Intel AMT: Part 2 – Remote Configuration Service (RCS)

Remote Configuration Service (RCS)

Following on from the overview of Intel AMT, this is a transcript of the notes I took when configuring our RCS server…

RCS can be used in either database mode or non-database mode. Database mode gives access to a greater array of AMT functions; however, it requires one of:

  • Microsoft SQL Server 2008 Enterprise (x32/x64)
  • Microsoft SQL server 2008 R2 Enterprise (x64)
  • Microsoft SQL server 2005 Enterprise (x32)

Our provisioning server is currently Microsoft SQL Server 2005 Standard, which RCS will apparently not work with, so, sadly, we have to use non-database mode for the time being.

Installing RCS

If you are upgrading a previous version of RCS:

  • Back up the existing configuration data. The included migration tool may assist, but in our case it couldn’t find any of the configuration data!
  • Back up VBScript: D:\RCS_Scripts\ConfigAMT.bat and D:\RCS_Scripts\ConfigAMT.vbs

Follow RCS installation instructions!

You probably don’t want to be running RCS as the domain administrator:

  • Create a domain user (RCSuser) to run RCS as
  • Assign Full control to the OU in the Active Directory to be used by RCS to hold AMT computer objects

Logs can be found in:

  • C:\ProgramData\Intel_Corporation\RCSConfServer
  • D:\RCS_Scripts (Location of ConfigAMT.vbs script)

The user running the RCS server requires the following permissions:

  • Issue and Manage Certificates
  • Request Certificates
  • Read and Enroll (for Enterprise CAs only)
  • In the CA: right-click the CA and select Properties
    • Policy Module->Properties
      • Ensure Follow settings in certificate template is selected
    • Security
      • Add RCSuser with Issue and Manage Certificates and Request Certificates

You now need to create the certificate for the server and the template for the AMT clients.

Client Certificates

Certificate Template

To create the client certificate template:

  • Run the Certificate Templates MMC snap-in
  • Select User Template from the right pane
  • Duplicate the template; it is important that you select Windows Server 2003 Enterprise
    • Enter template name
    • Enter validity period (10 years?)
    • Select publish certificate in Active Directory
    • Request Handling->CSPs
      • Select Microsoft Strong Cryptographic Provider
    • Subject Name tab
      • Select Supply in the request
    • Security tab
      • Add RCSuser with Read and Enroll permissions
    • Extensions tab
      • Applications Policies: Server Authentication
  • Template properties->Issuance Requirements
    • Ensure CA certificate manager approval is not selected

Adding the template:

  • Run the Certificate Authority MMC snap-in
  • Certificate Templates->New->Certificate Template to issue
  • Select the created template
  • Restart the CA

Assigning the template

The certificate template is then used in the TLS Server Certificate Template settings in the AMT profile. The Default CNs setting can be used or changed as necessary.

Server Certificate

Create Certificate Template

To create the server certificate template:

  • In Certificate Template MMC snap-in
  • Duplicate the Computer Template
  • Select Windows Server 2003 Enterprise
    • Enter name
    • Enter Validity period: 10 years?
    • Extensions tab
      • Application Policies: Server Authentication and AMT Provisioning
    • Subject name tab
      • Select Supply in the request
    • Request Handling tab
      • Select Allow private key to be exported

Adding the template:

  • Run the Certificate Authority MMC snap-in
  • Certificate Templates->New->Certificate Template to issue
  • Select the created template
  • Restart the CA

Create the Certificate

The Intel AMT documentation uses IE to create a certificate from the URL http://ca-srv/certsrv, but we don’t have this virtual directory in IIS on our CA, so we have to do it via MMC:

  • Use the Certificates MMC snap-in and connect as Computer account:
  • In the Personal certificate store Request new certificate
  • Select AMT RCS Server template
  • Set Subject name to Common name => FQDN of server
  • Select Enroll
  • Export the certificate to .pfx including the private key
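As an added check that is not part of the original notes, the PowerShell below inspects the exported .pfx before it is imported into the RCSuser's Personal store: it confirms the private key is present, that the Server Authentication EKU (and the Intel AMT provisioning EKU the server template above adds) is set, that the subject CN is the server's FQDN, and that the certificate has a sensible amount of validity left. The path, password and FQDN in the usage comment are assumptions.

```powershell
# Added example, not from the original notes. Validates an exported RCS
# server .pfx before it goes into the RCSuser's Personal certificate store.

function Test-AmtServerPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [Parameter(Mandatory)][string]$ExpectedFqdn
    )
    $certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert     = New-Object -TypeName $certType -ArgumentList $PfxPath, $Password, $flags

    # EKU OIDs: Server Authentication is the standard id-kp-serverAuth OID; the
    # second is the Intel AMT provisioning EKU that the server template adds.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $amtProvOid    = '2.16.840.1.113741.1.2.3'
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # SimpleName yields the CN value, which must be the FQDN the AMT clients will see.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)

    $checks = [ordered]@{
        'Private key present'               = $cert.HasPrivateKey
        'Server Authentication EKU'         = ($ekuOids -contains $serverAuthOid)
        'Intel AMT provisioning EKU'        = ($ekuOids -contains $amtProvOid)
        "Subject CN equals $ExpectedFqdn"   = ($cn -ieq $ExpectedFqdn)
        'More than a year of validity left' = ($cert.NotAfter -gt (Get-Date).AddYears(1))
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        EkuOids    = $ekuOids
        Checks     = $checks
        AllPassed  = (@($checks.Values | Where-Object { -not $_ }).Count -eq 0)
    }
}

# Usage (path, password prompt and FQDN are assumptions):
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Test-AmtServerPfx -PfxPath 'C:\certs\rcs-server.pfx' -Password $pw -ExpectedFqdn 'rcs.example.com'
```

If "Private key present" is false the export was done without the private key and RCS will not be able to terminate TLS with it; if the validity check fails, see the Validity Period section below for the three limits that cap a new certificate's lifetime.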

Validity Period

If you only get a two-year validity period after creating the certificate, remember that the validity period of the certificate will be the lowest of:

1. The lifetime remaining for the issuing CA’s certificate.

2. The value in the certificate template (not applicable in your case).

3. Registry entries

To view the registry settings:

certutil -getreg ca\validityperiod
certutil -getreg ca\validityperiodunits

To change the settings – must restart CA after the change:

certutil -setreg ca\validityperiodunits 10
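The following PowerShell is an added example, not part of the original notes: it reads the same CA registry values that certutil -getreg reports and works out which of the three limits above is actually capping the validity of a newly issued certificate, so you know whether changing the registry will help at all. It assumes it runs in an elevated prompt on the CA host (the registry read needs that); when run elsewhere, pass the registry value by hand. The CA subject name and the 10-year template in the usage comment are assumptions.

```powershell
# Added example, not from the original notes. Computes the effective validity a
# newly issued certificate can get: the lowest of the issuing CA certificate's
# remaining lifetime, the template validity and the CA's ValidityPeriod /
# ValidityPeriodUnits registry values.

function Get-CaValidityFromRegistry {
    # Same values certutil -getreg ca\validityperiod[units] shows.
    # Assumes this runs on the CA host; 'Active' names the CA's own subkey.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $base $caName)
    [pscustomobject]@{
        CaName = $caName
        Units  = [int]$cfg.ValidityPeriodUnits
        Period = [string]$cfg.ValidityPeriod     # 'Years', 'Months', 'Weeks' or 'Days'
    }
}

function ConvertTo-Years {
    param([int]$Units, [string]$Period)
    switch ($Period) {
        'Years'  { return $Units }
        'Months' { return $Units / 12 }
        'Weeks'  { return $Units * 7 / 365.25 }
        'Days'   { return $Units / 365.25 }
        default  { throw "Unknown ValidityPeriod unit '$Period'" }
    }
}

function Get-EffectiveValidityYears {
    param(
        # The issuing CA's own certificate.
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$CaCertificate,
        # Validity configured in the certificate template (10 in the notes above).
        [Parameter(Mandatory)][double]$TemplateYears,
        # Supply this when not on the CA host; otherwise it is read from the registry.
        [double]$RegistryYears
    )
    if (-not $PSBoundParameters.ContainsKey('RegistryYears')) {
        $reg = Get-CaValidityFromRegistry
        $RegistryYears = ConvertTo-Years -Units $reg.Units -Period $reg.Period
    }
    $caRemaining = ($CaCertificate.NotAfter - (Get-Date)).TotalDays / 365.25

    $limits = [ordered]@{
        'Issuing CA certificate lifetime remaining' = [math]::Round($caRemaining, 2)
        'Certificate template validity'             = $TemplateYears
        'CA registry ValidityPeriod'                = $RegistryYears
    }
    # The smallest limit is the one that binds.
    $binding = $limits.GetEnumerator() | Sort-Object -Property Value | Select-Object -First 1
    [pscustomobject]@{
        EffectiveYears = $binding.Value
        LimitedBy      = $binding.Key
        Limits         = $limits
    }
}

# Usage on the CA host (the CA subject name is an assumption):
# $ca = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=CCA-CA*' } | Select-Object -First 1
# Get-EffectiveValidityYears -CaCertificate $ca -TemplateYears 10
```

If LimitedBy reports the issuing CA certificate's remaining lifetime, raising ValidityPeriodUnits as shown above will not change anything; only renewing the CA certificate would.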

Install the Certificate

Install the certificate in the RCSuser’s personal certificate store:

  • Run mmc as the RCSuser
  • Add the Certificates snap-in
  • Select Personal certificate store
  • Import the .pfx file

Restart the RCSServer

Configuring Client PKI

Setup.bin versions

You need to create the correct version of the Setup.bin file otherwise AMT will ignore it. It’s been hard to find a definitive list of which version of the file goes with which version of AMT, but from our machines it appears to be the following:

  • V1 – AMT prior to 3.0
  • V2 – AMT 3.0 or higher
  • V3 – AMT 6.0
  • V4 – AMT 7.0

To avoid loading certificate hashes manually into the Intel ME BIOS, a USB memory stick can be used. Create a setup.bin file via USBFile.exe, which is part of the Intel AMT SDK:

USBFile.exe -create setup.bin admin <new-password> -consume 0 -amt 
            -kvm 1 -oHash 1 -oHash 0 -hash cca-ca.pem CCA-CA -prov 1

Copy setup.bin to a USB memory stick and boot the AMT client from it.
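As an added example that is not part of the original notes, this PowerShell reads the CA certificate that the -hash option loads (cca-ca.pem above) and prints its SHA-1 thumbprint and SHA-256 hash, so the hash the MEBx displays after consuming setup.bin can be checked against the CA you actually intended the clients to trust. The PEM path is an assumption.

```powershell
# Added example, not from the original notes. Decodes a PEM CA certificate and
# reports the hashes of its DER encoding, which is what the AMT firmware stores.

function Get-CaCertificateHash {
    param([Parameter(Mandatory)][string]$PemPath)

    # Extract the first PEM certificate block and decode it to DER bytes.
    $pem     = Get-Content -Path $PemPath -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(?<body>[\s\S]+?)-----END CERTIFICATE-----'
    if ($pem -notmatch $pattern) { throw "No PEM certificate found in $PemPath" }
    $der  = [Convert]::FromBase64String(($Matches['body'] -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

    # Thumbprint is SHA-1 over the DER certificate; compute SHA-256 over the same bytes.
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($der)

    # A hash entry should point at a CA certificate; check the basic constraints.
    $isCa = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCa = $ext.CertificateAuthority
        }
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        IsCa       = $isCa
        NotAfter   = $cert.NotAfter
        Sha1       = $cert.Thumbprint
        Sha256     = ([BitConverter]::ToString($sha256) -replace '-', '')
    }
}

# Usage (path is an assumption):
# Get-CaCertificateHash -PemPath 'C:\certs\cca-ca.pem'
```

Compare whichever of the two hashes the firmware shows in its certificate hash list. The entry is meant to be a root CA, so IsCa and SelfSigned should both be true for the file you load; if the PEM turns out to be an intermediate or the server certificate itself, the clients will not trust the RCS server's certificate chain.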

Configuring Server

RCS needs to be configured to respond to Hello messages:

  • Configure Tools->Support configuration trigger by Hello messages
    • Enable
    • Point at ConfigAMT.bat
    • Add RCSuser permissions for read and write to folder and contents

Note: The RCSuser must have write permission to the folder containing the scripts
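The PowerShell below is an added check, not part of the original notes: it confirms that the account RCS runs as has read and write access to the scripts folder and that the grant is inherited by the folder's contents, as the note above requires. Only ACEs that name the account directly are considered; group membership is not resolved and generic rights bits are not expanded, so a "missing" result can be a false alarm when the access comes via a group. The account name in the usage comment is an assumption; the folder is the one from the notes.

```powershell
# Added example, not from the original notes. Checks the scripts folder ACL
# for read and write access by the RCS service account.

function Test-ScriptFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,      # e.g. 'D:\RCS_Scripts'
        [Parameter(Mandatory)][string]$Account    # e.g. 'DOMAIN\RCSuser' (assumed name)
    )
    $needed  = [int][System.Security.AccessControl.FileSystemRights]'Read, Write'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid     = (New-Object System.Security.Principal.NTAccount -ArgumentList $Account).Translate($sidType).Value

    $objInherit = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $conInherit = [int][System.Security.AccessControl.InheritanceFlags]::ContainerInherit

    $acl      = Get-Acl -Path $Path
    $granted  = 0
    $denied   = 0
    $inherits = $false

    foreach ($rule in $acl.Access) {
        # Compare by SID so 'DOMAIN\RCSuser' and an already-resolved SID match.
        $ruleSid = $rule.IdentityReference.Translate($sidType).Value
        if ($ruleSid -ne $sid) { continue }
        $rights = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow') {
            $granted = $granted -bor $rights
            $flags = [int]$rule.InheritanceFlags
            # "Folder and contents" means the ACE applies to subfolders and files.
            if ((($flags -band $objInherit) -ne 0) -and (($flags -band $conInherit) -ne 0)) {
                $inherits = $true
            }
        } else {
            $denied = $denied -bor $rights
        }
    }
    # Deny ACEs win over Allow ACEs for the same bits.
    $effective = $granted -band (-bnot $denied)
    $missing   = $needed -band (-bnot $effective)
    [pscustomobject]@{
        Account            = $Account
        Sid                = $sid
        HasReadWrite       = ($missing -eq 0)
        MissingRights      = [System.Security.AccessControl.FileSystemRights]$missing
        InheritsToContents = $inherits
    }
}

# Usage (account name is an assumption; the folder is the one from the notes):
# Test-ScriptFolderAccess -Path 'D:\RCS_Scripts' -Account 'DOMAIN\RCSuser'
```

HasReadWrite false with InheritsToContents true usually means the grant was applied to the folder only; re-add the RCSuser permission with "This folder, subfolders and files" so ConfigAMT.vbs can write its log next to the script.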

Restart the RCSServer

AMT Profiles

The profile name is hard coded into ConfigAMT.vbs so ensure you create the profile with the same name!

  • Optional Settings
    • Access Control List (ACL)
    • Transport Layer Security (TLS)
  • AD Integration
    • Active Directory OU: OU=Out of Band Management Controllers,….
  • Access Control List
    • Appropriate AD groups
  • Transport Layer Security
    • Certificate Authority: <your AD CCA>
    • Server Certificate Template: AMTTemplate
    • Common Names (CNs) in certificate: Default CNs
  • System Settings
    • Web UI, Serial Over LAN, IDE Redirection, KVM Redirection
    • KVM Settings: User consent required
    • System power states: Always On
    • ME BIOS Extension password: <AMT password>
    • Use following password for all systems: <AMT Password>
    • Select Enable Intel AMT to respond to ping requests
    • Disable Fast Call
    • IP and FQDN settings:
      • Use Primary DNS FQDN
      • Device and OS will have same FQDN
      • Get IP from DHCP server
      • Do not update DNS

Pre-shared Key Provisioning

Older versions of AMT (e.g. v2.0) don’t support Enterprise PKI mode and need to be provisioned via PSK instead.

Plan A:

Use ACUConfig.exe to create the pre-shared key:

ACUConfig.exe CreatePSK <RCS Address> /NewMEBxPass <new password> 
              /CurrentMEBxPass <current password> /UsingDHCP

Plan B:

(Note: ACUConfig.exe didn’t work… trying USBFile.exe next…)

USBFile.exe -create psk.bin <oldPassword> <newPassword> -v 1 -dhcp 1
            -ztc 0 -rpsk -consume 0 -psadd <RCS address> -pspo 9971

Import the keys into the RCS Server:

  • Start the SCS Console
  • Tools->Import PSK Keys from File…
  • Select above psk.bin file
