I have an Intel® EMA v1.12.1.0 server and have successfully provisioned an endpoint in Admin Control Mode with a PKI certificate.
The AMT Profile has the following configurations :
- General : Always Use Intel® AMT CIRA
- FQDN Source : Shared with host OS
- IP Address : From the DHCP Server
I try to have CIRA connect but still can't after following the troubleshooting guide here :
Here is the EMA Configuration Tool output from the endpoint :
Intel EMA Configuration Tool
Application Version: 1.1.0.183
Scan Date: 2024-05-14 12:42:37
*** Host Computer Information ***
Computer Name: [REDACTED] (endpoint)
Manufacturer: HP
Model: HP ProDesk 600 G3 SFF
Processor: Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz
Windows Version: Microsoft Windows 11 Éducation
BIOS Version: P07 Ver. 02.46
UUID: 019B152B-15FF-FA7B-8903-581568888D0B
*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Standard Manageability
SMBIOS ME Version: 11.8.92.4222
KVM Supported: False
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True
*** ME Information ***
Version: 11.8.92.4222
SKU: Intel(R) Standard Manageability
State: Provisioned
Control Mode: Admin
Driver Installed: True
Driver Version: 2406.5.5.0
PKI DNS Suffix: Not Found
LMS State: Running
LMS Version: 2406.5.5.0
MicroLMS State: NotPresent
EHBC Enabled: False
*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: True
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: False
RSE Enabled: False
*** Power Management Capabilities ***
Supported Power States:
5: PowerCycle_Off_Soft
8: Off_Soft
2: On
10: Master_Bus_Reset
11: NMI
7: Hibernate
12: Off_Soft_Graceful
14: MasterBusReset_Graceful
Power Change Capabilities:
2: On
3: SleepLight
4: SleepDeep
7: Hibernate
8: Off_Soft
*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED
*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: [REDACTED]
MAC Address: 40:B0:34:F8:0F:05
DHCP Enabled: True
DHCP Mode: Passive
DNS Suffix (from OS): [REDACTED] (sub.domain.org)
*** ME Wireless Network Information ***
ME Wireless Interface Not Detected
*** Root Certificate Hash Entries ***
[REDACTED]
I checked that all DNS suffixes match; the EMA server DNS name, the PKI certificate DNS suffix, DHCP option 15 and the endpoint DNS suffix all match.
For example :
EMA Server DNS : intel-ema.sub.domain.org
PKI Certificate : CN=intel-ema.sub.domain.org
DHCP option 15 : sub.domain.org
Endpoint FQDN : endpoint.sub.domain.org
I am a bit out of ideas as to what is blocking CIRA ...
Hello, No,
I reviewed the specifications of the endpoint HP ProDesk 600 G3 Small Form Factor and found some of the following:
- HP website is saying only Windows 7, 8, and 10; the lack of fully compatible drivers could be blocking the connection.
- In addition, there is a higher BIOS revision available. It improves the connection and security.
HP ProDesk 600 G3 Small Form Factor PC – BIOS version 00.02.49 Rev.A
https://support.hp.com/us-en/drivers/hp-prodesk-600-g3-small-form-factor-pc/15292277
- Is the endpoint in the same domain as the EMA server?
- Please tell me about the certificate. Is it a vPro Certificate from any of our Authorized vendors? The Root, intermediate, and leaf should be SHA256 or higher (Review it from IIS).
- In addition, please tell me about the OS of the server. The endpoint is old and does not support the latest secure Cipher suites. Use an IIS crypto software such as Nartac in the Server machine and enable at least TLS_RSA_with_AES_128_GCM_SHA256.
Look forward to your outcome and details.
Regards,
Miguel C.
Intel Customer Support Technician
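
The two server-side checks requested in the reply above (signature hash of every certificate in the chain, and whether the named cipher suite is enabled) can be run from PowerShell. This is an added example, not part of the original post or of Intel EMA; it assumes the EMA certificate sits in the `LocalMachine\My` store, as IIS-bound certificates usually do, and `$Thumbprint` is a placeholder.

```powershell
# Added example: run in an elevated PowerShell session on the EMA / IIS server.
# Placeholder: replace with the thumbprint of the certificate bound to the EMA site.
$Thumbprint = '<THUMBPRINT-OF-EMA-CERTIFICATE>'

# Assumption: the certificate is in the machine's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# Build the chain and skip revocation lookups so the check also works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($cert)

# One row per chain element (leaf first, root last) with its signature algorithm.
$chain.ChainElements | ForEach-Object {
    $c   = $_.Certificate
    $alg = $c.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha384RSA, sha1RSA
    [pscustomobject]@{
        Subject   = $c.Subject
        Signature = $alg
        NotAfter  = $c.NotAfter
        BelowSha256 = $alg -match 'sha1|md5'
    }
} | Format-Table -AutoSize -Wrap

# Schannel cipher suite named in the reply; -Name matches partial names,
# so filter for the exact suite afterwards.
$wanted = 'TLS_RSA_WITH_AES_128_GCM_SHA256'
$suite  = Get-TlsCipherSuite -Name $wanted | Where-Object { $_.Name -eq $wanted }
if ($suite) {
    "Cipher suite enabled: $($suite.Name)"
} else {
    "Cipher suite NOT enabled: $wanted"
}
```

Any row with `BelowSha256` set to `True` identifies the chain element that does not meet the SHA256-or-higher requirement.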
Hi Miguel, thank you for your quick reply.
This is indeed an older PC that I use to test the integration of our EMA server.
As suggested I have upgraded the BIOS version to : P07 Ver. 02.49
> [...] the lack of fully compatible drivers could be blocking the connection.
I used HP software to check that drivers are up to date, let me know if there are additional verifications I can make to ensure this is not the source of the problem.
> Is the endpoint in the same domain as the EMA server?
Yes they both are in the same domain and share the same DNS suffix ( e.g. *.sub.domain.org )
> Please tell me about the certificate. Is it a vPro Certificate from any of our Authorized vendors? The Root, intermediate, and leaf should be SHA256 or higher (Review it from IIS).
It is a vPro certificate issued by Sectigo (https://sectigostore.com/ssl-certificates/amt-certificate)
Intel EMA (Sectigo) certificate is SHA256 and the 2 above are SHA384.
> In addition, please tell me about the OS of the server. The endpoint is old and does not support the latest secure Cipher suites. Use an IIS crypto software such as Nartac in the Server machine and enable at least TLS_RSA_with_AES_128_GCM_SHA256.
The EMA server OS is Windows Server 2022 Standard ( Version 21H2 - Build 20348.2402 )
I will check to enable TLS_RSA_with_AES_128_GCM_SHA256 and report back.
Hello, No,
I am following up on your post, please let me know if I can help you with anything else.
Regards,
Miguel C.
Intel Customer Support Technician
I have verified the server and TLS_RSA_WITH_AES_128_GCM_SHA256 is enabled and available.
Are there any client logs I can extract to debug this further ?
Hello, No,
Nice to hear from you again.
Yes, there are logs from the endpoint that we can gather. In addition, please send me the Server logs (especially the Swarm and the Manageability logs).
EMA logs from the Server
Default Path: [System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs
Please send me the files without the date called:
EMAlog-Webserver.txt
EMAlog-Swarmserver.txt
EMAlog-Manageabilityserver.txt
EMA log from the endpoint:
Default Path: [System drive]\Program Files\Intel\EMA Agent\EMAagentlog
Look forward to your answer.
Regards,
Miguel C.
Intel Customer Support Technician
Hello, No,
I hope you are doing well.
By any chance, have you been able to gather the Server and endpoint logs?
Regards,
Miguel C.
Intel Customer Support Technician
Hello Miguel,
Sorry for the delay, I have checked the server logs but there doesn't seem to be anything related in these, just a few unrelated lines that seem like normal operations.
And unfortunately there are no logs on the endpoint at the specified location.
Hello, No,
Do you mind sending me via community or private message the server logs?
Please send me the files without the date called:
EMAlog-Webserver.txt
EMAlog-Swarmserver.txt
EMAlog-Manageabilityserver.txt
Look forward to hearing back from you.
Regards,
Miguel C.
Intel Customer Support Technician
EMALog-ManageabilityServer
2024-05-27 01:33:01.0667|INFO||9704|20|TimerCleanupElapsed - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [0] - Message:Performing database cleanup.
2024-05-27 05:33:00.0803|INFO||9704|22|TimerFileUploadCleanupElapsed - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [0] - Message:Performing orphan files cleanup.
2024-05-27 05:33:02.5650|INFO||9704|10|TimerCleanupElapsed - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [0] - Message:Performing database cleanup.
2024-05-27 09:33:04.0694|INFO||9704|29|TimerCleanupElapsed - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [0] - Message:Performing database cleanup.
EMALog-SwarmServer
2024-05-25 05:32:42.6987|INFO||9920|10|UpdateAgentStore - MeshServer.AgentVersionControl, EMASwarmServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - Pulled Agent: Type=2, Version=11200, Time=2024-02-01 4:39:36 PM, size=4217536
2024-05-25 05:32:45.9955|INFO||9920|10|UpdateAgentStore - MeshServer.AgentVersionControl, EMASwarmServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - Pulled Agent: Type=4, Version=11200, Time=2024-02-01 4:39:36 PM, size=4403904
2024-05-25 05:32:46.0893|INFO||9920|10|.ctor - MeshServer.CentralServer, EMASwarmServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - EVENT: ServerStart, 1
2024-05-25 05:32:46.1361|INFO||9920|13|<RunReceivedMessageProcess>b__65_0 - MeshServersCommon.code.TcpStack.MessageManager, EMAServersCommon, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - Received ServerState for server type 1 id 1 with state STARTING.
2024-05-25 05:35:17.1560|INFO||9920|13|<RunReceivedMessageProcess>b__65_0 - MeshServersCommon.code.TcpStack.MessageManager, EMAServersCommon, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - Received ServerState for server type 1 id 1 with state AGENT_START. Endpoint count is 1. Endpoint id list is DE2A04A28789936DF0AF667C97AD1FA3BD9A740B09242B48F36979214574E908.
EMALog-WebServer
2024-05-27 09:40:56.8806|INFO||9208|1|SetupBackendLogger - MeshWebCore.WebApi.WebApiConfig, EMAWebCore, Version=1.12.1.0, Culture=neutral, PublicKeyToken=null - EVENT: Information, Web API server is starting up.
Hello, No,
Thank you for sharing the logs.
They are almost empty. Please tell me about the database, which SQL version you are using, and location. Also, tell me where Windows Server 2022 is installed.
Regarding the Certificate issue, we could set a web meeting; I will try to help you fix the SHA1 error. Please send me a private message with your schedule availability.
Regards,
Miguel C.
Intel Customer Support Technician
The database is MSSQL Server 2022 version 16.0.4120.1 residing on the same Windows server as the EMA Server, and this Windows server is installed in a virtual infrastructure on premise.
Hi, No,
Thank you for your quick reply.
I reviewed the issue from scratch and the configuration looks good. I am wondering if you are open to setting up a web meeting. I want to review the certificate closely and try to resolve the issue. I have availability tomorrow (5/29) at 12 PM US PST.
I am adding a summary of your environment, please let me know if something is wrong or missing.
Windows Server 2022 standard
MSSQL Server 2022 version 16.0.4120.1
Virtual machine with both
EMA 1.12.1.0
Admin Control Mode
Certificate: Sectigo
Remote Provisioning – DHCP DNS matches the EMA domain.
Endpoint in the same server domain: Yes
Certificate: Sectigo
Pictures show 4 lines
It is showing the AAA as SHA1
Endpoint:
Model: HP ProDesk 600 G3 SFF
BIOS Version: P07 Ver. 02.46 (02.49)
Windows 11 (not supported as per HP website)
https://support.hp.com/us-en/drivers/hp-prodesk-600-g3-small-form-factor-pc/15292277
Wind 11
ME: 11.8.92.4222
LMS State: Running
LMS Version: 2406.5.5.0
PKI DNS Suffix: Not Found
Intel® Standard Manageability
State: Provisioned
Control Mode: Admin
Network: wired
I look forward to your reply.
Regards,
Miguel C.
Intel Customer Support Technician
Information looks good, I am available for a meeting tomorrow at that time.
Hi, No,
I am going to send a private message with the invite. See you soon.
Regards,
Miguel C.
Intel Customer Support Technician