Class AMT_KerberosSettingData
Used in features: Security Administration
Compatible with the following Intel AMT Releases: 3.0, 3.2, 4.0, 5.0, 5.1, 6.0, 6.1, 6.2, 7.0, 8.0, 8.1, 9.0, 9.5, 10.0, 11.0
CIM_ManagedElement
CIM_SettingData
AMT_KerberosSettingData
class AMT_KerberosSettingData
- extends CIM_SettingData
General Information:
The AMT_KerberosSettingData class represents configuration-related and operational parameters for the Kerberos service in Intel(R) AMT.
Qualifiers:
-------------
Version=8.0.0
Supported Fields Summary

| Type | Name | Description |
|---|---|---|
| string | ElementName | The user-friendly name for this instance of SettingData . . . |
| string | InstanceID | Within the scope of the instantiating Namespace, InstanceID opaquely and uniquely identifies an instance of this class . . . |
| string | RealmName | Kerberos Realm name. |
| string[4] | ServicePrincipalName | An array of strings, each of which names a distinct service principal. |
| uint16[4] | ServicePrincipalProtocol | An array of 16-bit enumeration values, each of which corresponds to the string in the same position of ServicePrincipalName. |
| uint32 | KeyVersion | Key version number . . . |
| uint16 | EncryptionAlgorithm | A 16-bit enumeration value that identifies the encryption algorithm used in Kerberos authentication. |
| uint8[16] | MasterKey | A 128-bit binary key value . . . |
| uint32 | MaximumClockTolerance | The number of minutes by which the clocks of the Intel(R) AMT device and the client and KDC can be out of sync - typically 5 minutes. |
| boolean | KrbEnabled | Indicates whether Kerberos authentication is enabled or disabled. |
| string | Passphrase | Used when the key generation method is chosen (RFC 3961, 3962) . . . |
| string | Salt | Used when the key generation method is chosen (RFC 3961, 3962) |
| uint32 | IterationCount | Can be used when the key generation method is chosen (RFC 3961, 3962) |
| uint16[3] | SupportedEncryptionAlgorithms | 16-bit enumeration values that identify the supported encryption algorithms used in Kerberos authentication. |
| uint16[3] | ConfiguredEncryptionAlgorithms | 16-bit enumeration values that identify the configured encryption algorithms used in Kerberos authentication. |
Methods Summary

| Return type | Method | Description |
|---|---|---|
| uint32 | GetCredentialCacheState(Enabled) | GetCredentialCacheState gets the current state of the credential caching functionality |
| uint32 | SetCredentialCacheState(Enable) | SetCredentialCacheState enables/disables the credential caching functionality |
| | Put(Instance) | Changes properties of the selected instance |
| | Get(Instance) | Gets the representation of the instance |
| | Pull(EnumerationContext, MaxElements) | Pulls instances of this class, following an Enumerate operation |
| | Enumerate() | Enumerates the instances of this class |
| | Release(EnumerationContext) | Releases an enumeration context |
ElementName
public string ElementName
- General Information:
The user-friendly name for this instance of SettingData. In addition, the user-friendly name can be used as an index property for a search or query. (Note: The name does not have to be unique within a namespace.)
Product Specific Usage:
In Intel AMT Release 6.0 and later releases value is "Intel(r) AMT: Kerberos Settings"
Qualifiers:
-------------
Required
Override=ElementName
MaxLen=64
InstanceID
public string InstanceID
- General Information:
Within the scope of the instantiating Namespace, InstanceID opaquely and uniquely identifies an instance of this class. To ensure uniqueness within the NameSpace, the value of InstanceID should be constructed using the following "preferred" algorithm:
<OrgID>:<LocalID>
Where <OrgID> and <LocalID> are separated by a colon (:), and where <OrgID> must include a copyrighted, trademarked, or otherwise unique name that is owned by the business entity that is creating or defining the InstanceID or that is a registered ID assigned to the business entity by a recognized global authority. (This requirement is similar to the <Schema Name>_<Class Name> structure of Schema class names.) In addition, to ensure uniqueness, <OrgID> must not contain a colon (:). When using this algorithm, the first colon to appear in InstanceID must appear between <OrgID> and <LocalID>.
<LocalID> is chosen by the business entity and should not be reused to identify different underlying (real-world) elements. If the above "preferred" algorithm is not used, the defining entity must assure that the resulting InstanceID is not reused across any InstanceIDs produced by this or other providers for the NameSpace of this instance.
For DMTF-defined instances, the "preferred" algorithm must be used with the <OrgID> set to CIM.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases value is "Intel (r) AMT: Kerberos Settings"
Qualifiers:
-------------
Key
Override=InstanceID
MaxLen=32
RealmName
public string RealmName
- General Information:
Kerberos Realm name.
Product Specific Usage:
The realm name is the Domain name which it belongs to.
Qualifiers:
-------------
MinLen=1
MaxLen=64
ServicePrincipalName
public string[4] ServicePrincipalName
- General Information:
An array of strings, each of which names a distinct service principal.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases this field is not in use and has no impact
Qualifiers:
-------------
MaxLen=267
ServicePrincipalProtocol
public uint16[4] ServicePrincipalProtocol
- General Information:
An array of 16-bit enumeration values, each of which corresponds to the string in the same position of ServicePrincipalName.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases this field is not in use and has no impact
Qualifiers:
-------------
ValueMap={0, 1, 2, 3}
Values={HTTP Protocol definition, HTTPS Protocol definition, SOL&IDER protocol definition, SOL&IDER protocol definition (using SSL)}
KeyVersion
public uint32 KeyVersion
- General Information:
Key version number. User can update the value each time the master key is changed.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases the initial value is 1.
EncryptionAlgorithm
public uint16 EncryptionAlgorithm
- General Information:
A 16-bit enumeration value that identifies the encryption algorithm used in Kerberos authentication.
Qualifiers:
-------------
ValueMap={0}
Values={RC4 encryption and HMAC authentication}
Note: Support for RC4-HMAC was removed in Intel CSME 18.0.
MasterKey
public uint8[16] MasterKey
- General Information:
A 128-bit binary key value. MasterKey cannot be used if the key generation method is used (using the Passphrase property)
Qualifiers:
-------------
OctetString
MaxLen=16
Note: This property is deprecated in Release 18.0 in favor of using the Passphrase/Salt combination to set the master key. See Set Kerberos Settings to Support AES Ciphers.
MaximumClockTolerance
public uint32 MaximumClockTolerance
- General Information:
The number of minutes by which the clocks of the Intel(R) AMT device and the client and KDC can be out of sync - typically 5 minutes.
Product Specific Usage:
The maximum supported value is 5.
Qualifiers:
-------------
ValueMap={1..255}
KrbEnabled
public boolean KrbEnabled
- General Information:
Indicates whether Kerberos authentication is enabled or disabled.
Qualifiers:
-------------
Required
Passphrase
public string Passphrase
- General Information:
Used when the key generation method is chosen (RFC 3961, 3962). Salt and IterationCount must be supplied also.
Qualifiers:
-------------
MinLen=1
MaxLen=256
Salt
public string Salt
- General Information:
Used when the key generation method is chosen (RFC 3961, 3962)
Qualifiers:
-------------
MinLen=1
MaxLen=256
IterationCount
public uint32 IterationCount
- General Information:
Can be used when the key generation method is chosen (RFC 3961, 3962)
Product Specific Usage:
Maximum supported value (and default value, if not supplied) is 4096.
SupportedEncryptionAlgorithms
public uint16[3] SupportedEncryptionAlgorithms
- General Information:
16-bit enumeration values that identify the supported encryption algorithms used in Kerberos authentication.
Qualifiers:
-------------
ValueMap={0, 1, 2, ..}
Values={RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96, Reserved}
Note: Support for RC4-HMAC was removed in Intel CSME 18.0. Intel recommends using AES256-CTS-HMAC-SHA1-96.
ConfiguredEncryptionAlgorithms
public uint16[3] ConfiguredEncryptionAlgorithms
- General Information:
16-bit enumeration values that identify the configured encryption algorithms used in Kerberos authentication.
Qualifiers:
-------------
ValueMap={0, 1, 2, ..}
Values={RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96, Reserved}
Note: Support for RC4-HMAC was removed in Intel CSME 18.0. Intel recommends using AES256-CTS-HMAC-SHA1-96.
Note: Intel AMT does not choose the encryption algorithm to configure based on the values specified by the user. Intel AMT attempts to enable RC4. If a Passphrase and Salt are provided, the AES suites are also configured.
GetCredentialCacheState
public uint32 GetCredentialCacheState([OUT]boolean Enabled)
- Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM, ADMIN_SECURITY_GENERAL_INFO_REALM
General Information:
GetCredentialCacheState gets the current state of the credential caching functionality
Product Specific Usage:
Additional Notes:
1) 'GetCredentialCacheState' is not supported in Intel AMT Release 3.0.
Parameters:
--------------
- Enabled
- General Information:
Output state of the credential caching functionality
Qualifiers:
-------------
Required
OUT
SetCredentialCacheState
public uint32 SetCredentialCacheState([IN]boolean Enable)
- Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
SetCredentialCacheState enables/disables the credential caching functionality
Product Specific Usage:
Additional Notes:
1) 'SetCredentialCacheState' is not supported in Intel AMT Release 3.0.
Parameters:
--------------
- Enable
- General Information:
New state of the functionality
Qualifiers:
-------------
Required
IN
Put
public Put([IN]AMT_KerberosSettingData Instance)
- Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
Changes properties of the selected instance
Product Specific Usage:
The following properties must be included in any representation of AMT_KerberosSettingData:
ElementName (cannot be modified)
InstanceID (cannot be modified)
KrbEnabled
MasterKey
MaximumClockTolerance
KeyVersion
EncryptionAlgorithm
In AMT release 8.0 and later, the MasterKey field can be replaced by the Passphrase, Salt and IterationCount fields.
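
The constraints stated on this page (the properties required by Put, the MinLen/MaxLen qualifiers, the MasterKey versus Passphrase rule, the IterationCount and MaximumClockTolerance limits, and the RC4-HMAC removal note) can be checked before a representation is sent. The following Python check is an added example, not Intel's code; the dict layout, the name check_kerberos_settings and the sample values are assumptions made for illustration.

```python
# Added example: pre-flight check of a candidate AMT_KerberosSettingData
# representation. The dict layout and function name are assumptions.
REQUIRED = ("ElementName", "InstanceID", "KrbEnabled",
            "MaximumClockTolerance", "KeyVersion", "EncryptionAlgorithm")
# (MinLen, MaxLen) taken from the Qualifiers listed on this page.
STR_LIMITS = {"ElementName": (0, 64), "InstanceID": (0, 32),
              "RealmName": (1, 64), "Passphrase": (1, 256), "Salt": (1, 256)}
RC4_HMAC = 0  # ValueMap entry 0 in the encryption algorithm enumerations


def check_kerberos_settings(inst):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"missing required property {p}" for p in REQUIRED if p not in inst]
    for prop, (lo, hi) in STR_LIMITS.items():
        if prop in inst and not lo <= len(inst[prop]) <= hi:
            findings.append(f"{prop} length must be {lo}..{hi}")
    has_key, has_pass = "MasterKey" in inst, "Passphrase" in inst
    if has_key == has_pass:  # both present or both absent
        findings.append("supply exactly one of MasterKey or Passphrase")
    if has_key and len(inst["MasterKey"]) != 16:
        findings.append("MasterKey must be 16 octets (128 bits)")
    if has_pass and "Salt" not in inst:
        findings.append("Passphrase requires Salt")
    if inst.get("IterationCount", 4096) > 4096:  # 4096 is default and maximum
        findings.append("IterationCount exceeds maximum of 4096")
    if not 1 <= inst.get("MaximumClockTolerance", 5) <= 5:
        findings.append("MaximumClockTolerance must be 1..5 minutes")
    if RC4_HMAC in inst.get("ConfiguredEncryptionAlgorithms", []):
        findings.append("RC4-HMAC configured; support removed in Intel CSME 18.0")
    return findings


# Constructed sample values, not taken from a real device.
BASE = {"ElementName": "Intel(r) AMT: Kerberos Settings",
        "InstanceID": "Intel (r) AMT: Kerberos Settings",
        "KrbEnabled": True, "MaximumClockTolerance": 5,
        "KeyVersion": 1, "EncryptionAlgorithm": 0,
        "RealmName": "EXAMPLE.TEST"}
GOOD = dict(BASE, Passphrase="constructed-passphrase",
            Salt="EXAMPLE.TESTconstructed", IterationCount=4096)
BAD = dict(BASE, MasterKey=bytes(8), Passphrase="x", MaximumClockTolerance=30,
           IterationCount=10000, ConfiguredEncryptionAlgorithms=[0, 2])

if __name__ == "__main__":
    for name, inst in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_kerberos_settings(inst))
```
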
Get
public Get([OUT]AMT_KerberosSettingData Instance)
- Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM, ADMIN_SECURITY_GENERAL_INFO_REALM
General Information:
Gets the representation of the instance
Pull
public Pull([IN]String EnumerationContext, [IN]String MaxElements)
- Permission Information:
All users are permitted to use this method; only instances for which the user has permissions will be returned
General Information:
Pulls instances of this class, following an Enumerate operation
Enumerate
public Enumerate()
- Permission Information:
All users permitted to use method
General Information:
Enumerates the instances of this class
Release
public Release([IN]String EnumerationContext)
- Permission Information:
All users permitted to use method
General Information:
Releases an enumeration context