Intel vPro Expert Center Blog

18 Posts tagged with the scs tag 1 2 Previous Next
Click to view michelegartner's profile
0

New articles for you to take a look at this week. As always, let me know if you have a best practice or known issue that you want to share or have investigated!



0 Comments Permalink Tags: troubleshoot, vpro, sms, scs
Click to view michelegartner's profile
0


0 Comments Permalink Tags: amt, tools, troubleshoot, scs
Click to view miroyer's profile
1

Here are some high level steps that walk you through procuring a VeriSign certificate and configuring it for the Intel Setup and Configuration Service (SCS). Other certificate vendors like Go Daddy, Starfield, Comdo, etc will have different purchasing processes.

Purchase Verisign Certificate

  1. Generate Certificate Signing Request (CSR) by following the instruction in the link, http://www.verisign.com/support/ssl-certificates-support/page_dev019431.html.
  2. The Common Name (CN) needs to be the FQDN of the server you want to install this certificate on. (i.e. host name + domain name)
  3. Enter ‘Intel(R) Client Setup Certificate' for Organization Unit (OU).
  4. Complete all the steps. Visit VeriSign website, http://www.verisign.com/ssl/buy-ssl-certificates/ to start purchasing process. Select ‘Secure Site: SSL Certificates' under ‘Buy Individual SSL Certificates'.
    Note: you could choose the other two, which are in more advanced level, depending on your need.
  5. Enter all the information required and copy the CSR generated by the server
  6. Complete all the steps and print out the order confirmation page for your record.
  7. You will receive an email of Verisign automated order verification within few hours. You have only 24 hours, after receiving the email, to finish this process. Click the link in the email and go through the process. \\\\\\*Important:* If you cannot recognize the second phone number listed on the webpage, cancel the automated verification process and have them call you instead.

Certificate Installation and Exporting


  1. You will receive the link of installation instruction in the email containing the certificate. Follow the instruction to complete installation
  2. VeriSign will send you the SSL certificate via email. If the certificate is an attachment (Cert.cer), save the file to the hard drive. If the certificate is in the body of the email, create a .cer file (example: NewCertificate.cer) by copying and pasting the certificate text into a plain text editor such as Notepad or Vi. Please be sure to include the header and footer as well as the surrounding dashes. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.
  3. Open the Internet Services Manager (IIS). Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
  4. Under Web Sites, right-click your web site and select Properties.
  5. Click the Directory Security tab.
  6. Under Secure Communications, click Server Certificate.
  7. The Web Site Certificate Wizard will open, click Next.
  8. Choose Process the Pending Request and Install the Certificate, then click Next.
  9. Important: The pending request must match the response file. If you deleted the pending request in error you must generate a new CSR and replace this certificate.
  10. Select the location of the certificate response file, and then click Next.
  11. Read the summary screen to be sure that you are processing the correct certificate and then click Next.
  12. You see a confirmation screen.
  13. After you read this information, click Next.
  14. Go back to IIS Manager (Start > Programs > Administrative Tasks > IIS Manager)
  15. Expand Web Sites and right click Default Web Site
  16. Under Secure Communications, click View Certificate...
  17. select Detail tab
  18. Click Copy to file at right bottom of window, the Certificate Export wizard will pop up. (N)
  19. choose Yes, export the private key (N)
  20. mark Include all certificates in the certification path if possible (N)
  21. give a password (can be weak password) and confirm (N)
  22. Give location and file name for the resulting PFX. (N), Finish, Ok.
  23. Close all windows.


Adding Cert To SCS


Install the certificate created above in the System Certificate Store on the platform where the SCS executes. Follow the following steps:


  1. Open certificates (local computer) using the Microsoft Management Console (MMC). To add the certificates plug-in to the MMC,
  2. Select file/add snap-in.
  3. Select Add....
  4. Select Certificates.
  5. Select computer account; click Next.
  6. Select Local computer; click Next.
  7. Select Finish; Close; select Certificates and click OK.
  8. In the console tree, click the logical store where the mmc will import the certificate.
  9. On the Action menu, point to All Tasks and then click Import to start the Certificate Import Wizard.
  10. Type the path and file name of the certificate to be imported or click Browse and navigate to the file. Select automatically select the certificate store based on the type of certificate.

Invoke the loadcert utility


  1. Located at <install_root>:\Program files\Intel\AMTConfServer\Tools.
  2. Double-click on loadcert.exe
  3. Select the certificate that was just imported. The utility will report any problems in the certificates that it detects that would prevent using it as a ZTC certificate.

Matt Royer

1 Comments Permalink Tags: vpro, amt, scs, verisign, remote_config
Click to view mprimros's profile
0

The Brand Promise Validation team here at Intel came across an issue in the lab which many customers may also run into when they are trying to deploy AMT. The question was, how do I use two different ISVs to manage different aspects of my Enterprise configured AMT client fleet? Theoretically this isn't neccessarily a tough question. Based on how AMT was designed, so long as you have the same authentication and credentials setup between the different managment software, you should be able to access the AMT features. In practice, however, many management applications attempt to configure AMT in such a way that they have sole access by customizing the provisioning settings and then hide those settings away.

However, as I'm about to describe, with a little tweaking, you can force these applications to play nice together.

The main thing to remember anytime you are setting up AMT in enterprise mode is that the key to accessing AMT is having the correct certificates in place. For access that means having a Web Server based certificate template that will be used for TLS communication between the console and AMT. If you are also using PKI provisioning, you'll have to have a properly configured or purchased provisioning certificate in place (I won't be covering the details of PKI provisioning in this blog, but maybe in a future update). Lastly, for SMS and Altiris you'll also need a .pem certificate. Details on how to create a .pem certificate is included in both the Altiris help and Intel AMT Add-on for SMS documentation. A quick summary of a .PEM file certificate is taking each certificate in the chain starting at the top and concatinating those certificates into a single file. This file is used for secure TLS communication during SOL sessions.


The two management applicaitons we targetted for implementation was Altiris and SMS using the Intel AMT Add-on for SMS. The reason we targetted these apps is that we have inimate knowledge using these applications since they are used in our validation efforts and they both utilize the Intel SCS for provisioning.


Both Altiris and SMS systems should be in the same domain using the same certificate authority and have the same root certificate installed. While it is definately feasible that you could have the the two management applications in different child domains using wildcard certificates for authentication, this article doesn't cover that specific configuration.


I'm not going to go into the details of setting up Altiris and SMS or how to configure SCS for provisioning since it is assumed that if you are attempting to merge these ISVs so that they can manage AMT clients, then you should already know how to get the individual applications to work with AMT.


I started off by getting Altiris setup and configured using the built in SCS included in the OOB Management solution for Altiris. At this point I didn't have to do anything special in order to make sure that the SMS Add-on would work, I just setup Altiris as normal to manage AMT clients. Once setup, I verified that I could provision and manage my AMT clients.


Next step, on a different machine, I setup and configured SMS with the Intel AMT Add-on for SMS. I configured SMS to use it's own SQL server, however, there is no reason that you couldn't have it use the Altiris SQL server (setting up a separate instance) or a stand alone SQL server (again with a separate instance). For ease of configuration, however, I just used a separate SQL install on the same machine as SMS.


Once you have the SMSAMTUser_<sitecode> account created in active directory and have that account as well as whatever user accounts you want to use AMT via SMS added to the Intel(R) AMT groups (there are 3-5 of them depending on the version of the AMT Add-on you are using), you need to add the SMSAMTUser_<sidecode> to the Altiris SCS users list. On the Altiris system go to: View -> Configuration -> Solution Settings -> Platform Administration -> Out of Band Managment -> Provisioning -> Configuration Service Setings -> Users. Click the blue + to add a new user. Click the ... button. Select domain and type in the name query field SMSAMTUser and click Find. Select the SMSAMTUser_<sitecode> that is found in the results field and click OK. Under Role make sure Enterprise Administrator is selected. Click OK. This gives the service account for the Intel(r) AMT Add-on for SMS rights to view and modify the Altiris SCS.


On the SMS system, open up the Intel Add-on Settings dialogue box and configure it to use the Altiris Setup and Configuration Server. In order to find the URL that Altiris uses to connect to the SCS, On the Altiris machine, go to:


View -> Configuration -> Solution Settings -> Platform Administration -> Out of Band Managment -> Provisioning -> Configuration Service Setings -> Service Location.

If you have the Default URL set, you should have something like [/]<fqdn/AMTSCS. If you are using an alternative URL, copy that down. On the SMS machine, open up the Intel Add-on Settings and go to the Setup and Configuration tab. Select the Integrated Setup and Configuration radio button and type in the URL you copied down into the SCS Service URL box. Click the Set Profiles box and the AMT profiles that are setup in Altiris should pop up in a new window. Select the profiles you want to use in SMS (select all of them if you want all profiles to be able to be managed in SMS) and click OK. The list of supported profiles should now be populated with the profiles that are setup in Altiris.


Next step is to setup the .PEM certificate file that was used in Altiris for the Intel AMT Add-on for SMS. Copy the .PEM file used in Altiris to the SMS system. If you don't know where you .PEM file is located in Altiris, go to:


View -> Configuration -> Solution Settings -> Real-Time Console Infrastructure -> Configuration.


Click on the Intel(r) AMT Connection Settings tab. Under Redirection Security you should see a box next to the Trusted CA certifcate location. That box should have the path to the .PEM file. Once you have copied that file to your SMS system (doesn't matter where you put the .PEM file on your SMS box, so long as you remember where you put it) open up the Intel Add-on Settings dialogue and click on the Security tab. Check the Enable Intel(r) AMT secure Connection (TLS) box. In the CA Certificate Path put in the path to the location of the .PEM file that was copied onto the SMS system. Click Apply.


That is the basicis of what needs to be done. Once you have discovered the AMT clients in SMS and they are populated in the collection, right click on All Systems and go to All Tasks -> Intel(r) AMT Tasks -> Discover Systems. Now when you right click on an AMT system and go to All Tasks -> Intel(r) AMT Tasks you should see the list of AMT functions you can perform such as Asset Identification Information, Power Control Operations, etc.


In order to get SOL/IDE-R to work and System Defense to work, you'll need to go into the Intel(r) Add-on Settings in SMS again and setup the location of the ISO images that will be used for IDE-R and the System Defense file that will be used to filter packets using Circuit Breaker. Creating the System Defense file is covered in the Intel(r) AMT Add-on for SMS documentation and will not be explained in detail here. The repository for the ISO images needs to be a network share and can either reside locally on the SMS system (still mapped to the network share location) or can reside in a central repository. If you want both Altiris and SMS to use the same set of images just use the same network path to the ISO images for both applications.


That's it. In my environment I'm able to manage AMT machines with either management application. The only slight gotcha (and this is more a security feature of AMT) is that if one management application is currently managing a client (ex. using SoL) then the other is unable to break in and use the client. The gotcha part of this is that neither management application gives a clear indication that the system is currently in use by another management application, the attempt to manage just fails with an authentication error.

0 Comments 0 References Permalink Tags: amt, sms, altiris, scs, vpro, add-on, provision
Click to view michelegartner's profile
0





0 Comments 0 References Permalink Tags: amt, scs, troubleshoot
Click to view michelegartner's profile
0

Check'em out:

0 Comments 0 References Permalink Tags: amt, lenovo, drivers, scs, troubleshoot
Click to view michelegartner's profile
2

Here's the weekly update of issues posted to the Known Issues, Best Practices, and Workarounds wiki:

2 Comments 0 References Permalink Tags: sms, amt, troubleshoot, scs
Click to view tcduncan's profile
0

Last month's post of the open source packet decoder is just the first of a strong list of tools planned by the team that brings you the Technology Test Utility. The iCSO software engineering team is charted with making utilities and applications available to the public that accelerate and simplify the adoption and activation of Intel vPro technology.

We will be maintaining these tools and look forward to your feedback, suggestions, and participation in making these tools the best they can be for you and the marketplace. Our commitment is to post new versions of each tool at least every other month and of course post earlier if issues are found that render the tool less than useful.

The next tool we will be posting is a Pre-Installation Utility intended to speed the first user experience and automate as much as possible the initial setup of the Intel® AMT(tm) Setup and Configuration (aka SCS) environment in enterprise mode. Coupled with post setup wizards it will enable users to provision devices with minimal effort and time.

We look forward to hearing your feedback on our efforts.

Intel's iCSO Software Engineering Team

0 Comments 0 References Permalink Tags: amt, centrino_pro, client_management, developer, intel, pro, scs, tool, tools, vpro, source, open_source, code
Click to view swood's profile
1

As a network administrator for a small local government agency, I have been tasked to deploy Intel's Active Management Technology (AMT) into our network environment. Having sold our IT management on the benefits of vPro technology and how it can revolutionize our system management capabilities, I am ready to move forward and get AMT installed . In addition, today I learned that we will begin receiving brand spanking new HP systems in January that will have the latest greatest vPro technology aboard. I've got a few months to become an AMT expert and be ready for the new systems. Life is good!

Where To Start

The first thing I did after learning about vPro and AMT was to visit the Intel vPro Expert Center web site. There I found a great variety of resources to help me with my deployment. This is a good site to get help and guidance. The only problem I have with the site is that there's no link to download the AMT docs or software. You'll want to get your hands on the Intel Active Management Technology Setup and Configuration Service (SCS) - Installation and User Manual. You can get this document as well as the software from http://softwarecommunity.intel.com/articles/eng/1025.htm. Since SCS is the foundation and support structure of everything that goes on in the AMT and vPro world, this was the most logical place to start.

In addition, since I plan on integrating SCS with my existing SMS 2003 infrastructure, I also downloaded the Intel Active Management Technology Add-on for Microsoft SMS 2003 - Installation and User's Guide. Getting this was a bit of a challenge so stay with me on this one. I had to navigate to another good link you'll want to keep and refer to, The Intel Management Developer Community. From here I searched for "SMS 2003" and found the link to the SMS 2003 Add-on document. For non-developers like me, this site can appear to be not exactly what we do everyday, but hang in there, this site has a lot of info too. Now I had the documents I needed. They created the basis on which I would start to plan and deploy AMT into my network.

Read, read, read

The first thing I did after printing the documents was to read them over several times so I could get the gist of just how all the pieces played together. Then I read them again. After the first pass, it all looked pretty daunting and difficult, but after reading many of the sections over, it all started to come together and make sense. Read. Read. Read.

Time to lay things out

Ok, now I had a pretty good idea of what everything did and why, it was time to make sure I had everything I needed to make the pieces work together. I began to try and lay out what I needed to have to make AMT work.

Servers - I need to decide where to install SCS. I had a recently rebuilt Windows 2003 R2 server available that also had SQL 2005 on it. Plenty of disk space and horsepower. This was good. We were using this server to host our Help Desk application and it didn't appear to be over taxed in any way. The hardware and base OS part was taken care of. The server happened to be in our central office which was also a benefit. Our office is put together in a spoke and wheel configuration with all outer offices connecting to the central office over fast network connections. This would be good when we start to provision systems from outer office locations.

Active Directory - SCS / AMT relies on and utilizes Active Directory quite a bit. Our Active Directory is at Windows 2003 R2 level so I'm good to go. Also, as a Domain Admin, I have the ability to make any changes necessary to Active Directory.

Security - AMT supports Transport Layer Security (TLS) for secure communications between AMT devices and management console applications. TLS is optional for AMT, however we wanted to make all our communications as secure as possible so we're going for a full TLS implementation. This requires certificates and fortunately we have a Microsoft Certificate Authority server in our network that will make things easy to manage.

Database - SCS stores all its information in a database. We're going to use the existing SQL 2005 database on the server we're going to install SCS on.

AMT Device Location - Where were the new systems coming into and who was handling them? In the past when new systems came in, our Help Desk techs were very efficient in imaging them and deploying them right out the door. I need to make sure that everyone in our Help Desk group was tuned into what we were trying to do. We'll need to have a meeting to discuss what's going to happen after they plug in a system to the network for the first time.

Now that I've gotten my infrastructure laid out, it's time to start installing software. Yeah!

Next time I'll detail the steps I took in actually installing SCS into my network. As always, any comments and suggestions are warmly welcomed.

1 Comments Permalink Tags: amt, client_management, josh_hilliker, manageability, scs, tools, vpro, vpro_expert_center
Click to view Terry Cutler's profile
0

Take a look at the latest resource article posted at http://communities.intel.com/docs/DOC-1210

Use the file to generate custom setup.bin files for AMT 2.1, AMT 2.5, and AMT 3.0 systems.

0 Comments Permalink Tags: amt, scs, dtk
Click to view Terry Cutler's profile
0

This is the third and final part of this series (at least for now). The previous two posts include Basics and Common Intel SCS errors

BEFORE GOING ANY FURTHER - PLEASE READ AND ENSURE THE FOLLOWING
At this point, you have ensured the infrastructure is setup correctly and have attempted to troubleshoot the common Intel SCS errors as listed in the SCSconsole log file. Intel vPro systems are being recognized and listed in the SCSconsole. However, strange or unexpected behavior continues to occur - whether during provisioning, maintenance, or other activities. If Intel SCS has been included in a system management console or a provisioning script provider with whom you are working - AND - further debug analysis is needed, the following points may help. The debug log output may be one of the datapoints requested to replicate and remediate issues.

Before we go on - please note that these steps require modifications to the Microsoft Windows Registry on the system labeled as "ProvisionServer". That system will be running the AMTconfig service. Enabling the debug logging features will require root drive access and space to capture and store the log outputs. The logs will be stored at the root of C:

Ready to create an Intel SCS debug log?
SCS debug logging is off by default. If enabling for troubleshooting purposes, be sure to disable when done troubleshooting. The following steps will require a new registry key and string value to be added. Once these changes have been made - restart the AMTconfig service. At most, two log files will appear on the root of c: drive. The first is scs_win_server.log the second is scs_server.log. The second commonly appears only after errors have occurred.

Create the following registry key on the service's machine:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\AMTConfServer\Log with string value "LogLevel"="V"

Click on the following image to view the entire image

SCSdebuglogv2.gif

Logging levels can be set to 'V' for verbose, 'W' for warnings and errors, 'E' for only errors.

Once the debug log capture is complete, remove the LogLevel entry from the registry and restart the AMTconfig service.

This concludes the three part Intel SCS troubleshooting. If the community is experiencing additional events or has additional questions - please comment\reply.

0 Comments Permalink Tags: scs, vpro, troubleshoot
Click to view Terry Cutler's profile
0

This is the second in a three part blog post. The first article covers the Basics and the final article discusses creating an SCS debug log

Handling common Intel® SCS errors
With the SCS event log set to verbose mode, not only will successful provisioning events show but also warnings and errors if you are having difficulty in provisioning or configuring an Intel® vPro™ client. When a successful provisioning process occurs, you will see a sequence of Intel AMT properties being set followed by the statement "Commit Changes". Once this occurs, the target system is configured and ready to send\receive AMT webservice calls.

However, if this does not occur, refer to the following list of common errors with guidelines on how to interpret and resolve.

  • Error 102 - Intel AMT device is already provisioned - This indicates that the IntelAMT database has the target system identified as provisioned. If the target system was manually unprovisioned via the local MEBx, than manually delete\remove the entry from the provisioning console. From a provisioning security perspective, this error may also indicate an attempt to replay a provisioning sequence. The ProvisionServer with Intel® SCS running will reject additional requests if the system is already listed as Provisioned.

  • Error 103 - Request is already in the queue - This is really a status or awareness indicator. Provisioning and maintenance requests are queued within the IntelAMT database and processed by Intel® SCS servers. In larger implementations, multiple Intel® SCS servers can be configured to process requests within a single IntelAMT database queue. The queue includes immediate and delayed requests. Thus if a request is already delayed, this error will be generated. Similarly, if the request is being processed or handled by the poller, a competing request will generate this message.

  • Error 137 - Another process currently working on AMT - The target AMT device has a preceding request that has not completed. For example, if a partial un-provision request has not completed and a reprovision request is sent, this will generate the error. Reasons for the previously queued request not completing might including connectivity, difference of provisioning state, and so forth. If the error is persistent for a target AMT device\system and connectivity to the target system is available - try executing a management function if the system is in a configured state. (e.g. Remote inventory, remote power on\off, etc). If unsuccessful, the target system may be in an unsupported state. A manual process of partial unprovision may be required. Removing the assigned profile at the provisioning console should occur also.

  • Error 139 - Failed to update Kerberos Password with Kerberos Integration is disabled on server - Intel® SCS has the ability to integrate with Microsoft Active Directory for Kerberos based authentication. Check to ensure schema extensions have been applied and proper authentication to the Kerberos server (e.g. Microsoft Active Directory) is in place.

  • Error 407 - Batch exit code 0xfffff - This is a -1 return caused between a provisioning script and the SCS instance. Incomplete Intel® AMT profile, missing provisioning/configuration data, or other console configurations will likely cause this error. Check with the provider of the provisioning script - whether system management vendor or other. If the error is persistent afterwards, refer to the SCS debug log creation in the next article and contact support of the script provider.

  • Error 602 - Exception in clock sync worker - Clock synchronization is important in Kerberos environments, since the authentication process has a time stamp dependency. This error is benign in non-Kerberos authentication environments. It refers to a SOAP call failure - thus further environment and infrastructure investigation may be needed for future environmental considerations.

  • Error 913 - No rows found in get UuidMap - For provisioning to occur, the UUID and the FQDN of the target vPro system are mapped together. The provisioning script utilized may attempt to utilize WMI, reverse DNS, previously stored asset data or client agents to obtain this data. Check with the provisioning script provider.

  • Cannot contact back AMT with IP:xxx.xxx.xxx.xxx Exception - The recorded IP address from the hello packet sequence is not responding to requests. If the target system sends a new hello packet with an updated IP address, Intel SCS will update the queue entry. This error commonly occurs when the system has been connected, an IP address and DNS resolution have occurred, hello packet was sent, and then the system was disconnected from the network prior to the ProvisionServer response. A common scenario is pre-staging a system before sending to the intended location.

If the suggestions above are not helping, and a deeper investigation of Intel® SCS is needed - a debug log can be created. Please refer to part 3

0 Comments Permalink Tags: scs, vpro, troubleshoot
Click to view Terry Cutler's profile
0

This blog is divided into 3 sections - understanding the basics, addressing common Intel SCS errors, and how to generate an Intel SCS debug log.

If only solutions were perfect, errors resolved automatically, and tuning was never required nor needed. Then again, that's what many of us get paid to do and handle. The intent here is to focus on common Intel® vPro™ configuration and provisioning errors with Intel Setup and Configuration Services (SCS). More importantly, the article intent is to provide some insight on the correction needed or tasks to handle common errors.

The Basics
Deploying Intel® vPro™ enabled solutions presents many working parts. In a lab environment - these "always" work well. In a production environment, determining the cause of an error could be difficult. Generally speaking, to isolate the scenario take into consideration the management console, the vPro configuration services (e.g. Intel® SCS), the OEM firmware and drivers, and the infrastructure. The lab environment comes in handy to isolate components and aspects, especially when so many variables are present.

In stepping through each item, consider the following basic points:

  • OEM hardware and drivers - Check the update page for the latest BIOS and Firmware on the platform. The BIOS update will often include the Intel® AMT firmware. The drivers to be checked are mentioned Management Engine Interface (MEI), Local Management Service (LMS), Serial over LAN (SoL), and User Notification Service (UNS). NOTE: UNS applies to AMT 3.0 and higher versions.

  • Intel® SCS version - Don't know what version if running? Check the AMTconfig service properties or version listed in the SCSconsole. More on SCS and AMT versions here. Version 3.2 is the latest. If running version 1.x, an update to version 3.x is recommended. Check first with preferred system management vendor on supported setups, upgrade paths, and so forth.

  • Infrastructure - Ensure a ProvisionServer DNS record exists for the target DNS domain, and that this pointer record resolves to the server running AMTconfig (e.g. Intel SCS). Ensure proper resolution of the DNS entry for the FQDN of ProvisionServer (e.g. ProvisionServer.company.com)

  • Verbose Logging for SCS events - Within the SCSconsole, access the Change the Log Level to "Verbose" mode. This will log all informational, warning, and error messages and events in the SCS log. This is good to see when a hello packet is received, when the ProvisionServer attempts to provision the target system, and so forth. When changing this setting, you may also want to decrease the log retention level to a few days or shorter timeframe than the default value. Depending on the number of systems managed or attempting to provision, setting the log level to "verbose" may rapidly grow the size of the IntelAMT database.

Image of SCSconsole and setting logging to verbose mode
Verbose logging.gif



Image of SCSconsole viewing log events in verbose mode
SCSlog.gif

0 Comments Permalink Tags: scs, troubleshoot, vpro
Click to view Gareth Bevan's profile
1

Well, it probably won’t work if you stick it there, but the
truth is that there are a lot of certificates used in AMT, and knowing where to
put those certificates and their private keys can save a lot of hair pulling
down the line.

AMT Certs.jpg


AMT Certificates

Let’s start with the AMT system itself.

TLS Certificate

If the SCS profile calls for TLS to be enabled then a
private key and certificate are generated at the SCS and then installed on the
Amt device as part of the provisioning process. This certificate and key are
then used in future communications between the SCS and the AMT device and the
Management Console and the AMT device. I’m going to use the SMS Add-on as an
example of the management console because it uses gSOAP libraries which have
addition certificate storage requirements.

802.1x Certificate

If the SCS profile calls for and 802.1x certificate then a
private key and certificate are generated at the SCS and installed on the AMT
device as part of the provisioning process. This certificate and key are used
to allow the AMT device to connect to an 802.1x protected network without the
host operating system being available.

Mutual Authentication Root Certificate (MTLS Root)

The MTLS root certificate is used by the AMT device to
validate the mutual authentication certificate provided by the SCS or
management console after provisioning has completed. (Assuming of course that
the SCS profile used for provisioning configures MTLS). This certificate is
installed during the provisioning process. Note only the certificate is
installed – there is no private key installed for this certificate.

h1. Remote Configuration

The remaining two certificates on the AMT device are used
for Remote Configuration. This feature is available in AMT 2.2, 2.6 and 3.0.
(Note that does not include 2.5).

Remote Configuration Root Certificate (RCFG Root)

Actually this is not a whole certificate. It’s just the
certificate thumbnail, referred to as a hash. The certificate hashes can come
from a couple of places:

·{font:'Times New Roman'}
The AMT systems come with default certificate
hashes from VeriSign, GoDaddy and Comodo.


·{font:'Times New Roman'}
Your OEM can place a certificate hash of your
choosing on to the AMT devices you buy as part of their manufacturing process.
E.g. if you have your own PKI and wish to use your own root certificate.

{font:Symbol}·{font:'Times New Roman'}


You can
manually enter the certificate hash into the MEBx screen.


The advantages and disadvantages of each of these methods
are best left for another discussion.


This certificate is used to validate the remote
configuration certificate provided to the AMT device by the SCS service that is
trying to provision the AMT device. The details of this validation are somewhat
complicated and also best left to another discussion.


Remote Configuration Self Signed Certificate

Finally the remote
configuration processes requires the AMT device to generated its own self
signed (i.e. there is no certificate authority involved – and hence no trust
established) certificate to serve as a TLS/SSL certificate in place of the Pre
Shared Key (PSK) that was used to protect provision in earlier version of AMT.
Both the certificate and the key are generated locally on the AMT system.

SCS Certificates

Once we get to the server side, certificates become more
interesting as we have to know which Windows certificate store to put the
certificate and private key.

The SCS requires four certificates.


SSL Certificate

The SCS service runs as a web service within IIS.
Connections to the service can be carried out by the SCS console or by an ISV
supplied UI. To secure this traffic the SCS service requires that these web
services be protected by TLS/SSL. The SSL certificate is the same type used to
secure other web servers like amazon.com or eBay.

This certificate is installed in the Windows certificate
store of the service account used to run IIS. If you use the IIS “Server
Certificate” this is a two step process. First the IIS server generates the
private key and a certificate request. The private key is stored in the IIS
service account key store, and the request is stored in a text file. The
certificate request is then sent to the CA who issues the certificate. The
wizard then installs the certificate and matches it up with the private key.

SCS Certs.jpg


TLS Root

The TLS root certificate is the root certificate from the
certificate chain that issued the TLS certificates to the AMT devices. This may
or may not be the same as your MTLS Root, depending on how you issue your
certs. This certificate is used to validate the TLS certificate provided by the
AMT device when the SCS connects to the device to perform some function after
initial provisioning. This could be re-provisioning or one of the maintenance
tasks that the SCS performs – like setting the AMT system time.

There is no private key associated with this certificate.
The certificate should be stored in the “Trusted Root Certification
Authorities” folder of the SCS service accounts certificate store.


Mutual TLS Authentication Certificate

This certificate is used by the SCS to authenticate itself
to the AMT devices. Both the certificate and the private key should be stored
in the SCS service accounts “Personal” certificate store. The root certificate
of the chain must be installed on the AMT device during provisioning to allow
this authentication mechanism to work correctly.

Remote Configuration Certificate

This is the most interesting of the three SCS service
certificates. This is because the certificate needs to be in two certificate
stores – but the private key only needs to be in one. The SCS service presents
this certificate to the AMT device to start remote provisioning. As this is a
mutually authenticated TLS session, the SCS service must have access to the
private key. So the certificate and private key should be installed in the SCS
service accounts certificate store.

To configure SCS for remote configuration, a utility called
“loadcert.exe” is run. This utility lists the certificates in the local
computer store and you select the one you want the SCS service to use for
remote configuration. The utility then make a registry entry containing the
thumbnail of the certificate. The SCS service looks at this registry entry and
then looks up the selected certificate in the SCS service account certificate
store. Because the loadcert.exe utility reads from the local computer store,
the remote configuration certificate needs to be installed in there. But,
because it is only read by the utility to extract the thumbnail, the private
key does not have to be installed in the local computer store.


SMS (Management Console) Certificates

Certificates for the SMS Add-on are complicated by the use
of the gSOAP libraries. GSOAP is a cross platform, open source web services
development toolkit. Because it is cross platform it does not (obviously) use
the windows certificate store. Instead it uses a file format called PEM (from
the Privacy Enhanced Mail system). PEM files store certificates and keys as
base-64 encoded strings. This makes them easy to manipulate (with things like
notepad) and portable between systems. The following discussion assumes a 3
level PKI hierarchy, with a root CA, policy CA and an issuing CA. If there is
sufficient interest I can talk about PKI hierarchies on a separate thread.

As the SMS is also a windows program, it also needs its
certificates in the windows store.

SMS Certs.jpg


h2. Mutual Authentication Certificate (MTLS)

If the AMT profile the SCS calls for mutual TLS, then the
management console needs to supply an MTLSS certificate. This certificate, and
its private key, needs to be installed in SMS Add-on Service account
certificate store. This allows the SMS Add-on service to access the key for
operations such as power management. Because
the windows certificate store can “walk certificate chains”, only the MTLS cert
needs to be installed. Windows will work out where to get the rest of the chain
from on its own.

This is not true for the PEM file. In order for the gSOAP
library to have access to the certificate chain, all the chain entries must be
placed in the file (in the right order).


TLS Root Certificate

When a connection to the AMT device is made, it presents its
TLS certificate. In order for the Management console to trust the certificate,
the root certificate the issued the AMT certificate must be installed in the
“Trusted Root Certification Authorities” folder in the SMS Add-on’s certificate
store. . Because the windows certificate
store can “walk certificate chains”, only the TLS root cert needs to be installed.

Again, this is not true for the PEM file. In order for the
gSOAP library to have access to the certificate chain, all the chain entries
must be placed in the file (in the right order).


1 Comments Permalink Tags: certificates, pki, amt, vpro, remote_config, pem, keys, private_key, public_key, scs, sms
Click to view Terry Cutler's profile
0


Traditionally speaking - if security is improved, manageability suffers. The reverse of this is true also - traditionally.

Intel vPro presents a different approach and perspective to this common understanding - consider some of the usage models and scenarios described at the follow link. http://www.intel.com/business/vpro/index.htm (see the "improve security" and "extend manageability" links on this page under Resources - lower right side)

The above links demonstrates and introduces the usage models and capabilities. But - what about ensuring the security of the platform. As commonly inquired - "Could vPro be used maliciously?". Considering that any tool of value - even the screwdriver sitting in a garage or a desk drawer - could be used maliciously, the question might be better phrased - "What are the built-in security features of Intel vPro?" The following is only a summary and overview - yet should provide some comfort in the platform. (BTW: Are you aware of all the security features in current environments, or would introducing vPro perhaps expose a long term policy or technological oversight? Just a thought.)

  • Internal security - Use of Intel digitally signed firmware. In some cases, the OEM will also require their digital signature for firmware updates. The non-volatile RAM (NVRAM) has strict security and access control. There is a small section referred to as "3rd party datastore" or 3PDS. Access to this area requires registration with Intel and granting of a token. Communications into the management engine occur through secure channels - whether from the operating system or from the network interface. Generally speaking - compromising the internal security would indicate there are bigger problems in the environment.
  • Enterprise setup and configurationsecurity - Enterprise mode setup and configuration is handled via either a pre-shared secret or certificate based authentication. (see related blog on the latter). The configuration uses secure handshakes, authentication, and so forth. Replay attacks are prevented. With the latest configuration service, option to require authentication or approval of systems to be provisioned\configured. Pre-shared keys are changed after configuration, and subsequently based on definable schedules. Minimal setup rights can be used to limit exposure of accounts to perform setup\configuration. Security audit logs and event logs monitor activities. The process also has dependencies on the enterprise DHCP, DNS, PKI\CA, and so forth. Generally speaking - if the enterprise setup and configuration service is compromised, there are bigger problems wtihin the environment (whether technological, social networking, policy\procedure, etc)
  • Operator Security - Roles, permissions, and AMT security realm access control come into play here. This effectively defines who is allowed to configure the "configuration services", who is allowed to authorize or change vPro configurations, and who is allowed to utilize functions on configured vPro systems. The "who" could be defined by a user, group, service, etc.In addition - use of Kerberos for user rights mgmt and so forth provides an integration into the Microsoft Active Directory. Thus a group of users can be defined withe various levels of access control and capability. Plus - all security related actions and configuration changes can be logged. Generally speaking - if an operator compromising vPro security, there are likely bigger problems in the environment (eg. policies, procedures, etc)
  • Communication Security - Once a system configured, transport layer security (TLS) or Mutual TLS can used to secure management traffic. User sessions can authenticated using a digest protocol or Kerberos.
  • Infrastructure Security - Since vPro effectively hasa separate management computer inside, this management engine can be configured for environments supporting wireless profiles (WPA or WPA2), VLAN, Network Access Control, 802.1x, etc.
  • Operational Client Security - On top of all the configuration security items is the end-user usage and capabilities. Items such as System Defense, Agent Presence, remote power management, and so forth.

This returns to the first question - Can manageability and security be raised together for client management?

Open to hear from the community on your thoughts - whether in agreement or disagreement.

0 Comments Permalink Tags: amt, centrino_pro, client_management, security, scs, vpro, manageability
1 2 Previous Next