Managed Connected Router 4G and WiFi MDS 05-6628A01, Rev.
Quick-Start instructions for this product are contained in publication 05-6702A01. Visit our website for downloadable copies of all documentation at www.gemds.com.
TABLE OF CONTENTS
1.0 INTRODUCTION ..... 1
1.1 About This Manual ..... 1
Software Command Notations ..... 1
Authorized Features Icon .....
File Servers ..... 68
Certificate Management ..... 69
Event Logging ..... 77
Firmware Management .....
Antennas must not be co-located. All transmitting antennas must be at least 20 cm apart to comply with FCC co-location rules.

Orbit Device vs. Minimum RF Safety Distance
Radio Module Type   Minimum Safety Distance from Antenna
MCR-4G              20 cm
MCR-900             23 cm
Other models        Consult factory prior to operation.
Cellular Operational Bands The following table shows the bands in which the cellular module operates for each wireless technology. FCC IDs of Installed Transmitters As of the date of printing, the following FCC identifiers are assigned to the modules listed below. For the latest, official listings of all agency approval information, please contact your factory representative.
Manual Revision and Accuracy This manual was prepared to cover a specific version of firmware code. Accordingly, some screens and features may differ from the actual unit you are working with. While every reasonable effort has been made to ensure the accuracy of this publication, product improvements may also result in minor differences between the manual and the product shipped to you.
should be in accordance with the transceiver's installation manual, and the National Electrical Code. Tampering or replacement with non-factory components may adversely affect the safe use of the transceiver in hazardous locations, and may void the approval. A power connector with screw-type retaining screws as supplied by GE MDS must be used.
EXPLOSION HAZARD! Do not disconnect equipment unless power has been switched off or the area is known to be non-hazardous.
1.0 INTRODUCTION This manual describes the MDS Orbit MCR-4G (Managed Connected Router) shown in Figure 1. The unit is a highly secure, industrial grade, wireless communication product for broad based applications including control center monitoring, well site pad operations, and video surveillance. It serves the need for localized WiFi communications with a cellular back-up or backhaul option, while providing the extended temperature range and industrial-grade packaging inherent to GE MDS products.
Bolded font example (used for software commands and keyboard entries) Bolded font example (used for tabular screen data) In the Device Management section, there are a number of command strings where information is presented by the unit, and a reply is required from the user. In such cases, information from the unit is shown in a non-bolded font, and the user response is shown in bold.
2.0 PRODUCT DESCRIPTION The MCR-4G is a rugged networking router providing comprehensive solutions for IP/Ethernet, serial, and machine-to-machine wireless communication. This industrial package provides integrated 4G LTE wireless technology and connectivity for Ethernet and serial devices requiring secure operation.
Figure 2. Typical MCR Application

2.4 Connectors and Indicators
Figure 3 shows the unit's front panel connectors and indicators. These items are referenced in the text that follows. The unit's LED Indicator Panel is described in Table 4 on Page 8.
Figure 3. Front panel connectors and indicators: LED Indicator Panel, Mini USB Port, DC Power (10-60 Vdc), Ethernet Ports (RJ-45 10/100), COM Port, Cellular Antennas (Aux & Main), SIM Card Slot, WiFi Antenna
PWR—Two-conductor DC input connection. Input voltage must be well filtered, and within the range of 10-60 Vdc. The power supply must be capable of providing a maximum of 15 watts. The unit includes a 6-foot (1.83 meter) power cable suitable for indoor or outdoor use when properly connected. The DC power connector (Figure 4) is keyed, and can only be inserted one way.
Figure 4. DC power connector: Lead Binding Screws (2), Retaining Screws (2), Wire Ports (2) (Polarity: Left +, Right –)
COM Port—This connector serves as the serial interface port for both console management and payload data, using standard serial signaling. By default, the port is enabled for local console control. The COM port serves as the primary interface for connecting the unit to an external DTE serial device using the RS-232 or RS-485 serial data format. If necessary, an adapter may be used to convert the unit's RJ-45 serial jack to a DB-9F type (GE MDS part no.
Table 3. COM1 Port Pin Details (RS-485)
Pin Number   Input/Output   Pin Description
1            -              Reserved
2            OUT
3            -              Reserved
4            -              Ground. Connects to ground (negative supply potential) on chassis
5            OUT            TXD+ (Transmitted Data +)—Non-inverting driver output. Supplies received payload data to the connected device.
6            IN             RXD+ (Received Data +)—Non-inverting receiver input. Accepts payload data from the connected device.
WiFi Antenna—Antenna connection for 2400 MHz WiFi service. The connector appears similar to the cellular connectors discussed above, but is a Reverse-SMA type. It contains a pin that matches with an SMA-F connector. The GE MDS part number for this antenna is 97-4278A48. SIM Port—This port accepts a mini SIM card (2FF type) for 4G cell operation. The unit’s cellular interface will not function without a valid SIM card installed.
2.4.1 Grounding Considerations To minimize the chance of damage to the unit and any connected equipment, a safety ground (NEC Class 2 compliant) is recommended which bonds the chassis, antenna system(s), power supply, and connected data equipment to a single-point ground, keeping all ground leads as short as possible. Normally, the unit is adequately grounded if mounted with the flat brackets to a well-grounded metal surface.
Figure 8. Attachment (Left) and Removal of unit from DIN Rail (Unit shown is for bracket example only, and is not an MCR Unit.) 2.4.4 Antenna Planning & Installation Consideration must be taken to select appropriate antennas for optimal RF performance. This section reviews the key factors involved in selecting and installing antennas for the MCR-4G. Only approved antennas may be used on the unit's RF output connectors, as listed in Table 5.
1. Direct mounting of LTE paddle antennas (GE MDS PN: 97-2485A04) on the Main and Aux Cell channels. Cabled mounting of the Wi-Fi antenna (GE MDS PN: 97-4278A34) using a magnetic mount (GE MDS PN: 97-4278A78). This configuration offers easy mobility for evaluation purposes or indoor applications with good cellular coverage (see Figure 9).
Figure 9. Direct Mounting of Cell Antenna; Cabled WiFi Antenna (minimum 8-inch (20.32 cm) separation between Cell and WiFi antennas)
2.
2.4.5 Accessories and Spares
Table 6 lists common accessories and spare items for use with the MCR-4G. GE MDS also offers an Accessories Selection Guide listing an array of additional items that may be used with the product. Contact your factory representative or visit www.gemds.com to obtain a copy of the guide.
Table 6. Accessories & Ancillary Items
Item                              Description                                      Part Number
DC Power Plug, 2-pin, polarized   Mates with power connector on the unit's case.
3.0 DEVICE MANAGEMENT The MCR-4G offers several interfaces to allow device configuration and monitoring of status and performance. These include local serial console, USB, NETCONF, HTTPS, and Secure Shell (SSH) for local and remote access via the WAN and LAN networks. The serial console and SSH services offer a command line interface (CLI). There are three user accounts/roles for management access: admin, tech, and oper. User accounts can be centrally managed with a RADIUS server.
If necessary, an adapter may be used to convert the unit's RJ-45 serial jack to a DB-9F type (GE MDS part no. 73-2434A12). If no serial port exists on the PC, a USB-to-serial adapter cable may also be used to connect to the MCR unit.
Figure 10. PC Connection for Programming/Management (PC running a terminal session, connected to the COM port)
2. Press the ENTER key at half-second intervals to receive the Login: prompt. This indicates that the unit is ready to receive commands.
3.
One-Time Passwords: How They Work One-time recovery passwords put control directly and exclusively in the user’s hands. They are similar to spare keys for a lock. If you make a spare key, and put it away safely, you can take it out to quickly gain entry when your primary key is lost. If you don’t make a spare, you are always at risk of locking yourself out. A one-time recovery password is different from the one used to log into the unit on a routine basis.
Default Values While configuring the unit, some of the configuration data may not need to be explicitly set, but instead the data assumes the default value defined in the data model. For example, when a File Server configuration is added and the server type is specified as TFTP, then the remote TFTP port will default to 69 if the user does not explicitly specify the port. Data nodes that do not have a default value will require the user to input a value for that node during configuration.
Step 2: Instruct the device to enter configuration mode by typing "configure" and pressing the enter key:
admin@(none) 04:51:06> configure
Entering configuration mode private
[ok][2012-06-20 04:51:07]
[edit]
admin@(none) 04:51:07%
Step 3: Change the device name by typing in the following, followed by enter: set system name Device539
admin@(none) 05:31:14% set system name Device539
[ok][2012-06-20 05:32:45]
[edit]
admin@(none) 05:32:45%
Step 4: Verify the change looks correct by reading the data back using
CLI Quick Reference Table Table 7 provides a summary listing of commonly-needed tasks and the appropriate commands to enter. The table can be used as a quick reference before consulting the more detailed information which follows in this section. Each CLI command is preceded by the symbol > for an operational command, or % for a configuration command. Table 7. CLI Quick Reference Table If you wish to...
Specific examples
Example #1
In Figure 11, the MCR-4G is functioning as a WiFi Access Point to provide connectivity between a set of laptops and a handheld device. The MCR-4G is also acting as a DHCP server for the laptops and handheld device.
Figure 11. Example 1. Nodes shown: Laptop 1 192.168.1.11, Laptop 2 192.168.1.12, Laptop 3 192.168.1.13, Handheld 1 192.168.1.14, MCR-4G 192.168.1.21 (WiFi Access Point); links: Ethernet and WiFi.
Example #2
In Figure 12, there are two MCR-4G devices, one acting as a WiFi Access Point, the other as a WiFi Station. Together, the MCR-4G devices are providing a wireless bridge between the laptop and the SCADA device.
Figure 12. Example 2. Nodes shown: Laptop 1 192.168.1.11, MCR-4G #1 192.168.1.21 (WiFi Access Point), MCR-4G #2 192.168.1.22 (WiFi Station), SCADA Device 192.168.1.31; links: Ethernet and WiFi.
Example #3
Figure 13 shows MCR-4G #2 acting as a terminal server to provide connectivity to the serial-based SCADA device via UDP.
Figure 13. Example 3: Unit Providing Connectivity to Serial-Based SCADA Device via UDP. Nodes shown: SCADA application 192.168.1.11, MCR-4G #1 192.168.1.21 (WiFi Access Point), MCR-4G #2 192.168.1.22, SCADA Device (serial); links: Ethernet, WiFi and serial.
The following commands will configure the MCR-4G #2 for this scenario.
1.
Example #4
In Figure 14, the MCR-4G provides internet access for a laptop that is accessing a public web page.
Figure 14. Example 4: Unit Providing Internet Access for Laptop. Nodes shown: Laptop 1 192.168.1.11 (Ethernet), MCR-4G 192.168.1.21 (Cellular), Public Carrier Network, Internet, Internet web server.
SIM Type: In this scenario, the MCR-4G has a SIM installed that simply provides Internet access. The following commands will configure the MCR-4G for this scenario.
1.
Serial Console A serial cable may be used to connect to a COM port on the unit to access the CLI. The default serial console settings are 115200 bps with 8N1 format. A mini-USB-to-USB cable may also be used to connect to a computer in case no serial port exists. If a mini-USB connection is used, the computer must contain the appropriate device driver. A driver for serial operation can be found on the GE MDS website.
Network Understanding The unit has multiple network interfaces including LAN, Cellular, and WiFi. Each of these has numerous networking features and each feature is described below in a separate section:
• Static or dynamic IP addressing (DHCP) for each interface
• Bridging
• Firewall
• Routing
• VPN
Configuring See each individual section for details about configuring the LAN, Cell, WiFi interfaces, and related networking features.
Monitoring Ensure the CLI is in operational mode.
LAN Understanding The unit has external Local Area Network (LAN) ports that can be used to connect to a local LAN. It supports both IPv4 and IPv6 addresses and may be assigned multiple IP addresses. The LAN port can be assigned static IP addresses or a dynamically allocated address can be assigned using DHCP. NOTE: The LAN port should be assigned IP addresses only if it is a routed interface (that is, not in a bridge). Refer to the section on Bridging later in the document.
status mac-address 00:00:00:00:01:01
status mtu 1500
status link up
status ipv4 address [ 192.168.1.10/24 192.168.1.
VLAN Operation Understanding Virtual Local Area Networks (VLANs) are generic interface types in the MCR-4G, and can be assigned unique IP addresses. They are treated the same as any other interface type, but they offer a way to link traffic between interface ports. As such, a VLAN device can be thought of as a “bridging device.” Setup To setup a VLAN, you must first create one or more VLAN interfaces.
Cell Understanding The unit incorporates a 4G LTE module capable of operation on the Verizon Wireless LTE/CDMA network (LTE 700 MHz Band 13) in the United States. The unit supports routing of TCP/UDP/IP data from the Cellular WAN network interface to any of the other network interfaces (including WiFi or LAN) using the IPsec VPN or network address and port translation (NAPT) feature, and to the COM1 (or COM2) serial port using the terminal server service.
LTE Recovery The cellular modem used inside the unit may occasionally remain in a 3G (EVDO-REV A) service state and not transition to 4G LTE. The firmware incorporates a recovery mechanism to recover from this condition. If the cellular modem has been in 3G coverage for more than 15 minutes, the firmware resets the modem to bring it back into LTE service state. LTE recovery is enabled by default. This mechanism should be disabled if the unit is deployed in areas that either lack or have poor LTE coverage.
status counters rx_missed_errors 0
status counters rx_packets 259
status counters rx_over_errors 0
status counters tx_aborted_errors 0
status counters tx_bytes 40114
status counters tx_carrier_errors 0
status counters tx_compressed 0
status counters tx_dropped 0
status counters tx_errors 0
status counters tx_fifo_errors 0
status counters tx_heartbeat_errors 0
status counters tx_packets 273
status counters tx_window_errors 0
cell-status imsi 311480023788535
cell-status imei 990000624071751
cell-status iccid
WiFi Understanding The internal WiFi module has FCC modular approval and may only be used with one of the GE MDS approved antennas (see 802.11 WiFi Module Specifications below). The WiFi antenna is connected to the reverse-SMA connector on the unit’s front panel. Only these antennas may be used. The WiFi module can be configured to operate as an 802.11b/g/n Access Point or Station. The operational mode and frequency can be configured through the user interface. The specifications for the 2.
tx-power 15;
ap-config {
  ssid somessid;
  broadcast-ssid true;
  channel 6;
  station-max 7;
  station-timeout 300;
  beacon-interval 100;
  operation-mode 80211g;
  dtim-period 2;
  rts-threshold 2347;
  fragm-threshold 2346;
  privacy-mode none;
}
[ok][2012-06-19 00:17:37]
admin@(none) 00:17:37% commit
Commit complete.
Privacy mode configuration The default privacy mode, as shown above, is none: the access point is open and all WiFi traffic is sent in the clear. The following configures the unit to use WPA2-Personal security with CCMP/AES encryption.
admin@(none) 00:19:02% set interfaces interface wlan0 wifi-config ap-config privacy-mode wpa2-personal psk-config encryption ccmp-tkip psk somepassphrase
[ok][2012-06-19 00:26:51]
[edit]
admin@(none) 00:26:51% show interfaces interface wlan0 wifi-config | detail
mode access-point;
tx-power 15;
ap-config {
  ssid somessid;
  broadcast-ssid false;
  channel 6;
  station-max 7;
  station-timeout 300;
  beacon-interval 100;
  operation-mode 80211g;
  dtim-period 2;
  rts-threshold 2347;
  fragm-threshold 2346;
  privacy-mode wpa2-pe
  }
}
[ok][2012-06-19 00:36:39]
[edit]
admin@(none) 00:36:39% commit
Commit complete.
Note that the encryption value ccmp-tkip in the command above also admits clients that only support TKIP. TKIP is a deprecated cipher; where the unit and all clients support it, select a CCMP-only encryption setting, and choose a long, random passphrase, since WPA2-Personal is only as strong as the PSK.
Station Mode This command sets the unit to act as WiFi station to connect to an AP with somessid and WPA2 Personal security.
Station Mode The following shows status when connected to a configured AP. Note that in this case bssinfo-0 represents the AP (i.e., id is the bssid).
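The show-output format above lends itself to an automated check before a unit is deployed. The following is an added example (not GE MDS code) that parses the access-point block of a "show interfaces interface wlan0 wifi-config | detail" dump and flags the two weak states discussed above: privacy-mode none and a WPA2-Personal PSK with TKIP admitted. The three sample blocks are constructed; the "encryption ccmp" keyword in HARDENED_AP and the 20-character PSK floor are assumptions of this example, not values taken from the manual.

```python
"""Audit the access-point block of an MCR-4G 'show interfaces interface
wlan0 wifi-config | detail' dump for weak privacy settings. Added example,
not GE MDS code. The 'encryption ccmp' keyword in HARDENED_AP and the
20-character PSK floor are assumptions, not values from the manual."""
import re

# Constructed samples written in the manual's show-output style.
DEFAULT_AP = """mode access-point;
tx-power 15;
ap-config {
  ssid somessid;
  broadcast-ssid true;
  channel 6;
  privacy-mode none;
}"""

MIXED_AP = """mode access-point;
ap-config {
  ssid somessid;
  broadcast-ssid false;
  privacy-mode wpa2-personal;
  psk-config {
    encryption ccmp-tkip;
    psk somepassphrase;
  }
}"""

HARDENED_AP = """mode access-point;
ap-config {
  ssid somessid;
  privacy-mode wpa2-personal;
  psk-config {
    encryption ccmp;
    psk correct-horse-battery-staple-2012;
  }
}"""

# One 'key value;' leaf; container lines ('ap-config {') do not match.
LEAF = re.compile(r"([\w-]+)\s+([^\s;{}]+);")


def parse_leaves(text):
    """Flatten every 'key value;' leaf into a dict (containers are dropped)."""
    return {m.group(1): m.group(2) for m in LEAF.finditer(text)}


def audit_ap(text, min_psk_len=20):
    """Return a list of findings for an access-point block; [] is acceptable."""
    cfg = parse_leaves(text)
    findings = []
    if cfg.get("mode") != "access-point":
        return findings  # station-side settings are out of scope here
    mode = cfg.get("privacy-mode", "none")
    if mode == "none":
        findings.append("open network: privacy-mode none")
    elif mode == "wpa2-personal":
        enc = cfg.get("encryption", "")
        if "tkip" in enc:
            findings.append("TKIP permitted: encryption " + enc)
        if len(cfg.get("psk", "")) < min_psk_len:
            findings.append("PSK shorter than %d characters" % min_psk_len)
    else:
        findings.append("unrecognised privacy-mode " + mode)
    return findings


if __name__ == "__main__":
    for name, block in (("default", DEFAULT_AP), ("mixed", MIXED_AP),
                        ("hardened", HARDENED_AP)):
        print(name, audit_ap(block) or "ok")
```

Run against a dump captured from the unit, the script reports the default AP as open, the mixed-mode AP for both the TKIP cipher and the short passphrase, and the CCMP-only block as clean.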
Bridging Understanding The unit supports transparent bridging of LAN and WiFi networks. The bridge forwards traffic between LAN and WiFi networks at the layer-2 of OSI model. This allows LAN and WiFi clients to be in the same IP sub-network. The bridge learns the clients’ locations by analyzing the source address of incoming frames from all attached networks (LAN and WiFi network).
Figure 15. Bridging Functions Diagram
Configuring Creating a bridge interface and assigning it an IP address:
admin@(none) 00:02:09% set interfaces interface myBridge type bridge
admin@(none) 00:02:20% set interfaces interface myBridge bridge-settings ageing-time 500
admin@(none) 00:22:26% set interfaces interface myBridge ipv4 address 192.168.1.
Monitoring Ensure the CLI is in operational mode. Follow the example below to view the state and statistics of a bridge. In this example, bridge br0 is bridging LAN (eth0) and WiFi (wlan0) networks.
interfaces interface br0
if-index 4
status mac-address 00:19:70:94:7e:2d
status mtu 1500
status link up
status ipv4 address [ 10.10.1.
Routing Understanding The unit can be configured to route IP packets between routed interfaces.
Configuring a default static route:
admin@(none) 00:50:52% set routing static-routes ipv4 route 1 dest-prefix 0.0.0.0/0 next-hop 192.168.1.10
Configuring a static host route:
set routing static-routes ipv4 route 2 dest-prefix 10.2.3.1/32 next-hop 192.168.1.9
admin@(none) 00:04:57% show routing static-routes
ipv4 {
  route 1 {
    dest-prefix 0.0.0.0/0;
    next-hop 192.168.1.10;
  }
  route 2 {
    dest-prefix 10.2.3.
Firewall and NAT Understanding The MCR incorporates a firewall service that provides the following functionality: 1. Packet filtering to permit or deny incoming or outgoing traffic on an interface. 2. Network Address Translation (NAT) • Source NAT - Masquerading • Destination NAT – Port Forwarding Packet Flow This section provides a simplified view of packet flow for various categories of traffic flows going in and out of the MCR unit. Figure 16 shows the flow of packets terminating at MCR.
Figure 19 shows the flow of packets being port-forwarded (DNAT'ed) through the MCR unit. For example, TCP traffic arriving at the cellular interface and getting port forwarded to a private host connected to the local Ethernet interface.
Figure 19. Packets Being Port-Forwarded Through MCR
Figure 20 shows the flow of packets being masqueraded (source NATed) through the MCR unit.
enabled ;
filter {
  rule {
    match {
      protocol ;
      src-address { address or address-range; }
      src-port { services [ …] or port-range; }
      dst-address { address or address-range; }
      dst-port { services [ …] or port-range; }
      ipsec {
        direction ;
        tunnel-src-address ;
        tunnel-dst-address ;
      }
    }
    actions {
      action ;
      reject-type ;
      log { lev
The following example describes the step-by-step configuration of an example filter that can be applied to cellular interface of the MCR. Change to CLI configuration mode: 1. Enable firewall service admin@(none) 19:33:20% set services firewall enabled true 2. Create a “restrictive” filter named “IN_UNTRUSTED” to indicate that this filter has been designed to be applied to an untrusted cellular interface of MCR.
6. Create the last rule for this "restrictive" filter to deny everything else. Rules are evaluated in ascending order of rule ID and the first matching rule decides the packet's fate, so any rule given an ID higher than this catch-all is never reached: the catch-all already matches all traffic and drops it. In this example rule ID 10 is chosen, leaving a gap of unused IDs below it so that rules for new traffic types can later be inserted ahead of the final drop.
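The ordering rule in step 6 is easy to get wrong when a filter is edited months later. The following added example (not GE MDS code) replays a filter with the first-match, ascending-ID semantics described above over a few constructed packets, and lists the rule IDs that can never fire because they sit behind the catch-all. The rule set is illustrative (it accepts IKE and NAT-T on UDP 500/4500 from an assumed peer 198.51.100.10), not the manual's actual IN_UNTRUSTED filter, and the rule and packet dictionaries are this example's own representation rather than the unit's data model.

```python
"""Replay an MCR-style firewall filter with first-match semantics to show
why the catch-all drop must carry the highest rule ID. Added example, not
GE MDS code; rules and packets below are constructed and illustrative."""
from ipaddress import ip_address, ip_network


def matches(rule, pkt):
    """True when every key the rule specifies equals the packet's field.
    'protocol all' (or no protocol key) matches any protocol."""
    m = rule["match"]
    if m.get("protocol", "all") not in ("all", pkt["protocol"]):
        return False
    if "src-address" in m and ip_address(pkt["src"]) not in ip_network(m["src-address"]):
        return False
    if "dst-port" in m and pkt.get("dst_port") != m["dst-port"]:
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, rule_id) of the first rule, in ascending ID order,
    that matches the packet; (None, None) when no rule matches."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if matches(rule, pkt):
            return rule["action"], rule["id"]
    return None, None


def is_catch_all(rule):
    """A rule that matches 'protocol all' and nothing else."""
    m = rule["match"]
    return m.get("protocol", "all") == "all" and not (set(m) - {"protocol"})


def unreachable_ids(rules):
    """IDs of every rule ordered after the first catch-all rule."""
    ordered = sorted(rules, key=lambda r: r["id"])
    for i, rule in enumerate(ordered):
        if is_catch_all(rule):
            return [r["id"] for r in ordered[i + 1:]]
    return []


# Illustrative restrictive filter: accept IKE and NAT-T from the VPN peer
# (assumed address 198.51.100.10), drop everything else at ID 10.
IN_UNTRUSTED = [
    {"id": 1, "match": {"protocol": "udp", "src-address": "198.51.100.10/32",
                        "dst-port": 500}, "action": "accept"},
    {"id": 2, "match": {"protocol": "udp", "src-address": "198.51.100.10/32",
                        "dst-port": 4500}, "action": "accept"},
    {"id": 10, "match": {"protocol": "all"}, "action": "drop"},
]

# A rule added after the catch-all is never consulted ...
MISPLACED = IN_UNTRUSTED + [
    {"id": 11, "match": {"protocol": "tcp", "dst-port": 22}, "action": "accept"},
]
# ... while the same rule inserted in the gap below ID 10 takes effect.
INSERTED = IN_UNTRUSTED + [
    {"id": 7, "match": {"protocol": "tcp", "dst-port": 22}, "action": "accept"},
]

# Constructed packets: SSH from an arbitrary internet host, IKE from the peer.
SSH_FROM_INTERNET = {"protocol": "tcp", "src": "203.0.113.7", "dst_port": 22}
IKE_FROM_PEER = {"protocol": "udp", "src": "198.51.100.10", "dst_port": 500}

if __name__ == "__main__":
    print("IKE from peer:", evaluate(IN_UNTRUSTED, IKE_FROM_PEER))
    print("SSH, rule 11 behind catch-all:", evaluate(MISPLACED, SSH_FROM_INTERNET),
          "unreachable:", unreachable_ids(MISPLACED))
    print("SSH, rule 7 before catch-all:", evaluate(INSERTED, SSH_FROM_INTERNET))
```

The unreachable_ids check is the one worth keeping in a change-review script: a filter that lists any ID after its catch-all has a rule the author believes is active but which the unit will never apply.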
Source NAT Source NAT performs translation of source IP address of the traffic egressing an interface. This is typically used to provide many-to-one translation (also called masquerading) of a private network behind MCR to allow hosts on that private network to access a host (say HOST-B) on the public network. (See Figure 21.
Source NAT configuration on MCR involves the following high level steps:
1. Create a source NAT rule-set.
2. Add a rule to perform source NAT on the public interface.
3. Apply the source NAT rule-set to the public interface.
The following example describes the step-by-step configuration of an example source NAT rule-set to perform masquerading on the cellular interface of the MCR. Change to CLI configuration mode:
1. Enable the firewall service, if it is not already enabled.
Figure 22. Destination NAT Translation of IP Address
Configuring Configuration Hierarchy
services {
  firewall nat {
    destination {
      rule-set {
        rule {
          match {
            protocol
            src-address ;
            dst-address ;
            dst-port ;
          }
          destination-nat {
            address ;
            port ;
          }
        }
      }
    }
  }
}
interfaces {
  interface {
    nat {
      destination ;
    }
  }
}
Destination NAT configuration on MCR involves the following high level steps:
1.
3. Apply the destination NAT rule-set to the public interface. The following example describes the step-by-step configuration of an example destination NAT rule-set to perform port forwarding of incoming Modbus/TCP traffic (TCP port 502) on the cellular interface to the private HOST-1 (assume that the Modbus service is listening on port 5512 on HOST-1). Change to CLI configuration mode:
1. Enable the firewall service, if it is not already enabled.
admin@(none) 19:33:20% set services firewall enabled true
2.
VPN Understanding The MCR supports standards-based IPsec Virtual Private Network (VPN) technology to securely connect a remote private network (LAN or WiFi) with the customer's back-office/data center private network (see Figure 23). This allows IP traffic from/to devices connected to either the LAN, WiFi or Serial port of the MCR to securely flow to/from back-office applications via a secure tunnel through a public cellular network.
The process of IPsec VPN connection establishment consists of the following phases:
• IKE Phase-1 (IKE security negotiation): negotiate how IKE should be protected.
• IKE Phase-2 (IPsec Security Association): negotiate how IPsec should be protected, and derive fresh keying material from the key exchange in phase-1 to provide session keys to be used in the encryption and authentication of the VPN data flow.
• Exchange data over the IPsec tunnel.
Both the IKE and the IPsec connections have limited lifetimes.
      }
    }
  }
  connection {
    ike-peer ipsec-policy ;
    local-ip-subnet ;
    remote-ip-subnet ;
    failure-retry-interval 1;
    is-out-of-band-ima
  }
Firewall Filters for the Cellular Interface When setting up IPsec VPN over a Cellular interface, the following firewall filters are recommended to be configured and applied to the cellular interface.
      }
      actions {
        action accept;
      }
    }
    rule 2 {
      match {
        ipsec {
          direction out;
          tunnel-src-address /32;
          tunnel-dst-address /32;
        }
      }
      actions {
        action accept;
      }
    }
    rule 10 {
      match {
        protocol all;
      }
      actions {
        action drop;
      }
    }
  }
VPN configuration involves the following high level steps:
1. Configure an IKE policy specifying an authentication method, cipher suites to be included in the proposal during IKE phase-1 and the credentials to be used for authentication e.g. |
admin@(none) 20:38:44% set services vpn enabled true
5. Create an IKE policy with auth-method "public-key encryption".
admin@(none) 19:33:29% set services vpn ike policies policy IKE-POLICY-1 auth-method pub-key
6. Configure Public Key Infrastructure (PKI) security credentials:
a. Certificate type as "rsa" if RSA public key encryption based certificates are being used.
b. Client certificate ID. This is the ID that was assigned to the client certificate obtained via SCEP or loaded manually.
c.
admin@(none) 20:38:44% exit
[ok][2013-01-18 20:40:45]
admin@(none) 20:38:44>
Monitoring Ensure the CLI is in operational mode. Follow the example below to view the VPN connection state (connecting, connected or disconnected). The failure-reason displays the reason for the last connection failure.
DNS Understanding Domain Name System (DNS) servers can be configured on the unit to facilitate the resolution of domain names to IP addresses. NOTE: Manual configuration of DNS overrides any DNS settings obtained via DHCP. Configuring The following example shows how to configure a DNS server with IP address 192.168.1.2 on the MCR. Note that the “search” option can take a list of arguments and in this example, there are two arguments; mds and gemds. admin@(none) 00:31:02% set system dns server 192.168.1.
DHCP Service Understanding The unit can be configured to act as a DHCP server. When enabled, this service will respond to DHCP requests from any interface. Configuring The following shows an example of configuring DHCP service on the unit. The unit will administer IPv4 addresses from the 192.168.x.x network when requests are received from DHCP clients. NOTE: At least one of the unit’s interfaces (eth0 or br0 if eth0 is bridged) must be configured with an IP address from this subnet.
Terminal Service Understanding The unit allows the setup of the COM ports as a terminal server that passes data to/from the serial port to network interfaces. The serial port must be configured to do this, in addition to the baud rate and data format. The data from the serial port is treated as a seamless stream; meaning it is not protocol aware and will send data from the serial port to the remote endpoint as soon as the data is received.
Monitoring Ensure the CLI is in operational mode. Follow the example below to view the state and statistics:
admin@(none) 22:03:06> show services serial
SERIAL   SERIAL TX   SERIAL TX   SERIAL RX   SERIAL RX   IP TX     IP TX   IP RX     IP RX
PORT     PACKETS     BYTES       PACKETS     BYTES       PACKETS   BYTES   PACKETS   BYTES
--------------------------------------------------------------------------------------------
COM2     0           0           0           0           0         0       0         0
[ok][2013-01-24 22:03:13]
Iperf Service Understanding The iperf service allows the unit to receive TCP traffic from a remote host running iperf. Currently, the iperf service is hardcoded to act only as a TCP server listening on port 5001. Because this listener is unauthenticated, enable it only for the duration of a throughput test and do not leave port 5001 open on the cellular interface afterwards. Configuring The following shows how to enable the iperf service:
admin@(none) 22:04:32% set services iperf enabled true
admin@(none) 22:04:32% commit
NOTE: If the firewall is enabled, then it must be configured to permit incoming TCP traffic on port 5001. Monitoring Ensure the CLI is in operational mode.
Date, time and NTP Understanding The date and time can be set on the MCR using a manually configured value or automatically via Network Time Protocol (NTP). The NTP settings take precedence over the manual settings. If NTP is enabled, then the user will not be able to set the date and time manually.
Geographical-location The geographical-location of the unit can be configured as shown below:
admin@(none) 00:50:46% set system geographical-location altitude 1.0 latitude 43.117807 longitude -77.611896
[ok][2012-06-19 00:56:00]
[edit]
admin@(none) 00:56:00% commit
Commit complete.
[ok][2012-06-19 00:56:05]
[edit]
admin@(none)
User Management and Access Controls Understanding There are three user accounts/roles (admin, technician, and operator) for management access. Users in the admin group have the highest privilege and can read everything in the tree that is readable, write everything that is writable, and can execute any of the requests. Users in the tech group have less access than admin. Generally, the tech group cannot configure any security related configuration.
priority notice
event-type console_login
status message success "user_name oper, "
logging event-log 62627
time-stamp 2011-12-21T01:23:00.288046+00:00
priority notice
event-type console_login
status message failure "msg noauth, user_name admin, "
[ok][2011-12-21 01:23:03]
admin@(none) 01:23:03>
Login-Lockout Understanding The unit has protections against repeated login attempts. The max-login-attempts configuration determines the number of failed logins that can occur in succession before the unit disables the ability to login for a specified amount of time. The amount of time is determined by failed-login-lockout-time, which represents the time in seconds.
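The console_login events shown in the event log above are the raw material for checking that max-login-attempts and failed-login-lockout-time are doing their job. The following added example (not GE MDS code) parses a constructed event log written with the same fields as the manual's example, one event per line, counts failures per user, and replays the lockout policy as the manual describes it: a run of max-login-attempts consecutive failures disables logins for failed-login-lockout-time seconds, and a successful login resets the run. The log lines, the threshold of 3 attempts and the 60-second lockout are assumptions of this example, as is the choice to treat a lockout as global rather than per user, which the manual does not specify.

```python
"""Parse MCR-4G console_login events and replay the max-login-attempts /
failed-login-lockout-time policy over them. Added example, not GE MDS code.
The log lines are constructed in the manual's field layout (one event per
line); the thresholds and the global (not per-user) lockout are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample: three admin failures, one for an unknown user, one
# later success for oper. Sequence numbers and times are invented.
LOG = """\
logging event-log 62620 time-stamp 2011-12-21T01:20:00.100000+00:00 priority notice event-type console_login status message failure "msg noauth, user_name admin, "
logging event-log 62621 time-stamp 2011-12-21T01:20:05.100000+00:00 priority notice event-type console_login status message failure "msg noauth, user_name admin, "
logging event-log 62622 time-stamp 2011-12-21T01:20:09.100000+00:00 priority notice event-type console_login status message failure "msg noauth, user_name root, "
logging event-log 62623 time-stamp 2011-12-21T01:20:12.100000+00:00 priority notice event-type console_login status message failure "msg noauth, user_name admin, "
logging event-log 62627 time-stamp 2011-12-21T01:23:00.288046+00:00 priority notice event-type console_login status message success "user_name oper, "
"""

LINE = re.compile(
    r'event-log (?P<seq>\d+) time-stamp (?P<ts>\S+) priority (?P<prio>\w+) '
    r'event-type (?P<etype>\w+) status message (?P<status>\w+) "(?P<msg>[^"]*)"')


def parse(text):
    """Return one dict per parseable event, with seq as int, time as an
    aware datetime and user pulled out of the free-text message."""
    events = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["seq"] = int(e["seq"])
        e["time"] = datetime.fromisoformat(e["ts"])
        u = re.search(r"user_name (\w+)", e["msg"])
        e["user"] = u.group(1) if u else None
        events.append(e)
    return events


def failures_by_user(events):
    """Count failed console logins per attempted user name."""
    counts = {}
    for e in events:
        if e["etype"] == "console_login" and e["status"] == "failure":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


def replay_lockout(events, max_attempts=3, lockout_seconds=60):
    """Replay the policy: return [(seq, verdict)] where verdict is 'ok',
    'fail' or 'locked' (an attempt made while the unit should be refusing
    logins). Assumes a global counter and lockout window."""
    verdicts, fails, locked_until = [], 0, None
    for e in sorted(events, key=lambda x: x["time"]):
        if e["etype"] != "console_login":
            continue
        if locked_until is not None and e["time"] < locked_until:
            verdicts.append((e["seq"], "locked"))
            continue
        if e["status"] == "success":
            fails = 0
            verdicts.append((e["seq"], "ok"))
        else:
            fails += 1
            verdicts.append((e["seq"], "fail"))
            if fails >= max_attempts:
                locked_until = e["time"] + timedelta(seconds=lockout_seconds)
                fails = 0
    return verdicts


if __name__ == "__main__":
    evs = parse(LOG)
    print(failures_by_user(evs))
    print(replay_lockout(evs))
```

On the sample the third consecutive failure (event 62622) triggers the lockout, so event 62623, an admin attempt twelve seconds later, is marked "locked": if a real log shows a failure or success inside that window, the unit's lockout is not configured the way the operator believes.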
RADIUS Understanding User accounts can be centrally managed with a RADIUS server. RADIUS accounts can be mapped to one of the three user roles. If the RADIUS server is not accessible, users may "fall back" to the local username/password if the unit is configured to allow this. Many RADIUS servers do not respond at all to a failed login attempt, and the unit cannot distinguish that silence from an unreachable server; with fall-back enabled, a login the RADIUS server silently rejected is therefore treated like a RADIUS outage and is checked against the local accounts instead.
File Servers Understanding External file servers can be preconfigured so that the configuration can easily be referenced in other services without the need to re-enter the information. File Server Configurations can be used for reprogramming, downloading certificates, and sending support bundles for debugging. Configuring The following shows how to add a file server configuration named “GE File Server 1”: admin@(none) 05:11:42% set file-servers GE_file_server_1tftp address 192.168.1.
Certificate Management Understanding The unit uses X.509 public certificates and private keys for the following services: · Secure Reprogramming · Syslog over TLS · IPsec VPN/IMA (when using pub-key, EAP-TLS or EAP-TTLS based authentication) · WiFi (when doing EAP-TLS authentication in station mode) Certificates can be loaded into the device using one of two methods: manual or SCEP. Note that certificates for secure reprogramming can only be loaded using the manual method.
When loading certificates manually, the file server from which the certificate will be retrieved must be provided.
admin@(none) 23:46:28> config Entering configuration mode private [ok][2012-06-22 23:46:35] [edit] admin@(none) 23:48:14% set pki certificate-servers certificate-server ex_scep_serv server-type scep scep-server-setting scep-uri 192.168.1.5:12345/certserv/mscep/mscep.dll scep-poll-interval 5 scep-retry-count 120 [ok][2012-06-22 23:49:52] [edit] admin@(none) 23:49:52% commit Commit complete.
admin@(none) 04:08:19% set pki cert-info certificate-info my_ca_serv
Possible completions:
  common-name-x509
  country-x509
  digest-algo - Digest Algorithm: default=md5?
  encrypt-algo - Encryption Algorithm: default=des_cbc?
  locale-x509
  org-unit-x509
  organization-x509
  pkcs9-email-x509
  state-x509
The list above was displayed by entering Space-Tab after entering a name for the new set of certificate info. The defaults shown for digest-algo (md5) and encrypt-algo (des_cbc) are legacy algorithms; set a SHA-2 digest and AES encryption explicitly where the CA supports them rather than accepting the defaults.
admin@(none) 00:27:14> request pki-scep-get-cacert cert-server-name ex_scep_serv ca-issuer-name ex_ca_serv
is-valid true
[ok][2012-06-23 00:27:47]
admin@(none) 00:27:47> show pki
KEY IDENTITY   KEY LENGTH   KEY DATE TIME
---------------------------------------
ex_key         2048         2012-06-20T10:46:59Z
ex_key_1       2048         2012-06-19T04:36:26Z

CACERT IDENTITY
---------------
ex_ca_server
ex_ca_server_ENC
ex_ca_server_SGN

Additional CA server files sent as part of the request and needed later are saved with the base name you selected f
Certificate Renewal with SCEP
At some point, the dates on your certificate will need to be renewed due to time or security policy. A client certificate can be renewed using the existing certificate with the same key as originally used when it was generated. An alternative is to provide a new key and identity for the certificate that is to be renewed and rekeyed. The same request is used to renew as for the original request, with a slight change in the parameters provided.
KEY IDENTITY   KEY LENGTH   KEY DATE TIME
---------------------------------------
ex_key         2048         2012-06-20T10:46:59Z
ex_key_1       2048         2012-06-19T04:36:26Z
ex_key_2       2048         2012-06-19T10:57:10Z
ex_key_3       2048         2012-06-24T09:09:49Z

CACERT IDENTITY
-----------------
pag_SGN
ex_ca_server
ex_ca_server_ENC
ex_ca_server_SGN

CERT IDENTITY
------------
ex_c_cert_2
tst3
tst4
[ok][2012-06-24 05:17:38]
admin@(none) 05:17:38>
Deleting security material
Obsolete security material in all categories can be deleted from the device with the
Ensure the CLI is in operational mode.
Event Logging
Understanding
An event is a notification that something meaningful occurred on the unit. Events contain information about the occurrence that may be useful for administrators. The event can be stored locally and/or transported to a remote server. Administrators can adjust which events are reported by the unit. The structure of the information about the event is described below (CEE).
NETCONF-notifications
The events generated by the unit are converted to NETCONF notifications.
Firmware Management
Understanding
The unit can have two firmware packages programmed into the device. The package that the device booted into is referred to as the Active Firmware. The other image is referred to as the Inactive Firmware. To reprogram the device, the Active Firmware streams the new firmware package from the network and writes the package into the Inactive Firmware location in memory. To use the new firmware package, the user must reboot the device to the Inactive Firmware.
system firmware versions 2
 version 1.0.0
 active false
 CERTIFICATE SIGNING INDEX   CERTIFICATE SHA256
 ------------------------------------------------------------------------------
 1                           3d9d795dcf374084de536986a29238ea7dc87104259619bc7aa4cfa3e2c64990
Requesting an update
admin@(none) 03:55:43> request system firmware reprogram-inactive-image filename iwc-bkrc-1_0_0.mpk manual-file-server { tftp { address 192.168.1.
Support Bundle
Understanding
The MCR incorporates a facility to generate a support package bundle that includes internal debug information, logs, etc. that can help GE MDS troubleshoot customer issues.
Configuring
The following example shows how to have the MCR generate and transfer a support package bundle (named debug-2013-01-24.tgz) to an FTP server running on a host (address 192.168.1.2) that is accessible from the MCR (e.g.
4.0 TECHNICAL REFERENCE
4.1 Troubleshooting
All units must meet the basic requirements listed below for proper operation. Check these items first when troubleshooting a system problem:
• Adequate and stable primary power
• Secure connections (antennas, data and power)
• A clear transmission path between associated units
• An efficient, properly installed antenna system
• Proper configuration of unit settings
• Correct interface between the unit and other equipment
4.1.
4.2 Specifications
GENERAL
Input Power: 10 to 60 Vdc, 15 W maximum
Temperature: -40°C to +70°C
Housing: Die-cast Aluminum
PHYSICAL
Size: 6.5” long (16.51 cm), 4.625” wide (11.75 cm), 1.5” high (3.81 cm)
Weight: 2 lbs (without mounting hardware)
ENVIRONMENTAL
Ethernet Port(s): RJ-45 10/100
Serial Port(s): RJ-45, supporting RS-232/RS-485
LAN Protocols: 802.3 (Ethernet) 802.
Bridging: (see Ethernet Bridging)
Byte: A string of digital data usually made up of eight data bits and start, stop and parity bits.
CLI: Command Line Interface. A method of user control where commands are entered as character strings to set configuration and operating parameters.
CTS: Clear to Send
Decibel (dB): A measure computed from the ratio between two signal levels. Frequently used to express the gain (or loss) of a system.
Data Circuit-terminating Equipment: See DCE.
PLC (Programmable Logic Controller): A dedicated microprocessor configured for a specific application with discrete inputs and outputs. It can serve as a host or as an RTU.
PPM: Parts per Million
Programmable Logic Controller: See PLC.
Remote Terminal Unit: See RTU.
RTS: Request-to-send
RTU: Remote Terminal Unit. A data collection device installed at a Remote unit site.
RX: Abbreviation for “Receive.”
Signal-to-Noise Ratio: See SNR.
5.0 APPENDIX A – DATA CONFIGURATION TREE
Initial Firmware version
The following is a hierarchical view of the data configuration tree for the unit. It is a composition of all YANG files used by the unit.
| +--ro in-broadcast-pkts? yang:counter64
| +--ro in-multicast-pkts? yang:counter64
| +--ro in-discards? yang:counter32
| +--ro in-errors? yang:counter32
| +--ro in-unknown-protos? yang:counter32
| +--ro out-octets? yang:counter64
| +--ro out-unicast-pkts? yang:counter64
| +--ro out-br

+--ro mdsif:neighbors
| +--ro mdsif:ip? inet:ip-address-no-zone
| +--ro mdsif:phys-address? yang:phys-address
| +--ro mdsif:state? enumeration
+--rw mds_wifi:wifi-config?
| +--rw mds_wifi:mode enumeration
| +--rw mds_wifi:tx-power? uint32
| +--rw mds_wifi:station-config?
| | +--rw mds_wifi

| | +--ro mds_wifi:ap-status
| | +--ro mds_wifi:ap [ssid]
| | +--ro mds_wifi:ssid ssid
| | +--ro mds_wifi:client [mac]
| | +--ro mds_wifi:mac string
| | +--ro mds_wifi:rssi? int8
| | +--ro mds_wifi:authenticated? boolean
| | +--ro mds_wifi:authorized? boolean
| | +--ro mds_wifi:inactive?

| | | +--rw mds_bridge:ssid leafref
| | | +--rw mds_bridge:port-priority? uint32
| | | +--rw mds_bridge:port-path-cost? uint32
| | +--rw mds_bridge:wifi-station
| | +--rw mds_bridge:interface? if:interface-ref
| | +--rw mds_bridge:port-priority? uint32
| | +--rw mds_bridge:port-path-cost?

| | | | +--ro mds_nx:tx_dropped? uint32
| | | | +--ro mds_nx:rx_unavailable? uint32
| | | | +--ro mds_nx:tx_unavailable? uint32
| | | | +--ro mds_nx:resource_failures? uint32
| | | | +--ro mds_nx:init_failures? uint32
| | | | +--ro mds_nx:rx_bad_mtu? uint32
| | | | +--ro mds_nx:tx_bad_mtu? uint32
| | | +--ro mds_nx:nicsvcs_stats
| | | +--ro mds_nx:nic_tx_dropped? uint32
| | | +--ro mds_nx:data_tx_dropped? uint32
| | | +--ro mds_nx:mgmt_rx_dropped? uint32
| | | +--ro mds_nx:data_rx_dropped? uint32
| | | +--r

| | +--rw signal-period? uint32
| | +--rw signal-duration? uint32
| +--ro event-log [id]
| | +--ro id int64
| | +--ro time-stamp? yang:date-and-time
| | +--ro priority? priority-enumeration
| | +--ro event-type? string
| | +--ro status? string
| | +--ro message? string
| +--ro current-alarms [name]
| +--ro name string
| +--ro events* string
+--rw pki
| +--rw certificate-servers
| | +--rw certificate-server [cert-server-identity]
| | +--rw cert-server-identity string
| | +--rw server-type? cert-mgmt-type

| +--ro req-fp-md5? string
| +--ro req-fp-sha1? string
| +--ro req-fp-sha256? string
| +--ro req-fp-sha512? string
+--rw system
| +--rw contact? string
| +--rw name? string
| +--rw location? string
| +--ro platform
| | +--ro os-name? string
| | +--ro os-release? string
| | +--ro os-version? string
| | +--ro machine? string
| | +--ro nodename? string
| +--rw clock
| | +--ro current-datetime? yang:date-and-time
| | +--ro boot-datetime? yang:date-and-time
| | +--rw (timezone)?
| | | +--:(timezone-location)

+--ro mdssys:serial-number-core? uint32
+--ro mdssys:serial-number-platform? uint32
+--ro mdssys:product-configuration? string
+--ro mdssys:guid? string
+--rw mdssys:pre-login-banner? string
+--rw mdssys:authentication
| +--rw mdssys:max-login-attempts? uint32
| +--rw mdssys:failed-login-lockout-time? uint32
| +--rw mdssys:user-authentication-order* identityref
| +--rw mdssys:password-options
| +--

| | +--ro mdssys:support-transfer-status
| | +--ro mdssys:state? enumeration
| | +--ro mdssys:detailed-message? string
| | +--ro mdssys:size? uint32
| | +--ro mdssys:bytes-transfered? uint32
| | +--ro mdssys:percent-complete? uint32
| +--rw mdssys:power
| +--rw mdssys:configuration-files
| +--rw mdssys:recovery
| | +--ro mdssys:snapshots
| | | +--ro mdssys:identifier string
| | | +--ro mdssys:description? string
| | | +--ro mdssys:date? string
| | | +--ro mdssys:version? string
| | | +--ro mdssys:hash? stri

| +--ro source? enumeration
+--rw services
| +--ro services-status [name]
| | +--ro name string
| | +--ro status? enumeration
| +--rw dhcp:dhcp
| | +--ro dhcp:leases [ip]
| | | +--ro dhcp:ip inet:ip-address
| | | +--ro dhcp:starts? yang:date-and-time
| | | +--ro dhcp:ends? yang:date-and-time
| | | +--ro dhcp:binding-state? enumeration
| | | +--ro dhcp:client-mac? yang:mac-address
| | | +--ro dhcp:hostname? string
| | +--rw dhcp:enabled? boolean
| | +--rw dhcp:default-lease-time? uint32
| | +--rw dhcp:min-le

| | | | +--rw serial:idle-timeout? uint32
| | | +--rw serial:tcp-client?
| | | +--rw serial:remote
| | | | +--rw serial:address inet:ip-address
| | | | +--rw serial:port? inet:port-number
| | | +--rw serial:idle-timeout? uint32
| | +--:(modbus-tcp)
| | | +--rw serial:modbus-tcp?
| | | +--rw serial:mode enumeration
| | | +--rw serial:port? inet:port-number
| | | +--rw serial:idle-timeout? uint32

| | | +--:(address-range)
| | | | +--rw fire:address-range
| | | | +--rw fire:from inet:ip-address
| | | | +--rw fire:to? inet:ip-address
| | | +--rw fire:dst-port?
| | | | +--rw (type)?
| | | | +--:(services)
| | | | | +--rw fire:services* service
| | | | +--:(port-range)
| | | | +--rw fire:port-range [from]
| | | | +--rw fire:from uint16
| | | | +--rw fire:to? uint16
| | | +--rw fire:ipsec?

| +--rw snmp:ipv6-bind-ips* leafref
| +--rw snmp:port? inet:port-number
| +--rw (engine-id-method)?
| | +--:(from-ip)
| | | +--rw snmp:from-ip? leafref
| | +--:(from-mac-address)
| | +--rw snmp:from-mac-address? empty
| +--rw snmp:max-message-size? int32
+--rw ssh:ssh
| +--rw ssh:enabled? boolean
| +--rw ssh:port? inet:port-number
| +--rw ssh:ipv4-bind-ips* leafref
| +--rw ssh:ipv6-bind-ips* le

| | +--rw vpn:fqdn? string
| | +--:(user-fqdn)
| | | +--rw vpn:user-fqdn? string
| | +--:(dn)
| | +--rw vpn:dn? string
| +--rw vpn:peer-endpoint
| | +--rw (ike-endpoint-type)
| | +--:(any)
| | | +--rw vpn:any?
| | +--:(address)
| | | +--rw vpn:address? inet:ip-address
| | +--:(fqdn)

| | +--ro vpn:failure-reason? string
| | +--ro vpn:last-timestamp? yang:date-and-time
| | +--ro vpn:ima-evaluation? string
| | +--ro vpn:ima-recommendation? string
| +--rw web:web
| +--rw web:http
| | +--rw web:enabled? boolean
| | +--rw web:port? inet:port-number
| | +--rw web:ipv4-bind-ips* leafref
| | +--rw web:ipv6-bind-ips* leafref
| +--rw web:https
| +--rw web:enabled? boolean
| +--rw web:port? inet:port-number
| +--rw web:ipv4-bind-ips* leafref
| +--rw web:ipv6-bind-ips* leafref
| +--rw web:tls-certi
6.0 APPENDIX B – COMMAND LINE INTERFACE (CLI) FEATURES
Operational Mode
Operational Mode is the initial mode that the CLI is in right after logging in. Users can view operational and configuration data but cannot change configuration data. The prompt will show a “>” character when it is in operational mode.
Configuration Mode
Configuration mode is entered when the user types “configure” after logging in. Configuration Mode can be exited by typing “exit”, which brings the user back to Operational Mode.
rollback - Roll back database to last committed version
run      - Run an operational-mode command
set      - Set a parameter
show     - Show a parameter
status   - Display users currently editing the configuration
tag      - Manipulate statement tags
top      - Exit to top level and optionally run command
up       - Exit one level of configuration
validate - Validate current configuration
admin@(none) 01:05:03%
When the tab key is pressed after a typed command, the CLI will show the user all the possible options that are pertinent
display-level 99999999;
history 100;
idle-timeout 1800;
ignore-leading-space false;
output {
    file terminal;
}
paginate true;
prompt1 \u@\h\M \t> ;
prompt2 \u@\h\M \t% ;
screen {
    length 24;
    width 80;
}
show {
    defaults false;
}
terminal linux;
[ok][2012-06-19 17:19:12]
admin@(none) 17:19:12>
The different values control different parts of the CLI behavior.
idle-timeout ()          Maximum idle time before being logged out. Use 0 (zero) for infinity.
paginate (true | false)  Some commands paginate their output. This can be disabled or enabled. It is enabled by default.
screen width ()          Current width of terminal. This is used when paginating output to get the proper line count.
screen length ()         Current length of terminal. This is used when paginating output to get the proper line count.
terminal (string)        Terminal type.
[ok][2007-08-31 13:49:44]
Count: 99 lines
admin@io 13:49:44> show configuration interfaces | count
[ok][2007-08-31 13:50:12]
Count: 90 lines
admin@io 13:50:12>
Search for a String in the Output
The match target is used to only include lines matching a regular expression.
For example:
admin@(none) 00:24:37> show interfaces | find tx | until compressed
status counters tx_aborted_errors 0
status counters tx_bytes 250246
status counters tx_carrier_errors 0
status counters tx_compressed 0
[ok][2012-06-19 00:24:43]
admin@(none) 00:24:43>
Regular expressions
The regular expressions are a subset of the regular expressions found in egrep and in the AWK programming language. Some common operators are:
.          Matches any character.
^          Matches the beginning of a line.
$          Matches the end of a line.
[abc...]   Matches any one of the listed characters.
[^abc...]  Matches any character that is not listed.
r1 | r2    Matches either r1 or r2.
r1r2       Matches r1 followed by r2.
r+         Matches one or more occurrences of r.
r*         Matches zero or more occurrences of r.
r?         Matches zero or one occurrence of r.
(r)        Grouping; matches r.
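The output filters described above (count, match, find and until), as an added illustration in Python that is not part of the manual or of the device's own CLI. The sample "show interfaces" text is constructed, and the filter semantics (find starts at the first matching line, until stops after and includes the first matching line) are assumed from the example shown above.

```python
import re

# Constructed fragment of "show interfaces" counter output, modelled on the manual's
# example; only the four tx_* lines quoted in the manual are taken from it.
SHOW_INTERFACES = """\
status counters rx_bytes 310182
status counters rx_errors 0
status counters rx_compressed 0
status counters tx_aborted_errors 0
status counters tx_bytes 250246
status counters tx_carrier_errors 0
status counters tx_compressed 0
status counters tx_dropped 0
status counters tx_errors 0
"""


def cli_count(lines):
    """'| count': replace the output with a single line giving the line count."""
    return [f"Count: {len(lines)} lines"]


def cli_match(lines, regex):
    """'| match <re>': keep only lines containing a match for the expression."""
    pat = re.compile(regex)
    return [ln for ln in lines if pat.search(ln)]


def cli_find(lines, regex):
    """'| find <re>': start the output at the first line matching the expression."""
    pat = re.compile(regex)
    for i, ln in enumerate(lines):
        if pat.search(ln):
            return lines[i:]
    return []


def cli_until(lines, regex):
    """'| until <re>': stop after the first matching line (that line is kept,
    as 'tx_compressed' is kept in the manual's find/until example)."""
    pat = re.compile(regex)
    for i, ln in enumerate(lines):
        if pat.search(ln):
            return lines[: i + 1]
    return lines


FILTERS = {"count": cli_count, "match": cli_match, "find": cli_find, "until": cli_until}


def run_pipeline(output, pipeline):
    """Apply a filter chain such as 'find tx | until compressed' to the text of a
    show command, left to right, and return the surviving lines.  Stages are split
    on ' | ' (pipe with surrounding spaces) so an alternation like 'rx|tx' inside
    a regular expression is left intact."""
    lines = output.splitlines()
    for stage in re.split(r"\s+\|\s+", pipeline.strip()):
        name, _, arg = stage.partition(" ")
        if name not in FILTERS:
            raise ValueError(f"unknown filter: {name}")
        if name == "count":
            lines = cli_count(lines)
        else:
            if not arg.strip():
                raise ValueError(f"filter {name} needs a regular expression")
            lines = FILTERS[name](lines, arg.strip())
    return lines


if __name__ == "__main__":
    for ln in run_pipeline(SHOW_INTERFACES, "find tx | until compressed"):
        print(ln)
```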
7: uid 1019;
8: gid 1013;
Showing information
Control Sequences
The default key strokes for editing the command line and moving around the command history are as follows.
ping quit request set set-path show ssh top traceroute up
delete edit exit help insert move quit rename request resolved revert rollback run set show status tag top up validate
Operational mode commands
commit (abort | confirm) [persist-id ]
Abort or confirm a pending confirming commit. A pending confirming commit will also be aborted if the CLI session is terminated without doing commit confirm (default is confirm).
script
To be supplied.
set [environment]
See section “CLI Environment”.
set-path
Set relative show path.
show [path]
Display CLI properties.
show configuration
The “show” command can be used to view information. Notice the information displayed is different, depending on which mode the CLI is in. Showing operational data when the CLI is in operational mode:
admin@(none) 01:25:01> show system
system platform os-name Linux
system platform os-release 3.0.
name "Device #42";
serial-number-core 42;
serial-number-platform 42;
pre-login-banner "";
[ok][2012-06-19 01:24:31]
admin@(none) 01:24:31>
Showing configuration data when the CLI is in configuration mode:
admin@(none) 01:25:36% show system
name "Device #42";
serial-number-core 42;
serial-number-platform 42;
pre-login-banner "";
[ok][2012-06-19 01:25:43]
[edit]
admin@(none) 01:25:43%
Normally, only those values explicitly set by the user will be displayed.
.....
.....
ssh        Open a secure shell on another host
top        Exit to top level and optionally run command
traceroute Trace the route to a remote host
up         Exit one level of configuration
Configure mode commands
annotate
Associate an annotation with a given configuration statement. To remove an annotation leave the text empty.
configuration that was active before the commit confirmed command was issued. If no timeout is given then the confirming commit will have a timeout of 10 minutes. The configuration session will be terminated after this command since no further editing is possible. Only available in configure exclusive and configure shared mode. The confirming commit will be rolled back if the CLI session is terminated before confirming the commit, unless the persist argument is given.
configuration-mode
Exit from configuration mode regardless of mode.
help
Shows help text for command.
revert
If changes have been made, but have not yet been committed, then those changes can be committed, reverted, or ignored by quitting the configuration mode of the CLI. Reverting the changes can be done using the “revert” command.
rollback []
Return the configuration to a previously committed configuration. The system stores a limited number of old configurations.
7.0 APPENDIX C – INTEGRITY MEASUREMENT AUTHORITY (IMA)
Understanding
The MCR supports the integrity measurement and attestation architecture as described by the Trusted Network Connect (TNC) specifications, jointly developed and published by the Trusted Computing Group (TCG) and the IETF NEA working group. The MCR establishes a secure IPsec VPN connection with the VPN gateway via mutual authentication based on certificates or pre-shared secrets.
admin@(none) 21:51:32>
admin@(none) 19:33:29% set services vpn ipsec connections connection IMA-CONN-1 periodic-retry-interval 60
The “periodic-retry-interval” applies only to the IPsec connection designated as an “out-of-band” IMA connection. The MCR attempts attestation every “periodic-retry-interval” if the previous attempt to connect with the IMA server was unsuccessful. In the case of an out-of-band IMA server setup, the MCR needs to be configured with an IMA IPsec connection and a VPN-GWY IPsec connection.
hash e60429aa127cb2f23e10ae00b6c1553fa9d1f598b2a206926ad0dcdf9a758622eec77ad559b32f85ceea9013a961041f
[ok][2013-01-18 22:10:15]
This hash can then be loaded into the IMA database.
Monitoring
The current attestation status of the IMA connection is displayed using the same command as is used to display regular VPN data connection status. The example below shows that the IMA connection succeeded but the IMA Evaluation was “non-compliant” and the IMA recommendation was “Quarantined”.
APPENDIX D – Common Event Expression (CEE)
Events will be categorized using a taxonomy based on the Common Event Expression (CEE) event profile (1). These events will be encoded using JavaScript Object Notation (JSON), and placed into the standard message body of a syslog message.
From the CEE website: Common Event Expression (CEE™) improves the audit process and the ability of users to effectively interpret and analyze event log and audit data.
With the exception of ‘subject’, the Core Profile defines valid values for each of these categories; some examples of the values include “access, copy, clone, encrypt” for action values, and “error, failure, ongoing, success” for status values. All taxonomy fields are optional; however, if given, they must contain exactly one non-null value.
Event Field Dictionary
The Core Profile defines a selection of common fields that may be used in event logs.
A valid CEE JSON Event Record used with a “legacy” Syslog transport:
<0>Dec 20 12:42:20 syslog-relay process[35]: @cee: {"crit":123,"id":"abc","appname":"application","pname":"auth","pid":123,"host":"system.example.com","pri":10,"time":"2011-12-20T12:38:05.
syslog MSG
For events of type audit, the msg is vendor specific, whereas events of type alert must be in a specified format which contains a GUID, level and message. Using the CEE approach, all of the requested information would be present in all messages.
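How a collector would pull the CEE record out of the legacy syslog transport described above and apply the Core Profile taxonomy rule (optional fields, but exactly one non-null value when present), as an added Python example that is not part of the manual or of any GE MDS software. The sample lines are constructed after the record shown above, and the full list of taxonomy category names is assumed from the CEE Core Profile; the manual itself names only action, status and subject.

```python
import json
import re
from typing import Optional

# Taxonomy categories of the CEE Core Profile (assumed list; the manual names only
# 'subject', 'action' and 'status' explicitly).
TAXONOMY_FIELDS = ("action", "domain", "object", "service", "status", "subject", "tags")

# <PRI>, then the free-form legacy syslog header, then the "@cee:" cookie and JSON body.
_CEE_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<header>.*?)@cee:\s*(?P<body>\{.*\})\s*$")

# Constructed sample lines, modelled on the record shown in the manual (not real device logs).
SAMPLE_LINES = [
    # Well-formed record; taxonomy values are examples quoted in the manual.
    '<0>Dec 20 12:42:20 syslog-relay process[35]: @cee: {"crit":123,"id":"abc",'
    '"appname":"application","pname":"auth","pid":123,"host":"system.example.com",'
    '"pri":10,"time":"2011-12-20T12:38:05.000Z","action":"access","status":"failure"}',
    # 'status' carries two values, which the Core Profile forbids.
    '<13>Dec 20 12:42:21 syslog-relay process[35]: @cee: '
    '{"id":"def","action":"encrypt","status":["ongoing","success"]}',
    # 'subject' present but null: also invalid.
    '<13>Dec 20 12:42:22 syslog-relay process[35]: @cee: {"id":"ghi","subject":null}',
    # Ordinary syslog line without the CEE cookie; the parser ignores it.
    '<13>Dec 20 12:42:23 syslog-relay process[35]: link up on eth0',
]


def parse_cee_syslog(line: str) -> Optional[dict]:
    """Split a legacy-transport syslog line into PRI (facility/severity), header and
    the decoded CEE event.  Returns None when there is no @cee: cookie or the body
    is not a JSON object, so non-CEE lines can be routed elsewhere."""
    m = _CEE_LINE.match(line)
    if not m:
        return None
    try:
        event = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "header": m.group("header").strip(),
        "event": event,
    }


def taxonomy_problems(event: dict) -> list:
    """Apply the Core Profile rule quoted in the manual: every taxonomy field is
    optional, but a field that is present must hold exactly one non-null value."""
    problems = []
    for field in TAXONOMY_FIELDS:
        if field not in event:
            continue
        value = event[field]
        if isinstance(value, list):
            # A one-element list is tolerated; anything else is not "exactly one" value.
            if len(value) != 1 or value[0] in (None, ""):
                problems.append(f"{field}: must contain exactly one non-null value")
        elif value is None or value == "":
            problems.append(f"{field}: present but null or empty")
        elif not isinstance(value, str):
            problems.append(f"{field}: expected a string, got {type(value).__name__}")
    return problems


def triage(lines) -> tuple:
    """Parse a batch of syslog lines; return (number of CEE records, {event id: problems})
    so a collector can count what it accepted and see which records violate the profile."""
    report = {}
    accepted = 0
    for line in lines:
        rec = parse_cee_syslog(line)
        if rec is None:
            continue
        accepted += 1
        report[rec["event"].get("id")] = taxonomy_problems(rec["event"])
    return accepted, report


if __name__ == "__main__":
    count, findings = triage(SAMPLE_LINES)
    print(f"{count} CEE records parsed")
    for event_id, issues in findings.items():
        print(event_id, "OK" if not issues else "; ".join(issues))
```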
APPENDIX E – Configuring Firmware Management
The GE MDS code signing tool (CST) is a command line program that can be run on Windows or Linux. Running the CST and passing the “--help” argument will print the following usage info:
pkgsigner --help
GEMDS Firmware Packaging Signing Utility (pkgsigner) 06-6671A01 Rev. 0.3.
Signing a GE MDS firmware package is optional. Users may wish to sign a firmware package to ensure that only user-approved firmware package revisions from GE MDS can be loaded into a unit. An example of signing a firmware package is shown below:
./pkgsigner -v ge_pubcert.pem -k user_key.pem -P "mypass" -p user_pubcert.pem -f ge_signed_package.mpk -o user_signed_package.mpk
Processing file: 'ge_signed_package.
APPENDIX F – Obtaining Provisioned Cell Service (Verizon)
Understanding
The MDS Orbit MCR-4G requires a mini SIM card (2FF type) provisioned for 4G cell operation. The unit’s cellular interface will not function without a valid SIM card installed. GE MDS does not provide SIM cards. Service can be obtained by contacting Verizon and requesting a provisioned SIM card for the appropriate M2M service plan.
8.0 APPENDIX G – LICENSES
+++++++++++++SQLCipher++++++++++++++++++
Copyright (c) 2008-2012 Zetetic LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
works are solely in the form of machine-executable object code generated by a source language processor. THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
for use in the OpenSSL Toolkit (http://www.openssl.org/)” * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED.
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * 3.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The “Program”, below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language.
permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number.
NOTES 134 MDS Orbit MCR-4G Technical Manual MDS 05-6628A01, Rev.
IN CASE OF DIFFICULTY...
GE MDS products are designed for long life and trouble-free operation. However, this equipment, as with all electronic equipment, may have an occasional component failure. The following information will assist you in the event that servicing becomes necessary.
TECHNICAL ASSISTANCE
Technical assistance for GE MDS products is available from our Technical Support Department during business hours (8:30 A.M.–6:00 P.M. Eastern Time).
GE MDS, LLC
175 Science Parkway
Rochester, NY 14620
Telephone: +1 585 242-9600
FAX: +1 585 242-9620
www.gemds.