- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
I'm trying to use SOL/IDE-R in an Enterprise provisioned machine with TLS enabled (basic, not mutual) and I'm getting a Exception.
I'm able to see the asset information and to power up/down the machine (with EOI, NOT WsMan), but SOL/IDE-R does not work, so I'm sure it's not an access issue (cause the machine security certificate is added is the client trusted root certificate store and the user being used is admin).
The method which one returns the error is (AmtRedirectorWrapper.cs line 617):
r = IMR_SOLOpenTCPSession(clientId, login, data, IntPtr.Zero);
An the error is in r = IMRResult.IMR_RES_SOCKET_ERROR
Help!
Javier Andrs Cceres Alvis
Link Copied
- « Previous
-
- 1
- 2
- Next »
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Roger,
I have tried by repeating the provisionprocess but Director always gave a not expected name.
So at that point, I thinkcan not influence or change the way DIrector names machines.
Thanks a lot,
Javier Andrs Cceres Alvis
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very Important Note:If a serious operational error occurs during the setup and configuration process (for example, TLS is configured incorrectly because a certificate or private key was installed inadvertently, or a certificate replacement was performed that does not align with current keys), and the platform is then transitioned to Operational Mode, the Intel AMT device may not be accessible remotely. The Intel AMT device needs to be returned to the Factory Mode by using the BIOS sub-menu Unprovision option.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Javier - I just wanted to add on to my last post that I don't think you shouldchange your provisioning method - I was just thinking that looking at what the SCA sample is doing might help you/us understand what is actually happening and why Mutual Authentication isn't working.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Andy ,
If I use TLS basic I can access the Web UI but when I switch to TLS mutual it appears a window like the one shown in the attached picture and no matter which certificate I select, becasue it's always rejected (I have selected the root trust certificate and others I have created by deriving itbut they do not work). I'm running the RedirectorConfig.exe tool under the machine I'm developing, and this machine has nothing to do with the test domain or amt test machine. It is necesary to run the tool for example in the SCS server? (under the SCS user)
I actually can notconnect the amt machine by WebUI neither RedirectorConfig.exe.
Thanks a lot,
Javier Andrs Cceres Alvis
Javier,
The certificate that shows up in the image you attached, is that the one you created for mutual authentication? The machine you're running the tool or your code from should also have the certificate for mutual authentication, sincethat's how the AMT system is validating thatthe system has permission to connect. Every system thatwill be talking to AMT would needa cert in the mutual authentication case. You wouldn't necessarily need to runthrough the process on page 53 for each system, you could export the cert created from the CA into a file and import it in that manner (I can give you some more details here if you like).
You don't need to run the tool example on the SCS server, but I suggested it since I was guessing that's where you requested the cert from.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please see these steps I did with Director:
1-I created a Basic profile
2-I created a Key
3-I entered the key into BIOS
4-Director received the Hello message and provisioned the machine
5-I was able to connect to machine with Director, Commander (redirection) and WebUI.
1-I created created a root certificate and added it into windows trusted certificate store
2-I issued an all permissions certificate based on the root certificate
3-I issued a sub-ca certificate based on the root certificate
4-I created a server only TLS profile by selecting the certificate I created in (1) to be the issuer certificate and pushed it into machine:
5-Director configured the machine with the server only TLS profile correctly
6-I was able to connect to machine with Director, Commander (redirection) and WebUI.
1-I created a server + console TLS profile by selecting the certificate I created in (1-second round) to be the root trusted one and by I selecting the certificate I created in (1-second round) to be the issuer certificate. I finally entered the Director host machine FQDN name as the Trusted Certificate Names and pushed into machine
2-Director configured the machine with the server + console TLS profile correctly and it was able to connect only ONCE; as soon as I disconnected it and I tried to connect it again Director could not do it.
5-I was not able to connect to machine with Director, Commander.
6-When I tried to access the machine by its WebUI, IE browser prompted a window to choose one of the certificates I created in 1 or 2 (second round) but all of them were rejected.
I finally did all again with "streams events to file" option enabled for sending you but I don't know why Director and WebUI could connect to AMT machine after pushed the server + console TLS profile, so I went happily to run Commander and it could connect it, but when I clicked on the take control button I received the error what I have always received: "Serial-over-LAN error: IMR_RES_TLS_CONNECTION_FAILED" (see attached file).
Sweet bacause Director did not lose the connection as SCS did it
...and bad taste cause I do not why it "partially" worked if I have tried it before.
Javier Andrs Cceres Alvis
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1-I created a Basic profile (NO TLS)
2-I created a key
3-I manually entered the key into BIOS
4-SCS applied configuration correctly
5-I was able to acces the machine by the WebUI, commander (redirection) and my code.
Second round:
1-I created a Basic TLS profile (only server) by selecting a root certificate I created in MS Cert. Authority
2-I changed the machine profile to the new one
4-SCS applied configuration correctly.
5-I was able to access the machine by the WebUI (but only typing the FQDN in IE browser) and commander showed me connections warnings, so I could not redirect it. It's really important redirecting the machine by using its IP because for example in discovery event you do not have other info or the host name property in AMT Sytem object is returned as the same IP.
My code did not work for redirection and I got the same error which one I started this thread.
I was not able to perform the third round cause I was not able to complete the second one.
After working all day in this issue I can say that SCS and Director name security certificates a bit different. Director names them with IP address and SCS names them with FQDN. This can be a pain in the neck. I actually try to connect with Commander and it shows me connections warnings because of the "Connection name, DNS name, certificate name mismatch.".
Thanks a lot,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
-
The SCS is indeed only using the FQDN in the certificate. This is the most robust option. Using the IP address in a DHCP environment wouldn't make sense since the IP address may change. SCS requires DHCP.
-
It is common for the client software in a TLS handshake to require a match between the FQDN and the certificate CN from the endpoint it is negotiating with. The SCS behaves this way and most browsers do to although some will allow you to override this after displaying a security warning. To demonstrate this, try pointing your browser to https://www.wellsfargo.com and again to https://151.151.88.144. In the latter case, you should see a warning from your browser about the certificate only being valid for the URL and not the IP address (unless Wells Fargo's IP has changed). If you require the use of TLS and connections through IP addresses, your software will have to allow a mismatch but this practice has security implications.
Hope this helps.
Tom
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
-
The SCS is indeed only using the FQDN in the certificate. This is the most robust option. Using the IP address in a DHCP environment wouldn't make sense since the IP address may change. SCS requires DHCP.
-
It is common for the client software in a TLS handshake to require a match between the FQDN and the certificate CN from the endpoint it is negotiating with. The SCS behaves this way and most browsers do to although some will allow you to override this after displaying a security warning. To demonstrate this, try pointing your browser to https://www.wellsfargo.com and again to https://151.151.88.144. In the latter case, you should see a warning from your browser about the certificate only being valid for the URL and not the IP address (unless Wells Fargo's IP has changed). If you require the use of TLS and connections through IP addresses, your software will have to allow a mismatch but this practice has security implications.
Hope this helps.
Tom
Hello Tom,
I'm back again after holyday season.
I solved the redirection issue and I could find out the warnings you mentioned during the process; there were many things that made the problem happened but I'll discuss them in a next post, by the meanwhile I can say briefly that it was about certificate and settings.
Thanks a lot,
=)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Javier,
I am glad that you solved this problem - again - we would love to see your next post - or perhaps a blog? :-)
I'm going to close this thread - please open a new thread for new questions.
Thanks,
Gael
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Javier,
I am glad that you solved this problem - again - we would love to see your next post - or perhaps a blog? :-)
I'm going to close this thread - please open a new thread for new questions.
Thanks,
Gael
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- « Previous
-
- 1
- 2
- Next »