Setting up a Proof of Concept for OOB management/support.
My ultimate goal of this PoC is to have clients on ACM and CIRA.
I don't have the Public Certificate (PoC, right?); I enrolled my own AMT certificate with a cert template with the needed OID 2.16.840.1.113741.1.2.3.
I have emaconfigtool result attached.
A few questions
1. Do CIRA and ACM go together? Must CIRA be working to have ACM?
2. When I import the EMA cert into the EMA, do I need to import a full cert with public key and private key, or is the one with the public key enough, given that the full cert is enrolled in the server's cert store?
Hi Andrewchan,
Greetings!
1. Do CIRA and ACM go together? Must CIRA be working to have ACM?
CIRA is Client Initiated Remote Access, which works in both CCM (Client Control Mode) and ACM (Admin Control Mode). It is the Intel AMT PKI cert that needs to be used for the EMA to work in ACM.
2. When I import the EMA cert into the EMA, do I need to import a full cert with public key and private key, or is the one with the public key enough, given that the full cert is enrolled in the server's cert store?
The public key should be used to enroll in the server's cert store.
Please refer to 3.5.1 Upload Intel® AMT PKI Certificates, in the link given below:
Best Regards
Arun_Intel
Isn't Intel SCS deprecated?
Is ACUConfig still a supported application?
I am stuck in CCM and have been troubleshooting for some time. Also, CIRA is not connecting,
as I am using an internal CA.
What's the most common thing I can check on that?
Hi AndrewChan,
Greetings!
Client Control Mode does not require the certificate chain. In CCM, user consent is necessary to access the endpoint.
Please make sure that the server and the endpoint are in the same domain. For the initial configuration, make sure the OS (Windows 10/Windows 11) is running on the endpoints, and please use a wired connection.
If you are using a Wi-Fi connection, make sure that the machine has an embedded Intel Wi-Fi NIC.
For the first time, I suggest creating a profile for CCM and a second profile for ACM. Test the provisioning in CCM and share with us the ECT logs with the provisioning results. For the initial configuration, updating the endpoint BIOS and drivers is a good practice.
Steps to collect the ECT logs:
Installation:
Download and unzip the tool.
Double-click the .msi file and follow the prompts.
Run:
a. Open a command prompt as administrator (alternatively, you can run the tool from Windows PowerShell*).
b. Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).
c. Run the command: EMAConfigTool.exe --verbose
Best Regards
Arun_Intel
Hi AndrewChan,
Greetings!
This is a first follow-up. Kindly confirm whether you were able to execute the plan of action shared, or whether there are any concerns that you are facing.
Best Regards
Arun_Intel
Thanks for the reply.
First, I attach the log files of the EMA server.
It seems there's a cert issue.
I'd like to ask: I am using an internal CA, for which I know I need to manually insert the hash in the MEBx.
The CA is SHA256 and, from what I've read, the MEBx interface does not support inputting SHA256 hashes, as anything entered is SHA1.
Is it a must to insert the CA hash using the USBfile tool?
Dear Andrew,
Thank you for reaching out to us regarding your Proof of Concept setup for OOB management/support.
To address your questions:
1. CIRA and ACM can work together, but CIRA is not a prerequisite for ACM to function.
2. When importing the EMA cert into the EMA, you only need to import the cert with the public key, as the full cert is already enrolled in the server's cert store.
Yes, it is a must to use the USB tool.
https://www.intel.com/content/www/us/en/support/articles/000059996/software.html
If you have any further questions or need assistance with the setup, please feel free to reach out.
Best regards,
Vijay Nalla.
ACM and CIRA are connected now.
I manually entered the PKI DNS suffix and the server IP/FQDN.
Also, the main issue was that the EMA server had Splunk installed, which also listens on port 8089, similar to the case below:
https://community.intel.com/t5/Intel-vPro-Platform/Invalid-certificate/m-p/1508547
I uninstalled Splunk and things got connected; I now have a desktop PoC working.
Next step: to provision AMT on 802.1x WiFi clients; they use certificates to authenticate.
Hi Andrewchan,
Greetings!
Glad to hear that the issue has been resolved. Please complete the next plan of action and keep us posted about the status of the issue.
Best Regards
Arun_Intel
Hi Andrewchan,
Greetings!
This is the second follow-up. Kindly confirm whether the issue has been resolved and whether we are good to close this case.
Best regards
Arun_Intel
Yes, please close.
The lessons here are:
1. For testing/PoC, if the CA is SHA256, you must use USBtool to create a provisioning USB to add them into MEBx.
2. Same for testing/PoC, you need to manually enter the DNS suffix of the provisioning server, so for server01.domain.com you need to enter domain.com.
3. Port 8089 was occupied by other apps.
Thanks
Andrew
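
A preflight check for the three lessons above, as an added example that is not part of the original posts and is not Intel's tooling: it reports whether a provisioning certificate carries the OID named in the thread, derives the PKI DNS suffix from the server FQDN, prints the root CA's SHA-256 and SHA-1 hashes, and lists what is listening on port 8089. The function names and the throwaway demo certificate are constructed for illustration, and the script assumes the certificate subject CN is the provisioning server FQDN.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example; function names and the demo certificate are constructed.
$AmtOid = '2.16.840.1.113741.1.2.3'   # OID named in the thread

function Test-AmtProvisioningCert {
    param([Parameter(Mandatory)][X509Certificate2]$Leaf,
          [Parameter(Mandatory)][X509Certificate2]$RootCa)
    $eku  = $Leaf.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    # Assumption: the certificate subject CN is the provisioning server FQDN.
    $fqdn = $Leaf.GetNameInfo([X509NameType]::SimpleName, $false)
    $sha256 = [SHA256]::Create()
    try     { $digest = $sha256.ComputeHash($RootCa.RawData) }
    finally { $sha256.Dispose() }
    [pscustomobject]@{
        HasAmtOid    = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $AmtOid)
        ServerFqdn   = $fqdn
        # Lesson 2: server01.domain.com -> domain.com
        PkiDnsSuffix = ($fqdn -split '\.', 2)[1]
        # Lesson 1: hash of the root CA certificate (DER bytes)
        RootCaSha256 = [BitConverter]::ToString($digest) -replace '-'
        RootCaSha1   = $RootCa.Thumbprint
    }
}

function Get-PortListener {
    # Lesson 3: show which process already owns the port (8089 in the thread).
    param([int]$Port = 8089)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Process -Id $_.OwningProcess } |
        Select-Object -Unique Id, ProcessName, Path
}

# Constructed demo input: a self-signed certificate standing in for both the leaf
# and the internal root CA. For real use, load your own files with
# [X509Certificate2]::new('<path to .cer>') instead.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=server01.domain.com', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$oids = [OidCollection]::new()
[void]$oids.Add([Oid]::new($AmtOid))
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
$demo = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

Test-AmtProvisioningCert -Leaf $demo -RootCa $demo | Format-List
Get-PortListener -Port 8089 | Format-Table
```

An unexpected process in the `Get-PortListener` output on the EMA server is the port conflict described in the thread.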
 
					
				
				
			
		