Intel AMT supports the Kerberos option based on the following standards:
• Kerberos V5 (RFC 1510)
• Kerberos V5 GSS-API mechanism (RFC 1964)
• SPNEGO (RFC 2478)
Intel AMT supports the RC4-HMAC cipher suite.
Starting with Release 8.0, Intel AMT also supports the Advanced Encryption Standard (AES) ciphers AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96. These ciphers are not enabled by default: a setup and configuration application or other console must provide the appropriate field values on the device, and the Active Directory account that represents the device must be permitted to use AES. See Set Kerberos Settings to Support AES Ciphers.
Intel AMT is a Kerberized UNIX service from the point of view of Active Directory. Each device registers with Active Directory and provides six Service Principal Names (SPNs), one for each of the six services it provides:

SPN             | Service
HTTP/FQDN:16992 | SOAP over HTTP
HTTP/FQDN:16993 | SOAP over HTTPS
HTTP/FQDN:16994 | Redirection over TCP
HTTP/FQDN:16995 | Redirection over TLS
HTTP/FQDN:623   | DMTF manageability over TCP
HTTP/FQDN:664   | DMTF manageability over TLS
The SOAP SPNs support all of the Intel AMT functionality that uses SOAP over HTTP or HTTPS for remote communications. However, see Notes and Limitations.
The Intel AMT redirection functionality communicates using TCP/IP with or without TLS.
The DMTF manageability SPNs (ports 623 and 664) support WS-Management communications modeled on DASH profiles.
Each Intel AMT device is recorded in the Active Directory database as an Intel AMT object, which is defined as an Active Directory computer object with the version of Intel AMT linked to it. The Intel AMT device hostname makes the entry unique. The password programmed into the Intel AMT device is also the password of its Active Directory account; Kerberos derives the device's long-term key (the device secret) from it, so the two must match exactly.
The Sample Configuration Application performs this function in a simplified way by registering each Intel AMT device as a user with the associated SPNs. The Intel AMT Setup and Configuration Server provides scripts for extending the Active Directory schema, and creates AMT objects for all configured Intel AMT devices.
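The registration step described above, as an added example that is not part of the Intel AMT SDK or its Sample Configuration Application: it creates the Active Directory object for one device with the six SPNs from the table, restricts the account to the AES ciphers, and then checks that no SPN is registered twice in the forest (a duplicate SPN makes the KDC refuse to issue tickets for the service). It assumes the ActiveDirectory PowerShell module, rights to create objects in the target OU, and placeholder values for the FQDN, OU and password.

```powershell
# Added example (not Intel AMT SDK code). Placeholders: $fqdn, $ou and the
# password prompt. Requires the ActiveDirectory module (RSAT) and a domain
# account allowed to create objects in $ou.
Import-Module ActiveDirectory

$fqdn = 'amt-client01.corp.example.com'   # hostname provisioned into the Intel AMT device
$ou   = 'OU=IntelAMT,DC=corp,DC=example,DC=com'

# The AD account password must be the same password programmed into the
# device: Kerberos derives the device's long-term key from it.
$amtPassword = Read-Host -AsSecureString -Prompt 'Intel AMT Kerberos password'

# One SPN per service port, all with the HTTP service class.
$ports = 16992, 16993, 16994, 16995, 623, 664
$spns  = $ports | ForEach-Object { "HTTP/${fqdn}:$_" }

# Computer object named after the short hostname; AES only, no RC4.
$name = ($fqdn -split '\.')[0]
New-ADComputer -Name $name -DNSHostName $fqdn -Path $ou `
    -ServicePrincipalNames $spns -AccountPassword $amtPassword -Enabled $true `
    -KerberosEncryptionType AES128,AES256

# Check: each SPN must map to exactly one object in the forest.
foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -ne 1) {
        Write-Warning "SPN $spn is registered on $($owners.Count) objects: $($owners.DistinguishedName -join '; ')"
    }
}

# Show what the KDC will use: the SPN list and the permitted cipher set.
Get-ADComputer $name -Properties servicePrincipalName, msDS-SupportedEncryptionTypes |
    Select-Object Name, servicePrincipalName, msDS-SupportedEncryptionTypes
```

The Sample Configuration Application registers the device as a user rather than a computer; the same parameters apply to New-ADUser, with -SamAccountName instead of -DNSHostName. Leave -KerberosEncryptionType out for devices older than Release 8.0, which only negotiate RC4-HMAC.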
The Intel AMT device maintains an Access Control List (ACL) of the users that can access realms within the device. When a Management Console client application manages the device directly and uses Digest authentication, the ACL contains an entry per user. Each entry contains a user ID, a password, a list of the Intel AMT realms to which the user has access, and whether the user has local access, remote access, or both.

Username | Password      | Realms         | Access
User01   | ************* | Admin; Storage | Remote
User02   | ************* | Agent Presence | Remote; Local
When the Intel AMT device is configured to work with Active Directory, an ACL entry contains an SID, a list of realms, and local/remote access permissions. An SID can identify an individual user or an Active Directory group, in which case the one entry covers every member of the group.

SID              | Realms         | Access
01050000374FF6…  | Admin; Storage | Remote
0105000013AC81…  | Agent Presence | Remote; Local
An Intel AMT device can operate with both forms of ACL simultaneously, so that a Management Console application that is Kerberized can access an Intel AMT device using Kerberos, while another application can contact the same device using Digest authentication. Note that the MEBx SOL/IDER settings can limit redirection applications to Kerberos-only ACL entries.
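The Kerberos ACL entries above carry the SID in its binary form (shown hex-encoded), while Active Directory tools display SIDs as S-1-5-… strings. As an added example, not taken from the Intel AMT SDK, the following converts in both directions: a hand-written decoder that shows the byte layout (which is why every entry begins with 0105…), an encoder built on the .NET SecurityIdentifier class for putting a group SID into an ACL entry, and a round-trip check between the two. The group SID used is constructed for the example.

```powershell
# Added example (not Intel AMT SDK code). The sample SID is constructed.

function ConvertFrom-BinarySid {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Binary SID layout:
    #   byte 0      revision (always 1)
    #   byte 1      number of sub-authorities (N)
    #   bytes 2-7   identifier authority, 48-bit big-endian (5 = NT authority)
    #   then N x 32-bit little-endian sub-authorities
    # A domain SID with 5 sub-authorities therefore starts 01 05 00 00 00 00 00 05.
    $revision = $Bytes[0]
    $count    = $Bytes[1]
    if ($Bytes.Length -ne 8 + 4 * $count) {
        throw "SID length $($Bytes.Length) does not match sub-authority count $count"
    }
    $authority = 0L
    foreach ($i in 2..7) { $authority = ($authority -shl 8) -bor $Bytes[$i] }
    $subs = for ($i = 0; $i -lt $count; $i++) {
        [BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    }
    $tail = ($subs | ForEach-Object { "-$_" }) -join ''
    return "S-$revision-$authority$tail"
}

function ConvertTo-BinarySid {
    param([Parameter(Mandatory)][string]$Sid)
    # Use the framework's parser for the string form; it validates the syntax.
    $s = [System.Security.Principal.SecurityIdentifier]$Sid
    $bytes = New-Object byte[] $s.BinaryLength
    $s.GetBinaryForm($bytes, 0)
    return ,$bytes
}

function ConvertTo-HexString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Constructed group SID: domain identifier with a group RID of 1105.
$groupSid = 'S-1-5-21-1004336348-1177238915-682003330-1105'

$bin = ConvertTo-BinarySid $groupSid
"ACL entry SID bytes: $(ConvertTo-HexString $bin)"

# Round-trip with the hand-written decoder and cross-check against .NET.
$decoded = ConvertFrom-BinarySid $bin
$dotnet  = (New-Object System.Security.Principal.SecurityIdentifier($bin, 0)).Value
if ($decoded -ne $groupSid -or $dotnet -ne $groupSid) {
    throw "SID round-trip mismatch: decoder=$decoded .NET=$dotnet"
}
"Decoded SID: $decoded"

# On a domain-joined host, the SID for a real group comes from AD, e.g.:
#   (Get-ADGroup 'AMT Operators').SID.Value
```

When a console adds a group entry, the group's SID is what goes into the ACL, so membership changes in Active Directory take effect without touching the device; removing a user from the group is the only revocation needed, which is not true of Digest entries, where the device's own user list must be edited.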
Copyright © 2006-2012, Intel Corporation. All rights reserved.