Part 3: vPro Deployment Scenarios for Intel Setup and Configuration Service (SCS)

Version 3

    NOTE: This resource and the associated series are a re-post of information provided at http://juice.altiris.com/node/4821 and related articles linked therein. Although the title and material make reference to Altiris, the core concepts apply to most Intel SCS based solutions. The material provided herein refers to Intel SCS version 3.x, although some of the core concepts will also apply to Intel SCS version 5 environments. (There was no version 4 of Intel SCS)

     

    The previous article in this series is Part 2: vPro Deployment Scenarios for Intel Setup and Configuration Service (SCS)

     

    This article makes reference to items supported in a previous resource posting providing a whitepaper on deployment and sizing of Intel SCS - Intel® Setup and Configuration Service 3.x Deployment and Capacity Model White Paper.

     

    Introduction: Setup and Configuration Application

    The core of the Intel® vProTM enterprise deployment reference architectures are based upon an understanding of the setup and configuration application (SCA). Providing the important roles of enterprise mode provisioning and configuration, the SCA becomes an integral part of the overall configuration management for Intel® vProTM systems. In essence, the client management solution suite maintains the configuration at the operating system layer and above, while the SCA maintains the configuration of the Intel® AMT management engine (ME). Without the SCA, remotely maintaining the Intel® ME below or without the operating system presents a difficult challenge.

     

    In an Altiris environment, the SCA used is the Intel® Setup and Configuration Service (SCS). This article first reviews the core components and interactions of an SCA, and then provides additional insights specific to Intel® SCS that will be relevant to an Altiris environment.

     

    SCA Core Components

    There are four core components of every SCA instantiation. These components provide the foundation services within the overall configuration service.

     

    • SCA Console: Visual interface into the SCA. Intel® SCS has a separate console component, or this can be integrated into the system management console. For Intel SCS, this is referred to as the SCS console. For an Altiris Out-of-Band Management environment, a majority of the Provisioning console is a direct reference from the Intel® SCS console.

    • WebService Interface: The AMTSCS virtual directory is the default interface for communications of the execution engine. The AMTSCS virtual directory within Microsoft IIS handles many of the communications to Intel® vProTM client systems and the user console for the provisioning service.

    • Execution engine: Contains the APIs and handles the processing of queued requests within the configuration database. For Intel® SCS, the Microsoft Windows service AMTConfig represents this core execution engine.

    • Configuration Database: Stores configurations and settings of the SCA service, Intel® vProTM clients, task queues and so forth. For Intel® SCS, this is referred to as the IntelAMT database. As noted in the previous articles and will be reinforced later in this article, any configuration related change to the Intel® SCS is stored within the IntelAMT database. For this reason, shared Intel® SCS environments with multiple AMTconfig services connecting must be at the same release version.

     

    The following image provides a summary diagram based on the above explanations.

     

     

     

    In addition to the base component and services mentioned above, the SCA also acts as proxy or contains core configuration settings for the Intel AMT clients within a specific client management domain. Some key examples include:

     

    • Certificate Management - If TLS is enabled in the provisioning profile, the logon account of the AMTconfig service requests authentication certificates during configuration or maintenance routines on behalf of the client.

    • Kerberos - Requesting of the Server Service Key (SSK) to be placed within the Intel® AMT firmware. More on Kerberos setup in an Altiris environment is available at http://juice.altiris.com/node/4492

    • 802.1x port authentication - Security and certificate settings to negotiate secure networks prior to the operating system.

     

    Since multiple SCA execution engines can exist within an enterprise, as discussed in previous article, this presents both capability and complexities. Once an Intel® vProTM system is configured or provisioned, all subsequent requests are based on authenticated and authorized webservice calls. Thus the ratio of clients to SCA servers, along with ratio of SCA to database, and so forth becomes a focus point. Add to this the unique infrastructure of various IT operations - and so forth. The attached document provides some insights on Intel® SCS deployment models and sizing guidelines.

     

    SCA Core Interactions

    Parts of the interactions were mentioned earlier, with the following diagram contributing additional perspective. The SCA becomes a crucial part of the initial and ongoing configuration management of the Intel® vProTM client.

     

    The following points and image provide a summary of the core interactions:

     

     

     

    • SCA console - As the user interface into the SCA, this console provides access to read or modify the SCA configuration parameters, event logs, and configuration state of Intel AMT clients within the configuration database. If the console must access the configuration database across a network connection, the recommendation is to enable SSL security on the AMTSCS virtual web directory.

    • Intel® vPro^TM ^Clients - As part of the provisioning sequence, the clients send provisioning requests to the SCA in the form of "hello" packets. For all clients listed in the configuration database, maintenance or configuration updates are sent from the SCA to the clients.

    • Proxy Configuration Requests - Awareness of the Microsoft Active Directory, Microsoft Certificate Authority, 802.1x port authentication service, or other infrastructural components within an Intel AMT profile hosted by the SCA are required to negotiate configuration settings on behalf of the Intel® vProTM clients within the configuration database.

     

    Client Management Solution - Although not shown in the diagram below, a connection is needed for the obtaining of the current list of configured Intel® vProTM clients from the SCA to update client objects within a solution's client management database. Some client management solutions may have the SCA console integrated. In the case of Altiris, the Resource Synchronization is the primary tool to replicate objects from the IntelAMT database into the Altiris CMDB.

     

     

     

    Understanding the core interactions of the SCA, as with the core functional components, adds to the associated requirements and considerations of the deployment reference architectures.

     

    SCA Communication Security

    The next perspective to consider is the security of communications between the core interacting components. The diagram below is adjusted slightly to the previous diagrams with the introduction of the client management solution suite.

     

    Intel® vProTM technology enables configuration management and security control at the hardware. Provisioning events, where configuration parameters are sent and committed to the Intel® vProTM client, occur "out-of-band" from the operating system. Authentication to the service, along with data exchange across the network, presents an opportunity to violate the integrity of the service and associated data. Various authentication, session security, request verification, and other mechanisms are available to protect session and data transactions. However, having the options, using the options, and allowing flexibility in the usage of options per SCA instance will vary per implementation - whether due to technical, people, or process related reasons.

     

    In the diagram below, the SCA console, client management solution suite, AMTSCS interface, SCA service on the server, and configuration database could all physically reside within a single server. At a minimum, the AMTSCS interface and SCA (or rather, the execution engine) must reside within the same physical system. This allows local API calls to be made from the web interface to the execution engine.

     

     

     

    During the installation and setup process, the connection between the execution engine and the database includes the creation of a database login account. This account is specific to all Intel® SCS instances associated to the configuration database.

     

     

    The AMTSCS virtual directory interface is configured to communicate over HTTP or HTTPS for service configuration interactions. If HTTPS, a server authentication certificate (e.g. SSL certificate) is obtained and associated to the virtual directory (i.e. SSL is enabled on AMTSCS). Thus all Intel® SCS consoles and associated client management suites via SOAP over HTTP or HTTPS, with the default network port either 80 or 443.

     

     

    The Intel® AMT management engine within the Intel® vProTM clients communicate primarily on network ports 16692 through 16995 using SOAP over HTTP or HTTPS. If TLS is enabled in the provision profile, then service requests are sent to the Intel® vProTM clients over HTTPS. From a TLS context, the Intel® vProTM system is the "server" and the console initiating the communications is the "client".

     

    Provisioning States of an Intel® vProTM Client

    Although the primary focus of this article is the SCA or Intel® SCS, it may help to briefly reviewing the core provisioning states of the target Intel® vProTM client. The following image and summary points provides a simplified explanation:

     

     

     

     

    • Factory Default Mode - The management engine and network interface are closed.

    • Setup Mode - The provisioning keys (e.g. PID\PPS or certificate hashes for remote configuration) have been entered. The network interface negotiates an IP address (i.e. DHCP) and attempts to locate the ProvisionServer DNS record to send Hello packets.

    • Configured - Authentication to the ProvisionServer succeeded, defined configuration parameters have been applied to the client, the Intel® AMT admin account and associated password have been defined, and the network interface is now open to sending and receiving requests.

    Intel® SCS Console and the Altiris Out-of-Band Provisioning Interface

    With a foundational understanding of what an SCA does and how this relates to Intel® SCS - this next section explores some configuration options specific to the Intel® SCS console which may not be exposed within the Altiris interface.

     

    As previous mentioned, the Altiris Out-of-Band Management Provisioning interface is based off the Intel® SCS console. To obtain and install the console, download the Intel® SCS package from http://softwarecommunity.intel.com/articles/eng/1025.htm. Once the ZIP file is downloaded, extract out AMTConsole.exe which is approximately 2.65MB in size. Run the executable to install the console. Once installed, start the Intel® SCS console and a window similar to the one below will be shown:

     

     

    The Service Name path desired is the same as the Service Location shown in the Altiris provisioning console (e.g. Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Service Location). This effectively states the path to connect to the AMTSCS virtual web directory. Access to the configuration service is handled via Windows Authentication based on the logged in user. That user is defined as an authorized user in the provisioning console based on defined roles.

     

     

    The image below shows that two users are "Enterprise Administrators", and a third user is authorized as an "Operator". The image shows the Altiris provisioning console, with a very similar interface if the Intel® SCS console were used. Both users or groups from the Local System account or defined domain account can be authorized through this interface. As noted in a previous article, one role that Altiris provisioning console does not presently show is the "Configuration Client" authorization role.

     

     

     

     

    A brief summary of the Intel® SCS user roles is as follows:

     

    • Enterprise Administrator - Full authorization and privilege to Intel® SCS provisioning service, including the ability to define other users.

    • Administrator - Similar to Enterprise Administrator without the ability to define additional users.

    • Operator - Able to access the security keys, Intel® AMT systems, Logs, and so forth. Main difference from the Administrator role is not being able to change the service configuration settings.

    • Log Viewer - Able to view the logs for provisioning events.

    • Configuration Client - Used with the Intel® vProTM Activator utility (http://www.intel.com/software/activator) to define domain privileged accounts able to send configuration parameters from an Intel® vProTM client. In essence, able to update defined entries in the IntelAMT database via the AMTSCS interface.

     

    One of the configuration service settings noted ONLY in the Intel® SCS console is the provisioning script settings. This is shown in the General tab of the Intel® SCS console, at the lower left. The image below is an example. The default setting for an Altiris environment is to use the oobprov.exe application at the defined path. For this purpose, all Altiris NSserver associated to a single IntelAMT database instance MUST have the oobprov.exe and accompanying modified Interop.AeXClient.dll in the exact same directory path. (See http://juice.altiris.com/node/3771 ).

     

    The image below shows the setting as From DB. If set in this manner, the provisioning service looks ONLY to the local IntelAMT database to find the necessary configuration parameters. Such a setting may be useful in mixed environments where Intel® SCS is used by management consoles, yet more than Altiris exists in the environment.

    NOTE: An example of Intel® SCS based solutions includes Microsoft SMS with AMT add-on, HP Out of Band Client Management, and SupportSoft. If using other client management products in addition to Altiris, please refer to the vendors materials on whether Intel® SCS is integrated. The next article will briefly address migration scenarios.

     

     

     

     

     

     

    Sizing and Scaling of the Intel® SCS Instance

     

    The whitepaper posted at Intel® Setup and Configuration Service 3.x Deployment and Capacity Model White Paper provides additional insights to the deployment and capacity models of Intel® SCS.  The core service is relatively light, as noted on page 18 of the Intel® SCS Installation and User Guide. (See - http://softwarecommunity.intel.com/isn/downloads/Manageability/Intel_AMT_SCS_Installation_and_UserManual.pdf )

     

     

    Page 22 of the sizing whitepaper provides a summary capacity model, with a summary point that each Intel® AMT client instance consumes about .11MB (i.e. ~110kb) in the database.  Database growth is primarily due to the logging level, log retention period, and frequency of events associated to the IntelAMT instance.

     

     

    A final note on this section - each associated AMTconfig service to the IntelAMT database replicates the configuration service settings.  Therefore, if 5 worker threads were specified and 3 systems with AMTconfig are associated - then 15 worker threads are processing queued requests.  Similarly, any of the AMTconfig instances can add or process requests within the queue.

     

    Summary

     

    Understanding the underlying Setup and Configuration application (SCA) performing the provisioning service provides additional insight for various deployment and migration models.  Intel® SCS is used a few client management solutions with Intel® vProTM technology capabilities, including Altiris Out-of-Band Management.  Some non-Altiris solutions (e.g. LANDesk, Microsoft SCCM, etc) have chosen to implement their own SCA instance.  For situations where a single or multiple client management solution using Intel® SCS, the possibility exists and has been proven that a single instance may be sufficient in the configuration management of the supporting Intel® vProTM firmware.  The key is knowing the underlying configuration requirements and interactions.

     

     

     

     

     

    The next section will briefly address migration scenarios. - http://communities.intel.com/docs/DOC-1934