Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

EMA Server / Client with vpro won't finish configuration for PKI certificate.

Mike_Modality
Beginner

Hello,

I'm trying to deploy vPro / EMA. I have an off-net server running the EMA server with an AMT certificate installed. When I install the EMA agent on a device and install the necessary .msh file, it connects and I can reboot the system, but its provisioning is pending configuration.

Any help with this would be greatly appreciated.

Here is some information about the setup.

Server is Server 2022 - I have enabled older SSL protocols for testing.

**removed**

**removed**
On the client side, I see this error when it tries to connect.

[2023-05-04 01:46:48.411 PM] \Agent\MeshManageability\agent\microstack\ILibAsyncSocket.c:505 internalSocket ERROR: 0. Last error: 0

2023-05-04 11:52:21.9499|INFO||6740|50|PerformRound2Provisioning - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.10.1.0, Culture=neutral, PublicKeyToken=**removed**- [1] - Message:AMT Profile detected : (***removed***,5C675EE9).
2023-05-04 11:53:08.0998|WARN||6740|50|PerformRound2Provisioning - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.10.1.0, Culture=neutral, PublicKeyToken=***removed***- [1] - Warning:Unable to connect to Intel AMT computer for round 2, 127.0.0.1:50250
2023-05-04 11:53:08.0998|WARN||6740|50|PerformRound2Provisioning - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.10.1.0, Culture=neutral, PublicKeyToken=***removed*** - [1] - Warning:(Host=127.0.0.1, Computer=***removed***, Domain=, Tls=True, Endpoint=(***removed***,5C675EE9), User=SYSTEM, UserId=00000000-0000-0000-0000-000000000000)
2023-05-04 11:53:08.0998|WARN||6740|50|AttemptPhase1 - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.10.1.0, Culture=neutral, PublicKeyToken=***removed*** - [1] - Failed PKI provisioning : (***removed***,5C675EE9).

33 Replies
MIGUEL_C_Intel
Employee

Hello, Mike_Modality,


I hope this message finds you well.


By any chance, have you been able to work on my last request?


Look forward to your response; if there is no response to this email, I will send you a follow-up on 5/25/2023.


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Employee

Hello, Mike_Modality,


If further support is necessary, do not hesitate to reply.


Regards,

Miguel C.

Intel Customer Support Technician


Mike_Modality
Beginner

Hey Miguel.

Thank you for your support so far. It just got a little busy, so I didn't have time to respond. I did some other testing with another system and have some interesting results.

I have a device, an M80Q, that I tested the vPro provisioning on, running Intel AMT version 14.0.33, and it provisioned 100% correctly. The certificate went through, CIRA connected, and I have full access to everything that I was expecting. Same configuration as for the other systems.

So, a brief summary then:

Intel AMT v9.1.0 - Provisions, but CIRA will not connect with the latest version of vPro due to the AMT version of the client - clear and understood.

Intel AMT v14.0.33 - Provisions properly with CIRA connecting; everything works great.

Intel AMT v16.0.15 - Does not provision; has a PKI provisioning failure with cert_verify_error.

This helps a ton in narrowing down the issue, I think? Let me know if you need me to continue with the items from your previous request and I'll get that information to you.

MIGUEL_C_Intel
Employee

Hello, Mike_Modality,


It is my pleasure to assist you.


Intel improved the hardware security for all the new machines and only TLS 1.2 (HTTPS) is supported.  This security is included in the firmware of the motherboard, and it affects the type of supported Certificates.  This improvement started with AMT 15.  I am including some documentation about the changes.


Root Certificate Hashes

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/rootcertificatehashes.htm


Please send me the pictures of the Certificate chain; I will validate it.


Go to the Settings tab of the EMA web console (tenant account).

From the details tab of the root, intermediate, and leaf; validate if they comply with SHA2 (2048bits). (share a picture for internal investigation).


Finally, for our records, please let me know the SQL version you are running and where it is installed. In the case of using Azure, please confirm whether you are using the Azure SQL app or created a VM and installed the database in it.


Intel® EMA supports machines with AMT 11.8 and higher versions; older versions can be configured and accessed with limitations. 


Look forward to your response.


Regards,

Miguel C.

Intel Customer Support Technician


Mike_Modality
Beginner

Hey Miguel.

We're using SQL Express 2022 on a VM through our own Hyper-V.

As for the certificates, I do not have a details section within the tenant admin where it shows the certificates. If you would like, as I have them installed in the cert manager on the server, they're the same ones I posted before; that has not changed. Do you want details of the chain off of the cert manager, or is there somewhere else I should be looking in the EMA portal?

MIGUEL_C_Intel
Employee

Hello, Mike_Modality,


I requested the pictures from the settings tab of the EMA web console; however, I was referring to the personal store folder of IIS.  The settings tab shows how the Certificate chain is recognized by EMA.


Open the Certificate chain:

From the details tab of the Sectigo, USERTrust RSA Certification Authority, Sectigo RSA Domain Validation Secure Server CA, and Comodo AMT Cert (4 lines); validate if they comply with SHA2 (2048bits). (Share a picture for internal investigation).


Look forward to your response.


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Employee

Hello, Mike_Modality,


I hope this email finds you well.


Adding to my previous post.  Please send me a picture of what you see from IIS. For security reasons, please send me the information in a private message.


1- Go to the EMA server

2- Open the tool called Manage Computer Certificates

3- Right-click over the personal folder

4- Select Find Certificates

5- In the contains box, type the Certificate manufacturer (Sectigo)

6- In Look in field: Select Issued by

7- Then, Hit Find now.

Please expand the columns: Issued to, Issued by, Intended Purposes


Do the same for: 

In the contains box, type Certificate Manufacturer name

In the Look in field: Select SHA1 Hash


In my previous post, I requested the following:

Pictures from the personal store folder of IIS. The settings tab shows how the Certificate chain is recognized by EMA.

Open the Certificate chain:

From the details tab of the Sectigo, USERTrust RSA Certification Authority, Sectigo RSA Domain Validation Secure Server CA, and Comodo AMT Cert (4 lines); validate if they comply with SHA2 (2048bits). (Share a picture for internal investigation).


Look forward to your response.


Regards,

Miguel C.

Intel Customer Support Technician


Mike_Modality
Beginner

Hey Miguel.

I apologize that I haven't had a chance to send that in yet. I've just been a bit slammed and will follow up early next week with the screenshots you requested (it's the 2048, but I'll make sure you can see it).

MIGUEL_C_Intel
Employee

Hello, Mike_Modality,


Thank you for your quick response.  I will be waiting for your answer. 


Regards,

Miguel C.

Intel Customer Support Technician


Mike_Modality
Beginner

Thank you for your patience.

I've attached the screenshots of the General and Details tabs from each part of the chain and the chain itself. Let me know if any of the relevant parts you need in Details are not in the image and I'll grab that.

MIGUEL_C_Intel
Employee

Hello, Mike_Modality,


I hope this email finds you well.  I appreciate your quick reply with the pictures.


There is an issue with the chain of the Certificate. The Sectigo (AAA) is SHA1, and we need a full Certificate chain of SHA2.


Please perform the following:

Go to IIS, and erase Sectigo (AAA) from all the folders of IIS. Before doing it, import this root (keep a copy of it).

Then, restart IIS and finally restart EMA Server.


Hopefully, it will resolve the issue.


I look forward to hearing from you.


Regards,

Miguel C.

Intel Customer Support Technician


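The check Miguel asks for above (every element of the chain SHA-2 with a 2048-bit key, and which store entry is the SHA1 root to remove) can be done from PowerShell on the EMA server instead of by screenshots. This is an added example, not code from the thread or from Intel EMA; it assumes the leaf is located by issuer name ('Sectigo' is taken from the thread) and that it lives in the machine Personal store IIS uses.

```powershell
# Added example (not from the thread): report signature hash and RSA key size for
# every element of the chain the EMA/IIS server certificate resolves to.
# Assumptions: elevated PowerShell on the EMA server; issuer name and store path
# below are the thread's values, adjust for your CA / store.
param(
    [string]$IssuerMatch = 'Sectigo',
    [string]$StorePath   = 'Cert:\LocalMachine\My'   # IIS "personal" store
)

function Get-ChainReport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'   # server is off net, see thread
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $null = $chain.Build($Leaf)

    foreach ($el in $chain.ChainElements) {
        $c    = $el.Certificate
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
        $sig  = $c.SignatureAlgorithm.FriendlyName       # e.g. sha256RSA or sha1RSA
        $bits = if ($rsa) { $rsa.KeySize } else { 0 }    # 0 = not an RSA key
        [pscustomobject]@{
            Subject    = $c.GetNameInfo('SimpleName', $false)
            Issuer     = $c.GetNameInfo('SimpleName', $true)
            SigAlg     = $sig
            KeyBits    = $bits
            Thumbprint = $c.Thumbprint                    # the "SHA1 Hash" column in certmgr
            Weak       = ($sig -match 'sha1') -or ($bits -lt 2048)
        }
    }
}

# Same search as certmgr "Find Certificates" with "Issued by" contains <CA name>.
$leaves = Get-ChildItem $StorePath | Where-Object { $_.Issuer -like "*$IssuerMatch*" }
if (-not $leaves) { Write-Warning "No certificate issued by *$IssuerMatch* in $StorePath"; return }

foreach ($leaf in $leaves) {
    "`nChain for: $($leaf.Subject)"
    $report = Get-ChainReport -Leaf $leaf
    $report | Format-Table Subject, Issuer, SigAlg, KeyBits, Thumbprint, Weak -AutoSize
    $weak = $report | Where-Object Weak
    if ($weak) { Write-Warning ("Not SHA-2/2048 throughout: " + ($weak.Subject -join ', ')) }
    else       { "Chain is SHA-2 with 2048-bit or larger RSA keys throughout." }
}
```

The Thumbprint column is what to match in the "SHA1 Hash" search from the earlier post; rerun the script after removing a root and restarting IIS to confirm the chain now resolves without the flagged element.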
Mike_Modality
Beginner

Hello Miguel.

Import what root? Do you have a SHA2 version of that root available? Their website only has the SHA1 available, and if I just try to remove the root on its own, naturally it just comes back after a restart as it's part of the chain. That root comes in from the vPro certificate.

MIGUEL_C_Intel
Employee

Hello, Mike_Modality,


Thank you for your quick reply with the results of erasing the SHA1 section of the Certificate. I am working with the engineering team; an answer will be provided soon. I mentioned importing the SHA1 yesterday by mistake; the correct process was exporting it (keep a copy of it).


Regards,

Miguel C.

Intel Customer Support Technician

