Hi,
I tried to configure TLS for my AMT-KVM as shown in:
http://www.youtube.com/watch?v=KroJHYyarng
After setting the profile to the AMT computer, the icon of the computer changes to red.
Also the following warning is shown in the field "Connection Warnings":
Computer name, connection name, DNS name, Certificate name mismatch.
What can be the reason and solution for this problem?
Thanks for your hints in advance.
P.S.:
The version of my ME is: 6.1.1.1045
And I used the AMT Director from the following package: "Manageability_Developer_Tool_Kit_0_6_0937_2.msi"
9 Replies
First off, what computer are you using? I know you updated to 6.1.1.1045 a few weeks ago to add a KVM resolution, but I've been wondering since then what hardware you have. I didn't realize that firmware was already available on OEM systems.
Offhand, I'd say there might be issues because you're using an older version of the manageability developer toolkit (from February of last year) on a new platform with firmware that just released a couple of weeks ago. But the error you're getting seems to indicate that there's a naming issue with the certificate. If you're using IP addresses instead of FQDNs for the cert common name, are you using DHCP in your environment for both the AMT system and the system running the director software?
TLS can be tricky; if configured incorrectly you can disable access to the AMT machine. Javier had a good post on his experience (and how he debugged issues) with TLS last year when he went through this effort. He was actually using mutual TLS instead of just Server TLS (mutual has more constraints), but I think it could still be helpful: http://software.intel.com/en-us/blogs/2009/01/21/tips-to-check-if-the-scs-the-dtk-or-your-app-doesnt-connect-to-an-amt-enterprise-machine/
To continue what Andrew has said, you need to make sure that the certificate's Common Name (CN) matches that of the method you are using to connect the target Intel AMT system within the Manageability Commander Tool. For example, if the system is provisioned with a certificate CN of "MyAmtSystem.MyDomain.com", you will need to use the FQDN "MyAmtSystem.MyDomain.com" within the Manageability Commander Tool to avoid getting this warning message. If, however, you enter the device's IP address into Commander and connect to the system, then you will get this warning message because Commander is not designed to resolve the IP address to the DNS hostname and domain (FQDN) and compare this to the certificate CN.
Hi,
Thanks for your fast answer.
Is there no way to create a valid certificate for an AMT computer which isn't a member of a domain?
Maybe using its IP address as part of the certificate's CN?
Hello,
You need to use a fully qualified domain name (FQDN) in your certificates.
Please refer to the following section in the AMT SDK documentation: Setup and Configuration of Intel AMT > Using the Setup and Configuration Application Sample > Issuing Certificates and Certification Authority.
You may also want to look at this FAQ.
OK, now I attached the AMT computer to a domain.
To make sure that everything is OK with the AMT computer's FQDN, I access the AMT computer from other computers using its FQDN instead of its IP address. So the AMT computer's FQDN is OK and works fine!
I did exactly the steps described in:
http://www.youtube.com/watch?v=KroJHYyarng
The AMT Director still shows the same warning:
>> Computer name, connection name, DNS name, Certificate name mismatch. <<
So can you please tell me, where I have to look for wrong settings, misspelt strings, .....
In advance thanks for your hints.
You can install a certificate authority on your Win 2003 server; there is also an SCS Wizard which helps you to do that.
Javier Andrés Cáceres Alvis
The solution is:
The computer, into which the certificate (with CN=FQDN) has to be stored,
must be accessed through the AMT Director by entering the FQDN into the edit box
"IP / Hostname". If the IP address is set into the edit box "IP / Hostname",
the described error occurs. So here also the FQDN is required!
It is good to hear you have things working. Thanks for sharing your solution.
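The name comparison behind this warning, as described in the replies above (the entered connection string is compared with the certificate CN, with no reverse lookup of an IP address), can be sketched as a small diagnostic. This is an added example, not code from the Manageability Developer Tool Kit; the function names, reason codes, the address 192.0.2.10 and the case-insensitive, trailing-dot-tolerant comparison are assumptions of the sketch.

```python
import ipaddress

# Reason codes and texts are constructed for this sketch.
REASONS = {
    "match": "entered name equals the certificate CN",
    "ip-entered": "an IP address was entered; it is not resolved to the FQDN in the CN",
    "short-name": "a short host name was entered; the CN holds the full FQDN",
    "domain-differs": "host label matches, but the domain suffix differs from the CN",
    "different-host": "entered name and CN refer to different hosts",
}

def normalize(name: str) -> str:
    # Assumption: compare case-insensitively and ignore a trailing dot.
    return name.strip().rstrip(".").lower()

def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def diagnose(connect_name: str, cert_cn: str) -> tuple[bool, str]:
    """Compare the string typed into "IP / Hostname" with the certificate CN."""
    target, cn = normalize(connect_name), normalize(cert_cn)
    if target == cn:
        return True, "match"
    if is_ip_literal(target):
        return False, "ip-entered"
    if "." not in target and cn.startswith(target + "."):
        return False, "short-name"
    if target.split(".", 1)[0] == cn.split(".", 1)[0]:
        return False, "domain-differs"
    return False, "different-host"

if __name__ == "__main__":
    cn = "MyAmtSystem.MyDomain.com"  # CN used as the example in the thread
    # Constructed sample inputs for the "IP / Hostname" box.
    for entered in ("MyAmtSystem.MyDomain.com", "192.0.2.10", "MyAmtSystem",
                    "MyAmtSystem.lab.example"):
        ok, code = diagnose(entered, cn)
        print(f"{entered:28} {'OK' if ok else 'MISMATCH'}: {REASONS[code]}")
```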