
ENM Network Security Configuration

System Administrator Guide

Operating Instructions

2/1543-AOM 901 151-2 Uen DE


Copyright

© Ericsson AB 2018 - 2022. All rights reserved. No part of this document may be
reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to
continued progress in methodology, design and manufacturing. Ericsson shall
have no liability for any error or damage of any kind resulting from the use of this
document.

Trademark List

All trademarks mentioned herein are the property of their respective owners.
These are shown in the document Trademark Information.

2/1543-AOM 901 151-2 Uen DE | 2023-01-31


Contents

1 Network Security Configuration 1

2 Connect to a Service 2
2.1 Connect to a Virtual Machine on a Physical ENM Deployment 2
2.1.1 Connect to each ENM Physical Node 3
2.2 Connect to a Service on an ENM on Cloud Deployment 3
2.3 Connect to a Container in Cloud Native ENM 5
2.4 View Log Files and Dump Locations 6

3 Restart a Service 7
3.1 Restart a Service on a Physical ENM Deployment 7
3.2 Restart a Service on an ENM on Cloud Deployment 8
3.3 Restart an ENM Service on a Cloud Native ENM 9

4 View and Modify Configuration Parameters 12


4.1 Configure Parameters on a Physical ENM Deployment 12
4.2 Configure Parameters on ENM on Cloud Deployment 13
4.3 Configuration Parameter Handling Using Admin CLI 14
4.3.1 View Configuration Parameters 14
4.3.2 Modify Configuration Parameters 15
4.3.3 Reset Configuration Parameters 17

5 Node Credential and Key Administrative Tasks 19


5.1 Create Node Credentials 21
5.1.1 Enable and Disable ldapuser 23
5.2 Update Node Credentials 25
5.2.1 Update ldapuser 26
5.3 Create SSH Key 26
5.4 Update SSH Key 27
5.5 Import SSH Private Key 29
5.6 Get Node Credentials with Encrypted Password 30
5.7 Get Node Credentials with Password in Plain Text 31
5.8 Configure Single Sign-On (SSO) for Node Access 32
5.8.1 Configure Single Sign-On (SSO) for Node Access (Transport
Nodes) 32
5.8.1.1 Enable Single Sign-On 34
5.8.1.2 Disable Single Sign-On 36


5.8.1.3 Configure Single Sign-On (SSO) for R6000 Node Access Using
LDAP 37
5.8.2 Configure Single Sign-On (SSO) for Node Access (EPG and
IMS Nodes) 39
5.8.2.1 Enable Single Sign-On 40
5.8.2.2 Disable Single Sign-On 40
5.8.2.3 User Credential when Launching NodeCLI 41

6 Node Certificate Administrative Tasks 43


6.1 Distribute Trust Certificates to a Node 43
6.2 Get a Node Certificate 46
6.3 Get Trust Certificates of a Node 48
6.4 Issue a Node Certificate 50
6.5 Parameters for Auto-Renewal for Node Certificate 52
6.6 Reissue a Node Certificate 53
6.7 Remove a Trust Certificate from a Node 55
6.8 Enrollment Procedures 57
6.8.1 Enrollment Protocols 58
6.8.2 E2E Offline Enrollment Procedure for Baseband Radio Node 59
6.8.2.1 End Entity Creation and Credential Generation for E2E Offline
Enrollment for Baseband Radio Node 60
6.8.2.2 LDAP Configuration for E2E Offline Enrollment for Baseband
Radio Node 64
6.8.2.3 Node Configuration for E2E Offline Enrollment for Baseband
Radio Node 65
6.8.3 Online Certificate Enrollment on RadioNode 66
6.8.3.1 End Entity Creation and Credential Generation for Online
Certificate Enrollment on RadioNode 67
6.8.3.2 LDAP Configuration for Online Certificate Enrollment on
RadioNode 71
6.8.3.3 Node Configuration for Online Certificate Enrollment for
RadioNode 73
6.8.4 Online Enrollment Procedure for MSC Node (MSC-BC-BSP,
MSC-BC-IS, MSC-DB, and MSC-DB-BSP) 75
6.8.5 Offline Enrollment Procedure for MSC Node (MSC-BC-BSP,
MSC-BC-IS, MSC-DB, and MSC-DB-BSP) 86
6.8.5.1 Add ENM CAs to MSC Node (MSC-BC-BSP, MSC-BC-IS, MSC-
DB, and MSC-DB-BSP) 94
6.8.6 Online Enrollment Procedure for HLR-FE Node 95
6.8.7 Offline Enrollment Procedure for HLR-FE Node 106
6.8.7.1 Add ENM CAs to HLR-FE Node 114
6.8.8 Offline Enrollment Procedure for DSC Node 116
6.8.9 Online Enrollment Procedure for (v)BSC Node 117
6.8.10 Offline Enrollment Procedure for (v)BSC Node 131
6.8.11 Offline Enrollment Procedure for vDU, vCU-CP, vCU-UP Nodes 143
6.8.11.1 End Entity Creation in ENM PKI 144
6.8.11.2 Creation of Secure User on Node 147


6.8.11.3 Installation of Trusted Certificates on the Node 148


6.8.11.4 Generation and Installation of Node Certificate on the Node 150
6.8.11.5 LDAP Configuration on the Node 151
6.8.11.6 Connect to the Node with NETCONF over SSH from ENM 152
6.8.11.7 Input NETCONF Hello Request with Example 154
6.8.11.8 Input NETCONF Request to Close Connection with Example 155
6.8.11.9 Input NETCONF Request for Creation of Secure User on Node
with Example 156
6.8.11.10 Update Secure User Password for the First SSH Connection
with Example 157
6.8.11.11 Input NETCONF Request to Create Trusted Certificate List on
Node with Example 158
6.8.11.12 Input NETCONF Request for Trusted Certificate Installation on
Node with Example 159
6.8.11.13 Input NETCONF Request to Fetch Trusted Certificates
Installed on Node with Example 162
6.8.11.14 Input NETCONF Request for Node Certificate Installation on
Node with Example 163
6.8.11.15 Input NETCONF Request to Fetch Node Certificate Installed
on Node with Example 165
6.8.11.16 Input NETCONF Request to Install LDAP Configuration on
Node with Example 167
6.8.11.17 Input NETCONF Request to Fetch LDAP Configuration
Installed on Node with Example 169
6.8.12 Offline Enrollment Procedure for Node Types (vCSCF, vSAPC,
vEME, vMTAS, vSBG, vIPWorks, HSS-FE, vHSS-FE, and NeLS) 170
6.8.12.1 Add ENM CAs to Node Types (vCSCF, vSAPC, vEME, vMTAS,
vSBG, vIPWorks, HSS-FE, vHSS-FE, and NeLS) 171
6.8.13 Offline Enrollment Procedure for CUDB/vCUDB 173
6.8.14 E2E Offline Certificate Enrollment on Router 6000 Family 176
6.8.14.1 OAM Enrollment 176
6.8.14.2 IPSec Enrollment 183
6.8.15 Online Certificate Enrollment on Router 6000 Family 189
6.8.15.1 OAM Enrollment 189
6.8.15.2 IPSec Enrollment 192
6.8.16 Online Certificate Enrollment on Fronthaul 6020 197
6.8.16.1 End Entity Creation and Credential Generation 197
6.8.17 E2E Enrollment and LDAP Configuration for Controller6610
Node 199
6.8.17.1 Online Certificate Enrollment for Controller6610 199
6.8.17.2 Offline Enrollment for Controller6610 200
6.8.17.3 LDAP Configuration on Controller6610 Node 205
6.8.18 End to End Enrollment Procedures for ESC Node 208
6.8.18.1 Online Enrollment Procedure for ESC Node 208
6.8.18.2 Offline Enrollment Procedure for ESC Node 210
6.8.19 End to End Enrollment Procedures for SCU Node 215
6.8.19.1 Online Enrollment Procedure for SCU Node 215
6.8.19.2 Offline Enrollment Procedure for SCU Node 216
6.8.20 End to End Enrollment for Citizens Broadband Radio Service
Domain Coordinator Standalone (CBRS DC SA) 222


6.8.20.1 Online Enrollment Procedure for CBRS DC SA 222


6.8.21 E2E Offline Enrollment Procedure for MINI-LINK Outdoor
Nodes 231
6.8.21.1 Certificate Profile Creation 232
6.8.21.2 End Entity Profile Creation 237
6.8.21.3 End Entity Creation 240
6.8.21.4 Offline Enrollment Procedure 244
6.8.22 E2E Offline Enrollment Procedure for MINI-LINK Indoor
Nodes 245
6.8.22.1 Certificate Profile Creation 246
6.8.22.2 End Entity Profile Creation 251
6.8.22.3 End Entity Creation 254
6.8.22.4 Offline Enrollment Procedure 258
6.8.23 Offline Enrollment Procedure for ADP Based Nodes
(GenericADP) 259

7 Administering Security Levels on CPP-Based Network Elements 260
7.1 Configuring Security Levels in CPP-Based NEs 261
7.2 Configuring Local User Authentication and Authorization for
SL1 and SL2 Nodes 263
7.3 Distribution of LAAD Files on CPP-Based NEs 266
7.4 Activate Local AA 267
7.5 Deactivate Local AA 271
7.6 Get Security Level Status 274

8 LDAP Administrative Tasks 276


8.1 LDAP Configuration on Baseband Radio Node and
5GRadioNode 277
8.2 LDAP Reconfiguration on Baseband Radio Node and
5GRadioNode 279
8.3 LDAP Manual Configuration 280
8.4 Configure TLS Protocols and Disable Weak Ciphers for LDAP
Secure Communications 281
8.5 LDAP Configuration for Router 6000 Family 281
8.6 Configure LDAP on (v)BSC Node in SSH 284
8.7 LDAP Support for EIR-FE/vEIR-FE (ESA-Based Node) 289
8.8 Downsize Proxy Account Password Length 290
8.9 Renew Proxy Accounts 290

9 SNMP Administrative Tasks 294


9.1 Configure SNMPv3 294

10 IPsec Administrative Tasks 296


10.1 IPsec Administration for Baseband Radio Nodes 296


10.1.1 Configure IPsec VPN and Inner Network 298
10.1.2 Configure Outer Network 300
10.1.3 Configure Outer Network for OAM 301
10.1.4 Configure Outer Network for UPCP 302
10.1.5 Configure Physical Interfaces 303
10.1.6 Configure IPsec VPN and Inner Network for OAM 304
10.1.7 Configure IPsec VPN and Inner Network for OAM with
Different VLAN 306
10.1.8 Configure IPsec VPN and Inner Network for UP/CP 307
10.1.9 Configure IPsec VPN and Inner Network for UP/CP with
Different VLAN 309
10.1.10 Disable IPsec 311
10.1.11 Enable IPsec Configuration A 313
10.1.12 Enable IPsec Configuration B 314
10.1.13 Enable IPsec Configuration C 315
10.1.14 Enrollment and Trust Distribution on Node 316
10.1.14.1 End Entity XML Template 320
10.1.15 IPsec Current Configuration on Baseband Node 322
10.1.15.1 Identify IPsec Configuration A on Node 322
10.1.15.2 Identify IPsec Configuration B on Node 324
10.1.15.3 Identify IPsec Configuration C on Node 326
10.1.16 Offline Enrollment on Security Gateway with CSR 328
10.1.16.1 Offline Enrollment on Security Gateway with CSR Entity XML
Template 329
10.1.17 Offline Enrollment on Security Gateway without CSR 330
10.1.17.1 Offline Enrollment on Security Gateway without CSR Entity
XML Template 332
10.1.18 Trust Distribution for Security Gateway 333
10.2 External CA Support for IPsec Payload Interfaces without PKI
Involvement 335
10.2.1 Enrollment of IPsec Certificate Issued by External CA 335
10.2.2 Trust Distribution of External CA Certificates 338
10.2.3 Migration of Baseband Radio Node from ENM PKI CA to
External CA 340

11 Certificate Revocation List Management 342


11.1 Manage CRL Check on Node 342
11.1.1 Supported Node Types 344
11.1.2 Supported Certificate Type 345
11.1.3 Cert Type Behavior on CRL Check 345
11.1.4 Introduce CDPS Extension 346
11.1.4.1 Reissue All ENM PKI Certificates 346
11.1.5 Enable Certificate Revocation Check on Nodes 350
11.1.6 Disable Certificate Revocation Check on Nodes 352
11.1.7 Read Certificate Revocation Check Status on Nodes 354
11.1.8 On-Demand CRL Download on Node 356
11.1.8.1 Verify CRL Download on COM/ECIM Node 358


11.1.8.2 Verify CRL Download on CPP Node 359


11.1.8.3 Modify CRL Early Update Time Interval 359
11.1.8.4 Retrieve CRL Early Update Time Interval 359

12 Manual Procedure to Fetch Security File Values 361


12.1 Create Entity for VNFM 362
12.1.1 Create Entity for VNFM XML Template 363
12.2 Fetch CA Fingerprint 364
12.3 Fetch CMPv2ServerURL 365

13 Ciphers Management for Nodes 366


13.1 Cipher Modernization for OAM 366
13.1.1 Set Ciphers on Nodes 375
13.1.1.1 Set Ciphers on Nodes for SSH and SFTP Protocol 375
13.1.1.2 Set Ciphers on Nodes for SSL/TLS/HTTPS Protocol 376
13.1.1.3 XML File - Usage in Set Ciphers 379
13.1.1.4 Configure Ciphers on Nodes 381
13.1.2 Get Ciphers on Nodes 384
13.2 Cipher Modernization for IPsec 384
13.2.1 Cipher Modernization for IPsec on G1 Nodes 384
13.2.2 Cipher Modernization for IPsec on G2 Nodes 385

14 Configuring Users to Access AMOS, Element Manager and WinFIOL Towards SL2 or TLS Enabled Nodes 386
14.1 XML Files 388

15 Automatic Configuring of Users to Access AMOS and Element Manager Towards SL2 or TLS Enabled Nodes 392

16 Management of Real Time Security Event Logging on CPP-Based Network Elements 394
16.1 Activating Real Time Security Event Logging (RTSEL) CPP
Based NEs 394
16.2 Deactivating Real Time Security Event Logging (RTSEL) CPP
Based NEs 396
16.3 Deletion of External Syslog Servers 397
16.4 Offline Enrollment of External Syslog Server 398
16.5 Get Real Time Sec Log Attributes on CPP Based NEs 400

17 Management of Real-Time Security Event Logging (RTSEL) on Baseband Radio Nodes 402
17.1 Activate Real Time Security Event Logging (RTSEL) for
Baseband Radio Network Elements 402
17.2 Deactivate Real Time Security Event Logging (RTSEL) for
Baseband Radio Network Elements 404


17.3 Get Real Time Security Event Logging (RTSEL) Status for
Baseband Radio Network Elements 404

18 Management of Real Time Security Event Logging (RTSEL) for AXE Network Elements 406
18.1 Activate Real Time Security Event Logging (RTSEL) for AXE
Network Elements 406
18.2 Deactivate Real Time Security Event Logging (RTSEL) for AXE
Network Elements 408
18.3 Get Real Time Security Event Logging (RTSEL) Status for AXE
Network Elements 409

19 Router6000 External CA Import Procedure 411

20 IPsec CLI Management 413


20.1 Activate IPsec Configuration for OAM on an Already
Operational Node 415
20.1.1 Monitor the IPsec Activation Status 418
20.2 Deactivate IPsec Configuration for OAM on eNodeB DU Radio
Nodes 419
20.2.1 Monitor the IPsec Deactivation Status 421
20.3 Activate or Deactivate IPsec Configuration for OAM by Using
Site Basic File 422
20.4 Get IPsec Current Status 424

21 Configuration of TLS for OAM Communication 426


21.1 TLS Protocol Version Update 428

22 HTTPS on CPP-Based Network Elements 430


22.1 Activate HTTPS on CPP-Based NEs 430
22.2 Deactivate HTTPS on CPP-Based NEs 432

23 Support for FTPES Protocol 434


23.1 Activate FTPES 435
23.2 Deactivate FTPES 436
23.3 Get FTPES Status 437
23.4 Enable of FTPES for G2 Nodes on AMOS 437
23.5 Enable of FTPES for G2 Nodes on AMOS in Cloud Native ENM 438

24 Configuration of Trusted NTP Server 440


24.1 NTP Configuration on Network Element 440
24.2 List NTP Server Details 442
24.3 Remove NTP Server Details 443
24.4 Renew NTP Key 444


25 Disable Weak Ciphers in ENM 446


25.1 Disable Weak Ciphers 447

26 Management of Node IPsec Certificate and Trust Distribution Use Cases in Case of Multiple Ikev2PolicyProfile MOs 449

27 Network Security Configuration Parameters Table 452

28 Network Security Configuration Limitations 454

Security Reference List 459


1 Network Security Configuration

This document describes the Network Security Configuration (NSC) for ENM.

NSC contains the ENM-related business logic needed to configure Network
Elements to support different security features.

Prerequisites
It is required that the user:
— Has knowledge of ENM.

— Has knowledge of using the ENM CLI.

— Has knowledge of PKI.

— Has knowledge of computer security, private and public key technology, and
X.509 certificates.

Target Groups
Security Administrator

Typographical Conventions
The typographical conventions for all Customer Product Information (CPI) in
ENM are found in ENM Library Typographic Conventions, Reference [20].


2 Connect to a Service

2.1 Connect to a Virtual Machine on a Physical ENM Deployment

Prerequisites
A command window is open and you have superuser privileges.

Steps

1. Log on to the ENM Management Server (MS) as litp-admin user and switch
to the root user.

2. List the contents of the hosts file to view all VMs within the
deployment.

[root@ms-1 ~]# cat /etc/hosts


...
192.168.99.20 svc-1-pmserv # Created by LITP. Please do not edit
192.168.99.26 svc-1-netex # Created by LITP. Please do not edit
192.168.99.16 svc-1-ebc # Created by LITP. Please do not edit
192.168.99.36 svc-1-mspm # Created by LITP. Please do not edit
192.168.99.28 svc-1-uiserv # Created by LITP. Please do not edit
192.168.99.14 svc-1-supervc # Created by LITP. Please do not edit
..
192.168.99.32 svc-1-mscm # Created by LITP. Please do not edit
..
192.168.99.50 svc-1-jms # Created by LITP. Please do not edit
..
192.168.99.3 logstash # Created by LITP. Please do not edit
..
192.168.99.2 httpd # Created by LITP. Please do not edit
192.168.99.40 sso # Created by LITP. Please do not edit
..
192.168.99.12 svc-1-medrout # Created by LITP. Please do not edit
192.168.99.22 svc-1-cmserv # Created by LITP. Please do not edit
192.168.99.52 svc-1-sec # Created by LITP. Please do not edit
192.168.99.8 openidm # Created by LITP. Please do not edit

The aliases for the parallel VMs take the form of <SVC host>-<service>.

For example: svc-1-cmserv, svc-2-cmserv.

The active-passive VMs take the form of <service>.

For example: httpd, sso, openidm.

3. To access the VM, copy the private key of the cloud-user from its secure
location to the MS or SVC node. The examples below expect it at the
following path; keep the file readable by root only (mode 0600), because
ssh refuses a private key that other users can read.

[root@ms-1 ~]# /root/.ssh/vm_private_key


Refer to VM Security Tasks in the ENM System Administrator Guide to learn
more about the vm_private_key.

4. Connect by SSH to the VM you want.

To access the VM, use the cloud-user user ID and include the path to the VM
private key. For example:

[root@ms-1 ~]# ssh -i /root/.ssh/vm_private_key cloud-user@svc-1-cmserv


Last login: Thu Feb 26 10:14:43 2015 from 192.110.0.59
[cloud-user@svc-1-cmserv ~]# sudo su - root
[root@svc-1-cmserv ~]#
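The two checks a practitioner wants before Step 4 are "which aliases are LITP-managed VMs, and of which kind" and "is the copied key still private". The following is an added example, not code from the ENM guide: it parses a constructed hosts file in the format shown above, classifies each LITP-managed alias as parallel (svc-<N>-<service>) or active-passive (<service>), and refuses to use an SSH private key whose mode is not 0600 or 0400. The hosts entries and the temporary key file are constructed for the example; only the "Created by LITP" comment format is taken from the page.

```sh
#!/bin/sh
# Added example, not from the ENM guide: list the LITP-managed VM aliases
# from a hosts file, classify each one, and check an SSH private key's mode
# before it is passed to "ssh -i".

# classify_alias ALIAS -> prints "parallel" or "active-passive"
classify_alias() {
    case "$1" in
        svc-[0-9]*-*) printf 'parallel\n' ;;
        *)            printf 'active-passive\n' ;;
    esac
}

# list_litp_vms HOSTS_FILE -> one line per LITP-managed entry: "<ip> <alias> <kind>"
list_litp_vms() {
    grep 'Created by LITP' "$1" | while read -r ip alias _comment; do
        printf '%s %s %s\n' "$ip" "$alias" "$(classify_alias "$alias")"
    done
}

# count_litp_vms HOSTS_FILE KIND -> number of LITP-managed entries of KIND
count_litp_vms() {
    list_litp_vms "$1" | awk -v k="$2" '$3 == k { n++ } END { print n + 0 }'
}

# key_mode_ok KEY_FILE -> exit 0 when the mode is 0600 or 0400, else 1
# (ssh rejects a key readable by group or others, so catch it before connecting)
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample hosts file (hypothetical addresses, not a real deployment).
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost
192.168.99.22 svc-1-cmserv # Created by LITP. Please do not edit
192.168.99.23 svc-2-cmserv # Created by LITP. Please do not edit
192.168.99.40 sso # Created by LITP. Please do not edit
192.168.99.8 openidm # Created by LITP. Please do not edit
EOF

# Constructed empty key file, only used to exercise the permission check.
SAMPLE_KEY=$(mktemp)
chmod 600 "$SAMPLE_KEY"

list_litp_vms "$SAMPLE_HOSTS"
if key_mode_ok "$SAMPLE_KEY"; then
    printf 'key mode ok, would run: ssh -i %s cloud-user@svc-1-cmserv\n' "$SAMPLE_KEY"
fi
```

Run it against the real /etc/hosts and /root/.ssh/vm_private_key on the MS by passing those paths instead of the sample files; key_mode_ok failing is the signal that the key was copied into a shared location without tightening its mode.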

2.1.1 Connect to each ENM Physical Node

Prerequisites

— The root password was changed during the installation process and must
be known by the system administrator. This must be repeated on all newly
deployed ENM nodes.

— A command window is open.

Steps

1. Log on to each physical node from the MS.

[root@ms-1 ~]# ssh litp-admin@<node_hostname>
litp-admin@<node_hostname>'s password:
Last login: Mon Feb 23 11:25:13 2015 from ms-1
[litp-admin@<node_hostname> ~]$ su - root
Password:
[root@<node_hostname> ~]#

Note: Once connected, after the initial deployment, the passwords for
both the litp-admin and root users must be changed.

2.2 Connect to a Service on an ENM on Cloud Deployment

Prerequisites

— A command window is open and you have superuser privileges.

— You have access to the private key file used for authentication; if not,
contact your OpenStack administrator.

Steps

1. List the virtual machine aliases from the consul service.

Using the private key for authentication, copy the key to the EMP server. Log
on to the EMP server and list the consul members to view all connected VMs
within the deployment:

> scp -i <cloud-user private key> <cloud-user private key> cloud-user@<EMP IP Address>:/var/tmp/vm_private_key
> ssh -i <cloud-user private key> cloud-user@<EMP IP Address>
[cloud-user@ostk003-emp-0 ~]$ chmod 700 /var/tmp/vm_private_key
[cloud-user@ostk003-emp-0 ~]$ sudo su -
[root@ostk003-emp-0 ~]# consul members
Node Address Status Type Build Protocol DC
haproxy 10.3.2.31:8301 alive client <consul_version> 2 dc1
opendj-1 10.3.2.83:8301 alive client <consul_version> 2 dc1
opendj-2 10.3.2.84:8301 alive client <consul_version> 2 dc1
openidm 10.3.2.85:8301 alive client <consul_version> 2 dc1
ostk003-accesscontrol-0 10.3.1.251:8301 alive client <consul_version> 2 dc1
ostk003-accesscontrol-1 10.3.1.252:8301 alive client <consul_version> 2 dc1
ostk003-elasticsearch-0 10.3.2.15:8301 alive client <consul_version> 2 dc1
...
ostk003-neo4j-2 10.3.2.77:8301 alive client <consul_version> 2 dc1
ostk003-nfscommon-0 10.3.0.81:8301 alive client <consul_version> 2 dc1
ostk003-nfsnrbk-0 10.3.0.83:8301 alive client <consul_version> 2 dc1
ostk003-nfspm-0 10.3.0.85:8301 alive client <consul_version> 2 dc1
ostk003-nfspm-1 10.3.0.82:8301 alive client <consul_version> 2 dc1
...
ostk003-secserv-1 10.3.2.98:8301 alive client <consul_version> 2 dc1
ostk003-serviceregistry-0 10.3.2.100:8301 alive server <consul_version> 2 dc1
ostk003-serviceregistry-1 10.3.2.101:8301 alive server <consul_version> 2 dc1
ostk003-serviceregistry-2 10.3.2.102:8301 alive server <consul_version> 2 dc1
ostk003-uiserv-0 10.3.2.116:8301 alive client <consul_version> 2 dc1
ostk003-uiserv-1 10.3.2.117:8301 alive client <consul_version> 2 dc1
ostk003-vnflaf-services 10.3.1.249:8301 alive client <consul_version> 2 dc1
...
svc-2-httpd 10.3.2.35:8301 alive client <consul_version> 2 dc1
svc-2-sps 10.3.2.111:8301 alive client <consul_version> 2 dc1
svc-2-sso 10.3.2.113:8301 alive client <consul_version> 2 dc1

2. SSH to the VM you want.

To access the VM, use the cloud-user user ID and include the path to the VM
private key. The VM can be accessed using either the node identifier or its IP
address. For example:

[cloud-user@ostk003-emp-0 ~]$ ssh -i /var/tmp/vm_private_key cloud-user@10.3.2.31
The authenticity of host 'haproxy (10.3.2.31)' can't be established.
RSA key fingerprint is b9:4f:ca:4f:bc:55:00:de:a8:77:e5:08:56:7c:db:98.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'haproxy,10.3.2.31' (RSA) to the list of known hosts.
[cloud-user@haproxy ~]$

2.3 Connect to a Container in Cloud Native ENM

Prerequisites

— A client machine that can reach the Kubernetes cluster API handling Cloud
Native ENM.

— The required user credentials for the client machine.

— The required kubeconfig file is available to access the cluster on which Cloud
Native ENM is deployed.

— The required <namespace> associated with the Cloud Native ENM deployment.

Steps

1. Set the KUBECONFIG environment variable from the client machine.


A kubeconfig file is used to configure access to the Kubernetes container
platform when used in conjunction with the kubectl command line tool.

export KUBECONFIG=<path of kubeconfig file>

2. List all pods by service name.

# kubectl get pods -n <namespace>

Example

bash-4.4# kubectl get pods -n enm31
NAME READY STATUS RESTARTS AGE
accesscontrol-74798584b-jqfdb 3/3 Running 0 32h
amos-58fc6dbb9c-cttxt 3/3 Running 0 32h
apserv-6896db5f59-xcjwk 3/3 Running 0 32h
autoidservice-68f565ffc5-znmb6 3/3 Running 0 32h
cmevents-86c6f9f597-brxb8 3/3 Running 0 32h
...

3. To get the names of the containers within a Pod, use the following.

# kubectl get pod <pod id> -n <namespace> -o jsonpath={.spec.containers[*].name}

Example
# kubectl get pod wpserv-0 -n enm48 -o jsonpath={.spec.containers[*].name}
wpserv wpserv-monitoring wpserv-httpd

4. Log on to a container using the kubectl exec command. The -c flag selects
which container within the Pod is accessed; the namespace is passed with -n.

kubectl exec -it <pod id> -c <container Name> -n <namespace> -- bash

Example
# kubectl exec -it wpserv-0 -c wpserv-httpd -n <namespace> -- bash
wpserv-0:/ #

2.4 View Log Files and Dump Locations


The following are details of log files available within each service in ENM.

Logs
All logs are configured to be forwarded to the Central Log Service. As such they
are visible in Log Viewer using the ENM Launcher.

JBOSS Logs
All JBOSS logs are stored locally in /ericsson/3pp/jboss/standalone/log

3PP & System Logs


As standard, most 3PP and system logs are available locally in /var/log

Dumps
All application memory and core dump files are located in /ericsson/enm/dumps


3 Restart a Service

3.1 Restart a Service on a Physical ENM Deployment

Prerequisites
— Root access to MS.

Steps

1. List the instances of a service on the ENM deployment by filtering the VCS
group list for the service name:

[root@<MS> ~]# /opt/ericsson/enminst/bin/vcs.bsh --groups | grep <service_name>

Example
[root@ieatlms4352 ~]# /opt/ericsson/enminst/bin/vcs.bsh --groups | grep mspm
svc_cluster Grp_CS_svc_cluster_mspm ieatrcxb2539-1 parallel vm ONLINE OK -
svc_cluster Grp_CS_svc_cluster_mspm ieatrcxb4373 parallel vm ONLINE OK -
svc_cluster Grp_CS_svc_cluster_mspm ieatrcxb4374 parallel vm ONLINE OK -

2. Restart the VCS service group:

/opt/ericsson/enminst/bin/vcs.bsh --restart -g <service_group> -s <system>

Note: The -s option restarts the service group on one system at a time. To
restart further instances, repeat the command with a different system
name.

It is not recommended (unless specifically instructed) to restart more than
one instance of a service at the same time. Restarting more than one
instance of a service at the same time reduces the availability of the
service and also has application-specific consequences.

Example
/opt/ericsson/enminst/bin/vcs.bsh --restart -g Grp_CS_svc_cluster_mspm -s ieatrcxb4373
[root@ms-1 bin]# bash vcs.bsh --restart -g Grp_CS_svc_cluster_mspm -s ieatrcxb4373
2020-07-23 12:02:04.481 INFO hagrp_offline : Offlining 1 group(s)
2020-07-23 12:02:04.515 INFO hagrp_offline : Offlining Grp_CS_svc_cluster_mspm on ieatrcxb4373
2020-07-23 12:02:04.807 INFO wait_vcs_state : Waiting for Grp_CS_svc_cluster_mspm to go OFFLINE on ieatrcxb4373 (timeout=1800)
2020-07-23 12:05:43.185 INFO wait_vcs_state : Group Grp_CS_svc_cluster_mspm now OFFLINE on ieatrcxb4373 (3m:39s)
2020-07-23 12:05:43.817 INFO hagrp_online : Onlining 1 group(s)
2020-07-23 12:05:43.822 INFO online_services : Onlining Grp_CS_svc_cluster_mspm on ieatrcxb4373
2020-07-23 12:05:44.057 INFO wait_vcs_state : Waiting for Grp_CS_svc_cluster_mspm to go ONLINE on ieatrcxb4373 (timeout=4500)
2020-07-23 12:09:03.400 INFO wait_vcs_state : Group Grp_CS_svc_cluster_mspm now ONLINE on ieatrcxb4373 (3m:19s)
[root@ms-1 bin]#

3. Verify if the service instance is ONLINE:

/opt/ericsson/enminst/bin/vcs.bsh --groups | grep mspm

Example
[root@ieatlms4352 ~]# /opt/ericsson/enminst/bin/vcs.bsh --groups | grep mspm
svc_cluster Grp_CS_svc_cluster_mspm ieatrcxb2539-1 parallel vm ONLINE OK -
svc_cluster Grp_CS_svc_cluster_mspm ieatrcxb4373 parallel vm ONLINE OK -
svc_cluster Grp_CS_svc_cluster_mspm ieatrcxb4374 parallel vm ONLINE OK -

4. After the service restarted in Step 2 is ONLINE, you can repeat Step 2 and
Step 3 to restart further instances of the service as per your requirement.
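The procedure above is a loop: restart one system, confirm every instance of the group is ONLINE, then restart the next. The following is an added example, not code from the ENM guide: it parses the "vcs.bsh --groups" table format shown in Step 1 (a constructed sample is embedded), reports the systems that host a group, and only walks through the group one system at a time while every instance is ONLINE. The run_vcs function is a dry-run stand-in that prints the vcs.bsh command line it would execute; on a real MS, replace its body with a call to /opt/ericsson/enminst/bin/vcs.bsh and re-run the group check after each restart.

```sh
#!/bin/sh
# Added example, not from the ENM guide: sequential restart of the instances
# of one VCS service group, gated on the whole group being ONLINE.

# run_vcs ARGS... -> dry run: prints the vcs.bsh command line it would execute.
# On a real MS replace the body with: /opt/ericsson/enminst/bin/vcs.bsh "$@"
run_vcs() {
    printf '/opt/ericsson/enminst/bin/vcs.bsh %s\n' "$*"
}

# group_systems GROUP GROUPS_FILE -> systems (column 3) hosting GROUP
group_systems() {
    awk -v g="$1" '$2 == g { print $3 }' "$2"
}

# group_all_online GROUP GROUPS_FILE -> exit 0 if GROUP has at least one
# instance and every instance shows ONLINE in column 6, else 1
group_all_online() {
    awk -v g="$1" '
        $2 == g { n++; if ($6 != "ONLINE") bad++ }
        END { exit (n == 0 || bad > 0) }' "$2"
}

# restart_group_sequentially GROUP GROUPS_FILE -> one restart per system, in
# order; refuses to start (exit 1) if the group is not fully ONLINE.
restart_group_sequentially() {
    group_all_online "$1" "$2" || return 1
    for sys in $(group_systems "$1" "$2"); do
        run_vcs --restart -g "$1" -s "$sys"
        # On a real MS: refresh the groups file from "vcs.bsh --groups" and call
        # group_all_online again before continuing to the next system.
    done
}

# Constructed sample of "vcs.bsh --groups | grep ..." output (not from a live MS):
# the mspm group is healthy, the cmserv group has one instance FAULTED.
SAMPLE_GROUPS=$(mktemp)
cat > "$SAMPLE_GROUPS" <<'EOF'
svc_cluster Grp_CS_svc_cluster_mspm ieatrcxb2539-1 parallel vm ONLINE OK -
svc_cluster Grp_CS_svc_cluster_mspm ieatrcxb4373 parallel vm ONLINE OK -
svc_cluster Grp_CS_svc_cluster_mspm ieatrcxb4374 parallel vm ONLINE OK -
svc_cluster Grp_CS_svc_cluster_cmserv ieatrcxb4373 parallel vm OFFLINE FAULTED -
svc_cluster Grp_CS_svc_cluster_cmserv ieatrcxb4374 parallel vm ONLINE OK -
EOF

restart_group_sequentially Grp_CS_svc_cluster_mspm "$SAMPLE_GROUPS"
if ! restart_group_sequentially Grp_CS_svc_cluster_cmserv "$SAMPLE_GROUPS"; then
    printf 'cmserv: not all instances ONLINE, no restart issued\n'
fi
```

The gate matters for availability: a parallel group with one instance already OFFLINE or FAULTED loses a second instance to the restart, which is exactly the situation the note above warns against.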

3.2 Restart a Service on an ENM on Cloud Deployment

Prerequisites
— User connected to EMP server.

Steps

1. List the instances of a service on the ENM on Cloud deployment by filtering
the consul members for the service name.

# consul members | grep <service_name>

Example
# consul members | grep mscm

2. Connect to the VM of the service instance and trigger a healthcheck failure
of the VM by killing consul.

# pkill consul

3. Verify if the service instance is ONLINE.

4. After the restarted service is ONLINE, repeat the preceding two steps to
restart further instances of the service as per your requirement.


3.3 Restart an ENM Service on a Cloud Native ENM

Prerequisites

— A client machine that can reach Kubernetes cluster API handling Cloud
Native ENM.

— The required user credentials for the client machine.

— The required kubeconfig file is available to access the cluster on which Cloud
Native ENM is deployed.

— The required namespace associated with the Cloud Native ENM deployment.

Note: On Kubernetes deployments, a restart of an ENM service is implemented
as Pod deletion and re-creation.

Steps

1. Set the KUBECONFIG environment variable from client machine.


A kubeconfig file is used to configure access to the Kubernetes container
platform when used with the kubectl command line tool.

# export KUBECONFIG=<path of kubeconfig file>

2. If a restart is required for all the Pods of the deployment, statefulset, or
daemonset, perform the following; otherwise follow Step 3.

a. Retrieve the name of the deployment, statefulset, or daemonset:

# kubectl get <deployment/statefulset/daemonset> -n <namespace> | grep "<deployment/statefulset/daemonset name>"

Example
# kubectl get deployment -n enm101 | grep "mscm "
mscm 2/2 2 2 3d1h

Note: Include a trailing space in the grep pattern so that only the exact
resource name matches.

b. Run the following command to restart all Pods of the deployment,
statefulset, or daemonset in sequential order:

# kubectl rollout restart <deployment/statefulset/daemonset> <deployment/statefulset/daemonset name> -n <namespace>


Example
# kubectl rollout restart deployment mscm -n enm101
deployment.apps/mscm restarted

c. Verify that all the Pods of the deployment are up and running.
Check the status by retrieving the deployment.

# kubectl rollout status <deployment/statefulset/daemonset> <deployment/statefulset/daemonset name> -n <namespace>

The command waits until all the replicas have been rolled out completely.

Example
# kubectl rollout status deployment mscm -n enm101
Waiting for deployment "mscm" rollout to finish: 1 out of 2 new replicas have been updated...

Result:

# kubectl rollout status deployment mscm -n enm101
Waiting for deployment "mscm" rollout to finish: 1 of 2 updated replicas are available...
deployment "mscm" successfully rolled out

3. To restart the required Pod:

a. Retrieve the Pod name from the deployment.

# kubectl get pods -n <namespace> | grep "<name>"-

Example
# kubectl get pods -n enm101 | grep mscm-
mscm-76f9c758fb-4hjxf 3/3 Running 0 1d
mscm-57544df8bd-j42pt 3/3 Running 0 1d

b. Run the following command for the graceful termination.


This deletes the existing Pod and creates a new Pod.

# kubectl delete pod <name>-<pod id> -n <namespace>

Example
# kubectl delete pod mscm-76f9c758fb-4hjxf -n enm101

c. Verify that the Pod is up with all the containers Running, that is, READY
shows 1/1, 2/2, 3/3, or 4/4. Check the status by retrieving the Pod.

10 2/1543-AOM 901 151-2 Uen DE | 2023-01-31


Restart a Service

# kubectl get pods -n <namespace> | grep "<name>"-

Example
# kubectl get pods -n enm101 | grep mscm-
mscm-57544df8bd-hsnbq 3/3 Running 0 2m39s
mscm-57544df8bd-j42pt 3/3 Running 0 1d

d. After the restarted Pod is up with all the containers Running, repeat
the same steps to restart the other Pods of same service if required.

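The restart sequence of steps 2 and 3, as a shell function that checks the resource exists, performs the rolling restart, waits for it to finish and then applies the same READY n/n and Running test to every Pod of the service. This is an added example, not code from the ENM guide; it assumes kubectl is already on PATH and configured for the ENM cluster, and the Pod lines in SAMPLE_PODS are constructed from the output format shown above.

```shell
#!/bin/sh
# Added example, not from the ENM guide: rolling restart of one ENM service on
# a containerized deployment, with the readiness check the procedure describes
# (every Pod Running and READY n/n). Assumes kubectl is on PATH and already
# pointed at the ENM cluster; the namespace and service names are illustrative.

# pods_all_ready: read `kubectl get pods` lines on stdin; succeed only if at
# least one Pod matched and every Pod is Running with READY equal to n/n.
pods_all_ready() {
    awk '
        $1 == "NAME" || NF < 3 { next }
        {
            split($2, r, "/")
            if ($3 != "Running" || r[1] != r[2] || r[1] == 0) bad++
            n++
        }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    '
}

# restart_service KIND NAME NAMESPACE: rollout restart, wait, then verify.
# KIND is deployment, statefulset or daemonset.
restart_service() {
    kind=$1; name=$2; ns=$3
    # Trailing space after the name keeps "mscm " from also matching "mscmce".
    kubectl get "$kind" -n "$ns" | grep -q "^$name " \
        || { echo "no $kind named $name in namespace $ns" >&2; return 1; }
    kubectl rollout restart "$kind" "$name" -n "$ns" || return 1
    # Blocks until every replica has rolled; the timeout avoids hanging on a
    # Pod that never becomes Ready (CrashLoopBackOff, unschedulable).
    kubectl rollout status "$kind" "$name" -n "$ns" --timeout=10m || return 1
    kubectl get pods -n "$ns" | grep "^$name-" | pods_all_ready
}

# Constructed sample of `kubectl get pods -n enm101 | grep mscm-` output, used
# to exercise the check without a cluster.
SAMPLE_PODS='mscm-57544df8bd-hsnbq 3/3 Running 0 2m39s
mscm-57544df8bd-j42pt 3/3 Running 0 1d'

# Usage against a live cluster:  restart_service deployment mscm enm101
```

The check fails for a Pod that is Running but not fully ready (for example 2/3), for a Pod still in ContainerCreating, and when no Pod matched at all, so a typo in the service name is not reported as success.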


4 View and Modify Configuration Parameters

To configure a parameter, it is necessary to determine the working environment and follow the task relevant to that environment.

4.1 Configure Parameters on a Physical ENM Deployment

Prerequisites

— A command window is open with super user privileges.

— Connected to the ENM MS as per Connect to a Virtual Machine on a Physical ENM Deployment on page 2.

Steps

1. Find the hostname for the service instance.

grep <hostname> /etc/hosts

2. Choose one of the returned hostnames for the following steps.

3. Navigate to the following directory:


[root@ms-1 ~]# cd /ericsson/pib-scripts/etc/

4. Check a configuration parameter on the selected VM.

./config.py read --app_server_address=<hostname>:8080 --service_identifier=<service identifier> --name=<parameter name>

Note: — --service_identifier= is optional for this command.

— --app_server_address= is the hostname of the VM, or the hostname of any JBoss VM with the configuration ear/interface available.

Example
To check value of the SMRS_ERBS_NoOf_BACKUP_FILES parameter:

./config.py read --app_server_address=svc-1-fileaccountservice:8080 --name=SMRS_ERBS_NoOf_BACKUP_FILES

5. Update a configuration parameter on a deployed VM.

./config.py update --app_server_address=<hostname>:8080 --service_identifier=<service identifier> --name=<parameter name> --value=<value>


Note: --service_identifier= is optional for this command.

Example
To update the SMRS_ERBS_NoOf_BACKUP_FILES value to 4:

./config.py update --app_server_address=svc-1-fileaccountservice:8080 --name=SMRS_ERBS_NoOf_BACKUP_FILES --value=4

6. Reset a configuration parameter to its default value.

The default value is displayed immediately after the reset command runs.

./config.py reset --app_server_address=<hostname>:8080 --name=<parameter name>

Example
To reset netconfCapabilities:

./config.py reset --app_server_address=svc-1-mscmce:8080 --name=netconfCapabilities

Results
An application parameter is updated or reset using the script.

4.2 Configure Parameters on ENM on Cloud Deployment

Prerequisites

— A command window is open with super user privileges.

— Connected to an EMP VM using Connect to a Service on an ENM on Cloud Deployment on page 3.

Steps

1. As cloud-user change to root.

[cloud-user@emp ~]$ sudo su -
[root@emp ~]#

2. Find the hostname for the service instance.

consul members | grep <hostname>

3. Choose one of the returned hostnames for the following steps.

4. Change directory to where the config.py script is located.


[root@emp ~]# cd /ericsson/pib-scripts/etc/
[root@gat-emp-0 etc]#

5. Read the current parameter value.

./config.py read --app_server_address=<hostname>:8080 --service_identifier=<service identifier> --name=<parameter name>

Note: --app_server_address= is the hostname of the VM, or the hostname of any JBoss VM with the configuration ear/interface available.

6. Set the parameter to the required value.

./config.py update --app_server_address=<hostname>:8080 --service_identifier=<service identifier> --name=<parameter name> --value=<value>

7. Reset a configuration parameter to its default value.

The default configuration value is displayed immediately after the reset command runs.

./config.py reset --app_server_address=<hostname>:8080 --name=<parameter name>

Results
An application parameter is updated or reset using the configuration script.

4.3 Configuration Parameter Handling Using Admin CLI

4.3.1 View Configuration Parameters

The admin parameter view command allows users to view a configuration parameter by its name and optional identifiers such as service_identifier and app_server_identifier.

Prerequisites

— Logged on to ENM as a user with the role Configuration_Parameter_Application_Administrator.

Steps

1. Log on ENM.

2. From the menu, select the Command Line Interface.

3. Enter one of the following commands to export all configuration parameters to a file.


— admin parameter exportall - to export the parameters to a file in JSON output.

— admin parameter exportall --table - to export the parameters to a file in CSV output.

In each case, the file can be searched for the parameter and it can be verified
if the parameter has a serviceIdentifier or jvmIdentifier associated to
it.

4. Enter the command to view the value of a configuration parameter.

Command syntax:

admin parameter view --name <param-name> --service_identifier <serviceIdentifier> --app_server_identifier <jvmIdentifier>

Note: — --service_identifier <serviceIdentifier> is optional for this command and must be provided if the parameter is service scoped.

— --app_server_identifier <jvmIdentifier> is optional for this command and must be provided if the parameter is JVM scoped.

Example
admin parameter view --name protocolInfo --service_identifier mediationservice --app_server_identifier mscmce-8495ffcdb4-lcj8t

Result:
protocolInfo: CM

Results
A configuration parameter value is viewed through the ENM CLI.

4.3.2 Modify Configuration Parameters

The admin parameter modify command allows users to modify a configuration parameter by its name, value, and optional identifiers such as service_identifier and app_server_identifier.

Prerequisites

— Logged on to ENM as a user with the roles Configuration_Parameter_Application_Administrator and LogViewer_Operator.


Steps

1. Log on ENM.

2. From the menu, select Command Line Interface.

3. Enter one of the following commands to export all configuration parameters to a file.

— admin parameter exportall - to export the parameters to a file in JSON output.

— admin parameter exportall --table - to export the parameters to a file in CSV output.

In each case, the file can be searched for the parameter and it can be verified
if the parameter has a serviceIdentifier or jvmIdentifier associated to
it.

4. Enter the command to modify the value of a configuration parameter.

Command syntax:

admin parameter modify --name <param-name> --value <param-value> --service_identifier <serviceIdentifier> --app_server_identifier <jvmIdentifier>

Note: — --service_identifier <serviceIdentifier> is optional for this command and must be provided if the parameter is service scoped.

— --app_server_identifier <jvmIdentifier> is optional for this command and must be provided if the parameter is JVM scoped.

Example
admin parameter modify --name protocolInfo --value PM --service_identifier mediationservice --app_server_identifier mscmce-8495ffcdb4-lcj8t

Result:
Parameter protocolInfo updated successfully.

Results
A configuration parameter value has been updated through the ENM CLI.


4.3.3 Reset Configuration Parameters

The admin parameter reset command allows users to reset a configuration parameter to its default model value, given its name and optional fields such as namespace, service_identifier, and app_server_identifier.

Prerequisites

— Logged on to ENM as a user with the roles Configuration_Parameter_Application_Administrator and LogViewer_Operator.

Steps

1. Log on ENM.

2. From the menu, select Command Line Interface.

3. Enter one of the following commands to export all configuration parameters to a file.

— admin parameter exportall - to export the parameters to a file in JSON output.

— admin parameter exportall --table - to export the parameters to a file in CSV output.

In each case, the file can be searched for the parameter and it can be verified
if the parameter has a serviceIdentifier or jvmIdentifier associated to
it.

4. Enter the command to reset the value of a configuration parameter.

Command syntax:

admin parameter reset --name <param-name> --service_identifier <serviceIdentifier> --app_server_identifier <jvmIdentifier> --namespace <namespace>

Note: — --service_identifier <serviceIdentifier> is optional for this command and must be provided if the parameter is service scoped.

— --app_server_identifier <jvmIdentifier> is optional for this command and must be provided if the parameter is JVM scoped.

— --namespace <namespace> is optional for this command and can be provided if the parameter belongs to a specific namespace.


Example
admin parameter reset --name protocolInfo --service_identifier mediationservice --app_server_identifier mscmce-8495ffcdb4-lcj8t

Result:
protocolInfo: CM

Results
A configuration parameter is reset as expected.


5 Node Credential and Key Administrative Tasks

These tasks provide access to the node through node credentials (encrypted passwords) or through an SSH public key.

The node credentials are needed to access the nodes and depend on the feature, the node type, or both. They are mandatory for:
— Node SSH key

— Trust Distribution

— Security Level Configuration

Note: The credentials must already be stored on the nodes before performing any administrative task.

Credential creation and update are performed on ENM only. The Node Credentials administrative task does not perform any automatic certificate creation or update on the node.

There are four types of node credentials:
— secure

— normal

— root

— nodecli user

The nodecli user credentials are supported for all the node types and these
are optional. The nodecli user credentials are used while launching the Launch
Node CLI application.

The credentials are set in the Data Persistence Service (DPS), that is the
NetworkElementSecurity MO.

The NetworkElementSecurity MO contains the following four couples of credentials:

— secureUserName and secureUserPassword

— normalUserName and normalUserPassword

— rootUserName and rootUserPassword

— nodeCliUserName and nodeCliUserPassword

The meaning of the secureUserName, normalUserName, and rootUserName credentials is specific to the node type.

The configuration of one or more of the node credentials depends on the node type.

The following table is a summary example. For detailed information on the supported credentials for each node type, see the secadm capability get command in the ENM CLI online help.

Table 1
Node Type | Secure Credentials | Normal Credentials | Root Credentials
BSC | Yes | No | No
ERBS | Yes | Yes | Yes
MINI-LINK Indoor | Yes | Yes | Yes
MINI-LINK-CN210 | Yes | Yes | Yes
MINI-LINK-CN510R1 | Yes | Yes | Yes
MINI-LINK-CN510R2 | Yes | Yes | Yes
MINI-LINK-CN810R1 | Yes | Yes | Yes
MINI-LINK-CN810R2 | Yes | Yes | Yes
MINI-LINK-665x | Yes | Yes | Yes
MINI-LINK-669x | Yes | Yes | Yes
MINI-LINK-6371 | Yes | Yes | Yes
MINI-LINK-6366 | Yes | Yes | Yes
MINI-LINK-6352 | Yes | Yes | Yes
MINI-LINK-6351 | Yes | Yes | Yes
MINI-LINK-PT2020 | Yes | Yes | Yes
MGW | Yes | Yes | Yes
SGSN-MME | Yes | No | No
Router6672 | Yes | No | No
Router6274 | Yes | No | No
Router6675 | Yes | No | No
Router6x71 | Yes | No | No
Router6273 | Yes | No | No
Router6673 | Yes | No | No
SAPC | Yes | Yes | Yes
EPG | Yes | Yes | Yes
VEPG | Yes | Yes | Yes
Fronthaul 6080 | Yes | Yes | Yes
Fronthaul 6020 | Yes | Yes | Yes
Fronthaul-6392 | Yes | Yes | Yes
Switch-6391 | Yes | Yes | Yes
RNC | Yes | Yes | Yes
NodeB DU RadioNode | Yes | Yes | Yes
NodeB Baseband RadioNode | Yes | No | No
CISCO-ASR9000 | Yes | No | No
CISCO-ASR900 | Yes | No | No
JUNIPER-MX | Yes | No | No
Juniper-PTX | Yes | No | No
Juniper-SRX | Yes | No | No
Juniper-vSRX | Yes | No | No
Juniper-vMX | Yes | No | No
vPP | Yes | Yes | Yes
VTFRadioNode | Yes | No | No
5GRadioNode | Yes | No | No
CCRC | Yes | No | No
CCPC | Yes | No | No
CCDM | Yes | No | No
CCSM | Yes | No | No
SC | Yes | No | No
EDA | Yes | No | No
CCES | Yes | No | No
vRC | Yes | Yes | Yes
PCC | Yes | No | No
PCG | Yes | No | No
Controller6610 | Yes | Yes | Yes
SMSF | Yes | No | No
SCU | Yes | No | No
ESC | Yes | No | No
vBSC | Yes | No | No

Yes means that the credentials are mandatory.

SSH Key: SSH key authentication is needed to access nodes that do not support X.509 certificate-based authentication.

5.1 Create Node Credentials
You can set the node user names and encrypted passwords in ENM to allow ENM to access the nodes when required.

For detailed information on secadm credentials command, see ENM CLI online
help.

If the node supports LDAP, the low-privileged user is created on ENM. If the node supports Local User Authentication and Authorization only (that is, it does not support LDAP), the user must be created locally on the node. After creating the low-privileged user, its credentials can be configured as the NodeCli user credentials on ENM. If the NodeCli user credentials are not configured on ENM, the root, normal, secure, nwiebsecureuser, or nwieasecureuser credentials are used, depending on the node type, when launching the Node CLI.

Not all parameters are always required: the mandatory ones depend on the NE type involved.

As a consequence, when a list of nodes is specified in the command, the list must be homogeneous, containing nodes with the same mandatory parameters. Otherwise, the command is rejected. The NodeCli user credentials are supported for all node types and are optional; they are used when launching the Launch Node CLI application.

Actors
Node-Security Administrator, Action: create, Resource: credentials.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The credentials must be already stored on the nodes.

— The nodes must exist in the ENM.

— The nodes must have the NetworkElement MO defined.

— The SecurityFunction MO must exist under the NetworkElement MO.

— The NetworkElementSecurity MO must not be created for the nodes.

Steps

1. Set the credentials.

The NodeCli user credentials are supported for all the node types.

Run the following ENM CLI command:

secadm credentials create

See ENM CLI online help for details.

Results
All the credentials are successfully set in the ENM.


The NetworkElementSecurity MO is successfully created for each node. It stores the credentials.

5.1.1 Enable and Disable ldapuser

The Create Node Credentials command can enable or disable the usage of the ENM predefined internal user (ldapApplicationUser) for Network Elements supporting Centralized AA.

This is done using the extra input parameter ldapuser with the value disable or enable.

When it is enable, the predefined ENM LDAP user (ldapApplicationUser) is used by ENM Mediation flows to open SSH/SFTP sessions with the Network Element.

If such a Network Element has been configured without LDAP, this setting must be disabled to avoid connectivity issues.

The outcome of this additional input parameter can be verified by getting the NetworkElementSecurity MO.

If the Network Element does not support LDAP, or the credentials have been created with ldapuser=disable, ldapApplicationUserName and ldapApplicationUserPassword are "null".

cmedit get NetworkElement=CORE42ML01,SecurityFunction=1,NetworkElementSecurity=1

FDN : NetworkElement=CORE42ML01,SecurityFunction=1,NetworkElementSecurity=1
NetworkElementSecurityId : 1
algorithmAndKeySize : RSA_1024
enmSshPrivateKey : null
enmSshPublicKey : null
enrollmentMode : NOT_SUPPORTED
ldapApplicationUserName : null
ldapApplicationUserPassword : null
nodeCliUserName :
nodeCliUserPassword : bTyZrf6IJT/v9BOGqXJYezLvXAB5pUkH/dXLe2+xa2I=
normalUserName :
normalUserPassword : /0OwW+I9/QRzENNBSLW/lJwOS9o/ULt6LFDVkHuS1DQ=
nwieaSecureUserName : null
nwieaSecureUserPassword : null
nwiebSecureUserName : null
nwiebSecureUserPassword : null
rootUserName :
rootUserPassword : AkDv1iaYOJMd1MGosDNpv2LcrdjMKKGVTncR354pBNQ=
secureUserName : public
secureUserPassword : 5qAIKx+sMfY+gZQRquwnD2PLJ9i6+DD7EOY8ZbPGnB4=
snmpAuthKey : null
snmpAuthProtocol : NONE
snmpPrivKey : null
snmpPrivProtocol : NONE
summaryFileHash : null
targetGroups : null

If the Network Element supports LDAP and the credentials have been created setting ldapuser=enable, ldapApplicationUserName contains the predefined ldapApplicationUser and ldapApplicationUserPassword contains its encrypted password.

cmedit get NetworkElement=LTE04dg2ERBS00036,SecurityFunction=1,NetworkElementSecurity=1

FDN : NetworkElement=LTE04dg2ERBS00036,SecurityFunction=1,NetworkElementSecurity=1
NetworkElementSecurityId : 1
algorithmAndKeySize : RSA_1024
enmSshPrivateKey : null
enmSshPublicKey : null
enrollmentMode : CMPv2_VC
ldapApplicationUserName : ldapApplicationUser
ldapApplicationUserPassword : OEPc3O7drI5C/qBBH8IaTiqZZwbpWh5wv1ECoUYPT4nHiJJz/QHsfAcYEyo1VHks6CbVb9UmU7iILS2ztzC+tA==
nodeCliUserName :
nodeCliUserPassword : bTyZrf6IJT/v9BOGqXJYezLvXAB5pUkH/dXLe2+xa2I=
normalUserName : null
normalUserPassword : null
nwieaSecureUserName : null
nwieaSecureUserPassword : null
nwiebSecureUserName : null
nwiebSecureUserPassword : null
rootUserName : null
rootUserPassword : null
secureUserName : netsim
secureUserPassword : r3+aHbUJ3DyIsZ1y9kHkxj7d+ct/GGkWwl2ZeDYXLoU=
snmpAuthKey : null
snmpAuthProtocol : NONE
snmpPrivKey : null
snmpPrivProtocol : NONE
summaryFileHash : null
targetGroups : [defaultTargetGroup]

If the --ldapuser option is not explicitly provided, its default value is enable. If the Network Element supports LDAP and the secureuser credentials are required instead of ldapApplicationUser, the operator has to disable the predefined one by providing the option --ldapuser disable every time secadm credentials create or secadm credentials update is run.

secadm credentials update --secureusername newuser2 --secureuserpassword newpassword2 --ldapuser disable --nodelist NetworkElement=MTAS01

All credentials updated successfully.

cmedit get NetworkElement=MTAS01,SecurityFunction=1,NetworkElementSecurity=1

FDN : NetworkElement=MTAS01,SecurityFunction=1,NetworkElementSecurity=1
NetworkElementSecurityId : 1
algorithmAndKeySize : RSA_1024
enmSshPrivateKey : null
enmSshPublicKey : null
enrollmentMode : CMPv2_INITIAL
ldapApplicationUserName :
ldapApplicationUserPassword :
nodeCliUserName : null
nodeCliUserPassword : null
normalUserName : null
normalUserPassword : null
nwieaSecureUserName : null
nwieaSecureUserPassword : null
nwiebSecureUserName : null
nwiebSecureUserPassword : null
rootUserName : null


rootUserPassword : null
secureUserName : newuser2
secureUserPassword : Qx2bnWrUVfa6e+gdnX+caEzF9LXEltYWkO4D6tiMTLo=
snmpAuthKey : null
snmpAuthProtocol : NONE
snmpPrivKey : null
snmpPrivProtocol : NONE
summaryFileHash : null
targetGroups : [defaultTargetGroup]
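A check over the cmedit listings above, as an added example that is not part of the ENM guide: it reads the NetworkElementSecurity attributes from the text printed by cmedit get, reports whether ldapuser is in effect, which credential couples are populated, whether a failed sshkey create or update left the Invalid_Key marker (this assumes the marker is visible in the listing text), and flags the RSA_1024 key size that every listing above shows. The attribute names are those in the listings; the listing in SAMPLE_NES is constructed and does not describe a real node.

```shell
#!/bin/sh
# Added example, not from the ENM guide: sanity-check a NetworkElementSecurity
# MO from the text of `cmedit get ...,SecurityFunction=1,NetworkElementSecurity=1`
# as printed above. Attribute names are the ones in those listings; the sample
# at the bottom is constructed and does not describe a real node.

# nes_attr NAME: print the value of attribute NAME from a cmedit listing on stdin
# (empty output if the attribute is present but blank, as in "rootUserName :").
nes_attr() {
    sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# is_unset VALUE: true for the ways the listing expresses "nothing configured".
is_unset() {
    case "$1" in ""|null|"Not Configured") return 0 ;; *) return 1 ;; esac
}

# nes_check: read a listing on stdin, print one line per item, return 1 if any
# line is a WARN.
nes_check() {
    listing=$(cat)
    rc=0
    # ldapuser enable/disable shows up as the ldapApplicationUserName value.
    ldap=$(printf '%s\n' "$listing" | nes_attr ldapApplicationUserName)
    if is_unset "$ldap"; then
        echo "ldapuser: disabled, mediation flows use the secureUser credentials"
    else
        echo "ldapuser: enabled ($ldap)"
    fi
    for u in secureUser normalUser rootUser nodeCliUser; do
        name=$(printf '%s\n' "$listing" | nes_attr "${u}Name")
        pw=$(printf '%s\n' "$listing" | nes_attr "${u}Password")
        if is_unset "$name" && ! is_unset "$pw"; then
            echo "WARN: ${u}Password is set but ${u}Name is empty"; rc=1
        elif is_unset "$name"; then
            echo "${u}: not configured"
        else
            echo "${u}: $name"
        fi
    done
    # Assumption: a failed sshkey create/update leaves the Invalid_Key marker
    # (spelled invalid-Key in the update section) visible in the listing.
    if printf '%s\n' "$listing" | grep -qi 'invalid[_-]key'; then
        echo "WARN: Invalid_Key stored, last sshkey create/update failed; expect an Authentication Failure alarm"; rc=1
    fi
    aks=$(printf '%s\n' "$listing" | nes_attr algorithmAndKeySize)
    case "$aks" in
        RSA_1024) echo "WARN: algorithmAndKeySize is RSA_1024; 1024-bit RSA is below current minimum key-size recommendations"; rc=1 ;;
        *)        echo "algorithmAndKeySize: $aks" ;;
    esac
    return $rc
}

# Constructed listing (not a real node) with three findings: a password stored
# without a user name, an Invalid_Key marker and a 1024-bit key size.
SAMPLE_NES='FDN : NetworkElement=DEMO01,SecurityFunction=1,NetworkElementSecurity=1
NetworkElementSecurityId : 1
algorithmAndKeySize : RSA_1024
enmSshPrivateKey : null
enmSshPublicKey : Invalid_Key
enrollmentMode : NOT_SUPPORTED
ldapApplicationUserName : null
ldapApplicationUserPassword : null
nodeCliUserName : Not Configured
nodeCliUserPassword : null
normalUserName : null
normalUserPassword : null
rootUserName :
rootUserPassword : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
secureUserName : demo-secure
secureUserPassword : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
snmpAuthProtocol : NONE
snmpPrivProtocol : NONE'

# Usage: save the cmedit get output to a file and run   nes_check < nes.txt
```

Run the cmedit get command in the ENM CLI, save its text output, and pipe it through nes_check; a non-zero return marks a node worth a second look before running trust distribution or security level configuration against it. The passwords in the listing are shown only in encrypted form, so the check never needs the --plaintext option of secadm credentials get.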

5.2 Update Node Credentials

You can update the node user names and encrypted passwords in ENM to allow ENM to access the nodes when required.

For detailed information on secadm credentials command, see ENM CLI online
help.

Note: Once the NodeCLI user credentials are created, they cannot be updated
back with empty or null values using secadm commands.

Not all parameters are always allowed: the supported ones depend on the NE type involved.

As a consequence, when a list of nodes is specified in the command, all the nodes must support the parameter to be updated. Otherwise, the command is rejected.

Update can be done on one or more parameters at a time.

Actors
Node-Security Administrator, Action: update, Resource: credentials.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The updated credentials must be already stored on the nodes.

— The nodes must exist in the ENM.

— The nodes must have the NetworkElement MO defined.

— The SecurityFunction MO must exist under the NetworkElement MO.

— The NetworkElementSecurity MO must exist. This means that the


credentials must be already created.


Steps

1. Update the credentials.


Run the following ENM CLI command:

secadm credentials update

See online help for details.

Results
The credentials are successfully updated in ENM.

The NetworkElementSecurity MO is successfully updated for each node with the new credentials.

5.2.1 Update ldapuser

The Update Node Credentials command can enable or disable the ldapuser
for Network Elements supporting Centralized AA.

See the section Enable and Disable ldapuser on page 23 for more details.

5.3 Create SSH Key

Some nodes can be accessed using SSH public key authentication only, since they do not support X.509 certificate-based authentication.

For them, this task provides a mechanism to generate an SSH key pair. After
encryption, an SSH session is opened to the node and the public key is stored on
it.

Actors
Node-Security Administrator, Action: create, Resource: sshkey.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Node Type must support ssh-key mechanism.

— NetworkElement MO must exist.


— SecurityFunction MO must exist under the NetworkElement MO.

— Node credentials must be created for the node, that is, the NetworkElementSecurity MO must exist.

Steps

1. Create the SSH key pair.


Run the ENM CLI command:

secadm sshkey create

See online help for details.

Note: Router6672, Router6675, Router6x71, Router6273, Router6673, and Router6274 support username and password.

Results
SSH session is opened by ENM to the node and enmSshPublicKey is copied on
the Node.

If success:

— The new SSH key pair (enmSshPrivateKey and enmSshPublicKey) is encrypted and stored on the NetworkElementSecurity MO.

— If "Authentication Failure" was previously active, it is cleared.

If fail:

— The Invalid_Key string is stored on the NetworkElementSecurity MO.

— The Authentication Failure alarm is raised.

Note: The node can have some limitation in the handling of the SSH public key
(for example, for MME node, see the section Enabling SSH Key-Based
Logon for Internal User Accounts in the document Operator Access
Handling). Always check the Node CPI before proceeding.

5.4 Update SSH Key

Some nodes can be accessed using SSH public key authentication.

For them, the Node Security Configuration Service provides a mechanism to update the SSH key pair and store the public key in the node.


This use case covers the case where the key pair generated by sshkey create has been compromised.

Actors
Node-Security Administrator, Action: update, resource: sshkey.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Node Type must support ssh-key mechanism.

— Node credentials must be created for the node, that is, the NetworkElementSecurity MO must exist.

— SSH key pair must be generated again.

Steps

1. Update the SSH key pair.


Run the following ENM CLI command:

secadm sshkey update

See online help for details.

Results
SSH session is opened by ENM to the node and enmSshPublicKey is copied on
the Node.

If success:

— The new SSH key pair (enmSshPrivateKey and enmSshPublicKey) is encrypted and stored on the NetworkElementSecurity MO.

— If Authentication Failure was previously active, it is cleared.

If fail:

— The Invalid_Key string is stored on the NetworkElementSecurity MO.

— The Authentication Failure alarm is raised.

Note: The node can have some limitation in the handling of the SSH public key
(for example, for MME node, see the section Enabling SSH Key-Based
Logon for Internal User Accounts in the document Operator Access
Handling). Always check the Node CPI before proceeding.


5.5 Import SSH Private Key

Some nodes can be accessed using SSH public key authentication only.

For them, this task provides a mechanism to import an externally generated SSH private key. After encryption, the provided private key is stored in the enmSshPrivateKey attribute under the NetworkElementSecurity MO.

Actors
Node-Security Administrator, Action: import, resource: sshkey.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Node Type must support sshkey import mechanism and Key set must be
generated externally to ENM.

— NetworkElement MO must exist.

— SecurityFunction MO must exist under the NetworkElement MO.

— Node credentials must be created for the node, that is, the NetworkElementSecurity MO must exist.

Steps

1. Import the node SSH private key.


Run the following ENM CLI command:

secadm sshkey import

See online help for details.

Results
Node SSH private key is imported into ENM.

If success:

— The private key is encrypted and stored in the enmSshPrivateKey attribute of the NetworkElementSecurity MO.

If fail:

— An error message is returned together with a suggested solution.


Note: The node can have some limitation in the handling of the SSH public key
(for example, for MME node, see the section Enabling SSH Key-Based
Logon for Internal User Accounts in the document Operator Access
Handling). Always check the Node CPI before proceeding.

5.6 Get Node Credentials with Encrypted Password

You can retrieve the node credentials stored on ENM (NetworkElementSecurity MO), with encrypted passwords, for all supported users.

For detailed information on secadm credentials command, see ENM CLI online
help.

Actors
Node-Security Administrator, Action: read, Resource: credentials.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the NetworkElement MO defined.

— The SecurityFunction MO must exist under the NetworkElement MO.

— The NetworkElementSecurity MO must exist, that is, the credentials must already be created.

Steps

1. Acquire the information of all the credentials stored on the ENM.


Run the following ENM CLI command:

secadm credentials get --nodelist <node-name>

See online help for details.


Results

Table 2
Node Username User Password
LTE03ERBS00159 rootUserName:root rootUserPassword:***********
LTE03ERBS00159 secureUserName:secureuser secureUserPassword:***********
LTE03ERBS00159 normalUserName:normaluser normalUserPassword:***********
LTE03ERBS00159 nodeCliUserName:nodecliuser nodeCliUserPassword:***********

5.7 Get Node Credentials with Password in Plain Text

You can retrieve the node credentials stored on ENM (NetworkElementSecurity MO), with passwords in plain text, for all supported users.

For detailed information on secadm credentials command, see ENM CLI online
help.

Actors
Node-Security Administrator, Action: read, Resource: Credentials-Plain-Text.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the NetworkElement MO defined.

— The SecurityFunction MO must exist under the NetworkElement MO.

— The NetworkElementSecurity MO must exist, that is, the credentials must already be created.

Steps

1. Acquire the information of all the credentials stored on the ENM.


Run the following ENM CLI command:

secadm credentials get --plaintext show --nodelist <node-name>

See online help for details.


Results

Table 3
Node Username User Password
LTE03ERBS00159 rootUserName:root rootUserPassword:rootpassword
LTE03ERBS00159 secureUserName:secureuser secureUserPassword:securepassword
LTE03ERBS00159 normalUserName:normaluser normalUserPassword:normalpassword
LTE03ERBS00159 nodeCliUserName:nodecliuser nodeCliUserPassword:nodeclipassword

5.8 Configure Single Sign-On (SSO) for Node Access

ENM provides Single Sign-On (SSO) automatic authentication when launching the Node CLI and Element Manager, where the node is enabled with centralized authentication.

To allow SSO, some preconditions are needed based on node type.

5.8.1 Configure Single Sign-On (SSO) for Node Access (Transport Nodes)
To allow SSO, it is mandatory that the TACACS+/RADIUS/LDAP server is connected and enabled on the node.

The configuration of TACACS+/RADIUS/LDAP is external to the ENM system, and the ENM user credentials must also be present on the TACACS+/RADIUS/LDAP server.

For example, a user with the name centralized_user1 must be present in TACACS+/RADIUS/LDAP with the same password as in ENM.

The feature is supported for the following nodes:

Table 4
Nodes
MINI-LINK Indoor
MINI-LINK 6351
MINI-LINK 6352
MINI-LINK PT 2020
MINI-LINK-CN210
MINI-LINK-CN510R1
MINI-LINK-CN510R2
MINI-LINK-CN810R1
MINI-LINK-CN810R2
MINI-LINK-669x
MINI-LINK-6371
MINI-LINK-6366
MINI-LINK-665x
Fronthaul 6392
Fronthaul 6020
Switch 6391
JUNIPER-MX
JUNIPER-SRX
JUNIPER-PTX
JUNIPER-vMX
JUNIPER-vSRX
Router6672
Router6675
Router6x71
Router6274
Router6273
Router6673

Prerequisites
— TACACS+/RADIUS/LDAP must be enabled on the node.

— The user must have the Node Security Administrator role to use the sso enable command.

— The nodes must exist in ENM.

— The configuration of the TACACS+/RADIUS/LDAP server is external to the ENM system; the administrator must ensure that users, passwords, and roles are aligned between TACACS+/RADIUS/LDAP and the ENM system.

— The Secure User configured in ENM must be configured on TACACS+/RADIUS/LDAP with the administrator role.

— The recommended mapping of user roles in ENM and on the node is shown in the following table. TACACS+/RADIUS user roles must correspond to the following:


Table 5
ENM Role | MINI-LINK Node Role | Juniper Node Role | Fronthaul Node Role | Router 6000 Node Role
NodeCLI_System_Administrator | admin | superuser | admin | Privilege - 15
NodeCLI_Administrator | control | superuser | user | Privilege - 10
NodeCLI_Operator | view | operator | guest | Privilege - 3

— TACACS+/RADIUS configuration is a manual configuration and can be done


by the security administrator.

Steps

1. Add node to ENM.

Node can be added to ENM using the following applications in ENM GUI:

— Command Line Interface

— Add Node

— Network Discovery

— Auto Provisioning

2. Enable SSO on node.

3. Launch Node CLI or Element Manager.

Results
Node CLI or Element Manager is launched successfully using ENM credentials.

5.8.1.1 Enable Single Sign-On

The Single Sign-On (SSO) command can enable the usage of ENM users for
Network Elements supporting TACACS+/RADIUS/LDAP.

This can be done using the secadm sso command with the enable value.

Prerequisites

— The Network Element supports SSO.

— The credentials have been created with sso=enable set.

Steps

1. Enable SSO.
Run the following ENM CLI command:

secadm sso enable --nodelist <nodelist>

See online help for details.

To check the result, run the following ENM CLI command:

cmedit get NetworkElement=CORE82MLTN76,SecurityFunction=1,NetworkElementSecurity=1

The command result is the following, where SSO is true:

FDN : NetworkElement=CORE82MLTN76,SecurityFunction=1,NetworkElementSecurity=1
NetworkElementSecurityId : 1
algorithmAndKeySize : RSA_1024
enmSshPrivateKey : null
enmSshPublicKey : null
enrollmentMode : NOT_SUPPORTED
ldapApplicationUserName : null
ldapApplicationUserPassword : null
nodeCliUserName : Not Configured
nodeCliUserPassword : ibiJAV5EMjVgwviFlhC0sk5fjzEhUUiGPd8nOumHJng=
normalUserName : CORE82MLTN76
normalUserPassword : JeaA4Lwqfmjp7FgRJq/7VtEbJewBNJC83YDH6gBMvcQ=
nwieaSecureUserName : null
nwieaSecureUserPassword : null
nwiebSecureUserName : null
nwiebSecureUserPassword : null
rootUserName : CORE82MLTN76
rootUserPassword : EUF9OEwCc/teAzljidwYt/nHZbphJUGSomUwAZSWNJ8=
secureUserName : CORE82MLTN76
secureUserPassword : KitIhyaF7kORcNH6z0+NNDIYAGqw1U87yz6RKDgK0rc=
snmpAuthKey : JFcmxSMfLg/1eJm6Eby7KqhfiE3z1qQsmSfB7Vq2mhQ=
snmpAuthProtocol : SHA1
snmpPrivKey : gAps7eNpwVUhxWdNjRw+pkw2btgxEA4Ue4DwqxrpJo0=
snmpPrivProtocol : DES
SSO : true
summaryFileHash : null
targetGroups : [defaultTargetGroup]

5.8.1.2 Disable Single Sign-On

The Single Sign-On (SSO) command can disable the usage of ENM users for
Network Elements supporting TACACS+/RADIUS/LDAP.

This can be done using the secadm sso command with the disable value.

Prerequisites

— The Network Element supports SSO.

— The credentials have been created with sso=disable set.

Steps

1. Disable SSO.
Run the following ENM CLI command:

secadm sso disable --nodelist <nodelist>

See online help for details.

To check the result, run the following ENM CLI command:

cmedit get NetworkElement=CORE82MLTN76,SecurityFunction=1,NetworkElementSecurity=1

The command result is the following, where SSO is false:

FDN : NetworkElement=CORE82MLTN76,SecurityFunction=1,NetworkElementSecurity=1
NetworkElementSecurityId : 1
algorithmAndKeySize : RSA_1024
enmSshPrivateKey : null
enmSshPublicKey : null
enrollmentMode : NOT_SUPPORTED
ldapApplicationUserName : null
ldapApplicationUserPassword : null
nodeCliUserName : Not Configured
nodeCliUserPassword : ibiJAV5EMjVgwviFlhC0sk5fjzEhUUiGPd8nOumHJng=
normalUserName : CORE82MLTN76
normalUserPassword : JeaA4Lwqfmjp7FgRJq/7VtEbJewBNJC83YDH6gBMvcQ=
nwieaSecureUserName : null
nwieaSecureUserPassword : null
nwiebSecureUserName : null
nwiebSecureUserPassword : null
rootUserName : CORE82MLTN76
rootUserPassword : EUF9OEwCc/teAzljidwYt/nHZbphJUGSomUwAZSWNJ8=
secureUserName : CORE82MLTN76
secureUserPassword : KitIhyaF7kORcNH6z0+NNDIYAGqw1U87yz6RKDgK0rc=
snmpAuthKey : JFcmxSMfLg/1eJm6Eby7KqhfiE3z1qQsmSfB7Vq2mhQ=
snmpAuthProtocol : SHA1
snmpPrivKey : gAps7eNpwVUhxWdNjRw+pkw2btgxEA4Ue4DwqxrpJo0=
snmpPrivProtocol : DES
SSO : false
summaryFileHash : null
targetGroups : [defaultTargetGroup]
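The enable and disable checks above both end with reading the SSO attribute from the cmedit output. The following added example (not ENM code) parses that "attribute : value" output and verifies the SSO state for a batch of nodes; the sample outputs are constructed from the listing in this section, with the encrypted credential values replaced by placeholders.

```python
"""Added example, not ENM code: parse the output of
cmedit get NetworkElement=<name>,SecurityFunction=1,NetworkElementSecurity=1
and verify that the SSO attribute has the state the operator just set."""
from typing import Dict, List, Tuple

# Constructed sample, trimmed from the output shown in this section; the
# encrypted credential values are replaced by a placeholder.
ENABLED_OUTPUT = """\
FDN : NetworkElement=CORE82MLTN76,SecurityFunction=1,NetworkElementSecurity=1
NetworkElementSecurityId : 1
algorithmAndKeySize : RSA_1024
enrollmentMode : NOT_SUPPORTED
nodeCliUserName : Not Configured
secureUserName : CORE82MLTN76
secureUserPassword : <encrypted placeholder>
snmpPrivProtocol : DES
SSO : true
summaryFileHash : null
targetGroups : [defaultTargetGroup]
"""

# Constructed second node (hypothetical name) whose SSO flag is still false.
DISABLED_OUTPUT = """\
FDN : NetworkElement=CORE82MLTN77,SecurityFunction=1,NetworkElementSecurity=1
NetworkElementSecurityId : 1
SSO : false
"""


def parse_nes_output(text: str) -> Dict[str, str]:
    """Turn 'attribute : value' lines into a dict, ignoring anything else."""
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        if " : " not in raw:
            continue
        key, value = raw.split(" : ", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def node_name(attrs: Dict[str, str]) -> str:
    """Read the NetworkElement id out of the FDN attribute."""
    for rdn in attrs.get("FDN", "").split(","):
        if rdn.startswith("NetworkElement="):
            return rdn.split("=", 1)[1]
    raise ValueError("output has no NetworkElement FDN")


def sso_enabled(attrs: Dict[str, str]) -> bool:
    """The SSO attribute is printed as the literal true or false."""
    value = attrs.get("SSO")
    if value not in ("true", "false"):
        raise ValueError(f"unexpected SSO value {value!r}")
    return value == "true"


def check_sso_state(outputs: List[str], expected: bool) -> List[Tuple[str, str]]:
    """Return (node, reason) for every node that does not show the expected
    SSO state, so a bulk enable or disable can be verified before Node CLI
    or Element Manager is launched."""
    mismatches: List[Tuple[str, str]] = []
    for text in outputs:
        attrs = parse_nes_output(text)
        try:
            name = node_name(attrs)
            state = sso_enabled(attrs)
        except ValueError as exc:
            mismatches.append((attrs.get("FDN", "?"), str(exc)))
            continue
        if state != expected:
            mismatches.append(
                (name, f"SSO is {attrs['SSO']}, expected {str(expected).lower()}")
            )
    return mismatches
```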

5.8.1.3 Configure Single Sign-On (SSO) for R6000 Node Access Using LDAP

In addition to the configuration of the TACACS+/RADIUS server described in the
section Configure Single Sign-On (SSO) for Node Access (Transport Nodes)
on page 32, Router6000 nodes can also support an LDAP server for Remote
Authentication and Authorization.

If ENM LDAP server is used as remote authentication server, user credentials are
already in the ENM LDAP directory.

For Router6000, the user credential used when launching the NodeCLI depends
not only on whether the SSO attribute is enabled but also on the
LDAP/TACACS+/RADIUS configuration.

See the following tables for details:

Table 6

ENM LDAP    SSO         NODE CLI USER CREDENTIAL
ENABLED     ENABLED     OPERATOR CREDENTIAL
ENABLED     DISABLED    ldapApplicationUser
DISABLED    ENABLED     OPERATOR CREDENTIAL
DISABLED    DISABLED    SECURE USER

Table 7

TACACS+/RADIUS    SSO         NODE CLI USER CREDENTIAL
CONFIGURED        ENABLED     OPERATOR CREDENTIAL
CONFIGURED        DISABLED    SECURE USER
NOT CONFIGURED    ENABLED     OPERATOR CREDENTIAL
NOT CONFIGURED    DISABLED    SECURE USER

Note: Authentication fails as the user is not configured in the TACACS+/RADIUS
server.

To configure LDAP for Router6000, see the following ENM CPI documents:
— Section LDAP configuration for ROUTER6000 Family in ENM Operators
Guide, Reference [5].

— Section Enable and Disable ldapuser in ENM Network Security Configuration
System Administrator Guide, Reference [4].

When Router6000 is configured to be used with an external TACACS+/RADIUS
server, Authorization (what an operator can do) is controlled using privileges
and not roles. Typically, two different privileges are assigned to each user
(start and max privileges).

For more details on how privileges work for Router6000 nodes, see the section
Assigning Administrators Different Privilege Levels in the Node CPI document
Restrict access to the CLI, Reference [24].

In the case of NodeCLI access using an LDAP remote authentication server,
starting from the 20.Q1 node release the node introduces a special feature
called “LDAP role to privilege mapping”. The node supports 32 different LDAP
roles:

— PrivilegeStart-0, PrivilegeStart-1, ... PrivilegeStart-15

— PrivilegeMax-0, PrivilegeMax-1, ... PrivilegeMax-15

Two of them can be assigned to the operator: one for start and one for max.

During the authentication request performed by the node, they are returned
from the ENM LDAP server as part of the ericssonUserAuthorizationScope LDAP
attribute.

The node converts the role to the equivalent privilege level and user access is
restricted accordingly.

The node feature is described in the section Start and Max privilege for LDAP
user of the Node CPI document LDAP for administrator, Reference [25].

Before assigning two roles to the user, they need to be defined in ENM as “COM
roles” using the ENM Role Management application.
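The role-to-privilege mapping described above, as an added example that is not part of the original guide or of the node software. It assumes the role names arrive exactly as listed (PrivilegeStart-N, PrivilegeMax-N, N in 0..15) alongside other ENM roles in the ericssonUserAuthorizationScope attribute; treating start > max as an error is this example's own assumption, not a rule the guide states.

```python
"""Added example, not node or ENM code: derive the Router6000 start and
max privilege levels from the LDAP roles returned in the
ericssonUserAuthorizationScope attribute, rejecting malformed role sets."""
import re
from typing import Iterable, Tuple

# One of the 32 mapped roles: PrivilegeStart-0..15 or PrivilegeMax-0..15.
ROLE_RE = re.compile(r"^Privilege(Start|Max)-(\d{1,2})$")


def privilege_levels(roles: Iterable[str]) -> Tuple[int, int]:
    """Return (start, max) privilege levels for the given role set.

    Raises ValueError when the set cannot be mapped: a level outside 0..15,
    more than one start or max role, a missing start or max role, or
    (assumption of this example) a start level above the max level.
    Roles that are not privilege roles are ignored.
    """
    start = None
    maximum = None
    for role in roles:
        match = ROLE_RE.match(role)
        if not match:
            continue  # other ENM roles in the scope attribute are ignored
        kind, level_str = match.groups()
        level = int(level_str)
        if not 0 <= level <= 15:
            raise ValueError(f"{role}: privilege level outside 0..15")
        if kind == "Start":
            if start is not None:
                raise ValueError("more than one PrivilegeStart role assigned")
            start = level
        else:
            if maximum is not None:
                raise ValueError("more than one PrivilegeMax role assigned")
            maximum = level
    if start is None or maximum is None:
        raise ValueError("one PrivilegeStart and one PrivilegeMax role are required")
    if start > maximum:
        raise ValueError("start privilege exceeds max privilege")
    return start, maximum


def required_roles(start: int, maximum: int) -> Tuple[str, str]:
    """Names of the two COM roles to define in ENM Role Management and assign
    to the user so that the node maps them to the wanted privilege levels."""
    if not 0 <= start <= maximum <= 15:
        raise ValueError("levels must satisfy 0 <= start <= max <= 15")
    return f"PrivilegeStart-{start}", f"PrivilegeMax-{maximum}"


# Constructed sample: scope attribute values for an operator-level user
# (Privilege 3, see Table 5) together with an unrelated ENM role.
SAMPLE_SCOPE = ["NodeCLI_Operator", "PrivilegeStart-3", "PrivilegeMax-3"]
```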

5.8.2 Configure Single Sign-On (SSO) for Node Access (EPG and IMS Nodes)
The Single Sign On for the Node CLI application is possible if the node is
configured to apply the centralized authentication and authorization towards
the ENM LDAP server.

Alternatively, if the node cannot support the LDAP protocol with ENM, a
local account with exactly the same credentials (username and password) as
the ENM user must exist on the node.

The Single Sign On can be configured from the ENM Command Line Interface.

The feature is supported for the following nodes:

Table 8
Nodes
EPG
EPG-OI
vEPG
vEPG-OI
vMTAS
vBGF
vCSCF

Prerequisites
— LDAP must be enabled on the node (if supported), or the user created on the
node has the same credentials as the user used in ENM.

— The ENM user has sufficient privileges to run the Node CLI application.

Steps

1. Add node to ENM.

Node can be added to ENM using the following applications in ENM GUI:

— Command Line Interface

— Add Node

2. Enable SSO on node.

3. Launch Node CLI.

Results
Node CLI is launched successfully using ENM credentials.

5.8.2.1 Enable Single Sign-On

The Single Sign-On (SSO) command can enable ENM users to access Network
Elements supporting LDAP, or Network Elements whose local users have the
same credentials as the ENM users.

This can be done using the secadm sso command with the enable value.

Prerequisites

— A Network Element from Table 8 is configured in ENM.

— The Network Element supports SSO and it is disabled.

Steps

1. Enable SSO.
Run the following ENM CLI command:

secadm sso enable --nodelist <nodelist>

See online help for details.

2. Check the result.

Run the following ENM CLI command:

secadm sso get --nodelist <nodelist>

The command result is SSO Status = ENABLED.

5.8.2.2 Disable Single Sign-On

The Single Sign-On (SSO) command can disable access by ENM users to Network
Elements supporting LDAP, or to Network Elements whose local users have the
same credentials as the ENM users.

This can be done using the secadm sso command with the disable value.

Prerequisites

— A Network Element from Table 8 is configured in ENM.

— The Network Element supports SSO and it is enabled.

Steps

1. Disable SSO.
Run the following ENM CLI command:

secadm sso disable --nodelist <nodelist>

See online help for details.

2. Check the result.

Run the following ENM CLI command:

secadm sso get --nodelist <nodelist>

The command result is SSO Status = DISABLED.

5.8.2.3 User Credential when Launching NodeCLI

The user credential used when launching the NodeCLI depends not only on
whether the SSO attribute is enabled but also on the LDAP configuration (if
supported).

See the following table for details (if LDAP is not supported, consider the
LDAP DISABLED rows).

Table 9

ENM LDAP    SSO         NODE CLI USER CREDENTIAL
ENABLED     ENABLED     OPERATOR CREDENTIAL
ENABLED     DISABLED    ldapApplicationUser
DISABLED    ENABLED     OPERATOR CREDENTIAL
DISABLED    DISABLED    secureUserName (if nodeCliUserName is not configured)

Note: Authentication fails if the user is not created locally on the node.

6 Node Certificate Administrative Tasks

Node certificate handling contains the ENM-related business logic for the
following:
— Issue and reissue a certificate.

— Distribute and delete trusted certificates from network elements.

An enrollment protocol is selected for issuing certificates to network elements.
See Enrollment Protocols on page 58 for more information.

6.1 Distribute Trust Certificates to a Node

This procedure allows distributing a trust certificate or a trust certificate
chain to one or more nodes at a time.

If the same trust certificate is already present among the trust certificates
installed in the node, that trust certificate is not distributed again.

For DG2 nodes, if the same trust certificate is already present among the trust
certificates installed in the node, that trust certificate is not distributed again.

For CPP nodes, if the same trust certificate is already present in the required trust
category, then the trust certificate is not distributed again.

Actors
If input certificate type is IPsec, the actors are:

— Node-Security Administrator, Action: execute, Resource: ipsec

If input certificate type is OAM, the actors are:

— Node-Security Administrator, Action: execute, Resource: oam

If input trust category is LAAD, the actors are:

— Node-Security Administrator, Action: execute, Resource: laad.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the NE defined.

— The nodes must be in SYNC status.

— The CA certificate must be published to TDPS in case of issue trust to a
Baseband Radio Node or 5GRadioNode. See the section Trust Distribution Point
Service Tasks of the document ENM Public Key Infrastructure System
Administrator Guide, Reference [8].

— FM alarm supervision must be on for CPP nodes.

Steps

1. Distribute the trust certificate or the trust certificate chain to the nodes.

secadm trust distribute

See the online help for details.

Run the following ENM CLI command to verify if trust certificates are
distributed successfully:

secadm trust get

Note: The CertType option will be deprecated in future. If the user executes
this command with the CertType option, a warning message is provided:
The command with --certtype option will be deprecated in future
but the action will continue, use --trustcategory, instead of
--certtype.

For Baseband Radio Nodes, the behavior of the IPsec Trust Distribute
and Get use cases with the different enforcedIKEv2PolicyProfileID
configuration parameter values is as follows:

a. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is NONE (default value), then:
— The IPsec Trust Distribute and Get use cases work if only one
Ikev2PolicyProfile is present on the node.

— The IPsec Trust Distribute and Get use cases fail if more than one
Ikev2PolicyProfile is present on the node.

b. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is other than NONE, then:
— The IPsec Trust Distribute and Get use cases use the
Ikev2PolicyProfile MO whose Ikev2PolicyProfileId value is the same
as the configuration parameter value to update or get the
TrustCategory MO FDNs.

— The IPsec Trust Distribute and Get use cases fail if no
Ikev2PolicyProfile is found whose Ikev2PolicyProfileId value matches
the configuration parameter value. In this case, the user needs to
perform IPsec Certificate Issue or Reissue using the secadm command,
which creates an Ikev2PolicyProfile MO with the Ikev2PolicyProfileId
value equal to the configuration parameter value; this new
Ikev2PolicyProfile MO must then be mapped manually to the proper
Ikev2Session MO to use the new node credential and trust category
for establishing the IPsec tunnel.

c. For more details on the usage of the enforcedIKEv2PolicyProfileID
configuration parameter, see the section Management of Node IPsec
Certificate and Trust Distribution Use Cases in Case of Multiple
Ikev2PolicyProfile MOs on page 449.

Results
A job for trust distribution to nodes is successfully started.

Note: If the trust distribute job is successful, then the node has the new
certificates. If the node is in SL2, the newly distributed certificate
details are not listed immediately in the ENM, but this does not have any
impact on the dependent use cases.

A manual CM sync command can be executed to list the updated trusted
certificate details.

6.2 Get a Node Certificate

This procedure allows getting the active certificate information for one or
more nodes at a time.

Actors
If input certificate type is IPsec, the actors are as follows:

— Node-Security Administrator, Action: read, Resource: Internet Protocol
Security

— Node-Security Operator, Action: read, Resource: ipsec

If input certificate type is OAM, the actors are as follows:

— Node-Security Administrator, Action: read, Resource: oam

— Node-Security Operator, Action: read, Resource: oam

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the NE defined.

— The nodes must be in SYNC status.

Steps

1. Acquire the active certificate information for the nodes.

secadm certificate get

See online help for details.

If any issue is found, collect logs of the current Service Groups:

— secserv

Note: For Baseband Radio Nodes, the behavior of the IPsec Certificate
Get use case with the different enforcedIKEv2PolicyProfileID
parameter values is as follows:

a. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is NONE (default value), then:
— The IPsec Certificate Get use case works if only one
Ikev2PolicyProfile is present on the node.

— The IPsec Certificate Get use case fails if more than one
Ikev2PolicyProfile is present on the node.

b. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is other than NONE, then:
— The IPsec Certificate Get use case uses the Ikev2PolicyProfile MO
whose Ikev2PolicyProfileId value is the same as the configuration
parameter value to get the IPsec certificate.

— The IPsec Certificate Get use case does not list any certificates
if no Ikev2PolicyProfile is found whose Ikev2PolicyProfileId value
matches the configuration parameter value.

c. For more details on the usage of the enforcedIKEv2PolicyProfileID
configuration parameter, see the section Management of Node IPsec
Certificate and Trust Distribution Use Cases in Case of Multiple
Ikev2PolicyProfile MOs on page 449.

Results
Node Name    Enroll State   Enroll Error Message   Subject                                               Serial Number   Issuer                                          Subject Alternative Name
LTE03ERBS01  IDLE           Not Applicable         CN=LTE03ERBS01-oam,O=ERICSSON,OU=BUCI DUAC NAM,C=SE   00A412FF0021    CN=NE_OAM_CA,O=ERICSSON,OU=BUCI_DUAC_NAM,C=SE   Not Applicable

Where:

Enroll State is the current state of the certificate enrollment: IDLE,
ONGOING, ERROR.

Enroll Error Message is the Certificate Enrollment Error Message. If the
enrollment enters the ERROR state, this attribute contains a string that
states the cause of the error. Otherwise, the value of this attribute is Not
Applicable.

Subject, SerialNumber, Issuer, Subject Alternative Name are those of the
currently active node certificate. If the certtype is different from IPSEC,
the Subject Alternative Name is Not Applicable.

6.3 Get Trust Certificates of a Node

This feature allows getting the information about the trust certificates
distributed to the nodes.

This information can be retrieved for one or more nodes at a time.

Actors
If input certificate type is IPSec, the actors are as follows:

— Node-Security Administrator, Action: read, Resource: ipsec

— Node-Security Operator, Action: read, Resource: ipsec

If input certificate type is OAM, the actors are as follows:

— Node-Security Administrator, Action: read, Resource: oam

— Node-Security Operator, Action: read, Resource: oam

If input trust category is LAAD, the actors are as follows:

— Node-Security Administrator, Action: read, Resource: laad

— Node-Security Operator, Action: read, Resource: laad

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the NE defined.

— The nodes must be in SYNC status.

Steps

1. Acquire the information of all the trust certificates distributed to the nodes.

secadm trust get

See online help for details.

Note: The CertType option will be deprecated in future. If the user executes
this command with the CertType option, a warning message is provided:
the command with --certtype option will be deprecated in future
but the action will continue, use --trustcategory, instead of
--certtype.

For Baseband Radio Nodes, the behavior of the IPsec Trust Get use case
with the different enforcedIKEv2PolicyProfileID configuration parameter
values is as follows:

a. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is NONE (default value), then:
— The IPsec Trust Get use case works if only one Ikev2PolicyProfile
is present on the node.

— The IPsec Trust Get use case fails if more than one
Ikev2PolicyProfile is present on the node.

b. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is other than NONE, then:
— The IPsec Trust Get use case uses the Ikev2PolicyProfile MO whose
Ikev2PolicyProfileId value is the same as the configuration
parameter value to get the IPsec trusted certificates.

— The IPsec Trust Get use case does not list any certificates if no
Ikev2PolicyProfile is found whose Ikev2PolicyProfileId value matches
the configuration parameter value.

c. For more details on the usage of the enforcedIKEv2PolicyProfileID
configuration parameter, see the section Management of Node IPsec
Certificate and Trust Distribution Use Cases in Case of Multiple
Ikev2PolicyProfile MOs on page 449.

Results
Node Name       Install State   Install Error Message   Subject                                          Serial Number        Issuer
LTE03ERBS00159  IDLE            Not Applicable          CN=ENM_OAM_CA,C=SE,O=ERICSSON,OU=BUCI_DUAC_NAM   471035115677426994   CN=ENM_Infrastructure_CA,C=SE,O=ERICSSON,OU=BUCI_DUAC_NAM

Where:

Install State is the current state of the trust certificate distribution:
IDLE, ONGOING, ERROR.

Install Error Message is the Trust Certificate Installation Error Message. If
the trust certificate distribution enters the ERROR state, this attribute
contains a string that states the cause of the error. Otherwise, the value of
this attribute is Not Applicable.

Subject, SerialNumber, Issuer are those of all the trust certificates
currently distributed to the node.

6.4 Issue a Node Certificate

This procedure allows issuing a certificate for one or more nodes at a time.

If the node already has a certificate, it starts an enrollment procedure obtaining a
new certificate. At the end of this procedure, the previous certificate is revoked.

Actors
If input certificate type is IPsec, the actors are as follows:

— Node-Security Administrator, Action: execute, Resource: ipsec

If input certificate type is OAM, the actors are as follows:

— Node-Security Administrator, Action: execute, Resource: oam

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites
— The nodes must exist in the ENM.

— The nodes must have the NE defined.

— The NetworkElementSecurity MO must exist: Node Credentials must be created
to allow access to the nodes.

— The nodes must be in SYNC status.

— FM alarm supervision must be on for CPP nodes.

Steps

1. Issue a certificate.

secadm certificate issue

See online help for details.

After performing enrollment with either SCEP or CMP, if there is an IPSEC
certificate on CPP nodes configured with IPv6, the following manual sync
command must be used to verify the new certificate, as a workaround for a
bug on the CPP node:

cmedit action NetworkElement=<Node_Name>,CmFunction=1 sync

Note: For Baseband Radio Nodes, the behavior of the IPsec Certificate
Issue use case with the different enforcedIKEv2PolicyProfileID
configuration values is as follows:

a. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is NONE (default value), then:
— The IPsec Certificate Issue use case works if only one
Ikev2PolicyProfile is present on the node.

— The IPsec Certificate Issue use case fails if more than one
Ikev2PolicyProfile is present on the node.

b. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is other than NONE, then:
— The IPsec Certificate Issue use case uses the Ikev2PolicyProfile
MO whose Ikev2PolicyProfileId value is the same as the configuration
parameter value to update the NodeCredential and TrustCategory MO
FDNs.

— The IPsec Certificate Issue use case creates an Ikev2PolicyProfile
MO with the Ikev2PolicyProfileId value equal to the configuration
parameter value if no Ikev2PolicyProfile is found whose
Ikev2PolicyProfileId value matches the configuration parameter
value. In this case, the user must map this new Ikev2PolicyProfile
MO to the proper Ikev2Session MO to use the new NodeCredential and
TrustCategory for establishing the IPsec tunnel.

c. For more details on the usage of the enforcedIKEv2PolicyProfileID
configuration parameter, see the section Management of Node IPsec
Certificate and Trust Distribution Use Cases in Case of Multiple
Ikev2PolicyProfile MOs on page 449.

Results
Successfully started a job to issue certificates for nodes.

An entity related to each node is created. It is specific for the node and the input
certificate type and contains the configuration specified in the provided XML file.

If the nodes already had a certificate for the requested certificate type, the
previous one is revoked with reason Unspecified.

Moreover, the entity related to each node is updated with the new configuration
specified in the provided XML file.

To verify if the new certificate has been successfully issued for the node, run the
ENM CLI command:

secadm certificate get

Note: If the certificate issue/reissue job is successful, then node has the new
certificate. If the node is in SL2, newly installed certificate details are not
listed immediately in the ENM, but this does not have any impact on the
dependent use cases.

A manual CM sync command can be executed to get the installed
certificate details.

6.5 Parameters for Auto-Renewal for Node Certificate

The following parameters are configured to enable the auto-renewal of the node
certificate:

neCertAutoRenewalTimer
Indicates the number of days before the expiry of the node certificate at
which the certificate is automatically renewed.

neCertAutoRenewalEnabled
A BOOLEAN flag to enable or disable the auto-renewal feature for node
certificates.

neCertAutoRenewalMax
Indicates the maximum number of expired node certificates renewed in each
round. If neCertAutoRenewalMax < 0, all expired node certificates are
renewed.

The parameters are configured with the default values when the security service
group (secserv) is started.

For details on how to view and modify configuration parameters, see View and
Modify Configuration Parameters on page 12.

Table 10
Description                 Configuration Parameter     Default Value
Timer for Auto-renewal      neCertAutoRenewalTimer      30
Enable of Auto-renewal      neCertAutoRenewalEnabled    true
Warnings for Auto-renewal   neCertAutoRenewalMax        100
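The three parameters above interact (the timer decides which certificates are due, the flag gates the whole feature, and the maximum caps one round). The following added example (not ENM code) models one renewal round over a constructed inventory using the Table 10 defaults; renewing the earliest-expiring certificates first when the cap applies is this example's assumption, not something the guide states.

```python
"""Added example, not ENM code: model which node certificates one
auto-renewal round would renew under neCertAutoRenewalTimer,
neCertAutoRenewalEnabled and neCertAutoRenewalMax."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class NodeCert:
    node: str
    cert_type: str    # "OAM" or "IPSEC"
    not_after: date   # certificate expiry date


@dataclass(frozen=True)
class AutoRenewalConfig:
    timer_days: int = 30       # neCertAutoRenewalTimer (days before expiry)
    enabled: bool = True       # neCertAutoRenewalEnabled
    max_per_round: int = 100   # neCertAutoRenewalMax; < 0 means no cap


def due_for_renewal(cert: NodeCert, today: date, cfg: AutoRenewalConfig) -> bool:
    """True when the certificate expires within timer_days, or has expired."""
    return cert.not_after - today <= timedelta(days=cfg.timer_days)


def select_for_renewal(certs: List[NodeCert], today: date,
                       cfg: AutoRenewalConfig) -> List[NodeCert]:
    """Certificates one round renews: none when the feature is disabled,
    otherwise the due ones, earliest expiry first (assumption of this
    example), capped at max_per_round unless that value is negative."""
    if not cfg.enabled:
        return []
    due = sorted((c for c in certs if due_for_renewal(c, today, cfg)),
                 key=lambda c: c.not_after)
    if cfg.max_per_round < 0:
        return due
    return due[:cfg.max_per_round]


# Constructed inventory; node names are hypothetical.
TODAY = date(2023, 1, 31)
SAMPLE_CERTS = [
    NodeCert("LTE03ERBS01", "OAM", date(2023, 2, 10)),    # 10 days left: due
    NodeCert("LTE03ERBS02", "OAM", date(2023, 1, 20)),    # already expired: due
    NodeCert("LTE03ERBS03", "IPSEC", date(2023, 3, 2)),   # exactly 30 days: due
    NodeCert("LTE03ERBS04", "OAM", date(2023, 3, 3)),     # 31 days left: not due
]
```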

6.6 Reissue a Node Certificate

This procedure reissues a certificate for one or more nodes at a time. After
obtaining a new certificate, the previous certificate is revoked.

This command cannot be executed if the node does not have a certificate yet.
In this case, to enroll a node, execute the ENM CLI command secadm certificate
issue.

Actors
If input certificate type is IPsec, the actors are as follows:

— Node-Security Administrator, Action: execute, Resource: ipsec

If input certificate type is OAM, the actors are as follows:

— Node-Security Administrator, Action: execute, Resource: oam

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the NE defined.

— Node credentials must be created for the nodes, that is, the
NetworkElementSecurity MO must exist.

— The nodes must already have a certificate.

— The nodes must be in SYNC status.

— FM alarm supervision must be on for CPP nodes.

Steps

1. Reissue a certificate.

secadm certificate reissue

See online help for details.

Note: For Baseband Radio Nodes, the behavior of the IPsec Certificate
Reissue use case with the different enforcedIKEv2PolicyProfileID
configuration values is as follows:

a. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is NONE (default value), then:
— The IPsec Certificate Reissue use case works if only one
Ikev2PolicyProfile is present on the node.

— The IPsec Certificate Reissue use case fails if more than one
Ikev2PolicyProfile is present on the node.

b. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is other than NONE, then:
— The IPsec Certificate Reissue use case uses the Ikev2PolicyProfile
MO whose Ikev2PolicyProfileId value is the same as the configuration
parameter value to update the NodeCredential and TrustCategory MO
FDNs.

— The IPsec Certificate Reissue use case creates an Ikev2PolicyProfile
MO with the Ikev2PolicyProfileId value equal to the configuration
parameter value if no Ikev2PolicyProfile is found whose
Ikev2PolicyProfileId value matches the configuration parameter
value. In this case, the user must map this new Ikev2PolicyProfile
MO to the proper Ikev2Session MO to use the new NodeCredential and
TrustCategory for establishing the IPsec tunnel.

c. For more details on the usage of the enforcedIKEv2PolicyProfileID
configuration parameter, see the section Management of Node IPsec
Certificate and Trust Distribution Use Cases in Case of Multiple
Ikev2PolicyProfile MOs on page 449.

Results
Successfully started a job to reissue certificates for nodes.

The previous nodes certificate is revoked with the input reason if specified, or
'reason unspecified' otherwise.

To verify if the new certificate has been issued for the node successfully, run the
ENM CLI command:

secadm certificate get

Note: If the certificate issue/reissue job is successful, then the node has the
new certificate. If the node is in SL2, the newly installed certificate
details are not listed immediately in the ENM, but this does not have any
impact on the dependent use cases.

A manual CM sync command can be executed to get the installed
certificate details.

For Baseband Radio Nodes, the behavior of the IPsec Certificate Get
use case with the different enforcedIKEv2PolicyProfileID configuration
parameter values is as follows:

1. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is NONE (default value), then:
— The IPsec Certificate Get use case works if only one
Ikev2PolicyProfile is present on the node.

— The IPsec Certificate Get use case fails if more than one
Ikev2PolicyProfile is present on the node.

2. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is other than NONE, then:
— The IPsec Certificate Get use case uses the Ikev2PolicyProfile MO
whose Ikev2PolicyProfileId value is the same as the configuration
parameter value to get the IPsec certificates.

— The IPsec Certificate Get use case does not list any certificates
if no Ikev2PolicyProfile MO is found whose Ikev2PolicyProfileId
value matches the configuration parameter value.

3. For more details on the usage of the enforcedIKEv2PolicyProfileID
configuration parameter, see the section Management of Node IPsec
Certificate and Trust Distribution Use Cases in Case of Multiple
Ikev2PolicyProfile MOs on page 449.

6.7 Remove a Trust Certificate from a Node


This procedure removes a trust certificate from one or more nodes at a time.

Actors
If input certificate type is IPsec, the actors are as follows:


— Node-Security Administrator, Action: delete, Resource: ipsec

If input certificate type is OAM, the actors are as follows:

— Node-Security Administrator, Action: delete, Resource: oam

If input trust category is LAAD, the actors are as follows:

— Node-Security Administrator, Action: delete, Resource: laad

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the NE defined.

— The nodes must be in SYNC status.

— FM alarm supervision must be on for CPP nodes.

Steps
Remove the trust certificate from the nodes using the ENM CLI command:

secadm trust remove

See online help for details.


Note: The CertType option will be deprecated in the future. When the user
executes this command with the CertType option, the following warning
message is provided: "the command with --certtype option will be
deprecated in future but the action will continue, use --trustcategory
instead of --certtype".

For Baseband Radio Nodes, the behavior of the IPsec Trust Remove
use case with the different enforcedIKEv2PolicyProfileID configuration
parameter values is as follows:

1. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is NONE (default value), then:
— The IPsec Trust Remove use case works if only one
Ikev2PolicyProfile is present on the node.

— The IPsec Trust Remove use case fails if more than one
Ikev2PolicyProfile is present on the node.

2. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is other than NONE, then:
— The IPsec Trust Remove use case uses the Ikev2PolicyProfile MO
whose Ikev2PolicyProfileId value is the same as the configuration
parameter value to remove trusted certificates.

— The IPsec Trust Remove use case does not remove any trusted
certificates if no Ikev2PolicyProfile MO is found with an
Ikev2PolicyProfileId value matching the configuration parameter value.
3. For more details on the usage of enforcedIKEv2PolicyProfileID
configuration parameter, see the section Management of Node
IPsec Certificate and Trust Distribution Use Cases in Case of
Multiple Ikev2PolicyProfile MOs on page 449.

Results
A job is successfully started for trust removal from nodes.

To verify if the trust certificate has been removed successfully, run the ENM CLI
command secadm trust get.

6.8 Enrollment Procedures


The enrollment is a procedure by which a node gets its credential and a set of
trusted credentials.

The enrollment can be done using an online or offline procedure.


The offline enrollment procedure is necessary to generate the node credentials
and trusted credentials manually and install them on the node in an offline
manner.

The enrollment is made by ENM PKI. ENM PKI uses two enrollment protocols:
SCEP and CMPv2.

Note: In ENM Geographical Redundancy deployments, the CA certificates of the
Secondary ENM need to be installed on nodes to ensure smooth switchover of
nodes to the Secondary ENM.

The procedure to add the right CA certificates of the Secondary ENM to the
node trusted CA certificates varies depending on the node type and
enrollment type.

See the document ENM Geographical Redundancy User Guide, Reference [29] for
further information (for example, see the section Extend Network Elements to
Trust the Secondary ENM).

Example: For MSC nodes with OAM enrollment to primary ENM, run the
steps described in the section Add ENM CAs to MSC Node (MSC-BC-BSP,
MSC-BC-IS, MSC-DB, and MSC-DB-BSP) on page 94 for downloading
and installing the CA certificates of Secondary ENM on to node. Similar
steps must be executed for different node types and enrollment types.

6.8.1 Enrollment Protocols


ENM PKI supports two enrollment protocols:
— SCEP - Simple Certificate Enrollment Protocol

— CMPv2 - Certificate Management Protocol version 2

SCEP
The SCEP protocol is used to enroll a certificate for an End Entity (node).
When a certificate is reissued using SCEP, the operator must revoke the old
certificate manually.

Note: Operator needs to revoke the old certificate only after the confirmation
that the new certificate is successfully installed on the node.

CMPv2
CMPv2 is a PKI protocol used for certificate enrollment of End Entity (EE).

It can be used to perform initial enrollment and renew (key update) operations.
Through initial enrollment, an EE gets its own certificate and sets trusted
certificates. Renew (key update) can be used to renew the existing certificate.
The protocol works by exchanging signed messages back and forth between the
EE and the Registration Authority (RA) or Certificate Authority (CA) until the
issued certificate is received by the EE.

EE is enrolled for a certificate using two ways of authentication:

— Vendor credential-based authentication:

The EE uses a third-party vendor credential to digitally sign the request
message. The RA must trust the CA of the vendor certificate to authenticate
the message successfully.

— Initial Authentication Key (IAK) based authentication:

IAK authentication is achieved by the PKI (CA or RA) issuing the EE with
an IAK and a reference value (used to identify the secret value) through some
out-of-band means. Then, the IAK is used by the EE to digitally sign the
CMPv2 message.

Considerations

1. For enrollment of certificates using SCEP/CMPv2, either for CPP or
COM/ECIM:

Entity Name must be in the format:

• <node-name>-oam for OAM

• <node-name>-ipsec for IPsec

2. When the user initiates the enrollment protocol, they must consider that
if the node uses any weak algorithm, it needs to be enabled in the PKI
system. By default, weak algorithms are disabled in the system. Use the
pkiadm commands of the ENM CLI to enable them. See the section
Configuration Management Tasks in the document ENM Public Key
Infrastructure System Administrator Guide, Reference [8].

Example:

pkiadm configmgmt algo --enable --name SHA1

6.8.2 E2E Offline Enrollment Procedure for Baseband Radio Node


This section describes the set of steps to perform offline enrollment of Radio
Node.

The operator has to generate the node credential and trusted credentials
manually, and install them on the node, in an offline manner.

The procedure described here is applicable for OAM Enrollment only. Do not use
it for IPsec Enrollment.


A detailed description of the operations to be performed on the node is
available in the document Manage Security, Reference [16].

Overview
The offline procedure is based on three main steps:

1. End Entity creation and Credential generation from ENM.
2. LDAP Configuration from ENM.
3. Node configuration.

At the end of the procedure, the Radio Node is added in ENM and in SYNC with
TLS.

6.8.2.1 End Entity Creation and Credential Generation for E2E Offline Enrollment for
Baseband Radio Node

End Entities (EE) of the PKI System are the end users who get credentials from
the ENM PKI System. They use it for communication with other ENM systems.
End Entities must be created in the PKI system.

To generate credentials, each End Entity is mapped to an Entity Profile (EP) that
defines the Certificate Authority (CA).

For information about Entity and Profiles, see Public Key Infrastructure System
of the document ENM Public Key Infrastructure System Administrator Guide,
Reference [8].

Prerequisites

— The operator has ADMINISTRATOR role to access the CLI in ENM.

— The operator knows about Configuring MOs on the Node.

— The Radio Node SW version is Rel16A IP12 or higher.

Steps

1. Check Entity Profile.


List all the Entity Profiles already present in ENM PKI system:

pkiadm pfm --list -type entity

The highlighted profile must be available in the command output:


The highlighted profile is the default profile used when OAM Enrollment is
performed for Radio Nodes.

2. Prepare the XML File for the End Entity Creation.


A different End Entity must be created for each Radio Node.

The End Entities are created from an XML file. The template for the XML is
the following:

Template.xml

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NODE-OAM</Name>
</Category>
<EntityInfo>
<Name>NetworkElementID-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>NetworkElementID-oam</Value>
</SubjectField>
</Subject>
</EntityInfo>
</Entity>
</Entities>


In XML creation, the following rules must be followed:

— In the <EntityInfo> tag, the <Name> must be NetworkElementID-oam.

The NetworkElementID is the identifier that the user must use at the
end of this procedure when the Radio Node is added in ENM.

— In the <EntityInfo><SubjectField> tag for COMMON_NAME, the <Value> must
be NetworkElementID-oam.

The NetworkElementID is the identifier that the user must use at the
end of this procedure when the Radio Node is added in ENM.

The file is an example of the XML used to generate the End Entity for the
RadioNode with Network Element ID=G2RBS_27.

EE-G2RBS_27-oam.xml

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NODE-OAM</Name>
</Category>
<EntityInfo>
<Name>G2RBS_27-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>G2RBS_27-oam</Value>
</SubjectField>
</Subject>
</EntityInfo>
</Entity>
</Entities>

3. Save the XML file.


The suggested name for the file is EE_NetworkElementID-oam.xml.

4. Create the End Entity:


Drag and drop the XML file created in Step 2 into the ENM CLI app and run
the following command to create the End Entity:


pkiadm etm -c -xf file:EE_NetworkElementID-oam.xml

5. Verify the End Entity Creation.


Verify that the End Entity has been created by listing all the End Entities in
the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.

The End Entity is created, with name Network Element ID-oam, and its
status is NEW. The following example shows an End Entity related to Radio
Node G2RBS_27.

Example

6. End Entity Credential Generation.


The following command generates the End Entity credential, and packages it
in a p12 file. The p12 file also contains the corresponding private key of the
End Entity.

pkiadm ctm EECert -gen -nocsr -en NetworkElementID-oam -f P12

In the previous command, NetworkElementID-oam is the name of the entity
created in Step 4.

7. Download of Trusted Credentials.


For OAM connectivity with netconf over TLS, the following trusted CA
credentials are needed on node:

— ENM_OAM_CA

— ENM_Infrastructure_CA

— ENM_PKI_Root_CA

The ENM_PKI_Root_CA credential is already included in the p12 file
generated in Step 6. The other two credentials must be downloaded
manually.


Run the following commands to download the CA certificates in PEM format:

pkiadm ctm CACert -expcert -en ENM_OAM_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_Infrastructure_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM

6.8.2.2 LDAP Configuration for E2E Offline Enrollment for Baseband Radio Node

Prerequisites

— The operator has ADMINISTRATOR role to access the ENM CLI.

— The operator knows about Configuring MOs on the Node.

— The Radio Node SW version is Rel16A IP12 or higher.

Steps

1. Create Data for LDAP Configuration.


Gather the LDAP configuration information from the ENM:

secadm ldap configure --manual

Example
Command output:

Figure 1 LDAP Configuration Settings

2. Gather the LDAP configuration data for Radio node.


This data is used to populate the MO Attributes on the node in the last step
of this procedure.


With the following indications, collect the value for each MO Attribute listed
in the first column:

MO Attribute                   Value                Description
Ldap->baseDn                   get from Step 1      Base DN for which the client binds.
Ldap->bindDn                   get from Step 1      Proxy account for bind.
Ldap->bindPassword             get from Step 1      Password for proxy account bind.
Ldap->ldapIpAddress            get from Step 1 (1)  The IP address of the primary LDAP server.
Ldap->fallbackLdapIpAddress    get from Step 1 (1)  The IP address of the fallback LDAP server. The
                                                    fallback server is used when the primary server
                                                    is inaccessible.
Ldap->serverPort               1636                 Server port number to access the primary and
                                                    secondary LDAP servers.
Ldap->tlsMode                  LDAPS                Toggles the TLS establishment mode to access the
                                                    primary and secondary LDAP servers. Takes effect
                                                    when useTls is true.
Ldap->useTls                   true                 Toggle to enable TLS access to primary and
                                                    secondary LDAP targets.
Ldap->userLabel                ENM Server           Extra descriptive text.
Ldap->profileFilter            ERICSSON_FILTER      Selects an LDAP filter to determine the user
                                                    authorization profile. Authorization profiles are
                                                    used by authorization methods. For ERICSSON_FILTER,
                                                    the contained EricssonFilter MO must exist.
EricssonFilter                 1
Filter                         1

(1) If the node is IPv4 type, get the IPv4 ldap and fallbackldap IP addresses. If the node is IPv6 type, get the
IPv6 ldap and fallbackldap IP addresses.

6.8.2.3 Node Configuration for E2E Offline Enrollment for Baseband Radio Node

Prerequisites

— The operator has ADMINISTRATOR role to access the CLI in ENM.

— The operator knows about Configuring MOs on the Node.

— The Radio Node SW version is Rel16A IP12 or higher.

Installation of Credentials and LDAP Configuration on the Node

According to the procedures described in the document Manage Security,
Reference [16], the node credential and LDAP must be configured on the Radio
Node by following these steps.


Steps

1. Configure Node Credentials.


Described in Node Credential Enrollment - PKCS#12 Based Offline Enrollment.
Use the p12 file provided at Step 6 in Section 6.8.2.1, End Entity Creation
and Credential Generation for E2E Offline Enrollment for Baseband Radio Node.

2. Install trusted CA credential onto the node.


Described in Trusted Certificates Management, including the TrustCategory MO
that must reference the TrustedCertificate MOs. Use the PEM files provided at
Step 7 in Section 6.8.2.1, End Entity Creation and Credential Generation for
E2E Offline Enrollment for Baseband Radio Node.

3. Configure LDAP.
Described in step 2 of: LDAP Configuration for E2E Offline Enrollment for
Baseband Radio Node on page 64

4. Configure Transport Layer Security (TLS):


Described in Configure NETCONF over TLS.

6.8.3 Online Certificate Enrollment on RadioNode


This section describes the steps to perform online enrollment of Radio Node.

The operator starts the node enrollment through the CMPv2 protocol, obtaining
certificate from PKI-RA.

This procedure is only applicable for OAM Enrollment. Do not use for IPsec
Enrollment.

Details of the operations are available in the document Manage Security,
Reference [16].

Overview
The online procedure is based on three main steps:
— End Entity creation and Credential generation from ENM.

— LDAP Configuration from ENM.

— Node configuration.

At the end of the procedure, the Radio Node is added in ENM and is synchronized
with TLS.


6.8.3.1 End Entity Creation and Credential Generation for Online Certificate Enrollment
on RadioNode

End Entities (EE) of the PKI System are the end users who get credentials from
the ENM PKI System. They use it for communication with other ENM systems.
End Entities must be created in the PKI system.

To generate credentials each End Entity is mapped to an Entity Profile (EP) which
defines the Certificate Authority (CA).

For more information about Entity and Profiles, see Public Key Infrastructure
System of the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8].

Prerequisites

— The operator has ADMINISTRATOR role to access the ENM CLI.

— The operator knows about Configuring MOs on the Node.

— The Radio Node SW version is Rel16A IP12 or higher.

Steps

1. Check entity profile.


List all the Entity Profiles already present in ENM PKI system:

pkiadm pfm --list -type entity

The following highlighted profile must be available in the command output:

The highlighted profile is the default profile used when OAM Enrollment is
performed for Radio Nodes.


2. Prepare the XML File for the End Entity Creation.


A different End Entity must be created for each Radio Node.

The End Entities are created starting from an XML file. The following is the
template for the XML file:

Template.xml

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NODE-OAM</Name>
</Category>
<EntityInfo>
<Name>NetworkElementID-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>NetworkElementID-oam</Value>
</SubjectField>
</Subject>
</EntityInfo>
</Entity>
</Entities>

During the XML creation, the following rules must be respected:

— In the <EntityInfo> tag, the <Name> must be NetworkElementID-oam.

The NetworkElementID is the identifier used at the end of this procedure,
when the Radio Node is added in ENM.

— In the <EntityInfo><SubjectField> tag for COMMON_NAME, the <Value> must
be NetworkElementID-oam.

The NetworkElementID is the identifier that the user must use at the end of
this procedure when the Radio Node is added in ENM.

The following file is an example of XML file used to generate the End
Entity for the RadioNode with Network Element ID=G2RBS_27.

EE-G2RBS_27-oam.xml


<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NODE-OAM</Name>
</Category>
<EntityInfo>
<Name>G2RBS_27-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>G2RBS_27-oam</Value>
</SubjectField>
</Subject>
</EntityInfo>
</Entity>
</Entities>

3. Save the XML file.


Name the file EE_NetworkElementID-oam.xml.

4. Create the End Entity.


Drag and drop the XML file created in Step 2 into the ENM CLI. To create the
End Entity, run the following command:

pkiadm etm -c -xf file:EE_NetworkElementID-oam.xml

5. Verify End Entity creation.


List all the End Entities in the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.

The End Entity must be created with name NetworkElementID-oam, and its
status is NEW. The following example shows the EE related to Radio Node
G2RBS_27.


Example

6. Retrieve End Entity Subject DN.


From EE_NetworkElementID-oam.xml:

EE Subject DN:
CN=<EntityInfo.Subject.COMMON_NAME.value>,C=<EntityInfo.Subject.COUNTRY_NAME.value>,O=<EntityInfo.Subject.ORGANIZATION.value>,OU=<EntityInfo.Subject.ORGANIZATION_UNIT.value>

For instance, from EE-G2RBS_27-oam.xml:

EE Subject DN:
CN=G2RBS_27-oam,C=SE,O=ERICSSON,OU=BUCI DUAC NAM
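As an added example (not code from the ENM guide or from Ericsson), the following Python script generates the End Entity XML from a NetworkElementID, checks an existing file against the two naming rules stated in Step 2 of this section and of Section 6.8.2.1 (the <EntityInfo><Name> and the COMMON_NAME <Value> must both be NetworkElementID-oam), and derives the Subject DN of Step 6 in the CN=,C=,O=,OU= order shown above. It uses only the Python standard library; the function names are the author's own, the xsi namespace is the standard W3C one, and the file is not validated against EntitiesSchema.xsd.

```python
"""Build, check and summarise the End Entity XML used for Radio Node OAM enrollment
(added example, not from the ENM guide; standard library only)."""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"   # standard XML Schema instance namespace
ET.register_namespace("xsi", XSI)

# Fixed Subject fields of the template, in the order the template lists them.
SUBJECT_FIELDS = (
    ("ORGANIZATION", "ERICSSON"),
    ("ORGANIZATION_UNIT", "BUCI DUAC NAM"),
    ("COUNTRY_NAME", "SE"),
)
# Short attribute names and order used when the guide writes the Subject as a DN (Step 6).
DN_ORDER = (("COMMON_NAME", "CN"), ("COUNTRY_NAME", "C"),
            ("ORGANIZATION", "O"), ("ORGANIZATION_UNIT", "OU"))


def entity_name(network_element_id: str, kind: str = "oam") -> str:
    """Entity Name must be <node-name>-oam for OAM or <node-name>-ipsec for IPsec."""
    if kind not in ("oam", "ipsec"):
        raise ValueError("kind must be 'oam' or 'ipsec'")
    return f"{network_element_id}-{kind}"


def build_entity_xml(network_element_id: str, entity_profile: str = "DUSGen2OAM_CHAIN_EP") -> str:
    """Produce the Template.xml structure with both naming rules satisfied."""
    name = entity_name(network_element_id)
    root = ET.Element("Entities", {f"{{{XSI}}}noNamespaceSchemaLocation": "EntitiesSchema.xsd"})
    entity = ET.SubElement(root, "Entity")
    ET.SubElement(entity, "PublishCertificatetoTDPS").text = "true"
    ET.SubElement(entity, "EntityProfile", Name=entity_profile)
    alg = ET.SubElement(entity, "KeyGenerationAlgorithm")
    ET.SubElement(alg, "Name").text = "RSA"
    ET.SubElement(alg, "KeySize").text = "2048"
    cat = ET.SubElement(entity, "Category")
    ET.SubElement(cat, "Modifiable").text = "true"
    ET.SubElement(cat, "Name").text = "NODE-OAM"
    info = ET.SubElement(entity, "EntityInfo")
    ET.SubElement(info, "Name").text = name                  # rule 1: <Name> = NetworkElementID-oam
    subject = ET.SubElement(info, "Subject")
    for field_type, value in SUBJECT_FIELDS + (("COMMON_NAME", name),):   # rule 2: CN = same value
        field = ET.SubElement(subject, "SubjectField")
        ET.SubElement(field, "Type").text = field_type
        ET.SubElement(field, "Value").text = value
    return ET.tostring(root, encoding="unicode")


def subject_fields(xml_text: str) -> dict:
    """Map SubjectField Type -> Value from an End Entity XML document."""
    root = ET.fromstring(xml_text)
    return {f.findtext("Type"): f.findtext("Value") for f in root.iter("SubjectField")}


def check_entity_xml(xml_text: str, network_element_id: str) -> list:
    """Return the rule violations found; an empty list means the file is consistent."""
    root = ET.fromstring(xml_text)
    expected = entity_name(network_element_id)
    problems = []
    name = root.findtext("Entity/EntityInfo/Name")
    if name != expected:
        problems.append(f"EntityInfo/Name is {name!r}, must be {expected!r}")
    cn = subject_fields(xml_text).get("COMMON_NAME")
    if cn != expected:
        problems.append(f"COMMON_NAME Value is {cn!r}, must be {expected!r}")
    profile = root.find("Entity/EntityProfile")
    if profile is None or not profile.get("Name"):
        problems.append("EntityProfile Name is missing")
    return problems


def subject_dn(xml_text: str) -> str:
    """EE Subject DN as the guide writes it for the NodeCredential MO: CN=...,C=...,O=...,OU=..."""
    fields = subject_fields(xml_text)
    return ",".join(f"{short}={fields[long]}" for long, short in DN_ORDER)


if __name__ == "__main__":
    doc = build_entity_xml("G2RBS_27")
    print(doc)
    print("problems:", check_entity_xml(doc, "G2RBS_27"))
    print("EE Subject DN:", subject_dn(doc))
```

Running the script with G2RBS_27 prints the same Subject DN as the example above; pointing check_entity_xml at a file whose <Name> lacks the -oam suffix, or whose COMMON_NAME differs from the <Name>, reports the mismatch before the file is fed to pkiadm etm.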

7. Get Enrollment URI.


From global.properties, get the IP address of the PKI RA Service (HAProxy
South Bound):

[root@ieatclvmlms908-1 ~]# cat /ericsson/tor/data/global.properties | grep haproxysb
haproxysb=141.137.211.135
haproxysb_ipv6=2001:1b70:82a1:138:0:2313:5249:4a

Choose IPv4 or IPv6, according to Node IP stack.

8. Get Root CA Finger Print:

a. Retrieve ENM_PKI_Root_CA active Certificate from WebCLI.

pkiadm certmgmt CACert --exportcert --entityname ENM_PKI_Root_CA --format PEM

This command downloads the ENM_PKI_Root_CA active certificate in PEM format
(for example, ENM_PKI_Root_CA.pem).

b. Retrieve Issuer of ENM_PKI_Root_CA.

openssl x509 -in ENM_PKI_Root_CA.pem -noout -issuer

issuer= /CN=ENM_PKI_Root_CA/OU=BUCI_DUAC_NAM/C=SE/O=ERICSSON

If ENM_PKI_Root_CA is self-signed:


— Calculate SHA1 FingerPrint of ENM_PKI_Root_CA using Openssl:

>openssl x509 -in ENM_PKI_Root_CA.pem -noout -fingerprint

SHA1 Fingerprint=57:FD:2A:59:36:D5:18:76:34:4D:FB:B7:98:FC:5B:15:BF:68:19:E8

Otherwise (case with External CA imported), retrieve the Root CA and
calculate the SHA1 FingerPrint of the External Root CA. Assuming, for
instance, that ENM_PKI_Root_CA has been signed by "O=TCS, C=IN, OU=DLF,
CN=PrimeTowerIntermediateCA":

— Retrieve the External CA list from WebCLI:

>pkiadm extcalist

From this table, it is possible to retrieve the ExtRoot CA. For example, if
from step b the ENM_PKI_Root_CA has been signed by O=TCS, C=IN, OU=DLF,
CN=PrimeTowerIntermediateCA, then the ExtRoot CA name is O=TCS, C=IN,
OU=DLF, CN=PrimeTowerRootCA.

— Retrieve the ExtCA certificate from WebCLI:

>pkiadm extcaexport -n "O=TCS, C=IN, OU=DLF, CN=PrimeTowerRootCA"

This command downloads the PrimeTowerRootCA active certificate in PEM
format (for example, PrimeTowerRootCA.pem).

— Calculate the SHA1 FingerPrint of the External Root CA using Openssl:

>openssl x509 -in PrimeTowerRootCA.pem -noout -fingerprint

SHA1 Fingerprint=54:8B:D7:B9:81:E9:7D:D5:6E:3D:2D:B4:C5:A9:63:89:E9:9E:B2:26
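As an added example (not code from the ENM guide or from Ericsson), this Python script derives the values that Steps 7 and 8 feed into the node's CertM MOs: it decides from the PEM whether the certificate is self-signed (issuer DN equal to subject DN, the same test the openssl -issuer step above makes by eye), produces the SHA1 fingerprint in the colon-separated form the enrollmentCaFingerprint attribute uses, and builds the CMP enrollment URI from the haproxysb address with an IPv6 literal bracketed. The DER walker reads only the issuer and subject names and performs no signature verification; the sample certificate is a constructed, unsigned structure for the demonstration, not a real ENM_PKI_Root_CA, and the function names are the author's assumptions.

```python
"""enrollmentCaFingerprint, self-signed decision and CMP enrollment URI
(added example, not from the ENM guide; standard library only)."""
import base64
import hashlib
import ipaddress
import re


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first PEM block in pem_text."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 over the DER encoding, colon-separated uppercase, as openssl prints it
    and as the enrollmentCaFingerprint attribute in the guide expects it."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def read_tlv(buf: bytes, pos: int):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits give the length's byte count
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length


def issuer_and_subject(der: bytes):
    """Raw DER of the issuer and subject Name fields of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }"""
    tag, pos, _ = read_tlv(der, 0)                       # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)                     # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                                      # optional [0] EXPLICIT version
        pos = end
    for expected in (0x02, 0x30):                        # serialNumber, signature AlgorithmIdentifier
        tag, _, end = read_tlv(der, pos)
        if tag != expected:
            raise ValueError("unexpected field in tbsCertificate")
        pos = end
    _, _, end = read_tlv(der, pos)                       # issuer Name
    issuer, pos = der[pos:end], end
    _, _, end = read_tlv(der, pos)                       # validity
    pos = end
    _, _, end = read_tlv(der, pos)                       # subject Name
    return issuer, der[pos:end]


def is_self_signed(der: bytes) -> bool:
    """Structural test only (issuer DN == subject DN); no signature verification.
    True: fingerprint this file. False: fingerprint the external root CA
    exported with 'pkiadm extcaexport' instead."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def enrollment_server_uri(haproxysb: str, ca_name: str = "NE_OAM_CA") -> str:
    """EnrollmentServer uri in the form the guide shows; an IPv6 literal must be bracketed."""
    host = ipaddress.ip_address(haproxysb)
    literal = f"[{host}]" if host.version == 6 else str(host)
    return f"http://{literal}:8091/pkira-cmp/{ca_name}/synch"


# --- constructed sample only: a certificate-shaped DER blob, NOT a real or signed certificate
def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_certificate_der(issuer_cn: str, subject_cn: str) -> bytes:
    """Certificate structure carrying only the fields issuer_and_subject() reads."""
    def name(cn):                                        # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))  # id-at-commonName
        return der_tlv(0x30, der_tlv(0x31, atv))
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + alg
                  + name(issuer_cn) + der_tlv(0x30, b"") + name(subject_cn) + der_tlv(0x30, b""))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, bytes(9)))    # dummy BIT STRING as signature


if __name__ == "__main__":
    der = sample_certificate_der("ENM_PKI_Root_CA", "ENM_PKI_Root_CA")
    print("self-signed:", is_self_signed(der))
    print("enrollmentCaFingerprint=" + sha1_fingerprint(der))
    print("uri=" + enrollment_server_uri("2001:1b70:82a1:138:0:2313:5249:4a"))
```

On a real deployment, pass the text of ENM_PKI_Root_CA.pem through pem_to_der() and then is_self_signed(); when it returns False, repeat with the PEM exported by pkiadm extcaexport, since the node must pin the fingerprint of the root of the chain, not of the intermediate.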

6.8.3.2 LDAP Configuration for Online Certificate Enrollment on RadioNode

Setting LDAP Configuration and Establishing LDAP with Start TLS
Connectivity

Prerequisites

— The operator has ADMINISTRATOR role to access the CLI in ENM.

— The operator knows about Configuring MOs on the Node.

— The Radio Node SW version is Rel16A IP12 or higher.

Steps

1. Get data for LDAP configuration:


To gather the LDAP configuration information from the ENM system, use the
following command:

secadm ldap configure --manual

A sample output by running the previous command is the following:

Figure 2 LDAP Configuration Settings

2. Gather the LDAP configuration data for Radio Node:


This data is used to populate the MO Attributes on the radio node in the last
step of this procedure.

Following the indications below, collect the value for each MO Attribute
listed in the first column:

MO Attribute                   Value                Description
Ldap->baseDn                   get from Step 1      Base DN that the client binds.
Ldap->bindDn                   get from Step 1      Proxy account for bind.
Ldap->bindPassword             get from Step 1      Password for proxy account bind.
Ldap->ldapIpAddress            get from Step 1 (1)  The IP address of the primary LDAP server.
Ldap->fallbackLdapIpAddress    get from Step 1 (1)  The IP address of the fallback LDAP server. The
                                                    fallback server is used when the primary server
                                                    is inaccessible.
Ldap->serverPort               1636                 Server port number to access the primary and
                                                    secondary LDAP servers.
Ldap->tlsMode                  LDAPS                Toggles the TLS establishment mode to access the
                                                    primary and secondary LDAP servers. Takes effect
                                                    when useTls is true.
Ldap->useTls                   true                 Toggle to enable TLS access to primary and
                                                    secondary LDAP targets.
Ldap->userLabel                ENM Server           Extra descriptive text.
Ldap->profileFilter            ERICSSON_FILTER      Selects an LDAP filter to determine the user
                                                    authorization profile. Authorization profiles are
                                                    used by authorization methods. For ERICSSON_FILTER,
                                                    the contained EricssonFilter MO must exist.
EricssonFilter                 1
Filter                         1

(1) If the node is IPv4 type, get the IPv4 ldap and fallbackldap IP addresses. If the node is IPv6 type, get
the IPv6 ldap and fallbackldap IP addresses.
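As an added example (not part of the ENM guide), the following Python code assembles the Ldap MO attribute set of the table above (and of the identical table in Section 6.8.2.2) from the Step 1 data, and a second function checks the dependencies the table states: tlsMode only takes effect when useTls is true, profileFilter=ERICSSON_FILTER requires the contained EricssonFilter MO, and both server addresses must match the node's IP stack (footnote (1)). The ENM settings in the script are constructed sample values from documentation address ranges, not from any deployment; the function names are the author's assumptions.

```python
"""Ldap MO attribute set for a Radio Node, assembled from the Step 1 data and
checked against the dependencies the table states (added example, not from the
ENM guide; all sample values are constructed)."""
import ipaddress

# Constructed stand-in for the data that 'secadm ldap configure --manual' provides (Step 1).
ENM_LDAP_SETTINGS = {
    "baseDn": "dc=enm,dc=example",                                   # constructed
    "bindDn": "cn=ProxyAccount_1,ou=proxyagent,dc=enm,dc=example",    # constructed
    "bindPassword": "constructed-sample-password",                    # constructed
    "ldapIpv4": "192.0.2.10", "fallbackLdapIpv4": "192.0.2.11",       # constructed (TEST-NET-1)
    "ldapIpv6": "2001:db8::10", "fallbackLdapIpv6": "2001:db8::11",   # constructed (documentation prefix)
}


def ldap_mo_attributes(settings: dict, node_ip_version: int) -> dict:
    """Map the Step 1 data onto the Ldap MO attributes of the table. Footnote (1):
    the primary and fallback addresses follow the node's IP stack."""
    if node_ip_version not in (4, 6):
        raise ValueError("node_ip_version must be 4 or 6")
    stack = "Ipv4" if node_ip_version == 4 else "Ipv6"
    return {
        "baseDn": settings["baseDn"],
        "bindDn": settings["bindDn"],
        "bindPassword": settings["bindPassword"],
        "ldapIpAddress": settings["ldap" + stack],
        "fallbackLdapIpAddress": settings["fallbackLdap" + stack],
        "serverPort": 1636,                  # fixed values taken from the table
        "tlsMode": "LDAPS",
        "useTls": True,
        "userLabel": "ENM Server",
        "profileFilter": "ERICSSON_FILTER",
    }


def check_ldap_mo(attrs: dict, node_ip_version: int, ericsson_filter_mo_exists: bool) -> list:
    """Return a list of problems; an empty list means the attribute set is consistent."""
    problems = []
    # tlsMode only takes effect when useTls is true; without TLS the simple bind
    # that carries bindPassword is not protected.
    if not attrs.get("useTls"):
        problems.append("useTls=false: tlsMode=%s has no effect on port %s"
                        % (attrs.get("tlsMode"), attrs.get("serverPort")))
    # For ERICSSON_FILTER the contained EricssonFilter MO must exist.
    if attrs.get("profileFilter") == "ERICSSON_FILTER" and not ericsson_filter_mo_exists:
        problems.append("profileFilter=ERICSSON_FILTER but no EricssonFilter MO exists")
    # Both server addresses must belong to the node's IP stack (footnote (1)).
    for key in ("ldapIpAddress", "fallbackLdapIpAddress"):
        try:
            version = ipaddress.ip_address(attrs[key]).version
        except (KeyError, ValueError):
            problems.append(f"{key} is missing or not a valid IP address")
            continue
        if version != node_ip_version:
            problems.append(f"{key}={attrs[key]} is IPv{version}, node uses IPv{node_ip_version}")
    return problems


if __name__ == "__main__":
    attrs = ldap_mo_attributes(ENM_LDAP_SETTINGS, 6)
    for name, value in attrs.items():
        print(f"Ldap->{name} = {value}")
    print("problems:", check_ldap_mo(attrs, 6, ericsson_filter_mo_exists=True))
    print("weakened:", check_ldap_mo(dict(attrs, useTls=False), 6, True))
```

The weakened call shows the setting the table warns about: with useTls=false the LDAPS tlsMode is ignored, so the check lists it instead of letting the MO be written with a silently unprotected bind.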

6.8.3.3 Node Configuration for Online Certificate Enrollment for RadioNode

Prerequisites

— The operator has ADMINISTRATOR role to access the ENM CLI.

— The operator knows about Configuring MOs on the Node.

— The Radio Node SW version is Rel16A IP12 or higher.

See the procedures in the document Manage Security, Reference [16].

Node credential and LDAP must be configured on the Radio Node by following
these steps.

Steps

1. Configure CertM MOs:

Described in Online Enrollment.

a. EnrollmentAuthority MO:


— enrollmentCaFingerprint=<From Step 8 of End Entity Creation and
Credential Generation for Online Certificate Enrollment on RadioNode on
page 67>.

— enrollmentAuthorityName="<X.501 distinguished name of the issuing CA:
NE_OAM_CA>".

Example
enrollmentCaFingerprint=57:FD:2A:59:36:D5:18:76:34:4D:FB:B7:98:FC:5B:15:BF:68:19:E8

enrollmentAuthorityName="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=NE_OAM_CA"

b. EnrollmentServer MO:

protocol=CMP, URI=<From Step 7 of End Entity Creation and Credential
Generation for Online Certificate Enrollment on RadioNode on page 67>

Example
in case Node is configured with IPv4:

uri=http://141.137.211.135:8091/pkira-cmp/NE_OAM_CA/synch

Example
In case Node is configured with IPv6:

uri=http://[2001:1b70:82a1:138:0:2313:5249:4a]:8091/pkira-cmp/NE_OAM_CA/synch

c. NodeCredential MO:

SubjectName=<From Step 6 of End Entity Creation and Credential Generation
for Online Certificate Enrollment on RadioNode on page 67>.

Example
SubjectName=CN=G2RBS_27-oam,C=SE,O=ERICSSON,OU=BUCI DUAC NAM

2. Configure LDAP:
Described in Configure LDAP:

LDAP parameters provided at Step 1 of LDAP Configuration for Online
Certificate Enrollment on RadioNode on page 71, "Get required data for
LDAP configuration".

3. Configure Transport Layer Security (TLS):


Described in Configure NETCONF over TLS.

6.8.4 Online Enrollment Procedure for MSC Node (MSC-BC-BSP, MSC-BC-IS,
MSC-DB, and MSC-DB-BSP)

Use this procedure to perform online enrollment of a GSM MSC node (MSC-BC-BSP,
MSC-BC-IS, MSC-DB, and MSC-DB-BSP).

Prerequisites

— ADMINISTRATOR role to access the ENM CLI.

— Security Administrator to access User Management and Role Management
applications in ENM.

— Knowledge of Configuring MOs on the node.

— MSC node version is 18.A or higher.

— TS (Troubleshooter) user credentials to access the NE.

— An LDAP user must be created using the User Management application with
the roles mentioned in Step 18.

— Added ENM CAs to MSC node: see the section Add ENM CAs to MSC Node
(MSC-BC-BSP, MSC-BC-IS, MSC-DB, and MSC-DB-BSP) on page 94 to do
this action.

— For an MSC-BC-BSP node, which consists of dual APs, install the
certificates on both AP1 and AP2. If AP2 (which is optional) is chosen,
install the certificates from ENM.

Steps

The online procedure is based on three main steps:

— End Entity creation and credential generation from ENM.

— Node configuration.

— Reconfigure LDAP credentials to use the ENM LDAP server.

End Entity creation and Credential generation

End Entities (EE) of the PKI System are the end users who get credentials from
the ENM PKI System and use it for communication with other ENM systems. EEs
must be created in the PKI system.

To generate credentials, each EE is mapped to an Entity Profile (EP) which
defines the Certificate Authority (CA).


For more information about Entity and Profiles, see the section Concepts of the
document ENM Public Key Infrastructure System Administrator Guide, Reference
[8].

1. Launch ENM CLI from ENM Launcher.

2. Check Entity Profile.


List all entity profiles already present in ENM PKI system:

pkiadm pfm --list -type entity

Sample output: the highlighted profiles must be available in the command
output.

Figure 3

For more information about Entity and Profiles, see the section ENM
PKI Concepts of the document ENM Public Key Infrastructure System
Administrator Guide, Reference [8]. The highlighted profile is the default
profile used when OAM Enrollment is performed for MSC nodes.

3. Prepare the XML file for End Entity creation.


A different EE must be created for each MSC node.


The EEs are created starting from an *.xml file. The template for the *.xml
file is the following:

<?xml version="1.0"?>
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NODE-OAM</Name>
</Category>
<EntityInfo>
<Name>NetworkElementID-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCIDUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>NetworkElementID-oam</Value>
</SubjectField>
</Subject>
<OTP>Ericsson01</OTP>
<OTPCount>5</OTPCount>
</EntityInfo>
<OTPValidityPeriod>300</OTPValidityPeriod>
</Entity>
</Entities>

During the XML file creation, these rules must be applied:

— In the <EntityInfo> tag, the <Name> must be <Network Element ID>-oam.

The <NetworkElementID> is the identifier that the user must use at the
end of this procedure, when the MSC node is added in ENM.

— In the <EntityInfo><SubjectField> tag whose <Type> is COMMON_NAME, the <Value> must be
<NetworkElementID>-oam, that is, the same value as the <Name>.

The <NetworkElementID> is the identifier that the user must use at the
end of this procedure when the MSC node is added in ENM.

Save the created XML file. The suggested name for the file is
EE_<Network Element ID>-oam.xml.

4. Create the End Entity.

Drag and drop into the ENM CLI the XML file created in Step 3 and run the
following command to create the EE:


pkiadm etm -c -xf file:EE_MSCSRV054AP1-oam.xml

5. Verify the End Entity Creation.

Verify that the EE has been created by listing all the EEs in the ENM PKI
system:

pkiadm etm -l -type ee

The EE must be present in the list of End Entities.

The EE must be created with name <Network Element ID>-oam and its
status is NEW. In the following example, the EE is related to <MSC Node
NE_NAME>:

Figure 4

Node Configuration

This section describes the configuration of the NodeCredential MO
in the MSC.

For Online Enrollment, as preliminary node configuration, an
EnrollmentAuthority MO with an EnrollmentServerGroup MO and at least
one EnrollmentServer MO must be created.

a. The EnrollmentAuthority MO must be created under CertM=1 MO by
setting the attribute enrollmentCaCertificate to the DN of an
existing TrustedCertificate MO representing the CA trusted certificate for
the online enrollment server.

b. The EnrollmentServerGroup MO must be created under CertM=1 MO and a
new EnrollmentServer MO must be created in it, by setting the attributes
enrollmentAuthority, protocol and uri.

The enrollmentAuthority attribute must be set to the DN of the previously
created EnrollmentAuthority MO. The protocol attribute must be set to
value CMP, that is the protocol type used for online enrollment. The uri
attribute must be set according to the enrollment server configuration.


Once the EnrollmentServerGroup MO has been defined, a
NodeCredential MO under CertM=1 MO must be created by setting a few
attributes. The following are the further steps to do this configuration.

6. Log on the node to access the Node CLI:

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
....input TS User password

7. Using the WinFiol application on the Node CLI, navigate to the CertM MO of
the node by tabbing out each comma-separated MO:

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1

8. Run the show command on the CertM MO to display the installed
NodeCredentials on the NE.

Example

The example shows one NodeCredential on the Node.

(CertM=1)>show
CertM=1
localFileStorePath="certificates"
CertMCapabilities=1
EnrollmentAuthority=1
EnrollmentServerGroup=1
NodeCredential=1
TrustCategory=1
TrustedCertificate=1
TrustedCertificate=2

9. Create NodeCredential MO:

a. Navigate to the <CertM=1>. Change to Configure mode and execute
the following command to create the Node Credentials:

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1
(CertM=1)>Configure
(config-CertM=1)>NodeCredential=1

b. Execute the commit command to save the changes after the node
credentials are created.

(config-NodeCredential=1)>commit

c. Create the EnrollmentAuthority and EnrollmentServerGroup MOs as described
in the preliminary node configuration above, then display the
EnrollmentAuthority MO:

(CertM=1)>EnrollmentAuthority=1
(EnrollmentAuthority=1)>show -v
EnrollmentAuthority=1
authorityType=REGISTRATION_AUTHORITY


enrollmentAuthorityName="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=NE_OAM_CA"
enrollmentCaCertificate="ManagedElement=MSCSRV054AP1,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=16"
(EnrollmentAuthority=1)>

d. Show the EnrollmentServerGroup MO and its EnrollmentServer MO:

(CertM=1)>EnrollmentServerGroup=1
(EnrollmentServerGroup=1)>show -v
EnrollmentServerGroup=1
enrollmentServerGroupId="1"
userLabel=[] <empty>
EnrollmentServer=1
(EnrollmentServerGroup=1)>EnrollmentServer=1
(EnrollmentServer=1)>show -v
EnrollmentServer=1
enrollmentAuthority="ManagedElement=MSCSRV054AP1,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1" <deprecated>
enrollmentServerId="1"
protocol=CMP
uri="http://131.160.146.36:8091/pkira-cmp/NE_OAM_CA/synch"
userLabel=[] <empty>
(EnrollmentServer=1)>

e. Install the trusted certificates on the node. As for other ECIM/COM nodes,
the MSC needs at least ENM_PKI_Root_CA.

Retrieve the TDPS URLs of the trust certificates from the ENM CLI:

pkiadm trustmgmt --list --entitytype ca --entityname ENM_PKI_Root_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_Infrastructure_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_OAM_CA

pkiadm trustmgmt --list --entitytype ca --entityname NE_OAM_CA

Run this command on the node:

installTrustedCertFromUri --uri "<TDPS URI>" --fingerprint NULL --uriPassword NULL

Alternatively, the trust certificates can be downloaded, transferred to the
node with SFTP, and installed using a file:// or sftp:// URI. To check the
content of an installed TrustedCertificate MO:

(TrustedCertificate=16)>show -v
TrustedCertificate=16
certificateState=VALID <read-only>
managedState=ENABLED <default>
reservedByCategory <read-only>
"ManagedElement=MSCSRV054AP1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
trustedCertificateId="16"


certificateContent="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=ENM_PKI_Root_CA" <read-only>
extensionContent <read-only>
"X509v3 Basic Constraints:CA:TRUE"
"X509v3 Key Usage:Certificate Sign, CRL Sign"
"X509v3 Subject Key Identifier:BD:A9:63:BE:13:5F:7F:36:A7:44:83:CE:46:4A:75:76:24:AF:F3:AB"
issuer="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=ENM_PKI_Root_CA" <read-only>
keyUsage="Certificate Sign, CRL Sign" <read-only>
publicKey="E7:85:6D:3F:B0:35:95:46:D2:07:5D:36:19:36:18:30:BA:8D:01:A2:8E:93:CA:42:0D:3B:88:AD:C4:08:B4:4B:2A:AE:BF:0E:6A:24:F5:B7:4D:96:E6:4D:59:36:E4:7F:5F:0E:F6:30:87:4A:54:63:48:EC:4F:06:6B:5A:F1:FB:F2:CA:AC:D0:AE:D9:14:DF:86:8C:D8:86:08:1C:34:70:21:01:A9:36:05:D0:20:88:C0:F9:B1:D0:BC:85:89:94:1B:E7:76:65:01:90:D3:9C:21:F3:BD:D8:CB:A6:C6:89:57:21:34:EA:17:DD:ED:5B:C8:6D:64:8E:EB:DB:CD:F6:4A:77:84:25:FA:EB:B3:1C:D5:00:3C:46:40:8A:4F:E3:9C:58:0E:A9:A7:DB:AB:7A:F8:A5:46:83:6B:94:CA:EA:90:BF:D6:37:2D:E6:ED:C8:FF:B8:6E:D5:6F:BE:E0:93:9F:FF:5E:BD:C3:55:91:78:18:D4:F1:DE:8B:F6:63:FC:1F:B2:F5:47:6D:D4:80:05:8E:CE:62:63:15:A8:C5:1A:1B:C6:88:4C:3F:32:5A:AC:E8:41:07:29:94:73:02:C3:73:7C:63:16:0D:18:00:01:C3:3D:7C:C8:8D:61:82:0B:31:F3:C7:3F:A6:1C:AE:3E:13:17:9F:04:54:E6:D5:8B" <read-only>
publicKeyAlgorithm="RSA" <read-only>
serialNumber="64:1E:23:68:D4:8E:74:D4" <read-only>
signatureAlgorithm="sha256WithRSAEncryption" <read-only>
subject="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=ENM_PKI_Root_CA" <key> <read-only>
validFrom="2018-01-03T20:43:20Z" <read-only>
validTo="2028-01-03T20:43:20Z" <read-only>
version="Version 3" <read-only>

To check Enrollment Server Group Content:

(CertM=1)>EnrollmentServerGroup=1
(EnrollmentServerGroup=1)>show -v
EnrollmentServerGroup=1
enrollmentServerGroupId="1"
userLabel=[] <empty>
EnrollmentServer=1
(EnrollmentServerGroup=1)>EnrollmentServer=1
(EnrollmentServer=1)>show -v
EnrollmentServer=1
enrollmentAuthority="ManagedElement=MSCSRV054AP1,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1" <deprecated>
enrollmentServerId="1"
protocol=CMP
uri="http://131.160.146.36:8091/pkira-cmp/NE_OAM_CA/synch"
userLabel=[] <empty>
(EnrollmentServer=1)>

Note: The IP address in the online enrollment URI can be retrieved by reading
the IP address parameters sbLoadBalancerIPv4Address
and sbLoadBalancerIPv6Address. See View and Modify
Configuration Parameters on page 12 to execute the read
action.

f. Run the action startOnlineEnrollment under the NodeCredential
MO, specifying the initial shared password between APG and the
CA enrollment server, to initiate the online enrollment procedure.
The AP, Certification Authority Trusted Certificate, and Node
Credential Install Node Operational Instruction document describes
the procedure to install a node credential on APG through the online
enrollment procedure.

(NodeCredential=1)>startOnlineEnrollment --challengePassword <OTP set for the PKI entity created>
true
(config-NodeCredential=1)>show
NodeCredential=1
certificateState=VALID <read-only>
enrollmentAuthority="ManagedElement=MSCSRV054AP1,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1"
enrollmentServerGroup="ManagedElement=MSCSRV054AP1,SystemFunctions=1,SecM=1,CertM=1,EnrollmentServerGroup=1"
enrollmentTimer=60 <default>
expiryAlarmThreshold=30 <default>
keyInfo=RSA_2048
nodeCredentialId="1"
renewalMode=MANUAL <default>
reservedByUser=[] <empty> <read-only>
subjectName="CN=MSCSRV054AP1-oam,C=SE,O=ERICSSON,OU=BUCI DUAC NAM"
userLabel=[] <empty>
certificateContent="OU=BUCI DUAC NAM,O=ERICSSON,C=SE,CN=MSCSRV054AP1-oam" <read-only>
extensionContent <read-only>
"X509v3 Authority Key Identifier:keyid:60:D4:EE:DF:E7:91:62:07:79:51:C4:5B:DB:16:A1:C6:E5:1D:95:2C"
"X509v3 Basic Constraints:CA:FALSE"
"X509v3 CRL Distribution Points:Full Name:\n URI:http://131.160.146.36:8092/pki-cdps?ca_name=NE_OAM_CA&ca_cert_serialnumber=7231e13a76c3b54c\n\nFull Name:\n URI:http://[2001:1b70:82a1:146:0:609:5324:43]:8092/pki-cdps?ca_name=NE_OAM_CA&ca_cert_serialnumber=7231e13a76c3b54c"
"X509v3 Key Usage:Digital Signature, Key Encipherment, Key Agreement"
"X509v3 Subject Key Identifier:D2:2C:5C:95:7A:51:F3:0C:A4:A7:5F:99:51:05:EB:2B:E2:55:D2:13"
issuer="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=NE_OAM_CA" <read-only>
keyUsage="Digital Signature, Key Encipherment, Key Agreement" <read-only>
publicKey="D7:60:87:EE:CF:17:4E:6A:9E:16:02:76:7B:BF:FF:5B:8D:E6:77:0C:86:13:70:AD:9C:E4:B5:B2:7F:4C:D7:62:69:69:79:75:EB:6E:EC:BE:97:1D:C6:E1:00:DD:57:5F:A6:98:5E:29:52:7F:64:3C:E5:99:72:37:D3:5A:FE:1C:45:1D:48:99:BC:67:6F:39:C7:9C:AE:94:43:D4:B2:9A:EC:E4:3C:4C:C4:DA:99:3C:FB:4E:03:CB:B0:C6:C2:DE:EC:B6:53:47:F1:0A:54:EE:CA:A3:F9:81:3C:F5:8D:13:E9:71:67:CA:BF:C2:E4:0B:4C:3A:17:37:D3:7D:B7:F0:38:30:2E:4C:45:F1:F8:EC:1E:1D:6E:B9:3E:F4:95:80:3B:4A:A7:5E:41:41:D3:4C:D8:3F:7B:A0:02:FC:E8:13:A2:DF:50:6F:70:D3:28:19:E0:86:69:C9:EF:EB:1E:41:74:F7:6F:3F:83:C2:24:F2:BD:64:13:11:1C:B0:20:ED:62:C3:AB:E9:53:72:DF:4E:F3:81:87:F9:39:B9:83:5A:AB:AF:97:3D:E0:4B:10:08:00:4C:4B:EB:D5:84:29:17:96:DC:F0:1D:20:4B:54:27:C9:B9:C9:D3:B6:5A:38:C5:E3:AB:DD:76:19:0E:7A:69:BC:B7:69:C4:46:FC:82:85" <read-only>
publicKeyAlgorithm="RSA" <read-only>
serialNumber="5A:EB:75:C0:65:03:65:B3" <read-only>
signatureAlgorithm="sha256WithRSAEncryption" <read-only>
subject="OU=BUCI DUAC NAM,O=ERICSSON,C=SE,CN=MSCSRV054AP1-oam" <key> <read-only>
validFrom="2018-01-12T07:29:18Z" <read-only>
validTo="2020-01-12T07:29:18Z" <read-only>
version="Version 3" <read-only>
enrollmentProgress <read-only>
actionId=0 <read-only>
actionName="startOnlineEnrollment" <read-only>
additionalInfo=[] <empty> <read-only>
progressInfo="" <read-only>
progressPercentage=100 <read-only>
result=SUCCESS <read-only>
resultInfo="installed from the online service" <read-only>
state=FINISHED <read-only>
timeActionCompleted="2018-01-12T07:59:24Z" <read-only>
timeActionStarted="2018-01-12T07:59:23Z" <read-only>
timeOfLastStatusUpdate="2018-01-12T07:59:24Z"
(NodeCredential=1)>

Note: <OTP set for the PKI entity created> is the One-
Time-Password (OTP) for the PKI End Entity created
(during Step 4) through PKI Management GUI.


Ensure that the enrollment progress is fully completed. To verify it,
use the command show enrollmentProgress.

10. Update <Ldap=1> MO with the new NodeCredential MO details:

a. Navigate to the <Ldap=1> MO of the node by tabbing out each
comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

Note: Before navigating to the Ldap=1 MO of the node, make sure
that the attribute administrativeState is UNLOCKED
under the LdapAuthenticationMethod=1 MO.

(LdapAuthenticationMethod=1)>show
LdapAuthenticationMethod=1
administrativeState=UNLOCKED
Ldap=1

b. Configure <Ldap=1> MO with the new NodeCredential MO details:

(Ldap=1)>configure
(config-Ldap=1)>nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
(config-Ldap=1)>commit
(Ldap=1)>show -v
Ldap=1
baseDn="dc=ieatlms5589,dc=com"
bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
bindPassword="1:EG5ukQoVKgSBjFCDM7AgwFAgpThShQGm"
fallbackLdapIpAddress="131.160.129.59"
ldapId="1"
ldapIpAddress="131.160.129.60"
nodeCredential="ManagedElement=NE_NAME,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=636

Reconfigure LDAP Credentials to use ENM LDAP Server

This procedure reconfigures the LDAP credentials on the MSC to use the ENM
LDAP server.

11. Retrieve LDAP configuration details.

secadm ldap configure --manual


Figure 5 LDAP Configuration Settings

12. Log on the node to access the Node CLI:

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
....input TS User password

13. Navigate to the <Ldap=1> MO of the node by tabbing out each
comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

14. Configure the LDAP MO details as described in the following, using the
values retrieved in Step 11.

(Ldap=1)>
(Ldap=1)>configure
(config-Ldap=1)>baseDn="dc=ieatlms5223,dc=com"
(config-Ldap=1)>bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
(config-Ldap=1)>fallbackLdapIpAddress="131.160.128.123"
(config-Ldap=1)>ldapIpAddress="131.160.128.124"
(config-Ldap=1)>bindPassword="TLnH6ywUvNHWrAvdeHzZzswS" cleartext
(config-Ldap=1)>nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
(config-Ldap=1)>commit
(Ldap=1)>show -v
Ldap=1
baseDn="dc=ieatlms5223,dc=com"
bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
bindPassword="1:36OpqTK3HCo9zjV46dm1HmnQcIrXImn"
fallbackLdapIpAddress="131.160.128.123"
ldapId="1"


ldapIpAddress="131.160.128.124"
nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=636
tlsMode=LDAPS
trustCategory="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
useReferrals=false <default>
userLabel="LDAP based login authentication"
useTls=true
EricssonFilter=1
Filter=1
(Ldap=1)>

Note: NodeCredential=2 must have the ENM certificates installed as part of the
node configuration section.

15. Verify that the <Ldap=1> MO has the serverPort value 1636 on the node:

Navigate to the <Ldap=1> MO of the Node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
(Ldap=1)>show -v
Ldap=1
baseDn="dc=oss123,dc=com"
bindDn="cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
bindPassword="1:EG5ukQoVKgSBjFCDM7AgwFAgpThShQGm"
fallbackLdapIpAddress="10.23.34.57"
ldapId="1"
ldapIpAddress="10.23.34.56"
nodeCredential="ManagedElement=NE_NAME,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=1636

If the serverPort value is not 1636, configure the value:

(Ldap=1)>configure
(config-Ldap=1)>serverPort=1636
(config-Ldap=1)>commit

16. Verify that the <mmlAuthorizationMethod> attribute in the
<MmlAuthorizationM=1> MO is set to CPUSER or COCA.

Note: In a Single-CP System, it can be based either on CPUSER or on COCA
groups.

In a Multi-CP System, it is based only on COCA groups.

>ManagedElement=MSCSRV054AP1,SystemFunctions=1,AxeFunctions=1,SecurityHandling=1,MmlAuthorizationM=1
(MmlAuthorizationM=1)>show -v
MmlAuthorizationM=1
ignoreCpSuperUserRole=false <default> <read-only>
ignoreCpUserRoles=false <default> <read-only>
mmlAuthorizationMethod=CPUSER
mmlAuthorizationMId="1"


MmlRole=CpRole4
(MmlAuthorizationM=1)>

17. Create a COM Role from Role Management.

a. Navigate to Role Management application.

b. Create a role with role type as COM Role.

18. Create an ENM LDAP user from User Management.

a. Navigate to User Management application.

b. Create a user and assign to it the following roles:

• SystemAdministrator

• SystemSecurityAdministrator

• EricssonSupport

• CpRole0

Note: CpRole must be created first in ENM using Role
Management application and it is applied to LDAP user.

For the roles that are applied, ensure that Assign Target Groups is set to
ALL:

Figure 6

Results

The ENM LDAP user for MSC is now able to access the MSC node and must have the
roles added in Step 18.

6.8.5 Offline Enrollment Procedure for MSC Node (MSC-BC-BSP, MSC-BC-IS, MSC-DB, and MSC-DB-BSP)

This procedure describes how to perform offline enrollment of MSC node
(MSC-BC-BSP, MSC-BC-IS, MSC-DB, and MSC-DB-BSP).

Note: For all nodes that support offline enrollment, an alarm has to be
configured for certificate expiry notification to enable the user to renew
the certificate.

Prerequisites

— ADMINISTRATOR role to access the ENM CLI.


— Security Administrator to access the User Management and Role Management
applications in ENM.

— Knowledge of Configuring MOs on the node.

— MSC node version is 18.A or higher.

— TS (Troubleshooter) user credentials to access the NE.

— LDAP user must be created using User Management application with the
important roles mentioned in Step 17.

— ENM CAs must be added to MSC node: see the section Add ENM CAs to MSC
Node (MSC-BC-BSP, MSC-BC-IS, MSC-DB, and MSC-DB-BSP) on page 94.

Steps

The offline procedure is based on three main steps:

— End Entity creation and credential generation from ENM.

— Node configuration.

— Reconfigure LDAP credentials to use ENM LDAP server.

End Entity creation and credential generation

End Entities (EE) of the PKI System are the end users who get credentials from
the ENM PKI System and use it for communication with other ENM systems. EEs
must be created in the PKI system.

To generate credentials, each EE is mapped to an Entity Profile (EP) which
defines the Certificate Authority (CA).

For more information about entity and profiles, see the section ENM PKI
Concepts of the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8].

1. Launch ENM CLI from ENM Launcher.

2. Check Entity Profile by listing all the Entity Profiles already present in ENM
PKI system:

pkiadm pfm --list -type entity

Sample output:


Figure 7

The highlighted profile is the default profile used when OAM Enrollment is
performed for MSC nodes.

3. Prepare the XML file for End Entity creation.

A different EE must be created for each MSC Node.

The EEs are created starting from an *.xml file. The template for the *.xml
file is the following (End-Entity.xml):

<?xml version="1.0"?>
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NODE-OAM</Name>
</Category>
<EntityInfo>
<Name>NetworkElementID-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>


<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCIDUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>NetworkElementID-oam</Value>
</SubjectField>
</Subject>
<OTP>Ericsson03</OTP>
<OTPCount>5</OTPCount>
</EntityInfo>
<OTPValidityPeriod>300</OTPValidityPeriod>
</Entity>
</Entities>

During the XML file creation, the following rules must be applied:

— In the <EntityInfo> tag, the <Name> must be <Network Element ID>-oam.

The <NetworkElementID> is the identifier that the user must use at the
end of this procedure when the MSC node is added in ENM.

— In the <EntityInfo><SubjectField> tag whose <Type> is COMMON_NAME, the <Value> must be
<NetworkElementID>-oam, that is, the same value as the <Name>.

The <NetworkElementID> is the identifier that the user must use at the
end of this procedure when the MSC node is added in ENM.

Save the created XML file.

The suggested name for the file is EE_<Network Element ID>-oam.xml.
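The naming rules above, and the same rules in the online MSC procedure earlier in this chapter, are easy to get wrong when the file is edited by hand. The following Python script is an added example and is not part of this guide or of the ENM product: it generates the Entities XML for one node from its Network Element ID, so that <Name> and the COMMON_NAME <Value> are always <NetworkElementID>-oam, and it validates an existing file against those rules before the file is handed to pkiadm etm. The profile name, subject fields, key parameters and OTP settings are copied from the template above; the OTP used in the demonstration run is a constructed placeholder.

```python
"""Build and validate the ENM PKI End Entity XML for an MSC node.

Added example (not from the guide or from ENM): writes the Entities XML shown
in the procedure and checks the naming rules the guide states, so a wrong
<Name>/<Value> is caught before 'pkiadm etm -c' is run.
"""
import xml.etree.ElementTree as ET

# Values copied from the guide's template; the OU is site specific in practice.
DEFAULT_PROFILE = "DUSGen2OAM_CHAIN_EP"
DEFAULT_SUBJECT = (
    ("ORGANIZATION", "ERICSSON"),
    ("ORGANIZATION_UNIT", "BUCIDUAC NAM"),
    ("COUNTRY_NAME", "SE"),
)


def entity_name(ne_id: str) -> str:
    """The EE name the guide mandates: <NetworkElementID>-oam."""
    return f"{ne_id}-oam"


def suggested_filename(ne_id: str) -> str:
    """File name the guide suggests: EE_<NetworkElementID>-oam.xml."""
    return f"EE_{entity_name(ne_id)}.xml"


def build_entity_xml(ne_id: str, otp: str, profile: str = DEFAULT_PROFILE,
                     otp_count: int = 5, otp_validity: int = 300) -> str:
    """Return the Entities XML for one node. Name and COMMON_NAME are both
    derived from ne_id, so the two naming rules cannot be violated by hand."""
    name = entity_name(ne_id)
    root = ET.Element("Entities")
    root.set("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance")
    root.set("xsi:noNamespaceSchemaLocation", "EntitiesSchema.xsd")
    entity = ET.SubElement(root, "Entity")
    ET.SubElement(entity, "PublishCertificatetoTDPS").text = "true"
    ET.SubElement(entity, "EntityProfile", Name=profile)
    alg = ET.SubElement(entity, "KeyGenerationAlgorithm")
    ET.SubElement(alg, "Name").text = "RSA"
    ET.SubElement(alg, "KeySize").text = "2048"
    cat = ET.SubElement(entity, "Category")
    ET.SubElement(cat, "Modifiable").text = "true"
    ET.SubElement(cat, "Name").text = "NODE-OAM"
    info = ET.SubElement(entity, "EntityInfo")
    ET.SubElement(info, "Name").text = name
    subject = ET.SubElement(info, "Subject")
    for field_type, value in DEFAULT_SUBJECT + (("COMMON_NAME", name),):
        field = ET.SubElement(subject, "SubjectField")
        ET.SubElement(field, "Type").text = field_type
        ET.SubElement(field, "Value").text = value
    ET.SubElement(info, "OTP").text = otp
    ET.SubElement(info, "OTPCount").text = str(otp_count)
    ET.SubElement(entity, "OTPValidityPeriod").text = str(otp_validity)
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root)
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def validate_entity_xml(xml_text: str) -> list:
    """Check the naming rules from the guide and return a list of violations
    (empty when the file is acceptable)."""
    problems = []
    root = ET.fromstring(xml_text)
    entities = root.findall("Entity")
    if not entities:
        problems.append("no Entity element found")
    for idx, entity in enumerate(entities, start=1):
        info = entity.find("EntityInfo")
        name = info.findtext("Name", default="").strip() if info is not None else ""
        if not name.endswith("-oam") or len(name) == len("-oam"):
            problems.append(f"Entity {idx}: EntityInfo/Name {name!r} must be <NetworkElementID>-oam")
        cn = None
        for field in entity.iter("SubjectField"):
            if field.findtext("Type", default="").strip() == "COMMON_NAME":
                cn = field.findtext("Value", default="").strip()
        if cn != name:
            problems.append(f"Entity {idx}: COMMON_NAME {cn!r} must equal EntityInfo/Name {name!r}")
        profile = entity.find("EntityProfile")
        if profile is None or not profile.get("Name"):
            problems.append(f"Entity {idx}: EntityProfile Name is missing")
    return problems


if __name__ == "__main__":
    # Constructed demonstration values: node name from the guide, placeholder OTP.
    xml_text = build_entity_xml("MSCSRV054AP1", "Example-OTP-01")
    print(xml_text)
    print("save as:", suggested_filename("MSCSRV054AP1"))
    print("violations:", validate_entity_xml(xml_text) or "none")
```

Run it to print a file ready to be saved under the suggested name; validate_entity_xml can also be pointed at a hand-written file before the pkiadm etm -c step, and returns one message per rule broken so the file can be corrected before the EE is created in the PKI system.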

4. Create the End Entity.

Drag and drop the XML file created in Step 3 into the ENM CLI and run the
command to create the EE:

pkiadm etm -c -xf file:EE_MSCSRV054AP1-oam.xml

5. Verify the End Entity creation.

Verify that the EE has been created by listing all the EEs in the ENM PKI
system:

pkiadm etm -l -type ee

The EE must be present in the list of EEs.

The EE is to be created with name <Network Element ID>-oam and its
status is NEW. In the following example, there is the EE related to <MSC Node
NE_NAME>:


Figure 8

6. Generate End Entity Credential.

Use this command to generate the EE credential and package it in a P12 file.
The P12 file contains the corresponding private key of the EE:

pkiadm ctm EECert -gen -nocsr -en MSCSRV054AP1-oam -f P12 --password <password>

In the command, <MSCSRV054AP1-oam> is the name of the entity created in
Step 4.

Note: <password> can be anything and is only needed for generating the
P12 file.

Copy the P12 file generated in the previous step to the /tmp directory of the
ENM management server.

Node Configuration

This section describes the configuration of the NodeCredential MO in the
MSC.

7. Use the WinFiol application to access the Node CLI:

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
....input TS User password

8. Navigate to the CertM MO of the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1

9. Execute the show command on the CertM MO to display the installed
NodeCredentials on the NE.

The example shows one NodeCredential on the node.


(CertM=1)>show
CertM=1
localFileStorePath="certificates"
CertMCapabilities=1
EnrollmentAuthority=1
EnrollmentServerGroup=1
NodeCredential=1
TrustCategory=1
TrustedCertificate=1
TrustedCertificate=2

10. Create a NodeCredential MO:

a. Navigate to the <CertM=1>, change to Configure mode, and execute
the command to create the Node Credentials.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1
(CertM=1)>Configure
(config-CertM=1)>NodeCredential=1

b. Execute the commit command to save the changes after the node
credentials are created.

(config-NodeCredential=1)>commit

c. Install the new P12 certificate in NodeCredential=1:

(NodeCredential=1)>installCredentialFromUri sftp://root@LMS_IP/tmp/NE_NAME-oam.p12 <LMS Password> <Password of P12 file> NULL
true
(NodeCredential=1)>show enrollmentProgress
enrollmentProgress
actionId=0
actionName="installCredentialFromUri"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the container file"
state=FINISHED
timeActionCompleted="2017-08-05T12:37:36Z"
timeActionStarted="2017-08-05T12:37:36Z"
timeOfLastStatusUpdate="2017-08-05T12:37:36Z"
(NodeCredential=1)>

Note: The password of the P12 file is the same password used when
creating the P12 file.

Make sure that the enrollment progress is 100 percent
completed. To verify this, the command show
enrollmentProgress can be used.

11. Update <Ldap=1> MO with the new NodeCredential MO details:

a. Navigate to the <Ldap=1> MO of the node by tabbing out each
comma-separated MO.


ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

Note: Before navigating to the Ldap=1 MO of the node, make
sure that the attribute administrativeState is
UNLOCKED under the LdapAuthenticationMethod=1 MO.

(LdapAuthenticationMethod=1)>show
LdapAuthenticationMethod=1
administrativeState=UNLOCKED
Ldap=1

b. Configure <Ldap=1> MO with the new NodeCredential and
TrustCategory MOs details:

(Ldap=1)>configure
(config-Ldap=1)>nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
(config-Ldap=1)>trustCategory="ManagedElement=MSCSBC029AP1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
(config-Ldap=1)>commit
(Ldap=1)>show -v
Ldap=1
baseDn="dc=ieatlms5589,dc=com"
bindDn="cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
bindPassword="1:EG5ukQoVKgSBjFCDM7AgwFAgpThShQGm"
fallbackLdapIpAddress="131.160.129.59"
ldapId="1"
ldapIpAddress="131.160.129.60"
nodeCredential="ManagedElement=NE_NAME,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=636
tlsMode=LDAPS
trustCategory="ManagedElement=MSCSBC029AP1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
useReferrals=false <default>
userLabel=[] <empty>
useTls=true

Reconfigure LDAP Credentials to use ENM LDAP server.

This section describes the procedure to reconfigure LDAP credentials on the MSC
to use ENM LDAP server.

12. Run this command in ENM CLI to retrieve LDAP configuration details:

secadm ldap configure --manual

13. Log on the node to access the Node CLI:

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
....input TS User password

14. Navigate to the <Ldap=1> MO of the node by tabbing out each comma-
separated MO.


ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

15. Configure the LDAP MO details using the values retrieved in Step 12.

(Ldap=1)>
(Ldap=1)>configure
(config-Ldap=1)>baseDn="dc=ieatlms5589,dc=com"
(config-Ldap=1)>bindDn="cn=ProxyAccount_19,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
(config-Ldap=1)>fallbackLdapIpAddress="131.160.129.59"
(config-Ldap=1)>ldapIpAddress="131.160.129.60"
(config-Ldap=1)>bindPassword="gfu94ncy" cleartext
(config-Ldap=1)>nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
(config-Ldap=1)>commit
(Ldap=1)>show -v
Ldap=1
baseDn="dc=ieatlms5589,dc=com"
bindDn="cn=ProxyAccount_19,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
bindPassword="1:36OpqTK3HCo9zjV46dm1HmnQcIrXImn"
fallbackLdapIpAddress="131.160.129.59"
ldapId="1"
ldapIpAddress="131.160.129.60"
nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=636
tlsMode=LDAPS
trustCategory="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
useReferrals=false <default>
userLabel="LDAP based login authentication"
useTls=true
EricssonFilter=1
Filter=1
(Ldap=1)>

Note: NodeCredential=2 must have the ENM certificates installed as part of the
node configuration section.

16. Verify that the <Ldap=1> MO has the serverPort value 1636 on the node:

Navigate to the Ldap=1 MO of the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
(Ldap=1)>show -v
Ldap=1
baseDn="dc=oss123,dc=com"
bindDn="cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
bindPassword="1:EG5ukQoVKgSBjFCDM7AgwFAgpThShQGm"
fallbackLdapIpAddress="10.23.34.57"
ldapId="1"
ldapIpAddress="10.23.34.56"
nodeCredential="ManagedElement=NE_NAME,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=1636

If the serverPort value is not 1636, configure the value:

(Ldap=1)>configure
(config-Ldap=1)>serverPort=1636
(config-Ldap=1)>commit
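Step 16 here, Step 15 of the online MSC procedure, and the show enrollmentProgress checks after a credential is installed all come down to reading attribute=value lines off the node CLI. The Python below is an added example and is not part of this guide or of the node software: it parses the show -v output format seen in the transcripts above into a dictionary and applies the checks the guide asks for (serverPort 1636, LDAPS in use, a NodeCredential and a TrustCategory referenced, and the enrollment action FINISHED with result SUCCESS at 100 percent). The line format it assumes is inferred from those transcripts, and the two embedded transcripts are constructed samples modelled on them, not output captured from a node.

```python
"""Parse COM CLI 'show -v' / 'show enrollmentProgress' output and verify the
state the guide asks the administrator to check by eye.

Added example (not from the guide or the node software). The line shape
'attribute=value <flag> <flag>' is assumed from the guide's transcripts.
"""
import re
from typing import Dict, List, Optional, Tuple

# attribute=value where value is "quoted" or a bare token, then zero or more <flags>
_ATTR_RE = re.compile(r'^\s*(\w+)=("(?:[^"\\]|\\.)*"|[^\s<]+)((?:\s+<[^>]+>)*)\s*$')
_FLAG_RE = re.compile(r"<([^>]+)>")


def parse_show_output(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map each attribute to (value, flags). Prompt lines such as
    '(Ldap=1)>show -v' and the quoted certificate-extension lines do not
    match and are skipped; surrounding quotes of a value are removed."""
    attrs: Dict[str, Tuple[str, List[str]]] = {}
    for line in text.splitlines():
        m = _ATTR_RE.match(line)
        if not m:
            continue
        name, raw, flag_text = m.groups()
        value = raw[1:-1] if raw.startswith('"') else raw
        attrs[name] = (value, _FLAG_RE.findall(flag_text))
    return attrs


def _value(attrs: Dict[str, Tuple[str, List[str]]], key: str) -> str:
    return attrs.get(key, ("<missing>", []))[0]


def check_enrollment_progress(attrs: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """Return findings if the last enrollment action did not fully succeed."""
    expected = {"state": "FINISHED", "result": "SUCCESS", "progressPercentage": "100"}
    return [f"{key}={_value(attrs, key)}, expected {want}"
            for key, want in expected.items() if _value(attrs, key) != want]


def check_ldap_config(attrs: Dict[str, Tuple[str, List[str]]], expected_port: str = "1636",
                      cleartext_password: Optional[str] = None) -> List[str]:
    """Return findings for an Ldap=1 MO that is not in the state the guide
    describes after reconfiguration: LDAPS on the expected port, a
    NodeCredential and TrustCategory referenced, and the bind password not
    echoed back as the cleartext that was entered."""
    findings = []
    if _value(attrs, "serverPort") != expected_port:
        findings.append(f"serverPort={_value(attrs, 'serverPort')}, expected {expected_port}")
    if _value(attrs, "tlsMode") != "LDAPS" or _value(attrs, "useTls") != "true":
        findings.append("LDAP is not configured for LDAPS (tlsMode/useTls)")
    if ",NodeCredential=" not in _value(attrs, "nodeCredential"):
        findings.append("nodeCredential does not reference a Nod</br>eCredential MO".replace("</br>", ""))
    if ",TrustCategory=" not in _value(attrs, "trustCategory"):
        findings.append("trustCategory does not reference a TrustCategory MO")
    if cleartext_password is not None and _value(attrs, "bindPassword") == cleartext_password:
        findings.append("bindPassword is displayed as the cleartext value that was entered")
    return findings


# Constructed sample transcripts, modelled on the guide's examples.
SAMPLE_ENROLLMENT = """\
(NodeCredential=1)>show enrollmentProgress
enrollmentProgress
actionId=0
actionName="installCredentialFromUri"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the container file"
state=FINISHED
timeActionCompleted="2017-08-05T12:37:36Z"
(NodeCredential=1)>
"""

SAMPLE_LDAP = """\
(Ldap=1)>show -v
Ldap=1
baseDn="dc=example,dc=com"
bindDn="cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=example,dc=com"
bindPassword="1:EXAMPLEENCODEDVALUE"
fallbackLdapIpAddress="10.23.34.57"
ldapId="1"
ldapIpAddress="10.23.34.56"
nodeCredential="ManagedElement=NE_NAME,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=636
tlsMode=LDAPS
trustCategory="ManagedElement=NE_NAME,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
useReferrals=false <default>
userLabel="LDAP based login authentication"
useTls=true
(Ldap=1)>
"""

if __name__ == "__main__":
    print("enrollment:", check_enrollment_progress(parse_show_output(SAMPLE_ENROLLMENT)) or "OK")
    print("ldap:", check_ldap_config(parse_show_output(SAMPLE_LDAP)) or "OK")
```

Paste captured output in place of the SAMPLE_* strings or read it from a file; an empty list from a check means the MO is in the state the procedure expects, and for the constructed LDAP sample the only finding is the serverPort still at 636, which is exactly the case the step above tells you to correct. Passing the cleartext bind password that was typed in Step 15 to check_ldap_config flags the case where the node would echo it back unchanged.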

17. Verify that the <mmlAuthorizationMethod> attribute in
<MmlAuthorizationM=1> MO is set to CPUSER and these roles exist.

— SystemAdministrator

— SystemSecurityAdministrator

— EricssonSupport

— CpRole0

Note: CpRole0 is created first in ENM using Role Management
application.

For the roles that are applied, ensure that Assign Target Groups is set to ALL:

Figure 9

18. Create a COM Role from Role Management application.

Navigate to Role Management from ENM Launcher page.

Create a role with role type as COM Role.

19. Create an ENM LDAP user.

Navigate to User Management from ENM Launcher page.

Create a user and assign to the user the following roles:

— SystemAdministrator

— SystemSecurityAdministrator

6.8.5.1 Add ENM CAs to MSC Node (MSC-BC-BSP, MSC-BC-IS, MSC-DB, and MSC-DB-BSP)

Prerequisites
No prerequisites.

Steps

1. Launch ENM CLI and run the commands to obtain the Trust Distribution
Point Service (TDPS) URL for each of the four required ENM CA certificates.


These URLs are used later to download the ENM CA certificates to the
node.

pkiadm trustmgmt --list --entitytype ca --entityname ENM_PKI_Root_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_Infrastructure_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_OAM_CA

pkiadm trustmgmt --list --entitytype ca --entityname NE_OAM_CA

2. Use WinFiol application to access the Node CLI.

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>

3. Navigate to the CertM MO of the node.

4. Install the certificate by executing the installTrustedCertFromUri
command on the node, for each of the ENM CA certificates whose TDPS URL was
obtained in Step 1. This command requires three parameters:

— TDPS URL of the ENM CA certificate to be downloaded.

— URL password (if no password is required, the NULL string can be
provided).

— CA fingerprint (NULL string can be provided).

(CertM=1)>installTrustedCertFromUri <TDPS URL> NULL NULL

5. Execute the show command on the CertM MO to display the installed trusted
certificates on the node.

6. Navigate to the TrustCategory=1 MO and add the ENM CA certificates
installed in Step 4 to the NE TrustCategory=1.

7. Commit the changes to the TrustCategory=1 MO to add the ENM CA
certificates.

8. Verify that the TrustCategory has been updated correctly.

Navigate to TrustCategory and execute the show command to verify if all the
certificates are added.

6.8.6 Online Enrollment Procedure for HLR-FE Node


Use this procedure to perform online enrollment of GSM HLR-FE Node.

2/1543-AOM 901 151-2 Uen DE | 2023-01-31 95


ENM Network Security Configuration System Administrator Guide

Prerequisites

— ADMINISTRATOR role to access the ENM CLI.

— Knowledge of Configuring MOs on the node.

— HLR-FE node version is 1.9 or higher.

— TS (Troubleshooter) user credentials to access the NE.

Steps

This procedure is based on three main steps:

— End Entity creation and credential generation from ENM.

— Node configuration.

— Reconfigure LDAP Credentials to use ENM LDAP server.

End Entity creation and Credential generation

End Entities of the PKI System are the end users who get credentials from the
ENM PKI System and use it for communication with other ENM systems. End
Entities must be created in the PKI system. Root access privileges are required to
log on the management server and the VMs.

To generate credentials, each End Entity is mapped to an Entity Profile (EP)
which defines the Certificate Authority (CA).

For more information about Entity and Profiles, see the section ENM PKI
Concepts of the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8].

1. Launch ENM CLI from ENM Launcher.

2. Check Entity Profile.


List all Entity Profiles already present in ENM PKI system:

pkiadm pfm --list -type entity

Sample output:


Figure 10

The highlighted profile is the default profile used when OAM Enrollment is
performed for HLR-FE Nodes.

3. Prepare the XML File for End Entity Creation.


A different EE must be created for each HLR-FE Node.

The EEs are created from an XML file. The template for the XML file is the
following:

<?xml version="1.0"?>
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>NetworkElementID-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCIDUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>NetworkElementID-oam</Value>
        </SubjectField>
      </Subject>
      <OTP>Ericsson03</OTP>
      <OTPCount>5</OTPCount>
    </EntityInfo>
    <OTPValidityPeriod>300</OTPValidityPeriod>
  </Entity>
</Entities>

During the XML file creation, the following rules must be applied:

— In the <EntityInfo> tag, the <Name> must be <NetworkElementID-oam>.

The NetworkElementID is the identifier that the user must use at the
end of this procedure, when the HLR-FE node is added in ENM.

— In the <EntityInfo><SubjectField> tag, the <Value> must be
<NetworkElementID-oam>.

The NetworkElementID is the identifier that the user must use at the
end of this procedure, when the HLR-FE node is added in ENM.

Save the created XML file. The suggested name for the file is
EE_<NetworkElementID>-oam.xml.

Note: — Check the NetworkElementID.

— Values for these XML fields can be fetched from SED.

4. Create the End Entity.


Drag and drop the XML file created in Step 3 into the ENM CLI and run this
command to create the EE:

pkiadm etm -c -xf file:EE_hlrfe-oam.xml

5. Verify the End Entity Creation.


Verify that the End Entity has been created by listing all the End Entities in
the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.


The End Entity must be created with name <Network Element ID-oam>
and its status is NEW. In the example, there is the End Entity related to
<HLR-FE Node NE_NAME>:

Figure 11
Node Configuration

As preliminary node configuration, an EnrollmentAuthority MO, an
EnrollmentServerGroup MO, and at least one EnrollmentServer MO inside that
group must be created.

a. The EnrollmentAuthority MO (in the APG model) must be created under the
CertM=1 MO by setting the attribute enrollmentCaCertificate to the DN of an
existing TrustedCertificate MO representing the CA trusted certificate for
the online enrollment server.

b. The EnrollmentServerGroup MO must be created under the CertM=1 MO, and a
new EnrollmentServer MO must be created in it, setting the attributes
protocol and uri.

The enrollmentAuthority attribute must be set to the DN of the previously
created EnrollmentAuthority MO. The protocol attribute must be set to the
value CMP, that is, the protocol type used for online enrollment. The uri
attribute must be set according to the enrollment server configuration.

Once the EnrollmentServerGroup MO has been defined, a NodeCredential MO must
be created under the CertM=1 MO by setting a few attributes. The following
steps describe this configuration.

6. Log on the node to access the Node CLI.

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
....input TS User password

7. Navigate to the CertM MO of the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1


8. Execute the show command on the CertM MO to display the installed
NodeCredentials on the NE.

(CertM=1)>show
CertM=1
localFileStorePath="certificates"
CertMCapabilities=1
EnrollmentAuthority=1
EnrollmentServerGroup=1
NodeCredential=1
TrustCategory=1
TrustedCertificate=1
TrustedCertificate=2

9. Create NodeCredential MO:

a. Navigate to the <CertM=1> MO of the node by tabbing out each comma-separated MO:

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1

b. Run the following commands to set the enrollmentAuthority and
enrollmentServerGroup references to the MOs under the CertM MO:

(config-CertM=1)>NodeCredential=1
(config-NodeCredential=1)>enrollmentAuthority="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1"
(config-NodeCredential=1)>enrollmentServerGroup="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,EnrollmentServerGroup=1"
(config-NodeCredential=1)>keyInfo=RSA_2048
(config-NodeCredential=1)>renewalMode=MANUAL/AUTOMATIC
(config-NodeCredential=1)>subjectName="CN=MSCSRV054AP1-oam,C=SE,O=ERICSSON,OU=BUCI DUAC NAM"
(config-NodeCredential=1)>commit
(NodeCredential=1)>

Note: — NodeCredential must be created with "subjectName" equal to the
Subject DN defined in the ENM PKI End Entity.

— The SubjectName attribute can also be derived by performing the manual
MO action (installCredentialFromUri) on the NodeCredential MO.

— renewalMode can be set to either MANUAL or AUTOMATIC.

c. Show the associated value for MO EnrollmentAuthority.

(CertM=1)>EnrollmentAuthority=1
(EnrollmentAuthority=1)>show -v
EnrollmentAuthority=1
authorityType=REGISTRATION_AUTHORITY
enrollmentAuthorityName="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=NE_OAM_CA"
enrollmentCaCertificate="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=16"
(EnrollmentServer=1)>

d. Trust certificates must be installed for ENM_PKI_Root_CA at least; for
HLR-FE, ENM_PKI_Root_CA is needed as for other ECIM/COM nodes.

Launch the ENM CLI. Run the following commands to obtain the Trust
Distribution Point Service (TDPS) URL for each of the required ENM and NE
CA certificates. These are used to download the ENM and NE CA certificates
to the node.

ENM CLI gets URLs for trust certs:

pkiadm trustmgmt --list --entitytype ca --entityname ENM_PKI_Root_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_Infrastructure_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_OAM_CA

pkiadm trustmgmt --list --entitytype ca --entityname NE_OAM_CA

Check Trusted Certificate content:

(TrustedCertificate=16)>show -v
TrustedCertificate=16
certificateState=VALID <read-only>
managedState=ENABLED <default>
reservedByCategory <read-only>
"ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
trustedCertificateId="16"
certificateContent="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=ENM_PKI_Root_CA" <read-only>
extensionContent <read-only>
"X509v3 Basic Constraints:CA:TRUE"
"X509v3 Key Usage:Certificate Sign, CRL Sign"
"X509v3 Subject Key Identifier:BD:A9:63:BE:13:5F:7F:36:A7:44:83:CE:46:4A:75:76:24:AF:F3:AB"
issuer="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=ENM_PKI_Root_CA" <read-only>
keyUsage="Certificate Sign, CRL Sign" <read-only>
publicKey="E7:85:6D:3F:B0:35:95:46:D2:07:5D:36:19:36:18:30:BA:8D:01:A2:8E:93:CA:42:0D:3B:88:AD:C4:08:B4:4B:2A:AE:BF:0E:6A:24:F5:B7:4D:96:E6:4D:59:36:E4:7F:5F:0E:F6:30:87:4A:54:63:48:EC:4F:06:6B:5A:F1:FB:F2:CA:AC:D0:AE:D9:14:DF:86:8C:D8:86:08:1C:34:70:21:01:A9:36:05:D0:20:88:C0:F9:B1:D0:BC:85:89:94:1B:E7:76:65:01:90:D3:9C:21:F3:BD:D8:CB:A6:C6:89:57:21:34:EA:17:DD:ED:5B:C8:6D:64:8E:EB:DB:CD:F6:4A:77:84:25:FA:EB:B3:1C:D5:00:3C:46:40:8A:4F:E3:9C:58:0E:A9:A7:DB:AB:7A:F8:A5:46:83:6B:94:CA:EA:90:BF:D6:37:2D:E6:ED:C8:FF:B8:6E:D5:6F:BE:E0:93:9F:FF:5E:BD:C3:55:91:78:18:D4:F1:DE:8B:F6:63:FC:1F:B2:F5:47:6D:D4:80:05:8E:CE:62:63:15:A8:C5:1A:1B:C6:88:4C:3F:32:5A:AC:E8:41:07:29:94:73:02:C3:73:7C:63:16:0D:18:00:01:C3:3D:7C:C8:8D:61:82:0B:31:F3:C7:3F:A6:1C:AE:3E:13:17:9F:04:54:E6:D5:8B" <read-only>
publicKeyAlgorithm="RSA" <read-only>
serialNumber="64:1E:23:68:D4:8E:74:D4" <read-only>
signatureAlgorithm="sha256WithRSAEncryption" <read-only>
subject="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=ENM_PKI_Root_CA" <key> <read-only>
validFrom="2018-01-03T20:43:20Z" <read-only>
validTo="2028-01-03T20:43:20Z" <read-only>
version="Version 3" <read-only>


Check Enrollment Server Group content:

(CertM=1)>EnrollmentServerGroup=1
(EnrollmentServerGroup=1)>show -v
EnrollmentServerGroup=1
enrollmentServerGroupId="1"
userLabel=[] <empty>
EnrollmentServer=1
(EnrollmentServerGroup=1)>EnrollmentServer=1
(EnrollmentServer=1)>show -v
EnrollmentServer=1
enrollmentAuthority="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1" <deprecated>
enrollmentServerId="1"
protocol=CMP
uri="http://131.160.146.36:8091/pkira-cmp/NE_OAM_CA/synch"
userLabel=[] <empty>
(EnrollmentServer=1)>

Note: The online enrollment URI IP can be retrieved by reading the IP
address parameters sbLoadBalancerIPv4Address and sbLoadBalancerIPv6Address.
See View and Modify Configuration Parameters on page 12 to execute the read
action.

e. Run the action startOnlineEnrollment under the NodeCredential MO,
specifying the initial shared password between APG and the CA enrollment
server, to initiate the online enrollment procedure. The document AP,
Certification Authority Trusted Certificate and Node Credential, Install
(Node Operational Instruction) describes the procedure to install a node
credential on APG through the online enrollment procedure.

(NodeCredential=1)>startOnlineEnrollment --challengePassword password<OTP set for the PKI entity created>
true
(config-NodeCredential=1)>show
NodeCredential=1
certificateState=VALID <read-only>
enrollmentAuthority="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1"
enrollmentServerGroup="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,EnrollmentServerGroup=1"
enrollmentTimer=60 <default>
expiryAlarmThreshold=30 <default>
keyInfo=RSA_2048
nodeCredentialId="1"
renewalMode=MANUAL <default>
reservedByUser=[] <empty> <read-only>
subjectName="CN=SELIITHLR00008-oam,C=SE,O=ERICSSON,OU=BUCI DUAC NAM"
userLabel=[] <empty>
certificateContent="OU=BUCI DUAC NAM,O=ERICSSON,C=SE,CN=SELIITHLR00008-oam" <read-only>
extensionContent <read-only>
"X509v3 Authority Key Identifier:keyid:60:D4:EE:DF:E7:91:62:07:79:51:C4:5B:DB:16:A1:C6:E5:1D:95:2C"
"X509v3 Basic Constraints:CA:FALSE"
"X509v3 CRL Distribution Points:Full Name:\n URI:http://131.160.146.36:8092/pki-cdps?ca_name=NE_OAM_CA&ca_cert_serialnumber=7231e13a76c3b54c\n\nFull Name:\n URI:http://[2001:1b70:82a1:146:0:609:5324:43]:8092/pki-cdps?ca_name=NE_OAM_CA&ca_cert_serialnumber=7231e13a76c3b54c"
"X509v3 Key Usage:Digital Signature, Key Encipherment, Key Agreement"
"X509v3 Subject Key Identifier:D2:2C:5C:95:7A:51:F3:0C:A4:A7:5F:99:51:05:EB:2B:E2:55:D2:13"
issuer="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=NE_OAM_CA" <read-only>
keyUsage="Digital Signature, Key Encipherment, Key Agreement" <read-only>
publicKey="D7:60:87:EE:CF:17:4E:6A:9E:16:02:76:7B:BF:FF:5B:8D:E6:77:0C:86:13:70:AD:9C:E4:B5:B2:7F:4C:D7:62:69:69:79:75:EB:6E:EC:BE:97:1D:C6:E1:00:DD:57:5F:A6:98:5E:29:52:7F:64:3C:E5:99:72:37:D3:5A:FE:1C:45:1D:48:99:BC:67:6F:39:C7:9C:AE:94:43:D4:B2:9A:EC:E4:3C:4C:C4:DA:99:3C:FB:4E:03:CB:B0:C6:C2:DE:EC:B6:53:47:F1:0A:54:EE:CA:A3:F9:81:3C:F5:8D:13:E9:71:67:CA:BF:C2:E4:0B:4C:3A:17:37:D3:7D:B7:F0:38:30:2E:4C:45:F1:F8:EC:1E:1D:6E:B9:3E:F4:95:80:3B:4A:A7:5E:41:41:D3:4C:D8:3F:7B:A0:02:FC:E8:13:A2:DF:50:6F:70:D3:28:19:E0:86:69:C9:EF:EB:1E:41:74:F7:6F:3F:83:C2:24:F2:BD:64:13:11:1C:B0:20:ED:62:C3:AB:E9:53:72:DF:4E:F3:81:87:F9:39:B9:83:5A:AB:AF:97:3D:E0:4B:10:08:00:4C:4B:EB:D5:84:29:17:96:DC:F0:1D:20:4B:54:27:C9:B9:C9:D3:B6:5A:38:C5:E3:AB:DD:76:19:0E:7A:69:BC:B7:69:C4:46:FC:82:85" <read-only>
publicKeyAlgorithm="RSA" <read-only>
serialNumber="5A:EB:75:C0:65:03:65:B3" <read-only>
signatureAlgorithm="sha256WithRSAEncryption" <read-only>
subject="OU=BUCI DUAC NAM,O=ERICSSON,C=SE,CN=SELIITHLR00008-oam" <key> <read-only>
validFrom="2018-01-12T07:29:18Z" <read-only>
validTo="2020-01-12T07:29:18Z" <read-only>
version="Version 3" <read-only>
enrollmentProgress <read-only>
actionId=0 <read-only>
actionName="startOnlineEnrollment" <read-only>
additionalInfo=[] <empty> <read-only>
progressInfo="" <read-only>
progressPercentage=100 <read-only>
result=SUCCESS <read-only>
resultInfo="installed from the online service" <read-only>
state=FINISHED <read-only>
timeActionCompleted="2018-01-12T07:59:24Z" <read-only>
timeActionStarted="2018-01-12T07:59:23Z" <read-only>
timeOfLastStatusUpdate="2018-01-12T07:59:24Z"
(NodeCredential=1)>

Note: <OTP set for the PKI entity created> is the One-Time Password (OTP)
for the PKI End Entity created (during Step 4) through the PKI Management
GUI.

Ensure that the enrollment progress is fully completed. To verify it, run
the command:

show enrollmentProgress

10. Update the <Ldap=1> MO with the new NodeCredential MO details.

a. Navigate to the <Ldap=1> MO of the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

b. Configure <Ldap=1> MO with the new NodeCredential MO details:

(Ldap=1)>configure
(config-Ldap=1)>nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
(config-Ldap=1)>trustCategory="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
(config-Ldap=1)>commit
(Ldap=1)>show -v
Ldap=1
baseDn="dc=ieatlms5589,dc=com"
bindDn="cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
bindPassword="1:EG5ukQoVKgSBjFCDM7AgwFAgpThShQGm"
fallbackLdapIpAddress="131.160.129.59"
ldapId="1"
ldapIpAddress="131.160.129.60"
nodeCredential="ManagedElement=NE_NAME,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
trustCategory="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
profileFilter=ERICSSON_FILTER
serverPort=636

Reconfigure LDAP Credentials to use ENM LDAP Server

11. Run the command in ENM CLI to retrieve LDAP configuration details:

secadm ldap configure --manual

Figure 12 LDAP Configuration Settings

12. Log on the node to access the Node CLI.

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
....input TS User password

13. Navigate to the <Ldap=1> MO of the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

14. Configure the LDAP MO details as described using values retrieved from Step
10.


(Ldap=1)>
(Ldap=1)>configure
(config-Ldap=1)>baseDn="dc=ieatlms5223,dc=com"
(config-Ldap=1)>bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
(config-Ldap=1)>fallbackLdapIpAddress="131.160.128.123"
(config-Ldap=1)>ldapIpAddress="131.160.128.124"
(config-Ldap=1)>bindPassword="TLnH6ywUvNHWrAvdeHzZzswS" cleartext
(config-Ldap=1)>nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
(config-Ldap=1)>commit
(Ldap=1)>show -v
Ldap=1
baseDn=" dc=ieatlms5223,dc=com"
bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
bindPassword="1:36OpqTK3HCo9zjV46dm1HmnQcIrXImn"
fallbackLdapIpAddress="131.160.128.123"
ldapId="1"
ldapIpAddress="131.160.128.124"
nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=636
tlsMode=LDAPS
trustCategory="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
useReferrals=false <default>
userLabel="LDAP based login authentication"
useTls=true
EricssonFilter=1
Filter=1
(Ldap=1)>

Note: NodeCredential=2 must have ENM certificates as part of the Node
Configuration section.

15. Verify that <LDAP=1> MO has serverPort value as 1636 on node.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
(Ldap=1)>show -v
Ldap=1
baseDn="dc=oss123,dc=com"
bindDn="cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
bindPassword="1:EG5ukQoVKgSBjFCDM7AgwFAgpThShQGm"
fallbackLdapIpAddress="10.23.34.57"
ldapId="1"
ldapIpAddress="10.23.34.56"
nodeCredential="ManagedElement=NE_NAME,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=1636

If serverPort value is not 1636, configure the value:

(Ldap=1)>configure
(config-Ldap=1)>serverPort=1636
(config-Ldap=1)>commit

16. Verify that the <mmlAuthorizationMethod> attribute in the
<MmlAuthorizationM=1> MO is set to CPUSER and that these roles exist.

— SystemAdministrator


— SystemSecurityAdministrator

— EricssonSupport

— CpRole0

Note: CpRole0 is created first in ENM using the Role Management
application.

For the roles that are applied, ensure that Assign Target Groups is set to ALL:

Figure 13

Results
ENM LDAP user for HLR-FE is now able to access HLR-FE node. The LDAP user
must have the roles added in the procedure.

6.8.7 Offline Enrollment Procedure for HLR-FE Node


This procedure describes how to perform offline enrollment of HLR-FE node.

Note: For all nodes that support offline enrollment, an alarm must be
configured for certificate expiry notification so that the user can renew
the certificate before it expires.

Prerequisites

— ADMINISTRATOR role to access the ENM CLI.

— Knowledge of Configuring MOs on the node.

— HLR-FE node version is 18.1 or higher.

— TS (Troubleshooter) user credentials to access the NE.

— An LDAP user must be created using the User Management application with
the important roles mentioned in Step 17.

— ENM CAs must be added to HLR-FE node: see the section Add ENM CAs to
HLR-FE Node on page 114.

Steps

The offline procedure is based on three main steps:


— End Entity creation and credential generation from ENM.

— Node configuration.


— Reconfigure LDAP credentials to use ENM LDAP server.

End Entity creation and credential generation

End Entities (EE) of the PKI System are the end users who get credentials from
the ENM PKI System and use it for communication with other ENM systems. End
Entity must be created in the PKI system.

To generate credentials, each End Entity is mapped to an Entity Profile (EP)
which defines the Certificate Authority (CA).

For more information about entity and profiles, see the section ENM PKI
Concepts of the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8].

1. Launch ENM CLI from ENM Launcher.

2. Check Entity Profile.


List all entity profiles already present in ENM PKI system:

pkiadm pfm --list -type entity

Output example:

Figure 14


The highlighted profile is the default profile used when OAM Enrollment is
performed for HLR-FE nodes.

3. Prepare the XML file for End Entity creation.


A different End Entity must be created for each HLR-FE Node.

The End Entities are created starting from an XML file. The template for the
XML file is the following:

<?xml version="1.0"?>
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>NetworkElementID-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCIDUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>NetworkElementID-oam</Value>
        </SubjectField>
      </Subject>
      <OTP>Ericsson04</OTP>
      <OTPCount>5</OTPCount>
    </EntityInfo>
    <OTPValidityPeriod>300</OTPValidityPeriod>
  </Entity>
</Entities>

During the XML file creation, the following rules must be applied.

— In the <EntityInfo> tag, the <Name> must be <NetworkElementID-oam>.

The NetworkElementID is the identifier that the user must use at the
end of this procedure when the HLR-FE node is added in ENM.

— In the <EntityInfo><SubjectField> tag, the <Value> must be
<NetworkElementID-oam>.

The NetworkElementID is the identifier that the user must use at the
end of this procedure when the HLR-FE node is added in ENM.

Save the created XML file.

The suggested name for the file is EE_<NetworkElementID>-oam.xml.

Note: Values for these XML fields can be fetched from the ENM Site
Engineering Document; see Security Reference List on page 459.
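As an added example (not part of the Ericsson guide), the following Python script renders the End Entity XML above for one node, checks the naming rules of this step, and derives the subjectName that the NodeCredential MO must carry (the note in Step 9 of the online procedure requires it to equal the End Entity's Subject DN), comparing DNs independently of RDN order because the node prints certificateContent in a different order than subjectName. The profile name, subject values and OTP are constructed placeholders, not values from any real deployment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed values for this example only; in a real deployment the profile
# name and the subject fields come from the Site Engineering Document (SED).
ENTITY_PROFILE = "DUSGen2OAM_CHAIN_EP"
SUBJECT_FIELDS = [("ORGANIZATION", "ERICSSON"),
                  ("ORGANIZATION_UNIT", "BUCI DUAC NAM"),
                  ("COUNTRY_NAME", "SE")]
# PKI subject field type -> attribute type used in the node's subjectName.
RDN_TYPE = {"ORGANIZATION": "O", "ORGANIZATION_UNIT": "OU",
            "COUNTRY_NAME": "C", "COMMON_NAME": "CN"}


def build_entity_xml(network_element_id, otp, key_size=2048,
                     otp_count=5, otp_validity=300):
    """Render the End Entity XML of the guide's template for one HLR-FE node.

    Applies the naming rule: EntityInfo/Name and the COMMON_NAME subject
    field are both '<NetworkElementID>-oam'.
    """
    ee_name = f"{network_element_id}-oam"
    fields = SUBJECT_FIELDS + [("COMMON_NAME", ee_name)]
    subject = "".join(
        f"        <SubjectField>\n          <Type>{t}</Type>\n"
        f"          <Value>{v}</Value>\n        </SubjectField>\n"
        for t, v in fields)
    return (
        '<?xml version="1.0"?>\n'
        '<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">\n'
        "  <Entity>\n"
        "    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>\n"
        f'    <EntityProfile Name="{ENTITY_PROFILE}"/>\n'
        "    <KeyGenerationAlgorithm>\n"
        "      <Name>RSA</Name>\n"
        f"      <KeySize>{key_size}</KeySize>\n"
        "    </KeyGenerationAlgorithm>\n"
        "    <Category>\n      <Modifiable>true</Modifiable>\n"
        "      <Name>NODE-OAM</Name>\n    </Category>\n"
        "    <EntityInfo>\n"
        f"      <Name>{ee_name}</Name>\n"
        f"      <Subject>\n{subject}      </Subject>\n"
        f"      <OTP>{otp}</OTP>\n"
        f"      <OTPCount>{otp_count}</OTPCount>\n"
        "    </EntityInfo>\n"
        f"    <OTPValidityPeriod>{otp_validity}</OTPValidityPeriod>\n"
        "  </Entity>\n</Entities>\n")


def validate_entity_xml(xml_text):
    """Return the rule violations found in an End Entity file (empty if OK)."""
    problems = []
    for entity in ET.fromstring(xml_text).findall("Entity"):
        name = entity.findtext("EntityInfo/Name", default="")
        if not name.endswith("-oam"):
            problems.append(f"EntityInfo/Name {name!r} must be <NetworkElementID>-oam")
        cns = [sf.findtext("Value")
               for sf in entity.findall("EntityInfo/Subject/SubjectField")
               if sf.findtext("Type") == "COMMON_NAME"]
        if cns != [name]:
            problems.append(f"COMMON_NAME {cns} must equal EntityInfo/Name {name!r}")
        profile = entity.find("EntityProfile")
        if profile is None or not profile.get("Name"):
            problems.append("EntityProfile Name is missing")
        if int(entity.findtext("KeyGenerationAlgorithm/KeySize", default="0")) < 2048:
            problems.append("RSA KeySize must be at least 2048")
        if not entity.findtext("EntityInfo/OTP"):
            problems.append("OTP is missing; it is the challengePassword of startOnlineEnrollment")
    return problems


def node_subject_name(xml_text):
    """Derive the subjectName for the NodeCredential MO from the End Entity subject.

    Attribute order follows the subjectName shown in the guide (CN, C, O, OU).
    """
    entity = ET.fromstring(xml_text).find("Entity")
    rdns = {RDN_TYPE[sf.findtext("Type")]: sf.findtext("Value")
            for sf in entity.findall("EntityInfo/Subject/SubjectField")}
    return ",".join(f"{t}={rdns[t]}" for t in ("CN", "C", "O", "OU") if t in rdns)


def dn_equal(dn_a, dn_b):
    """Compare two DNs as unordered sets of RDNs.

    The node prints certificateContent with the RDNs in a different order
    than subjectName, so a plain string comparison would report a mismatch.
    """
    def rdn_set(dn):
        out = set()
        for part in re.split(r"(?<!\\),", dn):   # split on unescaped commas only
            attr_type, _, value = part.partition("=")
            out.add((attr_type.strip().upper(), value.strip()))
        return out
    return rdn_set(dn_a) == rdn_set(dn_b)
```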

4. Create the End Entity.


Drag and drop the XML file created in Step 3 into the ENM CLI and run the
command to create the End Entity:

pkiadm etm -c -xf file:EE_MSCSRV054AP1-oam.xml

pkiadm etm -c -xf file:EE_hlr-fe_oam.xml

5. Verify the End Entity creation.


List all the End Entities in the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.

The End Entity must be created with name <NetworkElementID-oam> and its
status is NEW. In the example, there is the End Entity related to
<HLR-FE Node NE_NAME>:

Figure 15

6. Generate End Entity credential.


Run the command to generate the End Entity credential and package it in
a P12 file. The P12 file contains the corresponding private key of the End
Entity:

pkiadm ctm EECert -gen -nocsr -en testingHLR-FE01-oam -f P12 --password <password>


In the previous command, <testingHLR-FE01-oam> is the name of the entity
created in Step 4.

Note: <password> can be anything and this is only needed for generating
P12 file.

Copy the P12 file generated in the previous step to the /tmp directory on
the ENM management server.

Node Configuration

This part describes the configuration of the NodeCredential MO in the BSC,
MSC, and HLR-FE.

7. Use the WinFiol application to access the Node CLI.

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
....input TS User password

8. Navigate to the CertM MO of the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1

9. Execute the show command on the CertM MO to display the installed
NodeCredentials on the NE.

(CertM=1)>show
CertM=1
localFileStorePath="certificates"
CertMCapabilities=1
EnrollmentAuthority=1
EnrollmentServerGroup=1
NodeCredential=1
TrustCategory=1
TrustedCertificate=1
TrustedCertificate=2

10. Create NodeCredential MO.

a. Navigate to the <NodeCredential=1> MO of the node by tabbing out each
comma-separated MO:

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1

b. Create the NodeCredential=2 MO and install the new P12 certificate:

(NodeCredential=1)>installCredentialFromUri sftp://root@LMS_IP/tmp/NE_NAME-oam.p12 <LMS Password> <Password of P12 file> NULL
true
(NodeCredential=1)>show enrollmentProgress
enrollmentProgress
actionId=0
actionName="installCredentialFromUri"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the container file"
state=FINISHED
timeActionCompleted="2017-08-05T12:37:36Z"
timeActionStarted="2017-08-05T12:37:36Z"
timeOfLastStatusUpdate="2017-08-05T12:37:36Z"
(NodeCredential=1)>

or

The node credential certificate can be downloaded, transferred to the node
with SFTP, and installed using a file:// URI or SFTP.

The new node credential has to be first uploaded on the node file
system, in the folder /certificates:

(CertM=1)>NodeCredential=2
(NodeCredential=1)>configure
(config-NodeCredential=2)>installCredentialFromUri NE_NAME-oam.p12 NULL <Password of P12 file> NULL
true
(config-NodeCredential=2)>show enrollmentProgress
enrollmentProgress
actionId=0
actionName="installCredentialFromUri"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the container file"
state=FINISHED

Note: The password of the P12 file is the same password used for
creating the P12 file.

Make sure that the enrollment progress is 100 percent completed. To verify
it, the command show enrollmentProgress can be used.

11. Update the <Ldap=1> MO with the new NodeCredential MO details:

a. Navigate to the <Ldap=1> MO of the node by tabbing out each
comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

Note: Before navigating to the Ldap=1 MO of the node, make sure that the
attribute administrativeState is UNLOCKED under the
LdapAuthenticationMethod=1 MO.

(LdapAuthenticationMethod=1)>show
LdapAuthenticationMethod=1
administrativeState=UNLOCKED
Ldap=1


b. Configure <Ldap=1> MO with the new NodeCredential MO details:

>dn -m Ldap
ManagedElement=CEMSS07,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=
(Ldap=1)>configure
(config-Ldap=1)>baseDn="dc=example,dc=com"
(config-Ldap=1)>bindDn="cn=comproxy,ou=proxyagent,ou=com,dc=example,dc=com"
(config-Ldap=1)>bindPassword=Password cleartext
(config-Ldap=1)>ldapIpAddress=10.44.77.13
(config-Ldap=1)>fallbackLdapIpAddress=10.44.77.16
(config-Ldap=1)>useReferrals=true
(config-Ldap=1)>trustCategory="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
(config-Ldap=1)>nodeCredential="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
(config-Ldap=1)>EricssonFilter=1
(config-EricssonFilter=1)>roleAliasesBaseDn="ou=rolealias,ou=com,dc=example,dc=com"
(config-EricssonFilter=1)>version=2
(config-EricssonFilter=1)>up
(config-Ldap=1)>up
(config-LdapAuthenticationMethod=1)>up
(config-UserManagement=1)>targetType="SELIITHLR00008,BSC,London"
(config-UserManagement=1)>LdapAuthenticationMethod=1
(config-LdapAuthenticationMethod=1)>administrativeState=UNLOCKED
(config-UserManagement=1)>commit

Reconfigure LDAP credentials to use ENM LDAP server

This part describes how to reconfigure the LDAP credentials on the HLR-FE to
use the ENM LDAP server.

12. Retrieve LDAP configuration details.

secadm ldap configure --manual

13. Log on the node to access the Node CLI.

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
....input TS User password

14. Navigate to the <Ldap=1> MO of the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

15. Configure the LDAP MO details as described using values retrieved from Step
1.

(Ldap=1)>
(Ldap=1)>configure
(config-Ldap=1)>baseDn="dc=ieatlms5589,dc=com"
(config-Ldap=1)>bindDn="cn=ProxyAccount_19,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
(config-Ldap=1)>fallbackLdapIpAddress="131.160.129.59"
(config-Ldap=1)>ldapIpAddress="131.160.129.60"
(config-Ldap=1)>bindPassword="gfu94ncy" cleartext
(config-Ldap=1)>nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
(config-Ldap=1)>commit
(Ldap=1)>show -v
Ldap=1
baseDn=" dc=ieatlms5589,dc=com"
bindDn="cn=ProxyAccount_19,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
bindPassword="1:36OpqTK3HCo9zjV46dm1HmnQcIrXImn"
fallbackLdapIpAddress="131.160.129.59"
ldapId="1"
ldapIpAddress="131.160.129.60"
nodeCredential="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=636
tlsMode=LDAPS
trustCategory="ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
useReferrals=false <default>
userLabel="LDAP based login authentication"
useTls=true
EricssonFilter=1
Filter=1
(Ldap=1)>

Note: NodeCredential=2 should have ENM certificates as part of the Node
Configuration section on page 110.

16. Verify that the <Ldap=1> MO has serverPort value as 1636 on the node:

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
(Ldap=1)>show -v
Ldap=1
baseDn="dc=oss123,dc=com"
bindDn="cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=ieatlms5589,dc=com"
bindPassword="1:EG5ukQoVKgSBjFCDM7AgwFAgpThShQGm"
fallbackLdapIpAddress="10.23.34.57"
ldapId="1"
ldapIpAddress="10.23.34.56"
nodeCredential="ManagedElement=NE_NAME,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=1636

If serverPort value is not 1636, configure the value:

(Ldap=1)>configure
(config-Ldap=1)>serverPort=1636
(config-Ldap=1)>commit
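As an added example (not from the Ericsson guide), the following Python snippet parses the show -v output of the Ldap MO, as displayed in Step 16 here and in Step 15 of the online procedure, and checks the values the guide asks you to verify: serverPort 1636, TLS (useTls/tlsMode) towards the ENM LDAP server, nodeCredential pointing at NodeCredential=2 of this node and a trustCategory under the same CertM=1. Two further consistency checks (bindDn lies under baseDn, primary and fallback addresses differ) are my own additions, and the sample output, node name and addresses are constructed.

```python
import re

# Constructed 'show -v' output of the Ldap MO, modelled on the guide's
# examples; the NE name, DNs, addresses and bindPassword are placeholders.
SAMPLE_LDAP_SHOW = """\
Ldap=1
baseDn="dc=example,dc=com"
bindDn="cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=example,dc=com"
bindPassword="1:EXAMPLE_ENCRYPTED_VALUE"
fallbackLdapIpAddress="10.23.34.57"
ldapId="1"
ldapIpAddress="10.23.34.56"
nodeCredential="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
profileFilter=ERICSSON_FILTER
serverPort=1636
tlsMode=LDAPS
trustCategory="ManagedElement=SELIITHLR00008,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
useReferrals=false <default>
userLabel="LDAP based login authentication"
useTls=true
EricssonFilter=1
Filter=1
"""

EXPECTED_PORT = "1636"   # the value the guide tells you to verify
# Attribute names start lower-case; MO names (Ldap=1, EricssonFilter=1) start
# upper-case and prompts start with '(' so neither matches this pattern.
ATTR_LINE = re.compile(r"^([a-z][A-Za-z0-9]*)=(.*)$")


def parse_show_v(text):
    """Turn the attribute lines of a COM CLI 'show -v' dump into a dict.

    Flags such as <default> and <read-only> are dropped and surrounding
    quotes removed; the MO header, prompts and child MO lines are skipped.
    """
    attrs = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        value = re.sub(r"\s*<[^>]+>", "", value).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[key] = value
    return attrs


def check_ldap_mo(attrs, ne_name):
    """Check the parsed Ldap MO against the guide's expected values plus two
    consistency checks; returns a list of findings (empty when all pass)."""
    findings = []
    certm = f"ManagedElement={ne_name},SystemFunctions=1,SecM=1,CertM=1"
    if attrs.get("serverPort") != EXPECTED_PORT:
        findings.append(f"serverPort is {attrs.get('serverPort')!r}, expected {EXPECTED_PORT}")
    if attrs.get("useTls") != "true" or attrs.get("tlsMode") != "LDAPS":
        findings.append("useTls/tlsMode must be true/LDAPS so the bind is protected by TLS")
    if attrs.get("nodeCredential") != f"{certm},NodeCredential=2":
        findings.append("nodeCredential must reference NodeCredential=2 of this node")
    if not attrs.get("trustCategory", "").startswith(f"{certm},TrustCategory="):
        findings.append("trustCategory must reference a TrustCategory under this node's CertM=1")
    base_dn = attrs.get("baseDn", "").strip()
    bind_dn = attrs.get("bindDn", "").strip()
    if not base_dn or not bind_dn.lower().endswith(base_dn.lower()):
        findings.append(f"bindDn {bind_dn!r} is not under baseDn {base_dn!r}")
    primary, fallback = attrs.get("ldapIpAddress"), attrs.get("fallbackLdapIpAddress")
    if not primary or not fallback or primary == fallback:
        findings.append("ldapIpAddress and fallbackLdapIpAddress must both be set and differ")
    return findings
```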

17. Verify that the <mmlAuthorizationMethod> attribute in the
<MmlAuthorizationM=1> MO is set to CPUSER or COCA.

In Single-CP system, it can be based either on CPUSER or on COCA groups.

In Multi-CP system, it is based only on COCA groups.

>ManagedElement=SELIITHLR00008,SystemFunctions=1,AxeFunctions=1,SecurityHand →
ling=1,MmlAuthorizationM=1
(MmlAuthorizationM=1)>show -v
MmlAuthorizationM=1
ignoreCpSuperUserRole=false <default> <read-only>
ignoreCpUserRoles=false <default> <read-only>
mmlAuthorizationMethod=CPUSER
mmlAuthorizationMId="1"
MmlRole=CpRole4
(MmlAuthorizationM=1)>

Other roles that can be used are:

— SystemAdministrator

— SystemSecurityAdministrator

— EricssonSupport

— SystemReadOnly

— CpRole0

Note: CpRole0 must be created first in ENM using the Role Management application.

For all the roles that are applied, ensure that Assign Target Groups is set to ALL:

Figure 16

Results
The ENM LDAP user for HLR-FE is now able to access the HLR-FE node.

6.8.7.1 Add ENM CAs to HLR-FE Node

Prerequisites
No prerequisites.

Node Certificate Administrative Tasks

Steps

1. Launch ENM CLI and run the commands to obtain the Trust Distribution
Point Service (TDPS) URL for each of the four required ENM CA certificates.
These certificates are used later to download the ENM CA certificates to the
node.

pkiadm trustmgmt --list --entitytype ca --entityname ENM_PKI_Root_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_Infrastructure_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_OAM_CA

pkiadm trustmgmt --list --entitytype ca --entityname NE_OAM_CA

2. Use the WinFiol application to access the Node CLI:

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>

3. Navigate to the CertM MO of the node.

4. Install the certificate.

Run the installTrustedCertFromUri command on the node for each of the three ENM CA certificates.

This command requires three parameters:

— TDPS URL of the ENM CA certificate to be downloaded.

— URL password (if no password is required, the NULL string can be provided).

— CA fingerprint (the NULL string can be provided).

(CertM=1)>installTrustedCertFromUri <TDPS URL> NULL NULL

Alternatively, the trust certificates can be downloaded, transferred to the node with SFTP, and installed using a file:// URI or SFTP.

In the offline enrollment procedure, the file cacert.pem is expected to be in the /certificates folder on the node file system.

>configure
(config)>dn -m CertM
ManagedElement=CEMSS07,SystemFunctions=1,SecM=1,CertM=1
(config-CertM=1)>installTrustedCertFromUri cacert.pem NULL NULL
true
(config-CertM=1)>show
localFileStorePath="certificates"
userLabel="Certificate Management"
reportProgress
actionId=0
actionName="installTrustedCertFromUri"
additionalInfo
"TrustedCertificate=1"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the certificate file"
state=FINISHED
(config-CertM=1)>TrustCategory=1
(config-TrustCategory=1)>trustedCertificates="ManagedElement=CEMSS07,SystemFunctions=1,SecM=1,Cer
(config-TrustCategory=1)>commit -s

5. Execute the show command on the CertM MO to display the installed trusted certificates on the node.

6. Navigate to the TrustCategory=1 MO and add the ENM CA certificates installed in step 4 to the NE TrustCategory=1.

7. Commit the changes to the TrustCategory=1 MO to add the ENM CA certificates.

8. Verify that the TrustCategory has been updated correctly.

Navigate to TrustCategory and execute the show command to verify that all the certificates are added.

6.8.8 Offline Enrollment Procedure for DSC Node

This procedure describes how to perform offline enrollment of a DSC node.

The two offline enrollment options that ENM PKI supports for the DSC node are:

— CSR-Based Offline Enrollment (PKCS#10).

— Container-Based Offline Enrollment (PKCS#12).

Note: For all nodes that support offline enrollment, an alarm has to be configured for certificate expiry notification so that the user can renew the certificate in time.

Prerequisites

— The End Entity (EE) name is defined in the following format:

• <node-name>-oam for OAM

• <node-name>-ipsec for IPSec

If the EE name is not in this format, it is not possible to reissue the certificate for the End Entity.

— Refer to PKCS#10 (RFC 2986, https://www.ietf.org/rfc/rfc2986.txt) for more information.

— Refer to PKCS#12 (RFC 7292, https://tools.ietf.org/html/rfc7292) for more information.

— A valid EE must be created in ENM PKI before performing the offline enrollment for the node. In this case, the End Entity is the node.

— For creation of the End Entity, see the section Entity Management Tasks of the document ENM Public Key Infrastructure System Administrator Guide, Reference [8].

Generate or Renew Certificate Using PKCS#12

To generate and renew the certificate, see the section Certificate Management Tasks of the document ENM Public Key Infrastructure System Administrator Guide, Reference [8].

The user must transfer the p12 file to the SFTP server to complete the offline enrollment procedure. See the Node CPI for offline enrollment procedures, Reference [16].

Note: After the certificate is installed successfully on the node, for both CSR- and Container-based Offline Enrollment, it is recommended to revoke the old certificate in ENM PKI.

Node Certificate Revocation

When a certificate for a DSC node is revoked, the serial number of that certificate is added to the CRL of the CA that issued it. For node certificate revocation, see the section PKI Revocation Management Task of the document ENM Public Key Infrastructure System Administrator Guide, Reference [8].

6.8.9 Online Enrollment Procedure for (v)BSC Node

Use this procedure to perform online enrollment of a GSM BSC node.

Prerequisites

— Cmedit_Administrator, Security_Administrator, NodeSecurity_Administrator, and PKI_EE_Administrator roles to access the ENM CLI.

— Knowledge of configuring MOs on the node.

— BSC node version is 18.A or higher.

— TS (Troubleshooter) user credentials to access the NE.

— An LDAP user must be created using the User Management application with the roles listed in Step 7.

— vBSC node version is 21.Q4 or higher.

Steps

The online procedure is based on the following main steps:

— End Entity Creation and Credential Generation from ENM.

— Creation of ENM LDAP User for BSC Node.

— Online Enrollment URI IP from ENM Server.

— LDAP Details from ENM CLI.

— Trust Certificates Installation.

— Node Configuration.

— Reconfigure LDAP Credentials to use ENM LDAP Server.

End Entity Creation and Credential Generation

End Entities (EE) of the PKI system are the end users who get credentials from the ENM PKI system and use them for communication with other ENM systems. End Entities must be created in the PKI system.

To generate credentials, each End Entity is mapped to an Entity Profile (EP), which defines the Certificate Authority (CA).

For more information about entities and profiles, see the section ENM PKI Concepts of the document ENM Public Key Infrastructure System Administrator Guide, Reference [8].

1. Launch ENM CLI from ENM Launcher.

2. Check Entity Profile.

List all entity profiles already present in the ENM PKI system:

pkiadm pfm --list -type entity

Example
In the example, the highlighted profiles must be available in the command output.

Figure 17

The highlighted profile is the default profile used when OAM Enrollment is performed for BSC nodes.

Note: The PKI End Entity can be created either as in Step 3 or as in Step 4.

3. Create PKI End Entity (through ENM CLI).

A different EE must be created for each BSC node.

The EEs are created starting from an XML file. The template for the XML file is the following:

<?xml version="1.0"?>
<Entities xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>NetworkElementID-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>NetworkElementID-oam</Value>
        </SubjectField>
      </Subject>
      <OTP>Ericsson01</OTP>
      <OTPCount>5</OTPCount>
    </EntityInfo>
    <OTPValidityPeriod>300</OTPValidityPeriod>
  </Entity>
</Entities>

During the XML file creation, these rules must be applied:

— In the <EntityInfo> tag, the <Name> must be <NetworkElementID>-oam.

The <NetworkElementID> is the identifier that the user must use at the end of this procedure, when the BSC node is added in ENM.

— In the <EntityInfo><SubjectField> tag for COMMON_NAME, the <Value> must be <NetworkElementID>-oam.

The <NetworkElementID> is the identifier that the user must use at the end of this procedure when the BSC node is added in ENM.

— In the <OTP> tag, the Password is needed to perform the startOnlineEnrollment action on the node.

— The <OTPCount> tag represents how many times this password can be used.

— The <OTPValidityPeriod> tag represents the validity period of the OTP. This value must be provided in minutes, counted from the time when the enrollment is triggered on the node.

Save the created XML file. The suggested name for the file is EE_<NetworkElementID>-oam.xml.

Note: Check the <NetworkElementID> in the APG model and create the End Entity profile accordingly.

Drag and drop the created XML file into the ENM CLI and run the following command to create the End Entity:

pkiadm etm -c -xf file:BSC028-oam.xml

4. Create the End Entity from the PKI Entity Management application.

a. Navigate to the ENM PKI Entity Management application.
b. Click Create End Entity and select PKI End Entity.
c. Fill in the details as per the XML file described in Step 3.
d. Enter the OTP details.
e. Click Save.

5. Verify the End Entity Creation.

Verify that the End Entity has been created by listing all the End Entities in the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.

The End Entity must be created with name <NetworkElementID>-oam and its status is NEW. In the following example, the End Entity is related to <BSC Node NE_NAME>:

Figure 18

Creation of ENM LDAP User for BSC Node

6. Create a COM Role.

If the roles are not present, they must be created first in ENM. If the roles are already present, go to Step 7.

a. Navigate to the Role Management GUI.
b. Create a role with Role Type = COM Role.

7. Create an ENM LDAP User.

a. Navigate to the User Management GUI.
b. Create a user and assign the following roles:

— SystemAdministrator

— SystemSecurityAdministrator

— EricssonSupport

— BscApplicationAdministrator

— SystemReadOnly

— CpRole0

For all the roles that are applied to the user, the Target Groups can be set to ALL, based on user requirements.

For example:

Figure 20

Online Enrollment URI IP from ENM Server

The online enrollment URI IP can be retrieved by the following steps.

8. Read the IP address parameters sbLoadBalancerIPv4Address and sbLoadBalancerIPv6Address.

See View and Modify Configuration Parameters on page 12 to execute the read action.

LDAP Details from ENM CLI

9. Retrieve LDAP Configuration Details.

secadm ldap configure --manual

Figure 21 LDAP Configuration Settings

10. Launch ENM CLI.

11. Run the following command to obtain the Trust Distribution Point Service (TDPS) URLs for each of the three required ENM CA certificates. The TDPS URLs are used to download the ENM CA certificates to the node.

pkiadm trustmgmt --list --entitytype ca --entityname ENM_PKI_Root_CA
pkiadm trustmgmt --list --entitytype ca --entityname ENM_Infrastructure_CA
pkiadm trustmgmt --list --entitytype ca --entityname ENM_OAM_CA
pkiadm trustmgmt --list --entitytype ca --entityname NE_OAM_CA

The output is:

Figure 22

12. Download the ENM CA certificates from their TDPS URLs.

a. Log on to the node to access the Node CLI.

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>

b. Navigate to the CertM MO of the node.

Tab out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1

c. Download the TDPS certificate of each ENM CA.

Run the following command on the node, for each CA:

ENM_PKI_Root_CA:

(config-CertM=1)>installTrustedCertFromUri --uri "<ENM PKI Root CA TDPS URI>" --fingerprint NULL --uriPassword NULL

ENM_Infrastructure_CA:

(config-CertM=1)>installTrustedCertFromUri --uri "<ENM Infrastructure CA TDPS URI>" --fingerprint NULL --uriPassword NULL

ENM_OAM_CA:

(config-CertM=1)>installTrustedCertFromUri --uri "<ENM OAM CA TDPS URI>" --fingerprint NULL --uriPassword NULL

NE_OAM_CA:

(config-CertM=1)>installTrustedCertFromUri --uri "<NE OAM CA TDPS URI>" --fingerprint NULL --uriPassword NULL

d. Check the progress of the Trusted Certificates installation under the CertM MO.

(config-CertM=1)>show
localFileStorePath="certificates"
userLabel="Certificate Management"
reportProgress
actionId=0
actionName="installTrustedCertFromUri"
additionalInfo
"TrustedCertificate=13"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the certificate file"
state=FINISHED
timeActionCompleted="2012-10-17T11:34:56"
timeActionStarted="2012-10-17T11:34:56"
timeOfLastStatusUpdate="201

Note: Make sure that the enrollment progress is 100 percent completed. To verify this, use the show command.

e. Check the Trusted Certificate content for one of the CAs.

(CertM=1)>TrustedCertificate=13
(TrustedCertificate=13)>show
TrustedCertificate=13
certificateState=VALID
reservedBy
"ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1"
certificateContent="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_PKI_Root_CA"
extensionContent
"X509v3 Basic Constraints:CA:TRUE"
"X509v3 Key Usage:Certificate Sign, CRL Sign"
"X509v3 Subject Key Identifier:08:66:71:94:6E:05:FD:53:46:24:C5:7B:AB:8E:AF:2E:0F:F5:16:6D"
issuer="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_PKI_Root_CA"
keyUsage="Certificate Sign, CRL Sign"
publicKey="8C:4C:56:5B:1B:37:E2:A1:B1:70:15:D2:BE:FC:2C:1E:79:09:14:F9:C4:5F:7C:1F:66:0C:B1:36:75:02:61:8C:F5:82:3E:CF:E9:AD:19:50:35:1D:FD:35:EB:76:94:57:90:CF:A1:C4:D3:06:52:76:DD:99:46:B2:77:D6:25:A3:6A:E6:68:B4:89:72:46:0E:69:42:73:BE:1B:F6:64:2D:24:8A:4D:28:5C:71:4C:EB:35:1A:7A:A1:01:28:4C:EE:59:CD:D4:11:19:E4:F0:A3:6D:67:72:AB:40:92:FC:3C:21:ED:F7:0D:72:44:56:68:57:F6:E7:3D:3E:D6:CB:C3:F3:F7:50:28:5A:FB:AA:29:ED:BE:C9:5C:CE:2A:89:44:31:22:35:84:66:9D:79:69:EB:BC:6A:01:29:81:A8:6B:B7:18:1D:48:E0:D7:80:64:CC:C1:D6:39:D7:B1:5F:75:DD:E6:AE:17:F5:E9:22:BD:48:49:47:4B:42:D2:91:6C:56:28:7E:41:4E:76:31:6E:49:7B:76:60:35:D9:82:67:57:D1:45:DE:F4:0C:DA:EC:EC:F9:BE:C9:69:C6:AF:75:34:32:49:EB:17:9A:2D:95:7A:B2:62:9D:A7:DD:C8:D4:E1:F5:8A:41:00:43:6C:04:0A:F6:38:7A:C1:3B:65:81"
publicKeyAlgorithm="RSA"
serialNumber="70:BD:99:75:22:BA:83:4F"
signatureAlgorithm="sha256WithRSAEncryption"
validFrom="2018-11-29T18:37:57Z"
validTo="2028-11-29T18:37:57Z"
version="Version 3"
(TrustedCertificate=13)>

A TrustCategory represents a group of trusted certificates that can be referenced by users.

The TrustCategory MO must be updated with the attribute trustedCertificates set to the DN of the TrustedCertificate MO.

f. Navigate to the TrustCategory=1 MO and add the ENM CA certificates, if the installed Trusted Certificates are not yet referenced.

(CertM=1)>TrustCategory=1
"ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=1"
(TrustCategory=1)>configure
(config-TrustCategory=1)>trustedCertificates="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=13"
(config-TrustCategory=1)>commit

g. Commit the changes to the TrustCategory=1 MO to add the ENM CA certificates.

h. Navigate to Trust Category and execute the show command to verify that all the certificates are added.

(TrustCategory=1)>show
TrustCategory=1
trustedCertificates
"ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=13"
(TrustCategory=1)>

Node Configuration

This section describes the configuration of the NodeCredential MO in the BSC.

For Online Enrollment, as preliminary node configuration, an EnrollmentAuthority MO with an EnrollmentServerGroup MO and at least one EnrollmentServer MO must be created.

a. The EnrollmentAuthority MO must be created under the CertM=1 MO by setting the attribute enrollmentCaCertificate to the DN of an existing TrustedCertificate MO representing the CA trusted certificate for the online enrollment server.

b. The EnrollmentServerGroup MO must be created under the CertM=1 MO and a new EnrollmentServer MO must be created in it, by setting the attributes protocol and uri.

The enrollmentAuthority attribute must be set to the DN of the previously created EnrollmentAuthority MO. The protocol attribute must be set to the value CMP, that is, the protocol type used for online enrollment. The uri attribute must be set according to the enrollment server configuration.

Once the EnrollmentServerGroup MO has been defined, a NodeCredential MO must be created under the CertM=1 MO by setting a few attributes. The following steps describe this configuration.

13. Log on to the node to access the Node CLI:

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
.... input the TS user password

14. Navigate to the CertM MO of the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1

15. Execute the show command on the CertM MO to display the installed NodeCredentials on the NE. The example shows one NodeCredential on the node.

(CertM=1)>show
CertM=1
localFileStorePath="certificates"
CertMCapabilities=1
EnrollmentAuthority=1
EnrollmentServerGroup=1
NodeCredential=1
TrustCategory=1
TrustedCertificate=1

16. Create a NodeCredential MO:

a. Navigate to CertM=1 and create the EnrollmentAuthority and EnrollmentServerGroup MOs:

(config)>dn -m CertM
ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1
(config-CertM=1)>EnrollmentAuthority=1
(config-EnrollmentAuthority=1)>enrollmentAuthorityName="OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=NE_OAM_CA"
(config-EnrollmentAuthority=1)>authorityType=REGISTRATION_AUTHORITY
(config-EnrollmentAuthority=1)>enrollmentCaCertificate="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=13"
(config-EnrollmentAuthority=1)>commit -s
(config-EnrollmentAuthority=1)>up

Note: Under the EnrollmentAuthority MO, enrollmentCaCertificate refers to the ENM_PKI_Root_CA entry of the Trusted Certificates.

(config-CertM=1)>EnrollmentServerGroup=1
(config-EnrollmentServerGroup=1)>commit -s
(config-EnrollmentServerGroup=1)>EnrollmentServer=1
(config-EnrollmentServer=1)>enrollmentAuthority="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1" <deprecated>
(config-EnrollmentServer=1)>protocol=CMP
(config-EnrollmentServer=1)>uri="http://131.160.146.36:8091/pkira-cmp/NE_OAM_CA/synch"
(config-EnrollmentServer=1)>commit -s
(config-EnrollmentServer=1)>top

Note: For the EnrollmentServer=1 MO, the URI IP can be determined by the steps for Online Enrollment URI IP from ENM Server.

b. Run the action startOnlineEnrollment.

To initiate the online enrollment procedure, run startOnlineEnrollment under the NodeCredential MO, specifying the initial shared password between the APG and the CA enrollment server.

The Operational Instruction AP, Certification Authority Trusted Certificate and Node Credential, Install describes the whole procedure to install a node credential on the APG through the online enrollment procedure.

Navigate to the CertM=1 MO, change to Configure mode, and execute the following commands to create the Node Credential.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1

(CertM=1)>configure
(config-CertM=1)>NodeCredential=1
(config-NodeCredential=1)>enrollmentAuthority="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1"
(config-NodeCredential=1)>enrollmentServerGroup="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,EnrollmentServerGroup=1"
(config-NodeCredential=1)>keyInfo=RSA_2048
(config-NodeCredential=1)>renewalMode=MANUAL
(config-NodeCredential=1)>subjectName="CN=BSC028-oam,C=SE,O=ERICSSON,OU=BUCI DUAC NAM"
(config-NodeCredential=1)>commit -s
(config-NodeCredential=1)>startOnlineEnrollment --challengePassword <OTP set for the PKI entity created>
true
(config-NodeCredential=1)>show
NodeCredential=ENM
certificateState=VALID
enrollmentAuthority="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1"
enrollmentServerGroup="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,EnrollmentServerGroup=1"
keyInfo=RSA_2048
subjectName="CN=BSC028-oam,C=SE,O=ERICSSON,OU=BUCI DUAC NAM"
certificateContent="OU=BUCI DUAC NAM,O=ERICSSON,C=SE,CN=BSC028-oam"
extensionContent
"X509v3 Authority Key Identifier:keyid:0D:33:C2:65:10:23:0F:4F:D2:D1:A4:21:5F:9E:6D:6A:B1:9A:FD:D3"
"X509v3 Basic Constraints:CA:FALSE"
"X509v3 CRL Distribution Points:Full Name:\n URI:http://131.160.146.36:8092/pki-cdps?ca_name=NE_OAM_CA&ca_cert_serialnumber=6da72586054653e8\n\nFull Name:\n URI:http://[2001:1b70:82a1:146:0:609:5324:43]:8092/pki-cdps?ca_name=NE_OAM_CA&ca_cert_serialnumber=6da72586054653e8"
"X509v3 Key Usage:Digital Signature, Key Encipherment, Key Agreement"
"X509v3 Subject Key Identifier:A4:36:A6:87:13:45:28:1F:93:CC:D9:B3:ED:84:54:2A:97:15:EC:FE"
issuer="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=NE_OAM_CA"
keyUsage="Digital Signature, Key Encipherment, Key Agreement"
publicKey="C5:1C:6D:F6:EB:69:20:3F:C9:D8:B8:B1:EF:FF:A5:69:E2:1F:55:A1:73:F7:8D:E4:FB:AF:9B:3E:42:A9:58:25:B0:7D:7B:85:BC:7C:FB:C4:18:10:81:CD:88:A8:4D:2F:8D:04:00:69:11:BA:00:76:18:DC:4B:7B:CF:13:0F:6B:24:07:75:57:5A:53:48:D4:63:5D:C9:2C:C8:AB:5C:9B:D8:6C:D0:FE:17:F8:9D:49:1E:2C:2D:E4:E7:DD:FE:77:D3:E8:A0:6C:7A:FD:93:50:6C:06:D0:AF:0C:3E:18:B4:F2:DE:DB:F2:FC:88:69:EA:92:D2:B5:FD:12:04:36:C7:75:4F:0C:0C:44:D3:38:FE:6E:52:54:A8:5F:83:FA:51:9C:56:39:45:34:DD:48:0B:B6:E9:B0:9A:69:08:E9:7C:DF:18:05:87:D0:71:ED:39:39:EE:2C:32:CB:54:5C:91:F3:D6:C0:A1:36:BB:25:27:2E:AD:CF:C9:59:29:27:61:3D:83:B5:3E:7F:85:60:F2:BF:39:E4:C0:0F:B7:36:D2:B5:B9:15:B6:BD:9E:2E:93:17:22:9F:1D:C0:97:9D:BC:CF:3F:1F:B7:4D:C1:EF:13:4B:AB:76:FD:3D:27:42:6B:0A:A4:6A:29:EB:75:5B:A4:B8:D6:CA:5F:EF:F5:62:27"
publicKeyAlgorithm="RSA"
serialNumber="0E:FF:70:C5:70:DE:67:D0"
signatureAlgorithm="sha256WithRSAEncryption"
validFrom="2019-02-18T12:14:43Z"
validTo="2021-02-18T12:14:43Z"
version="Version 3"
enrollmentProgress
actionId=0
actionName="startOnlineEnrollment"
additionalInfo
"warning: certificate chain is discontinuous"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the online service"
state=FINISHED
timeActionCompleted="2019-02-18T12:45:30Z"
timeActionStarted="2019-02-18T12:45:28Z"
timeOfLastStatusUpdate="2019-02-18T12:45:30Z"
ChainCertificate=2
ChainCertificate=1
ChainCertificate=3
(config-NodeCredential=ENM)>

Note: — Once the enrollment is successful, update the renewalMode to AUTOMATIC.

— The NodeCredential must be created with subjectName equal to the Subject DN defined in the ENM PKI EE.

— <OTP set for the PKI entity created> is the One-Time Password of the PKI End Entity created during Step 3 (or through the PKI Entity Management GUI in Step 4).

Make sure that the enrollment progress is 100 percent completed. To verify it, the command show enrollmentProgress can be used.

Reconfigure LDAP Credentials to use ENM LDAP Server

This procedure reconfigures LDAP credentials on the BSC to use ENM LDAP
server.

17. Navigate to the Ldap=1 MO in the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

18. Configure the LDAP MO details with the values retrieved in LDAP Details from ENM CLI.

(Ldap=1)>
(Ldap=1)>configure
(config-Ldap=1)>baseDn="dc=ieatlms5223,dc=com"
(config-Ldap=1)>bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
(config-Ldap=1)>fallbackLdapIpAddress="131.160.128.123"
(config-Ldap=1)>ldapIpAddress="131.160.128.124"
(config-Ldap=1)>bindPassword="TLnH6ywUvNHWrAvdeHzZzswS" cleartext
(config-Ldap=1)>serverPort=1636
(config-Ldap=1)>nodeCredential="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1"
(config-Ldap=1)>trustCategory="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
(config-Ldap=1)>commit
(Ldap=1)>show
Ldap=1
baseDn="dc=ieatlms5223,dc=com"
bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
bindPassword="1:3Ya7eqe7dmeEpqzlSnWw/Ygcj+kZcsZs"
fallbackLdapIpAddress="131.160.128.123"
ldapIpAddress="131.160.128.124"
nodeCredential="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1"
profileFilter=ERICSSON_FILTER
serverPort=1636
tlsMode=LDAPS
trustCategory="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
useTls=true
EricssonFilter=1
Filter=1
(Ldap=1)>
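
As an added example, not part of the guide or of the node software, the following Python script parses the COM CLI show output printed in Steps 12e, 16 and 18 and applies the checks those steps ask the operator to make by eye: serverPort 1636, LDAPS with useTls, nodeCredential and trustCategory referencing MOs under the node's CertM=1, and that the installed trusted certificate is a valid CA certificate. The sample output embedded in it is copied from this section, with the long publicKey value omitted.

```python
"""Check the COM CLI 'show' output the (v)BSC procedure asks the operator to
inspect by eye. Added example, not part of the guide or of the node software.

Two sets of checks taken from the text:
  * Ldap=1 (Steps 16 and 18): serverPort 1636, LDAPS with useTls=true, and
    nodeCredential/trustCategory pointing at MOs under the node's CertM=1.
  * TrustedCertificate (Step 12e): a CA certificate (Basic Constraints CA:TRUE,
    Certificate Sign key usage), state VALID, inside its validity period, and
    whether it is self-issued (a root such as ENM_PKI_Root_CA).
Sample outputs are copied from the guide; the long publicKey value is omitted.
"""
from datetime import datetime, timezone
import re

LDAP_SHOW = """\
Ldap=1
baseDn="dc=ieatlms5223,dc=com"
bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
bindPassword="1:3Ya7eqe7dmeEpqzlSnWw/Ygcj+kZcsZs"
fallbackLdapIpAddress="131.160.128.123"
ldapIpAddress="131.160.128.124"
nodeCredential="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1"
profileFilter=ERICSSON_FILTER
serverPort=1636
tlsMode=LDAPS
trustCategory="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
useTls=true
(Ldap=1)>
"""

TRUSTED_CERT_SHOW = """\
TrustedCertificate=13
certificateState=VALID
reservedBy
"ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=1"
certificateContent="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_PKI_Root_CA"
extensionContent
"X509v3 Basic Constraints:CA:TRUE"
"X509v3 Key Usage:Certificate Sign, CRL Sign"
issuer="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_PKI_Root_CA"
keyUsage="Certificate Sign, CRL Sign"
serialNumber="70:BD:99:75:22:BA:83:4F"
validFrom="2018-11-29T18:37:57Z"
validTo="2028-11-29T18:37:57Z"
"""


def parse_show(text):
    """Turn 'attr=value' lines into a dict. An attribute name on a line of its
    own followed by quoted lines (extensionContent, reservedBy) becomes a list;
    <default>/<read-only> markers and surrounding quotes are dropped."""
    attrs, list_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):          # blank or prompt line
            continue
        if line.startswith('"') and list_key is not None:
            attrs[list_key].append(line.strip('"'))
            continue
        list_key = None
        if "=" in line:
            key, _, value = line.partition("=")
            value = re.sub(r"\s*<[^>]*>", "", value)   # drop <default> etc.
            attrs[key.strip()] = value.strip().strip('"')
        else:
            attrs[line], list_key = [], line
    return attrs


def check_ldap(attrs, ne_name):
    """Deviations of an Ldap=1 'show' from what Steps 16 and 18 require."""
    problems = []
    if attrs.get("serverPort") != "1636":
        problems.append(f"serverPort={attrs.get('serverPort')}, expected 1636")
    if attrs.get("tlsMode") != "LDAPS" or attrs.get("useTls") != "true":
        problems.append("connection is not LDAPS with useTls=true")
    cert_m = f"ManagedElement={ne_name},SystemFunctions=1,SecM=1,CertM=1,"
    for ref in ("nodeCredential", "trustCategory"):
        if not str(attrs.get(ref, "")).startswith(cert_m):
            problems.append(f"{ref} does not reference an MO under {cert_m}")
    return problems


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_trusted_ca(attrs, now_utc):
    """Return (problems, is_root) for a TrustedCertificate 'show'; now_utc is a
    timestamp in the node's own format, for example '2023-01-31T00:00:00Z'."""
    problems = []
    if attrs.get("certificateState") != "VALID":
        problems.append(f"certificateState={attrs.get('certificateState')}")
    if not any("Basic Constraints:CA:TRUE" in e for e in attrs.get("extensionContent", [])):
        problems.append("Basic Constraints is not CA:TRUE")
    if "Certificate Sign" not in attrs.get("keyUsage", ""):
        problems.append("keyUsage lacks Certificate Sign")
    try:
        if not _utc(attrs["validFrom"]) <= _utc(now_utc) <= _utc(attrs["validTo"]):
            problems.append(f"outside validity {attrs['validFrom']}..{attrs['validTo']}")
    except (KeyError, ValueError):
        problems.append("validFrom/validTo missing or unparsable")
    return problems, attrs.get("issuer") == attrs.get("certificateContent")
```

Paste the real show output of the node into LDAP_SHOW or TRUSTED_CERT_SHOW (joined, without the PDF line-wrap markers) to run the same checks against it.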

Note: NodeCredential=1 must have the ENM certificates installed as part of the Trusted Certificates Installation section.

19. Enable LDAP.

a. Navigate to the LdapAuthenticationMethod=1 MO of the node by tabbing out each comma-separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1

Note: administrativeState must be UNLOCKED under the LdapAuthenticationMethod=1 MO.

>dn -m LdapAuthenticationMethod
ManagedElement=BSC028,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1
(LdapAuthenticationMethod=1)>configure
(config-LdapAuthenticationMethod=1)>administrativeState=UNLOCKED
(config-LdapAuthenticationMethod=1)>commit
(LdapAuthenticationMethod=1)>show
LdapAuthenticationMethod=1
administrativeState=UNLOCKED
Ldap=1
(LdapAuthenticationMethod=1)>

20. Verify that the mmlAuthorizationMethod attribute in the MmlAuthorizationM=1 MO is set to COCA.

Note: In a Single-CP system, it can be based either on CP user or on COCA groups.

In a Multi-CP system, it is based only on COCA groups.

>ManagedElement=BSC028,SystemFunctions=1,AxeFunctions=1,SecurityHandling=1,MmlAuthorizationM=1
(MmlAuthorizationM=1)>show -v
MmlAuthorizationM=1
ignoreCpSuperUserRole=false <default> <read-only>
ignoreCpUserRoles=false <default> <read-only>
mmlAuthorizationMethod=COCA
mmlAuthorizationMId="1"
MmlRole=CpRole0
(MmlAuthorizationM=1)>

Results
Verification of the online enrollment:

The ENM LDAP user for BSC is able to access the BSC node and must have the roles added during the procedure.

6.8.10 Offline Enrollment Procedure for (v)BSC Node

This procedure describes how to perform offline enrollment of a BSC node.

Note: For all nodes that support offline enrollment, an alarm has to be configured for certificate expiry notification so that the user can renew the certificate in time.

Prerequisites

— Cmedit_Administrator, Security_Administrator, NodeSecurity_Administrator, and PKI_EE_Administrator roles to access the ENM CLI.

— Knowledge of configuring MOs on the node.

— BSC node version is 18.A or higher.

— TS (Troubleshooter) user credentials to access the NE.

— vBSC node version is 21.Q4 or higher.

Steps

The offline procedure is based on the following main steps:

— End Entity Creation and Credential Generation from ENM.

— Creation of ENM LDAP User for BSC Node.

— LDAP Details from ENM CLI.

— Trust Certificates Installation.

— Node Configuration.

— Reconfigure LDAP Credentials to use ENM LDAP Server.

End Entity Creation and Credential Generation

End Entities (EE) of the PKI system are the end users who get credentials from the ENM PKI system and use them for communication with other ENM systems. End Entities must be created in the PKI system.

To generate credentials, each End Entity is mapped to an Entity Profile (EP), which defines the Certificate Authority (CA).

For more information about entities and profiles, see the section ENM PKI Concepts of the document ENM Public Key Infrastructure System Administrator Guide, Reference [8].

1. Launch ENM CLI from ENM Launcher.

2. Check Entity Profile.

List all the Entity Profiles already present in the ENM PKI system:

pkiadm pfm --list -type entity

In the following example, the highlighted profiles have to be available in the command output:

Figure 23

The highlighted profile is the default profile used when OAM enrollment is performed for BSC nodes.

Note: The PKI End Entity can be created either as in Step 3 or as in Step 4.

3. Create PKI End Entity.

A different EE must be created for each BSC node.

The EEs are created starting from an XML file. The template for the XML file is the following (End-Entity.xml):

<?xml version="1.0"?>
<Entities xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>NetworkElementID-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>NetworkElementID-oam</Value>
        </SubjectField>
      </Subject>
      <OTP>Ericsson01</OTP>
      <OTPCount>5</OTPCount>
    </EntityInfo>
    <OTPValidityPeriod>300</OTPValidityPeriod>
  </Entity>
</Entities>

During the XML file creation, the following rules must be applied:

— In the <EntityInfo> tag, the <Name> must be <NetworkElementID-oam>.
The <NetworkElementID> is the identifier that the user must use at the
end of this procedure when the BSC node is added in ENM.

— In the <EntityInfo><SubjectField> tag, the COMMON_NAME <Value> must be
<NetworkElementID-oam>.

— The <OTP> tag is the one time password. This password is needed to
perform the startOnlineEnrollment action on the node. The value in the
template is only a placeholder; use a randomly generated value.

— The <OTPCount> tag represents how many times this password can be used.

— The <OTPValidityPeriod> tag represents the validity period of the OTP.
This value must be provided in minutes, counted from the time when the
enrollment is triggered on the node.

Save the created XML file. The suggested name for the file is
EE_<NetworkElementID>-oam.xml.

Note: Check the NetworkElementID in the APG model and create the End Entity
accordingly.

Drag and drop the created XML file into the ENM CLI and run the command to
create the End Entity:

pkiadm etm -c -xf file:BSC-28-oam.xml

4. Create the End Entity from PKI Entity Management (through GUI).

a. Navigate to PKI Entity Management application in ENM.


b. Click Create End Entity and select PKI End Entity.
c. Fill the details as per the XML file created in Step 3.
d. Click Save.
e. Go back to PKI Entity Management and click Issue for the created
End Entity.
f. Choose the file format as PKCS 12 (P12).

g. Set the password and download it.

5. Verify the End Entity creation.


Verify that the End Entity has been created by listing all the End Entities in
the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.


The End Entity must be created with the name <NetworkElementID-oam> and
its status must be NEW. The following example shows the End Entity related
to <BSC Node NE_NAME>:

Figure 24

6. Generate the End Entity Credential.


Use the following command to generate the End Entity credential and package
it in a P12 file.

The p12 file also contains the corresponding private key of the End Entity.

pkiadm ctm EECert -gen -nocsr -en BSC028-oam -f P12 --password <password>

Creation of ENM LDAP User for BSC Node.

7. Create a COM Role.


If the roles are not present, the roles must be created first in ENM. If the roles
are already present, go to Step 8.

a. Navigate to Role Management GUI.


b. Create a role with Role Type = COM Role.


8. Create an ENM LDAP User.

a. Navigate to User Management GUI.


b. Create a user and assign the following roles:
— SystemAdministrator

— SystemSecurityAdministrator

— EricssonSupport

— BscApplicationAdministrator

— SystemReadOnly

— CpRole0

For all the roles that are applied to the user, the Target Groups can be set to
ALL, based on user requirements.

For example:

Figure 26

LDAP Details from ENM CLI.

9. Retrieve LDAP Configuration Details.


Run the following ENM CLI command:


secadm ldap configure --manual

Figure 27 LDAP Configuration Settings

10. Launch ENM CLI.

11. Run the following commands to download ENM_OAM_CA,
ENM_Infrastructure_CA, ENM_PKI_Root_CA, and NE_OAM_CA in PEM
format.
These PEM files are used later to install the ENM CA certificates on the
node.

pkiadm ctm CACert -expcert -en ENM_OAM_CA -f PEM


pkiadm ctm CACert -expcert -en ENM_Infrastructure_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM
pkiadm ctm CACert -expcert -en NE_OAM_CA -f PEM

The output is:


Figure 28

12. Log on the node to access the Node CLI:

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>

13. Navigate to the CertM MO of the node by tabbing out each comma-
separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1

14. Download the trust certificates, transfer them to the node with SFTP, and
install them from the file.

a. Download the Trust Certificate.

Note: The certificate file (cacert.pem in general, ENM_PKI_Root_CA.pem in
the example below) is expected to be in the folder /certificates on the node
file system (the localFileStorePath of the CertM MO).

installTrustedCertFromUri --uri ENM_PKI_Root_CA.pem --fingerprint NULL --uriPassword NULL

b. Check the progress of the Trusted Certificate installation under the CertM
MO.

(config-CertM=1)>show
localFileStorePath="certificates"
userLabel="Certificate Management"
reportProgress
actionId=0
actionName="installTrustedCertFromUri"
additionalInfo
"TrustedCertificate=13"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the certificate file"
state=FINISHED
timeActionCompleted="2012-10-17T11:34:56"
timeActionStarted="2012-10-17T11:34:56"
timeOfLastStatusUpdate="201

Note: Make sure that the installation progress is 100 percent completed. To
verify it, run show under the CertM MO and check the reportProgress attribute
shown above.

c. Check Trusted Certificate Content.

(CertM=1)>TrustedCertificate=13
(TrustedCertificate=13)>show
TrustedCertificate=13
certificateState=VALID
reservedBy
"ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,EnrollmentA →
uthority=1"
certificateContent="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_PKI_Roo →
t_CA"
extensionContent
"X509v3 Basic Constraints:CA:TRUE"
"X509v3 Key Usage:Certificate Sign, CRL Sign"
"X509v3 Subject Key Identifier:08:66:71:94:6E:05:FD:53:46:24:C5:7B: →
AB:8E:AF:2E:0F:F5:16:6D"
issuer="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_PKI_Root_CA"
keyUsage="Certificate Sign, CRL Sign"
publicKey="8C:4C:56:5B:1B:37:E2:A1:B1:70:15:D2:BE:FC:2C:1E:79:09:14 →
:F9:C4:5F:7C:1F:66:0C:B1:36:75:02:61:8C:F5:82:3E:CF:E9:AD:19:50:35: →
1D:FD:35:EB:76:94:57:90:CF:A1:C4:D3:06:52:76:DD:99:46:B2:77:D6:25:A →
3:6A:E6:68:B4:89:72:46:0E:69:42:73:BE:1B:F6:64:2D:24:8A:4D:28:5C:71 →
:4C:EB:35:1A:7A:A1:01:28:4C:EE:59:CD:D4:11:19:E4:F0:A3:6D:67:72:AB: →
40:92:FC:3C:21:ED:F7:0D:72:44:56:68:57:F6:E7:3D:3E:D6:CB:C3:F3:F7:5 →
0:28:5A:FB:AA:29:ED:BE:C9:5C:CE:2A:89:44:31:22:35:84:66:9D:79:69:EB →
:BC:6A:01:29:81:A8:6B:B7:18:1D:48:E0:D7:80:64:CC:C1:D6:39:D7:B1:5F: →
75:DD:E6:AE:17:F5:E9:22:BD:48:49:47:4B:42:D2:91:6C:56:28:7E:41:4E:7 →
6:31:6E:49:7B:76:60:35:D9:82:67:57:D1:45:DE:F4:0C:DA:EC:EC:F9:BE:C9 →
:69:C6:AF:75:34:32:49:EB:17:9A:2D:95:7A:B2:62:9D:A7:DD:C8:D4:E1:F5: →
8A:41:00:43:6C:04:0A:F6:38:7A:C1:3B:65:81"
publicKeyAlgorithm="RSA"
serialNumber="70:BD:99:75:22:BA:83:4F"
signatureAlgorithm="sha256WithRSAEncryption"
validFrom="2018-11-29T18:37:57Z"
validTo="2028-11-29T18:37:57Z"
version="Version 3"
(TrustedCertificate=13)>

The TrustCategory MO represents a group of trusted certificates that can be
referenced by users. The TrustCategory MO must be updated with the attribute
trustedCertificates set to the DN of the TrustedCertificate MO.

d. Navigate to the TrustCategory=1 MO and add the ENM CA certificates, if
the installed Trusted Certificates are not yet listed in the TrustCategory
MO.

(CertM=1)>TrustCategory=1
"ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustedCert →
ificate=1"
(TrustCategory=1)>configure
(config-TrustCategory=1)>trustedCertificates="ManagedElement=BSC028 →
,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=13"
(config-TrustCategory=1)>commit


e. Commit the changes to the TrustCategory=1 MO to add the ENM CA
certificates.
f. Navigate to the TrustCategory MO and execute the show command to verify
that all the certificates are added.

(TrustCategory=1)>show
TrustCategory=1
trustedCertificates
"ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustedCert →
ificate=13"
(config-TrustCategory=1)>
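As an added check (not part of the ENM guide or the node software), the following Python script reads the show output of the CertM=1, TrustedCertificate=N and TrustCategory=1 MOs in the format shown above and reports the mismatches that step 14.d corrects: installed CA certificates that TrustCategory=1 does not reference, references to TrustedCertificate MOs that do not exist, and certificates that are not VALID or have expired. The ManagedElement DN in ME_DN and the three sample outputs are constructed for the example from the page's figures.

```python
"""Audit the CertM trust configuration of a BSC node from node-CLI 'show' text."""
import re
from datetime import datetime, timezone

# Assumed DN prefix of the node; change it to the real ManagedElement name.
ME_DN = "ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1"

# Constructed sample: two installed TrustedCertificate MOs, but TrustCategory=1
# references only TrustedCertificate=13 (the situation step 14.d fixes).
CERTM_SHOW = """CertM=1
localFileStorePath="certificates"
CertMCapabilities=1
EnrollmentAuthority=1
EnrollmentServerGroup=1
NodeCredential=1
TrustCategory=1
TrustedCertificate=1
TrustedCertificate=13
"""
TRUSTED_CERT_SHOW = {
    "TrustedCertificate=1": """TrustedCertificate=1
certificateState=VALID
certificateContent="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=NE_OAM_CA"
issuer="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_PKI_Root_CA"
validFrom="2018-11-29T18:37:57Z"
validTo="2028-11-29T18:37:57Z"
""",
    "TrustedCertificate=13": """TrustedCertificate=13
certificateState=VALID
certificateContent="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_PKI_Root_CA"
issuer="C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_PKI_Root_CA"
validFrom="2018-11-29T18:37:57Z"
validTo="2028-11-29T18:37:57Z"
""",
}
TRUST_CATEGORY_SHOW = """TrustCategory=1
trustedCertificates
"ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=13"
"""


def parse_show(output):
    """Turn node-CLI 'show' text into a dict.

    'name=value' lines become scalars; a bare 'name' line followed by quoted
    lines (trustedCertificates, extensionContent, reservedBy) becomes a list.
    """
    attrs, multi = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('"') and multi is not None:
            attrs[multi].append(line.strip('"'))
        elif "=" in line:
            key, value = line.split("=", 1)
            attrs[key] = value.strip('"')
            multi = None
        else:
            multi = line
            attrs.setdefault(multi, [])
    return attrs


def installed_trusted_certs(certm_show):
    """Names of the TrustedCertificate child MOs listed under CertM=1."""
    return re.findall(r"^TrustedCertificate=\d+$", certm_show, re.M)


def audit_trust_category(certm_show, trusted_cert_show, trust_category_show,
                         now="2023-01-31T00:00:00Z", me_dn=ME_DN):
    """Return a list of findings; an empty list means the trust store is consistent."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    now_dt = datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
    installed = installed_trusted_certs(certm_show)
    referenced = set(parse_show(trust_category_show).get("trustedCertificates", []))
    findings = []
    for mo in installed:
        cert = parse_show(trusted_cert_show.get(mo, ""))
        label = f"{mo} ({cert.get('certificateContent', '?')})"
        if cert.get("certificateState") != "VALID":
            findings.append(f"{label} state is {cert.get('certificateState')}")
        valid_to = cert.get("validTo")
        if valid_to:
            expires = datetime.strptime(valid_to, fmt).replace(tzinfo=timezone.utc)
            if expires < now_dt:
                findings.append(f"{label} expired on {valid_to}")
        if f"{me_dn},{mo}" not in referenced:
            findings.append(f"{label} is not referenced by TrustCategory=1")
    known = {f"{me_dn},{mo}" for mo in installed}
    for dn in sorted(referenced - known):
        findings.append(f"TrustCategory=1 references a missing MO: {dn}")
    return findings


if __name__ == "__main__":
    for finding in audit_trust_category(CERTM_SHOW, TRUSTED_CERT_SHOW, TRUST_CATEGORY_SHOW):
        print(finding)
```

Paste the real show outputs in place of the constructed ones; an empty result means every installed CA certificate is referenced by TrustCategory=1 and is still within its validity period.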

Node Configuration

This section describes the configuration of the Node Credential MO in the BSC.

15. Log on the Node to access the Node CLI:

ssh <TS_USER_NAME>@<NE_IP_ADDRESS>
....input TS User password

16. Navigate to the CertM MO of the node by tabbing out each comma-
separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,CertM=1

17. Execute the show command on the CertM MO to display the installed
NodeCredentials on the NE.

The example shows one NodeCredential on the node.

(CertM=1)>show
CertM=1
localFileStorePath="certificates"
CertMCapabilities=1
EnrollmentAuthority=1
EnrollmentServerGroup=1
NodeCredential=1
TrustCategory=1
TrustedCertificate=1

18. Create a NodeCredential MO under CertM=1 MO.

>dn -m CertM
ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1
(CertM=1)>
(CertM=1)>configure
(config-CertM=1)>NodeCredential=1
(config-NodeCredential=1)>commit
(NodeCredential=1)>


19. Install new P12 certificates in NodeCredential=1 MO.

The following command installs the P12 certificates in the NodeCredential=1
MO.

(NodeCredential=1)>installCredentialFromUri sftp://root@LMS_IP/tmp/NE_NAME-oam.p12 <LMS Password> <Password of P12 file> NULL true
(NodeCredential=1)>show enrollmentProgress
enrollmentProgress
actionId=0
actionName="installCredentialFromUri"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the container file"
state=FINISHED
timeActionCompleted="2017-08-05T12:37:36Z"
timeActionStarted="2017-08-05T12:37:36Z"
timeOfLastStatusUpdate="2017-08-05T12:37:36Z"
(NodeCredential=1)>

Note: The password of the P12 file is the same password used for creating
P12 file from Step 6.

Alternatively, the node credential P12 file can be downloaded, transferred to
the node with SFTP, and installed from the local file:

(CertM=1)>NodeCredential=1
(NodeCredential=1)>configure
(config-NodeCredential=1)>installCredentialFromUri NE_NAME-oam.p12 NULL <Password of P12 file> NULL true
(NodeCredential=1)>show enrollmentProgress
enrollmentProgress
actionId=0
actionName="installCredentialFromUri"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the container file"
state=FINISHED
timeActionCompleted="2017-08-05T12:37:36Z"
timeActionStarted="2017-08-05T12:37:36Z"
timeOfLastStatusUpdate="2017-08-05T12:37:36Z"
(NodeCredential=1)>

Note: Make sure that the enrollment progress is 100 percent completed.
To verify the same, the command show enrollmentProgress can
be used.

Reconfigure LDAP Credentials to use ENM LDAP Server

20. Navigate to the Ldap=1 MO in the node by tabbing out each comma-
separated MO.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthe →
nticationMethod=1,Ldap=1

21. Configure the LDAP MO details inside node using the LDAP details.


(Ldap=1)>
(Ldap=1)>configure
(config-Ldap=1)>baseDn="dc=ieatlms5223,dc=com"
(config-Ldap=1)>bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e →
3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
(config-Ldap=1)>fallbackLdapIpAddress="131.160.128.123"
(config-Ldap=1)>ldapIpAddress="131.160.128.124"
(config-Ldap=1)>bindPassword="TLnH6ywUvNHWrAvdeHzZzswS" cleartext
(config-Ldap=1)>serverPort=1636
(config-Ldap=1)>nodeCredential="ManagedElement=BSC028,SystemFunctions=1,SecM →
=1,CertM=1,NodeCredential=1"
(config-Ldap=1)>trustCategory="ManagedElement=BSC028,SystemFunctions=1,SecM= →
1,CertM=1,TrustCategory=1"
(config-Ldap=1)>commit
(Ldap=1)>show
Ldap=1
baseDn="dc=ieatlms5223,dc=com"
bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
bindPassword="1:3Ya7eqe7dmeEpqzlSnWw/Ygcj+kZcsZs"
fallbackLdapIpAddress="131.160.128.123"
ldapIpAddress="131.160.128.124"
nodeCredential="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,NodeC →
redential=1"
profileFilter=ERICSSON_FILTER
serverPort=1636
tlsMode=LDAPS
trustCategory="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustC →
ategory=1"
useTls=true
EricssonFilter=1
Filter=1
(Ldap=1)>

Note: The NodeCredential=1 MO must already contain the ENM-issued node
certificate (Step 19), and the ENM CA certificates must be installed as
described in the steps for Trust Certificates installation.
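An added check, not from the guide: the following Python reads the (Ldap=1)>show output in the format above and verifies what this step relies on, namely that TLS is on with tlsMode=LDAPS, that the server and fallback addresses are distinct valid IP addresses, that nodeCredential and trustCategory point at MOs under the same CertM=1, that bindDn lies under baseDn, and that bindPassword is not stored as the cleartext value typed at the configure prompt (the configure line above passes it in cleartext; show displays a different, protected form). The sample output, the entered password and the assumption that the proxy account lives under baseDn are all taken or constructed from the page's example.

```python
"""Check the Ldap=1 MO of a BSC node from node-CLI 'show' text."""
import ipaddress
import re

# Constructed from the (Ldap=1)>show output on the page.
LDAP_SHOW = """Ldap=1
baseDn="dc=ieatlms5223,dc=com"
bindDn="cn=ProxyAccount__b380035f-e8e1-4819-9256-94b1024074e3,ou=proxyagent,ou=com,dc=ieatlms5223,dc=com"
bindPassword="1:3Ya7eqe7dmeEpqzlSnWw/Ygcj+kZcsZs"
fallbackLdapIpAddress="131.160.128.123"
ldapIpAddress="131.160.128.124"
nodeCredential="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1"
profileFilter=ERICSSON_FILTER
serverPort=1636
tlsMode=LDAPS
trustCategory="ManagedElement=BSC028,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
useTls=true
EricssonFilter=1
Filter=1
"""
# The cleartext value typed at the configure prompt; the stored attribute must
# never equal it.
ENTERED_BIND_PASSWORD = "TLnH6ywUvNHWrAvdeHzZzswS"


def parse_show(output):
    """'name=value' lines of a node-CLI 'show' into a dict, quotes stripped."""
    attrs = {}
    for line in output.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z]\w*)=(.*)", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs


def audit_ldap_mo(show_output, entered_bind_password=None,
                  managed_element="ManagedElement=BSC028"):
    """Return findings for the Ldap MO; an empty list means it matches the procedure."""
    a = parse_show(show_output)
    findings = []
    if a.get("useTls") != "true" or a.get("tlsMode") != "LDAPS":
        findings.append("useTls must be true and tlsMode must be LDAPS")
    port = a.get("serverPort", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"serverPort {port!r} is not a valid TCP port")
    ips = {}
    for key in ("ldapIpAddress", "fallbackLdapIpAddress"):
        try:
            ips[key] = ipaddress.ip_address(a.get(key, ""))
        except ValueError:
            findings.append(f"{key} {a.get(key)!r} is not a valid IP address")
    if len(ips) == 2 and ips["ldapIpAddress"] == ips["fallbackLdapIpAddress"]:
        findings.append("fallbackLdapIpAddress must be a different server")
    for key, mo in (("nodeCredential", "NodeCredential"), ("trustCategory", "TrustCategory")):
        dn = a.get(key, "")
        if not dn.startswith(managed_element + ",") or f",CertM=1,{mo}=" not in dn:
            findings.append(f"{key} must reference a {mo} MO under {managed_element},...,CertM=1")
    base_dn, bind_dn = a.get("baseDn", ""), a.get("bindDn", "")
    if not base_dn or not bind_dn:
        findings.append("baseDn and bindDn must both be set")
    elif not bind_dn.lower().endswith("," + base_dn.lower()):
        # Assumption: the proxy account lives under baseDn, as in the page's example.
        findings.append("bindDn is not under baseDn")
    if entered_bind_password and a.get("bindPassword") == entered_bind_password:
        findings.append("bindPassword is stored as the cleartext value that was entered")
    return findings
```

Run audit_ldap_mo on the pasted show output right after the commit; if useTls or tlsMode come back wrong, the node would send the bind password to the ENM LDAP server without TLS.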

22. Enable LDAP.


Navigate to the LdapAuthenticationMethod=1 MO of the node by
tabbing out each comma-separated MO and set the administrativeState to
UNLOCKED.

ManagedElement=<NE_NAME>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthe →
nticationMethod=1

Note: administrativeState must be UNLOCKED under the
LdapAuthenticationMethod=1 MO.

>dn -m LdapAuthenticationMethod
ManagedElement=BSC028,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenti →
cationMethod=1
(LdapAuthenticationMethod=1)>configure
(config-LdapAuthenticationMethod=1)>administrativeState=UNLOCKED
(config-LdapAuthenticationMethod=1)>commit
(LdapAuthenticationMethod=1)>show
LdapAuthenticationMethod=1
administrativeState=UNLOCKED
Ldap=1
(LdapAuthenticationMethod=1)>

23. Verify that the mmlAuthorizationMethod attribute in the
MmlAuthorizationM=1 MO is set to COCA.


Note: In a Single-CP system, authorization can be based either on the CP user
or on COCA groups. In a Multi-CP system, it is based only on COCA groups.

>ManagedElement=BSC028,SystemFunctions=1,AxeFunctions=1,SecurityHandling=1,M →
mlAuthorizationM=1
(MmlAuthorizationM=1)>show -v
MmlAuthorizationM=1
ignoreCpSuperUserRole=false <default> <read-only>
ignoreCpUserRoles=false <default> <read-only>
mmlAuthorizationMethod=COCA
mmlAuthorizationMId="1"
MmlRole=CpRole0
(MmlAuthorizationM=1)>

Results
Verification of offline enrollment:

The ENM LDAP user for the BSC can access the BSC node and has the roles
added during the procedure.

6.8.11 Offline Enrollment Procedure for vDU, vCU-CP, vCU-UP Nodes


This procedure describes how to perform offline enrollment for vDU, vCU-CP, and
vCU-UP Nodes.

vDU node supports container-based offline enrollment (PKCS#12).

Prerequisites
— PKI_Administrator role to access the pkiadm commands.

— Access privileges to log on to the node and execute commands.

— Admin User Credentials to log on to the Node CNF, and to create Security
Admin User on the Node.

Steps
The offline enrollment can be achieved by following these five main steps:
— End Entity creation in ENM PKI Entity Management. See the section End
Entity Creation in ENM PKI on page 144.

— Creation of Secure User on node for Installation of Certificates and LDAP
Configuration. See the section Creation of Secure User on Node on page 147.

— Installation of trusted certificates on the node. See the section Installation of
Trusted Certificates on the Node on page 148.

— Generation and Installation of node certificate on the node. See the section
Generation and Installation of Node Certificate on the Node on page 150.

— LDAP configuration on the node. See the section LDAP Configuration on the
Node on page 151.

6.8.11.1 End Entity Creation in ENM PKI

End Entities (EE) of the PKI System are the end users who get credentials
from the ENM PKI System and use it for secure communications.

A valid End Entity must be created in the ENM PKI by executing the following
steps before performing the Offline Enrollment for the node.

Steps

1. Launch ENM CLI from ENM Launcher.

2. Check Entity Profile.


List all entity profiles already present in ENM PKI system:

pkiadm pfm --list -type entity

Sample output: the highlighted profiles have to be available in the command
output.


Figure 29

The highlighted profile is the default profile used when OAM Enrollment is
performed for vDU nodes.

Note: For more information about Entity and Profiles, see the section
ENM PKI Concepts in the ENM Public Key Infrastructure System
Administrator Guide, Reference [8].

3. Prepare the XML file for End Entity creation.


A different End Entity must be created for each vDU node certificate type.

The EEs are created starting from an XML file. The template for the XML file
is the following (Network Element ID-oam.xml):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Entities>
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Name>NODE-OAM</Name>
      <Modifiable>true</Modifiable>
    </Category>
    <EntityInfo>
      <Name>NetworkElementID-oam</Name>
      <Subject>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>NetworkElementID-oam</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value> <!-- This value has to be copied from Entity Profile DUSGen2OAM_CHAIN_EP -->
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value> <!-- This value has to be copied from Entity Profile DUSGen2OAM_CHAIN_EP -->
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value> <!-- This value has to be copied from Entity Profile DUSGen2OAM_CHAIN_EP -->
        </SubjectField>
      </Subject>
      <OTP>cies62UIUgq2IG9zXbaJf</OTP>
      <OTPCount>4</OTPCount>
      <Issuer>
        <Name>NE_OAM_CA</Name>
      </Issuer>
    </EntityInfo>
    <OTPValidityPeriod>30</OTPValidityPeriod>
  </Entity>
</Entities>

During the XML file creation, the following rules must be applied:

a. In the <EntityInfo> tag, the <Name> must be <NetworkElementID-oam>.

b. The <NetworkElementID> is the identifier that the user must use at the
end of this procedure when the vDU node is added in ENM.

c. In the <EntityInfo><SubjectField> tag, the COMMON_NAME <Value> must be
<NetworkElementID-oam>.

d. EntityProfile Name must be DUSGen2OAM_CHAIN_EP. It is the default entity
profile for OAM communication.

Save the created XML file.

The suggested name for the file is EE_Network Element ID-oam.xml.

4. Create the End Entity.


Drag and drop the XML file created in Step 3 into the ENM CLI and run the
command to create the End Entity:

pkiadm etm -c -xf file:<NetworkElementID-oam.xml>
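The two End-Entity templates in this chapter (the BSC one earlier and the vDU one above) follow the same rules, so one generator serves both. The following Python is an added example, not part of the ENM guide or of the pkiadm tool: it writes the End-Entity XML for a given NetworkElementID, draws a random OTP instead of the fixed placeholder, and re-checks a file against rules a to d before it is handed to pkiadm etm -c. The subject fields, the profile name DUSGen2OAM_CHAIN_EP, the key size and the optional NE_OAM_CA issuer are copied from the templates and are assumptions for your deployment; the xsi schema attribute of the BSC template is omitted.

```python
"""Build and check the ENM PKI End-Entity XML for a node's OAM certificate."""
import re
import secrets
import xml.etree.ElementTree as ET

DEFAULT_PROFILE = "DUSGen2OAM_CHAIN_EP"
# Subject fields copied from the entity profile as shown on the page; they must
# match the profile configured in your ENM PKI, so treat them as an assumption.
PROFILE_SUBJECT = (
    ("ORGANIZATION", "ERICSSON"),
    ("ORGANIZATION_UNIT", "BUCI DUAC NAM"),
    ("COUNTRY_NAME", "SE"),
)


def build_end_entity_xml(network_element_id, otp=None, otp_count=5,
                         otp_validity_period=300, issuer=None,
                         profile=DEFAULT_PROFILE):
    """Return the End-Entity XML for <NetworkElementID>-oam as a string.

    issuer=None gives the BSC variant; issuer="NE_OAM_CA" adds the <Issuer>
    element of the vDU variant. The OTP defaults to a random URL-safe token.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+", network_element_id):
        raise ValueError("NetworkElementID must contain only [A-Za-z0-9_-]")
    if otp_count < 1 or otp_validity_period < 1:
        raise ValueError("OTPCount and OTPValidityPeriod must be positive")
    name = f"{network_element_id}-oam"
    otp = otp or secrets.token_urlsafe(16)

    entities = ET.Element("Entities")
    entity = ET.SubElement(entities, "Entity")
    ET.SubElement(entity, "PublishCertificatetoTDPS").text = "true"
    ET.SubElement(entity, "EntityProfile", Name=profile)
    kga = ET.SubElement(entity, "KeyGenerationAlgorithm")
    ET.SubElement(kga, "Name").text = "RSA"
    ET.SubElement(kga, "KeySize").text = "2048"
    category = ET.SubElement(entity, "Category")
    ET.SubElement(category, "Modifiable").text = "true"
    ET.SubElement(category, "Name").text = "NODE-OAM"
    info = ET.SubElement(entity, "EntityInfo")
    ET.SubElement(info, "Name").text = name          # rule a
    subject = ET.SubElement(info, "Subject")
    for field_type, value in PROFILE_SUBJECT + (("COMMON_NAME", name),):  # rule c
        field = ET.SubElement(subject, "SubjectField")
        ET.SubElement(field, "Type").text = field_type
        ET.SubElement(field, "Value").text = value
    ET.SubElement(info, "OTP").text = otp
    ET.SubElement(info, "OTPCount").text = str(otp_count)
    if issuer:
        ET.SubElement(ET.SubElement(info, "Issuer"), "Name").text = issuer
    ET.SubElement(entity, "OTPValidityPeriod").text = str(otp_validity_period)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(entities, encoding="unicode"))


def check_end_entity_xml(xml_text, profile=DEFAULT_PROFILE):
    """Return the rule violations found in an End-Entity file (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    for entity in root.findall("Entity"):
        name = entity.findtext("EntityInfo/Name") or ""
        if not name.endswith("-oam"):
            problems.append(f"EntityInfo/Name {name!r} must be <NetworkElementID>-oam")
        ep = entity.find("EntityProfile")
        if ep is None or ep.get("Name") != profile:
            problems.append(f"EntityProfile must be {profile}")
        cn = [f.findtext("Value") for f in entity.findall("EntityInfo/Subject/SubjectField")
              if f.findtext("Type") == "COMMON_NAME"]
        if cn != [name]:
            problems.append(f"COMMON_NAME {cn} must equal EntityInfo/Name {name!r}")
        if len(entity.findtext("EntityInfo/OTP") or "") < 8:
            problems.append("OTP is shorter than 8 characters")
        for tag, path in (("OTPCount", "EntityInfo/OTPCount"),
                          ("OTPValidityPeriod", "OTPValidityPeriod")):
            value = entity.findtext(path) or ""
            if not value.isdigit() or int(value) < 1:
                problems.append(f"{tag} must be a positive integer, got {value!r}")
    return problems
```

Write the returned string to EE_<NetworkElementID>-oam.xml and run check_end_entity_xml on any hand-edited file before dragging it into the ENM CLI; a COMMON_NAME that differs from EntityInfo/Name is the mistake the check is there to catch.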

5. Verify the End Entity creation.


Verify that the End Entity has been created by listing all the End Entities in
the ENM PKI system:


pkiadm entitymgmt --list --entitytype ee --name <NetworkElementID-oam>

The End Entity must be present in the list of End Entities.

The End Entity is to be created with name <Network Element ID-oam> and
its entity status must be NEW.

In the following example, there is the End Entity related to vDU Node:

Figure 30

6.8.11.2 Creation of Secure User on Node

The security admin user has permissions to install certificates and the LDAP
configuration on the node. This security admin user must be the same as the
secure user that is created in the ENM node model.

Note: If the secure user is already present on the node, then creation of secure
user on node is not required.

Steps

1. Connect to the node through NETCONF over SSH from ENM with secure user
credentials.
See Connect to the Node with NETCONF over SSH from ENM on page 152.

a. If the connection is successful, skip the following steps and continue
with Installation of Trusted Certificates on the Node on page 148.
b. If the connection fails, continue with Step 2.

2. Connect to the node through NETCONF over SSH from ENM using admin
user credentials.
See Connect to the Node with NETCONF over SSH from ENM on page 152.

3. Send a NETCONF Hello Request to the node after every NETCONF
connection.
See Input NETCONF Hello Request with Example on page 154.

4. Create the secure user on node.
See Input NETCONF Request for Creation of Secure User on Node with
Example on page 156.

5. Close the Connection after creation of secure user on node in Step 4.
See Input NETCONF Request to Close Connection with Example on page
155.

6. Connect to the node with NETCONF over SSH from ENM with the created
secure user credentials. Update the default secure password with desired
secure user password.
See Update Secure User Password for the First SSH Connection with
Example on page 157.

Note: The password must be updated because the node asks for a change of
password on the first SSH connection.

6.8.11.3 Installation of Trusted Certificates on the Node

This procedure installs the trusted certificate CA certificates on the node.

The following trusted CA certificates must be installed on the node for the secure
OAM communications:
— NE_OAM_CA

— ENM_OAM_CA

— ENM_Infrastructure_CA

— ENM_PKI_Root_CA

Steps

1. Download the certificate for each of the previous CAs in PEM format.

Run the following pkiadm command:

pkiadm ctm CACert -expcert -en <CA_Name> -f PEM

Note: Use the same command to download the certificates of all the
mentioned CAs.

2. If the ENM_PKI_Root_CA certificate is signed by an External CA, install the
certificate chain of that External CA up to its self-signed certificate.

a. Check the issuer of ENM_PKI_Root_CA.


If subject and issuer fields for the active certificate are different,
then that ENM_PKI_Root_CA is issued by External CA and you need
to perform the Step 2.b and Step 2.c, otherwise go to Step 3.

pkiadm ctm CACert -l -en ENM_PKI_Root_CA

Example

Figure 31
b. List the external CAs present in the ENM PKI and check for the
certificates that must be installed on the node.

Example

Figure 32
c. Download the required External CA certificate.

pkiadm extcaexport --name <External_CA_Name> --serialnumber <External_CA_certif →


icate_serialnumber>

Note: Download all the required External CA certificates up to the
self-signed external CA certificate.

3. Convert each certificate into Base64 encoded format, to install the trusted
certificates on the node.
Use the following Linux command in the Linux terminal to convert each of
the trusted CA certificates downloaded in Step 1 and Step 2 to Base64
encoded format (tr -d removes the line breaks so the result is a single line).

base64 <Certificate.pem> | tr -d \\n > <base64_certificate.pem>

Note: Use the same command to convert all the trust certificates to
Base64 format.


4. Connect to the node through NETCONF over SSH from ENM with secure user
credentials.
See Connect to the Node with NETCONF over SSH from ENM on page 152.

5. Send a NETCONF Hello Request to the node after every NETCONF
connection.
See Input NETCONF Hello Request with Example on page 154.

6. Create oamTrustCategory certificates list under truststore MO.

See Input NETCONF Request to Create Trusted Certificate List on Node with
Example on page 158.

7. Install all the trusted certificates on the node which are downloaded and
converted to base64 format in Step 3.

See Input NETCONF Request for Trusted Certificate Installation on Node
with Example on page 159.

8. Verify that all the trusted certificates are installed correctly in the
oamTrustCategory certificates list.
See Input NETCONF Request to Fetch Trusted Certificates Installed on Node
with Example on page 162.

6.8.11.4 Generation and Installation of Node Certificate on the Node

This procedure describes to generate and install the node certificate.

Steps

1. Generate End Entity Credential.

Generate the End Entity credential as a P12 file. The P12 file contains the
certificate and the corresponding private key of the End Entity, so handle
the file and its password as secrets.

pkiadm ctm EECert -gen -nocsr -en <NetworkElementId-oam> -f P12 --password < →
provide password here>

In the command, <NetworkElementId-oam> is the name of the entity
created in step 4 in the section End Entity Creation in ENM PKI on page
144.

2. Convert the generated P12 to Base64 format.

Use the following Linux command in the Linux terminal to convert the P12
file to Base64 encoded format.

base64 <Certificate.p12> | tr -d \\n > <base64_certificate.p12>


3. Connect to the node through NETCONF over SSH from ENM with secure user
credentials.
See Connect to the Node with NETCONF over SSH from ENM on page 152.

4. Send a NETCONF Hello Request to the node after every NETCONF
connection.
See Input NETCONF Hello Request with Example on page 154.

5. Install the node certificate and private key using the base64 converted p12
file in Step 2.
See Input NETCONF Request for Node Certificate Installation on Node with
Example on page 163.

6. Verify if oamNodeCredential installed correctly under asymmetric-keys MO.

See Input NETCONF Request to Fetch Node Certificate Installed on Node
with Example on page 165.

6.8.11.5 LDAP Configuration on the Node

This procedure describes the LDAP configuration details on the node.

Steps

1. Get the LDAP server details.

secadm ldap configure --manual

Example

Figure 33 LDAP Configuration Settings


2. Connect to the node through NETCONF over SSH from ENM with secure user
credentials.
See Connect to the Node with NETCONF over SSH from ENM on page 152.

3. Send a NETCONF Hello Request to the node after every NETCONF
connection.
See Input NETCONF Hello Request with Example on page 154.

4. Configure LDAP server details on the node from the output of Step 1.
See Input NETCONF Request to Install LDAP Configuration on Node with
Example on page 167.

5. Verify that the LDAP configuration is installed correctly on the Node.
See Input NETCONF Request to Fetch LDAP Configuration Installed on Node
with Example on page 169.

6. Connect to the node through NETCONF over SSH from ENM with user having
COM roles and its associated COM Target Group assigned with "ALL" to
verify the LDAP feature working.
See Connect to the Node with NETCONF over SSH from ENM on page 152.

7. Check the TLS communication. See Connect to a Service on page 2.

Run the following commands:

[root@rani-venm-1-mscmce-0 cloud-user]# cd /ericsson/mediation/data/certs/


[root@rani-venm-1-mscmce-0 certs]# openssl s_client -connect <node-ip>:6513 →
-cert tlsnetconf.cert -key tlsnetconf.key -CAfile tlsnetconfCA.pem

6.8.11.6 Connect to the Node with NETCONF over SSH from ENM

1. Connect to the node on the NETCONF port with the admin user, secure user,
or COM user credentials and the node IP address.

ssh -p <netconf_port> <admin-user_name/secure-user-name/COM-user-name>@<node_ip-address>

Example
[root@stsvp6enm40-mscmce-0 certs]# ssh -p 830 [email protected]
WARNING: This system is restricted solely to authorized users for legitimat →
e business purposes only. The actual or attempted unauthorized access, use, →
or modification of this system is strictly prohibited. Unauthorized users ar →
e subject to appropriate disciplinary proceedings and/or criminal and civil →
penalties under state, federal, or other applicable domestic and foreign law →
s. The use of this system is recorded and monitored. If monitoring reveals p →
ossible evidence of criminal activity, the owner of this equipment may provi →
de the evidence of such activity to law enforcement officials. All authorize →
d users shall comply with the security policies, instructions and requiremen →
ts related to the business purpose and in case of doubt shall seek advice from his/her manager.
This system process personal data. The misuse of personal data could cause h →
arm to the data subjects. Be aware of the confidentiality obligations you ha →
ve when accessing personal data and the disciplinary consequences of imprope →
r handling.
Password:
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:1.1</capability>
<capability>urn:ietf:params:netconf:capability:writable-running:1.0</capabil →
ity>
<capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capabi →
lity>
<capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.1</capability>
<capability>urn:ietf:params:netconf:capability:xpath:1.0</capability>
<capability>urn:ietf:params:netconf:capability:notification:1.0</capability>
<capability>urn:ietf:params:netconf:capability:interleave:1.0</capability>
<capability>urn:ietf:params:netconf:capability:partial-lock:1.0</capability>
<capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode= →
explicit&also-supported=report-all-tagged,report-all</capability>
<capability>urn:ietf:params:netconf:capability:yang-library:1.0?revision=201 →
9-01-04&module-set-id=f3d0af818ce1c8aabb947dc1f52a4fcc</capability>
<capability>urn:ietf:params:netconf:capability:yang-library:1.1?revision=201 →
9-01-04&content-id=f3d0af818ce1c8aabb947dc1f52a4fcc</capability>
<capability>http://tail-f.com/ns/netconf/actions/1.0</capability>
<capability>http://tail-f.com/ns/aaa/1.1?module=tailf-aaa&revision=2018-09-1 →
2</capability>
<capability>http://tail-f.com/ns/common/query?module=tailf-common-query&revi →
sion=2017-12-15</capability>
<capability>http://tail-f.com/ns/confd-progress?module=tailf-confd-progress& →
revision=2020-06-29</capability>
<capability>http://tail-f.com/ns/kicker?module=tailf-kicker&revision=2017-09 →
-28</capability>
<capability>http://tail-f.com/ns/netconf/query?module=tailf-netconf-query&re →
vision=2017-01-06</capability>
<capability>http://tail-f.com/yang/acm?module=tailf-acm&revision=2013-03-07< →
/capability>
<capability>http://tail-f.com/yang/common?module=tailf-common&revision=2020- →
06-25</capability>
<capability>http://tail-f.com/yang/common-monitoring?module=tailf-common-mon →
itoring&revision=2019-04-09</capability>
<capability>http://tail-f.com/yang/confd-monitoring?module=tailf-confd-monit →
oring&revision=2019-10-30</capability>
<capability>http://tail-f.com/yang/netconf-monitoring?module=tailf-netconf-m →
onitoring&revision=2019-03-28</capability>
<capability>http://tail-f.com/yang/xsd-types?module=tailf-xsd-types&revision →
=2017-11-20</capability>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0?module=ietf-netconf&revi →
sion=2011-06-01&features=writable-running,rollback-on-error,validate,xpath</ →
capability>
<capability>urn:ietf:params:xml:ns:netconf:partial-lock:1.0?module=ietf-netc →
onf-partial-lock&revision=2009-10-19</capability>
<capability>urn:ietf:params:xml:ns:yang:iana-crypt-hash?module=iana-crypt-ha →
sh&revision=2014-08-06&features=crypt-hash-sha-512,crypt-hash-sha-256,crypt- →
hash-md5</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-typ →
es&revision=2013-07-15</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-acm?module=ietf-netconf →
-acm&revision=2018-02-14</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring?module=ietf- →
netconf-monitoring&revision=2010-10-04</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-notifications?module=ie →
tf-netconf-notifications&revision=2012-02-06</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-with-defaults?module=ie →
tf-netconf-with-defaults&revision=2011-06-01</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-system?module=ietf-system&revis →
ion=2014-08-06&features=local-users,authentication&deviations=ericsson-syste →
m-ext,ericsson-system-ext-aum</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-yang-metadata?module=ietf-yang- →
metadata&revision=2016-08-05</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-typ →
es&revision=2013-07-15</capability>
<capability>urn:rdns:com:ericsson:oammodel:ericsson-notifications?module=eri →
csson-notifications&revision=2018-05-28&features=netconf-state-change</capab →
ility>
<capability>urn:rdns:com:ericsson:oammodel:ericsson-yang-extensions?module=ericsson-yang-extensions&revision=2020-01-02</capability>
</capabilities>
<session-id>119</session-id></hello>]]>]]>

6.8.11.7 Input NETCONF Hello Request with Example

1. Send a NETCONF Hello Request to the Node after every SSH connection.

<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:notification:1.0</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
<capability>urn:ietf:params:netconf:capability:confirmed-commit:1.1</capability>
<capability>urn:ietf:params:netconf:capability:startup:1.0</capability>
</capabilities>
</hello>
]]>]]>

Example
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:1.1</capability>
<capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
<capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.1</capability>
<capability>urn:ietf:params:netconf:capability:xpath:1.0</capability>
<capability>urn:ietf:params:netconf:capability:notification:1.0</capability>
<capability>urn:ietf:params:netconf:capability:interleave:1.0</capability>
<capability>urn:ietf:params:netconf:capability:partial-lock:1.0</capability>
<capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=explicit&also-supported=report-all-tagged,report-all</capability>
<capability>urn:ietf:params:netconf:capability:yang-library:1.0?revision=2019-01-04&module-set-id=f3d0af818ce1c8aabb947dc1f52a4fcc</capability>
<capability>urn:ietf:params:netconf:capability:yang-library:1.1?revision=2019-01-04&content-id=f3d0af818ce1c8aabb947dc1f52a4fcc</capability>
<capability>http://tail-f.com/ns/netconf/actions/1.0</capability>
<capability>http://tail-f.com/ns/aaa/1.1?module=tailf-aaa&revision=2018-09-12</capability>
<capability>http://tail-f.com/ns/common/query?module=tailf-common-query&revision=2017-12-15</capability>
<capability>http://tail-f.com/ns/confd-progress?module=tailf-confd-progress&revision=2020-06-29</capability>
<capability>http://tail-f.com/ns/kicker?module=tailf-kicker&revision=2017-09-28</capability>
<capability>http://tail-f.com/ns/netconf/query?module=tailf-netconf-query&revision=2017-01-06</capability>
<capability>http://tail-f.com/yang/acm?module=tailf-acm&revision=2013-03-07</capability>
<capability>http://tail-f.com/yang/common?module=tailf-common&revision=2020-06-25</capability>
<capability>http://tail-f.com/yang/common-monitoring?module=tailf-common-monitoring&revision=2019-04-09</capability>
<capability>http://tail-f.com/yang/confd-monitoring?module=tailf-confd-monitoring&revision=2019-10-30</capability>
<capability>http://tail-f.com/yang/netconf-monitoring?module=tailf-netconf-monitoring&revision=2019-03-28</capability>
<capability>http://tail-f.com/yang/xsd-types?module=tailf-xsd-types&revision=2017-11-20</capability>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0?module=ietf-netconf&revision=2011-06-01&features=writable-running,rollback-on-error,validate,xpath</capability>
<capability>urn:ietf:params:xml:ns:netconf:partial-lock:1.0?module=ietf-netconf-partial-lock&revision=2009-10-19</capability>
<capability>urn:ietf:params:xml:ns:yang:iana-crypt-hash?module=iana-crypt-hash&revision=2014-08-06&features=crypt-hash-sha-512,crypt-hash-sha-256,crypt-hash-md5</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-acm?module=ietf-netconf-acm&revision=2018-02-14</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring?module=ietf-netconf-monitoring&revision=2010-10-04</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-notifications?module=ietf-netconf-notifications&revision=2012-02-06</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-with-defaults?module=ietf-netconf-with-defaults&revision=2011-06-01</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-system?module=ietf-system&revision=2014-08-06&features=local-users,authentication&deviations=ericsson-system-ext,ericsson-system-ext-aum</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-yang-metadata?module=ietf-yang-metadata&revision=2016-08-05</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-types&revision=2013-07-15</capability>
<capability>urn:rdns:com:ericsson:oammodel:ericsson-notifications?module=ericsson-notifications&revision=2018-05-28&features=netconf-state-change</capability>
<capability>urn:rdns:com:ericsson:oammodel:ericsson-yang-extensions?module=ericsson-yang-extensions&revision=2020-01-02</capability>
</capabilities>
<session-id>119</session-id></hello>]]>]]><?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:notification:1.0</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
<capability>urn:ietf:params:netconf:capability:confirmed-commit:1.1</capability>
<capability>urn:ietf:params:netconf:capability:startup:1.0</capability>
</capabilities>
</hello>
]]>]]>
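The node's hello above is the only place the session tells you what it supports, and every message in these exchanges is delimited by `]]>]]>` (NETCONF 1.0 framing). The following Python example is added here and is not part of the ENM guide: it frames the client hello, splits the channel text on the delimiter, extracts the session-id and capability list, and refuses to continue when the capabilities the later edit-config steps need (writable-running) are absent. SAMPLE_SERVER_HELLO is a constructed, shortened form of the node hello shown above.

```python
"""NETCONF 1.0 hello handling: framing, parsing and a capability pre-check.

Added example using only the Python standard library. SAMPLE_SERVER_HELLO is a
constructed, shortened form of the node hello shown in the guide.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message delimiter used in every exchange
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>'

# Client capabilities from the guide's hello request. The node ignores unknown
# URIs, so a misspelt capability silently advertises nothing: keep them exact.
CLIENT_CAPABILITIES = (
    "urn:ietf:params:netconf:base:1.0",
    "urn:ietf:params:netconf:capability:notification:1.0",
    "urn:ietf:params:netconf:capability:candidate:1.0",
    "urn:ietf:params:netconf:capability:rollback-on-error:1.0",
    "urn:ietf:params:netconf:capability:confirmed-commit:1.1",
    "urn:ietf:params:netconf:capability:startup:1.0",
)

# What the later steps rely on: the user and truststore requests are
# edit-config operations against <running/>, which needs writable-running.
REQUIRED = (
    "urn:ietf:params:netconf:base:1.0",
    "urn:ietf:params:netconf:capability:writable-running:1.0",
)

# Constructed sample of what is read from the SSH channel: one framed hello
# followed by the start of a second, not yet complete, message.
SAMPLE_SERVER_HELLO = (
    XML_DECL + "\n"
    '<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">\n'
    "<capabilities>\n"
    "<capability>urn:ietf:params:netconf:base:1.0</capability>\n"
    "<capability>urn:ietf:params:netconf:base:1.1</capability>\n"
    "<capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>\n"
    "<capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>\n"
    # Module capabilities carry a query string; '&' is escaped on the wire.
    "<capability>urn:ietf:params:xml:ns:yang:ietf-system?module=ietf-system"
    "&amp;revision=2014-08-06&amp;features=local-users,authentication</capability>\n"
    "</capabilities>\n"
    "<session-id>119</session-id></hello>" + EOM + XML_DECL
)


def frame(message: str) -> str:
    """Terminate a message with the NETCONF 1.0 delimiter."""
    return message.rstrip() + "\n" + EOM


def client_hello() -> str:
    """The framed client hello, ready to be written to the SSH channel."""
    caps = "".join(f"<capability>{c}</capability>\n" for c in CLIENT_CAPABILITIES)
    body = (f'{XML_DECL}\n<hello xmlns="{NC_NS}">\n<capabilities>\n'
            f"{caps}</capabilities>\n</hello>")
    return frame(body)


def split_messages(stream: str) -> tuple[list[str], str]:
    """Split channel text on ]]>]]>; return complete messages and the remainder."""
    parts = stream.split(EOM)
    return [p.strip() for p in parts[:-1]], parts[-1]


def parse_hello(message: str) -> tuple[str, list[str]]:
    """Return (session-id, capability URIs) from a node hello.

    A client hello has no <session-id>, so passing one here is an error.
    """
    root = ET.fromstring(message)
    if root.tag != f"{{{NC_NS}}}hello":
        raise ValueError(f"expected <hello>, got {root.tag}")
    session_id = root.findtext(f"{{{NC_NS}}}session-id")
    if not session_id:
        raise ValueError("node hello carries no <session-id>")
    caps = [c.text.strip() for c in root.iter(f"{{{NC_NS}}}capability") if c.text]
    return session_id, caps


def missing_capabilities(advertised: list[str]) -> list[str]:
    """REQUIRED entries the node did not advertise; empty means safe to proceed.

    The ?module=...&revision=... query part of module capabilities is ignored.
    """
    have = {c.split("?", 1)[0] for c in advertised}
    return [r for r in REQUIRED if r not in have]


def module_revision(advertised: list[str], module: str) -> Optional[str]:
    """Revision of a YANG module capability, or None if the node lacks it."""
    for cap in advertised:
        if "?" not in cap:
            continue
        query = parse_qs(cap.split("?", 1)[1])
        if query.get("module") == [module]:
            return query.get("revision", [None])[0]
    return None
```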

6.8.11.8 Input NETCONF Request to Close Connection with Example

1. Send the following request to close the NETCONF session:

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="close-netconf-session" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<close-session/>
</rpc>
]]>]]>

Example
-------------------------------------------------------------------------
/* Previous Netconf content part is ignored to improve readability */
-------------------------------------------------------------------------
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="close-netconf-session" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<close-session/>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="close-netconf-session"><ok/></rpc-reply>]]>]]>Connection to 10.156.12.86 closed.
[root@stsvp6enm40-mscmce-0 certs]#

6.8.11.9 Input NETCONF Request for Creation of Secure User on Node with Example

1. Send the following request to create the secure user on the node:

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="create-sec-admin">
<edit-config>
<target>
<running />
</target>
<config>
<system xmlns="urn:ietf:params:xml:ns:yang:ietf-system">
<authentication>
<user>
<name>{secure_user_name}</name>
<password>admin</password>
<user-label xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">security admin user</user-label>
<administrative-state xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">unlocked</administrative-state>
<groups xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">system-security-admin</groups>
</user>
</authentication>
</system>
</config>
</edit-config>
</rpc>
]]>]]>

Note: Under the <user> tag, the <name> value must be the secure username and the <password> value must be admin. This initial password is replaced at the first SSH login (see 6.8.11.10).

Example
-------------------------------------------------------------------------
/* Previous Netconf content is ignored to improve readability */
-------------------------------------------------------------------------
</hello>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"><data></data></rpc-reply>]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="create-sec-admin">
<edit-config>
<target>
<running />
</target>
<config>
<system xmlns="urn:ietf:params:xml:ns:yang:ietf-system">
<authentication>
<user>
<name>expert</name>
<password>admin</password>
<user-label xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">security admin user</user-label>
<administrative-state xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">unlocked</administrative-state>
<groups xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">system-security-admin</groups>
</user>
</authentication>
</system>
</config>
</edit-config>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="create-sec-admin"><ok/></rpc-reply>]]>]]>

6.8.11.10 Update Secure User Password for the First SSH Connection with Example

1. Connect to the node with the secure user credentials created in the previous step, and replace the default secure user password (admin) with the desired password. The node forces this change at the first login.

[root@stsvp3enm02-mscmce-0 cloud-user]# ssh -p 830 expert@2001:1b70:8210:95e0::10
WARNING: This system is restricted solely to authorized users for legitimate business purposes only. The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to appropriate disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system is recorded and monitored. If monitoring reveals possible evidence of criminal activity, the owner of this equipment may provide the evidence of such activity to law enforcement officials. All authorized users shall comply with the security policies, instructions and requirements related to the business purpose and in case of doubt shall seek advice from his/her manager.
This system process personal data. The misuse of personal data could cause harm to the data subjects. Be aware of the confidentiality obligations you have when accessing personal data and the disciplinary consequences of improper handling.
Password:
Password expired. Change your password now.
Current Password:
New Password:
Reenter new Password:
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:1.1</capability>
<capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
<capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.1</capability>
<capability>urn:ietf:params:netconf:capability:xpath:1.0</capability>
<capability>urn:ietf:params:netconf:capability:notification:1.0</capability>
<capability>urn:ietf:params:netconf:capability:interleave:1.0</capability>
<capability>urn:ietf:params:netconf:capability:partial-lock:1.0</capability>
<capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=explicit&also-supported=report-all-tagged,report-all</capability>
<capability>urn:ietf:params:netconf:capability:yang-library:1.0?revision=2019-01-04&module-set-id=77cfecf026065330338a564b2c1a7567</capability>
<capability>urn:ietf:params:netconf:capability:yang-library:1.1?revision=2019-01-04&content-id=77cfecf026065330338a564b2c1a7567</capability>
<capability>http://tail-f.com/ns/netconf/actions/1.0</capability>
<capability>http://tail-f.com/ns/aaa/1.1?module=tailf-aaa&revision=2018-09-12</capability>
<capability>http://tail-f.com/ns/common/query?module=tailf-common-query&revision=2017-12-15</capability>
<capability>http://tail-f.com/ns/confd-progress?module=tailf-confd-progress&revision=2020-06-29</capability>
<capability>http://tail-f.com/ns/kicker?module=tailf-kicker&revision=2017-09-28</capability>
<capability>http://tail-f.com/ns/netconf/query?module=tailf-netconf-query&revision=2017-01-06</capability>
<capability>http://tail-f.com/yang/acm?module=tailf-acm&revision=2013-03-07</capability>
<capability>http://tail-f.com/yang/common?module=tailf-common&revision=2020-06-25</capability>
<capability>http://tail-f.com/yang/common-monitoring?module=tailf-common-monitoring&revision=2019-04-09</capability>
<capability>http://tail-f.com/yang/confd-monitoring?module=tailf-confd-monitoring&revision=2019-10-30</capability>
<capability>http://tail-f.com/yang/netconf-monitoring?module=tailf-netconf-monitoring&revision=2019-03-28</capability>
<capability>http://tail-f.com/yang/xsd-types?module=tailf-xsd-types&revision=2017-11-20</capability>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0?module=ietf-netconf&revision=2011-06-01&features=writable-running,rollback-on-error,validate,xpath</capability>
<capability>urn:ietf:params:xml:ns:netconf:partial-lock:1.0?module=ietf-netconf-partial-lock&revision=2009-10-19</capability>
<capability>urn:ietf:params:xml:ns:yang:iana-crypt-hash?module=iana-crypt-hash&revision=2014-08-06&features=crypt-hash-sha-512,crypt-hash-sha-256,crypt-hash-md5</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-acm?module=ietf-netconf-acm&revision=2018-02-14</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring?module=ietf-netconf-monitoring&revision=2010-10-04</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-notifications?module=ietf-netconf-notifications&revision=2012-02-06</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-with-defaults?module=ietf-netconf-with-defaults&revision=2011-06-01</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-system?module=ietf-system&revision=2014-08-06&features=local-users,authentication&deviations=ericsson-system-ext,ericsson-system-ext-aum</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-yang-metadata?module=ietf-yang-metadata&revision=2016-08-05</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-types&revision=2013-07-15</capability>
<capability>urn:rdns:com:ericsson:oammodel:ericsson-notifications?module=ericsson-notifications&revision=2018-05-28&features=netconf-state-change</capability>
<capability>urn:rdns:com:ericsson:oammodel:ericsson-yang-extensions?module=ericsson-yang-extensions&revision=2020-01-02</capability>
</capabilities>
<session-id>33</session-id></hello>]]>]]>

6.8.11.11 Input NETCONF Request to Create Trusted Certificate List on Node with Example

1. On the NETCONF terminal, execute the following request to create the certificates list named "oamTrustCategory" under the truststore MO.

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="Create-oamtrustCategory-List" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config>
<target>
<running/>
</target>
<config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"
xmlns:ts="urn:ietf:params:xml:ns:yang:ietf-truststore">
<certificates xc:operation="merge">
<name>{Trust_Category_Name}</name>
<description>OAM trusted certs description</description>
</certificates>
</truststore>
</config>
</edit-config>
</rpc>
]]>]]>

Note: In the <certificates> tag, the <name> value must be oamTrustCategory.

Example
-------------------------------------------------------------------------
/* Previous Netconf content is ignored to improve readability */
-------------------------------------------------------------------------
</hello>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="OAM CMP Server Trust Store"><data></data></rpc-reply>]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="Create-oamtrustCategory-List" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config>
<target>
<running/>
</target>
<config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"
xmlns:ts="urn:ietf:params:xml:ns:yang:ietf-truststore">
<certificates xc:operation="merge">
<name>oamTrustCategory</name>
<description>OAM trusted certs</description>
</certificates>
</truststore>
</config>
</edit-config>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="Create-oamtrustCategory-List"><ok/></rpc-reply>]]>]]>

6.8.11.12 Input NETCONF Request for Trusted Certificate Installation on Node with Example

1. On the NETCONF terminal, execute the following request to run the install-certificate-pem action defined in the ericsson-truststore-ext YANG model and install the desired trusted certificate. Send one such request per trusted CA certificate.

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="install-trustedCertificates-in-truststore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<action xmlns="urn:ietf:params:xml:ns:yang:1">
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore">
<certificates>
<name>oamTrustCategory</name>
<install-certificate-pem xmlns="urn:rdns:com:ericsson:oammodel:ericsson-truststore-ext">
<name>{Trusted CA Name}</name>
<pem>{base64_converted_pem}</pem>
</install-certificate-pem>
</certificates>
</truststore>
</action>
</rpc>
]]>]]>

Note: — Under the <certificates> tag, <name> must be oamTrustCategory
— Under the <install-certificate-pem> tag, <name> must be the Trusted CA Certificate Name. Example: ENM_PKI_Root_CA
— Under the <install-certificate-pem> tag, <pem> must be the base64-converted PEM content of the Trusted CA Certificate

Example
Installing four trusted CA certificates

-------------------------------------------------------------------------
/* Previous Netconf content part is ignored to improve readability */
-------------------------------------------------------------------------
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="install-trustedCertificates-in-truststore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<action xmlns="urn:ietf:params:xml:ns:yang:1">
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore">
<certificates>
<name>oamTrustCategory</name>
<install-certificate-pem xmlns="urn:rdns:com:ericsson:oammodel:ericsson-truststore-ext">
<name>ENM_PKI_Root_CA</name>
<pem>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURlakNDQW1LZ0F →
3SUJBZ0lJWlQwVEYwOEM3UWd3RFFZSktvWklodmNOQVFFTEJRQXdXekVZTUJZR0ExVUUKQXd3UFJ →
VNU5YMUJMU1Y5U2IyOTBYME5CTVFzd0NRWURWUVFHRXdKVFJURVJNQThHQTFVRUNnd0lSWEpwWTN →
OegpiMjR4SHpBZEJnTlZCQXNNRmxKdmMyVnljMkpsY21kZmMzUnpkbkF6Wlc1dE1ESXdIaGNOTWp →
Fd056QTFNVFV6Ck1USXlXaGNOTXpFd056QTFNVFV6TVRJeVdqQmJNUmd3RmdZRFZRUUREQTlGVGs →
xZlVFdEpYMUp2YjNSZlEwRXgKQ3pBSkJnTlZCQVlUQWxORk1SRXdEd1lEVlFRS0RBaEZjbWxqYzN →
OdmJqRWZNQjBHQTFVRUN3d1dVbTl6WlhKegpZbVZ5WjE5emRITjJjRE5sYm0wd01qQ0NBU0l3RFF →
ZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFJKzc5cWNtbnpiQ3BoYXZXNWMvUWR →
zeENUYVhvRWVOUGFkbjByNUJSRUxVSjdpdGttOTBlOC84c2l3TzlNKy8KVjU4THNPWnU4R1RRRDd →
XQy8rV0FQYVBoakxmUnBNcU5xY3hQMXBvamtLandxcHFKTFF0UXdiK2JUVW01NTlsVApUUW5RMi9 →
ic1l6Ny8vQ2tuMER6VFJTcGRucHpiakdxVnhyZzdxM2IvdURDRlFkeXhrSGZ6dEdLenZZa3dQMnN →
BClRtejJiYXJVTXRick9tWTVITDJJSXdENzJuM04yYW50Vkl0V1crbHVWakdTM3hjSFhrZGc3Sld →
Wb1NVZXNRQmwKRGczWlIzYVB0Vk1jNk5kS3NHOEZEaW41MGhXOUNtZXA1MjgrNzdaamdTNlVhUGx →
NaVhnV0JsL0xacU1jZjJWYgo3emQ1WkcvZnlZRC9jQi80REwyMVpOY0NBd0VBQWFOQ01FQXdIUVl →
EVlIwT0JCWUVGSTVJVW1aejRpbnd0TDllCnlRcjEwV255TEJpNU1BOEdBMVVkRXdFQi93UUZNQU1 →
CQWY4d0RnWURWUjBQQVFIL0JBUURBZ0VHTUEwR0NTcUcKU0liM0RRRUJDd1VBQTRJQkFRQU5rMk0 →
vRDk0L0lFbEF0RFNpcE9Na2hEVGkrNU5IVHE0bWYrajVZRWpneWhOOApXZzFkSThOZ3RJak13Y0I →
3RnZ4a1pYREIwRlJwWjdCMkdONlVqRktrR1NyZHNEazNHNW9zNElFam4wY3ZPL09NCmFzM1ZIMWl →
sZlVhV29IWExkZ0tkcHFDb1p0WVJ4MzdJblpPRGpDYVIyblZiaDZRaldSYlB5OXYxRXhNVjNmamE →
KOW9sOENEL2NlbmhWV1ZBNWpaby91WU1qeDZ2SVJlQVp5TXZtN2ZlNFpwSGg5cWRnN2FkT004dmF →
SdUgyME9Zdworc200TXAwQk8yZDRHSmpGSk43aU9VdUlLZmZOSFdTamZsdEs3YzBHbW5tQmtKK1J →
vT3JoTmNyM2o5ODhUWDlrCkZxTExBWG9UdzBRTE5FRTcrZVVnd0NFaEt5S0g0OXpsLzB6SlVUdHY →
KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</pem>
</install-certificate-pem>
</certificates>
</truststore>
</action>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="install-trustedCertificates-in-truststore"><ok/></rpc-reply>]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="install-trustedCertificates-in-truststore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<action xmlns="urn:ietf:params:xml:ns:yang:1">
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore">
<certificates>
<name>oamTrustCategory</name>
<install-certificate-pem xmlns="urn:rdns:com:ericsson:oammodel:ericsson-truststore-ext">
<name>ENM_Infrastructure_CA</name>
<pem>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvVENDQW9tZ0F →
3SUJBZ0lJSWU4UEI3RzYrNWd3RFFZSktvWklodmNOQVFFTEJRQXdXekVZTUJZR0ExVUUKQXd3UFJ →
VNU5YMUJMU1Y5U2IyOTBYME5CTVFzd0NRWURWUVFHRXdKVFJURVJNQThHQTFVRUNnd0lSWEpwWTN →
OegpiMjR4SHpBZEJnTlZCQXNNRmxKdmMyVnljMkpsY21kZmMzUnpkbkF6Wlc1dE1ESXdIaGNOTWp →
Fd056QTFNVFV6Ck1UTXdXaGNOTWprd056QTFNVFV6TVRNd1dqQmhNUjR3SEFZRFZRUUREQlZGVGs →
xZlNXNW1jbUZ6ZEhKMVkzUjEKY21WZlEwRXhDekFKQmdOVkJBWVRBbE5GTVJFd0R3WURWUVFLREF →
oRmNtbGpjM052YmpFZk1CMEdBMVVFQ3d3VwpVbTl6WlhKelltVnlaMTl6ZEhOMmNETmxibTB3TWp →
DQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDCkFRb0NnZ0VCQU0zVk5uWmlmVHZ2VVZ →
aOFlvbXVLVVF1VUl4V2w0S2M5RHg2TzkxcTUrMjRSSU5mZnJQaUthNnQKNTJrUitRd2FpUDlVK1k →
1cWEvbURHT2RJMXVXbGtxZEZwTDMwQ0hhU2RrcjE1RzNsTjZFVEdqWFprSlVlcUEvTwpTQVVibUE →
zRGlibnFJRUt0UWdsRTVQMUZBejZhY243M0hpYVk2elY3UFBqamxtOTNyY1E1UFQ0ZnMwRnpHR3R →
ZClJpblowZVhVWTd5dTVjeTltRENvU0ErTXo2VVpkamJhK2oya1VYU3dNcWQ2bGZ4YWd2eTdUbGY →
rRENiUFlaVkwKRmVXZ1RYSGVmMFNIelp0UHJ4WmtPOTdsL1U4ZWVGRk5MUktQVXhpSUdVayt0RGs →
zUDE1OGlyNWZKSldQVTVCSAp2SkhNR2VRYjBGUy9yS1JRMm9BTnhURWFTQlV2UXowQ0F3RUFBYU5 →
qTUdFd0hRWURWUjBPQkJZRUZKYThxamRsCnhNS3pzZSthaXRrdllmZHBtek5ZTUE4R0ExVWRFd0V →
CL3dRRk1BTUJBZjh3SHdZRFZSMGpCQmd3Rm9BVWpraFMKWm5QaUtmQzB2MTdKQ3ZYUmFmSXNHTGt →
3RGdZRFZSMFBBUUgvQkFRREFnRUdNQTBHQ1NxR1NJYjNEUUVCQ3dVQQpBNElCQVFBWFZuV1c5NzQ →
5bjBIdEMvRjZ5RTNFbTZ2UHBtNTd3aXcxMGZaZnZvRjVZNU4xem13QmhmdXkwNzRlCmZLTUVpSXM →
xaTJhOUxCZEh5RVRwcW9jVEd4bVpra2hFRVBTaTE2NGlMTHJsblRyZHRaZThweWtLU1daa2pLUnY →
Kelp5OGZ2alhCNmdwaXExUWtZcEI1ell3VWtQdDRld0svdVNYNnozOStSQThpbm5qbXN4S3VtVDB →
kWFpkQXpMdwpiMnJ4YmF2YjMwdFQ3cWNGQVhMTksvcFk4c0ZJYVI0VmE4NStIdS9hbm0zWGJDUFl →
kemE2ZGw1NlJ0SEM3RnJHCjdwRnN2ZnFwUFpDS3JORkZydU50Z3R4STRCRzdTcE5Na1ExZG92RWI →
4MmU3bUI2MXlJL1ZVRDNHMk1vZ2dHa3YKSWxNcE44a0dDOGNGdGJmT0hnZWQvaU1WcFpVaQotLS0 →
tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==</pem>
</install-certificate-pem>
</certificates>
</truststore>
</action>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="install-trustedCertificates-in-truststore"><ok/></rpc-reply>]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="install-trustedCertificates-in-truststore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<action xmlns="urn:ietf:params:xml:ns:yang:1">
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore">
<certificates>
<name>oamTrustCategory</name>
<install-certificate-pem xmlns="urn:rdns:com:ericsson:oammodel:ericsson-truststore-ext">
<name>ENM_OAM_CA</name>
<pem>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURuRENDQW9TZ0F →
3SUJBZ0lJQm10bms2bnR6TlF3RFFZSktvWklodmNOQVFFTEJRQXdZVEVlTUJ3R0ExVUUKQXd3VlJ →
VNU5YMGx1Wm5KaGMzUnlkV04wZFhKbFgwTkJNUXN3Q1FZRFZRUUdFd0pUUlRFUk1BOEdBMVVFQ2d →
3SQpSWEpwWTNOemIyNHhIekFkQmdOVkJBc01GbEp2YzJWeWMySmxjbWRmYzNSemRuQXpaVzV0TUR →
Jd0hoY05NakV3Ck56QTFNVFV6TVRNMVdoY05Namt3TnpBMU1UVXdNRE0xV2pCV01STXdFUVlEVlF →
RRERBcEZUazFmVDBGTlgwTkIKTVFzd0NRWURWUVFHRXdKVFJURVJNQThHQTFVRUNnd0lSWEpwWTN →
OemIyNHhIekFkQmdOVkJBc01GbEp2YzJWeQpjMkpsY21kZmMzUnpkbkF6Wlc1dE1ESXdnZ0VpTUE →
wR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCCkFRQzQ1Zk91Z3h2cTRUSVBoNU1ZaEl →
PZTZIWG14VWtrQlBXc3hjM0pDdDlyWU9qWEF4ZVE3TkFjMzZ0aVozOXMKeCtlUFpqd0tJK3pGQzV →
IbXZqdk1QNHdGRlZNY0l1cUo2QkxKeU1lRkhpNHV6enFUMFRheVc2dkdqRUt5TlBVOAptbkJTQ3p →
vRGdFZnY2ayt2WExQdGt4emwwTGFlb2tPL1VmQTBkbVB2WFNIcU1veG9rbWdpekhLcWNLaFJXc3R →
1CkM4K0lwV0hsZVFBdmJpMWFUQUlhQjhGRkZLcGZMQ1NVOSsrVHJUdmt2Vk9pNlZiS2h6UU1CZ2J →
uQlJVenh2aGsKeXBwNU1NYVhpY2lhb1pocXVkL1V4dFhERmNMN2V4bnozMGlGckhPRHRvemsvSVQ →
5RE9vNDN4WE0vekxoamx3NQpKSlAzbklEYVhDbnNVdWxUbzFFaFI4N1RBZ01CQUFHall6QmhNQjB →
HQTFVZERnUVdCQlJVaG5QOG42TlorV0NRCjF4Zmh5VGNhdWg5UmVqQVBCZ05WSFJNQkFmOEVCVEF →
EQVFIL01COEdBMVVkSXdRWU1CYUFGSmE4cWpkbHhNS3oKc2UrYWl0a3ZZZmRwbXpOWU1BNEdBMVV →
kRHdFQi93UUVBd0lCQmpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQQpiZHBYS05MNTVPWUthSzF →
3ajVTMkUvaE5NdkZoMzZVdW8xRHczZXVtbVhqRjZjVkJkcWkxMTZQdnFTUUpNR09qCjZ4anljVTV →
WeWczM0t3K2NBM0RZNHZnNExCN0RlVGhkNEhOOHpsd2M3c2pZMWdXVndBbktLWEhrYjFQcXpJN1o →
KOWxUVHBEWWtjc1VLdVhzMEVHRi9ycDlHVURSRUdYRmxjcjVYN2VLcEFwcVNlc2VKNlNjWmxnYnJ →
nNURFOTVWQgpudVh6d0N3SU42VVdzWUtaN2JxUVRTOXlkUU8zL0U2TEdXN1J3NU1NcVUvbDVIbSs →
5Yzc1ekdNOFh1T0tpK3I5CmRkRzFNZHgxZmIvaHprcGMvSWlEN1hvUFgwR0p6YnI1em0zWS9Ib05 →
IZXR4NjBrVjZxQTg5K00yaDVTOXdGODcKeXBac3lweFJmbjJhV1FEZXl1amtHZz09Ci0tLS0tRU5 →
EIENFUlRJRklDQVRFLS0tLS0K</pem>
</install-certificate-pem>
</certificates>
</truststore>
</action>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="install-trustedCertificates-in-truststore"><ok/></rpc-reply>]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="install-trustedCertificates-in-truststore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<action xmlns="urn:ietf:params:xml:ns:yang:1">
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore">
<certificates>
<name>oamTrustCategory</name>
<install-certificate-pem xmlns="urn:rdns:com:ericsson:oammodel:ericsson-truststore-ext">
<name>NE_OAM_CA</name>
<pem>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURsVENDQW4yZ0F →
3SUJBZ0lJTkprN01xNUZVVnd3RFFZSktvWklodmNOQVFFTEJRQXdXekVZTUJZR0ExVUUKQXd3UFJ →
VNU5YMUJMU1Y5U2IyOTBYME5CTVFzd0NRWURWUVFHRXdKVFJURVJNQThHQTFVRUNnd0lSWEpwWTN →
OegpiMjR4SHpBZEJnTlZCQXNNRmxKdmMyVnljMkpsY21kZmMzUnpkbkF6Wlc1dE1ESXdIaGNOTWp →
Fd056QTFNVFV6Ck1USTRXaGNOTWprd056QTFNVFV6TVRJNFdqQlZNUkl3RUFZRFZRUUREQWxPUlY →
5UFFVMWZRMEV4Q3pBSkJnTlYKQkFZVEFsTkZNUkV3RHdZRFZRUUtEQWhGY21samMzTnZiakVmTUI →
wR0ExVUVDd3dXVW05elpYSnpZbVZ5WjE5egpkSE4yY0RObGJtMHdNakNDQVNJd0RRWUpLb1pJaHZ →
jTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNR1hwbVpUCjFaZHQyRDg0QTlFTU50cHhpZkFPd1I →
2TWRzS0hrbUZwcmtZNVk3a0g3dGxDTElrSEZXTVlua2NELzlwZkRFQWQKemlwT21HVXlrYnVWUXZ →
kOVJjTEZuUlJvN3NjUG9ZNUV5OWt4TEJmZkNpbFhtNXZpMGlSdGRNMTdodzBNdmFUTQpTdGYzNEF →
1NDhEa25XenhjaGJaaGFPbm5aNmNOS2F3eTFjZmdoYnBIMTRjbXR6ck92cFFldmNxOEYvcVM1SlB →
JCnVjN0Z4MFV6VkpVdWpidnhLU0xiS2RwK0ZKQjcvdHlUVUoxWWl4eWo3ckNRZElud0QrcW9NNWl →
oRFUxYTdWWVYKZzdyd2pQQkFjTzB4aXRKakJQY0cyNjhUY2RtNFViTFdZUDA5VHhaR3dacUgwNlZ →
vZlNEd3VwanlUd1EwNTdhZgpuemlJTzh6MVZIYk5xY2tDQXdFQUFhTmpNR0V3SFFZRFZSME9CQll →
FRkFxWHFBYkhaUmg3RjE1clV3a2FPR3hPCnIvcFFNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdId1l →
EVlIwakJCZ3dGb0FVamtoU1puUGlLZkMwdjE3SkN2WFIKYWZJc0dMa3dEZ1lEVlIwUEFRSC9CQVF →
EQWdFR01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVhoRmtybnhQUgo0VUFwZXk2UmhpM2kwZFR →
KNXhlMzczTkViOHZnRTROVWdYeXhVNVlqeDZJZDhKMjh4TDJkZmo5eTArTHJjK1VyClhSbnB4N2c →
5UGQycE41S1lGbkNRT2tQUDIrZDFsejBXOXQzemZCZGFJbWZVakJaZTdPQkIxQm12bFA4YlQ4SXo →
KSERBNE1rRnVyeXVDNjJjenUwSjVwaTZtNWpjZ3Z5RXdRanNDb21MNzJSUGhSYTU1N0dJWmgxcVo →
4MUhoWVlTawpBenFSNzBLd0huK3hWaFNOMUdPeGVVRkZqQ01yaXRScTUvOWppeHFiMTFabllzQW5 →
LaXBqaXVBb01qVDZBZWNPCkVQUktWR3NSQUlkaDZIVVZvVll2eis1b3VpV0plU2YwcCs0b1dlSUV →
oQzFkNk9aR3BOaDBIVTNEVUtoREpNNDAKbkdXMGlBVUZRaVp3Ci0tLS0tRU5EIENFUlRJRklDQVR →
FLS0tLS0K</pem>
</install-certificate-pem>
</certificates>
</truststore>
</action>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="install-trustedCertificates-in-truststore"><ok/></rpc-reply>]]>]]>
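The <pem> values in the four requests above all begin with LS0tLS1CRUdJTi, which is the base64 encoding of "-----BEGIN": the value is the whole PEM file text, encoded once more. The following Python example is added here and is not the ENM guide's or the node's own tooling: it derives that value from a PEM string, builds the install-certificate-pem action, distinguishes an <ok/> reply from an <rpc-error> (and from a reply to a different message-id), and reads the installed certificate names back out of the fetch reply used in the next step so that a missing CA is reported. The PEM body and all replies are constructed samples.

```python
"""Build install-certificate-pem actions, check replies, read back the truststore.

Added example, standard library only. Namespaces and element names are those of
the requests in the guide; SAMPLE_PEM, SAMPLE_OK_REPLY, SAMPLE_ERROR_REPLY and
SAMPLE_GET_REPLY are constructed (certificate bodies are placeholders).
"""
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
TS_NS = "urn:ietf:params:xml:ns:yang:ietf-truststore"
EXT_NS = "urn:rdns:com:ericsson:oammodel:ericsson-truststore-ext"
EOM = "]]>]]>"
INSTALL_ID = "install-trustedCertificates-in-truststore"
FETCH_ID = "fetch-trustedCertificates-in-truststore"
# The four CAs installed in the guide's example.
EXPECTED_CAS = ("ENM_PKI_Root_CA", "ENM_Infrastructure_CA", "ENM_OAM_CA", "NE_OAM_CA")

SAMPLE_PEM = (  # constructed: the body is a placeholder, not a real certificate
    "-----BEGIN CERTIFICATE-----\n"
    "UGxhY2Vob2xkZXJCb2R5Tm90QVJlYWxDZXJ0aWZpY2F0ZQ==\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_OK_REPLY = f'<rpc-reply xmlns="{NC_NS}" message-id="{INSTALL_ID}"><ok/></rpc-reply>{EOM}'
SAMPLE_ERROR_REPLY = (
    f'<rpc-reply xmlns="{NC_NS}" message-id="{INSTALL_ID}"><rpc-error>'
    "<error-type>application</error-type><error-tag>operation-failed</error-tag>"
    "<error-message>constructed sample error</error-message></rpc-error></rpc-reply>" + EOM
)
SAMPLE_GET_REPLY = (  # shape of the guide's fetch reply; one CA deliberately absent
    f'<rpc-reply xmlns="{NC_NS}" message-id="{FETCH_ID}"><data>'
    f'<truststore xmlns="{TS_NS}"><certificates><name>oamTrustCategory</name>'
    "<description>OAM trusted certs description</description>"
    "<certificate><name>NE_OAM_CA</name><cert>PLACEHOLDER</cert></certificate>"
    "<certificate><name>ENM_OAM_CA</name><cert>PLACEHOLDER</cert></certificate>"
    "<certificate><name>ENM_Infrastructure_CA</name><cert>PLACEHOLDER</cert></certificate>"
    f"</certificates></truststore></data></rpc-reply>{EOM}"
)


def pem_to_value(pem_text: str) -> str:
    """The <pem> value: the complete PEM text (BEGIN/END lines and newlines
    included) base64-encoded once more, as the guide's LS0tLS1CRUdJTi... values show."""
    if "-----BEGIN CERTIFICATE-----" not in pem_text or "-----END CERTIFICATE-----" not in pem_text:
        raise ValueError("input is not a PEM certificate")
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def value_to_pem(value: str) -> str:
    """Inverse of pem_to_value, to inspect a request before it is sent."""
    return base64.b64decode(value, validate=True).decode("ascii")


def build_install_request(ca_name: str, pem_text: str, category: str = "oamTrustCategory") -> str:
    """One framed install-certificate-pem action; send one per trusted CA."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<rpc message-id="{INSTALL_ID}" xmlns="{NC_NS}">\n'
        '<action xmlns="urn:ietf:params:xml:ns:yang:1">\n'
        f'<truststore xmlns="{TS_NS}">\n<certificates>\n<name>{escape(category)}</name>\n'
        f'<install-certificate-pem xmlns="{EXT_NS}">\n'
        f"<name>{escape(ca_name)}</name>\n<pem>{pem_to_value(pem_text)}</pem>\n"
        "</install-certificate-pem>\n</certificates>\n</truststore>\n</action>\n</rpc>\n" + EOM
    )


def _reply_root(reply: str) -> ET.Element:
    root = ET.fromstring(reply.split(EOM, 1)[0].strip())
    if root.tag != f"{{{NC_NS}}}rpc-reply":
        raise ValueError(f"expected <rpc-reply>, got {root.tag}")
    return root


def check_reply(reply: str, message_id: str) -> bool:
    """True for <ok/>. Raises on an rpc-error or on a reply to another request,
    so the next certificate is only sent after this one was accepted."""
    root = _reply_root(reply)
    if root.get("message-id") != message_id:
        raise ValueError(f"reply message-id {root.get('message-id')!r} != {message_id!r}")
    err = root.find(f"{{{NC_NS}}}rpc-error")
    if err is not None:
        tag = (err.findtext(f"{{{NC_NS}}}error-tag") or "").strip()
        msg = (err.findtext(f"{{{NC_NS}}}error-message") or "").strip()
        raise RuntimeError(f"node rejected request: {tag} {msg}".strip())
    return root.find(f"{{{NC_NS}}}ok") is not None


def installed_cert_names(get_reply: str, category: str = "oamTrustCategory") -> list[str]:
    """Certificate names listed under the given trust category in a fetch reply."""
    for certs in _reply_root(get_reply).iter(f"{{{TS_NS}}}certificates"):
        if certs.findtext(f"{{{TS_NS}}}name") == category:
            return [c.findtext(f"{{{TS_NS}}}name") or "" for c in certs.findall(f"{{{TS_NS}}}certificate")]
    raise LookupError(f"trust category {category!r} not present on node")


def missing_trusted_cas(get_reply: str, expected: tuple) -> list[str]:
    """Expected CA names that the node does not report as installed."""
    present = set(installed_cert_names(get_reply))
    return [name for name in expected if name not in present]
```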

6.8.11.13 Input NETCONF Request to Fetch Trusted Certificates Installed on Node with Example

1. On the NETCONF terminal, execute the following request to get the trusted certificates installed on the Node.

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="fetch-trustedCertificates-in-truststore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<filter type="subtree">
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"
xmlns:ts="urn:rdns:com:ericsson:oammodel:ericsson-truststore-ext">
</truststore>
</filter>
</get>
</rpc>
]]>]]>

Example
-------------------------------------------------------------------------
/* Previous Netconf content part is ignored to improve readability */
-------------------------------------------------------------------------
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="fetch-trustedCertificates-in-truststore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<filter type="subtree">
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"
xmlns:ts="urn:rdns:com:ericsson:oammodel:ericsson-truststore-ext">
</truststore>
</filter>
</get>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="fetch-trustedCertificates-in-truststore"><data><truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"><certificates><name>oamTrustCategory</name><description>OAM trusted certs description</description><certificate><name>NE_OAM_CA</name><cert>[base64 certificate omitted]</cert></certificate><certificate><name>ENM_OAM_CA</name><cert>[base64 certificate omitted]</cert></certificate><certificate><name>ENM_Infrastructure_CA</name><cert>[base64 certificate omitted]</cert></certificate><certificate><name>ENM_PKI_Root_CA</name><cert>[base64 certificate omitted]</cert></certificate></certificates></truststore></data></rpc-reply>]]>]]>

6.8.11.14 Input NETCONF Request for Node Certificate Installation on Node with Example

1. On the NETCONF terminal, execute the following request to run the action install-asymmetric-key-pkcs12 defined by the ericsson-keystore-ext YANG model.

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="install-oamNodeCredential-in-keystore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <action xmlns="urn:ietf:params:xml:ns:yang:1" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
    <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
      <asymmetric-keys xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
        <install-asymmetric-key-pkcs12 xmlns="urn:rdns:com:ericsson:oammodel:ericsson-keystore-ext">
          <name>{pkcs12KeyName}</name>
          <certificate-name>{Certificates_List_Name}</certificate-name>
          <p12>{Base_64_Converted_p12}</p12>
          <p12-password>{password_of_p12}</p12-password>
        </install-asymmetric-key-pkcs12>
      </asymmetric-keys>
    </keystore>
  </action>
</rpc>
]]>]]>

Note: Under the <install-asymmetric-key-pkcs12> tag:

— <name> and <certificate-name> values must be oamNodeCredential.

— <p12> value must be the base64-converted p12.

— <p12-password> value must be the same password that was used when the p12 was generated in the ENM CLI.

Example
-------------------------------------------------------------------------
/* Previous Netconf content part is ignored to improve readability */
-------------------------------------------------------------------------
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="install-oamNodeCredential-in-keystore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <action xmlns="urn:ietf:params:xml:ns:yang:1" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
    <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
      <asymmetric-keys xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
        <install-asymmetric-key-pkcs12 xmlns="urn:rdns:com:ericsson:oammodel:ericsson-keystore-ext">
          <name>oamNodeCredential</name>
          <certificate-name>oamNodeCredential</certificate-name>
          <p12>[base64 PKCS#12 blob omitted]</p12>
          <p12-password>secure</p12-password>
        </install-asymmetric-key-pkcs12>
      </asymmetric-keys>
    </keystore>
  </action>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="install-oamNodeCredential-in-keystore"><ok/></rpc-reply>]]>]]>

6.8.11.15 Input NETCONF Request to Fetch Node Certificate Installed on Node with Example

1. On the NETCONF terminal, execute the following request to get the oamNodeCredential installed on the node.

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="fetch-oamNodeCredential-in-keystore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <filter type="subtree">
      <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore"
                xmlns:ks="urn:rdns:com:ericsson:oammodel:ericsson-keystore-ext">
      </keystore>
    </filter>
  </get>
</rpc>
]]>]]>

Example
-------------------------------------------------------------------------
/* Previous Netconf content part is ignored to improve readability */
-------------------------------------------------------------------------
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="fetch-oamNodeCredential-in-keystore"><ok/></rpc-reply>]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="fetch-oamNodeCredential-in-keystore" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <filter type="subtree">
      <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore"
                xmlns:ks="urn:rdns:com:ericsson:oammodel:ericsson-keystore-ext">
      </keystore>
    </filter>
  </get>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="fetch-oamNodeCredential-in-keystore"><ok/></rpc-reply>]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="OAM CMP Server Trust Store" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <filter type="subtree">
      <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore"
                xmlns:ks="urn:rdns:com:ericsson:oammodel:ericsson-keystore-ext">
      </keystore>
    </filter>
  </get>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="fetch-oamNodeCredential-in-keystore"><data><keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore"><asymmetric-keys><asymmetric-key><name>oamNodeCredential</name><algorithm>rsa2048</algorithm><public-key>[base64 public key omitted]</public-key><private-key>[base64 private key omitted]</private-key><certificates><certificate><name>oamNodeCredential</name><cert>[base64 certificate omitted]</cert></certificate></certificates></asymmetric-key></asymmetric-keys></keystore></data></rpc-reply>]]>]]>
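As an added example (not code from the guide or from ENM), the following script builds the install-asymmetric-key-pkcs12 action from 6.8.11.14 and checks the truststore and keystore replies from 6.8.11.13 and 6.8.11.15 for the expected CA names and credential. It assumes NETCONF 1.0 framing and uses constructed sample replies in which AAAA stands in for the base64 payloads.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
TS = "urn:ietf:params:xml:ns:yang:ietf-truststore"
KS = "urn:ietf:params:xml:ns:yang:ietf-keystore"
KS_EXT = "urn:rdns:com:ericsson:oammodel:ericsson-keystore-ext"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message delimiter (RFC 6242)
# The four ENM CA certificates the guide expects in oamTrustCategory.
REQUIRED_OAM_CAS = {"NE_OAM_CA", "ENM_OAM_CA", "ENM_Infrastructure_CA", "ENM_PKI_Root_CA"}


def build_install_pkcs12_rpc(p12_der: bytes, password: str,
                             message_id: str = "install-oamNodeCredential-in-keystore") -> str:
    """Build the install-asymmetric-key-pkcs12 action for oamNodeCredential.
    The PKCS#12 is base64-encoded and the password is XML-escaped, so a
    password containing & or < can neither break nor alter the RPC."""
    p12_b64 = base64.b64encode(p12_der).decode("ascii")
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<rpc message-id="{escape(message_id)}" xmlns="{NC}">\n'
        '  <action xmlns="urn:ietf:params:xml:ns:yang:1">\n'
        f'    <keystore xmlns="{KS}">\n'
        '      <asymmetric-keys>\n'
        f'        <install-asymmetric-key-pkcs12 xmlns="{KS_EXT}">\n'
        '          <name>oamNodeCredential</name>\n'
        '          <certificate-name>oamNodeCredential</certificate-name>\n'
        f'          <p12>{p12_b64}</p12>\n'
        f'          <p12-password>{escape(password)}</p12-password>\n'
        '        </install-asymmetric-key-pkcs12>\n'
        '      </asymmetric-keys>\n'
        '    </keystore>\n'
        '  </action>\n'
        f'</rpc>\n{EOM}'
    )


def parse_reply(message: str) -> ET.Element:
    """Parse one rpc-reply (a trailing ]]>]]> is tolerated); raise on rpc-error."""
    root = ET.fromstring(message.split(EOM)[0].strip())
    if root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError(f"not an rpc-reply: {root.tag}")
    err = root.find(f"{{{NC}}}rpc-error")
    if err is not None:
        raise RuntimeError(err.findtext(f"{{{NC}}}error-message") or "rpc-error")
    return root


def trusted_cert_names(reply: str) -> dict:
    """{trust category name: [certificate names]} from a truststore get reply."""
    out = {}
    for cat in parse_reply(reply).iter(f"{{{TS}}}certificates"):
        out[cat.findtext(f"{{{TS}}}name")] = [
            c.findtext(f"{{{TS}}}name") for c in cat.findall(f"{{{TS}}}certificate")]
    return out


def missing_oam_cas(reply: str) -> set:
    """Which of the four ENM CAs are absent from oamTrustCategory on the node."""
    return REQUIRED_OAM_CAS - set(trusted_cert_names(reply).get("oamTrustCategory", []))


def keystore_summary(reply: str) -> list:
    """One dict per asymmetric-key. The private-key text is never copied out,
    only whether the node returned one, so the summary is safe to log."""
    keys = []
    for k in parse_reply(reply).iter(f"{{{KS}}}asymmetric-key"):
        priv = k.find(f"{{{KS}}}private-key")
        keys.append({
            "name": k.findtext(f"{{{KS}}}name"),
            "algorithm": k.findtext(f"{{{KS}}}algorithm"),
            "private_key_returned": priv is not None and bool((priv.text or "").strip()),
            "certificates": [c.findtext(f"{{{KS}}}name") for c in k.iter(f"{{{KS}}}certificate")],
        })
    return keys


# Constructed sample replies with the structure of the guide's examples;
# "AAAA" stands in for the base64 payloads and is not a real certificate or key.
TRUSTSTORE_REPLY = (
    f'<rpc-reply xmlns="{NC}" message-id="fetch-trustedCertificates-in-truststore">'
    f'<data><truststore xmlns="{TS}"><certificates><name>oamTrustCategory</name>'
    '<description>OAM trusted certs description</description>'
    + "".join(f"<certificate><name>{n}</name><cert>AAAA</cert></certificate>"
              for n in sorted(REQUIRED_OAM_CAS))
    + f'</certificates></truststore></data></rpc-reply>{EOM}'
)
KEYSTORE_REPLY = (
    f'<rpc-reply xmlns="{NC}" message-id="fetch-oamNodeCredential-in-keystore">'
    f'<data><keystore xmlns="{KS}"><asymmetric-keys><asymmetric-key>'
    '<name>oamNodeCredential</name><algorithm>rsa2048</algorithm>'
    '<public-key>AAAA</public-key><private-key>AAAA</private-key>'
    '<certificates><certificate><name>oamNodeCredential</name><cert>AAAA</cert>'
    f'</certificate></certificates></asymmetric-key></asymmetric-keys></keystore></data></rpc-reply>{EOM}'
)
ERROR_REPLY = (f'<rpc-reply xmlns="{NC}" message-id="x"><rpc-error><error-type>application</error-type>'
               f'<error-message>access denied</error-message></rpc-error></rpc-reply>{EOM}')
```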

6.8.11.16 Input NETCONF Request to Install LDAP Configuration on Node with Example

1. On the NETCONF terminal, execute the following request to configure the LDAP server details defined in ericsson-system-ext.

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="configure-secure-ldap">
  <edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <target>
      <running />
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <system xmlns="urn:ietf:params:xml:ns:yang:ietf-system" xc:operation="merge">
        <ldap xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">
          <server>
            <name>external</name>
            <tcp>
              <address>{ldapIpv4Address/ldapIpv6Address}</address>
              <ldaps>
                <port>{ldapsPort}</port>
              </ldaps>
            </tcp>
          </server>
          <security>
            <tls/>
            <simple-authenticated>
              <bind-dn>{bindDn}</bind-dn>
              <bind-password>{bindPassword}</bind-password>
            </simple-authenticated>
            <user-base-dn>{baseDn}</user-base-dn>
          </security>
          <options>
            <timeout>5</timeout>
            <enable-referrals>false</enable-referrals>
          </options>
        </ldap>
      </system>
    </config>
  </edit-config>
</rpc>
]]>]]>

Note: Under the <tcp> tag:

— <address> value must be the ldapIpv4Address or ldapIpv6Address, depending on the node, fetched from Step 1 of LDAP Configuration on the Node on page 151.

Under the <ldaps> tag:

— <port> value must be the ldapsPort fetched from Step 1 of LDAP Configuration on the Node on page 151.

Under the <security> and <simple-authenticated> tags:

— <bind-dn> and <bind-password> must be the bindDn and bindPassword fetched from Step 1 of LDAP Configuration on the Node on page 151.

Under the <security> tag:

— <user-base-dn> must be the baseDn fetched from Step 1 of LDAP Configuration on the Node on page 151.

Example
-------------------------------------------------------------------------
/* Previous Netconf content part is ignored to improve readability */
-------------------------------------------------------------------------
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="configure-secure-ldap">
  <edit-config>
    <target>
      <running />
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <system xmlns="urn:ietf:params:xml:ns:yang:ietf-system">
        <ldap xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">
          <server>
            <name>external</name>
            <tcp>
              <address>2001:1b70:8231:0001:0000:0000:0000:100e</address>
              <ldaps>
                <port>1636</port>
              </ldaps>
            </tcp>
          </server>
          <security>
            <tls />
            <simple-authenticated>
              <bind-dn>cn=ProxyAccount_16,ou=proxyagent,ou=com,dc=stsvp3enm02-72,dc=com</bind-dn>
              <bind-password>TLnH6ywUvNHWrAvdeHzZzswS</bind-password>
            </simple-authenticated>
            <user-base-dn>dc=stsvp3enm02-72,dc=com</user-base-dn>
          </security>
          <options>
            <timeout>5</timeout>
            <enable-referrals>false</enable-referrals>
          </options>
        </ldap>
      </system>
    </config>
  </edit-config>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="configure-secure-ldap"><ok/></rpc-reply>]]>]]>

6.8.11.17 Input NETCONF Request to Fetch LDAP Configuration Installed on Node with Example

1. On the NETCONF terminal, execute the following request to get the LDAP configuration present on the node.

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="fetch-secure-ldap-details" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <filter type="subtree">
      <system xmlns="urn:ietf:params:xml:ns:yang:ietf-system"
              xmlns:ts="urn:ietf:params:xml:ns:yang:ietf-system">
        <ldap xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">
        </ldap>
      </system>
    </filter>
  </get>
</rpc>
]]>]]>

Example
-------------------------------------------------------------------------
/* Previous Netconf content part is ignored to improve readability */
-------------------------------------------------------------------------
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="fetch-secure-ldap-details" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <filter type="subtree">
      <system xmlns="urn:ietf:params:xml:ns:yang:ietf-system"
              xmlns:ts="urn:ietf:params:xml:ns:yang:ietf-system">
        <ldap xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext">
        </ldap>
      </system>
    </filter>
  </get>
</rpc>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="fetch-secure-ldap-details"><data><system xmlns="urn:ietf:params:xml:ns:yang:ietf-system"><ldap xmlns="urn:rdns:com:ericsson:oammodel:ericsson-system-ext"><server><name>external</name><tcp><address>2001:1b70:8231:1::100e</address><ldaps><port>1636</port></ldaps></tcp></server><security><simple-authenticated><bind-dn>cn=ProxyAccount_16,ou=proxyagent,ou=com,dc=stsvp3enm02-72,dc=com</bind-dn><bind-password>TLnH6ywUvNHWrAvdeHzZzswS</bind-password></simple-authenticated><user-base-dn>dc=stsvp3enm02-72,dc=com</user-base-dn></security><options><timeout>5</timeout><enable-referrals>false</enable-referrals></options></ldap></system></data></rpc-reply>]]>]]>
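As an added example (not code from the guide or from ENM), the following function audits an LDAP reply like the one above against the settings installed in 6.8.11.16 (LDAPS port, bind DN, user base DN, referrals disabled). It assumes the element names and namespaces of that request and uses a constructed sample reply with a placeholder bind password.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
SYS = "urn:ietf:params:xml:ns:yang:ietf-system"
EXT = "urn:rdns:com:ericsson:oammodel:ericsson-system-ext"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message delimiter


def _t(tag: str) -> str:
    """Qualify a tag with the ericsson-system-ext namespace."""
    return f"{{{EXT}}}{tag}"


def ldap_findings(reply: str, expected_port: int = 1636) -> list:
    """Deviations of the node's <ldap> subtree from the secure-LDAP settings the
    guide installs. An empty list means the configuration matches. The bind
    password is read only to confirm it is set; its value is never reported."""
    root = ET.fromstring(reply.split(EOM)[0].strip())
    ldap = root.find(f"{{{NC}}}data/{{{SYS}}}system/{_t('ldap')}")
    if ldap is None:
        return ["no ldap configuration present in reply"]
    findings = []
    servers = ldap.findall(_t("server"))
    if not servers:
        findings.append("no ldap server configured")
    for srv in servers:
        name = srv.findtext(_t("name"))
        ldaps = srv.find(f"{_t('tcp')}/{_t('ldaps')}")
        if ldaps is None:
            findings.append(f"server {name}: no <ldaps> port configured")
            continue
        port = ldaps.findtext(_t("port"))
        if port != str(expected_port):
            findings.append(f"server {name}: ldaps port {port}, expected {expected_port}")
    auth = ldap.find(f"{_t('security')}/{_t('simple-authenticated')}")
    if auth is None or not (auth.findtext(_t("bind-dn")) or "").strip():
        findings.append("no bind-dn configured under simple-authenticated")
    if auth is None or not (auth.findtext(_t("bind-password")) or "").strip():
        findings.append("no bind-password configured under simple-authenticated")
    if not (ldap.findtext(f"{_t('security')}/{_t('user-base-dn')}") or "").strip():
        findings.append("no user-base-dn configured")
    if ldap.findtext(f"{_t('options')}/{_t('enable-referrals')}") != "false":
        findings.append("enable-referrals is not false")
    return findings


# Constructed reply with the structure of the guide's fetch-secure-ldap-details
# example; the bind password is a placeholder, not a real credential.
LDAP_REPLY = (
    f'<rpc-reply xmlns="{NC}" message-id="fetch-secure-ldap-details"><data>'
    f'<system xmlns="{SYS}"><ldap xmlns="{EXT}"><server><name>external</name>'
    '<tcp><address>2001:1b70:8231:1::100e</address><ldaps><port>1636</port></ldaps>'
    '</tcp></server><security><simple-authenticated>'
    '<bind-dn>cn=ProxyAccount_16,ou=proxyagent,ou=com,dc=stsvp3enm02-72,dc=com</bind-dn>'
    '<bind-password>PLACEHOLDER</bind-password></simple-authenticated>'
    '<user-base-dn>dc=stsvp3enm02-72,dc=com</user-base-dn></security>'
    '<options><timeout>5</timeout><enable-referrals>false</enable-referrals>'
    f'</options></ldap></system></data></rpc-reply>{EOM}'
)
# The same reply with a plain LDAP port and referrals enabled, which should be flagged.
WEAK_LDAP_REPLY = (LDAP_REPLY
                   .replace("<ldaps><port>1636</port></ldaps>", "<port>389</port>")
                   .replace("<enable-referrals>false", "<enable-referrals>true"))
```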

6.8.12 Offline Enrollment Procedure for Node Types (vCSCF, vSAPC, vEME, vMTAS, vSBG, vIPWorks, HSS-FE, vHSS-FE, and NeLS)
There are two offline enrollment options for the nodes:

— CSR-Based Offline Enrollment (PKCS#10)

— Container-Based Offline Enrollment (PKCS#12)

Prerequisites

— End Entity name is defined in the following format: <node-name>-oam in case of OAM. If the End Entity is not in the mentioned format, it is not possible to reissue the certificate for the End Entity.

— Refer to PKCS #10 (RFC 2986) for more information on the CSR.

— Refer to PKCS#12 (RFC 7292) for more information on the PKCS#12.

— A valid End Entity must be created in ENM PKI before performing the Offline
Enrollment for the node. In this case, End Entity is a node.

For creation of the End Entity, see the section Entity Management Tasks of the document ENM Public Key Infrastructure System Administrator Guide, Reference [8].

Generate or Renew Certificate Using PKCS#12

To generate or renew the certificate, see the section Certificate Management Tasks of the document ENM Public Key Infrastructure System Administrator Guide, Reference [8].

The user must transfer the P12 file to the SFTP server to complete the offline enrollment procedure. See the corresponding Node CPI for details.

Note: For both CSR-based and Container-based Offline Enrollment, after the certificate is installed successfully on the node, it is recommended to revoke the old certificate in ENM PKI.

For LDAP configuration, see the LDAP Administrative Tasks on page 276.

Node Certificate Revocation

When a certificate for a node is revoked, the serial number for that certificate is added to the CRL of the CA which issued that certificate.

For a node certificate revocation, see the section PKI Revocation Management Task of the document ENM Public Key Infrastructure System Administrator Guide, Reference [8].

6.8.12.1 Add ENM CAs to Node Types (vCSCF, vSAPC, vEME, vMTAS, vSBG, vIPWorks, HSS-FE, vHSS-FE, and NeLS)

This section describes how to install trusted certificates on the node types vCSCF, vSAPC, vEME, vMTAS, vSBG, vIPWorks, HSS-FE, vHSS-FE, and NeLS.

Prerequisites
— PKI_Administrator role to access the pkiadm commands.

— Access privileges to log on to the node and execute commands.

— The system must be up and running.

— User must have access to the ENM CLI interface.

— User must have knowledge about the PKI system.

Steps

1. Launch the ENM CLI and run the following commands to obtain the Trust Distribution Point Service (TDPS) URL for each of the four required ENM CA certificates. These URLs are used to download the ENM CA certificates to the node.

pkiadm trustmgmt --list --entitytype ca --entityname ENM_PKI_Root_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_Infrastructure_CA

pkiadm trustmgmt --list --entitytype ca --entityname ENM_OAM_CA

pkiadm trustmgmt --list --entitytype ca --entityname NE_OAM_CA

2. Log on to the node to access the Node CLI.

ssh <NE_USER_NAME>@<NE_IP_ADDRESS>

3. Navigate to the CertM MO of the node.

CEMSS07# /opt/com/bin/cliss
ManagedElement=CEMSS07,SystemFunctions=1,SecM=1,CertM=1

4. Install all the four trusted certificates.

a. Run the command installTrustedCertFromUri on the node:

(CertM=1)>installTrustedCertFromUri <TDPS URL> <URL_password> <CA_fingerprint>

This command requires three parameters:

— TDPS URL of the ENM CA certificate to be downloaded.

— URL password (if no password is required, the NULL string can be provided).

— CA fingerprint (if no CA fingerprint is required, the NULL string can be provided).

(CertM=1)>installTrustedCertFromUri <TDPS URL> NULL NULL

Example
(CertM=1)>installTrustedCertFromUri http://141.137.236.235:8093/pki-ra-tdps/ca_entity/ENM_PKI_Root_CA/c63197edd6ca617/active/ENM_PKI_Root_CA NULL NULL

b. Trusted certificates can also be downloaded, transferred to the node with SFTP, and installed using file:// or SFTP.

i. Launch the ENM CLI and run the pkiadm command to download the trusted certificate. Store the trusted CA certificate in a location on the node.

pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM

ii. Run the installTrustedCertFromUri command on the node.

(config)>dn -m CertM
ManagedElement=CEMSS07,SystemFunctions=1,SecM=1,CertM=1
(config-CertM=1)>installTrustedCertFromUri ENM_PKI_Root_CA.pem <URL_password> <CA_fingerprint>
true
(config-CertM=1)>show
localFileStorePath="certificates"
userLabel="Certificate Management"
reportProgress
actionId=0
actionName="installTrustedCertFromUri"
additionalInfo
"TrustedCertificate=13"
progressInfo=""
progressPercentage=100
result=SUCCESS
resultInfo="installed from the certificate file"
state=FINISHED
timeActionCompleted="2012-10-17T11:34:56"
timeActionStarted="2012-10-17T11:34:56"
timeOfLastStatusUpdate="201

TrustCategory represents a group of trusted certificates that can be referenced by users.

The TrustCategory MO must be updated with its trustedCertificates attribute set to the DN of the TrustedCertificate MO.

5. Execute the show command on the CertM MO to display the installed trusted
certificates on the node.

6. Navigate to the TrustCategory=1 MO and add the ENM CA certificates installed in Step 4 to the NE TrustCategory=1.

(config-CertM=1)>TrustCategory=1
(config-TrustCategory=1)>trustedCertificates="ManagedElement=CEMSS07,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=13"

7. Commit the changes to the TrustCategory=1 MO to add the ENM CA certificates.

(config-TrustCategory=1)>commit -s

8. Verify that the TrustCategory has been updated correctly.

Navigate to TrustCategory and execute the show command to verify if all the
certificates are added.

For ExternalCA procedure, see the section Configuring ENM PKI System with
External CA Support of the document ENM Public Key Infrastructure System
Administrator Guide, Reference [8].

6.8.13 Offline Enrollment Procedure for CUDB/vCUDB

This procedure describes how to perform offline enrollment on a CUDB/vCUDB node using the trusted CA certificate.

The CUDB/vCUDB node supports CSR-Based Offline Enrollment (PKCS#10).

Prerequisites
— PKI_Administrator role to access the pkiadm commands.

— Access privileges to log on to the node and execute commands.

Steps

1. Log on ENM and navigate to User Management application.

2. Click Create User Profile.

Use the following parameters to create a user:
— Authentication Mode: Local

— Status: Enabled

— Assign Role: System Administrator

Note: This role is not in use for CUDB but ENM requires that at least
one role must be assigned.

— COM Target Groups for System Administrator can be NONE for CUDB.

3. Export the ENM_PKI_Root_CA trusted CA certificate.

Launch ENM CLI and run the pkiadm command:

pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM

4. Copy the exported ENM_PKI_Root_CA.pem file to the CUDB/vCUDB node in the following path:
/cluster/home/cudb/security/config/certificates/ca/

Example
/cluster/home/cudb/security/config/certificates/ca/ENM_PKI_Root_CA.pem

5. Set permission of ENM_PKI_Root_CA.pem to 644.

chmod 644 ENM_PKI_Root_CA.pem

6. Configure Secure Centralized Authentication feature on CUDB/vCUDB node.

CUDB_3 SC_2_1# /opt/com/bin/cliss
ManagedElement=1,CudbSystem=1,CudbSystemSecurity=1
(CudbSystemSecurity=1)>configure
(config-CudbSystemSecurity=1)>tlsCaCertificatesFile="/cluster/home/cudb/security/config/certificates/ca/ENM_PKI_Root_CA.pem"
(config-CudbSystemSecurity=1)>commit
(CudbSystemSecurity=1)>exit
- Execute applyConfig

7. Retrieve LDAP configuration details.

secadm ldap configure --manual

8. Configure the parameters.

CUDB_3 SC_2_1# /opt/com/bin/cliss
ManagedElement=1,CudbSystem=1,CudbExternalAuthMgmt=1,CudbExternalAuthServer=1
(CudbExternalAuthServer=1)>configure
(config-CudbExternalAuthServer=1)>baseDn="<baseDn>"
(config-CudbExternalAuthServer=1)>bindDn="<bindDn>"
(config-CudbExternalAuthServer=1)>bindPassword="<bindpassword>"
(config-CudbExternalAuthServer=1)>primaryServer="<primaryServer_ip>"
(config-CudbExternalAuthServer=1)>secondaryServer="<secondaryServer_ip>"
(config-CudbExternalAuthServer=1)>tlsEnabled=true
(config-CudbExternalAuthServer=1)>tlsMode="STARTTLS"
(CudbExternalAuthServer=1)>up
(CudbExternalAuthMgmt=1)>configure
(config-CudbExternalAuthMgmt=1)>enabled=true
(config-CudbExternalAuthMgmt=1)>commit
(CudbExternalAuthMgmt=1)>exit
- Execute applyConfig

Note: ENM supports only secure LDAP communication. When configuring CUDB CA, tlsMode must be "LDAPS" or "STARTTLS" and tlsEnabled must be "true".

9. Configure the remote LDAP server if it does not use the default LDAP ports, for example 636 for LDAPS or 389 for STARTTLS tlsMode.

a. Modify ldap_uri in /cluster/home/cudb/security/config/ldapAA_CudbLdapAAForAcsMethod and set it to the server IP and port used by the remote LDAP server.

Example
1636 or 1389 for ENM

ldap_uri = ldap://[<server ip>]:1389

Note: Modifying the ldapAA_CudbLdapAAForAcsMethod file requires root privileges.

b. Apply the configuration changes on CUDB/vCUDB.

/opt/ericsson/cudb/OAM/support/bin/cudbConfigureLdapAA --acsupdate →
register

10. Check that the connection to the ENM LDAP server works and that the CA is as expected.

Example

CUDB_3 SC_2_1# ldapsearch -x -H ldaps://10.133.117.160:1636 -w isw28olq -D "cn=ProxyAccount_40,ou=proxyagent,ou=com,dc=ericsson,dc=se" -b "uid=cudbtest,ou=People,dc=ericsson,dc=se" -vvv
....
dn: uid=cudbtest,ou=People,dc=ericsson,dc=se
....

Note: If an ENM user needs to be added to a local CUDB Linux POSIX
group (cudbadmin or cudbOperator), run the following command on the
CUDB/vCUDB node:

usermod -a -G <local CUDB group> <ENM user name>

For example:

CUDB_1 SC_2_1# usermod -a -G cudbadmin cudbtest

For the ExternalCA procedure, see the section Configuring ENM PKI
System with External CA Support of the document ENM Public Key
Infrastructure System Administrator Guide, Reference [8].

6.8.14 E2E Offline Certificate Enrollment on Router 6000 Family


Enrollment is the procedure by which a node gets its credential, and a set
of trusted credentials. The operator generates the node credential and trusted
credentials manually, and installs them on the node in an offline manner.

6.8.14.1 OAM Enrollment

This procedure is only for OAM.

At the end of the procedure, the Router 6000 series node is added in ENM and is
synchronized with TLS.

End Entity Creation and Credential Generation for E2E Offline Enrollment for
Router 6000 Family
End Entities (EE) of the PKI System are the end users who get credentials from
the ENM PKI System. They use it for communication with other ENM systems.
End Entities must be created in the PKI system.

To generate credentials each End Entity is mapped to an Entity Profile (EP) that
defines the Certificate Authority (CA).

For more information about Entity and Profiles, see Public Key Infrastructure
System of the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8].

Prerequisites

— The operator has ADMINISTRATOR role to access the CLI in ENM.

— The operator knows about Configuring MOs on the Node.


— The node is configured with the required configuration before adding the
node in ENM. See the document Router 6672 Preliminary Configuration,
Reference [31].

— The Router6672 node type SW version is Release 17B or higher.

— The Router6675 node type SW version is Release 18A or higher.

— The Router6x71 node type SW version is Release 18A or higher.

— The Router6274 node type SW version is Release 18Q2 or higher.

— The Router6273 node type SW version is Release 20Q1 or higher.

— The Router6673 node type SW version is Release 21.Q3 or higher.

— The node is added in ENM and synchronized with SSH.

PKI Configuration Clean up on the Node


If the node already has PKI configuration, it can be cleaned up by using the
following commands:

1. Check the existing configuration.

[local]router6000#show pki
number of node-credential: 1
name: oamNodeCredential
number of trusted-certificate: 4
name: 1
subject-name: CN=NE_OAM_CA, C=SE, O=ERICSSON, OU=BUCI_DUAC_NAM
serial number: 033EDC6ED9BE693D
name: 2
subject-name: CN=ENM_PKI_Root_CA, C=SE, O=ERICSSON, OU=BUCI_DUAC_NAM
serial number: 2C3F10C3A2527865
name: 3
subject-name: CN=ENM_Infrastructure_CA, C=SE, O=ERICSSON, OU=BUCI_DUAC_NAM
serial number: 74F4A95A1B066F7D
name: 4
subject-name: CN=ENM_OAM_CA, C=SE, O=ERICSSON, OU=BUCI_DUAC_NAM
serial number: 2F740B4641200115
number of capabilities: 1
name: 1
number of vendor-credential: 1
name: 1
number of trust-category: 1
name: oamTrustCategory
number of enrollment-authority: 1
name: 1
number of enrollment-server-group: 1
name: 1

2. Perform the clean up.


[local]router6000# config
[local]router6000(config)# no netconf tls server node-credential
[local]router6000(config)# no netconf tls server trust-category oamTrustCategory
[local]router6000(config)# commit
[local]router6000(config)# no pki node-credential oamNodeCredential
[local]router6000(config)# no pki trust-category oamTrustCategory
[local]router6000(config)# no pki enrollment-authority 1
[local]router6000(config)# no pki enrollment-server-group 1
[local]router6000(config)# commit
[local]router6000(config)# end
[local]router6000# pki remove-trusted-cert 1
[local]router6000# pki remove-trusted-cert 2
[local]router6000# pki remove-trusted-cert 3
[local]router6000# pki remove-trusted-cert 4

Steps

1. Check Entity Profile.


List all the Entity Profiles already present in ENM PKI system:

pkiadm pfm --list -type entity

The highlighted profile in the command output is the default profile used
when OAM Enrollment is performed for Router 6000 nodes.

Figure 34 Default Entity Profile

2. Prepare the XML file for the End Entity Creation.


A different End Entity must be created for each Router 6000 node in ENM.

The End Entities are created starting from an XML file. The template for the
XML file follows:

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>NetworkElementID-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>NetworkElementID-oam</Value>
        </SubjectField>
      </Subject>
    </EntityInfo>
  </Entity>
</Entities>

In the XML creation, the following rules must be respected:

— In the <EntityInfo> tag, the <Name> must be NetworkElementID-oam.

— In the <EntityInfo><SubjectField> tag of type COMMON_NAME, the <Value>
must be NetworkElementID-oam.

Note: The NetworkElementID is the identifier that the user uses at the
end of this procedure, when the Router 6000 Node is added in ENM.

The following is an example of the XML used to generate the End Entity for
the Router6000 with NetworkElementID=RouterOfflineEnrollment.

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>RouterOfflineEnroll-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>RouterOfflineEnroll-oam</Value>
        </SubjectField>
      </Subject>
    </EntityInfo>
  </Entity>
</Entities>

3. Save the XML file.


Suggested name for the file is EE_NetworkElementID-oam.xml.

4. Create the End Entity.


Drag and drop the XML file created in Step 2 into the ENM CLI app, and run
the following command to create the End Entity:

pkiadm etm -c -xf file:EE_NetworkElementID-oam.xml

5. Verify the End Entity Creation.


Verify through ENM CM CLI that the End Entity has been created. List all the
End Entities in the ENM PKI system with the command:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities. The End
Entity must be created with name NetworkElementID-oam and its status
is NEW. In the following example, EE is related to Router6000 node with ID
RouterOfflineEnrollment.

Figure 35 End Entity

6. Download of Trusted Credentials.


For OAM connectivity with netconf over TLS, the following trusted CA
credentials must be on node:

— NE_OAM_CA

— ENM_OAM_CA

— ENM_Infrastructure_CA

— ENM_PKI_Root_CA


Run the following commands in ENM CLI to download the credentials in
PEM format:

pkiadm ctm CACert -expcert -en NE_OAM_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_OAM_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_Infrastructure_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM

7. Install the trusted credentials on the node.


The PEM files must be placed on an SFTP server (10.170.118.41 in the
following example; <user> stands for the SFTP account) and installed on
the node.

[local]Ericsson#pki install-trusted-cert sftp://<user>@10.170.118.41/md/NE_OAM_CA.pem password XXXXXX
[local]Ericsson#pki install-trusted-cert sftp://<user>@10.170.118.41/md/ENM_PKI_Root_CA.pem password XXXXXX
[local]Ericsson#pki install-trusted-cert sftp://<user>@10.170.118.41/md/ENM_Infrastructure_CA.pem password XXXXXX
[local]Ericsson#pki install-trusted-cert sftp://<user>@10.170.118.41/md/ENM_OAM_CA.pem password XXXXXX

8. Create the node credential.


Node credential must be created on the node.

[local]Ericsson#config
[local]Ericsson(config)#pki node-credential RouterOfflineEnroll-oam
[local]Ericsson(pki-node-credential)#subject-name 'CN=RouterOfflineEnroll-oam, O=ERICSSON, C=SE, OU=BUCI_DUAC_NAM'
[local]Ericsson(pki-node-credential)#key-info rsa_2048
[local]Ericsson(pki-node-credential)#commit
[local]Ericsson(pki-node-credential)#end

The subject-name and key-info must be the same as those of the ENM entity
created in Step 2, Step 3, and Step 4. Compare the attribute values
character by character: the example XML above writes the organization
unit as BUCI DUAC NAM, while this node example writes OU=BUCI_DUAC_NAM.
Use one spelling consistently in both places, otherwise the CSR subject
does not match the End Entity.

9. Create CSR to a URI.


CSR file must be generated on the node. The CSR file is uploaded to an SFTP
server (10.10.10.1 in the following example; <user> stands for the SFTP
account).

[local]Ericsson#pki node-credential RouterOfflineEnroll-oam enroll offline sftp://<user>@10.10.10.1//home/user1/pki/pem/p1s_225_0105-1.csr password XXXXXX

10. Verify the enrollment progress.


Verify that the enrollment is 60% done after the CSR file is uploaded.

[local]router6000#show pki node-credential RouterOfflineEnroll-oam enroll-progress
Action ID : 0
Action Name : startOfflineCsrEnrollment
Additional Info : offline enrollment
Progress Info : waiting for certificate installation
Progress Percentage : 60%
Result : not available
Result Info :
State : running
Started : 2018-01-19T08:25:30
Completed : 1900-01-01T00:00:00
Last Update : 2018-01-19T08:25:30

11. End Entity Credential Generation.


Download the previous CSR file, drag and drop it into the ENM CLI app, and
then execute the following command to generate the End Entity credential in
PEM format.

pkiadm ctm EECert -gen -en NetworkElementID-oam -csr file:<csr-file> -f PEM

In the command, NetworkElementID-oam is the name of the entity created
in Step 4.

The command downloads a PEM file with the name NetworkElementID-oam.pem.

12. Install the node certificate after the CSR was signed by the CA.

The PEM file downloaded in Step 11 must be uploaded to an SFTP server
(10.10.10.1 in the following example) and installed on the node using the
following command.

[local]Ericsson#pki node-credential RouterOfflineEnroll-oam install-cert sftp://<user>@10.10.10.1/home/user1/pki/pem/RouterOfflineEnroll-oam.pem password XXXXXX

13. Verify the enrollment progress on the node.


Verify that the enrollment is 100% done after the certificate is installed.

[local]router6000#show pki node-credential RouterOfflineEnroll-oam enroll-progress
Action ID : 0
Action Name : startOfflineCsrEnrollment
Additional Info : offline enrollment
Progress Info : notifying event
Progress Percentage : 100%
Result : success
Result Info : success
State : finished
Started : 2018-01-19T08:25:30
Completed : 2018-01-19T08:28:06
Last Update : 2018-01-19T08:28:06

14. Configure COMUser on the node (if not configured).

COMUser must be configured on the node.

[local]router6000#configure
[local]router6000(config)#context local
[local]router6000(config-ctx)#administrator COMUser password ********


[local]router6000(config-administrator)#role NetconfPlatformAdministrator
[local]router6000(config-administrator)#commit

15. Configure trust-category on the node (if not existing).

Configure trust-category on the node.

[local]router6000#config
[local]router6000(config)# pki trust-category oamTrustCategory trusted-certificate 1,2,3,4
[local]router6000(config)#commit
Transaction committed.
[local]router6000(config)#end

16. Configure TLS on the node.

[local]router6000#config
[local]router6000(config)#netconf tls server admin-state enabled
[local]router6000(config)#netconf tls server trust-category oamTrustCategory
[local]router6000(config)#netconf tls server node-credential RouterOfflineEnroll-oam
[local]router6000(config)#commit
Transaction committed.
[local]router6000(config)#end

17. Switch the node to TLS in ENM.


As the node is successfully enrolled offline, switch it from SSH to TLS:

— Turn off CM supervision:

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=false

— Set transportProtocol in Er6000ConnectivityInformation MO to TLS:

cmedit set NetworkElement=<nodeName>,Er6000ConnectivityInformation=1 transportProtocol="TLS"

— Turn on CM supervision:

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=true

— Check the syncStatus of CmFunction MO is SYNCHRONIZED:

cmedit get NetworkElement=<nodeName>,CmFunction=1
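The PEM file that Step 11 returns is installed on the node in Step 12 without any check in between. The following script is an added example and is not part of this guide or of ENM; it shows the three checks an operator should run on that file first: the certificate chains to the trusted CA certificates installed in Step 7, its subject carries the End Entity name of Step 2, and its public key is the one from the CSR the node produced in Step 9. To run offline it builds a throwaway two-level test CA in place of ENM_PKI_Root_CA and NE_OAM_CA, plus a second CA the node does not trust, so every key, name and file in it is constructed here; the openssl CLI is assumed to be on PATH. The same check applies to the IPsec procedure in 6.8.14.2, with the -ipsec entity name and NE_IPsec_CA as the issuing CA.

```shell
#!/bin/sh
# Added example, not part of the ENM guide. Simulates the offline enrollment
# exchange of 6.8.14.1 with a throwaway two-level test CA and runs the checks
# an operator should apply to the PEM returned by "pkiadm ctm EECert -gen"
# (Step 11) before "pki node-credential ... install-cert" (Step 12).
# Assumes the openssl CLI is on PATH. Every key, name and file below is
# constructed here; none of it is ENM key material.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Minimal req config so "openssl req -subj" works without a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# CA extensions for the test root and issuing CA, leaf extensions for the node.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' > "$WORK/ee.ext"

# Common Name of the End Entity created in ENM PKI in Step 2; the node CSR of
# Steps 8 and 9 must carry the same subject (OU spelling assumed as in the XML).
EE_CN="RouterOfflineEnroll-oam"
EE_SUBJECT="/CN=$EE_CN/O=ERICSSON/OU=BUCI DUAC NAM/C=SE"

# Stand-in for ENM_PKI_Root_CA -> NE_OAM_CA. Writes <prefix>-root.pem (root)
# and <prefix>.pem/.key (issuing CA) under $WORK. Called once for the CA the
# node trusts and once for a "rogue" CA whose cert`ificates it must reject.
make_test_ca() {
  local prefix="$1" name="$2"
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=${name}_Root_CA/O=ERICSSON/C=SE" \
    -keyout "$WORK/$prefix-root.key" -out "$WORK/$prefix-root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/$prefix-root.csr" \
    -signkey "$WORK/$prefix-root.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/$prefix-root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=${name}_NE_OAM_CA/O=ERICSSON/C=SE" \
    -keyout "$WORK/$prefix.key" -out "$WORK/$prefix.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/$prefix.csr" \
    -CA "$WORK/$prefix-root.pem" -CAkey "$WORK/$prefix-root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/$prefix.pem" 2>/dev/null
}

# Node side of Steps 8 and 9: key pair plus CSR carrying the End Entity subject.
make_node_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "$EE_SUBJECT" -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
}

# CA side of Step 11: issue a certificate for the node CSR from CA <prefix> ($1)
# into the file given as $2.
sign_csr() {
  openssl x509 -req -sha256 -days 1 -in "$WORK/node.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/ee.ext" -out "$2" 2>/dev/null
}

# Pre-install check. Exit status: 0 ok; 1 the certificate does not chain to the
# trusted CA certificates installed on the node in Step 7; 2 the subject CN is
# not the ENM End Entity name; 3 the public key is not the one from the node CSR.
verify_issued_cert() {
  local cert="$1" csr="$2" anchors="$3" expected_cn="$4"
  openssl verify -CAfile "$anchors" "$cert" >/dev/null 2>&1 || return 1
  case "$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)" in
    *"CN=$expected_cn,"*|*"CN=$expected_cn") ;;
    *) return 2 ;;
  esac
  [ "$(openssl req -in "$csr" -noout -pubkey)" = \
    "$(openssl x509 -in "$cert" -noout -pubkey)" ] || return 3
}

make_test_ca enm TEST_ENM
make_test_ca rogue TEST_ROGUE
# What Step 7 installed on the node: the root and the issuing CA.
cat "$WORK/enm-root.pem" "$WORK/enm.pem" > "$WORK/node-trust.pem"
make_node_csr
sign_csr enm "$WORK/issued.pem"
sign_csr rogue "$WORK/rogue-issued.pem"

if verify_issued_cert "$WORK/issued.pem" "$WORK/node.csr" "$WORK/node-trust.pem" "$EE_CN"; then
  echo "issued.pem: OK to install"
fi
if ! verify_issued_cert "$WORK/rogue-issued.pem" "$WORK/node.csr" "$WORK/node-trust.pem" "$EE_CN"; then
  echo "rogue-issued.pem: rejected, not issued under the node's trusted CAs"
fi
```

Against a real enrollment, call verify_issued_cert with the four PEM files of Step 6 concatenated as anchors, NetworkElementID-oam.pem as cert, the CSR uploaded in Step 9, and the End Entity name; a non-zero status names the check that failed, so the certificate can be re-issued before the node is switched to TLS in Step 17.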

6.8.14.2 IPSec Enrollment

This procedure is only for IPsec.


End Entity Creation and Credential Generation for E2E Offline Enrollment for
Router 6000 Family
End Entities (EE) of the PKI System are the end users who get credentials from
the ENM PKI System. They use it for communication with other ENM systems.
End Entities must be created in the PKI system.

To generate credentials each End Entity is mapped to an Entity Profile (EP) that
defines the Certificate Authority (CA).

For more information about Entity and Profiles, see Public Key Infrastructure
System of the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8].

Prerequisites

— The operator has ADMINISTRATOR role to access the CLI in ENM.

— The operator knows about Configuring MOs on the Node.

— The node has the required configuration before adding the node in ENM, see
the document Router 6672 Preliminary Configuration, Reference [31].

— The Router6672 node type SW version is Release 17B or higher.

— The Router6675 node type SW version is Release 18A or higher.

— The Router6x71 node type SW version is Release 18A or higher.

— The Router6273 node type SW version is Release 20Q1 or higher.

— The node is added in ENM and synchronized with SSH.

Steps

1. Check Entity Profile:


Using ENM CLI, list the Entity Profiles already present in ENM PKI system:

pkiadm pfm --list -type entity

The highlighted profile must be available in the command output:


Figure 36 Entity Profile

The highlighted profile is the default profile used when IPsec Enrollment is
performed for Router 6000 nodes.

2. Prepare the XML file for End Entity creation:


A different End Entity must be created for each Router 6000 node.

The End Entities are created starting from an XML file. The following is the
template for the XML file:

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2IPSec_SAN_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-IPSEC</Name>
    </Category>
    <EntityInfo>
      <Name>NetworkElementID-ipsec</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>NetworkElementID-ipsec</Value>
        </SubjectField>
      </Subject>
    </EntityInfo>
  </Entity>
</Entities>


In XML creation, the following rules must be respected:

— In the <EntityInfo> tag, the <Name> must be NetworkElementID-ipsec.

— In the <EntityInfo><SubjectField> tag of type COMMON_NAME, the <Value>
must be NetworkElementID-ipsec.

Following is an example of XML used to generate the End Entity for the
Router6000 with NetworkElementID=RouterOfflineEnrollment:

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2IPSec_SAN_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-IPSEC</Name>
    </Category>
    <EntityInfo>
      <Name>RouterOfflineEnroll-ipsec</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>RouterOfflineEnroll-ipsec</Value>
        </SubjectField>
      </Subject>
    </EntityInfo>
  </Entity>
</Entities>

3. Save the XML file.

Suggested name for the file is EE_NetworkElementID-ipsec.xml.

4. Create the End Entity.


Drag and drop the XML file created in Step 2 into the ENM CLI, and run the
following command:

pkiadm etm -c -xf file:EE_NetworkElementID-ipsec.xml

5. Verify End Entity Creation:


Verify that the End Entity has been created by listing all the End Entities in
the ENM PKI system with the following command:

pkiadm etm -l -type ee


The End Entity must be present in the list of End Entities. The End Entity
must be created with name NetworkElementID-ipsec and its status is
NEW. In the following example, EE related to Router6000 node with ID
RouterOfflineEnrollment.

Figure 37 End Entity

6. Download trusted credentials:


For IPsec, the following trusted CA credentials must be on the node:

— NE_IPsec_CA

— ENM_Infrastructure_CA

— ENM_PKI_Root_CA

Run the following commands in ENM CLI to download the credentials in
PEM format:

pkiadm ctm CACert -expcert -en NE_IPsec_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_Infrastructure_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM

7. Install the trusted credentials on the node:


The PEM files must be placed on an SFTP server (10.170.118.41 in the
following example; <user> stands for the SFTP account) and installed on
the node.

[local]Ericsson#pki install-trusted-cert sftp://<user>@10.170.118.41/md/NE_IPsec_CA.pem password XXXXXX
[local]Ericsson#pki install-trusted-cert sftp://<user>@10.170.118.41/md/ENM_PKI_Root_CA.pem password XXXXXX
[local]Ericsson#pki install-trusted-cert sftp://<user>@10.170.118.41/md/ENM_Infrastructure_CA.pem password XXXXXX

8. Create the node credential:


Node credential must be created on the node.

[local]Ericsson#config
[local]Ericsson(config)#pki node-credential ipsecNodeCredential
[local]Ericsson(pki-node-credential)#subject-name 'CN=RouterOfflineEnroll-ipsec, O=ERICSSON, C=SE, OU=BUCI_DUAC_NAM'
[local]Ericsson(pki-node-credential)#key-info rsa_2048
[local]Ericsson(pki-node-credential)#commit
[local]Ericsson(pki-node-credential)#end

The subject-name and key-info must be the same as those of the ENM entity
created in Step 2, Step 3, and Step 4.

9. Create CSR to a URI:


CSR file must be generated on the node. The CSR file is uploaded to an SFTP
server (10.10.10.1 in the following example; <user> stands for the SFTP
account).

[local]Ericsson#pki node-credential ipsecNodeCredential enroll offline sftp://<user>@10.10.10.1//home/user1/pki/pem/p1s_225_0105-1.csr password XXXXXX

10. Verify the enrollment progress:


Verify that the enrollment is 60% done after the CSR file is uploaded.

[local]router6000#show pki node-credential ipsecNodeCredential enroll-progress
Action ID : 0
Action Name : startOfflineCsrEnrollment
Additional Info : offline enrollment
Progress Info : waiting for certificate installation
Progress Percentage : 60%
Result : not available
Result Info :
State : running
Started : 2018-01-19T08:25:30
Completed : 1900-01-01T00:00:00
Last Update : 2018-01-19T08:25:30

11. End Entity Credential Generation:


Download the CSR file, and drag and drop it into the ENM CLI app. Then
execute the following command to generate the End Entity credential in PEM
format.

pkiadm ctm EECert -gen -en NetworkElementID-ipsec -csr file:<csr-file> -f PEM

NetworkElementID-ipsec is the name of the entity created in Step 4.

The command downloads a PEM file with the name NetworkElementID-ipsec.pem.

12. Install the node certificate after the CSR is signed by the CA:

The PEM file downloaded in Step 11 must be uploaded to an SFTP server
(10.10.10.1 in the following example) and installed on the node using
the following command:

[local]Ericsson#pki node-credential ipsecNodeCredential install-cert sftp://<user>@10.10.10.1/home/user1/pki/pem/RouterOfflineEnroll-ipsec.pem password XXXXXX

13. Verify the enrollment progress:


Verify that the enrollment is 100% done after the certificate is installed:

[local]router6000#show pki node-credential ipsecNodeCredential enroll-progress
Action ID : 0
Action Name : startOfflineCsrEnrollment
Additional Info : offline enrollment
Progress Info : notifying event
Progress Percentage : 100%
Result : success
Result Info : success
State : finished
Started : 2018-01-19T08:25:30
Completed : 2018-01-19T08:28:06
Last Update : 2018-01-19T08:28:06

Results
The IPsec enrollment is successful.
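Step 2 of both offline procedures (OAM in 6.8.14.1, IPsec in 6.8.14.2) is a hand-edited copy of the same template, and Step 8 repeats the subject by hand on the node; an unclosed element, or a <Name> that no longer matches the COMMON_NAME <Value>, is easy to introduce when copying. The following script is an added example and is not part of this guide or of ENM: it derives the End Entity XML and the node subject-name string from one NetworkElementID for either enrollment type, and checks an existing file against the rules stated in Step 2. It assumes the profile and category names shown in the templates and the OU spelling "BUCI DUAC NAM"; nothing in it calls ENM.

```shell
#!/bin/sh
# Added example, not part of the ENM guide. Derives the End Entity XML of
# Step 2 (6.8.14.1 for OAM, 6.8.14.2 for IPsec) and the node "subject-name"
# of Step 8 from one NetworkElementID, so that the <Name>, the COMMON_NAME
# <Value> and the CSR subject cannot drift apart, and checks a hand-edited
# file for the same rules. Profile and category names are those printed in
# the guide's templates; the OU string "BUCI DUAC NAM" is assumed to be the
# one your ENM PKI expects (the guide's node example spells it with
# underscores; the two must agree).
set -eu

# Usage: ee_xml <NetworkElementID> <oam|ipsec>  -> End Entity XML on stdout
ee_xml() {
  local ne_id="$1" kind="$2" profile category name
  case "$kind" in
    oam)   profile="DUSGen2OAM_CHAIN_EP";       category="NODE-OAM" ;;
    ipsec) profile="DUSGen2IPSec_SAN_CHAIN_EP"; category="NODE-IPSEC" ;;
    *) echo "kind must be oam or ipsec" >&2; return 1 ;;
  esac
  name="${ne_id}-${kind}"
  cat <<EOF
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="$profile"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>$category</Name>
    </Category>
    <EntityInfo>
      <Name>$name</Name>
      <Subject>
        <SubjectField><Type>ORGANIZATION</Type><Value>ERICSSON</Value></SubjectField>
        <SubjectField><Type>ORGANIZATION_UNIT</Type><Value>BUCI DUAC NAM</Value></SubjectField>
        <SubjectField><Type>COUNTRY_NAME</Type><Value>SE</Value></SubjectField>
        <SubjectField><Type>COMMON_NAME</Type><Value>$name</Value></SubjectField>
      </Subject>
    </EntityInfo>
  </Entity>
</Entities>
EOF
}

# Usage: node_subject_name <NetworkElementID> <oam|ipsec>
# Value for "pki node-credential <name> subject-name '...'" in Step 8, built
# from the same attribute values as ee_xml.
node_subject_name() {
  printf 'CN=%s-%s, O=ERICSSON, C=SE, OU=BUCI DUAC NAM\n' "$1" "$2"
}

# Usage: check_ee_xml <file> <NetworkElementID> <oam|ipsec>
# Returns 1 if any element is left unclosed (for example
# "<Modifiable>true<Modifiable>"), 2 if the EntityInfo <Name> or the
# COMMON_NAME <Value> differs from <NetworkElementID>-<kind>.
check_ee_xml() {
  local file="$1" expected="$2-$3" body t name cn
  # Whole document on one line, self-closing tags (EntityProfile) removed.
  body="$(tr -d '\n' < "$file" | sed 's#<[A-Za-z][^>]*/>##g')"
  for t in $(printf '%s' "$body" | grep -o '<[A-Za-z][A-Za-z]*[ >]' | tr -d '<> ' | sort -u); do
    [ "$(printf '%s' "$body" | grep -o "<$t[ >]" | wc -l)" -eq \
      "$(printf '%s' "$body" | grep -o "</$t>" | wc -l)" ] || return 1
  done
  name="$(printf '%s' "$body" | sed 's#.*<EntityInfo>[^<]*<Name>\([^<]*\)</Name>.*#\1#')"
  cn="$(printf '%s' "$body" | sed 's#.*<Type>COMMON_NAME</Type>[^<]*<Value>\([^<]*\)</Value>.*#\1#')"
  [ "$name" = "$expected" ] && [ "$cn" = "$expected" ] || return 2
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ee_xml RouterOfflineEnrollment oam   > "$WORK/EE_RouterOfflineEnrollment-oam.xml"
ee_xml RouterOfflineEnrollment ipsec > "$WORK/EE_RouterOfflineEnrollment-ipsec.xml"
# A copy with an unclosed <Modifiable> element, as a hand-edit could produce.
sed 's#</Modifiable>#<Modifiable>#' "$WORK/EE_RouterOfflineEnrollment-oam.xml" > "$WORK/broken.xml"

check_ee_xml "$WORK/EE_RouterOfflineEnrollment-oam.xml" RouterOfflineEnrollment oam && echo "OAM XML consistent"
check_ee_xml "$WORK/broken.xml" RouterOfflineEnrollment oam || echo "broken.xml rejected (status $?)"
echo "Step 8 subject-name: $(node_subject_name RouterOfflineEnrollment oam)"
```

Redirect ee_xml to EE_<NetworkElementID>-oam.xml or EE_<NetworkElementID>-ipsec.xml and use that file in Step 4; paste the node_subject_name output into the subject-name command of Step 8, so the CSR subject is guaranteed to match the entity that pkiadm ctm EECert -gen signs for in Step 11.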

6.8.15 Online Certificate Enrollment on Router 6000 Family


This procedure describes the steps to perform online enrollment of Ericsson
Router 6000 Series Family Nodes. Enrollment is a procedure that assigns to a
node its credential and a set of trusted credentials. The operator starts the node
enrollment through the CMPv2 protocol, obtaining certificate from PKI-RA.

Details of operations to be performed are available in the document Manage
Security, Reference [16].

At the end of the procedure, the Router 6000 series node is added in ENM and is
synchronized with TLS.

6.8.15.1 OAM Enrollment

The procedure described here is only applicable for OAM.

Details of operations are available in the document Manage Security, Reference
[16].

6.8.15.1.1 End Entity Creation and Credential Generation for Online Certificate Enrollment
on Router 6000

End Entities (EE) of the PKI System are the end users who get credentials from
the ENM PKI System. They use it for communication with other ENM systems.
End Entities must be created in the PKI system.

To generate credentials each End Entity is mapped to an Entity Profile (EP) that
defines the Certificate Authority (CA).

For more information about Entity and Profiles, see Public Key Infrastructure
System of the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8].


See ER6000 node CPI Public Key Infrastructure for required node prerequisites
and configuration details.

Details of operations are available in the document Manage Security, [16].

Prerequisites

— The operator has ADMINISTRATOR role to access the CLI in ENM.

— The operator knows about Configuring MOs on the Node.

— The Router6672 node type SW version is Release 17B or higher.

— The Router6675 node type SW version is Release 18A or higher.

— The Router6675 node type SW version is Release 18Q2 or higher.

— The Router6274 node type SW version is Release 18Q2 or higher.

— The Router6273 node type SW version is Release 20Q1 or higher.

— The Router6673 node type SW version is Release 21.Q3 or higher.

— COMUser configured beforehand, to enable TLS on the node. See the
document Router 6672 Preliminary Configuration, Reference [31], for
additional details on Node Configurations.

— The node is SYNCHRONIZED with SSH protocol.

— Vendor credential MO is present in the node.

— The external cert supported by that VC is imported to ENM.

See Router6000 External CA Import Procedure on page 411.

Steps

1. To enable TLS on the node, access the node through Node CLI, and execute
the following commands in config mode:

SF151[config]#netconf tls server admin-state enabled
SF151[config]#default tls cipher-filter
SF151[config]#commit

2. Access the web-based ENM application as ADMINISTRATOR, and open the
ENM CLI to execute the following commands:

3. List all the Entity Profiles present in ENM PKI system:

pkiadm pfm --list -type entity


Result: Verify that the DUSGen2OAM_CHAIN_EP profile is listed in the command
output. This is the default profile used when OAM Enrollment is performed
for Router6672 Nodes.

4. Create an XML file for each Router6000 series Node:

<Nodes>
<Node>
<NodeFdn>NetworkElement-FDN</NodeFdn>
<EntityProfileName>DUSGen2OAM_CHAIN_EP</EntityProfileName>
<EnrollmentMode>CMPv2_VC</EnrollmentMode>
<KeySize>RSA_2048</KeySize>
</Node>
</Nodes>

Note: The <NodeFdn> value must be the FDN of the NetworkElement MO. The
FDN of the Network Element can be retrieved with the following command
from ENM CLI:

cmedit get <node name> NetworkElement

Suggested name for the file is EE_NetworkElementID-oam.xml.

Use the show tls command on the node to display all supported ciphers.

5. Import the XML file to ENM CLI.

6. Perform online enrollment for the node:

secadm cert issue -ct OAM -xf file:<End_Entity_xml File>

Result: A link displays.

7. Click the link generated as result of step Step 6 to check the enrollment job
status.

Result: If Job Status is COMPLETED and Workflow Status is SUCCESS, the
enrollment of the node is done and you can continue to the next step. If
not, contact Ericsson Local Support.

8. When the node has successfully enrolled, switch it from SSH to TLS.

a. Turn off CM supervision:

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=false

b. Set transportProtocol in Er6000ConnectivityInformation MO to TLS:

cmedit set NetworkElement=<nodeName>,Er6000ConnectivityInformation=1 transportProtocol="TLS"

c. Turn on CM supervision:

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=true

d. Check the syncStatus:

cmedit get NetworkElement=<nodeName>,CmFunction=1

Result: The syncStatus attribute of CmFunction MO must be SYNCHRONIZED.

6.8.15.2 IPSec Enrollment

This procedure is only applicable to IPsec.

Details of operations are available in the document Manage Security, Reference
[16].

6.8.15.2.1 End Entity Creation and Credential Generation for Online Certificate Enrollment
on RadioNode

End Entities (EE) of the PKI System are the end users who get credentials from
the ENM PKI System. They use it for communication with other ENM systems.
End Entities must be created in the PKI system.

To generate credentials each End Entity is mapped to an Entity Profile (EP) which
defines the Certificate Authority (CA).

For more information about Entity and Profiles, see Public Key Infrastructure
System of the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8].

Prerequisites

— The operator has ADMINISTRATOR role to access the ENM CLI.

— The operator knows about Configuring MOs on the Node.

— The Radio Node SW version is Rel16A IP12 or higher.

Steps

1. Check entity profile.


List all the Entity Profiles already present in ENM PKI system:

pkiadm pfm --list -type entity


The following highlighted profile must be available in the command output:

The highlighted profile is the default profile used when OAM Enrollment is
performed for Radio Nodes.

2. Prepare the XML File for the End Entity Creation.


A different End Entity must be created for each Radio Node.

The End Entities are created starting from an XML file. The following is the
template for the XML file:

Template.xml

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>NetworkElementID-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>NetworkElementID-oam</Value>
        </SubjectField>
      </Subject>
    </EntityInfo>
  </Entity>
</Entities>

During the XML creation, the following rules must be respected:

— In the <EntityInfo> tag, the <Name> must be NetworkElementID-oam.

— In the <EntityInfo><SubjectField> tag of type COMMON_NAME, the <Value>
must be NetworkElementID-oam.

The NetworkElementID is the identifier that the user must use at the
end of this procedure, when the Radio Node is added in ENM.

The following file is an example of XML file used to generate the End
Entity for the RadioNode with Network Element ID=G2RBS_27.

EE-G2RBS_27-oam.xml

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>G2RBS_27-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>G2RBS_27-oam</Value>
        </SubjectField>
      </Subject>
    </EntityInfo>
  </Entity>
</Entities>

3. Save the XML file.


Name the file EE_NetworkElementID-oam.xml.

4. Create the End Entity.


Drag and drop the XML file created in Step 2 into the ENM CLI. To create the
End Entity, run the following command:

pkiadm etm -c -xf file:EE_NetworkElementID-oam.xml

5. Verify End Entity creation.


List all the End Entities in the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.

The End Entity must be created with name NetworkElementID-oam, and its status is NEW. The following example shows the EE related to Radio Node G2RBS_27.

Example

6. Retrieve End Entity Subject DN.


From EE_NetworkElementID-oam.xml:

EE Subject DN:
CN=<EntityInfo.Subject.COMMON_NAME.value>,C=<EntityInfo.Subject.COUNTRY_NAME.value>,O=<EntityInfo.Subject.ORGANIZATION.value>,OU=<EntityInfo.Subject.ORGANIZATION_UNIT.value>

For instance, from EE-G2RBS_27-oam.xml:

EE Subject DN:
CN=G2RBS_27-oam,C=SE,O=ERICSSON,OU=BUCI DUAC NAM
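The XML creation rules above and the Subject DN derivation in step 6, as an added Python check that is not part of the guide or of ENM (the same rules apply to the Controller6610, ESC and SCU End Entity templates later in this section). It assumes the element layout shown in the page's XML examples; the embedded EE_XML is constructed from the G2RBS_27 example, and the EntityProfile check is an assumption based on the profile every template on the page uses.

```python
import xml.etree.ElementTree as ET

# Constructed End Entity XML in the page's format (not an ENM-generated file);
# the Network Element ID "G2RBS_27" matches the guide's example.
EE_XML = """<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NODE-OAM</Name>
</Category>
<EntityInfo>
<Name>G2RBS_27-oam</Name>
<Subject>
<SubjectField><Type>ORGANIZATION</Type><Value>ERICSSON</Value></SubjectField>
<SubjectField><Type>ORGANIZATION_UNIT</Type><Value>BUCI DUAC NAM</Value></SubjectField>
<SubjectField><Type>COUNTRY_NAME</Type><Value>SE</Value></SubjectField>
<SubjectField><Type>COMMON_NAME</Type><Value>G2RBS_27-oam</Value></SubjectField>
</Subject>
</EntityInfo>
</Entity>
</Entities>
"""

# Order in which the guide writes the EE Subject DN (step 6): CN, C, O, OU.
DN_ORDER = (("COMMON_NAME", "CN"), ("COUNTRY_NAME", "C"),
            ("ORGANIZATION", "O"), ("ORGANIZATION_UNIT", "OU"))

# Assumption: the OAM entity profile used by every template on the page.
EXPECTED_PROFILE = "DUSGen2OAM_CHAIN_EP"


def subject_fields(entity):
    """Return {Type: Value} for the SubjectField elements of one <Entity>."""
    fields = {}
    for sf in entity.findall("EntityInfo/Subject/SubjectField"):
        fields[sf.findtext("Type")] = sf.findtext("Value")
    return fields


def subject_dn(entity):
    """Build the EE Subject DN string the way step 6 derives it."""
    fields = subject_fields(entity)
    return ",".join(f"{attr}={fields[xml_type]}"
                    for xml_type, attr in DN_ORDER if xml_type in fields)


def check_entity(entity, network_element_id):
    """Apply the XML creation rules; return a list of violations (empty = OK)."""
    expected = f"{network_element_id}-oam"
    problems = []
    # Rule 1: <EntityInfo><Name> must be NetworkElementID-oam.
    name = entity.findtext("EntityInfo/Name")
    if name != expected:
        problems.append(f"EntityInfo/Name is {name!r}, expected {expected!r}")
    # Rule 2: the COMMON_NAME SubjectField value must be NetworkElementID-oam.
    cn = subject_fields(entity).get("COMMON_NAME")
    if cn != expected:
        problems.append(f"COMMON_NAME is {cn!r}, expected {expected!r}")
    # Assumed rule: the entity profile is the OAM chain profile.
    ep = entity.find("EntityProfile")
    profile = ep.get("Name") if ep is not None else None
    if profile != EXPECTED_PROFILE:
        problems.append(f"EntityProfile is {profile!r}, expected {EXPECTED_PROFILE!r}")
    return problems


def check_file(xml_text, network_element_id):
    """Parse an Entities document; return [(subject_dn, problems)] per Entity."""
    root = ET.fromstring(xml_text)
    return [(subject_dn(e), check_entity(e, network_element_id))
            for e in root.findall("Entity")]


if __name__ == "__main__":
    for dn, problems in check_file(EE_XML, "G2RBS_27"):
        print("EE Subject DN:", dn)
        print("violations:", problems or "none")
```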

7. Get Enrollment URI.


From global.properties, get the IP address of the PKI RA Service (HAProxy South Bound):

[root@ieatclvmlms908-1 ~]# cat /ericsson/tor/data/global.properties | grep haproxysb
haproxysb=141.137.211.135
haproxysb_ipv6=2001:1b70:82a1:138:0:2313:5249:4a

Choose IPv4 or IPv6, according to Node IP stack.


8. Get the Root CA fingerprint:

a. Retrieve the active ENM_PKI_Root_CA certificate from the WebCLI.

pkiadm certmgmt CACert --exportcert --entityname ENM_PKI_Root_CA --format PEM

This command downloads the active ENM_PKI_Root_CA certificate in PEM format (for example, ENM_PKI_Root_CA.pem).

b. Retrieve the issuer of ENM_PKI_Root_CA.

openssl x509 -in ENM_PKI_Root_CA.pem -noout -issuer
issuer= /CN=ENM_PKI_Root_CA/OU=BUCI_DUAC_NAM/C=SE/O=ERICSSON

If ENM_PKI_Root_CA is self-signed (the issuer is equal to the subject):

— Calculate the SHA1 fingerprint of ENM_PKI_Root_CA using OpenSSL:

>openssl x509 -in ENM_PKI_Root_CA.pem -noout -fingerprint
SHA1 Fingerprint=57:FD:2A:59:36:D5:18:76:34:4D:FB:B7:98:FC:5B:15:BF:68:19:E8

Otherwise (External CA imported), retrieve the Root CA and calculate the SHA1 fingerprint of the External Root CA.

Assume, for instance, that ENM_PKI_Root_CA has been signed by "O=TCS, C=IN, OU=DLF, CN=PrimeTowerIntermediateCA".

— Retrieve the External CA list from the WebCLI:

>pkiadm extcalist

From this table, it is possible to retrieve the External Root CA. For example, if from step b the ENM_PKI_Root_CA has been signed by O=TCS, C=IN, OU=DLF, CN=PrimeTowerIntermediateCA, then the External Root CA name is O=TCS, C=IN, OU=DLF, CN=PrimeTowerRootCA.

— Retrieve the External CA certificate from the WebCLI:

>pkiadm extcaexport -n "O=TCS, C=IN, OU=DLF, CN=PrimeTowerRootCA"

This command downloads the active PrimeTowerRootCA certificate in PEM format (for example, PrimeTowerRootCA.pem).

— Calculate the SHA1 fingerprint of the External Root CA using OpenSSL:

>openssl x509 -in PrimeTowerRootCA.pem -noout -fingerprint
SHA1 Fingerprint=54:8B:D7:B9:81:E9:7D:D5:6E:3D:2D:B4:C5:A9:63:89:E9:9E:B2:26
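The fingerprint comparison that this step and the node-side installCredentialFromUri fingerprint parameter depend on, as an added Python helper that is not part of the guide or of ENM: it computes the SHA1 fingerprint over the DER bytes of a PEM file in the format openssl prints, and compares two fingerprints regardless of case, separators or the "SHA1 Fingerprint=" prefix. SAMPLE_PEM is a constructed stand-in whose body decodes to the bytes "abc" (a known SHA1 test vector), not a real certificate; replace it with the exported ENM_PKI_Root_CA.pem or PrimeTowerRootCA.pem.

```python
import base64
import hashlib
import re

# Constructed PEM: the body is base64 of b"abc", a stand-in for a real CA
# certificate. It is NOT a certificate and will not parse with openssl.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def der_from_pem(pem_text):
    """Decode the first CERTIFICATE PEM block into its DER bytes, which is
    what 'openssl x509 -fingerprint' hashes."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----") + 1
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError:
        raise ValueError("no PEM CERTIFICATE block found") from None
    return base64.b64decode("".join(lines[start:end]), validate=True)


def sha1_fingerprint(der_bytes):
    """SHA1 over the DER encoding, formatted like openssl's output
    (uppercase hex pairs separated by colons)."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Reduce any spelling seen on the page (upper or lower case, with or
    without colons, with the 'SHA1 Fingerprint=' prefix) to 40 lowercase
    hex characters, so that values from openssl and from the node compare."""
    value = text.split("=", 1)[1] if "=" in text else text
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(hexdigits) != 40:
        raise ValueError(f"not a SHA1 fingerprint: {text!r}")
    return hexdigits


def fingerprints_match(a, b):
    """True when both strings denote the same SHA1 fingerprint."""
    return normalize_fingerprint(a) == normalize_fingerprint(b)


if __name__ == "__main__":
    fp = sha1_fingerprint(der_from_pem(SAMPLE_PEM))
    print("SHA1 Fingerprint=" + fp)
    # Value entered on the node is usually typed in lowercase; it still matches.
    print(fingerprints_match("SHA1 Fingerprint=" + fp, fp.lower()))
```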

6.8.16 Online Certificate Enrollment on Fronthaul 6020


This section describes the steps to perform the online enrollment of Fronthaul 6020. Enrollment assigns node credentials. The node is enrolled through the CMPv2 protocol, obtaining its certificate from PKI-RA.

This procedure is only applicable for OAM Enrollment. Do not use it for IPsec Enrollment.

Details of the operations are available in the document Manage Security, Reference [16].

Upon enrollment, the Fronthaul node is added in ENM and synchronized with
TLS.

6.8.16.1 End Entity Creation and Credential Generation

End Entities (EE) of the PKI System are the end users who get credentials from the ENM PKI System. They use them for communication with other ENM systems. End Entities must be created in the PKI system.

To generate credentials each End Entity is mapped to an Entity Profile (EP) that
defines the Certificate Authority (CA).

For more information about Entity and Profiles, see Public Key Infrastructure
System of the ENM Public Key Infrastructure System Administrator Guide,
Reference [8].

Details of operations are available in the document Manage Security, [16].

Prerequisites

— Access to ENM server deployment structure.

— Root access privileges to log on to the Management Server and virtual machines.

— Root access privileges to log on the DB nodes.


— ADMINISTRATOR role to access the CLI in ENM.

— Access to configuration of MOs on the Node.

— FH6020 node with software release 20.Q2.1 or higher.

— The node is SYNCHRONIZED with SSH protocol.

Steps

1. Access the node through Node CLI and execute the following commands in
config mode to enable TLS on the node.

[config]#netconf-tls-edit netconf-tls-port 6513 admin-status UNLOCKED
[config]#commit

2. Create an XML file for each FH6020 series node.

<?xml version="1.0" encoding="UTF-8"?>
<Nodes>
<Node>
<NodeFdn>NetworkElement-FDN</NodeFdn>
<EnrollmentMode>CMPv2_INITIAL</EnrollmentMode>
</Node>
</Nodes>

Note: The <NodeFdn> value must be NetworkElement-Fdn.

3. Import the XML file to ENM CLI.

4. Perform online enrollment for the node.

secadm cert issue -ct OAM -xf file:<End_Entity_xml File>

Result: A link displays.

5. Click the link generated as result of the preceding step to check the
enrollment job status.

Result: If Job Status is COMPLETED and Workflow Status is SUCCESS, the enrollment of the node is done and you can continue to the next step. If not, contact Ericsson Local Support.

6. When the node has successfully enrolled, switch it from SSH to TLS.

a. Turn off CM supervision:

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=false

b. Set port to 6513 and transportProtocol to TLS in the FrontHaul6000ConnectivityInformation MO:

cmedit set NetworkElement=nodename,FrontHaul6000ConnectivityInformation=1 port=6513
cmedit set NetworkElement=nodename,FrontHaul6000ConnectivityInformation=1 transportProtocol=TLS

c. Turn on CM supervision:

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=true

d. Check the syncStatus:

cmedit get NetworkElement=<nodeName>,CmFunction=1

Result: The syncStatus attribute of the CmFunction MO must be SYNCHRONIZED.

6.8.17 E2E Enrollment and LDAP Configuration for Controller6610 Node


This section describes the enrollment and LDAP configuration of the Controller6610 node.

6.8.17.1 Online Certificate Enrollment for Controller6610

Prerequisites

1. Check the administrativeState of NetconfTLS.

cmedit get MeContext=hrzgiacie00007,ManagedElement=hrzgiacie00007,SystemFunctions=1,SysM=1,NetconfTls=1

2. If it is locked, then unlock it.

cmedit set MeContext=hrzgiacie00007,ManagedElement=hrzgiacie00007,SystemFunctions=1,SysM=1,NetconfTls=1 administrativeState=UNLOCKED

Steps

1. Perform online enrollment for the node.

secadm cert issue -ct OAM -xf file:<End_Entity_xml File>

Sample file: OAM_Certificate_Realnode.xml
<Nodes>
<Node>
<NodeFdn>hrzgiacie00007</NodeFdn>
</Node>
</Nodes>

Result: A link is displayed.


2. Click the link generated as result of Step 1 to check the enrollment job status.

Result: If Job Status is COMPLETED and Workflow Status is SUCCESS, the enrollment of the node is done; continue to the next step. If not, contact Ericsson Local Support.

3. When the node has successfully enrolled, switch it from SSH to TLS.

a. Turn off CM supervision:

cmedit set NetworkElement=hrzgiacie00007,CmNodeHeartbeatSupervision=1 active=false

b. Set transportProtocol in the ComConnectivityInformation MO to TLS and port to 6513.

cmedit set NetworkElement=hrzgiacie00007,ComConnectivityInformation=1 transportProtocol="TLS"
cmedit set NetworkElement=hrzgiacie00007,ComConnectivityInformation=1 port=6513

c. Turn on CM supervision:

cmedit set NetworkElement=hrzgiacie00007,CmNodeHeartbeatSupervision=1 active=true

d. Check the syncStatus:

cmedit get NetworkElement=hrzgiacie00007,CmFunction=1

Result: The syncStatus attribute of the CmFunction MO must be SYNCHRONIZED.

e. Verify the ComConnectivityInformation MO and check that the protocol is TLS.

cmedit get NetworkElement=hrzgiacie00007,ComConnectivityInformation=1

6.8.17.2 Offline Enrollment for Controller6610

End Entity Creation

Steps

1. Check Entity Profile.

a. List all the Entity Profiles already present in ENM PKI system.


pkiadm pfm --list -type entity

b. The highlighted profile must be available in the command output.

The highlighted profile is the default profile used when OAM Enrollment is performed for Controller6610 Nodes.

2. Prepare the XML file for the End Entity Creation.

a. A different End Entity must be created for each Controller6610 Node.
b. The End Entities are created from an XML file. The template for the XML follows:

Template.xml
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NODE-OAM</Name>
</Category>
<EntityInfo>
<Name>NetworkElementID-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>NetworkElementID-oam</Value>
</SubjectField>
</Subject>
</EntityInfo>
</Entity>
</Entities>

In XML creation, the following rules must be followed:

— In the <EntityInfo> tag, the <Name> must be NetworkElementID-oam.

The NetworkElementID is the identifier that the user must use at the end of this procedure when the Controller6610 node is added in ENM.

— In the <EntityInfo><Subject><SubjectField> tag of type COMMON_NAME, the <Value> must be NetworkElementID-oam.

The NetworkElementID is the identifier that the user must use at the end of this procedure when the Controller6610 Node is added in ENM.

The following file is an example of the XML used to generate the End Entity for the Controller6610 with Network Element ID=hrzgiacie00007.

hrzgiacie00007-oam.xml
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NODE-OAM</Name>
</Category>
<EntityInfo>
<Name>hrzgiacie00007-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>hrzgiacie00007-oam</Value>
</SubjectField>
</Subject>
</EntityInfo>
</Entity>
</Entities>


3. Save the XML file.

The suggested name for the file is hrzgiacie00007-oam.xml.

4. Create the End Entity.


Drag and drop the XML file created in Step 2 into the ENM CLI app and run
the following command to create the End Entity:

pkiadm etm -c -xf file:EE_NetworkElementID-oam.xml

5. Verify the End Entity creation.

a. Verify that the End Entity has been created by listing all the End
Entities in the ENM PKI system:

pkiadm etm -l -type ee

b. Click PKI Entity Management in ENM launcher page.

i. The End Entity must be present in the list of End Entities.

The End Entity must be created with name hrzgiacie00007-oam and its status is NEW. In the following example, there is the EE related to the Controller6610 node with ID 'hrzgiacie00007'.

ii. Select the required entity and click Issue to download the
certificate in P12 format.


Note: Save the credentials so that they can be used while performing offline enrollment. Upload the downloaded P12 file to a URI (sftp://root@ipaddress/var/tmp/hrzgiacie00007-oam.p12).

Result: The entity status is "Active" with one certificate assigned to it.

6. Connect to the node (PuTTY/NodeCLI/AMOS). Enter the node credentials to connect to the node in AMOS. Execute the following commands in the AMOS application (launch AMOS from Network Explorer by selecting the node).

Run the following steps to perform offline enrollment:


a. HRZGIACIE00007> acl nodecredential

b. HRZGIACIE00007> acc 454 installCredentialFromUri

Parameter 1 of 4, URI (string): sftp://root@ipaddress/var/tmp/hrzgiacie00007-oam.p12

Parameter 2 of 4, uriPassword (derivedRef-RcsCertM.EcimPasswordString): ******* (root password)

Parameter 3 of 4, credentialPassword (derivedRef-RcsCertM.EcimPasswordString): *************** (password provided at the preceding step)

Parameter 4 of 4, fingerprint (derivedRef-RcsCertM.Fingerprint): 72:59:bc:ae:9b:15:7e:dc:ad:15:52:e0:8f:43:ab:7b:ef:38:a2:b4

Note: If the fingerprint value is not known, enter a dummy value in the first attempt. This fails the polling, as the fingerprint does not match. Then repeat the preceding step with the correct fingerprint value that is obtained.

6.8.17.3 LDAP Configuration on Controller6610 Node

1. Perform the prerequisite verification.


a. Verify that the following MO contains empty ldapAuthenticationUserName and ldapAuthenticationUserPassword.

»cmedit get MeContext=<NodeName>,ManagedElement=<NodeName>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
FDN : MeContext=NodeName,ManagedElement=NodeName,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
baseDn :
bindDn : null
bindPassword : {password=, cleartext=true}
fallbackLdapIpAddress : null
ldapId : 1
ldapIpAddress :
nodeCredential : null
profileFilter : null
serverPort : null
tlsMode : LDAPS
trustCategory : null
useReferrals : false
userLabel : null
useTls : true

b. Verify that LDAP authentication is not active.

»cmedit get MeContext=<NodeName>,ManagedElement=<NodeName>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1
FDN : MeContext=RouterLDAP,ManagedElement=<NodeName>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1
administrativeState : LOCKED
ldapAuthenticationMethodId : 1

c. Verify that the node is in Sync.

»cmedit get NetworkElement=<NodeName>,CmFunction=1

2. Create an XML file (NodeName_ldapConfig_LDAPS.xml), using the following template, to configure LDAP on the node from ENM.

Example

3. Drag and drop the XML file created above into the ENM CLI and run the following command to configure LDAP.

secadm ldap configure --xmlfile file:"NodeName_ldapConfig_LDAPS.xml"

a. Verify that LDAP is correctly configured using the following command.

»cmedit get MeContext=hrzgiacie00007,ManagedElement=hrzgiacie00007,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

b. Verify that the value of the profileFilter attribute is set to ERICSSON_FILTER. If not, set it using the following command.

cmedit set ManagedElement=hrzgiacie00007,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1 profileFilter=ERICSSON_FILTER

c. Configure trustCategory and nodeCredential on the Ldap MO (do this only if offline enrollment is performed).

cmedit set MeContext=hrzgiacie00007,ManagedElement=hrzgiacie00007,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1 trustCategory=<fdn of trustCategory MO>

cmedit set MeContext=hrzgiacie00007,ManagedElement=hrzgiacie00007,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1 nodeCredential=<fdn of node-credential MO>

d. Set the administrativeState of the LdapAuthenticationMethod MO to UNLOCKED to activate LDAP authentication on the node.

cmedit set MeContext=hrzgiacie00007,ManagedElement=hrzgiacie00007,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1 administrativeState=UNLOCKED

4. Enable LDAP user and toggle CM Supervision in ENM.

a. Stop CM Supervision.

»cmedit set NetworkElement=hrzgiacie00007,CmNodeHeartbeatSupervision=1 active=false

b. Verify that the node is in UNSYNCHRONIZED state.

»cmedit get NetworkElement=hrzgiacie00007,CmFunction=1

c. Enable ldapUser for the node so that ENM uses ldapApplicationUser for authentication.

»secadm credentials update --ldapuser enable --nodelist hrzgiacie00007

d. Verify that the ldapApplicationUserName and ldapApplicationUserPassword fields are populated.

»cmedit get NetworkElement=hrzgiacie00007,SecurityFunction=1,NetworkElementSecurity=1

e. Start CM Supervision.

cmedit set NetworkElement=hrzgiacie00007,CmNodeHeartbeatSupervision=1 active=true

f. Verify that the node is in SYNCHRONIZED status, which shows that LDAP authentication on the node is successful.

cmedit get NetworkElement=hrzgiacie00007,CmFunction=1

6.8.18 End to End Enrollment Procedures for ESC Node

6.8.18.1 Online Enrollment Procedure for ESC Node

This section describes the online enrollment procedure for the ESC node.

Prerequisites
— The user has access to the ENM CLI as an authorized user.

— This user has NodeSecurity_Administrator role assigned.

Steps

1. Check the administrativeState of NetconfTLS.

cmedit get MeContext=<node Name>,ManagedElement=<node Name>,SystemFunctions=1,SysM=1,NetconfTls=1

2. Unlock it if the administrativeState is locked.

cmedit set MeContext=<node Name>,ManagedElement=<node Name>,SystemFunctions=1,SysM=1,NetconfTls=1 administrativeState=UNLOCKED

3. Issue the certificate for the node.

secadm certificate issue -ct OAM -xf file:<OAM_Certificate_Realnode File>


Example
Sample XML file: OAM_Certificate_Realnode.xml

<Nodes>
<Node>
<NodeFdn><node Name></NodeFdn>
</Node>
</Nodes>

Result: A link is displayed.

4. Click the link generated as result of Step 3 to check the enrollment job status.
— If the job status is COMPLETED and workflow status is SUCCESS, the
enrollment of the node is done. Continue to the next step.

— If the node enrollment is not done, contact Ericsson Local Support.

5. Switch the node from SSH to TLS, when the node has successfully enrolled.

a. Turn off CM supervision.

cmedit set NetworkElement=<node Name>,CmNodeHeartbeatSupervision=1 active=false

b. Set transportProtocol in the EscConnectivityInformation MO to TLS and port to 6513.

cmedit set NetworkElement=<node Name>,EscConnectivityInformation=1 transportProtocol="TLS"
cmedit set NetworkElement=<node Name>,EscConnectivityInformation=1 port=6513

6. Turn on CM supervision.

cmedit set NetworkElement=<node Name>,CmNodeHeartbeatSupervision=1 active=true

7. Check the syncStatus.

cmedit get NetworkElement=<node Name>,CmFunction=1

Result: The syncStatus attribute of the CmFunction MO must be SYNCHRONIZED.

8. Verify the EscConnectivityInformation MO and check that the protocol is TLS.

cmedit get NetworkElement=<node Name>,EscConnectivityInformation=1


6.8.18.2 Offline Enrollment Procedure for ESC Node

This section describes the offline enrollment procedure for the ESC node.

The operator must generate the node credential and trusted credentials
manually, and install them on the node, with the offline procedure.

The described procedure is applicable for OAM Enrollment only.

Prerequisites
— The user has access to the ENM CLI as an authorized user.

— This user has NodeSecurity_Administrator, NodeCLI_Administrator, and PKI_Administrator roles assigned.

Steps

1. Check that DUSGen2OAM_CHAIN_EP exists.

Use the following command to verify that the DUSGen2OAM_CHAIN_EP profile exists:

pkiadm pfm --list -type entity --name DUSGen2OAM_CHAIN_EP

The highlighted DUSGen2OAM_CHAIN_EP profile must be available in the command output:

Table 11
Id   Profile Name           Profile Type
74   DUSGen2OAM_CHAIN_EP    ENTITY_PROFILE

2. Prepare the XML file for the End Entity creation.


A different End Entity must be created for each ESC node in ENM. In the
following template, NetworkElementID must be replaced with the name of
the node.

The End Entities are created starting from an XML file. The XML template is
the following:

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>NetworkElementID-OAM</Name>
</Category>
<EntityInfo>
<Name>NetworkElementID-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>NetworkElementID-oam</Value>
</SubjectField>
</Subject>
</EntityInfo>
</Entity>
</Entities>

Note: In the above XML, the values for ORGANIZATION, ORGANIZATION_UNIT and COUNTRY_NAME must be changed to appropriate values specific to the deployment.

Save the XML file. The suggested name for the file is EE_NetworkElementID-oam.xml.

3. Create the End Entity.


Drag and drop the XML file created in Step 2 into the ENM CLI and run the
following command:

pkiadm etm -c -xf file:EE_NetworkElementID-oam.xml

4. Verify the End Entity creation using ENM CLI.


List all the End Entities in the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities. The End Entity
must be created with name NetworkElementID-oam and its status is NEW.

Example
In this example, the End Entity is related to ESC node with
NetworkElementID ESC_220-oam.

Note: ESC_220 is the node name which is used to perform the offline
enrollment.


5. Download Trusted Credentials.


For OAM connectivity with NETCONF over TLS, the following trusted CA
credentials must be on the node:
— NE_OAM_CA

— ENM_OAM_CA

— ENM_Infrastructure_CA

— ENM_PKI_Root_CA

Run the following commands in the ENM CLI to download the credentials in
PEM format:

pkiadm ctm CACert -expcert -en NE_OAM_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_OAM_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_Infrastructure_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM

The certificates are downloaded to the user local client.

The certificates must be moved to a server that can be reached via SFTP from the node; this server is used in the next step.

6. Install the trusted credentials on the node.

The CA certificates downloaded in Step 5 must be installed on the node using the following command (shown here for ENM_PKI_Root_CA):

Note: User "root" and path /root/tmp are for example purposes only. Change them according to the SFTP user configuration on the SFTP server.

#Node> action ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1 installTrustedCertFromUri sftp://root@<ServerIP>:22/root/tmp/ENM_PKI_Root_CA.pem <PASSWORD> NULL

7. Create the node credential.


The node credential must be created on the node using the following commands:

#Node> startTransaction t
#Node> createMO t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1
#Node> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 subjectName "CN='imenode'"
#Node> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 keyInfo RSA_2048
#Node> commit t
#Node> endt t

8. Create CSR to a URI.


The CSR file must be generated on the node. The CSR file is uploaded to a server that can be reached via SFTP.

#Node> action ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 startOfflineCsrEnrollment sftp://root@<Server_IP>:22/root/tmp/node_csr.csr <Password> XXXX

9. Get the status of the certificate.

#Node> getMoAttribute ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 certificateState

The output must be as follows:

ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1; certificateState="NOT_VALID_YET"
OperationSucceeded

10. Generate the End Entity credential.

Download the previous CSR file, drag and drop it into the ENM CLI, and execute the following command to generate the End Entity credential in PEM format.

pkiadm ctm EECert -gen -en NetworkElementID-oam -csr file:<csr-file> -f PEM

In the command, NetworkElementID-oam is the name of the entity created in Step 3.

The command downloads a PEM file with the name NetworkElementID-oam.pem.

This PEM file is the certificate produced when the CA signs the CSR.

11. Install the node certificate after the CSR has been signed by the CA.

#Node> action ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 installCredentialFromUri sftp://root@<Server_IP>:22/root/tmp/node_csr.csr NetworkElementID-oam.pem <Password> NULL NULL

12. Verify the enrollment progress on the node.

Verify that the enrollment is 100% done after the certificate is installed.

#Node> getm ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1

13. Configure trust-category on the node (if not existing).

#Node %> createMO t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1 trustedCertificates[0] "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=1"
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1 trustedCertificates[1] "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=2"
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1 trustedCertificates[2] "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=3"
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1 trustedCertificates[3] "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=4"

14. Configure TLS on the node.

#Node > startTransaction t
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SysM=1,NetconfTls=1 nodeCredential "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1"
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SysM=1,NetconfTls=1 administrativeState UNLOCKED
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SysM=1,NetconfTls=1 trustCategory
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SysM=1,NetconfTls=1 trustCategory "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
#Node %> commit t
#Node %> endTransaction t

15. Switch the node to TLS in ENM.


As the node is successfully enrolled offline, switch it from SSH to TLS.

a. Turn off CM supervision.

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=false

b. Set transportProtocol in the EscConnectivityInformation MO to TLS.

cmedit set NetworkElement=<nodeName>,EscConnectivityInformation=1 transportProtocol="TLS"

c. Set port in the EscConnectivityInformation MO to 6513.

cmedit set NetworkElement=<nodeName>,EscConnectivityInformation=1 port=6513

d. Turn on CM supervision.

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=true

e. Check that the syncStatus of the CmFunction MO is SYNCHRONIZED.

cmedit get NetworkElement=<nodeName>,CmFunction=1

f. Verify the EscConnectivityInformation MO and check that the protocol is TLS.

cmedit get NetworkElement=<nodeName>,EscConnectivityInformation=1

6.8.19 End to End Enrollment Procedures for SCU Node

6.8.19.1 Online Enrollment Procedure for SCU Node

This section describes the online enrollment procedure for the SCU node.

Prerequisites
— The user has access to the ENM CLI as an authorized user.

— This user has NodeSecurity_Administrator role assigned.

— In the following, SCU_124 is the <node Name> used for the examples.

Steps

1. Check the administrativeState of NetconfTLS.

cmedit get MeContext=<node Name>,ManagedElement=<node Name>,SystemFunctions=1,SysM=1,NetconfTls=1

2. Unlock it if the administrativeState is locked.

cmedit set MeContext=<node Name>,ManagedElement=<node Name>,SystemFunctions=1,SysM=1,NetconfTls=1 administrativeState=UNLOCKED

3. Issue the certificate for the node.

secadm cert issue -ct OAM -xf file:<End_Entity_xml File>

Sample XML file: OAM_Certificate_Realnode.xml

<Nodes>
<Node>
<NodeFdn>SCU_124</NodeFdn>
</Node>
</Nodes>

Result: A link is displayed.

4. Click the link generated as result of Step 3 to check the enrollment job status.

Result: If the Job Status is COMPLETED and the Workflow Status is SUCCESS, the enrollment of the node is done. Continue to the next step.

5. Switch it from SSH to TLS with the following steps, when the node has
successfully enrolled.

a. Turn off CM supervision.

cmedit set NetworkElement=<node Name>,CmNodeHeartbeatSupervision=1 active=false

b. Set transportProtocol in the EscConnectivityInformation MO to TLS and port to 6513.

cmedit set NetworkElement=<node Name>,EscConnectivityInformation=1 transportProtocol="TLS"
cmedit set NetworkElement=<node Name>,EscConnectivityInformation=1 port=6513

c. Turn on CM supervision.

cmedit set NetworkElement=<node Name>,CmNodeHeartbeatSupervision=1 active=true

d. Check the syncStatus.

cmedit get NetworkElement=<node Name>,CmFunction=1

Result: The syncStatus attribute of the CmFunction MO must be SYNCHRONIZED.

e. Verify the EscConnectivityInformation MO and check that the protocol is TLS.

cmedit get NetworkElement=<node Name>,EscConnectivityInformation=1

6.8.19.2 Offline Enrollment Procedure for SCU Node

This section describes the offline enrollment procedure for the SCU node.

The node credential and trusted credentials must be generated manually and
then installed on the node in an offline manner.

The described procedure is applicable for OAM Enrollment only.

216 2/1543-AOM 901 151-2 Uen DE | 2023-01-31


Node Certificate Administrative Tasks

Prerequisites
— The user has access to the ENM CLI as an authorized user.

— The user has NodeSecurity_Administrator, NodeCLI_Administrator, and PKI_Administrator roles assigned.

Steps

1. Check Entity Profile.


List all the Entity Profiles already present in ENM PKI.

pkiadm pfm --list -type entity

The highlighted profile must be available in the command output:

2. Prepare the XML file for the End Entity creation.


A different End Entity must be created for each SCU node in ENM. The End
Entities are created starting from an XML file.

The template for the XML file is the following. In the template,
NEtworkElementID needs to be replaced with the name of the node.

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>SCU_72-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>SCU_72-oam</Value>
        </SubjectField>
      </Subject>
    </EntityInfo>
  </Entity>
</Entities>

3. Save the XML file.

The suggested name for the file is EE_NetworkElementID-oam.xml.

4. Create the End Entity.

Drag and drop the XML file created in Step 2 into the ENM CLI and run the
following command:

pkiadm etm -c -xf file:EE_NetworkElementID-oam.xml

5. Verify the End Entity creation using the ENM CLI.

List all the End Entities in the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities. The End Entity
must be created with name NetworkElementID-oam and its status is NEW.

Example
In this example, the End Entity is related to the SCU node with ID SCU_72-oam.

6. Download Trusted Credentials.

For OAM connectivity with NETCONF over TLS, the following trusted CA
credentials must be on the node:
— NE_OAM_CA

— ENM_OAM_CA

— ENM_Infrastructure_CA

— ENM_PKI_Root_CA

Run the following commands in the ENM CLI to download the credentials in
PEM format:

pkiadm ctm CACert -expcert -en NE_OAM_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_OAM_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_Infrastructure_CA -f PEM
pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM

7. Install the trusted credentials on the node.

The CA certificates downloaded in Step 6 must be installed on the node using
the following command. The example shows ENM_PKI_Root_CA.pem.

Note: User root and path /root/tmp are for example purposes only.
Change them as per the SFTP user configuration on the SFTP server.

#Node> action ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1 installTrustedCertFromUri sftp://root@<ServerIP>:22/root/tmp/ENM_PKI_Root_CA.pem <PASSWORD> NULL

8. Create the node credential.

The node credential must be created on the node using the following commands:

#Node> startTransaction t
#Node> createMO t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1
#Node> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 subjectName "CN='imenode'"
#Node> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 keyInfo RSA_2048
#Node> commit t
#Node> endTransaction t

9. Create CSR to a URI.

The CSR file must be generated on the node. The CSR file is uploaded to a server
that the node can reach via SFTP; this server is used in this step.

#Node> action ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 startOfflineCsrEnrollment sftp://root@<Server_IP>:22/root/tmp/node_csr.csr <Password> XXXX

10. Get the status of the certificate.

#Node> getMoAttribute ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 certificateState

The output must be as follows:

ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1; certificateState="NOT_VALID_YET"
OperationSucceeded

11. End Entity Credential Generation.

Download the CSR file that was uploaded in Step 9, drag and drop it into the
ENM CLI, and execute the following command to generate the End Entity
credential in PEM format.

pkiadm ctm EECert -gen -en NetworkElementID-oam -csr file:<csr-file> -f PEM

In the command, NetworkElementID-oam is the name of the entity created
in Step 4.

The command downloads a PEM file with the name NetworkElementID-oam.pem.

Generating the PEM file from the CSR is the signing step: the resulting PEM
file is the node certificate signed by the CA.

12. Install the node certificate after the CSR was signed by the CA.

#Node> action ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 installCredentialFromUri sftp://root@<Server_IP>:22/root/tmp/node_csr.csr SCU_72-oam.pem <password> NULL NULL

13. Verify the enrollment progress on the node.

Verify that the enrollment is 100% done after the certificate is installed.

#Node> action ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1 installCredentialFromUri sftp://root@<Server_IP>:22/root/tmp/node_csr.csr SCU_72-oam.pem <PASSWORD> NULL NULL

14. Configure trust-category on the node (if not existing).

#Node %> createMO t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1 trustedCertificates[0] "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=1"
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1 trustedCertificates[1] "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=2"
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1 trustedCertificates[2] "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=3"
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1 trustedCertificates[3] "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=4"

15. Configure TLS on the node.

#Node> startTransaction t
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SysM=1,NetconfTls=1 nodeCredential "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1"
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SysM=1,NetconfTls=1 administrativeState UNLOCKED
#Node %> setMOAttribute t ManagedElement=1,SystemFunctions=1,SysM=1,NetconfTls=1 trustCategory "ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
#Node %> commit t
#Node %> endTransaction t

16. Switch the node to TLS in ENM.

As the node is successfully enrolled offline, switch it from SSH to TLS.

a. Turn off CM supervision.

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=false

b. Set transportProtocol in the EscConnectivityInformation MO to TLS.

cmedit set NetworkElement=<nodeName>,EscConnectivityInformation=1 transportProtocol="TLS"

c. Set port in the EscConnectivityInformation MO to 6513.

cmedit set NetworkElement=<nodeName>,EscConnectivityInformation=1 port=6513

d. Turn on CM supervision.

cmedit set NetworkElement=<nodeName>,CmNodeHeartbeatSupervision=1 active=true

e. Check that the syncStatus of the CmFunction MO is SYNCHRONIZED.

cmedit get NetworkElement=<nodeName>,CmFunction=1

f. Verify the EscConnectivityInformation MO and check that the transport
protocol is TLS.

cmedit get NetworkElement=<nodeName>,EscConnectivityInformation=1

6.8.20 End to End Enrollment for Citizens Broadband Radio Service Domain
Coordinator Standalone (CBRS DC SA)

6.8.20.1 Online Enrollment Procedure for CBRS DC SA

The operator starts the CBRS DC SA enrollment through the CMPv2 protocol,
obtaining the certificate from PKI-RA.

This procedure is only applicable for OAM enrollment. Do not use it for IPsec
enrollment.

Details of the operations are available in the document Manage Security,
Reference [16].

Prerequisites

— ADMINISTRATOR role to access the ENM CLI.

— Knowledge of Configuring CBRS DC SA.

Steps

The online procedure is based on two main steps:

— End Entity creation and credential generation from ENM for HTTPS traffic.

— CBRS DC SA configuration.

At the end of the procedure, connectivity is possible between ENM and CBRS
DC SA.

1. Launch ENM CLI from ENM Launcher.

2. Check if the required Entity Profiles ENM_System_HTTPS_SBI_EP and
ENM_System_SBI_COM_TPFC_EP exist.

Verify if ENM_System_HTTPS_SBI_EP is present in the ENM PKI system:

pkiadm pfm --list -type entity --name ENM_System_HTTPS_SBI_EP

Sample output:

Figure 41

Verify if ENM_System_SBI_COM_TPFC_EP is present in the ENM PKI system:

pkiadm pfm --list -type entity --name ENM_System_SBI_COM_TPFC_EP

Sample output:

Figure 42

These are the default profiles used when OAM Enrollment is performed for
CBRS DC SA.

3. Create CBRS DC SA Trust Profile.

a. Create a Trust Profile XML file called CBRS_DC_SA_TP.xml.

<?xml version="1.0" encoding="UTF-8"?>
<Profiles xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ProfilesSchema.xsd">
  <TrustProfile Name="CBRS_DC_SA_TP">
    <ProfileValidity>2111-03-01</ProfileValidity>
    <Modifiable>true</Modifiable>
    <TrustCAChain>
      <IsChainRequired>true</IsChainRequired>
      <InternalCA>
        <CertificateAuthority>
          <Name>ENM_OAM_CA</Name>
        </CertificateAuthority>
      </InternalCA>
    </TrustCAChain>
  </TrustProfile>
</Profiles>

b. Drag and drop the CBRS_DC_SA_TP.xml on the ENM CLI.

pkiadm profilemgmt --create --xmlfile file:CBRS_DC_SA_TP.xml

c. Check that the Trust Profile is created.

pkiadm profilemgmt --view --profiletype trust --name CBRS_DC_SA_TP

Result: CBRS_DC_SA_TP Trust Profile is successfully created.

4. Create CBRS DC SA Entity Profile.

a. Create an Entity Profile XML file called CBRS_DC_SA_EP.xml.

<?xml version="1.0" encoding="UTF-8"?>
<Profiles xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ProfilesSchema.xsd">
  <EntityProfile Name="CBRS_DC_SA_EP">
    <ProfileValidity>2111-03-01</ProfileValidity>
    <Modifiable>true</Modifiable>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>node-oam</Name>
    </Category>
    <Subject>
      <SubjectField>
        <Type>COMMON_NAME</Type>
        <Value>?</Value>
      </SubjectField>
      <SubjectField>
        <Type>ORGANIZATION</Type>
        <Value>ERICSSON</Value>
      </SubjectField>
      <SubjectField>
        <Type>COUNTRY_NAME</Type>
        <Value>SE</Value>
      </SubjectField>
      <SubjectField>
        <Type>ORGANIZATION_UNIT</Type>
        <Value>BUCI_DUAC_NAM</Value>
      </SubjectField>
    </Subject>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <CertificateProfile Name="ENM_System_HTTPS_SBI_CP" />
    <TrustProfile Name="CBRS_DC_SA_TP" />
    <KeyUsage>
      <Critical>true</Critical>
      <SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
      <SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
      <SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
    </KeyUsage>
  </EntityProfile>
</Profiles>

b. Drag and drop the CBRS_DC_SA_EP.xml on the ENM CLI.

pkiadm profilemgmt --create --xmlfile file:CBRS_DC_SA_EP.xml

c. Check if the Entity Profile is created.

pkiadm profilemgmt --view --profiletype entity --name CBRS_DC_SA_EP

Result: CBRS_DC_SA_EP Entity Profile is successfully created.

5. Prepare the XML file for End Entity creation.

A different End Entity must be created for each CBRS DC SA instance. The
End Entity is created starting from an XML file. The following is the template
for the XML file.

<?xml version="1.0" encoding="UTF-8"?>
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="CBRS_DC_SA_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>CBRS_DC_SA_<ID>-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value><REPLACE WITH - User's Organization></Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value><REPLACE WITH - User's Organization Unit></Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value><REPLACE WITH - User Country's Alpha 2 Code per ISO 3166></Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>CBRS_DC_SA_<ID>-oam</Value>
        </SubjectField>
      </Subject>
      <OTP><REPLACE WITH - user defined one time password></OTP>
      <OTPCount>5</OTPCount>
      <Issuer>
        <Name>ENM_OAM_CA</Name>
      </Issuer>
    </EntityInfo>
    <OTPValidityPeriod>1440</OTPValidityPeriod>
  </Entity>
</Entities>

During the XML creation, the following rules must be respected:

— In the <EntityInfo> tag, the <Name> must be <CBRS_DC_SA_<ID>-oam>.

The <CBRS_DC_SA_<ID>> is the identifier that the user must use at the
end of this procedure, when the CBRS DC SA is connected in ENM. <ID>
is defined by the operator.

The ID must clearly indicate the name of the ENM managing this CBRS
DC SA instance.

— In the <EntityInfo><SubjectField> tag for type <Type>COMMON_NAME</Type>,
the <Value> must be replaced with <CBRS_DC_SA_<ID>-oam>.

— Create a one time password to be used for this End Entity and set this as
the value for the <OTP> tag. This same password must be used again in
Step 12.

Note: This one time password expires 24 hours after the End Entity
is created. If it has not been used by then, another End Entity
needs to be created, because this password is used during the
installation of CBRS DC SA.

— In the <EntityInfo><SubjectField> tags for types <Type>ORGANIZATION</Type>,
<Type>ORGANIZATION_UNIT</Type>, and <Type>COUNTRY_NAME</Type>, the <Value>
of these tags must be specific to the site of the installer.

Save the created XML file. The suggested name for the file is
EE_CBRS_DC_SA_<ID>-oam.xml. For example, EE_CBRS_DC_SA_ENM_ATH_1-oam.xml.

Example

<?xml version="1.0" encoding="UTF-8"?>
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="CBRS_DC_SA_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>CBRS_DC_SA_ENM_ATH_1-oam</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI_DUAC_NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>CBRS_DC_SA_ENM_ATH_1-oam</Value>
        </SubjectField>
      </Subject>
      <OTP>password</OTP>
      <OTPCount>5</OTPCount>
      <Issuer>
        <Name>ENM_OAM_CA</Name>
      </Issuer>
    </EntityInfo>
    <OTPValidityPeriod>1440</OTPValidityPeriod>
  </Entity>
</Entities>

6. Create the End Entity.

Drag and drop the XML file into the ENM CLI.

pkiadm etm -c -xf file:EE_CBRS_DC_SA_<ID>-oam.xml

7. Verify the End Entity Creation.

Verify that the End Entity has been created by listing all the EEs in the ENM
PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.
The End Entity must be created with name <CBRS_DC_SA_<ID>-oam> and its
status is NEW.

8. Retrieve End Entity Subject DN.

This is needed when creating the CMPv2 configuration file in Step 12.

The DN must have the following format:

CN=<COMMON_NAME>,C=<COUNTRY_NAME>,O=<ORGANIZATION>,OU=<ORGANIZATION_UNIT>

Replace the values in <> with the following values taken from
EE_CBRS_DC_SA_<ID>-oam.xml:

COMMON_NAME=<EntityInfo.Subject.COMMON_NAME.value>

COUNTRY_NAME=<EntityInfo.Subject.COUNTRY_NAME.value>

ORGANIZATION=<EntityInfo.Subject.ORGANIZATION.value>

ORGANIZATION_UNIT=<EntityInfo.Subject.ORGANIZATION_UNIT.value>

9. Get CMPv2 Server URI.

For Cloud Native ENM, retrieve the IP needed for the CMPv2ServerURL by
running the following Kubernetes command:

kubectl --namespace <cENM-namespace> get ericingress pkiraserv

The IP needed is listed beside pkiraserv under the VIRTUAL-SERVICE
column. The following is an example of the command output:

:~# kubectl --namespace enm124 get ericingress pkiraserv
NAME        VIRTUAL-SERVICE       BACKENDS
pkiraserv   10.120.237.161:8090   ["192.168.10.141:8090","192.168.12.176:8090","192.168.194.162:8090","192.168.221.29:8090"]

In this example, the IP address is 10.120.237.161; the port number is not
needed.

For Physical ENM Deployment, see the section Fetch CMPv2ServerURL on
page 365.

Choose IPv4 or IPv6, according to the Node IP stack.

10. Go back to the ENM CLI and fetch the CMPv2 issuing Certificate Authority Name:

a. Retrieve the subjectDN of ENM_OAM_CA.

pkiadm ctm CACert -l -en ENM_OAM_CA

b. Copy the subjectDN and use the same value as input for certificate-authority.
The subjectDN is the value shown in the Subject column of the table
returned by the previous command.

11. Get Root CA PEM.

a. Retrieve the ENM_PKI_Root_CA active certificate via the ENM CLI.

pkiadm certmgmt CACert --exportcert --entityname ENM_PKI_Root_CA --format PEM

This command downloads the ENM_PKI_Root_CA active certificate in
PEM format. For example, ENM_PKI_Root_CA.pem.

12. Create the CMPv2 configuration JSON file to load into CBRS DC SA.
The file must be named eric-sec-certm-deployment-configuration.json.

Sample of eric-sec-certm-deployment-configuration.json:

{
  "ca-certs": [
    {
      "name": "cbrsDcSaEnmCaCerts",
      "pem": "-----BEGIN CERTIFICATE-----\nMIIDaDCCAlCgAwIBAgIIO5KzyAd2XGowDQYJKoZIhvcNAQELBQAwUjEYMBYGA1UEAwwPRU5NX1BLSV9Sb290X0NBMREwDwYDVQQKDAhFUklDU1NPTjEWMBQGA1UECwwNQlVDSV9EVUFDX05BTTELMAkGA1UEBhMCU0UwHhcNMjIwNTA5MjIxNTU5WhcNMzIwNTA5MjIxNTU5WjBSMRgwFgYDVQQDDA9FTk1fUEtJX1Jvb3RfQ0ExETAPBgNVBAoMCEVSSUNTU09OMRYwFAYDVQQLDA1CVUNJX0RVQUNfTkFNMQswCQYDVQQGEwJTRTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJO+cbLpRy7yE6oeZWdkrg4vF9gXAZmbxOVRqMVd7RSBq8I0h7VUeBeZkvbnEr0hoO6aJdLbs2LiM/V4M+abkf0jNd8BpbDmF67Qef/fH82sQRj87B+tCKslZoZk5oPNDthFo951wH6qtqsAGC0C4MbKGdV6AZ1bk5wNBABKvdMeedV+N4cIxkXnLx+iD0V/SzVl0+TxTjjEwY+1mCt6vHd4ey8bh2wYVOo6txOeuWl5ISCUCWJi9fKjay9RXwh6oUgxcb0iou6tKGV+ZyuFxh34Bnun3S7EqAmqM1sCYUyCSSrcgDT2ro9ax1PtlWefRnFHBPWe0QuhTHslP7Q/P5ECAwEAAaNCMEAwHQYDVR0OBBYEFMHf0xR9fj0kNyLfRfP4BrwZg4jUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBCEHeCv3ZOTn5Wy8XQJ28ojIYmoHZdejYBOLMwk35UJiPRsgrBE9F2qsOljGfRLAqQPPIQgm0HW6qlLI5ie6Fj91Cb9eVs/yl+TXUTYaDLnAL6RU8EEL3uEsepO73qLfYnUcq6IpyBfX0mBlf6wPQoM70Vaksxf3dzFT51MJ1hmVXjhH7JfB9X5PTPKXz9hmIMks4BfLnmxVfXIQIPAngMSlfN8mV8OhFM+KayByrqgO9R9a1qr3m1o1NvX9rDEizCcVVPVgav96DLUwvHiFYDjaLttfW5xEFrAObPa9ZnewQLS20rN0CH/zwEJ90jQu47dxttzmSwHNlpbDjDLBeL\n-----END CERTIFICATE-----"
    }
  ],
  "certificate-authorities": {
    "certificate-authority": [
      {
        "name": "CN=ENM_OAM_CA"
      }
    ]
  },
  "cmp-server-groups": {
    "cmp-server-group": [
      {
        "name": "cmpGroupCbrsDcSaEnm",
        "cmp-server": [
          {
            "name": "cmpServerCbrsDcSaEnm",
            "ca-certs": "cbrsDcSaEnmCaCerts",
            "uri": "http://<IP>:8091/pkira-cmp/synch",
            "certificate-authority": "C=SE,OU=BUCI_DUAC_NAM,O=ERICSSON,CN=ENM_OAM_CA",
            "priority": 1,
            "ra-mode-enabled": false
          }
        ]
      }
    ]
  },
  "enrollments": [
    {
      "name": "cbrs-dc-sa-enm",
      "certificate-name": "cbrs-dc-sa-enm",
      "algorithm": "rsa2048",
      "cmp-server-group": "cmpGroupCbrsDcSaEnm",
      "subject": "CN=CBRS_DC_SA_ENM_ATH_1-oam,C=SE,O=ERICSSON,OU=BUCI_DUAC_NAM",
      "subject-alternative-names": [
        "DNS:eric-cbrs-dc-sa-hostname.com"
      ],
      "password": "password",
      "trusted-certs": "cbrsPubsDcSaEnmCaCerts"
    }
  ],
  "enrollment-retry-timeout": 60
}

During the JSON creation, the following rules must be respected:

— ca-certs:pem value is the Root CA PEM downloaded in Step 11.

Note: The PEM must be in one line. After downloading, it can be in
multiple lines. In this case, remove the line breaks so that it is on one line
only. \n must be inserted at the end of the header dashes and
at the beginning of the footer dashes, for example:

-----BEGIN CERTIFICATE-----\n

\n-----END CERTIFICATE-----

— cmp-server:uri is updated with the <IP> retrieved in Step 9.

— cmp-server:certificate-authority is the subjectDN retrieved in Step 10.

— enrollments:subject is the End Entity Subject DN retrieved in Step 8.

— enrollments:password has to be the same password used in
<EntityInfo.OTP> in EE_CBRS_DC_SA_<ID>-oam.xml defined in Step 5.

— enrollments:subject-alternative-names:DNS must have the following
value: eric-cbrs-dc-sa-hostname.com.

— Ensure that all the line endings in the eric-sec-certm-deployment-configuration.json
file are LF (Unix/Linux).
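The DN format of Step 8 and the rules of Step 12 can be applied mechanically. The following Python script is an added example, not part of this guide or of the CBRS DC SA product: it derives the End Entity subject DN from the EE XML in the Step 8 order, folds the downloaded Root CA PEM into one line, assembles the JSON of the sample above and reports any rule the result breaks. The EE XML, the PEM body, the IP address and the ENM_OAM_CA subjectDN used here are constructed sample values.

```python
import json
import xml.etree.ElementTree as ET

# Constructed stand-in for EE_CBRS_DC_SA_<ID>-oam.xml (Step 5), reduced to the fields read below.
EE_XML = """<Entities>
  <Entity>
    <EntityInfo>
      <Subject>
        <SubjectField><Type>ORGANIZATION</Type><Value>ERICSSON</Value></SubjectField>
        <SubjectField><Type>ORGANIZATION_UNIT</Type><Value>BUCI_DUAC_NAM</Value></SubjectField>
        <SubjectField><Type>COUNTRY_NAME</Type><Value>SE</Value></SubjectField>
        <SubjectField><Type>COMMON_NAME</Type><Value>CBRS_DC_SA_ENM_ATH_1-oam</Value></SubjectField>
      </Subject>
      <OTP>password</OTP>
    </EntityInfo>
  </Entity>
</Entities>"""

# Constructed stand-in for the multi-line ENM_PKI_Root_CA.pem of Step 11; the body is filler, not a certificate.
ROOT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDaDCCAlCgAwIBAgIIO5KzyAd2XGowDQYJKoZIhvcNAQELBQAwUjEYMBYGA1UE
AwwPRU5NX1BLSV9Sb290X0NBMREwDwYDVQQKDAhFUklDU1NPTg==
-----END CERTIFICATE-----"""

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
REQUIRED_SAN = "DNS:eric-cbrs-dc-sa-hostname.com"
# Step 8 fixes the attribute order of the End Entity subject DN.
DN_ORDER = (("CN", "COMMON_NAME"), ("C", "COUNTRY_NAME"),
            ("O", "ORGANIZATION"), ("OU", "ORGANIZATION_UNIT"))


def subject_dn(ee_xml):
    """Step 8: CN=<COMMON_NAME>,C=<COUNTRY_NAME>,O=<ORGANIZATION>,OU=<ORGANIZATION_UNIT>."""
    info = ET.fromstring(ee_xml).find("./Entity/EntityInfo")
    fields = {f.findtext("Type"): f.findtext("Value")
              for f in info.findall("./Subject/SubjectField")}
    return ",".join(f"{attr}={fields[key]}" for attr, key in DN_ORDER)


def entity_otp(ee_xml):
    """The one-time password from <EntityInfo><OTP>, reused as enrollments:password."""
    return ET.fromstring(ee_xml).findtext("./Entity/EntityInfo/OTP")


def one_line_pem(pem_text):
    """Fold a downloaded PEM into the Step 12 form: header, newline, body without
    line breaks, newline, footer (json.dumps writes the two newlines as \\n)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a single PEM certificate")
    return f"{PEM_HEADER}\n{''.join(lines[1:-1])}\n{PEM_FOOTER}"


def build_config(ee_xml, root_ca_pem, cmp_ip, ca_subject_dn):
    """Assemble the structure of the Step 12 sample with the page's rules applied."""
    ca_certs, group = "cbrsDcSaEnmCaCerts", "cmpGroupCbrsDcSaEnm"
    return {
        "ca-certs": [{"name": ca_certs, "pem": one_line_pem(root_ca_pem)}],
        "certificate-authorities": {"certificate-authority": [{"name": "CN=ENM_OAM_CA"}]},
        "cmp-server-groups": {"cmp-server-group": [{"name": group, "cmp-server": [{
            "name": "cmpServerCbrsDcSaEnm",
            "ca-certs": ca_certs,
            "uri": f"http://{cmp_ip}:8091/pkira-cmp/synch",   # IP from Step 9
            "certificate-authority": ca_subject_dn,            # subjectDN from Step 10
            "priority": 1,
            "ra-mode-enabled": False,
        }]}]},
        "enrollments": [{
            "name": "cbrs-dc-sa-enm",
            "certificate-name": "cbrs-dc-sa-enm",
            "algorithm": "rsa2048",
            "cmp-server-group": group,
            "subject": subject_dn(ee_xml),                      # Step 8 DN
            "subject-alternative-names": [REQUIRED_SAN],
            "password": entity_otp(ee_xml),                     # OTP from Step 5
            "trusted-certs": "cbrsPubsDcSaEnmCaCerts",          # as in the guide's sample
        }],
        "enrollment-retry-timeout": 60,
    }


def check_config(cfg, ee_xml):
    """Return the Step 12 rules a configuration violates; an empty list means compliant."""
    problems = []
    for c in cfg["ca-certs"]:
        pem = c["pem"]
        if not (pem.startswith(PEM_HEADER + "\n") and pem.endswith("\n" + PEM_FOOTER)
                and pem.count("\n") == 2):
            problems.append(f"ca-certs {c['name']}: PEM must be one line with \\n at header and footer")
    for grp in cfg["cmp-server-groups"]["cmp-server-group"]:
        for srv in grp["cmp-server"]:
            if "<" in srv["uri"] or ">" in srv["uri"]:
                problems.append(f"cmp-server {srv['name']}: uri still holds the <IP> placeholder")
    for enr in cfg["enrollments"]:
        for ok, msg in ((enr["subject"] == subject_dn(ee_xml), "subject differs from the End Entity DN"),
                        (enr["password"] == entity_otp(ee_xml), "password differs from <EntityInfo.OTP>"),
                        (enr["subject-alternative-names"] == [REQUIRED_SAN], f"SAN must be {REQUIRED_SAN}")):
            if not ok:
                problems.append(f"enrollment {enr['name']}: {msg}")
    return problems


def to_json_lf(cfg):
    """Serialise with LF line endings only, as the last Step 12 rule requires."""
    return json.dumps(cfg, indent=2).replace("\r\n", "\n") + "\n"
```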

13. Upload the secret manually.

On the environment where CBRS DC SA is to be deployed, run the following
command:

kubectl create secret generic eric-ran-security-service-init-certm-secret --namespace <NAMESPACE> --from-file=<path to file>/eric-sec-certm-deployment-configuration.json

Note: Replace <NAMESPACE> with the namespace where the CBRS DC
SA is installed.

14. Delete the secret.

Resume the installation of CBRS DC SA and then delete the secret after
successful deployment of CBRS DC SA to remove the sensitive data. This also
prevents having to redo the process in future service restarts when keys and
certificates are already present.

kubectl delete secret eric-ran-security-service-init-certm-secret --namespace <NAMESPACE>

Results
Once all the steps of the enrollment procedure are completed, a new End Entity
is created in ENM. A Kubernetes Secret, created using the JSON configuration file
(created in Step 12) that contains the credentials generated by ENM, exists in the
same namespace in the CBRS DC SA Kubernetes cluster.

6.8.21 E2E Offline Enrollment Procedure for MINI-LINK Outdoor Nodes

This procedure describes how to perform offline enrollment of MINI-LINK
Outdoor nodes.

Note: For all the nodes that support offline enrollment, an alarm must be
configured for certificate expiry notification to enable the user to renew
the certificate.

Prerequisites
It is required that:
— The user has knowledge of ENM.

— The user has knowledge of using the ENM CLI.

— The user has knowledge of PKI.

— The user has access to the ENM CLI as an authorized user.

— An End Entity has been created in the system.

— The operator has the ADMINISTRATOR role.

Overview
The offline procedure is based on three main steps:

1. End Entity Profile Creation

2. End Entity Creation

3. Offline Enrollment Procedure

6.8.21.1 Certificate Profile Creation

The Certificate Profile can be created using an XML file or using the PKI Profile
Management application.

6.8.21.1.1 Certificate Profile Creation Using Certificate Profile Creation XML

Steps

1. Prepare and save the XML for Certificate Profile Creation.

A single Certificate Profile can be used for all MINI-LINK nodes.

The Certificate Profile is created from an XML file. The template for the XML
is the following:

Certificate Profile XML Template
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profiles>
  <CertificateProfile Id="99" Name="MINI-LINK_Outdoor_CP">
    <Active>true</Active>
    <Modifiable>true</Modifiable>
    <ForCAEntity>false</ForCAEntity>
    <Version>V3</Version>
    <SignatureAlgorithm Id="3">
      <Name>SHA256withRSA</Name>
      <Supported>true</Supported>
    </SignatureAlgorithm>
    <KeyGenerationAlgorithm Id="28">
      <Name>ECDSA</Name>
      <KeySize>224</KeySize>
      <Type>ASYMMETRIC_KEY_ALGORITHM</Type>
      <OID>2.23.42.9.11.4.1</OID>
      <Supported>true</Supported>
    </KeyGenerationAlgorithm>
    <KeyGenerationAlgorithm Id="29">
      <Name>ECDSA</Name>
      <KeySize>256</KeySize>
      <Type>ASYMMETRIC_KEY_ALGORITHM</Type>
      <OID>2.23.42.9.11.4.1</OID>
      <Supported>true</Supported>
    </KeyGenerationAlgorithm>
    <KeyGenerationAlgorithm Id="23">
      <Name>RSA</Name>
      <KeySize>3072</KeySize>
      <Type>ASYMMETRIC_KEY_ALGORITHM</Type>
      <OID>1.2.840.113549.1.1.1</OID>
      <Supported>true</Supported>
    </KeyGenerationAlgorithm>
    <KeyGenerationAlgorithm Id="22">
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
      <Type>ASYMMETRIC_KEY_ALGORITHM</Type>
      <OID>1.2.840.113549.1.1.1</OID>
      <Supported>true</Supported>
    </KeyGenerationAlgorithm>
    <KeyGenerationAlgorithm Id="33">
      <Name>ECDSA</Name>
      <KeySize>512</KeySize>
      <Type>ASYMMETRIC_KEY_ALGORITHM</Type>
      <OID>2.23.42.9.11.4.1</OID>
      <Supported>true</Supported>
    </KeyGenerationAlgorithm>
    <KeyGenerationAlgorithm Id="31">
      <Name>ECDSA</Name>
      <KeySize>384</KeySize>
      <Type>ASYMMETRIC_KEY_ALGORITHM</Type>
      <OID>2.23.42.9.11.4.1</OID>
      <Supported>true</Supported>
    </KeyGenerationAlgorithm>
    <KeyGenerationAlgorithm Id="24">
      <Name>RSA</Name>
      <KeySize>4096</KeySize>
      <Type>ASYMMETRIC_KEY_ALGORITHM</Type>
      <OID>1.2.840.113549.1.1.1</OID>
      <Supported>true</Supported>
    </KeyGenerationAlgorithm>
    <CertificateValidity>P2Y</CertificateValidity>
    <Issuer>
      <PublishCertificatetoTDPS>false</PublishCertificatetoTDPS>
      <CertificateAuthority>
        <Id>17</Id>
        <Name>NE_OAM_CA</Name>
        <IsRootCA>false</IsRootCA>
        <CAStatus>NEW</CAStatus>
        <PublishToCDPS>false</PublishToCDPS>
        <IsIssuerExternalCA>false</IsIssuerExternalC>
      </CertificateAuthority>
    </Issuer>
    <SubjectUniqueIdentifier>false</SubjectUniqueIdentifier>
    <IssuerUniqueIdentifier>false</IssuerUniqueIdentifier>
    <SkewCertificateTime>PT30M</SkewCertificateTime>
    <CertificateExtensions>
      <CertificateExtension xsi:type="BasicConstraints" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Critical>true</Critical>
        <IsCA>false</IsCA>
      </CertificateExtension>
      <CertificateExtension xsi:type="AuthorityKeyIdentifier" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Critical>false</Critical>
        <AuthorityKeyIdentifierType>SUBJECT_KEY_IDENTIFIER</AuthorityKeyIdentifierType>
      </CertificateExtension>
      <CertificateExtension xsi:type="SubjectKeyIdentifier" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Critical>false</Critical>
        <KeyIdentifier>
          <KeyIdentifier>IssuerKeyIdentifier</KeyIdentifier>
          <Algorithm Id="44">
            <Name>160-BIT_SHA-1</Name>
            <Type>MESSAGE_DIGEST_ALGORITHM</Type>
            <Supported>true</Supported>
            <AlgorithmCategory>KEY_IDENTIFIER</AlgorithmCategory>
          </Algorithm>
        </KeyIdentifier>
      </CertificateExtension>
      <CertificateExtension xsi:type="CRLDistributionPoints" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Critical>false</Critical>
        <DistributionPoint>
          <DistributionPointName>
            <FullName>http://$FQDN_IPV4/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
          </DistributionPointName>
        </DistributionPoint>
        <DistributionPoint>
          <DistributionPointName>
            <FullName>http://$FQDN_IPV6/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
          </DistributionPointName>
        </DistributionPoint>
        <DistributionPoint>
          <DistributionPointName>
            <FullName>http://$FQDN_DNS/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
          </DistributionPointName>
        </DistributionPoint>
      </CertificateExtension>
      <CertificateExtension xsi:type="KeyUsage" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Critical>true</Critical>
        <SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
        <SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
        <SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
      </CertificateExtension>
      <CertificateExtension xsi:type="SubjectAltName" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Critical>false</Critical>
        <SubjectAltNameField>
          <Type>IP_ADDRESS</Type>
        </SubjectAltNameField>
      </CertificateExtension>
    </CertificateExtensions>
    <SubjectCapabilities>
      <SubjectField>
        <Type>COMMON_NAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>SURNAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>COUNTRY_NAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>LOCALITY_NAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>STATE</Type>
      </SubjectField>
      <SubjectField>
        <Type>STREET_ADDRESS</Type>
      </SubjectField>
      <SubjectField>
        <Type>ORGANIZATION</Type>
      </SubjectField>
      <SubjectField>
        <Type>ORGANIZATION_UNIT</Type>
      </SubjectField>
      <SubjectField>
        <Type>DN_QUALIFIER</Type>
      </SubjectField>
      <SubjectField>
        <Type>TITLE</Type>
      </SubjectField>
      <SubjectField>
        <Type>GIVEN_NAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>SERIAL_NUMBER</Type>
      </SubjectField>
    </SubjectCapabilities>
  </CertificateProfile>
</Profiles>

The following file is an example of XML file used to generate the Certificate
Profile for the MINI-LINK Network Element:

Certificate Profile XML Example


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profiles>
<CertificateProfile Id="99" Name="MINI-LINK_Outdoor_CP">
<Active>true</Active>
<Modifiable>true</Modifiable>
<ForCAEntity>false</ForCAEntity>
<Version>V3</Version>
<SignatureAlgorithm Id="3">
<Name>SHA256withRSA</Name>
<Supported>true</Supported>
</SignatureAlgorithm>
<KeyGenerationAlgorithm Id="28">
<Name>ECDSA</Name>
<KeySize>224</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>

234 2/1543-AOM 901 151-2 Uen DE | 2023-01-31


Node Certificate Administrative Tasks

<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="29">
<Name>ECDSA</Name>
<KeySize>256</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="23">
<Name>RSA</Name>
<KeySize>3072</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>1.2.840.113549.1.1.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="22">
<Name>RSA</Name>
<KeySize>2048</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>1.2.840.113549.1.1.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="33">
<Name>ECDSA</Name>
<KeySize>512</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="31">
<Name>ECDSA</Name>
<KeySize>384</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="24">
<Name>RSA</Name>
<KeySize>4096</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>1.2.840.113549.1.1.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<CertificateValidity>P2Y</CertificateValidity>
<Issuer>
<PublishCertificatetoTDPS>false</PublishCertificatetoTDPS>
<CertificateAuthority>
<Id>17</Id>
<Name>NE_OAM_CA</Name>
<IsRootCA>false</IsRootCA>
<CAStatus>NEW</CAStatus>
<PublishToCDPS>false</PublishToCDPS>
<IsIssuerExternalCA>false</IsIssuerExternalCA>
</CertificateAuthority>
</Issuer>
<SubjectUniqueIdentifier>false</SubjectUniqueIdentifier>
<IssuerUniqueIdentifier>false</IssuerUniqueIdentifier>
<SkewCertificateTime>PT30M</SkewCertificateTime>
<CertificateExtensions>
<CertificateExtension xsi:type="BasicConstraints" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>true</Critical>
<IsCA>false</IsCA>
</CertificateExtension>
<CertificateExtension xsi:type="AuthorityKeyIdentifier" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<AuthorityKeyIdentifierType>SUBJECT_KEY_IDENTIFIER</AuthorityKeyIdentifierType>
</CertificateExtension>
<CertificateExtension xsi:type="SubjectKeyIdentifier" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<KeyIdentifier>
<KeyIdentifier>IssuerKeyIdentifier</KeyIdentifier>
<Algorithm Id="44">
<Name>160-BIT_SHA-1</Name>
<Type>MESSAGE_DIGEST_ALGORITHM</Type>
<Supported>true</Supported>
<AlgorithmCategory>KEY_IDENTIFIER</AlgorithmCategory>
</Algorithm>
</KeyIdentifier>
</CertificateExtension>
<CertificateExtension xsi:type="CRLDistributionPoints" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<DistributionPoint>
<DistributionPointName>
<FullName>http://$FQDN_IPV4/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
</DistributionPointName>
</DistributionPoint>
<DistributionPoint>
<DistributionPointName>
<FullName>http://$FQDN_IPV6/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
</DistributionPointName>
</DistributionPoint>
<DistributionPoint>
<DistributionPointName>
<FullName>http://$FQDN_DNS/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
</DistributionPointName>
</DistributionPoint>
</CertificateExtension>
<CertificateExtension xsi:type="KeyUsage" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>true</Critical>
<SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
</CertificateExtension>
<CertificateExtension xsi:type="SubjectAltName" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
</SubjectAltNameField>
</CertificateExtension>
</CertificateExtensions>
<SubjectCapabilities>
<SubjectField>
<Type>COMMON_NAME</Type>
</SubjectField>
<SubjectField>
<Type>SURNAME</Type>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
</SubjectField>
<SubjectField>
<Type>LOCALITY_NAME</Type>
</SubjectField>
<SubjectField>
<Type>STATE</Type>
</SubjectField>
<SubjectField>
<Type>STREET_ADDRESS</Type>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION</Type>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
</SubjectField>
<SubjectField>
<Type>DN_QUALIFIER</Type>
</SubjectField>
<SubjectField>
<Type>TITLE</Type>
</SubjectField>
<SubjectField>
<Type>GIVEN_NAME</Type>
</SubjectField>
<SubjectField>
<Type>SERIAL_NUMBER</Type>
</SubjectField>
</SubjectCapabilities>
</CertificateProfile>
</Profiles>

2. Create the Certificate Profile.


Drag and drop the XML file created above into the ENM CLI app and run the
following command to create the Certificate Profile:

pkiadm profilemgmt --create --xmlfile file:<<CertificateProfile>>.xml

or

pkiadm pfm -c -xf file:<<CertificateProfile>>.xml

3. Verify the Certificate Profile Creation.


Verify that the Certificate Profile has been created by listing all the
Certificate Profiles in the ENM PKI system:

pkiadm profilemgmt --list --profiletype certificate

The Certificate profile must be present in the list of Certificate Profiles.

See the sections Code Example of Certificate Profile and Certificate Profile
Inputs in the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8] for further information on Certificate Profile Creation
using Certificate Profile Creation XML.

6.8.21.2 End Entity Profile Creation

The End Entity Profile can be created using XML file or using PKI Profile
Management application.

6.8.21.2.1 End Entity Profile Creation Using XML

Steps

1. Prepare and save XML for End Entity Profile Creation.


A single End Entity Profile can be used for all MINI-LINK nodes.

The End Entity Profile is created from an XML file. The template for the XML
is the following:

End Entity Profile XML Template

<?xml version="1.0" encoding="UTF-8"?>
<Profiles
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ProfilesSchema.xsd">
<EntityProfile Name="MINI-LINK_Outdoor_EP">
<Modifiable>true</Modifiable>
<Category>
<Modifiable>true</Modifiable>
<Name>UNDEFINED</Name>
</Category>
<Subject>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>CN_PKI</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>OU_PKI</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>CN_PKI</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>O_PKI</Value>
</SubjectField>
</Subject>
<SubjectAltName>
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<StringValue>IP</StringValue>
</Value>
</SubjectAltNameField>
</SubjectAltName>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<CertificateProfile Name="MINI-LINK_Outdoor_CP" />
<TrustProfile Name="Entity_Trust_Profile" />
<KeyUsage>
<Critical>true</Critical>
<SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
</KeyUsage>
</EntityProfile>
</Profiles>

The following file is an example of XML file used to generate the End Entity
Profile for the MINI-LINK Network Element:

<?xml version="1.0" encoding="UTF-8"?>
<Profiles
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ProfilesSchema.xsd">
<EntityProfile Name="MINI-LINK_Outdoor_EP">
<Modifiable>true</Modifiable>
<Category>
<Modifiable>true</Modifiable>
<Name>UNDEFINED</Name>
</Category>
<Subject>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>?</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
</Subject>
<SubjectAltName>
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<StringValue>0.0.0.0</StringValue>
</Value>
</SubjectAltNameField>
</SubjectAltName>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<CertificateProfile Name="MINI-LINK_Outdoor_CP" />
<TrustProfile Name="OAM_NE_CHAIN_TP" />
<KeyUsage>
<Critical>true</Critical>
<SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
</KeyUsage>
</EntityProfile>
</Profiles>

Note: In <SubjectAltNameField>, the 0.0.0.0 in <StringValue>0.0.0.0</StringValue>
is a placeholder that is set by default when an End Entity is created from
this profile. In the End Entity itself this value must be replaced with the
respective node's IP address.

2. Create the End Entity Profile.


Drag and drop the XML file created above into the ENM CLI app and run the
following command to create the End Entity Profile:

pkiadm profilemgmt --create --xmlfile file:<<EndEntityProfile>>.xml

or

pkiadm pfm -c -xf file:<<EndEntityProfile>>.xml

3. Verify the End Entity Profile Creation.


Verify that the End Entity Profile has been created by listing all the End
Entity Profiles in the ENM PKI system:

pkiadm profilemgmt --list --profiletype entity

The End Entity Profile must be present in the list of End Entity Profiles.

See the sections Create End Entity Profiles, Entity Profile Inputs and Code
Example of Entity Profile in the document ENM Public Key Infrastructure
System Administrator Guide, Reference [8] for further information on End
Entity Profile Creation using XML.
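
Before the two XML files are loaded with pkiadm it is worth checking that the
End Entity Profile only asks for what the Certificate Profile allows: the
profile it references by name, the key algorithm and size, the subject fields,
the KeyUsage bits and their criticality, and the SubjectAltName type. The
following script is an added example and is not part of ENM or of this guide.
It uses only the Python standard library; the two XML strings inside it are
constructed, abridged copies of the MINI-LINK_Outdoor_CP and
MINI-LINK_Outdoor_EP examples above, with the element names of the templates.
Which relations ENM itself enforces at profile creation is not stated in this
guide, so the rule set encoded here is the example's own assumption.

```python
"""Consistency check between an ENM PKI Certificate Profile XML and an End
Entity Profile XML before loading them with pkiadm. Added example; not part of
ENM or of the guide. Standard library only. The rules checked are assumptions
about what must agree between the two profiles, not ENM's documented checks."""
import xml.etree.ElementTree as ET

# ElementTree exposes namespaced attributes in Clark notation.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed, abridged copy of the guide's MINI-LINK_Outdoor_CP example.
CERT_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profiles>
<CertificateProfile Id="99" Name="MINI-LINK_Outdoor_CP">
<KeyGenerationAlgorithm Id="29"><Name>ECDSA</Name><KeySize>256</KeySize></KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="22"><Name>RSA</Name><KeySize>2048</KeySize></KeyGenerationAlgorithm>
<CertificateExtensions>
<CertificateExtension xsi:type="KeyUsage" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>true</Critical>
<SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
</CertificateExtension>
<CertificateExtension xsi:type="SubjectAltName" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<SubjectAltNameField><Type>IP_ADDRESS</Type></SubjectAltNameField>
</CertificateExtension>
</CertificateExtensions>
<SubjectCapabilities>
<SubjectField><Type>COMMON_NAME</Type></SubjectField>
<SubjectField><Type>COUNTRY_NAME</Type></SubjectField>
<SubjectField><Type>ORGANIZATION</Type></SubjectField>
<SubjectField><Type>ORGANIZATION_UNIT</Type></SubjectField>
</SubjectCapabilities>
</CertificateProfile>
</Profiles>"""

# Constructed, abridged copy of the guide's MINI-LINK_Outdoor_EP example.
ENTITY_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profiles xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<EntityProfile Name="MINI-LINK_Outdoor_EP">
<Subject>
<SubjectField><Type>COMMON_NAME</Type><Value>?</Value></SubjectField>
<SubjectField><Type>ORGANIZATION_UNIT</Type><Value>BUCI DUAC NAM</Value></SubjectField>
<SubjectField><Type>COUNTRY_NAME</Type><Value>SE</Value></SubjectField>
<SubjectField><Type>ORGANIZATION</Type><Value>ERICSSON</Value></SubjectField>
</Subject>
<SubjectAltName>
<Critical>false</Critical>
<SubjectAltNameField><Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString"><StringValue>0.0.0.0</StringValue></Value>
</SubjectAltNameField>
</SubjectAltName>
<KeyGenerationAlgorithm><Name>RSA</Name><KeySize>2048</KeySize></KeyGenerationAlgorithm>
<CertificateProfile Name="MINI-LINK_Outdoor_CP" />
<TrustProfile Name="OAM_NE_CHAIN_TP" />
<KeyUsage>
<Critical>true</Critical>
<SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
</KeyUsage>
</EntityProfile>
</Profiles>"""


def extension(cp, kind):
    """Return the CertificateExtension whose xsi:type is `kind`, or None."""
    return next((e for e in cp.iter("CertificateExtension") if e.get(XSI_TYPE) == kind), None)


def check_profiles(cp_xml, ep_xml):
    """Return a list of mismatches between the profiles; an empty list means consistent."""
    cp = ET.fromstring(cp_xml).find("CertificateProfile")
    ep = ET.fromstring(ep_xml).find("EntityProfile")
    problems = []
    # The entity profile must point at this certificate profile by name.
    ref = ep.find("CertificateProfile").get("Name")
    if ref != cp.get("Name"):
        problems.append(f"entity profile references {ref!r} but certificate profile is {cp.get('Name')!r}")
    # Key algorithm and size must be one of those the certificate profile offers.
    allowed = {(k.findtext("Name"), k.findtext("KeySize")) for k in cp.findall("KeyGenerationAlgorithm")}
    kga = ep.find("KeyGenerationAlgorithm")
    wanted = (kga.findtext("Name"), kga.findtext("KeySize"))
    if wanted not in allowed:
        problems.append(f"key algorithm {wanted} not offered by certificate profile")
    # Every subject field the entity profile fills must be a SubjectCapability.
    caps = {f.findtext("Type") for f in cp.find("SubjectCapabilities")}
    for f in ep.find("Subject"):
        if f.findtext("Type") not in caps:
            problems.append(f"subject field {f.findtext('Type')} not in SubjectCapabilities")
    # KeyUsage bits must be a subset of the supported ones, and criticality must agree.
    cp_ku, ep_ku = extension(cp, "KeyUsage"), ep.find("KeyUsage")
    extra = ({b.text for b in ep_ku.findall("SupportedKeyUsageType")}
             - {b.text for b in cp_ku.findall("SupportedKeyUsageType")})
    if extra:
        problems.append(f"KeyUsage {sorted(extra)} not supported by certificate profile")
    if cp_ku.findtext("Critical") != ep_ku.findtext("Critical"):
        problems.append("KeyUsage criticality differs between the profiles")
    # SubjectAltName types used by the entity profile must be permitted by the certificate profile.
    san_ok = {f.findtext("Type") for f in extension(cp, "SubjectAltName").findall("SubjectAltNameField")}
    for f in ep.find("SubjectAltName").findall("SubjectAltNameField"):
        if f.findtext("Type") not in san_ok:
            problems.append(f"SubjectAltName type {f.findtext('Type')} not permitted by certificate profile")
    return problems


if __name__ == "__main__":
    for line in check_profiles(CERT_PROFILE_XML, ENTITY_PROFILE_XML) or ["profiles are consistent"]:
        print(line)
```

To run it against real files, replace the two embedded strings with the
contents of the Certificate Profile and End Entity Profile XML files; the
check reports nothing when the pair is consistent and one line per mismatch
otherwise.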

6.8.21.2.2 End Entity Profile Creation Using PKI Profile Management

Steps

1. Launch PKI Profile Management and choose PKI Entity Profile from the
Create PKI Profile dropdown.

2. Fill in the appropriate details in the respective fields.

Note: Select MINI-LINK_Outdoor_CP as Certificate Profile, UNDEFINED as
Entity Category and OAM_NE_CHAIN_TP as Trust Profile. Under the section
Subject Alternative Name, select IP_ADDRESS and provide the value 0.0.0.0.

3. Verify Newly Created Entity Profile.


List all the Entity Profiles present in ENM PKI system.

pkiadm pfm --list -type entity

The newly created Entity Profile would be available in the list of entity
profiles listed by executing the above CLI command.

6.8.21.3 End Entity Creation

Steps

1. Prepare and save the XML File for the End Entity Creation.
A different End Entity must be created for each MINI-LINK node.

The End Entities are created from an XML file. The template for the XML is
the following:

Template.xml

<?xml version="1.0" encoding="UTF-8"?>
<Entities
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>false</PublishCertificatetoTDPS>
<EntityProfile Name="TAF_PKI_ENTITY_PROFILE1444380480484"/>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>MINOR</NotificationSeverity>
<PeriodBeforeExpiry>P180D</PeriodBeforeExpiry>
<FrequencyOfNotification>P7D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>WARNING</NotificationSeverity>
<PeriodBeforeExpiry>P90D</PeriodBeforeExpiry>
<FrequencyOfNotification>P4D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>MAJOR</NotificationSeverity>
<PeriodBeforeExpiry>P60D</PeriodBeforeExpiry>
<FrequencyOfNotification>P2D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>CRITICAL</NotificationSeverity>
<PeriodBeforeExpiry>P30D</PeriodBeforeExpiry>
<FrequencyOfNotification>P1D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>UNDEFINED</Name>
</Category>
<EntityInfo>
<Name>NetworkElementId</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>NetworkElementId-oam</Value>
</SubjectField>
</Subject>
<SubjectAltName>
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString">
<StringValue>NodeIPAddress</StringValue>
</Value>
</SubjectAltNameField>
</SubjectAltName>
</EntityInfo>
</Entity>
</Entities>

In XML creation, the following rules must be followed:

— In the <EntityInfo> tag, the <Name> must be the Network Element Id.

— In the <EntityInfo> <Subject>, the <Value> of the COMMON_NAME
<SubjectField> must be derived from the Network Element Id; the template
uses <Network Element Id>-oam.

The Network Element Id is the identifier that the user must use at the end
of this procedure when the MINI-LINK Node is added in ENM.

Note: For MINI-LINK Outdoor nodes, which support offline enrollment, an
alarm has to be configured for certificate expiry notification to enable the
user to renew the certificate before it expires.

See the section Code Example of End Entity of ENM Public Key
Infrastructure System Administrator Guide, Reference [8].

The following file is an example of the XML file used to generate the End
Entity for the MINI-LINK node with Network Element ID = ML6352_102:

ML6352_102.xml

<Entities
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="MINI-LINK_Outdoor_EP"/>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>MINOR</NotificationSeverity>
<PeriodBeforeExpiry>P180D</PeriodBeforeExpiry>
<FrequencyOfNotification>P7D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>WARNING</NotificationSeverity>
<PeriodBeforeExpiry>P90D</PeriodBeforeExpiry>
<FrequencyOfNotification>P4D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>MAJOR</NotificationSeverity>
<PeriodBeforeExpiry>P60D</PeriodBeforeExpiry>
<FrequencyOfNotification>P2D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>CRITICAL</NotificationSeverity>
<PeriodBeforeExpiry>P30D</PeriodBeforeExpiry>
<FrequencyOfNotification>P1D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>UNDEFINED</Name>
</Category>
<EntityInfo>
<Name>ML6352_102</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>ML6352_102-oam</Value>
</SubjectField>
</Subject>
<SubjectAltName>
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString">
<StringValue>10.42.141.102</StringValue>
</Value>
</SubjectAltNameField>
</SubjectAltName>
</EntityInfo>
</Entity>
</Entities>

Suggested name for the file is EE_<Network Element ID>.xml.

2. Create the End Entity.


Drag and drop the XML file created in Step 1 into the ENM CLI app and run
the following command to create the End Entity:

pkiadm etm -c -xf file:EE_<Network Element ID>.xml

3. Verify the End Entity Creation.


Verify that the End Entity has been created by listing all the End Entities in
the ENM PKI system:

pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.

The End Entity is created with the Network Element ID as its name and its
status is NEW. For the example above, an End Entity named ML6352_102,
related to the MINI-LINK node ML6352_102, appears in the list.
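
Since one End Entity file is needed per node and only two inputs change from
node to node, the Network Element ID and the node's IP address, the file can be
generated rather than edited by hand. The following Python script is an added
example and is not part of ENM or of this guide. It builds the
EE_<Network Element ID>.xml file and applies the rules above: <Name> is the
Network Element ID, COMMON_NAME is <Network Element ID>-oam, and the
IP_ADDRESS SubjectAltName is the node's real address, so the 0.0.0.0
placeholder of the End Entity Profile (or anything that is not an IP literal)
is rejected before the file reaches pkiadm. The fixed subject fields, the RSA
2048 key and the expiry notification ladder are copied from the ML6352_102
example; the entity profile name MINI-LINK_Outdoor_EP is the one created in the
previous section. The read-back check and the command-line usage are the
example's own additions.

```python
"""Generate the per-node End Entity XML (EE_<Network Element ID>.xml) for the
MINI-LINK offline enrollment procedure and read it back for a pre-load check.
Added example; not part of ENM or of the guide. Standard library only.
Fixed values are copied from the guide's ML6352_102 example."""
import ipaddress
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ENTITY_PROFILE = "MINI-LINK_Outdoor_EP"            # from End Entity Profile Creation
FIXED_SUBJECT = [("ORGANIZATION", "ERICSSON"),
                 ("ORGANIZATION_UNIT", "BUCI DUAC NAM"),
                 ("COUNTRY_NAME", "SE")]
# (severity, period before expiry, notification frequency) as ISO 8601 durations
EXPIRY_LADDER = [("MINOR", "P180D", "P7D"), ("WARNING", "P90D", "P4D"),
                 ("MAJOR", "P60D", "P2D"), ("CRITICAL", "P30D", "P1D")]


def _sub(parent, tag, text=None, **attrs):
    """Append a child element with optional text and attributes."""
    el = ET.SubElement(parent, tag, attrs)
    if text is not None:
        el.text = text
    return el


def build_end_entity(ne_id, node_ip, publish_to_tdps=False):
    """Return the End Entity XML for one node as a string; raise ValueError on bad input."""
    if not ne_id or any(c.isspace() for c in ne_id):
        raise ValueError("Network Element Id must be a non-empty token without whitespace")
    ip = ipaddress.ip_address(node_ip)             # rejects anything that is not an IP literal
    if ip.is_unspecified:                           # 0.0.0.0 / :: are profile placeholders only
        raise ValueError("node IP must be the real OAM address, not the profile placeholder")
    ET.register_namespace("xsi", XSI)
    root = ET.Element("Entities", {f"{{{XSI}}}noNamespaceSchemaLocation": "EntitiesSchema.xsd"})
    ent = _sub(root, "Entity")
    _sub(ent, "PublishCertificatetoTDPS", "true" if publish_to_tdps else "false")
    _sub(ent, "EntityProfile", Name=ENTITY_PROFILE)
    for severity, before, every in EXPIRY_LADDER:   # alarms needed to renew in time
        n = _sub(ent, "CertificateExpiryNotificationDetails")
        _sub(n, "NotificationSeverity", severity)
        _sub(n, "PeriodBeforeExpiry", before)
        _sub(n, "FrequencyOfNotification", every)
    kga = _sub(ent, "KeyGenerationAlgorithm")
    _sub(kga, "Name", "RSA")
    _sub(kga, "KeySize", "2048")
    cat = _sub(ent, "Category")
    _sub(cat, "Modifiable", "true")
    _sub(cat, "Name", "UNDEFINED")
    info = _sub(ent, "EntityInfo")
    _sub(info, "Name", ne_id)                       # rule: <Name> is the Network Element Id
    subject = _sub(info, "Subject")
    for field_type, value in FIXED_SUBJECT + [("COMMON_NAME", f"{ne_id}-oam")]:
        f = _sub(subject, "SubjectField")
        _sub(f, "Type", field_type)
        _sub(f, "Value", value)
    san = _sub(info, "SubjectAltName")
    _sub(san, "Critical", "false")
    f = _sub(san, "SubjectAltNameField")
    _sub(f, "Type", "IP_ADDRESS")
    value = _sub(f, "Value", **{f"{{{XSI}}}type": "SubjectAltNameString"})
    _sub(value, "StringValue", str(ip))             # rule: the node's own address
    if hasattr(ET, "indent"):                       # Python 3.9+: pretty-print for review
        ET.indent(root)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def end_entity_summary(xml_text):
    """Read back the identity-bearing fields of an End Entity XML for a pre-load check."""
    root = ET.fromstring(xml_text)
    info = root.find("Entity/EntityInfo")
    cn = next(f.findtext("Value") for f in info.find("Subject") if f.findtext("Type") == "COMMON_NAME")
    return {"name": info.findtext("Name"),
            "common_name": cn,
            "ip": info.findtext("SubjectAltName/SubjectAltNameField/Value/StringValue"),
            "profile": root.find("Entity/EntityProfile").get("Name")}


def file_name(ne_id):
    """Suggested file name from the guide: EE_<Network Element ID>.xml."""
    return f"EE_{ne_id}.xml"


if __name__ == "__main__":
    import sys
    ne_id, node_ip = sys.argv[1:3]                  # e.g. ML6352_102 10.42.141.102
    xml_text = build_end_entity(ne_id, node_ip)
    with open(file_name(ne_id), "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    print(end_entity_summary(xml_text))
```

Running the script with the Network Element ID and the node IP as arguments
writes EE_<Network Element ID>.xml in the current directory and prints the
name, common name, SAN IP and profile that were written, which is what to
compare against the node before the file is dropped into the ENM CLI.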

6.8.21.4 Offline Enrollment Procedure

Steps

1. Download the CSR from the node.

a. For the GUI-based process to download the CSR, see the section Managing
Web Server Security of the respective Node CPI in Cloud Native ENM Upgrade
Instructions, References [37], [38], [39], [40], [41].
b. For the CLI-based process to download the CSR, see the section Managing
Web Server Security of the respective Node CPI in Cloud Native ENM Upgrade
Instructions, References [37], [38], [39], [40], [41].
2. Generate the certificate.
Drag and drop the CSR file onto the ENM CLI and run the following ENM CLI
command to generate the End Entity credential in PEM format, where
<End_Entity> is the name of the End Entity created in End Entity Creation,
that is, the Network Element ID (for example ML6352_102):

pkiadm certmgmt EECert --generate --entityname <End_Entity> --csrfile file:"<downloaded_csr>" --format PEM

The certificate must be successfully generated on the ENM deployment from
the provided CSR.

3. Upload the signed certificate on the node.

a. For the GUI-based process, refer to the section Upload an HTTPS
Certificate (GUI) in the respective Node CPI.
b. For the CLI-based process, upload the signed certificate to the node using
the download-certificate command.
Syntax

config common services web-server download-certificate [filename <fileName>] [ip <serverIp>] [ipv6 <serverIpV6>] [mode <transferMode>] [password <serverPassword>] [port <serverPort>] [user <serverUser>]

Example

config common services web-server download-certificate mode ssh port 22 ip <IP_Address> user <username> password <password> filename <path>/<filename>

Note: If the browser warning page with error code SEC_ERROR_UNKNOWN_ISSUER
persists, the browser does not trust the CA that issued the node certificate;
add the issuing CA certificates to the Trusted Certificate list of the
browser.

Run the following steps to overcome the issue:

i. Import the certificates (ENM_PKI_Root_CA and NE_OAM_CA) into the
Certificate Manager of the browser.

If an External CA is the issuer of ENM_PKI_Root_CA, then all the external
CA certificates up to the Root CA, along with ENM_PKI_Root_CA and
NE_OAM_CA, must be imported in the browser.

ii. Add the Node IP Address to the End Entity that was created in PKI Entity
Management.

6.8.22 E2E Offline Enrollment Procedure for MINI-LINK Indoor Nodes


This procedure describes how to perform offline enrollment of MINI-LINK Indoor
nodes.

Note: For all nodes that support offline enrollment, an alarm must be
configured for certificate expiry notification so that the user is able to
renew the certificate before it expires.

Prerequisites
It is required that the user:

— Has knowledge of ENM.

— Has knowledge of using the ENM CLI.

— Has knowledge of PKI.

— Has access to the ENM CLI as an authorized user.

— Has the ADMINISTRATOR role.

— Has created the End Entity in the system.

In addition, the MINI-LINK Indoor nodes must have release version M18.Q2 or
higher.

Overview
The offline procedure is based on four main steps, each described in the
following subsections:

1. Certificate Profile Creation

2. End Entity Profile Creation

3. End Entity Creation

4. Offline Enrollment Procedure

6.8.22.1 Certificate Profile Creation

The Certificate Profile can be created using XML file or using PKI Profile
Management application.

6.8.22.1.1 Certificate Profile Creation Using Certificate Profile Creation XML

Steps

1. Prepare and save XML for Certificate Profile Creation.


A single Certificate Profile can be used for all MINI-LINK nodes.

The Certificate Profile is created from an XML file. The template for the XML
is the following:

Certificate Profile XML Template

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profiles>
<CertificateProfile Id="99" Name="MINI-LINK_Indoor_CP">
<Active>true</Active>
<Modifiable>true</Modifiable>
<ForCAEntity>false</ForCAEntity>
<Version>V3</Version>
<SignatureAlgorithm Id="3">
<Name>SHA256withRSA</Name>
<Supported>true</Supported>
</SignatureAlgorithm>
<KeyGenerationAlgorithm Id="28">
<Name>ECDSA</Name>
<KeySize>224</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="29">
<Name>ECDSA</Name>
<KeySize>256</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="23">
<Name>RSA</Name>
<KeySize>3072</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>1.2.840.113549.1.1.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="22">
<Name>RSA</Name>
<KeySize>2048</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>1.2.840.113549.1.1.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="33">
<Name>ECDSA</Name>
<KeySize>512</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="31">
<Name>ECDSA</Name>
<KeySize>384</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="24">
<Name>RSA</Name>
<KeySize>4096</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>1.2.840.113549.1.1.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<CertificateValidity>P2Y</CertificateValidity>
<Issuer>
<PublishCertificatetoTDPS>false</PublishCertificatetoTDPS>
<CertificateAuthority>
<Id>17</Id>
<Name>NE_OAM_CA</Name>
<IsRootCA>false</IsRootCA>
<CAStatus>NEW</CAStatus>
<PublishToCDPS>false</PublishToCDPS>
<IsIssuerExternalCA>false</IsIssuerExternalCA>
</CertificateAuthority>
</Issuer>
<SubjectUniqueIdentifier>false</SubjectUniqueIdentifier>
<IssuerUniqueIdentifier>false</IssuerUniqueIdentifier>
<SkewCertificateTime>PT30M</SkewCertificateTime>
<CertificateExtensions>
<CertificateExtension xsi:type="BasicConstraints" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>true</Critical>
<IsCA>false</IsCA>
</CertificateExtension>
<CertificateExtension xsi:type="AuthorityKeyIdentifier" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<AuthorityKeyIdentifierType>SUBJECT_KEY_IDENTIFIER</AuthorityKeyIdentifierType>
</CertificateExtension>
<CertificateExtension xsi:type="SubjectKeyIdentifier" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<KeyIdentifier>
<KeyIdentifier>IssuerKeyIdentifier</KeyIdentifier>
<Algorithm Id="44">
<Name>160-BIT_SHA-1</Name>
<Type>MESSAGE_DIGEST_ALGORITHM</Type>
<Supported>true</Supported>
<AlgorithmCategory>KEY_IDENTIFIER</AlgorithmCategory>
</Algorithm>
</KeyIdentifier>
</CertificateExtension>
<CertificateExtension xsi:type="CRLDistributionPoints" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<DistributionPoint>
<DistributionPointName>
<FullName>http://$FQDN_IPV4/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
</DistributionPointName>
</DistributionPoint>
<DistributionPoint>
<DistributionPointName>
<FullName>http://$FQDN_IPV6/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
</DistributionPointName>
</DistributionPoint>
<DistributionPoint>
<DistributionPointName>
<FullName>http://$FQDN_DNS/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
</DistributionPointName>
</DistributionPoint>
</CertificateExtension>
<CertificateExtension xsi:type="KeyUsage" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>true</Critical>
<SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
</CertificateExtension>
<CertificateExtension xsi:type="SubjectAltName" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
</SubjectAltNameField>
</CertificateExtension>
</CertificateExtensions>
<SubjectCapabilities>
<SubjectField>
<Type>COMMON_NAME</Type>
</SubjectField>
<SubjectField>
<Type>SURNAME</Type>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
</SubjectField>
<SubjectField>
<Type>LOCALITY_NAME</Type>
</SubjectField>
<SubjectField>
<Type>STATE</Type>
</SubjectField>
<SubjectField>
<Type>STREET_ADDRESS</Type>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION</Type>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
</SubjectField>
<SubjectField>
<Type>DN_QUALIFIER</Type>
</SubjectField>
<SubjectField>
<Type>TITLE</Type>
</SubjectField>
<SubjectField>
<Type>GIVEN_NAME</Type>
</SubjectField>
<SubjectField>
<Type>SERIAL_NUMBER</Type>
</SubjectField>
</SubjectCapabilities>
</CertificateProfile>
</Profiles>

The following file is an example of XML file used to generate the Certificate
Profile for the MINI-LINK Network Element:

Certificate Profile XML Example


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profiles>
<CertificateProfile Id="99" Name="MINI-LINK_Indoor_CP">
<Active>true</Active>
<Modifiable>true</Modifiable>
<ForCAEntity>false</ForCAEntity>
<Version>V3</Version>
<SignatureAlgorithm Id="3">
<Name>SHA256withRSA</Name>
<Supported>true</Supported>
</SignatureAlgorithm>
<KeyGenerationAlgorithm Id="28">
<Name>ECDSA</Name>
<KeySize>224</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="29">
<Name>ECDSA</Name>
<KeySize>256</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="23">
<Name>RSA</Name>
<KeySize>3072</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>1.2.840.113549.1.1.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="22">
<Name>RSA</Name>
<KeySize>2048</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>1.2.840.113549.1.1.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="33">
<Name>ECDSA</Name>
<KeySize>512</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="31">
<Name>ECDSA</Name>
<KeySize>384</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>2.23.42.9.11.4.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<KeyGenerationAlgorithm Id="24">
<Name>RSA</Name>
<KeySize>4096</KeySize>
<Type>ASYMMETRIC_KEY_ALGORITHM</Type>
<OID>1.2.840.113549.1.1.1</OID>
<Supported>true</Supported>
</KeyGenerationAlgorithm>
<CertificateValidity>P2Y</CertificateValidity>
<Issuer>
<PublishCertificatetoTDPS>false</PublishCertificatetoTDPS>
<CertificateAuthority>
<Id>17</Id>
<Name>NE_OAM_CA</Name>
<IsRootCA>false</IsRootCA>
<CAStatus>NEW</CAStatus>
<PublishToCDPS>false</PublishToCDPS>
<IsIssuerExternalCA>false</IsIssuerExternalCA>
</CertificateAuthority>
</Issuer>
<SubjectUniqueIdentifier>false</SubjectUniqueIdentifier>
<IssuerUniqueIdentifier>false</IssuerUniqueIdentifier>
<SkewCertificateTime>PT30M</SkewCertificateTime>
<CertificateExtensions>
<CertificateExtension xsi:type="BasicConstraints" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>true</Critical>
<IsCA>false</IsCA>
</CertificateExtension>
<CertificateExtension xsi:type="AuthorityKeyIdentifier" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<AuthorityKeyIdentifierType>SUBJECT_KEY_IDENTIFIER</AuthorityKeyIdentifierType>
</CertificateExtension>
<CertificateExtension xsi:type="SubjectKeyIdentifier" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<KeyIdentifier>
<KeyIdentifier>IssuerKeyIdentifier</KeyIdentifier>
<Algorithm Id="44">
<Name>160-BIT_SHA-1</Name>
<Type>MESSAGE_DIGEST_ALGORITHM</Type>
<Supported>true</Supported>
<AlgorithmCategory>KEY_IDENTIFIER</AlgorithmCategory>
</Algorithm>
</KeyIdentifier>
</CertificateExtension>
<CertificateExtension xsi:type="CRLDistributionPoints" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<DistributionPoint>
<DistributionPointName>
<FullName>http://$FQDN_IPV4/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
</DistributionPointName>
</DistributionPoint>
<DistributionPoint>
<DistributionPointName>
<FullName>http://$FQDN_IPV6/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
</DistributionPointName>
</DistributionPoint>
<DistributionPoint>
<DistributionPointName>
<FullName>http://$FQDN_DNS/pki-cdps?ca_name=$CANAME&amp;ca_cert_serialnumber=$CACERTSERIALNUMBER</FullName>
</DistributionPointName>
</DistributionPoint>
</CertificateExtension>
<CertificateExtension xsi:type="KeyUsage" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>true</Critical>
<SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
</CertificateExtension>
<CertificateExtension xsi:type="SubjectAltName" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
</SubjectAltNameField>
</CertificateExtension>
</CertificateExtensions>
<SubjectCapabilities>
<SubjectField>
<Type>COMMON_NAME</Type>
</SubjectField>
<SubjectField>
<Type>SURNAME</Type>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
</SubjectField>
<SubjectField>
<Type>LOCALITY_NAME</Type>
</SubjectField>
<SubjectField>
<Type>STATE</Type>
</SubjectField>
<SubjectField>
<Type>STREET_ADDRESS</Type>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION</Type>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
</SubjectField>
<SubjectField>
<Type>DN_QUALIFIER</Type>
</SubjectField>
<SubjectField>
<Type>TITLE</Type>
</SubjectField>
<SubjectField>
<Type>GIVEN_NAME</Type>
</SubjectField>
<SubjectField>
<Type>SERIAL_NUMBER</Type>
</SubjectField>
</SubjectCapabilities>
</CertificateProfile>
</Profiles>

2. Create the Certificate Profile.


Drag and drop the XML file created above into the ENM CLI app and run the
following command to create the Certificate Profile:

pkiadm profilemgmt --create --xmlfile file:<<CertificateProfile>>.xml

or

pkiadm pfm -c -xf file:<<CertificateProfileP>>.xml

3. Verify the Certificate Profile Creation.


Verify that the Certificate Profile has been created by listing all the
Certificate Profiles in the ENM PKI system:

pkiadm profilemgmt --list --profiletype certificate

The Certificate profile must be present in the list of Certificate Profiles.

See the sections Code Example of Certificate Profile and Certificate Profile
Inputs in the document ENM Public Key Infrastructure System Administrator
Guide, Reference [8] for further information on Certificate Profile Creation
using Certificate Profile Creation XML.

6.8.22.2 End Entity Profile Creation

The End Entity Profile can be created using an XML file or using the PKI Profile
Management application.

6.8.22.2.1 End Entity Profile Creation Using XML


Steps

1. Prepare and save XML File for End Entity Profile Creation.
A single End Entity Profile can be used for all MINI-LINK nodes.

The End Entity Profile is created from an XML file. The template for the XML
is the following:

End Entity Profile XML Template

<?xml version="1.0" encoding="UTF-8"?>

<Profiles xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ProfilesSchema.xsd">
<EntityProfile Name="MINI-LINK_Indoor_EP">
<Modifiable>true</Modifiable>
<Category>
<Modifiable>true</Modifiable>
<Name>UNDEFINED</Name>
</Category>
<Subject>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>CN_PKI</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>OU_PKI</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>CN_PKI</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>O_PKI</Value>
</SubjectField>
</Subject>
<SubjectAltName>
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<StringValue>IP</StringValue>
</Value>
</SubjectAltNameField>
</SubjectAltName>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<CertificateProfile Name="MINI-LINK_Indoor_CP" />
<TrustProfile Name="Entity_Trust_Profile" />
<KeyUsage>
<Critical>true</Critical>
<SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
</KeyUsage>
</EntityProfile>
</Profiles>

The following file is an example of an XML file used to generate the End Entity
Profile for the MINI-LINK Network Element:

<?xml version="1.0" encoding="UTF-8"?>

<Profiles xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ProfilesSchema.xsd">
<EntityProfile Name="MINI-LINK_Indoor_EP">
<Modifiable>true</Modifiable>
<Category>
<Modifiable>true</Modifiable>
<Name>UNDEFINED</Name>
</Category>
<Subject>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>?</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
</Subject>
<SubjectAltName>
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<StringValue>0.0.0.0</StringValue>
</Value>
</SubjectAltNameField>
</SubjectAltName>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<CertificateProfile Name="MINI-LINK_Indoor_CP" />
<TrustProfile Name="OAM_NE_CHAIN_TP" />
<KeyUsage>
<Critical>true</Critical>
<SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
<SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
</KeyUsage>
</EntityProfile>
</Profiles>

Note: In <SubjectAltNameField>, the value 0.0.0.0 in the tag
<StringValue>0.0.0.0</StringValue> is a default that is set when an End
Entity is created. In practice, this value must be replaced with the
respective node's IP address.

2. Create the End Entity Profile.


Drag and drop the XML file created above into the ENM CLI app and run the
following command to create the End Entity Profile:

pkiadm profilemgmt --create --xmlfile file:<<EntityEntityProfile>>.xml

or

pkiadm pfm -c -xf file:<<EntityEntityProfileP>>.xml

3. Verify the End Entity Profile Creation.


Verify that the End Entity Profile has been created by listing all the End
Entity Profiles in the ENM PKI system:

pkiadm profilemgmt --list --profiletype entity

The End Entity Profile must be present in the list of End Entity Profiles.

See the sections Create End Entity Profiles, Entity Profile Inputs and Code
Example of Entity Profile in the document ENM Public Key Infrastructure
System Administrator Guide, Reference [8] for further information on End
Entity Profile Creation using XML.

6.8.22.2.2 End Entity Profile Creation Using PKI Profile Management

Steps

1. Launch PKI Profile Management and choose PKI Entity Profile from the Create
PKI Profile drop-down list.

2. Fill in the appropriate details in respective fields.

Note: Select MINI-LINK_Indoor_CP as Certificate Profile, UNDEFINED as
Entity Category, and OAM_NE_CHAIN_TP as Trust Profile. Under the section
Subject Alternative Name, select IP_ADDRESS and provide the value 0.0.0.0.

3. Verify Newly Created Entity Profile.


List all the Entity Profiles present in ENM PKI system.

pkiadm pfm --list -type entity

The newly created Entity Profile is listed in the output of the above CLI
command.

6.8.22.3 End Entity Creation

Steps

1. Prepare and save the XML File for the End Entity Creation.
A different End Entity must be created for each MINI-LINK node.

The End Entities are created from an XML file. The template for the XML is
the following:

Template.xml

<?xml version="1.0" encoding="UTF-8"?>

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>false</PublishCertificatetoTDPS>
<EntityProfile Name="MINI-LINK_Indoor_EP"/>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>MINOR</NotificationSeverity>
<PeriodBeforeExpiry>P180D</PeriodBeforeExpiry>
<FrequencyOfNotification>P7D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>WARNING</NotificationSeverity>
<PeriodBeforeExpiry>P90D</PeriodBeforeExpiry>
<FrequencyOfNotification>P4D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>MAJOR</NotificationSeverity>
<PeriodBeforeExpiry>P60D</PeriodBeforeExpiry>
<FrequencyOfNotification>P2D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>CRITICAL</NotificationSeverity>
<PeriodBeforeExpiry>P30D</PeriodBeforeExpiry>
<FrequencyOfNotification>P1D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>UNDEFINED</Name>
</Category>
<EntityInfo>
<Name>NetworkElementID-oam</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>MwNetworkElementID-oam</Value>
</SubjectField>
</Subject>
</EntityInfo>
</Entity>
</Entities>

In XML creation, the following rules must be followed:

— In the <EntityInfo> tag, the <Name> must be the Network Element Id.

The Network Element Id is the identifier that the user must use at
the end of this procedure when the MINI-LINK Node is added in ENM.

— In the <EntityInfo> <SubjectField> tag, the <Value> must be the
Network Element Id.


Note: For MINI-LINK Indoor nodes, which support offline enrollment, an
alarm must be configured for certificate expiry notification to
enable the user to renew the certificate.

See the section Code Example of End Entity of ENM Public Key
Infrastructure System Administrator Guide, Reference [8].

The following file is an example of an XML file used to generate the End
Entity for the MINI-LINK with Network Element ID ML6691_LK-140:

ML6691_LK-140.xml

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="MINI-LINK_Indoor_EP"/>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>MINOR</NotificationSeverity>
<PeriodBeforeExpiry>P180D</PeriodBeforeExpiry>
<FrequencyOfNotification>P7D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>WARNING</NotificationSeverity>
<PeriodBeforeExpiry>P90D</PeriodBeforeExpiry>
<FrequencyOfNotification>P4D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>MAJOR</NotificationSeverity>
<PeriodBeforeExpiry>P60D</PeriodBeforeExpiry>
<FrequencyOfNotification>P2D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<CertificateExpiryNotificationDetails>
<NotificationSeverity>CRITICAL</NotificationSeverity>
<PeriodBeforeExpiry>P30D</PeriodBeforeExpiry>
<FrequencyOfNotification>P1D</FrequencyOfNotification>
</CertificateExpiryNotificationDetails>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>UNDEFINED</Name>
</Category>
<EntityInfo>
<Name>ML6691_LK-140</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>ML6691_LK-140-oam</Value>
</SubjectField>
</Subject>
<SubjectAltName>
<Critical>false</Critical>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString">
<StringValue>10.198.100.140</StringValue>
</Value>
</SubjectAltNameField>
</SubjectAltName>
</EntityInfo>
</Entity>
</Entities>

Suggested name for the file is EE_<Network Element ID>.xml.
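As an added example (not part of this guide and not ENM's own tooling), the following Python script builds the End Entity XML for one MINI-LINK node from the rules above and checks an existing file against them. The profile name, subject values and notification schedule are those of the ML6691_LK-140 example on the page; the function names and the placeholder-address check are this example's own assumptions.

```python
# Added example, not from the ENM guide: generate and check an End Entity XML
# for a MINI-LINK node. Fixed values below are copied from the page's example.
import ipaddress
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Subject fields and expiry notification schedule from the page's example.
SUBJECT_FIELDS = [("ORGANIZATION", "ERICSSON"),
                  ("ORGANIZATION_UNIT", "BUCI DUAC NAM"),
                  ("COUNTRY_NAME", "SE")]
EXPIRY_NOTIFICATIONS = [("MINOR", "P180D", "P7D"), ("WARNING", "P90D", "P4D"),
                        ("MAJOR", "P60D", "P2D"), ("CRITICAL", "P30D", "P1D")]


def _sub(parent, tag, text=None, attrib=None):
    """Append a child element with optional text and attributes."""
    el = ET.SubElement(parent, tag, attrib or {})
    if text is not None:
        el.text = text
    return el


def build_end_entity_xml(ne_id, node_ip, profile="MINI-LINK_Indoor_EP",
                         publish_to_tdps=True):
    """Return the End Entity XML for one MINI-LINK node as a string.

    EntityInfo/Name is the Network Element ID, COMMON_NAME is '<NE ID>-oam'
    and the SubjectAltName carries the node's real IP address, as in the
    ML6691_LK-140 example. A placeholder address (0.0.0.0 or ::) is rejected
    (hypothetical check added by this example).
    """
    ip = ipaddress.ip_address(node_ip)  # ValueError if not an IP literal
    if ip.is_unspecified:
        raise ValueError("node_ip must be the node's address, not a placeholder")
    ET.register_namespace("xsi", XSI)
    root = ET.Element("Entities",
                      {f"{{{XSI}}}noNamespaceSchemaLocation": "EntitiesSchema.xsd"})
    entity = _sub(root, "Entity")
    _sub(entity, "PublishCertificatetoTDPS", str(publish_to_tdps).lower())
    _sub(entity, "EntityProfile", attrib={"Name": profile})
    for severity, before, every in EXPIRY_NOTIFICATIONS:
        n = _sub(entity, "CertificateExpiryNotificationDetails")
        _sub(n, "NotificationSeverity", severity)
        _sub(n, "PeriodBeforeExpiry", before)
        _sub(n, "FrequencyOfNotification", every)
    alg = _sub(entity, "KeyGenerationAlgorithm")
    _sub(alg, "Name", "RSA")
    _sub(alg, "KeySize", "2048")
    cat = _sub(entity, "Category")
    _sub(cat, "Modifiable", "true")
    _sub(cat, "Name", "UNDEFINED")
    info = _sub(entity, "EntityInfo")
    _sub(info, "Name", ne_id)
    subject = _sub(info, "Subject")
    for ftype, value in SUBJECT_FIELDS + [("COMMON_NAME", f"{ne_id}-oam")]:
        field = _sub(subject, "SubjectField")
        _sub(field, "Type", ftype)
        _sub(field, "Value", value)
    san = _sub(info, "SubjectAltName")
    _sub(san, "Critical", "false")
    san_field = _sub(san, "SubjectAltNameField")
    _sub(san_field, "Type", "IP_ADDRESS")
    value = _sub(san_field, "Value",
                 attrib={f"{{{XSI}}}type": "SubjectAltNameString"})
    _sub(value, "StringValue", str(ip))
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(root, encoding="unicode"))


def check_end_entity_xml(xml_text, expected_ne_id):
    """Check an End Entity XML against the rules; return a list of problems."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    info = root.find("Entity/EntityInfo")
    if info is None:
        return ["missing Entity/EntityInfo element"]
    problems = []
    name = info.findtext("Name")
    if name != expected_ne_id:
        problems.append(f"EntityInfo/Name is {name!r}, expected {expected_ne_id!r}")
    cn = next((f.findtext("Value") for f in info.findall("Subject/SubjectField")
               if f.findtext("Type") == "COMMON_NAME"), None)
    if cn != f"{expected_ne_id}-oam":
        problems.append(f"COMMON_NAME is {cn!r}, expected {expected_ne_id + '-oam'!r}")
    ip_text = info.findtext("SubjectAltName/SubjectAltNameField/Value/StringValue")
    try:
        if ip_text is None or ipaddress.ip_address(ip_text).is_unspecified:
            problems.append(f"SubjectAltName IP_ADDRESS is a placeholder: {ip_text!r}")
    except ValueError:
        problems.append(f"SubjectAltName IP_ADDRESS is not an IP literal: {ip_text!r}")
    return problems


if __name__ == "__main__":
    # Same node as the page's example; writes EE_<Network Element ID>.xml.
    doc = build_end_entity_xml("ML6691_LK-140", "10.198.100.140")
    with open("EE_ML6691_LK-140.xml", "w", encoding="utf-8") as fh:
        fh.write(doc)
    print(check_end_entity_xml(doc, "ML6691_LK-140") or "OK")
```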

2. Create the End Entity.


Drag and drop the XML file created in Step 1 into the ENM CLI app and run
the following command to create the End Entity:

pkiadm etm -c -xf file:EE_<Network Element ID>.xml

3. Verify the End Entity Creation.


Verify that the End Entity has been created by listing all the End Entities in
the ENM PKI system:


pkiadm etm -l -type ee

The End Entity must be present in the list of End Entities.

The End Entity is created with the Network Element ID as its name, and its status
is NEW. The following example shows an End Entity related to MINI-LINK
node ML6691_LK-140.

6.8.22.4 Offline Enrollment Procedure

Steps

1. Download CSR From Node.

To download the CSR, see the section Using Certificates from a Trusted
Certificate Provider of the respective Node CPI, Reference [42].

2. Generate the certificate.

Drag and drop the CSR file onto the ENM CLI and run the following ENM CLI
command to generate the End Entity credential in PEM format:

pkiadm certmgmt EECert --generate --entityname <End_Entity> --csrfile file:"<downloaded_csr>" --format PEM

The certificate must be generated successfully on the ENM deployment from the
provided CSR.

3. Upload the signed certificate on the node.

To upload the signed certificate, see the section Using Certificates from a Trusted
Certificate Provider of the respective Node CPI, Reference [42].

Note: If a warning page with error code SEC_ERROR_UNKNOWN_ISSUER
persists, add the certificate to the Trusted Certificate list of the Firefox
browser. Follow the steps below to resolve the issue:

a. Import the certificates (ENM_PKI_Root_CA and NE_OAM_CA) into
Certificate Manager in the browser.

If an External CA is the issuer of ENM_PKI_Root_CA, then all the external
CA certificates up to the Root CA, along with ENM_PKI_Root_CA and
NE_OAM_CA, should be imported into the browser.

b. Add the Node IP Address to the End Entity that was created in PKI
Entity Management.

6.8.23 Offline Enrollment Procedure for ADP Based Nodes (GenericADP)


The procedure used to integrate ADP Based Nodes (GenericADP) is described in
Cloud RAN documentation.


7 Administering Security Levels on CPP-Based Network Elements

This chapter describes the security levels used to implement the security solution
for O&M access in CPP-based NEs.

The main O&M interfaces for Configuration Management, Fault Management,
Performance Management, and Software and Hardware Management in a CPP-based
NE are provided as CORBA services. CPP also provides a Command Line
Interface (CLI) and a file transfer service. For backward compatibility, different
security levels can be configured for O&M access.

Note: Maximum supported security level is 2.

Table 12 Defined Security Levels

Access Services: CORBA

— Security Level 1: No authentication; no authorization; unsecured protocol (IIOP).

— Security Level 2: Authentication using certificate AA service; no authorization;
secured protocol (SSLIOP).

— Local Authentication & Authorization: Authentication with LAAD; authorization
with LAAD; secured/unsecured protocol, SSLIOP (for SL2) / IIOP (SL1).

— Security Level 3 (Not Supported): Authentication using certificate AA service;
authorization; secured protocol (SSLIOP).

Access Services: Access to CLI

— Security Level 1: Authentication using node password; no authorization; Telnet
or SSH can be configured.

— Security Level 2: Authentication using node password; no authorization; Telnet
or SSH can be configured.

— Local Authentication & Authorization: Authentication with LAAD; authorization
with LAAD; Telnet or SSH can be configured.

— Security Level 3 (Not Supported): Authentication using central AA service;
authorization; SSH mandatory.

Access Services: File transfer

— Security Level 1: Authentication using node password; no authorization; FTP or
SFTP can be configured.

— Security Level 2: Authentication using node password; no authorization; FTP or
SFTP can be configured.

— Local Authentication & Authorization: Authentication with LAAD; authorization
with LAAD; FTP or SFTP can be configured.

— Security Level 3 (Not Supported): Authentication using central AA service;
authorization; SFTP mandatory.

Access Services: Other access services

— Security Level 1: UDP Link Handler, Debug Server, and Target Monitor are
switched off by default but can be switched on.

— Security Level 2: Link Handler, Debug server, and Target Monitor are off by
default but can be opened.

— Local Authentication & Authorization: UDP Link Handler, Debug server, and
Target Monitor are off by default but they can be opened.

— Security Level 3 (Not Supported): UDP Link Handler and Debug server are always
closed. Target Monitor is off by default but can be opened.


7.1 Configuring Security Levels in CPP-Based NEs


This task describes how to start a job to change the security level for a list
of nodes from Level 1 to Level 2 (SL2 Activation) or Level 2 to Level 1 (SL2
Deactivation).

— Once the SL2 Activation command is triggered, it performs Trust Cert
Distribution and Initial Enrollment on the node and sets the Security Level
to 2. If Trust Cert Distribution has already been done on the node, it skips this
action and continues with Enrollment to set the security level.

— Once the SL2 Deactivation command is triggered, it allows the operator to
set the Operational Security Level from Level 2 to Level 1 on a Cello Packet
Platform (CPP) node.

— At Security Level 1, there is no security at all in the communication
towards NEs. This is the default mode after initial installation. As CORBA
communication is not secured, no authentication is required when accessing
the NE over this interface (plain IIOP, no encryption of data).

— At Security Level 2, secure protocols are used towards the NEs. The CORBA
interface is secured and authentication is achieved by the use of certificates
that have been issued to the NE by a Certificate Authority (IIOP over
SSL, data encryption).

Note: Maximum supported security level is 2.

Prerequisites

— Nodes must exist in the system.

— Nodes must be synchronized.

— Enable the SHA1 algorithm to avoid the Cert Enrollment failure.

— Use the following command to check the algorithm status:

pkiadm cfg algo --list --type all --status all

— Use the following command to enable the SHA1 algorithm:

pkiadm configmgmt algo --enable --name SHA1

— Create Node Credentials. To create node credentials, see the section Create
Node Credentials on page 21.

— User must be a Node Security Administrator to trigger the security level set
command.


— If CMPv2_VC enrollment mode has been selected, then make sure that Vendor
Credentials are imported to ENM.

— FM alarmSupervisionState must be active.

— Use the following command to check the alarmSupervisionState on
the node.

alarm status <node_name>

— Use the following command to activate the alarmSupervisionState on
the node.

alarm enable <node_name>

Steps

1. Configure security level on the node.


Run the ENM CLI command:

secadm sl set

See online help for more details.

2. Verify the Job status.


Run the ENM CLI command:

secadm get job

Job status must be COMPLETED and then check the workflow status. If it is
SUCCESS, the node is switched to Security Level 2 and if the workflow status
is ERROR, see the document ENM Security Management Troubleshooting
Guide, Reference [10], for more details.

3. Retrieve the security level on the node to verify the activation status.
Run the ENM CLI command:

secadm sl get

See the section Get Security Level Status on page 274.

Note: It can take up to two heartbeat intervals for the security level
change to be reflected in ENM. Use the following command to verify
the activation status:

secadm sl get


Results
If the command is triggered successfully, the following message is displayed:

"Security level change initiated. Perform secadm job get -j JOB_ID to get progress info."

See online help for more details.

7.2 Configuring Local User Authentication and Authorization for SL1 and SL2 Nodes

This task describes the Local AA (Authentication and Authorization) feature
and its functionality.

Note: Local AA feature is supported for RNC, ERBS, RBS, MGW, MRS,
and Evo8300 type of CPP nodes. The following table describes the
supported node versions.

Table 13

NE Type    Local RBAC Supported Node Versions From    Automatic Local RBAC Enable Supported Node Versions From
RNC        W18.Q4                                     W20.Q1
ERBS       L19.Q1                                     L20.Q1
RBS        W19.Q1                                     W20.Q1
MGW        6.10.4.0                                   6.11.2.0
MRS        6.10.4.0                                   6.11.2.0
Evo8300    C19.Q3                                     C20.Q1

The Local AA solution implements the local Authentication and Authorization of
users for CPP nodes. It manages local access profiles (CPP Task Profiles) and
creates LAAD (Local Authentication and Authorization Database) files which are
installed on CPP nodes.

The purpose of the CPP Task Profiles is to authorize users on CPP nodes. Users
are assigned with CPP Task Profiles and granted permissions to execute the
commands on CPP nodes based on the Task Profiles. The node uses the LAAD
files to authenticate and manage the different levels of authorization for different
users, while accessing it over SSH/SFTP/CORBA.

LAAD files must be distributed to the nodes before configuring the Local AA on
the node. All users associated with CPP Task Profiles are part of the LAAD files.


LAAD files must be redistributed if there is any addition or deletion of users, or
any modification of the CPP task profiles associated with the users.

If Local Authentication and Authorization is activated (enhanced mode) on the
node, the node uses the Local AA database to authenticate and authorize users.

If Local AA is deactivated on the node (basic mode), the node uses the node
password file to authenticate the users. By default, the node is in deactivated
mode (basic mode).

This feature allows the operator to enable Local AA on the node, which involves:

— User creation and association of task profiles.

— Generation and distribution of LAAD files on the node.

— Activation and deactivation of Local AA on the node.

— Getting the Local AA status.

Local User Authentication and Authorization can be activated on Security Level 1
and Security Level 2.

Prerequisites

— LAAD files can contain at most 50 users, two of which are the predefined
users nmsadm and secureuser; the other 48 users are configurable.

nmsadm is required by the mediation components and is used for
authentication when mediation connects to the node during secure
CORBA communication. There is no password for the nmsadm user and it is
present only in the Authorization file.

secureuser is the user defined on a network element to establish
the SSH connection. This user is used by the Node Security Service component
during the SSH connection. For the secure user, the password is fetched from
the NetworkElementSecurity MO.

— Among the 48 users, at least one user must be assigned the
SecurityManagement task profile.


Note: The secure user is used by AMOS during the execution of COLI commands,
whereas the actual user who opened the AMOS session is used for CRUD
operations. To use the actual user for CLI commands, follow these steps in
every new or refreshed user interface session:

1. Open the Shell Terminal on Scripting (SSH on Scripting VMs) tab in
the ENM Launcher.

2. Connect to the node through AMOS using the command:

amos <nodename>

Example:

[administrator@scp-1-scripting(ieatENM5300) ~]$ amos rnc123

3. Log on to moshell and execute:

uv amos_enm_accountlookup=0

Example:

LIENB0511> uv amos_enm_accountlookup=0

Steps

1. Create Users and associate them to Task Profiles.

This step describes the procedure for the creation of users and the association
of task profiles.

This can be done through RESTful User Management or the User Management
application.

See the document ENM Identity and Access Management System
Administrator Guide, Reference [2], for more details on users and their access
control management through the concept of roles and target groups.

See the document ENM Identity and Access Management Programmers
Guide, Reference [1], for interacting with RESTful user management.

2. Distribute LAAD files on the Nodes.


This step describes the procedure to distribute the LAAD files on the CPP
nodes.

See the section Distribution of LAAD Files on CPP-Based NEs on page 266.

3. Activate and Deactivate Local AA.


This step describes the procedure for activating and deactivating Local AA
on the node.

See the sections Activate Local AA on page 267 and Deactivate Local AA on
page 271.

4. Get Local AA Status on the Node.

Use the security level get command, which reports whether the node is
using LAAD files for Authentication and Authorization.

See the section Get Security Level Status on page 274 for more details.

7.3 Distribution of LAAD Files on CPP-Based NEs


This task describes the procedure to distribute LAAD files on the CPP nodes.

Note: Local AA feature is supported for RNC, ERBS, RBS, MGW, MRS, and
Evo8300 nodes.

The LAAD consists of two files: an authentication file and an authorization
file. These files are generated and signed, and the signed files are
distributed to the node. As part of the distribution of LAAD files, trust certificates
for LAAD are distributed and installed on the node with the trust category
LOCAL_AA_DB_FILE_SIGNERS. If the trusted certificates have already been distributed
to the nodes, their distribution is skipped and the procedure continues with the
LAAD file distribution to the nodes.

To generate the LAAD files for a CPP node, the LAAD files are first prepared using
the required information, for example, usernames, task profiles, and hashed
passwords for the given node. Using this information, the Local Authentication and
Authorization files are generated.

— The Authentication file contains the usernames mapped with the respective
hashed passwords.

— The Authorization file contains the usernames mapped with the list of
corresponding task profiles of that user.

After generating the files, they are signed and installed on the nodes.

Prerequisites
— Node must be in sync with ENM.

— Secure User credentials must be created on node.

— FM Alarm Supervision State must be enabled:

• Use the following command to check the alarmSupervisionState on
the node.

alarm status <nodename>

• If alarmSupervisionState is not enabled, use the following command to
enable it.

fmedit set NetworkElement=<nodename>,FmAlarmSupervision=1 alarmSupervisionState=true

Actors
Authorized for: NodeSecurity_Administrator, Administrator, Action : execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Steps

1. Distribute LAAD files on the CPP nodes.


Run the ENM CLI command:

secadm laad distribute

See online help for more details.

Results
If the command is triggered successfully, the following message is displayed in
ENM CLI:

Successfully started a job to distribute LAAD files to node(s).
Perform 'secadm job get -j 2e9eb493-52a7-46dd-b970-01ce7250a52a'
to get progress information.

Job status must be COMPLETED and then check the workflow status. If it is
SUCCESS, the LAAD files are distributed to the nodes.

7.4 Activate Local AA


This task describes the step for activating Local AA on the node.

Upon activating the Local AA mode, the node uses the LAAD files for
authentication and authorization.


Prerequisites
— The supported node types are RNC, ERBS, RBS, MGW, MRS, RNC EVO 8200,
and RNC EVO 8300 nodes.

— The node must be synchronized.

— LAAD files must be distributed on the nodes.

Steps

1. Connect to the node and check the UserAAPolicy status using the COLI
command secmode -s.

[root@svc-1-mscmce cloud-user]# ssh [email protected]
[email protected]'s password: Ericsson_rnc20
Welcome to Shell on Evo8300
$ secmode -s
Security configuration settings:
Access method Current security mode
--------------------------------------------------------------
TelnetFtpServers secure, node internal Telnet and FTP servers are OFF.
TargetMonitor secure, node Target Monitor is OFF.
DbgServerUdpLnh secure, Debug server and UDP Linkhandler are OFF.
FileXferClient secure, node internal file transfer client uses SFTP.
CorbaSecurity secure, corba security is ON.
WebServer unsecure, HTTP server is ON.
UserAAPolicy unconfirmed, LAAD file with multiple Local Authentication and Authorization users is activated in SL1 and SL2
OperationalSecLevel level 2
ConfiguredSecLevel level 2

--End settings------------------------------------------------

2. Confirm the distributed LAAD files if the UserAAPolicy status is in
unconfirmed mode, as previously shown.

secmode -u c

After successful confirmation, the UserAAPolicy status is changed to
enhanced mode.

Check the UserAAPolicy status with the following COLI command:

secmode -s

See Step 4 to verify user authentication and authorization with the newly
distributed LAAD files.

Example

$ secmode -u c
Command returned: SECMODE_OK
Command executed successfully
$ secmode -s
Security configuration settings:
Access method Current security mode
--------------------------------------------------------------
TelnetFtpServers secure, node internal Telnet and FTP servers are OFF.
TargetMonitor secure, node Target Monitor is OFF.
DbgServerUdpLnh secure, Debug server and UDP Linkhandler are OFF.
FileXferClient secure, node internal file transfer client uses SFTP.
CorbaSecurity secure, corba security is ON.
WebServer unsecure, HTTP server is ON.
UserAAPolicy enhanced, LAAD file with multiple Local Authentication and Authorization users is activated in SL1 and SL2
OperationalSecLevel level 2
ConfiguredSecLevel level 2
--End settings------------------------------------------------
$

Note: — The UserAAPolicy status is automatically changed to
unconfirmed mode when the LAAD files are distributed on
nodes with version greater than or equal to 20.Q1 (Automatic
Local RBAC Enable Supported Node Versions mentioned in the
Supported Node Versions table).

— If the UserAAPolicy status is in unconfirmed mode, then
the operator must confirm within 10 minutes of LAAD
file distribution using COLI commands. If not confirmed, the
UserAAPolicy status is changed to basic mode and, in that
case, the node password (RNC, ERBS, RBS, MGW, MRS, and RNC
EVO 8200) or username/password (Evo8300) needs to be
recreated as shown in Step 2 of the section Deactivate Local AA
on the node.
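As an added example, not part of this guide, the following Python code parses the secmode -s output shown in Steps 1 to 3 and derives the COLI commands still required to reach enhanced mode, including the 10-minute confirmation window from the Note above and a check that OperationalSecLevel matches ConfiguredSecLevel (the heartbeat-delay case from Section 7.1). The sample output is constructed from the page's listing; the function names are this example's own assumptions.

```python
# Added example, not from the ENM guide: interpret 'secmode -s' output and
# plan the remaining COLI steps for Local AA activation.
import re

# Constructed sample, copied from the 'secmode -s' listing on the page
# (unconfirmed mode); the basic and enhanced variants are derived from it.
SECMODE_UNCONFIRMED = """\
Security configuration settings:
Access method Current security mode
--------------------------------------------------------------
TelnetFtpServers secure, node internal Telnet and FTP servers are OFF.
TargetMonitor secure, node Target Monitor is OFF.
DbgServerUdpLnh secure, Debug server and UDP Linkhandler are OFF.
FileXferClient secure, node internal file transfer client uses SFTP.
CorbaSecurity secure, corba security is ON.
WebServer unsecure, HTTP server is ON.
UserAAPolicy unconfirmed, LAAD file with multiple Local Authentication and Authorization users is activated in SL1 and SL2
OperationalSecLevel level 2
ConfiguredSecLevel level 2
--End settings------------------------------------------------
"""
_UNCONFIRMED_ROW = ("UserAAPolicy unconfirmed, LAAD file with multiple Local "
                    "Authentication and Authorization users is activated in SL1 and SL2")
SECMODE_BASIC = SECMODE_UNCONFIRMED.replace(
    _UNCONFIRMED_ROW,
    "UserAAPolicy basic, Node Users with user specific password are used in SL1 and SL2")
SECMODE_ENHANCED = SECMODE_UNCONFIRMED.replace("UserAAPolicy unconfirmed,",
                                               "UserAAPolicy enhanced,")

# Unconfirmed LAAD files fall back to basic mode after 10 minutes (page Note).
CONFIRM_WINDOW_SECONDS = 10 * 60

_ROW = re.compile(r"^(\w+)\s+(.+?)\s*$")


def parse_secmode(output):
    """Map each 'Access method' name in 'secmode -s' output to its mode text."""
    settings, in_table = {}, False
    for line in output.splitlines():
        if line.startswith("--End"):
            break                      # end of the settings table
        if line.startswith("----"):
            in_table = True            # header separator; rows follow
            continue
        m = _ROW.match(line) if in_table else None
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def user_aa_policy(settings):
    """Return the UserAAPolicy mode keyword: 'unconfirmed', 'enhanced' or 'basic'."""
    return settings.get("UserAAPolicy", "").split(",", 1)[0].strip().lower()


def level_change_pending(settings):
    """True while ConfiguredSecLevel differs from OperationalSecLevel."""
    return settings.get("ConfiguredSecLevel") != settings.get("OperationalSecLevel")


def laad_activation_plan(output, seconds_since_distribution=0):
    """COLI commands still needed to reach enhanced mode.

    unconfirmed -> 'secmode -u c' inside the 10-minute window; after the
    window only 'secmode -s' is returned, because the node falls back to
    basic mode and the node credentials may need recreating (see the Note).
    basic -> 'secmode -u e' then 'secmode -u c'.  enhanced -> nothing.
    """
    mode = user_aa_policy(parse_secmode(output))
    if mode == "enhanced":
        return []
    if mode == "unconfirmed":
        if seconds_since_distribution > CONFIRM_WINDOW_SECONDS:
            return ["secmode -s"]
        return ["secmode -u c"]
    if mode == "basic":
        return ["secmode -u e", "secmode -u c"]
    raise ValueError(f"unexpected UserAAPolicy mode: {mode!r}")


if __name__ == "__main__":
    for label, sample in (("unconfirmed", SECMODE_UNCONFIRMED),
                          ("basic", SECMODE_BASIC), ("enhanced", SECMODE_ENHANCED)):
        print(label, "->", laad_activation_plan(sample))
```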

3. Confirm the LAAD files procedure if the UserAAPolicy status is in basic
mode, as shown in the following.

$ secmode -s
Security configuration settings:
Access method Current security mode
--------------------------------------------------------------
TelnetFtpServers secure, node internal Telnet and FTP servers are OFF.
TargetMonitor secure, node Target Monitor is OFF.
DbgServerUdpLnh secure, Debug server and UDP Linkhandler are OFF.
FileXferClient secure, node internal file transfer client uses SFTP.
CorbaSecurity secure, corba security is ON.
WebServer unsecure, HTTP server is ON.
UserAAPolicy basic, Node Users with user specific password are used in SL1 and SL2
OperationalSecLevel level 2
ConfiguredSecLevel level 2
--End settings------------------------------------------------

Run the following commands:

secmode -u e

secmode -u c

After successful confirmation, the UserAAPolicy status is changed to
enhanced mode.

Check the UserAAPolicy status using the following COLI command:

secmode -s

See Step 4 to verify user authentication and authorization with the newly
distributed LAAD files.

Example

$ secmode -u e
Command returned: SECMODE_OK
Command executed successfully
Please confirm the setting by giving the secmode -u c command, from the security user.
$ secmode -s
Security configuration settings:
Access method        Current security mode
--------------------------------------------------------------
TelnetFtpServers     secure, node internal Telnet and FTP servers are OFF.
TargetMonitor        secure, node Target Monitor is OFF.
DbgServerUdpLnh      secure, Debug server and UDP Linkhandler are OFF.
FileXferClient       secure, node internal file transfer client uses SFTP.
CorbaSecurity        secure, corba security is ON.
WebServer            unsecure, HTTP server is ON.
UserAAPolicy         unconfirmed, LAAD file with multiple Local Authentication and Authorization users is activated in SL1 and SL2
OperationalSecLevel  level 2
ConfiguredSecLevel   level 2
--End settings------------------------------------------------
$ secmode -u c
Command returned: SECMODE_OK
Command executed successfully
$ secmode -s
Security configuration settings:
Access method        Current security mode
--------------------------------------------------------------
TelnetFtpServers     secure, node internal Telnet and FTP servers are OFF.
TargetMonitor        secure, node Target Monitor is OFF.
DbgServerUdpLnh      secure, Debug server and UDP Linkhandler are OFF.
FileXferClient       secure, node internal file transfer client uses SFTP.
CorbaSecurity        secure, corba security is ON.
WebServer            unsecure, HTTP server is ON.
UserAAPolicy         enhanced, LAAD file with multiple Local Authentication and Authorization users is activated in SL1 and SL2
OperationalSecLevel  level 2
ConfiguredSecLevel   level 2
--End settings------------------------------------------------
$

4. If the UserAAPolicy status is in enhanced mode, verify that a user present in
   the distributed LAAD files can log on to the node successfully.

ssh <user created in User Management UI>@<Node IP>

Example
ssh [email protected]

5. See section 4.10 Configuring Local User Authentication and Authorization of
   the document Security for O&M Node Access, Reference [18] for more details.
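The following script is an added example for this guide, not code from the ENM product or the node software. It parses the output of the COLI command secmode -s shown in steps 3 and 4, maps the UserAAPolicy mode to the next operator action (enhanced: nothing to do; unconfirmed: secmode -u c within the 10-minute window; basic: secmode -u e followed by secmode -u c), and lists access methods that are still reported as unsecure. The same parser serves the secmode -s check at the start of the Deactivate Local AA procedure. The sample output is constructed from the format printed above; the REQUIRED_SECURE list, the function names and the audit() wrapper are this example's own assumptions.

```python
"""Classify the UserAAPolicy (Local AA) state from `secmode -s` output.

Added example for this guide, not code from ENM or the CPP node software.
The sample text below is constructed from the output format the guide shows;
function names and the REQUIRED_SECURE list are this example's own choices.
"""
import re

# Constructed sample: a node whose LAAD files were distributed but not yet
# confirmed (the state the operator has 10 minutes to confirm).
SAMPLE_UNCONFIRMED = """\
Security configuration settings:
Access method        Current security mode
--------------------------------------------------------------
TelnetFtpServers     secure, node internal Telnet and FTP servers are OFF.
TargetMonitor        secure, node Target Monitor is OFF.
DbgServerUdpLnh      secure, Debug server and UDP Linkhandler are OFF.
FileXferClient       secure, node internal file transfer client uses SFTP.
CorbaSecurity        secure, corba security is ON.
WebServer            unsecure, HTTP server is ON.
UserAAPolicy         unconfirmed, LAAD file with multiple Local Authentication and Authorization users is activated in SL1 and SL2
OperationalSecLevel  level 2
ConfiguredSecLevel   level 2
--End settings------------------------------------------------
"""

# One settings line: <AccessMethod> <mode>[, <free-text detail>]
LINE_RE = re.compile(r"^(?P<method>[A-Za-z]+)\s+(?P<mode>[^,]+?)(?:,\s*(?P<detail>.*))?$")

# Access methods the guide's outputs show as "secure" once SL2 is reached
# (assumption of this example: treat anything else as a finding).
REQUIRED_SECURE = ("TelnetFtpServers", "TargetMonitor", "DbgServerUdpLnh",
                   "FileXferClient", "CorbaSecurity")


def parse_secmode(text):
    """Return {access_method: (mode, detail)} from the table between the
    dashed header line and the '--End settings' line."""
    settings, in_body = {}, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("--End"):
            break
        if not in_body:
            in_body = line.startswith("----")  # the dashed line opens the table
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m["method"]] = (m["mode"].strip(), (m["detail"] or "").strip())
    return settings


def local_aa_action(settings):
    """Translate the UserAAPolicy mode into the next operator step from the guide."""
    mode = settings.get("UserAAPolicy", ("", ""))[0]
    if mode == "enhanced":
        return "none: LAAD files confirmed, Local AA is active"
    if mode == "unconfirmed":
        return "run 'secmode -u c' within 10 minutes of the LAAD distribution"
    if mode == "basic":
        return "run 'secmode -u e' and then 'secmode -u c' to activate Local AA"
    return "unknown UserAAPolicy mode %r, inspect the node manually" % mode


def insecure_methods(settings):
    """Required methods not reported 'secure', plus anything reported 'unsecure'
    (WebServer in every output the guide shows)."""
    bad = [m for m in REQUIRED_SECURE if settings.get(m, ("", ""))[0] != "secure"]
    bad += [m for m, (mode, _) in settings.items() if mode == "unsecure" and m not in bad]
    return sorted(bad)


def audit(text):
    """One-call summary for a fleet script that collects `secmode -s` over SSH."""
    s = parse_secmode(text)
    return {
        "operational_level": s.get("OperationalSecLevel", ("", ""))[0],
        "user_aa_policy": s.get("UserAAPolicy", ("", ""))[0],
        "action": local_aa_action(s),
        "insecure": insecure_methods(s),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_UNCONFIRMED).items():
        print("%-18s %s" % (key, value))
```

The three secmode modes correspond to the Local AA Mode values reported by secadm sl get (enhanced: ACTIVATED, basic: DEACTIVATED, unconfirmed: UNCONFIRMED), so the same classification can be applied to either source.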

7.5 Deactivate Local AA

This task describes the steps for deactivating Local AA on the node.

Once Local AA is deactivated, the node no longer uses the LAAD files for
authentication and authorization.

Prerequisites
— The supported node types are RNC, ERBS, RBS, MGW, MRS, RNC EVO 8200,
and RNC EVO 8300 nodes.

— The node must be synchronized.

— Local AA must be activated on the node.

Steps

1. Connect to the node and check the UserAAPolicy status using the COLI
   command secmode -s.

[PNTC-5267@ieatlms4685 ~]$ ssh [email protected]
[email protected]'s password:
Welcome to Shell on Evo8300
$ secmode -s
Security configuration settings:
Access method        Current security mode
--------------------------------------------------------------
TelnetFtpServers     secure, node internal Telnet and FTP servers are OFF.
TargetMonitor        secure, node Target Monitor is OFF.
DbgServerUdpLnh      secure, Debug server and UDP Linkhandler are OFF.
FileXferClient       secure, node internal file transfer client uses SFTP.
CorbaSecurity        secure, corba security is ON.
WebServer            unsecure, HTTP server is ON.
UserAAPolicy         enhanced, LAAD file with multiple Local Authentication and Authorization users is activated in SL1 and SL2
OperationalSecLevel  level 2
ConfiguredSecLevel   level 2
--End settings------------------------------------------------

2. If the UserAAPolicy status is in enhanced mode, deactivate Local AA and
   bring the node back to basic mode.

Run the following command to deactivate Local AA:

secmode -u b

Check the UserAAPolicy status with the following COLI command:

secmode -s

For RNC EVO 8200 or Media Gateway Nodes:

a. After the deactivation of Local AA, a new node-password must be set as
shown in the following:

$ secmode -u b
Command returned: SECMODE_OK
UserAAPolicy changed from enhanced to basic, a new password must be set.
Enter new password: <Enter desired Password>
Re-enter new password: <Confirm desired Password>
Command executed successfully
[PNTC-5266@ieatlms4898 ~]$ ssh [email protected]
[email protected]'s password: <desired Password>
Welcome to OSE Shell OSE5.8.
$ secmode -s
Security configuration settings:
Access method        Current security mode
--------------------------------------------------------------
TelnetFtpServers     secure, node internal Telnet and FTP servers are OFF.
TargetMonitor        secure, node Target Monitor is OFF.
DbgServerUdpLnh      secure, Debug server and UDP Linkhandler are OFF.
FileXferClient       secure, node internal file transfer client uses SFTP.
CorbaSecurity        secure, corba security is ON.
WebServer            unsecure, HTTP server is ON.
UserAAPolicy         basic, One Node Password is used in SL1 and SL2
OperationalSecLevel  level 2
ConfiguredSecLevel   level 2
--End settings------------------------------------------------

b. Update the secure user credentials accordingly in ENM after changing
the node-password on the node in the previous step.

secadm credentials update --rootusername <user-name> --rootuserpassword <node-password> --secureusername <user-name> --secureuserpassword <node-password> --normalusername <user-name> --normaluserpassword <node-password> -n <node-name>

For RNC EVO 8300:

After deactivation of Local AA on the node, all the previously available users
are deleted on the node. To create a user with OAM ADMIN role on the node,
do the following steps:

a. Get the SecureUser credentials from ENM by executing the following
command in the ENM CLI.

secadm credentials get --plaintext show --nodelist <Node Name>

Example:

Figure 43

b. Log on to the node with the credentials username: initadmin and
password: init, as shown in the example.

c. Set the username and password as the Secure user credentials in ENM for
the OAM ADMIN role user, so that ENM use cases that rely on SSH do not
break. Until this account is created the node accepts the default
initadmin/init logon, so perform steps b and c immediately after the
deactivation.

Example:

$ secmode -u b
Command returned: SECMODE_OK
UserAAPolicy changed from enhanced to basic, node users must be configured.
Command executed successfully

[PNTC-5267@ieatlms4685 ~]$ ssh [email protected]
[email protected]'s password: init
Welcome to Shell on Evo8300
Create OAM admin account:
=========================
Please enter Username: <SecureUserName>
Enter new password: <SecureUserPassword>
Retype new password: <SecureUserPassword>
Successfully created the user: user.
Connection to 10.74.58.20 closed.

[PNTC-5267@ieatlms4685 ~]$ ssh [email protected]
[email protected]'s password: <secureUserPassword>
Welcome to Shell on Evo8300
$ secmode -s
Security configuration settings:
Access method        Current security mode
--------------------------------------------------------------
TelnetFtpServers     secure, node internal Telnet and FTP servers are OFF.
TargetMonitor        secure, node Target Monitor is OFF.
DbgServerUdpLnh      secure, Debug server and UDP Linkhandler are OFF.
FileXferClient       secure, node internal file transfer client uses SFTP.
CorbaSecurity        secure, corba security is ON.
WebServer            unsecure, HTTP server is ON.
UserAAPolicy         basic, Node Users with user specific password are used in SL1 and SL2
OperationalSecLevel  level 2
ConfiguredSecLevel   level 2
--End settings------------------------------------------------

3. See section 4.10 Configuring Local User Authentication and Authorization of
   the document Security for O&M Node Access, Reference [18] for more details.

7.6 Get Security Level Status

This task describes how to start a job to get the current Operational Security
Level and Local AA status on a Cello Packet Platform (CPP) node.

The table describes the values in the Local AA mode field.

Table 14
Local AA Mode   Description
ACTIVATED       LAAD file with multiple Local Authentication and Authorization
                users is activated in SL1 and SL2.
DEACTIVATED     Node Password is used in SL1 and SL2.
UNCONFIRMED     LAAD file with multiple Local Authentication and Authorization
                users is activated in SL1 and SL2 and is in unconfirmed state.

Prerequisites
— Nodes must exist in the system.

— Nodes must be synchronized.

— The user must be a Node Security Administrator or Operator to trigger the
security level get command.

Steps

1. Get the security level and Local AA status on the CPP node.

Run the following ENM CLI command:

secadm sl get

See online help for more details.

Results
The security level on the node and the Local AA status details are displayed with
the node name. See online help for more details.


8 LDAP Administrative Tasks

These tasks describe the procedures to configure Network Elements for
Centralized User Authentication & Authorization through the LDAP protocol.

LDAP Configure
LDAP Configure can be applied to the Network Elements that support
Centralized User Authentication & Authorization through the LDAP protocol,
providing the required settings to the node LDAP client.

Table 15 LDAP Attributes

LDAP Attribute                        Description
base DN                               The base DN against which the client binds.
bind DN                               The proxy agent account used by the node to perform the initial bind.
bind Password                         The proxy agent password.
LDAP Primary Server IP Address        The primary LDAP server IP address.
LDAP Secondary Server IP Address      The fallback LDAP server IP address. Used by the nodes when communication with the primary LDAP server fails.
TLS establishment protocol (TlsMode)  This attribute can be set to either "LDAPS" or "startTls".
Enable TLS (useTLS)                   Always true. Only a secure connection, with TLS, is allowed.

As a consequence of this use case, a new proxy account is created on the ENM LDAP
server with its password. These credentials are provided to the Network Element
so that it can authenticate itself before User Authentication & Authorization
through the LDAP protocol takes place.

By default, for the password complexity requirement, the proxy account password
length is 24 characters.

Note: If the default password length is not supported by the node,
see the section Downsize Proxy Account Password Length on page 290.

LDAP Configure can be performed with the following options:

LDAP Configure/Reconfigure through ENM Mediation

Network Elements in CM Sync are configured as LDAP clients through ENM
Mediation, using the ENM CLI secadm ldap configure/reconfigure command,
providing an XML file with the list of Network Elements.

LDAP Configure with Manual Option

The LDAP client settings are provided as output of the ENM CLI secadm ldap
configure command with the --manual option, and must then be applied
manually, directly on the Network Element.

This option is provided to configure LDAP on Network Elements that are not
in CM Sync.

8.1 LDAP Configuration on Baseband Radio Node and 5GRadioNode

This task describes how to configure the LDAP server configuration details
on Baseband Radio Nodes and 5GRadioNode when the nodes are managed
in ENM.

Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the NE defined.

— The nodes must have the credentials already defined.

— The nodes must be in SYNC status.

Steps

1. Configure the LDAP Client.

Run the ENM CLI command:

secadm ldap configure -xf file:LdapConfiguration.xml

Note: The LDAP settings on the node can be verified with the command:

cmedit get <Node-FDN>

Example
LdapConfiguration.xml

<?xml version="1.0" encoding="UTF-8"?>
<Nodes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="LdapConfigurationSchema.xsd">
<Node>
<nodeFdn>LTE01dg2ERBS00040</nodeFdn>
<tlsMode>STARTTLS</tlsMode>
<userLabel>Ldap Configuration</userLabel>
<useTls>true</useTls>
</Node>
</Nodes>

Result: The command returns a job id and a success message, as shown in
the following example:

Successfully started a job for configure LDAP operation. Perform 'secadm job get -j ac933cfc-0f5f-4971-980f-0b01f8ffdcec' to get progress info.

2. Get job progress info.

Enter the suggested command to get the job status:

secadm job get -j ac933cfc-0f5f-4971-980f-0b01f8ffdcec

In this example, the command gets the current status of the job:

Table 16
Job Id               : ac933cfc-0f5f-4971-980f-0b01f8ffdcec
Command              : LDAP_CONFIGURATION
Job User Id          : administrator
Job Status           : RUNNING
Job Start Date       : 2020-09-29 10:06:41
Job End Date         : N/A
Node Name            : LTE01dg2ERBS00040
Workflow Status      : RUNNING
Workflow Start Date  : 2020-09-29 10:06:41
Workflow Duration    : N/A
Workflow Details     : N/A
Workflow Result      : N/A

Note: — Repeat the get command until the Job Status is COMPLETED.

      — When the job is completed, check the Workflow Status to verify
        whether it finished successfully (SUCCESS) or with errors (ERROR).

For more detailed info, see online help.


8.2 LDAP Reconfiguration on Baseband Radio Node and 5GRadioNode

This task describes how to reconfigure the LDAP client configuration details
on Baseband Radio Nodes and 5GRadioNode when the nodes are managed
in ENM.

When the reconfigure LDAP action runs, the existing bindDN account (set
by the LDAP Configure command) is deleted and a new account and password are
set.

This covers the scenario in which a proxy agent account may have been
compromised: the network element can be reconfigured without the security
administrator first having to delete the account.

Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the NE defined.

— The nodes must have the credentials already defined.

— The nodes must be in SYNC status.

Steps

1. Reconfigure the LDAP Client.

Run the ENM CLI command:

secadm ldap reconfigure -xf file:LdapReconfiguration.xml

Note: The LDAP settings on the node can be verified with the command:

cmedit get <Node-FDN>

Example
LdapReconfiguration.xml

<?xml version="1.0" encoding="UTF-8"?>
<Nodes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="LdapConfigurationSchema.xsd">
<Node>
<nodeFdn>LTE01dg2ERBS00040</nodeFdn>
<tlsMode>STARTTLS</tlsMode>
<userLabel>Ldap Reconfiguration</userLabel>
<useTls>true</useTls>
</Node>
</Nodes>

Result: The command returns a job id and a success message, as shown in
the following example:

Successfully started a job for configure LDAP operation. Perform 'secadm job get -j ac933cfc-0f5f-4971-980f-0b01f8ffffff' to get progress info.

2. Get job progress info.

Enter the suggested command to get the job status:

secadm job get -j ac933cfc-0f5f-4971-980f-0b01f8ffffff

In this example, the command gets the current status of the job:

Table 17
Job Id               : ac933cfc-0f5f-4971-980f-0b01f8ffffff
Command              : LDAP_CONFIGURATION
Job User Id          : administrator
Job Status           : RUNNING
Job Start Date       : 2020-09-29 10:06:41
Job End Date         : N/A
Node Name            : LTE01dg2ERBS00040
Workflow Status      : RUNNING
Workflow Start Date  : 2020-09-29 10:06:41
Workflow Duration    : N/A
Workflow Details     : N/A
Workflow Result      : N/A

Note: — Repeat the get command until the Job Status is COMPLETED.

      — When the job is completed, check the Workflow Status to verify
        whether it finished successfully (SUCCESS) or with errors (ERROR).

For more detailed info, see online help.

8.3 LDAP Manual Configuration

This task describes how to retrieve the LDAP configuration details that are
applied manually on Baseband Radio Nodes and 5GRadioNode when the nodes are
not managed in ENM.

1. Retrieve the LDAP Configuration details.

Run the ENM CLI command with the manual option (--manual | --ml):

secadm ldap configure --manual

Result: The command response is:

PROPERTY                  VALUE
fallbackLdapIpv6Address   2001:1b70:82a1:0103::11
ldapIpv6Address           2001:1b70:82a1:0103::12
ldapsPort                 1636
tlsPort                   1389
ldapIpv4Address           192.168.0.129
fallbackLdapIpv4Address   192.168.0.130
bindDn                    cn=ProxyAccount_17,ou=Profiles,dc=apache,dc=com
baseDn                    dc=apache,dc=com
bindPassword              TLnH6ywUvNHWrAvdeHzZzswS

The response contains the proxy account password in clear text: handle the
output as a credential and do not leave it in shell history, logs, or tickets.

2. Configure the LDAP details on the node as described in section LDAP
Configuration on the Node on page 151.

8.4 Configure TLS Protocols and Disable Weak Ciphers for LDAP Secure Communications

To configure TLS protocol versions for LDAP secure communications, see the
section Configuration of TLS for OAM Communication on page 426.

To disable weak ciphers in LDAP communications, see the section Disable Weak
Ciphers in ENM on page 446.

8.5 LDAP Configuration for Router 6000 Family

Prerequisites

— Router6672, Router6675, Router6x71 node SW version must be 18A or
higher.

— Router6274 node SW version must be 18Q2 or higher.

— Router6273 node SW version must be 20Q1 or higher.

— Router6673 node SW version must be 21.Q3 or higher.

— The NetworkElementSecurity MO contains empty
ldapApplicationUserName and ldapApplicationUserPassword.

— Router6000 series nodes are in SYNC state.

— Online or offline security enrollment must be completed.

To perform online enrollment, see LDAP Configuration for Router 6000 Family on
page 281.

To perform offline enrollment, see E2E Offline Certificate Enrollment on Router
6000 Family on page 176.

Steps

1. Prerequisite verification:

a. Verify that the Ldap MO has not been configured yet (baseDn, bindDn,
and bindPassword are empty):

»cmedit get MeContext=<NodeName>,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
FDN : MeContext=NodeName,ManagedElement=NodeName,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
baseDn :
bindDn : null
bindPassword : {password=, cleartext=true}
fallbackLdapIpAddress : null
ldapId : 1
ldapIpAddress :
nodeCredential : null
profileFilter : null
serverPort : null
tlsMode : LDAPS
trustCategory : null
useReferrals : false
userLabel : null
useTls : true

b. Verify that LDAP authentication is not active:

»cmedit get MeContext=<NodeName>,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1
FDN : MeContext=RouterLDAP,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1
administrativeState : LOCKED
ldapAuthenticationMethodId : 1

c. Verify that the node is in Sync:

»cmedit get NetworkElement=<NodeName>,CmFunction=1
2. Configure LDAP:

a. Create an XML file (NodeName_ldapConfig_LDAPS.xml), using the
following template, to configure LDAP on the node from ENM:

<Nodes>
<Node>
<nodeFdn>NetworkElement=NodeName</nodeFdn>
<tlsMode>LDAPS</tlsMode>
<userLabel>ENM</userLabel>
<useTls>true</useTls>
</Node>
</Nodes>

b. Drag and drop the XML file created above into the ENM CLI app and
run the following command to configure LDAP:

secadm ldap configure --xmlfile file:"NodeName_ldapConfig_LDAPS.xml"

c. Verify that LDAP is correctly configured using the following
command:

»cmedit get MeContext=<NodeName>,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

d. Verify that the value of the profileFilter attribute is
ERICSSON_FILTER. If not, set it using the following command:

»cmedit set MeContext=<NodeName>,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1 profileFilter=ERICSSON_FILTER

e. Configure trustCategory and nodeCredential on the Ldap MO:

Note: Only if offline enrollment is performed.

»cmedit set MeContext=<NodeName>,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1 trustCategory=<fdn of trustCategory MO>
»cmedit set MeContext=<NodeName>,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1 nodeCredential=<fdn of node-credential MO>

f. Set the administrative state of the LdapAuthenticationMethod MO to
UNLOCKED to activate LDAP authentication on the node.

»cmedit set MeContext=<NodeName>,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1 administrativeState=UNLOCKED

3. Enable the LDAP user and toggle CM Supervision in ENM:

a. Stop CM Supervision:

»cmedit set NetworkElement=<NodeName>,CmNodeHeartbeatSupervision=1 active=false

b. Verify that the node is in UNSYNCHRONIZED state:

»cmedit get NetworkElement=<NodeName>,CmFunction=1

c. Enable ldapUser for the node so that ENM uses the
ldapApplicationUser for authentication purposes:

»secadm credentials update --ldapuser enable --nodelist <NodeName>

d. Verify that the ldapApplicationUserName and
ldapApplicationUserPassword fields are populated:

»cmedit get NetworkElement=<NodeName>,SecurityFunction=1,NetworkElementSecurity=1

e. Start CM Supervision:

»cmedit set NetworkElement=<NodeName>,CmNodeHeartbeatSupervision=1 active=true

f. Verify that the node is in SYNC status, which shows that LDAP
authentication on the node is successful:

»cmedit get NetworkElement=<NodeName>,CmFunction=1

8.6 Configure LDAP on (v)BSC Node in SSH

In the following examples, <nodename> is the name of the node, and
<ossprefix> is the configured OSS prefix of the node, as read with the following
ENM CLI command:

cmedit get <nodename> NetworkElement.ossPrefix

FDN : NetworkElement=<nodename>
ossPrefix : <ossprefix>

Prerequisites

— BSC node is SYNCHRONIZED.

— BSC node credentials created under ENM with Secure user equal to the BSC node
Troubleshooter (TS) user and empty ldapApplication user.

— The operator must have the NodeSecurity_Administrator role and the
Cmedit_Administrator role to access the ENM CLI.

Steps

1. Verify prerequisites (ENM CLI):

a. Verify that the node is SYNCHRONIZED:

cmedit get <nodename> CmFunction.syncStatus

b. Verify that node credentials have been created under ENM, with
Secure user equal to the node Troubleshooter (TS) user, with the
command:

secadm credentials get --plaintext show --nodelist <nodename>

secureUserName and secureUserPassword must match the node
TS username and password configured locally on the node.

Verify that the NetworkElementSecurity MO contains empty
ldapApplicationUserName and ldapApplicationUserPassword
with the command:

cmedit get <nodename> NetworkElementSecurity.(ldapApplicationUserName, ldapApplicationUserPassword)
FDN : NetworkElement=<nodename>,SecurityFunction=1,NetworkElementSecurity=1
ldapApplicationUserName :
ldapApplicationUserPassword :

Note: If the prerequisite verification above fails, secureUserName,
secureUserPassword, ldapApplicationUserName, and
ldapApplicationUserPassword must be set to the
correct values with the following commands:

Disable CM Heartbeat Supervision:

cmedit set NetworkElement=<nodename>,CmNodeHeartbeatSupervision=1 active=false

Verify that the node is UNSYNCHRONIZED:

cmedit get <nodename> CmFunction.syncStatus

Update the Secure user and ldapApplication user credentials:

secadm credentials update --secureusername <ts_username> --secureuserpassword <ts_password> --ldapuser disable --nodelist <nodename>

Enable CM Heartbeat Supervision:

cmedit set NetworkElement=<nodename>,CmNodeHeartbeatSupervision=1 active=true

Verify that the node is SYNCHRONIZED:

cmedit get <nodename> CmFunction.syncStatus

2. OAM Certificate Issue (ENM CLI):

a. Use the following file to issue the OAM certificate on the BSC node (put
the correct <nodename> inside the file).
Filename: <nodename>-OAM.xml

Template.xml

<?xml version="1.0" encoding="UTF-8"?>
<Nodes>
<Node>
<NodeFdn><nodename></NodeFdn>
</Node>
</Nodes>

b. Drag and drop the <nod
ename>-OAM.xml file onto the ENM CLI, then
run the following command:

»secadm certificate issue --certtype OAM --xmlfile file:"<nodename>-OAM.xml"

The following output must be displayed:

Successfully started a job to issue certificates for nodes. Perform 'secadm job get -j <jobId number>' to get progress info.

As described by the output of the command, run the suggested
command to monitor the workflow progress until the "Job Status" is
COMPLETED.

When the "Job Status" is COMPLETED, verify that, in the same
command output, the "Workflow Status" is SUCCESS.

3. Configure LDAP and set its Administrative State to UNLOCKED (ENM CLI):

a. Get the Ldap.bindDn attribute value:

cmedit get <nodename> Ldap.bindDn

FDN : SubNetwork=<ossprefix>,ManagedElement=<nodename>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
bindDn : <ldapBindDn>

The Ldap.bindDn value is used for further checks on the LDAP
configuration result.

b. Use the following file to configure LDAP (put the correct
<nodename> inside the file).
Filename: <nodename>_LDAPS.xml

Template.xml

<?xml version="1.0" encoding="UTF-8"?>
<Nodes>
<Node>
<nodeFdn>NetworkElement=<nodename></nodeFdn>
<tlsMode>LDAPS</tlsMode>
<userLabel>ENM</userLabel>
<useTls>true</useTls>
</Node>
</Nodes>

c. Drag and drop the <nodename>_LDAPS.xml file onto the ENM CLI,
then run the following command:

secadm ldap configure --xmlfile file:"<nodename>_LDAPS.xml"

d. Verify that LDAP is correctly configured:

cmedit get <nodename> Ldap.bindDn

The current Ldap.bindDn value must differ from the previous one.

e. Get the LDAP administrative state:

cmedit get <nodename> LdapAuthenticationMethod.administrativeState

If the administrativeState is LOCKED, set it to UNLOCKED:

cmedit set <ossprefix>,ManagedElement=<nodename>,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1 administrativeState=UNLOCKED

4. Disable CM Heartbeat Supervision (ENM CLI):

a. Stop the CM heartbeat supervision for the node:

cmedit set NetworkElement=<nodename>,CmNodeHeartbeatSupervision=1 active=false

b. Verify that the node is UNSYNCHRONIZED:

cmedit get <nodename> CmFunction.syncStatus

5. Update Node Credentials (ENM CLI):

a. Create (if not existing) a User Role named CpRole0 with Role Type
COM Role.

b. Create (if not existing) an ENM user to be used as Secure user.

The ENM user can be defined once in ENM and used as Secure user
for multiple BSC nodes.

The ENM user must have the following roles:

— SystemAdministrator

— SystemSecurityAdministrator

— EricssonSupport

— BscApplicationAdministrator

— SystemReadOnly

— CpRole0

For all the roles, the Target Group must be set to ALL.

The ENM user must have Password Aging disabled.

The ENM user must have Force Password Change disabled.

Because this account is long-lived and carries administrator roles, treat it
as a service account for the BSC secure-user function only and do not reuse
it for interactive logons.

c. Update the node credentials with the ldapApplication user enabled and
with the ENM user credentials as Secure user credentials:

secadm credentials update --secureusername <ENM User username> --secureuserpassword <ENM User password> --ldapuser enable --nodelist <nodename>

d. Verify that the node credentials have been updated under ENM with
Secure user equal to the ENM user, with the command:

secadm credentials get --plaintext show --nodelist <nodename>

secureUserName and secureUserPassword must match the ENM
user's username and password.

e. Verify that the ldapApplicationUserName and
ldapApplicationUserPassword fields are not empty:

cmedit get <nodename> NetworkElementSecurity.(ldapApplicationUserName, ldapApplicationUserPassword)
FDN : NetworkElement=<nodename>,SecurityFunction=1,NetworkElementSecurity=1
ldapApplicationUserName : <ldapApplication username>
ldapApplicationUserPassword : <ldapApplication password>

6. Enable CM Heartbeat Supervision (ENM CLI):

a. Start the CM heartbeat supervision for the node:

cmedit set NetworkElement=<nodename>,CmNodeHeartbeatSupervision=1 active=true

b. Verify that the node is SYNCHRONIZED:

cmedit get <nodename> CmFunction.syncStatus

Note: For more details on ldapApplicationUser, see the ENM CLI online
help for the following commands:

#help/app/cliapp/topic/syntax_secadm/credentials_create
#help/app/cliapp/topic/syntax_secadm/credentials_update

For more details on secure credentials, see section Node Credential
and Key Administrative Tasks on page 19.
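The following script is an added example for this guide, not ENM code. It turns the cmedit get checks of the Router 6000 procedure (8.5, steps 1 and 3) and the (v)BSC procedure (8.6, steps 1, 3 and 5) into two functions: ldap_prerequisites() confirms that the Ldap MO has no bindDn yet, that LdapAuthenticationMethod is LOCKED, that the NetworkElementSecurity ldapApplication attributes are empty and that the node is SYNCHRONIZED; ldap_result() confirms afterwards that bindDn was set to a new value, that the method is UNLOCKED, that the ldapApplication attributes are populated and that the node re-synchronized, optionally also that profileFilter is ERICSSON_FILTER as Router 6000 step 2d requires. The two cmedit outputs are constructed from the attribute names the guide prints; the node name RouterLDAP, the bindDn value, the masked password and all helper names are this example's own assumptions.

```python
"""Check a node's LDAP client state from `cmedit get` output, before and after
`secadm ldap configure` (the verification steps of the Router 6000 and (v)BSC
procedures). Added example for this guide, not ENM code: the two outputs are
constructed from the attribute names the guide prints; RouterLDAP, the bindDn,
the masked password and the helper names are this example's own.
"""
import re

ATTR_RE = re.compile(r"^([A-Za-z][\w.]*)\s*:\s*(.*)$")  # one "attr : value" line
EMPTY = ("", "null", None)                              # how cmedit renders "unset"

# Constructed: before configuration (step 1 of the Router 6000 procedure).
BEFORE = """\
FDN : MeContext=RouterLDAP,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
baseDn :
bindDn : null
profileFilter : null
useTls : true
FDN : MeContext=RouterLDAP,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1
administrativeState : LOCKED
FDN : NetworkElement=RouterLDAP,SecurityFunction=1,NetworkElementSecurity=1
ldapApplicationUserName :
ldapApplicationUserPassword :
FDN : NetworkElement=RouterLDAP,CmFunction=1
syncStatus : SYNCHRONIZED
"""

# Constructed: after steps 2 and 3 (bindDn set by ENM, method UNLOCKED,
# ldapuser enabled, CM supervision back on). The password is masked here.
AFTER = """\
FDN : MeContext=RouterLDAP,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
baseDn : dc=apache,dc=com
bindDn : cn=ProxyAccount_17,ou=Profiles,dc=apache,dc=com
profileFilter : ERICSSON_FILTER
useTls : true
FDN : MeContext=RouterLDAP,ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1
administrativeState : UNLOCKED
FDN : NetworkElement=RouterLDAP,SecurityFunction=1,NetworkElementSecurity=1
ldapApplicationUserName : ldapApplicationUser
ldapApplicationUserPassword : ********
FDN : NetworkElement=RouterLDAP,CmFunction=1
syncStatus : SYNCHRONIZED
"""


def parse_cmedit(text):
    """Return {fdn: {attribute: value}}; each 'FDN :' line starts a new MO."""
    mos, current = {}, None
    for raw in text.splitlines():
        m = ATTR_RE.match(raw.strip())
        if not m:
            continue
        attr, value = m.group(1), m.group(2).strip()
        if attr == "FDN":
            current = mos.setdefault(value, {})
        elif current is not None:
            current[attr] = value
    return mos


def mo(mos, suffix):
    """Attributes of the first MO whose FDN ends with `suffix`, or {} if absent."""
    return next((attrs for fdn, attrs in mos.items() if fdn.endswith(suffix)), {})


def ldap_prerequisites(mos):
    """Step 1: no bindDn yet, method LOCKED, ENM ldapApplication user empty, node synced."""
    ldap, method = mo(mos, ",Ldap=1"), mo(mos, ",LdapAuthenticationMethod=1")
    nes = mo(mos, ",NetworkElementSecurity=1")
    problems = []
    if ldap.get("bindDn") not in EMPTY:
        problems.append("Ldap.bindDn already set: " + ldap["bindDn"])
    if method.get("administrativeState") != "LOCKED":
        problems.append("LdapAuthenticationMethod is not LOCKED")
    for attr in ("ldapApplicationUserName", "ldapApplicationUserPassword"):
        if nes.get(attr) not in EMPTY:
            problems.append("NetworkElementSecurity.%s must be empty" % attr)
    if mo(mos, ",CmFunction=1").get("syncStatus") != "SYNCHRONIZED":
        problems.append("node is not SYNCHRONIZED")
    return problems


def ldap_result(before, after, require_profile_filter=True):
    """After steps 2-3: bindDn changed, method UNLOCKED, ldapApplication user set,
    node synced. profileFilter=ERICSSON_FILTER is Router 6000 step 2d; pass
    require_profile_filter=False for the (v)BSC procedure."""
    old_dn = mo(before, ",Ldap=1").get("bindDn")
    ldap, method = mo(after, ",Ldap=1"), mo(after, ",LdapAuthenticationMethod=1")
    nes = mo(after, ",NetworkElementSecurity=1")
    problems = []
    if ldap.get("bindDn") in EMPTY or ldap.get("bindDn") == old_dn:
        problems.append("Ldap.bindDn was not (re)set by ENM")
    if require_profile_filter and ldap.get("profileFilter") != "ERICSSON_FILTER":
        problems.append("Ldap.profileFilter is not ERICSSON_FILTER")
    if method.get("administrativeState") != "UNLOCKED":
        problems.append("LdapAuthenticationMethod is not UNLOCKED")
    for attr in ("ldapApplicationUserName", "ldapApplicationUserPassword"):
        if nes.get(attr) in EMPTY:
            problems.append("NetworkElementSecurity.%s is empty" % attr)
    if mo(after, ",CmFunction=1").get("syncStatus") != "SYNCHRONIZED":
        problems.append("node is not SYNCHRONIZED")
    return problems
```

Feed the pasted cmedit output of all four MOs to parse_cmedit() before and after the procedure, and call ldap_prerequisites(before) and ldap_result(before, after); an empty list means every check of the guide passed, anything else names the attribute that still needs attention. Comparing bindDn before and after is the same check as (v)BSC step 3d, and it is what tells a configure from a no-op.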

8.7 LDAP Support for EIR-FE/vEIR-FE (ESA-Based Node)

Note: The PM file collection on the node side, in the directory /home/eir/oam/
Performancemanagement/output, can only be accessed using the LDAP
username and password.

LDAP must be configured on the node before testing the features in ENM. User
management must be supported on the node.

For EIR-FE/vEIR-FE, to configure LDAP on the node, see LDAP Authentication
Configuration in the document EIR-FE System Administration Guide, Reference
[32].

This procedure must be verified on the node when integrated with ENM.

Use the following procedure to verify LDAP functionality from the ENM side.

1. Create a user in the User Management UI.

2. Add all the COM-based roles to the user:

Roles: Admin, Amos Admin, All COM roles (COM target all).

3. Set the username and password for the new user using the following command:

secadm credentials create --secureusername <username> --secureuserpassword <password> -n <nodename>

4. Log on to ENM as the user to test the EIR-FE/vEIR-FE features, when LDAP is
configured on the node.

5. Retrieve the LDAP configuration details using the following command in the
ENM CLI:

secadm ldap configure --manual

8.8 Downsize Proxy Account Password Length


This procedure can be applied in an emergency condition when a node does not
support a proxy account password length of 24 characters and the only way to
communicate through LDAP is to downsize the password length.

The proxy account password length must have 24 characters (default value) for
Machine to Machine (M2M) password complexity requirement.

Note: It is recommended to address the problem to the node so that this


supports a 24-character password as soon as possible.

Execute this procedure to have temporarily a proxy account for the node with the
supported password length.

Set the configuration parameter proxyAccountPwLen according to the procedure described in the section View and Modify Configuration Parameters on page 12.

Example for eight-character password length:

./config.py update --app_server_address=svc-3-secserv:8080 --name=proxyAccountPwLen --value=8

After the LDAP configuration on the node, the configuration parameter proxyAccountPwLen must be set back to 24 with the same procedure.

8.9 Renew Proxy Accounts


This procedure describes how to renew proxy accounts for all nodes with
Centralized LDAP Authentication and Authorization configured.

For such nodes, a new proxy account is created and configured and the old proxy
account, if any, can be deleted.

Prerequisites
— No auto provisioning procedure is ongoing.

— User has the list of the nodes which need to have a new proxy account.

— User has roles of NodeSecurity_Administrator and Cmedit_Administrator.

Steps

1. Get all proxy accounts from ENM.

secadm ldap proxy get --all


It returns a <file-name>.xml file as output that contains all the proxy accounts currently present.

Example
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<proxyAccountsData>
<proxyAccountsCounters>
<numOfProxyAccounts>4</numOfProxyAccounts>
<numOfRequestedProxyAccounts>4</numOfRequestedProxyAccounts>
<numOfLegacyProxyAccounts>4</numOfLegacyProxyAccounts>
<numOfRequestedLegacyProxyAccounts>4</numOfRequestedLegacyProxyAccounts>
</proxyAccountsCounters>
<proxyAccounts>
<proxyAccount>
<dn>cn=ProxyAccount_1,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<createDate>2022-12-15 08:50:57</createDate>
<lastLoginDate>2023-01-09 08:50:00</lastLoginDate>
</proxyAccount>
<proxyAccount>
<dn>cn=ProxyAccount_2,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<createDate>2022-12-16 09:51:00</createDate>
<lastLoginDate>2022-12-17 10:51:00</lastLoginDate>
</proxyAccount>
<proxyAccount>
<dn>cn=ProxyAccount_3,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<createDate>2022-12-16 09:52:57</createDate>
<lastLoginDate>NEVER</lastLoginDate>
</proxyAccount>
<proxyAccount>
<dn>cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<createDate>2022-12-16 12:01:22</createDate>
<lastLoginDate>2023-01-09 09:30:01</lastLoginDate>
</proxyAccount>
</proxyAccounts>
</proxyAccountsData>

2. List the proxy accounts used by Auto Provisioning and remove them from the
<file-name>.xml file.

a. Get all AutoProvisioningAccount managed objects.

cmedit get AutoProvisioningAccounts=1 AutoProvisioningAccount.userName

Example
FDN : AutoProvisioningAccounts=1,AutoProvisioningAccount=Router6672
userName : cn=ProxyAccount_2,ou=proxyagent,ou=com,dc=apache,dc=com
FDN : AutoProvisioningAccounts=1,AutoProvisioningAccount=RadioNode
userName : cn=ProxyAccount_1,ou=proxyagent,ou=com,dc=apache,dc=com
2 instance(s)

b. Remove the retrieved proxy accounts from the <file-name>.xml file.

cn=ProxyAccount_2,ou=proxyagent,ou=com,dc=apache,dc=com
cn=ProxyAccount_1,ou=proxyagent,ou=com,dc=apache,dc=com


Result: The resulting <file-name>.xml file is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<proxyAccountsData>
<proxyAccountsCounters>
<numOfProxyAccounts>4</numOfProxyAccounts>
<numOfRequestedProxyAccounts>4</numOfRequestedProxyAccounts>
<numOfLegacyProxyAccounts>4</numOfLegacyProxyAccounts>
<numOfRequestedLegacyProxyAccounts>4</numOfRequestedLegacyProxyAccounts>
</proxyAccountsCounters>
<proxyAccounts>
<proxyAccount>
<dn>cn=ProxyAccount_3,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<createDate>2022-12-16 09:52:57</createDate>
<lastLoginDate>NEVER</lastLoginDate>
</proxyAccount>
<proxyAccount>
<dn>cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<createDate>2022-12-16 12:01:22</createDate>
<lastLoginDate>2023-01-09 09:30:01</lastLoginDate>
</proxyAccount>
</proxyAccounts>
</proxyAccountsData>
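Step 2 can be carried out with the following Python script, an added example that is not part of the ENM guide or of the ENM product: it parses the XML file from step 1 and the cmedit output from step 2a, removes the referenced proxy accounts, and also lists any remaining account with a recent lastLoginDate, the "not used by any node" check that step 4 asks for. The sample XML and cmedit output are constructed after the guide's own examples.

```python
"""Filter the <file-name>.xml returned by 'secadm ldap proxy get --all'.

Added example, not part of the ENM guide or product: removes the proxy
accounts still referenced by AutoProvisioningAccount MOs (step 2) and flags
remaining accounts with a recent lastLoginDate before they are DISABLED.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"
XML_HEADER = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'

# Constructed sample in the shape of the guide's 'secadm ldap proxy get --all' output.
PROXY_XML = XML_HEADER + """<proxyAccountsData>
<proxyAccountsCounters>
<numOfProxyAccounts>4</numOfProxyAccounts>
<numOfRequestedProxyAccounts>4</numOfRequestedProxyAccounts>
<numOfLegacyProxyAccounts>4</numOfLegacyProxyAccounts>
<numOfRequestedLegacyProxyAccounts>4</numOfRequestedLegacyProxyAccounts>
</proxyAccountsCounters>
<proxyAccounts>
<proxyAccount>
<dn>cn=ProxyAccount_1,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<lastLoginDate>2023-01-09 08:50:00</lastLoginDate>
</proxyAccount>
<proxyAccount>
<dn>cn=ProxyAccount_2,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<lastLoginDate>2022-12-17 10:51:00</lastLoginDate>
</proxyAccount>
<proxyAccount>
<dn>cn=ProxyAccount_3,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<lastLoginDate>NEVER</lastLoginDate>
</proxyAccount>
<proxyAccount>
<dn>cn=ProxyAccount_4,ou=proxyagent,ou=com,dc=apache,dc=com</dn>
<adminStatus>ENABLED</adminStatus>
<lastLoginDate>2023-01-09 09:30:01</lastLoginDate>
</proxyAccount>
</proxyAccounts>
</proxyAccountsData>
"""

# Constructed sample of 'cmedit get AutoProvisioningAccounts=1 AutoProvisioningAccount.userName'.
CMEDIT_OUTPUT = """FDN : AutoProvisioningAccounts=1,AutoProvisioningAccount=Router6672
userName : cn=ProxyAccount_2,ou=proxyagent,ou=com,dc=apache,dc=com
FDN : AutoProvisioningAccounts=1,AutoProvisioningAccount=RadioNode
userName : cn=ProxyAccount_1,ou=proxyagent,ou=com,dc=apache,dc=com
2 instance(s)"""


def auto_provisioning_dns(cmedit_output):
    """Collect the proxy-account DNs referenced by AutoProvisioningAccount MOs."""
    dns = set()
    for line in cmedit_output.splitlines():
        match = re.match(r"\s*userName\s*:\s*(cn=\S+)", line)
        if match:
            dns.add(match.group(1))
    return dns


def remove_accounts(xml_text, dns_to_remove):
    """Drop every <proxyAccount> whose <dn> is in dns_to_remove; counters stay as in the guide."""
    root = ET.fromstring(xml_text)
    accounts = root.find("proxyAccounts")
    for acct in list(accounts.findall("proxyAccount")):
        if acct.findtext("dn") in dns_to_remove:
            accounts.remove(acct)
    return root


def recently_used(root, now_text, max_age_hours):
    """DNs whose lastLoginDate lies within max_age_hours of now_text: likely still used by a node."""
    now = datetime.strptime(now_text, DATE_FMT)
    limit = timedelta(hours=max_age_hours)
    hits = []
    for acct in root.iter("proxyAccount"):
        last = acct.findtext("lastLoginDate")
        if last != "NEVER" and now - datetime.strptime(last, DATE_FMT) <= limit:
            hits.append(acct.findtext("dn"))
    return hits


def to_xml_text(root):
    """Serialise the filtered tree for use with 'secadm ldap proxy set --xmlfile'."""
    return XML_HEADER + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    filtered = remove_accounts(PROXY_XML, auto_provisioning_dns(CMEDIT_OUTPUT))
    print(to_xml_text(filtered))
    # Constructed "current time"; use the real clock in practice.
    for dn in recently_used(filtered, "2023-01-09 12:00:00", 24):
        print("recent login, verify before disabling:", dn)
```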

3. Create a proxy account for each node and configure it on the node.
If the node is in CM Sync, see the procedure described in section LDAP
Configuration on Baseband Radio Node and 5GRadioNode on page 277.

If the node is not in CM Sync, see the procedure described in section LDAP
Manual Configuration on page 280.

Verify that the command is performed successfully for all nodes as described
in the previous procedures.

4. Set the administrative state of the proxy accounts to DISABLED.

To delete a proxy account, its administrative state must be set to DISABLED.

When a proxy account is DISABLED, authentication fails even when the correct credentials are provided.

The DISABLED status can be reverted, so, before deleting a proxy account, you can verify that it is not currently used by any node, avoiding the risk of permanently losing synchronization.

Run this command:

secadm ldap proxy set --admin-status DISABLED --xmlfile file:"<file-name>.xml"

See online help for the command response.

For each of the proxy accounts defined in the XML file, the administrative status is set to DISABLED.

For more info about the XML file structure, see online help.


Note: These proxy accounts must not be used by any node.

After this operation, wait for a reasonable period of time according to your use cases (for example, if you have performance management enabled, it could be about one or two ROP periods).

If one or more involved nodes have unexpectedly lost synchronization, verify the result of Step 3 on the nodes:

— If Step 3 was successfully performed but the synchronization is lost, stop the procedure and contact Ericsson Support.

— If Step 3 was not successfully performed and the synchronization is lost:

  — Set the administrative state back to ENABLED.

  secadm ldap proxy set --admin-status ENABLED --xmlfile file:"<file-name>.xml"

  See online help for the command response.

  — Repeat Step 3 for the nodes not successfully configured.

  — Perform Step 3 again.

  — In case of repeated issues or different exceptions, stop the procedure and contact Ericsson Support.

5. Delete the proxy accounts.

Note: This action cannot be reverted; the deleted proxy accounts cannot be restored.

Run this command:

secadm ldap proxy delete --xmlfile file:"<file-name>.xml"

See online help for the command response.


9 SNMP Administrative Tasks

The secadm snmp command allows the configuration of the SNMPv3 security parameters on the specified nodes:

— authnopriv: with authentication and without encryption.

— authpriv: with authentication and encryption.

— get: retrieve the SNMPv3 Auth Password and Priv Password in plain text and in encrypted mode.

Table 18
Level          Authentication   Encryption      Behavior
noauthnopriv   username         No              Uses a username match for authentication.
authnopriv     MD5 or SHA1      No              Provides authentication based on the MD5 or SHA1 algorithms.
authpriv       MD5 or SHA1      DES or AES128   Provides authentication based on the MD5 or SHA1 algorithms. In addition to authentication, provides DES or AES128 encryption algorithms.

For noauthnopriv, this task is not needed.

9.1 Configure SNMPv3


This procedure allows the configuration of the SNMPv3 security parameters on
the specified nodes:

— authnopriv

— authpriv

Actors
Node-Security Administrator, Action: snmp, Resource: authnopriv or authpriv.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].


Prerequisites

— The nodes must exist in the ENM.

— The nodes must have the SNMP version parameter set to SNMPv3 and the
correct security level.

— The nodes must have the credentials already defined.

Steps

1. Set the SNMPv3 security level.

secadm snmp

See online help for details.

Results
The SNMPv3 security parameters are correctly set on the NetworkElementSecurity MO for each node.

The NetworkElementSecurity MO is successfully configured for each node.


10 IPsec Administrative Tasks

Note: In ENM Geographical Redundancy deployments, the CA certificates of the Secondary ENM need to be installed on the nodes to ensure a smooth switchover of the nodes to the Secondary ENM.

The procedure to add the right CA certificates of the Secondary ENM to the node trusted CA certificates varies depending on the node type and enrollment type.

See the document ENM Geographical Redundancy User Guide, Reference [29] for further information (for example, see the section Extend Network Elements to Trust the Secondary ENM).

Example: For MSC nodes with OAM enrollment to the primary ENM, run the steps described in the section Add ENM CAs to MSC Node (MSC-BC-BSP, MSC-BC-IS, MSC-DB, and MSC-DB-BSP) on page 94 to download and install the CA certificates of the Secondary ENM onto the node. Similar steps must be executed for other node types and enrollment types.

10.1 IPsec Administration for Baseband Radio Nodes


This section describes how to enable and disable IPsec on Baseband 52XX and Baseband-T nodes using ENM CLI cmedit commands.

Three types of configurations can be enabled on Baseband 52XX and Baseband-T nodes. As part of IPsec activation, enrollment for the Security Gateway must be done. Certificates can be installed on the Security Gateway in two ways.

Generation of Certificates with CSR

Generate the CSR on the Security Gateway and use the CSR to get the certificate from the PKI system. See the section Offline Enrollment on Security Gateway with CSR on page 328 for more information.

Generation of Certificates without CSR

PKI generates the CSR and its certificate on behalf of the Security Gateway. See the section Offline Enrollment on Security Gateway without CSR on page 330 for more information.

Install trusted certificates on the Security Gateway to establish the IPsec setup. See the section Trust Distribution for Security Gateway on page 333 for information.

If the managed element is added under a SubNetwork, all commands must also include the SubNetwork in the FDN.

For example:

cmedit create SubNetwork=<subnetwork_name>,ManagedElement=<node_name>,Equipment=1,FieldReplaceableUnit=1 fieldReplaceableUnitId=1

If the configuration is of type IPv6 over IPv4 (IPv6 inner and IPv4 outer), use IPv6 MOs instead of IPv4 MOs for the inner router network and provide IPv6 addresses for the Dst, NextHop, and Security Gateway addresses. The following are sample commands to create the RouteTableIPv4Static and RouteTableIPv6Static MOs.

IPv4:

cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,RouteTableIPv4Static=1 routeTableIPv4StaticId=1

IPv6:

cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,RouteTableIPv6Static=1 routeTableIPv6StaticId=1

License Activation
As part of IPsec activation, activate the IPsec and VR licenses using the following commands. This applies to all the IPsec configurations.

cmedit create ManagedElement=<Node Name>,SystemFunctions=1,Lm=1,FeatureState=1 featureStateId=CXC4040004,featureState='ACTIVATED'

cmedit create ManagedElement=<Node Name>,SystemFunctions=1,Lm=1,FeatureState=1 featureStateId=CXC4011823,featureState='ACTIVATED'

See the three supported configurations:

— Enable IPsec Configuration A on page 313

— Enable IPsec Configuration B on page 314

— Enable IPsec Configuration C on page 315

To disable IPsec, see the section Disable IPsec on page 311.

To view the current IPsec configuration, see the section IPsec Current Configuration on Baseband Node on page 322.


10.1.1 Configure IPsec VPN and Inner Network

This task describes how to configure the IPsec VPN connection (a shared network for OAM and traffic) and the inner network required for the IPsec configuration.

1. Create the inner Router and IpsecTunnel MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=1 routerId=inner

cmedit create ManagedElement=<node_name>,Transport=1,Router=inner,IpsecTunnel=1 ipsecTunnelId=1,localAddress='ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1,AddressIPv4=1',remoteAddress='ManagedElement=<node_name>,Transport=1,Router=outer,PeerIPv4=segAddress'

2. Create Ikev2Session and IpsecPolicy MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=inner,IpsecTunnel=1,Ikev2Session=1 ikev2SessionId=1,ikev2PolicyProfile='ManagedElement=<node_name>,Transport=1,Ikev2PolicyProfile=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=inner,IpsecTunnel=1,IpsecPolicy=1 ipsecPolicyId=1,ipsecProposalProfile='ManagedElement=<node_name>,Transport=1,IpsecProposalProfile=1'

3. Create InterfaceIPv4 and AddressIPv4 MOs.

Set the address attribute of the AddressIPv4 MO to the node inner IP address, for example, 192.168.100.10/32.

cmedit create ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1 interfaceIPv4Id=1,encapsulation='ManagedElement=<node_name>,Transport=1,Router=inner,IpsecTunnel=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1 addressIPv4Id=1,address='%address_inner%'

4. Create RouteTableIPv4Static and Dst MOs.

Set the dst attribute of the Dst MO to the default route address.

cmedit create ManagedElement=<node_name>,Transport=1,Router=inner,RouteTableIPv4Static=1 routeTableIPv4StaticId=1
cmedit create ManagedElement=<node_name>,Transport=1,Router=inner,RouteTableIPv4Static=1,Dst=1 dstId=1,dst='0.0.0.0/0'

5. Create NextHop and DnsClient MOs.

Set the serverAddress attribute of the DnsClient MO to the DNS server addresses, for example, ['2.3.4.5'] (for a single DNS server) or ['1.1.2.34', '4.5.6.7'] (for multiple DNS servers).

cmedit create ManagedElement=<node_name>,Transport=1,Router=inner,RouteTableIPv4Static=1,Dst=1,NextHop=1 nextHopId=1,reference='ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1'

cmedit create ManagedElement=<node_name>,Transport=1,Router=inner,DnsClient=1 dnsClientId=1,serverAddress=['2.3.4.5']

6. Check whether the SctpProfile MO exists under the Transport MO.

cmedit get <node_name> Transport.transportId,*

If the SctpProfile MO exists, do not create it; otherwise, create the SctpProfile MO using the following command.

cmedit create ManagedElement=<node_name>,Transport=1,SctpProfile=1 sctpProfileId=1

Note: After completion of this step, ensure that the operationalState attribute of the Ikev2Session MO is ENABLED. Only then continue with the following steps.

7. Set the reference for the accessPoint attribute, which is under the OamAccessPoint MO.

cmedit set ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1 accessPoint='ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1'

After changing the accessPoint reference to the node inner address, set the ComConnectivityInformation:

cmedit set NetworkElement=<node_name>,ComConnectivityInformation=1 ipAddress="<node_inner_address>"

8. Sync the node and check the sync status. The node must be in SYNCHRONIZED state.

cmedit action NetworkElement=<node_name>,CmFunction=1 sync
cmedit get NetworkElement=<node_name>,CmFunction=1

9. Check whether the SctpEndpoint MO exists under the Transport MO.

cmedit get <node_name> Transport.transportId,*

10. Set the localIpaddress attribute to the node inner IP address, if the SctpEndpoint MO exists.

cmedit set ManagedElement=<node_name>,Transport=1,SctpEndpoint=1 localIpaddress=['ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1']

Otherwise, create the SctpEndpoint MO. Set %portNumber% to the local port number for the SCTP endpoint (range 1..65535).

cmedit create ManagedElement=<node_name>,Transport=1,SctpEndpoint=1 sctpEndpointId=1,localIpaddress=['ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1'],portNumber=%portNumber%,sctpProfile='ManagedElement=<node_name>,Transport=1,SctpProfile=1'

Set the references for the upIpAddressRef and sctpRef attributes under the ENodeBFunction MO.

cmedit set ManagedElement=<node_name>,ENodeBFunction=1 upIpAddressRef='ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1',sctpRef='ManagedElement=<node_name>,Transport=1,SctpEndpoint=1'

Results
IPsec VPN connection must be established after the configuration of inner
network.
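The following Python function is an added example, not part of the ENM guide or of the ENM product: it generates steps 1 to 5 of this procedure for a given node, applying the two rules from the section introduction, namely that a node under a SubNetwork needs the SubNetwork in every FDN and that an IPv6-inner configuration uses the IPv6 MOs and IPv6 addresses for the inner router. It assumes that the outer router references stay IPv4 MOs (IPv6 over IPv4), that '::/0' is the IPv6 default route, and its parameter names are its own.

```python
"""Generate the cmedit commands of 'Configure IPsec VPN and Inner Network'.

Added example, not from the ENM guide or from Ericsson. Assumptions: the
outer router references remain IPv4 MOs (IPv6 over IPv4), '::/0' is used as
the IPv6 default route, and steps 6 to 10 of the procedure are not generated.
"""
import ipaddress


def me_fdn(node, subnetwork=None):
    """ManagedElement FDN, prefixed with the SubNetwork when the node sits under one."""
    prefix = f"SubNetwork={subnetwork}," if subnetwork else ""
    return f"{prefix}ManagedElement={node}"


def inner_network_commands(node, inner_address, dns_servers, subnetwork=None):
    """Return steps 1 to 5 of the procedure as an ordered list of cmedit commands.

    inner_address is the node inner address with prefix (e.g. 192.168.100.10/32);
    its family (4 or 6) selects the inner-router MO types and the default route.
    """
    inner = ipaddress.ip_interface(inner_address)  # ValueError on a malformed address
    dns = [ipaddress.ip_address(s) for s in dns_servers]
    if not dns:
        raise ValueError("at least one DNS server address is required")
    if any(d.version != inner.version for d in dns):
        raise ValueError("DNS server addresses must be in the inner address family")

    v = inner.version
    tr = f"{me_fdn(node, subnetwork)},Transport=1"
    outer_addr = f"{tr},Router=outer,InterfaceIPv4=1,AddressIPv4=1"  # outer stays IPv4
    rin = f"{tr},Router=inner"
    tunnel = f"{rin},IpsecTunnel=1"
    iface = f"{rin},InterfaceIPv{v}=1"
    rtable = f"{rin},RouteTableIPv{v}Static=1"
    default_route = "0.0.0.0/0" if v == 4 else "::/0"
    dns_list = "[" + ", ".join(f"'{d}'" for d in dns) + "]"

    return [
        # 1. inner Router and IpsecTunnel (local = outer address, remote = SEG peer)
        f"cmedit create {tr},Router=1 routerId=inner",
        f"cmedit create {tunnel} ipsecTunnelId=1,localAddress='{outer_addr}',"
        f"remoteAddress='{tr},Router=outer,PeerIPv4=segAddress'",
        # 2. Ikev2Session and IpsecPolicy referencing the node-level profiles
        f"cmedit create {tunnel},Ikev2Session=1 ikev2SessionId=1,"
        f"ikev2PolicyProfile='{tr},Ikev2PolicyProfile=1'",
        f"cmedit create {tunnel},IpsecPolicy=1 ipsecPolicyId=1,"
        f"ipsecProposalProfile='{tr},IpsecProposalProfile=1'",
        # 3. InterfaceIPvX encapsulated in the tunnel, and its AddressIPvX
        f"cmedit create {iface} interfaceIPv{v}Id=1,encapsulation='{tunnel}'",
        f"cmedit create {iface},AddressIPv{v}=1 addressIPv{v}Id=1,address='{inner}'",
        # 4. RouteTableIPvXStatic and the default-route Dst
        f"cmedit create {rtable} routeTableIPv{v}StaticId=1",
        f"cmedit create {rtable},Dst=1 dstId=1,dst='{default_route}'",
        # 5. NextHop over the inner interface, and DnsClient
        f"cmedit create {rtable},Dst=1,NextHop=1 nextHopId=1,reference='{iface}'",
        f"cmedit create {rin},DnsClient=1 dnsClientId=1,serverAddress={dns_list}",
    ]


if __name__ == "__main__":
    for cmd in inner_network_commands("RadioNode01", "192.168.100.10/32", ["2.3.4.5"]):
        print(cmd)
```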

10.1.2 Configure Outer Network

This task describes the steps required to configure the outer network.

1. Create outer Router MO.

cmedit create ManagedElement=<node_name>,Transport=1,Router=1 routerId=outer

2. Check whether the VlanPort MO exists under transport MO.

cmedit get <node_name> Transport.transportId,*

3. Create a VlanPort MO for the outer network, if the VlanPort MO exists.

Also create the InterfaceIPv4 MO and set its encapsulation attribute to the newly created VlanPort MO using the following commands.

cmedit create ManagedElement=<node_name>,Transport=1,VlanPort=1 vlanPortId=%vlanPortId%,vlanId=%vlan_id%,encapsulation='ManagedElement=<node_name>,Transport=1,EthernetPort=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1 interfaceIPv4Id=1,encapsulation='ManagedElement=<node_name>,Transport=1,VlanPort=1'

Otherwise, create the InterfaceIPv4 MO and set its encapsulation attribute to the EthernetPort MO using the following command:

cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1 interfaceIPv4Id=1,encapsulation='ManagedElement=<node_name>,Transport=1,EthernetPort=1'

4. Create AddressIPv4 and RouteTableIPv4Static MOs.

Set the address attribute of the AddressIPv4 MO to A1/P1, for example, 1.2.3.4/28.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1,AddressIPv4=1 addressIPv4Id=1,address=<A1/P1>
cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,RouteTableIPv4Static=1 routeTableIPv4StaticId=1

5. Create Dst MO.

Set the dst attribute to the default route address.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,RouteTableIPv4Static=1,Dst=1 dstId=1,dst='0.0.0.0/0'

6. Create NextHop MO.

Set the address attribute to the address of the default router, for example, 1.2.3.4.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,RouteTableIPv4Static=1,Dst=1,NextHop=1 nextHopId=1,address='1.2.3.4'

7. Create PeerIPv4 MO.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,PeerIPv4=1 peerIPv4Id=segAddress,address='5.6.7.8'

Results
Outer network required for IPsec configuration must be configured successfully.

10.1.3 Configure Outer Network for OAM

This task describes detailed steps to configure the outer network for OAM
required for IPsec configuration.

1. Create the outerOam Router MO.

cmedit create ManagedElement=<node_name>,Transport=1,Router=1 routerId=outerOam

2. Create the VlanPort MO.

Set %vlan_oam% to the VLAN id of the OAM outer network. The encapsulation attribute refers to the EthernetPort MO created under the Transport MO.

cmedit create ManagedElement=<node_name>,Transport=1,VlanPort=1 vlanPortId=Oam,vlanId=%vlan_oam%,encapsulation='ManagedElement=<node_name>,Transport=1,EthernetPort=1'

3. Create the InterfaceIPv4 MO.

The encapsulation attribute refers to the VlanPort MO created under the Transport MO.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outerOam,InterfaceIPv4=1 interfaceIPv4Id=1,encapsulation='ManagedElement=<node_name>,Transport=1,VlanPort=Oam'

4. Create AddressIPv4 and RouteTableIPv4Static MOs.

Set the AddressIPv4 address attribute to A1/P1, for example, 1.2.3.4/28.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outerOam,InterfaceIPv4=1,AddressIPv4=1 addressIPv4Id=1,address=<A1/P1>
cmedit create ManagedElement=<node_name>,Transport=1,Router=outerOam,RouteTableIPv4Static=1 routeTableIPv4StaticId=1

5. Create Dst MO.

Set the dst attribute to the default route address.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outerOam,RouteTableIPv4Static=1,Dst=1 dstId=1,dst='0.0.0.0/0'

6. Create NextHop MO.

Set the %address_default_router_oam% value to the address of the default router, for example, 1.2.3.4.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outerOam,RouteTableIPv4Static=1,Dst=1,NextHop=1 nextHopId=1,address='%address_default_router_oam%'

Results
Outer network must be configured for OAM successfully.

10.1.4 Configure Outer Network for UPCP

This task describes how to configure the outer network for UPCP for IPsec
configuration.

1. Create the outerUpCp Router MO.

cmedit create ManagedElement=<node_name>,Transport=1,Router=1 routerId=outerUpCp

2. Create the VlanPort MO. Set %vlan_upcp% to the VLAN id of the outer network.

The encapsulation attribute refers to the EthernetPort MO created under the Transport MO.

cmedit create ManagedElement=<node_name>,Transport=1,VlanPort=1 vlanPortId=UpCp,vlanId=%vlan_upcp%,encapsulation='ManagedElement=<node_name>,Transport=1,EthernetPort=1'

3. Create the InterfaceIPv4 MO.

The encapsulation attribute refers to the VlanPort MO created under the Transport MO.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outerUpCp,InterfaceIPv4=1 interfaceIPv4Id=1,encapsulation='ManagedElement=<node_name>,Transport=1,VlanPort=UpCp'

4. Create AddressIPv4 and RouteTableIPv4Static MOs.

Set the AddressIPv4 MO address attribute to A5/P2, for example, 1.2.3.4/28.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outerUpCp,InterfaceIPv4=1,AddressIPv4=1 addressIPv4Id=1,address=<A5/P2>
cmedit create ManagedElement=<node_name>,Transport=1,Router=outerUpCp,RouteTableIPv4Static=1 routeTableIPv4StaticId=1

5. Create Dst MO. Set the dst attribute to the default route address.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outerUpCp,RouteTableIPv4Static=1,Dst=1 dstId=1,dst='0.0.0.0/0'

6. Create NextHop MO.

Set the %address_default_router_upcp% value to the address of the default router, for example, 1.2.3.4.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outerUpCp,RouteTableIPv4Static=1,Dst=1,NextHop=1 nextHopId=1,address='%address_default_router_upcp%'

Results
Outer network must be configured for UPCP successfully.

10.1.5 Configure Physical Interfaces

1. Create FieldReplaceableUnit and TnPort MOs using the following commands:

cmedit create ManagedElement=<node_name>,Equipment=1,FieldReplaceableUnit=1 fieldReplaceableUnitId=1
cmedit create ManagedElement=<node_name>,Equipment=1,FieldReplaceableUnit=1,TnPort=1 tnPortId=1

2. Create the EthernetPort MO using the following command.

The EthernetPort MO must reference the physical TN port and match the TN port configured in the site equipment file.

cmedit create ManagedElement=<node_name>,Transport=1,EthernetPort=1 encapsulation='ManagedElement=<node_name>,Equipment=1,FieldReplaceableUnit=1,TnPort=1',ethernetPortId=1,administrativeState=UNLOCKED

Results
Physical interfaces must be configured successfully.

10.1.6 Configure IPsec VPN and Inner Network for OAM

This task describes detailed steps to configure IPsec VPN connection and
inner network for OAM.

1. Create PeerIPv4 MO.

Set the address attribute to the Operation and Maintenance (OAM) Security Gateway outer address, for example, 192.168.100.10.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,PeerIPv4=1 peerIPv4Id=segOamAddress,address='%seg_address_oam%'

2. Create innerOam Router and IpsecTunnel MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=1 routerId=innerOam
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1 ipsecTunnelId=1,localAddress='ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1,AddressIPv4=1',remoteAddress='ManagedElement=<node_name>,Transport=1,Router=outer,PeerIPv4=segOamAddress'

3. Create Ikev2Session and IpsecPolicy MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1,Ikev2Session=1 ikev2SessionId=1,ikev2PolicyProfile='ManagedElement=<node_name>,Transport=1,Ikev2PolicyProfile=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1,IpsecPolicy=1 ipsecPolicyId=1,ipsecProposalProfile='ManagedElement=<node_name>,Transport=1,IpsecProposalProfile=1'

4. Create InterfaceIPv4 and AddressIPv4 MOs.

Set the address attribute of the AddressIPv4 MO to the node inner OAM address, for example, 192.168.100.10/32.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,InterfaceIPv4=1 interfaceIPv4Id=1,encapsulation='ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,InterfaceIPv4=1,AddressIPv4=1 addressIPv4Id=1,address='%address_inner%'

5. Create RouteTableIPv4Static and Dst MOs.

Set the dst attribute of the Dst MO to the default route address.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,RouteTableIPv4Static=1 routeTableIPv4StaticId=1
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,RouteTableIPv4Static=1,Dst=1 dstId=1,dst='0.0.0.0/0'

6. Create NextHop and DnsClient MOs.

Set the serverAddress attribute of the DnsClient MO to the DNS server addresses, for example, ['2.3.4.5'] (for a single DNS server) or ['1.1.2.34', '4.5.6.7'] (for multiple DNS servers).

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,RouteTableIPv4Static=1,Dst=1,NextHop=1 nextHopId=1,reference='ManagedElement=<node_name>,Transport=1,Router=innerOam,InterfaceIPv4=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,DnsClient=1 dnsClientId=1,serverAddress=['%ServerAddress_dns%']

Note: After completion of this step, make sure that the operationalState attribute of the Ikev2Session MO is ENABLED. Only then continue with the following steps.

7. Set the reference for the accessPoint attribute, which is under the OamAccessPoint MO.

cmedit set ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1 accessPoint='ManagedElement=<node_name>,Transport=1,Router=innerOam,InterfaceIPv4=1,AddressIPv4=1'

After changing the accessPoint reference to the node inner address, set the ComConnectivityInformation by using the following command.

cmedit set NetworkElement=<node_name>,ComConnectivityInformation=1 ipAddress="<node_inner_address>"

8. Sync the node and check the sync status by using the following commands.

cmedit action NetworkElement=<node_name>,CmFunction=1 sync
cmedit get NetworkElement=<node_name>,CmFunction=1

Results
IPsec VPN connection must be established after the configuration of OAM inner
network.


10.1.7 Configure IPsec VPN and Inner Network for OAM with Different VLAN

This task describes detailed steps to configure the IPsec VPN connection
and inner network for OAM when different VLANs are used for OAM and
UPCP.

1. Create PeerIPv4 MO.

Set the address attribute to the Operation and Maintenance (OAM) Security Gateway outer address, for example, 192.168.100.10.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,PeerIPv4=1 peerIPv4Id=segOamAddress,address='%seg_address_oam%'

2. Create innerOam Router and IpsecTunnel MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=1 routerId=innerOam
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1 ipsecTunnelId=1,localAddress='ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1,AddressIPv4=1',remoteAddress='ManagedElement=<node_name>,Transport=1,Router=outer,PeerIPv4=segOamAddress'

3. Create Ikev2Session and IpsecPolicy MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1,Ikev2Session=1 ikev2SessionId=1,ikev2PolicyProfile='ManagedElement=<node_name>,Transport=1,Ikev2PolicyProfile=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1,IpsecPolicy=1 ipsecPolicyId=1,ipsecProposalProfile='ManagedElement=<node_name>,Transport=1,IpsecProposalProfile=1'

4. Create InterfaceIPv4 and AddressIPv4 MOs.

Set the address attribute of the AddressIPv4 MO to the node inner OAM address, for example, 192.168.100.10/32.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,InterfaceIPv4=1 interfaceIPv4Id=1,encapsulation='ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,InterfaceIPv4=1,AddressIPv4=1 addressIPv4Id=1,address='%address_inner%'

5. Create RouteTableIPv4Static and Dst MOs.

Set the dst attribute of the Dst MO to the default route address.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,RouteTableIPv4Static=1 routeTableIPv4StaticId=1
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,RouteTableIPv4Static=1,Dst=1 dstId=1,dst='0.0.0.0/0'


6. Create NextHop and DnsClient MOs.

Set the serverAddress attribute of the DnsClient MO to the DNS server addresses, for example, ['2.3.4.5'] (for a single DNS server) or ['1.1.2.34', '4.5.6.7'] (for multiple DNS servers).

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,RouteTableIPv4Static=1,Dst=1,NextHop=1 nextHopId=1,reference='ManagedElement=<node_name>,Transport=1,Router=innerOam,InterfaceIPv4=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,DnsClient=1 dnsClientId=1,serverAddress=['%ServerAddress_dns%']

Note: After completion of this step, make sure that the operationalState attribute of the Ikev2Session MO is ENABLED. Only then continue with the following steps.

7. Set the reference for the accessPoint attribute, which is under the OamAccessPoint MO.

cmedit set ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1 accessPoint='ManagedElement=<node_name>,Transport=1,Router=innerOam,InterfaceIPv4=1,AddressIPv4=1'

After changing the accessPoint reference to the node inner address, set the ComConnectivityInformation by using the following command.

cmedit set NetworkElement=<node_name>,ComConnectivityInformation=1 ipAddress="<node_inner_address>"

8. Sync the node and check the sync status by using the following commands. The node must be in SYNCHRONIZED state.

cmedit action NetworkElement=<node_name>,CmFunction=1 sync
cmedit get NetworkElement=<node_name>,CmFunction=1

Results
IPsec VPN connection for OAM must be established after configuration of inner
network with different VLAN for OAM.

10.1.8 Configure IPsec VPN and Inner Network for UP/CP

This task describes how to configure IPsec VPN connection and inner
network for User Plane and Control Plane (UP and CP).

1. Create PeerIPv4 MO.

Set the address attribute to UP/CP traffic Security Gateway outer address.
For example, 5.6.7.8.


cmedit create ManagedElement=<node_name>,Transport=1,Router=outer,PeerIPv4=1 peerIPv4Id=segUpCpAddress,address='%seg_address_upcp%'

2. Create innerUpCp Router and IpsecTunnel MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1 ipsecTunnelId=1,localAddress='ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1,AddressIPv4=1',remoteAddress='ManagedElement=<node_name>,Transport=1,Router=outer,PeerIPv4=segUpCpAddress'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1 ipsecTunnelId=1,localAddress='ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1,AddressIPv4=1',remoteAddress='ManagedElement=<node_name>,Transport=1,Router=outer,PeerIPv4=segOamAddress'

3. Create Ikev2Session and IpsecPolicy MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1,Ikev2Session=1 ikev2SessionId=1,ikev2PolicyProfile='ManagedElement=<node_name>,Transport=1,Ikev2PolicyProfile=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1,IpsecPolicy=1 ipsecPolicyId=1,ipsecProposalProfile='ManagedElement=<node_name>,Transport=1,IpsecProposalProfile=1'

4. Create InterfaceIPv4 and AddressIPv4 MOs.

Set the address attribute of the AddressIPv4 MO to the node inner user or control
plane address. For example, 192.168.100.10/32.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,InterfaceIPv4=1 interfaceIPv4Id=1,encapsulation='ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1'

5. Create RouteTableIPv4Static MO.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,RouteTableIPv4Static=1 routeTableIPv4StaticId=1

6. Create Dst MO. Set the dst attribute to the default route address.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,RouteTableIPv4Static=1,Dst=1 dstId=1,dst='0.0.0.0/0'

7. Create NextHop MO.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,RouteTableIPv4Static=1,Dst=1,NextHop=1 nextHopId=1,reference='ManagedElement=<node_name>,Transport=1,Router=innerUpCp,InterfaceIPv4=1'

8. Check whether the SctpProfile MO exists under the Transport MO by using
the following command.

cmedit get <node_name> Transport.transportId,*


9. If the SctpProfile MO exists, do not create it; otherwise create the
SctpProfile MO using the following command.

cmedit create ManagedElement=<node_name>,Transport=1,SctpProfile=1 sctpProfileId=1

10. Check whether the SctpEndpoint MO exists under the Transport MO by using
the following command.

cmedit get <node_name> Transport.transportId,*

11. If the SctpEndpoint MO exists, set its localIpaddress attribute to the node
inner IP address.

cmedit set ManagedElement=<node_name>,Transport=1,SctpEndpoint=1 localIpaddress=['ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1']

Otherwise create the SctpEndpoint MO. Set %portNumber% to the local port
number for the SCTP endpoint, in the range {1..65535}.

cmedit create ManagedElement=<node_name>,Transport=1,SctpEndpoint=1 sctpEndpointId=1,localIpaddress=['ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1'],portNumber=%portNumber%,sctpProfile='ManagedElement=<node_name>,Transport=1,SctpProfile=1'

12. Set the references for the upIpAddressRef and sctpRef attributes under the
ENodeBFunction MO.

cmedit set ManagedElement=<node_name>,ENodeBFunction=1 upIpAddressRef='ManagedElement=<node_name>,Transport=1,Router=innerUpCp,InterfaceIPv4=1,AddressIPv4=1',sctpRef='ManagedElement=<node_name>,Transport=1,SctpEndpoint=1'

Results
IPsec VPN connection for UP and CP must be established after the configuration
of inner network for UP and CP.

10.1.9 Configure IPsec VPN and Inner Network for UP/CP with Different VLAN

This task describes how to configure the IPsec VPN connection and inner
network for UPCP with a different VLAN.

1. Create PeerIPv4 MO.

Set the address attribute to the user plane/control plane Security Gateway outer
address. For example, 192.168.100.10.

cmedit create ManagedElement=<node_name>,Transport=1,Router=outerUpCp,PeerIPv4=1 peerIPv4Id=segUpCpAddress,address='%seg_address_upcp%'


2. Create innerUpCp Router and IpsecTunnel MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=1 routerId=innerUpCp
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1 ipsecTunnelId=1,localAddress='ManagedElement=<node_name>,Transport=1,Router=outerUpCp,InterfaceIPv4=1,AddressIPv4=1',remoteAddress='ManagedElement=<node_name>,Transport=1,Router=outerUpCp,PeerIPv4=segUpCpAddress'

3. Create Ikev2Session and IpsecPolicy MOs.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1,Ikev2Session=1 ikev2SessionId=1,ikev2PolicyProfile='ManagedElement=<node_name>,Transport=1,Ikev2PolicyProfile=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1,IpsecPolicy=1 ipsecPolicyId=1,ipsecProposalProfile='ManagedElement=<node_name>,Transport=1,IpsecProposalProfile=1'

4. Create InterfaceIPv4 and AddressIPv4 MOs.

Set the address attribute of the AddressIPv4 MO to the node inner UPCP address.
For example, 192.168.100.10/32.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,InterfaceIPv4=1 interfaceIPv4Id=1,encapsulation='ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1'
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,InterfaceIPv4=1,AddressIPv4=1 addressIPv4Id=1,address='%address_inner%'

5. Create RouteTableIPv4Static and Dst MOs.

Set the dst attribute of the Dst MO to the default route address.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerOam,RouteTableIPv4Static=1 routeTableIPv4StaticId=1
cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,RouteTableIPv4Static=1,Dst=1 dstId=1,dst='0.0.0.0/0'

6. Create NextHop MO.

cmedit create ManagedElement=<node_name>,Transport=1,Router=innerUpCp,RouteTableIPv4Static=1,Dst=1,NextHop=1 nextHopId=1,reference='ManagedElement=<node_name>,Transport=1,Router=innerUpCp,InterfaceIPv4=1'

7. Check whether the SctpProfile MO exists under the Transport MO by
using the following command.

cmedit get <node_name> Transport.transportId,*

If the SctpProfile MO exists, do not create it; otherwise create the
SctpProfile MO using the following command.


cmedit create ManagedElement=<node_name>,Transport=1,SctpProfile=1 sctpProfileId=1

8. Check whether the SctpEndpoint MO exists under the Transport MO by
using the following command.

cmedit get <node_name> Transport.transportId,*

If the SctpEndpoint MO exists, set its localIpaddress attribute to the node inner
IP address using the following command.

cmedit set ManagedElement=<node_name>,Transport=1,SctpEndpoint=1 localIpaddress=['ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1']

Otherwise create the SctpEndpoint MO. Set %portNumber% to the local port
number for the SCTP endpoint, in the range {1..65535}.

cmedit create ManagedElement=<node_name>,Transport=1,SctpEndpoint=1 sctpEndpointId=1,localIpaddress=['ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1'],portNumber=%portNumber%,sctpProfile='ManagedElement=<node_name>,Transport=1,SctpProfile=1'

9. Set the references for the upIpAddressRef and sctpRef attributes under the
ENodeBFunction MO.

cmedit set ManagedElement=<node_name>,ENodeBFunction=1 upIpAddressRef='ManagedElement=<node_name>,Transport=1,Router=innerUpCp,InterfaceIPv4=1,AddressIPv4=1',sctpRef='ManagedElement=<node_name>,Transport=1,SctpEndpoint=1'

Results
IPsec VPN connection for UPCP must be established after configuring the inner
network for UPCP with different VLAN.

10.1.10 Disable IPsec

This procedure describes how to disable IPsec on Baseband nodes.

Actors
Authorized for: Cmedit_Administrator

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].


Prerequisites
IPsec must be activated on the node with either Configuration A, B, or C.

Note: If the managed element is added under SubNetwork, all commands
must include SubNetwork also in the FDN.

For example,

cmedit set SubNetwork=<subnetwork_name>,ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1 accessPoint='ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1,AddressIPv4=1'

Steps

1. Change the OamAccessPoint address reference to the outer address.

cmedit set ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1 accessPoint='ManagedElement=<node_name>,Transport=1,Router=outer,InterfaceIPv4=1,AddressIPv4=1'

2. After changing the accessPoint reference to the node outer address, set the
ComConnectivityInformation by using the following command:

cmedit set NetworkElement=<node_name>,ComConnectivityInformation=1 ipAddress="<node_outer_address>"

3. Sync the node running the command:

cmedit action NetworkElement=<node_name>,CmFunction=1 sync

4. Check the sync status. Node must be in SYNCHRONIZED state.

cmedit get NetworkElement=<node_name>,CmFunction=1

Once the node comes to SYNCHRONIZED state, all O&M communication flows
from outer network instead of IPsec VPN for O&M.

5. If the user wants to activate IPsec again, change the OamAccessPoint address
reference to the node inner address.

cmedit set ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1 accessPoint='ManagedElement=<node_name>,Transport=1,Router=inner,InterfaceIPv4=1,AddressIPv4=1'

6. Set the ComConnectivityInformation, after changing the accessPoint
reference to the node inner address.


cmedit set NetworkElement=<node_name>,ComConnectivityInformation=1 ipAddress="<node_inner_address>"

7. Sync the node.

cmedit action NetworkElement=<node_name>,CmFunction=1 sync

8. Check the sync status. Node must be in SYNCHRONIZED state.

cmedit get NetworkElement=<node_name>,CmFunction=1

Once the node comes to SYNCHRONIZED state, all O&M communication flows
from IPsec VPN instead of outer network.

Results
The current activated IPsec configuration must be disabled.

10.1.11 Enable IPsec Configuration A

Actors
Authorized for: Cmedit_Administrator

Authorized for: PKI_Operator

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— ENM CLI must be up and running in ENM.

— Security Gateway must be enrolled and trusted certificates must be installed.
See the section IPsec Administration for Baseband Radio Nodes on page 296
on how to enroll and distribute trusts on Security Gateway.

Steps

1. Configure and start enrollment and installation of trusted certificates as well
as global IPsec properties. See the section Enrollment and Trust Distribution
on Node on page 316 for details.

2. Configure the physical interfaces. See the section Configure Physical
Interfaces on page 303 for details.

3. Configure the outer network. See the section Configure Outer Network on
page 300.


4. Configure the IPsec VPN connection and inner network. See the section
Configure IPsec VPN and Inner Network on page 298 for details.

Results
IPsec is enabled on the node with configuration A.

10.1.12 Enable IPsec Configuration B

Actors
Authorized for: Cmedit_Administrator

Authorized for: PKI_Operator

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— ENM CLI must be up and running in ENM.

— Security Gateway must be enrolled and trusted certificates must be installed.
See the section IPsec Administration for Baseband Radio Nodes on page 296
on how to enroll and distribute trusts on Security Gateway.

Steps

1. Configure and start enrollment and installation of trusted certificates as well
as global IPsec properties. See the section Enable IPsec Configuration B on
page 314 for details.

2. Configure the physical interfaces. See the section Configure Physical
Interfaces on page 303 for details.

3. Configure the outer network. See the section Configure Outer Network on
page 300 for details.

4. Configure the IPsec VPN connection and inner network for OAM. See the
section Configure IPsec VPN and Inner Network for OAM on page 304 for
details.

5. Configure the Internet Protocol Security VPN connection and inner network
for UPCP. See the section Configure IPsec VPN and Inner Network for UP/CP
on page 307 for details.

Results
IPsec is enabled on the node with configuration B.


10.1.13 Enable IPsec Configuration C

Actors
Authorized for: Cmedit_Administrator

Authorized for: PKI_Operator

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— ENM CLI must be up and running in ENM.

— Security Gateway must be enrolled and trusted certificates must be installed.
See the section IPsec Administration for Baseband Radio Nodes on page 296
on how to enroll and distribute trusts on Security Gateway.

Steps

1. Configure and start enrollment and installation of trusted certificates as well
as global IPsec properties.
See the section Enable IPsec Configuration C on page 315 for details.

Steps 1 and 2 in Configuration C are identical to those in Enable IPsec
Configuration A on page 313.

2. Configure the physical interfaces.
See the section Configure Physical Interfaces on page 303.

3. Configure the outer network for OAM.
See the section Configure Outer Network for OAM on page 301.

4. Configure the IPsec VPN connection and inner network for OAM.
See the section Configure IPsec VPN and Inner Network for OAM with
Different VLAN on page 306.

5. Configure the outer network for UPCP.
See the procedure Configure Outer Network for UPCP on page 302.

6. Configure the IPsec VPN connection and inner network for UPCP.
See the procedure Configure IPsec VPN and Inner Network for UP/CP with
Different VLAN on page 309.


Results
IPsec must be enabled on the node with configuration C.

10.1.14 Enrollment and Trust Distribution on Node

Actors
Authorized for: Cmedit_Administrator, PKI_Operator

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites
If the managed element is added under SubNetwork, all commands must include
SubNetwork also in the FDN.

cmedit create SubNetwork=<subnetwork_name>,ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,EnrollmentServerGroup=ipsecEnrollmentServerGroup enrollmentServerGroupId=ipsecEnrollmentServerGroup

Steps

1. Check whether the End Entity has already been created.

pkiadm etm -l -type ee -n <entity_name>

Example
Entity Name - <node_name>-ipsec, <node_name>-oam

If the Entity Name of type <node_name>-ipsec exists, do not create the EE
in the PKI system. Otherwise, go to step 2 to create the EE.

2. Create the End Entity.

Create an EE XML file using the End Entity XML Template on page 320.
Drag and drop the XML file created into the ENM CLI application and run the
following command:

pkiadm etm -c -xf file:EE_Network Element ID-ipsec.xml

3. Verify whether the End Entity has been created by listing all End Entities in
the ENM PKI system.

pkiadm etm -l -type ee

The EE must be present in the list.


4. Create EnrollmentAuthority MO.

a. Retrieve the subjectDN of NE_IPsec_CA.

pkiadm ctm CACert -l -en NE_IPsec_CA

b. Copy the subjectDN and use the same value as input for
enrollmentAuthorityName.

cmedit create ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=ipsecEnrollmentAuthority enrollmentAuthorityId=ipsecEnrollmentAuthority,enrollmentAuthorityName='<enrollmentAuthorityName>'

Example
enrollmentAuthorityName =
OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=NE_IPsec_CA

c. Download the ENM Root CA Certificate.

pkiadm certmgmt CACert -expcert -en ENM_PKI_Root_CA -f PEM

d. Retrieve the CA Fingerprint.

openssl x509 -in <path>/ENM_PKI_Root_CA.pem -sha1 -noout -fingerprint

e. Copy the Fingerprint and set the value to the
enrollmentCaFingerprint attribute.

cmedit set ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=ipsecEnrollmentAuthority enrollmentCaFingerprint='<Fingerprint>'

5. Create EnrollmentServerGroup MO.

cmedit create ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,EnrollmentServerGroup=ipsecEnrollmentServerGroup enrollmentServerGroupId=ipsecEnrollmentServerGroup

6. Read the IP address parameters sbLoadBalancerIPv4Address and
sbLoadBalancerIPv6Address.
See View and Modify Configuration Parameters on page 12.

The command returns the IP address. In the following URL, replace
hostAddress with the retrieved IP address and use the resulting URL as the
uri value:

http://<hostAddress>:8091/pkira-cmp/synch


7. Create EnrollmentServer MO under the EnrollmentServerGroup MO. Set the values
for the uri and protocol attributes.

cmedit create ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,EnrollmentServerGroup=ipsecEnrollmentServerGroup,EnrollmentServer=1 enrollmentServerId=1,uri="<uri>",protocol=CMP

8. Check whether the Root CA of the ENM is external CA or internal CA, before
trusted certificates installation.

pkiadm ctm CACert -l -en ENM_PKI_Root_CA -s active

If the Subject DN and Issuer DN are the same, the Root CA is a self-signed
certificate. If they do not match, the Root CA is an external CA.

9. Install trusted certificates, if the Root CA is an internal CA.

Get the TDPS URLs for NE_External_CA and ENM_PKI_Root_CA:

pkiadm tsm -l -type ca

If the node has an IPv4 address, copy the IPv4 URLs; if the node has an IPv6
address, copy the IPv6 URLs from the output for both NE_External_CA and
ENM_PKI_Root_CA.

Update the following two commands with the two URLs and run them:

cmedit action ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1 installTrustedCertFromUri.(uri="<NE_External_CA URL>",uriPassword=NULL,fingerprint=NULL)

cmedit action ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1 installTrustedCertFromUri.(uri="<ENM_PKI_Root_CA URL>",uriPassword=NULL,fingerprint=NULL)

After successful installation of the Trusted Certificates, update the
managedState attribute of each Trusted Certificate to ENABLED using the
following command to make the certificate valid.

cmedit set ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=<trustedCertificateId> managedState=ENABLED

10. Execute the commands to fetch the external Root CA chain, if the Root CA is
an external CA.

pkiadm ctm CACert -l -en ENM_PKI_Root_CA -s active

Get the issuer dn of the above certificate and list the external CAs in the
system. If the issuer dn exists in the external CAs, install that certificate


also on Node as trust. Repeat this step until the Root Certificate (where
subject Dn and issuer Dn are same) is installed.

The following command lists the chain to be installed on the node.

pkiadm extcalist

Then execute step 8 to install trusted certificates on the node for
NE_External_CA and ENM_PKI_Root_CA and the external CAs.

11. Create TrustCategory MO. Set the list of trustedCertificates (references
to TrustedCertificate under CertM).

cmedit create ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=ipsecTrustCategory trustCategoryId=ipsecTrustCategory,trustedCertificates=["ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=1","ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=2"]

12. Create NodeCredential MO. Set the values for the enrollmentServerGroup,
KeyInfo, subjectName, subjectAltName, and renewalMode attributes.

The CN value under subjectName must be in the format <node_name>-ipsec.
The subjectAltName field supports both FQDN and IP address.

Example
subjectName = CN=<node_name>-ipsec,O=ERICSSON,C=SE,OU=BUCI DUAC NAM, subjectAltName = IP:<IPV4/IPV6_address> (or) DNS:<dns_address>

cmedit create ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=ipsecNodeCredential nodeCredentialId=ipsecNodeCredential,enrollmentAuthority='ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,EnrollmentAuthority=ipsecEnrollmentAuthority',enrollmentServerGroup='ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,EnrollmentServerGroup=ipsecEnrollmentServerGroup',KeyInfo=RSA_2048,subjectName="<subjectName>",subjectAltName="<subjectAltName>",renewalMode=AUTOMATIC

13. Create Ikev2PolicyProfile MO.

Set the values for the trustCategory (reference to ipsecTrustCategory) and
credential (reference to ipsecNodeCredential) attributes while creating the
Ikev2PolicyProfile MO.

cmedit create ManagedElement=<node_name>,Transport=1,Ikev2PolicyProfile=1 ikev2PolicyProfileId=1,trustCategory='ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=ipsecTrustCategory',credential='ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=ipsecNodeCredential'

14. Create IpsecProposalProfile MO.

Set the values for dataLimit and timeLimit (under childSaLifetime)
while creating the IpsecProposalProfile MO.


cmedit create ManagedElement=<node_name>,Transport=1,IpsecProposalProfile=1 ipsecProposalProfileId=1,childSaLifetime=(dataLimit=<data_limit>,timeLimit=<time_limit>)

15. Execute the action command for online enrollment:

cmedit action ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=ipsecNodeCredential startOnlineEnrollment.(challengePassword=NULL)

Results
Node is enrolled and trusted certificates are installed on the node successfully.

10.1.14.1 End Entity XML Template

Example 1
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2IPSec_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>NODE-IPSEC</Name>
    </Category>
    <EntityInfo>
      <Name>NetworkElementID-ipsec</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>NetworkElementID-ipsec</Value>
        </SubjectField>
      </Subject>
      <OTP>Ericsson05</OTP>
      <OTPCount>5</OTPCount>
    </EntityInfo>
    <OTPValidityPeriod>300</OTPValidityPeriod>
  </Entity>
</Entities>


Note: 1. In the EE XML file, use the profile "DUSGen2_IPSec_SAN_ECDSA_EP" in place
of "DUSGen2IPSec_CHAIN_EP", as follows:
<EntityProfile Name="DUSGen2_IPSec_SAN_ECDSA_EP"/>, if the
certificate needs to be generated with ECDSA keys on Radio nodes
with versions >= 18.Q4.
2. Under the KeyGenerationAlgorithm field, change the value of <Name> to
ECDSA and the value of <KeySize> to 256, as shown in the following.
Allowed values for key size are 256, 384, and 521.

<KeyGenerationAlgorithm>
  <Name>ECDSA</Name>
  <KeySize>256</KeySize>
</KeyGenerationAlgorithm>

3. ENM PKI supports generation of End Entity certificates with an
ECDSA key, but CA certificates are generated with RSA keys only.
Signatures on all the certificates in the chain, including End Entity and CA
certificates, are made with the RSA algorithm even if the
node IPsec or OAM certificate is enrolled with an ECDSA key. For more
details, see the section Network Security Configuration Limitations
on page 454.

In XML creation, the following rules must be respected:

1. In the <EntityInfo> tag, the <Name> must be NetworkElementID-ipsec.

The NetworkElementID is the identifier that the user must use at the end of
this procedure when the Baseband Radio Node is added in ENM.

2. In the <EntityInfo><SubjectField> tag, the <Value> of the COMMON_NAME field
must be NetworkElementID-ipsec.

The NetworkElementID is the identifier that the user must use at the end of
this procedure when the Baseband Radio Node is added in ENM.

3. Save the XML file that has been created.

Suggested name for the file is EE_Network Element ID-ipsec.xml.
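As an added example (not ENM product code), the following Python checks an EE XML file against rules 1 and 2 above and the key/profile combinations from the note, and derives the subjectName string that the NodeCredential step expects from the subject fields. The node name LTE01dg2ERBS00001 and the sample XML are constructed for the example.

```python
"""Validate an ENM End Entity (EE) XML file against the template rules and
derive the NodeCredential subjectName from it. Added example; the sample
XML is the page's template with a constructed NetworkElementID."""
import xml.etree.ElementTree as ET

# Profiles and key parameters named in the template and its note.
RSA_PROFILE = "DUSGen2IPSec_CHAIN_EP"
ECDSA_PROFILE = "DUSGen2_IPSec_SAN_ECDSA_EP"
ALLOWED_KEYS = {"RSA": {2048}, "ECDSA": {256, 384, 521}}

# Attribute order used by the subjectName example in the NodeCredential step.
DN_ORDER = [("COMMON_NAME", "CN"), ("ORGANIZATION", "O"),
            ("COUNTRY_NAME", "C"), ("ORGANIZATION_UNIT", "OU")]

# Constructed sample: the template with NetworkElementID = LTE01dg2ERBS00001.
SAMPLE_EE_XML = """<Entities>
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="DUSGen2IPSec_CHAIN_EP"/>
<KeyGenerationAlgorithm><Name>RSA</Name><KeySize>2048</KeySize></KeyGenerationAlgorithm>
<Category><Modifiable>true</Modifiable><Name>NODE-IPSEC</Name></Category>
<EntityInfo>
<Name>LTE01dg2ERBS00001-ipsec</Name>
<Subject>
<SubjectField><Type>ORGANIZATION</Type><Value>ERICSSON</Value></SubjectField>
<SubjectField><Type>ORGANIZATION_UNIT</Type><Value>BUCI DUAC NAM</Value></SubjectField>
<SubjectField><Type>COUNTRY_NAME</Type><Value>SE</Value></SubjectField>
<SubjectField><Type>COMMON_NAME</Type><Value>LTE01dg2ERBS00001-ipsec</Value></SubjectField>
</Subject>
<OTP>Ericsson05</OTP>
<OTPCount>5</OTPCount>
</EntityInfo>
<OTPValidityPeriod>300</OTPValidityPeriod>
</Entity>
</Entities>"""


def subject_fields(entity):
    """Map SubjectField Type -> Value for one <Entity>."""
    return {f.findtext("Type"): f.findtext("Value")
            for f in entity.findall("EntityInfo/Subject/SubjectField")}


def validate_ee_xml(xml_text, network_element_id):
    """Return a list of rule violations; an empty list means the file is valid."""
    problems = []
    entity = ET.fromstring(xml_text).find("Entity")
    if entity is None:
        return ["no <Entity> element"]
    expected = f"{network_element_id}-ipsec"

    # Rule 1: <EntityInfo><Name> must be NetworkElementID-ipsec.
    name = entity.findtext("EntityInfo/Name")
    if name != expected:
        problems.append(f"EntityInfo/Name is {name!r}, expected {expected!r}")

    # Rule 2: the COMMON_NAME SubjectField value must be NetworkElementID-ipsec.
    cn = subject_fields(entity).get("COMMON_NAME")
    if cn != expected:
        problems.append(f"COMMON_NAME is {cn!r}, expected {expected!r}")

    # Key algorithm, key size and entity profile must agree with the note.
    profile = entity.find("EntityProfile")
    profile_name = profile.get("Name") if profile is not None else None
    alg = entity.findtext("KeyGenerationAlgorithm/Name")
    size_text = entity.findtext("KeyGenerationAlgorithm/KeySize") or ""
    size = int(size_text) if size_text.isdigit() else None
    if alg not in ALLOWED_KEYS or size not in ALLOWED_KEYS[alg]:
        problems.append(f"unsupported key {alg}/{size}")
    elif alg == "ECDSA" and profile_name != ECDSA_PROFILE:
        problems.append(f"ECDSA keys require EntityProfile {ECDSA_PROFILE!r}, got {profile_name!r}")
    elif alg == "RSA" and profile_name != RSA_PROFILE:
        problems.append(f"RSA keys use EntityProfile {RSA_PROFILE!r}, got {profile_name!r}")
    return problems


def subject_name_from_ee(xml_text):
    """Build the subjectName value for the NodeCredential MO from the EE subject."""
    fields = subject_fields(ET.fromstring(xml_text).find("Entity"))
    return ",".join(f"{short}={fields[t]}" for t, short in DN_ORDER if t in fields)


if __name__ == "__main__":
    print(validate_ee_xml(SAMPLE_EE_XML, "LTE01dg2ERBS00001"))   # []
    print(subject_name_from_ee(SAMPLE_EE_XML))
```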


10.1.15 IPsec Current Configuration on Baseband Node

This procedure describes the detailed steps to identify the current
configuration of IPsec on Baseband Nodes.

Actors
Authorized for: Cmedit_Administrator

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— IPsec must be activated on the node with either Configuration A, B, or C on
Baseband Nodes.

The user must identify the current configuration of IPsec on Baseband Nodes.

If the managed element is added under SubNetwork, then all commands must
include SubNetwork also in FDN.

Example 2
cmedit get SubNetwork=<subnetwork_name>,ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1

10.1.15.1 Identify IPsec Configuration A on Node

Prerequisites
IPsec configuration A must be activated on Baseband node.

Steps

1. Identify the number of routers.

cmedit get <node_name> Transport.transportId,*

The command returns the number of routers present under Transport MO.
If there are two routers, one is for inner network and the other is for outer
network.

OamAccessPoint MO denotes the OAM plane. ENodeBFunction and SctpEndpoint
MOs denote the user or control plane.


a. Check the references of these MOs to identify whether the inner network
is shared for OAM and user or control plane.

b. Identify the accessPoint attribute reference, which is under the
OamAccessPoint MO.

cmedit get ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1

c. Identify the upIpAddressRef attribute reference, which is under the
ENodeBFunction MO.

cmedit get ManagedElement=<node_name>,ENodeBFunction=1

d. Identify the localIpAddress attribute reference, which is under the
SctpEndpoint MO.

cmedit get ManagedElement=<node_name>,Transport=1,SctpEndpoint=1

Result: If all three attributes accessPoint, upIpAddressRef, and
localIpAddress point to the same reference, then configuration A is activated
on the node.

2. Execute the command to identify the number of routers.

cmedit get <node_name> Transport.transportId,*

If the command returns two inner routers and one outer router, then run the
following commands and identify the inner router address mapping.

a. Identify the accessPoint attribute reference, which is under the
OamAccessPoint MO.

cmedit get ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1

b. Identify the upIpAddressRef attribute reference, which is under the
ENodeBFunction MO.

cmedit get ManagedElement=<node_name>,ENodeBFunction=1

c. Identify the localIpAddress attribute reference, which is under the
SctpEndpoint MO.

cmedit get ManagedElement=<node_name>,Transport=1,SctpEndpoint=1

Result: If all three attributes accessPoint, upIpAddressRef, and
localIpAddress point to the same inner router address, then Configuration
A is activated on the node.


3. Identify the number of routers.

cmedit get <node_name> Transport.transportId,*

If the command returns two inner and two outer routers, then run the
following commands and identify the inner and outer router address
mapping.

a. Identify the accessPoint attribute reference, which is under the
OamAccessPoint MO.

cmedit get ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1

b. Identify the upIpAddressRef attribute reference, which is under the
ENodeBFunction MO.

cmedit get ManagedElement=<node_name>,ENodeBFunction=1

c. Identify the localIpAddress attribute reference, which is under the
SctpEndpoint MO.

cmedit get ManagedElement=<node_name>,Transport=1,SctpEndpoint=1

Result: If all three attributes accessPoint, upIpAddressRef, and
localIpAddress point to the same inner router address, then Configuration
A is activated on the node.

10.1.15.2 Identify IPsec Configuration B on Node

Configuration B has one inner network OAM, one inner network user or control
plane, and one outer network.

There are two different ways to identify configuration B.

Prerequisites
IPsec configuration B must be activated on Baseband node.

Steps

1. Identify the number of routers.

cmedit get <node_name> Transport.transportId,*

The command returns the number of routers present under Transport MO. If
there are three routers, two are meant for inner networks and other one is for
outer network.


OamAccessPoint MO denotes the OAM plane. ENodeBFunction and SctpEndpoint
MOs denote the user or control plane. Check the references of these MOs to
identify which inner network is for OAM and which is for user or control plane.

a. Identify the accessPoint attribute reference, which is under the
OamAccessPoint MO.

cmedit get ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1

The accessPoint reference points to the node inner OAM address, which
is present in the AddressIPV4 MO under the OAM inner network.

b. Identify the upIpAddressRef attribute reference, which is under the
ENodeBFunction MO.

cmedit get ManagedElement=<node_name>,ENodeBFunction=1

c. Identify the localIpAddress attribute reference, which is under the
SctpEndpoint MO.

cmedit get ManagedElement=<node_name>,Transport=1,SctpEndpoint=1

Result: If both the upIpAddressRef and localIpAddress references point to
the node inner UPCP address, which is present in AddressIPV4 under the UPCP inner
network, then the node is activated with configuration B.

2. Execute the command to identify the number of routers.

cmedit get <node_name> Transport.transportId,*

The command returns the number of routers present under Transport MO. If there are three routers, two are meant for the inner networks and the other one is for the outer network.

a. Identify the accessPoint attribute reference which is under OamAccessPoint MO.

cmedit get ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1

The accessPoint reference points to Node inner OAM address which is present in AddressIPV4 MO under OAM inner network.

b. Identify the upIpAddressRef attribute reference which is under ENodeBFunction MO.

cmedit get ManagedElement=<node_name>,ENodeBFunction=1


c. Identify the localIpAddress attribute reference which is under SctpEndpoint MO.

cmedit get ManagedElement=<node_name>,Transport=1,SctpEndpoint=1

The upIpAddressRef and localIpAddress references point to the Node inner UPCP address which is present in AddressIPV4 under UPCP inner network.

d. Identify the localAddress attribute reference which is under inner OAM router IpsecTunnel MO.

cmedit get ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1

e. Identify the localAddress attribute reference which is under inner userplane/control router IpsecTunnel MO.

cmedit get ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1

Results
If the localAddress reference under both IpsecTunnel MOs points to the same node outer address which is present in AddressIPV4 under outer network, then the node is activated with configuration B.

10.1.15.3 Identify IPsec Configuration C on Node

Prerequisites
IPsec configuration C must be activated on Baseband node.

Steps

1. Identify the number of routers.

cmedit get <node_name> Transport.transportId,*

The command returns the number of routers present under Transport MO. If there are four routers, two are meant for the inner networks and the other two are for the outer networks.

OamAccessPoint MO denotes OAM plane. ENodeBFunction and SctpEndpoint MOs denote user or control plane.


2. Check the references of these MOs to identify whether inner networks are meant for OAM and user or control plane.

3. Identify the accessPoint attribute reference which is under OamAccessPoint MO.

cmedit get ManagedElement=<node_name>,SystemFunctions=1,SysM=1,OamAccessPoint=1

The accessPoint reference points to Node inner OAM address which is present in AddressIPV4 MO under OAM inner network.

4. Identify the upIpAddressRef attribute reference which is under ENodeBFunction MO.

cmedit get ManagedElement=<node_name>,ENodeBFunction=1

5. Identify the localIpAddress attribute reference which is under SctpEndpoint MO.

cmedit get ManagedElement=<node_name>,Transport=1,SctpEndpoint=1

The upIpAddressRef and localIpAddress references point to Node inner UPCP address which is present in AddressIPV4 under UPCP inner network.

6. Identify the localAddress attribute reference that is under inner OAM router IpsecTunnel MO.

cmedit get ManagedElement=<node_name>,Transport=1,Router=innerOam,IpsecTunnel=1

The localAddress reference points to Node outer OAM address which is present in AddressIPV4 MO under OAM outer network.

7. Identify the localAddress attribute reference that is under inner userplane/control router IpsecTunnel MO.

cmedit get ManagedElement=<node_name>,Transport=1,Router=innerUpCp,IpsecTunnel=1

The localAddress reference points to Node outer UPCP address which is present in AddressIPV4 MO under UPCP outer network. If both localAddress references point to their own outer address as described, the node is activated with configuration C.
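The decision rules in 10.1.15.1 to 10.1.15.3 can be applied mechanically once the attribute references have been read. The following Python block is an added example written for this guide, not part of the guide or of ENM; it models the references read with the cmedit commands above as plain FDN strings and classifies the node as configuration A, B or C. The node name NODE1 and the router names (inner, innerOam, innerUpCp, outer, outerOam, outerUpCp) are assumptions for the sample data; the MO classes Router, IpsecTunnel, InterfaceIPv4 and AddressIPv4 follow the guide.

```python
import re
from dataclasses import dataclass, field


@dataclass
class NodeRefs:
    """Attribute references read from the node (constructed sample input)."""
    routers: list                  # Router MOs found under Transport=1
    access_point: str              # OamAccessPoint.accessPoint
    up_ip_address_ref: str         # ENodeBFunction.upIpAddressRef
    local_ip_address: str          # SctpEndpoint.localIpAddress
    # inner router name -> IpsecTunnel.localAddress under that router
    tunnel_local_address: dict = field(default_factory=dict)


ROUTER_RE = re.compile(r"Router=([^,]+)")


def router_of(fdn):
    """Name of the Router MO an AddressIPv4 FDN lives under, or None."""
    match = ROUTER_RE.search(fdn)
    return match.group(1) if match else None


def classify_ipsec_configuration(refs):
    """Apply the guide's rules; return 'A', 'B', 'C' or None when no rule matches."""
    # Configuration A: accessPoint, upIpAddressRef and localIpAddress all
    # point to the same inner router address.
    if refs.access_point == refs.up_ip_address_ref == refs.local_ip_address:
        return "A"
    # B and C: upIpAddressRef and localIpAddress both point to the UPCP inner
    # address, and OAM and UPCP sit on two different inner routers.
    if refs.up_ip_address_ref != refs.local_ip_address:
        return None
    oam_router = router_of(refs.access_point)
    upcp_router = router_of(refs.up_ip_address_ref)
    if None in (oam_router, upcp_router) or oam_router == upcp_router:
        return None
    # Each inner router must carry an IpsecTunnel whose localAddress was read.
    if set(refs.tunnel_local_address) != {oam_router, upcp_router}:
        return None
    outer_addresses = set(refs.tunnel_local_address.values())
    # Configuration B: three routers, both tunnels share one outer address.
    if len(refs.routers) == 3 and len(outer_addresses) == 1:
        return "B"
    # Configuration C: four routers, each tunnel has its own outer address on
    # its own outer router.
    outer_routers = {router_of(a) for a in outer_addresses}
    if len(refs.routers) == 4 and len(outer_addresses) == 2 and len(outer_routers) == 2:
        return "C"
    return None


def address_fdn(router, node="NODE1"):
    """AddressIPv4 FDN under the given router (constructed naming)."""
    return f"ManagedElement={node},Transport=1,Router={router},InterfaceIPv4=1,AddressIPv4=1"


# Constructed samples, one per layout plus one inconsistent node.
SAMPLE_A = NodeRefs(["inner", "outer"], address_fdn("inner"), address_fdn("inner"),
                    address_fdn("inner"), {"inner": address_fdn("outer")})
SAMPLE_B = NodeRefs(["innerOam", "innerUpCp", "outer"], address_fdn("innerOam"),
                    address_fdn("innerUpCp"), address_fdn("innerUpCp"),
                    {"innerOam": address_fdn("outer"), "innerUpCp": address_fdn("outer")})
SAMPLE_C = NodeRefs(["innerOam", "innerUpCp", "outerOam", "outerUpCp"], address_fdn("innerOam"),
                    address_fdn("innerUpCp"), address_fdn("innerUpCp"),
                    {"innerOam": address_fdn("outerOam"), "innerUpCp": address_fdn("outerUpCp")})
# upIpAddressRef and localIpAddress disagree, so none of the three layouts applies.
SAMPLE_INCONSISTENT = NodeRefs(["innerOam", "innerUpCp", "outer"], address_fdn("innerOam"),
                               address_fdn("innerUpCp"), address_fdn("innerOam"),
                               {"innerOam": address_fdn("outer"), "innerUpCp": address_fdn("outer")})

if __name__ == "__main__":
    for label, refs in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C),
                        ("inconsistent", SAMPLE_INCONSISTENT)):
        print(label, "->", classify_ipsec_configuration(refs))
```

A None result is worth treating as a finding rather than noise: it means the control-plane and user-plane references, or the tunnel addresses, do not line up with any of the supported layouts, which is exactly the situation in which an IPsec tunnel can silently leave one plane outside the protected path.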


10.1.16 Offline Enrollment on Security Gateway with CSR

This procedure describes the generation of certificates with Certificate Signing Request (CSR).

IPsec setup needs installation of certificates on Security Gateway. Generate the CSR on Security Gateway; this CSR must be signed by the ENM deployment.

Actors
Authorized for: PKI_EE_ADMINISTRATOR, Action : execute

Authorized for: PKI_OPERATOR, Action : execute

Authorized for: PKI_ADMINISTRATOR, Action : execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Generate CSR on Security Gateway in PKCS#10 format.

— Save the CSR file with .csr extension.

Steps

1. Create an XML entity.

See the procedure in Offline Enrollment on Security Gateway with CSR Entity XML Template on page 329.

2. Create the End Entity.

Drag and drop the XML file created in step 1 into the ENM CLI application and run the following command to create the EE.

pkiadm etm -c -xf file:<<Entity>>.xml

3. Verify whether the End Entity has been created.


List all the End Entities in the ENM PKI system with the following ENM
command:

pkiadm etm -l -type ee

The EE must be present in the list.

4. Generate the certificate.


Drag and drop the CSR file onto ENM CLI and run the command to generate
the certificate.

pkiadm certmgmt EECert --generate --entityname <entityName> --csrfile file:<CSR file> --format PEM

Example
pkiadm ctm EECert -gen -en ERBS_1 -csr file:CSR.csr -f PEM

This command generates the certificate with the chain (the issuer certificate until the root CA). If the chain is not needed, the --nochain or -nch option can be used.

Certificate is downloaded in the ENM CLI. This certificate must be manually installed on the Security Gateway.

5. Check if the certificate has been generated successfully.

pkiadm ctm EECert -l -en<<Entity Name>> -s<<status>>

Example
pkiadm ctm EECert -l -en ERBS_1 -s active

Results
Certificate is successfully generated on ENM deployment with provided CSR.

10.1.16.1 Offline Enrollment on Security Gateway with CSR Entity XML Template

Example 3
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="SecGw_SAN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>SEC-GW</Name>
</Category>
<EntityInfo>
<Name>%SecurityGatewayName%</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>%organization%</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>%organizationUnit%</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>%countryCode%</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>%SecurityGatewayName%</Value>
</SubjectField>
</Subject>
<SubjectAltName>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString">
<StringValue>%IpAddressOfGateway%</StringValue>
</Value>
</SubjectAltNameField>
</SubjectAltName>
<OTP>Ericsson05</OTP>
<OTPCount>5</OTPCount>
</EntityInfo>
<OTPValidityPeriod>300</OTPValidityPeriod>
</Entity>
</Entities>

In the XML creation, these rules must be respected:

1. Replace %SecurityGatewayName% with the name of the Security Gateway at all places in the XML and save it.

Example: srx240b-7

2. Replace %IpAddressOfGateway% with the IP address of the Security Gateway in the XML and save it.

Example: 10.213.22.48

3. Replace %organization% with the organization name in the XML and save it.

Example: ERICSSON

4. Replace %organizationUnit% with the name of the organization unit in the XML and save it.

Example: BUCI DUAC NAM

5. Replace %countryCode% with the two-letter country code in the XML and save it. See https://en.wikipedia.org/wiki/ISO_3166-2 for two-letter country codes.

Example: IN

10.1.17 Offline Enrollment on Security Gateway without CSR

This procedure describes the generation of certificates without Certificate Signing Request (CSR).

PKI generates the CSR and its certificate, on behalf of Security Gateway.

Actors
Authorized for: PKI_EE_ADMINISTRATOR, Action : execute


Authorized for: PKI_OPERATOR, Action : execute

Authorized for: PKI_ADMINISTRATOR, Action : execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Steps

1. Create an XML entity.

See the procedure Offline Enrollment on Security Gateway without CSR Entity XML Template on page 332.

2. Create the End Entity.

Drag and drop the XML file created in step 1 into the ENM CLI and run the command to create the EE.

pkiadm etm -c -xf file:<<Entity>>.xml

EE must be successfully generated in ENM.

3. Verify whether the End Entity has been created.


List all End Entities in the ENM PKI system running the following ENM CLI
command:

pkiadm etm -l -type ee

The EE must be present in the list.

4. Generate the certificate without CSR.

pkiadm certmgmt EECert --generate -nocsr --entityname <<Entity Name>> --format <<Format>> --password <<Password>>

Example
pkiadm certmgmt EECert --generate -nocsr --entityname ERBS_1
--format JKS --password secure

Formats supported are: P12, JKS.

This command generates the certificate with chain (the issuer certificate
until the root CA). If the chain is not needed, --nochain or -nch option can
be used.

5. Check if the certificate has been generated successfully.

pkiadm ctm EECert -l -en<<Entity Name>> -s<<status>>


Example
pkiadm ctm EECert -l -en ERBS_1 -s active

Results
Certificate must be successfully generated on ENM deployment.

10.1.17.1 Offline Enrollment on Security Gateway without CSR Entity XML Template

Example 4
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="SecGw_SAN_EP"/>
<KeyGenerationAlgorithm>
<Name>RSA</Name>
<KeySize>2048</KeySize>
</KeyGenerationAlgorithm>
<Category>
<Modifiable>true</Modifiable>
<Name>SEC-GW</Name>
</Category>
<EntityInfo>
<Name>%SecurityGatewayName%</Name>
<Subject>
<SubjectField>
<Type>ORGANIZATION</Type>
<Value>ERICSSON</Value>
</SubjectField>
<SubjectField>
<Type>ORGANIZATION_UNIT</Type>
<Value>BUCI DUAC NAM</Value>
</SubjectField>
<SubjectField>
<Type>COUNTRY_NAME</Type>
<Value>SE</Value>
</SubjectField>
<SubjectField>
<Type>COMMON_NAME</Type>
<Value>%SecurityGatewayName%</Value>
</SubjectField>
</Subject>
<SubjectAltName>
<SubjectAltNameField>
<Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString">
<StringValue>%IpAddressOfGateway%</StringValue>
</Value>
</SubjectAltNameField>
</SubjectAltName>
<OTP>Ericsson05</OTP>
<OTPCount>5</OTPCount>
</EntityInfo>
<OTPValidityPeriod>300</OTPValidityPeriod>
</Entity>
</Entities>

In the XML creation, the following rules must be respected.

1. Replace %SecurityGatewayName% with the name of the Security Gateway at all places in the XML and save it.

Example: srx240b-7


2. Replace %IpAddressOfGateway% with the IP address of the Security Gateway in the XML and save it.

Example: 10.213.22.48
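The placeholder rules for the two entity templates (Examples 3 and 4) are easy to get wrong by hand, and a malformed entity XML is only reported after the file has been dropped into the ENM CLI. The following Python block is an added example for this guide, not ENM code: it fills the template from Example 3 (embedded as a string, with the xsi namespace written in its canonical form), enforces the rules listed above, and checks the result is well-formed XML before it is used. The function names render_entity_xml and validate_values are this example's own; the same function applied to the Example 4 template only requires the two placeholders that template contains, because the required set is derived from the template itself.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Entity template from Example 3 of the guide, placeholders unchanged.
ENTITY_TEMPLATE = """<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
<Entity>
<PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
<EntityProfile Name="SecGw_SAN_EP"/>
<KeyGenerationAlgorithm><Name>RSA</Name><KeySize>2048</KeySize></KeyGenerationAlgorithm>
<Category><Modifiable>true</Modifiable><Name>SEC-GW</Name></Category>
<EntityInfo>
<Name>%SecurityGatewayName%</Name>
<Subject>
<SubjectField><Type>ORGANIZATION</Type><Value>%organization%</Value></SubjectField>
<SubjectField><Type>ORGANIZATION_UNIT</Type><Value>%organizationUnit%</Value></SubjectField>
<SubjectField><Type>COUNTRY_NAME</Type><Value>%countryCode%</Value></SubjectField>
<SubjectField><Type>COMMON_NAME</Type><Value>%SecurityGatewayName%</Value></SubjectField>
</Subject>
<SubjectAltName>
<SubjectAltNameField><Type>IP_ADDRESS</Type>
<Value xsi:type="SubjectAltNameString"><StringValue>%IpAddressOfGateway%</StringValue></Value>
</SubjectAltNameField>
</SubjectAltName>
<OTP>Ericsson05</OTP>
<OTPCount>5</OTPCount>
</EntityInfo>
<OTPValidityPeriod>300</OTPValidityPeriod>
</Entity>
</Entities>"""

PLACEHOLDER_RE = re.compile(r"%[A-Za-z]+%")


def validate_values(values, template=ENTITY_TEMPLATE):
    """Check the replacement values against the rules in the guide.

    Returns a list of human-readable problems; an empty list means the values
    are acceptable. The required keys are whatever placeholders the template
    contains, so the Example 4 template needs only two of them.
    """
    problems = []
    required = {p.strip("%") for p in PLACEHOLDER_RE.findall(template)}
    for key in sorted(required - set(values)):
        problems.append(f"missing value for %{key}%")
    ip = values.get("IpAddressOfGateway")
    if ip is not None:
        try:
            ipaddress.ip_address(ip)  # rule 2: must be an IP address, v4 or v6
        except ValueError:
            problems.append(f"IpAddressOfGateway is not an IP address: {ip!r}")
    country = values.get("countryCode")
    if country is not None and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append(f"countryCode must be a two-letter ISO 3166 code: {country!r}")
    for key, value in values.items():
        # Values are dropped into element text; reserved XML characters would
        # either break the document or change its meaning.
        if any(ch in value for ch in "<>&"):
            problems.append(f"{key} contains XML-reserved characters: {value!r}")
    return problems


def render_entity_xml(values, template=ENTITY_TEMPLATE):
    """Substitute every placeholder and return the entity XML, or raise ValueError."""
    problems = validate_values(values, template)
    if problems:
        raise ValueError("; ".join(problems))
    xml = PLACEHOLDER_RE.sub(lambda m: values.get(m.group(0).strip("%"), m.group(0)), template)
    leftover = PLACEHOLDER_RE.findall(xml)
    if leftover:
        raise ValueError(f"unreplaced placeholders: {sorted(set(leftover))}")
    ET.fromstring(xml)  # well-formedness check before the file reaches the ENM CLI
    return xml


if __name__ == "__main__":
    # Values taken from the examples in the rules above.
    print(render_entity_xml({"SecurityGatewayName": "srx240b-7",
                             "IpAddressOfGateway": "10.213.22.48",
                             "organization": "ERICSSON",
                             "organizationUnit": "BUCI DUAC NAM",
                             "countryCode": "IN"}))
```

Note that the OTP and OTPCount values are left exactly as the template states them, since they are part of the profile the guide prescribes; only the five placeholder values are operator input.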

10.1.18 Trust Distribution for Security Gateway

This procedure describes the trust distribution for the Security Gateway.

As part of IPsec setup, trusted certificates need to be installed on Security Gateway for authentication. To authenticate the node, the issuer certificate of the node and its chain, which are the NE_IPsec_CA and ENM_PKI_Root_CA certificates, must be installed as a trust on Security Gateway.

If the ENM_PKI_Root_CA is signed by an external CA, those CAs also need to be considered a trust on Security Gateway.

Actors
Authorized for: PKI_EE_ADMINISTRATOR, Action : execute

Authorized for: PKI_OPERATOR, Action : execute

Authorized for: PKI_ADMINISTRATOR, Action : execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— NE_IPsec_CA and ENM_PKI_Root_CA certificates must be present in ENM.

— If the ENM_PKI_Root_CA is signed by external CA, then signer certs of Root CA must be present in ENM.

Steps

1. Export NE_IPsec_CA certificate from ENM CLI.

pkiadm ctm CACert -expcert -en NE_IPsec_CA -f PEM

Certificate is downloaded in ENM CLI. Install this PEM file on Security Gateway.

2. Export ENM_PKI_Root_CA certificate from ENM CLI.

pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM


Certificate is downloaded in ENM CLI. Install this PEM file on Security Gateway.

3. Check if the ENM_PKI_Root_CA is self-signed or signed by external CA.

If the ENM_PKI_Root_CA is signed by external CA, then those certificates need to be installed as trust on Security Gateway.

Use the following ENM CLI command to do the check:

pkiadm ctm CACert -l -en ENM_PKI_Root_CA -s active

If the subjectDN and issuerDN of the certificate match, the Root CA is self-signed. Otherwise, the Root CA is signed by an external CA. If the Root CA is self-signed, the certificate distribution is complete. Otherwise, get the issuer DN from the active certificate of ENM_PKI_Root_CA and the entity name of that CA, then execute the following steps.

4. Get the external CAs.

Use the following ENM CLI command to list the external CA certificates:

pkiadm extcalist

Get the CA name that matches the issuer DN of the active certificate of ENM_PKI_Root_CA. Repeat this lookup for each issuer in turn until the root of the chain is found; all those CA certificates must be installed as trust.

5. Download the certificate.

Use the external CA name from step 4 to download the certificate:

pkiadm extcaexport -n <external CA name> -sn <serial number>

Certificate is downloaded in ENM CLI. Install this PEM file on Security Gateway.

Results
Successful download of trusted certificates from ENM deployment to install them
on Security Gateway.
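Steps 3 and 4 describe a chain walk: compare subject and issuer DN to decide whether a CA is self-signed, and otherwise look up the CA whose subject matches the issuer, until the root is reached. The following Python block is an added example written for this guide, not ENM code; it performs that walk over a constructed inventory of CA records shaped like the information the pkiadm listings return (entity name mapped to subject DN and issuer DN). The external CA names and DNs are invented for the sample. The walk refuses to report a chain as complete when an issuer is missing from the inventory or when the issuer references loop, which is the case in which a Security Gateway would otherwise end up with an incomplete trust set.

```python
def normalize_dn(dn):
    """Compare DNs by attribute type and value, ignoring spacing and type case.

    Different tools print the same DN with different spacing after the commas
    and different case for the attribute types, so a plain string comparison
    of subjectDN and issuerDN can report a self-signed CA as externally signed.
    """
    pairs = []
    for part in dn.split(","):
        typ, _, value = part.strip().partition("=")
        pairs.append((typ.strip().upper(), value.strip()))
    return tuple(pairs)


def is_self_signed(ca_records, name):
    """Step 3: the CA is self-signed when its subject DN and issuer DN match."""
    subject, issuer = ca_records[name]
    return normalize_dn(subject) == normalize_dn(issuer)


def find_issuer(ca_records, issuer_dn):
    """Step 4: name of the CA whose subject DN equals issuer_dn, or None."""
    wanted = normalize_dn(issuer_dn)
    for name, (subject, _) in ca_records.items():
        if normalize_dn(subject) == wanted:
            return name
    return None


def collect_trust_chain(start, ca_records):
    """Walk from 'start' up its issuers until a self-signed CA is reached.

    Returns the ordered list of CA entity names whose certificates must be
    installed as trust on the Security Gateway. Raises ValueError when an
    issuer is missing from the inventory or the chain loops, so that an
    incomplete set is never reported as complete.
    """
    chain, seen, name = [], set(), start
    while True:
        if name not in ca_records:
            raise ValueError(f"CA {name!r} is not present in ENM")
        if name in seen:
            raise ValueError(f"issuer chain loops at {name!r}")
        seen.add(name)
        chain.append(name)
        if is_self_signed(ca_records, name):
            return chain
        issuer_dn = ca_records[name][1]
        issuer = find_issuer(ca_records, issuer_dn)
        if issuer is None:
            raise ValueError(f"issuer {issuer_dn!r} of {name!r} is not present in ENM; "
                             "import it before distributing trust")
        name = issuer


def trust_chain_or_error(start, ca_records):
    """Same as collect_trust_chain but returns the error message instead of raising."""
    try:
        return collect_trust_chain(start, ca_records)
    except ValueError as exc:
        return str(exc)


# Constructed inventories: entity name -> (subject DN, issuer DN).
ENM_ROOT_DN = "CN=ENM_PKI_Root_CA,O=Ericsson,C=SE"
SELF_SIGNED_PKI = {
    "NE_IPsec_CA": ("CN=NE_IPsec_CA,O=Ericsson,C=SE", ENM_ROOT_DN),
    "ENM_PKI_Root_CA": (ENM_ROOT_DN, ENM_ROOT_DN),
}
EXTERNALLY_SIGNED_PKI = {
    "NE_IPsec_CA": ("CN=NE_IPsec_CA,O=Ericsson,C=SE", ENM_ROOT_DN),
    # issuer DN printed with different spacing and case than the CA's own subject
    "ENM_PKI_Root_CA": (ENM_ROOT_DN, "cn=Operator Issuing CA, o=Operator, c=SE"),
    "Operator_Issuing_CA": ("CN=Operator Issuing CA,O=Operator,C=SE", "CN=Operator Root CA,O=Operator,C=SE"),
    "Operator_Root_CA": ("CN=Operator Root CA,O=Operator,C=SE", "CN=Operator Root CA,O=Operator,C=SE"),
}
# The external root was never imported into ENM: the walk must fail loudly.
INCOMPLETE_PKI = {k: v for k, v in EXTERNALLY_SIGNED_PKI.items() if k != "Operator_Root_CA"}

if __name__ == "__main__":
    print(trust_chain_or_error("NE_IPsec_CA", SELF_SIGNED_PKI))
    print(trust_chain_or_error("NE_IPsec_CA", EXTERNALLY_SIGNED_PKI))
    print(trust_chain_or_error("NE_IPsec_CA", INCOMPLETE_PKI))
```

Starting the walk at NE_IPsec_CA rather than at the root yields, in order, exactly the certificates steps 1, 2 and 5 export for installation on the Security Gateway.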


10.2 External CA Support for IPsec Payload Interfaces without PKI Involvement

ENM provides the capability to configure the node to contact the External CA during IPsec certificate enrollment, without ENM PKI involvement.

Note: This feature is supported only for Baseband Radio Nodes having version
>= 18.Q3.

The following use cases are supported.

— Auto Provisioning Support for External CA.

This use case configures the node to contact the External CA during the auto provisioning for IPsec node credentials.

See the online help for the Auto Provisioning application.

— Enrollment of Node Certificate.

See the section Enrollment of IPsec Certificate Issued by External CA on page 335.

— Distribution of External PKI Trusts.

See the section Trust Distribution of External CA Certificates on page 338.

— Reissue of Node Credentials.

See the section Reissue a Node Certificate of the document ENM Network Security Configuration System Administrator Guide, Reference [4].

— Migration of the Node from ENM PKI to External PKI.

See the section Migration of Baseband Radio Node from ENM PKI CA to External CA on page 340.

10.2.1 Enrollment of IPsec Certificate Issued by External CA

This procedure describes the enrollment of an IPsec certificate issued by an External CA, by configuring the External CA details on the node.

Actors
Authorized for: NodeSecurity_Administrator, action: execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].


Prerequisites

— Node is added and synchronized with ENM.

Enrollment XML File

The XML file with the following content must be provided as input to the secadm certificate issue command with extca option.

<?xml version="1.0" encoding="UTF-8"?>
<EnrollmentDetails>
  <nodeEnrollmentDetails> <!-- Repeat this tag along with all the sub tags in case of enrolling multiple nodes with different external ca details -->
    <Nodes>
      <Node> <!-- Repeat this tag along with all the sub tags in case of enrolling multiple nodes with same external ca details -->
        <NodeFdn></NodeFdn>
        <SubjectAltName></SubjectAltName> <!-- Specify the value according to SubjectAltNameType -->
        <SubjectAltNameType></SubjectAltNameType> <!-- IP_ADDRESS or DNS_NAME -->
        <CertificateSubjectDn></CertificateSubjectDn> <!-- SubjectDn of the node certificate -->
        <ChallengePhrase></ChallengePhrase> <!-- This tag is mandatory when performing enrollment with External CA -->
        <InterfaceFdn></InterfaceFdn> <!-- This tag is mandatory if the external CA cannot be reached through the OAM interface -->
      </Node>
    </Nodes>
    <externalCAEnrollmentInfo>
      <externalCAEnrollmentDetails>
        <certificateAuthorityDn></certificateAuthorityDn> <!-- SubjectDN of the node certificate issuer -->
        <caCertificate></caCertificate> <!-- CA certificate content in base64 format -->
        <enrollmentServerUrl></enrollmentServerUrl> <!-- Enrollment Server URL of External CA -->
      </externalCAEnrollmentDetails>
      <TrustedCACertificates> <!-- This is an optional field which can be removed if the trust distribution will be done manually -->
        <TrustedCACertificateInfo> <!-- Repeat this tag in order to specify multiple trusted certificates information -->
          <TDPSUrl></TDPSUrl> <!-- TDPS URL of the certificate to be installed as trust -->
          <TrustedCACertIssuerDn></TrustedCACertIssuerDn> <!-- Issuer DN of the trust certificate -->
          <CertificateSerialNumber></CertificateSerialNumber> <!-- Serial number of the trust certificate -->
        </TrustedCACertificateInfo>
      </TrustedCACertificates>
    </externalCAEnrollmentInfo>
  </nodeEnrollmentDetails>
</EnrollmentDetails>

Preparation of Enrollment XML

The values in the Enrollment XML can be prepared as follows.


Table 19

Tag Name: CertificateSubjectDn
Value: SubjectDN with which the certificate has to be issued to the node.
Example: CN=TestNode,OU=TestOU,O=TestOrg,C=SE

Tag Name: ChallengePhrase
Value: The challenge password to be used for generating the certificate by the External CA.

Tag Name: InterfaceFdn
Value: This is needed if the external CA cannot be reached through the OAM interface. FDN of the Address (either IPv4 or IPv6) MO under the Interface MO which belongs to the outer network of the IPsec tunnel.
Example: ManagedElement=<NodeName>,Transport=1,Router=<RouterName>,InterfaceIPv4=1,AddressIPv4=1

Tag Name: CertificateAuthorityDn
Value: SubjectDN of the node certificate issuer.
Example: CN=TestNode,OU=TestOU,O=TestOrg,C=SE

Tag Name: CaCertificate
Value: PEM content of the External RootCA certificate, which can be obtained with the following steps.
1. Get the External RootCA certificate in PEM format.
2. Edit the certificate PEM file in any text editor.
3. Copy the content between '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' and carefully arrange the content in a single line without losing any content.
4. Paste this content in the CaCertificate tag of the XML file.

Tag Name: enrollmentServerUrl
Value: External RA URL which is accessible by the node.

Tag Name: TDPSUrl
Value: TDPS URL of the external CA certificates which can be distributed as trusts on the node.

Tag Name: TrustedCACertIssuerDn
Value: SubjectDN of the trusted certificate issuer.
Example: CN=TestNode,OU=TestOU,O=TestOrg,C=SE

Tag Name: CertificateSerialNumber
Value: Serial number of the trusted certificate.

Steps

1. Connect to ENM CLI.

2. Run the command with the enrollment XML file as input.

secadm certificate issue --certType IPSEC --xmlfile file:<Enrollment XML> --extca

3. List the node certificate after successful enrollment.


Run the following ENM CLI command and verify the certificate details.

secadm certificate get --certType IPSEC --nodelist <NodeName>

Results
The node is successfully enrolled with IPsec certificate and trusted certificates
provided by External CA.
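The Enrollment XML above is assembled by hand from Table 19, and two of its rows are error-prone: ChallengePhrase is mandatory but has no schema to enforce it, and CaCertificate must be the PEM body collapsed onto one line without losing a character. The following Python block is an added example written for this guide, not ENM code; it performs the four CaCertificate steps from the table with a validity check on the base64, then serializes an EnrollmentDetails document with the mandatory tags enforced and InterfaceFdn emitted only when supplied. The node name, challenge phrase, URLs (under the reserved .invalid domain), serial number and the PEM body (placeholder bytes, not a certificate) are constructed for the sample; the function names are this example's own.

```python
import base64
import ipaddress
import re
import textwrap
import xml.etree.ElementTree as ET

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SAN_TYPES = ("IP_ADDRESS", "DNS_NAME")
NODE_TAGS = ("NodeFdn", "SubjectAltName", "SubjectAltNameType", "CertificateSubjectDn", "ChallengePhrase")
CA_TAGS = ("certificateAuthorityDn", "caCertificate", "enrollmentServerUrl")
TRUST_TAGS = ("TDPSUrl", "TrustedCACertIssuerDn", "CertificateSerialNumber")


def pem_body_single_line(pem_text):
    """CaCertificate row, steps 1 to 4: take the base64 between the BEGIN/END
    markers and join it into one line. The body is decoded once so that a
    truncated or mangled paste fails here instead of on the node."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in the PEM input")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)  # binascii.Error (a ValueError) if corrupted
    return body


def build_enrollment_xml(nodes, ca, trusted=()):
    """Serialize the EnrollmentDetails document for 'secadm certificate issue --extca'.

    nodes: dicts with the NODE_TAGS keys and an optional InterfaceFdn.
    ca: dict with the CA_TAGS keys (caCertificate already single-line base64).
    trusted: dicts with the TRUST_TAGS keys; empty means trust is distributed manually.
    """
    root = ET.Element("EnrollmentDetails")
    details = ET.SubElement(root, "nodeEnrollmentDetails")
    nodes_el = ET.SubElement(details, "Nodes")
    for node in nodes:
        for tag in NODE_TAGS:
            if not node.get(tag):
                raise ValueError(f"{tag} is mandatory (node {node.get('NodeFdn')!r})")
        if node["SubjectAltNameType"] not in SAN_TYPES:
            raise ValueError(f"SubjectAltNameType must be one of {SAN_TYPES}")
        if node["SubjectAltNameType"] == "IP_ADDRESS":
            ipaddress.ip_address(node["SubjectAltName"])  # ValueError if not an IP
        node_el = ET.SubElement(nodes_el, "Node")
        for tag in NODE_TAGS + ("InterfaceFdn",):
            if node.get(tag):
                ET.SubElement(node_el, tag).text = node[tag]
    info = ET.SubElement(details, "externalCAEnrollmentInfo")
    ca_el = ET.SubElement(info, "externalCAEnrollmentDetails")
    for tag in CA_TAGS:
        if not ca.get(tag):
            raise ValueError(f"{tag} is mandatory")
        ET.SubElement(ca_el, tag).text = ca[tag]
    if trusted:
        trusts_el = ET.SubElement(info, "TrustedCACertificates")
        for trust in trusted:
            trust_el = ET.SubElement(trusts_el, "TrustedCACertificateInfo")
            for tag in TRUST_TAGS:
                if not trust.get(tag):
                    raise ValueError(f"{tag} is mandatory in TrustedCACertificateInfo")
                ET.SubElement(trust_el, tag).text = trust[tag]
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def enrollment_error(nodes, ca, trusted=()):
    """Validation message for bad input, or None when the document builds."""
    try:
        build_enrollment_xml(nodes, ca, trusted)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample input (placeholder bytes stand in for the DER of a root CA).
FAKE_DER = b"placeholder bytes standing in for a DER-encoded external root CA"
SAMPLE_PEM_BODY = base64.b64encode(FAKE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(SAMPLE_PEM_BODY, 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_NODES = [{"NodeFdn": "NODE1", "SubjectAltName": "10.213.22.48",
                 "SubjectAltNameType": "IP_ADDRESS",
                 "CertificateSubjectDn": "CN=TestNode,OU=TestOU,O=TestOrg,C=SE",
                 "ChallengePhrase": "example-challenge"}]
SAMPLE_CA = {"certificateAuthorityDn": "CN=External Root CA,O=Operator,C=SE",
             "caCertificate": pem_body_single_line(SAMPLE_PEM),
             "enrollmentServerUrl": "http://ra.example.invalid/enroll"}
SAMPLE_TRUSTS = [{"TDPSUrl": "http://tdps.example.invalid/ca/root.pem",
                  "TrustedCACertIssuerDn": "CN=External Root CA,O=Operator,C=SE",
                  "CertificateSerialNumber": "1a2b3c4d"}]

if __name__ == "__main__":
    print(build_enrollment_xml(SAMPLE_NODES, SAMPLE_CA, SAMPLE_TRUSTS))
```

The challenge phrase is written into the file in clear, as the template requires; treat the generated XML with the same care as the phrase itself and remove it from the workstation once the secadm command has run.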

10.2.2 Trust Distribution of External CA Certificates

Actors
Authorized for: NodeSecurity_Administrator, action: execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Node is added and synchronized with ENM.

Trust Distribution XML File

The XML file with the following content must be provided as input to the secadm trust distribute command with extca option.


<?xml version="1.0" encoding="utf-8"?>
<ExternalTrustedCACertificatesDetails>
  <NodesTrustedCACertificateDetails> <!-- Repeat this tag along with the sub tags in case of distribution of different external ca trusted certificates for multiple nodes -->
    <Nodes>
      <Node> <!-- Repeat this tag along with the sub tags in case of distribution of same external ca trusted certificates for multiple nodes -->
        <NodeFdn></NodeFdn> <!-- node name -->
        <InterfaceFdn></InterfaceFdn> <!-- This tag is mandatory if External CA cannot be reached through the OAM interface -->
      </Node>
    </Nodes>
    <TrustedCACertificates>
      <TrustedCACertificateInfo> <!-- Repeat this tag in order to specify multiple trusted certificates information -->
        <TDPSUrl></TDPSUrl> <!-- TDPS Url of External CA certificate to be distributed as Trust -->
        <TrustedCACertIssuerDn></TrustedCACertIssuerDn> <!-- SubjectDn of the trusted certificate issuer -->
        <CertificateSerialNumber></CertificateSerialNumber> <!-- Serial number of the trusted certificate -->
      </TrustedCACertificateInfo>
    </TrustedCACertificates>
  </NodesTrustedCACertificateDetails>
</ExternalTrustedCACertificatesDetails>

Preparation of Trust Distribution XML File

The values in the Trust Distribution XML file can be prepared as follows.

Table 20

Tag Name: InterfaceFdn
Value: This tag is mandatory if the External CA cannot be reached through the OAM interface. FDN of the Address (either IPv4 or IPv6) MO under the Interface MO which belongs to the outer network of the IPsec tunnel.
Example: ManagedElement=<NodeName>,Transport=1,Router=<RouterName>,InterfaceIPv4=1,AddressIPv4=1

Tag Name: TDPSUrl
Value: TDPS URL of the external CA certificates which is distributed as trusts on the node.

Tag Name: TrustedCACertIssuerDn
Value: SubjectDN of the trusted certificate issuer.
Example: CN=TestNode,OU=TestOU,O=TestOrg,C=SE

Tag Name: CertificateSerialNumber
Value: Serial number of the trusted certificate.

Steps

1. Connect to ENM CLI.


2. Run the command with the Trust Distribution XML file as input.

secadm trust distribute --trustCategory IPSEC --xmlfile file:<Trust Distribution XML file> --extca

3. Verify the trusted Certificates distributed on the node.

secadm trust get --trustCategory IPSEC --nodelist <NodeName>
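A trust distribution file is usually prepared once and reused across nodes, so a pre-flight check before the secadm command is cheap insurance against a half-filled copy of the template. The following Python block is an added example for this guide, not ENM code: it parses a file in the layout above and reports every violation of the rules stated in the template comments and in Table 20 (every Node needs a NodeFdn, an InterfaceFdn when present must be an Address MO FDN on a router, and each TrustedCACertificateInfo needs all three of TDPSUrl, TrustedCACertIssuerDn and CertificateSerialNumber). The sample file is constructed, with invented node names, router name, URL and serial number; the accepted FDN shape (InterfaceIPv4/InterfaceIPv6 and AddressIPv4/AddressIPv6 under Router) and the hexadecimal serial check are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the template above; all values are placeholders.
SAMPLE_TRUST_XML = """<?xml version="1.0" encoding="utf-8"?>
<ExternalTrustedCACertificatesDetails>
  <NodesTrustedCACertificateDetails>
    <Nodes>
      <Node><NodeFdn>NODE1</NodeFdn></Node>
      <Node>
        <NodeFdn>NODE2</NodeFdn>
        <InterfaceFdn>ManagedElement=NODE2,Transport=1,Router=outer,InterfaceIPv4=1,AddressIPv4=1</InterfaceFdn>
      </Node>
    </Nodes>
    <TrustedCACertificates>
      <TrustedCACertificateInfo>
        <TDPSUrl>http://tdps.example.invalid/ca/root.pem</TDPSUrl>
        <TrustedCACertIssuerDn>CN=TestNode,OU=TestOU,O=TestOrg,C=SE</TrustedCACertIssuerDn>
        <CertificateSerialNumber>1a2b3c</CertificateSerialNumber>
      </TrustedCACertificateInfo>
    </TrustedCACertificates>
  </NodesTrustedCACertificateDetails>
</ExternalTrustedCACertificatesDetails>
"""

# Assumed shape of an outer-network Address MO FDN (IPv4 or IPv6 variants).
INTERFACE_FDN_RE = re.compile(
    r"^ManagedElement=[^,]+,Transport=1,Router=[^,]+,Interface(?:IPv4|IPv6)=\d+,Address(?:IPv4|IPv6)=\d+$")
TRUST_TAGS = ("TDPSUrl", "TrustedCACertIssuerDn", "Cert" "ificateSerialNumber")


def validate_trust_distribution_xml(text):
    """Return a list of problems; an empty list means the file is ready for
    'secadm trust distribute --trustCategory IPSEC --xmlfile ... --extca'."""
    problems = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "ExternalTrustedCACertificatesDetails":
        problems.append(f"unexpected root element {root.tag!r}")
    groups = root.findall("NodesTrustedCACertificateDetails")
    if not groups:
        problems.append("no NodesTrustedCACertificateDetails element")
    for gi, group in enumerate(groups, 1):
        nodes = group.findall("Nodes/Node")
        if not nodes:
            problems.append(f"group {gi}: no Node element")
        for node in nodes:
            fdn = (node.findtext("NodeFdn") or "").strip()
            if not fdn:
                problems.append(f"group {gi}: Node without NodeFdn")
            iface = node.findtext("InterfaceFdn")
            if iface is not None and not INTERFACE_FDN_RE.match(iface.strip()):
                problems.append(f"group {gi}: node {fdn!r}: InterfaceFdn is not an Address MO FDN under a Router")
        certs = group.findall("TrustedCACertificates/TrustedCACertificateInfo")
        if not certs:
            problems.append(f"group {gi}: no TrustedCACertificateInfo element")
        for ci, cert in enumerate(certs, 1):
            values = {tag: (cert.findtext(tag) or "").strip() for tag in TRUST_TAGS}
            for tag, value in values.items():
                if not value:
                    problems.append(f"group {gi}: trusted certificate {ci}: {tag} is empty")
            url = values["TDPSUrl"]
            if url and not url.lower().startswith(("http://", "https://")):
                problems.append(f"group {gi}: trusted certificate {ci}: TDPSUrl is not an HTTP(S) URL")
            serial = values["CertificateSerialNumber"]
            if serial and not re.fullmatch(r"[0-9A-Fa-f:]+", serial):
                problems.append(f"group {gi}: trusted certificate {ci}: CertificateSerialNumber is not hexadecimal")
    return problems


# The same sample with two rules broken, to show what gets reported.
BROKEN_TRUST_XML = (SAMPLE_TRUST_XML
                    .replace("<NodeFdn>NODE1</NodeFdn>", "<NodeFdn></NodeFdn>")
                    .replace("<CertificateSerialNumber>1a2b3c</CertificateSerialNumber>",
                             "<CertificateSerialNumber></CertificateSerialNumber>"))

if __name__ == "__main__":
    print("sample:", validate_trust_distribution_xml(SAMPLE_TRUST_XML))
    print("broken:", validate_trust_distribution_xml(BROKEN_TRUST_XML))
```

Running the validator over the untouched template from this section reports every empty tag, which is the intended behaviour: the template is a skeleton, and a node must never be pointed at a trust entry whose issuer DN or serial number is blank.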

10.2.3 Migration of Baseband Radio Node from ENM PKI CA to External CA

This procedure describes how to migrate a Baseband Radio node enrolled with IPsec certificate and trusted certificates provided by ENM PKI CA to the state in which the node is enrolled with External CA provided IPsec certificate and trusted certificates.

Prerequisites
Node is added and synchronized with ENM.

Required Tools and Equipment

Steps

1. Install required trusted certificates of External CA on the Security Gateway which is used to authenticate the node IPsec certificate.

2. Perform enrollment of IPsec certificate on the node with the External CA.
See the section Enrollment of IPsec Certificate Issued by External CA on
page 335.

3. Restart and verify the IPsec tunnel after successful enrollment.

Connect to the node and browse to the Router MO. For example, ManagedElement=<NodeName>,Transport=1,Router=<RouterName>.

Restart each IPsecTunnel by doing the following steps:

a. There can be one or more IPsecTunnels for each Router, so from the Router MO traverse to one of the IPsecTunnel MOs and the Ikev2Session MO under it.

For example, ManagedElement=<nodeName>,Transport=1,Router=<RouterName>,IPsecTunnel=1,Ikev2Session=1

b. Restart the IPsec tunnel by running the command restart ikev2sa.


c. Run the command show ikesa, which displays the IPsec tunnel status between Node and Security Gateway. The IPsec tunnel is established with the certificates of External CA.

d. Repeat the steps from step a to step c for each IPsecTunnel (if any).

4. Verify that the node is reachable and in Sync with ENM.

cmedit get NetworkElement=<NodeName>,CmFunction=1

Results
The node is successfully enrolled with IPsec certificate and trusted certificates
provided by External CA.

The IPsec tunnel of the node with Security Gateway is not broken after successful
enrollment.


11 Certificate Revocation List Management

11.1 Manage CRL Check on Node


This task describes the procedure to enable, disable, and read Certificate Revocation Check on nodes.

Enabling (activating) and disabling (deactivating) CRL Check gives the operator control over the CRL Check on BaseBand Radio Node, eNodeB DU Radio Node (Micro & Macro RBS) node, and 5GRadioNode.

This certificate revocation check can be switched on or off for the nodes.

After the CRL Check is enabled on the node, the node checks whether the peer certificate is revoked during IPsec/OAM communication.

If the peer certificate is revoked, the node does not establish any communication channel with the mentioned services.

If the CRL Check is disabled on the node, then during IPsec/OAM communication the node does not verify whether the peer certificate is revoked.

The status of whether the CRL Check is enabled or disabled on the node can be
checked by the Read command.

By default, this check is deactivated on the node.

For information on the supported node types and versions for CRL Check for
OAM and IPsec, see Supported Node Types on page 344.

For information on the supported values for the certificate types on the nodes for
the corresponding CRL Check commands, see Supported Certificate Type on page
345.

For information on the cert type behavior and CRL check, see Cert Type Behavior on CRL Check on page 345.

Prerequisites
These are the Node-specific prerequisites.

COM/ECIM Node

— The nodes must be in SYNC status.

— To enable, disable, and read CRL Check for OAM on Baseband Radio Node
and 5GRadioNode, node must have OAM certificate and node release version
must be 16B and above.


— To enable, disable, and read CRL Check for IPsec on Baseband Radio
Node and 5GRadioNode, node must have IPsec certificate and node release
version must be 17A and above.

CPP Node

— The nodes must be in SYNC status.

— To enable, disable, and read CRL Check for OAM on MGW nodes, node
release version must be 17B and above.

— To enable, disable, and read CRL Check for OAM & IPsec on ERBS nodes,
node release version must be 17B and above.

ER6000 Node

— The nodes must be in SYNC status.

— To enable, disable, and read CRL Check for OAM on ER6000 nodes, node
release version must be 17B and above.

Steps

1. Check if CDPS extension for both IPv4 and IPv6 is enabled.

See View and Modify Configuration Parameters on page 12.

If the CDPS extension is enabled, perform step 2 and skip step 3; otherwise, go to step 3.

2. Check for the CDPS extension for the following CAs by downloading the corresponding CA certificate:
— ENM_Infrastructure_CA

— ENM_OAM_CA

Role: a user with the PKI Operator role can download the certificate of an entity:

pkiadm certmgmt CACert --exportcert --entityname <entity_name> --format PEM

If the mentioned CA certificates do not have the CDPS extension, then those certificates must be reissued.

3. Introduce CDPS extension in all End Entity and CA Certificates.

See the procedure Introduce CDPS Extension on page 346.


After This Task

After CRL Check is enabled on the CPP node, revoke the peer certificate. The node verifies the peer certificate's revocation status from the next communication onwards and rejects it.

The user with Cmedit_Administrator role can run the following commands:

cmedit set NetworkElement=<Node_Name>,CmNodeHeartbeatSupervision=1 active=false

cmedit action NetworkElement=<Node_Name>,CmFunction=1 sync

cmedit set NetworkElement=<Node_Name>,CmNodeHeartbeatSupervision=1 active=true

cmedit action NetworkElement=<Node_Name>,CmFunction=1 sync

11.1.1 Supported Node Types

The table describes the supported node types and versions for CRL Check for OAM and IPsec.

Table 21

Node Name | Network | NE Type | Platform Type | NE Release Supported for OAM | NE Release Supported for IPsec
RadioNode BaseBand 5212 | WCDMA | RadioNode | ECIM | 16B onwards | 17A onwards
RadioNode BaseBand 5216 | LTE | RadioNode | ECIM | 16B onwards | 17A onwards
RadioTNode (T605) | Transport | RadioTNode | ECIM | 16B onwards | 17A onwards
RadioTNode (C608) | Transport | RadioTNode | ECIM | 16B onwards | 17A onwards
eNodeB DU Radio Node (Micro & Macro RBS) | LTE | ERBS | CPP | L17B onwards | L17B onwards
Router6672 | Transport | Router6672 | ER6000 | 17B onwards | 17B onwards
Router6274 | Transport | Router6274 | ER6000 | 18Q2GA onwards | 18Q2GA onwards
Router6675 | Transport | Router6675 | ER6000 | 18A onwards | 18A onwards
Router6x71 | Transport | Router6x71 | ER6000 | 18A onwards | 18A onwards
Router6273 | Transport | Router6273 | ER6000 | 20.Q1 onwards | 20.Q1 onwards
Router6273 | Transport | Router6273 | ER6000 | 21.Q2 onwards | N/A
vPP (ECIM) | LTE | vPP | ECIM | 17Q3 onwards | 17Q3 onwards
VTFRadioNode | LTE | VTFRadioNode | ECIM | 18Q1 onwards | 18Q1 onwards
5GRadioNode | NR RAN | 5GRadioNode | ECIM | 18Q4 onwards | 18Q4 onwards
gNodeB Baseband RadioNode | NR RAN | Radionode | ECIM | 19Q2 onwards | 19Q2 onwards
Fronthaul 6020 | Transport | Fronthaul 6020 | ECIM | 20.Q2.1 onwards | N/A
Controller6610 | Site | Controller6610 | ECIM | 21.EX1 onwards | 21.EX1 onwards

11.1.2 Supported Certificate Type

The table describes the supported values for the certificate types on the nodes for the corresponding CRL Check commands:

Table 22

Node Name | Platform Type | Cert Types to Enable or Disable CRL Check | Cert Types to Read CRL Check
RadioNode BaseBand 5212 | ECIM | IPSEC, OAM, ALL | IPSEC, OAM
RadioNode BaseBand 5216 | ECIM | IPSEC, OAM, ALL | IPSEC, OAM
RadioTNode T605 | ECIM | IPSEC, OAM, ALL | IPSEC, OAM
RadioTNode C608 | ECIM | IPSEC, OAM, ALL | IPSEC, OAM
eNodeB DU Radio Node (Micro & Macro RBS) | CPP | ALL | IPSEC, OAM
Router6672 | ER6000 | IPSEC, OAM, ALL | IPSEC, OAM
Router6274 | ER6000 | IPSEC, OAM, ALL | IPSEC, OAM
Router6675 | ER6000 | IPSEC, OAM, ALL | IPSEC, OAM
Router6x71 | ER6000 | IPSEC, OAM, ALL | IPSEC, OAM
Router6273 | ER6000 | IPSEC, OAM, ALL | IPSEC, OAM
Router6673 | ER6000 | OAM | OAM
vPP (ECIM) | ECIM | IPSEC, OAM, ALL | IPSEC, OAM
5GRadioNode | ECIM | IPSEC, OAM, ALL | IPSEC, OAM
Fronthaul 6020 | ECIM | OAM | OAM
Controller6610 | ECIM | OAM | OAM

11.1.3 Cert Type Behavior on CRL Check

Table 23

Cert Type | Behavior
IPSEC | Enable, disable, or read CRL Check on the node regarding Security Gateway communication.
OAM | Enable, disable, or read CRL Check on the node regarding ENM Services communication.
ALL | Enable or disable CRL Check on the node regarding both Security Gateway and ENM Services communication.


11.1.4 Introduce CDPS Extension

This task gives an overview of how to manage the CDPS extension in all End Entity
and CA Certificates.

To manage CRL Check on a node, the CDPS extension must be present in all End
Entity and CA Certificates.

Those certificates must be reissued after enabling the CRL Distribution Point
Location extension for the CDPS extension to be present in them.

For ENM services, the CredM CLI runs every 30 minutes to check the status of
the ENM service certificate and reissues a new certificate if it is revoked. Hence
the operator must wait for 30 minutes so that the new certificate is installed on the
ENM service.

For the SecGW, the operator must reissue the certificate and install it manually on
the SecGW.

Prerequisites
No prerequisites.

Steps

1. Enable the certificatesRevListDistributionPointServiceIpv4Enable
and certificatesRevListDistributionPointServiceIpv6Enable
parameters.
See View and Modify Configuration Parameters on page 12.

2. Reissue all ENM PKI Certificates.

For the CDPS extension to be present in all End Entity and CA Certificates,
those certificates must be reissued. See the section Reissue All ENM PKI
Certificates on page 346.

Results
CDPS extension is present in all End Entities and CA Certificates.

11.1.4.1 Reissue All ENM PKI Certificates

This task describes the procedure to reissue all End Entity and CA certificates.

Prerequisites

— System is up and running.

— Root CA exists in the system.

— ENM CLI is up and running.

— A user with the PKI Administrator role can trigger all operations of the certificate
command.

Steps

1. Disable credential manager checks.

See the section Disable Credential Manager Monitoring in the document
ENM Public Key Infrastructure System Administrator Guide, Reference [8].

2. List the hierarchy of all CA Entities.

pkiadm certmgmt CACert --listhierarchy --all

Note: Do not use options such as rekey or renew with revocation
while reissuing CAs.

Do not reissue the ENM_PKI_Root_CA as this breaks the
communications.

Example

pkiadm certmgmt CACert --reissue --entityname <name of CA> --reissuetype renew --level CA

Note: For further information on how to reissue CA certificates with
various available options, see online help.

3. List down all trust certificates.

pkiadm trustmgmt --list --entitytype ca

4. Unpublish CA Certificates from TDPS.

Unpublish only those CA certificates that were reissued in Step 2.

pkiadm trustmgmt --unpublish --entitytype ca --entityname <Name of CA>

5. Publish CA Certificates to TDPS.

Publish only those CA certificates that were unpublished in Step 4.

pkiadm trustmgmt --publish --entitytype ca --entityname <Name of CA>

6. Generate CRLs of all the CAs which are listed in Step 2.

pkiadm crlmgmt --generate --caentityname <Name of CA> --status active

7. Retrieve the Trust certificate state of all the nodes existing in the system.
Note the serial number and issuer of the trusted certificates for each node, as
they are used in Step 13.

secadm trust get -ct <IPSec|OAM> -nf file:<file name>

Example

8. Distribute trusts to all nodes and wait until the job for trust distribution to
nodes is completed successfully.

secadm trust distr -ct <IPSEC|OAM> -nf file:<file name>

Note: See online help to distribute trust to nodes with various available
options.

As part of IPsec setup, trusted certificates must be installed offline on the
Security Gateway for authentication.

For trust distribution on the Security Gateway, perform the procedure Trust
Distribution for Security Gateway on page 333.

9. Reissue the service certificate for haproxy-ext.

See the section Reissue Service Certificates in the document ENM Public Key
Infrastructure System Administrator Guide, Reference [8].

10. Re-enable CredM checks.

See the section Re-enable Credential Manager Monitoring in the document
ENM Public Key Infrastructure System Administrator Guide, Reference [8].

11. Reissue all node certificates and wait until the job to issue certificates for
nodes is completed successfully.

secadm certificate issue -ct <IPSEC|OAM> -xf file:<file name>

Note: See online help to reissue node certificates with various available
options.

12. Revoke all the inactive CA certificates.

All inactive CA certificates must be revoked in the following order:

— ENM_NBI_CA

— ENM_UI_CA

— ENM_Management_CA

— ENM_OAM_CA

— NE_OAM_CA

— NE_IPsec_CA

— NE_External_CA

— ENM_External_Entity_CA

— ENM_E-mail_CA

— ENM_Infrastructure_CA

pkiadm ctm CACert -l -en <<Name of CA>>

pkiadm revmgmt CA --revoke --issuername <<issuer name>> --serialno <<serial number>> --reasontext unspecified --invaliditydate <<invalidity date>>

Example

13. Remove old trust certificates from all the nodes after the new trust has been
distributed and node certificates have been reissued.

Note: Do not remove the ENM_PKI_ROOT_CA trust certificate, that is, the one whose
subject and issuer is ENM_PKI_ROOT_CA, from the nodes.

Use the issuer name and CA serial number of the trust certificates obtained in
Step 7.

secadm trust remove -ct <IPSec|OAM> --issuer-dn "<issuer_name>" -sn <ca serialnumber> -nf file:<file name>

Note: See online help to remove trust from nodes with various available
options.

Results
All End Entity and CA certificates are reissued.

11.1.5 Enable Certificate Revocation Check on Nodes

Actors
NodeSecurity_Administrator is allowed to perform CRL Check Enable operation.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Steps

1. Enable CRL check on OAM.

secadm enable crlcheck --certtype OAM --nodelist LTE04dg2ERBS00002

or


secadm enable crlcheck -ct OAM -n LTE04dg2ERBS00002

2. Enable CRL check on IPsec.

secadm enable crlcheck --certtype IPSEC --nodelist LTE04dg2ERBS00002

or

secadm enable crlcheck -ct IPSEC -n LTE04dg2ERBS00002

3. Enable CRL check on both IPsec and OAM.

secadm enable crlcheck --certtype ALL --nodelist LTE04dg2ERBS00002

or

secadm enable crlcheck -ct ALL -n LTE04dg2ERBS00002

4. Enable CRL check on multiple nodes, using a file as input.

To enable CRL check on OAM, run the following ENM CLI command:

secadm enable crlcheck --certtype OAM --nodefile file:NodeFile.txt

or

secadm enable crlcheck -ct OAM -nf file:NodeFile.txt

5. Enable CRL check on IPsec.

secadm enable crlcheck --certtype IPSEC --nodefile file:NodeFile.txt

or

secadm enable crlcheck -ct IPSEC -nf file:NodeFile.txt

6. Enable CRL check on both IPsec and OAM.

secadm enable crlcheck --certtype ALL --nodefile file:NodeFile.txt

or

secadm enable crlcheck -ct ALL -nf file:NodeFile.txt


7. Enable CRL check by using saved search.

secadm enable crlcheck --certtype OAM --savedsearch save1

8. Enable CRL check by using collection.

secadm enable crlcheck --certtype ALL --collection collection1

See online help for more details.

9. Verify that CRL Check is enabled on the node. See Read Certificate Revocation
Check Status on Nodes.

Results
Successfully started a job for CRL Check enable operation. Perform secadm job
get -j <JOB_ID> to get progress info.

The sample output of the command is as follows:

The CRL Check must be activated on the specified nodes.

11.1.6 Disable Certificate Revocation Check on Nodes

Actors
NodeSecurity_Administrator is allowed to perform CRL Check Disable operation.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Steps

1. Disable CRL check on OAM.

secadm disable crlcheck --certtype OAM --nodelist LTE04dg2ERBS00002

or

secadm disable crlcheck -ct OAM -n LTE04dg2ERBS00002


2. Disable CRL check on IPsec.

secadm disable crlcheck --certtype IPSEC --nodelist LTE04dg2ERBS00002

or

secadm disable crlcheck -ct IPSEC -n LTE04dg2ERBS00002

3. Disable CRL check on both IPsec and OAM.

secadm disable crlcheck --certtype ALL --nodelist LTE04dg2ERBS00002

or

secadm disable crlcheck -ct ALL -n LTE04dg2ERBS00002

4. Disable CRL check on multiple nodes, using a file as input.

To disable CRL check on the OAM TrustCategory MO instance, run the
following ENM CLI command:

secadm disable crlcheck --certtype OAM --nodefile file:NodeFile.txt

or

secadm disable crlcheck -ct OAM -nf file:NodeFile.txt

5. Disable CRL check on IPsec TrustCategory MO instance.

secadm disable crlcheck --certtype IPSEC --nodefile file:NodeFile.txt

or

secadm disable crlcheck -ct IPSEC -nf file:NodeFile.txt

6. Disable CRL check on both IPsec and OAM.

secadm disable crlcheck --certtype ALL --nodefile file:NodeFile.txt

or

secadm disable crlcheck -ct ALL -nf file:NodeFile.txt

7. Disable CRL check by using saved search.

secadm disable crlcheck --certtype OAM --savedsearch save1


8. Disable CRL check by using collection.

secadm disable crlcheck --certtype ALL --collection collection1

See online help for more details.

9. Verify that CRL Check is disabled on the node. See Read Certificate Revocation
Check Status on Nodes.

Results
Successfully started a job for CRL Check disable operation. Perform secadm job
get -j <JOB_ID> to get progress info.

The sample output of the command is as follows:

The CRL Check must be deactivated on the specified nodes.

11.1.7 Read Certificate Revocation Check Status on Nodes

Actors
NodeSecurity_Administrator and NodeSecurity_Operator are allowed to perform
CRL Check Read operation.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Steps

1. Verify if CRL Check is ACTIVATED or DEACTIVATED successfully.

For OAM:

secadm read crlcheck --certtype OAM --nodelist LTE04dg2ERBS00002

or

secadm read crlcheck -ct OAM -n LTE04dg2ERBS00002

For IPsec:

secadm read crlcheck --certtype IPSEC --nodelist LTE04dg2ERBS00002

or

secadm read crlcheck -ct IPSEC -n LTE04dg2ERBS00002

2. Verify CRL Check on multiple nodes.

For OAM:

secadm read crlcheck --certtype OAM --nodefile file:NodeFile.txt

or

secadm read crlcheck -ct OAM -nf file:NodeFile.txt

For IPsec:

secadm read crlcheck --certtype IPSEC --nodefile file:NodeFile.txt

or

secadm read crlcheck -ct IPSEC -nf file:NodeFile.txt

Results
The expected result for OAM is:

The expected result for IPsec is:


11.1.8 On-Demand CRL Download on Node


The on-demand CRL download feature enables the operator to download the latest CRL
on the node irrespective of the expiry of the existing CRL on the node.

Usually, the latest CRL is fetched only when the existing CRL on the node
has expired. However, the operator can use this feature to update the node with the
latest CRL before the existing CRL expires.

Table 24 Node Behavior for CRL Download

Node Platform Type: COM/ECIM
Behavior for CRL Download: On executing the CRL Download command on Radio
Nodes, the CRL Download process starts immediately.

Node Platform Type: CPP
Behavior for CRL Download: On executing the CRL Download command on CPP
nodes, the CRL Download process starts immediately. In addition, for CPP nodes
the CRL download is repeated at every set time interval. The CRL Download time
interval is set to a default value of 60 minutes if the existing interval is 0; non-zero
interval values are retained. The interval can be changed by using the cmedit
command described in the section Modify CRL Early Update Time Interval. The
maximum value that can be set for the interval is 1440 minutes.

Actors
NodeSecurity_Administrator is allowed to perform On-Demand CRL Download
operation.

Cmedit_Administrator is allowed to modify the value of the CRL early update
time interval.

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— The nodes must be in SYNC status.

— CDPS extension must be present in all the certificates of CA and End Entity.

— Based on the network type, the peer certificate must contain the respective
CDPS URL. For example, if the node is in an IPv4 network, its peer certificate
must contain the IPv4 CDPS URL. Similarly, if the node is in an IPv6 network, its
peer certificate must contain the IPv6 CDPS URL.

— CRL Check (see Enable Certificate Revocation Check on Nodes on page 350) must
have been enabled on the node at least once, and the TLS or IPsec connection to
the ENM service must have been reestablished at least once after activating the
CRL Check.

— For CPP node, the node must be in SL2.

Steps

1. Download CRL on a single node.

Run the following ENM CLI command:

secadm crl download --nodelist LTE07dg2ERBS00001

or

secadm crl dl -n LTE07dg2ERBS00001

2. Download CRL on multiple nodes by providing the node names in a text file.
Run the following ENM CLI command:

secadm crl download --nodefile file:NodeFile.txt

or

secadm crl download -nf file:NodeFile.txt

See the sample file input in NodeFile.txt.

3. Download CRL on nodes by using saved search.

Run the following ENM CLI command:

secadm crl download --savedsearch save1

4. Download CRL on nodes by using collection.

Run the following ENM CLI command:

secadm crl download --collection collection1

See online help for more details.

5. Verify CRL download on COM/ECIM Node.

See the procedure in Verify CRL Download on COM/ECIM Node on page 358.

6. Verify CRL download on CPP Node.

See the procedure in Verify CRL Download on CPP Node on page 359.

7. Retrieve CRL early update time interval.

See the procedure in Retrieve CRL Early Update Time Interval on page 359.

8. Modify CRL early update time interval.

See the procedure in Modify CRL Early Update Time Interval on page 359.

Results
Successfully started a job to download CRL on demand. Perform secadm job
get -j <JOB_ID> to get progress info.

The sample output of the command is as follows:

11.1.8.1 Verify CRL Download on COM/ECIM Node

This task verifies if the CRL has been downloaded on the COM/ECIM node.

Steps

1. Run the cmedit command to verify if the CRL is downloaded on the COM/ECIM
node:

cmedit get ManagedElement=LTE01dg2ERBS00001,SystemFunctions=1,SecM=1,CertM=1

2. Check the reportProgress and resultInfo attributes to verify if the CRL has
been downloaded successfully.
If the reportProgress attribute contains actionName as downloadCrl, and
resultInfo contains CRL download finished successfully, then the CRL has
been successfully downloaded on the node. The sample output of the
success scenario verification is:


11.1.8.2 Verify CRL Download on CPP Node

This task verifies if CRL has been downloaded on CPP nodes.

Steps

1. Search with the keyword CPPOnDemandCrlDownload&& <Node_Name> in
logviewer:

INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (job-executor-tp-threads - 14) [administrator, WorkFlow Task Handler [CPPOnDemandCrlDownloadTask], STARTED, Node Security Service, node [ERBS01], task params [CPPOnDemandCrlDownloadTask:{workflowInstanceId=144fcb1c-e230-11e6-8d90-52540044447f,businessKey=secwf_MeContext=ERBS01,executionId=1450dc92-e230-11e6-8d90-52540044447f,workflowDefinitionId=CPPOnDemandCrlDownload,activationStep=null,nodeFdn=NetworkElement=ERBS01}] : workflow name [CPPOnDemandCrlDownload] : workflow id [144fcb1c-e230-11e6-8d90-52540044447f]

2. Identify the workflow ID '144fcb1c-e230-11e6-8d90-52540044447f' from
the previous log entry.
Search with the workflow ID; the message 'FINISHED_WITH_SUCCESS'
is displayed:

INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (job-executor-tp-threads - 14) [administrator, WorkFlow Handler [CPPOnDemandCrlDownload], FINISHED_WITH_SUCCESS, Node Security Service, node [NetworkElement=ERBS01], workflow id [144fcb1c-e230-11e6-8d90-52540044447f] : Workflow successfully completed with jobID: N/A, wfStatusId: null, activationStep: null]
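The two-step logviewer search above can be scripted. The following Python is an added example, not part of ENM: it takes the two COMMAND_LOGGER lines quoted in this section (reflowed onto single lines) as sample input, extracts the workflow ID and status from each entry, and confirms that the workflow for the node reached FINISHED_WITH_SUCCESS.

```python
"""Correlate logviewer COMMAND_LOGGER entries to verify an on-demand CRL download
on a CPP node. Added example, not ENM code."""
import re

# Sample input: the two COMMAND_LOGGER lines shown in the guide, reflowed onto
# single lines (the guide's own sample, not output captured from a live system).
SAMPLE_LOG = [
    "INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (job-executor-tp-threads - 14) "
    "[administrator, WorkFlow Task Handler [CPPOnDemandCrlDownloadTask], STARTED, "
    "Node Security Service, node [ERBS01], task params [CPPOnDemandCrlDownloadTask:"
    "{workflowInstanceId=144fcb1c-e230-11e6-8d90-52540044447f,"
    "businessKey=secwf_MeContext=ERBS01,"
    "executionId=1450dc92-e230-11e6-8d90-52540044447f,"
    "workflowDefinitionId=CPPOnDemandCrlDownload,activationStep=null,"
    "nodeFdn=NetworkElement=ERBS01}] : workflow name [CPPOnDemandCrlDownload] : "
    "workflow id [144fcb1c-e230-11e6-8d90-52540044447f]",
    "INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (job-executor-tp-threads - 14) "
    "[administrator, WorkFlow Handler [CPPOnDemandCrlDownload], FINISHED_WITH_SUCCESS, "
    "Node Security Service, node [NetworkElement=ERBS01], "
    "workflow id [144fcb1c-e230-11e6-8d90-52540044447f] : "
    "Workflow successfully completed with jobID: N/A, wfStatusId: null, "
    "activationStep: null]",
]

WORKFLOW_NAME = "CPPOnDemandCrlDownload"
# "..., <STATUS>, Node Security Service, node [<name or NetworkElement=name>]"
EVENT_RE = re.compile(
    r"\],\s*([A-Z_]+),\s*Node Security Service,\s*node \[(?:NetworkElement=)?([^\]]+)\]"
)
WF_ID_RE = re.compile(r"workflow id \[([0-9a-f-]+)\]")


def crl_download_events(lines):
    """Return {workflow_id: {"node": name, "events": [status, ...]}} for every
    CPPOnDemandCrlDownload workflow found in the given logviewer lines."""
    workflows = {}
    for line in lines:
        if "COMMAND_LOGGER" not in line or WORKFLOW_NAME not in line:
            continue
        event, wf_id = EVENT_RE.search(line), WF_ID_RE.search(line)
        if not (event and wf_id):
            continue  # not a workflow status entry
        status, node = event.groups()
        entry = workflows.setdefault(wf_id.group(1), {"node": node, "events": []})
        entry["events"].append(status)
    return workflows


def verify_crl_download(lines, node):
    """True only if a CRL download workflow for `node` was STARTED and also logged
    FINISHED_WITH_SUCCESS; a STARTED entry alone is not a successful download."""
    for wf in crl_download_events(lines).values():
        if wf["node"] == node and "STARTED" in wf["events"] \
                and "FINISHED_WITH_SUCCESS" in wf["events"]:
            return True
    return False


if __name__ == "__main__":
    for wf_id, wf in crl_download_events(SAMPLE_LOG).items():
        print(wf_id, wf["node"], " -> ".join(wf["events"]))
    print("ERBS01 download verified:", verify_crl_download(SAMPLE_LOG, "ERBS01"))
```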

11.1.8.3 Modify CRL Early Update Time Interval

1. Run the cmedit command:

cmedit set MeContext=ERBS00001,ManagedElement=1,SystemFunctions=1,Security=1 crlEarlyUpdateInterval=<required_value>

Example

11.1.8.4 Retrieve CRL Early Update Time Interval

1. Run the cmedit command to view the existing value of the CRL early update
time interval:

cmedit get MeContext=LTE05ERBS00001,ManagedElement=1,SystemFunctions=1,Security=1


The sample output of the command is:


12 Manual Procedure to Fetch Security File Values

This procedure describes steps to get the values to form the vSecurity file
manually.

Actors
Authorized for: PKI_Administrator

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— ENM CLI must be up and running in ENM.

— Entity must be created in the system. To create an entity, see Create Entity
for VNFM on page 362.

— After the XML creation, do not lose the OTP value given in the XML, as it is
not possible to retrieve it once the entity is created.

Steps

1. Fetch cmpv2Server URL.

Note: Do the following to get the values of the fields required to form the
vSecurity file.

See Fetch CMPv2ServerURL on page 365 to get the URL.

2. Fetch cmpv2CaName.

a. Retrieve the subjectDN of NE_OAM_CA:

pkiadm ctm CACert -l -en NE_OAM_CA

b. Copy the subjectDN and use the same value as input for
cmpv2CaName.

Example
enrollmentAuthorityName = OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=NE_OAM_CA


3. Calculate cmpv2MsgSignerFingerprint.

See the procedure described in: Fetch CA Fingerprint on page 364

4. Fetch cmpv2Challenge attribute.

The cmpv2Challenge attribute is the same as the OTP field provided in the
entity.xml in the procedure Create Entity for VNFM on page 362.

5. Fetch subjectName attribute.

From the XML, obtain all the values that are in <SubjectField> tag used to
create the entity.

Example
SubjectName is OU=BUCI DUAC NAM,C=SE,O=ERICSSON,CN=VNFM-01

SubjectField | Acronym
OrganisationUnit | OU
Country | C
Common Name | CN
Organisation | O

Results
The following field values are obtained:

Security File Fields | Json File Fields | Description
url | cmpv2Servers | URL of the CMP server which is used by the node to get a certificate.
issuerCA | cmpv2CaName | SubjectDN of the CA that issues the certificate to the node.
enrollmentCaFingerprint | cmpv2MsgSignerFingerprint | Fingerprint of the root CA in the ENM system.
subjectName | SubjectName | SubjectDN of the node.
challengePassword | cmpv2Challenge | One time password or pre-shared key that is used to authenticate the node towards ENM.

12.1 Create Entity for VNFM

Actors
Authorized for: PKI_EE_ADMINISTRATOR, Action : execute

Authorized for: PKI_OPERATOR, Action : execute

Authorized for: PKI_ADMINISTRATOR, Action : execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].


Steps

1. Create an entity with Create Entity for VNFM XML Template on page 363.

2. Create the End Entity.

Drag and drop the XML file created in step 1 into the ENM CLI and run the
following ENM CLI command:

pkiadm etm -c -xf file:<<Entity>>.xml

The entity must be successfully generated in ENM.

3. Verify that the End Entity has been created.

List all End Entities in the ENM PKI system with the following ENM CLI
command:

pkiadm etm -l -type ee

The End Entity must be present in the list.

Results
Entity must be created successfully.

12.1.1 Create Entity for VNFM XML Template

Example 5
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="DUSGen2OAM_CHAIN_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>Node-OAM</Name>
    </Category>
    <EntityInfo>
      <Name>%VNFMName%</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>ERICSSON</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>BUCI DUAC NAM</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>SE</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>%VNFMName%</Value>
        </SubjectField>
      </Subject>
      <OTP>TestPassw0rd</OTP>
      <OTPCount>5</OTPCount>
    </EntityInfo>
    <OTPValidityPeriod>300</OTPValidityPeriod>
  </Entity>
</Entities>

In the XML creation, the following rule must be respected:

— Replace %VNFMName% with the name of the VNFM everywhere in the XML and
save it. For example, VNFM-01.

12.2 Fetch CA Fingerprint

This procedure describes the method to fetch
<cmpv2MsgSignerFingerprint>.

Actors
Authorized for: PKI_ADMINISTRATOR, Action : execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Access to Linux environment with openssl.

Steps

1. Download the ENM Root CA Certificate:

pkiadm certmgmt CACert -expcert -en ENM_PKI_Root_CA -f PEM

2. Retrieve the CA Fingerprint.

Run the following command on any Linux environment that has openssl:

openssl x509 -in <path>/ENM_PKI_Root_CA.pem -sha1 -noout -fingerprint

3. Copy the Fingerprint and set the value to the cmpv2MsgSignerFingerprint
attribute.

Results
cmpv2MsgSignerFingerprint or CA Fingerprint must be obtained.


12.3 Fetch CMPv2ServerURL

Prerequisites
No prerequisites.

Steps

1. Read the IP address parameters sbLoadBalancerIPv4Address and
sbLoadBalancerIPv6Address.
See View and Modify Configuration Parameters on page 12.

2. Replace <hostAddress> in the following URL with the retrieved IP address and
use the resulting URL as the value of the cmpv2Servers attribute:

http://<hostAddress>:8091/pkira-cmp/synch

Results
cmpv2 Server URL must be obtained.
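The values fetched by hand in this chapter can be assembled into the security file fields programmatically. The following Python is an added example, not ENM code: it derives subjectName and cmpv2Challenge from a constructed entity XML, computes the SHA-1 fingerprint the way the openssl command in Fetch CA Fingerprint does (shown on a constructed PEM stand-in, not a real certificate), and forms the CMPv2 server URL. The DN attribute order (OU, C, O, CN, following the SubjectName example above) and the bracketing of an IPv6 host are this example's assumptions.

```python
"""Assemble the vSecurity file fields from the artifacts chapter 12 tells the operator
to fetch. Added example, not ENM code; inputs are constructed stand-ins."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed entity XML: the VNFM template with %VNFMName% replaced by VNFM-01.
ENTITY_XML = """<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <EntityInfo>
      <Name>VNFM-01</Name>
      <Subject>
        <SubjectField><Type>ORGANIZATION</Type><Value>ERICSSON</Value></SubjectField>
        <SubjectField><Type>ORGANIZATION_UNIT</Type><Value>BUCI DUAC NAM</Value></SubjectField>
        <SubjectField><Type>COUNTRY_NAME</Type><Value>SE</Value></SubjectField>
        <SubjectField><Type>COMMON_NAME</Type><Value>VNFM-01</Value></SubjectField>
      </Subject>
      <OTP>TestPassw0rd</OTP>
    </EntityInfo>
  </Entity>
</Entities>"""

# Constructed stand-in for ENM_PKI_Root_CA.pem: a PEM wrapper around the bytes b"abc",
# NOT a real certificate. The fingerprint arithmetic is the same for a real one.
FAKE_ROOT_CA_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# SubjectField acronyms from the guide's table. The DN attribute order follows the
# guide's SubjectName example (OU, C, O, CN); that ordering is an assumption here.
ACRONYM = {"ORGANIZATION_UNIT": "OU", "COUNTRY_NAME": "C",
           "ORGANIZATION": "O", "COMMON_NAME": "CN"}
DN_ORDER = ("OU", "C", "O", "CN")


def subject_name_from_entity_xml(xml_text):
    """Step 5: build subjectName from the <SubjectField> elements of the entity XML."""
    fields = {}
    for sf in ET.fromstring(xml_text).iter("SubjectField"):
        fields[ACRONYM[sf.findtext("Type")]] = sf.findtext("Value")
    return ",".join(f"{k}={fields[k]}" for k in DN_ORDER if k in fields)


def otp_from_entity_xml(xml_text):
    """Step 4: cmpv2Challenge is the OTP given in the entity XML."""
    return ET.fromstring(xml_text).findtext(".//OTP")


def sha1_fingerprint(pem_text):
    """Step 3: the value `openssl x509 -sha1 -noout -fingerprint` prints, i.e. SHA-1
    over the DER bytes, upper-case hex, colon separated."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    digest = hashlib.sha1(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cmpv2_server_url(host_address):
    """Step 1: cmpv2Servers URL with hostAddress = sbLoadBalancerIPv4Address or
    sbLoadBalancerIPv6Address. Bracketing an IPv6 literal is an assumption of this
    example (URL syntax); check what your deployment expects."""
    if ":" in host_address and not host_address.startswith("["):
        host_address = f"[{host_address}]"
    return f"http://{host_address}:8091/pkira-cmp/synch"


def build_vsecurity_fields(host_address, issuer_ca_dn, root_ca_pem, entity_xml):
    """Map the fetched values onto the Security File Fields of the Results table."""
    return {
        "url": cmpv2_server_url(host_address),
        "issuerCA": issuer_ca_dn,  # subjectDN of NE_OAM_CA (step 2)
        "enrollmentCaFingerprint": sha1_fingerprint(root_ca_pem),
        "subjectName": subject_name_from_entity_xml(entity_xml),
        "challengePassword": otp_from_entity_xml(entity_xml),
    }


if __name__ == "__main__":
    # 10.0.0.1 is a constructed sample address, not an ENM default.
    fields = build_vsecurity_fields("10.0.0.1", "OU=BUCI_DUAC_NAM,C=SE,O=ERICSSON,CN=NE_OAM_CA",
                                    FAKE_ROOT_CA_PEM, ENTITY_XML)
    for name, value in fields.items():
        print(f"{name} = {value}")
```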


13 Ciphers Management for Nodes

Cipher Management for nodes provides the capability to set the ciphers to be
enabled on a node, chosen from the ciphers the node supports.

It also supports listing the enabled and the supported ciphers of the node.

13.1 Cipher Modernization for OAM

The Set ciphers procedure allows the user to enable, disable, and rank the ciphers
supported by the nodes and set them as the enabled ciphers. These enabled ciphers
are used in secure network protocol communication and are agreed between a node
and the server through a handshake procedure.

The Get ciphers procedure allows the user to get the supported and enabled
ciphers on the node. The enabled ciphers are either a subset of or equal to the
listed supported ciphers.

Note: The Set ciphers procedure can disrupt the server-client connectivity if
used improperly. The connection setup can fail if a common cipher
cannot be found between an external client and the node. Furthermore,
if the user accidentally resets the cipher suites configuration to a default
configuration, it can weaken the network security. It is therefore
important to perform the cipher suites configuration in a controlled and
careful way.

Before executing the Set ciphers procedure, the user must get the supported ciphers
on the given nodes, because only those ciphers can be added, removed, and ranked
in the enabled ciphers list. It is the responsibility of the user to know which ciphers
to add or remove and how to rank them. To get the ciphers on the node, see Get
Ciphers on Nodes on page 384.

Based on these capabilities and knowing the list of ciphers supported by
ENM (see Table 25), the user can drive the selection of ciphers during the
handshake with the following steps:

— List the ciphers supported by a node (or a list of nodes of the same type) for a
specific protocol.

— Enable the strong ciphers on the nodes by placing them at the top
rank of the list. These ciphers must be supported by ENM. See Table 25 for
the list of ENM Supported Ciphers.
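As an added illustration of these two steps (example code, not ENM's own), the following Python intersects a constructed node cipher list with the ENM-supported TLSv1.2 LDAP ciphers from Table 25 and ranks the common suites strongest first, while reporting node ciphers ENM cannot negotiate. The strength tiers are this example's assumption, not an ENM rule.

```python
"""Rank the ciphers to enable on a node: keep only suites both the node and ENM
support for the protocol, strongest first. Added example, not ENM code."""

# ENM-supported TLSv1.2 ciphers for LDAP on ECIM/ER6000/Router8800, from Table 25.
ENM_LDAP_TLS12 = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed stand-in for what a node's "get ciphers" output lists as supported.
NODE_SUPPORTED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          # not in the ENM LDAP list
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",                 # TLS 1.3 suite, not in the ENM list
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def strength_rank(cipher):
    """Sort key, lower is stronger. The tiers are this example's assumption, not an
    ENM rule: forward-secret AEAD first, then other AEAD, AES-CBC with SHA-2,
    AES-CBC with SHA-1, and 3DES last; within a tier a 256-bit key outranks 128."""
    forward_secret = "DHE_" in cipher  # matches ECDHE_ and DHE_, not static ECDH_
    if "3DES" in cipher:
        tier = 4
    elif "_GCM_" in cipher:
        tier = 0 if forward_secret else 1
    elif cipher.endswith(("_SHA256", "_SHA384")):
        tier = 2
    else:
        tier = 3
    return (tier, 0 if forward_secret else 1, 0 if "_256_" in cipher else 1, cipher)


def ranked_enabled_ciphers(node_supported, enm_supported):
    """Ciphers to put in the node's enabled list, strongest first."""
    usable = set(enm_supported)
    return sorted((c for c in node_supported if c in usable), key=strength_rank)


def rejected_ciphers(node_supported, enm_supported):
    """Node ciphers ENM cannot negotiate; enabling only these would break connectivity."""
    usable = set(enm_supported)
    return [c for c in node_supported if c not in usable]


if __name__ == "__main__":
    print("enable, in rank order:")
    for c in ranked_enabled_ciphers(NODE_SUPPORTED, ENM_LDAP_TLS12):
        print("  ", c)
    print("not supported by ENM for LDAP:", rejected_ciphers(NODE_SUPPORTED, ENM_LDAP_TLS12))
```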

Configuration of ciphers is provided for the following network protocols:

— Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Hypertext
Transfer Protocol Secure (HTTPS)

— Secure Shell (SSH) and Secure File Transfer Protocol (SFTP)

The table lists the ciphers supported by ENM for each protocol type.

Table 25

Platform Type: ECIM, ER6000, Router8800
ENM Supported TLS Protocol: LDAP
ENM Supported Ciphers in TLSv1.2:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
ENM Supported Ciphers in TLSv1:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

Platform Type: ECIM
ENM Supported TLS Protocol: FTPES
ENM Supported Ciphers in TLSv1.2:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
ENM Supported Ciphers in TLSv1:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Platform Type: CPP, ECIM, ER6000, Router8800
ENM Supported TLS Protocol: SSL/TLS/HTTPS
ENM Supported Ciphers in TLSv1.2:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
ENM Supported Ciphers in TLSv1:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Platform Type: ECIM, ER6000, Router8800
ENM Supported TLS Protocol: SSL/TLS (NETCONF Over TLS)
ENM Supported Ciphers in TLSv1:
TLS_RSA_WITH_AES_128_CBC_SHA
ENM Supported Ciphers in TLSv1.2 (list continues on the next table page):
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_A
ES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_A
ES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_
256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA256
TLS_RSA_WITH_AES_256_CB
C_SHA256
TLS_RSA_WITH_AES_128_CB
C_SHA256
TLS_ECDH_ECDSA_WITH_AE
S_256_CBC_SHA384

370 2/1543-AOM 901 151-2 Uen DE | 2023-01-31


Ciphers Management for Nodes

Platform Type ENM Supported TLS Protocol ENM Supported Ciphers in ENM Supported Ciphers in
TLSv1.2 TLSv1
TLS_ECDH_ECDSA_WITH_AE
S_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_2
56_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_1
28_CBC_SHA256
TLS_DHE_RSA_WITH_AES_25
6_CBC_SHA256
TLS_DHE_RSA_WITH_AES_12
8_CBC_SHA256
TLS_RSA_WITH_AES_128_CB
C_SHA
TLS_EMPTY_RENEGOTIATIO
N_INFO_SCSV
CPP CORBA over SSL TLS_ECDHE_RSA_WITH_AES_ TLS_ECDHE_RSA_WITH_AES_
256_GCM_SHA384 256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_ TLS_RSA_WITH_AES_256_CB
128_GCM_SHA256 C_SHA
TLS_RSA_WITH_AES_256_GC TLS_ECDHE_RSA_WITH_AES_
M_SHA384 128_CBC_SHA
TLS_RSA_WITH_AES_128_GC TLS_RSA_WITH_AES_128_CB
M_SHA256 C_SHA
TLS_DHE_RSA_WITH_AES_25 TLS_ECDHE_RSA_WITH_3DE
6_GCM_SHA384 S_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_12 SSL_RSA_WITH_3DES_EDE_C
8_GCM_SHA256 BC_SHA
TLS_ECDHE_RSA_WITH_AES_
256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_
256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA
TLS_RSA_WITH_AES_256_CB
C_SHA256
TLS_RSA_WITH_AES_256_CB
C_SHA
TLS_RSA_WITH_AES_128_CB
C_SHA256
TLS_RSA_WITH_AES_128_CB
C_SHA
TLS_DHE_RSA_WITH_AES_25
6_CBC_SHA256
TLS_DHE_RSA_WITH_AES_12
8_CBC_SHA256
TLS_ECDHE_RSA_WITH_3DE
S_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_C
BC_SHA
TLS_EMPTY_RENEGOTIATIO
N_INFO_SCSV

Table 26

Platform Type: CPP, ECIM
ENM Supported Protocol: SSH/SFTP
ENM Supported Protocol Version and 3PP Version: SSH-2.0-OpenSSH_7.4 in AMOS Service
ENM Supported Ciphers:
KEY EXCHANGE ALGORITHMS:
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
ENCRYPTION ALGORITHMS:
chacha20-poly1305@openssh.com
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
aes128-cbc
aes192-cbc
aes256-cbc
MAC ALGORITHMS:
umac-64-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha1

Platform Type: CPP, ECIM, ER6000, MINI-LINK Outdoor, MINI-LINK Indoor
ENM Supported Protocol: SSH/SFTP
ENM Supported Protocol Version and 3PP Version: SSH-2.0-OpenSSH_7.4 in SMRS Service
ENM Supported Ciphers:
KEY EXCHANGE ALGORITHMS:
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
ENCRYPTION ALGORITHMS:
aes256-ctr
aes192-ctr
aes128-ctr
aes256-cbc
aes192-cbc
aes128-cbc
blowfish-cbc
cast128-cbc
3des-cbc
[email protected]
MAC ALGORITHMS:
hmac-sha2-512
hmac-sha2-256
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-md5
hmac-sha1-96
hmac-md5-96
[email protected]

Platform Type: CPP, ECIM, MINI-LINK Outdoor, MINI-LINK Indoor, ER6000
ENM Supported Protocol: SSH/SFTP
ENM Supported Protocol Version and 3PP Version: SSH-2.0-maverick_legacy_1.6.5
ENM Supported Ciphers:
KEY EXCHANGE ALGORITHMS:
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
ENCRYPTION ALGORITHMS:
aes256-ctr
aes192-ctr
aes128-ctr
aes256-cbc
aes192-cbc
aes128-cbc
3des-cbc
arcfour
arcfour128
arcfour256
MAC ALGORITHMS:
hmac-sha2-256
hmac-sha2-512-96
hmac-sha2-512
hmac-sha2-256-96
hmac-sha1
hmac-sha1-96
hmac-md5
hmac-md5-96
hmac-sha256
[email protected]
hmac-sha512
[email protected]

Platform Type: CPP, ECIM
ENM Supported Protocol: SSH/SFTP
ENM Supported Protocol Version and 3PP Version: SSH-2.0-JSCH-0.1.53
ENM Supported Ciphers:
KEY EXCHANGE ALGORITHMS:
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
ENCRYPTION ALGORITHMS:
aes128-ctr
aes128-cbc
3des-ctr
3des-cbc
blowfish-cbc
aes192-ctr
aes192-cbc
aes256-ctr
aes256-cbc
MAC ALGORITHMS:
hmac-md5
hmac-sha1
hmac-sha2-256
hmac-sha1-96
hmac-md5-96

Platform Type: CPP, ECIM
ENM Supported Protocol: SSH/SFTP
ENM Supported Protocol Version and 3PP Version: SSH-2.0-JSCH-0.1.54
ENM Supported Ciphers:
KEY EXCHANGE ALGORITHMS:
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
ENCRYPTION ALGORITHMS:
aes256-ctr
aes192-ctr
aes128-ctr
aes256-cbc
aes192-cbc
aes128-cbc
MAC ALGORITHMS:
hmac-sha2-256
hmac-sha1

Supported Network Element Types and Node Versions for Cipher Management on
Nodes

The Cipher Management feature is supported for the following Network Element
types; the supported NE release is given in the table:

Table 27
Network Element Type | NE Release
eNodeB Baseband Radio Node | 17A onwards
NodeB Baseband Radio Node | 17A onwards
GSM Baseband Radio Node | 17A onwards
Baseband T (T605) | 17A onwards
Router6672 | 17B onwards
Router6675 | 18A onwards
Router6x71 | 18A onwards
Router6274 | 18Q2GA onwards
Router6273 | 20.Q1 onwards
Router6673 | 21.Q3 onwards
MGW | SSH Support - MGW6.8.6.0 onwards; TLS Support - MGW6.9.0.0 onwards
NodeB DU Radio Node | SSH Support - W17.Q3 onwards; TLS Support - W17.Q4 onwards
eNodeB DU Radio Node (Micro & Macro RBS) | SSH Support - L17.Q3 onwards; TLS Support - L17.Q4 onwards
vPP (ECIM) | SSH Support - 17.Q3 onwards; TLS Support - 17.Q3 onwards
5GRadioNode (ECIM) | SSH Support - 18.Q4 onwards; TLS Support - 18.Q4 onwards
Fronthaul 6020 | 20.Q2.1 onwards
Controller6610 | 21.EX1 onwards


Prerequisites

— Nodes must be in SYNC status.

— OAM Certificate Enrollment must be done on nodes for HTTPS Communication.

Set Ciphers on Nodes

To set ciphers on nodes, perform the procedure described in the section Set
Ciphers on Nodes on page 375.

List Ciphers on Nodes

To list ciphers on nodes, perform the procedure described in the section Get
Ciphers on Nodes on page 384.

13.1.1 Set Ciphers on Nodes

This section describes the procedure to set ciphers on the given nodes for
SSH, SFTP, SSL, TLS, and HTTPS protocols.

13.1.1.1 Set Ciphers on Nodes for SSH and SFTP Protocol

The Set Ciphers procedure lets the user enable, disable, and rank Key
Exchange Algorithms, MAC Algorithms, and Encryption Algorithms on the
nodes.

Note: The SSH-based server components are automatically restarted upon
completion of the configuration request to set ciphers under the SSH and
SFTP protocols. If there are any active SSH-based connections established to
the node, these are lost and the user has to connect again. The enabled
ciphers are ranked in the order provided by the user in the command input
for Key Exchange Algorithms, MAC Algorithms, and Encryption Algorithms. The
enabled ciphers, with the rank defined by the user, are then used by the
nodes for establishing secure communication with ENM. The user can set
ciphers on a single node or on multiple nodes.

Actors
Authorized for: NodeSecurity_Administrator, Action: update

Authorized for: CustomUser with ciphers update capability, Action: update

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].


Result
Successfully started a job to set ciphers for nodes. Perform secadm job get -j
<Job Id> to get progress information.

The provided ciphers are set on the nodes. To verify that the Set Ciphers
procedure on the nodes was successful, execute the Get Ciphers on Nodes command
(see Get Ciphers on Nodes on page 384) in the ENM CLI and check the Enabled
Ciphers.

13.1.1.2 Set Ciphers on Nodes for SSL/TLS/HTTPS Protocol

The Set Ciphers procedure lets the user enable, disable, and rank the cipher
suites on the nodes.

Internally, the node selects the cipher suites from its list of supported
cipher suites on the basis of the Cipher Filter value provided in the command
by the operator. The enabled cipher suites are ranked in the order given in the
Cipher Filter value in the command, and the same cipher suites are used by the
nodes for establishing secure communication. The user can set cipher suites on
a single node or on multiple nodes.

Notes:

— While setting ciphers for COM/ECIM nodes, make sure that the cipher suites
being set are supported by the node's supported protocols, as listed in the
tables in Ciphers Management for Nodes on page 366.

— While setting ciphers for CPP nodes, make sure that the cipher suites being
set are supported by the node's supported protocols, as listed in the tables
in Ciphers Management for Nodes on page 366.

— When setting cipherFilter with a specific cipher suite, the cipher name must
be built as "KeyExchange-Authentication-Encryption-MAC (Message Authentication
Code)" algorithms; do not use the exact cipher suite name present on the node
to set cipherFilter. Examples are given in the following table:

Table 28
Cipher Suite Name | KeyExchange | Authentication | Encryption | MAC | CipherFilter Format
TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA | RSA | AES-256-CBC | SHA256 | RSA-RSA-AES-256-CBC-SHA256 (in such a cipher suite both the KeyExchange and the Authentication algorithms are RSA)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE | ECDSA | AES_256_CBC | SHA384 | ECDHE-ECDSA-AES-256-CBC-SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE | RSA | AES_128_GCM | SHA256 | DHE-RSA-AES-128-GCM-SHA256

— In the enabled ciphers on the node, there must be at least one cipher
suite whose authentication algorithm is the same as the server public key
algorithm.

Examples:

TLS connection between Radionodes and ENM (CM Mediation), where the node is
the TLS server and ENM (CM Mediation) is the TLS client:

If a DG2 node has been enrolled with an ECDSA certificate, then at least one
cipher suite with ECDSA as authentication algorithm must be enabled on the
node to establish a TLS connection with ENM (CM Mediation). ECDSA ciphers are
supported for DG2 nodes from 18.Q4.

Example Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

TLS connection between Radionodes and the LDAP server, where the node is the
TLS client and LDAP is the TLS server:

Since the LDAP server is enrolled with an RSA certificate, at least one cipher
suite with RSA as authentication algorithm must be enabled on the node to
establish a TLS connection with the LDAP server.

Example Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

— Currently the Element Manager GUI uses the Firefox browser as a TLS client
to connect to the web server running on the node when launching the EM GUI
against the node. Firefox supports the following TLS cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Since the Firefox browser in the Element Manager supports only the following
two strong TLSv1.2 cipher suites, these two cipher suites must be enabled on
the Radionodes, along with the other supported strong TLSv1.2 cipher suites of
the operator's choice, to support the use cases associated with the Element
Manager GUI:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
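The following Python script is an added example, not part of this guide or of ENM: it derives the cipherFilter form of Table 28 from an IANA-style cipher suite name and applies the two checks from the notes above (at least one enabled suite must authenticate with the server's key algorithm, and the two Element Manager suites must be enabled). The function names, the prefix-based parsing rule, and the enabled list in __main__ are assumptions made for this example.

```python
"""Cipher suite name parsing for the cipherFilter format and the notes above.

Added example, not ENM code. The Table 28 rule is applied literally: the
cipherFilter string is KeyExchange-Authentication-Encryption-MAC, and a suite
with a single algorithm before WITH (TLS_RSA_WITH_...) uses that algorithm for
both key exchange and authentication. Function names and the enabled list in
__main__ are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str
    authentication: str
    encryption: str  # e.g. "AES-256-CBC"
    mac: str         # e.g. "SHA384"

    def cipher_filter(self) -> str:
        """The cipherFilter form of this suite, as in Table 28."""
        return "-".join((self.key_exchange, self.authentication,
                         self.encryption, self.mac))


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split an IANA-style suite name (TLS_ or SSL_ prefix) into its parts.

    Signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV have no
    WITH token and are rejected: they are not cipher suites.
    """
    tokens = name.split("_")
    if tokens[0] not in ("TLS", "SSL") or "WITH" not in tokens:
        raise ValueError(f"not a cipher suite name: {name}")
    with_idx = tokens.index("WITH")
    kx_auth = tokens[1:with_idx]
    if len(kx_auth) == 1:          # TLS_RSA_WITH_...: RSA does both jobs
        kex = auth = kx_auth[0]
    elif len(kx_auth) == 2:        # TLS_ECDHE_ECDSA_WITH_...
        kex, auth = kx_auth
    else:
        raise ValueError(f"unexpected key exchange/authentication part: {name}")
    tail = tokens[with_idx + 1:]   # encryption tokens followed by the MAC
    if len(tail) < 2:
        raise ValueError(f"missing encryption or MAC part: {name}")
    return CipherSuite(name, kex, auth, "-".join(tail[:-1]), tail[-1])


def suites_authenticating_with(enabled, server_key_algorithm):
    """Enabled suites whose authentication algorithm matches the server key.

    At least one is required: an ECDSA-enrolled node acting as TLS server
    needs an *_ECDSA_* suite, and a node connecting to the RSA-enrolled LDAP
    server needs an *_RSA_* suite.
    """
    return [s for s in enabled
            if parse_cipher_suite(s).authentication == server_key_algorithm]


# The two TLSv1.2 suites the Element Manager (Firefox) needs on Radionodes.
EM_GUI_REQUIRED = (
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
)


def missing_for_em_gui(enabled):
    """Return the Element Manager suites that are not in the enabled list."""
    return [s for s in EM_GUI_REQUIRED if s not in enabled]


def review_enabled_ciphers(enabled, node_key_algorithm, ldap_key_algorithm="RSA"):
    """Collect the problems the notes above warn about, as plain strings."""
    problems = []
    if not suites_authenticating_with(enabled, node_key_algorithm):
        problems.append(f"no suite authenticates with the node's {node_key_algorithm} key")
    if not suites_authenticating_with(enabled, ldap_key_algorithm):
        problems.append(f"no suite authenticates with the LDAP server's {ldap_key_algorithm} key")
    for suite in missing_for_em_gui(enabled):
        problems.append(f"Element Manager GUI needs {suite}")
    return problems


if __name__ == "__main__":
    # Constructed enabled list for an ECDSA-enrolled DG2 node.
    enabled = [
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    ]
    for suite in enabled:
        print(suite, "->", parse_cipher_suite(suite).cipher_filter())
    for problem in review_enabled_ciphers(enabled, "ECDSA"):
        print("problem:", problem)
```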

Actors
Authorized for: NodeSecurity_Administrator, Action: update

Authorized for: CustomUser with ciphers update capability, Action: update

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Result
Successfully started a job to set ciphers for nodes. Perform secadm job get -j
<Job Id> to get progress information.

The provided ciphers are set on nodes. To verify whether the Set ciphers
procedure on nodes is successful, execute Get Ciphers on Nodes on page 384
command in ENM CLI and verify Enabled Ciphers.

Note: It can take up to a maximum of eight minutes (based on the configured
heartbeat interval) for the set ciphers change to be reflected in ENM in the
case of SSL/HTTPS/TLS protocol configuration.


13.1.1.3 XML File - Usage in Set Ciphers

This section describes the XML template to configure ciphers on the given
nodes for respective SSH/SFTP and SSL/TLS/HTTPS protocols.

XML Template

<?xml version="1.0" encoding="UTF-8"?>
<ciphersConfiguration>
  <nodeCiphers>
    <nodes>
      <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
    </nodes>
    <sshProtocol>
      <!-- key exchange algorithms, listed in rank order -->
      <keyExchangeCiphers>
        <cipher>diffie-hellman-group-exchange-sha256</cipher>
        <cipher>diffie-hellman-group14-sha1</cipher>
        <cipher>diffie-hellman-group-exchange-sha1</cipher>
        <cipher>diffie-hellman-group1-sha1</cipher>
      </keyExchangeCiphers>
      <!-- encryption algorithms, listed in rank order -->
      <encryptCiphers>
        <cipher>aes256-ctr</cipher>
        <cipher>aes192-ctr</cipher>
        <cipher>aes128-ctr</cipher>
        <cipher>aes256-cbc</cipher>
        <cipher>aes192-cbc</cipher>
        <cipher>aes128-cbc</cipher>
        <cipher>blowfish-cbc</cipher>
        <cipher>cast128-cbc</cipher>
        <cipher>3des-cbc</cipher>
        <cipher>[email protected]</cipher>
      </encryptCiphers>
      <!-- MAC algorithms, listed in rank order -->
      <macCiphers>
        <cipher>hmac-sha2-512</cipher>
        <cipher>hmac-sha2-256</cipher>
        <cipher>hmac-ripemd160</cipher>
        <cipher>hmac-ripemd160@openssh.com</cipher>
        <cipher>hmac-sha1</cipher>
        <cipher>hmac-md5</cipher>
        <cipher>hmac-sha1-96</cipher>
        <cipher>hmac-md5-96</cipher>
        <cipher>[email protected]</cipher>
      </macCiphers>
    </sshProtocol>
    <tlsProtocol>
      <cipherFilter>ALL</cipherFilter>
    </tlsProtocol>
  </nodeCiphers>
</ciphersConfiguration>

This XML can be used to set the ciphers provided by the operator for the
respective protocol of the nodes as:

1. Same ciphers for multiple nodes.

2. Different ciphers for multiple nodes.

ciphersConfiguration is the root element of the XML to configure ciphers on the
nodes.

nodeCiphers is the child element of ciphersConfiguration. This element is used
to add nodes and their respective protocols (ssh, tls), for which ciphers have
to be set, as child elements.

nodes is the child element of nodeCiphers. This element is used to add single
or multiple node names.

nodeFdn is the child element of nodes. This element is used to hold the node
name for which ciphers have to be set.

sshProtocol is the child element of nodeCiphers. This element is used to set
ciphers for the KeyExchange, Encryption, and MAC attributes used in the SSH
protocol.

keyExchangeCiphers is the child element of sshProtocol. This element is used to
set ciphers for only the KeyExchange attribute of the nodes.

encryptCiphers is the child element of sshProtocol. This element is used to set
ciphers for only the Encryption attribute of the nodes.

macCiphers is the child element of sshProtocol. This element is used to set
ciphers for only the MAC attribute of the nodes.

cipher is the child element of keyExchangeCiphers, encryptCiphers, and
macCiphers independently. This element is used to hold the actual algorithms
for the respective attributes of the nodes.

tlsProtocol is the child element of nodeCiphers. This element is used to set
the cipher suites used in the TLS protocol with the help of the cipher filter
of the nodes.

cipherFilter is the child element of tlsProtocol. This element is used to hold
the filter value used by the nodes for selecting, from the supported cipher
suites, those to be set as enabled ciphers.


13.1.1.4 Configure Ciphers on Nodes

1. Use the following XML to define multiple nodes with the same ciphers for
the respective protocols.

<nodes>
  <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
  <nodeFdn>LTE04dg2ERBS00002</nodeFdn>
  <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
</nodes>
<sshProtocol>
  .....
</sshProtocol>
<tlsProtocol>
  .....
</tlsProtocol>

2. Use the following XML to define multiple nodes with different ciphers.

<?xml version="1.0" encoding="UTF-8"?>
<ciphersConfiguration>
  <nodeCiphers>
    <nodes>
      <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
      <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
      <nodeFdn>LTE04dg2ERBS00005</nodeFdn>
    </nodes>
    <sshProtocol>
      <keyExchangeCiphers>
        <cipher>diffie-hellman-group-exchange-sha256</cipher>
        <cipher>diffie-hellman-group14-sha1</cipher>
      </keyExchangeCiphers>
      <encryptCiphers>
        <cipher>aes256-ctr</cipher>
        <cipher>aes192-ctr</cipher>
      </encryptCiphers>
      <macCiphers>
        <cipher>hmac-sha2-512</cipher>
        <cipher>hmac-sha2-256</cipher>
      </macCiphers>
    </sshProtocol>
    <tlsProtocol>
      <cipherFilter>ALL</cipherFilter>
    </tlsProtocol>
  </nodeCiphers>
  <nodeCiphers>
    <nodes>
      <nodeFdn>LTE04dg2ERBS00002</nodeFdn>
      <nodeFdn>LTE04dg2ERBS00004</nodeFdn>
      <nodeFdn>LTE04dg2ERBS00006</nodeFdn>
    </nodes>
    <sshProtocol>
      <keyExchangeCiphers>
        <cipher>diffie-hellman-group-exchange-sha256</cipher>
        <cipher>diffie-hellman-group14-sha1</cipher>
        <cipher>diffie-hellman-group-exchange-sha1</cipher>
      </keyExchangeCiphers>
      <encryptCiphers>
        <cipher>aes256-ctr</cipher>
        <cipher>aes192-ctr</cipher>
        <cipher>aes128-ctr</cipher>
        <cipher>aes256-cbc</cipher>
        <cipher>aes192-cbc</cipher>
      </encryptCiphers>
      <macCiphers>
        <cipher>hmac-sha2-256</cipher>
        <cipher>hmac-ripemd160</cipher>
        <cipher>hmac-ripemd160@openssh.com</cipher>
        <cipher>hmac-sha1</cipher>
        <cipher>hmac-md5</cipher>
      </macCiphers>
    </sshProtocol>
    <tlsProtocol>
      <cipherFilter>ALL</cipherFilter>
    </tlsProtocol>
  </nodeCiphers>
</ciphersConfiguration>

3. Use the following XML to define multiple nodes with the SSH protocol only.

<?xml version="1.0" encoding="UTF-8"?>
<ciphersConfiguration>
  <nodeCiphers>
    <nodes>
      <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
      <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
      <nodeFdn>LTE04dg2ERBS00005</nodeFdn>
    </nodes>
    <sshProtocol>
      <keyExchangeCiphers>
        <cipher>diffie-hellman-group-exchange-sha256</cipher>
        <cipher>diffie-hellman-group14-sha1</cipher>
      </keyExchangeCiphers>
      <encryptCiphers>
        <cipher>aes256-ctr</cipher>
        <cipher>aes192-ctr</cipher>
      </encryptCiphers>
      <macCiphers>
        <cipher>hmac-sha2-512</cipher>
        <cipher>hmac-sha2-256</cipher>
      </macCiphers>
    </sshProtocol>
  </nodeCiphers>
</ciphersConfiguration>

4. Use the following XML to define multiple nodes with the SSH protocol and a
single child element: keyExchange, encrypt, or mac ciphers.

<nodeCiphers>
  <nodes>
    <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00005</nodeFdn>
  </nodes>
  <sshProtocol>
    <keyExchangeCiphers>
      <cipher>diffie-hellman-group-exchange-sha256</cipher>
      <cipher>diffie-hellman-group14-sha1</cipher>
    </keyExchangeCiphers>
  </sshProtocol>
</nodeCiphers>

or

<nodeCiphers>
  <nodes>
    <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00005</nodeFdn>
  </nodes>
  <sshProtocol>
    <encryptCiphers>
      <cipher>aes256-ctr</cipher>
      <cipher>aes192-ctr</cipher>
    </encryptCiphers>
  </sshProtocol>
</nodeCiphers>

or

<nodeCiphers>
  <nodes>
    <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00005</nodeFdn>
  </nodes>
  <sshProtocol>
    <macCiphers>
      <cipher>hmac-sha2-512</cipher>
      <cipher>hmac-sha2-256</cipher>
    </macCiphers>
  </sshProtocol>
</nodeCiphers>

5. Use the following XML to define multiple nodes with the SSH protocol and
two child elements: keyExchange and encrypt, keyExchange and mac, or encrypt
and mac ciphers.

<nodeCiphers>
  <nodes>
    <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00005</nodeFdn>
  </nodes>
  <sshProtocol>
    <keyExchangeCiphers>
      <cipher>diffie-hellman-group-exchange-sha256</cipher>
      <cipher>diffie-hellman-group14-sha1</cipher>
    </keyExchangeCiphers>
    <encryptCiphers>
      <cipher>aes256-ctr</cipher>
      <cipher>aes192-ctr</cipher>
    </encryptCiphers>
  </sshProtocol>
</nodeCiphers>

or

<nodeCiphers>
  <nodes>
    <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00005</nodeFdn>
  </nodes>
  <sshProtocol>
    <keyExchangeCiphers>
      <cipher>diffie-hellman-group-exchange-sha256</cipher>
      <cipher>diffie-hellman-group14-sha1</cipher>
    </keyExchangeCiphers>
    <macCiphers>
      <cipher>hmac-sha2-512</cipher>
      <cipher>hmac-sha2-256</cipher>
    </macCiphers>
  </sshProtocol>
</nodeCiphers>

or

<nodeCiphers>
  <nodes>
    <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00005</nodeFdn>
  </nodes>
  <sshProtocol>
    <encryptCiphers>
      <cipher>aes256-ctr</cipher>
      <cipher>aes192-ctr</cipher>
    </encryptCiphers>
    <macCiphers>
      <cipher>hmac-sha2-512</cipher>
      <cipher>hmac-sha2-256</cipher>
    </macCiphers>
  </sshProtocol>
</nodeCiphers>

6. Use the following XML to define multiple nodes with the TLS protocol only.

<nodeCiphers>
  <nodes>
    <nodeFdn>LTE04dg2ERBS00001</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00003</nodeFdn>
    <nodeFdn>LTE04dg2ERBS00005</nodeFdn>
  </nodes>
  <tlsProtocol>
    <cipherFilter>ALL</cipherFilter>
  </tlsProtocol>
</nodeCiphers>
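The following Python script is an added example and not ENM's own tooling: it builds a ciphersConfiguration document for the node groupings of steps 1 to 6 and checks it before it is handed to secadm, in particular that hmac-* names sit under macCiphers and diffie-hellman-*/ecdh-* names under keyExchangeCiphers. The classification of algorithms by name prefix, the function names, and the node groups in __main__ are assumptions made for this example.

```python
"""Build and sanity-check a ciphersConfiguration document before secadm.

Added example, not ENM code. Element names follow the XML template above.
Algorithms are classified by name prefix (an assumption that holds for the
names in Table 26): hmac-/umac- are MAC algorithms, diffie-hellman-/ecdh-/
curve25519- are key exchange algorithms, anything else is an encryption
algorithm. The node groups used in __main__ are constructed.
"""
import xml.etree.ElementTree as ET

# sshProtocol child element -> algorithm class it may contain
SSH_SECTIONS = {
    "keyExchangeCiphers": "kex",
    "encryptCiphers": "enc",
    "macCiphers": "mac",
}


def classify(algorithm: str) -> str:
    """Return "kex", "enc" or "mac" for an SSH algorithm name."""
    name = algorithm.strip().lower()
    if name.startswith(("hmac-", "umac-")):
        return "mac"
    if name.startswith(("diffie-hellman-", "ecdh-", "curve25519-")):
        return "kex"
    return "enc"


def build_ciphers_configuration(groups) -> str:
    """Serialise groups of (node_fdns, ssh, tls_filter) as ciphersConfiguration.

    ssh is None or a dict mapping "kex"/"enc"/"mac" to ordered algorithm
    lists (list order is the rank the nodes apply); tls_filter is None or
    the cipherFilter string. One nodeCiphers element is emitted per group.
    """
    root = ET.Element("ciphersConfiguration")
    for node_fdns, ssh, tls_filter in groups:
        node_ciphers = ET.SubElement(root, "nodeCiphers")
        nodes = ET.SubElement(node_ciphers, "nodes")
        for fdn in node_fdns:
            ET.SubElement(nodes, "nodeFdn").text = fdn
        if ssh:
            ssh_el = ET.SubElement(node_ciphers, "sshProtocol")
            for section, cls in SSH_SECTIONS.items():
                if ssh.get(cls):
                    section_el = ET.SubElement(ssh_el, section)
                    for algorithm in ssh[cls]:
                        ET.SubElement(section_el, "cipher").text = algorithm
        if tls_filter:
            tls_el = ET.SubElement(node_ciphers, "tlsProtocol")
            ET.SubElement(tls_el, "cipherFilter").text = tls_filter
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(root, encoding="unicode"))


def validate_ciphers_configuration(xml_text: str) -> list:
    """Return the problems found (empty list when the document looks sane).

    Catches MAC names under keyExchangeCiphers (or key exchange names under
    macCiphers), empty node lists, empty sshProtocol elements, and
    nodeCiphers elements that configure neither protocol.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "ciphersConfiguration":
        return [f"root element is {root.tag}, expected ciphersConfiguration"]
    problems = []
    for i, nc in enumerate(root.findall("nodeCiphers"), start=1):
        if not [n for n in nc.findall("nodes/nodeFdn") if n.text]:
            problems.append(f"nodeCiphers #{i}: no nodeFdn")
        ssh = nc.find("sshProtocol")
        tls = nc.find("tlsProtocol")
        if ssh is None and tls is None:
            problems.append(f"nodeCiphers #{i}: neither sshProtocol nor tlsProtocol")
        if ssh is not None:
            if len(ssh) == 0:
                problems.append(f"nodeCiphers #{i}: sshProtocol has no child element")
            for section, expected in SSH_SECTIONS.items():
                for cipher in ssh.findall(f"{section}/cipher"):
                    actual = classify(cipher.text or "")
                    if actual != expected:
                        problems.append(f"nodeCiphers #{i}: {cipher.text} is a {actual} "
                                        f"algorithm, not allowed in {section}")
        if tls is not None and not tls.findtext("cipherFilter"):
            problems.append(f"nodeCiphers #{i}: tlsProtocol without cipherFilter")
    return problems


if __name__ == "__main__":
    # Constructed groups: two node sets with different SSH ciphers, TLS filter ALL.
    groups = [
        (["LTE04dg2ERBS00001", "LTE04dg2ERBS00003"],
         {"kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
          "enc": ["aes256-ctr", "aes192-ctr"],
          "mac": ["hmac-sha2-512", "hmac-sha2-256"]},
         "ALL"),
        (["LTE04dg2ERBS00002"], None, "ALL"),
    ]
    document = build_ciphers_configuration(groups)
    print(document)
    print("problems:", validate_ciphers_configuration(document))
```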

13.1.2 Get Ciphers on Nodes

This procedure describes the steps to get the supported and enabled ciphers
on the given nodes for SSH-, SFTP-, SSL-, HTTPS-, and TLS-based
communication.

Actors
Authorized for: NodeSecurity_Operator, Action: read

Authorized for: CustomUser with ciphers read capability, Action: read

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Steps

1. See the online help to get ciphers on Nodes.

Results
For a single node, the command lists the supported and enabled ciphers.

For more than one node, the command downloads the supported and enabled
ciphers as a CSV file into the user's Download folder.

13.2 Cipher Modernization for IPsec

13.2.1 Cipher Modernization for IPsec on G1 Nodes

For G1 Nodes, the supported cryptographic algorithm suite is described in the
section Supported Algorithms of the document IP Security User Guide, Reference
[17].

The supported ciphers for IPsec can be configured on:

— the allowedTransforms attribute of the IkePeer MO (for IKE) and the
allowedTransforms attribute of the IpSecTunnel MO (for ESP) for a manually
configured IPsec VPN connection

— the allowedChildSaTransform and allowedIkeSa attributes of the
PeerIpSecProfile MO for automatic direct X2 IPsec VPN connections.

Write access to the IpSec MO and its children is permitted for the user with IPsec
Management task profile assigned.

IkePeer and IpSecTunnel MOs are children of the IPsec MO, so they can only be
configured by a user with the IPsec Management task profile assigned.

PeerIpSecProfile MO is not a child of the IPsec MO, so it can be configured by a
user with the CM task profile.

For more information regarding the task profiles, see the section Task Profiles of
the document Security for O&M Node Access, Reference [18].

13.2.2 Cipher Modernization for IPsec on G2 Nodes

For G2 Nodes, the configuration of the cryptographic algorithm suite is
described in the section Configure Cryptographic Algorithms Suite of the
document Manage IPsec User Guide, Reference [19].


14 Configuring Users to Access AMOS, Element Manager and WinFIOL Towards SL2
or TLS Enabled Nodes

To launch an AMOS or EM session towards a Security Level 2 (SL2) node, for CPP
nodes, or a Transport Layer Security (TLS) node, for nodes supporting ECIM,
the user needs an ssu credential.

The ssu credentials are generated when the user logs on AMOS, WinFIOL GUI, or
WinFIOL CLI for the first time.

For the ssu credentials to be generated, an entity for each user must be created
in PKI.

The setupEEForAMOSUsers.py script must be executed to create the entities for
all the users.

This script holds good for users with at least one of the roles:

— ADMINISTRATOR

— OPERATOR

— Scripting_Operator

— Application roles and custom roles containing capabilities of the AMOS,
Element Manager, or WinFIOL application.

For each user, the script verifies the existence of a PKI End Entity. If the
EndEntity does not exist, the script creates it automatically.

If the user is an SLS user too, the password to provide to the user to download its
own certificate is the username of the user.

To run the script, some preliminary steps are necessary.

Steps

1. Create a user with the following username in User Management:

username: cmscript

2. Assign the following roles:

— ADMINISTRATOR

— SECURITY_ADMIN

— Scripting_Operator

If the ADMINISTRATOR role is unavailable, assign all available roles to the
user.

3. Log on ENM as the new user and change the password if required.

4. Log on the General Scripting VM through SSH using the credentials of the
newly created user (see the section Load Balancing for AMOS and General
Scripting VMs of the document ENM Operators Guide, Reference [5]).

Note: Do not SSH as cloud-user or root and then su to the cmscript account,
as this bypasses the required PAM and the home account is not set up
correctly.

5. Move to the correct folder:

cd /opt/ericsson/security/eeforamos

6. Run the script:

./setupEEForAMOSUsers.py

The log file is /tmp/<username>_setupEEForAMOSUsers.log.

The option -aul followed by one or more usernames separated by commas (that
is, "user1, user2, user3") restricts the check and creation of EndEntity to
the provided usernames.

The option -auf followed by the name of a file containing a set of usernames
(in CSV format or in a column) restricts the check and creation of EndEntity
to the provided username(s).

The option -nc prevents the script from changing the ENM PKI system. This can
be useful for test purposes.

usage: setupEEForAMOSUsers.py [-h] [-u USER] [-p PASSWORD] [-nc] [-enm ENMADDRESS][-aul AMOSUSERLIST][-auf AMOSUSERFILE]
For each ENM User with AMOS roles, check if an associate EndEntity exists on ENM PKI and create it if not.
optional arguments:
-h, --help show this help message and exit
-u USER, --user USER ENM username
-p PASSWORD, --password PASSWORD ENM username password
-nc, --nocreate only performs checks. PKI End Entity is not created. Test purpose
-enm ENMADDRESS, --enmaddress ENMADDRESS ENM address (enmapache.athtem.eei.ericsson.se)
-aul AMOSUSERLIST, --amosuserlist AMOSUSERLIST amos user list
-auf AMOSUSERFILE, --amosuserfile AMOSUSERFILE amos user file


Note: — There is no need to create a PKI End Entity or ssucredentials.xml if
all the following conditions are present:

    — The user is created with all the required COM roles for a COM/ECIM
    based node.

    — The node is integrated with the COM-AA ENM service.

    — The user is trying to access the node using AMOS.

— If there is an issue with running the script, the following procedure can
be used alternatively to create profiles and entities.

14.1 XML Files


This script uses XML templates to create the Certificate Profile, the Entity
Profile, and the required EndEntity.

1. Check if the certificate profile AMOS_EM_USER_CP exists.

pkiadm pfm --list --profiletype certificate --name AMOS_EM_USER_CP

2. Create a Certificate Profile, if the certificate profile does not exist.

Run the following ENM CLI command:

pkiadm pfm -c -xf file:<file-name.xml>

The following XML must be used for Certificate Profile creation.

Entity_Certificate_Profile.xml

<?xml version="1.0" encoding="UTF-8"?>
<Profiles xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ProfilesSchema.xsd">
  <CertificateProfile Name="AMOS_EM_USER_CP">
    <Modifiable>true</Modifiable>
    <ForCAEntity>false</ForCAEntity>
    <Version>V3</Version>
    <SignatureAlgorithm>
      <Name>SHA256withRSA</Name>
    </SignatureAlgorithm>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <CertificateValidity>P2Y</CertificateValidity>
    <Issuer>
      <CertificateAuthority>
        <Name>ENM_OAM_CA</Name>
      </CertificateAuthority>
    </Issuer>
    <SubjectUniqueIdentifier>true</SubjectUniqueIdentifier>
    <IssuerUniqueIdentifier>false</IssuerUniqueIdentifier>
    <SkewCertificateTime>PT30M</SkewCertificateTime>
    <CertificateExtensions>
      <CertificateExtension xsi:type="AuthorityKeyIdentifier">
        <Critical>false</Critical>
        <AuthorityKeyIdentifierType>ISSUER_DN_SERIAL_NUMBER</AuthorityKeyIdentifierType>
      </CertificateExtension>
      <CertificateExtension xsi:type="BasicConstraints">
        <Critical>true</Critical>
        <IsCA>false</IsCA>
      </CertificateExtension>
      <CertificateExtension xsi:type="SubjectKeyIdentifier">
        <Critical>false</Critical>
        <KeyIdentifier>
          <Algorithm>
            <Name>160-BIT_SHA-1</Name>
          </Algorithm>
        </KeyIdentifier>
      </CertificateExtension>
      <CertificateExtension xsi:type="KeyUsage">
        <Critical>true</Critical>
        <SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
        <SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
        <SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
      </CertificateExtension>
      <CertificateExtension xsi:type="SubjectAltName">
        <Critical>false</Critical>
        <SubjectAltNameField>
          <Type>DIRECTORY_NAME</Type>
        </SubjectAltNameField>
      </CertificateExtension>
    </CertificateExtensions>
    <SubjectCapabilities>
      <SubjectField>
        <Type>COMMON_NAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>SURNAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>COUNTRY_NAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>LOCALITY_NAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>STATE</Type>
      </SubjectField>
      <SubjectField>
        <Type>STREET_ADDRESS</Type>
      </SubjectField>
      <SubjectField>
        <Type>ORGANIZATION</Type>
      </SubjectField>
      <SubjectField>
        <Type>ORGANIZATION_UNIT</Type>
      </SubjectField>
      <SubjectField>
        <Type>DN_QUALIFIER</Type>
      </SubjectField>
      <SubjectField>
        <Type>TITLE</Type>
      </SubjectField>
      <SubjectField>
        <Type>GIVEN_NAME</Type>
      </SubjectField>
      <SubjectField>
        <Type>SERIAL_NUMBER</Type>
      </SubjectField>
    </SubjectCapabilities>
  </CertificateProfile>
</Profiles>

3. Check if the entity profile AMOS_EM_USER_EP exists.


pkiadm pfm --list --profiletype entity --name AMOS_EM_USER_EP

4. Create an Entity Profile, if the entity profile does not exist.

Run the following ENM CLI command:

pkiadm pfm -c -xf file:<file-name.xml>

The following XML must be used for Entity Profile creation.

Entity_Entity_Profile.xml

<?xml version="1.0" encoding="UTF-8"?>
<Profiles xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ProfilesSchema.xsd">
  <EntityProfile Name="AMOS_EM_USER_EP">
    <Modifiable>true</Modifiable>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>UNDEFINED</Name>
    </Category>
    <Subject>
      <SubjectField>
        <Type>COMMON_NAME</Type>
        <Value>?</Value>
      </SubjectField>
    </Subject>
    <SubjectAltName>
      <Critical>false</Critical>
      <SubjectAltNameField>
        <Type>DIRECTORY_NAME</Type>
        <Value xsi:type="SubjectAltNameString">
          <StringValue>CN=COMUser</StringValue>
        </Value>
      </SubjectAltNameField>
    </SubjectAltName>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <CertificateProfile Name="AMOS_EM_USER_CP" />
    <KeyUsage>
      <Critical>true</Critical>
      <SupportedKeyUsageType>DIGITAL_SIGNATURE</SupportedKeyUsageType>
      <SupportedKeyUsageType>KEY_ENCIPHERMENT</SupportedKeyUsageType>
      <SupportedKeyUsageType>KEY_AGREEMENT</SupportedKeyUsageType>
    </KeyUsage>
    <SubjectUniqueIdentifierValue>?</SubjectUniqueIdentifierValue>
  </EntityProfile>
</Profiles>

5. Check if an entity exists for this user.

Execute the following ENM CLI command with the correct username:

pkiadm etm --list --entitytype ee --name <user-name>

6. Rename the existing entity with a new name using the PKI Entity
Management UI app, if the entity exists.

7. Create an Entity from ENM CLI.

pkiadm etm -c -xf file:<file-name.xml>


The following XML must be used for Entity creation. Replace the %username%
with the username of the ENM user.

Entity.xml

<?xml version="1.0" encoding="UTF-8"?>
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="AMOS_EM_USER_EP"/>
    <SubjectUniqueIdentifierValue>%username%</SubjectUniqueIdentifierValue>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>USER-SLS</Name>
    </Category>
    <EntityInfo>
      <Name>%username%</Name>
      <Subject>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>%username%</Value>
        </SubjectField>
      </Subject>
      <SubjectAltName>
        <SubjectAltNameField>
          <Type>DIRECTORY_NAME</Type>
          <Value xsi:type="SubjectAltNameString" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <StringValue>CN=%username%</StringValue>
          </Value>
        </SubjectAltNameField>
      </SubjectAltName>
      <OTP>%username%</OTP>
      <OTPCount>999</OTPCount>
    </EntityInfo>
    <OTPValidityPeriod>300</OTPValidityPeriod>
  </Entity>
</Entities>

If an entity created in a previous drop does not work, it can be recreated
with the script:

— Rename the entity using the PKI Entity Management application.

— Run the script following the above procedure.

— Log on with the user again and try to launch the AMOS. If it fails, remove
the ssucredential.xml file and try again.
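The Entity.xml template above is filled by hand (or by the script) with the ENM username. The following is an added example, not the guide's setupEEForAMOSUsers.py script and not ENM code; it renders an abridged copy of the template for one user and then re-parses the result to confirm that no %placeholder% survived and that the same name landed in EntityInfo/Name, the COMMON_NAME subject field, the CN= SubjectAltName and SubjectUniqueIdentifierValue. The accepted username character set (USERNAME_RE) is an assumption of the example, chosen to keep XML metacharacters and DN separators out of the CN; the sample user name amosuser1 is constructed.

```python
"""Render the guide's Entity.xml for one ENM user and check the result.

Added example; it is not the guide's setupEEForAMOSUsers.py and not ENM code.
It catches the two mistakes a hand-edited Entity.xml usually carries: a
%username% left unreplaced, and a username containing characters that break
the XML or the DN, and it confirms the name is identical in every field the
guide fills with it.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Abridged copy of the guide's Entity.xml: every element that carries
# %username% is kept, KeyGenerationAlgorithm is dropped for brevity.
ENTITY_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="AMOS_EM_USER_EP"/>
    <SubjectUniqueIdentifierValue>%username%</SubjectUniqueIdentifierValue>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>USER-SLS</Name>
    </Category>
    <EntityInfo>
      <Name>%username%</Name>
      <Subject>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>%username%</Value>
        </SubjectField>
      </Subject>
      <SubjectAltName>
        <SubjectAltNameField>
          <Type>DIRECTORY_NAME</Type>
          <Value xsi:type="SubjectAltNameString">
            <StringValue>CN=%username%</StringValue>
          </Value>
        </SubjectAltNameField>
      </SubjectAltName>
      <OTP>%username%</OTP>
      <OTPCount>999</OTPCount>
    </EntityInfo>
    <OTPValidityPeriod>300</OTPValidityPeriod>
  </Entity>
</Entities>
"""

# Character set this example accepts for a username (an assumption of the
# example, not a rule from the guide): it keeps XML metacharacters and DN
# separators such as ',', '=', '+', '"' and '<' out of the CN and the SAN.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
PLACEHOLDER_RE = re.compile(r"%[A-Za-z]+%")


def render_entity_xml(username: str, template: str = ENTITY_TEMPLATE) -> str:
    """Substitute %username% and fail if any placeholder survives."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"username not safe for DN/XML use: {username!r}")
    rendered = template.replace("%username%", escape(username))
    leftover = PLACEHOLDER_RE.findall(rendered)
    if leftover:
        raise ValueError(f"unreplaced placeholders: {sorted(set(leftover))}")
    return rendered


def check_entity_xml(xml_text: str) -> dict:
    """Parse the rendered file and return the name-bearing fields; raise if they disagree."""
    entity = ET.fromstring(xml_text).find("Entity")
    info = entity.find("EntityInfo")
    cn = next(sf.findtext("Value") for sf in info.iter("SubjectField")
              if sf.findtext("Type") == "COMMON_NAME")
    fields = {
        "profile": entity.find("EntityProfile").get("Name"),
        "name": info.findtext("Name"),
        "cn": cn,
        "san": info.findtext("SubjectAltName/SubjectAltNameField/Value/StringValue"),
        "suid": entity.findtext("SubjectUniqueIdentifierValue"),
    }
    if not (fields["name"] == fields["cn"] == fields["suid"]
            and fields["san"] == f"CN={fields['name']}"):
        raise ValueError(f"username differs between fields: {fields}")
    return fields


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "amosuser1"   # constructed sample name
    xml_out = render_entity_xml(user)
    print(check_entity_xml(xml_out))
    with open(f"Entity_{user}.xml", "w", encoding="utf-8") as fh:
        fh.write(xml_out)
```

Run it as `python3 render_entity.py <user-name>`; the written file is what `pkiadm etm -c -xf file:<file-name.xml>` in step 7 expects. Rejecting rather than escaping a username with DN separators is deliberate: a name such as `x,OU=admin` would survive XML escaping unchanged and still alter the CN that ends up in the certificate.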


15 Automatic Configuring of Users to Access AMOS and Element Manager Towards SL2 or TLS Enabled Nodes

It is recommended to set up a crontab entry that periodically executes the ENM
script that checks and creates the needed PKI entities for users who have
AMOS and Element Manager access permissions.

In this way, such users automatically receive the X.509 certificates needed to set
up a TLS communication channel toward nodes.

For more details about the script, see Configuring Users to Access AMOS, Element
Manager and WinFIOL Towards SL2 or TLS Enabled Nodes on page 386.

Prerequisites
— Knowledge of Linux operation and Cron schedule.

— ENM username and password - the SSH usernames are case-sensitive.

— Scripting_Operator role.

— The user must balance the load across the available General Scripting VMs
so that no single machine is overloaded.

Warning
The maximum session time (maxSessionTime) and idle time (maxIdleTime)
configured for the user determine how long the script can keep running. It is
suggested to set them to the maximum value allowed (two years) using the
related IdAM REST interface.

For example, the following commands create the user scripting3 with the needed
privileges and the recommended settings:

curl -k -c cookie_Admin.txt -X POST \
  "https://enmapache.athtem.eei.ericsson.se/login?IDToken1=administrator&IDToken2=<Administrator Password>"

curl -k -b cookie_Admin.txt -H Accept:application/json -H Content-Type:application/json -X POST \
  "https://enmapache.athtem.eei.ericsson.se/oss/idm/usermanagement/users/" \
  -d '{"username":"scripting3","name":"scripting3","surname":"scripting3","password":"CmPassw0rd","status":"enabled","passwordResetFlag":"false","maxSessionTime":"1051200","maxIdleTime":"1051200","privileges":[{"role":"ADMINISTRATOR","targetGroup":"ALL"},{"role":"SECURITY_ADMIN","targetGroup":"ALL"},{"role":"Scripting_Operator","targetGroup":"ALL"}],"passwordAgeing":{"customizedPasswordAgeingEnable":"true","passwordAgeingEnable":"false","pwdMaxAge":"","pwdExpireWarning":"","graceLoginCount":"0"}}'


For more info about the IdAM REST interface, see the document ENM Identity
and Access Management Programmers Guide, Reference [1].

Steps

1. Access the Scripting SG.

See Connect to a Service on page 2.

In the following example, the username is scripting3:

[root@lms ~]# ssh scripting3@scp-1-scripting
scripting3@scp-1-scripting's password:

2. Create or edit a Cron job using the standard crontab tool:

Open the vi editor.

[scripting3@scp-1-scripting ~]$ crontab -e

3. Add the following entries:

*/10 * * * * /opt/ericsson/security/eeforamos/setupEEForAMOSUsers.py

This entry runs the script to create missing user entities every 10 minutes.


16 Management of Real Time Security Event Logging on CPP-Based Network Elements

Real Time Security Event Logging (RTSEL) is the capability of CPP-based
Network Elements to record security-related events (see the Network
Element documentation for details of such log records) and "push" those
events to an external <syslog> server configured according to the operator's
choice.

The role of the ENM system is to configure the Network Element with all
the data relevant to RTSEL communication and equip both external <syslog>
server and Network Element with certificates ensuring secure event dispatching.
The certificate for the external <syslog> server is generated using the offline
enrollment procedure.

See the section Offline Enrollment of External Syslog Server on page 398.

The RTSEL feature supports the following use cases:

1. RTSEL Activation.
2. RTSEL Deactivation.
3. Deletion of RTSEL Configuration.
4. Get RTSEL Status.

16.1 Activating Real Time Security Event Logging (RTSEL) CPP Based NEs

RTSEL activation enables CPP based NEs to send event logs to an external
syslog server.

Once the activate rtsel command is triggered, it performs Cert Distribution and
Initial Enrollment on the node, then it performs configuration and activation of
RTSEL.

If Cert Distribution and Enrollment have already been done on the node, these
actions are skipped and the command continues with configuration and activation
of RTSEL.

Prerequisites

— Nodes must exist in the system.


— Nodes must be synchronized.

— User must have Node Security Administrator and PKI_Operator to perform
RTSEL activation.

— Enable the SHA1 algorithm to avoid the SCEP-based Cert Enrollment failure.

  — Use the following command to check the algorithm status with user role
  as:

  pkiadm cfg algo --list --type all --status all

  — Use the following command to enable the SHA1 algorithm:

  pkiadm configmgmt algo --enable --name SHA1

— Create node credentials, if they do not exist. To create node credentials, see
the section Create Node Credentials on page 21.

— If CMPv2_VC enrollment mode has been selected, then make sure that Vendor
Credentials are imported to ENM.

— FM alarmSupervisionState must be activated. If not:

  — Use the following command to activate the alarmSupervisionState on
  the node.

  alarm enable <node_name>

  — Use the following command to check the alarmSupervisionState on
  the node.

  alarm status <node_name>

Steps

1. Activate rtsel.

Run the ENM CLI command with the RTSEL Activation XML file as input:

secadm rtsel activate --xmlfile file:<rtsel_activate_single.xml>

See online help for more details.

2. Verify the job status.


Run the ENM CLI command:

secadm job get -j <job-id>


The job status must be COMPLETED; then check the workflow status. If it is
SUCCESS, rtsel is activated on the node.

3. Retrieve and verify the rtsel activation status on the node.

Run the ENM CLI command:

secadm rtsel get --nodelist <node-name>

Results
If the secadm command for activation of rtsel is triggered successfully, the
following message is displayed:

Successfully started a job to activate RTSEL for node(s).Perform '<JOB_ID>' to get progress information.

See online help for more details.

16.2 Deactivating Real Time Security Event Logging (RTSEL) CPP Based NEs

Prerequisites

— Nodes must exist in the system.

— Nodes must be synchronized.

— User must be a Node Security Administrator to trigger the rtsel activate
command.

Steps

1. Deactivate rtsel.

Run the following ENM CLI command with node-name as input:

secadm rtsel deactivate --nodelist <node-name>

See online help for more details.

2. Verify the job status.

Run the following ENM CLI command:

secadm job get -j <job-id>

The job status must be COMPLETED; then check the workflow status. If it is
SUCCESS, rtsel is deactivated on the node.


3. Retrieve and verify the rtsel deactivation status on the node.

Run the following ENM CLI command:

secadm rtsel get --nodelist <node-name>

For more details check the section Get Real Time Sec Log Attributes on CPP
Based NEs on page 400.

Results
If the secadm command for deactivation of rtsel is triggered successfully, the
following message is displayed:

Successfully started a job to deactivate RTSEL for valid node(s).Perform '<JOB_ID>' to get progress information.

See online help for more details.

16.3 Deletion of External Syslog Servers

This task provides the steps to delete external syslog servers on CPP
platform-based nodes using the RTSEL Delete command.

Prerequisites

— Network element must exist in ENM and must be synchronized.

— ERBS and MGW nodes must support RTSEL delete. The nodes must have the
NE defined.

— User must be a Node Security Administrator to trigger the rtsel delete
command.

Steps

1. Delete external syslog servers on the node.

Run the following ENM CLI command with RTSEL Deletion XML file as input:

secadm rtsel delete --xmlfile file:rtsel_delete_1.xml

See online help for more details.

2. Verify the job status.

Run the following ENM CLI command:

secadm job get -j <job-id>

The job status must be COMPLETED; then check the workflow status. If it is
SUCCESS, the external syslog servers are deleted on the node.

3. Retrieve and verify the rtsel delete status on the node.

Run the following ENM CLI command:

secadm rtsel get --nodelist <node-name>

For more details, check the section Get Real Time Sec Log Attributes on CPP
Based NEs on page 400.

Results
If the secadm rtsel delete command is triggered successfully, the following
message is displayed:

Successfully started a job to delete RTSEL server details for node(s). Perform 'secadm job get -j <job-id>' to get progress information.

See online help for more details.

16.4 Offline Enrollment of External Syslog Server

This procedure describes the generation of certificates from a Certificate
Signing Request (CSR).

The CSR is generated on the External Syslog Server and must be signed by the
ENM deployment.

Actors
Authorized for: PKI_EE_ADMINISTRATOR, Action : execute

Authorized for: PKI_OPERATOR, Action : execute

Authorized for: PKI_ADMINISTRATOR, Action : execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Generate CSR on External Syslog Server in PKCS#10 format.

— Save the CSR file with .csr extension.


Steps

1. Create an entity XML.

Use the following template.

<Entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="EntitiesSchema.xsd">
  <Entity>
    <PublishCertificatetoTDPS>true</PublishCertificatetoTDPS>
    <EntityProfile Name="ENM_System_Man_EP"/>
    <KeyGenerationAlgorithm>
      <Name>RSA</Name>
      <KeySize>2048</KeySize>
    </KeyGenerationAlgorithm>
    <Category>
      <Modifiable>true</Modifiable>
      <Name>SERVICE</Name>
    </Category>
    <EntityInfo>
      <Name>%ExternalServerName%</Name>
      <Subject>
        <SubjectField>
          <Type>ORGANIZATION</Type>
          <Value>%organization%</Value>
        </SubjectField>
        <SubjectField>
          <Type>ORGANIZATION_UNIT</Type>
          <Value>%organizationUnit%</Value>
        </SubjectField>
        <SubjectField>
          <Type>COUNTRY_NAME</Type>
          <Value>%countryCode%</Value>
        </SubjectField>
        <SubjectField>
          <Type>COMMON_NAME</Type>
          <Value>%ExternalServerName%</Value>
        </SubjectField>
      </Subject>
      <OTP>Ericsson08</OTP>
      <OTPCount>5</OTPCount>
    </EntityInfo>
    <OTPValidityPeriod>300</OTPValidityPeriod>
  </Entity>
</Entities>

In the XML creation, the following rules must be respected:

— Replace %ExternalServerName% with the name of the External Syslog
Server at all places in the XML and save it. For example, EServXYZ.

— Replace %organization% with the organization name in the XML and save
it. For example, ERICSSON.

— Replace %organizationUnit% with the name of the organization unit in the
XML and save it. For example, BUCI DUAC NAM.

— Replace %countryCode% with the two-letter country code in the XML and save
it. See https://en.wikipedia.org/wiki/ISO_3166-2 for two-letter country
codes. For example, IN.

2. Create the End Entity.

Drag and drop the XML file created in step 1 into the ENM CLI application
and run the following command:

pkiadm etm -c -xf file:<<Entity>>.xml

Job status must be COMPLETED and then check the workflow status. If it is
SUCCESS, external syslog servers are deleted on the node.

3. Verify whether the End Entity has been created.

List all the End Entities in the ENM PKI system with the following ENM CLI
command:

pkiadm etm -l -type ee

4. Generate the certificate.

Drag and drop the CSR file onto the ENM CLI and run the following ENM CLI
command:

pkiadm certmgmt EECert --generate --entityname <entityName> --csrfile file:<CSR file> --format PEM

Example
pkiadm ctm EECert -l -en ERBS_1 -s active

Results
Certificate must be successfully generated on ENM deployment with provided
CSR.
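The prerequisites of this procedure require a PKCS#10 CSR in PEM form saved with a .csr extension, and step 4 hands that file to pkiadm. The following is an added example, not part of the guide and not ENM code, that checks the file on the operator's workstation before it is uploaded: the PEM label must be a certificate request rather than a certificate or private key, the base64 body must decode, and the outer DER SEQUENCE length must match the decoded size, which is the usual symptom of a truncated or line-mangled file. The SAMPLE_CSR and TRUNCATED_CSR values are constructed for the example and are not real requests.

```python
"""Sanity-check a PKCS#10 CSR before it is handed to pkiadm certmgmt EECert.

Added example, not part of the guide or of ENM. It checks what the
prerequisites above require (a PEM-armoured PKCS#10 request saved with a
.csr extension) and catches the common mix-ups before the ENM CLI does:
a certificate or a private key submitted instead of the request, or
base64 that does not decode to exactly one DER SEQUENCE.
"""
import base64
import binascii
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]*?)\s*-----END (?P=label)-----"
)
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def der_sequence_length(der: bytes) -> int:
    """Total encoded size of the outer DER SEQUENCE (tag + length + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_csr_text(text: str, filename: str = "request.csr") -> dict:
    """Return {"ok": bool, "problems": [...], "label": str | None} for one PEM file."""
    problems = []
    if not filename.lower().endswith(".csr"):
        problems.append(f"{filename}: extension is not .csr")
    m = PEM_RE.search(text)
    if m is None:
        return {"ok": False, "problems": problems + ["no PEM block found"], "label": None}
    label = m.group("label")
    if label not in CSR_LABELS:
        problems.append(f"PEM label is {label!r}, not a CERTIFICATE REQUEST")
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
        declared = der_sequence_length(der)
        if declared != len(der):
            problems.append(
                f"DER length mismatch: header declares {declared} bytes, body holds {len(der)}")
    except (binascii.Error, ValueError) as exc:
        problems.append(f"body is not valid DER: {exc}")
    return {"ok": not problems, "problems": problems, "label": label}


def check_csr_file(path: str) -> dict:
    """Convenience wrapper: read the file and check it under its own name."""
    p = Path(path)
    return check_csr_text(p.read_text(encoding="ascii"), p.name)


# Constructed sample: the PEM armour of a minimal DER SEQUENCE { INTEGER 5 }.
# It is not a real CSR (a real one also carries subject, public key and a
# signature), but it exercises every check above.
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MAMCAQU=
-----END CERTIFICATE REQUEST-----
"""
# The same bytes cut short, as a truncated upload would look.
TRUNCATED_CSR = SAMPLE_CSR.replace("MAMCAQU=", "MAM=")

if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or []:
        print(arg, check_csr_file(arg))
```

The length check only looks at the outer SEQUENCE; it does not validate the request's signature or fields, which ENM does when it generates the certificate. Its purpose is to reject the files that would otherwise fail late in step 4 with a less specific error.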

16.5 Get Real Time Sec Log Attributes on CPP Based NEs
This procedure describes how to obtain attributes like syslog server, Feature
State on CPP based network elements.

Actors
Authorized for: NodeSecurity_Administrator, Action: execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Nodes must exist in the system.

— Nodes must be synchronized.


Steps

1. Read rtsel details on the node.

Run the following ENM CLI command:

secadm rtsel get

See online help for more details.

Results
If the command is triggered successfully, the following message is displayed:

Sample Response:

RTSEL details for 1 valid node(s) is/are listed below.

Node Name                  : NetworkElement=LTE102ERBS00001
Syslog Server              : Server Name : Syslog-1
                             Address : 100.25.153.65
                             Protocol : TLS_OVER_TCP
Syslog Server Name         : Server Name : Syslog-2
                             No
                             Protocol : TLS_OVER_TCP
Feature State              : DEACTIVATED
Severity Log Level         : DEBUG
Connection Attempt Timeout : 10
Application Name           : Ericsson
Status                     : Feature is Deactivated.
                             Provides authentication based on the MD5 or SHA1 algorithms.
                             Provides authentication based on the MD5 or SHA1 algorithms. In addition
                             to authentication, provides DES or AES128 encryption algorithms.
Error Details              : NA

Command Executed Successfully.

See online help for more details.


17 Management of Real-Time Security Event Logging (RTSEL) on Baseband Radio Nodes

The Real-Time Security Event Logging (RTSEL) feature captures real-time
security events that occur in the network, reports them for further handling in
a comprehensive way, and sends them to an external <syslog> server.

This gives real-time feedback to detect threats against the system. This is
done by collecting security events from all nodes. The content of the <syslog>
stream is identical to, or a subset of, the Local Security and Audit Trail Logs.

The role of the ENM system is to configure the Network Element with all the data
relevant to RTSEL communication and equip both External <syslog> server and
Network Element with certificates ensuring secure event dispatching.

See the section Offline Enrollment of External Syslog Server on page 398.

The RTSEL feature supports the following use cases:

1. RTSEL Activation.
2. RTSEL Deactivation.
3. Get RTSEL Status.

17.1 Activate Real Time Security Event Logging (RTSEL) for Baseband Radio Network Elements

RTSEL activation enables Baseband Radio network elements to send event logs
to an external syslog server.

Prerequisites
— Network Elements must exist in the system.

— Operator must have Cmedit_Administrator role.

— Node Credential and Trust Category are installed on the node. If not, perform
trust distribution and online enrollment on the node.

— The license key is installed in the node.

— The <syslog> server is set up for reception of <syslog> events.


Steps

1. Set the FeatureState to ACTIVATED.

cmedit set ManagedElement=<Network_Element>,SystemFunctions=1,Lm=1,FeatureState=CXC4040010 featureState=ACTIVATED --force

Example
cmedit set SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,Lm=1,FeatureState=CXC4040010 featureState=ACTIVATED --force
SUCCESS FDN : SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,Lm=1,FeatureState=CXC4040010

2. Create the LogPushTransfer MO.

cmedit create ManagedElement=<Network_Element>,SystemFunctions=1,LogM=1,Log=SecurityLog,LogPushTransfer=1 logPushTransferId=1, uri= "<URI_Of_External_Server>"

Example
cmedit create SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,LogM=1,Log=SecurityLog,LogPushTransfer=TCP logPushTransferId=1, uri= "syslog://[2001:1b70:8210:9500::1c]"
FDN : SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,LogM=1,Log=SecurityLog,LogPushTransfer=1
logPushTransferId : 1
operationalState : null
password : null
transferType : BULK
uri : syslog://[2001:1b70:8210:9500::1c]

3. Update the attribute transferType to STREAM.

cmedit set ManagedElement=<Network_Element>,SystemFunctions=1,LogM=1,Log=SecurityLog,LogPushTransfer=1 transferType=STREAM

Example
cmedit set SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,LogM=1,Log=SecurityLog,LogPushTransfer=1 transferType=STREAM
SUCCESS FDN : SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,LogM=1,Log=SecurityLog,LogPushTransfer=1

4. Update the nodeCredential and trustCategory attributes under the LogM MO.

cmedit set ManagedElement=<Network_Element>,SystemFunctions=1,LogM=1 nodeCredential='<fdn_of_oam_Node_Credential>', trustCategory='<fdn_of_oam_trust_category>'

Ex: cmedit set ManagedElement=<Network_Element>,SystemFunctions=1,LogM=1 nodeCredential='ManagedElement=<Network_Element>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=oamNodeCredential', trustCategory='ManagedElement=<Network_Element>,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=oamTrustCategory'

Example
cmedit set SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,LogM=1 nodeCredential='SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1', trustCategory='SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1'
SUCCESS FDN : SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,LogM=1

17.2 Deactivate Real Time Security Event Logging (RTSEL) for Baseband Radio Network Elements

RTSEL deactivation on Baseband Radio network elements disables the sending
of the event logs to the external syslog server.

Prerequisites
— Real-Time Security Event Logging is activated on the node.

— The deactivation of the Real-Time Security Event Logging feature is agreed
with the administrator of the Syslog server.

Steps

1. Set the FeatureState to DEACTIVATED.

cmedit set ManagedElement=<Network_Element>,SystemFunctions=1,Lm=1,FeatureState=CXC4040010 featureState=DEACTIVATED --force

Example
cmedit set SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,Lm=1,FeatureState=CXC4040010 featureState=DEACTIVATED --force
SUCCESS FDN : SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,Lm=1,FeatureState=CXC4040010

17.3 Get Real Time Security Event Logging (RTSEL) Status for Baseband Radio Network Elements

This section describes the procedure to check the feature state and operational
state of RTSEL.

Prerequisites
— Operator must have Cmedit_Administrator role.

— Nodes must exist in the system.


— Nodes must be synchronized.

Steps

1. Get the FeatureState.

cmedit get ManagedElement=<Network_Element>,SystemFunctions=1,Lm=1,FeatureState=CXC4040010

Example
cmedit get SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,Lm=1,FeatureState=CXC4040010
description : Real Time Security Event Logging
featureKey : [SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,Lm=1,FeatureKey=CXC4040010_5]
featureState : ACTIVATED
featureStateId : CXC4040010
keyId : CXC4040010
licenseState : ENABLED
serviceState : OPERABLE

2. Get the operational state.

cmedit get <Network_Element> LogPushTransfer.*

Example
cmedit get MSME12 LogPushTransfer.*
FDN : SubNetwork=G2RBS,MeContext=MSME12,ManagedElement=MSME12,SystemFunctions=1,LogM=1,Log=SecurityLog,LogPushTransfer=1
logPushTransferId : 1
operationalState : ENABLED
password : null
transferType : STREAM
uri : syslog://[2001:1b70:8210:9500::1c]


18 Management of Real Time Security Event Logging (RTSEL) for AXE Network Elements

The Real-Time Security Event Logging (RTSEL) feature captures real-time
security events that occur in the network, reports them for further handling in
a comprehensive way, and sends them to an external <syslog> server.

This gives real-time feedback to detect threats against the system. This is
done by collecting security events from all nodes. The content of the <syslog>
stream is identical to, or a subset of, the Local Security and Audit Trail Logs.

The role of the ENM system is to configure the Network Element with all the data
relevant to RTSEL communication and equip both External <syslog> server and
Network Element with certificates ensuring secure event dispatching.

See the section Offline Enrollment of External Syslog Server on page 398.

The RTSEL feature supports the following use cases:

1. RTSEL Activation.
2. RTSEL Deactivation.
3. Get RTSEL Status.

18.1 Activate Real Time Security Event Logging (RTSEL) for AXE Network Elements

RTSEL activation enables AXE network elements to send event logs to an external
<syslog> server.

Prerequisites
— Network Elements must exist in the system.

— Node Credential and Trust Category are installed on the node. If not, perform
trust distribution and online enrollment on the node.

— The license key is installed in the node.

— The <syslog> server is set up for reception of <syslog> events.

Steps

1. Open Network Explorer application in ENM GUI.


2. Select the node from Actions → Launch WinFIOL GUI.

3. List the log streams that are supported with Log Management Function.

>dn -m LogM
>(LogM=1)>show

4. Go to RemoteLogServer=security from the list and verify that the availStatus
is OFF_LINE and the operationalState is DISABLED.

(LogM=1)RemoteLogServer=security
(RemoteLogServer=security)>show

5. Issue Configure command.

(RemoteLogServer=security)>configure

This command is used to configure the node credential, trust category, and
external Syslog server URI in the following steps.

6. Configure nodecredential.

(config-RemoteLogServer=security)>nodeCredential="<fdn_of_OAM_NodeCredential>"

7. Configure trustcategory.

(config-RemoteLogServer=security)>trustCategory="<fdn_of_OAM_TrustCategory>"

8. Add the URI.

(config-RemoteLogServer=security)>uri="<URI_Of_External_Syslog_Server>"

9. Commit the changes and verify that log streaming is activated for the
security logs, that is, operationalState is ENABLED.

(config-RemoteLogServer=security)>commit -s
(config-RemoteLogServer=security)>show

Results
After the successful activation of RTSEL, operationalState is ENABLED. The
following is the sample output for all the executed steps.

>dn -m LogM
ManagedElement=BSC004,SystemFunctions=1,LogM=1
(LogM=1)>show
LogM=1
Log=sec_auth
Log=security_audit


Log=saLogSystem
Log=kernel
Log=messages
Log=commonLogConfig
Log=FaultManagementCfgLogAlarmStream
Log=FaultManagementCfgLogAlertStream
Log=ComSecLogStream
Log=ComCliCmdLogStream
Log=ComSaCfgLogStream
Log=ComCfgLogStream
RemoteLogServer=regular
RemoteLogServer=security
(LogM=1)>RemoteLogServer=security
(RemoteLogServer=security)>show
RemoteLogServer=security
availStatus
OFF_LINE
operationalState=DISABLED
(RemoteLogServer=security)>configure
(config-RemoteLogServer=security)>nodeCredential="ManagedElement=BSC004,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
(config-RemoteLogServer=security)>trustCategory="ManagedElement=BSC004,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
(config-RemoteLogServer=security)>uri="10.74.143.10:10514"
(config-RemoteLogServer=security)>commit -s
(config-RemoteLogServer=security)>show
RemoteLogServer=security
nodeCredential="ManagedElement=BSC004,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
operationalState=ENABLED
trustCategory="ManagedElement=BSC004,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
uri="10.74.143.10:10514"
(config-RemoteLogServer=security)>

18.2 Deactivate Real Time Security Event Logging (RTSEL) for AXE Network Elements

RTSEL deactivation on AXE network elements disables the sending of the event
logs to the external <syslog> server.

Prerequisites
— Real-Time Security Event Logging is activated on the node.

— The deactivation of the Real-Time Security Event Logging feature is agreed
with the administrator of the Syslog server.

Steps

1. Deactivate the RTSEL.

(config-RemoteLogServer=security)>show
(config-RemoteLogServer=security)>no nodeCredential
(config-RemoteLogServer=security)>no trustCategory
(config-RemoteLogServer=security)>no uri

2. Commit the changes and verify that the availStatus is OFFLINE and the
operationalState is DISABLED.

(config-RemoteLogServer=security)>commit -s
(config-RemoteLogServer=security)>show


Results
After the successful deactivation of RTSEL, operationalState is DISABLED and
availStatus is OFFLINE. The following is the sample output for all the executed
steps.

(config-RemoteLogServer=security)>show
RemoteLogServer=security
nodeCredential="ManagedElement=BSC004,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
operationalState=ENABLED
trustCategory="ManagedElement=BSC004,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
uri="10.74.143.10:10514"
(config-RemoteLogServer=security)>no nodeCredential
(config-RemoteLogServer=security)>no trustCategory
(config-RemoteLogServer=security)>no uri
(RemoteLogServer=security)>show
RemoteLogServer=security
availStatus
OFF_LINE
operationalState=DISABLED

18.3 Get Real Time Security Event Logging (RTSEL) Status for AXE Network Elements

This section describes the procedure to check the availStatus and the
operationalState of RTSEL.

Prerequisites
— Operator must have Cmedit_Administrator role.

— Nodes must exist in the system.

— Nodes must be synchronized.

Steps

1. List the log streams that are supported by the Log Management Function, go
to RemoteLogServer=security from the list, and use the show command to check
the availStatus and operationalState.

(LogM=1)>RemoteLogServer=security
(RemoteLogServer=security)>show

Example
When the RTSEL is deactivated:

>dn -m LogM
ManagedElement=BSC004,SystemFunctions=1,LogM=1
(LogM=1)>
(LogM=1)>RemoteLogServer=security
(RemoteLogServer=security)>show
RemoteLogServer=security
availStatus
    OFF_LINE
operationalState=DISABLED

When the RTSEL is activated:

>dn -m LogM
ManagedElement=BSC004,SystemFunctions=1,LogM=1
(LogM=1)>
(LogM=1)>RemoteLogServer=security
(RemoteLogServer=security)>show
RemoteLogServer=security
nodeCredential="ManagedElement=BSC004,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=2"
operationalState=ENABLED
trustCategory="ManagedElement=BSC004,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=2"
uri="10.74.143.10:10514"


19 Router6000 External CA Import Procedure

This task describes the steps required to update the ENM Trust Store to
include the required External CAs.

This procedure enables ENM to trust security enabled NEs that have been
configured with CA certificates, allowing these NEs to synchronize in ENM.

Prerequisites
The Operator must have the ENM roles: ADMINISTRATOR, SECURITY_ADMIN.

Steps

1. Enable the security algorithms: SHA1, MD5, PasswordBasedMAC.

The status of the security algorithms can be checked using the ENM CLI
command:

pkiadm cfg algo -l -t all -s all

If disabled, enable the algorithms using the ENM CLI command:

pkiadm cfg algo -e -n <algorithm_name>

2. Disable Credential Manager Checks.

See the section Disable Credential Manager Monitoring of the document
ENM Public Key Infrastructure System Administrator Guide, Reference [8].

3. Import the valid .pem certificate into ENM as External CA.

For each certificate copied, drag and drop the file to the ENM CLI and run the
command:

pkiadm extcaimport -fn file:<certificatePemFileName> -cr false --name "ROOT_CA_NAME" --rfcvalidation true

4. Verify that the certificates were imported correctly.

pkiadm extcalist

5. Update ENM_SBI_FCTP_TP Trust Profile.

a. Export the ENM_SBI_FCTP_TP Trust Profile XML:


pkiadm profilemgmt --export --profiletype trust --name ENM_SBI_FCTP_TP

b. Open the file and obtain the Id attribute of the TrustProfile tag.
c. Create an XML file using the following template (ENM_SBI_FCTP_TP):

<Profiles>
  <TrustProfile Id="{trust_profile_id}" Name="ENM_SBI_FCTP_TP">
    <Modifiable>true</Modifiable>
    <TrustCAChain>
      <IsChainRequired>false</IsChainRequired>
      <InternalCA>
        <CertificateAuthority>
          <Name>NE_OAM_CA</Name>
        </CertificateAuthority>
      </InternalCA>
    </TrustCAChain>
    <TrustCAChain>
      <IsChainRequired>false</IsChainRequired>
      <InternalCA>
        <CertificateAuthority>
          <Name>ENM_PKI_Root_CA</Name>
        </CertificateAuthority>
      </InternalCA>
    </TrustCAChain>
    <!--========== ADDED CERTIFICATE AUTHORITIES ====================-->
    <ExternalCA>
      <CertificateAuthority>
        <Name>ROOT_CA_NAME</Name>
      </CertificateAuthority>
    </ExternalCA>
    <!--=============================================================-->
  </TrustProfile>
</Profiles>

d. Edit the XML file.

In the XML file, replace {trust_profile_id} with the TrustProfile Id
obtained in step 5.b.
e. Drag and drop the XML file into the ENM CLI and run the command:

pkiadm profilemgmt --update --xmlfile file:<update_trust_profile_xml>

f. Verify that the ENM_SBI_FCTP_TP Trust Profile has been updated with
the External CA.

6. Reissue service certificates.

See the section Reissue Service Certificates in the document ENM Public Key
Infrastructure System Administrator Guide, Reference [8].

7. Re-enable credential manager checks.

See the section Re-Enable Credential Manager Monitoring in the document
ENM Public Key Infrastructure System Administrator Guide, Reference [8].

Results
External CAs must be updated in the ENM_SBI_FCTP_TP Trust Profile.
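As an added example (not part of this guide or of the ENM product), the following Python script performs steps 5.b to 5.d for ENM_SBI_FCTP_TP without hand-editing: it reads the TrustProfile Id from the exported XML, keeps the existing TrustCAChain entries, appends the External CA once, and checks the result the way step 5.f requires. It assumes the exported file uses the same Profiles/TrustProfile elements as the template in step 5.c; the sample export and its Id value are constructed.

```python
# Added example, not from the ENM guide or Ericsson code. Builds the
# ENM_SBI_FCTP_TP update file of step 5 from an exported trust profile and
# verifies the External CA afterwards (step 5.f). Assumes the export uses the
# <Profiles>/<TrustProfile> layout of the step 5.c template.
import xml.etree.ElementTree as ET

PROFILE_NAME = "ENM_SBI_FCTP_TP"

# Constructed sample standing in for the output of
# "pkiadm profilemgmt --export --profiletype trust --name ENM_SBI_FCTP_TP".
# The Id value is made up for the example.
SAMPLE_EXPORT = """<Profiles>
  <TrustProfile Id="1234" Name="ENM_SBI_FCTP_TP">
    <Modifiable>true</Modifiable>
    <TrustCAChain>
      <IsChainRequired>false</IsChainRequired>
      <InternalCA><CertificateAuthority><Name>NE_OAM_CA</Name></CertificateAuthority></InternalCA>
    </TrustCAChain>
    <TrustCAChain>
      <IsChainRequired>false</IsChainRequired>
      <InternalCA><CertificateAuthority><Name>ENM_PKI_Root_CA</Name></CertificateAuthority></InternalCA>
    </TrustCAChain>
  </TrustProfile>
</Profiles>
"""


def _find_profile(root, name):
    for prof in root.iter("TrustProfile"):
        if prof.get("Name") == name:
            return prof
    raise ValueError(f"no TrustProfile named {name!r} in export")


def trust_profile_id(export_xml, name=PROFILE_NAME):
    """Step 5.b: read the Id attribute of the TrustProfile tag."""
    pid = _find_profile(ET.fromstring(export_xml), name).get("Id")
    if not pid:
        raise ValueError("TrustProfile has no Id attribute")
    return pid


def external_ca_names(profile_xml, name=PROFILE_NAME):
    """Step 5.f: names of the External CAs present in a trust profile."""
    prof = _find_profile(ET.fromstring(profile_xml), name)
    return sorted(n.text.strip()
                  for n in prof.findall("ExternalCA/CertificateAuthority/Name")
                  if n.text)


def build_update_xml(export_xml, external_ca, name=PROFILE_NAME):
    """Steps 5.c and 5.d: produce the file passed to
    'pkiadm profilemgmt --update --xmlfile file:<update_trust_profile_xml>'.
    The Id is copied from the export, the TrustCAChain entries and any
    External CAs already present are kept, and the new External CA is
    appended once."""
    if external_ca in external_ca_names(export_xml, name):
        raise ValueError(f"{external_ca} is already an External CA of {name}")
    pid = trust_profile_id(export_xml, name)
    src = _find_profile(ET.fromstring(export_xml), name)

    profiles = ET.Element("Profiles")
    prof = ET.SubElement(profiles, "TrustProfile", Id=pid, Name=name)
    ET.SubElement(prof, "Modifiable").text = "true"
    for chain in src.findall("TrustCAChain"):
        prof.append(chain)            # internal CA chains unchanged
    for ext in src.findall("ExternalCA"):
        prof.append(ext)              # External CAs already present
    ca = ET.SubElement(ET.SubElement(prof, "ExternalCA"), "CertificateAuthority")
    ET.SubElement(ca, "Name").text = external_ca
    ET.indent(profiles)
    return ET.tostring(profiles, encoding="unicode")


if __name__ == "__main__":
    update = build_update_xml(SAMPLE_EXPORT, "ROOT_CA_NAME")
    print(update)
    print("External CAs after update:", external_ca_names(update))
```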


20 IPsec CLI Management

This section describes the IP Security (IPsec) feature and its functionality.

IPsec is an end-to-end security scheme operating in the Network Layer of the
Internet Protocol Suite.

This feature provides the following:

— IP level protection: all messages on higher levels, such as the
application level, are protected independent of their own encryption status.

— Protection of management plane traffic between eNBs and Security
Gateways (SEGs) in the Long Term Evolution (LTE) network.

By setting up IPsec tunnels (between eNBs and SEGs) using Encapsulating
Security Payload (ESP) in tunnel mode, it provides encryption and integrity
protection for the traffic and management plane to exclude unauthorized access
and prohibit malicious activities by third parties.

The following are the two types of IPsec tunnels which can be established
between Node and Security Gateway:

— IPsec tunnel for Operation and Maintenance, for communication between
eNBs and ENM Infrastructures.

— IPsec tunnel for Traffic, for communication between eNBs and Private
Networks.

ENM PKI Management provides X.509 and trusted CA certificate support for
IPsec enabled Long Term Evolution (LTE) network, Core Network, and Security
Gateways (SEGs).

The communicating Traffic and O&M IPsec peers use the provided certificates (ENM
PKI) while performing IKEv2 key negotiation.

The main use cases in the IPsec solution are:

— Activation of IPsec Configuration for OAM with different IpInterfaces on an
already operational node. This is referred to as Configuration 1.

— Deactivation of IPsec Configuration 1 for OAM.

— Activation and Deactivation of IPsec for OAM by using a site basic file.

— Retrieval of the current IPsec status.


Note: The secadm ipsec command supports only Configuration 1 and the generic
configuration (using a site basic file). Configuration 2 is not supported by
secadm ipsec.

In Configuration 2, both OAM and Traffic use the same IpInterface and
IpAccessHostEt (Outer Host).

Activate IPsec for OAM on an Already Operational Node

Once Activate IPsec for OAM is triggered, it internally performs the following
sequence of steps:

1. Certificate Enrollment on the node.

2. Distributes Trust Certificate on the node. If the trusted certificates are
already installed on the node, it skips this step.

3. Activates IPsec on the node with the given configuration. The node
remains integrated, operational, and carries OAM communication through
a configured IPsec tunnel.

See Activate IPsec Configuration for OAM on an Already Operational Node on
page 415 for more details.

Deactivate IPsec for OAM on an Already Operational Node

To trigger the deactivation command, IPsec for OAM must be activated on
the node. That is, the node is integrated and operational and carries OAM
communication through an IPsec tunnel.

The Disable IPsec workflow deactivates the IPsec tunnel; afterwards the node
remains integrated and operational and carries OAM communication over the OAM
transport network.

See Deactivate IPsec Configuration for OAM on eNodeB DU Radio Nodes on
page 419 for more details.

Activate and Deactivate IPsec for OAM by Using Site Basic File

Once Activate IPsec for OAM is triggered using the site basic file, it internally
performs the following sequence of steps.

1. Certificate Enrollment on the node.

2. Distributes Trust Certificate on the node. If the trusted certificates are
already installed on the node, this step is skipped.

3. Activates IPsec on the node with the given configuration. The node remains
integrated, operational, and carries OAM communication over the OAM
transport network.


See Activate or Deactivate IPsec Configuration for OAM by Using Site Basic
File on page 422 for more details.

Retrieve Current IPsec Status Information

The IPsec status command returns the current IPsec status on the node.

See Get IPsec Current Status on page 424 to know how to retrieve the current
IPsec status information.

20.1 Activate IPsec Configuration for OAM on an Already Operational Node

This procedure describes how to activate IPsec for OAM on eNodeB DU
Radio Nodes (ERBS).

In Configuration 1, there are different IpInterfaces for OAM and traffic. That
is, OAM and Traffic each have a separate IpAccessHostEt (outer IP host).

Figure 44

Prerequisites

— Nodes must be synchronized.

— User must have root access to the ENM.

— Enable the SHA1 algorithm to avoid Certificate Enrollment failure.

  — Check the algorithm status:

    pkiadm cfg algo --list --type all --status all

  — If the SHA1 algorithm is disabled, enable it.

    pkiadm configmgmt algo --enable --name SHA1

— FM supervision must be enabled on the node.

  — Check alarmSupervisionState on the node:

    alarm status <nodename>

  — If alarmSupervisionState is not enabled, enable it.

    fmedit set NetworkElement=<nodename>,FmAlarmSupervision=1 alarmSupervisionState=true

— The certificate-based authentication must be enabled for IPsec at the Security
Gateway.

— The variable <ossCorbaNameServiceAddress> must be set on the Node
under the RbsConfiguration MO. If it is not set, connect to the Linux
Management Server (LMS) for physical deployments. Connect to VNF-LAF
for cloud deployments. Run the following command.

If the Node IP Address is IPv4 type, use the command:

cat /etc/hosts | grep visinamingsb-pub

Copy the visinamingsb-pub address and set the same to the
<ossCorbaNameServiceAddress> variable by using the cmedit command
from ENM CLI.

cmedit set MeContext=<node_name>,ManagedElement=1,NodeManagementFunction=1,RbsConfiguration=1 ossCorbaNameServiceAddress=<visinamingsb-pub_address>

If the Node IP Address is IPv6 type, use the following command:

cat /ericsson/tor/data/global.properties | grep visinamingsb_service_IPv6_IPs

Copy the visinamingsb_service_IPv6_IPs address and set the same to the
<ossCorbaNameServiceAddress> variable by using the cmedit command
from ENM CLI.

cmedit set MeContext=<node_name>,ManagedElement=1,NodeManagementFunction=1,RbsConfiguration=1 ossCorbaNameServiceAddress=<visinamingsb_service_IPv6_IPs_address>

Actors

Authorized for: NodeSecurity_Administrator, PKI Administrator,
FM_Administrator, Cmedit_Administrator
Action: activate

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Supported Algorithm Type

The following table contains the values for ipSecTunnelAllowedTransforms
and ikePeerAllowedTransforms in the input XML file for the IpSecTunnel and
IkePeer MOs for the corresponding node versions.

Table 29 Supported Algorithm Type

NE Release: 15A, 16A
  IkePeer
    DiffieHellmanGroup: GROUP_2, GROUP_14
    IkeEncryptionAlgorithm: AES_CBC_128, AES_CBC_256, ALG_3DES_CBC
    IkeIntegrityAlgorithm: AES_XCBC_MAC_96, HMAC_MD5_96, HMAC_SHA_1_96
    PseudoRandomFunction: AES_XCBC_PRF128, HMAC_SHA1, HMAC_MD5
  IpSecTunnel
    ChildSaEncryptionAlgorithm: NULL, AES_CBC_128, AES_CBC_256, ALG_3DES_CBC
    ChildSaIntegrityAlgorithm: AES_XCBC_MAC_96, HMAC_SHA_1_96, HMAC_MD5_96

NE Release: 16B, 17A, 17.Q1, 17.Q2
  IkePeer
    DiffieHellmanGroup: GROUP_2, GROUP_14, GROUP_19, GROUP_20
    IkeEncryptionAlgorithm: AES_CBC_128, AES_CBC_256, ALG_3DES_CBC
    IkeIntegrityAlgorithm: AES_XCBC_MAC_96, HMAC_MD5_96, HMAC_SHA_1_96, HMAC_SHA2_256_128
    PseudoRandomFunction: AES_XCBC_PRF128, HMAC_SHA1, HMAC_MD5, HMAC_SHA2_256
  IpSecTunnel
    ChildSaEncryptionAlgorithm: NULL, AES_CBC_128, AES_CBC_256, ALG_3DES_CBC
    ChildSaIntegrityAlgorithm: AES_XCBC_MAC_96, HMAC_SHA_1_96, HMAC_MD5_96, HMAC_SHA2_256_128

NE Release: 17.Q3, 17.Q4, 18.Q1
  IkePeer
    DiffieHellmanGroup: GROUP_2, GROUP_14, GROUP_19, GROUP_20
    IkeEncryptionAlgorithm: AES_CBC_128, AES_CBC_256, ALG_3DES_CBC, AES_128_GCM_128, AES_256_GCM_128
    IkeIntegrityAlgorithm: AES_XCBC_MAC_96, HMAC_MD5_96, HMAC_SHA_1_96, HMAC_SHA2_256_128, AES_GCM
    PseudoRandomFunction: NULL, AES_CBC_128, AES_CBC_256, ALG_3DES_CBC, AES_128_GCM_128, AES_256_GCM_128
  IpSecTunnel
    ChildSaEncryptionAlgorithm: NULL, AES_CBC_128, AES_CBC_256, ALG_3DES_CBC, AES_128_GCM_128, AES_256_GCM_128
    ChildSaIntegrityAlgorithm: AES_XCBC_MAC_96, HMAC_SHA_1_96, HMAC_MD5_96, HMAC_SHA2_256_128, AES_GCM
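The following Python check is an added example and not part of this guide: it encodes the Diffie-Hellman group, encryption and integrity columns of Table 29 and validates the ipSecTunnelAllowedTransforms and ikePeerAllowedTransforms of an EnableOMConfiguration1 fragment (the element names are those of the NODES_XML shown in Section 20.1.1) against the row for a given node release. The PseudoRandomFunction column is not checked, and the sample fragment is constructed.

```python
# Added example, not from the ENM guide or Ericsson code. Checks the
# transforms of an EnableOMConfiguration1 fragment against Table 29 for a
# node release. Element names follow the NODES_XML quoted in Section 20.1.1;
# the PseudoRandomFunction column of the table is not checked here.
import xml.etree.ElementTree as ET

# Table 29 rows (DH group, IKE and child SA encryption/integrity columns).
_ROW_15A = {
    "dhGroup": {"GROUP_2", "GROUP_14"},
    "ikeEnc": {"AES_CBC_128", "AES_CBC_256", "ALG_3DES_CBC"},
    "ikeInt": {"AES_XCBC_MAC_96", "HMAC_MD5_96", "HMAC_SHA_1_96"},
    "childEnc": {"NULL", "AES_CBC_128", "AES_CBC_256", "ALG_3DES_CBC"},
    "childInt": {"AES_XCBC_MAC_96", "HMAC_SHA_1_96", "HMAC_MD5_96"},
}
_ROW_16B = {
    "dhGroup": {"GROUP_2", "GROUP_14", "GROUP_19", "GROUP_20"},
    "ikeEnc": {"AES_CBC_128", "AES_CBC_256", "ALG_3DES_CBC"},
    "ikeInt": {"AES_XCBC_MAC_96", "HMAC_MD5_96", "HMAC_SHA_1_96", "HMAC_SHA2_256_128"},
    "childEnc": {"NULL", "AES_CBC_128", "AES_CBC_256", "ALG_3DES_CBC"},
    "childInt": {"AES_XCBC_MAC_96", "HMAC_SHA_1_96", "HMAC_MD5_96", "HMAC_SHA2_256_128"},
}
_ROW_17Q3 = {
    "dhGroup": {"GROUP_2", "GROUP_14", "GROUP_19", "GROUP_20"},
    "ikeEnc": {"AES_CBC_128", "AES_CBC_256", "ALG_3DES_CBC",
               "AES_128_GCM_128", "AES_256_GCM_128"},
    "ikeInt": {"AES_XCBC_MAC_96", "HMAC_MD5_96", "HMAC_SHA_1_96",
               "HMAC_SHA2_256_128", "AES_GCM"},
    "childEnc": {"NULL", "AES_CBC_128", "AES_CBC_256", "ALG_3DES_CBC",
                 "AES_128_GCM_128", "AES_256_GCM_128"},
    "childInt": {"AES_XCBC_MAC_96", "HMAC_SHA_1_96", "HMAC_MD5_96",
                 "HMAC_SHA2_256_128", "AES_GCM"},
}
TABLE_29 = {}
for _rel in ("15A", "16A"):
    TABLE_29[_rel] = _ROW_15A
for _rel in ("16B", "17A", "17.Q1", "17.Q2"):
    TABLE_29[_rel] = _ROW_16B
for _rel in ("17.Q3", "17.Q4", "18.Q1"):
    TABLE_29[_rel] = _ROW_17Q3

# Constructed fragment carrying the transforms shown in the Section 20.1.1 log.
SAMPLE_CONFIG = """<EnableOMConfiguration1>
  <ipSecTunnelAllowedTransforms>
    <ipSecTunnelAllowedTransform>
      <encryptionAlgorithm>AES_CBC_128</encryptionAlgorithm>
      <integrityAlgorithm>HMAC_SHA_1_96</integrityAlgorithm>
    </ipSecTunnelAllowedTransform>
  </ipSecTunnelAllowedTransforms>
  <ikePeerAllowedTransforms>
    <ikePeerAllowedTransform>
      <diffieHellmanGroup>GROUP_2</diffieHellmanGroup>
      <encryptionAlgorithm>AES_CBC_128</encryptionAlgorithm>
      <integrityAlgorithm>HMAC_SHA_1_96</integrityAlgorithm>
      <pseudoRandomFunction>HMAC_SHA1</pseudoRandomFunction>
    </ikePeerAllowedTransform>
  </ikePeerAllowedTransforms>
</EnableOMConfiguration1>
"""


def _values(root, path, tag):
    return [e.text.strip() for e in root.findall(f"{path}/{tag}") if e.text]


def check_transforms(release, config_xml):
    """Return a list of problems ('<field>=<value> not allowed for <release>'
    or '<field>: no value given'); an empty list means every transform in
    the fragment is listed in Table 29 for that release."""
    if release not in TABLE_29:
        raise ValueError(f"release {release!r} is not in Table 29")
    row = TABLE_29[release]
    root = ET.fromstring(config_xml)
    ike = "ikePeerAllowedTransforms/ikePeerAllowedTransform"
    child = "ipSecTunnelAllowedTransforms/ipSecTunnelAllowedTransform"
    checks = [
        ("dhGroup", _values(root, ike, "diffieHellmanGroup")),
        ("ikeEnc", _values(root, ike, "encryptionAlgorithm")),
        ("ikeInt", _values(root, ike, "integrityAlgorithm")),
        ("childEnc", _values(root, child, "encryptionAlgorithm")),
        ("childInt", _values(root, child, "integrityAlgorithm")),
    ]
    problems = []
    for field, values in checks:
        if not values:
            problems.append(f"{field}: no value given")
        for v in values:
            if v not in row[field]:
                problems.append(f"{field}={v} not allowed for {release}")
    return problems


if __name__ == "__main__":
    print("16A:", check_transforms("16A", SAMPLE_CONFIG))
    gcm = SAMPLE_CONFIG.replace("AES_CBC_128", "AES_128_GCM_128")
    print("16A with GCM:", check_transforms("16A", gcm))
    print("17.Q3 with GCM:", check_transforms("17.Q3", gcm))
```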

Steps

1. Activate IPsec for OAM on the node.

Use the following ENM CLI command:

secadm ipsec

See online help for more details.

Results

— If the command is triggered successfully, the following message is displayed
in ENM CLI:

IPsec activation/deactivation change initiated for <n> valid node(s), check the system log.


— IPsec tunnel for OAM must be established on the node. This can be verified
by using the command ikev2 ikesa after logging to the node.

— CppConnectivityInformation must be updated with the node inner IP
address. Use the ENM CLI command to get the <ipAddress> variable.

cmedit get NetworkElement=<node_name>,CppConnectivityInformation=1

— Node must be synchronized in ENM after IPsec tunnel establishment. Get the
sync status by using the command.

cmedit get NetworkElement=<node_name>,CmFunction=1

— Get the IPsec status by using secadm ipsec --status ENM CLI command. The
result of IPsec for OAM must be ACTIVATED.

— To monitor the IPsec Activation Status, see the section Monitor the IPsec
Activation Status on page 418.

20.1.1 Monitor the IPsec Activation Status

This section describes how to monitor the IPsec activation status from the
Log Viewer.

Prerequisites

— No prerequisites.

Steps

1. Search with the keyword Node name and Workflow Name (<Node_Name>
&& CPPActivateIpSec) in the log viewer.

INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (EJB default - 52) [Administrator, WorkFlow Handler [CPPActivateIpSec], STARTED, Node Security Service, node [NetworkElement=LTE08ERBS00001], workflow id [a29237ea-f75d-11e7-b1ba-52540044447f] : Workflow successfully started: business key [secwf_MeContext=LTE08ERBS00001]: params [{NODE_FDN=NetworkElement=LTE08ERBS00001, SUB_ALT_NAME=192.168.100.217, NODES_XML=<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Nodes>
<Node>
<NodeFdn>LTE08ERBS00001</NodeFdn>
<SubAltName>192.168.100.217</SubAltName>
<SubAltNameType>IPV4</SubAltNameType>
<EnableOMConfiguration1>
<removeTrustOnFailure>true</removeTrustOnFailure>
<trustedCertificateFilePath>IPSEC</trustedCertificateFilePath>
<dnsServer1>10.0.0.1</dnsServer1>
<dnsServer2>10.0.0.2</dnsServer2>
<ipAddressOaMInner>192.168.100.100</ipAddressOaMInner>
<networkPrefixLength>24</networkPrefixLength>
<ipAccessHostEtId>2</ipAccessHostEtId>
<defaultrouter0>10.10.10.1</defaultrouter0>
<ipAddressOaMOuter>192.168.100.217</ipAddressOaMOuter>
<remoteIpAddress>10.10.4.2</remoteIpAddress>
<remoteIpAddressMask>20</remoteIpAddressMask>
<peerOaMIpAddress>10.10.4.10</peerOaMIpAddress>
<peerIdentityIdFqdn>SeGW1.LTERAN.example.com</peerIdentityIdFqdn>
<peerIdentityIdType>IP_V4_ADDRESS</peerIdentityIdType>
<tsLocalIpAddressMask>24</tsLocalIpAddressMask>
<ipAddress>10.10.2.1</ipAddress>
<mask>0</mask>
</tsRemoteIpAddressRanges>
<ipSecTunnelAllowedTransforms>
<ipSecTunnelAllowedTransform>
<encryptionAlgorithm>AES_CBC_128</encryptionAlgorithm>
<integrityAlgorithm>HMAC_SHA_1_96</integrityAlgorithm>
</ipSecTunnelAllowedTransform>
</ipSecTunnelAllowedTransforms>
<ikePeerAllowedTransforms>
<ikePeerAllowedTransform>
<diffieHellmanGroup>GROUP_2</diffieHellmanGroup>
<encryptionAlgorithm>AES_CBC_128</encryptionAlgorithm>
<integrityAlgorithm>HMAC_SHA_1_96</integrityAlgorithm>
<pseudoRandomFunction>HMAC_SHA1</pseudoRandomFunction>
</ikePeerAllowedTransform>
</ikePeerAllowedTransforms>
<vid>1</vid>
</EnableOMConfiguration1>
</Node>
</Nodes>
, SUB_ALT_NAME_TYPE=IPV4}]]

2. Identify the workflow ID a29237ea-f75d-11e7-b1ba-52540044447f for
the corresponding NetworkElement, search with the workflow id, and the
message FINISHED_WITH_SUCCESS appears:

INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (job-executor-tp-threads -7) [NO USER DATA, WorkFlow Handler [CPPActivateIpSec], FINISHED_WITH_SUCCESS, Node Security Service, node [NetworkElement=LTE08ERBS00001], workflow id [a29237ea-f75d-11e7-b1ba-52540044447f] : Workflow successfully completed with jobID: N/A, wfStatusId: null, activationStep: CPP Cleanup M2M User and SMRS]

20.2 Deactivate IPsec Configuration for OAM on eNodeB DU Radio Nodes

This procedure describes how to deactivate IPsec for OAM on eNodeB
DU Radio Nodes (ERBS).

Prerequisites

— Nodes must be synchronized.

— User must have root access to the ENM.

— IPsec for OAM must be activated on the node.

— The variable <ossCorbaNameServiceAddress> must be set on the Node
under the RbsConfiguration MO. If it is not set, connect to the Linux
Management Server (LMS) for physical deployments. Connect to VNF-LAF
for cloud deployments.

If the Node IP Address is IPv4 type, use the command:

cat /etc/hosts | grep visinamingsb-pub

Copy the visinamingsb-pub address and set the same to the
<ossCorbaNameServiceAddress> variable using the cmedit command from
ENM CLI.

cmedit set MeContext=<node_name>,ManagedElement=1,NodeManagementFunction=1,RbsConfiguration=1 ossCorbaNameServiceAddress=<visinamingsb-pub_address>

If the Node IP Address is IPv6 type, use the command:

cat /ericsson/tor/data/global.properties | grep visinamingsb_service_IPv6_IPs

Copy the visinamingsb_service_IPv6_IPs address and set the same to the
<ossCorbaNameServiceAddress> variable by using the cmedit command
from ENM CLI.

cmedit set MeContext=<node_name>,ManagedElement=1,NodeManagementFunction=1,RbsConfiguration=1 ossCorbaNameServiceAddress=<visinamingsb_service_IPv6_IPs_address>

Actors

Authorized for: NodeSecurity_Administrator and Cmedit_Administrator
Action: deactivate

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Steps

1. Deactivate IPsec for OAM on the node using secadm ipsec.

Results

— If the command is triggered successfully, the following message is displayed
in ENM CLI. See online help for more details.

IPsec activation/deactivation change initiated for <n> valid node(s), check the system log.

— IPsec configuration for OAM must be deactivated. This can be verified by
using the command ikev2 ikesa after logging on to the node.


— CppConnectivityInformation must be updated with the node outer IP
address. Use the following command to get the <ipAddress> variable.

cmedit get NetworkElement=<node_name>,CppConnectivityInformation=1

— Node must be in SYNC with ENM after IPsec tunnel is up. Obtain the sync
status by using the command:

cmedit get NetworkElement=<node_name>,CmFunction=1

— Obtain the IPsec status by using secadm ipsec --status ENM CLI
command. The result of IPsec for OAM must be DEACTIVATED.

— To monitor the IPsec Deactivation Status, see the section Monitor the IPsec
Deactivation Status on page 421.

20.2.1 Monitor the IPsec Deactivation Status

This section describes how to monitor the IPsec deactivation status from
the Log Viewer.

Prerequisites

— No prerequisites.

Steps

1. Search for the keyword Node Name and Workflow Name ('LTE08ERBS00001 &&
CPPDeactivateIpSec') in the log viewer.

INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (EJB default - 19) [Administrator, WorkFlow Handler [CPPDeactivateIpSec], STARTED, Node Security Service, node [NetworkElement=LTE08ERBS00001], workflow id [60fa0faa-f114-11e7-a0c9-52540044447f] : Workflow successfully started: business key [secwf_MeContext=LTE08ERBS00001]: params [{REMOVE_CERT=false, NODE_FDN=NetworkElement=LTE08ERBS00001, TRUST_SERIAL_NUMBER=-1, NODES_XML=<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Nodes>
<Node>
<NodeFdn>LTE08ERBS00001</NodeFdn>
<SubAltName>192.168.100.217</SubAltName>
<DisableOMConfiguration>
<removeCert>false</removeCert>
<dnsServer1>10.0.0.1</dnsServer1>
<dnsServer2>10.0.0.2</dnsServer2>
<ipAddressOaMOuter>192.168.100.217</ipAddressOaMOuter>
<defaultRouter0>10.10.10.1</defaultRouter0>
<networkPrefixLength>23</networkPrefixLength>
<remoteIpAddress>10.10.10.5</remoteIpAddress>
<remoteIpAddressMask>20</remoteIpAddressMask>
<vid>1</vid>
</DisableOMConfiguration>
</Node>
</Nodes>
, TRUST_ISSUER=null}]]

2. Identify the workflow ID 60fa0faa-f114-11e7-a0c9-52540044447f for
the corresponding NetworkElement, search with the workflow ID, and the
message "FINISHED_WITH_SUCCESS" appears as follows:

INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (job-executor-tp-threads - 8) [NO USER DATA, WorkFlow Handler [CPPDeactivateIpSec], FINISHED_WITH_SUCCESS, Node Security Service, node [NetworkElement=LTE08ERBS00001], workflow id [60fa0faa-f114-11e7-a0c9-52540044447f] : Workflow successfully completed with jobID: N/A, wfStatusId: null, activationStep: Deactivate IpSec]
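As an added example serving both Monitor the IPsec Activation Status (20.1.1) and Monitor the IPsec Deactivation Status (20.2.1), and not code from this guide or from ENM, the following Python script does the two-step lookup of those procedures automatically: it finds the STARTED event of a node's CPPActivateIpSec or CPPDeactivateIpSec workflow, then the latest event carrying the same workflow id, and lists workflows that have not reached FINISHED_WITH_SUCCESS. The COMMAND_LOGGER line layout is taken from the log lines quoted in the two sections; the sample lines are constructed from them with the params shortened.

```python
# Added example, not from the ENM guide or Ericsson code. Correlates
# COMMAND_LOGGER lines as Sections 20.1.1 and 20.2.1 do by hand: locate the
# STARTED event of a node's workflow, then the event with the same workflow
# id that tells how it ended.
import re

# Field layout taken from the log lines quoted in Sections 20.1.1 and 20.2.1.
_EVENT_RE = re.compile(
    r"WorkFlow Handler \[(?P<handler>[^\]]+)\], (?P<state>[A-Z_]+), "
    r"Node Security Service, node \[(?P<node>[^\]]+)\], "
    r"workflow id \[(?P<wfid>[0-9a-f-]+)\]"
)

# Constructed sample: the four lines from the guide with params shortened to
# "{...}", one made-up node (LTE08ERBS00002, all-zero workflow id) whose
# activation never finished, and one unrelated line.
SAMPLE_LOG = [
    "INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (EJB default - 52) [Administrator, "
    "WorkFlow Handler [CPPActivateIpSec], STARTED, Node Security Service, node "
    "[NetworkElement=LTE08ERBS00001], workflow id [a29237ea-f75d-11e7-b1ba-52540044447f] "
    ": Workflow successfully started: business key [secwf_MeContext=LTE08ERBS00001]: "
    "params [{...}]]",
    "INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (EJB default - 53) [Administrator, "
    "WorkFlow Handler [CPPActivateIpSec], STARTED, Node Security Service, node "
    "[NetworkElement=LTE08ERBS00002], workflow id [00000000-0000-0000-0000-000000000002] "
    ": Workflow successfully started: business key [secwf_MeContext=LTE08ERBS00002]: "
    "params [{...}]]",
    "INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (job-executor-tp-threads -7) [NO USER DATA, "
    "WorkFlow Handler [CPPActivateIpSec], FINISHED_WITH_SUCCESS, Node Security Service, node "
    "[NetworkElement=LTE08ERBS00001], workflow id [a29237ea-f75d-11e7-b1ba-52540044447f] "
    ": Workflow successfully completed with jobID: N/A, wfStatusId: null, "
    "activationStep: CPP Cleanup M2M User and SMRS]",
    "INFO [com.ericsson.oss.itpf.SOME_OTHER_LOGGER] (EJB default - 1) unrelated line",
    "INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (EJB default - 19) [Administrator, "
    "WorkFlow Handler [CPPDeactivateIpSec], STARTED, Node Security Service, node "
    "[NetworkElement=LTE08ERBS00001], workflow id [60fa0faa-f114-11e7-a0c9-52540044447f] "
    ": Workflow successfully started: business key [secwf_MeContext=LTE08ERBS00001]: "
    "params [{...}]]",
    "INFO [com.ericsson.oss.itpf.COMMAND_LOGGER] (job-executor-tp-threads - 8) [NO USER DATA, "
    "WorkFlow Handler [CPPDeactivateIpSec], FINISHED_WITH_SUCCESS, Node Security Service, node "
    "[NetworkElement=LTE08ERBS00001], workflow id [60fa0faa-f114-11e7-a0c9-52540044447f] "
    ": Workflow successfully completed with jobID: N/A, wfStatusId: null, "
    "activationStep: Deactivate IpSec]",
]


def parse_event(line):
    """Return handler, state, node and workflow id of a workflow log line,
    or None for lines that are not Node Security Service workflow events."""
    m = _EVENT_RE.search(line)
    return m.groupdict() if m else None


def latest_workflow(lines, node, handler):
    """Steps 1 and 2 of the monitoring procedures: the most recent STARTED
    event for (node, handler) fixes the workflow id; later events carrying
    that id update the state. Returns (workflow_id, state), or None when no
    such workflow was started in these lines."""
    wfid = state = None
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["node"] == node and ev["handler"] == handler and ev["state"] == "STARTED":
            wfid, state = ev["wfid"], "STARTED"
        elif wfid is not None and ev["wfid"] == wfid:
            state = ev["state"]
    return None if wfid is None else (wfid, state)


def unfinished_workflows(lines):
    """(node, handler, workflow_id, state) for every started workflow whose
    latest state is not FINISHED_WITH_SUCCESS; these are the ones to look
    up in the system log."""
    started = {}
    for line in lines:
        ev = parse_event(line)
        if ev and ev["state"] == "STARTED":
            started[(ev["node"], ev["handler"])] = None
    pending = []
    for node, handler in started:
        wfid, state = latest_workflow(lines, node, handler)
        if state != "FINISHED_WITH_SUCCESS":
            pending.append((node, handler, wfid, state))
    return sorted(pending)


if __name__ == "__main__":
    node = "NetworkElement=LTE08ERBS00001"
    print("activation:", latest_workflow(SAMPLE_LOG, node, "CPPActivateIpSec"))
    print("deactivation:", latest_workflow(SAMPLE_LOG, node, "CPPDeactivateIpSec"))
    print("unfinished:", unfinished_workflows(SAMPLE_LOG))
```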

20.3 Activate or Deactivate IPsec Configuration for OAM by Using Site Basic File

This procedure describes how to activate or deactivate IPsec for OAM
on eNodeB DU Radio Nodes (ERBS) using a site basic file.

The user can provide any supported configuration in the site basic file and is
responsible for providing a valid site basic file for the respective configuration.

Prerequisites

— Nodes must be synchronized.

— User must have root access to the ENM.

— Enable the SHA1 algorithm to avoid Certificate Enrollment failure.

  — Check the algorithm status:

    pkiadm cfg algo --list --type all --status all

  — If the SHA1 algorithm is disabled, enable it.

    pkiadm configmgmt algo --enable --name SHA1

— FM supervision must be enabled on the node.

  — Check alarmSupervisionState on the node:

    alarm status <nodename>

  — If alarmSupervisionState is not enabled, enable it.

    fmedit set NetworkElement=<nodename>,FmAlarmSupervision=1 alarmSupervisionState=true

— The certificate-based authentication must be enabled for IPsec at the Security
Gateway.

— The variable <ossCorbaNameServiceAddress> must be set on the Node
under the RbsConfiguration MO. If it is not set, connect to the Linux
Management Server (LMS) for physical deployments. Connect to VNF-LAF
for cloud deployments.

If the Node IP Address is IPv4 type, use the command:

cat /etc/hosts | grep visinamingsb-pub

Copy the visinamingsb-pub address and set the same to the
<ossCorbaNameServiceAddress> variable by using the cmedit command
from ENM CLI.

cmedit set MeContext=<node_name>,ManagedElement=1,NodeManagementFunction=1,RbsConfiguration=1 ossCorbaNameServiceAddress=<visinamingsb-pub_address>

If the Node IP Address is IPv6 type, use the command:

cat /ericsson/tor/data/global.properties | grep visinamingsb_service_IPv6_IPs

Copy the visinamingsb_service_IPv6_IPs address and set the same to the
<ossCorbaNameServiceAddress> variable by using the cmedit command
from ENM CLI.

cmedit set MeContext=<node_name>,ManagedElement=1,NodeManagementFunction=1,RbsConfiguration=1 ossCorbaNameServiceAddress=<visinamingsb_service_IPv6_IPs_address>

Actors

Authorized for: NodeSecurity_Administrator, PKI Administrator,
FM_Administrator, Cmedit_Administrator
Action: activate

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Steps

1. Activate or deactivate IPsec for OAM on the node.

Use the following ENM CLI command:

secadm ipsec

See the online help for more details.

Results
— If the command is triggered successfully, the following message is displayed
in ENM CLI:

IPsec activation/deactivation change initiated for <n> valid node(s), check the system log.

— IPsec tunnel for OAM must be established on the node. This can be verified
by using the command ikev2 ikesa after logging to the node.

— CppConnectivityInformation must be updated with the node inner IP
address. Use the ENM CLI command to get the <ipAddress> variable.

cmedit get NetworkElement=<node_name>,CppConnectivityInformation=1

— Node must be synchronized in ENM after IPsec tunnel establishment. Get the
sync status by using the command.

cmedit get NetworkElement=<node_name>,CmFunction=1

— Get the IPsec status by using the secadm ipsec --status ENM CLI command. The
result of IPsec for OAM must be ACTIVATED.

— To monitor the IPsec Activation Status, see the section Monitor the IPsec
Activation Status on page 418.

20.4 Get IPsec Current Status

This section describes the procedure to get the current IPsec status
information on an eNodeB DU Radio Node (ERBS) or a list of nodes.

Prerequisites

— Nodes must be synchronized.

Actors
Authorized for: Node Security Administrator, Action: read

Authorized for: Node Security Operator, Action: read


For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Steps

1. Obtain the current IPsec status on the node.

Use the following ENM CLI command:

secadm ipsec --status

See the online help for more details.

Results
— If the command is triggered successfully, the following message is displayed
in ENM CLI:

IPsec Status details for 1 valid node(s) is/are listed below.

— IPsec current status must be retrieved and displayed as follows:

21 Configuration of TLS for OAM Communication

ENM uses the SSL/TLS protocol for secure communication with the nodes.

ENM uses the following protocols to communicate with the nodes.

— NETCONF over TLS

— HTTP over TLS

— CORBA over SSL/TLS (Secure CORBA)

— LDAP over TLS

The following two configuration parameters are introduced to manage
the TLS protocol versions in ENM.

— enabledTLSProtocolsECIM: this configuration parameter is used to enable
or disable the TLS protocol versions (TLSv1.0, TLSv1.1, TLSv1.2) in ENM
for TLS communications between ECIM-based nodes and ENM. The default
value is TLSv1.2.

— enabledTLSProtocolsCPP: this configuration parameter is used to enable
or disable the TLS protocol versions (TLSv1.0, TLSv1.1, TLSv1.2) in ENM for
TLS communications between CPP-based nodes and ENM. The default value
is TLSv1.0, TLSv1.1, and TLSv1.2.

The following are the application use cases in which the previous configuration
parameters are used to enable or disable the TLS protocols:

— The COM/ECIM mediation initiates NETCONF/TLS connections towards the
node. The supported TLS versions for the ECIM mediation are configured
through the enabledTLSProtocolsECIM configuration parameter.

— CORBA over SSL/TLS and HTTP over TLS protocol-based communications
are used by the CPP nodes only when the node is configured with
Security Level SL2/SL3. This communication is modified to use the
enabledTLSProtocolsCPP configuration parameter. By default, the CPP
mediation uses TLSv1.0, TLSv1.1, and TLSv1.2 since some older versions
of CPP Network Elements (<C16.2 EP18 and <C17.0 EP5) do not support
the renegotiation feature (request for a downgrade to TLSv1 from v2) when
ENM sends the TLSv1.2 protocol.

— FTP over TLS protocol-based communications are used by COM/ECIM
nodes. The supported TLS versions for this communication are configured by
the enabledTLSProtocolsECIM configuration parameter. The operator needs to
wait at least one minute for the updated TLS protocol versions to take effect.

— LDAP over TLS protocol-based communications are used by COM/ECIM
nodes. The supported TLS versions for this communication are configured by
the enabledTLSProtocolsECIM configuration parameter.

Note: ENM must be upgraded to the same ISO to reflect the updated TLS
protocol version:

— if the enabledTLSProtocolsCPP configuration parameter is modified,

— if the enabledTLSProtocolsECIM configuration parameter is modified.

For more information on the ENM upgrade in a physical environment,
see ENM Upgrade Instructions, Reference [27].

For more information on the ENM upgrade in a cloud environment,
see ENM on Cloud Upgrade Instructions, Reference [28].

— The AMOS and Element Manager Services use:

  — enabledTLSProtocolsECIM for TLS connections towards the ECIM
  nodes.

  — enabledTLSProtocolsCPP for TLS connections towards the CPP nodes.

Note: AMOS and Element Manager services are notified automatically
about the TLS version change when the corresponding TLS
configuration is updated. When a new session of AMOS or
Element Manager is launched, the recently changed TLS version
is used. If the TLS version is provided as a combination of two
or more protocols, AMOS or Element Manager tries to connect
with the highest TLS version available on the node.

— For Auto Provisioning:

  — During CPP node integration, a CORBA Node Up Notification is sent
  to ENM. The supported TLS versions for the notification are configured
  through the enabledTLSProtocolsCPP configuration parameter.

  — For the AIWS connection, the supported TLS versions are configured
  through the enabledTLSProtocolsCPP configuration parameter.
  TLSv1.2 is always supported even if it is not configured in this
  configuration parameter.

The following procedure configures the ENM system to always use TLSv1.2 as
the starting point. The procedure to change the TLS protocol
version in the configuration is available in the section TLS Protocol Version
Update on page 428.


21.1 TLS Protocol Version Update

This section describes the procedure to change the TLS protocol
version from TLSv1 to TLSv1.2 and the other way around for CORBA
Communication.

Note: Communication failure (sync fails) happens if the network contains
CPP nodes with a version lower than C16.2 EP18 or C17.0 EP5. Sync
failure happens only if the network has the mentioned node versions and
the nodes are in SL2 or SL3.

Prerequisites

— This procedure must be applied only when the network has CPP Nodes with
version >= C16.2 EP18 or >= C17.0 EP5.

— User has root access to the ENM.

Steps

1. Connect to pkiraserv.
See Connect to a Service on page 2.

2. Check the existing TLS version.

/ericsson/pkira/data/scripts/ConfigTlsPib.sh --readAll

3. Update TLS version.

/ericsson/pkira/data/scripts/ConfigTlsPib.sh --pibname <PIB Parameter Name> --pibvalue <PIB Parameter Value>

Press y to confirm the TLS version update.

Example
For CPP nodes:

/ericsson/pkira/data/scripts/ConfigTlsPib.sh --pibname "enabledTLSProtocolsCPP" --pibvalue "TLSv1.2,TLSv1.0"

For ECIM nodes:

/ericsson/pkira/data/scripts/ConfigTlsPib.sh --pibname "enabledTLSProtocolsECIM" --pibvalue "TLSv1.2,TLSv1.1"


4. Alternatively, configure by CLI the parameters enabledTLSProtocolsCPP,
enabledTLSProtocolsECIM, and enabledTLSProtocolsExtLDAP.

See Configuration Parameter Handling Using Admin CLI on page 14.

5. Upgrade the ENM to the same ISO to apply the configuration parameter values
of enabledTLSProtocolsCPP and enabledTLSProtocolsECIM.

See the following document for ENM upgrade in physical and cloud
environments.

— For physical environment, see ENM Upgrade Instructions, Reference
[27].

— For cloud environment, see ENM on Cloud Upgrade Instructions,
Reference [28].

— For Cloud Native deployment, see Cloud Native ENM Upgrade
Instructions, Reference [34].


22 HTTPS on CPP-Based Network Elements

ENM supports CLI commands for enabling, disabling, and monitoring HTTP
over TLS for CPP nodes.

HTTP over TLS protocol is used by all ENM client services accessing CPP nodes
(ENM mediation, AMOS, and EM).

HTTPS feature supports the following Network Elements types:

— ERBS

— RBS

— RNC

— Evo8300

— MGW

HTTPS feature supports the following use cases:

— HTTPS activation

— HTTPS deactivation

— HTTPS status.

22.1 Activate HTTPS on CPP-Based NEs


This section describes the procedure to change the HTTP protocol to HTTPS.

Prerequisites

— Nodes must exist in the system.

— Nodes must be synchronized.

— User must have Node Security administrator role to trigger the HTTPS
activate command.

— Node must have alarms enabled (using the command: alarm enable
<node_name>).


Steps

1. Activate HTTP over TLS (HTTPS) on the node.


Use the ENM CLI command:

secadm https activate --nodelist <node_name>

or

secadm https activate --nodefile file: <file_name>

The command triggers a workflow job responsible for the activation of
HTTPS. The job id is given in the command output:

Successfully started a job for HTTPS activate operation.
Perform 'secadm job get -j <job_id>' to get progress info.

The activation process consists of the following steps:

— Node validation

— Trusted certificates installation

— OAM certification enrollment

— HTTPS activation on the node

2. Verify the job status.

secadm job get -j <job_id>

The job status must be COMPLETED; if the workflow status is SUCCESS, HTTPS is
activated on the node.

3. Retrieve and verify the status.


Use the ENM CLI command:

secadm https getstatus --nodelist

or

secadm https getstatus --nodefile file: <file_name>


22.2 Deactivate HTTPS on CPP-Based NEs


This section describes the procedure to change the HTTPS protocol to HTTP.

Prerequisites

— Nodes must exist in the system.

— Nodes must be synchronized.

— User must have Node Security administrator role to trigger the HTTPS
deactivate command.

— Node must have alarms enabled (using the command alarm enable
<node_name>).

Steps

1. Deactivate HTTP over TLS (HTTPS) on the node.


Use the ENM CLI command:

secadm https deactivate --nodelist <node_name>

or

secadm https deactivate --nodefile file: <file_name>

The command triggers a workflow job responsible for the deactivation of
HTTPS. The job id is given in the command output:

Successfully started a job for HTTPS deactivate operation.
Perform 'secadm job get -j <job_id>' to get progress info.

The deactivation process consists of the following steps:

— Node validation

— HTTPS deactivation on the node

2. Verify the job status.

secadm job get -j <job_id>

The job status must be COMPLETED; if the workflow status is SUCCESS, HTTPS is
deactivated on the node.

3. Retrieve and verify the status.


Use the ENM CLI command:

secadm https getstatus --nodelist

or

secadm https getstatus --nodefile file: <file_name>


23 Support for FTPES Protocol

ENM provides Explicit FTP over TLS (FTPES), a File Transfer Protocol (FTP)
with certificate-based authentication, as an alternative to SFTP for file
transfers between Network Elements and ENM.

The FTPES feature is supported for RadioNode (eNodeB Baseband Radio Node,
NodeB Baseband Radio Node, GSM Baseband Radio Node, gNodeB Baseband
Radio Node), RadioTNode (Baseband T605, C608), 5GRadioNode, and AXE
Nodes only.

The following use cases support FTPES protocol:

Table 30

Application            Use Cases
SHM                    — Node Software upgrade in ENM.
                       — Node Backup and Restore management in ENM.
                       — License Key management.
FM (Netlog)            — Node logs management from ENM.
PMIC                   — PM file collection.
                       — PM file recovery.
AMOS                   — Download Node logs from Network Element.
Upgrade Independence   — Node model retrieval from Network Element.
OPS                    — Node upgrade via OPS on AXE nodes.


Note: — SFTP is the default File Transfer Protocol on the node. After activation
of FTPES on the node, file transfer is performed using the FTPES
protocol for the use cases mentioned in the table.

— The FTPES feature needs certain ports to be opened in ENM and
Customer Firewalls. See the document ENM Network Integration
Guideline, Reference [3] for the ports to be opened for the FTPES
feature.

— To enable FTPES on AXE nodes, see the node CPI that includes
corresponding instructions per node type.

— AXE nodes do not support Restore management in ENM using the SHM
Application.

— The FTPES feature in Cloud Native deployment is not supported for the
nodes configured in an IPv6 network.

23.1 Activate FTPES


This procedure describes how to activate FTPES protocol on nodes and
ENM.

Actors
Authorized for: NodeSecurity_Administrator, Action: execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Nodes must exist in the ENM system.

— Nodes must be synchronized with ENM.

Steps

1. Activate FTPES on nodes.


Run the ENM CLI command secadm ftpes activate.

See online help for more details.

Results
— If the command is triggered successfully, the following message appears in
the ENM CLI:

Successfully started a job for FTPES activate operation. Perform
'secadm job get -j 232d4fb6-e706-46fd-b91c-88fc03daae48' to get progress info.

— Job status must be COMPLETED and then check the workflow status. If it is
SUCCESS, then FTPES protocol is activated on nodes and ENM.

23.2 Deactivate FTPES


This procedure describes how to deactivate FTPES protocol on nodes and
ENM.

Actors
Authorized for: NodeSecurity_Administrator, Action: execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Nodes must exist in the system.

— Nodes must be synchronized with ENM.

Steps

1. Deactivate FTPES on nodes.


Run the ENM CLI command secadm ftpes deactivate.

See online help for more details.

Results
— If the command is triggered successfully, the following message appears in
the ENM CLI.

Successfully started a job for FTPES deactivate operation. Perform
'secadm job get -j 232d4fb6-e706-46fd-b91c-88fc03daae48' to get progress info.

— Job status must be COMPLETED and then check the workflow status. If it is
SUCCESS, then FTPES protocol is deactivated on nodes and ENM.


23.3 Get FTPES Status


This procedure describes how to get FTPES status on nodes and ENM.

Actors
Authorized for: NodeSecurity_Operator, Action: execute

For more details about the capabilities, resources, and operations, see the ENM
Identity and Access Management System Administrator Guide, Reference [2].

Prerequisites

— Nodes must exist in the system.

— Nodes must be synchronized with ENM.

Steps

1. Get FTPES status on nodes.


Run the ENM CLI command secadm ftpes getstatus.

See online help for more details.

Results
Retrieve a table with FTPES status on nodes.

23.4 Enable of FTPES for G2 Nodes on AMOS


This section describes the changes required in the AMOS service group to make
AMOS communicate with nodes using the FTPES protocol during DCGM logs
collection.

Note: Execute the uv export_method=1 command before triggering amos node
log download commands.

Steps

1. Add an entry in the ipdatabase file under the path /opt/ericsson/amos/
moshell/sitefiles/ for the node to use the FTPES protocol in communication
with AMOS.
The entry to be added is as follows:


<nodename> <nodeip> x export_protocol=1,export_port=9921

A similar entry on a new line is required for each node.

Note: The third field (node password) is not applicable to Gen2 nodes (it is
only applicable to Gen1), so a dummy value can be given in place of
the field.

If the ipdatabase file is not present in the /opt/ericsson/amos/moshell/
sitefiles/ location, create a text file with the name ipdatabase and add the
entries.

Example
rbs1 10.1.10.5 x export_protocol=1,export_port=9921

Results
The ipdatabase file is updated.

If the ipdatabase file is not updated with the node details, protocol, and port,
AMOS does not communicate using the FTPES protocol during DCGM logs collection,
even though FTPES is activated on the nodes using the secadm ENM CLI command.

23.5 Enable of FTPES for G2 Nodes on AMOS in Cloud Native ENM

This section describes the changes required in the AMOS service group to make
AMOS communicate with nodes using the FTPES protocol during DCGM logs
collection.

Steps

1. Add an entry in the ipdatabase file under the path /opt/ericsson/amos/
moshell/sitefiles/ for the node to use the FTPES protocol in communication
with AMOS.
The entry to be added is as follows:

<nodename> <nodeip> x export_protocol=1,export_port=9921

A similar entry on a new line is required for each node.

Note: The third field (node password) is not applicable to Gen2 nodes (it is
only applicable to Gen1), so a dummy value can be given in place of
the field.


If the ipdatabase file is not present in the /opt/ericsson/amos/moshell/
sitefiles/ location, create a text file with the name ipdatabase and add the
entries.

Example
rbs1 10.1.10.5 x export_protocol=1,export_port=9921

Results
The ipdatabase file is updated.

If the ipdatabase file is not updated with the node details, protocol, and port,
AMOS does not communicate using the FTPES protocol during DCGM logs collection,
even though FTPES is activated on the nodes using the secadm ENM CLI command.
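The ipdatabase maintenance described in sections 23.4 and 23.5 can be scripted so that each node gets exactly one well-formed line. The following POSIX shell script is an added example and is not part of the ENM guide or of AMOS: it writes entries in the format given above, validates the node name and IPv4 address before touching the file, replaces an existing line for the same node instead of adding a duplicate, and reports whether a node is configured for FTPES. The ipdatabase path is the one named in the guide; overriding it through the IPDATABASE variable (for example with a scratch file while trying the script out) is an assumption of this script, not something the guide describes.

```shell
#!/bin/sh
# Added example (not from the ENM guide): maintain the AMOS ipdatabase file
# used by moshell so that a G2 node is reached over FTPES (export_protocol=1,
# export_port=9921), in the entry format given in sections 23.4 and 23.5.
# The default path is the one the guide names; IPDATABASE may be overridden
# (assumption of this script) to point at a scratch file.

IPDATABASE="${IPDATABASE:-/opt/ericsson/amos/moshell/sitefiles/ipdatabase}"

# Build the one-line entry for a node. The third field (node password) is not
# used for Gen2 nodes, so the dummy value "x" from the guide is written there.
ftpes_entry() {  # $1 = node name, $2 = node IP
    printf '%s %s x export_protocol=1,export_port=9921\n' "$1" "$2"
}

# Accept only a plain node name and a dotted-quad IPv4 address: AMOS reads the
# file as whitespace-separated fields, so an embedded space would corrupt it.
valid_node_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do   # each octet must be 0..255
        [ "$o" -le 255 ] || return 1
    done
}

# Add (or refresh) the FTPES entry for one node. Creates the file if absent and
# replaces an existing line for the same node name instead of duplicating it.
# Returns 0 on success, 1 on invalid input.
ftpes_add_node() {  # $1 = node name, $2 = node IP
    name=$1; ip=$2
    valid_node_name "$name" || { echo "bad node name: $name" >&2; return 1; }
    valid_ipv4 "$ip"        || { echo "bad IPv4 address: $ip" >&2; return 1; }
    [ -f "$IPDATABASE" ] || : > "$IPDATABASE"
    tmp="$IPDATABASE.tmp.$$"
    awk -v n="$name" '$1 != n' "$IPDATABASE" > "$tmp"   # drop any old line for this node
    ftpes_entry "$name" "$ip" >> "$tmp"
    mv "$tmp" "$IPDATABASE"
}

# Return 0 if the node has an entry with the FTPES protocol and port, 1 otherwise.
ftpes_node_enabled() {  # $1 = node name
    [ -f "$IPDATABASE" ] || return 1
    awk -v n="$1" '$1 == n && $4 ~ /export_protocol=1/ && $4 ~ /export_port=9921/ { found=1 }
                   END { exit !found }' "$IPDATABASE"
}
```

Running ftpes_add_node twice for the same node name keeps a single line, so a re-run after an IP change is safe; ftpes_node_enabled is the check to run before blaming the secadm ftpes activate step when AMOS still falls back to SFTP.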


24 Configuration of Trusted NTP Server

ENM can configure reliable time and date information on the node through
trusted NTP Server.

ENM supports setting authentication parameters on the NTP Server and the Network
Element (NTP client).

The authentication parameters secret key and digest algorithm must be set on
both the node and the NTP Server side. Using those authentication parameters, the
Network Element and the NTP Server authenticate each other during time sync.

The following table describes the supported CPP and Baseband Radio Node
versions.

Table 31
neType Version
eNodeB >= 19.Q3
RBS >= 19.Q3
RNC >= 19.Q3
MGW >= 6.10.4.0
RadioNode >= 19.Q3

Note: This feature is not supported by Evo8300 node.

24.1 NTP Configuration on Network Element


This section describes how to configure NTP Server details on the node.

Note: For CPP nodes, configuration of maximum 10 NTP Servers is supported.

Prerequisites
— Nodes must exist in the system.

— Node must be in sync with ENM.

— User must be a NodeSecurity_Administrator to run the secadm ntp
configure command.

— Trusted NTP Server must be configured in ENM. If trusted NTP Server is
not configured, see the section Trusted NTP Server Configuration of the
document ENM Operators Guide, Reference [5].


Steps

1. Configure NTP Server details on the node.


Run the ENM CLI command:

secadm ntp configure

Node details are fetched from the command line input parameters, input text
file, or in the form of saved search or collection.

See online help for more details.

2. Verify the job status.


Run the ENM CLI command:

secadm job get

Job status must be COMPLETED and then check the workflow status. If it is
SUCCESS, then configuration of NTP Server details on node is completed. If
the workflow status is ERROR, see the document ENM Security Management
Troubleshooting Guide, Reference [10], for more details.

3. List the NTP Server details.


Run the ENM CLI command:

secadm ntp list

See the section List NTP Server Details on page 442.

Node details are fetched from the command line input parameters, input text
file, or in the form of saved search or collection.

See online help for more details.

Results
If the command is triggered successfully, the following message is displayed:

Successfully started a job to configure NTP server details on the
given node(s). Perform secadm job get -j JOB_ID to get progress
information.

If the Trusted NTP Server details are configured successfully on the NE, the
following command is used to verify nodes synchronization status with NTP
Server:

secadm ntp list --ntplist <list>


For G1 nodes, the Service status must be SYSPEER.

For G2 nodes, the Service status must be UNLOCKED and there must not be any
open alarms on the node after performing configure operation.

See online help for more details.

24.2 List NTP Server Details


This section describes how to list configured NTP Server details on the node.

secadm ntp list command lists NTP key id, NTP Server Service Status, user
label, server Id, and server address of each NTP Server configured on the node.

Prerequisites
— Nodes must exist in the system.

— Node must be in sync with ENM.

— User needs Node Security Administrator and NodeSecurity_Operator roles to
run the secadm ntp list command.

Steps

1. List NTP Server details on node.


Run the ENM CLI command:

secadm ntp list

Node details are fetched from the command line input parameters, input text
file, or in the form of saved search or collection.

See online help for more details.

Results
When secadm ntp list command runs from CLI, the response is in the
following format.
— If multiple valid and invalid nodes are provided, execution starts for valid
nodes and a table is displayed with the suggested solutions for invalid nodes.

— If all invalid nodes are provided, a table is displayed with the suggested
solutions for invalid nodes.


24.3 Remove NTP Server Details


This section describes how to remove NTP Server details on the node based
on NTP Key Ids and Server Ids.

This command removes NTP Server on the node and the corresponding keyid
and nodeFdn mapping from the database of NTP Service, if that NTP Server
belongs to the same ENM. The input for the command can be a node list, node
file, or XML file, keyidlist, and serveridlist.

Prerequisites
— Nodes must exist in the system.

— Node must be in sync with ENM.

— User needs NodeSecurity_Administrator role to run the secadm ntp list
command.

Steps

1. Remove NTP Server details on the node.


Run the ENM CLI command:

secadm ntp remove

Node details are fetched from the command line input parameters, node
name, or XML file.

See online help for more details.

2. List NTP Keys Ids.


Run the ENM CLI command:

secadm ntp list

Node details are fetched from the command line input parameters, in the
input text file, or in the form of saved search or collection. See online help for
more details.

Results
If the command is triggered successfully, the following message is displayed:

All of the given input nodes are Valid. NTP remove workflow needs
to be executed. Perform secadm job get -j JOB_ID to get progress
information.


The keyids and/or NTP servers are removed.

See online help for more details.

24.4 Renew NTP Key


This section describes how to renew the configured key on the node.

Renew can be used to replace the old key with new key for the particular
NTP Server on the node. This procedure is applicable only to renew the keys
which were installed using secadm ntp configure command in the same ENM
environment.

Prerequisites
— Nodes must exist in the system.

— Node must be in sync with ENM.

— User needs NodeSecurity_Administrator role to run the secadm ntp
configure command.

Steps

1. Run the renew command in the NTP Service of the IT Services VM instance by giving
keyid or nodeFdn as input.

See the section Trusted NTP Server Configuration in ENM Operators Guide,
Reference [5].

2. Configure NTP Server details on the node.


Run the ENM CLI command:

secadm ntp configure --nodelist <node_name>

See online help for more details.

3. List the NTP Keys Ids.


Run the ENM CLI command:

secadm ntp list --nodelist

See online help for more details.

Results
New keys are installed on the node.


The following command is used to verify nodes synchronization status with NTP
Server:

secadm ntp list --ntplist <list>

For G1 nodes, the Service Status must be SYSPEER.

Figure 45

For G2 nodes, the Service status must be UNLOCKED and there must not be any
open alarms on the node after performing configure operation.

Figure 46

See online help for more details.


25 Disable Weak Ciphers in ENM

ENM applications use the secure TLS/SSH protocol communications towards the
node.

Prerequisites: The TLSv1.2 protocol version must be enabled for TLS protocol-based
communications. See the section Configuration of TLS for OAM Communication
on page 426 for configuring TLS versions in ENM.

Currently, ENM uses weak and vulnerable ciphers in communications (SSH/TLS)
towards the node.

The procedure to disable weak ciphers in ENM facilitates the operator to disable
the weak ciphers supported by ENM and enable the strong ciphers in the secure
communications.

These enabled strong ciphers are used in a secured network protocol-based
communication which is agreed between ENM and nodes during the handshake.

The following configuration parameters can be used in ENM to disable the weak
ciphers:
— disableWeakAuthenticationAlgorithms

— disableWeakEncryptionAlgorithms

— disableWeakHashingAlgorithms

— disableWeakKeyexchangeAlgorithms

Note: By default, the configuration parameter values are set to NONE.

The values for the previous configuration parameters are defined as in the
following.

Note: Application uses existing ciphers if the provided configuration parameter
value does not match with any of the supported ciphers list.

Currently, the following use cases do not support disabling of the weak
ciphers:
— Node connections opened through Element Manager GUI and
Winfiol.

— NETCONF/SSH mediation use cases for Transport nodes.

To provide exact cipher names to the configurable parameter, see Table
19 and Table 20 for the lists of ciphers supported by ENM for each
protocol type.


Table 32 Weak Ciphers Configuration Parameters Values

Syntax (all parameters): TLS:WA1+WA2+WA3,SSH:WA4+WA5

Sno  Configuration Parameter              TLS               SSH
1    disableWeakAuthenticationAlgorithms  TLS:NONE          SSH:diffie-hellman-group1-sha1+diffie-hellman-group14-sha1+ecdh-sha2-nistp256
2    disableWeakEncryptionAlgorithms      TLS:AES_128_CBC   SSH:aes128-cbc+arcfour128
3    disableWeakHashingAlgorithms         TLS:SHA384        SSH:hmac-md5+hmac-ripemd160
4    disableWeakKeyexchangeAlgorithms     TLS:DHE           SSH:diffie-hellman-group1-sha1+diffie-hellman-group14-sha1+ecdh-sha2-nistp256
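As an added example (not part of the ENM guide), the following POSIX shell script parses a disableWeak*Algorithms value in the TLS:...+...,SSH:...+... syntax of Table 32 and checks every algorithm name against a supported list before the value is applied, because a value that matches none of the supported ciphers is silently ignored and the existing ciphers stay in use, as the note above states. The SUPPORTED_TLS and SUPPORTED_SSH lists are constructed from the sample values in Table 32 only; the authoritative lists are Tables 19 and 20 of the guide and must be substituted in a real check.

```shell
#!/bin/sh
# Added example (not from the ENM guide): validate a disableWeak*Algorithms
# value of the form "TLS:<a>+<b>,SSH:<c>+<d>" (Table 32) before it is set.
# SUPPORTED_TLS / SUPPORTED_SSH are constructed sample lists taken from the
# Table 32 examples; the real lists are Tables 19 and 20 of the guide.

SUPPORTED_TLS="AES_128_CBC SHA384 DHE NONE"
SUPPORTED_SSH="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 ecdh-sha2-nistp256 aes128-cbc arcfour128 hmac-md5 hmac-ripemd160 NONE"

# Print the '+'-separated algorithm names for one protocol (TLS or SSH) from a
# full parameter value, one name per line. Prints nothing if the protocol part
# is absent. A space after the comma separator is tolerated.
weak_algos_for() {  # $1 = protocol, $2 = parameter value
    printf '%s' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | awk -F: -v p="$1" '$1 == p { print $2 }' | tr '+' '\n' | sed '/^$/d'
}

is_in_list() {  # $1 = word, $2 = space-separated list
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Classify every name in the value: prints "<proto> ok <name>" or
# "<proto> unknown <name>". Returns 0 if all names are supported, 1 otherwise.
check_weak_cipher_value() {  # $1 = parameter value
    rc=0
    for proto in TLS SSH; do
        case $proto in
            TLS) supported=$SUPPORTED_TLS ;;
            SSH) supported=$SUPPORTED_SSH ;;
        esac
        for name in $(weak_algos_for "$proto" "$1"); do
            if is_in_list "$name" "$supported"; then
                echo "$proto ok $name"
            else
                echo "$proto unknown $name"
                rc=1
            fi
        done
    done
    return $rc
}

# Number of names in the value that are not on the supported list.
unknown_count() {  # $1 = parameter value
    check_weak_cipher_value "$1" | grep -c ' unknown ' || true
}
```

Run check_weak_cipher_value on the intended value and fix every "unknown" line before changing the parameter and upgrading to the same ISO; a misspelt name is otherwise only noticed later, when the weak cipher is still negotiated in the handshake.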

25.1 Disable Weak Ciphers

Prerequisites
No prerequisites.

Steps

1. Update the configuration parameter value.


See View and Modify Configuration Parameters on page 12.

2. Upgrade the ENM to the same ISO to apply the configuration
parameter values in CPP and COMECIM mediations, LDAP, and AP secure
communications towards nodes.


For more information on the ENM upgrade in physical environment, see ENM
Upgrade Instructions, Reference [27].

For more information on the ENM upgrade in cloud environment, see ENM on
Cloud Upgrade Instructions, Reference [28].

For more information on the ENM upgrade in Cloud Native environment, see
Cloud Native ENM Upgrade Instructions, Reference [34].


26 Management of Node IPsec Certificate and Trust Distribution Use Cases in Case of
Multiple Ikev2PolicyProfile MOs

Node Security Configuration Service (NSCS) is unable to identify the correct
Ikev2PolicyProfile MO on the node to update the IPsec NodeCredential
and TrustCategory references if more than one Ikev2PolicyProfile is present
on the Baseband Radio Nodes during execution of the IPsec Certificate and Trust
distribution use cases through NSCS. As a result, the Node IPsec Certificate
Issue, Reissue, and Trust Distribution use cases fail.

To avoid this problem, execute the following procedure to update the
enforcedIKEv2PolicyProfileID configuration parameter value.

This configuration parameter value is used by the NSCS IPsec Certificate and
Trust use cases to identify or create the correct Ikev2PolicyProfile MO by
matching value of Ikev2PolicyProfileId attribute of Ikev2PolicyProfile
MO.


Note: 1. Affected Use Cases are IPsec Certificate Issue and Reissue, Get
Certificate Enroll State, IPsec Trust Distribution, Get Trusted
Certificates Install State, and IPsec Cert Auto-Renewal.
2. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is NONE (default value), then:
— All the affected use cases work fine if only one
Ikev2PolicyProfile is present on the node.

— All the affected use cases fail if more than one
Ikev2PolicyProfile is present on the node.

3. If the value of the enforcedIKEv2PolicyProfileID configuration
parameter is other than NONE, then:
— All the affected use cases use the Ikev2PolicyProfile MO
whose Ikev2PolicyProfile Id value is the same as the
configuration parameter value to update the NodeCredential
and/or TrustCategory MO FDNs.

— IPsec Certificate Issue, Reissue, and Auto-Renewal use cases
create an Ikev2PolicyProfile MO with Ikev2PolicyProfile
Id value equal to the given configuration parameter value
if no Ikev2PolicyProfile is found whose Ikev2PolicyProfile
Id value matches the configuration parameter value. In this
case the Operator has to map this new Ikev2PolicyProfile MO to
the proper Ikev2Session MO to use the new node credential and
trust category for establishing the IPsec Tunnel. All the
remaining affected use cases fail.
4. The cases in points 2 and 3 also apply where the initial IPsec
Certificate Issue and IPsec Tunnel Configuration are done using
Auto Provisioning and the IPsec Certificate Issue or Reissue is
later done through NSCS.
5. As the value of the enforcedIKEv2PolicyProfileID configuration
parameter refers to only one Ikev2PolicyProfile MO Id, only one
Ikev2PolicyProfile MO with the given ID is created or
updated during the execution of the affected use cases. All the
remaining Ikev2PolicyProfile MOs, if any refer to the old
NodeCredential and TrustCategory MO FDNs, are to be updated
with the new NodeCredential and/or TrustCategory MO FDNs if
these were created during the IPsec Certificate Issue, Reissue,
Auto-Renewal, or Trust Distribution use cases.
6. Radio Node allows up to eight Ikev2PolicyProfile MOs. If the
node already has eight Ikev2PolicyProfile MOs, a new MO
cannot be created when no MO with a matching id is identified on the
node during the execution of the mentioned IPsec Certificate Issue,
Reissue, and Auto-Renewal use cases.


Prerequisites

— The user must have root access to the ENM.

— Refer to the Notes for the allowed configuration parameter values, limitations,
affected Use Cases, and the different behaviors of the affected Use Cases with
the different enforcedIKEv2PolicyProfileID parameter values.

Steps

1. Update the configuration parameter value.


See View and Modify Configuration Parameters on page 12.


27 Network Security Configuration Parameters Table

Parameters related to the network security configuration management area
that can be updated by security tasks are reported in this section.

Table 33 Network Security Configuration Parameter

Functionality (all parameters): Created at secserv service group start.
Configured by user using the CLI. See View and Modify Configuration
Parameters on page 12.

Name                      Parameter Description                          Value Range   Default Value  Unit      Parameter Type  Effective at  GSM/WCDMA/LTE
neCertAutoRenewalTimer    Timer for auto-renewal of a node               -             30             day       Integer         Deployment    System wide
                          certificate (configuration parameter)
neCertAutoRenewalEnabled  Enabling of auto-renewal feature for node      -             true           -         Boolean         Deployment    System wide
                          certificate (configuration parameter)
neCertAutoRenewalMax      Max number of NEs to auto-renew at each        -             100            -         Integer         Deployment    System wide
                          scheduling (configuration parameter)
socketIdleTimeout         Time after which the LDAP connection from      5000 - 60000  60000          millisec  String          Restart       System wide
                          the client to the LDAP server is closed. If
                          the client keeps the idle connection towards
                          the LDAP server open for longer than the
                          configured value, the connection is forcibly
                          closed.


28 Network Security Configuration Limitations

This section provides an outline of the various limitations of the Security
solution in the current ENM system.

Where possible, preventive steps are included to minimize the impact of a
limitation.


Limitations

1. Access Control for Nodes Supporting ECIM function

• Only Baseband Radio Nodes, 5GRadioNode, and pRBS nodes are
supported.

• COM Authentication and Authorization (AA) requests defined in
Function Specification for Security are supported across a maximum of
50 concurrent connections from the nodes. If the number of concurrent
connections reaches 50, the subsequent requests are queued (until a
time-out occurs on the client side).

• COM roles and COM role aliases do not include target groups directly
in names (for example: “SOUTH:SystemAdministrator”). The user is
assigned a COM role with a target group.

• It is not possible to log on to the node using centralized user management
immediately after the user is created and assigned COM privileges.

• It can take up to 15 seconds before it is possible to internally synchronize
user privileges between user management and LDAP in ENM.

For COM LDAP Interface between node and ENM:

• POSIX_GROUPS and FLEXIBLE filter types are not supported (only
the ERICSSON_ROLES filter type is supported).

• Only the following RFC 4511 operations are supported: BindRequest,
BindResponse, SearchRequest, SearchResultEntry, SearchResultDone,
ExtendedRequest, ExtendedResponse.

• ENM does not support querying for COM role alias to COM roles
mapping.

• Centralized LDAP is not supported by ENM and Access Control for Nodes
supporting ECIM function. For nodes to work in AMOS without having
to enter username and password, Access Control for Nodes supporting
ECIM function must be configured on the node, which is integrated
through TLS, and the default ENM LDAP must be used.
2. Issue an IPsec node certificate in IPv6 network


When the user verifies the post-condition of issuing an IPsec node certificate
using the command secadm certificate get on the ENM CLI, the command does
not show the latest installed certificate, because ENM is not updated with
the latest information from the node.

This is observed on CPP nodes configured in an IPv6 network when the certificate
is issued using the SCEP and CMPv2 protocols.

The user needs to run a resync operation before getting the certificate
information:

— cmedit action NetworkElement=<Node_Name>,CmFunction=1 sync

— secadm certificate get

3. Issue a certificate to Baseband RadioNode and 5GRadioNode

Initial enrollment using CMP protocol fails on Baseband Radio Node and
5GRadioNode as the ENM PKI system contains SerialNumber attribute in the
Subject DN field of CA and Entity Certificates.

This is because of the limitation on the node that it does not support
SerialNumber attribute in Subject DN field.

Perform the workaround described in the section Enrollment for Baseband
RadioNode Fails Due to the SERIALNUMBER Attribute in the Certificate
in ENM Security Management Troubleshooting Guide, Reference [10] to
remove the SerialNumber attribute from the SubjectDN of certain CA
certificates of ENM PKI system.

Note: User roles must be managed among secadm and cmedit users.

4. IPsec Cert Reissue on PICO Network Element

When a PICO Network Element is successfully auto-integrated in ENM with
IPsec, ENM is not able to reissue the IPsec Cert.

The affected Security Use Cases are:


— Renewal CAs in case it is in the issuer chain of IPsec Node certificate.

— Import External root CA.

Also the OSS-RC migration scenario is affected.

To recover this situation, reintegrate the node using Auto Provisioning.


5. Baseband RadioNode and 5GRadioNode do not support initial enrollment,
if its issuer (NE_OAM_CA) has SERIALNUMBER attribute present in the
SubjectDN.


If the issuer is already configured with SERIALNUMBER, follow the
steps described in the section Enrollment for BaseBand RadioNode fails due
to the SERIALNUMBER attribute in the certificate of the document ENM
Security Troubleshooting Guide, Reference [10].
6. CRL check enable or disable ENM CLI command limitation for Baseband
Radio and Baseband Radio T node

When node has more than one Ikev2PolicyProfile MO, then CRL check
enable or disable using ENM CLI command does not work. In this case, user
needs to perform the following procedure to enable or disable CRL check.

User requires the following permissions to perform the procedure:

Cmedit_Administrator

a. Check if the node has more than one Ikev2PolicyProfile MO configured:

cmedit get <Node Name> Transport,*

Sample output:

FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Synchronization=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Sctp=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,QosProfiles=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Ikev2PolicyProfile=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Ikev2PolicyProfile=2

The node is affected if the output contains more than one occurrence of
'Ikev2PolicyProfile', as in the following lines of the sample output:

FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Ikev2PolicyProfile=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Ikev2PolicyProfile=2


Do the following steps to enable or disable CRL check. These steps need
to be repeated for all required nodes.

b. To get the trust categories associated with the Ikev2PolicyProfile(s)
identified in the output of the command in step a, execute the following
command:

cmedit get ManagedElement=<Node Name>,Transport=1,Ikev2PolicyProfile=<profile id>

Profile id is the identifier of the Ikev2PolicyProfile MO. The command must
be executed for each profile id. In the sample output of step a, two profile
ids (1, 2) are present.

Example of output:

FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Ikev2PolicyProfile=1
credential : ManagedElement=LTE04dg2ERBS00040,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=ipsecNodeCredential
dpdTime : 60
ikeDscp : 48
ikeSaLifetime : 1440
ikev2PolicyProfileId : 1
ikev2Proposal : null
reservedBy : null
trustCategory : ManagedElement=LTE04dg2ERBS00040,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=ipsecTrustCategory
userLabel :
1 instance(s)

c. To enable or disable the CRL check, run the following cmedit set
command.

The output of the command shown in step b is partially used as input for
this step: the substring 'trustCategory :
ManagedElement=LTE04dg2ERBS00040,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=ipsecTrustCategory'
of the example output in step b gives the TrustCategory FDN to use in the
command, as shown:

For enable:

cmedit set ManagedElement=LTE04dg2ERBS00040,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=ipsecTrustCategory crlCheck=ACTIVATED

For disable:

cmedit set ManagedElement=LTE04dg2ERBS00040,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=ipsecTrustCategory crlCheck=DEACTIVATED

This command must be executed for each trustCategory associated with the
Ikev2PolicyProfile MOs identified in step a.
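As an added illustration of steps a to c (example code written here, not part of the guide and not an ENM tool), the following Python helper takes the saved text of the step a and step b cmedit get outputs and produces the step c cmedit set commands, issuing one command per distinct trust category even when several Ikev2PolicyProfile MOs reference the same one. The sample outputs are constructed from the ones shown above; the step b output for profile 2 is an assumption.

```python
import re
# Constructed sample: the step a output shown above, one FDN per line.
TRANSPORT_OUTPUT = """\
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Synchronization=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Sctp=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,QosProfiles=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Ikev2PolicyProfile=1
FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Ikev2PolicyProfile=2
"""
TRUST_CAT = ("ManagedElement=LTE04dg2ERBS00040,SystemFunctions=1,SecM=1,"
             "CertM=1,TrustCategory=ipsecTrustCategory")
# Constructed step b outputs keyed by profile FDN: profile 1 is the example above
# (abridged); profile 2 is assumed to reference the same trust category.
PROFILE_OUTPUT = {
    f"ManagedElement=LTE04dg2ERBS00040,Transport=1,Ikev2PolicyProfile={i}":
    f"FDN : ManagedElement=LTE04dg2ERBS00040,Transport=1,Ikev2PolicyProfile={i}\n"
    f"dpdTime : 60\nikev2PolicyProfileId : {i}\ntrustCategory : {TRUST_CAT}\n"
    f"userLabel :\n1 instance(s)\n"
    for i in (1, 2)
}
PROFILE_RE = re.compile(r"^FDN : (\S*,Ikev2PolicyProfile=\S+)$", re.M)
TRUST_RE = re.compile(r"^trustCategory : (\S+)$", re.M)

def profile_fdns(transport_output):
    """Ikev2PolicyProfile FDNs listed by 'cmedit get <node> Transport,*'."""
    return PROFILE_RE.findall(transport_output)

def trust_category(profile_output):
    """trustCategory FDN from the 'cmedit get <profile FDN>' output of step b."""
    m = TRUST_RE.search(profile_output)
    if m is None:
        raise ValueError("no trustCategory attribute in profile output")
    return m.group(1)

def crl_check_commands(transport_output, get_profile, enable):
    """Step c 'cmedit set' commands; get_profile(fdn) returns the step b output.
    [] means fewer than two profiles: the limitation does not apply there."""
    profiles = profile_fdns(transport_output)
    if len(profiles) < 2:
        return []
    state = "ACTIVATED" if enable else "DEACTIVATED"
    commands, seen = [], set()
    for fdn in profiles:
        tc = trust_category(get_profile(fdn))
        if tc not in seen:  # several profiles may share one trust category
            seen.add(tc)
            commands.append(f"cmedit set {tc} crlCheck={state}")
    return commands
```

For a live node, replace PROFILE_OUTPUT.get with a function that runs the step b command for the given FDN and returns its text.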

7. Perform a sync operation on the node to list the trust certificates after
trust removal for BSC nodes.

When a list trusted certificates operation is performed after a trust
removal operation, the values obtained are 'NA'.

Perform a sync action on the node using the following command and then list
the trusted certificates:

cmedit action NetworkElement=<NodeName>,CmFunction=1 sync

8. IPsec certificate enrollment for Baseband Radio nodes with ECDSA keys.

ENM PKI uses RSA as the key generation algorithm for CA certificates.
Baseband Radio node supports both RSA and ECDSA to generate the key pair
for its IPsec and OAM certificate enrollment.

When ECDSA is chosen to enroll the IPsec certificate from ENM PKI, the
Baseband Radio node receives a certificate chain of the following form:

— Root and SubCA certificates have RSA keys.

— The node IPsec certificate has an ECDSA key.

— The signatures on all the certificates are made with RSA keys.

This certificate chain is sent to the Security Gateway for authentication.
If the Security Gateway does not support the ECDSA algorithm or rejects
this certificate chain, reconfigure the Baseband Radio Node to use the
RSA key generation algorithm for the IPsec certificate enrollment so that
authentication by the Security Gateway succeeds.

Security Reference List

[1] ENM Identity and Access Management Programmers Guide, 19817-cna 403 3016 Uen
[2] ENM Identity and Access Management System Administrator Guide, 2/1543-aom 901 151-1 Uen
[3] ENM Network Integration Guidelines, 1/102 72-aom 901 151 Uen
[4] ENM Network Security Configuration System Administrator Guide, 2/1543-aom 901 151-2 Uen
[5] ENM Operators Guide, 1/1553-aom 901 151 Uen
[6] ENM Parameter List, 1/190 59-AOM 901 151
[7] ENM Product Description, 1/1551-AOM 901 151
[8] ENM Public Key Interface System Administrator Guide, 2/1543-aom 901 151-3 Uen
[9] ENM Security System Administrator Guide, 2/1543-aom 901 151 Uen
[10] ENM Security Management Troubleshooting Guide, 1/159 01-aom 901 151-4 Uen
[11] ENM Site Engineering Document, 1/1057-AOM 901 151
Available from local Ericsson Support.
[12] ENM System Administrator Guide, 1/1543-aom 901 151 Uen
[13] ENM System Security Configuration Programmers Guide, 1/19817-cna 403 3065 Uen
[14] ENM System Monitor User Guide, 1/1553-cna 403 3115 Uen
[15] ENM Troubleshooting Guide, 1/15901-AOM 901 151
[16] Manage Security, 18/1553-LZA 701 6014
Available in Node CPI.
[17] IP Security User Guide, 60/1553-LZA 701 6014/1
Available in Node CPI.
[18] Security for O&M Node Access, 1551-CXA 110 3235
Available in Node CPI.
[19] Manage IPsec User Guide, 42/1553-LZA 701 6014/1-V1
Available in Node CPI.
[20] ENM Library Typographic Conventions, 3/1551-fck 101 05 Uen
[21] ENM Summary of External Interfaces, 2/155 19-aom 901 151 Uen
[22] ENM Backup and Restore System Administrator Guide, 3/1543-aom 901 151 Uen
[23] RFC5280, https://tools.ietf.org/html/rfc5280
[24] Restrict access to the CLI, 47/1543-AXI 101 09/1
Available in Node CPI.
[25] LDAP for administrator, 157/1543-AXI 101 09/1
Available in Node CPI.
[26] Small Integrated ENM System Administrator Guide, 1/1543-cna 403 3456 Uen
[27] ENM Upgrade Instructions, 1/153 72-AOM 901 151
Available from local Ericsson Support.
[28] ENM on Cloud Upgrade Instructions, 2/153 72-AOM 901 151
Available from local Ericsson Support.
[29] ENM Geographical Redundancy User Guide, 1553-cna 403 3466 Uen
[30] ENM Monitoring System Administrator Guide, 1/1543-aom 901 151-2 Uen
[31] Router 6672 Preliminary Configuration, 1/127 01-CRA 119 2183 Uen
Available in Node CPI.
[32] EIR-FE System Administration Guide, 5/1553-CSA 101 25/2-V1 Uen
Available in Node CPI.
[33] ENM Node Hardening Guidelines and Instructions, 1/174 73-aom 901 151 Uen
[34] Cloud Native ENM Upgrade Instructions, 3/153 72-AOM 901 151
Available from local Ericsson Support.
[35] Cloud Native ENM - Backup and Restore System Administration Guide, 7/1543-aom 901 151 Uen
[36] Cloud Native ENM Initial Installation, 8/1531-aom 901 151 Uen
Available in Node CPI.
[37] Managing Web Server Security MINI-LINK 6352, 45/1543-HRA 901 17/7 Uen
Available in Node CPI.
[38] Managing Web Server Security MINI-LINK 6351, 45/1543-HRA 901 17/9 Uen
Available in Node CPI.
[39] Managing Web Server Security MINI-LINK PT 2020, 45/1543-HRA 901 17/9 Uen
Available in Node CPI.
[40] Managing Web Server Security Switch 6391, 45/1543-HRA 901 17/11 Uen
Available in Node CPI.
[41] Managing Web Server Security Fronthaul 6392, 45/1543-HRA 901 17/10 Uen
Available in Node CPI.
[42] Managing Web Server Security MINI-LINK 6600 and MINI-LINK 6366, 865/1543-HRA 901 20/11 Uen
Available in Node CPI.
