4 Replies Latest reply on Aug 29, 2017 6:27 AM by Translator

    Enabling TLS via SCS Host-based method

    Translator

      My office pc has an AMT 11 enabled board, and I want to switch it on/off and reboot out-of-band via Internet (port 16992).
      I've managed to get the WebUI of AMT working perfectly, but the connection is not encrypted. So I want to enable the TLS function of AMT (port 16993).

      From the documentation I learned that I should choose the Host-based Provisioning method which is provided by Intel's configuration utility (ACUconfig.exe). The utility works and is able to modify some settings in my board's AMT/ME firmware. But if I check the TLS box and enter certificate files, it doesn't work anymore but displays "File decryption failed".

      So far I used a self-signed certificate, created by the Manageability Director tool and exported as files. Maybe this is the wrong way. How can I enable TLS? I don't need remote provisioning, KVM, SOL etc. I need WebUI only, but with TLS.

        • 1. Re: Enabling TLS via SCS Host-based method
          alderson


          You'll need to make sure your certificate and private key are in the correct format. Using the Manageability Director tool you'll want to make sure you select either Intel AMT Remote Console Certificate or All Permissions Certificate and enter the FQDN of the AMT computer for the Common name. Once created you will need to save off the certificate as a base-64 .CER file as well as a .PFX file that includes your private key.


          Take the PFX file and extract the private key using Openssl.

          1. openssl pkcs12 -in c:\path\cert.pfx -out c:\path\cert.key
          2. Enter password used to secure PFX certificate
          3. Enter a PEM pass phrase
          4. Verify PEM pass phrase


          After extracting your private key you'll need to convert the Encrypted Private Key file to an RSA Private Key.

          1. openssl rsa -in c:\path\cert.key -out c:\path\newcert.key


          The new private key should begin and end with:

          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----


          Use this new private key in your configuration profile.


          Regards,

          Alan

          • 2. Re: Enabling TLS via SCS Host-based method
            Translator

            Thanks for your answer. I had to modify your recipe slightly, because the Manageability Director exports binary .cer but not base64 .cer. So I imported the binary .cer into the Windows Cert Manager and exported it back as a base64 .cer file.

            Then, after having followed all remaining steps of your recipe, I had the two files as described in Intel(R)_AMT_Configuration_Utility.pdf V11.1. But it doesn't work.


            Log file:
            2017-08-25 10:12:32: Thread:5384(ERROR) : ACU.dll, Category: Configure Profile Source: ACUDll.cpp : ConfigureAMT Line: 1905: Failed to read certificates from given files. Reason: File decryption failed. 
            2017-08-25 10:12:32: Thread:5384(ERROR) : RDESK3, Category: Configure Profile Source: ACUDll.cpp : ConfigureAMT Line: 2389: Configure Profile Failed: File decryption failed.   (0xc000028f).
            2017-08-25 10:12:32: Thread:5384(DETAIL) : localhost, Category: end function Source: ACUDll.cpp : ConfigureAMT Line: 2499:
            2017-08-25 10:12:32: Thread:5384(ERROR) : ACU.dll, Category: Profile Configuration Source: ACUDll.cpp : ClientControlConfiguration Line: 3399: File decryption failed.   (0xc000028f).
            2017-08-25 10:12:32: Thread:5384(DETAIL) : ACU Configurator , Category: -END- Source: ACUDll.cpp : ClientControlConfiguration Line: 3418: ***** END


            I could look into ACUDll.cpp but there are no source files available?

            • 3. Re: Enabling TLS via SCS Host-based method
              alderson

              When you open your key file how does the BEGIN and END read, what's the exact text?

              -----BEGIN RSA PRIVATE KEY-----

              OR

              -----BEGIN ENCRYPTED PRIVATE KEY-----


              Also, did you install the Manageability Director Self-signed Root certificate into the target client's Computer account Trusted Root Certificate store?


              Regards,

              Alan
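The two file-format checks behind Alan's replies (the key must read RSA PRIVATE KEY rather than ENCRYPTED PRIVATE KEY, and the .cer must be base-64 rather than the binary export), as an added Python checker that is not part of this thread or of Intel's tooling. It also flags an RSA PRIVATE KEY file that still carries a Proc-Type: 4,ENCRYPTED header, which the BEGIN line alone does not reveal; TINY_DER and sample_pem are constructed placeholders, not real keys or certificates.

```python
import base64
import re
# Added checker (not from the thread or Intel's ACUconfig): name the encoding of the
# certificate and key files handed to a TLS profile before the utility rejects them.
PEM_RE = re.compile(rb"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)

def _pem_parts(data):
    """(label, RFC 1421 headers, decoded DER) of the first PEM block, or None."""
    m = PEM_RE.search(data)
    if not m:
        return None
    lines = m.group("body").splitlines()
    headers = [ln.decode() for ln in lines if b":" in ln]   # Proc-Type / DEK-Info lines
    try:
        der = base64.b64decode(b"".join(ln.strip() for ln in lines if b":" not in ln), validate=True)
    except ValueError:
        der = None
    return m.group("label").decode(), headers, der

def classify_key(data):
    """Only 'pkcs1-unencrypted' is the plain 'BEGIN RSA PRIVATE KEY' file the reply asks for."""
    if data[:1] == b"\x30":
        return "der"                        # binary ASN.1, not a PEM text file
    parts = _pem_parts(data)
    if parts is None:
        return "unknown"
    label, headers, der = parts
    if der is None or der[:1] != b"\x30":   # a real key decodes to an ASN.1 SEQUENCE
        return "corrupt-base64"
    if label == "ENCRYPTED PRIVATE KEY":    # PKCS#8: what 'openssl pkcs12 -out' writes with a pass phrase
        return "pkcs8-encrypted"
    if label == "RSA PRIVATE KEY":          # PKCS#1; a Proc-Type header means it is still encrypted
        enc = any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
        return "pkcs1-encrypted" if enc else "pkcs1-unencrypted"
    if label == "PRIVATE KEY":              # PKCS#8 plain: OpenSSL 3 'openssl rsa' default (-traditional gives PKCS#1)
        return "pkcs8-unencrypted"
    return "unknown"

def classify_cert(data):
    """'pem' for a base-64 .cer; 'der' for the binary .cer Manageability Director exports."""
    if data[:1] == b"\x30":
        return "der"
    parts = _pem_parts(data)
    ok = parts is not None and parts[0] == "CERTIFICATE" and parts[2] is not None and parts[2][:1] == b"\x30"
    return "pem" if ok else "unknown"

# Constructed samples (not real keys or certificates): a minimal DER SEQUENCE under each PEM label.
TINY_DER = b"\x30\x03\x02\x01\x00"
def sample_pem(label, *headers):
    hdr = b"".join(h + b"\n" for h in headers) + (b"\n" if headers else b"")
    return b"-----BEGIN " + label + b"-----\n" + hdr + base64.b64encode(TINY_DER) + b"\n-----END " + label + b"-----\n"
```

Run classify_key() over the file produced at each openssl step: only the output of the second step should come back as pkcs1-unencrypted.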

              • 4. Re: Enabling TLS via SCS Host-based method
                Translator

                "When you open your key file how does the BEGIN and END read, what's the exact text?"


                Copy from the file:

                -----BEGIN RSA PRIVATE KEY-----

                and

                -----END RSA PRIVATE KEY-----


                "did you install the Manageability Director Self-signed Root certificate into the target client's Computer account Trusted Root Certificate store"


                Yes, I did. Additionally I put a copy into the Admin account Trusted Root Certificate store.