Zero Touch Configuration

Hi, these are good questions.

1. Intel AMT must know what certificate it can trust. When performing ZTC, Intel AMT will verify that the server has a certificate that is signed by a trusted certificate. Instead of storing the entire root certificate in Intel AMT, we store only the has of the certificate... In hex, the hash looks like this:

bb 42 69 ad 56 5f ac 5c d8 d2 d2 9e f4 d4 24 c2 2d 22 6a 66

When you create a root certificate, you can use the Microsoft Windows built-in certificate viewer or using Intel AMT Director to look at may certificate and get it's hash.

2. The full source code to the "ConfigurationServer.exe" that does support ZTC is included in the Intel AMT SDK.

3. The Intel AMT SDK also include ZTCLocalAgent.exe, this tool will cause Intel AMT to start the ZTC process. As far as I know, the password is optional.

Ylian (Intel AMT Blog)

Last system I looked at had 4 certificate hashes included (Verisign and Godaddy were two of them.) you can check this on your system by going into the provisioning menus - there is one that displays them. There is also an option to add your own CH.

The AMT DTK might have examples of ConfigServer code, but the DTK is written in C#.

Yes, you need a local agent to provide the one-time password. (You can use the RCT (Remote Configuration Tool) tool that is provided with the SCS...)

Yes the certificate hash is the thumbprint.

The provisioning menus may vary according to your particular Bios/OEM system, but here is how I get to them on mine: (Noe that my system is not OEM branded.) From my experience, the ability to look at the hashes and add them is availablestarting withAMT 3.0.

F2 - get into System Setup

Choose "Intel Active Management Technology Configuration"

Enter ME Password

Choose "Provisioning Configuration"

Choose "Manage Certificates"

Choose "Manage Permanent Certificates"

My system has the following:

VeriSign Class 3 Primary CA-G1

VeriSign Class 3 Primary CA-G3

Go Daddy Class 2 CA

Comodo AAA CA

If these options are not on your system, you should be able to insert a hash using the USB setup.bin according to the options (we have not tried this yet.)

Go tothe AMTSDKBinConfigurationConfigScripts folder and enter "usbfile. " You should get a help screen that will show all the options for this particular script.

Let us know if this helps.

Hi,

You have to use a USB Key that is 128 MB or less. Note that not all USB keys work so you might want to play around with a few different varieties. (We have a 256 MB "Hello Kitty" USB key in our lab that actually works great! - however it is an exception to all of our rules.)

Hi,

Please refer to http://software.intel.com/en-us/forums/showpost.php?p=45771for details on how to create a certificate chain.

Thanks,

Sree

Hi,

I have attached a document here on how to create the pem file.

Hope this helps.

Thanks,

Sree

Another easy way to create a .PEM file is to create the certificate using Intel AMT Director, select it and press the export button. It supports .CER, .PEM, .P12 formats. Just a note that Director will put both the public and private key of the certificate in the .PEM file.

The other cool thing about Director is that you can create root certificates or certificates with various different Intel AMT related options with a few clicks. You can also import existing certificates.

Intel AMT Director is much easier than using OpenSSL command line tool, still, Director actualy calls OpenSSL in the background, so the results are exactly the same.

Ylian (Intel AMT Blog)

Hi. Oh, you have a difficult problem. ConfigurationServerwill firsttry a password you provide, but if it fails, it will try "admin"/"admin". This is what it's trying to do when it says "attempt to connect using default credentials...".

The most difficult problem with RCFG is that is AMT does not like anything about your provisioning server, it will disconnect and not tell you why. Here is a check list for you:

• Make sure you have a DNS server on your network.
• Make sure you can ping the server from another computer using the server name.
• Make sure the server name you can ping is also the same as the certificate name.
• Make sure the RCFG configurate is signed by a root, and the root hash is in AMT.
• You can't put the hash of the RCFG certificate in AMT, only the root of that cert.

You need a running DNS server because AMT will check that the name of the RCFG certificate is the same as reverse DNS lookup name of the server IP address.

Hope this helps,
Ylian (Intel AMT Blog)

Yes, this could be your problem. Intel AMT will check that the IP address of the server when doing reverse lookup is the same as the server's certificate name. If they don't match, AMT will just "hang-up" and will not tell you why. This seems to be exactly what is happening.

As a side story, one of my friend decided to just add the server computer to Intel AMT machines OS host table. Obviously this does not work because AMT is going the reverse lookup, not the OS.

Hope this helps,
Ylian (Intel AMT Blog)

Hi. Ha yes, this is a very common problem. Intel AMT Commander will try to connect no matter what, but the IDE-R/SOL library does have certificate checks that I can't remove.

To fix this, go in the management engine tab of Intel AMT Commander and the first option in the tab is the AMT host name. Click the button to the right of that. You will see the connection name, AMT host name, DNS lookup name and TLS certificate name. Idealy, all of them should match.

To fix your problem, just remove the computer from Commander and re-add it using the proper host name, the same one used in the certificate.

Thanks,
Ylian (Intel AMT Blog)

hello.

i want to use the zero-touch manner to provision my amt3.0(dell755)deviceon the landesk management software.

In landesk software's help is discribed as follow:

To obtain an Intel* Client Setup Certificate
1. Select a vendor and log in to the vendor's web site.
2. To generate a CSR file and private key:
3. In the LDMAIN share on the core server, in the amtprov directory, run AMTProvMgr2.exe
with the following arguments:
AMTProvMgr2.exe -domainName name.domain.com -country US
Use a two-letter country code; if none is specified the default is US. The domain name you
specify should include a namespace.
This executable saves two files to the amtprov directory: certreq.csr (certificate signing
request) and corecakey.pem (a private key file).
4. Open the certreq.csr file in a text editor and copy the contents.
5. At the vendor's web site, paste the contents of the certreq.csr file into the field provided,
and complete the application for the certificate.
After your certificate request is processed the vendor will send you two files: a root
certificate file (a common or public file) and a certificate file for the domain you specified.
6. Copy the vendor's root certificate file and rename the copy trusted_cert.pem.
7. Copy the vendor's certificate file for your domain and rename the copy corecacert.pem.
8. Save the above two files, along with the corecakey.pem file (generated in step 3 above),
to a folder in LDMAINamtprovcertStorecert_1. You can store up to eight certificates in
subfolders named cert_1, cert_2, and so on.

I want to kown how to generate thefiles of trusted_cert.pem ,corecacert.pem and corecakey.pem using the intel DTK tools.

thanks,

Jack

Hi,

Please watch the tutorial on remote configuration at http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit. Let us know if you have further questions.

Thanks,

Sree

Quoting - Sreelekshmy Syamalakumari (Intel)

That URL doesn't work

Quoting - mugwump
That URL doesn't work

Try this link: http://software.intel.com/en-us/articles/download-the-latest-version-of-...

Odd... this is the same URL, but click on "link" and it seems to work.