Intel,Altiris Group

How to Enable TLS Within Out of Band Management After the install 

Oct 23, 2007 05:15 PM

Many implementations of Out of Band Management contain phases for both deployment and functionality execution. If TLS (Transport Layer Security) is not chosen during the install, it must be enabled afterwards to be used properly within the environment. Incorrectly configuring TLS could result in loss of connectivity to managed Intel AMT systems. This article addresses how to enable TLS after the products have already been implemented without it.

Introduction

This article provides a step-by-step process to enable TLS after Out of Band Management and Intel SCS have been implemented in the Notification Server environment. This article addresses the basic implementation; more complex certificate environments can be implemented in a hierarchical infrastructure. For new installs please see the reference and admin guides for Out of Band Management Solution.

Introduction to TLS

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). The TLS model permits an application, or firmware in AMT's case, to authenticate and communicate over a network in a protected channel. TLS prevents eavesdropping, tampering, and impersonation.

In an Intel AMT environment TLS provides AMT authentication and communications privacy over the network, whether public or private, using cryptography. The standard model for TLS creates a secure server environment where only the server is verified and authenticated. The endpoint (AMT) itself is not authenticated to the server: AMT can be sure of the server's authenticity, but the server cannot verify AMT's identity.

Greater security, where both points of the communication are authenticated so both the client (AMT) and the server (SCS) can be assured of the other's identity, is called mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment or TLS-PSK.

TLS involves three basic phases:

  1. Peer negotiation
  2. Public key exchange with certificate-based authentication
  3. Symmetric-key encryption of the session data

The benefits of enabling TLS are:

  1. Greater security
  2. Ensured authentic communication between AMT and the server
  3. Data integrity
  4. Data theft prevention

The following outline details the TLS handshake process:

Preparing the Environment

The walkthrough below works through the steps required to set up TLS; preparing the environment first will make the process run smoothly. Please note that there are different levels of implementation, including more than one CA and authentication level (hierarchical), but for this article the focus is a simple one-server authentication.

Prerequisites

The following items must be in place before TLS will work in an environment. Knowing what is needed lets you prepare all the necessary components so that enabling TLS is a quick process.

  1. Microsoft Certificate Authority (CA) – This required piece can be implemented on a Windows Server operating system.
  2. Internet Information Services (IIS) running in secure certificate mode.
  3. All AMT systems configured to use TLS when communicating with the Server (whether Notification Server or Intel SCS).

Best Practices

  • It is best to have everything ready before enabling TLS. This means securing a valid certificate (for the best results, use VeriSign, Comodo, GoDaddy, or another trusted certificate source), having Microsoft CA licenses ready, and preparing any other environmental components needed for a successful TLS implementation.
  • Make sure any CA you set up has its final computer name and is joined to the correct domain. Changing either will invalidate any certificates issued before the change.
  • It's recommended to run through this on a test server to ensure all the components will work in your environment. If possible, mirror the production network so you can work out any kinks before making the changes on the production network.
  • Make sure you follow the steps to enable RTSM if you are using this tool with provisioned AMT systems.

Enabling TLS

The process for enabling TLS isn't as simple as throwing a switch or checking a box. The enabling requires all parts of the infrastructure to be in place and configured properly.

Walkthrough

The following walkthrough covers all basic steps to enable TLS in an Altiris Out of Band Management Solution environment with Intel SCS.

Install Microsoft's CA for use with TLS.

  1. Open Add/Remove Programs and click the option 'Add/Remove Windows Components' in the left-hand pane.
  2. Highlight 'Certificate Services' and click 'Details'.
  3. Check the option 'Certificate Services CA'. NOTE: you will see a warning indicating that changing the server name or switching domains will invalidate any certificates this CA has issued. Make sure the final name and domain are applied to the server.
  4. Click 'Ok', and on the initial page click 'Next'.
  5. For a stand-alone root CA select the appropriate radio button. If you are using a hierarchical model, please reference Microsoft's documentation on how to set up root and subordinate CAs. Click 'Next'.
  6. Provide a Common name for the CA in the top-most field. If applicable, provide a Distinguished name suffix. Select the Validity period as appropriate for your environment. Click 'Next'.
  7. Unless otherwise required, leave the Certificate Database Settings at default and click 'Next'.
  8. Click 'Yes' when prompted to stop IIS services.
  9. The installation will proceed.

Configure IIS to run in TLS mode.

  1. On the Notification Server open the IIS Manager (Start > Administrative Tools > Internet Information Services (IIS) Manager).
  2. Expand the left-hand tree under the Server name, and then Web Sites.
  3. Select the Web Site used by both Notification Server and Intel SCS. The default site will be labeled 'Default Web Site'. Right-click and choose 'Properties'.
  4. Click the tab 'Directory Security'.
  5. Click the button labeled 'Server Certificate' under the 'Secure communications' section at the bottom of the screen.
  6. This will launch the Web Server Certificate Wizard. Click 'Next'.
  7. Select the option 'Send the request immediately to an online certificate authority' and click 'Next'.
  8. Note the following article if the above option is grayed out: http://www.microsoft.com/technet/prodtechnol/Wind...
  9. Input a name for the certificate, or leave the default and click 'Next'.
  10. Input a name for your Organization and Organizational Unit. Typically this will be your Company name or other identifier in your environment. Click 'Next'.
  11. Usually leave the Common name field as is. This is typically the name of your server, and it must be a valid DNS entry. Click 'Next'.
  12. Enter your locale details as appropriate for your environment. Click 'Next'.
  13. Review your entered criteria, and if satisfied all is correct click 'Next'.
  14. Click Finish to complete the process.

Configure all AMT systems to use TLS

  1. A profile must be modified or created to set TLS as the communication method on the target AMT systems.
  2. In the Altiris Console, go to View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > and select 'Provision Profiles'.
  3. Choose the profile to edit and click the edit icon (pencil).
  4. Click on the TLS tab.
  5. Check the box labeled 'Use TLS'.
  6. Select the two radio buttons for 'Local Interface TLS Server Authentication' and 'Network Interface TLS Server Authentication'.
  7. Select the appropriate CA in the 'Server Certificate' field.
  8. When complete, click 'OK' to save the application of the CA.
  9. This profile should now be the default for new systems Provisioned by Out of Band Management. The following steps detail how to apply either the new policy, or the changes to the policy to existing managed AMT systems.
  10. In the Altiris Console, under View > Solutions > Out of Band Management > Configuration > Provisioning > Intel® AMT Systems > and select 'Intel® AMT Systems'.
  11. Select all applicable systems (use Shift to select a range between two points, or Ctrl to select multiple systems individually).
  12. If you edited the profile already assigned to these systems, right-click and choose 'Re-provision...'.
  13. If you need to switch profiles, first choose 'Un-provision...' with the Partial option selected, followed by another right-click and choose 'Create assignments', select the right profile from the dropdown, and click 'OK'.

If all steps have been completed successfully, TLS will now be used for all communication between Out of Band Management, Intel SCS, and the AMT client systems. If Real-Time System Manager will be used, one additional set of steps must be completed.
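A client-side check of what the walkthrough produces, written for this article as an added example (it is not code from the original article, nor from Altiris or Intel). It does two things a practitioner wants before re-provisioning: it validates the form of the Service Location URL the AMT systems will be given (https, a DNS host name matching the certificate common name, the trusted domain suffix, the AMTSCS path), and it opens a TLS session to the IIS site trusting only the exported CA root, so a certificate from the wrong CA, a common name that does not match the DNS name, or a site still running plain HTTP shows up as a clear error instead of as unmanaged AMT systems later. `NS_HOST` and `CA_ROOT_PEM` are placeholders to replace with your own values.

```python
"""Verify the TLS setup the walkthrough produces, from the client side.

Added example, not code from the original article or from Altiris/Intel. It
assumes the CA root was exported in Base-64 (PEM) form to CA_ROOT_PEM and that
NS_HOST is the DNS name in the IIS server certificate (both placeholders).
"""
import socket
import ssl
import time
from urllib.parse import urlsplit

NS_HOST = "ns01.example.com"         # placeholder: DNS name in the server certificate's common name
CA_ROOT_PEM = "ca-root-base64.cer"   # placeholder: exported CA root certificate (Base-64 X.509)


def check_service_location(url, trusted_suffix):
    """Return the problems found in a Service Location URL (an empty list means it looks right).

    Once TLS is enabled the URL must use https, name the host by the DNS name in the
    server certificate (a bare IP address does not match a DNS common name), sit
    inside the trusted domain suffix, and still point at the AMTSCS directory.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https once TLS is enabled")
    host = (parts.hostname or "").lower()
    suffix = trusted_suffix.lower().lstrip(".")
    if not host or host.replace(".", "").isdigit():   # simple IPv4-literal check
        problems.append("host must be a DNS name matching the certificate common name")
    elif not host.endswith("." + suffix):
        problems.append("host is outside the trusted domain suffix " + suffix)
    if parts.path.rstrip("/").lower() != "/amtscs":
        problems.append("path should be /AMTSCS")
    return problems


def name_attribute(name, key):
    """Pull one attribute (e.g. commonName) out of the subject/issuer tuples getpeercert() returns."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def days_until_expiry(cert):
    """Days left on a certificate dict as returned by SSLSocket.getpeercert()."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) // 86400)


def check_tls_endpoint(host=NS_HOST, port=443, ca_pem=CA_ROOT_PEM):
    """Open a TLS session to the IIS site and verify it the way a client would.

    create_default_context(cafile=...) trusts only the exported root (the system
    store is not loaded) and enables hostname checking, so the chain must end at
    our CA and the certificate must match `host`.
    """
    ctx = ssl.create_default_context(cafile=ca_pem)  # CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "subject_cn": name_attribute(cert["subject"], "commonName"),
                    "issuer_cn": name_attribute(cert["issuer"], "commonName"),
                    "days_left": days_until_expiry(cert),
                }
    except ssl.SSLCertVerificationError as exc:      # wrong CA, wrong name, expired, ...
        return {"ok": False, "error": "certificate rejected: " + str(getattr(exc, "verify_message", exc))}
    except (ssl.SSLError, OSError) as exc:           # no TLS on the port, port closed, timeout
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    print(check_service_location("https://%s:443/AMTSCS" % NS_HOST, "example.com"))
    print(check_tls_endpoint())
```

Run it from a machine on the same network segment as the AMT systems, against the same host name they will use; a result with `"ok": False` is the condition to fix before re-provisioning, and `days_left` tells you when the server certificate will need renewing.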

TLS with RTSM

To use TLS with RTSM and AMT/vPro functionality, you must complete the necessary steps to properly register the certificate.

Configure RTSM to use TLS

  1. First, you'll need to export the CA root certificate in Base-64 encoded X.509 format.
  2. In the Altiris Console, under View > Solutions > Real-Time Console Infrastructure > Configuration > and select 'Configuration'.
  3. Click on the tab 'Intel® AMT Connection Settings'.
  4. Under 'Transport Level Security', add your trusted domain suffix for the CA on the NS.
  5. Under 'Redirection Security' input the values for 'Trusted CA certificate location:'.
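Step 1 above asks for the CA root certificate in Base-64 encoded X.509 format, and the Windows export wizard also offers a binary DER encoding, so it is easy to hand RTSM the wrong file. The following is an added example (not from the original article or the products it describes) that tells the two encodings apart by their structure and converts a DER export to the Base-64 form; the file paths in `ensure_pem` are placeholders.

```python
"""Check and convert an exported CA root certificate for the RTSM 'Trusted CA
certificate location' step. Added example, not code from the original article.
"""
import base64
import re

# A Base-64 (PEM) export is text between BEGIN/END CERTIFICATE lines.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def certificate_format(data):
    """Classify exported certificate bytes as 'pem', 'der' or 'unknown'.

    A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, so its first byte is
    the tag 0x30; a Base-64 export is wrapped in BEGIN/END CERTIFICATE lines.
    """
    if PEM_RE.search(data):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der):
    """Wrap DER bytes as a Base-64 encoded X.509 certificate with 64-column lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Decode a PEM certificate back to DER; raise ValueError if it is not one."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("not a Base-64 encoded X.509 certificate")
    der = base64.b64decode(re.sub(rb"\s+", b"", match.group(1)), validate=True)
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not an ASN.1 SEQUENCE, so not an X.509 certificate")
    return der


def ensure_pem(path_in, path_out):
    """Read an exported certificate, write a Base-64 copy, and return the input format found."""
    with open(path_in, "rb") as fh:          # path_in/path_out are placeholders
        data = fh.read()
    fmt = certificate_format(data)
    if fmt == "der":
        pem = der_to_pem(data).encode("ascii")
    elif fmt == "pem":
        pem = data
    else:
        raise ValueError("%s does not look like an X.509 certificate export" % path_in)
    with open(path_out, "wb") as fh:
        fh.write(pem)
    return fmt


if __name__ == "__main__":
    # Constructed sample: a SEQUENCE header claiming 256 bytes of content, not a real certificate.
    sample_der = b"\x30\x82\x01\x00" + bytes(range(256))
    print(certificate_format(sample_der), certificate_format(der_to_pem(sample_der).encode("ascii")))
```

The structural check is deliberately shallow: it confirms the file is an X.509-shaped object in the expected encoding, not that it is the right CA or a valid certificate. Use it to catch a DER export before pointing RTSM at it, and verify the actual trust relationship by connecting to the server with that root as the only trust anchor.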

Mutual Authentication

If you will be using Mutual Authentication, there are additional steps to be completed. These are not covered in this article.

Conclusion

For secure communication, TLS is the standard. By enabling this encryption and authentication technology you not only secure your internal network, but also the endpoints trying to connect and authenticate with the server. Remember to test your infrastructure before implementing it in production. If authentication fails after the setup, the AMT systems will be left in an unmanaged state.


Comments

Jun 10, 2008 09:53 AM

If enabling SSL on the AMTSCS web directory, the Service Location setting within the Altiris provisioning console (Out of Band Management > Configuration Service Settings > Provisioning) must also be updated to reflect the change.
For example:

https://altiris.vprodemo.com:443/AMTSCS

More will be written on this soon...
