18.3.5. Activation / Deactivation of SPE for Access Points

Activation

Perform the following steps to activate SPE for access points.
  1. Distribute Master Encryption Key (MEK) via OpenScape 4000 Assistant to all APs configured in the system (states Ready, NPR (not present) and UNACH (hierarchically blocked)).
    This will
    • configure the MEK in the RMX for all access points regardless of their state and
    • transmit the MEK to all access points in Ready state.
    The Master Encryption Key (MEK) is used to encrypt the signaling data between the host system and an IPDA access point.
    The MEK must be configured first on the NCUI boards for new access points and then on the host system. For more information, please refer to Section 3.5.1, “New Access Point in an Active SPE System”.
    The MEK is configured via OpenScape 4000 Assistant:
    Expert Mode > Gateway Manager > SPE
  2. Check the Progress to see if something has failed.
  3. Expert Mode > Gateway Manager > SPE
  4. For access points with the status NPR and UNACH, you need to enter the MEK manually via CLI on the access point using the Set new MEK XXXXXXXXXXXXXXXX command.
  5. Once MEKs have been successfully configured for all access points, SPE can be activated.
  6. The access point encryption is activated with AMO SIPCO, parameter IPDAENCR:
    CHANGE-SIPCO:TYPE=SECURITY,IPDAENCR=YES;
    IPDAENCR (YES/NO):
    Signaling and payload encryption for IPDA connections.
    SPE activation for the access points fails if MEKs are not configured for all access points (see points 1 to 3).
  7. Following activation of security in AMO SIPCO, a hard system restart is required.
IMPORTANT:
If you have a duplex system, you have to perform the hard restart command on both processors simultaneously (at the same time). This means all LTUs and APs will restart!
    EXEC-REST:TYPE=UNIT,UNIT=BP,RSLEVEL=HARD;
  1. Exception
    A soft restart is enough, if
    • no common gateways exist in the access point
    • no HFA subscribers exist in the access point
    • only TDM terminals exist in the access point
    • common gateways in the access point need no encryption
    • HFA subscribers in the access point need no encryption
    Example: Soft restart of the active BP
    EXEC-REST:TYPE=UNIT,UNIT=BP,RSLEVEL=SOFT;
  2. If you have common gateway boards and HFA subscribers in the access point and if these are to be used in secure mode, you have to perform all steps that would be necessary if the common gateway board and the HFA subscribers were in the host system (activate SPE with AMO ZANDE parameter SPESUPP, import certificates and so on).

Deactivation

If a customer wants to deactivate SPE completely for the access points and the associated common gateways, a hard restart must be performed.