Spectracom SecureSync 1200 User Reference Manual

Download

Page 1

SecureSync

Time and Frequency

Synchronization System

User Reference Guide

Document Part No.: 1200-5000-0050

Revision: 23

Date: 2-Dec-2016

spectracom.com

Page 2

Page 3

The information in this document has been carefully reviewed and is believed to be accurate and up-to-date. Spectracom assumes no respons ibility for any errors or omissions that may be contained in this document, and makes no commitment to keep current the information in this manual, or to notify any person or organization of updates. This User Reference Guide is subject to change without notice. For the most current version of this doc umentation, please see our web site at spectracom.com.

Spectracom reserves the right to make changes to the product described in this document at any time and without notice. Any software that may be provided with the product described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements.

No part of this publication may be reproduced, stored in a retrieval sys tem, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the pur chaser's personal use without the written permission of Spectracom Corp.

Other products and companies referred to herein are trademarks or registered trademarks of their respective companies or mark holders.

Spectracom Corp., a Business of the Orolia Group

• 1565 Jefferson Road, Suite 460, Rochester, NY 14623 USA

• Room 208,No. 3 Zhong Guan Village South Road, Hai Dian District, Beijing 100081, China

• 3, Avenue du Canada, 91974 LesUlis Cedex, France

Questions or comments regarding this User Reference Guide?

è E-mail: techpubs@spectracom.com

Warranty Information

For a copy of Spectracom's Limited Warranty policy, see the Spectracom website: http://spectracom.com/support/warranty-information.

SecureSync User Reference Guide I

Page 4

Blank page.

II SecureSync User Reference Guide

Page 5

CHAPTER 1

Product Description

1.1 Getting Started

1.2 SecureSync Introduction

1.2.1 SecureSync's Inputs and Outputs

1.3 SecureSync Front Panel

1.3.1 Keypad and Information Display

1.3.1.1 Keypad Operation

1.3.1.2 Navigating the Information Display

1.3.2 Status LEDs

1.4 Unit Rear Panel

1.5 Option Cards

1.5.1 Option Cards Overview

1.5.2 Option Card Identification

1.5.2.1 Option Card Identification by ID/Part Number

1.5.3 Option Card Connectors

1.6 The SecureSync Web UI

1.6.1 The Web UI HOME Screen

1.6.2 The INTERFACES Menu

1.6.3 The Configuration MANAGEMENT Menu

1.6.4 The TOOLS Menu

2 2

4 4

7 8

10 13

17 18 19 20

CONTENTS

SecureSync User Reference Guide • TABLE OF CONTENTS

1.7 Specifications

1.7.1 Input Power

1.7.1.1 Fuses

1.7.2 GNSS Receiver

1.7.3 RS-232 Serial Port (Front Panel)

1.7.4 10/100 Ethernet Port

1.7.5 Protocols Supported

1.7.6 1PPS Output

1.7.7 10MHz Output

1.7.7.1 10 MHz output — Oscillator Phase Noise (dBc/Hz)

22 23 23 23 23 24

III

Page 6

1.7.8 Mechanical and Environmental Specifications

1.8 Regulatory Compliance

CHAPTER 2

SETUP

2.1 Overview

2.1.1 Main Installation Steps

2.2 Unpacking and Inventory

2.3 Required Tools and Parts for Installation

2.4 Required GNSS Antenna Components

2.5 SAFETY

2.5.1 Safety: Symbols Used

2.5.2 SAFETY: Before You Begin Installation

2.5.3 SAFETY: User Responsibilities

2.5.4 SAFETY: Other Tips

2.6 Mounting the Unit

2.6.1 Rack Mounting

2.6.2 Desktop Operation

2.7 Connecting Supply Power

2.7.1 Power Source Selection

2.7.2 Using AC Input Power

2.7.3 Using DC Input Power

31 32 32 33

33 33 35 36

36 37

38 38 38

2.8 Connecting the GNSS Input

2.9 Connecting Network Cables

2.10 Connecting Inputs and Outputs

2.11 Powering Up the Unit

2.12 Setting up an IP Address

2.12.1 Dynamic vs. Static IP Address

2.12.2 Assigning a Static IP Address

2.12.2.1 Assigning a New Static IP Address

2.12.2.2 Setting Up an IP Address via the Front Panel

2.12.2.3 Setting Up a Static IP Address via a DHCP Network

2.12.2.4 Setting Up an IP Address via the Serial Port

2.12.2.5 Setting up a Static IP Address via Ethernet Cable

SecureSync User Reference Guide • TABLE OF CONTENTS

40 41 42 42 43

44 45

45 47 49 50 51

Page 7

2.12.3 Subnet Mask Values

2.13 Accessing the WebUI

2.14 Configuring Network Settings

2.14.1 General Network Settings

2.14.2 Network Ports

2.14.3 Network Services

2.14.4 Static Routes

2.14.5 Access Rules

2.14.6 HTTPS

2.14.6.1 Accessing the HTTPS Setup Window

2.14.6.2 About HTTPS

2.14.6.3 Supported Certificate Format Types

2.14.6.4 Creating an HTTPS Certificate Request

2.14.6.5 Requesting an HTTPS Certificate

2.14.6.6 Uploading an X.509 PEM Certificate Text

2.14.6.7 Uploading an HTTPS Certificate File

2.14.7 SSH

2.14.8 SNMP

2.14.8.1 SNMP V1/V2c

2.14.8.2 SNMP V3

2.14.8.3 SNMP Traps

2.14.9 System Time Message

2.14.9.1 System Time Message Format

52 54

55 56 58 58 60 61

61 62 63 63 66 68 68

69 78

82 84 85

2.15 Configuring NTP

2.15.1 Checklist NTP Configuration

2.15.2 The NTP Setup Screen

2.15.3 Dis-/Enabling NTP

2.15.4 Viewing NTP Clients

2.15.5 Restoring the Default NTP Configuration

2.15.6 NTP Output Timescale

2.15.7 NTP Reference Configuration

2.15.7.1 The NTP Stratum Model

2.15.7.2 Configuring "NTP Stratum 1" Operation

2.15.7.3 Configuring "NTP Stratum Synchronization"

2.15.8 NTP Servers and Peers

2.15.8.1 The NTP Servers and NTP Peers Panels

SecureSync User Reference Guide • TABLE OF CONTENTS

90 90 93 94 95 95 97

97 97 98

101

Page 8

2.15.8.2 NTP Servers: Adding, Configuring, Removing

2.15.8.3 NTP Peers: Adding, Configuring, Removing

2.15.9 NTP Authentication

2.15.9.1 NTP Autokey

2.15.9.2 NTP: Symmetric Keys (MD5)

2.15.10 NTP Access Restrictions

2.15.11 Enabling/Disabling NTP Broadcasting

2.15.12 NTP over Anycast

2.15.12.1 Configuring NTP over Anycast (General Settings)

2.15.12.2 Configuring NTP over Anycast (OSPF IPv4)

2.15.12.3 Configuring NTP over Anycast (OSPF IPv6)

2.15.12.4 Configuring NTP over Anycast (BGP)

2.15.12.5 Configuring Anycast via NTP Expert Mode

2.15.12.6 Testing NTP over Anycast

2.15.13 NTP Orphan Mode

2.15.14 Host Disciplining

2.15.14.1 Enabling Host Disciplining

2.15.15 NTP Expert Mode

2.15.16 Spectracom Technical Support for NTP

102 104

106

106 112

114 116 117

118 119 120 121 122 125

125 126

127

127 130

2.16 Configuring Input References

2.17 Configuring Outputs

2.17.1 The Outputs Screen

2.17.2 The 1PPS and 10MHz Outputs

2.17.2.1 Configuring a 1PPS Output

2.17.2.2 Configuring the 10 MHz Output

2.17.3 Configuring Optional Outputs

2.17.4 Network Ports

2.17.5 Signature Control

2.17.5.1 Configuring Signature Control for an Output

CHAPTER 3

MANAGING TIME

3.1 The Time Management Screen

3.2 System Time

3.2.1 System Time

3.2.1.1 Configuring the System Time

3.2.1.2 Timescales

131 131

132 133

135 135

136 136 136

137

139

140 141

142

142 143

SecureSync User Reference Guide • TABLE OF CONTENTS

Page 9

3.2.1.3 Manually Setting the Time

3.2.1.4 Using Battery Backed Time on Startup

3.2.2 Timescale Offset(s)

3.2.2.1 Configuring a Timescale Offset

3.2.3 Leap Seconds

3.2.3.1 Reasons for a Leap Second Correction

3.2.3.2 Leap Second Alert Notification

3.2.3.3 Leap Second Correction Sequence

3.2.3.4 Configuring a Leap Second

3.2.4 Local Clock(s), DST

3.2.4.1 Setting Up a Local Clock

3.2.4.2 DST Examples

3.2.4.3 DST and UTC, GMT

144 146

148

149

149 150 150 151

152

152 154 155

3.3 Managing References

3.3.1 Input Reference Priorities

3.3.1.1 Configuring Input Reference Priorities

3.3.1.2 The "Local System" Reference

3.3.1.3 The "User/User" Reference

3.3.1.4 Reference Priorities: EXAMPLES

3.3.2 The GNSS Reference

3.3.2.1 Reviewing the GNSS Reference Status

3.3.2.2 Determining Your GNSS Receiver Model

3.3.2.3 Selecting a GNSS Receiver Mode

3.3.2.4 Setting GNSS Receiver Dynamics

3.3.2.5 Performing a GNSS Receiver Survey

3.3.2.6 Configuring a GNSS Receiver Offset

3.3.2.7 Resetting the GNSS Receiver

3.3.2.8 Deleting the GNSS Receiver Position

3.3.2.9 Manually Setting the GNSS Position

3.3.2.10 GNSS Constellations

3.3.2.11 A-GPS

3.4 Holdover Mode

3.5 Managing the Oscillator

3.5.1 Oscillator Types

3.5.2 Configuring the Oscillator

3.5.2.1 About the "Time Figure of Merit (TFOM)"

3.5.2.2 About the "Phase Error Limit"

155

157 160 161 163

166

167 170 172 174 176 178 179 180 181 184 188

190 194

195 196

196 197

SecureSync User Reference Guide • TABLE OF CONTENTS

VII

Page 10

3.5.2.3 Configuring the Oscillator

3.5.3 Monitoring the Oscillator

3.5.4 Oscillator Logs

197

198 201

3.6 Managing TimeKeeper

3.6.1 What is TimeKeeper?

3.6.1.1 What can TimeKeeper do for me?

3.6.1.2 Using TimeKeeper – First Steps

3.6.2 Has TimeKeeper been activated?

3.6.3 Configuring a TimeKeeper PTP Master

3.6.4 Configuring TimeKeeper PTP Slaves

3.6.5 Configuring TimeKeeper as an NTP Time Server

3.6.6 En-/Disabling TimeKeeper

3.6.7 Status Monitoring with TimeKeeper

3.6.7.1 Enabling Status Monitoring

3.6.7.2 TKL "Status" Tab

3.6.7.3 TKL "Timing Quality" Tab

3.6.7.4 TKL "Time Map" Tab

CHAPTER 4

SYSTEM ADMINISTRATION

4.1 Powering Up/Shutting Down

4.1.1 Powering Up the Unit

4.1.2 Shutting Down the Unit

4.1.3 Issuing the HALT Command Before Removing Power

4.1.4 Rebooting the System

201

202

202 202

203 204 206 209 210 211

211 212 212 213

215

216

216 217 217 218

VIII

4.2 Notifications

4.2.1 Configuring Notifications

4.2.2 Notification Event Types

4.2.2.1 Timing Tab: Events

4.2.2.2 GPS Tab: Events

4.2.2.3 System Tab: Events

4.2.3 Configuring GPS Notification Alarm Thresholds

4.2.4 Setting Up SNMP Notifications

4.2.5 Setting Up Email Notifications

4.3 Managing Users and Security

4.3.1 Managing User Accounts

SecureSync User Reference Guide • TABLE OF CONTENTS

219

220 222

222 222 223

223 224 225

227

Page 11

4.3.1.1 Types of Accounts

4.3.1.2 Rules for Usernames

4.3.1.3 Adding/Deleting/Changing User Accounts

4.3.2 "user" Account Permissions

4.3.2.1 Account Differences, General

4.3.2.2 Account Differences, by Menu

4.3.3 Configuring Password Policies

4.3.3.1 The Administrator Login Password

4.3.3.2 Resetting the Administrator Password When Forgotten/Lost

4.3.4 LDAP Authentication

4.3.5 RADIUS Authentication

4.3.6 TACACS+ Authentication

4.3.6.1 Adding/Deleting a TACACS+ Server

4.3.6.2 Enabling/Disabling TACACS+

4.3.7 HTTPS Security Levels

4.3.8 Unlocking the Keypad via Keypad

4.3.9 If a Secure Unit Becomes Inaccessible

227 227 228

230

230 231

232

232 233

236 242 247

247 248

249 251 251

4.4 Miscellanous Typical Configuration Tasks

4.4.1 Web UI Timeout

4.4.2 Configuring the Front Panel

4.4.3 Displaying Local Time

4.4.4 Creating a Login Banner

4.4.5 Show Clock

4.4.6 Product Registration

4.4.7 Synchronizing Network PCs

4.4.8 Selecting the UI Language

4.5 Quality Management

4.5.1 System Monitoring

4.5.1.1 Status Monitoring via Front Panel

4.5.1.2 Status Monitoring via the Web UI

4.5.1.3 Status Monitoring of Input References

4.5.1.4 Reference Monitoring

4.5.1.5 Ethernet Monitoring

4.5.1.6 Outputs Status Monitoring

4.5.1.7 Monitoring the Oscillator

4.5.1.8 Monitoring the Status of Option Cards

4.5.1.9 NTP Status Monitoring

251

251 252 256 256 257 258 258 258

259

259 259 262 264 265 266 269 272 274

SecureSync User Reference Guide • TABLE OF CONTENTS

Page 12

4.5.1.10 Temperature Management

4.5.2 Logs

4.5.2.1 Types of Logs

4.5.2.2 Local and Remote Logs

4.5.2.3 The Logs Screen

4.5.2.4 Displaying Individual Logs

4.5.2.5 Saving and Downloading Logs

4.5.2.6 Configuring Logs

4.5.2.7 Setting up a Remote Log Server

4.5.2.8 Restoring Log Configurations

4.5.2.9 Clearing All Logs

4.5.2.10 Clearing Selected Logs

281

287

288 292 292 294 295 297 299 301 301 302

4.6 Updates and Licenses

4.6.1 Software Updates

4.6.2 Applying a License File

4.7 Resetting the Unit to Factory Configuration

4.7.1 Resetting All Configurations to their Factory Defaults

4.7.2 Backing-up and Restoring Configuration Files

4.7.2.1 Accessing the System Configuration Screen

4.7.2.2 Saving the System Configuration Files

4.7.2.3 Uploading Configuration Files

4.7.2.4 Restoring the System Configuration

4.7.2.5 Restoring the Factory Defaults

4.7.3 Cleaning the Configuration Files and Halting the System

4.7.4 Default and Recommended Configurations

4.7.5 Sanitizing the Unit

4.7.5.1 Physically Removing the CF Card

4.7.5.2 Cleaning/Restoring

4.7.5.3 Removing other files from the CF Card

4.7.5.4 Further Reading

APPENDIX

302

302 304

305

306 306

307 308 309 310 311

311 311 312

313 313 314 314

Appendix

5.1 Troubleshooting

5.1.1 Troubleshooting Using the Status LEDs

5.1.2 Minor and Major Alarms

5.1.3 Troubleshooting: System Configuration

SecureSync User Reference Guide • TABLE OF CONTENTS

315

316

316 317 318

Page 13

5.1.3.1 System Troubleshooting: Browser Support

5.1.4 Troubleshooting – Unable to Open Web UI

5.1.5 Troubleshooting via Web UI Status Page

5.1.6 Troubleshooting GNSS Reception

5.1.7 Troubleshooting – Keypad Is Locked

5.1.8 Troubleshooting – 1PPS, 10 MHz Outputs

5.1.9 Troubleshooting – Blank Information Display

5.1.10 Troubleshooting the Front Panel Serial Port

5.1.11 Troubleshooting the Front Panel Cooling Fan

5.1.12 Troubleshooting – Network PCs Cannot Sync

5.1.13 Troubleshooting Software Update

319

319 320 322 323 323 324 325 326 326 327

5.2 Option Cards

5.2.1 Accessing Option Cards Settings via the WebUI

5.2.1.1 Web UI Navigation: Option Cards

5.2.1.2 Viewing Input/Output Configuration Settings

5.2.1.3 Configuring Option Card Inputs/Outputs

5.2.1.4 Viewing an Input/Output Signal State

5.2.1.5 Verifying the Validity of an Input Signal

5.2.2 Option Card Field Installation Instructions

5.2.2.1 Field Installation: Introduction

5.2.2.2 Outline of the Installation Procedure

5.2.2.3 Safety

5.2.2.4 [1]: Unpacking

5.2.2.5 [2]: Saving Refererence Priority Configuration

5.2.2.6 [3]: Determining the Installation Procedure

5.2.2.7 [4]: Bottom Slot Installation

5.2.2.8 [5]: Top Slot Installation, Bottom Slot Empty

5.2.2.9 [6]: Top Slot Installation, Bottom Slot Occupied

5.2.2.10 [7]: Frequency Output Cards: Wiring

5.2.2.11 [8]: Gb ETH Card Installation, Slot1 Empty

5.2.2.12 [9]: Gb ETH Card Installation, Slot1 Occupied

5.2.2.13 [10]: Alarm Relay Card, Cable Installation

5.2.2.14 [11]: Verifying HW Detection and SW Update

5.2.2.15 [12]: Restoring Reference Priority Configuration

5.2.3 Time and Frequency Option Cards

5.2.3.1 1PPS Out [1204-18, -19, -21, -2B]

5.2.3.2 1PPS In/Out [1204-28, -2A]

5.2.3.3 1PPS In/Out, 10MHz In [1204-01, -03]

328

328 329 330 331 332

333

333 334 334 335 335 336 337 338 340 342 343 345 346 347 349

349

349 354 360

SecureSync User Reference Guide • TABLE OF CONTENTS

Page 14

5.2.3.4 Frequency Out [1204-08, -1C, -26, -38]

5.2.3.5 Programmable Frequency Out [1204-13, -2F, -30]

5.2.3.6 Programmable Square Wave Out [1204-17]

5.2.3.7 Simulcast (CTCSS/Data Clock) [1204-14]

5.2.4 Telecom Option Cards

5.2.4.1 T1/E1 Out [1204-09, -0A]

5.2.5 Time Code Option Cards

5.2.5.1 IRIG Out [1204-15, -1E, -22]

5.2.5.2 IRIG In/Out [1204-05, -27]

5.2.5.3 STANAG Out [1204-11, -25]

5.2.5.4 STANAG In [1204-1D, -24]

5.2.5.5 HAVE QUICK Out [1204-10, -1B]

5.2.5.6 HAVE QUICK In/Out [1204-29]

5.2.5.7 ASCII Time Code In/Out [1204-02, -04]

5.2.6 Network Interface Option Cards

5.2.6.1 Gigabit Ethernet [1204-06]

5.2.6.2 PTP Grandmaster [1204-32]

5.2.7 Miscellaneous Option Cards

5.2.7.1 Alarm Relay Out [1204-0F]

5.2.7.2 Revertive Selector Card [1204-2E]

5.2.7.3 Event Broadcast [1204-23]

5.2.7.4 Bi-Directional Communication, RS-485 [1204-0B]

368 371 377 380

388

394

394 400 413 421 429 436 443

454

454 456

472

472 477 479 487

5.3 Command-Line Interface

5.3.1 Setting up a Terminal Emulator

5.3.2 CLICommands

5.4 ASCIITime Code Data Formats

5.4.1 NMEAGGA Message

5.4.2 NMEARMC Message

5.4.3 NMEAZDA Message

5.4.4 Spectracom Format 0

5.4.5 Spectracom Format 1

5.4.6 Spectracom Format 1S

5.4.7 Spectracom Format 2

5.4.8 Spectracom Format 3

5.4.9 Spectracom Format 4

5.4.10 Spectracom Format 7

5.4.11 Spectracom Format 8

490

491 492

497

497 498 498 499 500 502 503 505 507 508 510

XII

SecureSync User Reference Guide • TABLE OF CONTENTS

Page 15

5.4.12 Spectracom Format 9

5.4.12.1 Format 9S

5.4.13 Spectracom Epsilon Formats

5.4.13.1 Spectracom Epsilon TOD1

5.4.13.2 Spectracom Epsilon TOD3

5.4.14 BBC Message Formats

5.4.14.1 Format BBC-01

5.4.14.2 Format BBC-02

5.4.14.3 Format BBC-03 PSTN

5.4.14.4 Format BBC-04

5.4.14.5 Format BBC-05 (NMEA RMC Message)

5.4.15 GSSIP Message Format

5.4.16 EndRun Formats

5.4.16.1 EndRun Time Format

5.4.16.2 EndRunX (Extended) Time Format

511

512

513

513 514

515

515 516 517 519 520

520 521

521 522

5.5 IRIG Standards and Specifications

5.5.1 About the IRIG Output Resolution

5.5.2 IRIG Carrier Frequencies

5.5.3 IRIG B Output

5.5.3.1 FAA IRIG B Code Description

5.5.4 IRIG E Output

5.5.5 IRIG Output Accuracy Specifications

5.6 Technical Support

5.6.1 Regional Contact

5.7 Return Shipments

5.8 License Notices

5.8.1 NTPv4.2.6p5

5.8.2 OpenSSH

5.8.3 OpenSSL

5.9 List of Tables

5.10 List of Images

5.11 Document Revision History

523

523 524 528

531

535 539

540

541 541

541 546 549

553 555 557

INDEX

SecureSync User Reference Guide • TABLE OF CONTENTS

XIII

Page 16

BLANK PAGE.

XIV

SecureSync User Reference Guide • TABLE OF CONTENTS

Page 17

Product Description

The Chapter presents an overview of the SecureSync Time and Fre quency Synchronization System, its capabilities, main technical fea tures and specifications.

The following topics are included in this Chapter:

1.1 Getting Started 2

1.2 SecureSync Introduction 2

1.3 SecureSync Front Panel 3

1.4 Unit Rear Panel 7

1.5 Option Cards 8

1.6 The SecureSync Web UI 17

1.7 Specifications 21

1.8 Regulatory Compliance 27

CHAPTER 1

CHAPTER 1 • SecureSync User Reference Guide

Page 18

1.1 Getting Started

1.1 Getting Started

Welcome to the SecureSync User Reference Guide.

Where to start:

First-time users: "SecureSync Introduction" below.

Users with some knowledge of Time and Frequency Servers: "Overview" on page30.

If your unit is up and running and you want to change a setting: "MANAGING TIME" on page139, or "SYSTEM ADMINISTRATION" on page215.

1.2 SecureSync Introduction

SecureSync®is a security-hardened 1-rack unit network appliance designed to meet rigorous network security standards and best practices. It ensures accurate timing through multiple ref erences, tamper-proof management, and extensive logging. Robust network protocols are used to allow for easy but secure configuration. Features can be enabled or disabled based on your network policies. Installation is aided by DHCP (IPv4), AUTOCONF (IPv6), and a front-panel keypad and LCD display.

The unit supports multi- constellation GNSS input (SAASM GPS receivers, supporting L1/L2, available for authorized users and required for the US DoD are available), IRIG input and other input references. The unit is powered by AC on an IEC60320 connector. DC power as back-up to AC power, or as the primary input power source, is also available.

SecureSync combines Spectracom’s precision master clock technology and secure network-cent ric approach with a compact modular hardware design to bring you a powerful time and fre quency reference system at the lowest cost of ownership. Military and commercial applications alike will benefit from its extreme reliability, security, and flexibility for synchronizing critical operations.

An important advantage of SecureSync is its unique rugged and flexible modular chassis that can be configured for your specific needs. Built-in time and frequency functions are extended with up to six input/output modules.

You can choose from a variety of configurable option cards, each with an assortment of input/output timing signal types and quantity, including additional 1PPS, 10 MHz, timecode (IRIG, ASCII, HAVE QUICK), other frequencies (5MHz, 2.048MHz, 1.544MHz, 1MHz), Pre cision Timing Protocol (PTP) input/output, multi-Gigabit Ethernet (10/100/1000Base-T),

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 19

telecom T1/E1 data rates and multi-network NTP, allowing SecureSync to be customized for your exact requirements.

A variety of internal oscillators is available, depending on your requirements for holdover cap ability and phase noise.

Note: Some of the features described are not available on all SecureSync vari

ants.

1.2.1 SecureSync's Inputs and Outputs

SecureSync provides multiple outputs for use in networked devices and other synchronized devices. A 1-Pulse-Per-Second (1PPS) output acts as a precise metronome, counting off seconds of System Time in the selected timescale (such as UTC, TAI or GPS). A 10MHz frequency ref erence provides a precise, disciplined signal for control systems and transmitters.

SecureSync's outputs are driven by its inputs – most notably, Global Navigation Satellite Sys tem (GNSS), or IRIG signal generators and other available input references. GNSS-equipped SecureSyncs can track up to 72 GNSS satellites simultaneously and synchronize to the satellite’s atomic clocks. This enables SecureSync-equipped computer networks to synchronize anywhere on the planet.

1.3 SecureSync Front Panel

1.3 SecureSync Front Panel

The front panel of a SecureSync unit consists of:

three separate illuminated status LEDs

a front panel control keypad

an LED time display

an LCD information display

an RS-232 serial interface

and a temperature controlled cooling fan.

The LCD information display is configurable using the SecureSync Web browser user interface (also referred to as the “Web UI”) or the front panel controls. Display options include status or position information, time, date, DOY (Day of Year), GNSS information, as well as network set tings and SAASM key status (available with the SAASM GPS receiver option only). The RS-232 serial interface and the front panel controls provide a means of configuring the unit’s network settings and perform other functions.

SecureSync units with the SAASM GPS receiver option module installed also have an encryp tion key fill connector and key zeroize switch on the left-hand side of the front panel.

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 20

1.3 SecureSync Front Panel

Figure 1-1: Front panel layout

1.3.1 Keypad and Information Display

To simplify operation and to allow local access to SecureSync, a keypad and LCD information display are provided on the front panel of the unit.

Among other things, the keypad and information display can be used to carry out basic net work configuration tasks, such as en-/disabling DHCP, or entering an IP address and subnet mask.

Note: Should the keypad be locked, see "Troubleshooting – Keypad Is Locked"

on page323.

1.3.1.1 Keypad Operation

The functions of the six keys are:

tu arrow keys: Navigate to a menu option (will be highlighted)

pq arrow keys: Scroll through parameter values in edit displays

ü ENTER key: Select a menu option, or load a parameter when editing

Ò BACK key: Return to previous display or abort an edit process

1.3.1.2 Navigating the Information Display

After power initialization, press any key to go to the “Home” display. As shown in the illus tration "Keypad menu tree" on the facing page, several status and setup displays are

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 21

1.3 SecureSync Front Panel

accessible from the main “Home” menu. To navigate through the menus, use the arrow keys to highlight a selection and then press the ENTER button.

The main menu options and their primary functions are as follows:

Display: Used to configure the information display

Clock:Displaying and setting of the current date and time

System:Displaying version info, system halt and reboot, reset spadmin password

Netv4:Network interface configuration

Lock: Locks the front panel keypad to prevent inadvertent operation.

Menu Tree

The front panel keypad and 4-line information display allow you to access the following func tions:

Figure 1-2: Keypad menu tree

To modify a parameter, highlight the menu option and press the ENTER button. The “O” data is the current old setting and the “N” data is the new setting. You can only change the “N” setting in all menus. Use the UP and DOWN arrow keys to scroll through all possible parameter val ues.

When editing a sequence of numbers, use the LEFT and RIGHT arrow keys to select other digits. When the parameter is correct, press ENTER to load the new value. You will be asked to con firm the setting change. Press ENTER to accept or BACK to cancel the parameter change. All entered values are stored in memory and restored after a power cycle.

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 22

LED Label Activity/Color Description

POWER

Off Both AC, and DC input power are disconnected.

OR: The unit's AC input switch is turned OFF, and DC input is not present.

On/solid

green

AC and/or DC Power are supplied; the unit detects all power inputs.

Red

The unit is configured for two power inputs, but detects only one power input. OR:Detects a power configuration error.

Green

& blinking

orange

1/sec.

Power Error — general power configuration fault.

SYNC

Red

Time Sync Alarm:

1) The unit has powered up, but has not yet achieved syn chronization with its inputs.

2) The unit was synchronized to its selected input references, but has since lost all available inputs (or the inputs were declared invalid) and the Holdover period has since expired.

Solid

green

The unit has valid time and 1PPS reference inputs present and is syn chronized to its reference.

Orange

The unit is in Holdover Mode: It was synchronized to its selected input references, but has since lost all available inputs (or the inputs are not declared valid).The time and frequency outputs will remain useable until the Holdover period expires.

1.3 SecureSync Front Panel

1.3.2 Status LEDs

Three Status LEDs (see "Front panel layout" on page4), located on the unit's front panel, indic ate SecureSync's current operating status:

POWER: Green, always on while power is applied to the unit

SYNC: Tri-color LED indicates the time data accuracy

FAULT: Two-color, three-state LED, indicating if any alarms are present.

At power up, the unit automatically performs a brief LED test run during which all three LEDs are temporarily lit.

Table 1-1:

Front panel status indications

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 23

LED Label Activity/Color Description

FAULT

Off No alarm conditions are currently active.

Blinking

orange

A GNSS antenna alarm has been asserted and is currently active. A short or open circuit has been detected in the GNSS antenna cable. The light will automatically turn off once the alarm condition clears. To troubleshoot this condition, see

"Troubleshooting via Web

UI Status Page" on page320

Solid

orange

A Minor Alarm condition (other than an antenna problem alarm) has been asserted and is currently active. To troubleshoot this condition, see

"Minor and Major Alarms"

on page317

Red

A Major Alarm condition has been asserted and is currently active. To troubleshoot this condition, see

"Minor and Major Alarms"

on page317

1.4 Unit Rear Panel

1.4 Unit Rear Panel

The SecureSync rear panel accommodates the connectors for all input and output references.

Optional AC connection for the power input

Optional DC power connector

Ethernet and USB connections

1PPS output

10 MHzoutput

Six bays for option cards

One optional antenna connector.

Figure 1-3: Standard rear panel

Typically, option cards will be installed at the factory. Should you purchase an extra option card at a later point, you will need to populate the next vacant slot, observing the numerical

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 24

LED State Meaning

Orange

On Off

LAN Activity detected No LAN traffic detected

Green

On Off

LAN Link established, 10 or 100 Mbps No link established

1.5 Option Cards

order shown above. However, not all cards can be installed in all slots. Your local Spectracom Sales Office will gladly assist you with the optimal option cards selection for your application.

The DC Power port connector is only installed if your unit was ordered with a DC input power option. Other optional input/output connectors depend on the installed option cards.

Note: DC input power does not have an ON/OFF switch.

The ACPower connector is the input for the ACpower and provides an ACpower ON/OFF switch. This connector assembly is only installed if SecureSync was ordered with AC input power option.

The Ethernet connector provides an interface to the network for NTP synchronization and to obtain access to the SecureSync product Web UI for system management. It has two small indicator lamps, “Good Link” (green LED), and “Activity” (orange LED). The “Good Link” light indicates a connection to the network is present. The “Activity” light will illu minate when network traffic is detected.

Table 1-2:

Ethernet status indicator lights

The USB connector is reserved for future expansion.

The 1PPS BNC connector offers a once-per-second square-wave output signal. The 1PPS signal can be configured to have either its rising or falling edge to coincide with the sys tem’s on-time point.

The 10 MHz BNC connector provides a 10 MHz sine-wave output signal.

The optional ANTENNA connector is a type “N” connector for the GNSS input from your GNSS antenna via a coax cable. This connector will only be present if the stand ard GNSS receiver, or the optional SAASM GPS receiver module are installed.

1.5 Option Cards

Option Cards are circuit boards that can be installed into a SecureSync unit in order to add

input and output functionality. Installation is normally done in the factory when the unit is built.

In many cases, however, Option Cards can also be added later by the customer (see "Option Card Field Installation Instructions" on page333).

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 25

Note: NEVER install an option card from the back of the unit, ALWAYS from the

top. It is therefore necessary to remove the top cover of the main chassis (hous ing).

Input and outputs can be categorized by:

Communication direction:

Input

Output

Signal type:

Frequency: 1/5/10/[programmable]MHz

Wave form (square, sinus)

1PPS

TTS

1.5 Option Cards

CTCSS

Signal protocol:

ASCII time code

IRIG

STANAG

Have Quick

E1/T1 data

Telecom timing, etc.

Ethernet (NTP, PTP)

Time code I/O

Alarm out, etc.

Functionality:

Signal transmission

Networking card (incl. NTP, PTP)

Time code I/O

Alarm output

Special functionality e.g., revertive selector, bidirectional communication

Connector type:

BNC

DB-9/25

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 26

Function Name used in Web UI Illustration ID* Inputs Outputs Conn.'s

Time and Frequency Cards

Quad 1PPS out (TTL)

1PPS Out BNC

0 1PPS, TTL (4x) BNC

(4x)

Quad 1PPS out (10 V)

1PPS Out 10V

0 1PPS, 10 V (4x) BNC

(4x)

1.5 Option Cards

Terminal block

RJ-12/45

SFP

ST fiber optic

To visually identify an option card installed in your unit, or to obtain an overview which option cards are available for SecureSync, see "Option Cards Overview" below.

To obtain detailed information on a specific option card, using its ID number, see "Option Card Identification" on page13.

To locate option card topics in this manual by their heading or functionality, see "Option Cards" on page328. This Chapter also includes information on field installation and Web UI functionality.

To visually identify a connector type, see "Option Card Connectors" on page16.

1.5.1 Option Cards Overview

The table below lists all SecureSync option cards available at the time of publication of this doc ument, sorted by their function.

The table column (see table below) Name used in WebUI ["Web User Interface"] refers to the names under which the cards installed in a SecureSync unit are listed in the INTERFACES >

OPTION CARDS drop-down menu.

The main purpose of the table below is to assist with the identification of the card(s), and to list its key input/output specifications.

Detailed information on every card can be found in the APPENDIX. To quickly access the APPENDIX topic for your option card(s), you may use the hyperlinks in table "Option cards lis ted by their ID number" on page14.

Note: * Every option card has a unique 2-digit ID number that can be found on its

cover plate, and in the center column of the table below. The complete Spec tracom Part Number for option cards is 1204-xx (e.g., 1204-18).

Table 1-3:

Option cards overview

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 27

Function Name used in Web UI Illustration ID* Inputs Outputs Conn.'s

Quad 1PPS out (RS-485)

1PPS Out, RS-485

0 1PPS, RS-485

(4x)

Terminal block, 10-pin

Quad 1PPS out (fiber optic)

1PPS Out, Fiber

0 1PPS, F/O (4x) ST Fiber

optic (4x)

1in/3out 1PPS (TTL [BNC])

1PPS/Frequency RS485

1PPS (1x)

1PPS (3x) BNC

(4x)

1in/2out 1PPS/freq (fiber optic)

1PPS In/Out, Fiber

1PPS (1x)

1PPS (2) ST Fiber

optic (3x)

5MHz out 5MHz Out

0 5MHz (3x) BNC

(3x)

10 MHz out 10 MHz Out

0 10 MHz (3x) BNC

(3x)

10 MHz out 10 MHz Out

0 10 MHz (3x) TNC

(3x)

1MHz out 1MHz Out

0 1MHz (3x) BNC

(3x)

Progr. frequ. out (Sine Wave)

Prog Freq Out, Sine

0 progr. clock,

sine (4x)

BNC (4x)

Progr. frequ out (TTL)

Prog Freq Out, TTL

0 progr. clock,

TTL/sq. (4x)

BNC (4x)

Prog frequ out (RS-485)

Prog Freq Out, RS-485

0 progr. clock, RS-

485 (4x)

Terminal block, 10-pin

Square Wave out

Square Wave Out, BNC

0 square wave, TTL

(4x)

BNC (4x)

1PPS in/out + frequ. in

1PPS/Frequency BNC

Var. frequ. + 1PPS

1PPS (TTL) BNC

(3x)

1PPS in/out + frequ. in

1PPS/Frequency RS485

10 MHz + 1PPS

1PPS Terminal

block, 10-pin

CTCSS, Data Sync/Clock

Simulcast

0 data clock,

CTCSS frequ., 1PPS, 1alarm (3x)

RJ-12 & DB-9

Telecom Timing Cards

1.5 Option Cards

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 28

Function Name used in Web UI Illustration ID* Inputs Outputs Conn.'s

E1/T1 data, 75Ω

E1/T1 Out BNC

0 1.544/2.048

MHz (1x) unbal. E1/T1 (2x)

BNC (3x)

E1/T1 data, 100/120Ω

E1/T1 Out Terminal

0 1.544/2.048

MHz (1x) unbal. E1/T1 (2x)

Terminal block, 10-pin

Time Code Cards

ASCII Time Code RS-232

ASCII Timecode RS232

1 RS-232 (1x) DB-9

(2x)

ASCII Time Code RS-485

ASCII Timecode RS485

1 1 Terminal

block, 10-pin

IRIG BNC IRIG In/Out BNC

1 2 BNC

(3x)

IRIG Fiber Optic

IRIG In/Out, Fiber

1 2 ST Fiber

optic (3x)

IRIG out, BNC IRIGOut BNC

0 4 BNC

(4x)

IRIG out, fiber optic

IRIG Out, Fiber

0 4 ST Fiber

optic (4x)

IRIG out, RS485

IRIGOut, RS-485

0 4 Terminal

block, 10-pin

STANAG input STANAG In

2x 1x DB-25

(1x)

STANAG in, isol.

STANAG In, Isolated

2x 1x DB-25

(1x)

STANAG out STANAG Out

0 2x STANAG, 1x

1PPS

DB-25 (1x)

STANAG out, isol.

STANAG Out, Isolated

0 2x STANAG, 1x

1PPS

DB-25 (1x)

HAVE QUICK out BNC

HAVE QUICK Out, BNC

0 4 (TTL) BNC

(4x)

HAVE QUICK out RS-485

HAVE QUICK Out, RS485

0 4 Terminal

block, 10-pin

HAVE QUICK HAVE QUICK

1 3 BNC

(4x)

1.5 Option Cards

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 29

Function Name used in Web UI Illustration ID* Inputs Outputs Conn.'s

Networking Cards

Gigabit Eth ernet

Gb Ethernet

(3, OR output)

(3, OR input) RJ-45

(3x)

1Gb PTP: Master only

Gb PTP

0 1PPS (1x BNC),

SFP (1x)

BNC (1x), SFP (1x)

Communication and Specialty Cards

Event in, Broad cast out

Event Broadcast

BNC: Event trigger

DB-9: Event broadcast

DB-9 + BNC (1x each)

Revertive Selector ("Fail over")

n/a

Frequ. or 1 PPS: (2x)

Frequ. or 1PPS (1x)

BNC (3x)

Alarm Relay Out

Relay Output

0 Relay Out (3x) Terminal

block, 10-pin

Bidir. Com munication

RS-485 Comm

Yes Yes Terminal

block, 10-pin

1.5 Option Cards

1.5.2 Option Card Identification

There are several ways to identify which option card(s) are installed in your SecureSync unit:

Using the Web UI, navigate to the INTERFACES > OPTION CARDS drop-down menu, and compare the list displayed in your UI with the table "Option cards overview" on page10.

1.5.2.1 Option Card Identification by ID/Part Number

If you have physical access to your SecureSync unit, inspect its rear panel, and compare the 2-digit ID number printed in the lower left-hand corner on each option card with the table below.

If you are looking for information specific to a particular option card, the table below can help you find this information in this User Reference Guide.

Note: * Every option card has a 2-digit identification (ID) number that can be

found in the corner of its cover plate, and in the table below. The ID number is

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 30

Card

ID*

Card Name Name in UI See ...

01 1PPS/freq input (TTL levels) mod

ule

1PPS/Frequency BNC

"1PPS In/Out, 10MHz In [1204-01, 03]" on page360

02 ASCII Time Code module (RS-

232)

ASCII Timecode RS-232

"ASCII Time Code In/Out [1204-02, 04]" on page443

03 1PPS/freq input (RS-485 levels)

module

1PPS/Frequency RS-485

"1PPS In/Out, 10MHz In [1204-01, 03]" on page360

04 ASCII Time Code module (RS-

485)

ASCIITimecode RS-485

"ASCII Time Code In/Out [1204-02, 04]" on page443

05 IRIG module, BNC (1 input, 2

outputs)

IRIG In/Out BNC

" IRIG In/Out [1204-05, -27]" on page400

06 Gigabit Ethernet module (3 ports) Gb Ethernet

"Gigabit Ethernet [1204-06]" on page454

08 5 MHz output module (3 outputs) 5 MHz Out

"Frequency Out [1204-08, -1C, -26, 38]" on page368

09 T1-1.544 (75 Ω) or E1-2.048 (75

Ω) module

E1/T1 Out BNC

"T1/E1 Out [1204-09, -0A]" on page388

0A T1-1.544 (100 Ω) or E1-2.048

(120 Ω) module

E1/T1 Out Ter minal

"T1/E1 Out [1204-09, -0A]" on page388

0B Bidirectional Communication

module

RS-485 Comm

"Bi-Directional Communication, RS-485 [1204-0B]" on page487

0F Alarm module Relay Output

"Alarm Relay Out [1204-0F]" on page472

10 HaveQuick output module (TTL) HAVE QUICK

Out, BNC

"HAVE QUICK Out [1204-10, -1B]" on page429

11 STANAG output module STANAG Out

"STANAG Out [1204-11, -25]" on page413

1.5 Option Cards

comprised of the two center digits of your option card's Spectracom Part Num ber: 1204-0180-0600.

Figure 1-4: Option Card ID number

The table lists all option cards available at the publication date of this documentation, sorted

by their ID number. Locate the option card ID number on its cover plate, and follow the cor

responding hyperlink in the right-hand column.

Table 1-4:

Option cards listed by their ID number

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 31

Card

ID*

Card Name Name in UI See ...

13 Programmable Frequency Out

put module (Sine Wave)

Prog Freq Out, Sine

"Programmable Frequency Out [120413, -2F, -30]" on page371

14 CTCSS, Data Sync/Clock mod

ule ("Simulcast")

Simulcast

"Simulcast (CTCSS/Data Clock) [120414]" on page380

15 IRIG module, BNC (4 outputs) IRIG Out BNC

"IRIG Out [1204-15, -1E, -22]" on page394

17 Square Wave (TTL) output mod

ule

Sq Wv Out, BNC

"Programmable Square Wave Out [1204-17]" on page377

18 Quad 1 PPS output module (TTL) 1PPS Out BNC

"1PPS Out [1204-18, -19, -21, -2B]" on page349

19 Quad 1 PPS output module (10V)1PPS Out 10V

"1PPS Out [1204-18, -19, -21, -2B]" on page349

1B HaveQuick output module (RS-

485)

HAVEQUICK Out, RS-485

"HAVE QUICK Out [1204-10, -1B]" on page429

1C 10 MHz output module (3 out

puts)

10 MHz Out

"Frequency Out [1204-08, -1C, -26, 38]" on page368

1D STANAG input module STANAG In

"STANAG In [1204-1D, -24]" on page421

1E IRIG module, Fiber Optic (4 out

puts)

IRIGOut, Fiber

"IRIG Out [1204-15, -1E, -22]" on page394

21 Quad 1 PPS output module (RS-

485 [terminal block])

1PPS Out, RS485

"1PPS Out [1204-18, -19, -21, -2B]" on page349

22 IRIG module, RS-485 (4 outputs) IRIG Out, RS-

485

"IRIG Out [1204-15, -1E, -22]" on page394

23 Event Broadcast module Event Broadcast

"Event Broadcast [1204-23]" on page479

24 STANAG isolated input module STANAG In, Isol

ated

"STANAG In [1204-1D, -24]" on page421

25 STANAG isolated output module STANAG Out,

Isolated

"STANAG Out [1204-11, -25]" on page413

26 1 MHz output module (3 outputs) 1MHz Out

"Frequency Out [1204-08, -1C, -26, 38]" on page368

27 IRIG module, Fiber Optic (1

input, 1 outputs)

IRIG In/Out, Fiber

" IRIG In/Out [1204-05, -27]" on page400

28 1-in/3-out 1 PPS module (TTL

[BNC])

1PPS/Frequency RS-485

"1PPS In/Out [1204-28, -2A]" on page354

29 1-in/3-out HaveQuick module

(TTL [BNC])

HAVEQUICK

"HAVE QUICK In/Out [1204-29]" on page436

1.5 Option Cards

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 32

Card

ID*

Card Name Name in UI See ...

2A 1-in/3-out 1 PPS module (Fiber

Optic)

1PPS In/Out, Fiber

"1PPS In/Out [1204-28, -2A]" on page354

2B Quad 1 PPS output module

(Fiber Optic)

1PPS Out, Fiber

"1PPS Out [1204-18, -19, -21, -2B]" on page349

2F Programmable Frequency Out

put module (TTL)

Prog Freq Out, TTL

"Programmable Frequency Out [120413, -2F, -30]" on page371

2E Revertive Selector module ("Fail

over")

n/a

"Revertive Selector Card [1204-2E]" on page477

30 Programmable Frequency Out

put module (RS-485)

Prog Freq Out, RS-485

"Programmable Frequency Out [120413, -2F, -30]" on page371

32 1Gb PTP module Gb PTP

"PTP Grandmaster [1204-32]" on page456

38 10 MHz output module (3 x TNC

outputs)

10 MHz Out

"Frequency Out [1204-08, -1C, -26, 38]" on page368

Connector Illustration Electr. Signals Timing signals

BNC Differential TTL xV,

sine wave, programm. square wave, AM sine wave, DCLS

1PPS, frequency, IRIG, HAVE QUICK, PTP

ST Fiber Optic AM sine wave,

DCLS

IRIG, 1PPS

Terminal Block [Recommended mating connector: Phoenix Contact, part no. 1827787]

RS-485 1PPS,frequency,

ASCIItime code, IRIG,HAVEQUICK, Alarm, T1/E1

DB-9 RS-232,

RS-485

ASCIItime code, GPS NMEA, data clocks, CTCSS frequency, 1PPS, Alarm signal

DB-25 Differential TTL xV,

RS-485

STANAG

1.5 Option Cards

1.5.3 Option Card Connectors

The table below lists the connector types used in SecureSync option cards.

Table 1-5:

Option card connectors

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 33

Connector Illustration Electr. Signals Timing signals

RJ-12 RS-485 data clock,

CTCSS frequency, 1PPS, Alarm

RJ-45 Gb-Ethernet PTP timing signal

SFP Ethernet PTP

1.6 The SecureSync Web UI

SecureSync has an integrated web user interface (referred to as "WebUI" throughout this doc umentation) that can be accessed from a computer over a network connection, using a standard web browser. The WebUI is used to configure the unit, and for status monitoring during every day operation.

1.6 The SecureSync Web UI

Note: An integrated Command-Line Interpreter interface (CLI) allows the use of a

subset of commands that are integrated into the Web UI.

The minimum browser requirements for the Web UI are: Internet Explorer®9 or higher, Firefox®, or Chrome

Note: Should it ever be necessary, you can restore SecureSync's configuration to

the factory settings at any time. See "Resetting the Unit to Factory Configuration"

on page305.

1.6.1 The Web UI HOME Screen

Note: Screens displayed in this manual are for illustrative purposes. Actual

screens may vary depending upon the configuration of your product.

The HOME screen of the SecureSync web user interface ("Web UI") provides comprehensive status information at a glance, including:

vital system information

current status of the references

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 34

1.6 The SecureSync Web UI

key performance/accuracy data

major log events.

The HOMEscreen can be accessed from anywhere in the Web UI, using the HOMEbutton in the Primary Navigation Bar:

The Primary Navigation Bar provides access to all menus:

HOME: Return to the HOME screen (see above)

INTERFACES: Access the configuration pages for …

… references (e.g., GPS, NTP)

… outputs (e.g. 10 MHz, PPS, NTP) and

… installed option cards (e.g., GPS, PPS).

MANAGEMENT: Access the NETWORK setup screens, and OTHER setup screens e.g., to

configure Reference Priorities, System Time, and the Oscillator.

TOOLS: Opens a drop-down menu for access to the system maintenance screens and sys

tem logs.

HELP/MONITORING: Opens a drop-down menu for access to system help and inform

ation on how to contact Spectracom for further help. (If the optional TimeKeeper license is installed, this button will open the TimeKeeper Monitoring menu. See also "Status Mon itoring with TimeKeeper" on page211.)

1.6.2 The INTERFACES Menu

The INTERFACES menu on the Main screen provides access to SecureSync's:

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 35

External REFERENCES e.g., the GNSS reference input

Detected OUTPUTS, such as 10 MHz and 1PPS

Installed OPTION CARDS.

1.6 The SecureSync Web UI

Clicking on any of the line items will open a status screen, providing real-time information on the selected interface e.g., availability, performance data and events history.

To configure settings for the selected interface, click the GEAR icons or buttons provided on most of the status screens. Icons like the INFO symbol provide access to more detailed status information and history data.

Note: Many of the interfaces can be accessed through different menu items e.g.,

an optional output will be available under the OPTION CARDS menu and the OUTPUTS menu.

The headings of each of the INTERFACES drop-down menus (white on orange) open overview status screens for the respective menu items.

1.6.3 The Configuration MANAGEMENT Menu

The MANAGEMENT menu on the Web UI's Main screen provides access to SecureSync's con figuration screens and settings:

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 36

1.6 The SecureSync Web UI

On the left side, under NETWORK, the following standard setup screens can be found:

Network Setup

General Setup

HTTPS Setup

SSH Setup

SNMP Setup

NTP Setup

PeerD Setup.

Under OTHER, you can access non-network related screens:

Authentication: Manage user accounts, Security Policy, LDAP Setup, RADIUS setup,

Reference Priority: Define the order of priority for timing inputs.

Notifications: Configure the notifications triggered by SecureSync’s events. A noti

fication can be a combination of a mask alarm and/or SNMP Trap and/or email.

Time Management: Manage the Local Clock, UTC Offset, DST Definition and Leap

Second information.

Front Panel: Configure the appearance of the SecureSync front panel display and

keypad.

Log Configuration: Manage the system logs.

Disciplining: Manage oscillator disciplining.

Change My Password: Configure the admin password.

1.6.4 The TOOLS Menu

The TOOLS menu on the Web UI's Main screen provides access to:

System and network monitoring screens

Log screens

Miscellaneous system administration screens.

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 37

1.7 Specifications

The specifications listed below apply to the SecureSync standard model, i.e. not including any option cards, and are based on “normal” operation, with SecureSync synchronized to valid Time and 1PPS input references (in the case of GNSS input, this is with the GNSS receiver oper ating in Stationary mode).

Specifications for the available option cards are provided in their corresponding topics;see "Option Cards Overview" on page10.

1.7 Specifications

1.7.1 Input Power

AC power source:

100 to 240 VAC, 50/60 Hz, ±10 % and

100-120 VAC400 Hz, ±10% via an IEC 60320 connector (power cord included)

DC input (option):

12-17 VDC-15%, +20%, or

21-60 VDC-15%, +20%, secure locking device

Maximum power draw:

TCXO/OCXO oscillator installed: 40 W normal (50 W start-up)

Rubidium (Rb) oscillator installed: 50 W normal (80 W start-up)

Low-Phase Noise (LPN) Rubidium oscillator installed: 52 W normal (85 W start-up)

1.7.1.1 Fuses

Type: T 2A L 250V Model:

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 38

1.7 Specifications

Spectracom recommends: LITTELFUSE 0213002.MXP

[Spectracom part number: F010R-0002-000 E FUSE,2A,SB,IECSURGE,GLASS]

Number: 2 (two) per unit

SecureSync label on rear panel of unit:

"AC POWER/F 2A T 250V (2)"

LEGEND:

F = Fuse

2A = Current Rating: 2 Ampères

T = Speed: Time Delay (Slow-Blow)

L = Breaking Capacity: Low (Glass)

250V = Voltage Rating

(2) = Fuses used: 2 (two)

Caution: Before testing fuses, remove ACpower by disconnecting the AC power

cord.

Note: In the event that the unit does not power up with AC power, these fuses

should be tested.

1.7.2 GNSS Receiver

Compatible signals:

GPS L1 C/A Code transmissions at 1575.42 MHz

GLONASS L10F transmissions centered at 1602.0 MHz

QZSS L1-SAIF (1575.42 MHz)

BeiDou B1 (center frequency 1561.098 MHz)

Galileo-ready E1B/C (firmware upgrade required)

Satellites tracked: Up to 72 simultaneously Update rate: up to 2Hz (concurrent) Acquisition time: Typically <27seconds from cold start Antenna requirements: Active antenna module, +5V, powered by SecureSync, 16dB gain min

imum

Antenna connector: Type N, female

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 39

1.7.3 RS-232 Serial Port (Front Panel)

Function: Accepts commands to locally configure the IP network parameters via CLI for initial

unit configuration.

Connector: DB9F, pin assignments conform to EIA/TIA-574, data communication equipment Character structure: ASCII, 9600 baud, 1 start, 8 data, 1 stop, no parity

1.7.4 10/100 Ethernet Port

Function : 10/100 Base- T, auto- sensing LAN connection for NTP/SNTP and remote man

agement and configuration, monitoring, diagnostics and upgrade

Connector: RJ-45, Network IEEE 802.3

1.7.5 Protocols Supported

NTP : NTP Version4 (Installed: Version 4.2.8p8). Provides MD5, Stratum1 through 15 (RFC

5905). Note that NTP Autokey is currently not supported, for more information, see

http://bugs.ntp.org/show_bug.cgi?id=3005.

NTP throughput: ETH0: 7000-7200 NTP requests per second; ETH1-ETH3 (1204-006-0600

GigabitEthernet option card 1-3): 8800-9000 NTP requests per second. For additional inform ation, please contact Spectracom.

Clients supported: The number of users supported depends on the class of network and the sub

net mask for the network. A gateway greatly increases the number of users.

TCP/IP application protocols for browser-based configuration and monitoring: HTTP, HTTPS FTP/SFTP: For remote upload of system logs and (RFC 959) Syslog: Provides remote log storage (RFCs 3164 and 5424) SNMP: Supports v1, v2c, and v3 Telnet/SSH: For limited remote configuration Security features: Up to 32-character password, Telnet Disable, FTP Disable, Secure SNMP,

SNMP Disable, HTTPS/HTTP Disable, SCP, SSH, SFTP.

Authentication: LDAP v2 and v3, RADIUS, MD5 Passwords, NTP Autokey protocol.

1.7 Specifications

1.7.6 1PPS Output

Signal: One pulse-per-second square wave (ext. reference connected to GNSS receiver) Signal level: TTL compatible, 4.3 V minimum, base-to-peak into 50 Ω Pulse width: Configurable pulse width (200 ms by default) Pulse width range: 20 ns to 900 ms Rise time: <10 ns Accuracy: Positive edge within ±50 ns of UTC when locked to a valid 1PPS input reference Connector: BNC female

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 40

Oscillator Type

Accuracy to UTC

(1 sigma locked to

GPS)

Holdover (constant temp. after 2weeks of GPS

lock)

After 4 hours After 24 hours

Low-phase noise Rubid ium

±25 ns 0.2 μs 1μs

Rubidium ±25 ns 0.2 μs 1μs

Low-phase noise OCXO ±25 ns 0.5 μs 10 μs

OCXO ±50 ns 1μs 25 μs

TCXO ±50 ns 12 μs 450 μs

1.7 Specifications

Table 1-6:

1PPS Output accuracies

1.7.7 10 MHz Output

Signal: 10 MHz sine wave

Signal Level: +13 dBm ±2dB into 50 Ω

Harmonics: ˗40 dBc minimum

Spurious: ˗70 dBc minimum TCXO

Connector: BNC female

Signature Control: This configurable feature removes the output signal whenever a

major alarm condition or loss of time synchronization condition is present. The output will be restored once the fault condition is corrected.

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 41

Oscillator Type Accuracy

Low-phase noise Rubidium 1x10

-12

typical 24-hour average locked to GPS

1x10

-11

per day (5x10

-11

per month) typical aging unlocked

Rubidium 1x10

-12

typical 24-hour average locked to GPS

1x10

-11

per day (5x10

-11

per month) typical aging unlocked

Low-phase noise OCXO 1x10

-12

typical 24-hour average locked to GPS

2x10

-10

per day typical aging unlocked

OCXO 2x10

-12

typical 24-hour average locked to GPS

1x10-9per day typical aging unlocked

TCXO 1x10

-11

typical 24-hour average locked to GPS

1x10-8per day typical aging unlocked

Oscillator Type

Medium-Term Stability

(without GPS after 2 weeks of

GPS lock)

Short-Term Stability (Allan vari

ance)

Temperature

Stability

(p˗p)

1sec. 10sec.

100

sec.

Low-phase noise Rubidium

5x10

-11

/month (3x10

-11

/month

typical)

5x10

-11

2x10

-11

5x10

-12

1x10

-10

Rubidium 5x10

-11

/month (3x10

-11

/month

typical)

2x10

-11

2x10

-12

2x10

-12

1x10

-10

Low-phase noise OCXO

2x10

-10

/day 5x10

-11

2x10

-11

1x10

-11

1x10

-9

OCXO 5x10

-10

/day 5x10

-10

5x10

-11

1x10

-11

5x10

-9

TCXO 1x10-8/day 2x10

-9

1x10

-9

3x10

-10

1x10

-6

Oscillator Type @ 1Hz @ 10Hz @ 100Hz @ 1KHz @ 10KHz

Low-phase noise Rubidium ˗100 ˗128 ˗148 ˗153 ˗155

1.7 Specifications

Table 1-7:

10 MHz output — oscillator types and accuracies

Note: Oscillator accuracies are stated as fractional frequency (i.e. the relative fre

quency departure of a frequency source), and as such are dimensionless.

See also "Configuring the Oscillator" on page196.

Table 1-8:

10 MHz output — oscillator stability

1.7.7.1 10 MHz output — Oscillator Phase Noise (dBc/Hz)

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 42

Oscillator Type @ 1Hz @ 10Hz @ 100Hz @ 1KHz @ 10KHz

Rubidium ˗80 ˗98 ˗120 ˗140 ˗140

Low-phase noise OCXO ˗100 ˗128 ˗148 ˗153 ˗155

OCXO ˗95 ˗123 ˗140 ˗145 ˗150

TCXO ./. ./. ˗110 ˗135 ˗140

1.7 Specifications

1.7.8 Mechanical and Environmental Specifications

Dimensions:

Designed for EIA 19” rack mount:

Housing w/o connectors and brackets:

16.75” W x 1.72” H [1U] x 14.33” D actual

(425 mm W x 44 mm H x 364 mm D)

Weight:

6.0 lbs (2.72 kg)

Temperature:

Operating:

Storage:

Humidity:

10% - 95% relative humidity, non-condensing @ 40°C

Altitude:

Operating:

Storage range:

Shock:

-20°C to +65°C

-40°C to +85°C

100-240 VAC: up to 6560 ft (2000 m)

100-120 VAC: up to 13123 ft (4000 m)

12-17 VDCand 21-60VDC: up to 13125 ft (4000 m)

up to 45000 ft (13700 m)

Operating: 15g/0.53 oz, 11ms, half sine wave

SAASM GPS storage shock specs: MRU 35g, GB-GRAM 40g

Storage: 50g/1.76 oz, 11ms, half sine wave

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 43

Vibration:

Operating: 10-55 Hz @ 0.07g

Storage: 10-55 Hz @ 0.15g²/Hz; 55-500 Hz @ 2.0g²/Hz

MIL-STD-810F: 501.4, 502.4, 507.4, 500.4, 516.5, 514.5

1.8 Regulatory Compliance

This product has been found to be in conformance with the following regulatory publications.

FCC

This equipment has been tested and found to comply with the limits for a ClassA digital

device, pursuant to Part15 of the FCC Rules.

These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the user documentation, may cause harmful interference to radio communications.

Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his/her own expense.

1.8 Regulatory Compliance

/Hz; 55-500 Hz @ 1.0g²/Hz

Safety

EN 60950-1:2006/A11:2009: Safety of Information Technology Equipment, including Elec

trical Business Equipment This product has been tested and meets the requirements specified in:

UL 60950-1, 1st Edition

CSA C22.2 No. 60950-1-07, 2nd Edition

UL Listing no. E311040

EMC, CE:

EN 55022:2006/A1:2007: Class A: EC Emissions Standard

EN 55024:1998/A2:2003: EC Generic Immunity Standard

EN 61000-3-2:2006: Harmonic Current Emissions

EN 61000-3-3:1995/A2:2005: Voltage Fluctuations and Flicker

The product complies with the requirements of the Low Voltage Directive 2006/95/EC and the EMC Directive 2004/108/EC.

Note: This is a Class A product. In a domestic environment this product

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 44

1.8 Regulatory Compliance

EMC, ICES-003 and AS/NZS CISPR 22:

This Class (A) digital apparatus complies with Canadian ICES-003, Issue 4.

This Class (A) digital apparatus complies with AS/NZS CISPR 22 for radiated and con ducted Emissions.

may cause radio interference in which case the user may be required to take adequate measures.

CHAPTER 1 • SecureSync User Reference Guide Rev. 23

Page 45

SETUP

The following topics are included in this Chapter:

2.1 Overview 30

2.2 Unpacking and Inventory 31

2.3 Required Tools and Partsfor Installation 32

2.4 Required GNSS Antenna Components 32

2.5 SAFETY 33

2.6 Mounting the Unit 36

2.7 Connecting Supply Power 37

2.8 Connecting the GNSS Input 40

2.9 Connecting Network Cables 41

2.10 Connecting Inputs and Outputs 42

2.11 Powering Up the Unit 42

2.12 Setting up an IP Address 43

2.13 Accessing the WebUI 52

2.14 Configuring Network Settings 54

2.15 Configuring NTP 89

2.16 Configuring Input References 131

2.17 Configuring Outputs 131

CHAPTER 2

CHAPTER 2 • SecureSync User Reference Guide

Page 46

2.1 Overview

2.1 Overview

This section provides an outline of the steps that need to be performed prior to putting SecureSync into service. This includes:

The following factors determine which steps need to be taken:

a. b.

Installation: Hardware setup, mechanical installation, physical connections.

Setup: Establish basic access to the unit, so as to allow the use of the web user interface

("WebUI").

Configuration: Access the Web UI, configure the network, input and output references,

protocols (e.g., NTP), other settings.

The power source(s) your SecureSync is configured for.

Your existing infrastructure and how you plan on integrating SecureSync into it (for example, integrating it into an existing Ethernet network, or setting-up a standalone installation.)

How you would like to setup basic network configuration parameters:

Using the unit's front panel keypad and information display

Using a PC connected to SecureSync via serial cable

Using a PC connected to SecureSync via network cable.

You can connect your PC to SecureSync either…

…directly by means of a dedicated Ethernet cable, or

…indirectly, using your existing Ethernet network (using a network hub).

The option cards configuration of your unit: Is your SecureSync equipped with any option cards, such as additional input references, or additional signal distribution cards? If so, they need to be configured separately via the SecureSync Web UI, once the network configuration is complete.

2.1.1 Main Installation Steps

The following list is a recommendation. Deviations are possible, depending on the actual application and system configuration.

Unpack the unit, and take inventory: "Unpacking and Inventory" on the facing page.

Obtain required tools and parts: "Required Tools and Parts for Installation" on page32.

Mount the unit: .

Read the Safety instructions: "SAFETY" on page33.

Connect your power supply/-ies: "Connecting Supply Power" on page37.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 47

Connect Input References such as your GNSS antenna, and network cable(s): "Con necting the GNSS Input" on page40, and "Connecting Network Cables" on page41.

Power up the unit: "Powering Up the Unit" on page216.

Setup basic network connectivity…

…via front panel keypad and information display: "Setting Up an IP Address via the Front Panel" on page47

ii.

…or via serial port, using a PC with a CLI: "Setting Up an IP Address via the Serial Port" on page50

iii.

…or via Ethernet, using a PC with a web browser, and the SecureSync Web UI: "Accessing the WebUI" on page52.

2.2 Unpacking and Inventory

2.2 Unpacking and Inventory

Caution: Electronic equipment is sensitive to Electrostatic Discharge (ESD).

Observe all ESD precautions and safeguards when handling the unit.

Unpack the equipment and inspect it for damage. If any equipment has been damaged in transit, or you experience any problems during installation and configuration of your Spec tracom product, please contact Spectracom (see "Technical Support" on page540.)

Note: Retain all original packaging for use in return shipments if necessary.

The following items are included with your shipment:

SecureSync unit

QuickStart Guide (printed version), and CD "Timing Product Manuals"

Ancillary items (except for rack mounting items, the contents of this kit may vary based on equipment configuration and/or regional requirements)

Purchased optional equipment; note that option cards listed on the purchase order will be pre-installed in the unit. See "Option Card Identification" on page13 and "Option Cards Overview" on page10.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 48

2.3 Required Tools and Parts for Installation

2.3 Required Tools and Parts for Installation

Phillips screwdrivers to install the rack-mount ears, and to mount the unit in a 19"-rack

Ethernet cables (see "Connecting Network Cables" on page41)

If you plan on using DC power Spectracom recommends an external ON/OFF switch.

2.4 Required GNSS Antenna Components

Should you plan on using a GNSS reference with your SecureSync, you will also need:

Spectracom LMR-400 antenna cable with N connectors

Spectracom outdoor GNSS antenna with mounting bracket

Spectracom GNSS antenna surge suppressor (recommended)

Spectracom GNSS antenna inline amplifier (optional for short cable lengths)

For antenna installation guidelines, see the separate documentation shipped with the antenna components.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 49

2.5 SAFETY

Caution: Do not ignore the Safety Instructions!

2.5.1 Safety: Symbols Used

2.5 SAFETY

Table 2-1:

Symbol Signal word Definition

Safety symbols used in this document, or on the product

Potentially dangerous situation which may lead to personal

DANGER!

CAUTION!

NOTE

ESD

CHASSIS GROUND

Analog Ground

Recycle

injury or death! Follow the instructions closely.

Potential equipment damage or destruction! Follow the instructions closely.

Tips and other useful or important information.

Risk of Electrostatic Discharge! Avoid potential equipment damage by following ESD Best Practices.

This symbol is used for identifying the functional ground of an I/O signal. It is always connected to the instrument chassis.

Shows where the protective ground terminal is connected inside the instrument. Never remove or loosen this screw!

Recycle the mentioned components at their end of life. Follow local laws.

2.5.2 SAFETY: Before You Begin Installation

This product has been designed and built in accordance with state-of-the-art standards and the recognized safety rules. Nevertheless, its use may constitute a risk to the operator or install ation/maintenance personnel, if used under conditions that must be deemed unsafe, or for pur poses other than the product's designated use, which is described in the introductory technical chapters of this guide.

Before you begin installing and configuring your SecureSync unit, carefully read the following important safety statements. Always ensure that you adhere to any and all applicable safety warnings, guidelines, or precautions during the installation, operation, and maintenance of your product.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 50

2.5 SAFETY

DANGER! — INSTALLATION OF EQUIPMENT:

Installation of this product is to be done by authorized service personnel only.This product is not to be installed by users/operators without legal author isation.

Installation of the equipment must comply with local and national electrical codes.

DANGER! — DONOTOPENEQUIPMENT, UNLESSAUTHORIZED:

The interior of this equipment does not have any user serviceable parts. Contact Spectracom Technical Support if this equipment needs to be serviced. Do not open the equipment, except to retrofit option cards, or replacement of battery. Fol low Spectracom Safety Instructions, and observe all local electrical regulatory requirements.

IF THE EQUIPMENT MUST BE OPENED: Never remove the cover or blank option card plates with power applied to this equipment. Ensure all power sources are removed from the unit prior to installing any option cards by removing both the AC and DC power cords connected to the equipment.

This unit will contain more than one power source if both the AC and DC power options are present. In this case, turning off the rear panel power switch will not remove all power sources.

DANGER! — FUSING:

The equipment has Double Pole/Neutral Line Fusing on AC power. For continued protection against risk of fire, replace fuses only with same type and rating of fuse.

DANGER! — GROUNDING: This equipment must be EARTHGROUNDED. Never

defeat the ground connector or operate the equipment in the absence of a suit ably installed earth ground connection. Contact the appropriate electrical inspec tion authority or an electrician if you are uncertain that suitable grounding is available.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 51

2.5 SAFETY

The AC and DC power connectors of this equipment have a connection to the earthed conductor of the AC and DC supply earthing conductor through the AC and DC power cords. The AC source outlet must contain a protective earthing con nection. This equipment shall be connected directly to the AC power outlet earth ing pin or DC supply system earthing electrode conductor. The DC supply source is to be located within the same premises as this equipment: The equipment shall be located in the same immediate area (such as, adjacent cabinets) as any other equipment that has a connection to the earthing conductor of the same AC or DC supply circuit earthing conductor, and also the point of earthing of the AC or DC system.The AC or DC system shall not be earthed else where.

Switches or other disconnection devices shall not be in the earthed circuit con ductor between the AC and DC source and the point of the connection of the earthing electrode conductor to SecureSync’s AC and DC input power connectors earthing pin.

DANGER! — BATTERY: Replace the battery only with the same or equivalent type

recommended by the manufacturer. Follow Spectracom Instructions — there is a danger of a new battery exploding if it is incorrectly installed. Discard used bat teries according to the manufacturer's instructions.

Caution: Electronic equipment is sensitive to Electrostatic Discharge (ESD).

Observe all ESD precautions and safeguards when handling Spectracom equip ment.

2.5.3 SAFETY: User Responsibilities

The equipment must only be used in technically perfect condition. Check components for damage prior to installation. Also check for loose or scorched cables on other nearby equipment.

Make sure you possess the professional skills, and have received the training necessary for the type of work you are about to perform.

Do not modify the equipment.

Use only spare parts authorized by Spectracom.

Always follow the instructions set out in this User Reference Guide, or in other Spec tracom documentation for this product.

Observe generally applicable legal and other local mandatory regulations.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 52

2.6 Mounting the Unit

2.5.4 SAFETY: Other Tips

Keep these instructions at hand, near the place of use.

Keep your workplace tidy.

Apply technical common sense: If you suspect that it is unsafe to use the product, do the following:

Disconnect the supply voltage from the unit.

Clearly mark the equipment to prevent its further operation.

2.6 Mounting the Unit

2.6.1 Rack Mounting

If installing the unit in a rack, install the rack-mount ears on the two sides of the front panel and mount the unit in a standard 19-inch rack cabinet. The unit is intended to be installed in one ori entation only. The unit should be mounted so the front panel interface keys are to the left of the display area.

The SecureSync unit will install into any EIA standard 19-inch rack. SecureSync occupies one rack unit of space for installation, however, it is recommended to leave empty space of at least one rack unit above and below the SecureSync unit to allow for best ventilation.

Rack mounting requirements:

The maximum ambient operating temperature must be observed. See "Mechanical and Environmental Specifications" on page26 for the operating temperature range spe cified for the type of oscillator installed in your SecureSync unit.

If the SecureSync unit is to be installed in a closed rack, or a rack with large amounts of other equipment, a rack cooling fan or fans should be part of the rack mount install ation.

Installation of the unit in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.

Follow the mounting directions described below to prevent uneven mechanical loading, possibly resulting in a hazardous condition.

Do not overload power supply circuits. Use only supply circuits with adequate overload

protection. For power requirements, see "Input Power" on page21.

Reliable grounding of rack-mounted equipment must be maintained. Particular attention must be given to supply connections other than direct connections to the branch circuit (e.g., use of power strips).

The SecureSyncancillary kit contains the following parts needed for rack mounting:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 53

2 each 1165-1000-0714 rack mounting brackets

2 each MP09-0003-0030 equipment rack handles

4 each H020-0832-0406 #8-32 flat head Phillips screws

6 each HM20R-04R7-0010 M4 flat head Phillips screws

The following customer supplied items are also needed:

4 each #10-32 pan head rack mount screws

1 each #2 Phillips head screwdriver

1 each 3/32" straight screwdriver

To rack mount the SecureSync unit:

Attach an MP09-0003-0030 equipment rack handle to the front of each 1165-10000714 rack mounting bracket, using the holes nearest the right angle bend of the 11651000-0714 rack mounting bracket, with the #2 size Phillips screwdriver, using 2 each of the H020-0832-0406 #8-32 flat head Phillips screws.

Attach the 1165-1000-0714 rack mount brackets to the sides of the SecureSync with the rack mounts ears facing outward, aligned with the front edge of the SecureSync front panel. Use the #2 Phillips screwdrivers, using 3 each of the HM20R-04R7-0010 M4 flat head Phillips screws.

2.7 Connecting Supply Power

Secure the rack mount brackets to the rack using the #10-32 rack mount screws and #2 Phillips head screwdriver, 2 each per side of the rack.

Caution: For safety reasons, the SecureSync unit is intended to be operated in a

HORIZONTAL POSITION, RIGHT-SIDE-UP, that is with the keypad to the left side and the 4-line information display and the time display on the right side.

2.6.2 Desktop Operation

SecureSync units can also be operated on a desktop in a HORIZONTAL, RIGHT-SIDE-UP pos ition. The location needs to be well-ventilated, clean and accessible.

2.7 Connecting Supply Power

Depending on the equipment configuration at time of purchase, SecureSync can be powered from an AC input, a DC input or with both AC, and DC input (DC input is an option). Sup plying both AC and DC input power provides redundant and automatic power switchover in case one or the other input power sources is lost.

Before connecting power to the unit, be sure that you have read all safety information detailed in section "SAFETY" on page33.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 54

2.7 Connecting Supply Power

2.7.1 Power Source Selection

If both an AC, and a DC power source are connected to the unit, the following rules apply:

If AC and DC power are both applied, AC power is used.

If DC power is applied, but AC power is not, then DC power will be used.

If AC and DC power are both present, but AC power is subsequently lost, SecureSync will automatically switch to using the DC power input.

DANGER! — This unit will contain more than one power source if both the AC

and DC power options are present. Turning off the rear panel power switch will NOT remove all power sources.

The following sections discuss AC and DC power input. Connect AC and/or DC power, as required.

2.7.2 Using AC Input Power

Connect the AC power cord supplied in the SecureSync ancillary kit to the AC input on the rear panel and the AC power source outlet. The AC input is fuse-protected with two fuses located in the AC power entry module (line and neutral inputs are fused). The AC power entry module also contains the main power switch for the AC power applied to the equipment.

Caution: This equipment has Double Pole/Neutral Line Fusing on AC power.

Note: Important! SecureSync is earth grounded through the AC power connector.

Ensure SecureSync is connected to an AC outlet that is connected to earth ground via the grounding prong (do not use a two prong to three prong adapter to apply AC power to SecureSync).

2.7.3 Using DC Input Power

If the rear panel DC port is present, connect DC power, per the voltage and current as called out on the label that resides above the DC power connector.

Note: DC power is an option chosen at time of purchase. The rear panel DC

input port connector is only installed if the DC input option is available. Different DC power input options are available (12 VDCwith a voltage range of 12 to 17V at 7A maximum or 24/48VDCinput with a voltage range of 21 to 60V at 3A maximum). Review the DC power requirement chosen, prior to connecting DC

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 55

2.7 Connecting Supply Power

power (when the DC port is installed, a label will be placed over the connector indicating the allowable DC input voltage range and the required current).

DANGER! GROUNDING: SecureSync is earth grounded through the DC power

connector. Ensure that the unit is connected to a DC power source that is con nected to earth ground via the grounding pin C of the SecureSync DC power plug supplied in the ancillary kit.

Caution: The DC input port is both fuse and reverse polarity protected. Reversing

polarity with the 24/48VDCoption will not blow the fuse, but the equipment will not power- up. Reversing polarity with the 12VDCoption will likely blow the internal fuse.

A DC power connector to attach DC power to SecureSync is included in the ancillary kit provided with the equipment. A cable of 6 feet or less, using 16AWG wire, with adequate insu lation for the DC voltage source should be used with this connector. The cable clamp provided with the DC power plug for strain relief of the DC power input cable should be used when DC power is connected to SecureSync.

Note: Spectracom recommends to use a dedicated DC power supply switch to

energize/de-energize SecureSync externally.

DC power connector pin-out:

SecureSync units can be ordered in a DC version that includes the following DC plug on the back panel: DC Plug, 3-pin, chassis mount: Amphenol P/N DL3102A10SL-3P

The DC ancillary kit includes, among other things, the following connector parts:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 56

2.8 Connecting the GNSS Input

Mating DC Connector, circular, 3-pin, solder socket, 16AWG,13A,300V: Amphenol

P/N DL3106A10SL-3S; (Spectracom part no. P240R-0032-002F)

Cable Clamp, circular: Amphenol part no. 97-3057-1004(621); (Spectracom part no.

Spectracom part no. MP06R-0004-0001)

Pinout description, DC connector

Pin B goes to the most positive DC voltage of the DC source. For +12V or +24/48V this would

be the positive output from the DC source. For a -12V or -24/48VDCsource this would be the ground or return of the DC source.

Pin A goes to the most negative voltage of the DC source. For +12V or +24/48V this would

be the ground or return output from the DC source. For a -12V or - 24/48VDCsource this would be the negative output from the DC source.

Pin C goes to the Earth ground of the DC source.

2.8 Connecting the GNSS Input

Typical installations include GNSS as an external reference input. If the GNSS receiver is not installed or if the GNSS will not be used as a SecureSync reference, disregard the steps to install the GNSS antenna and associated cabling.

Install the GNSS antenna, surge suppressor, antenna cabling, and GNSS preamplifier (if required). Refer to the documentation included with the GNSS antenna for additional information regarding GNSS antenna installation.

Connect the GNSS cable to the rear panel antenna input jack (see illustration under "Unit Rear Panel" on page7). In the event that NO antenna is connected to the rear panel jack, SecureSync will—once it gets powered up (see "Powering Up the Unit" on page216)—activate the Antenna

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 57

Problem alarm, causing the front panel “Fault” light to be blinking orange (the Antenna Problem alarm indicates an open or short exists in the antenna cable.)

Unless there is an open or short in the antenna cable, the "Fault" light should stop flash ing orange once the GNSS antenna and coax cable are connected to the rear panel. If the "Fault" light does not stop flashing after connecting the antenna, refer to "Troubleshooting GNSS Reception" on page322.

Initial synchronization with GNSS input may take up to 5minutes (approximately) when used in the default stationary GNSS operating mode. If using GNSS, verify that GNSS is the syn chronization source by navigating to MANAGEMENT > OTHER: Reference Priority: Confirm that GNSS is Enabled, and its Status for TIME and 1PPS is valid (green).

2.9 Connecting Network Cables

SecureSync provides a base 10/100 Ethernet port for full NTP functionality, as well as a com prehensive web-based user interface ("Web UI") for configuration, monitoring and diagnostic support. Additional network ports are available with the Gigabit Ethernet option card (1204-

06).

2.9 Connecting Network Cables

Before connecting the network cable(s), you need to decide which port(s) you want to use for which purpose (e.g., ETH0 for configuration only, etc.), and how you want to configure basic network connectivity e.g., the IP address:

Configure SecureSync via the unit's front panel: See "Setting Up an IP Address via the Front Panel" on page47.

Configure SecureSync by means of a PC connected to an existing network.

When connecting to a hub, router, or network computer, use a straight-through wired, shielded CAT 5, Cat 5E or CAT 6 cable with RJ-45 connectors. Connect one end to the Ethernet port on the SecureSync rear panel, and the opposite end of the cable to a network hub or switch.

Configure SecureSync by connecting a stand-alone computer directly via a dedicated network cable (standard-wired, or crossover cable):

When connecting directly to a stand-alone PC, use a network cable. Connect the cable to the NIC card of the computer. Since no DHCP server is available in this configuration both SecureSync, and the PC must be configured with static IP addresses that are on the same subnet

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 58

2.10 Connecting Inputs and Outputs

(10.1.100.1 and 10.1.100.2 with a subnet value of 255.255.255.0 on both devices, for example).For more information on configuring static IP addresses, see "Assigning a Static IP Address" on page45.

Once the unit is up and running, verify that the green link light on the Ethernet port is illu minated. The amber “Activity” link light may periodically illuminate when network traffic is present.

2.10 Connecting Inputs and Outputs

SecureSync can synchronize not only to an external GNSS reference signal, but also to other optional external references such as IRIG, HAVEQUICK and ASCII inputs (in addition to net work based references such as NTP and/or PTP).

At the same time, SecureSync can output timing and frequency signals for the consumption by other devices via the same formats as listed above.

E X A M P L E :

With the available IRIG Input/Output option card module (Model 1204-05) installed in an option bay, IRIG time code from an IRIG generator can also be applied as an external reference input (either in addition to, or in lieu of GNSS, NTP, user set time and other available reference inputs).

To use e.g., an external IRIG reference, connect the IRIG time source to the BNC connector “J1” on the optional IRIG Input/Output module. For additional information on optional connectivity, such as pinout tables, signal levels and other specifications, see "Option Cards" on page328.

Note that some option cards offer both input and output functionality, while others offer only one or the other.

2.11 Powering Up the Unit

After installing your SecureSync unit, and connecting all references and network(s), verify that power is connected, then turn ON the unit using the switch on the rear panel (only if equipped with AC power input), and wait for the device to boot up.

Note: DC input power is not switched, so SecureSync will be powered up

with DC input connected, unless you installed an external power switch.

Observe that all of the front panel LEDs momentarily illuminate (the Power LED will then stay lit) and that the Information display LCD back light illuminates. The fan may or may not run, depending on the model year of your SecureSync unit. For more information, see "Temperature Management" on page281.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 59

2.12 Setting up an IP Address

The time display will reset and then start incrementing the time. About 10 seconds after power-up, “Starting up SecureSync” will be displayed in the information display. After approximately 2minutes, the information display will then show the current network set tings.

By default, the 4-line information display shows the unit’s hostname, IPv4 address, mask, and gateway. The time display shows the current time: UTC (default), TAI, GPS or local timescale, as configured.

Figure 2-1: SecureSync front panel

Check the front panel status LED indicators:

The Power lamp should be solid green.

The Sync lamp will probably be red, since synchronization has not yet been achieved.

The Fault lamp will be OFF, or solid orange, indicating a minor alarm, or solid red, asserting a power-up frequency error alarm (until the disciplining state is reached.)

For additional information, see "Status LEDs" on page6 and "Status Monitoring via Front Panel" on page259.

2.12 Setting up an IP Address

In order for SecureSync to be accessible via your network, you need to assign an IP address to SecureSync, as well as a subnet mask and gateway, unless you are using an address assigned by a DHCP server.

There are several ways to setup an IP address, described below:

via the front panel keypad and information display

remotely …

…via serial cable

… via dedicated network cable

… via a DHCP network.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 60

2.12 Setting up an IP Address

Before you continue …

… please obtain the following information from your network administrator:

Available static IP address

Subnet mask (for the network)

Gateway address

This is the unique address assigned to the SecureSync unit by the network admin istrator. Make sure the chosen address is outside of the DHCP range of your DHCP server.

Note: The default static IP address of the SecureSync unit is

10.10.201.x (x= dependent on ETH port).

The subnet mask defines the number of bits taken from the IP address that are used in the network portion. The number of network bits used in the net mask can range from 8 to 30bits.

The gateway (default router) address is needed if communication to the SecureSync is made outside of the local network. By default, the gateway is dis abled.

Note: Make sure you are assigning a static IP address to your SecureSync unit

that is outside of the DHCP range defined for the DHCP server. Your system administrator will be able to tell you what this range is.

2.12.1 Dynamic vs. Static IP Address

On a DHCP network (Dynamic Host Configuration Protocol), SecureSync's IP address will be assigned automatically once it is connected to the DHCP server. This negotiated address and other network information are displayed on the unit front panel when the unit boots up.

If you plan on allowing your SecureSync to use this negotiated DHCP Address on a permanent basis, you can skip the following topics about setting up an IP address, and instead proceed to "Accessing the WebUI" on page52, in order to complete the SecureSync configuration pro cess.

Please note:

Unless you are using DNS in conjunction with DHCP (with the client configured using SecureSync's hostname instead of IP address), Spectracom recommends to disable DHCP for SecureSync, and instead use a static IP address. Failure to do this can result in a loss of time synchronization, should the DHCP server assign a new IPaddress to SecureSync.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 61

2.12.2 Assigning a Static IP Address

Spectracom recommends assigning a static IP address to SecureSync, even if the unit is con nected to a DHCP server.

This can be accomplished in several ways:

Via the keypad and information display on the front panel of the unit, see "Setting Up an IP Address via the Front Panel" on page47.

By connecting the SecureSync to an existing DHCP network, temporarily using the assigned DHCP address, see "Setting Up a Static IP Address via a DHCP Network" on page49.

By connecting a Personal Computer to SecureSync via a serial cable, see "Setting Up an IP Address via the Serial Port" on page50.

By connecting a Personal Computer directly to SecureSync via a dedicated Ethernet

cable, see "Setting up a Static IP Address via Ethernet Cable" on page51.

Note: For information on configuring routing tables, see "Static Routes" on

page58.

2.12 Setting up an IP Address

2.12.2.1 Assigning a New Static IP Address

To configure a SecureSync unit that has not yet been assigned a custom IP address (e.g., because your network does not support DHCP), there are two ways to enter the desired static IP address, subnet mask, and gateway address:

The front panel keypad and its 4-line information display, or

a personal computer, connected to the SecureSync unit via a serial cable, or via a ded icated Ethernet cable.

The keypad is the simplest method to configure the network settings. See "Keypad and Inform ation Display" on page4 for information on using the keypad.

Note: Units are shipped with the default IP address of 10.10.201.1 with subnet

mask 255.255.255.0.

Setting Up an IP Address via Serial Cable

The serial port can be used to make configuration changes (such as the network settings), retrieve operational data (e.g., GNSS receiver information) and log files, or to perform oper ations such as resetting the admin password.

For this task, you will need a serial cable, and a Personal Computer (PC) with a command-line user interface program (CLI) installed on it, such as TeraTerm®, PuTTY®, or similar.

To configure an IP address via the serial port:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 62

2.12 Setting up an IP Address

Connect a pinned straight-thru standard DB9M to DB9F RS232 serial cable to a PC run ning PuTTY, Tera Term, or HyperTerminal, and to your SecureSync. Use the following protocol parameters:

For more information on using the serial port connection, see "Setting up a Terminal Emulator" on page491.

The serial port is account and password protected. Login to SecureSync with a user account that has “admin” group rights, such as the default spadmin account (the

default password is admin123).

Bits per second: 9600

Data bits: 8

Parity: None

Stop bits: 1

Flow control: None

Note: Users with “administrative rights” can perform all available com

mands. Users with “user” permissions only can perform get commands to retrieve data, but cannot perform any set commands or change/reset any passwords.

Disable DHCP, type: dhcp4set 0 off <Enter>.

Note: If your SecureSync is configured with an Ethernet option card, use

0, 1, 2, 3 for eth0 – eth3.

Note: For a list of CLI commands, type helpcli, or see "CLICommands"

on page492.

Configure the IP address, subnet mask, and gateway (if needed):

ip4set 0 x.x.x.x y.y.y.y <Enter>

(where 0 is the desired interface, “x.x.x.x” is the desired IP address for SecureSync, and “y.y.y.y” is the full subnet mask for the network (For a list of subnet mask values, see "Subnet Mask Values" on page52.)

Enter gw4set 0 gw_address, using your gateway address gw_address.

Once you have configured SecureSync's IP address, you can login to the WebUI by entering the new address into a web browser‘s address bar.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 63

2.12 Setting up an IP Address

Setting Up an IP Address via Ethernet Cable

Note: You may use an Ethernet crossover cable, but you do not have to.

Turn on the unit with NO cable plugged into the Ethernet port yet (Note: once you apply power, it may take up to two minutes for the system to fully boot).

Configure your PC‘s network interface card (NIC) with an IP address on the same network as the NetClock 9489‘s default IP address (10.10.201.1 ). For example, configure the IP

address of your PC‘s network interface card as 10.10.201.10 , with a subnet mask of

255.255.255.0.

Connect an Ethernet cable from your PC to the Ethernet port of the NetClock unit. Once con nected via crossover cable, open a web browser and enter the NetClock‘s default IP address (10.10.201.1) into the browser‘s address bar and login to the NetClock‘s WebUI as an

administrator. Once logged in, network settings for the NetClock can be configured under

MANAGEMENT > Network Setup > Actions: General Settings and under Ports: GEAR button.

2.12.2.2 Setting Up an IP Address via the Front Panel

Assigning an IP address to SecureSync, using the front panel keypad and information display is a preferred way to provide network access to the unit, thus enabling you thereafter to com plete the setup process via the WebUI.

Keypad Operation

The functions of the six keys are:

tu arrow keys: Navigate to a menu option (will be highlighted)

pq arrow keys: Scroll through parameter values in edit displays

ü ENTER key: Select a menu option, or load a parameter when editing

Ò BACK key: Return to previous display or abort an edit process

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 64

2.12 Setting up an IP Address

Step-by-step instructions:

First, disable DHCP:

Then, enter IP Address and Subnet Mask:

Press the ü key.

Using the arrow key, select Netv4 from the menu. (To select a menu item, highlight it using the arrow keys, then press the ü key.)

Select the Ethernet interface for which DHCP is to be disabled, such as eth0.

Select DHCP from the next menu. The display will show State=Enabled and

Action=Disabled.

(The State is the current DHCP setting and the Action is the action to take. You can only change the Action setting.)

Press the ü key once to select the action, then again to apply it.

Still on the Home > Netv4 > eth[0-3] menu, select IP Address, and change "N=010.010.201.001/16” to the value of the static IP address and subnet mask/network bits to be assigned (for a list of subnet mask values refer to the table "Subnet mask values" on page52).

Press the ü key once to enter the setting, then again to apply the new setting.

Lastly, enter the Gateway Address (if required)

Still on the Home > Netv4 menu, select the Gateway option (Home >

Netv4 > eth0 > Gateway).

Press the ü key once to enter the setting, then again to apply the new setting.

The display will change, allowing you to input an address at N=000.000.000.001. Enter the gateway address here.

The address entered must correspond to the same network IP address assigned to SecureSync.

After all addresses are entered, press the x key three times to return to the main display. It should now resemble the following example:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 65

Note: Despite having entered an IP address, the information display will show

0.0.0.0 if SecureSync could not detect an active link on the corresponding net work interface.

Note: About DNS: The Primary and Secondary DNS servers are set automatically

if using DHCP. If DHCP is not available, they can be configured manually in the SecureSync WebUI via the Network/General Setup screen.

The remainder of the configuration settings will be performed via the Web UI (accessed via an external workstation with a web browser such as Firefox®or Chrome®). For more information, see "The Web UI HOME Screen" on page17.

2.12.2.3 Setting Up a Static IP Address via a DHCP Network

2.12 Setting up an IP Address

To setup a permanent static IP address, after connecting SecureSync to a DHCP network:

Enter the IP address shown on the front panel information display of your SecureSync unit into the address field of your browser (on a computer connected to the SecureSync network). If the network supports DNS, the hostname may also be entered instead (the default hostname is "Spectracom"). The start screen of the SecureSync Web UI will be displayed.

Log into the Web UI as an administrator. The factory-default user name and password are:

Username: spadmin Password: admin123

Disable DHCP by navigating to MANAGEMENT > Network Setup. In the Ports panel on the right, click the GEAR icon next to the Ethernet Port you are using. In the Edit Ethernet

Port Settings window, uncheck the Enable DHCPv4 field. Do NOT click Submit or Apply

yet.

In the fields below the Enable DHCPv4 checkbox, enter the desired Static IP address, Net mask, and Gateway address (if required). Click Submit.

For more information on network configuration, see: "Network Ports" on page56. For subnet mask values, see "Subnet Mask Values" on page52.

Verify on the front panel information display that the settings have been accepted by SecureSync.

Enter the static IP address into the address field of the browser, and again log into the WebUI in order to continue with the configuration; see: "The Web UI HOME Screen" on page17.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 66

2.12 Setting up an IP Address

2.12.2.4 Setting Up an IP Address via the Serial Port

SecureSync's front panel serial port connector is a standard DB9 female connector. Com munication with the serial port can be performed using a PC with a terminal emulator program (such as PuTTY or TeraTerm) using a pinned straight-thru standard DB9M to DB9F serial cable.

The serial port is account and password protected. You can login via the serial port using the same user names and passwords as would be used to log into the SecureSync WebUI. Users with “administrative rights” can perform all available commands. Users with “user” permissions only can perform “get” commands that retrieve data, but cannot perform any “set” commands or change/reset any passwords.

To configure an IP address via the serial port:

Connect a serial cable to a PC running PuTTY, Tera Term, or HyperTerminal, and to your SecureSync. For detailed information on the serial port connection, see "Setting up a Terminal Emulator" on page491

Login to SecureSync with a user account that has “admin” group rights, such as the default spadmin account (the default password is admin123).

Disable DHCP, type: dhcp4set 0 off <Enter>.

Note: If your SecureSync is configured with an Ethernet option card, use

0, 1, 2, 3 for eth0 – eth3.

Note: For a list of CLI commands, type helpcli, or see "CLICommands"

on page492.

Configure the IP address and subnet mask, type:

ip4set 0 x.x.x.x y.y.y.y <Enter>

Configure the gateway by typing gw4set 0 z.z.z.z<Enter>

(where 0 indicates which interface routing table to add the default gateway for, and “z.z.z.z” is the default gateway address).

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 67

Note: If your SecureSync is configured with an Ethernet option card, use

0, 1, 2, 3 for eth0 – eth3.

Remove the serial cable, connect SecureSync to the network, and access the Web UI, using the newly configured IP address. (For assistance, see "Accessing the WebUI" on the next page)

The remainder of the configuration settings will be performed via the Web UI (accessed via an external workstation with a web browser such as Firefox®or Chrome®).

2.12.2.5 Setting up a Static IP Address via Ethernet Cable

This procedure will allow you to configure SecureSync using the WebUI directly via the Eth ernet port, if for some reason you prefer not to (or cannot) use a DHCP network.

First, disable DHCP using the front panel keypad and information display:

Press the ü key.

2.12 Setting up an IP Address

Using the arrow key, select Netv4 from the menu.

(To select a menu item, highlight it using the arrow keys, then press the ü key.)

Select the Ethernet interface for which DHCP is to be disabled, such as eth0.

Select DHCP from the next menu. The display will show State=Enabled and

Action=Disabled.

(The State is the current DHCP setting and the Action is the action to take. You can only change the Action setting.)

Press the ü key once to select the action, then again to apply it.

The front panel will now display the default static IP address 10.10.201.1/16.

Change the workstation IP address to be on the same network as SecureSync.

Connect workstation and SecureSync with an Ethernet cable.

Note: You may use an Ethernet crossover cable, but you do not have to.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 68

Network Bits Equivalent Netmask Network Bits Equivalent Netmask

30 255.255.255.252 18 255.255.192.0

29 255.255.255.248 17 255.255.128.0

28 255.255.255.240 16 255.255.0.0

27 255.255.255.224 15 255.254.0.0

26 255.255.255.192 14 255.252.0.0

25 255.255.255.128 13 255.248.0.0

24 255.255.255.0 12 255.240.0.0

23 255.255.254.0 11 255.224.0.0

22 255.255.252.0 10 255.192.0.0

21 255.255.248.0 9 255.128.0.0

20 255.255.240.0 8 255.0.0.0

19 255.255.224.0

2.13 Accessing the WebUI

2.12.3 Subnet Mask Values

Table 2-2:

Subnet mask values

2.13 Accessing the WebUI

SecureSync's WebUI is the recommended tool to interact with the device, since it provides access to nearly all configurable settings, and obtain comprehensive status information without having to use the Command Line Interpreter (CLI).

You can access the Web UI either by using the automatically assigned DHCP IP address, or by using a manually set static IP address (see "Assigning a Static IP Address" on page45):

On a computer connected to the SecureSync network, start a web browser, and enter the IPaddress shown on the SecureSync front panel, or setup manually beforehand into the web browser address.

When first connecting to the Web UI, a warning about security certificates may be dis played:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 69

Select Continue....

Note: "Cookies" must be enabled. You will be notified if Cookies are dis

abled in your browser.

Note: HTTPS only: Depending on your browser, the certificate/security

pop-up window may continue to be displayed each time you open the Web UI until you saved the certificate in your browser.

Note: Static IPaddress only: To prevent the security pop-up window from

opening each time, a new SSL Certificate needs to be created using the assigned IP address of SecureSync during the certificate generation. See

"HTTPS" on page61 for more information on creating a new SSL cer

tificate.

2.13 Accessing the WebUI

Log into the Web UI as an administrator. The factory-default administrator user name and password are:

Username: spadmin Password: admin123

Note: For security reasons, it is advisable to change the default credentials,

see: "The Administrator Login Password" on page232.

Upon initial login, you will be asked to register your product. Spectracom recommends to register SecureSync, so as to receive software updates and services notices. See also "Product Registration" on page258.

Number of login attempts

The number of failed login attempts for ssh is hard-set to (4) four. This value is not customer-con figurable.

The number of failed login attempts for the Web UI (HTTP/HTTPS) is hard-set to (5) five failed login attempts, with a 60 second lock. These two values are not customer- configurable.

To continue with the configuration, see e.g., "The Web UI HOME Screen" on page17. To learn more about setting up different types of user accounts, see "Managing User Accounts"

on page227.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 70

2.14 Configuring Network Settings

2.14 Configuring Network Settings

Before configuring the network settings, you need to setup access to SecureSync web user inter face ("Web UI"). This can be done by assigning a static IP address, or using a DHCP address. For more information, see "Setting up an IP Address" on page43.

Once you have assigned the IP address, login to the Web UI. For more information, see "Accessing the WebUI" on page52.

To configure network settings, or monitor your network, navigate to SecureSync's Network

Setup screen.

To access the Network Setup screen:

Navigate to MANAGEMENT > Network Setup. The Network Setup screen is divided into three panels:

The Actions panel provides:

General Settings: Allows quick access to the primary network settings necessary to

connect SecureSync to a network. See "General Network Settings" on the facing page.

Web Interface Settings:

Web interface timeout: Determines how long a user can stay logged on. For more information, see "Web UI Timeout" on page251.

Access Control: Allows the configuration of access restrictions from assigned net

works/nodes.

be displayed on the SecureSync Web UI login page and the CLI (Note: There is a 2000 character size limit).

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 71

2.14 Configuring Network Settings

SSH: This button takes you to the SSH Setup window. For details on setting up

SSH, see "SSH" on page69.

HTTPS: This button takes you to the HTTPS Setup window. For details on setting

up HTTPS, see "HTTPS" on page61.

System Time Message : Setup a once-per-second time message to be sent to

receivers via multicast. For details, see "System Time Message" on page87.

The Network Services panel is used to enable (ON) and disable (OFF) network services, as well as the Web UI display mode, details see: "Network Services" on page58.

The Ports panel not only displays STATUS information, but is used also to set up and man age SecureSync’s network ports via three buttons:

INFO button: Displays the Ethernet port Status window for review purposes.

GEAR button: Displays the Ethernet port settings window for editing purposes.

TABLE button: Displays a window that allows adding, editing, and reviewing

Static Routes.

2.14.1 General Network Settings

To expedite network setup, SecureSync provides the General Settings window, allowing quick access to the primary network settings.

To access the General Settings window:

Navigate to MANAGEMENT > Network Setup. In the Actions Panel on the left, click

General Settings.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 72

2.14 Configuring Network Settings

Populate the fields:

Hostname: This is the server’s identity on the network or IP address.

Default Port: Unless you specify a specific Port to be used as Default Port, the fact

ory default port eth0 will be used as the gateway (default gateway).

The General Settings window also displays the IPv4 Address and default IPv4 Gateway.

2.14.2 Network Ports

Ports act as communication endpoints in a network. The hardware configuration of your unit will determine which ports (e.g., Eth0, Eth1, ...) are available for use. Before using a port, it needs to be enabled and configured.

To enable & configure, or view a network port:

Navigate to MANAGEMENT > Network Setup.

The Ports panel on the right side of the screen lists the available Ethernet ports, and their

connection status:

Green: CONNECTED (showing the connection speed)

Yellow: CABLE UNPLUGGED (the port is enabled but there is no cable attached)

Red: DISABLED.

Locate the port you want to configure and click the GEAR button to enable & con

figure the port, or the INFO button to view the port status.

Note: The eth0 port is the built-in SecureSync Ethernet port.

If the port is not already enabled, in the Edit Ethernet Ports Settings window, click the

Enable check box. The Edit Ethernet Ports Settings window will expand to show the

options needed to complete the port setup.

Fill in the fields as required:

Domain: This is the domain name to be associated with this port.

Enable DHCPv4: Check this box to enable the delivery of IP addresses

from a DHCP Server using the DHCPv4 protocol. This box is checked by default. Should you disable (uncheck) DHCPv4, the following fields will dis play and must be completed:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 73

ETH port

Default "static lease"

IP address

ETH0 10.10.201.1

ETH1 10.10.201.2

ETH2 10.10.201.3

ETH3 10.10.201.4

2.14 Configuring Network Settings

Static IPv4 Address: This is the unique address assigned by the net

work administrator. The default static IP address of the SecureSync unit is 10.10.201.1. In the format “#.#.#.#” with no leading zer

oes or spaces, where each ‘#’ is a decimal integer from the range [0,255].

Table 2-3:

Default IP addresses

The default subnet is: 255.255.0.0

Netmask: This is the network subnet mask assigned by the network

administrator. In the form “xxx.xxx.xxx.xxx.” See "Subnet Mask Values" on page52 for a list of subnet mask values.

IPv4 Gateway: The gateway (default router) address is needed if

communication to the SecureSync is made outside of the local net work. By default, the gateway is disabled.

DNS Primary: This is the primary DNS address to be used for this

port. Depending on how your DHCP server is configured, this is set auto matically once DHCP is enabled. Alternatively, you may configure your DHCP server to NOT use a DNS address. When DHCP is disabled, DNS Primary is set manually, using the format "#.#.#.#" with no leading zeroes or spaces, where each ‘#’ is a decimal integer from the range [0,255].

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 74

2.14 Configuring Network Settings

To apply your changes, click Submit (the window will close), or Apply.

2.14.3 Network Services

Several standard network services can be enabled or disabled via the easily accessible Net

work Services Panel under MANAGEMENT > Network Setup:

The Network Services panel has ON/OFF toggle switches for the following daemons and fea tures:

System Time Message: A once-per second Time Message sent out via Multicast; for

details, see "System Time Message" on page87.

DNS Secondary: This is the secondary DNS address to be used for

this port. Depending on how your DHCP server is configured, this is set automatically once DHCP is enabled, or your DHCP server may be configured NOT to set a DNS address. When DHCP is disabled, DNS Secondary is set manually, using the format “#.#.#.#” with no leading zeroes or spaces, where each ‘#’ is a decimal integer from the range [0,255].

Daytime Protocol, RFC-867: A standard Internet service, featuring an ASCII daytime rep

resentation, often used for diagnostic purposes.

Time Protocol, RFC-868: This protocol is used to provide a machine-readable, site-inde

pendent date and time.

Telnet: Remote configuration

FTP server: Access to logs

SSH: Secure Shell cryptographic network protocol for secure data communication

HTTP: Hypertext Transfer Protocol

Note: A listing of recommended and default network settings can be found under

"Default and Recommended Configurations" on page311.

2.14.4 Static Routes

Static routes are manually configured routes used by network data traffic, rather than solely relying on routes chosen automatically by DHCP (Dynamic Host Configuration Protocol). With statically configured networks, static routes are in fact the only possible way to route network traffic.

To view, add, edit, or delete a static route:

Navigate to the MANAGEMENT > Network Setup screen.

The Ports panel displays the available Ethernet ports, and their connection status:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 75

2.14 Configuring Network Settings

To view all configured Static Routes for all Ethernet Ports, or delete one or more Static Routes, click the TABLE icon in the top-right corner.

To add a new Route, view or delete an existing Route for a specific Ethernet Port, locate the Port listing you want to configure, and click the TABLE button next to it. The Static Routes window for the chosen Port will open, displaying its Routing Table, and an Add Route panel.

In the Add Route panel, populate these fields in order to assign a Static Route to a Port:

Net Address: This is the address/subnet to route to.

Prefix: This is the subnet mask in prefix form e.g., "24". See also "Subnet

Mask Values" on page52.

Router Address: This is where you will go through to get there.

Click the Add Route button at the bottom of the screen.

Note: To set up a static route, the Ethernet connector must be phys

ically connected to the network.

Note: Do not use the same route for different Ethernet ports; a route

that has been used elsewhere will be rejected.

Note: The eth0 port is the default port for static routing. If a port is

not given its own static route, all packets from that port will be sent through the default.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 76

2.14 Configuring Network Settings

2.14.5 Access Rules

Network access rules restrict access to only those assigned networks or nodes defined. If no access rules are defined, access will be granted to all networks and nodes.

Note: In order to configure Access Rules, you need ADMINISTRATORrights.

To configure a new, or delete an existing access rule:

Navigate to the MANAGEMENT > Network Setup screen.

In the Actions panel on the left, click on Access Control.

The Network Access Rules window displays:

In the Allow From field, enter a valid IP address. It is not possible, however, to add dir ect IP addresses, but instead they must be input as blocks, i.e. you need to add /32 at

the end of an IP address to ensure that only that address is allowed. Example: 10.2.100.29/32 will allow only 10.2.100.29 access.

I P a d d r e s s n o m e n c l a t u r e :

IPv4—10.10.0.0/16, where 10.10.0.0 is the IP address and 16 is the subnet mask in prefix form. See the table "Subnet Mask Values" on page52 for a list of subnet

mask values.

Click the Add button in the Action column to add the new rule.

The established rule appears in the Network Access Rules window.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 77

2.14.6 HTTPS

2.14 Configuring Network Settings

Click the Delete button next to an existing rule, if you want to delete it.

HTTPS stands for HyperText Transfer Protocol over SSL (Secure Socket Layer). This TCP/IP pro tocol is used to transfer and display data securely by adding an encryption layer to protect the integrity and privacy of data traffic. Certificates issued by trusted authorities are used for sender/recipient authentication.

Note: In order to configure HTTPS, you need ADMINISTRATORrights.

Note that SecureSync supports two different modes of HTTPS operation: The Standard HTTPS

Level (default), and a High-Security Level. For more information, see "HTTPS Security Levels" on

page249.

2.14.6.1 Accessing the HTTPS Setup Window

Navigate to MANAGEMENT > NETWORK: HTTPS Setup (or, navigate to MANAGEMENT > Network Setup, and click HTTPS in the Actions panel on the left):

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 78

2.14 Configuring Network Settings

The HTTPS Setup window has four tabs:

Create Certificate Request: This menu utilizes the OpenSSL library to generate cer

tificate Requests and self-signed certificates.

Certificate Request: A holder for the certificate request generated under the Create Certificate Request tab. Copy and paste this Certificate text in order to send it to

your Certificate Authority.

Upload X509 PEM Certificate: Use the window under this tab to paste your X.509

certificate text and upload it to SecureSync.

Upload Certificate File: Use this tab to upload your certificate file returned by the

Certificate Authority. For more information on format types, see "Supported Cer tificate Format Types" on the facing page.

Exit the HTTPS Setup window by clicking the X icon in the top right window corner, or by click ing anywhere outside the window.

Should you exit the HTTPS Setup window while filling out the certificate request parameters form

before

ing between tabs within the HTTPS Setup window, the information you have entered will be retained.

clicking the Submit button, any information you entered will be lost. When switch

2.14.6.2 About HTTPS

HTTPS provides secure/encrypted, web-based management and configuration of SecureSync from a PC. In order to establish a secure HTTPS connection, an SSL certificate must be stored inside the SecureSync unit.

SecureSync uses the OpenSSL library to create certificate requests and self-signed certificates. The OpenSSL library provides the encryption algorithms used for secure HTTP (HTTPS). The OpenSSL package also provides tools and software for creating X.509 Certificate Requests, Self Signed Certificates and Private/Public Keys. For more information on OpenSSL, please see www.openssl.org.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 79

2.14 Configuring Network Settings

Once you created a certificate request, submit the request to an external Certificate Authority (CA) for the creation of a third party verifiable certificate. (It is also possible to use an internal corporate Certificate Authority.)

If a Certificate Authority is not available, or while you are waiting for the certificate to be issued, you can use the default Spectracom self-signed SSL certificate that comes with the unit until it expires, or use your own self-signed certificate. The typical life span of a certificate (i.e., during which HTTPS is available for use) is about 10years.

Note: If deleted, the HTTPS certificate cannot be restored. A new certificate will

need to be generated.

Note: If the IP Address or Common Name (Host Name) is changed, you may wish

to regenerate the certificate. Otherwise you may receive security warnings from your web browser each time you login.

2.14.6.3 Supported Certificate Format Types

SecureSync supports X.509 PEM and DER certificates, as well as PKCS#7 PEM and DER format ted certificates.

You can create a unique X.509 self-signed certificate, an RSA private key and X.509 certificate request using the WebUI. RSA private keys are supported because they are the most widely accepted. At this time, DSA keys are not supported.

SecureSync supports two different modes of HTTPS operation: The Standard HTTPS Level (default), and a High-Security Level. For more information, see "HTTPS Security Levels" on page249.

2.14.6.4 Creating an HTTPS Certificate Request

To create an HTTPS Certificate Request:

Navigate to MANAGEMENT > NETWORK:HTTPS Setup, or in the MANAGEMENT >

NETWORK Setup, Actions panel, select HTTPS:

Click the Create Certificate Request tab (this is the default tab).

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 80

2.14 Configuring Network Settings

Fill in the available fields:

Create Self-Signed Certificate:

This checkbox serves as a security feature: Check this box before clicking Submit, in order to confirm that you will be generating a new self- signed certificate,

thereby overwriting any previously generated (or the Spectracom default) cer

tificate. An invalid certificate may result in denial of access to SecureSync via the Web UI! (If this occurs, see "If a Secure Unit Becomes Inaccessible" on page251.)

Signature Algorithm: Choose the algorithm to be used from:

Caution: Spectracom recommends to check this box (if needed) after

you have filled out the form completely, before clicking Submit. This will prevent inadvertent submission.

MD4

SHA1

SHA256

SHA512

Private Key Pass Phrase: This is the RSA decryption key. This must be at least

4characters long.

RSA Private Key Bit Length: 2048 bits is the default. Using a lower number may

compromise security and is not recommended.

Two-Letter Country Code: This code should match the ISO-3166-1 value for the

country in question.

State Or Province Name: From the address of the organization creating up the

certificate.

Locality Name: Locale of the organization creating the certificate.

Organization Name: The name of the organization creating the certificate.

Organization Unit Name: The applicable subdivision of the organization cre

ating the certificate.

Common Name (e.g. Hostname or IP): This is the name of the host being authen

ticated. The Common Name field in the X.509 certificate must match the host name, IP address, or URL used to reach the host via HTTPS.

Email Address: This is the email address of the organization creating the cer

tificate.

Challenge Password: Valid response password to server challenge.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 81

2.14 Configuring Network Settings

Optional Organization Name: An optional name for the organization creating

the certificate.

Self-Signed Certificate Expiration (Days): How many days before the certificate

expires. The default is 7200.

You are required to select a signature algorithm, a private key passphrase of at least 4characters, a private key bit length, and the certificate expiration in days. The remain ing fields are optional.

It is recommended that you consult your Certificate Authority for the required fields in an X509-certificate request. Spectracom recommends all fields be filled out and match the information given to your Certificate Authority. For example, use all abbreviations, spellings, URLs, and company departments recognized by the Certificate Authority. This helps to avoid problems the Certificate Authority might otherwise have reconciling cer tificate request and company record information.

If necessary, consult your web browser vendor’s documentation and Certificate Authority to see which key bit lengths and signature algorithms your web browser supports.

Spectracom recommends that when completing the Common Name field, the user provide a static IP address, because DHCP-generated IP addresses can change. If the hostname or IP address changes, the X.509 certificate must be regenerated.

It is recommended that the RSA Private Key Bit Length be a power of 2 or multiple of 2. The key bit length chosen is typically 1024, but can range from 512 to 4096. Long key bit lengths of up to 4096 are not recommended because they can take several hours to generate. The most common key bit length is the value 1024.

Note: The default key bit length value is 2048.

When using a self-signed certificate, choose values based on your company’s security policy.

When the form is complete, check the box Create Self Signed Certificate at the top of the window, then click Submit. Clicking the Submit button automatically generates the Certificate Request in the proper format for subsequent submission to the Certificate Authority.

Note: It may take several minutes for SecureSync to create the certificate

request and the private key (larger keys will require more time than small keys). If the unit is rebooted during this time, the certificate will not be cre ated.

To view the newly generated request, in the HTTPS Setup window, click the Certificate

Request tab.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 82

2.14 Configuring Network Settings

When switching between tabs within the HTTPS Setup window, the information you have entered will be retained. If you exit the HTTPS Setup window before clicking Sub mit, the information will be lost.

2.14.6.5 Requesting an HTTPS Certificate

Before requesting an HTTPS Certificate from a third-party Certificate Authority, you need to cre ate a Certificate Request:

Navigate to MANAGEMENT > HTTPS Setup, or to MANAGEMENT > Network Setup >

Actions panel: HTTPS.

In the HTTPS Setup window, under the Certificate Request Parameters tab, complete the form as described under "Creating an HTTPS Certificate Request" on page63.

Click Submit to generate your Certificate Request.

You have now created a Certificate Request. Navigate to the Certificate Request tab to view it:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 83

2.14 Configuring Network Settings

Copy the generated Certificate Request from the Certificate Request window, and paste and submit it per the guidelines of your Certificate Authority. The Certificate Authority will issue a verifiable, authenticable third-party certificate.

OPTIONAL: While waiting for the certificate to be issued by the Certificate Authority, you may use the certificate from the Certificate Request window as a self-signed cer tificate (see below).

NOTE: Preventing accidental overwriting of an existing certificate:

If you plan on using a new Certificate Request, fill out a new form under the Certificate Request

Parameters tab. Be aware, though, that the newly generated Certificate Request will replace

the Certificate Request previously generated once you submit it. Therefore, if you wish to retain your previously generated Certificate Request for any reason, copy its text, and paste it into a separate text file. Save the file before generating a new request.

Using a Self-Signed Certificate

In the process of generating a Certificate Request, a self-signed certificate will automatically be generated simultaneously. It will be displayed under the Certificate Request tab.

You may use your self-signed certificate (or the default Spectracom self-signed certificate that comes with the unit) while waiting for the HTTPS certificate from the Certificate Authority, or – if a Certificate Authority is not available – until it expires. The typical life span of a certificate is about 10years.

NOTE: When accessing the SecureSync WebUI while using the self-signed certificate, your

Windows®web browser will ask you to confirm that you want to access this site via https with only a self-signed certificate in place. Other operating systems may vary in how they install and accept certificates. External Internet access may be required by your Certificate Authority to verify your certificate.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 84

2.14 Configuring Network Settings

2.14.6.6 Uploading an X.509 PEM Certificate Text

Many certificate authorities simply issue a certificate in the form of a plain text file. If your cer tificate was provided in this manner, and the certificate is in the X.509 PEM format, follow the procedure below to upload the certificate text by copying and pasting it into the WebUI.

Note: Only X.509 PEM certificates can be loaded in this manner. Certificates

issued in other formats must be uploaded via the Upload Certificate tab.

To upload an X.509 PEM certificate text to SecureSync:

Navigate to MANAGEMENT > NETWORK: HTTPS Setup.

Select the Upload X.509 PEM Certificate tab.

Copy the text of the certificate that was issued to you by your Certificate Authority, and paste it into the text field.

Click Submit.to upload the certificate to SecureSync.

NOTE: The text inside the text field under the Edit X.509 PEM Certificate tab is editable.

However, changes should not be made to a certificate once it is imported; instead, a new cer tificate should be requested. An invalid certificate may result in denial of access to the SecureSync through the Web UI. If this occurs, see "If a Secure Unit Becomes Inaccessible" on page251.

2.14.6.7 Uploading an HTTPS Certificate File

Once the HTTPS Certificate has been issued by your Certificate Authority, you have to upload the certificate file to SecureSync, unless it is a X.509 PEM-format certificate: in this case you may also upload the certificate text directly, see "Uploading an X.509 PEM Certificate Text" above.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 85

Note: For more information about certificate formats, see "Supported Certificate

Format Types" on page63.

To upload an HTTPS certificate file to SecureSync:

Store the Public Keys File provided to you by the Certificate Authority in a location accessible from the computer on which you are running the WebUI.

In the WebUI, navigate to MANAGEMENT > NETWORK: HTTPS Setup.

Select the tab Upload Certificate File.

2.14 Configuring Network Settings

2.14.7 SSH

The SSH, or Secure Shell, protocol is a cryptographic network protocol, allowing secure remote login by establishing a secure channel between an SSH client and an SSH server. SSH uses host keys to uniquely identify each SSH server. Host keys are used for server authen tication and identification. A secure unit permits users to create or delete RSA or DSA keys for the SSH2 protocol.

Choose the Certificate Type for the HTTPS Certificate supplied by the Certificate Author ity from the Certification Type drop-down menu:

PEM

DER

PKCS #7 PEM

PKCS #7 DER

Click the Browse… button and locate the Public Keys File provided by the Certificate Authority in its location where you stored it in step 1.

Click Submit.

Note: SecureSync will automatically format the certificate into the X.509

PEM format.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 86

2.14 Configuring Network Settings

Note: Only SSH2 is supported due to vulnerabilities in the SSH1 protocol.

The SSH tools supported by SecureSync are:

SSH: Secure Shell

SCP: Secure Copy

SFTP: Secure File Transfer Protocol

SecureSync implements the server components of SSH, SCP, and SFTP. For more information on OpenSSH, please refer to www.openssh.org. To configure SSH:

Navigate to MANAGEMENT > NETWORK: SSH Setup. The SSH Setup window will dis play.

The window contains two tabs:

Host Keys: SSH uses Host Keys to uniquely identify each SSH server. Host keys

are used for server authentication and identification.

Public Key: This is a text field interface that allows the user to edit the public key

files authorized_keys file.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 87

2.14 Configuring Network Settings

Note: Should you exit the SSH Setup window (by clicking X in the top right

corner of the window, or by clicking anywhere outside of the window), while filling out the Certificate Request Parameters form before clicking

Submit, any information you entered will be lost. When switching between

tabs within the SSH Setup window, however, the information you have entered will be retained.

Host Keys

You may choose to delete individual RSA or DSA host keys. Should you decide to delete the RSA or DSA key, the SSH will function, but that form of server authentication will not be avail able. Should you delete both the RSA and DSA keys, SSH will not function. In addition, if SSH host keys are being generated at the time of deletion, the key generation processes are stopped, any keys created will be deleted, and all key bit sizes are set to 0.

You may choose to delete existing keys and request the creation of new keys, but it is often sim pler to make these requests separately.

You can create individual RSA and DSA Host Public/Private Key pairs. Host keys must first be deleted before new Host Keys can be created.

SecureSync units have their initial host keys created at the factory. RSA host key sizes can vary between 768 and 4096 bits. The recommended key size is 1024. Though many key sizes are supported, it is recommended that users select key sizes that are powers of 2 or divisible by 2. The most popular sizes are 768, 1024, and 2048. Large key sizes of up to 4096 are sup ported, but may take 10 minutes or more to generate. DSA keys size support is limited to 1024 bits.

Host keys are generated in the background. Creating RSA and DSA keys, each with 1024 bits length, typically takes about 30 seconds. Keys are created in the order of RSA, DSA, RSA. When the keys are created you can successfully make SSH client connections. If the unit is rebooted with host key creation in progress, or the unit is booted and no host keys exist the key generation process is restarted. The key generation process uses either the previously specified key sizes or if a key size is undefined, the default key bit length size used is 2048. A key with a zero length or blank key size field is not created.

The SSH client utilities SSH, SCP, and SFTP allow for several modes of user authentication. SSH allows you to remotely login or transfer files by identifying your account and the target machine's IP address. As a user you can authenticate yourself by using your account password, or by using a Public Private Key Pair.

It is advisable to keep your private key secret within your workstation or network user account, and provide the SecureSync a copy of your public key. The modes of authentication supported include:

Either Public Key with Passphrase or Login Account Password

Public Key with Passphrase only

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 88

2.14 Configuring Network Settings

SSH using public/private key authentication is the most secure authenticating method for SSH, SCP or SFTP sessions.

You are required to create private and public key pairs on your workstation or within a private area in your network account. These keys may be RSA or DSA and may be any key bit length as supported by the SSH client tool. These public keys are stored in a file in the .ssh directory named authorized_keys. The file is to be formatted such that the key is followed

by the optional comment with only one key per line.

Note: The file format, line terminations, and other EOL or EOF characters should

correspond to UNIX conventions, not Windows.

Changing Key Length Values

You may change the key length of the RSA, DSA, ECDSA, and ED25519 type host keys. To change the key length of a host key:

Navigate to MANAGEMENT > NETWORK: SSH Setup. The SSH Setup window will open to the Host Keys tab by default.

Select the Key Length value for the key type you want to change.

Key sizes that are powers of 2 or divisible by 2 are recommended. The most popular sizes are 768, 1024, and 2048. Large key sizes of up to 4096 are supported, but may

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 89

take 10 minutes or more to generate. DSA keys size support is limited to 1024 bits. The key type ED25519 supports 256 bits.

Check the Regenerate All Keys box.

Click Submit. The new values will be saved.

Note: Changing the values and submitting them in this manner DOES NOT gen

erate new host public/private key pairs. See "Creating Host Public/Private Key

Pairs" below for information on how to create new host public/private key pairs.

Deleting Host Keys

You can delete individual host keys. To delete a key:

Navigate to MANAGEMENT > NETWORK: SSH Setup. The window will open to the

Host Keys tab by default.

Select Delete in the field for the key you wish to delete, and click Submit.

2.14 Configuring Network Settings

Creating Host Public/Private Key Pairs

You may create individualHost Public/Private Key pairs. Host keys must first be deleted before new Host Keys can be created. To create a new set of host keys:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 90

2.14 Configuring Network Settings

To access the SSH setup screen, navigate to MANAGEMENT > NETWORK: SSH Setup. The window will open to the Host Keys tab by default.

Should you want to change the key length of any host key, enter the desired length in the text field corresponding to the length you wish to change.

Check the Regenerate All Keys box.

Click Submit. The KeyType/Status/Action table will temporarily disappear while the SecureSync regenerates the keys. The Host keys are generated in the background. Creating RSA and DSA keys, each with 1024 bits length, typically takes about 30 seconds. Keys are cre ated in the order of RSA, DSA, ECDSA, ED25519. SecureSync will generate all 4 host keys, RSA, DSA, ECDSA, and ED25519.

Delete any of the keys you do not want. See "Deleting Host Keys" on the previous page.

Note: If the unit is rebooted with host key creation in progress, or the unit

is booted and no host keys exist, the key generation process is restarted. The key generation process uses the previously specified key sizes.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 91

2.14 Configuring Network Settings

Note: If a key size is undefined, the default key bit length size used is

2048. A key with a zero length or blank key size field will not be created.

When you delete a host key and recreate a new one, SSH client sessions will warn you that the host key has changed for this particular IP address. The user will then either have to:

Override the warning and accept the new Public Host Key and start a new connection. This is the default. This option allows users to login using either method. Whichever mode works is allowed for logging in. If the Public Key is not correct or the Passphrase is not valid the user is then prompted for the login account password.

Remove the old Host Public Key from their client system and accept the new Host Public Key. This option simply skips public/private key authentication and immediately prompts the user for password over a secure encrypted session avoiding sending passwords in the clear.

Load a public key into SecureSync. This public key must match the private key found in the users account and be accessible to the SSH, SCP, or SFTP client program. The user must then enter the Passphrase after authentication of the keys to provide the second factor for 2-factor authentication.

Please consult your specific SSH client’s software’s documentation.

Public Keys: Viewing, Editing, Loading

The authorized_keys file can be viewed and edited, so as to enable adding and delet ing Public Keys. The user may also retrieve the authorized_keys file from the .ssh dir ectory Using FTP, SCP, or SFTP.

If you want to completely control the public keys used for authentication, a correctly formatted

authorized_ keys file formatted as indicated in the OpenSSH web site can be loaded

onto SecureSync. You can transfer a new public key file using the Web UI. To view and edit the authorized_keys file:

Navigate to MANAGEMENT > NETWORK: SSH Setup. The SSH Setup window will open to the Host Keys tab by default.

Select the Public Key tab. The authorized_keys file appears in the Public Keys File

window:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 92

2.14 Configuring Network Settings

Edit the authorized_keys file as desired.

Click the Submit button or Apply button.

The file is to be formatted such that the key is followed by an optional comment, with only one key per line. The file format, line terminations, and other EOL or EOF characters should cor respond to UNIX conventions, not Windows.

Note: If you delete ALL Public Keys, Public/Private Key authentication is disabled.

If you have selected SSH authentication using the Public Key with Passphrase option, login and file transfers will be forbidden. You must select a method allow ing the use of account password authentication to enable login or file transfers using SCP or SFTP.

Editing the "authorized_key" File via CLI

Secure shell sessions using an SSH client can be performed using the admin or a user-defined account. The user may use Account Password or Public Key with Passphrase authentication. The OpenSSH tool SSH-KEYGEN may be used to create RSA and DSA keys used to identify and authenticate user login or file transfers.

The following command lines for OpenSSH SSH client tool are given as examples of how to create an SSH session.

Creating an SSH session with Password Authentication for the admin account

ssh spadmin@10.10.200.5

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 93

2.14 Configuring Network Settings

spadmin@10.10.200.5's password: admin123

You are now presented with boot up text and/or a “>” prompt which allows the use of the Spectracom command line interface.

Creating an SSH session using Public Key with Passphrase Authentication for the admin account

You must first provide the secure Spectracom product a RSA public key found typically in the OpenSSH id_rsa.pub file. Then you may attempt to create an SSH session.

ssh -i ./id_rsa spadmin@10.10.200.5

Enter passphrase for key './id_rsa': mysecretpassphrase

Please consult the SSH client tool’s documentation for specifics on how to use the tool, select SSH protocols, and provide user private keys.

Secure File Transfer Using SCP and SFTP

SecureSync provides secure file transfer capabilities using the SSH client tools SCP and SFTP. Authentication is performed using either Account Passwords or Public Key with Passphrase.

Example output from OpenSSH, SCP, and SFTP client commands are shown below.

Perform an SCP file transfer to the device using Account Password authentication

scp authorized_keys scp@10.10.200.5:.ssh

spadmin@10.10.200.135's password: admin123

publickeys 100% |***************************************************| 5 00:00

Perform an SCP file transfer to the device using Public Key with Passphrase authen tication.

scp -i ./id_rsa spadmin@10.10.200.5:.ssh

Enter passphrase for key './id_rsa': mysecretpassphrase

publickeys 100% |***************************************************| 5 00:00

Perform an SFTP file transfer to the device using Account Password authentication.

sftp spadmin@10.10.200.5

spadmin@10.10.200.135's password: admin123

You will be presented with the SFTP prompt allowing interactive file transfer and directory nav igation.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 94

2.14 Configuring Network Settings

Perform an SFTP file transfer to the device using Public Key with Passphrase authen tication

sftp -i ./id_rsa spadmin@10.10.200.5

Enter passphrase for key './id_rsa': mysecretpassphrase

You will be presented with the SFTP prompt allowing interactive file transfer and directory nav igation.

Recommended SSH Client Tools

Spectracom does not make any recommendations for specific SSH clients, SCP clients, or SFTP client tools. However, there are many SSH based tools available to the user at low cost or free.

Two good, free examples of SSH tool suites are the command line based tool OpenSSH run ning on a Linux or OpenBSD x86 platform and the SSH tool suite PuTTY.

The OpenSSH tool suite in source code form is freely available at www.openssh.org though you must also provide an OpenSSL library, which can be found at www.openssl.org.

PuTTY can be found at: http://www.chiark.greenend.org.uk/~sgtatham/putty/.

SSH Timeout

The keep-SSH alive timeout is hard-set to 7200 seconds. This value is not configurable.

2.14.8 SNMP

SNMP (Simple Network Management Protocol) is a widely used application-layer protocol for managing and monitoring network elements. It has been defined by the Internet Architecture Board under RFC-1157 for exchanging management information between network devices, and is part of the TCP/IP protocol.

SNMP agents must be enabled and configured so that they can communicate with the network management system (NMS). The agent is also responsible for controlling the database of con trol variables defined in the Management Information Base (MIB).

SecureSync’s SNMP functionality supports SNMP versions V1, V2c and V3 (with SNMP Version3 being a secure SNMP protocol).

To access the SNMP Setup screen:

Navigate to MANAGEMENT > NETWORK: SNMP Setup. The SNMP screen will dis play:

Note: In order to configure SNMP, you need ADMINISTRATORrights.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 95

The SNMP screen is divided into 3 panels:

The Main panel, which is subdivided into 3 displays:

SNMP V1/V2: This panel allows configuration of SNMP v1 and v2c com

munities (used to restrict or allow access to SNMP). This tab allows the con figurations for SNMP v1 and v2c, including the protocols allowed, permissions and Community names as well as the ability to permit or deny access to portions of the network. Clicking on the “+” symbol in the topright corner opens the SNMP V1/V2c Settings for Access Screen. See "SNMP V1/V2c" on page82.

2.14 Configuring Network Settings

SNMP V3: This panel allows configuration of SNMP v3 functionality,

including the user name, read/write permissions, authorization passwords as well as privilege Types and Passphrases. Clicking on the “+” symbol in the top-right corner opens the SNMP V3 Screen. See "SNMP V3" on page84.

SNMP Traps: This panel allows you to define different SNMP Managers

that SNMP traps can be sent to over the network. This allows for SNMP Managers in different geographical areas to receive the same SNMP traps that Managers in other areas also receive. Clicking the PLUS icon in the top-right corner opens the SNMP Traps Settings Screen. See also "SNMP Traps" on page85 and "Setting Up SNMP Notifications" on page224.

The Actions panel, which contains the Restore Default SNMP Configuration but ton.

The SNMP Status panel, which offers:

An SNMP ON/OFF switch.

An Authentication Error Trap ON/OFF switch.

SysObjID—The System Object ID number. This is editable in the SNMP

Status panel (see "Configuring the SNMP Status" on the next page).

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 96

2.14 Configuring Network Settings

Restoring the Default SNMP Configuration

To restore the SecureSync to its default SNMP configuration:

Navigate to the MANAGEMENT > NETWORK: SNMP Setup screen.

In the Actions panel, click the Restore Default SNMP Configuration button.

Confirm that you want to restore the default settings in the pop-up message.

Contact Information—The email to contact for service. This is editable in

the SNMP Status panel (see "Configuring the SNMP Status" below).

Location—The system location. This is editable in the SNMP Status panel

(see "Configuring the SNMP Status" below).

Description — A simple product description. This is not editable in the

SNMP Status.

Configuring the SNMP Status

The SNMP Status Settings are sysObjectID, sysContact, and sysLocation. To configure SNMP Status Settings:

Navigate to MANAGEMENT > NETWORK: SNMP Setup.

In the SNMP Status panel on the left, click the GEARicon in the top-right corner of the panel.

The SNMP Status pop-up window will display:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 97

2.14 Configuring Network Settings

The following settings can be configured in this window:

In the sysObjectID field, enter the SNMP system object ID.

In the sysContact field, enter the e- mail information for the system contact you wish to use.

In the sysLocation field, enter the system location of your SecureSync unit.

Click Submit, or cancel by clicking the X-icon in the top-right corner.

Accessing the SNMP Support MIB Files

Spectracom’s private enterprise MIB files can be extracted via File Transfer Protocol (FTP) from SecureSync, using an FTP client such as FileZilla or any other shareware/freeware FTP pro gram.

To obtain the MIB files from SecureSync via FTP/SFTP:

1.1.

Using an FTP program, log in as an administrator.

Through the FTP program, locate the Spectracom MIB files in the /home/spec-

tracom/mibs directory.

FTP the files to the desired location on your PC for later transfer to the SNMP Manager.

Compile the MIB files onto the SNMP Manager.

Note: When compiling the MIB files, some SNMP Manager programs may

require the MIB files to be named something other than the current names for the files. The MIB file names may be changed or edited as necessary to meet the requirements of the SNMP Manager. Refer to the SNMP Manager documentation for more information on these requirements.

Note: In addition to the Spectracom MIB files, there are also some net-

snmp MIB files provided. Net-snmp is the embedded SNMP agent that is used in the SecureSync and it provides traps to notify the user when it starts, restarts, or shuts down. These MIB files may also be compiled into your SNMP manager, if they are not already present.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 98

2.14 Configuring Network Settings

Spectracom’s private enterprise MIB files can be requested and obtained from the Spec tracom Customer Service department via email at techsupport@spectracom.com.

2.14.8.1 SNMP V1/V2c

SNMP V1 is the first version of the SNMP protocol, as defined in the IETF (Internet Engineering Task Force) RFCs (Request for Comments) number 1155 and 1157. SNMP V2c is the revised protocol, but it also uses the V1 community based administration model.

Creating Communities

Navigate to MANAGEMENT > NETWORK: SNMP Setup.

In the SNMP V1/V2 panel click the PLUS icon in the top-right corner.

Note: By default, techsupport@spectracom.com is the address in the

sysContact field of the SNMP Status panel of the SNMP Setup page.

The SNMP V1/V2c Settings for Access window will display:

Enter the required information in the fields provided

The IP Version field provides a choice of IPv4, IPV6 or both IPv4 and IPv6 (= default).

The choices offered below will change in context with the choice made in the IP

Version field.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 99

If no value is entered in the IPv4 and/or IPv6 field, SecureSync uses the system default address.

SNMP Community names should be between 4 and 32 characters in length.

Permissions may be Read Only or Read/Write

The Version field provides a choice of V1 or V2c.

Click Submit. The created communities will appear in the SNMP V1/V2 panel:

Editing and Deleting Communities

2.14 Configuring Network Settings

To edit or delete a community you have created:

Navigate to MANAGEMENT > NETWORK: SNMP Setup.

Click the row of the SNMP V1/V2 panel that displays the community you wish to edit or delete. The cursor will change from an arrow icon to a pointing finger to indicate that the entry is clickable.

The SNMP V1/V2c Settings for Access window will display.

Note: The options available for editing in the SNMP V1/V2c Settings for

Access window will vary contextually according to the information in the entry chosen.

To edit the settings, enter the new details you want to edit and click Submit. OR: To

delete the entry, click Delete.

CHAPTER 2 • SecureSync User Reference Guide Rev. 23

Page 100

2.14 Configuring Network Settings

2.14.8.2 SNMP V3

SNMP V3 utilizes a user-based security model which, among other things, offer enhanced secur ity over SNMP V1 and V2.

Creating Users

Navigate to MANAGEMENT > NETWORK: SNMP Setup.

In the SNMP V3 panel, click the PLUS icon in the top-right corner.

The SNMP V3 Settings window will display.

Enter the required information in the fields provided.

SNMP User Names and passwords are independent of users that are configured on the Tools/Users page.

User names are arbitrary. SNMP User Names should be between 1 and 31 characters in length.

The User Name must be the same on SecureSync and on the management station.

The Auth Type field provides a choice between MD5 and SHA.

The Auth Password must be between 8 and 32 characters in length.

The Priv Type field provides a choice between AES and DES.

The Priv Passphrase must be between 8 and 32 characters in length.

The Permissions field provides a choice between Read/Write and Read Only.

Click Submit. The created user will appear in the SNMP V3 panel:

CHAPTER 2 • SecureSync User Reference Guide Rev. 23