Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Setting up Intel EMA to use VPro out-of-band KVM

NeroDo
Beginner
8,159 Views

Hi there,

 

I'm looking for advice and clarification on how to set up Intel EMA to use the vPro out-of-band feature.

Client system : Intel AMT 16.1.25 and earlier

Server Intel EMA version: 1.10.1.0

 

We have a large number of machines (>100) from DELL that have vPro capability and have been relying on MeshCommander for remote KVM. However, starting with Intel AMT version 14.x.x and higher, we have seen an issue with MeshCommander remote KVM crashing while our application is running. We are trying to assess using Intel EMA and vPro as a whole.

 

We have been trying to set up a test system in the lab with 2 machines: one running our normal application (client) and one running every component of Intel EMA.

 

We have the vPro TLS PKI cert and have been able to import it into the server. Setting up the profile as TLS relay (no CIRA) works, but the Hardware Manageability tab does not work and keeps loading. Setting the profile as CIRA always works, but again the Hardware Manageability tab does not work and keeps loading, and now the terminal tab is greyed out as well.

 

My first question is: can Hardware Manageability work without a CIRA connection? I have seen no mention in the user guide or anywhere else that it cannot.

Second, does the CIRA connection work with a static IP? The user guide states that CIRA works with both DHCP and static IP.

NeroDo_1-1691377677603.png

But the troubleshooting CIRA article states that remote manageability only works with DHCP:
https://www.intel.com/content/www/us/en/support/articles/000059019/software/manageability-products.html

NeroDo_2-1691377780134.png

On the target machine, IMSS is showing "disconnecting":

NeroDo_3-1691377906711.png

 

Please advise, 

 

25 Replies
Victor_G_Intel
Employee
7,237 Views

Hello NeroDo,


Thank you so much for contacting Intel customer support,


To investigate this further we will require the information below:


What do you mean by the following: "We have been trying to set up a test system in the lab with 2 machines. 1 running our normal application (client) and one running every component of Intel EMA"? Do you have one computer provisioned and the other one not, or are both computers fully provisioned?


In your test environment, are the provisioned machines in Admin Control Mode (ACM) or Client Control Mode (CCM)?


We will require some pictures of the certificate you are using with EMA; specifically, we will require a screenshot showing the full Enhanced Key Usage tab, the full Certification Path tab, and the OID. Additionally, you will have to make sure all the certificates found in the certificate path of the EMA certificate are SHA256.


Please run the Intel® EMA configuration tool on both computers in your test lab and send the log below from each system.


Intel® EMA Configuration Tool


https://www.intel.com/content/www/us/en/download/19805/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

 

Installation:


Double-click the .msi file and follow the prompts.

 

Run:

a- Open a command prompt as administrator.

b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c- Run the command: EMAConfigTool.exe -filename XXXX -verbose


Best regards,

 

Victor G.

Intel Technical Support Technician


NeroDo
Beginner
7,229 Views

Hi. Thank you for your response.

 

Test set up:

"We have been trying to set up a test system in the lab with 2 machines. 1 running our normal application (client) and one running every component of Intel EMA"

Client: DELL Optiplex 7000 Small Form Factor 

Server: Intel NUC v11 as Intel EMA server

 

Both PCs are on the same subnet.

 

Please address my questions:

  1. Does hardware manageability work without a CIRA connection?
  2. Does CIRA work with a static IP?

Certificate 

NeroDo_1-1691537927804.png

 

The client machine is successfully provisioned in ACM, but Hardware Manageability is stuck loading.

 

NeroDo_0-1691537726120.png

 

The EMA config log file is attached.

 

Some more info: testing the connection to port 8080 of the CIRA server defined in EMA as amt.icm.aero was successful.

 

 

Victor_G_Intel
Employee
7,212 Views

Hello NeroDo,

 

Thank you so much for your response.

 

To continue can you please help us with the information below:


Did you make sure to un-provision the client system from MeshCommander before trying to provision it with EMA?


The log you previously provided from the endpoint shows a line that says "AMT false", which means that either AMT is not fully supported or is not enabled. Can you please check if AMT is enabled in the client's BIOS?


We appreciate the pictures you sent; however, we need to make sure all the certs in the certificate chain of the EMA certificate are using SHA256. To check that, please go into each one of the 4 lines shown there (Sectigo AAA, USERTrust RSA, Sectigo RSA, and amt.icm.aero) and send us a picture of the Details tab of each line.


We will also need to see the Enhanced Key Usage field found in the Details tab of the amt.icm.aero certificate; therefore, please send a picture of that as well.


We will need the following logs as well:


EMA logs from Server


Default path: [System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs


To answer your questions:


Does hardware manageability work without a CIRA connection?


R/ Yes, it should work, but using TLS relay requires you to have at least two endpoints so they can communicate with each other; if you only have one, hardware manageability won't work.


Does CIRA work with static IP?


R/ Yes, it does; the article you mentioned will be updated.


Best regards,

 

Victor G.

Intel Technical Support Technician


NeroDo
Beginner
7,203 Views

Hi Victor,

 

Thank you for your response. 

 

Q/ Did you make sure to un-provision the client system from MeshCommander before trying to provision it with EMA?

 

R/ Yes. I have not used MeshCommander for this client for a while and have been testing only with Intel EMA and Intel Manageability Commander. Every time, I make sure to un-provision Intel AMT by following this process:

  • Uninstall EMAAgent from the client PC
  • Stop managing the client from the Intel EMA server
  • Restart the PC and disable both the Intel AMT manageability feature and Intel AMT in MEBx
  • Restart the PC and enable Intel AMT again in MEBx

Q/ The log you previously provided from the endpoint shows a line that says "AMT false", which means that either AMT is not fully supported or is not enabled. Can you please check if AMT is enabled in the client's BIOS?

 

R/ I'm assuming you are referring to the SMBIOS section. I don't think this is correct. I use the Intel EMA agent remote provisioning method, following this process:

  • Enable Intel AMT in BIOS
  • Configure and enable remote provisioning/configuration with the TLS PKI DNS set to amt.icm.aero and the Provisioning Server DNS being amt.icm.aero
  • The client machine turned up in Intel EMA as fully provisioned, so I believe AMT is enabled and there's no issue with the certificate

Certificate:

  • amt.icm.aero
    NeroDo_2-1691628185853.png
    NeroDo_3-1691628215856.png

     

     


  • Sectigo RSA Domain Validation Secure Server CA
    NeroDo_4-1691628298808.png
    NeroDo_6-1691628367633.png

     



  • USERTrust RSA Certification Authority
    NeroDo_7-1691628459873.png

     



I see that, other than the main cert (amt.icm.aero), the other certs use SHA384 instead of SHA256. Are you saying all of the certs in the chain must be SHA256? We purchased this cert from an official vendor with a specific note that it is to be used for Intel AMT provisioning. So we must specify to them that all the certs in the chain MUST be SHA256? On a related note, if all certs in the chain are SHA256, can I use it for a TLS connection using Intel Manageability Commander as well?

 

The server log will be uploaded later.

 

Kind regards,
Victor_G_Intel
Employee
7,185 Views

Hello NeroDo,

 

Thank you so much for your response.


We believe there has been a misunderstanding: the certs must be at least SHA256 if you are using AMT version 14 and up, but they don't necessarily need to be exactly SHA256; if they are at least that, they are fine based on the AMT version you have. In regards to this: "If all cert in the chain is SHA256, can I use it for TLS connection using Intel Manageability Commander as well?" Manageability Commander (MC) needs the meshroot cert that gets created when EMA gets installed, not the PKI cert. This works as follows: the endpoints have to be provisioned within EMA so they can pull the EMA cert so it can be used for MC; that way the endpoints will be able to recognize who they are speaking to.


We will be waiting for the pending log, feel free to provide it whenever you can so we can continue.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


NeroDo
Beginner
7,133 Views

Hi there, 

 

Attached is the EMALog. It's been a while since the last commission, so you might need to look back a bit.

 

Regarding the certificate, the provided cert is perfectly valid to be used to provision Intel AMT remotely, right?

 

For Intel MC, from what you are saying, can Intel MC only be run from the Intel EMA server? Or is there a way to import the meshroot cert from the Intel EMA server into another server for Intel MC to be used there?

 

If a fresh log is needed, I can unprovision a client machine and provision it again.

 

Kind regards,
Victor_G_Intel
Employee
7,112 Views

Hello NeroDo,

 

Thank you so much for your response.


We appreciate that you shared with us the images from the certificates; however, remember that your certificate has 4 lines, and usually, from our experience, problems like yours are present when one or more lines are not at least SHA256. The only line for which we are still missing the Details tab and the Enhanced Key Usage is the certificate line called Sectigo (AAA); therefore, please provide a picture of it.


Additionally, we will require a picture of how the endpoint is seen from the EMA console once you open the EMA web GUI and select the endpoint.


Also, in order to see if the Hardware Manageability tab can start working, please try to stop the EMA server service directly from the client's OS by going to the Services tab. Once you find the EMA service, stop it by right-clicking on it and selecting the option to stop it; once stopped, do the same but this time select the option to restart it.


In regards to your questions please find them answered below:


Regarding the certificate, the provided cert is perfectly valid to be used to provision Intel AMT remotely right?


R/The provided certificate and most of its lines look great to us; nevertheless, we need to verify that the Sectigo (AAA) line is also at least SHA256, once we do, we would be able to confirm that the cert is okay.


For Intel MC, from what you are saying, can Intel MC only be run from the Intel EMA server? Or is there a way to import the meshroot cert from the Intel EMA server into another server for Intel MC to be used there?


R/ You can export the mesh root certificate from EMA and import it into an endpoint in order to be used with Intel MC for communication; however, we recommend sticking to EMA instead of using MC, since EMA is our most supported tool.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


NeroDo
Beginner
7,107 Views

Hi there,

 

Thank you for your response.

 

Here is the screenshot of the AAA (Sectigo) certificate:

NeroDo_0-1692060288735.png

Indeed, it is not SHA256. What should be the correct details for this certificate?

The main certificate for this domain has 4 certs in the chain:

NeroDo_1-1692060378075.png

 

The vendor provided each cert separately. I used OpenSSL to create a PFX file with only the first 3 certs in the chain and the private key to be able to import it into the EMA server. Do I have to use all 4 certs once I get the AAA cert reissued with SHA256 or up?

NeroDo_2-1692060577903.png

Here is the machine in Intel EMA:

NeroDo_3-1692061542387.png

NeroDo_4-1692061581442.png

The EMA server has been restarted and the machine re-provisioned, with no change.

 

Attached are both the EMA agent and server logs.

 

Kind regards,
Victor_G_Intel
Employee
7,089 Views

Hello NeroDo,

 

Thank you for your response.

 

According to the images that you sent, the Sectigo (AAA) certificate is indeed SHA1; therefore, you will need to contact Sectigo's support directly and ask them to help you by providing a SHA256 version of it. Once you have it, you will need to completely remove the SHA1 version of that certificate from the system and then import the new version, making sure that it is imported correctly. If you eventually need help with importing the new cert, don't hesitate to let us know once you have it.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


Victor_G_Intel
Employee
7,011 Views

Hello  NeroDo,

 

Were you able to check the previous message we sent?  

 

Please let us know if you need further assistance.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


NeroDo
Beginner
7,004 Views

Hi there,

 

The certificate vendor has advised us that the AAA (Sectigo) root certificate can only be issued with SHA1. Given that Intel AMT on the client machine can be activated remotely into ACM mode, I don't think it's a certificate issue.

 

Is there anything else we can look into regarding both the CIRA connection and the Intel Manageability Commander (MC) TLS connection issue?

 

For Intel MC, does it help if I send you the mesh root certificate from both the client and the server?

 

Kind regards,
Victor_G_Intel
Employee
6,978 Views

Hello NeroDo,

 

Thank you so much for contacting Intel customer support,


Please let me review this information internally, and kindly wait for an update.

 

Once we have more information to share, we will post it on this thread.


Best regards,

 

Victor G.

Intel Technical Support Technician


NeroDo
Beginner
6,967 Views

Hi there,

 

I have been able to provision 2 machines on the local network with TLS relay (CIRA is still not working).

 

NeroDo_0-1692839554510.png

I am able to connect to the Hardware Manageability tab after provisioning:

NeroDo_1-1692839591286.png

Steps taken that did the trick:

  • Change the PFX containing the AMT cert to include all 4 certificates in the chain (before, it was missing the AAA cert)
  • Re-upload this PFX to the EMA server
  • Install the PFX on the client machine

Another machine using CIRA is still not working:

NeroDo_2-1692840584848.png

Log attached. 

 

 

Victor_G_Intel
Employee
6,944 Views

Hello NeroDo,

 

Thank you for your patience.


After reviewing your situation: based on the AMT version your endpoint has, the recommended encryption level for the certificates you have is SHA256 or higher.

 

In this case, we recommend you have the vendor provide you with a Sectigo AAA that is SHA256, or look into the possibility of manually removing the SHA1 cert.

 

Additionally, another workaround that has worked in other situations we have had is to go to the certificate repository on the vendor's website and download a copy of the root cert, but you will have to make sure that this root cert does not point to the Sectigo AAA cert. Once this has been downloaded, you will have to go into the PC's cert store and delete the root cert that points to the Sectigo AAA, then import the new root cert and export the PFX with the new chain.


Best regards,

 

Victor G.

Intel Technical Support Technician


NeroDo
Beginner
6,890 Views

Hi there,

 

Thank you for your input. I will try to contact the vendor again and try to sort out the certificate as per your instructions. However, I don't see how this certificate issue is related to my problem.

 

Intel EMA Hardware Manageability KVM crashed then failed to recover

 

The KVM works for up to 30 minutes, then crashes, fails to reconnect, and stays on a black screen as below:

NeroDo_0-1692936333946.png

 

This same problem occurred when using MeshCommander with higher versions of Intel AMT (14.000 onward).

Intel Management and Security Status on the client machine is still showing the KVM remote connection as connected:

NeroDo_1-1692936333932.png

 

Restarting the Intel EMA server does not re-establish the connection. Nothing seems to work aside from restarting the client machine.

 

The client machine is managed/provisioned using a TLS PKI certificate in TLS relay mode:

NeroDo_2-1692936333952.png

 

Logs are attached.
MIGUEL_C_Intel
Moderator
6,866 Views

Hello, NeroDo,


Thank you for sharing the pictures with the summary of the issue.


TLS relay works when there are 2 endpoints discoverable; if one unit is off, the connection to the second unit will fail.


I understand you are interested in the Out-of-band connection. The best option is the CIRA mode with the Admin Client Mode. 


As background, endpoints can be managed by only 1 application at a time; if you provision the endpoint with MeshCommander, EMA manageability will fail.


CIRA supports DHCP and Static; for Dynamic, DHCP option 15 needs to be enabled in the router.


Certificate considerations:

The first line of your certificate, Sectigo AAA, is SHA1; it needs to be SHA256 or higher.

The DNS PKI suffix of the Certificate needs to match your company domain, for example, intel.com or ema.intel.com.  It is different from the FQDN of the EMA instance.

The DNS PKI suffix has some restrictions; amt.icm.aero is not supported.

The link below gives the supported options.

PKI Certificate Verification Methods

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsetupandconfigurationofintelamt.htm


I suggest changing the certificate DNS suffix; the chain needs to be SHA256.

Install the new certificate.

Then, stop managing all the endpoints from the EMA console; if you use the random password method, keep the password for accessing each endpoint.

Erase the old EMA agent file from the endpoint.

Perform a full unprovisioning of the endpoint:

https://forums.ivanti.com/s/article/How-To-Unprovision-vPro?language=en_US

Provision the endpoint with a fresh EMA agent profile.


I will wait for the outcome of the troubleshooting.


Regards,

Miguel C.

Intel Customer Support Technician


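Two checks recur in this thread: every line of the provisioning certificate chain must be signed with SHA-256 or stronger (the Sectigo AAA root here was SHA-1), and the PFX imported into EMA must carry the whole chain (the first PFX had only 3 of the 4 certs). The script below is an added example, not code from the thread or from Intel; it reads a PEM chain with a minimal DER parser (standard library only), reports each certificate's signature algorithm, and flags chains that are weaker than SHA-256 or shorter than expected. The sample chain at the bottom is constructed from skeletal DER stand-ins, not real certificates; the OID table is an assumption of which algorithms a practitioner is likely to meet.

```python
import base64
import re

# Signature-algorithm OIDs seen in provisioning chains (assumed list); True = at least SHA-256.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OID content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm field of a DER certificate."""
    _, cert, _ = der_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, _, pos = der_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_tlv(alg_id, 0)         # its first element is the algorithm OID
    return decode_oid(oid)

def chain_report(pem_text):
    """Per PEM block, in file order: (index, algorithm name, acceptable)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    oids = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blocks]
    # An unknown OID is reported by number and treated as not acceptable.
    return [(i, *SIG_ALGS.get(oid, (oid, False))) for i, oid in enumerate(oids)]

def chain_problems(pem_text, expected_count=None):
    """Findings for the thread's two checks: every line >= SHA-256, and the full chain is present."""
    report = chain_report(pem_text)
    problems = [f"cert {i}: {name} is weaker than SHA-256" for i, name, ok in report if not ok]
    if expected_count is not None and len(report) != expected_count:
        problems.append(f"chain has {len(report)} certificates, expected {expected_count}")
    return problems

def _pem(der_hex):
    b64 = base64.encodebytes(bytes.fromhex(der_hex)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

# Constructed stand-ins, not real X.509 certs: a skeletal Certificate SEQUENCE whose only
# realistic field is signatureAlgorithm (sha256WithRSAEncryption vs sha1WithRSAEncryption).
OK_CERT = _pem("30183003020101300d06092a864886f70d01010b050003020000")
SHA1_CERT = _pem("30183003020101300d06092a864886f70d010105050003020000")
SAMPLE_CHAIN = OK_CERT * 3 + SHA1_CERT  # three SHA-256 lines plus a SHA-1 root, as in the thread
```

Run it against the PEM export of the PFX you intend to upload (for example the output of `openssl pkcs12 -in file.pfx -nokeys`) with `expected_count` set to the number of certificates the vendor issued.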
Victor_G_Intel
Employee
6,685 Views

Hello  NeroDo,

 

Were you able to check the previous message we sent?  

 

Please let us know if you need further assistance.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


NeroDo
Beginner
6,675 Views

Hi there,

 

We are in the process of obtaining a valid AMT cert as recommended. I will update once we have the certificate and have more testing results.

Kind regards
Victor_G_Intel
Employee
6,657 Views

Hello NeroDo,


We hope this message finds you well.


We will be waiting for your response.


Best regards,


Victor G.

Intel Technical Support Technician  


Victor_G_Intel
Employee
6,571 Views

Hello NeroDo,

 

We hope this message finds you well.

 

Do you have any updates for this thread?


Best regards,


Victor G.

Intel Technical Support Technician

