What is the meaning of isCA in the zman iamt-create-csr command? How does discovery work?

  • 7008340
  • 09-Apr-2011
  • 27-Apr-2012

Environment

Novell ZENworks 11 Configuration Management

Situation

The documentation at "3.2.1 Configure the ZENworks Primary Server for Intel AMT Management" in the "ZENworks 11 Out-of-Band Management Reference" may not fully describe the meaning of setting isCA to true or false for zman icc.

The documentation discusses discovering iAMT devices. How does this work?

Resolution

Certificates:
 
For Enterprise Mode provisioning, both parties (the Management/ZENworks Server and the iAMT device) should be provisioned with a key pair and certificate.

When provisioning iAMT devices in a ZENworks Zone configured with an External Certificate Authority, there are two options:
 
  1. Generate a Management Certificate capable of minting device certificates (isCA = true in the zman icc command).
    When the Management Certificate is minted with the isCA flag set to true, it has the capability of minting all of the iAMT Device Certificates. In this workflow the ZENworks Administrator does not have to generate each iAMT Device Certificate.

    The iAMT device has to be configured with the Management Certificate hash. This can be done either with the USBFile.exe utility or via the MEBx menu; refer to the documentation for more details.

    Once this is done the device should be discovered and should start appearing in ZCC (in the Discovered state). The ZENworks Administrator can now provision the iAMT device. The ZENworks Server uses the Management Certificate that was imported earlier to mint the iAMT Device Certificate and completes the Enterprise Mode provisioning.

    If isCA was set to true, the devices receive their certificate by following this step in the provisioning documentation:

    Provisioning iAMT Devices with the Device Certificate and a Private Key
     
  2. Generate a Management Certificate which does not have the capability to mint device certificates (isCA = false in the zman icc command).

    When the Management Certificate is minted with the isCA flag set to false, the ZENworks Administrator is choosing to mint the iAMT Device Certificates directly from the external CA and does not want ZENworks to mint them. In this workflow the Device Certificates also have to be minted using the external CA of the Zone.

    If isCA was set to false, the devices receive a certificate by manually minting one on the external CA server and then applying it by following this step in the provisioning documentation:

    Provisioning iAMT Devices with an External Certificate

Note: The zman commands are only for setting up the zone server. Each device will receive its certificate either from the ZENworks Server acting as an intermediate CA (if method 1 is used) or directly from the external CA (if method 2 is used).
 
Discovery:
 
iAMT discovery does not happen automatically; the Intel iAMT devices must first be configured so that they are aware of the ZENworks Server.

Note: this is unlike the other discovery mechanisms that ZENworks supports (e.g. IP discovery using SSH, WMI, etc.), where the ZENworks Server initiates the discovery by connecting to the devices.

iAMT discovery happens by making the iAMT device aware of the ZENworks Server, after which the iAMT device starts sending 'Hello' packets to the ZENworks Server. An iAMT 'Hello' listener on the ZENworks Server uses these packets to discover the iAMT devices in the zone. After discovery, the iAMT devices start appearing under Devices -> Discovered -> Intel iAMT Devices. Once this occurs, the discovered devices are ready for provisioning.
Additional Information

  1. If the external CA used to mint the iAMT Management Certificate is well known (like VeriSign or GoDaddy), then all the Administrator has to do is configure the iAMT devices with the ZENworks Server as the Provisioning Server. On the next restart of the iAMT device, the ZENworks Server discovers the AMT device and it appears in ZCC under the Discovered iAMT Devices section (Devices -> Discovered -> Intel® AMT Devices).
  2. If the external CA used to mint the iAMT Management Certificate is not well known (not part of the factory default trust list of the iAMT device), then the Administrator has to configure the iAMT devices with the Management Certificate hash. This can be done either with the USBFile.exe utility or via the MEBx menu. Once the iAMT device is configured with the Provisioning Server details and the Management Certificate hash, the AMT device should appear in ZCC under the Discovered iAMT Devices section.

In either case, once the AMT device is discovered via one of the above paths, it can be provisioned using the "Provision" action in the Actions menu.
 
NOTE: When the ZENworks Server acts as certificate signer (isCA true), the iAMT workstation's DNS domain name must match the ZENworks Server's. For example, if the primary server is zen1.novell.com, the iAMT device must be wks1.novell.com. If this is not the case in the environment, then the certificates issued for the iAMT device must be issued by a third party. For more information see the Intel documentation at http://www.vproexpert.com/59JHE//RCFG-Cert-Util/docs/RemoteConfigurationCertificateSelection.pdf, section: "Client computer gets domain from DHCP Option 15 setting and verifies this suffix matches the CN field from the certificate. Provisioning stops here if no match is found."
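The following added example (not from this TID or from ZENworks) is a pre-flight check an administrator can run before choosing isCA: it applies the DNS-suffix rule from the NOTE above and reports which documented provisioning step applies. The way the domain is derived from the certificate CN (everything after the first label, or the part after "*." for a wildcard CN) and the helper names are assumptions.

```python
# Added example, not part of the TID: pre-check of the Intel AMT DNS-suffix rule
# and of the isCA choice. Domain derivation from the CN is an assumption.

PATH_ZEN_MINTS = "Provisioning iAMT Devices with the Device Certificate and a Private Key"
PATH_EXTERNAL_CA = "Provisioning iAMT Devices with an External Certificate"


def domain_suffix(fqdn: str) -> str:
    """DNS domain of a host name: everything after the first label.
    'zen1.novell.com' -> 'novell.com'; a wildcard CN '*.novell.com' -> 'novell.com'."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified name: {fqdn!r}")
    return ".".join(labels[1:])


def suffix_matches(cert_cn: str, dhcp_option15_domain: str) -> bool:
    """AMT takes its domain from DHCP option 15 and compares it with the domain
    part of the certificate CN; provisioning stops when they differ."""
    return domain_suffix(cert_cn) == dhcp_option15_domain.strip().rstrip(".").lower()


def provisioning_path(is_ca: bool, cert_cn: str, dhcp_option15_domain: str) -> str:
    """Which documented workflow applies for a given zman icc isCA choice.

    isCA=false: the external CA mints the device certificate, so no suffix
    constraint from the ZENworks server certificate applies here.
    isCA=true:  the ZENworks server mints the device certificate, so the
    device's DHCP domain must match the server certificate's domain."""
    if not is_ca:
        return PATH_EXTERNAL_CA
    if suffix_matches(cert_cn, dhcp_option15_domain):
        return PATH_ZEN_MINTS
    return (f"domain mismatch: {dhcp_option15_domain!r} != {domain_suffix(cert_cn)!r}; "
            "the device certificate must be issued by a third-party CA")


if __name__ == "__main__":
    # Constructed sample values matching the NOTE's example names.
    print(provisioning_path(True, "zen1.novell.com", "novell.com"))
    print(provisioning_path(True, "zen1.novell.com", "lab.novell.com"))
    print(provisioning_path(False, "zen1.novell.com", "lab.novell.com"))
```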