When preparing an Intel AMT device for use, there are different authentication methods available for use, each with its advantages and disadvantages. Two of these methods use TLS and operate over the network. The others are done locally and depend on an operator or an application to provide credentials. Using the TLS methods, a server-based application can perform a full configuration of Intel AMT before completing the process. For example, Intel AMT can exit the process with the appropriate certificates to support TLS. The other options complete setup before doing configuration. Subsequent settings (for example, enabling TLS, defining user permissions) will depend on use of admin credentials supplied during the shorter local process. Once Intel AMT is enabled, an application performing configuration can run over the network or locally.
When using a setup and configuration server, the server downloads TLS certificates to the Intel AMT platform, which stores them in non-volatile memory. The certificates trace to an enterprise certificate authority and are used by Intel AMT to authenticate to management console applications. If Intel AMT is configured for mutual authentication, the setup and configuration server must provide a client certificate for each application that will communicate with Intel AMT.
The setup and configuration server also establishes an Access Control List, enables certain Intel AMT features, and configures device settings. At the end of the setup and configuration process, the keys generated and used during the process are deleted. All subsequent communications use the certificates and Transport Layer Security (TLS) for authentication, confidentiality (encryption), and integrity (mutual authentication). Intel AMT performs authorization using the Access Control List, as described in Access Control Lists and Realms.
Setup and Configuration Methods
Intel AMT and Security Considerations
|
See Also: |
|
Copyright © 2006-2022, Intel Corporation. All rights reserved. |