Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

How to manage vPro clients using MTLS/TLS Kerberos-based communication

idata (Employee)

Hi vpro Experts,

I have 100+ vPro clients with a mix of AMT 6 and AMT 7 machines. All of them have already been provisioned using the basic SMB / Manual configuration method and are now part of the corporate domain.

I now wish to capitalize on the AMT features like KVM, IDER, SOL, FCFH by securely and remotely managing these provisioned vPro systems using MTLS / TLS Kerberos-based communication with VNC as my management console. My current setup is Windows Server 2008 with roles of ADS, DNS, DHCP, IIS, ADCS along with SCS 8.0 and VNC Plus. I am able to perform most of the AMT features without TLS using the digest MEBx account, however for security reasons my objective is to integrate Kerberos-based authentication and MTLS/TLS communication between the management console (VNC) and the vPro clients.

Could you help me with a high-level breakup of how to achieve this?

In order to achieve the above objectives, please clarify the following as well:

> Do I need to create / purchase any SSL certificates for this purpose?

> If yes, what certificate do I need for implementing MTLS communication for remotely managing the vPro clients for performing jobs like KVM, IDER, SOL, FCFH?

> How can I create an SSL certificate from our internal root CA using the ADCS running on one of the domain controllers for MTLS/TLS communication?

> Am I correct to say that the certificate hashes that are already embedded into the MEBx (like GoDaddy, VeriSign, Comodo etc.) are only used for initial provisioning? Which further means that these external SSL certificates are of no use to me since all my vPro clients are already SMB / Manually provisioned as stated above?

Regards

Mohammed

idata (Employee)

Hi Mohammed,

Have you had a chance to read the User Guide?

Appendices A & B have all the information on setting up your CA and working with the certificates that is needed for Remote Configuration, creating templates, and creating and installing your own certificate.

Greg

idata (Employee)

Hi Greg,

How is it going? Hope all is well at your end. Well, I am still working on it. The user guides are really helpful, as I found them to be an improved version of the earlier documents. However, for some reason I have had to stall the remote configuration testing for a while. I am trying to get my head around using MTLS/TLS Kerberos-based authentication and communication for security reasons, which I found in pages 66-70 of the user guide.

Q: Does that mean, for MTLS/TLS, you don't really have to create a certificate? Do you?

Q: Is setting up a CA and issuing a customised certificate template to the AD (page 170) all you have to do for using MTLS/TLS?

Thanks in advance

Mohammed

idata (Employee)

Hi Mohammed,

Yes, you need to have a certificate for TLS communication.

When doing remote configuration you will need a third-party certificate for provisioning (GoDaddy, VeriSign, etc.) or create your own as explained on pages 178 - 183.

Greg

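Added example (not from this thread, the Intel SCS user guide, or Intel): the question in the original post asks how to get a TLS certificate for a provisioned client out of an internal AD CS CA. The script below does that with the certreq/certutil tools that ship with Windows, on a domain-joined host: it writes a certreq request file for one client, submits it to the enterprise CA, verifies the issued certificate chains to the internal root and is not revoked, and exports certificate plus private key so that the management tooling can install it into the client's AMT. The client FQDN, the CA config string, the template name and the working directory are placeholders; the SAN line uses the `{text}` syntax, which assumes the Windows Server 2008 R2 or later certreq.

```powershell
# Added example, not from the thread or the Intel SCS user guide.
# Requests a TLS server certificate for one AMT client from an internal
# AD CS enterprise CA, verifies it, and exports it with its private key.
# Runs on a domain-joined Windows host with certreq/certutil available.
#
# Everything marked "placeholder" is an assumption made for this example.
$ClientFqdn = "vpro-client01.corp.example"          # placeholder: AMT client FQDN
$CaConfig   = "dc01.corp.example\Corp-Issuing-CA"   # placeholder: "<CA host>\<CA name>", see certutil -dump
$Template   = "AMT-TLS-Server"                      # placeholder: custom template published in AD
$WorkDir    = Join-Path $env:TEMP "amt-tls"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$InfPath = Join-Path $WorkDir "$ClientFqdn.inf"
$ReqPath = Join-Path $WorkDir "$ClientFqdn.req"
$CerPath = Join-Path $WorkDir "$ClientFqdn.cer"
$PfxPath = Join-Path $WorkDir "$ClientFqdn.pfx"

# certreq request definition. Points that matter for an AMT TLS server cert:
#  - Subject CN is the name the console connects to (the client FQDN).
#  - Exportable = TRUE, because the cert and key are installed into the
#    client's AMT firmware, not used on the host that generated them.
#  - Server Authentication EKU (1.3.6.1.5.5.7.3.1).
#  - SAN carrying the DNS name; current TLS clients match on SAN, not CN.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$ClientFqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}dns=$ClientFqdn"

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1. Generate the key pair (in the machine store) and the CSR.
certreq -new $InfPath $ReqPath

# 2. Submit to the enterprise CA. The CA issues immediately if the template
#    allows auto-enrollment; otherwise the request waits for CA manager approval.
certreq -submit -config $CaConfig $ReqPath $CerPath

# 3. Bind the issued certificate to its private key in LocalMachine\My.
certreq -accept $CerPath

# 4. Build the chain to the internal root and check revocation (fetches
#    AIA/CDP URLs). A non-zero exit code means the cert must not be deployed.
certutil -verify -urlfetch $CerPath
if ($LASTEXITCODE -ne 0) { throw "Chain or revocation check failed for $ClientFqdn" }

# 5. Export certificate + key as PFX for the tooling that installs it into AMT.
#    Use a strong passphrase and delete the PFX once it has been imported.
$PfxSecure = Read-Host -AsSecureString "PFX passphrase"
$PfxPlain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxSecure))
certutil -p $PfxPlain -exportPFX my $ClientFqdn $PfxPath
Write-Host "Exported $PfxPath for $ClientFqdn"
```

The same flow, with the EKU changed to Client Authentication (1.3.6.1.5.5.7.3.2), `Exportable = FALSE`, and a subject naming the console host or the operator account, produces the client-side certificate that mutual TLS needs on the management console. Rather than the per-client request file shown here, the template itself can supply the EKU and subject rules, which is the "customised certificate template" route the thread refers to; in that case only the `CertificateTemplate` line and the subject are needed.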