Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

AMT Director provisioning problem with "TLS Security + XXX"

jacace

Hi there,

I've provisioned an AMT machine in Enterprise mode with TLS security and it's working fine, but when I change to "Use TLS Security + XXX" following the required steps, the machine is not seen by AMT Director and then provisioning is not finished, requiring me to manually reset the AMT system and switch to "Use TLS Security".

Javier Andrs

Sreelekshm_S_Intel

Hi,

Could you specify the AMT and DTK versions that you are using? Also, did you un-provision the system before switching to "Use TLS Security + XXX"?

Thanks,

Sree

jacace
Hi Sree,

DTK Version: v0.51

And yes! We have unprovisioned the AMT computer before switching to "use TLS + XXX".

Thanks
Sreelekshm_S_Intel

Hi,

Which version of AMT are you using? How did you unprovision the system before switching to "use TLS + XXX"? Was it through the Director? If so, did you go for partial or full unprovisioning?

Thanks,

Sree

jacace

The AMT version is 3.0.
The unprovisioning was done using Director and by manual reset (and both of them fail).
I switched to "full unprovision" before unprovisioning.

Thanks

jacace


Hello Sree,

I've continued trying different approaches and now it's working with TLS + console authentication. The thing is that I used to click on "toggle trust" on the certificate that I selected for the Profile, and what I tried now was creating a certificate, not toggle-trusting it, and then selecting it for the Security Profile.

Please verify for me if this is the working flow:
- The AMT machine authenticates the server using a certificate issued by the Root certificate.
- The server authenticates the AMT machine because the machine is using a certificate that the server trusts.

And please verify for me: when it says console configuration, is it talking about any application trying to connect to the AMT machine, or is it talking specifically about Director? And when it talks about agent, is it referring to any application using the "agent presence" feature on the AMT machine?

Many thanks,


Javier Andrs

Sreelekshm_S_Intel

Hi,

The mutual authentication process of Remote Configuration is as follows:

  1. The ProvisionServer requests the self-signed certificate of the Intel AMT client.
  2. The Intel AMT management engine requests the Intel Client Setup Certificate from the ProvisionServer. Based on the self-signed certificate from the client, the ProvisionServer generates TLS key 1 and encrypts this using the public key obtained from the client's self-signed certificate. The encrypted TLS key 1, Intel Client Setup Certificate, and PEM file are then sent to the management engine.
  3. At this point, the Intel AMT client does some validation. It extracts and stores Key 1. Using the PEM file and Intel Client Setup certificate, the management engine extracts the root certificate, generates a certificate hash and validates it against the local active certificate hash. NOTE: If the two hashes do not match, the process stops. It validates the OU assignment of the Intel Client Setup certificate against the DNS suffix received via the DHCP IP lease with option 15. For this reason, each ProvisionServer MUST have a unique Intel Client Setup certificate. A wildcard certificate (e.g. *.company.com) is supported (AMT version 2.6 and beyond).
  4. If the previous validation steps complete successfully, the Intel AMT management engine creates TLS key 2, encrypts it with the public key of the Intel Client Setup Certificate obtained from the ProvisionServer, and transmits it.
  5. With TLS key 1 and key 2 obtained by both the ProvisionServer and the Intel AMT management engine, mutual authentication has occurred and an MTLS session is established.
     At this point, the configuration process occurs where the FQDN and UUID are matched, the assigned Intel AMT profile is sent to the management engine, and the changes are committed.

Regarding the question on console - I assume you are asking whether a Management Console is any application that can manage an AMT system, not just the Director; and that is correct.

A software agent is any application like Antivirus or Firewall running on the AMT system. More details on this can be seen at Agent Presence Checking Use case and System Defence and Agent Presence Guide.

Thanks,

Sree

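The client-side checks in step 3 above are the ones that decide whether provisioning continues or stops, and they are where a certificate that was not issued under the expected root fails. The following is an added illustration written for this thread, not Intel's code or the DTK's: it models those two checks (root hash against the locally configured hash, certificate domain against the DHCP option 15 suffix, with the wildcard rule gated on AMT 2.6). The certificate shape, SHA-256 as the hash algorithm and the exact wildcard matching rule are assumptions for the demonstration; the DER bytes are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the DER bytes of the provisioning root certificate.
ROOT_CERT_DER = b"constructed-root-ca-der-bytes"


@dataclass
class SetupCert:
    """Minimal model of the Intel Client Setup Certificate the server presents (assumed shape)."""
    domain: str      # domain the certificate was issued for; may be a wildcard such as *.company.com
    root_der: bytes  # root certificate extracted from the PEM chain that came with it


def root_hash(der: bytes) -> str:
    """Hash of the root certificate; SHA-256 is assumed here for the demonstration."""
    return hashlib.sha256(der).hexdigest()


def domain_matches(cert_domain: str, dhcp_suffix: str) -> bool:
    """Assumed rule: exact match, or a wildcard '*.x' covering suffix 'x' and its subdomains."""
    cert_domain = cert_domain.lower().rstrip(".")
    dhcp_suffix = dhcp_suffix.lower().rstrip(".")
    if cert_domain.startswith("*."):
        base = cert_domain[2:]
        return dhcp_suffix == base or dhcp_suffix.endswith("." + base)
    return cert_domain == dhcp_suffix


def validate_setup_certificate(cert: SetupCert, local_active_hash: str,
                               dhcp_suffix: str, amt_version: float) -> str:
    """Step-3 checks as the thread describes them. Returns 'ok' or the reason the process stops."""
    # Hash mismatch means the server's chain is not rooted in the certificate the client trusts.
    if root_hash(cert.root_der) != local_active_hash:
        return "stop: root certificate hash does not match local active hash"
    # Wildcard certificates are only accepted from AMT 2.6 onwards.
    if cert.domain.startswith("*.") and amt_version < 2.6:
        return "stop: wildcard certificates need AMT 2.6 or later"
    # The certificate must be bound to the domain the client learned from DHCP option 15.
    if not domain_matches(cert.domain, dhcp_suffix):
        return "stop: certificate domain does not match DHCP option 15 suffix"
    return "ok"


if __name__ == "__main__":
    trusted = root_hash(ROOT_CERT_DER)  # the hash the administrator entered into the AMT client
    print(validate_setup_certificate(SetupCert("*.company.com", ROOT_CERT_DER), trusted, "company.com", 3.0))
    print(validate_setup_certificate(SetupCert("ps.company.com", b"constructed-other-ca"), trusted, "company.com", 3.0))
```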
jacace

Many thanks Sree,

That's what I needed to know.

Javier Andrs
