3 Replies Latest reply on Apr 7, 2017 10:03 AM by Anitallica

    HLAPI: Digest authentication with mutual TLS

    Anitallica

      Hi everyone,

       

      I am trying to use the Intel AMT HLAPI to make a connection to an AMT 11.0 device that has been provisioned to use Digest authentication and mutual TLS.

      The machine I am connecting from has a valid certificate for mutual TLS, the subject is CN=<machine_fqdn>.

       

      I am using the Sample HLAPI project from Intel, and also have access to the HLAPI in debug.

      I defined the connection as follows:

      ci = new ConnectionInfoEX("<target_machine_fqdn>", "<digest_username>", "<password>", true, "CN=<machine_fqdn>", ConnectionInfoEX.AuthMethod.Digest, null, null, null);

       

       

      It works fine if I connect to an AMT 6.1 machine provisioned from the same SCS with the same settings.

      However, if I try to connect the same way to the AMT 11 machine (just change the target machine FQDN in the above ConnectionInfoEX), it fails in GetVersionWSMan() in AMTInstanceManager line 922. The exception is:

       

      {Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected ---> Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected

         at Intel.Management.Wsman.HttpTransport.GetResponse(String method)

         at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc, String soapCmd)

         at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc)

         at Intel.Management.Wsman.WsmanConnection.RetryLoop(XmlDocument reqDoc, Exception& resultExp)

         --- End of inner exception stack trace ---

         at Intel.Management.Wsman.WsmanConnection.SendObjectRequest(String msgId, XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)

         at Intel.Management.Wsman.WsmanConnection.SubmitRequest(XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)

         at Intel.Management.Wsman.WsmanConnection.SubmitRequest(String requestString, IManagedReference refObj, IManagedInstance input)

         at Intel.Management.Wsman.ManagedReference.Get()

         at Intel.Manageability.Impl.AMTInstanceManager.GetVersionWSMan() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 922

         at Intel.Manageability.Impl.AMTInstanceManager.SetVersionInfo() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 868}

      System.Exception {Intel.Management.Wsman.WsmanConnectionException}

       

      Does anyone have any idea how I could find out the cause of this issue? Thanks in advance.

        • 1. Re: HLAPI: Digest authentication with mutual TLS
          Anitallica

          Update:

          I realized that I had forgotten to add the hash of the Root CA certificate in the MEBx hash list on the AMT 11 device, so I did that as well.

          I noticed all the default hashes entered there are sha256, my certificate is sha1. Could that have anything to do with my issue?

          On the AMT 6 machine (the one that works), also the default hashes are from sha1 certificates.

           

          After adding the hash, still no change:

          - it doesn't work from the HLAPI sample project

          - it also doesn't work from the vProPlatformSolutionManager.exe application (found under AMT_SDK_11.6.0.7\Windows\Intel vPro Platform Solution Manager\Source Code\Bin)

           

          However, through the web access, https://<target_AMT_machine_fqdn>:16993, it works. I get a prompt to choose the certificate (only my Mutual TLS certificate shows up in the list, the same one I used in the HLAPI sample project and the Intel sample app), I select it, then I get prompted to login, I enter the digest user (the same one I tried in the HLAPI project and the Intel sample app), and it connects.

          I removed the hash from MEBx, re-provisioned the system with digest with mutual TLS (so I am back to the state from yesterday), and the web access still works!

           

          So now my question is: why is it necessary to add the hash of the root CA to the MEBx hash list? What should not work if it's not added? Because without the hash, I tried both digest with TLS, which worked from all 3 methods (HLAPI, Intel sample app and web access), and mutual TLS, which at least works on web access.
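
A diagnostic for the failure discussed in the posts above, added here as an example; it is not code from the Intel AMT SDK or from the posters. It uses only .NET's SslStream to attempt the mutual TLS handshake on port 16993 once per TLS version and prints the signature algorithms of the certificates involved; the CurrentUser\My store location and the two command-line arguments are assumptions.

```csharp
// Added diagnostic example, not Intel SDK code. Sends no Digest credentials.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

class AmtMutualTlsProbe
{
    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: probe <amt_fqdn> <client_cert_subject_dn>");
            return 2;
        }
        string host = args[0], subject = args[1];

        // Assumption: the client certificate lives in CurrentUser\My and is
        // selected by subject DN, as in the ConnectionInfoEX call in the post.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection certs = store.Certificates.Find(
            X509FindType.FindBySubjectDistinguishedName, subject, false);
        store.Close();
        foreach (X509Certificate2 c in certs)
            Console.WriteLine("client cert: {0} sig={1} hasPrivateKey={2}",
                c.Subject, c.SignatureAlgorithm.FriendlyName, c.HasPrivateKey);

        // One handshake per protocol version, to see which ones the device accepts.
        foreach (var proto in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            try
            {
                using (var tcp = new TcpClient(host, 16993))
                using (var ssl = new SslStream(tcp.GetStream(), false, CheckServerCert))
                {
                    ssl.AuthenticateAsClient(host, certs, proto, false);
                    Console.WriteLine("{0}: handshake OK, cipher={1}, mutuallyAuthenticated={2}",
                        ssl.SslProtocol, ssl.CipherAlgorithm, ssl.IsMutuallyAuthenticated);
                }
            }
            catch (Exception ex) { Console.WriteLine("{0}: failed: {1}", proto, ex.GetBaseException().Message); }
        }
        return 0;
    }

    // Logs the device certificate and fails closed on any chain or name error.
    static bool CheckServerCert(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("  server cert: {0} sig={1} policyErrors={2}",
            cert.Subject, new X509Certificate2(cert).SignatureAlgorithm.FriendlyName, errors);
        return errors == SslPolicyErrors.None;
    }
}
```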

          • 2. Re: HLAPI: Digest authentication with mutual TLS
            michael_a_intel

            Anitallica

            We've been looking over your post.  Would like to request that you open a ticket so that we can get your contact information here:

             

            Contact Support

            Select AMT and open service request and fill out details.

            • 3. Re: HLAPI: Digest authentication with mutual TLS
              Anitallica

              Thanks for the reply, I opened a case now. Will give an update if the issue gets solved.