
Activation Blog

36 Posts tagged with the activation tag

 

The USB Key Provisioning Utility (UKPU) tool is designed to create a valid USB key for provisioning Intel® AMT Systems. The UKPU tool prepares a USB Flash drive, copies the requested setup.bin to the drive, and also verifies that the setup.bin is saved using the proper procedures necessary to ensure that it is detected by Intel® AMT.

 

The tool has a 'repair' mode that allows you to take an existing USB Key and reconstruct it to ensure the setup.bin is visible to Intel® AMT. In addition, you can set up a USB Key using any renamed setup.bin file on your computer, and the tool will automatically ensure it is renamed to 'setup.bin' when setting up the key.

 

Here's a 3 minute video overview of the tool's capabilities (Click here to view video on YouTube):

 

Both binary only & open source licensed source versions available at the download site.

 

DOPD SW Engineering Team


In Part 1 of this series we covered troubleshooting the local AMT client system. In this part we'll discuss the server components as part of the provisioning process. Learn how the symptoms pinpoint each component, and what methods reveal the source of the problem. Learn how Out of Band Management handles the Hello Packets in conjunction with the Intel SCS Component.

 

Introduction

Provisioning isn't a single road. There are two primary paths to reaching a provisioned state, not counting the simple 'Small Business Mode'. Pre-shared Keys (TLS-PSK) and Remote Configuration (certificate-based TLS) are the two methods by which an AMT system authenticates with the Provision Server and receives a Profile that sets it into a Provisioned state. Understanding the server components is essential to properly diagnosing and troubleshooting problems with the process. Part 3 of this series will cover the symptoms and their likely causes, including troubleshooting details.

 

The following components integrate in the following manner:

 

 

 

 

Out of Band Management

Out of Band Management contains 3 main components, with further components broken down as shown here:

 

  • Out of Band Management Solution - This is the main NS installer

    • NS-based Tasks and Agents

    • Provisioning Console Nodes

  • Out of Band Setup and Configuration - This is a wrapper for the Intel SCS install

    • Creates the files used for the Intel SCS installation

  • Intel SCS Component - This is Intel code for interacting with AMT systems

    • AMTConfig Service

    • IntelAMT database

Out of Band Management Solution

The installer for this Solution creates the Altiris Console pages and underlying code that interface directly with the Intel SCS component. Consider those pages as hooks into Intel SCS. Intel SCS can install without Out of Band Management. Everything located in the Altiris Console at View > Solutions > Out of Band Management > Configuration > Provisioning ties directly through the AMTSCS web service to access the IntelAMT database (with the exception of DNS Configuration, Service Location, and Delayed Provisioning).

 

This installer also creates the Tasks, Packages, and Agents used for Out of Band Management, including:

 

 

  • Out of Band Discovery - This is an EXE that uses the standard NS Software Delivery to detect the presence of AMT and pull certain data out, including the UUID. This is used heavily for FQDN mapping and is an important part of the best provisioning method.

  • Out of Band Task Agent - This agent installs like any other Altiris Agent subagent. It's used to function with ASF, or to restart the Hello Packet sequence with Delayed Provisioning in Remote Configuration.

  • Delayed Provisioning Task - This restarts the Hello Packet sequence, and requires the Out of Band Task Agent.

  • Collections and Packages - Collections and Packages for the above items.

  • Oobprov.exe - This is the Provisioning agent that assists the SCS in provisioning AMT client systems.

 

Important points:

 

  1. Out of Band Management NS items will work without IntelSCS, but the Provisioning nodes require Intel SCS to be installed and properly configured.


  2. Installed alone, most of the above nodes will not function. The default error shown here appears with ANY problem:

    • Error connecting to the Intel® AMT Setup and Configuration Server. Verify that Intel® AMT Setup and Configuration Service security settings are configured and AMTConfig service is running. See documentation for details on troubleshooting the Intel® Setup and Configuration Server Installation.

  3. The error always has a second bullet point, with another warning box containing additional bullets. These usually give a more specific message concerning the problem. I've rarely found that the message above accurately points to the source of the problem. See this screenshot for an example:

 

 

Out of Band Setup and Configuration

This installer is truly just a wrapper for the Intel SCS installation. It does provide a crucial function. It lays down the following folder structure where the Intel SCS Component is installed from:

 

  • Install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS

 

The installer does make an automatic attempt to install Intel SCS using the script located at the above location named InstallWithDefaultSettings.cmd. This install makes the following assumptions:

 

  1. The SQL database server and instance is the same one the Notification Server is using

  2. The AMTConfig service account will run under the Altiris Application Identity credentials

  3. The Database install and user will be the Altiris Application Identity Account

  4. The Default Web Site is available for install of the AMTSCS virtual directory

Intel SCS Component

The Intel Setup and Configuration Service component is provided by Intel and supported by Altiris\Symantec. This includes the following components:

 

  1. IntelAMT database - Like the Altiris database, the IntelAMT database is the backbone of the SCS component. The following items are included in the database:

    1. Hello packet data

    2. Queues for Provisioning and Maintenance actions

    3. Settings for SCS

    4. Security keys

    5. AMT machine data

    6. AMT Profiles

  2. AMTConfig Service - This service is the piece that talks to the AMT systems and processes items in the database queues. It also calls oobprov.exe to assist in provisioning, primarily to obtain the FQDN for the system.

  3. AMTSCS Virtual Directory - In IIS, SCS creates a virtual directory that contains the interfaces the Out of Band Management Console uses to connect to the IntelAMT database. Its simple structure belies the importance of this interface.

 

Keep in mind the following:

 

  1. Failures to install are almost always security related. See the below ‘Install' section for more information.

  2. The IntelAMT and Altiris databases are required to be installed to the same SQL instance for Resource Synchronization to work (Resource Synch is the process of importing AMT systems from SCS to NS. In cases where a system is already managed by NS, the data will be merged in the existing NS record)

Install

Often when you install Out of Band Management Solution or the Altiris Manageability Toolkit for vPro Technology the assumptions cause the OOBSC component to fail, and a message is thrown giving basic instructions on how to install it manually. In some ways I prefer the manual installation so each setting can be directly controlled. When this happens, it's important to follow these steps to avoid issues:

 

  1. Log onto the Notification Server with the Application Identity, or if not allowed, log on as the user that has rights to the Notification Server and the SQL Server.

  2. Stop IIS on the Notification Server, shut down all Altiris Consoles, stop the AMTConfig service, and shut down any SQL consoles (SQL Enterprise Studio, Query Analyzer, etc). While this can be difficult to arrange, it ensures all necessary accesses and resources are available.

  3. Launch the installer directly from install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\AMTConfServer.exe

  4. Follow the onscreen prompts. In the next part we'll discuss a scripted install should this install fail. The scripted install allows greater visibility to the process and shows any errors as they occur.

Oobprov.exe

This component is what is known as the Provisioning Script, or Properties Script. Intel SCS requires a provisioning script in order to conduct Provisioning, and as mentioned earlier this is provided as part of Out of Band Management.

 

When the AMTConfig Service receives an incoming hello message, it logs it in, places the provisioning request in the queue, and then calls oobprov.exe. Any message stating ‘Properties Script Failed' means that oobprov.exe did not successfully provision the AMT system.

 

 

AMTSCS Virtual Web-site

The web-site is generally invisible to the admin running the Console. It must exist, but otherwise the mechanism is pretty solid. The one exception is TLS (Transport Layer Security): whether or not it is in use affects how this virtual directory has to be configured.

 

Keep in mind the following:

 

 

  1. If you will be using TLS for AMT management, this virtual directory must be set with https for any functionality.

  2. If you will not be using TLS, https cannot be enabled on this virtual directory.

  3. If TLS is not implemented but https is enabled on the virtual directory, the Altiris Console will fail.

  4. If TLS is enabled but https is disabled on the virtual directory, the Altiris Console will fail.

  5. The default is https enabled when running the SCS install manually.

IntelAMT database

Much like the Altiris database is to NS, the IntelAMT database is the backbone of Intel SCS. While all functions in the console are automatically interconnected in the database, understanding some of the important tables can help in the troubleshooting process.

 

Important tables

The following is a list of some of the core tables used by Intel SCS:

 

  • csti_amts - This is the data on the actual AMT system. When looking in the Intel AMT Systems node in the Altiris Console, it is reflecting data from this table.

  • csti_configuration - This table holds the core configuration between Out of Band Management and Intel SCS.

  • csti_uuid_maps - This maps the UUID (Primary AMT ID) to the FQDN.


  • csti_pid_map - This table contains the security key information so that Intel SCS can authenticate to the AMT client systems, and the client systems can initially authenticate with Intel SCS.

  • csto_queue_entries - This is the queue wherein Intel SCS processes Provisioning and Maintenance requests.

  • csto_delayed_entries - For Provisioning requests that have failed for whatever reason, this queue is used.

Conclusion

This introduction to the Server Components will help provide understanding for the moving pieces, and will be heavily referred to in Part 3. Knowing how each component functions will greatly help when walking through the troubleshooting steps, especially on how to identify where the problem is originating from.


 

*This is a repost of this article to the Activation section of the Site*

 

 

Troubleshooting issues with the Intel® AMT Provisioning process can be a daunting prospect. This series walks through the troubleshooting methods to pinpoint where problems originate and how to fix them. Use Part 1 to troubleshoot the AMT systems when provisioning is not occurring. If the issue is on the client side, this document should provide the tools to diagnose and fix the issue.

 

Introduction

There are several modes a vPro capable system can be in when it arrives at the customer site. The modes are:

 

  1. AMT disabled

  2. AMT enabled, not in Setup Mode (factory default)

  3. AMT enabled, not in Setup Mode (Password has been changed in the MEBx)

  4. AMT enabled, in Setup Mode for TLS-PSK

  5. AMT enabled, in Setup Mode for Remote Configuration

  6. Modes 4 and 5 in 'Hello' Packet Mode disabled

 

Each of the modes has its own quirks, and understanding the modes will help determine what state a system is in, and how to change a system from one state to another.

 

Versioning

It is important to understand the different versions of not only the local AMT build, but of Altiris' Out of Band Management with the Intel SCS Component. See the following table:

 

OOBM | Intel SCS | AMT
6.1  | 1.2       | 2.0, 2.1
     | 1.3       | 2.0, 2.1
6.2  | 3.0       | 2.0, 2.1, 2.5, 3.0
     | 3.2.1     | 2.0, 2.1, 2.2, 2.5, 2.6, 3.0

 

Note the following points when working with the different versions:

 

  • Versions 2.0, 2.1, 2.5 do not support Remote Configuration

  • Versions 2.5 and 2.6 are notebooks

  • Versions 2.2 and 2.6 are upgrades to versions 2.0, 2.1 and 2.5 respectively and provide the additional functionality of using Remote Configuration for Provisioning

  • Intel SCS version 1.2 was unstable. It's recommended to upgrade to 1.3 or upgrade OOB to 6.2.

  • Versions 2.2 and 2.6 are not supported for Remote Configuration unless Intel SCS is upgraded to version 3.2.1. Check the following KB articles for more information:

AMT Setup

Each mode for AMT sets the system in a specific state. See the brief descriptions below of how AMT acts in each state:

 

  1. AMT disabled - In this situation AMT must be enabled either manually by looking into the Intel MEBx (Ctrl+P at startup) or by using the RCT Tool. The following article covers the use of this tool, including data on the command-line switch that can be used to enable AMT:

  2. AMT enabled, not in Setup Mode (factory default) - This is the required mode to use USB One-Touch for provisioning. If a user or the OEM has logged into the MEBx and changed the password, the system is no longer in factory default and the One Touch method will not work.

  3. AMT enabled, not in Setup Mode (Password has been changed in the MEBx) - One Touch will not work, but manually entering the PSK or setting into Remote Configuration mode will allow the system to enter Setup Mode.

  4. AMT enabled, in Setup Mode for TLS-PSK - All Provisioning is encrypted using TLS, however the inner security workings can differ. For Pre-shared Key (known as PID PPS) a public and private key are used. The manufacturer can set a specific PID PPS on the system or a user can auto-generate them. The key is that both the client and server have to have the key in order for authentication to work.

  5. AMT enabled, in Setup Mode for Remote Configuration - All 2.2, 2.6, and 3.0 version AMT systems come in this mode unless the OEM is explicitly instructed to set it differently. The point of Remote Configuration is to avoid visiting the AMT system in order to get it provisioned for manageability use.

  6. Modes 4 and 5 in ‘Hello' Packet Mode disabled - This is common if the system is not immediately hooked up to the production network. All systems will fall into this state if they transmit the ‘hello' packet for 24 hours.

Troubleshooting Tools

Before we get into the actual symptoms, we'll cover the tools used to determine where the problem is coming from. While not easy to use, the logging capabilities allow us to verify if the correct processes are functioning on the local system.

 

AMT Logs

The Altiris Console has direct ties into the AMT Logs captured in the IntelAMT database as a normal part of operation. The Logging level is set in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > and select General. Debug Warning is recommended so you get both Errors and Warnings.

 

The logs are accessed from Provisioning > Logs > and select ‘Log'. Entries here will reveal problems during the provisioning process and other Intel SCS functions.

 

 

 

OOB Trace Logging

Out of Band Management has the ability to log trace details to a debugging program. See the following KB article for details on how to set this up:

 

 

Trace logging will log everything from console accesses, to oobprov.exe calls from IntelSCS. When oobprov.exe is called, all actions are logged to trace, which can capture problems with the provisioning process.

 

Wireshark

While the two above tools are distinctly for Out of Band Provisioning, Wireshark tells the whole story of what is coming and going across the wire. It's important to know what the AMT clients are sending, especially in the ‘Hello' packet, and what the server is responding with.

 

Wireshark can be obtained from: http://www.wireshark.org/. While this is the recommended tool, any network trace capture program can be used to examine the network traffic between the AMT client and the Provisioning Server.

 

Altiris Knowledgebase

All known errors and issues we've run across have been documented in the Altiris Knowledgebase. If you have a specific error, search in the KB and see if we have a documented fix for it. Access it directly here:

 

 

Symptoms

The following symptoms point to problems with the local AMT system or its ability to communicate to the Provisioning Server so that Provisioning can occur.

 

System Missing

A common symptom for new AMT client systems is that the system, even if believed to be in Setup Mode, doesn't show up in the Altiris Console under Intel® AMT Systems. The causes vary, but the following methodology should help pinpoint where the problem originates.

 

Is the system sending ‘Hello' packets? Walk through this procedure to determine if it is or not:

 

  1. Does the AMT Log contain entries for the system requesting Provisioning? The identifier in the logs is the UUID. One example of an error that would prevent a system from showing up is ‘failed to find PID mapping', meaning the requesting system is trying to authenticate with a PID that the Server does not have. Either import any keys provided by the OEM or other provider, or manually enter in the PID PPS under the ‘Security Keys' section of the Provisioning Altiris Console.

  2. If no entry appears for the system, place Wireshark on both the AMT client and the Server. Now initiate a restart of the ‘Hello' packet sequence by turning the AMT client off and unplugging it from power. Drain the capacitors by pressing the power button while unplugged. Generally the power LED will light for a moment before fading dark. Plug the system back in. Does the Server show hello packets (sending on port 16994, with destination port 9971) coming in from the system?

  3. If the server doesn't show any incoming ‘Hello' requests, fire up Wireshark on the local system to see if we see any ‘Hello' packets heading out. If they are actively leaving, something is blocking the traffic from reaching the Notification Server. These ports are standard TCP calls. See the next section labeled ‘Provision Server'.

  4. If no 'Hello' packets are being sent, the system may be in a non-Setup State. At the AMT system access the Intel MEBx by pressing Ctrl+P at startup. Is the password what was set up during Setup Mode, or will it only accept Admin? If none of the valid passwords work, this machine may be in an unworkable state. Unplug the CMOS battery for 15 seconds to put the machine back in Factory Default Mode, and set up as necessary.

Provision Server

With Wireshark we can prove a system is sending 'Hello' packets out on the wire. The destination is an important distinction, as usually this will be simply the name ProvisionServer. By default, Remote Configuration and TLS-PSK will target the simple name ProvisionServer. It's up to the administrator to properly direct that Hello packet to the Notification Server.

 

  1. If you ping ProvisionServer from a command-prompt, do you get the IP Address of the Notification Server? A CNAME record needs to be created in DNS to correctly direct the hello packets. Check page 21 of the Admin guide located at this KB article: Intel Communities for more information.

  2. Another place you can test the DNS functionality is under Provisioning in the Altiris Console. Select the ‘DNS Configuration' node. Click the ‘Test' button to initiate the test. A correct IP Address signifies that DNS is working correctly from the Notification Server. The ping test is still important to signify that the client can also resolve the name.

 

 

  3. If the network cannot support this CNAME, only two methods remain. You can set the Provision Server IP in the MEBx directly. You can also use the RCT tool to simulate the Hello packet and send it to the NS directly (see the previous link to the article on RCT usage).
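
The capture comparison from the 'System Missing' procedure, combined with the ProvisionServer destination check, can be scripted. This is an added example, not part of the original article or of any Altiris or Intel tool: it assumes each Wireshark capture was exported with tshark's field output as shown in the comment and that no NAT sits between client and server; the function names, result codes and sample addresses are made up for illustration.

```python
import csv
import io

HELLO_DST_PORT = 9971  # destination port of 'Hello' packets, as stated in the article

# Constructed sample exports (documentation addresses, not real captures), in the
# tab-separated layout produced by:
#   tshark -r capture.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst \
#          -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
CLIENT_CAPTURE = (
    "192.0.2.50\t16994\t192.0.2.10\t9971\t1\t0\n"   # Hello SYN leaving the AMT client
    "192.0.2.50\t16994\t192.0.2.10\t9971\t1\t0\n"   # retransmission, no reply seen
    "192.0.2.50\t49200\t192.0.2.10\t443\t1\t0\n"    # unrelated TCP traffic
    "192.0.2.50\t\t192.0.2.53\t\t\t\n"              # non-TCP packet: TCP fields empty
)
SERVER_CAPTURE = (
    "192.0.2.77\t16994\t192.0.2.10\t9971\t1\t0\n"   # Hello from a different client
)

# Next step for each result, following the article's procedure.
ADVICE = {
    "no-hello-sent": "Client sends no Hello packets; check in the MEBx whether it is in Setup Mode.",
    "wrong-destination": "Hello packets go to another host; check what ProvisionServer resolves to.",
    "blocked-in-transit": "Hello packets leave the client but never arrive; something is blocking the traffic.",
    "hello-reached-server": "Server receives the Hello; search the AMT Log for the system's UUID.",
}


def hello_attempts(export_text):
    """Return the set of (src_ip, dst_ip) pairs that sent a TCP SYN to the Hello port."""
    attempts = set()
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        if len(row) != 6:
            continue  # blank, malformed or truncated line
        src, _sport, dst, dport, syn, ack = (field.strip() for field in row)
        # tshark prints boolean flag fields as 1/0 or True/False depending on version.
        is_syn = syn in ("1", "True") and ack in ("0", "False")
        if is_syn and dport.isdigit() and int(dport) == HELLO_DST_PORT:
            attempts.add((src, dst))
    return attempts


def triage(client_ip, server_ip, client_capture, server_capture):
    """Classify where the Hello packets of one AMT client get lost."""
    sent_to = {dst for src, dst in hello_attempts(client_capture) if src == client_ip}
    if not sent_to:
        return "no-hello-sent"
    if server_ip not in sent_to:
        return "wrong-destination"
    if (client_ip, server_ip) not in hello_attempts(server_capture):
        return "blocked-in-transit"
    return "hello-reached-server"


if __name__ == "__main__":
    result = triage("192.0.2.50", "192.0.2.10", CLIENT_CAPTURE, SERVER_CAPTURE)
    print(result, "-", ADVICE[result])
```
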

Conclusion

Part 2 of this series covers the Server components for Provisioning. If you've read all the symptoms and suggestions, you'll note that there is crossover when troubleshooting between the client and the server, regardless of where the problem lies. See Part 2 for the continuation of Provisioning Troubleshooting.


Today we offer the USB Key Provisioning Utility (UKPU) focused on one-touch provisioning and the Intel® AMT Reflector which offers a unique implementation allowing an Intel® AMT client to access/manage some Intel® AMT functionality locally via the OS without entering the management engine directly (usually via BIOS).

 

Click here to learn more about Intel® AMT Reflector or here to download directly.

 

Click here to learn more about USB Key Provisioning Utility (UKPU) or here to download it directly.

 

Tell us what you think!

DOPD SW Engineering Team


Available for download and use is the SCS Setup Wizard, a tool designed to automate the installation of the Intel® Setup and Configuration Service (SCS) along with the third party pre-requisite components automatically. This is a pre-release alpha level project that will be updated soon. It requires a fresh install of Windows Server 2003 and un-provisioned Intel® AMT clients.

 

Background -

 

The Intel Setup and Configuration Service for Intel® Active Management Technology (Intel® AMT) is a free toolset that simplifies the preparation of hardware that supports Intel AMT for remote administration.

 

Intel SCS automates the process of populating Intel AMT managed platforms with the usernames, passwords, and network parameters that enable the platforms to be administered remotely.

 

The automation of these activities provides an efficient means of implementing Intel AMT hardware for enterprise customers.

 

The Intel SCS service works with other services in order to provide a secure setup and configuration infrastructure for Intel AMT devices.

 

To successfully take advantage of the functionality that the Intel SCS service can provide, all of the other needed services must be correctly installed and configured. These services include:

 

  • Microsoft SQL* Server

  • Internet Information Services (IIS) 6.0

  • Microsoft Certificate Authority

  • Active Directory

 

Installing and configuring all of the services needed to utilize the Intel SCS can take an experienced user 2+ hours to complete. Using the automation provided by the SCS Setup Wizard, this process can take less than 30 minutes.

 

SCS Setup Wizard performs the following functions -

  • Install/configure MS SQL Server 2005 Express* Edition and MS SQL Server Management Studio Express

  • Install/configure Internet Information Services (IIS) 6.0

  • Install/configure MS Certificate Authority*

  • Install/configure Active Directory Services

  • Install certificate for IIS

  • Install certificate for Intel AMT Client

  • Install/configure Intel SCS service

 

Download here:

http://downloadcenter.intel.com/detail_desc.aspx?ProductID=2557&DwnldID=15532&agr=N

 

DOPD Software Engineering Team


Define Activation...

Posted by Dave McCray Feb 25, 2008

Depending on your company's requirements (i.e. security, infrastructure, biz process) Activation can mean many things. If your security requirements are such Activation can simply mean enabling AMT in the BIOS in SMB mode. If your requirements are more stringent it can mean enabling AMT to prepare for Remote Configuration (Zero Touch), or, if you are still doing it the "old" way, then you are either manually (YUKE!) applying the PID/PPS combo or using the USB methodology. Great, but is this Activation? What about the other pieces to the device lifecycle i.e. break/fix, reuse, EOL where you have to manage the certificate? Intel IT, along with help from our friends in other Intel orgs are developing a programmatic script to aid in managing the systems as they move through the lifecycle. But is this Activation? How about how you use AMT? What business processes need to be changed to gain the full benefit of the cost savings from AMT?

 

Activation, as defined by Webster's Dictionary, is to make active or more active, or to set up or formally institute with the necessary personnel and equipment. What this means to AMT is that you need to map out all aspects of the full use of AMT but measure it based on each step of the way to get a clear picture of where you are. In other words, define your total market (systems in the environment that are AMT capable); how many have AMT enabled in the BIOS (in prep for RC); how many are fully provisioned; how far have you tested your full lifecycle; do you have your console strategy in place; how have you defined your use cases; are you using it? Each step is making AMT more active. How far have you gone? How do you define Activation?

 

 

Note: As the Intel IT and product groups validate the new provisioning script we will post additional information. It effectively removes the ambiguity in provisioning lifecycle; managing from initial provision to break / fix. More to come.

 

 
