Intel AMT - How to access CIM element AMT_PublicKeyManagementService

Intel AMT - How to access CIM element AMT_PublicKeyManagementService

Hi,

I am trying to provision a Lenovo Thinkpad T420 and T430 devices via Intel AMT. With Intel AMT enabled, I can see that these devices listen on non-TLS port 16992. But the requirement is to provision these devices using TLS PKI mode via TLS port 16993.

I have tried to follow the instructions given at:
https://software.intel.com/en-us/blogs/2012/01/18/how-to-create-amt-cert...

I created the powershell script with all the required details as mentioned in the above link. However, when I run the powershell script, I see the following error returned by these devices: "No route can be determined to reach the destination role defined by the WSAddressing To."

I have also verified that WinRM service is up and running on these devices as mentioned at https://software.intel.com/en-us/Intel%20-AMT-and-WS-Man-Tips

Using WMI tools I could see none of the CIM elements - AMT_PublicKeyManagementService, AMT_TLSProtocolEndpointCollection, AMT_TLSSettingData,  AMT_SetupAndConfigurationService in any of the namespaces on these devices. In fact, I do not see any of WS-Management AMT classes mentioned at  https://software.intel.com/sites/manageability/AMT_Implementation_and_Re...

On the other hand, the following CIM elements are visible in \\root\Intel_ME namespace after installing Intel Management Engine Interface Driver (which contains MeProv.dll)
    AMT_EthernetPortSettings
    AMT_ProvisioningCertificateHash
    AMT_Service
    AMT_SetupAuditRecord
    ME_Event
    ME_System
    OOB_Service

Can anyone please suggest how should I go about configuring the TLS port to provision the Lenovo Thinkpad T420/430 devices via Intel AMT?

Thanks in advance,
Anand Navale.

 

Thread Topic: 

How-To
2 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.

Hey Anand

The method you are referencing above is not going to configure the device into a TLS mode. The certificate being discussed is the Remote configuration certificate that allows the client to be remotely configured without purchasing a third party certificate. In this case the communication for AMT configuration is SSL and does not leave AMT in a TLS state.

As you indicate you are wanting AMT to listen on the TLS port of 16993, you will need to change how the configuration profile is created.

If you are using SCS or ACUWizard to create the profile the process is the same, open the profile editor and modify your current profile by:

  1. Selecting the "Transport Layer Security (TLS)" option from within the "Optional Settings" menu item
  2. On the "Transport Layer Security" page you will need to specify the CA and template for the TLS certificate.
  3. Finish up the profile creation and perform your configuration process again using the new profile

 

 

 

 

 

 

Hope that Helps

Joe

Leave a Comment

Please sign in to add a comment. Not a member? Join today