October 26, 2021

Blog post | Telecom

New ways to build mobile networks

PrimeKey Tech Sales on 5G Security

By using commercial off-the-shelf (COTS) hardware and virtualized software for mobile networks, new possibilities and new challenges arise for mobile operators. The need for security offered by PKI is increasing in this highly dynamic and flexible environment. The PrimeKey containerized PKI product EJBCA will give customers an advantage over standard deployed PKI products.

Traditionally, mobile network operators (MNOs) have built mobile networks using proprietary, dedicated equipment from a few mobile network vendors. Due to tough competition, the number of mobile network vendors has been reduced significantly, and there are currently mainly three left worldwide: Ericsson, Huawei and Nokia. As every MNO wants to maintain competition among vendors to reduce prices, the MNO usually buys equipment from at least two vendors when new equipment is to be rolled out.

The national authorities want to have competition among MNOs within a country. With the number of MNOs within a country regulated to three or four, subscribers can choose freely among the MNOs that get a license to offer mobile services. When it comes to outdoor coverage, the MNOs are usually forced to cooperate by sharing a physical mobile mast and putting all their antennas on it. All other equipment necessary for mobile services, including the radio base station, is owned by each MNO. This means three or more instances of mobile service equipment using space and power.

Taking the same approach when building indoor coverage becomes a problem. A building typically needs many small radio base stations, as the radio signals are blocked by walls, floors, elevator shafts, etc. In a shopping mall, the visitors have chosen different mobile operators among those available and expect their mobile phones to work as well indoors as outdoors. Equipping the building with multiple antennas and equipment from every MNO becomes expensive and impractical, as space is so limited indoors compared to outdoors. One solution is to invent a new type of operator, a neutral host.

A neutral host operator for indoor coverage is an operator without any subscribers of its own. All mobile traffic is forwarded to existing MNOs, so the visitors are unaware of the neutral host operator. The MNOs lease the mobile service from the neutral host operator, who manages the indoor mobile network.

In the United Kingdom, the specification JOTS NHIB (Joint Operator Technical Specifications for Neutral Host In-Building) describes an architecture for neutral hosts within buildings. The JOTS document is agreed by the four UK mobile network operators: Telefonica O2, EE, Vodafone and 3UK.

COTS and Virtualized mobile software

With the improvements in recent years in both hardware processing capacity and software design, there are now completely new ways to implement a mobile network service. This creates new opportunities for operators, including neutral host operators, to reduce the cost of implementing mobile service. The existing MNOs also benefit from neutral host operators, as the cost of the necessary equipment is shared among participating MNOs when indoor coverage is to be implemented.

By using COTS hardware and virtualized mobile software in the form of containers, the cost can be significantly reduced compared to using traditional proprietary equipment from mobile network vendors. A containerized mobile network solution also makes it possible to scale the processing capacity much better, in real time, when mobile traffic is high, for example in the afternoon in a shopping mall. The organization O-RAN ALLIANCE was founded in February 2018 by AT&T, China Mobile, Deutsche Telekom, NTT DOCOMO and Orange. It was established as a German entity in August 2018.

This organization works in close cooperation with 3GPP on how to use COTS and container technology when implementing mobile network services. O-RAN ALLIANCE's mission is to re-shape the RAN industry towards more intelligent, open, virtualized and fully interoperable mobile networks.

When using containers, there is a need to ensure secure communication between containers. The traditional requirements for confidentiality, integrity and authentication still exist, just as they do with traditional mobile equipment, as the 3GPP security standards are independent of implementation technology. This is where the containerized PrimeKey PKI product, EJBCA, comes in.

Figure: Commercial off-the-shelf hardware and virtualized software for mobile networks, including the PKI solution.

Deploying your PKI as VMs or Containers

When using containers or Virtual Machines, there are technically two ways of using the PrimeKey EJBCA product:

  • As a Software Appliance, self-sustained, packaged VM, to run directly in your virtualization infrastructure, connecting to network attached hardware security modules 
  • As a Docker Container, allowing you to deploy PKI in your container infrastructure, with the full flexibility you come to expect from containerized environments 

Kubernetes has gained massive popularity as the most common container runtime/orchestrator, with on-premise installations as well as cloud service offerings. As long as you consider the security aspects, it is natural to also run your PKI in a container runtime in a containerized mobile network environment. Running the PKI or digital signature solution as containers can be very streamlined, and it can also be combined with Ansible for automation and parameterized configuration.

PrimeKey offers EJBCA as a container deployment; contact us for a discussion on EJBCA Enterprise containers. EJBCA Community is available for immediate deployment from DockerHub, making it possible to get a test PKI up in a few seconds.

PrimeKey has an internal container registry used for Enterprise containers. To customize more complex, best-practice deployments in Kubernetes, we provide container deployment examples with ready-to-use YAML files for MicroK8s and Docker Engine, setting up separate containers for the database, EJBCA, and Ingress. This technology is also used to deploy and run EJBCA in Red Hat OpenShift.

New vendors of virtualized mobile networks, such as Mavenir, Parallel Wireless and Altiostar, and also established mobile network vendors, like Ericsson and Nokia, can now offer the benefits of virtualized mobile network products. In combination with a containerized PKI, this will be an attractive offer to MNOs compared to a traditional implementation using proprietary equipment.


Learn more

You can find more information about CMP 3GPP operations along with PKI/Signature Services for Microservices and DevOps on PrimeKey Documentation.

CMP 3GPP Operations

PKI and Signature Services for Microservices and DevOps



Peter Heidenberg

Peter Heidenberg is a pre-sales engineer at PrimeKey, focusing on end-to-end solutions from both a technical point of view as well as a commercial point of view. Peter is based in Sweden at PrimeKey's headquarters. He has over 20 years of experience working in Telecom, where his focus was on transmission & transport, and has been focusing on IT security/PKI for the last four years.