Intel AMT SCS Installation and User Manual
Contents
1. [Screenshot: Advanced Parameters dialog with fields MEBx password, BIOS Password, Re-Enter BIOS Password, New MEBx password for certificate based configuration, Re-Enter New MEBx password for certificate based configuration, Kerberos Max Clock Tolerance (minutes), OK, Cancel.] 8. New MEBx password for certificate based configuration: Enter and confirm the password used during Remote Configuration. The Remote Configuration process requires that the MEBx password be changed before the setup and configuration can complete. 9. Enter Kerberos Max Clock Tolerance. This is the allowable difference between the clock of an Intel AMT device and the timestamp of a received message. This is part of the mechanism used to eliminate replay attacks. 10. Click OK. 11. Click Apply. The Profile Configuration Network Tab. [Screenshot: Add/Edit Profiles dialog, Network tab: General (Enable ping response, Use TLS, Environment Detection), VLAN (Use VLAN, VLAN Tag), TLS Settings (TLS Server Authentication, TLS Mutual Authentication), Interfaces (Web UI, Serial Over LAN, IDE Redirection), TLS/PSK (Encrypted, Plain Text, Both), Mutual Authentication.] On this tab, define the network settings for this profile. 12. In the G
2. 5. Expand the SQL Server 2005 Network Configuration branch. 6. Select the Protocols for SQLEXPRESS branch. 7. Ensure that Shared Memory, Named Pipes and TCP/IP are enabled. If they are not, select each, right-click, and from the popup menu select Enable. [Screenshot: SQL Server Configuration Manager (Local): SQL Server 2005 Services, SQL Server 2005 Network Configuration, Protocols for SQLEXPRESS (Shared Memory, Named Pipes, TCP/IP: Enabled; right-click menu Enable/Disable/Properties/Help), Protocols for MSSQLSERVER, SQL Native Client Configuration (Client Protocols, Aliases, VIA).] 8. To enable secured database communication using the internal SQL Server encryption option, right-click on Protocols for SQLEXPRESS and select Properties. Set ForceEncryption to Yes. 9. Expand the SQL Native Client Configuration branch. 10. Select the Client Protocols branch. 11. Ensure that Shared Memory, Named Pipes and TCP/IP are enabled. If they are not, select each, right-click, and from the popup menu select Enable. 12. If the database service is currently running, restart the service so that the changes take effect. Right-click on My Computer and select Manage. Open the Services and Applications element in the control tree and select Services
3. [Screenshot: General Configuration pane: One time password required, No. of Slow Worker Threads, First common name (CN) in certificate subject name / Fully qualified domain name, Delayed Polling Time (minutes), Keep Log Time (days), Log Level (Verbose), Keep Security Audit Time, Service Version, Get New Intel AMT Properties From DB Script Location.] 4. Define the General parameters. TCP Listen Port: Each instance of Intel SCS listens for Hello messages from Intel AMT devices on a defined TCP port. Enter the TCP port used for listening. The default port is 9971. Integrate with Active Directory: Selecting this checkbox will cause the SCS server to add AMT objects to Active Directory. This enables the use of Kerberos authentication and the AD users list. This option must be selected to configure an Intel AMT device for wired 802.1x, or for wireless when the wireless profile uses 802.1x for authentication. AMT requires authorization before provisioning: When the SCS receives a Hello message from an Intel AMT device, setup and configuration will proceed automatically unless this checkbox is selected. Selecting this checkbox requires the Console operator to authorize setup and configuration via the Operations function on the Intel AMT Systems pane. See Ad Hoc Operations on an Individual Intel AMT Device on
4. Profiles using the control. Use the remove control to remove a selected profile from the list. Use the reorder controls to adjust the relative priorities of the profiles. The profile at the top of the list will have the highest priority. The Wired 802.1x Tab: Use the Wired 802.1x tab to select an optional 802.1x profile used by the Intel AMT device to authenticate on a wired LAN when the device is active in the S3, S4 or S5 power states. This tab applies only to Intel AMT Releases 2.5, 2.6 and 3.0. See Defining 802.1x Profiles on page 98. Note that Integrate with Active Directory must be selected on the General Configuration page to be able to configure an Intel AMT device with a wired 802.1x profile. [Screenshot: Add/Edit Profiles dialog, Wired 802.1x tab: Configure 802.1x properties: Enable 802.1x in S0, PXE (Pre-boot Execution Environment) Timeout (sec), 802.1x Profile.] Select the Enable 802.1x in S0 checkbox to allow Intel AMT to authenticate using the 802.1x profile even when the host is active. This mode of operation allows manageability traffic even if the host is unable to complete authentication to the network. Set the PXE boot timeout, up to 86,400 seconds. This parameter defines the period allowed for completion of an 802.1x authentication. This parameter can be set only when an 802.1x profile has been selected. If the 802.1x profile is deleted, this value will be forced to zero. Select the 802.1
5. [Screenshot: IIS Configuration page: Web Site Name (Default Web Site), Application Pool Name (DefaultAppPool), Virtual Directory Name (AMTSCS), Force Secure Connections (HTTPS).] 8. Select a web site from the list of sites defined within IIS. 9. Enter the IIS Web Server Virtual Directory name. The default name is AMTSCS. The Virtual Directory name must be unique. If a Virtual Directory already exists with this name, the existing Virtual Directory will be preserved; as a result, the SOAP Virtual Directory will not be created. 10. Check or uncheck the Force Secure Connections (HTTPS) option. Selecting this option means that TLS will be used for communications between the SCS console (or an ISV-developed console) and the API applications in the AMTSCS virtual directory. Unchecking it means that the connection will not use TLS. Click Next. 11. The Remote Configuration IIS Web Server Configuration page is displayed. [Screenshot: Intel Active Management Technology Setup and Configuration Service InstallShield Wizard, IIS Configuration: Configure IIS Web Server Virtual Directory. Select Remote Configuration IIS Web Server Virtual Directory, application pool and Web Site: Web Site Name (Default Web Site), Application Pool Name (AMTSCS Remote Configuration), Virtual Directory Name (AMTSCS_RCFG), Force Secure Connections (HTTPS).] 12. Select a web site f
6. [SCS Support Content: message table, continued. Columns: Code | Message Text | Type | Cause.]
   784 | Exception in add storage FPACL worker 0x 1 X 2 | Error | See the specific error code
   785 | Exception in clean Intel AMT operations worker 0x 1 X 2 | Error | See the specific error code
   786 | Exception in clean log worker 0x 1 X 2 | Error | See the specific error code
   787 | Exception in clean request status worker 0x 1 X 2 | Error | See the specific error code
   789 | Exception in clock sync worker 0x 1 X 2 | Error | See the specific error code
   794 | Create AD AMT object: Unexpected exception when creating AD AMT Object 1 d 2 | Error | See the specific error code
   (code not legible) | Process interrupted: Exception when trying to pop a request from the delayed requests list 0x 1 X 2 | Error | See the specific error code
   800 | Unexpected error while handling generic exception | Error | N/A
   851 | Exception in power policies 0x 1 X 2 | Error | See the specific error code
   861 | Cannot set ACL 1 | Warning | See the specific error code
   (code not legible) | Processing of provisioning worker aborted. Exit code 0x 1 X 2 | Error | See the specific error code
   Intel AMT devi
7. A client application requires a root certificate from the CA that issued the IIS certificate so that it can authenticate IIS. This applies to the platform running the SCS Console application. Install the CA issuer certificate in the console's trusted root certificate store: a. Open a web browser. b. Enter the address of the CA Server web interface. In the following example, ca_machine is the host name of the CA Server: http://ca_machine/certsrv. c. Click Download a CA certificate, certificate chain, or CRL. d. Click Download CA certificate. e. Click Save and save the .cer file in a known location. f. Right-click on the saved certificate and select Install Certificate. g. Select Next on all options of the Certificate Import Wizard. The wizard will display the default SSL port, 443. Select Next in this display also. Installing an Intel AMT Client Certificate for TLS Mutual Authentication: If TLS Mutual Authentication will be used, issue an Intel AMT client certificate and install the certificate in the certificate store of the service user. This includes the SCS application and any Management Console applications. There are differences in the process when working with a Stand-alone CA and an Enterprise CA. The procedure for an Enterprise CA is described below. Creating and Installing a Client Certificate Using a Stand-alone CA: This procedure must be performed on the SCS hos
8. [Glossary, continued.] An authentication protocol string created each time authentication occurs and sent with the ticket to the server. It contains a time stamp encrypted in the session key that can reliably show that the authentication request actually came from the client identified in the ticket. The process of determining what types of activities are permitted. Usually authorization is in the context of authentication: once you have authenticated a user, the user may be authorized for different types of access or activity. CRL: Certificate Revocation Lists. The CRL is a list of time-stamped entries which indicate which lists have been revoked. Domain: Part of the DNS (domain naming system) name that specifies details about a host. A domain is the main subdivision of Internet addresses, the last three letters after the final dot, and it tells you what kind of organization you are dealing with. In the context of Active Directory, every host is a member of a domain. A user logs in to the domain of which he is a member. DNS: A system for converting host names and domain names into IP addresses on the Internet or on local networks that use the TCP/IP protocol. For example, when a Web site address is given to the DNS, DNS servers return the IP address of the server associated with that name. EACL: Enterprise Access Control List. FPACL: Factory Partners Access Control List. FQDN: Fully qualified domain name, the human-readable n
9. Radius Server Authentication: Provide a link to the certificate authority that was the source of the server certificate installed on the Radius server. The SCS will install a root certificate from that CA in Intel AMT devices configured with this profile. Trusted Root CA for Radius server certificate: Use the add control to add a root certificate from the CA. Radius Server Certificate Subject Name: Enter the subject name in the certificate installed in the Radius server. The Full Suffix selection below this field indicates whether this is the FQDN of the Radius server or the domain name suffix of the Radius server. Configuring Pre-Setup and Configuration Security Keys: Setup and configuration of Intel AMT Release 2.0, 2.1 and 2.5 devices is done using the TLS-PSK (Pre-Shared Key) protocol. The protocol requires a security key installed both in the Intel AMT device and in the SCS database. This pane is used to generate the pre-shared keys and associated parameters. Each key has four elements: the key itself (PPS), an identifier sent in the clear by the Intel AMT device in the Hello message (called a PID), an initial MEBx password and a replacement MEBx password. See PID/PPS on page 59 for additional information. Sets of these parameters can be exported to a USB key and installed in new Intel AMT devices. Alternately, an OEM may ship platforms with PID/PPS pairs and a default password already installed. In this case, the file from the OEM mu
10. When TLS is enabled, the SCS interfaces with the Microsoft Certificate Authority to obtain a TLS certificate each time it sets up an Intel AMT device. Management and Maintenance: Intel SCS also facilitates life-cycle management and maintenance operations. These daily tasks can include:
   - Entering the properties of new Intel AMT devices, such as the UUID, FQDN, profiles and AD Organizational Unit, required for adding new Intel AMT-enabled platforms
   - Generating a dataset of PID/PPS/password data for export to a USB key
   - Importing TLS-PSK lists from an OEM
   - Handling certificate expirations and certificate renewals
   - Delivery of Certificate Revocation Lists (CRL)
   - Updating local account passwords
   - Checking the logs
   - Handling exceptions
   - Doing ad hoc configuration operations: single Intel AMT device; all Intel AMT devices; performing un-provisioning; performing re-provisioning; updating the system clock
   - Doing daily database backup
   In addition to these tasks, certain maintenance tasks that enhance the security of the Intel AMT devices can be performed automatically. These include:
   - Reissuing digital certificates before they expire
   - Updating passwords
   - Updating random number generator seeds
   - Synchronizing the system clock
   - Performing re-configuration periodically to ensure that all Intel AMT devices have the latest profile information
   Configuring Intel AM
11. [Feature list, continued: Data Files; Shared Tools; Connectivity Components.] 14. Click Next. The Authentication Mode screen is displayed. [Screenshot: Microsoft SQL Server 2005 Express Edition Setup, Authentication Mode: The authentication mode specifies the security used when connecting to SQL Server. Select the authentication mode to use for this installation: Windows Authentication Mode / Mixed Mode. Specify the sa logon password below: Enter password, Confirm password.] 15. Select Mixed Mode. 16. Enter the sa logon password (sa is the default SQL server Login ID), confirm the entry and click Next. This password will be used by any application to log in to the SQL service. This same password is entered when the SCS is installed and provides another level of security. The Error and Usage Report screen is displayed. 17. Select or clear the error handling options and click Next. The Ready to Install screen is displayed. 18. Click Install. The Setup Progress screen is displayed. [Screenshot: Microsoft SQL Server 2005 Setup, Setup Progress: The selected components are being configured. MSXML6: Setup finished; Setup Support Files: Setup finished; SQL Native Client: Setup finished; SQL VSS Writer: Setup finished; SQL Server Database Services: Setup finished; Workstation Components, Books Online: Setup finished.] 19. Click Next when the setup i
12. [SCS Support Content: message table, continued. Columns: Code | Message Text | Type | Cause.]
   760 | pollProcess Error: could not receive all data from soliciting device | Error | N/A
   763 | Invalid Intel AMT version 1: Unknown Intel AMT version in Hello message. The server cannot process devices with Intel AMT version 1 d | Error | N/A
   768 | Error: could not find Winsock DLL version 2.2 | Error | N/A
   769 | Error: socket listen error 1 d | Error | Make sure the port is not occupied by another software
   374 | Warning: Connection has unknown type 1 d (AF_INET) | Warning | N/A
   773 | Unexpected exception when processing SCS Manager | Error | N/A
   774 | Exception in add storage EACL worker 0x 1 X 2 | Error | N/A
   775 | Exception when processing Maintenance worker 0x 1 X 2 | Error | See the specific error code
   776 | Exception in set mutual authentication 0x 1 X 2 | Error | See the specific error code
   778 | This profile is not defined to work with TLS | Error | Error
   783 | Exception while reprovisioning Intel AMT device 0x 1 X UUID | Error | See the specific error code
13. [Silent installation response file, continued; section GUIDs are not legible in the extraction.]
   szPass = sa
   szServer = local\SQLEXPRESS
   szAuthen = 1
   Result = 1
   ; Database name
   DB_Name = IntelAMT
   ; Application user to add when installing the Database
   App_User = DOMAIN\user
   Result = 1
   ; If there is an existing database, this parameter determines if the installer should update to a newer schema (1 = yes, 0 = no).
   ; If the installed DB has a newer schema than the version being installed, the installation will continue without updating the DB.
   ; If other users are still actively attached to the DB, the update will fail.
   Update_DB = 1
   ; Application properties
   Name = Intel Active Management Technology Setup and Configuration Server
   Version = 3.1.0.5.1
   Company = Intel
   Lang = 0009
   ; If the user selected to run the service does not have sufficient permissions in the local security policy to run as a service,
   ; the installer will add the necessary privileges when Set_Privileges is 1; 0 to ignore.
   Set_Privileges = 1
   ; When installing the Database, it might be alr
   DatabaseSchemaInstalled = 0
14. [Steps 2 to 14, continued.] Select Prepare the request now, but send it later, and click Next. Proceed through the Wizard, entering the requested parameters:
   - Provide a name for the certificate
   - Leave the bit length at 1024
   - Enter an organization name and an organizational unit
   - Enter the platform FQDN as the Common Name
   - Enter geographical information
   - Enter a file name and location to store the certificate request
   Select Next and finish the Wizard. Open the Stand-alone CA from a browser window by entering the URL of the CA. Click Request a certificate. Click Advanced Certificate Request. Click Submit a certificate request. The browser opens a window with a field named Saved Request where the text of the certificate request can be pasted. Open the certificate request in a text editor such as Notepad. Select the body of the request, without the Start certificate and End certificate lines. Copy the request body from the text editor and paste it into the Saved Request window. Click Submit. Select DER format and Download Certificate. Save the resulting certificate. Return to the Default Web Site (or user-defined web site) Properties > Directory Security > Server Certificate. Select Process pending request and install the certificate. Locate the saved certificate. Select Next on the remaining panes and Finish to complete certificate installation. Installing a CA Certificate to Authenticate IIS
15. Hello message, the SCS can command the device to extend this period by up to an additional 24 hours. Intel AMT Release 3.0 Additional Features. Simplified One Touch: Intel AMT Release 3.0 supports a one-touch configuration mechanism that avoids the possibility of a malicious user masquerading as the SCS. If an IT administrator enters the FQDN of the SCS via the MEBx menu, then in Step 14 above the Intel AMT device verifies that the FQDN in the SCS client certificate matches the entered value. Bare Metal Setup and Configuration: With Intel AMT Release 3.0, a platform containing Intel AMT can be configured by the manufacturer to start sending Hello messages as soon as the platform is connected to AC power and to the network. There may be no operating system up and running on the host, thus the name bare metal. With no operating system there is no way to run the Remote Configuration Tool to install a One Time Password. This mode allows entering an optional FQDN for the SCS. Either the manufacturer adds it before delivery or an IT administrator adds it as described in Simplified One Touch. The Intel AMT device will acquire an IP address from a DHCP server and then start sending Hello messages. There is no OTP to exchange in this case; otherwise the setup and configuration flow is the same. The SCS cannot set up Bare Metal platforms when an OTP is required. See page 79. Remote Configuration Certificate Differences betwe
16. [Screenshot: Actions Status pane listing Maintenance operations dated 2006-09-27 with status Succeeded and user AMT admin; controls Refresh, Apply Filter, Page 1 of 1; Global Operations Statistics (List Pending, List Failed); Actions Filter: Date and Time (From 2006-09-27 09:42:14 to 2006-09-27 09:42:14), By Action ID, Name (No Operation), By Status (In Progress), By User, Order By Request, Order By Action.] The following is an example of a Security Audit log display. [Screenshot: View Security Audit Logs with columns Date, Description, Severity, Originator, UUID. Legible rows: 2007-03-27 09:11:18 Adding TLS server certificate, ELA User1; 2007-03-27 12:00:10 Set general parameters for profile, ELA User; 2007-03-27 09:11:16 Adding TLS server certificate, ELA User1; 2007-03-27 09:11:12 Set general parameters for profile, ELA User. Controls: Print, Export, Refresh, Apply Filter.]
17. [Screenshot: Add/Edit Profiles dialog (tabs Network, ACL, Power Policy, NAC), General tab: Configure the Profile General Parameters. General: Profile Name (default_2), Profile Description (Default profile). Administrator Credentials: User Name (admin), Password (Random Creation / Manual), Enter Password, Re-Enter Password; Advanced; OK, Cancel.] On this tab, enter general information that pertains to this profile. 5. In the General box, enter: Profile Name: Enter a short, descriptive name. This name appears in the Intel AMT devices table. Profile Description: Enter a more complete description of the profile. The description appears in the Profile Details screen. In the Administrator Credentials box, enter: Password: Select either Random Creation or Manual. If Manual is selected, enter the password and confirm the entry. The above username and password will be the administrative username and password in the Admin ACL entry for all Intel AMT devices configured with this profile. A third-party Management Console application may have a pre-defined username and password for Intel AMT device administration; those values should be used here. Selecting Random Creation means that only the SCS can use the admin ACL entry for managing the Intel AMT device. To edit the MEBx password and Kerberos clock tolerance, click Advanced. [Screenshot: Advanced Parameters dialog: Configure the Profile advanced parameters.]
18. it can also be completed as a test to ensure that the system is configured and running properly. 1. Log in to the Intel SCS Console. For details, see Logging In on page 77. 2. Add a new profile. For details, see Configuring Profiles on page 81. a. From the navigation panel of the Intel SCS Console, expand the Configuration Service Settings branch and select Profiles. b. Click Add. The Profile Configuration dialog box is displayed and the General tab is selected. c. Configure the new profile and save it. 3. Add configuration properties for Intel AMT devices. For details, see Configuration Parameters per Device on page 106. a. From the navigation panel of the Intel SCS Console, select Configuration Parameters. The New Intel AMT Systems table is displayed. b. Click Add. The New Intel AMT Device Properties dialog box is displayed. c. Enter the New Intel AMT device properties and click OK. 4. Configure the BIOS administrator password for Intel AMT 2.0/2.1. For details, see Configuring Pre-Setup and Configuration Security Keys on page 99. a. From the navigation panel of the Intel SCS Console, expand the Configuration Service Settings branch and select Security Keys. b. Select a TLS-PSK entry. If there are no entries, click Create Pre-Provision data to create entries. c. Click View. Copy or print the properties of the selected entry. The Administrator must enter these values in the appropriate place in the
19. AMT Preparation on page 56 for more information. The platform can now be connected to a network in common with the SCS server. An Intel AMT Release 2.2, 2.6 or 3.0 device can be connected to the network without a password change or entry of any parameters to the BIOS extension, using a mechanism called Remote Configuration. See Remote Configuration on page 62. Intel AMT devices configured by the SCS receive their IP addresses from a DHCP server. The SCS does not support static IP addresses. Setup and Configuration Steps: The following diagram illustrates the major setup and configuration steps. The numbered steps are described below. [Diagram: Platform with Intel AMT Device communicates with DHCP (1), DNS (2), and sends Hello over TCP (3) to the SCS Windows Service; SCS Console and SOAP Server talk to the SCS Windows Service via SOAP over HTTPS; the SCS Windows Service accesses the Database over TLS (4).] 1. An Intel AMT device that is ready for setup requests an IP address from a DHCP server. 2. The device performs a DNS lookup with the default SCS service server name. 3. The Intel AMT device sends a TCP/IP Hello message. 4. Based on the UUID in the Hello message, the SCS service searches the database to locate the Profile and host name to be used to set up and configure the device. If the SCS is configured to do so, it may execute a script to acquire the necessary parameters from sources outside the database and then stor
20. AMT device. [Screenshot: View Pre-Provisioning Security Keys dialog: PID, PPS, Factory Default MEBx Password (admin), New MEBx password (this MEBx password is typed into the MEBx screen or uploaded from the USB key); buttons Print, Mark as Used.] The following information is displayed: PID (Provisioning ID): The PID is the 8-character identification string sent in the clear in the Hello message. PPS (Provisioning Pre-Shared Key): The PPS is a 32-character key string that is the secret shared between the Intel AMT device and the SCS service. Factory Default MEBx Password: The factory default MEBx password is the password assigned when the Intel AMT device is preconfigured, whether by an OEM or from a previous installation. The default value is admin. New MEBx Password: The New MEBx password is assigned to the Intel AMT device during setup and configuration. Print: prints the parameters of the single displayed key. Before the print request executes, the SCS displays the following message: "Print Confirmation: The requested printout contains very sensitive data. Do not print this output unattended. Print to a local printer and store the listing in a secure location. Please collect the printout as fast as possible and store it in a secure place." Mark as Used: removes the selected key from the visible list. I
21. AMTConsole. To install the Intel SCS Management Console (see Installing the Intel AMT Management Console on page 50): 1. Ensure that the computer meets the system requirements listed in System Requirements on page 18. 2. Locate the SCS distribution files. 3. Locate and double-click the file named AMTConsole.exe. The Welcome screen is displayed. [Screenshot: Intel AMT SCS Console InstallShield Wizard: Welcome to the InstallShield Wizard for Intel AMT SCS Console. The InstallShield Wizard will install Intel AMT SCS Console on your computer. To continue, click Next.] 4. Click Next. The License Agreement is displayed. 5. Accept the license agreement and click Next. The Choose Destination Location screen is displayed. 6. Define the location where the Intel SCS Management Console will be installed and click Next. The Ready to Install screen is displayed. 7. Click Install. Installation begins. A progress bar indicates the status of the installation. When the installation is complete, the InstallShield Wizard Complete screen is displayed. 8. Click Finish. Post-Installation Operations: After the components of the Intel SCS are installed, we recommend completing the following procedures. Intel AMT Configuration and the DNS: Intel AMT device setup and configuration requires the presence of a Domain Name System (DNS) Server. The DNS must have information for two entities. The
22. Directory object password, update mutual authentication settings and re-issue of all certificates used by Intel AMT. 5. To perform an operation, click a button. Security: Set ACL: This operation updates the list of Intel AMT users according to the ACL entries in the profile and their access privileges. See also The Profile Configuration ACL Tab on page 89. Set CRL: This operation updates the list of revoked certificates. Renew RNG Key: This operation replaces the random number generator seed. Provisioning: Re-Provision: This operation first removes all settings from the Intel AMT device and then applies all the current settings in the profile associated with the device in the configuration parameters table. It also updates the AMT object in Active Directory based on the profile settings. When there is an enabled, active wireless profile on the Intel AMT device, that profile cannot be disabled by an external command, since this might break the only manageability connection with the device. Also, if the wireless profile depends on a certificate, that certificate cannot be deleted. During reprovisioning, if there is a wireless profile with the same name as the active profile in the configuration profile associated with the device, the SCS will define a profile with the same name with an appended underscore and send it to the device. For example, if the active profile is named WP 1, the SCS
23. [802.1x protocol table, continued. Columns: Protocol | Client Authentication Options | Server Authentication Options.]
   EAP-FAST | Client Certificate (required) | Trusted root for Radius TLS server certificate (required)
   EAP-FAST GTC | Client Certificate (required); Roaming Identity (optional) | Trusted root for Radius server certificate (required)
   Client Authentication: The client authentication options require defining a source for a client certificate for authenticating an Intel AMT device to a Radius server. Client Certificate: Select the control to enter a path to a certificate authority and select a template defined for creating the appropriate client certificate. See Defining a New Template for an Enterprise CA on page 130 for information about creating a template for 802.1x client certificates. Defining a template requires an Enterprise CA, which requires the presence of Active Directory. Only three server and client certificates can be associated with a single profile. These include the Server certificate required for TLS and any client certificates required for 802.1x profiles or for NAC posture signing. In a normal installation, a single client certificate would be purchased for all applications in the facility. If a profile requires more than three certificates, setup of an Intel AMT device based on this profile will fail. Roaming Identity: Selecting this checkbox enables roaming. The user will have an identity of Anonymous
24. Factory mode setup process can be simplified by using a USB key containing a file of PID/PPS pairs and replacement passwords, when the BIOS supports this method. This method can be used for one-touch configuration if all the defaults listed below are suitable for an enterprise installation. Even if additional parameters need to be changed, the USB key can install the PID and PPS without the problem of operator error. Use this method also for preparing platforms for future Intel AMT configuration. Requirements: The following items are required to be able to use a USB key for Intel AMT device configuration:
   - A dedicated USB key with no data on it
   - The function within the SCS service that generates a file of PID/PPS/password triplets in the proper format
   - Good security procedures for controlling the USB key
   Preparation: All that is required is to execute the SCS function, which will do the following: 1. Create a list of PID/PPS/password triplets. See Configuring Pre-Setup and Configuration Security Keys on page 99. 2. Use the export function to create a file to write to the USB key. The SCS automatically formats the key to FAT16 and copies the file to the key. Initializing a Platform: To install the PID/PPS information on an Intel AMT device, an Administrator will: 1. Take the platform out of the box and connect cables, a monitor and a keyboard. 2. Connect the USB key to a USB port. 3. Turn on the platform. The BIOS
25. Global Operations (used to configure Intel AMT devices): select Configuration Parameters. [Screenshot residue: Actions, Status columns.] To review existing Intel AMT devices (devices that have sent at least one Hello message that the SCS received), select Intel AMT Systems.
Console Configuration Pane: The SCS Console Configuration pane includes standard user interface elements that enable configuration of the Intel SCS. Selecting a sub-branch in the navigation pane opens a configuration pane. For example, selecting Configuration Settings > General opens the General Configuration Pane.
[Screenshot: General Configuration pane ("Configure the Intel AMT Setup and Configuration Service General parameters"). Server settings shown: TCP Listen Port (3371), Queue Polling Period, Max Queue Size, No. of Worker Threads, No. of Slow Worker Threads, Delayer Polling Time, Keep Log Time, Keep Security Audit Time, Log Level (Verbose), Service Version, Get New Intel AMT Properties From DB Script Location; checkboxes: Integrate with Active Directory, AMT requires authorization before provisioning, Allow Remote Configuration, One time password required; First common name (CN) in certificate subject name: Fully qualified domain name. Units shown: Milliseconds, Requests, Minutes, Days, Months.]
Commands and Navigation using the Console: The console controls are activated using m
26. Global Operations page is displayed.
[Screenshot: Global Operations page ("Apply operations to all Intel AMT systems using the settings in the assigned profiles"). Provisioning: Re-Provision, Allow Provisioning, Un-Provision (Full / Partial); on-screen note: "Re-provision includes, among many other configurations, also renewal of the Active Directory object password, update of mutual authentication settings and re-issue of all certificates used by Intel AMT". Security: Set ACL, Renew ... Keys. Other: Set Power Policy, ... Clock.]
To perform an operation, click a button.
Re-Provision: This operation applies all the current settings in the profile associated with each Intel AMT device. See page 111 for a note on re-provisioning wireless profiles.
Un-Provision: This operation disables each Intel AMT device and leaves it without any Setup and Configuration parameters. There are two modes:
• Full unprovisioning: Deletes all data from each Intel AMT device. The Intel AMT devices are not functional.
• Partial unprovisioning: Deletes all data on every Intel AMT device except for the PID/PPS, admin ACL settings, host name, domain name, and provisioning server IP and port number. The devices will immediately start sending Hello messages. The SCS will set up and configure the devices according to the profiles associated with them.
Set ACL: This operation updates the list of Intel AMT use
27. Intel SCS database. The default name of the Intel SCS database is IntelAMT. Be sure that the backup is stored securely, preferably encrypted.
Setup and Configuration Service Overview
SCS and Active Directory Tasks and Permissions: Interaction between Management Console applications and the Intel AMT API is optionally authenticated with the Integrated Windows Authentication mode via the API authentication mechanisms. The Active Directory (AD) service is used optionally to authenticate between ISV management console applications and Intel AMT devices. To enable use of AD, the following tasks have to be completed by an enterprise administrator:
• Create instances of Intel-Management-Engine, which is the special class added to the AD schema, each time the SCS completes setup and configuration of an Intel AMT device. These instances are called AMT objects.
• Periodically change the password of these objects automatically.
• Delete an AMT object when it is no longer needed.
To enable Intel AMT use of AD, the following permissions have to be granted to the user account associated with the SCS. This is the user account entered when the SCS service is started, as defined during installation on page 40:
• Create/Delete Intel-Management-Engine objects permission in the relevant Organization Unit (OU) where objects are created.
• Full Control over Intel-Management-Engine objects. One way to do this is by using the Delegate
28. NAC posture signature certificate and the 802.1x server authentication certificate, the SCS will request one certificate and configure the Intel AMT device to use it for all of these purposes.
Only three server and client certificates can be associated with a single profile. These include the server certificate required for TLS and any client certificates required for 802.1x profiles or for NAC posture signing. In a normal installation a single client certificate would be purchased for all applications in the facility. If a profile requires more than three certificates, setup of an Intel AMT device based on this profile will fail.
The Wireless Profiles Tab: Use the Wireless Profiles Tab to select wireless profiles to use to configure mobile platforms. This tab applies only to Intel AMT Release 2.5. See Defining Wireless Profiles on page 96 for information on creating wireless profiles. When the Intel AMT device on a mobile platform is active in the S3, S4 or S5 power states, it will attempt to authenticate according to the selected wireless profiles, in order of priority. The SCS allows up to fifteen wireless profiles to be added to a profile. Note that Integrate with Active Directory must be selected on the General Configuration page to be able to configure an Intel AMT device with a wireless profile if that profile uses 802.1x for authentication.
29. No. of Slow Worker Threads: This parameter limits the number of Slow Worker Threads permitted simultaneously.
Delayer Polling Time: When a process fails, it is sent to the Delayer. A process may fail because information is missing. For example, an Intel AMT device sends a Hello message before the device has an entry in the New Intel AMT devices list, so there is no profile associated with the device and configuration cannot complete. The Delayer is a thread that manages rerunning delayed processes. This parameter determines how frequently the Delayer attempts to rerun a process.
Keep Log Time: This parameter determines how long log entries are saved.
Keep Security Audit Time: This parameter determines how long security status entries are saved.
Click Apply.
Configuring Profiles: Profiles contain the Intel AMT device configuration parameters. Profiles determine which features are enabled in the device, what authentication mechanism will be used, and which users have access to device features. One or many profiles can be defined; for example, use a different profile for different sites. Each profile can be assigned to one or more Intel AMT devices. Entries in New Intel AMT Systems associate a profile name with a specific Intel AMT device.
Viewing Existing Profiles: To view existing Profiles: 1. Open the Intel SCS Console. 2. Expand the Configuration Service Settings branch. 3. Select
30. On in S0, ME WoL in S3 AC: The Intel ME and Intel AMT are on when the host is on. When the host is in S3 and the platform is connected to AC power, the ME will shut down after a defined period of time but will awaken when it receives a network message (Wake on LAN).
Mobile: On in S0, WoL in S3 AC, S4/5 AC: The Intel ME and Intel AMT are on when the host is on. When the host is in S3 to S5 and the platform is connected to AC power, the ME will shut down after a defined period of time but will awaken when it receives a network message (Wake on LAN).
Intel AMT Release 3.0: Select Desktop: ON in S0, S3, S4/5. Return to the previous menu. Exit all menus. The computer will restart. Press <Ctrl-P> and enter the Main Menu. Select Intel AMT Configuration and press Enter. The Intel BIOS extension screen is displayed:
[MEBx screen: "Copyright 2003-2006 Intel Corporation. All Rights Reserved." INTEL(R) AMT CONFIGURATION menu: Host Name, TCP/IP, Provisioning Server, Provision Model, Set PID and PPS, Un-Provision, VLAN, SOL/IDER, Remote Firmware Update, Set PRTC, Return to previous menu.]
16. Configure the parameters as described in the following sections.
Host Name: This parameter is set by the SCS.
TCP/IP Settings: Enable the network interface and DHCP. These are the default settings in enterprise mode and are required for interoperability with the SCS. The Intel AMT device will share the IP add
31. [Screenshot: SQL Server Management Studio object tree (Databases, Security, Server Objects, Replication) with a context menu offering Start, Refresh and Properties.]
5. Select Properties. The Server Properties window is displayed. 6. Select the Security page. 7. In the Server authentication section, select SQL Server and Windows Authentication mode. 8. Click OK.
SQL Server Verification: To verify that the SQL server is running: 1. On the computer where the SQL Server is installed, click the Windows Start button and click Programs. 2. From the Microsoft SQL Server 2005 program group, select Configuration Tools > SQL Server Configuration Manager. The SQL Server Configuration Manager opens. 3. From the left pane, select SQL Server 2005 Services. In the right pane, check the State column and ensure that SQL Server and SQL Server Browser are both running. If they are not, select each, right-click, and from the popup menu select Start. It may be necessary the first time after installation to right-click on the server or server browser entry, select Properties, select the Service tab, change the Start Mode to Automatic, and then start the server and/or the browser.
[Screenshot: SQL Server Configuration Manager (Local), SQL Server 2005 Services, showing SQL Server Browser as Running, with the context menu Start / Pause / Resume / Restart / Properties / Help ("Start selected service").]
32. Technology Setup and Configuration Server. Version 3 1 0 5 1. Company: Intel. Lang: 0009. [Silent-install response file; the GUID section headers and several lines are unreadable.]
Database schema uninstalling: Remove_DB 1
User/Password for SQL Server login. To use Windows authentication simply use blank values, for example szUser (blank). Note: the User/Password is not validated in silent mode. If access is denied, the uninstall will fail when it tries unsuccessfully to access the DB. szUser sa, szPass sa, Result 1
AskYesNo (ignored): Result 0
DB init: Result 1, bOpt1 0, bOpt2 0 [remaining lines unreadable]
The uninstaller may request a reboot. BootOption 0 ignores the request; BootOption 1: the uninstaller does reboot. ... SOAP API after IIS restart: Result 1, BootOption 0 [unreadable]. Count 0
Installing the Intel AMT Management Console: Installing the Intel SCS Management Console requires no user intervention. The default installation folder is C:\Program Files\Intel
33. button. Click Apply. 10. Select the Security tab. Select Administrator, or the SCS user, or the group the SCS user is in, and assign Read and Enroll permissions. The SCS user must be added to this list if the SCS requests certificates using this template. Click Apply.
[Screenshot: Properties of New Template, Security tab. Tabs: General, Request Handling, Subject Name, Issuance Requirements, Superseded Templates, Extensions, Security. Group or user names: Administrator (SHARONAD\Administrator), Authenticated Users, Domain Admins (SHARONAD\Domain Admins), Domain Users (SHARONAD\Domain Users), Enterprise Admins (SHARONAD\Enterprise Admins); Add / Remove. Permissions for Administrator (Allow / Deny): Full Control, Read, Write, Enroll, Autoenroll. "For special permissions or for advanced settings, click Advanced."]
11. Select Add to add a user that is not already in the template list. Then set the permissions for the added user.
[Screenshot: Select Users, Computers, or Groups dialog. Select this object type: Users, Groups, or Built-in security principals (Object Types). From this location: intel.com (Locations). Common Queries: Name starts with, Description starts with, Disabled accounts, Non-expiring password, Days since last logon; Search results columns: Name, E-Mail Address, Description, In Folder.]
34. [Table continues: Msg ID | Message Text | Type | Cause | Action]
... | code %d execution failed (%1) | Error | Cannot execute properties script: file %s not found | ...
501 | Request ID not found | Error | The given request id does not exist | N/A
... | SOAP cannot be created | Error | SOAP cannot be created | N/A
... | Certificate failure | Error | Out of memory when trying to allocate keyBlob, or insufficient memory | Try to restart the server machine
... | Exception when trying to push request | Error | Exception when trying to push request | N/A
... | Unexpected exception when trying to push request | Error | Unexpected exception when trying to push request | N/A
... | Exception when trying to delay request | Error | Exception when trying to delay request | N/A
... | Unexpected exception when trying to delay request | Error | Unexpected exception when trying to delay request | N/A
701 | Crypto failure (%1 %d) | Error | Crypto failure | N/A
752 | Exception when trying to push request 0x%1X %2 | Error | Exception when trying to push request | N/A
753 | Unexpected exception when trying to push request | Error | Unexpected exception when trying to push request | N/A
754 | Exception when trying to delay request 0x%1X %2 | Error | Exception when trying to delay request | N/A
755 | Unexpected exception when trying to delay request | Error | Unexpected exception when trying to delay request | N/A
756 | Exception when trying to update IP 0x%1X %2 | Error | Exception when trying to update IP | N/A
757 | Unexpected exception when trying to update IP | Error | Unexpected exception when trying to update IP | N/A
758 | Exception when processing pollProcess 0x%1X %2 | Error | Exception when processing pollProcess | N/A
759 | Unexpected exception when processing pollProcess | Error | Unexpected exception when processing pollProcess | N/A
35. continue. View the accompanying message and click Exit. Then correct the error and try again. 9. If all checks are successful, click Next. The Registration Information screen is displayed. 10. Enter your name and the company name. 11. Select or clear the Hide advanced configuration options checkbox. When the checkbox is cleared, the Instance Name, Service Account, User Instances and Collation can also be configured. Select the Hide advanced configuration options checkbox and accept the default settings. This manual does not document the advanced configuration options. 12. Click Next. The Feature Selection screen is displayed.
[Screenshot: Microsoft SQL Server 2005 Express Edition Setup, Feature Selection ("Select the program features you want installed. Click an icon in the following list to change how a feature is installed."). Features shown: Data Files, Replication, Shared Tools, Client Components (remaining labels unreadable). Feature description: "Installs components for communication between clients and servers, including network libraries for ODBC and OLE DB. This feature requires 21 MB on your hard drive." Installation path, Browse, Disk Cost.]
13. As pictured above, select the following features. For each feature, select the Will be installed on local hard drive option.
36. database queue. Requests via the SOAP API to perform an update to an Intel AMT device are added to the queue directly by the API. Worker threads in the SCS poll the queue for tasks. A worker thread will perform all steps required for setup and configuration except those that are relatively time consuming, such as a request to a Certificate Authority for a certificate or a request to add an entry to Active Directory. These tasks are handed off to a slow worker thread. If a task cannot be completed due to unavailability of a resource (for example, configuration cannot proceed because there is no profile associated with an Intel AMT device that sent a Hello message), the task is passed to a delayer thread to wait for a defined period before retrying. As processing for requests completes, threads are freed up to process subsequent requests. The SCS logs all transactions so that if the service is interrupted, the service can recover partially completed tasks. IT administration can configure the number of worker and slow worker threads, the queue size, and various times to maximize performance of the SCS. In an enterprise installation that has the potential of many Intel AMT devices requesting setup simultaneously, the number of worker threads can be increased consistent with the number of processors and the amount of memory installed in the server platform. See Defining General Parameters on page 78 for the tuning parameters accessible from t
37. [Silent-install response file continues; the GUID section headers are unreadable.]
Allow installation of SOAP API even if IIS6 is not installed: IIS6 Warning 1 ... AskYesNo: Result 1 [unreadable]
Domain User/Password for the main service. Note: when running in silent mode the Domain User/Password is not validated. Domain User DOMAIN\user, Password password [unreadable]
The IIS SOAP API virtual directory name and web site name. The web site named must exist before the installation. SOAP Name AMTSCS, Result 1, SOAP Web Site Name Default Web Site, SOAP Secure Connection 0, SOAP Application Pool Name DefaultAppPool [unreadable]
The IIS SOAP API virtual directory name and web site name used by the RCT. The web site named must exist before the installation. SOAP Name AMTSCS RCFG, Result 1, SOAP Web Site Name Default Web Site, SOAP Secure Connection 0, SOAP Application Pool Name AMTSCS Remote Configuration
SQL Server select login 0. User/Password for SQL Server login. To use Windows authentication simply use blank values, for example szUser (blank). Note: the User/Password is not validated in silent mode. If access is denied, the installation will fail when it tries unsuccessfully to access the DB. szUser sa
38. each time it performs a setup of an Intel AMT device. Otherwise an Administrator will have to intervene each time a device is set up. Microsoft's Enterprise CA requires Microsoft Windows 2003 Enterprise Edition with Service Pack 1. To enable web enrollment for certificates, install IIS before installing the CA. The following prerequisites must be met to install an Enterprise CA:
• The host must be a member of an Active Directory domain. It can be the same host as the domain controller.
• The user performing the installation must be a member of the domain and have sufficient administration privileges (e.g., is a member of the Domain Admins group).
Installing the Microsoft CA: To install the Microsoft Certificate Authority as a Stand-alone or Enterprise root CA: 1. Click the Windows Start button and select Control Panel. 2. Double-click Add or Remove Programs. 3. From the left panel, click Add/Remove Windows Components.
[Screenshot: Add or Remove Programs (Change or Remove Programs, Add New Programs, Add/Remove Windows Components) with the Windows Components Wizard: "You can add or remove components of Windows. To add or remove a component, click the checkbox. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details." Components list includes Certificate Services and E-mail Services.]
39. in SQL Server.
• A client script named AddConfigPropertiesToAuxDB.vbs that runs at least once on each client platform. The client script reads the UUID and the FQDN and writes them to the database.
• A server script named GetConfigPropertiesFromAuxDB.vbs that searches the database for an entry that matches the UUID in a Hello message and returns the UUID, FQDN, Profile name and Active Directory OU to the SCS. The sample script returns a profile and OU based on the FQDN. The SCS would call this script on receipt of a Hello message when there is no entry in the SCS database for the UUID in the Hello message.
The client script: 1. Sets up script parameters. 2. Using the WMI protocol, requests the Win32_ComputerSystemProduct object to recover the platform UUID and FQDN. 3. Writes a record to the database.
The server script: 1. Queries the database using the UUID. 2. Erases the row in the database so future updates by the client script will be successful (for example, after changing the FQDN of the platform). 3. Builds an XML fragment with the returned parameters. 4. Returns the XML fragment to the SCS.
Add the path to the batch file that executes the script to the General Properties page of the SCS Console. As with the server script, GetConfigPropertiesFromAuxDB.vbs can be executed with runscript.bat and tested with testme.bat.
Remote Configuration Tool: The Remote Configuration Tool described above on page 66 elimina
40. [Intel logo] Intel Active Management Technology Setup and Configuration Service, Version 3.3. Installation and User Manual. Document Release Date: January 24, 2008.
Information in this document is provided in connection with Intel products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel's Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty relating to sale and/or use of Intel products, including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Intel products are not intended for use in medical, life saving or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. The API and software may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. This document and the software described in it are furnished under license and may only be used or copied in accordance with the terms of the license. This document may be reproduced in whole or in part solely for the purpose of end user documentation in support of products that use the Setup and Configuration
41. local security policy that needs to be added. Once the security policy is added, the service can run. To overcome this problem, the user needs to open the service in the Service Manager and re-enter the password; Windows then automatically opens the security policy.
The installer failed to locate the SOAP Directory/Virtual Directory in the registry. This failure will prevent the installer from disabling web extensions added earlier during installation and from deleting the Virtual Directory.
The installer successfully ran the build Database Schema script, but the script returned error code X.
The installer failed to create or set registry values. Make sure you are logged in as an Administrator user. This problem might occur during installation or removal of the Database Schema.
The Microsoft SQL Server Management Studio Express does not present the Database in the list of Databases, but the Database files exist. To resolve this problem, delete the Database files (LDF and MDF extensions) manually from Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data. Restart and reinstall.
Open the Windows Management Console and select the Services tab. Locate the AMTConfig service. Open it. Go to Log on and re-type the password. Then restart the service.
IIS application pool has a protection from rapid failures in a given time (default 5 failures in 5 minut
42. (XML schema fragment continues)
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="cert" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="name" type="xs:string" use="required"/>
    </xs:complexType>
  </xs:element>
</xs:schema>
Troubleshooting: This section includes miscellaneous tables for troubleshooting and maintenance.
Table 8 Troubleshooting. Problems listed (solutions follow in the right-hand column, continued on the next page):
• Received "Cannot contact CA" error in SCS Service log during provisioning and re-provisioning process.
• I'm having an authentication problem when running the AMTConfig Windows Service.
• I'm trying to uninstall the SOAP API and I'm getting an error "Failed to extract SOAP directory from the registry" or "Failed to extract SOAP virtual directory name from the registry".
• I'm trying to uninstall the Database schema and I'm getting an error "Build Database script failed. Error code X".
• I'm getting an error "RegDBCreateKeyEx failed" or "RegDBSetKeyValueEx failed".
• I can't install/remove the Database.
• I've checked "Start AMT Config Service at the end of the installation" but got an error that the service can't be started.
Solution for "Cannot contact CA": On the SCS Console, select Profile > Certificate tab. Verify that the CA Server Name field has no leading spaces. Do this for each profile in the system.
Solution for the AMTConfig authentication problem: The installer inserts the password for the Windows service correctly, but there is a
43. manually, as described below, based on values generated by the SCS.
• If the device was prepared for configuration with a PID/PPS pair by an OEM or by previous IT actions, then no further preparation is needed. It is already in Setup Mode. The Intel AMT device will send Hello messages once it is connected to the network.
• Intel AMT Releases 2.2, 2.6 and 3.0 have an option for Remote Configuration and do not need any of the above three approaches. See Remote Configuration on page 62.
Preparation Without a USB Device: If there is no USB device or USB enablement is not supported, the platform displays the BIOS startup screen and then the BIOS Extensions will be processed. Intel AMT reference platforms display a screen prompting the user to press <Ctrl-P>. Pressing <Ctrl-P> passes control to the Intel Management Engine BIOS extension (MEBx) Main Menu. This step may vary as a function of an OEM-provided BIOS. Follow the manufacturer's directions for accessing the ME BIOS sub-menu. Steps 1 through 11, or some subset of them, may not be required. Perform the following steps: 1. Enter the MEBx default password. The default password is admin. 2. Change the default password to a new value. This step is required. The password must contain at least eight characters, including an upper case letter, a lower case letter, numbers and at least one symbol (for example &). This password is either generated by the S
44. message.
• The SCS activates the script.
• The script locates the necessary parameters and creates a file consisting of an XML fragment.
• When the script completes, the SCS reads the file and adds an entry to the New Intel AMT table using the values returned by the script in the file.
• The SCS performs setup and configuration using the information in the file.
Environment Variables: The SCS sets the following environment variables to pass values to a script:
• CS_AMT_UUID: The UUID from the Hello message.
• CS_AMT_STATUS: Status of the device to be set up: U (Unprovisioned), T (In provisioning) or P (Already provisioned).
• CS_AMT_ADDRESS: The value depends on the value of the previous parameter:
  o If CS_AMT_STATUS = U or T, CS_AMT_ADDRESS = the source IP address from the Hello message.
  o If CS_AMT_STATUS = P, CS_AMT_ADDRESS = the FQDN of the Intel AMT device to be set up.
• CS_OUT_FILE_NAME: A file name generated by the SCS. The script returns the Intel AMT properties in a file with this name, in the same directory as the script, in the format described below.
Output File Format: The output file generated by a script must be an XML fragment interpretable by the SCS. The fragment has the tag amtConfiguration and contains the following attributes:
• fqdn: The FQDN of the platform containing the Intel AMT device.
• addn: The Active Directory OU to be used for this device, or NA when the SCS is
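The script contract above (environment variables in, an amtConfiguration XML fragment out) and the server-script behaviour described earlier (look the UUID up in the auxiliary table, erase the row, build the fragment) can be exercised offline with the following added example. It is not Intel's sample script: the auxiliary SQL Server table is stood in for by an in-memory dict with constructed values, the SCS environment is passed as a dict so the function is testable, and the profile and uuid attribute names are assumptions (the page names only fqdn and addn).

```python
"""Added example of an SCS "get Intel AMT properties" script.  Not Intel's
sample script: the DB is a dict, and the attribute names "profile" and
"uuid" on the output fragment are assumptions."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample of the auxiliary table filled by the client script:
# UUID -> (FQDN, Active Directory OU, profile name).  Hypothetical values.
SAMPLE_TABLE = {
    "11111111-2222-3333-4444-555555555555": (
        "desk01.example.local", "OU=AMT,DC=example,DC=local", "Site-A"),
}

# Hello-message data is untrusted input: only a well-formed UUID reaches
# the lookup (with a real SQL backend, pair this with a parameterized query).
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def lookup_and_consume(table, uuid):
    """Return the row for uuid and delete it, so that a later client-script
    update (e.g. after an FQDN change) is not blocked by a stale row."""
    if not UUID_RE.match(uuid):
        raise ValueError("malformed UUID: %r" % (uuid,))
    return table.pop(uuid, None)


def build_fragment(fqdn, addn, profile, uuid):
    """Build <amtConfiguration .../> with ElementTree so attribute values are
    escaped rather than pasted into a string (a quote in an FQDN must not be
    able to break the fragment the SCS parses)."""
    elem = ET.Element("amtConfiguration",
                      fqdn=fqdn, addn=addn, profile=profile, uuid=uuid)
    return ET.tostring(elem, encoding="unicode")


def handle_hello(env, table, out_dir):
    """One SCS invocation.  env: the CS_* variables the SCS sets (dict here
    instead of os.environ).  out_dir stands in for the script's own
    directory.  Returns the fragment written, or None when the UUID is
    unknown (the SCS then retries later via the Delayer)."""
    uuid = env["CS_AMT_UUID"]
    status = env["CS_AMT_STATUS"]      # "U", "T" or "P"
    address = env["CS_AMT_ADDRESS"]    # source IP for U/T, FQDN for P
    row = lookup_and_consume(table, uuid)
    if row is None:
        return None
    fqdn, addn, profile = row
    if status == "P" and address.lower() != fqdn.lower():
        # Assumption: for an already-provisioned device, report a mismatch
        # between the SCS-supplied FQDN and the table, but trust the table.
        print("warning: SCS FQDN %s differs from table FQDN %s" % (address, fqdn))
    fragment = build_fragment(fqdn, addn, profile, uuid)
    # basename() keeps the output inside the script directory even if the
    # file name variable were ever tampered with.
    path = os.path.join(out_dir, os.path.basename(env["CS_OUT_FILE_NAME"]))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(fragment)
    return fragment


if __name__ == "__main__":
    import tempfile
    demo_env = {"CS_AMT_UUID": "11111111-2222-3333-4444-555555555555",
                "CS_AMT_STATUS": "U", "CS_AMT_ADDRESS": "192.0.2.10",
                "CS_OUT_FILE_NAME": "amt_props.xml"}
    with tempfile.TemporaryDirectory() as d:
        print(handle_hello(demo_env, dict(SAMPLE_TABLE), d))
```

Run as a script it prints the fragment for the constructed device; in a real deployment the batch wrapper would call it with os.environ and the SCS would read the file named by CS_OUT_FILE_NAME. The two checks that matter for a defender are the UUID validation before the database lookup and the use of ElementTree for the output, both of which the original VBScript approach (string concatenation into a query and a fragment) would need to cover.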
45. not interact with the SCS service directly.
[Diagram: SCS Server and SCS Console; SOAP over HTTPS; secure DB access from both.]
An ISV-developed Management Console can also use the SOAP API for platform discovery. It can query the SCS database for a list of configured Intel AMT devices or a list of those devices configured recently. The API is implemented with three DLL files that are installed on the same platform as the SCS service. An application addresses the API with SOAP requests addressed to the IIS web server virtual directory (in this case AMTSCS); requests are directed to the appropriate API DLL. The API functions are segmented into four groups, and each group has a WSDL that defines the parameters of each function within the group. The groups are:
• Authentication Interface: Used to log in, define users and set database parameters.
• Profile Interface: Manages Profile objects in the database.
• AMT Interface: Manages AMT System objects in the database.
• Service Interface: Manages all other SCS service functions.
The SCS distribution includes the four WSDLs, the SOAP API description document (Configuration Service SOAP API.doc) and the Console source code contained in AMTConsoleSln.zip.
SOAP Faults: Each API may throw a standard SOAP Fault Response. The structure of the SOAP Fault response depends on the client request SOAP version. SOAP Fault v
46. of Intel AMT devices: A list of device information entered into the database by the administrator, provided by a script, or entered by external calls to the API. Each entry relates a specific Intel AMT device, defined by its UUID and FQDN, to a Profile and an Active Directory storage location. The SCS Console displays and manages this list with the Configuration Parameters branch of the tree.
• A list of Intel AMT devices that have sent Hello messages to the SCS. These devices may have been configured or not. The administrator can update the configuration of one or all of the already configured devices, among other operations. The console performs these functions and manages the list from the Intel AMT Systems branch of the tree.
This section describes the Configuration Parameters features. The opening screen shows a list of Intel AMT devices that are known to the SCS service. A device requires an entry in this database table for the SCS service to complete setup and configuration. If there is no entry, configuration will not complete due to the lack of critical setup information. The SCS may be configured to acquire the necessary Intel AMT device information using a script that executes when the SCS receives a Hello message. In this case the script will create an entry in the table for the device.
Viewing Defined Intel AMT Devices: To view a list of Intel AMT Devices already defined in the SCS database: 1. Open the Intel SCS C
47. on a single computer or on separate computers. In addition, the environment must include several pre-installed and configured Microsoft components.
Description of Intel SCS Components: The following are components of the Intel SCS.
Main Service: This is the software component that processes Setup and Configuration Service requests from Intel AMT devices and is implemented as a Windows Service. For complete details, see Setup and Configuration Operational Overview on page 6.
SOAP API: This is the Application Programming Interface (API) that Independent Software Vendors (ISVs) use to create and productize a User Interface. It is used by the SCS Console to interact with the Main Service indirectly, via the database server.
Database Server: This is the repository that stores the Setup and Configuration data, organized according to the SCS database schema and installed as a database instance in Microsoft SQL Server.
Administrative Tools, Active Directory Schema: These are scripts that extend the Active Directory schema for Intel AMT. See Active Directory (AD) and Changes to the AD Schema on page 37 and the script description on page 125.
Intel SCS Console: The Intel SCS Console is an application that is installed separately from the SCS. It is an open application that uses the SCS SOAP API to manage the SCS and the SCS database. The source is distributed with the SCS. An ISV can take the source, add value to it and integrate i
48. on the platform will detect the presence of the USB key, read the next available entry in the file, authenticate the password, save the PID/PPS values, optionally update with the replacement password, and mark the entry on the USB key as used. A message displayed on the monitor informs the technician that the process is complete. The Administrator powers down the platform.
Moving to Setup Mode: The platform may now be ready for moving to Setup mode if the default parameters are appropriate for the specific enterprise. The critical defaults are:
• DHCP mode with no domain defined
• Setup and Configuration Service with the default host name and port
• No DNS IP defined. The DHCP server must be configured to provide a DNS IP, which will be required to discover the IP of the Setup and Configuration Server.
If these defaults are acceptable, the platform can now be connected to the network and powered on. Otherwise the Administrator can power on the platform, enter the MEBx sub-menu and configure additional parameters.
Preparing Intel AMT for Future Configuration: A user may wish to postpone Intel AMT device setup and configuration until a later date. An OEM may supply platforms with a PID/PPS pair already written to the Intel AMT device Flash memory. In this case the platform may be already prepared for configuration, as described earlier. The OEM will have to securely deliver a file of the PID/PPS pairs to t
...parameters table. Make sure that the SCS service user has sufficient permission to add the AMT object to AD. This means it is a member of the Domain Admins group, or you gave it permission to add AMT objects to a specific OU in AD.

The SCS Console communicates with the service API using TLS (HTTPS). Therefore a server certificate must be imported into IIS. The error may be caused by not having the root certificate installed on the platform running the console. Also make sure that the server certificate is exported to IIS correctly.

To connect using the WebUI with the IE browser, the user needs to run Microsoft patches KB899900 and KB908209, which fix the authentication issue.

Windows Service Messages

The SCS service and the API issue error messages and information messages that are displayed on the console log. The messages actually displayed will be based on the filter selection on the Log page. The following table lists the possible messages, their cause, and a suggested action to remedy the situation in the case of an error. The message text may contain values that help identify a device or event tied to the error. These values are indicated by % notation, possibly followed by a numeric formatting notation (e.g. %d).

Table 9: Windows Service Messages
Columns: Msg ID | Message | Message Text | Type | Cause | Action

101 | Queue is Full | The queue is full, cannot push more messages at this time | Error | | Increase the queue size. Or, Intel AMT device is a...
1980 | ...profile must be set in order to enable 802.1X PXE boot | | | | N/A

Log Mapping

Several logs on the service platform capture messages that can be used to analyze events, including difficulties with installation or performance problems during execution. Additional logs and tools can aid in looking at performance issues and other problems. The following table lists the location of installation logs and the GUI console execution log.

Table 10: Log Mapping
Component | Name
Windows Service, Web Service, DB, Client Sample Installation | <InstallDrive>\Program Files\InstallShield Installation Information\{DA4F4037-6EB2-4309-86EB-A8902CBC12EC}\setup.ilg
Console Installation | <InstallDrive>\Program Files\InstallShield Installation Information\{66469B6E-D328-4416-BD1E-C4692C4A1A96}\setup.ilg
GUI Console | <InstallDrive>\Program Files\Intel\AMTConsole\amtconsole.log

Other Logging Sources

The Management Console displays the three logs kept within the SCS database (the system log, the actions status log, and the security log) and can export these logs for further analysis.

The Windows Event log contains errors that cannot be written to the database, for example failure to connect to the database or an SCS crash. Look for SCS messages in both the Application and System sections of the log.

Use network tracing tools such as Ethereal to analyze low-level connection problems. Error...
1204 | ...provisioning | | Error | | Make sure at least one PKI provisioning certificate is selected for PKI provisioning.
1300 | Failed to extend provisioning period | Failed to extend provisioning period | Error | | If the Intel AMT device is already provisioned, there will be no other attempt to extend the period. If the device is not provisioned, check connectivity to the device.
1500 | Cannot contact provisioned Intel AMT device at FQDN %1 | Cannot contact provisioned Intel AMT device | Error | | Check connectivity to the Intel AMT device.
1501 | Cannot extract provisioned Intel AMT device state | Cannot extract provisioned Intel AMT device state | Error | | N/A
1502 | Intel AMT device reports un-provisioned state although it was successfully provisioned | Intel AMT device reports un-provisioned state although it was successfully provisioned | Warning | | N/A
1613 | Cannot connect to unknown Intel AMT version | Cannot connect to unknown Intel AMT version | Error | | N/A
1614 | Cannot connect to provisioned PKI-based Intel AMT device | Cannot connect to PKI-based Intel AMT device | Error | |
161_ | Cannot add certificate %1 %d to certificate store map, number of certificates %2 %d exceeded the maximum %3 %d | Cannot add certificate to certificate store map, number of certificates exceeded the maximum | Info | | Remove one or more certificates from the certificate store map.
| Invalid 802.1x profile type | Invalid 802.1x profile type | Error | | Provide a valid type or check profile integrity.
...required for establishing secure communication during the Setup and Configuration of Intel AMT Release 2.0/2.1 platforms.

The SCS service generates a file of PID/PPS pairs used either for manual installation or for loading onto a USB storage device. To load a PID/PPS pair manually:
1. At the SCS Console, print the values to be installed manually from the Security Keys screen, and then mark the selected keys as used so they will not be installed on more than one platform.
2. At the platform being prepared for configuration, enter the values as prompted when the Set PID and PPS menu item is selected.

The PID/PPS pair may have been preloaded by a platform OEM or loaded using a USB storage device. See Using a USB Storage Device for Factory Mode Setup on page 61.

The PID and PPS are 64-bit quantities made up of ASCII codes of some combination of characters: capital alphabet characters (A-Z) and numbers (0-9). The PID is an eight-character entry of the form XXXX-XXXX and is sent in unencrypted format in the Hello message. The PPS is a thirty-two character quantity of the form XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX and is a secret shared between the Intel AMT device and the SCS. Here is an example pair:
PID: 0000-037M
PPS: NKLD-GSDC-RRNQ-E9YZ-ZIJL-7LFL-VJED-69XJ

The firmware checks for checksum characters embedded in the values. The last character of the PID is expected to be a ch...
...the certificates in the chain up to the certificate from the root CA, not including the leaf certificate itself. The way to do this is to convert each certificate in the chain to a PEM file, then concatenate the PEM files.

When the subordinate CA was installed, certificates for all the CAs in the chain were also installed in the Trusted Certificate Store on the server where the subordinate CA was installed. Go to the web interface for the CA (for example, open a web browser and navigate to http://<CA hostname>/certsrv) and download the certificates for each subordinate CA. Downloading in Base 64 format results in a .cer file that is in PEM format. The file starts with the string -----BEGIN CERTIFICATE----- and ends with the string -----END CERTIFICATE-----. Concatenate the files by combining them using copy and paste in a text editor, including the opening and ending strings. Rename the file as a .pem file. The resultant file is used as an input to the redirection library function IMR_SetCertificateInfo (see the Redirection Library Design Guide).

CRL XML Format

The Intel AMT SCS Console can import a Certificate Revocation List (CRL) into a Profile. The following file is an example of the XML format:

<?xml version="1.0" encoding="UTF-8"?>
<!-- This file maps the untrusted certificates' serial numbers to the URI of the issuer. The URI value represents a valid CRL dist...
...to focus.
2. Install the CA root certificate in the certificate store as a trusted root certificate. This step is not required if the CA is installed on the local platform.
 a. Find the certificate. If it was exported directly to another computer, find it on the other computer. If it was exported to a USB key, move it from the USB key to the computer.
 b. Right-click on the certificate and from the popup menu select Install Certificate. The welcome screen of the Certificate Import Wizard is displayed.
 c. Click Next.
 d. Select Place all certificates in the following store and click Browse. The Select Certificate Store window opens.
 e. Select Trusted Root Certification Authorities and click OK.
 f. Click Next > Finish. A message indicates that the import was successful. Click OK.

Adding the SCS User to the Web Services Template

If the Intel AMT platform will be configured for TLS (see page 84), the SCS will be required to request ser...
...Windows Server 2003 with Service Pack 1 | 525 MB | .NET Framework 2.0, Internet Information Services (IIS) 6.0 | PCI-X 10/100/1000T

Table 2: Requirements for Computer Running SQL Server
PC Processor: Intel Pentium III processor, 600 MHz minimum; 1 GHz or faster is recommended
Memory: 192 MB minimum; 512 MB or more is recommended
Operating System: Windows Server 2003 with Service Pack 1
Hard Disk: 525 MB
Platform: .NET Framework 2.0
Networking: Minimum Ethernet 10BASE-T

Table 3: Requirements for Computer Running the Console
PC Processor: Intel Pentium 4 processor or higher, or compatible
Memory: 256 MB minimum
Operating System: Windows 2000, XP, or 2003
Hard Disk: 80 MB
Networking: Minimum Ethernet 10BASE-T
USB ports: For export of security keys
Internet Browser: Microsoft IE 5.5 or 6

The following Microsoft system patches should be applied to the appropriate operating systems for interactions with Intel AMT systems to operate properly.

Table 4: Required System Patches
Operating System | Patch ID and Link
Windows Server 2003 | KB889388, http://support.microsoft.com/kb/889388
Windows Server 2003 | KB908209, http://support.microsoft.com/kb/908209
Windows Server 2003 and XP | KB899900, http://support.microsoft.com/kb/899900

Environment Overview

The Intel SCS includes several components. They can be installed...
...1024.
11. Click Submit. The CA may display the following warning message: "Potential Scripting Violation. This Web site is requesting a new certificate on your behalf. You should allow only trusted Web sites to request a certificate for you. Do you want to request a certificate now?" Click Yes.
12. The CA will display a Certificate Issued page. Click Install this certificate. There may be another warning message. Click Yes.

Active Directory (AD) and Changes to the AD Schema

AD provides users with a single network logon and a single point of administration and replication. It provides Kerberos Authentication, DNS, and X.500 naming standards, as well as Lightweight Directory Access Protocol (LDAP). It also includes several important protocols and various useful APIs. This manual assumes that AD is installed. For installation instructions, see Microsoft documentation.

Adding an OU for AMT Objects

Active Directory allows dividing a domain into substructures called organizational units (OUs). OUs are container objects that can be nested within other OUs. An OU can contain Users, Groups, and other OUs. OUs are part of the Active Directory scheme for managing privileges and accesses. One of the parameters that must be specified for each Intel AMT device before it can be set up in an AD environment is the OU where it will be installed. The OU created for holding AMT objects does not need special privileges. However, if the SCS u...
1616 | Trusted root certificate handle is missing | Trusted root certificate handle is missing | Error | | N/A
1617 | Client certificate handle is missing | Client certificate handle is missing | Error | | N/A
1618 | Failed to convert existing certificate base object type | Failed to convert existing certificate base object type | Error | |
1619 | Unable to update certificate | Unable to update certificate in Intel AMT device | | |
1621 | Failed to convert certificate object type | Failed to convert certificate object type | | |
1622 | Unexpected Intel AMT device status | Unexpected Intel AMT device status | | |
1623 | Failed to run script %1 | Failed to get script failure attribute | | | Provide the attribute in the script.
1624 | Missing UUID of Intel AMT device in create AD AMT object | Missing UUID of Intel AMT device in create AD AMT object | Error | | N/A
1625 | Missing UUID | Missing UUID | | | Supply UUID.
1626 | Memory allocation error | Memory allocation error | | |
1627 | The required Intel AMT device is in unprovisioning state | The required Intel AMT device is in unprovisioning state | Error | | N/A
1628 | Failed to retrieve TLS client certificate | Failed to retrieve TLS client certificate | Error | |
| Missing expiry date for certificates | The supplied certificate has no expiration date | | | Provide a valid certificate with a defined expiration date.
| Cannot connect to Intel AMT device | Cannot connect to Intel AMT device with the ... | | | Use MEBx to reprovision t...
3. Acquiring and Configuring a Certificate that Supports Remote Configuration

Contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. A list of the hashes should be provided by the platform vendor. Go to the vendor's website and purchase an SSL certificate. For example, the following link to Verisign's site, http://www.verisign.com/ssl/buy-ssl-certificates/index.html, shows how to purchase an appropriate certificate. The site documents in detail the steps required to request, enroll, install, and move an SSL certificate. The following settings are required for the certificate to be compatible for Remote Configuration use:
• The OU or the OID must match the values defined above in step 5 (the OU is the usual value entered when purchasing a certificate commercially).
• The CN must match the Intel AMT platform domain suffix (see Remote Configuration Certificate Differences between Releases on page 66 below).
• The keys should be exportable, to support IT key backup policies.
• The request type should be PKCS10.

After completion, export the acquired certificate in .p7c format.

Selecting the Certificate Used by the SCS for Remote Configuration

The SCS only works with one Remote Configuration certificate at a time, matching one of the hashes in the Intel AMT devices in the enterprise. Perform the following two steps to select the desired certificate:
1. Install the certificate created a...
...6; The SCS Database on page 10; SCS and Active Directory Tasks and Permissions on page 12; Intel AMT Device Configuration Information on page 14.

Introduction to Intel SCS

The Intel Active Management Technology (Intel AMT) Setup and Configuration Service (Intel SCS, or SCS) provides an enterprise with the tools to set up and configure Intel AMT devices. Intel AMT is an integral part of Intel vPro and Intel Centrino Pro processor technology. Intel AMT enhances the ability of IT organizations to manage enterprise computing facilities. Intel AMT operates independently of the platform processor and operating system. Remote platform management applications can access Intel AMT securely even when the platform is turned off, as long as the platform is connected to line power and to a network. Intel AMT can:
• discover platform assets using data retained in non-volatile storage;
• heal systems remotely, even when the operating system is down;
• protect against malicious software attacks by making it easier to keep software and virus protection consistent and up to date across the enterprise;
• limit the effect of malware and platform misuse by containing outbreaks and software tampering on the managed client, isolating the infected network element from the rest of the network.

The platform can be viewed as having two separate elements: a host processor running a genera...
...8-8848-dcc397514b41&displaylang=en. For summary information about SQL Server Express and a download link, see http://msdn.microsoft.com/vstudio/express/sql/download/.

To install the SQL Server 2005 Express Edition:
1. Ensure that .NET Framework is installed.
2. Ensure that the server meets the system requirements listed in Table 2, Requirements for Computer Running SQL Server, on page 18.
3. Double-click the installation file named sqlexpr.exe. The installation files are extracted and the Installation Options screen is displayed.
4. Select Install SQL Server 2005 Express Edition and click Next. The End User License Agreement is displayed.
5. Select the I accept the licensing terms checkbox and click Next. A message is displayed indicating that Setup is configuring the install. The Installing Prerequisites screen is displayed.
6. Click Install. Setup installs the necessary components. A message is displayed indicating that the required components were installed successfully.
7. Click Next. The Welcome to the Microsoft SQL Server Installation Wizard screen is displayed.
8. Click Next. The System Configuration Check screen is displayed and the Wizard inspects the system. If the Wizard detects problems, it will display the status of the problem and possibly a message. The status Warning will usually allow the installation to continue. However, the status Error indicates that the installation cannot...
(Installer log excerpt, keyed by the product code {DA4F4037-6EB2-4309-86EB-A8902CBC12EC}; only the recoverable property lines survive: MainService_Installed 0, DatabaseSchema_Installed 0, OnAppsearch 0, Admin_Logged_On 1, NET 2.0 Exists 1, SetupType 0, Result 1, Result 304.)

In a silent install, a warning message will terminate the installer, so the Admin_Logged_On parameter was added.

This warning message is presented in case the user selects to install the SOAP API on...
...AMT with RADIUS servers or other external servers must be in a format compatible with those servers. In particular, the Common Name must be in the form that the server expects. When the SCS requests a certificate for an Intel AMT device, the SCS-generated certificate request will use the selection made here for the Common Name in the request. The selection box provides three choices:
• Fully qualified domain name: the FQDN of the Intel AMT device.
• Host name: the host name of the platform.
• SAM account name: the Active Directory account name for the AMT object.
The Funk RADIUS server expects a host name. Cisco ACS and Microsoft IAS require a SAM account name. All others tested with the SCS accept an FQDN.

Log Level: Logs can be recorded at several levels. The more detail recorded, the more system resources and bandwidth must be allocated.

Select a Get New Intel AMT Properties option. This option determines how the SCS acquires the necessary information defining the Intel AMT device properties:
• From DB: When this option is selected, the SCS searches for properties in the Configuration parameters table stored in the SCS database.
• Get AMT Configuration From Script: When this option is selected, the SCS first searches the Configuration parameters table for a matching entry based on the UUID in the Hello message. If there is no matching entry, the SCS determines the properties by invoking a script written by the controlling enterprise an...
(Users table screenshot: each user name is listed with its role, for example INTEL\SCS1 Configuration Client, INTEL\SCS3 Enterprise Administrator, INTEL\SCS4 Administrator, INTEL\SCS5 Enterprise Administrator, INTEL\SCSUSER Administrator, INTEL\TEMP Configuration Client, with Add, Remove and Edit buttons.)

Adding a User

To add a new user:
1. Open the Intel SCS Console.
2. Expand the Configuration Service Settings branch.
3. Select Users. The Users table is displayed.
4. Click Add. The New User dialog box is displayed.
5. Click Select User. The Select User or Group dialog box is displayed (object type User or Group; location Entire Directory).
6. Enter all or part of a user name.
7. Click Check Name. The Intel SCS searches the AD and completes or confirms the user name.
8. Click OK.
9. From the Role dropdown menu, select a role: Enterprise Administrator, Administrator, or Configuration Client. The Enterprise Admi...
1792 | Action sub-requests status is out of range | Action sub-requests status is out of range | | |
1793 | Log cursor size %1 %d is out of range (%2 %d - %3 %d) | Specified Log cursor size is out of range | | |
| Invalid combination of Access Permission and ... | Invalid combination of Access Permission and ... | | | Provide a valid combination.
1796 | The specified FQDN %1 contains invalid characters or bad format. See Product documentation for valid name | The specified FQDN contains invalid characters or bad format | Error | | Supply a valid FQDN according to the product documentation.
| Cannot set user, got error %1 %d %2 | Cannot set user, the specified error occurred | | | Act according to the error.
1801 | AMT cursor size %1 %d is out of range (%2 %d - %3 %d) | Specified cursor size is out of range | Error | | Provide a valid cursor size.
1802 | AMT cursor status is out of range | Specified AMT cursor size is out of range | | | Provide a valid size.
1854 | Trusted Root Certificate already exists with newer or similar expiration date | Trusted Root Certificate already exists with newer or similar expiration date | Error | | Select another certificate with a newer expiration date.
1856 | There is no TLS server certificate defined for profile %1 %d | There is no TLS server certificate defined for profile | Info | | Provide a TLS server certificate for the prof...
...SCS, or entered manually in the SCS security keys definition. The Intel AMT device uses this password for authentication during Setup and Configuration. Once Setup mode has begun, a management console application can change the Intel AMT device password without modifying the MEBx password.
3. Select Intel ME Platform Configuration. A warning message is displayed saying that a reset will occur after configuration is complete.
4. Enter Y.
5. Select Intel ME Features Control.
6. Select Manageability Feature Selection.
7. Select Intel AMT and return to the previous menu.
8. Select the Intel ME Power Control menu.
 Intel AMT Release 2.0/2.1/2.2: Set the following power control settings:
 • Intel ME State upon Initial Power-On: ON
 • Intel ME ON in Host Sleep States: Always
 • Intel ME Visual LED Indicator: ON
 Intel AMT Release 2.5/2.6: Select one of the following choices (OEMs can select which options will be available in this list):
 • Mobile: On in S0. The Intel ME and Intel AMT are on only when the host is on (this is the default setting).
 • Mobile: On in S0, S3/AC. The Intel ME and Intel AMT are on when the host is on, or when the host is in S3 as long as the platform is connected to AC power.
 • Mobile: On in S0, S3/AC, S4-5/AC. The Intel ME and Intel AMT are on when the host is on, or when the host is in S3 to S5 as long as the platform is connected to AC power.
 • Mobile...
...Control Wizard of the Active Directory Users and Computers MMC. See Give the SCS User Permission to Create/Delete AMT Objects on page 45 for a procedure for doing this. In an installation with multiple AD domains and multiple instances of the SCS running and sharing the same database, each SCS user account needs permission to create and delete AMT objects in all domains. Perform the delegate control process for each user account in every domain serviced by an instance of the SCS.

Active Directory Schema: The Intel SCS installation contains an LDF AD schema extension definition and a script that is used to extend the Active Directory schema for Intel AMT. For more information, see Active Directory (AD) and Changes to the AD Schema on page 37.

AMT Object: The Intel SCS Active Directory BuildSchema script, when executed by a user with Enterprise Admin permissions, creates the new object class Intel Management Engine. Objects created with this class, called AMT objects, are used to represent the Intel AMT device itself. For more information, see Active Directory (AD) and Changes to the AD Schema on page 37.

Computer Object: Deploying a platform containing Intel AMT creates a new object in the AD which identifies the host on the Intel AMT-enabled platform. This occurs independently of the Intel AMT setup process and happens when the host joins the local domain. Fo...
(Log Viewer screenshot: Information entries from host SEABREEZE, such as the HELLO listener starting and "Finishing HELLO listener in port 9971"; the Log Filter panel offers By Description, By Date and Time (From/To), By Severity, and Order By (Ordinal Number, UUID, Request ID, Source), with Print, Export, Refresh and Apply Filter buttons.)

The following is an example of the Actions Status log display.

(Actions Status screenshot: "View the status of asynchronous actions initiated by the console or by other SOAP API requests"; columns are Name, Execute Time, Status, Applied By and UUID, with rows such as Maintenance, 2006-09-27 07:36, Succeeded, AMTadmin.)
(Screenshot: the Microsoft .NET Framework 2.0 Supplemental License Terms dialog, with the message "Setup is configuring the install. This may take a minute or two." and the checkbox "By clicking I accept the terms of the License Agreement and proceeding to use the product, I indicate that I have read, understood and agreed to the terms of the End User License Agreement.")

Select I accept the terms of the License Agreement. Setup then installs the components. An installation progress bar is displayed. Installation may take a few minutes. Upon completion, the Setup Complete screen is displayed. Click Finish.

Microsoft SQL Server Express

Microsoft SQL Server 2005 Express Edition (SQL Server Express) is a data management product for embedded application clients, light Web applications, and local data stores. Designed for easy deployment and rapid prototyping, SQL Server Express is available at no cost. There are various editions of Microsoft SQL Server. For an overview, see http://www.microsoft.com/sql/prodinfo/features/compare-features.mspx. This manual only describes installation of the Express edition. An Enterprise solution will require the full SQL Server 2005 or SQL Server 2000 application. For detailed information about SQL Server Express and a download link, see http://www.microsoft.com/downloads/details.aspx?familyid=220549b5-0b07-444...
(Security log filter screenshot: By Description, By Date and Time (UTC) From/To, By Severity (Fatal ...), By Creator, Order By Ordinal Number.)

Filtering a Log Display

The Log Displays can be filtered. After a filter is applied, only log entries that match the specific filtering criteria are displayed. To filter the display:
1. Select one or more of the checkboxes.
2. As applicable, either select an entry from the dropdown list or complete the entry in the available field.
3. Click Apply Filter.

The filtering capability is especially useful with the Actions Status log. The administrator can view recently configured Intel AMT devices, which ones are queued to be configured, or which ones failed configuration and require manual action.

Chapter 5: SOAP API

This section includes: Overview of the SOAP API on page 122; SOAP Faults on page 123.

Overview of the SOAP API

The SCS service receives a stimulus from Intel AMT devices sending Hello messages requesting that they be configured. The SCS service polls and updates the database and Active Directory. An external application such as the SCS Console configures the service indirectly, by sending SOAP requests via the SOAP API to modify or query the database. The SOAP API does...
| SOAP Failure %1 %d %2 | SOAP Failure | | | Act according to the error.
1715 | Intel AMT device is provisioned, unable to extend configuration time | Intel AMT device is provisioned, unable to extend configuration time | Error | | N/A
1716 | This Hello message version does not support extending configuration time | This Hello message version does not support extending configuration time | Info | | N/A
1753 | The specified Active Directory Organizational Unit %1 not found | The specified Active Directory Organizational Unit not found | Error | | Provide an existing Active Directory Organizational Unit.
1754 | No Intel AMT device exists in the database with UUID %1 | No Intel AMT device exists in the database with the specified UUID | Error | | Provide an existing UUID.
| ...place %1 %d is out of range (%2 %d - %3 %d) | Specified cursor place is out of range | Error | | Provide a valid cursor place.
1758 | Set number of Security Keys error: Value out of range for no_tls_psk_pairs %1 %d. Value must be between %2 %d and %3 %d | Set number of Security Keys error. Value out of range for no_tls_psk_pairs | Error | | Value must be in the specified range.
1765 | Set Certificate Authority %1: Invalid value, CA not registered in the Active Directory as an Enrollment Service | Set Certificate Authority: Invalid value, CA not registered in the Active Directory as an Enrollment Service | Error | | Register the CA in the Active Directory as an Enrollment Service.
| Set Certificate ... Host %1 | Set Certifi...
...Intel AMT device BIOS screen.
5. If using TLS-based Authentication, configure the CA parameters:
 a. From the navigation panel of the Intel SCS Console, expand the Configuration Service Settings branch and select Profiles.
 b. Enable TLS and, if applicable, mutual authentication.
 c. Select the profile being used and click Edit.
 d. Click the Network tab.
 e. Configure the TLS server certificate details.
 f. If using Mutual Authentication, select the Mutual Authentication button. Locate one or more trusted certificates and add any available CRL information.
 g. Click Apply.
 Without a proper CA configuration, the SCS service will not be able to work with TLS-based Authentication. Improper Network settings can cause some of the SCS service's features to malfunction. For example, changing only the Network Interface to TLS Server Authentication causes an API failure.
6. Test the Intel SCS Main Service:
 a. Click the Windows Start button > Programs > Administrative Tools > Services.
 b. Right-click on AMTConfig and from the popup menu select Start. A progress bar indicates the advancement of the start-up.
 c. Click the Windows Start button > Programs > Administrative Tools > Event Viewer.
 d. Click Application. In the Information entries, double-click the AMTConfig message. A popup message should say Service Started Successfully.
SOAP (Simple Object Access Protocol): ...l for accessing services on the Web. SOAP employs XML syntax to send text commands across the Internet using HTTP.

SOL/IDER (Serial over LAN / IDE Redirection): The proprietary protocols defined for Intel AMT for redirecting keyboard/text or floppy disk/CD transfers from a local host to a remote workstation.

SPNEGO (Simple and Protected GSS-API Negotiation Mechanism): A standard GSS-API pseudo-mechanism for peers to determine which GSS-API mechanisms are shared, select one, and then establish a security context with it.

Service Principal Name (SPN): The name by which a client uniquely identifies an instance of a service.

Ticket Granting Server (TGS): A Kerberos element in a KDC that creates tickets used by clients to access servers.

TLS (Transport Layer Security): A protocol intended to secure and authenticate communications across a public network by using data encryption. TLS uses digital certificates to authenticate the user as well as to authenticate the network (in a wireless network, the user could otherwise be logging on to a rogue access point). The TLS client uses the public key from the server to encrypt a random number and send it back to the server. The random number, combined with additional random numbers previously sent to each other, is used to generate a secret session key to encrypt the subsequent message exchange.

Token: In Kerberos, a fixed-length element that contains a user's SID and includes...
[Screenshot: Computer Management console, Services and Applications > Internet Information Services (IIS) Manager, showing Application Pools > DefaultAppPool, Web Sites > Default Web Site (Stopped) and Web Service Extensions]
If it is stopped, right-click DefaultAppPool and select Start from the popup menu.
6. Expand the Web Sites branch. If Default Web Site will be used as the SCS website, ensure that Default Web Site is running. If it is stopped, right-click Default Web Site and select Start from the popup menu.
7. If a website other than Default Web Site will be used, create it (right-click Web Sites) and start that site. If the newly created website is to use the default port 80, Default Web Site must not be started. If the new website has a dedicated port other than port 80, include the port number with the FQDN when connecting to the website.
Microsoft Certificate Authority
Intel SCS requires that Microsoft's Certificate Authority (CA) be installed and configured when TLS will be used in communications with Intel AMT devices. The CA can be either a Stand-alone CA or an Enterprise CA. The CA should be configured to issue certificates automatically so that the SCS can request a certificate
Profiles
The Profiles screen is displayed. This screen lists all defined profiles and the number of devices assigned to each profile.
[Screenshot: Intel AMT Setup Console, Configuration Service Settings > Profiles, listing Profile Id, Profile Name and No. of Devices for profiles such as default_2, Mutual EAP TLS, EAP_PEAP_MSCHAP, EAP_TLS, EAP_TTLS_MSCHAP, EAP_GTC, EAP_EAPFAST_GTC, EAP_EAPFAST_MSC, PASS_PHRASE, ServerTLS, Mutual TLS, Kerberos, default_15, Encrypted and disable ACL, with Add, Edit and Delete buttons]
Adding a Profile
1. Open the Intel SCS Console.
2. Expand the Configuration Service Settings branch.
3. Select Profiles. The Profiles screen is displayed.
4. Click Add. The Profile Configuration dialog box is displayed and the General tab is selected.
Note: Each Profile tab is self-contained. Changes to a tab require confirmation before moving to another tab. Confirm by clicking Apply.
The Profile Configuration General Tab
[Screenshot: Add/Edit Profiles dialog with the General, Wireless Profiles and Wired 802.1x tabs]
Right-click SQL Server (SQLEXPRESS) and select Restart.
Internet Information Services (IIS) 6.0
Internet Information Services is Microsoft's HTTP server. IIS adds full HTTP capability to the Windows operating system. Install IIS before installing the Microsoft Certificate Authority on the same server so that Certificate Authority web enrollment can be supported.
If IIS is not already enabled on this platform, enable the service:
1. Click the Windows Start button and select Control Panel.
2. Double-click Add or Remove Programs.
3. From the left panel, click Add/Remove Windows Components.
[Screenshot: Add or Remove Programs > Windows Components Wizard, with Application Server selected and its Details dialog listing the subcomponents Application Server Console, ASP.NET, Enable network COM+ access and Enable network DTC access]
SCS sends a certificate chain that includes a trusted root certificate matching one of the received hashes.
13. The Intel AMT device validates the SCS certificate. It checks that the OID or the OU is correct, as described above, and that the certificate derives from a certificate authority that matches one of the root certificate hashes.
14. The Intel AMT device verifies that its domain suffix matches the DNS suffix in the SCS certificate. See Remote Configuration Certificate Differences between Releases on page 66.
15. The SCS and the Intel AMT device perform a complete mutual authentication session key exchange:
   a. The Intel AMT device uses a self-signed certificate, sending its public key.
   b. The SCS creates a TLS session master key (the TLS pre-master secret), encrypts it with the Intel AMT device's public key and sends it to the Intel AMT device.
   c. The device decrypts the master key with its private key. The key is the shared secret used to establish the setup and configuration TLS session.
16. One-Time Password verification. The SCS requests the OTP from the Intel AMT device. The device sends the OTP securely, and the SCS verifies the OTP for correctness.
17. Setup and configuration continues. At some point before the SCS sends a CommitChanges command to complete the setup and configuration process, it must send a SetMEBxPassword command to change the password from its default.
18. Since the Intel AMT device network interface is open for a limited period after sending the first
SCS server must be registered in the DNS. A configured, operational Intel AMT device must be registered within DNS.
Intel SCS
The platform running the SCS service (the Main Service) must be registered in the DNS as ProvisionServer in every domain in the enterprise. If there is more than one instance of the SCS running, each instance can register in each domain using a DNS alias. To register a server in the DNS as ProvisionServer when the server itself has a different hostname, add a CNAME (canonical name) record to the DNS. To do this with a Microsoft DNS server, open the MMC DNS branch, open the Forward Lookup Zones branch, right-click the zone for the domain and select New Alias (CNAME). Enter ProvisionServer as the alias name and the FQDN of the server running the SCS as the target host.
Intel AMT Devices
Ensure that the DNS is configured with the Fully Qualified Domain Names (FQDN) of the Intel AMT enabled machines that are being configured. Intel AMT devices must be configured to have the same FQDN as the host OS. This stems from the fact that the Intel AMT device is not a secure DNS client and relies on the host OS to maintain the DNS record. For this reason the Intel AMT device snoops the DHCP requests and responses issued by the host OS. The Intel AMT device then uses the IP address provided by DHCP to the host OS as its own. When the host OS is down, the Intel AMT device requests DNS registration of its configured FQDN through DHCP option 81. This works only i
SCS receives the configuration from the script, it stores the information in the database.
Adding device information to the SCS database manually
This is the simplest approach to set up, but the most laborious for IT personnel: they have to enter the UUID along with the other parameters into the New Intel AMT table by hand. The SCS Console has a page that supports this method. See Configuration Parameters per Device on page 106.
Adding device information to the SCS database using the SOAP API
The SOAP API has a method called AddServiceNewAMTProperties that adds an entry to the SCS database table. An external management console can acquire the platform information using scripts, its own database or a local agent, and pass the information to the SCS either before or after the Intel AMT device starts sending Hello messages.
Remote Configuration Tool
The Remote Configuration Tool (RCT) is a client-based tool that captures platform information and sends it directly to the SCS. See page 66.
Scripting Option
This option acquires the configuration information using a script if the required parameters are not in the New Intel AMT database table. The SCS runs a script that retrieves the parameters from an external source. The SCS distribution and documentation include sample scripts and directions for several of these options. See Using a Script to Import Intel AMT Configuration Properties on page 127.
SCS that the Intel AMT system's FQDN has changed:
    rct -s https://ProvisionServer.yourenterprise.com/amtscs_rcfg -p 3 -o "OU=AMT_Users,DC=East,DC=yourenterprise,DC=com" -t on -f
This example shows how to use the RCT to send a Hello packet with a PID from an Intel AMT system that uses PSK but does not allow retrieval of its PID:
    rct -s https://ProvisionServer.yourenterprise.com/amtscs_rcfg -p 3 -o "OU=AMT_Users,DC=East,DC=yourenterprise,DC=com" -t on -h -d 0000037M
Transitioning to Intel AMT Manageability mode does not take effect until the platform reboots. Therefore the IT script that activates the RCT should schedule it to re-run at the next startup to complete initiation of setup and configuration.
Distributing and Running the Remote Configuration Tool
To distribute and run the RCT:
1. Copy the RCT executable to the Intel AMT platform.
2. Run the RCT using an account on the Intel AMT platform that has local administrator permissions.
Note: You can use different methods to automatically distribute and execute the RCT on multiple platforms.
RCT Messages
The RCT returns a message code that describes the state that the tool detected. The table below itemizes the codes and their meaning.
Table 5: RCT Return Codes
Return Value | Meaning
0 | All operations succeeded; interface opened
1 | Setup and configuration already completed
2 | Platform is already in setup and configuration mode. This may be due to bare meta
STALLATION
This section contains:
  System Requirements on page 18
  Environment Overview on page 20
  Environment Prerequisites on page 22
    .NET Framework 2.0 on page 22
    Microsoft SQL Server Express on page 23
    Internet Information Services (IIS) 6.0 on page 27
    Microsoft Certificate Authority on page 29
    Active Directory (AD) and Changes to the AD Schema on page 37
  Installation of the SCS Server Components on page 39
  Installing the Intel AMT Management Console on page 50
  Post-Installation Operations on page 51
System Requirements
In a typical installation, components of the Intel AMT Setup and Configuration Service (SCS) can be installed on more than one computer or on the same computer, depending on the enterprise requirements. This section lists the system requirements for the computers supporting the various components of the SCS.
If Active Directory is not used, the Certificate Authority must be installed on the same platform as the SCS. The database must be accessible and the database credentials known to the person installing the Intel SCS.
Table 1: Requirements for Computer Running the SCS Windows Service, the SOAP API and the IIS
Platform | Processor | Memory | Operating System | Hard Disk | Platform Networking
 | Dual Core Intel Xeon Processor 5XXX series | 2 to 4 GB RAM | Windows Server 20
Server or its components so long as proper attribution is provided to Intel and all proprietary marks are preserved.
Intel Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in this document or any software that may be provided in association with this document. Except as permitted by such license, no part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means without the express written consent of Intel Corporation.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an ordering number and are referenced in this document or other Intel literature may be obtained by calling 1-800-548-4725 or by visiting Intel's web site at http://www.intel.com.
Copyright 2006-2008, Intel Corporation. All rights reserved. Intel, the Intel logo and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Third-party names and brands may be claimed as the property of others.
Table of Contents
Setup and Configuration Service Overview
  Introduction to Intel SCS
  Setup and Configuration Process
  SCS Database Preparation
  Preparation of Platform Containing Intel AMT Device
  Setup and Configuration Steps
  Intel AMT SCS Functional Flow
  Setup and Configuration Operat
Message Text | Type | Cause | Action
Cannot initialize the service. Startup aborted | Error | Cannot initialize the service. Startup aborted | Check the development log for more information
Exception when processing Poller checker 0x%1X %2 | Error | Exception when processing Poller checker | See the specific error code
SCSThread: CoInitializeEx failed | Error | Failed to initialize COM | N/A
SCSThread: CreateEvent failed | Error | Failed to initialize window event | 
Unexpected exception | Error | Unexpected exception | 
Id | Message Text | Type | Cause | Action
904 | Invalid parameter | Error | Invalid parameter | Provide valid parameter
909 | Invalid profile id | Error | The supplied profile id is invalid | Provide valid profile id
911 | Too many trusted root certificates in one profile | Error | Too many trusted root certificates in one profile | Remove one or more certificates from profile
 | Object not found | Error | Stored procedure did not return expected values | Proceed according to the request
914 | The FQDN is already mapped | Error | The FQDN is already mapped | Provide different FQDN
915 | INTERNAL ERROR: Duplicated requests found in the delayer | Error | INTERNAL ERROR: Duplicated request in the delayer | N/A
 | The %1 has a non-strong %2 password | Error | The password does not meet strong password requirements | Provide strong password
 | The PID %1 %2 checksum failed | Error | The PID checksum failed | 
 | %1 list length should be between %2li and %3li | Error | 
T in a Secure Environment
Intel AMT supports Transport Layer Security (TLS) for secure communications between Intel AMT devices and management console applications. Use of TLS is recommended in an enterprise environment.
TLS is a protocol intended to secure and authenticate communications across a public network by using data encryption. It depends on the existence of a public key infrastructure (PKI). A PKI enables users of an unsecured network to securely and privately exchange information through the use of an asymmetric public and private cryptographic key pair. The public half of the key pair is published and vouched for by a trusted authority known as a Certificate Authority (CA); the private half never leaves its owner. The CA generates digital certificates that can identify an individual or an organization. The PKI includes directory services that can store and, when necessary, revoke the certificates.
The SCS SOAP API requires a certificate so that it can be hosted by Microsoft Internet Information Server (IIS). This is necessary even in environments where TLS will not be used with Intel AMT devices. If TLS will be used with Intel AMT devices, there must be access to the Microsoft Certificate Authority, as the SCS requires it to enroll for certificates on behalf of each Intel AMT device.
The Microsoft CA can be installed as a Stand-alone CA or as an Enterprise CA. An Enterprise CA can be configured only in conjunction with Active Directory. A Stand-alone CA can operate with or without Active Directory, but if Active Direct
[Screenshot: Windows Components Wizard with Certificate Services selected; its Details dialog lists Certificate Services CA and Certificate Services Web Enrollment Support. Description: "Sets up a CA that issues and manages digital certificates"]
4. Select the Certificate Services checkbox. A warning is displayed indicating that the machine name and the domain membership of the machine cannot be changed while it acts as a certificate server. Click Yes.
5. Click Details.
6. Select both the Certificate Services CA checkbox and the Certificate Services Web Enrollment Support checkbox and click OK.
7. Click Next. The CA Type screen is displayed.
[Screenshot: Windows Components Wizard, CA Type screen with the options Enterprise root CA, Enterprise subordinate CA, Stand-alone root CA and Stand-alone subordinate CA; description of the selected type: "The most trusted CA in an enterprise. Should be installed before any other CA."; checkbox "Use custom settings to generate the key pair and CA certificate"]
8. Select either Enterprise root CA or Stand-alone root CA and click Next. The CA Iden
USB key or the manufacturer enters the value before delivery, the CN in the certificate must either exactly match all fields of the FQDN, or it must be a wildcard entry that matches all but the first field of the FQDN. For example, if the FQDN is east.corp.yourenterprise.com, the CN must be either east.corp.yourenterprise.com or *.corp.yourenterprise.com.
• If a DNS suffix is entered, all fields in the suffix must be included in the CN. For example, if the entered suffix is corp.yourenterprise.com, the CN could be corp.yourenterprise.com, east.corp.yourenterprise.com or main.east.corp.yourenterprise.com, but not east.yourenterprise.com.
Using one of the above options requires a single touch, which should be balanced against the need for an SCS installation and a unique certificate for each domain.
Intel AMT Release 2.6
Release 2.6 supports the 2.2 functionality with the following additions:
• Wildcard CN: If the CN in the certificate is preceded by *, the domain suffix received from DHCP need only match the CN where they have overlapping fields. For example, if the CN is *.a.b.org, then yyy.a.b.org, a.b.org and b.org would all match, but c.b.org would not.
• If the CN ends with .com or .net, the domain suffix received from DHCP needs to match only the last two fields of the CN. For example, if the CN is east.corp.yourenterprise.com, then west.mkting.yourenterprise.com would match.
• Release 2.6 supp
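The matching rules above, and the root-hash and DNS-suffix checks the device applies to the SCS certificate in steps 13 and 14 of the Remote Configuration flow, are easier to reason about as code. The following is an added example, not code from the Intel manual or the SCS product: the functions implement the Release 2.2 and Release 2.6 name rules as stated on this page and a device-side acceptance check over a constructed certificate chain. The hash algorithm (SHA-1), the setup-certificate OID and OU values (taken from Intel's separate Remote Configuration documentation; this page only says "the OID or the OU"), and the handling of a CN that is both a wildcard and ends in .com/.net (accepted if either rule holds) are assumptions. Note what the .com/.net relaxation buys an attacker: under Release 2.6 a device with DHCP suffix west.mkting.yourenterprise.com accepts a certificate for east.corp.yourenterprise.com, which Release 2.2 rejects.

```python
# Added example, not from the Intel SCS manual. Implements the Release 2.2 /
# Release 2.6 certificate-name rules described above and the device-side
# validation of the SCS certificate (OID/OU present, root hash advertised,
# DNS suffix matches CN). Sample data and the hash algorithm are constructed.
import hashlib

# Assumption: values Intel documents elsewhere for the setup certificate.
# This page only states that "the OID or the OU" must be correct.
SETUP_CERT_OID = "2.16.840.1.113741.1.2.3"
SETUP_CERT_OU = "Intel(R) Client Setup Certificate"


def _labels(name):
    """DNS name -> list of labels, case-folded, trailing dot ignored."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def fqdn_matches_cn_r22(fqdn, cn):
    """Release 2.2, FQDN set via USB key or by the OEM: the CN must equal the
    FQDN, or be a wildcard that matches every label but the first."""
    f, c = _labels(fqdn), _labels(cn)
    if c and c[0] == "*":
        return len(f) >= 2 and f[1:] == c[1:]
    return f == c


def suffix_matches_cn_r22(suffix, cn):
    """Release 2.2, DNS suffix entered: every label of the suffix must appear,
    in order, at the end of the CN."""
    s, c = _labels(suffix), _labels(cn)
    return 0 < len(s) <= len(c) and c[-len(s):] == s


def suffix_matches_cn_r26(suffix, cn):
    """Release 2.6 additions. Wildcard CN: compare only the overlapping
    right-hand labels. CN ending in .com/.net: only the last two labels must
    match. Assumption: a CN that is both wildcard and .com/.net is accepted
    if either rule is satisfied (the manual does not say)."""
    s, c = _labels(suffix), _labels(cn)
    if not s or not c:
        return False
    if c[0] == "*":
        body = c[1:]
        n = min(len(s), len(body))
        labels_ok = n > 0 and s[-n:] == body[-n:]
    else:
        labels_ok = suffix_matches_cn_r22(suffix, cn)
    comnet_ok = (c[-1] in ("com", "net") and len(s) >= 2 and len(c) >= 2
                 and s[-2:] == c[-2:])
    return labels_ok or comnet_ok


def root_hash(der_bytes):
    """Fingerprint of a root certificate as the device advertises it in its
    Hello message. SHA-1 is an assumption; the manual does not name the hash."""
    return hashlib.sha1(der_bytes).hexdigest()


def device_accepts_scs_cert(chain, advertised_hashes, dhcp_suffix, release="2.6"):
    """Steps 13-14: the leaf carries the setup-certificate OID or OU, the
    chain's root hashes to a value the device advertised, and the device's
    DNS suffix matches the leaf CN under the release's rules. `chain` is leaf
    first; each element is a dict with keys cn, oids, ou, der (a constructed
    stand-in for a parsed X.509 certificate)."""
    leaf, root = chain[0], chain[-1]
    if SETUP_CERT_OID not in leaf.get("oids", ()) and leaf.get("ou") != SETUP_CERT_OU:
        return False, "leaf lacks setup-certificate OID/OU"
    if root_hash(root["der"]) not in advertised_hashes:
        return False, "root certificate hash not advertised by device"
    match = suffix_matches_cn_r26 if release == "2.6" else suffix_matches_cn_r22
    if not match(dhcp_suffix, leaf["cn"]):
        return False, "DNS suffix does not match certificate CN"
    return True, "accepted"


# Constructed sample data: a two-element chain and the hash set a device
# would have advertised for its root.
SAMPLE_ROOT_DER = b"constructed-root-certificate-bytes"
SAMPLE_CHAIN = [
    {"cn": "east.corp.yourenterprise.com", "oids": [SETUP_CERT_OID],
     "ou": "IT", "der": b"constructed-leaf-certificate-bytes"},
    {"cn": "Constructed Root CA", "oids": [], "ou": "", "der": SAMPLE_ROOT_DER},
]
SAMPLE_HASHES = {root_hash(SAMPLE_ROOT_DER)}

if __name__ == "__main__":
    # Same chain, same device suffix: rejected under 2.2, accepted under 2.6.
    for rel in ("2.2", "2.6"):
        print(rel, device_accepts_scs_cert(SAMPLE_CHAIN, SAMPLE_HASHES,
                                           "west.mkting.yourenterprise.com", rel))
```

Running the block prints the 2.2 rejection ("DNS suffix does not match certificate CN") and the 2.6 acceptance for the same chain and suffix, which is the practical consequence of the Release 2.6 relaxation when deciding how broad a CN to put in the Remote Configuration certificate.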
Id | Message Text | Type | Cause | Action
1008 | Set 802.1x wired profile failed with %1 | Error | Set 802.1x wired profile failed | See specific error code
1012 | Remove existing 802.1x wired profile failed %1d | Error | Remove existing 802.1x wired profile failed | See specific error code
1013 | This function is deprecated. See product documentation for newer function | Warning | This function is deprecated. See product documentation for newer function | N/A
1014 | Invalid LAN interface handle | Error | Invalid LAN interface handle | 
1015 | Could not construct 802.1x profile | Error | Could not construct 802.1x profile | 
1016 | Same record already exists | Error | The record you have selected already exists in the list | Select another record
1017 | Please provide at least one Trusted Certificate for Mutual Authentication | Error | No Trusted Certificate provided for Mutual Authentication | Provide at least one Trusted Certificate for Mutual Authentication
1018 | Invalid 802.1x protocol type: EAP-GTC is not supported for wireless usage | Error | Invalid 802.1x protocol type: EAP-GTC is not supported for wireless usage | Provide 802.1x profile that does not use EAP-GTC protocol
1019 | One or more of the priorities of the specified profiles are incorrect or duplicated. Priority values should be sequential | Error | One or more of the priorities of the specified profiles are incorrect or duplicated | Priority values should be sequential
 | Cannot modify the AMT password | Error | Error when trying to change Intel AMT dev
[Screenshot: Delegation of Control Wizard, object type list including Container objects, InetOrgPerson objects, IntelliMirror Group objects, IntelliMirror Service objects, intel-ManagementEngine objects and msCOM-Partition objects, with the option "Create selected objects in this folder"]
8. On the Permissions pane, select Full Control. Click Next and Finish.
Upgrading the Intel SCS to a New Version
If there is an existing version of the SCS already installed and a new version is to be installed, perform the following steps:
1. Using locally available tools, back up the database.
2. Start installation of the new version of the SCS as described above.
3. If the new version has a newer version of the database schema, a message is displayed reminding the user to perform a database backup. Do so now if step 1 was skipped.
4. Continue with the installation. The installer will update the database so that it conforms to the latest version of the schema.
Silent Install
The SCS installation image is an InstallShield executable. Besides the interactive install described above, the SCS can be installed from a command line using a script file to respond to the installer questions. This capability is called silent install. Another application can invoke the silent install with a properly prepared installation script. This can be used by ISVs that wish to embed the SCS into their application. The usage is:
    AMTConfServer.exe /s /f1"scsinstall.iss" /f2"scsinstall.log"
allow retrieving the PID, the user must include it in the RCT command. The actions of the RCT depend on the type of security employed on the Intel AMT system and on whether the security credentials are present:
• Remote Configuration: If the system uses remote configuration, the RCT extracts the certificate hashes from Intel AMT and transmits them, together with the Hello packet, to the SCS.
• PSK with PID present on Intel AMT Releases 2.0, 2.1 and 2.5: The RCT cannot retrieve the PID from these platforms. The user must include the PID on the RCT command line.
• PSK with PID present on other Intel AMT releases: If the PID is present on the Intel AMT system, the RCT extracts it and sends it with the Hello packet to the SCS.
• PSK but PID not present on system: If the system is supposed to use PSK but no PID is present on the Intel AMT system, the Hello packet cannot be sent to the SCS.
If the Intel AMT system's host FQDN has been changed, the RCT can be used with the -f option to send the new FQDN to the SCS service. For example, the FQDN might have been changed by giving the system to another user or moving it to another domain. The SCS service then changes the machine's FQDN in the SCS database and reprovisions the machine if possible, updating the Intel AMT FQDN with the new host FQDN. The SCS ignores the FQDN mismatch between the new FQDN and the existing Intel AMT certificate's CN. If
also known as two-way authentication, is a process whereby two parties, typically a client and a server, authenticate each other in such a way that both parties are assured of the other's identity. In mutual authentication the server also requests a certificate from the client.
Provisioning: Deals with planning, setting up and configuring the hardware, software and networks that deliver access to data and network resources for the users.
Proxy: (1) A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. (2) A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination.
Pre-Shared Key (PSK): The use of secret passwords or encryption keys that are entered into both sides of the message exchange ahead of time. Pre-shared keys are typed into the clients and servers (authentication servers, access points, etc.) or entered via floppy, CD-ROM or smart card. Contrast with server-based keys, in which one side generates a key and sends it to the other side during the authentication session.
An encryption type based on the RC4 e
ame corresponding to the IP address of a network interface as found on a computer, router or other networked device. It includes both its host name and its domain name.
Group: In Active Directory, a collection of users and objects that share properties and permissions. A group may have another group as a member; the second group is then a sub-group of the first group.
GSS-API (Generic Security Services Application Programming Interface): The generic API for performing client/server authentication.
ISV: Independent Software Vendors that develop applications that use Intel AMT capabilities.
Kerberos: An access control system that was developed at MIT in the 1980s. The Kerberos concept uses a master ticket obtained at logon, which is used to obtain additional service tickets when a particular resource is required. It is named after a mythological creature.
Key: A piece of information that controls the operation of a cryptographic algorithm. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption. Keys are also used in other cryptographic algorithms such as digital signature schemes and keyed hash functions (also known as MACs), often used for authentication.
Key Distribution Center (KDC): In the Kerberos protocol, a trusted third party that has secret information (passwords) for all clients and services under its supervision.
Mutual authentication:
and Groups list defines identities with access to the Intel SCS Console. Each user is assigned a role which defines the permissions allotted to the user. See below for the permissions associated with each role.
The console supports assigning a role to a defined group of users. This is a more manageable approach: create an SCS Admins group, for example, and assign it the Administrator role. IT can then add users to the group or remove users from it without having to do so from the SCS console.
To improve performance, the SCS maintains a cache of users that access the service. This reduces the number of times that the service needs to access directory services to validate a user. If a user is moved from one group to another, the SCS will continue to use the cached entry to validate the user, and validation may fail as a result. To avoid this failure, flush the cache by restarting IIS.
Viewing Existing Users
To view a list of existing users:
1. Open the Intel SCS Console.
2. Expand the Configuration Service Settings branch.
3. Select Users. The Users table is displayed.
[Screenshot: Intel AMT Setup Console, Configuration Service Settings > Users and Groups, listing User or Group Name and Role, e.g. INTEL\8021 - Configuration Client, INTEL\ADMINISTRATOR - Enterprise Administrator, INTEL]
and manage certificate templates.
4. From the displayed list select Certificate Templates, click Add, then Close, then click OK in the previous window.
5. Select Certificate Templates in the console display. Select User from the list of displayed templates. Right-click and choose Duplicate Template.
The new display is a tabbed form called Properties of New Template.
[Screenshot: Properties of New Template dialog, General tab: Template display name "SCS User", Minimum Supported CAs "Windows Server 2003, Enterprise Edition", Template name "SCSUser", Validity period and Renewal period fields, "Publish certificate in Active Directory" checked, and the option "Do not automatically reenroll if a duplicate certificate exists in Active Directory"]
6. Set the Template display name to SCS User or some other meaningful name. For example, name a template used to generate 802.1x client certificates "802.1x". Redefine the validity and renewal periods as required by local policy. Click Apply.
7. Select the Request Handling tab and click the CSPs button.
8. Select the Microsoft Strong Cryptographic Provider checkbox. Click OK and Apply.
9. Select the Subject Name tab and select the Supply in the Request radio
/f2"scsinstall.log", where scsinstall.iss is the install script and scsinstall.log is the log file created by the installer.
Note: As with any script-driven application, the parameters included in the script must be verified before activating the script. The silent install assumes that the supplied values are correct.
Create an install script from a GUI-based installation sequence by running the installer with the record option:
    AMTConfServer.exe /r /f1"<path>\silentinstall.iss"
where silentinstall.iss is the created file.
The following example of an scsinstall.iss script provides the necessary parameters to the installer for a standard install. The highlighted parameters are those that must be customized per installation.
    [InstallShield Silent]
    Version=v7.00
    File=Response File
    [File Transfer]
    OverwrittenReadOnly=NoToAll
    [{DA4F4037-6EB2-4309-86EB-A8902CBC12EC}-DlgOrder]
    Dlg0={DA4F4037-6EB2-4309-86EB-A8902CBC12EC}-SdWelcome-0
    Count=...
    ...
    Dlg6={DA4F4037-6EB2-4309-86EB-A8902CBC12EC}-OnMainServiceInitialize-0
    ...
ates, so no more than four should be added to a profile. See Exporting and Installing the CA Root Certificate on page 32.
   Select Add to display the Trusted Root Certificates template.
   a. Select Import, navigate to where the root certificate is stored and select the certificate.
   b. Alternatively, in an Active Directory environment, select Get from CA, pick a CA from the displayed list of known CAs and select OK.
   c. If a root certificate is displayed that should not be sent to the Intel AMT devices using this profile, select the certificate and then select Remove.
   d. Select OK.
22. Service Mutual Authentication Certificate: This feature is not implemented. The SCS uses the first Intel AMT remote client certificate (a certificate with the dedicated OID) in the SCS user's personal certificate store.
23. Import a Certificate Revocation List (CRL). The CRL is a list of entries indicating which certificates have been revoked. The CRL contains certificate authority URLs and the serial numbers of revoked certificates. See CRL XML Format on page 137 for the XML file format. Enter information about the list into the Description field.
24. Define the Fully Qualified Domain Name suffixes that will be used by mutual authentication. The Intel AMT device will validate that any client certificate used by the SCS or a management console has one of the listed suffixes in its certificate subject.
25. Click OK. Click Apply.
bove in the System Certificate Store on the platform where the SCS executes. Follow these steps:
   a. Open Certificates (Local Computer) using the Microsoft Management Console (MMC). To add the Certificates snap-in to the MMC:
      i. Select File > Add/Remove Snap-in.
      ii. Select Add.
      iii. Select Certificates.
      iv. Select Computer account and click Next.
      v. Select Local computer and click Next.
      vi. Select Finish, then Close, select Certificates and click OK.
   b. In the console tree, click the logical store into which the MMC will import the certificate.
   c. On the Action menu, point to All Tasks and then click Import to start the Certificate Import Wizard.
   d. Type the path and file name of the certificate to be imported, or click Browse and navigate to the file.
   e. Select Automatically select the certificate store based on the type of certificate.
2. Invoke the loadcert utility located at <install_root>\Program Files\Intel\AMTConfServer\Tools. Double-click loadcert.exe and select the certificate that was just imported. The utility writes the certificate to the registry after deleting any previously stored certificate. It reports any problem it detects in the certificate that would prevent using it as a Remote Configuration certificate.
If the SSL certificate comes from a CA whose chain-of-trust certificates are not automatically included in the Windows 2003 trusted certificate store, it will be necessary to install the root certificate a
cate Authority Host error: Invalid value. Cause: the given host (text continues from the previous page). Action: provide the host with the specified CA. Code 1766. Type: Error.

Set Certificate Template error: Invalid value. Value must be WebServer for a StandAlone CA. Cause: invalid value; the value must be WebServer for a stand-alone CA. Code 1767. Type: Error.

Set Certificate Template error: Invalid value. Cause: invalid certificate name. Action: provide a valid certificate name. Code 1768. Type: Error.

Set queue polling period error: Value out of range. Value must be between 1 and 60000. Cause: value out of range. Code 1771. Type: Error.

Set listen port error: Value out of range for hello_listen_port. Value must be between 1025 and 65535. Action: provide a value between 1025 and 65535. Code 1773. Type: Error.

Set VlanTag error: Value out of range. Value must be between %2d and %3d. Cause: the specified VlanTag is out of range. Action: provide a valid VlanTag. Code 1778. Type: Error.

... certificate is enabled. Cause: ... certificate is enabled. Code 1783.

... %1d is out of range (%2d, %3d). Code 1786.

... must be between %2d and %3d. Code 1787.

Action status cursor size %1d is out of range (%2d, %3d). Cause: the specified Action status cursor size is out of range.

Action sub-requests status is out of range. Cause: the specified
ce requires a different cipher %1d. Cause: the Intel AMT device requires a different cipher; see the specific error code. Code 868.

Exception while provisioning Intel AMT device 0x%1X, UUID %2. Cause: exception while provisioning the Intel AMT device; see the specific error code.

Cannot handle provisioning exception 0x%1X %2. Cause: cannot handle provisioning exception; see the specific error code. Code 870.

Finishing re-issue of digital certificate for Intel AMT device UUID %1. Type: Info. Cause: finishing re-issue of the digital certificate for the Intel AMT device with the specified UUID. Code 871.

Set certificates and key in Intel AMT device UUID %1. Cause: set certificates and key in the Intel AMT device with the specified UUID. Code 872.

Processing of re-issue digital certificate final worker aborted %1. Type: Error. Cause: see the specific error code. Code 874.

Maintenance worker 0x%1X %2. Code 875.

Exception when trying to pop a request from the delayed requests list. Type: Error.

Unexpected error when requesting certificate. Type: Error. Cause: N/A. Code 878.

Exception in set ACL worker 0x%1X. Cause: exception in set ACL worker; see the s
ctory to a user or group of users. Subsets of users, groups, and/or computers can be delegated to different groups, allowing a greater degree of control and granularity without the need to run dedicated domain controllers for that group.

Intel Active Management Technology (Intel AMT): A technology developed by Intel that enables administrators to remotely manage and repair networked computers, even when they are powered down. The three primary features of Intel AMT are better asset management, reduced downtime, and minimized desk-side visits, also called by Intel the discover, heal, and protect process.

Application Programming Interface (API): A language and message format used by an application program to communicate with the operating system or some other control program, such as a database management system (DBMS) or communications protocol. APIs are implemented by writing function calls in the program that provide the linkage to the required subroutine for execution. Thus an API implies that some program module is available in the computer to perform the operation, or that it must be linked into the existing program to perform the tasks.

Authentication: A security measure designed to establish the validity of a transmission, message, or originator.

Authentication Server (AS): A Kerberos element in a KDC that recognizes a client at log-on time based on information in its trusted database.

Authenticator

Authorization
d the instance is SQLEXPRESS. Use the FQDN of the SQL server platform when the SCS and the SQL server are on different platforms. Select SQL Server authentication using Login ID and password below and enter the password defined during the SQL server installation (see page 24). sa is the default SQL server Login ID. Click Next. The Database Configuration screen is displayed. The default Server name is the name of the local computer. In an environment with one shared database and more than one Intel SCS, ensure that the Server name is the name of the computer hosting the database.
[Screen: Intel Active Management Technology Setup and Configuration Server InstallShield Wizard, Database Configuration: Database Name IntelAMT; Console User Name AMT administrator]
16. If Database Schema is being installed, enter both the Database Name (the name assigned to the database; the default is IntelAMT) and the Console User Name.
17. A notice may be displayed saying that the user does not have the necessary privileges. Click Yes to assign the user the necessary privileges. If the database was previously installed, the installer displays a notice asking whether the database should be replaced. Respond No to this request. Install the database only once.
11. From the Ready to Install screen, click Install. Installat
d to the top computer object class. When the SCS performs setup for an Intel AMT device, the SCS service:
• creates an AMT Object with the first three attributes listed above
• creates a link between the attribute Intel Management Engine Host Computer in the AMT Object and the AMT Host object
• creates a link between the attribute Intel Management Engine Host Computer BL, found on the AMT Host, and the AMT Object
Active Directory displays the AMT Object as the representation of the Intel AMT device itself and shows it as having the type Intel Management Engine.

Installation of the SCS Server Components
The Intel SCS components can be installed on a single computer or on separate computers; Setup facilitates both options. In either case the required user intervention presumes knowledge of SQL Server administration, Internet Information Services (IIS) 6.0 administration, and Windows service installation.

Installing the Intel SCS Server Components
To install the Intel SCS components:
1. Ensure that the computer meets the system requirements listed in System Requirements on page 18.
2. Locate the distribution files as downloaded to the server platform.
3. Locate and double-click the file named AMTConfServer.exe. The Welcome screen is displayed.
4. Click Next. The License Agreement screen is displayed.
5. Accept the license agreement and click Next. The Setup Type screen is d
d which either refers to an independent database or file, or requests the identifying information from the host platform. After the script returns the required information, the SCS stores it in the Configuration data table. See Using a Script to Import Intel AMT Configuration Properties on page 127.
• Script Location: Enter the path to the location of the script on the platform where the SCS executes. If more than one instance of the service is running in the domain, the script must be in the same location on all platforms running the service, e.g. C:\Program Files\Intel\AMTConfServer\Scripts.
Warning: If the script is not in the location defined here, the SCS will not complete setup for any Intel AMT device.
Enter the Service Maintenance parameters. These parameters tune the performance of the SCS, as described in Intel AMT SCS Functional Flow on page 5.
• Queue Polling Period: how frequently the Intel SCS checks the queue in the database for new tasks.
• Max Queue Size: the maximum permitted length of the database queue. If the queue is full when the server or the API tries to add an entry, that entry is lost.
The following three parameters define quantities for the multithreaded transactions processed by the Intel SCS:
• No. of Worker Threads: limits the number of worker threads permitted simultaneously
[Screen: Add/Edit Profiles, Configure the Wireless Network Settings: Enable Host VPN Routing; Allow wireless connection without profiles; Select Wireless profiles / Selected Wireless profiles (EAP_TLS, EAP_PEAP_MSCHAPv2, EAP_TTLS_MSCHAPv2, EAP_EAPFAST_GTC, EAP_EAPFAST_MSCHAPv2, ...); Add / Remove]
Select the Enable Host VPN Routing checkbox to configure Intel AMT devices to accept management traffic over a Virtual Private Network connection when Intel AMT detects that the platform is operating outside the enterprise network.
Select the Allow wireless connection without profiles checkbox if Intel AMT devices will depend exclusively on host platform wireless profiles for out-of-band manageability over wireless networks. This feature applies only to platforms running Intel AMT Release 2.6. It operates under the following conditions:
• Environment detection is enabled (see page 84).
• The platform is operating within the enterprise.
• The host wireless system is WPA/RSN secure. WEP is not considered secure.
If the host wireless connection fails, the Intel AMT device also loses wireless connectivity. An Intel AMT device managed over a wireless LAN that does not have a wireless profile installed cannot perform SOL/IDER functions.
Select from the available wireless profiles and move the desired ones to Selected Wireless
e. As part of the Hello message, the Intel AMT device sends all of the hashes to the SCS. When the SCS authenticates to the Intel AMT device, it must do so with a certificate that chains to one of the hashed root certificates.
Self-signed certificate: The Intel AMT device produces a self-signed certificate that it uses to authenticate to the SCS. The SCS must be configured to accept such a certificate.
One-time password (OTP): Security policy may require use of a one-time password to improve security. The Remote Configuration Tool (RCT), running on the local host, requests the OTP from the SCS and sends it to the Intel AMT device. The SCS saves the OTP in the database entry associated with that specific Intel AMT device and uses it to validate the connection to the device.
Limited network access: The network interface opens for a limited period of time to send Hello messages and to complete the setup and configuration process. After 24 hours the interface closes unless the setup and configuration time was extended by a network command from the SCS.

Overview of Remote Configuration Flow
Initial Conditions
Before Remote Configuration begins, the following initial conditions must be met:
1. The Intel AMT device is configured to receive its IP address from a DHCP server. The DHCP server supports option 15 and returns the local domain suffix.
2. The Intel AMT device is pre-programmed with at least one active root certificate
e Directory schema has been updated, the SCS user needs permission to add and delete AMT objects in the OU defined for holding the objects. The following procedure explains how to do this:
1. Open a command window and enter mmc.
2. Press Ctrl+M followed by Alt+D.
3. Select Active Directory Users and Computers and click Add, Close, and OK.
4. In the tree on the left, open the domain containing the OU where AMT objects will be stored. Right-click the OU folder and select Delegate Control.
5. The Delegation of Control Wizard opens. Click Next, then Add, and enter the name of the SCS user. Click OK and Next.
[Screen: Select Users, Computers, or Groups: object type Users, Groups, or Built-in security principals; location intel.com; object names to select, e.g. SCSUser (SCSUser@intel.com); Check Names; Advanced; OK; Cancel]
6. On the Tasks to Delegate pane, select Create a custom task to delegate and click Next.
7. Find intelManagementEngine objects in the displayed list and select it. Also select the Create and Delete options and click Next.
[Screen: Delegation of Control Wizard, Active Directory Object Type: Delegate control of: This folder, existing objects in this folder, and creation of new objects in this folder; or Only the following objects in the folder: groupPolicyCont
e SCS. The SCS sends an OTP to the RCT. The RCT sends the OTP to the Intel AMT device and commands it to open the network interface. The Intel AMT device generates a self-signed certificate; generating the necessary keys may take up to seven minutes. The Intel AMT device starts sending version 3 Hello messages. Setup and configuration begins using the PKI-CH protocol. The SCS requests the Intel AMT device to send an OTP. The device responds with the value it received from the RCT.
[Figure: Remote Configuration flow between the IT request, the Setup and Configuration Service, the Host Platform Remote Control Tool, the Management Engine Interface, and the Intel AMT device]
10. After the RCT commands the Intel AMT device to start configuration, the device opens its network interface for 24 hours and starts sending Hello messages.
Note 65: The interface is open for 24 hours (configurable by the OEM) only the first time it is enabled. If the time runs out before setup and configuration completes, or the Intel AMT device is unprovisioned or partially unprovisioned, any subsequent call from the RCT to start configuration opens the interface for only six hours.
11. The SCS extracts the hashes from the Hello message.
12. The SC
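The exchange described in the Remote Configuration overview above (root hashes in the Hello message, the OTP the RCT carries from the SCS to the device, and the 24-hour then 6-hour interface window) modelled as an added example. This is not Intel's SCS or RCT code: the root certificates are constructed byte strings, the hash is SHA-1 over those bytes (a real device stores hashes of DER root certificates), and the message layout, class and function names are assumptions made for the example.

```python
"""Model of the Remote Configuration exchange: root-hash matching, OTP check,
and the open-interface window.  Added example, not Intel SCS/RCT code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

FIRST_OPEN_SECONDS = 24 * 3600  # first time the interface is enabled (OEM configurable)
REOPEN_SECONDS = 6 * 3600       # any later start-configuration command from the RCT


def root_hash(root_cert: bytes) -> str:
    """Form in which the device stores its pre-programmed root certificates (constructed: SHA-1 of the bytes)."""
    return hashlib.sha1(root_cert).hexdigest()


@dataclass
class AmtDevice:
    uuid: str
    root_hashes: Set[str]
    otp: Optional[str] = None
    opened_before: bool = False
    window_close: Optional[float] = None

    def start_configuration(self, now: float, otp: str) -> int:
        """RCT command: deliver the OTP and open the network interface.
        Returns how many seconds the interface stays open."""
        self.otp = otp
        span = REOPEN_SECONDS if self.opened_before else FIRST_OPEN_SECONDS
        self.opened_before = True
        self.window_close = now + span
        return span

    def interface_open(self, now: float) -> bool:
        return self.window_close is not None and now < self.window_close

    def hello(self) -> dict:
        """Version 3 Hello: the UUID plus every active root hash the device holds."""
        return {"uuid": self.uuid, "hashes": sorted(self.root_hashes)}

    def otp_response(self) -> Optional[str]:
        """Reply to the SCS request for the OTP: the value the RCT delivered."""
        return self.otp


@dataclass
class Scs:
    certificates: Dict[str, bytes]  # label -> root at the top of that certificate's chain
    issued_otps: Dict[str, str] = field(default_factory=dict)

    def issue_otp(self, uuid: str) -> str:
        """The RCT asks the SCS for an OTP; the SCS keeps it in the device's database record."""
        otp = secrets.token_hex(16)
        self.issued_otps[uuid] = otp
        return otp

    def choose_certificate(self, hello: dict) -> Optional[str]:
        """Select a certificate whose chain ends in a root the device trusts."""
        trusted = set(hello["hashes"])
        for label, root in self.certificates.items():
            if root_hash(root) in trusted:
                return label
        return None

    def configure(self, device: AmtDevice, now: float) -> str:
        if not device.interface_open(now):
            return "rejected: device interface closed"
        label = self.choose_certificate(device.hello())
        if label is None:
            return "rejected: no SCS certificate matches a device root hash"
        expected = self.issued_otps.get(device.uuid)
        presented = device.otp_response()
        # constant-time comparison: the OTP is a secret held in the SCS database
        if expected is None or presented is None or not hmac.compare_digest(expected, presented):
            return "rejected: OTP mismatch"
        return "configured using certificate " + label


def demo() -> dict:
    """Constructed scenario: the device trusts only the root of vendor A."""
    root_a, root_b = b"constructed root certificate A", b"constructed root certificate B"
    dev = AmtDevice(uuid="4c4c4544-0042-3810-8043-b2c04f4e3432",  # constructed UUID
                    root_hashes={root_hash(root_a)})
    scs = Scs(certificates={"vendorA-chain": root_a, "vendorB-chain": root_b})
    wrong_root = Scs(certificates={"vendorB-chain": root_b})
    no_otp = Scs(certificates={"vendorA-chain": root_a})  # right root, never issued the OTP
    t0, out = 0.0, {}
    first = dev.start_configuration(t0, scs.issue_otp(dev.uuid))
    out["first_window_hours"] = first // 3600
    out["configure"] = scs.configure(dev, t0 + 60)
    out["wrong_root"] = wrong_root.configure(dev, t0 + 120)
    out["no_otp"] = no_otp.configure(dev, t0 + 180)
    out["after_window"] = scs.configure(dev, t0 + first + 1)
    second = dev.start_configuration(t0 + first + 10, scs.issue_otp(dev.uuid))
    out["second_window_hours"] = second // 3600
    return out
```

The two rejections in demo() are the ones that matter operationally: an SCS whose certificate does not chain to a root the device was shipped with never gets past the Hello, and an SCS that holds the right certificate but not the OTP recorded for that UUID is still refused, which is why the database row holding the OTP must be protected as a secret.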
e every 24 hours.
Security Audit: This log displays potential breaches in security, such as unauthorized attempts to log in and unauthorized attempts to perform the re-provision function on all Intel AMT devices. The security log also registers valid events that have security impact, such as user log-ins. The SCS logs the following events in the security log.
Table 7. SCS Security Log Events (Message: Event Type)
Cannot contact CA server: Process delayed
Certificate cannot be issued: Process interrupted
Cannot request CA: Process interrupted
Working without CA: Process interrupted
Invalid network TLS authentication value
Fail to delete Certificate
User is not authorized
Failed to remove profile: Process interrupted
Cannot contact unprovisioned Intel AMT device without PID PPS: Error
Cannot obtain connection to Intel AMT device on nn
Certificate request already under submission: Process delayed
Set Certificate Template
User logged in: Information
Set FPACL
Set general parameters for profile
Adding TLS server certificate
The following is an example of the System log display.
[Figure: System log display with columns for date and time, message, severity, and originator]
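Triage of the Table 7 events, as an added example that is not part of the SCS. The SCS Console shows the security log in a window; the pipe-separated export format, the sample lines and the helper names below are constructed for the example, and the event types given for messages that Table 7 lists without one are assumptions marked in the code.

```python
"""Triage of SCS security log events against Table 7.  Added example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Event types as given in Table 7; entries marked "assumed" are not typed on the page.
EVENT_TYPE = {
    "Cannot contact CA server": "Process delayed",
    "Certificate cannot be issued": "Process interrupted",
    "Cannot request CA": "Process interrupted",
    "Working without CA": "Process interrupted",
    "Failed to remove profile": "Process interrupted",
    "Certificate request already under submission": "Process delayed",
    "Cannot contact unprovisioned Intel AMT device without PID PPS": "Error",
    "User logged in": "Information",
    "User is not authorized": "Error",                    # assumed
    "Fail to delete Certificate": "Error",                # assumed
    "Invalid network TLS authentication value": "Error",  # assumed
}

# Constructed sample: timestamp|severity|originator|message (assumed export format)
SAMPLE_LOG = """\
20070325082338|Information|scsconsole01|User logged in
20070325082401|Error|10.0.0.7|User is not authorized
20070325082415|Error|10.0.0.7|User is not authorized
20070325082430|Error|10.0.0.7|User is not authorized
20070325083001|Error|scs01|Certificate cannot be issued
20070325090000|Error|10.0.0.9|User is not authorized
20070325090500|Information|scs01|Adding TLS server certificate
"""


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, severity, originator, message = line.split("|", 3)
        events.append({
            "time": datetime.strptime(stamp, "%Y%m%d%H%M%S"),
            "severity": severity,
            "originator": originator,
            "message": message,
            "event_type": EVENT_TYPE.get(message, "Information"),
        })
    return events


def unauthorized_bursts(events, threshold=3, window=timedelta(minutes=10)) -> Dict[str, int]:
    """Originators that produced at least `threshold` 'User is not authorized'
    events inside any interval of length `window`, with the peak count.  A burst
    from one originator is the probing pattern the audit log exists to expose."""
    by_origin = defaultdict(list)
    for e in events:
        if e["message"] == "User is not authorized":
            by_origin[e["originator"]].append(e["time"])
    hits = {}
    for origin, times in by_origin.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):
            while times[j] < times[i] - window:  # slide the window's left edge
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            hits[origin] = peak
    return hits


def interrupted_processes(events) -> List[str]:
    """Messages typed 'Process interrupted' in Table 7: setup stopped and needs
    operator follow-up, unlike a 'Process delayed' event that will be retried."""
    return [e["message"] for e in events if e["event_type"] == "Process interrupted"]
```

Run parse_log(SAMPLE_LOG) through both functions: the three refusals from 10.0.0.7 within half a minute trip the burst rule, the single refusal from 10.0.0.9 does not, and the CA failure is surfaced separately because it halts configuration rather than merely delaying it.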
e the information in the database.
5. The SCS service requests a certificate for the device from a Certificate Authority server. This step is optional; it is required for installations using Transport Layer Security (TLS) and mutual TLS.
6. The Intel AMT device is defined as an AMT object in the Active Directory domain controller when integration with Active Directory is enabled.
7. The SCS service completes setup and configuration using SOAP commands.
All critical parameters are kept in the secure database. The Administrator configures the SCS service, defines profiles, updates individual device parameters, and so on from the Intel SCS Console. The console communicates only with the SOAP API, which queries and updates the database. All instances of the SCS service poll the database periodically, or query and update it as needed, as part of the setup and configuration process. All of the above steps are described in this guide.

Intel AMT SCS Functional Flow
The SCS is designed to perform setup and configuration of multiple Intel AMT devices simultaneously. All requests to the SCS for service are maintained in a queue in the SCS database. A thread performs the processing for each portion of a task. A single thread waits for Hello messages from Intel AMT devices. This thread passes the message to a queuing thread, which then adds the request for setup and configuration to the
e transition. If this optional parameter is not provided, the default value is off.
e (optional): By default the RCT does not validate certificate expiration dates against CRLs or attempt to contact issuing certification authorities. Entering e requires the RCT to validate expiration dates. This is significant if the certificate provided by IIS is from an external CA: the platform running the RCT will either need an updated CRL installed or will need access to the external CA.
h (optional): Causes the RCT to send a Hello packet to the SCS.
Hello port (optional): If the h parameter is used, this parameter specifies the port on the SCS server to which the RCT should send the Hello packet. If it is not used, the packet is sent to port 9971.
PID: If the h parameter is used and the Intel AMT system uses PSK but does not allow retrieval of its PID, this parameter must be used to transmit the PID with the Hello packet to the SCS.
FQDN change (optional): Informs the SCS that the Intel AMT system's FQDN has changed. The RCT sends the new FQDN to the SCS service, which then changes the machine's FQDN in the SCS database and, if possible, reprovisions the machine, updating the AMT FQDN with the new host FQDN.

Examples of Use
rct s https://ProvisionServer.yourenterprise.com/amtscs_rcfg p 3 o OU=AMT_Users,DC=East,DC=yourenterprise,DC=com t on
This example shows how to use the RCT to inform the
e used to configure this device. To filter the view, select filter options from the bottom of the screen and click Apply Filter.

Defining a New Intel AMT Device Record
When the AddServicNewAmtProperties.exe program is included in a platform initial configuration script, it can be used to create an entry in the SCS database without additional operator intervention. Otherwise use the console to add devices one by one. To add a new Intel AMT device to the table manually:
1. Open the Intel SCS Console.
2. Select Configuration parameters. The New Intel AMT Systems table is displayed.
3. Click Add. The Edit New Intel AMT Properties dialog box is displayed.
[Screen: Edit New Intel AMT Properties: UUID (Hexadecimal); FQDN; Active Directory Organizational Unit in LDAP Distinguished Name format, OU=...,DC=foo,DC=com, e.g. OU=AMT_Devs,DC=East,DC=yourenterprise,DC=com; Profile: Standard user; OK; Cancel]
Enter the parameters:
UUID: The 128-bit value, represented as a hexadecimal string, that uniquely identifies an Intel AMT device. Enter the UUID in the format shown, with hyphens separating the sub-strings.
FQDN (Fully Qualified Domain Name): Enter the combined host name and the domain where the platform will be installed.
Active Directory Organizational Unit: The AD element where the AMT object will be loca
eady installed.
Use_Exist_DB=1
[{DA4F4037-6EB2-4309-86EB-A8902CBC12EC}-AskYesNo-0]
Result=1
bOpt1 controls whether or not to start the Windows service after the installation: bOpt1=0 do not start the service; bOpt1=1 start the Windows service.
bOpt1=0
bOpt2=0
Count=0
Use the following script to perform a silent uninstall. The highlighted fields must match the corresponding fields in the install script.
[InstallShield Silent]
Version=v4.00
File=Response File
[File Transfer]
OverwrittenReadOnly=NoToAll
[{DA4F4037-6EB2-4309-86EB-A8902CBC12EC}-DlgOrder]
Dlg0={DA4F4037-6EB2-4309-86EB-A8902CBC12EC}-MessageBox-0
Count=6
[{DA4F4037-6EB2-4309-86EB-A8902CBC12EC}-MessageBox-0]
Result=6
[Application]
Name=Intel Active Management
ecksum of the previous seven characters, and the fourth character in each group of four characters in the PPS is expected to be a checksum of the previous three characters. This check is made to reduce the possibility of operator error when entering these values.

Other Settings
The SOL/IDER, Remote Firmware Update, and Set PRTC menu options are not required for setup and configuration. The SOL/IDER option enables the Intel AMT device redirection capabilities. The Remote Firmware Update option enables remote updates to the firmware. Set PRTC allows an administrator to set the programmable real-time clock to a correct value if the clock lost its value inadvertently in a situation where it could not be reset remotely.

Exit Intel AMT Configuration
Highlight the Return to Previous Menu option and press Enter. Upon exiting the Intel AMT BIOS extension, the Intel AMT device enters Setup Mode and begins sending Hello messages to the SCS service.

Hello Message Retry Frequency
The Intel AMT device sends Hello messages according to the following algorithm: 5 retries at 1-minute intervals, then 5 retries at 10-minute intervals, then 5 retries at 1-hour intervals. The retry algorithm restarts after a firmware reset, which requires disconnecting AC power from the platform containing the Intel AMT device.

Using a USB Storage Device for Factory Mode Setup
The
ectory enabled. To complete the entry:
Click the browse control. The Select User dialog box is displayed.
[Screen: Select User or Group: object type User or Group; location Entire Directory; object name to select, e.g. amtservice (amtservice@intel.com); Check Names; Advanced; OK; Cancel]
Enter all or part of a user name. The user must be an individual for Digest ACL entries but can be a group for a Kerberos ACL entry. Click Check Names. The Intel SCS searches the AD and completes or confirms the user name. Click OK.
Select an Access Permission. This parameter defines user access, that is, the locations from which the user is allowed to perform an action. A user might be limited to local actions or might also be able to perform actions from the network.
• Local Access: The user is limited to access to the Intel AMT device via the local host.
• Network Access: The user can execute an action via the network.
• Any: The user can execute an action both locally and from the network. This option is not recommended.
Select the realms, that is, the specific functional capabilities such as Redirection or PT Administration, available to this ACL entry. Optionally add additional ACL entries. Click OK. Click Apply.

The Profile Configuration Power Policy Tab
[Screen: Add/Edit Profiles: Configure the Profile P
en Releases
Intel AMT validates the SCS certificate by comparing a domain suffix or FQDN against the CN in the certificate. Different Intel AMT releases perform this comparison differently. This can affect which certificate an organization acquires.
Note 66: An SCS installation that will set up platforms with a mix of Intel AMT releases needs to acquire a certificate that is appropriate for all the versions that will be configured.

Intel AMT Release 2.2
Intel AMT retrieves its domain suffix using DHCP Option 15. The CN in the SCS certificate must match the full domain suffix. The result is that a separate certificate is required for each domain. For example, if the CN in the certificate is corp.east.yourenterprise.com and DHCP returns a domain suffix of east.yourenterprise.com, the CN contains the full suffix, so there is a match. A CN of yourenterprise.com would not match east.yourenterprise.com. Since an SCS installation can only work with one Remote Configuration certificate at a time, a separate certificate and SCS instance is required for each domain where Intel AMT based platforms are located.

Intel AMT Release 3.0
If a Release 3.0 platform depends exclusively on the domain suffix returned by DHCP, it behaves the same as Release 2.2. The Release 3.0 FQDN option and domain extension option add the following:
• If IT enters the FQDN of the SCS via the MEBx menu or with a formatted
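The Release 2.2 comparison above (and the Release 3.0 case that relies only on the DHCP suffix) as an added example, not Intel code. It turns the page's "CN contains the full suffix" rule into a check and then applies it across every suffix an estate's DHCP servers can return, so the number of certificates and SCS instances needed is visible before a certificate is bought. The label-boundary rule (corpeast.yourenterprise.com must not satisfy east.yourenterprise.com) and the helper names are assumptions on top of the page's description.

```python
"""Certificate CN versus DHCP Option 15 suffix for Intel AMT Release 2.2.
Added example; the label-boundary rule is an assumption."""
from typing import Dict, Iterable, List


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and a trailing dot is not significant."""
    return name.strip().rstrip(".").lower()


def cn_matches_suffix(cn: str, dhcp_suffix: str) -> bool:
    """True when the CN ends in the full DHCP suffix on a label boundary
    (assumed hardening: 'corpeast.x.com' does not end in '.east.x.com')."""
    cn, suffix = normalize(cn), normalize(dhcp_suffix)
    return cn == suffix or cn.endswith("." + suffix)


def certificate_plan(dhcp_suffixes: Iterable[str], candidate_cns: Iterable[str]) -> Dict[str, List[str]]:
    """For every suffix a DHCP server in the estate can return, list the candidate
    CNs a Release 2.2 device would accept.  An empty list means that domain needs
    its own certificate and, per the page, its own SCS instance."""
    cns = list(candidate_cns)
    return {s: [cn for cn in cns if cn_matches_suffix(cn, s)] for s in dhcp_suffixes}


def uncovered_suffixes(dhcp_suffixes: Iterable[str], candidate_cns: Iterable[str]) -> List[str]:
    """Suffixes for which none of the candidate CNs would be accepted."""
    return [s for s, cns in certificate_plan(dhcp_suffixes, candidate_cns).items() if not cns]
```

With suffixes east.yourenterprise.com and west.yourenterprise.com and a single candidate CN of corp.east.yourenterprise.com, uncovered_suffixes() reports the west domain: under Release 2.2 that domain needs a second certificate and a second SCS.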
enabled platform remotely by encapsulating keystrokes and character display data in a TCP/IP stream.
IDE Redirection: Use this feature to remotely enable, disable, format, or configure individual floppy or IDE CD drives, and to reload operating systems and software from remote locations. These actions are independent of and transparent to the host.
16. In the TLS-PSK box, select an option. The Encrypted option limits setup and configuration to platforms that support encryption. The Plain Text option limits setup to platforms that do not support encryption. Both allows a mix of platforms. Do not select either the Plain Text or Both option if all platforms containing Intel AMT devices in the enterprise are supposed to support encryption. Use an unencrypted PSK only where Intel AMT does not support encryption because of import restrictions.
17. In the TLS Settings box, select or clear the Use TLS checkbox. When TLS is enabled, the Intel AMT device requires a server certificate, which it uses to authenticate itself to other applications. If mutual TLS authentication is enabled, any application that interacts with the device must supply a client certificate, which the device uses to authenticate the application. When Use TLS is selected, configure the interfaces to indicate which will use TLS, mutual TLS, or neither. Only three server and client certificates can be associated with a single profile. These include the server certificate r
eneral box, select or clear the Enable ping response checkbox. When enabled, the Intel AMT device responds to a ping.
13. Click the Environment Detection button to set up this capability (Releases 2.5, 2.6, and 3.0).
a. Click Add to enter up to five domain suffixes that define permitted domains within the enterprise network. The Intel AMT device uses this list to determine whether the platform is operating inside or outside the enterprise network. Management consoles can define the behavior of the device when it is outside the enterprise, including setting a policy that blocks network traffic. Click Delete to delete a selected suffix from the list.
[Screen: Environment Detection Suffixes; OK; Cancel]
14. In the VLAN box, select or clear the Use VLAN checkbox. If a VLAN is used, set the VLAN Tag, an integer used to distinguish between VLANs. Be careful when configuring the VLAN value: if it is incorrect, the Intel AMT devices will not be accessible.
15. The Intel AMT device includes three special interfaces or features that can be enabled or disabled at configuration time. In the Enabled Interfaces box, select the checkboxes to activate one or more interfaces.
Web UI: Administrators can use this browser-based interface for management and maintenance of Intel AMT devices.
Serial Over LAN: This feature is used to manage an Intel AMT
equired for TLS and any client certificates required for 802.1x profiles or for NAC posture signing. In a normal installation a single client certificate would be purchased for all applications in the facility. If a profile requires more than three certificates, setup of an Intel AMT device based on that profile will fail.
Local Interface: When enabled, host communications with the Intel AMT device require TLS or TLS with mutual authentication.
18. Network Interface: When enabled, network communications with the Intel AMT device use TLS or TLS with mutual authentication.
TLS Server Certificate: Identify the certificate authority (CA) associated with this profile that will be used to generate server certificates for the Intel AMT devices associated with the profile. Selecting the browse control opens a window for entering the CA information.
[Screen: Select Certificate Generation Properties: CA Host Name, Name, Type, Template; Add; Edit; OK; Cancel]
To add a new CA to the list or edit an existing entry, click Add or Edit. Either option opens a window for entering or modifying CA properties.
[Screen: Certificate Generation Properties: CA Host Name, e.g. DC.intel.com; Name, e.g. EnterpriseCA; Type Enterprise; Template; LDAP Name
[Screen: Security tab listing users and groups of intel.com: Account Operators, Administrator (built-in account), Administrators, amtconsole, amtservice, ANONYMOUS LOGON, Authenticated Users, Backup Operators, BATCH, ...]
An 802.1x certificate does not need changes to the Extensions. Skip to step 16. To build a template for a Mutual Authentication client certificate, perform the following four steps:
12. Select the Extensions tab.
[Screen: Properties of New Template, tabs General, Request Handling, Subject Name, Issuance Requirements, Superseded Templates, Extensions, Security. Extensions included in this template: Application Policies, Certificate Template Information, Issuance Policies, Key Usage. Description of Application Policies: Client Authentication, Secure Email, Encrypting File System]
13. Select Application Policies and Edit.
[Screen: Edit Application Policies Extension. An application policy defines how a certificate can be used. Application policies: Client Authentication; Add, Edit, Remove; Make this extension critical]
14. Select Add, then New. Type a name for the
er expects a port number other than port 80, include the port number after the FQDN, for example https://provisionserver.yourenterprise.com:123/AMTSCS. A file named amtconsole.log is generated in the console install directory; it contains a log of the client application's transactions. The Intel SCS Console opens. If the application does not open, there may be a security problem; see Secure the Connection to IIS Using SSL on page 34.

Configuring Main Service Settings
Use the Intel SCS Console to configure, control, and manage the Intel SCS Main Service.

Defining General Parameters
General settings define the configuration of the Intel AMT Main Service. The Integrate with Active Directory option can be changed dynamically. None of the other parameters on this pane take effect until the SCS service is stopped and restarted. To configure General settings:
1. Open the AMT Setup and Configuration Console.
2. Expand the Configuration Service Settings branch.
3. Select General. The General screen is displayed.
[Screen: General, Configure the Intel AMT Setup and Configuration Service General parameters. Server settings: TCP Listen Port 9971; Queue Polling Period 1000 milliseconds; Integrate with Active Directory; Max Queue Size 1000 requests; AMT requires authorization before provisioning; No. of Worker Threads 10; Allow Remote Configuration
erated, stored, and organized as Profiles before they are requested. Profiles contain values such as:
• An Access Control List, that is, a list of authorized Intel AMT device users and their privileges in accessing device capabilities
• Trusted root certificates
• Kerberos options
• TLS and mutual authentication settings
• Power saving options
• Wireless profiles
• 802.1x profiles
The database also holds:
• Per Intel AMT device data objects, defined before configuration can start. The data in these objects includes the administrator password, host name, TLS settings, UUID, and a link to one of the Profiles
• Logs of all transactions performed by the SCS, including transactions in progress and any detected errors
• A queue containing operations used to configure Intel AMT devices
The Intel AMT database requires Microsoft SQL Server 2000, Microsoft SQL Server 2005, or Microsoft SQL Server 2005 Express Edition (SQL Server Express).
The database contains sensitive secrets such as passwords and keys. If this data is compromised, the result can be major security problems for the enterprise. Make certain that access to the database is controlled by limited permissions, a strong password, and limited physical access to the database server and the database itself.

Considerations
For optimal performance the Intel SCS must have adequate access to the database. These issues must be taken into consideration:
• If the database is accessed via a WAN, e
...ersion 1.1:

    <SOAP-ENV:Fault>
      <faultcode>301</faultcode>
      <faultstring xsi:type="xsd:string">User is not authorized</faultstring>
      <detail>Profile get error 301: Action not allowed for the user</detail>
    </SOAP-ENV:Fault>

SOAP Fault, version 1.2:

    <SOAP-ENV:Fault>
      <SOAP-ENV:Code>
        <SOAP-ENV:Value>SOAP-ENV:Sender</SOAP-ENV:Value>
        <SOAP-ENV:Subcode>
          <SOAP-ENV:Value>301</SOAP-ENV:Value>
        </SOAP-ENV:Subcode>
      </SOAP-ENV:Code>
      <SOAP-ENV:Reason>
        <SOAP-ENV:Text>User is not authorized</SOAP-ENV:Text>
      </SOAP-ENV:Reason>
      <SOAP-ENV:Detail>Profile get error 301: Action not allowed for the user</SOAP-ENV:Detail>
    </SOAP-ENV:Fault>

Chapter 6. SCS SUPPORT CONTENT

This section includes:
• SCS Tools on page 125
• Using a Script to Import Intel AMT Configuration Properties on page 127
• Defining a New Template for an Enterprise CA on page 130
• Internationalization of SCS Messages on page 135
• Retrieving a Certificate for Use by a Posture Validation Server on page 136
• Configuring PEM Files for Redirection Applications on page 137
• CRL XML Format on page 139
• Troubleshooting on page 140
• Windows Service Messages on page 142
• Glossary on page 160

Intel AMT SCS Installation And User Manual

SCS Tools

This section d...
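The two fault layouts above differ in where the SCS error number (301 here) and the reason text live. The following is an added example, not code from the manual or from the Intel SCS SOAP API, of a small client-side parser that normalizes both layouts into one structure so that an ISV console can log the SCS error code regardless of which SOAP version the endpoint speaks. The envelope namespaces are the standard SOAP 1.1 and 1.2 ones; the two sample responses are constructed here and wrap the manual's fault bodies in a full envelope.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// NormalizedFault is the version-independent view of an SCS SOAP fault.
type NormalizedFault struct {
	Version string // "1.1" or "1.2"
	Code    string // the SCS error number carried in the fault, e.g. "301"
	Reason  string // human-readable reason, e.g. "User is not authorized"
	Detail  string // the SCS detail text
}

// soapFault maps both fault layouts onto one struct. The tags carry no
// namespace, so encoding/xml matches local names under either envelope.
type soapFault struct {
	FaultCode    string `xml:"faultcode"`           // SOAP 1.1
	FaultString  string `xml:"faultstring"`         // SOAP 1.1
	Detail11     string `xml:"detail"`              // SOAP 1.1
	CodeValue    string `xml:"Code>Value"`          // SOAP 1.2 category (SOAP-ENV:Sender)
	SubcodeValue string `xml:"Code>Subcode>Value"`  // SOAP 1.2 SCS error number
	ReasonText   string `xml:"Reason>Text"`         // SOAP 1.2
	Detail12     string `xml:"Detail"`              // SOAP 1.2
}

type envelope struct {
	XMLName xml.Name   `xml:"Envelope"`   // records the envelope namespace
	Fault   *soapFault `xml:"Body>Fault"` // nil when the body carries no fault
}

// Standard envelope namespaces (assumed here; the manual's fragments omit them).
const (
	soap11NS = "http://schemas.xmlsoap.org/soap/envelope/"
	soap12NS = "http://www.w3.org/2003/05/soap-envelope"
)

// ParseFault extracts the SCS error code, reason and detail from a SOAP
// response in either version, or returns an error if no usable fault is found.
func ParseFault(doc string) (*NormalizedFault, error) {
	var env envelope
	if err := xml.Unmarshal([]byte(doc), &env); err != nil {
		return nil, err
	}
	if env.Fault == nil {
		return nil, fmt.Errorf("no SOAP Fault element in response")
	}
	f := env.Fault
	nf := &NormalizedFault{}
	switch env.XMLName.Space {
	case soap11NS:
		nf.Version, nf.Code = "1.1", strings.TrimSpace(f.FaultCode)
		nf.Reason, nf.Detail = strings.TrimSpace(f.FaultString), strings.TrimSpace(f.Detail11)
	case soap12NS:
		nf.Version, nf.Code = "1.2", strings.TrimSpace(f.SubcodeValue)
		nf.Reason, nf.Detail = strings.TrimSpace(f.ReasonText), strings.TrimSpace(f.Detail12)
	default:
		return nil, fmt.Errorf("unrecognised envelope namespace %q", env.XMLName.Space)
	}
	if nf.Code == "" {
		return nil, fmt.Errorf("fault carries no error code")
	}
	return nf, nil
}

// Constructed sample responses wrapping the manual's two fault bodies.
const fault11 = `<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
 <SOAP-ENV:Body><SOAP-ENV:Fault>
   <faultcode>301</faultcode>
   <faultstring xsi:type="xsd:string">User is not authorized</faultstring>
   <detail>Profile get error 301: Action not allowed for the user</detail>
 </SOAP-ENV:Fault></SOAP-ENV:Body>
</SOAP-ENV:Envelope>`

const fault12 = `<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
 <SOAP-ENV:Body><SOAP-ENV:Fault>
   <SOAP-ENV:Code>
     <SOAP-ENV:Value>SOAP-ENV:Sender</SOAP-ENV:Value>
     <SOAP-ENV:Subcode><SOAP-ENV:Value>301</SOAP-ENV:Value></SOAP-ENV:Subcode>
   </SOAP-ENV:Code>
   <SOAP-ENV:Reason><SOAP-ENV:Text>User is not authorized</SOAP-ENV:Text></SOAP-ENV:Reason>
   <SOAP-ENV:Detail>Profile get error 301: Action not allowed for the user</SOAP-ENV:Detail>
 </SOAP-ENV:Fault></SOAP-ENV:Body>
</SOAP-ENV:Envelope>`

func main() {
	for _, doc := range []string{fault11, fault12} {
		nf, err := ParseFault(doc)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("SOAP %s: code=%s reason=%q detail=%q\n", nf.Version, nf.Code, nf.Reason, nf.Detail)
	}
}
```

Both samples normalize to code 301 with the same reason and detail; a response whose root is not a SOAP envelope, or whose body has no Fault, is reported as an error rather than silently treated as success.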
...es. If that condition occurs, the application pool shuts down.
  Solution: Restart the default application pool. If that does not help, restart the IIS.

Problem: The server seems to be stuck. The symptoms are 100% CPU usage for more than 10 minutes and the service does not respond to setup requests from Intel AMT devices.
  Solution: On the Console, Configuration Service Settings, General pane, decrease the number of threads. Restart the service.

Problem: I am having trouble connecting to the Intel AMT device, either during or after setup and configuration.
  Solution: If using PSK, make sure that the PID/PPS that has been entered to the Intel AMT device are available in the SCS database and the passwords match. If using remote configuration, make sure that the root certificate is loaded to the SCS using the loadcert tool. If using TLS mode, make sure that certificates are defined and set properly in the SCS profile. Make sure that there is no double DNS registration: the FQDN of the Intel AMT device and the host must be the same.

Problem: There is no row in the AMT table in the database with the UUID I am trying to configure.
  Solution: Make sure that a record exists for the machine in the configuration...

Problem: I am unable to create an AD AMT object.

Problem: When I try to logon from a remote SCS console I get the message "underlying connect failed".

Problem: I can't login to WebUI after the Intel AMT platform is configured when the Integrate with AD mode is selected in the SCS.
...escribes the command line and administrative tools installed with the SCS.

Command Line Tools

Add New Intel AMT Properties

The Administrator can use this command line tool to add a new record to the NewAMTs table in the SCS database. The tool runs on the platform host and retrieves the UUID and the platform FQDN. It takes as input the URL of the IIS virtual directory so it can send a request to the SOAP API to add the entry to the database. It also takes as input the Profile name and the AD OU where the entry should be stored. The trusted root certificate for the IIS instance on the SCS service platform must be installed on the host to enable the tool to send the entry to the database.
1. Navigate to the directory named <InstallDrive>\Program Files\Intel\AMTConfServer\Tools.
2. From the command line, run AddServicNewAMTProperties.exe. The function displays a usage message.

Database Dump

The Administrator uses this tool to dump the contents of the setup and configuration database. The tool uses ADO.NET and Windows authentication to access the database.
1. Navigate to the directory named <InstallDrive>\Program Files\Intel\AMTConfServer\Tools.
2. From the command line, run DumpDB.exe. A usage message will be printed. The parameters are DB Server name, Server Instance and DB name. Optionally provide a DB User and password for SQL Server authentication. The program dumps the DB contents to a file in the same directory as the command.

Adm...
...etails of a Device

To view a list of existing Intel AMT devices:
1. Open the Intel SCS Console.
2. Select Intel AMT Systems. The Intel AMT Systems table is displayed.

[Intel AMT Systems screen: list of Intel AMT devices with columns FQDN, Status, Provision Date, Type (PSK), Authorized and Profile; buttons Details, Operations, Export, Refresh, Log, Apply Filter; Intel AMT Filter by Version, Status (Un-Provisioned), Profile ID, UUID and From Provisioning Date; Order By AMT / Order By UUID; Page 1 of 1.]

3. Select an Intel AMT device and click Log for a display of system log entries for the selected device.
4. To review specific details about the configuration of a device, select a device and click Details. The Details screen has two tabs (see below). The General pane shows basic information for the Intel AMT device, while the Status pane shows the last time that certain functions were performed.
5. Click Export to create and save an XML file containing the information in the device table.

[Intel AMT Configuration details screen: Version, Type PSK, FQDN, Status: Provisioned ...]
...f the DNS and DHCP are configured to operate in this way. This is a default feature of Microsoft DNS and DHCP servers.

When an Intel SCS contacts a configured Intel AMT device, it uses the FQDN of the Intel AMT device. When using TLS and/or Kerberos this is essential, as the platform and the Intel AMT device are identified in certificates and Kerberos tickets with the FQDN. This necessitates that the DNS server contain a Host (A) record for every configured Intel AMT device. This is the responsibility of the Administrator. There are several methods to do this:
• Manual entry of the Host (A) record.
• A successful boot of the host OS that registers a DNS entry with the same name. This method is good as long as the IP lease and DNS entry are maintained.
• Configure DNS and DHCP to enable AMT use of option 81.

AMTConfig Service Verification

To verify that the AMTConfig Windows service is running:
1. Click the Windows Start button and click Run.
2. In the Open field, enter services.msc and click OK. The Services (Local) window is displayed.
3. In the Status column, check the status of AMTConfig. If there is no listing in the column, the service is not running.
4. Select AMTConfig. "Start the service" is displayed.

[Services (Local) window]
...f the SCS Server Components
Installing the Intel SCS Server Components
Give the SCS User Permission to Create/Delete AMT Objects
Upgrading the Intel SCS to a New Version
Silent Install
Installing the Intel AMT Management Console
Post Installation Operations
Intel AMT Configuration and the DNS
Intel SCS
Intel AMT Devices
AMTConfig Service Verification
Quick Start and System Test
Recommended Daily Workflow
Intel AMT Preparation
Preparation Without a USB Device
Using a USB Storage Device for Factory Mode Setup
Requirements
Preparation
Initializing a Platform
Moving to Setup Mode
Preparing Intel AMT for Future Configuration
Remote Configuration
Overview of Remote Configuration Flow
Intel AMT Release 3.0 Additional Features
Remote Configuration Certificate Differences between Releases
Remote Configuration Tool
Intel SCS Console
SCS Console Overview
Using the SCS Console for the First time
Console Navigation Pane
Console Configuration Pane
Commands and Navigation using the Console
Logging In
Configuring Main Service Settings
Defining General Parameters
Configuring Profiles
Viewing Existing Profiles
Adding a Profile
Defining Wireless Profiles
Defining 802.1x Profiles
Configuring Pre Setup and Configuration Security Keys
Configuring Users and Groups
Viewing Existing Users
Adding a User
Configuration Parameters per Device
Viewing Defined Intel AMT Devices
Defining a New Intel AMT Device Record
Fil...
ID | Message Text | Type | Cause | Solution
1973 | ...fferent uses ... allowed %2d | | |
1974 | Mutual authentication is enabled, hence you must have at least one trusted root certificate in the profile. Please disable mutual authentication to be able to remove the trusted root certificate | Error | Mutual authentication is enabled, hence you must have at least one trusted root certificate in the profile. Please disable mutual authentication to be able to remove the trusted root certificate | Disable mutual authentication
1975 | A Wired 802.1X profile must be set in order to enable 802.1X PXE boot | Error | A Wired 802.1X profile must be set in order to enable 802.1X PXE boot | A Wired 802.1X profile must be set in order to enable 802.1X PXE boot
1976 | A Wired 802.1X profile must be set in order to enable 802.1X in S0 | Error | A Wired 802.1X profile must be set in order to enable 802.1X in S0 | A Wired 802.1X profile must be set in order to enable 802.1X in S0
1977 | Environment detection must be enabled in order to enable wireless without profiles | Error | Environment detection must be enabled in order to enable wireless without profiles | Environment detection must be enabled in order to enable wireless without profiles
1978 | Wireless without profiles was disabled | Info | Environment detection must be enabled in order to enable wireless without profiles | N/A
1979 | 802.1X in S0 was disabled | Info | A Wired 802.1X profile must be set in order to enable 802.1X in S0 | N/A
| 802.1X PXE boot was disabled | Info | A Wired 802.1X ... |
...fy those that did not complete the setup and configuration sequence.

Management Console Co-existence Issues

A typical Enterprise installation that takes advantage of Intel AMT's capabilities will depend on management consoles from different vendors to accomplish mutually independent tasks. All consoles need to know the platforms within their scope that have Intel AMT configured. Some of these consoles will use the SCS as a database that identifies the Intel AMT based platforms and their state. The SCS in this context serves as a discovery engine. A different class of consoles (usually only one console in the enterprise) will have setup and configuration responsibility and tell the SCS which platforms to set up. This console should be aware of the other type of console that interacts with the SCS on a read-only basis.

The SCS configuration parameters can be changed by any user with administrator role permissions. The general settings are global for all parts of an SCS installation sharing a database. This can be multiple instances of the server and also multiple instances of the SCS console, or an ISV console that communicates with the SOAP API. The IT organization must establish a policy that determines which console is responsible for setting the SCS parameters. Don't assume that the Management Console and the SCS execute on the same platform.

Chapter 2. ENVIRONMENT PREREQUISITES AND IN...
...guration settings to the Intel AMT devices. Intel AMT devices can be located on, for example, a desktop computer, a mobile computer or a workstation. This process includes pre-setup and configuration, setup and configuration, integration with Active Directory, gathering security information, and maintenance.

Pre-Setup and Configuration

Intel SCS generates data used to configure Intel AMT devices. This data includes:
• PPS, PID and MEBx password generation
• USB key file containing a list of PPS, PID and MEBx password sets
Remote configuration does not use these values.

Setup and Configuration

Intel SCS delivers initial values to Intel AMT devices. Before setup and configuration begins, administrators add these initial values to the database. The administrator enters the values into Profiles or into descriptions of individual Intel AMT devices, or the information is generated automatically. The information includes:
• Administrator account credentials: Username and password
• Access control list (ACL) entries for Digest and/or Kerberos user accounts
• Networking settings: Host Name and domain name
• RSA key pair and X.509 certificate for TLS (TLS Certificate and RSA private key, automatic)
• Pseudo-Random Number Generator (PRNG) value
• Intel AMT Kerberos secret key (generated automatically), SPNs, operational parameters
• Time and date (automatic)
• Trusted root certif...
...hash.
3. For the delayed installation sequence described below (delayed meaning that the Intel AMT device was not set up immediately upon being connected to the network; see Bare Metal Setup and Configuration on page 66), the Remote Configuration Tool must be executed on the host platform.
4. The SCS is registered with a DNS server accessible to the Intel AMT device with the name "Provisionserver" (or the name defined by the OEM) and is in either the same domain as the device or in a domain with the same suffix.
5. The SCS has a certificate with the appropriate OID or OU that traces to a CA which has a root certificate hash stored in the Intel AMT device. The OID in the Extended Key Usage field must be a Server Authentication Certificate (1.3.6.1.5.5.7.3.1) with an Intel setup extension (2.16.840.1.113741.1.2.3), or the OU value in the Subject field must be "Intel(R) Client Setup Certificate". The Subject CN must match the domain suffix of the Intel AMT platform (see Remote Configuration Certificate Differences between Releases on page 66 below).
6. The SCS is configured to allow remote configuration. The checkbox on the Console Service Settings General screen for "Allow configuration with certificate based configuration" must be checked. "One time password required" should be checked if one time passwords will be used. See page 78.
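Step 5 above is the one check an administrator can run before deployment without touching a device: the setup certificate must carry the Server Authentication EKU plus the Intel setup OID, or the Intel(R) Client Setup Certificate OU, and its Subject CN must sit under the Intel AMT platform's domain suffix. The following is an added example, not code from the manual or from Intel, that applies those three rules to a parsed certificate using Go's standard crypto/x509 package. The self-signed test certificates, the helper names and the domain suffix "yourenterprise.com" are constructed for the example; validating the chain against the root certificate hashes stored in the device is out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Intel setup extension OID named by the manual (Server Authentication
// is x509.ExtKeyUsageServerAuth, 1.3.6.1.5.5.7.3.1).
var oidIntelSetup = asn1.ObjectIdentifier{2, 16, 840, 1, 113741, 1, 2, 3}

// OU value the manual accepts in place of the Intel setup OID.
const intelSetupOU = "Intel(R) Client Setup Certificate"

// CheckSetupCert reports whether cert meets the manual's remote configuration
// certificate rules and lists every rule that fails. Chain validation against
// the device's root hashes is deliberately not done here.
func CheckSetupCert(cert *x509.Certificate, amtDomainSuffix string) (bool, []string) {
	var problems []string

	hasServerAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			hasServerAuth = true
		}
	}
	hasIntelOID := false
	for _, oid := range cert.UnknownExtKeyUsage { // Go keeps non-standard EKU OIDs here
		if oid.Equal(oidIntelSetup) {
			hasIntelOID = true
		}
	}
	hasOU := false
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou == intelSetupOU {
			hasOU = true
		}
	}
	if !(hasServerAuth && hasIntelOID) && !hasOU {
		problems = append(problems, "EKU lacks Server Authentication + Intel setup OID, and Subject has no "+intelSetupOU+" OU")
	}

	// Subject CN must match the platform's domain suffix (case-insensitive, label-aligned).
	cn := strings.ToLower(strings.TrimSuffix(cert.Subject.CommonName, "."))
	suffix := strings.ToLower(strings.Trim(amtDomainSuffix, "."))
	if suffix == "" || !(cn == suffix || strings.HasSuffix(cn, "."+suffix)) {
		problems = append(problems, fmt.Sprintf("Subject CN %q does not match domain suffix %q", cert.Subject.CommonName, amtDomainSuffix))
	}
	return len(problems) == 0, problems
}

// makeTestCert builds a constructed self-signed certificate with the chosen
// Subject and EKU set so CheckSetupCert can be exercised offline.
func makeTestCert(cn string, ous []string, withIntelOID bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: ous},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withIntelOID {
		tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidIntelSetup}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parse back so EKU/OU land in the real fields
}

func main() {
	cases := []struct {
		name string
		cn   string
		ous  []string
		oid  bool
	}{
		{"EKU with Intel OID", "provisionserver.yourenterprise.com", nil, true},
		{"OU only", "provisionserver.yourenterprise.com", []string{intelSetupOU}, false},
		{"plain server cert", "provisionserver.yourenterprise.com", nil, false},
		{"wrong domain", "provisionserver.other.example", nil, true},
	}
	for _, c := range cases {
		cert, err := makeTestCert(c.cn, c.ous, c.oid)
		if err != nil {
			panic(err)
		}
		ok, problems := CheckSetupCert(cert, "yourenterprise.com")
		fmt.Printf("%-20s ok=%v %v\n", c.name, ok, problems)
	}
}
```

The first two cases pass (OID route and OU route), the third fails because a plain TLS server certificate carries neither marker, and the fourth fails on the CN rule even though its EKU is right; a certificate that is rejected here would cause the device to refuse the remote configuration handshake, so it is cheaper to catch it on the SCS side first.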
ID | Message Text | Type | Cause | Solution
| ...he %1 %2 %3 has invalid format. The expected format is %4 | Error | The parameter has invalid format | Provide format as indicated
| The supplied list length is out of range | Error | | Provide list length as indicated
957 | The enumeration %1 is out of range | Error | The enumeration is out of range |
958 | The required parameter %1 is missing | Error | The required parameter is missing | Provide the required parameter
959 | The parameter %1 should be between %2li and %3li | Error | The parameter is not in specified range | The parameter should be in specified range
| The %1 url format is invalid. The expected format is http://x.x/crl | Error | The url format is invalid | Provide valid URL; expected format is http://x.x/crl
| The FQDN %1 ... | Error | Validate that the FQDN does not exist; if it DOES NOT, an exception will be thrown | N/A
964 | One or more required parameters are missing | Error | One or more required parameters are missing | Provide requested parameters
965 | Intel AMT device name %1 UUID %2 is not authorized for provisioning | Info | Intel AMT device is not authorized for provisioning | Authorize the Intel AMT device
983 | Failed to set wireless profile %1 | Error | Failed to set wireless profile | See the specific error code

ID | Message Text | Type | Cause | Solution
| %1 with the same name already exists | | The parameter with the sa...
...he Console display and select Add to create a new profile, Edit to modify an existing profile, or Delete to delete an existing profile.

[802.1x profile screen ("Configure the 802.1x settings"): Profile Name EAP_TLS; Protocol EAP-TLS; AMT Client Authentication: AMT uses Active Directory credentials for 802.1x client authentication; Radius Server Authentication: Radius Server Identity, Trusted Root CA for Radius server; Client Certificate Details: Issuer, Name, Valid until; Radius Server Certificate Subject Name; Roaming Identity: ACS Full Suffix.]

Profile Name: Enter a name for the new 802.1x profile.
Protocol: Select from one of the available options. The client and server authentication methods enabled on the 802.1x Profile tab vary according to the protocol selected.

Table 6. 802.1x Protocol Options

Protocol | Client Authentication Options | Server Authentication Options
EAP-TLS | Client Certificate (required) | Trusted root for Radius server certificate (required)
EAP-TTLS / MS-CHAP v2 | Client Certificate (required); Roaming Identity (optional) | Trusted root for Radius server certificate (required)
EAP-PEAP / MS-CHAP v2 | Not required | Trusted root for Radius server certificate (required)
EAP-GTC | |
EAP-FAST / MS-CHAP v2 | Client Certificate (required); Roaming Identity (optional) | Trusted root for Radius server certificate (required)
ID | Message Text | Type | Cause | Solution
1630 | ...he Intel AMT device ... with the previous password. The Intel AMT device is inaccessible | Error | ... previous password. The Intel AMT device is inaccessible | Un-provision and send Hello message again
1640 | Failed to retrieve NAC certificate | Error | Failed to retrieve NAC certificate | N/A
| The Intel AMT device with UUID %1 is ... | | The Intel AMT device is not registered as ... | N/A
1642 | Unknown Certificate status | Error | |
1643 | Failed to extract domain from AD OU %1 on update | Error | Failed to extract domain from AD OU on update | N/A
1644 | Kerberos Password Error | Error | Kerberos Password Error |
1645 | Invalid PPS %1 | Error | Invalid PPS |
1700 | Failed in database command creation %1 | | Failed in database command creation | N/A
1701 | Cannot add parameter for column %1 | | Cannot add parameter for column |
1702 | Cannot get column at index %1d | | Cannot get column |
| Time has invalid format; expected format is yyyy-MM-dd hh:mm:ss | Error | Time has invalid format | Provide date in the following format: yyyy-MM-dd hh:mm:ss
1705 | Cannot contact unprovisioned Intel AMT device without PID/PPS | Error | Cannot contact unprovisioned Intel AMT device without PID/PPS | Make sure there are valid PID/PPS

ID | Message Text | Type | Cause | Solution
1708 | Cannot obtain connection to Intel AMT device on %1 | | Cannot obtain connection to Intel AMT device |
| Invalid access permission type | | Invalid access permission type |
...he SCS Console.

The figure below presents a simplified flow within the SCS.

[Figure: Hello Message from Intel AMT device → Hello Listening Thread → Handoff to Queuing thread → Place request on DB queue; Service request from API → Database queue; Worker Threads take requests from the DB queue; time-consuming task passed to Slow Worker Threads; control returns to the worker thread when the task completes.]

Worker Threads

Worker threads take requests from the DB queue. A slow worker thread processes time-consuming tasks. Control returns to the worker thread when the task completes. A worker thread processes a request from the queue and updates the Intel AMT device according to the request, including complete setup and configuration. When a request requires a time-consuming operation, such as requesting a certificate or adding or updating an Active Directory entry, the worker thread requests a slow worker thread.

Delayer Threads

When a worker or slow worker thread cannot complete a task due to lack of a resource or some other cause, the task is passed to a delayer thread and the worker thread is released to start another task. After the delay period completes, the delayer thread passes the task back to a worker or slow worker thread.

SCS Operational Flow

Setup and Configuration Operational Overview

The primary purpose of the Intel SCS is to deliver the Intel AMT Setup and Confi...
...he customer IT organization for use in the setup and configuration process. The import function on the SCS Console Security Keys screen can import such a file.

The platform will start sending Hello messages as soon as it is powered on and connected to a network. If no SCS server is present to respond to the messages, the platform will have to be disconnected from AC power and then reconnected to start the Hello sequence again, as described on page 60.

It is also possible to prepare the Intel AMT based platform for configuration without entering Setup Mode. Either use a USB storage device as described above, or follow the Factory Mode Setup steps but under the TCP/IP menu item select Y at the Disable Network Interface option. Enter a PID/PPS pair as well. When the time comes to configure and enable the Intel AMT device, re-enter the BIOS sub-menu and change the TCP/IP settings to make the network interface operational by responding Y to Enable Network Interface and setting DHCP as the IP source.

Remote Configuration

Remote Configuration is a feature added with Intel AMT Releases 2.2, 2.6 and 3.0. It eliminates the need for IT personnel to manually install a PID/PPS pair to enable setup. The Remote Configuration process depends on several Intel AMT enhancements:
• Embedded hashed root certificates: The Intel AMT device contains one or more root certificate hashes from worldwide SSL certificate providers in the firmware imag...
...icates (Mutual TLS)
• Trusted domain name suffixes (Mutual TLS)
• Certificate Revocation Lists (CRLs)
• Power policy options
• Replacement PID/PPS
• Wireless Profiles
• 802.1x Profiles
• NAC Profiles
• Third party data storage parameters (not implemented in this release)
The information is used to communicate securely with an Intel AMT device, to configure it, and to create an Active Directory entry.

Integration with Active Directory

Intel SCS integrates the Intel AMT device with Microsoft Active Directory by creating a directory entry based on the Intel Management Engine class. The SCS installation includes scripts used by the enterprise administrator to:
• Extend the Active Directory schema to support the Intel Management Engine class
• Populate the Intel Management Engine attributes
During setup, Intel SCS:
• Creates an Active Directory object representing the Intel AMT device
• Creates an attribute for connecting the AD computer object to the AMT object

Gathering Security Information

Intel SCS collects required operational security parameters:
• As part of setting up the SCS, the administrator defines Active Directory users and permissions for those administrators and operators that will work with Intel SCS. The administrator uses scripts to define the necessary groups and users within Active Directory, and then uses the SCS User commands to define which users have specific permissions to operate the service.
ID | Message Text | Type | Cause | Solution
1020 | ...ice admin ... or password | | | Check connection and password validity/format
1021 | Cannot modify the AMT password using old password | Info | Cannot modify the Intel AMT device password using old password | N/A
1022 | Cannot use AMT old password: unknown current password | Error | Error when tried to use Intel AMT old admin password | Check connection
1200 | Hash list does not contain Root Certificate hash. PKI Provisioning failed | Error | None of the hashes sent by the Intel AMT device in the Remote Configuration process matches the root certificate held by SCS | Verify the Intel AMT device contains the correct hash
1201 | Invalid Intel AMT OTP | Error | The OTP (one time password) installed in the Intel AMT device does not match the expected OTP as exists in the database | Use console/soap to modify the OTP in the database

ID | Message Text | Type | Cause | Solution
1202 | Remote Configuration provisioning is not supported by SCS | Error | Intel AMT device sends PKI based hello message but provisioning based on this type of hello is not allowed | Use console/soap to support PKI based provisioning
| OTP is required but not assigned | | No OTP record was found in the database for the Intel AMT device | Enter the OTP in the database for the Intel AMT device ...
| Missing registry key for PKI | | Missing registry key for PKI provisioning | Make sure at least one certificate is selected for ...
...ile
1857 | Failed to generate unique profile name | | Failed to generate unique profile name | Try to create another profile
1859 | Client certificate is missing | | Client certificate is missing | Provide client certificate
1860 | Server certificate is missing | | Server certificate is missing | Provide server certificate
1862 | The configuration profile ID %1d is configured with wired 802.1x profile containing a protocol which is not supported by NAC. Please select a wired 802.1x profile with EAP-FAST/MSCHAPV2 or EAP-FAST/GTC protocol | Info | The configuration profile ID is configured with wired 802.1x profile containing a protocol which is not supported by NAC | Select a wired 802.1x profile with EAP-FAST/MSCHAPV2 or EAP-FAST/GTC protocol
1863 | User %1 does not have sufficient privileges to perform the operation | Error | The user does not have sufficient privileges to perform the operation | N/A
1864 | The specified FQDN and UUID already included at different mapping; please revise your mapping | Error | The specified FQDN and UUID already included at different mapping | Please revise your mapping
1865 | %1 attempted to assume another platform's identity | Error | FQDN attempted to assume another platform's identity | N/A
1866 | Failed to search for user's group membership. Application will check authorization of user account itself | Error | Lost connection to DB | Check connection to DB
| Failed to allow dial-in on Intel AMT ... | | Failed to al...
ID | Message Text | Type | Cause | Solution
| ...iled with the specified error %2d | Warning | | Proceed accordingly to the error
997 | %1 must not contain <> characters | Error | The specified field contains <> characters | Remove these characters (<>) from the field
998 | The selected profile is in use and cannot be deleted | Error | The selected profile is in use and cannot be deleted | Remove the profile from Profiles, Wireless profiles, etc. to allow its deletion
| Attempt to enumerate wireless profiles for an Intel AMT device failed. Details: %1 | Error | Attempt to enumerate wireless profiles for an Intel AMT device failed | See details (specific error)
| Set wireless profile %1 failed. Details: ... | Error | Set wireless profile failed | See details (specific error)
1002 | Invalid credentials were specified for an Intel AMT device | Error | Invalid credentials were specified for an Intel AMT device | Supply valid credentials
1003 | %1 must not be empty | Error | The parameter is empty | Provide the parameter
1005 | The path must start with drive letter preceded with ... | Error | The path was supplied incorrectly | The path must start with drive letter preceded with ...

ID | Message Text | Type | Cause | Solution
1006 | The selected certificate is in use and cannot be deleted | Error | The selected certificate is in use and cannot be deleted | Remove the certificate from Profiles, Wireless profiles, etc. to allow its deletion
| Set 802.1x wired profile %1 f... | | |
...inistrative Tools

Administrative Tools are .vbs scripts that extend and test the Active Directory schema. They are located in folders under <InstallDrive>\Program Files\Intel\AMTConfServer\AdminScripts. We recommend running the scripts from the command line prompt using cscript, for example: cscript myscript.vbs. This ensures that, instead of opening separate messages, all messages are printed on the command line.

Active Directory Schema

This folder contains three scripts:
• BuildSchema.VBS: Extends the Active Directory Schema to support the Intel Management Engine class. This script is run only once per domain. The file IntelAMT.LDF must be in the same folder. Parameters: None.
• CheckSchemaKExists.VBS: Checks that the Schema is properly extended. Parameters: None.
• ExportSchema.VBS: Exports the portion of the Intel Management Engine Schema to IntelAMTExport.LDF. Parameters: None.

Using a Script to Import Intel AMT Configuration Properties

When the SCS is configured to use a script to obtain information about an Intel AMT device that sent a setup request, the following occurs:
• The Intel AMT device sends a Hello message.
• When the SCS receives the Hello message, it first searches the New Intel AMT table for a matching UUID entry.
• If there is no matching entry, the SCS sets environment variables based on values in the...
...ion begins. A progress bar indicates the status of the installation. When the installation is complete, the InstallShield Wizard Complete screen is displayed.

[InstallShield Wizard Complete screen: "The InstallShield Wizard has successfully installed Intel Active Management Technology Setup and Configuration Server. Click Finish to exit the wizard." Checkbox: Start Intel AMT Config Service. Note: "For proper Active Directory Integration the AD Schema must be extended to accommodate the IntelManagementEngine Class. The file C:\Program Files\Intel\AMTConfServer\AdminScripts\Active Directory Schema\intelAMT.LDF contains the class and attributes definitions. For your convenience, in the same folder scripts are available for building and testing the Schema extension."]

The Installation Complete screen has a reminder to run the scripts required to add the IntelManagementEngine class to Active Directory. To do this, a user with Enterprise Admin permissions runs BuildSchema.vbs at <installdrive>\Program Files\Intel\AMTConfServer\AdminScripts\Active Directory Schema. Optionally select the checkbox to start the SCS immediately.
12. Click Finish.

Give the SCS User Permission to Create/Delete AMT Objects

Once the Activ...
...ional Overview
Pre-Setup and Configuration
Setup and Configuration
Integration with Active Directory
Gathering Security Information
Management and Maintenance
Configuring Intel AMT in a Secure Environment
Support for Wireless Environments and Wired 802.1x
Protecting Against Platforms Masquerading as an Intel AMT Device
The SCS Database
Considerations
Database Security
Backup & Restore
SCS and Active Directory
Tasks and Permissions
Active Directory Schema
AMT Object
Computer Object
Intel AMT Device Configuration Information
Information for ISVs
Remote Configuration Tool
Ecosystem
Management Console Co-existence Issues
Environment Prerequisites and Installation
System Requirements
Environment Overview
Description of Intel SCS Components
Intel SCS Console
List of Required Microsoft Components
Environment Prerequisites
.NET Framework 2.0
Microsoft SQL Server Express
Enable SQL Server and Windows Authentication Mode
SQL Server Verification
Internet Information Services (IIS) 6.0
IIS Verification
Microsoft Certificate Authority
Installing the Microsoft CA
Exporting and Installing the CA Root Certificate
Adding the SCS User to the Web Services Template
Secure the Connection to IIS Using SSL
Installing a CA Certificate to Authenticate IIS
Installing an Intel AMT Client Certificate for TLS Mutual Authentication
Active Directory (AD) and Changes to the AD Schema
Adding an OU for AMT Objects
Updating the Schema for Intel AMT
Installation o...
...is: With 802.1x, EAP-GTC and EAP-TLS
• Microsoft IAS: With 802.1x, EAP-TLS

Protecting Against Platforms Masquerading as an Intel AMT Device

The SCS starts its setup and configuration process upon receipt of a Hello message from an Intel AMT device. If the SCS receives a request from an Intel AMT device that is recorded in the database as having completed setup, the request will be ignored. This protects against a rogue platform masquerading as an Intel AMT device waiting for setup. If the Intel AMT device was reset to the Factory Setup (pre-provisioning) state by an application other than the SCS, or by entering an Un-provision command using the ME BIOS extension (see the MEBx menu on page 59), then the device must be removed from the SCS database before setup can take place. See Delete AMT on page 112 to do this using the SCS Management Console.

The SCS Database

A Setup and Configuration Domain has only one SCS database. This supports deployment of a platform containing Intel AMT in any segment of the enterprise, which may be an entire enterprise network or a subset of it. Both the Setup and Configuration Service and the SOAP API access the database directly. Thus all SCS service instances share a common set of service configuration parameters. This localizes the impact of changes in database components.

The database stores configuration data that includes:
• Shared objects that are gen...
...isplayed.
5. From the Setup Type screen, select Complete. Intel SCS Setup inspects the computer's software. Messages are displayed if any of the prerequisites are missing. If any prerequisites are missing, click Cancel and add them. Use the Custom option only if there is a need to use a target directory that is different from the default. The default is <root directory>\Program Files\Intel\AMTConfServer. Although there is an option to select features, install all components.
6. The Select Main Service User screen is displayed.

[Select Main Service User screen: "To use Intel AMT SCS Windows service you must supply domain name, user name and password for the Windows service." Fields: User name (example shown: SEABREEZE\Administrator), Password; "Select the button below to specify information about a new user that will be created during the installation": New User.]

Enter the user name in the format NetBIOS Name\Username. In an Active Directory environment the NetBIOS name will be the domain name. In the absence of Active Directory this will be the computer name where the installation is taking place. This user must have the necessary permissions to run as a service. The installer prompts to add this permissi...
l setup, or because the RCT was already run. This error can be ignored if the RCT was executed to send the FQDN to the SCS without opening the Intel AMT network interface.
3. Platform does not support Intel AMT, or the MEI driver is either not installed or is not responding.
4. Unable to connect to Intel AMT; device drivers may not be installed on the host.
5. SCS internal error.

Intel AMT SCS Installation And User Manual

Return Value and Meaning:
- Unable to authenticate to the SCS. IIS does not recognize the user credentials. This may be due to an incorrect password, or the user does not have sufficient permissions.
- Unable to connect to the SCS. This may be due to a number of causes, such as a TCP error, an HTTP error or server not found. This may result from:
  - an incorrect FQDN for the SCS in the command line
  - a failed HTTPS connection due to a missing trusted root certificate
  - IIS is stopped on the SCS platform
- Error code received from SCS. See the SCS logs for the specific error.
- Requires one touch: this platform either does not support remote configuration and requires a PID/PPS pair before setup and configuration can start, or the MEBx password has not been changed from its default value.
- Invalid command line input parameters. For example, a malformed OU or a non-numeric entry for the profile number.
- Manageability mode is not Intel AMT and transitioning to Intel AMT was not enabled. Try using the t on parameter.
- Manageabi
l purpose operating system such as Windows XP
- an Intel AMT device operating independently of the host. The Intel AMT firmware executes on the Intel Management Engine (Intel ME).
[Figure: Platform with Intel vPro Technology, showing the host running an OS, the Intel AMT device, local traffic between the host and the Intel AMT device, and host network traffic]
When an Intel AMT enabled platform is delivered, the Intel AMT device is present but disabled. The Intel AMT device must undergo setup and configuration before it is operational. In Enterprise environments the setup and configuration must be done over the network interface. In addition to the term Setup and Configuration, the process of enabling an Intel AMT device is also called provisioning. The Intel AMT Setup and Configuration Service performs all the necessary steps to make an Intel AMT device operational. This includes Intel AMT Release 2.0 and later releases. Once the Intel SCS has been installed and its database has been loaded with initial data, setup and configuration starts when an Intel AMT device sends a message called a Hello message to the SCS. The SCS and the Intel AMT device communicate securely as the SCS generates and sends the device:
- certificates from a public key infrastructure (PKI)
- access control lists (ACLs)
- other setup parameters as defined in a profi
late.
- Creating a client certificate to install in an Intel AMT device so it can authenticate to a Radius server, as a requirement of IEEE 802.1x. The SCS creates this certificate automatically for each device that requires one.
Using an Enterprise CA to generate server certificates for Intel AMT devices does not require a customized template, but it does require that the SCS user have Read and Enroll permissions for the default WebServer template.
Use the following procedure to create a template based on an existing default template:
1. Log onto the platform running the Enterprise CA. The user must have Administrator permissions on this platform.
2. Click Start > Run, type MMC and click OK.
3. A Microsoft Management Console window will open. Select File > Add/Remove Snap-in. Click Add.
4. [Screenshot: Add Standalone Snap-in dialog listing the available snap-ins (all Microsoft Corporation): .NET Framework 1.1 Configuration, Active Directory Domains and Trusts, Active Directory Schema, Active Directory Sites and Services, Active Directory Users and Computers, ActiveX Control, ADSI Edit, Authorization Manager, Certificate Templates, Certificates. Description: The Certificate Templates snap-in allows you to create
le attribute. Cause: Missing profile attribute. Action: Make sure the properties script returns the profile. (Id 414)

Id | Message Text | Type | Cause | Action
- Cannot create kerberos credentials for. Cause: Cannot create kerberos credentials. Action: N/A
- Missing PID/PPS entry for Intel AMT device. Cause: Missing PID/PPS entry for Intel AMT device. Action: Make sure a PID/PPS entry exists in the DB for the Intel AMT device.
- Cannot set power options. Cause: Cannot set power options.
- Invalid UUID (Error). Cause: Invalid UUID. Action: Provide a valid UUID.
- 450: Maintenance not found. Cause: Maintenance not found. Action: N/A
- Improper version used. Cause: Improper version. Action: Check the components' versions; either the service or the Database has an older version. Upgrade the appropriate component.
- Missing wireless profile (Error). Cause: Missing wireless profile. Action: Provide a different wireless profile.
- Missing wireless profile mapping (Error). Cause: Missing wireless profile mapping. Action: N/A
- Missing 802.1x profile (Error). Cause: Missing 802.1x profile. Action: Provide a different 802.1x profile.
- Missing version specific information (Error). Cause: Version specific information is missing for the Intel AMT device. Action: Make sure the Database contains the version table specific information for the Intel AMT version you are trying to use.
- Cannot execute properties script. Cause: File not found. Action: Make sure the file can be found.
- Cannot execute properties script (Error). Cause: Execution of the properties script failed. Action: Check the return
le of setup and configuration information specific to the platform or to a family of platforms. The SCS also registers the Intel AMT device in Active Directory and in its own secure database. The SCS is used for various maintenance functions, such as updating passwords and ACLs, and keeps logs of all performed transactions. The SCS components can be distributed across several platforms. It is recommended, for performance reasons, to configure a distributed installation except for demo purposes or for small enterprise installations. It is possible to have multiple instances of the SCS installed across an enterprise, but there is only one SCS database for the enterprise. The major elements of the SCS are:
- a Windows service, the SCS Main Service
- a secure database
- a SOAP API
- a console application, the Intel SCS Console

Intended Use of this Manual

The Intel AMT SCS is provided to ISVs as a binary executable. The source code of the SCS Console is included in the product distribution, as well as a description of the SOAP API. ISVs are expected to add value to the Console or to create their own equivalent using the API. The Intel AMT SCS will not be provided to end users directly by Intel. Rather, it will be part of an ISV's product offering, either stand-alone or embedded in a management console product. This manual is designed to be used by ISVs to learn about the SCS and its components. The manual can also be used as a basis for c
lity mode changed to Intel AMT. The platform must be restarted and the RCT re-executed before setup and configuration can start.
- Transition to Intel AMT Manageability mode did not succeed.
- RCT internal error.
- RCT did not succeed in retrieving the platform's PID. The platform's version of Intel AMT does not support PID retrieval, and the PID was not included in the RCT command line via the d parameter.
- After the RCT was run with the f command, the SCS did not need to change the Intel AMT system's FQDN because the system already had the new FQDN.
- The RCT did not succeed in sending the Hello packet to the SCS service.
- The RCT did not change the FQDN because the platform was in the In-Provisioning state.

RCT Logging

The RCT logs its actions in two ways:
- Windows event log: the RCT logs each action it takes as well as any errors that occur.
- RCT log: the RCT creates a file called rctlog.txt with more detailed information about the last execution of the tool. The tool deletes the previous log before creating a new one for the current execution. The tool creates the log in the same directory as the executable.

User Permissions for the Remote Configuration Tool

The RCT user requires special permissions so the tool can perform its functions:
- The RCT must be run from the Local System account to retrieve platform information and to communicate with Intel AMT via the Management Interface driver.
llowing steps, as described in sections of this chapter:
1. Configure the Main SCS Service settings. See page 78.
2. Add Users who have the appropriate privileges to use and to administer the SCS. See page 103.
3. Create one or more Profiles with settings for groups of Intel AMT devices. Profile parameters include the administrative username and password, use of TLS and mutual authentication, the certificates and certificate servers to be used, and Digest and Kerberos ACL entries. See page 81.
4. Create entries in the New Intel AMT Systems list for all platforms to be set up and configured. See page 106.
5. Create keys (PID/PPS, current password, new password sets) to prepare Intel AMT devices for configuration.
There is now adequate information in the SCS database to respond to Hello messages automatically.
There are two panes on the SCS Console: the Navigation Pane and the Configuration Pane.

Console Navigation Pane

[Screenshot: Intel AMT Setup Console navigation tree: Configuration Service Settings (General, Maintenance Policies, Profiles, 802.1x Profiles, Security Keys, Users and Groups), Intel AMT Systems]
The Navigation pane enables easy access to each of the major subdivisions of the Intel SCS.
- To view the Configuration Service Settings, the Profiles or the Logs, expand the branch and select a sub-branch.
- To define the settings to be wf
low dial-in on Intel AMT device Active Directory object 1, error 2 d (Error). Cause: Host error on the Intel AMT device Active Directory object. (Id 1958)
- Environment detection suffix is missing (Error). Cause: Environment detection suffix is missing.
- 1963: Too many environment detection suffixes in one profile (Error). Cause: Too many environment detection suffixes in one profile. Action: Remove one or more environment detection suffixes from the profile.
- 1965: Invalid environment detection suffix. Cause: Invalid environment detection suffix.
- 1970: The maximum number of profiles has been reached (Error). Cause: The maximum number of profiles has been reached. Action: N/A
- 1971: The specified profile is associated with at least one Intel AMT System and cannot be deleted (Warning). Cause: Trying to delete a configuration profile which is used by at least one Intel AMT device. Action: De-associate all Intel AMT devices from this profile and try to delete it again.
- 1972: You must disable NAC before you can complete this operation (Error). Cause: NAC is currently enabled in this profile. You must use the EAP-FAST protocol in either both wired 802.1x profile or at least one of the wireless profiles. Action: Please disable NAC prior to the operation.
- Client certificates count in profile 1 d has exceeded the maximum (Error). Cause: Client certificates count in profile has exceeded the maximum allowed. Action: Remove unused client certificates or share the same certificate for di
lready provisioned Intel AMT device (Error). Cause: A Hello message arrived from a provisioned Intel AMT device; the SCS rejects Hello messages for provisioned Intel AMT devices. Action: Delete the Intel AMT device manually from the Database using the console. (Id 102)
- 103: Request is already in the queue (Error). Cause: The request is already in the queue; the queue does not allow duplications. Action: Wait until the first identical request is processed.
- 105: Invalid request type (Error). Cause: Invalid request type; the request type could be either N (Normal) or S (Slow). The Database was corrupted; the request cannot be rescued. Action: Contact SCS support.
- 107: Invalid Intel AMT version (Error). Cause: SCS is not familiar with this Intel AMT version; new Intel AMT features will not be configured. Action: Upgrade to a newer version of SCS.
- 110: Missing version argument (Error). Cause: Database info about the Intel AMT version is missing from the entry. Action: Delete the Intel AMT device from the DB.
- 111: Missing PID argument (Error). Cause: Database info about the Intel AMT device PID is missing. Action: Make sure the PID list in the Database is up to date; import OEM supplied pre-provision data.
- 112: Missing IP argument (Error). Cause: Database info about the Intel AMT device IP is corrupt. Action: N/A
- Intel AMT device is not provisioned (Error). Cause: Trying to unprovision an Intel AMT device that is already marked in the database as unprovisioned. Action: N/A
- Cannot connect to Intel AMT device. Cause: Network problem, or the Intel AMT device refuses to answer the SCS. Action: Make sure the Intel AMT device is connected to the network, registered in the DNS, and no firewall blocks the u
me name already exists. Action: Provide an alternative name. (Id 984)
- Invalid certificate handle was specified. Cause: Invalid certificate handle was specified.
- Wireless profile not allowed to use 802.1x when Active Directory integration is disabled (Error). Cause: Wireless profile not allowed to use 802.1x when Active Directory integration is disabled. Action: Enable Active Directory integration.
- 987: Update 802.1x profile with Kerberos password failed (0x 1 X 2) (Error). Cause: Update 802.1x profile with Kerberos password failed. Action: See the specific error code.
- 989: Wireless profile name is too long: 1 (Error). Cause: The specified Wireless profile name is too long; the maximum length is 2 d. Action: Provide a name of valid length.
- Wireless profile 1 priority 2 d already in use for other profile (Warning). Cause: A Wireless profile with the specified priority is already in use for another profile. Action: Provide a different priority.
- Wireless profile priority 1 d has exceeded the maximum allowed (Warning). Cause: Wireless profile priority has exceeded the maximum allowed; the maximum priority is 2 d. Action: Specify a priority up to the maximum allowed.
- 992: Invalid pass phrase was specified; pass phrase must be between 8 and 63 printable ASCII characters (Error). Cause: Invalid pass phrase was specified; pass phrase must be between 8 and 63 printable ASCII characters. Action: Invalid pass phrase was specified; pass phrase must be between 8 and 63 printable ASCII characters.
- Remove wireless profile 1 failed with (Warning). Cause: Remove wireless profile fa
- The platform must have a Client Configuration role to enable the RCT to perform its regular tasks. If the RCT will be used for changing the Intel AMT platform's FQDN in the SCS repository, it will also need the Operator role. See Adding a User on page 103. A straightforward way to do this is to define a Group for all platforms with Intel AMT that need setup and configuration, grant the group the Client Configuration role, and add platforms to this group when they are added to the domain or when it is time to configure the Intel AMT capability. Note that the default Domain Computers Group cannot be granted the Client Configuration role.

RCT Source

The SCS delivery includes the RCT source files and supporting libraries. The RCT source demonstrates how to work with the host interface to Intel AMT and with the SCS SOAP API. ISVs can use the RCT source as a starting point for creation of tools more specific to their applications. To compile the RCT project, see the readme file included with the distribution.

Chapter 4 INTEL SCS CONSOLE

This section includes:
- SCS Console Overview on page 74
- Logging In on page 77
- Defining General Parameters on page 78
- Configuring Profiles on page 81
- Configuring Pre-Setup and Configuration Security Keys on page 99
- Configuring Users on page 103
- Configuration Parameters per Device o
n page 106
- Configuring Existing Intel AMT Devices on page 109
- Maintenance Policies on page 115
- Intel AMT SCS Console Logs on page 117

SCS Console Overview

The SOAP API used to query and manage the SCS service is available for ISVs to create their own interface to the SCS. The Intel SCS also includes an implementation of such an interface: a software component with a graphic user interface. This component, called the SCS Console, supports stand-alone operation of Intel SCS. The SCS distribution includes documentation of the API, the WSDLs that define the interface functions, sample applications, and the full source of the SCS Console. ISVs can add value to the console and incorporate it into their Management Console products.
The SCS Console works by communicating with the SOAP API, which in turn updates and accesses the SCS database. The API does not interact with the SCS service directly. There are pairs of get/set SOAP calls to update and retrieve database parameters. For example, to change the Power Policy parameter for a selected Profile, the SCS Console first fetches the data from the database using the SOAP API call GetProfilePowerPolicy. After the Administrator sets the new policy via the console GUI, the console performs the SOAP API call SetProfilePowerPolicy to save the changes in the database.

Using the SCS Console for the First Time

To use the SCS Console and the SCS for the first time, perform the fo
[Screenshot: Event Viewer, Application log, showing an event from source AMTConfig, type Information, with the description "Service started successfully"]
f. Click OK. The Event Viewer returns to focus.
g. From the File menu, click Exit.

Recommended Daily Workflow

After the Intel SCS components are installed and the first Intel AMT devices are configured and operational, we recommend that the following tasks be completed on a regular basis, preferably daily:
- Check for new Intel AMT devices.
- Optionally, authorize provisioning of new Intel AMT systems.
- Review the list of Existing Intel AMT Systems for anomalies: devices that have not completed setup and configuration, pending addition of information to the device definition (e.g. a missing UUID or FQDN).
- Review the logs. Note anomalies and fix them. See Intel AMT SCS Console Logs on page 117.
- Back up the database.

Chapter 3 INTEL AMT PREPARATION

This secti
ncryption, RC4-HMAC, that uses an MD5 HMAC for the checksum. It is included in the Windows implementation of Kerberos.
- Realm: In Kerberos, a realm is the same as an Active Directory domain. Kerberos V5 expects realms to have all capital letters. Intel AMT functionality is divided among different realms, for example the Storage Realm and the Storage Administration Realm. ACLs associate a user or an SID with one or more realms.
- RNG (Random Number Generator): A computer Random Number Generator is a software routine that implements an algorithm to generate random numbers. Modern cryptography rests on the assumption that ciphers can be constructed whose output is indistinguishable from random noise without knowledge of a secret key used in the algorithm. See Key.
- Schema: A conceptual model of the structure of a database that defines the data contents and relationships. The Microsoft Active Directory schema contains formal definitions of every object class that can be created. One of these objects is the computer object. The Intel Management Engine Class, based on the computer object, is added to the Active Directory schema and used to define AMT objects. The SCS database schema defines the data tables maintained in the database and the relationships of the tables.
- SID: A numeric value that identifies a logged-on user who has been authenticated by Active Directory, or a user group.
- SOAP: A message-based protocol based on XM
nd any intermediate certificates in the local computer store on the processor where the SCS executes. To save the root certificate, follow the brief procedure below.

Installing a Root Certificate and Intermediate Certificates on the Server Running the SCS

1. Retrieve the root certificate and the certificates of any intermediate CAs according to the instructions of the certificate vendor. It may be possible to download them from the vendor website, or the vendor may e-mail the trusted root. Save the certificate in .cer format.
2. Navigate to each stored certificate and right-click on it. Select Install certificate. A Certificate Manager Import Wizard will appear.
3. Click Next. Select Automatically select the certificate store based on the type of the certificate and click OK. Click Next, then Finish.
4. When prompted and asked if you wish to add the following certificate to the root Store, click Yes.

Remote Configuration Setup and Configuration Process

Steps leading to the start of Setup and Configuration

Once the above preparations are complete, the following steps are performed:
1. IT activates the Remote Control Tool (RCT) via a startup script or an enablement script.
2. The RCT detects Intel AMT and requests the UUID and the FQDN.
3. The Intel AMT device returns the values to the RCT.
4. The RCT sends the platform information to the SCS.
5. The RCT requests a one-time password (OTP) from th
nd writes it to a database, and a Server Script that reads the database entry and returns it to the SCS. In either case the controlling enterprise has to modify these scripts for local use.

Server Script

The Server Script approach requires a copy of the script only on the platform running the SCS. It has the disadvantage of requiring the SCS user to have administrator permissions on every client (see box below). The SCS distribution includes a script called GetConfigProperties.vbs. The script sends a WMI query to the host platform that sent the Hello message, and therefore requires that the host is operational and running a version of Microsoft Windows that processes WMI queries.
The SCS user requires appropriate permissions to invoke WMI remotely. To use this script, the SCS user must be an administrator on the local host (a member of the local Administrators group).
The sample script has a 30 second timeout in case WMI freezes on the host; however, the script may require 10 to 20 seconds to execute normally, due to WMI timing on the host.
The script:
1. Validates the environment variables.
2. Using the WMI protocol, requests the Win32_ComputerSystemProduct object to recover the platform UUID from the host platform.
3. Using the WMI protocol, requests the Win32_ComputerSystem object to recover the platform name and domain from the host platform. Creates the FQDN by concatenating the name and domain.
4. Validates that the
new application policy and, if necessary, change the object identifier.
[Screenshot: New Application Policy dialog. Name: intel_oid. Object identifier: 2.16.840.1.113741.1.2.1]
15. Enter the following name: intel_oid, or something similar. Enter the second half of the OID; the first half is generated automatically, as this is a client certificate. Select OK, OK.
[Screenshot: Edit Application Policies Extension dialog. "An application policy defines how a certificate can be used." Application policies: Client Authentication; Add, Remove; Make this extension critical checkbox]
16. Select OK to save the completed template.
Now that the template has been created, add it to the list of templates known to the CA.
17. Open the Certificate Authority by selecting Start > Programs > Administrative Tools > Certificate Authority.
18. Select Certificate Templates in the navigation tree and right-click. Select New > Certificate Template to Issue.
19. The newly created template will appear in the Enable Certificate Templates window. Select the template and click OK. The new template will now appear in the list of templates.

Internationalization of SCS Messages

The SCS was designed to support internationalization of the user interface. The service and the associated API display all status, warning and error messages based on a single file. The application exec
nique Intel AMT ports 16992 and 16993. (Id 119)
- 123: Cannot contact CA server 1, process delayed (Error). Cause: Cannot connect to the CA server to request a certificate. Action: Make sure there is routing to the CA server and that it is operational.
- 126: Certificate cannot be issued 1, process interrupted (Error). Cause: Cannot retrieve the certificate from the CA server. Action: Check the CA server log for more information.
- 130: Cannot locate AD AMT Schema 1, process delayed (Error). Cause: Cannot bind to the AD schema. Action: Make sure the schema is extended to contain the Intel management object.
- Cannot create AD AMT Object 1. Cause: Failed to create the AD AMT object. Action: Make sure the schema is extended to contain the Intel management object.
- 132: Cannot open AD AMT Object, failed on 1 with call to 2, input 3, return value 4 d, process delayed. Cause: Cannot open the AD AMT object. Action: Make sure the AD OU is correct.
- Failed to update AD Object 1 2 d. Cause: Cannot update the AD AMT object. Action: Make sure the object exists; if not, try to re
- 138: Invalid PID (Error). Cause: Bad PID format. Action: N/A
- Active Directory integration is disabled on server (Error). Cause: Tried to perform an operation that requires AD integration, such as configuring 802.1X, and AD integration is disabled. Action: Enable AD integration.
- Missing mandatory parameter 1. Cause: Missing the specified mandatory parameter in a. Action: Provide the specified mandatory
nistrator has access to all Intel SCS Console configuration and management screens, fields and parameters.
- Administrator: The Administrator role has the same permissions as the Enterprise Administrator, but does not have permission to create or edit Profiles, or access to the Users, General Configuration or Maintenance functions.
- Operator: The Operator role has access to the following:
  - Access Security Keys on the Configuration Service Settings branch
  - View the Status table on the Intel AMT Systems branch
  - View the standard log and the security audit log
  - Access the complete configuration parameters branch
- Log Viewer: This role allows a user to view the standard log and the security audit log.
- Configuration Client: Users with this role can add platform parameters and request a one-time password (OTP). The Configuration Client role is required by all platforms executing a client script that communicates directly with the SCS API. This includes the Remote Configuration Tool (RCT). Add IT-defined groups that contain all computers in each domain that the SCS supports. The SCS does not grant the Configuration Client role to the default Domain Computers Group.
10. Click OK.
Never remove the user that is used by the SCS service when it is started. Removing this user causes the service to fail.

Configuration Parameters per Device

The SCS maintains two lists
nnot be found in the requests table (Error). Action: N/A (Id 314)
- 315: A dependent operation terminated abnormally (Error). Cause: A dependency terminated abnormally. Action: N/A
- 316: Request cannot be continued in a different server instance (Error). Cause: Request cannot be continued in a different server instance. Action: N/A
- Intel AMT device is missing (Error). Cause: Cannot find the Intel AMT device in the Database.
- 401: Profile is missing. Cause: Profile is missing. Action: Provide another profile.
- 406: Cannot execute properties script. Cause: Cannot execute properties script. Action: Make sure the script exists in the path defined.
- 407: Properties script failed (Error). Cause: Failed to execute the properties script. Action: Check that the script can be executed properly; use the test script.
- 408: Cannot get properties script exit code (Error). Cause: Cannot get properties script exit code. Action: Check that the script can be executed properly; use the test script.
- 410: Cannot read properties script output (Error). Cause: Cannot read properties script output. Action: Check that the script can be executed properly; use the test script.
- 411: UUID properties mapping is missing (Error). Cause: UUID properties mapping is missing. Action: Enter the UUID mapping in the configuration parameters.
- 412: Missing FQDN attribute. Cause: Missing FQDN attribute. Action: Make sure the properties script returns the FQDN.
- 413: Missing ADDN attribute. Cause: Missing AD OU attribute. Action: Make sure the properties script returns the AD OU.
- Missing profi
not integrated with Active Directory.
- profile or profile_id: Either the SCS Profile name or the index of the profile to be used when setting up this device. Only one of these can be used.
The file will have the structure shown in the following examples:
<amtConfiguration fqdn="jonesr.west.yourenterprise.com" addn="OU=AMTDevs,DC=west,DC=yourenterprise,DC=com" profile="Standard_user"/>
or
<amtConfiguration fqdn="jonesr.west.yourenterprise.com" addn="OU=AMTDevs,DC=west,DC=yourenterprise,DC=com" profile_id="277"/>

Script Functionality

Script functionality is the responsibility of the ISV or the IT organization. The script may retrieve the information from an external source, or from the platform containing the Intel AMT device, or some combination of the two methods. For example, the script may request the FQDN from the platform using the IP address, then determine the Active Directory OU and SCS Profile based on the FQDN.

Sample Scripts

The SCS distribution includes several sample scripts. They each have advantages and disadvantages. The scripts take two approaches to acquiring the necessary device data. The first approach is a Server Script that requests the data remotely from the platform sending the Hello message. The second approach is a pair of scripts: a Client Script that runs on the host processor of a platform containing Intel AMT and requests the platform information a
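The amtConfiguration structure above, and the FQDN-building step of the sample server script described earlier (name and domain from WMI, concatenated), are the two places where a properties script can return bad data and trigger the "Missing FQDN attribute" / "Missing AD OU attribute" style errors in the SCS log. The following is an added example, written for this page and not part of the SCS distribution or of GetConfigProperties.vbs: it parses an amtConfiguration element, checks the rules the manual states (an fqdn, and exactly one of profile or profile_id), and builds an FQDN from a name and domain the way the server script does. The sample inputs are constructed; treating addn as optional and requiring it to look like a distinguished name is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not from the SCS distribution), mirroring the two
# structures shown in the manual: profile selected by name, and by index.
SAMPLE_BY_NAME = (
    '<amtConfiguration fqdn="jonesr.west.yourenterprise.com" '
    'addn="OU=AMTDevs,DC=west,DC=yourenterprise,DC=com" '
    'profile="Standard_user"/>'
)
SAMPLE_BY_ID = (
    '<amtConfiguration fqdn="jonesr.west.yourenterprise.com" '
    'addn="OU=AMTDevs,DC=west,DC=yourenterprise,DC=com" '
    'profile_id="277"/>'
)
SAMPLE_BOTH = (  # invalid: the manual says only one of profile / profile_id
    '<amtConfiguration fqdn="host1.west.yourenterprise.com" '
    'addn="OU=AMTDevs,DC=west,DC=yourenterprise,DC=com" '
    'profile="Standard_user" profile_id="277"/>'
)

# One DNS label; an FQDN is two or more labels joined by dots, at most 253 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
FQDN_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)+{_LABEL}$", re.I)
# One relative distinguished name component such as OU=AMTDevs or DC=west.
RDN_RE = re.compile(r"^\s*[A-Za-z]+=[^,=]+\s*$")


def build_fqdn(name: str, domain: str) -> str:
    """Step 3 of the sample server script: FQDN = host name + '.' + domain.
    The script gets both values from WMI on the host; here they are passed in."""
    name, domain = name.strip().strip("."), domain.strip().strip(".")
    if not name or not domain:
        raise ValueError("host name and domain are both required to build the FQDN")
    fqdn = f"{name}.{domain}"
    if not FQDN_RE.match(fqdn):
        raise ValueError(f"{fqdn!r} is not a valid FQDN")
    return fqdn


def parse_amt_configuration(text: str) -> dict:
    """Parse one amtConfiguration element and check the rules stated in the manual.
    Returns {'fqdn', 'addn', 'profile', 'profile_id'}; raises ValueError with the
    first problem found, so a script can report a precise cause to the SCS log."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from None
    if root.tag != "amtConfiguration":
        raise ValueError(f"unexpected root element {root.tag!r}")
    attrs = root.attrib

    fqdn = attrs.get("fqdn", "")
    if not FQDN_RE.match(fqdn):
        raise ValueError("fqdn attribute is missing or is not a valid FQDN")

    # Assumption: addn is the AD distinguished name of the OU. It is treated as
    # optional here because the manual ties it to Active Directory integration.
    addn = attrs.get("addn")
    if addn is not None and not all(RDN_RE.match(p) for p in addn.split(",")):
        raise ValueError("addn attribute is not a valid distinguished name")

    has_name, has_id = "profile" in attrs, "profile_id" in attrs
    if has_name == has_id:  # neither given, or both given
        raise ValueError("exactly one of profile or profile_id must be given")
    profile = attrs["profile"].strip() if has_name else None
    if has_name and not profile:
        raise ValueError("profile attribute is empty")
    profile_id = None
    if has_id:
        if not attrs["profile_id"].isdigit():
            raise ValueError("profile_id must be a non-negative integer")
        profile_id = int(attrs["profile_id"])

    return {"fqdn": fqdn.lower(), "addn": addn, "profile": profile, "profile_id": profile_id}


def validation_error(text: str):
    """Return the error message for a bad file, or None when the file is valid."""
    try:
        parse_amt_configuration(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_BY_NAME, SAMPLE_BY_ID, SAMPLE_BOTH):
        print(validation_error(sample) or parse_amt_configuration(sample))
```

Rejecting a file that carries both profile and profile_id, rather than silently picking one, matters because the two could name different profiles with different ACLs and TLS settings; the device would then be configured against whichever the consumer happened to prefer.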
nsole.
- Profile Name: Enter a name for this profile.
- SSID: Enter an optional Service Set ID, a 1 to 32 character string naming a specific wireless LAN.
- Security Settings: Select a Key Management scheme (WPA or RSN) and an Encryption Algorithm (TKIP or CCMP). These choices must correspond to the settings used in the specific wireless LAN environment.
- Authentication: Either provide a passphrase or select an 802.1x profile. Intel AMT Release 2.5 requires a strong passphrase: it must be at least eight characters and contain an upper-case letter, a lower-case letter, numbers, and at least one symbol such as &. The SCS does not validate for a strong passphrase. Intel AMT Release 2.6 requires only that the passphrase be at least eight printable ASCII characters. To assign an 802.1x profile to the wireless profile, select the control to display a list of defined 802.1x profiles and then select one of them. Select Add to define a new profile.
Select OK, OK to complete the profile definition.
Intel AMT must be integrated with Active Directory to use 802.1x profiles.

Defining 802.1x Profiles

IEEE 802.1x defines an extendable set of layer 2 protocols used to authenticate LAN communications. The profiles defined here can apply to any Intel AMT Profile, and apply to either wired or wireless connections. This capability only applies to Intel AMT releases 2.5 and 3.0. Select 802.1x Profiles in the left-hand pane of t
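Because the SCS does not validate for a strong passphrase, a Release 2.5 device handed a weak one fails at the device rather than in the console. The following is an added example, not code from the SCS or the manual, that applies the two passphrase rules stated above before a profile is saved: the Release 2.5 strong-passphrase rule and the Release 2.6 printable ASCII rule, with the 8 to 63 character bounds taken from the SCS "Invalid pass phrase" error message. Assumption: the manual's symbol list is not legible in this copy, so any printable ASCII punctuation character is accepted as the symbol.

```python
import string

# Added example, not SCS code. Assumption: any printable ASCII punctuation
# character counts as a "symbol" for the Release 2.5 strong-passphrase rule.


def is_printable_ascii(passphrase: str) -> bool:
    """True when every character is in the printable ASCII range 0x20..0x7E."""
    return all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def check_passphrase(passphrase: str, amt_release: str = "2.6") -> list:
    """Return a list of rule violations; an empty list means the passphrase is acceptable.
    amt_release "2.5" applies the strong-passphrase rule on top of the length and
    character-set checks; any other value applies only the Release 2.6 rule."""
    problems = []
    if not is_printable_ascii(passphrase):
        problems.append("contains characters outside printable ASCII")
    if len(passphrase) < 8:
        problems.append("shorter than 8 characters")
    if len(passphrase) > 63:
        problems.append("longer than 63 characters")
    if amt_release == "2.5":
        if not any(c.isupper() for c in passphrase):
            problems.append("no upper-case letter")
        if not any(c.islower() for c in passphrase):
            problems.append("no lower-case letter")
        if not any(c.isdigit() for c in passphrase):
            problems.append("no digit")
        if not any(c in string.punctuation for c in passphrase):
            problems.append("no symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample passphrases for each release rule.
    for pw, rel in (("Tr0ub4dor&3", "2.5"), ("troubador", "2.5"), ("correct horse", "2.6")):
        print(rel, repr(pw), check_passphrase(pw, rel) or "ok")
```

Run the check with the release of the devices the wireless profile will be pushed to; a profile shared by 2.5 and 2.6 devices should satisfy the stricter 2.5 rule.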
nsure that the areas of the database used by the Intel SCS are accessible from all installations of the SCS.
- Ensure that there is adequate bandwidth to access the database.
- The location of the database can affect performance. Attempt to locate the database at a central site.
- The database must be reliably available, so techniques such as replication, clustering, and backup and restore should be used.

Database Security

Because the data in the database is extremely sensitive, it is recommended that the connection to the database be secure. See Enable SQL Server and Windows Authentication Mode, step 8 on page 27, for the steps required to configure a secure database connection. Also consider the use of disk volume encryption. Limit access to physical copies of the database.
Database stored procedures may be executed only by the users that have appropriate permissions to use them. There are two types of database users: Windows Service users and API users. The console application defines SCS users and user permissions, which are saved in the database.
Where possible, limit the network connectivity to the database server. Limit it, for example, to those servers that need to connect to it, i.e. those servers hosting instances of the SCS. Use a separate physical LAN or a dedicated VLAN to establish isolation.

Backup & Restore

We recommend that an Administrator perform a daily backup of the
167. ntel AMT and that creates several new attributes. Environment Prerequisites and Installation. Environment Prerequisites: This section details the environment required by the various Intel AMT Setup and Configuration Service components. The section System Requirements on page 18 specifies which components require which environment elements. .NET Framework 2.0: .NET Framework 2.0 is a prerequisite for the installation of both SQL Server Express and the Intel SCS Windows Service. For summary information about .NET Framework and a download link, see http://www.microsoft.com/downloads/details.aspx?familyid=0856eacb-4362-4b0d-8edd-aab15c5e04f5&displaylang=en. To install .NET Framework 2.0: 1. Install the Windows Installer 3.0 or later if it is not already installed. See http://www.microsoft.com/downloads/details.aspx?familyid=5FBC5470-B259-4733-A914-A956122E08E8&displaylang=en. 2. Ensure that all instances of Microsoft Internet Explorer are closed. 3. Double click the installation file named dotnetfx.exe. The installation files are extracted and the Welcome to Setup screen is displayed. 4. Click Next. The End User License Agreement is displayed. 5. Select the I accept the terms checkbox and click Install. A message is displayed indicating that Setup is configuring the install. (Screenshot: Microsoft .NET Framework 2.0 Setup, End User License Agreement page.)
168. ntel AMT device from the database. A warning message is displayed which requires confirmation of intent to delete. Other: Set Power Policy: This operation updates the power policy according to the parameters defined in the profile. See also The Profile Configuration Power Policy Tab on page 91. Sync Clock: This operation synchronizes the clocks between the Intel AMT device and the SCS service. Authorization: When "AMT requires authorization before provisioning" is selected on the General page, an operator must select Authorize AMT on the Device Operations page for a selected Intel AMT device before setup and configuration can continue. One time password: When "One time password required" is selected on the General page, the OTP used when starting the Remote Configuration process should be entered here to allow setup and configuration to proceed. Filtering the Display: The display of existing Intel AMT devices can be filtered. When filtered, only Intel AMT devices that match the specific filtering criteria are displayed. To filter the display: 1. Select one or more of the checkboxes. 2. As applicable, either select an entry from the dropdown list or complete the entry in the available field. 3. Click Apply Filter. Global Operations: To apply new settings to all existing Intel AMT devices: 1. Open the Intel SCS Console. 2. Expand the Intel AMT Systems branch. 3. Select Global Operations. The
169. ole. Platforms running Management Console applications that authenticate Intel AMT devices that have TLS enabled in their profile, especially the SCS when it interacts with Intel AMT devices after setup. Intel AMT devices need this certificate for authenticating clients when TLS mutual authentication is used, if this CA was used to issue client certificates. The certificate must be included in the Profile for devices supporting mutual authentication. See Installing an Intel AMT Client Certificate for TLS Mutual Authentication on page 36. The following steps show how to save the certificate as a file and then install it as a trusted root certificate. 1. Export the CA certificate. There are multiple ways to do this; this procedure describes one of them. a. Click the Windows Start button > Programs > Administrative Tools > Certificate Authority. b. Right click on the first sub branch. A popup menu is displayed. c. Click Properties and click the General tab. d. Select the certificate and click View Certificate. e. Click the Details tab and click Copy to file. f. Follow the steps in the Wizard. Select an export format (any of the options is acceptable), name the certificate file, and save it in a known location. A message indicates that the export was successful. g. Click OK. The Details tab returns to focus. h. Click OK > OK. The Certificate Authority Management Console returns
170. on automatically. The user must have all the permissions described in SCS and Active Directory Tasks and Permissions on page 12, including permissions to access the CA. In an Active Directory environment it is recommended to configure the SCS user to have the property "Password never expires". Otherwise it will be necessary to change the password both in AD and in the SCS service properties according to the organization password update policy (every few months, for example). Enter the User name and Password and click Next. In a TLS environment the SCS user must have permissions to issue certificates: Issue and Manage Certificates and Request Certificates permission on a Stand alone certificate authority (CA). On an Enterprise CA the user must have Read and Enroll permissions on the template to be used to create certificates. If a new user will be created later that will be the one associated with the service, select New User. Enter the parameters defining this user and select OK, then click Next. The installer validates the user account and may prompt that it will add proper permissions to the account. 7. The IIS Configuration screen is displayed. (Screenshot: Intel Active Management Technology Setup and Configuration Service InstallShield Wizard, IIS Configuration: Configure IIS Web Server Virtual Directory; select IIS Web Server Virtual Directory, application pool and Web Site.)
171. on contains: Preparation Without a USB Device on page 57; Using a USB Storage Device for Factory Mode Setup on page 61; Preparing Intel AMT for Future Configuration on page 61; Remote Configuration on page 62. This section describes the steps required to prepare an Intel AMT device to receive its configuration settings from the Intel SCS. An Intel AMT device is considered in Factory Mode until it is ready to send Hello messages to the SCS. Once the appropriate preparation is performed, the device transitions to Setup Mode, sending Hello messages periodically until it receives a response from an SCS. When setup and configuration is complete, the Intel AMT device is in Operational Mode. There are four possibilities: During power up, if the BIOS implementation supports this capability, the Intel AMT device first checks for the presence of a USB storage device. If the device is present, the setup proceeds as described in Using a USB Storage Device for Factory Mode Setup on page 61. The PID/PPS pair is installed and optionally the Intel Management Engine BIOS extension password may be changed. If there is no USB device, or USB enablement is not supported, the technician enters the BIOS extension using the method defined by the BIOS vendor. The BIOS implementation may require that the user enable the BIOS extension from the BIOS. The PID/PPS pair is entered
172. onsole. 2. Select Configuration Parameters. The screen displays a list of Intel AMT devices ordered by UUID. The display can be ordered by any of the columns by clicking on the column header, or it can be paged through using the controls below the table. (Screenshot: Configuration Parameters, "Configure the New Intel AMT Properties" table with columns UUID, FQDN, AD Organizational Unit and Profile Name; Refresh, Add, Delete, Edit and Apply Filter controls; and a New Intel AMT Devices filter by UUID, Profile Name, FQDN or AD Organizational Unit, with Order By options.) The UUID is a unique value for a specific Intel AMT device and its platform. The FQDN (Fully Qualified Domain Name) is the combination of host name and domain that is unique for the platform containing the device. The Active Directory Organizational Unit determines where the AMT object for this device should be placed in the directory system. The profile name is the profile to b
173. orts certificates that use the SubjectAltName (SAN) DNS Name extension. The certificates have multiple DNS names, and each one is compared consecutively with the domain suffix received from DHCP. When one of the names matches, Intel AMT accepts the certificate. A certificate with multiple DNS names would be useful when the root domain is not .com or .net. When one of these methods is used, a single SCS can support Intel AMT devices with Release 2.6 in multiple domains with a single remote configuration certificate. Remote Configuration Tool: The Remote Configuration process includes the Remote Configuration Tool (RCT) that runs on the host. RCT.exe is included in the SCS distribution. It is recommended to copy the RCT to the Intel AMT system and run it from the Intel AMT system with a local user. The RCT tool does the following: It sends platform identification information directly to the SCS API, eliminating the need for a separate script to perform this function. The RCT can be used for this purpose for all Intel AMT releases from 2.0 onwards. The platform information includes the UUID and FQDN and, optionally, the SCS Profile and Active Directory Organizational Unit to be used when configuring the platform. It checks that the platform is configured for Intel AMT manageability. If it is not, the RCT optionally transitions the platform to Intel AMT manageability. The RCT must be re-run after a restart of the pla
174. ory is not present, there can be only one SCS instance and the Stand alone CA must be installed on the same platform as the SCS. A PKI may have a hierarchy of Certificate Authorities, with subordinate CAs and a root CA. This is beyond the scope of this discussion. IT personnel who manage a facility that depends on PKI need in-depth knowledge of PKI protocols and supporting tools. The installation example later shows how to install a single tier Enterprise or Stand alone CA. Support for Wireless Environments and Wired 802.1x: Intel AMT Releases 2.5 and 2.6 run on mobile platforms. The SCS configures Intel AMT devices with these versions so that they can receive management traffic over wireless links. The SCS supports defining wireless profiles and 802.1x profiles. Intel AMT Releases 2.5, 2.6 and 3.0 also support wired 802.1x links. See page 94 for wireless profile and 802.1x profile definition using the SCS console. Setup of wired 802.1x profiles and wireless profiles that authenticate using 802.1x is permitted only if the SCS is configured to integrate with Active Directory. The SCS has been tested with the Cisco Aironet 1200 Access Point and the following RADIUS servers (authentication with EAP-GTC is for wired 802.1x only): Cisco ACS with 802.1x EAP-TLS, EAP-PEAP, EAP-FAST-GTC, EAP-FAST-TLS and EAP-FAST-MS-CHAPv2; Funk Odyssey with 802.1x EAP-TLS, EAP-PEAP and EAP-TTLS; Meetinghouse Aeg
175. osoft CA, either an Enterprise CA or a Stand alone CA. Perform the following steps on the platform where IIS is installed: 1. Right click on My Computer and select Manage. 2. Expand the Services and Applications branch. 3. Open the Internet Information Services (IIS) Manager branch. 4. Open Web Sites. 5. Right click on Default Web Site (or the user defined site) and select Properties. 6. Select the Directory Security tab. 7. Under Secure Communications, select Server Certificate. The IIS Certificate wizard opens. 8. Click Next. 9. Select Create a new certificate and click Next. The process proceeds differently depending on the type of CA used. Perform the following steps to create and install a certificate using an Enterprise CA: 1. Select Send the request immediately to an online certificate authority and click Next. 2. Proceed through the Wizard, entering the requested parameters: provide a name for the certificate; leave the bit length at 1024; enter an organization name and an organizational unit; enter the platform FQDN as the Common Name; enter geographical information. 3. On the Choose a Certificate Authority pane, select the Enterprise CA from the displayed list. 4. Select Next and finish the Wizard. The Enterprise CA will generate the certificate and the wizard will install it. Perform the following steps to create and install a certificate using a Stand alone CA: 1.
176. ouse clicks. It is also possible to use many of the controls from the keyboard. When the display focus is in the same region as a control that has an underlined letter in its legend, typing the underlined letter will activate the control. Use the Tab key to move from one control to the next and from one display region to the next. When a control is highlighted, press Enter to activate the control. Logging In: To log in to the Intel SCS Console: 1. Click the Windows Start button to select the Intel AMT Configuration program group. (Screenshot: Start menu, Programs > Intel AMT Configuration > Intel AMT SCS Console.) 2. Select Intel AMT SCS Console. The Console displays the log in screen. (Screenshot: log in screen, "Type the Intel AMT web service URL", Service Name https://provisionserver.yourenterprise.com/amtscs.) 3. Enter the SOAP web service URL path, including the virtual directory. The entry format is https://FQDN/<Virtual Directory>. For example: https://provisionserver.yourenterprise.com/AMTSCS. Use http or https depending on the installation option selected (see page 41). In this example, provisionserver.yourenterprise.com is the FQDN of the IIS host of the web service and AMTSCS is the virtual directory of the SOAP web service in the IIS host. If the web serv
177. ower Policy. (Screenshot: Power Policy tab, "AMT is ON in the following host sleep states: Host is ON (S0), or in Standby (S3), or in Hibernate (S4)"; Idle Timeout 0 Minutes.) Use the Power Policy settings to determine the highest power state, as defined by the ACPI specification, at which the Intel AMT devices assigned this profile will be active or will activate from a sleep state. S0 is the normal working state of a computer platform. S1 to S5 are successively deeper sleep states. A platform in S5 is shut down but still connected to AC power. AMT is ON in the following host sleep states: This parameter defines the highest power state at which Intel AMT will operate while the device is connected to AC power. Note that this includes operation in higher power states. For example, if the platform is in S3 and this parameter is set to Host is ON (S0), the Intel AMT device will not operate until the platform returns to S0. Idle Timeout: Once the Intel AMT device wakes up and the host system is not turned on, this parameter determines the minimum time, in minutes, that the Intel AMT device will remain operable when there is no activity. The device will return to a sleep state after the idle timeout period. The timeout timer is restarted whenever the device is serving requests. If the value of the parameter is zero, the device will remain on when there is no activity. For example, the AMT is ON parameter is set to Host is ON (S0) or in Standby (S3). When
178. page 110. Allow Remote Configuration: Intel AMT Releases 2.2, 2.6 and 3.0 support Remote Configuration. As part of this feature, the Intel AMT device sends a self signed certificate for the TLS Mutual Authentication process. This certificate is used for setup and configuration only. The device creates the self signed certificate just before sending the first Hello message. Selecting this checkbox enables the SCS to accept self signed certificates from Intel AMT devices. One time password required: Selecting this checkbox adds an additional security feature. An enterprise policy may require a one time password (OTP) exchange between the SCS and the Intel AMT device requesting setup. See page 65. If an operator entered the OTP manually on the platform containing the Intel AMT device, then an SCS operator must enter it via the Operations function on the Intel AMT Systems pane. See Ad Hoc Operations on an Individual Intel AMT Device on page 110. So called Bare Metal platforms are certain platforms that contain Intel AMT Release 3.0 or higher that are configured by the manufacturer to start sending Remote Configuration Hello messages as soon as they are connected to the network. Bare Metal platforms do not support one time passwords. Therefore, selecting the One time Password Required option prevents configuring bare metal platforms. First common name (CN) in certificate subject name: Client certificates used to validate Intel
179. parameter. Windows Service messages (continued; columns are Code, Message Text, Type, Cause, Action; %1, %2!d! and 0x%1!X! are message inserts filled in at run time):
Code 444. Message Text: SOAP call parameter %1 is out of range. Allowed range is %2. Type: Error. Cause: Specified SOAP parameter is out of range. Action: Provide valid parameter.
Code 445. Message Text: Invalid length for parameter %1. Allowed length is min %2!d!, max %3!d!. Type: Error. Cause: Specified SOAP parameter has an invalid length. Action: Provide valid parameter.
Code 446. Message Text: Invalid length for parameter %1. Allowed length is max %2!d!. Type: Error. Cause: Specified SOAP parameter has an invalid length. Action: Provide valid parameter.
Code 447. Message Text: Invalid length for parameter %1. Allowed length is min %2!d!. Type: Error. Cause: Specified SOAP parameter has an invalid length. Action: Provide valid parameter.
Code 448. Message Text: Parameter %1 must be one of these values: %2. Type: Error. Cause: Specified SOAP parameter is out of range of available values. Action: Provide valid parameter.
Code (unreadable). Message Text: Failed on ADsGetObject with %1 (0x%2!X!). Type: Error. Cause: Failed to get AD AMT object. Action: Make sure the schema is extended to contain the Intel management object.
Code 171. Message Text: Failed on CreateDSObject with %1 (0x%2!X!). Type: Error. Cause: Failed to create AD AMT object. Action: Make sure the schema is extended to contain the Intel management object.
Code 172. Message Text: Failed to create SPN(s) on %1. Type: Error. Cause: Failed to create AD SPN(s). Action: (unreadable in source).
Code (unreadable). Message Text: OS error code 0x%1!X!. Type: Error. Cause: General error for failed retrieving of certificate. Action: (unreadable in source).
Code 177. Message Text: Invalid maintenance wakeup time value %1!d!. Type: Error. Cause: Invalid maintenance wakeup time. Action: Provide valid value for maintenance settings.
Code 178. Message Text:
180. pecific error code. Windows Service messages (continued; columns are Message Text, Type, Cause, Action; 0x%1!X! and %2 are message inserts filled in at run time):
Message Text: Exception in set admin password worker (0x%1!X!) %2. Type: Error. Cause: Exception in set admin password worker. Action: See the specific error code.
Message Text: Exception in set CRL worker (0x%1!X!) %2. Type: Error. Cause: Exception in set CRL worker. Action: See the specific error code.
Message Text: Cannot delay task (0x%1!X!) %2. Type: Error. Cause: Cannot delay task. Action: See the specific error code.
Message Text: Exception in unprovision worker (0x%1!X!) %2. Type: Error. Cause: Exception in unprovision worker. Action: See the specific error code.
Message Text: Exception in update Kerberos Password (0x%1!X!) %2. Type: Error. Cause: Exception in update Kerberos Password. Action: See the specific error code.
Message Text: Unexpected exception while processing Command ID %1!d!. Type: Error. Cause: Unexpected exception while processing Command ID. Action: See the specific command ID for more information.
Message Text: User %1 does not have the privileges required to execute the SCS Server. Startup aborted. Type: Error. Cause: User does not have the privileges required to execute the SCS Server. Startup aborted. Action: Start the service with sufficient privileges.
Message Text: Exception in set rng key worker (0x%1!X!) %2. Type: Error. Cause: Exception in set rng key worker. Action: See the specific error code.
Message Text: Cannot register the SCS Server %1 in the database. Startup aborted. Type: Error. Cause: Cannot register the SCS Server in the database. Startup aborted. Action: Check the development log for more information.
Message Text: The connection with the server database has been lost. Type: Error. Cause: The connection with the server database has been lost. Action: Try to renew the connection.
Message Text: Cannot initialize program
181. pends on how the CA policy module was configured. 10. Issue the certificate: A. Click the Windows Start button > Programs > Administrative Tools > Certificate Authority. The Certificate Authority Management Console is displayed. B. Expand the first sub branch and click Pending Requests. C. Right click on your request and from the popup menu select All Tasks > Issue. D. Return to the CA web enrollment home page and select View the Status of a Pending Certificate Request. Click on the relevant certificate request. 11. Click Install this certificate. Creating and Installing a Client Certificate Using an Enterprise CA: 1. Create and install a template that supports generating Intel AMT client certificates. See Defining a New Template for an Enterprise CA on page 130. 2. Run Internet Explorer as the SCS user: Start > Programs > right click Internet Explorer > Run as. 3. In the Run As dialog, click The Following User and enter the username and password of the SCS user (the name must be in the format domain\username). Press OK. Enter the following address: http://ca_machine/certsrv, where ca_machine is the FQDN of the platform hosting the CA. 6. Click Request a certificate. 7. Click advanced certificate request. 8. Click Create and submit a request to this CA. 9. Select the template to be used (the one created in step 1). 10. Set the key size to
182. (Screenshot: Windows Services console, with the AMTConfig service (description "Intel AMT Configuration", startup type Automatic) selected and "Start the service" shown, among services such as .NET Runtime Optimization Service, Alerter, Application Experience, Application Layer Gateway, Application Management, ASP.NET State Service, Automatic Updates, Background Intelligent Transfer, Certificate Services, ClipBook, COM+ Event System, COM+ System Application, Computer Browser, Cryptographic Services and DCOM Server Process Launcher.) 5. Click Start. A progress message is displayed. When completed, the word Started appears in the Status column. Quick Start and System Test: This procedure is a summary of the Intel SCS Management Console section, which begins on page 74. However
183. r more information, see Active Directory (AD) and Changes to the AD Schema on page 37. Intel AMT Device Configuration Information: The SCS needs identification information for each Intel AMT device: to know its FQDN, which Profile to use, and where to put the AMT object in Active Directory. The identifying parameter for a device, and for the platform that it is on, is the platform UUID. Entering the information manually in an enterprise environment is not practical on a large scale. Also, the FQDN will change as a machine is moved around in the enterprise and assigned to different individuals. The SCS supports multiple methods for loading configuration information, each with its uses, advantages and disadvantages. Source of Configuration Information (Database or Script): The SCS can be configured to locate Intel AMT device configuration information in one of two ways: either from within the SCS database or via a script. When the SCS receives a Hello message from a device, it will look in the SCS database for a configuration entry matching the UUID in the Hello message. If there is no match and there is no script, the SCS will revisit the queued Hello message periodically to see if an entry was added to the database. If the script option was selected, the SCS will activate a script to find the necessary information, given the UUID and the source IP in the Hello message. When the
184. reating end user documentation for IT staff. Setup and Configuration Process: For setup and configuration to proceed, the SCS database and server require preparation, as well as the platform containing the Intel AMT device. Once the preparation is complete, connecting the platform to the network starts the setup and configuration process. SCS Database Preparation: Before setup and configuration can begin, the SCS server database must be configured with basic information: SCS service configuration parameters; Profiles that define the setup parameters for the Intel AMT enabled platforms to be configured; Entries identifying each Intel AMT device to be configured, with a link to a profile; A list of valid TLS PSK keys that match what is installed on the Intel AMT devices awaiting configuration. At this point the SCS service waits for a configuration request from an Intel AMT device. Preparation of Platform Containing Intel AMT Device: An Intel AMT Release 2.0, 2.1 or 2.5 device must have its MEBx password changed from the default password. A TLS PSK key and identifier must be loaded into the device. The values are entered manually by the IT administrator through the BIOS extension, or the administrator can use a USB key with values exported from the SCS, or the values may have been preloaded by an OEM. This is the minimum requirement, although other parameters may be required. See Intel
185. ress received from a DHCP server with the host platform. The SCS does not support static IP addresses for the host and the Intel AMT device. SCS Service IP Address (Provisioning Server): By default, the SCS Service IP address is set to 0.0.0.0. A value of 0.0.0.0 means that the Intel AMT device will attempt to obtain the actual IP address of the SCS by performing a DNS lookup for a host named ProvisionServer. If the DNS is unable to resolve the host name, the IP address of the SCS must be supplied manually. The name ProvisionServer can be configured by an OEM to a different value, so verify the delivered value of this parameter. By default, port 9971 is used to establish a connection to the SCS. This default may be changed by an OEM. If the SCS has been configured to listen on a different port, then enter the actual port the SCS is listening on. Setup Type (Provision Model): The default setup type of Intel AMT is Enterprise. The Small Business Setup option is used in environments where the infrastructure required for TLS is not available and configuration can be completed from the BIOS menu. The SCS service does not support Small Business setups. The Setup Type menu also allows selection of Legacy Mode. The SCS does not support configuration of Intel AMT devices that are in Legacy Mode. Virtual Local Area Network (VLAN) Settings: Set by the SCS. PID/PPS: The Provisioning ID (PID) and the Provisioning Pre Shared Key (PPS) settings are
186. returned UUID is the same as the UUID environment variable. 6. Creates an amtConfiguration XML fragment using the FQDN and a hard coded OU and profile name. 7. Writes the fragment to an output file. The script is run by executing runscript.bat, which invokes cscript.exe, the command line version of the Windows script host. The script writes output files to the same directory as the one containing the script and runscript.bat. The distribution also includes testme.bat, a batch file that sets the environment variables and then invokes the script. On the General Properties pane of the SCS Console, select Get New Intel AMT Properties > Get Intel AMT Configuration from Script and enter the path name to the batch file on each platform running the SCS, for example C:\program files\intel\AMTConfserver\scripts\runscript.bat. See Step 5 on page 79. Client Script: The sample client script has the advantage of requiring only local system privileges. It has the disadvantage of requiring an auxiliary database and deployment to all client platforms. This approach has three elements: A database accessible to all machines in the Active Directory group account. Each row in this database contains information about a platform that has Intel AMT on it. The unique key is the UUID. The client platforms only have Add Row privileges to this database. The sample includes an SQL file, CreateAuxDB.SQL, that creates the database
187. ribution point of a Certificate Authority. Example CRL file:

    <crl>
      <uri name="http://crl.myenterprise.com/pki/mscorp/crl/mswww(2).crl">
        <cert serialnumber="15 27 82 20 00 00 00 00 00 01"/>
        <cert serialnumber="15 27 82 20 00 00 00 00 00 02"/>
        <cert serialnumber="15278220000000000003"/>
      </uri>
      <uri name="http://corppki/crl/mswww(2).crl">
        <cert serialnumber="15 27 82 20 00 00 00 00 00 04"/>
        <cert serialnumber="15 27 82 20 00 00 00 00 00 05"/>
      </uri>
    </crl>

The serialnumber attribute must have the following format: 1. Use exactly two hexadecimal characters for each byte; a byte with a single character will be ignored. 2. The serial number can be represented as a single hexadecimal number. If the bytes are separated from each other, use any non hexadecimal character as the separator between each pair. The file format is defined with the following XSL style sheet:

    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <xs:element name="cert">
        <xs:complexType>
          <xs:attribute name="serialnumber" type="xs:base64Binary" use="required"/>
        </xs:complexType>
      </xs:element>
      <xs:element name="crl">
        <xs:complexType>
          <xs:sequence>
            <xs:element ref="uri" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="uri">
188. rom the list of sites defined within IIS. Enter the Remote Configuration IIS Web Server Virtual Directory name. The default name is AMTSCS_RCFG. Check or uncheck the Force Secure Connections (HTTPS) option. Selecting this option means that TLS will be used for communications between the RCT and the API applications in the AMTSCS_RCFG virtual directory. Unchecking it means that the connection will use TLS. Click Next. The Database Server Login screen is displayed. (Screenshot: Intel Active Management Technology Setup and Configuration Service InstallShield Wizard, Database Server Login: "Select database server and authentication method. Select the database server to install to from the list below, or click Browse to see a list of all database servers. You can also specify the way to authenticate your login, using your current credentials or a SQL Login ID and Password. For example, the database server can be one of the following: servername.domain, or servername.domain\SQLEXPRESS, or servername.domain\SQLSERVER." Database Server: (local)\SQLEXPRESS; Connect using: Windows authentication, or SQL Server authentication using Login ID and password below.) Define the database server, that is, the name of the computer functioning as the database server and the database instance, and the connection type. In the above screenshot the server is (local) an
189. ros authentication. It ensures that the clocks do not differ by more than the Kerberos Max Clock Tolerance defined in the Profiles. Intel AMT SCS Console Logs: The Intel AMT Console logs activity into the database. There are three log categories. Log: This log displays system wide actions. This includes actions that succeeded and actions that failed; in particular, this log highlights failed actions. The log messages can be filtered by date, by message type and by severity. The Log Level setting on the General Settings screen determines the number and level of messages displayed in the log. See Windows Service Messages on page 142 for a description of these messages and the action to take to correct a detected error. Actions Status: This log displays asynchronous actions, such as global operations or operations per Intel AMT device, that are entered into the queue. Their status in the queue is also displayed. The Name field shows the attempted action; the Status field shows success or failure, or whether an action is queued, delayed or in progress. The SCS checks its queues every five minutes to see if it is time to perform a scheduled maintenance task. The SCS records this in the Actions Status log as a maintenance task even if no other activity was performed. Each of the maintenance events is noted as a CleanLog and ClearRequestStatus event. Note that an actual CleanLog event occurs only onc
[Screenshot: Intel AMT device details. Fields shown: Provision Date (2007-09-05 06:31:56), Admin Password, Intel AMT Configuration, Last re-provisioned time (2007-09-05 06:31:57), Last changed Administrator password time (Not performed yet), Last clock synchronization time (Not performed yet), Last Pseudo Random Generator Seed create time (Not performed yet).]

Ad Hoc Operations on an Individual Intel AMT Device

To configure a single Intel AMT device that has sent at least one Hello message. The profile last used to configure an Intel AMT device will be used for the operations in this section, except for reprovision.

1. Update the profile used when the device was configured with any new parameters that will be needed for the desired ad hoc operations.
2. Open the Intel SCS Console.
3. Select Intel AMT Systems. The Intel AMT Systems table is displayed.
4. Select a device and click Operations. The Operations screen is displayed.

[Screenshot: Intel AMT Device Operations dialog (Configure Intel AMT instance using the values in the assigned Profile). Groups: Provisioning (Provision; Un-Provision: Full, Partial); General (Host Name: Set Host Name; Delete AMT; Authorization); Security (Set ACL; Set CRL; Renew RNG Key); Other (Set Power Policy; Set Storage; Sync Clock; Authorize Admin One-time password). Tooltip: Re-provision includes, among many other configurations, also renew Active]
Code | Message | Severity | Description | Action
- | Invalid delayer polling value %1 %d | Error | Invalid delayer polling value | Provide valid value
180 | Invalid number of normal workers %1 %d | Error | Invalid number of normal workers | Provide valid value
- | Invalid queue polling value %1 %d | - | Invalid queue polling value | Provide valid value
- | Invalid number of slow workers %1 %d | - | Invalid number of slow workers | Provide valid value
- | Invalid delayer polling value %1 %d | - | Invalid delayer polling value | Provide valid value
185 | Cannot connect Intel AMT device to %1 | Error | Network problem, or Intel AMT device does not answer to SCS | Ping Intel AMT device to check network alive
186 | Missing PID PPS Map for Intel AMT device UUID %1 PID %2 | Error | Database does not contain PID PPS record for this Intel AMT device | Make sure Intel AMT device has PID PPS and the record is entered in the database
201 | No log code | Error | General placeholder for errors with no specific error code | N/A
- | User is not authorized %1 | - | User is not authorized | Use authorized user
- | Role not found | - | Role not found | Add the role
303 | User is duplicated | Error | User already exists | -
305 | User is not found | Error | User is not found | -
- | Role already exists | - | Role already exists | -
- | Cannot remove Intel AMT device. It has some operations in queue | - | Cannot remove Intel AMT device. It has some operations in queue | Wait until the operations in the queue are done, then try to delete the Intel AMT device again
- | A dependent operation not found in the | Error | A dependency ca
rs according to the ACL entries in the profile associated with each device and their access privileges. See also The Profile Configuration ACL Tab on page 89.

Set CRL: This operation updates the list of revoked certificates.

Renew RNG Key: This operation resets the random number generator key for each device.

Set Power Policy: This operation updates the power policy for all devices according to the parameters defined in the profiles. See also The Profile Configuration Power Policy Tab on page 91.

Sync Clock: This operation synchronizes the clocks of the Intel AMT devices with the SCS service.

Maintenance Policies

The Maintenance Policies pane defines actions that the SCS will perform periodically on all configured Intel AMT devices. The items enabled with a checkbox can be used to implement a specific site security policy. If TLS is not enabled, maintenance messages to the Intel AMT devices are sent in the clear, without encryption. It is recommended that in non-TLS environments passwords for the AMT objects in Active Directory be configured as Password Never Expires, and that the maintenance function be used only to synchronize the Intel AMT clock.

[Screenshot: Maintenance Policies pane (Configure the Intel AMT Setup and Configuration Service Maintenance Policies), with the Re-provision Intel AMT checkbox. Tooltip: Re-provision includes, among many other configurations, also renew Acti]
s finished.
20. Click Finish.

We recommend that the SQL Server Management Studio Express tool be installed now, as it is needed for initial setup of the database server. It is a free, easy to use graphical management tool for managing SQL Server 2005 Express Edition. Download of this program and installation instructions can be found at http://www.microsoft.com/downloads/details.aspx?familyid=C243A5AE-4BD1-4E3D-94B8-5A0F62BF7796&displaylang=en

Enable SQL Server and Windows Authentication Mode

Following installation, enable the SQL Server:

1. Click the Windows Start button and click Programs.
2. From the Microsoft SQL Server 2005 program group, select SQL Server Management Studio Express. The Connect to Server window is displayed.

[Screenshot: Connect to Server dialog. Fields: Server type (Database Engine), Server name, Authentication (Windows Authentication), User name, Password, Remember password; buttons Connect, Cancel, Help, Options.]

3. Enter the Server name if it is not already displayed, select Windows Authentication and click Connect.
4. Right click on the root node. A popup menu is displayed.

[Screenshot: Microsoft SQL Server Management Studio Express, Object Explorer showing the server root node with its popup menu (Connect, Security, Server Objects, Replication, Management).]
s using the SOAP API may be recorded in the IIS log file.

Enabling the SCS Debug Log

The SCS will produce a detailed debug log if it is configured specially to do so. To enable the debug log, do the following:

1. Run regedit.
2. Open HKEY_LOCAL_MACHINE\SOFTWARE\Intel\AMTConfServer.
3. Create a new key with the name Log.
4. Create a new String Value LogLevel in Log.
5. Set LogLevel to V.

The SCS will create a log file in folder C:\. This is a fixed location regardless of the root drive where the service is installed.

Glossary

Access Control List (ACL): A set of data associated with a file, directory or other network resource that defines the permissions that users, groups, processes or devices have for accessing it. In Intel AMT, a list of users and their access privileges.

Active Directory (AD): Active Directory is an advanced hierarchical directory service that comes with Windows 2000/2003 servers. It is LDAP (Lightweight Directory Access Protocol, a protocol used to access a directory listing) compliant and built on the Internet's Domain Naming System (DNS). Workgroups are given domain names just like Web sites, and any LDAP compliant client (Windows, Mac, Unix etc.) can gain access to it.

AD OU (Active Directory Organizational Unit): Organizational Units (OUs) within an Active Directory are a way to delegate control over part of the dire
ser does not have sufficient permissions to add users to Active Directory, the SCS will not be able to add new entries to the OU. The SCS user needs Create/Delete Intel Management Engine objects permission in the OU, as well as full control over Intel Management Engine objects. To add an OU to an Active Directory domain, in an Active Directory management window right click on the domain, select New > Organizational Unit and supply the desired OU name. In an installation with Intel AMT based platforms deployed in multiple domains, add an OU to each domain.

Updating the Schema for Intel AMT

Installation of the SCS optionally adds a schema definition and script that are used to extend the Active Directory schema for Intel AMT. When a user with Enterprise Admin permissions runs it, the script creates a new class, Intel Management Engine, based on the AD computer object, with the following new attributes:

- Intel Management Engine Version: received in the Hello message from the Intel AMT device
- Intel Management Engine Host Computer: a link to the platform computer object created when the host joins the domain
- Intel Management Engine Platform UUID: received in the Hello message
- Intel Management Engine Host Computer BL: added to the computer object class as a back link to an AMT object
- Intel Management Engine Host computer BL: adde
st be imported into the SCS database. The third option, entering the PID and PPS manually, is also described at the above reference.

To configure the Security Keys:

1. Open the Intel SCS Console.
2. Expand the Configuration Service Settings branch.
3. Select Security Keys. The Security Keys screen is displayed.
4. Click Create Pre-Provision data. Intel SCS creates a list of Security Keys. See the MEBx Settings pane to configure the number of keys generated. Each record consists of an 8 byte PID, a 32 byte PPS and the administrator's password.

[Screenshot: Security Keys screen (Configure Intel AMT Setup and Configuration Service pre-shared key pairs, TLS-PSK), listing the generated PID/PPS records, with a Refresh button.]

Select Export to write the current list of keys to a file on a USB Key, in the format expected by the platform BIOS. Select Import to incorporate a file of keys from an OEM into the SCS database. Optionally, to view the details of a particular Security Key, select the Security Key and click View.

This screen is used to print and reserve a single set of security parameters that will be used to configure an Intel AMT device manually. First print the parameters using the Print option, then select Mark as Used so that the key will not be used with more than one Intel
The Profile Configuration ACL Tab

[Screenshot: Add/Edit Profiles dialog, ACL tab (tabs: General, Wireless Profiles, Wired 802.1x, Network, ACL, Power Policy, NAC). Columns: User, Access Permission, Realms. Example entry: CN=amtservice,CN=Users,DC=..., Any, PT Administration Realm; buttons Add, Delete, Apply.]

26. Use the ACL (Access Control List) tab to review users already associated with this profile, and to add new users and define their access privileges. User identification and realm selection must be coordinated with the requirements and instructions of third party Management Consoles.
27. Click Add. The New ACL Entry dialog box is displayed. Fill in the ACL entry properties.

[Screenshot: New ACL Entry dialog. Options: Digest User or Kerberos User; Active Directory User or Group; Password and Re-Enter Password; Access Permission (Any); Realms and Selected Realms (PT Administration Realm, Redirection Realm, Hardware Asset Realm, Remote Control Realm, Storage Realm, Event Manager Realm); OK, Cancel.]

28. Select one of the following:

Digest User: Digest authentication is a password based authentication. If selected, enter the user name. Then enter the new password and confirm the entry.

Kerberos User: Select this option only if the profile has Active Dir
t eventually link to a certificate from the root certificate authority.

[Figure: certificate chain from the root CA certificate through N subordinate CAs to the leaf certificate.]

The Issuer Field of a certificate equals the Subject Field of the certificate of the issuing CA. In this way each certificate points to the next certificate in the chain, until the path reaches a certificate created by the root CA. When the Intel AMT Setup and Configuration Server enrolls a certificate (installs it in an Intel AMT device), it only sends the leaf certificate and does not include any subordinate certificates. When a client initiates a TLS session with an Intel AMT device, the device only sends the leaf certificate to the client application (an ISV Management Console application). The client needs to know the full chain and must acquire the intermediate (subordinate) CA certificates. In a correctly configured Microsoft environment the client dynamically retrieves the intermediate CA certificates based on the information in the issued leaf certificate. This can succeed if the IT administrator has set up the environment correctly, by ensuring that the application has the necessary privileges to obtain the subordinate certificate information. If a TLS stack other than the Microsoft stack is used, for example if the application uses the Intel AMT redirection library that depends on OpenSSL, then the certificate chain must be provided explicitly. The user must create a PEM file that contains all of
t by the same user as the one that will be identified as the SCS service user (see page 40).

Run Internet Explorer as the SCS user: Start > Programs > right click Internet Explorer > Run as. In the Run As dialog, click The Following User and enter the username and password of the SCS user (the name must be in the format domain\username). Press OK.

Enter the following address: http://ca_machine/certsrv, where ca_machine is the FQDN of the platform hosting the CA.

Click Request a certificate.

Click advanced certificate request.

Click Create and submit a request to this CA.

Complete the request form. Ensure that the following critical parameters are completed correctly:

- The Name field must be the fully qualified name (FQDN) of the host running the SCS or Management Console. To find this name from the Windows desktop, right click My Computer, select Properties and click the Computer Name tab.
- The Type of Certificate Needed field must be Other. In the OID field, enter the client certificate OID and the remote certificate OID. The complete OID value must appear as 1.3.6.1.5.5.7.3.2,2.16.840.1.113741.1.2.1
- Select 1024, 1536 or 2048 as a key size.
- Select the Mark keys as exportable checkbox.

Click Submit. Depending on the selected parameters, one or more confirmation messages are displayed. If the resulting page says Certificate Pending, perform step 10. Otherwise skip to step 11. The behavior de
t into a Management Console product.

List of Required Microsoft Components

The following Microsoft components must be installed and configured for the Intel SCS to function:

- .NET Framework 2.0 is a prerequisite for the installation of SQL Server or SQL Server Express, the Intel SCS Main Service and the SCS console.
- Either Microsoft SQL Server 2005 or Microsoft SQL Server 2005 Express Edition (SQL Server Express) is required. This manual describes installation of the Express edition, but if the full edition exists it may be used. The Express Edition is a data management product for embedded application clients, light Web applications and local data stores.
- Intel SCS requires that Microsoft's Internet Information Services 6.0 (IIS 6.0) be installed and configured. IIS is Microsoft's HTTP server; IIS adds full HTTP capability to the Windows operating system. IIS should be installed before the Certificate Authority is installed.
- If Transport Layer Security (TLS) is required in an installation, then Intel SCS requires that Microsoft's Certificate Authority (CA) be installed.
- Microsoft's Active Directory (AD) is a directory service that is integrated with Windows 2003 Server. AD is an optional environment prerequisite. Intel SCS uses AD for:
  - Kerberos authentication using AMT objects
  - User lists

The Intel AMT installation adds a script that extends the AD schema for I
t support the Server Authentication application policy. The SCS user must have Read and Enroll permissions on an Enterprise CA WebServer template or custom template. See Defining a New Template for an Enterprise CA on page 130.

19. Click OK.

Applications using the Intel AMT redirection library with TLS require additional steps for authentication with Intel AMT devices to be performed successfully. See Configuring PEM Files for Redirection Applications on page 137.

20. Mutual Authentication: Selecting this option opens a template for entering TLS Mutual Authentication settings.

[Screenshot: TLS Mutual Authentication Settings dialog (View and configure configuration profile TLS Mutual Authentication Settings). Sections: CRL (Update Time 2007-09-05 08:06:19, No. of Certificates, Description; Import, Remove); FQDN Suffixes (Add); Trusted Certificates (Issued To, Name, Expiration; Add, Remove); Service Mutual Authentication Certificate (Delete); OK, Cancel.]

21. In the Trusted Certificates box, click Import to add a list of Trusted Root Certificates. These are the issuers of the client certificates that the Intel AMT device will recognize as authentic. These certificates are stored in the database and then sent to the Intel AMT device during setup and configuration. Intel AMT can accept up to four trusted root certific
t will remain in the database but will not be exported to a USB Key. Select this if the keys were printed.

8. To set the passwords and the maximum number of security keys that can be stored on a single USB key, click MEBx Settings.

[Screenshot: Security Key Settings dialog (View and configure the security keys settings). Fields: Number of security keys in a USB key (50); Factory Default MEBx Password; New MEBx Password: Random creation or Manual creation; OK, Cancel.]

a. Enter a number in the Number of security keys field. This number determines the number of keys created by clicking Create Pre-Provision data, and how many keys are exported when Export is clicked.
b. Select the factory assigned OEM password. If it is not in the dropdown list, add it to the list by performing the following steps:
   i. Click within the Current Password field. The content is selected.
   ii. Begin typing. The old content disappears but is not deleted.
   iii. Enter the new Current Password.
   iv. Click OK. The new OEM MEBx password is added to the list.
c. In the New MEBx Password box, select either Random or Manual. If Manual is selected, enter the new password. This will be the MEBx password after setup and configuration completes.
d. Click OK. Passwords are stored in the Intel AMT table saved in the database.

Configuring Users and Groups

The Users
tc.; the diagram above shows the steps that follow.

1. The Management Console puts the list of platforms in an Active Directory group that has the SCS Configuration Client role assigned to it (see page 103).
2. The Management Console sends configuration authorization for the platforms on the list to the SCS, using the authorize SOAP API. Each platform can be identified with the platform FQDN or the platform UUID.
3. The Management Console sends the RCT or other local agent to each platform on the list. The agent executes under the Local System account on each platform.
4. The agent starts the remote configuration flow. This results in the platforms sending Hello messages to the SCS. The SCS performs setup and configuration of the platforms. Using the authorization required option means that platforms are configured only when the IT group is ready.
5. A while later (for example, after three hours or the next day) the Management Console checks on which platforms were configured by attempting discovery of the platforms. If setup and configuration of some of the platforms did not complete, it may be necessary to restart the RCT or agent sequence, as the Intel AMT network interface may have closed. The Management Console re-initiates the agent to start the process again. Using the SOAP API, the Management Console can query the SCS for a list of configured platforms to identi
ted after setup and configuration is completed. A value must be entered for this parameter even if Active Directory use is not enabled. If use of Active Directory is possible in the future, select values for this field that will be usable with the AD deployment.

Profile: Enter the profile to be used for this device.

Click OK.

Filtering the Display

The display of potential Intel AMT devices can be filtered. When filtered, only devices that match the specific filtering criteria are displayed.

To filter the display:

1. Select one or more of the checkboxes.
2. As applicable, either select an entry from the dropdown list or complete the entry in the available field. The dropdown list includes the following options:
   New Amt Order By Ordinal Number
   New Amt Order By UUID
   New Amt Order By FQDN
   New Amt Order By ADOU
   New Amt Order By Profile ID
3. Click Apply Filter.

To sort by a specific parameter, click on the appropriate column title. Click again to alternate between an ascending and a descending sort.

Configuring Existing Intel AMT Devices

Use the Intel AMT Devices screen to view the status of all Intel AMT devices that have sent a Hello message at least once to the SCS, review details about a single Intel AMT device, and configure an individual Intel AMT device.

Viewing Intel AMT Devices and Reviewing the D
tering the Display
Configuring Existing Intel AMT Devices 109
Viewing Intel AMT Devices and Reviewing the Details of a Device 109
Ad Hoc Operations on an Individual Intel AMT Device 110
Filtering the Display 113
Global Operations 113
Maintenance Policies 115
Intel AMT SCS Console Logs 117
Filtering a Log Display 119
SOAP API 121
Overview of the SOAP API 122
SOAP Faults 123
SCS Support Content 124
SCS Tools 125
Command Line Tools 125
Add new Intel AMT Properties 125
Database Dump 125
Administrative Tools 125
Active Directory Schema 125
Using a Script to Import Intel AMT Configuration Properties 127
Environment Variables 127
Output File Format 127
Script Functionality 128
Sample Scripts 128
Server Script 128
Client Script 129
Remote Configuration Tool 129
Defining a New Template for an Enterprise CA 130
Internationalization of SCS Messages 135
Retrieving a Certificate for Use by a Posture Validation Server 136
Configuring PEM Files for Redirection Applications 137
CRL XML Format 139
Troubleshooting 140
Windows Service Messages 142
Log Mapping 159
Other Logging Sources 159
Enabling the SCS Debug Log 159
Glossary 160

Chapter 1 SETUP AND CONFIGURATION SERVICE OVERVIEW

This section contains:
Introduction to Intel SCS on page 2
Setup and Configuration Process on page 3
Intel AMT SCS Functional Flow on page 5
Setup and Configuration Operational Overview on page
tes the need for a script by sending platform description information directly to the SCS via calls to the SOAP API. The tool executes on the Intel AMT Host platform.

Defining a New Template for an Enterprise CA

When requesting a certificate from a Stand-alone CA, it is possible to change many of the fields in the certificate request manually. This is not true for an Enterprise CA certificate request: the parameters in a template are largely predefined. This is particularly the case for certificates that the SCS requests automatically for an individual Intel AMT device. The following procedures show how to define a certificate template, how to give the SCS user the necessary rights to create certificates from that template, and how to add the template to the list of templates known to the Enterprise CA. Organizational security policies may determine certain template properties, such as certificate expiration. Adjust the values in the following examples to the local policy.

The following conditions require creation of an Enterprise CA template:

- Creating a Mutual Authentication client certificate for use by the SCS or a Management Console. Rather than filling in fields manually in the user template, as with a Stand-alone CA, first define a template with the necessary parameters and then request a certificate using the template. The procedure below shows specific steps required for the Intel AMT client certificate temp
tform to complete the following steps if the transition was required. If the platform is configured for Remote Configuration mode, the RCT requests an OTP from the SCS. The tool sends the OTP to the Intel AMT device and commands the device to start configuration and open the network interface. If the platform has already started remote configuration but has not completed the process, the tool will request an OTP, send it to the platform and command it once again to open the network interface. If the platform does not support remote configuration, or has already started setup and configuration using a PID/PPS pair, or has already completed setup and configuration, the tool exits with a status code indicating the platform state.

If the Intel AMT system is in In Provisioning mode and no longer sends Hello messages, the RCT can be used to send a Hello packet to the SCS to allow it to complete the provisioning process. The Hello packet is sent to the SCS server port specified by the l parameter; if the l parameter is not used, the packet is sent to port 9971. Since the Hello packet needs to include the authentication hint (the PID for a PSK configuration, or the certificate hashes of the trusted root certificates for remote configuration), the RCT can retrieve this information from the Intel AMT system on those versions of Intel AMT that allow retrieving the information. If the Intel AMT system uses PSK but does not
the platform transitions to S3, the Intel AMT device will remain awake until there is no activity for the number of minutes set in the Idle Timeout. At that point the device reduces power. Any network access to the Intel AMT device will cause it to wake up and restart the timeout timer. This parameter should be set to three minutes at a minimum.

Click Apply.

Some platforms that support Intel AMT Release 3.0 have a power loss option, where Intel AMT stays off until the platform is rebooted after a power failure. The SCS does not support configuring this option.

The NAC Tab

The NAC Tab is used to identify the certificate used to sign NAC posture messages.

[Screenshot: Add/Edit Profiles dialog, NAC tab (Configure NAC properties): Enabled NAC checkbox; NAC Posture signing certificate details.]

Selecting Enabled NAC means that the NAC Posture generation capability will be enabled in Intel AMT devices configured using this profile. See Retrieving a Certificate for Use by a Posture Validation Server on page 136 for a description of how to export the certificate designated here, so that its public key is available for validating the signature created using the private key. Enter a definition for the certificate source (CA identification information) that the SCS will use to create a certificate for signing NAC postures. If the certificate source (Certificate Authority name and template type) are the same for the TLS Server Authentication certificate, the
the system's UUID has been changed, for example as the result of replacing part of the hardware, the SCS returns an error code which the calling program is responsible for handling. If the platform is in In Provisioning state, the RCT does not change its FQDN. If the f command is used with an Intel AMT system that has not been provisioned, the f command is ignored and provisioning proceeds.

Note: The user running the RCT requires SCS Operator permissions in order to enable it to change the FQDN.

The RCT has the following command interface:

rct s <full URL of SCS, including port if this is a nonstandard port> p <profile id> o <organizational unit> t on|off e h A d <PID> f

Intel AMT Preparation

s: This URL is the one that was defined for remote configuration use when the SCS was installed, for example AMTSCS_RCFG. Use http or https depending on the installation option selected (see page 42).

p: This optional field is the numerical profile ID shown on the SCS Console profile page.

o: This is the optional Active Directory OU where the Intel AMT device (AMT object) will be placed, in LDAP format. This is a string with no embedded blank characters.

t: If the RCT detects that the platform manageability mode is not Intel AMT Manageability, on indicates that the RCT will transition the platform to Intel AMT Manageability mode; off indicates that the tool should not perform th
the user's rights and group memberships.

TLS: Transport Layer Security.

UUID (Universally Unique Identifier): A UUID is an identifier standard used in software construction. The intent of UUIDs is to enable distributed systems to uniquely identify information without central coordination. Thus anyone can create a UUID and use it to identify something. Information labelled with UUIDs can therefore be combined into a single database without need to resolve name conflicts. A UUID is essentially a 16 byte number, and in its canonical form a UUID may look like this: 550E8400-E29B-11D4-A716-446655440000.

VLAN (Virtual LAN): A VLAN is a logical subgroup within a local area network that is created via software rather than by manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to, and thereby allows traffic to flow more efficiently within populations of mutual interest.
tificate from the SCS database, converts the certificate to DER format and renames it with the certificate serial number. This is a manual procedure; IT organizations or ISVs supporting this functionality should provide scripts to accomplish the same thing on an enterprise scale.

1. Extract the certificate by executing the SCS API SOAP function GetAMTCertificate. The function accepts either the FQDN or the UUID to identify a unique Intel AMT device. See the SCS API document for details of the function.
2. Save the returned certificate as a .cer file. This file is in Base 64 format.
3. Double click on the certificate file.
4. Select the Details tab and Copy to File.
5. In the Certificate Export Wizard, select DER encoded binary as the file format. Name the file temporarily and complete the wizard. The resulting file is still a .cer file, but its contents will be in the DER format.
6. Double click again on the certificate, select the Details tab, select the serial number and copy it.
7. Rename the newly exported certificate by pasting the serial number over the temporary name.
8. Remove the blanks in the name so that it is a continuous hexadecimal number.
9. Move the renamed certificate to the CERT folder in the directory containing the PVS sample executable.

Configuring PEM Files for Redirection Applications

A certificate generated by a subordinate CA is linked to a sequence of certificates tha
tifying Information screen is displayed.

9. Enter the CA Identifying Information.

[Screenshot: Windows Components Wizard, CA Identifying Information page. Fields: Common name for this CA (Your Root CA); Distinguished name suffix (DC=amt,DC=intel,DC=com); Preview of distinguished name (CN=Your Root CA,DC=amt,DC=intel,DC=com); Validity period (5 Years); Expiration date (10/17/2011 4:01 PM).]

a. Enter the Common Name: the name by which the CA will be known.
b. Enter the distinguished name suffix. This is the domain suffix of the host. It will be generated automatically in an AD environment.

Click Next.

10. Choose the default location for the Certificate Database Settings and click Next. There may be a message requesting to stop IIS. Click Yes.
11. There may be a message saying that ASP has to be enabled to use web enrollment services. Click Yes. The installation will run to completion.
12. Configure the CA to automatically issue certificates. This option is recommended, as it allows the SCS to process Intel AMT device setups automatically without operator intervention.

a. Click the Windows Start button > Programs > Administrative Tools > Certificate Authority. The Certificate Authority Management Console opens.
b. Right click on the first sub-branch, which will be the Common Name selected above. A popup menu is displa
ual

Information for ISVs

The following information is intended to aid developers of consoles that will work in conjunction with the SCS in an enterprise environment with consoles from other vendors.

Remote Configuration Tool Ecosystem

The Remote Configuration mechanism uses the Remote Configuration Tool, or an equivalent ISV developed agent, to locally initiate the remote configuration process (see page 62). In an Enterprise deployment, when there is a critical mass of platforms with Intel AMT, configuring many platforms to take advantage of Intel AMT is a more global task for the IT group. The group has to plan deployment of Intel AMT, deciding on which platforms to enable the Intel AMT capability. Assume that there is a management console that has the task of managing platforms: their presence, their identity and their current state. This might be tied to Active Directory or some other database used to track an organization's computing assets. The following steps generally describe the flow of preparing for and deploying a number of Intel AMT devices.

[Figure: Management Console, Active Directory Domain Controller, and a platform with Intel vPro technology running the RCT or an ISV created agent.]

The Management Console first builds a list of platforms to configure: all the platforms in a building, on one floor of a building, a campus, a department, e
214. utables retrieve a message based on a message number and the current language on the platform where the application executes. If the message file supports the current language, the file returns the message in the proper language. If the file does not support the current language, it returns the message in English. See the document Internationalization of SCS Messages.doc for the steps required to add an additional language to the message file.
SCS Support Content 135
Retrieving a Certificate for Use by a Posture Validation Server
The Cisco NAC scheme uses a Posture Validation Server (PVS) to check each posture type for validity. A PVS can check the fields in the posture and the signature in the posture. The signature is a hash of fields in the posture, encrypted using the private key of a PKI public/private key pair. The PVS validates the signature by calculating a hash over the same fields, decrypting the signature using the public key, and comparing the results. The key pair used by Intel AMT is in the certificate specified on the NAC tab of the profile used to set up the Intel AMT device. The PVS needs this certificate to perform signature validation. The SCS API includes a function to recover the certificate for a selected Intel AMT device. The Intel AMT SDK includes a sample PVS that expects the certificates to be in DER format, with a name set to the serial number of the certificate. The following procedure retrieves a cer
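As an added illustration (not code from this manual or from the Intel AMT SDK), the following Go program models the hash-sign-verify flow described above: the device signs a hash of its posture fields with its private key, and the PVS checks that signature with the public key taken from the device's DER certificate. SHA-256 with PKCS#1 v1.5 padding, the newline-joined field encoding, the self-signed certificate, its serial number, the host name and the posture values are all assumptions made for the example; the SCS API call that recovers the real certificate is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

var Rand = rand.Reader // CSPRNG shared by key generation, signing and the self-signed certificate

// postureDigest hashes the posture fields in a fixed order; device and PVS must hash the same bytes.
func postureDigest(fields []string) []byte {
	sum := sha256.Sum256([]byte(strings.Join(fields, "\n")))
	return sum[:]
}

// SignPosture models the device side: an RSA signature over the hash of the fields.
func SignPosture(priv *rsa.PrivateKey, fields []string) ([]byte, error) {
	return rsa.SignPKCS1v15(Rand, priv, crypto.SHA256, postureDigest(fields))
}

// VerifyPosture models the PVS: parse the DER certificate, take its public key, recompute the hash and check the signature.
func VerifyPosture(certDER []byte, fields []string, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return x509.ErrUnsupportedAlgorithm // only RSA keys are modelled here
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, postureDigest(fields), sig)
}

// SelfSignedDER is a constructed stand-in for the DER certificate the SCS API would return for a device.
func SelfSignedDER(priv *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), // constructed; the SDK sample PVS names the DER file by it
		Subject:      pkix.Name{CommonName: "amt-device.example"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(Rand, tmpl, tmpl, &priv.PublicKey, priv)
}
```

Any change to a signed field makes the recomputed hash differ from the one recovered from the signature, so VerifyPosture returns an error for a tampered posture.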
215. vE
[Screenshot: Windows Components Wizard, Application Server subcomponents: Internet Information Services (IIS) and Message Queuing. Description: IIS includes Web, FTP, SMTP and NNTP support along with support for FrontPage Server Extensions and Active Server Pages (ASP). Total disk space required and space available on disk are shown.]
Select the Application Server checkbox. Click Details. Select the Internet Information Services checkbox. Click OK. The IIS installation process begins. Follow the installation wizard instructions and choose the default options.
IIS Verification
To verify that IIS is running:
1. From the Windows desktop, right-click My Computer. A popup menu is displayed.
2. Click Manage. The Computer Management window is displayed.
3. From the left pane, expand the Services and Applications branch.
4. Expand the Internet Information Services branch.
5. Expand the Application Pools branch and ensure that DefaultAppPool is in run mode.
Intel AMT SCS Installation And User Manual
[Screenshot: Computer Management console, Services and Applications branch expanded to Internet Information Services (IIS) Manager > Application
216. ve Directory object password. Update mutual authentication settings and re-issue all certificates used by Intel AMT.
[Screenshot: maintenance schedule settings, each with an Every N Months or Every N Minutes interval, including Renew Pseudo-Random Generator Seed and Synchronize Intel AMT Clock, with Apply and Refresh buttons.]
Re-provision Intel AMT: If this item is checked, all parameters in each device will be updated according to the latest values in the associated profile. New certificates and passwords will be issued. See page 111 for a note on re-provisioning wireless profiles.
Intel SCS Console 115
Change Intel AMT Administrator Password: The administrative user has access to all functions of the Intel AMT device. Only the SCS has access to this ACL entry. When this option is selected, the administrative password is changed periodically to either a randomly generated password or to a fixed password. The option used is defined on the Profile Configuration General tab for the profile associated with each Intel AMT device. Normally this maintenance function is used only with the random password option.
Renew Pseudo-Random Generator Seed: When this option is selected, the SCS generates and sends a new random number generator seed to each Intel AMT device.
Synchronize Intel AMT Clock: This option synchronizes the clock in each Intel AMT device to the clock on the SCS platform. This operation is critical when using Kerbe
217. ver certificates for each Intel AMT device. When the SCS works with an Enterprise CA, the SCS user needs to have permission to use the Web Services template for this purpose. Perform the following steps (see Defining a New Template for an Enterprise CA on page 130 for additional details):
1. Enter mmc in a command window.
2. Press Ctrl+M followed by Alt+D.
3. Select Certificate Templates and click Add, Close and OK.
4. Right-click on the relevant template in the list in the right pane (Web Services; repeat for any other templates to be used in this installation) and choose Properties.
5. Select the Security tab.
6. Add a group, or use an existing group that includes the SCS user, and check all permissions for it except the Full Control option.
7. Click OK.
Secure the Connection to IIS Using SSL
Connection to IIS requires a digital certificate. A certificate can be purchased from an outside vendor such as Verisign. If the Microsoft CA was installed because TLS will be used for Intel AMT communications in the enterprise, use that CA as the source for the certificate.
Installing a Certificate on IIS
Each instance of IIS that supports the SCS requires a server certificate installed for the website that supports the SCS. This will be either the Default Web Site or another user-specified site (see page 42). The following procedure shows how to create and install a server certificate using a Micr
218. webs
[Screenshot: CA settings dialog with OK and Cancel buttons.]
CA Host Name: Enter the FQDN of the computer that handles, stores and issues digital certificates. It is the platform hosting the Microsoft CA used to generate individual certificates for Intel AMT devices.
Name: Enter the name of the CA. The name is listed in the CA Administration Manager: click the Windows Start button > Programs > Administrative Tools > Certificate Authority. The name is listed in the first sub-branch in the left pane.
Type: Windows Server 2003 Certificate Services supports two types of CAs, Enterprise and Stand-alone. Enterprise CAs are integrated with Active Directory and use information stored in Active Directory. Stand-alone CAs do not require Active Directory, but require that all information about the requested certificate type be included in the certificate request. Templates cannot be edited when using a Stand-alone CA; the default template is WebServer.
Certificate Template: When working with an Enterprise CA, enter the name of the Certificate Template to be used. The name must be the LDAP name stored in Active Directory. When the template is displayed using the CA management tools, it is the Template Name and not the Template Display Name. A template allows customization of the content of the certificates issued by the Certificate Services. The template defaults to WebServer. If a custom template is defined, the template mus
219. will install a profile named WP1_. Continuing the above example, after reprovisioning completes and the wireless link is eventually dropped, the next wireless connection attempt may fail. This occurs because the Intel AMT device will try to establish a link using WP1, and the RADIUS server may try to authenticate using Active Directory. The credentials in the old profile WP1 will not match the new Active Directory credentials created during reprovisioning. After WP1 fails, the device tries to connect using the next wireless profile, WP1_, and will succeed, as this profile has up-to-date credentials.
Un-Provision: This operation disables the Intel AMT device and leaves it without any Setup and Configuration parameters. There are two modes:
Full unprovisioning: Deletes all data from the Intel AMT device. The Intel AMT device is not functional. If it is configured for bare-metal remote configuration, the device will open the network interface and start sending Hello messages.
Partial unprovisioning: Deletes all data on the Intel AMT device except for the PID, PPS, admin ACL settings, host name, domain name, and provisioning server IP and port number. The device will immediately start sending Hello messages. The SCS will set up and configure the device according to the profile associated with it.
Host name: Changes the host name of the selected device in the SCS database.
Delete AMT: This operation deletes the selected I
220. x Profile checkbox to allow selection of a profile to include in the field below. Select the drop-down control to display a list of defined profiles and select one of them.
[Screenshot: System 802.1x Profiles dialog listing 802.1x Profile Id, 802.1x Profile Name and Used in configuration Profiles, with entries such as EAP-TLS and EAP_PEAP_MSCHAPv2.]
Select Add to define a new profile. Select OK, OK to complete the profile selection.
Defining Wireless Profiles
A wireless profile defines which protocol will be used between an Intel AMT device and a wireless access point. If the Intel AMT device is to receive manageability messages over a wireless connection, there must be a wireless profile installed on the device that corresponds with the wireless profile active on the host. The profiles conform to IEEE 802.11i. Select Wireless Profiles in the left-hand pane of the Console display and select Add to create a new profile, Edit to modify an existing profile, or Delete to delete an existing profile.
[Screenshot: Wireless Profile dialog. General: Profile name, SSID. Security Settings: Data Encryption, Key management (Wi-Fi Protected Access (WPA)), Encryption Algorithm (Temporal Key Integrity Protocol (TKIP)), Authentication (Pass phrase, 802.1x profile). OK and Cancel buttons.]
221. yed.
c. Click Properties and click the Policy Module tab.
[Screenshot: CA Properties dialog, Policy Module tab. Description of active policy module: Name: Windows default; Description: Specifies how to handle certificate requests for Enterprise and Stand-alone CAs; Version; Copyright Microsoft Corporation, All rights reserved; Properties button. Request Handling tab: The Windows default policy module controls how this CA should handle certificate requests by default. Do the following when a certificate request is received: Set the certificate request status to pending (the administrator must explicitly issue the certificate); Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.]
d. Click Properties and select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
e. Click OK, respond to the message, and click OK. The Certificate Authority Management Console returns to focus.
f. Right-click on the Common Name and select All Tasks > Start Service.
Exporting and Installing the CA Root Certificate
The CA root certificate should be stored locally on any platform that authenticates certificates from this CA. This includes:
- Clients of IIS (if IIS used this CA for its certificate), for example the SCS Cons