Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

Zero touch configuration with Manageability Director Tool

sayantan_majumdar
1,158 Views
I was trying to set up Zero Touch Configuration in AMT devices. I found the Manageability Director tool to be pretty easy to use. But I wanted to know the difference between the AMTSCS service and Manageability Director. Could either of those be used for ZTC configuration?
0 Kudos
24 Replies
RBens2
Valued Contributor I
873 Views
Yes, the DTK Commander and the SCS can both be used for Remote Configuration. However, the SCS is meant to be more of a production tool, running in a production environment, but the Commander is more of a testing tool that's meant to be run in a development environment. The DTK is exactly what its name says that it is, a developer's tool kit. The SCS is a full-blown setup and configuration system that's meant to run in a production environment.

0 Kudos
Gael_H_Intel
Moderator
873 Views
Quoting - rogerb
Yes, the DTK Commander and the SCS can both be used for Remote Configuration. However, the SCS is meant to be more of a production tool, running in a production environment, but the Commander is more of a testing tool that's meant to be run in a development environment. The DTK is exactly what its name says that it is, a developer's tool kit. The SCS is a full-blown setup and configuration system that's meant to run in a production environment.


You can also try out the SCS 6.0 Lightweight Version of the full SCS provisioning tool. You can find it HERE on our Manageability Community site. The Lightweight version does require that you install the service on a system in your network (different than your Intel AMT system that you want to provision.) You would also then install the Console and choose a profile that you want to use for enabling AMT. The installation guide has pretty good information on how to set everything up as well as how to install your provisioning certificate. Note also that the Lightweight version does not require a Database (It uses XML files instead.)
0 Kudos
sayantan_majumdar
873 Views

Hi Gael,

Thanks for your suggestion. A few questions on the Lightweight version of the SCS provisioning tool.
1. Will it work properly where it needs to manage 10000 systems?
2. While creating the Certificate template, the CA server should be in a Domain. Will it create any issue if the SCS server is not in the same domain (say, in a workgroup)?

Thanks.

Sayantan
0 Kudos
Gael_H_Intel
Moderator
873 Views

Hello Sayantan,

1. I'm guessing that if you want to provision 1000 systems at a time, you would have to create a script that calls the Activator.exe (not the GUI, since the GUI requires your interaction) - you would want to have some software that pushes your provisioning script to your AMT clients and then gets executed. The lightweight version should support this number of clients. The SCS 6.0 Full version has been validated to support provisioning of 200,000 clients.
2. Workgroup works. Certificate can have a different domain than what you have in your environment. Here is a blog that I wrote to describe how to set this up.

Please let us know if this helps. Also, if we manage to answer your question, it would be great if you could indicate that by clicking on the "My Question was Answered" option on your forum question.

Thanks!

0 Kudos
sayantan_majumdar
873 Views

Hi Gael,

Thanks for your quick response. I would surely mark the thread as "My question is answered" and mark the best answer too. I understand that this helps in maintaining the forum properly.

I am aware that I need to create the script to automate this procedure. I was trying to use the lightweight version of SCS. I followed the steps mentioned in the user guide. I created my own certificate and pushed the thumbprint into the Intel AMT 3.0 device. Now when I executed the activator from the AMT device, I got the following log in the SCS server:

7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 10:21:43:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Initial connection to Intel AMT failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (FAILED) : Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014 Status:3221227474

Any idea what is going wrong? Or what could be my path forward here. Thanks..

Sayantan
0 Kudos
Gael_H_Intel
Moderator
873 Views

Ok - well it should work with AMT 3.0. One idea that might be wrong, that I found when I was trying it out was the SCS 6.0 Lite version seems to expect the AMT Client to be in factory mode, i.e., the MEBx password must be "admin." If you have changed the password it will not be able to log in and complete the provisioning. You may have to remove the CMOS battery on your system in order to return it to Factory mode.

Another thing about the SCS Lite is that it does not use a database and does not keep track of which systems were provisioned so if this is important for your environment, you might want to eventually shift over to the Full SCS version.
0 Kudos
sayantan_majumdar
873 Views

So the conclusion is I cannot use SCS Lite then :). However, thanks for all your input.
0 Kudos
sayantan_majumdar
873 Views

A couple of questions...
1. Are you sure that SCS Lite does not work if the MEBx password in the device is changed from "Admin" to something else? The reason I am asking this question is, the user guide says that we can create our own root certificate and push the thumbprint into the AMT device and make it ready for ZTC provisioning. Now while pushing the thumbprint we have to change the MEBx password. How will SCS Lite provision the system in that case?

2. I have created a certificate and pushed the certificate thumbprint into the AMT device. While running the activator from the AMT platform I am getting the following log in the SCS server:

7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 20:19:40:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:

But there is no log after that and the SCS service hangs at this stage. I could not stop the service at this time. I had to kill the process manually. Any idea what's going on at this time?
0 Kudos
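The two log excerpts posted above (the run that fails with AMT Connection Error 4014, and the later run that logs STARTED and then nothing) can be told apart mechanically. This is an added example, not part of the thread and not Intel SCS code: a Python parser for the line layout visible in those excerpts. The regexes, the function names and the hexadecimal rendering of `Status` are assumptions derived only from the pasted lines.

```python
import re

# Abridged from the two log excerpts pasted in this thread (first run, then second run).
SAMPLE_LOG = """\
7-10-2009 10:21:43:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (FAILED) : Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014 Status:3221227474
7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 20:19:40:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
"""

# "<date> <time>:(<LEVEL>) : <message>"
LINE = re.compile(r"^(?P<ts>\d+-\d+-\d+ \d+:\d+:\d+):\((?P<level>[A-Z]+)\) : (?P<msg>.*)$")
# State-change lines carry host, platform UUID, category, state and a numeric status.
STATE = re.compile(
    r": (?P<host>\S+) : (?P<uuid>[0-9A-Fa-f-]{36}), Category: \((?P<cat>\w+)\)"
    r" : \((?P<state>\w+)\) : .*Status:(?P<status>\d+)$")
# Error lines start with the host name and may name an AMT connection error code.
ERROR = re.compile(r"^(?P<host>[^,]+), Category: .*AMT Connection Error (?P<code>\d+)")


def summarize(log_text):
    """Return one record per STARTED line, in log order, with its outcome."""
    attempts = []
    open_by_host = {}  # host -> attempt that has not logged a terminal state yet
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the layout shown in the thread
        msg = m["msg"]
        st = STATE.search(msg)
        if st and st["state"] == "STARTED":
            attempt = {"host": st["host"], "uuid": st["uuid"], "started": m["ts"],
                       "state": None, "status_hex": None, "amt_errors": []}
            attempts.append(attempt)
            open_by_host[st["host"]] = attempt
        elif st:
            # Any other state (FAILED in the excerpt) closes the open attempt.
            attempt = open_by_host.pop(st["host"], None)
            if attempt is not None:
                attempt["state"] = st["state"]
                # Hex form is easier to search for than the decimal value.
                attempt["status_hex"] = f"0x{int(st['status']):08X}"
        elif m["level"] == "ERROR":
            er = ERROR.match(msg)
            if er and er["host"] in open_by_host:
                codes = open_by_host[er["host"]]["amt_errors"]
                if er["code"] not in codes:
                    codes.append(er["code"])
    return attempts


def stalled(attempts):
    """Attempts that logged STARTED but never a terminal state (the hang case)."""
    return [a for a in attempts if a["state"] is None]


if __name__ == "__main__":
    for a in summarize(SAMPLE_LOG):
        print(a["started"], a["host"], a["state"] or "NO TERMINAL STATE",
              a["status_hex"], a["amt_errors"])
```
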
Gael_H_Intel
Moderator
873 Views

Hi there,
I have sent a question to our Dev Team regarding this Password issue that I found. Since you had to sign on to the MEBx to enter your provisioning certificate hash, I suspect you won't be able to provision due to this issue because you had to change the password. I'm not sure why the service is hanging. I did find that it tried for quite a while and eventually came back and said that provisioning was unsuccessful - how long did you wait until you killed it? As soon as I cleared the CMOS and started the provisioning with the system in factory mode, provisioning was successful almost instantly.

Gael.
0 Kudos
sayantan_majumdar
873 Views

Hi,

Do you mean that if I create my own certificate and push the hash into the AMT device then SCS Lite won't provision that system? If so then this should be mentioned in the user guide. From the user guide it seems that I can create my own certificate and use it for ZTC.

Thanks.
Sayantan
0 Kudos
Gael_H_Intel
Moderator
873 Views

Hi - I have escalated this issue to our dev team. You should be able to remotely provision the system after creating your own certificate hash (after changing the MEBx password.) I think this is a bug in that the SCS expects the system to still have the "admin" password. I'll let you know what I find out.

Thanks,
Gael
0 Kudos
sayantan_majumdar
873 Views

Thanks a lot for the information. If it's a bug, could you please let me know if I could expect any release of SCS Light in the near future?

Regards,
Sayantan
0 Kudos
Lance_A_Intel
Employee
873 Views

Hi, you can create your own certificate and use it to do zero-touch remote provisioning with SCS and SCS Light.
Are you still having problems with this?
0 Kudos
sayantan_majumdar
873 Views

Yes, I am still having a problem with this. I was trying with SCS Light. But the problem is that when I create my own certificate and want to push the hash into the AMT device, I need to change the admin password. And it looks like SCS Light does not work if the admin password is something other than the default password "admin". Is that correct?
0 Kudos
Lance_A_Intel
Employee
873 Views

I don't believe that is correct.
I have tested with full SCS and it works.
Gael tested with Lightweight and it worked.

You may want to try to do a CMOS reset of your system (power down, remove power cord, remove CMOS battery for 15 sec, plug in, power up). Then try again following the instructions in the Installation & User's Guide.
Make sure to use the numbers and dashes format (xxxx-xxxx-...) for the hash when entering in the ME.
0 Kudos
sayantan_majumdar
873 Views

I have done all these.

The issue is, when I am inserting the hash into the AMT device I have to change the admin password. Is there any way that I can let SCS Light know that the default password has been changed and it should work with the new password?

Please see Gael's response to the same question:

=======================================================================
Hi - I have escalated this issue to our dev team. You should be able to remotely provision the system after creating your own certificate hash (after changing the MEBx password.) I think this is a bug in that the SCS expects the system to still have the "admin" password. I'll let you know what I find out.

Thanks,
Gael
========================================================================
0 Kudos
Lance_A_Intel
Employee
873 Views

Yes, Gael tried again later and was able to get it working.

The new password should be used in the Activator tool.
SCS should use the certificate.

You should also keep in mind the passwords for the profile you create to be used with that system.
0 Kudos
sayantan_majumdar
873 Views

Oh.. That's so encouraging. Thanks a lot. But may I know how I could supply the new password? I am using the UI-based activator tool and going for a PKI-based configuration.
0 Kudos
RBens2
Valued Contributor I
873 Views
Hi Sayantan,

You don't have to go into MEBx to push the cert hash onto the system. You can use the USB key provisioning to push the hash into the system. Use the USB key tool out of the SDK and tell it that you want to create a 2.1 version of the file and supply the default password of "admin" and the new hash. Or, you can use PSK provisioning and push the PWD, PID, PPS triplet onto the system and use One-touch provisioning with the system, which doesn't need a custom cert hash.

Regards,
Roger

0 Kudos
sayantan_majumdar
788 Views
Quoting - rogerb
Hi Sayantan,

You don't have to go into MEBx to push the cert hash onto the system. You can use the USB key provisioning to push the hash into the system. Use the USB key tool out of the SDK and tell it that you want to create a 2.1 version of the file and supply the default password of "admin" and the new hash. Or, you can use PSK provisioning and push the PWD, PID, PPS triplet onto the system and use One-touch provisioning with the system, which doesn't need a custom cert hash.

Regards,
Roger


Thank you Roger. As my goal is to set up ZTC in PKI mode provisioning, I need to push the certificate hash. The first approach could be good for me. One question: if I insert the hash the way you suggested and unprovision the device, would the device retain the inserted hash? Because I need to test the PKI mode provisioning after that.
0 Kudos