Intel AMT: Part 2 – Remote Configuration Service (RCS)

Remote Configuration Service (RCS)

Following on from the overview of Intel AMT, this is a transcript of the notes I took when configuring our RCS server…

RCS can be used in either database mode or non-database mode. Database mode gives access to a greater array of AMT functions; however, it requires one of:

  • Microsoft SQL Server 2008 Enterprise (x32/x64)
  • Microsoft SQL server 2008 R2 Enterprise (x64)
  • Microsoft SQL server 2005 Enterprise (x32)

Our provisioning server is currently Microsoft SQL Server 2005 Standard, which RCS will apparently not work with, so, sadly, we have to use non-database mode for the time being.

Installing RCS

If you are upgrading a previous version of RCS:

  • Back up the existing configuration data; the included migration tool may assist, but in our case it couldn’t find any of the configuration data!
  • Back up VBScript: D:\RCS_Scripts\ConfigAMT.bat and D:\RCS_Scripts\ConfigAMT.vbs

Follow RCS installation instructions!

You probably don’t want to be running RCS as the domain administrator:

  • Create a domain user (RCSuser) to run RCS as
  • Assign Full control to the OU in the Active Directory to be used by RCS to hold AMT computer objects

Logs can be found in:

  • C:\ProgramData\Intel_Corporation\RCSConfServer
  • D:\RCS_Scripts (Location of ConfigAMT.vbs script)

The user running the RCS server requires the following permissions:

  • Issue and Manage Certificates
  • Request Certificates
  • Read and Enroll (for Enterprise CAs only)
  • In the CA: right-click the CA and select Properties
    • Policy Module->Properties
      • Ensure Follow settings in certificate template is selected
    • Security
      • Add RCSuser with Issue and Manage Certificates and Request Certificates

You now need to create the certificate for the server and the template for the AMT clients.

Client Certificates

Certificate Template

To create the client certificate template:

  • Run the Certificate Templates MMC snap-in
  • Select User Template from the right pane
  • Duplicate the template; important: you must select Windows Server 2003 Enterprise
    • Enter template name
    • Enter validity period (10 years?)
    • Select publish certificate in Active Directory
    • Request Handling->CSPs
      • Select Microsoft Strong Cryptographic Provider
    • Subject Name tab
      • Select Supply in the request
    • Security tab
      • Add RCSuser with Read and Enroll permissions
    • Extensions tab
      • Application Policies: Server Authentication
  • Template properties->Issuance Requirements
    • Ensure CA certificate manager approval is not selected

Adding the template:

  • Run the Certificate Authority MMC snap-in
  • Certificate Templates->New->Certificate Template to issue
  • Select the created template
  • Restart the CA

Assigning the template

The certificate template is then used in the TLS Server Certificate Template settings in the AMT profile. The Default CNs setting can be used or changed as necessary.

Server Certificate

Create Certificate Template

To create the server certificate template:

  • In Certificate Template MMC snap-in
  • Duplicate the Computer Template
  • Select Windows Server 2003 Enterprise
    • Enter name
    • Enter Validity period: 10 years?
    • Extensions tab
      • Application Policies: Server Authentication and AMT Provisioning
    • Subject Name tab
      • Select Supply in the request
    • Request Handling tab
      • Select Allow private key to be exported

Adding the template:

  • Run the Certificate Authority MMC snap-in
  • Certificate Templates->New->Certificate Template to issue
  • Select the created template
  • Restart the CA

Create the Certificate

The Intel AMT documentation uses IE to create a certificate from the URL http://ca-srv/certsrv, but we don’t have this virtual directory in IIS on our CA, so we have to do it via the MMC:

  • Use the Certificates MMC snap-in and connect as Computer account:
  • In the Personal certificate store Request new certificate
  • Select AMT RCS Server template
  • Set Subject name to Common name => FQDN of server
  • Select Enroll
  • Export the certificate to .pfx including the private key

Validity Period

If, after creating the certificate, you only get a two-year validity period, remember that the validity period of an issued certificate is the lowest of:

1. The lifetime remaining on the issuing CA’s certificate.

2. The value in the certificate template (not applicable in your case).

3. The CA’s ValidityPeriod registry entries.

To view the registry settings:

certutil -getreg ca\validityperiod
certutil -getreg ca\validityperiodunits

To change the setting (the CA must be restarted after the change):

certutil -setreg ca\validityperiodunits 10

Install the Certificate

Install the certificate in the RCSuser’s personal certificate store:

  • Run mmc as the RCSuser
  • Add the Certificates snap-in
  • Select Personal certificate store
  • Import the .pfx file

Restart the RCSServer

Configuring Client PKI

Setup.bin versions

You need to create the correct version of the Setup.bin file otherwise AMT will ignore it. It’s been hard to find a definitive list of which version of the file goes with which version of AMT, but from our machines it appears to be the following:

  • V1 – AMT prior to 3.0
  • V2 – AMT 3.0 or higher
  • V3 – AMT 6.0
  • V4 – AMT 7.0

To avoid loading certificate hashes manually into the Intel ME BIOS, a USB memory stick can be used instead. Create a setup.bin file via USBFile.exe, which is part of the Intel AMT SDK:

USBFile.exe -create setup.bin admin <new-password> -consume 0 -amt 
            -kvm 1 -oHash 1 -oHash 0 -hash cca-ca.pem CCA-CA -prov 1

Copy setup.bin to a USB memory stick and boot the AMT client from it.

Configuring Server

RCS needs to be configured to respond to Hello messages:

  • Configure Tools->Support configuration trigger by Hello messages
    • Enable
    • Point at ConfigAMT.bat
    • Add RCSuser permissions for read and write to folder and contents

Note: The RCSuser must have write permission to the folder containing the scripts

Restart the RCSServer

AMT Profiles

The profile name is hard coded into ConfigAMT.vbs so ensure you create the profile with the same name!

  • Optional Settings
    • Access Control List (ACL)
    • Transport Layer Security (TLS)
  • AD Integration
    • Active Directory OU: OU=Out of Band Management Controllers,….
  • Access Control List
    • Appropriate AD groups
  • Transport Layer Security
    • Certificate Authority: <your AD CCA>
    • Server Certificate Template: AMTTemplate
    • Common Names (CNs) in certificate: Default CNs
  • System Settings
    • Web UI, Serial Over LAN, IDE Redirection, KVM Redirection
    • KVM Settings: User consent required
    • System power states: Always On
    • ME BIOS Extension password: <AMT password>
    • Use following password for all systems: <AMT Password>
    • Select Enable Intel AMT to respond to ping requests
    • Disable Fast Call
    • IP and FQDN settings:
      • Use Primary DNS FQDN
      • Device and OS will have same FQDN
      • Get IP from DHCP server
      • Do not update DNS

Pre-shared Key Provisioning

Older versions of AMT (e.g. v2.0) don’t support Enterprise PKI mode and need to be provisioned via PSK instead.

Plan A:

Use ACUConfig.exe to create the pre-shared key:

ACUConfig.exe CreatePSK <RCS Address> /NewMEBxPass <new password> 
              /CurrentMEBxPass <current password> /UsingDHCP

Plan B:

(Note: ACUConfig.exe didn’t work… trying USBFile.exe next…)

USBFile.exe -create psk.bin <oldPassword> <newPassword> -v 1 -dhcp 1
            -ztc 0 -rpsk -consume 0 -psadd <RCS address> -pspo 9971

Import the keys into the RCS Server:

  • Start the SCS Console
  • Tools->Import PSK Keys from File…
  • Select above psk.bin file

Intel AMT

Background

Having managed to get Intel AMT up and running a year or so ago, we found we’d pretty much forgotten how to configure it in Enterprise mode. Since our new machines were coming with AMT 7 we thought we’d revisit the technology. Having found a lot of people struggling to get AMT up and running, we thought we’d share our findings in case they proved useful.

Overview of Intel AMT

Intel Active Management Technology (Intel AMT) is part of vPro and essentially allows out-of-band monitoring and management of hardware even when the machine is powered down. See the appropriate Intel AMT and Intel Setup & Configuration Software (SCS) documentation for more detailed information on the full capabilities.

Configuration Modes

There are several methods for configuring and operating Intel AMT:

  • Manual Mode – The configuration is carried out locally via the Intel ME section of the BIOS.
  • Host Based – The configuration is carried out locally on the machine under Windows by running the installed configuration tool.
  • Small Medium Business (SMB) Mode – The configuration is carried out via a USB memory stick containing setup.bin created via the configuration tool.
  • Enterprise Mode using PKI – This uses the Remote Configuration Service (RCS) component of the Intel Setup & Configuration Software (SCS).

Manual

This is the easiest way to get AMT up and running. Simply configure the AMT settings via Local Provisioning in the Intel ME section of the BIOS.

  • Configure hostname
  • Set network to DHCP/static
  • You may need to turn on Legacy SMB Support (See this article)

Host Based

This mode requires Windows: run the Intel SCS Configuration Tool and select Configure/Unconfigure this system.

Small Medium Business (SMB) Mode

Use the Intel SCS Configuration Tool to create a USB memory stick with setup.bin, then boot the machines off the memory stick.

Enterprise Mode using PKI

Enterprise mode allows automatic remote provisioning via the Remote Configuration Service (RCS) provisioning server, provided as part of the Intel SCS (Setup and Configuration Software). This mode is a little fiddly to get going, but the real reason to use it over the previous methods is that AMT traffic uses SSL rather than plain HTTP, so the encryption protects the authentication credentials and the AMT payload traffic.

This mode ideally requires write access to the Active Directory in order to create machine objects for the AMT host and access to a Microsoft Certificate Authority to create certificates for each AMT host.

The RCS server needs to be configured with a signed certificate, either from a commercial CA (a number of whose certificate hashes are in the Intel ME BIOS by default) or from a self-signed CA. Ours is generated from the CA on SMS-1; this allows the clients to verify the authenticity of the server.

If you opt to use self-signed certificates, the hash of the CA certificate needs to be loaded into the User Certificate section of the Intel ME BIOS. This can be done by hand but is time consuming, especially if you need to do more than a couple of machines. The best way to quickly configure a large number of machines is to create a USB memory stick with the appropriate certificate hash via USBFile.exe from the Intel AMT SDK.

A user-configured script can also be assigned to the server in order to determine the appropriate AMT configuration profile to assign to a host when it requests configuration. Ours essentially looks up the UUID in the Active Directory in order to determine the hostname. This requires machines to exist in the Active Directory beforehand, but since all our hosts are either pre-staged or created via WDS this isn’t a problem for us.

A basic overview of the process follows below:

  • The AMT client sends Hello packets to provisionserver.<domain>
  • Various parameters (UUID, IP address etc.) from the calling host are passed to the configuration script
  • The script looks up the host from these parameters and determines the profile to apply
  • The script performs a WMI call to ConfigAMT(….)
  • The RCS server creates an AMT computer object in a specified Active Directory OU
  • The Certificate Authority issues a signed certificate for the client
  • The AMT configuration profile is sent to the client

See Part 2 for details on configuring the Remote Configuration Service.

Using AMT

Via Web Browser

For manual or SMB mode:

http://<fqdn>:16992/

For Enterprise mode:

https://<fqdn>:16993/
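As an added check that is not part of the original notes: a small Python script that connects to the Enterprise-mode port 16993, verifies the chain against your CA, and confirms the issued certificate looks as the profile intended, including catching the two-year validity problem described under Validity Period. The host name, CA file name and the sample certificate dictionary are constructed assumptions, not values from the notes.

```python
import socket
import ssl
from datetime import datetime, timezone

AMT_TLS_PORT = 16993  # Enterprise-mode AMT port from the notes above

# Constructed sample (not a real host) in the shape ssl.getpeercert() returns: a two-year cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "amt-host01.example.local"),),),
    "issuer": ((("commonName", "Example Enterprise CA"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2022 GMT",
}

def common_name(name):
    """Extract commonName from the nested RDN tuples of a getpeercert() dict."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_amt_cert(cert, expected_fqdn, expected_issuer_cn, now=None, min_years=10):
    """Return a list of findings; an empty list means the cert matches the profile."""
    findings = []
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    subject_cn = common_name(cert.get("subject", ()))
    issuer_cn = common_name(cert.get("issuer", ()))
    if subject_cn != expected_fqdn:
        findings.append(f"subject CN {subject_cn!r} does not match {expected_fqdn!r}")
    if issuer_cn != expected_issuer_cn:
        findings.append(f"issuer CN {issuer_cn!r} is not the expected CA")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        findings.append("certificate is outside its validity window")
    lifetime_years = (not_after - not_before) / (365.25 * 86400)
    if lifetime_years < min_years - 0.1:  # tolerance for leap days
        findings.append(f"validity is only {lifetime_years:.1f} years; "
                        "check the CA lifetime and certutil ValidityPeriod")
    return findings

def fetch_amt_cert(fqdn, ca_file, port=AMT_TLS_PORT, timeout=5):
    """Connect to the AMT TLS port, verify the chain against ca_file, return the peer cert."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain and host name
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()
```

Run `check_amt_cert(fetch_amt_cert(fqdn, "ca.pem"), fqdn, "<your CA CN>")` against a freshly provisioned host; an empty list means the subject, issuer and ten-year validity all came out as the template specified.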

Via Linux Tools

  • amttool
  • amtterm
  • gamt

You need to set AMT_PASSWORD environment variable to the AMT admin password.

For Enterprise mode:

amttool <fqdn>:16993 <command>

Via RealVNC viewer

RealVNC viewer plus has support for accessing the AMT onboard KVM for remote diagnosis.

Musings on a Raspberry Pi

Well, after ordering one back in April it finally arrived on Saturday. After waiting 10 weeks I’d nearly forgotten why I’d wanted one in the first place! However, my enthusiasm to play with it hadn’t waned, and with much gusto I set about connecting my collection of accessories I’d amassed over my wait for its arrival.

Having faced compatibility issues with random devices at work over the years, I decided to buy from the list of compatible peripherals to avoid any potential issues. Here’s my list:

  • Logitech MK260 Keyboard
  • Duronic 1000mA USB Adapter
  • Micro USB Cable
  • 8GB SDHC Card
  • HDMI Cable
  • Tenda Wireless-N150 USB Adapter
  • New Link 4 Port USB Powered Hub
  • Case from ModMyPi

I’d already written Debian (debian6-19-04-2012) to the SD card in anticipation of the R-Pi arriving, so I was all set to power the beast up.

Things to note:

  1. The USB Hub will back feed the R-Pi – This probably isn’t a good thing so I power the board first then connect the hub.
  2. The Tenda USB wireless adapter needs:
    • apt-get install firmware-ralink
  3. After starting X the display started to randomly blank. Starting Scratch caused it to blank totally! This may have been caused by the length (2m) of my HDMI cable. Adding the following to /boot/config.txt seemed to fix the problem:
    • config_hdmi_boost = 2
  4. By default sound is disabled as the drivers are still experimental:
    • apt-get install alsa-utils
    • modprobe snd_bcm2835
    • Add snd_bcm2835 to /etc/modules to load the module on boot
  5. I get random key repeats or missing characters sometimes. This may be due to:
    1. Not enough power to the USB receiver, although from the powered hub it should be OK.
    2. Interference between wireless and keyboard adapter.

Need to do further experimentation with the keyboard issue; unfortunately I don’t have a wired USB keyboard to try, but comments by various people on forums seem to indicate that a wired keyboard will most likely work fine.