By Gael Holmes (Intel) (91 posts)
on November 25, 2008 at 2:16 pm
Today I have posted a few blogs about the provisioning process with respect to Intel® AMT. But really, what most ISVs want to know is how to do this without touching the Intel AMT system: after all, there may be hundreds, if not thousands, of these in an environment, and who wants to spend time sticking a USB key into every system just to get it provisioned? So here is what goes on in a "Remote Provisioning" scenario.
Abbreviations used below:
- SCA: Setup and Configuration Application. This could be your own Setup and Configuration App, or it could be the Intel SCS, for example.
- OTP: One Time Password
First of all, there are Initial Conditions that must be met before Remote Configuration can begin:
- The Intel AMT device is configured to receive its IP address from a DHCP server. The DHCP server must be configured to support option 15 so the device can acquire the local domain suffix (Unsecure DNS mode); alternatively, the MEBx menu or a USB key must be used to supply the domain suffix or the FQDN of the setup and configuration application (available in Release 3.0 and later).
- The Intel AMT device is pre-programmed with at least one active root certificate hash.
- For the delayed installation sequence described below ("delayed" meaning that the Intel AMT device was not set up immediately upon being connected to the network), an ISV-created local agent must be installed on the host platform (you can use the Activator tool for this).
- The SCA is registered with a DNS server accessible to the Intel AMT device with the name "Provisionserver" (or the name defined by the OEM) and is in either the same domain as the device or it is in a domain with the same suffix.
- The SCA has a server certificate, used only for setup and configuration (this is unrelated to whether Intel AMT itself is configured for Server or Mutual Authentication), with the appropriate OID or OU that traces to a CA which has a root certificate hash stored in the Intel AMT device. One of the following must hold:
  - The OID in the Extended Key Usage field must be 2.16.840.1.113741.1.2.3 (this is the unique Intel AMT OID), or
  - the OU value in the Subject field must be "Intel® Client Setup Certificate". This OU value is case-sensitive and must be entered exactly.
Acquiring a Server Certificate from one of the vendors whose certificate hashes are in the AMT firmware:
- Contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. A list of the hashes should be provided by the platform vendor. Go to the vendor's website and purchase an "SSL certificate". For example, the following link to Verisign's site, http://www.verisign.com/ssl/buy-ssl-certificates/index.html, shows how to purchase an appropriate certificate. Use the OID or the OU values above (or both) when defining the certificate.
Now the Setup and Configuration process can begin.
1. The Management Console requests the Local Agent to check for Intel AMT capability on the platform and to return key parameters.
2. The agent detects Intel AMT and requests the UUID and Intel AMT firmware version.
3. The Intel AMT device returns the values to the agent.
4. The agent returns the information to the Management Console.
5. The Management Console sends an OTP to the agent.
6. The Management Console sends the identifying information and optionally an OTP to the SCA.
7. The agent optionally sends the OTP to the Intel AMT device and commands it to open the network interface. The Intel AMT device generates a self-signed certificate. This process may take up to seven minutes to generate the necessary keys.
8. The Intel AMT device starts sending version 3 "Hello" messages. Each hash carried in the message corresponds to a root certificate from a certificate authority.
9. Setup and configuration begins using the PKI-CH protocol.
After the local agent commands the Intel AMT device to start configuration, the device opens its network interface for 24 hours and starts sending "Hello" messages according to the retry algorithm. This time, however, the Intel AMT device sends one message per hour until the interface closes.
- The SCA extracts the hashes from the "Hello" message.
- The SCA sends a certificate chain that includes a root certificate matching one of the received hashes.
- The Intel AMT device validates the SCA certificate: It checks that the OID or the OU is correct, that it is derived from a Certificate authority that matches one of the root certificate hashes and that it is a Server certificate.
- The Intel AMT device verifies that the domain suffix matches the DNS suffix in the SCA certificate.
- The SCA and the Intel AMT device perform a complete mutual authentication session key exchange:
  - The Intel AMT device uses a self-signed certificate, sending its public key.
  - The SCA creates a TLS session master key, encrypts it with the Intel AMT device public key, and sends it to the Intel AMT device.
  - The device decrypts the master key with its private key. The key is the shared secret used to establish the setup and configuration TLS session.
- One Time Password verification: The SCA optionally requests the OTP from the Intel AMT device. The device sends the OTP securely. The SCA verifies the OTP for correctness.
- Setup and configuration continues as described in Setup and Configuration Application Flow Step 6. At some point before the SCA sends a CommitChanges command to complete the setup and configuration process, it sends a SetMEBx password command to change the password from its default, if it was not already changed.
- Since the Intel AMT device network interface is open only for a maximum of 24 hours after sending the first "Hello" message, the SCA can command the device to reset the period to a new value of 1 to 24 hours.
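To make the device-side acceptance rules concrete, here is an added example (my own illustration, not Intel firmware or SCS code) that applies the checks listed above to a certificate chain received in response to a "Hello" message: the root must match one of the device's active root hashes, each certificate must be issued by the next one in the chain, the leaf must carry the Intel setup OID or the exact OU string, it must be a server certificate, and its DNS name must match the device's domain suffix. It assumes a deliberately simplified certificate model: each certificate is a small dataclass, its "hash" is the SHA-256 of a canonical string rather than of real DER bytes, chain linkage is checked by name rather than by signature, and the server-certificate test uses the standard id-kp-serverAuth OID 1.3.6.1.5.5.7.3.1. The sample chain, names and suffixes are constructed.

```python
"""Device-side validation of an SCA certificate chain, as described for PKI-CH.

Added illustration, not Intel's code. The certificate model is deliberately
simplified (no DER parsing, no signature verification); it shows the
decision logic, not a drop-in X.509 validator.
"""
import hashlib
from dataclasses import dataclass, replace

INTEL_SETUP_OID = "2.16.840.1.113741.1.2.3"          # Intel AMT setup EKU OID (from the post)
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"                 # standard id-kp-serverAuth
INTEL_SETUP_OU = "Intel® Client Setup Certificate"    # case-sensitive OU (from the post)


@dataclass(frozen=True)
class Cert:
    """Simplified certificate (constructed model, not real X.509)."""
    subject_cn: str
    issuer_cn: str
    subject_ou: str = ""
    eku: tuple = ()         # OIDs in the Extended Key Usage extension
    dns_names: tuple = ()   # DNS names the certificate is valid for

    def fingerprint(self) -> str:
        """Stand-in for the root certificate hash the firmware stores (assumption:
        SHA-256 over a canonical string; real firmware hashes the DER encoding)."""
        canon = "|".join([self.subject_cn, self.issuer_cn, self.subject_ou,
                          ",".join(self.eku), ",".join(self.dns_names)])
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def validate_sca_chain(chain, active_root_hashes, device_domain_suffix):
    """Apply the acceptance rules to a leaf-first chain. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    leaf, root = chain[0], chain[-1]
    # Rule 1: the chain must end in a self-signed root whose hash is pre-programmed.
    if root.subject_cn != root.issuer_cn:
        return False, "last certificate is not a self-signed root"
    if root.fingerprint() not in active_root_hashes:
        return False, "root hash not in the device's active hash list"
    # Rule 2: every certificate must be issued by the next one in the chain
    # (name-based here; real validation verifies the signatures).
    for child, parent in zip(chain, chain[1:]):
        if child.issuer_cn != parent.subject_cn:
            return False, f"{child.subject_cn} not issued by {parent.subject_cn}"
    # Rule 3: the Intel setup marker, either the EKU OID or the exact OU string.
    if INTEL_SETUP_OID not in leaf.eku and leaf.subject_ou != INTEL_SETUP_OU:
        return False, "missing Intel setup OID/OU"
    # Rule 4: it must be a server certificate.
    if SERVER_AUTH_OID not in leaf.eku:
        return False, "not a server certificate"
    # Rule 5: the device's DHCP-supplied domain suffix must match the certificate's DNS suffix.
    suffix = device_domain_suffix.lower()
    if not any(name.lower().endswith("." + suffix) for name in leaf.dns_names):
        return False, "domain suffix mismatch"
    return True, "accepted"


def build_demo_chain():
    """Constructed sample chain: leaf -> issuing CA -> root."""
    root = Cert(subject_cn="Demo Root CA", issuer_cn="Demo Root CA")
    issuing = Cert(subject_cn="Demo Issuing CA", issuer_cn="Demo Root CA")
    leaf = Cert(subject_cn="provisionserver.corp.example",
                issuer_cn="Demo Issuing CA",
                eku=(SERVER_AUTH_OID, INTEL_SETUP_OID),
                dns_names=("provisionserver.corp.example",))
    return [leaf, issuing, root]


def run_checks():
    """Run the validator over the good chain and several rejected variants."""
    chain = build_demo_chain()
    leaf, rest = chain[0], chain[1:]
    trusted = {chain[-1].fingerprint()}     # the device's active root hash list
    return {
        "good": validate_sca_chain(chain, trusted, "corp.example"),
        # OU present but wrong case: must be rejected, the OU match is exact.
        "wrong_case_ou": validate_sca_chain(
            [replace(leaf, eku=(SERVER_AUTH_OID,),
                     subject_ou="intel® client setup certificate")] + rest,
            trusted, "corp.example"),
        # Exact OU and no Intel OID: accepted, the OU alone is sufficient.
        "exact_ou": validate_sca_chain(
            [replace(leaf, eku=(SERVER_AUTH_OID,), subject_ou=INTEL_SETUP_OU)] + rest,
            trusted, "corp.example"),
        "untrusted_root": validate_sca_chain(chain, set(), "corp.example"),
        "wrong_suffix": validate_sca_chain(chain, trusted, "other.example"),
        "not_server_cert": validate_sca_chain(
            [replace(leaf, eku=(INTEL_SETUP_OID,))] + rest, trusted, "corp.example"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_checks().items():
        print(f"{case:16s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
```

The ordering of the checks matters for troubleshooting a failed remote configuration: the root hash and chain linkage are tested before the OID/OU marker, so a certificate bought from a CA whose hash is not in the firmware fails regardless of how carefully the OU was typed, and the case-sensitive OU comparison is why a certificate with the OU entered in the wrong case is rejected even though everything else about it is fine.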