Intel® AMT Use Case #11: Remote Configuration


Last Modified On: October 15, 2008 12:00 PM PDT
In this use case example, an IT manager receives a shipment of several PCs that he wants to configure to use Intel® AMT. These PCs are all shipped with Intel AMT turned on (the manageability mode set to "AMT"), the configuration method set to "ZTC" (Zero Touch Configuration), and SOL/IDE-R turned on (assuming this feature is desired by the end user). Intel AMT must be configured so that the management console can securely identify and communicate with an Intel AMT enabled PC.

Using Intel® AMT Remote Configuration to Enable Provisioning

Under Remote (previously known as Zero-Touch) Configuration, the PC is connected to power and the network, and Intel AMT automatically initiates the configuration process:

  • Delayed configuration: When an Intel AMT enabled system is first turned on, it automatically sends out "hello" packets. After a timeout period has elapsed, it stops sending these packets until it receives a message from the configuration server. When a configuration message is received by a third-party software agent running in the client PC operating system, the configuration process begins. Certificates are exchanged and compared to hashes stored in the Intel AMT firmware, and passwords are exchanged. The client system also ensures that the configuration request has been received from a server on its network before allowing configuration to occur. Once all of the proper checks have occurred, the configuration server loads the settings and data required to enable Intel AMT to reboot the system.
  • Bare Metal configuration: The process for bare metal configuration is the same as for delayed configuration, except that a third-party software agent is not needed, and the configuration server can configure Intel AMT without the one time password. Once Intel AMT is configured, an operating system can be loaded from the network onto the PC, allowing for a completely no-touch configuration of the system with an IT-specified operating system.

Key Functionality Enabled by Intel AMT that Underlies this Use Case

The following table summarizes the features and functionality utilized in this use case that are provided by Intel AMT or enabled by Intel AMT in third-party software:

Feature: Intel provides the Intel® AMT silicon, firmware image, LMS driver, Intel MEI driver, and the Intel® Setup and Configuration Service (SCS), if a third party does not provide a corresponding service.

Functionality: These components form the basis for Intel AMT Remote Configuration support.

In addition, the following functionality is performed by third-party management applications:

  • Third parties must provide the configuration server services (if not provided by Intel) and the ability to configure an Intel AMT enabled PC. 
  • The PC manufacturer must ship the Intel AMT-capable PC with the manageability mode set to "AMT", configuration mode set to "ZTC", and SOL/IDE-R turned on (if that feature is desired). 


The Advantage of Intel AMT Remote Configuration

Remote Configuration automates the process of setting up and configuring business PCs for use with Intel AMT, including the ability to configure them remotely. It is the most convenient option provided by Intel to set up systems to be managed via Intel AMT.

Business Value of the Intel AMT Solution

This use case enables IT organizations to save on deployment costs, relative to other Intel AMT setup and configuration options:

Remote Configuration automates the provisioning of business PCs.

Remote Configuration enables IT organizations to configure PCs for Intel AMT without being in physical proximity to them.

Remote Configuration Usage Model Implementation

The following steps represent an overview of Remote Configuration flow:


Before Remote Configuration begins, the following initial conditions must be met:

  • The Intel AMT device must be configured to receive its IP address from a DHCP server. The DHCP server must be configured to support option 15 and to return the local domain suffix.
  • The Intel AMT device must be pre-programmed with at least one active root certificate hash.
  • For the delayed installation sequence described below (“delayed” meaning that the Intel AMT device was not set up immediately upon being connected to the network), an ISV-created local agent must be installed on the host platform.
  • The Intel AMT Setup and Configuration Server Sample Application (SCA) must be registered with a DNS server accessible to the Intel AMT device with the name “Provisionserver” (or the name defined by the PC manufacturer) and be in either the same domain as the device or in a domain with the same suffix.
  • The SCA must have a server certificate, used only for setup and configuration, with the appropriate OID or OU that traces to a CA which has a root certificate hash stored in the Intel AMT device. The OID in the Extended Key Usage field must be 2.16.840.1.113741.1.2.3, or the OU value in the Subject field must be “Intel(R) Client Setup Certificate”.
  • To obtain such a certificate, contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. A list of the hashes should be provided by the platform vendor. Go to the vendor’s web site and purchase an “SSL certificate”. For example, the following link to Verisign’s* site http://www.verisign.com/ssl/buy-ssl-certificates/index.html shows how to purchase an appropriate certificate. Use the OID or the OU values above (or both) when defining the certificate.

Once these conditions are met, the delayed configuration sequence proceeds as follows:

  • The Management Console requests the Local Agent to check for Intel AMT capability on the platform and to return key parameters.
  • The agent detects Intel AMT and requests the UUID and Intel AMT firmware version.
  • The Intel AMT device returns the values to the agent.
  • The agent returns the information to the Management Console.
  • The Management Console sends an OTP to the agent.
  • The Management Console sends the identifying information and optionally a One-Time Password (OTP) to the SCA.
  • The agent optionally sends the OTP to the Intel AMT device and commands it to open the network interface. The Intel AMT device generates a self-signed certificate. This process may take up to seven minutes to generate the necessary keys.
  • The Intel AMT device starts sending “Hello” messages.
  • Setup and configuration begins using the PKI-CH protocol.
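An added example (not Intel's or the SDK's code) that models the checks the device applies to a configuration server before provisioning proceeds, as described in the delayed configuration description and the preconditions above: root CA hash matched against the firmware hash list, the setup OID or OU marker on the certificate, and the server's domain matched against the DHCP option 15 suffix. The certificate is a simplified Python structure rather than parsed X.509, and the root CA bytes and domain names are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# OID and OU values the preconditions above require on the SCA's setup certificate.
AMT_SETUP_EKU_OID = "2.16.840.1.113741.1.2.3"
AMT_SETUP_OU = "Intel(R) Client Setup Certificate"


@dataclass
class SetupCert:
    """Simplified view of the SCA's setup certificate (no real X.509 parsing here)."""
    subject_cn: str                                 # FQDN the SCA presents in its certificate
    subject_ou: str = ""                            # Subject OU, if the OU marker is used
    eku_oids: list = field(default_factory=list)    # Extended Key Usage OIDs
    root_der: bytes = b""                           # DER of the issuing root CA (constructed)


def root_hash(root_der: bytes) -> str:
    """Intel AMT 2.x/3.x firmware stores SHA-1 hashes of the trusted root certificates."""
    return hashlib.sha1(root_der).hexdigest()


def has_setup_marker(cert: SetupCert) -> bool:
    """Certificate must carry the AMT setup OID in EKU or the setup OU in Subject (or both)."""
    return AMT_SETUP_EKU_OID in cert.eku_oids or cert.subject_ou == AMT_SETUP_OU


def domain_matches(server_fqdn: str, dhcp_domain_suffix: str) -> bool:
    """Server must be in the device's DHCP option 15 domain or in a subdomain of it."""
    suffix = dhcp_domain_suffix.lower().strip(".")
    if not suffix:                 # no option 15 suffix: the domain check cannot be satisfied
        return False
    server_domain = server_fqdn.lower().partition(".")[2]   # strip the host label
    return server_domain == suffix or server_domain.endswith("." + suffix)


def accept_configuration_server(cert, firmware_root_hashes, dhcp_domain_suffix):
    """Return (accepted, reason); every check must pass before configuration is allowed."""
    if root_hash(cert.root_der) not in firmware_root_hashes:
        return False, "root CA hash not in firmware hash list"
    if not has_setup_marker(cert):
        return False, "certificate lacks AMT setup OID/OU"
    if not domain_matches(cert.subject_cn, dhcp_domain_suffix):
        return False, "server not in device's DHCP domain suffix"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: fake root CA "DER" whose hash is pre-programmed in firmware.
    root = b"constructed-root-ca-der"
    cert = SetupCert("provisionserver.corp.example", eku_oids=[AMT_SETUP_EKU_OID], root_der=root)
    print(accept_configuration_server(cert, {root_hash(root)}, "corp.example"))
```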


The following table introduces some of the key API calls associated with Remote Configuration:

API Call: GetZeroTouchConfigurationMode

Description: Returns a status showing whether Remote Configuration is enabled or disabled. One of the following status codes MUST be returned by this method:

  • PT_STATUS_SUCCESS – Request succeeded.
  • PT_STATUS_INTERNAL_ERROR – An internal error occurred in the Intel AMT device during this operation.

This routine is supported in Intel AMT Releases 2.2, 2.6, and 3.0.

API Call: SetZeroTouchConfigurationMode

Description: Enables or disables Remote Configuration. One of the following status codes MUST be returned by this method:

  • PT_STATUS_SUCCESS – Request succeeded.
  • PT_STATUS_INTERNAL_ERROR – An internal error occurred in the Intel AMT device during this operation.
  • PT_STATUS_MAX_LIMIT_REACHED – Not enough space for storing the given Hash entry.
  • PT_STATUS_NOT_PERMITTED – Intel AMT is not in the right provisioning state. This command cannot be performed while the device is in the in-provisioning state.

This routine is supported in Intel AMT Releases 2.2, 2.6, and 3.0.

Note: See the “System Defense Feature and Agent Presence Overview.pdf” [PDF 335KB] or the “Intel® AMT Network Interface Guide.pdf” [PDF 2.45MB] documents located in the Intel AMT SDK for further details.


The following assumptions underlie this use case:

  • The PC must be capable of running Intel AMT, the manageability mode must be set to "AMT", Remote Configuration must be enabled in BIOS, and SOL/IDE-R must be turned on in BIOS (assuming this feature is desired by the end user) by the PC manufacturer.
  • Intel SCS (or a third-party equivalent) and a management console running a management or security application capable of managing Intel AMT PCs must be present on the network; Intel SCS may be installed on a server other than the management console.
  • Remote configuration is only available with a PC that is physically connected to the network and is not available via wireless.
  • Intel AMT's provisioning communication mode must be set to "listen" by the PC manufacturer.
  • The end user must have a client certificate for AMT setup and configuration that is issued and signed by a recognized certificate authority.
  • A third-party application that allows for Remote Configuration must be available.
  • A DHCP environment is required as part of the authentication process.


RESOURCES: