
AMT Director provisioning problem with "TLS Security + XXX"

Last post 07-10-2008, 3:07 PM by Javier Andrés Cáceres Alvis. 7 replies.
 07-08-2008, 2:33 PM 30258581  

AMT Director provisioning problem with "TLS Security + XXX"

Hi there,

I've provisioned an AMT machine in Enterprise mode with TLS security and it's working fine, but when I change to "Use TLS Security + XXX" following the required steps, the machine is not seen by AMT Director and provisioning does not finish, requiring me to manually reset the AMT system and switch back to "Use TLS Security".

Javier Andrés


Javier Andrés Cáceres Alvis
 
 07-08-2008, 3:52 PM 30258585 in reply to 30258581  

Re: AMT Director provisioning problem with "TLS Security + XXX"

Hi,

Could you specify the AMT and DTK versions that you are using? Also, did you un-provision the system before switching to "Use TLS Security + XXX"?

Thanks,

Sree

 

 
 07-09-2008, 7:42 AM 30258641 in reply to 30258585  

Re: AMT Director provisioning problem with "TLS Security + XXX"

Hi Sree

DTK Version: v0.51

And yes! We have unprovisioned the AMT computer before switching to "Use TLS + XXX".

thanks

Javier Andrés Cáceres Alvis
 
 07-09-2008, 1:26 PM 30258687 in reply to 30258641  

Re: AMT Director provisioning problem with "TLS Security + XXX"

Hi,

Which version of AMT are you using? How did you unprovision the system before switching to "use TLS + XXX"? Was it through the Director? If so, did you go for partial or full unprovisioning?

Thanks,

Sree

 
 07-09-2008, 2:23 PM 30258690 in reply to 30258687  

Re: AMT Director provisioning problem with "TLS Security + XXX"

The AMT version is 3.0.
The unprovisioning was done using Director and by manual reset (and both of them fail).
I switched to "full unprovision" before unprovisioning.

Thanks


Javier Andrés Cáceres Alvis
 
 07-09-2008, 3:15 PM 30258692 in reply to 30258690  

Re: AMT Director provisioning problem with "TLS Security + XXX"


Hello Sree,

I've continued trying different approaches and now it's working with TLS + console authentication. The thing is that I used to click on "toggle trust" on the certificate that I selected for the Profile, and what I tried now was creating a certificate, not toggling trust on it, and then selecting it for the Security Profile.

Please verify for me whether this is the working flow:
- The AMT machine authenticates the server using a certificate issued by the Root certificate.
- The server authenticates the AMT machine because the machine is using a certificate which the server trusts.

And please verify for me whether, when it says console configuration, it is talking about any application trying to connect to the AMT machine, or specifically about Director; and whether, when it talks about agent, it is referring to any application using the "agent presence" feature on the AMT machine.

Many thanks,


Javier Andrés


Javier Andrés Cáceres Alvis
 
 07-10-2008, 9:51 AM 30258762 in reply to 30258692  

Re: AMT Director provisioning problem with "TLS Security + XXX"

Hi,

The mutual authentication process of Remote Configuration is as follows:

  1. The ProvisionServer requests the self-signed certificate of the Intel® AMT client.
  2. The Intel® AMT management engine requests the Intel® Client Setup Certificate from the ProvisionServer. Based on the self-signed certificate from the client, the ProvisionServer generates TLS key 1 and encrypts this using the public key obtained from the client's self-signed certificate. The encrypted TLS key 1, Intel® Client Setup Certificate, and PEM file are then sent to the management engine.
  3. At this point, the Intel® AMT client does some validation:
     - Extracts and stores Key 1.
     - Using the PEM file and Intel® Client Setup certificate, the management engine extracts the root certificate, generates a certificate hash and validates it against the local active certificate hash. NOTE: If the two hashes do not match, the process stops.
     - Validates the OU assignment of the Intel® Client Setup certificate to the DNS suffix received via DHCP IP lease with option 15. For this reason, each ProvisionServer MUST have a unique Intel® Client Setup certificate. A wildcard certificate (e.g. *.company.com) is supported (AMT version 2.6 and beyond).
  4. If the previous validation steps complete successfully, the Intel® AMT management engine creates TLS key 2, encrypts it with the public key of the Intel® Client Setup Certificate obtained from the ProvisionServer, and transmits it.
  5. With TLS key 1 and key 2 obtained by both the ProvisionServer and the Intel® AMT management engine, mutual authentication has occurred and an MTLS session is established.
    At this point, the configuration process occurs where the FQDN and UUID are matched, the assigned Intel® AMT profile is sent to the management engine, and the changes are committed.

Regarding the question on console - I assume you are asking whether a Management Console is any application that can manage an AMT system, not just the Director; and that is correct.

A software agent is any application like Antivirus or Firewall running on the AMT system. More details on this can be seen at Agent Presence Checking Use case and System Defence and Agent Presence Guide

Thanks,

Sree
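
Added example (not part of the reply above and not Intel's or the DTK's code): a sketch of the client-side checks from step 3 of the reply above, so the two failure points are visible when troubleshooting a provisioning that stops. The function names, the use of SHA-1 for the root hash, the comparison of the certificate's subject name against the option 15 suffix, and the sample values are assumptions made for illustration.

```python
import hashlib

def suffix_matches(cert_name: str, dhcp_suffix: str) -> bool:
    """True if cert_name (exact host name or '*.' wildcard) lies under dhcp_suffix."""
    name = cert_name.lower().rstrip(".")
    suffix = dhcp_suffix.lower().strip(".")
    if not suffix:
        return False  # no option 15 suffix received: nothing to match against
    if name.startswith("*."):
        # Wildcard name: in this sketch the part after '*.' must equal the suffix.
        return name[2:] == suffix
    # Match on a label boundary so 'ps.evilcompany.com' fails for 'company.com'.
    return name.endswith("." + suffix)

def validate_setup_cert(root_der: bytes, active_hashes: set,
                        cert_name: str, dhcp_suffix: str) -> tuple:
    """Model of step 3: root hash check first, then the DNS suffix check."""
    # Assumption: the stored "active certificate hash" is a SHA-1 hex digest
    # of the root certificate bytes.
    digest = hashlib.sha1(root_der).hexdigest()
    if digest not in {h.lower() for h in active_hashes}:
        return (False, "root hash mismatch")  # the reply's NOTE: process stops
    if not suffix_matches(cert_name, dhcp_suffix):
        return (False, "dns suffix mismatch")
    return (True, "ok")

# Constructed sample input, not real certificate data.
ROOT_DER = b"constructed-root-certificate-bytes"
ACTIVE_HASHES = {hashlib.sha1(ROOT_DER).hexdigest().upper()}

if __name__ == "__main__":
    for name, suffix in [("provision.company.com", "company.com"),
                         ("*.company.com", "Company.com."),
                         ("ps.evilcompany.com", "company.com")]:
        print(name, suffix, validate_setup_cert(ROOT_DER, ACTIVE_HASHES, name, suffix))
```
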

 
 07-10-2008, 3:07 PM 30258790 in reply to 30258762  

Re: AMT Director provisioning problem with "TLS Security + XXX"

Many thanks Sree,

That's what I needed to know.

Javier Andrés


Javier Andrés Cáceres Alvis
 