11 Replies Latest reply on Apr 11, 2012 6:34 AM by

    SCS 5.0 with HP Client Automation

    chykun

      I'm using SCS 5.0 in conjunction with HP's Client Automation Standard 7.8 for vPro management.

       

      When using the Activation tool, I'm getting a couple of errors in the SCS console and the command line.  Here is the command line I'm using with the Activation tool:

       

      Activator.exe /s https://FQDN/amtscs_rcfg /p 3 /o ou=casoob,dc=domain,dc=local /t ON /f /c /e /h /u user@domain.local /x password

       

      I've also tried this command line:

       

      Activator.exe /s https://FQDN/amtscs_rcfg /p 3 /o ou=casoob,dc=domain,dc=local /t ON /f /c /e /h

       

      here is the error on the command line:

       

      PT_STATUS_INVALID_PT_MODE: Command is not permitted in current operating mode.
      Activate Intel AMT configuration:
      failure
      PT_STATUS_INVALID_PT_MODE: Command is not permitted in current operating mode.Step Into: StartConfiguration
      Step out: StartConfiguration error 3
      After StartConfiguration 3

       

      this is the error i see in the SCS console:

       

      Error Configuring Intel AMT device: No rows found in get Configuration Parameters.

       

      The platform is showing in the SCS console as unconfigured with a UUID.  I can get around this by editing the platform and adding the FQDN, AD OU and PROFILE.  The device will remotely provision just fine after that.  But this doesn't really make sense to me because I'm supplying those parameters in the command line.

       

      Is this behavior by design, or is there something I'm missing?

        • 2. Re: SCS 5.0 with HP Client Automation
          chykun

          I got it figured out... I had ProvisionServer set in DNS to point to my SCS server.  This was putting the UUID in the SCS database, thus stopping the machine from provisioning using the activation tool.  I took the entry out of DNS and set the vPro machine back to factory defaults.  At this point, the hello packets were not reaching the SCS server.  I ran the activation tool with the same parameters and it worked fine.

          • 3. Re: SCS 5.0 with HP Client Automation

            The option of using the Activator with user name and password can only be utilized outside of the domain, so if your system is in the domain the error that you got is expected.

            The error 3 means that there is no access to the AMT from the OS through the ME driver. Please verify that you installed the driver and that the user running the Activator is a local admin or has significant permissions if you are using Vista or Win7.

            • 4. Re: SCS 5.0 with HP Client Automation
              slecomte

              Hi Mate

               

              Did you get this fixed? I have SCS 5 working perfectly with HP Client Automation; happy to help you out here, just ping me an email.

               

              Regards

               

              Simon Le Comte

              • 5. Re: SCS 5.0 with HP Client Automation
                chykun

                I got it working without certificates.  I can get the SCS server to work fine with certificates, but apparently I'm doing something wrong with HPCA.  It keeps giving me an error when I try to hook it up with SCS using an HTTPS link.  It gives me some standard "there was a certificate problem" error.  Let me change it back to use certificates and I'll post the steps I'm going through.

                • 6. Re: SCS 5.0 with HP Client Automation
                  chykun

                  I think I may have my certs set up wrong.  When I use NON-TLS everything works fine.  As soon as I bring TLS into the picture, I start getting errors.  It’s weird because the SCS will provision the AMT device with the certificates just fine, and I can use the AMT Mutual Authentication certificate I created to manage the AMT device through the web interface just fine.  But the SCS console cannot communicate with the AMT device any more.  The certificate I’m using to go through the AMT web interface is the one I exported from the cert store from the SCS service user account.  So here is my set up

                  Server 2008 Enterprise with an enterprise CA running on it

                  The provisioning cert I created works great.  The mutual authentication cert has the OIDs of 1.3.6.1.5.5.7.3.2 and 2.16.840.1.113741.1.2.1.  The second one I had to create of course, but the first was already in there as “Client Authentication”.

                  I used the https://<FQDN of the CA>/certsrv  to request the client cert.  when I did that, I was logged in as the SCS service account.  I then exported that cert and installed it on another computer so I could manage the AMT device through the web interface.  To double check, I logged into the SCS server as the SCS service account and went to https://<FQDN of AMT device>:16993.  I was asked which cert I wanted to use to authenticate to the AMT device, there was only one, I chose it and I was able to log in. 

                  But once I use TLS, I start seeing these errors in the SCS console whenever I try to do anything else to that platform:

                  The SOAP connection with connection parameter set #1 failed: WS-Management [3]: "Error calling WSMan getFullCoreVersion(CIM_SoftwareIdentity.Get): HTTP error".

                  The SOAP connection with connection parameter set #2 failed: AMT Connection Error: SOAP Error [25]: "getFullCoreVersion: SOAP Unknown error".

                  Error Configuring Intel AMT device: Failed to connect to configured Intel AMT device at FQDN xxxxxx.xxx.xxx: AMT Connection Error: SOAP Error [25]: "getFullCoreVersion: SOAP Unknown error".

                  So is it trying to connect to HTTP instead of HTTPS?  The FQDN is correct.

                  • 7. Re: SCS 5.0 with HP Client Automation
                    chykun

                    It seems my certificates were OK.  In the SCS console, in the profile section, I guess you have to set the ADMIN password (cannot be randomized).  That was the only thing I changed and now the SCS seems to be working fine.  So I'll go back to HPCAS and get some procedures there.

                    • 8. Re: SCS 5.0 with HP Client Automation
                      chykun

                      I’ve established that I have SCS working fine in any mode (TLS, non-TLS, Mutual Authentication TLS).  So now I’m working on getting CAS to see anything SCS side.  Right now, if I have my AMT device in NON-TLS mode, HPCA can get stats from it. So now I’ve put my AMT device into TLS mode.  SCS can manage it and the web interface works fine with the HTTPS address. Here is what I’ve done to try to get HPCA to work.

                      I exported the root CA certificate by going to the root CA server, open Certification Authority, Right-click on the server name>properties>certificate #0 shows in the window>view certificate>details tab>copy to file>choose the DER x509 format> copy to a network location.

                      I then copy the .CER file to the HPCA server and import it to the Java Key Store using the Keytool utility.  The command line I used was:

                      Keytool -import -noprompt -alias customcacert -keystore ..\lib\security\cacerts -storepass <password> -file c:\certs\root.cer

                      I checked the CACERTS file and it grew by 1KB after the process.  I then converted that same CER file to PEM format using the OpenSSL utility in the C:\Program Files\Hewlett-Packard\HPCA\ApacheServer\bin folder.  The command I used here was

                      Openssl x509 -inform DER -outform PEM -in c:\certs\root.cer -out c:\certs\root.pem

                      I then modified the C:\Program Files\Hewlett-Packard\HPCA\OOBM\conf\config.properties and pointed it to that PEM file with this line:

                      root_certificate=C\:\\certs\\root.pem

                      Lastly, I added the root CA common name with this line:

                      ca_server_commonname=xxx-XXX-XX-BDC2008-CA

                      I took that CN from the Certification Authority window server name from the root CA server.

                      See anything I’ve missed?
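
A way to cross-check the artifacts produced by the steps in the post above, as an added shell example (not part of any poster's message, and not HP or Intel code). It builds a throwaway CA with openssl so it runs offline; the function names, file names and CNs are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. File names and CNs are constructed, not taken from the thread.

# Value of KEY in a Java .properties file with backslash escapes undone,
# so C\:\\certs\\root.pem reads back as C:\certs\root.pem (last definition wins).
props_get() {  # props_get FILE KEY
    tr -d '\r' < "$1" | sed -n "s/^$2=//p" | tail -n 1 | sed 's/\\\([\\:=]\)/\1/g'
}

# Subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# SHA-256 fingerprint; $2 is the input format (DER or PEM).
cert_fp() { openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256; }

# Exit 0 only if the DER export, its PEM copy, the configured CN and the
# certificate a device presents all point at the same CA.
check_trust() {  # check_trust CONF ROOT_DER ROOT_PEM DEVICE_PEM
    [ "$(cert_fp "$2" DER)" = "$(cert_fp "$3" PEM)" ] ||
        { echo "PEM file is not the exported root"; return 1; }
    [ "$(props_get "$1" ca_server_commonname)" = "$(cert_cn "$3")" ] ||
        { echo "ca_server_commonname differs from the root CN"; return 2; }
    openssl verify -CAfile "$3" "$4" >/dev/null 2>&1 ||
        { echo "device certificate does not chain to this root"; return 3; }
    echo "consistent"
}

# Constructed sample: throwaway root, a device cert it issued, an unrelated cert.
make_sample() {  # make_sample DIR
    d=$1; new="openssl req -newkey rsa:2048 -nodes"
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    $new -subj /CN=Constructed-Root-CA -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -extfile "$d/ca.ext" \
        -out "$d/ca.pem" 2>/dev/null
    $new -subj /CN=amt.example.test -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null
    openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/device.pem" 2>/dev/null
    $new -x509 -subj /CN=Unrelated-CA -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/root.cer"   # stand-in for the CA export
    openssl x509 -inform DER -outform PEM -in "$d/root.cer" -out "$d/root.pem"
    printf '%s\n' 'root_certificate=C\:\\certs\\root.pem' \
        'ca_server_commonname=Constructed-Root-CA' > "$d/config.properties"
}

SAMPLE=$(mktemp -d) && make_sample "$SAMPLE"
check_trust "$SAMPLE/config.properties" "$SAMPLE/root.cer" "$SAMPLE/root.pem" "$SAMPLE/device.pem"
check_trust "$SAMPLE/config.properties" "$SAMPLE/root.cer" "$SAMPLE/root.pem" "$SAMPLE/other.pem" || :
```

On real files, the fourth argument would be the certificate the AMT device presents on port 16993, saved as PEM.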

                      • 9. Re: SCS 5.0 with HP Client Automation
                        chykun

                        Boris,

                         

                        To answer your question, I was running the activator tool as the local admin, then a domain admin.  Both gave me the same error codes.  I am running on Windows 7.  I took off the user name and password options per your suggestion and still got error 3.  The ME driver is installed.

                        • 10. Re: SCS 5.0 with HP Client Automation
                          Giggs

                          Hi chykun,

                          Have you solved the problem? We have also met the same trouble with HPCA.

                          We have discovered the vPro client in HPCA with CA mode, but cannot fully control this client in HPCA. The log shows an "Unknown_CA" error.

                          And we can also fully control this vPro client in HPCA using PSK mode.

                          If you have solved it, can you share with us?

                          Thanks a lot!

                           

                           

                          Giggs

                          • 11. Re: SCS 5.0 with HP Client Automation

                            My environment is simple: I have two systems, both are HP 8100 Elite desktops and both have vPro.

                             

                            The 1st system has Windows Server 2003 SP2 (32 bit) with Intel SCS Version 5.4.0.9.

                            The 2nd system has Windows Server 2008 R2 with HPCA installed.

                             

                            Also, the Intel SCS that is bundled with HPCA has only the AMT Configuration Server and AMT Configuration Console. [[ There is no ACU Wizard in that package (this is one issue; however, I downloaded Intel SCS Version 7.1 I guess and copied the ACU Wizard from there and tried to configure the system through that using USB). ]] The parts in brackets are my thoughts...

                             

                            I was initially trying to integrate HPCA with Intel SCS but I have stopped working on HPCA since I am initially stuck with an Intel SCS issue. I have done manual configuration. I can access the client through the web interface but for some reason the system is not listed in Intel SCS. What I did once was to right-click Platforms and manually enter the UUID, and the system appeared in Intel SCS, but it was showing unconfigured and I couldn't do much on it. (Please see the screenshot)

                             

                            I have created an OU named IT and moved the client to this OU.

                            I have done the SCS Discovery; please see the XML file in the zipped file.

                             

                             

                            All I know is that once Intel SCS picks up the system, I would be able to have the vPro clients discovered in HPCA as well (HP Client Automation, I mean).

                             

                            It's been over two weeks and I am unable to get this to work. Your help in this regard would be much appreciated.

                             

                            thanks