Intel vPro Expert Center Blog

GoDaddy vPro Landing Site

william.york@intel.com — Sun, 22 Nov 2009 12:47:41 GMT

I've been asking GoDaddy for over a year to provide a specific Intel vPro site to help customers buy Remote Configuration Certificates. Glad to see someone was able to get them to add a link on thier site. http://help.godaddy.com/article/5260

Get Going with GoDaddy

steve.f.taylor@intel.com — Tue, 30 Sep 2008 13:15:32 GMT

Going with GoDaddy

GoDaddy is one of the more popular sources for SSL certificates that support remote configuration. But GoDaddy doesn't take security lightly and will do a good bit of homework to validate that you are authorizated to recieve a Deluxe High-Assurance certificate on behalf of your organization. In order to make your purchasing process smooth and successful, here are some tips.

Bill York wrote an excellent blog on how to order such a certificate from GoDaddy that can be found at: http://communities.intel.com/openport/blogs/proexpert/2008/03/03/steps-to-purchase-a-godaddy-certificate-for-the-purpose-of-vpro-remote-configuration. Start by reading this article to familiarize yourself with the technical steps to complete the order. There are some tips below for setting up a new account that you may want to refer to as you start to follow his steps.

GoDaddy performs a good deal of "due diligence" research before they will issue a Deluxe High-Assurance SSL certificate. You can help to ensure the ordering process goes smoothly by anticipating the GoDaddy requirements to facilitate their research.

The "checks" that GoDaddy needs to perform are: domain authorization, corporate document approval, and online and verbal phone verification. You can see the on-going status of these steps when you log into your GoDaddy account after placing your order. As each step is completed, the icon next to that step will change in the Certification Steps Status page, shown below:

Account Setup

But prior to even ordering your SSL certificate, if you have to create a new account, be sure to use your company's formal legal name. GoDaddy will attempt to look up the company in a database, such as your state's list of registered companies maintained by the Secretary of State to see if your company is established. If not found, you may need to supply a letter of authorization from the company on letterhead for "Corporate Documents Approval" (see below).

Also be careful with your company address and phone number. GoDaddy will lookup your company in a online phone directory for the "Corporate Phone Number Found" step. If your business and location are listed with a phone number where you can be reached, you are in good shape since they are going to want to call a published phone number and be transferred to your extension.

If you are in a remote office that is not listed in a directory, be prepared to supply a phone bill in your name where you can be reached instead. Your mobile or home phone may be used if you cannot get a transferred call from an office that resolves to your business in a db like Yellowpages.com or Yellowbook.com. If you know that your address and office number will not be found in an online directory, have a copy of a phone bill (mobile or home) on an account in your name available to fax to them.

When ordering your Deluxe High-Assurance SSL certificate, be sure to follow the instructions from the articles shown above to generate the CSR and specify the appropriate OU to equal "Intel(R) Client Setup Certificate". Once the order is placed, you can start to monitor the status of your order.

Administrative Approval

As soon as you place the order, check the WHOIS lookup for your domain by using the link on the form or another method. Then, call or email your internal administrative contact for the domain to let them know to expect an email from GoDaddy requesting authorization for the certificate. Ask that person in your organization to let you know when they've replied and log back in to check the status after they do. The first three steps, "CSR Being Generated", "WHOIS Lookup Being Performed", and "Awaiting Administrative Approval," should be completed at this point. If not, you may want to call GoDaddy Technical Support to let them know of your progress.

Corporate Document Approval

At that time while you have GoDaddy on the phone, inquire as to whether they can find your company in the Sec. of State database and if not, verify what will substitute for Corporate Document Approval. In some cases, be prepared to submit Articles of Incorporation or copies of a SEC filing at this stage if necessary.

In other cases, you will need to fax a letter that includes the date and CommonName for the certificate signed by the department manager that authorizes you getting the certificate. This manager's position or title will need to be verified through either an on-line directory on your company's web site or by calling your HR department or contact. If you know that person's position or title cannot be verified on-line by GoDaddy, include the phone number for HR in the letter.

Corporate Phone Number Found

At this point, GoDaddy may need to forward your corporate documents to an administrative researcher within GoDaddy and there may be a delay for the documents to be verified. After this is done, and your "Corporate Document Approval" step status changes from In Progress to Completed, you may want to call Technical Support to help them find the best phone number to reach you at in an online directory. If this doesn't work for your phone number, ask for the Request for Verification form that you can complete and fax with the phone bill described above.

Once they have found the right number to call or received your phone bill and Request for Verification form, all that is left is to wait for the call. Verbally verify your identity and soon the certificate will be issued. In some cases, GoDaddy has sent an additional certificate with a P7X file extension, along with instructions on how to install it. I've not seen a case where the installation of this was necessary, and it may only serve to confuse you. You should only need to install the SSL cert for your domain in accordance with the documentation for your management console or provisioning server such as Intel's Setup and Configuration Service (SCS).

Remember, your certificate needs to have a CN matching the domain suffix of the machine where it will be installed and an OU matching "Intel(R) Client Setup Certificate" in the details of the Subject field. Also, the cert will need to "chain up" to the GoDaddy trusted root cert with a thumbprint matching one of the pre-installed trusted root CA thumbprints in the AMT firmware. For more information about certificate format requirements, installation of this cert, and other PKI-related questions regarding remote configuration, as alway,s a good place to look online is here at the vPro Expert Center.

Best of luck in getting going with GoDaddy!

Remote Configuration using Altiris

terry.c.cutler@intel.com — Fri, 02 May 2008 16:01:37 GMT

For general questions about Remote Configuration, please review the following article - http://communities.intel.com/docs/DOC-1490

Earlier in 2007, I wrote two brief articles about Remote Configuration.

The embedded video below is a summary of how Remote Configuration works in an Altiris environment. The target environment has a VeriSign Intel(R) Client Setup Certificate loaded. Intel AMT 2.2 and 2.6 systems are provisioned using Agent Initiated approach. The Intel AMT 3.0 system is provisioned using the baremetal approach (could have done this via agent initiated... yet wanted to show both methods)

More content\details on acquiring external certificates, or creating a custom internal certificate and adding the associated certificate hash to the clients... can be provided if needed.

Intel vPro AMT Out of Band Remote Configuration and Delayed Provisioning Best Practices

joel_smith1@symantec.com — Thu, 17 Apr 2008 19:25:05 GMT

Remote Configuration is the zero-touch configuration mechanism that allows Intel vPro AMT systems to be setup for AMT management without any manual intervention. This article covers the Best Practices for setting up Remote Configuration and using the Out of Band Delayed Provisioning Task to remotely and automatically provision systems for use within the Altiris infrastructure.

Introduction

In an ideal environment, vPro systems will automatically Provision without any interaction with the Administrator, allowing the versatile and robust functionality of AMT to be available immediately out of the gate. In this article we'll cover how to setup just such a scenario, but also how to use Out of Band Management's Delayed Provisioning Task to ‘kick-start' any AMT system that is no longer sending out configuration requests. Reasons for this need include:

The system is powered on in a location that does not have access to the Provisioning Server
The system is unable to be Provisioned due to changing identities while being setup in its Fully Qualified Domain Name (FQDN)
The IP Address changes during the Provisioning process and the Provision Server is unable to contact it back to Provision

Remote Configuration

Remote Configuration uses a certificate-based authentication model with preloaded certificate hashes to allow quick and automated process to Provision the AMT systems in the environment. The certificates require a vendor-certified cert from Verisign, GoDaddy, Komodo. While you can set your own cert and load your own hashes in the firmware of AMT systems, it turns the ease of Remote Configuration into a cost, whether by having the OEM load the proprietary cert for a fee, or requiring a configuration step to load the hashes manually into the firmware.

Certificates

The firmware will already contain the hashes for Verisign, GoDaddy, and Komodo certificates (more vendors will be added in later versions of AMT). Server-side certificates need to be loaded and registered on the Provision Server, and within Out of Band Management on the Altiris Notification Server. Please see the following article for more information on Remote Configuration:

http://juice.altiris.com/article/3866/frequently-asked-questions-about-remote-configuration

For a specific reference for what items are required, review the section labeled:

What core items MUST be defined in the provisioning certificate?

Also look at the section pointing to how to acquire a certificate (other links):

What resources or guidance are available for acquiring one of the core external certificates?

Additional information:

The Provision Server must be registered with DNS, accessible by the Intel AMT device via a CNAME value of ‘ProvisionServer' pointing to the IP address of the Notification. Note that in a multi-domain (including root-child domain infrastructures) multiple CNAME entries must be setup to include the suffixes to include all network segments the server will be managing.

The Provision Server requires a certificate with the appropriate OID or OU detailing directions to a certificate Authority (CA), which CA must have a root certificate hash stored on the Intel AMT Systems. The OID must be of the type ‘Server Authentication Certificate' with the Intel setup extension: 1.3.6.1.5.5.7.3.1, 2.16.840.1.113741.1.2.3, OR, the OU value in the Subject field must be "Intel(R) Client Setup Certificate".

The Subject CN must be either the fully qualified domain name (FQDN) of the platform running the service (example: Provisionserver.symantec.us), or the domain suffix of the platform (example: *.symantec.us.com or *.symantec.com).

Remote Configuration Process

The following process documents how the Remote Configuration Process works. This high-level overview will be referenced in the subsequent sections covering Delayed Provisioning. The following process assumes that the AMT System can reach the Provision Server and won't change identity through typical setup methods such as imaging or configuration scripts that changes the FQDN and/or Hostname of the system (including adding the system to a Domain).

The following steps must be completed before Remote Configuration will work in the environment. They are detailed with step-by-step processes in the Out of Band Management 6.2 Administrator's Guide, located here: http://www.altiris.com/upload/outofbandrefsep18.pdf

Setting up Intel AMT using Remote Configuration - Page 44

Certificate provider - Page 44

Preparing a Certificate Template - Page 45
Issuing a New Template - Page 46
Preparing a Certificate Request - Page 47
Acquiring a Certificate from an External Certificate Vendor - Page 48
Installing the Remote Configuration Certificate - Page 48
Loading the Certificate into Intel SCS - Page 49
Enabling the Remote Configuration Feature - Page 49

Note that not all the sections need to be accomplished depending on what method you use. If you're creating your own certificate:

Preparing a Certificate Template
Issuing a New Template
Preparing a Certificate Request

...should be used. Otherwise use the ‘Acquiring a Certificate from an External Certificate Vendor' section, including the previous links provided on the subject, should be consulted. Remember this is the recommended method since it requires no special processes to be in place to ready the AMT systems for Provisioning.

Delayed Provisioning

The purpose of Delayed Provisioning is to Provision those systems that failed the original Provision attempt. The includes failure at any part of the Remote Configuration/Provisioning process. Failure points include:

Hello Packet does not reach the Provision Server during the 24-hour period hello packets are sent
The IP Address changes after the Provision Server initially receives the hello packet and hasn't sent down a profile to complete the provisioning process
The FQDN changes, forcing an IP Address change from DHCP so when the OS is up, the Provisioning Server can't reach the system
The Provision Server is unable to complete the process due to a number of causes, including network access problems, firewalls, subnet locations, etc...

The following items must be in place for Delayed Provisioning to work:

AMT System must be in Setup Mode (pre-provisioned). This means the system must be in the state where it is using Remote Configuration and will use the provided hashes.
The system must have a functioning Windows Operating System.
The Altiris Agent must be installed and functioning within the OS.
The Out of Band Task Agent must be installed within the Altiris Agent.
The Delayed Provisioning Task must be enabled to target the AMT systems in question.

Delayed Provisioning Process

The following process details how Delayed Provisioning works from start to finish. In essence the process ‘kick starts' the hello packet process, allowing the Provision Server to receive fresh data on the system, allowing it to properly contact and provision it. The following diagram shows a high-level view of the Delayed Provisioning Process:

Full steps:

The AMT System must be in Remote Configuration setup mode. This is the default mode for AMT 2.2, 2.6, and 3.0.
Install the Altiris Agent on the system. Check the Notification Server reference guide for methods.
In the Altiris Console, go to View > Solution > Out of Band Management > Out of Band Discovery.
Enable the Out of Band Discovery Policy. This will help with the Provision process after the Delayed Provisioning Task executes.
Now go up a level and browse down into Out of Band Task Agent Rollout.
Add the collection: Non-Provisioned Intel® AMT Computers to the Policy by clicking on the Collections listed under ‘Applies to Collections' and browsing to it under ‘Out of Band Management', ‘Provisioning'.
Enable the Out of Band Task Agent Install Policy.
!oobagentinst.JPG!
Browse in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Delayed Provisioning > and select the ‘Delayed Provision' Task.
Concerning the options:

Override OTP: - If you don't want to use a random AMT password, check this option.
Switch to AMT: - Unless you're using ASF and want to keep using it on those computers that have it enabled, check this option.
Ignore intermediate errors: - Don't check this option unless there's a reason to ignore DNS and OTP errors.

Leave it on a Daily Schedule. Systems that run this and provision will drop out of the collection and not run the policy again.
Enable the Policy.

Once the above steps have been completed, the process should be automated as long as steps 1 and 2 are met. The collections will properly target each system so that the right steps occur in the right order.

Conclusion

The Delayed Provisioning Task allows an administrator to catch those systems that have not provisioned due to a number of reasons. This allows the systems to get provisioned in a targeted fashion, and if properly configured make it completely automated. As of version 6.2 of Out of Band Management, this only applies to provisioning by Remote Configuration. Please check these other articles for details on how to provision systems if not using Remote Configuration:

http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning

Lastly, this process does not touch on certificates used to encrypt AMT management traffic. This is the TLS option set in a Profile for any communication after the AMT system has been properly setup and configured. The certificate obtained for Remote Configuration is only for the Setup and Configuration process (also known as Provisioning).

Got a question about remote configuration?

terry.c.cutler@intel.com — Fri, 11 Apr 2008 05:14:13 GMT

We might have an answer. If you still have a question after reading FAQ - please ask.

Check out the FAQ posted by

clicking here

Steps to purchase a GoDaddy Certificate for the purpose of vPro Remote Configuration

william.york@intel.com — Mon, 03 Mar 2008 18:45:59 GMT

The following information contains the detailed steps used to order a Remote Configuration Client Certificate from GoDaddy. There are many methods that can be used, but this was tested and validated that the certificate worked for both SMS and SCCM SP1 to provide Remote Configuration Provisioning to vPro clients.

SUMMARY: You will be required to prove that you, or your company, own the rights to the domain for which you are applying for this certificate. In the following example, I first registered my lab domain before ordering my Remote Configuration Certificate. I also needed a Company representative to submit a letter of approval (Company Letterhead) to GoDaddy giving me authority to request this certificate. I also tested the certificate I received from GoDaddy did work with Remote Configuring AMT clients in SMS and SCCM SP1 environment.

Key items that are detailed in the steps below that were required to get my certificate:

○ Certificate type must be a Deluxe Assurance SSL certificate

○ Certificate request is for an Organization

○ OU = Intel(R) Client Setup Certificate

○ CN = ServerName.domain.com (this must be the FQDN of the Provisioning Server for Remote Configuration generating the CSR)

○ Organization = The legal name of your organization that can approve your certificate request

○ Required Documentation to be submitted (Driver's License, Bank Statement, and Approval Letter on Company Letterhead)

STEPS TO PURCHASE THE REMOTE CONFIGURATION CERTIFICATE

1. Go to GoDaddy Web site: www.godaddy.com

2. Select the SSL Certificate link: https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979

3. From the SSL Certificate page, choose the Deluxe SSL certificate and click ADD

a. select Single (your choice of 1, 2, or 3 years) for a single Domain environment

b. Unlimited Subdomains - wild cards are support for version of AMT 2.6 / 3.2 and higher

4. In the next screen, you will be prompted to customize your order. No additional items are necessary on this screen, select Continue

5. At the Checkout Now screen, you should see the Deluxe Assurance SSL certificate (other options may vary if you selected additional items to purchase)

6. In the Billing information Window, make sure to include your valid company name. You will be required to have someone from your company submit an approval letter for this certificate request on company letterhead (more detailed steps to follow).

7. After you fill out your billing information, you will need to login to your account to configure the certificate you have just purchased.

8. After logging in to your account, select Manage SSL Certificates.

9. You will see you have an available credit in the Secure Certificates, Click Set up Certificate link and Click Activate Account

a. You may need to Login in to your account or Create a new Certificate account - this is different than your GoDaddy Account

10. Select the Deluxe High-Assurance SSL Certificate and Click Request Certificate

11. Select Corporate option in Step 1

Fill out Personal Information in Step 2, including your company name

Generate you CSR and paste text in the box provided in Step 3 (make sure to indicate the type of server used to produce CSR)

They provide a link in Step 3 on How to generate a CSR (follow these steps).

The CSR MUST include the following fields to be a valid vPro Remote Configuration Certificate and approved by GoDaddy:

OU = Intel(R) Client Setup Certificate
CN = ServerName.domain.com (this must be the FQDN of the Provisioning Server for Remote Configuration generating the CSR)
Organization = The legal name of your organization that can approve your certificate request

12. After you paste your CSR information and click Submit, your request will be routed to GoDaddy and they will follow up via email for next steps.

13. You will be asked to send them two forms of Identification (Driver License and Bank Statement)

14. Additionally, you will be asked to have someone within your company provide an approval letter on company letterhead stating that you have the authority to request the SSL certificate for this server and domain.

15. After GoDaddy has validated the required documentation, they will send you an email stating that your SSL certificate is available.

16. You can now download your SSL certificate and apply it to your IIS Web Server on your requesting Provisioning Server.