jacace
Black Belt

SCS mutual authentication error

Hi there,

I have created a profile with TLS mutual authentication enabled; this profile uses the same certificate to trust others and to issue new ones. The server where SCS is running is also the Certification Authority.

The problem is that I cannot connect to the machines I have applied this profile to; I mean, I can apply this profile to machines once, but then I cannot connect to any machine again (to execute operations or other actions). The only way to get it working again is by resetting to factory values. I suppose that the AMT machine does not trust the SCS Console and that's the reason why the SCS Console is not able to connect to it.

On the other hand, I think this error has to do with another one I'm having in code. In the next sample I get the trusted root certificates from SCS, then I load them into the client certificate collection and finally query the machine's Web Services to get the AMT version:

// Using directives the snippet needs (not shown in the original post).
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

NetworkCredential netCred = new NetworkCredential("admin", "admin", "amt");
ScsService.Service confSvc = new ScsService.Service();
XmlElement[] dummyOut;

confSvc.UseDefaultCredentials = true;
confSvc.PreAuthenticate = true;
confSvc.Credentials = netCred;
confSvc.Url = "https://tfsrtm.AMT.LOCAL/amtscs/mod_gsoap.dll?services";

// Proxy for the AMT device's own SOAP interface. The declaration was missing from the
// original snippet; the type is assumed from the stack trace posted later in this thread.
AmtService.SecurityAdministrationService infSvc = new AmtService.SecurityAdministrationService();
infSvc.Url = "https://<amt-device-fqdn>:16993/SecurityAdministrationService"; // placeholder FQDN
infSvc.Credentials = netCred;
infSvc.PreAuthenticate = true;

// Ask SCS for its trusted root certificates and push them into the CLIENT certificate
// collection of the AMT proxy. Note that a root certificate carries no private key, so it
// cannot be presented as a client certificate during the TLS handshake.
ScsService.CertTypeExResponse response = confSvc.GetTrustedRootCertificates(0, false, out dummyOut);
foreach (ScsService.CertTypeEx cert in response.certList)
{
    infSvc.ClientCertificates.Add(new X509Certificate2(cert.Certificate));
}

string amtVersion;
infSvc.GetCoreVersion(out amtVersion);

The last line throws a "The request was aborted: Could not create SSL/TLS secure channel." exception.
I tried this as a desperate solution because I previously added a certificate issued by the trusted certificate to the client certificates collection and got the same exception, so I made this test to make sure I'm loading the right certificates.

Thanks a lot

=)


Javier Andrés Cáceres Alvis

jacace
Black Belt

The error logged in SCS console says:
Error Configuring Intel AMT device: Failed to connect to configured Intel AMT device at FQDN INTELVPRO-DELL.AMT.LOCAL: AMT Connection Error: SOAP Error [26]: "getFullCoreVersion: SOAP Unknown error".
Thanks

jacace
Black Belt

Hi there! Here is more feedback.

I switched to Director for testing purposes.

I could provision and connect to the AMT machine in SMB and Enterprise mode with TLS enabled (server only, not mutual).

Then I created a new root certificate and a new profile to set the machine to TLS mutual; I could set the new profile but Director was not able to connect to the machine again, so I got the same errors.

I checked the debug information window and I saw the same error message:

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at SecurityAdministrationService.Invoke(String methodName, Object[] parameters)


Javier Andrés Cáceres Alvis

jacace
Black Belt

Hi there,
I'm still getting the same error and I actually have more feedback:
I fully un-provisioned the system and provisioned it again using Director.
My first step was to test the connection in SMB mode and everything worked OK.
Then I switched the system to Enterprise mode with mutual TLS and PSK.
The certificate I used to create the profile was one I created using Director.
After provisioning the machine I could see that Director issued a certificate for the AMT machine.
The profile trusts certificates issued by the same authority that issues its own.
Then I tried to connect and Director showed me warnings and this text: "Computer name, connection name, DNS name, Certificate name mismatch."
The point is that Director is in charge of discovering the machine and generating its certificate; when I try to connect a second time, Director is not able to. I also tried to change the computer name using Director but nothing happened.
My conclusion from this exercise is that the error is not due to certificates, because I tried with the ones created by Director and got the same result. I suspect that AMT is not able to authenticate itself using certificates (maybe because there is a mismatch between the computer name and the certificate attributes) and does not trust TLS-secured machines (I mean, it's not able to verify a client's identity by the client's certificate).
Thanks a lot and waiting for your reply,
Javier Andrés Cáceres Alvis

Andrew_S_Intel2
Employee

Javier,

For setting up TLS with the DTK, did you follow the process in the tutorial videos that are available on the same page where you download the DTK? I've found them useful before, and I know there are videos for both one touch and remote provisioning, as well as a video for setting up TLS. It's just at: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool..., scroll down a bit and look for the title Download Manageability Developer Tool Kit (DTK) Tutorial Videos and you can download a zip of all of them or stream them from the page.

Also, I have a method you can use to verify whether certificates are set up properly. If the WebUI is enabled, you should be able to connect to https:// :16993 and get the log-in page. You would only be able to connect from the system you installed the server-side certificate on. If you cannot connect via a browser, then sample code will not work from that system either.

Andrew_S_Intel2
Employee

Another question: when you were initially using SCS to do the provisioning in mutual authentication mode, you followed the steps on page 51 of the Installation guide, about Creating and Installing a Client Certificate Using a Standalone CA, correct? I'm assuming so, since you mentioned that the CA and SCS were on the same system. Something that isn't clear in the instructions unless you are familiar with OIDs is that in the OID field, the actual value you enter is 2.16.840.1.113741.1.2.1. The first part of the string before the comma indicates the client value; you only need to enter the part after the comma in the OID field. This certificate would be based on the steps in Appendix C on page 129 of the installation guide about setting up the template.
Edit: One correction, that is the remote certificate value. You do also have to enter the client certificate value separately. This is a standardized value, 1.3.6.1.5.5.7.3.2
jacace
Black Belt

Hello Andy,

I followed the steps to create and install a client certificate using an Enterprise CA (not standalone) and those steps do not mention anything about OIDs (page 53). I took into account the SCS user permissions and Active Directory considerations for these.

Thanks a lot,

Javier Andrés Cáceres Alvis

jacace
Black Belt

Hello Andy,

I followed other videos that I found on other sites but I'll do it again just to be sure.

After I set up the machine with basic TLS I can see the secure channel icon in my IE browser and I'm able to connect to the AMT machine.

But when I set it up in TLS mutual there is a popup window requesting a certificate, so I select the one I created after the trusted root certificate and nothing happens (I mean, there is no specific error, only an "Internet Explorer cannot display the webpage").

Thanks a lot,

Javier Andrés Cáceres Alvis

Andrew_S_Intel2
Employee

Javier,

After setting up the profile on the CA, are you creating a cert? It's important to note that this is done outside of SCS. For every system that needs to talk to AMT systems (including SCS), you'll need to follow the steps on page 53 to request a cert and get it installed on that system.

Luckily, there is a mechanism for checking certificates that are installed on a system. Bring up a command prompt on your SCS system, and type 'mmc'. This will bring up a Microsoft Management Console without any plugins. Click on the file dropdown, then select 'Add/Remove snap-in'. In the new window that comes up (Add Standalone Snap-in), there will be a Certificates snap-in. There are options for Local Computer and current user, you'll want to add both.

From the main mmc window, you can look in Personal->Certificates and Trusted Root Certification Authorities->Certificates. You should be able to find the certificate you created for MTLS on your SCS system in both categories. As long as the cert is part of the Local Computer certificates, you should be able to connect with any user. If it's only in the current user account, you should only be able to connect to the WebUI for the AMT system when logged in as that user.

Andy

Andrew_S_Intel2
Employee

I've attached pictures to show some of the important details of the mutual authentication certificate. In this case the certificate is in the Personal certificate store of the Current User, but it just as easily could be in the Personal certificate store of the Local computer (this would allow any user on that computer to connect to the AMT device). I blacked out the part of the machine FQDN that the cert was issued to, but the other details are there.

In the screenshots you can also see the Trusted Root certificate that is needed for basic TLS (and which the certificate for mutual authentication is based on). This is also in the Trusted Root Certificate Store (that's where it needs to be). The first screenshot shows what the certificate is intended for (this was actually put in by Director; if you're using SCS I believe you enter this data when setting up the template in the CA). It also shows the root certificate that the certificate was issued by.

The second screenshot is more important, it shows the two values that must be in the Enhanced Key Usage field. Those are the two I mentioned earlier in the thread, these were also in the instructions in the Installation guide for setting up the template.

Andy

jacace
Black Belt

Hello Andy

I have followed the guide in standalone CA mode (I was in Enterprise CA mode before).

I compared my "Enhanced Key Usage" Server Certificate field (picture 1.2) with yours and I do not have the "iAMT Console" value. I have instead an "Unknown Key Usage" value in it.

Please see my current certificates (I attached pictures of all of them).

Thanks a lot,

Javier Andrés Cáceres Alvis

Andrew_S_Intel2
Employee

Hmm, interesting. The cert shown in PIC1 is the cert that should work for mutual authentication, and assuming the Certificate Server is the same as the SCS, it should in theory be able to connect. It does show the appropriate extended information.

It took me some time to notice it, but that cert is shown as being valid from 12/4/2007 to 12/4/2008, which is rather strange since I'm assuming you issued this on 12/4 (when you submitted the pictures), and so the cert should be valid from 12/4/2008 to 12/4/2009. Could you check the clock in the BIOS on the AMT machine and the clock on the cert server/SCS and make sure they are the same? By default SCS should try to synchronize the AMT systems once every seven days, but it would be good to confirm. Once you are past the date on the cert, it would no longer be recognized as valid by the AMT machine, so that might be causing a problem. The certificate should show up as valid for a year from the date issued, and the date issued should match the current date.

If the times are in sync, and the current date is within the bounds of the certificate, and it still doesn't work, could you export the mutual authentication certificate (the one in PIC1) and send it to me so I can look at it in more depth? Other than that I'm not seeing anything wrong.
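The checks Andy walks through in this thread (both Enhanced Key Usage values, the validity window against the console's clock, and the FQDN the certificate was issued to) can be run over an exported console certificate rather than by eye in mmc. The following is an added example, not code from the thread or from Intel's tools; it uses Go's standard crypto/x509 and assumes the two OID values quoted above, and the main() runs it on a constructed certificate.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"time"
)

// "iAMT Console" EKU from the thread; Go has no constant for it, so a parsed cert lists it under UnknownExtKeyUsage.
var OIDAMTConsole = asn1.ObjectIdentifier{2, 16, 840, 1, 113741, 1, 2, 1}

// CheckAMTClientCert lists what the thread ends up verifying by hand in mmc: both EKU
// values, the validity window against the console's clock, and the FQDN it was issued to.
func CheckAMTClientCert(c *x509.Certificate, issuedTo string, now time.Time) []string {
	var problems []string
	clientAuth, console := false, false
	for _, eku := range c.ExtKeyUsage {
		clientAuth = clientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	for _, oid := range c.UnknownExtKeyUsage {
		console = console || oid.Equal(OIDAMTConsole)
	}
	if !clientAuth {
		problems = append(problems, "EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)")
	}
	if !console {
		problems = append(problems, "EKU lacks iAMT Console (2.16.840.1.113741.1.2.1)")
	}
	// A cert dated a year in the past, as in the thread, is already expired: compare BIOS and CA clocks.
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		problems = append(problems, fmt.Sprintf("date %s outside validity %s to %s",
			now.Format("2006-01-02"), c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02")))
	}
	if err := c.VerifyHostname(issuedTo); err != nil {
		problems = append(problems, "name mismatch: "+err.Error())
	}
	return problems
}

// CheckAMTClientCertDER runs the same checks on a DER (.cer) export of the console's certificate.
func CheckAMTClientCertDER(der []byte, issuedTo string, now time.Time) ([]string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	return CheckAMTClientCert(c, issuedTo, now), nil
}

func main() {
	// Stand-alone demo on a constructed certificate that carries no EKU at all.
	c := &x509.Certificate{DNSNames: []string{"scs.example.test"}, NotAfter: time.Now().AddDate(1, 0, 0)}
	fmt.Println(CheckAMTClientCert(c, "scs.example.test", time.Now()))
}
```

An empty result means none of the four findings applies; each string names the field to fix in the CA template or on the clocks.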

jacace
Black Belt

Hello Andy,

I'm back again after the holiday season.
I solved this issue; there were many things that made the problem happen, which I'll discuss in a next post, but I can say briefly that it was about certificate and settings.

Thanks a lot,

=)

Gael_H_Intel
Moderator

Hi Javier,
Welcome back from the Holidays. I'm so glad that you figured this one out. We would love to hear about what was happening so that we can help others in the future.

I'm going to go ahead and close this thread - let us know if you have more questions.

Gael