Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

Is it possible to provision (ZTC) via SCS Light where Admin password has been changed once

sayantan_majumdar

I asked the same question in another thread but got really scattered responses. So opening this thread with this very specific question.

Is it possible to provision an AMT device (must be a Zero Touch Configuration) with SCS Light when the default password of the AMT device has already been changed once from "admin"? Other constraints are

1. I have to use a self signed certificate and push the hash into the AMT device.
2. Provisioning has to be a PKI mode provisioning.

There should be a way to pass the changed password, either while creating the profile in SCS Console or in the activator. Thanks in advance.

Regards,
Sayantan

Gael_H_Intel
Moderator

Hi - I'm the one who confused you. This was happening to me - last week my system seemed to want to be in factory mode (i.e., ME password = "admin") but then I was trying it again this week after doing a full unprovision and put my current MEBx password into my SCS Profile, and it worked just fine. So you should be OK. If we can duplicate the problem I was seeing (the service seeming to want "admin" as the MEBx password) we will need to gather log files and send them to our dev teams.

Also, I tried to do remote provisioning without "unprovisioning" first and the Activator wouldn't even connect to the service - so it won't let you get very far unless you are starting with an unprovisioned system.

Gael
sayantan_majumdar

Thanks for your quick response.
But I still feel confused about this whole flow. Let me explain the current state of my setup. The AMT device was once provisioned but I could unprovision it. Once I unprovision it, it will still retain the changed password. From your response it seems that I can still work with the changed password and need to mention the changed password while creating the SCS profile.

The steps I shall follow are:

1. Fully unprovision the AMT device manually. But this will retain the changed password.
2. Push the self signed certificate hash into the AMT device manually.
3. Create an SCS profile with changed password.
4. Start the activator in the AMT device.

Could you please confirm if these are the steps I should follow or if there is something else I need to do. Thanks a lot for all your help.

Regards,
Sayantan


Lance_A_Intel
Employee

Yes, those steps are needed and are covered in the process in the documentation for SCS and the Activator.

Based on the errors you posted before I don't think your problem is with the MEBx password.

The complexity of setting up the server, network and accounts is probably where the issues are for you.

sayantan_majumdar

I am trying it once again. I shall update my logs soon.

Thanks.
Gael_H_Intel
Moderator

Did you get a chance to look at this blog? You have to create the certificate with the correct OID or OU and there are specific things you have to do with DNS, DHCP (Option 15), etc. Did you go into the AMT Configuration and verify that AMT is set up to get its IP from DHCP (not static)?

Before Remote Configuration begins, the network should be configured as follows:

  • The Intel SCS must have a server (provisioning) certificate, used only for setup and configuration, with the appropriate OID or OU that traces to a CA which has a root certificate hash stored in the Intel AMT device. The OID in the Extended Key Usage field must be 2.16.840.1.113741.1.2.3, or the OU value in the Subject field must be "Intel Client Setup Certificate".
    • Contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. A list of the hashes should be provided by the platform vendor. Go to the vendor's web site and purchase an "SSL certificate". For example, the following link to Verisign's site http://www.verisign.com/ssl/buy-ssl-certificates/index.html shows how to purchase an appropriate certificate. Use the OID or the OU values above (or both) when defining the certificate.
    • This provisioning certificate must be installed in the SCS User's personal store.
    • It's OK if the provisioning certificate has a different domain associated with it than your management/provisioning console/AMT Client has.
  • The Intel AMT device must be configured to receive its IP address from a DHCP server.
  • Your DHCP server's Scope Options must be configured to support option 15 and to return the domain suffix that is in the provisioning certificate. Note that Remote Provisioning will not work without this requirement for Option 15.
  • The Intel AMT device must be pre-programmed with at least one active root certificate hash. The device comes with a set of hashes from various vendors.
  • The Intel AMT Setup and Configuration Server (SCS) must be registered with a DNS server accessible to the Intel AMT device with the name "ProvisionServer" (or the name defined by the PC manufacturer) and be in either the same domain as the device or in a domain with the same suffix. (Add an alias for "ProvisionServer"= Intel AMT Client>.)
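
The certificate-side prerequisites in the list above (chain to the root whose hash is stored in the device, OID or OU marker, DHCP option 15 suffix) can be checked before starting the Activator. This is an added example, not part of the original posts or of Intel's tooling; it assumes the `openssl` CLI, and `example.test`, `Lab AMT Root` and all file names are constructed. The thread does not say which digest the firmware expects, so the algorithm is a parameter.

```shell
#!/usr/bin/env bash
# Added example. example.test, "Lab AMT Root" and all file names are constructed.
AMT_EKU_OID="2.16.840.1.113741.1.2.3"      # EKU OID quoted in the post above
AMT_OU="Intel Client Setup Certificate"    # OU value quoted in the post above

# make_chain DIR FQDN: lab-only self-signed root plus a provisioning cert signed by it.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab AMT Root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/OU=$AMT_OU/CN=$2" \
    -keyout "$1/prov.key" -out "$1/prov.csr" 2>/dev/null &&
  printf 'extendedKeyUsage=serverAuth,%s\n' "$AMT_EKU_OID" > "$1/ext.cnf" &&
  openssl x509 -req -in "$1/prov.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -extfile "$1/ext.cnf" -out "$1/prov.pem" 2>/dev/null
}

# root_hash CERT ALG: fingerprint of the root, the value stored in the AMT device.
root_hash() { openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2; }

# has_amt_marker CERT: true if the EKU carries the OID or the subject carries the OU.
has_amt_marker() {
  openssl x509 -in "$1" -noout -text | grep -qF "$AMT_EKU_OID" ||
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -qF "OU=$AMT_OU"
}

# suffix_matches CERT DOMAIN: true if the cert CN ends in the DHCP option 15 suffix.
suffix_matches() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  case "$cn" in *."$2") return 0 ;; *) return 1 ;; esac
}

# preflight DIR DOMAIN: run every check and name the first one that fails.
preflight() {
  openssl verify -CAfile "$1/root.pem" "$1/prov.pem" >/dev/null 2>&1 || { echo "chain"; return 1; }
  has_amt_marker "$1/prov.pem" || { echo "oid-or-ou"; return 1; }
  suffix_matches "$1/prov.pem" "$2" || { echo "option15-suffix"; return 1; }
  echo "ok"
}
```

Source the file, run `make_chain "$dir" scs.example.test` in an empty directory, then `preflight "$dir" example.test`; `root_hash "$dir/root.pem" sha1` prints the root fingerprint to compare with the hash entered in the device.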
sayantan_majumdar

Hi Gael and Lance,

Finally, good news!!!

I am able to provision the AMT device in TLS-PKI mode. The issue was with the communication between the AMT device Workgroup and SCS domain.

A special thanks to you for all your help.

Regards,
Sayantan