SCA's error dump

SCA's error dump

hi all,

I am configuring an AMT machine in enterprise mode and using the sample SCA thats included with sdk, I did necessary configurations on amt machine and for SCA I started SCA and AMT machine, AMT machine connected to SCA, but it failed showing this response ...

------------- SCA's response ------------

Server listens on port 9971 for incoming connections.

Waiting for incoming connection...

[2007-06-21 10:01:15] Incoming Connection from 192.168.1.38:16994

Incoming data is:

Version: 2

Count : 0

UUID : 08D4CF80-FEBA-DB11-9335-00E01888972E

PID : DILL-TTEQ

reading configuration from default.conf.xml

>> starting soap call sequence

soap call: GetCoreVersion ok

AMT version: 2.0.5

soap call: GetPkiCapabilities ok

[PKI capabilities]

CrlStoreSize = 1424

RootCertMaxSize = 1500

RootCertMaxInstances = 4

FqdnSuffixMaxEntries = 4

FqdnSuffixMaxEntryLength = 50

CertChainMaxSize = 4100

SupportedKeyLengths = 1024,1536,2048

[PKI capabilities]

soap call: SetHostName ok

soap call: SetDomainName ok

soap call: SetPingResponse ok

soap call: SetProvisioningMode ok

soap call: SetRngKey ok

soap call: SetTLSKeyAndCertificate ok

soap call: GetLowAccuracyTimeSynch ok

soap call: SetHighAccuracyTimeSynch ok

soap call: EnumerateTrustedRootCertificates ok

- No trusted root certificates to delete

soap call: AddTrustedRootCertificate ok

soap call: SetCRL ok

soap call: SetTrustedFqdnCN ok

soap call: SetTlsOptions ok

soap call: EnumerateUserAclEntries ok

- No existing ACLs to remove

soap call: GetCoreVersion ok

Error: failed while calling SetPowerOptions

Status = 36

soap call: SetEnabledInterfaces ok

Errors in configuration process - skip changing admin ACL and/or changing PID/PP

S

1 Errors in configuration process - configuration failed

Warning: SetProvisioningParameters() failed

------------- SCA's response ------------

any clue about the problem. as u can see most of the calls are working, pid/pps were matched , power option failed ...

The "Developers guide to the sample setup and configuration application" says

"If an operational error occurs during the setup and configuration process, then Intel AMT needs to be returned to the Factory Mode by using the BIOS sub-menu Unprovision option"

The above mentioned error that occurred, does this error requires me to start this process again from factory mode ???

- Sohaib

6 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.

Hi Sohaib,

I notice that you still have that very old firmware on your system. I beleive there has been 12 updates since what is on your system. You are runing an AMT 2.0 firmware against AMT 2.1 capabilities. It is possible that the power options that the SCA is trying to set were not there in AMT 2.0. I'm not 100% sure this is your problem, but you do need to get your system to the current version of firmware - there have been a lot of issues fixed since the version that you are running. (remember the first question we usually have for people is: What version of the firmware are you running? )

If you are getting a message saying that you need to return your system back to the Factory mode, then I would say you need to do that.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Hi Holmes,

I removed those power setting tags in default.conf.xml file, now the thing worked.

If I upgrade the firmware, can I roll that back to this state ? Actually I cannot upgrade firmware, because then it 'll be necessary to upgrade that at deployment site in all machines .

I enabled ServerAuthentication not mutual, I want to see the certificates SCA gives to AMT machines, does SCA stores them locally ?

- Sohaib

Hi!

I'm also working on a setup and configuration service that's more or less the same with SCA. I also encountered the same problem with the power settings. I think the value specified in the XML is incorrect. With regards to the certificates, SCA can use a pre-generated certificate or generate a new certificate. The Intel AMT SDK SetTLSKeyAndCertificate API asks for the key data and certificate chain data. The default filenames are cchain.raw and newkey.pem, which contains the certificate chain data and private key respectively. The file cchain.raw is generated by extracting information from the root certificate down to the certificate for the device. The root certificate is located in BinConfigurationCertGeneratorSecConfig.

To simply answer your question "does SCA stores them locally ?", yes, the certicates are stored locally. You may trace the *.bat files for the filenames.

// Pre-generated certificates

FileCertificate
CERTIFICATE_CHAIN_FILENAME
KEY_FILENAME

// To generate a new certificate

GenerateCertificate

Hi,

I am not using pre-generated certificates, SCA is generating certificates, so I am using

GenerateCertificate

option.

I think it creates newcert.pem file for each AMT client, but I am unable to find that file, newkey.pem exists there.

I more thing, when multiple clients will be connecting with SCA/SCS, it will be serving them simultaneously, then it should create different filenames for certificate files, it looks to me that SCA/SCS does't store AMT client certificates in any directory for easy access, however we can modify the batch files to store them ?

Sohaib

You are right, SCA creates those files. But you will not be able to see those files after executing SCA because they are deleted by calling "provend.bat". If you wanna see these files, you need to edit "configurationserver.cpp", comment out the line

if (0 != ExecBatchScript("PROVEND.BAT", NULL, true,configPath.c_str()))

and recompile the code in order to prevent the execution of provend.bat.

SCA/SCS stores the certificates in specific directories in order to use them again when authenticating the server/AMT device.

hope this helps!

Leave a Comment

Please sign in to add a comment. Not a member? Join today