Configuring Intel AMT to Generate SoH Messages

Intel AMT uses the EndpointAccessControlAdminService to enable SoH generation (see Endpoint Access Control (EAC)). In addition, methods from the SecurityAdministrationService are required to install the certificate and key used to sign the SoH. See Certificate Management for use cases for adding keys and certificates.

Add a Certificate and Key

To add the certificate and key required to sign a posture, use the following flows:

   Add a certificate. The method returns a handle that will be required later.

   Add a key pair

Set the Posture Signer

Associate a certificate with the posture signing mechanism. Use the handle returned when the certificate was added.

Set the EAC Options

The Set EAC Options process defines the format of the active mode SoH and selects the hash algorithm used in creating the signature field. The EacVendors parameter in this command should be set to EAC_NAP.

Enable EAC

Invoke Enable EAC to enable the Intel AMT device to respond to GetPosture requests coming from the local interface.

Configure to Use 802.1x

When the host processor is in an Sx state — a sleep state or powered down — or the host operating system is not functional or fails 802.1x authentication, Intel AMT can still respond to requests for an SoH in a networking environment based on PEAP-TLV, or to a hybrid NAC/ACS-NAP environment using EAP-FAST. It requires an 802.1x profile that uses the appropriate protocol.

Note:

Beginning in Intel AMT Release 9.0, NAC is no longer supported.

Perform the following steps:

1.  Add a certificate to use as the 802.1x client certificate.

2.  Add a key pair corresponding to this certificate.

3.  Add the trusted root certificate for the NAP or ACS platform.

4.  Define an 802.1x profile that uses PEAP-TLV or EAP-FAST and activate the profile. Use the handles returned in steps 1 and 2.

5.  If a different certificate will be used for signing profiles, add the certificate and keys.

6.  Set the posture signer certificate (either the one just added, or the same certificate used for 802.1x).

7.  Enable EAC.

Copyright © 2006-2022, Intel Corporation. All rights reserved.