Zero touch remote provisioning?

Zero touch remote provisioning?

Hello everyone,

I'm trying to test the zero touch remote provision flow by using the SCS setup wizard application from a Virtual machine.

The installation completes with success but the instructions on the reference manual are unclear.

Is there an easy way to create a Virtual machine test/lab so that I can do zero touch provisioning.

Thanks.

13 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.

Quoting - ph3ar
Hello everyone,

I'm trying to test the zero touch remote provision flow by using the SCS setup wizard application from a Virtual machine.

The installation completes with success but the instructions on the reference manual are unclear.

Is there an easy way to create a Virtual machine test/lab so that I can do zero touch provisioning.

Thanks.

So the wizard completed successfully, can you open up the SCS console and connect to the installed server? The SCS wizard should work well enough for setting up a test lab for test purposes, you should be able to confirm that it installed correctly by bringing up the console and connecting.

Andy

Quoting - Andrew Schiestl (Intel)

So the wizard completed successfully, can you open up the SCS console and connect to the installed server? The SCS wizard should work well enough for setting up a test lab for test purposes, you should be able to confirm that it installed correctly by bringing up the console and connecting.

Andy

I can confirm that the SCS service is up and running.

However I cannot find clear documentation on where I can add the certificate information that I bought with the help of RCFG tool.

Quoting - ph3ar

I can confirm that the SCS service is up and running.

However I cannot find clear documentation on where I can add the certificate information that I bought with the help of RCFG tool.

Which option did you pick in the wizard on installing the Certificate Authority (starting on page 24 of the Automation Installation Guide.pdf)? That will affect how you add the certificate. Or if you chose not to install the CA, whether you can add the certificate information.

Quoting - Andrew Schiestl (Intel)

Which option did you pick in the wizard on installing the Certificate Authority (starting on page 24 of the Automation Installation Guide.pdf)? That will affect how you add the certificate. Or if you chose not to install the CA, whether you can add the certificate information.

I have choose the 1st option "Install Microsoft certificate authority on this machine as a stand-alone root CA".

So, I made a clean install and I have selected the 2nd option 'Enterprise root CA' but still I can't import the certificate!

Quoting - ph3ar
So, I made a clean install and I have selected the 2nd option 'Enterprise root CA' but still I can't import the certificate!

The first option of the Stand-alone root CA should be fine. Have you imported the certificate you have into the personal store for SCS? You should be able to follow the instructions in the SCS Console guide under the "Selecting the certificate Used by the SCS for Remote Configuration" section.

Quoting - Andrew Schiestl (Intel)

The first option of the Stand-alone root CA should be fine. Have you imported the certificate you have into the personal store for SCS? You should be able to follow the instructions in the SCS Console guide under the "Selecting the certificate Used by the SCS for Remote Configuration" section.

I have followed the instructions on section "Selecting the certificate Used by the SCS for Remote Configuration" but still I'm not able to "see" and select the appropriate certificate on the basic tls configuration option window while I'm setting up the profile on SCS.

Any ideas?

Quoting - ph3ar
Any ideas?

Hmmm. Well I don't have a lot of experience using the Wizard, but I did blog the steps in what you must do in order to have a successful ZTC session.

Which version of the SCS are you using? Could you try the SCS 6.0 Lightwieght version? (The user guides are fairly well documented.) It supports PKI provisioning and it doesn't have all the overhead that the full version of the SCS has. The only thing is that you can't provision in TLS mode using the Lightweight version. But we should try small peices at a time.

Follow me on Twitter: @GaelHof Facebook: https://www.facebook.com/GaelHof

Quoting - Gael Holmes (Intel)

Hmmm. Well I don't have a lot of experience using the Wizard, but I did blog the steps in what you must do in order to have a successful ZTC session.

Which version of the SCS are you using? Could you try the SCS 6.0 Lightwieght version? (The user guides are fairly well documented.) It supports PKI provisioning and it doesn't have all the overhead that the full version of the SCS has. The only thing is that you can't provision in TLS mode using the Lightweight version. But we should try small peices at a time.

As I replied on another post the blog covers the steps but not the 'real' ZTC needed for remote provisioning, because you still need to use a client side aid thus the activator utility (step 2 on your blog post).

The SCS version that I'm using is 5.1.0.50.

I guess that I can use the lightweight version but still are you sure that supports no touch (ZTC) remote provisioning?

Quoting - ph3ar

As I replied on another post the blog covers the steps but not the 'real' ZTC needed for remote provisioning, because you still need to use a client side aid thus the activator utility (step 2 on your blog post).

The SCS version that I'm using is 5.1.0.50.

I guess that I can use the lightweight version but still are you sure that supports no touch (ZTC) remote provisioning?

Ok - SCS 6.0 Lightweight does require the use of the Activator which does require the presence of an OS, etc. That you are wanting to do Bare Metal Provisioning (ZTC) changes the story. It sounded to me like you were simply having problems with your certificate.

First, you will need to go read (if you haven't already) the paragraph pertaining to Bare Metal Provisioning in the AMT Setup and Configuration Service Console User's Guide (It's in the Intel AMT Realse 3.0 Additional Features section.) Note that once the system comes from the factory and is powered up it starts sending out Hello Packets - this happens for 24 hours. Once it has timed out, you will have to either use the Activator to restart them, or pull the CMOS battery in order to reset the system into Factory Mode.

Next you will need to go to the section that has information about Server Scripts (Using a Script to Import Intel AMT Configuration Properties) Read through the whole section - you will want to run the server script that fills in the information (like FQDN and Host Name) to the SCS Profile so that provisioning can continue (without this, it will just sit there waiting for this information.

The SCS package will have a "Sample Scripts" folder where you can find the scripts.

Also, I highly recommend Enabling the SCS Debug Log (Instructions on page 94.)

Follow me on Twitter: @GaelHof Facebook: https://www.facebook.com/GaelHof

Quoting - Gael Holmes (Intel)

Ok - SCS 6.0 Lightweight does require the use of the Activator which does require the presence of an OS, etc. That you are wanting to do Bare Metal Provisioning (ZTC) changes the story. It sounded to me like you were simply having problems with your certificate.

First, you will need to go read (if you haven't already) the paragraph pertaining to Bare Metal Provisioning in the AMT Setup and Configuration Service Console User's Guide (It's in the Intel AMT Realse 3.0 Additional Features section.) Note that once the system comes from the factory and is powered up it starts sending out Hello Packets - this happens for 24 hours. Once it has timed out, you will have to either use the Activator to restart them, or pull the CMOS battery in order to reset the system into Factory Mode.

Next you will need to go to the section that has information about Server Scripts (Using a Script to Import Intel AMT Configuration Properties) Read through the whole section - you will want to run the server script that fills in the information (like FQDN and Host Name) to the SCS Profile so that provisioning can continue (without this, it will just sit there waiting for this information.

The SCS package will have a "Sample Scripts" folder where you can find the scripts.

Also, I highly recommend Enabling the SCS Debug Log (Instructions on page 94.)

As I posted previously on this post the SCS has been successfully installed. Following the instructions of the user guide I configured the appropriate options (like FQDN and hostname) but the problem is that I cannot "see" the certificate (the one intended for provisioning) from the SCS.

Leave a Comment

Please sign in to add a comment. Not a member? Join today