McAfee Deep Command Installation Guide - Step 2

Version 4

    Configure Certificates for Intel AMT

    Intel AMT configuration is a process that involves server components and client components. Before the client components can be deployed, the server components must be configured. The process for installing and configuring these server components and certificates is detailed below as a sequence of tasks.

     

    Task: Create AMT Configuration Service Account

    Create a new account in Microsoft Active Directory. This account will be used to run the Intel Remote Configuration Service (RCS) on the server, to interact with the Microsoft Certificate Authority, and can be used by the Intel AMT configurator (ACUconfig.exe) during AMT configuration events on the client. Since this is a service account, be sure to use a strong password. Set the account properties such that the user cannot change the password and the password never expires.

     

    Note: This account does not need domain admin rights. Standard user privileges in addition to the privileges specified in this document are sufficient.

     

    On a server with Administrative Tools for your domain, launch Active Directory Users and Computers and create a new account.

    step3a01.png

     

    Make this service account a local administrator on the server that will run the Intel Remote Configuration Service (RCS). In this example, the server running ePO Console is also running Intel RCS.

     

    Log in to the server and launch Server Manager. Expand Configuration > Local Users and Groups. Right-click Administrators and select Add to Group.

    step3a02.png

     

    Click Add and then select your service account. Click OK to finish the process.

    step3a05.png

    The service account is now created. Additional privileges will be granted to this account later in the document.

     

     

    Task: Export the public root certificate from your Microsoft Certificate Authority

    If you do not have a Microsoft Certificate Authority with Web Enrollment enabled in your environment, please see McAfee Deep Command Installation Guide Appendix A.

     

    The public root certificate for your Microsoft Certificate Authority must be installed on all server components used by McAfee Deep Command and must also be checked in to McAfee ePO. Use the following task to export the public root certificate from the Microsoft Certificate Authority.

     

    Log in to your Microsoft Certificate Authority server. Launch the Server Manager and expand Roles > Active Directory Certificate Services. Right-click your Certificate Authority (RootCA in this example) and select Properties.

    step3b16.png

     

    Select the General tab. Select your certificate (Certificate #0 in this example) and click View Certificate.

    step3b17.png

     

    Select the Details tab. Then click Copy to File to start the certificate export process.

    step3b18.png

     

    You will see the Certificate Export Wizard. Click Next to proceed.

     

    In the Export File Format screen, select Base-64 encoded X.509 (.CER). Then click Next to proceed.

    step3b20.png

     

    In the Files to Export screen, select a destination for the file. Then click Next to proceed.

    step3b21.png

     

    In the Completing the Certificate Export Wizard, simply click Finish to complete the process. This certificate will be checked into ePO in Step 4 of this guide.

     

    Note: Domain services will replicate this root certificate to all servers that are members of the domain. If your McAfee ePO server or Agent Handlers are not members of a domain, then you must manually install the root certificate. See Appendix B for instructions on how to manually install the root certificate.

     

     

    Task: Grant Service Account Privileges to Microsoft Certificate Authority

    The final steps of configuring the Microsoft Certificate Authority for use with Intel RCS are to grant your service account the specific privileges it needs to interact with the Microsoft Certificate Authority. These privileges allow the service account to distribute TLS certificates to Intel AMT clients during configuration.


    Log in to your Microsoft Certificate Authority server. Launch Server Manager and expand Roles > Active Directory Certificate Services. Select Certificate Templates, then right-click Web Server and select Properties.

    step3b25d.png

     

    In the Web Server Properties screen, select the Security tab. Then click Add to add your service account. With your service account highlighted, grant both Read and Enroll privileges. Click Apply to complete the process.

    step3b25e.png

     

    Right-click your Certificate Authority (RootCA in this example) and select Properties.

    step3b16.png

     

    In the Security tab, click Add and add your service account. Grant the service account permissions to Request Certificates and also to Issue and Manage Certificates.

    step3b25c.png

     

    The service account now has the ability to Request, Issue, and Manage WebServer certificates to all Intel AMT clients during configuration.

     

    Task: Get SSL Certificate for Remote Intel AMT Configuration

    An SSL certificate is used to establish initial trust between your AMT clients and Intel RCS when initiating client configuration. All AMT clients ship with root hashes for defined vendors (Verisign, GoDaddy, Comodo, Starfield, Entrust, Cybertrust, etc.) embedded in the firmware. Therefore, a certificate from one of these vendors is required to configure AMT clients. This single certificate is completely separate from the one-per-client TLS certificates that will be issued by your Microsoft Certificate Authority.


    Note: This SSL certificate is commonly referred to as the Remote Configuration Certificate.


    Getting the SSL certificate is a three step process:

    1. Create a certificate signing request.
    2. Complete the certificate request.
    3. Export the SSL certificate so that it can be used in Intel AMT configuration.

     

    To start the process, you need access to a server with IIS installed. You can use the Microsoft Certificate Authority server, since it already has IIS installed.


    Log in to a server with IIS installed. Launch Server Manager, expand Roles > Web Server (IIS) and select Internet Information Services (IIS) Manager. Select your server in the Connections column and open Server Certificates.

    step3c01.png

     

    In the Actions column, select Create Certificate Request.

    step3c02.png

     

    Complete the Certificate Request wizard. Be sure that the Common Name field includes the correct DNS suffix as defined by the DHCP option 15 value for your environment. This can be verified on clients by running ipconfig and looking at the connection-specific DNS suffix.

     

    Once the fields are completed similar to the example below, click Next to proceed.

    step3c03.png

    Note: The Organizational unit value must be set to Intel(R) Client Setup Certificate.

     

    In the Cryptographic Service Provider Properties screen, use the default values of Microsoft RSA SChannel Cryptographic Provider with Bit length of 1024. Click Next to proceed.

     

    Microsoft RSA 2048bit.png

    Note: The bit length can be 1024 or 2048. Most Certificate Authorities will prefer a 2048 bit length.

     

    In the File Name screen, give the certificate request a name and save it on the Desktop. Then click Next to proceed.

    step3c05.png

    The resulting file can be sent to an approved certificate authority, and they will provide a certificate response file.

     

    Note: For more information on valid Certificate Authorities, see http://communities.intel.com/docs/DOC-1277

     

    When the certificate authority provides a certificate response file, go back into IIS and select Complete Certificate Request.

    step3c06.png

     

    In the Certificate Authority Response screen, select the file that was provided by the external certificate authority. Give the certificate a friendly name (AMT Remote Configuration Certificate is used in this example). Click OK to proceed.

    step3c07.png

     

    The SSL certificate will now appear in IIS.

    step3c08.png

    Note: You must also have valid root and intermediate certificates from the external CA. If they are not already present on your system, contact your certificate authority.

     

    Double-click the certificate to open it and visually inspect it, ensuring the key properties and settings have been applied.

     

    The General tab will show the certificate is valid for specific purposes with a clear statement of “You have a private key that corresponds to this certificate”.

    step3c08b.png

     

    Select the Details tab. Select the Subject under the Field column. The CN value must show the expected DNS suffix, aligned with the DHCP option 15 value used within the environment. The OU value must show Intel(R) Client Setup Certificate.


    Note: The OU value may be different for certificates signed by Comodo. Comodo certificates use a specific OID value to designate an Intel(R) Client Setup Certificate.

    step3c08c.png

    Note: An additional validation step is to confirm the root certificate thumbprint hash value against a list of known root certificates stored within the Intel AMT firmware. If the previous two validation points are correct, the root certificate is commonly valid.

     

    Click OK to close the certificate. Close IIS to complete this process.
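    The same inspection can be scripted. The following PowerShell is an added example, not part of the McAfee or Intel guide: it locates the remote configuration certificate in the local machine Personal store by the friendly name used above, checks for a private key, the CN suffix, the OU string and a complete chain, and prints the root thumbprint for comparison with the hashes in the AMT firmware. The friendly name and DNS suffix are placeholders to adjust for your environment.

```powershell
# Added example (not from the McAfee/Intel guide): scripts the visual inspection of the
# remote configuration certificate. Assumes the certificate sits in LocalMachine\My under
# the guide's example friendly name; $ExpectedDnsSuffix is a hypothetical DHCP option 15 value.
param(
    [string]$FriendlyName      = 'AMT Remote Configuration Certificate',
    [string]$ExpectedDnsSuffix = 'vprodemo.com'    # hypothetical; use your own suffix
)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
if (-not $cert) { throw "Certificate '$FriendlyName' not found in LocalMachine\My" }

# Split the Subject DN into its attributes (CN=..., OU=..., O=...). Sufficient for the
# subject this guide prescribes; values containing commas would need a real DN parser.
$rdn = @{}
foreach ($part in ($cert.Subject -split ',\s*(?=[A-Za-z]+=)')) {
    $k, $v = $part -split '=', 2
    $rdn[$k.Trim()] = $v.Trim()
}

# Build the chain from the local stores (revocation is not what is being checked here).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)
$root    = if ($chain.ChainElements.Count) {
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate }

$now = Get-Date
$checks = [ordered]@{
    'Private key present'                     = $cert.HasPrivateKey
    'Currently valid'                         = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    "CN ends with $ExpectedDnsSuffix"         = ($rdn['CN'] -like "*$ExpectedDnsSuffix")
    'OU is Intel(R) Client Setup Certificate' = ($rdn['OU'] -eq 'Intel(R) Client Setup Certificate')
    'Chain builds to a self-signed root'      = ($chainOk -and $root -and $root.Subject -eq $root.Issuer)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
# Comodo-signed certificates carry an OID instead of the OU string, so an OU FAIL there
# is expected and must be confirmed by hand, as the guide notes.
# Compare this thumbprint against the root hashes embedded in the Intel AMT firmware.
if ($root) {
    'Root subject:          {0}' -f $root.Subject
    'Root SHA-1 thumbprint: {0}' -f $root.Thumbprint
}
if ($checks.Values -contains $false) { exit 1 }
```

    Run it in an elevated PowerShell session on the IIS server; a non-zero exit code means at least one of the properties the guide asks you to verify is not as expected.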

     

    Task: Export SSL Certificate for Remote Intel AMT Configuration

    The SSL certificate must now be exported so that it can be imported into the server where Intel RCS will be installed. In this document, Intel RCS will be installed on the same server as the McAfee ePO Console.

     

    To export the SSL certificate, launch MMC and add the certificates snap-in (choose Computer Account). Expand Certificates (Local Computer) > Personal and select Certificates. Then right-click on the certificate and choose All Tasks > Export.

    step3c08f.png


    Note: Do not export the certificate from IIS, as the full certificate chain may not be included.

     

    In the Export Private Key screen choose Yes, export the private key. Click Next to proceed.

    step3c08g.png

     

    In the Export File Format screen, select Personal Information Exchange – PKCS #12 (.PFX). Select the options ‘Include all certificates in the certification path if possible’ and ‘Export all extended properties’. Click Next to proceed.

    step3c08h.png

     

    In the Password screen, enter a strong password. Click Next to proceed.

    step3c08i.png

     

    In the Certificate Export Wizard screen, provide a path and file name for the resulting PFX file. In the example below, the file will be saved to the desktop of the server.

    step3c09.png

     

    In the Completing the Certificate Export Wizard, choose Finish to complete the process.

     

    Per the instructions provided thus far, you should have two certificates exported and ready for use. The first is the internal TLS public root certificate from your Microsoft Certificate Authority, shown below as rootcert.cer. The second is the remote configuration certificate (an SSL certificate from your external Certificate Authority) with all chain certificates, shown below as AMT_Configuration_cert.pfx.

    step3c10.png

     

     

    Task: Import SSL Certificate for Remote Intel AMT Configuration to User Certificate Store

    The remote configuration certificate must be installed in the correct user certificate store on the server that is running the Remote Configuration Service. In this example, that is the McAfee ePO server. The previously created service account will be used in this example.


    To ensure the certificate is placed in the correct personal certificate store, open Microsoft Management Console (MMC) using the following command:

    • runas /user:vprodemo\AMTConfigService mmc.exe

    step3c11.png

    Note: In this example our domain is vprodemo. Adjust the command according to your domain and environment.

     

    The user’s password can then be entered into the command window that appears.

     

    Add the certificates snap-in with “My user account” selected and click Finish to proceed.

    step3a06.png

     

    In the Microsoft Management Console, expand Certificates – Current User and select Personal. Then right-click and select All Tasks > Import.

    step3c13.png

     

    In the Welcome to the Certificate Import Wizard, click Next to proceed.

     

    In the File to Import screen, browse to the exported remote configuration certificate (AMT_configuration_cert.pfx in this example). Click Next to proceed.

    step3c15.png

    Note: If you don’t see the certificate, remember that you are running MMC as the service account. You may need to browse to another location (e.g. the desktop of your administrator’s account) to find the certificate.

     

    In the Password screen, enter the password and also select “Include all extended properties”.

     

    Note: The Enable Strong Private Key Protection option must not be selected. If it is selected and cannot be changed, check the group policy settings for the server.

     

    Click Next to proceed.

    step3c16.png

     

    In the Certificate Store screen, select ‘Automatically select the certificate store based on the type of certificate’. Then click Next to proceed.

    step3c17.png

     

    On the Completing the Certificate Import wizard, click Finish to proceed.

     

    The certificate will now appear in the certificate store.
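    The export and import tasks above can also be performed from PowerShell. The script below is an added example, not part of the McAfee or Intel guide: it exports the remote configuration certificate from the machine store with its full chain (the equivalent of ‘Include all certificates in the certification path if possible’), restricts who can read the PFX, and then runs the import in a session started as the service account so the certificate lands in that account's Current User Personal store. It assumes the PKI module (Windows Server 2012 or later); the friendly name, account and the folder under ProgramData are placeholders taken from or added to the guide's example.

```powershell
# Added example (not from the McAfee/Intel guide): export the remote configuration
# certificate with its chain, then import it into the service account's Current User
# store, the two tasks the guide performs through MMC. Requires the PKI module.
$FriendlyName = 'AMT Remote Configuration Certificate'   # from the guide's example
$ServiceUser  = 'vprodemo\AMTConfigService'              # from the guide's example
# Keep the PFX somewhere the service account can read (not the admin's desktop).
$PfxDir  = Join-Path $env:ProgramData 'AMTConfig'        # hypothetical path
$PfxPath = Join-Path $PfxDir 'AMT_Configuration_cert.pfx'
New-Item -ItemType Directory -Path $PfxDir -Force | Out-Null

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
if (-not $cert)               { throw "Certificate '$FriendlyName' not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'No private key: complete the CA response in IIS first' }

# Export from the machine store rather than IIS so the chain is included.
# -ChainOption BuildChain == "Include all certificates in the certification path if possible".
$pfxPassword = Read-Host -AsSecureString 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword `
    -ChainOption BuildChain | Out-Null

# The PFX holds the private key: let only Administrators and the service account read it.
$acl = Get-Acl $PfxPath
$acl.SetAccessRuleProtection($true, $false)      # drop inherited permissions
foreach ($id in @('BUILTIN\Administrators', $ServiceUser)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'Read', 'Allow')))
}
Set-Acl $PfxPath $acl

# The import must run *as the service account* so the certificate lands in that user's
# Personal store (Cert:\CurrentUser\My), the store RCS will use under this account.
$import = "Import-PfxCertificate -FilePath '$PfxPath' -CertStoreLocation Cert:\CurrentUser\My " +
          "-Password (Read-Host -AsSecureString 'PFX password') | " +
          "Format-List Subject, Thumbprint, HasPrivateKey; Read-Host 'Press Enter to close'"
Start-Process powershell.exe -Credential (Get-Credential $ServiceUser) -LoadUserProfile `
    -ArgumentList '-NoProfile', '-Command', $import -Wait
```

    The second window prompts for the PFX password under the service account and lists the imported certificate; confirm HasPrivateKey is True there, just as the MMC view above shows it.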

    step3c19.png

     

    You are now done with the SSL certificate. The trusted root certificate from your Microsoft CA (rootcert.cer) has been exported and will not be used until Step 4, where it will be checked in to ePO.

     

     

    More resources for installing McAfee Deep Command


    McAfee Deep Command Installation Guide Introduction

     

    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment
    Step 2: Configure Certificates for Intel AMT
    Step 3: Install Intel AMT and McAfee ePO Server Components

    Step 4: Configure Intel AMT Clients and Deploy McAfee Deep Command

     

    Appendix A: Installing Microsoft Certificate Authority with Web Enrollment

    Appendix B: Manually Importing the Microsoft Certificate Authority Root Certificate on McAfee ePO Server or Agent Handler

    Appendix C: McAfee Deep Command Setup Checklist