Zero touch configuration with Manageability Director Tool

I was trying to set up Zero Touch Configuration in AMT devices. I found Manageability Director tool to be pretty easy to use. But wanted to know the difference between the AMTSCS service and Manageability Director. Could either of those be used for ZTC configuration?

Yes, the DTK Commander and the SCS can both be used for Remote Configuration. However, the SCS is meant to be more of a production tool, running in a production environment, but the Commander is more of a testing tool, that's meant to be run in a development environment. The DTK is exactly what its name says that it is, a developer's tool kit. The SCS is a full-blown setup and configuration system that's meant to run in a production environment.

Quoting - rogerb

Yes, the DTK Commander and the SCS can both be used for Remote Configuration. However, the SCS is meant to be more of a production tool, running in a production environment, but the Commander is more of a testing tool, that's meant to be run in a development environment. The DTK is exactly what its name says that it is, a developer's tool kit. The SCS is a full-blown setup and configuration system that's meant to run in a production environment.

You can also try out the SCS 6.0 Lightweight Version of the full SCS provisioning tool. You can find it HERE on our Manageability Community site. The Lightweight version does require that you install the service on a system in your network (different than your Intel AMT system that you want to provision.) You would also then install the Console and choose a profile that you want to use for enabling AMT. The installation guide has pretty good information on how to set everything up as well as how to install your provisioning certificate. Note also that the Lightweight version does not require a Database (It uses XML files instead.)

Follow me on Twitter: @GaelHof Facebook: https://www.facebook.com/GaelHof

Quoting - Gael Holmes (Intel)

You can also try out the SCS 6.0 Lightweight Version of the full SCS provisioning tool. You can find it HERE on our Manageability Community site. The Lightweight version does require that you install the service on a system in your network (different than your Intel AMT system that you want to provision.) You would also then install the Console and choose a profile that you want to use for enabling AMT. The installation guide has pretty good information on how to set everything up as well as how to install your provisioning certificate. Note also that the Lightweight version does not require a Database (It uses XML files instead.)

Hi Gael,

Thanks for your suggestion. A few questions on the Lightweight version of the SCS provisioning tool.
1. Will it work properly where it needs to manage 10000 systems?
2. While creating the Certificate template, the CA server should be in a Domain. Will it create any issue if the SCS server is not in the same domain (say, in a workgroup)?

Thanks.

Sayantan

Quoting - sayantan_majumdar

Hi Gael,

Thanks for your suggestion. A few questions on the Lightweight version of the SCS provisioning tool.
1. Will it work properly where it needs to manage 10000 systems?
2. While creating the Certificate template, the CA server should be in a Domain. Will it create any issue if the SCS server is not in the same domain (say, in a workgroup)?

Thanks.

Sayantan

Hello Sayantan,

1. I'm guessing that if you want to provision 1000 systems at a time, you would have to create a script that calls the Activator.exe (not the Gui - since the Gui requires your interaction) - you would want to have some software that pushes your provisioning script to your amt clients and then gets executed. The lightweight version should support this number of clients. The SCS 6.0 Full version has been validated to support provisioning of 200,000 clients.
2. Workgroup works. Certificate can have a different domain than what you have in your environment. Here is a blog that I wrote to describe how to set this up.

Please let us know if this helps. Also, if we manage to answer your question, it would be great if you could indicate that by clicking on the "My Question was Answered" option on your forum question.

Thanks!

Quoting - Gael Holmes (Intel)

Hello Sayantan,

1. I'm guessing that if you want to provision 1000 systems at a time, you would have to create a script that calls the Activator.exe (not the Gui - since the Gui requires your interaction) - you would want to have some software that pushes your provisioning script to your amt clients and then gets executed. The lightweight version should support this number of clients. The SCS 6.0 Full version has been validated to support provisioning of 200,000 clients.
2. Workgroup works. Certificate can have a different domain than what you have in your environment. Here is a blog that I wrote to describe how to set this up.

Please let us know if this helps. Also, if we manage to answer your question, it would be great if you could indicate that by clicking on the "My Question was Answered" option on your forum question.

Thanks!

Hi Gael,

Thanks for your quick response. I would surely mark the thread as "My question is answered" and mark the best answer too. I understand that this helps in maintaining the forum properly.

I am aware that I need to create the script to automate this procedure. I was trying to use the light weight version of SCS. I followed the steps mentioned in the user guide. I created my own certificate and pushed the thumbprint into the Intel AMT 3.0 device. Now while I executed the activator from the AMT device, I got the following log in the SCS server,

7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 10:21:43:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Initial connection to Intel AMT failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (FAILED) : Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014 Status:3221227474

Any idea what is going wrong? Or what could be my path forward here. Thanks..

Sayantan

Quoting - sayantan_majumdar

Hi Gael,

Thanks for your quick response. I would surely mark the thread as "My question is answered" and mark the best answer too. I understand that this helps in maintaining the forum properly.

I am aware that I need to create the script to automate this procedure. I was trying to use the light weight version of SCS. I followed the steps mentioned in the user guide. I created my own certificate and pushed the thumbprint into the Intel AMT 3.0 device. Now while I executed the activator from the AMT device, I got the following log in the SCS server,

7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 10:21:43:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 10:21:43:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Initial connection to Intel AMT failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: Operation Error: Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (FAILED) : Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014 Status:3221227474

Any idea what is going wrong? Or what could be my path forward here. Thanks..

Sayantan

Ok - well it should work with AMT 3.0. One idea that might be wrong, that I found when I was trying it out was the SCS 6.0 Lite version seems to expect the AMT Client to be in factory mode, ie, the MEBx password must be "admin." If you have changed the password it will not be able to log in and complete the provisioning. You may have to remove the CMOS battery on your system in order to return it to Factory mode.

Another thing about the SCS Lite is that it does not use a database and does not keep track of which systems were provisioned so if this is important for your environment, you might want to eventually shift over to the Full SCS version.

Quoting - Gael Holmes (Intel)

Ok - well it should work with AMT 3.0. One idea that might be wrong, that I found when I was trying it out was the SCS 6.0 Lite version seems to expect the AMT Client to be in factory mode, ie, the MEBx password must be "admin." If you have changed the password it will not be able to log in and complete the provisioning. You may have to remove the CMOS battery on your system in order to return it to Factory mode.

Another thing about the SCS Lite is that it does not use a database and does not keep track of which systems were provisioned so if this is important for your environment, you might want to eventually shift over to the Full SCS version.

So the conclusion is I cannot use SCS Lite then :). However, thanks for all your input.

Quoting - Gael Holmes (Intel)

Ok - well it should work with AMT 3.0. One idea that might be wrong, that I found when I was trying it out was the SCS 6.0 Lite version seems to expect the AMT Client to be in factory mode, ie, the MEBx password must be "admin." If you have changed the password it will not be able to log in and complete the provisioning. You may have to remove the CMOS battery on your system in order to return it to Factory mode.

Another thing about the SCS Lite is that it does not use a database and does not keep track of which systems were provisioned so if this is important for your environment, you might want to eventually shift over to the Full SCS version.

Couple of questions...
1. Are you sure that SCS lite does not work if the MEBx password in the device is changed from "Admin" to something else? The reason I am asking this question is, user guide says that we can create our own root certificate and push the thumbprint into the AMT device and make it ready for ZTC provisioning. Now while pushing the thumbprint we have to change the MEBx password. How will the SCS lite provision the system in that case?

2. I have created a certificate and pushed the certificate thumbprint in the AMT device. While running the activator from the AMT platform I am getting following log in the SCS server

7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 20:19:40:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:

But there is no log after that and the SCS service hangs at this stage. I could not stop the service at this time. I had to kill the process manually. Any idea what's going on at this time?
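Added example, not part of the original thread and not an Intel tool: a Python helper that groups SCS log lines like the two excerpts posted in this thread into per-system configuration attempts, collects the "AMT Connection Error" codes, and flags attempts that logged STARTED but never logged a closing state (the hang described in this post). The line layout is inferred only from the excerpts in the thread, and the function names `summarize` and `stalled` are hypothetical.

```python
import re

# A subset of the log lines posted in this thread (first excerpt, then second).
SAMPLE_LOG = """\
7-10-2009 10:21:43:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 10:21:44:(ERROR) : remotetest1, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
7-10-2009 10:21:44:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (FAILED) : Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014 Status:3221227474
7-10-2009 20:19:40:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:
"""

# Layout assumed from the excerpts: "<date> <time>:(<LEVEL>) : <body>"
LINE = re.compile(r"^(?P<ts>\S+ \d{1,2}:\d{2}:\d{2}):\((?P<level>\w+)\) : (?P<body>.*)$")
STATE = re.compile(
    r"User: \([^)]*\) : (?P<host>\S+) : (?P<uuid>[0-9A-Fa-f-]{36}), "
    r"Category: \(PLATFORM_CONFIG\) : \((?P<state>\w+)\) : (?P<detail>.*)$")
HOST_MSG = re.compile(r"^(?P<host>[^,:]+), Category: (?P<msg>.*)$")
ERR_CODE = re.compile(r"AMT Connection Error (\d+)")
STATUS = re.compile(r"Status:(\d+)\s*$")


def _add_codes(attempt, text):
    """Record each distinct AMT Connection Error code once, in order seen."""
    for code in ERR_CODE.findall(text):
        if code not in attempt["errors"]:
            attempt["errors"].append(code)


def summarize(log_text):
    """Return one dict per PLATFORM_CONFIG attempt, in log order."""
    attempts, open_by_host = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log line in the assumed layout
        st = STATE.search(m["body"])
        if st and st["state"] == "STARTED":
            att = {"host": st["host"], "uuid": st["uuid"], "started": m["ts"],
                   "ended": None, "state": "STARTED", "status": None, "errors": []}
            attempts.append(att)
            open_by_host[st["host"]] = att
        elif st and st["host"] in open_by_host:
            # Any state other than STARTED closes the open attempt.
            att = open_by_host.pop(st["host"])
            att["state"], att["ended"] = st["state"], m["ts"]
            status = STATUS.search(st["detail"])
            if status:
                att["status"] = "0x%08X" % int(status.group(1))
            _add_codes(att, st["detail"])
        elif not st and m["level"] == "ERROR":
            hm = HOST_MSG.match(m["body"])
            if hm and hm["host"] in open_by_host:
                _add_codes(open_by_host[hm["host"]], hm["msg"])
    return attempts


def stalled(attempts):
    """Attempts that logged STARTED and nothing that closed them."""
    return [a for a in attempts if a["state"] == "STARTED"]


if __name__ == "__main__":
    for a in summarize(SAMPLE_LOG):
        print(a["host"], a["started"], a["state"], a["status"], a["errors"])
```

The hexadecimal form of the status value is shown only to make it easier to search for; the thread does not say what the value means.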

Quoting - sayantan_majumdar

Couple of questions...
1. Are you sure that SCS lite does not work if the MEBx password in the device is changed from "Admin" to something else? The reason I am asking this question is, user guide says that we can create our own root certificate and push the thumbprint into the AMT device and make it ready for ZTC provisioning. Now while pushing the thumbprint we have to change the MEBx password. How will the SCS lite provision the system in that case?

2. I have created a certificate and pushed the certificate thumbprint in the AMT device. While running the activator from the AMT platform I am getting following log in the SCS server

7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply New AMT Identity: started
7-10-2009 20:19:40:(INFO) : User: (PROVISIONSERVEProvisioner) : remotetest1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
7-10-2009 20:19:40:(INFO) : remotetest1, Category: Supply new AMT Identity request finished successfully:

But there is no log after that and the SCS service hangs at this stage. I could not stop the service at this time. I had to kill the process manually. Any idea what's going on at this time?

Hi there,
I have sent a question to our Dev Team regarding this Password issue that I found. Since you had to sign on to the MEBx to enter your provisioning certificate hash, I suspect you won't be able to provision due to this issue because you had to change the password. I'm not sure why the service is hanging. I did find that it tried for quite a while and eventually came back and said that provisioning was unsuccessful - how long did you wait until you killed it? As soon as I cleared the CMOS and started the provisioning with the system in factory mode, provisioning was successful almost instantly.

Gael.

Quoting - Gael Holmes (Intel)

Hi there,
I have sent a question to our Dev Team regarding this Password issue that I found. Since you had to sign on to the MEBx to enter your provisioning certificate hash, I suspect you won't be able to provision due to this issue because you had to change the password. I'm not sure why the service is hanging. I did find that it tried for quite a while and eventually came back and said that provisioning was unsuccessful - how long did you wait until you killed it? As soon as I cleared the CMOS and started the provisioning with the system in factory mode, provisioning was successful almost instantly.

Gael.

Hi,

Do you mean that if I create my own certificate and push the hash in the AMT device then SCS lite won't provision that system? If so then this should be mentioned in the user guide. From user guide it seems that I can create my own certificate and use it for ZTC.

Thanks.
Sayantan

Quoting - sayantan_majumdar

Hi,

Do you mean that if I create my own certificate and push the hash in the AMT device then SCS lite won't provision that system? If so then this should be mentioned in the user guide. From user guide it seems that I can create my own certificate and use it for ZTC.

Thanks.
Sayantan

Hi - I have escalated this issue to our dev team. You should be able to remotely provision the system after creating your own certificate hash (after changing the MEBx password.) I think this is a bug in that the SCS expects the system to still have the "admin" password. I'll let you know what I find out.

Thanks,
Gael

Quoting - Gael Holmes (Intel)

Hi - I have escalated this issue to our dev team. You should be able to remotely provision the system after creating your own certificate hash (after changing the MEBx password.) I think this is a bug in that the SCS expects the system to still have the "admin" password. I'll let you know what I find out.

Thanks,
Gael

Thanks a lot for the information. If it's a bug could you please let me know if I could expect any release of SCS light in near future?

Regards,
Sayantan

Hi, you can create your own certificate and use it to do zero-touch remote provisioning with SCS and SCS Light.
Are you still having problems with this?

Quoting - Lance Atencio (Intel)

Hi, you can create your own certificate and use it to do zero-touch remote provisioning with SCS and SCS Light.
Are you still having problems with this?

Yes I am still having problem with this. I was trying with the SCS light. But the problem is like, when I create my own certificate and want to push the hash in the AMT device then I need to change the admin password. And looks like SCS light does not work if the admin password is something other than the default password "admin". Is it correct?

I don't believe that is correct.
I have tested with full SCS and it works.
Gael tested with Lightweight and it worked.

You may want to try to do a CMOS reset of your system (power down, remove power cord, remove CMOS battery for 15 sec, plug in, power up). Then try again following the instructions in the Installation & User's Guide.
Make sure to use the numbers and dashes format (xxxx-xxxx-...) for the hash when entering in the ME.

Quoting - Lance Atencio (Intel)

I don't believe that is correct.
I have tested with full SCS and it works.
Gael tested with Lightweight and it worked.

You may want to try to do a CMOS reset of your system (power down, remove power cord, remove CMOS battery for 15 sec, plug in, power up). Then try again following the instructions in the Installation & User's Guide.
Make sure to use the numbers and dashes format (xxxx-xxxx-...) for the hash when entering in the ME.

I have done all these.

The issue is, when I am inserting the hash into the AMT device I have to change the admin password. Is there any way so that I can let SCS Light know that the default password has been changed and it should work with the new password.

Please see Gael's response to the same question:

=======================================================================
Hi - I have escalated this issue to our dev team. You should be able to remotely provision the system after creating your own certificate hash (after changing the MEBx password.) I think this is a bug in that the SCS expects the system to still have the "admin" password. I'll let you know what I find out.

Thanks,
Gael
========================================================================

Yes, Gael tried again later and was able to get it working.

The new password should be used in the Activator tool.
SCS should use the certificate.

You should also keep in mind the passwords for the profile you create to be used with that system.

Quoting - Lance Atencio (Intel)

Yes, Gael tried again later and was able to get it working.

The new password should be used in the Activator tool.
SCS should use the certificate.

You should also keep in mind the passwords for the profile you create to be used with that system.

Oh.. That's so encouraging. Thanks a lot. But may I know how I could supply the new password? I am using the UI-based activator tool and going for a PKI-based configuration.

Hi Sayantan,

You don't have to go into MEBx to push the cert hash onto the system. You can use the USB key provisioning to push the hash into the system. Use the USB key tool out of the SDK and tell it that you want to create a 2.1 version of the file and supply the default password of "admin" and the new hash. Or, you can use PSK provisioning and push the PWD, PID, PPS triplet onto the system and use One-touch provisioning with the system, which doesn't need a custom cert hash.

Regards,
Roger

Quoting - rogerb

Hi Sayantan,

You don't have to go into MEBx to push the cert hash onto the system. You can use the USB key provisioning to push the hash into the system. Use the USB key tool out of the SDK and tell it that you want to create a 2.1 version of the file and supply the default password of "admin" and the new hash. Or, you can use PSK provisioning and push the PWD, PID, PPS triplet onto the system and use One-touch provisioning with the system, which doesn't need a custom cert hash.

Regards,
Roger

Thank you Roger. As my goal is to setup a ZTC in PKI mode provisioning, I need to push the certificate hash. The first approach could be good for me. One question, if I insert the hash the way you suggested and unprovision the device, would the device retain the inserted hash? Because I need to test the PKI mode provisioning after that.

Quoting - Lance Atencio (Intel)

Yes, Gael tried again later and was able to get it working.

The new password should be used in the Activator tool.
SCS should use the certificate.

You should also keep in mind the passwords for the profile you create to be used with that system.

Hi Lance,

I tried to use the password in activator tool but activator tool does not provide any option to use a changed password while provisioning in PKI mode. Could you please confirm if it's a known issue? And if not then could you please let me know how could I use a password other than "admin".

Regards,
Sayantan

Hello,
There is not an issue like this that is known.

I will need to test the configuration that you want to test. It will take a while to build that setup. Right now I only have a setup that includes Active Directory.

After looking back at the initial errors you supplied earlier in this thread it appears you were having networking issues and/or permissions issues. You need to have DHCP and DNS configured the same and properly for the server and clients. The account you are using for SCS needs to have appropriate permissions for the SCS service and the provisioning certificate. There may be other configuration things to consider that I may come across when I try with your preferred setup.

Quoting - Lance Atencio (Intel)

Hello,
There is not an issue like this that is known.

I will need to test the configuration that you want to test. It will take a while to build that setup. Right now I only have a setup that includes Active Directory.

After looking back at the initial errors you supplied earlier in this thread it appears you were having networking issues and/or permissions issues. You need to have DHCP and DNS configured the same and properly for the server and clients. The account you are using for SCS needs to have appropriate permissions for the SCS service and the provisioning certificate. There may be other configuration things to consider that I may come across when I try with your preferred setup.

Hi Gael and Lance,

Finally a good news!!!

I am able to provision the AMT device in TLS-PKI mode with SCS Light. The issue was with the communication between the AMT device Workgroup and SCS domain.

A special thanks to you for all your help.

Regards,
Sayantan

That is great!
Glad it is working for you.
And saves me having to build it ;)
