diff --git a/openair2/RRC/LTE/rrc_eNB.c b/openair2/RRC/LTE/rrc_eNB.c
index 50aa9d67d5dbcaaed24b96045f3968a89fdec3f7..4754abfe539cc26819109551a489b4f070526282 100644
--- a/openair2/RRC/LTE/rrc_eNB.c
+++ b/openair2/RRC/LTE/rrc_eNB.c
@@ -105,6 +105,9 @@ extern uint16_t                     two_tier_hexagonal_cellIds[7];
 mui_t                               rrc_eNB_mui = 0;
 
 extern uint32_t to_earfcn_DL(int eutra_bandP, uint32_t dl_CarrierFreq, uint32_t bw);
+extern int rrc_eNB_process_security(const protocol_ctxt_t *const ctxt_pP, rrc_eNB_ue_context_t *const ue_context_pP, security_capabilities_t *security_capabilities_pP);
+extern void process_eNB_security_key (const protocol_ctxt_t *const ctxt_pP, rrc_eNB_ue_context_t *const ue_context_pP, uint8_t *security_key_pP);
+extern int derive_keNB_star(const uint8_t *kenb_32, const uint16_t pci, const uint32_t earfcn_dl, const bool is_rel8_only, uint8_t * kenb_star);
 
 void
 openair_rrc_on(
@@ -3800,6 +3803,9 @@ rrc_eNB_process_MeasurementReport(
   int neighboring_cells=-1;
   int ncell_index = 0;
   long ncell_max = -150;
+  uint32_t earfcn_dl;
+  uint8_t KeNB_star[32] = { 0 };
+
   T(T_ENB_RRC_MEASUREMENT_REPORT, T_INT(ctxt_pP->module_id), T_INT(ctxt_pP->frame),
     T_INT(ctxt_pP->subframe), T_INT(ctxt_pP->rnti));
 
@@ -3929,9 +3935,11 @@ rrc_eNB_process_MeasurementReport(
     // Don't know how to get this ID?
     X2AP_HANDOVER_REQ(msg).mme_ue_s1ap_id = ue_context_pP->ue_context.mme_ue_s1ap_id;
     X2AP_HANDOVER_REQ(msg).security_capabilities = ue_context_pP->ue_context.security_capabilities;
-    memcpy (X2AP_HANDOVER_REQ(msg).kenb,
-            ue_context_pP->ue_context.kenb,
-            32);
+    // compute keNB*
+    earfcn_dl = (uint32_t)to_earfcn_DL(RC.rrc[ctxt_pP->module_id]->carrier[0].eutra_band, RC.rrc[ctxt_pP->module_id]->carrier[0].dl_CarrierFreq,
+    RC.rrc[ctxt_pP->module_id]->carrier[0].N_RB_DL);
+    derive_keNB_star(ue_context_pP->ue_context.kenb, X2AP_HANDOVER_REQ(msg).target_physCellId, earfcn_dl, true, KeNB_star);
+    memcpy(X2AP_HANDOVER_REQ(msg).kenb, KeNB_star, 32);
     X2AP_HANDOVER_REQ(msg).kenb_ncc = ue_context_pP->ue_context.kenb_ncc;
     //X2AP_HANDOVER_REQ(msg).ue_ambr=ue_context_pP->ue_context.ue_ambr;
     X2AP_HANDOVER_REQ(msg).nb_e_rabs_tobesetup = ue_context_pP->ue_context.setup_e_rabs;
@@ -4078,9 +4086,9 @@ void rrc_eNB_process_handoverPreparationInformation(int mod_id, x2ap_handover_re
   int rnti = taus() & 0xffff;
   int i;
   //global_rnti = rnti;
-  //HandoverPreparationInformation_t *ho = NULL;
-  //HandoverPreparationInformation_r8_IEs_t *ho_info;
-  //asn_dec_rval_t                      dec_rval;
+  LTE_HandoverPreparationInformation_t *ho = NULL;
+  LTE_HandoverPreparationInformation_r8_IEs_t *ho_info;
+  asn_dec_rval_t                      dec_rval;
   ue_context_target_p = rrc_eNB_get_ue_context(RC.rrc[mod_id], rnti);
 
   if (ue_context_target_p != NULL) {
@@ -4114,16 +4122,20 @@ void rrc_eNB_process_handoverPreparationInformation(int mod_id, x2ap_handover_re
   ue_context_target_p->ue_context.kenb_ncc = m->kenb_ncc;
   ue_context_target_p->ue_context.security_capabilities.encryption_algorithms = m->security_capabilities.encryption_algorithms;
   ue_context_target_p->ue_context.security_capabilities.integrity_algorithms = m->security_capabilities.integrity_algorithms;
-  /*
+
   dec_rval = uper_decode(NULL,
-                         &asn_DEF_HandoverPreparationInformation,
+                         &asn_DEF_LTE_HandoverPreparationInformation,
                          (void **)&ho,
                          m->rrc_buffer,
                          m->rrc_buffer_size, 0, 0);
 
+ if ( LOG_DEBUGFLAG(DEBUG_ASN1) ) {
+     xer_fprint(stdout, &asn_DEF_LTE_HandoverPreparationInformation, ho);
+ }
+
   if (dec_rval.code != RC_OK ||
-      ho->criticalExtensions.present != HandoverPreparationInformation__criticalExtensions_PR_c1 ||
-      ho->criticalExtensions.choice.c1.present != HandoverPreparationInformation__criticalExtensions__c1_PR_handoverPreparationInformation_r8) {
+      ho->criticalExtensions.present != LTE_HandoverPreparationInformation__criticalExtensions_PR_c1 ||
+      ho->criticalExtensions.choice.c1.present != LTE_HandoverPreparationInformation__criticalExtensions__c1_PR_handoverPreparationInformation_r8) {
     LOG_E(RRC, "could not decode Handover Preparation\n");
     abort();
   }
@@ -4132,13 +4144,13 @@ void rrc_eNB_process_handoverPreparationInformation(int mod_id, x2ap_handover_re
 
   if (ue_context_target_p->ue_context.UE_Capability) {
     LOG_I(RRC, "freeing old UE capabilities for UE %x\n", rnti);
-    ASN_STRUCT_FREE(asn_DEF_UE_EUTRA_Capability,
+    ASN_STRUCT_FREE(asn_DEF_LTE_UE_EUTRA_Capability,
                     ue_context_target_p->ue_context.UE_Capability);
     ue_context_target_p->ue_context.UE_Capability = 0;
   }
 
   dec_rval = uper_decode(NULL,
-                         &asn_DEF_UE_EUTRA_Capability,
+                         &asn_DEF_LTE_UE_EUTRA_Capability,
                          (void **)&ue_context_target_p->ue_context.UE_Capability,
                          ho_info->ue_RadioAccessCapabilityInfo.list.array[0]->ueCapabilityRAT_Container.buf,
                          ho_info->ue_RadioAccessCapabilityInfo.list.array[0]->ueCapabilityRAT_Container.size, 0, 0);
@@ -4146,16 +4158,16 @@ void rrc_eNB_process_handoverPreparationInformation(int mod_id, x2ap_handover_re
   ue_context_target_p->ue_context.UE_Capability_size = ho_info->ue_RadioAccessCapabilityInfo.list.array[0]->ueCapabilityRAT_Container.size;
 
   if ( LOG_DEBUGFLAG(DEBUG_ASN1) ) {
-     xer_fprint(stdout, &asn_DEF_UE_EUTRA_Capability, ue_context_target_p->ue_context.UE_Capability);
+     xer_fprint(stdout, &asn_DEF_LTE_UE_EUTRA_Capability, ue_context_target_p->ue_context.UE_Capability);
   }
 
   if ((dec_rval.code != RC_OK) && (dec_rval.consumed == 0)) {
       LOG_E(RRC, "Failed to decode UE capabilities (%zu bytes)\n", dec_rval.consumed);
-      ASN_STRUCT_FREE(asn_DEF_UE_EUTRA_Capability,
+      ASN_STRUCT_FREE(asn_DEF_LTE_UE_EUTRA_Capability,
                       ue_context_target_p->ue_context.UE_Capability);
       ue_context_target_p->ue_context.UE_Capability = 0;
   }
-  */
+
   ue_context_target_p->ue_context.nb_of_e_rabs = m->nb_e_rabs_tobesetup;
   ue_context_target_p->ue_context.setup_e_rabs = m->nb_e_rabs_tobesetup;
   ue_context_target_p->ue_context.mme_ue_s1ap_id = m->mme_ue_s1ap_id;
@@ -4239,7 +4251,6 @@ check_handovers(
 )
 //-----------------------------------------------------------------------------
 {
-  int                                 result;
   struct rrc_eNB_ue_context_s        *ue_context_p;
   RB_FOREACH(ue_context_p, rrc_ue_tree_s, &(RC.rrc[ctxt_pP->module_id]->rrc_ue_head)) {
     ctxt_pP->rnti  = ue_context_p->ue_id_rnti;
@@ -4256,19 +4267,15 @@ check_handovers(
         LOG_I(RRC,
               "[eNB %d] Frame %d : Logical Channel UL-DCCH, processing RRCHandoverPreparationInformation, sending RRCConnectionReconfiguration to UE %d \n",
               ctxt_pP->module_id, ctxt_pP->frame, ue_context_p->ue_context.rnti);
-        result = pdcp_data_req(ctxt_pP,
-                               SRB_FLAG_YES,
-                               DCCH,
-                               rrc_eNB_mui++,
-                               SDU_CONFIRM_NO,
-                               ue_context_p->ue_context.handover_info->size,
-                               ue_context_p->ue_context.handover_info->buf,
-                               PDCP_TRANSMISSION_MODE_CONTROL
-#if (LTE_RRC_VERSION >= MAKE_VERSION(14, 0, 0))
-                               ,NULL, NULL
-#endif
-                              );
-        AssertFatal(result == TRUE, "PDCP data request failed!\n");
+        rrc_data_req(
+          ctxt_pP,
+          DCCH,
+          rrc_eNB_mui++,
+          SDU_CONFIRM_NO,
+          ue_context_p->ue_context.handover_info->size,
+          ue_context_p->ue_context.handover_info->buf,
+          PDCP_TRANSMISSION_MODE_CONTROL);
+
         ue_context_p->ue_context.handover_info->state = HO_COMPLETE;
         LOG_I(RRC, "RRC Sends RRCConnectionReconfiguration to UE %d  at frame %d and subframe %d \n", ue_context_p->ue_context.rnti, ctxt_pP->frame,ctxt_pP->subframe);
       }
@@ -5306,6 +5313,19 @@ rrc_eNB_configure_rbs_handover(struct rrc_eNB_ue_context_s *ue_context_p, protoc
                           , 0, 0
 #endif
                          );
+  rrc_eNB_process_security (
+    ctxt_pP,
+    ue_context_p,
+    &ue_context_p->ue_context.security_capabilities);
+  process_eNB_security_key (
+    ctxt_pP,
+    ue_context_p,
+    ue_context_p->ue_context.kenb);
+  rrc_pdcp_config_security(
+    ctxt_pP,
+    ue_context_p,
+    FALSE);
+
   // Add a new user (called during the HO procedure)
   LOG_I(RRC, "rrc_eNB_target_add_ue_handover module_id %d rnti %d\n", ctxt_pP->module_id, ctxt_pP->rnti);
   // Configure MAC for the target
diff --git a/openair2/RRC/LTE/rrc_eNB_S1AP.c b/openair2/RRC/LTE/rrc_eNB_S1AP.c
index e07a4bd5d2c43cb85427975113ffad0e1659ff41..84f166e9e3cc1458894af81b44de211b98dcd32e 100644
--- a/openair2/RRC/LTE/rrc_eNB_S1AP.c
+++ b/openair2/RRC/LTE/rrc_eNB_S1AP.c
@@ -426,7 +426,7 @@ static e_LTE_SecurityAlgorithmConfig__integrityProtAlgorithm rrc_eNB_select_inte
  *\param security_capabilities The security capabilities received from S1AP.
  *\return TRUE if at least one algorithm has been changed else FALSE.
  */
-static int
+int
 rrc_eNB_process_security(
   const protocol_ctxt_t *const ctxt_pP,
   rrc_eNB_ue_context_t          *const ue_context_pP,
@@ -477,7 +477,7 @@ rrc_eNB_process_security(
  *\param security_key_pP The security key received from S1AP.
  */
 //------------------------------------------------------------------------------
-static void process_eNB_security_key (
+void process_eNB_security_key (
   const protocol_ctxt_t *const ctxt_pP,
   rrc_eNB_ue_context_t          *const ue_context_pP,
   uint8_t               *security_key_pP
diff --git a/openair2/X2AP/x2ap_eNB_handler.c b/openair2/X2AP/x2ap_eNB_handler.c
index 52b14f1d236510804626c9ee889383f19f306e78..b3b83a7e694f2860e9a25da2f7b83b69c1a6a2ed 100644
--- a/openair2/X2AP/x2ap_eNB_handler.c
+++ b/openair2/X2AP/x2ap_eNB_handler.c
@@ -671,8 +671,8 @@ int x2ap_eNB_handle_handover_preparation (instance_t instance,
   if (c->size > 1024 /* TODO: this is the size of rrc_buffer in struct x2ap_handover_req_ack_s*/)
     { printf("%s:%d: fatal: buffer too big\n", __FILE__, __LINE__); abort(); }
 
-  memcpy(X2AP_HANDOVER_REQ_ACK(msg).rrc_buffer, c->buf, c->size);
-  X2AP_HANDOVER_REQ_ACK(msg).rrc_buffer_size = c->size;
+  memcpy(X2AP_HANDOVER_REQ(msg).rrc_buffer, c->buf, c->size);
+  X2AP_HANDOVER_REQ(msg).rrc_buffer_size = c->size;
 
   itti_send_msg_to_task(TASK_RRC_ENB, x2ap_eNB_data->x2ap_eNB_instance->instance, msg);