Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

Soap ssl auth problem

frichter
Beginner
595 Views
Hi,
I have done the SOAP connection to an AMT (vPro) system with PHP but I get an exception from SOAP:

Faultstring: Unauthorized
Faultcode: HTTP


My Code:
snip -----------------------------------------------
$client1 = new SOAPClient
(
    "http://SomewhereHost/java/EventManagerInterface.wsdl",
    array
    (
        'location' => "http://My_AMT_Host:16992/EventManagerService",
        'uri' => "http://schemas.intel.com/platform/client/Events/2004/01",
        'login' => "admin",
        'password' => "Password",
        'local_cert' => "IDontKnow.pem"
    )
);
snap --------------------------------------------------

Now I don't know which parameters I have to send with the SOAP connect, especially how I get a cert file or SSL key or something for my AMT host.

Can someone help me?


thx,
Frank Richter
0 Kudos
7 Replies
Sreelekshm_S_Intel
595 Views

Hi,

Could you specify which version of AMT and SDK you are using and how you have provisioned AMT - in SMB or Enterprise (with TLS or no-TLS)? If you are using TLS, you have to use https instead of http.

Also, can you access the WebUI of the AMT system?

Thanks,

Sree

0 Kudos
Ylian_S_Intel
Employee
595 Views

Hi.

If you connect using http://x.x.x.x:16992, you do not need a certificate. Only if the computer is set up for TLS will you need to connect using https://x.x.x.x:16993, and you need a certificate only if AMT is set up in mutual-authentication mode. I suggest everyone start without using TLS since it's much simpler.

Make sure your vPro computer works well otherwise, Intel AMT web page can be accessed, etc. I never tried it with PHP, but it's generally quite simple.

Ylian (Intel AMT Blog)

0 Kudos
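The three connection modes Ylian describes above, expressed as PHP SoapClient options. This is an added example, not part of the thread or of the Intel SDK; `amt_soap_options()` is a hypothetical helper, the host, credentials and file paths are placeholders, and the Digest authentication setting is an assumption the thread does not state.

```php
<?php
// Added example, not from the thread or the Intel SDK. amt_soap_options() is a
// hypothetical helper; host, credentials and file paths are placeholders.
function amt_soap_options(string $host, string $mode, string $user, string $pass,
                          ?string $caFile = null, ?string $clientPem = null): array
{
    if (!in_array($mode, ['none', 'tls', 'mutual'], true)) {
        throw new InvalidArgumentException("unknown mode: $mode");
    }
    $tls  = ($mode !== 'none');
    $opts = [
        // Ports as given in the thread: 16992 for http, 16993 for https.
        'location' => sprintf('%s://%s:%d/EventManagerService',
                              $tls ? 'https' : 'http', $host, $tls ? 16993 : 16992),
        'uri'      => 'http://schemas.intel.com/platform/client/Events/2004/01',
        'login'    => $user,
        'password' => $pass,
        // Assumption (not stated in the thread): AMT expects HTTP Digest,
        // while SoapClient sends Basic unless told otherwise.
        'authentication' => SOAP_AUTHENTICATION_DIGEST,
    ];
    if ($tls) {
        if ($caFile === null) {
            throw new InvalidArgumentException('TLS modes need the CA file that signed the AMT certificate');
        }
        // Verify the AMT server certificate instead of accepting any peer.
        $opts['stream_context'] = stream_context_create(['ssl' => [
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'cafile'           => $caFile,
        ]]);
    }
    if ($mode === 'mutual') {
        if ($clientPem === null) {
            throw new InvalidArgumentException('mutual authentication needs a client certificate');
        }
        // PEM file holding the client certificate and its private key.
        $opts['local_cert'] = $clientPem;
    }
    return $opts;
}

// No-TLS provisioning: no certificate option at all.
$plain  = amt_soap_options('amt-host.example', 'none', 'admin', 'Password');
// Mutual-authentication provisioning: the only mode that sets local_cert.
$mutual = amt_soap_options('amt-host.example', 'mutual', 'admin', 'Password',
                           '/path/to/ca.pem', '/path/to/client.pem');
echo $plain['location'], "\n", $mutual['location'], "\n";
echo isset($plain['local_cert']) ? "cert\n" : "no cert\n";
```

The returned array is meant to be passed as the second argument to SoapClient, with the SDK's WSDL as the first; the script needs PHP's soap extension for the SOAP_AUTHENTICATION_DIGEST constant.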
frichter
Beginner
595 Views
Hi,
I'm using an Intel DQ965GF board with AMT 2.1 and, as far as I know, without TLS. I can access the WebUI and log in and so on. I have seen my mistake: connecting with https without TLS enabled.
But if I try to connect over http, how do I log on to the system? Must I use a WSDL file to connect to an AMT over SOAP?

Can you put a little sample code in there, please? (C#, Java or PHP)

Thx again,
Frank
0 Kudos
Sreelekshm_S_Intel
595 Views

Hi,

The sample code is available in the SDK under the WindowsIntel AMT SDKSamples folder. There are also samples in the Linux folder.

Thanks,

Sree

0 Kudos
Ylian_S_Intel
Employee
595 Views
The SDK sample is good; if you want to code very quickly in C#, I suggest looking at the IAmtCmd.exe sample in the Intel AMT DTK source code. The Intel AMT DTK makes use of the C# AMT stack that is pretty easy to use, but is not well documented like the SDK. In the DTK, you create an AmtSystem object with host, username and password and call the Connect method on it to get it connected. It will automatically detect TLS if needed.

Ylian (Intel AMT Blog)
0 Kudos
frichter
Beginner
595 Views
Hi Ylian!
Sure, the code is good, but not well documented ;) And I am not a good programmer, but a "softwaretechnologe" (I don't know if it's called that in English too). I can understand a UML design or some class diagrams well, but I am not good at refactoring source code. *sadly* That's why I came to a dead end by reading the source code only.
So I wanted to build a simple connection by myself, without using code I don't understand.

I will try to work with the amtcmd code again, but I would be happy if you had some more help in understanding the basics of connecting to an AMT system.

Thx,
Frank


[edited by: frichter@datom.de at 1:15 AM (GMT -8) on Wed, Aug 22 2007]
PS: The code in AMTcmd I understand, but I am trying to understand the code from the AMTremote stack to redesign it in Java or PHP, you know? And that is where my knowledge comes to an end.
0 Kudos
Gael_H_Intel
Moderator
595 Views

Hi - have you checked out the Errata doc that we posted where the SDK can be downloaded? Below is a snippet from it and it has to do with ssl_auth_init...

2. Intel AMT devices that have crypto hardware disabled use the NULL-SHA1 cipher suite. The Setup and Configuration Application (SCA) sample uses this cipher suite when performing setup using TLS-PSK. The Remote Configuration (PKI) flow does not support NULL-SHA1.

If you need to use the Remote Configuration flow to configure a machine with crypto hardware disabled, edit the file stdsoap2.cpp, located in the folder WindowsIntel AMT SDKThirdPartygSOAP, by adding the following two emphasized lines to the beginning of the ssl_auth_init() function (which starts at line 2864).

static int
ssl_auth_init(struct soap *soap)
{ if (!ssl_init_done)
    soap_ssl_init();
  if (!soap->ctx)
  { if (!(soap->ctx = SSL_CTX_new(SSLv23_method())))
      return soap_set_receiver_error(soap, "SSL error", "Can't setup context", SOAP_SSL_ERROR);
  }
  /* The two lines added per the Errata: append the NULL (no-encryption)
     cipher suites to the default cipher list. */
  if(!SSL_CTX_set_cipher_list(soap->ctx,"DEFAULT:NULL"))
    return SOAP_FATAL_ERROR;
  if (soap->randfile)
  { if (!RAND_load_file(soap->randfile, -1))
      return soap_set_receiver_error(soap, "SSL error", "Can't load randomness", SOAP_SSL_ERROR);
  }
}

After changing the code, rebuild the SCA sample.

0 Kudos