Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.
1381 Discussions

Intel AMT v8.x TLS Configuration

Yuri_M_
Beginner
‎05-28-2013 01:05 PM
518 Views

Hello.

I would like to ask a few questions about configuring TLS-PSK (if it's still posible) with AMT SCS 8.0

My university had recently purchased about 200 AMT-enabled computers - HP 8300 series, MBEx of the version 8.0.0.0063 , with ME v8.1.0.1265.

Considering the amount of the machines we would like to use AMT for remote OOB managemant.

Since those computers are installed in students' labs there is a clear security concern: we cannot rely on the

login/password only, while managing each machine remotely.

So, for security reasons and also in order to be able to use SOL, KVM and IDE-R we have to configure the Transport Layer Security.

So, that's the background. Now my questions:

1) Is there still an option to configure the Transport Layer Security with Pre-Shared Key, but using the SCS 8.x?

2) If not - Can the PKI be configured instead of TLS-PSK, but without using the certificates from the vendor?

In other words, can PKI be configured to work with our custom certificates instead of the vendor's sertificates that are already embedded in the machine's firmware? Could it be done WITHOUT purchasing the certificate?

3) Is there a way to configure the TLS so it would use a Certificate Authority that does NOT run on Windows Server?

We use Linux machines (Debian 6.0 distribution mostly) and are willing to create a Certificate Authority with OpenSSL.

I found this tutorial on your site:

http://software.intel.com/en-us/blogs/2012/01/18/how-to-create-amt-certificates-using-the-amt-sdk-and-openssl

but unfortunately this could be done ONLY if the version of SCS/SDK is 7.x or lower.

So, if there's a way to achieve the same goal as in this tutorial, but for versions 8.x - I would like to know how as well.

4) I've already tried to change the "Current Provisioning Mode" manually in MEBx, but there's only one option - PKI.

Is there any way to enable TLS-PSK option as well?

5) Is there a way to enable TLS but with out Certificate Authority - relying only on self-sign certificates?

If yes - how cuold it be done using OpenSSL?

Thanks in advance

0 Kudos

Link Copied

1 Reply
Gael_H_Intel
Moderator
‎05-29-2013 02:01 PM
518 Views

The answer to question 1 is yes.  See the Setup and Configuration Using PSK section of the SDK Implementation and Reference Guide.  You can use either the Setup and Config Server or the Open DTK (Director) to provision your systems.

2 - you can use your own provisioning certificate if you have a system that acts as a certificate authority - make the certificate, add the hash into the ME from the MEBx menus.  I believe the SCS documentation describes how to create a certificate as well.

3.  I'm not sure about this one.  I need to investigate further. The blog you are referring to was written in 2012 - I suspect we used an AMT 8 system when we tested this.  Why do you say that it only works for versions older than 7?

4.  Need to investigate..

5.  Need to investigate.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.