The following steps describe how to perform a signed host-based setup to Client Control mode. This is the same as the Perform Local Setup use case, with the addition of a digital signature.
1. Retrieve the $$OsAdmin credentials by invoking the MEI command CFG_GetLocalSystemAccount, which returns the user ID (always $$OsAdmin) and a randomly generated password. Alternatively, invoke the WMI method OOB_Service.GetLocalAdminCredentials via the ME WMI provider. (See Intel ME WMI Provider). The PC user who performs this step must have OS Admin privileges on the host platform. Use the returned credentials for the following WS-Management requests.
Snippet demonstrating this step (run it by inserting it into the SDK's PowerShell execution template):

```powershell
# Ask the Intel ME WMI provider for the $$OsAdmin user name and its randomly generated password.
$connectionWMI = Invoke-WmiMethod -Class OOB_Service -Namespace "ROOT\Intel_ME:OOB_Service" -ComputerName "localhost" -Name "GetLocalAdminCredentials"
$user = $connectionWMI.Username
$password = $connectionWMI.Password
```
2. Retrieve the value of the AMT_GeneralSettings.DigestRealm property by retrieving the instance of AMT_GeneralSettings, where the “InstanceID” key equals “Intel(r) AMT: General Settings”.
Snippet demonstrating this step (run it by inserting it into the SDK's PowerShell execution template):

```powershell
# Select the single AMT_GeneralSettings instance and read its DigestRealm property.
$generalSettingsRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_GeneralSettings WHERE InstanceID='Intel(r) AMT: General Settings'")
$generalSettingsInstance = $generalSettingsRef.Get()
$digestRealm = $generalSettingsInstance.GetProperty("DigestRealm")
```
3. Compute NetworkAdminPassword by using the MD5 Hashing function:
NetworkAdminPassword = MD5 (username + “:” + AMT_GeneralSettings.DigestRealm + “:” + plaintextPassword)
The password used in this calculation will be the password for the Intel AMT network admin user.
Snippet demonstrating this step (run it by inserting it into the SDK's PowerShell execution template):

```powershell
$user = "myUser"        # The new Administrator user name to configure.
$password = "P@ssw0rd"  # The new Administrator password to configure.
# Input to the HTTP Digest MD5 hash: username:realm:password.
$hash = $user + ":" + $digestRealm + ":" + $password
$cryptoServiceProvider = [System.Security.Cryptography.MD5CryptoServiceProvider]
$md5Algorithm = New-Object $cryptoServiceProvider
$networkAdminPassword = New-Object System.Text.StringBuilder
# Hash the UTF-8 bytes of the string and convert the digest to lowercase hex format.
$md5Algorithm.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($hash)) | % { [void]$networkAdminPassword.Append($_.ToString("x2")) }
```
4. Retrieve the instance of IPS_HostBasedSetupService, where the “Name” key equals “Intel(r) AMT Host Based Setup Service”.
5. Invoke IPS_HostBasedSetupService.Get and retrieve the ConfigurationNonce property.
Snippet demonstrating steps 4 and 5 (run it by inserting it into the SDK's PowerShell execution template):

```powershell
# Select the IPS_HostBasedSetupService instance and read the ConfigurationNonce that Intel AMT generated.
$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")
$hostBasedSetupServiceInstance = $hostBasedSetupServiceRef.Get()
$configurationNonce = $hostBasedSetupServiceInstance.GetProperty("ConfigurationNonce")
```
The following two steps are normally performed on a server in a more secure environment under enterprise control. See <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\HostBasedSetup\DigSignScript for an example of how to perform these steps.
6. Randomly create an McNonce. This is a 20 character string converted to Base 64.
7. Concatenate ConfigurationNonce|MCNonce. Create a hash using SHA-2_256 and sign the hash using the private key of the certificate acquired in step 1. This yields the digital signature (see Creating a Signed Configuration Request).
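The server-side part of steps 6 and 7 carried out in PowerShell, as an added example that is not the SDK's DigSignScript or any other code from the Intel AMT SDK. It assumes that $configurationNonce holds the Base64 string returned in step 5, that the two nonces are concatenated as raw bytes before hashing, that the signature uses RSA PKCS#1 v1.5 over SHA-256, that the Setup method expects the certificate as Base64-encoded DER and the signature as Base64, and that the signing certificate with its private key is available as a PFX file at the placeholder path shown. The self-check at the end verifies the signature with the certificate's own public key before anything is sent to Intel AMT.

```powershell
# Added example, not part of the Intel AMT SDK. Placeholder path and assumptions are noted inline.
$pfxPath     = 'C:\path\to\signing-cert.pfx'          # placeholder: configuration certificate with private key
$pfxPassword = Read-Host -AsSecureString 'PFX password'

# Step 6: McNonce is 20 random bytes from a cryptographic RNG, Base64-encoded.
$mcNonceBytes = New-Object byte[] 20
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($mcNonceBytes)
$rng.Dispose()
$mcNonce = [Convert]::ToBase64String($mcNonceBytes)

# Step 7: ConfigurationNonce | McNonce as raw bytes (assumption: byte-level concatenation),
# hashed with SHA-256 and signed with the certificate's RSA private key.
$configNonceBytes = [Convert]::FromBase64String($configurationNonce)   # assumption: Base64 string from step 5
$dataToSign = New-Object byte[] ($configNonceBytes.Length + $mcNonceBytes.Length)
[Array]::Copy($configNonceBytes, 0, $dataToSign, 0, $configNonceBytes.Length)
[Array]::Copy($mcNonceBytes, 0, $dataToSign, $configNonceBytes.Length, $mcNonceBytes.Length)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, 'Exportable')
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
# SignData hashes the input with SHA-256 and signs the digest (assumption: PKCS#1 v1.5 padding, i.e. RSA_SHA-2_256).
$signatureBytes = $rsa.SignData($dataToSign,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

# Values handed to IPS_HostBasedSetupService.Setup in step 8 (assumption: both Base64-encoded).
$digitalSignature = [Convert]::ToBase64String($signatureBytes)
$certificate      = [Convert]::ToBase64String($cert.Export('Cert'))   # DER public certificate only, no private key

# Self-check: the certificate's public key must verify the signature over exactly the bytes we hashed.
$rsaPub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsaPub.VerifyData($dataToSign, $signatureBytes,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)) {
    throw 'Signature self-check failed: wrong key or mismatched nonce bytes'
}
```

The private key never needs to leave the server: only $mcNonce, $certificate and $digitalSignature are returned to the host for step 8, which is why the signing step belongs in the controlled environment described above.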
8. Invoke IPS_HostBasedSetupService.Setup, with the following parameters:
| Property | Value |
| --- | --- |
| NetAdminPassEncryptionType | 2 (HTTP Digest MD5) |
| NetworkAdminPassword | The password hash |
| McNonce | The 20-character randomly generated string |
| Certificate | The certificate used to create the signature |
| SigningAlgorithm | 2 (RSA_SHA-2_256) |
| DigitalSignature | The encrypted hash of ConfigurationNonce \| MCNonce |
Snippet demonstrating this step (run it by inserting it into the SDK's PowerShell execution template; $mcNonce, $certificate and $digitalSignature are the values produced in steps 6 and 7):

```powershell
$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")
$inputObject = $hostBasedSetupServiceRef.CreateMethodInput("Setup")
$inputObject.SetProperty("NetAdminPassEncryptionType", "2")   # 2 = HTTP Digest MD5
$inputObject.SetProperty("NetworkAdminPassword", $networkAdminPassword.ToString())
$inputObject.SetProperty("McNonce", $mcNonce)
$inputObject.SetProperty("Certificate", $certificate)
$inputObject.SetProperty("SigningAlgorithm", "2")             # 2 = RSA_SHA-2_256
$inputObject.SetProperty("DigitalSignature", $digitalSignature)
$outputObject = $hostBasedSetupServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")       # 0 indicates success
```

When IPS_HostBasedSetupService.Setup succeeds, Intel AMT creates an instance of IPS_ClientProvisioningAuditRecord with the certificate included.
Instance Diagram
Classes Used in This Flow
SDK Sample
Located at: <SDK_Root>\Windows\Intel_AMT\Samples\Configuration\HostBasedSetup.
Copyright © 2006-2022, Intel Corporation. All rights reserved.