SCA's error dump

sohaib2y · ‎06-21-2007

hi all,

I am configuring an AMT machine in enterprise mode and using the sample SCA thats included with sdk, I did necessary configurations on amt machine and for SCA I started SCA and AMT machine, AMT machine connected to SCA, but it failed showing this response ...

------------- SCA's response ------------

Server listens on port 9971 for incoming connections.

Waiting for incoming connection...
[2007-06-21 10:01:15] Incoming Connection from 192.168.1.38:16994
Incoming data is:
Version: 2
Count : 0
UUID : 08D4CF80-FEBA-DB11-9335-00E01888972E
PID : DILL-TTEQ

reading configuration from default.conf.xml

>> starting soap call sequence
soap call: GetCoreVersion ok

AMT version: 2.0.5

soap call: GetPkiCapabilities ok

[PKI capabilities]
CrlStoreSize = 1424
RootCertMaxSize = 1500
RootCertMaxInstances = 4
FqdnSuffixMaxEntries = 4
FqdnSuffixMaxEntryLength = 50
CertChainMaxSize = 4100
SupportedKeyLengths = 1024,1536,2048
[PKI capabilities]

soap call: SetHostName ok
soap call: SetDomainName ok
soap call: SetPingResponse ok
soap call: SetProvisioningMode ok
soap call: SetRngKey ok
soap call: SetTLSKeyAndCertificate ok
soap call: GetLowAccuracyTimeSynch ok
soap call: SetHighAccuracyTimeSynch ok
soap call: EnumerateTrustedRootCertificates ok
- No trusted root certificates to delete
soap call: AddTrustedRootCertificate ok
soap call: SetCRL ok
soap call: SetTrustedFqdnCN ok
soap call: SetTlsOptions ok
soap call: EnumerateUserAclEntries ok
- No existing ACLs to remove
soap call: GetCoreVersion ok
Error: failed while calling SetPowerOptions
Status = 36
soap call: SetEnabledInterfaces ok
Errors in configuration process - skip changing admin ACL and/or changing PID/PP
S
1 Errors in configuration process - configuration failed
Warning: SetProvisioningParameters() failed

------------- SCA's response ------------

any clue about the problem. as u can see most of the calls are working, pid/pps were matched , power option failed ...

The "Developers guide to the sample setup and configuration application" says

"If an operational error occurs during the setup and configuration process, then Intel AMT needs to be returned to the Factory Mode by using the BIOS sub-menu Unprovision option"

The above mentioned error that occurred, does this error requires me to start this process again from factory mode ???

- Sohaib

Gael_H_Intel · ‎06-21-2007

Hi Sohaib,

I notice that you still have that very old firmware on your system. I beleive there has been 12 updates since what is on your system. You are runing an AMT 2.0 firmware against AMT 2.1 capabilities. It is possible that the power options that the SCA is trying to set were not there in AMT 2.0. I'm not 100% sure this is your problem, but you do need to get your system to the current version of firmware - there have been a lot of issues fixed since the version that you are running. (remember the first question we usually have for people is: What version of the firmware are you running? )

If you are getting a message saying that you need to return your system back to the Factory mode, then I would say you need to do that.

sohaib2y · ‎06-21-2007

Hi Holmes,

I removed those power setting tags in default.conf.xml file, now the thing worked.

If I upgrade the firmware, can I roll that back to this state ? Actually I cannot upgrade firmware, because then it 'll be necessary to upgrade that at deployment site in all machines .

I enabled ServerAuthentication not mutual, I want to see the certificates SCA gives to AMT machines, does SCA stores them locally ?

- Sohaib

virtual_walker · ‎06-22-2007

Hi!

I'm also working on a setup and configuration service that's more or less the same with SCA. I also encountered the same problem with the power settings. I think the value specified in the XML is incorrect. With regards to the certificates, SCA can use a pre-generated certificate or generate a new certificate. The Intel AMT SDK SetTLSKeyAndCertificate API asks for the key data and certificate chain data. The default filenames are cchain.raw and newkey.pem, which contains the certificate chain data and private key respectively. The file cchain.raw is generated by extracting information from the root certificate down to the certificate for the device. The root certificate is located in BinConfigurationCertGeneratorSecConfig.

To simply answer your question "does SCA stores them locally ?", yes, the certicates are stored locally. You may trace the *.bat files for the filenames.

// Pre-generated certificates

FileCertificate
CERTIFICATE_CHAIN_FILENAME
KEY_FILENAME

// To generate a new certificate

GenerateCertificate

sohaib2y · ‎06-24-2007

Hi,

I am not using pre-generated certificates, SCA is generating certificates, so I am using

GenerateCertificate

option.

I think it creates newcert.pem file for each AMT client, but I am unable to find that file, newkey.pem exists there.

I more thing, when multiple clients will be connecting with SCA/SCS, it will be serving them simultaneously, then it should create different filenames for certificate files, it looks to me that SCA/SCS does't store AMT client certificates in any directory for easy access, however we can modify the batch files to store them ?

Sohaib

virtual_walker · ‎06-25-2007

You are right, SCA creates those files. But you will not be able to see those files after executing SCA because they are deleted by calling "provend.bat". If you wanna see these files, you need to edit "configurationserver.cpp", comment out the line

if

(0 != ExecBatchScript("PROVEND.BAT", NULL, true,configPath.c_str()))

and recompile the code in order to prevent the execution of provend.bat.

SCA/SCS stores the certificates in specific directories in order to use them again when authenticating the server/AMT device.

hope this helps!