vPro Series of Posts
- Intel vPro – The Basics of vPro
- Intel vPro – Configuration – Part 1 – Architecture Overview
- Intel vPro – Configuration – Part 2 – PKI Installation
- Intel vPro – Configuration – Part 3 – PKI Configuration
- Intel vPro – Configuration – Part 4 – Install and Configure Intel SCS
- Intel vPro – Configuration – Part 5 – Configure Active Directory
- Intel vPro – Configuration – Part 6 – Basic SCS Profile
- Intel vPro – Configuration – Part 7 – Provisioning Your First System
- Intel vPro – Configuration – Part 8 – Adding Kerberos
- Intel vPro – Configuration – Part 9 – Adding TLS
TLS: The Final Frontier. Here’s how it goes!
- Configuring a SCS Profile for TLS
- Reconfigure the AMT Device
- Try it out!
- Troubleshooting Options
Configuring a SCS Profile for TLS
- Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
- On the ‘Getting Started’ screen, enter ‘rconfig-dhcp-kerb-tls’ for the name, and then click ‘Next’.
- On the ‘Optional Settings’ screen, select the following check boxes, and click ‘Next’.
  - Active Directory Integration
  - Access Control List (ACL)
  - Transport Layer Security (TLS)
- On the ‘AD Integration’ screen, click ‘…’ and select the OU where AMT objects will be stored. The SCS server must have full permissions on this OU. When finished, click ‘Next’.
- On the ‘Access Control List’ screen, click ‘Add’, and add an Active Directory user or group account.
- On the ‘User/Group Details’ screen, switch the “Access Type” to “Both”, and check all checkboxes except “Access Monitor”. Then, click OK to save.
- On the ‘Transport Layer Security’ screen, choose your vPro SHA1 CA from the CA drop-down box, then choose the certificate template named “AMTTLSCertificates”, then click ‘Next’.
- On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT system. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
- Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
- Click the ‘set’ button next to the label ‘Edit IP and settings’.
- On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
- Under the IP frame, choose ‘Get the IP from the DHCP server’.
- Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
- On the ‘Finish’ screen, click ‘Finish’.
Reconfigure the AMT Device
The process for this is the same as the process in the previous blog post.
- Log in to the target AMT system.
- Open a command prompt and navigate to C:\Temp\vPro.
- Run the following command:
acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>
You should see no errors.
Try it out!
First, try the WebUI in IE at https://amt-system.yourdomain.com:16993. Note that the protocol is ‘https’ and the port number is 16993. Next, try VNC+. Choose ‘TLS’ from the drop-down box labeled ‘Encryption’. Lastly, try Manageability Commander.
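If the WebUI does not load over https, it helps to look at the certificate the AMT system actually presents on port 16993. The PowerShell function below is an added example, not part of the original post or of Intel's tooling: `Get-AmtTlsCertificate` is a hypothetical name, the host name is this post's placeholder, and it assumes the machine running it already trusts the vPro CA.

```powershell
# Added example: Get-AmtTlsCertificate is a hypothetical helper name.
function Get-AmtTlsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,  # FQDN the profile registered in DNS
        [int] $Port = 16993                     # AMT TLS port used in this post
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Fqdn, $Port)
        # Accept any certificate during the handshake so that a bad one can
        # still be inspected; trust is evaluated explicitly further down.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($Fqdn)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $protocol = $ssl.SslProtocol
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }

    # Build the chain against this machine's Windows trust stores.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'  # assumption: CRL checks are tested separately
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        NotAfter           = $cert.NotAfter
        Protocol           = $protocol
        NameMatches        = ($cert.GetNameInfo('DnsName', $false) -eq $Fqdn)
        ChainTrusted       = $trusted
        ChainErrors        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# amt-system.yourdomain.com is the placeholder host name from this post.
Get-AmtTlsCertificate -Fqdn 'amt-system.yourdomain.com'
```

When `ChainTrusted` is `False`, `ChainErrors` gives the reason, for example an untrusted root if the machine running the check does not trust the vPro CA.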
Troubleshooting Options
- If provisioning fails, you can try adding the /verbose switch to acuconfig. This might give you more information.
- For Manageability Commander, you can choose ‘help’ -> ‘show debug info’. This can be very useful.
- For any applications using the Intel DLLs, you can enable debug mode like in the last blog post’s troubleshooting section.
And there you have it! vPro with Kerberos and TLS. The next blog post will focus on polishing everything a bit and adding some automation.