
Activation Blog

20 Posts tagged with the provisioning tag

How Do I Use the CSV File Generated by Dell CFI Process?

If you've used the Dell CFI process for vPro configuration/provisioning, you've likely received a CSV file with a list of pre-shared keys and passwords. The normal process of importing the security keys into the Intel SCS database will not work, because the import process expects a .BIN file.

 

One workaround is to directly import the CSV data into the target database - IntelAMT. 

 

Making a direct database modification has inherent risks, so you may want to test this on a separate system if unsure. The good news: if you test on a separate non-production system, you can then follow the correct key export procedure, which will generate a valid setup.bin file. That valid setup.bin file can then be imported into your production server.

For those that want to go directly to database insert - here's what you do:

  • Check the last index number of the IntelAMT database table csti_pid_map.
  • Modify the CSV file to align with the target database table format (id, pid, pps, current_password, admin_password, used).
  • For the "used" field, a value of zero '0' means unused and will show the values in the console once imported. A value of '1' means used and will hide them from console view.
  • Use a bulk SQL import to insert the modified CSV file directly into the database.
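The three steps above carried out end to end, as an added example that is not code from the original post or its attached zip. It runs against an in-memory SQLite stand-in for the IntelAMT table csti_pid_map so it can be tried offline; the Dell CSV column names (PID, PPS, Password) and the mapping of that single password to both password columns are assumptions to align with your real file.

```python
import csv
import io
import sqlite3

# Constructed stand-in for the Dell CFI export. Column names and the single
# Password column are assumptions; align them with the real file before use.
DELL_CSV = """PID,PPS,Password
ABCD-1234,1111-2222-3333-4444-5555-6666-7777-8888,Pa55word!
EFGH-5678,AAAA-BBBB-CCCC-DDDD-EEEE-FFFF-0000-1111,Pa55word!
"""

# Target column order of the IntelAMT table csti_pid_map, as given in the post.
TARGET_COLUMNS = ("id", "pid", "pps", "current_password", "admin_password", "used")


def open_test_db(existing_keys=107):
    """In-memory stand-in for IntelAMT with csti_pid_map already holding keys
    (all marked used=1 here so only the imported ones show in the console)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE csti_pid_map (id INTEGER PRIMARY KEY, pid TEXT UNIQUE, "
        "pps TEXT, current_password TEXT, admin_password TEXT, used INTEGER)"
    )
    con.executemany(
        "INSERT INTO csti_pid_map VALUES (?, ?, ?, ?, ?, 1)",
        [(i, f"PRE{i:04d}", "x" * 32, "pw", "pw") for i in range(1, existing_keys + 1)],
    )
    return con


def last_index(con):
    """Step 1: the last index number currently in csti_pid_map."""
    return con.execute("SELECT COALESCE(MAX(id), 0) FROM csti_pid_map").fetchone()[0]


def convert_rows(dell_csv_text, start_id):
    """Step 2: rewrite the Dell rows into (id, pid, pps, current_password,
    admin_password, used) tuples, numbering ids from start_id upward.
    used=0 keeps the keys visible in the console after import."""
    rows = []
    for n, rec in enumerate(csv.DictReader(io.StringIO(dell_csv_text))):
        pid, pps, pw = rec["PID"].strip(), rec["PPS"].strip(), rec["Password"]
        # Sanity check: an AMT PID is 8 and a PPS 32 characters, hyphens aside.
        if len(pid.replace("-", "")) != 8 or len(pps.replace("-", "")) != 32:
            raise ValueError(f"malformed key on row {n + 1}: {pid}")
        # Mapping the one Dell password to both password columns is an assumption.
        rows.append((start_id + n, pid, pps, pw, pw, 0))
    return rows


def write_target_csv(rows):
    """The modified CSV in table column order (what samplesetup.csv looks like)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def bulk_import(con, rows):
    """Step 3: bulk insert; the UNIQUE pid constraint rejects duplicate keys."""
    with con:
        con.executemany("INSERT INTO csti_pid_map VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con.execute("SELECT COUNT(*) FROM csti_pid_map").fetchone()[0]


def console_visible_pids(con):
    """Keys the SCS console would list: those with used = 0."""
    return [r[0] for r in con.execute(
        "SELECT pid FROM csti_pid_map WHERE used = 0 ORDER BY id")]


if __name__ == "__main__":
    db = open_test_db()
    new_rows = convert_rows(DELL_CSV, last_index(db) + 1)
    print(write_target_csv(new_rows))
    print("rows after import:", bulk_import(db, new_rows))
    print("visible in console:", console_visible_pids(db))
```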

Explanation of Attached Sample File

In the attached file (convertCSV2BIN.zip) are three sample files for your reference:

  • samplesetup.csv - Modified CSV file to match the database table structure.   Notice that the index starts at 108 - this is because my test system already had generated 107 keys before stepping through this exercise
  • importcsvPID.sql - Sample SQL script for bulk import of samplesetup.csv to the IntelAMT database table csti_pid_map
  • samplesetup.bin - Correctly formatted .BIN file for preferred method of import   (this is unnecessary if you've decided to directly import)

Concluding Thoughts

My intent in sharing this is to provide a simple workaround for a frustrating situation. Conversations with Dell associates have occurred, yet corrections to the CFI process for vPro provisioning have not yet occurred. So in the meantime, if you receive a CSV file, use the workaround.

0 Comments Permalink

Some issues exist with the Intel® Active Management Technology (Intel® AMT) Setup and Configuration Service (Intel SCS or SCS) Console GUI in the 5.x versions.

 

While not insurmountable, they must be taken into consideration when planning the use of the SCS Console.

 

Take a look at my new post Intel® AMT SCS 5.X GUI Issues for details.

1 Comments Permalink

If you are getting ready to upgrade your Intel® Active Management Technology (Intel® AMT) Setup and Configuration Service (Intel SCS or SCS) from version 3.x to 5.x, check out my Intel® AMT SCS V3.3 TO 5.X Upgrade Overview.

 

 

It covers a couple of items that differ between the versions, especially around locations of your Remote Configuration provisioning certificate.

0 Comments Permalink

This new guide will help you start using vPro - there are instructions for creating provisioning templates, as well as how to perform remote admin tasks and EOLing machines. Use Case: Intel vPro Technology Common-Use Guide For LANDesk

 

To find a compilation of use case/implementation docs, see this wiki: Use Cases: Ways to use vPro in your environment

0 Comments Permalink

 

Whether you are planning to implement a vendor TLS certificate in the future, or you are having trouble applying a certificate you've already obtained, this article walks through the best practices. The details include all the steps to properly install the right items and resolve the issues we've encountered up to this point. This article applies to Out of Band Management Solution 6.2. Because certificate-based authentication is strict, if the right items and steps are not in place or followed, it can break the ability of AMT systems to provision with Remote Configuration.

 

 

 

Introduction

Using Remote Configuration to provision your Intel AMT vPro-capable computers takes the work out of the process. All AMT 2.6 and 3.0+ systems come preconfigured to automatically use Remote Configuration to provision with a valid provisioning server. The hashes from vendors (AMT 3.0 includes VeriSign, GoDaddy, Comodo) are already configured in the firmware, and upon connection to power and the network, the systems will begin to send out requests for provisioning. In this way the managed vPro systems are already prepared to be provisioned without any intervention by the IT staff.

 

 

 

 

The issues we see then arise from the server-side application of a certificate that matches the hashes already loaded. Obtaining and installing a vendor TLS Remote Configuration certificate needs to be done the right way so that authentication can succeed. Once in place, provisioning will roll forward without any further intervention. This article focuses on applying the server-side certificate so that provisioning can move forward automatically.

 

 

 

Obtaining a Remote Configuration Certificate

This subject has been covered previously. I wanted to lightly touch upon this as there is a vital step that should be taken so that if anything goes wrong we can correct it. First, the following article covers how to properly obtain a certificate:

 

 

 

 

Note that part of obtaining a Remote Configuration certificate is submitting the request from the server you plan to install the certificate onto. This process creates the private key for the server-side certificate, and that piece will not be available until partway through applying the crt (or cer) file obtained from the vendor. The specific step that provides the full key, both private and public, is when the certificate is exported to PFX format after the initial import; checking the option to export the private key gives you a complete backup of the full certificate. If something happens, or if the application didn't go right, we'll need both, so it's essential to export this as soon as possible.

 

 

 

 

 

During the steps to install the certificate, emphasis will be given to the step where the export should take place.

 

 

 

Installing the Certificate

I've condensed the steps required into the following list. This process works for all vendors once you've obtained a certificate. Note that these steps are provided to consolidate both recommended steps and documentation into one whole.

 

  1. Go to Start > Run > type mmc > and click OK.

  2. In the resulting console click File and choose Add/Remove Snap-in...

  3. Near the bottom of the resulting window click the Add button.

  4. From the list that appears select Certificates and then click the Add button.

  5. Leave the radio button set to 'My user account' and click Finish.

  6. From the same list select Certificates again and click the Add button.

  7. In the resulting window change the radio selection to 'Computer account' and click Next.

  8. Leave the selection at 'Local computer: (the computer this console is running on)' and click Finish.

  9. Click the Close button in the window offering you the list of available snap-ins.

  10. At the original add/remove snap-in screen verify that you have two entries:

    1. Certificates - Current User

    2. Certificates (Local Computer)

  11. Click OK.

  12. Expand both trees in the left-hand pane of the console. You should see the full certificate stores.

  13. Right-click the Personal folder under the Current User certificate store, highlight 'All Tasks' and click 'Import' in the pop-out menu.

  14. Click Next on the Welcome page of the Certificate Import Wizard and click the Browse button.

  15. Browse to the cer or crt file provided by the vendor, highlight it, and click Open.

  16. Click Next, and leave the radio option on 'Place all certificates in the following store', which should be set to 'Personal'. Click Next.

  17. Under the Completing section of the wizard, click Finish. You should receive a pop-up confirming the import.

  18. NOTE! This is the vital step mentioned previously in the article. We will now export the certificate with both public and private keys, which gives us the full set and allows us to remove and reapply it if necessary. In the MMC select the newly imported certificate > right-click > and choose All Tasks > Export...

  19. Click Next on the Welcome screen. In the resulting list you should have an active option for 'Personal Information Exchange - PKCS #12 (.PFX)'. If this option is not available there is a problem with the certificate and the private key is not accessible.

  20. Follow the wizard, and ensure you select the option 'Yes, export the private key'. When saving the file, it will prompt you to set a password to protect the private key (this is recommended for security reasons). The export should leave you with a PFX file. Keep this in a safe place, and back it up just in case.

  21. Next we need to import the full key into the Computer store. Back in the MMC, under the Local Computer certificate store, right-click the Personal folder and select All Tasks > Import...

  22. Click Next on the Welcome screen and click the Browse button on the subsequent screen.

  23. Browse to the newly exported PFX file. Note that you will need to change 'Files of type' to include the PFX format. Click Next.

  24. The Password screen prompts for the password you set when you exported the key in step #20. Enter the password and click Next.

  25. Choose or leave the selection at 'Place all certificates in the following store'. The value should be Personal. Click Next.

  26. Click Finish on the final details page to complete the import.

  27. Next, we need to load the certificate into Intel SCS so it can properly authenticate with the AMT systems requesting Remote Configuration. Browse to the following location: \Program Files\Intel\AMTConfServer\Tools.

  28. Execute the file loadcert.exe.

  29. Press Y and Enter.

  30. A 'Select Certificate' popup will appear. Select the name of the cer or crt file you received from the vendor and click OK. The window will disappear.

  31. Now both Personal certificate stores and Intel SCS should have all the needed certificates to work with Remote Configuration. However, we are not done, as other steps may be needed.

 

Reinstalling the Certificate

If you need to reinstall the certificate and have a PFX file, you can do so by opening both certificate stores (User and Local Computer) as outlined in the previous steps. Browse through the certificate stores and delete any instance of the vendor certificate. This will remove any associations and allow a clean application of the certificate to occur. Look for the following:

 

  • The name matching the name of the cer or crt file obtained from the vendor

  • The vendor's certificate (the entry will contain the vendor name).

 

NOTE: Be careful when removing vendor certificates as they may not be part of the Remote Configuration. The best example is Verisign, which may have many entries. If unsure, leave the certificate in place, or export it before deleting it so you can restore it if necessary.

 

 

Other Setup Requirements

The following items may be required, depending on the environment.

 

 

ProvisionServer

Each zone within DNS should have a ProvisionServer entry to ensure that Remote Configuration requests are properly routed. This will also help properly resolve names during the authentication process. To test, log onto a system on the subnet you're trying to conduct Remote Configuration from. Run a command prompt and use the following command:

 

  • ping ProvisionServer

 

 

 

The responding IP address should be the IP address of the Notification Server, or, if you've set it up this way, the Intel SCS server conducting provisioning. Another test you can try is to run the following command:

 

 

  • nslookup ProvisionServer

 

 

 

This should return the Notification Server's name.

 

 

 

DNS Zones

In a multiple domain structure this is especially important, but all environments need to have the right data in DNS to properly pass and authenticate in a TLS environment. The DNS Primary Zone should be set to the Domain path contained within the certificate. For example, if the certificate name is MyNSServer_My1Domain_local, the DNS Primary Zone should be My1Domain.local. Without this, authentication can fail as the FQDN is used during authentication, and if the name being transmitted across the wire doesn't match what's in the certificate, authentication will fail. Here is another example:

 

  • Certificate: MyNSServer_My1Domain_local.crt

  • DNS Primary lookup Zone: My1Domain.local

 

DHCP Option

Another network-related requirement may be DHCP Option 15. While I'm not sure why this has proven to be required in some environments and not others, creating this option has resolved failed authentication issues within Remote Configuration.

 

 

 

 

Create an entry for DHCP Option 15 with the value of the domain path. This will often be the same as the DNS Primary Zone. The following details are an example:

 

 

  • Certificate: MyNSServer_My1Domain_local.crt

  • DNS Primary lookup Zone: My1Domain.local

  • DHCP Option 15: My1Domain.local

 

Conclusion

Following the above procedure should allow remote configuration to occur without problems. Once in place, the configuration will move forward with automatically provisioning systems that support Remote Configuration.

2 Comments Permalink

Using LANDesk 8.8 for your vPro deployment? This quick start guide was updated to add new details and increase usability.

 

Quick Start Guide for LANDesk* and Intel® AMT

0 Comments Permalink

Hi everyone -

 

Here's a new guide that we just finished. Let me know what you think of this new format - we're trying to increase the usability of our documentation - let me know if we're on track!

 

This guide steps through Basic Mode Activation (formerly known as SMB Mode) of a Hewlett-Packard* 6910p. Once activated, follow the instructions to install the Intel(R) System Defense Utility and start exploring the supported use cases.

 

Basic (SMB) Mode Activation for the HP 6910p

0 Comments Permalink

For those who have provisioned Intel AMT systems, you may wonder what takes place in the background. This article is for you! The process has often been covered at a high level, but here the technical details are provided. Hopefully this helps you understand the inner workings and provides information for troubleshooting provisioning issues. And for those of you who are technically minded, it's also neat to know! This information was compiled while working on issues and running through provisioning processes from Symantec Support.

 

 

Introduction

The provisioning process for Intel vPro systems has often been described as complex. This comes from the fact that the provisioning process was designed with high security in mind. Since the initial release we have improved success rates by working with Intel to make the process more user friendly without compromising the high level of security. To this end, this document will explain the process of provisioning at a technical level, providing an unfiltered view of the process, again without compromising its security.

 

 

Provisioning Flow

The following process assumes that Altiris Out of Band Management and Intel SCS are installed, configured, and ready to go. It follows the flow of provisioning and what data points, technologies, and methods are used. The level of detail is meant to serve as a resource when working with provisioning or troubleshooting provisioning issues, so not every detail of the process is covered. Note the following points before moving through the process:

 

  • The console items in the Altiris Console under View > Solutions > Out of Band Management > Provisioning are not tied to the Altiris database like most of the rest of the Altiris Console. They connect through a virtual Website (AMTSCS under the Default Website of the SCS Server) to the IntelAMT database.

  • Data from two databases (IntelAMT and Altiris) is used during the provisioning process.

 

 

 

The following articles can assist if you need information on these:

 

 

 

 

  1. The server is loaded with a security key or certificate. See the following two items for how these keys are loaded:

    1. For PID/PPS, keys are either randomly generated or imported into the IntelAMT database. Specifically they reside in the table csti_pid_map. Once created/imported, they are available for verifying authentication of an incoming provisioning request from AMT.

    2. For TLS-PKI (certificate-based Remote Configuration) a certificate is loaded onto the server. See this article for details: http://juice.altiris.com/article/4496/obtaining-and-applying-a-verisign-remote-configuration-certificate.

  2. The clients need the matching keys loaded onto them. This is done differently depending on the type:

    1. For PID/PPS the keys are set by one of the following methods: the OEM sets them, they are entered manually into the Intel ME, or they are input via a one-touch USB flash drive. The PID and PPS are written into the firmware to be used as the authentication credentials when it looks for a provisioning server.

    2. For Remote Configuration (TLS-PKI), predefined hashes are burned into the firmware at the factory for the following certificate vendors (more to come in subsequent versions of AMT). This means AMT already has authentication keys to begin the provisioning process direct from the factory.

      • VeriSign

      • Comodo

      • GoDaddy

  3. The client machine, once it has its keys and has been connected to the network and power, uses one of two methods to find the Provisioning Server:

    1. The IP address of the server can be manually put into the Intel ME, including the port the SCS listener is configured for (default 9971). When this is done, the AMT client will transmit its Hello message directly to that IP address and port.

    2. The client will transmit its message on port 9971 to the name 'ProvisionServer'. If Out of Band Management, Intel SCS, and DNS have been properly set up, DNS will route the packet to the Notification Server.

  4. The Notification Server is set to listen for AMT provisioning traffic on port 9971, but can be configured to use a different port if desired in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > General. The top option is labeled 'Listen port:'.
    (screenshot: ListenPort.jpg)

  5. When SCS, via the service AMTConfig (process AMTConfigWinService.exe), receives the incoming "hello" packet, it initiates an authentication request with the client to complete the authentication process, the beginning of which was stored in the packet. Once authentication completes successfully, the process moves on.

  6. The service, AMTConfig, catches the incoming packet and logs the data in the IntelAMT database, in the table csti_amts. This table contains all the relevant data for this system's identity.
    (screenshot: csti_amts.jpg)

  7. Once the system has been logged into the IntelAMT database, Intel SCS uses the database entries under csti_configuration to initiate what's known as the props script. This script assists in the provisioning process. In the Altiris case it is oobprov.exe, located by default at C:\Program Files\Altiris\OOBSC\oobprov.exe. For an example of how Intel SCS knows about this, see this data snippet from the csti_configuration table:
    (screenshot: csti_configuration.jpg)

  8. On a busy SCS server you can look at Task Manager and see multiple instances of oobprov.exe running. The default settings allow 10 threads to work on provisioning requests at any given time. These threads interface with the Altiris database via the Altiris Agent on the local server system. In a standard setup the local system is also the Notification Server.

  9. OOBPROV runs a SQL query to fetch the Fully Qualified Domain Name (FQDN) for the system it is to provision. The query is based on the following data points:

    1. UUID passed to it via Intel SCS. Source: Database: IntelAMT, Table: csti_amts, Data Source: "Hello" packet from AMT system, Values used: uuid

    2. Database: Altiris, Data-class: OOB Capability, Table: Inv_OOB_Capability, Data Source: Out of Band Discovery Task, Values used: _ResourceGuid - UUID

    3. Database: Altiris, Data-class: AeX AC Location, Table: Inv_AeX_AC_Location, Data Source: Basic Inventory Agent, whether from the Basic Inventory function or Hardware Inventory from Inventory Solution, Values used: _ResourceGuid - Fully Qualified Domain Name

  10. The query accomplishes the following: it takes the UUID from csti_amts.uuid and looks for a match in Inv OOB Capability's uuid. If a match is made, it takes the _ResourceGuid from the same table and matches the same column name in AeX AC Location. With that match it then reads the value stored under Fully Qualified Domain Name (I'm not sure why they didn't just label this column FQDN...).

  11. Next, oobprov.exe hands back the FQDN it read from AeX AC Location, Fully Qualified Domain Name, and passes it to SCS. SCS takes this value and inserts it into the IntelAMT database at csti_amts.fqdn for the matching resource.

  12. Next, oobprov.exe fetches the automatic profile set within Out of Band Management Solution. This is done in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > Resource Synchronization. This policy needs to be enabled for this step to work, and a default profile configured and selected under the dropdown labeled 'Intel AMT 2.0+ to profile:'.

  13. The profile provides the operational data for management of the AMT system. After AMT accepts the profile, the provisioning process is complete. Before this step, AMT functionality is not available on this system, and after this step only properly authenticated functions will be able to use Intel vPro on the provisioned system.
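The FQDN lookup that oobprov.exe performs (the uuid to _ResourceGuid to Fully Qualified Domain Name join described above) and the write-back into csti_amts, as an added example that is not Altiris's or Intel's own code. It builds an in-memory SQLite stand-in with the table and column names the post gives (the real schemas have more columns and live in two separate databases) and constructed sample rows, and includes a diagnose() helper that reports which prerequisite from the troubleshooting list is missing when the join returns nothing.

```python
import sqlite3

# Constructed sample data (not real systems): three AMT clients at different
# stages of the flow. UUIDs and names are made up.
SYS_A = "11111111-1111-1111-1111-111111111111"  # fully inventoried
SYS_B = "22222222-2222-2222-2222-222222222222"  # discovered, no Basic Inventory yet
SYS_C = "33333333-3333-3333-3333-333333333333"  # Hello logged, no OOB discovery


def build_sample_db():
    """In-memory stand-in holding the IntelAMT and Altiris tables the post names.
    Only the columns the query touches are modelled; the real schemas have more."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE csti_amts (uuid TEXT PRIMARY KEY, fqdn TEXT);
        CREATE TABLE Inv_OOB_Capability (_ResourceGuid TEXT, UUID TEXT);
        CREATE TABLE Inv_AeX_AC_Location (
            _ResourceGuid TEXT, "Fully Qualified Domain Name" TEXT);
        """
    )
    # Step 6: Hello packets logged by AMTConfig (fqdn still empty).
    con.executemany("INSERT INTO csti_amts VALUES (?, NULL)",
                    [(SYS_A,), (SYS_B,), (SYS_C,)])
    # OOB Discovery Task output: resource GUID <-> AMT UUID.
    con.executemany("INSERT INTO Inv_OOB_Capability VALUES (?, ?)",
                    [("guid-a", SYS_A), ("guid-b", SYS_B)])
    # Basic Inventory has only reported a FQDN for system A.
    con.execute("INSERT INTO Inv_AeX_AC_Location VALUES (?, ?)",
                ("guid-a", "pc-a.My1Domain.local"))
    return con


# The join described in steps 9-10: Hello uuid -> _ResourceGuid -> FQDN.
# Matching is exact string equality, so UUID formatting must agree across tables.
FQDN_QUERY = """
SELECT loc."Fully Qualified Domain Name"
FROM csti_amts AS amt
JOIN Inv_OOB_Capability AS cap ON cap.UUID = amt.uuid
JOIN Inv_AeX_AC_Location AS loc ON loc._ResourceGuid = cap._ResourceGuid
WHERE amt.uuid = ?
"""


def lookup_fqdn(con, amt_uuid):
    """Return the FQDN oobprov.exe would hand back, or None if any link is missing."""
    row = con.execute(FQDN_QUERY, (amt_uuid,)).fetchone()
    return row[0] if row and row[0] else None


def record_fqdn(con, amt_uuid):
    """Step 11: SCS writes the returned FQDN into csti_amts.fqdn."""
    fqdn = lookup_fqdn(con, amt_uuid)
    if fqdn is not None:
        with con:
            con.execute("UPDATE csti_amts SET fqdn = ? WHERE uuid = ?",
                        (fqdn, amt_uuid))
    return fqdn


def diagnose(con, amt_uuid):
    """Which prerequisite from the troubleshooting list is missing for this UUID."""
    if not con.execute("SELECT 1 FROM csti_amts WHERE uuid = ?",
                       (amt_uuid,)).fetchone():
        return "no Hello packet logged in csti_amts"
    cap = con.execute("SELECT _ResourceGuid FROM Inv_OOB_Capability WHERE UUID = ?",
                      (amt_uuid,)).fetchone()
    if cap is None:
        return "OOB Discovery Task has not populated Inv_OOB_Capability"
    loc = con.execute('SELECT "Fully Qualified Domain Name" FROM Inv_AeX_AC_Location '
                      "WHERE _ResourceGuid = ?", (cap[0],)).fetchone()
    if loc is None or not loc[0]:
        return "Basic Inventory has not reported a FQDN in Inv_AeX_AC_Location"
    return "ok"


if __name__ == "__main__":
    db = build_sample_db()
    for u in (SYS_A, SYS_B, SYS_C):
        print(u[:8], record_fqdn(db, u), diagnose(db, u))
```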

 

Troubleshooting

The following items can be considered break points for this process. If you've done provisioning you may have run into the symptoms produced by the following items. These are compiled as common areas of trouble in this process.

 

  • The "Hello" packets are only transmitted for 24 hours, on a back-off schedule, before stopping altogether. If the server is unable to provision in that time, with IP refreshes becoming more frequent, the system can be left in a limbo state. See this article for steps to rectify: http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning

  • IP address changes or DHCP refreshes during a system's build process can leave SCS with an out-of-date IP address for a system that needs provisioning. Coupled with the preceding issue, this can leave the system in an unprovisioned state, with no way for SCS to contact the system to finish the process.

  • The Remote Configuration certificate is not properly installed on the server, producing authentication failure messages in the AMT logs.

  • Oobprov.exe is unable to fetch the FQDN. For oobprov.exe to fetch the FQDN, the AMT system needs the Altiris Agent installed, must have sent Basic Inventory while it had a valid FQDN (for example, a system in the process of being built might not have a valid FQDN yet), must have downloaded and executed the OOB Discovery Task, and must have data populated into the OOB Capability data class from that task. Alternatively, you can use the option in Resource Synchronization labeled 'Use DNS IP resolution to find FQDN when assigning profiles'.

 

 

 

A good resource for troubleshooting issues can be found here:

 

 

 

Conclusion

Knowing the underlying mechanisms can help when troubleshooting or even when planning your environment. While not all details are provided here, the most essential ones are.

0 Comments Permalink

New info! I just added BIOS setting config notes for the Dell 630c - check'em out!

 

BIOS Settings for Intel® Active Management Technology (Intel® AMT) Devices

0 Comments Permalink

This document contains links to BIOS updates and available utilities to some of the OEMs out there. Take a look - this is helpful stuff if you are getting a vPro deployment off the ground!

 

BIOS Settings for Intel® Active Management Technology (Intel® AMT) Devices

0 Comments Permalink

Tell us about your vPro deployment* and receive something from our goody drawer! We have shirts, radios, backpacks, and more!

 

We want to hear about your unassisted activation. We are interested to know how many machines were involved in your deployment, which provisioning model you went with, and the implemented use cases. Contact Michele Gartner with the details.

 

 

*Offer valid for individuals deploying vPro without the use of an IT outsource, system integrator, or Intel engineer on site.

1 Comments Permalink

Intel® AMT Reflector is a software tool designed to allow local management of Intel® AMT Management Engine functionality from the local operating system, removing the need to reboot to verify and change the Intel® AMT host computer name or un-provision Intel® AMT on the computer. This functionality improves debug and factory operations in activating and building Intel® AMT based client environments. This release completes DOPD SW Engineering's original functionality plan for the tool and is therefore marked as a production-level release.

 

This release has the following updates from the Beta release:

 

· Added a timestamp to Intel® AMT events in the logs generated by the client-side applications.

· Fixed the XML logfile format so that it will be properly recognized by external applications that support the XML file format.

· Fixed the issue where some commands may not succeed on the first call for some Intel(R) AMT systems.

· Fixed the "Browse" button functionality in the Intel(R) AMT Reflector Server configuration window.

· The Intel® AMT Reflector Server now logs the client FQDN for each event.

· Removed the View Log window from the Intel® AMT Reflector Client application.

· Improved the error handling of the Intel® AMT Reflector Client application.

 

Download the tool here

 

Here's a 5 minute video overview of the tool's capabilities (Click here to view video on YouTube) :

 

0 Comments Permalink

Wondering about the different types of provisioning models? A new matrix was just published that defines the three provisioning models: Basic, Standard, and Advanced.

 

This naming convention replaces the terms SMB and Enterprise modes. Why? SMB was confusing because it refers to Small-Medium Business - when in actuality, there are enterprise-sized companies that have activated in SMB/Basic mode and SMB-sized companies that have activated in Enterprise/Standard/Advanced mode.

 

Check it out: Understanding Provisioning Models - Basic, Standard, & Advanced

0 Comments Permalink

Have you ever wondered what the optimal provisioning conditions are, and whether there is any way to script the event? The linked article refers to batch files, VBScripts, key learnings, and supporting materials for provisioning Intel vPro in an Altiris environment.

 

http://juice.altiris.com/node/4082

 

Take a look, add your insights/comments, and so forth.

0 Comments Permalink