Hello everyone,
I have some issues when I import the certificate in order to accomplish the zero touch remote provision in DTK's Director's tool.
In detail, I import the trusted certificate (which I have ordered from the GoDaddy certificate vendor; exclusively for remote provision) and as you can see in the screenshot1 image the certificate is trusted, but then when I try to add it on my profile (option: trusted root certificates) the certificate that I have imported is not in the list (screenshot 2).

How can I enable the certificate in order to select it from the list in order to add it on the profile?
19 replies
The certificate you purchased is specifically for remote provisioning, as you clearly pointed out in your post. It is not for (mutual) TLS authentication, which is what the profiles are used to set up.
To use this certificate for ZTC, you need to configure this via the "Remote Configuration" screen in Director. But you also need to define a profile to apply to the system(s) being provisioned.
Also, the certificate you purchased is not a root certificate (at least I'm assuming this based on what you've provided) which is why you cannot define it as such when creating a profile. You will need to establish your own root certificate for your enterprise setup and specify that in this dialog. Then the certificates used for TLS communication will be based on this root certificate.
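Added example, not part of the original thread and not Director's own logic: the distinction drawn in the reply above, between a certificate issued by a CA and a root certificate that can serve as a trust anchor, expressed as a generic X.509 check with Go's standard library. The certificates and their names are constructed samples, and `issue` and `IsRootCA` are hypothetical helper names.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a minimal constructed sample certificate; a nil parent means self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// IsRootCA reports whether c can act as a trust anchor: the CA flag is set,
// subject equals issuer, and the signature verifies under the certificate's own key.
func IsRootCA(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA &&
		bytes.Equal(c.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(c) == nil
}

func main() {
	root, rk := issue("Example Enterprise Root (constructed)", true, nil, nil)
	leaf, _ := issue("provisioning.example.test (constructed)", false, root, rk)
	fmt.Println("root is trust anchor:", IsRootCA(root), "| issued cert is trust anchor:", IsRootCA(leaf))
}
```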
Quoting - Brett McKown (Intel)
The certificate you purchased is specifically for remote provisioning, as you clearly pointed out in your post. It is not for (mutual) TLS authentication, which is what the profiles are used to set up.
To use this certificate for ZTC, you need to configure this via the "Remote Configuration" screen in Director. But you also need to define a profile to apply to the system(s) being provisioned.
Also, the certificate you purchased is not a root certificate (at least I'm assuming this based on what you've provided) which is why you cannot define it as such when creating a profile. You will need to establish your own root certificate for your enterprise setup and specify that in this dialog. Then the certificates used for TLS communication will be based on this root certificate.
ph3ar - I don't know if it will help you or not, but I just blogged about the remote provisioning steps using certificates.
Quoting - Brett McKown (Intel)
To use this certificate for ZTC, you need to configure this via the "Remote Configuration" screen in Director. But you also need to define a profile to apply to the system(s) being provisioned.
Also, the certificate you purchased is not a root certificate (at least I'm assuming this based on what you've provided) which is why you cannot define it as such when creating a profile. You will need to establish your own root certificate for your enterprise setup and specify that in this dialog. Then the certificates used for TLS communication will be based on this root certificate.
The certificate that I've purchased is the one intended for zero touch remote provisioning as written on this blog.

I have set up the profile but still there are no options in the 'Remote configuration' section of Director's tool.
How can I establish my own root certificate for the enterprise setup as you propose?
Thanks.
Nice blog post Gael but still it's not real zero touch remote provisioning. You still need to use an activator for the provisioning to be initiated.
It's not so practical when you have to provision a big number of platforms.
Quoting - ph3ar
Nice blog post Gael but still it's not real zero touch remote provisioning. You still need to use an activator for the provisioning to be initiated.
It's not so practical when you have to provision a big number of platforms.
Good point about the activator - you can push it to the systems and run it remotely, hopefully.
Quoting - Gael Holmes (Intel)
Good point about the activator - you can push it to the systems and run it remotely, hopefully.
Sure, but still this is not zero touch remote provisioning! As referred to in the manual about this technology!
Hi,
The definition of Zero Touch Configuration (ZTC) is that no person needs to physically be at the client system to perform the setup and configuration.
The use of the Activator tool provided remotely is indeed an example of ZTC because no one has to be at the client system.
Quoting - Lance Atencio (Intel)
Hi,
The definition of Zero Touch Configuration (ZTC) is that no person needs to physically be at the client system to perform the setup and configuration.
The use of the Activator tool provided remotely is indeed an example of ZTC because no one has to be at the client system.
That's right. BUT how do you configure platforms that come with no OS pre-installed?
I think that I misinterpret somehow the definitions, I guess that is called bare metal remote provisioning.
In any case, I still haven't experienced this ZTC remote provisioning yet; have you tried it successfully?
Thanks.
Quoting - ph3ar
That's right. BUT how do you configure platforms that come with no OS pre-installed?
I think that I misinterpret somehow the definitions, I guess that is called bare metal remote provisioning.
In any case, I still haven't experienced this ZTC remote provisioning yet; have you tried it successfully?
Thanks.
Hello - I have responded to this in your other thread: http://software.intel.com/en-us/forums/showthread.php?t=67553
I'm going to keep my responses there to avoid further confusion.
Quoting - Gael Holmes (Intel)
Hello - I have responded to this in your other thread: http://software.intel.com/en-us/forums/showthread.php?t=67553
I'm going to keep my responses there to avoid further confusion.
Since Director app seems more easy and not so complicated I could give it a try.
Quoting - ph3ar
Hm... I guess that zero touch remote provisioning (AKA bare-metal provisioning) is not so common for Intel AMT?
I do not have a lot of experience with how most enterprise IT shops deploy new systems, but from what I am familiar with I would say that your statement is probably true. IT shops seem to have to touch new systems coming in to prepare them for their corporate environment so it makes sense to provision AMT at this time.
Quoting - ph3ar
Possibly, but this statement doesn't comply with Intel documentation.
Could you please indicate which documentation?
I can work to get documentation issues fixed if there is something that is confusing or inaccurate.
thanks
Quoting - Lance Atencio (Intel)
Could you please indicate which documentation?
I can work to get documentation issues fixed if there is something that is confusing or inaccurate.
thanks
From Intel vPro Remote Configuration FAQ :
What is the core purpose of Remote Configuration?
... Remote Configuration accomplishes the first main step of authentication, similar to the previous (and still existing) approach of pre-shared keys (e.g. PIDPPS). The key difference is that Intel vPro clients capable of remote configuration can be configured WITHOUT touching the system.
What is the difference between Remote Configuration and pre-shared key?
... Instead of physically touching and modifying the system, as the name suggests Remote Configuration enables a hands-off configuration.
OH, I was confused. I thought you were talking about the documentation being in conflict with your statement about the popularity of Bare Metal provisioning.
I will work on getting the documentation you mentioned changed to more clearly define the terms of Remote Configuration, Zero Touch Configuration, and Bare Metal Provisioning.
Thanks
Quoting - Lance Atencio (Intel)
OH, I was confused. I thought you were talking about the documentation being in conflict with your statement about the popularity of Bare Metal provisioning.
I will work on getting the documentation you mentioned changed to more clearly define the terms of Remote Configuration, Zero Touch Configuration, and Bare Metal Provisioning.
Thanks
Quoting - ph3ar
Almost 1 month passed and I haven't seen any corrections on the documentation yet!
Yes, I have asked them to add the following:
1 Touch - A person physically present at each client supplies preliminary information before setup begins (e.g. PID/PPS, MEBx Password, certificate hash)
Zero Touch - Performing setup without providing the Intel vPro client any information in advance (no physical presence)
Remote Configuration (TLS-PKI mode) - Setup is performed using a remote configuration certificate and the firmware must have a corresponding root certificate hash
Local Configuration - Performing setup and configuration by using only the MEBx (no software used)
However their site is run separately from ours.
You may want to post a comment directly on that FAQ or start a thread in their forum.
Quoting - Lance Atencio (Intel)
Yes, I have asked them to add the following:
1 Touch - A person physically present at each client supplies preliminary information before setup begins (e.g. PID/PPS, MEBx Password, certificate hash)
Zero Touch - Performing setup without providing the Intel vPro client any information in advance (no physical presence)
Remote Configuration (TLS-PKI mode) - Setup is performed using a remote configuration certificate and the firmware must have a corresponding root certificate hash
Local Configuration - Performing setup and configuration by using only the MEBx (no software used)
However their site is run separately from ours.
You may want to post a comment directly on that FAQ or start a thread in their forum.
Unfortunately, I realized that things are going slow with the remote configuration process.
