Hi there,
I have created a profile with TLS mutual authentication enabled; this profile uses the same certificate to trust in others and to issue new ones. The server where SCS is running is the same Certification Authority.
The problem is that I can not connect to machines I have applied this profile to; I mean, I can apply this profile to machines once, but then I can not connect to any machine again (for executing operations or other actions). The only way to get it working again is by resetting to factory values. I suppose that the AMT machine does not trust the SCS Console and that's the reason why SCS Console is not able to connect to it.
On the other hand, I think this error has to do with another one I'm having in code. In the next sample I get the trusted root security certificates from SCS, then I load them into the client certificate collection and I finally query the machine Web Services to get the AMT version:
```csharp
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// Credentials for the SCS web service (values as posted).
NetworkCredential netCred = new NetworkCredential("admin", "admin", "amt");
ScsService.Service confSvc = new ScsService.Service();
XmlElement[] dummyOut;
confSvc.UseDefaultCredentials = true;
confSvc.PreAuthenticate = true;
confSvc.Credentials = netCred;
confSvc.Url = "https://tfsrtm.AMT.LOCAL/amtscs/mod_gsoap.dll?services";

// Ask SCS for the trusted root certificates it has configured.
ScsService.CertTypeExResponse response =
    confSvc.GetTrustedRootCertificates(0, false, out dummyOut);

// infSvc is the AMT web service proxy for the target machine (created earlier, not shown).
// Each root certificate returned by SCS is added to the proxy's client certificate collection.
foreach (ScsService.CertTypeEx cert in response.certList)
{
    infSvc.ClientCertificates.Add(new X509Certificate2(cert.Certificate));
}

string amtVersion;
infSvc.GetCoreVersion(out amtVersion); // this call throws the exception below
```
The last line throws a "The request was aborted: Could not create SSL/TLS secure channel." exception.
I tried this as a desperate solution because I previously added a certificate issued by the trusted certificate to the client certificates collection and I got the same exception, so I made this test to ensure I'm loading the right certificates.
Thanks a lot
=)
Javier Andrés Cáceres Alvis
Hi there! Here is more feedback.
I switched to Director for testing purposes.
I could provision and connect to the AMT machine in SMB and Enterprise with TLS enabled (server only, not mutual).
Then I created a new root certificate and a new profile to set the machine in TLS mutual; I could set the new profile but Director was not able to connect again to the machine, so I got the same errors.
I checked the debug information window and I saw the same error message:
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at SecurityAdministrationService.Invoke(String methodName, Object[] parameters)
Javier Andrés Cáceres Alvis
Javier,
For setting up TLS with the DTK, did you follow the process in the tutorial videos that are available on the same page where you download the DTK? I've found them useful before, and I know there are videos for both one touch and remote provisioning, as well as a video for setting up TLS. It's just at: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit, scroll down a bit and look for the title Download Manageability Developer Tool Kit (DTK) Tutorial Videos and you can download a zip of all of them or stream them from the page.
Also, I have a method you can use to verify whether certificates are setup properly. If the webUI is enabled, you should be able to connect to https://
Hello Andy,
I followed the steps to create and install a client certificate using Enterprise CA (not stand alone) and those steps do not mention anything about OID (page 53). I took into account the SCS user permissions and Active Directory considerations for these.
Thanks a lot,
Javier Andrés Cáceres Alvis
Hello Andy,
I followed other videos that I found on other sites but I'll do it again just to be sure.
After I set up the machine to have TLS basic I can see in my IE browser the secure channel icon and I'm able to connect to the AMT machine.
But when I set up TLS mutual there is a popup window requesting a certificate, so I select one I created after the trusted root certificate and nothing happens (I mean, there is no specific error, only an "Internet Explorer cannot display the webpage").
Thanks a lot,
Javier Andrés Cáceres Alvis
Javier,
After setting up the profile on the CA, are you creating a cert? It's important to note that this is done outside of SCS. For every system that needs to talk to AMT systems (including SCS), you'll need to follow the steps on page 53 to request a cert, and get it installed on that system.
Luckily, there is a mechanism for checking certificates that are installed on a system. Bring up a command prompt on your SCS system, and type 'mmc'. This will bring up a Microsoft Management Console without any plugins. Click on the file dropdown, then select 'Add/Remove snap-in'. In the new window that comes up (Add Standalone Snap-in), there will be a Certificates snap-in. There are options for Local Computer and current user, you'll want to add both.
From the main mmc window, you can look in Personal->Certificates and Trusted Root Certification Authorities->Certificates. You should be able to find a certificate you created for MTLS on your SCS system, in both categories. As long as the cert is part of the Local Computer certificates, you should be able to connect with any user. If it's only in the current user account, you should only be able to connect to the WebUI for the AMT system when logged in as that user.
Andy
In the screenshots you can also see the Trusted root certificate that is needed for basic TLS (and which the certificate for mutual authentication is based on). This is also in the Trusted Root Certificate Store (that's where it needs to be). The first screenshot shows what the certificate is intended for (this was actually put in by the Director; if you're using SCS I believe you enter this data when setting up the template in the CA). It also shows the root certificate that the certificate was issued by.
The second screenshot is more important, it shows the two values that must be in the Enhanced Key Usage field. Those are the two I mentioned earlier in the thread, these were also in the instructions in the Installation guide for setting up the template.
Andy
Hello Andy
I have followed the guide in stand alone CA mode (I was before in Enterprise CA).
I compared my "Enhanced Key Usage" Server Certificate field (picture 1.2) with yours and I do not have the "iAMT Console" value. I have instead an "Unknown Key Usage" value in it.
Please see my current certificates (I attached pictures of all).
Thanks a lot,
Javier Andrés Cáceres Alvis
Hmm, interesting. The cert shown in PIC1 is the cert that should work for mutual authentication, and assuming the Certificate Server is the same as the SCS, it should in theory be able to connect. It does show the appropriate extended information.
It took me some time to notice it, but that cert is shown being valid from 12/4/2007 to 12/4/2008, which is rather strange since I'm assuming you issued this on 12/4 (when you submitted the pictures), and so the cert should be valid from 12/4/2008 to 12/4/2009. Could you check the clock in the BIOS on the AMT machine, and the clock on the cert server/SCS and make sure they are the same? By default the SCS should try to synchronize the AMT systems once every seven days, but it would be good to confirm. Once you are past the date on the cert, it would no longer be recognized as valid by the AMT machine, so that might be causing a problem. The certificate should show up as valid for a year from the date issued, and the date issued should match the current date.
If the times are in sync, and the current date is within the bounds of the certificate, and it still doesn't work, could you export the mutual authentication certificate (the one in PIC1) and send it to me so I can look at it in more depth? Other than that I'm not seeing anything wrong.
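The checks Andy walks through in this thread (a client cert in the Local Computer Personal store, both required Enhanced Key Usage values present, validity dates matching the current clock, chain to the pushed root) can be run in code from the console side before any AMT call is attempted. This is an added example, not code from the thread or from the SCS/DTK; the "iAMT Console" OID value is an assumption from memory that should be confirmed against the template in the Installation guide, and the private-key check is there because a root certificate fetched from SCS carries no private key and so cannot be presented as a TLS client certificate.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class MtlsClientCertCheck
{
    // Standard Client Authentication EKU.
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";
    // ASSUMED value for the "iAMT Console" EKU; verify against the CA template.
    const string IamtConsoleOid = "2.16.840.1.113741.1.2.1";

    // Walks Local Computer\Personal (what mmc shows under Local Computer) and
    // returns the first usable MTLS console cert, or null after logging rejections.
    public static X509Certificate2 FindConsoleCert()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            foreach (var cert in store.Certificates)
            {
                string reason;
                if (IsUsable(cert, DateTime.Now, out reason)) return cert;
                Console.WriteLine("Rejected {0}: {1}", cert.Subject, reason);
            }
            return null;
        }
        finally { store.Close(); }
    }

    // 'now' is the SCS clock; the AMT BIOS clock must agree or AMT will still
    // reject a cert that passes here.
    public static bool IsUsable(X509Certificate2 cert, DateTime now, out string reason)
    {
        if (!cert.HasPrivateKey) { reason = "no private key (root/CA cert?)"; return false; }
        if (now < cert.NotBefore || now > cert.NotAfter)
        {
            reason = string.Format("outside validity {0:d} to {1:d}", cert.NotBefore, cert.NotAfter);
            return false;
        }
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        var oids = eku == null ? new string[0]
                               : eku.EnhancedKeyUsages.Cast<Oid>().Select(o => o.Value).ToArray();
        if (!oids.Contains(ClientAuthOid)) { reason = "EKU lacks Client Authentication"; return false; }
        if (!oids.Contains(IamtConsoleOid)) { reason = "EKU lacks iAMT Console"; return false; }
        // Must chain to a trusted root, i.e. the root SCS pushed into the AMT machine.
        var chain = new X509Chain();
        if (!chain.Build(cert)) { reason = "chain does not build to a trusted root"; return false; }
        reason = "ok";
        return true;
    }
}
```

The certificate returned by FindConsoleCert is the one to put in the web service proxy's ClientCertificates collection; a null result with the printed reasons tells you which of Andy's checks failed.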
I'm back again after the holiday season.
I solved this issue; there were many things that made the problem happen, which I'll discuss in a next post, but I can say briefly that it was about certificate and settings.
Thanks a lot,
=)
Hi Javier,
Welcome back from the holidays. I'm so glad that you figured this one out. We would love to hear about what was happening so that we can help others in the future.
I'm going to go ahead and close this thread. Let us know if you have more questions.
Gael