Intel® AMT Setup and Configuration Service: Technical Overview

Submit New Article

Last Modified On :   October 13, 2008 11:03 AM PDT
Rate
 


The Intel® Setup and Configuration Service (Intel® SCS) for Intel® Active Management Technology (Intel® AMT) is a free toolset that simplifies the preparation of hardware that supports Intel AMT for remote administration. It also provides sample configuration utility with source code that software developers can use for reference or as the basis for adding support for Intel SCS in their network management products.

By Matt Gillespie

Introduction

Businesses of all sizes can increase the efficiency of their network management and support operations using hardware that supports Intel® Active Management Technology (Intel® AMT), an integral part of platforms that support Intel® vPro™ technology. That benefit to end customers represents opportunity for software makers to add functionality to their products that support this hardware technology, helping to differentiate their network management products in the market.

Using Intel AMT in a network environment allows system administrators to remotely discover, heal, and protect Intel AMT-enabled devices in any operational state, even if they have been powered down or have a disabled operating system, as long as the system is connected to line power and the network. For an overview of the features and capabilities of Intel AMT, see the Intel Active Management Technology Overview.

As part of the introduction of this technology, Intel has provided a range of free tools for use by network administrators and makers of network management software. These include a Software Development Kit (SDK), which provides Simple Object Access Protocol (SOAP)-based application programming interfaces (APIs) and libraries. The Intel AMT Reference Design Kit (RDK) is also available, which provides a Java*-based utility for exploring the capabilities of Intel AMT-enabled platforms, as well as the means to implement those capabilities in network management applications. Details are available at the Intel® Manageability Developer Community.

Intel® Setup and Configuration Service (Intel® SCS) complements the SDK and RDK by automating the process of populating Intel AMT-managed platforms with the usernames, passwords, and network parameters that enable the platforms to be administered remotely. Intel SCS is used to set up Intel AMT devices in Enterprise Mode only—Intel AMT devices have two modes of operation: Enterprise Mode and Small/Medium Business (SMB) Mode.

An Intel AMT platform in Enterprise Mode is capable of using secure communications via Transport Layer Security (TLS) communication protocols. An Intel AMT platform operating in SMB Mode is not capable of using TLS. An Original Equipment Manufacturer (OEM) determines the initial factory mode setting of either Enterprise or Small Business. This value can be changed during the setup and configuration process.

In addition to the Intel SCS main Windows* service, which communicates with Intel AMT-enabled devices via a SOAP API, Intel SCS also provides an open source sample console application. This simple console, which ships with full source code, is useful either as a reference application for software makers or as th e basis for a more fully featured management application.

The Role of Intel® SCS for Software Vendors and Corporate IT

The functionality associated with Intel SCS is delivered to end customers as a set of value-added features in software applications from third-party software providers, including an administration console and underlying capabilities. Thus, software makers enable Intel SCS functionality in their solutions, which are installed and operated by corporate IT departments to connect Intel AMT solution ingredients together. The automation of these activities provides an efficient means of implementing Intel AMT hardware for enterprise customers, creating the opportunity for software vendors to achieve a competitive market advantage with products that streamline those implementations.

Intel SCS allows corporate IT to connect Intel AMT hardware to the network infrastructure, using widely used technologies such as Dynamic Host Configuration Protocol (DHCP), Domain Name Services (DNS), Public Key Infrastructure (PKI), and Microsoft Active Directory*. The roles of these technologies are described in the section of this paper titled "Operation of Intel SCS During Setup and Configuration." In practice, management setup and configuration solutions can use Intel SCS to provide management software with the necessary information to communicate with the managed hardware, including Intel AMT credentials, hostname data, and connection requirements.

In the context of Intel SCS, the distinction between setup and configuration is as follows:

  • Setup is the process of getting hardware that supports Intel AMT securely connected to an Intel SCS-enabled software solution. Setup involves the creation of passwords and other credentials for the hardware device on the network, which are entered into the machine's BIOS, either manually or by booting with a USB key.
  • Configuration involves delivering and maintaining configuration settings once setup is complete. These settings govern the full range of Intel AMT behaviors that concern the hardware device, including network settings, user accounts, the behavior and availability of the management engine in sleep and other low-power states, and many others.


The setup and configuration process is secured by means of Transport-Level Security (TLS). Certificate services are provided by Microsoft's Certificate Authority, automatically generating a certificate each time an Intel AMT device is set up. User names and passwords are integrated with Microsoft Active Directory using Kerberos. By providing the ability to readily implement a secure setup and configuration infrastructure for Intel AMT devices, Intel SCS greatly simplifies the implementation of this functionality for software developers, reducing solution complexity and improving time to market.

Overview of Intel SCS Architecture

Intel makes Intel SCS, including source code, publicly available; anyone can download the complete Intel SCS package for free from the Intel® Active Management Technology Setup and Configuration Service page. Installing the package requires Microsoft Windows Server* 2003 with Microsoft Internet Information Services, SQL Server*, and Microsoft Certificate Services. More complete system requirements are included in the documentation in the download package, which also includes installers for the Intel SCS server-side and client-side components, Web Services Description Language (WSDL) files to implement the Intel SCS SOAP APIs, and the sample console application with full source code.

At the core of Intel SCS is the main Intel SCS service, which resides on a Web server that is used as the setup and configuration server for the enterprise. System administrators communicate with the service by means of a secure SOAP channel from a management console application. The setup and configuration server uses SOAP to communicate with network devices that support Intel AMT,using a secure database as a data store. The major elements of the Intel SCS architecture are illustrated in Figure 1, including the following:

  • Intel SCS main service
  • Secure database
  • SOAP API
  • Intel SCS Console




Figure 1. High-level Intel® Setup and Configuration Service architecture

Each of the main components of this architecture is described in more detail below.

The Intel SCS Main Service
The primary purpose of Intel SCS is to deliver Intel AMT setup and configuration settings to Intel AMT-enabled devices, which can be located, for example, on desktop computers or workstations. Primary processes and operations carried out by the Intel SCS main service are encapsulated in the following sequence of steps:

Step 1. Pre-setup and configuration: In this step, Intel SCS generates data used to configure Intel AMT devices. This data includes passwords, as well as a USB key file that contains sets of Intel SCS credentials for individual devices. That file can be transferred to a USB key and used to configure individual Intel AMT devices.
Step 2. Setup and configuration: Once pre-setup and configuration is complete, Intel SCS delivers initial settings from the Intel SCS database to Intel AMT devices. Administrators populate these initial settings by means of profiles. Intel SCS uses these initial values to communicate securely with Intel AMT devices, to configure them and create Active Directory entries.
Step 3. Integration with Active Directory (optional): Intel SCS can integrate the Intel AMT device with Microsoft Active Directory by creating a directory entry based on the Intel-Management-Engine class. The Intel SCS installation includes scripts to extend the Active Directory schema to support this class and to populate the required attributes. Intel SCS creates an Active Directory object that represents each Intel AMT device and creates an attribute for connecting it to the AMT object.
Step 4. Gathering security information: Next, the system collects the required operational security parameters. As part of setting up Intel SCS, the administrator defines users and permissions for all administrators and operators who will work with Intel SCS. User accounts can be defined as HTTP digest accounts or Active Directory accounts. (In those cases where Intel AMT devices are not integrated with Active Directory, HTTP digest accounts are used.) When TLS is enabled, Intel SCS interfaces with the Microsoft Certificate Authority.
Step 5. Management and maintenance: Intel SCS facilitates lifecycle management and maintenance operations, including daily tasks such as adding and removing Intel AMT devices, managing password data and certificates, maintaining logs, and handling exceptions.


Intel SCS Database
A Setup and Configuration Domain uses Microsoft SQL Server (which must be installed separately from Intel SCS) to store all configuration data and profiles for individual devices in the domain, as well as logs and stored procedures to support configuration activities. This data supports deployment of a platform containing Intel AMT in any segment of the enterprise. Both Intel SCS and the SOAP API access the database directly. The database also stores Intel SCS user and permissions data defined by the Intel SCS console for integration with Microsoft Active Directory.

Before setup and configuration can begin, the Intel SCS database must be configured with the following basic information:

  • SCS service configuration parameters
  • Profiles that define the setup parameters for the Intel AMT-enabled platforms to be configured
  • Entries that identify each Intel AMT device to be configured, with a link to a profile
  • A list of valid TLS credentials that match what is installed on the Intel AMT devices awaiting configuration


Intel SCS SOAP API
The Intel SCS SOAP API provides support for communication between the remote management console and the Intel SCS main service. It also provides the basis for solution vendors to create and productize custom user interfaces.

The Intel SCS main service receives a stimulus from Intel AMT devices sending "Hello" messages requesting that they be configured, after which the Intel SCS main service polls and updates the database and Active Directory accordingly. An external application such as the Intel SCS console configures the service indirectly by sending SOAP requests via the SOAP API to modify or query the database. The SOAP API does not interact with the SCS service directly.

Management consoles created by solution vendors can also use the SOAP API for platform discovery, querying the Intel SCS database for a list of configured Intel AMT devices or a list of devices that have recently been configured. The API functions are segmented into four groups, each of which has an associated WSDL file that defines the parameters of each function within the group:

  • Authentication interface is used to log in, define users, and set database parameters.
  • Profile interface manages profile objects in the database.
  • Intel AMT interface manages Intel AMT System objects in the database.
  • Service interface manages all other Intel SCS service functions.


The Intel SCS distribution includes the four WSDL files, SOAP API documentation, and the console source code, contained in AMTConsoleSln.zip. The distribution also includes sample clients—a set of simple applications that demonstrate the functions in each group, with the source and binary of an application for each group.

The Intel SCS Console
The Intel SCS console is an open source application installed separately from Intel SCS that uses the Intel SCS SOAP API to configure, control, and manage the Intel SCS main service and the Intel SCS database. This graphical user interface (GUI)-based component, a portion of which is shown in Figure 2, supports stand-alone operation of Intel SCS. Source code is distributed with Intel SCS, allowing software vendors to add value to the console and integrate it into their products.



Figure 2. Intel® AMT SCS Console

Some key functionality available from the Intel SCS console includes the following:

  • Maintenance policies define actions that Intel SCS will perform periodically on all configured Intel AMT devices, which may include various security maintenance operations such as reissuing certificates.
  • Profiles each contain device configuration parameters that can be applied to one or more Intel AMT devices. They are highly configurable.
  • Global and individual (ad hoc) operations allow configuration operations to be applied to one platform at a time or all platforms in the enterprise, respectively.
  • Logs keep track of Intel AMT activities and include a system log for system-wide actions, an action-status log that tracks global and ad-hoc operations, and a security-audit log that displays potential security breaches.


Intel SCS also provides a set of additional tools that provide alternative means of controlling the SCS environment. These include command-line tools to add records to the SCS database and to dump the contents of the database, as well as a set of scripts to perform various management functions related to Active Directory.

Operation of Intel SCS During Setup and Configuration

Intel SCS is designed to perform setup and configuration of multiple Intel AMT devices simultaneously. All requests to Intel SCS for service are maintained in a queue in the Intel SCS database. A dedicated thread performs the processing for each portion of a task. A single thread waits for "hello" messages from Intel AMT devices. This thread passes the message to a queuing thread, which then adds this request for setup and configuration to the database queue.

Initial preparation of the server that will host Intel SCS includes installation of the Intel SCS software and providing domain/user account information, as well as the database connection parameters. Administrators must also provide the needed TLS certificate to the IIS Web container, a DNS alias entry called "ProvisionServer," and a default profile to be used in the configuration of Intel AMT devices. Once these steps are completed, the Intel SCS environment is ready to add individual Intel AMT devices.

When an Intel AMT-enabled platform is delivered from the hardware manufacturer, the Intel AMT device is present but disabled. Intel SCS performs all the necessary steps to make an Intel AMT device operational, over the network interface. In order to add an Intel AMT device to the Intel SCS environment, administrators must create or import a PID/PPS password combination and map between the device's unique user ID and the fully qualified domain name of the device, either manually on a client-by-client basis or using the provided automated script.

BIOS setup of the individual Intel AMT device is also required, and it can be accomplished by any of three methods:

  • USB method uses credential data exported from Intel SCS into a file that is stored on a USB key, and the client machine is booted from the key to complete the BIOS setup. This method must be supported by the BIOS vendor.
  • Manual method requires an administrator to write down or print the credential data from the Intel SCS console, boot the client machine and enter the Intel SCS Management Engine BIOS screens, and manually enter setup information into the BIOS.
  • OEM setup method enables a hardware manufacturer to set up Intel AMT hardware before it leaves the factory, pre-populating the credentials into the BIOS and providing it in a form that can be readily imported into the IT department's Intel SCS environment. This technique potentially allows for "zero-touch" deployment by IT organizations.


Once BIOS setup is complete, the Intel AMT device will begin sending "hello" messages to the Intel SCS main service. Figure 3 shows the overall setup and configuration process in more detail.



Figure 3. Setup and configuration steps under Intel® SCS

The following series of steps correspond to the numbers in Figure 3:

Step 1. An Intel AMT device that is ready for setup requests an IP address from a Dynamic Host Configuration Protocol (DHCP) server.
Step 2. The Intel AMT device performs a Domain Name System (DNS) lookup with the default hostname of "ProvisionServer".
Step 3. The Intel AMT device sends a TCP/IP "hello" message to the host resolved in Step 2.
Step 4. Based o n the Universally Unique ID (UUID) in the "hello" message, the Intel SCS main service searches the database to locate the profile and hostname to be used to set up and configure the Intel AMT device.
Step 5. The Intel SCS main service requests a certificate for the Intel AMT device from a Certificate Authority server. This step is optional; it is required for installations using TLS and Mutual TLS.
Step 6. If integration with Active Directory is used, the Intel AMT device is defined as an Intel AMT object on the Active Directory domain controller.
Step 7. The Intel SCS service completes setup and configuration using SOAP commands.

 

Conclusion

Intel SCS provides a comprehensive environment to support the addition of Intel AMT devices into enterprises. Software vendors can use the free, open source tools and other resources offered by Intel to incorporate this functionality into their solutions, dramatically simplifying the addition of this functionality and improving time to market for products used to provision next-generation manageability in enterprise hardware.

Additional Resources

The following materials provide further information on Intel SCS and the other topics discussed in this paper:

 

About the Author

Matt Gillespie is an independent technical author and editor working out of the Chicago area and specializing in emerging hardware and software technologies. Before going into business for himself, Matt developed training for software developers at Intel Corporation and worked in Internet Technical Services at California Federal Bank. He spent his early years as a writer and editor in the fields of financial publishing and neuroscience.