Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2835 Discussions

Enabling TLS via SCS Hoste-based method

RKell5
Beginner
‎08-09-2017 06:32 AM
1,927 Views

My office pc has an AMT 11 enabled board, and I want to switch it on/off and reboot out-of-band via Internet (port 16992).

 

I've managed to get the WebUI of AMT working perfectly, but the conncetion is not encrypted. So I want to enable the TLS function of AMT (port 16993).

From the documentation I learned that I should choose the Host-based Provisioning method which is provided by Intel's configuration utility (ACUconfig.exe). The utility works and is able to modify some settings in my board's AMT/ME firmware. But if I check the TLS box and enter certificate files, it doesn't work anymore but displays "File decryption failed".

So far I used a self-signed certificate, created by the Manageability Director tool and exported as files. Maybe this is a wrong way. How can I enable TLS? I don't need remote provisioning, KVM, SOL etc. I need WebUI only, but with TLS.

0 Kudos

Link Copied

4 Replies
Alan_A_Intel2
Employee
‎08-23-2017 04:58 PM
962 Views

Translator

You'll need to make sure your certificate and private key are in the correct format. Using the Manageability Director tool you'll want to make sure you select either Intel AMT Remote Console Certificate or All Permissions Certificate and enter the FQDN of the AMT computer for the Common name. Once created you will need to save off the certificate as a base-64 .CER file as well as a .PFX file that includes your private key.

Take the PFX file and extract the private key using Openssl.

  1. Openssl pkcs12 –in c:\path\cert.pfx –out c:\path\cert.key
  2. Enter password used to secure PFX certificate
  3. Enter a PEM pass phrase
  4. Verify PEM pass phrase

After extracting your private key you'll need to convert the Encrypted Private Key file to an RSA Private Key.

  1. Openssl rsa –in c:\path\cert.key –out c:\path\newcert.key

The new private key should begin and end with:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

Use this new private key in your configuration profile.

Regards,

Alan

0 Kudos
Copy link
RKell5
Beginner
‎08-25-2017 02:15 AM
962 Views
In response to Alan_A_Intel2

Thanks for your answer. I had to modify your receipe slightly, because the Manageability Director exports binary .cer but not base64 .cer. So I imported the binary .cer into the Windows Cert Manager and exported it back as a base64 .cer file.

Then, after having followed all remaining steps of your receipe, I had the two files as described in Intel(R)_AMT_Configuration_Utility.pdf V11.1. But it doesn't work.

Log file:

 

2017-08-25 10:12:32: Thread:5384(ERROR) : ACU.dll, Category: Configure Profile Source: ACUDll.cpp : ConfigureAMT Line: 1905: Failed to read certificates from given files. Reason: File decryption failed.

 

2017-08-25 10:12:32: Thread:5384(ERROR) : RDESK3, Category: Configure Profile Source: ACUDll.cpp : ConfigureAMT Line: 2389: Configure Profile Failed: File decryption failed. (0xc000028f).

 

2017-08-25 10:12:32: Thread:5384(DETAIL) : localhost, Category: end function Source: ACUDll.cpp : ConfigureAMT Line: 2499:

 

2017-08-25 10:12:32: Thread:5384(ERROR) : ACU.dll, Category: Profile Configuration Source: ACUDll.cpp : ClientControlConfiguration Line: 3399: File decryption failed. (0xc000028f).

 

2017-08-25 10:12:32: Thread:5384(DETAIL) : ACU Configurator , Category: -END- Source: ACUDll.cpp : ClientControlConfiguration Line: 3418: ***** END

I could look into ACUDll.cpp but there are no source files available?

In response to Alan_A_Intel2
0 Kudos
Copy link
Alan_A_Intel2
Employee
‎08-28-2017 12:18 PM
962 Views
In response to RKell5

When you open your key file how does the BEGIN and END read, what's the exact text?

-----BEGIN RSA PRIVATE KEY-----

OR

 

-----BEGIN ENCRYPTED PRIVATE KEY-----

Also, did you install the Manageability Director Self-signed Root certificate into the target client's Computer account Trusted Root Certificate store?

Regards,

Alan

In response to RKell5
0 Kudos
Copy link
RKell5
Beginner
‎08-29-2017 05:27 AM
962 Views
In response to RKell5

"When you open your key file how does the BEGIN and END read, what's the exact text?"

Copy from the file:

-----BEGIN RSA PRIVATE KEY-----

and

-----END RSA PRIVATE KEY-----

"did you install the Manageability Director Self-signed Root certificate into the target client's Computer account Trusted Root Certificate store"

Yes, I did. Additionally I put a copy into the Admin account Trusted Root Certificate store.

In response to RKell5
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.