solid Amber
Full Speed Link
Extinguished Green
Link down
Blinking Amber
Collision
Extinguished Amber
Low Speed Link
LCD Display
The SEL-2488 is equipped with a multi-informational LCD display that
provides various information such as time, accuracy, satellite constellations
being used, latitude/longitude/altitude, and front Ethernet port (ETH F) IP
address. This information can be accessed by pressing the up and down push
buttons next to the display.
Date Code 20141001
Instruction Manual
1.4

Time Status Indicators

The front panel of the clock displays several indicators of health of time inputs
and outputs for the clock. These indicators include the Satellite Lock status,
Time Quality indication, Antenna status, PTP/NTP status and activity.
Table 1.2 shows how to interpret the states of these LED indicators.
Table 1.2
NOTE: If SSV is enabled, both GPS and

GLONASS constellations will have to
achieve satellite lock for the Satellite
Lock LED to turn green.
Time Status Indicators
Label
Color
Description
Satellite Lock
Green
GNSS is enabled in settings. Satellite lock is

achieved for all the required GNSS systems.
Amber
GNSS is enabled in settings. Satellite lock has not yet

been achieved for one or more required GNSS systems.
Off
GNSS is disabled in settings.
Green
Clock has been locked to an external source and is

providing time outputs with < 1us of accuracy to
UTC.
Flashing Green
Clock is not synchronized to an external time source

and time accuracy is 1 ms.
Red

Green
Antenna is connected and functional.
Red
Clock detected an antenna open or short failure

condition.
Off
GNSS is disabled via settings.
PTP
Off
Future use if ordered with IEEE 1588 PTP.
NTP
Green
NTP server capability is enabled but there is no

detected NTP activity.
Flashing Green
One or more NTP server ports is configured for

broadcast/multicast mode or has responded to a client
within the last five minutes.
Off
SEL-2488 is not enabled as an NTP server.
Time Quality
Antenna
Rear Panel
DB-9 Port (IRIG-B Output Only)
Timer Output
and Alarm
Figure 1.2
8 BNC Time Outputs
4 Ethernet Ports:
10/100BASE-T
100BASE-FX
100BASE-LX10
IRIG-B Input (Future)
TNC Antenna Input
Redundant, Hot-Swappable
Power Supply
Rear-Panel View
The base-model SEL-2488 has 8 BNC Time outputs and 4 10/100BASE-T

Ethernet copper ports. You can order each of the 10/100 Mbps copper ports as
single- or multimode fiber-optic ports in pairs of two to meet your network's
unique requirements.
Ethernet copper ports support Auto MDI/MDIX and auto negotiation for
speed and duplex values.
Instruction Manual
Date Code 20141001

1.5
Contact Output
One Form C output mechanical alarm contact and one Form A solid state
timing contact is provided on the rear panel. The alarm contact operates for
one second to indicate a minor alarm and latches to indicate a major alarm.
Table 1.3 and Table 1.4 gives the pinout and ratings of the alarm contact.
Table 1.3
Alarm Contact Pinout
Pin
Description
C3
Normally Open
C4
Common
C5
Normally Closed
Table 1.4
Alarm Contact Ratings
Max Voltage
250 Vdc
Contact Protection
270 Vdc, 75 J MOV protected
Max Current
2A
Pickup time
8 ms typical
Dropout time
8 ms typical
The timer contact is designed for testing external systems needing precise
timing to trigger the start of an event. The Form A contact can be used with
AC or DC voltages. The accuracies supplied below are only met using DC
voltages. Table 1.5 and Table 1.6 give the pinout and ratings of the timing
contact.
Table 1.5
Timer Contact Pinout
Pin
Description
C1
Normally Open
C2
Common
Table 1.6
Timer Contact Ratings
Max Voltage
250 Vdc
Contact Protection
330 Vdc (250 Vac), continuous, 145 J
Max Current
100 mA
Off Resistance
5 M
Minimum Voltage
12 Vdc
Timing Accuracy (closing)
1 s (applies only to DC voltages)
Time Outputs
The SEL-2488 comes standard with 8 BNC time outputs. When configured to
use demodulated outputs the SEL-2488 can be set to transmit IRIG-B002 or
IRIG-B004 timing formats. The IRIG-B004 output of the SEL-2488 transmits
the IEEE C37.118.1-2011 standard and is backwards compatible with the
previous IRIG-B000 C37.118-2005 standard as well as B000 without
C37.118-2005 extensions. The time outputs for the SEL-2488 are all software
configurable. Table 1.7 shows additional information on the available options
for time outputs.
Date Code 20141001
Instruction Manual
1.6

Table 1.7
Time Output Formats
Time Output
Time Reference
Format
Description
TO1
TO2
TO3
TO4
Local Time
UTC Time
B002
Transmit demodulated IRIG-B002 in

local or UTC. Format does NOT send
year and control bits
B004
Transmit demodulated IRIG-B004 format in local or UTC time. Control bits

are configured to be compatible with
IEEE-C37.118.1-2011 standard (reverse
compatible with IEEE-C37.118-2005).
B122
Transmit modulated IRIG-B122 in

year and control bits.
B124
Transmit modulated IRIG-B124 format

in local or UTC time. Control bits are
configured to be compatible with
PPS
Transmit 1 pulse per second
KPPS
Transmit 1,000 pulses per second
B002
Transmit demodulated IRIG-B002 in

year and control bits.
B004
Transmit demodulated IRIG-B004 format in local or UTC time. Control bits

are configured to be compatible with
PPS
Transmit 1 pulse per second
KPPS
Transmit 1,000 pulses per second
UTC Time
TO5
TO6
TO7
TO8
COM1
Local Time
UTC Time
UTC Time
10/100 Mbps Ethernet Ports

You can order ports 14 in combinations of two-port groups of either
10/100BASE-T copper or 100BASE-FX/LX10 fiber. Table 1.8 shows the
pinout for the copper Ethernet option.
Table 1.8
10/100 Mbps Ethernet Port Pinout
Pin
Description
A+
B+
N/C
N/C
N/C
N/C
Instruction Manual
Date Code 20141001

1.7
DB-9 Port
The rear COM1 is a female DB-9 port. You can use Pin 4 and Pin 6 to transmit
demodulated IRIG-B. This port is compatible with SEL-2812 Fiber-Optic
Transceivers for sending IRIG-B timing signals. The SEL-2812 will use Pin 7
of the DB-9 port as a power source. Table 1.9 shows the pinout for the port.
Table 1.9
Antenna
Date Code 20141001
DB-9 Port Pinout
Pin
Description
N/C
9 Vdc
N/A
+IRIG-B
GND
-IRIG-B
+5 Vdc
N/C
N/C
The SEL-2488 requires a Dual-Constellation GPS Antenna Kit (915900378)

to achieve lock with Satellite Signal Verification enabled. The SEL-2488
achieves lock with a standard GPS antenna but will require that the Satellite
Signal Verification feature be disabled (see Satellite Signal Verification on
page 5.4). Either antenna must be installed in accordance with national
electrical codes. A clear view of the sky, preferably 360 degrees, is preferred.
The antenna is housed in waterproof packaging designed to withstand
exposure to shock, excessive vibration, extreme temperatures, rain, snow, and
sunlight. Position the antenna so that the top of the antenna points skyward.
The dual-constellation GPS antenna is designed for pole mounting on a
1 in.-14 straight thread (typical marine antenna mount) or a 3/4 in. NPT pipe
thread. The N antenna connector is located on the bottom, which allows the
antenna cable to be routed inside the pole, protecting the cable connection and
adding reliability. The antenna should be located low and close to the controlhouse roof (above maximum snow accumulation and away from roof
maintenance activities).
Instruction Manual
1.8

915900378
Dual-Constellation
GPS Antenna Kit
(with N to TNC
adapter)
Building or Enclosure
91590043
Antenna Pipe
Mounting Kit
SEL-C961
(LMR-400
TNC to TNC)
SEL-2488
SEL-C961
(LMR-400 TNC to TNC)
915900139
Surge Protector Kit
(with mounting)
Common-Point
Earth Ground
Figure 1.3
Typical Surge-Protector Installation
Mounting the antenna on an equipment building roof or cabinet is safest

because the potential rise on the outside of either of these structures would be
more or less equal to the potential on the inside. A lightning protector (Gas
Tube Coaxial Surge Protector and mounting kit, SEL part number 915900139)
should be used to equalize the difference in potential that can occur between
the center conductor and the shield of the coaxial cable between the antenna
and the clock. The higher the GPS antenna is mounted on a support structure,
the greater the probability of equipment damage resulting from a lightning
strike. In all surge-protector applications, you should mount the surge
protector at the building or enclosure entrance, and ground the surge-protector
body as shown in Figure 1.3. Ground the clock to the same point as the surgeprotector ground to avoid round-rise-potential damage. When using the surge
protector, order an additional SEL-C961 cable and place this cable between
the SEL-2488 and the surge protector. Because the distance varies from the
SEL-2488 to the surge protector, be sure to order this cable at approximately
the correct length (plus 10 to 20 percent for installation variability). Refer to
the SEL Satellite-Synchronized Clocks Accessory Guide for complete
information and part numbers of clock accessories.
IRIG-B Time Input

The IRIG-B IN is a BNC Time Input for demodulated IRIG-B004 time. This
functionality for the IRIG-B IN is not presently enabled. A future firmware
release will add IRIG-B input functionality using the existing hardware.
Instruction Manual
Date Code 20141001

Software System Requirements
1.9
Redundant, Hot-Swappable Power Supplies

Optional redundant power supplies provide failover protection. Connect a
separate power source to each power supply. If one source fails, the other
continues to keep the SEL-2488 operational. The power supply has an
estimated mean time between failures (MTBF) of 3000 years. Power supply
inputs are isolated from ground and polarity protected.
High-Voltage Power Supply (110/125/220/230 Vac, 110/125/220/250 Vdc)

Table 1.10
High-Voltage Power Supply Connections
Pin
Description
GND
/N
+/H
Low-Voltage Power Supply (24/48 Vdc)

Table 1.11
Low-Voltage Power Supply Connections
Pin
Description
GND
Software System Requirements

The device is managed through the internal HTTPS web server. This server
requires a web browser capable of HTTPS communication. The official
supported browser is Microsoft Internet Explorer 8.
General Safety and Care Information

General Safety Notes
The SEL-2488 is designed for restricted access locations.
Access should be limited to qualified service personnel.

The SEL-2488 should neither be installed nor operated in a
condition this manual does not specify.
Cleaning Instructions
The device should be de-energized (by removing the power
connection to both the power and alarm connection) before

cleaning.
The case can be wiped down with a damp cloth. Solvent-based
cleaners should not be used on plastic parts or labels.
Date Code 20141001
Instruction Manual
1.10

Front- and Rear-Panel Diagrams
Front- and Rear-Panel Diagrams
Dimension Drawing
(mm)
Instruction Manual
Date Code 20141001

Warranty
1.11
Warranty
The SEL-2488 meets or exceeds the IEEE 1613 Class 1, IEC 61850-3, and
IEC 60255 industry standards for communications devices in electrical
substations for vibration, electrical surges, fast transients, extreme
temperatures, and electrostatic discharge.
SEL manufactures the SEL-2488 through use of the same high standards as
those for SEL protective relays and backs it with the same 10-year worldwide
warranty.
Date Code 20141001
Instruction Manual
1.12
Introduction and Specifications

Specifications
Specifications
User-Based Accounts
Receiver
Satellite Tracking:
GPS L1, C/A Code (1575.42 MHz),

GLONASS L1 (1602 MHz), track
up to 16 satellites for each
constellation
Acquisition Times
Warm Start:
240 s (With saved almanac data)
Cold Start:
240 s + UTC compensation time (up

to 12.5 min)
256
Password Length:
172 characters
Password Set:
All printable ASCII characters
User Roles:
Administrator, Engineer, User

Manager, Monitor
Syslog
Storage for 60,000 local Syslog messages
Clock Accuracy (to UTC Time)

1 PPS:
40 ns average, 100 ns peak
Demodulated IRIG-B:
40 ns average, 100 ns peak
Modulated IRIG-B:
1 s peak
NTP Time-Stamp
Accuracy (Typical):
Maximum Local
Accounts:
<100 s
Typical client synchronization accuracy to the SEL-2488 NTP

server on a LAN is 0.52 ms. Actual accuracy depends on
network conditions.
Support for three remote Syslog destinations
Processing and Memory

Processor Speed:
396 MHz
Memory:
512 MB
Storage:
512 MB
Communications Ports
Ethernet Ports
Holdover Accuracy (Typical)
Ports:
TCXO:
Data Rate:
10 or 100 Mbps
Front Connector:
RJ45 Female
Rear Connectors:
RJ45 Female or LC Fiber (singlemode or multimode)
Standard:
IEEE 802.3
OCXO:
36 s per day (constant temp)

315 s per day (1 C)
5 s per day (constant temp)
5 s per day (1 C)
Antenna Requirements
5 V, < 80 mA
32 dB preamp
Fiber-Optic Ports
Multimode Option (to 2 km)
Electrical Output Drive Levels

Demodulated
IRIG-B/PPS, TTL
(OUT1OUT8):
Modulated IRIG-B,
(OUT1OUT4):
DB-9 Port IRIG-B
output, TTL
(Pin 4/Pin 6):
4 rear, 1 front
Maximum TX Power: 14 dBm

Minimum TX Power: 20 dBm
5 V, 250 mA max
6.2 Vpp nominal
5 Vdc, 5 mA
General
RX Sensitivity:
31 dBm
System Gain:
11 dB
Source:
LED
Wavelength:
1310 nm
Connector Type:
LC (IEC 61754-20)
Single-Mode Option (to 15 km)
Operating Environment
Maximum TX Power: 8 dBm
Pollution Degree:
Minimum TX Power: 15 dBm
Overvoltage Category:
II
RX Sensitivity:
28 dBm
System Gain:
13 dB
Source:
Laser
Wavelength:
1310 nm
Connector Type:
LC (IEC 61754-20)
Dimensions
1U Rack Mount
Height:
Depth:
Width:
42.9 mm (1.69 inches)

232.1 mm (9.14 inches)
482.5 mm (19 inches)
Alarm Output
Weight
1.96 kg (4.3 lbs)
Warranty
10 Years
24250 Vdc
Continuous Carry:
2A
Timing Output
Network Management
HTTPS Web User Interface
ACSELERATOR QuickSet Software
Settings Import/Export
Rated Operational
Voltage:
Instruction Manual
Rated Operational
Voltage:
12250 Vdc
Continuous Carry:
100 mA
Date Code 20141001
Introduction and Specifications

Specifications
Environmental
Power Supply
Immunity:
Operating Temperature
40 to +85C (40 to +185F)
Relative Humidity
0 to 95% noncondensing
Altitude
2000 m
Surge Immunity:
IEC 60255-22-5:2008
Severity Level: 1 kV line-to-line,
2 kV line-to-earth
IEC 61000-4-5:2005
Severity Level: 1 kV line-to-line,
2 kV line-to-earth
Surge Withstand
Capability:
IEC 60255-22-1:2007
Severity Level: 2.5 kV peak common
mode, 1.0 kV peak differential mode
IEEE C37.90.1:2002
Severity Level: 2.5 kV oscillatory,
4 kV fast transient waveform
125/250 Volt Power Supply

125250 Vdc; 110240 Vac, 50/60 Hz
Input Voltage Range:
88300 Vdc or 85264 Vac
Power Consumption:
AC: < 60 VA
DC: < 45 W
Input Voltage
Interruptions:
50 ms @ 125 Vac/Vdc
100 ms @ 250 Vac/Vdc
24/48 Volt Power Supply

Rated Supply Voltage:
2448 Vdc (polarized)
Input Voltage Range:
19.257.6 Vdc
Power Consumption:
< 45 W
Input Voltage
Interruptions:
50 ms @ 48 Vdc
Environmental
Cold:
IEC 60068-2-1:2007
Severity Level: 16 hours at 40C
Damp Heat, Cyclic:
IEC 60068-2-30:2005
Severity Level: 25 to 55C
Relative Humidity:
95%
Dry Heat:
IEC 60068-2-2:2007
Severity Level: 16 hours at +85C
Vibration (Front-Panel
Mount Only):
IEC 60255-21-1:1988
Severity Level: Class 2 endurance,
Class 2 response
IEC 60255-21-2:1988
Severity Level: Class 1 - Shock
withstand, bump, and Class 2 Shock response
IEC 60255-21-3:1993
Severity Level: Class 2 (quake
response)
Type Tests
Communication Product Testing
Power Frequency
Disturbances:
IEC 61850-3:2002; Section 5.7.3
IEEE 1613, Class 1
Electromagnetic Compatibility Emissions

IEC 60255-25:2000
Generic Emissions:
CFR 47 Part 15
Severity Level: Class A
Electromagnetic Compatibility Immunity

Conducted RF
Immunity:
Fast Transient/Burst
Immunity:
Magnetic Field
Immunity:
Date Code 20141001
Safety
Dielectric Strength:
IEC 60255-5:2000
IEEE C37.90:2005
Power Supply: 3100 Vdc
Alarm Contact: 2500 Vac
IRIG-B Input: 2100 Vdc
Ethernet Ports: 1500 Vac
Timer Contact (OUT1): 3500 Vdc
Impulse:
IEC 60255-5:2000
Severity Level: 0.5 Joule, 5 kV (power
supply), 2.4 kV (Ethernet ports)
IEEE C37.90:2005
Severity Level: 0.5 Joule, 5 kV (power
supply), 2.4 kV (Ethernet ports)
IEC 60255-22-6:2001
Severity Level: 10 Vrms
IEC 61000-4-6:2006
Severity Level: 10 Vrms
Electrostatic Discharge IEC 60255-22-2:2008

Immunity:
Severity Level: 2, 4, 6, 8 kV contact;
2, 4, 8, 15 kV air
IEC 61000-4-2:2008
Severity Level: 2, 4, 6, 8 kV contact;
2, 4, 8, 15 kV air
IEEE C37.90.3:2001
Severity Level: 2, 4, and 8 kV
contact; 4, 8, and 15 kV air
IEC 60255-22-4:2008
Severity Level: Class A 4 kV, 5
kHz; 2 kV, 5 kHz on
communications ports
IEC 61000-4-4:2011
Severity Level: 4 kV, 5 kHz
IEC 60255-11:2008
IEC 61000-4-11:2004
IEC 61000-4-29:2000
Radiated Radio
IEC 60255-22-3:2007
Frequency Immunity:
Severity Level: 10 V/m
IEC 61000-4-3:2008
IEEE C37.90.2:2004
Power Supply
Rated Supply Voltage:
1.13
Certifications
ISO 9001:
This product was designed and

manufactured under an ISO 9001
certified quality management
system.
EMC:
FCC CFR 47 Part 15 Class A
IEC 61000-4-10:2001
Severity Level: 100 A/m
IEC 61000-4-8:2009
Severity Level: 1000 A/m for 3
seconds, 100 A/m for 1 minute
IEC 61000-4-9:2001
Severity Level: 1000 A/m
Instruction Manual
Section 2
Getting Started
Introduction
This section includes the following information:
Connecting to the Device on page 2.1
Commissioning the Device on page 2.4
Navigating the User Interface on page 2.4
Device Dashboard on page 2.7
Connecting to the Device

The device includes an HTTPS web server for most configuration and
management functions for use with Microsoft Internet Explorer 8.
For the initial connection to the SEL-2488, you will need to have the
following:
A computer with a wired Ethernet port
One RJ45 Ethernet cable
Physical Network
Connect the device to your computer as shown in Figure 2.1. Using a standard
RJ45 Ethernet cable, connect the Ethernet port of your computer to the front
Ethernet port (ETH F) of the device. The web management interface of an
uncommissioned SEL-2488 can only be reached through the front Ethernet
port. After commissioning, an additional IP interface can be configured. See
Network Settings on page 5.9 for information on enabling an additional IP
interface.
Ethernet
Cable
Figure 2.1
Date Code 20141001
Ethernet
(DHCP Enabled)
Commissioning Network
Instruction Manual
2.2
Getting Started
The default URL for the web server via the front port is https://192.168.1.2.
However, if your computer is configured as a DHCP client, the SEL-2488
captive port feature sends the necessary network configuration information
from the SEL-2488 to place your computer in the same subnet as the
SEL-2488. This will direct any entered URL to the SEL-2488. More
information about the captive port feature can be found in Network Settings on
page 5.9. If you prefer to use a static IP address, you can set these parameters
yourself, as described in Configuring a Static IP Address in Microsoft
Windows Networking on page 2.10.
The following steps show how to set your computer's network connection for
automatic configuration. If your computer is already set up to obtain an IP
address automatically, proceed to Commissioning the Device on page 2.4.
NOTE: If your PC is already set up to
obtain an IP address automatically,
proceed to Commissioning the Device
on page 2.4.
Step 1. Open the Microsoft Windows Network Connections Control

Panel applet. Do this by typing ncpa.cpl in the Windows Run
dialog box, as shown in Figure 2.2. Clicking OK opens the
Network Connections window, which contains a list of the
network devices available on your computer.
Figure 2.2
Open Network Connections With Run Command
Step 2. Right-click on the connection you will use to communicate

with the device and select the Properties option to show the
Connection Properties window (see Figure 2.3). The
connection may be labeled Local Area Connection, as
Figure 2.4 indicates.
Figure 2.3
Open Connection Properties
Instruction Manual
Date Code 20141001
Getting Started
Figure 2.4
2.3
Local Area Connection Properties
Step 3. Select the Internet Protocol (TCP/IP) entry from the This
connection uses the following items list (this entry is usually
last in the list). Click the Properties button to show the
Internet Protocol (TCP/IP) Properties window (see
Figure 2.5).
Figure 2.5
Configuring Automatic Network Configuration
Step 4. Select Obtain an IP address automatically. This is the usual

setting for computers on a company network.
Step 5. Select Obtain DNS server address automatically. This is the
usual setting for computers on a company network.
Step 6. Click the OK button.
Date Code 20141001
Instruction Manual
2.4
Getting Started
Commissioning the Device
Commissioning the Device

NOTE: You may receive a certificate
error from your browser. The message is
dependent on the browser you are
using. This error appears because the
default certificate is a self-signed
certificate and is not signed by a trusted
Certificate Authority (CA). You will need
to create a certificate exception to
access the device login page. Your
browser will provide instructions for
doing this. For information on creating
an X.509 certificate to eliminate this
error, please see Section 5: Settings.
Figure 2.6
Configure your computers network connection as described in Physical

Network on page 2.1. Using a standard RJ45 Ethernet cable, connect the
Ethernet port of your computer to the front port ETH F of the SEL-2488. Wait
for the network connection to be configured, and then open your web browser
and navigate to any URL (e.g., www.selinc.com)the SEL-2488 will
determine the correct URL and connect you to its web management interface.
Step 1. In the address bar for your browser, enter
https://www.selinc.com. This will open the device
Commissioning Page.
Device Commissioning Page
NOTE: The commissioning page only

appears during initial setup of a new
unit. After an account is established,
there will only be a login page for
accessing the device.
Step 2. Enter the account information for the first administrative user.
This requires both a username and a password. Password
characters do not display as you type, so it is necessary that you
type the password twice to confirm that it is entered correctly.
Step 3.
Click the Submit button to complete commissioning. When the

page reloads, you can log in as the administrative user to set up
accounts and configure the system. Navigating the User Interface on
page 2.4 provides a general description of the web interface.
Navigating the User Interface

The device has an HTTPS interface to enable easy device configuration. This
HTTPS interface can be accessed by opening your web browser and
navigating to the device management address. By default, this address is
https://192.168.1.2.
Instruction Manual
Date Code 20141001
Getting Started
2.5
When you log in to the device, a Dashboard window, such as that in

Figure 2.7, displays. The Dashboard window provides a quick overview of
the device status. Dashboard features are explained in greater detail later in
this section.
Figure 2.7
Device Dashboard
The far left frame of the device web interface is the navigation panel.
Selecting any link on this panel takes you to an associated page that includes
all settings and configurations for that part of the system. The navigation panel
is always present on the web interface. A first task in using the device might
be the creation of user accounts for personnel who will be configuring and
maintaining the device. Clicking on the Local Users link in the navigation
panel opens the Local Users page shown in Figure 2.8.
Date Code 20141001
Instruction Manual
2.6
Getting Started
Figure 2.8
Local Users
The Local Users page shown in Figure 2.8 shows the main panel of the web
interface. This example shows the single administrative user created when the
device was configured. On this page, we can see the status of each user
account and details about each user.
The Local Users page has an Add New User button above the table. There is
also an Edit button for each user in the table. There will also be a Delete
button for each user, except for the situation in which only one administrative
user remains. The last administrative user cannot be deleted.
Clicking the Add New User button displays the Accounts form (see
Figure 2.9) in which you can change the role, description, password, or
enabled condition of a user. Clicking the Edit button displays the same form,
without the username box.
Figure 2.9
Adding a New User
Instruction Manual
Date Code 20141001
Getting Started
Device Dashboard
2.7
Device Dashboard
The device dashboard is the page that displays when a user logs on to the
device. The Dashboard page provides a quick overview of the state of the
device. To access the dashboard from another device web page, select the
Dashboard link on the left navigation panel.
Figure 2.10
Device Dashboard
The device dashboard is broken into the following six categories:

Front-Panel Display
Satellite Status
Time Input and Output Status
Device Information
System Statistics
Diagnostics
Front-Panel Display
Date Code 20141001
The front-panel display section at the top of the device dashboard contains
most data found directly on the front panel of the SEL-2488. The Dashboard
web page automatically updates every 10 seconds. The network interfaces
section at the top center of the dashboard contains icons representing each
physical Ethernet network interface on the device. By mousing over any of the
network interface port icons, you can see the present status information of a
Instruction Manual
2.8
Getting Started
Device Dashboard
port over which you hover the mouse. Clicking one of these icons adds a
status area to the dashboard and adds a line to it containing the information for
that interface. More information about network interface configuration can be
found in Section 5: Settings.
Figure 2.11
Network Interfaces
The network interface icons are color coded to indicate the configuration state
of that interface. Table 2.1 lists interface icon colors and their meanings.
Table 2.1
Network Interface Icon Colors
Interface Icon
Status
Enabled (link up)

(Green)
Enabled (link down)

(Gray)
Disabled (not configured)

(Dark Gray)
Satellite Status
The dashboard screen contains a satellite status bar graph and SkyView
(Figure 2.12). The satellite status shows the present GPS and GLONASS
satellite numbers, signal strength, and whether the satellite is visible or used
by the SEL-2488. The SkyView graph and satellite status display the same
information, but the SkyView indicates the physical location in the sky for
each satellite. The status is updated automatically every 10 seconds. These
graphs help aid when troubleshooting problems while getting the SEL-2488 to
lock. In order for the SEL-2488 to initially lock there needs to be a minimum
of four satellites being tracked at a level of 30 dB-Hz or higher.
Figure 2.12
Satellite Status Screen
Instruction Manual
Date Code 20141001
Getting Started
Device Dashboard
Time Input and

Output Status
2.9
The Time Input and Time Output status section of the dashboard represents
all available time inputs and time outputs for the device (see Figure 2.13). The
time input section includes GPS and the internal clock holdover as sources
when they are available. The time quality of each source is displayed and the
selected source will be identified in bold font. Below the time input section the
dashboard lists the current time zone offset with respect to UTC, the present
daylight-saving time (DST) status, and leap second status. This information
aids in troubleshooting if the clock does not show the correct time.
The time outputs section provides a quick reference showing the present state
of all device time outputs. Any incorrect time output settings can be changed
through use of the Time Code Outputs settings tab.
Figure 2.13
Device Information
This section of the dashboard provides version information, including part

number, serial number, and the firmware identification string. This
information can be useful when factory support or firmware upgrades are
necessary.
Figure 2.14
System Statistics
Time Input and Output Status
Version Information
The System Statistics section (see Figure 2.15) of the dashboard provides
some basic statistics about device operations. This information can help you
quickly determine whether the device firmware is operating properly.
Figure 2.15
System Statistics
Table 2.2 explains each entry in the dashboard System Statistics section. The
CPU, RAM, and Storage statistics provide a visual indication of reserve
processing or storage capacity in the unit and should make any potential
problems related to system resource utilization readily apparent.
Date Code 20141001
Instruction Manual
2.10
Getting Started
Device Dashboard
Table 2.2
Diagnostics
Statistic
Meaning
CPU
Percentage loading of the SEL-2488 processor
RAM
Percentage usage of the on-board memory the CPU uses
Storage
Percentage of the nonvolatile storage the SEL-2488 uses to store

account information, logs, and other information when power is off
Active Session(s)
Number of users presently logged in to the management web interface
System Uptime
Time the unit has been running since the last time it was rebooted or
power was restored
Power Cycles
Number of times power has been cycled; increases by one every time
the unit is rebooted or power is removed and restored
Total Runtime
Total number of hours the unit has been operating
The Diagnostics section (see Figure 2.16) of the dashboard provides simple
status indications for the basic hardware systems of the SEL-2488. This
information can help you quickly determine the health of the device hardware
and whether it is operating properly.
Figure 2.16
Configuring a Static
IP Address in
Microsoft Windows
Networking
Diagnostics
To configure the SEL-2488 using a static IP address, you will need to

configure your computer to communicate on the 192.168.1.0/24 subnet.
Step 1. Start the Microsoft Windows Command Terminal.
a. Open the Run command (from the Start menu).
b. Type cmd in the text box.
c. Click OK.
NOTE: The instructions in this

section are provided in the event
you decide to use a static IP
address to access the device
instead of configuring your
computer for DHCP.
Figure 2.17
System Statistics
Open Terminal With Run Command
Instruction Manual
Date Code 20141001
Getting Started
Device Dashboard
2.11
Step 2. In the command window, type ipconfig <Enter>. This will

cause your computer to display the IP address and subnet mask
for which your Ethernet connection is configured. The IP
address must match 192.168.1.1, and the subnet mask must
match 255.255.255.0. If these values are correct, you can begin
commissioning the device.
Step 3. If you must configure your computer to communicate on the
192.168.1.0/24 subnet, open Microsoft Windows Network
Connections.
a. Type ncpa.cpl in the Run command.
b. Click OK.
The Network Connections window will open. This
window contains a list of the network devices available
on your computer.
Figure 2.18
Open Network Connections With Run Command
Step 4. Right-click on the connection you will use to communicate

with the device, and select Properties. This connection may be
labeled Local Area Connection.
Figure 2.19
Open Connection Properties
Step 5. Select the Internet Protocol (TCP/IP) entry from the This
connection uses the following items list (usually located last
in the list). Click the Properties button.
Date Code 20141001
Instruction Manual
2.12
Getting Started
Device Dashboard
Figure 2.20
Local Area Connection Properties
Step 6. Select Use the following IP address. Enter 192.168.1.1 as the

IP address and 255.255.255.0 as the Subnet mask, as shown in
Figure 2.21. Click the OK button.
Figure 2.21
Internet Protocol (TCP/IP) Properties
Step 7. Click the OK button in the Local Area Connection Properties

dialog box for the new settings to take effect.
Instruction Manual
Date Code 20141001
Section 3
Managing Users
Introduction
This section includes the following:
User-Based Accounts on page 3.1
Adding a User on page 3.2
Editing a User and Resetting a Password on page 3.2
Removing a User on page 3.3
Enabling or Disabling a User on page 3.3
Changing a User Password on page 3.4
User-Based Accounts
The SEL-2488 has user-based access control to provide for greater
authentication, authorization, and accountability. Individuals responsible for
configuring, monitoring, or maintaining the device can have their own unique
user accounts. User-based access controls are organized to answer, Who did
what and when? and allow flexibility for detailed auditing. This structure
also eases the burden of password management for the operators by only
requiring users to remember their own personal passwords. This eliminates
the need for each operator to remember a new password every time an
employee leaves or no longer needs access as required in a global account
structure.
Permissions of the device are organized into roles, and access is granted
through role-based access controls (RBACs). The device has four roles:
Administrator, Engineer, User Manager, and Monitor. User account privileges
are based on the group (i.e., role) in which the user is a member. A brief
overview of each role is provided below.
Users with the Administrator role have full access to the device.
Users with the Engineer role have access to most settings and
information on the device. The main exception to this is user

account management.
Users with the User Manager role have access to manage users
on the device. Access to other settings is restricted.

Users with the Monitor role have read-only access to most of
the device settings.
Date Code 20141001
Instruction Manual
3.2
Managing Users
User-Based Accounts
Adding a User
The device supports as many as 256 unique local user accounts. Please use the
following steps to create a new user account.
Step 1. Log on to the device with an account that is a member of either
the Administrator or the User Manager group. The account you
created during commissioning is one such account.
Step 2. Select the Local Users link from the navigation menu of the
web management interface. This link will open the User
Accounts page. From this page, a user with the Administrator
or the User Manager role can view, add, enable, disable, or
delete other users.
Step 3. Click Add New User.
Step 4. Enter the Username, Role, and Password of the new user. The
password must be entered twice to confirm that it has been
entered correctly.
Figure 3.1
Add New User Form
Step 5. Click the Submit button. This will add the new user to the
device.
Editing a User and

Resetting a Password
The device provides an Administrator or User Manager user with the ability to
edit account information for existing accounts. With this function, users can
reset forgotten passwords, reassign group membership, and enable or disable
an account. Please perform the following steps to reset an accounts password.
Step 1. Log on to the device with an account that is a member of the
Administrator or User Manager group. The account you created
during commissioning is one such account.
Accounts page. From this page, a user with the Administrator
or the User Manager role can view, add, edit, enable, disable, or
delete other users.
Instruction Manual
Date Code 20141001
Managing Users
User-Based Accounts
3.3
Step 3. Click the Edit button associated with the account that you want
to edit. This step will open the Edit User form.
Step 4. To change the users password, enter the new password,
confirm the new password, and click the Submit button.
Removing a User
In the case where an employee leaves the company, you should remove the
employees account to prevent security breaches. The device allows for the
easy removal of user accounts. Please follow these steps to remove an account.
Step 1. Log on to the device with an Administrator or User Manager
account. The account you created during commissioning is one
such account.
Accounts page. From here, an Administrator or User Manager
can view, add, edit, enable, disable, or delete other users.
Step 3. Click the Delete button associated with the account that you
want to remove.
Step 4. Verify that the user to be deleted is the correct user.
Step 5. Once verified, click Yes. If this person is not the correct user,
click No to go back to the User Accounts page.
Enabling or Disabling
a User
If an employee takes an extended leave of absence or has a temporary change

in duties, the employees account should be disabled to prevent unauthorized
access to the device. Disabling the account will maintain the account
information while preventing unauthorized access to the system during the
absence. The account can be reactivated when the employee resumes normal
duties. Please use the following steps to enable or disable a user's account.
Step 1. Log on to the device with an account that is a member of the
Administrator or User Manager group. The account you created
during commissioning is one such account.
web management interface.
Step 3. This link will open the User Accounts page. From here, an
Administrator or User Manager can view, add, edit, enable,
disable, or delete other users.
Step 4. Click the Edit button associated with the account that you want
to edit. This step will open the Edit User form.
Step 5. If an account is currently enabled, uncheck the Account
Enabled button to disable the account. To enable an account
that has been disabled, check Account Enabled.
Date Code 20141001
Instruction Manual
3.4
Managing Users
Centralized User Accounts with LDAP
Changing a User
Password
Many organizations have policies requiring employees to change their system

passwords at regular intervals. To aid with these policies, users on the device
can change their own passwords. Please use the following steps to change
your password.
Step 1. Log on to the device.
web management interface.
Users of the Monitor or Engineer group will only see a Change
Your Password button. Users of the User Manager or
Administrators group will see all user accounts of the device, as
well as the same Change Your Password button.
Step 3. Select the Change Your Password button. This step will bring
up the form to change your password. Enter your old password,
new password, and click the Submit button to change your
password.

Lightweight Directory Access Protocol (LDAP) is used by many IT
departments to manage the users and devices on their corporate networks.
LDAP is included in the SEL-2488 to provide a mechanism for centralized
user management. With LDAP, users can be managed at a central server.
When a user who does not have a local account requests access to the device,
the device will consult the central directory to find their account and verify
that they are authorized to access the unit, see Figure 3.2.
User Administrator
Engineering Station
LDAP Server
SEL-2488
SEL-3354
SEL-2488
Log in as Alice
Is Alice an authorized user?
Yes
Connection Established
Log in as Bob
Is Bob an authorized user?
No
Connection Refused
Figure 3.2
LDAP Logon Process
Instruction Manual
Date Code 20141001
Managing Users
3.5
To support this behavior, certain parameters must be configured in the

SEL-2488 to allow it to communicate with your LDAP server. All of these
parameters are configurable through the web interface. To configure LDAP on
your device, access the web interface and log on using an account with
administrative privileges.
The device has been tested to bind with the following LDAP servers in
supported configurations:
Active Directory Domain Services on Windows Server 2008
Server Standard/Enterprise
CentOS Directory Server 8.1 on CentOS 5.55.6
NOTE: This device is not compatible
with LDAP deployments that permit
commas in usernames.
SEL cannot guarantee that the device will be compatible with all possible
LDAP server architectures and implementations. Commissioning and
configuration of an LDAP server typically requires advanced knowledge of
certificate authority hierarchies and centralized user group configurations. It is
important that an organizations LDAP server administrators be involved
during the design and implementation process to ensure that the device
settings will be compatible with your organizations specific trust
management infrastructure.
Hosts
The device needs to know the name and IP address of your LDAP server in
order to know how to contact it. Select Hosts from the navigation panel on
your web page to view and edit the Hosts settings, see Figure 3.3.
Figure 3.3
Host Settings
The Host Settings page provides a method to statically map IP addresses with
external device hostnames such as your LDAP servers. To map an IP address
to a hostname, select Add Host. The SEL-2488 supports as many as 64 hosts.
LDAP Certificates
LDAP requires X.509 authentication in order to create binds (authenticated

connections) between the server and client. This is to ensure that attackers are
not spoofing the authentication server to gain unauthorized access. The device
requires that the root certificate of the LDAP servers certificate chain is stored
locally.
LDAP Settings
Now that your device knows who and where your LDAP servers are, we can
configure the device to access those servers. Select Accounts / LDAP in the
navigation panel on your web page to view the LDAP configuration (see
Figure 3.4).
Date Code 20141001
Instruction Manual
3.6
Managing Users
Figure 3.4
LDAP Configuration Summary
Figure 3.5 shows the LDAP Connection Settings form and all the options for
communicating with your LDAP servers. To simplify configuration, we have
included a form for your LDAP administrators to complete, which you can use
to populate all the LDAP fields. This form is located in Appendix D:
Lightweight Directory Access Protocol.
Instruction Manual
Date Code 20141001
Managing Users
Figure 3.5
3.7
LDAP Communication Settings
The LDAP Enabled setting must be set checked in order to make centrally
managed accounts available to the SEL-2488 for logins. When LDAP is
enabled, if the credentials entered by the user are not found in the locally
configured accounts on the SEL-2488, it will next consult the enterprise
directory using LDAP to attempt to authenticate the user. If LDAP
authentication is successful, the directory service will supply user attributes
that indicate the privilege level of the user when logging onto this device.
The TLS Required setting determines whether the connection to the LDAP
server will be protected by a TLS session. Using TLS requires that the LDAP
server be provided with a suitable X.509 server certificate, and that the
SEL-2488 import a suitable CA or server certificate.
The Synchronization Interval setting exists to reduce the overhead
associated with pulling account information from an LDAP server. The device
locally caches the credentials and privileges of centralized users for the period
of time configured. The synchronization interval is settable from 0 to 24
hours. If the synchronization interval is set to 0, then the device will
resynchronize on every logon. The synchronization interval exists to speed up
the logon process. The SEL-2488 will continue to verify the authenticity of
users against the central directory even if their privilege information is locally
cached.
Group Membership Attribute, Search Base, User ID Filter, and Group
Filter settings are used by the SEL-2488 to construct queries to the LDAP
server to locate the user and then to verify his credentials. The exact form and
content of these items must be carefully entered from information supplied by
the LDAP administrator. Using the form in Appendix D: Lightweight
Directory Access Protocol is recommended to collect this information.
Date Code 20141001
Instruction Manual
3.8
Managing Users
The Search Base can be thought of as the root directory to begin your
user search from. It is formed by listing all the components of the search
base separated by commas going from the most specific component to the
broadest component. In the figure above, the Search Base is configured as
DC=centralauth,DC=local. In this search base, DC refers to domain
component. The domain components are later combined with . to create
the search domain. In this case the search domain is centralauth.local.
This search base can be interpreted to mean search the directory residing
on an LDAP server in the centralauth.local domain.
NOTE: The broader your search

base, the more users/groups may be
able to access the device. Broader
search bases can take significantly
more time to search than search
bases that use more specific
organizational units or groups.
One other common component of LDAP queries is CN. The component

CN is short for common name. It is a name that refers to a specific
object that may or may not be unique. Examples of CNs are groups and
user names.
The User ID and Group Member attributes are the LDAP labels that
identify the usernames and groups of users of the system. If these are not
correctly entered, the device will not be able to determine which LDAP
fields to search for usernames or privileges. The User ID should be
configured similar to (sAMAccountName={USERNAME}) or
(uid={USERNAME}). In these examples, sAMAccountName or uid
is the name of the attribute on the directory server that identifies the
ownership of a user account. The {USERNAME} portion of the User ID
is the variable that holds the username of the person attempting to log on
to the device. For example, if the User ID were configured as
(sAMAccountName={USERNAME}), and a person with the username
jsmith were to attempt to log on to the device, then the device would
search the LDAP directory for an entry with a sAMAccountName
attribute that contained a value of jsmith. This field is extendable, so
you can search for entries matching multiple criteria. For example, the
search field (&(sAMAccountName={USERNAME})
(memberOf=cn=activeusers,dc=your,dc=domain)) would only allow
access to users with a valid username who are members of the activeusers
group of your domain.
The Use Anonymous Bind setting determines how the SEL-2488 accesses
the LDAP server. The device supports both authenticated and anonymous
binds to your LDAP servers. Authenticated binds use a service account to
access the LDAP server. If the service account is revoked, or the password
expires, the device will not be able to access the LDAP server, and centralized
users will be unable to access the device. Anonymous binds forgo the use of
service accounts. Find out from your LDAP administrator which method is
preferred for your system.
If you do not use anonymous bind, you will need to supply the service account
username in the Bind DN field, and you will need to supply the password in
the Bind DN Password fields.
LDAP Servers
The Configured Servers section lists the LDAP servers that the SEL-2488
will use to authenticate logons.
To improve availability when the primary LDAP server may be inaccessible,
the device supports accessing a secondary LDAP server. To add an LDAP
server, click the plus (+) sign below the Configured Servers table. This will
add a new row to the table. Enter the hostname and port number of your
server, and click Submit (see Figure 3.6).
Instruction Manual
Date Code 20141001
Managing Users
Figure 3.6
3.9
Adding an LDAP Server
LDAP servers are identified by their hostname and port numbers. Use
Port 389 unless a different port number is specified by your LDAP
administrator. This information should be obtained from your LDAP
Administrators using the form found in Appendix D: Lightweight Directory
Access Protocol.
The device allows for two LDAP servers to be configured for redundancy and
increased reliability. LDAP servers are assigned a priority and will be queried
in their order of priority until the user accessing the device is found, or the list
has been exhausted.
Group Mappings
The device has specific device roles that can be mapped to LDAP group
memberships on the Group Maps tab. The view shown in Figure 3.7 has a
single group defined for administrators.
Figure 3.7
Group Mappings Showing a Single Group
Click the plus sign (+) at the end of the table to configure a new group
mapping in a new row of the table. On the new table row, select the device role
from the drop down list in the left column. You can enter the Mapped DN
string yourself, or you can click the list icon at the end of the Mapped DN
field. When you click the list icon, the SEL-2488 will query your LDAP
server and then show a hierarchical tree of directory groups that can be
searched using your Search Base. Scroll through the tree as necessary to find
the correct group, select it with a mouse click, and click Submit. Opening a
new row in the table is shown in Figure 3.8.
Figure 3.8
Date Code 20141001
Adding a New Role
Instruction Manual
3.10
Managing Users
To expand the tree of groups for a row of the table, click the list icon at the
right end of the Mapped DN field in the table. Clicking the icon again will
close the tree of groups. Figure 3.9 shows the tree of possible groups that
appears after clicking the list icon.
Figure 3.9
Selecting a Group from the Tree Display
If you cannot find an appropriate group, your server administrator may need to
create new groups and assign members appropriate for these mappings. Work
with your LDAP administrator to determine group mappings using the form
found in Appendix D: Lightweight Directory Access Protocol.
The last tab on the LDAP page is Flush LDAP User Cache. Clicking the
Flush Cache button flushes the LDAP user cache, which will cause all LDAP
users to be logged out of the device and will force authentication information
to be refreshed from the server on each accounts next login.
Instruction Manual
Date Code 20141001
Section 4
Applications
Introduction
This section includes the following:
Time-code Distribution
Cable Delay Compensation
Network Time Protocol (NTP)
Time-Code Distribution
The SEL-2488 has sufficient drive capacity to provide demodulated and
modulated time-code signals to many products simultaneously.
Demodulated Time
Code
Table 4.1
Table 4.1 shows typical drive capabilities per demodulated BNC output for the
SEL-2488 to other SEL equipment. The demodulated BNC outputs provide a
standard IRIG-B00X DC level-shift (TTL) signal. The drive capability of each
output is 250 mA at a nominal level of 5.0 V. A series/parallel connection of
SEL-100 and SEL-200 series products consists of two relays in series, with as
many as ten of the series pairs connected in parallel.
Output Drive Capacity (Sheet 1 of 2)

Connection
Input Impedance
(Ohms)
Units Per SEL-2488

Output
SEL-100 Series
AUX INPUT (Conxall)
56/82
2 parallel, 20 series/parallela
SEL-200 Series
AUX INPUT
56/82
2 parallel, 20 series/parallela
(DEMODULATED) IRIG-B
333
10b
IRIG-B
750
10b
333
10b
IRIG-B, serial port
2.5K
20c
IRIG-B, BNC
>1K
20d
333
10b
SEL-651R
IRIG-B
1.33K
20c
SEL-700 Series
IRIG-B
4.5K or 2.5Ke
20c
SEL-734
IRIG-B
2.5K
20c
IRIG-B (In) (BNC)
333
10b
SEL-2240
IRIG-B
2.5K
20c
SEL-2411
IRIG-B
4.5K or 2.5Ke
20c
SEL-2414
IRIG-B
4.5K or 2.5Ke
20c
Product
Legacy SEL-300 Series

New SEL-300 Series
SEL-351R and SEL-351R Falcon
SEL-400 Series
New SEL-400 Series
SEL-500 Series
SEL-2032, SEL-2030, SEL-2020
Date Code 20141001
Instruction Manual
4.2
Applications
Table 4.1
Output Drive Capacity (Sheet 2 of 2)

Connection
Input Impedance
(Ohms)
Units Per SEL-2488

Output
SEL-2431
IRIG-B
750
10b
SEL-2440
IRIG-B
2.5K
20c
SEL-2523, SEL-2533
IRIG-B
2.5K
20c
SEL-2810MT
IRIG-B
25K
20c
SEL-2812MT
IRIG-B
2K
20c
SEL-3031
IRIG-B
333
10b
SEL-3350 Series, SEL-3530, SEL-3610,

SEL-3620, SEL-3622
IRIG-B
2.5K
20c
SEL-3401 manufactured before Sept. 2011
IRIG-B (In)
332
10b
SEL-3401 manufactured Sept. 2011 or later
IRIG-B (In)
1.33K
15b
Product
a
b
c
d
e
Do not add external terminating resistor.

Install 50-ohm termination resistor on farthest device for four or fewer devices.
Install 50-ohm termination resistor on farthest device.
Set internal 50-ohm termination resistor on farthest device.
2.5 kilohm if no Ethernet or single copper Ethernet port; 4.5 kilohm if fiber-optic or dual Ethernet port(s).
The maximum cable length is 152 m (500 feet). Connect multiple devices as
illustrated in Figure 4.1.
152 m (500 feet)
maximum
...
SEL-2488
Clock
50
*
...
* Keep this connection as short as possible.

Figure 4.1
Multiple-Device Connections
Modulated Time Code

The modulated output is a standard IRIG-B12X amplitude-modulated signal.
The accuracy of this signal is 1 s peak. The nominal output level is
6.2 Vpp. This output drives multiple devices in parallel. Maximum cable
length is 152 m (500 feet).

The SEL-2488 provides time-delay compensation for antenna cables and
output cables on a per-port basis to preserve accuracy. The SEL-2488 uses a
delay of 5 ns per meter for the time code output cables and 3.9 ns per meter for
the antenna cable. The cable delay compensation for the SEL-2488 clock
ensures high-accuracy time distribution in large facilities with dispersed IEDs
or in installations where antennas must be mounted high on towers. The
SEL-2488 supports a maximum 152 meters (500 feet) of LMR-400 for an
antenna cable and a maximum 152 meters (500 feet) of RG-58 for an output
cable. Figure 4.2 shows an example of a clock with an antenna and two output
ports. One output port is configured for a 6 meter (20 feet) cable. Another is
configured for 36.6 meters (120 feet), accounting for a difference of 150 ns.
Instruction Manual
Date Code 20141001
Applications
4.3
60 meters, 237 ns Delay
SEL-2488
IED
Figure 4.2
IED
SEL-2488 Cable Delay Compensation Example
The time output delay compensation can be set in the same manner as for the
satellite antenna cable delay compensation. If you use a time output connected
to multiple IEDs, you must take a few things into consideration. The
SEL-2488 has eight time outputs, so it is necessary to attempt grouping IEDs
according to their locations from the SEL-2488 (Figure 4.3). Grouping the
IEDs with respect to location helps minimize time inaccuracy for each device.
Once the IEDs are grouped, measure the distance to the farthest device and
measure the distance of the closest device all connected to one of the time
outputs. For example, assume that the farthest distance to the last IED is
60 meters and that the closest device is 40 meters. The setting should then be
at 50 meters. In this scenario, the last and first device would incur an
additional 50 ns of inaccuracy. This is very small, considering that the strictest
timing requirement is 500 ns.
SEL-2488
TO 1
Figure 4.3
TO 2
TO 3
SEL Relay
SEL Relay
SEL Relay
SEL Relay
SEL Relay
SEL Relay
SEL Relay
SEL Relay
SEL Relay
SEL-2488 Grouping for Using Cable Delay Compensation
Compensating for both the antenna cable and time output cable will help
maintain a very tight timing tolerance to all devices locally and to devices
distributed across the power system.

NTP is the industry standard protocol for Ethernet-based time synchronization
of computers. The SEL-2488 includes four standard Ethernet ports to serve
NTP time to devices on the substation local-area network (LAN), such as
servers, computers, and other devices that set their time through NTP or the
Simple Network Time Protocol (SNTP). The SEL-2488 can serve NTP to four
independent networks and can act as a stratum 1 time server on the network
with typical client synchronization accuracy of 0.52 ms. The SEL-2488
Date Code 20141001
Instruction Manual
4.4
Applications
supports multicast, broadcast, and unicast to synchronize NTP clients. A

future firmware release will support time synchronization for manycast
clients.
The diagram below shows an SEL-2488 using a combination of output
protocols, IRIG-B to precisely synchronize IEDs for protection applications
and NTP to time synchronize computers and other LAN devices.
SEL-2488
NTP
Ethernet Switch
NTP
IRIG-B
IED
IED
IED
IED
IED
Figure 4.4 Functional Diagram for Utility Substation Time Synchronization
Instruction Manual
Date Code 20141001
Section 5
Settings
Introduction
This section explains the settings and commands of the device.
Reports on page 5.1
Syslog Report
Time Management on page 5.3
GNSS Settings
NTP Settings
Time-Code Outputs
Network Settings on page 5.9
IP Configuration
Static Routes
Syslog Settings
Hosts
Accounts on page 5.13
Local Users
LDAP
Security on page 5.14
X.509 Certificates
System on page 5.15
Global Settings
Front Panel
Date/Time
Contact I/O
Usage Policy
File Management
Device Reset
Reports
Syslog Report
Date Code 20141001
The SEL-2488 uses the Syslog message format to record event data. The and
can store as many as 60,000 Syslog messages. The device can also forward
Syslog messages to three destinations.
Instruction Manual
5.2
Settings
Reports
The Syslog message format includes five fields:

Severity
Facility
Tag name
Timestamp
Message
A message can have seven different severity ratings, ranging from

informational to emergency. There are three possible facilities on the device:
user, system, and security. The Tag field indicates which part of the system
generated the message. The Timestamp and Message fields include the time
stamp of when the message was generated and the message description. The
syslog events will display in local time when viewed from the web browser. If
the syslog events are sent to a syslog server, then the times tamp will be in
UTC time format. For more information about Syslog, refer to Appendix E:
Syslog.
Select the Syslog Report link from the navigation panel to show the local
system logs of the device (see Figure 5.1).
Figure 5.1
Sample Syslog Report
Instruction Manual
Date Code 20141001
Settings
Time Management
5.3
Device system logs display in the order of their generation. Select a field label
at the top of the list to reorder the messages according to the value of that
field. For example, selecting the Severity label reorders the list by severity.
Event messages in the device have two states: unacknowledged and
acknowledged. These two states exist to make identification of abnormal event
generation easier. Large numbers of unacknowledged messages can indicate
high levels of activity on the device.
Message acknowledgment also assists with log documentation. In your
periodic examination of logs, acknowledge existing logs. When you examine
logs in the future, the previously acknowledged logs will limit the logs of
concern to only those logs the device has generated since the last examination.
Click the Acknowledge Selected button to acknowledge selected system logs.
All system logs can be acknowledged by selecting the Acknowledge All
button. You cannot remove system logs from the device without issuing a
factory-default reset.
The Download button allows you to save log messages in an offline format.
Time Management
GNSS Settings
Table 5.1
Use the GNSS settings (Figure 5.2) to customize settings for the GNSS
receiver. Through use of these settings, you can enable or disable the receiver
and compensate for the antenna cable. The standard antenna cable used with
the SEL-2488 has a 3.9 nanosecond/meter delay. When you set the cable
length setting to the cable length used, the SEL-2488 automatically
compensates for the delay incurred because of the cable.
GNSS Settings
Field Name
Values
Default
Description
GNSS Time Source
Enable, Disable
Enable
Enables the use of GNSS as a time source.
Antenna Cable
Length
0300 meters
25
Length of the cable (in meters) between the

device and the antenna. This value is used to
compensate for the signal delays due to the
antenna cable.
Satellite Signal
Verification (SSV)
Enable, Disable
Disable
Provides a layer of protection against GNSS

attacks, when enabled. While enabled, the
system monitors the GNSS signals for any
potential problems. If a potential problem is
detected, the system takes the action prescribed
by the Failure Action setting.
NOTE: For the SSV to be operational, you must
use the Dual-Constellation GPS Antenna Kit
(915900378).
Failure Action
Notify, but continue to use

GNSS as a time source
Notify, and stop using
Notify, but continue to use

Determines the device action when SSV detects

a potential problem.
Enable Holdover
Alert
Enable, Disable
Enable
Closes alarm contact and generates a SYSLOG

event in the event of lost satellite lock and the
device operates in the holdover mode.
Holdover Alert
Pickup Delay
0120 minutes
Pick up delay for holdover alert notifications.

Notifications will occur when no external time
source has been active for <Holdover Alert
Pickup Delay> minutes.
Date Code 20141001
Instruction Manual
5.4
Settings
Time Management
Satellite Signal Verification

The SEL-2488 is capable of receiving signals from two satellite constellations
to validate GPS time signals, providing a layer of protection from GPS
spoofing attacks. To enable Satellite Signal Verification, you must enable the
verification setting in the web interface and use the Dual-Constellation GPS
Antenna Kit (915900378). For the SEL-2488 Table 5.2 shows which GNSSs
are in use based on Satellite Signal Verification Setting.
Table 5.2
NOTE: If you enable the satellite

signal verification, the clock will not
lock unless you use the specified dualconstellation antenna and the clock
verifies both constellations.
SEL-2488 GNSS Setting
SEL-2488 GNSS Setting
GNSS Used
Satellite Signal Verification (SSV) Disabled (default)
GPS
Satellite Signal Verification (SSV) Enabled
GPS & GLONASS
Once the SEL-2488 is locked and signal verification is enabled, the Failure
Action setting determines what steps to take when a spoofing event is
detected. Once the setting is enabled the default action for the SEL-2488 is
Notify, but continue to use GNSS as a time source. This will create a syslog
event and change the Satellite Lock LED on the front panel to amber when
satellite signals can no longer be verified. In this mode, the clock continues to
use the suspect signals for timekeeping regardless of the satellite errors. When
Notify, and stop using GNSS as a time source is selected the clock goes
immediately into holdover, creates a syslog event, and does not use GNSS for
time keeping until the time from that source can be properly verified.
Figure 5.2
GNSS Settings
Notification
The holdover alert settings enable operation of the alarm contact when the
device is unable to synchronize to any external time sources. By default, the
Enable Holdover Alert is set to Enabled and Holdover Alert Pickup Delay is
Instruction Manual
Date Code 20141001
Settings
Time Management
5.5
set to 0. By default, the device is unable to synchronize to a time source and

causes immediate closure of the alarm contact and a SYSLOG event notifying
the event. To delay this alarm the pickup delay can be set for as long as 120
minutes. To disable notification when loss of satellite lock occurs, disable the
check box for Enable Holdover Alert.
Network Time
Protocol Settings
(NTP)
Network Time Protocol (NTP) is a widely used message-based time

synchronization protocol used to synchronize the system clocks among a set
of distributed time servers and clients. The SEL-2488 can be configured as an
NTP server. When using NTP as time synchronization protocol, time
synchronization between the client and server depend on network conditions
as well as the specific NTP implementation in these devices. Typically, time
synchronization accuracies using NTP are measured in milliseconds.
NTP has three modes of operation; primary server, secondary server, and
client. A primary server is synchronized directly to a reference clock, such as
a GNSS receiver. A client is synchronized to one or more upstream servers but
does not provide any synchronization to dependent clients. A secondary server
has one or more upstream servers and one or more downstream servers, or
clients. SEL-2488 operates as a primary server.
The level of each NTP server in the NTP hierarchy is defined by a number
called the stratum, with the primary servers (e.g., SEL-2488) assigned
stratum one and the secondary servers at each level assigned one greater than
the preceding level. As the stratum increases from one, the accuracies
achievable degrade depending on the particular network path.
The SEL-2488 supports serving NTP to as many as four Ethernet ports. The
SEL-2488 synchronizes NTP according to NTP v4 (RFC 5905). The
SEL-2488 can use unicast, multicast, or simultaneous broadcast messages to
serve all four Ethernet ports with NTP server time.
To use NTP server, you must first enable NTP Server on a per-port basis (see
IP Configuration). The NTP Server setting enable is found in IP
Configuration under the Network Settings tab. Use the NTP server enable
setting from this location to configure NTP for each of the four Ethernet ports.
Once you have enabled the NTP server, the SEL-2488 allows unicast NTP
server sessions on the enabled port. The NTP LED on the front panel turns on
to indicate that at least one Ethernet port has NTP enabled. Once NTP server
is enabled, the NTP settings for multicast and broadcast can be configured in
the NTP Settings window, as shown in Figure 5.3.
Figure 5.3
Date Code 20141001
NTP Settings
Instruction Manual
5.6
Settings
Time-Code Outputs
NTP Multicast
Mark the check box in Figure 5.3 to enable NTP Server Multicast. Once you
have enabled NTP server multicast, you can configure the multicast interval
and multicast address. The multicast interval sets the period of time during
which the SEL-2488 sends NTP time to the corresponding multicast address.
The multicast address must conform to "www.xxx.yyy.zzz," where www, xxx,
yyy, zzz = strings with as many as 13 digits representing values of 0255.
The multicast address must contain Class D (224.0.0.0239.255.255.255)
range IP addresses not allocated to other Ethernet ports.
Table 5.3
NTP Multicast/Broadcast Settings
Field Name
Values
Default
Description
Enable NTP
Multicast
Enable, Disable
Disable
Enables the use of NTP as a

multicast server.
Enable NTP
Broadcast
Enable, Disable
Disable
Enables the use of NTP as a

broadcast server operating on
a zero network of the local
port IP address.
Broadcast Interval
16131072 seconds
64
Sets the interval when the

NTP server sends time to the
corresponding broadcast
address.
Multicast Interval
16131072 seconds
64
Sets the interval when the

NTP server sends time to the
corresponding multicast
address.
Multicast Address
Class D IP addresses
224.0.1.1
Sets the NTP server multicast

IP address.
NTP Broadcast
To enable NTP server broadcast, enable the checkbox in Figure 5.3. Once you
have enabled NTP broadcast, you can set the broadcast interval. The broadcast
interval sets the period of time the SEL-2488 sends NTP time to the
corresponding broadcast address. The broadcast address will be the zero
network corresponding to the IP address of the corresponding Ethernet port.
Time-Code Outputs
The Time Code Outputs page allows setting of time outputs T01 through T08
and COM1 (see Figure 5.4). From this page, you can configure all of these
time outputs.
Instruction Manual
Date Code 20141001
Settings
Time-Code Outputs
Figure 5.4
5.7
Time-Code Outputs
Table 5.4 lists all the settings in the time-code output settings. All time outputs
allow configuration of the ports as IRIG-B002, IRIG-B004, PPS, and KPPS.
Ports T01 through T04 can also be configured as modulated IRIG-B122 or
IRIG-B124. The first four ports, when configured as modulated time, can only
be set to one time code format and time reference.
Table 5.4
Time-Code Output Settings
Field Name
Values
Default
Description
T01T04
IRIG-B002, IRIG-B004, Modulated

IRIG, PPS, KPPS
IRIG-B004
Sets T01T04 to the specified time format.
T05T08
IRIG-B002, IRIG-B004, PPS, KPPS
IRIG-B004
Sets T05T08 to the specified time format.
Time Reference
Local, UTC
UTC
Sets the time format to local or UTC time for

IRIG-B set ports.
Output Cable Length
0300 meters
Compensates for the delays due to the cable

connected to the port.
Time Code Format for

Modulated IRIG Outputs:
IRIG-B122, IRIG-B124
IRIG-B124
Sets ports established for Modulated IRIG to

the Modulated time format.
Time Reference for

Modulated IRIG Outputs:
UTC, Local
UTC
Sets the time format to local or UTC time for

T01T04 set to Modulated IRIG.
Parity for IRIG-BXX4 Outputs:
Even, Odd
Odd
Sets the parity of the IRIG-B frame.
IRIG-B
IRIG-B is a serial data time format consisting of a 1-second frame that
contains 100 pulses divided into fields. The time-synchronized device decodes
the second, minute, hour, and day fields and sets the device internal time clock
upon detecting valid time data in the IRIG time mode. The SEL-2488 provides
both modulated and demodulated IRIG-B outputs according to the IRIG
Date Code 20141001
Instruction Manual
5.8
Settings
Time-Code Outputs
200-04 and IEEE C37.118.1 (2011) standard. Modulated IRIG-B is

IRIG-B12X. Demodulated IRIG-B time code is IRIG-B00X. The last digit,
either 2 or 4, indicates the coded expression(s).
The time code format IRIG-BXX2 is binary-coded decimal (BCD) time code.
This format represents traditional or legacy IRIG-B.
The time code format IRIG-BXX4 consists of BCD time code, plus straight
binary seconds (SBS) of the day (086400 s), and also contains control
function extensions that include data for the following: year, leap second,
daylight time, UTC time offset, time quality, continuous time quality, and
parity. Table 5.5, Table 5.6, and Table 5.7 list the control bit functions when
IRIG-B004 or B124 time formats are in use. For more information on the
control bit functions, see Annex D of the IEEE C37.118.1-2011 standard.
NOTE: IRIG-B004 and B124 are new
time formats that replace and are
backwards compatible with IRIG-B000
and B120. The new formats contain
the same control bits with the addition
of continuous time quality.
Control function extensions are described in Annex F of IEEE

C37.118.1-2011.
Table 5.5
IRIG-B Control Bit Assignments (Sheet 1 of 2)
Control
Bit #
Designation
Description
Year, BCD 1
Last digit of year in BCD.
Year, BCD 2
Year, BCD 3
Year, BCD 4
Not Used
NA
Year, BCD 10
Tens digit of year in BCD.
Year, BCD 20
Year, BCD 40
Year, BCD 80
P6
Position identifier #6.
10
Leap Second Pending (LSP)
Becomes 1 at 59 seconds before leap

second insert.
11
Leap Second (LS)
0 = Add leap second, 1 = Delete leap

second.
12
Daylight Saving Pending (DSP)
Becomes 1 at 59 seconds before DST

change.
13
Daylight Savings Time (DST)
Becomes 1 during daylight-saving time.
14
Time Offset Sign
Time offset sign 0 = +, 1= .
15
Time Offset Binary 1
16
Time offset coded IRIG-B to UTC time.

IRIG coded time minus time offset equals
UTC at all times.
17
18
P7
19
Time Offset 0.5 hours
0 = none, 1 = additional 0.5 hour time

offset.
20
Time Quality Binary 1
21
Four-bit code representing the

approximate clock time quality. See
Table 5.6 for Time Quality indicator code.
22
23
Instruction Manual
Date Code 20141001
Settings
Network Settings
Table 5.5
IRIG-B Control Bit Assignments (Sheet 2 of 2)
Control
Bit #
Designation
Description
24
Parity
Parity on all preceding data bits.
25
Continuous Time QualityBinary 1
26
27
Three-bit code representing the maximum

time inaccuracy of the transmitted
message. CTQ indicates error at all times.
See Table 5.7 for CTQ indicator code.
P8
Table 5.6
Four-Bit IRIG-B Time Quality (TQ) Code
Binary
Hex
Value
1111
Time not traceable to UTC
1011
Time within 10 seconds of UTC
1010
Time within 1 second of UTC
1001
Time within 100 ms of UTC
1000
0111
0110
Time within 100 s of UTC
0101
0100
0011
Time within 100 ns of UTC
0010
0001
0000
Clock is locked
Table 5.7
5.9
Three-Bit Continuous Time Quality (CTQ) Code
Binary
Hex
Value
111
Maximum time inaccuracy > 10 ms or unknown
110
Maximum time inaccuracy < 10 ms
101
Maximum time inaccuracy < 1 ms
100
Maximum time inaccuracy < 100 s
011
010
001
Maximum time inaccuracy < 100 ns
000
Not used (set to 0 if using IRIG-BXX0 or BXX2)
Network Settings
IP Configuration
Date Code 20141001
The IP Configuration page provides the configuration options for the Internet
Protocol (IP) settings of the device. ETH F is used for initial commissioning and
local access.
Instruction Manual
5.10
Settings
Network Settings
Remote Network
SEL-3620
SEL-3354
Mgmt
SEL-2488
ETH F
Local Access
Figure 5.5
Table 5.8
IP Configuration
General Network Settings
Field Name
Values
Default
Description
Hostnamea
163 characters
SEL<SERIAL#>
The unique name identifying the device on the network.
Domain Namea
0253 characters
N/A
The domain name of which the device is a member.
Default Gateway
Unicast network address
N/A
The IP address of the device used to transfer packets to another

network.
The Hostname and Domain Name combined length must be less than 255 characters.
Table 5.9
ETH F Network Interface Settings
Field Name
Values
Default
Description
Enabled
Enabled, Disabled
Enabled
Administratively enables or disables the interface.
Alias
132 characters
ETH F
Associates a name with the network interface.
IP Address
Unicast IP address
192.168.1.2/24
Establishes the IP address of the interface. The device uses classless

inter-domain routing (CIDR) notation to assign the subnet mask.a
HTTPS
Enabled, Disabled
Enabled
Enables or disables HTTPS on the interface.
Captive Port
Enabled, Disabled
Enabled
Enables or disables captive port on the interface.
The IP address and subnet for ETH F cannot be the same as for any of the other Ethernet ports on the device ports or for the Management
Network Interface.
When captive port is enabled on ETH F, the device provides an IP configuration

to connected devices that are configured for DHCP. The IP configuration the
device issues sets the connected device to use the ETH F IP address as the
default gateway and DNS server. The configuration of the DNS server on the
device resolves any DNS queries to the ETH F IP address. This redirects all
traffic from connected devices to the ETH F IP address. This configuration is
useful in the event the ETH F IP address is unknown.
Enable the captive port feature by connecting a computer configured for
DHCP to ETH F. Your making this connection causes the device to issue the IP
configuration for your computer that permits use of this feature. Simply open
your web browser and navigate to any site (e.g., www.selinc.com); the device
resolves this query to the ETH F IP address and redirects you to the web
management interface of the device.
Instruction Manual
Date Code 20141001
Settings
Network Settings
Table 5.10
ETH 14 Network Interface Settings
Field Name
Values
Default
Description
Enabled
Enabled, Disabled
Disabled
Administratively enables or disables the interface.
Alias
132 characters
IP Address
Unicast IP address
N/A
Determines the IP address of the interface. The device uses classless interdomain routing (CIDR) notation to assign the subnet mask.
HTTPS
Enabled, Disabled
Disabled
Enables or disables HTTPS on the interface.
NTP Server
Enabled, Disabled
Disabled
Enables or disables NTP Server on the interface.
Static Routes
Figure 5.6
5.11
Associates a name with the network interface.
The SEL-2488 supports a default gateway to allow users on different networks

to access the web interface from any of the four Ethernet ports. Static routes
are necessary to reach additional devices located on different networks. The
Static Routes page lets you define alternate routes to allow access to multiple
different networks.
Static Routes
Figure 5.6 displays the Static Routes page with as many as 32 different routes
for configuration. The remote network is the location of a device trying to
access the SEL-2488. The gateway is the address to which the SEL-2488 must
route data if access comes from a device on the specified remote network.
Syslog Settings
Date Code 20141001
Syslog is a specification that describes both the method and format in which
the device stores logs locally and routes them to a collector. The device logs
many different types of events such as system startup, login attempts, and
configuration changes. The device can send its log information to three
destinations and store as many as 60,000 event logs locally in nonvolatile
Instruction Manual
5.12
Settings
Network Settings
memory. Each destination, including the local device, has a configurable

logging threshold. For more information about Syslog, please refer to
Appendix E: Syslog.
Select the Syslog Settings link from the navigation menu to configure the
Syslog settings for the device. Use the Syslog Settings page (see Figure 5.7)
to configure the local logging threshold, as well as remote Syslog destinations.
The Local Logging Threshold setting indicates the minimum severity that a
Syslog message must have for the device to store that message locally.
Similarly, the logging threshold under Syslog Destinations determines the
minimum severity that a Syslog message must have for that message to be sent
to the configured Syslog server. For a description of these severity levels,
please refer to Appendix E: Syslog.
Figure 5.7
Syslog Settings
Table 5.11
Syslog Threshold Values
Field Name
Values
Default
Description
Local Logging
Threshold
Error
Warning
Notice
Informational
Notice
The minimum severity level that an

event must have to be stored locally
on the device.
Setting the logging threshold too low can result in the device generating many
logs. Setting the threshold too high can result in the device failing to record
important messages.
The settings under Syslog Destinations are to configure remote Syslog
destinations. These destinations are the Syslog servers that will store the
Syslog events remotely. You can configure as many as three remote
destinations. To configure the device to send Syslog events to a remote Syslog
server, enter the Alias and IP Address of the remote Syslog server, and
specify the logging threshold of the Syslog events to be sent to the remote
Syslog server.
Table 5.12
Syslog Destination Settings
Field Name
Values
Default
Description
Alias
132 characters
N/A
A name that is associated with the

Syslog destination.
IP Address
Unicast IP Address
N/A
The IP address of the Syslog

destination.
Logging
Threshold
Alert
Critical
Error
Warning
Notice
Informational
Warning
The minimum severity level that an

event must have to be forwarded to
this destination.
Instruction Manual
Date Code 20141001
Settings
Accounts
Hosts
5.13
Use the Hosts page to add hosts for configured servers when you are using
LDAP. LDAP settings require a hostname identified from an X.509 certificate.
The SEL-2488 does not resolve host names to IP address automatically from
the X.509 certificate. The Hosts page allows you to define a hostname and
resolve it to an IP address so that LDAP can connect to a centralized server.
The SEL-2488 does not provide a DNS solution. Perform the following steps
to add a host or network:
Step 1. From the Hosts page, click Add Hosts. This will cause a page
such as that in Figure 5.8 to display.
Figure 5.8
Add Hosts
Step 2. Enter the hostname you want to use for the host you will be
adding.
Step 3. Enter the host IP address.
Step 4. Enter as many as 16 entries on the Hosts page.
Step 5. Click Submit to complete.
Table 5.13
Add Hosts Settings
Field Name
Values
Default
Description
Hostname
1 to 64 characters
N/A
A name that is associated with the

host or network.
IP Address
Host IP address
(e.g., 192.168.10.10)
N/A
IP address for the configured

LDAP server(s).
Accounts
Local Users
Use the Local Users page to add, remove, and update local user accounts for
the device. Refer to Section 3: Managing Users for more information
regarding local user accounts.
LDAP
Use the LDAP page to set up, configure, and connect to a centralized
authentication server. Refer to Centralized User Accounts with LDAP on
page 3.4 for more information regarding LDAP.
Date Code 20141001
Instruction Manual
5.14
Settings
Security
Security
X.509 Certificates
HTTPS (SSL/TLS) connections require authentication to confirm that the

server with which you are communicating is the correct server. This
authentication is through X.509 certificates. By default, the device has a selfsigned X.509 certificate that can cause your web browser to issue a security
alert. This security alert will require a security exception for authentication to
continue. To prevent this security alert from appearing, install a CA-signed
X.509 certificate on the device. If your web browser has been configured to
trust the CA issuing and signing the certificate, the X.509 certificate will be
trusted and the security alert will no longer display.
The device supports one X.509 certificate that is used for HTTPS
communications between the client web browser and the web server running
on the device. The X.509 Certificates page has options to view, rename,
export, import, and regenerate the X.509 certificate. Descriptions follow for
each of these options.
View
This option provides a detailed view of the installed certificate.
Rename
This option provides a form for renaming the certificate. The Certificate
Name field can contain as many as 128 characters.
Figure 5.9
Renaming Certificates
Import
This option provides a form to import a certificate generated or signed
externally to the device. You must enter the password for the private key
during import if the private key is encrypted.
For more information on X.509 certificates, see Appendix F: X.509.
Instruction Manual
Date Code 20141001
Settings
System
5.15
System
Global Settings
Web Settings
Use web settings to modify settings related to the web management interface
of the device.
Table 5.14
Web Settings
Field Name
Values
Default
Description
Maximum Sessions
120
Maximum number of concurrent

web user sessions.
Sessions Timeout
160 minutes
Amount of time a users session

is inactive before the device
terminates the session.
System Contact Information

The system contact information settings provide fields for defining a system
contact and system location.
Table 5.15
System Contact Information Settings
Field Name
Values
Default
Description
Contact
0128 characters
Schweitzer Engineering
Laboratories, Inc.
(509) 332-1890
Contact information for

the device.
Location
0128 characters
Pullman, WA
Location of the device.
System Date
The date format setting determines the date format the device uses when the
user enters date setting information in the web interface. The system date is
applied to the Timer Contact start date and to the Manual Date/Time
setting.
Table 5.16
Front Panel
Date Code 20141001
Date Format
Field Name
Values
Default
Description
Date Format
Month/Day/Year
Day/Month/Year
Year/Month/Day
Month/Day/Year
Determines the date format to

use when configuring dates
within the web interface.
Use the front-panel settings to configure how you want to use the front panel
of the SEL-2488.
Instruction Manual
5.16
Settings
System
Table 5.17
Figure 5.10
Front Panel
Field Name
Values
Default
Description
Date Display
Format
None
Month/Day/Year
Day/Month/Year
Year/Month/Day
Day of Year
None
Determines the date format to use

when configuring dates within the
web interface.
Time Display
Format
12-hour local time

24-hour local time
UTC
12 hour
local time
Displays the time on the front panel

in 12/24 hour format. UTC is
Coordinated Universal Time
displayed in 24-hour format.
Enable Timeout
Enable/Disable
Enable
Timeout
130 minutes
15
Contrast
18
Front panel display inactivity

timeout. If no activity occurs for this
duration, the backlight will
automatically turn off and the
display will return to the default
screen.
Front Panel Settings Window
Date/Time
Use the Date/Time page to set the local time zone, adjust for daylight-saving
time, and manually set the clock. The local time settings page must be
properly set before the clock can send local time.
Instruction Manual
Date Code 20141001
Settings
System
5.17
Local Time Settings

By default, the SEL-2488 sends time referenced to UTC. To display local
time, you must set the proper time zone or local time offset and daylightsaving time (Figure 5.11).
Figure 5.11
Local Time Settings
The Start of Daylight Savings Time and End of Daylight Saving Time
settings are only configurable if Daylight Savings Time Mode is set to Custom
DST. Otherwise, these settings display the automatic daylight savings start/
end dates for the selected mode. See Table 5.18 for more information on local
time settings.
Table 5.18
Local Time Settings
Field Name
Values
Default
Description
Local Time Offset from UTC
13:00 to +13:00
08:00
Sets local time offset from UTC time. Can be

set in 30-minute increments
Daylight Savings Time

Mode
No DST, United States, European

Union, Custom DST
United States
Sets the daylight settings profile for local time.
Start Time
00:0024:00
02:00
Sets the start time when DST begins.
Start Month
January-December
March
Sets the start month when DST begins.
Start Week
First, Second, Third, Fourth, Last
Second
Sets the start week when DST begins.
Start Day of Week
SundaySaturday
Sunday
Sets the start day of week when DST begins.
End Time
00:0024:00
02:00
Sets the time when DST ends.
End Month
JanuaryDecember
November
Sets the month when DST ends.
End Week
First, Second, Third, Fourth, Last
First
Sets the week when DST ends.
End Day of Week
SundaySaturday
Sunday
Sets the day of the week when DST ends.
Date Code 20141001
Instruction Manual
5.18
Settings
System
Manual Date/Time
Use the Manual Date/Time page to configure the time when there is no
access to GNSS information and time display is needed for demonstration
purposes.
Figure 5.12
Manual Date/Time Setting Screen

Table 5.19
Manual Date/Time Settings
Field Name
Values
Default
Description
Manual Date
MM/DD/YYYY
N/A
Sets the manual date for the clock to begin

time. Format is configurable in Global
Settings.
Manual Time
HH:MM:SS
N/A
Sets the time for the clock to begin

incrementing time. Must be set in 24-hour
format.
Table 5.19 shows the settings necessary to properly set manual time. Follow
these steps to enter into manual Date/Time mode:
Step 1. Disable the GNSS time source from the GNSS Settings page
on the web interface.
Step 2. Power cycle the device.
Step 3. Login to the device and go to the Date/Time settings page
under the System settings panel.
Step 4. Click the Manual Date/Time tab.
Step 5. Enter the Manual Date and Manual Time in the format shown
next to the settings fields.
Step 6. Hit the Submit button.
After the above steps are completed, the device enters into the Manual
Date/Time mode. In this mode all time outputs generate time codes
corresponding to the manual time. The front-panel display shows the
corresponding date/time.
To exit the manual time mode, enable the GNSS Time source on the GNSS
Settings page.
Contact I/O
Alarm Contact
Use the alarm contact as a means of alerting system personnel to system and
security-related events that have occurred on the device. The alarm contact
pulses for 1 a second if you have selected any of the alarm contact output
trigger categories and an event occurs that falls within the category you
selected. Table 5.20 lists each category with an explanation of the event types
that fall within each category.
Instruction Manual
Date Code 20141001
Settings
System
Figure 5.13
5.19
Alarm Contact Screen

Table 5.20
Alarm Contact Output Trigger Categories
Category
Default
Description
Authentication
Enabled
Authentication-related events
Chassis
Enabled
Physical hardware-related events
Configuration
Disabled
Configuration events related to settings changes
Link
Disabled
Interface events related to link up/link down status
System Integrity
Disabled
Satellite signal verification state changes
Time Synchronization
Disabled
Time source change or time quality changed
Timer Contact
The timer contact is a high-speed contact you can use to externally trigger
devices to start or measure timing of a contact closure. Figure 5.14 displays
the settings available for setting the contact.
Date Code 20141001
Instruction Manual
5.20
Settings
System
Figure 5.14
Timer Contact
Through use of the contact, you can customize settings to configure the
contact start, time to hold contact close, and for a one time operation or
repeated operation. Table 5.21 shows the range and description of the settings.
Table 5.21
Timer Contact Settings
Field Name
Values
Default
Description
Enable Timer Contact
Enable, Disable
Disable
Enables the timing contact for use.
Pulse Duration:
0.013600
0.5 seconds
Sets the duration to hold the contact closed when

activated.
Pulse Repeat Mode:
Single Pulse, Repeating Pulses
Single Pulse
Sets whether the contact keeps repeating the

operation or occurs only once.
Pulse Period:
0099 (DD), 0.123:59:59.9

(HH:MM:SS.s)
00 (DD) 00:00:01.0
(HH:MM:SS.s)
Sets the length of time between pulses.
Pulse Start Mode:
Now, Scheduled
Now
Sets the time when the contact will start to pulse.
Start Date:
01/01/200012/31/2035
01/01/2000
Sets the start date to start the pulse operation.
Start Time:
00:00:00.023:59:59.9
00:00:00.0
Sets the start time to start the pulse operation.
Usage Policy
The device presents a usage policy to all users accessing the login page. This
policy notifies users regarding what constitutes appropriate use of this device,
what actions are taken to ensure the device is not used inappropriately, and
what actions will be taken if abuse is discovered. The device comes with the
following default usage policy:
This system is for the use of authorized users only. Individuals using this
system without authority or in excess of their authority, are subject to
having all their activities on this system monitored and recorded by
system personnel. Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the evidence
of such activity to law enforcement officials.
The usage policy is configurable to as many as 4095 characters. Select the
Usage Policy link from the navigation menu to modify the usage policy.
Instruction Manual
Date Code 20141001
Settings
System
File Management
5.21
File management provides an interface from which you can import and export
settings, as well as perform firmware upgrades. Exporting system settings is
useful for providing device configuration backups for disaster recovery, as
well as for creating a template configuration that you can use in
commissioning large numbers of devices. For example, if all devices share the
same configuration, with the exception of a few device-specific configuration
items such as hostname and IP address, you can create the configuration once
and then export it as a template. When you import the configuration file into a
new device, you only need to make a couple of changes before the device is
fully configured.
Export Settings
You can export settings either encrypted or unencrypted in XML format. The
encrypted settings export is useful for creating an encrypted copy of the device
configuration as a device backup. You can use this backup for disaster
recovery purposes in the event that the device configuration. The other option
is to export the device settings in unencrypted XML format, which allows for
offline editing.
NOTE: Settings files should be
stored in a secure location, because
they contain sensitive information.
Perform the following steps to export a settings file:

Step 1. Login to the device and browse to the File Management page.
Step 2. You should be on the Export Settings page shown in
Figure 5.15.
Figure 5.15
Export Settings Page
Step 3. Skip this step if you want to export settings in an unencrypted

format for offline viewing or editing.
If you want to export settings in an encrypted format, select the
Encrypt Export check box and select an encryption password
for use in encrypting the settings file. You must use this
password when you perform an import of the encrypted
settings file, so be sure you store the password in a secure
location.
Step 4. Click the Export button.
Step 5. The settings export will initialize and display the export
progress for each module. The device will display the following
message when the export is complete.
Step 6. Click the Click to Download button. The device downloads the
settings to your local computer.
Date Code 20141001
Instruction Manual
5.22
Settings
System
Import Settings
Figure 5.16
Import Settings Page
The Import Settings page provides an interface to import settings from either
an encrypted or unencrypted settings file. Perform the following to import a
settings file:
Step 1. Log in to the device and browse to the File Management page.
Step 2. Select the Import Settings tab at the top of the page.
Step 3. Click Choose File and browse to the location of the settings file
you want to import.
!
Step 4. If the file was encrypted during the export process, enter the
encryption password into the Password field. If the file was not
encrypted during the export process, leave the Password field
blank.
WARNING
Importing settings will replace the

current settings and reboot the
device.
Step 5. Click the Import button.
Firmware Upgrade
The Firmware Upgrade page provides an interface from which you can
upgrade device firmware. Refer to Appendix B: Firmware Upgrade
Instructions for more information on the firmware upgrade procedure.
Device Reset
Device Reboot
The device reboot function turns the device off and back on. The device
restarts its time acquisition process while the device reboots.
Factory Reset
The device provides the factory-reset function to restore the unit to its factory
configuration. You should only use this feature when you decommission the
device. The factory-reset function erases the device log files and returns
device settings back to the factory-default values. After a factory reset, you
must recommission the device. Refer to Section 2: Getting Started for details
on commissioning the device.
Instruction Manual
Date Code 20141001
Section 6
Testing and Troubleshooting
Introduction
This section provides the following guidelines for testing and troubleshooting
the device.
Testing Philosophy on page 6.1
LED/LCD Indicators on page 6.2
Device Dashboard on page 6.5
Troubleshooting on page 6.5
Factory Assistance on page 6.7
Testing Philosophy
Device testing can be divided into three categories: acceptance,
commissioning, and maintenance. The categories are differentiated by when
they take place in the life cycle of the product and by test complexity. The
following paragraphs describe when you should perform each type of test, the
goals of testing at that time, and the functions that you need to test at each
point.
This information is intended as a guideline for testing a device.
Acceptance Testing
Perform acceptance testing when qualifying the SEL-2488 for use in a

communications system that supports critical systems.
Goals of Acceptance Testing

Ensure that the device meets published critical performance
specifications.
Ensure that the device meets the requirements of the intended
application.
Improve your familiarity with device capabilities.
What to Test
Acceptance test all settings parameters critical to your intended application.
SEL performs detailed acceptance testing on all SEL-2488 models and
versions. It is important for you to perform acceptance testing on the
SEL-2488 if you are unfamiliar with device operating theory or settings. Such
testing helps you ensure that device settings are correct for your application.
Date Code 20141001
Instruction Manual
6.2

LED/LCD Indicators
Commissioning
Testing
Perform commissioning testing when installing a new device. Commissioning

testing is performed on each unit installed.
Goals of Commissioning Testing

Ensure that power connections are correct.
Ensure that the alarm output connection is correct.
Ensure that the device functions with your settings according to
your expectations.
What to Test
Perform commissioning testing on all connected time outputs, Ethernet ports,
fiber ports, and alarm contacts.
SEL performs a complete functional check of each device before shipment.
Device commissioning tests should verify that the power supply, Ethernet
cables, fiber cables, and alarm contacts are connected properly.
Maintenance Testing
The SEL-2488 does not require regular maintenance testing.
LED/LCD Indicators
The SEL-2488 has extensive self-test capabilities. You can use the indicator
lights located on the front or rear panels to determine the status of your device.
These indicators are provided to show whether the device is enabled, whether
an alarm condition exists, whether the power supplies are healthy, and to show
the speed and link state for each of the communications interfaces. Figure 6.1
shows the locations of the LED indicators.
Figure 6.1
Front-Panel Status Indicators
Table 6.1 describes the system status indicators. On the front panel, these are
located next to the LAMP TEST button.
Table 6.1
System Status Indicators
Indicator
Green Condition
Red Condition
ENABLED
Normal operation
System halted or an error condition

has occurred.
ALARM
N/A
When the alarm contact operates.
PWR A
Power supply is installed and

working properly
Power supply is installed and failed.
PWR B
Power supply is installed and

working properly
Power supply is installed and failed.
Instruction Manual
Date Code 20141001

LED/LCD Indicators
6.3
The communications interface indicators in Table 6.2 display the status of the
four rear Ethernet interfaces. Ethernet Ports 14 are 100 Mbps ports. The
amber 100 Mbps speed indicator is lit when these ports are operating at 100
Mbps, and unlit when operating at a reduced speed. For all of these ports (14)
the same two indicators are provided at the port connector on the rear panel.
Table 6.2
Communications Interface Indicators
Indicator
Unlit Condition
Lit Condition
100 Mbps
Port is operating at a reduced

speed or is unconnected.
Amber when port is operating at its full

speed of 100 Mbps.
LNK/ACT
Port is unconnected.
Green when port is connected.

Blinks to indicate data traffic in either
direction.
The time interface indicators in Figure 6.2 display the present status of GNSS
satellites, antenna status, and time output status.
Figure 6.2
Front-Panel Time Indicators
The Satellite Lock, Time Quality, and ANT LED indicators work together to
provide you information about the status of time synchronization and when
the clock is locked on to a time source and transmitting. The NTP LED
informs the user if the NTP has been set up on a port and if it is
communicating with at least one NTP client. The PTP LED is for future use
when IEEE 1588 PTP is available as another time synchronization source.
Table 6.3 lists the time indicator LEDs and their descriptions.
Table 6.3
Time Status Indicators (Sheet 1 of 2)
Indicator
LED Condition
Description
Satellite Lock
Green
GNSS is enabled in settings. Satellite lock is achieved

for all the required GNSS systems. For information
on which GNSSs are in use based on Satellite Signal
Verification Setting refer to Table 5.2.
Amber
GNSS is enabled in settings. Satellite lock has not yet

been achieved for one or more required GNSS systems.
Off
GNSS is disabled in settings.
Green
Clock has been locked to an external source and is

providing time outputs with < 1us of accuracy to
UTC.
Flashing Green

Red

Time Quality
Antenna
Date Code 20141001
Green
Antenna is connected and functional.
Red
Clock detected an antenna open or short failure

condition.
Off
GNSS is disabled via settings.
Instruction Manual
6.4

LCD Screen
Table 6.3
Time Status Indicators (Sheet 2 of 2)
Indicator
LED Condition
Description
PTP
Off
Future use if ordered with IEEE 1588 PTP.
NTP
Green
NTP server capability is enabled but there is no

detected NTP activity.
Flashing Green
One or more NTP server ports is configured for

broadcast/multicast mode or has responded to a client
within the last five minutes.
Off
SEL-2488 is not enabled as an NTP server.
LCD Screen
The front-panel LCD screen displays the time, status information on the
satellites, time source and accuracy, firmware information, and location. The
LCD screen is a read-only interface that you can navigate through the use of
up/down arrows to scroll through the screens.
Figure 6.3
Front-Panel Time Display
The default display is the time display. Figure 6.3 shows an example of this
display. The time display by default shows the local time in 12-hour format.
Corresponding settings to change the date/time format on the front-panel
display are located in the System tab under the Front Panel settings.
In addition to time, the front-panel display includes information on the present
time source for time synchronization and the present accuracy of the source.
The sources available are GPS, Holdover, and None. Upon power-up the
SEL-2488 will display NONE as the time source at the upper left hand corner of
the display. After the device achieves satellite lock, it will display GPS. In the
event of losing satellite lock, the device will display HOLDOVER. The frontpanel display also displays the accuracy of the source when tracking GPS or in
holdover in the top right hand corner.
Figure 6.4
Front-Panel Firmware Version
If you press the down arrow, the device displays the firmware version (see
Figure 6.4). This screen provides easy access to information identifying the
present firmware the clock is using.
Instruction Manual
Date Code 20141001

Device Dashboard
Figure 6.5
6.5
Front-Panel Location
The next screen in sequence displays location information (see Figure 6.5).
When locked to the GPS satellites, the SEL-2488 displays the present GPS
location of the device.
Figure 6.6
Front-Panel Port Information
Figure 6.6 shows the subsequent screen, which displays information about the
present configuration of the front Ethernet port. By default, the front Ethernet
port is set to DHCP. This is so that you can plug your computer into the port
and have your computer route to the correct web interface. If you change this
screen to display a static IP address, then this screen is useful when you
connect to the configuration page.
Figure 6.7
Front-Panel Satellite Information
Figure 6.7 displays the present status of all satellite constellations being
tracked by the SEL-2488. The SEL-2488 is capable of tracking GPS and
GLONASS satellite constellations simultaneously. The front-panel display
screen shown in Figure 6.7 shows the number of visible and used satellites for
SEL-2488 in real time for both constellations. This information is useful
during the commissioning of the device and setting up the antenna
connections to the unit. The visible satellites are always greater than or equal
to the used satellites by the SEL-2488.
Device Dashboard
See Device Dashboard on page 2.7 for more information on the use of this
feature.
Troubleshooting
Inspection Procedure
Complete the following procedure before disturbing the device. After you
finish your inspection, refer to Table 6.4.
Step 1. If the web interface is accessible, record the part number, serial
number, and firmware version from the Device Information
table in the device dashboard.
Step 2. Record a description of any problem you encountered.
Date Code 20141001
Instruction Manual
6.6

Troubleshooting
Step 3. Examine the System Statistics and Diagnostics tables and

record any unusual values.
Step 4. Measure and record the power supply voltage at the power
input terminals.
Step 5. Record the states of the LED indicators.
Table 6.4
Troubleshooting Procedure
Problem
Possible Causes
Solution
The PWR A and PWR B indicators are both dark
Input power is not present.
Verify that input power is present and that the power supply
assembly is fully inserted.
The satellite clock will not

lock
Antenna or cable is bad
View the ANT LED on front. If ANT is red, then an antenna or

cable issue must be repaired or there is no antenna connection
to the device.
Antenna does not have a sufficient view of the sky to lock.
View the dashboard screen or the front panel. The clock must
track four or more satellites to obtain first lock. Reposition the
antenna so that it has a better view of the sky. If the clock
shows no visible satellites, then there may be an issue with the
antenna or cable.
Satellite signal verification is

turned on and an incorrect
antenna is in use.
Satellite Signal Verification requires a dual-constellation

antenna. If a single constellation antenna is used, the clock cannot verify sources and will not allow the clock to lock. Either
turn satellite signal verification off, or order the Dual-Constellation GPS Antenna Kit (part number 915900378).
The satellite clock will not

output time
Satellite clock is not locked.
If the Satellite Lock LED is green, then the clock must wait for
almanac data and ephemeris data before it can transmit time, as
long as 12.5 minutes. When the Time Quality LED turns solid
green, then time should function. If the Satellite Lock LED is
not green, then view the previous procedural steps.
The login page is inaccessible
The computer trying to connect

to the web interface is not on the
correct network.
Verify the physical and logical connection between the management computer and the SEL-2488.
Configure the IP address of the management computer to the
same network as the SEL-2488, or use DHCP as described in
Section 1: Connections, Installation, and Specifications and set
the computer network interface to autoconfigure the network.
The ETH F network interface on

the SEL-2488 is not enabled.
Insert a small tool such as a paperclip into the pinhole reset

located between the alarm contact and the BNC connectors on
the rear panel of the device, and depress the reset button for 2
seconds. This will enable the interface and turn on the captive
port feature, with which you should be able to use ETH F to connect to the management interface. See Section 2: Getting
Started for details.
The Syslog server is not reachable from the network containing

the SEL-2488.
Ensure that the Syslog server IP address is valid and reachable.

If the Syslog server is on another network, ensure that a network gateway is configured and available to route the Syslog
traffic.
No Syslog servers defined, or the

logging threshold is unexpectedly high.
Navigate to the Syslog Settings page and ensure that the proper
Syslog IP address and Logging Threshold settings are entered
there.
The users account is missing.
Log in to the SEL-2488 as an administrator and verify the

details for the subject account on the Local Users page.
The users password is incorrect.
Check that Caps Lock is not active on the computer logging in.
If necessary, reset the users account from the Local Users page.
No Syslog messages
A user cannot log in
Instruction Manual
Date Code 20141001

Factory Assistance
If You Forget Your

SEL-2488 IP Address
6.7
If you forget the IP address for which your SEL-2488 is configured, but do not
want to perform a full factory reset, the captive port feature provides you
access to the web management interface.
To activate the captive port feature on ETH F, insert a tool such as a straightened
paper clip into the pinhole reset located between the alarm contact and the
BNC connectors on the rear panel and press the recessed reset button for 5
seconds. This enables the front Ethernet port and turns on the captive port
feature.
The captive port feature provides special DHCP and DNS servers to the
computer connected to ETH F. The DHCP server assigns the computer an IP
address adjacent to the IP address of your SEL-2488, so the computer will be
on the same subnet and capable of communicating with it. This also sets the
DNS server for the computer to the IP address of your SEL-2488. Once this
occurs, any DNS requests from the computer resolve to the SEL-2488, so that
browsing to any host, such as www.selinc.com, results in opening the web
management interface of your SEL-2488.
If You Forget Your

Administrative
Account Password
Use of the captive port feature to gain access to your SEL-2488 reestablishes
network communication with it, but you must still know the credentials for an
administrative account. If you have lost all administrative account credentials,
you must perform a full factory-default reset.
Turn off power to your SEL-2488, insert a tool such as a straightened paper
clip into the pinhole reset located between the alarm contact and the BNC
connectors on the rear panel, and press the recessed reset button. Keeping the
button depressed, apply power. After two seconds, release the recessed reset
button.
Wait for the green ENABLED LED on the front panel to illuminate, indicating
that your SEL-2488 has reset to factory-default settings and is ready. ETH F
will be enabled, the captive port feature will be on, and the IP address for the
unit will be 192.168.1.2. You can access the Commissioning page by entering
a hostname, such as www.selinc.com, or you can browse directly to the IP
address for the unit at https://192.168.1.2.
Factory Assistance
We appreciate your interest in SEL products and services. If you have
questions or comments, please contact us at:
Tel: +1.509.332.1890
Fax: +1.509.332.7990
Email: info@selinc.com
Date Code 20141001
Instruction Manual
Appendix A
Instruction Manual
Firmware and Manual Versions

Firmware
This manual covers SEL-2488 devices containing firmware bearing the firmware
version numbers listed in Table A.1. This table also lists a description of
modifications and the instruction manual date code that corresponds to firmware
versions. The most recent firmware version is listed first.
Table A.1
Firmware Revision History
Firmware Identification (FID) Number
Summary of Revisions
Manual
Date Code
SEL-2488-R100-V0-Z001001-D20140620
Manual update only (See Table A.2).
20141001
SEL-2488-R100-V0-Z001001-D20140620
Initial version.
20140818
Instruction Manual
The date code at the bottom of each page of this manual reflects the creation or
revision date.
Table A.2 lists the instruction manual release dates and a description of
modifications. The most recent instruction manual revisions are listed at the top.
Table A.2
Instruction Manual Revision History
Revision Date
20141001
Summary of Revisions
Section 1
Updated Rear Panel.

Updated Figure 1.2: Rear-Panel View.
Updated Figure 1.3: Typical Surge-Protector Installation.
Updated Table 1.9: DB-9 Port Pinout.
Updated Specifications.
Section 5
Updated Table 5.1: GNSS Settings.

Updated Time Management.
Section 6
Updated Table 6.4: Troubleshooting Procedure.

20140818
Initial version.
Date Code 20141001
Instruction Manual
Appendix B
Firmware Upgrade Instructions
Introduction
SEL occasionally offers firmware upgrades to improve the performance of
your device. The SEL-2488 stores firmware in nonvolatile memory, so that
opening the case or changing physical components is not necessary. These
instructions give a step-by-step procedure to upgrade the device firmware by
uploading a file from a personal computer to the device via the web interface.
All firmware updates are logged.
Firmware releases are enhancements to improve functionality that change the
way your device is configured or maintained, and can be installed in
increasing or decreasing order. All existing settings will be transferred to
newer firmware. Settings may not be transferred to older firmware. After a
firmware update it is possible to revert to the previously installed firmware
version.
To perform an upgrade you will need the appropriate firmware upgrade file
and access to an administrative account on the device.
Firmware Files
SEL-2488 firmware upgrade files have a tar.gz file extension. An example

firmware filename is install_2488_R100.tar.gz.
The firmware packages are cryptographically signed to enable the device to
recognize official SEL firmware. Any uploaded files that cannot be verified as
being produced by SEL will not be processed.
Firmware Upgrade Procedure

Perform the following steps to upgrade the SEL-2488 firmware:
Step 1. Log on using an account with administrative-level privileges.
Nonadministrative accounts cannot perform firmware
upgrades.
Step 2. Select the File Management link from the navigation panel.
This will show the File Management page, where firmware
upgrades may be performed.
Step 3. In the File Management window, click the Firmware
Upgrade button, which will show the version of the currently
running firmware and allow you to choose the upgrade file to
upload to the unit (see Figure B.1).
Date Code 20141001
Instruction Manual
B.2
Firmware Upgrade Instructions

Factory Assistance
Figure B.1
File Management
Step 4. Enter the path name for the upgrade file. To locate the file
instead using the Windows file browser, click the Browse
button, navigate to the location where the upgrade file is stored,
select it, and click Open.
Step 5. Click the Upgrade button at the bottom of the page to upload
and install the new firmware. The Upgrading Firmware status
display will appear and periodically update the shown progress
of the upgrade operation as it proceeds. Firmware update takes
about 10 minutes to complete.
Factory Assistance
We appreciate your interest in SEL products and services. If you have
questions or comments, please contact us at:
Tel: +1.509.332.1890
Fax: +1.509.332.7990
Email: info@selinc.com
Instruction Manual
Date Code 20141001
Appendix C
User-Based Accounts
Introduction
Local accounts are the engineering access accounts that reside on SEL
products. SEL has historically used global accounts such as ACC and 2AC
and a password associated with each to control access to SEL devices. With
global accounts, every user has the same logon credentials (username and
password), which weakens the security of the system. To strengthen
authentication, authorization, and accountability, this SEL product uses a userbased account structure.
Benefits of User-Based Accounts

User-based accounts allow for a stronger security posture than global
accounts. One of the drawbacks of global accounts is that when an
individuals privileges are revoked, either everyone who uses that account is
temporarily without access or there exists an unauthorized individual with
secret knowledge that individual can use or sell for malicious purposes. Userbased accounts correct this problem with the ability to disable or remove one
individuals account without affecting access for anyone else.
Similarly, when password changes are required, either because of a
compromised system, routine maintenance, or regulatory requirements, users
will not need to remember several new and different global passwords. They
will only need to remember their own personal password changes. This
increases security by reducing the need to write passwords down and by
reducing the chance that an unauthorized individual might obtain an active
password.
Three key parts of strong access control are authentication, authorization, and
accountability. Authentication is the process of verifying that users are whom
they claim to be. This is very difficult to do reliably with global accounts
because of the nature of shared passwords. User-based accounts allow for the
reliable authentication of individual users of a system. This creates more trust
that those who access the system really are whom they claim to be.
Authorization is the process of granting privileges to users of a system. You
can perform authorization with global accounts when the accounts are
organized into access roles, such as with ACC and 2AC. However, unless you
have a large number of roles (and, therefore, a large number of shared
passwords), it is difficult to assign privileges granularly to global accounts.
You can use user-based accounts to assign specific privileges to users of a
system.
Date Code 20141001
Instruction Manual
C.2
User-Based Accounts
Administration of User-Based Accounts
Accountability is the idea that individual users can be held responsible for
their actions on a system. The lack of authentication with global accounts
creates too much opportunity to cast doubt on ones activities, making
accountability difficult to enforce. The ability to clearly authenticate a user to
the individual level allows all actions to be assigned to specific users.
Accountability is very important to event tracking and forensic investigations.
Administration of User-Based Accounts

This product comes unconfigured from the factory. This means that there are
no user accounts installed. To access the product, you must create an initial
account through the commissioning page. This account is authorized to add,
remove, enable, and disable system users. Only the individual who creates this
account should have knowledge of this account password.
It is possible to create other accounts that are able to manage users. Only those
users with a need to manage user accounts should be a member of the User
Manager or Administrator group.
The SEL-2488 stores user accounts in nonvolatile memory. This allows the
device to maintain account status through power cycles and other unexpected
events.
Acceptable Use Banner

Prior to logging on to this SEL product, any potential user will see a use
banner. The use banner is a programmable message indicating what
constitutes appropriate use of this device and potential consequences for
abusing this device. The default use banner for SEL products is the same as
the recommended use banner for the National Institute of Standards and
Technology:
This system is for the use of authorized users only. Individuals using this
system without authority or in excess of their authority, are subject to
having all their activities on this system monitored and recorded by
system personnel. Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the evidence
of such activity to law enforcement officials.
Logging on With SEL User-Based Accounts

Upon connection to this SEL product, a user will see a use banner and a logon
prompt. The logon prompt includes fields for entering a username and the
password associated with that username. To log on to this SEL product, the
user must enter a valid username and the appropriate password. Usernames
are case insensitive and unique to each individual with authority to access the
device. Users who enter valid usernames and matching passwords will have
access to the device.
Instruction Manual
Date Code 20141001
User-Based Accounts
Passphrases
C.3
If the SEL-2488 determines a username or password to be invalid, then it

rejects the access attempt and provides an alert to the user. This alert will
inform the user that the logon credentials were incorrect. After three failed
logon attempts within a one-minute period, this SEL product will disallow
access attempts with the locked username for 30 seconds. Additionally, this
device will pulse the alarm contact for one second to provide an alert to the
control center that a failed logon attempt has occurred. These security features
are designed to prevent and slow down password guessing attacks. Logon
failure can happen for three reasons: the username was invalid, the password
was incorrect, or the users account is disabled. Please check the spelling of
the username and password if an access attempt fails. If you are certain that
you entered the username and password correctly, please contact your system
administrator to verify that your account has not been disabled.
Passphrases
Passphrases provide a user the ability to create strong and easy-to-remember
passwords that protect access to a system. A strong passphrase includes many
different characters from many different character sets. Longer passphrases
provide greater security than shorter passphrases. SEL user-based accounts
support complex passphrases that must include at least one character from
each of the following character sets.
Uppercase letters
Lowercase letters
Digits
Special characters
Additionally, passphrases must be at least eight characters in length. Spaces

are allowed in passphrases.
Users with administrative access can set or change passphrases for any user of
the system. Users without administrative access can only change their own
passphrases. For protection of your account, this SEL product will never
display, transmit, or store a passphrase in clear text.
Date Code 20141001
Instruction Manual
Appendix D
Lightweight Directory Access Protocol
SEL-2488 LDAP Client Implementation
LDAP allows the SEL-2488 to bind with existing centralized account
directories, such as Microsoft Active Directory, for user authentication and
authorization. SELs specific LDAP implementation utilizes the StartTLS
method for securing LDAP data from the device to the centralized account
server. See Figure D.1 for information about the LDAP interaction between
the SEL LDAP client and the centralized server.
Figure D.1
LDAP Transaction
Certificate Chain
When an SEL device receives an X.509 certificate from an LDAP server
during a StartTLS exchange prior to LDAP bind, you will need to have the
certificate chain stored locally. The certificate chain, also known as the
certification path, is a list of certificates used to authenticate the LDAP server.
The chain, or path, begins with the certificate of the LDAP server (the one the
Date Code 20141001
Instruction Manual
D.2
Lightweight Directory Access Protocol

LDAP Settings Form
SEL device receives), and each certificate in the chain is signed by the CA
identified by the next certificate in the chain. The chain terminates with a root
CA certificate. The root CA certificate is always signed by the CA itself. The
signatures of all certificates in the chain must be verified by the SEL LDAP
client until the root CA certificate is reached. The Distinguished Name (DN)
of the X.509 certificate the LDAP server uses to authenticate to the SEL
LDAP client must match the LDAP server name (i.e., LDAP server
3354.x509.local must match its certificate DN 3354.x509.local).
LDAP Settings Form

LDAP Hosts
(Input these settings on the Hosts page, need at least one):
Hostname:
IP Address:
Hostname:
IP Address:
LDAP Settings
(Input these settings on the LDAP Settings page):
TLS Required (Yes/No):
Synchronization Interval (Hours):
Search Base:
User ID Attribute:
Group Member Attribute:
Bind DN (optional, if left blank will use anonymous binds):
Bind DN Password (optional, required only if not using anonymous binds):
LDAP Servers
(Input these settings on the LDAP Settings page, need at least one):
Hostname:
Port Number:
Hostname:
Port Number:
Device Roles
(Required to map user privileges, input these settings on the LDAP settings page):
Administrator Group/User DN:

Engineer Group/User DN:
User Manager Group/User DN
Monitor Group/User DN
Instruction Manual
Date Code 20141001
Appendix E
Syslog
Introduction
The Syslog protocol, defined in RFC 3164, provides a transport mechanism by
which a device can send system event notification messages across IP
networks to remote Syslog servers. Syslog is commonly used to send system
logs such as security events, system events, and status messages useful in
troubleshooting, auditing, and event investigations. The Syslog packet size is
limited to 1024 bytes and is formatted into three parts: PRI, HEADER, and
MSG.
1. PRI: The priority part of a Syslog packet is a number enclosed
in angle brackets that represents both the facility and severity of
the message. The priority value is calculated by multiplying the
facility numerical code by 8 and adding the numerical value of
the severity. For example, a kernel message (facility = 0) with a
severity of Emergency (severity = 0) would have a priority of 0.
Also, a local use 4 message (facility = 20) with a severity of
Notice (Severity = 5) would have a priority value of 165. In the
PRI part of the Syslog message, these values would be placed
between the angel brackets as <0> and <165>, respectively.
The severity code (Table E.1) is a number indicative of how critical the
message is.
Table E.1
Syslog Message Severities
Numerical Code
Date Code 20141001
Severity
Emergency
Alert
Critical
Error
Warning
Notice
Informational
Debug
Instruction Manual
E.2
Syslog
Introduction
The facility code (Table E.2) defines the application group from the message
originated.
Table E.2
Syslog Message Facilities
Numerical Code
Facility
Kernel messages
User-level messages
Mail system
System daemons
Security/authorization messagesa
Messages generated internally by Syslog
Line printer subsystem
Network news subsystem
UUCP subsystem
Clock daemonb
10
Security authorization messagesa
11
FTP daemon
12
NTP subsystem
13
Log audita
14
Log auditb
15
Clock daemonb
16
Local use 0 (local 0)
17
18
19
20
21
22
23
Various operating systems have been found to use Facilities 4, 10, 13, and 14 for security/
authorization, audit, and alert messages that seem to be similar.
Various operating systems have been found to use both Facilities 9 and 15 for clock (cron/at)
messages.
Source: http://www.faqs.org/rfcs/rfc3164.html
2. HEADER: The header of a Syslog packet contains the time

stamp and the source of the message. The IP address or the
hostname defines the source of the message originator. Time
stamps are based on the time of the originating host, so it is
critical to have time synchronized across devices for the entire
network to accurately perform log analysis and event
correlation.
3. MSG: The message part of a Syslog packet contains the source
program that triggered the message and the human-readable
body of the message.
Instruction Manual
Date Code 20141001
Syslog
Remote Syslog Servers
E.3
A sample Syslog message follows. This particular message shows an invalid

login attempt on July 09, 2009, at 08:17:29 to myhostname for user root
from the IP address 192.168.1.1. The priority of this message is 34.
<34>Jul 09 2009 08:17:29 myhostname Invalid login attempt by:
root at 192.168.1.1
The Syslog message has been divided into each respective part, as shown in
the following table.
PRI
HEADER
MSG
<34>
Jul 09 2009 08:17:29 myhostname
Invalid login attempt by: root at 192.168.1.1
Remote Syslog Servers

Syslog messages are stored locally and optionally sent to remote Syslog
servers. The local buffers are circular in nature, so newer messages overwrite
older messages after the buffer is filled. Support for multiple remote Syslog
servers provides the added benefits of centralized logging including larger
storage capacity, centralized event analysis and correlation, and archival event
logs. In Figure E.1, remote devices are configured to send Syslog messages to
the remote Syslog server on the other end of the VPN tunnel. Syslogcompatible devices can send logs to the central Syslog server in this example
for centralized logging, reporting, and event correlation. The Syslog protocol
uses User Datagram Protocol (UDP) Port 514 to send Syslog messages to
remote Syslog servers.
PSTN
SEL-3025
SEL-2488
SEL-351
Syslog Message Flow

VPN
SEL-2730M
SEL-3620
SEL-351
Central Syslog
Server
SEL-351
Figure E.1
Central Syslog Server
Open Source Syslog Servers

Most Linux and UNIX distributions include a native Syslog server that can be
used for a central Syslog server solution. Syslog-ng (www.balabit.com) is also
an excellent solution with added functionality that can be used if not already
included in your distribution. Syslog server solutions for Microsoft Windows
are typically commercial or have limited feature sets if offered at no charge.
Date Code 20141001
Instruction Manual
E.4
Syslog
SEL-2488 Event Logs
SEL-2488 Event Logs

The SEL-2488 records and time stamps all events in the Syslog format
consistent with the Syslog description from RFC 3164. Table E.3 lists all of
the events that the SEL-2488 logs and the record generated with each of these
events.
Log messages may contain words or phrases in brackets such as {0}. This
notation indicates a variable that will be replaced with the value being logged.
For example, the {0} in Syslog message, User account {0} locked out due
to consecutive failed login attempts, would be replaced with the actual
username that was locked out.
Table E.3
Event Logs (Sheet 1 of 5)
Message
Tag Name
Severity
Facility
Captive Port: disabled by {username} at {user_ip}
CaptivePortConfig
Notice
USER
Captive Port: enabled by {username} at {user_ip}
CaptivePortConfig
Notice
USER
Configuration file export failed
ImportExport
Warning
USER
Configuration file export started by {username} at {user_ip}
ImportExport
Notice
USER
Configuration file export successful
ImportExport
Notice
USER
Configuration file import failed
ImportExport
Warning
USER
Configuration file import started by {username} at {user_ip}
ImportExport
Notice
USER
Configuration file import successful
ImportExport
Notice
USER
Alarm Contact: configuration changed by {username} at {user_ip}
AlarmContact
Notice
USER
Device initialization completed
Power
Notice
SYSTEM
Device rebooted by {username} at {user_ip}
Power
Error
USER
Device factory reset initiated through pinhole button
PushbuttonReset
Notice
USER
Device commissioned by {0} at {user_ip}
Commissioning
Notice
SECURITY
Device factory reset initiated by {username} at {user_ip}
Commissioning
Notice
SECURITY
Device reset because of hardware watchdog
Power
Critical
SYSTEM
Daylight Saving Time began
DateTime
Informational
CLOCK
Daylight Saving Time ended
DateTime
Informational
CLOCK
Daylight Saving Time adjustment pending
DateTime
Notice
CLOCK
Uploaded firmware update package is corrupted; unable to either decrypt

the firmware update package or validate the signature on the firmware
update package
Firmware
Error
SYSTEM
Firmware reversion to previous version initiated by {username} at {user_ip}
Firmware
Warning
USER
Firmware update from {0} to {1} succeeded
Firmware
Warning
SYSTEM
Firmware update to new version initiated by {username} at {user_ip}
Firmware
Notice
USER
The firmware update from {0} to new version failed with an error of
"{1}"?. Please contact Schweitzer Engineering Laboratories, Inc. for
assistance
Firmware
Critical
SYSTEM
Front Panel Contrast: Changed by user at Front Panel
FrontPanelConfig
Notice
USER
Front Panel Settings: Changed by {username} at {user_ip}
FrontPanelConfig
Notice
USER
Front management port reset initiated through pinhole button
PushbuttonReset
Alert
USER
GNSS Settings: Changed by {username} at {user_ip}
GNSSConfig
Notice
USER
Holdover Alert
TimeSync
Critical
CLOCK
Instruction Manual
Date Code 20141001
Syslog
SEL-2488 Event Logs
Table E.3
E.5
Message
Tag Name
Severity
Facility
Host Settings: Added host {0} with IP address {1} by {username} at

{user_ip}
HostConfig
Notice
USER
Host Settings: Removed host {0} with IP address {1} by {username} at

{user_ip}
HostConfig
Notice
USER
Host Settings: Changed hostname {0} with IP address {1} to {2} with IP
address {3} by {username} at {user_ip}
HostConfig
Notice
USER
LDAP: An error occurred during Bind DN authentication on server {0}:{1}
LDAP
Error
SECURITY
LDAP disabled by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP Bind DN changed by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP: An error occurred when searching for the user's DN on the server
{0}:{1}
LDAP
Error
SECURITY
LDAP Bind DN Password changed by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP enabled by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP Group Filter changed by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP: Group Filter syntax invalid for server {0}:{1}
LDAP
Error
SECURITY
LDAP: Group Filter search on server {0}:{1} returned no groups
LDAP
Warning
SECURITY
LDAP Group Membership Attribute changed by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP server {0}:{1} hostname changed to {2} by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP: One or more of the user-configured DNs for server {0}:{1} contains syntax errors
LDAP
Error
SECURITY
LDAP group mapping {0} changed to {1} by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP group mapping {0} mapping created by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP group mapping {0} mapping deleted by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP: No Group Mappings set for server {0}:{1}
LDAP
Warning
SECURITY
LDAP server {0}:{1} port changed to {2} by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP Search Base changed by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP: Search base entry not found on server {0}:{1}
LDAP
Error
SECURITY
LDAP server {0}:{1} created by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP server {0}:{1} deleted by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP: {0}:{1} does not respond
LDAP
Error
SECURITY
LDAP: Unable to connect to server at {0}:{1}
LDAP
Error
SECURITY
LDAP: LDAP version used by server {0}:{1} is not supported
LDAP
Error
SECURITY
LDAP: Bind DN authentication failed on server {0}:{1}
LDAP
Error
SECURITY
LDAP settings changed by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP Synchronization Interval changed by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP: The hostname of the certificate presented by {0}:{1} does not match
LDAP
Error
SECURITY
LDAP: The certificate presented by {0}:{1} is invalid
LDAP
Error
SECURITY
LDAP: The certificate presented by {0}:{1} is expired
LDAP
Error
SECURITY
LDAP: The issuing authority of the certificate presented by {0}:{1} is

untrusted
LDAP
Error
SECURITY
LDAP TLS disabled by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP TLS enabled by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP: Unable to start TLS session with {0}:{1}
LDAP
Error
SECURITY
Date Code 20141001
Instruction Manual
E.6
Syslog
SEL-2488 Event Logs
Table E.3
Message
Tag Name
Severity
Facility
LDAP: Server {0}:{1} returned a DN that was longer than 4096 bytes.
That DN was ignored
LDAP
Error
SECURITY
LDAP: An error occurred when searching for a DN on the server

{0}:{1}
LDAP
Error
SECURITY
LDAP User ID Filter changed by {username} at {user_ip}
LDAPConfig
Warning
SECURITY
LDAP: User ID Filter syntax invalid for server {0}:{1}
LDAP
Error
SECURITY
LDAP: An error occurred during authentication or authorization on

server {0}:{1}
LDAP
Error
SECURITY
Leap Second deleted
DateTime
Informational
CLOCK
Leap Second inserted
DateTime
Informational
CLOCK
Leap Second adjustment pending
DateTime
Notice
CLOCK
Port {0} changed link state to down
LinkUpDown
Notice
SYSTEM
Port {0} changed link state to up
LinkUpDown
Notice
SYSTEM
Local Time Settings: Changed by {username} at {user_ip}
DateTimeConfig
Notice
USER
User {0}: attributes changed by {username} at {user_ip}
UserConfig
Notice
SECURITY
User {0}: created by {username} at {user_ip}
UserConfig
Warning
SECURITY
User {0}: deleted by {username} at {user_ip}
UserConfig
Warning
SECURITY
User {0}: disabled by {username} at {user_ip}
UserConfig
Notice
SECURITY
User {0}: enabled by {username} at {user_ip}
UserConfig
Notice
SECURITY
User {0}: password set by {username} at {user_ip}
UserConfig
Warning
SECURITY
Login to {interface}: failed from {user_ip}
Login
Notice
SECURITY
Login to {interface}: successful by {username} at {user_ip}
Login
Notice
SECURITY
User account {0} locked out due to consecutive failed login attempts
Login
Warning
SECURITY
User account {0} timeout
Login
Warning
SECURITY
Logout {interface}: {username} at {user_ip}
Login
Notice
SECURITY
Time set manually by {username} at {user_ip}
TimeSync
Notice
USER
Network Settings: changed by {username} at {user_ip}
NetworkConfig
Notice
USER
Network Interface {0}: changed by {username} at {user_ip}
NetworkConfig
Notice
USER
NTP Server: Disabled on port {0}, {1} by {username} at {user_ip}
NTPServerConfig
Notice
USER
NTP Server: Enabled on port {0}, {1} by {username} at {user_ip}
NTPServerConfig
Notice
USER
NTP Server Settings: Changed by {username} at {user_ip}
NTPServerConfig
Notice
USER
The Part Number for the device has changed from {0} to {1}
PartNumber
Critical
SYSTEM
Timer Contact Settings: Changed by {username} at {user_ip}
TimerContactConfig
Notice
USER
The {0} event queue overflowed
EventSystem
Error
SYSTEM
The {0} event queue left the overflow condition. Approximately {1}
events were lost
EventSystem
Notice
SYSTEM
Failure: Power Supply {0} expected to be installed but absent
Diagnostics
Error
SYSTEM
Failure: Flash
Diagnostics
Alert
SYSTEM
Failure: FPGA
Diagnostics
Alert
SYSTEM
Failure: GNSS Receiver A
Diagnostics
Alert
SYSTEM
Failure: GNSS Receiver B
Diagnostics
Alert
SYSTEM
Failure: Holdover Clock
Diagnostics
Alert
SYSTEM
Instruction Manual
Date Code 20141001
Syslog
SEL-2488 Event Logs
Table E.3
E.7
Message
Tag Name
Severity
Facility
Failure: LCD
Diagnostics
Error
SYSTEM
Failure: Power Supply A
Diagnostics
Alert
SYSTEM
Failure: Power Supply B
Diagnostics
Alert
SYSTEM
Failure: RAM
Diagnostics
Alert
SYSTEM
Failure: Internal Clock
Diagnostics
Critical
SYSTEM
Failure: Internal Clock Battery
Diagnostics
Warning
SYSTEM
Failure: Antenna open/absent
Diagnostics
Alert
SYSTEM
Failure: Antenna short
Diagnostics
Alert
SYSTEM
GNSS signal verification failed
SystemIntegrity
Error
CLOCK
GNSS signal verification is not operational
SystemIntegrity
Warning
CLOCK
GNSS signal verification successful
SystemIntegrity
Error
CLOCK
GNSS signal verification is operational
SystemIntegrity
Warning
CLOCK
Static Route Settings: changed by {username} at {user_ip}
NetworkConfig
Notice
USER
Syslog Destination {0}: created by {username} at {user_ip}
SyslogConfig
Notice
USER
Syslog Destination {0}: deleted by {username} at {user_ip}
SyslogConfig
Warning
USER
Syslog Destination {0} Settings: modified by {username} at {user_ip}
SyslogConfig
Warning
USER
Syslog events acknowledged by {username} at {user_ip}
Syslog
Notice
USER
Local Syslog Event Queue contains >= 75% unacknowledged events
Syslog
Warning
SYSTEM
Local Syslog Event Queue contains >= 90% unacknowledged events
Syslog
Critical
SYSTEM
Local Syslog Event Queue contains <= 65% unacknowledged events
Syslog
Notice
SYSTEM
Local Syslog Event Queue contains <= 80% unacknowledged events
Syslog
Notice
SYSTEM
Syslog Settings: changed by {username} at {user_ip}
SyslogConfig
Notice
USER
System Contact Information: changed by {username} at {user_ip}
Config
Notice
USER
Time Quality 1s
TimeSync
Notice
CLOCK
1s < Time Quality 1ms
TimeSync
Notice
CLOCK
Time Quality > 1ms
TimeSync
Notice
CLOCK
Time source has changed to {0}
TimeSync
Warning
CLOCK
Time Code Output Settings: Changed by {username} at {user_ip}
TimeCodeOutputsConfig
Notice
USER
GNSS Notification Settings: Changed by {username} at {user_ip}
GNSSConfig
Notice
USER
Usage Policy: changed by {username} at {user_ip}
Config
Notice
SECURITY
Web Server Certificate: changed from {0} to {1} by {username} at {user_ip}
WebServerConfig
Warning
USER
Web Server Settings: changed by {username} at {user_ip}
WebServerConfig
Warning
USER
X.509 certificate {0} set as default web certificate by {username} at {user_ip}
X509Config
Notice
SECURITY
X.509 certificate {0} Alias: certificate changed to {1} by {username} at

{user_ip}
X509Config
Notice
USER
X.509 certificate {0} deleted by {username} at {user_ip}
X509Config
Notice
SECURITY
X.509 certificate {0} has expired; communications requiring X.509

based authentication may have stopped
X509Config
Error
SYSTEM
X.509 certificate import started by {username} at {user_ip}
X509Config
Notice
SECURITY
X.509 certificate import failed
X509Config
Warning
SECURITY
X.509 certificate {0}: certificate import completed successfully
X509Config
Notice
SECURITY
Date Code 20141001
Instruction Manual
E.8
Syslog
SEL-2488 Event Logs
Table E.3
Message
Tag Name
Severity
Facility
X.509 certificate {0} will expire in {1} days; communications requiring

X.509 based authentication may be affected when it expires
X509Config
Warning
SYSTEM

X509Config
Informational
SYSTEM

X509Config
Notice
SYSTEM
Instruction Manual
Date Code 20141001
Appendix F
X.509
Introduction
In cryptography, X.509 is an International Telecommunication Union standard
for public key infrastructure (PKI). X.509 specifies formats for public key
certificates and validation paths for authentication. The SEL-2488 uses X.509
certificates in the web server for secure device management, and for IPsec
authentication.
Public Key Cryptography

Public key cryptography is distinguished by the use of asymmetric keys
instead of the more traditional symmetric keys. Asymmetric keys are
mathematically related so that whatever one key encrypts, the other key must
be used to decrypt. There is no way to derive one key from knowledge of its
paired key. These key pairs are known as public and private keys. The private
key must be kept secret, while the public key can be distributed freely. This
allows for many methods of protecting and authorizing messages that are not
possible with symmetric key cryptography.
Alice
Figure F.1
52ED879E
70F71D92
Big Random
Number
Key Generation
Function
Alices Public Key
Alices Private Key
Asymmetric Keys
Symmetric key cryptography, which has been used in various forms for
thousands of years, uses a single key that both encrypts and decrypts the
message. This key must be shared between the sender and receiver in advance.
If the key cannot be shared securely, the confidentiality of any transmission
encrypted with that key cannot be known.
In public key cryptography, the encryption key is not the same as the
decryption key. If a message is encrypted with the publicly known key, only
the private key can be used to decrypt it. This private key is known only to the
owner of the key pair. Only the sender and the intended receiver will know the
message, ensuring confidentiality.
Date Code 20141001
Instruction Manual
F.2
X.509
X.509 Certificates
Bob
Hello
Alice!
Encrypt
Alices Public Key
6EB69570
08E03CE4
Alice
Hello
Alice!
Decrypt
Alices Private Key
Figure F.2
Confidentiality With Asymmetric Keys
Public key cryptography is much more computation intensive than symmetric

key cryptography. This makes it infeasible to send large amounts of data, or
secure a series of transmissions, using this technology. Public key
cryptography offers confidentiality and the corresponding ability to exchange
symmetric keys securely and confidentially. This is known as hybrid
cryptography and is one way that IPsec uses public key cryptography.
You can also use public key cryptography for authentication. Do this by using
a private key, rather than the public key, as the encryption key. The public key
you use to decrypt the message will identify the sender. This is known as an
electronic signature.
Alice
I Will
Pay $500
Sign
(Encrypt)
Alices Private Key
DFCD3454
BBEA788A
Bob
I Will
Pay $500
Verify
(Decrypt)
Alices Public Key
Figure F.3
Authentication With Asymmetric Keys
X.509 Certificates
Digital certificates, also known as public key certificates, provide a formal
method for associating pairs of asymmetric keys with their owners. You can
use these electronic documents, through the use of digital signatures, to bind
public keys to their owners.
Instruction Manual
Date Code 20141001
X.509
Digital Signatures
F.3
Digital Signatures
A digital signature is a more formal method of authenticating data than an
electronic signature. They can be compared to the wax seals that were placed
on envelopes before email was available. To create a digital signature of data,
you would first compute a hash of the data to be signed and then encrypt that
hash with the signers private key. You would then attach this signature to the
data to be signed. To verify the authenticity of the data, the receivers system
first separates data and signature. The receiver computes a hash of the data and
then uses the issuers public key to decrypt the signature. We compare these
two hashes and, if they match, we know the data is authentic.
Signing
Verification
Hash Function
101100110101
Hash
Data
Digitally Signed Data

Encrypt Hash
Using Signers
Private Key
111101101110
Signature
Data
111101101110
Signature
Certificate
Attach
to Data
Hash
Function
Decrypt Hash
Using Signers
Public Key
101100110101
Hash
101100110101
Hash
Digitally Signed Data
Figure F.4
Digital Signatures
Public Key Infrastructure

One of three common uses for digital certificates is in a public key
infrastructure (PKI). PKI is a formal, hierarchical system where a digital
certificate may contain the signature of one or a chain of more trusted
certificate issuers. At the top of the PKI hierarchy is the most trusted
certificate, a root certificate. A root certificate is self-signed, highly protected,
and should only be used to sign CA certificates. Root certificates have to be
manually made trusted by a system administrator, or they must be included by
the software vendor in a cache of trusted root certificates. Most modern
operating systems, such as Microsoft Windows preload a collection of root
certificates for commonly used (and trusted) certificate authorities (e.g.,
VeriSign, Thawte, etc.) in the Trusted Root certificate store. If a root
certificate is compromised, we must assume all certificates below it to be
compromised as well.
Date Code 20141001
Instruction Manual
F.4
X.509
Web of Trust
A certificate authority (CA) is an entity that issues, or signs, other certificates.

To obtain a certificate, an entity (the subject) will generate a key pair, and
send the public key and proof of identity to a CA. The CA will verify the
identity of the requester and issue the certificate containing the subject's
identity, the public key, and the CAs digital signature. A CA is responsible for
saying yes these people are whom they claim to be and this is their public
key. CAs are authenticated by other CAs or by a root certificate.
An attacker can subvert this process. This can happen when an attacker steals
the private key of a CA or of a party to whom a certificate was issued. It can
also happen when an attacker impersonates another party when requesting a
certificate. In either case, this can result in the issuance of untrustworthy
certificates. An attacker might also steal a subject's private key. In such cases,
these certificates must be revoked by the issuing authority.
Web of Trust
Another of the three common uses of digital certificates is in the web of trust.
This is a less formal method of authentication than PKI provides, but is still in
common use. The largest use of the web of trust model is in Pretty Good
Privacy (PGP) used for email security. This model is very similar to PKI in
that a trusted third party is verifying the authenticity of a certificate. The
difference is that this trusted third party is not a CA, but rather a person who
endorses the authenticity of another person. Signing the public key of the
person requiring endorsement (or trust) with the endorsers (trusted entity)
own private key establishes a web of trust. Figure F.5 below illustrates a
simple example of a web of trust. If Alice trusts Bob, and Bob trusts Charlie,
then Alice implicitly trusts Charlie.
Diane
Alice
Charlie
Trust
Implicit Trust
Bob
Figure F.5
Web of Trust
Simple Public Key Infrastructure

The third common use of digital certificates is in the simple public key
infrastructure (SPKI). This model evolved from the need to limit the
complexity inherent in PKI and the web of trust. There is no trusted third party
Instruction Manual
Date Code 20141001
X.509
Online Certificate Status Protocol (OCSP)
F.5
in SPKI, because the owner and issuer of the certificate are the same entity.
For SPKI to be secure, certificates must be pre-shared among all entities who
communicate on that system. This ensures that all knowledge for security
decisions resides locally.
Online Certificate Status Protocol (OCSP)

In consideration of the case where an authentic certificate has been stolen,
there are methods to revoke certificates. One method is the certificate
revocation list (CRL). The CRL method has a few problems that allow a
revoked certificate to still be used. This arises from the lag associated with
producing CRLs. Also, a certificate will be accepted by default, even if
revoked, if the CRL is not accessible.
The online certificate status protocol (OCSP) was created to fix some of these
problems. OCSP requires less bandwidth than CRLs and enables near realtime status checks to verify a certificates status. OCSP also allows a
certificate to be denied by default if the OCSP server is not accessible.
OCSP is a request/response protocol that provides real-time revocation status
information for X.509 certificates. When an OCSP-enabled certificate is
presented to an application, such as a web browser, the browser uses OCSP to
check the certificate and ensure it is valid before proceeding with the session.
OCSP uses the following response indicators to help determine certificate
revocation status:
Good: Indicates that the certificate is valid and has not been
revoked
Revoked: Indicates that the certificate has been revoked
Unknown: Indicates that the responder does not know about the
certificate being requested

The system performs a real-time revocation check for each certificate so that if
a certificate is compromised or for some other reason requires revocation, it
will no longer appear as valid.
Sample X.509 Certificate

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting
cc,
OU=Certification Services Division,
CN=Thawte Server CA/Email=server-certs@thawte.com
Date Code 20141001
Instruction Manual
F.6
X.509
Sample X.509 Certificate
Validity
Not Before: Aug 1 00:00:00 1996 GMT
Not After: Dec 31 23:59:59 2020 GMT
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting
cc,
OU=Certification Services Division,
CN=Thawte Server CA/Email=server-certs@thawte.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:a4:50:6e:c8:ff:56:6b:e6:cf:5d:b6:ea:0c:
68:75:47:a2:aa:c2:da:84:25:fc:a8:f4:47:51:da:
85:b5:20:74:94:86:1e:0f:75:c9:e9:08:61:f5:06:
6d:30:6e:15:19:02:e9:52:c0:62:db:4d:99:9e:e2:
6a:0c:44:38:cd:fe:be:e3:64:09:70:c5:fe:b1:6b:
29:b6:2f:49:c8:3b:d4:27:04:25:10:97:2f:e7:90:
6d:c0:28:42:99:d7:4c:43:de:c3:f5:21:6d:54:9f:
5d:c3:58:e1:c0:e4:d9:5b:b0:b8:dc:b4:7b:df:36:
3a:c2:b5:66:22:12:d6:87:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
07:fa:4c:69:5c:fb:95:cc:46:ee:85:83:4d:21:30:8e:ca:d9:
a8:6f:49:1a:e6:da:51:e3:60:70:6c:84:61:11:a1:1a:c8:48:
3e:59:43:7d:4f:95:3d:a1:8b:b7:0b:62:98:7a:75:8a:dd:88:
4e:4e:9e:40:db:a8:cc:32:74:b9:6f:0d:c6:e3:b3:44:0b:d9:
8a:6f:9a:29:9b:99:18:28:3b:d1:e3:40:28:9a:5a:3c:d5:b5:
e7:20:1b:8b:ca:a4:ab:8d:e9:51:d9:e2:4c:2c:59:a9:da:b9:
b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e:
70:47
Instruction Manual
Date Code 20141001

2488 Im 20141001

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

2488 Im 20141001

Transféré par

Droits d'auteur :

Formats disponibles

Instruction Manual

Equipment components are sensitive to electrostatic discharge

Disconnect or de-energize all external connections before

Contact with instrument terminals can cause electrical shock

Have only qualified personnel service this equipment. If you are

Use of this equipment in a manner other than specified in this

Les composants de cet quipement sont sensibles aux

Dbrancher tous les raccordements externes avant douvrir cet

Tout contact avec les bornes de lappareil peut causer un choc

Seules des personnes qualifies peuvent travailler sur cet

L'utilisation de cet appareil suivant des procdures diffrentes

2014 by Schweitzer Engineering Laboratories, Inc. All rights reserved.

SEL-2488 Satellite-Synchronized Network Clock

Date Code 20141001

List of Tables .......................................................................................................................................................iii

Section 2: Getting Started

Section 3: Managing Users

Section 6: Testing and Troubleshooting

SEL-2488 Satellite-Synchronized Network Clock

Appendix A: Firmware and Manual Versions

Appendix B: Firmware Upgrade Instructions

Appendix C: User-Based Accounts

Appendix D: Lightweight Directory Access Protocol

SEL-2488 Satellite-Synchronized Network Clock

Date Code 20141001

Date Code 20141001

Ethernet Status Indicators....................................................................................................... 1.3

SEL-2488 Satellite-Synchronized Network Clock

This page intentionally left blank

Date Code 20141001

Front-Panel View.................................................................................................................... 1.2

SEL-2488 Satellite-Synchronized Network Clock

Front-Panel Time Display ...................................................................................................... 6.4

SEL-2488 Satellite-Synchronized Network Clock

Date Code 20141001

Preface. Describes the manual organization and conventions used to

Section 1: Connections, Installation, and Specifications. Introduces

Section 2: Getting Started. Provides dimension drawings on the

Section 3: Managing Users. Explains how users are managed on the

Section 4: Applications. Provides Job Done examples. These examples

Section 6: Testing and Troubleshooting. Lists common operating and

Appendix A: Firmware and Manual Versions. Lists firmware and manual

Appendix B: Firmware Upgrade Instructions. Provides instructions to

Appendix C: User-Based Accounts. Provides an introduction to user-based

Appendix D: Lightweight Directory Access Protocol. Describes

Appendix E: Syslog. Provides an introduction to the Syslog protocol and

Appendix F: X.509. Explains the structure and use of X.509 certificates.

Date Code 20141001

SEL-2488 Satellite-Synchronized Network Clock

Indicates a potentially hazardous

Indicates a potentially hazardous

Indicates an imminently hazardous

SEL-2488 Satellite-Synchronized Network Clock

Date Code 20141001

40 ns to UTC for power protection applications. If GNSS time

Date Code 20141001

SEL-2488 Satellite-Synchronized Network Clock

Connections, Installation, and Specifications

holdover, with 36 s/day accuracy, or to the optional OCXO

configurable for IRIG-B or time pulse outputs. The SEL-2488

supply; operates from 40 to +85C (40 to +185F); is

secure web interface that allows convenient setup and

time outputs for other devices. Outputs include user selectable