i got it figured out... i had ProvisionServer set in DNS to point to my SCS server. this was putting the UUID in the SCS database, thus stopping the machine from provisioning using the activiation tool. i took the entry out of DNS and set the vPro machine back to factory defaults. at this point, the hello packets were not reaching the SCS server. i ran the activation tool with the same parameters and it worked fine.
the option of using the Activator with user name password can be only utilized outside of the domain. so if your system in the domain the error that you got is expected.
the error 3 means that there is no access to the AMT from OS thru ME driver. please verify that you did installed the driver and the user that running the Activator is local admin or has significant permissions if you are using Vista or Win7
I got it working with out certificates. I can get the SCS server to work fine with certificates, but apparently i'm doing something wrong with HPCA. It keeps giving me an error when I try to hook it up with SCS using an HTTPS link. It gives me some standard "there was a certificate problem" error. let me change it back to use certificates and I'll post the steps I'm going through.
I think I may have my certs set up wrong. When I use NON-TLS everything works fine. As soon as I bring TLS into the picture, I start getting errors. It’s weird because the SCS will provision the AMT device with the certificates just fine, and I can use the AMT Mutual Authentication certificate I created to manage the AMT device through the web interface just fine. But the SCS console cannot communicate with the AMT device any more. The certificate I’m using to go through the AMT web interface is the one I exported from the cert store from the SCS service user account. So here is my set up
Server 2008 Enterprise with an enterprise CA running on it
The provisioning cert I created works great. The mutual authentication cert has the OIDs of 220.127.116.11.18.104.22.168.2 and 2.16.840.1.113722.214.171.124. the second one I had to create of course, but the first was already in there as “Client Authentication”.
I used the https://<FQDN of the CA>/certsrv to request the client cert. when I did that, I was logged in as the SCS service account. I then exported that cert and installed it on another computer so I could manage the AMT device through the web interface. To double check, I logged into the SCS server as the SCS service account and went to https://<FQDN of AMT device>:16993. I was asked which cert I wanted to use to authenticate to the AMT device, there was only one, I chose it and I was able to log in.
But one I use TLS, I start seeing these errors in the SCS console whenever I try to do anything else to that platform:
The SOAP connection with connection parameter set #1 failed: WS-Management : "Error calling WSMan getFullCoreVersion(CIM_SoftwareIdentity.Get): HTTP error".
The SOAP connection with connection parameter set #2 failed: AMT Connection Error: SOAP Error : "getFullCoreVersion: SOAP Unknown error".
Error Configuring Intel AMT device: Failed to connect to configured Intel AMT device at FQDN xxxxxx.xxx.xxx: AMT Connection Error: SOAP Error : "getFullCoreVersion: SOAP Unknown error".
So is it trying to connect to HTTP instead of HTTPS? The FQDN is correct.
I’ve established that I have SCS working fine in any mode (TLS, non-TLS, Mutual Authentication TLS). So now I’m working on getting CAS to see anything SCS side. Right now, if I have my AMT device is in NON-TLS mode, HPCA can get stats from it. So now I’ve put my AMT device into TLS mode. SCS can manage it and the web interface works fine with the HTTPS address. Here is what I’ve done to try to get HPCA to work.
I exported the root CA certificate by going to the root CA server, open Certification Authority, Right-click on the server name>properties>certificate #0 shows in the window>view certificate>details tab>copy to file>choose the DER x509 format> copy to a network location.
I then copy the .CER file to the HPCA server and import it to the Java Key Store using the Keytool utility. The command line I used was:
Keytool –import –noprompt –alias customcacert –keystore ..\lib\security\cacerts –storepass <password> -file –c:\certs\root.cer
I checked the CACERTS file and it grew by 1KB after the process. I then converted that same CER file to PEM format using the OpenSSL utility in the C:\Program Files\Hewlett-Packard\HPCA\ApacheServer\bin folder. The command I used here was
Openssl x509 –inform DER –outform PEM –in c:\certs\root.cer –out c:\certs\root.pem
I then modified the C:\Program Files\Hewlett-Packard\HPCA\OOBM\conf\config.properties and pointed it to that PEM file with this line:
lastly, I added the root CA common name with this line:
I took that CN from the Certification Authority window server name from the root CA server.
See anything I’ve missed?
Have you solved the problem,we also meet same trouble with the HPCA.
We have discovery the vPro client in HPCA with CA mode，but can not full control this client in HPCA.The log show is "Unknown_CA" error.
And we also can full control this vPro client in HPCA use PSK mode.
If you have solved it ,can you share with us.
Thank a lot!
My environment is simple, i am having two systems both are HP 8100 elite Desktops and both have Vpro.
1 system has windows server 2003 sp2 (32 bit) with intel SCS Version 126.96.36.199
2nd system has windows server 2008 R2 with HPCA installed.
Also, the intel SCS that is bundled with HPCA have only AMT Configuration Server and AMT Configuration Console, [[ there is no ACU Wizard in that package (This is one issue, however i downloaded Intel SCS Vesion 7.1 i guess and copied the ACU Wizard from there and tried to configure system through that using USB) ]] the part in brakets are my thoughts...
I was initially trying to integrate HPCA with Intel SCS but i have stopped working on HPCA since i am initially stuck with Intel SCS issue. I have done manual configuration. I can access the client through web interface but for some reason the system is not listed in Intel SCS. What i did once was to right click platforms and manually entering the UUID and the system appeared in Intel SCS but it was showing unconfigured and i couldnt do much on it. (Please see the screenshot)
I have created an OU named IT and moved the client to this OU.
I have done the SCS Discovery, please see the xml file in the zipped file
All i know once INTEL SCS picks up the system , i would be able to have the Vpro Clients discovered in HPCA as well (HP Client Automation) i mean.
its been over two weeks i am unable to get this to work. your help in this regard would be much appreciated.
intel-scs-issue.zip 267.9 K