Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2834 Discussions

How to manage vpro clients using MTLS/TLS kerberos based communication

idata
Employee
‎04-30-2012 02:33 AM
1,505 Views

Hi vpro Experts,

I have 100+ vpro clients with a mix of AMT 6 and AMT 7 machines. All of them have already been provisioned using the basic SMB / Manual configuration method and are now part of the corporate domain.

I now wish to capitalize on the AMT features like KVM, IDER, SOL, FCFH by securely and remotely managing these provisioned vpro systems using MTLS / TLS kerberos based communication with VNC as my management console. My current setup is windows server 2008 with roles of ADS, DNS , DHCP, IIS, ADCS along with SCS 8.0 and VNC Plus. I am able to perform most of the AMT features without TLS using the digest MeBX account, however for security reasons my objective is to integrate kerberos based authentication and MTLS/TLS communication between the Managament console (VNC) and the vpro clients.

Could you help me with a high level breakup on how to achieve the same.

In order to achieve the above objectives please clarify on the following as well:

>Do I need to create / purchase any SSL certificates for this purpose?

>If yes, What certificate do I need for implementing MTLS communcation for remotely managing the vpro clients for performing jobs like KVM, IDER,SOL, FCFH?

>How can I create a SSL certificate from our internal root CA using the ADCS running on one of the domain controllers for MTLS?TLS communication?

>Am I correct to say that the certificate hashes that are already embedded into the MeBX (like GoDaddy, verisign, Comodo etc), are only used for initial provisioning? Which further means that these external SSL certificates are of no use to me since all my vpro clients are already SMB / Manually provisioned as stated above?

Regards

Mohammed

0 Kudos

Link Copied

3 Replies
idata
Employee
‎05-02-2012 02:57 PM
673 Views

Hi Mohammed,

Have you had a chance to read the User Guide?

Appendix A & B Has all the information on setting up your CA and working with the certificates that is needed for Remote Configuration, Creating templates and Creating and installing your own certificate.

Greg

0 Kudos
Copy link
idata
Employee
‎05-02-2012 07:03 PM
673 Views
In response to idata

Hi Greg,

How is it going? Hope all is well at your end. Well, I am still working on it. The user guides are really helpful as I found it to be an improved version of the earlier documents. However for some reason I have had to stall the remote configuration testing for a while. I am trying to get my head around using MTLS/TLS kerberos based authentication and communication for security reasons which I found in the pages 66-70 of the user guide.

Q: Does that mean, for MTLS/TLS you dont really have to create a certificate? Do you?

Q: Is setting up a CA and Issuing a customised certifcate template to the AD (page 170) is all you got to do for using MTLS/TLS?

Thanks in advance

Mohammed

In response to idata
0 Kudos
Copy link
idata
Employee
‎05-03-2012 08:17 AM
673 Views
In response to idata

Hi Mohammed,

Yes you need to have a certificate for TLS communication

When doing remote configuration you will need a third party certificate for provisioning (Go Daddy, Verisign, ect) or create your own as explained on pages 178 - 183.

Greg

In response to idata
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.