Re: SSL authentication failed attempting to remote configure

frank_monroe · ‎02-07-2008

Hello,

We are trying to user Remote Configuration without using a USB key. I believe that I have followed the instructions were I have obtained a certificate from Verisign and have used the loadcert tool to enter the certificate into the registry. However, when our systems try to provision we receive the following error in the SCS log:

Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL error - SSL authentication failed in tcp_connect(): check password, key file, and ca file..

Any ideas? Our AMT clients are version 2.6. The SCS server is version 3.3.

Thanks!

Sreelekshm_S_Intel · ‎02-07-2008

Hi,

We haven't seen this error before. We have forwarded this to SCS support. Will get back to you as soon as we hear from them.

Thanks,

Sree

Ylian_S_Intel · ‎02-08-2008

Hi. I never used SCS, I am the author of the Intel AMT DTK. I just know a few things about remote configuration. Check the following:

If you previously changed the MEBx password on that computer, SCS will need to know that new MEBx password.
Make sure that from any computer in your network, you can ping the SCS computer with the exact name that is in your verisign certificate. Also, Intel AMT will perform a reverse DNS lookup and see the DNS is reporting that the server computer's name is exactly equal to the verisign certificate you are using. So make a reverse DNS lookup to make sure.
Check that the verisign certificate is in fact signed with a root certificate that is trusted by Intel AMT. The certificate that signed your certificate must have a hash that is trusted by Intel AMT.
Check that your certificate contains the correct certificate key usage for Intel AMT remote provisioning. It should contain a key usage OID: "2.16.840.1.113741.1.2.3" or OU = "Intel Client Setup Certificate". If your Verisign certificate does not contain his, it will be rejected.

Hope this helps,
Ylian (Intel AMT Blog)

frank_monroe · ‎02-08-2008

Thanks for your response. These are all brand new units so I do not belive the password is the issue. I have also verified that the password is set to the default (without changing it). I have also verified that the system ins pingable with the correct FQDN and that reverse lookup returns the same name. The certificate does have an OU that is set to "Intel Client Setup Certificate".

The only remaining item is to verify that my Verisgn certificate is signed with a root that is trusted by Intel AMT. I'm not sure how to verify this. Any guidelines?

Sreelekshm_S_Intel · ‎02-11-2008

Hi,

Are you using TLS encryption?

Could you make sure that the RCFG certificate is imported with its private key to both local computer certificate store and SCS service user certificate?

Also,we need SCS dev log. In order to turn on the one you should do the follow:

In the registry HKEY_LOCAL_MACHINESOFTWAREIntelAMTConfServerLOG create new create new string value "LogLevel" with value data V.

It should create 2 files: scs_server.log and scs_win_server.log in root directory

Please capture the error and send it to us with machine name.

Thanks,

Sree

frank_monroe · ‎02-14-2008

I have set the logging as you listed. However, only one of the two files were produced. Here is the scs_server.log. By machine name are you asking for the machine name of the server or an example AMT client that fails?

bdunayex · ‎02-16-2008

Frank,

Please make sure that you imported the RCFG certificate not only into local computer certificate store, but into SCS service user account certificate store also

Regards

Boris Dunayevsky in behalf of SCS Support

frank_monroe · ‎02-20-2008

Even after adding the certificate to the service account certificate store the problem still persists.