2 Replies Latest reply on Jan 12, 2016 5:02 AM by dariusz.wittek@intel.com

    Remote Configuration possible for AMT Version > 6 , but on Version 5 there´s Issue 0xc000521f

    FerdiBavaria

      Our Infrastructure: Intel SCS 10.0 with Network-Service User installed in Database-Mode with Comodo Remote Configuration Certificate.

      The Remote Configuration Process enabled by: ACUConfig.exe ConfigViaRCSOnly Servername Profilename works fine.

      The user which initiate this command has Full DCOM and WMI Access to the RCS-Server.
      This process works fine for all Clients with Intel AMT 6.2 and above. but i have more than 200 Clients with Intel AMT 5.01.

      On these Clients i got this error in the ACU-Config Log:

      Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device. Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

       

      At RCS i can see the Client Request in the monitoring section, but the configuration failed. If i view the log, there´s the same issue.

       

      I´ve verified that the Certificate Chain at the Client is valid. Intel ME Driver and Software is installed.

      The Root Certificate Hash is also implemented in ME-Firmware and was verified via  ACUConfig SystemDiscovery

       

      I can´t understand why this works only at 6.2 and above.
      I found in SCS User Guide, that Version 10 only supports Clients with 6.2 and above and for other versions, the guide is only informational without support?

      Does anyone have SCS 10 with AMT 5.0 Clients and uses Remote Configuration with PKI successful ?

       

       

        • 1. Re: Remote Configuration possible for AMT Version > 6 , but on Version 5 there´s Issue 0xc000521f
          dariusz.wittek@intel.com

          Hmm, Intel SCS 10 was fully validated with AMT 6 or newer  -that is why this version is listed as the lowest supported.

          I have asked SCS 10 development team if they have removed any pre AMT 6 related code modules and the answer was NO.

           

          So SCS 10 shall be able to configure AMT 2.2 or newer altough it was not tested by Intel as such systems are very old (AMT 5 is 2009 platform -6 years old already).
          I have AMT 4 system in my LAB - can test it with SCS 10 first days of  January 2016 will let you know.

           

          BTW AMT 5.01 is pretty old AMT FW - please check OEM website for updates - you shall look for ME FW 5.2.50.1039 which is the lates version that was published by Intel to OEMs.

          • 2. Re: Remote Configuration possible for AMT Version > 6 , but on Version 5 there´s Issue 0xc000521f
            dariusz.wittek@intel.com

            Hi, just checked AMT/ME FW  4.2.60.1060 FW and got the same error.

            In my case reason is (and it may be your root cause as well) ...AMT Provisioning (leaf) certificate is SHA2 cert - while SHA2 leaf certs are supported by Intel ME FW 6.0 or newer (in addition to SHA-1 support).

            AMT FW up to 5x supports only SHA 1 leaf certs.

             

            Please note that ME FW up to 10.x has only SHA1 hashes of 15 Public trusted CA Root certs - but this impacts CA root you have to use (build Leaf cert trust chain up to) not actual leaf cert SHA algorithm.

             

            Please check type of your AMR RCFG leaf cert, if it is SHA-2  -you will have to replace it with SHA-1 leaf cert.

            Please also note that SHA-1 certs will be EOL Jan 2017 - currently I don't know good solution for mixed AMT FW (<6 and >6)  enviroments. ;(

             

            Will post separate thread if I will develop something reasonable.

            rgds

            darek