Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

Intel AMT v8.x TLS Configuration



I would like to ask a few questions about configuring TLS-PSK (if it's still posible) with AMT SCS 8.0

My university had recently purchased about 200 AMT-enabled computers - HP 8300 series, MBEx of the version , with ME v8.1.0.1265.

Considering the amount of the machines we would like to use AMT for remote OOB managemant.

Since those computers are installed in students' labs there is a clear security concern: we cannot rely on the

login/password only, while managing each machine remotely.

So, for security reasons and also in order to be able to use SOL, KVM and IDE-R we have to configure the Transport Layer Security.

So, that's the background. Now my questions:

1) Is there still an option to configure the Transport Layer Security with Pre-Shared Key, but using the SCS 8.x?

2) If not - Can the PKI be configured instead of TLS-PSK, but without using the certificates from the vendor?

In other words, can PKI be configured to work with our custom certificates instead of the vendor's sertificates that are already embedded in the machine's firmware? Could it be done WITHOUT purchasing the certificate?

3) Is there a way to configure the TLS so it would use a Certificate Authority that does NOT run on Windows Server?

We use Linux machines (Debian 6.0 distribution mostly) and are willing to create a Certificate Authority with OpenSSL.

I found this tutorial on your site:

but unfortunately this could be done ONLY if the version of SCS/SDK is 7.x or lower.

So, if there's a way to achieve the same goal as in this tutorial, but for versions 8.x - I would like to know how as well.

4) I've already tried to change the "Current Provisioning Mode" manually in MEBx, but there's only one option - PKI.

Is there any way to enable TLS-PSK option as well?

5) Is there a way to enable TLS but with out Certificate Authority - relying only on self-sign certificates?

If yes - how cuold it be done using OpenSSL?

Thanks in advance

0 Kudos
1 Reply

The answer to question 1 is yes.  See the Setup and Configuration Using PSK section of the SDK Implementation and Reference Guide.  You can use either the Setup and Config Server or the Open DTK (Director) to provision your systems.

2 - you can use your own provisioning certificate if you have a system that acts as a certificate authority - make the certificate, add the hash into the ME from the MEBx menus.  I believe the SCS documentation describes how to create a certificate as well.

3.  I'm not sure about this one.  I need to investigate further. The blog you are referring to was written in 2012 - I suspect we used an AMT 8 system when we tested this.  Why do you say that it only works for versions older than 7?

4.  Need to investigate..

5.  Need to investigate.

0 Kudos