Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel EMA / CIRA not connected

ManuelK1
Beginner

Hello


I'm still trying to set up a self-hosted Intel EMA server. I've tested with one client in LAN during the last months and now I wanted to migrate it to a new production server:

I've still bought a valid SSL cert for my vPro URL from comodo/sectigo (redacted with amt.domain.tld below) and installed it. It's listed in the certificates list inside EMA with the blue PKI tag.


I've created a tenant, a tenant admin and an endpoint group with a new AMT profile "AlwaysCIRA" - Always use CIRA because my clients are managed through WAN and there is no LAN access.


I've also created a dhcp user class and custom option 15 to fake match the domain with the amt server url. ("amt.domain.tld") ipconfig /all is showing amt.domain.tld correctly as domain suffix.

I've re-installed my test client (which was already working with CIRA at the test server) but I'm unable to get it working with CIRA again.


The current state of the client is

Intel ME 16.1.27.225 Admin Control Mode

CIRA selected: No (<- why??)

Intel AMT setup status: Provisioning Completed

Interface: IP 10.0.0.x / amt.domain.tld


Power On

Connected

CIRA Not Connected


When clicking Provisioning it does not show an Intel AMT profile (NONE) (<- why? I've configured and selected it!)

Activation Method: Certificate Provisioning (TLS-PKI)

[x] TLS Security

[ ] CIRA tunnel


Available Certificates: [x] amt.domain.tld


Provisioning Status: Intel AMT provisioned

Provisioning Record State: Provisioning Completed


I've already tried to unprovision (with AcuConfig), uninstalling / reinstalling.


I'm using EMA v1.12.1.0 (the test server was 1.11.x when I was able to join the test machine successfully the last time; I did the upgrade to 1.12 afterwards IIRC)

ManuelK1
Beginner

Hello Miguel,

today I've added another client to my test-setting and now have 1 test server with 1 test client (working with CIRA) and another 1 prod server with 1 prod client (NOT working with CIRA).


I've compared the logs from EmaLog-ManageabiltyServer.txt, replaced the variable parts (Client ID, Client name) and found 2 interesting differences.

Some remarks on the screenshot: It's a Beyond Compare between the 2 provisioning logs.

-) On the left side - my test EMA server with the additional SHA 1 certificate (AAA Certificate Services) and a successful CIRA connection

-) On the right side - my prod EMA server without SHA1 certificate (1 line missing compared to left)

-) missing value in line Message:ConfigurationServerFQDN not set <- why is it missing? Where does the value come from? It should be (the redacted) amt.domain.tld which is configured as "CIRA Server Host" and "Ajax Server Host".

-) second attempt (?) on Configuring redirection port <- why?

-) The certificate and host name is the same for both servers (it's a split dns config in separate networks)

-) The client is during testing in the same LAN/subnet as the ema server for test and prod!


Reply to your previous questions: I've verified the AMT profile settings with your screenshots, I didn't find any differences.

The fake domain suffix was successfully created (randomly).

I've already done full unprovisioning and configured the hostname manually without success (question: Do I need to specify the port? -> amt.domain.tld:8080 or just amt.domain.tld)

MIGUEL_C_Intel
Moderator

Hello, ManuelK1,


I reviewed the information provided and I believe the issue is related to the network configuration.  The DNS of the DHCP option 15 is not matching the DNS (PKI DNS suffix) of the EMA Server or something is blocking the communication.


If the Certificate chain matches the encryption SHA256 we should be able to provision the endpoints in Admin Mode.  I suggest validating this by entering the PKI DNS suffix manually in the MEBx BIOS of the endpoint.  Keep the Network Access Setup option disabled.  I encourage you to follow the provisioning method for Laptops (LAN-less machines).


Intel® Endpoint Management Assistant (Intel® EMA) Configuring LAN-less Endpoints to ACM https://downloadmirror.intel.com/646990/Configuring_LAN-less_Endpoints_to_ACM.pdf


I want to validate the supported Domains for Intel® EMA.  The EMA domain needs to end with .com or .net usually.  There are exceptions for country and geography. The full list is available in the link below:


PKI Certificate Verification Methods

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm


If the issue continues with this test, please send me screenshots of how the Certificate chain looks in the EMA settings tab and the ECT log from the endpoint after the changes.


Regards,

Miguel C.

Intel Customer Support Technician



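The consistency rules the reply above asks to verify (the DNS suffix the endpoint sees versus the domain on the provisioning certificate, a SHA-256 chain, and the .com/.net domain rule), written out as an added pre-flight check in Python. This is example code written for this page, not code from Intel EMA or from anyone in the thread; the `ChainCert` model, the `preflight` function and all names and values are constructed, and Intel's country/geography TLD exception list is not replicated.

```python
"""Pre-flight consistency check for Intel AMT TLS-PKI provisioning inputs.

Added example, not Intel EMA code: the DNS suffix the endpoint sees (DHCP
option 15 or the PKI DNS suffix typed into MEBx) must match the domain on
the provisioning certificate, the chain must be SHA-256 signed, and the
domain should end in .com/.net unless on Intel's exception list (not
replicated here). All names and values below are constructed.
"""
from dataclasses import dataclass, field

COMMON_PKI_TLDS = (".com", ".net")  # per the reply above; exceptions exist


@dataclass
class ChainCert:
    """Minimal model of one certificate in the chain (hypothetical type)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)
    sig_alg: str = "sha256WithRSAEncryption"


def cert_domains(leaf):
    """DNS names carried by the leaf certificate, normalised to lower case."""
    names = [leaf.subject_cn] + list(leaf.san_dns)
    return sorted({n.lower().strip(".") for n in names if n})


def suffix_matches(endpoint_suffix, leaf):
    """True when the suffix equals a cert name or is a parent domain of one."""
    s = endpoint_suffix.lower().strip(".")
    return any(d == s or d.endswith("." + s) for d in cert_domains(leaf))


def preflight(endpoint_suffix, chain):
    """Return findings as strings; an empty list means the inputs agree."""
    findings = []
    leaf = chain[0]  # leaf first, root last
    if not suffix_matches(endpoint_suffix, leaf):
        findings.append(f"suffix mismatch: endpoint sees '{endpoint_suffix}', "
                        f"certificate names {cert_domains(leaf)}")
    for cert in chain:
        if "sha1" in cert.sig_alg.lower():
            findings.append(f"SHA-1 signature in chain: {cert.subject_cn}")
    if not endpoint_suffix.lower().rstrip(".").endswith(COMMON_PKI_TLDS):
        findings.append(f"review TLD of '{endpoint_suffix}': not .com/.net, "
                        "check Intel's PKI domain exception list")
    return findings
```

Run `preflight("amt.domain.tld", chain)` with the leaf certificate first and the root last; every returned string is one thing to fix or review before re-provisioning.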
Victor_G_Intel
Employee

Hello ManuelK1,


We hope this message finds you well.


Do you have any updates for this thread?


Best regards,


Victor G.

Intel Technical Support Technician


MIGUEL_C_Intel
Moderator

Hello, ManuelK1,


We will gladly provide further assistance if necessary; do not hesitate to reply.


Regards,

Miguel C.

Intel Customer Support Technician


ManuelK1
Beginner

Hello Miguel,

currently I don't have time to continue this project. My last try was to set up a fresh server with MeshCentral2 and there I was successfully able to provision my first test client with ACM and CIRA using the same AMT certificate.


After this successful cross-check IMHO the problem is located at the EMA server / configuration and not at the certificate, DNS or ME! Do you agree?


I don't have any more input at the moment and hope that I can continue my work in the next weeks.

It would be *very* *very* helpful if there is a verbose/debug log which I can enable at the EMA server!

