Hi!
In the last installment of this (lengthy :)) series, we explained what kind of information the User Notification Service (UNS) provides.
This time we'll look at how the UNS service works, and how it can be configured and controlled.
Note: Providing Intel AMT event information is not the only function of UNS; the app is also responsible for updating and setting NAC and EAC parameters for use in NAC-enabled networks. I won't go into detail about this feature, as I don't know it in depth. :(
Note 2: What we comment here applies to UNS for platforms with version from 2.5 to 3.2. Earlier versions don't sport the app, and newer versions incorporate additional functionality (to be covered in the future).
Note 3: The "sc" commands mentioned below are to be run in the Windows command line; SC is Microsoft's Service Controller application. You may need Administrator rights for some of the commands.
UNS communicates with Intel AMT using normal HTTP (SOAP (EOI) or WSMan) requests -- you can see how these requests are used in the SDK, under the "User Notification Service" section of the Intel AMT Network Interface document.
This is how it all works:
- UNS subscribes for alerts with Intel AMT, asking for a special type of alert, which is SOAP based (destined for local communications) instead of PET based (alerts used for remote notifications).
- For this, UNS has to authenticate with the firmware. The service can use a specific username/password set by the IT Admin, or rely on the 'anonymous' or '$$uns' user defined specially for local alerts (the latter is the default).
- If the system is set to work on TLS, UNS will use this protocol to communicate. The service simply asks the operating system to connect using the TLS protocol, and all the connection overhead is dealt with by the OS.
- From this moment on, UNS acts as a server and Intel AMT acts as a client -- whenever something happens that triggers an event (see the list of events in the previous post), Intel AMT sends the alert to UNS and receives a Success Status from UNS.
- Using the same procedure and following the steps in the SDK, an ISV can make use of the local alerting to provide a similar functionality.
How can one configure the UNS?
According to the functions specified above, there are a few possible configurations:
- Username and password:
- If an IT Admin doesn't want to use anonymous authentication, he can disable its permissions using the SetRealmAuthOptions SOAP command (Security Administration interface) and create another user with UN permissions. To use this new user, UNS should be started with the following arguments: "-unsUser <user name> -unsPass <password>".
- Note: A property of the above arguments is that the UNS saves them for the next time it is run and then stops. This means that the UNS should be started once with the credentials as arguments, and then restarted without the credentials -- which will still be used (as long as Intel AMT is configured to require them).
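- Thus, a good batch file to configure UNS with new user credentials would look like this:
    REM assumes UNS is already installed
    sc stop uns
    REM first start: UNS saves the credentials and then stops
    sc start uns -unsuser <username> -unspass <password>
    REM second start: UNS runs normally using the saved credentials
    sc start uns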
- Choosing a specific TLS certificate.
- We commented that the whole TLS communication overhead can be left to the OS. In fact, the OS will also choose one certificate from the ones in the store when mutual authentication is set. But in case you want to specify a particular certificate to use, please use the "-cert <cert name>" argument, in the same way as explained above.
- Installing certificates.
- Being a service, the UNS runs in the system context (not as a user process), and as such does not see the same certificate store the user account sees. For the UNS to have access to the root certificate, it must be installed on the computer account using the "mmc" tool, as is specified in step 4 of http://support.microsoft.com/kb/901183/
- Restoring defaults.
- The "-clear" argument is used to delete the username, password and certificate information.
- Disabling UNS.
- You can prevent UNS from loading at startup by setting it to load 'manually' instead of 'automatically'. Use the "sc config uns start= demand" command for this.
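As an added check for the certificate-store and start-mode points above (example code, not part of the original post or of Intel's tooling), the PowerShell script below reports how the service is configured and whether a root certificate is visible in the computer store or only in the current user's store. The service name "uns" is taken from the sc commands on this page; the certificate subject is a constructed placeholder you would replace with your own.

```powershell
# Added example: audit the UNS service settings and root certificate placement.
# Assumptions: service name 'uns' (from the sc commands on this page);
# $RootSubject is a constructed placeholder for your own root CA subject.
param(
    [string]$ServiceName = 'uns',
    [string]$RootSubject = 'CN=Example AMT Root CA'   # placeholder, not a real CA
)

function Find-RootCert {
    param([string]$StorePath, [string]$Subject)
    # Return certificates in the store whose subject contains $Subject (case-insensitive).
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject.IndexOf($Subject, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' is not installed."
    return
}

# The CurrentUser view also shows machine-wide roots, so "user only" means
# present under CurrentUser but absent from LocalMachine.
$machine = @(Find-RootCert -StorePath 'Cert:\LocalMachine\Root' -Subject $RootSubject)
$user    = @(Find-RootCert -StorePath 'Cert:\CurrentUser\Root'  -Subject $RootSubject)

[pscustomobject]@{
    Service        = $svc.Name
    State          = $svc.State
    StartMode      = $svc.StartMode   # 'Manual' after: sc config uns start= demand
    RunsAs         = $svc.StartName   # the account the service context maps to
    RootInMachine  = $machine.Count -gt 0
    RootInUserOnly = ($user.Count -gt 0) -and ($machine.Count -eq 0)
    ExpiredRoots   = @($machine | Where-Object { $_.NotAfter -lt (Get-Date) }).Count
}

if ($user.Count -gt 0 -and $machine.Count -eq 0) {
    Write-Warning "Root certificate is only in the current user's store; a service running as $($svc.StartName) will not see it."
}
```

Run it from an elevated PowerShell prompt as the user who imported the certificate, so that the CurrentUser store being compared is the right one.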
That's the internal flow of the local user notification.
Now, this flow can present problems in special cases -- if you're experiencing difficulties with the UNS service, you'll be interested to see our next post: UNS Error Messages.
See you there!
Articles in the Intel® AMT software series:
- The software bundled with Intel AMT
- The notification area icon - understanding the pop-up
- Configuring the notification area icon & app
- More configurations (disabling) of the Intel AMT icon
- Detailed information to the user with the User Notification Service
- How the UNS works
- UNS Error Messages and how to fix them
- Newfangled Intel Management and Security Status
- Intel Management and Security Status (IMSS), advanced configurations
Gael Holmes (Intel)