Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2929 Discussions

TLS Relay Provisioned machines - Configuring IMC / MeshCommander to talk to them

Jools86
New Contributor II
2,831 Views

We have decided to use TLS Relay to provision instead of CIRA so we can connect to machines via IP address (in the event a machine gets wiped and no hostname is associated to it).

 

I have a few questions on TLS Relay provisioned machines:

 

Q1) Why do you allow this (TLS Relay) provisioning method in EMA if you then cannot connect to the AMT chip of the machine via the EMA console?

 

Q2) Intel Manageability Commander: How do we get TLS working on an Intel EMA TLS relay provisioned machine with IMC? Do we follow section 6 of this document: https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/Intel_AMT_Configuration_Utility.pdf and then use Powershell to request a certificate on each machine?

         Jools86_0-1689593909118.png

 

Q3) Bearing in mind the above, will IMC work with the latest AMT Chipset (that only allows TLS connections) provisioned TLS Relay via EMA?

 

Q4) As of July 2023, what are the supported provisioning tools for an AMT chip, is ACUConfig/ACUWizard still supported? Or is that supposed to be discontinued with SCS?

 

 

0 Kudos
12 Replies
Victor_G_Intel
Employee
2,795 Views

Hello Jools86,

 

Thank you for posting on the Intel® communities.

 

Please let me review this information internally, and kindly wait for an update.

 

Once we have more information to share, we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician 


0 Kudos
Victor_G_Intel
Employee
2,780 Views

Hello Jools86,

 

Thank you for your patience.


Please find your questions answered below:


Q1) Why do you allow this (TLS Relay) provisioning method in EMA if you then cannot connect to the AMT chip of the machine via the EMA console?


R/TLS relay is offered as a provisioning method for deployments that don’t need an out-of-band connection but an in-band connection instead. Additionally, you can connect to an AMT chip using TLS Relay.


Q2) Intel Manageability Commander: How do we get TLS working on an Intel EMA TLS relay provisioned machine with IMC? Do we follow section 6 of this document:


https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/Intel_AMT_Configuration_Utility.pdf and then use Powershell to request a certificate on each machine?


R/You have to copy the meshroot certificate from the server to the client running IMC.


Q3) Bearing in mind the above, will IMC work with the latest AMT Chipset (that only allows TLS connections) provisioned TLS Relay via EMA?


R/Yes it will.

 

Q4) As of July 2023, what are the supported provisioning tools for an AMT chip, is ACUConfig/ACUWizard still supported? Or is that supposed to be discontinued with SCS?


R/The only provisioning tools you can use for an AMT chip are EMA and the ECT (EMA configuration tool). Additionally, both SCS and the ACUConfig/ACUWizard are no longer supported and have been fully decommissioned.

  

Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,724 Views

Thanks Victor.

 

Q1) It doesn't explain why you cannot connect via EMA console to a TLS Relay machine, why allow this method of configuration if you have no tools available to connect to it, i.e. EMA and IMC dont work with a TLS Relay configured machine. This is even more pertinent as 16.x FW forces TLS connection.

Q2) I had already imported MESHROOT and I still get the TLS error (in first post), MeshCommander works fine with TLS btw.

Q3) Thanks

Q4) Thanks

0 Kudos
Avocado
Novice
2,723 Views

You have to think of it has EMA being the broker for each connection. There is no more one to one connections to the client, everything routes through EMA. 

 

So APIs would be your friend here. 

0 Kudos
Victor_G_Intel
Employee
2,629 Views

Hello Jools86,


Please let us know if you need further assistance.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,578 Views

EMA console connection is only useful for Out-of-band CIRA AMT connection (i.e. machines outside the office). What tool do we use for in-band TLS-Relay AMT connections then, bearing in mind Intel Manageability Commander does not work.

 

FYI - I like the way CIRA works, however colleagues in my team prefer to be able to connect direct via IP address so we are configuring TLS relay, but would prefer it if they didn't have to use Meshcommander or the browser to do it.

 

Why doesn't EMA provide AMT connectivity to a machine configured via TLS relay? Or provide a tool that does, as only MeshCommander and browser seems to work with our TLS relay machines, it would be neater if we could through the EMA console.

 

 

 

0 Kudos
Victor_G_Intel
Employee
2,573 Views

Hello  Jools86,

 

Thank you for your response.

 

We will analyze your request and once we have more information to share, we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
2,557 Views

Hello Jools86,

 

Thank you for your patience.

 

We appreciate your feedback and will provide it to our Product management and the dev team.

 

Don't hesitate to let us know if you need anything else or if we can move forward and close this thread.

 

Best regards,

 

Victor G.

Intel Technical Support Technician

 

0 Kudos
Victor_G_Intel
Employee
2,466 Views

Hello Jools86,

 

Were you able to check the previous message we sent?  

 

Please let us know if you need further assistance or if we can close this thread.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,450 Views

Hi Victor,

 

"Why doesn't EMA provide AMT connectivity to a machine configured via TLS relay? Or provide a tool that does, as only MeshCommander and browser seems to work with our TLS relay machines, it would be neater if we could through the EMA console."

 

Still waiting for an answer to the above.

 

Even more disturbing knowing Mesh Commander employees have been let go.

 

Julian.

0 Kudos
Victor_G_Intel
Employee
2,441 Views

Hello Jools86,

 

Thank you for your response.


In regards to your question, as previously mentioned, we have provided your feedback to our product management and dev team. For now, there is no more information to be shared regarding that question; therefore, we will proceed to close this thread; however, if you have any other questions in the future don’t hesitate to contact us back.


Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,413 Views

Thanks Victor. Got you.

0 Kudos
Reply