Professional Documents
Culture Documents
Encrypted Network Management
Encrypted Network Management
Encrypted Network Management
GBSS12.0
Feature Parameter Description
Issue 01
Date 2010-06-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
GSM BSS
Encrypted Network Management Contents
Contents
1 Introduction ................................................................................................................................1-1
1.1 Scope ............................................................................................................................................ 1-1
1.2 Intended Audience ........................................................................................................................ 1-1
1.3 Change History.............................................................................................................................. 1-1
4 Parameters .................................................................................................................................4-1
5 Counters ......................................................................................................................................5-1
6 Glossary ......................................................................................................................................6-1
7 Reference Documents .............................................................................................................7-1
1 Introduction
1.1 Scope
This document describes the encrypted network management feature (GBFD-113522 Encrypted
Network Management).
Document Issues
The document issues are as follows:
01 (2010-06-30)
Draft (2010-03-30)
01 (2010-06-30)
This is the first release of GBSS12.0.
Compared with issue draft (2010-03-30) of GBSS12.0, issue 01 (2010-06-30) of GBSS12.0 incorporates
the changes described in the following table.
Draft (2010-03-30)
This is the draft release of GBSS12.0.
3 Technical Description
3.1 Overview
During the data transmission between the M2000 and an NE, most of data is transmitted in the form of
data files such as performance data file, log file, configuration data file, and version and batch data file. If
data files are transmitted in traditional transmission mode (plain text), they are subject to exposure to
unauthorized parties.
With the encrypted network management feature, an SSL-based transmission channel is set up between
the M2000 server and an NE before a TCP link is established. Data is transmitted over the encrypted
channel. Figure 3-1 shows the encrypted network management feature.
Figure 3-1 Encrypted network management
SSL is a protocol that guarantees the security of data transmission. The SSL protocol is applied between
the application layer and the transport layer. It provides the following functions:
Data encryption
Identity authentication
Data integrity check
The SSL protocol provides secure data transmission to upper-layer applications such as WEB service,
FTP, and Telnet.
The transmission between the M2000 and a BSC supports both normal connection and SSL-based
connection. To ensure the security of data transmission between the M2000 and a BSC, it is
recommended that SSL-based connection be used.
Figure 3-2 shows the flowchart of establishing SSL-based connection between the M2000 and a BSC.
Figure 3-2 Flowchart of establishing SSL-based connection between the M2000 and a BSC
Figure 3-3 shows the flowchart of establishing FTP connection between the M2000 and a BSC.
Figure 3-3 Flowchart of establishing FTP connection between the M2000 and a BSC
The modes of SSL connections between the M2000 and NEs are as follows:
Anonymous: select neither of the two options.
Unidirectional authentication: select either of the option, that is, the OMC authenticates NEs or NE authenticates the
OMC.
Bidirectional authentication: select both the options.
M2000 Certificate
By default, the M2000 is not configured with a digital certificate. If users need to use a certificate, they
need to apply for a certificate from the certification authority (CA) and then manually configure the
certificate for the M2000 server.
The CA that applies for the M2000 certificate must be the one that applies for the NE certificate.
NE Certificate
The certificates of the BSC are managed by the M2000. Users can import, configure, and query
certificates.
Table 3-2 describes the certificates used by the BSC.
Table 3-2 Certificates used by the BSC
Certificate Description
Type
Root The root CA is the first issuing authority of the public key system. It is the source of all
certificate the trust and uses its private key for signature. The certificate issued by the root CA for
itself is the root certificate. The root CA can create certificates for other CAs. It can also
create certificates for other computers, users, or services. Users can trace the root
certificates of most certificate-based applications through the certificate chain.
Public key The digital certificate with a public key. To ensure that the public key certificate is correct,
certificate the public key certificate requires the signature of the CA.
Certificate Description
Type
Private Part of the private key. To ensure the security of the private key file, users must encrypt
key file the private key file. This means that only the person who knows the password of the
private key can use it.
CRL In case that the private key of an entity in PKI is stolen, the public key certificate
matching the stolen key must be added to the certificate revocation list (CRL) and set to
invalid. If a certificate owner has ended the relation with an organization, the
corresponding public key certificate must be added to the CRL.
Certificate To verify the public key, users must obtain the public key of the CA that issues the
chain certificate of the private key. Then, users can check the signature on the certificate. The
identity of a public key certificate should be authenticated by the CA of the upper level.
The process for authenticating a public key becomes an iterative process. As a result, a
certificate chain is formed, which ends at the root certificate.
The root certificate, public key certificate file, and private key file are mandatory for issuing NE certificates.
XXX refers to the format of a certificate. For details on the formats of certificates supported by NEs, see Table 3-4.
Table 3-4 Formats of certificates that are issued to the BSC and supported by the M2000
Certificate Type Format
Root certificate .cer, .crt, .pem, .pfx, .p12
Public key certificate .cer, .crt, .pem, .pfx, .p12
Private key file .pem, .pfx, .p12
Certificate chain .pem
CRL .cer, .crt, .crl, .pem
The certificates used by the M2000 and the BSC must be requested in the same CA.
A password is generated along with the NE private key. Therefore, users need to provide the password when the
M2000 issues the certificate to the BSC.
If the BSC certificate is not issued by the root CA, a certificate chain file is required.
The M2000 server automatically deletes certificate files after it successfully issues the files.
To protect digital certificates from being illegally copied, it is advised that users delete the certificate files saved on the
local M2000 client after they are backed up.
When importing certificates for a BSC, ensure that the imported certificates consist of the root certificate, public key
certificate, and private key file.
When the BSC communicate normally with the M2000, users can issue a certificate to the relevant BSC
by creating a task for creating certificates on the M2000 client.
Querying NE Certificates
When the connection between the BSC and the M2000 server requires an identity authentication, the
associated digital certificates must exist on the BSC. Users can query the digital certificates used by the
BSC on the M2000 client.
On the NE, only a set of activated digital certificates exist. When querying certificates, users can query only the names of
the certificates used by the BSC.
3.6 Specifications
If both communication parties adopt SSL to transmit data, the communication performance degrades by
20% to 60%. Table 3-5 and Table 3-6 list the hardware configuration of the server and client.
Table 3-5 Hardware of a server
Item Configuration
Server Sun Fire V440
CPU 1.59 GHz x 2
Operating system Solaris 10
RAM 4 GB
Item Configuration
Logs -
LAN 100 Mbit/s
Table 3-7 and Table 3-8 list the data transmission performance in TCP mode and SSL mode when the
hardware configuration listed in Table 3-5 and Table 3-6 is used.
Table 3-7 Transmission performance in TCP mode
Data Size (MB) Time (s) CPU Usage (%) Used RAM (MB)
5 0.145439 1.77777778 9.10222
10 0.256535 4.33333333 10.24
100 2.505977 17.4615385 32.29538
4 Parameters
None.
5 Counters
None.
6 Glossary
For the acronyms, abbreviations, terms, and definitions, see the Glossary.
7 Reference Documents
[1] M2000 Commissioning Guide
[2] M2000 Administrator Guide
[3] M2000 Operator Guide