Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

TLS-PSK with Java

George_V_
Beginner
Hi,

I am trying to implement an SCS using Java and am not sure how to open a connection using TLS-PSK to provision the device. I have read in other posts that others had similar problems with C# and the solution was to invoke an executable that did a similar job to the configuration server that uses OpenSSL. Is it possible to make this work with Java, or is this something supported just with OpenSSL?


Ylian_S_Intel
Employee

Ha yes, that TLS-PSK is causing lots of problems because it's not implemented in almost any TLS library... in fact, it probably only works with the "modified" OpenSSL included in the Intel AMT SDK.

In Intel AMT Director, a C# application, I solved this by saving a configuration file and calling "ConfigurationServer.exe". I modified the configuration server that is included in the SDK and removed the server portion... so now, I just call "ConfigurationServer.exe " or something like that, when I need to perform a TLS-PSK. Also, in Director, I perform a basic setup that I call "Round 1" and then, once Intel AMT is up and running, I go back using my own TLS session and set up the rest of the settings.

Yep, basically, no good options here...
Ylian
(Intel AMT Blog)

George_V_
Beginner
Hi,

Thanks for the reply. This explains now why the Director is calling the configuration server. I have been looking at the Director code and could not understand why it was done this way.

Another question: will I still have to use the modified OpenSSL when provisioning type 3 devices (certificate hashes), or will a normal TLS session from any library be sufficient? Does the Director still make a call to the configuration server for this?

George
Ylian_S_Intel
Employee

Hi George,

Yes, I will still have to make a call to ConfigurationServer for the "Remote Configuration" mode with certificate hashes. That TLS connection is also... "atypical". Normally with TLS, the server must have a certificate and it's optional for the client. In this case, Director would connect to Intel AMT, but Director would have the certificate and AMT would have none. It's a TLS in reverse since the client has the cert and the server does not.

So yes, you're going to be using ConfigurationServer.exe for all initial provisioning. To make it easy, you could just use my modified ConfigurationServer.exe from Director.

Ylian (Intel AMT Blog)

peri
Beginner

Hi George,
Did you get this working in Java using the Axis client?

Thanks,
Periyasamy

hou_y_
Beginner

Hi, brother. Now I also need to implement TLS-PSK using Java, but I do not know how to do it. Do I need to install OpenSSL? Do I need to have an OpenSSL jar package? Is there a ready-made interface? Please help me, thank you.

Gael_H_Intel
Moderator

Perhaps you could first enable your AMT system without TLS and then apply the TLS security using PowerShell? https://software.intel.com/en-us/blogs/2012/01/20/how-to-configure-your-system-to-run-the-intelvpro-powershell-module

 
