Intel EMA / CIRA not connected

ManuelK1 · ‎01-29-2024

Hello

I'm still trying to setup a self hosted Intel EMA server. I've tested with one client in LAN during the last months and now I wanted to migrate it to a new production server:

I've still bought a valid SSL cert for my vPro URL from comodo/sectigo (redacted with amt.domain.tld below) and installed it. It's listed in the certificates list inside EMA with the blue PKI tag.

I've created a tenant, a tenant admin and a endpoint group with an new AMT profile "AlwaysCIRA" - Always use CIRA because my clients are managed through WAN and there is no LAN access.

I've also created a dhcp user class and custom option 15 to fake match the domain with the amt server url. ("amt.domain.tld") ipconfig /all is showing amt.domain.tld correctly as domain suffix.

I've re-installed my test client (which was already working with CIRA at the test server) but I'm unable to get it working with CIRA again.

The current state of the client is

Intel ME 16.1.27.225 Admin Control Mode

CIRA selected: No (<- why??)

Intel AMT setup status: Provisioning Completed

Interface: IP 10.0.0.x / amt.domain.tld

Power On

Connected

CIRA Not Connected

When clicking Provisioning it does not show a Intel AMT profile (NONE) (<- why? I've configured and selected it!)

Activation Method: Certificate Provisioning (TLS-PKI)

[x] TLS Security

[ ] CIRA tunnel

Available Certificates: [x] amt.domain.tld

Provisioning Status: Intel AMT provisioned

Provisioning Record State: Provisioning Completed

I've already tried to unprovision (with AcuConfig), uninstalling / reinstalling.

I'm using EMA v1.12.1.0 (the test server was 1.11.x when I was able to join the test machine successfully the last time; I did the upgrade to 1.12 afterwards IIRC)

MIGUEL_C_Intel · ‎01-29-2024

Hello, ManuelK1,

I understand you want to create a production environment of Intel® EMA and you are trying to configure remotely an endpoint.

Please let me know if you perform a full unprovision of the endpoint from MEBx before trying the new provision. Intel® Endpoint Management Configuration Tool does not erase previous PKI DNS suffixes.

In the AMT profile, we need to enable CIRA. Intel® EMA offers CIRA or TLS relay. The TLS SSL Certificate is in charge of the provisioning and validation. CIRA Tunnel is necessary for communication.

I understand the Server and endpoint share the same domain (same LAN). Please confirm.

Let me know if you installed the Certificate chain in IIS and EMA settings tab (using the Tenant Admin account). If yes, please validate that each component of the Certificate chain is SHA256.

Gathering an EMA server log will give me more details of the issue.

Default Path:[System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs

Please send me the files without the date called:

EMAlog-Webserver.txt

EMAlog-Swarmserver.txt

EMAlog-Manageabilityserver.txt

Regards,

Miguel C.

Intel Customer Support Technician

ManuelK1 · ‎01-30-2024

Hello Miguel,

yes I did a full unprovisioning before. I tried it with AcuConfig UnConfigure /AdminPassword ... and with reset&reboot through bios.

>I understand the Server and endpoint share the same domain (same LAN). Please confirm.

No, the server is hosted and only reachable through Port 8080 and not in the same LAN.

>Let me know if you installed the Certificate chain in IIS and EMA settings tab (using the Tenant Admin account). If yes, please validate that each component of the Certificate chain is SHA256.

The certificate is installed in IIS and EMA, but the chain is not completely SHA256

Sectigo (AAA) sha1RSA / sha1

USERTrust RSA CA sha384RSA / sha384

Sectigo RSA Domain Validation Secure Server CA sha384RSA / sha384

amt.domain.tld sha256RSA / sha256

During the previous tests I did use the same certificate without a problem.

The log files are sparsely populated:

WebServer:

2024-01-29 12:17:59.4771|INFO||7604|1|SetupBackendLogger - MeshWebCore.WebApi.WebApiConfig, EMAWebCore, Version=1.12.1.0, Culture=neutral, PublicKeyToken=null - EVENT: Information, Web API server is starting up.

ManageabilityServer:

2024-01-30 03:19:42.6386|INFO||8276|75|TimerCleanupElapsed - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [0] - Message:Performing database cleanup.
2024-01-30 07:19:42.6524|INFO||8276|53|TimerCleanupElapsed - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [0] - Message:Performing database cleanup.

SwarmServer:

2024-01-30 07:25:29.6208|INFO||9180|13|<RunReceivedMessageProcess>b__65_0 - MeshServersCommon.code.TcpStack.MessageManager, EMAServersCommon, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - Received ServerState for server type 1 id 1 with state AGENT_START. Endpoint count is 1. Endpoint id list is 478E342F092EDF96BF0...
2024-01-30 07:32:37.7495|INFO||9180|29|ProcessCommand - MeshServer.MeshAgent, EMASwarmServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - Message:Confirm Power Operation 2.
2024-01-30 07:33:01.5268|INFO||9180|13|<RunReceivedMessageProcess>b__65_0 - MeshServersCommon.code.TcpStack.MessageManager, EMAServersCommon, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - Received ServerState for server type 1 id 1 with state AGENT_STOP. Endpoint count is 1. Endpoint id list is EE9269C83FD5A2CCEB...
2024-01-30 07:35:02.1471|INFO||9180|13|<RunReceivedMessageProcess>b__65_0 - MeshServersCommon.code.TcpStack.MessageManager, EMAServersCommon, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - Received ServerState for server type 1 id 1 with state AGENT_START. Endpoint count is 1. Endpoint id list is EE9269C83FD5A2CCE...

MIGUEL_C_Intel · ‎01-30-2024

Hello, ManuelK1,

Thank you for your quick response.

I would like to clarify the following, ACUConfig was a great tool; however, it is out of support and does not work properly with Intel® EMA. The compatible tool is Intel® EMA Configuration Tool (ECT).

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

Bear in mind, that none of the software tools will erase the PKI DNS suffix. We need to access MEBx BIOS and perform a Full unprovision.

If endpoints are working remotely (using different domains to the EMA Server); we need to type the PKI DNS suffix in the MEBx BIOS of each endpoint (only once for the provisioning).

Endpoints with Intel® ME 14 and higher only support TLS 1.2. We need a Certificate chain SHA256. Please verify if the Comodo/Sectigo Certificate matches the Intel® AMT OID 2.16.840.1.113741.1.2.3.

Open the Certificate from IIS

Open the Details tab and look for the Enhanced Key Usage option.

I look forward to hearing back from you.

Regards,

Miguel C.

Intel Customer Support Technician

ManuelK1 · ‎01-30-2024

Hello Miguel,

I already tried to reset Intel ME through bios but the result was the same. How can I check the pki suffix in Intel ME? The bios has only very limited options (HP Elite Mini 800 G9), I only found an option to completey unprovision but there is no info about the current config ...

The previous cert was also sha256 with sha384 chain. Both certs have the correct oid / key usage and the same dns name (I only reinstalled the vm).

MIGUEL_C_Intel · ‎01-30-2024

Hello, ManuelK1,

We can access MEBx BIOS by pressing (ctrl + P) during the starting process (boot) of the machine. The Intel® EMA Configuration Tool (ECT) gives the PKI DNS suffix status.

Installation:

Download and unzip the tool.

Double-click the .msi file and follow the prompts.

Run:

a-Open a command prompt as administrator (alternatively, you can run the tool from Windows PowerShell*).

b-Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c-Run the command: EMAConfigTool.exe –verbose

Thank you for confirming the OID number of the Certificate chain. It seems you received the wrong Certificate component (from vendor email). We can help you fix the issue. Please send us a private message including a range of days and hours to set up a web meeting with you.

I look forward to hearing back from you.

Regards,

Miguel C.

Intel Customer Support Technician

ManuelK1 · ‎01-31-2024

Hello Miguel,

meanwhile I've found the Intel ME BIOS - its reachable through F6 during BIOS Post and CIRA is available through F4, but CIRA is not working - it's showing only connecting ... and at the end
"could not connect to MPS Host".

I've tried several things:

-) Removing the CR2032 battery for 5 minutes.
-) Unconfiguring with EmaConfigTool - it says INVALID_AMT_MODE, with or without password parameter
-) Unconfiguring with EmaAgent.exe
-) Resetting AMT through BIOS -> OK ME Password is cleared afterwards
-) doing a fresh install with Emaagent.exe

Afterwards the the PKI DNS suffix in the ME BIOS seems to be set correctly, but CIRA is still not connected.

Meanwhile I've asked comodo support about the certificate. What do you mean about the wrong component?

Output from EmaConfigTool

Intel EMA Configuration Tool
Application Version: 1.1.0.183
Scan Date: 31.01.2024 15:43:21

*** Host Computer Information ***
Computer Name: CLIENT1
Manufacturer: HP
Model: HP Elite Mini 800 G9 Desktop PC
Processor: 12th Gen Intel(R) Core(TM) i5-12500
Windows Version: Microsoft Windows 10 Pro
BIOS Version: U21 Ver. 02.12.02
UUID: 2AB3ACFC-A.....

*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 16.1.27.2225
KVM Supported: True 
SOL Supported: True 
USB-R supported in BIOS: True 
RSE Supported: True 

*** ME Information ***
Version: 16.1.27.2225
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Admin
Driver Installed: True
Driver Version: 2306.4.3.0
PKI DNS Suffix: Not Found
LMS State: Running
LMS Version: 2306.4.3.0
MicroLMS State: NotPresent
EHBC Enabled: False

*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: True
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: False
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: True
RSE Enabled: True

*** Power Management Capabilities ***
Supported Power States:
   5: PowerCycle_Off_Soft
   8: Off_Soft
   2: On
   10: Master_Bus_Reset
   11: NMI
   12: Off_Soft_Graceful
   14: MasterBusReset_Graceful
Power Change Capabilities:
   2: On
   3: SleepLight
   4: SleepDeep
   7: Hibernate
   8: Off_Soft

*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED

*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 0.0.0.0
MAC Address: ...47:4C
DHCP Enabled: True
DHCP Mode: Passive
DNS Suffix (from OS): amt.domain.tld

*** ME Wireless Network Information ***
ME Wireless Interface Not Detected

*** Last AMT Provisioning Attempt Details ***
Host Initiated: True
Provisioning TLS Mode: PKI
Provisioning Root Cert: D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4
Provisioning Cert Hash Type: SHA256
Provisioning Server FQDN: amt.domain.tld
Provisioning Server IP: Not Set
Secure DNS Mode: False
TLS Start Time: 31.01.2024 13:01:08

*** Root Certificate Hash Entries ***
Root Cert 1: Go Daddy Class 2 CA, SHA256, C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4, Active, Default;
Root Cert 2: Go Daddy Root CA-G2, SHA256, 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA, Active, Default;
Root Cert 3: Comodo AAA CA, SHA256, D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4, Active, Default;
Root Cert 4: Starfield Class 2 CA, SHA256, 14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58, Active, Default;
Root Cert 5: Starfield Root CA-G2, SHA256, 2C:E1:CB:0B:F9:D2:F9:E1:02:99:3F:BE:21:51:52:C3:B2:DD:0C:AB:DE:1C:68:E5:31:9B:83:91:54:DB:B7:F5, Active, Default;
Root Cert 6: VeriSign Class 3 Primary CA-G5, SHA256, 9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF, Active, Default;
Root Cert 7: Baltimore CyberTrust Root, SHA256, 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB, Active, Default;
Root Cert 8: USERTrust RSA CA, SHA256, E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2, Active, Default;
Root Cert 9: Verizon Global Root, SHA256, 68:AD:50:90:9B:04:36:3C:60:5E:F1:35:81:A9:39:FF:2C:96:37:2E:3F:12:32:5B:0A:68:61:E1:D5:9F:66:03, Active, Default;
Root Cert 10: Entrust.net CA (2048), SHA256, 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77, Active, Default;
Root Cert 11: Entrust Root CA, SHA256, 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C, Active, Default;
Root Cert 12: Entrust Root CA-G2, SHA256, 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39, Active, Default;
Root Cert 13: VeriSign Universal Root CA, SHA256, 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C, Active, Default;
Root Cert 14: Affirm Trust Premium, SHA256, 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A, Active, Default;
Root Cert 15: DigiCert Global Root CA, SHA256, 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61, Active, Default;
Root Cert 16: DigiCert Global Root G2, SHA256, CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F, Active, Default;
Root Cert 17: DigiCert Global Root G3, SHA256, 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0, Active, Default;
Root Cert 18: DigiCert Trusted Root G4, SHA256, 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88, Active, Default;
Root Cert 19: GlobalSign Root CA - R3, SHA256, CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B, Active, Default;
Root Cert 20: GlobalSign ECC Root CA - R5, SHA256, 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24, Active, Default;
Root Cert 21: GlobalSign Root CA - R6, SHA256, 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69, Active, Default;

Pausing before ending process in 3 sec.  The duration of this pause can be adjusted using the --delayterm option.

After doing a full AMT reset I can find something in the ManageabilityServer-Log - I've shortened the output and redacted some details

2024-01-31 13:00:41.6460|INFO||8276|65|MessageManager_ReceivedMessageEx - 7d11e903ea1ca2c - [0] - Message:Received activation trigger command for endpoint: 0xD07A0F2A 
2024-01-31 13:00:48.4112|INFO||8276|12|AttemptPhase1_Pki - 7d11e903ea1ca2c - [1] - Attempting phase 1 PKI provisioning : (client1,D07A0F2A). 
2024-01-31 13:00:48.4112|INFO||8276|12|PerformPkiSetup - 7d11e903ea1ca2c - [1] - Get Mesh information (Tenant) : (client1,D07A0F2A). 
2024-01-31 13:00:48.4112|INFO||8276|12|PerformPkiSetup - 7d11e903ea1ca2c - [1] - Message:Starting PKI Setup process for endpoint: (client1,D07A0F2A) ComputerName: client1 
2024-01-31 13:00:48.4893|INFO||8276|12|PerformPkiSetup - 7d11e903ea1ca2c - [1] - Message:Setup computer name client1 : (client1,D07A0F2A). 
2024-01-31 13:00:48.4893|INFO||8276|12|RequestHostBasedProvisioningEx - 7d11e903ea1ca2c - [1] - Message:Setup computer name client1 : (client1,D07A0F2A). 
2024-01-31 13:00:48.4893|INFO||8276|12|RequestHostBasedProvisioningEx - 7d11e903ea1ca2c - [1] - Message:Sending Agent Stop Remote Configuration Message : (client1,D07A0F2A). 
2024-01-31 13:00:48.4893|INFO||8276|12|RequestHostBasedProvisioningEx - 7d11e903ea1ca2c - [1] - Message:Connecting to Swarm Server : (client1,D07A0F2A). 
2024-01-31 13:00:48.5206|WARN||8276|65|MessageManager_ReceivedMessageEx - 7d11e903ea1ca2c - [0] - Warning:Received stop remote configuration status from: D07A0F2A, status: INVALID_PT_MODE (3) 
2024-01-31 13:00:48.6143|INFO||8276|12|RequestHostBasedProvisioningEx - 7d11e903ea1ca2c - [1] - Message:Requesting ME administrator account : (client1,D07A0F2A). 
2024-01-31 13:00:49.1301|INFO||8276|12|RequestHostBasedProvisioningEx - 7d11e903ea1ca2c - [1] - Message:Disconnecting Swarm Server : (client1,D07A0F2A). 
2024-01-31 13:00:49.1301|INFO||8276|12|StartRouter - 7d11e903ea1ca2c - [1] - Message:Starting Mesh Router 51673 -> D07A0F2A:16992, SYSTEM 
2024-01-31 13:00:49.3334|INFO||8276|12|HostBasedSetup - 7d11e903ea1ca2c - [1] - Message:Attempting host based provisioning : (client1,D07A0F2A). 
2024-01-31 13:00:49.3334|INFO||8276|12|HostBasedSetup - 7d11e903ea1ca2c - [1] - Message:Creating DotNetWSManClient object : (client1,D07A0F2A). 
2024-01-31 13:00:49.5549|INFO||8276|12|HostBasedSetup - 7d11e903ea1ca2c - [1] - Message:Checking if unprovisioned : (client1,D07A0F2A). 
2024-01-31 13:00:49.5549|INFO||8276|12|HostBasedSetup - 7d11e903ea1ca2c - [1] - Message:Checking if the client control mode is enabled : (client1,D07A0F2A). 
2024-01-31 13:00:49.5549|INFO||8276|12|HostBasedSetup - 7d11e903ea1ca2c - [1] - Message:Fetching the digest realms : (client1,D07A0F2A). 
2024-01-31 13:00:49.6331|INFO||8276|12|HostBasedSetup - 7d11e903ea1ca2c - [1] - Message:Check digest realm : (client1,D07A0F2A). 
2024-01-31 13:00:49.6331|INFO||8276|12|HostBasedSetup - 7d11e903ea1ca2c - [1] - Message:Performing Signed Host Based Client Mode Setup : (client1,D07A0F2A). 
2024-01-31 13:00:50.0209|INFO||8276|12|RequestHostBasedProvisioningEx - 7d11e903ea1ca2c - [1] - Message:Host Based Setup (1st try) - SUCCESS : (client1,D07A0F2A). 
2024-01-31 13:00:53.0834|INFO||8276|12|GetTlsOptions - M1e903ea1ca2c - [1] - Checking TLS state : (client1,D07A0F2A). 
2024-01-31 13:00:53.3019|INFO||8276|12|GetTlsOptions - M1e903ea1ca2c - [1] - Message:TLS State, Local=NoAuth, Remote=ServerAuth : (client1,D07A0F2A). 
2024-01-31 13:00:53.3019|INFO||8276|12|SetupTls - M1e903ea1ca2c - [1] - AMT is not in TLS and the target is CIRA. Non-secure port needs to be opened. : (client1,D07A0F2A). 
2024-01-31 13:00:53.3019|INFO||8276|12|CleanEnvironmentDetection - M1e903ea1ca2c - [1] - Clearing environment detection : (client1,D07A0F2A). 
2024-01-31 13:00:53.3488|INFO||8276|12|SetupTls - M1e903ea1ca2c - [1] - In TLS conn?=False, AMT Port=16992, Current TLS state=NoTls : (client1,D07A0F2A). 
2024-01-31 13:00:53.5050|INFO||8276|12|CheckExistingTlsCert - M1e903ea1ca2c - [1] - Existing TLS cert issuer name CN=Intel® AMT self-signed certificate, O=Intel Corporation, L=Santa Clara, S=California, C=US does not match the stored AMT TLS root cert subject CN=MeshRoot-15D8167F, O=Mesh : (client1,D07A0F2A). 
2024-01-31 13:00:53.5050|INFO||8276|12|CreateNewTlsCert - M1e903ea1ca2c - [1] - Creating new TLS Cert....: (client1,D07A0F2A). 
2024-01-31 13:01:04.2238|INFO||8276|12|EnableTls - M1e903ea1ca2c - [1] - Enabling TLS... : (client1,D07A0F2A). 
2024-01-31 13:01:05.6284|INFO||8276|12|SetupTls - M1e903ea1ca2c - [1] - TLS is set. Enabling non secure port is done.: (client1,D07A0F2A). 
2024-01-31 13:01:05.6284|INFO||8276|12|HostBasedAdminSetup - 7d11e903ea1ca2c - [1] - Message:Getting mesh information (Tenant) : (client1,D07A0F2A). 
2024-01-31 13:01:05.6284|INFO||8276|12|HostBasedAdminSetup - 7d11e903ea1ca2c - [1] - Message:Attempting host based admin provisioning: (client1,D07A0F2A). 
2024-01-31 13:01:05.6284|INFO||8276|12|StartRouter - 7d11e903ea1ca2c - [1] - Message:Starting Mesh Router 51688 -> D07A0F2A:16993, SYSTEM 
2024-01-31 13:01:05.8489|INFO||8276|12|HostBasedAdminSetup - 7d11e903ea1ca2c - [1] - Message:Creating DotNetWSManClient object : (client1,D07A0F2A). 
2024-01-31 13:01:07.3119|INFO||8276|12|HostBasedAdminSetup - 7d11e903ea1ca2c - [1] - Message:Checking if unprovisioned : (client1,D07A0F2A). 
2024-01-31 13:01:07.3119|INFO||8276|12|HostBasedAdminSetup - 7d11e903ea1ca2c - [1] - Message:Current Control mode - Client : (client1,D07A0F2A). 
2024-01-31 13:01:07.3119|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Get mesh information (Tenant) : (client1,D07A0F2A). 
2024-01-31 13:01:07.3119|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Attempting host based admin provisioning : (client1,D07A0F2A). 
2024-01-31 13:01:07.4073|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Checking if unprovisioned : (client1,D07A0F2A). 
2024-01-31 13:01:07.4073|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Checking if the admin control mode is allowed : (client1,D07A0F2A). 
2024-01-31 13:01:07.4581|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Current certificate chain status - NotStarted : (client1,D07A0F2A). 
2024-01-31 13:01:07.4581|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Pushing activation certificate - amt.domain.tld : (client1,D07A0F2A). 
2024-01-31 13:01:07.5493|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Pushing activation certificate - Sectigo RSA Domain Validation Secure Server CA : (client1,D07A0F2A). 
2024-01-31 13:01:07.6587|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Pushing activation certificate - USERTrust RSA Certification Authority : (client1,D07A0F2A). 
2024-01-31 13:01:07.7682|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Pushing activation certificate - AAA Certificate Services : (client1,D07A0F2A). 
2024-01-31 13:01:07.9897|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Current certificate chain status - ChainComplete : (client1,D07A0F2A). 
2024-01-31 13:01:08.0520|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:ConfigurationServerFQDN not set : (client1,D07A0F2A). 
2024-01-31 13:01:08.0677|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Attempting Host Based Admin Setup : (client1,D07A0F2A). 
2024-01-31 13:01:08.3033|INFO||8276|12|HostBasedAdminUpdate - 7d11e903ea1ca2c - [1] - Message:Host Based Admin Setup successful : (client1,D07A0F2A). 
2024-01-31 13:01:08.3033|INFO||8276|12|RequestHostBasedProvisioningEx - 7d11e903ea1ca2c - [1] - Message:Host Based Admin Setup (1st try) - SUCCESS : (client1,D07A0F2A). 
2024-01-31 13:01:08.3033|INFO||8276|12|StartRouter - 7d11e903ea1ca2c - [1] - Message:Starting Mesh Router 51695 -> D07A0F2A:16993, SYSTEM 
2024-01-31 13:01:08.3033|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Message:AMT Profile detected : (client1,D07A0F2A). 
2024-01-31 13:01:11.8555|INFO||8276|12|GetTlsOptions - M1e903ea1ca2c - [1] - Checking TLS state : (client1,D07A0F2A). 
2024-01-31 13:01:12.0522|INFO||8276|12|GetTlsOptions - M1e903ea1ca2c - [1] - Message:TLS State, Local=ServerAuth, Remote=ServerAuth : (client1,D07A0F2A). 
2024-01-31 13:01:12.0522|INFO||8276|12|SetupTls - M1e903ea1ca2c - [1] - AMT is in TLS and the target is CIRA. Non-secure port needs to be opened. : (client1,D07A0F2A). 
2024-01-31 13:01:12.0522|INFO||8276|12|CleanEnvironmentDetection - M1e903ea1ca2c - [1] - Clearing environment detection : (client1,D07A0F2A). 
2024-01-31 13:01:12.1147|INFO||8276|12|SetupTls - M1e903ea1ca2c - [1] - In TLS conn?=True, AMT Port=16993, Current TLS state=TlsNoAuth : (client1,D07A0F2A). 
2024-01-31 13:01:12.5679|INFO||8276|12|SetupTls - M1e903ea1ca2c - [1] - Valid TLS Cert already exists. Using existing TLS cert : (client1,D07A0F2A). 
2024-01-31 13:01:12.5679|INFO||8276|12|CheckAdminAccount - MeshManageabilityServer.code.AmtSetup.AdminAclManager, EMAManageabilityServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Checking user account : (client1,D07A0F2A). 
2024-01-31 13:01:12.6927|INFO||8276|12|ConfigureHostName - 7d11e903ea1ca2c - [1] - Setting Intel AMT hostname : (client1,D07A0F2A). 
2024-01-31 13:01:12.8802|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Configuring PING response : (client1,D07A0F2A). 
2024-01-31 13:01:12.9581|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Configuring redirection port : (client1,D07A0F2A). 
2024-01-31 13:01:14.2395|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Configuring web interface : (client1,D07A0F2A). 
2024-01-31 13:01:15.0051|INFO||8276|12|SetIdleWakeTimeout - 7d11e903ea1ca2c - [1] - Fetching AMT_GeneralSettings : (client1,D07A0F2A). 
2024-01-31 13:01:15.1769|INFO||8276|12|SetAmtPowerProfile - 7d11e903ea1ca2c - [1] - Configuring power profile : (client1,D07A0F2A). 
2024-01-31 13:01:15.7096|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Removing all private keys : (client1,D07A0F2A). 
2024-01-31 13:01:16.0871|INFO||8276|12|GetTargetCustomUserAccount - =57d11e903ea1ca2c - [1] - Checking user accounts : (client1,D07A0F2A). 
2024-01-31 13:01:16.9067|INFO||8276|12|CreateCustomUserAccount - =57d11e903ea1ca2c - [1] - Creating new AMT user account: "EMA-user" : (client1,D07A0F2A). 
2024-01-31 13:01:17.1147|INFO||8276|12|PushCredentialsToMeshAgent - 7d11e903ea1ca2c - [1] - Sending password to ema agent : (client1,D07A0F2A). 
2024-01-31 13:01:17.1147|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Enabling hardware KVM from profile : (client1,D07A0F2A). 
2024-01-31 13:01:17.9114|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Setting KVM user consent timeout from profile : (client1,D07A0F2A). 
2024-01-31 13:01:18.2742|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Attempting to configure user consent from profile : (client1,D07A0F2A). 
2024-01-31 13:01:18.8562|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Checking trusted certificates : (client1,D07A0F2A). 
2024-01-31 13:01:19.1087|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Adding trusted Swarm server certificate : (client1,D07A0F2A). 
2024-01-31 13:01:19.6928|INFO||8276|12|SetMebxPasswordInFw - 7d11e903ea1ca2c - [1] - MEBx password set in Endpoint (client1,D07A0F2A). 
2024-01-31 13:01:19.7083|WARN||8276|12|ApplyWirelessConfiguration - n=57d11e903ea1ca2c - [1] - No wireless available : (client1,D07A0F2A). 
2024-01-31 13:01:19.7083|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Applying network configuration : (client1,D07A0F2A). 
2024-01-31 13:01:20.9894|INFO||8276|12|RemoveRemoteAccessPolicies - d11e903ea1ca2c - [1] - Removing remote access policies : (client1,D07A0F2A). 
2024-01-31 13:01:21.2552|INFO||8276|12|RemoveRemoteAccessServers - d11e903ea1ca2c - [1] - Removing remote access servers : (client1,D07A0F2A). 
2024-01-31 13:01:21.9273|INFO||8276|12|CreateCiraRootCertificate - d11e903ea1ca2c - [1] - Creating CIRA root certificate : (client1,D07A0F2A). 
2024-01-31 13:01:23.5050|INFO||8276|12|IssueCiraLeafCertificate - d11e903ea1ca2c - [1] - Issuing CIRA certificate : (client1,D07A0F2A). 
2024-01-31 13:01:23.6457|INFO||8276|12|BindCiraLeafCertToEndpoint - d11e903ea1ca2c - [1] - Binding CIRA certificate : (client1,D07A0F2A). 
2024-01-31 13:01:23.6457|INFO||8276|12|AddCiraRootCertToAmt - d11e903ea1ca2c - [1] - Adding CIRA root and CIRA certificates : (client1,D07A0F2A) 
2024-01-31 13:01:24.0051|INFO||8276|12|EnableUserInitiatedInterface - d11e903ea1ca2c - [1] - Enabling user remote access activation : (client1,D07A0F2A). 
2024-01-31 13:01:24.5250|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Adding remote access server (amt.domain.tld:8080, 3) : (client1,D07A0F2A). 
2024-01-31 13:01:25.7225|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Adding remote access policies : (client1,D07A0F2A). 
2024-01-31 13:01:26.8181|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Adding environment detection - cqtnpgfnzxzckafz : (client1,D07A0F2A). 
2024-01-31 13:01:27.0207|INFO||8276|12|PerformRound2Provisioning - 7d11e903ea1ca2c - [1] - Message:Completed round 2 provisioning : (client1,D07A0F2A). 
2024-01-31 13:01:27.0207|INFO||8276|12|AttemptPhase2 - 7d11e903ea1ca2c - [1] - Message:-- Successful provisioning - PKIX-XXXX : (client1,D07A0F2A). 
2024-01-31 13:01:27.0207|INFO||8276|12|PerformPkiSetup - 7d11e903ea1ca2c - [1] - Message: Intel AMT SetupAdmin activation Successful : (client1,D07A0F2A). 
2024-01-31 13:01:27.0207|INFO||8276|12|AttemptPhase1 - 7d11e903ea1ca2c - [1] - Successful PKI provisioning : (client1,D07A0F2A).

ManuelK1 · ‎01-31-2024

After my last post I've tried to re-attach the machine to my first testserver and with full unprovisioning it's working with the same certificate. The only difference is that there's a WAN&NAT between the client and the server. Are there any other portforwardings / firewall-rules needed except than tcp 8080?

When doing a trace with wireshark I can see communication with port 16993 (local) to 8080 (testserver). When trying with the production server It's another local client port (49749) to 8080 (server). Is this part of the problem?

MIGUEL_C_Intel · ‎01-31-2024

Hello, ManuelK1,

Thank you for the log and explanation.

The default settings of Intel® AMT are below:

The combination of Control + P (ctrl+p) keys allows access to MEBx BIOS; OEM can change the option.
If the endpoint is located in a different domain, we must add the PKI DNS suffix of the Certificate in MEBx BIOS. Bear in mind, that we need to perform a Full unprovision. According to log, it is empty. I am adding the instructions.

*** ME Information ***

Version: 16.1.27.2225

SKU: Intel(R) Full AMT Manageability

State: Provisioned

Control Mode: Admin

Driver Installed: True

Driver Version: 2306.4.3.0

PKI DNS Suffix: Not Found

Machines with Intel® AMT version 15 and higher required a Certificate chain with SHA256 encryption.

Steps to Unprovision the Endpoint

From the MEBx Main Menu, click MEBx Login, type your password. The Default is admin.

Click over Intel® AMT Configuration

Scroll down to Uncofigure Network Access <Full Unprovision>

Enter <Full Unprovision>

Enter Full Unprovision

Select yes to Reset network settings

Wait until the Main Intel® AMT Configuration is displayed.

Exit

Adding PKI DNS suffix to MEBx

From the MEBx Main Menu, click MEBx Login, and type your password. The Default is admin.

Click over Intel® AMT Configuration

Scroll down and select Remote Setup and Configuration

Select TLS PKI

Select PKI DNS Suffix, hit enter

Type your PKI DNS Suffix, hit Enter

The new Window will display the new PKI DNS Suffix

Then, keep pressing Exit until you close MEBX.

I suggest adding the PKI DNS suffix into MEBx. If the problem continues, we need to fix the Certificate chain encryption.

Regards,

Miguel C.

Intel Customer Support Technician

ManuelK1 · ‎01-31-2024

Hello Miguel,

as you can see my last post, I've already done a full unprovision and managed to get CIRA enabled with my test server (which is in the same LAN) but not with the new production server. So we can exclude any cert issues, because I'm using the same cert for both test and production server (split-dns for testing/debugging).

Do I need anything more than Port 8080 to be forwarded (NAT+Firewall) to the production server? Why isn't it using Port 16993 as source?

MIGUEL_C_Intel · ‎01-31-2024

Hello, ManuelK1,

Only port 8080 is necessary for the connection.

Please review if the configuration fulfills the Intel® EMA requirements.

EMA Server is running Windows Server 2019 or 2022.

The database was created using SQL 2017 or higher.

The certificate needs to have an encryption SHA256 (Root, Intermediate, and Leaf)

The certificate chain needs to have the OID number 2.16.840.1.113741.1.2.3

Make sure, the BIOS and ME driver are the latest from the OEM website.

Details at Intel® Endpoint Management Assistant (Intel® EMA) Server Installation Guide v1.12.1

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf

Intel (I and colleagues) are open to setting up a web meeting to review and suggest changes to the configuration. We will resolve the issue together.

Regards,

Miguel C.

Intel Customer Support Technician

MIGUEL_C_Intel · ‎02-05-2024

Hello, ManuelK1,

I hope you are doing well.

If further assistance is necessary, do not hesitate to reply.

Regards,

Miguel C.

Intel Customer Support Technician

ManuelK1 · ‎02-06-2024

Hello Miguel,

I'm currently in contact with Comodo to get a new certificate with an updated certificate. I'll notify you when this is completed.

Meanwhile I've tried to simulate a NAT/Port-Forwarding with my test-server and I can reproduce that CIRA is not working anymore when I'm using windows netsh portproxy (to forward port 8080 from another machine in the same LAN to the cira serverl).

I've also found a configuration setting for "Cira Server IP (for trouble-shooting purpose only and normally empty)" in "Server Settings" > "Manageability Server". Is this related to NAT? Should I try to insert the public IP from the firewall there?

-EMA Server is running Windows Server 2019 or 2022.

yes, 2022

-The database was created using SQL 2017 or higher.

yes, SQL 2022

-The certificate needs to have an encryption SHA256 (Root, Intermediate, and Leaf)

in progress

-The certificate chain needs to have the OID number 2.16.840.1.113741.1.2.3

done

-Make sure, the BIOS and ME driver are the latest from the OEM website.

done

MIGUEL_C_Intel · ‎02-06-2024

Hello, ManuelK1,

Thank you for your update on the Certificate request status.

You are right the settings tabs (using the Global account) offer the configuration option of CIRA. This is for custom builds (when it is necessary to have the Manageability and Web components different from the FQDN of the Swarm Server.

In your case, without the Certificate; CIRA will fail, the configuration was created in Admin, and it is looking for a Cert.

I will wait for your reply with the Certificate resolution.

Regards,

Miguel C.

Intel Customer Support Technician

MIGUEL_C_Intel · ‎02-09-2024

Hello, ManuelK1,

I am following up on the case and wondering if you got the Certificate chain from the vendor. I will gladly provide further assistance.

Regards,

Miguel C.

Intel Customer Support Technician

ManuelK1 · ‎02-13-2024

Hello Miguel,

meanwhile I've talked with Sectigo and they said that's no problem when the root is SHA1 and I should not import the top root (AAA ... SHA1) into EMA because it's known to make problems regarding to CIRA.

So I've deleted the group, deleted all certificates and re-imported the certificates. -> There are only:
amt.domain.tld (PKI Certificate)
SectigoRSA
UserTrustRSA

there.

The SHA1 AAA is not here anymore.

Now I can see that there's a problem in the EMALog-ManageabilityServer.txt:

2024-02-13 16:21:29.2820|ERROR||8340|37|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.12.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - System.NullReferenceException: Object reference not set to an instance of an object.
at MeshManageabilityServer.CentralManageabilityServer.HostBasedSetup(Int32 slot, String adminuser, String adminpass, X509Certificate2 rootCertificate, String strEndpointString, AmtSetupRecord amtSetupRecord, MiniMeshRouter miniMeshRouter, NodeInfoBlock block)
at MeshManageabilityServer.CentralManageabilityServer.RequestHostBasedProvisioningEx(Int32 slot, AmtSetupRecord key, X509Certificate2 rootCert, String strEndpointString)
at MeshManageabilityServer.CentralManageabilityServer.PerformPkiSetup(Int32 slot, AmtSetupRecord key, IPEndPoint helloaddr)
at MeshManageabilityServer.CentralManageabilityServer.AttemptPhase1_Pki(AmtSetupRecord key, Int32 slot, IPEndPoint helloAddress, String strEndpointString)
at MeshManageabilityServer.CentralManageabilityServer.AttemptPhase1(AmtSetupRecord key, Int32 slot, IPEndPoint helloAddress, String strEndpointString)
at MeshManageabilityServer.CentralManageabilityServer.PerformAction()

CIRA is not connected, but CIRA selected: Yes and

Intel® AMT setup status: Pending Activation

Intel® ME: v16.1.27.2225 Not Provisioned

MIGUEL_C_Intel · ‎02-13-2024

Hello, ManuelK1,

Thank you for sharing the logs. EMA is not recognizing the Certificate; it seems the Cert still has an encryption SHA1 or something else is missing.

I am sending a workaround, if you want; I can set up a web meeting and help you with the Certificate installation in IIS or MMC.

First, open MMC and select the My User account and Computer Account views.

Filter by SHA1 in all the options and erase them.

I am sending a Sectigo website, which provides the instructions on how to install the Cert. It describes the standard procedure on how to install an SSL certificate.

Installation of Sectigo Root and Intermediate Certificate in MMC

https://www.sectigo.com/knowledge-base/detail/PositiveSSL-Certificate-Installation-Microsoft-IIS-Root-and-Intermediate-Certificate-installation-1527076104226/kA01N000000zFQq

Note:

Instead of using the Root AddTrustExternalCARoot.crt file provided by Sectigo.

Go to the Sectigo Repository website: https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates

Scroll down to Root Certificates

Download SHA-2 Root : USERTrust RSA Certification Authority

Install this file into the Trusted Root Certification Authorities

Please remember to restart the Server after the installation. In ISS, all the Certificate lines will be SHA256. The Domain Certificate will have the OID 2.16.840.1.113741.1.2.3 at Details/Enhanced Key Usage.

For the web meeting, please send a range of hours and days including the time zone.

Regards,

Miguel C.

Intel Customer Support Technician

ManuelK1 · ‎02-14-2024

Hello Miguel,

thanks, we're one step forward: According to another post in these forum the Comodo/Sectigo cert is cross signed. So it depends on the installed parent cert which chain is selected (SHA256 or SHA1) I've cleaned EMA and windows cert store from the SHA1 certificates and successfully able to get the client becoming connected, BUT not with CIRA:

Is there any possibility to debug why CIRA is in the state CONNECTING and not further?

My working hours are normally between 8 and 16 CET, but I'm not allowed to accept incoming remote connections to the PROD system. I can try to get the TEST system back running and working, but this will need some time. Further I'd prefer to be able to debug and maintain our used software components myself without the need to get remote support from the manufacturer. I understand that's easier to check it through a remote session, but I don't understand why there is no easy possibility to find out why it's not working or do some tests on the client side to see whats wrong.

Operating System: Microsoft® Windows 10

Intel® EMA Agent: Win64-Service v1.12.0

Intel® ME: v16.1.27.2225 Admin Control Mode

CIRA selected: Yes

Intel® AMT setup status: Provisioning Completed

Intel EMA Configuration Tool
Application Version: 1.1.0.183
Scan Date: 14.02.2024 16:33:03

*** Host Computer Information ***
Computer Name: CLIENT1
Manufacturer: HP
Model: HP Elite Mini 800 G9 Desktop PC
Processor: 12th Gen Intel(R) Core(TM) i5-12500
Windows Version: Microsoft Windows 10 Pro
BIOS Version: U21 Ver. 02.12.02
UUID: 2AB3ACFC-A1B1-4FF7-ABE5-CD90F20F50EE

*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 16.1.27.2225
KVM Supported: True
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True

*** ME Information ***
Version: 16.1.27.2225
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Admin
Driver Installed: True
Driver Version: 2306.4.3.0
PKI DNS Suffix: Not Found
LMS State: Running
LMS Version: 2306.4.3.0
MicroLMS State: NotPresent
EHBC Enabled: False

*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: True
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: True
RSE Enabled: True

*** Power Management Capabilities ***
Supported Power States:
   5: PowerCycle_Off_Soft
   8: Off_Soft
   2: On
   10: Master_Bus_Reset
   11: NMI
   12: Off_Soft_Graceful
   14: MasterBusReset_Graceful
Power Change Capabilities:
   2: On
   3: SleepLight
   4: SleepDeep
   7: Hibernate
   8: Off_Soft

*** CIRA Information ***
CIRA Server: amt.domain.tld (REDACTED)
CIRA Connection Status: CONNECTING
CIRA Connection Trigger: TRIGGER_PERIODIC

*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 0.0.0.0
MAC Address: 7C:4D:8F:02:47:4C
DHCP Enabled: True
DHCP Mode: Passive
DNS Suffix (from OS): amt.domain.tld (REDACTED)

*** ME Wireless Network Information ***
ME Wireless Interface Not Detected

*** Last AMT Provisioning Attempt Details ***
Host Initiated: True
Provisioning TLS Mode: PKI
Provisioning Root Cert: E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
Provisioning Cert Hash Type: SHA256
Provisioning Server FQDN: amt.domain.tld (REDACTED)
Provisioning Server IP: Not Set
Secure DNS Mode: False
TLS Start Time: 14.02.2024 12:36:58

*** Root Certificate Hash Entries ***
Root Cert 1: Go Daddy Class 2 CA, SHA256, C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4, Active, Default;
Root Cert 2: Go Daddy Root CA-G2, SHA256, 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA, Active, Default;
Root Cert 3: Comodo AAA CA, SHA256, D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4, Active, Default;
Root Cert 4: Starfield Class 2 CA, SHA256, 14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58, Active, Default;
Root Cert 5: Starfield Root CA-G2, SHA256, 2C:E1:CB:0B:F9:D2:F9:E1:02:99:3F:BE:21:51:52:C3:B2:DD:0C:AB:DE:1C:68:E5:31:9B:83:91:54:DB:B7:F5, Active, Default;
Root Cert 6: VeriSign Class 3 Primary CA-G5, SHA256, 9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF, Active, Default;
Root Cert 7: Baltimore CyberTrust Root, SHA256, 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB, Active, Default;
Root Cert 8: USERTrust RSA CA, SHA256, E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2, Active, Default;
Root Cert 9: Verizon Global Root, SHA256, 68:AD:50:90:9B:04:36:3C:60:5E:F1:35:81:A9:39:FF:2C:96:37:2E:3F:12:32:5B:0A:68:61:E1:D5:9F:66:03, Active, Default;
Root Cert 10: Entrust.net CA (2048), SHA256, 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77, Active, Default;
Root Cert 11: Entrust Root CA, SHA256, 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C, Active, Default;
Root Cert 12: Entrust Root CA-G2, SHA256, 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39, Active, Default;
Root Cert 13: VeriSign Universal Root CA, SHA256, 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C, Active, Default;
Root Cert 14: Affirm Trust Premium, SHA256, 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A, Active, Default;
Root Cert 15: DigiCert Global Root CA, SHA256, 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61, Active, Default;
Root Cert 16: DigiCert Global Root G2, SHA256, CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F, Active, Default;
Root Cert 17: DigiCert Global Root G3, SHA256, 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0, Active, Default;
Root Cert 18: DigiCert Trusted Root G4, SHA256, 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88, Active, Default;
Root Cert 19: GlobalSign Root CA - R3, SHA256, CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B, Active, Default;
Root Cert 20: GlobalSign ECC Root CA - R5, SHA256, 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24, Active, Default;
Root Cert 21: GlobalSign Root CA - R6, SHA256, 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69, Active, Default;

MIGUEL_C_Intel · ‎02-14-2024

Hello, ManuelK1,

Thank you for your explanation, I understand the security limitations.

We can gather more details of the provisioning issue from the Manageability and Swarm Server logs. It includes the details of the Certificate and CIRA.

I got some issues, and it is necessary the changes below:

The HP Elite Mini 800 G9 Desktop uses the latest BIOS version 02.12.02 and it uses a wired connection (embedded Network adapter) with no docking station. However, the DNS of the Server is different from the endpoint.

The Certificate validation is failing. It is necessary to install manually the PKI DNS suffix in MEBx. Intel® ECT is showing it as PKI DNS Suffix: Not Found.

In addition, ECT is showing CIRA Server: amt.domain.tld (REDACTED). For security purposes, it was changed. I just want to clarify we need to let EMA create the fake domain (it is different from the PKI DNS suffix of the Certificate).

In EMA web Console, if we are using CIRA, the basic settings are the following:

Note:

User Consent can be unchecked from the Management Interfaces tab.

Regarding the Certificate, if it is possible, send a screenshot of the Certificate chain from the Certification Path tab. Make sure each section is SHA256. You can send me in a private message the Certificate chain screenshots from the General and Details tab.

We have been talking about the Certificate chain and its domain. I know that you have been changing the real name. I am sending the requirements.

PKI Certificate Verification Methods

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm

I suggest doing the Full unprovision from MEBx and then, installing the PKI DNS suffix. Do not enable the Network Access option.

Regards,

Miguel C.

Intel Customer Support Technician

MIGUEL_C_Intel · ‎02-19-2024

Hello, ManuelK1,

I hope you are doing well.

By any chance, have you been able to work on the EMA provisioning issue?

Regards,

Miguel C.

Intel Customer Support Technician

ManuelK1 · ‎02-20-2024

Hello Miguel,

I was able to continue testing today, but I didn't finish. The incomplete results:

I'm again able to successfully provision the client with CIRA with my first test machine. So I think we can completely skip further tests with the official comodo cert, because it's working. I'm also able to get it working without editing the BIOS / ME, just with the EMAAgent-Installer in windows.

But: The production server is still *not* working with CIRA. I've compared the output from the logs and it's nearly the same I'll post the differences tomorrow - this was just a quick follow up for you to keep this topic open. I'll post more infos tomorrow!