
LTE iOMS supports several Transport Layer Security (TLS) mode parameters. The sections below describe the parameters, their possible values, and the meaning of each value.

2.2.3.1 TLS operation mode in Flexi Multiradio BTS LTE

Transport Layer Security in the eNB (omsTLS parameter) can be configured as:

Probing (Secure/Unsecure): Both secure and unsecure O&M connections are allowed between the LTE iOMS and the eNodeB. If the connection setup to both secure and unsecure ports fails, the eNodeB starts the connection procedure from the beginning, that is, it tries to establish a secure connection first. This setting should be used only for the transition from an unsecure to a secure BTS O&M interface without limiting the connectivity. From the security point of view, it is recommended not to use this setting permanently.

Forced: Only secure O&M connections are established between LTE iOMS and eNB.

Off: Only unsecure O&M connections are established between LTE iOMS and eNB. This is the default setting.

Note: Ensure that the configuration of the operation mode settings is the same for eNodeB and LTE iOMS. If the settings differ, the eNodeB might not be able to connect, but will continue trying to connect even though the LTE iOMS connection port is closed.

2.2.3.2 BTS and O&M Protocol (OM) security mode in LTE iOMS

The TLSModeOM parameter in LTE iOMS can be configured as any of the following:

Probing (Secure/Unsecure): Both secure and unsecure O&M protocol connections are allowed. Both secure and unsecure ports are open. When the parameter value is changed from Off to Probing, the LTE iOMS resets the port 8002 to trigger the eNodeB change from unsecure to secure connection.

Forced: Only secure O&M protocol connections are established. The LTE iOMS and the eNodeB use the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite. The unsecure port (8002) is closed.

Off: Only unsecure O&M protocol connections are allowed. The secure port (8003) is closed.

2.2.3.3 File Transfer (FT) security mode in LTE iOMS

For file transfer between LTE iOMS and eNodeB there is a separate parameter (TLSModeFT) which can be configured as any of the following:

Forced: Only secure file transfers are allowed.

- The LTE iOMS and the eNodeB use the TLS_RSA_WITH_RC4_128_SHA cipher suite.
- The secure port (443) is open. Insecure ports are closed (FTP 20, HTTP 80).

Probing: Both secure and unsecure file transfers are allowed between LTE iOMS and eNodeB. Secure file transfer is tried first. File transfers between LTE iOMS and NetAct are in secure mode only. Both secure and unsecure ports are open.

Off: Only unsecure file transfers are allowed. Both secure and unsecure ports are open.

The file transfers between eNodeB and LTE iOMS depend on the BTS O&M interface state. If the interface state is secure, then the file transfer is also secure. If the negotiated file transfer protocols allow both unsecure and secure file transfers, and the file transfer attempts from both secure and unsecure ports fails, the client does not retry, but aborts the procedure.

2.2.3.4 Allowed TLS mode combinations

The allowed combinations of TLS modes are listed in the table below. Only these combinations are allowed because of dependencies between O&M connection and file transfer secure state in some network elements.

TLSModeFT | TLSModeOM
Forced    | Forced
Forced *  | Probing
Probing   | Forced
Probing   | Probing
Probing   | Off
Off       | Probing
Off       | Off

Table 11: Allowed TLS mode combinations

* This combination can be introduced provided that the eNodeB has successfully established the secure BTSOM connection.
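The rules in sections 2.2.3.1 to 2.2.3.4 expressed as a configuration check. This is an added example, not part of the original documentation; the function name, its arguments and the sample inputs are hypothetical, and Table 11 is read with the asterisk on TLSModeFT=Forced / TLSModeOM=Probing.

```python
# Added example: audits one eNodeB / LTE iOMS pair against the rules on this page.
# Mode names, ports and combinations come from the page; all other names are hypothetical.

# Table 11 as (TLSModeFT, TLSModeOM) pairs.
ALLOWED = {
    ("Forced", "Forced"), ("Forced", "Probing"), ("Probing", "Forced"),
    ("Probing", "Probing"), ("Probing", "Off"), ("Off", "Probing"), ("Off", "Off"),
}
# Ports the page states are closed in each mode (sections 2.2.3.2 and 2.2.3.3).
OM_CLOSED = {"Forced": {8002}, "Probing": set(), "Off": {8003}}
FT_CLOSED = {"Forced": {20, 80}, "Probing": set(), "Off": set()}


def audit(oms_tls, tls_mode_om, tls_mode_ft, btsom_secure, open_ports):
    """Return a list of findings; an empty list means nothing to report."""
    for name, value in (("omsTLS", oms_tls), ("TLSModeOM", tls_mode_om),
                        ("TLSModeFT", tls_mode_ft)):
        if value not in ("Forced", "Probing", "Off"):
            raise ValueError(f"{name}: unknown mode {value!r}")
    findings = []
    # Section 2.2.3.1: eNodeB and LTE iOMS operation modes must be the same.
    if oms_tls != tls_mode_om:
        findings.append(f"mismatch: eNodeB omsTLS={oms_tls}, iOMS TLSModeOM={tls_mode_om}")
    # Section 2.2.3.4: only the Table 11 combinations are allowed.
    if (tls_mode_ft, tls_mode_om) not in ALLOWED:
        findings.append(f"combination not in Table 11: FT={tls_mode_ft}, OM={tls_mode_om}")
    elif (tls_mode_ft, tls_mode_om) == ("Forced", "Probing") and not btsom_secure:
        findings.append("FT=Forced with OM=Probing needs an established secure BTSOM connection")
    for param, mode in (("TLSModeOM", tls_mode_om), ("TLSModeFT", tls_mode_ft)):
        if mode == "Probing":
            findings.append(f"{param}=Probing: unsecure connections are still allowed")
        elif mode == "Off":
            findings.append(f"{param}=Off: only unsecure connections")
    # Compare observed listening ports with the ports that should be closed.
    for port in sorted((OM_CLOSED[tls_mode_om] | FT_CLOSED[tls_mode_ft]) & set(open_ports)):
        findings.append(f"port {port} is open but should be closed in this mode")
    return findings


# Constructed sample inputs: (omsTLS, TLSModeOM, TLSModeFT, btsom_secure, open ports).
SAMPLES = {
    "hardened": ("Forced", "Forced", "Forced", True, {8003, 443}),
    "mid-migration": ("Probing", "Probing", "Forced", False, {8002, 8003, 443, 80}),
    "invalid": ("Off", "Off", "Forced", False, {8002, 443}),
}

if __name__ == "__main__":
    for label, args in SAMPLES.items():
        print(label, audit(*args) or "no findings")
```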

2.2.3.5 Configuring File Transfer modes in LTE iOMS

1. From the Application Launcher, open the LTE iOMS Parameter Tool.

Note: If the Parameter Tool is not visible in the Application Launcher, follow the procedure under the LTE iOMS Parameter Tool entry in the Preparation checklist for LTE iOMS table to make the Parameter Tool visible.

Integrating Flexi Multiradio BTS LTE to NetAct Preparation before integration

fsClusterId=ClusterRoot fsFragmentId=OMS omsFragmentId=System omsFragmentId=Network omsFragmentId=TLS

3. Set the value of the TLSModeFT or TLSModeOM parameter according to the possible values indicated in BTS and O&M Protocol (OM) security mode in LTE iOMS and File Transfer (FT) security mode in LTE iOMS.

2.2.3.6 Mandatory certificates for TLS configuration in LTE iOMS

Attribute | TLSModeFT | TLSModeOM
Forced    | Mandatory | Mandatory
Probing   | Mandatory for file transfers between NetAct and LTE iOMS. Options for network elements. | Optional
Off       | None | None

Table 12: Mandatory certificates

HTTP client BTSOM server

HTTP server BTSOM server

Attribute TLSModeFT TLSModeOM certificate x trusted CA certificate x certificate x trusted CA certificate x

Table 13: Certificates required for secure connections

2.2.3.7 Installing certificates for secure communication

To completely enable TLS for Secure File Transfer, ensure the certificates are installed on the network element. For more information, refer to Certificate lifecycle management in the LTE RAN O&M Security chapter of the LTE Radio Access Operating Documentation in the NSN online library. Note that this document has several versions, depending on the software release. As an example, you may refer to LTE Radio Access Operating Documentation (DN0958798).

Certificates must be installed in NetAct to complete the Trust cycle and enable the Secure Communication:

CM certificates - For more information, refer to Adding certificates for CM upload.

NE certificates - For more information, refer to Adding a network element certificate to the NWI3 mediation's truststore.
