ph3ar
Beginner
60 Views

Director tool - Trusted root certificates

Hello everyone,

I have some issues when I import the certificate in order to accomplish zero touch remote provisioning in the DTK's Director tool.

In detail, I import the trusted certificate (which I have ordered from the GoDaddy certificate vendor, exclusively for remote provisioning) and, as you can see in the screenshot1 image, the certificate is trusted; but then, when I try to add it to my profile (option: trusted root certificates), the certificate that I have imported is not in the list (screenshot 2).

How can I enable the certificate so that I can select it from the list and add it to the profile?
19 Replies
Brett_M_Intel
Employee


The certificate you purchased is specifically for remote provisioning, as you clearly pointed out in your post. It is not for (mutual) TLS authentication, which is what the profiles are used to set up.

To use this certificate for ZTC, you need to configure this via the "Remote Configuration" screen in Director. But you also need to define a profile to apply to the system(s) being provisioned.

Also, the certificate you purchased is not a root certificate (at least I'm assuming this based on what you've provided), which is why you cannot define it as such when creating a profile. You will need to establish your own root certificate for your enterprise setup and specify that in this dialog. Then the certificates used for TLS communication will be based on this root certificate.
Gael_H_Intel
Moderator


ph3ar - I don't know if it will help you or not, but I just blogged about the remote provisioning steps using certificates.
ph3ar
Beginner

The certificate that I've purchased is the one intended for zero touch remote provisioning, as written on this blog.

I have set up the profile, but there are still no options in the 'Remote Configuration' section of the Director tool.

How can I establish my own root certificate for the enterprise setup as you propose?

Thanks.
ph3ar
Beginner

Nice blog post Gael but still it's not real zero touch remote provisioning. You still need to use an activator for the provisioning to be initiated.
It's not so practical when you have to provision a big number of platforms.


Gael_H_Intel
Moderator

Quoting - ph3ar
Nice blog post Gael but still it's not real zero touch remote provisioning. You still need to use an activator for the provisioning to be initiated.
It's not so practical when you have to provision a big number of platforms.

Good point about the activator - you can push it to the systems and run it remotely, hopefully.
ph3ar
Beginner


Sure, but still this is not zero touch remote provisioning! As referred to in the manual about this technology!

Lance_A_Intel
Employee


Hi,
The definition of Zero Touch Configuration (ZTC) is that no person needs to physically be at the client system to perform the setup and configuration.

The use of the Activator tool provided remotely is indeed an example of ZTC because no one has to be at the client system.
ph3ar
Beginner


That's right. BUT how do you configure platforms that come with no OS pre-installed?
I think that I somehow misinterpret the definitions; I guess that this is called bare metal remote provisioning.

In any case, I still haven't experienced this ZTC remote provisioning yet. Have you tried it successfully?

Thanks.

Gael_H_Intel
Moderator

Quoting - ph3ar

That's right. BUT how do you configure platforms that come with no OS pre-installed?
I think that I somehow misinterpret the definitions; I guess that this is called bare metal remote provisioning.

In any case, I still haven't experienced this ZTC remote provisioning yet. Have you tried it successfully?

Thanks.


Hello - I have responded to this in your other thread: http://software.intel.com/en-us/forums/showthread.php?t=67553

I'm going to keep my responses there to avoid further confusion.
ph3ar
Beginner


There are two different applications so I guess two different posts are needed?

Since the Director app seems easier and not so complicated, I could give it a try.
ph3ar
Beginner

Hm... I guess that zero touch remote provisioning (AKA bare-metal provisioning) is not so common for Intel AMT?
Lance_A_Intel
Employee

Quoting - ph3ar
Hm... I guess that zero touch remote provisioning (AKA bare-metal provisioning) is not so common for Intel AMT?

I do not have a lot of experience with how most enterprise IT shops deploy new systems, but from what I am familiar with I would say that your statement is probably true. IT shops seem to have to touch new systems coming in to prepare them for their corporate environment, so it makes sense to provision AMT at this time.
ph3ar
Beginner

Possibly, but this statement doesn't comply with Intel documentation.
Lance_A_Intel
Employee

Quoting - ph3ar
Possibly, but this statement doesn't comply with Intel documentation.

Could you please indicate which documentation?
I can work to get documentation issues fixed if there is something that is confusing or inaccurate.
thanks
ph3ar
Beginner


From the Intel vPro Remote Configuration FAQ:

What is the core purpose of Remote Configuration?

... Remote Configuration accomplishes the first main step of authentication, similar to the previous (and still existing) approach of pre-shared keys (e.g. PIDPPS). The key difference is that Intel vPro clients capable of remote configuration can be configured WITHOUT touching the system.

What is the difference between Remote Configuration and pre-shared key?

... Instead of physically touching and modifying the system, as the name suggests Remote Configuration enables a hands-off configuration.
Lance_A_Intel
Employee


OH, I was confused. I thought you were talking about the documentation being in conflict with your statement about the popularity of Bare Metal provisioning.

I will work on getting the documentation you mentioned changed to more clearly define the terms of Remote Configuration, Zero Touch Configuration, and Bare Metal Provisioning.
Thanks
ph3ar
Beginner


Almost 1 month has passed and I haven't seen any corrections on the documentation yet!

Lance_A_Intel
Employee

Quoting - ph3ar
Almost 1 month has passed and I haven't seen any corrections on the documentation yet!


Yes, I have asked them to add the following:

1 Touch - A person physically present at each client supplies preliminary information before setup begins (e.g. PID/PPS, MEBx Password, certificate hash)
Zero Touch - Performing setup without providing the Intel vPro client any information in advance (no physical presence)
Remote Configuration (TLS-PKI mode) - Setup is performed using a remote configuration certificate and the firmware must have a corresponding root certificate hash
Local Configuration - Performing setup and configuration by using only the MEBx (no software used)

However their site is run separately from ours.
You may want to post a comment directly on that FAQ or start a thread in their forum.
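Brett's reply earlier in the thread (a purchased remote configuration certificate is not a root certificate and cannot be used as one in a profile) and Lance's definition of Remote Configuration (the firmware must hold the hash of the corresponding root certificate) can both be checked on a certificate file with the openssl CLI. The script below is an added example, not code from the thread or from Intel's tooling; it constructs its own sample root and leaf certificates, and since the digest the firmware root-hash list expects is not stated here, the hash algorithm is passed as a parameter.

```shell
#!/bin/sh
# Added example, not from the thread or from Intel's tooling: tell a root
# (self-signed CA) certificate apart from an end-entity certificate such as a
# purchased remote configuration certificate, check that the leaf chains to the
# root, and print the root's fingerprint (the value a firmware root-hash list is
# matched against). Assumes the openssl CLI; all certificates are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample PKI: an enterprise root CA and one leaf it signed.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Enterprise Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 -config "$WORK/ca.cnf" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=provisioning.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# cert_kind FILE: prints "root" when subject equals issuer and CA:TRUE is set,
# otherwise "end-entity". A vendor-issued leaf never passes this test.
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')
  ca=$(openssl x509 -in "$1" -noout -text | grep -c 'CA:TRUE' || true)
  if [ "$subj" = "$iss" ] && [ "$ca" -gt 0 ]; then echo root; else echo end-entity; fi
}

# chains_to_root ROOT LEAF: succeeds only when LEAF validates against ROOT.
chains_to_root() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_fingerprint FILE ALG: colon-free hex fingerprint, e.g. ALG=sha256.
# The digest the firmware's root-hash list expects is not stated in the thread.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^[^=]*=//; s/://g'
}
echo "root.pem: $(cert_kind "$WORK/root.pem"), leaf.pem: $(cert_kind "$WORK/leaf.pem")"
echo "root sha256 fingerprint: $(cert_fingerprint "$WORK/root.pem" sha256)"
```

Run it against a vendor-supplied file instead of the constructed ones by pointing `cert_kind` and `cert_fingerprint` at that path; an "end-entity" result is exactly the case Brett describes.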
ph3ar
Beginner


Thanks for the prompt answer Lance.

Unfortunately, I realized that things are going slow with the remote configuration process.