Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
3043 Discussions

Intel EMA setup CCM to ACM

AndrewChan
Beginner
3,169 Views

Setting up a Proof of Concept for OOB management/support.

My ultimate goal of this PoC is to have clients on ACM and CIRA.

I don't have the Public Certificate (PoC right?), I enrolled my own AMT certificate with a cert template with that needed OID 2.16.840.1.113741.1.2.3.

 

I have emaconfigtool result attached.

 

A few questions

1. Do CIRA and ACM go together? Must CIRA be working to have ACM?

2. When I import the EMA cert into the EMA, do I need to import a full cert with public key and private key, or is the one with the public key enough, given that the full cert is enrolled in the server's cert store?

 

 

0 Kudos
12 Replies
Arun_Intel1
Employee
3,104 Views

Hi Andrewchan,


Greetings!


1. Do CIRA and ACM go together? Must CIRA be working to have ACM?

CIRA is Client Initiated Remote Access, which works in both CCM (Client Control Mode) and ACM (Admin Control Mode). It is the Intel AMT PKI cert that needs to be used for EMA to work in ACM.


2. When I import the EMA cert into the EMA, do I need to import a full cert with public key and private key, or is the one with the public key enough, given that the full cert is enrolled in the server's cert store?


The public key should be used to enroll in the server's cert store.


Please refer to 3.5.1 Upload Intel® AMT PKI Certificates, in the link given below :

 

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf



Best Regards

Arun_Intel


Arun_Intel1
Employee
3,104 Views

.

AndrewChan
Beginner
2,995 Views

Isn't Intel SCS deprecated?

Is ACUConfig still a supported application?

AndrewChan
Beginner
3,014 Views

I am stuck in CCM and have been troubleshooting for some time. Also, CIRA is not connecting,

as I am using an internal CA.

 

What's the most common thing I can check on that?

Arun_Intel1
Employee
2,980 Views

Hi AndrewChan,

 

Greetings!

 

Client Control Mode does not require the certificate chain. In CCM, user consent is necessary to access the endpoint.

Please make sure that the server and the endpoint are in the same domain. For the initial configuration, make sure the OS (Windows 10/Windows 11) is running on the endpoints, and please use a wired connection.

If you are using a Wi-Fi connection, make sure that the machine has an embedded Intel Wi-Fi NIC card.


For the first time, I suggest creating a profile for CCM and a second profile for ACM. Test the provisioning in CCM and share the ECT logs with us, along with the provisioning results. For the initial configuration, updating the endpoint BIOS and drivers is a good practice.


Steps to collect the ECT logs:

 

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

 

Installation:

Download and unzip the tool.

Double-click the .msi file and follow the prompts.

 

Run:

a. Open a command prompt as administrator (alternatively, you can run the tool from Windows PowerShell*).

b. Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c. Run the command: EMAConfigTool.exe --verbose

 

Best Regards

Arun_Intel


Arun_Intel1
Employee
2,909 Views

Hi AndrewChan,


Greetings!


This is a first follow-up. Kindly confirm whether you were able to execute the plan of action shared, or whether there are any concerns that you are facing.


Best Regards

Arun_Intel

 


AndrewChan
Beginner
2,834 Views

Thanks for the reply.

I first attach the log files of the EMA server.

Seems there's a cert issue.

I'd like to ask: I am using an internal CA, for which I know I need to manually insert the hash in the MEBx.

The CA is SHA256 and, from what I've read, the MEBx interface does not support input of SHA256 hashes, as anything entered is SHA1.

Is it a must to insert the CA hash using the USBfile tool?

vij1
Employee
2,810 Views

Dear Andrew,


Thank you for reaching out to us regarding your Proof of Concept setup for OOB management/support.


To address your questions:

1. CIRA and ACM can work together, but CIRA is not a prerequisite for ACM to function.

2. When importing the EMA cert into the EMA, you only need to import the cert with the public key, as the full cert is already enrolled in the server's cert store.


Yes, it is a must to use the USB tool.


https://www.intel.com/content/www/us/en/support/articles/000059996/software.html 


If you have any further questions or need assistance with the setup, please feel free to reach out.


Best regards,

Vijay Nalla.


AndrewChan
Beginner
2,751 Views

ACM and CIRA are connected now.

Manually entered the PKI DNS suffix and the server IP/FQDN.

Also, the main issue was that the EMA server had Splunk installed, which also listens on port 8089, similar to the case below:

https://community.intel.com/t5/Intel-vPro-Platform/Invalid-certificate/m-p/1508547

Uninstalled Splunk and things got connected; now I have a desktop PoC working.

Next step: provision AMT on 802.1x Wi-Fi clients; they use certificates to authenticate.

Arun_Intel1
Employee
2,742 Views

Hi Andrewchan,


Greetings!


Glad to hear that the issue has been resolved. Please complete the next plan of action and keep us posted about the status of the issue.


Best Regards

Arun_Intel


Arun_Intel1
Employee
2,623 Views

Hi Andrewchan,


Greetings!


This is the second follow-up. Kindly confirm whether the issue has been resolved and whether we are good to close this case.


Best regards

Arun_Intel


AndrewChan
Beginner
2,468 Views

Yes, please close.

The lessons here are:

1. For testing/PoC, if the CA is SHA256, you must use USBtool to create a provisioning USB to add them into MEBx.

2. Same for testing/PoC: you need to manually enter the DNS suffix of the provisioning server, so for server01.domain.com you need to enter domain.com.

3. Port 8089 was occupied by other apps.

 

Thanks

 

Andrew
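
The three lessons above can be checked on the EMA server before provisioning. The following PowerShell is an added example, not part of the original thread and not Intel tooling; it assumes an elevated session on the server, that the provisioning certificate sits in the LocalMachine\My store, and it uses the post's own `server01.domain.com` as a placeholder FQDN.

```powershell
# Added example. Run in an elevated PowerShell session on the Intel EMA server.
$ServerFqdn = 'server01.domain.com'      # placeholder FQDN taken from the post
$AmtOid     = '2.16.840.1.113741.1.2.3'  # EKU OID quoted in the thread
$Port       = 8089                       # port the thread found occupied

# Lesson 3: which process, if any, already listens on the port?
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
foreach ($l in $listeners) {
    $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    '{0}:{1} held by PID {2} ({3})' -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $p.ProcessName
}
if ($listeners.Count -eq 0) { "Nothing is listening on TCP $Port" }

# Lesson 2: the DNS suffix is the FQDN without its host label.
$labels = $ServerFqdn.TrimEnd('.').Split('.')
if ($labels.Count -lt 2) { throw "Not a fully qualified name: $ServerFqdn" }
$suffix = $labels[1..($labels.Count - 1)] -join '.'
"PKI DNS suffix for $ServerFqdn : $suffix"

# Lesson 1: find certificates carrying the AMT EKU and report their root CA.
function Test-AmtEku([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $AmtOid) { return $true } }
        }
    }
    return $false
}
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-AmtEku $_ })
if ($certs.Count -eq 0) { "No certificate in LocalMachine\My has EKU $AmtOid" }
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($c in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $built = $chain.Build($c)   # false if the chain is incomplete or untrusted on this host
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject          = $c.Subject
        HasPrivateKey    = $c.HasPrivateKey
        ChainBuilt       = $built
        RootSubject      = $root.Subject
        RootIsSelfSigned = ($root.Subject -eq $root.Issuer)
        RootSigAlg       = $root.SignatureAlgorithm.FriendlyName
        RootSha1         = $root.Thumbprint
        RootSha256       = ($sha256.ComputeHash($root.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
    }
}
```

If `RootIsSelfSigned` is false, the chain stopped at an intermediate and the hashes shown are not those of the root CA.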
