
Vodafone D2 PSK to PKI evolvement



Presentation Transcript


  1. Vodafone D2 PSK to PKI evolvement

  2. PSK Topology
     2 Scenarios:
     - eNodeB with HW certificates (>1700 Sites)
     - eNodeB without HW certificates (102 Sites)
     Diagram labels: M2000 10.50.30.230; IPCLK; IPSec tunnel 1; IPSec tunnel 2; MME 10.1.0.1; Se-GW; SGW 10.1.0.9

  3. PKI Topology: recommended
     Benefits:
     - Minimize the OMCH link break risk.
     - Route remains, reduce the cost on the evolvement.
     - Double security from eNodeB to Se-GW.
     Diagram labels: M2000 10.50.30.230; IPCLK; IPSec tunnel 1; IPSec tunnel 2; With SSL; MME 10.1.0.1; Se-GW; SGW 10.1.0.9; CA Server

  4. Scenario 1: eNodeB with HW certificates
     Precondition:
     1. eNodeB and CA server can reach each other. CA server name and URL are provided (port 8080).
     2. HW root certificate should be deployed in the CA server and the OP trust certificate should be deployed in eNodeB.
     3. HW eNodeB ESN IDs are in the CA server white list.
     HW command:
     1. ADD CA // define the target CA server for eNodeB.
     2. MOD CERTREQ // edit certificate request information.
     3. REQ DEVCERT // apply for the device certificate from the CA server.
     4. MOD APPCERT // apply the device certificate for IKE.
     5. MOD APPCERT // apply the device certificate for SSL.

  5. Scenario 2: eNodeB without HW certificates
     Huawei command:
     1. MOD CERTREQ // edit certificate request information.
     2. CRE CERTREQFILE // create certificate request file.
     3. ULD NEFILE // upload the NE certificate request file.
     4. CA operator generates the device certificate for the eNodeB.
     5. DLD CERTFILE // download the CA root certificate to eNodeB.
     6. DLD CERTFILE // download the device certificate to eNodeB.
     7. ADD TRUSTCERT // configure the CA root certificate as trust.
     8. ADD CERTMK // add the device certificate into eNodeB.
     9. MOD APPCERT // apply the device certificate for IKE.
     10. MOD APPCERT // apply the device certificate for SSL.

  6. PSK to PKI evolvement
     1. IKE mode from PSK to PKI
     Command: MOD IKEPROPOSAL:PROPID=1,AUTHMETH=IKE_RSA_SIG;
     Change the authentication mode from PRE_SHARED_KEY to IKE_RSA_SIG. This operation will not affect the normal service if all the PKI structure is ready and well deployed.
     Verification: DSP IKESA to check the IKE association status.

  7. SSL connection establish
     When the PSK to PKI evolvement is complete, we start the SSL connection setup.
     - M2000 should have the CA root certificate.
     - Log in to M2000 and choose the security menu.
     - Choose Certificate Authentication Management\SSL Connection Management.
     - Choose the related NE and change the Connection type to SSL Connection and the SSL Authentication to Bidirectional Authentication.

  8. D2 target Topology
     If D2 prefers this solution, we need to discuss the cutover.
     Diagram labels: M2000 10.50.30.230; IPCLK; SSL; MME 10.1.0.1; IPSec tunnel 2; 3. IPSec tunnel establish; Se-GW; SGW 10.1.0.9; Certificate authentication; Certificate update; CA server
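
The file-based enrollment of slide 5 and the "PKI structure is ready" condition of slide 6, mirrored with OpenSSL as an added example (not part of the original presentation and not Huawei MML). Subject names, file names and the unrelated "rogue" root are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration: OpenSSL stand-in for the file-based enrollment in slide 5.
# Not Huawei MML. All subject names and file names are constructed.
set -eu

make_root() {   # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Operator/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_csr() {    # slide 5 steps 1-2: request information and request file
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Operator/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign_csr() {    # slide 5 step 4: $1 = device prefix, $2 = issuing CA prefix
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -set_serial 1 -days 30 -out "$1.pem" 2>/dev/null
}

chain_ok() {    # peer-side check: $1 = trusted root, $2 = device certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches() { # issued certificate must carry the node's own public key
    [ "$(openssl x509 -in "$1.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1.key" -pubout)" ]
}

enroll() {      # $1 = working directory; leaves root, rogue and enb files there
    make_root "$1/root"  "Operator Root CA"
    make_root "$1/rogue" "Unrelated Root CA"
    make_csr  "$1/enb"   "enb-0001.example.invalid"
    sign_csr  "$1/enb"   "$1/root"
}

report() {      # prints the outcome of each readiness check
    key_matches "$1/enb" && echo "key/cert pair: match"
    chain_ok "$1/root.pem" "$1/enb.pem" && echo "operator root: verifies"
    chain_ok "$1/rogue.pem" "$1/enb.pem" || echo "unrelated root: rejected"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
enroll "$work"
report "$work"
```

A device certificate that does not chain to the root the peer has configured as trust fails in the same way as the "rogue" case here, which is the condition to rule out before AUTHMETH is switched to IKE_RSA_SIG.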
