Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

HP CAE and v-pro, using PKI mode

idata
Employee

I have a question regarding an HPCAE OOBM and vPro device implementation in TLS-PKI mode.

What we have tested:

  1. Server side: HP dc7800 mini tower workstation, Windows 2003 R2 32-bit, HPCAE 7.9, SQL 2005, MS Certificate Services Enterprise CA, SCS 5.3 (within the HPCAE 7.9 image), domain controller, DNS, DHCP server, IIS 6

  2. Client: HP dc7800 mini tower workstation, Windows 7, OOBM agent, AMT ME 3.2.20 (upgrade from 3.0/1?), HPCAE agent

  3. Security settings:

     • Secured connection to IIS using SSL for the SCS server (install a certificate on IIS)

     • Secure access between OOBM and SCS (root certificate to the Java key store)

     • On the client ME: enterprise root CA, TLS-PKI mode

What we reached:

  1. vPro device provisioned in SCS (please view picture 001.jpg)

  2. vPro device detected in HPCAE OOBM (see 002.jpg)

  3. HPCAE OOBM remotely powers on/off remote vPro devices in non-TLS mode (or, say, TLS-PSK mode)

The problem we are facing:

I. HPCAE OOBM failed to connect to the remote device in TLS-PKI mode with secured OOBM settings.

II. For the error, see picture err01-2.jpg.

III. In the log file there is something like this, which prevents us from moving further:

Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(Unknown Source)
    at java.io.BufferedInputStream.fill(Unknown Source)
    at java.io.BufferedInputStream.read(Unknown Source)

Question:

  1. Does anybody have an idea about this problem?

Keith_G_Intel
Employee

Hi Edward,

Thank you for your post. We are currently experiencing a similar issue with HPCA and are working with HP to resolve the issue.

Just to confirm, all servers are Windows 2003 R2 version, correct?

Thank you,

Keith

idata
Employee

Hi,

First of all, yes, Windows 2003 R2 is our server platform. (We certainly wish we were using Win2008, and we did, with a similar problem; since the Intel/HP manual mentioned using Win2003 R2, we use it. Meanwhile, SQL 2008 failed to work - it stopped at the SCS installation phase - so we use SQL 2005.)

Meanwhile, following my previous post, we enabled mutual authentication, and the latest error, which we encounter when we click the device in HPCAE OOBM, is:

"javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca"

So we are looking at the certificate authority documents... vPro device -> SCS -> HPCAE server -> console.

If someone has good knowledge/documents/ideas to share in the certificate authority field, we would appreciate it. Say, in an Enterprise CA environment:

1. In the vPro firmware, besides the root CA, does any other certificate need to be pre-input?

2. In the vPro device's client OS, like Windows 7, is a certificate needed?

3. SCS IIS server: server certificate?

4. HPCAE Tomcat server: root CA and client CA?

5. Does HPCAE need to enable SSL in the configuration interface?

6. HPCAE console?

And what if we only use one server to play the roles of SCS/HPCAE/console...
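
Added example (not part of the thread and not HP or Intel code): the unknown_ca alert quoted in the last post is what a TLS peer sends when the certificate presented to it does not chain to a root in that peer's trust store, and the Java wording "Received fatal alert" means the remote side sent it. The script below reproduces that check offline with the openssl command-line tool. Every CA name, host name and file name in it is constructed for illustration, and it assumes openssl and mktemp are installed.

```shell
#!/bin/sh
# Constructed lab PKI: all names and files here are made up for illustration.
set -e

# make_ca <prefix> <CN>: self-signed root (stands in for an Enterprise CA root)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_cert <prefix> <ca-prefix> <CN>: certificate signed by the given CA
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# check_trust <trust-store.pem> <cert.pem>
# Prints: trusted | unknown_ca (issuer not in the store) | other_failure
check_trust() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo trusted; return 0; }
    case "$out" in
        *"unable to get local issuer certificate"*) echo unknown_ca ;;
        *) echo other_failure ;;
    esac
}

# demo: the same console certificate checked against two trust stores
demo() {
    dir=$(mktemp -d) && cd "$dir"
    make_ca enterprise-root "Lab Enterprise Root CA"
    make_ca other-root "Unrelated Root CA"
    issue_cert console enterprise-root "console.lab.example"
    echo "peer trusts other root only:  $(check_trust other-root.pem console.pem)"
    echo "peer trusts enterprise root:  $(check_trust enterprise-root.pem console.pem)"
    cd / && rm -rf "$dir"
}

demo
```

Running check_trust with the root store a peer actually uses and the certificate a component presents shows, before any handshake, whether that link of the chain would be rejected.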