I am doing SOL Redirection in Enterprise Mode. Does anybody know how to create the certificate to be passed to IMR_SetCertificateInfo() using the AMT SDK? I tried the below:
IMR_SetCertificate( "cchain.raw", "newkey.pem", NULL) , returns IMR_RES_OK
ClientType ConnectionType = CLI_TLS;
IMR_AddClient( ConnectionType, (char*)sIP.GetBuffer(), NULL), returns IMR_RES_OK
but IMR_SOLOpenTCPSession() returns IMR_RES_TLS_CONNECTION_FAILED.
What is the relationship between the certificates used during Enterprise configuration (cchain.raw & newkey.pem) of the AMT device and the one passed in IMR_SetCertificate() for SOL Redirection? Or do they have any relationship at all?
Please guide me; I am a newbie to internet security, but I know how SSL/TLS works.
Thanks for your question on the forum. Before we get into why the TLS connection failed, I would like to know about your environment. What version of AMT firmware is it, is it configured in enterprise mode, and if you are using TLS, are you using TLS server authentication or TLS mutual authentication?
If you are using TLS, can you make sure you can connect to the webUI of AMT? The error code clearly indicates there is a problem with the certificate setup. I would highly recommend you read section "3.1.5 Secure session support" in the Redirection Library Design Guide.pdf that can be found in the SDK.
I am using Windows XP Pro SP2. The AMT firmware version is 126.96.36.1991. Yes, I've successfully configured it in Enterprise Mode through remote configuration. In fact, I've successfully done remote control commands like reset, shutdown and power up in Enterprise mode. And I'm using TLS server authentication for its security. And yes, I can connect to the remote AMT device using both the webUI and AMT Commander.
Actually, I just picked up the cchain.raw and newkey.pem certificates generated using the batch files used by the sample SCA. I have seen other certificates like newreq.pem and newcert.pem, and those found in the rootCA and subCA folders. But I am not sure which one of those certificates is to be used in SOL server authentication.
And yes, the first thing I did was read the user guide for the Redirection Library, particularly Section 3.1.5. It says: "In order to perform the verification, the library must be provided with trusted Certificate Authority (CA) certificates that were used to sign the SSL server-provided certificate." My problem is that I don't know which one of those certificates I found is to be supplied to the library in order to perform server authentication.
IMR_SetCertificateInfo("????", NULL, NULL);
I tried placing newcert.pem/der and cacert.pem/cer as the first parameter for IMR_SetCertificateInfo(), and it returns OK. But IMR_SOLOpenTCPSession() still returns IMR_RES_TLS_CONNECTION_FAILED.
Hoping for your help and thank you very much,
Thanks for all of the information. Since you have configured AMT with TLS server authentication, you have basically installed a server certificate in AMT signed by your trusted root certificate. In order for you to authenticate with AMT, you must have installed the trusted root certificate into your cert store. The trusted root certificate that was installed needs to be used for the redirection application. The SubCA is there only to request a certificate on behalf of the AMT device.
Hope this helps.
For demo purposes, I just used the certificates generated using the sample ConfigurationServer. Are you saying that I need to install the trusted root certificate where I am running my configuration server? In my case, where I used the demo CA certificates, which is the trusted root certificate? Is it cacert.pem or newcert.pem? I need to know which file is to be passed as the first parameter for IMR_SetCertificateInfo().
You have to use the cacert.pem (trusted root CA) that signed the AMT web server certificate for TLS server authentication. When you connect through the web UI, do you get any message about the trusted certificate not being in your certificate store? If yes, in the same warning window you can see an option to view the AMT certificate. You can look at the chain of certificates and figure out which trust root to install or pass to the IDE-R application. I need to see the AMT certificate and the CA certificate to let you know if there is any problem.
Talking about certificates, I found in AMT Director.exe that there's a section "Certificate Manager" wherein you can create a root certificate and issue new certificates.
I would just like to ask what type of certificate is generated by the "Create Root Certificate.." button; is it the Trusted CA certificate? Can I use this to generate the certificate to be passed as the 1st parameter in IMR_SetCertificateInfo()?
And also for the "Issue New Certificate.." button, kindly explain to me the usage of each Certificate Type option, namely "Sub-CA Certificate", "Intel AMT Remote Console Certificate", "Intel AMT Local Agent Certificate", "Intel AMT Remote Configuration Certificate" and "All Permissions Certificate".
Btw, do I need to install a different server certificate in the AMT-enabled terminal that is specialized only for Redirection? During setup and configuration, the chain certificate (containing newcert.pem and subcacert.pem) and newkey.pem are passed. And I think it is signed by cacert.pem (Trusted CA), right? But passing cacert.pem to the Redirection lib still returns a TLS connection failure when calling the API for opening a SOL session.
I just reviewed my own source code in the DTK to try to answer this. From what I know, the call to IMR_SetCertificate() will last for all connections to SOL and IDE-R until you change the values with another IMR_SetCertificate() call. It has no relation with AddClient, and AddClient does not store any information about the certificate (that I know of).
The first parameter of the certificate chain is the list of trusted root certificates in PEM format. In the DTK, I just take all of the certificates in the trusted store of the Microsoft Certificate Store and convert them into a single PEM file I feed into the first argument.
The second argument is a PEM encoded certificate file with both public and private portions of the certificate. It should look like:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
I make calls to OpenSSL to make the certificate conversion. This second parameter is only useful if you use Mutual-authentication. I don't recommend you start with that configuration, it's much more difficult.
Also, one more thing that could cause problems. The name you use to connect to the computer must match the name that is in the certificate of the Intel AMT computer. So if the computer certificate is "foo.domain.com", you can't use "188.8.131.52" to connect to it, it will fail. You have to use the same name.
Ylian (Intel AMT Blog)
Ok, about Intel AMT Director. The first parameter of SetCertificateInfo() is a list of trusted root certificates. When you run Intel AMT Commander, it creates the file and leaves it there; its name is "Trusted Root Certificates.pem", and that is what I pass in the first parameter. It's the public key of all trusted root certificates. If you create a new root certificate in Director and add it to the list of trusted certificates, it will be added to this list the next time Commander starts.
Once you have created a root certificate using Intel AMT Director, you can issue new certificates from that root. You don't really need to use any of these unless you use Remote Configuration or Mutual-Authentication.
A sub-CA certificate is like a sub-root certificate. A local agent certificate is used when mutual-authentication is used on the agent side (When Intel AMT Outpost would need a certificate to log into AMT). A console certificate is when the console requires mutual-authentication (When Intel AMT Commander needs a certificate). A remote configuration certificate is for AMT 3.0 setup, and an "All Permission Certificate" has all of the options of all previous certificates enabled. Again, you should not need to use these unless you perform advanced usages.
Minimally, to perform TLS you need to put a certificate into Intel AMT, then pass the root certificate that signed the Intel AMT certificate as the first argument of SetCertificateInfo(). Also, the connection name must match the certificate name and the AMT certificate must not be expired.
Ylian (Intel AMT Blog)
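The three conditions Ylian lists (a trust anchor that signed the AMT certificate, a connection name matching the certificate, a certificate that is still valid) can be checked outside the redirection library with openssl. The script below is an added example, not Intel SDK or DTK code: it builds a constructed root -> sub-CA -> host chain named after the demo files in this thread (cacert.pem, subcacert.pem, newcert.pem, plus a DER copy cacert.cer), assumes a POSIX shell with the openssl command-line tool on the path, and uses a constructed host name; the IP address is the one from the reply above.

```shell
#!/bin/sh
# Added example (not Intel SDK/DTK code): build a constructed demo chain named after the
# thread's files and check with openssl what the TLS client checks during server authentication.
set -e
WORK=$(mktemp -d)
cd "$WORK"
AMT_HOST=hostname.corp.companyname.com   # constructed AMT host name, the name you connect with
# issue_cert NAME SUBJECT EXTFILE [ISSUER_CERT ISSUER_KEY]; self-signed when no issuer is given
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial -days 365 \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$AMT_HOST" > amt.ext
issue_cert cacert    "/CN=IAMT root CA demo"  ca.ext                               # trusted root
issue_cert subcacert "/CN=IAMT sub CA demo 2" ca.ext  cacert.pem    cacert.key     # sub-CA
issue_cert newcert   "/CN=$AMT_HOST"          amt.ext subcacert.pem subcacert.key  # AMT cert
openssl x509 -in cacert.pem -outform DER -out cacert.cer   # DER copy, as exported from Windows
# build_trusted_roots OUT CERT...: normalise PEM or DER roots into one PEM bundle, the shape
# of the DTK's "Trusted Root Certificates.pem" (first argument of IMR_SetCertificateInfo).
build_trusted_roots() {
  out=$1; shift; : > "$out"
  for c in "$@"; do
    openssl x509 -in "$c" 2>/dev/null >> "$out" || openssl x509 -inform DER -in "$c" >> "$out"
  done
}
# verify_redirection_tls ROOTS AMT_CERT INTERMEDIATES NAME: chain must end at a root in ROOTS,
# validity dates must hold, and NAME must match the certificate (SAN/CN). Exit 0 on success.
verify_redirection_tls() {
  openssl verify -CAfile "$1" -untrusted "$3" -verify_hostname "$4" "$2" >/dev/null 2>&1
}
build_trusted_roots roots.pem cacert.cer
# Correct anchor vs. the sub-CA as anchor; host name vs. the IP address from the thread.
for roots in roots.pem subcacert.pem; do
  for name in "$AMT_HOST" 188.8.131.52; do
    if verify_redirection_tls "$roots" newcert.pem subcacert.pem "$name"; then
      echo "roots=$roots name=$name: server authentication succeeds"
    else
      echo "roots=$roots name=$name: handshake would fail"
    fi
  done
done
```

Only the combination of the root bundle and the certificate's own host name passes; anchoring on the sub-CA or connecting by IP address fails, which is the situation the library reports as a TLS connection failure.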
You've said that in your DTK code you just take all of the certificates in the trusted store of the Microsoft Certificate Store. Does it mean that if I have the correct trusted root certificate installed, it will be included in Trusted Root Certificates.pem when starting AMT Commander? Assuming the answer is yes, I tried using the same file you've used in the DTK (Trusted Root Certificates.pem) as the 1st parameter for IMR_SetCertificateInfo, but opening a SOL session over a TLS connection still fails. Maybe I am wrong with the making of the certificates. Please correct me on the steps I've done below.
Here is actually what I did when generating demo certificates using the batch files that the sample SCA provides; these are numbered accordingly. These files are in the ConfigurationCertGeneratorSecScripts folder of the SDK.
1. Edited the certgen.bat file to set my own
UUID = equal to the UUID sent by the AMT device during configuration. Is this really unique for different client AMT devices? Is this based on the PID-PSS pair? I see it in the certificate details tab under the Subject field as the CN value; how important is this for the certificates? Is it really needed that the certificate installed in the AMT device has the same UUID as the UUID in the certificate?
HOSTNAME = hostname of the computer where the AMT device is installed, is this correct? I also tried the hostname of the configuring server, and the webUI still works. But which one is needed to run SOL/IDER over a TLS connection?
DOMAIN= domain name like corp.company.com
RSA_KEY_BITS = set to 2048 bits since I use AMT 2.0, is this correct?
2. Run clean.bat, which deletes the old certificate files.
3. Run checkca.bat, which creates the subCA and rootCA folders with files.
4. Run gencertchain.bat, which generates the cchain.raw file. For CertChainBuilder.exe, I only provide 2 certificates, newcert.pem and the subCA's subcacert.pem. Do I have to include the rootCA's cacert.pem in the certificate chain?
The OUTPUT files cchain.raw and newkey.pem are used in LoadAMTCertificateAndKey() and work fine. I successfully configured the AMT device, I can use the webUI remote control functionalities and I can remotely restart and power on/off the terminal with the AMT device using my own SCA. Only in the webUI, I always get a certificate warning. From that pop-up warning dialog box, I viewed the certificate and installed it in the Trusted Root Certification Authorities store. But the certificate warning still pops up every time I open the webUI. That certificate sent by the AMT device is newcert.pem, right?
The certification path of that certificate in the warning is:
IAMT root CA demo -> IAMT sub CA demo 2 -> HostName.corp.companyname.com
I also tried installing the root CA demo (cacert.cer), followed by subCA demo 2 (subcacert.der) and the server certificate (newcert.der). After installing these certificates, I ran AMT Commander and yes, I found the IAMT root CA demo in Trusted Root Certificates.pem. But using Trusted Root Certificates.pem as the 1st parameter for IMR_SetCertificate() still fails when opening a SOL session. And the webUI certificate warning still appears.
May I know how you created Trusted Root Certificate.pem, I mean the openssl command? I am not so familiar with openssl; your help would greatly lessen my research time on openssl.
One more silly question: is it possible in an Enterprise Mode setup to use No Authentication for both the LocalInterface and NetworkInterface during SOAP SetTLSOptions()? That way I can avoid the hassle of using certificates, because I am sure that my targeted environment is safe and isolated.
Thank you very much.