New features specific to self-hosted ThingPark Enterprise
Built-in NTP service RDTP-6881
Starting release 7.0, the NTP server embedded in self-hosted TPE may be used by the base stations for time synchronization purposes.
More details
In High Availability (HA) mode, the 3 nodes of the TPE cluster are synchronized over the same reference clock.
Key customer benefits
This feature is particularly interesting for self-hosted TPE deployments with limited (or no) internet access.
Thanks to this feature, all base stations remain time-synchronized with the common TPE reference clock, removing the need to deploy a local NTP server when base stations do not have access to internet.
Feature activation
To activate base station time synchronization through the TPE-embedded NTP server, the base station configuration should be updated to point to the TPE's public IP address.
This configuration is supported by SUPLOG GUI:
In High Availability mode, NTP server should be configured with the IP address of the load balancer, or virtual/floating IP address when available.
Feature limitations
The time reference provided by the built-in NTP server may not be very precise if the TPE server does not have internet access. However, even if this reference clock drifts, all base stations shall remain synchronized with the same reference clock, which guarantees a common time source for the entire radio access network.
Secure base station to core network backhaul through TLS RDTP-16577
Prior to release 7.0, only IPSec tunneling is supported between base stations and self-hosted ThingPark Enterprise core network.
Starting release 7.0, self-hosted TPE supports TLS besides IPSec. Both options can coexist within the same platform, i.e. some base stations using TLS while others using IPSec.
More details
TLS is based on HA-PROXY component, terminating the TLS authentication and encryption flows.
Key customer benefits
This feature brings the following benefits to TPE network administrators:
-
Offer a secure alternative to IPSec, especially for deployment scenarii where firewall policies are not compatible with IPSec. TLS is also the recommended authentication/encryption mode for self-hosted TPE deployments over Kubernetes infrastructure.
-
Support low-cost FreeRTOS base station models (such as Browan's MiniHub or MiniHub-Pro, as well as ST-Nucleo boards), where TLS is the only security mode supported on BS-NS backhaul interface.
Feature activation
Upon scratch installation of a self-hosted TPE platform in release 7.0, or upgrade an existing platform to this release, TLS is ready to be used but is deactivated by default, since the generic self-hosted TPE BS images use IPSec mode by default.
To activate TLS for a given base station, the following configuration should be set in the BS image (LRR configuration):
-
On LRR side, a specific flag must be configured in lrr.ini:
[services]
tls=1
checkvpn2=0 -
IP address of all the remote servers (LRC, FTP upload/download, Support server) must be configured to localhost (or 127.0.0.1), with a distinct port assigned to each server. Example:
[download:0]
ftpaddr=127.0.0.1
ftpport=2434
[download:1]
ftpaddr=127.0.0.1
ftpport=2435
[support:0]
addr=127.0.0.1
port=2414
ftpaddr=127.0.0.1
ftpport=2424
[support:1]
addr=127.0.0.1
port=2415
ftpaddr=127.0.0.1
ftpport=2425
[laplrc:0]
addr=127.0.0.1
port=2404
[laplrc:1]
addr=127.0.0.1
port=2405
Please contact your System Integrator or Actility Support team to learn more about which BS models/images support TLS.
Additionally, TLS activation requires whitelisting the following ports, in case a proxy/firewall is setup between the base station and the TPE server:
- Port 3001: IEC104 over TLS
- Port 3002: SFTP over TLS
- Port 3003: Support (SSH) over TLS
Feature limitations
TLS activation in the Base Station LRR is currently not supported from SUPLOG GUI. It may either be directly configured in a custom BS image or configured remotely through Infrastructure Commissioning Service (ICS).