Prepare the SCA for Kerberos

Configure the default.config.xml Kerberos parameters. The example parameters are:

    <host_name>intel-sdp</host_name>
    <domain_name>amt.intel.com</domain_name>

    <kerberos>
        <containerDN>CN=users,DC=amt,DC=intel,DC=com</containerDN>
        <password>MY$root1</password>
        <clock_tolerance>5</clock_tolerance>
        <acls>
            <acl>
                <access>any</access>
                <user_group_dn>CN=AMT,CN=users,DC=amt,DC=intel,DC=com</user_group_dn>
                <realms>
                    <realm>3</realm>
                </realms>
            </acl>
        </acls>
    </kerberos>

The containerDN is set to the container name Users for the domain amt.intel.com.

The password entry is the “secret” held by Active Directory for the User object associated with the Intel AMT platform. It is not the password used to access the Intel AMT device with non-Kerberos authentication. Rather, it is the password used by Intel AMT only for decrypting Kerberos tickets.

Access is set to “any”, meaning that both remote and local applications can authenticate using Kerberos.

The clock tolerance is set to five minutes. This is the length of time that entries are maintained in the replay cache.

In default.config.xml, also enable setting the system time so the Intel AMT device is synchronized to the server clock:

    <set_network_time>true</set_network_time>

The example sets up one ACL entry. The Kerberos SID in the entry corresponds to the group named AMT defined in the Users container of the amt.intel.com domain. Any user who is a member of this group can access this Intel AMT platform. Realm 3 is the PTAdministrationRealm realm, so any user in the AMT group has sufficient privileges to access any realm.

TLS was not enabled in the example.

If the SCA process was run previously, there may be an existing User entry for the Intel AMT instance. This Active Directory user entry must be deleted; otherwise the SCA will generate an error indicating an attempt to create a duplicate user.
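A pre-flight check for the Kerberos section of default.config.xml, added here as an example; it is not part of the Intel AMT SDK or the SCA. It uses the element names shown on this page, assumes the realm number 3 is PTAdministrationRealm as stated above, and runs against a constructed copy of the example configuration.

```python
# Added example (not Intel SDK code): sanity-check the Kerberos parameters of
# default.config.xml before running the SCA. The sample document below is
# constructed from the values shown on this page.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
  <host_name>intel-sdp</host_name>
  <domain_name>amt.intel.com</domain_name>
  <set_network_time>true</set_network_time>
  <kerberos>
    <containerDN>CN=users,DC=amt,DC=intel,DC=com</containerDN>
    <password>MY$root1</password>
    <clock_tolerance>5</clock_tolerance>
    <acls>
      <acl>
        <access>any</access>
        <user_group_dn>CN=AMT,CN=users,DC=amt,DC=intel,DC=com</user_group_dn>
        <realms><realm>3</realm></realms>
      </acl>
    </acls>
  </kerberos>
</config>"""

ADMIN_REALM = "3"  # PTAdministrationRealm (assumption taken from this page)

def dc_suffix(dn):
    """Domain implied by a DN: the DC= components joined with dots, in order."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p.split("=", 1)[1] for p in parts if p.upper().startswith("DC="))

def check_kerberos_config(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    krb = root.find("kerberos")
    if krb is None:
        return ["no <kerberos> section"]
    findings = []
    domain = (root.findtext("domain_name") or "").lower()
    # Ticket validation depends on clock agreement with the domain controller.
    if (root.findtext("set_network_time") or "").lower() != "true":
        findings.append("set_network_time is not true: clock skew will break Kerberos")
    tol = krb.findtext("clock_tolerance") or ""
    if not tol.isdigit() or int(tol) <= 0:
        findings.append(f"clock_tolerance must be a positive number of minutes, got {tol!r}")
    container = krb.findtext("containerDN") or ""
    if dc_suffix(container).lower() != domain:
        findings.append(f"containerDN {container} is not in domain {domain}")
    for i, acl in enumerate(krb.iter("acl")):
        group = acl.findtext("user_group_dn") or ""
        realms = [r.text for r in acl.iter("realm")]
        if dc_suffix(group).lower() != domain:
            findings.append(f"acl {i}: group {group} is not in domain {domain}")
        if not realms:
            findings.append(f"acl {i}: no realms granted")
        if ADMIN_REALM in realms:
            findings.append(f"acl {i}: realm {ADMIN_REALM} gives members of {group} access to every realm; review group membership")
    return findings
```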

Copyright © 2006-2022, Intel Corporation. All rights reserved.