
Upgrade Intel EMA from 1.6 to 1.11

George71
Beginner
11,986 Views

Hello,

 

we are trying to upgrade our Intel EMA from 1.6.0.0 to 1.11.0.0.

 

The installation ends with an error: "This target recovery cert cannot be saved in cert store. The thumbprint:78...." .

 

How can I solve the problem?

 

BTW, where can Intel EMA 1.10 or 1.9 be downloaded?

 

Thanks

0 Kudos
49 Replies
George71
Beginner
3,524 Views

Hello, Miguel,


We are dealing with version 1.11.0 and it runs on Windows Server 2016. We have Windows Server 2016. We don't want to install a newer one just yet. Therefore, it is not even necessary to enable older TLS. Versions 1.11.0 and 1.11.1 behave equally badly.

 

Regards

George71

 

0 Kudos
MIGUEL_C_Intel
Moderator
3,513 Views

Hello, George71,


The new security update affects the server and the endpoints. The validation between them is impossible if the old TLS protocols are closed.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
3,489 Views

Hello, Miguel,

 

yes, I have verified that TLS 1.0 is still working.

 

Regards

George71

0 Kudos
MIGUEL_C_Intel
Moderator
3,479 Views

Hello, George71,

 

1) Do you mind clarifying your last post?

 

Intel® EMA updates since version 1.8 finished the TLS 1.0 support. Intel® Core processors Gen 12 and 13 only support TLS 1.2.  

 

2) Did you enable TLS 1.0 with the Nartac software?

 

3) Please perform the following steps

Open the Manage Computer Services tool in the EMA Server

Go to the Personal Certificate store.

Open the Certificate

From the Certification Path tab, select the Root; as an example, from the Picture, it is Sectigo (AAA)

Review Root Cert.PNG

Click the View Certificate icon.

From the new window, select the Details tab.

Could you check if it says SHA or SHA256?

 

I look forward to your reply.

 

Regards,

Miguel C.

Intel Customer Support Technician

 

0 Kudos
George71
Beginner
3,470 Views

Hello, Miguel,

 

1) Yes, I have verified that TLS 1.0 is still working. = In Windows Server 2016, TLS 1.0 is not disabled (Client and Server) in the HKLM registry keys. The Nartac software is only a GUI for these registry keys.

 

2) So yes, the Nartac software shows TLS 1.0,1.1,1.2,1.3 (server and client protocol) enabled.

 

3) You already asked about this. I replied in a post dated 09-04-2023 01:56 PM.

 

Regards

George71

0 Kudos
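The two checks discussed in the posts above (the Schannel registry keys that the Nartac GUI edits, and the signature algorithm of each certificate in the chain from the Personal store) can also be read from PowerShell. This is an added, read-only example, not from Intel or from either poster; it assumes the EMA server certificate is in the LocalMachine Personal store, and the helper name `Get-ValueOrDefault` is hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the server.
# Assumption: the EMA server certificate is in Cert:\LocalMachine\My (Personal store).

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Hypothetical helper: return a registry value, or a marker when it is absent.
function Get-ValueOrDefault($Object, [string]$Name) {
    if ($null -ne $Object -and $null -ne $Object.$Name) { $Object.$Name }
    else { 'not set (OS default)' }
}

# 1) Schannel protocol overrides. A missing key or value means no override,
#    so Windows applies its built-in default for that protocol and role.
#    Enabled = 0 disables the protocol; DisabledByDefault = 1 keeps it off
#    unless an application asks for it explicitly.
$protocolState = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    foreach ($role in 'Client', 'Server') {
        $key  = Join-Path $base "$proto\$role"
        $vals = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = Get-ValueOrDefault $vals 'Enabled'
            DisabledByDefault = Get-ValueOrDefault $vals 'DisabledByDefault'
        }
    }
}
$protocolState | Format-Table -AutoSize

# 2) Signature algorithm of every certificate in each chain (leaf first, root last).
#    FriendlyName reads e.g. sha1RSA or sha256RSA, the same information as the
#    Details tab of the certificate viewer.
$chainReport = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Inspect only; do not contact the network for revocation data.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)
    foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Leaf               = $cert.Subject
            ChainCertificate   = $element.Certificate.Subject
            SignatureAlgorithm = $element.Certificate.SignatureAlgorithm.FriendlyName
            NotAfter           = $element.Certificate.NotAfter
            Thumbprint         = $element.Certificate.Thumbprint
        }
    }
}
$chainReport | Format-List
```

Run it from an elevated PowerShell session on the EMA server so the LocalMachine store and the registry keys are readable.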
MIGUEL_C_Intel
Moderator
3,459 Views

Hello, George71,


Thank you for your confirmation, please allow me time to review all the documentation provided.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
3,450 Views

Hello, George71,

We reviewed the symptoms of the EMA software version update from 1.6 to 1.11.1, and our conclusion is related to the operating system. Windows Server 2016 is old; the mainstream support expired on 11/01/2022.  It seems some crypto files are missing.

George71, we encourage you to create a development environment (virtual machine) with a fresh installation of Windows Server 2022.
It is possible to continue using the old Database.  Create a backup of the Certificates (MeshSettingsCertificate), and import the keys.  Use the same Admin User for the OS installation in the new EMA server.
Remember only one EMA instance can run at a time.

Regards,
Miguel C.
Intel Customer Support Technician

0 Kudos
George71
Beginner
3,421 Views

Hello, Miguel,

Windows Server 2016 is supported until 11/01/2027 (extended). Intel EMA 1.11.0 is supported on Windows Server 2016. I see no reason why it shouldn't work. The problem is with Intel EMA, not the OS. Intel EMA doesn't display the status well, but everything works. For what reason would the OS be to blame?
I can take a snapshot and upgrade the OS to Windows Server 2019 (mainstream support until 2024), if that's the only way.
Were the supplied logs useless? Wouldn't it be better to make a better debug log?

Regards,
George71

0 Kudos
MIGUEL_C_Intel
Moderator
3,408 Views

Hello, George71,


We apologize for the inconvenience. Intel and Microsoft have implemented security features and they block the communication between the EMA server and the endpoints.


Jumping to Windows Server 2019 would be an excellent idea. Remember to keep a backup of the EMA SQL DataBase and MeshCertSettings outlined in the EMA installation guide section 1.4.1- Backup Important Data

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=11


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
3,398 Views

Hello, George71,


I want to add some clarifications to my previous post.


We (Intel) are not saying the issue is related only to Microsoft OS.  There is a tight relationship between the OS and EMA.  Microsoft will continue releasing security patches, but Windows Server 2016 will no longer extend its functionality beyond 11/01/22, which likely implies new functionality like upgraded crypto libraries.  


I am adding for reference the changes experienced with the new EMA version 1.11.0, section 3 of the Release Notes PDF.

https://downloadmirror.intel.com/646990/Intel_EMA_Release_Notes.pdf#page=9

  • Microsoft Windows Server 2019 (Note: The getPFX API requires the Intel EMA server to be installed on Windows Server 2019 or later)
  • Microsoft Windows Server 2022 (Note: Crypto for Intel ME 11 systems is disabled by default on Windows Server 2022)


We need to test if Windows Server 2019 or 2022 eliminates your issues since there is a marriage between EMA and the OS that needs to be considered since loosening the crypto requirements with Nartac didn't work.  


We encourage you to test with a snapshot in a development environment.  We want to see if your issues are resolved in 2019 or 2022. 


The logs showed crypto issues, we used them for the troubleshooting. We suggested enabling the old TLS options with the third-party tool Nartac.


Look forward to your outcome.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
3,344 Views

Hello, George71,


I hope this post finds you well.


By any chance, have you been able to review my previous post?


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
3,306 Views

Hello, George71,


We will gladly provide further assistance, if necessary, do not hesitate to reply.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
3,286 Views

Hello, Miguel,

 

I installed a new, clean Windows Server 2019 + SQL 2019 + EMA 1.11.1. I migrated DB+Cert. Everything works, but the AMT setup status still wrongly shows "Pending Configuration".

 

Regards

George71

 

 

0 Kudos
MIGUEL_C_Intel
Moderator
3,277 Views

Hello, George71,


Do you mind sending the EMA Server logs? They will provide more details of the issue.  


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
3,197 Views

Hello, Miguel,

 

I sent you a private message with EMALogs.zip (08-23-2023).
Later I had questions:
Were the supplied logs useless?
Wouldn't it be better to make a better debug log?
I don't have an answer to them yet.

Why should EMA Server logs on W2019 be different from EMA Server logs on W2016?

 

Regards
George71

0 Kudos
MIGUEL_C_Intel
Moderator
3,189 Views

Hello, George71,


As I mentioned before, Microsoft Windows Server 2016 is not supported anymore with the latest versions of Intel® EMA.  There are some crypto versions not supported by this OS version.


The EMA Server logs are the best debug logs to find the issue and the solution. 


EMA logs from the Server

Default Path: [System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
3,172 Views

Hello, Miguel,

 

I am sending you a private message with EMALogs2019.zip now.
If the problem was in W2016 and its "unsupported crypto version", surely it would be described exactly in the debug EMA logs, right?
I remind you that the original version 1.11.0 still supported W2016.
I also remind you that I asked for lower versions, for example, 1.10 - 1.7. I understand the arguments that there are security issues, but they are certainly in the current working version of 1.6, and yet we are forced to use it.

 

Regards
George71

0 Kudos
MIGUEL_C_Intel
Moderator
3,153 Views

Hello, George71,


I got the EMA Server logs.  Please allow me to finish reviewing them with the engineering team.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
3,152 Views

Hello, George71,


While I finish the review with the engineering team, please let me know if you followed the update process instructions.


First, we need to keep a backup of the EMA SQL DataBase and Mesh Settings Certificate.

Both are outlined in the EMA installation guide section 1.4.1- Backup Important Data

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=13


Then, update the database connection string.

2.2 Performing an update Installation using the Setup Wizard

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-distibuted-seve-installation-and-maintenance-guide.pdf#page=40

 

4.5 Updating the database connection string.

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-distibuted-seve-installation-and-maintenance-guide.pdf#page=57

 

2.5 Intel® EMA Installer advanced mode menu bar

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-distibuted-seve-installation-and-maintenance-guide.pdf#page=47

 

Contains the database connection string (encrypted).

C:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\app.config and connections.config


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
George71
Beginner
3,134 Views

Hello, Miguel,

 

Yes, I followed the instructions.

 

Yes, the XML contains a "CipherValue", I don't know if there is a ConnectionString in it, but it probably wouldn't work without it.

 

I remind you that everything works, it just shows a strange status.

 

Regards
George71

0 Kudos
MIGUEL_C_Intel
Moderator
3,110 Views

Hello, George71,


Thank you for your feedback.


Yes, I am aware the connection between the EMA server and the new AMT workstations is working and you can see the hardware manageability details; however, you are getting the error where the Intel AMT setup status shows "Pending Configuration."


You are also getting this error message from the installer log:

"This target recovery cert cannot be saved in the cert store. The thumbprint:78...." .


George71, we appreciate your patience and all the troubleshooting performed so far.  The issue is odd, there is no documentation about it.


Please share with us the results of the workaround below:


1- Please send the EMA server Installation log, the path: [System drive]\EMALog-Intel EMAInstaller.txt


2- Go into the EMA SQL DB and check if the table dbo.EndpointHistory exists after the upgrade. Please review the status before the upgrade. Bear in mind it is necessary to keep a backup of the database and the Mesh Settings Certificate.

Both are outlined in the EMA installation guide section 1.4.1- Backup Important Data

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=13


3- For our documentation purposes, do you mind sharing the brand name, model, current BIOS version, and current Management Engine driver of any of the new machines showing the issue?


We look forward to hearing back from you.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos