Hi,
I tried to configure TLS for my AMT-KVM as shown in:
http://www.youtube.com/watch?v=KroJHYyarng
After setting the profile to the AMT computer, the icon of the computer changes to red.
Also the following warning is shown in the field "Connection Warnings":
Computer name, connection name, DNS name, Certificate name mismatch.
What can be the reason and solution for this problem?
Thanks for your hints in advance.
P.S.:
The version of my ME is: 6.1.1.1045
And I used the AMT Director from the following package: "Manageability_Developer_Tool_Kit_0_6_0937_2.msi"
First off, what computer are you using? I know you updated to 6.1.1.1045 a few weeks ago to add a KVM resolution, but I've been wondering since then what hardware you have. I didn't realize that firmware was already available on OEM systems.
Offhand, I'd say there might be issues because you're using an older version of the manageability developer toolkit (from February of last year) on a new platform with firmware that just released a couple of weeks ago. But the error you're getting seems to indicate that there's a naming issue with the certificate. If you're using IP addresses instead of FQDNs for the cert common name, are you using DHCP in your environment for both the AMT system and the system running the director software?
TLS can be tricky; if configured incorrectly, you can disable access to the AMT machine. Javier had a good post on his experience (and how he debugged issues) with TLS last year when he went through this effort. He was actually using mutual TLS instead of just Server TLS (mutual has more constraints), but I think it could still be helpful: http://software.intel.com/en-us/blogs/2009/01/21/tips-to-check-if-the-scs-the-dtk-or-your-app-doesnt-connect-to-an-amt-enterprise-machine/
To continue what Andrew has said, you need to make sure that the certificate's Common Name (CN) matches the name you use to connect to the target Intel AMT system within the Manageability Commander Tool. For example, if the system is provisioned with a certificate CN of "MyAmtSystem.MyDomain.com", you will need to use the FQDN "MyAmtSystem.MyDomain.com" within the Manageability Commander Tool to avoid getting this warning message. If, however, you enter the device's IP address into Commander and connect to the system, then you will get this warning message because Commander is not designed to resolve the IP address to the DNS hostname and domain (FQDN) and compare this to the certificate CN.
Hello,
You need to use a fully qualified domain name (FQDN) in your certificates.
Please refer to the following section in the AMT SDK documentation: Setup and Configuration of Intel AMT > Using the Setup and Configuration Application Sample > Issuing Certificates and Certification Authority.
You may also want to look at this FAQ.
OK, now I attached the AMT computer to a domain.
To make sure that everything is OK with the AMT computer's FQDN, I access the AMT computer from other computers using its FQDN instead of its IP address. So the AMT computer's FQDN is OK and works fine!
I did exactly the steps described in:
http://www.youtube.com/watch?v=KroJHYyarng
The AMT Director still shows the same warning:
>> Computer name, connection name, DNS name, Certificate name mismatch. <<
So can you please tell me, where I have to look for wrong settings, misspelt strings, .....
In advance thanks for your hints.
The solution is:
The computer into which the certificate (with CN=FQDN) has to be stored
must be accessed through the AMT Director by entering the FQDN into the edit box
"IP / Hostname". If the IP address is set into the edit box "IP / Hostname",
the described error occurs. So here also the FQDN is required!
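The name check discussed in this thread, as an added Python sketch that is not part of any post and is not the DTK's own code: it compares the string typed as the connection target against the names in a certificate, without any DNS lookup, which is the behaviour the replies describe for Commander. The function names, the sample certificates and the 192.168.1.x addresses are constructed for illustration; the certificate dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress


def _norm(name):
    """Canonical form: IPs via ipaddress, host names lower-cased, no trailing dot."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return name.rstrip(".").lower()


def cert_names(cert):
    """Names a certificate vouches for; cert is shaped like ssl getpeercert() output."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if not names:  # no SAN: fall back to the subject Common Name, as in the thread
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_mismatch(connect_name, cert):
    """Return None when connect_name matches the certificate, else the reason."""
    names = cert_names(cert)
    if _norm(connect_name) in {_norm(n) for n in names}:
        return None
    # Deliberately no DNS or reverse-DNS lookup: only the typed string is compared.
    return f"connected as {connect_name!r} but certificate names {names}"


# Constructed samples (not taken from a real AMT system).
FQDN_CERT = {"subject": ((("commonName", "MyAmtSystem.MyDomain.com"),),)}
IP_CERT = {"subject": ((("commonName", "192.168.1.50"),),)}  # CN pinned to a DHCP lease

if __name__ == "__main__":
    for target, cert in [
        ("MyAmtSystem.MyDomain.com", FQDN_CERT),  # FQDN typed into "IP / Hostname"
        ("192.168.1.50", FQDN_CERT),              # IP typed instead: mismatch
        ("192.168.1.51", IP_CERT),                # IP-named cert after the lease changed
    ]:
        print(target, "->", name_mismatch(target, cert) or "match")
```

The third case shows why a certificate whose CN is an IP address stops matching once DHCP hands the system a different address.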
