Hi,
My name is Itai Peres and I am a software engineer at Intel. Part of my job is to validate
Intel® AMT provisioning functionality.
Provisioning is the process by which a new Intel® AMT machine, fresh from the factory, receives
its first basic configuration settings. The basic configuration could be set on each machine by
entering the setting values manually. Configuring machines this way is reasonable only when there
is a small number of machines and each one of them is physically accessible.
In order to provision (configure) a large number of machines, or any number of machines that
are not accessible, one must run a software program (a provisioning server) that configures the
machines remotely.
An unsecured connection between this program and the remote machines would allow any unauthorized
user to configure the machines, which of course might expose sensitive and protected information
(e.g., the user password, machine hardware data and so on).
Therefore, there are two ways an Intel® AMT machine can be securely configured by a console machine. The first
way is to enter a pre-shared key (32 bytes long) in each of the Intel® AMT machines and in the
configuration server. By doing so, the connection between the configuration server and the Intel® AMT
machine is encrypted and secured, and the provisioning process can be executed remotely for any number
of machines. This configuration process is called PSK configuration.
There are some disadvantages to PSK configuration. For example, entering the pre-shared key
demands at least a one-touch configuration (meaning manually accessing each Intel® AMT machine), so
each machine has to be handled by IT personnel.
One more problem that might arise is the need to constantly store and protect the list of pre-shared keys.
Those problems can be solved by the second configuration method, called RCFG (Remote Configuration).
This method is based on PKI (Public Key Infrastructure) technology and requires the use of certificates
in order to secure the connection and validate the identity of the other side.
A certificate is a digitally signed credential for a secured connection, issued to a user or a group of users
by a known, authorized company. Each company's IT group needs to buy or create its own certificate
for its company domain names. Those certificates are used to establish the secured connection
between the provisioning server and the Intel® AMT machines.
The Intel® AMT machine will independently validate the domain name of its network environment against the
certificate information. In addition, Intel® AMT will confirm that the certificate issuer is either a known
certificate issuer on the market (e.g., VeriSign, Comodo, etc.) or the company itself.
This procedure allows the Intel® AMT machine to be configured with "zero touch" provisioning (no
manual access to the machine is required).
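As an added illustration of the trust decision just described (this is not Intel's code, and the certificate records, issuer names and DNS suffix are constructed stand-ins for fields parsed from a real X.509 certificate), the following Python shows why both checks matter: the issuer must be trusted, and the certificate's name must match the machine's network domain on whole DNS labels, so that a look-alike domain cannot pass as the company's own.

```python
"""Hypothetical model of the remote-configuration checks: trusted issuer plus
domain match. Not Intel's implementation; all data below is constructed."""
from dataclasses import dataclass, field

# Constructed trust list: public CAs the machine knows plus the company's own root.
TRUSTED_ISSUERS = {"VeriSign Class 3 CA", "Comodo CA", "Example Corp Root CA"}


@dataclass
class Cert:
    """Stand-in for the parsed fields of a provisioning server's certificate."""
    subject_cn: str
    issuer: str
    san_dns: list = field(default_factory=list)

    def dns_names(self) -> list:
        return [self.subject_cn, *self.san_dns]


def domain_matches(cert_name: str, env_suffix: str) -> bool:
    """True if cert_name equals the environment's DNS suffix or is a subdomain of it.
    Matching happens on whole labels, so 'evil-example.com' never matches 'example.com'."""
    c = cert_name.lower().rstrip(".")
    e = env_suffix.lower().rstrip(".")
    return c == e or c.endswith("." + e)


def accept_provision_server(cert: Cert, env_dns_suffix: str) -> tuple:
    """Return (accepted, reason) for a provisioning server presenting `cert`
    to a machine whose network environment reports `env_dns_suffix`."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return False, f"issuer {cert.issuer!r} is not a trusted certificate issuer"
    if not any(domain_matches(n, env_dns_suffix) for n in cert.dns_names()):
        return False, f"no certificate name matches the network domain {env_dns_suffix!r}"
    return True, "certificate accepted; zero-touch provisioning may proceed"


if __name__ == "__main__":
    # Constructed sample certificates for a machine in the example.com domain.
    samples = [
        Cert("provision.example.com", "Comodo CA"),              # accepted
        Cert("provision.evil-example.com", "Comodo CA"),         # look-alike domain
        Cert("provision.example.com", "Some Unknown CA"),        # untrusted issuer
        Cert("console.example.net", "Example Corp Root CA",
             san_dns=["zt.example.com"]),                        # accepted via SAN
    ]
    for cert in samples:
        print(cert.subject_cn, "->", accept_provision_server(cert, "example.com"))
```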
To conclude, each of the methods (PSK and RCFG) has its own advantages.
From an overall perspective, the combination of the two methods gives the IT group the ability to
configure Intel® AMT machines according to the company's requirements.
Now the only thing left is for you to write me which method you prefer.
Any question or comment will be more than welcome.
Itai Peres.
By Bill Pearson on August 28th, 2007 at 11:59 am
Zero touch provisioning is a wonderful way to simplify the configuration process. Thanks for explaining the difference between the two methods.
By Ajay Mungara on August 28th, 2007 at 12:16 pm
Hi Itai, welcome to the software blogs. We all know that provisioning and AMT deployment has been an issue. I am really looking forward to reading your posts to understand some of the challenges and how best to overcome the provisioning hurdles.