Hi All,
I am trying to provision the iAMT device using PKI by following the below steps.
1. Ran the SCA's ConfigurationServer.exe on machine1 and answered Yes for certificate creation; it finally listens on port 9971.
2. Created the setup.bin by running the following command.
USBFile.exe -create setup.bin Admin!123 Admin!123 -amt -ztc 1 -hash "F:\\iAMT\\iAMT_SDK_5.1.1\\Intel_AMT_SDK_Release_5.1.1\\Intel_AMT_SDK_Release_5.1.1\\Windows\\Intel_Manageability_Configuration\\Configuration\\ConfigurationServer\\Bin\\CertGenerator\\ZtcSecScripts\\rootCA\\rootCert.pem" periCert -dns blr.novell.com -fqdn pperiyasamy.blr.novell.com
(rootCert.pem is created by ConfigurationServer.exe)
3. Copied this setup.bin onto a USB drive, loaded it into the AMT firmware (machine2), went into the BIOS and set machine1 as the provisioning server.
4. Now machine1 receives the "Hello" packet from the AMT device but fails to make SOAP calls to the AMT firmware, and it throws the following error.
Waiting for incoming connection...[2010-01-20 11:53:37] Incoming Connection from 164.99.138.190:16994
Incoming data is:
Configuration version: PKI Configuration
Count : 3
UUID : 4EE7C453-8A45-11DD-BBDA-FEE41245000F
reading configuration from default.conf.xml
>> starting soap call sequence <<
Error: failed while calling GetCoreVersion
Res = 26
SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
"SSL_ERROR_SSL
error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error"
Detail: SSL connect failed in tcp_connect()
- failed to establish connection with AMT
- attempt to connect using default credentials...
Error: failed while calling GetCoreVersion
Res = 26
SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
"SSL_ERROR_SSL
error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error"
Detail: SSL connect failed in tcp_connect()
- failed to establish connection with AMT
Aborting configuration
Warning: SetProvisioningParameters() failed
The following forum post http://software.intel.com/en-us/blogs/2010/01/10/my-amt-experience-4-solution-for-tls-connection-error-of-intel-amt-zero-touch-configuration/ talks about this issue and recommends that the certificate CN name suffix be set in line with the domain name. As I am using demo certificates created by Intel SCA, where do I make changes so that the certificate has the proper CN name suffix? Could you please help me to resolve it?
Thanks in advance,
Periyasamy
Hi Periyasamy,
All of the configuration of the certificates is done in the various batch files in each of the CertGenerator subdirectories. I've included an excerpt from the checkztc.bat batch file from the ZtcSecScripts subdirectory. As you can see, the CN of the remote config cert is specified in the ZTC_CLIENT_CN variable. You can modify any of the variable values in any of the creation batch files to match your environment. You will also need to comb through the default.conf.xml file in the ConfigScripts subdirectory to make sure that all of the specified values match your environment. If you do make changes to any of these files, you should put them into some version control system. Any of the certificates that you create using the scripts can be imported into the DTK to allow Director to do the remote configuration. This makes a good check of the configuration process.
Also, you can take the UUID from the system that tried to get configured, and create a new conf.xml file specific to that system by making a copy of the default.conf.xml file and renaming it to
Regards,
Roger
REM ----------------------------------------------------------------------
REM The following environment parameters can be customized.
REM Note that they need to be coordinated with the appropriate
REM .conf.xml file in order to achieve properly working environment.
REM ----------------------------------------------------------------------
set CA_CRL_DISTRIBUTION_POINT=URI:http://crl.demoCA.com
set ZTC_CLIENT_CN=acme_app.intel.com
set ZTC_CLIENT_OU=Intel Client Setup Certificate
set PKCS12_PASSWORD=qwerty
set CAKEY=.\rootKey.pem
set CACERT=.\rootCert.pem
set CADIR=.\rootCA
set ZTCDIR=.\ZTC
set ZTCCERT=.\ZTC_cert.pem
set ZTCKEY=.\ZTC_key.pem
set FULLCHAIN=.\FullChain.pem
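An added example, not part of the original posts or of Intel's SDK: a Python check that reads the `set` variables from a batch excerpt like the one above and reports whether ZTC_CLIENT_CN falls under the DNS suffix given to USBFile.exe with -dns. The suffix-matching rule and all function names are assumptions for illustration, and the script text is constructed from the excerpt's demo values.

```python
import re

# Constructed input: variable lines from the batch excerpt, with the demo
# values it ships with.
DEMO_SCRIPT = r"""
REM The following environment parameters can be customized.
set ZTC_CLIENT_CN=acme_app.intel.com
set ZTC_CLIENT_OU=Intel Client Setup Certificate
set PKCS12_PASSWORD=qwerty
"""

SET_LINE = re.compile(r"^\s*set\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.IGNORECASE)


def parse_batch_vars(text):
    """Collect `set NAME=value` assignments, skipping REM comment lines."""
    found = {}
    for line in text.splitlines():
        if line.strip().upper().startswith("REM"):
            continue
        m = SET_LINE.match(line)
        if m:
            found[m.group(1).upper()] = m.group(2).strip()
    return found


def cn_matches_suffix(cn, dns_suffix):
    """Assumed rule: CN equals the suffix or ends with '.' + suffix."""
    cn = cn.strip().rstrip(".").lower()
    suffix = dns_suffix.strip().strip(".").lower()
    return bool(suffix) and (cn == suffix or cn.endswith("." + suffix))


def audit(script_text, dns_suffix):
    """Return a list of findings; an empty list means both checks passed."""
    v = parse_batch_vars(script_text)
    findings = []
    cn = v.get("ZTC_CLIENT_CN", "")
    if not cn_matches_suffix(cn, dns_suffix):
        findings.append(f"ZTC_CLIENT_CN '{cn}' is not under DNS suffix '{dns_suffix}'")
    if v.get("PKCS12_PASSWORD") == "qwerty":
        findings.append("PKCS12_PASSWORD is still the demo value")
    return findings


if __name__ == "__main__":
    # blr.novell.com is the -dns value from the USBFile.exe command in the question.
    for finding in audit(DEMO_SCRIPT, "blr.novell.com"):
        print("FINDING:", finding)
```

Running the same check before regenerating the certificates catches a CN left at the demo value, which is the mismatch this thread traces the TLS alert to.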
Hi Roger,
After changing the ZTC_CLIENT_CN variable in the checkztc.bat file, provisioning has gone through successfully. Thanks a lot for the help.
Thanks,
Periyasamy
Hi Periyasamy,
I'm glad that it's working for you now. Roger: Thanks for your help!