Académique Documents
Professionnel Documents
Culture Documents
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
1 Change History.............................................................................................................................. 1
1.1 SRAN15.1 01 (2019-06-06)........................................................................................................................................... 1
1.2 SRAN15.1 Draft B (2019-03-18)................................................................................................................................... 1
1.3 SRAN15.1 Draft A (2018-12-30)................................................................................................................................... 1
3 Overview......................................................................................................................................... 4
4 Base Station Supporting Multi-operator PKI.......................................................................... 5
4.1 Principles........................................................................................................................................................................ 5
4.1.1 Introduction................................................................................................................................................................. 5
4.1.2 Architecture................................................................................................................................................................. 6
4.1.3 Certificate Management and Application....................................................................................................................7
4.1.3.1 Certificate Preconfiguration Phase........................................................................................................................... 8
4.1.3.2 Base Station Deployment Phase............................................................................................................................... 8
4.1.3.3 Operation Phase...................................................................................................................................................... 11
4.1.3.3.1 Certificate Application.........................................................................................................................................11
4.1.3.3.2 Certificate Sharing............................................................................................................................................... 12
4.1.3.3.3 Certificate Validity Check................................................................................................................................... 12
4.1.3.3.4 Certificate Update................................................................................................................................................12
4.1.3.3.5 Certificate Revocation......................................................................................................................................... 12
4.1.3.3.6 CRL Acquisition..................................................................................................................................................12
4.1.3.4 PKI Networking Reliability....................................................................................................................................13
4.1.3.5 Digital Certificate Usage in UMPT+UMPT Cold Backup Mode.......................................................................... 13
4.2 Network Analysis......................................................................................................................................................... 13
4.2.1 Benefits...................................................................................................................................................................... 13
4.2.2 Impacts.......................................................................................................................................................................13
4.3 Requirements................................................................................................................................................................ 13
4.3.1 Licenses..................................................................................................................................................................... 14
4.3.2 Software.....................................................................................................................................................................14
4.3.2.1 GBFD-171205 BTS Supporting Multi-operator PKI............................................................................................. 15
5 Parameters..................................................................................................................................... 38
6 Counters........................................................................................................................................ 39
7 Glossary......................................................................................................................................... 40
8 Reference Documents................................................................................................................. 41
1 Change History
This section describes changes not included in the "Parameters", "Counters", "Glossary", and
"Reference Documents" chapters. These changes include:
l Technical changes
Changes in functions and their corresponding parameters
l Editorial changes
Improvements or revisions to the documentation
Technical Changes
Change Description Parameter Change
Editorial Changes
None
This document only provides guidance for feature activation. Feature deployment and feature
gains depend on the specifics of the network scenario where the feature is deployed. To achieve
the desired gains, contact Huawei professional service engineers.
Software Interfaces
Any parameters, alarms, counters, or managed objects (MOs) described in Feature Parameter
Description documents apply only to the corresponding software release. For future software
releases, refer to the corresponding updated product documentation.
3 Overview
As network deployment demands increase, operators are confronted with the following
challenges if they independently deploy networks:
l Expensive spectrum licenses
l Significant network deployment costs
l High network coverage requirements
l Difficult site deployment
To cope with these challenges, more and more operators choose the network sharing solution
(RAN Sharing for short), through which they can use one set of base station equipment to
cover the same area. For details about network sharing, see Multi-Operator Sharing.
In RAN Sharing scenarios, however, a base station can only be deployed with the public key
infrastructure (PKI) server of one operator (the primary operator). IPsec tunnels of secondary
operators must be authenticated using the certificate issued by the PKI server of the primary
operator, which reduces the IPsec tunnel reliability of secondary operators.
With the Base Station Supporting Multi-operator PKI feature, a base station can be deployed
with the PKI systems of multiple operators, thereby enhancing base station transmission
reliability.
4.1 Principles
4.1.1 Introduction
This feature enables each operator to deploy its own PKI server on the base station. With this
feature, certificates from multiple operators can be loaded to and managed on the base station,
and certificate application, update, and revocation of one operator are independent from those
of another operator. The IPsec tunnel of each operator uses the certificates issued by its own
PKI server for authentication, as shown in Figure 4-1.
Limitations
The Base Station Supporting Multi-operator PKI feature can be deployed only in RAN
Sharing scenarios. The eGBTS configured with a GTMUb or GTMUc and the GBTS do not
support this feature.
Specifications
l When PKI redundancy is used, each base station can be configured with a maximum of
six pairs of Certificate Authorities (CAs). When PKI redundancy is not used, each base
station can be configured with a maximum of six CAs.
l Each base station can be configured with six periodic certificate revocation list (CRL)
acquisition tasks, which can be configured using the CRLTSK managed object (MO).
l Each base station can be loaded with a maximum of 20 certificates, including
preconfigured Huawei certificates.
If operators use multi-level certificates and the certificates take up more storage space
than is available, then these certificates can be converted into the .p7b format to save
storage.
4.1.2 Architecture
Figure 4-2 illustrates the PKI system architecture for the Base Station Supporting Multi-
operator PKI feature.
l The PKI system of operator 1 consists of CA 1, RA 1, and certificate & CRL database 1.
l The PKI system of operator 2 consists of CA 2, RA 2, and certificate & CRL database 2.
RA is short for registration authority. For details about the CA, RA, and certificate & CRL
database, see PKI.
Figure 4-2 PKI system architecture for the Base Station Supporting Multi-operator PKI
feature
Certificate Certificate No -
management preconfiguration phase
and application
Base station deployment Yes See 4.1.3.2 Base Station
phase Deployment Phase.
Certificate sharing No -
Certificate update No -
Certificate revocation No -
CRL acquisition No -
PKI networking No -
reliability
Figure 4-3 Networking for deploying Base Station Supporting Multi-operator PKI in RAN
Sharing scenarios
Figure 4-4 details base station deployment procedures illustrated in Figure 4-3.
NOTE
Figure 4-5 illustrates the differences in configuration objects used for configuring multi-
operator PKI compared with those used for configuring single-operator PKI.
After the base station sends a CMPv2-based certificate request message to the CA, the
certificate application procedure fails if the certificate request times out. The waiting timeout
interval is 60s in single-operator PKI scenarios and is 20s for each PKI in multi-operator
PKI scenarios.
– After a successful certificate application, the obtained operator's certificate will be
automatically loaded to the CERTMK MO, and the CERTMK.CASW parameter
is automatically set to ON for this certificate.
l Before a reconstruction from single-operator PKI to multi-operator PKI, the
CERTMK.CASW parameter must be set to ON.
l After a successful certificate application, run the MOD APPCERT command to set a
certificate under the CERTMK MO as the global certificate, which saves the trouble of
running the MOD APPCERT command to validate certificates for multiple operators.
l After successful certificate loading, bind each operator's certificate to the corresponding
IPsec tunnel.
You can use the IKEPEER.CERTSOURCE and IKEPEER.CERTNAME parameters
to bind operators' certificates to IPsec tunnels.
l Operators' CRL servers are independent of each other and the CRL acquisition procedure
is the same as that in single-operator PKI scenarios.
l Only one global CRL policy can be configured for a base station. The global CRL policy
is configured using the CRLPOLICY MO.
l Each base station can be configured with six periodic CRL acquisition tasks, which can
be configured using the CRLTSK MO.
l The working mechanism of PKI redundancy in multi-operator PKI scenarios is the same
as that in single-operator PKI scenarios.
l The active and standby PKI servers must belong to the same operator.
l The base station supports a maximum of six pairs of PKI servers in redundancy mode.
The difference is that in multi-operator PKI scenarios, a base station manages the certificates
of multiple operators. That is, the number of certificates managed by one base station
increases. A base station can manage a maximum of 20 certificates, including the
preconfigured Huawei certificates.
4.2.1 Benefits
In RAN Sharing scenarios, if each operator deploys its own PKI server, this feature provides
an independent IPsec tunnel for each operator so as to achieve the secure isolation of each
operator's services.
4.2.2 Impacts
Network Impacts
The duration of base station deployment is prolonged by 10s due to certificate application for
each operator.
Function Impacts
None
4.3 Requirements
4.3.1 Licenses
Before deploying this feature, purchase and activate the license for this feature. No license is
required to deploy this feature on a gNodeB.
NOTE
The license activation rules for a multimode base station are as follows:
l In a separate-MPT multimode base station with co-transmission, the license needs to be deployed
only on the mode that provides the co-transmission port. If another mode needs to share the
certificate, the license also needs to be deployed on this mode.
l If the UTRPc provides a co-transmission port, the license needs to be activated for the mode that
controls the UTRPc.
l In a co-MPT multimode base station, the license can be activated on any of the GSM, UMTS, or
LTE mode.
4.3.2 Software
Before activating this function, ensure that its prerequisite functions have been activated and
mutually exclusive functions have been deactivated. For detailed operations, see the relevant
feature documents.
Prerequisite Functions
Function Name Function Switch Reference
Prerequisite Functions
Function Name Function Switch Reference
Prerequisite Functions
None
Prerequisite Functions
None
Prerequisite Functions
None
Prerequisite Functions
None
4.3.3 Hardware
NR l 3900 and 5900 series base stations. 3900 series base stations must be
configured with the BBU3910.
l DBS3900 LampSite and DBS5900 LampSite. DBS3900 LampSite
must be configured with the BBU3910.
Macro base stations: The eGBTS configured with a GTMUb/GTMUc and the GBTS do not
support this feature.
Boards
NE Type Board Configuration Board That Provides a Port Type
Port for Connecting to
the Transport Network
UMPT+UTRPc UTRPc
UMPT/WMPT+UTRPc UTRPc
LMPT/UMPT+UTRPc UTRPc
RF Modules
None
4.3.4 Others
Before deploying this feature, engineering personnel must obtain CA information from CA
maintenance personnel. The required CA information in this scenario is the same as that in
single-PKI scenarios. For details, see PKI.
l The PKI server (CA) of each operator must be deployed. Each base station supports a
maximum of six operators' PKI servers, that is, six independent CAs or twelve active/
standby CAs.
l The device certificate and CRL file issued by each operator's CA server must meet the
RFC 5280 standards.
l The operator's CA server complies with the CMPv2 specified in the RFC 4210
standards. The certificate request message format meets the RFC 4211 standards.
l The operator's CA server meets the following specification in 3GPP TS 33.310: The
certificate request message contains the operator's root certificate or certificate chain.
l The operator's CA server is preconfigured with the Huawei root certificate.
l The UMPT_U and UMPT_L have a separate SSL channel and OM channel with the
U2020. The UMPT_U shares the SSL certificate with the UMPT_L.
l The UMPT_L has separate IPsec tunnels with SeGW A and SeGW B. The two IPsec
tunnels are authenticated using the certificate issued by the corresponding operator.
Figure 4-8 Multi-operator PKI enabled with IPsec redundancy among multiple SeGWs
Shared Base Station Controller with No IPsec Tunnel Between the Base Station
Controller and CN
Operator A (primary operator) and operator B (secondary operator) share the base station
controller, which is connected to the CN of each operator. No IPsec tunnel is set up between
the base station controller and the CN. Figure 4-9 shows an example.
In this scenario, data of operator A and operator B is converged on the base station controller
and then is forwarded to the respective CN. It is recommended that only one IPsec tunnel be
set up between the base station and the base station controller. The primary operator's digital
certificate and SeGW are used.
Figure 4-9 Shared base station controller without IPsec tunnel between the base station
controller and CN
Shared Base Station Controller with IPsec Tunnel Between the Base Station
Controller and CN
Operator A and operator B share the base station controller, which is connected to the CN of
each operator. IPsec tunnels are set up between the base station controller and the CNs of the
two operators. Figure 4-10 shows an example.
In this scenario, although the base station controller has separate IPsec tunnels with the CNs
of the two operators, the base station supports the IPsec tunnel only with an external SeGW. If
separate IPsec tunnels are to be set up for different operators between the base station and
base station controller, different digital certificates must be configured to authenticate these
IPsec tunnels and certificate update should be performed separately for different PKI systems.
Figure 4-10 Shared base station controller with IPsec tunnel between the base station
controller and CN
4.4.2 Precautions
During new PKI deployment, the IPsec tunnel needs to be reestablished, which interrupts
services.
Figure 4-11 Process of deploying the Base Station Supporting Multi-operator PKI feature
Table 4-2 Data to be prepared on the base station side for the CA server
Parameter Parameter ID Setting Notes
Name
State or CA.STATEPROVINCE
Province NAME
Locality CA.LOCALITY
Certificate CA.CERTREQSIGNAL
Request G
Signature
Algorithm
Local IP CA.LOCALIP
Table 4-3 lists the data to be prepared for a device certificate (the CERTMK MO).
Table 4-4 lists the data to be prepared for an IKE peer (the IKEPEER MO).
This section describes how to activate multi-operator PKI for a base station with no PKI
feature deployed.
NOTE
You need to reset the base station to make the configuration take effect.
If the base station is configured with only one main control board, the certificate is deployed on this
main control board by default. In this case, you can skip this step.
Step 2 Run the MOD CERTREQ command to configure a global certificate request template.
NOTE
Pay attention to the following tips when configuring the global certificate request template.
l If the certificate request file used by the CA is the same as the global certificate request template,
use the template specified in CERTREQ.
l If the certificate request file used by the CA is different from the global certificate request template,
configure a certificate request template for the CA by referring to Step 3.
Step 3 Run the ADD CA command to add CA information for each operator.
l If the certificate request file used by the CA is different from that configured in Step 2,
set Certificate Request Switch to USERDEFINE(USERDEFINE) to customize a
certificate request template for this CA.
l If the PKI redundancy mode is used, configure the standby CA of this CA.
NOTE
You need to purchase the license for the PKI redundancy feature before enabling this feature. For
details, see PKI.
Step 4 (Optional, applicable only to manual certificate application) Run the DLD CERTFILE
command to download each operator's root certificate from the operator's certificate & CRL
database.
Step 5 (Optional, applicable only to manual certificate application) Run the ADD TRUSTCERT
command for each CA trust certificate you want to add.
NOTE
If multi-level CAs are deployed in an operator's PKI system, a complete certificate chain must be added.
If the certificates of different levels of CAs in the certificate chain are stored separately, run the ADD
TRUSTCERT command for each certificate you want to add.
Step 6 (Optional, applicable only to manual certificate application) Run the REQ DEVCERT
command for each CMP session you want to start to apply for a device certificate.
NOTE
The certificate application procedure is triggered when this configuration takes effect.
The obtained certificate will be automatically loaded to CERTMK and the CA Switch is set to on.
If automatic certificate loading fails, run the ADD CERTMK command to load the certificate.
Step 7 Run the MOD APPCERT command to activate the configured global certificate.
NOTE
Pay attention to the following tips when activating the configured global certificate:
l You can configure only one SSL certificate and one IKE certificate, respectively.
l In multi-PKI scenarios, if the certificate used by an operator is different from the configured
certificate, set the certificate name for the operator in the MO IKEPEER in Step 8.
Step 8 Enable the IPsec feature. For details, see Deployment of IPsec > Deployment > Deploying
IPsec on an eGBTS/NodeB/eNodeB > Using MML Commands in IPsec.
Pay attention to the following configurations:
Run the ADD IKEPEER command. In this step, set Certificate Source and Certificate File
Name to bind certificates to each IKE channel.
l When Certificate Source is set to APPCERT, the certificate configured in Step 7 is
used.
l When Certificate Source is set to CERTMK, the certificate configured in the MO
CERTMK is used.
Step 9 Run the SET CERTCHKTSK command to set a periodic certificate validity check task.
----End
Step 1 Run the DLD CERTFILE command for each CRL file you want to download.
Step 2 Run the ADD CRL command for each CRL file you want to add.
Step 3 Run the SET CRLPOLICY command to configure the CRL policy.
Step 4 Run the ADD CRLTSK command for each periodic CRL download task you want to add.
----End
l Automatic download
Step 1 Run the SET CRLPOLICY command to configure the CRL policy.
Step 2 Run the ADD CRLTSK command for each periodic CRL download task you want to add.
----End
----End
Assume that:
l Operator A: C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1
l Operator B: C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca2
//Setting the board where a certificate is to be deployed
SET CERTDEPLOY:DEPLOYTYPE=SPECIFIC,CN=0,SRN=0,SN=7;
//Setting CA information for operator A and use this information to customize a certificate
request template for the CA
l If the CA is accessible either through the intranet or through an external network and the
OM data is protected by IPsec, it is recommended that the source IP address used for
certificate application be set to an interface IP address, the source IP address used for
certificate update be set to the OM IP address (for example, 10.31.31.188), the CA URL
during site deployment be set to 10.87.87.87, and the certificate request template be
customized. The following is an example:
ADD CA:CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN =
eca1",URL="http://10.88.88.88:80/
pkix/",SIGNALG=SHA256,MODE=CFG_INIT_UPD_ADDR,UPDSIP="10.31.31.188",INITREQURL=
"http://10.87.87.87:80/
pkix/",INITREQSIP="10.20.20.188",CERTREQSW=USERDEFINE,COUNTRY="cn",ORG="ITEF",
ORGUNIT="hw",STATEPROVINCENAME="sc",LOCALITY="cd",KEYUSAGE=DATA_ENCIPHERMENT-1
&DIGITAL_SIGNATURE-1&KEY_AGREEMENT-1&KEY_ENCIPHERMENT-1,CERTREQSIGNALG=SHA256,
KEYSIZE=KEYSIZE1024;
l If the CA is accessible either through the intranet or through an external network and the
OM data is not protected by IPsec, it is recommended that the source IP address used for
certificate update be set to an internal IP address (for example, 10.45.45.45), the source
IP address used for certificate application be set to an interface IP address, the CA URL
during site deployment be set to 10.87.87.87, and the certificate request template be set
to the global template. The following is an example:
ADD CA:CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN =
eca1",URL="http://10.88.88.88:80/
pkix/",SIGNALG=SHA256,MODE=CFG_INIT_UPD_ADDR,UPDSIP="10.45.45.45",INITREQURL="
http://10.87.87.87:80/pkix/",INITREQSIP="10.20.20.188",CERTREQSW=DEFAULT;
l The following shows an example when operator A uses PKI redundancy, an interface IP
address is used for certificate application and certificate update, and the default
certificate request template is used.
ADD CA:CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN =
eca1",URL="http://10.88.88.88:80/
pkix/",SIGNALG=SHA256,MODE=CFG_INIT_UPD_ADDR,UPDSIP="10.45.45.45",INITREQURL="
http://10.85.85.85:80/pkix/",INITREQSIP="10.20.20.188",SLVURL="http://
10.10.10.87:80/pkix/",SLVINITREQURL="http://10.10.10.86:80/
pkix/",CERTREQSW=DEFAULT;
l The following shows an example when operator B uses PKI redundancy, an interface IP
address is used for certificate application and certificate update, and the default
certificate request template is used.
ADD CA:CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN =
eca2",URL="http://10.89.89.89:80/
pkix/",SIGNALG=SHA256,MODE=CFG_INIT_UPD_ADDR,UPDSIP="10.35.35.35",INITREQURL="
http://10.86.86.86:80/pkix/",INITREQSIP="10.20.20.188",SLVURL="http://
10.10.10.85:80/pkix/",SLVINITREQURL="http://10.10.10.84:80/
pkix/",CERTREQSW=DEFAULT;
l //Manually applying for a digital certificate for operator A (skip this step if you use
automatic triggering of CMPv2-based certificate application)
REQ DEVCERT: CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd,
CN=eca1", APPCERT="OPKIDevCert1.cer";
l //Manually applying for a digital certificate for operator B (skip this step if you use
automatic triggering of CMPv2-based certificate application)
REQ DEVCERT: CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd,
CN=eca2", APPCERT="OPKIDevCert2.cer";
If operator A's certificate is used as the global certificate, operators not deployed with PKI
servers can share this certificate.
MOD APPCERT: APPTYPE=IKE, APPCERT="OPKIDevCert1.cer";
NOTE
After command execution, if the IKE connection is authenticated using a certificate and the status of the
IKE SA is normal, the base station automatically triggers an IKE re-negotiation.
l Operator B does not use the global certificate for IKE negotiation and the certificate
name is OpkiDevCert2.cer.
ADD IKEPEER: PEERNAME="peer", PROPID=1, IKEVERSION=IKE_V2, IDTYPE=FQDN,
REMOTEIP="10.91.91.91", DPD=PERIODIC, CERTSOURCE = 1,
CERTNAME="OpkiDevCert2.cer";
//Setting a periodic certificate validity check task universally for all operators
SET CERTCHKTSK: ISENABLE=ENABLE, PERIOD=7, ALMRNG=30, UPDATEMETHOD=CMP;
//(Optional) Downloading the CRL file from the FTP server (If the FTP server is deployed on
the U2020, the IP address of the FTP server is the same as that of the U2020.)
DLD
CERTFILE:IP="10.60.60.60",USR="admin",PWD="*****",SRCF="eNodeB.crl",DSTF="eNodeB.c
rl";
NOTE
If the base station is undergoing an IKE or SSL negotiation during the command execution, the
certificate update is performed after the negotiation.
l From single-operator PKI to multi-operator PKI
This section describes how to activate this feature when the base station has been deployed
with the PKI, PKI redundancy, or IPsec Redundancy Among Multiple SeGWs feature.
Step 4 (Optional, applicable only to manual certificate application) Run the ADD TRUSTCERT
command for the CA trust certificate of each secondary operator you want to add.
NOTE
If multi-level CAs are deployed in an operator's PKI system, a complete certificate chain must be added.
If the certificates of different levels of CAs in the certificate chain are stored separately, run the ADD
TRUSTCERT command for each certificate you want to add.
Step 5 (Optional, applicable only to manual certificate application) Run the REQ DEVCERT
command to set the information required by the base station to apply for operators' device
certificates.
NOTE
The certificate application procedure is triggered when this configuration takes effect.
The obtained certificate will be automatically loaded to CERTMK and the CA Switch is set to on.
If automatic certificate loading fails, run the ADD CERTMK command to load the certificate.
Step 6 Run the MOD IKEPEER command. In this step, set Certificate Source and Certificate File
Name to bind certificates to each IKE channel.
NOTE
This step is performed based on the assumption that the base station has been configured with IKE peers
(IKEPEER). If IKEPEER is not configured, you need to enable the IPsec feature and the MML
command used in this step is changed to ADD IKEPEER. For details about how to enable the IPsec
feature, see IPsec.
Step 7 Run the SET CERTCHKTSK command to set a periodic certificate validity check task.
----End
Step 1 Run the DLD CERTFILE command for each CRL file you want to download.
Step 2 Run the ADD CRL command for each CRL file you want to add.
Step 3 Run the SET CRLPOLICY command to configure the CRL policy.
----End
l Automatic download
Step 1 Run the ADD CRLTSK command for each periodic CRL download task you want to add.
Step 2 Run the SET CRLPOLICY command to configure the CRL policy.
----End
Assume that:
l Operator A is the primary operator and operator B is a secondary operator. Before the
reconstruction, the two operators use the certificate issued by operator A's PKI server for
authentication. After the reconstruction, operator B uses an independent PKI server.
NOTE
The CA switch must be turned on for all certificates loaded to the base station except for the
preconfigured Huawei certificates.
//Setting CA information for operator B and use this information to customize a certificate
request template for the CA
If operator B's CA is accessible only through the external network, it is recommended that
interface IP addresses be used for certificate application and certificate update, and a
customized certificate request template be used. The following is an example:
ADD CA:CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN =
eca2",URL="http://10.89.89.89:80/
pkix/",SIGNALG=SHA256,MODE=CFG_INIT_UPD_ADDR,UPDSIP="10.20.20.188",INITREQURL="10.
86.86.86:80/
pkix/",INITREQSIP="10.35.35.35",CERTREQSW=USERDEFINE,COMMNAME=ESN,USERADDINFO=".hu
awei.com",COUNTRY="cn",ORG="ITEF",ORGUNIT="hw",STATEPROVINCENAME="sc",LOCALITY="cd
",KEYUSAGE=DATA_ENCIPHERMENT-1&DIGITAL_SIGNATURE-1&KEY_AGREEMENT-1&KEY_ENCIPHERMEN
T-1,CERTREQSIGNALG=SHA256,KEYSIZE=KEYSIZE1024;
//(Manual triggering of CMPv2-based certificate application) Applying for operator B's root
certificate
REQ DEVCERT: CANAME="C=AU, S=Some-State, O=Internet Widgits Pty Ltd, CN=eca2",
APPCERT="OPKIDevCert2.cer";
//(Optional) Downloading the CRL file from the FTP server (If the FTP server is deployed on
the U2020, the IP address of the FTP server is the same as that of the U2020.)
DLD
CERTFILE:IP="10.60.60.60",USR="admin",PWD="*****",SRCF="eNodeB.crl",DSTF="eNodeB.c
rl";
The MO CERTMK is referenced by the MO IKEPEER. Before running the RMV CERTMK
command, remove the reference relationships between the two MOs.
Step 2 (Optional, applicable only to binding an operator-issued certificate) Run the MML command
MOD APPCERT to modify the application certificate to a preconfigured Huawei certificate.
Step 3 Run the MML command RMV CERTMK to remove configurations of the CERTMK MO
(except for the preconfigured Huawei certificates).
NOTE
The MO CERTMK is referenced by the MO IKEPEER. Before running the RMV CA command,
remove the reference relationships between the two MOs.
Step 5 (Optional) Run the MML command RMV CRLTSK to remove the periodic CRL acquisition
task started for multiple operators.
----End
//Removing the binding relationships between an IPsec policy group and a port
l Removing the IPsec policy for operator A (Policy Group Name = A, IPSec Sequence
No. = 10)
RMV IPSECPOLICY:SPGN="A",SPSN=10;
l Removing the IPsec policy for operator B (Policy Group Name = B, IPSec Sequence No.
= 11)
RMV IPSECPOLICY:SPGN="A",SPSN=10;
//Restoring the application certificate to the preconfigured Huawei certificate (Skip this step if
no operator-issued certificate is bound.)
MOD APPCERT:APPTYPE=IKE,APPCERT="appcert.pem";
//Removing the periodic CRL acquisition task started for multiple operators
l Removing the periodic CRL acquisition task started for operator A (Task ID = 0)
RMV CRLTSK: TSKID=0;
l Removing the periodic CRL acquisition task started for operator B (Task ID = 1)
RMV CRLTSK: TSKID=1;
Step 1 (Optional, applicable only when the IKE certificate under the APPCERT MO is not the
primary operator's certificate) Run the MOD APPCERT command to change the IKE
certificate under the APPCERT MO to the primary operator's certificate.
Step 2 Run the MOD IKEPEER command to change the value of Certificate Source to
APPCERT for a secondary operator.
NOTE
The MO CERTMK is referenced by the MO IKEPEER. Before running the RMV CERTMK
command, remove the reference relationships between the two MOs.
Step 3 Run the RMV CERTMK command to remove secondary operators' certificates loaded to the
base station.
NOTE
The MO CERTMK is referenced by the MO IKEPEER. Before running the RMV CA command,
remove the reference relationships between the two MOs.
Step 4 Run the RMV CA command to remove the PKI information configured for the secondary
operator.
Step 5 Run the MOD CERTMK command to change the value of CA Switch to OFF(Off) for all
operators.
Step 6 Run the MOD CA command to change the value of Certificate Request Switch for the
primary operator's CA to DEFAULT(DEFAULT).
Step 7 (Optional) Run the RMV CRLTSK command to remove the periodic CRL acquisition task
started for secondary operators.
----End
//Modifying the IKE certificate specified by the APPCERT MO to the primary operator's
certificate (skip this step if the IKE certificate specified by the APPCERT is the primary
operator's certificate)
MOD APPCERT:APPTYPE=IKE,APPCERT="eNodeBCert1.pem";
//Modifying the binding relationships between operator B's IKE and the certificate (Certificate
Source = APPCERT, which means that operator B shares the certificate with operator A.
assume that the IKE peer name of operator B is ike2)
MOD IKEPEER:PEERNAME="ike2",CERTSOURCE=APPCERT;
//Removing secondary operators' certificates loaded to the base station (assume that the
certificate file name is eNodeBCert2.pem)
RMV CERTMK: APPCERT="eNodeBCert2.pem";
//Changing the value of CA Switch to OFF for the primary operator's certificate that will be
used
MOD CERTMK:APPCERT=" eNodeBCert1.pem",CASW=OFF;
//Removing the periodic CRL acquisition task started for secondary operators (assume that the
task ID is 1)
RMV CRLTSK: TSKID=1;
Step 5 (Optional) Run the DSP CRL command to query the status of the CRL file.
If the value of Status in the returned result is NORMAL, the CRL has been loaded to the
base station.
----End
4.4.5 Reconfiguration
Reconfiguration of CA Name
In CANAME, the S and ST fields are regarded as the same field. Services can be properly
provided regardless of whether the field name is S or ST.
To change the field name from S to ST, perform the following steps:
Step 2 Run the MOD CERTMK command to modify the device certificate.
----End
MML command examples are as follows:
ADD CA:CANAME="C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN =
eca1",URL="http://10.89.89.89:80/
pkix/",SIGNALG=SHA256,MODE=CFG_INIT_UPD_ADDR,UPDSIP="10.20.20.188",INITREQURL="10.
86.86.86:80/
pkix/",INITREQSIP="10.35.35.35",CERTREQSW=USERDEFINE,COMMNAME=ESN,USERADDINFO=".hu
awei.com",COUNTRY="cn",ORG="ITEF",ORGUNIT="hw",STATEPROVINCENAME="sc",LOCALITY="cd
",KEYUSAGE=DATA_ENCIPHERMENT-1&DIGITAL_SIGNATURE-1&KEY_AGREEMENT-1&KEY_ENCIPHERMEN
T-1,CERTREQSIGNALG=SHA256,KEYSIZE=KEYSIZE1024;
MOD CERTMK:APPCERT=" opki1.cer",CASW=ON,CANAME="C = AU, ST = Some-State, O =
Internet Widgits Pty Ltd, CN = eca1";
RMV CA: CANAME=" C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca1";
l Run the MOD CERTMK command to bind certificates to the new CA.
l Run the RMV CA command to remove the old CA.
l Run the SET CERTCHKTSK command to turn on the automatic application switch.
MML command examples are as follows:
//Assume that the expected RANAME is as follows: C = AU, S = Some-State, O = Internet
Widgits Pty Ltd, CN = eca2, CANAME is C = AU, S = Some-State, O = Internet Widgits Pty
Ltd, CN = eca1
//The following record exists.
ADD CA: CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca2",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE=
CFG_INIT_UPD_ADDR, UPDSIP="10.31.31.188",INITREQURL="http://10.89.89.89:80/
pkix/",INITREQSIP="10.20.20.188"; //
Run the following commands:
ADD CA:CANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN =
eca1",RANAME="C = AU, S = Some-State, O = Internet Widgits Pty Ltd, CN = eca2",
URL="http://10.88.88.88:80/pkix/", SIGNALG=SHA256, MODE= CFG_INIT_UPD_ADDR,
UPDSIP="10.31.31.188",INITREQURL="http://10.89.89.89:80/
pkix/",INITREQSIP="10.20.20.188";
MOD CERTMK:APPCERT="opki1.cer",CASW=ON,CANAME="C = AU, S = Some-State, O =
Internet Widgits Pty Ltd, CN = eca1";
RMV CA: CANAME="C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=eca2";
SET CERTCHKTSK: ISENABLE=ENABLE, PERIOD=7, ALMRNG=30,
UPDATEMETHOD=CMP,AUTOREAPPLYSW = ON;
5 Parameters
The following hyperlinked EXCEL files of parameter reference match the software version
with which this document is released.
l Node Parameter Reference: contains device and transport parameters.
l gNodeBFunction Parameter Reference: contains all parameters related to radio access
functions, including air interface management, access control, mobility control, and radio
resource management.
NOTE
You can find the EXCEL files of parameter reference for the software version on the live network from
the product documentation delivered with that version.
FAQ: How do I find the parameters related to a certain feature from parameter
reference?
Step 1: Open the EXCEL file of parameter reference.
Step 2: On the Parameter List sheet, filter the Feature ID column. Click Text Filters and
choose Contains. Enter the feature ID, for example, FBFD-020100.
Step 3: Click OK. All parameters related to the feature are displayed.
6 Counters
The following hyperlinked EXCEL files of performance counter reference match the software
version with which this document is released.
l Node Performance Counter Summary: contains device and transport counters.
l gNodeBFunction Performance Counter Summary: contains all counters related to radio
access functions, including air interface management, access control, mobility control,
and radio resource management.
NOTE
You can find the EXCEL files of performance counter reference for the software version used on the live
network from the product documentation delivered with that version.
FAQ: How do I find the counters related to a certain feature from performance counter
reference?
Step 1: Open the EXCEL file of performance counter reference.
Step 2: On the Counter Summary(En) sheet, filter the Feature ID column. Click Text
Filters and choose Contains. Enter the feature ID, for example, FBFD-020100.
Step 3: Click OK. All counters related to the feature are displayed.
7 Glossary
8 Reference Documents
1. IETF RFC 4210, "Internet X.509 Public Key Infrastructure Certificate Management
Protocol (CMP)"
2. IETF RFC 4211, "Internet X.509 Public Key Infrastructure Certificate Request Message
Format (CRMF)"
3. IETF RFC 5280, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile"
4. IETF RFC 2585, "Internet X.509 Public Key Infrastructure Operational Protocols: FTP
and HTTP"
5. IPsec for SingleRAN
6. PKI for SingleRAN
7. 3900 & 5900 Series Base Station Alarm Reference