Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

Zero Touch Configuration

calsboy
Beginner
3,202 Views

Hi everyone,

I've just read about the Zero Touch Configuration that is supported in AMT 2.2. I would like to ask clarifications on the following parts:

  1. What are root certificate hashes? The document i've read stated that "The Intel AMT device firmware image contains one or more root certificate hashes from recognized vendors in the firmware image". Is the root certificate hash for openssl already included there, or something like that? If not how could i embed this to the firmware?
  2. Can anyone provide mea sample C++ ConfigurationServer code thatwillhandle the zero touchconfiguration?
  3. Is a local agent really needed to provide one time passwordfor AMT 2.2? Can anyone also provide me a sample C++ code for this.

Thanks.

0 Kudos
22 Replies
Ylian_S_Intel
Employee
2,859 Views

Hi, these are good questions.

1. Intel AMT must know what certificate it can trust. When performing ZTC, Intel AMT will verify that the server has a certificate that is signed by a trusted certificate. Instead of storing the entire root certificate in Intel AMT, we store only the has of the certificate... In hex, the hash looks like this:

bb 42 69 ad 56 5f ac 5c d8 d2 d2 9e f4 d4 24 c2 2d 22 6a 66

When you create a root certificate, you can use the Microsoft Windows built-in certificate viewer or using Intel AMT Director to look at may certificate and get it's hash.

2. The full source code to the "ConfigurationServer.exe" that does support ZTC is included in the Intel AMT SDK.

3. The Intel AMT SDK also include ZTCLocalAgent.exe, this tool will cause Intel AMT to start the ZTC process. As far as I know, the password is optional.

Ylian (Intel AMT Blog)

0 Kudos
Gael_H_Intel
Moderator
2,859 Views

Last system I looked at had 4 certificate hashes included (Verisign and Godaddy were two of them.) you can check this on your system by going into the provisioning menus - there is one that displays them. There is also an option to add your own CH.

The AMT DTK might have examples of ConfigServer code, but the DTK is written in C#.

Yes, you need a local agent to provide the one-time password. (You can use the RCT (Remote Configuration Tool) tool that is provided with the SCS...)

0 Kudos
calsboy
Beginner
2,859 Views

Hi,

Is certificate hash similar to thumbprint? When i looked at the windows certificate viewwer, that was the only certificate property that i saw having a similar value with the one Ylian provided in his reply.

Gael, what provisioning menus are you referring at. Is it the MEBX? But if it is, i haven't seen a menu that displays certificate hashes? Please provide me directions on how to view the certificate hashes and to add my own one.

Thanks.

0 Kudos
Gael_H_Intel
Moderator
2,859 Views

Yes the certificate hash is the thumbprint.

The provisioning menus may vary according to your particular Bios/OEM system, but here is how I get to them on mine: (Noe that my system is not OEM branded.) From my experience, the ability to look at the hashes and add them is availablestarting withAMT 3.0.

F2 - get into System Setup

Choose "Intel Active Management Technology Configuration"

Enter ME Password

Choose "Provisioning Configuration"

Choose "Manage Certificates"

Choose "Manage Permanent Certificates"

My system has the following:

VeriSign Class 3 Primary CA-G1

VeriSign Class 3 Primary CA-G3

Go Daddy Class 2 CA

Comodo AAA CA

If these options are not on your system, you should be able to insert a hash using the USB setup.bin according to the options (we have not tried this yet.)

Go tothe AMTSDKBinConfigurationConfigScripts folder and enter "usbfile. " You should get a help screen that will show all the options for this particular script.

Let us know if this helps.

0 Kudos
calsboy
Beginner
2,859 Views

Hi Gael,

Thanks for the info.

I'm using AMT 2.2 so i do not have that menu in Intel AMT configuration. I was able to see the certificate hashes through the ZTCLocalAgent that is provided in the AMT SDK.

I followed the steps in USBfile but i was not able to add my certificate hash or update the AMT configurations. I used the following command to create setup.bin:

USBfile.exe -create setup.bin admin Pass@2008 -v 2 -amt -ztc 1 -hash cert.pem friendlyName

Can i use a USB Flash Drive as my USB key? I used one and format it to FAT and added the setup.bin to the usb flash drive. I attached the drive to the device and rebbot it. After the reboot i tried to enter to MEBx, the password was still admin. When i tried to see the certificate hashes using the ZTCLocalAgent, it did not change. Could anyone help me figure out what step i miss?

Thanks.

0 Kudos
Gael_H_Intel
Moderator
2,859 Views

Hi,

You have to use a USB Key that is 128 MB or less. Note that not all USB keys work so you might want to play around with a few different varieties. (We have a 256 MB "Hello Kitty" USB key in our lab that actually works great! - however it is an exception to all of our rules.)

0 Kudos
calsboy
Beginner
2,859 Views

Hi,

I would like ask about certificate chain that is needed in remote configuration. How can i create a certificate chain? If one will buyone of the pre installed hash root certificates, where will he get a certificate chain?

thanks.

0 Kudos
Sreelekshm_S_Intel
2,859 Views

Hi,

Please refer to http://software.intel.com/en-us/forums/showpost.php?p=45771for details on how to create a certificate chain.

Thanks,

Sree

0 Kudos
calsboy
Beginner
2,859 Views

Hi Sree,

The abovethread wasvery helpful for me since i'm just starting to understand amt dealing with certificates. But i would like to clarify something, according to AMT SDK 3.0:

full_cert_chain_file :

Path to a pem file containing a certificate chain that starts with the SCA certificate and includes the private key and contains the full chain of trust (including the root) in ascending order (from the leaf to the root)

What is this pem file that containa certificate chain? According to the documentation, zero configuration needs this pem file, how can i create this now?

Thanks.

0 Kudos
Sreelekshm_S_Intel
2,859 Views

Hi,

I have attached a document here on how to create the pem file.

Hope this helps.

Thanks,

Sree

0 Kudos
Ylian_S_Intel
Employee
2,859 Views

Another easy way to create a .PEM file is to create the certificate using Intel AMT Director, select it and press the export button. It supports .CER, .PEM, .P12 formats. Just a note that Director will put both the public and private key of the certificate in the .PEM file.

The other cool thing about Director is that you can create root certificates or certificates with various different Intel AMT related options with a few clicks. You can also import existing certificates.

Intel AMT Director is much easier than using OpenSSL command line tool, still, Director actualy calls OpenSSL in the background, so the results are exactly the same.

Ylian (Intel AMT Blog)

0 Kudos
calsboy
Beginner
2,859 Views

Hi Ylian,

I had successfully created the needed certificates that i can use for the zero touch configuration. Thanks for the information.

I tried to use the ConfigurationServer.exe utility to process the configuration. I have the root certificate hash to the AMT using by updating the BIOS. But i have encountered a problem during configuration. ConfigurationServer displays the following error message:

Error: failed while calling GetCoreVersion
Res = 21
SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
"Timeout"
Detail: Connect failed in tcp_connect()
- failed to establish connection with AMT
- attempt to connect using default credentials...
Error: failed while calling GetCoreVersion
Res = 21
SOAP 1.1 fault: SOAP-ENV:Client [no subcode]

I have not yet changed the MEBx password. What could be the cause of this problem?

Thanks.

0 Kudos
Ylian_S_Intel
Employee
2,859 Views

Hi. Oh, you have a difficult problem. ConfigurationServerwill firsttry a password you provide, but if it fails, it will try "admin"/"admin". This is what it's trying to do when it says "attempt to connect using default credentials...".

The most difficult problem with RCFG is that is AMT does not like anything about your provisioning server, it will disconnect and not tell you why. Here is a check list for you:

  • Make sure you have a DNS server on your network.
  • Make sure you can ping the server from another computer using the server name.
  • Make sure the server name you can ping is also the same as the certificate name.
  • Make sure the RCFG configurate is signed by a root, and the root hash is in AMT.
  • You can't put the hash of the RCFG certificate in AMT, only the root of that cert.

You need a running DNS server because AMT will check that the name of the RCFG certificate is the same as reverse DNS lookup name of the server IP address.

Hope this helps,
Ylian (Intel AMT Blog)

0 Kudos
calsboy
Beginner
2,859 Views

Hi Ylian,

I have everything you have listed above already setup except for i can't ping the server from the system that hosts the AMT device.I can ping the server (using the server IP, computer name and host name)from another system not hosting an AMT device. Could my problem because i can't ping the server from the client hosting the AMT device?

Thanks.

0 Kudos
Ylian_S_Intel
Employee
2,859 Views

Yes, this could be your problem. Intel AMT will check that the IP address of the server when doing reverse lookup is the same as the server's certificate name. If they don't match, AMT will just "hang-up" and will not tell you why. This seems to be exactly what is happening.

As a side story, one of my friend decided to just add the server computer to Intel AMT machines OS host table. Obviously this does not work because AMT is going the reverse lookup, not the OS.

Hope this helps,
Ylian (Intel AMT Blog)

0 Kudos
calsboy
Beginner
2,859 Views

Hi,

I have finally configured an AMT device using Remote Configuration successfully.

Thanks a lot for all your help.

0 Kudos
calsboy
Beginner
2,859 Views

Hi,

I was able to successfully configure the AMT device and was able to access, but i can see a warning when using AMT Commander to access the AMT device. It says connection name, DNS name, certificate name mismatch. Because of this warning, i am not able to take control of the terminal. What could be the problem here?

Thanks.

0 Kudos
Ylian_S_Intel
Employee
2,859 Views

Hi. Ha yes, this is a very common problem. Intel AMT Commander will try to connect no matter what, but the IDE-R/SOL library does have certificate checks that I can't remove.

To fix this, go in the management engine tab of Intel AMT Commander and the first option in the tab is the AMT host name. Click the button to the right of that. You will see the connection name, AMT host name, DNS lookup name and TLS certificate name. Idealy, all of them should match.

To fix your problem, just remove the computer from Commander and re-add it using the proper host name, the same one used in the certificate.

Thanks,
Ylian (Intel AMT Blog)

0 Kudos
jdk2001
Beginner
2,859 Views

hello.

i want to use the zero-touch manner to provision my amt3.0(dell755)deviceon the landesk management software.

In landesk software's help is discribed as follow:

To obtain an Intel* Client Setup Certificate
1. Select a vendor and log in to the vendor's web site.
2. To generate a CSR file and private key:
3. In the LDMAIN share on the core server, in the amtprov directory, run AMTProvMgr2.exe
with the following arguments:
AMTProvMgr2.exe -domainName name.domain.com -country US
Use a two-letter country code; if none is specified the default is US. The domain name you
specify should include a namespace.
This executable saves two files to the amtprov directory: certreq.csr (certificate signing
request) and corecakey.pem (a private key file).
4. Open the certreq.csr file in a text editor and copy the contents.
5. At the vendor's web site, paste the contents of the certreq.csr file into the field provided,
and complete the application for the certificate.
After your certificate request is processed the vendor will send you two files: a root
certificate file (a common or public file) and a certificate file for the domain you specified.
6. Copy the vendor's root certificate file and rename the copy trusted_cert.pem.
7. Copy the vendor's certificate file for your domain and rename the copy corecacert.pem.
8. Save the above two files, along with the corecakey.pem file (generated in step 3 above),
to a folder in LDMAINamtprovcertStorecert_1. You can store up to eight certificates in
subfolders named cert_1, cert_2, and so on.

I want to kown how to generate thefiles of trusted_cert.pem ,corecacert.pem and corecakey.pem using the intel DTK tools.

thanks,

Jack

0 Kudos
Sreelekshm_S_Intel
2,658 Views

Hi,

Please watch the tutorial on remote configuration at http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit. Let us know if you have further questions.

Thanks,

Sree

0 Kudos
Reply