Community
cancel
Showing results for 
Search instead for 
Did you mean: 
112 Views

Zero touch configuration with Manageability Director Tool

I was trying to set up Zero Touch Configuration in AMT devices. I found Manageability Director tool to be pretty easy to use. But wanted to know the difference between the AMTSCS service and Manageability Director. Could either of those be used for ZTC configuration?
0 Kudos
24 Replies
RBens2
Valued Contributor I
108 Views

Yes, the DTK Commander and the SCS can both be used for Remote Configuration. However, the SCS is meant to be more of a production tool, running in a production environment, but the Commander is more of testing tool, that's meant to be run in a development environment. The DTK is exactly what it's name says that it is, A developer's tool kit. The SCS is a full-blown setup and configuration system that's meant to run in a production environment.

Gael_H_Intel
Moderator
108 Views

Quoting - rogerb
Yes, the DTK Commander and the SCS can both be used for Remote Configuration. However, the SCS is meant to be more of a production tool, running in a production environment, but the Commander is more of testing tool, that's meant to be run in a development environment. The DTK is exactly what it's name says that it is, A developer's tool kit. The SCS is a full-blown setup and configuration system that's meant to run in a production environment.


You can also try out the SCS 6.0 Lightweight Version of the full SCS provisioning tool. You can find it HERE on our Manageability Community site. The Lightweight version does require that you install the service on a system in your network (different than your Intel AMT system that you want to provision.) You would also then install the Console and choose a profile that you want to use for enabling AMT. The installation guide has pretty good information on how to set everything up as well as how to install your provisioning certificate. Note also that the Lightweight version does not require a Database (It uses XML files instead.)
108 Views


You can also try out the SCS 6.0 Lightweight Version of the full SCS provisioning tool. You can find it HERE on our Manageability Community site. The Lightweight version does require that you install the service on a system in your network (different than your Intel AMT system that you want to provision.) You would also then install the Console and choose a profile that you want to use for enabling AMT. The installation guide has pretty good information on how to set everything up as well as how to install your provisioning certificate. Note also that the Lightweight version does not require a Database (It uses XML files instead.)

Hi Gael,

Thanks for you suggestion. A few questions on the Lightweight version of the SCS provisioning tool.
1. Will it work properly where it needs to manage 10000 systems?
2.While creating the Certificate template, the CA servershould be in a Domain. Will it create any issue if the SCS server is not in the same domain. (say in workgroup)

Thanks.

Sayantan
Gael_H_Intel
Moderator
108 Views


Hi Gael,

Thanks for you suggestion. A few questions on the Lightweight version of the SCS provisioning tool.
1. Will it work properly where it needs to manage 10000 systems?
2.While creating the Certificate template, the CA servershould be in a Domain. Will it create any issue if the SCS server is not in the same domain. (say in workgroup)

Thanks.

Sayantan

Hello Sayantan,

1. I'm guessing that if you want to provision 1000 systems at a time, you would have to create a script that calls the Activator.exe (not the Gui - since the Gui requires your interaction) - you would want to have some software that pushes your provisioning script to your amt clients and then gets executed. The lightweight version should support this number of clients. The SCS 6.0 Full version hasbeen validated tosupport provisioning of 200,000 clients.
2. Workgroup works. Certificate can have a different domain than what you have in your environment. Here is a blog that I wrote to describe how to set this up.

Please let us know if this helps. Also, if we manage to answer your question, it would be great if you could indicate that by clicking on the "My Question was Answered" option on your forum question.

Thanks!

108 Views


Hello Sayantan,

1. I'm guessing that if you want to provision 1000 systems at a time, you would have to create a script that calls the Activator.exe (not the Gui - since the Gui requires your interaction) - you would want to have some software that pushes your provisioning script to your amt clients and then gets executed. The lightweight version should support this number of clients. The SCS 6.0 Full version hasbeen validated tosupport provisioning of 200,000 clients.
2. Workgroup works. Certificate can have a different domain than what you have in your environment. Here is a blog that I wrote to describe how to set this up.

Please let us know if this helps. Also, if we manage to answer your question, it would be great if you could indicate that by clicking on the "My Question was Answered" option on your forum question.

Thanks!


Hi Gael,

Thanks for your quick response. I would surely mark the thread as "My question is answered" and mark the best answer too. I understand that this helps in maintaining the forum properly.

I am aware that I need to create the script to automate this procedure. I was trying to use the light weight version of SCS. I followed the steps mentioned in the user guide. I created m own certificate and pushed the thumbprint into the Intel AMT 3.0 device. Now while I executed the activator from the AMT device, I got following log in the SCS server,

7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 10:21:43:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Initial connection to Intel AMT failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (FAILED) : Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014 Status:3221227474

Any idea what is going wrong? Or what could be my path forward here. Thanks..

Sayantan
Gael_H_Intel
Moderator
108 Views


Hi Gael,

Thanks for your quick response. I would surely mark the thread as "My question is answered" and mark the best answer too. I understand that this helps in maintaining the forum properly.

I am aware that I need to create the script to automate this procedure. I was trying to use the light weight version of SCS. I followed the steps mentioned in the user guide. I created m own certificate and pushed the thumbprint into the Intel AMT 3.0 device. Now while I executed the activator from the AMT device, I got following log in the SCS server,

7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 10:21:43:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Initial connection to Intel AMT failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (FAILED) : Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014 Status:3221227474

Any idea what is going wrong? Or what could be my path forward here. Thanks..

Sayantan

Ok - well it should work with AMT 3.0. One idea that might be wrong, that I found when I was trying it out was the SCS 6.0 Lite version seems to expect the AMT Client to be in factory mode, ie, the MEBx password must be "admin." If you have changed the password it will not be able to log in and complete the provisioning. You may have to remove the CMOS battery on your system in order to return it to Factory mode.

Another thing about the SCS Lite is that it does not use a database and does not keep track of which systems were provisioned so if this is important for your environment, you might want to eventually shift over to the Full SCS version.
108 Views


Ok - well it should work with AMT 3.0. One idea that might be wrong, that I found when I was trying it out was the SCS 6.0 Lite version seems to expect the AMT Client to be in factory mode, ie, the MEBx password must be "admin." If you have changed the password it will not be able to log in and complete the provisioning. You may have to remove the CMOS battery on your system in order to return it to Factory mode.

Another thing about the SCS Lite is that it does not use a database and does not keep track of which systems were provisioned so if this is important for your environment, you might want to eventually shift over to the Full SCS version.

So the conclusion is I cannot use SCS Lite then :). However, thanks for all your input.
108 Views


Ok - well it should work with AMT 3.0. One idea that might be wrong, that I found when I was trying it out was the SCS 6.0 Lite version seems to expect the AMT Client to be in factory mode, ie, the MEBx password must be "admin." If you have changed the password it will not be able to log in and complete the provisioning. You may have to remove the CMOS battery on your system in order to return it to Factory mode.

Another thing about the SCS Lite is that it does not use a database and does not keep track of which systems were provisioned so if this is important for your environment, you might want to eventually shift over to the Full SCS version.

Couple of question...
1. Are you sure that SCS lite does not work if the MEBx password in the device is chaged from "Admin" to something else? The reason I am asking this question is, user guide says that we can create our own root certificate and push the thumbprint into the AMT device and make it ready for ZTC provisioning. Now while pushing the thumbprint we have to change the MEBx password. How will the SCS lite provision the system in that case?

2. I have created a certificate and pushed the certificate thumbprint in the AMT device. While running the activator from the AMT platform I am getting following log in the SCS server

7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 20:19:40:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:

But there is no log after that and SCS service hang at this stage. I could not stop the service at this time. I had to kill the process manually. Any idea whats going on at this time?
Gael_H_Intel
Moderator
108 Views


Couple of question...
1. Are you sure that SCS lite does not work if the MEBx password in the device is chaged from "Admin" to something else? The reason I am asking this question is, user guide says that we can create our own root certificate and push the thumbprint into the AMT device and make it ready for ZTC provisioning. Now while pushing the thumbprint we have to change the MEBx password. How will the SCS lite provision the system in that case?

2. I have created a certificate and pushed the certificate thumbprint in the AMT device. While running the activator from the AMT platform I am getting following log in the SCS server

7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 20:19:40:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:

But there is no log after that and SCS service hang at this stage. I could not stop the service at this time. I had to kill the process manually. Any idea whats going on at this time?

Hi there,
I have sent a question to our Dev Team regarding this Password issue that I found. Since you had to sign on to the MEBx to enter your provisioning certificate hash, I suspect you won't be able to provision due to this issue because you had to change the password. I'm not sure why the service is hanging. I did find that it tried for quite a while and eventually came back and said that provisioning was unsuccessful - how long did you wait until you killed it? As soon as I cleared the CMOS and started the provisioning with the system in factory mode, provisioning was successful almost instantly.

Gael.
108 Views


Hi there,
I have sent a question to our Dev Team regarding this Password issue that I found. Since you had to sign on to the MEBx to enter your provisioning certificate hash, I suspect you won't be able to provision due to this issue because you had to change the password. I'm not sure why the service is hanging. I did find that it tried for quite a while and eventually came back and said that provisioning was unsuccessful - how long did you wait until you killed it? As soon as I cleared the CMOS and started the provisioning with the system in factory mode, provisioning was successful almost instantly.

Gael.

Hi,

Do you mean that if Icreate my own certificate and push the hash in the AMT device then SCS lite wont provision that system? If so then this should be mentioned in the user guide. From user guide it seems that I can create my own certificate and use it for ZTC.

Thanks.
Sayantan
Gael_H_Intel
Moderator
108 Views


Hi,

Do you mean that if Icreate my own certificate and push the hash in the AMT device then SCS lite wont provision that system? If so then this should be mentioned in the user guide. From user guide it seems that I can create my own certificate and use it for ZTC.

Thanks.
Sayantan

Hi - I have escalated this issue to our dev team. You should be able to to remotely provision the system after creating your own certificate hash (after changing the MEBx password.) I think this is a bug in that the SCS expects the system to still have the "admin" password. I'll let you know what I find out.

Thanks,
Gael
108 Views


Hi - I have escalated this issue to our dev team. You should be able to to remotely provision the system after creating your own certificate hash (after changing the MEBx password.) I think this is a bug in that the SCS expects the system to still have the "admin" password. I'll let you know what I find out.

Thanks,
Gael

Thanks a lot for the information. If it's a bug could you please let meknow if I could expect any release of SCS light in near future?

Regards,
Sayantan
Lance_A_Intel
Employee
108 Views


Hi, you can create your own certificate and use it to do zero-touch remote provisioning with SCS and SCS Light.
Are you still having problems with this?
108 Views


Hi, you can create your own certificate and use it to do zero-touch remote provisioning with SCS and SCS Light.
Are you still having problems with this?

Yes I am still having problem with this. I was trying with the SCS light. But the problem is like, when I create my own certificate and want to push the hash in the AMT device then I need to change the admin password. And looks like SCS light does not work if the admin password is something other than the default password "admin". Is it correct?
Lance_A_Intel
Employee
108 Views


I don't believe that is correct.
I have tested with full SCS and it works.
Gael tested with Lightweight and it worked.

You may want to try to doa CMOS reset your system (power down, remove power cord, remove CMOS battery for 15 sec, plug in, power up). Then try again following the instructions in the Installation & User's Guide.
Make sure to use the numbers and dashes format (xxxx-xxxx-...) for the hash when entering in the ME.
108 Views


I don't believe that is correct.
I have tested with full SCS and it works.
Gael tested with Lightweight and it worked.

You may want to try to doa CMOS reset your system (power down, remove power cord, remove CMOS battery for 15 sec, plug in, power up). Then try again following the instructions in the Installation & User's Guide.
Make sure to use the numbers and dashes format (xxxx-xxxx-...) for the hash when entering in the ME.


I have done all these.

The issue is, when I am inserting the hash into the AMT device I have to change the admin password. Is there any way so that I can let SCS Light know that the default password has been changed and it should work with the new password.

Please see Gael's response to the same question:

=======================================================================
Hi - I have escalated this issue to our dev team. You should be able to to remotely provision the system after creating your own certificate hash (after changing the MEBx password.) I think this is a bug in that the SCS expects the system to still have the "admin" password. I'll let you know what I find out.

Thanks,
Gael
========================================================================
Lance_A_Intel
Employee
108 Views


Yes, Gael tried again later and was able to get it working.

The new password should be used in the Activator tool.
SCS should use the certificate.

You should also keep in mind the passwords for the profile you create to be used with that system.
108 Views


Yes, Gael tried again later and was able to get it working.

The new password should be used in the Activator tool.
SCS should use the certificate.

You should also keep in mind the passwords for the profile you create to be used with that system.

Oh.. Thats so encouraging. Thanks a lot. But may I know how I could supply the new password. I am using UI based activator tool and going for a PKI based configuration.
RBens2
Valued Contributor I
108 Views

Hi Sayantan,

You don't have to go into MEBx to push the cert hash onto the system. You can use the USB key provisioning to push the hash into the system. Use the USB key tool out of the SDK and tell it that you want to create a 2.1 version of the file and supply the default password of "admin" and the new hash. Or, you can use PSK provisioning and push the PWD, PID, PPS triplet onto the system and use One-touch provisioning with the system, which doesn't need a custom cert hash.

Regards,
Roger

23 Views

Quoting - rogerb
Hi Sayantan,

You don't have to go into MEBx to push the cert hash onto the system. You can use the USB key provisioning to push the hash into the system. Use the USB key tool out of the SDK and tell it that you want to create a 2.1 version of the file and supply the default password of "admin" and the new hash. Or, you can use PSK provisioning and push the PWD, PID, PPS triplet onto the system and use One-touch provisioning with the system, which doesn't need a custom cert hash.

Regards,
Roger


Thank you Roger. As my goal is to setup a ZTC in PKI mode provisioning, I need to push the certificate hash. The first approach could be good for me. One question, if I insert the hash the way you suggested and unprovision the device, would the device retain the inserted hash? Because I need to test the PKI mode provisioning after that.
Reply