
Set TLS to Server/Mutual Authentication

After adding the relevant certificate and key, and associating them to the service, you must change the TLS mode in the Intel AMT. The following steps describe how to retrieve and change the TLS mode.

1.  Select the instance of AMT_TLSSettingData, where the key “InstanceID” equals “Intel(r) AMT 802.3 TLS Settings” (the remote, or network, interface) or “Intel(r) AMT LMS TLS Settings” (the local interface).

2.  In the selected AMT_TLSSettingData instance, set the following properties:

    Property                         Value

    Enabled                          True

    MutualAuthenticationSpecified    Valid values:
                                       True – Defines mutual authentication
                                       False – Defines server authentication

3.  Invoke AMT_TLSSettingData.Put.


You can execute this snippet by inserting it into the execution template found here.

  

# Update the remote interface.
$tlsSettingDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSSettingData WHERE InstanceID='Intel(r) AMT 802.3 TLS Settings'")
$tlsSettingDataInstance = $tlsSettingDataRef.Get()
# Turn TLS on for this interface.
$tlsSettingDataInstance.SetProperty("Enabled", "true")
# "false" selects server authentication; "true" selects mutual authentication.
$tlsSettingDataInstance.SetProperty("MutualAuthentication", "false")
$tlsSettingDataRef.Put($tlsSettingDataInstance)

 

 

4.  Repeat steps 2 and 3 for the second AMT_TLSSettingData instance, where the key “InstanceID” equals “Intel(r) AMT LMS TLS Settings” (the local interface).


  

# Update the local interface.
$tlsSettingDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSSettingData WHERE InstanceID='Intel(r) AMT LMS TLS Settings'")
$tlsSettingDataInstance = $tlsSettingDataRef.Get()
# Turn TLS on for this interface.
$tlsSettingDataInstance.SetProperty("Enabled", "true")
# "false" selects server authentication; "true" selects mutual authentication.
$tlsSettingDataInstance.SetProperty("MutualAuthentication", "false")
$tlsSettingDataRef.Put($tlsSettingDataInstance)

 

 

5.  Retrieve the instance of AMT_SetupAndConfigurationService, where the “Name” key equals “Intel(r) AMT Setup and Configuration Service”.

6.  Invoke AMT_SetupAndConfigurationService.CommitChanges.


  

# Commit the pending TLS settings.
function CommitChanges
{
    $setupAndConfigurationServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_SetupAndConfigurationService WHERE Name='Intel(r) AMT Setup and Configuration Service'")
    $inputObject = $setupAndConfigurationServiceRef.CreateMethodInput("CommitChanges")
    $outputObject = $setupAndConfigurationServiceRef.InvokeMethod($inputObject)
    $returnValue = $outputObject.GetProperty("ReturnValue")
    # Return the method's status so the caller can check it.
    return $returnValue
}

 

 

 Note:

   In releases before Release 8.0, both the local and remote interfaces must be configured for TLS (Enabled set to True) for Intel AMT to support TLS connections. For example, if you enable only the remote interface for TLS and invoke CommitChanges, you will not receive an error, but any attempt to make a TLS connection to a secure port (16993 or 16995) will fail.

   Starting with Release 8.0, configuring only one interface for TLS leaves the unsecure ports (16992 and 16994) open on the other interface, although it is possible to make a secure connection on the other interface.

   Starting with Release 6.0, support for mutual authentication on the local interface is deprecated. This capability will be removed in a future release.
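
The following read-back check is an added example, not SDK code. It reads both AMT_TLSSettingData instances and reports the conditions the note above describes. It assumes $wsmanConnectionObject comes from the execution template and is still connected after CommitChanges, and that GetProperty(...).ToString() yields the property text; Get-AmtTlsFindings is a hypothetical helper name.

```powershell
# Added example: audit the TLS settings of both Intel AMT interfaces.
# Assumptions: $wsmanConnectionObject is supplied by the execution template;
# GetProperty(...).ToString() returns the property value as text.
# Get-AmtTlsFindings is a hypothetical name, not part of the SDK.
function Get-AmtTlsFindings
{
    $interfaces = @{
        "Intel(r) AMT 802.3 TLS Settings" = "remote"
        "Intel(r) AMT LMS TLS Settings"   = "local"
    }
    $findings = @()
    $enabledCount = 0

    foreach ($id in $interfaces.Keys)
    {
        $name = $interfaces[$id]
        $ref = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSSettingData WHERE InstanceID='$id'")
        $instance = $ref.Get()
        $enabled = $instance.GetProperty("Enabled").ToString()
        $mutual  = $instance.GetProperty("MutualAuthentication").ToString()

        # -eq on strings is case-insensitive, so "True" and "true" both match.
        if ($enabled -eq "true") { $enabledCount++ }
        else { $findings += "$name interface: TLS is not enabled" }

        # Mutual authentication on the local interface is deprecated since Release 6.0.
        if ($name -eq "local" -and $mutual -eq "true")
        {
            $findings += "local interface: mutual authentication is deprecated"
        }
    }

    # One interface without TLS: before Release 8.0 no TLS connection works at all;
    # from Release 8.0 the unsecure ports (16992, 16994) stay open on that interface.
    if ($enabledCount -eq 1)
    {
        $findings += "only one interface is TLS-enabled; configure both"
    }

    # The leading comma keeps an empty or single-item result as an array.
    return ,$findings
}

$findings = Get-AmtTlsFindings
if ($findings.Count -eq 0) { "TLS is enabled on both interfaces." } else { $findings }
```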

 


SDK Sample

Not applicable

 

See Also:

   Certificate Management

Copyright © 2006-2013, Intel Corporation. All rights reserved.