Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Change CCM mode to ACM.

alex00900
Beginner
5,182 Views

Hello.

We have a problem with the AMT setup.

We can configure HBP without any problems.

But we can't configure TLS-PKI.

We created a self-signed certificate according to the requirements, with the addition of an OID and made a chain.

We entered the DNS suffix PKI server-ema.it-ktk.local.

And entered the fingerprint of the root certificate.

But the AMT status hangs on Pending Activation.
How to enable Admin Control correctly?

11 Replies
MIGUEL_C_Intel
Moderator
5,153 Views

Hello, alex00900,


The self-certificate option is tricky; it requires some extra steps due to the encryption requirements of the Certificate chain - SHA2. The root and the cert need to be SHA256. Then, it is necessary to manually install the certificate hash in the endpoint. Please be aware this process needs to be done on every single endpoint.


First, review if both are SHA256. 

Open the Microsoft Manage Computer Certificates app, and open the Certificate folder of the Certificate-Local Computer>Personal.

Open the Certificate

Go to the Certification Path tab.

Select the Root Cert and press the View Certificate icon.

In the new window, select the Details tab.

Make sure it is SHA256. 


Upload the Certificate chain in the EMA console Settings tab.  You should see both lines of the Certificate.


If both are SHA256, it is necessary to perform the steps below.

Hash manual installation using the USBFile.exe tool.  Endpoints with Intel® vPRO come with pre-installed hashes of Authorized Certificate vendors.

It is possible to download it from Intel® Active Management Technology SDK.

https://software.intel.com/content/www/us/en/develop/download/intel-active-management-technology-sdk.html


Note: 

USB drive needs to be formatted as FAT (FAT32 and UEFI are not supported)

AMT configuration via USB option needs to be activated in the BIOS of the endpoint.


Finally, add the PKI DCS suffix in the endpoint.


If the issue continues, please share pictures of the Certificate chain (both lines) from the Details tab showing the SHA type.

Add a picture from the settings tab of the EMA console showing the Certificate installation.

And share the results of running the EMA Configuration tool (ECT), which will show the hash inclusion.


Intel® EMA Configuration Tool (ECT)

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

 

Installation:

Download and unzip the tool.

Double-click the .msi file and follow the prompts.

Run:

a- Open a command prompt (alternatively, you can run the tool from Windows PowerShell*) as administrator.

b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c- Run the command: EMAConfigTool.exe --verbose


Regards,

Miguel C.

Intel Customer Support Technician


alex00900
Beginner
5,146 Views

Hello, thanks for your reply. We tried to use the USBFile.exe tool but couldn't find a suitable libcrypto.dll, taken from OpenSSL.

All our certificates have SHA256. We have made a chain and added it to the EMA server.

Error in the attached screenshot.

Do we need a specific version of the libcrypto.dll file?
We renamed it and dropped it into a folder with USBFile.exe.

We executed the command USBFile.exe -create setup.bin passMEBx passMEBx -amt -hash SERVER-EMA-CA.cer SERVER-EMA-CA sha256

MIGUEL_C_Intel
Moderator
5,118 Views

Hello, alex00900,


The case will require further investigation by the engineering team.  Please send me in a private message the self-certificate that you created. 


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Moderator
5,051 Views

Hello, alex00900,


I got the private message with the self-cert.  Intel® AMT does not support the .local domain.  I am sending the Certificate requisites.


PKI Certificate Verification Methods

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm


Regards,

Miguel C.

Intel Customer Support Technician
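
As an added example (not part of the thread and not Intel tooling), the PowerShell function below scripts the checks described in the replies above: a SHA256 signature on every chain element, the SHA256 hash of the root certificate, and the leaf name compared with the PKI DNS suffix, with .local flagged. The function name, the CN-under-suffix rule and the default EKU OID are assumptions of this example.

```powershell
# Added example, not Intel tooling. Run on the machine whose stores hold the chain.
function Test-AmtProvisioningChain {
    param(
        [Parameter(Mandatory)][string]$LeafPath,   # exported leaf certificate (.cer)
        [Parameter(Mandatory)][string]$DnsSuffix,  # PKI DNS suffix set on the endpoint
        # Assumption: Intel AMT remote-configuration EKU OID; confirm it against
        # the certificate requirements linked in the thread.
        [string]$AmtOid = '2.16.840.1.113741.1.2.3'
    )
    # Signature algorithm OIDs for sha256RSA and ecdsa-with-SHA256
    $sha256SigOids = '1.2.840.113549.1.1.11', '1.2.840.10045.4.3.2'
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path $LeafPath).Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'  # private CA: only the path matters
    [void]$chain.Build($leaf)                      # elements are listed even if untrusted

    $findings = @()
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        if ($sha256SigOids -notcontains $cert.SignatureAlgorithm.Value) {
            $findings += "Not SHA256-signed: $($cert.Subject) [$($cert.SignatureAlgorithm.FriendlyName)]"
        }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -ne $root.Issuer) {
        $findings += "Chain ends at '$($root.Subject)': self-signed root not found"
    }
    # Leaf common name against the suffix; '.local' is flagged per the thread.
    $cn = $leaf.GetNameInfo('SimpleName', $false).ToLowerInvariant()
    $suffix = $DnsSuffix.ToLowerInvariant()
    if ($cn.EndsWith('.local') -or $suffix.EndsWith('.local')) {
        $findings += "'.local' in CN '$cn' or suffix '$suffix'"
    }
    if ($cn -ne $suffix -and -not $cn.EndsWith(".$suffix")) {
        $findings += "Leaf CN '$cn' is not under DNS suffix '$suffix'"
    }
    $eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @(); if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $AmtOid) { $findings += "EKU lacks OID $AmtOid" }

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    [pscustomobject]@{
        RootSubject = $root.Subject
        RootSha256  = [BitConverter]::ToString($sha256.ComputeHash($root.RawData)) -replace '-', ''
        Findings    = $findings
    }
}
# Example call (placeholder file name and suffix):
# Test-AmtProvisioningChain -LeafPath .\ema-provisioning.cer -DnsSuffix corp.example.com | Format-List
```

An empty Findings list means the chain passed these checks; RootSha256 is the value to compare with the root hash installed on the endpoint.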


alex00900
Beginner
5,044 Views

Hello, thank you for your reply. Please confirm my understanding of how I will start to redo the CA and create a separate domain.

I need to create a certificate so that it has a name, say "intel.it-ktk.ee". Following the table from your link.

Then it will be checked with libcrypto.dll?

And will I be able to proceed to the above written procedure?

MIGUEL_C_Intel
Moderator
5,035 Views

Hello, alex00900,


The domain of the EMA Certificate needs to match the domain of your company. 


I am gathering more details about the libcrypto.dll file.  I will provide an update soon. 


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Moderator
4,869 Views

Hello, alex00900,


We are still working on your case.  


Do you mind confirming the version of the Intel® AMT SDK that you are using?


Latest: Intel® AMT SDK version 16.0.7.1

https://www.intel.com/content/www/us/en/download/704388/intel-amt-sdk.html?cache=1639697797


Regards,

Miguel C.

Intel Customer Support Technician


alex00900
Beginner
4,850 Views

We mainly use versions 12.0.x.

I'm afraid this topic is no longer relevant because of the necessary actions to enable Admin mode.

It is necessary to deploy a new domain, create all the existing infrastructure on it, reconnect all PCs to this domain, then generate a certificate and it will work.

Correct me if I'm wrong.

While we are using the program to turn on the PC.

MIGUEL_C_Intel
Moderator
4,825 Views

Hello, Alex00900,


You are right, it is necessary to create a new domain, Certificate, and provision all the PCs to the new domain.


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Moderator
4,715 Views

Hello, Alex00900,


By any chance, have you been able to work on your EMA configuration?  Please let us know if I can help you with anything else.


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Moderator
4,587 Views

Hello, Alex00900,


I hope this post finds you well.


If further assistance is necessary, do not hesitate to reply.


Regards,

Miguel C.

Intel Customer Support Technician

