Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

CIRA Issues

XCEL
Beginner
3,554 Views

I've managed to get my EMA server online and clients connecting.

 

My server is in a workgroup and is publicly accessible over the internet via rmm.myhosteddomain.com I'm using nginx as the proxy and it has the signed certificate for the domain name. The workstations are on a windows domain clientdomain.local

 

I have 3 clients connected (only 2 support AMT) these clients are connected over the internet and not locally on the LAN.

 

None of them show the CIRA connected and I'm not sure why. Maybe it's the DNS issue? I'm confused about this part of the settings. Do the clients need to connect to a server that has their same local domain name for CIRA to connect?

XCEL_0-1704134304787.png

 

I'm also confused about the admin mode, which I'd like to implement. I attempted to export my certificate from nginx and import it into the certificates in EMA but it failed with:

Certificate import failed. Please check that the .PFX file and password are valid.
 
The pfx file is valid along with the password, I can import it into Windows just fine.
 
I'm happy to provide any logs, just need to know which ones.
0 Kudos
18 Replies
Meghak
Employee
3,523 Views

Hi XCEL,

 

Thank you for posting on Intel Community.

 

For the query reported, we request to post the query on the Software Development Technologies forum for further assistance.

 

https://community.intel.com/t5/Software-Development/ct-p/software-dev-technologies

 

We would like to inform you that we are closing this request as we have referred your query to Software Development Technologies forum.


Please don't hesitate to ask any further questions in the future.


Feel free to start a new conversation, as this thread will no longer be monitored.


Regards,

Megha K


0 Kudos
XCEL
Beginner
3,508 Views

Could you explain this action? This make no sense to be in the software development forum, this is the correct location as it's a vPro issue.

0 Kudos
MIGUEL_C_Intel
Moderator
3,485 Views

Hello, XCEL,


My name is Miguel, I am an Intel EMA support member. I will gladly assist you.


I understand this is a new configuration with the following:

EMA version: 1.12.1

FQDN: rmm.myhosteddomain.com

EMA Server accessible over the internet; signed certificate for the domain name (IIS).

Using nginx as the proxy.

Windows domain: clientdomain.local

EMA configuration in Client Control Mode

Endpoints are working remotely (2 with vPro, 1 non-vPro)

AMT setup: Provisioned Completed

CIRA Not Connected


I will need your confirmation on the questions below:

1- Do the endpoints belong to the domain clientdomain.local?

2- Did you create a CIRA Proxy Setting for the EMA agent file?

Log in as a Tenant and go to AMT profile>General>CIRA Proxy Settings

3- Do the endpoints share the same FQDN of the EMA Server?

4- Are the endpoints working with a wired or wireless connection?

5- Please share the EMA server logs.

Default Path: [System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs

Please send me the files without the date called:

EMAlog-Webserver.txt

EMAlog-Swarmserver.txt

EMAlog-Ajaxserver.txt

EMAlog-Recoveryserver.txt

EMAlog-Manageabilityserver.txt

6-Please share a log from an Intel® vPro system.

Intel® EMA Configuration Tool (ECT)

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

Installation:

Download and unzip the tool.

Double-click the .msi file and follow the prompts.

Run:

a- Open a command prompt as administrator (alternatively, you can run the tool from Windows PowerShell*).

b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c- Run the command: EMAConfigTool.exe --verbose


Intel® EMA requires its certificate for Admin Control Mode (access without User consent to OS and BIOS).  It is a dedicated Certificate for Intel® vPro (AMT). This certificate contains the unique Intel® AMT OID number 2.16.840.1.113741.1.2.3.


XCEL, please share the information in a private message, for security reasons.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
XCEL
Beginner
3,484 Views

Thanks for the followup Miguel.

1- Do the endpoints belong to the domain clientdomain.local?

YES

2- Did you create a CIRA Proxy Setting for the EMA agent file?

Log in as a Tenant and go to AMT profile>General>CIRA Proxy Settings

NO, these are the settings:

XCEL_0-1704226438076.png

 

3- Do the endpoints share the same FQDN of the EMA Server?

NO, totally different networks. The EMA server is in a workgroup, not on a domain.

4- Are the endpoints working with a wired or wireless connection?

NO, CIRA has never worked.

5- Please share the EMA server logs.

Sending in PM

0 Kudos
MIGUEL_C_Intel
Moderator
3,439 Views

Hello, XCEL,


Thank you for sending the EMA Server logs and endpoint log. 


My findings are below:

The endpoint seems connected to the internet via a USB dongle or docking station. 

*** ME Wired Network Information ***

ME Wired Interface Not Detected

*** ME Wireless Network Information ***

Link Status: Down

IP Address: 0.0.0.0


Intel® EMA requires an Intel® network adapter connection; this can be a wired, wireless, or passthrough Thumber-bolt docking station (approved by Intel®).


Please remember, that the Client Control Mode option gives you access to the endpoints when they are in the operating system. To access the BIOS or wake up the machines an Intel® AMT certificate is necessary.

https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/active-management-technology/implementation.html (bottom of the page).


If I understand correctly, the Windows Server machine containing the EMA configuration has a Proxy. If this is the case, it is necessary to access the EMA console and update the AMT profile with the Proxy requirements. Go to AMT profile > General > CIRA Proxy Settings


In addition, I noted the endpoint is using an old BIOS version. I suggest updating it to the latest version 1.26.0.

Dell Latitude 7310 and 7410 System BIOS

https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=7y4dy&oscode=wt64a&productcode=latitude-14-7410-2-in-1-laptop


I look forward to hearing back from you.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
3,411 Views

Hello, XCEL,


It is necessary to validate the EMA web page with a valid TLS SSL Certificate in IIS.  In addition, if you want to have remote access to the endpoints without user consent or access to the endpoints' BIOS an AMT Certificate is necessary.  You can buy it from the authorized vendors.


Vendor Certificates to Support Intel® AMT (bottom of the page).

https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/active-management-technology/implementation.html


Note: the AMT Certificate performs both validations and remote provisioning.

1- Allows remote configuration

2- Validate the EMA web page. The Certificate’s domain is usually equal to the company domain.

3- Validates the connection between the endpoints and the EMA server without OS and user consent.


Intel® EMA is prepared for adding extra security options such as a Proxy Server or adding 802.1x.  Additional Certificates are necessary. 


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
XCEL
Beginner
3,356 Views

2- Validate the EMA web page. The Certificate’s domain is usually equal to the company domain.

 

If the domain is NOT the same, what should I do? For instance, the computers local domain is domainabc.local and my webserver, secured by a Godaddy certificated as you mentioned, is rmm.cloudhost.com

0 Kudos
XCEL
Beginner
3,339 Views

Also, I've added the certificate to the IIS site and that part is working properly. However, in EMA if I go to the certificates section, there are none. Should my godaddy certificate also be in here?

0 Kudos
MIGUEL_C_Intel
Moderator
3,331 Views

Hello, XCEL,


The EMA domain (FQDN) needs to be validated by a dedicated Certificate for it.  The certificate for rmm.cloudhost.com will not work.  I suggest recreating the EMA configuration with the same domain cloudhost.com if it is possible.


It is necessary a dedicated Certificate chain for Intel® EMA.  The Certificate allows the remote configuration of endpoints and validates the connection between the EMA server and the endpoints when we are trying to access the BIOS and performing requests before the OS. This Certificate has a dedicated OID number for Intel® vPro. It is 2.16.840.1.113741.1.2.3.


This dedicated Certificate chain can also be used for validating the EMA website in IIS.


After adding the Certificate chain in IIS; it is necessary to export the PFX file to your desktop and then, upload it to the Settings tab in the EMA web console.


I am adding useful links related to the EMA Certificate and the installation.


1.3.6 Intel® AMT PKI Certificate

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=11


3.5 Upload Certificates

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=30


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
XCEL
Beginner
3,328 Views

I'm not sure I understand what you are saying about the domain certificate.

 

In my example (not the exact domain name I'm using but the same concept) I am using the URL rmm.cloudhost.com, which I also have a Godaddy certificate for. Are you saying the certificate from godaddy must only include cloudhost.com? Why can't a subdomain be used? I thought I read that a subdomain such as rmm.cloudhost.com could be used, in fact, there is a document stating the level of subdomains allowed for each type of extension i.e. .com .co .net etc.

 

I did find that the reason I was unable to import the certificate into the EMA web certificates was because the godaddy root had to be installed on the server first. I now have the certificate listed.

0 Kudos
MIGUEL_C_Intel
Moderator
3,311 Views

Hello, XCEL,


You are right.  The EMA certificate domain could be rmm.cloudhost.com.  The domain cloudhost.com covers more endpoint location possibilities.


I am glad to hear you were able to upload the Cert into the settings Tab.  If further assistance is necessary, please share a screenshot on how the Cert chain looks in the Settings tab.  Make sure the Intel® AMT OID number 2.16.840.1.113741.1.2.3 is included in the Cert (Go to IIS, open the Cert. from the Personal Certificate Store, go to Details tab then open the Enhanced Key Usage option.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
XCEL
Beginner
3,269 Views

I don't see Intel® AMT OID number 2.16.840.1.113741.1.2.3 I see:

 

XCEL_0-1704898638827.png

 

Am I looking in the right place?

0 Kudos
XCEL
Beginner
3,257 Views

I see the issue, Godaddy's process is a little confusing. Working on the new cert now.

0 Kudos
MIGUEL_C_Intel
Moderator
3,252 Views

Hello, XCEL,


I will wait for your feedback.


The Intel® AMT OID number 2.16.840.1.113741.1.2.3 is visible at: 

Go to IIS, and open the Certificate / Personal Certificate Store.

Go to the Details tab

Open the Enhanced Key Usage option.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
XCEL
Beginner
3,063 Views

I've managed to get the correct certificate from Godaddy, I have it installed and it shows as a PKI certificate in the settings.

 

I've connected a laptop to the EMA server and it's mostly connected:

XCEL_0-1705340078542.png

 

The problem appears to be that the client is not able to see or determine the CIRA server; as it shows CIRA Server: Not found. Where do I need to look to troubleshoot this issue?

 

*** Host Computer Information ***
Computer Name: DESKTOP-5PHS7B0
Manufacturer: Dell Inc.
Model: Latitude 5480
Processor: Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz
Windows Version: Microsoft Windows 10 Pro
BIOS Version: 1.17.1
UUID: 4C4C4544-0048-5210-8030-B5C04F424832

*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 11.8.70.3626
KVM Supported: True
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True

*** ME Information ***
Version: 11.8.70.3626
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Admin
Driver Installed: True
Driver Version: 2316.5.0.0
PKI DNS Suffix: Not Found
LMS State: Running
LMS Version: 2316.5.0.0
MicroLMS State: NotPresent
EHBC Enabled: False

*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: False
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: False
RSE Enabled: False

*** Power Management Capabilities ***
Supported Power States:
5: PowerCycle_Off_Soft
8: Off_Soft
2: On
10: Master_Bus_Reset
11: NMI
7: Hibernate
12: Off_Soft_Graceful
14: MasterBusReset_Graceful
Power Change Capabilities:
2: On
3: SleepLight
4: SleepDeep
7: Hibernate
8: Off_Soft

*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED

*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 192.168.89.115
MAC Address: <removed>
DHCP Enabled: True
DHCP Mode: Passive
DNS Suffix (from OS): Not Found

*** ME Wireless Network Information ***
Wireless Interface Enabled: False
Link Status: Down
IP Address: 0.0.0.0
MAC Address: Information Unavailable
DHCP Enabled: True
DHCP Mode: Passive

0 Kudos
MIGUEL_C_Intel
Moderator
3,060 Views

Hello, Excel,


The Dell laptop Latitude 5480 is using an old BIOS version and the SMBIOS ME Version (Intel® AMT) is 11.8.70.3626.  Intel® EMA requires at least the version 11.8.79.  I reviewed Dell’s website and there are almost 15 newer versions available; the Intel® AMT version will be updated to this version or higher 11.8.92 or similar.


1.1 Usage Requirements - Intel® Endpoint Management Assistant (Intel® EMA) Administration and Usage Guide https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=6


In addition, I noticed the laptop DNS Suffix (from OS) was Not Found and the Network Interface was Enabled. If the endpoint has a different DNS from the Server.  I suggest typing the PKI DNS suffix of the Certificate in MEBx.  Before doing this, you must do a Full unprovision.  Keep the Network Interface Disable.


If you don’t mind, please share a screenshot of the Certificate chain from the Settings tab. Make sure from IIS, that each section of the chain is SHA256 from the Details tab.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
XCEL
Beginner
3,054 Views

I had already typed the domain (rmm.mydomain.co) into the mebx settings manually.

 

XCEL_0-1705349166333.png

 

XCEL_1-1705349242157.png

 

 

I just updated the firmware, here is the latest log file:

*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 11.8.94.4494
KVM Supported: True
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True

*** ME Information ***
Version: 11.8.94.4494
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Admin
Driver Installed: True
Driver Version: 2316.5.0.0
PKI DNS Suffix: Not Found
LMS State: Running
LMS Version: 2316.5.0.0
MicroLMS State: NotPresent
EHBC Enabled: False

*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: False
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: False
RSE Enabled: False

*** Power Management Capabilities ***
Supported Power States:
5: PowerCycle_Off_Soft
8: Off_Soft
2: On
10: Master_Bus_Reset
11: NMI
7: Hibernate
12: Off_Soft_Graceful
14: MasterBusReset_Graceful
Power Change Capabilities:
2: On
3: SleepLight
4: SleepDeep
7: Hibernate
8: Off_Soft

*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED

*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 192.168.89.115
MAC Address: <removed>
DHCP Enabled: True
DHCP Mode: Passive
DNS Suffix (from OS): rmm.mydomain.co

*** ME Wireless Network Information ***
Wireless Interface Enabled: False
Link Status: Down
IP Address: 0.0.0.0
MAC Address: Information Unavailable
DHCP Enabled: True
DHCP Mode: Passive

0 Kudos
MIGUEL_C_Intel
Moderator
3,039 Views

Hello, XCEL,


It is nice to hear the Intel® AMT firmware was updated with the BIOS update.


I am afraid the PKI DNS Suffix in MEBx was not updated, it is still empty.

*** ME Information ***

Version: 11.8.94.4494

SKU: Intel(R) Full AMT Manageability

State: Provisioned

Control Mode: Admin

PKI DNS Suffix: Not Found


I am concerned about the Domain of the Certificate, EMA domain, and endpoints.  I have the information below:

EMA FQDN: rmm.myhosteddomain.com

Endpoint and Certificate DNS Suffix (from OS): rmm.mydomain.co


I understand you are changing the real DNS and FQDN for security purposes; however, I want to clarify the DNS of the EMA (FQDN) and the certificate should be the same: myhosteddomain.com.


1- Steps for Full unprovision and 2- Adding PKI DNS suffix to MEBx:

From the MEBx Main Menu, click MEBx Login, type your password.  The Default is admin.

Click over Intel® AMT Configuration

Scroll down to Uncofigure Network Access <Full Unprovision>

Enter <Full Unprovision>

Enter Full Unprovision

Select yes to Reset network settings.

Wait until the Main Intel® AMT Configuration is displayed.

Exit

---------

From the MEBx Main Menu, click MEBx Login, and type your password. The Default is admin.

Click over Intel® AMT Configuration

Scroll down and select Remote Setup and Configuration

Select TLS PKI

Select PKI DNS Suffix, and hit Enter.

Type your PKI DNS Suffix, and hit Enter.

The new Window will display the new PKI DNS Suffix.

Then, keep pressing Exit until you close MEBX.


At this point, the Endpoint will be in Admin Mode with the company PKI DNS Suffix.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Reply