Hello everyone,
I have some issues when I import the certificate in order to accomplish the zero touch remote provision in DTK's Director's tool.
In detail, I import the trusted certificate (which I have ordered from the GoDaddy certificate vendor, exclusively for remote provisioning) and, as you can see in the screenshot1 image, the certificate is trusted. But when I try to add it to my profile (option: trusted root certificates), the certificate that I have imported is not in the list (screenshot 2).
How can I enable the certificate so that I can select it from the list and add it to the profile?
19 Replies
The certificate you purchased is specifically for remote provisioning, as you clearly pointed out in your post. It is not for (mutual) TLS authentication, which is what the profiles are used to set up.
To use this certificate for ZTC, you need to configure this via the "Remote Configuration" screen in Director. But you also need to define a profile to apply to the system(s) being provisioned.
Also, the certificate you purchased is not a root certificate (at least I'm assuming this based on what you've provided), which is why you cannot define it as such when creating a profile. You will need to establish your own root certificate for your enterprise setup and specify that in this dialog. Then the certificates used for TLS communication will be based on this root certificate.
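The root-versus-issued distinction described in the reply above, as an added example that is not part of the original post and not Director's own procedure. It assumes the OpenSSL command line as the CA tool (the thread does not name one); every subject name and file path is constructed. It builds a throwaway enterprise root, issues a TLS certificate from it, and classifies each file.

```shell
#!/bin/sh
# Added illustration; every name, subject and path here is constructed.

# Print "root" for a self-issued CA certificate, "non-root" otherwise.
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
    if [ "$subj" = "$issr" ] &&
       openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo root
    else
        echo non-root
    fi
}

# Build a throwaway enterprise root and one TLS certificate issued by it.
make_demo_pki() {
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
prompt = no
[dn]
CN = Example Enterprise Root (constructed)
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_tls]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth,clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/pki.cnf" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=amt-host.example.test" \
        -keyout "$d/tls.key" -out "$d/tls.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/tls.csr" -days 30 -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/pki.cnf" \
        -extensions v3_tls -out "$d/tls.pem" 2>/dev/null
}

# Does the certificate in $2 chain to the root in $1? Prints "yes" or "no".
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo yes || echo no
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "root.pem: $(cert_kind "$demo/root.pem")"
echo "tls.pem:  $(cert_kind "$demo/tls.pem")"
echo "tls.pem chains to root.pem: $(chains_to "$demo/root.pem" "$demo/tls.pem")"
```

Running `cert_kind` on a vendor-issued provisioning certificate exported to PEM shows the same "non-root" result as `tls.pem` here, which is the condition the reply gives for it not being selectable as a trusted root.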
Quoting - Brett McKown (Intel)
The certificate you purchased is specifically for remote provisioning, as you clearly pointed out in your post. It is not for (mutual) TLS authentication, which is what the profiles are used to set up.
To use this certificate for ZTC, you need to configure this via the "Remote Configuration" screen in Director. But you also need to define a profile to apply to the system(s) being provisioned.
Also, the certificate you purchased is not a root certificate (at least I'm assuming this based on what you've provided), which is why you cannot define it as such when creating a profile. You will need to establish your own root certificate for your enterprise setup and specify that in this dialog. Then the certificates used for TLS communication will be based on this root certificate.
ph3ar - I don't know if it will help you or not, but I just blogged about the remote provisioning steps using certificates.
Quoting - Brett McKown (Intel)
To use this certificate for ZTC, you need to configure this via the "Remote Configuration" screen in Director. But you also need to define a profile to apply to the system(s) being provisioned.
Also, the certificate you purchased is not a root certificate (at least I'm assuming this based on what you've provided), which is why you cannot define it as such when creating a profile. You will need to establish your own root certificate for your enterprise setup and specify that in this dialog. Then the certificates used for TLS communication will be based on this root certificate.
The certificate that I've purchased is the one intended for zero touch remote provisioning, as written on this blog.
I have set up the profile, but there are still no options in the 'Remote configuration' section of the Director tool.
How can I establish my own root certificate for the enterprise setup as you propose?
Thanks.
Nice blog post Gael but still it's not real zero touch remote provisioning. You still need to use an activator for the provisioning to be initiated.
It's not so practical when you have to provision a big number of platforms.
Quoting - ph3ar
Nice blog post Gael but still it's not real zero touch remote provisioning. You still need to use an activator for the provisioning to be initiated.
It's not so practical when you have to provision a big number of platforms.
Good point about the activator - you can push it to the systems and run it remotely, hopefully.
Quoting - Gael Holmes (Intel)
Good point about the activator - you can push it to the systems and run it remotely, hopefully.
Sure, but still this is not zero touch remote provisioning! As referred to the manual about this technology!
Hi,
The definition of Zero Touch Configuration (ZTC) is that no person needs to physically be at the client system to perform the setup and configuration.
The use of the Activator tool provided remotely is indeed an example of ZTC because no one has to be at the client system.
Quoting - Lance Atencio (Intel)
Hi,
The definition of Zero Touch Configuration (ZTC) is that no person needs to physically be at the client system to perform the setup and configuration.
The use of the Activator tool provided remotely is indeed an example of ZTC because no one has to be at the client system.
That's right. BUT how do you configure platforms that come with no OS pre-installed?
I think that I somehow misinterpreted the definitions; I guess that is called bare metal remote provisioning.
In any case, I still haven't experienced this ZTC remote provisioning yet. Have you tried it successfully?
Thanks.
Quoting - ph3ar
That's right. BUT how do you configure platforms that come with no OS pre-installed?
I think that I somehow misinterpreted the definitions; I guess that is called bare metal remote provisioning.
In any case, I still haven't experienced this ZTC remote provisioning yet. Have you tried it successfully?
Thanks.
Hello - I have responded to this in your other thread: http://software.intel.com/en-us/forums/showthread.php?t=67553
I'm going to keep my responses there to avoid further confusion.
Quoting - Gael Holmes (Intel)
Hello - I have responded to this in your other thread: http://software.intel.com/en-us/forums/showthread.php?t=67553
I'm going to keep my responses there to avoid further confusion.
Since the Director app seems easier and not so complicated, I could give it a try.
Hm... I guess that zero touch remote provisioning (AKA bare-metal provisioning) is not so common for Intel AMT?
Quoting - ph3ar
Hm... I guess that zero touch remote provisioning (AKA bare-metal provisioning) is not so common for Intel AMT?
I do not have a lot of experience with how most enterprise IT shops deploy new systems, but from what I am familiar with I would say that your statement is probably true. IT shops seem to have to touch new systems coming in to prepare them for their corporate environment, so it makes sense to provision AMT at this time.
Possibly, but this statement doesn't comply with Intel documentation.
Quoting - ph3ar
Possibly, but this statement doesn't comply with Intel documentation.
Could you please indicate which documentation?
I can work to get documentation issues fixed if there is something that is confusing or inaccurate.
thanks
Quoting - Lance Atencio (Intel)
Could you please indicate which documentation?
I can work to get documentation issues fixed if there is something that is confusing or inaccurate.
thanks
From Intel vPro Remote Configuration FAQ:
What is the core purpose of Remote Configuration?
... Remote Configuration accomplishes the first main step of authentication, similar to the previous (and still existing) approach of pre-shared keys (e.g. PIDPPS). The key difference is that Intel vPro clients capable of remote configuration can be configured WITHOUT touching the system.
What is the difference between Remote Configuration and pre-shared key?
... Instead of physically touching and modifying the system, as the name suggests Remote Configuration enables a hands-off configuration.
OH, I was confused. I thought you were talking about the documentation being in conflict with your statement about the popularity of Bare Metal provisioning.
I will work on getting the documentation you mentioned changed to more clearly define the terms of Remote Configuration, Zero Touch Configuration, and Bare Metal Provisioning.
Thanks
Quoting - Lance Atencio (Intel)
OH, I was confused. I thought you were talking about the documentation being in conflict with your statement about the popularity of Bare Metal provisioning.
I will work on getting the documentation you mentioned changed to more clearly define the terms of Remote Configuration, Zero Touch Configuration, and Bare Metal Provisioning.
Thanks
Quoting - ph3ar
Almost 1 month has passed and I haven't seen any corrections to the documentation yet!
Yes, I have asked them to add the following:
1 Touch - A person physically present at each client supplies preliminary information before setup begins (e.g. PID/PPS, MEBx Password, certificate hash)
Zero Touch - Performing setup without providing the Intel vPro client any information in advance (no physical presence)
Remote Configuration (TLS-PKI mode) - Setup is performed using a remote configuration certificate and the firmware must have a corresponding root certificate hash
Local Configuration - Performing setup and configuration by using only the MEBx (no software used)
However, their site is run separately from ours.
You may want to post a comment directly on that FAQ or start a thread in their forum.
Quoting - Lance Atencio (Intel)
Yes, I have asked them to add the following:
1 Touch - A person physically present at each client supplies preliminary information before setup begins (e.g. PID/PPS, MEBx Password, certificate hash)
Zero Touch - Performing setup without providing the Intel vPro client any information in advance (no physical presence)
Remote Configuration (TLS-PKI mode) - Setup is performed using a remote configuration certificate and the firmware must have a corresponding root certificate hash
Local Configuration - Performing setup and configuration by using only the MEBx (no software used)
However, their site is run separately from ours.
You may want to post a comment directly on that FAQ or start a thread in their forum.
Unfortunately, I realized that things are going slow with the remote configuration process.