In this post I’ll talk about my experience connecting an AMT machine (Enterprise mode with mutual TLS enabled) with a server machine running the SCS and with a machine running a management console; this connection can be from the SCS, the DTK or from your application (based on the DTK’s source code) to an AMT machine in order to retrieve its asset information and perform a SOL or an IDE-R session. For complete instructions please check the SCS installation guide.
These tips use the configuration shown in the picture above. You can change this configuration by using a virtual machine instead of a real one to run the SCS. The information is given from an end-user perspective, so I won't emphasize technical details:
1. Check whether the server machine running the SCS can be reached from the AMT machine and from the machine running the management console. To check this you can ping between these machines. Error sources can vary, so these are only the ones I found:
a. A client machine is not in the same IP range and its preferred DNS server can't resolve the machine name to an IP address. To solve it, point the clients' preferred DNS server at the server that has the destination machine registered in its DNS and DHCP services.
b. A client machine has just started up its operating system, so a firewall or antivirus application may be blocking the ping response.
2. If the Certification Authority service is installed in Enterprise mode, make sure you supply the server's FQDN in the "common name for this ca" field when you install it (Intel AMT Installation Guide, page 43, step 8).
3. If the Certification Authority service is installed in Enterprise mode, make sure you have chosen the WebServer template to create the AMT machine's server certificates. Otherwise, check that the template you're using has the "Server Authentication" policy in its certificate extensions.
4. If you have heard about something called intel_oid or something like 2.16.840.1.1137188.8.131.52, you can go ahead; otherwise it's likely that a parameter is missing from your configuration. This parameter is described on page 136 (Certification Authority in Enterprise mode) or page 52 (Certification Authority in Stand-alone mode) of the installation guide.
5. Check whether you can browse the AMT machine's WebUI from the SCS server and from the machine running the management console. If you can access it from the machine running the management console but not from the SCS server machine, check the SCS server's client certificate, because the SCS console's operations log probably contains many failed connection attempt records.
To solve it, check whether the root certificate is the only one in the personal store; if so, you may need to create a new client certificate (based on the root certificate) and try to authenticate with it. It's also a good idea to test with more than one web browser (Internet Explorer, Firefox).
6. Check whether you're trying to connect using the AMT machine's IP address instead of its FQDN; remember that the certificate subject must match the machine's FQDN, otherwise the automatic validation (performed by the web browser or by the execution environment) will fail and the connection will be refused.
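As an added example for tips 2, 5 and 6 (not code from the original post or from Intel's SCS/DTK), here is a small Python pre-check that tells you whether the name you are connecting with can ever match what the AMT server certificate asserts, plus a mutual-TLS client context built the way tip 5 describes (trust the root certificate, present the client certificate). It goes slightly beyond the post by applying the rule browsers use: DNS Subject Alternative Names take precedence and the subject CN is only a fallback. The certificate dict, host names and file paths are constructed; port 16993 is assumed to be the AMT TLS WebUI port.

```python
import ipaddress
import ssl
from urllib.parse import urlparse

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "amt01.corp.example"),),),
    "subjectAltName": (("DNS", "amt01.corp.example"),),
}

def _dns_match(pattern, hostname):
    """Case-insensitive match; a single leftmost '*' label may stand in for one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_names(cert):
    """Names the certificate asserts: DNS SANs win; the subject CN is only a fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def diagnose_target(cert, target):
    """Return (ok, reason) for reaching the AMT WebUI at `target` (URL or host[:port])."""
    host = urlparse(target if "//" in target else "//" + target).hostname or ""
    try:
        ipaddress.ip_address(host)  # an IP literal can never match an FQDN subject
        return False, "target is an IP address; the certificate names an FQDN, use it (tip 6)"
    except ValueError:
        pass
    names = cert_names(cert)
    if not names:
        return False, "certificate has neither a DNS SAN nor a commonName (tip 2)"
    if any(_dns_match(n, host) for n in names):
        return True, f"{host} matches certificate name(s) {names}"
    return False, f"{host} does not match certificate name(s) {names}"

def amt_client_context(ca_file, client_cert, client_key=None):
    """Mutual-TLS client context: trust only our root CA, verify the FQDN and present
    the client certificate that tip 5 says must exist besides the root in the store."""
    ctx = ssl.create_default_context(cafile=ca_file)  # e.g. the exported root CA .pem
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(client_cert, client_key)  # constructed paths, supplied by the caller
    return ctx
```

Wrap a socket with `amt_client_context(...)` and `server_hostname` set to the FQDN (never the IP) before talking to `https://<fqdn>:16993/`; a failure there reproduces, in one place, what the browser and the DTK validation would refuse.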
7. If the DTK or your application (based on the DTK's source code) is unable to perform an IDE-R session or a SOL session but is able to retrieve asset information, take into account that OpenSSL is the component used to handle SSL and TLS, and it requires a file structure similar to this:
Check that you have a file structure similar to the one used by OpenSSL; it's also required to have at least these AMT SDK files:
The DTK also creates some temporary files that are read by OpenSSL, so please check that the user account under which you're running it has read/write/delete permissions on operating systems with a high security level; some of the temporary files are:
b. Drive:\My_App\Trusted Root Certificates.pem
On the other hand, if you've connected to the AMT machine once and have not been able to do it again after provisioning, you may need to delete the temporary files, if they exist, so that the DTK creates them again.
8. If the DTK or your application (based on the DTK's source code) is unable to perform an IDE-R session or a SOL session but is able to retrieve asset information, and you're sure the previous tip does not apply, then it's possible that the AMT machine's "Redirection Port" parameter is disabled; this parameter is not the same as the "IDE Redirection" parameter defined during profile creation (in the SCS Console). The easiest way to enable this parameter again is to use the DTK's Commander utility (in the "Remote Control" tab).
9. My last general suggestion is to have more than one profile in the SCS console. I mean, try to have profiles with different TLS security levels (for instance: no TLS, basic TLS and mutual TLS) so you'll be able to improve security step by step by applying the next higher security profile, and stop when one doesn't work.
If you still have connection problems, maybe you have a new tip to add to this list ;-)
Cheers and good luck!
Javier Andrés Cáceres Alvis