For example, at the IDF 2010 great content was showed (demos, sessions and so on) about host based configuration, KVM and virtualization.  The IDF 2011 looks great too, the technical session catalog was published and there are many excellent tracks, one of them is by Brian Cockrell, Chris Piper and Jake Gauthier:

Title:   Supercharge Your Intel® Core™ vPro™ Processor Management Solution
Abstract:   Enable your software product with Intel® vPro™ Technology! This session will demonstrate how to solve real world IT problems utilizing Intel® vPro Technology.
Included in this session:
• Methods and building blocks that aid in developing end to end products and solutions
• Solutions utilizing:
- Host Based Configuration
- Intel® vPro™ Technology module for Microsoft* PowerShell*
- Use Case Reference Designs
- Intel® KVM technology
- Intel® Setup and Configuration Service (Intel® SCS) version 7.1

Another valuable resource is networking with peers so you can connect with colleagues, friends, ISV's and authors you have probably read and listened everyday.  Look this interview by Michele Gartner or this post I blogged last year to know what I'm talking about.

The IDF 2011 will start at September 13 and the countdown has just started. I hope to meet some of you. See you there!

Javier Andrés Cáceres Alvis

The profile Wizard most important features are reloaded on the AMT Configuration Utility (ACU,   previously known as the Activator) but without the burden of a complex infrastructure.  As the next partial diagram of the SCS components shows, the ACU has a Profile Designer which you’ll find familiar.

As the next two pictures show, the profile designer is the replacement of the AMT Profile Creator Wizard, all the previous functionality you used is still here but improved, for example you will find again the  Active Directory integration, the ACL  customization, the home domain definition, the remote access policies, the TLS definition, the WiFi settings and so on.

Intel ACU Profile Designer on SCS 7.0.

Intel AMT Profile Creator Wizard on SCS 5.X.
When I say the functionality was improved, it’s a serious statement because many core information flows were reorganized and  many usability aspects were taken into account, for example in previous versions it was necessary performing two clicks to complete a simple task like editing the advanced settings. In SCS 7.0 version, the information was correctly grouped  into one single page and placed as a last step in the wizard (given its advanced nature). In the new version there are also available features that did not exist before, like the Fast Call For Help feature, the KVM feature and so on.

Intel AMT Profile Creator Advanced Settings Page on SCS 5.X.

Intel ACU System Settings Page on SCS 7.0.
If during the release of new versions you did not realize the value of migrating, let me tell you that it’s time to upgrade  for many reasons, the first one it’s because the complex infrastructure is not required anymore, the second one it’s because all old AMT systems (since 2.1 and higher) are also supported, the third one because all new (and relative new)  features you have dismissed should be used now, the fourth is because it’s easier than ever performing any task and so on… I can continue counting reasons, but I would like to emphasize that new features and options introduced within AMT 7.0 systems are not supported by SCS 5.X (detailed information on the download page).
At this point I hope you’re convinced of the benefits of migrating to SCS 7.0, if it’s so, you are probably thinking that  starting from the ground it’s your only one option, but good news!, there is also included a migration utility. This utility lets you easily move your profiles, PSK keys and passwords by connecting to your SQL Database server and saving into XML files. As you can see in following picture you will know which profiles will be migrated.  Just remember that migration from SCS 6.X is not supported.

Migration Utility.

Finally, don’t forget checking this quick video about SCS 7.0 (showing a host based configuration scenario) and don’t hesitate  using the Discovery utility (for answering the all-time question: which systems support which features). Bye.

Javier Andrés Cáceres Alvis

Microsoft Windows Phone MVP

Intel Black Belt vPro/AMT

After starting the Intel Manageability Checker (on step 2) a new button (Figure 1) which lets you export the Pcap generated file it’s noticeable, this is very useful when you have the checker installed in a server and you want to capture the network traffic and analyze it later, -in an offline fashion- (maybe in another computer). The import button seen in the previous version is also present

Figure 1. The new import functionality.

In the Step 3 (Figure 2) one can select the usage cases which will be checked later against the capture result (for some of you who haven’t tried out the “14. Other” feature it can be helpful when working in a functionality that falls outside of one of the predefined usage cases, maybe here it’s where innovation comes!).

Figure 2. Usage case options.

On step 4 there is a new “Submit report” button, which will take you directly to the Intel’s Partner Portal in order to send the report to Intel and associate it with an existing or new project (Figure 3). A project can be associate it with only one report.

The Intel Manageability Checker is a good tool to for vendors (and clients) to perform a quickly and accurate checking of the coverage of the usage cases of any Intel AMT compliant software.  For further reading of previous version here there is a review.

Javier Andrés Cáceres Alvis

Online P2V uses the underlying OS, so the machine must be on. This method is usually performed on servers or desktops by installing an agent. On Windows machines a common way of agents to ensure a consistent file copy is using the Volume Shadow Service (this service can also be accessed through command line, for example: vssadmin create shadow /for=c:). To get better copies, all software installed in the machine must be VSS compliant (most database systems and mail servers are VSS compliant). The agent should guarantee that it incurs in a minimum overhead.

Offline P2V by other hand is performed without booting into the OS and here it’s where WinPE comes into action. WinPE lets third party applications run and access most of the host machine resources (like hard disks, network and so on), so it’s widely used to create ISO or VHD copies of physical disks (there is a recent post about optimizing ISO image using WinPE here). When AMT IDE-R is not used, the hard disk and boot registry is modified to install and run the WinPE-based agent, but if it’s used, you can boot into a WinPE redirected image by using IDE-R and run the application remotely by using KVM.

Depending on the scenario, online or offline P2V are the options, but if offline P2V is the election, AMT (IDE-R and KVM) is definitely a great partner for WinPE. WinPE is popular for imaging, restore, virtualization, backup and other purposes, so AMT has a big applicability, especially since Windows 7 native VHD support. For more information on Offline P2V here there is a good article.

Javier Andrés Cáceres Alvis

My purpose was building two sample applications: the first one for accessing the AMT machine Web User Interface (WebUI) and the second one for consuming the AMT machine’s Web Services for performing some of the remote control functionality.

Accessing the AMT Machine’s WebUI.

For accessing the AMT machine’s WebUI inside Windows Phone I built an application like a browser. The Windows Phone development has been restricted to two frameworks: XNA for game development and Silverlight for all other, so I created a Silverlight page with one button, one web browser control and one text box for typing the WebUI URL. The application looks like the picture shown below:

I could happily access to the AMT machine WebUI start page inside Windows Phone. This application is simple and introductory.

Accessing the AMT Machine’s Web Services.

Here is where the fun starts. Currently there are two major Microsoft technologies for handling Web Services: Windows Communication Foundation (WCF) and the well known ASMX services. I have done some previous work in consuming AMT machine’s Web Services using ASMX (and I’m sure you have too), which ones aren’t available in the Windows Phone platform, so the option was clear: WCF.

I started developing a Silverlight page with three buttons for performing the shutdown, power up and restart of a remote AMT machine. The application looks like below picture:

All three remote functions call to the same underlying web method changing the input parameters, so the call to that web method is the most important code. For consuming a web method with WCF take into account these important concepts:

End Point Address: unique network address that a client uses to communicate with a service endpoint. .Net implementation of end point is compliant with the WS-Addressing protocol.

Data Contract: agreement to describe the data been exchanged. In ASMX technology this is similar to the proxy classes.

End point addresses and data contracts can be declarative (in a XML configuration file) or imperatively (using code). After knowing those basic concepts (which ones are a bit different compared with ASMX web services), we can advance into the implementation of the restart operation:

       private void btnRestart_Click(object sender, RoutedEventArgs e)

        {

            uint IanaOemNumber = 0x157;

            byte SpecialCommand = 0xc1;

            ushort SpecialCommandParameter = 0x0;

            ushort BootOptions = 0x0;

            ushort OEMparameters = 0x1;           

            RemoteControlSoapPortTypeClient client = new RemoteControlSoapPortTypeClient("RemoteControlSoapPort");

            client.Endpoint.Address = new EndpointAddress(txtUrl.Text);

            client.RemoteControlCompleted += new EventHandler<RemoteControlCompletedEventArgs>(client_RemoteControlCompleted);                                   

            client.ClientCredentials.UserName.UserName="admin";

            client.ClientCredentials.UserName.Password = "XXXXX";

            client.RemoteControlAsync(0x10,

                                      IanaOemNumber, SpecialCommand,

                                      SpecialCommandParameter,

                                      BootOptions,

                                      OEMparameters);

        }

        void client_RemoteControlCompleted(object sender, RemoteControlCompletedEventArgs e)

        {

            AmtCallStatus retValue = (AmtCallStatus)e.Result;

            if (retValue!=AmtCallStatus.SUCCESS)

                MessageBox.Show("An error has ocurred");

        }

In code sample above, the most important things to check out are:

• The call to the RemoteControl method is asynchronous.
• The credential (username and password) being used is the same set in the MEBx.
• The binding and endpoint are configured in a XML file and referenced by their name (RemoteControlSoapBinding).  The XML client configuration file is:

<?xml version="1.0" encoding="utf-8"?>

<configuration>

    <system.serviceModel>

        <bindings>

            <basicHttpBinding>

                <binding name="RemoteControlSoapBinding" maxBufferSize="2147483647"

                    maxReceivedMessageSize="2147483647" >

                    <security mode="None" />

                </binding>

            </basicHttpBinding>

        </bindings>

        <client>

            <endpoint address="http://hostname:16992/RemoteControlService"

                binding="basicHttpBinding" bindingConfiguration="RemoteControlSoapBinding"

                contract="RemoteControlInterface.RemoteControlSoapPortType"

                name="RemoteControlSoapPort"  />

        </client>

    </system.serviceModel>

</configuration>

I hope this sample has given you an insight when starting an AMT project using Windows Communication Foundation -WCF-, Silverlight/Windows Presentation Foundation –WPF- or a Windows Phone mobile client.

Javier Andrés Cáceres Alvis
Twitter: @jacace

I first downloaded the English version because I like working with the English versions of any software. The English installer name is iMChkSetupENU1.0.msi. After installing it and launching it I got the next error:

I first thought that it was due to an antivirus blocking some ports but after reading the message I understand that it was a language problem with the operative system, so I came back to the partner site and looked for other versions; I didn’t find them but I got the feeling that I have to set up the portal to Spanish in order to download an Spanish installer as shown in below picture:

I downloaded the installer again and the name this time was iMChkSetupESM1.0.msi. I launched the application and it worked fine. The Intel manageability checker has a wizard which makes the process painless, quickly and easy. Here there some screenshots of the capturing and validation process:

In the last step I saved the results and exited the application. I forgot to mention that our AMT capable product is made of two components: a terminal and a Windows service, which perform different use cases, so I did the same process for both components.

There are two features I tougth were covered: the use of security (HTTPS) and Enterprise mode features; maybe in other releases of the Intel(R) Manageabilty Checker they will be included.  Finally, don’t forget to participate in the Fast Track Experience by July 16!.

Javier Andrés Cáceres Alvis
MVP Windows Phone

http://speechflow.spaces.live.com/

• Check if KVM is Enabled or Disabled
• Enable/Disable the KVM Interface
• Change the Listener Enabled Setting

In the AMT SDK under “Intel(r)_AMT_6.0\Windows\Intel_AMT\Samples\KVM”  directory there is a sample KVM control application which can be useful when you require a guide or starting point (Figure 1) .

Figure 1: KVM control application.

Following code implements the three mentioned steps:

        private static WSMAN_STATUS_CODE EnableKVMCommonPart(bool enable, IPS_KVMRedirectionSettingData kvm)

        {

            if (!kvm.EnabledByMEBx)

            {

                return WSMAN_STATUS_CODE.KVM_DISABLED_IN_MEBX;

            }

            // perform request state change if needed

            CIM_RedirectionService redirectionService = new CIM_RedirectionService(WsmanOperation.GetInstance().WsmanClient);

            redirectionService.Get();

            ushort desiredState = (enable) ? (ushort)Configuration.KVM_STATE.KVM_STATE_ENABLE : (ushort)Configuration.KVM_STATE.KVM_STATE_DISABLED;

            if (redirectionService.EnabledState != desiredState)

            {

                CIM_KVMRedirectionSAP kvmSap = new CIM_KVMRedirectionSAP(WsmanOperation.GetInstance().WsmanClient);

                kvmSap.Get();

                CimReference job;

                uint status = kvmSap.RequestStateChange(desiredState, null, out job);

                if (status != 0)

                {

                    return WSMAN_STATUS_CODE.KVM_REQUEST_STATE_CHANGE_FAILED;

                }

            }

            return WSMAN_STATUS_CODE.OK;

        }

Code above first checks is KVM is enabled in the MEBx and if it is, then it requests the change of the state of the setting.  After changing the state of the KVM interface, it’s necessary to enable the listener and surprise! Listener is enabled in the same way than SOL, so my last post works fine here too.

Two things are important when working with KVM, so you should have it into account: protocol used by KVM is RealVNC* Remote Frame Buffer (RFB) and KVM Requires Active Integrated Graphics. If you need more information about KVM please review the "Keyboard, Video & Mouse Remote Control“presentation by Thomas Propst.

I’ll continue working on implications of porting AMT 3.X, 4.X and 5.X to, so keep looking at this blog for updates.

Greetings,

Javier Andrés Cáceres Alvis.

http://speechflow.spaces.live.com/

http://software.intel.com/en-us/blogs/author/javierandrescaceres/

Both implementations are the same for the end user, but at low level they use different application interfaces. The Microsoft’s Bluetooth stack has a Win32 API which main function is BthGetHardwareStatus. As I always comment on demos or presentations, the Windows Mobile documentation depends on the underlying Windows CE version, in this case that method belongs to Windows CE .NET 4.2.

To use statically the Microsoft’s Bluetooth implementation you must to include the header Bt_api.h and its dependencies: Btdrt.lib y btdrtstubs.lib, as shown on Picture 1.

Picture 1. Additional dependencies.

By other hand, the Broadcomm’s Bluetooth stack SDK can be downloaded from here. You need to include the header BtSdkCE.h from that SDK and add a reference to its dependency: BtSdkCE30.lib. The method to start using this implementation is IsDeviceReady().

Now, let’s jump into code. First, activate the Bluetooth functionality in your device (Smartphone or Pocket PC) to be able to access the Microsoft or Broadcomm hardware, in this sample activation is shown on Picture 2. If you don’t activate the hardware, the code provided won’t read the hardware information.

Picture 2. Bluetooth activation.

After activating Bluetooth, start a new Smart Device C++ project  and copy /paste the following code:

/*

      Author: Javier Andrés Cáceres Alvis

      2009

      This code is for academic purposes only.

.

*/

#include "stdafx.h"

#include <windows.h>

#include <commctrl.h>

#include <Bt_api.h>

#define MIN_HW_VALUE 32

void ParseManufacturer(unsigned short usManufacturer, TCHAR *pszValue)

{

      switch(usManufacturer)

      {

            /*

            ... Many others

            */

            case 13:

                  wcscpy(pszValue,TEXT("TexasInstruments"));

                  break;                 

            default:

                  wcscpy(pszValue,TEXT("Unknown"));

      }                      

}

int _tmain(int argc, _TCHAR* argv[])

{

      int errorCode=0;

      int btStatus=0;

      errorCode=BthGetHardwareStatus(&btStatus);

      if(errorCode==ERROR_SUCCESS)

      {

            if(btStatus!=HCI_HARDWARE_NOT_PRESENT && btStatus!=HCI_HARDWARE_UNKNOWN)

            {

                  HRESULT     retValue=E_FAIL;            

                  unsigned char phci_version;

                  unsigned short phci_revision;

                  unsigned char plmp_version;

                  unsigned short plmp_subversion;

                  unsigned short pmanufacturer;

                  unsigned char plmp_features;

                        if(BthReadLocalVersion(&phci_version,&phci_revision,&plmp_version,

                                                       &plmp_subversion,&pmanufacturer,&plmp_features)==ERROR_SUCCESS)

                        {

                             TCHAR pszManufacturer[MIN_HW_VALUE];

                             ParseManufacturer(pmanufacturer,pszManufacturer);

                             wsprintf(TEXT("The manufacturer is: %s"),pszManufacturer);

                        }

            }

      }

      return 0;

}

The above code is simple, it uses the Microsoft stack and only accesses to Texas Instruments hardware. But, what about this code running on BroadComm devices? Well, it won’t break, but it won’t be able to read device information using the method BthReadLocalVersion. In this exercise I used to HP devices with different stacks: a HP iPAQ h4150 and a HP iPAQ Voice Messenger (Picture 3), with Broadcomm and Microsoft implementations, correspondingly.

Picture 3. Broadcomm and Microsoft stacks.

Finally, the next code works for Broadcomm’s stack implementations:

                        if(!bRetValue)

                        {

                             CBtIf broadInfo;

                             if(broadInfo.IsDeviceReady())

                             {

                                   DEV_VER_INFO dvInfo=(DEV_VER_INFO) sizeof(DEV_VER_INFO);

                                   GetLocalDeviceVersionInfo(&dvInfo);

                                   if(broadInfo.IsDeviceConnectable())

                                   {

                                         if(broadInfo.IsDeviceDiscoverable())

                                         {

                                         }

                                   }

                             }

                        }

Well, this is the end for now, I hope it saves you time.

Greetings,

Javier Andrés Cáceres Alvis

http://speechflow.spaces.live.com/
http://software.intel.com/en-us/blogs/author/javierandrescaceres/

As an AMT developer, I started working with AMT 3.X and have been updating to major releases. For me and other colleagues, one of the most important transitions was to the Intel® AMT 4.0 mobile version, since that new release had come without a long wait. Now, there are a lot of expectations around Intel®  AMT 6.0 and I guess a proportional wave of questions will occur.

Intel representatives have mentioned some interesting features I will look for first: the WMI provider;  mobile and desktop support; DASH compliance; disk protection and the KVM redirection.

Intel ME WMI Provider - Many developers start working on manageability by using the WMI command line and/or the object browser, so it will be easier than ever  to get familiar with AMT, specially for IT administrators, because they will be able to add new manageability scripts to their toolboxes.

Mobile and Desktop Support - From the ISV perspective, Intel ® AMT 4.0 and 5.0 meant having many development, testing and production machines, so there is an overhead reduction for us.

DASH Compliance - For ISVs, this is valuable because  the IT ecosystem market requires particular high standards in order to offer an industry-class product.

Disk Protection - Many enterprise customers request this feature on laptops used by their employees. No one is exempt from being attacked by a thief. My cell phone was stolen last weekend so I do know how important this is.

KVM Redirection - As far as I understand and based on current documentation, users will continue seeing/controlling AMT machines after they boot, I mean when machines enter to graphics mode (usually, when they load the OS).

One of the features in which I am most interested is WiFi/WiMax support. I suspect it will be a kind of out-of-band secure transportation channel for manageability purposes, like the current SOL or IDE-R.

Well that’s all for now. In the meantime I will participate on the virtual seminar and play with the latest DTK. 

Javier Andrés Cáceres Alvis

03/02/2010

Let’s jump into code:

                if (bSupportWSMan)

                {

                    WsManDirectClient client = SetUpWsMan(ip, port, credential);

                    AMT_RedirectionServiceType rs = (AMT_RedirectionServiceType)client.Get(typeof(AMT_RedirectionServiceType));

                    if (rs == null) return;

                    rs.ListenerEnabled = true;

                    client.Put(rs);

                }

                else

                {

                    RedirectionService redSvc = SetUpEoi(ip, port, credential);

                    redSvc.SetRedirectionListenerState(true);

                }

The code shown above is simple, it supposes there is a way to know if WSMan is supported or not. If WSMan is supported, then the Listener Enabled property is set to true and the standard Put is called. If WSMan is not supported, then the web service object named RedirectionService is used by calling to the SetRedirectionListenerState with true. In both cases, the credential configuration is required, but, in the interest of simplicity, the function definition is not shown.

If you want to get more information about the standard WS-Tansfer Get, Put, Create and other operations, please read this good introduction: http://msdn.microsoft.com/en-us/library/aa384470(VS.85).aspx .

This is an important step to be performed after device provisioning, as I mentioned here (step 8), after a SCS enterprise provisioning this parameter is disabled by default, so it must be verified and/or enabled by your application.

1. You will learn about the vPro architecture and components (like AMT/VT/TXT).
2. You will identify the Active Management Technology use cases and then you will probably find out how your solution addresses them.
3. You will discover opportunities to build new software to use AMT technology (like a power monitoring solution).
4. You will discover AMT features you haven’t used (I didn’t know AMT had a case instruction sensor!).
5. You will find new ways to perform certain tasks (Did you know about terminal scripting existence? – It’s useful to change many computer BIOS settings).
6. You will learn how some AMT components integrate with well-known technologies (like Active Directory).
7. You will learn how to address end user problems with any AMT functionality, for example: preventing a worm infection by pushing a network filter or repairing and updating security agents.
8. You will discover a way to detect that a console is talking to Intel AMT locally through LMS service.
9. You will find the difference between the SNMP traps and WS Eventing.
10. You will find samples on how to scan, connect and gather information of computers using Intel AMT. There are other useful samples like how to build a serial relay application to use a standard terminal like Putty or Microsoft Windows XP HyperTerminal.

Maybe you will find your own reasons and want read it twice! Then don't be shy and share them!

Javier Andrés Cáceres Alvis
Personal Blog: http://speechflow.spaces.live.com/
Intel Blog: http://software.intel.com/en-us/blogs/author/javierandrescaceres/

Some of the components required by SCS are not very popular with regular IT departments. Let’s say Microsoft Certification Authority is that kind of Windows component that you rarely install, so it becomes an obstacle for most of people who don't wish toread the whole SCS’s 146-page installation guide.

SCS Setup Wizard is the dream tool for all of us. It puts the complete SCS installation steps and options available in a standardized flow (as shown in Picture 1).  This tool is a 261-MB sized .EXE which contains the SCS console/service installer, SQL Express, .Net Framework 3.0 and other goodies (installation media for other components can be requested during execution).

Picture 1. Wizard Flow. 

But wait, SQL Express? Yeah, for demo scenarios this can be useful. Framework 3.0? Yeah, it’s a Wizard requirement (not a SCS requirement). This tool automates all of what we had to previously do manually: it installs (and configures) SQL Server, DNS, DHCP, IIS, Certificate Authority and the SCS itself (console and service). Isn't that great news?

 For me, the most appreciated Wizard features are:

·         Active Directory Schema: by doing manually, you had to run/verify some .vbs scripts.

·         DHCP: this service is installed and a scope is created for you.

·         Certificate Authority: this is my favorite one. Microsoft’s Certification Authority (CA) can be installed in one of two supported modes: Stand-Alone and Enterprise. This usually was a pain in the neck because most people are not familiar with configuration supported by each mode (and its differences). Want more? The coolest part is that certificates (for Server and Intel AMT client) are automatically generated (I mean, requested, issued and installed)! By doing it manually, the hardest (an error probe) part was configuring the certificate policies, attributes (remember the OID?) and so on – but that’s history now. See Picture 2.

Picture 2. Certificate Authority.

 Until now I have stated all the positives of this Wizard but as with every software application, there are possibilities to improve. I particularly don’t like these facts:

·         SCS Setup Wizard does not perform any rollback or un-installation steps.

·         DHCP needs the 192.168.1.150 IP address and after configuration it keeps in an “unauthorized" state.

·         The Certificate Authority uses the Web Server template (and no other one).

My conclusion is that if you need a demo or a standard installation, this tool is for you. But if you want more control over installation and you have more time, you can go ahead with a classic, single product installation.

Cheers and try it out too!

Javier Andrés Cáceres Alvis

Blog Personal: http://speechflow.spaces.live.com/

Blog Intel: http://software.intel.com/en-us/blogs/author/javierandrescaceres/

Hello everybody!

 I was reading the last Gael’s blog post about the community response and I think it’s a good time to share something different than AMT, parallelism and so on.

Today I want to share my second life as a community guy; in my free time I use to participate in community events like presentations, training and so on. I started when I was in college in a Latin American academic initiative called “Student Clubs”; I had a love hate relationship with this initiative but the truth is that it let a lot of people learned about the latest technologies without getting out their group of friends. 

Then I joined a non-profit organization called “Ineta", there we organized and presented a lot of events  focused on people and knowledge more than tools or products. I have always found that people tend to not feeling comfortable with this kind of event format so it’s a challenge to lead on them, but it feels great to participate in that kind of activities, you know there are few things money cannot buy and this feeling is one of them. I agree with Gael when she says one really does make the difference. After Ineta I took a break and then I joined this great community =).

In my work We are also trying to build community, We are currently hosting a free event about Software Testing . And in my other free time (maybe I need a plutonian day) I’m presenting sessions on Windows Mobile native development.

Ok, I hope I was not boring =)

Bye!

Javier Andrés Cáceres Alvis.

Here a cool song.

My other Blog.

Ok, the DTK and other applications that use SOL and IDE-R capabilities consume the functionality exposed by the Redirection Library. This library is included in the imrsdk.dll file and is the one in charge of establishing a TCP (port 16994) or TLS (port 16995) connection, so if you’re sure you’ve check all the possible error sources I talked in my first post then it’s a good time to take the next steps.

Picture 1. Key values.

First that all, please verify that your SSL client and server certificates contains the keys shown in picture 1; these values must be 1.3.6.1.5.5.7.3.2 and 2.16.840.1.113741.1.2.1, or both (no matter if you used a customized template or a standard one). If your client application is still having the same error, please find the imrsdk.ini file (which must be in the same folder that imrsdk.dll), open it and set the debug level to “2”:
[COMMON]
Debug_Level=2
Storage_Enabled=0

With Debug_Level=2 you will get a log file that specifies what the concrete error is; in my case I got these entries in my log.txt:
LOG STARTED Fri Mar 13 11:09:37 2009
NETMGR: added UDP socket to read socks: 1456
NETMGR: Signal socket created: 1500
SSLSocket::connect: failed to set certificate chain file file
SSLSocket::connect: func X509_STORE_add_cert, reason cert already in hash table
SSLSocket::connect: failed to set certificate chain file file
SSLSocket::connect: func X509_STORE_add_cert, reason cert already in hash table
LOG ENDED Fri Mar 13 11:13:07 2009

With those entries and looking at the code, I thought that error was due a duplicated certificate in my store, so I checked it and eureka!!!:

 
Picture 2. Duplicate certificate.

As shown in picture 2, for some reason the same certificate was twice in my “Trust root certification Authorities“; I thought I should go ahead and delete one of them, but which one?; so I navigate to the IAMT machine’s WebUI, I viewed the issuer certificates’ serial number (Picture 3), I deleted the bad one and the DTK worked fine.
 
Picture 3. Issuer certificate’s serial number.

Don’t forget that the DTK takes ALL the trusted root certificates to a *.pem file called “Trusted Root Certificates.pem” the first time is started, so if you changed something in your environment please delete this file and start the application again. Maybe your error message is because another stuff, but with this log you can isolate your issue.

I hope this helps you!. If you got another log entry solved this is a good place to comment it

=)

Javier Andres Caceres Alvis

Hello everybody,

One of the coolest Intel AMT’s features is security, but one can be lost among the jargon and get discouraged quickly. The purpose of this post is to talk a little about System Defense, network security policies and heuristic filters to finally build an Agent monitor (or "Agent Presence").

Introduction

OK, Intel AMT has two closely related features: System Defense and Agent Presence. Here they’re briefly described to quickly understand what they are and how to use them:

• System Defense (previously known as "circuit breaker"): is in short the capacity of a machine to block the traffic of packets through a network security policy. A network security policy is the way to group filters and a filter is a test made to the incoming or outgoing traffic from one machine to verify if it meets certain conditions (for example, a common condition is to review the packages’ IP).

There are pre-loaded filters and the possibility of creating new ones. Heuristic filters are a special type of filter that can block the outgoing traffic from one machine to prevent it from infecting / attacking other machines on the network. The traffic blocking is done through the inspection of outgoing packets in order to find unusual operating conditions. There are very good resources that describe this topic deeply.

• Agent Presence: This feature allows to an independent vendor’s software agent (like: a firewall, an anti viruses, an asset tracker) reports to Intel AMT that: 1) it is started, 2) it is running 3) it is shutdown. This very important because a user or an exceptional condition may terminate or stop a software agent unexpectedly.

The way Agent Presence and policies interact with an agent monitor is through state transitions. For example: when monitor reports that an agent changes from "Running" to "expired" state, it’s possible to automatically activate/disable a policy to allow / block all inbound / outbound traffic.

Building an agent monitor

Agent monitors are built in two pieces: one in the AMT machine (local) and one in the monitoring console (remote). The remote part is for agent monitor management functions: like creation, selection, and deletion. The local part is for agent monitor registration (previously created in the remote interface) and reporting (of its currently state through “heartbeat” signals). The way in which both parts communicate is via a shared GUID.

After Reading the DTK I wanted to build an agent monitor, so that’s why I wrote this post. There is an application called “Intel AMT Outpost” which one simulates to be an agent monitor and it attracted my attention because it lets making a relation between the heartbeat signals and any application’s execution.

So I started by taking the DTK’s source code as a basis to write a C# solution made of a monitor console and an agent; they both consume the AMT machine’s web services (EOI, not WS-Man). Agent monitors are also known as watchdogs. The results of this exercise are two sample applications: a remote one (Figure 1) for watchdog creation, deletion and selection and a local one (Figure 2) for watchdog registration and reporting.

Figure 1. Agent monitor console.

Both applications share a GUID to uniquely identify each other. The applications’ source code is available. Some agent monitor’s parameters (like heartbeats) are static and please have into account that it’s a sample, so it does not meet the best design practices.

Figure 2. Agent monitor.

During the development of this sample I learnt two things: 1) it’s necessary to increment the heartbeat sequence and 2) the relation between a heartbeat signal and an application’s execution shown in “Intel AMT Outpost” is merely descriptive; I mean, it is an agent monitor‘s task to perform any action to verify the application’s execution and it is not an built-in AMT function.

During the testing stage I found that it is not necessary to create a “watchdog” before performing a registration or a reporting action. General recommendations: 1) Use “localhost” instead of IP in Windows Vista machines, 2) Don’t use the remote interfaces from AMT host, 3) If you get a "Failed to parse the request" exception while calling any web service method it’s probably that you need to change the WSDL files’ version (in my case, I first added a web service reference to SDK 5.0.1.4 WSDL files and then I needed to change them) and 4) be careful with the heartbeat sequence increments because your unsigned int variable (that holds this value) can become huge.

Before say good bye, I would like to ask you what Agent Presence’s features would you like to see in next versions? Maybe another registration mechanism between agent monitor and console (stronger than Guid)? Or maybe any built-in monitor functionality?

Greetings from Bogotá and in a next post I’ll write the C++ version of the agent monitor.