
Secure Session Support

Security is important for many Intel AMT features, especially for redirection. The usage model of SOL and Storage Redirection covers remote troubleshooting: remote diagnostics, boot, and OS installation. These procedures usually involve authentication steps, so usernames and passwords will be sent over the LAN as part of the redirection session. To prevent sniffing of network passwords, redirection should be used only over a secure connection.

If the Intel AMT device supports TLS, the KVM proxy or user application can establish a TLS session with it before opening SOL or Storage Redirection sessions, thus ensuring that all relevant network communications are secure. Note that when large quantities of SOL data are pushed over TLS, the session is closed once more than 300 KB has been pushed.

From the TLS protocol point of view, the Intel AMT device is an SSL server and the Redirection Library is an SSL client. When establishing a TLS session, the library attempts to verify the validity of the SSL certificate it receives from the Intel AMT device.

In addition to authenticating the SSL server certificate that is sent from the Intel AMT device, Intel AMT provides a mechanism for TLS mutual authentication, which means that the Redirection Library will send its own SSL client certificate. This feature can increase the security level of the redirection session.
Note: When using TLS mutual authentication, the user must first configure the Intel AMT system time.

There are special requirements for the Intel AMT client certificates:

   The certificate needs to contain the OID 1.3.6.1.5.5.7.3.2, which marks the certificate as a TLS client certificate.

   Intel AMT mandates that the "Enhanced Key Usage" OID list field of the leaf certificate contains the OID 2.16.840.1.113741.1.2.1 (this OID is used by the Intel AMT device to authenticate the Redirection Library).
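The two OIDs above are what a client certificate must carry before IMR_SetCertificateInfo() will get anywhere with mutual authentication. The following checker is an added example (not SDK code): it DER-encodes the OIDs, locates the extKeyUsage extension (extnID 2.5.29.37) in a PEM certificate with a small DER walker, and reports which required OID is missing. It uses only the standard library; the sample_eku_pem() helper builds a constructed test input (an extension TLV wrapped in PEM markers, not a full certificate), which is an assumption made here to keep the example offline.

```python
import base64, re
TLS_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth
AMT_REDIRECTION = "2.16.840.1.113741.1.2.1"    # Intel AMT redirection EKU
EKU_EXT = "2.5.29.37"                          # id-ce-extKeyUsage (extnID)

def encode_oid(dotted):
    """DER-encode a dotted OID: tag 0x06, first two arcs merged, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = b""
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = bytes([arc & 0x7F])
        while arc > 0x7F:
            arc >>= 7
            chunk = bytes([(arc & 0x7F) | 0x80]) + chunk
        body += chunk
    return bytes([0x06, len(body)]) + body

def read_tlv(buf, pos):
    """(tag, value, next_pos) at pos; short-form lengths suffice inside an EKU extension."""
    tag, ln = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def eku_sequence(cert_der):
    """extKeyUsage extnValue (a SEQUENCE OF OID) or b"" if absent.  Scanning for the
    encoded extnID is a heuristic; in a real certificate 2.5.29.37 occurs only there."""
    i = cert_der.find(encode_oid(EKU_EXT))
    if i < 0:
        return b""
    _, _, nxt = read_tlv(cert_der, i)            # extnID
    tag, val, nxt = read_tlv(cert_der, nxt)      # BOOLEAN critical or OCTET STRING
    if tag == 0x01:                               # skip the optional critical flag
        tag, val, nxt = read_tlv(cert_der, nxt)
    if tag != 0x04:
        raise ValueError("malformed extKeyUsage: expected OCTET STRING extnValue")
    return val

def missing_amt_client_oids(pem_text):
    """Required EKU OIDs that the first certificate in pem_text does not list."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m: raise ValueError("no PEM certificate found")
    seq = eku_sequence(base64.b64decode(m.group(1)))
    return [o for o in (TLS_CLIENT_AUTH, AMT_REDIRECTION) if encode_oid(o) not in seq]

def sample_eku_pem(oids, critical=True):
    """Constructed sample for offline testing: PEM wrapping only an extKeyUsage TLV."""
    seq = b"".join(encode_oid(o) for o in oids)
    ext = encode_oid(EKU_EXT) + (b"\x01\x01\xff" if critical else b"")
    ext += bytes([0x04, len(seq) + 2, 0x30, len(seq)]) + seq
    der = base64.b64encode(bytes([0x30, len(ext)]) + ext).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % der
```

On a real client certificate, pass the contents of the PEM file to missing_amt_client_oids(); an empty list means both required OIDs are present.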

Note:

To use the mutual authentication capability, the Intel AMT device should have as part of its trust list the CA certificate that has signed the SSL client certificate. This CA certificate should be provided to the Intel AMT device during the setup and configuration process.

The root certificate is in .cer format and is needed for all secure sessions. For sessions that use mutual authentication, the certificate must be in PEM format.

The Redirection Library can open secure sessions using either the OpenSSL library or the Microsoft® Security Support Provider Interface (SSPI). On Linux OS the only option is OpenSSL, as described below.

On Linux OS, to establish a secure session, call the IMR_SetCertificateInfo() function.

On Windows OS, if IMR_SetCertificateInfo() is called with valid parameters, OpenSSL functionality will be used. If IMR_SetCertificateInfo() is called with empty parameters or isn’t called, SSPI functionality will be used.

Working with OpenSSL Secure Sessions

Note:

     Support for OpenSSL on Windows systems was removed in Intel AMT version 11.5. All connections now use the Redirection-SSPI API.

To verify the SSL certificates received from the Intel AMT device, the library must be provided with the trusted Certificate Authority (CA) certificates that were used to sign the server certificate presented by the device. The location of the trusted CA certificates is passed to the library using the IMR_SetCertificateInfo() function. If this file name is not provided, the library may not be able to verify SSL certificates, and thus will not be able to establish TLS sessions.

The specified file must contain the trusted root certificate in PEM format. Convert a certificate in PKCS12 (.p12) format to PEM using the OpenSSL pkcs12 command. The file can also contain the subsequent subordinate certificates of the certification path, each identified by a sequence of:

-----BEGIN CERTIFICATE-----

... (CA certificate in base64 encoding) ...

-----END CERTIFICATE-----

Before, between, and after the certificates, text is allowed that can be used for purposes such as descriptions of the certificates.

Note:

Intel AMT expects keys that are in RSA format. OpenSSL version 1.0.0 does not create keys in this format automatically. When working in a Linux environment, use the openssl rsa command to convert the key in a PEM file to RSA format, then replace the encrypted key in the original PEM file with the newly created key.

When the mutual authentication capability is used, the SSL client certificate (carrying the required OIDs described above) should be supplied to the Redirection Library using the IMR_SetCertificateInfo() function. The file supplied to the library should contain the complete certificate chain and the private key in PEM format.
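A quick layout check for the two kinds of file described above (the trusted-CA file and the mutual-authentication file), written here as an added example rather than SDK code. It assumes that "RSA format" in the note above means the traditional "BEGIN RSA PRIVATE KEY" encoding that the openssl rsa command writes, as opposed to the PKCS#8 "PRIVATE KEY" / "ENCRYPTED PRIVATE KEY" labels; the sample files at the bottom are constructed, with placeholder base64 bodies that the checker never decodes.

```python
import re
# One PEM block: label, body, matching END label.  Free text outside blocks is ignored.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(text):
    """Labels of the PEM blocks in the order they appear in the file."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_pem_file(text, mutual_auth=False):
    """Problems with a file meant for IMR_SetCertificateInfo(); [] means it fits.
    mutual_auth=False: trusted-CA file (certificates only).
    mutual_auth=True: client chain plus exactly one key in traditional RSA form."""
    labels = pem_labels(text)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if not mutual_auth:
        if keys:
            problems.append("trusted-CA file should contain certificates only")
        return problems
    if len(keys) != 1:
        problems.append("mutual-auth file needs exactly one private key, found %d" % len(keys))
    elif keys[0] != "RSA PRIVATE KEY":
        problems.append("key block is '%s'; convert it with 'openssl rsa' to RSA format" % keys[0])
    return problems

# Constructed samples (placeholder base64 bodies; descriptive text between blocks is allowed).
CA_FILE = "Lab root CA\n-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
CLIENT_FILE_PKCS8 = (CA_FILE +
    "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nR0hJ\n-----END ENCRYPTED PRIVATE KEY-----\n")
CLIENT_FILE_OK = CLIENT_FILE_PKCS8.replace("ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY")
```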

Working with SSPI Secure Sessions

Note:

     SSPI secure session functionality is not supported in Windows XP. Users of Windows XP should use OpenSSL instead. Note that support for Windows XP and for OpenSSL were both removed in Intel AMT version 11.5.

     In Windows OS, an SSPI secure session is opened by opening a secure session without calling the IMR_SetCertificateInfo() function, or by calling it with empty strings. When this function is not called, or is called with empty input parameters, the library automatically performs the SSPI secure session flow.

To verify the SSL certificates received from the Intel AMT device, the library uses the Microsoft® certificate store. During the handshake, the library checks the certificates received from the Intel AMT device against the certificates installed in the certificate store; therefore all the trusted Certificate Authority (CA) certificates that were used to sign the server certificate presented by the device must be installed in the Microsoft® certificate store.

When the mutual authentication capability is used, the SSL client certificate (carrying the required OIDs described above) should be installed in the "MY" store, and the IMR_SetClientCertificate() function should be called with the Subject:CN string of the desired client certificate.

See Also:

   Creating a Client Certificate Using Windows 2003 CA

   IMR_SetCertificateInfo()

   IMR_SetClientCertificate()

Copyright © 2006-2022, Intel Corporation. All rights reserved.