Redirection Exception

Hi there,

I'm trying to use SOL/IDE-R on an Enterprise-provisioned machine with TLS enabled (basic, not mutual) and I'm getting an Exception.

I'm able to see the asset information and to power the machine up/down (with EOI, NOT WS-Man), but SOL/IDE-R does not work, so I'm sure it's not an access issue (because the machine's security certificate is added to the client's trusted root certificate store and the user being used is admin).

The method that returns the error is (AmtRedirectorWrapper.cs line 617):
r = IMR_SOLOpenTCPSession(clientId, login, data, IntPtr.Zero);

And the error is r = IMRResult.IMR_RES_SOCKET_ERROR

Help!

Javier Andrés Cáceres Alvis

Usually this means some sort of connectivity error. Also, possibly due to certificate verification issues. Check to make sure you've set the value ClientInfo.ip to be the same as the CN of the AMT certificate. Also, check the value of Storage_Enabled in your ini file (is it 0?).

-Jerome

Hello Jerome,

Sorry for delay.

The CN of the AMT certificate shows the machine FQDN, while the hostname resolves to the same IP, so when I try to connect with DTK Commander I can do it, but it shows me warnings and Remote Control is disabled.

The problem is that SCS Console makes those certificates, so I cannot change the FQDN to use the IP address; I also was trying to get the FQDN from the machine but it always returns me the IP address instead.

Thanks a lot,

Javier Andrés Cáceres Alvis

Hello Jerome,
I forgot to mention in my previous post that I did not have an imrsdk.ini file, but now I have one I copied from a DTK bin directory.
In this file the parameter is: Storage_Enabled=0, but I have a question: what does this parameter do?
On the other hand, is it possible to handle the certificate authentication process?
Thanks a lot,
Javier Andrés Cáceres Alvis

Hello Jerome,
I have more feedback:
I did a test with bad results: I manually changed the RedirectorWrapper IP parameter to the machine FQDN so that it is the same as the certificate CN, but I got the same error (RedirectorWrapper.IMRResult.IMR_RES_SOCKET_ERROR), so I do not think this is the reason.
Thanks a lot,
Javier Andrés Cáceres Alvis

Hello there,
I'm still getting the error. Any help is welcome
=)
Javier Andrés Cáceres Alvis

Hi Javier,

Can you also verify that the listener is active? I think you can use the Redirection sample in the bin directory to look at the current redirection settings.

Also, so that we can help you better could you send over your FW version, DTK code version, SDK version (5?)

Thanks

Hi Gael,

I verified listener is active.

I'm trying to use the RemoteControl.exe in many ways but I think I'm doing something wrong; can you please check this syntax:

RedirectionConfig.exe -g -user admin -pass PB4e http://192.168.1.6:16993/RedirectionService

But I got this message: "The system cannot find the file specified."

I also tried this:

RedirectionConfig.exe -g http://192.168.1.6:16993/RedirectionService

But I got this message:

Calling function GetRedirectionListenerState...
Error: failed while calling GetRedirectionListenerState
SOAP failure: error code = 22

I attached a picture of Commander showing some connection warnings due to a mismatch between the certificate name and the hostname.

Here the additional info:

DTK 0.54
SDK release 3.0 - Hotfix 2
FW 2.0

Thanks a lot,

Javier Andrés Cáceres Alvis

Hi,

The syntax with username and password is correct. Is there any reason you are using the 3.0 version of the SDK? Could you try with the latest SDK version (5.0)?

Thanks,

Sree

Javier,
For the two examples you gave, I'm pretty sure the error on the second is due to not having the name and password.
But for the first, if you used:
RedirectionConfig.exe -g -user admin -pass PB4e http://192.168.1.6:16993/RedirectionService,
the failure might be because you used the combination of http: and port 16993. Http should go to port 16992. Down in the lab, when I tried against one of our systems, this query worked when I had 16992 and returned an error when I had 16993. It was a different error than you had, but I also didn't have TLS configured.
Andy

Hello Andy,

I agree with this, I was wrong, so I switched to HTTPS but I'm still getting the error:

RedirectionConfig.exe -g -user admin -pass PB4e https://192.168.1.6:16993/RedirectionService

The system cannot find the file specified.

Thanks a lot!

Javier Andrés Cáceres Alvis

Hi,
Coming back to my previous question - have you tried sdk 5.0?
Thanks,
Sree

Hello Sree,

I updated to SDK 5.0 but I'm still getting the same Exception.

Thanks,

Javier Andrés Cáceres Alvis

Hi Javier,

You can't use an IP address with TLS. The TLS needs to use the certificate for authentication, but the IP address doesn't match the name on the cert, so the connection fails. To use TLS you have to use an FQDN, that way the lookup on the cert will match the name on the request.

Regards,

Roger

Hello Roger,

I switched to:

RedirectionConfig.exe -g -user admin -pass >i;U3Ho$ http://LINTVPRO-PC.AMT.LOCAL:16993/RedirectionService

And I can see something like a log file in the bin directory with this text:

Calling function GetRedirectionListenerState...
Error: failed while calling GetRedirectionListenerState
SOAP failure: error code = 25

Thanks a lot,

Javier Andrés

Hi there,
Any help?
Thanks a lot,
Javier Andrés Cáceres Alvis

Hi Javier,

As was said earlier, the protocol type and the port number have to match: http with 16992, and https with 16993. In your code, you show http with 16993; this will not work. Please try the code again with the correct protocol type.

Regards,

Roger

Hello Roger,

It was a typing mistake, I have tried with HTTPS with the same results.

Thanks a lot,

Javier Andrés Cáceres Alvis

I think the issue here and the issue you raised in the other thread you started today (the SCS mutual authentication error) are both related to a certificate issue that's keeping the SDK example code or your code from being able to connect to the AMT system correctly. I'm looking more into how to try to resolve this, since setting up the certificates can be somewhat involved, especially in the mutual authentication case.

Andy

Hello Andy,

Me too. I think both errors are related.
The certificate creation process is simple: my server is running Windows 2003 with the Certificate Authority services.
This authority issues all certificates in my environment (I mean, the ones used by IIS, by SCS and by my Windows client application).
I googled it, but the reasons why this error happens are verified or do not apply to my scenario (for example, this also happens when the client application is a web application, and then the problem is about file permissions).

I have tried to connect to AMT machine with the DTK utilities but they raise the same exception.

Thanks a lot Andy,

Javier Andrés Cáceres Alvis

Hello Andy,

I have been trying many things and I give up.

This thread and the one related to mutual authentication are my current issues.

Thanks a lot,

Javier Andrés Cáceres Alvis

I'll keep using this thread to answer questions about standard TLS (not mutual), and continue addressing the mutual TLS questions in the other thread.
When you set up the profile to provision in normal TLS, you checked the box for TLS in the profile, then chose the local system and set a profile of WebServer, correct? At that point an AMT system provisioned using that profile would automatically get the trusted root, and you should be able to access the WebUI (assuming the profile is set up for that) from the CA without issue using https:// :16993. For instance, if the AMT system FQDN was intelamt4.vprodemo.com, https://intelamt4.vprodemo.com:16993 should take you to the WebUI login.
If you can't access the WebUI, then something has gone wrong in the provisioning and we'll need to dig deeper there. If you can access the WebUI, then we can start looking at the application or code. We'll start with RedirectionConfig.exe, since most of the SDK examples are smart enough to look in the Windows trust store. If the same arguments you used before (RedirectionConfig.exe -g -user admin -pass PB4e http://:16993/RedirectionService) don't work, then the issue might be that the user the browser is running under can see the certificate, but the user your program is running as can't.
If you can get both the WebUI and the redirection service working, then we can move on to your code example. If the previous two cases worked, could you go into a little more detail on the arguments used in your code example? From above: r = IMR_SOLOpenTCPSession(clientId, login, data, IntPtr.Zero);

You need to double-check the name that was given to the AMT system by Director. Sometimes, Director will give the system a name that you didn't expect, and if the name given by Director in the configuration process doesn't match the name that has already been registered in DNS by the OS, then the certificate match to the system name will not match.

Hello Roger,

I have tried repeating the provisioning process, but Director always gave an unexpected name.

So at this point, I think I cannot influence or change the way Director names machines.

Thanks a lot,

Javier Andrés Cáceres Alvis

Hello Andy ,

If I use TLS basic I can access the Web UI, but when I switch to TLS mutual a window like the one shown in the attached picture appears, and no matter which certificate I select it is always rejected (I have selected the trusted root certificate and others I have created by deriving from it, but they do not work). I'm running the RedirectorConfig.exe tool on the machine I'm developing on, and this machine has nothing to do with the test domain or the AMT test machine. Is it necessary to run the tool, for example, on the SCS server (under the SCS user)?
I actually cannot connect to the AMT machine by WebUI nor by RedirectorConfig.exe.

Thanks a lot,

Javier Andrés Cáceres Alvis

Javier, can you do anything with the AMT on your system? It sounds like the provisioning did not complete correctly. I just put a blog out there that addresses this situation. Basically, if something goes wrong, you have to unconfigure the system and reprovision it.

Very Important Note:If a serious operational error occurs during the setup and configuration process (for example, TLS is configured incorrectly because a certificate or private key was installed inadvertently, or a certificate replacement was performed that does not align with current keys), and the platform is then transitioned to Operational Mode, the Intel AMT device may not be accessible remotely. The Intel AMT device needs to be returned to the Factory Mode by using the BIOS sub-menu Unprovision option.

Hi Javier - I just wanted to add on to my last post that I don't think you should change your provisioning method - I was just thinking that looking at what the SCA sample is doing might help you/us understand what is actually happening and why Mutual Authentication isn't working.

Javier,

The certificate that shows up in the image you attached, is that the one you created for mutual authentication? The machine you're running the tool or your code from should also have the certificate for mutual authentication, since that's how the AMT system is validating that the system has permission to connect. Every system that will be talking to AMT would need a cert in the mutual authentication case. You wouldn't necessarily need to run through the process on page 53 for each system; you could export the cert created from the CA into a file and import it in that manner (I can give you some more details here if you like).

You don't need to run the tool example on the SCS server, but I suggested it since I was guessing that's where you requested the cert from.

Hello Gael and Andy,

Please see these steps I did with Director:
First round:
1-I created a Basic profile
2-I created a Key
3-I entered the key into BIOS
4-Director received the Hello message and provisioned the machine
5-I was able to connect to machine with Director, Commander (redirection) and WebUI.

Second round:
1-I created a root certificate and added it into the Windows trusted certificate store
2-I issued an all permissions certificate based on the root certificate
3-I issued a sub-ca certificate based on the root certificate
4-I created a server only TLS profile by selecting the certificate I created in (1) to be the issuer certificate and pushed it into machine:
5-Director configured the machine with the server only TLS profile correctly
6-I was able to connect to machine with Director, Commander (redirection) and WebUI.

Third (and most important) round:
1-I created a server + console TLS profile by selecting the certificate I created in (1-second round) to be the trusted root one and by selecting the certificate I created in (1-second round) to be the issuer certificate. I finally entered the Director host machine FQDN as the Trusted Certificate Name and pushed it into the machine
2-Director configured the machine with the server + console TLS profile correctly and it was able to connect only ONCE; as soon as I disconnected it and I tried to connect it again Director could not do it.
5-I was not able to connect to machine with Director, Commander.
6-When I tried to access the machine by its WebUI, IE browser prompted a window to choose one of the certificates I created in 1 or 2 (second round) but all of them were rejected.

I repeated the 3 rounds twice with same bad results.
I finally did it all again with the "stream events to file" option enabled to send to you, but I don't know why Director and WebUI could connect to the AMT machine after I pushed the server + console TLS profile, so I went happily to run Commander and it could connect, but when I clicked on the take control button I received the error that I have always received: "Serial-over-LAN error: IMR_RES_TLS_CONNECTION_FAILED" (see attached file).

So, I have a bitter sweet taste now:
Sweet because Director did not lose the connection as SCS did
...and bad taste because I do not know why it "partially" worked, if I have tried it before.
I'm going to repeat all steps again with other machine just to see that happens.

Thanks a lot,

Javier Andrés Cáceres Alvis

Hello Gael & Andy,

I repeated the steps on another machine and I got the same results the first time.
I mean, I could connect with server + console TLS with Director and WebUI, but when I try to connect to use the "Remote Control" features in Commander I get the same error message: "Serial-over-LAN error: IMR_RES_TLS_CONNECTION_FAILED".
I'm going to move one of the machines to work with SCS just to test if works like Director (I mean, everything running ok except by Remote Control).

Thanks a lot,

Javier Andrés Cáceres Alvis

Hello Gael and Andy,

I moved on SCS and this is my feedback:
I did these steps all afternoon with SCS:

First round:
1-I created a Basic profile (NO TLS)
2-I created a key
3-I manually entered the key into BIOS
4-SCS applied configuration correctly
5-I was able to access the machine by the WebUI, Commander (redirection) and my code.

Second round:
1-I created a Basic TLS profile (only server) by selecting a root certificate I created in MS Cert. Authority
2-I changed the machine profile to the new one
4-SCS applied configuration correctly.
5-I was able to access the machine by the WebUI (but only by typing the FQDN in the IE browser), and Commander showed me connection warnings, so I could not redirect it. It's really important to redirect the machine by using its IP because, for example, in the discovery event you do not have other info, or the host name property in the AMT System object is returned as the same IP.
My code did not work for redirection and I got the same error with which I started this thread.

I was not able to perform the third round cause I was not able to complete the second one.

After working all day on this issue I can say that SCS and Director name security certificates a bit differently. Director names them with the IP address and SCS names them with the FQDN. This can be a pain in the neck. I actually tried to connect with Commander and it shows me connection warnings because of the "Connection name, DNS name, certificate name mismatch.".

Thanks a lot,

Javier Andrés Cáceres Alvis

Javier,
The handling of certificates will be dependent on the software you are using. There are options that some software may implement and others do not. Here is what is going on in the second round you describe above.

  • The SCS is indeed only using the FQDN in the certificate. This is the most robust option. Using the IP address in a DHCP environment wouldn't make sense since the IP address may change. SCS requires DHCP.
  • It is common for the client software in a TLS handshake to require a match between the FQDN and the certificate CN from the endpoint it is negotiating with. The SCS behaves this way and most browsers do too, although some will allow you to override this after displaying a security warning. To demonstrate this, try pointing your browser to https://www.wellsfargo.com and again to https://151.151.88.144. In the latter case, you should see a warning from your browser about the certificate only being valid for the URL and not the IP address (unless Wells Fargo's IP has changed). If you require the use of TLS and connections through IP addresses, your software will have to allow a mismatch, but this practice has security implications.

Hope this helps.

Tom
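The two checks this thread keeps circling back to, written out as an added Python example (not code from the thread, the DTK or the Intel AMT SDK): the scheme/port pairing Andy and Roger point out (http on 16992, https on 16993), and the certificate name matching Roger and Tom describe, which is why a URL built from an IP address fails against a certificate SCS issued to the FQDN. The certificate dicts are constructed here in the shape Python's ssl.SSLSocket.getpeercert() returns, reusing the FQDN LINTVPRO-PC.AMT.LOCAL and the IP 192.168.1.6 from the thread; the function names and the hypothetical "IP Address" SAN certificate are this example's own assumptions.

```python
"""Pre-flight checks for a TLS redirection (SOL/IDE-R) client talking to
Intel AMT: the URL scheme must pair with the right AMT port, and the host
the client dials must be covered by the certificate AMT presents.
Added example; function and variable names are this example's own."""
import ipaddress
from urllib.parse import urlsplit

# Pairing stated in the thread: plain HTTP on 16992, HTTPS (TLS) on 16993.
AMT_PORTS = {"http": 16992, "https": 16993}

# Constructed certificate data in the dict shape ssl.SSLSocket.getpeercert()
# returns. SCS_CERT mimics what SCS issued in the thread: the FQDN in the CN
# (and a matching DNS SAN) and no IP entry. IP_SAN_CERT is hypothetical: what
# it would take for an IP-based URL to verify cleanly, an 'IP Address' SAN.
SCS_CERT = {
    "subject": ((("commonName", "LINTVPRO-PC.AMT.LOCAL"),),),
    "subjectAltName": (("DNS", "LINTVPRO-PC.AMT.LOCAL"),),
}
IP_SAN_CERT = {
    "subject": ((("commonName", "LINTVPRO-PC.AMT.LOCAL"),),),
    "subjectAltName": (("DNS", "LINTVPRO-PC.AMT.LOCAL"),
                       ("IP Address", "192.168.1.6")),
}


def check_endpoint(url):
    """Return (ok, reason). Catches http://host:16993 and https://host:16992."""
    parts = urlsplit(url)
    expected = AMT_PORTS.get(parts.scheme)
    if expected is None:
        return False, "unsupported scheme %r" % parts.scheme
    port = parts.port if parts.port is not None else expected
    if port != expected:
        return False, "%s must use port %d, not %d" % (parts.scheme, expected, port)
    return True, "ok"


def _dns_match(pattern, name):
    """Compare one certificate DNS name with the target, case-insensitively,
    allowing a wildcard only as the entire left-most label (*.amt.local)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p, n = pattern.split("."), name.split(".")
    # '*.amt.local' covers 'host.amt.local' but not 'a.b.amt.local' or 'amt.local'.
    return p[0] == "*" and len(p) >= 3 and len(p) == len(n) and p[1:] == n[1:]


def hostname_matches(cert, target):
    """RFC 6125 style check of `target` (the URL host) against `cert`.
    An IP literal matches only an 'IP Address' SAN entry, never a DNS name or
    the CN; that is why https://192.168.1.6:16993 fails against a certificate
    issued to the machine's FQDN even though the name resolves to that IP."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # When dNSName SAN entries are present the CN is ignored.
        return any(_dns_match(p, target) for p in dns_names)
    # Legacy fallback for certificates without a SAN: compare the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, target)
    return False


def redirection_precheck(url, cert):
    """Return the list of problems that would make the TLS connect of the
    redirection library fail; an empty list means the URL is worth dialing."""
    problems = []
    ok, reason = check_endpoint(url)
    if not ok:
        problems.append(reason)
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https" and not hostname_matches(cert, host):
        problems.append("certificate does not cover %r" % host)
    return problems


if __name__ == "__main__":
    for url in ("http://192.168.1.6:16993/RedirectionService",
                "https://192.168.1.6:16993/RedirectionService",
                "https://LINTVPRO-PC.AMT.LOCAL:16993/RedirectionService"):
        print(url, "->", redirection_precheck(url, SCS_CERT) or "ok")
```

The first two URLs from the thread both fail the precheck, for different reasons: the http URL pairs the wrong scheme with 16993, and the https URL uses an IP literal that no DNS name or CN can satisfy. Only the FQDN URL passes against the SCS-issued certificate; with IP_SAN_CERT the IP URL would pass too, which is the certificate-side alternative to forcing clients to skip the name check.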

Hello Tom,

I'm back again after the holiday season.
I solved the redirection issue and I could find out the warnings you mentioned during the process; there were many things that made the problem happen, but I'll discuss them in a next post. In the meanwhile I can say briefly that it was about certificates and settings.

Thanks a lot,

=)

Hi Javier,
I am glad that you solved this problem - again - we would love to see your next post - or perhaps a blog? :-)
I'm going to close this thread - please open a new thread for new questions.

Thanks,
Gael
