
How to Enable TLS Within Out of Band Management 7.0 After the Install 

May 13, 2009 06:47 PM

When implementing Out of Band Management 7.0, two major phases need to be considered: the initial setup and the rollout in an enterprise environment. If TLS (Transport Layer Security) is not selected in the profile as a management feature during the install, it must be enabled post-install before it can be used in the environment. Incorrectly configuring TLS can result in loss of connectivity to managed Intel AMT systems. This article describes how to enable TLS after the install has been completed with TLS disabled.

Introduction

This article provides a step-by-step process to enable TLS after Out of Band Management 7.x and Intel SCS 5.x have been implemented in the Notification Server environment. It addresses the basic implementation; more complex certificate environments can be implemented in a hierarchical infrastructure. For new installs please see the reference and admin guides for Out of Band Management 7.0.

Introduction to TLS

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). The TLS model permits applications (the Notification Server infrastructure) and firmware (Intel vPro technology) to authenticate each other and communicate over a network with strong protection. TLS counters security threats by preventing eavesdropping, tampering, and forgery (impersonation of either party during authentication).

In an Intel AMT environment, TLS uses cryptography to protect AMT authentication and communication over the network, whether that network is public- or private-facing. The standard model for TLS creates a secure server environment where only the server is verified and authenticated; the endpoint (AMT) remains unauthenticated. In practical terms this means that AMT can be certain of the server's authenticity when it is passed AMT or other vPro commands.

Greater security, where both points of the communication are authenticated so both the client (AMT) and the server (SCS) can be assured of the other's identity, is called mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment.

TLS involves three basic phases:

  1. Peer negotiation
  2. Public key exchange with certificate-based authentication
  3. Symmetric cipher encryption

The benefits of enabling TLS are:

  1. Greater security
  2. Ensured authentic communication between AMT and the server
  3. Data integrity
  4. Data theft prevention
  5. Disallowing un-trusted sources any ability to make use of vPro's powerful functionality

The following outline details the TLS handshake process:

Transport Layer Security (TLS) Handshake in Detail

  1. A client system sends a client-'Hello' message specifying the highest TLS protocol version it supports, a random number, and a list of suggested cipher suites and compression methods.
  2. The Server responds with a server-'Hello', containing the chosen protocol version, a random number, cipher suite, and compression method from the choices offered by the client.
  3. The Server sends its Certificate (depending on the selected cipher suite, this may be omitted by the server).
    1. These certificates are currently X.509, but there is also a draft specifying the use of OpenPGP-based certificates.
  4. The server may request a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest.
  5. The Server sends a ServerHelloDone message, indicating it is done with the handshake negotiation.
  6. The Client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again this depends on the selected cipher.)
  7. The Client and Server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed "pseudorandom function".
  8. The Client now sends a ChangeCipherSpec message, essentially telling the Server, "Everything I tell you from now on will be encrypted." Note that the ChangeCipherSpec is itself a record-level protocol, and has type 20, and not 22.
  9. Finally, the Client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
  10. The Server will attempt to decrypt the Client's Finished message, and verify the hash and MAC. If the decryption or verification failed, the handshake is considered to have failed and the connection should be torn down.
  11. Finally, the Server sends a ChangeCipherSpec and its encrypted Finished message, and the Client performs the same decryption and verification.
  12. At this point, the "handshake" is complete and the Application protocol is enabled, with content type of 23. Application messages exchanged between Client and Server will be encrypted.

Source: http://en.wikipedia.org/wiki/Secure_Sockets_Layer
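As an added illustration of the record and handshake structure in the outline above (example code written for this article; it is not part of the original post nor of any Intel or Symantec tool), the Python below parses a TLS 1.0 record header and a ClientHello message, and recognises the ChangeCipherSpec (type 20) and application data (type 23) records the outline mentions. The ClientHello bytes are constructed by the script itself, not captured traffic, and the three cipher suite names are looked up from the standard TLS registry values.

```python
import struct

# Record-layer content types; the outline notes ChangeCipherSpec is type 20,
# handshake messages are type 22 and application data is type 23.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Handshake message types that appear in the outline above.
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   13: "certificate_request", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}

# A few registered TLS 1.0 cipher suite identifiers, for readable output.
CIPHER_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}


def parse_record(data):
    """Split one TLS record into (content type name, protocol version, payload).

    The 5-byte header is: content type (1), version major/minor (2), length (2).
    """
    if len(data) < 5:
        raise ValueError("record shorter than the 5-byte header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("record truncated: header says %d bytes, got %d" % (length, len(payload)))
    return CONTENT_TYPES[ctype], (major, minor), payload


def parse_client_hello(payload):
    """Parse the ClientHello body (step 1 of the outline) from a handshake record payload."""
    if len(payload) < 4:
        raise ValueError("handshake header truncated")
    if HANDSHAKE_TYPES.get(payload[0]) != "client_hello":
        raise ValueError("expected client_hello, got handshake type %d" % payload[0])
    body_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("client_hello body truncated")
    pos = 0

    def take(n):
        # Bounds-checked cursor so a malformed length cannot be silently accepted.
        nonlocal pos
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("client_hello fields run past the body at offset %d" % pos)
        pos += n
        return chunk

    version = tuple(take(2))                       # highest version the client supports
    client_random = take(32)                       # the client's random number
    session_id = take(take(1)[0])                  # 1-byte length, then the id
    suites_raw = take(int.from_bytes(take(2), "big"))
    if len(suites_raw) % 2:
        raise ValueError("cipher suite list has odd length")
    suites = [int.from_bytes(suites_raw[i:i + 2], "big") for i in range(0, len(suites_raw), 2)]
    compression = list(take(take(1)[0]))           # offered compression methods
    return {
        "version": version,
        "random": client_random,
        "session_id": session_id,
        "cipher_suites": [CIPHER_SUITES.get(s, "0x%04X" % s) for s in suites],
        "compression_methods": compression,
    }


def describe_record(data):
    """Summarise a record; only a ClientHello is decoded further (later handshake
    messages after ChangeCipherSpec are encrypted and cannot be read this way)."""
    ctype, version, payload = parse_record(data)
    info = {"content_type": ctype, "record_version": version}
    if ctype == "handshake" and payload:
        if HANDSHAKE_TYPES.get(payload[0]) == "client_hello":
            info.update(parse_client_hello(payload))
        else:
            info["handshake_type"] = HANDSHAKE_TYPES.get(payload[0], "unknown")
    return info


def build_client_hello(version=(3, 1), suites=(0x002F, 0x0035, 0x000A), client_random=None):
    """Construct a sample TLS 1.0 ClientHello record (test input, not captured traffic)."""
    client_random = client_random or bytes(range(32))
    body = bytes(version) + client_random + b"\x00"          # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for key, value in describe_record(build_client_hello()).items():
        print("%-20s %s" % (key, value))
```

Running the script prints the decoded fields of the constructed ClientHello; feeding it a record cut one byte short raises a ValueError instead of returning a partial result, which is the behaviour a parser sitting on a management interface should have.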

Preparing the Environment

The walkthrough works through the steps required to set up TLS, but preparing the environment first will allow the process to run smoothly. Note that there are other levels of implementation that include more than one CA and authentication level (hierarchical); this article focuses on a simple one-server (root) CA for certificate exchanges.

Prerequisites

The following items are required to be in place before TLS will be successful in an environment. The walkthrough covers these items, but having the applicable components installed and ready to use will be helpful.

  1. Microsoft Certificate Authority (CA) - This required piece can be implemented on a Windows Server operating system by adding Certificate Services via the Add/Remove Windows Components section of Add/Remove Programs.
  2. Internet Information Services (IIS) running in secure certificate mode. The options for this are found under the specific web site in the IIS Manager (Default Web Site by default) under the Directory Security tab under the Secure communications section.
  3. All AMT systems configured to use TLS when communicating with the Server (this will be covered

Best Practices

  • It is best to have everything ready before running through the enabling of TLS. This means to secure a valid certificate (for validated results, use VeriSign, Comodo, GoDaddy, or another trusted certificate source), have Microsoft CA licenses ready, and any other environmental components to make the TLS implementation successful.
  • Make sure any CA you set up has its final computer name and is joined to the proper Domain. Changing either will invalidate any certificates issued before the change.
  • It's recommended to run through this on a test server to ensure all the components will work in your environment. If possible, mirror the production network so you can work out any kinks before making the changes on the production network.
  • Make sure you follow the steps to enable TLS for Management (RTSM, Task Server, etc) if you are using this tool with provisioned AMT systems.

Enabling TLS

The process for enabling TLS isn't as simple as throwing a switch or checking a box. The enabling process requires all parts of the infrastructure to be in place and configured properly.

Walkthrough

The following walkthrough covers all basic steps to enable TLS in an Altiris Out of Band Management 7.0 environment with Intel SCS.

Install Microsoft's CA for use with TLS.

  1. Open Add/Remove Programs and click the option 'Add/Remove Windows Components' in the left-hand pane.
  2. Highlight 'Certificate Services' and click 'Details'.
  3. Check the option 'Certificate Services CA'. NOTE: you will see a warning indicating that changing the server name or switching domains will invalidate any certificates this CA has issued. Make sure you have the final name-domain applied to the server.
  4. Click 'Ok', and on the initial page click 'Next'.
  5. For a stand-alone root CA select the appropriate radio button. If you are using a hierarchical model, refer to Microsoft's documentation on how to set up root and subordinate CAs. Click 'Next'.
  6. Provide a Common name for the CA in the top-most field. If applicable, provide a Distinguished name suffix (this will be specific for your Domain). Select the Validity period as appropriate for your environment. Click 'Next'.
  7. Unless otherwise required, leave the Certificate Database Settings at default and click 'Next'.
  8. Click 'Yes' when prompted to stop IIS services.
  9. The installation will proceed.

Configure IIS to run in TLS mode.

  1. On the Notification Server open the IIS Manager (Start > Administrative Tools > Internet Information Services (IIS) Manager).
  2. Expand the left-hand tree under the Server name, and then Web Sites.
  3. Select the Web Site used by both Notification Server and Intel SCS. The default site will be labeled 'Default Web Site'. Right-click and choose 'Properties'.
  4. Click the tab 'Directory Security'.
  5. Click the button labeled 'Server Certificate' under the 'Secure communications' section at the bottom of the screen.
  6. This will launch the Web Server Certificate Wizard. Click 'Next'.
  7. Select the option 'Send the request immediately to an online certificate authority' and click 'Next'.
  8. Refer to the following article if the above option appears grayed out: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2f42b637-5bfd-44e0-abd3-4738db388fab.mspx?mfr=true.
  9. Input a name for the certificate, or leave the default and click 'Next'.
  10. Input a name for your Organization and Organizational Unit. Typically this will be your Company name or other identifier in your environment. Click 'Next'.
  11. Usually leave the Common name field as is. This will typically be the name of your server. This name must be a valid DNS entry. Click 'Next'.
  12. Enter your locale details as appropriate for your environment. Click 'Next'.
  13. Review the criteria you entered and, if all is correct, click 'Next'.
  14. Click Finish to complete the process.
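Before pointing AMT systems at the new server certificate, it is worth checking from a client's point of view that the certificate satisfies what TLS server authentication will demand: a Common name that matches the server's DNS name (step 11), a chain back to the CA the clients trust, and a validity period that has not run out. The Python below is an added example written for this article (not Symantec, Intel or Microsoft code) that performs that check the way a verifying client does; `NOTIFICATION_SERVER` and `ROOT_CA_PEM` are placeholders, and it assumes the root CA certificate has been exported from the Microsoft CA in PEM format. The `client_cert_pem` parameters are there to show the mutual authentication variant, which the article does not cover in detail.

```python
import socket
import ssl
import sys
import time

# Placeholder values: replace with your Notification Server FQDN (the certificate's
# Common name from step 11) and the root CA certificate exported from the Microsoft CA as PEM.
NOTIFICATION_SERVER = "ns01.example.local"
ROOT_CA_PEM = "root-ca.pem"


def make_verifying_context(root_ca_pem=None, client_cert_pem=None, client_key_pem=None):
    """Context that behaves like a verifying TLS client (what AMT does in
    'TLS Server Authentication' mode): the server certificate must chain to the
    trusted root and its name must match the host we connect to. Supplying a
    client certificate additionally presents it, as in mutual authentication."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=root_ca_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem, client_key_pem)
    return ctx


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate, given its notAfter string as returned by getpeercert()."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify_verify_message(message):
    """Map an OpenSSL verification message to the part of the walkthrough that usually fixes it."""
    msg = message.lower()
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "name mismatch: the certificate Common name must be the DNS name of the server (IIS step 11)"
    if "self signed" in msg or "self-signed" in msg or "unable to get" in msg:
        return "untrusted issuer: the server certificate does not chain to the root CA the client trusts"
    if "expired" in msg:
        return "expired certificate: issue a new server certificate from the CA"
    return "verification failed: " + message


def check_server(hostname, port=443, root_ca_pem=None, timeout=5.0):
    """Connect with server authentication and return a report dict; failures are recorded, not raised."""
    report = {"host": hostname, "port": port, "ok": False}
    try:
        ctx = make_verifying_context(root_ca_pem)
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                report.update({
                    "ok": True,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    # each RDN in the subject is a tuple of (type, value) pairs
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "not_after": cert["notAfter"],
                    "days_left": days_until_expiry(cert["notAfter"]),
                })
    except ssl.SSLCertVerificationError as exc:   # subclass of SSLError, so catch it first
        report["error"] = classify_verify_message(getattr(exc, "verify_message", str(exc)))
    except (ssl.SSLError, OSError) as exc:
        report["error"] = "connection or TLS failure: %s" % exc
    return report


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else NOTIFICATION_SERVER
    ca = sys.argv[2] if len(sys.argv) > 2 else ROOT_CA_PEM
    for key, value in check_server(host, root_ca_pem=ca).items():
        print("%-10s %s" % (key, value))
```

Run it from a machine that does not already trust the CA through the Windows store so that the root PEM you pass is the only trust anchor; a report with `ok False` and a "name mismatch" or "untrusted issuer" error is exactly the failure that would otherwise leave AMT systems unmanaged after re-provisioning.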

Configure all AMT systems to use TLS

  1. A profile must be modified or created to set TLS as the communication method on the target AMT systems.
  2. In the Symantec Management Console, go to Home > Remote Management > Out of Band Management > Configuration > Configuration Service Settings > and select 'Configuration Profiles'.
  3. Choose the profile to edit and click the edit icon (pencil) or click the blue Plus + to create a new Profile. If creating a new profile enter the other options as needed.
  4. Click on the TLS tab (a screenshot of this user interface is attached to this article).

  5. Check the box labeled 'Use TLS'.
  6. Select the two radio buttons for 'Local Interface TLS Server Authentication' and 'Network Interface TLS Server Authentication' (the other radio options, for Mutual Authentication, should be selected if that is what you will use in the environment).
  7. Select the Server Certificate installed in the previous steps under Configure IIS to run in TLS mode.
  8. Next to the CRL label under Trusted Certificates click the browse "..." to select your certificate.
  9. When complete, click 'OK' to save all configured settings in the profile.
  10. This profile should now be used as the default for new systems Configured by Out of Band Management 7.0. To set this profile as the default profile, follow these steps:
    1. In the Symantec Management Console, go to Home > Remote Management > Out of Band Management > Configuration > Intel(R) AMT Systems > and select Resource Synchronization.
    2. Under the Profile assignment settings click the blue plus + or select your existing assignment and click the edit icon (pencil).
    3. Next to the Domain field verify that it is set correctly.
    4. Under the Profile dropdown choose the newly edited or created profile (a screenshot of this dialog is attached to this article).

    5. Click OK to save the changes or creation.
    6. Click Save changes to apply the new profile.
  11. The following steps detail how to apply either the new policy, or the changes to the policy to existing managed AMT systems.
    1. In the Symantec Management Console, go to Home > Remote Management > Out of Band Management > Configuration > Intel® AMT Systems > and select 'Intel® AMT Systems'.
    2. Select all applicable systems (use Shift to select a range between two points, or Ctrl to select multiple systems individually).
    3. If you edited the profile already assigned to these systems, right-click and choose 'Re-provision...'.
    4. If you need to switch profiles, first choose 'Un-provision...' with the Partial option selected, followed by another right-click and choose 'Create assignments', select the right profile from the dropdown, and click 'OK'.

If all steps have been completed successfully, TLS communication will now be utilized in all communication between Out of Band Management, Intel SCS, and the AMT client systems.

Mutual Authentication

If you will be using Mutual Authentication, there are additional steps to be completed. These are not covered in this article. Note that most of the additional steps concern how the certificates are created and how they are installed into the environment; the configuration on the Symantec Management side is similar.

Conclusion

For secure communication, TLS is the standard. By enabling this encryption/authentication technology you not only secure your internal network, but also the endpoints trying to connect and authenticate with the server. Remember to test your infrastructure before deploying to production. If authentication fails after the setup, it will leave AMT systems in an unmanaged state!

Attachment(s) (uploaded Feb 25, 2020)

  • 828501-01.jpg (59 KB)
  • 828501-02.jpg (29 KB)
  • 828501-03.jpg (29 KB)
  • How to enable TLS within Out of Band Management 7.0 after....doc (482 KB)
