Community
cancel
Showing results for 
Search instead for 
Did you mean: 
gennadiy
Beginner
52 Views

Enterprise Mode

Hi
My AMT computer is set in Small business Mode. I wish to establish and work with Enterprise Mode. If the step-by-step documentation which describes steps for correct installation Enterprise Mode? I established Enterprise Mode in Manageability Director Tool, but AMT comuter is remotely inaccessible . Probably I have missed still any steps with the certificate.
Gennadiy.
0 Kudos
5 Replies
Gael_H_Intel
Moderator
52 Views

Quoting - gennadiy
Hi
My AMT computer is set in Small business Mode. I wish to establish and work with Enterprise Mode. If the step-by-step documentation which describes steps for correct installation Enterprise Mode? I established Enterprise Mode in Manageability Director Tool, but AMT comuter is remotely inaccessible . Probably I have missed still any steps with the certificate.
Gennadiy.


Hi gennadiy,
A really nice tool to use for Enterprise provisioning is the SCS Lite Tool. If you follow the link there are also training videos about it. So are you trying to to accomplish No-touch provisioning via a provisioning certificate? you might want to try using the USB method first - it is a little more straight forward and you don't have to have DNS servers and option 15 set. For more information on the SCS Lite, there are a couple blogs on our site.

When you say your AMT system is not accessible remotely - are you saying that you don't have it on a network? In order to provision in enterprise mode, whether you are wanting TLS or not, the system must be on the same network as where the Setup and Config Service is running, if using the SCS tools. Even ifyou are tyring to use the AMTDirector tool,it needs to run on a separtate systemthat is on thesame network as yourAMT system.The only way you can provision locally isfor SmallBusiness Mode.

Can you provide more details about your environment?

I also have some blogs on general provisioning information that you might find useful as well.

--Gael
gennadiy
Beginner
52 Views



Hi gennadiy,
A really nice tool to use for Enterprise provisioning is the SCS Lite Tool. If you follow the link there are also training videos about it. So are you trying to to accomplish No-touch provisioning via a provisioning certificate? you might want to try using the USB method first - it is a little more straight forward and you don't have to have DNS servers and option 15 set. For more information on the SCS Lite, there are a couple blogs on our site.

When you say your AMT system is not accessible remotely - are you saying that you don't have it on a network? In order to provision in enterprise mode, whether you are wanting TLS or not, the system must be on the same network as where the Setup and Config Service is running, if using the SCS tools. Even ifyou are tyring to use the AMTDirector tool,it needs to run on a separtate systemthat is on thesame network as yourAMT system.The only way you can provision locally isfor SmallBusiness Mode.

Can you provide more details about your environment?

I also have some blogs on general provisioning information that you might find useful as well.

--Gael
Hi Gael,

I write java program for AMT computer handle. At present I try to understand Enterprise Mode. I know as it becomes by Web Services, but the common understanding of sequence of steps for me is not present. Unfortunately I have not found the description what steps I should do for correct installation Enterprise Mode. For this purpose I have decided to use Manageability Director Tool. By Manageability Director Tool I was connected and to the AMT computer, have installed Enterprise Mode and after that I any more cannot will be connected to the computer. Manageability Director Tool allows generate the certificate. At what stages I should use the certificate?

Gennadiy.
Gael_H_Intel
Moderator
52 Views

Quoting - gennadiy
Hi Gael,

I write java program for AMT computer handle. At present I try to understand Enterprise Mode. I know as it becomes by Web Services, but the common understanding of sequence of steps for me is not present. Unfortunately I have not found the description what steps I should do for correct installation Enterprise Mode. For this purpose I have decided to use Manageability Director Tool. By Manageability Director Tool I was connected and to the AMT computer, have installed Enterprise Mode and after that I any more cannot will be connected to the computer. Manageability Director Tool allows generate the certificate. At what stages I should use the certificate?

Gennadiy.


Hi Gennadiy - you might want to watch some of the videos that are availablefor the the DTK, look specifically for the Director videos. I'm not very familiar with how the Director works as far as what it is doing with the certificates. You do need to have an understanding of the two different kinds of certificates:

1. Certificate Hash used for remote provisioning - there are some Cert Hashes in the ME and you have to purchase the matching root certificates from Verisign or Godaddy (and there are some other venders.) OR you can create your own and manually enter the hash into the ME. (This is why I was suggesting using the SCS Lite tool with the USB provisioning. - it is a little more straight forward and will give you a feel for successfully provisioning your system.) The sole purpose of this certificate is so you can open the provisioning interface (i.e. hello packets) so that you do not have to manually type in the PID/PPS keys in the ME or boot the AMT client with the setup.bin file that would be on the USB key that you created that would have the PID/PPS key.

2. The Certificate needed for Enterprise with TSL provisioning - this can be created via the Director but is specifically for applying security to your AMT client (not for getting the hello packet to be sent.)

So I'm not sure which certificate you are creating via the Director tool, but I highly recommend looking at the videos so that you can have a better understanding of the whole process.I saw that there was a video specifically for provisioning with TLS.

--Gael
gennadiy
Beginner
52 Views



Hi Gennadiy - you might want to watch some of the videos that are availablefor the the DTK, look specifically for the Director videos. I'm not very familiar with how the Director works as far as what it is doing with the certificates. You do need to have an understanding of the two different kinds of certificates:

1. Certificate Hash used for remote provisioning - there are some Cert Hashes in the ME and you have to purchase the matching root certificates from Verisign or Godaddy (and there are some other venders.) OR you can create your own and manually enter the hash into the ME. (This is why I was suggesting using the SCS Lite tool with the USB provisioning. - it is a little more straight forward and will give you a feel for successfully provisioning your system.) The sole purpose of this certificate is so you can open the provisioning interface (i.e. hello packets) so that you do not have to manually type in the PID/PPS keys in the ME or boot the AMT client with the setup.bin file that would be on the USB key that you created that would have the PID/PPS key.

2. The Certificate needed for Enterprise with TSL provisioning - this can be created via the Director but is specifically for applying security to your AMT client (not for getting the hello packet to be sent.)

So I'm not sure which certificate you are creating via the Director tool, but I highly recommend looking at the videos so that you can have a better understanding of the whole process.I saw that there was a video specifically for provisioning with TLS.

--Gael
Hi Gael
I have viewed video and have seen that operation with certificates is shown when Enterprise Modeis installed. I am interested in Enterprise Mode installation. I have not found it on video and the documentation.
Gennadiy
Andrew_S_Intel2
Employee
52 Views

Quoting - gennadiy
Hi Gael
I have viewed video and have seen that operation with certificates is shown when Enterprise Modeis installed. I am interested in Enterprise Mode installation. I have not found it on video and the documentation.
Gennadiy

If I understand your question correctly, you would like video on how to actually provision an AMT system in Enterprise mode. There are video's in the download that show how to do this, I'll describe which ones to look at.

But first, I wanted to make a clarification here that I'm not sure came across. In Enterprise mode, setting up TLS for ongoing communications with the AMT system is an optional item. It is recommended, especially if you are planning on using SOL sessions. Mainly because if you don't have TLS set-up, the communications in the SOL session will not be in the clear, which might not be desirable because of security reasons. This is separate from the TLS for provisioning, that will always be in place, and be either TLS-PKI or TLS-PSK.

That being said, I'll address the two separate issues, setting up in Enterprise mode, and setting up TLS in Enterprise mode. I'll be referring to the video package available on this page: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool... ,the videos are a fair distance down the page under the Tutorial Videos section.

There is definitely a video for using the DTK to provision a system in Enterprise mode, either with one-touch or Remote provisioning. For remote configuration (where a certificate is used, and it is not necessary to physically touch the system before provisioning), you would watch the Intel AMT DTK 0.28 - Remote Configuration.wmv video. (Note: The certificate mentioned here is potentially different than the certificate used for TLS mode once the system is provisioned, this is mentioned in this video and the one about TLS provisioning, which I will mention later). For One touch configuration (where you need to put a key onto the AMT system, either with a USB key or by entering the key in the MEBx), the video you would want to watch is Intel AMT DTK 0.28 One Touch Setup.wmv. Either of these methods will allow you to provision an AMT system in Enterprise mode.

For setting up TLS during provisioning, so that traffic to and from the AMT System will be encrypted once the system is provisioned, you would watch the video entitled "Intel AMT DTK 0.28 - TLS Setup.wmv".

As always, I want to include the caveat that the DTK is a tool to assist in the development and testing of solutions using Intel AMT. If you were planning on provisioning systems in a production environment (instead of seeing examples for developing solutions) like Gael mentioned previous you should take a look at either SCS Lite or SCS.
Reply