Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.
1388 Discussions

HOWTO config TLS with Director's One Touch Configuration

theperfectwave
Beginner
1,828 Views
Hi,

in the Director I added an AMT computer to the node "Network". Afterwards it's possible to set a profile (with TLS settings) to that computer. - With this method it is possible, to configure an AMT computers to use TLS.

I tried to set such a profile to another AMT computer with the Director's "One Touch Configuration" method. In the "Generate Key" Dialog I selected the same "TLS" profile, which I used above. Afterwards I exported the fresh generated key to an USB stick. The AMT computer, which I provisioned with this stick, shows after the provisioning attempt the following message:

>> Intel AMT is disabled and USB data missing Manageability Feature Selection
Network and provisioning settings will not be applied.
Configuration Settings from the USB file were successfully applied
Press any key to continue with system boot... <<

This test only changed the MEBx password from "admin" to "P@ssw0rd". That's all. But the TLS configuration failed.


Does somebody know message above and know what must be changed?


0 Kudos
1 Solution
Ajith_I_Intel
Employee
1,828 Views
Hi,
I am borrowing some notes from your reply to answer some of your questions.

To do that, you have to add the AMT computer to the network node in the Director. Then you can put the needed settings-profile & certificate into the AMT computer. After doing that, you can use TLS in the Real VNC Viewer Plus, the WEB interface, etc.... to connect to this AMT computer via a TLS secured connection.

The above mentioned can be achieved, when you add a system that was already provisioned. In fact, this is how you can reconfigure a machine to add new features or change any of the existing features that are already configured.

==================================================================

A colleague told me that he used a similar way to do that.

1. He also create a profile with a certificate and the settings for TLS.
2. With the node "One Touch Configuration" in the Director he pushed his profile to an USB Flash driver.
3. With this USB Flash drive he was able to configure the AMT computer (via USB provisioning) to use TLS
for ongoing communication.

My colleague told me that his way also worked.


But when he tried to show me his way, he wasn't able to do that. It never worked.
==================================================================

You are confusing TLS -PSK (one touch configuration) with TLS for encrypting the communicationsbetween management console and AMT client. USBKey provides you an interface to only modify the parameters that are exposed to BIOS through the Management Engine BIOS Extensions (MEBx). so in summary, with USB key, you can only enter the parameters that you can configure by manually configuring in the MEBx menu.

If you really want to achieve what was mentioned in the flow above, this is the order of the flow.
1. Create a profile in Director that will configure the AMT device for TLS encryption. Lets call it profile1.
2. In DTK Director, create a set of PId/PPS keys under one touch configuration and when you create the keys, it will ask for the profile to use and you can select profile1.
3. In the same screen, you can create a USB Key. This step will import the PID/PPS keys along with the IP/FQDN of the configuration server (Which is DTK director in your case) that can be imported into the AMT Client.
4. Reboot the AMT Cleint with the USB key installed. This process would trigger AMT Client to start contacting the DTK Director and after then, DTK Director can configure the AMT device as defined in profile 1 created in step 1.

Hopefully this explains what you are looking for.

Thanks,
AI

View solution in original post

0 Kudos
10 Replies
Ajith_I_Intel
Employee
1,828 Views
Hi There,
The message seems to indicate that Intel AMT in the BIOS is disabled and for that reason you are not able to set any of the AMT specific parameters when booting off the USB stick. Please check in the BIOS/MEBx to enable Intel AMT and then try booting off the USB stick.

Thanks,
AI
0 Kudos
theperfectwave
Beginner
1,828 Views
No AMT is enabeld.

Does somebody know why USB provisioning doesn't work in our case.
0 Kudos
RBens2
Valued Contributor I
1,828 Views
AMT might be enabled on your system, but USB provisoning might not be. I seem to remember that Intel's recommendation was for USB provisioning to be disabled by default, that way a malicious party couldn't just walk up to your system and use a USB key to provision it to work with a rogue SCS. I know on HP commercial notebooks, USB provisioning is enabled/disabled by a setting in the BIOS setup, and by default it is disabled.

Regards,
Roger
0 Kudos
theperfectwave
Beginner
1,828 Views
AMT and USB Provisioning are enabled.

Does somebody know what else must be done, to configure AMT for TLS by using USB Provisioning?

Thanks in advance for helpfull answers.
0 Kudos
Andrew_S_Intel2
Employee
1,828 Views
Have you read the following recent thread about using a USB key to provision the system in PKI mode? It goes into details about the exact arguments to use in that case, and might be helpful for you here (I'd also take a look at the readme for the USBFile tool in the SDK, it's in the Windows\Intel_Manageability_Configuration\Configuration\USBFile directory)
http://software.intel.com/en-us/forums/showthread.php?t=71346&o=a&s=lr


Also, when you say configure AMT for TLS, do you mean to configure AMT to use TLS in ongoing communications, without also using some sort of configuration server like SCS?

To actually use TLS for ongoing communication, it's necessary to use some sort of configuration server. The USBKey can get you as far as getting the AMT system talking to the configuration server, but can't directly put a certificate into AMT to use for ongoing TLS communications. There's also the option of having your local agent do the necessary configuration after AMT has been enabled with the USBTool, or having your remote agent complete the configuration to support TLS after using the USBTool to activate AMT.
0 Kudos
theperfectwave
Beginner
1,828 Views
With the Managebility Director you can setup an AMT computer to use TLS for ongoing communication. Therefore no configuration server is necessary.

The way I did this in the Director, was:
1. Creating a profile containing a certificate and the necessary settings for TLS.
2. Adding a computer to the node Network.
3. Storing the profile to this computer.

This way works for ongoing TLS communication. For this configuration no configuration server is necessary. I used this way several times. And I am able to do it again.

===============================================================

A colleague told me that he used a similar way to do that.

1. He also create a profile with a certificate and the settings for TLS.
2. With the node "One Touch Configuration" in the Director he pushed his profile to an USB Flash driver.
3. With this USB Flash drive he was able to configure the AMT computer (via USB provisioning) to use TLS
for ongoing communication.

My colleague told me that his way also worked. There was also no configuration server necessary.

===============================================================


He was trying to show me his way. But now he was no more able to do it. This time he made somewhere a mistake (one wrong step / setting.... ).

Now we are trying to use his way again for configuring an AMT computer.


Currently we make somewhere a little mistake, when we use his way. So what we need, is a detailed description of all the exact steps for the desired way. And also of settings which might be the reason for our current problem to reproduce his way.

We want to use the Director. We don't want any configuration server. We want to be able to use his way again.

Can you give use detailed step by step instructions for his way.



Thanks in advance for your help.
0 Kudos
Andrew_S_Intel2
Employee
1,828 Views
The Manageability director isa configuration server (I believe all the versions when you bring them up say "Setup and Configuration Tool" at the top, although I haven't checked the most recent version),it's simply one that's intended as a reference design for someone to create their own, and act as a demonstrator for configuration of AMT systems. Also, keep in mind that the director tool has been end of lifed, so while it still can be used as a reference, there are no current plans to keep adding to that component.

The certificate pushed with the USB key with director is used for configuration, not for ongoing communication The certificate actually used for ongoing communication can either be pushed as part of the configuration prcoess, or can be pushed after the machine has been provisioned.

In thePreviousDTK Videospackage (available at the bottom of the DTK page here: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/ ). There is a video on using Remote Configuration (which talks about provisioning the system with PKI (which uses a certificate) that I believe discusses the USB key) and a video on TLS setup.
0 Kudos
theperfectwave
Beginner
1,828 Views

Sorry, but my question is not answered herewith.



As I said, it is possible to use the Director to set up a ongoing TLS communication on an ATM computer.

To do that, you have to add the AMT computer to the network node in the Director. Then you can put the needed settings-profile & certificate into the AMT computer. After doing that, you can use TLS in the Real VNC Viewer Plus, the WEB interface, etc.... to connect to this AMT computer via a TLS secured connection.


==================================================================

A colleague told me that he used a similar way to do that.

1. He also create a profile with a certificate and the settings for TLS.
2. With the node "One Touch Configuration" in the Director he pushed his profile to an USB Flash driver.
3. With this USB Flash drive he was able to configure the AMT computer (via USB provisioning) to use TLS
for ongoing communication.

My colleague told me that his way also worked.


But when he tried to show me his way, he wasn't able to do that. It never worked.
==================================================================

Here my exact questions:



1. Is the way, which my colleague told me, really possible or not? yes or no?

2. If yes, so can you tell me please the exact steps for this way. Or a link to a good user manual / movie etc. .






"One Touch Configuration"
0 Kudos
Ajith_I_Intel
Employee
1,829 Views
Hi,
I am borrowing some notes from your reply to answer some of your questions.

To do that, you have to add the AMT computer to the network node in the Director. Then you can put the needed settings-profile & certificate into the AMT computer. After doing that, you can use TLS in the Real VNC Viewer Plus, the WEB interface, etc.... to connect to this AMT computer via a TLS secured connection.

The above mentioned can be achieved, when you add a system that was already provisioned. In fact, this is how you can reconfigure a machine to add new features or change any of the existing features that are already configured.

==================================================================

A colleague told me that he used a similar way to do that.

1. He also create a profile with a certificate and the settings for TLS.
2. With the node "One Touch Configuration" in the Director he pushed his profile to an USB Flash driver.
3. With this USB Flash drive he was able to configure the AMT computer (via USB provisioning) to use TLS
for ongoing communication.

My colleague told me that his way also worked.


But when he tried to show me his way, he wasn't able to do that. It never worked.
==================================================================

You are confusing TLS -PSK (one touch configuration) with TLS for encrypting the communicationsbetween management console and AMT client. USBKey provides you an interface to only modify the parameters that are exposed to BIOS through the Management Engine BIOS Extensions (MEBx). so in summary, with USB key, you can only enter the parameters that you can configure by manually configuring in the MEBx menu.

If you really want to achieve what was mentioned in the flow above, this is the order of the flow.
1. Create a profile in Director that will configure the AMT device for TLS encryption. Lets call it profile1.
2. In DTK Director, create a set of PId/PPS keys under one touch configuration and when you create the keys, it will ask for the profile to use and you can select profile1.
3. In the same screen, you can create a USB Key. This step will import the PID/PPS keys along with the IP/FQDN of the configuration server (Which is DTK director in your case) that can be imported into the AMT Client.
4. Reboot the AMT Cleint with the USB key installed. This process would trigger AMT Client to start contacting the DTK Director and after then, DTK Director can configure the AMT device as defined in profile 1 created in step 1.

Hopefully this explains what you are looking for.

Thanks,
AI
0 Kudos
theperfectwave
Beginner
1,828 Views
Ok thanks, this is what I looked for.
0 Kudos
Reply