Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

PKI Provisioning of iAMT device from SCA sample

peri
Beginner
599 Views

Hi All,

I am trying to provision the iAMT device using PKI by following the below steps.

1. Run the SCA's ConfigurationServer.exe on the machine1 and have given Yes for certificate creations and finally it listens at port no 9971.

2. created the setup.bin by running the following command.

USBFile.exe -create setup.bin Admin!123 Admin!123 -amt -ztc 1 -hash "F:\\iAMT\\iAMT_SDK_5.1.1\\Intel_AMT_SDK_Release_5.1.1\\Intel_AMT_SDK_Release_5.1.1\\Windows\\Intel_Manageability_Configuration\\Configuration\\ConfigurationServer\\Bin\\CertGenerator\\ZtcSecScripts\\rootCA\\rootCert.pem" periCert -dns blr.novell.com -fqdn pperiyasamy.blr.novell.com

(rootCert.pem is created by ConfigurationServer.exe)

3. Copied this setup.bin into USB and loaded into AMT firmware (machine2) and went into the BIOS and given machine1 as the provisionserver.

4. Now machine1 receives the "Hello" packet from the amt device and fails to make SOAP calls to AMT firmware and it throws the following error.

Waiting for incoming connection...

[2010-01-20 11:53:37] Incoming Connection from 164.99.138.190:16994
Incoming data is:
Configuration version: PKI Configuration
Count : 3
UUID : 4EE7C453-8A45-11DD-BBDA-FEE41245000F
reading configuration from default.conf.xml

>> starting soap call sequence <<

Error: failed while calling GetCoreVersion
Res = 26
SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
"SSL_ERROR_SSL
error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error"
Detail: SSL connect failed in tcp_connect()
- failed to establish connection with AMT
- attempt to connect using default credentials...
Error: failed while calling GetCoreVersion
Res = 26
SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
"SSL_ERROR_SSL
error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error"
Detail: SSL connect failed in tcp_connect()
- failed to establish connection with AMT
Aborting configuration
Warning: SetProvisioningParameters() failed

The following forum http://software.intel.com/en-us/blogs/2010/01/10/my-amt-experience-4-solution-for-tls-connection-error-of-intel-amt-zero-touch-configuration/ has talked about this issue and recommending Certificate CN name suffix to be set in line with the domain name. As i am using demo certificates created by Intel SCA, where to make changes so that certificate has proper CN name suffix?Could you please help me to resolve it?

Thanks in advance,

Periyasamy

0 Kudos
3 Replies
RBens2
Valued Contributor I
599 Views

Hi Periyasamy,

All of the configuration of the certificates is done in the various batch file in each of the CertGenerator subdirectories. I've included an excerpt from the checkztc.bat batch file from the ZtcSecScripts subdirectory. As you can see, the CN of the remote config cert is specified in the ZTC_CLIENT_CN variable. You can modify any of the variable values in any of the creation batch files to match your environment. You will also need to comb through the default.conf.xml file in the ConfigScripts subdirectory to make sure that all of the specified values match your environment. If you do make changes to any of these files, you should put them into some version control system.Any of the certificates that you create in using the scripts can be imported into the DTK to allow Director to do the remote configuration. This makes a good check to the configuration process.

Also, you can take the UUID from the system that tried to get configured, and create a new conf.xml file specific to that system by making a copy of the default.conf.xml file and renaming it to .conf.xml file. The SCA will see the system connect, look for the UUID specific file, and use that file to guide the configuration process. The documentation in the DOCS directory of the SDK explains the entire process, but you will need to do some experimentation to get everything to work well with your environment. Post to this forum again if you've got any other questions.

Regards,

Roger

REM ----------------------------------------------------------------------
REM The following environment parameters can be customized.
REM Note that they need to be coordinated with the appropriate
REM .conf.xml file in order to achieve properly working environment.
REM ----------------------------------------------------------------------
set CA_CRL_DISTRIBUTION_POINT=URI:http://crl.demoCA.com
set ZTC_CLIENT_CN=acme_app.intel.com
set ZTC_CLIENT_OU=Intel Client Setup Certificate
set PKCS12_PASSWORD=qwerty
set CAKEY=.\rootKey.pem
set CACERT=.\rootCert.pem
set CADIR=.\rootCA
set ZTCDIR=.\ZTC
set ZTCCERT=.\ZTC_cert.pem
set ZTCKEY=.\ZTC_key.pem
set FULLCHAIN=.\FullChain.pem

0 Kudos
peri
Beginner
599 Views

Hi Roger,

After changing the ZTC_CLIENT_CN variable in the checkztc.bat file, provisioning has gone through successfully. Thanks a lot for the help.

Thanks,

Periyasamy

0 Kudos
Gael_H_Intel
Moderator
599 Views

Hi Periyasamy,

I'm glad that it's working for you now. Roger: Thanks for your help!

0 Kudos
Reply