13 Replies Latest reply on Feb 16, 2017 12:50 AM by FerumMan

    Intel AMT 5.0 + TLS

    FerumMan

      Hello!

      I am trying to configure an Intel AMT/ME 5.0-5.2 motherboard based on the Q45 chipset to use an SSL/TLS (HTTPS) connection.

      Intel AMT versions - Wikipedia - says that AMT 5.0 has TLS.

      I made all the needed settings in the BIOS and ME BIOS and can successfully access the AMT PC via the web GUI on port 16992. But I want SSL/TLS connection encryption.

      First I tried to use ACUWizard, but it says that AMT 5.0 does not support host-based configuration (only AMT 7.0 or later), and USB-key configuration does not have certificate or SSL/TLS options.

      Second, I tried MeshCommander (latest v0.3.8), but all the time it shows only Error 400.

      Third, I used "ToolMesh - Manageability Director/Commander". It works more stably, so I created and imported 2 security certificates (root and user) into the AMT module; the certificates were added successfully. I also added those certificates to the local Windows certificate store (on the PC from which I am trying to connect to the AMT PC). I also deleted a suspicious 3rd-party application from AMT named "venCA (Unicenter)". But when I try in "Manageability Director" to set up a SecurityProfile for the AMT PC with the "Intel AMT Security" option set to any of the 4 types with TLS, an error appears: "SetTLSKeyAndCertificate() returned FAILED_WEB_CALL". Also, on the AMT PC's "Security" tab, the TLS option shows as "Unsupported" and the drop-down menu is absent.

      I tried the Intel SCS console configuration to make a "Delta configuration USB key", but it needs some "CA RCS server reach Microsoft CA" (something like this) and cannot just use the certificates stored in a nearby folder on the same PC... OMG! Intel SCS also says something about an alternative "CA local plugin", but Google tells me that this plugin does not exist yet.

      Making AMT < 7.0 work through TLS is some kind of maltreatment!!!

      Can anyone help with enabling SSL/TLS-HTTPS on AMT 5.0???

      Also, in all this software I don't see the possibility to use IDE-R image mounting. Where is it?!

        • 1. Re: Intel AMT 5.0 + TLS
          dariusz.wittek@intel.com

          The short answer is: you have to use Intel SCS SW to configure Intel AMT 2.0-5.x into Enterprise mode with TLS support.

          Intel AMT has supported TLS encryption since the first version that was part of the Intel vPro platform, i.e. Intel AMT 2.0.

          Intel AMT 2-5 has two configuration modes:

          • Small/Medium Business mode - configured manually via the MEBx BIOS module (with optional use of USB local configuration) - this is how you configured your system
            and
          • Enterprise mode - configured via the Intel RCS server (part of the Intel SCS SW) using so-called Remote Configuration with TLS Pre-Shared Keys or a Remote Configuration Certificate.

          SMB mode does not support TLS - it was intended for ...Small and Medium Businesses without PKI CA and certificate skills. Unfortunately you have to unprovision Intel AMT 5.x completely in order to configure it again in Enterprise mode. SMB mode is mutually exclusive with Enterprise mode.

          Intel AMT TLS configuration means each Intel AMT device has to have its own SSL/TLS web server certificate with key pair. The key pair and certificate have to be created by your PKI CA. Intel SCS supports MS AD PKI CA in Enterprise or Standalone mode.

          Intel SCS can also request a key pair and certificate from another third-party CA via a 3rd-party-CA-specific plugin for Intel SCS - so far only McAfee has developed such a plugin, for their ePO CA.

          Alternatively, for small scale you can use Intel SCS to configure Intel AMT into Enterprise mode without TLS and use Mesh Manageability Director/Commander or the latest Intel Manageability Commander 1.x to generate your own Root Cert (common/shared) and an AMT TLS web server cert per device.

          As all publicly trusted CAs have already moved to SHA2 certificates, you can't order an AMT Remote Configuration SHA1 certificate anymore - and as Intel AMT 2-5.x supports only SHA1 certificates, Intel AMT configuration with one of the 15 default root-CA-issued AMT Remote Configuration certificates is no longer available.
          You may

          1. import your own Root CA cert hash into the ME FW (with USB Local Pre-Config) and use your own self-signed SHA-1 Intel AMT Remote Configuration certificate

            OR
          2. use PSK-TLS - pre-shared keys - generated using the ACUConfig.exe tool (or the AMT SDK's USBFile tool); import them into the AMT FW on each system (you may also need to import them into Intel RCS via the SCS Console)
            This configuration method works for AMT 2-10.x but is no longer supported by AMT 11 or newer (it was deprecated).

          Last but not least - in Intel AMT 6.0 or newer, SMB mode and Enterprise mode have been merged into a single configuration mode - so you can use MEBx or USB to configure Intel AMT and then use RCS or Mesh Commander/Director to add TLS setup to it.

          The Intel SCS User Guide contains all required information on configuration methods - if you would like to get more "for dummies" config guides, let me know.
          rgds

          Dariusz Wittek
          Intel EMEA Biz Client Technical Sales Specialist

          • 2. Re: Intel AMT 5.0 + TLS
            FerumMan

            I wrote a huge answer but the forum just ate it...

            Long story short - the problem was that Small Business mode does not support TLS.

            I somehow managed to set up TLS with Enterprise mode, so now I can connect via 16993. (Hallelujah!)

            (I will restore the full story later.)

            But now I have a problem with IDE-R/SOL (WEB, SOL, IDE-R, RedirectionPort = Enable; BIOS COM = Enable) when trying to boot via AMT + .ISO: "IMR_RES_ERROR", and the AMT PC shows the standard error: "Reboot and Select proper Boot Device". Please look at the attached log - maybe you know how to fix this error?

            • 3. Re: Intel AMT 5.0 + TLS
              dariusz.wittek@intel.com

              Which Intel AMT console SW are you using to do IDE-R redirection?

              • 4. Re: Intel AMT 5.0 + TLS
                FerumMan

                Because the genuine Intel SCS has only a console for its own configuration server and ACUWizard for making only first-configuration profiles, but does not have any possibility to remotely and directly control/configure already configured AMT PCs...

                Because MeshCommander all the time just shows errors (Error 400 with port 16992 and Timeout with port 16993)...

                I can use only: Manageability Commander - AMT PC - Connect - Remote Control tab - Take Control... it opens a new window with console, SOL, IDE-R, etc...

                Either directly from the start of "Take Control Console", or when pressing "Connect to SOL" or "Restart with IDE-R (many variants)", it shows this error "IMR_RES_ERROR", with no difference whether SOL is Enabled or not... (look at the screenshot here and the log above)

                • 5. Re: Intel AMT 5.0 + TLS
                  FerumMan

                  So I did one more full un-provisioning but the problems do not go away.

                  I can fully configure the AMT 5.0 PC via PSK and then connect to it via Manageability Director/Commander with full direct configuration via TLS 16993.

                  I can change all settings and all works fine. But when I try to open "TakeControlTerminal" - an error appears!

                  In the terminal I can add 2 boot disks (floppy .img and CD .iso), I can reboot the AMT PC with booting from CD - this shows on the AMT PC boot screen as:

                  "AMT Boot Option: [IDER Primary Slave Device Boot] [SOL]"

                  Also in the BIOS I now see two new storage devices named "IDER....".

                  But at boot the AMT PC just doesn't see those IDER boot disks! So it writes the standard error: "Reboot and Select proper Boot Device".

                  Also in the Terminal I see errors when I: start the terminal; press "connect SOL"; press "IDER Activate".

                  Through MEBx I checked that all needed options are really turned ON - and it's true, SOL&IDER=Enable.

                  I also tried to change the COM port address (IRQ) in the BIOS, but it does not change anything.

                  I have already tried all I can about 10-20 times and this idiotic error just makes me mad...

                  Also I still cannot connect to my AMT 5.0 PC via the newer MeshCommander.

                  Does Intel have at least one professional in the AMT division that can help me???

                  • 6. Re: Intel AMT 5.0 + TLS
                    FerumMan

                    Maybe this helps to investigate the problem...

                    When in MEBx I turn SOL&IDER OFF (Disable), reboot, enter MEBx and turn them ON (Enable), reboot, and connect via Manageability Commander - on the Remote Control tab the third option "Redirection port" is OFF (Disabled)! And after I press the button next to it, "Redirection port" becomes Enabled... but maybe it's not... ???

                    Also I don't see this "Redirection port" option in MEBx.

                    Is there any other software except Manageability Commander & MeshCommander that can use the AMT 5.0 IDE-R function and boot from IDE-R disk images???

                    • 7. Re: Intel AMT 5.0 + TLS
                      dariusz.wittek@intel.com

                      The Intel AMT Redirection port (16994 for non-TLS / 16995 for TLS setup) is used by Intel AMT SOL, IDE-R/USB-R and KVM Redirection sessions.

                      This port listener state shall be enabled by the redirection application console. It is not an AMT configuration parameter, so you can't enable it as part of AMT setup.

                      After AMT configuration from the fully unprovisioned state, the Redirection Port Listener state will be Disabled (off).
                      In MEBx setup you may select Legacy Redirection Mode = Enabled, which will turn on the AMT Redirection Port.

                      If it is not enabled, Manageability Commander Tool MESH Edition (use v0.1.35) will gray out the Take Control button.
                      You have to enable it from the Remote Control tab or via the RedirectConfig.exe tool from the Intel AMT SDK.

                      In Manageability Commander Tool MESH Edition you also have to activate the IDE-R session from the AMT Terminal: after selecting the IDE-R FDD & CDD/DVD images/media, click Disc Redirect > Redirect Active.

                      MeshCommander will display information about the Redirection Port being disabled at the top of the Redirection (SOL/KVM) window - you shall check Redirection Port.

                      Last but not least - you have to use the FQDN of the target PC for Intel AMT TLS connections - and make sure your console trusts the whole AMT TLS cert trust chain.

                      • 9. Re: Intel AMT 5.0 + TLS
                        FerumMan

                        Thanks for the fast and detailed answer. But I'm starting to hate Intel...

                        The forum ate my huge answer for the second time...

                        You repeat what I already wrote as already done...

                        Also I don't have an option named like "RedirectionPort, etc" in MEBx; if you doubt it I can make a video of the MEBx view. But I suppose that you just don't have an AMT 5.0 version test stand to look at its MEBx.

                        Of course I use the latest MC version 1.0.35. At first, after un-provisioning, it shows RedirectionPort as Disabled with the big "TakeControl" button grayed out, but after pressing the small button in front of the "RedirectionPort" option it becomes Enabled and now it's possible to press the big "TakeControl" button.

                        In the Terminal, in the top left corner, all the time I see only "TLS Secured, Serial-over-LAN - Disconnected" and the error...

                        So the problem apparently is about "RedirectionPort"... as I assumed...

                        But how to solve it?!?!

                        PS I just downloaded all that madness quantity of software (in total I already have about 15 (!!!!!) programs for one AMT) and will try them... OMG...

                        • 10. Re: Intel AMT 5.0 + TLS
                          FerumMan

                          So I tested all that software:

                          "Remote ISO Launcher" - just can't connect to the AMT PC, maybe because this software just doesn't have any settings for user/admin/security. Deleted.

                          "Intel Manageability Commander" - the same problem as with MeshCommander - "Timeout error" instantly after pressing the "Connect" button. Deleted.

                          "2 sw for PowerShell" - looks like some kind of Lego present for sw developer freaks. Deleted.

                          "Remote Drive Mount" - inside the .zip there is an ISO for boot and software for Linux, but I use Windows. Deleted.

                          "Intel vPro Platform Solution Manager" - at first try it also can't connect, with an error about certificates, but when I somehow guessed to enter at Settings->Security->UseTLS->CertificateName the name of the user certificate: "UserCA" (AMT root (trusted) certificate named RootCA -> makes -> AMT user certificate named UserCA) ... it connected and IDE-R immediately started to work!

                          THANK GOD, HALLELUJAH! OH MY GOODNESS!!! IT WORKS, IT REALLY WORKS!!! HALLELUJAH! HALLELUJAH! HALLELUJAH! (after 2 weeks of torment).

                          Unfortunately this software is only Console+Terminal+KVM+IDER+Info - it can't set up and directly configure AMT settings. So it's only a client for an already fully set up & configured AMT, so for full possibilities it needs some other configuration software.

                          At this state I can recommend only 2 pieces of software:

                          "ManageabilityDeveloperToolKit (ManageabilityDirector+ManageabilityCommander)" - because only they give all possible variants for fast + self-sufficient + clear setup (via touch+usb+online) and then give all possibilities for remotely re-setting up and re-configuring the AMT PC. (This software only needs improving by adding a layer of check & block functions, for example: not to use TLS on AMT with SmallBusiness provisioning mode, so as not to mislead admins; don't open the Terminal when RedirectionPort is disconnected; don't try to boot with IDE-R if IDE-R just isn't Active; hide the RemoteDesktopViewer option for AMT<6; etc etc etc) And what is especially important - ONLY THIS SW WORKS! OMG! TT

                          "Intel vPro Platform Solution Manager" - because this AMT client looks nice and clear; also this is the only software that really makes IDE-R work on AMT5 !!! OMG!!!

                          I will add some personal opinion about all this stuff a little later.

                          Thanks for the help, but I really didn't expect so many problems with buggy software from the top-level Intel giant.

                          • 11. Re: Intel AMT 5.0 + TLS
                            FerumMan

                            One more problem with AMT...

                            On a test local network that looks like this:

                            Router -> Cable1 -> PC1Admin

                                      -> Cable2 -> PC2AMT

                                      -> WiFi1 -> Notebook1

                            When I try to connect to PC2AMT from PC1Admin with Intel vPro Platform Solution Manager or the WebGUI etc., all works fine (finally, hallelujah!).

                            But when I try to connect from Notebook1 with Intel vPro Platform Solution Manager, all the time I see errors:

                            Failed to connect <IP>: The message received was unexpected or badly formatted.

                            When I try the WebGUI, PC1Admin also connects normally (with a prompt to choose a cert and login/password), but from Notebook1 the connection is dropped instantly.

                            Of course the two needed certificates (root+user) are already installed on all computers.

                            Any suggestions?

                            • 12. Re: Intel AMT 5.0 + TLS
                              FerumMan

                              Still does not work from notebook1 with Win10...

                              I have also tried to connect notebook1 via cable - no result.

                              But all works flawlessly from another notebook2 with Win7 SP1.

                              Any suggestions?

                              What special firewall rules are required for Intel vPro Platform Solution Manager & AMT & IDE-R connections?
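An added example (not code from this thread, from Intel, or from any of the tools named above) that turns the rules given in reply 7 and the firewall question above into a check an admin can run from the console PC: which ports a rule must allow in each mode, and a TLS handshake to the AMT web port that validates the chain against the imported Root CA and checks the FQDN. It assumes the default AMT ports and a PEM copy of that Root CA (or the system trust store when no file is given).

```python
"""Intel AMT reachability and TLS trust check (added example, not Intel code).
Assumes the default AMT ports and a PEM copy of the Root CA imported into AMT
(None = system trust store, where the thread's author imported the certs)."""
import socket
import ssl
from typing import List, Optional

# (port, role, uses TLS): the defaults quoted in the thread
AMT_PORTS = [
    (16992, "web UI / WS-Management", False),
    (16993, "web UI / WS-Management", True),
    (16994, "SOL / IDE-R / KVM redirection", False),
    (16995, "SOL / IDE-R / KVM redirection", True),
]

def ports_for(tls: bool) -> List[int]:
    """Ports a console needs (and a firewall must allow) in the given mode."""
    return [port for port, _, uses_tls in AMT_PORTS if uses_tls == tls]

def firewall_summary(tls: bool) -> str:
    """One line per port to hand to whoever writes the firewall rule."""
    return "\n".join(f"allow tcp/{p} ({role})" for p, role, t in AMT_PORTS if t == tls)

def amt_tls_context(root_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Strict client context: the chain must validate and the name must match."""
    ctx = ssl.create_default_context(cafile=root_ca_pem)
    ctx.check_hostname = True            # this is why the FQDN, not the IP, is required
    ctx.verify_mode = ssl.CERT_REQUIRED  # the Root CA must be trusted by the console
    # AMT 2-5.x firmware only has SHA-1 certificates; a modern default context may
    # reject them, which is a finding to record rather than a setting to relax here.
    return ctx

def check_amt_tls(fqdn: str, root_ca_pem: Optional[str] = None,
                  port: int = 16993, timeout: float = 5.0) -> str:
    """Open a TLS session to the AMT web port and classify the outcome."""
    ctx = amt_tls_context(root_ca_pem)
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
                cn = dict(pair[0] for pair in cert["subject"]).get("commonName")
                return f"ok: {tls.version()} to {fqdn}:{port}, certificate CN={cn}"
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain or FQDN mismatch: import the Root CA, or use the FQDN.
        return f"trust or name problem: {exc.verify_message}"
    except ssl.SSLError as exc:
        return f"tls error: {exc}"
    except OSError as exc:
        # Refused or timed out: port closed, firewall, or listener disabled.
        return f"tcp error: {exc}"
```

Run `check_amt_tls("amt-pc.example.internal", "RootCA.pem")` with your own FQDN and Root CA file; a "trust or name problem" result separates the certificate issue from a "tcp error", which points at the firewall or a disabled listener instead.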

                              • 13. Re: Intel AMT 5.0 + TLS
                                FerumMan

                                Hey, Dariusz Wittek, superior "Intel EMEA Biz Client Technical Sales Specialist", where are your promised "more config guides 'for dummies'"?!

                                It seems that my questions require much more than an easy answer "for and from dummies"!

                                Don't be so conceited next time!

                                Regards.