Intel vPro Processor Technology Setup and Configuration for the HP Z1, Z210, Z420, Z620 and Z820 Workstations

Remote Configuration (RCFG)
Remote Configuration (RCFG) is the ability to use a single OEM image to provision
systems securely without the need to manually modify AMT options. RCFG uses a
Public Key Infrastructure with Certificate Hashes (PKI-CH) protocol to maintain
security. A DHCP environment is required.
RCFG relies on several new AMT features:
Embedded Hash Root Certificates
Self Signed Certificate
One-Time Password
Delayed network access
One or more hash root certificates are embedded into the AMT FW. These
certificates are integrated into the Hello messages sent by the AMT system to the
SCS. The SCS must have compatible certificates to authenticate the AMT system.
A self-signed certificate can be generated to create a secure connection between
the AMT system and the SCS. This certificate is used for encryption, not
authentication. The SCS uses the public key from the self-signed certificate to
encrypt the session key it generates and then sends that key to the AMT system. The AMT
system decrypts the SCS session key with its private key.
The One-Time Password (OTP) is created during provisioning. This password is
used with the remote console to initiate RCFG and it is sent to both the AMT system
and the SCS. This password is used to improve security.
The network interface used to send out Hello messages is functional only for a limited
amount of time once remote configuration has been activated; this behaviour is known as
delayed remote provisioning.
Delayed, as the name implies, means remote configuration at a later time, once an OS
has been installed on the AMT system. In this implementation, Setup and
Configuration is started when a remote console application initiates the process by
communicating with the ME through the HECI driver. This requires a functional OS
and agent to be installed on the AMT system. OTP authentication is optional; when it
is used, the remote console provides the OTP to the AMT system and to the SCS.
Consult your ISV management console provider for details on OS agents for
Delayed remote configuration support.
Remote Configuration Timeouts in HP Systems
HP Workstations are shipped from the factory with the Remote Configuration Timer
set to 0 (no Hello message broadcasting). In order to enable the ME to broadcast
Hello messages, an Intel Activator local agent must be used.
The Activator local agent will typically set the ME to broadcast Hello messages for 6
hours while the ME is active and the system is connected to a network. Consult
your ISV management console provider for exact details concerning delayed remote
configuration timeouts.
If no SCS responds to the Hello messages within the timeout period, then the
network interface that sends out the Hello messages will be disabled.
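The following is an added model (not Intel or HP code) of the RCFG behaviour described in this section: the AMT side only emits Hello messages while the Remote Configuration Timer window is open, and the SCS accepts a Hello only if one of the advertised root certificate hashes is in its trust list and the OTP matches. The class names, message layout and certificate bytes are constructed assumptions; only the behaviour follows the text.

```python
"""Model of the RCFG Hello exchange (added illustration, not Intel or HP code).
The message layout, class names and sample certificate bytes are constructed
assumptions; only the behaviour follows the text above."""
import hashlib
import hmac
from typing import Optional

HELLO_WINDOW = 6 * 60 * 60   # Activator typically enables Hello for 6 hours
FACTORY_TIMER = 0            # HP workstations ship with the RCFG timer at 0

# Constructed stand-ins for the hash root certificates embedded in AMT firmware.
EMBEDDED_ROOTS = [b"constructed-root-cert-A", b"constructed-root-cert-B"]


def cert_hash(cert_der: bytes) -> str:
    """Hash of a root certificate as carried in the Hello message."""
    return hashlib.sha256(cert_der).hexdigest()


class AmtSystem:
    def __init__(self) -> None:
        self.timer = FACTORY_TIMER
        self.activated_at: Optional[float] = None

    def activate(self, now: float) -> None:
        """Local Activator agent turns on Hello broadcasting for HELLO_WINDOW."""
        self.timer, self.activated_at = HELLO_WINDOW, now

    def hello_enabled(self, now: float) -> bool:
        """Interface stays up only inside the timeout window, never with timer 0."""
        return self.timer != 0 and self.activated_at is not None \
            and now - self.activated_at < self.timer

    def hello(self, now: float) -> Optional[dict]:
        if not self.hello_enabled(now):
            return None  # interface disabled: timer 0 or no SCS answered in time
        return {"root_hashes": [cert_hash(c) for c in EMBEDDED_ROOTS]}


class Scs:
    def __init__(self, trusted_roots: list, expected_otp: str) -> None:
        self.trusted = {cert_hash(c) for c in trusted_roots}
        self.expected_otp = expected_otp

    def accept_hello(self, msg: Optional[dict], otp: str) -> bool:
        """Authenticate: one advertised root hash must be trusted, and OTP must match."""
        if msg is None or not set(msg["root_hashes"]) & self.trusted:
            return False
        return hmac.compare_digest(otp, self.expected_otp)
```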