Note: This document complements guidance on page 32 of the McAfee ePO Deep Command Product Guide
Communications between McAfee ePO Deep Command and Intel® AMT require a TLS session to be established. During the configuration process of Intel AMT, a TLS WebServer certificate is applied into the firmware of the target client system. The public root and intermediate certificates must be known by the requesting application, in this case ePO Deep Command, to complete the connection.
Understanding what certificates are needed and where those certificates should be placed is important to the success of using ePO Deep Command. This article provides an example and explains the core principles to be understood.
The information applies to ePO Deep Command version 1.5 or higher. The PEM file defining the certificate chain and McAfee KVM Viewer references are not supported with ePO Deep Command version 1.0.
The error is commonly due to missing or incorrect certificates known by the server hosting McAfee ePO. The main steps to resolve this error include:
The changes and steps are necessary for TLS communication to work correctly. Imported certificates can be removed or updated as needed.
One method to determine what certificates apply to a configured Intel AMT system is to open the Intel AMT WebUI. This is done by opening a web browser to the FQDN of the client on port 16993 using the following format: https://FQDN:16993
The example below shows the Intel AMT WebUI login page, with a security lock to the right of the address. Click on the security lock, select View Certificates, and select the Certificate Path tab similar to the example.
The above example shows the public certificates in the chain, namely:
The issued or leaf certificate is for the client: HP8460p.ent.vprodemo.com
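The same check can be scripted from the server hosting McAfee ePO. As an added example (not code from the article, McAfee or Intel), the following PowerShell connects to the Intel AMT WebUI port, lists the certificate chain the firmware presents, and reports whether the Local Computer certificate stores can validate it; the FQDN is the article's example client, and the script and function names are assumptions.

```powershell
# Added example, not from the article: connect to the Intel AMT WebUI port and report the
# certificate chain it presents, then check whether this server's certificate stores can
# validate that chain. $AmtFqdn is an assumed value taken from the article's example.
param([string]$AmtFqdn = 'HP8460p.ent.vprodemo.com', [int]$Port = 16993)

function Get-AmtTlsChainReport {
    param([string]$Fqdn, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    $ssl = $null
    try {
        # Accept whatever the firmware presents during the handshake; validation is done below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # X509Chain consults the same Trusted Root and Intermediate stores that ePO Deep Command relies on.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # focus on missing roots/intermediates, not CRLs
    $valid = $chain.Build($leaf)

    "Leaf certificate : $($leaf.Subject)"
    "Chain as built   :"
    $chain.ChainElements | ForEach-Object {
        "  $($_.Certificate.Subject)  <- issued by  $($_.Certificate.Issuer)"
    }
    if ($valid) {
        'Result: chain validates against the Local Computer certificate stores.'
    } else {
        # PartialChain or UntrustedRoot here means a root or intermediate still needs importing.
        'Result: chain does NOT validate; status flags:'
        $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
    }
}

Get-AmtTlsChainReport -Fqdn $AmtFqdn -Port $Port
```

A PartialChain or UntrustedRoot status points directly at the certificate that must still be imported into the Trusted Root or Intermediate store, as described in the following sections.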
If the Intel AMT WebUI has been disabled within your environment, an internal discussion with your peers who configured Intel AMT is required. The focus of the discussion is to determine what certificate authorities and associated public certificates are used in connection with the Intel AMT configuration settings.
In a Microsoft Enterprise Certificate Authority infrastructure with Active Directory integration, the root and intermediate are automatically replicated to all domain servers.
In the example below, the Trusted Root Certificate store of the Local Computer has DC1.vprodemo.com.
Similarly, the Intermediate Certificate store has PKI-ACS.vprodemo.com and DC2.ent.vprodemo.com.
By double clicking on the DC2.ent.vprodemo.com certificate and viewing the Certification Path, the intermediate to root certificate chain is shown as complete.
Common reasons for your environment to not show the certificate chain are that not all servers are joined to a single Microsoft Active Directory domain, or that you are using a Standalone Microsoft Certificate Authority. Certificates created by a standalone CA will not be replicated through the Microsoft Active Directory infrastructure.
If a root or intermediate public certificate is missing from your local computer store, you will need to export and import each root and intermediate certificate associated with Intel AMT. For convenience and re-use in a later section of the article, export the certificates in Base64 format.
When viewing a certificate, select the Detail tab and click the Copy to File button.
When prompted for an Export File Format, select Base-64 encoded X.509 (.CER).
Save the file to a location of your choice.
To import, right click on the target certificate store. Select All Tasks > Import.
Start with the root certificate followed by intermediate certificates as shown in the original order. Validate the certificate chain similar to the previous example, ensuring an unbroken chain from lowest intermediate to root certificate.
The above steps will resolve TLS communications for all ePO Deep Command operations except Serial-over-LAN and Boot\Reboot from Image.
The AMTservice.log will show errors similar to the following, with the specific error in bold.
When attempting to open a Serial-over-LAN (SoL) session:
When attempting to start a Boot\Reboot from Image:
The reason for this error is the Intel AMT Credentials settings within the McAfee ePO Console. These specific operations of Serial-over-LAN and Boot\Reboot to Image do not utilize the Microsoft Certificate store. The certificate chain must be defined within the McAfee ePO Console under Configuration > Server Settings > Intel AMT Credentials.
In the example below, the Intel AMT Credentials setting shows only the root certificate (DC1.vprodemo.com). This certificate was obtained by exporting the .CER file in Base-64 format as explained earlier, and then imported here. This approach would be sufficient if the certificate chain included only the root certificate, a very common scenario when using a Standalone CA.
Note: ePO Deep Command version 1 allowed only one certificate to be imported into the Intel AMT Credentials settings. If your environment has a certificate chain, upgrading to ePO Deep Command version 1.5 is recommended. (Targeted for late September 2012 release)
In the previous examples of this article, a root and two intermediate certificates are part of the chain. Only a single certificate or chain can be selected when importing to Intel AMT credentials in the McAfee ePO Console. To define the chain in a single file for import, a PEM file must be created.
The PEM file is simply a concatenation of the certificates starting from the root to the intermediate certificates in a top-down order. To create the PEM file, first export each certificate in Base-64 format. Open each certificate file via Notepad. Copy and paste the complete contents similar to the following example:
A brief explanation of the above image:
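The same concatenation can be done from PowerShell on the server hosting McAfee ePO. As an added example that is not part of the original article, the following script reads the root and intermediate certificates from the Local Computer stores, orders them root first with each intermediate following its issuer, writes each in the same Base-64 form the .CER export produces, and saves the result as a single PEM file; the root subject name comes from the article's example, while the output path and function names are assumptions.

```powershell
# Added example, not from the article: build the PEM file that the Intel AMT Credentials
# setting expects, from certificates already imported into the Local Computer stores.
# $RootSubject is the article's example root; $OutFile is an assumed path.
param(
    [string]$RootSubject = 'DC1.vprodemo.com',
    [string]$OutFile = "$env:TEMP\amt-chain.pem"
)

function ConvertTo-PemBlock {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Same content as the MMC "Base-64 encoded X.509 (.CER)" export: DER bytes, Base-64, 64-char lines.
    $b64 = [regex]::Replace([Convert]::ToBase64String($Cert.RawData), '.{64}', "`$0`r`n").TrimEnd()
    return "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
}

function Get-OrderedChain {
    param([string]$RootSubject)
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match [regex]::Escape($RootSubject) } | Select-Object -First 1
    if (-not $root) { throw "Root certificate '$RootSubject' not found in the Trusted Root store" }
    $intermediates = Get-ChildItem Cert:\LocalMachine\CA
    $chain = @($root)
    $current = $root
    # Walk top-down: the next link is the intermediate whose Issuer equals the current Subject.
    while ($true) {
        $next = $intermediates |
            Where-Object { $_.Issuer -eq $current.Subject -and $_.Subject -ne $current.Subject } |
            Select-Object -First 1
        if (-not $next) { break }
        $chain += $next
        $current = $next
    }
    return $chain
}

$ordered = Get-OrderedChain -RootSubject $RootSubject
$pem = ($ordered | ForEach-Object { ConvertTo-PemBlock $_ }) -join ''
# Write plain ASCII: a UTF-8 BOM or UTF-16 output would not be readable as a PEM file.
[System.IO.File]::WriteAllText($OutFile, $pem, [System.Text.Encoding]::ASCII)

"Wrote $($ordered.Count) certificate(s) to $OutFile, root first:"
$ordered | ForEach-Object { "  $($_.Subject)  issued by  $($_.Issuer)" }
```

If the printed list stops before the lowest intermediate, that intermediate is missing from the Intermediate Certificate store and must be imported first; the file written is only as complete as the stores it reads.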
Using the created PEM file, import into Intel AMT Credentials within the McAfee ePO Console. The Trusted Root Certificates will show the chain from lowest to highest. The Trusted Root Certificate option in blue is the current active selection.
In the example below, the final step is to select the second option and “Activate”.
The desired operations for Serial-over-LAN and Boot\Reboot from Image will now function correctly.
The McAfee KVM Viewer, introduced with ePO Deep Command version 1.5, also utilizes a PEM file to complete the TLS session connection. The McAfee KVM Viewer application can be started on a system separate from the McAfee ePO Console server. When first started on the system, the McAfee KVM Viewer will generate a PEM file based on the root and intermediate certificates already in the Local Computer certificate store for that particular system.
Shown below, the McAfee KVM Viewer application is initializing. At the bottom of the image the output reads “Generating trusted Root certificate file…”. The resulting PEM file is stored in c:\ProgramData\McAfee\McAfee KVM Viewer. This is the file path for Microsoft Windows 2008 Server and Microsoft Windows 7 clients.
Ensure the desired root and intermediate public certificates are already in the Local Computer Certificate store before starting the McAfee KVM Viewer. If this is not the case at the first initialization, import the required certificates, delete or rename the KVMcerts.PEM file as shown, and start the McAfee KVM Viewer. The initialization process will recreate the PEM file used for this application.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries