Merge branch 'main' into mar24-release-notes
bwendlandt-intel authored Mar 12, 2024
2 parents 20a120c + 86b25ce commit bd129e5
Showing 12 changed files with 212 additions and 19 deletions.
114 changes: 114 additions & 0 deletions docs/Reference/EA/localtlsconfig.md
@@ -0,0 +1,114 @@
--8<-- "References/abbreviations.md"

# Local TLS Configuration with RPC-Go

!!! warning "Local TLS Configuration using RPC-Go is a Preview Feature"
Local TLS Configuration using RPC-Go is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub.

The TLS protocol includes the following types of authentication:

- Server Authentication – Only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated. This means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom they are communicating.

- Mutual Authentication – The next level of security in which both ends of the “conversation” are sure with whom they are communicating.

When Intel AMT is configured for mutual authentication, it validates incoming client certificates based on the root of trust configured.

## Overview

AMT can be configured to use TLS without the need for a remote server (i.e. RPS). RPC-Go can directly communicate with Enterprise Assistant to perform the configuration.

The following steps highlight how to:

- Configure the connection of EA and RPC-Go
- Run TLS configuration using RPC-Go

## Prerequisites

The following are requirements to configure and connect an AMT device using TLS.

- [Enterprise Assistant](overview.md)
- [RPC-Go](../../GetStarted/buildRPC.md)
- Management Tool supporting TLS (ex: [Meshcommander](https://www.meshcommander.com/meshcommander))

This is not required for configuration and therefore not needed for this guide. However, a management tool will be needed if you want to manage the device post-configuration.

### Services

The following services are assumed to be configured and running in your enterprise environment.

- Microsoft* Certificate Authority (CA)
- An AMT TLS Certificate template is required. See [TLS Certificate Template](tlsCertTemplate.md) for additional steps on creating a template.

- Microsoft* Active Directory (AD)

## Configure Enterprise Assistant

1. Run the Enterprise Assistant executable.

2. Open the `File > Settings` menu to configure the RPC-Go connection.

<figure class="figure-image">
<img src="..\..\..\assets\images\EA_SettingsEmpty.png" alt="Figure 1: Enterprise Assistant Settings Menu">
<figcaption>Figure 1: Enterprise Assistant Settings Menu</figcaption>
</figure>

3. Under **RPC Client** section, set a **Username** of your choice.

4. Set a **Password** of your choice.

5. Set an alpha-numeric **Security Key** of your choice. This key is used when generating JWT tokens for authentication between RPC-Go and EA communication.

6. The `Device Name` is the name used to configure the domain controller for each device account. Using `Node Identifier` is more secure due to the inability to be tampered with but is less friendly to maintain as a user.

7. `Security Groups` will list all of the security groups of the domain controller that have been created within the Computers group. When Enterprise Assistant creates a new Computer account (like a new AMT device), it will join the selected Security Groups.

8. Provide the Certificate Authority and click the checkmark.

9. It will then list the available Certificate Templates to choose from. This will let you select a template specifically created for AMT. See [TLS Certificate Template](tlsCertTemplate.md) for additional steps on creating a template.

10. Choose how to issue the certificate. Typically, `SAM Account Name` is most commonly used as the `Common Name`.

!!! example "Example - Configured Settings"
<figure class="figure-image">
<img src="..\..\..\assets\images\EA_RPCSettingsFull.png" alt="Figure 2: Enterprise Assistant RPC-Go Settings Example">
<figcaption>Figure 2: Enterprise Assistant RPC-Go Settings Example</figcaption>
</figure>

11. Press **OK** to save the Settings.

!!! success "Success - HTTP Server Started"
<figure class="figure-image">
<img width=400px src="..\..\..\assets\images\EA_RPCHTTPStart.png" alt="Figure 3: HTTP Server Started Example">
<figcaption>Figure 3: HTTP Server Started Example</figcaption>
</figure>

## Configure the AMT Device

1. Open Command Prompt as Administrator.

2. Navigate to the directory with RPC-Go.

3. Run the `rpc configure tls` command. Replace the [bracketed] values with your own.

```
rpc configure tls -mode [configurationMode] -password [AMTPassword] -eaAddress [IP-Address-or-FQDN] -eaUsername [myUsername] -eaPassword [myPassword]
```
The toolkit offers four configuration modes to support various usage models:
| CONFIGURATION MODE | DESCRIPTION |
| :---------------------| :----------------------------------------------------------------------------------------------------- |
| Server | The client authenticates the server request and accepts only those servers with a digital certificate. |
| ServerAndNonTLS | **Used primarily for testing.** The client authenticates the server request and accepts legitimate digital certificates from TLS-enabled servers. However, if the server is not TLS-enabled, the client defaults to a CIRA connection.|
| Mutual | Both client and server **must** have certs. The client cert is signed by the server cert. |
| MutualAndNonTLS | **Used primarily for testing.** Both client and server certs are expected. The client authenticates the server request and accepts legitimate digital certificates from TLS-enabled servers. However, if the server is not TLS-enabled, the client defaults to a CIRA connection. |
!!! success "Success - TLS Configured"
<figure class="figure-image">
<img src="..\..\..\assets\images\RPC_EALocalTLSSuccess.png" alt="Figure 4: TLS Configured Example">
<figcaption>Figure 4: TLS Configured Example</figcaption>
</figure>
4. Now, the device is manageable via a TLS connection using the management tool of your choice!
<br><br>
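Review bot: In the configuration-mode table, the Mutual row states "The client cert is signed by the server cert", which contradicts the introduction's statement that AMT validates incoming client certificates against the configured root of trust; suggest rewording to say that both the client certificate and the AMT server certificate chain to the trusted CA, or define which certificate "server cert" refers to. The table, the `!!! success` admonition and step 4 also run together without blank lines (the paragraph "The toolkit offers four configuration modes..." typically needs a blank line before the table for the Markdown tables extension to pick it up), the `rpc configure tls` fence should carry a language tag, and the trailing `<br><br>` can go. Since step 3 passes both the AMT password and the EA password as command-line arguments, consider a short note that these values end up in shell history and process listings on the admin workstation.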
15 changes: 8 additions & 7 deletions docs/Reference/EA/overview.md
@@ -1,4 +1,4 @@

--8<-- "References/abbreviations.md"

Enterprise Assistant is a Windows application that can run as a normal application or as a background Windows service. Once setup to connect to RPS (hosted in either the cloud or enterprise), it can be used to assist with the configuration of AMT devices using TLS. Enterprise Assistant will handle certificate signing requests (CSRs) to Microsoft CA.
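Review bot: This paragraph still describes Enterprise Assistant only as connecting to RPS, while the same commit adds docs/Reference/EA/localtlsconfig.md describing RPC-Go talking to EA directly without RPS; suggest mentioning the local RPC-Go path here (or linking to that page) so the overview is not out of date on arrival. Minor: "Once setup to connect" should read "Once set up to connect".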

@@ -29,6 +29,7 @@ It is suggested to run Enterprise Assistant as a normal Windows application at f
The following services are assumed to be configured and running in your enterprise environment.

- Microsoft* Certificate Authority (CA)
- An AMT TLS Certificate template is required. See [TLS Certificate Template](tlsCertTemplate.md) for additional steps on creating a template.
- Microsoft* Active Directory (AD)

## Setup
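Review bot: The added sub-bullet ("An AMT TLS Certificate template is required...") is the same sentence that appears under Services in the new localtlsconfig.md; since this file already uses `--8<--` snippet includes, pulling the Services list from one shared snippet would keep the two pages from drifting.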
@@ -37,12 +38,12 @@ The Enterprise Assistant repository is a codebase that needs to be compiled into

1. Clone the Enterprise Assistant Repository.
```
https://github.com/open-amt-cloud-toolkit/enterprise-assistant.git
git clone https://github.com/open-amt-cloud-toolkit/enterprise-assistant.git
```
2. Open the project in Visual Studio.
2. Open the project file `OpenAMTEnterpriseAssistant.csproj` in Visual Studio.
3. From the menus, choose `Build > Build Solution`.
3. From the menus, choose `Build > Build OpenAMTEnterpriseAssistant`.
4. By default after compiling, the `.exe` will be saved in `.\enterprise-assistant\bin\Debug\OpenAMTEnterpriseAssistant.exe`.
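Review bot: Good catch replacing the bare URL with `git clone`; the fence around it still has no language tag (```shell would enable highlighting). Step 4 points readers at `bin\Debug\OpenAMTEnterpriseAssistant.exe`, so the instructions produce a Debug build; if the service is meant to run in production, consider stating the Release configuration and where its output lands, or noting that a Debug build is fine for the evaluation flow.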
@@ -84,7 +85,7 @@ To use Enterprise Assistant with Kong API Gateway, we need to configure a new ro
1. Open the Enterprise Assistant `File > Settings` menu to configure the RPS connection.
<figure class="figure-image">
<img width="450" height="253" src="..\..\..\assets\images\EA_SettingsEmpty.png" alt="Figure 3: Enterprise Assistant Settings Menu">
<img src="..\..\..\assets\images\EA_SettingsEmpty.png" alt="Figure 3: Enterprise Assistant Settings Menu">
<figcaption>Figure 3: Enterprise Assistant Settings Menu</figcaption>
</figure>
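Review bot: Dropping the fixed `width`/`height` is consistent with the figures in the new localtlsconfig.md, but the `src` still uses backslashes (`..\..\..\assets\images\EA_SettingsEmpty.png`); browsers normalize these to `/`, yet they are non-standard in an HTML attribute and confuse link checkers, so forward slashes would be safer for all the `<img>` paths in this commit.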
@@ -98,7 +99,7 @@ To use Enterprise Assistant with Kong API Gateway, we need to configure a new ro
5. Provide the Certificate Authority and click the checkmark.
6. It will then list the available Certificate Templates to choose from. This will let you select a template specifically created for AMT.
6. It will then list the available Certificate Templates to choose from. This will let you select a template specifically created for AMT. See [TLS Certificate Template](tlsCertTemplate.md) for additional steps.
7. Choose how to issue the certificate. Typically, `SAM Account Name` is most commonly used as the `Common Name`.
@@ -108,7 +109,7 @@ To use Enterprise Assistant with Kong API Gateway, we need to configure a new ro
<figcaption>Figure 4: Enterprise Assistant Settings Example</figcaption>
</figure>
8. Save the Settings.
8. Press **OK** to save the Settings.
9. Start the connection by going to `File > Local Connect`.
42 changes: 42 additions & 0 deletions docs/Reference/EA/tlsCertTemplate.md
@@ -0,0 +1,42 @@
--8<-- "References/abbreviations.md"

This template is used by EA to request certificates on behalf of your AMT devices. These certificates will be installed into the AMT device firmware and used for traffic authentication.

## Create AMT TLS Certificate Template

1. On your Enterprise Subordinate CA server, open the Start menu.

2. Choose Run, then enter `certtmpl.msc`.

3. Right-click the certificate template named **Web Server** and choose **Duplicate**.

4. Name the new template **AMT TLS Certificate**.

5. Navigate to the **Request Handling** tab, and check the box labeled **Allow private key to be exported**.

6. Navigate to the **Subject Name** tab, and ensure that the radio button **Supply in the request** is selected.

7. Click **OK** to save the template.

## Enable the Template

1. On the Enterprise Subordinate CA server, run the **Certification Authority** tool.

2. Navigate to the **Certificate Templates** folder on the left pane.

3. Right-click the **Certificate Templates** folder and choose **New** -> **Certificate Template to Issue**.

4. Choose the **AMT TLS Certificate** template.

5. Click **OK**.


## Select the Template in Enterprise Assistant

When configuring the Settings menu of Enterprise Assistant, choose the **AMT TLS Certificate** from the **TLS Template** drop down menu under **Certificate Authority**.

!!! example "Example - Configured TLS Template in Settings"
<figure class="figure-image">
<img src="..\..\..\assets\images\EA_RPCSettings_TLSTemplate.png" alt="Figure 1: Enterprise Assistant Settings Example">
<figcaption>Figure 1: Enterprise Assistant Settings Example</figcaption>
</figure>
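Review bot: Step 5 of "Create AMT TLS Certificate Template" turns on "Allow private key to be exported" without saying why; since the intro says the certificates are installed into the AMT device firmware, add a sentence that EA needs an exportable key in order to deliver it to the device, and note that the template's enrollment permissions should be limited to the account Enterprise Assistant runs as, because any principal allowed to enroll against this template obtains exportable server-authentication keys. Smaller points: the page has no top-level `#` heading while localtlsconfig.md does, and there is a doubled blank line before "## Select the Template in Enterprise Assistant".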

0 comments on commit bd129e5