From 323fc50f479c0b1406e1268a8365499d67a80bab Mon Sep 17 00:00:00 2001
From: github-actions <github-actions@github.com>
Date: Mon, 25 Sep 2023 16:28:29 +0000
Subject: [PATCH] ci: docs(reference): new flags for displaying certs (#329)

* docs(reference): new flags for displaying certs

* docs(reference): align flags to direction change

---------

Co-authored-by: bwendlandt-intel <bryan.wendlandt@intel.com>
Co-authored-by: Bryan Wendlandt <74682355+bwendlandt-intel@users.noreply.github.com>
---
 2.15/Reference/RPC/commandsRPC/index.html |   9 +-
 2.15/search/search_index.json             |   2 +-
 2.15/sitemap.xml                          | 124 +++++++++++-----------
 2.15/sitemap.xml.gz                       | Bin 870 -> 870 bytes
 4 files changed, 70 insertions(+), 65 deletions(-)

diff --git a/2.15/Reference/RPC/commandsRPC/index.html b/2.15/Reference/RPC/commandsRPC/index.html
index be9729673..3cad633a7 100644
--- a/2.15/Reference/RPC/commandsRPC/index.html
+++ b/2.15/Reference/RPC/commandsRPC/index.html
@@ -3320,9 +3320,14 @@ <h3 id="amtinfo">amtinfo<a class="headerlink" href="#amtinfo" title="Permanent l
 <td>Intel AMT Build Number.</td>
 </tr>
 <tr>
-<td>Certificate</td>
+<td>System Certificates</td>
 <td>-cert</td>
-<td>Certificate Hashes</td>
+<td>System Certificate Hashes. If given <code>-password</code>, will print both System and User Certificate Hashes.</td>
+</tr>
+<tr>
+<td>User Certificates</td>
+<td>-userCert</td>
+<td>User Certificate Hashes. Will prompt for AMT password. Or, provide <code>-password</code> flag.</td>
 </tr>
 <tr>
 <td>SKU</td>
diff --git a/2.15/search/search_index.json b/2.15/search/search_index.json
index 55e00f470..5c1cd1d87 100644
--- a/2.15/search/search_index.json
+++ b/2.15/search/search_index.json
@@ -1 +1 @@
-{"config":{"indexing":"full","lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"Overview \u00b6 Open Active Management Technology Cloud Toolkit ( Open AMT Cloud Toolkit ) provides open-source, modular microservices and libraries for integration of Intel\u00ae Active Management Technology ( Intel\u00ae AMT ). As an open source implementation, the toolkit makes it easier for IT departments and independent software vendors (ISVs) to adopt, integrate, and customize Out-of-band Management ( OOB Management ) solutions for Intel vPro\u00ae Platforms. Long-Term Support (LTS) Version Not looking for the current rapid release with the latest features? See the documentation for our Long-Term Support release. Get Started Jump in to the Open AMT Cloud Toolkit by deploying locally with Docker containers. Get Started Now Tutorials Get hands-on with tutorials for topics like the UI-Toolkit, APIs, and Scaling (Docker, Kubernetes, and more). Explore Tutorials APIs Check out the supported APIs for both the Management Presence Server (MPS) and the Remote Provisioning Server (RPS). See APIs Join Our Community The Intel vPro\u00ae Platform, featuring Intel\u00ae AMT , enables Out-of-Band (OOB) Management for remote devices. No matter if the device is powered off or the operating system has crashed, issue power actions and take over keyboard, video, mouse ( KVM ) control. Reduce the need for costly on-site IT, minimize the downtime of key, business-critical devices, and more. Read more about the Intel vPro\u00ae Platform . Figure 1: Open AMT Cloud Toolkit features OOB Management Intel\u00ae AMT supports remote manageability with: OOB Management : This hardware-based remote management solution operates below the operating system. Call Home : This capability enables administrators to control, update, and modify remote clients with OOB Management . Goals \u00b6 The toolkit guide provides instructions to: Deploy the Management Presence Server ( MPS ) and Remote Provisioning Server ( RPS ) on the development system. Build and run Remote Provisioning Client ( RPC ) on the managed device. Connect the managed device (edge device). Additional sections provide guidance on the reference implementation UI Toolkit , REST API usage, asset security, and more. Figure 2: High-level architecture: major software components As shown in Figure 2, Open AMT Cloud Toolkit high-level architecture consists of five components: MPS - A microservice that uses an Intel vPro\u00ae Platform feature, Client Initiated Remote Access ( CIRA ), for enabling edge, cloud devices to maintain a persistent connection for out-of-band manageability features, such as power control or Keyboard, Video, Mouse ( KVM ) control. RPS - A microservice that activates Intel\u00ae AMT platforms using predefined profiles and connects them to the MPS for manageability use cases. RPC - A lightweight client application that communicates with the RPS server to activate Intel\u00ae AMT . UI Toolkit - A toolkit that includes prebuilt React components and a reference implementation web console. The React-based snippets simplify the task of adding complex manageability-related UI controls, such as the KVM , to a console. Sample Web UI - A web based UI that demonstrates how to use the UI-Toolkit. It also provides a way to interact with the microservices and to help provide context as to how each microservice is used. Integrate the Open AMT Cloud Toolkit into new and existing management consoles, software solutions, and more. Toolkit Setup \u00b6 Microservices as Containers \u00b6 Set up microservices quickly as Docker containers with this recommended method. Get Started Now Estimated completion time: Approximately 30 minutes Additional Intel\u00ae AMT Resources \u00b6 For additional information about Intel\u00ae AMT , see the following links: Intel vPro\u00ae Platform Overview Video Link Detailed Setup document","title":"Overview"},{"location":"#overview","text":"Open Active Management Technology Cloud Toolkit ( Open AMT Cloud Toolkit ) provides open-source, modular microservices and libraries for integration of Intel\u00ae Active Management Technology ( Intel\u00ae AMT ). As an open source implementation, the toolkit makes it easier for IT departments and independent software vendors (ISVs) to adopt, integrate, and customize Out-of-band Management ( OOB Management ) solutions for Intel vPro\u00ae Platforms. Long-Term Support (LTS) Version Not looking for the current rapid release with the latest features? See the documentation for our Long-Term Support release.","title":"Overview"},{"location":"#goals","text":"The toolkit guide provides instructions to: Deploy the Management Presence Server ( MPS ) and Remote Provisioning Server ( RPS ) on the development system. Build and run Remote Provisioning Client ( RPC ) on the managed device. Connect the managed device (edge device). Additional sections provide guidance on the reference implementation UI Toolkit , REST API usage, asset security, and more. Figure 2: High-level architecture: major software components As shown in Figure 2, Open AMT Cloud Toolkit high-level architecture consists of five components: MPS - A microservice that uses an Intel vPro\u00ae Platform feature, Client Initiated Remote Access ( CIRA ), for enabling edge, cloud devices to maintain a persistent connection for out-of-band manageability features, such as power control or Keyboard, Video, Mouse ( KVM ) control. RPS - A microservice that activates Intel\u00ae AMT platforms using predefined profiles and connects them to the MPS for manageability use cases. RPC - A lightweight client application that communicates with the RPS server to activate Intel\u00ae AMT . UI Toolkit - A toolkit that includes prebuilt React components and a reference implementation web console. The React-based snippets simplify the task of adding complex manageability-related UI controls, such as the KVM , to a console. Sample Web UI - A web based UI that demonstrates how to use the UI-Toolkit. It also provides a way to interact with the microservices and to help provide context as to how each microservice is used. Integrate the Open AMT Cloud Toolkit into new and existing management consoles, software solutions, and more.","title":"Goals"},{"location":"#toolkit-setup","text":"","title":"Toolkit Setup"},{"location":"#microservices-as-containers","text":"Set up microservices quickly as Docker containers with this recommended method. Get Started Now Estimated completion time: Approximately 30 minutes","title":"Microservices as Containers"},{"location":"#additional-intel-amt-resources","text":"For additional information about Intel\u00ae AMT , see the following links: Intel vPro\u00ae Platform Overview Video Link Detailed Setup document","title":"Additional Intel\u00ae AMT Resources"},{"location":"Glossary/","text":"Glossary \u00b6 Open Active Management Technology (Open AMT) Cloud Toolkit, also referred to as (OAMTCT) Related Terminology, Technologies, and Acronyms A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z A \u00b6 admin control mode (ACM): A mode of provisioning Intel\u00ae AMT that requires a purchased provisioning certificate from a Certificate Authority (CA), the creation of a domain, and the creation of a profile in the Remote Provisioning Server (RPS) application. ACM achieves a higher level of trust than client control mode (CCM). This is the required mode for Keyboard, Video, Mouse (KVM) or Redirection without user consent. See also CCM and provisioning . ACM Activation: The act of loading a purchased certificate and associating it with an OAMTCT profile. allowlist: A list permitting access to a privilege, service, network, etc. B \u00b6 Basic Input/Output System (BIOS): Firmware that performs hardware initialization and configuration upon startup. See MEBX . C \u00b6 certificate (provisioning): A digitally signed document used in the provisioning of an edge device featuring Intel\u00ae AMT. The Intel\u00ae AMT firmware is pre-loaded with Transport Layer Security (TLS) certificate thumbprints of different certificate vendors. A digital certificate binds the identity of the certificate holder to vendor-specific thumbprints. To provision an edge device, users must purchase a certificate from an approved vendor. Client Initiated Remote Access (CIRA): An out-of-band (OOB) management communication protocol that network clients can use to initiate a secure connection with a server. Client Control Mode (CCM): An alternative to ACM provisioning mode that does not require a purchased certificate. Use this mode to set up OAMTCT software features quickly. Container (Docker*): The instantiation, or running instance, of a Docker image. D \u00b6 development system: The system on which Management Presence Server (MPS) and Remote Provision Server (RPS) are installed. Docker*: A platform that employs the idea of containerization, isolating a unit of software, such as an application, from its environment. Containerization creates applications as lightweight, discrete processes that can be deployed to the cloud as services. See Docker for more information. Domain Name System (DNS) suffix: A suffix appended to the hostname of a DNS name. domain suffix: The top-level portion or end of a domain name (i.e., com, net, org). E \u00b6 Edge Devices: A device or piece of hardware that serves as an entry point into an enterprise or service provider network. Edge devices include those related to banking, retail, hospitality, point-of-sale, etc. G \u00b6 Globally Unique Identifier (GUID): A 128-bit integer used to identify a system resource. I \u00b6 Intel\u00ae Active Management Technology (Intel\u00ae AMT): A technology that provides out-of-band management and security features on an Intel vPro\u00ae Platform. See general overview of features. Intel vPro\u00ae Platform: An Intel\u00ae platform created for business environments. Intel vPro\u00ae technology features Intel\u00ae Core\u2122 i5, Intel\u00ae Core\u2122 i7, and Intel\u00ae Core\u2122 i9 vPro\u00ae processors, built-in security features, and out-of-band manageability using Intel\u00ae AMT. See more about the platform. Images (Docker*): a set of instructions that determine the creation of an instantiated container on a Docker platform. K \u00b6 Keyboard, Video, Mouse (KVM): A technology, often a device, that allows a user to control multiple computers from a single keyboard, mouse, and video source. L \u00b6 lights-out management (LOM): See out-of-band management . M \u00b6 managed (edge) device: An Intel vPro\u00ae Platform that features Intel\u00ae AMT and functions as an edge device. Manageability Engine BIOS Extensions (MEBX): A BIOS extension that enables the configuration of the Intel\u00ae AMT. Management Presence Server (MPS): A microservice that resides on the development system and enables platforms featuring featuring Intel\u00ae AMT. The MPS receives CIRA requests from the managed device. microservice: A software unit or module of a microservice architecture. In OAMTCT architecture, MPS and RPS are microservices residing on the development system. microservice architecture: An architecture in which the component parts are broken into discrete services, called microservices, that perform specific, limited functions. N \u00b6 Node.js*: An open source JavaScript* runtime created for asynchronous, event-driven backend network applications. See more about node.js. Node Package Manager (npm): a command line utility in node.js. The utility enables the management of packages, versions, and dependencies in node projects. O \u00b6 Open Active Management Technology (Open AMT) Cloud Toolkit: An open source software architecture consisting of modular microservices and libraries for integration of out-of-band manageability into existing network infrastructures. The software enables network administrators and independent software vendors (ISVs) to explore key Intel\u00ae AMT features. See more about Open AMT Cloud Toolkit features. out-of-band (OOB) manageability: A remote management technology that allows administrators to perform actions on network assets or devices using a secure alternative to LAN-based communication protocols. Actions include reboot, power up, power down, system updates, and more. As long as the network device or asset is connected to power, OAMTCT software can perform remote management, including powering up a system that is currently powered down. P \u00b6 profile : A set of configuration information, including a password and provisioning method, provided to Intel\u00ae AMT firmware during the activation process. provision or provisioning: The act of setting up a remote client, system, or device, on a network using a digitally signed certificate as a security credential. Q \u00b6 R \u00b6 Remote Provision Client (RPC): A lightweight client application that resides on the managed device. The RPC communicates with the Manageability Engine Interface (MEI) in the Management Engine (ME) driver to activate Intel\u00ae AMT. Remote Provision Server (RPS): A node.js-based microservice that works with the Remote Provision Client (RPC) to activate Intel\u00ae AMT using a pre-defined profile. REpresentational State Transfer (REST) API : An architectural style or set of rules describing constraints that allow administrators and developers to take advantage of various Web services. In the context of OAMTCT, administrators can construct REST API calls and run them with node, use provided REST code snippets to expand the reference implementation console, and use provided REST code snippets as a springboard for developing and expanding custom consoles. S \u00b6 Sample Web UI: A reference UI implementation serving as a demo vehicle and utilizing components of the UI toolkit. T \u00b6 U \u00b6 UI Toolkit: A modular, REST-based API consisting of code snippets developers can use to implement AMT features and services to their manageability console. V \u00b6 vcpkg : A command-line application that helps manage package creation and C and C++ libraries on Windows , Linux , and MacOS*. Vault storage : A service that manages encryption and storage of infrastructure secrets. W \u00b6 WebSocket*: A communication protocol that enables persistent connections and full-duplex communication between clients and servers. Web Service Management (WS-MAN): A SOAP-based protocol for exchanging management data between network devices. X \u00b6 Y \u00b6 Z \u00b6","title":"Glossary"},{"location":"Glossary/#glossary","text":"Open Active Management Technology (Open AMT) Cloud Toolkit, also referred to as (OAMTCT) Related Terminology, Technologies, and Acronyms A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z","title":"Glossary"},{"location":"Glossary/#a","text":"admin control mode (ACM): A mode of provisioning Intel\u00ae AMT that requires a purchased provisioning certificate from a Certificate Authority (CA), the creation of a domain, and the creation of a profile in the Remote Provisioning Server (RPS) application. ACM achieves a higher level of trust than client control mode (CCM). This is the required mode for Keyboard, Video, Mouse (KVM) or Redirection without user consent. See also CCM and provisioning . ACM Activation: The act of loading a purchased certificate and associating it with an OAMTCT profile. allowlist: A list permitting access to a privilege, service, network, etc.","title":"A"},{"location":"Glossary/#b","text":"Basic Input/Output System (BIOS): Firmware that performs hardware initialization and configuration upon startup. See MEBX .","title":"B"},{"location":"Glossary/#c","text":"certificate (provisioning): A digitally signed document used in the provisioning of an edge device featuring Intel\u00ae AMT. The Intel\u00ae AMT firmware is pre-loaded with Transport Layer Security (TLS) certificate thumbprints of different certificate vendors. A digital certificate binds the identity of the certificate holder to vendor-specific thumbprints. To provision an edge device, users must purchase a certificate from an approved vendor. Client Initiated Remote Access (CIRA): An out-of-band (OOB) management communication protocol that network clients can use to initiate a secure connection with a server. Client Control Mode (CCM): An alternative to ACM provisioning mode that does not require a purchased certificate. Use this mode to set up OAMTCT software features quickly. Container (Docker*): The instantiation, or running instance, of a Docker image.","title":"C"},{"location":"Glossary/#d","text":"development system: The system on which Management Presence Server (MPS) and Remote Provision Server (RPS) are installed. Docker*: A platform that employs the idea of containerization, isolating a unit of software, such as an application, from its environment. Containerization creates applications as lightweight, discrete processes that can be deployed to the cloud as services. See Docker for more information. Domain Name System (DNS) suffix: A suffix appended to the hostname of a DNS name. domain suffix: The top-level portion or end of a domain name (i.e., com, net, org).","title":"D"},{"location":"Glossary/#e","text":"Edge Devices: A device or piece of hardware that serves as an entry point into an enterprise or service provider network. Edge devices include those related to banking, retail, hospitality, point-of-sale, etc.","title":"E"},{"location":"Glossary/#g","text":"Globally Unique Identifier (GUID): A 128-bit integer used to identify a system resource.","title":"G"},{"location":"Glossary/#i","text":"Intel\u00ae Active Management Technology (Intel\u00ae AMT): A technology that provides out-of-band management and security features on an Intel vPro\u00ae Platform. See general overview of features. Intel vPro\u00ae Platform: An Intel\u00ae platform created for business environments. Intel vPro\u00ae technology features Intel\u00ae Core\u2122 i5, Intel\u00ae Core\u2122 i7, and Intel\u00ae Core\u2122 i9 vPro\u00ae processors, built-in security features, and out-of-band manageability using Intel\u00ae AMT. See more about the platform. Images (Docker*): a set of instructions that determine the creation of an instantiated container on a Docker platform.","title":"I"},{"location":"Glossary/#k","text":"Keyboard, Video, Mouse (KVM): A technology, often a device, that allows a user to control multiple computers from a single keyboard, mouse, and video source.","title":"K"},{"location":"Glossary/#l","text":"lights-out management (LOM): See out-of-band management .","title":"L"},{"location":"Glossary/#m","text":"managed (edge) device: An Intel vPro\u00ae Platform that features Intel\u00ae AMT and functions as an edge device. Manageability Engine BIOS Extensions (MEBX): A BIOS extension that enables the configuration of the Intel\u00ae AMT. Management Presence Server (MPS): A microservice that resides on the development system and enables platforms featuring featuring Intel\u00ae AMT. The MPS receives CIRA requests from the managed device. microservice: A software unit or module of a microservice architecture. In OAMTCT architecture, MPS and RPS are microservices residing on the development system. microservice architecture: An architecture in which the component parts are broken into discrete services, called microservices, that perform specific, limited functions.","title":"M"},{"location":"Glossary/#n","text":"Node.js*: An open source JavaScript* runtime created for asynchronous, event-driven backend network applications. See more about node.js. Node Package Manager (npm): a command line utility in node.js. The utility enables the management of packages, versions, and dependencies in node projects.","title":"N"},{"location":"Glossary/#o","text":"Open Active Management Technology (Open AMT) Cloud Toolkit: An open source software architecture consisting of modular microservices and libraries for integration of out-of-band manageability into existing network infrastructures. The software enables network administrators and independent software vendors (ISVs) to explore key Intel\u00ae AMT features. See more about Open AMT Cloud Toolkit features. out-of-band (OOB) manageability: A remote management technology that allows administrators to perform actions on network assets or devices using a secure alternative to LAN-based communication protocols. Actions include reboot, power up, power down, system updates, and more. As long as the network device or asset is connected to power, OAMTCT software can perform remote management, including powering up a system that is currently powered down.","title":"O"},{"location":"Glossary/#p","text":"profile : A set of configuration information, including a password and provisioning method, provided to Intel\u00ae AMT firmware during the activation process. provision or provisioning: The act of setting up a remote client, system, or device, on a network using a digitally signed certificate as a security credential.","title":"P"},{"location":"Glossary/#q","text":"","title":"Q"},{"location":"Glossary/#r","text":"Remote Provision Client (RPC): A lightweight client application that resides on the managed device. The RPC communicates with the Manageability Engine Interface (MEI) in the Management Engine (ME) driver to activate Intel\u00ae AMT. Remote Provision Server (RPS): A node.js-based microservice that works with the Remote Provision Client (RPC) to activate Intel\u00ae AMT using a pre-defined profile. REpresentational State Transfer (REST) API : An architectural style or set of rules describing constraints that allow administrators and developers to take advantage of various Web services. In the context of OAMTCT, administrators can construct REST API calls and run them with node, use provided REST code snippets to expand the reference implementation console, and use provided REST code snippets as a springboard for developing and expanding custom consoles.","title":"R"},{"location":"Glossary/#s","text":"Sample Web UI: A reference UI implementation serving as a demo vehicle and utilizing components of the UI toolkit.","title":"S"},{"location":"Glossary/#t","text":"","title":"T"},{"location":"Glossary/#u","text":"UI Toolkit: A modular, REST-based API consisting of code snippets developers can use to implement AMT features and services to their manageability console.","title":"U"},{"location":"Glossary/#v","text":"vcpkg : A command-line application that helps manage package creation and C and C++ libraries on Windows , Linux , and MacOS*. Vault storage : A service that manages encryption and storage of infrastructure secrets.","title":"V"},{"location":"Glossary/#w","text":"WebSocket*: A communication protocol that enables persistent connections and full-duplex communication between clients and servers. Web Service Management (WS-MAN): A SOAP-based protocol for exchanging management data between network devices.","title":"W"},{"location":"Glossary/#x","text":"","title":"X"},{"location":"Glossary/#y","text":"","title":"Y"},{"location":"Glossary/#z","text":"","title":"Z"},{"location":"announcements/","text":"Announcements \u00b6 Open AMT Cloud Toolkit 2.0 is here! \u00b6 We have been preparing for this for quite a while and we know many of our customers have been eagerly awaiting this announcement, our Long Term Support (LTS) release is here! What does having an LTS release mean? \u00b6 Starting with LTS, Open AMT Cloud Toolkit will now have two release streams that customers can use. The current Rapid release stream continues to operate as it has been since the beginning of this year. Every six weeks we'll release new features and fixes that customers can use to add out-of-band functionality to their device management solution. For Long Term Support releases, new features will be added roughly every six months. Only critical security and bug fixes will be applied between feature releases, maintaining a stable feature set for the LTS release. When we release a new LTS version, all of the features in the current Rapid release stream will be merged to the LTS release stream. Similar to Rapid Releases, only the latest LTS release will be actively supported and maintained. With this release, both the Rapid and LTS releases are set to 2.0 and have the exact same feature set. As we continue to release new Rapid releases, the Rapid release stream will continue to add new features while the LTS release stream will continue with the 2.0 feature set. Compatibility between versions \u00b6 As we previously announced, with the major version change, we are strictly following semantic versioning, making all 2.X components compatible with each other. It also means that our 1.X components are not supported with 2.X components. In this release, all of our components have been versioned up to 2.0 and validated together to ensure compatibility. While both Rapid and LTS releases that share the same major version should be compatible with each other, we won't be validating Rapid and LTS combinations, so it is recommended that customers use either all Rapid or all LTS components. Changes coming for Remote Provisioning Client \u00b6 For 2.0, we are deprecating the C++ version of RPC in favor of our Go-based implementation. The reason for this is two-fold. First, we want to be able to take advantage of more modern tooling such as Snyk for Vulnerability Scanning, and Dependabot for dependency updates, among others. Secondly, the cloud focused technologies and protocols we use, which include REST and Websockets, have better support in modern languages. We still needed to balance the interaction between the AMT Firmware and the cloud which led to Go being a natural choice to use. With the 2.0 release, we are providing an early look at the Go version of RPC . Over the next few Rapid releases the functionality of the Go version will exceed that of the C++ version and customers will be encouraged to migrate. The entire Open AMT Cloud Toolkit team hopes you are as excited about this release as we are and we look forward to continuing to working with you! You can read more about this release in our release notes .","title":"Announcements"},{"location":"announcements/#announcements","text":"","title":"Announcements"},{"location":"announcements/#open-amt-cloud-toolkit-20-is-here","text":"We have been preparing for this for quite a while and we know many of our customers have been eagerly awaiting this announcement, our Long Term Support (LTS) release is here!","title":"Open AMT Cloud Toolkit 2.0 is here!"},{"location":"announcements/#what-does-having-an-lts-release-mean","text":"Starting with LTS, Open AMT Cloud Toolkit will now have two release streams that customers can use. The current Rapid release stream continues to operate as it has been since the beginning of this year. Every six weeks we'll release new features and fixes that customers can use to add out-of-band functionality to their device management solution. For Long Term Support releases, new features will be added roughly every six months. Only critical security and bug fixes will be applied between feature releases, maintaining a stable feature set for the LTS release. When we release a new LTS version, all of the features in the current Rapid release stream will be merged to the LTS release stream. Similar to Rapid Releases, only the latest LTS release will be actively supported and maintained. With this release, both the Rapid and LTS releases are set to 2.0 and have the exact same feature set. As we continue to release new Rapid releases, the Rapid release stream will continue to add new features while the LTS release stream will continue with the 2.0 feature set.","title":"What does having an LTS release mean?"},{"location":"announcements/#compatibility-between-versions","text":"As we previously announced, with the major version change, we are strictly following semantic versioning, making all 2.X components compatible with each other. It also means that our 1.X components are not supported with 2.X components. In this release, all of our components have been versioned up to 2.0 and validated together to ensure compatibility. While both Rapid and LTS releases that share the same major version should be compatible with each other, we won't be validating Rapid and LTS combinations, so it is recommended that customers use either all Rapid or all LTS components.","title":"Compatibility between versions"},{"location":"announcements/#changes-coming-for-remote-provisioning-client","text":"For 2.0, we are deprecating the C++ version of RPC in favor of our Go-based implementation. The reason for this is two-fold. First, we want to be able to take advantage of more modern tooling such as Snyk for Vulnerability Scanning, and Dependabot for dependency updates, among others. Secondly, the cloud focused technologies and protocols we use, which include REST and Websockets, have better support in modern languages. We still needed to balance the interaction between the AMT Firmware and the cloud which led to Go being a natural choice to use. With the 2.0 release, we are providing an early look at the Go version of RPC . Over the next few Rapid releases the functionality of the Go version will exceed that of the C++ version and customers will be encouraged to migrate. The entire Open AMT Cloud Toolkit team hopes you are as excited about this release as we are and we look forward to continuing to working with you! You can read more about this release in our release notes .","title":"Changes coming for Remote Provisioning Client"},{"location":"license/","text":"License \u00b6 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION Definitions. \"License\" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. \"Licensor\" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. \"Legal Entity\" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, \"control\" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. \"You\" (or \"Your\") shall mean an individual or Legal Entity exercising permissions granted by this License. \"Source\" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. \"Object\" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. \"Work\" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). \"Derivative Works\" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. \"Contribution\" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, \"submitted\" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as \"Not a Contribution.\" \"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a \"NOTICE\" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets \"[]\" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same \"printed page\" as the copyright notice for easier identification within third-party archives. Copyright 2019 Intel Corporation Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.","title":"License"},{"location":"license/#license","text":"Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION Definitions. \"License\" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. \"Licensor\" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. \"Legal Entity\" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, \"control\" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. \"You\" (or \"Your\") shall mean an individual or Legal Entity exercising permissions granted by this License. \"Source\" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. \"Object\" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. \"Work\" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). \"Derivative Works\" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. \"Contribution\" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, \"submitted\" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as \"Not a Contribution.\" \"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a \"NOTICE\" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets \"[]\" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same \"printed page\" as the copyright notice for easier identification within third-party archives. Copyright 2019 Intel Corporation Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.","title":"License"},{"location":"release-notes/","text":"Release Highlights \u00b6 Note From the Team Greetings everyone, While Arizona experiences a welcome cooldown, the Open AMT Cloud Toolkit team is cranking up the heat with our latest release! In this month's update, we're thrilled to announce two exciting new features added to RPC -Go. It's now more versatile than ever with ACM activation and Wifi configuration capabilities. With these enhancements, RPC -Go empowers users to configure AMT into either ACM or CCM without the necessity of engaging with a cloud service. This newfound autonomy provides our customers with a level of flexibility that was previously unattainable. Furthermore, RPC -Go now extends its support to configure any type of wifi profile that AMT supports locally. We're excited about these advancements and look forward to hearing your feedback. Best wishes, The Open AMT Cloud Toolkit Team What's New? \u00b6 New Feature: Local ACM Activation With this release, you can now activate AMT into ACM just using RPC using the -local flag. Similar to local CCM activation, local ACM activation will require secrets to be passed to the AMT device, so users of this feature will need to have high trust in the local OS. View full command line options in Activate Device Locally Local activate command: rpc activate -local -acm -amtPassword NewAMTPassword -provisioningCert \"{BASE64_PROV_CERT}\" -provivisioningCertPwd certPassword New Feature: Local Wifi Configuration In this release, we have added the ability to configure any wifi profile, not just 802.1x wifi profiles. Users will also be able to configure multiple wifi profiles at the same time by providing the details either via the command line or by passing in a config file. View full command line options in addwifisettings RPC Configure command Local wifi configuration command: rpc configure addwifisettings -config config.yaml -secrets secrets.yaml Get the Details \u00b6 Additions, Modifications, and Removals \u00b6 RPS \u00b6 v2.16.1 Fix: blocks AMT 11.12 system activation if build number < 3000 ( #1176 ) (#a3e527b) v2.16.0 Feat: support for sha1 hash added via mebx ( #1155 ) (#b630e11) RPC \u00b6 v2.14.2 ensure warning for CCM deactivation password flag v2.14.1 addwifisettings - track added certs to prevent duplicates error v2.14.0 local wifi configuration v2.13.1 update ProjectVersion to 2.13.0 v2.13.0 activate in acm using local command Sample Web UI \u00b6 v2.13.1 remove UI override of AMT feature settings ( #1328 ) (#510dff3) update status message ( #1334 ) (#bd80ebf) v2.13.0 display component versions ( #1267 ) (#2dbca39) fix dark theme (#cdea729) wsman-messages \u00b6 v5.5.1 update build tasks, package.json and changelog (#9274dab) go-wsman-messages \u00b6 v1.8.2 AddWifiSettings check for empty client cert ( c19c9b4 ) v1.8.1 undo breaking changes ( 23c91ed ) v1.8.0 Adds structs to parse xml for deleting all wifi configs ( d64d4d4 ) amt: adds amt PublicPrivateKeyPair struct for response ( eca5a6e ) amt: adds pull responses for publickey and publicprivate ( 10bf4a8 ) amt: adds wifiportconfiguration.AddWiFiSettingsResponse ( 2158757 ) cim: adds concrete.dependency support ( ae8f3d3 ) cim: adds credential.context support ( 6db69ad ) v1.7.0 cim: adds responses for WiFiPortConfigurationService and WifiPort ( 6cbaa36 ) v1.6.0 ips: add additional strongly typed output for ( 90aa393 ), closes #18115 Project Board \u00b6 Check out our new Feature Backlog project board to see issues and prioritized items we're working on across all of our repositories. You'll also see what is coming in our next release!","title":"Release Notes"},{"location":"release-notes/#release-highlights","text":"Note From the Team Greetings everyone, While Arizona experiences a welcome cooldown, the Open AMT Cloud Toolkit team is cranking up the heat with our latest release! In this month's update, we're thrilled to announce two exciting new features added to RPC -Go. It's now more versatile than ever with ACM activation and Wifi configuration capabilities. With these enhancements, RPC -Go empowers users to configure AMT into either ACM or CCM without the necessity of engaging with a cloud service. This newfound autonomy provides our customers with a level of flexibility that was previously unattainable. Furthermore, RPC -Go now extends its support to configure any type of wifi profile that AMT supports locally. We're excited about these advancements and look forward to hearing your feedback. Best wishes, The Open AMT Cloud Toolkit Team","title":"Release Highlights"},{"location":"release-notes/#whats-new","text":"New Feature: Local ACM Activation With this release, you can now activate AMT into ACM just using RPC using the -local flag. Similar to local CCM activation, local ACM activation will require secrets to be passed to the AMT device, so users of this feature will need to have high trust in the local OS. View full command line options in Activate Device Locally Local activate command: rpc activate -local -acm -amtPassword NewAMTPassword -provisioningCert \"{BASE64_PROV_CERT}\" -provivisioningCertPwd certPassword New Feature: Local Wifi Configuration In this release, we have added the ability to configure any wifi profile, not just 802.1x wifi profiles. Users will also be able to configure multiple wifi profiles at the same time by providing the details either via the command line or by passing in a config file. View full command line options in addwifisettings RPC Configure command Local wifi configuration command: rpc configure addwifisettings -config config.yaml -secrets secrets.yaml","title":"What's New?"},{"location":"release-notes/#get-the-details","text":"","title":"Get the Details"},{"location":"release-notes/#additions-modifications-and-removals","text":"","title":"Additions, Modifications, and Removals"},{"location":"release-notes/#rps","text":"v2.16.1 Fix: blocks AMT 11.12 system activation if build number < 3000 ( #1176 ) (#a3e527b) v2.16.0 Feat: support for sha1 hash added via mebx ( #1155 ) (#b630e11)","title":"RPS"},{"location":"release-notes/#rpc","text":"v2.14.2 ensure warning for CCM deactivation password flag v2.14.1 addwifisettings - track added certs to prevent duplicates error v2.14.0 local wifi configuration v2.13.1 update ProjectVersion to 2.13.0 v2.13.0 activate in acm using local command","title":"RPC"},{"location":"release-notes/#sample-web-ui","text":"v2.13.1 remove UI override of AMT feature settings ( #1328 ) (#510dff3) update status message ( #1334 ) (#bd80ebf) v2.13.0 display component versions ( #1267 ) (#2dbca39) fix dark theme (#cdea729)","title":"Sample Web UI"},{"location":"release-notes/#wsman-messages","text":"v5.5.1 update build tasks, package.json and changelog (#9274dab)","title":"wsman-messages"},{"location":"release-notes/#go-wsman-messages","text":"v1.8.2 AddWifiSettings check for empty client cert ( c19c9b4 ) v1.8.1 undo breaking changes ( 23c91ed ) v1.8.0 Adds structs to parse xml for deleting all wifi configs ( d64d4d4 ) amt: adds amt PublicPrivateKeyPair struct for response ( eca5a6e ) amt: adds pull responses for publickey and publicprivate ( 10bf4a8 ) amt: adds wifiportconfiguration.AddWiFiSettingsResponse ( 2158757 ) cim: adds concrete.dependency support ( ae8f3d3 ) cim: adds credential.context support ( 6db69ad ) v1.7.0 cim: adds responses for WiFiPortConfigurationService and WifiPort ( 6cbaa36 ) v1.6.0 ips: add additional strongly typed output for ( 90aa393 ), closes #18115","title":"go-wsman-messages"},{"location":"release-notes/#project-board","text":"Check out our new Feature Backlog project board to see issues and prioritized items we're working on across all of our repositories. You'll also see what is coming in our next release!","title":"Project Board"},{"location":"videos/","text":"What is Open AMT \u00b6 Learn the high-level basics and get familiar with the toolkit. Learn about the different microservices and their roles then get up to speed with the latest features, changes, and fixes. Overview of Open AMT Cloud Toolkit See what Open AMT Cloud Toolkit is and what you can do with it. Additional Resources: Architecture Overview , MPS Security Considerations , and RPS Security Considerations Getting Started \u00b6 Watch how to go from cloning the toolkit to managing a device out-of-band remotely in under 20 minutes. Connect with Keyboard, Video, Mouse redirection and issue power commands. Setting Up the Stack Configuring the Stack See how to setup Open AMT Cloud Toolkit locally using Docker. Additional Resources: Intel vPro Platform Learn how to create custom profiles for device configuration and activation. Additional Resources: Passwords and What They Mean , Provisioning Certificates , and Setting a DNS Suffix via MEBX Provisioning a Device Managing a Device See how to build the Remote Provisioning Client and use it to activate and configure an AMT device. Additional Resources: RPC as a Library and RPC Commands and Flags Try some of the out-of-band manageability features like remote KVM and different Power Actions. Next Steps: Using REST APIs and Deploying with Kubernetes","title":"Video Walkthroughs"},{"location":"videos/#what-is-open-amt","text":"Learn the high-level basics and get familiar with the toolkit. Learn about the different microservices and their roles then get up to speed with the latest features, changes, and fixes.","title":"What is Open AMT"},{"location":"videos/#getting-started","text":"Watch how to go from cloning the toolkit to managing a device out-of-band remotely in under 20 minutes. Connect with Keyboard, Video, Mouse redirection and issue power commands.","title":"Getting Started"},{"location":"APIs/indexMPS/","text":".md-typeset h1, .md-content__button { display: none; } SwaggerUIBundle({ url: 'https://api.swaggerhub.com/apis/rbheopenamt/mps/2.11.0', dom_id: '#swagger-ui', })","title":"Management Presence Server"},{"location":"APIs/indexRPS/","text":".md-typeset h1, .md-content__button { display: none; } SwaggerUIBundle({ url: 'https://api.swaggerhub.com/apis/rbheopenamt/rps/2.16.0', dom_id: '#swagger-ui', })","title":"Remote Provisioning Server"},{"location":"Deployment/centralizedConfiguration/","text":"Centralized Configuration (Consul) is a Preview Feature The Consul implementation feature is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub. Consul is a service networking solution and service mesh providing a wide variety of features to handle key networking or service management use cases. Read more about Consul in their documentation . Consul Use Cases: mTLS Encryption between Services Dynamic Load Balancing Observability (Health and Metrics) Centralized Configuration of Services Consul and Open AMT \u00b6 As part of Open AMT, we are currently focused on the last bullet point. We've introduced Hashicorp Consul as an optional deployable service to centralize and ease configuration of the MPS and RPS services. In the future, we may expand and incorporate other capabilities offered by Consul. MPS/RPS Startup Flows: If Consul exists on startup and empty, copy local configs into Consul. If Consul exists on startup and not empty, copy Consul configs down locally. If Consul does not exist on startup, load local configs into MPS/RPS. The two configuration files are stored as K/V pairs within Consul under: /MPS/config /RPS/config Consul Configuration \u00b6 By default, Consul is deployed as part of the local Docker deployment in the docker-compose.yml file. This is the default configuration. Currently, we do not provide a Kubernetes deployment example. The Consul configurations are stored in a local volume. When cleaning up containers, make sure to delete existing volumes. consul : restart : always image : hashicorp/consul networks : - openamtnetwork ports : - 8500:8500 volumes : - type : volume source : consul-config target : /consul/config volume : {} - type : volume source : consul-data target : /consul/data volume : {} command : \"agent -server -ui -node=OACT-1 -bootstrap-expect=1 -client=0.0.0.0\" Enable Consul \u00b6 This guide assumes you have completed the Getting Started Guide and have Open AMT currently running in Docker containers. If not, follow the Get Started Guide Setup page . Stop and return here after the your services are running. In the .env , enable Consul and Save. # CONSUL CONSUL_ENABLED=true #update from false to true CONSUL_HOST=consul CONSUL_PORT=8500 Pull the Consul image. Read more about profiles in the Docker docs at Using profiles with Compose . docker compose --profile consul pull Start the Consul container. docker compose --profile consul up -d To view the Consul UI, visit http://localhost:8500 . Click Key/Value from the left-hand menu. Figure 1: Consul K/V Overview Page Choose either the /MPS or /RPS directory, then /config . Figure 2: Consul K/V MPS Configuration From here, users can make edits to the config files and save. Note - Cleaning up Consul Container When stopping and cleaning up containers deployed using the consul profile, you must also use that profile when running docker compose down in order to remove all resources. Example: docker compose --profile consul down -v Today, the current preview implementation does not update the MPS or RPS services realtime. They must be restarted manually to apply the new configurations. Follow along with any new updates and features using Consul in our Feature Backlog.","title":"Centralized Configuration"},{"location":"Deployment/centralizedConfiguration/#consul-and-open-amt","text":"As part of Open AMT, we are currently focused on the last bullet point. We've introduced Hashicorp Consul as an optional deployable service to centralize and ease configuration of the MPS and RPS services. In the future, we may expand and incorporate other capabilities offered by Consul. MPS/RPS Startup Flows: If Consul exists on startup and empty, copy local configs into Consul. If Consul exists on startup and not empty, copy Consul configs down locally. If Consul does not exist on startup, load local configs into MPS/RPS. The two configuration files are stored as K/V pairs within Consul under: /MPS/config /RPS/config","title":"Consul and Open AMT"},{"location":"Deployment/centralizedConfiguration/#consul-configuration","text":"By default, Consul is deployed as part of the local Docker deployment in the docker-compose.yml file. This is the default configuration. Currently, we do not provide a Kubernetes deployment example. The Consul configurations are stored in a local volume. When cleaning up containers, make sure to delete existing volumes. consul : restart : always image : hashicorp/consul networks : - openamtnetwork ports : - 8500:8500 volumes : - type : volume source : consul-config target : /consul/config volume : {} - type : volume source : consul-data target : /consul/data volume : {} command : \"agent -server -ui -node=OACT-1 -bootstrap-expect=1 -client=0.0.0.0\"","title":"Consul Configuration"},{"location":"Deployment/centralizedConfiguration/#enable-consul","text":"This guide assumes you have completed the Getting Started Guide and have Open AMT currently running in Docker containers. If not, follow the Get Started Guide Setup page . Stop and return here after the your services are running. In the .env , enable Consul and Save. # CONSUL CONSUL_ENABLED=true #update from false to true CONSUL_HOST=consul CONSUL_PORT=8500 Pull the Consul image. Read more about profiles in the Docker docs at Using profiles with Compose . docker compose --profile consul pull Start the Consul container. docker compose --profile consul up -d To view the Consul UI, visit http://localhost:8500 . Click Key/Value from the left-hand menu. Figure 1: Consul K/V Overview Page Choose either the /MPS or /RPS directory, then /config . Figure 2: Consul K/V MPS Configuration From here, users can make edits to the config files and save. Note - Cleaning up Consul Container When stopping and cleaning up containers deployed using the consul profile, you must also use that profile when running docker compose down in order to remove all resources. Example: docker compose --profile consul down -v Today, the current preview implementation does not update the MPS or RPS services realtime. They must be restarted manually to apply the new configurations. Follow along with any new updates and features using Consul in our Feature Backlog.","title":"Enable Consul"},{"location":"Deployment/database/","text":"To prepare for a production environment, replace the PostgreSQL* database with that of another provider. To replace the database, update these services: MPS RPS What You'll Do \u00b6 This guide focuses on updating the RPS with an MS SQL Server (MSSQL) relational database. Here are the main tasks: Review DB Schema Add DB Client Dependency Update Configuration Implement the Code Database Recipe The example implementation below provides a step-by-step outline of database deployment. However, it is intended as a general guideline. You will need to write specific source code to support your custom solution. Review DB Schema \u00b6 The diagrams below illustrates the database schema and relationships. RPS \u00b6 erDiagram DOMAIN { string name string domain_suffix string provisioning_cert string provisioning_cert_storage_format string provisioning_cert_key datetime creation_date string created_by string tenant_id } erDiagram PROFILE o|--o| CIRACONFIGS : has PROFILE ||--|{ PROFILES_WIRELESSCONFIGS : associated PROFILE ||--o| IEEE8021XCONFIGS : has PROFILE { string profile_name string activation string amt_password boolean generate_random_password string cira_config_name datetime creation_date string created_by string mebx_password boolean generate_random_mebx_password string[] tags boolean dhcp_enabled string tenant_id int tls_mode string user_consent boolean ider_enabled boolean kvm_enabled boolean sol_enabled string tls_signing_authority string ieee8021x_profile_name } CIRACONFIGS CIRACONFIGS { string cira_config_name string mps_server_address int mps_port string user_name string password string common_name int server_address_format int auth_method string mps_root_certificate string proxydetails string tenant_id } WIRELESSCONFIGS ||--|{ PROFILES_WIRELESSCONFIGS : belongs WIRELESSCONFIGS ||--o| IEEE8021XCONFIGS : has WIRELESSCONFIGS { string wireless_profile_name int authentication_method int encryption_method string ssid int psk_value string psk_passphrase int[] link_policy datetime creation_date string created_by string tenant_id string ieee8021x_profile_name } PROFILES_WIRELESSCONFIGS { string wireless_profile_name string profile_name int priority datetime creation_date string created_by string tenant_id } IEEE8021XCONFIGS { string profile_name int auth_protocol string servername string domain string username string password string roaming_identity boolean active_in_s0 int pxe_timeout boolean wired_interface string tenant_id } MPS \u00b6 erDiagram DEVICE { guid uuid string[] tags string hostname string mpsinstance boolean connectionstatus string mpsusername string tenantid string friendlyname string dnssuffix } Add DB Client \u00b6 Add the database client library you will use to connect to your database. To support MSSQL, this example uses the Microsoft SQL Server client* for Node.js, node-mssql . To add the database: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: npm install node-mssql --save Update Configuration \u00b6 Update the connection string and a folder name for your db either in your ENV or .rc file. To modify the configuration: \"db_provider\" : \"mssql\" , //This will be the name of the folder you create in the next section. \"connection_string\" : \"Server=localhost,1433;Database=database;User Id=username;Password=password;Encrypt=true'\" , Implement the Code \u00b6 To support the new database: Create a new folder in ./src/data . The name of the new folder should be the name you supplied for the db_provider property, which is mssql in the example above. Figure 2: New folder mssql Create a file called index.ts that implements our IDB interface. Below is an example interface and query method: Interface export interface IDB { ciraConfigs : ICiraConfigTable domains : IDomainsTable profiles : IProfilesTable wirelessProfiles : IWirelessProfilesTable profileWirelessConfigs : IProfilesWifiConfigsTable query : ( text : string , params? : any ) => Promise < any > } Query Method This query function is responsible for taking in the query parameters and performing the execution. async query < T > ( text : string , params? : any ) : Promise < mssql . IResult < T >> { let result const start = Date . now () return await new Promise (( resolve , reject ) => { this . sqlPool . connect ( async ( err ) => { if ( err ) { this . log . error ( err ) reject ( err ) } result = await this . sqlPool . request (). query ( text ) const duration = Date . now () - start this . log . verbose ( `executed query: ${ JSON . stringify ({ text , duration , rows : result.recordset.length } )}` ) resolve ( result ) }) }) } Implement each of the table interfaces. The base interface looks like this: export interface ITable < T > { getCount : ( tenantId? : string ) => Promise < number > get : ( limit : number , offset : number , tenantId? : string ) => Promise < T [] > getByName : ( name : string , tenantId? : string ) => Promise < T > delete : ( name : string , tenantId? : string ) => Promise < boolean > insert : ( item : T ) => Promise < T > update : ( item : T ) => Promise < T > } There are interfaces for each table in the ./interfaces/database which adds specific functions on top of the base ITable<> interface. Here's an example of the get implementation for Domains: /** * @description Get all Domains from DB * @param {number} top * @param {number} skip * @returns {AMTDomain[]} returns an array of AMT Domain objects from DB */ async get ( top : number = DEFAULT_TOP , skip : number = DEFAULT_SKIP , tenantId : string = '' ) : Promise < AMTDomain [] > { const results = await this . db . query ( ` SELECT name as profileName, domain_suffix as domainSuffix, provisioning_cert as provisioningCert, provisioning_cert_storage_format as provisioningCertStorageFormat, provisioning_cert_key as provisioningCertPassword, tenant_id tenantId FROM domains ORDER BY name` ) return result } Complete all the queries for each table's functions to finish the implementation. Best Practice That's it! Deployment complete. After replacing the database, ensure all the APIs are working as expected by running the API Tests with the Postman* application. You'll find the tests in the ./src/test/collections folder.","title":"Database Replacement"},{"location":"Deployment/database/#what-youll-do","text":"This guide focuses on updating the RPS with an MS SQL Server (MSSQL) relational database. Here are the main tasks: Review DB Schema Add DB Client Dependency Update Configuration Implement the Code Database Recipe The example implementation below provides a step-by-step outline of database deployment. However, it is intended as a general guideline. You will need to write specific source code to support your custom solution.","title":"What You'll Do"},{"location":"Deployment/database/#review-db-schema","text":"The diagrams below illustrates the database schema and relationships.","title":"Review DB Schema"},{"location":"Deployment/database/#rps","text":"erDiagram DOMAIN { string name string domain_suffix string provisioning_cert string provisioning_cert_storage_format string provisioning_cert_key datetime creation_date string created_by string tenant_id } erDiagram PROFILE o|--o| CIRACONFIGS : has PROFILE ||--|{ PROFILES_WIRELESSCONFIGS : associated PROFILE ||--o| IEEE8021XCONFIGS : has PROFILE { string profile_name string activation string amt_password boolean generate_random_password string cira_config_name datetime creation_date string created_by string mebx_password boolean generate_random_mebx_password string[] tags boolean dhcp_enabled string tenant_id int tls_mode string user_consent boolean ider_enabled boolean kvm_enabled boolean sol_enabled string tls_signing_authority string ieee8021x_profile_name } CIRACONFIGS CIRACONFIGS { string cira_config_name string mps_server_address int mps_port string user_name string password string common_name int server_address_format int auth_method string mps_root_certificate string proxydetails string tenant_id } WIRELESSCONFIGS ||--|{ PROFILES_WIRELESSCONFIGS : belongs WIRELESSCONFIGS ||--o| IEEE8021XCONFIGS : has WIRELESSCONFIGS { string wireless_profile_name int authentication_method int encryption_method string ssid int psk_value string psk_passphrase int[] link_policy datetime creation_date string created_by string tenant_id string ieee8021x_profile_name } PROFILES_WIRELESSCONFIGS { string wireless_profile_name string profile_name int priority datetime creation_date string created_by string tenant_id } IEEE8021XCONFIGS { string profile_name int auth_protocol string servername string domain string username string password string roaming_identity boolean active_in_s0 int pxe_timeout boolean wired_interface string tenant_id }","title":"RPS"},{"location":"Deployment/database/#mps","text":"erDiagram DEVICE { guid uuid string[] tags string hostname string mpsinstance boolean connectionstatus string mpsusername string tenantid string friendlyname string dnssuffix }","title":"MPS"},{"location":"Deployment/database/#add-db-client","text":"Add the database client library you will use to connect to your database. To support MSSQL, this example uses the Microsoft SQL Server client* for Node.js, node-mssql . To add the database: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: npm install node-mssql --save","title":"Add DB Client"},{"location":"Deployment/database/#update-configuration","text":"Update the connection string and a folder name for your db either in your ENV or .rc file. To modify the configuration: \"db_provider\" : \"mssql\" , //This will be the name of the folder you create in the next section. \"connection_string\" : \"Server=localhost,1433;Database=database;User Id=username;Password=password;Encrypt=true'\" ,","title":"Update Configuration"},{"location":"Deployment/database/#implement-the-code","text":"To support the new database: Create a new folder in ./src/data . The name of the new folder should be the name you supplied for the db_provider property, which is mssql in the example above. Figure 2: New folder mssql Create a file called index.ts that implements our IDB interface. Below is an example interface and query method: Interface export interface IDB { ciraConfigs : ICiraConfigTable domains : IDomainsTable profiles : IProfilesTable wirelessProfiles : IWirelessProfilesTable profileWirelessConfigs : IProfilesWifiConfigsTable query : ( text : string , params? : any ) => Promise < any > } Query Method This query function is responsible for taking in the query parameters and performing the execution. async query < T > ( text : string , params? : any ) : Promise < mssql . IResult < T >> { let result const start = Date . now () return await new Promise (( resolve , reject ) => { this . sqlPool . connect ( async ( err ) => { if ( err ) { this . log . error ( err ) reject ( err ) } result = await this . sqlPool . request (). query ( text ) const duration = Date . now () - start this . log . verbose ( `executed query: ${ JSON . stringify ({ text , duration , rows : result.recordset.length } )}` ) resolve ( result ) }) }) } Implement each of the table interfaces. The base interface looks like this: export interface ITable < T > { getCount : ( tenantId? : string ) => Promise < number > get : ( limit : number , offset : number , tenantId? : string ) => Promise < T [] > getByName : ( name : string , tenantId? : string ) => Promise < T > delete : ( name : string , tenantId? : string ) => Promise < boolean > insert : ( item : T ) => Promise < T > update : ( item : T ) => Promise < T > } There are interfaces for each table in the ./interfaces/database which adds specific functions on top of the base ITable<> interface. Here's an example of the get implementation for Domains: /** * @description Get all Domains from DB * @param {number} top * @param {number} skip * @returns {AMTDomain[]} returns an array of AMT Domain objects from DB */ async get ( top : number = DEFAULT_TOP , skip : number = DEFAULT_SKIP , tenantId : string = '' ) : Promise < AMTDomain [] > { const results = await this . db . query ( ` SELECT name as profileName, domain_suffix as domainSuffix, provisioning_cert as provisioningCert, provisioning_cert_storage_format as provisioningCertStorageFormat, provisioning_cert_key as provisioningCertPassword, tenant_id tenantId FROM domains ORDER BY name` ) return result } Complete all the queries for each table's functions to finish the implementation. Best Practice That's it! Deployment complete. After replacing the database, ensure all the APIs are working as expected by running the API Tests with the Postman* application. You'll find the tests in the ./src/test/collections folder.","title":"Implement the Code"},{"location":"Deployment/overview/","text":"To deploy the Open AMT Cloud Toolkit to a production environment, replace default reference implementation components with more robust or full-featured components. Each section below lists the default reference implementation component included with toolkit along with suggestions for replacement. Database Selection \u00b6 The Docker-based PostgreSQL* image used in docker-compose.yml provides enough functionality for proof-of-concept creation and development. However, to enable the toolkit for production, leverage a managed database instance offered by a public cloud provider or a database hosted by your internal IT. Regardless of the deployment scenario (i.e., a VM, Kubernetes, Docker Swarm, a native environment), managing state in your cluster comes with a higher risk of data loss than that of a managed database instance. Default Component \u00b6 PostgreSQL Example Replacements \u00b6 Azure Database for PostgreSQL Azure SQL Database Amazon Relational Database Service (RDS) MS SQL Server MariaDB For more information about replacing the default toolkit database, see the Database Replacement guide . Secrets Management \u00b6 A secret is any asset requiring controlled access, such as API keys, passwords, or certificates. The toolkit enables secrets management with HashiCorp Vault*, which provides a secure repository for storing and accessing sensitive assets. Vault offers a unified interface to any secret, tight access control, and a detailed audit log. While Vault provides a comprehensive solution for managing and persisting state in a K8s cluster, use of a managed secret provider, such as Azure Key Vault, offloads this role and helps reduce the overhead of secrets management in the toolkit. Additionally, if a secret provider is not necessary for your deployment, consider removing it and leveraging some other backing store for secrets. Default Component \u00b6 HashiCorp Vault Example Replacements \u00b6 Azure Key Vault AWS Key Management Service (KMS) For more information about replacing the default secret provider, see the Secrets Management guide . API Gateway \u00b6 The toolkit uses Kong as its open source API gateway. Kong provides an entry point for external clients, anything not a part of the microservice system, and a comprehensive suite of plugins for various scenarios. Default Component \u00b6 Kong Example Replacements \u00b6 Azure API Gateway Amazon API Gateway Google Cloud Endpoints Tyk Centralized Configuration \u00b6 Centralized Configuration (Consul) is a Preview Feature The Consul implementation feature is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub. The toolkit utilizes Consul to implement centralized configuration of the MPS and RPS services. This is an optional, opt-in service that is deployed, but not enabled by default. Default Component \u00b6 Hashicorp Consul Example Replacements \u00b6 etcd Apache Zookeeper By default, Consul is deployed, but not utilized. For more information about enabling Consul, see the Service Mesh guide .","title":"Overview"},{"location":"Deployment/overview/#database-selection","text":"The Docker-based PostgreSQL* image used in docker-compose.yml provides enough functionality for proof-of-concept creation and development. However, to enable the toolkit for production, leverage a managed database instance offered by a public cloud provider or a database hosted by your internal IT. Regardless of the deployment scenario (i.e., a VM, Kubernetes, Docker Swarm, a native environment), managing state in your cluster comes with a higher risk of data loss than that of a managed database instance.","title":"Database Selection"},{"location":"Deployment/overview/#default-component","text":"PostgreSQL","title":"Default Component"},{"location":"Deployment/overview/#example-replacements","text":"Azure Database for PostgreSQL Azure SQL Database Amazon Relational Database Service (RDS) MS SQL Server MariaDB For more information about replacing the default toolkit database, see the Database Replacement guide .","title":"Example Replacements"},{"location":"Deployment/overview/#secrets-management","text":"A secret is any asset requiring controlled access, such as API keys, passwords, or certificates. The toolkit enables secrets management with HashiCorp Vault*, which provides a secure repository for storing and accessing sensitive assets. Vault offers a unified interface to any secret, tight access control, and a detailed audit log. While Vault provides a comprehensive solution for managing and persisting state in a K8s cluster, use of a managed secret provider, such as Azure Key Vault, offloads this role and helps reduce the overhead of secrets management in the toolkit. Additionally, if a secret provider is not necessary for your deployment, consider removing it and leveraging some other backing store for secrets.","title":"Secrets Management"},{"location":"Deployment/overview/#default-component_1","text":"HashiCorp Vault","title":"Default Component"},{"location":"Deployment/overview/#example-replacements_1","text":"Azure Key Vault AWS Key Management Service (KMS) For more information about replacing the default secret provider, see the Secrets Management guide .","title":"Example Replacements"},{"location":"Deployment/overview/#api-gateway","text":"The toolkit uses Kong as its open source API gateway. Kong provides an entry point for external clients, anything not a part of the microservice system, and a comprehensive suite of plugins for various scenarios.","title":"API Gateway"},{"location":"Deployment/overview/#default-component_2","text":"Kong","title":"Default Component"},{"location":"Deployment/overview/#example-replacements_2","text":"Azure API Gateway Amazon API Gateway Google Cloud Endpoints Tyk","title":"Example Replacements"},{"location":"Deployment/overview/#centralized-configuration","text":"Centralized Configuration (Consul) is a Preview Feature The Consul implementation feature is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub. The toolkit utilizes Consul to implement centralized configuration of the MPS and RPS services. This is an optional, opt-in service that is deployed, but not enabled by default.","title":"Centralized Configuration"},{"location":"Deployment/overview/#default-component_3","text":"Hashicorp Consul","title":"Default Component"},{"location":"Deployment/overview/#example-replacements_3","text":"etcd Apache Zookeeper By default, Consul is deployed, but not utilized. For more information about enabling Consul, see the Service Mesh guide .","title":"Example Replacements"},{"location":"Deployment/secrets/","text":"To prepare for a production environment, replace Hashicorp Vault* with a secrets management provider. To replace secrets management, update these services: MPS RPS What You'll Do \u00b6 This guide focuses on updating the secrets management with Azure Key Vault*. Here are the main tasks: Review Vault Schema Add Secret Provider Dependency (if necessary) Update Configuration Implement the Code Secrets Management Recipe The example implementation below provides a step-by-step outline of secrets management deployment. However, it is intended as a general guideline. You will need to write specific source code to support your custom solution. Note This guide will assume Azure Key Vault is already configured and ready for use as it focuses on the code that needs to be implemented in the microservices. Review Vault Schema \u00b6 Below are the paths/keys in the vault that are used by the Open AMT Cloud Toolkit . # RPS CIRAConfigs/[cira_config_name]/MPS_PASSWORD certs/[domain_profile_name]/CERT certs/[domain_profile_name]/CERT_PASSWORD profiles/[profile_name]/AMT_PASSWORD profiles/[profile_name]/MEBX_PASSWORD wireless/[wireless_profile_name]/PSK_PASSPHRASE # MPS devices/[device_guid]/AMT_PASSWORD devices/[device_guid]/MEBX_PASSWORD devices/[device_guid]/MPS_PASSWORD Add Dependency \u00b6 To install the required dependencies: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: npm install @azure/keyvault-secrets npm install @azure/identity Note To read more about this dependency, check out Azure Key Value Secret Client library for JavaScript . Update Configuration \u00b6 To modify the configuration: Modify the properties for Hashicorp Vault: Before: { \"secrets_path\" : \"secret/data/\" , \"vault_address\" : \"http://localhost:8200\" , \"vault_token\" : \"myroot\" , } After: For Azure Key Vault, you only need the address: { \"secrets_path\" : \"\" , \"vault_address\" : \"https://<YOUR KEYVAULT NAME>.vault.azure.net\" , \"vault_token\" : \"\" , } Set these three ENV variables: AZURE_TENANT_ID = <YOUR-TENANT-ID> AZURE_CLIENT_ID = <YOUR-CLIENT-ID> AZURE_CLIENT_SECRET = <YOUR-CLIENT-SECRET> Implement the Code \u00b6 To support secrets management: Consider the exported interface ISecretManagerService . export interface ISecretManagerService { getSecretFromKey : ( path : string , key : string ) => Promise < string > getSecretAtPath : ( path : string ) => Promise < any > listSecretsAtPath : ( path : string ) => Promise < any > readJsonFromKey : ( path : string , key : string ) => Promise < string > writeSecretWithKey : ( path : string , key : string , keyvalue : any ) => Promise < void > writeSecretWithObject : ( path : string , data : any ) => Promise < void > deleteSecretWithPath : ( path : string ) => Promise < void > } This example focuses on getSecretFromKey , set up and implemented below: const { DefaultAzureCredential } = require ( \"@azure/identity\" ) const { SecretClient } = require ( \"@azure/keyvault-secrets\" ) export class AzureSecretManagerService implements ISecretManagerService { vaultClient : SecretClient logger : ILogger constructor ( logger : ILogger ) { // DefaultAzureCredential expects the following three environment variables: // * AZURE_TENANT_ID: The tenant ID in Azure Active Directory // * AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant // * AZURE_CLIENT_SECRET: The client secret for the registered application const credential = new DefaultAzureCredential () // Lastly, create our secrets client and connect to the service const client = new SecretClient ( EnvReader . GlobalEnvConfig . VaultConfig . address , credential ); } async getSecretFromKey ( path : string , key : string ) : Promise < string > { try { this . logger . verbose ( `getting secret from vault: ${ path } , ${ key } ` ) const latestSecret = await client . getSecret ( key ); this . logger . debug ( `got data back from vault: ${ path } , ${ key } ` ) return latestSecret } catch ( error ) { this . logger . error ( 'getSecretFromKey error \\r\\n' ) this . logger . error ( error ) return null } } } The example above is for one interface. You'll need to implement each interface defined in ISecretManagerService . After all the functions have been implemented, finish up by instantiating the AzureSecretManagerService in the src/Configurator.ts file. constructor () { //existing //this.secretsManager = new SecretManagerService(new Logger('SecretManagerService')) //new implementation this . secretsManager = new AzureSecretManagerService ( new Logger ( 'AzureSecretManagerService' )) } Best Practice That's it! Deployment complete. After replacing the secrets management, ensure all the APIs are working as expected by running the API Tests with the Postman* application. You'll find the tests in the ./src/test/collections folder.","title":"Secrets Management"},{"location":"Deployment/secrets/#what-youll-do","text":"This guide focuses on updating the secrets management with Azure Key Vault*. Here are the main tasks: Review Vault Schema Add Secret Provider Dependency (if necessary) Update Configuration Implement the Code Secrets Management Recipe The example implementation below provides a step-by-step outline of secrets management deployment. However, it is intended as a general guideline. You will need to write specific source code to support your custom solution. Note This guide will assume Azure Key Vault is already configured and ready for use as it focuses on the code that needs to be implemented in the microservices.","title":"What You'll Do"},{"location":"Deployment/secrets/#review-vault-schema","text":"Below are the paths/keys in the vault that are used by the Open AMT Cloud Toolkit . # RPS CIRAConfigs/[cira_config_name]/MPS_PASSWORD certs/[domain_profile_name]/CERT certs/[domain_profile_name]/CERT_PASSWORD profiles/[profile_name]/AMT_PASSWORD profiles/[profile_name]/MEBX_PASSWORD wireless/[wireless_profile_name]/PSK_PASSPHRASE # MPS devices/[device_guid]/AMT_PASSWORD devices/[device_guid]/MEBX_PASSWORD devices/[device_guid]/MPS_PASSWORD","title":"Review Vault Schema"},{"location":"Deployment/secrets/#add-dependency","text":"To install the required dependencies: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: npm install @azure/keyvault-secrets npm install @azure/identity Note To read more about this dependency, check out Azure Key Value Secret Client library for JavaScript .","title":"Add Dependency"},{"location":"Deployment/secrets/#update-configuration","text":"To modify the configuration: Modify the properties for Hashicorp Vault: Before: { \"secrets_path\" : \"secret/data/\" , \"vault_address\" : \"http://localhost:8200\" , \"vault_token\" : \"myroot\" , } After: For Azure Key Vault, you only need the address: { \"secrets_path\" : \"\" , \"vault_address\" : \"https://<YOUR KEYVAULT NAME>.vault.azure.net\" , \"vault_token\" : \"\" , } Set these three ENV variables: AZURE_TENANT_ID = <YOUR-TENANT-ID> AZURE_CLIENT_ID = <YOUR-CLIENT-ID> AZURE_CLIENT_SECRET = <YOUR-CLIENT-SECRET>","title":"Update Configuration"},{"location":"Deployment/secrets/#implement-the-code","text":"To support secrets management: Consider the exported interface ISecretManagerService . export interface ISecretManagerService { getSecretFromKey : ( path : string , key : string ) => Promise < string > getSecretAtPath : ( path : string ) => Promise < any > listSecretsAtPath : ( path : string ) => Promise < any > readJsonFromKey : ( path : string , key : string ) => Promise < string > writeSecretWithKey : ( path : string , key : string , keyvalue : any ) => Promise < void > writeSecretWithObject : ( path : string , data : any ) => Promise < void > deleteSecretWithPath : ( path : string ) => Promise < void > } This example focuses on getSecretFromKey , set up and implemented below: const { DefaultAzureCredential } = require ( \"@azure/identity\" ) const { SecretClient } = require ( \"@azure/keyvault-secrets\" ) export class AzureSecretManagerService implements ISecretManagerService { vaultClient : SecretClient logger : ILogger constructor ( logger : ILogger ) { // DefaultAzureCredential expects the following three environment variables: // * AZURE_TENANT_ID: The tenant ID in Azure Active Directory // * AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant // * AZURE_CLIENT_SECRET: The client secret for the registered application const credential = new DefaultAzureCredential () // Lastly, create our secrets client and connect to the service const client = new SecretClient ( EnvReader . GlobalEnvConfig . VaultConfig . address , credential ); } async getSecretFromKey ( path : string , key : string ) : Promise < string > { try { this . logger . verbose ( `getting secret from vault: ${ path } , ${ key } ` ) const latestSecret = await client . getSecret ( key ); this . logger . debug ( `got data back from vault: ${ path } , ${ key } ` ) return latestSecret } catch ( error ) { this . logger . error ( 'getSecretFromKey error \\r\\n' ) this . logger . error ( error ) return null } } } The example above is for one interface. You'll need to implement each interface defined in ISecretManagerService . After all the functions have been implemented, finish up by instantiating the AzureSecretManagerService in the src/Configurator.ts file. constructor () { //existing //this.secretsManager = new SecretManagerService(new Logger('SecretManagerService')) //new implementation this . secretsManager = new AzureSecretManagerService ( new Logger ( 'AzureSecretManagerService' )) } Best Practice That's it! Deployment complete. After replacing the secrets management, ensure all the APIs are working as expected by running the API Tests with the Postman* application. You'll find the tests in the ./src/test/collections folder.","title":"Implement the Code"},{"location":"Deployment/upgradeVersion/","text":"Specific Changes Required for Version Upgrades \u00b6 Upgrade to 2.11 from 2.10 \u00b6 The 2.11 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS ip_sync_enabled BOOLEAN NULL ; Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM profiles ; Continue with general upgrade steps below. Upgrade to 2.10 from 2.9 \u00b6 The 2.10 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. ALTER TABLE IF EXISTS wirelessconfigs ADD COLUMN IF NOT EXISTS ieee8021x_profile_name citext , ADD CONSTRAINT ieee8021xconfigs_fk FOREIGN KEY ( ieee8021x_profile_name , tenant_id ) REFERENCES ieee8021xconfigs ( profile_name , tenant_id ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM wirelessconfigs ; Continue with general upgrade steps below. Upgrade to 2.9 from 2.8 \u00b6 The 2.9 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. CREATE TABLE IF NOT EXISTS ieee8021xconfigs ( profile_name citext , auth_protocol integer , servername VARCHAR ( 255 ), domain VARCHAR ( 255 ), username VARCHAR ( 255 ), password VARCHAR ( 255 ), roaming_identity VARCHAR ( 255 ), active_in_s0 BOOLEAN , pxe_timeout integer , wired_interface BOOLEAN NOT NULL , tenant_id varchar ( 36 ) NOT NULL , PRIMARY KEY ( profile_name , tenant_id ), ); Update the Profiles table. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS ieee8021x_profile_name citext , ADD CONSTRAINT ieee8021xconfigs_fk FOREIGN KEY ( ieee8021x_profile_name , tenant_id ) REFERENCES ieee8021xconfigs ( profile_name , tenant_id ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM ieee8021xconfigs ; Continue with general upgrade steps below. Upgrade to 2.8 from 2.7 \u00b6 The 2.8 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new column before upgrading the services. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS tls_signing_authority varchar ( 40 ) NULL ; Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statement. Verify the column was added to the table. SELECT * FROM profiles ; Continue with general upgrade steps below. Upgrade to 2.7 from 2.6 \u00b6 The 2.7 release of MPS requires an upgrade to the mpsdb database. Run the following SQL script to add two new columns before upgrading the services. ALTER TABLE devices ADD COLUMN IF NOT EXISTS friendlyname varchar ( 256 ), ADD COLUMN IF NOT EXISTS dnssuffix varchar ( 256 ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and mpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database mpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d mpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d mpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d mpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statement. Verify the columns were added to the table. SELECT * FROM devices ; Continue with general upgrade steps below. Upgrade a Minor Version (i.e. 2.X to 2.Y) \u00b6 Kubernetes Upgrade \u00b6 Upgrading from a previous minor version to a new minor version release is simple using Helm. By updating your image tags and upgrading through Helm, a seamless transition can be made. Stored profiles and secrets will be unaffected and any connected devices will transition over to the new MPS pod. Note - Using Private Images The steps are the same if using your own images built and stored on a platform like Azure Container Registry (ACR) or Elastic Container Registry (ECR). Simply point to the new private images rather than the public Intel Dockerhub. Pull the latest release within .\\open-amt-cloud-toolkit directory. git pull Merge the latest changes into your existing branch. git merge v2.14.0 In the values.yaml file, update the images to the new version wanted. Alternatively, you can use the latest tags. Example - values.yaml File images : mps : \"intel/oact-mps:latest\" rps : \"intel/oact-rps:latest\" webui : \"intel/oact-webui:latest\" mpsrouter : \"intel/oact-mpsrouter:latest\" mps : ... In Terminal or Command Prompt, go to the deployed open-amt-cloud-toolkit repository directory. cd ./YOUR-DIRECTORY-PATH/open-amt-cloud-toolkit Use Helm to upgrade and deploy the new images. helm upgrade openamtstack ./kubernetes/charts Successful Helm Upgrade Release \"openamtstack\" has been upgraded. Happy Helming! NAME: openamtstack LAST DEPLOYED: Wed Mar 23 09:36:10 2022 NAMESPACE: default STATUS: deployed REVISION: 2 Verify the new pods are running. Notice the only restarted and recreated pods are MPS, RPS, and the WebUI. kubectl get pods Example - Upgraded Running Pods NAME READY STATUS RESTARTS AGE mps-55f558666b-5m9bq 1/1 Running 0 2m47s mpsrouter-6975577696-wn8wm 1/1 Running 0 27d openamtstack-kong-5999cc6b97-wbmdw 2/2 Running 0 27d openamtstack-vault-0 1/1 Running 0 27d openamtstack-vault-agent-injector-6d6c75f7d5-sh5nm 1/1 Running 0 27d rps-597d7894b5-mbdz5 1/1 Running 0 2m47s webui-6d9b96c989-29r9z 1/1 Running 0 2m47s Rollback a Version \u00b6 Is the functionality not working as expected? Rollback to the previous deployment using Helm. Use the Helm rollback command with the Revision you want to rollback to. In this example deployment, we would rollback to the original deployment revision which would be 1. helm rollback openamtstack [Revision-Number] Successful Rollback Rollback was a success! Happy Helming! Local Docker Upgrade \u00b6 The following steps outline how to upgrade using the public Docker Hub images. Data will not be lost unless Postgres or Vault need to be upgraded and restarted. From the .\\open-amt-cloud-toolkit\\ directory, pull the latest branches. git pull Checkout the new release. git checkout v2.14.0 Note - Rebuilding New Images Locally If building your own images, you will also have to checkout the newer release from each repo within .\\open-amt-cloud-toolkit\\ . Pull the new releases of the submodules. git submodule update --recursive Checkout the release for each of the services you want to upgrade. cd mps git checkout v2.11.0 Repeat for other services. Build the new images. docker compose up -d --build Pull the new release Docker Hub images. docker compose pull Start the new containers. docker compose up -d --remove-orphans OPTIONAL. If using versioned tags rather than latest , you can delete older tagged images using the following. This will delete all unused images . If you have other non Open AMT images you wish to keep, do NOT run this command. docker image prune -a","title":"Upgrade Toolkit Version"},{"location":"Deployment/upgradeVersion/#specific-changes-required-for-version-upgrades","text":"","title":"Specific Changes Required for Version Upgrades"},{"location":"Deployment/upgradeVersion/#upgrade-to-211-from-210","text":"The 2.11 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS ip_sync_enabled BOOLEAN NULL ; Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM profiles ; Continue with general upgrade steps below.","title":"Upgrade to 2.11 from 2.10"},{"location":"Deployment/upgradeVersion/#upgrade-to-210-from-29","text":"The 2.10 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. ALTER TABLE IF EXISTS wirelessconfigs ADD COLUMN IF NOT EXISTS ieee8021x_profile_name citext , ADD CONSTRAINT ieee8021xconfigs_fk FOREIGN KEY ( ieee8021x_profile_name , tenant_id ) REFERENCES ieee8021xconfigs ( profile_name , tenant_id ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM wirelessconfigs ; Continue with general upgrade steps below.","title":"Upgrade to 2.10 from 2.9"},{"location":"Deployment/upgradeVersion/#upgrade-to-29-from-28","text":"The 2.9 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. CREATE TABLE IF NOT EXISTS ieee8021xconfigs ( profile_name citext , auth_protocol integer , servername VARCHAR ( 255 ), domain VARCHAR ( 255 ), username VARCHAR ( 255 ), password VARCHAR ( 255 ), roaming_identity VARCHAR ( 255 ), active_in_s0 BOOLEAN , pxe_timeout integer , wired_interface BOOLEAN NOT NULL , tenant_id varchar ( 36 ) NOT NULL , PRIMARY KEY ( profile_name , tenant_id ), ); Update the Profiles table. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS ieee8021x_profile_name citext , ADD CONSTRAINT ieee8021xconfigs_fk FOREIGN KEY ( ieee8021x_profile_name , tenant_id ) REFERENCES ieee8021xconfigs ( profile_name , tenant_id ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM ieee8021xconfigs ; Continue with general upgrade steps below.","title":"Upgrade to 2.9 from 2.8"},{"location":"Deployment/upgradeVersion/#upgrade-to-28-from-27","text":"The 2.8 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new column before upgrading the services. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS tls_signing_authority varchar ( 40 ) NULL ; Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statement. Verify the column was added to the table. SELECT * FROM profiles ; Continue with general upgrade steps below.","title":"Upgrade to 2.8 from 2.7"},{"location":"Deployment/upgradeVersion/#upgrade-to-27-from-26","text":"The 2.7 release of MPS requires an upgrade to the mpsdb database. Run the following SQL script to add two new columns before upgrading the services. ALTER TABLE devices ADD COLUMN IF NOT EXISTS friendlyname varchar ( 256 ), ADD COLUMN IF NOT EXISTS dnssuffix varchar ( 256 ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and mpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database mpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d mpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d mpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d mpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statement. Verify the columns were added to the table. SELECT * FROM devices ; Continue with general upgrade steps below.","title":"Upgrade to 2.7 from 2.6"},{"location":"Deployment/upgradeVersion/#upgrade-a-minor-version-ie-2x-to-2y","text":"","title":"Upgrade a Minor Version (i.e. 2.X to 2.Y)"},{"location":"Deployment/upgradeVersion/#kubernetes-upgrade","text":"Upgrading from a previous minor version to a new minor version release is simple using Helm. By updating your image tags and upgrading through Helm, a seamless transition can be made. Stored profiles and secrets will be unaffected and any connected devices will transition over to the new MPS pod. Note - Using Private Images The steps are the same if using your own images built and stored on a platform like Azure Container Registry (ACR) or Elastic Container Registry (ECR). Simply point to the new private images rather than the public Intel Dockerhub. Pull the latest release within .\\open-amt-cloud-toolkit directory. git pull Merge the latest changes into your existing branch. git merge v2.14.0 In the values.yaml file, update the images to the new version wanted. Alternatively, you can use the latest tags. Example - values.yaml File images : mps : \"intel/oact-mps:latest\" rps : \"intel/oact-rps:latest\" webui : \"intel/oact-webui:latest\" mpsrouter : \"intel/oact-mpsrouter:latest\" mps : ... In Terminal or Command Prompt, go to the deployed open-amt-cloud-toolkit repository directory. cd ./YOUR-DIRECTORY-PATH/open-amt-cloud-toolkit Use Helm to upgrade and deploy the new images. helm upgrade openamtstack ./kubernetes/charts Successful Helm Upgrade Release \"openamtstack\" has been upgraded. Happy Helming! NAME: openamtstack LAST DEPLOYED: Wed Mar 23 09:36:10 2022 NAMESPACE: default STATUS: deployed REVISION: 2 Verify the new pods are running. Notice the only restarted and recreated pods are MPS, RPS, and the WebUI. kubectl get pods Example - Upgraded Running Pods NAME READY STATUS RESTARTS AGE mps-55f558666b-5m9bq 1/1 Running 0 2m47s mpsrouter-6975577696-wn8wm 1/1 Running 0 27d openamtstack-kong-5999cc6b97-wbmdw 2/2 Running 0 27d openamtstack-vault-0 1/1 Running 0 27d openamtstack-vault-agent-injector-6d6c75f7d5-sh5nm 1/1 Running 0 27d rps-597d7894b5-mbdz5 1/1 Running 0 2m47s webui-6d9b96c989-29r9z 1/1 Running 0 2m47s","title":"Kubernetes Upgrade"},{"location":"Deployment/upgradeVersion/#rollback-a-version","text":"Is the functionality not working as expected? Rollback to the previous deployment using Helm. Use the Helm rollback command with the Revision you want to rollback to. In this example deployment, we would rollback to the original deployment revision which would be 1. helm rollback openamtstack [Revision-Number] Successful Rollback Rollback was a success! Happy Helming!","title":"Rollback a Version"},{"location":"Deployment/upgradeVersion/#local-docker-upgrade","text":"The following steps outline how to upgrade using the public Docker Hub images. Data will not be lost unless Postgres or Vault need to be upgraded and restarted. From the .\\open-amt-cloud-toolkit\\ directory, pull the latest branches. git pull Checkout the new release. git checkout v2.14.0 Note - Rebuilding New Images Locally If building your own images, you will also have to checkout the newer release from each repo within .\\open-amt-cloud-toolkit\\ . Pull the new releases of the submodules. git submodule update --recursive Checkout the release for each of the services you want to upgrade. cd mps git checkout v2.11.0 Repeat for other services. Build the new images. docker compose up -d --build Pull the new release Docker Hub images. docker compose pull Start the new containers. docker compose up -d --remove-orphans OPTIONAL. If using versioned tags rather than latest , you can delete older tagged images using the following. This will delete all unused images . If you have other non Open AMT images you wish to keep, do NOT run this command. docker image prune -a","title":"Local Docker Upgrade"},{"location":"GetStarted/buildRPC/","text":"Developed in Go* programming language, the Remote Provisioning Client ( RPC ) application runs on the managed device and communicates with the Remote Provisioning Server ( RPS ) microservice on the development system. The RPC and RPS configure and activate Intel\u00ae AMT on the managed device. Once properly configured, the remote managed device can call home to the Management Presence Server ( MPS ) by establishing a Client Initiated Remote Access ( CIRA ) connection with the MPS . See Figure 1. Getting Started Part 3 : Follow along to learn about how to build RPC, some of the information it can provide, and how to activate an AMT device. Additional Resources: RPC as a Library and RPC Commands and Flags Important - Production Environment In a production environment, RPC can be deployed with an in-band manageability agent to distribute it to the fleet of AMT devices. The in-band manageability agent can invoke RPC to run and activate the AMT devices. Figure 1: RPC configuration Figure 1 Details The RPC on a managed device communicates with the Intel\u00ae Management Engine Interface (Intel\u00ae MEI, previously known as HECI) Driver and the Remote Provisioning Server ( RPS ) interfaces. The Driver uses the Intel\u00ae MEI to talk to Intel\u00ae AMT . The RPC activates Intel\u00ae AMT with an AMT profile, which is associated with a CIRA configuration (Step 3). The profile, which also distinguishes between Client Control Mode ( CCM ) or Admin Control Mode ( ACM ), and configuration were created in Create a CIRA Config or Create an AMT Profile . After running RPC with a profile, Intel\u00ae AMT will establish a CIRA connection with the MPS (Step 4) allowing MPS to manage the remote device and issue AMT commands (Step 5). Build the RPC \u00b6 Flexible Deployment - RPC as a Library The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. Read more about building RPC as a library here . To build the executable: If you are building an executable on a development system, you will copy the executable to the managed device. Change to the rpc-go directory of the cloned open-amt-cloud-toolkit repository. cd rpc-go Haven't Cloned the open-amt-cloud-toolkit Repository? Only clone the rpc-go repository: git clone https://github.com/open-amt-cloud-toolkit/rpc-go --branch v2.14.2 Alternatively, clone the whole toolkit repository: git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 --recursive Open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows): Linux Windows Docker (On Linux Host Only) go build -o rpc ./cmd/main.go go build -o rpc.exe ./cmd/main.go docker build -f \"Dockerfile\" -t rpc-go:latest . Note The image created with the Docker instruction above is only suitable for Docker on a Linux host. Confirm a successful build: Linux Windows Docker (On Linux Host Only) sudo ./rpc version . \\r pc version sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest version Run RPC to Activate and Connect the AMT Device \u00b6 The toolkit provides a reference implementation called the Sample Web UI to manage the device. After running device activation instructions below, your device will be listed on the Devices tab in the Sample Web UI . To run the application and connect the managed device: After building the RPC , copy the executable to the managed device. On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Navigate to the directory containing the RPC application. Running RPC with the activate command configures or provisions Intel\u00ae AMT . It will take 1-2 minutes to finish provisioning the device. In the instruction below: Replace [Development-IP-Address] with the development system's IP address, where the MPS and RPS servers are running. Replace [profile-name] with your created profile in the Sample Web UI . The RPC application command line parameters are case-sensitive. Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n -profile [profilename] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] Note - RPC Arguments See more about the flag and other arguments . Note - Transition Activated Device To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro\u00ae Platform device, see Transition Activated Device . Success Example Output after Activating and Configuring a device into ACM : Figure 2: Example output after configuration Troubleshooting Run into an issue? Try these troubleshooting steps . Next up \u00b6 Manage AMT Device","title":"Build & Run RPC"},{"location":"GetStarted/buildRPC/#build-the-rpc","text":"Flexible Deployment - RPC as a Library The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. Read more about building RPC as a library here . To build the executable: If you are building an executable on a development system, you will copy the executable to the managed device. Change to the rpc-go directory of the cloned open-amt-cloud-toolkit repository. cd rpc-go Haven't Cloned the open-amt-cloud-toolkit Repository? Only clone the rpc-go repository: git clone https://github.com/open-amt-cloud-toolkit/rpc-go --branch v2.14.2 Alternatively, clone the whole toolkit repository: git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 --recursive Open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows): Linux Windows Docker (On Linux Host Only) go build -o rpc ./cmd/main.go go build -o rpc.exe ./cmd/main.go docker build -f \"Dockerfile\" -t rpc-go:latest . Note The image created with the Docker instruction above is only suitable for Docker on a Linux host. Confirm a successful build: Linux Windows Docker (On Linux Host Only) sudo ./rpc version . \\r pc version sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest version","title":"Build the RPC"},{"location":"GetStarted/buildRPC/#run-rpc-to-activate-and-connect-the-amt-device","text":"The toolkit provides a reference implementation called the Sample Web UI to manage the device. After running device activation instructions below, your device will be listed on the Devices tab in the Sample Web UI . To run the application and connect the managed device: After building the RPC , copy the executable to the managed device. On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Navigate to the directory containing the RPC application. Running RPC with the activate command configures or provisions Intel\u00ae AMT . It will take 1-2 minutes to finish provisioning the device. In the instruction below: Replace [Development-IP-Address] with the development system's IP address, where the MPS and RPS servers are running. Replace [profile-name] with your created profile in the Sample Web UI . The RPC application command line parameters are case-sensitive. Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n -profile [profilename] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] Note - RPC Arguments See more about the flag and other arguments . Note - Transition Activated Device To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro\u00ae Platform device, see Transition Activated Device . Success Example Output after Activating and Configuring a device into ACM : Figure 2: Example output after configuration Troubleshooting Run into an issue? Try these troubleshooting steps .","title":"Run RPC to Activate and Connect the AMT Device"},{"location":"GetStarted/buildRPC/#next-up","text":"Manage AMT Device","title":"Next up"},{"location":"GetStarted/createCIRAConfig/","text":"Client Initiated Remote Access ( CIRA ) enables a CIRA -capable edge device to initiate and establish a persistent connection to the MPS . As long as the managed device is connected to the network and to a power source, it can maintain a persistent connection. Note - Wireless Activations This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . To create a CIRA Config: Select the CIRA Configs tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new CIRA Config Specify a Config Name of your choice. Select IPv4 . For MPS Address , provide your development system's IP Address. Cert Common Name (CN=) should auto-populate. If not, provide your development system's IP Address. Leave Port as the default, 4433. Leave the Username as admin or choose your own. Click Save. Example CIRA Config Figure 2: Example CIRA Config Next up \u00b6 Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Profiles also distinguish between activating in: Client Control Mode ( CCM ): This mode offers all manageability features including, but not limited to, power control, audit logs, and hardware info. Redirection features, such as KVM or SOL , require user consent . The managed device will display a 6-digit code that must be entered by the remote admin to access the remote device via redirection. Create a CCM Profile Admin Control Mode ( ACM ): ACM mode supports all manageability features without requiring user consent . This means it is not necessary to have a person on-site to remote in and manage an edge device. In most IoT use cases, edge devices such as digital signage or kiosks may not be easily accessible or have available employees nearby. ACM mode proves immensely helpful in these scenarios. Create an ACM Profile","title":"Create a CIRA Config"},{"location":"GetStarted/createCIRAConfig/#next-up","text":"Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Profiles also distinguish between activating in: Client Control Mode ( CCM ): This mode offers all manageability features including, but not limited to, power control, audit logs, and hardware info. Redirection features, such as KVM or SOL , require user consent . The managed device will display a 6-digit code that must be entered by the remote admin to access the remote device via redirection. Create a CCM Profile Admin Control Mode ( ACM ): ACM mode supports all manageability features without requiring user consent . This means it is not necessary to have a person on-site to remote in and manage an edge device. In most IoT use cases, edge devices such as digital signage or kiosks may not be easily accessible or have available employees nearby. ACM mode proves immensely helpful in these scenarios. Create an ACM Profile","title":"Next up"},{"location":"GetStarted/createProfileACM/","text":"Admin Control Mode ( ACM ) provides full access to Intel\u00ae Active Management Technology ( Intel\u00ae AMT ) functionality. User consent is optional for supported redirection features: Keyboard, Video, Mouse ( KVM ): Control multiple devices with one keyboard, monitor, and mouse. Serial-over-LAN ( SOL ): Manage devices with a command line interface (CLI) through SOL . IDE Redirection: Share and mount images remotely with a specified storage media (e.g., USB flash drive). Important - IDE Redirection While AMT supports this feature, the toolkit doesn't natively support it. Figure 1: Set up configuration and profiles for n number of clients What You'll Need \u00b6 Provisioning Certificate \u00b6 By purchasing a certificate, you'll be able to remotely activate an Intel\u00ae AMT device in ACM . This feature enables you to disable User Consent. Provisioning Certificates are available from four different Certificate Authorities. Find more information about Provisioning Certificates . Comodo DigiCert Entrust GoDaddy Important - Intel AMT and using CAs For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel\u00ae AMT . Alternatively, for development, custom provisioning certificates can be generated. See Custom Provisioning Certificate for additional details. DNS Suffix \u00b6 The DNS suffix encompasses the domain suffix (e.g., .com) and follows the hostname. Consider the following DNS Name example: Example - DNS DNS Name: cb-vending1.burgerbusiness.com In this example, the hostname is cb-vending1 and the DNS suffix is burgerbusiness.com. **To set the DNS suffix : ** Manually set it using MEBX on the managed device. Find instructions here . Alternately, change the DHCP Option 15 to DNS suffix within the Router settings. **To find the the DNS suffix , use the following command: ** Linux Windows ifconfig ipconfig /all Create a Profile \u00b6 A Profile provides configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Important - Production Environment In a production environment, devices are typically activated in ACM mode. ACM mode enables KVM access to devices without user consent. In most IoT use cases, edge devices such as digital signage or kiosks may not have immediate access to it or employees nearby. ACM mode proves immensely helpful in these scenarios. Note - More Information about Passwords Passwords Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To create an ACM profile: Select the Profiles tab from the menu on the left. Under the Profiles tab, click Add New in the top-right corner to create a profile. Figure 2: Create a new profile Specify a Profile Name of your choice. Under Activation , select Admin Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Choose level of User Consent . By default for ACM , None is selected. This will disable all User Consent for ACM . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Warning - Viewing and Losing Random Passwords The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the Vault database is lost or corrupted (or container stopped), all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! Provide or generate a strong MEBX Password . This password can be used to access Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) on the AMT device. Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select CIRA (Cloud) for Connection Configuration. Select the name of the CIRA Configuration you created previously from the drop-down menu. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example ACM Profile Figure 3: Example ACM profile Create a Domain Profile \u00b6 In addition to a CIRA Config and an ACM Profile , ACM requires the creation of a Domain profile. Intel\u00ae AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority. To create a domain: Select the Domains tab from the left-hand menu. In the top-right corner, click Add New. Figure 4: Create a new Domain profile Specify a name of your choice for the Domain Profile for the Name field. This does not have to be the actual network Domain Name/Suffix. Provide your DNS suffix as the Domain Name . This is the actual DNS suffix of the network domain that is set in DHCP Option 15 or manually on the AMT device through MEBX. Click Choose File and select your purchased Provisioning Certificate. This certificate must contain the private key. Provide the Provisioning Certificate Password used to encrypt the .pfx file. Click Save. Example Domain Figure 5: Example Domain profile Next Up \u00b6 Build & Run RPC","title":"Create a Profile with ACM"},{"location":"GetStarted/createProfileACM/#what-youll-need","text":"","title":"What You'll Need"},{"location":"GetStarted/createProfileACM/#provisioning-certificate","text":"By purchasing a certificate, you'll be able to remotely activate an Intel\u00ae AMT device in ACM . This feature enables you to disable User Consent. Provisioning Certificates are available from four different Certificate Authorities. Find more information about Provisioning Certificates . Comodo DigiCert Entrust GoDaddy Important - Intel AMT and using CAs For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel\u00ae AMT . Alternatively, for development, custom provisioning certificates can be generated. See Custom Provisioning Certificate for additional details.","title":"Provisioning Certificate"},{"location":"GetStarted/createProfileACM/#dns-suffix","text":"The DNS suffix encompasses the domain suffix (e.g., .com) and follows the hostname. Consider the following DNS Name example: Example - DNS DNS Name: cb-vending1.burgerbusiness.com In this example, the hostname is cb-vending1 and the DNS suffix is burgerbusiness.com. **To set the DNS suffix : ** Manually set it using MEBX on the managed device. Find instructions here . Alternately, change the DHCP Option 15 to DNS suffix within the Router settings. **To find the the DNS suffix , use the following command: ** Linux Windows ifconfig ipconfig /all","title":"DNS Suffix"},{"location":"GetStarted/createProfileACM/#create-a-profile","text":"A Profile provides configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Important - Production Environment In a production environment, devices are typically activated in ACM mode. ACM mode enables KVM access to devices without user consent. In most IoT use cases, edge devices such as digital signage or kiosks may not have immediate access to it or employees nearby. ACM mode proves immensely helpful in these scenarios. Note - More Information about Passwords Passwords Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To create an ACM profile: Select the Profiles tab from the menu on the left. Under the Profiles tab, click Add New in the top-right corner to create a profile. Figure 2: Create a new profile Specify a Profile Name of your choice. Under Activation , select Admin Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Choose level of User Consent . By default for ACM , None is selected. This will disable all User Consent for ACM . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Warning - Viewing and Losing Random Passwords The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the Vault database is lost or corrupted (or container stopped), all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! Provide or generate a strong MEBX Password . This password can be used to access Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) on the AMT device. Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select CIRA (Cloud) for Connection Configuration. Select the name of the CIRA Configuration you created previously from the drop-down menu. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example ACM Profile Figure 3: Example ACM profile","title":"Create a Profile"},{"location":"GetStarted/createProfileACM/#create-a-domain-profile","text":"In addition to a CIRA Config and an ACM Profile , ACM requires the creation of a Domain profile. Intel\u00ae AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority. To create a domain: Select the Domains tab from the left-hand menu. In the top-right corner, click Add New. Figure 4: Create a new Domain profile Specify a name of your choice for the Domain Profile for the Name field. This does not have to be the actual network Domain Name/Suffix. Provide your DNS suffix as the Domain Name . This is the actual DNS suffix of the network domain that is set in DHCP Option 15 or manually on the AMT device through MEBX. Click Choose File and select your purchased Provisioning Certificate. This certificate must contain the private key. Provide the Provisioning Certificate Password used to encrypt the .pfx file. Click Save. Example Domain Figure 5: Example Domain profile","title":"Create a Domain Profile"},{"location":"GetStarted/createProfileACM/#next-up","text":"Build & Run RPC","title":"Next Up"},{"location":"GetStarted/createProfileCCM/","text":"Client Control Mode ( CCM ) provides full access to features of Intel\u00ae Active Management Technology ( Intel\u00ae AMT ), but it does require user consent for all redirection features. These features require user consent in CCM : Keyboard, Video, Mouse ( KVM ): Control multiple devices with one keyboard, monitor, and mouse. Serial-over-LAN ( SOL ): Manage devices with a command line interface (CLI) through SOL . IDE Redirection: Share and mount images remotely with a specified storage media (e.g., USB flash drive). Important - IDE Redirection While AMT supports this feature, the toolkit doesn't natively support it. Figure 1: Set up configuration and profiles for n number of clients Create a Profile \u00b6 Profiles provide configuration information to the firmware on platforms featuring Intel\u00ae AMT during the activation process with the Remote Provisioning Client ( RPC ). Note - More Information about Passwords Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To create a CCM profile: Select the Profiles tab from the menu on the left. Under the Profiles tab, click New in the top-right corner to create a profile. Figure 2: Create a new profile Specify a Profile Name of your choice. Under Activation Mode , select Client Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Warning - Viewing and Losing Random Passwords The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the Vault database is lost or corrupted (or container stopped), all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! The MEBX Password field is disabled. The password for Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) cannot be set when activating in CCM due to the lower level of trust when compared to ACM . Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select CIRA (Cloud) for Connection Configuration. Select the name of the CIRA Configuration you created previously from the drop-down menu. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example CCM Profile Figure 3: Example CCM profile Next up \u00b6 Build & Run RPC","title":"Create a Profile with CCM"},{"location":"GetStarted/createProfileCCM/#create-a-profile","text":"Profiles provide configuration information to the firmware on platforms featuring Intel\u00ae AMT during the activation process with the Remote Provisioning Client ( RPC ). Note - More Information about Passwords Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To create a CCM profile: Select the Profiles tab from the menu on the left. Under the Profiles tab, click New in the top-right corner to create a profile. Figure 2: Create a new profile Specify a Profile Name of your choice. Under Activation Mode , select Client Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Warning - Viewing and Losing Random Passwords The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the Vault database is lost or corrupted (or container stopped), all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! The MEBX Password field is disabled. The password for Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) cannot be set when activating in CCM due to the lower level of trust when compared to ACM . Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select CIRA (Cloud) for Connection Configuration. Select the name of the CIRA Configuration you created previously from the drop-down menu. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example CCM Profile Figure 3: Example CCM profile","title":"Create a Profile"},{"location":"GetStarted/createProfileCCM/#next-up","text":"Build & Run RPC","title":"Next up"},{"location":"GetStarted/loginToUI/","text":"The web portal is available for login after the deployment of the MPS , RPS , and Sample Web UI . Make sure all microservices are successfully running before attempting to login. Getting Started Part 2 : Follow along to learn about the Sample Web UI and the various profiles: CIRA Configs, AMT Profiles, and Domain Profiles. Additional Resources: Passwords and What They Mean , Provisioning Certificates , and Setting a DNS Suffix via MEBX Log In \u00b6 Open any modern web browser and navigate to the following link. https://<Development-IP-Address> Important - URL of Sample Web UI You must use the development system's IP address in the URL. Localhost or 127.0.0.1 will NOT work . Read more about Kong API Gateway to find out why . The development system's IP address is where the Docker containers are running. A warning screen will prompt because the MPS Server is using self-signed certificates for testing. Click Advanced and then Proceed to continue to connect to the Sample Web UI . Example - Chrome* Browser Warning Message Figure 1: MPS warning message Log in to the web portal with the login credentials set for the environment variables MPS_WEB_ADMIN_USER and MPS_WEB_ADMIN_PASSWORD in the .env file. The home page is shown below in Figure 2. Example - Sample Web UI Home Page Figure 2: Sample Web UI home page Next up \u00b6 Create a CIRA Config","title":"Login to Sample Web UI"},{"location":"GetStarted/loginToUI/#log-in","text":"Open any modern web browser and navigate to the following link. https://<Development-IP-Address> Important - URL of Sample Web UI You must use the development system's IP address in the URL. Localhost or 127.0.0.1 will NOT work . Read more about Kong API Gateway to find out why . The development system's IP address is where the Docker containers are running. A warning screen will prompt because the MPS Server is using self-signed certificates for testing. Click Advanced and then Proceed to continue to connect to the Sample Web UI . Example - Chrome* Browser Warning Message Figure 1: MPS warning message Log in to the web portal with the login credentials set for the environment variables MPS_WEB_ADMIN_USER and MPS_WEB_ADMIN_PASSWORD in the .env file. The home page is shown below in Figure 2. Example - Sample Web UI Home Page Figure 2: Sample Web UI home page","title":"Log In"},{"location":"GetStarted/loginToUI/#next-up","text":"Create a CIRA Config","title":"Next up"},{"location":"GetStarted/manageDevice/","text":"Getting Started Part 4 : Follow along to learn about the different Out-of-Band capabilities of Intel AMT. Next Steps: Using REST APIs and Deploying with Kubernetes Try out Intel AMT Capabilities \u00b6 Go back to the Sample Web UI on your development system. Click the Devices tab from the menu on the left. Figure 1: Devices tab Troubleshooting If the activated device is not listed or if it is listed as unconnected, try restarting the AMT device. After successfully restarting the device, refresh the Sample Web UI to see if the Status changes to connected . Click on your connected device. Select an action to perform from the Power Actions in the center screen or Redirection options in the top-right. Warning - Power Actions in KVM Turn off active redirection sessions, such as KVM or SOL , before specific power state transitions. Power Cycle (Code 5) and Unconditional Power Down (Power Off, Code 8) will be rejected as invalid if there is an active redirection session. Reset (Code 10) will function in KVM along with the other unmentioned Power Actions . Figure 2: Action options User Consent \u00b6 If activated in Client Control Mode( CCM ), the keyboard, video, mouse ( KVM ) and serial-over-LAN ( SOL ) features require entering a user consent code, which will be displayed on the managed device. To use KVM / SOL without user consent, follow the ACM Activation Path for how to configure a device into Admin Control Mode. When performing a KVM action for a device activated in CCM or ACM with user consent enabled, input the user consent code displayed on the client device. Figure 3: User Consent Next steps \u00b6 After successfully deploying the Open AMT Cloud Toolkit microservices and client, explore other tools and topics in the Open AMT Cloud Toolkit architecture: REST API Calls \u00b6 Learn how to send commands to AMT devices with the curl -based REST API tutorial. Generate a JWT token for Authorization and construct an API call to get a list of devices. Get Started with REST API Calls UI Toolkit \u00b6 Explore the Open AMT Cloud Toolkit reference implementation console by adding manageability features with prebuilt React components, such as Keyboard, Video, and Mouse ( KVM ). Get Started with the UI Toolkit Security \u00b6 Learn how to use the Open AMT Cloud Toolkit architecture to secure assets. Topics include credentials, allowlisting, best known security methods, and more. Learn More about Security and Hardening","title":"Manage AMT Device"},{"location":"GetStarted/manageDevice/#try-out-intel-amt-capabilities","text":"Go back to the Sample Web UI on your development system. Click the Devices tab from the menu on the left. Figure 1: Devices tab Troubleshooting If the activated device is not listed or if it is listed as unconnected, try restarting the AMT device. After successfully restarting the device, refresh the Sample Web UI to see if the Status changes to connected . Click on your connected device. Select an action to perform from the Power Actions in the center screen or Redirection options in the top-right. Warning - Power Actions in KVM Turn off active redirection sessions, such as KVM or SOL , before specific power state transitions. Power Cycle (Code 5) and Unconditional Power Down (Power Off, Code 8) will be rejected as invalid if there is an active redirection session. Reset (Code 10) will function in KVM along with the other unmentioned Power Actions . Figure 2: Action options","title":"Try out Intel AMT Capabilities"},{"location":"GetStarted/manageDevice/#user-consent","text":"If activated in Client Control Mode( CCM ), the keyboard, video, mouse ( KVM ) and serial-over-LAN ( SOL ) features require entering a user consent code, which will be displayed on the managed device. To use KVM / SOL without user consent, follow the ACM Activation Path for how to configure a device into Admin Control Mode. When performing a KVM action for a device activated in CCM or ACM with user consent enabled, input the user consent code displayed on the client device. Figure 3: User Consent","title":"User Consent"},{"location":"GetStarted/manageDevice/#next-steps","text":"After successfully deploying the Open AMT Cloud Toolkit microservices and client, explore other tools and topics in the Open AMT Cloud Toolkit architecture:","title":"Next steps"},{"location":"GetStarted/manageDevice/#rest-api-calls","text":"Learn how to send commands to AMT devices with the curl -based REST API tutorial. Generate a JWT token for Authorization and construct an API call to get a list of devices. Get Started with REST API Calls","title":"REST API Calls"},{"location":"GetStarted/manageDevice/#ui-toolkit","text":"Explore the Open AMT Cloud Toolkit reference implementation console by adding manageability features with prebuilt React components, such as Keyboard, Video, and Mouse ( KVM ). Get Started with the UI Toolkit","title":"UI Toolkit"},{"location":"GetStarted/manageDevice/#security","text":"Learn how to use the Open AMT Cloud Toolkit architecture to secure assets. Topics include credentials, allowlisting, best known security methods, and more. Learn More about Security and Hardening","title":"Security"},{"location":"GetStarted/prerequisites/","text":"Prerequisites \u00b6 This section contains prerequisites for deploying Open AMT Cloud Toolkit 's MPS and RPS microservices on a local development system as Docker* containers. Getting Started Part 1 : Follow along to learn about the prerequisites, environment configuration, and using Docker to get your stack started. Additional Resources: Intel vPro Platform What You'll Need \u00b6 Hardware \u00b6 Configure a network that includes: A development system At least one Intel vPro\u00ae Platform A flash drive or equivalent means to transfer files between Both systems must use a wired (i.e., cable) connection on the same network. Development System Software \u00b6 Before MPS and RPS installation, install the following software on your development system: git* Docker for Windows or Docker for Linux For RPC setup, install the following software on your development system: Go* Programming Language What You'll Do \u00b6 Figure 1: Deploy microservices on a local development system as Docker containers To complete a deployment: Install the prerequisites. Pull and deploy microservices with Docker. Login to the Sample Web UI and configure profiles. Build RPC . Copy RPC to a managed device. To connect the managed device: Run RPC on a managed device. Manage the device with MPS through the Sample Web UI . These sections include instructions for Windows and Linux* environments. Run instructions in a terminal window, the Windows Command Prompt in Administrator mode or the Linux shell/terminal. Why Docker*? \u00b6 A Docker container is the instantiation of a Docker image as a virtualized unit that separates the application from the environment. Docker containers start and run reliably, securely, and portably inside different environments, eliminating some of the problems that occur with software deployment on varying platforms. Docker streamlines installation to get you up and running faster. Get more information about Docker images and containers at Docker resources. Next up \u00b6 Setup - Pull Docker* Images","title":"Prerequisites"},{"location":"GetStarted/prerequisites/#prerequisites","text":"This section contains prerequisites for deploying Open AMT Cloud Toolkit 's MPS and RPS microservices on a local development system as Docker* containers. Getting Started Part 1 : Follow along to learn about the prerequisites, environment configuration, and using Docker to get your stack started. Additional Resources: Intel vPro Platform","title":"Prerequisites"},{"location":"GetStarted/prerequisites/#what-youll-need","text":"","title":"What You'll Need"},{"location":"GetStarted/prerequisites/#hardware","text":"Configure a network that includes: A development system At least one Intel vPro\u00ae Platform A flash drive or equivalent means to transfer files between Both systems must use a wired (i.e., cable) connection on the same network.","title":"Hardware"},{"location":"GetStarted/prerequisites/#development-system-software","text":"Before MPS and RPS installation, install the following software on your development system: git* Docker for Windows or Docker for Linux For RPC setup, install the following software on your development system: Go* Programming Language","title":"Development System Software"},{"location":"GetStarted/prerequisites/#what-youll-do","text":"Figure 1: Deploy microservices on a local development system as Docker containers To complete a deployment: Install the prerequisites. Pull and deploy microservices with Docker. Login to the Sample Web UI and configure profiles. Build RPC . Copy RPC to a managed device. To connect the managed device: Run RPC on a managed device. Manage the device with MPS through the Sample Web UI . These sections include instructions for Windows and Linux* environments. Run instructions in a terminal window, the Windows Command Prompt in Administrator mode or the Linux shell/terminal.","title":"What You'll Do"},{"location":"GetStarted/prerequisites/#why-docker","text":"A Docker container is the instantiation of a Docker image as a virtualized unit that separates the application from the environment. Docker containers start and run reliably, securely, and portably inside different environments, eliminating some of the problems that occur with software deployment on varying platforms. Docker streamlines installation to get you up and running faster. Get more information about Docker images and containers at Docker resources.","title":"Why Docker*?"},{"location":"GetStarted/prerequisites/#next-up","text":"Setup - Pull Docker* Images","title":"Next up"},{"location":"GetStarted/setup/","text":"This setup runs the MPS and RPS microservices as Docker* containers, standardized packages containing an application's source code, libraries, environment, and dependencies. Get the Toolkit \u00b6 To clone the repositories: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 --recursive Change to the cloned open-amt-cloud-toolkit directory. cd open-amt-cloud-toolkit Set Environment Variables \u00b6 The .env.template file is used by docker to set environment variables. To set the environment variables: Copy the .env.template file to .env : Linux/Powershell Windows (Cmd Prompt) cp .env.template .env copy .env.template .env In a text editor or IDE of choice, open the new .env file to edit. Update the following fields for configuring the MPS , Sample Web UI , Vault and Postgres. Save and keep track of the values you choose. Field Name Required Usage MPS_COMMON_NAME Development System IP Address. For connecting to MPS server via UI or APIs. WARNING: Do not use localhost. Use the development system IP Address. MPS_WEB_ADMIN_USER Username of your choice For logging into the Sample Web UI MPS_WEB_ADMIN_PASSWORD Strong password of your choice For logging into the Sample Web UI MPS_JWT_SECRET A strong secret of your choice (Example: A unique, random 256-bit string. See another example in code snippet below ). Used when generating a JSON Web Token (JWT) for authentication. This example implementation uses a symmetrical key and HS256 to create the signature. Learn more about JWT . POSTGRES_PASSWORD Strong password of your choice For logging into the Postgres VAULT_TOKEN Strong token of your choice For logging into the vault Important - Using Strong Passwords The MPS_WEB_ADMIN_PASSWORD must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character Save the file. Set Kong JSON Web Token (JWT) \u00b6 Set the shared secret used in Kong for JWT authentication. Open the kong.yaml file. Update the secret field with your MPS_JWT_SECRET. jwt_secrets : - consumer : admin key : 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc #sample key secret : \"Yq3t6w9z$C&E)H@McQfTjWnZr4u7x!A%\" #sample secret, DO NOT use for production Save and close the file. Pull and Run the Docker Images \u00b6 Pull the Docker images from Intel's Docker Hub repository . Important for Linux - Using sudo with Docker The Docker daemon always runs as the root user and therefore requires sudo . If you do not want to preface all Docker commands with sudo , see Linux post-installation steps for Docker Engine in the Docker Documentation. docker compose pull Note for ARM - ARM-based Devices must Build Images ARM-based devices (i.e. newer-generation Mac products and others) will need to build the images rather than use the prebuilt Dockerhub images. docker compose up -d --build Note - Using SSL with Postgres Container By default in the Getting Started Guide, we do not enable an SSL connection for Postgres for ease of development. See SSL with Local Postgres for how to enable SSL in your local Postgres container. For production environments, using a cloud-hosted database with an SSL connection to MPS / RPS is highly recommended as one step to maintain a secure deployment. Read more about cloud deployments for Azure or AWS here . Start the containers. docker compose up -d Check that all the containers are running and healthy. docker ps --format \"table {{.Image}}\\t{{.Status}}\\t{{.Names}}\" Success IMAGE STATUS NAMES intel/oact-rps:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-rps-1 hashicorp/vault Up 2 minutes open-amt-cloud-toolkit-vault-1 intel/oact-mpsrouter:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-mpsrouter-1 postgres:15 Up 2 minutes ( healthy ) open-amt-cloud-toolkit-db-1 intel/oact-webui:latest Up 2 minutes open-amt-cloud-toolkit-webui-1 kong:3.1 Up 2 minutes ( healthy ) open-amt-cloud-toolkit-kong-1 intel/oact-mps:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-mps-1 Warning - Container Issues If any of the above containers are not running, walk through the steps again or file a GitHub issue here . If the kong container reloads repeatedly, verify kong.yaml edits. Misconfiguration of this file will cause the container to reload. Important - Losing Data without Prod Mode Vault Because the vault is running in a dev mode, stored secrets will be lost upon a restart, and profiles and configs must be recreated. They are not persistent in this mode. Be sure to run docker compose down -v when bringing down the stack, which removes the volumes, and start fresh upon docker compose up . To run vault in production mode, follow the guide here . Next up \u00b6 Login to Sample Web UI","title":"Set Up"},{"location":"GetStarted/setup/#get-the-toolkit","text":"To clone the repositories: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 --recursive Change to the cloned open-amt-cloud-toolkit directory. cd open-amt-cloud-toolkit","title":"Get the Toolkit"},{"location":"GetStarted/setup/#set-environment-variables","text":"The .env.template file is used by docker to set environment variables. To set the environment variables: Copy the .env.template file to .env : Linux/Powershell Windows (Cmd Prompt) cp .env.template .env copy .env.template .env In a text editor or IDE of choice, open the new .env file to edit. Update the following fields for configuring the MPS , Sample Web UI , Vault and Postgres. Save and keep track of the values you choose. Field Name Required Usage MPS_COMMON_NAME Development System IP Address. For connecting to MPS server via UI or APIs. WARNING: Do not use localhost. Use the development system IP Address. MPS_WEB_ADMIN_USER Username of your choice For logging into the Sample Web UI MPS_WEB_ADMIN_PASSWORD Strong password of your choice For logging into the Sample Web UI MPS_JWT_SECRET A strong secret of your choice (Example: A unique, random 256-bit string. See another example in code snippet below ). Used when generating a JSON Web Token (JWT) for authentication. This example implementation uses a symmetrical key and HS256 to create the signature. Learn more about JWT . POSTGRES_PASSWORD Strong password of your choice For logging into the Postgres VAULT_TOKEN Strong token of your choice For logging into the vault Important - Using Strong Passwords The MPS_WEB_ADMIN_PASSWORD must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character Save the file.","title":"Set Environment Variables"},{"location":"GetStarted/setup/#set-kong-json-web-token-jwt","text":"Set the shared secret used in Kong for JWT authentication. Open the kong.yaml file. Update the secret field with your MPS_JWT_SECRET. jwt_secrets : - consumer : admin key : 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc #sample key secret : \"Yq3t6w9z$C&E)H@McQfTjWnZr4u7x!A%\" #sample secret, DO NOT use for production Save and close the file.","title":"Set Kong JSON Web Token (JWT)"},{"location":"GetStarted/setup/#pull-and-run-the-docker-images","text":"Pull the Docker images from Intel's Docker Hub repository . Important for Linux - Using sudo with Docker The Docker daemon always runs as the root user and therefore requires sudo . If you do not want to preface all Docker commands with sudo , see Linux post-installation steps for Docker Engine in the Docker Documentation. docker compose pull Note for ARM - ARM-based Devices must Build Images ARM-based devices (i.e. newer-generation Mac products and others) will need to build the images rather than use the prebuilt Dockerhub images. docker compose up -d --build Note - Using SSL with Postgres Container By default in the Getting Started Guide, we do not enable an SSL connection for Postgres for ease of development. See SSL with Local Postgres for how to enable SSL in your local Postgres container. For production environments, using a cloud-hosted database with an SSL connection to MPS / RPS is highly recommended as one step to maintain a secure deployment. Read more about cloud deployments for Azure or AWS here . Start the containers. docker compose up -d Check that all the containers are running and healthy. docker ps --format \"table {{.Image}}\\t{{.Status}}\\t{{.Names}}\" Success IMAGE STATUS NAMES intel/oact-rps:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-rps-1 hashicorp/vault Up 2 minutes open-amt-cloud-toolkit-vault-1 intel/oact-mpsrouter:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-mpsrouter-1 postgres:15 Up 2 minutes ( healthy ) open-amt-cloud-toolkit-db-1 intel/oact-webui:latest Up 2 minutes open-amt-cloud-toolkit-webui-1 kong:3.1 Up 2 minutes ( healthy ) open-amt-cloud-toolkit-kong-1 intel/oact-mps:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-mps-1 Warning - Container Issues If any of the above containers are not running, walk through the steps again or file a GitHub issue here . If the kong container reloads repeatedly, verify kong.yaml edits. Misconfiguration of this file will cause the container to reload. Important - Losing Data without Prod Mode Vault Because the vault is running in a dev mode, stored secrets will be lost upon a restart, and profiles and configs must be recreated. They are not persistent in this mode. Be sure to run docker compose down -v when bringing down the stack, which removes the volumes, and start fresh upon docker compose up . To run vault in production mode, follow the guide here .","title":"Pull and Run the Docker Images"},{"location":"GetStarted/setup/#next-up","text":"Login to Sample Web UI","title":"Next up"},{"location":"Reference/architectureOverview/","text":"Figure 1 illustrates the high-level architecture of Open AMT Cloud Toolkit microservice architecture . Figure 1: Deploy Open AMT Cloud Toolkit Figure 1 illustrates the high-level steps for basic deployment: Deploy Microservices - Install the microservices on a development system as Docker* containers, which can run locally or on the cloud. Deploy RPC Architecture - Transfer the lightweight clients to managed devices. Configure AMT - Through the RPS , configure AMT by creating control mode profile(s). Connect AMT - Use the MPS to manage connectivity, as this microservice listens for the call home messaging of managed devices. Issue AMT Command - Send power commands (e.g., power off) through the MPS . Add AMT functionality - Explore the additional functionality provided by Open AMT Cloud Toolkit to develop your own web console or application. Out-of-band Management ( OOB Management ) \u00b6 Open AMT Cloud Toolkit uses remote management technology, also known as OOB Management , to allow administrators to perform actions on network assets or devices using a secure alternative to LAN-based communication protocols. Actions include reboot, power up, power down, system updates, and more. As long as the network device or asset is connected to power, Open AMT Cloud Toolkit software can perform remote management, including powering up as a system that is currently powered down. Remote management can offer potential cost-savings by decreasing the need for in-person technician visits to remote IT sites and reducing downtime. What's the difference between in-band and OOB Management ? \u00b6 Remote monitoring and management software solutions often require the managed devices to be in the powered on state. The IT administrator connects to and updates the managed device while it is in the powered on state. With out-of-band management, the administrator can connect to the device when it has been powered down or it is unresponsive. CIRA Configuration \u00b6 CIRA enables OOB connections between Intel\u00ae AMT platforms and administrative development systems running Open AMT on the same network. The following steps occur via a CIRA channel: A remote Intel vPro\u00ae Platform featuring Intel\u00ae AMT is activated and a CIRA configuration is applied. The remote platform is referred to as the managed device. The managed device connects to the MPS and establishes an encrypted connection using Transport Layer Security ( TLS ) The Intel vPro\u00ae Platform maintains a long standing connection with the MPS through the use of small keep-alive messages to the MPS . A management console sends a command to the MPS , via provided RESTful interfaces, with the command indicating the managed device should take some action. The MPS authenticates the RESTful command and proxies the command for the management console to the managed device. The MPS handles the authentication process with the managed device. Control Mode Profile \u00b6 Managed devices featuring Intel\u00ae AMT support two control modes: Admin Control Mode ( ACM ): In this mode, there are no limitations to Intel\u00ae AMT functionality. This reflects the higher level of trust associated with these setup methods. No user consent is required. Client Control Mode ( CCM ): This mode limits some of Intel\u00ae AMT functionality, reflecting the lower level of trust. Features requiring User Consent: Keyboard, Video, Mouse ( KVM ) Control IDE-Redirection for sharing and mounting images remotely Domains \u00b6 In addition to a CIRA Config and an ACM Profile , ACM requires the creation of a Domain Profile . Intel\u00ae AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. Intel\u00ae AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority. Power Control \u00b6 With the established CIRA channel, Open AMT Cloud Toolkit enables the administrator to manage remote devices and trigger power actions to: power up power down power up to BIOS reset reset to BIOS For more information about power states supported by the REST APIs, see Intel\u00ae AMT Implementation and Reference Guide for more details. Keyboard, Video, Mouse ( KVM ) Control \u00b6 Intel\u00ae AMT enables remote management of a device, even when the OS isn't running, through KVM over IP support. No additional equipment is needed for this feature. With KVM control, IT administrators can access and update PCs and devices as if they were onsite. It eliminates the need for remote KVM switches and other hardware. Passwords \u00b6 There are five levels of passwords: **Intel\u00ae Manageability Engine BIOS Extensions (MEBX) Password: MEBX Password - ** Use this password to secure the local Intel\u00ae MEBX menu. This password is only used when physically accessing the managed device during system boot. Access the menu with Ctrl-P on most devices. ** Sample Web UI Password: MPS_WEB_ADMIN_PASSWORD - ** Use this password when logging into the Sample Web UI . The Sample Web UI Password uses this default MPS user authentication credential when it triggers MPS to issue a JWT (JSON Web Token). In most production environments, this default credential is replaced by a more rigorous authentication protocol. Examples include OAuth2, OpenID, or an authentication service that can issue an Auth Token to be validated by the API gateway. ** ACM & CCM Profiles: AMT Password - ** RPS uses this password to activate and configure Intel\u00ae AMT . When MPS requests an action of a managed device, such as a power action, it uses this password. Intel\u00ae AMT verifies this password when it gets a command from the MPS server. **Provisioning Certificate Password - ** The AMT Provisioning certificate is a special certificate used by Intel\u00ae AMT devices to establish trust with the configuration service when activating in Admin Control Mode. RPS requires the .pfx version of this certificate along with the password used to export the .pfx certificate to perform ACM activation. ** MPS CIRA Credential: MPS_USER and MPS_PASSWORD - ** This CIRA credential is used by Intel\u00ae AMT managed devices to authenticate the MPS when establishing the CIRA connection. Multiple passwords enhance the security of Open AMT Cloud Toolkit . What Security Default Values Modify 1. Intel MEBX Password Prevention of Physical Security Violations admin In MEBX (Ctrl-P) 2. Sample Web UI Password Remote Role Management Username: standalone Password: G@ppm0ym .env file 3. ACM & CCM Profiles: AMT Password Authentication of MPS / RPS Access Not applicable. 1. Create a new profile. 2. Make an API call to update. 3. Update Vault. 4. Provisioning Certificate Password Signed Certificate Usage Not applicable. 1.Re-export certificate with another password. 2. Create a new profile. 3. Make an API call to update. 4. Update Vault. 5. MPS CIRA Credential MPS credential used by AMT Not applicable. 1. Create a new profile. 2. Make an API call to update. 3. Update Vault. Table 1: Summary of Open AMT Passwords Log Files \u00b6 Each microservice has an associated log file which can contain helpful debug information. Use docker logs to print log information to the terminal. Docker Logs \u00b6 To run docker log files in a terminal window as needed: Open a Terminal or Powershell/Command Prompt and run the command to list the containers: Linux Windows (Powershell) sudo docker ps docker ps Copy the first three digits of the container ID of interest. Run the docker logs command followed by the container ID: Linux Windows (Powershell) sudo docker logs <container ID> docker logs <container ID> See more help options for the docker logs command in Docker Documentation . Log Level \u00b6 Set the log levels in the .env file by altering the configuration levels, MPS_LOG_LEVEL and RPS_LOG_LEVEL . Find the log level descriptions in the tables contained in MPS Configuration and RPS Configuration .","title":"Architecture Overview"},{"location":"Reference/architectureOverview/#out-of-band-management-oob-management","text":"Open AMT Cloud Toolkit uses remote management technology, also known as OOB Management , to allow administrators to perform actions on network assets or devices using a secure alternative to LAN-based communication protocols. Actions include reboot, power up, power down, system updates, and more. As long as the network device or asset is connected to power, Open AMT Cloud Toolkit software can perform remote management, including powering up as a system that is currently powered down. Remote management can offer potential cost-savings by decreasing the need for in-person technician visits to remote IT sites and reducing downtime.","title":"Out-of-band Management (OOB Management)"},{"location":"Reference/architectureOverview/#whats-the-difference-between-in-band-and-oob-management","text":"Remote monitoring and management software solutions often require the managed devices to be in the powered on state. The IT administrator connects to and updates the managed device while it is in the powered on state. With out-of-band management, the administrator can connect to the device when it has been powered down or it is unresponsive.","title":"What's the difference between in-band and OOB Management?"},{"location":"Reference/architectureOverview/#cira-configuration","text":"CIRA enables OOB connections between Intel\u00ae AMT platforms and administrative development systems running Open AMT on the same network. The following steps occur via a CIRA channel: A remote Intel vPro\u00ae Platform featuring Intel\u00ae AMT is activated and a CIRA configuration is applied. The remote platform is referred to as the managed device. The managed device connects to the MPS and establishes an encrypted connection using Transport Layer Security ( TLS ) The Intel vPro\u00ae Platform maintains a long standing connection with the MPS through the use of small keep-alive messages to the MPS . A management console sends a command to the MPS , via provided RESTful interfaces, with the command indicating the managed device should take some action. The MPS authenticates the RESTful command and proxies the command for the management console to the managed device. The MPS handles the authentication process with the managed device.","title":"CIRA Configuration"},{"location":"Reference/architectureOverview/#control-mode-profile","text":"Managed devices featuring Intel\u00ae AMT support two control modes: Admin Control Mode ( ACM ): In this mode, there are no limitations to Intel\u00ae AMT functionality. This reflects the higher level of trust associated with these setup methods. No user consent is required. Client Control Mode ( CCM ): This mode limits some of Intel\u00ae AMT functionality, reflecting the lower level of trust. Features requiring User Consent: Keyboard, Video, Mouse ( KVM ) Control IDE-Redirection for sharing and mounting images remotely","title":"Control Mode Profile"},{"location":"Reference/architectureOverview/#domains","text":"In addition to a CIRA Config and an ACM Profile , ACM requires the creation of a Domain Profile . Intel\u00ae AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. Intel\u00ae AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority.","title":"Domains"},{"location":"Reference/architectureOverview/#power-control","text":"With the established CIRA channel, Open AMT Cloud Toolkit enables the administrator to manage remote devices and trigger power actions to: power up power down power up to BIOS reset reset to BIOS For more information about power states supported by the REST APIs, see Intel\u00ae AMT Implementation and Reference Guide for more details.","title":"Power Control"},{"location":"Reference/architectureOverview/#keyboard-video-mouse-kvm-control","text":"Intel\u00ae AMT enables remote management of a device, even when the OS isn't running, through KVM over IP support. No additional equipment is needed for this feature. With KVM control, IT administrators can access and update PCs and devices as if they were onsite. It eliminates the need for remote KVM switches and other hardware.","title":"Keyboard, Video, Mouse (KVM) Control"},{"location":"Reference/architectureOverview/#passwords","text":"There are five levels of passwords: **Intel\u00ae Manageability Engine BIOS Extensions (MEBX) Password: MEBX Password - ** Use this password to secure the local Intel\u00ae MEBX menu. This password is only used when physically accessing the managed device during system boot. Access the menu with Ctrl-P on most devices. ** Sample Web UI Password: MPS_WEB_ADMIN_PASSWORD - ** Use this password when logging into the Sample Web UI . The Sample Web UI Password uses this default MPS user authentication credential when it triggers MPS to issue a JWT (JSON Web Token). In most production environments, this default credential is replaced by a more rigorous authentication protocol. Examples include OAuth2, OpenID, or an authentication service that can issue an Auth Token to be validated by the API gateway. ** ACM & CCM Profiles: AMT Password - ** RPS uses this password to activate and configure Intel\u00ae AMT . When MPS requests an action of a managed device, such as a power action, it uses this password. Intel\u00ae AMT verifies this password when it gets a command from the MPS server. **Provisioning Certificate Password - ** The AMT Provisioning certificate is a special certificate used by Intel\u00ae AMT devices to establish trust with the configuration service when activating in Admin Control Mode. RPS requires the .pfx version of this certificate along with the password used to export the .pfx certificate to perform ACM activation. ** MPS CIRA Credential: MPS_USER and MPS_PASSWORD - ** This CIRA credential is used by Intel\u00ae AMT managed devices to authenticate the MPS when establishing the CIRA connection. Multiple passwords enhance the security of Open AMT Cloud Toolkit . What Security Default Values Modify 1. Intel MEBX Password Prevention of Physical Security Violations admin In MEBX (Ctrl-P) 2. Sample Web UI Password Remote Role Management Username: standalone Password: G@ppm0ym .env file 3. ACM & CCM Profiles: AMT Password Authentication of MPS / RPS Access Not applicable. 1. Create a new profile. 2. Make an API call to update. 3. Update Vault. 4. Provisioning Certificate Password Signed Certificate Usage Not applicable. 1.Re-export certificate with another password. 2. Create a new profile. 3. Make an API call to update. 4. Update Vault. 5. MPS CIRA Credential MPS credential used by AMT Not applicable. 1. Create a new profile. 2. Make an API call to update. 3. Update Vault. Table 1: Summary of Open AMT Passwords","title":"Passwords"},{"location":"Reference/architectureOverview/#log-files","text":"Each microservice has an associated log file which can contain helpful debug information. Use docker logs to print log information to the terminal.","title":"Log Files"},{"location":"Reference/architectureOverview/#docker-logs","text":"To run docker log files in a terminal window as needed: Open a Terminal or Powershell/Command Prompt and run the command to list the containers: Linux Windows (Powershell) sudo docker ps docker ps Copy the first three digits of the container ID of interest. Run the docker logs command followed by the container ID: Linux Windows (Powershell) sudo docker logs <container ID> docker logs <container ID> See more help options for the docker logs command in Docker Documentation .","title":"Docker Logs"},{"location":"Reference/architectureOverview/#log-level","text":"Set the log levels in the .env file by altering the configuration levels, MPS_LOG_LEVEL and RPS_LOG_LEVEL . Find the log level descriptions in the tables contained in MPS Configuration and RPS Configuration .","title":"Log Level"},{"location":"Reference/guids/","text":"GUIDs in Intel\u00ae AMT \u00b6 Each Intel\u00ae AMT device has a Global Unique Identifier (GUID) assigned to it by default. This GUID will be used as the reference to each device record. Typically, device GUIDs are required to perform power actions and other device-specific manageability features. There are a number of ways to obtain the GUID on the Intel\u00ae AMT device: Sample Web UI of the Open AMT Cloud Toolkit Devices API Method Via Sample Web UI \u00b6 Login to your Sample Web UI . Navigate to the Devices tab. Your AMT device's GUID is listed in the 2nd column. Figure 1: MPS Connected Device Via API Method \u00b6 A device's GUID can also be found via the AllDevices or ConnectedDevices MPS methods. Users can follow the Construct a Rest API Call tutorial on constructing and running the ConnectedDevices method as an example. Example ConnectedDevices Output: [{ \"host\" : \"d12428be-9fa1-4226-9784-54b2038beab6\" , \"amtuser\" : \"admin\" , \"mpsuser\" : \"standalone\" , \"conn\" : 1 , \"name\" : \"d12428be-9fa1-4226-9784-54b2038beab6\" }]","title":"GUIDs in Intel\u00ae AMT"},{"location":"Reference/guids/#guids-in-intel-amt","text":"Each Intel\u00ae AMT device has a Global Unique Identifier (GUID) assigned to it by default. This GUID will be used as the reference to each device record. Typically, device GUIDs are required to perform power actions and other device-specific manageability features. There are a number of ways to obtain the GUID on the Intel\u00ae AMT device: Sample Web UI of the Open AMT Cloud Toolkit Devices API Method","title":"GUIDs in Intel\u00ae AMT"},{"location":"Reference/guids/#via-sample-web-ui","text":"Login to your Sample Web UI . Navigate to the Devices tab. Your AMT device's GUID is listed in the 2nd column. Figure 1: MPS Connected Device","title":"Via Sample Web UI"},{"location":"Reference/guids/#via-api-method","text":"A device's GUID can also be found via the AllDevices or ConnectedDevices MPS methods. Users can follow the Construct a Rest API Call tutorial on constructing and running the ConnectedDevices method as an example. Example ConnectedDevices Output: [{ \"host\" : \"d12428be-9fa1-4226-9784-54b2038beab6\" , \"amtuser\" : \"admin\" , \"mpsuser\" : \"standalone\" , \"conn\" : 1 , \"name\" : \"d12428be-9fa1-4226-9784-54b2038beab6\" }]","title":"Via API Method"},{"location":"Reference/logging/","text":"Logging \u00b6 Introduction \u00b6 Microservices logging uses the Winston logging format. Log levels for both MPS and RPS microservices are controlled by the environmental variables MPS_LOG_LEVEL and RPS_LOG_LEVEL respectively. Logging levels are listed in the table below by increasing level of detail: error , warn , info , verbose , debug , and silly . Log levels \u00b6 Log level Description error only critical errors such as exceptions; 500 level api responses warn unexpected issue which don't affect service operation info service startup and shutdown messages (default level for MPS and RPS services) verbose database query messages; device heartbeat; 200 level api responses debug level useful for diagnosing issues with the services; 400 level api responses silly all logs","title":"Logging"},{"location":"Reference/logging/#logging","text":"","title":"Logging"},{"location":"Reference/logging/#introduction","text":"Microservices logging uses the Winston logging format. Log levels for both MPS and RPS microservices are controlled by the environmental variables MPS_LOG_LEVEL and RPS_LOG_LEVEL respectively. Logging levels are listed in the table below by increasing level of detail: error , warn , info , verbose , debug , and silly .","title":"Introduction"},{"location":"Reference/logging/#log-levels","text":"Log level Description error only critical errors such as exceptions; 500 level api responses warn unexpected issue which don't affect service operation info service startup and shutdown messages (default level for MPS and RPS services) verbose database query messages; device heartbeat; 200 level api responses debug level useful for diagnosing issues with the services; 400 level api responses silly all logs","title":"Log levels"},{"location":"Reference/middlewareExtensibility/","text":"Middleware extensibility allows developers to implement new middleware handlers to both MPS or RPS . By adding custom functions, MPS and RPS will process and load these during server startup. The loadCustomMiddleware function that executes on startup can be found in mps/src/server/webserver.ts or rps/src/index.ts . Example use-cases: Multitenancy Handling Custom Authentication Tokens Adding Trace IDs Debugging Requests To demonstrate the execution, we'll use an example. Let's say a custom auth token handler was implemented across all API endpoints. When a call is then made against an API endpoint, the custom handler will execute first. This handler might process the token. After executing the custom function and calling next() , API execution will then continue as normal. Add a Custom Middleware Function \u00b6 To add a new function, create a new typescript file in /src/middleware/custom/ . An example.ts file is already provided in this directory. The file must have two key parts in order to successfully load: The desired function must be exported as a default. Only the single, default function will be what is loaded into MPS or RPS . Additional functions that need to be loaded will need their own separate .ts files. Must call next() . This will allow execution to continue after processing the custom function. Multitenancy Code Example \u00b6 Implementation might vary depending on cloud provider or other 3rd party solutions. This specific example implements against Microsoft Azure and the default Open AMT components. The following code might not be a final solution, but provides a starting point and template example. The example implementation has a tenantId that is passed as part of the JWT token header when an API is called. The token is decoded and its tenantId is checked against the available tenants in MPS or RPS . This verifies that the user has the correct access to the MPS or RPS data being added, modified, or deleted. Multitenancy Example Code import { Request , Response } from 'express' import { devices } from '../../server/mpsserver' import { Environment } from '../../utils/Environment' const tenantMiddleware = ( req : Request , res : Response , next ) : void => { const jwtTokenHeader = Environment . Config . jwt_token_header ?? 'x-id-token' const token = req . headers [ jwtTokenHeader ] req . tenantId = '' if ( token != null && token !== '' ) { try { const decodedToken = Buffer . from ( token as string , 'base64' ). toString () if ( decodedToken != null && decodedToken !== '' ) { const dt = JSON . parse ( decodedToken ) const tenantProp = Environment . Config . jwt_tenant_property ?? '' req . tenantId = dt [ tenantProp ] ?? '' } } catch ( err ) { console . error ( err ) } } next () } export default tenantMiddleware After implementing the multitenancy code changes and starting the services, profiles and configs can be created by providing a tenantID as part of the API calls . Then when activating and configuring the AMT device using RPC , provide the -tenant flag with the tenantID of the profile. Find all RPC flags in the RPC CLI docs . See example command below. Linux Windows sudo ./rpc activate -u wss://server/activate -n -profile profilename -tenant profileTenantID .\\rpc activate -u wss://server/activate -n -profile profilename -tenant profileTenantID","title":"Middleware Extensibility"},{"location":"Reference/middlewareExtensibility/#add-a-custom-middleware-function","text":"To add a new function, create a new typescript file in /src/middleware/custom/ . An example.ts file is already provided in this directory. The file must have two key parts in order to successfully load: The desired function must be exported as a default. Only the single, default function will be what is loaded into MPS or RPS . Additional functions that need to be loaded will need their own separate .ts files. Must call next() . This will allow execution to continue after processing the custom function.","title":"Add a Custom Middleware Function"},{"location":"Reference/middlewareExtensibility/#multitenancy-code-example","text":"Implementation might vary depending on cloud provider or other 3rd party solutions. This specific example implements against Microsoft Azure and the default Open AMT components. The following code might not be a final solution, but provides a starting point and template example. The example implementation has a tenantId that is passed as part of the JWT token header when an API is called. The token is decoded and its tenantId is checked against the available tenants in MPS or RPS . This verifies that the user has the correct access to the MPS or RPS data being added, modified, or deleted. Multitenancy Example Code import { Request , Response } from 'express' import { devices } from '../../server/mpsserver' import { Environment } from '../../utils/Environment' const tenantMiddleware = ( req : Request , res : Response , next ) : void => { const jwtTokenHeader = Environment . Config . jwt_token_header ?? 'x-id-token' const token = req . headers [ jwtTokenHeader ] req . tenantId = '' if ( token != null && token !== '' ) { try { const decodedToken = Buffer . from ( token as string , 'base64' ). toString () if ( decodedToken != null && decodedToken !== '' ) { const dt = JSON . parse ( decodedToken ) const tenantProp = Environment . Config . jwt_tenant_property ?? '' req . tenantId = dt [ tenantProp ] ?? '' } } catch ( err ) { console . error ( err ) } } next () } export default tenantMiddleware After implementing the multitenancy code changes and starting the services, profiles and configs can be created by providing a tenantID as part of the API calls . Then when activating and configuring the AMT device using RPC , provide the -tenant flag with the tenantID of the profile. Find all RPC flags in the RPC CLI docs . See example command below. Linux Windows sudo ./rpc activate -u wss://server/activate -n -profile profilename -tenant profileTenantID .\\rpc activate -u wss://server/activate -n -profile profilename -tenant profileTenantID","title":"Multitenancy Code Example"},{"location":"Reference/powerstates/","text":"Possible power actions are listed in the tables below. Power actions are specified by number. To obtain information about power actions, use the following methods: PowerCapabilities : returns the power actions available for a specific device. PowerState : returns current power state. Start State or Current Power State Consider the current state of the system when implementing a possible action, for example: Reset to BIOS implies that the current system state is on or powered up. Power up to BIOS implies that current system state is off or powered down. Hibernate implies that the current system state is powered up. If the system is already powered up, choosing to Power Up to BIOS will not have any effect on the system. A better choice is Reset to BIOS . Out-of-band \u00b6 The power actions below can be used in-band or out-of-band. Commands 100 and above use a combination of HW level power controls (i.e., 2, 5, 8, 10) and some boot option, such as Boot to BIOS . Action # Power Action Start State Transition Description ACPI State(s) 2 Power up/on Powered down/off, Asleep, Hibernating Power up/on fully G0/S0 5 Power cycle Powered up/on Transition to minimal power state and then power up/on fully G2/S5 > G0/S0 8 Power down/off (hard) Powered up/on Transition to a fully powered down state G2/S5 10 Reset Powered up/on Perform hardware reset on the bus N/A 100 Power up to BIOS settings Powered down/off Power to BIOS to verify or modify system configuration G2/S5 101 Reset to BIOS settings Powered up/on Perform hardware reset on the bus to BIOS to verify or modify system configuration G2/S5 400 Reset to PXE Powered up/on Reset to pre-boot execution environment (PXE)(i.e., a network boot N/A 401 Power on to PXE Powered down/off Power up/on fully to pre-boot execution environment (PXE) (i.e., a network boot) N/A In-band Required \u00b6 The power actions below require an in-band agent, Local Management Service (LMS), or Intel\u00ae Integrated Management and Security Status (Intel\u00ae IMSS). LMS is a service that runs locally on an Intel AMT device and enables local management applications to send requests and receive responses to and from the device. The LMS listens for and intercepts requests directed to the Intel AMT local host and routes them to to the Management Engine via the Intel Management Engine Interface (MEI) driver. Installing LMS and Drivers The service installer is packaged with the Intel MEI drivers on the OEM websites. If Windows OS is reimaged or reinstalled, only the Intel MEI Driver is reinstalled, not LMS or IMSS. If the LMS is not installed, visit the OEM website and look for download packages for Intel\u00ae IMSS or the Intel CSME driver. Action # Power Action Start State Transition Description ACPI State(s) 4 Sleep (deep) Powered up/on Transition to a standby state of low-power usage and store system context (e.g., open applications) in memory G1/S3 7 Hibernate Powered up/on Transition to zero power usage and store system context in non-volatile storage G1/S4 12 Power down/off (soft) Powered up/on Transition to a very minimal power state G2/S5 14 Soft reset Powered up/on Perform a shutdown and then a hardware reset N/A Alternative Boot Options \u00b6 Currently, the Toolkit doesn't natively support secure erase or 200-level calls. Action # Power Action Start State Transition Description 104 Reset to secure erase Powered up/on Perform hardware reset on the bus to secure erase, a process of completely erasing a solid state drive (SSD) 200 Reset to IDE-R floppy disc Powered up/on Perform hardware reset on the bus to a peripheral IDE-R drive, usually reserved for a remote ISO boot 201 Power on to IDE-R floppy disc Powered down/off Power up/on fully to a peripheral IDE-R drive, usually reserved for a remote ISO boot 202 Reset to IDE-R CD-ROM Powered up/on Perform hardware reset on the bus to a peripheral IDE-R CD-ROM drive, usually reserved for a remote ISO boot 203 Power on to IDE-R CD-ROM Powered down/off Power up/on to the bus to a peripheral IDE-R CD-ROM drive, usually reserved for a remote ISO boot","title":"AMT Power States"},{"location":"Reference/powerstates/#out-of-band","text":"The power actions below can be used in-band or out-of-band. Commands 100 and above use a combination of HW level power controls (i.e., 2, 5, 8, 10) and some boot option, such as Boot to BIOS . Action # Power Action Start State Transition Description ACPI State(s) 2 Power up/on Powered down/off, Asleep, Hibernating Power up/on fully G0/S0 5 Power cycle Powered up/on Transition to minimal power state and then power up/on fully G2/S5 > G0/S0 8 Power down/off (hard) Powered up/on Transition to a fully powered down state G2/S5 10 Reset Powered up/on Perform hardware reset on the bus N/A 100 Power up to BIOS settings Powered down/off Power to BIOS to verify or modify system configuration G2/S5 101 Reset to BIOS settings Powered up/on Perform hardware reset on the bus to BIOS to verify or modify system configuration G2/S5 400 Reset to PXE Powered up/on Reset to pre-boot execution environment (PXE)(i.e., a network boot N/A 401 Power on to PXE Powered down/off Power up/on fully to pre-boot execution environment (PXE) (i.e., a network boot) N/A","title":"Out-of-band"},{"location":"Reference/powerstates/#in-band-required","text":"The power actions below require an in-band agent, Local Management Service (LMS), or Intel\u00ae Integrated Management and Security Status (Intel\u00ae IMSS). LMS is a service that runs locally on an Intel AMT device and enables local management applications to send requests and receive responses to and from the device. The LMS listens for and intercepts requests directed to the Intel AMT local host and routes them to to the Management Engine via the Intel Management Engine Interface (MEI) driver. Installing LMS and Drivers The service installer is packaged with the Intel MEI drivers on the OEM websites. If Windows OS is reimaged or reinstalled, only the Intel MEI Driver is reinstalled, not LMS or IMSS. If the LMS is not installed, visit the OEM website and look for download packages for Intel\u00ae IMSS or the Intel CSME driver. Action # Power Action Start State Transition Description ACPI State(s) 4 Sleep (deep) Powered up/on Transition to a standby state of low-power usage and store system context (e.g., open applications) in memory G1/S3 7 Hibernate Powered up/on Transition to zero power usage and store system context in non-volatile storage G1/S4 12 Power down/off (soft) Powered up/on Transition to a very minimal power state G2/S5 14 Soft reset Powered up/on Perform a shutdown and then a hardware reset N/A","title":"In-band Required"},{"location":"Reference/powerstates/#alternative-boot-options","text":"Currently, the Toolkit doesn't natively support secure erase or 200-level calls. Action # Power Action Start State Transition Description 104 Reset to secure erase Powered up/on Perform hardware reset on the bus to secure erase, a process of completely erasing a solid state drive (SSD) 200 Reset to IDE-R floppy disc Powered up/on Perform hardware reset on the bus to a peripheral IDE-R drive, usually reserved for a remote ISO boot 201 Power on to IDE-R floppy disc Powered down/off Power up/on fully to a peripheral IDE-R drive, usually reserved for a remote ISO boot 202 Reset to IDE-R CD-ROM Powered up/on Perform hardware reset on the bus to a peripheral IDE-R CD-ROM drive, usually reserved for a remote ISO boot 203 Power on to IDE-R CD-ROM Powered down/off Power up/on to the bus to a peripheral IDE-R CD-ROM drive, usually reserved for a remote ISO boot","title":"Alternative Boot Options"},{"location":"Reference/productionVault/","text":"Learn how to run MPS and RPS using Vault in production server mode. The current local docker-compose.yml file runs Vault in development mode which makes experimenting with the services easier since static tokens can be used for access and unsealing Vault is not required. The downside to this approach is that all Vault data is only stored in memory and is lost once the Vault container is stopped. Running Vault in production mode requires additional steps, but allows Vault data to persist on host filesystem after the container restarts. Configure the Toolkit \u00b6 Follow steps to Get the Toolkit, Set Environment Variables, and Set Kong JSON Web Token in the Get Started guide . Update the vault section in the docker-compose.yml file with the section below. vault : restart : always image : \"vault\" networks : - openamtnetwork ports : - \"8200:8200\" volumes : - private-volume:/vault/data:rw - ./vault:/vault/config:rw environment : VAULT_DEV_ROOT_TOKEN_ID : ${VAULT_TOKEN} VAULT_DEV_LISTEN_ADDRESS : 0.0.0.0:8200 cap_add : - IPC_LOCK entrypoint : vault server -config=/vault/config/vault.json Create a folder named vault located in ./open-amt-cloud-toolkit driectory and create a new file named vault.json with the contents below: { \"storage\" :{ \"file\" :{ \"path\" : \"/vault/data\" } }, \"listener\" :{ \"tcp\" :{ \"address\" : \"0.0.0.0:8200\" , \"tls_disable\" : \"true\" } }, \"default_lease_ttl\" : \"168h\" , \"max_lease_ttl\" : \"0h\" , \"ui\" : true , \"log_level\" : \"Debug\" } Run `docker compose`` to start the containers from the ./open-amt-cloud-toolkit directory. docker compose up -d --build Initialize and Unseal Vault \u00b6 Navigate to http://localhost:8200 to initialize and unseal Vault. Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down under Method Options. Click Enable Engine . Update ENV Variables \u00b6 Open your .env file. Change the SECRETS_PATH to kv/data/ . Update the VAULT_TOKEN to the Root Token generated by Vault. Example - Vault Section of .env file # VAULT SECRETS_PATH=kv/data/ VAULT_ADDRESS=http://vault:8200 VAULT_TOKEN=s.Mw7t070naY4PfyJk5KEkcX3I Rebuild and restart your Docker images and containers. docker compose up -d --build Unseal Vault at http://localhost:8200 after restarting the container. Next Steps \u00b6 Continue from the Get Started steps to log in to the Sample Web UI and activate a device.","title":"Production Mode Vault"},{"location":"Reference/productionVault/#configure-the-toolkit","text":"Follow steps to Get the Toolkit, Set Environment Variables, and Set Kong JSON Web Token in the Get Started guide . Update the vault section in the docker-compose.yml file with the section below. vault : restart : always image : \"vault\" networks : - openamtnetwork ports : - \"8200:8200\" volumes : - private-volume:/vault/data:rw - ./vault:/vault/config:rw environment : VAULT_DEV_ROOT_TOKEN_ID : ${VAULT_TOKEN} VAULT_DEV_LISTEN_ADDRESS : 0.0.0.0:8200 cap_add : - IPC_LOCK entrypoint : vault server -config=/vault/config/vault.json Create a folder named vault located in ./open-amt-cloud-toolkit driectory and create a new file named vault.json with the contents below: { \"storage\" :{ \"file\" :{ \"path\" : \"/vault/data\" } }, \"listener\" :{ \"tcp\" :{ \"address\" : \"0.0.0.0:8200\" , \"tls_disable\" : \"true\" } }, \"default_lease_ttl\" : \"168h\" , \"max_lease_ttl\" : \"0h\" , \"ui\" : true , \"log_level\" : \"Debug\" } Run `docker compose`` to start the containers from the ./open-amt-cloud-toolkit directory. docker compose up -d --build","title":"Configure the Toolkit"},{"location":"Reference/productionVault/#initialize-and-unseal-vault","text":"Navigate to http://localhost:8200 to initialize and unseal Vault. Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down under Method Options. Click Enable Engine .","title":"Initialize and Unseal Vault"},{"location":"Reference/productionVault/#update-env-variables","text":"Open your .env file. Change the SECRETS_PATH to kv/data/ . Update the VAULT_TOKEN to the Root Token generated by Vault. Example - Vault Section of .env file # VAULT SECRETS_PATH=kv/data/ VAULT_ADDRESS=http://vault:8200 VAULT_TOKEN=s.Mw7t070naY4PfyJk5KEkcX3I Rebuild and restart your Docker images and containers. docker compose up -d --build Unseal Vault at http://localhost:8200 after restarting the container.","title":"Update ENV Variables"},{"location":"Reference/productionVault/#next-steps","text":"Continue from the Get Started steps to log in to the Sample Web UI and activate a device.","title":"Next Steps"},{"location":"Reference/sslpostgresLocal/","text":"This guide will walk through how to enable an SSL connection in the Postgres Docker container. By default in the Getting Started Guide, we disable it to ease the setup process and environment for development. For production environments, using a cloud-hosted database with an SSL connection to MPS / RPS is highly recommended as one step to maintain a secure deployment. Read more about cloud deployments for Azure or AWS here . Edit 'docker-compose.yml' \u00b6 Update the RPS and MPS connection strings to no-verify instead of disable . ... environment : RPS_MPS_SERVER : http://mps:3000 RPS_SECRETS_PATH : ${SECRETS_PATH} RPS_VAULT_TOKEN : ${VAULT_TOKEN} RPS_VAULT_ADDRESS : ${VAULT_ADDRESS} RPS_CONNECTION_STRING : postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/rpsdb?sslmode=no-verify ... ... environment : MPS_INSTANCE_NAME : '{{.Task.Name}}' MPS_SECRETS_PATH : ${SECRETS_PATH} MPS_VAULT_TOKEN : ${VAULT_TOKEN} MPS_VAULT_ADDRESS : ${VAULT_ADDRESS} MPS_CONNECTION_STRING : postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/mpsdb?sslmode=no-verify ... Uncomment the command: line in the db section. ... build : context : ./pg dockerfile : ./Dockerfile command : -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key networks : - openamtnetwork ... Build Image \u00b6 Build the new Postgres image with SSL enabled. docker compose up -d --build","title":"SSL with Local Postgres"},{"location":"Reference/sslpostgresLocal/#edit-docker-composeyml","text":"Update the RPS and MPS connection strings to no-verify instead of disable . ... environment : RPS_MPS_SERVER : http://mps:3000 RPS_SECRETS_PATH : ${SECRETS_PATH} RPS_VAULT_TOKEN : ${VAULT_TOKEN} RPS_VAULT_ADDRESS : ${VAULT_ADDRESS} RPS_CONNECTION_STRING : postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/rpsdb?sslmode=no-verify ... ... environment : MPS_INSTANCE_NAME : '{{.Task.Name}}' MPS_SECRETS_PATH : ${SECRETS_PATH} MPS_VAULT_TOKEN : ${VAULT_TOKEN} MPS_VAULT_ADDRESS : ${VAULT_ADDRESS} MPS_CONNECTION_STRING : postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/mpsdb?sslmode=no-verify ... Uncomment the command: line in the db section. ... build : context : ./pg dockerfile : ./Dockerfile command : -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key networks : - openamtnetwork ...","title":"Edit 'docker-compose.yml'"},{"location":"Reference/sslpostgresLocal/#build-image","text":"Build the new Postgres image with SSL enabled. docker compose up -d --build","title":"Build Image"},{"location":"Reference/troubleshooting/","text":"The sections below detail commonly asked questions about Open AMT Cloud toolkit as well as possible errors that may occur when activating or deactivating managed devices along with some potential solutions. Can't find the answer to your questions or issue below? Reach out to the team via Discord for direct help. Or file a GitHub issue. Commonly Asked Questions \u00b6 How do releases work with Open AMT? \u00b6 Open AMT carries two releases, the Rapid (\"Monthly\") Release and the Long-Term Support (LTS) Release. Rapid Releases occur every 4-6 weeks. Support for security and bug fixes is only for the duration of that rapid release. Customers will be encouraged to move to a latest rapid release for the most up to date security and bug fixes. LTS Releases occur roughly every 1 to 1.5 years. Support for security and bug fixes exist until the next LTS version is available. At that point, we will provide migration documentation and support to help customers move over to the new LTS release. How does versioning work with Open AMT? \u00b6 Open AMT follows SemVer practices for versioning. This means: Major Version Increment - Breaking Changes (ex: 2.0.0 -> 3.0.0) Minor Version Increment - New Features (ex: 2.0.0 -> 2.1.0) Patch Version Increment - Security and Bug Fixes (ex: 2.0.0 -> 2.0.1) All microservices with the same minor version should be compatible. The separate repos for microservices and libraries are versioned individually. These versions are separate from the open-amt-cloud-toolkit repo version. The open-amt-cloud-toolkit repo is where we have the monthly release. This repo might carry a higher version than some of the individual repos but is tagged as {Month} {Year} . All sub-repos referenced within open-amt-cloud-toolkit for a specific release are guaranteed to be compatible. What versions of Intel\u00ae AMT are supported? \u00b6 Open AMT aligns to the Intel Network and Edge (NEX) Group support roadmap for Intel vPro\u00ae Platform and Intel\u00ae AMT devices. This is currently calculated as Latest AMT Version - 7 . How do I migrate versions to a new release? \u00b6 Resources and information for migrating releases for either a Kubernetes deployment or local Docker deployment can be found in the Upgrade Toolkit Version documentation . How do I find more information about the MPS and RPS configuration files and security details? \u00b6 Details and descriptions of configuration options can be found in MPS Configuration and RPS Configuration . Security information can be found in MPS Security Information and RPS Security Information . Most Common Issues \u00b6 Why does an activated device show disconnected in MPS ? \u00b6 Are your login credentials stale? Try to log out of the Sample Web UI and back in. Is your Vault service initialized and unsealed? (Only applicable if using production mode Vault) Is your CIRA certificate correct? You can verify this by going to https://[your-stack]:4433 and looking at the certificate. The Issued party should match either your IP Address or FQDN. If it is incorrect, delete your Profile and CIRA Config. Delete the existing MPS Certificate from Vault and restart the MPS service. This will generate a new, correct certificate. Then create new CIRA Config/ Profile and run RPC to reconfigure the AMT device with the new profiles. Try to unplug the ethernet or power cable of the AMT device and replug. Wait 30 seconds and refresh the Sample Web UI to see if the device has connected. Alternatively, run amtinfo via RPC to see if the status has changed to Connected. Try updating the AMT device's BIOS/AMT version. Why can't I login to the Sample Web UI ? \u00b6 Have you accepted the certificate warning? If not, re-navigate to https://[your-stack] and accept the warning. Is the Kong service running and healthy? For local deployment, does the Kong secret match in the .env and the kong.yaml files? For cloud deployment, is the Vault initialized and unsealed? Vault will reseal itself if the pod is restarted and must be unsealed again. Why does MPS or RPS show as Unhealthy \u00b6 Both MPS and RPS have health API routes that they perform as part of startup for both Docker and Kubernetes. The health check verifies that the database and Vault are both available and reachable by the microservices. If MPS or RPS return unhealthy, then one of the two, database or Vault, are unavailable. Why is there an 'Error Retrieving Device Stats' on Login? \u00b6 This warning typically means that the Sample Web UI and MPS is unable to reach the MPS database. Is the MPS service healthy? For cloud deployment, is the Kubernetes secret for the MPS DB connection string correct? For cloud deployment, is the database reachable? Is the IP Address whitelisted and correct? Why do 'Profiles/ CIRA Configs/Domains' tabs in the Sample Web UI return errors?\" \u00b6 This warning typically means that the Sample Web UI and RPS is unable to reach the RPS database. Is the RPS service healthy? For cloud deployment, is the Kubernetes secret for the RPS DB connection string correct? For cloud deployment, is the database reachable? Is the IP Address whitelisted and correct? Specific Microservice or Library Errors \u00b6 RPC \u00b6 More information about specific RPC error codes can be found in the RPC Library Documentation . Error Issue or Message Possible Solutions \"Decrypting provisioning certificate failed\" Double check the password is correct on the certificate loaded into the \"domains\" on the UI \"Exception reading from device\" If MPS and RPS are running in Docker, check to ensure Vault has been unsealed. \"Unable to connect to Local Management Service (LMS). Please ensure LMS is running\" Check to ensure no application has bound to port 16992 \"Unable to launch MicroLMS.\" Check that Intel ME is present, MEI Driver installed and run this executable as administrator Check to ensure no application has bound to port 16992 \"Device xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx activation failed. Error while adding the certificates to AMT.\" Unplug the device, from both network and power, let it sit for a while. If that doesn't work, file a github issue Device xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx activation failed. Missing DNS suffix . Run .\\rpc amtinfo and ensure there is a DNS suffix . If it is blank, double check your router settings for DHCP. Alternatively, you can override the DNS suffix with -d mycompany.com . To learn more, see DNS Suffix and Create a Profile with ACM . Error: amt password DOES NOT match stored version for Device 6c4243ba-334d-11ea-94b5-caba2a773d00 Ensure you have provided the -password flag for the -cmd you are trying to execute, and that it is the password you used when provisioning the device. Unable to connect to websocket server. Please check url. After ensuring you can reach your server. Ensure that the certificate common name on the server matches the FQDN/IP of your host address. Error while activating the AMT in admin mode. Check the logs on the RPS server. The rpc.exe fails to connect. If a device has already been provisioned, unprovision it and then reprovision. To deactivate and reactivate devices, see the Mircoservices section for RPC , RPC Activate/Deactivate Examples MPS \u00b6 Additional logging details can be enabled by modifying the log_level field in the MPS configuration. Error Issue or Message Possible Solutions Vault is empty in dev mode. Profiles and configs are not persistent in this mode. To run vault in production mode, follow the Use Docker and Vault in Production Mode . MPS is missing from list of running services. (1) Check for error messages in the logs. (2) Verify that the .env file contains correct values in each field. (3) Verify that the Kong secret provided in the .env matches the secret in kong.yaml RPS \u00b6 Additional logging details can be enabled by modifying the log_level field in the RPS configuration. Error Issue or Message Possible Solutions Create a profile fails or information cannot be read from vault. Make sure both Vault and Postgres are running. For details, see the docker ps command in Build and Run Docker Images . An error occurred during provisioning. (1) Verify that the correct certificate is being used. (2) Verify the Domain suffix. (3) Verify RPS is able to reach the AMT device. Check firewalls and pings. UI Toolkit \u00b6 If you encounter an error during the installation, verify the prerequisites and version numbers, such as Node.js* LTS, by consulting the tutorial Add MPS UI Toolkit Controls to a WebUI . If adding a control results in an error, double-check the device ID, mpsServer IP address value, and authToken. General Troubleshooting Tips \u00b6 If a configuration becomes unworkable, it may be necessary to clean up the environment by: unprovisioning, also known as deactivating, the managed device stopping all Docker services Do all the above if it becomes necessary to reset your environment completely. See instructions below. Unprovision the Managed Device: Use rpc.exe to dectivate the managed device as described in RPC Activate/Deactivate Examples . The deactivate parameter executes a full unprovision of the managed device. It is also possible to implement a full unprovision via MEBX. See Unprovisioning . Shut down Docker Services: Use docker image prune and docker image rm to stop or remove all images, containers, and volumes, as described in Build and Run Docker Images . The best practice example below stops Docker and then prunes all volumes. Example - Cleanup of Docker Images Stop Docker containers. docker compose down -v Prune the images and volumes. docker system prune -a --volumes","title":"Troubleshooting"},{"location":"Reference/troubleshooting/#commonly-asked-questions","text":"","title":"Commonly Asked Questions"},{"location":"Reference/troubleshooting/#how-do-releases-work-with-open-amt","text":"Open AMT carries two releases, the Rapid (\"Monthly\") Release and the Long-Term Support (LTS) Release. Rapid Releases occur every 4-6 weeks. Support for security and bug fixes is only for the duration of that rapid release. Customers will be encouraged to move to a latest rapid release for the most up to date security and bug fixes. LTS Releases occur roughly every 1 to 1.5 years. Support for security and bug fixes exist until the next LTS version is available. At that point, we will provide migration documentation and support to help customers move over to the new LTS release.","title":"How do releases work with Open AMT?"},{"location":"Reference/troubleshooting/#how-does-versioning-work-with-open-amt","text":"Open AMT follows SemVer practices for versioning. This means: Major Version Increment - Breaking Changes (ex: 2.0.0 -> 3.0.0) Minor Version Increment - New Features (ex: 2.0.0 -> 2.1.0) Patch Version Increment - Security and Bug Fixes (ex: 2.0.0 -> 2.0.1) All microservices with the same minor version should be compatible. The separate repos for microservices and libraries are versioned individually. These versions are separate from the open-amt-cloud-toolkit repo version. The open-amt-cloud-toolkit repo is where we have the monthly release. This repo might carry a higher version than some of the individual repos but is tagged as {Month} {Year} . All sub-repos referenced within open-amt-cloud-toolkit for a specific release are guaranteed to be compatible.","title":"How does versioning work with Open AMT?"},{"location":"Reference/troubleshooting/#what-versions-of-intel-amt-are-supported","text":"Open AMT aligns to the Intel Network and Edge (NEX) Group support roadmap for Intel vPro\u00ae Platform and Intel\u00ae AMT devices. This is currently calculated as Latest AMT Version - 7 .","title":"What versions of Intel&reg; AMT are supported?"},{"location":"Reference/troubleshooting/#how-do-i-migrate-versions-to-a-new-release","text":"Resources and information for migrating releases for either a Kubernetes deployment or local Docker deployment can be found in the Upgrade Toolkit Version documentation .","title":"How do I migrate versions to a new release?"},{"location":"Reference/troubleshooting/#how-do-i-find-more-information-about-the-mps-and-rps-configuration-files-and-security-details","text":"Details and descriptions of configuration options can be found in MPS Configuration and RPS Configuration . Security information can be found in MPS Security Information and RPS Security Information .","title":"How do I find more information about the MPS and RPS configuration files and security details?"},{"location":"Reference/troubleshooting/#most-common-issues","text":"","title":"Most Common Issues"},{"location":"Reference/troubleshooting/#why-does-an-activated-device-show-disconnected-in-mps","text":"Are your login credentials stale? Try to log out of the Sample Web UI and back in. Is your Vault service initialized and unsealed? (Only applicable if using production mode Vault) Is your CIRA certificate correct? You can verify this by going to https://[your-stack]:4433 and looking at the certificate. The Issued party should match either your IP Address or FQDN. If it is incorrect, delete your Profile and CIRA Config. Delete the existing MPS Certificate from Vault and restart the MPS service. This will generate a new, correct certificate. Then create new CIRA Config/ Profile and run RPC to reconfigure the AMT device with the new profiles. Try to unplug the ethernet or power cable of the AMT device and replug. Wait 30 seconds and refresh the Sample Web UI to see if the device has connected. Alternatively, run amtinfo via RPC to see if the status has changed to Connected. Try updating the AMT device's BIOS/AMT version.","title":"Why does an activated device show disconnected in MPS?"},{"location":"Reference/troubleshooting/#why-cant-i-login-to-the-sample-web-ui","text":"Have you accepted the certificate warning? If not, re-navigate to https://[your-stack] and accept the warning. Is the Kong service running and healthy? For local deployment, does the Kong secret match in the .env and the kong.yaml files? For cloud deployment, is the Vault initialized and unsealed? Vault will reseal itself if the pod is restarted and must be unsealed again.","title":"Why can't I login to the Sample Web UI?"},{"location":"Reference/troubleshooting/#why-does-mps-or-rps-show-as-unhealthy","text":"Both MPS and RPS have health API routes that they perform as part of startup for both Docker and Kubernetes. The health check verifies that the database and Vault are both available and reachable by the microservices. If MPS or RPS return unhealthy, then one of the two, database or Vault, are unavailable.","title":"Why does MPS or RPS show as Unhealthy"},{"location":"Reference/troubleshooting/#why-is-there-an-error-retrieving-device-stats-on-login","text":"This warning typically means that the Sample Web UI and MPS is unable to reach the MPS database. Is the MPS service healthy? For cloud deployment, is the Kubernetes secret for the MPS DB connection string correct? For cloud deployment, is the database reachable? Is the IP Address whitelisted and correct?","title":"Why is there an 'Error Retrieving Device Stats' on Login?"},{"location":"Reference/troubleshooting/#why-do-profilescira-configsdomains-tabs-in-the-sample-web-ui-return-errors","text":"This warning typically means that the Sample Web UI and RPS is unable to reach the RPS database. Is the RPS service healthy? For cloud deployment, is the Kubernetes secret for the RPS DB connection string correct? For cloud deployment, is the database reachable? Is the IP Address whitelisted and correct?","title":"Why do 'Profiles/CIRA Configs/Domains' tabs in the Sample Web UI return errors?\""},{"location":"Reference/troubleshooting/#specific-microservice-or-library-errors","text":"","title":"Specific Microservice or Library Errors"},{"location":"Reference/troubleshooting/#rpc","text":"More information about specific RPC error codes can be found in the RPC Library Documentation . Error Issue or Message Possible Solutions \"Decrypting provisioning certificate failed\" Double check the password is correct on the certificate loaded into the \"domains\" on the UI \"Exception reading from device\" If MPS and RPS are running in Docker, check to ensure Vault has been unsealed. \"Unable to connect to Local Management Service (LMS). Please ensure LMS is running\" Check to ensure no application has bound to port 16992 \"Unable to launch MicroLMS.\" Check that Intel ME is present, MEI Driver installed and run this executable as administrator Check to ensure no application has bound to port 16992 \"Device xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx activation failed. Error while adding the certificates to AMT.\" Unplug the device, from both network and power, let it sit for a while. If that doesn't work, file a github issue Device xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx activation failed. Missing DNS suffix . Run .\\rpc amtinfo and ensure there is a DNS suffix . If it is blank, double check your router settings for DHCP. Alternatively, you can override the DNS suffix with -d mycompany.com . To learn more, see DNS Suffix and Create a Profile with ACM . Error: amt password DOES NOT match stored version for Device 6c4243ba-334d-11ea-94b5-caba2a773d00 Ensure you have provided the -password flag for the -cmd you are trying to execute, and that it is the password you used when provisioning the device. Unable to connect to websocket server. Please check url. After ensuring you can reach your server. Ensure that the certificate common name on the server matches the FQDN/IP of your host address. Error while activating the AMT in admin mode. Check the logs on the RPS server. The rpc.exe fails to connect. If a device has already been provisioned, unprovision it and then reprovision. To deactivate and reactivate devices, see the Mircoservices section for RPC , RPC Activate/Deactivate Examples","title":"RPC"},{"location":"Reference/troubleshooting/#mps","text":"Additional logging details can be enabled by modifying the log_level field in the MPS configuration. Error Issue or Message Possible Solutions Vault is empty in dev mode. Profiles and configs are not persistent in this mode. To run vault in production mode, follow the Use Docker and Vault in Production Mode . MPS is missing from list of running services. (1) Check for error messages in the logs. (2) Verify that the .env file contains correct values in each field. (3) Verify that the Kong secret provided in the .env matches the secret in kong.yaml","title":"MPS"},{"location":"Reference/troubleshooting/#rps","text":"Additional logging details can be enabled by modifying the log_level field in the RPS configuration. Error Issue or Message Possible Solutions Create a profile fails or information cannot be read from vault. Make sure both Vault and Postgres are running. For details, see the docker ps command in Build and Run Docker Images . An error occurred during provisioning. (1) Verify that the correct certificate is being used. (2) Verify the Domain suffix. (3) Verify RPS is able to reach the AMT device. Check firewalls and pings.","title":"RPS"},{"location":"Reference/troubleshooting/#ui-toolkit","text":"If you encounter an error during the installation, verify the prerequisites and version numbers, such as Node.js* LTS, by consulting the tutorial Add MPS UI Toolkit Controls to a WebUI . If adding a control results in an error, double-check the device ID, mpsServer IP address value, and authToken.","title":"UI Toolkit"},{"location":"Reference/troubleshooting/#general-troubleshooting-tips","text":"If a configuration becomes unworkable, it may be necessary to clean up the environment by: unprovisioning, also known as deactivating, the managed device stopping all Docker services Do all the above if it becomes necessary to reset your environment completely. See instructions below. Unprovision the Managed Device: Use rpc.exe to dectivate the managed device as described in RPC Activate/Deactivate Examples . The deactivate parameter executes a full unprovision of the managed device. It is also possible to implement a full unprovision via MEBX. See Unprovisioning . Shut down Docker Services: Use docker image prune and docker image rm to stop or remove all images, containers, and volumes, as described in Build and Run Docker Images . The best practice example below stops Docker and then prunes all volumes. Example - Cleanup of Docker Images Stop Docker containers. docker compose down -v Prune the images and volumes. docker system prune -a --volumes","title":"General Troubleshooting Tips"},{"location":"Reference/Certificates/generateProvisioningCert/","text":"For production deployments, we highly recommend purchasing a 3rd party provisioning certificate. See all available vendors here. Warning - Custom Provisioning Certificates in Production Deployments The hash of custom provisioning certificates must be manually added to all devices that will be configured into ACM . This can be done through MEBx or USB Configuration. Both options require manual, hands-on configuration of each AMT device. Adding the hash to AMT's trusted list is a mandatory requirement for the device to successfully activate. However, some developers opt to use a custom provisioning certificate for testing and validation purposes. The steps below outline how to generate a custom certificate based on the requirements within the Intel\u00ae AMT SDK . Note - Unprovisioning will Delete Custom Hashes When a device is unprovisioned, AMT will delete and remove all hashes inserted. If you want to then activate the device again, you will have to reinsert the certificate hash again. Generate Custom Provisioning Certificate \u00b6 These steps create a certificate for a domain example.com and walk through how to successfully activate a device using the example.com DNS suffix . What You'll Need \u00b6 Software OpenSSL Configuration Files \u00b6 First, we need to prepare two files: cert.conf - Certificate configuration file. It is used to define the specific settings for the certificate. csr.conf - Certificate signing request configuration file. Create cert.conf \u00b6 Create a new file named cert.conf . Copy and paste the below example into the file. Do not remove the OID 2.16.840.1.113741.1.2.3 from the extendedKeyUsage . This is an AMT requirement. Optionally , update the [alt_names] section with your own server DNS information. cert.conf basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, 2.16.840.1.113741.1.2.3 subjectAltName = @alt_names [alt_names] DNS.1 = test.example.com DNS.2 = example.com IP.1 = 192.168.1.1 Save and close. Create csr.conf \u00b6 Create a new file named csr.conf . Copy and paste the below example into the file. Optionally , update the [dn] section and CN field with your own server FQDN and information. csr.conf [ req ] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = dn [ dn ] C = US ST = Arizona L = Chandler O = Organization OU = Department CN = test.example.com Save and close. Create the Certificate and Hash \u00b6 Open a terminal and verify OpenSSL is installed. openssl version Create a self-signed CA root certificate file named rootCA.crt with a key file named rootCA.key . openssl req -x509 -sha256 -days 3560 -nodes -newkey rsa:2048 -subj \"//SKIP=skip/CN=CA Custom Root Certificate/C=US/ST=Arizona/L=Chandler\" -keyout rootCA.key -out rootCA.crt Generate a RSA private key named server.key . openssl genrsa -out server.key 2048 Generate a Certificate Signing Request using the private key and cert.conf file. openssl req -new -key server.key -out server.csr -config csr.conf Sign the Certificate Signing Request with the CA certificate and cert.conf file. openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile cert.conf Create a .pfx file using the private key, server certificate, and CA root certificate. It will prompt to create a password. This password will be used when creating a Domain profile. openssl pkcs12 -export -out vprodemo_custom.pfx -inkey server.key -in server.crt -certfile rootCA.crt Get the SHA1 hash of the root certificate. openssl x509 -noout -fingerprint -sha1 -inform pem -in rootCA.crt Success - SHA1 Output SHA1 Fingerprint=51:45:E3:A4:AE:66:88:E0:AF:85:EC:EB:06:74:6B:8D:C3:07:C1:9D Upload Provisioning Certificate \u00b6 Create Domain Profile \u00b6 Open the Sample Web UI and Login. Create a domain profile. Upload the .pfx file and enter the password set for it. See Create a Domain Profile for more details. Insert the Hash using MEBx \u00b6 Warning - Adding Hash for AMT 16 or Newer These steps may not be exact or available within MEBx on AMT 16 or newer devices due to OEM restrictions. USB Configuration may be required. Switch to the AMT device. Restart the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen. Note - Other Keybinds to Enter MEBx The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the MEBx password. Note - Default MEBx Password for First Time Use If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Intel(r) AMT Configuration . Verify that the device is in pre-provisioning mode. If not, perform a full unprovision under Unconfigure Network Access . Select Remote Setup and Configuration . Select TLS PKI . Set the PKI DNS suffix to example.com . Or, if using a different DNS suffix , set it to that instead. See DNS Suffix for more details. Select Manage Hashes . Figure 1: Manage Hashes Press the Insert key. Provide a name for the new hash and press Enter. Insert the new SHA1 hash using the fingerprint obtained from Step 7 in Create the Certificate and Hash . The hash must be formatted as shown in example. Figure 2: Hash Input Press the Y key to set the hash as active. Press the esc key repeatedly to exit MEBx and reboot the device. Verify the Hash \u00b6 After the device reboots, open Terminal or Command Prompt as Administrator. Verify the certificate hash was inserted correctly. The new hash should be listed. Linux Windows sudo ./rpc amtinfo -cert .\\rpc amtinfo -cert Success - Hash Inserted Correctly Figure 4: Hash Output Activate the AMT device with an ACM Profile . See Create a Profile with ACM and Build & Run RPC for more details. Troubleshoot - Error During Activation The following error may occur during the first attempt at activation. time=\"2023-08-17T11:38:57-07:00\" level=trace msg=\"HTTP/1.1 200 OK\\r\\nDate: Thu, 17 Aug 2023 18:38:57 GMT\\r\\nServer: Intel(R) Active Management Technology 15.0.35.2039\\r\\nX-Frame-Options: DENY\\r\\nContent-Type: application/soap+xml; charset=UTF-8\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n043E\\r\\n<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><a:Envelope xmlns:a=\\\"http://www.w3.org/2003/05/soap-envelope\\\" xmlns:b=\\\"http://schemas.xmlsoap.org/ws/2004/08/addressing\\\" xmlns:c=\\\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\\\" xmlns:d=\\\"http://schemas.xmlsoap.org/ws/2005/02/trust\\\" xmlns:e=\\\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\\\" xmlns:f=\\\"http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd\\\" xmlns:g=\\\"http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\"><a:Header><b:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</b:To><b:RelatesTo>3</b:RelatesTo><b:Action a:mustUnderstand=\\\"true\\\">http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService/AdminSetupResponse</b:Acti\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"sending message to RPS\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"closing connection to lms\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"received messages from RPS\" time=\"2023-08-17T11:38:57-07:00\" level=error msg=\"Unknown error has occured\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"closing connection to lms\" If this error occurs, verify the device was activated successfully. rpc amtinfo If the device shows it was activated into admin control mode , rerun the activate command to successfully finish AMT configuration. During device unprovisioning, AMT will delete any inserted hashes and will have to be manually reinserted.","title":"Custom Provisioning Certificate"},{"location":"Reference/Certificates/generateProvisioningCert/#generate-custom-provisioning-certificate","text":"These steps create a certificate for a domain example.com and walk through how to successfully activate a device using the example.com DNS suffix .","title":"Generate Custom Provisioning Certificate"},{"location":"Reference/Certificates/generateProvisioningCert/#what-youll-need","text":"Software OpenSSL","title":"What You'll Need"},{"location":"Reference/Certificates/generateProvisioningCert/#configuration-files","text":"First, we need to prepare two files: cert.conf - Certificate configuration file. It is used to define the specific settings for the certificate. csr.conf - Certificate signing request configuration file.","title":"Configuration Files"},{"location":"Reference/Certificates/generateProvisioningCert/#create-certconf","text":"Create a new file named cert.conf . Copy and paste the below example into the file. Do not remove the OID 2.16.840.1.113741.1.2.3 from the extendedKeyUsage . This is an AMT requirement. Optionally , update the [alt_names] section with your own server DNS information. cert.conf basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, 2.16.840.1.113741.1.2.3 subjectAltName = @alt_names [alt_names] DNS.1 = test.example.com DNS.2 = example.com IP.1 = 192.168.1.1 Save and close.","title":"Create cert.conf"},{"location":"Reference/Certificates/generateProvisioningCert/#create-csrconf","text":"Create a new file named csr.conf . Copy and paste the below example into the file. Optionally , update the [dn] section and CN field with your own server FQDN and information. csr.conf [ req ] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = dn [ dn ] C = US ST = Arizona L = Chandler O = Organization OU = Department CN = test.example.com Save and close.","title":"Create csr.conf"},{"location":"Reference/Certificates/generateProvisioningCert/#create-the-certificate-and-hash","text":"Open a terminal and verify OpenSSL is installed. openssl version Create a self-signed CA root certificate file named rootCA.crt with a key file named rootCA.key . openssl req -x509 -sha256 -days 3560 -nodes -newkey rsa:2048 -subj \"//SKIP=skip/CN=CA Custom Root Certificate/C=US/ST=Arizona/L=Chandler\" -keyout rootCA.key -out rootCA.crt Generate a RSA private key named server.key . openssl genrsa -out server.key 2048 Generate a Certificate Signing Request using the private key and cert.conf file. openssl req -new -key server.key -out server.csr -config csr.conf Sign the Certificate Signing Request with the CA certificate and cert.conf file. openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile cert.conf Create a .pfx file using the private key, server certificate, and CA root certificate. It will prompt to create a password. This password will be used when creating a Domain profile. openssl pkcs12 -export -out vprodemo_custom.pfx -inkey server.key -in server.crt -certfile rootCA.crt Get the SHA1 hash of the root certificate. openssl x509 -noout -fingerprint -sha1 -inform pem -in rootCA.crt Success - SHA1 Output SHA1 Fingerprint=51:45:E3:A4:AE:66:88:E0:AF:85:EC:EB:06:74:6B:8D:C3:07:C1:9D","title":"Create the Certificate and Hash"},{"location":"Reference/Certificates/generateProvisioningCert/#upload-provisioning-certificate","text":"","title":"Upload Provisioning Certificate"},{"location":"Reference/Certificates/generateProvisioningCert/#create-domain-profile","text":"Open the Sample Web UI and Login. Create a domain profile. Upload the .pfx file and enter the password set for it. See Create a Domain Profile for more details.","title":"Create Domain Profile"},{"location":"Reference/Certificates/generateProvisioningCert/#insert-the-hash-using-mebx","text":"Warning - Adding Hash for AMT 16 or Newer These steps may not be exact or available within MEBx on AMT 16 or newer devices due to OEM restrictions. USB Configuration may be required. Switch to the AMT device. Restart the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen. Note - Other Keybinds to Enter MEBx The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the MEBx password. Note - Default MEBx Password for First Time Use If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Intel(r) AMT Configuration . Verify that the device is in pre-provisioning mode. If not, perform a full unprovision under Unconfigure Network Access . Select Remote Setup and Configuration . Select TLS PKI . Set the PKI DNS suffix to example.com . Or, if using a different DNS suffix , set it to that instead. See DNS Suffix for more details. Select Manage Hashes . Figure 1: Manage Hashes Press the Insert key. Provide a name for the new hash and press Enter. Insert the new SHA1 hash using the fingerprint obtained from Step 7 in Create the Certificate and Hash . The hash must be formatted as shown in example. Figure 2: Hash Input Press the Y key to set the hash as active. Press the esc key repeatedly to exit MEBx and reboot the device.","title":"Insert the Hash using MEBx"},{"location":"Reference/Certificates/generateProvisioningCert/#verify-the-hash","text":"After the device reboots, open Terminal or Command Prompt as Administrator. Verify the certificate hash was inserted correctly. The new hash should be listed. Linux Windows sudo ./rpc amtinfo -cert .\\rpc amtinfo -cert Success - Hash Inserted Correctly Figure 4: Hash Output Activate the AMT device with an ACM Profile . See Create a Profile with ACM and Build & Run RPC for more details. Troubleshoot - Error During Activation The following error may occur during the first attempt at activation. time=\"2023-08-17T11:38:57-07:00\" level=trace msg=\"HTTP/1.1 200 OK\\r\\nDate: Thu, 17 Aug 2023 18:38:57 GMT\\r\\nServer: Intel(R) Active Management Technology 15.0.35.2039\\r\\nX-Frame-Options: DENY\\r\\nContent-Type: application/soap+xml; charset=UTF-8\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n043E\\r\\n<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><a:Envelope xmlns:a=\\\"http://www.w3.org/2003/05/soap-envelope\\\" xmlns:b=\\\"http://schemas.xmlsoap.org/ws/2004/08/addressing\\\" xmlns:c=\\\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\\\" xmlns:d=\\\"http://schemas.xmlsoap.org/ws/2005/02/trust\\\" xmlns:e=\\\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\\\" xmlns:f=\\\"http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd\\\" xmlns:g=\\\"http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\"><a:Header><b:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</b:To><b:RelatesTo>3</b:RelatesTo><b:Action a:mustUnderstand=\\\"true\\\">http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService/AdminSetupResponse</b:Acti\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"sending message to RPS\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"closing connection to lms\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"received messages from RPS\" time=\"2023-08-17T11:38:57-07:00\" level=error msg=\"Unknown error has occured\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"closing connection to lms\" If this error occurs, verify the device was activated successfully. rpc amtinfo If the device shows it was activated into admin control mode , rerun the activate command to successfully finish AMT configuration. During device unprovisioning, AMT will delete any inserted hashes and will have to be manually reinserted.","title":"Verify the Hash"},{"location":"Reference/Certificates/remoteProvisioning/","text":"What is remote provisioning? \u00b6 Provisioning is the process of bringing a remote device under the management of the Management Presence Server ( MPS ). Ideally, the process activates and configures a remote device without physically touching it. To manage a device remotely, you must provision it, securely configure it using the Remote Provisioning Server ( RPS ), which communicates with the Management Presence Server ( MPS ). The table below describes the process: Step Significance to Provisioning 1. Create a Client Initiated Remote Access ( CIRA ) configuration This saved configuration will be used to configure the CIRA protocol for public cloud environments. 2. Set up the AMT Profile and choose an activation type Choose from two modes, Admin Control Mode ( ACM ) and Client Control Mode ( CCM ). If ACM is chosen, add a provisioning certificate in Step 3. CCM does not require a certificate. 3. Add a domain profile and associated signed provisioning certificate Upload a provisioning certificate. 4. Use the rpc-go client application to activate the remote device Deploy and run the client as Administrator on the desired remote platform. Leverage the profile you created in Step 2. Figure 1 illustrates the steps below. Also, see Get Started . The toolkit accomplishes secure provisioning with authentication and a secure tunnel using the Transport Layer Security ( TLS ) protocol. The authentication process involves: A provisioning certificate*: an electronic document used to establish the identity of the holder CIRA : a protocol used by the remote device to \"call home\", initiate remote connectivity, with an MPS . After a device is provisioned, the administrator can use the management console to perform different control activities, such as power actions (e.g., Reset) without an onsite visit. Figure 1: Provisioning and CIRA What about manual provisioning? \u00b6 Sometimes it's not possible to deploy the rpc-go client application to activate the device remotely. When remote provisioning is not an option, provision manually in the BIOS. To provision manually for ACM , see Set a DNS Suffix through MEBX . What is a remote provisioning certificate? \u00b6 A remote provisioning certificate is used for the activation of the remote device by the provisioning server. The activation phase of provisioning turns on or enables Intel AMT in the remote device. The Intel AMT firmware contains the root certificate hashes, TLS -based thumbprints, of participating vendors, known as certificate authorities (CA). The root certificate hash is compared with that certificate's hash. If they match, the certificate is deemed valid. Note The remote provisioning certificate is used only for initial provisioning of the device, bringing it under the management of the provisioning server. Purchase a separate certificate for website hosting. How do provisioning certificates work in the Toolkit? \u00b6 Acquire \u00b6 Purchase \u00b6 To use a provisioning certificate in the toolkit, purchase the certificate from a CA. Note You do not have to purchase a certificate for each device in a fleet. The certificate is purchased for the provisioning server. Prices vary per vendor. Comodo DigiCert Entrust GoDaddy Important - Intel AMT and using CAs For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel\u00ae AMT . Generate \u00b6 Alternatively, for development, custom provisioning certificates can be generated for use using tools like OpenSSL. See Custom Provisioning Certificate for additional details. Upload \u00b6 After purchasing a certificate: Download the personal exchange format (PFX) file. This file contains public and private objects in a single file. It also contains a certificate chain, including the public key of the root certificate, the public key the intermediate certificate, public key of the SSL certificate. Upload it during the domain profile stage of provisioning. The PFX is saved to Vault. This uploaded file is used during the activation stage. Activate \u00b6 After you switch Intel AMT on, or activate it, CIRA is configured. In order to configure CIRA , another certificate is necessary. Currently, the toolkit uses a self-signed certificate generated by MPS and stored in Vault. The certificate generation happens during deployment of the MPS . This certificate cannot be obtained from a vendor. MPS automatically loads the CIRA self-signed certificate into Vault. Intel AMT checks the common name of the self-signed certificate. It must match the one you've supplied in the CIRA Config Profile on the MPS Address line. Learn More \u00b6 Link Description An Introduction To Intel AMT Remote Configuration Selection Outlines the provisioning process. Certificate Setup and Configuration Video Describes the certificate purchase process. What is the vPro\u00ae Platform? Describes the certificate purchase process.","title":"Provisioning Certificate"},{"location":"Reference/Certificates/remoteProvisioning/#what-is-remote-provisioning","text":"Provisioning is the process of bringing a remote device under the management of the Management Presence Server ( MPS ). Ideally, the process activates and configures a remote device without physically touching it. To manage a device remotely, you must provision it, securely configure it using the Remote Provisioning Server ( RPS ), which communicates with the Management Presence Server ( MPS ). The table below describes the process: Step Significance to Provisioning 1. Create a Client Initiated Remote Access ( CIRA ) configuration This saved configuration will be used to configure the CIRA protocol for public cloud environments. 2. Set up the AMT Profile and choose an activation type Choose from two modes, Admin Control Mode ( ACM ) and Client Control Mode ( CCM ). If ACM is chosen, add a provisioning certificate in Step 3. CCM does not require a certificate. 3. Add a domain profile and associated signed provisioning certificate Upload a provisioning certificate. 4. Use the rpc-go client application to activate the remote device Deploy and run the client as Administrator on the desired remote platform. Leverage the profile you created in Step 2. Figure 1 illustrates the steps below. Also, see Get Started . The toolkit accomplishes secure provisioning with authentication and a secure tunnel using the Transport Layer Security ( TLS ) protocol. The authentication process involves: A provisioning certificate*: an electronic document used to establish the identity of the holder CIRA : a protocol used by the remote device to \"call home\", initiate remote connectivity, with an MPS . After a device is provisioned, the administrator can use the management console to perform different control activities, such as power actions (e.g., Reset) without an onsite visit. Figure 1: Provisioning and CIRA","title":"What is remote provisioning?"},{"location":"Reference/Certificates/remoteProvisioning/#what-about-manual-provisioning","text":"Sometimes it's not possible to deploy the rpc-go client application to activate the device remotely. When remote provisioning is not an option, provision manually in the BIOS. To provision manually for ACM , see Set a DNS Suffix through MEBX .","title":"What about manual provisioning?"},{"location":"Reference/Certificates/remoteProvisioning/#what-is-a-remote-provisioning-certificate","text":"A remote provisioning certificate is used for the activation of the remote device by the provisioning server. The activation phase of provisioning turns on or enables Intel AMT in the remote device. The Intel AMT firmware contains the root certificate hashes, TLS -based thumbprints, of participating vendors, known as certificate authorities (CA). The root certificate hash is compared with that certificate's hash. If they match, the certificate is deemed valid. Note The remote provisioning certificate is used only for initial provisioning of the device, bringing it under the management of the provisioning server. Purchase a separate certificate for website hosting.","title":"What is a remote provisioning certificate?"},{"location":"Reference/Certificates/remoteProvisioning/#how-do-provisioning-certificates-work-in-the-toolkit","text":"","title":"How do provisioning certificates work in the Toolkit?"},{"location":"Reference/Certificates/remoteProvisioning/#acquire","text":"","title":"Acquire"},{"location":"Reference/Certificates/remoteProvisioning/#purchase","text":"To use a provisioning certificate in the toolkit, purchase the certificate from a CA. Note You do not have to purchase a certificate for each device in a fleet. The certificate is purchased for the provisioning server. Prices vary per vendor. Comodo DigiCert Entrust GoDaddy Important - Intel AMT and using CAs For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel\u00ae AMT .","title":"Purchase"},{"location":"Reference/Certificates/remoteProvisioning/#generate","text":"Alternatively, for development, custom provisioning certificates can be generated for use using tools like OpenSSL. See Custom Provisioning Certificate for additional details.","title":"Generate"},{"location":"Reference/Certificates/remoteProvisioning/#upload","text":"After purchasing a certificate: Download the personal exchange format (PFX) file. This file contains public and private objects in a single file. It also contains a certificate chain, including the public key of the root certificate, the public key the intermediate certificate, public key of the SSL certificate. Upload it during the domain profile stage of provisioning. The PFX is saved to Vault. This uploaded file is used during the activation stage.","title":"Upload"},{"location":"Reference/Certificates/remoteProvisioning/#activate","text":"After you switch Intel AMT on, or activate it, CIRA is configured. In order to configure CIRA , another certificate is necessary. Currently, the toolkit uses a self-signed certificate generated by MPS and stored in Vault. The certificate generation happens during deployment of the MPS . This certificate cannot be obtained from a vendor. MPS automatically loads the CIRA self-signed certificate into Vault. Intel AMT checks the common name of the self-signed certificate. It must match the one you've supplied in the CIRA Config Profile on the MPS Address line.","title":"Activate"},{"location":"Reference/Certificates/remoteProvisioning/#learn-more","text":"Link Description An Introduction To Intel AMT Remote Configuration Selection Outlines the provisioning process. Certificate Setup and Configuration Video Describes the certificate purchase process. What is the vPro\u00ae Platform? Describes the certificate purchase process.","title":"Learn More"},{"location":"Reference/Certificates/tls/","text":"What is TLS ? \u00b6 Transport Layer Security ( TLS ) is a protocol used to establish encrypted communication sessions over an IP network between an application and server. As the most widely-used encryption protocol, it secures email, instant messaging, voice over IP (VoIP), HTTPS, and more. Encrypted TLS sessions promote data security and prevent tampering, eavesdropping, and other malicious activity. The protocol involves: Public-key Cryptography: public-private key pairs generated by cryptographic algorithms Digital Certificates: an electronic document used to establish identity of the holder with the use of the public key What is a TLS digital certificate? \u00b6 Electronic documents, called certificates, are issued by and purchased from Certificate Authorities (CA), organizations that comply with TLS industry regulations, requirements, and standards. When a client running a web application, such as a browser, connects to a server, the server sends a TLS certificate that can be used to verify the authenticity of a server. The web application uses certificates present on the client to establish a secure connection. There are two ways to use TLS in the toolkit: Purchase a certificate from a CA and inject it via a proxy application Generate a self-signed certificate with mesh commander There are three types of TLS certificates available for purchase from CAs: Certificate Type CA issues to Authentication Level Appropriate for Domain Validated an applicant listed in domain name's admin contact list Low Individuals and very small businesses Organization Validated an organization that submits required documentation Medium Businesses that collect sensitive data, confidential information, social media information, etc. Extended Validation an organization that submits required documentation and passes an EV validation guideline High Businesses that deal with payments, sensitive data, confidential information, etc. All certificate types use 256-bit encryption. What is a self-signed certificate? \u00b6 In addition to purchasing a certificate from a CA, it is possible to generate free self-signed certificates. Self-signed certificates offer trust value within an organization and are appropriate for development, but they are not appropriate for securing content that is presented to outside world. How does TLS work in the Toolkit? \u00b6 Intel\u00ae AMT is preloaded with TLS -based certificate thumbprints, a string of hexadecimal characters that identifies a certificate, of participating vendors. When you purchase and install a certificate from a participating vendor, you'll be able to use the toolkit to perform remote configuration. To get a list of participating vendors, see Intel Developer Zone . MPS and RPS contain TLS -based self-signed certificates that are involved in the device activation. See Remote Provisioning . Learn More \u00b6 Link Description An Introduction To Intel AMT Remote Configuration Selection Outlines the provisioning process. Certificate Setup and Configuration Video Describes the certificate purchase process.","title":"TLS Certificate"},{"location":"Reference/Certificates/tls/#what-is-tls","text":"Transport Layer Security ( TLS ) is a protocol used to establish encrypted communication sessions over an IP network between an application and server. As the most widely-used encryption protocol, it secures email, instant messaging, voice over IP (VoIP), HTTPS, and more. Encrypted TLS sessions promote data security and prevent tampering, eavesdropping, and other malicious activity. The protocol involves: Public-key Cryptography: public-private key pairs generated by cryptographic algorithms Digital Certificates: an electronic document used to establish identity of the holder with the use of the public key","title":"What is TLS?"},{"location":"Reference/Certificates/tls/#what-is-a-tls-digital-certificate","text":"Electronic documents, called certificates, are issued by and purchased from Certificate Authorities (CA), organizations that comply with TLS industry regulations, requirements, and standards. When a client running a web application, such as a browser, connects to a server, the server sends a TLS certificate that can be used to verify the authenticity of a server. The web application uses certificates present on the client to establish a secure connection. There are two ways to use TLS in the toolkit: Purchase a certificate from a CA and inject it via a proxy application Generate a self-signed certificate with mesh commander There are three types of TLS certificates available for purchase from CAs: Certificate Type CA issues to Authentication Level Appropriate for Domain Validated an applicant listed in domain name's admin contact list Low Individuals and very small businesses Organization Validated an organization that submits required documentation Medium Businesses that collect sensitive data, confidential information, social media information, etc. Extended Validation an organization that submits required documentation and passes an EV validation guideline High Businesses that deal with payments, sensitive data, confidential information, etc. All certificate types use 256-bit encryption.","title":"What is a TLS digital certificate?"},{"location":"Reference/Certificates/tls/#what-is-a-self-signed-certificate","text":"In addition to purchasing a certificate from a CA, it is possible to generate free self-signed certificates. Self-signed certificates offer trust value within an organization and are appropriate for development, but they are not appropriate for securing content that is presented to outside world.","title":"What is a self-signed certificate?"},{"location":"Reference/Certificates/tls/#how-does-tls-work-in-the-toolkit","text":"Intel\u00ae AMT is preloaded with TLS -based certificate thumbprints, a string of hexadecimal characters that identifies a certificate, of participating vendors. When you purchase and install a certificate from a participating vendor, you'll be able to use the toolkit to perform remote configuration. To get a list of participating vendors, see Intel Developer Zone . MPS and RPS contain TLS -based self-signed certificates that are involved in the device activation. See Remote Provisioning .","title":"How does TLS work in the Toolkit?"},{"location":"Reference/Certificates/tls/#learn-more","text":"Link Description An Introduction To Intel AMT Remote Configuration Selection Outlines the provisioning process. Certificate Setup and Configuration Video Describes the certificate purchase process.","title":"Learn More"},{"location":"Reference/EA/ieee8021xconfig/","text":"802.1x Configuration is a Preview Feature 802.1x Configuration feature is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub. IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It typically consists of three parts: Supplicant (Client-end User, AMT Device) Authenticator (Access Point or Switch) Authentication Server (RADIUS Server) Prerequisites \u00b6 The following are requirements to configure and connect an AMT device within an 802.1x environment. However, these are not required for the RPS profile creation steps below. Enterprise Assistant configured, running, and connected to an RPS server. Updated to latest AMT Firmware version Note - System Name Length The System Names of the AMT devices must be 15 characters or less. If the name is greater than 15 characters long, it will exceed the system name length allowed by Active Directory and Enterprise Assistant will fail to add the device. Wired 802.1x Configuration \u00b6 Only one wired IEEE8021x Config can be created (per tenant). The following steps walk through how to create the required configs and profiles. To create a Wired IEEE802.1x Config: \u00b6 Select the IEEE 802.1x tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new IEEE802.1x Config Select the Wired option. Specify a Profile Name of your choice. Select an Authentication Protocol . The following are the supported wired authentication protocols. Auth Protocol API Value Description EAP-TLS 0 Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716 . PEAPv0/EAP-MSCHAPv2 2 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 0 EAP type specified in draft-kamath-pppext-peapv0 , with Microsoft PPP CHAP Extensions, Version 2 (MSCHAPv2) as the inner authentication method. PEAPv1/EAP-GTC 3 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 1 EAP type specified in draft-josefsson-pppext-eap-tls-eap , with Generic Token Card (GTC) as the inner authentication method. EAP-FAST/GTC 5 Indicates that the desired EAP type is the Flexible Authentication Extensible Authentication Protocol EAP type specified in IETF RFC 4851 , with Generic Token Card (GTC) as the inner authentication method. EAP-FAST/TLS 10 Indicates that the desired EAP type is the Flexible Authentication EAP type specified in IETF RFC 4851 , with TLS as the inner authentication method. Optionally, change the PXE Timeout . PXE Timeout is the number of seconds in which the Intel(R) AMT will hold an authenticated 802.1X session. During the defined period, Intel(R) AMT manages the 802.1X negotiation while a PXE boot takes place. After the timeout, control of the negotiation passes to the host. Click Save. Example Wired IEEE802.1x Config Figure 2: Example Wired IEEE802.1x Config To link to an AMT Profile: \u00b6 Select the Profiles tab from the left-hand menu. Choose an existing profile or create a new one. Under Network Configuration, select the Wired 802.1x Config from the Wired 802.1x Configuration dropdown. Click Save . After creating the profile and configs, AMT can now be configured for wired 802.1x. Example ACM Profile with IEEE802.1x Figure 3: Example ACM profile with IEEE802.1x Wireless 802.1x Configuration \u00b6 There can be a maximum of 8 wireless IEEE8021x Config created (per tenant). 8 profiles is the maximum AMT can accept. The following steps walk through how to create the required configs and profiles. Select the IEEE 802.1x tab from the left-hand menu. In the top-right corner, click Add New. Figure 4: Create a new IEEE802.1x Config Select the Wireless option. Specify a Profile Name of your choice. Select an Authentication Protocol . The following are the supported wireless authentication protocols. Auth Protocol API Value Description EAP-TLS 0 Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716 . PEAPv0/EAP-MSCHAPv2 2 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 0 EAP type specified in draft-kamath-pppext-peapv0 , with Microsoft PPP CHAP Extensions, Version 2 (MSCHAPv2) as the inner authentication method. Click Save. Example Wireless IEEE802.1x Config Figure 5: Example Wireless IEEE802.1x Config To link to a Wireless Config: \u00b6 Select the Wireless tab from the left-hand menu. Choose an existing profile or create a new one. Under Authentication Method , there should now be two new options. Select either WPA IEEE 802.1x or WPA2 IEEE 802.1x . Click Save . The new wireless config can now be included in an AMT profile. After creating the profile and configs, AMT can now be configured for wireless 802.1x. Example Wireless Config with IEEE802.1x Figure 6: Example Wireless Config with IEEE802.1x","title":"802.1x Configuration"},{"location":"Reference/EA/ieee8021xconfig/#prerequisites","text":"The following are requirements to configure and connect an AMT device within an 802.1x environment. However, these are not required for the RPS profile creation steps below. Enterprise Assistant configured, running, and connected to an RPS server. Updated to latest AMT Firmware version Note - System Name Length The System Names of the AMT devices must be 15 characters or less. If the name is greater than 15 characters long, it will exceed the system name length allowed by Active Directory and Enterprise Assistant will fail to add the device.","title":"Prerequisites"},{"location":"Reference/EA/ieee8021xconfig/#wired-8021x-configuration","text":"Only one wired IEEE8021x Config can be created (per tenant). The following steps walk through how to create the required configs and profiles.","title":"Wired 802.1x Configuration"},{"location":"Reference/EA/ieee8021xconfig/#to-create-a-wired-ieee8021x-config","text":"Select the IEEE 802.1x tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new IEEE802.1x Config Select the Wired option. Specify a Profile Name of your choice. Select an Authentication Protocol . The following are the supported wired authentication protocols. Auth Protocol API Value Description EAP-TLS 0 Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716 . PEAPv0/EAP-MSCHAPv2 2 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 0 EAP type specified in draft-kamath-pppext-peapv0 , with Microsoft PPP CHAP Extensions, Version 2 (MSCHAPv2) as the inner authentication method. PEAPv1/EAP-GTC 3 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 1 EAP type specified in draft-josefsson-pppext-eap-tls-eap , with Generic Token Card (GTC) as the inner authentication method. EAP-FAST/GTC 5 Indicates that the desired EAP type is the Flexible Authentication Extensible Authentication Protocol EAP type specified in IETF RFC 4851 , with Generic Token Card (GTC) as the inner authentication method. EAP-FAST/TLS 10 Indicates that the desired EAP type is the Flexible Authentication EAP type specified in IETF RFC 4851 , with TLS as the inner authentication method. Optionally, change the PXE Timeout . PXE Timeout is the number of seconds in which the Intel(R) AMT will hold an authenticated 802.1X session. During the defined period, Intel(R) AMT manages the 802.1X negotiation while a PXE boot takes place. After the timeout, control of the negotiation passes to the host. Click Save. Example Wired IEEE802.1x Config Figure 2: Example Wired IEEE802.1x Config","title":"To create a Wired IEEE802.1x Config:"},{"location":"Reference/EA/ieee8021xconfig/#to-link-to-an-amt-profile","text":"Select the Profiles tab from the left-hand menu. Choose an existing profile or create a new one. Under Network Configuration, select the Wired 802.1x Config from the Wired 802.1x Configuration dropdown. Click Save . After creating the profile and configs, AMT can now be configured for wired 802.1x. Example ACM Profile with IEEE802.1x Figure 3: Example ACM profile with IEEE802.1x","title":"To link to an AMT Profile:"},{"location":"Reference/EA/ieee8021xconfig/#wireless-8021x-configuration","text":"There can be a maximum of 8 wireless IEEE8021x Config created (per tenant). 8 profiles is the maximum AMT can accept. The following steps walk through how to create the required configs and profiles. Select the IEEE 802.1x tab from the left-hand menu. In the top-right corner, click Add New. Figure 4: Create a new IEEE802.1x Config Select the Wireless option. Specify a Profile Name of your choice. Select an Authentication Protocol . The following are the supported wireless authentication protocols. Auth Protocol API Value Description EAP-TLS 0 Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716 . PEAPv0/EAP-MSCHAPv2 2 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 0 EAP type specified in draft-kamath-pppext-peapv0 , with Microsoft PPP CHAP Extensions, Version 2 (MSCHAPv2) as the inner authentication method. Click Save. Example Wireless IEEE802.1x Config Figure 5: Example Wireless IEEE802.1x Config","title":"Wireless 802.1x Configuration"},{"location":"Reference/EA/ieee8021xconfig/#to-link-to-a-wireless-config","text":"Select the Wireless tab from the left-hand menu. Choose an existing profile or create a new one. Under Authentication Method , there should now be two new options. Select either WPA IEEE 802.1x or WPA2 IEEE 802.1x . Click Save . The new wireless config can now be included in an AMT profile. After creating the profile and configs, AMT can now be configured for wireless 802.1x. Example Wireless Config with IEEE802.1x Figure 6: Example Wireless Config with IEEE802.1x","title":"To link to a Wireless Config:"},{"location":"Reference/EA/overview/","text":"Enterprise Assistant is a Windows application that can run as a normal application or as a background Windows service. Once setup to connect to RPS (hosted in either the cloud or enterprise), it can be used to assist with the configuration of AMT devices using TLS. Enterprise Assistant will handle certificate signing requests (CSRs) to Microsoft CA. Enterprise Assistant is based off the open-source project MeshCentral Satellite . Figure 1: Enterprise Assistant Architecture Details \u00b6 Enterprise Assistant must run on a computer that is joined to your domain and with sufficient rights that it can create LDAP computer objects. It must have access to the Domain Certificate Authority so it can request that certificates be signed. RPS can be run from either the cloud or the local enterprise network. It is suggested to run Enterprise Assistant as a normal Windows application at first to make sure everything works correctly before running it as a background Windows service. You can start by going in the \"Settings\" option in the menus. Settings are also saved in a local .config file that can be referenced when running as a background Windows service. Prerequisites \u00b6 Software \u00b6 git Microsoft* Visual Studio Services \u00b6 The following services are assumed to be configured and running in your enterprise environment. Microsoft* Certificate Authority (CA) Microsoft* Active Directory (AD) Setup \u00b6 The Enterprise Assistant repository is a codebase that needs to be compiled into a Windows executable before being able to run. Clone the Enterprise Assistant Repository. https://github.com/open-amt-cloud-toolkit/enterprise-assistant.git Open the project in Visual Studio. From the menus, choose Build > Build Solution . By default after compiling, the .exe will be saved in .\\enterprise-assistant\\bin\\Debug\\OpenAMTEnterpriseAssistant.exe . Figure 2: Enterprise Assistant Startup Configuration \u00b6 These steps assume you have either an existing, local or cloud, Open AMT deployment. Kong Configuration \u00b6 To use Enterprise Assistant with Kong API Gateway, we need to configure a new route. Open the kong.yaml file in the ./open-amt-cloud-toolkit/ directory. Uncomment the rps-ea block to enable the /ea route. # uncomment to use with enterprise assistant # - name: rps-ea # host: rps # port: 8082 # tags: # - rps # routes: # - name: rps-ea-route # strip_path: true # paths: # - /ea Restart the Kong service. Enterprise Assistant Configuration \u00b6 Open the Enterprise Assistant File > Settings menu to configure the RPS connection. Figure 3: Enterprise Assistant Settings Menu Provide the RPS Server Hostname. Enterprise Assistant communicates via Websocket. Make sure to include the route /ea (e.g. wss://192.168.1.34/ea ). The Device Name is the name used to configure the domain controller for each device account. Using Node Identifier is more secure due to the inability to be tampered with but is less friendly to maintain as a user. Security Groups will list all of the security groups of the domain controller that have been created within the Computers group. When Enterprise Assistant creates a new Computer account (like a new AMT device), it will join the selected Security Groups. Provide the Certificate Authority and click the checkmark. It will then list the available Certificate Templates to choose from. This will let you select a template specifically created for AMT. Choose how to issue the certificate. Typically, SAM Account Name is most commonly used as the Common Name . Example - Configured Settings Figure 4: Enterprise Assistant Settings Example Save the Settings. Start the connection by going to File > Local Connect . Figure 5: Enterprise Assistant Connecting to RPS After connecting, Enterprise Assistant will wait and listen for RPS to make requests to either add/revoke Computers or issue/revoke Certificates.","title":"Overview"},{"location":"Reference/EA/overview/#details","text":"Enterprise Assistant must run on a computer that is joined to your domain and with sufficient rights that it can create LDAP computer objects. It must have access to the Domain Certificate Authority so it can request that certificates be signed. RPS can be run from either the cloud or the local enterprise network. It is suggested to run Enterprise Assistant as a normal Windows application at first to make sure everything works correctly before running it as a background Windows service. You can start by going in the \"Settings\" option in the menus. Settings are also saved in a local .config file that can be referenced when running as a background Windows service.","title":"Details"},{"location":"Reference/EA/overview/#prerequisites","text":"","title":"Prerequisites"},{"location":"Reference/EA/overview/#software","text":"git Microsoft* Visual Studio","title":"Software"},{"location":"Reference/EA/overview/#services","text":"The following services are assumed to be configured and running in your enterprise environment. Microsoft* Certificate Authority (CA) Microsoft* Active Directory (AD)","title":"Services"},{"location":"Reference/EA/overview/#setup","text":"The Enterprise Assistant repository is a codebase that needs to be compiled into a Windows executable before being able to run. Clone the Enterprise Assistant Repository. https://github.com/open-amt-cloud-toolkit/enterprise-assistant.git Open the project in Visual Studio. From the menus, choose Build > Build Solution . By default after compiling, the .exe will be saved in .\\enterprise-assistant\\bin\\Debug\\OpenAMTEnterpriseAssistant.exe . Figure 2: Enterprise Assistant Startup","title":"Setup"},{"location":"Reference/EA/overview/#configuration","text":"These steps assume you have either an existing, local or cloud, Open AMT deployment.","title":"Configuration"},{"location":"Reference/EA/overview/#kong-configuration","text":"To use Enterprise Assistant with Kong API Gateway, we need to configure a new route. Open the kong.yaml file in the ./open-amt-cloud-toolkit/ directory. Uncomment the rps-ea block to enable the /ea route. # uncomment to use with enterprise assistant # - name: rps-ea # host: rps # port: 8082 # tags: # - rps # routes: # - name: rps-ea-route # strip_path: true # paths: # - /ea Restart the Kong service.","title":"Kong Configuration"},{"location":"Reference/EA/overview/#enterprise-assistant-configuration","text":"Open the Enterprise Assistant File > Settings menu to configure the RPS connection. Figure 3: Enterprise Assistant Settings Menu Provide the RPS Server Hostname. Enterprise Assistant communicates via Websocket. Make sure to include the route /ea (e.g. wss://192.168.1.34/ea ). The Device Name is the name used to configure the domain controller for each device account. Using Node Identifier is more secure due to the inability to be tampered with but is less friendly to maintain as a user. Security Groups will list all of the security groups of the domain controller that have been created within the Computers group. When Enterprise Assistant creates a new Computer account (like a new AMT device), it will join the selected Security Groups. Provide the Certificate Authority and click the checkmark. It will then list the available Certificate Templates to choose from. This will let you select a template specifically created for AMT. Choose how to issue the certificate. Typically, SAM Account Name is most commonly used as the Common Name . Example - Configured Settings Figure 4: Enterprise Assistant Settings Example Save the Settings. Start the connection by going to File > Local Connect . Figure 5: Enterprise Assistant Connecting to RPS After connecting, Enterprise Assistant will wait and listen for RPS to make requests to either add/revoke Computers or issue/revoke Certificates.","title":"Enterprise Assistant Configuration"},{"location":"Reference/MEBX/dnsSuffix/","text":"Manageability Engine BIOS Extensions (MEBX) \u00b6 Intel\u00ae MEBX allows for configuration of the Intel Manageability Engine (ME) platform. Through this interface, you can provision AMT and customize a variety of settings manually. Set a DNS Suffix through MEBX \u00b6 If DHCP option15 is not set, configure the DNS Suffix manually through MEBX. This enables the reactivation of the device remotely at a later time. Important MEBX Must Be Enabled in the BIOS The MEBX screens must be enabled in the BIOS to perform the instructions below. Enter the BIOS configuration at boot to verify MEBX availability. Enable according to manufacturers instructions. To configure the DNS Suffix in the BIOS: Restart or power on the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen. Note The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the AMT password. Note If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Remote Setup and Configuration . Select TLS PKI . Select PKI DNS Suffix . Provide a DNS suffix name and press Enter . Press Esc three times to reach the main menu. Select MEBX Exit , and then press y to confirm the exit.","title":"DNS Suffix"},{"location":"Reference/MEBX/dnsSuffix/#manageability-engine-bios-extensions-mebx","text":"Intel\u00ae MEBX allows for configuration of the Intel Manageability Engine (ME) platform. Through this interface, you can provision AMT and customize a variety of settings manually.","title":"Manageability Engine BIOS Extensions (MEBX)"},{"location":"Reference/MEBX/dnsSuffix/#set-a-dns-suffix-through-mebx","text":"If DHCP option15 is not set, configure the DNS Suffix manually through MEBX. This enables the reactivation of the device remotely at a later time. Important MEBX Must Be Enabled in the BIOS The MEBX screens must be enabled in the BIOS to perform the instructions below. Enter the BIOS configuration at boot to verify MEBX availability. Enable according to manufacturers instructions. To configure the DNS Suffix in the BIOS: Restart or power on the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen. Note The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the AMT password. Note If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Remote Setup and Configuration . Select TLS PKI . Select PKI DNS Suffix . Provide a DNS suffix name and press Enter . Press Esc three times to reach the main menu. Select MEBX Exit , and then press y to confirm the exit.","title":"Set a DNS Suffix through MEBX"},{"location":"Reference/MEBX/unprovision/","text":"Manageability Engine BIOS Extensions (MEBX) \u00b6 Intel\u00ae MEBX allows for configuration of the Intel Manageability Engine (ME) platform. Use this interface to provision and unprovision AMT. It also provides a variety of settings to configure manually. Use the unprovision functionality to remove a device from MPS control. Unprovision an AMT Device Through MEBX \u00b6 To unprovision in the BIOS: Restart or power on the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen Note The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the AMT password. Note If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Intel AMT configuration . Select Unconfigure Network access . Select Full unprovision , and then press y to continue It takes 30 seconds to a minute to unprovision the device. While it is unprovisioning, the up/down arrow keys will not work.","title":"Unprovisioning"},{"location":"Reference/MEBX/unprovision/#manageability-engine-bios-extensions-mebx","text":"Intel\u00ae MEBX allows for configuration of the Intel Manageability Engine (ME) platform. Use this interface to provision and unprovision AMT. It also provides a variety of settings to configure manually. Use the unprovision functionality to remove a device from MPS control.","title":"Manageability Engine BIOS Extensions (MEBX)"},{"location":"Reference/MEBX/unprovision/#unprovision-an-amt-device-through-mebx","text":"To unprovision in the BIOS: Restart or power on the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen Note The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the AMT password. Note If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Intel AMT configuration . Select Unconfigure Network access . Select Full unprovision , and then press y to continue It takes 30 seconds to a minute to unprovision the device. While it is unprovisioning, the up/down arrow keys will not work.","title":"Unprovision an AMT Device Through MEBX"},{"location":"Reference/MPS/configuration/","text":"MPS Configuration Options \u00b6 Environment Variable Default Description MPS_IMAGE mps-microservice:v1 Only used when using docker-compose.yml. Specifies image to use for MPS MPS_USE_VAULT true Whether or not the vault should be used MPS_VAULT_ADDRESS http://vault:8200 Address of where the vault is hosted MPS_VAULT_TOKEN myroot Token used to access the vault MPS_SECRETS_PATH secret/data/ Path to where secrets are stored in the vault MPS_GENERATE_CERTS true Enables/Disables generation of self signed certificates based on MPS_COMMON_NAME MPS_COMMON_NAME localhost Development system's IP address. Note: For this guide, you cannot use localhost because the managed device would be unable to reach the MPS and RPS servers. MPS_PORT 4433 MPS_WEB_PORT 3000 MPS_WEB_ADMIN_USER n/a Specifies the username for API authentication MPS_WEB_ADMIN_PASSWORD n/a Specifies the password for API authentication MPS_WEB_AUTH_ENABLED n/a Specifies whether or not to enable MPS authentication MPS_HTTPS true Specifies whether or not to enable https MPS_TLS_OFFLOAD false MPS_LOG_LEVEL info Controls the level of logging provided in the service. Options are (in order of increasing detail): error , warn , info , verbose , debug , and silly . MPS_JWT_SECRET n/a Secret used for generating a JWT Token. IMPORTANT: This must match the secret in your Kong.yaml file for the jwt plugin configuration. MPS_JWT_ISSUER 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc The issuer that will be populated in the token. This is a not considered a secret. IMPORTANT: This must match the key: property in the Kong.yaml file for the jwt plugin configuration. MPS_JWT_EXPIRATION 1440 The default expiration in minutes for the JWT Token. Default is 24 hours. MPS_MQTT_ADDRESS No Value Address of where the mqtt broker is hosted. Mqtt container is named mosquitto and is open to port 8883 . Thus unless setting are changed the value should be either empty (off) or mqtt://mosquitto:8883 (on) MPS_CONNECTION_STRING postgresql://postgresadmin@localhost:5432/mpsdb?sslmode=no-verify The database connection string","title":"Configuration"},{"location":"Reference/MPS/configuration/#mps-configuration-options","text":"Environment Variable Default Description MPS_IMAGE mps-microservice:v1 Only used when using docker-compose.yml. Specifies image to use for MPS MPS_USE_VAULT true Whether or not the vault should be used MPS_VAULT_ADDRESS http://vault:8200 Address of where the vault is hosted MPS_VAULT_TOKEN myroot Token used to access the vault MPS_SECRETS_PATH secret/data/ Path to where secrets are stored in the vault MPS_GENERATE_CERTS true Enables/Disables generation of self signed certificates based on MPS_COMMON_NAME MPS_COMMON_NAME localhost Development system's IP address. Note: For this guide, you cannot use localhost because the managed device would be unable to reach the MPS and RPS servers. MPS_PORT 4433 MPS_WEB_PORT 3000 MPS_WEB_ADMIN_USER n/a Specifies the username for API authentication MPS_WEB_ADMIN_PASSWORD n/a Specifies the password for API authentication MPS_WEB_AUTH_ENABLED n/a Specifies whether or not to enable MPS authentication MPS_HTTPS true Specifies whether or not to enable https MPS_TLS_OFFLOAD false MPS_LOG_LEVEL info Controls the level of logging provided in the service. Options are (in order of increasing detail): error , warn , info , verbose , debug , and silly . MPS_JWT_SECRET n/a Secret used for generating a JWT Token. IMPORTANT: This must match the secret in your Kong.yaml file for the jwt plugin configuration. MPS_JWT_ISSUER 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc The issuer that will be populated in the token. This is a not considered a secret. IMPORTANT: This must match the key: property in the Kong.yaml file for the jwt plugin configuration. MPS_JWT_EXPIRATION 1440 The default expiration in minutes for the JWT Token. Default is 24 hours. MPS_MQTT_ADDRESS No Value Address of where the mqtt broker is hosted. Mqtt container is named mosquitto and is open to port 8883 . Thus unless setting are changed the value should be either empty (off) or mqtt://mosquitto:8883 (on) MPS_CONNECTION_STRING postgresql://postgresadmin@localhost:5432/mpsdb?sslmode=no-verify The database connection string","title":"MPS Configuration Options"},{"location":"Reference/MPS/securityMPS/","text":"MPS Security Considerations \u00b6 The cloud agnostic microservice Management Presence Server ( MPS ) enables platforms featuring Intel\u00ae AMT to connect over the internet securely to manageability consoles. Secrets are used to ensure the security of the MPS REST APIs. In a deployment environment, consider these security assets: Intel\u00ae AMT remote admin credentials Intel\u00ae AMT CIRA credentials Authorize API end point Server Configuration Web User Credentials In addition to the above assets, there are best practices that are recommended to help secure these assets as they are used within the system. The following sections will cover each asset and the recommended practices to use to protect the assets. Security Assets \u00b6 1. Intel\u00ae AMT remote admin credentials \u00b6 Intel\u00ae AMT remote admin credentials enable a user to remotely control a device featuring Intel\u00ae AMT. These credentials are configured in AMT Firmware by a configuration server (e.g., RPS ). When an administrator performs a REST API call, such as a power off action to the managed device, MPS fetches the corresponding credentials of that device from the configured secrets store (e.g., Vault). MPS uses the fetched secret as part of digest authentication with Intel\u00ae AMT. Intel discourages reuse of passwords among managed devices. Use a strong, unique password for each device to enhance security. 2. Intel\u00ae AMT CIRA credentials \u00b6 When a managed device attempts to establish a connection to the MPS , the MPS performs two checks prior to allowing the connection: 1. The Intel\u00ae AMT device's GUID: This GUID must be stored in the MPS database and is typically added by using the devices POST API. 2. MPS CIRA Credential: The Intel\u00ae AMT device needs to supply the correct credentials to MPS . These credentials are checked against the username, stored in the database, and password, stored in Vault. Use a strong, unique password for each device to enhance security. 3. Authorize API end point \u00b6 MPS supports basic user authentication to the REST APIs with an Authorize API endpoint for issuing a JSON Web Token (JWT). This eliminates the need to set up a full user authentication service before evaluating the software and enables developers to use the microservices right away. However, in a production deployment, use a robust user authentication service (e.g., OAuth2, OpenID, LDAP) and disable the Authorize API endpoint by leaving the MPS Web User credentials blank in the MPS configuration file. 4. Server Configuration \u00b6 To use secure protocols, MPS requires configured certificates and securely stored certificate keys. If the keys are compromised, an attacker will be able to decrypt messages that are encrypted with these certificates. For evaluation purposes, MPS will generate self-signed certificates used for encryption. For production deployment, purchase CA-signed certificates whose signatures can be independently verified. 5. Web User Credentials \u00b6 The Open AMT Cloud Toolkit is designed to operate behind an API gateway, such as Kong API Gateway. The API Gateway validates the Auth Tokens provided by an administrator who is requesting access to an API end point. Once verified, the API Gateway will forward the request to the appropriate microservice, MPS or RPS . To make evaluation easy, MPS has implemented an Authorize API end point that will issue a JWT when the proper web user credentials are provided. The Web User credentials are global credentials that are configured in the MPS configuration file and do not provide any fine-grain permissions. Integration with other user authentication models and fine-grain endpoint permissions are supported through Kong plug-ins and modification of the Kong API Gateway configuration file, respectively. Best Known Security Methods \u00b6 1. Enable TLS on Network Connections \u00b6 There are three potential places where TLS could be enabled to protect the security assets: HTTPS/WSS connection between Web UI and MPS (recommended) Connection between MPS and Vault - If communication between MPS and Vault is outside a secure container environment (not recommended deployment, see item 2 below) Connection between MPS and Intel\u00ae AMT device (required and done automatically by MPS ) Securing these communication routes will help prevent security assets being exposed through network based attacks intercepting messages between components. It is recommended that the most modern version of TLS be used when encrypting communication. 2. Secure and Isolate Execution Environment \u00b6 MPS holds several security assets in memory during execution. To protect these assets while in the memory of MPS , run MPS in a secure execution environment such as a dedicated container. Deploying into a secure container environment eases the burden of individually securing the assets while in memory or in transit between Open AMT Cloud Toolkit services. Running MPS , RPS , API Gateway, MPS Router, Vault, and Database all within the same secure container instance will help ensure that the communication between these services remains secure. 3. Use Vault for Storing Credentials \u00b6 Vault is a tool used to secure, store, and tightly control access to secrets. Utilizing Vault to store passwords used by MPS will greatly increase the security of these assets. 4. Use Kubernetes Secrets for Storing Dynamic Configuration Values \u00b6 Kubernetes Secrets help you to store and manage sensitive information like Tokens. Use Kubernetes secrets for storing environment variables required for configuring MPS rather than putting them in the image/pod. Vault token, Session secret key, and Server configuration assets required for MPS should be stored in Kubernetes secrets.","title":"Security Information"},{"location":"Reference/MPS/securityMPS/#mps-security-considerations","text":"The cloud agnostic microservice Management Presence Server ( MPS ) enables platforms featuring Intel\u00ae AMT to connect over the internet securely to manageability consoles. Secrets are used to ensure the security of the MPS REST APIs. In a deployment environment, consider these security assets: Intel\u00ae AMT remote admin credentials Intel\u00ae AMT CIRA credentials Authorize API end point Server Configuration Web User Credentials In addition to the above assets, there are best practices that are recommended to help secure these assets as they are used within the system. The following sections will cover each asset and the recommended practices to use to protect the assets.","title":"MPS Security Considerations"},{"location":"Reference/MPS/securityMPS/#security-assets","text":"","title":"Security Assets"},{"location":"Reference/MPS/securityMPS/#1-intel-amt-remote-admin-credentials","text":"Intel\u00ae AMT remote admin credentials enable a user to remotely control a device featuring Intel\u00ae AMT. These credentials are configured in AMT Firmware by a configuration server (e.g., RPS ). When an administrator performs a REST API call, such as a power off action to the managed device, MPS fetches the corresponding credentials of that device from the configured secrets store (e.g., Vault). MPS uses the fetched secret as part of digest authentication with Intel\u00ae AMT. Intel discourages reuse of passwords among managed devices. Use a strong, unique password for each device to enhance security.","title":"1. Intel&reg; AMT remote admin credentials"},{"location":"Reference/MPS/securityMPS/#2-intel-amt-cira-credentials","text":"When a managed device attempts to establish a connection to the MPS , the MPS performs two checks prior to allowing the connection: 1. The Intel\u00ae AMT device's GUID: This GUID must be stored in the MPS database and is typically added by using the devices POST API. 2. MPS CIRA Credential: The Intel\u00ae AMT device needs to supply the correct credentials to MPS . These credentials are checked against the username, stored in the database, and password, stored in Vault. Use a strong, unique password for each device to enhance security.","title":"2. Intel&reg; AMT CIRA credentials"},{"location":"Reference/MPS/securityMPS/#3-authorize-api-end-point","text":"MPS supports basic user authentication to the REST APIs with an Authorize API endpoint for issuing a JSON Web Token (JWT). This eliminates the need to set up a full user authentication service before evaluating the software and enables developers to use the microservices right away. However, in a production deployment, use a robust user authentication service (e.g., OAuth2, OpenID, LDAP) and disable the Authorize API endpoint by leaving the MPS Web User credentials blank in the MPS configuration file.","title":"3. Authorize API end point"},{"location":"Reference/MPS/securityMPS/#4-server-configuration","text":"To use secure protocols, MPS requires configured certificates and securely stored certificate keys. If the keys are compromised, an attacker will be able to decrypt messages that are encrypted with these certificates. For evaluation purposes, MPS will generate self-signed certificates used for encryption. For production deployment, purchase CA-signed certificates whose signatures can be independently verified.","title":"4. Server Configuration"},{"location":"Reference/MPS/securityMPS/#5-web-user-credentials","text":"The Open AMT Cloud Toolkit is designed to operate behind an API gateway, such as Kong API Gateway. The API Gateway validates the Auth Tokens provided by an administrator who is requesting access to an API end point. Once verified, the API Gateway will forward the request to the appropriate microservice, MPS or RPS . To make evaluation easy, MPS has implemented an Authorize API end point that will issue a JWT when the proper web user credentials are provided. The Web User credentials are global credentials that are configured in the MPS configuration file and do not provide any fine-grain permissions. Integration with other user authentication models and fine-grain endpoint permissions are supported through Kong plug-ins and modification of the Kong API Gateway configuration file, respectively.","title":"5. Web User Credentials"},{"location":"Reference/MPS/securityMPS/#best-known-security-methods","text":"","title":"Best Known Security Methods"},{"location":"Reference/MPS/securityMPS/#1-enable-tls-on-network-connections","text":"There are three potential places where TLS could be enabled to protect the security assets: HTTPS/WSS connection between Web UI and MPS (recommended) Connection between MPS and Vault - If communication between MPS and Vault is outside a secure container environment (not recommended deployment, see item 2 below) Connection between MPS and Intel\u00ae AMT device (required and done automatically by MPS ) Securing these communication routes will help prevent security assets being exposed through network based attacks intercepting messages between components. It is recommended that the most modern version of TLS be used when encrypting communication.","title":"1. Enable TLS on Network Connections"},{"location":"Reference/MPS/securityMPS/#2-secure-and-isolate-execution-environment","text":"MPS holds several security assets in memory during execution. To protect these assets while in the memory of MPS , run MPS in a secure execution environment such as a dedicated container. Deploying into a secure container environment eases the burden of individually securing the assets while in memory or in transit between Open AMT Cloud Toolkit services. Running MPS , RPS , API Gateway, MPS Router, Vault, and Database all within the same secure container instance will help ensure that the communication between these services remains secure.","title":"2. Secure and Isolate Execution Environment"},{"location":"Reference/MPS/securityMPS/#3-use-vault-for-storing-credentials","text":"Vault is a tool used to secure, store, and tightly control access to secrets. Utilizing Vault to store passwords used by MPS will greatly increase the security of these assets.","title":"3. Use Vault for Storing Credentials"},{"location":"Reference/MPS/securityMPS/#4-use-kubernetes-secrets-for-storing-dynamic-configuration-values","text":"Kubernetes Secrets help you to store and manage sensitive information like Tokens. Use Kubernetes secrets for storing environment variables required for configuring MPS rather than putting them in the image/pod. Vault token, Session secret key, and Server configuration assets required for MPS should be stored in Kubernetes secrets.","title":"4. Use Kubernetes Secrets for Storing Dynamic Configuration Values"},{"location":"Reference/MQTT/customMqttEvents/","text":"RPS and MPS microservices can publish event messages through an MQTT Broker. The following instructions demonstrate how to add, remove, or edit the events published by the server. To learn more about subscribing to these events, see Viewing MQTT Events . Three main components can be manipulated within the MQTT event flow: Individual events throughout MPS and RPS MqttProvider class MQTT broker Individual Events \u00b6 Add Events \u00b6 To add an event: Import MqttProvider class. Use the publishEvent method to add RPS or MPS events. Example: import { MqttProvider } from '../../utils/mqttProvider' MqttProvider . publishEvent ( 'success' , [ 'Example' ], 'Hello World' , guid ) The publishEvent method parameters: Parameter Description message type string designating the message type array of methods methods associated with the message message string message to be published by the event broker GUID device GUID (optional) Note Learn more about publishEvent in the MqttProvider Class . Edit or Delete Events \u00b6 A number of default events have been added to RPS and MPS , such as API calls and action events. Edit or delete any events that are unnecessary or irrelevant for your deployment. Note Event publishing operates independently of the microservices. It will function normally with the addition, adaptation, or deletion of any individual events. MqttProvider Class \u00b6 Connect \u00b6 The MqttProvider class handles the interactions with the MQTT Broker. To establish a connection with the broker: Open the index.ts file of RPS or MPS . Add the following: const mqtt : MqttProvider = new MqttProvider ( config ) mqtt . connectBroker () The connectBroker method creates the connection between a client, stored in the class, and the mosquitto docker container, which acts as the MQTT Broker. The instance of the class, after it has been created and connected, is stored as a static object within the class. This storage enables access to the methods in the class with a simple import rather than passing the instance to MPS or RPS . The config parameter contains the config types of MPS and RPS . MqttProvider uses the MQTT_ADDRESS environment variable to establish a connection. Important The MQTT_ADDRESS environment variables for MPS and RPS are left blank in the .env.template file. This corresponds to the OFF state. To turn event logging with mosquitto ON provide the address of the MQTT Broker, mqtt://mosquitto:8883 , to the MPS_MQTT_ADDRESS and RPS_MQTT_ADDRESS environment variables. Usage \u00b6 The publishEvent method publishes events to the MQTT Broker where subscribers can access event data. The method accepts information about an event, organizes it, adds a timestamp, and sends it to the MQTT Broker. Expand the setup by changing the parameters and the elements within OpenAMTEvent , the interface used to organize the message, or by adding new methods. Indicate information you'd like to receive by subscribing to Topics, which are organized in a directory-like structure. Topics enable administrators to narrow eventing to subjects of interest. Example message type 'success' message: 'CarStarted' topic: cars/ford Subscribers of # , cars or cars/ford receive the above message while subscribers of trucks or cars/ferrari will not. Use publish to send a message to the MQTT Broker and supply a topic as the first argument. Currently, the topic is hard-coded to a default value. Alter this value by adding a parameter, tying the topic to existing parameters, or create different publishEvent methods that correspond to different topics. MQTT Broker \u00b6 The Broker for MQTT messages runs as the Docker* container mosquitto with the image eclipse-mosquitto:latest . Make changes to the functionality of the Broker through mosquitto.conf . Most of the Broker setup has been left in its default state but more information about customizing the broker can be found here .","title":"Customizing MQTT Events"},{"location":"Reference/MQTT/customMqttEvents/#individual-events","text":"","title":"Individual Events"},{"location":"Reference/MQTT/customMqttEvents/#add-events","text":"To add an event: Import MqttProvider class. Use the publishEvent method to add RPS or MPS events. Example: import { MqttProvider } from '../../utils/mqttProvider' MqttProvider . publishEvent ( 'success' , [ 'Example' ], 'Hello World' , guid ) The publishEvent method parameters: Parameter Description message type string designating the message type array of methods methods associated with the message message string message to be published by the event broker GUID device GUID (optional) Note Learn more about publishEvent in the MqttProvider Class .","title":"Add Events"},{"location":"Reference/MQTT/customMqttEvents/#edit-or-delete-events","text":"A number of default events have been added to RPS and MPS , such as API calls and action events. Edit or delete any events that are unnecessary or irrelevant for your deployment. Note Event publishing operates independently of the microservices. It will function normally with the addition, adaptation, or deletion of any individual events.","title":"Edit or Delete Events"},{"location":"Reference/MQTT/customMqttEvents/#mqttprovider-class","text":"","title":"MqttProvider Class"},{"location":"Reference/MQTT/customMqttEvents/#connect","text":"The MqttProvider class handles the interactions with the MQTT Broker. To establish a connection with the broker: Open the index.ts file of RPS or MPS . Add the following: const mqtt : MqttProvider = new MqttProvider ( config ) mqtt . connectBroker () The connectBroker method creates the connection between a client, stored in the class, and the mosquitto docker container, which acts as the MQTT Broker. The instance of the class, after it has been created and connected, is stored as a static object within the class. This storage enables access to the methods in the class with a simple import rather than passing the instance to MPS or RPS . The config parameter contains the config types of MPS and RPS . MqttProvider uses the MQTT_ADDRESS environment variable to establish a connection. Important The MQTT_ADDRESS environment variables for MPS and RPS are left blank in the .env.template file. This corresponds to the OFF state. To turn event logging with mosquitto ON provide the address of the MQTT Broker, mqtt://mosquitto:8883 , to the MPS_MQTT_ADDRESS and RPS_MQTT_ADDRESS environment variables.","title":"Connect"},{"location":"Reference/MQTT/customMqttEvents/#usage","text":"The publishEvent method publishes events to the MQTT Broker where subscribers can access event data. The method accepts information about an event, organizes it, adds a timestamp, and sends it to the MQTT Broker. Expand the setup by changing the parameters and the elements within OpenAMTEvent , the interface used to organize the message, or by adding new methods. Indicate information you'd like to receive by subscribing to Topics, which are organized in a directory-like structure. Topics enable administrators to narrow eventing to subjects of interest. Example message type 'success' message: 'CarStarted' topic: cars/ford Subscribers of # , cars or cars/ford receive the above message while subscribers of trucks or cars/ferrari will not. Use publish to send a message to the MQTT Broker and supply a topic as the first argument. Currently, the topic is hard-coded to a default value. Alter this value by adding a parameter, tying the topic to existing parameters, or create different publishEvent methods that correspond to different topics.","title":"Usage "},{"location":"Reference/MQTT/customMqttEvents/#mqtt-broker","text":"The Broker for MQTT messages runs as the Docker* container mosquitto with the image eclipse-mosquitto:latest . Make changes to the functionality of the Broker through mosquitto.conf . Most of the Broker setup has been left in its default state but more information about customizing the broker can be found here .","title":"MQTT Broker"},{"location":"Reference/MQTT/viewMqttEvents/","text":"Event Monitoring with MQTT ( MQTT Eventing) \u00b6 Open AMT Cloud Toolkit supports Eventing using Message Queuing Telemetry Transport ( MQTT ), an IoT publish-and-subscribe network protocol. With MQTT Eventing, administrators can subscribe to specific topics, categories of events, for server event monitoring. This eliminates the need to query or poll MPS to determine network events, such as a device's activation or deactivation. Administrators can subscribe to events and respond proactively. Important Currently, the implementation publishes all MPS and RPS REST API call events to the MQTT Broker. Figure 1: MQTT Eventing Examples MPS and RPS send JSON events to a Mosquitto* broker deployed as a Docker container. Administrators subscribe to the broker. As shown in Figure 1, proactive notifications are published in the MQTT Broker container. Set Up MQTT Support \u00b6 To enable support: This guide assumes you have completed the Getting Started Guide and have Open AMT currently running in Docker containers. If not, follow the Get Started Guide Setup page . Stop and return here after the your services are running. In a text editor or IDE of choice, open the .env file to edit. Update the following fields. The mqtt: prefix indicates an MQTT broker is being used. Kong* will now route event messages to port 8883. Field Name Set to: RPS_MQTT_ADDRESS mqtt://mosquitto:8883 MPS_MQTT_ADDRESS mqtt://mosquitto:8883 Save and close the file. Pull the Mosquitto image. Read more about profiles in the Docker docs at Using profiles with Compose . docker compose --profile mqtt pull Start the Mosquitto container. docker compose --profile mqtt up -d Note - Cleaning up Mosquitto Container When stopping and cleaning up containers deployed using the mqtt profile, you must also use that profile when running docker compose down in order to remove all resources. Example: docker compose --profile mqtt down -v","title":"Viewing MQTT Events"},{"location":"Reference/MQTT/viewMqttEvents/#event-monitoring-with-mqtt-mqtt-eventing","text":"Open AMT Cloud Toolkit supports Eventing using Message Queuing Telemetry Transport ( MQTT ), an IoT publish-and-subscribe network protocol. With MQTT Eventing, administrators can subscribe to specific topics, categories of events, for server event monitoring. This eliminates the need to query or poll MPS to determine network events, such as a device's activation or deactivation. Administrators can subscribe to events and respond proactively. Important Currently, the implementation publishes all MPS and RPS REST API call events to the MQTT Broker. Figure 1: MQTT Eventing Examples MPS and RPS send JSON events to a Mosquitto* broker deployed as a Docker container. Administrators subscribe to the broker. As shown in Figure 1, proactive notifications are published in the MQTT Broker container.","title":"Event Monitoring with MQTT (MQTT Eventing)"},{"location":"Reference/MQTT/viewMqttEvents/#set-up-mqtt-support","text":"To enable support: This guide assumes you have completed the Getting Started Guide and have Open AMT currently running in Docker containers. If not, follow the Get Started Guide Setup page . Stop and return here after the your services are running. In a text editor or IDE of choice, open the .env file to edit. Update the following fields. The mqtt: prefix indicates an MQTT broker is being used. Kong* will now route event messages to port 8883. Field Name Set to: RPS_MQTT_ADDRESS mqtt://mosquitto:8883 MPS_MQTT_ADDRESS mqtt://mosquitto:8883 Save and close the file. Pull the Mosquitto image. Read more about profiles in the Docker docs at Using profiles with Compose . docker compose --profile mqtt pull Start the Mosquitto container. docker compose --profile mqtt up -d Note - Cleaning up Mosquitto Container When stopping and cleaning up containers deployed using the mqtt profile, you must also use that profile when running docker compose down in order to remove all resources. Example: docker compose --profile mqtt down -v","title":"Set Up MQTT Support"},{"location":"Reference/RPC/buildRPC_Manual/","text":"Developed in Go* programming language, the Remote Provisioning Client ( RPC ) application runs on the managed device and communicates with the Remote Provisioning Server ( RPS ) microservice on the development system. The RPC and RPS configure and activate Intel\u00ae AMT on the managed device. Once properly configured, the remote managed device can call home to the Management Presence Server ( MPS ) by establishing a Client Initiated Remote Access ( CIRA ) connection with the MPS . See Figure 1. Production Environment In a production environment, RPC can be deployed with an in-band manageability agent to distribute it to the fleet of AMT devices. The in-band manageability agent can invoke RPC to run and activate the AMT devices. Figure 1: RPC Configuration Figure 1 Details The RPC on a managed device communicates with the Intel\u00ae Management Engine Interface (Intel\u00ae MEI, previously known as HECI) Driver and the Remote Provisioning Server ( RPS ) interfaces. The Driver uses the Intel\u00ae MEI to talk to Intel\u00ae AMT . The RPC activates Intel\u00ae AMT with an AMT profile, which is associated with a CIRA configuration (Step 3). The profile, which also distinguishes between Client Control Mode ( CCM ) or Admin Control Mode ( ACM ), and configuration were created in Create a CIRA Config or Create an AMT Profile . After running RPC with a profile, Intel\u00ae AMT will establish a CIRA connection with the MPS (Step 4) allowing MPS to manage the remote device and issue AMT commands (Step 5). Prerequisites \u00b6 Before installing and building the RPC , install: Go* Programming Language Get RPC \u00b6 To clone the repository: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone https://github.com/open-amt-cloud-toolkit/rpc-go --branch v2.14.2 Change to the cloned rpc-go directory: cd rpc-go Build RPC \u00b6 Flexible Deployment - RPC as a Library The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. Read more about building RPC as a library here . To build the executable: Open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows): Linux Windows Docker (On Linux Host Only) go build -o rpc ./cmd/main.go go build -o rpc.exe ./cmd/main.go docker build -f \"Dockerfile\" -t rpc-go:latest . Confirm a successful build: Linux Windows Docker (On Linux Host Only) sudo ./rpc version . \\r pc version sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest version Run RPC to Activate and Connect the AMT Device \u00b6 The toolkit provides a reference implementation called the Sample Web UI to manage the device. After running device activation instructions below, your device will be listed on the Devices tab in the Sample Web UI . To run the application and connect the managed device: After building the RPC , copy the executable to the managed device. On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Navigate to the directory containing the RPC application. Running RPC with the activate command configures or provisions Intel\u00ae AMT . It will take 1-2 minutes to finish provisioning the device. In the instruction below: Replace [Development-IP-Address] with the development system's IP address, where the MPS and RPS servers are running. Replace [profile-name] with your created profile in the Sample Web UI . The RPC application command line parameters are case-sensitive. Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n --profile [ profilename ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n --profile [profilename] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n --profile [ profilename ] Note - RPC Arguments Find out more information about the flag and other arguments . Success Example Output after Activating and Configuring a device into ACM : Figure 1: RPC Success Troubleshooting Run into an issue? Try these troubleshooting steps . Transition Activated Device \u00b6 If an Intel vPro\u00ae Platform has been previously activated, either in the BIOS or with another management solution or tool, it can be brought under Open AMT Cloud Toolkit control with the rpc-go application. Additionally, use the following instructions to transition from a previously established toolkit stack to a fresh installation on a new development system. Note Use the following instructions to transition devices to either ACM or CCM profiles. You will need the AMT password. Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To transition the activated device: Check the activation status with amtinfo flag: Linux Windows Docker (On Linux Host Only) sudo ./rpc amtinfo .\\rpc amtinfo sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest amtinfo The control mode indicates the managed device's state: pre-provisioning or deactivated activated in client control mode ( CCM ) activated in admin control mode ( ACM ) Run the rpc-go application with the activate command and the password flag: Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] -password [ AMT password ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n -profile [profilename] -password [AMT password] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] -password [ AMT password ] Success To verify the managed devices list after transitioning, log into the Sample Web UI on the development system. Go to the Devices tab. Alternatively, learn how to list the managed devices via a REST API Call .","title":"Build & Run RPC"},{"location":"Reference/RPC/buildRPC_Manual/#prerequisites","text":"Before installing and building the RPC , install: Go* Programming Language","title":"Prerequisites"},{"location":"Reference/RPC/buildRPC_Manual/#get-rpc","text":"To clone the repository: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone https://github.com/open-amt-cloud-toolkit/rpc-go --branch v2.14.2 Change to the cloned rpc-go directory: cd rpc-go","title":"Get RPC"},{"location":"Reference/RPC/buildRPC_Manual/#build-rpc","text":"Flexible Deployment - RPC as a Library The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. Read more about building RPC as a library here . To build the executable: Open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows): Linux Windows Docker (On Linux Host Only) go build -o rpc ./cmd/main.go go build -o rpc.exe ./cmd/main.go docker build -f \"Dockerfile\" -t rpc-go:latest . Confirm a successful build: Linux Windows Docker (On Linux Host Only) sudo ./rpc version . \\r pc version sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest version","title":"Build RPC"},{"location":"Reference/RPC/buildRPC_Manual/#run-rpc-to-activate-and-connect-the-amt-device","text":"The toolkit provides a reference implementation called the Sample Web UI to manage the device. After running device activation instructions below, your device will be listed on the Devices tab in the Sample Web UI . To run the application and connect the managed device: After building the RPC , copy the executable to the managed device. On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Navigate to the directory containing the RPC application. Running RPC with the activate command configures or provisions Intel\u00ae AMT . It will take 1-2 minutes to finish provisioning the device. In the instruction below: Replace [Development-IP-Address] with the development system's IP address, where the MPS and RPS servers are running. Replace [profile-name] with your created profile in the Sample Web UI . The RPC application command line parameters are case-sensitive. Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n --profile [ profilename ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n --profile [profilename] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n --profile [ profilename ] Note - RPC Arguments Find out more information about the flag and other arguments . Success Example Output after Activating and Configuring a device into ACM : Figure 1: RPC Success Troubleshooting Run into an issue? Try these troubleshooting steps .","title":"Run RPC to Activate and Connect the AMT Device"},{"location":"Reference/RPC/buildRPC_Manual/#transition-activated-device","text":"If an Intel vPro\u00ae Platform has been previously activated, either in the BIOS or with another management solution or tool, it can be brought under Open AMT Cloud Toolkit control with the rpc-go application. Additionally, use the following instructions to transition from a previously established toolkit stack to a fresh installation on a new development system. Note Use the following instructions to transition devices to either ACM or CCM profiles. You will need the AMT password. Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To transition the activated device: Check the activation status with amtinfo flag: Linux Windows Docker (On Linux Host Only) sudo ./rpc amtinfo .\\rpc amtinfo sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest amtinfo The control mode indicates the managed device's state: pre-provisioning or deactivated activated in client control mode ( CCM ) activated in admin control mode ( ACM ) Run the rpc-go application with the activate command and the password flag: Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] -password [ AMT password ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n -profile [profilename] -password [AMT password] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] -password [ AMT password ] Success To verify the managed devices list after transitioning, log into the Sample Web UI on the development system. Go to the Devices tab. Alternatively, learn how to list the managed devices via a REST API Call .","title":"Transition Activated Device"},{"location":"Reference/RPC/commandsRPC/","text":"On the managed device, a Remote Provisioning Client ( RPC ) communicates with the Remote Provision Server ( RPS ) in the process of activating or deactivating the device. In addition to activation and deactivation, the RPC provides informational and maintenance commands. List Commands \u00b6 On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Run the RPC application on the command line with no arguments to see supported commands: Linux Windows sudo ./rpc .\\rpc.exe COMMAND DESCRIPTION EXAMPLE activate Activate this device with a specified profile. ./rpc activate -u wss://server/activate -profile profilename deactivate Deactivate this device. You will be prompted for the AMT password. ./rpc deactivate -u wss://server/deactivate maintenance Execute a maintenance task for the device. You will be prompted for the AMT password. ./rpc maintenance syncclock -u wss://server/maintenance configure Local configuration of a feature on this device. You will be prompted for the AMT password. ./rpc configure addwifisettings ... amtinfo Display AMT status and configuration. ./rpc amtinfo version Display the current version of RPC and the RPC Protocol version. ./rpc version List Command Options \u00b6 Run the application with a command to see available options for the command: Linux Windows sudo ./rpc [ COMMAND ] .\\rpc [COMMAND] activate \u00b6 Activate and Configure the device using RPS : \u00b6 Activate the device with a specified profile: Linux Windows sudo ./rpc activate -u wss://server/activate -profile profilename .\\rpc activate -u wss://server/activate -profile profilename Activate the device locally: \u00b6 This capability is only supported for activating unprovisioned (e.g. pre-provisioning state) devices. This command only activates AMT. It does not do profile-based configuration. CCM ACM rpc activate -local -ccm -amtPassword NewAMTPassword rpc activate -local -acm -amtPassword NewAMTPassword -provisioningCert \"{BASE64_PROV_CERT}\" -provivisioningCertPwd certPassword activate General Options \u00b6 OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -n Skip WebSocket server certificate verification -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -v Verbose output activate Remote-Specific Options \u00b6 OPTION DESCRIPTION -d string DNS suffix override -h string Hostname override -n Skip WebSocket server certificate verification -name string Friendly name to associate with this device -p string Proxy address and port -password Existing set AMT password -profile string Name of the profile to use -tenant string TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled ) -token string JWT Token for Authorization -u string WebSocket address of server to activate against activate Local-Specific Options \u00b6 OPTION DESCRIPTION -acm Flag for ACM Local Activation. -amtPassword string New AMT Password to set on device. -ccm Flag for CCM Local Activation. -local Execute command to AMT directly without cloud interaction. -provisioningCert Base64 string Base64 Encoded String of the .pfx provisioning certificate. -provisioningCertPwd string Password of provisioning certificate. For more information, see Build & Run RPC . To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro\u00ae Platform, see Transition Activated Device . deactivate \u00b6 Warning - Future Deprecation: Changing of Kong Routes We have now enabled the /deactivate Kong route. The previous /activate route will still function for deactivate commands to avoid breaking changes. However, the /activate route's use with deactivate will be deprecated in the future and it is recommended to utilize the new, /deactivate route for new development. Deactivate the device using RPS : \u00b6 rpc deactivate -u wss://server/deactivate Deactivate the device locally: \u00b6 rpc deactivate -local -password AMTPassword deactivate Options \u00b6 OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -local Execute command to AMT directly without cloud interaction. -password string AMT password -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -v Verbose output deactivate Remote-Specific Options \u00b6 OPTION DESCRIPTION -f Force deactivate even if device is not registered with the RPS server -n Skip WebSocket server certificate verification -p string Proxy address and port -token string JWT Token for Authorization -u string WebSocket address of server to activate against For more information, see Build & Run RPC . maintenance \u00b6 Warning - Future Deprecation: Changing of Kong Routes We have now enabled the /maintenance Kong route. The previous /activate route will still function for maintenance commands to avoid breaking changes. However, the /activate route's use with maintenance will be deprecated in the future and it is recommended to utilize the new, /maintenance route for new development. Execute a maintenance command for the managed device: SUBCOMMAND DESCRIPTION changepassword Change the AMT password. A random password is generated by default if -static is not provided. syncclock Sync the host OS clock to AMT. synchostname Sync the OS hostname to AMT Network Settings. syncip Sync the static IP of host OS to AMT Network Settings. Common maintenance Options \u00b6 OPTION DESCRIPTION -f Force maintenance commands even if device is not registered with a server -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -n Skip WebSocket server certificate verification -p string Proxy address and port -password string AMT password -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -tenant string TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled ) -token string JWT Token for Authorization -u string WebSocket address of server to activate against -v Verbose output changepassword \u00b6 Change the AMT password. A random password is generated by default if static option is not passed. Linux Windows sudo ./rpc maintenance changepassword -u wss://server/maintenance .\\rpc maintenance changepassword -u wss://server/maintenance OPTION DESCRIPTION -static New password to be used syncclock \u00b6 Syncs the host OS clock to AMT. Linux Windows sudo ./rpc maintenance syncclock -u wss://server/maintenance .\\rpc maintenance syncclock -u wss://server/maintenance synchostname \u00b6 Sync the OS hostname to AMT Network Settings. Linux Windows sudo ./rpc maintenance synchostname -u wss://server/maintenance .\\rpc maintenance synchostname -u wss://server/maintenance syncip \u00b6 Sync the static IP of host OS to AMT Network Settings. Linux Windows sudo ./rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/maintenance .\\rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/maintenance OPTION DESCRIPTION -staticip IP address to be assigned to AMT If not specified, the IP address of the active OS newtork interface is used -netmask Network mask to be assigned to AMT If not specified, the network mask of the active OS newtork interface is used -gateway Gateway address to be assigned to AMT -primarydns Primary DNS address to be assigned to AMT -secondarydns Secondary DNS address to be assigned to AMT configure \u00b6 Execute a configuration command for the managed device: SUBCOMMAND DESCRIPTION addwifisettings Configure wireless 802.1x locally with RPC (no communication with RPS and EA) Common configuration Options \u00b6 OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -password string AMT password -v Verbose output addwifisettings \u00b6 Configure wireless 802.1x settings of an existing, activated AMT device by passing credentials and certificates directly to AMT rather than through RPS /EA/ RPC . More information on configuring AMT to use 802.1x can be found in 802.1x Configuration . On failure, the addwifisettings maintenance command will rollback any certificates added before the error occurred. Config File Config w/ Secrets File Individual Options -configJson String Option via Config file \u00b6 The Config file can be formatted as either YAML or JSON. This example shows YAML but a JSON template is provided as well. Create a new file called config.yaml . Copy and paste the corresponding template below. These templates show how to create a simple Wireless profile called exampleWifiWPA2 and a Wireless profile utilizing 802.1x called exampleWifi8021x . YAML JSON config.yaml password : 'amtPassword' # optionally, you can provide the AMT password of the device in the config file wifiConfigs : - profileName : 'exampleWifiWPA2' # friendly name (ex. Profile name) ssid : 'exampleSSID' priority : 1 authenticationMethod : 6 encryptionMethod : 4 pskPassphrase : '' - profileName : 'exampleWifi8021x' # friendly name (ex. Profile name) ssid : 'ssid' priority : 2 authenticationMethod : 7 encryptionMethod : 4 ieee8021xProfileName : 'exampleIeee8021xEAP-TLS' ieee8021xConfigs : - profileName : 'exampleIeee8021xEAP-TLS' username : \"exampleUserName\" password : \"\" # 8021x password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2) authenticationProtocol : 0 #8021x profile (ex. EAP-TLS(0)) clientCert : '' caCert : '' privateKey : '' config.json { \"password\" : \"amtPassword\" , \"wifiConfigs\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"ssid\" : \"exampleSSID\" , \"priority\" : 1 , \"authenticationMethod\" : 6 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleWifi8021x\" , \"ssid\" : \"ssid\" , \"priority\" : 2 , \"authenticationMethod\" : 7 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" , \"ieee8021xProfileName\" : \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\" : [ { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"username\" : \"exampleUserName\" , \"password\" : \"\" , \"authenticationProtocol\" : 0 , \"clientCert\" : \"\" , \"caCert\" : \"\" , \"privateKey\" : \"\" } ] } Fill in fields with desired options and secrets. If the secrets are not provided (e.g. secret field is an empty string or not given), the secrets will be prompted for as user input in the command line. Alternatively, secrets can be stored and referenced in a separate file. See Config w/ Secrets File tab for more information. Provide the config.yaml file using the -config flag. rpc configure addwifisettings -config config.yaml via Config with Secrets file \u00b6 If a secrets file is included with the configuration file, those secrets will be used in the matching profileName configuration. These templates show how to create a simple Wireless profile called exampleWifiWPA2 and a Wireless profile utilizing 802.1x called exampleWifi8021x . Create a new file called config.yaml . Copy and paste the corresponding template below. This config.yaml is slightly different from the standard one as we either delete or leave blank the secret fields pskPassphrase , password , and privateKey . YAML JSON config.yaml wifiConfigs : - profileName : 'exampleWifiWPA2' # friendly name (ex. Profile name) ssid : 'exampleSSID' priority : 1 authenticationMethod : 6 encryptionMethod : 4 - profileName : 'exampleWifi8021x' # friendly name (ex. Profile name) ssid : 'ssid' priority : 2 authenticationMethod : 7 encryptionMethod : 4 ieee8021xProfileName : 'exampleIeee8021xEAP-TLS' ieee8021xConfigs : - profileName : 'exampleIeee8021xEAP-TLS' username : \"exampleUserName\" password : \"\" # 8021x password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2) authenticationProtocol : 0 #8021x profile (ex. EAP-TLS(0)) clientCert : '' caCert : '' config.json { \"wifiConfigs\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"ssid\" : \"exampleSSID\" , \"priority\" : 1 , \"authenticationMethod\" : 6 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleWifi8021x\" , \"ssid\" : \"ssid\" , \"priority\" : 2 , \"authenticationMethod\" : 7 , \"encryptionMethod\" : 4 , \"ieee8021xProfileName\" : \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\" : [ { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"username\" : \"exampleUserName\" , \"password\" : \"\" , \"authenticationProtocol\" : 0 , \"clientCert\" : \"\" , \"caCert\" : \"\" , } ] } Create a new file called secrets.yaml . Copy and paste the template below. YAML JSON secrets.yaml secrets : - profileName : 'exampleWifiWPA2' pskPassphrase : '' - profileName : 'exampleIeee8021xEAP-TLS' privateKey : '' - profileName : 'ieee8021xPEAPv0' password : '' secrets.json { \"secrets\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"privateKey\" : \"\" }, { \"profileName\" : \"ieee8021xPEAPv0\" , \"password\" : \"\" } ] } Fill in fields with the secrets. The profileName given in the secrets file must match the corresponding Wireless or 802.1x configuration profileName . Provide the secrets.yaml file using the -secrets flag. rpc configure addwifisettings -config config.yaml -secrets secrets.yaml via Individual Options \u00b6 Alternatively, provide all options directly in the command line. The user will be prompted for missing secrets (i.e. password, privateKey, pskPassphrase, ieee8021xPassword), if not provided. Warning - Use Case and Security The CLI option is intended for use as part of an integration of RPC as a shared library. The passing of secrets directly via command line is highly insecure and NOT recommended. rpc configure addwifisettings -profileName profileName -authenticationMethod 7 -encryptionMethod 4 -ssid \"networkSSID\" -username \"username\" -authenticationProtocol 0 -priority 1 -clientCert \"{CLIENT_CERT}\" -caCert \"{CA_CERT}\" -privateKey \"{PRIVATE_KEY}\" via -configJson Option \u00b6 Or, provide the JSON string directly in the command line. The user will be prompted for missing secrets (i.e. password, privateKey, pskPassphrase, ieee8021xPassword), if not provided. Warning - Use Case and Security The CLI option is intended for use as part of an integration of RPC as a shared library. The passing of secrets directly via command line is highly insecure and NOT recommended. Wireless Only Wireless w/ 802.1x rpc configure addwifisettings -configJson \"{ \"wifiConfigs\": [ { \"profileName\": \"exampleWifi\", \"authenticationMethod\": 6, \"encryptionMethod\": 4, \"ssid\": \"networkSSID\", \"username\": \"username\", \"authenticationProtocol\": 0, \"priority\": 1 } ] }\" rpc configure addwifisettings -configJson \"{ \"wifiConfigs\": [ { \"profileName\": \"exampleWifi8021x\", \"ssid\": \"networkSSID\", \"priority\": 1, \"authenticationMethod\": 7, \"encryptionMethod\": 4, \"ieee8021xProfileName\": \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\": [ { \"profileName\": \"exampleIeee8021xEAP-TLS\", \"username\": \"exampleUserName\", \"password\": \"\", \"authenticationProtocol\": 0, \"clientCert\": \"{CLIENT_CERT}\", \"caCert\": \"{CA_CERT}\", \"privateKey\": \"{PRIVATE_KEY}\" } ] }\" Example Successful Output of Configuring Two Wireless Profiles time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"configuring wifi profile: exampleWifiWPA2\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"successfully configured: exampleWifiWPA2\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"configuring wifi profile: exampleWifi8021x\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"successfully configured: exampleWifi8021x\" OPTION DESCRIPTION -authenticationMethod Wifi authentication method. Valid Values = {4, 5, 6, 7} where 4 = WPA PSK, 5 = WPA_IEEE8021X, 6 = WPA2 PSK, 7 = WPA2_IEEE8021X -authenticationProtocol 802.1x profile protocol. Valid Values = {0, 2} where 0 = EAP- TLS , 2 = EAP/MSCHAPv2 -caCert Trusted Microsoft root CA or 3rd-party root CA in Active Directory domain. -clientCert Client certificate chained to the caCert . Issued by enterprise CA or mapped to computer account in Active Directory. AMT provides this certificate to authenticate itself with the Radius Server. -config File path of a .yaml or .json file with desired wireless and/or wireless 802.1x configuration. -configJson Configuration as a JSON string -encryptionMethod Wifi encryption method. Valid Values = {3, 4} where 3 = TKIP, 4 = CCMP -ieee8021xPassword 802.1x profile password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2). -profileName Profile name (Friendly name), must be alphanumeric. -priority Ranked priority over other profiles. -privateKey 802.1x profile private key of the clientCert . -pskPassphrase Wifi pskPassphrase , if authenticationMethod is WPA PSK(4) or WPA2 PSK(6). -secrets File path of a .yaml or .json file with secrets to be applied to the configurations. -ssid Wifi SSID -username 802.1x username, must match the Common Name of the clientCert . amtinfo \u00b6 Display AMT status and configuration: Linux Windows sudo ./rpc amtinfo [ OPTIONS ] .\\rpc amtinfo [OPTIONS] Not passing [OPTIONS] will print all information. AMT INFO OPTION DESCRIPTION -json JSON Output Version -ver Intel AMT version. Build Number -bld Intel AMT Build Number. Certificate -cert Certificate Hashes SKU -sku Product SKU UUID -uuid Unique Universal Identifier of the device. Used when creating device-specific MPS API calls as part of the REST API's URL path. Control Mode -mode Control Mode below indicates the managed device's state: (a) pre-provisioning state (b) activated in client control mode (c) activated in admin control mode DNS Suffix -dns DNS Suffix set according to PKI DNS Suffix in Intel MEBX or through DHCP Option 15. Requried for ACM activation. DNS Suffix (OS) -dns Hostname (OS) -hostname Device's hostname as set in the Operating System. RAS Network -ras RAS Remote Status -ras Unconnected or connected. State of connection to a management server. RAS Trigger -ras User initiated or periodic. When activated, periodic signifies CIRA established. By default, CIRA sends a heartbeat to the server every 30 seconds to verify and maintain connection. RAS MPS Hostname -ras IP Address or FQDN of the MPS server. ---Wired/Wireless Adapters--- WIRED/WIRELESS ADAPTER OPTION DESCRIPTION DHCP Enabled -lan True/False. Whether or not the network is using DHCP or Static IPs. DHCP Mode -lan Link Status -lan Up/Down. Shows whether or not this adapter is being used by Intel AMT. IP Address -lan If using CIRA or the device is unactivated, this field will show 0.0.0.0 MAC Address -lan Device's MAC Address For more information, see Wireless Activation . version \u00b6 Display the current version of RPC and the RPC Protocol version: Linux Windows sudo ./rpc version .\\rpc version","title":"RPC CLI"},{"location":"Reference/RPC/commandsRPC/#list-commands","text":"On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Run the RPC application on the command line with no arguments to see supported commands: Linux Windows sudo ./rpc .\\rpc.exe COMMAND DESCRIPTION EXAMPLE activate Activate this device with a specified profile. ./rpc activate -u wss://server/activate -profile profilename deactivate Deactivate this device. You will be prompted for the AMT password. ./rpc deactivate -u wss://server/deactivate maintenance Execute a maintenance task for the device. You will be prompted for the AMT password. ./rpc maintenance syncclock -u wss://server/maintenance configure Local configuration of a feature on this device. You will be prompted for the AMT password. ./rpc configure addwifisettings ... amtinfo Display AMT status and configuration. ./rpc amtinfo version Display the current version of RPC and the RPC Protocol version. ./rpc version","title":"List Commands"},{"location":"Reference/RPC/commandsRPC/#list-command-options","text":"Run the application with a command to see available options for the command: Linux Windows sudo ./rpc [ COMMAND ] .\\rpc [COMMAND]","title":"List Command Options"},{"location":"Reference/RPC/commandsRPC/#activate","text":"","title":"activate"},{"location":"Reference/RPC/commandsRPC/#activate-and-configure-the-device-using-rps","text":"Activate the device with a specified profile: Linux Windows sudo ./rpc activate -u wss://server/activate -profile profilename .\\rpc activate -u wss://server/activate -profile profilename","title":"Activate and Configure the device using RPS:"},{"location":"Reference/RPC/commandsRPC/#activate-the-device-locally","text":"This capability is only supported for activating unprovisioned (e.g. pre-provisioning state) devices. This command only activates AMT. It does not do profile-based configuration. CCM ACM rpc activate -local -ccm -amtPassword NewAMTPassword rpc activate -local -acm -amtPassword NewAMTPassword -provisioningCert \"{BASE64_PROV_CERT}\" -provivisioningCertPwd certPassword","title":"Activate the device locally:"},{"location":"Reference/RPC/commandsRPC/#activate-general-options","text":"OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -n Skip WebSocket server certificate verification -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -v Verbose output","title":"activate General Options"},{"location":"Reference/RPC/commandsRPC/#activate-remote-specific-options","text":"OPTION DESCRIPTION -d string DNS suffix override -h string Hostname override -n Skip WebSocket server certificate verification -name string Friendly name to associate with this device -p string Proxy address and port -password Existing set AMT password -profile string Name of the profile to use -tenant string TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled ) -token string JWT Token for Authorization -u string WebSocket address of server to activate against","title":"activate Remote-Specific Options"},{"location":"Reference/RPC/commandsRPC/#activate-local-specific-options","text":"OPTION DESCRIPTION -acm Flag for ACM Local Activation. -amtPassword string New AMT Password to set on device. -ccm Flag for CCM Local Activation. -local Execute command to AMT directly without cloud interaction. -provisioningCert Base64 string Base64 Encoded String of the .pfx provisioning certificate. -provisioningCertPwd string Password of provisioning certificate. For more information, see Build & Run RPC . To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro\u00ae Platform, see Transition Activated Device .","title":"activate Local-Specific Options"},{"location":"Reference/RPC/commandsRPC/#deactivate","text":"Warning - Future Deprecation: Changing of Kong Routes We have now enabled the /deactivate Kong route. The previous /activate route will still function for deactivate commands to avoid breaking changes. However, the /activate route's use with deactivate will be deprecated in the future and it is recommended to utilize the new, /deactivate route for new development.","title":"deactivate"},{"location":"Reference/RPC/commandsRPC/#deactivate-the-device-using-rps","text":"rpc deactivate -u wss://server/deactivate","title":"Deactivate the device using RPS:"},{"location":"Reference/RPC/commandsRPC/#deactivate-the-device-locally","text":"rpc deactivate -local -password AMTPassword","title":"Deactivate the device locally:"},{"location":"Reference/RPC/commandsRPC/#deactivate-options","text":"OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -local Execute command to AMT directly without cloud interaction. -password string AMT password -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -v Verbose output","title":"deactivate Options"},{"location":"Reference/RPC/commandsRPC/#deactivate-remote-specific-options","text":"OPTION DESCRIPTION -f Force deactivate even if device is not registered with the RPS server -n Skip WebSocket server certificate verification -p string Proxy address and port -token string JWT Token for Authorization -u string WebSocket address of server to activate against For more information, see Build & Run RPC .","title":"deactivate Remote-Specific Options"},{"location":"Reference/RPC/commandsRPC/#maintenance","text":"Warning - Future Deprecation: Changing of Kong Routes We have now enabled the /maintenance Kong route. The previous /activate route will still function for maintenance commands to avoid breaking changes. However, the /activate route's use with maintenance will be deprecated in the future and it is recommended to utilize the new, /maintenance route for new development. Execute a maintenance command for the managed device: SUBCOMMAND DESCRIPTION changepassword Change the AMT password. A random password is generated by default if -static is not provided. syncclock Sync the host OS clock to AMT. synchostname Sync the OS hostname to AMT Network Settings. syncip Sync the static IP of host OS to AMT Network Settings.","title":"maintenance"},{"location":"Reference/RPC/commandsRPC/#common-maintenance-options","text":"OPTION DESCRIPTION -f Force maintenance commands even if device is not registered with a server -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -n Skip WebSocket server certificate verification -p string Proxy address and port -password string AMT password -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -tenant string TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled ) -token string JWT Token for Authorization -u string WebSocket address of server to activate against -v Verbose output","title":"Common maintenance Options"},{"location":"Reference/RPC/commandsRPC/#changepassword","text":"Change the AMT password. A random password is generated by default if static option is not passed. Linux Windows sudo ./rpc maintenance changepassword -u wss://server/maintenance .\\rpc maintenance changepassword -u wss://server/maintenance OPTION DESCRIPTION -static New password to be used","title":"changepassword"},{"location":"Reference/RPC/commandsRPC/#syncclock","text":"Syncs the host OS clock to AMT. Linux Windows sudo ./rpc maintenance syncclock -u wss://server/maintenance .\\rpc maintenance syncclock -u wss://server/maintenance","title":"syncclock"},{"location":"Reference/RPC/commandsRPC/#synchostname","text":"Sync the OS hostname to AMT Network Settings. Linux Windows sudo ./rpc maintenance synchostname -u wss://server/maintenance .\\rpc maintenance synchostname -u wss://server/maintenance","title":"synchostname"},{"location":"Reference/RPC/commandsRPC/#syncip","text":"Sync the static IP of host OS to AMT Network Settings. Linux Windows sudo ./rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/maintenance .\\rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/maintenance OPTION DESCRIPTION -staticip IP address to be assigned to AMT If not specified, the IP address of the active OS newtork interface is used -netmask Network mask to be assigned to AMT If not specified, the network mask of the active OS newtork interface is used -gateway Gateway address to be assigned to AMT -primarydns Primary DNS address to be assigned to AMT -secondarydns Secondary DNS address to be assigned to AMT","title":"syncip"},{"location":"Reference/RPC/commandsRPC/#configure","text":"Execute a configuration command for the managed device: SUBCOMMAND DESCRIPTION addwifisettings Configure wireless 802.1x locally with RPC (no communication with RPS and EA)","title":"configure"},{"location":"Reference/RPC/commandsRPC/#common-configuration-options","text":"OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -password string AMT password -v Verbose output","title":"Common configuration Options"},{"location":"Reference/RPC/commandsRPC/#addwifisettings","text":"Configure wireless 802.1x settings of an existing, activated AMT device by passing credentials and certificates directly to AMT rather than through RPS /EA/ RPC . More information on configuring AMT to use 802.1x can be found in 802.1x Configuration . On failure, the addwifisettings maintenance command will rollback any certificates added before the error occurred. Config File Config w/ Secrets File Individual Options -configJson String Option","title":"addwifisettings"},{"location":"Reference/RPC/commandsRPC/#via-config-file","text":"The Config file can be formatted as either YAML or JSON. This example shows YAML but a JSON template is provided as well. Create a new file called config.yaml . Copy and paste the corresponding template below. These templates show how to create a simple Wireless profile called exampleWifiWPA2 and a Wireless profile utilizing 802.1x called exampleWifi8021x . YAML JSON config.yaml password : 'amtPassword' # optionally, you can provide the AMT password of the device in the config file wifiConfigs : - profileName : 'exampleWifiWPA2' # friendly name (ex. Profile name) ssid : 'exampleSSID' priority : 1 authenticationMethod : 6 encryptionMethod : 4 pskPassphrase : '' - profileName : 'exampleWifi8021x' # friendly name (ex. Profile name) ssid : 'ssid' priority : 2 authenticationMethod : 7 encryptionMethod : 4 ieee8021xProfileName : 'exampleIeee8021xEAP-TLS' ieee8021xConfigs : - profileName : 'exampleIeee8021xEAP-TLS' username : \"exampleUserName\" password : \"\" # 8021x password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2) authenticationProtocol : 0 #8021x profile (ex. EAP-TLS(0)) clientCert : '' caCert : '' privateKey : '' config.json { \"password\" : \"amtPassword\" , \"wifiConfigs\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"ssid\" : \"exampleSSID\" , \"priority\" : 1 , \"authenticationMethod\" : 6 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleWifi8021x\" , \"ssid\" : \"ssid\" , \"priority\" : 2 , \"authenticationMethod\" : 7 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" , \"ieee8021xProfileName\" : \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\" : [ { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"username\" : \"exampleUserName\" , \"password\" : \"\" , \"authenticationProtocol\" : 0 , \"clientCert\" : \"\" , \"caCert\" : \"\" , \"privateKey\" : \"\" } ] } Fill in fields with desired options and secrets. If the secrets are not provided (e.g. secret field is an empty string or not given), the secrets will be prompted for as user input in the command line. Alternatively, secrets can be stored and referenced in a separate file. See Config w/ Secrets File tab for more information. Provide the config.yaml file using the -config flag. rpc configure addwifisettings -config config.yaml","title":"via Config file"},{"location":"Reference/RPC/commandsRPC/#via-config-with-secrets-file","text":"If a secrets file is included with the configuration file, those secrets will be used in the matching profileName configuration. These templates show how to create a simple Wireless profile called exampleWifiWPA2 and a Wireless profile utilizing 802.1x called exampleWifi8021x . Create a new file called config.yaml . Copy and paste the corresponding template below. This config.yaml is slightly different from the standard one as we either delete or leave blank the secret fields pskPassphrase , password , and privateKey . YAML JSON config.yaml wifiConfigs : - profileName : 'exampleWifiWPA2' # friendly name (ex. Profile name) ssid : 'exampleSSID' priority : 1 authenticationMethod : 6 encryptionMethod : 4 - profileName : 'exampleWifi8021x' # friendly name (ex. Profile name) ssid : 'ssid' priority : 2 authenticationMethod : 7 encryptionMethod : 4 ieee8021xProfileName : 'exampleIeee8021xEAP-TLS' ieee8021xConfigs : - profileName : 'exampleIeee8021xEAP-TLS' username : \"exampleUserName\" password : \"\" # 8021x password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2) authenticationProtocol : 0 #8021x profile (ex. EAP-TLS(0)) clientCert : '' caCert : '' config.json { \"wifiConfigs\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"ssid\" : \"exampleSSID\" , \"priority\" : 1 , \"authenticationMethod\" : 6 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleWifi8021x\" , \"ssid\" : \"ssid\" , \"priority\" : 2 , \"authenticationMethod\" : 7 , \"encryptionMethod\" : 4 , \"ieee8021xProfileName\" : \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\" : [ { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"username\" : \"exampleUserName\" , \"password\" : \"\" , \"authenticationProtocol\" : 0 , \"clientCert\" : \"\" , \"caCert\" : \"\" , } ] } Create a new file called secrets.yaml . Copy and paste the template below. YAML JSON secrets.yaml secrets : - profileName : 'exampleWifiWPA2' pskPassphrase : '' - profileName : 'exampleIeee8021xEAP-TLS' privateKey : '' - profileName : 'ieee8021xPEAPv0' password : '' secrets.json { \"secrets\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"privateKey\" : \"\" }, { \"profileName\" : \"ieee8021xPEAPv0\" , \"password\" : \"\" } ] } Fill in fields with the secrets. The profileName given in the secrets file must match the corresponding Wireless or 802.1x configuration profileName . Provide the secrets.yaml file using the -secrets flag. rpc configure addwifisettings -config config.yaml -secrets secrets.yaml","title":"via Config with Secrets file"},{"location":"Reference/RPC/commandsRPC/#via-individual-options","text":"Alternatively, provide all options directly in the command line. The user will be prompted for missing secrets (i.e. password, privateKey, pskPassphrase, ieee8021xPassword), if not provided. Warning - Use Case and Security The CLI option is intended for use as part of an integration of RPC as a shared library. The passing of secrets directly via command line is highly insecure and NOT recommended. rpc configure addwifisettings -profileName profileName -authenticationMethod 7 -encryptionMethod 4 -ssid \"networkSSID\" -username \"username\" -authenticationProtocol 0 -priority 1 -clientCert \"{CLIENT_CERT}\" -caCert \"{CA_CERT}\" -privateKey \"{PRIVATE_KEY}\"","title":"via Individual Options"},{"location":"Reference/RPC/commandsRPC/#via-configjson-option","text":"Or, provide the JSON string directly in the command line. The user will be prompted for missing secrets (i.e. password, privateKey, pskPassphrase, ieee8021xPassword), if not provided. Warning - Use Case and Security The CLI option is intended for use as part of an integration of RPC as a shared library. The passing of secrets directly via command line is highly insecure and NOT recommended. Wireless Only Wireless w/ 802.1x rpc configure addwifisettings -configJson \"{ \"wifiConfigs\": [ { \"profileName\": \"exampleWifi\", \"authenticationMethod\": 6, \"encryptionMethod\": 4, \"ssid\": \"networkSSID\", \"username\": \"username\", \"authenticationProtocol\": 0, \"priority\": 1 } ] }\" rpc configure addwifisettings -configJson \"{ \"wifiConfigs\": [ { \"profileName\": \"exampleWifi8021x\", \"ssid\": \"networkSSID\", \"priority\": 1, \"authenticationMethod\": 7, \"encryptionMethod\": 4, \"ieee8021xProfileName\": \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\": [ { \"profileName\": \"exampleIeee8021xEAP-TLS\", \"username\": \"exampleUserName\", \"password\": \"\", \"authenticationProtocol\": 0, \"clientCert\": \"{CLIENT_CERT}\", \"caCert\": \"{CA_CERT}\", \"privateKey\": \"{PRIVATE_KEY}\" } ] }\" Example Successful Output of Configuring Two Wireless Profiles time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"configuring wifi profile: exampleWifiWPA2\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"successfully configured: exampleWifiWPA2\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"configuring wifi profile: exampleWifi8021x\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"successfully configured: exampleWifi8021x\" OPTION DESCRIPTION -authenticationMethod Wifi authentication method. Valid Values = {4, 5, 6, 7} where 4 = WPA PSK, 5 = WPA_IEEE8021X, 6 = WPA2 PSK, 7 = WPA2_IEEE8021X -authenticationProtocol 802.1x profile protocol. Valid Values = {0, 2} where 0 = EAP- TLS , 2 = EAP/MSCHAPv2 -caCert Trusted Microsoft root CA or 3rd-party root CA in Active Directory domain. -clientCert Client certificate chained to the caCert . Issued by enterprise CA or mapped to computer account in Active Directory. AMT provides this certificate to authenticate itself with the Radius Server. -config File path of a .yaml or .json file with desired wireless and/or wireless 802.1x configuration. -configJson Configuration as a JSON string -encryptionMethod Wifi encryption method. Valid Values = {3, 4} where 3 = TKIP, 4 = CCMP -ieee8021xPassword 802.1x profile password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2). -profileName Profile name (Friendly name), must be alphanumeric. -priority Ranked priority over other profiles. -privateKey 802.1x profile private key of the clientCert . -pskPassphrase Wifi pskPassphrase , if authenticationMethod is WPA PSK(4) or WPA2 PSK(6). -secrets File path of a .yaml or .json file with secrets to be applied to the configurations. -ssid Wifi SSID -username 802.1x username, must match the Common Name of the clientCert .","title":"via -configJson Option"},{"location":"Reference/RPC/commandsRPC/#amtinfo","text":"Display AMT status and configuration: Linux Windows sudo ./rpc amtinfo [ OPTIONS ] .\\rpc amtinfo [OPTIONS] Not passing [OPTIONS] will print all information. AMT INFO OPTION DESCRIPTION -json JSON Output Version -ver Intel AMT version. Build Number -bld Intel AMT Build Number. Certificate -cert Certificate Hashes SKU -sku Product SKU UUID -uuid Unique Universal Identifier of the device. Used when creating device-specific MPS API calls as part of the REST API's URL path. Control Mode -mode Control Mode below indicates the managed device's state: (a) pre-provisioning state (b) activated in client control mode (c) activated in admin control mode DNS Suffix -dns DNS Suffix set according to PKI DNS Suffix in Intel MEBX or through DHCP Option 15. Requried for ACM activation. DNS Suffix (OS) -dns Hostname (OS) -hostname Device's hostname as set in the Operating System. RAS Network -ras RAS Remote Status -ras Unconnected or connected. State of connection to a management server. RAS Trigger -ras User initiated or periodic. When activated, periodic signifies CIRA established. By default, CIRA sends a heartbeat to the server every 30 seconds to verify and maintain connection. RAS MPS Hostname -ras IP Address or FQDN of the MPS server. ---Wired/Wireless Adapters--- WIRED/WIRELESS ADAPTER OPTION DESCRIPTION DHCP Enabled -lan True/False. Whether or not the network is using DHCP or Static IPs. DHCP Mode -lan Link Status -lan Up/Down. Shows whether or not this adapter is being used by Intel AMT. IP Address -lan If using CIRA or the device is unactivated, this field will show 0.0.0.0 MAC Address -lan Device's MAC Address For more information, see Wireless Activation .","title":"amtinfo"},{"location":"Reference/RPC/commandsRPC/#version","text":"Display the current version of RPC and the RPC Protocol version: Linux Windows sudo ./rpc version .\\rpc version","title":"version"},{"location":"Reference/RPC/libraryRPC/","text":"On the managed device, a Remote Provisioning Client ( RPC ) communicates with the Remote Provision Server ( RPS ) in the process of activating or deactivating the device. In addition to activation and deactivation, the RPC provides informational and maintenance commands. Find all RPC commands here . Prerequisites \u00b6 A GCC toolchain is required to compile RPC as a library. Linux Windows Run the following command to install: sudo apt install build-essential Download and Install tdm-gcc . Build Library \u00b6 Linux Lib (.so file) Windows Lib (.dll file) go build -buildmode = c-shared -o librpc.so ./cmd go build -buildmode = c-shared -o rpc.dll ./cmd Library Functions \u00b6 The library contains two functions: Function Description Usage checkAccess Determines if RPC is being run as admin, the ME driver is installed, and AMT is available. Use this function to check for basic AMT availability conditions. rpcExec Executes RPC commands. Use this function as you would the RPC executable, passing in arguments to activate, deactivate, perform maintenance, etc. Sample Client in C# \u00b6 Find a simple sample client in the RPC -go's dotnet folder . Include in C# \u00b6 This sample code demonstrates how to import the DLL's functions: //Linux-style example (.so extenstion) [DllImport(\"rpc\")] static extern int rpcCheckAccess (); Call a Function \u00b6 This sample provides an example of calling the rpcExec function to activate a device: //Import [DllImport(\"rpc\")] static extern int rpcExec ([ In ] byte [] rpccmd , ref IntPtr output ); int returnCode ; Console . WriteLine ( \"... CALLING rpcCheckAccess ...\" ); returnCode = rpcCheckAccess (); Console . WriteLine ( \"... rpcCheckAccess completed: return code[\" + returnCode + \"] \" ); Console . WriteLine (); var res = \"\" ; foreach ( var arg in args ) { res += $\"{arg} \" ; } // Example commands to be passed in // string res = \"activate -u wss://192.168.1.96/activate -n -profile Test_Profile\"; // string res = \"amtinfo\"; IntPtr output = IntPtr . Zero ; Console . WriteLine ( \"... CALLING rpcExec with argument string: \" + res ); returnCode = rpcExec ( Encoding . ASCII . GetBytes ( res ), ref output ); Console . WriteLine ( \"... rpcExec completed: return code[\" + returnCode + \"] \" + Marshal . PtrToStringAnsi ( output )); RPC Error Code Charts \u00b6 General Errors \u00b6 (1-19) Basic Errors Outside of Open AMT Cloud Toolkit \u00b6 Error Code Message 1 Incorrect permissions (not admin or sudo) 2 HECI driver not detected 3 AMT not detected 4 AMT not ready (20-69) Input errors to RPC \u00b6 Error Code Message 20 Missing or incorrect URL 21 Missing or incorrect profile 22 Server certificate verification failed 23 Missing or incorrect password 24 Missing DNS Suffix 25 Missing hostname 26 Missing proxy address and port 27 Missing static IP information (70-99) Connection Errors \u00b6 Error Code Message 70 RPS authentication failed 71 AMT connection failed 72 OS network interfaces lookup failed AMT-Specific Errors \u00b6 (100-149) Activation and Configuration Errors \u00b6 Error Code Message 100 AMT authentication failed 101 WSMAN message error 102 Activation failed 103 Network configuration failed 104 CIRA configuration failed 105 TLS configuration failed 106 WiFi configuration failed 107 AMT features configuration failed 108 802.1x configuration failed (150-199) Maintenance Errors \u00b6 Error Code Message 150 Clock sync failed 151 Hostname sync failed 152 Network sync failed","title":"RPC Library"},{"location":"Reference/RPC/libraryRPC/#prerequisites","text":"A GCC toolchain is required to compile RPC as a library. Linux Windows Run the following command to install: sudo apt install build-essential Download and Install tdm-gcc .","title":"Prerequisites"},{"location":"Reference/RPC/libraryRPC/#build-library","text":"Linux Lib (.so file) Windows Lib (.dll file) go build -buildmode = c-shared -o librpc.so ./cmd go build -buildmode = c-shared -o rpc.dll ./cmd","title":"Build Library"},{"location":"Reference/RPC/libraryRPC/#library-functions","text":"The library contains two functions: Function Description Usage checkAccess Determines if RPC is being run as admin, the ME driver is installed, and AMT is available. Use this function to check for basic AMT availability conditions. rpcExec Executes RPC commands. Use this function as you would the RPC executable, passing in arguments to activate, deactivate, perform maintenance, etc.","title":"Library Functions"},{"location":"Reference/RPC/libraryRPC/#sample-client-in-c","text":"Find a simple sample client in the RPC -go's dotnet folder .","title":"Sample Client in C#"},{"location":"Reference/RPC/libraryRPC/#include-in-c","text":"This sample code demonstrates how to import the DLL's functions: //Linux-style example (.so extenstion) [DllImport(\"rpc\")] static extern int rpcCheckAccess ();","title":"Include in C#"},{"location":"Reference/RPC/libraryRPC/#call-a-function","text":"This sample provides an example of calling the rpcExec function to activate a device: //Import [DllImport(\"rpc\")] static extern int rpcExec ([ In ] byte [] rpccmd , ref IntPtr output ); int returnCode ; Console . WriteLine ( \"... CALLING rpcCheckAccess ...\" ); returnCode = rpcCheckAccess (); Console . WriteLine ( \"... rpcCheckAccess completed: return code[\" + returnCode + \"] \" ); Console . WriteLine (); var res = \"\" ; foreach ( var arg in args ) { res += $\"{arg} \" ; } // Example commands to be passed in // string res = \"activate -u wss://192.168.1.96/activate -n -profile Test_Profile\"; // string res = \"amtinfo\"; IntPtr output = IntPtr . Zero ; Console . WriteLine ( \"... CALLING rpcExec with argument string: \" + res ); returnCode = rpcExec ( Encoding . ASCII . GetBytes ( res ), ref output ); Console . WriteLine ( \"... rpcExec completed: return code[\" + returnCode + \"] \" + Marshal . PtrToStringAnsi ( output ));","title":"Call a Function"},{"location":"Reference/RPC/libraryRPC/#rpc-error-code-charts","text":"","title":"RPC Error Code Charts"},{"location":"Reference/RPC/libraryRPC/#general-errors","text":"","title":"General Errors"},{"location":"Reference/RPC/libraryRPC/#1-19-basic-errors-outside-of-open-amt-cloud-toolkit","text":"Error Code Message 1 Incorrect permissions (not admin or sudo) 2 HECI driver not detected 3 AMT not detected 4 AMT not ready","title":"(1-19) Basic Errors Outside of Open AMT Cloud Toolkit"},{"location":"Reference/RPC/libraryRPC/#20-69-input-errors-to-rpc","text":"Error Code Message 20 Missing or incorrect URL 21 Missing or incorrect profile 22 Server certificate verification failed 23 Missing or incorrect password 24 Missing DNS Suffix 25 Missing hostname 26 Missing proxy address and port 27 Missing static IP information","title":"(20-69) Input errors to RPC"},{"location":"Reference/RPC/libraryRPC/#70-99-connection-errors","text":"Error Code Message 70 RPS authentication failed 71 AMT connection failed 72 OS network interfaces lookup failed","title":"(70-99) Connection Errors"},{"location":"Reference/RPC/libraryRPC/#amt-specific-errors","text":"","title":"AMT-Specific Errors"},{"location":"Reference/RPC/libraryRPC/#100-149-activation-and-configuration-errors","text":"Error Code Message 100 AMT authentication failed 101 WSMAN message error 102 Activation failed 103 Network configuration failed 104 CIRA configuration failed 105 TLS configuration failed 106 WiFi configuration failed 107 AMT features configuration failed 108 802.1x configuration failed","title":"(100-149) Activation and Configuration Errors"},{"location":"Reference/RPC/libraryRPC/#150-199-maintenance-errors","text":"Error Code Message 150 Clock sync failed 151 Hostname sync failed 152 Network sync failed","title":"(150-199) Maintenance Errors"},{"location":"Reference/RPS/configuration/","text":"RPS Configuration \u00b6 Environment Variable Default Description RPS_IMAGE rps-microservice:v1 Only used when using docker-compose.yml. Specifies image to use for RPS RPS_CONNECTION_STRING postgresql://postgresadmin@localhost:5432/rpsdb?sslmode=no-verify The database connection string RPS_WEB_PORT 8081 Specifies the Web API port to listen on RPS_WEBSOCKETPORT 8080 Specifies the Websocket port to listen on RPS_VAULT_ADDRESS http://vault:8200 Address of where the vault is hosted RPS_VAULT_TOKEN myroot Token used to access the vault RPS_SECRETS_PATH secret/data/ Specifies the path for where secrets are stored in the vault RPS_LOG_LEVEL info Controls the level of logging provided in the service. Options are (in order of increasing detail): error , warn , info , verbose , debug , and silly RPS_MPS_SERVER http://localhost:3000 Specifies where the MPS is hosted -- required for metadata registration (i.e. hostname, and tags) RPS_DELAY_TIMER 12 Sets the number of seconds to wait after activation but before proceeding with final steps. By default it is set to 12 seconds. During this waiting period, RPS sends heartbeats to RPC to keep the connection alive. RPS_MQTT_ADDRESS No Value Address of where the mqtt broker is hosted. Mqtt container is named mosquitto and is open to port 8883 . Thus unless setting are changed the value should be either empty (off) or mqtt://mosquitto:8883 (on)","title":"Configuration"},{"location":"Reference/RPS/configuration/#rps-configuration","text":"Environment Variable Default Description RPS_IMAGE rps-microservice:v1 Only used when using docker-compose.yml. Specifies image to use for RPS RPS_CONNECTION_STRING postgresql://postgresadmin@localhost:5432/rpsdb?sslmode=no-verify The database connection string RPS_WEB_PORT 8081 Specifies the Web API port to listen on RPS_WEBSOCKETPORT 8080 Specifies the Websocket port to listen on RPS_VAULT_ADDRESS http://vault:8200 Address of where the vault is hosted RPS_VAULT_TOKEN myroot Token used to access the vault RPS_SECRETS_PATH secret/data/ Specifies the path for where secrets are stored in the vault RPS_LOG_LEVEL info Controls the level of logging provided in the service. Options are (in order of increasing detail): error , warn , info , verbose , debug , and silly RPS_MPS_SERVER http://localhost:3000 Specifies where the MPS is hosted -- required for metadata registration (i.e. hostname, and tags) RPS_DELAY_TIMER 12 Sets the number of seconds to wait after activation but before proceeding with final steps. By default it is set to 12 seconds. During this waiting period, RPS sends heartbeats to RPC to keep the connection alive. RPS_MQTT_ADDRESS No Value Address of where the mqtt broker is hosted. Mqtt container is named mosquitto and is open to port 8883 . Thus unless setting are changed the value should be either empty (off) or mqtt://mosquitto:8883 (on)","title":"RPS Configuration"},{"location":"Reference/RPS/createProfileTLSConfig/","text":"During the activation process with the Remote Provisioning Client ( RPC ), profiles provide configuration information to the firmware on platforms featuring Intel\u00ae AMT . In Profiles , the Open AMT Cloud Toolkit supports Client Initiated Remote Access ( CIRA ) connections, which use Transport Layer Security ( TLS ). The toolkit also supports TLS without CIRA . TLS connections encrypt Intel\u00ae AMT network traffic, increasing data security and privacy. Important TLS works with both ACM And CCM . Because CIRA connections already use TLS , the option to use both in a profile is not available, as it would double the amount of encryption/decryption and potentially impact performance. To create a profile with TLS Config: Select the Profiles tab from the menu on the left. Under the Profiles tab, click + Add New in the top-right corner to create a profile. Figure 1: Create a new profile Specify a Profile Name of your choice. Under Activation Mode , select either Client Control Mode or Admin Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Tip The two buttons next to the password input are for toggling visibility and generating a new random password. Please note that if the Vault database is lost or corrupted, all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! If choosing to activate into ACM , provide or generate a strong MEBX Password . This password can be used to access Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) on the AMT device. Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select Connection Configuration to TLS (Enterprise) . Under TLS (Enterprise) , select the TLS Mode from the dropdown menu. The toolkit offers four configuration modes to support various usage models: CONFIGURATION MODE DESCRIPTION Server Authentication Only The client authenticates the server request and accepts only those servers with a digital certificate. Server and Non- TLS Authentication Used primarily for testing. The client authenticates the server request and accepts legitimate digital certificates from TLS -enabled servers. However, if the server is not TLS -enabled, the client defaults to a CIRA connection. Mutual TLS Authentication Only Both client and server must have certs. The client cert is signed by the server cert. Mutual and Non- TLS Authentication Used primarily for testing. Both client and server certs are expected. The client authenticates the server request and accepts legitimate digital certificates from TLS -enabled servers. However, if the server is not TLS -enabled, the client defaults to a CIRA connection. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example profile with TLS Config Figure 2: Example profile with TLS Config To confirm the digital certificates generated for the profile, open a browser and navigate to the Vault service at http://localhost:8200 for a local Docker deployment or [Cloud-FQDN]:8200 (Ex: openamt.eastus.cloudapp.azure.com:8200) for a cloud deployment. Sign in to Vault with the VAULT_TOKEN stored in the .env file or Root Token (Ex: s.QnhrbjXyH08UD7y6PHBDmjq9) generated when unsealing and initializing Vault in your cloud deployment. Figure 3: Login with the token Navigate to the path secret/TLS/[profile name] for a local dev mode Vault deployment. Or kv/TLS/[profile name] for a cloud deployment. Example of Certificate Storage Figure 4: Digital Certificate Next up \u00b6 Build & Run RPC","title":"Create Profile with TLS"},{"location":"Reference/RPS/createProfileTLSConfig/#next-up","text":"Build & Run RPC","title":"Next up"},{"location":"Reference/RPS/securityRPS/","text":"RPS Security Considerations \u00b6 The microservice Remote Provision Service ( RPS ) plays a component role in a larger set of services that makes up the device management software suite. In this role, RPS uses and creates secrets that are required to be able to successfully activate and use Intel\u00ae AMT . There are six key assets that must be protected: Remote admin password for Intel\u00ae AMT MEBX password for Intel\u00ae AMT Provisioning Certificate for each supported domain Password used to encrypt each Provisioning Certificate Device configuration information sent to Intel\u00ae AMT device MPS CIRA login credentials In addition to the above assets, there are best practices that are recommended to help secure these assets as they are used within the system. The following sections will cover each asset and the recommended practices to use to protect the assets. Security Assets \u00b6 Remote Admin Password for Intel\u00ae AMT \u00b6 This password is what is configured in the Intel\u00ae AMT firmware that allows a remote user to remotely control the Intel\u00ae AMT device (power actions, remote desktop, remote terminal, etc). When RPS activates an Intel\u00ae AMT device, it sets this password in the Intel\u00ae AMT firmware. This password can either be statically set or can be randomly generated based on the profile defined by the user. It is highly recommended to use randomly generated passwords as this will make each Intel\u00ae AMT device more secure by using unique passwords per device. In a default docker or Kubernetes deployment, RPS will save the Remote Admin Password to the deployed Vault instance. MEBX Password for Intel\u00ae AMT \u00b6 The Management Engine BIOS Extension (MEBX) password is the password that protects the pre-boot menu option that provides access to Intel\u00ae AMT settings. To use this password a user needs to have physical access to the device. It is highly recommended to change this password from the factory default settings upon receiving a new Intel\u00ae AMT device. A RPS profile provides an option for either specifying a static password that is used for all devices configured with a given profile or a randomly generated password can be assigned uniquely per device. The MEBX password set in each device is saved in Vault. While a randomly generated password is more secure, in this case there is risk that if the Vault database is lost, access to the Intel\u00ae AMT device could be very difficult to recover. It is recommended to use the high availability and backup options provided by the Vault solution to ensure that these secrets are not lost. Provisioning Certificate for each supported domain \u00b6 This certificate is unique per owned domain where RPS needs to provision Intel\u00ae AMT devices. This certificate must be derived from a root certificate whose hash matches one of the trusted provisioning root certificate hashes that is listed in the Intel\u00ae AMT device firmware. Generally, the provisioning certificate is purchased from a trusted certificate authority (VeriSign, GoDaddy, Comodo, etc). The full list of supported CAs based on Intel\u00ae AMT version are listed here . This certificate must contain the leaf certificate, root certificate, and all of the intermediate certificates to form a complete certificate chain. Additionally, the certificate file must also include the private key for the certificate (.pfx format). The leaf certificate for the provisioning certificate must match the domain suffix that the Intel\u00ae AMT device is connected as specified by DHCP option 15 or the Trusted DNS suffix in the Management Engine BIOS Extensions (MEBX). Matching this is one of the ways in which the Intel\u00ae AMT firmware establishes trust with RPS . The provisioning certificate is provided by the user when defining an Intel\u00ae AMT profile. RPS fetches the Provisioning Certificate from Vault when it is needed to activate an Intel\u00ae AMT device. If users have provisioning certificates, they will need to understand which profile to use when configuring an Intel\u00ae AMT device based on the network to which the device is currently connected. Password used to encrypt Provisioning Certificate \u00b6 This is the password that is used to encrypt the provisioning certificate .pfx file that is discussed above. RPS uses this password to decrypt the provisioning certificate so that it can use the certificate components and the private key to activate Intel\u00ae AMT devices. RPS fetches the password from Vault and will use it when it is needed to decrypt a provisioning certificate. Device configuration information sent to Intel\u00ae AMT device \u00b6 Intel\u00ae AMT firmware uses configuration information to establish trust and then activate the Intel\u00ae AMT device. The information contains the hashed remote admin password and MEBX password. Protect this information while it is being used by RPS and while in transit to the Intel\u00ae AMT device. Ensure that a secure ( TLS -encrypted) WebSocket is used when RPS is communicating with the client device. This will protect data in transit. The configuration information uses nonces to prevent replay of this data. MPS CIRA Login Credentials \u00b6 To connect to the MPS over a CIRA connection, the Intel\u00ae AMT device needs to provide the correct login credentials for MPS . These credentials are specified as part of the AMT Profile created in RPS . When a device is configured by RPS , the MPS CIRA credentials will be sent to MPS using the Devices POST API call where MPS will then store the credentials. These credentials are verfied by the MPS when the CIRA connection is established. Best Known Security Methods \u00b6 1 Enable TLS on network connections \u00b6 There are two potential places where TLS could be enable to protect the security assets: * WebSocket connection between RPS and Intel\u00ae AMT client (recommended) * Connection between RPS and Vault - If communication between RPS and Vault is outside a secure container environment (not recommended deployment, see item 2 below) Securing these communication routes will help prevent security assets being exposed through network based attacks intercepting messages between components. It is recommended that the most modern version of TLS be used when encrypting communication. 2 Secure and isolate execution environment \u00b6 RPS holds several of the described security assets in memory during execution. In order to protect these assets while in the memory of RPS , it is recommended that RPS be run in a secure execution environment such as a dedicated container. Deploying into a secure container environment eases the burden of individually securing the assets while in memory or in transit between Open AMT Cloud Toolkit services. Running MPS , RPS , API Gateway, MPS Router, Vault, and Database all within the same secure container instance will help ensure that the communication between these services remains secure. 3 Utilize a Hashicorp Vault implementation to store security assets \u00b6 Utilizing Hashicorp Vault to store security assets either created by or used by RPS will greatly increase the security of these assets. Not only does Vault encrypt the data at rest, but it also manages access to the data itself. As the Vault owner, you decide who gets access to the security assets stored there, not RPS .","title":"Security Information"},{"location":"Reference/RPS/securityRPS/#rps-security-considerations","text":"The microservice Remote Provision Service ( RPS ) plays a component role in a larger set of services that makes up the device management software suite. In this role, RPS uses and creates secrets that are required to be able to successfully activate and use Intel\u00ae AMT . There are six key assets that must be protected: Remote admin password for Intel\u00ae AMT MEBX password for Intel\u00ae AMT Provisioning Certificate for each supported domain Password used to encrypt each Provisioning Certificate Device configuration information sent to Intel\u00ae AMT device MPS CIRA login credentials In addition to the above assets, there are best practices that are recommended to help secure these assets as they are used within the system. The following sections will cover each asset and the recommended practices to use to protect the assets.","title":"RPS Security Considerations"},{"location":"Reference/RPS/securityRPS/#security-assets","text":"","title":"Security Assets"},{"location":"Reference/RPS/securityRPS/#remote-admin-password-for-intel-amt","text":"This password is what is configured in the Intel\u00ae AMT firmware that allows a remote user to remotely control the Intel\u00ae AMT device (power actions, remote desktop, remote terminal, etc). When RPS activates an Intel\u00ae AMT device, it sets this password in the Intel\u00ae AMT firmware. This password can either be statically set or can be randomly generated based on the profile defined by the user. It is highly recommended to use randomly generated passwords as this will make each Intel\u00ae AMT device more secure by using unique passwords per device. In a default docker or Kubernetes deployment, RPS will save the Remote Admin Password to the deployed Vault instance.","title":"Remote Admin Password for Intel&reg; AMT"},{"location":"Reference/RPS/securityRPS/#mebx-password-for-intel-amt","text":"The Management Engine BIOS Extension (MEBX) password is the password that protects the pre-boot menu option that provides access to Intel\u00ae AMT settings. To use this password a user needs to have physical access to the device. It is highly recommended to change this password from the factory default settings upon receiving a new Intel\u00ae AMT device. A RPS profile provides an option for either specifying a static password that is used for all devices configured with a given profile or a randomly generated password can be assigned uniquely per device. The MEBX password set in each device is saved in Vault. While a randomly generated password is more secure, in this case there is risk that if the Vault database is lost, access to the Intel\u00ae AMT device could be very difficult to recover. It is recommended to use the high availability and backup options provided by the Vault solution to ensure that these secrets are not lost.","title":"MEBX Password for Intel&reg; AMT"},{"location":"Reference/RPS/securityRPS/#provisioning-certificate-for-each-supported-domain","text":"This certificate is unique per owned domain where RPS needs to provision Intel\u00ae AMT devices. This certificate must be derived from a root certificate whose hash matches one of the trusted provisioning root certificate hashes that is listed in the Intel\u00ae AMT device firmware. Generally, the provisioning certificate is purchased from a trusted certificate authority (VeriSign, GoDaddy, Comodo, etc). The full list of supported CAs based on Intel\u00ae AMT version are listed here . This certificate must contain the leaf certificate, root certificate, and all of the intermediate certificates to form a complete certificate chain. Additionally, the certificate file must also include the private key for the certificate (.pfx format). The leaf certificate for the provisioning certificate must match the domain suffix that the Intel\u00ae AMT device is connected as specified by DHCP option 15 or the Trusted DNS suffix in the Management Engine BIOS Extensions (MEBX). Matching this is one of the ways in which the Intel\u00ae AMT firmware establishes trust with RPS . The provisioning certificate is provided by the user when defining an Intel\u00ae AMT profile. RPS fetches the Provisioning Certificate from Vault when it is needed to activate an Intel\u00ae AMT device. If users have provisioning certificates, they will need to understand which profile to use when configuring an Intel\u00ae AMT device based on the network to which the device is currently connected.","title":"Provisioning Certificate for each supported domain"},{"location":"Reference/RPS/securityRPS/#password-used-to-encrypt-provisioning-certificate","text":"This is the password that is used to encrypt the provisioning certificate .pfx file that is discussed above. RPS uses this password to decrypt the provisioning certificate so that it can use the certificate components and the private key to activate Intel\u00ae AMT devices. RPS fetches the password from Vault and will use it when it is needed to decrypt a provisioning certificate.","title":"Password used to encrypt Provisioning Certificate"},{"location":"Reference/RPS/securityRPS/#device-configuration-information-sent-to-intel-amt-device","text":"Intel\u00ae AMT firmware uses configuration information to establish trust and then activate the Intel\u00ae AMT device. The information contains the hashed remote admin password and MEBX password. Protect this information while it is being used by RPS and while in transit to the Intel\u00ae AMT device. Ensure that a secure ( TLS -encrypted) WebSocket is used when RPS is communicating with the client device. This will protect data in transit. The configuration information uses nonces to prevent replay of this data.","title":"Device configuration information sent to Intel\u00ae AMT device"},{"location":"Reference/RPS/securityRPS/#mps-cira-login-credentials","text":"To connect to the MPS over a CIRA connection, the Intel\u00ae AMT device needs to provide the correct login credentials for MPS . These credentials are specified as part of the AMT Profile created in RPS . When a device is configured by RPS , the MPS CIRA credentials will be sent to MPS using the Devices POST API call where MPS will then store the credentials. These credentials are verfied by the MPS when the CIRA connection is established.","title":"MPS CIRA Login Credentials"},{"location":"Reference/RPS/securityRPS/#best-known-security-methods","text":"","title":"Best Known Security Methods"},{"location":"Reference/RPS/securityRPS/#1-enable-tls-on-network-connections","text":"There are two potential places where TLS could be enable to protect the security assets: * WebSocket connection between RPS and Intel\u00ae AMT client (recommended) * Connection between RPS and Vault - If communication between RPS and Vault is outside a secure container environment (not recommended deployment, see item 2 below) Securing these communication routes will help prevent security assets being exposed through network based attacks intercepting messages between components. It is recommended that the most modern version of TLS be used when encrypting communication.","title":"1 Enable TLS on network connections"},{"location":"Reference/RPS/securityRPS/#2-secure-and-isolate-execution-environment","text":"RPS holds several of the described security assets in memory during execution. In order to protect these assets while in the memory of RPS , it is recommended that RPS be run in a secure execution environment such as a dedicated container. Deploying into a secure container environment eases the burden of individually securing the assets while in memory or in transit between Open AMT Cloud Toolkit services. Running MPS , RPS , API Gateway, MPS Router, Vault, and Database all within the same secure container instance will help ensure that the communication between these services remains secure.","title":"2 Secure and isolate execution environment"},{"location":"Reference/RPS/securityRPS/#3-utilize-a-hashicorp-vault-implementation-to-store-security-assets","text":"Utilizing Hashicorp Vault to store security assets either created by or used by RPS will greatly increase the security of these assets. Not only does Vault encrypt the data at rest, but it also manages access to the data itself. As the Vault owner, you decide who gets access to the security assets stored there, not RPS .","title":"3 Utilize a Hashicorp Vault implementation to store security assets"},{"location":"Reference/UIToolkit/localization/","text":"Localize Strings \u00b6 Create a new directory in the ui-toolkit/public/locales/ directory. The directory name must match one of the codes listed . Copy the translation.json file in the public/locales/en/ directory to the new language directory. Customize the required fields in the translation.json file. Example To support Kannada language: Create a new directory kn in /public/locales/ Copy translation.json from /locales/en/ to /locales/kn/ directory Update key-values in /kn/translation.json according to Kannada language Open the i18n.ts file in the ui-toolkit directory. Modify the file to import the newly added public/locales/Language/translation.json file and update the 'resources' constant to include the new translation. Example To support Kannada language: Create new import statement as 'translationKN' Edit resources constant to include new translation import translationEN from './public/locales/en/translation.json' import translationKN from './public/locales/kn/translation.json'; const resources = { en: { translations: translationEN }, kn: { translations: translationKN } }; Rebuild and generate a new bundle before testing the changes. Language can be changed in the browser under language section of the browser settings. English is the default if no customized translation file provided for the language. Get Localized Strings for Web Consoles with Localization Enabled \u00b6 If your web console already has localization enabled, make sure to add the translations of the UI-controls into your web console's translations file.","title":"Localization"},{"location":"Reference/UIToolkit/localization/#localize-strings","text":"Create a new directory in the ui-toolkit/public/locales/ directory. The directory name must match one of the codes listed . Copy the translation.json file in the public/locales/en/ directory to the new language directory. Customize the required fields in the translation.json file. Example To support Kannada language: Create a new directory kn in /public/locales/ Copy translation.json from /locales/en/ to /locales/kn/ directory Update key-values in /kn/translation.json according to Kannada language Open the i18n.ts file in the ui-toolkit directory. Modify the file to import the newly added public/locales/Language/translation.json file and update the 'resources' constant to include the new translation. Example To support Kannada language: Create new import statement as 'translationKN' Edit resources constant to include new translation import translationEN from './public/locales/en/translation.json' import translationKN from './public/locales/kn/translation.json'; const resources = { en: { translations: translationEN }, kn: { translations: translationKN } }; Rebuild and generate a new bundle before testing the changes. Language can be changed in the browser under language section of the browser settings. English is the default if no customized translation file provided for the language.","title":"Localize Strings"},{"location":"Reference/UIToolkit/localization/#get-localized-strings-for-web-consoles-with-localization-enabled","text":"If your web console already has localization enabled, make sure to add the translations of the UI-controls into your web console's translations file.","title":"Get Localized Strings for Web Consoles with Localization Enabled"},{"location":"Reference/UIToolkit/webpackConfig/","text":"To use Webpack *, understand its Core Concepts: Entry: The entry point such as /src/index.js , which is the default for Webpack 4 is what Webpack will use to start building out/resolving its dependencies. Output: The output property, such as ./dist , the default for Webpack 4, tells Webpack where to output the bundles it creates and how to name them. Loaders: Because Webpack only understands native Javascript code, these loaders enable Webpack to process different types of imported files and convert them into valid modules when it encounters a specific type of file. Loaders have two properties in the configuration file: The test property identifies the file or files that should be transformed The use property indicates the loader that can be used to do the transforming Plugins: The plugins enable the extension of Webpack capabilities to perform a wider range of tasks like bundle optimization, asset management, and injection of environment variables. Install Webpack \u00b6 Install both webpack and webpack cli as dev dependencies: npm i webpack webpack-cli -D webpack-dev-server . Configure Webpack for the Development Environment \u00b6 To configure: Create a Webpack config file webpack.config.dev.js in the root of the project folder. Add the development environment to the webpack.config.dev.js file:** const path = require ( 'path' ); module . exports = { mode : \"development\" , entry : './src/reactjs/components/KVM/index.tsx' , // entry points can be multiple } Add Typescript \u00b6 The example code below resolves the file extensions, .tsx, .ts and .js. Files with the extensions .tsx or .ts are processed by awesome-typescript-loader. To add Typescript support: Install the Typescript dependency, awesome-typescript-loader: npm i awesome-typescript-loader -D 2. Add the configuration to the webpack.config.dev.js file: Example: const path = require ( 'path' ); module . exports = { .... resolve : { extensions : [ \".tsx\" , \".ts\" , \".js\" ] }, module : { rules : [ { test : /\\.tsx?$/ , loader : 'awesome-typescript-loader' } ] } } Add Styles \u00b6 To Add Styles support: Use npm to install css-loader and sass-loader: npm i style-loader css-loader sass-loader -D Add the configuration to the webpack.config.dev.js file: module . exports = { .... module : { rules : [ ... { test : /\\.(sc|sa|c)ss$/ , use : [ 'style-loader' , 'css-loader' , 'sass-loader' ], } ] } } Add HTML \u00b6 To add HTML support: Use the Webpack plugin html-webpack-plugin, which helps simplify the creation of HTML files to help serve our Webpack bundles: npm i html-webpack-plugin -D. Add the configuration to the webpack.config.dev.js file: const path = require ( 'path' ); const HtmlWebpackPlugin = require ( 'html-webpack-plugin' ); module . exports = { .... plugins : [ new HtmlWebpackPlugin ({ filename : \"kvm.htm\" , template : \"./src/sample/sampleKVM.htm\" , inject : true , chunks : [ \"kvm\" ], }), ] } Development Server \u00b6 Set up a development server using the webpack-dev-server. This server opens a default browser upon npm start and provide us with live reloading. npm i webpack-dev-server --D Update Package.json \u00b6 Add webpack-dev-server to the Package.json file: \"scripts\" : { \"start\" : \"webpack-dev-server --config webpack.config.dev.js\" } Example Sample usage: Open command prompt. Run npm start command. Configure Webpack for Production Environment \u00b6 To add production environment support: Create a Webpack config file webpack.config.prod.js in the root of our project folder. Add the configuration to the webpack.config.prod.js file: const path = require ( 'path' ); module . exports = { mode : \"production\" , entry : './src/reactjs/components/KVM/index.tsx' , // entry points can be multiple output : { filename : \"[name].min.js\" , path : path . resolve ( __dirname , \"./dist\" ) }, .... } 3. Update Package.json: \"scripts\" : { \"build\" : \"webpack --config webpack.config.prod.js\" , } Example Sample usage: Open command prompt. Run npm run build. Configure Webpack for External Environment \u00b6 Create a Webpack config file webpack.config.externals.js in the root of our project folder. Add webpack-node-externals: Install webpack-node-externals dependencies: npm install webpack-node-externals -D The webpack-node-externals library creates an externals function that ignores node_modules when bundling in Webpack . Add the following to webpack.config.externals.js : const path = require ( \"path\" ); //No ES6 in webpack config const nodeExternals = require ( 'webpack-node-externals' ); module . exports = { .... externals : [ nodeExternals ()], }; 3. Update Package.json: \"scripts\" : { \"build-ext\" : \"webpack --config webpack.config.externals.js\" , } Example Sample usage: Open command prompt. Run npm run build-ext command.","title":"Webpack Configuration"},{"location":"Reference/UIToolkit/webpackConfig/#install-webpack","text":"Install both webpack and webpack cli as dev dependencies: npm i webpack webpack-cli -D webpack-dev-server .","title":"Install Webpack"},{"location":"Reference/UIToolkit/webpackConfig/#configure-webpack-for-the-development-environment","text":"To configure: Create a Webpack config file webpack.config.dev.js in the root of the project folder. Add the development environment to the webpack.config.dev.js file:** const path = require ( 'path' ); module . exports = { mode : \"development\" , entry : './src/reactjs/components/KVM/index.tsx' , // entry points can be multiple }","title":"Configure Webpack for the Development Environment"},{"location":"Reference/UIToolkit/webpackConfig/#add-typescript","text":"The example code below resolves the file extensions, .tsx, .ts and .js. Files with the extensions .tsx or .ts are processed by awesome-typescript-loader. To add Typescript support: Install the Typescript dependency, awesome-typescript-loader: npm i awesome-typescript-loader -D 2. Add the configuration to the webpack.config.dev.js file: Example: const path = require ( 'path' ); module . exports = { .... resolve : { extensions : [ \".tsx\" , \".ts\" , \".js\" ] }, module : { rules : [ { test : /\\.tsx?$/ , loader : 'awesome-typescript-loader' } ] } }","title":"Add Typescript"},{"location":"Reference/UIToolkit/webpackConfig/#add-styles","text":"To Add Styles support: Use npm to install css-loader and sass-loader: npm i style-loader css-loader sass-loader -D Add the configuration to the webpack.config.dev.js file: module . exports = { .... module : { rules : [ ... { test : /\\.(sc|sa|c)ss$/ , use : [ 'style-loader' , 'css-loader' , 'sass-loader' ], } ] } }","title":"Add Styles"},{"location":"Reference/UIToolkit/webpackConfig/#add-html","text":"To add HTML support: Use the Webpack plugin html-webpack-plugin, which helps simplify the creation of HTML files to help serve our Webpack bundles: npm i html-webpack-plugin -D. Add the configuration to the webpack.config.dev.js file: const path = require ( 'path' ); const HtmlWebpackPlugin = require ( 'html-webpack-plugin' ); module . exports = { .... plugins : [ new HtmlWebpackPlugin ({ filename : \"kvm.htm\" , template : \"./src/sample/sampleKVM.htm\" , inject : true , chunks : [ \"kvm\" ], }), ] }","title":"Add HTML"},{"location":"Reference/UIToolkit/webpackConfig/#development-server","text":"Set up a development server using the webpack-dev-server. This server opens a default browser upon npm start and provide us with live reloading. npm i webpack-dev-server --D","title":"Development Server"},{"location":"Reference/UIToolkit/webpackConfig/#update-packagejson","text":"Add webpack-dev-server to the Package.json file: \"scripts\" : { \"start\" : \"webpack-dev-server --config webpack.config.dev.js\" } Example Sample usage: Open command prompt. Run npm start command.","title":"Update Package.json"},{"location":"Reference/UIToolkit/webpackConfig/#configure-webpack-for-production-environment","text":"To add production environment support: Create a Webpack config file webpack.config.prod.js in the root of our project folder. Add the configuration to the webpack.config.prod.js file: const path = require ( 'path' ); module . exports = { mode : \"production\" , entry : './src/reactjs/components/KVM/index.tsx' , // entry points can be multiple output : { filename : \"[name].min.js\" , path : path . resolve ( __dirname , \"./dist\" ) }, .... } 3. Update Package.json: \"scripts\" : { \"build\" : \"webpack --config webpack.config.prod.js\" , } Example Sample usage: Open command prompt. Run npm run build.","title":"Configure Webpack for Production Environment"},{"location":"Reference/UIToolkit/webpackConfig/#configure-webpack-for-external-environment","text":"Create a Webpack config file webpack.config.externals.js in the root of our project folder. Add webpack-node-externals: Install webpack-node-externals dependencies: npm install webpack-node-externals -D The webpack-node-externals library creates an externals function that ignores node_modules when bundling in Webpack . Add the following to webpack.config.externals.js : const path = require ( \"path\" ); //No ES6 in webpack config const nodeExternals = require ( 'webpack-node-externals' ); module . exports = { .... externals : [ nodeExternals ()], }; 3. Update Package.json: \"scripts\" : { \"build-ext\" : \"webpack --config webpack.config.externals.js\" , } Example Sample usage: Open command prompt. Run npm run build-ext command.","title":"Configure Webpack for External Environment"},{"location":"Reference/UIToolkit/Bundles/kvmReact/","text":"Quickstart - Bundle Keyboard Video Mouse ( KVM ) Control \u00b6 Use these instructions to: Run the KVM control in development environment Create a bundle for KVM control Add bundle to a sample HTML file Prerequisites \u00b6 In order to deploy and make changes, the following tools and application has to be installed on your development machine: Git Visual Studio Code or any other IDE Node.js Chrome* Browser MPS Server with an AMT Device Connected Download and Install UI Toolkit \u00b6 Open a Terminal (Linux) or Command Prompt (Windows) and navigate to a directory of your choice for development. Clone the UI Toolkit Repository: git clone https://github.com/open-amt-cloud-toolkit/ui-toolkit --branch v3.0.2 Change to the ui-toolkit directory: cd ui_toolkit Install the dependencies: npm install Run in Development Environment \u00b6 To add and test new changes before bundling the control, use a webpack dev server: Start the server: npm start Open a Chrome* browser and navigate to the following link to see changes: http://localhost:8080/kvm.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Note By default, the webpack dev server runs on port 8080. If port 8080 is already in use, webpack automatically runs on the next immediate available port. Create Bundle \u00b6 To bundle, navigate to the ui-toolkit directory in a Terminal (Linux) or Command Prompt (Windows). Remove or rename the existing kvm.min.js in the ui-toolkit/dist/ directory before building. Build the bundle: npm run build A new kvm.min.js will be created in the ui-toolkit/dist/ directory. Note To bundle the KVM control without node_modules, run the following build command instead. npm run built-ext The bundle generated using the build-ext command can be used in react apps as an independent control Add to Sample HTML Page \u00b6 Add the following code snippet to sampleKVM.htm in the ui-toolkit/src/reactjs/sample/ directory using an editor of your choice: <body> <div id=\"kvm\"></div> <script src=\"../../dist/kvm.min.js\" crossorigin></script> </body> In a Terminal (Linux) or Command Prompt (Windows), navigate to the ui-toolkit directory. Serve the HTML page: npx serve Open a new Chrome* browser and navigate to the following URL: http://localhost:5000/src/sample/sampleKVM.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Errors may occur in the following scenarios: UI-toolkit was not downloaded and installed into your react app MPS Server is not running MPS Server is running but the device is not connected","title":"Keyboard, Video, Mouse"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#quickstart-bundle-keyboard-video-mouse-kvm-control","text":"Use these instructions to: Run the KVM control in development environment Create a bundle for KVM control Add bundle to a sample HTML file","title":"Quickstart - Bundle Keyboard Video Mouse (KVM) Control"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#prerequisites","text":"In order to deploy and make changes, the following tools and application has to be installed on your development machine: Git Visual Studio Code or any other IDE Node.js Chrome* Browser MPS Server with an AMT Device Connected","title":"Prerequisites"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#download-and-install-ui-toolkit","text":"Open a Terminal (Linux) or Command Prompt (Windows) and navigate to a directory of your choice for development. Clone the UI Toolkit Repository: git clone https://github.com/open-amt-cloud-toolkit/ui-toolkit --branch v3.0.2 Change to the ui-toolkit directory: cd ui_toolkit Install the dependencies: npm install","title":"Download and Install UI Toolkit"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#run-in-development-environment","text":"To add and test new changes before bundling the control, use a webpack dev server: Start the server: npm start Open a Chrome* browser and navigate to the following link to see changes: http://localhost:8080/kvm.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Note By default, the webpack dev server runs on port 8080. If port 8080 is already in use, webpack automatically runs on the next immediate available port.","title":"Run in Development Environment"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#create-bundle","text":"To bundle, navigate to the ui-toolkit directory in a Terminal (Linux) or Command Prompt (Windows). Remove or rename the existing kvm.min.js in the ui-toolkit/dist/ directory before building. Build the bundle: npm run build A new kvm.min.js will be created in the ui-toolkit/dist/ directory. Note To bundle the KVM control without node_modules, run the following build command instead. npm run built-ext The bundle generated using the build-ext command can be used in react apps as an independent control","title":"Create Bundle"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#add-to-sample-html-page","text":"Add the following code snippet to sampleKVM.htm in the ui-toolkit/src/reactjs/sample/ directory using an editor of your choice: <body> <div id=\"kvm\"></div> <script src=\"../../dist/kvm.min.js\" crossorigin></script> </body> In a Terminal (Linux) or Command Prompt (Windows), navigate to the ui-toolkit directory. Serve the HTML page: npx serve Open a new Chrome* browser and navigate to the following URL: http://localhost:5000/src/sample/sampleKVM.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Errors may occur in the following scenarios: UI-toolkit was not downloaded and installed into your react app MPS Server is not running MPS Server is running but the device is not connected","title":"Add to Sample HTML Page"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/","text":"Quickstart - Bundle Serial Over LAN ( SOL ) Control \u00b6 Use these instructions to: Run the SOL control in development environment Create a bundle for SOL control Add bundle to a sample HTML file Prerequisites \u00b6 In order to deploy and make changes, the following tools and application have to be installed on your development system: Git Visual Studio Code or any other IDE Node.js Chrome* Browser MPS Server with an AMT Device Connected Download and Install UI Toolkit \u00b6 Open a Terminal (Linux) or Command Prompt (Windows) and navigate to a directory of your choice for development. Clone the UI-Toolkit Repository: git clone https://github.com/open-amt-cloud-toolkit/ui-toolkit --branch v3.0.2 Change to the ui-toolkit directory: cd ui_toolkit Install the dependencies: npm install Run in Development Environment \u00b6 To add and test new changes before bundling the control, use a webpack dev server. Start the server: npm start Open a Chrome* browser and navigate to the following link to see changes: http://localhost:8080/sol.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Note By default, the webpack dev server runs on port 8080. If port 8080 is already in use, webpack automatically runs on the next immediate available port. Create Bundle \u00b6 To bundle, navigate to the ui-toolkit directory in a Terminal (Linux) or Command Prompt (Windows). Remove or rename the existing sol.min.js in the ui-toolkit/dist/ directory before building: Build the bundle: npm run build A new kvm.core.min.js will be created in the ui-toolkit/dist/ directory. Note To bundle the Serial-Over-LAN control without node_modules, run the following build command instead. npm run built-ext The bundle generated using the build-ext command can be used in react apps as an independent control Add to Sample HTML Page \u00b6 Add the following code snippet to sampleSOL.htm in the ui-toolkit/src/sample/ directory using an editor of your choice: <body> <div id= \"sol\" ></div> <script src= \"../../dist/sol.min.js\" crossorigin ></script> </body> In a Terminal (Linux) or Command Prompt (Windows), navigate to the ui-toolkit directory: Serve the HTML page. npx serve Open a new Chrome* browser and navigate to the following URL: http://localhost:5000/src/sample/sampleSOL.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Errors may occur in the following scenarios: UI-toolkit was not downloaded and installed into your react app MPS Server is not running MPS Server is running but the device is not connected","title":"Serial Over LAN"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#quickstart-bundle-serial-over-lan-sol-control","text":"Use these instructions to: Run the SOL control in development environment Create a bundle for SOL control Add bundle to a sample HTML file","title":"Quickstart  - Bundle Serial Over LAN (SOL) Control"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#prerequisites","text":"In order to deploy and make changes, the following tools and application have to be installed on your development system: Git Visual Studio Code or any other IDE Node.js Chrome* Browser MPS Server with an AMT Device Connected","title":"Prerequisites"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#download-and-install-ui-toolkit","text":"Open a Terminal (Linux) or Command Prompt (Windows) and navigate to a directory of your choice for development. Clone the UI-Toolkit Repository: git clone https://github.com/open-amt-cloud-toolkit/ui-toolkit --branch v3.0.2 Change to the ui-toolkit directory: cd ui_toolkit Install the dependencies: npm install","title":"Download and Install UI Toolkit"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#run-in-development-environment","text":"To add and test new changes before bundling the control, use a webpack dev server. Start the server: npm start Open a Chrome* browser and navigate to the following link to see changes: http://localhost:8080/sol.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Note By default, the webpack dev server runs on port 8080. If port 8080 is already in use, webpack automatically runs on the next immediate available port.","title":"Run in Development Environment"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#create-bundle","text":"To bundle, navigate to the ui-toolkit directory in a Terminal (Linux) or Command Prompt (Windows). Remove or rename the existing sol.min.js in the ui-toolkit/dist/ directory before building: Build the bundle: npm run build A new kvm.core.min.js will be created in the ui-toolkit/dist/ directory. Note To bundle the Serial-Over-LAN control without node_modules, run the following build command instead. npm run built-ext The bundle generated using the build-ext command can be used in react apps as an independent control","title":"Create Bundle"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#add-to-sample-html-page","text":"Add the following code snippet to sampleSOL.htm in the ui-toolkit/src/sample/ directory using an editor of your choice: <body> <div id= \"sol\" ></div> <script src= \"../../dist/sol.min.js\" crossorigin ></script> </body> In a Terminal (Linux) or Command Prompt (Windows), navigate to the ui-toolkit directory: Serve the HTML page. npx serve Open a new Chrome* browser and navigate to the following URL: http://localhost:5000/src/sample/sampleSOL.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Errors may occur in the following scenarios: UI-toolkit was not downloaded and installed into your react app MPS Server is not running MPS Server is running but the device is not connected","title":"Add to Sample HTML Page"},{"location":"Reference/UIToolkit/Controls/kvmControl/","text":"Not sure how to implement Keyboard, Video Mouse ( KVM )? View the UI Toolkit KVM Module Tutorial for a step-by-step walkthrough prerequisites and instructions for implementing a React Control using the UI Toolkit . Add KVM Control \u00b6 Use the following code snippet to add the KVM control to the React Application. Open src/App.js and add the code shown below: Note Change deviceId value to your device GUID, mpsServer value to your MPS server address, and pass in a valid JWT for authToken . import React from \"react\" ; import \"./App.css\" ; import { KVM } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/kvm.bundle\" ; function App () { return ( < div className = \"App\" > < KVM deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws/relay\" //Replace 'localhost' with Development System or MPS Server IP Address mouseDebounceTime = \"200\" authToken = \"\" // Replace with a valid JWT provided during login of MPS canvasHeight = \"100%\" canvasWidth = \"100%\" >< /KVM> < /div> ); } export default App ;","title":"Keyboard, Video, Mouse"},{"location":"Reference/UIToolkit/Controls/kvmControl/#add-kvm-control","text":"Use the following code snippet to add the KVM control to the React Application. Open src/App.js and add the code shown below: Note Change deviceId value to your device GUID, mpsServer value to your MPS server address, and pass in a valid JWT for authToken . import React from \"react\" ; import \"./App.css\" ; import { KVM } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/kvm.bundle\" ; function App () { return ( < div className = \"App\" > < KVM deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws/relay\" //Replace 'localhost' with Development System or MPS Server IP Address mouseDebounceTime = \"200\" authToken = \"\" // Replace with a valid JWT provided during login of MPS canvasHeight = \"100%\" canvasWidth = \"100%\" >< /KVM> < /div> ); } export default App ;","title":"Add KVM Control"},{"location":"Reference/UIToolkit/Controls/serialOverLANControl/","text":"Not sure how to implement Serial Over LAN ( SOL )? View the UI Toolkit KVM Module Tutorial for a step-by-step walkthrough of the prerequisites and instructions for implementing a React Control using the UI Toolkit . Add Serial Over LAN ( SOL ) Control \u00b6 Use the following code snippet to add the SOL control to the React Application. Open src/App.js and add the code shown below: Note Change deviceId value to your device GUID, mpsServer value to your MPS server address, and pass in a valid JWT for authToken . import React from \"react\" ; import { Sol } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/sol.bundle\" ; function App () { return ( < div > < Sol deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws\" //Replace 'localhost' with Development System or MPS Server IP Address authToken = \"\" > // Replace with a valid JWT provided during login of MPS < /Sol> < /div> ); } \u200b export default App ;","title":"Serial Over LAN"},{"location":"Reference/UIToolkit/Controls/serialOverLANControl/#add-serial-over-lan-sol-control","text":"Use the following code snippet to add the SOL control to the React Application. Open src/App.js and add the code shown below: Note Change deviceId value to your device GUID, mpsServer value to your MPS server address, and pass in a valid JWT for authToken . import React from \"react\" ; import { Sol } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/sol.bundle\" ; function App () { return ( < div > < Sol deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws\" //Replace 'localhost' with Development System or MPS Server IP Address authToken = \"\" > // Replace with a valid JWT provided during login of MPS < /Sol> < /div> ); } \u200b export default App ;","title":"Add Serial Over LAN (SOL) Control"},{"location":"Tutorials/apiTutorial/","text":"This tutorial demonstrates how to generate a JSON Web Token (JWT) for Authorization and construct an API call for Getting Devices using curl . This method will retrieve information about all devices, including device GUIDs. Figure 1: Tutorial flow using curl Figure 1: API Call to Get All Devices Figure 1 illustrates the flow of the tutorial below. Consult the API documentation for the MPS APIs (Steps A and C). Use the generated JWT, the return value from the Authorize method in Step B, with any of the MPS REST API methods that require a BearerAuth, an HTTP security scheme that provides access to the bearer of a token. The GetDevices method accepts the JWT as an authentication and returns a list of devices and associated data. Important Successfully deploy the Management Presence Server ( MPS ) and Remote Provisioning Server ( RPS ) and connect an Intel\u00ae vPro device to MPS before constructing the API call. Start here * to install microservices locally with Docker . What You'll Need \u00b6 Hardware A minimum network configuration must include: A Development system with Windows\u00ae 10 or Ubuntu 18.04 or newer An Activated and Configured Intel\u00ae vPro device as the managed device Software on the Development System MPS curl Any Text Editor What You'll Do \u00b6 The following sections describe how to: Generate a new JWT for Authorization Run an API Call to MPS for Devices See Other Example GET/POST Commands Generate a Token for Authorization \u00b6 See the Authorize Method in the API Documentation for more information. Open a Terminal or Command Prompt. Copy and paste the example code below into a text editor. Update the values of the [IP-Address or FQDN] , [MPS_WEB_ADMIN_USER] , and [MPS_WEB_ADMIN_PASSWORD] fields. Linux Windows curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/login/api/v1/authorize \\ -H \"Content-Type:application/json\" \\ -d \"{\\\"username\\\":\\\"[MPS_WEB_ADMIN_USER]\\\", \\\"password\\\":\\\" [MPS_WEB_ADMIN_PASSWORD]\\\"}\" curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/login/api/v1/authorize ^ -H \"Content-Type:application/json\" ^ -d \"{\\\"username\\\":\\\"[MPS_WEB_ADMIN_USER]\\\", \\\"password\\\":\\\" [MPS_WEB_ADMIN_PASSWORD]\\\"}\" Info - Using the --insecure Flag Because we are using self-signed certificates for MPS for development and testing purposes, we must supply this flag to bypass SSL certificate verification. Run the command. Example - Response of Authorize Method { \"token\" : \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5RW1SSlRiSWlJYjRiSWVTc21nY1dJanJSNkh5RVRxYyIsImV4cCI6MTYyMDE2OTg2NH0.GUib9sq0RWRLqJ7JpNNlj2AluuROLICCfdZaQzyWy90\" } This token will be used when making any other API call as part of the Authorization header. Run API Call for Get Devices \u00b6 See the GetDevices Method in the API Documentation for more information. Open a Terminal or Command Prompt. Copy and paste the example code below into a text editor. Update the values of the [IP-Address or FQDN] and [JWT-Token] fields. Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices \\ -H \"Authorization: Bearer [JWT-Token]\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices ^ -H \"Authorization: Bearer [JWT-Token]\" Run the command. Example - Response of Devices Method Example Terminal Output: [{ \"guid\" : \"3beae094-34f8-11ea-b6f5-ffed08129200\" , \"hostname\" : \"vpro3-NUC8v5PNK\" , \"tags\" :[], \"mpsInstance\" : \"mps\" , \"connectionStatus\" : true , \"mpsusername\" : \"admin\" }] Example JSON Pretty Print: [ { \"guid\" : \"3beae094-34f8-11ea-b6f5-ffed08129200\" , \"hostname\" : \"vpro3-NUC8v5PNK\" , \"tags\" : [], \"mpsInstance\" : \"mps\" , \"connectionStatus\" : true , \"mpsusername\" : \"admin\" } ] Important This is one way to retrieve a device's GUID in the host field. For amt path methods (i.e., Power Actions , Audit Logs, etc), the device GUID is required as part of the GET path. Save this value if you want to try other MPS methods. Other ways to retrieve a GUID can be found here . Example GET/POST Templates \u00b6 The sample GET and POST curl commands below can be adapted for other MPS and RPS methods by changing the URL path and modifying the request body data, if applicable . Power Capabilities (GET Template) Power Action (POST Template) Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/amt/powercapabilities/ [ AMT-Device-GUID ] \\ -H \"Authorization: Bearer [JWT-Token]\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/amt/powercapabilities/ [ AMT-Device-GUID ] ^ -H \"Authorization: Bearer [JWT-Token]\" See Power Capabilities API Docs for more information and expected responses. Linux Windows curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/api/v1/amt/power/action/ [ AMT-Device-GUID ] \\ -H \"Content-Type: application/json\" \\ -H \"Authorization: Bearer [JWT-Token]\" \\ -d \"{\\\"action\\\": [Power-Action], \\\"useSOL\\\": false}\" curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/api/v1/amt/power/action/ [ AMT-Device-GUID ] ^ -H \"Content-Type: application/json\" ^ -H \"Authorization: Bearer [JWT-Token]\" ^ -d \"{\\\"action\\\": [Power-Action], \\\"useSOL\\\": false}\" See Power Action API Docs for more information and expected responses. Other Methods \u00b6 For MPS methods to manage a device, see: MPS API Docs For RPS Methods for server configuration and provisioning, see RPS API Docs Explore the UI Toolkit \u00b6 In addition to REST API calls, the Open AMT Cloud Toolkit provides a reference implementation console. Add manageability features to the console with prebuilt React components, such as Keyboard, Video, and Mouse ( KVM ). Get Started with the UI Toolkit","title":"REST API Call"},{"location":"Tutorials/apiTutorial/#what-youll-need","text":"Hardware A minimum network configuration must include: A Development system with Windows\u00ae 10 or Ubuntu 18.04 or newer An Activated and Configured Intel\u00ae vPro device as the managed device Software on the Development System MPS curl Any Text Editor","title":"What You'll Need"},{"location":"Tutorials/apiTutorial/#what-youll-do","text":"The following sections describe how to: Generate a new JWT for Authorization Run an API Call to MPS for Devices See Other Example GET/POST Commands","title":"What You'll Do"},{"location":"Tutorials/apiTutorial/#generate-a-token-for-authorization","text":"See the Authorize Method in the API Documentation for more information. Open a Terminal or Command Prompt. Copy and paste the example code below into a text editor. Update the values of the [IP-Address or FQDN] , [MPS_WEB_ADMIN_USER] , and [MPS_WEB_ADMIN_PASSWORD] fields. Linux Windows curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/login/api/v1/authorize \\ -H \"Content-Type:application/json\" \\ -d \"{\\\"username\\\":\\\"[MPS_WEB_ADMIN_USER]\\\", \\\"password\\\":\\\" [MPS_WEB_ADMIN_PASSWORD]\\\"}\" curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/login/api/v1/authorize ^ -H \"Content-Type:application/json\" ^ -d \"{\\\"username\\\":\\\"[MPS_WEB_ADMIN_USER]\\\", \\\"password\\\":\\\" [MPS_WEB_ADMIN_PASSWORD]\\\"}\" Info - Using the --insecure Flag Because we are using self-signed certificates for MPS for development and testing purposes, we must supply this flag to bypass SSL certificate verification. Run the command. Example - Response of Authorize Method { \"token\" : \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5RW1SSlRiSWlJYjRiSWVTc21nY1dJanJSNkh5RVRxYyIsImV4cCI6MTYyMDE2OTg2NH0.GUib9sq0RWRLqJ7JpNNlj2AluuROLICCfdZaQzyWy90\" } This token will be used when making any other API call as part of the Authorization header.","title":"Generate a Token for Authorization"},{"location":"Tutorials/apiTutorial/#run-api-call-for-get-devices","text":"See the GetDevices Method in the API Documentation for more information. Open a Terminal or Command Prompt. Copy and paste the example code below into a text editor. Update the values of the [IP-Address or FQDN] and [JWT-Token] fields. Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices \\ -H \"Authorization: Bearer [JWT-Token]\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices ^ -H \"Authorization: Bearer [JWT-Token]\" Run the command. Example - Response of Devices Method Example Terminal Output: [{ \"guid\" : \"3beae094-34f8-11ea-b6f5-ffed08129200\" , \"hostname\" : \"vpro3-NUC8v5PNK\" , \"tags\" :[], \"mpsInstance\" : \"mps\" , \"connectionStatus\" : true , \"mpsusername\" : \"admin\" }] Example JSON Pretty Print: [ { \"guid\" : \"3beae094-34f8-11ea-b6f5-ffed08129200\" , \"hostname\" : \"vpro3-NUC8v5PNK\" , \"tags\" : [], \"mpsInstance\" : \"mps\" , \"connectionStatus\" : true , \"mpsusername\" : \"admin\" } ] Important This is one way to retrieve a device's GUID in the host field. For amt path methods (i.e., Power Actions , Audit Logs, etc), the device GUID is required as part of the GET path. Save this value if you want to try other MPS methods. Other ways to retrieve a GUID can be found here .","title":"Run API Call for Get Devices"},{"location":"Tutorials/apiTutorial/#example-getpost-templates","text":"The sample GET and POST curl commands below can be adapted for other MPS and RPS methods by changing the URL path and modifying the request body data, if applicable . Power Capabilities (GET Template) Power Action (POST Template) Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/amt/powercapabilities/ [ AMT-Device-GUID ] \\ -H \"Authorization: Bearer [JWT-Token]\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/amt/powercapabilities/ [ AMT-Device-GUID ] ^ -H \"Authorization: Bearer [JWT-Token]\" See Power Capabilities API Docs for more information and expected responses. Linux Windows curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/api/v1/amt/power/action/ [ AMT-Device-GUID ] \\ -H \"Content-Type: application/json\" \\ -H \"Authorization: Bearer [JWT-Token]\" \\ -d \"{\\\"action\\\": [Power-Action], \\\"useSOL\\\": false}\" curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/api/v1/amt/power/action/ [ AMT-Device-GUID ] ^ -H \"Content-Type: application/json\" ^ -H \"Authorization: Bearer [JWT-Token]\" ^ -d \"{\\\"action\\\": [Power-Action], \\\"useSOL\\\": false}\" See Power Action API Docs for more information and expected responses.","title":"Example GET/POST Templates"},{"location":"Tutorials/apiTutorial/#other-methods","text":"For MPS methods to manage a device, see: MPS API Docs For RPS Methods for server configuration and provisioning, see RPS API Docs","title":"Other Methods"},{"location":"Tutorials/apiTutorial/#explore-the-ui-toolkit","text":"In addition to REST API calls, the Open AMT Cloud Toolkit provides a reference implementation console. Add manageability features to the console with prebuilt React components, such as Keyboard, Video, and Mouse ( KVM ). Get Started with the UI Toolkit","title":"Explore the UI Toolkit"},{"location":"Tutorials/createWiFiConfig/","text":"Important - Windows 10 or Newer Supported Only This feature is currently only supported for systems on Windows 10 or newer (including Windows 11) operating systems. Wireless on Linux is not currently supported by Intel AMT. Warning - Support for Cellular While Open AMT Cloud Toolkit supports wireless and wired profiles, it does not currently offer support for managing devices through cellular connections. Products like Cradlepoint* offer a workaround for cellular connections. After activation and configuration of an AMT device with a wireless profile, remote devices can be managed wirelessly. For devices to be activated in Client Control Mode ( CCM ) : The managed AMT device can be activated and configured on a wireless connection. For devices to be activated in Admin Control Mode ( ACM ) : The managed AMT device MUST have a wired connection during the activation of AMT. After activation, devices are then able to be managed over the wireless network rather than a wired connection. Use RPC 's amtinfo feature to determine if your current device supports wireless functionality. For steps to obtain the RPC binary, see Build RPC . Run RPC with the amtinfo argument. Linux Windows sudo ./rpc amtinfo .\\rpc amtinfo Look at the output for the LAN Interface section as highlighted below. If RPC does NOT return a section for wireless , the AMT device does not support wireless functionality. Version : 15.0.10 Build Number : 1447 SKU : 16392 UUID : 4c4b4568-195a-4260-8097-a4c14f566733 Control Mode : pre-provisioning state DNS Suffix : vprodemo.com DNS Suffix (OS) : Hostname (OS) : DESKTOP-3YM6MPN RAS Network : outside enterprise RAS Remote Status : not connected RAS Trigger : user initiated RAS MPS Hostname : ---Wired Adapter--- DHCP Enabled : true DHCP Mode : passive Link Status : up IP Address : 0.0.0.0 MAC Address : 80:c4:a8:58:df:e9 ---Wireless Adapter--- DHCP Enabled : true DHCP Mode : passive Link Status : down IP Address : 0.0.0.0 MAC Address : 00:00:00:00:00:00 Certificate Hashes : ... Create a WiFi Config \u00b6 Select the Wireless tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new WiFi Config Specify a Wireless Profile Name of your choice. Under Authentication Method , select WPA PSK or WPA2 PSK . Provide the PSK Passphrase . This is the password to the WiFi Network. Under Encryption Method , select TKIP or CCMP . Specify the SSID . This is the name of your wireless network. Click Save. Example Wireless Profile Figure 1: Example wireless profile Important : After saving, continue on to create either a CCM or ACM profile. When prompted, search for and select your new Wireless Profile from the drop-down menu. The selected Wi-Fi Profiles will be shown under Associated Wireless Profiles and can be reordered by dragging them to give priority. Example - Select Wireless Profile Figure 3: RPS bottom of profile Next up \u00b6 Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Profiles also distinguish between activating in: Client Control Mode ( CCM ): This mode offers all manageability features, including but not limited to, power control, audit logs, and hardware info. Redirection features, such as KVM or SOL , require user consent . The managed device will display a 6-digit code that must be entered by the remote admin to access the remote device via redirection. Create a CCM Profile Admin Control Mode ( ACM ): ACM mode supports all manageability features without requiring user consent . This means it is not necessary to have a person on-site to remote in and manage an edge device. In most IoT use cases, edge devices, such as digital signage or kiosks, may not be easily accessible or have available employees nearby. ACM mode proves immensely helpful in these scenarios. Create an ACM Profile","title":"Wireless Activation"},{"location":"Tutorials/createWiFiConfig/#create-a-wifi-config","text":"Select the Wireless tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new WiFi Config Specify a Wireless Profile Name of your choice. Under Authentication Method , select WPA PSK or WPA2 PSK . Provide the PSK Passphrase . This is the password to the WiFi Network. Under Encryption Method , select TKIP or CCMP . Specify the SSID . This is the name of your wireless network. Click Save. Example Wireless Profile Figure 1: Example wireless profile Important : After saving, continue on to create either a CCM or ACM profile. When prompted, search for and select your new Wireless Profile from the drop-down menu. The selected Wi-Fi Profiles will be shown under Associated Wireless Profiles and can be reordered by dragging them to give priority. Example - Select Wireless Profile Figure 3: RPS bottom of profile","title":"Create a WiFi Config"},{"location":"Tutorials/createWiFiConfig/#next-up","text":"Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Profiles also distinguish between activating in: Client Control Mode ( CCM ): This mode offers all manageability features, including but not limited to, power control, audit logs, and hardware info. Redirection features, such as KVM or SOL , require user consent . The managed device will display a 6-digit code that must be entered by the remote admin to access the remote device via redirection. Create a CCM Profile Admin Control Mode ( ACM ): ACM mode supports all manageability features without requiring user consent . This means it is not necessary to have a person on-site to remote in and manage an edge device. In most IoT use cases, edge devices, such as digital signage or kiosks, may not be easily accessible or have available employees nearby. ACM mode proves immensely helpful in these scenarios. Create an ACM Profile","title":"Next up"},{"location":"Tutorials/modifyUserAuth/","text":"As part of the Open AMT Cloud Toolkit reference implementation, MPS and the Kong service issue and authenticate a JSON Web Token (JWT) for user authentication. The default configuration offers authentication functionality, but it does not support many common configuration options, such as user groups. In a production environment, alternative authentication is available in 0Auth 2 , Lightweight Directory Access Protocol (LDAP), Kerberos , and more. The instructions below explain how to add an LDAP plugin to Kong. User Authentication Flow \u00b6 The following diagrams help illustrate the typical user authentication flow. Learn more about the authorize API call in the REST API Call Tutorial or directly in our API Documentation . REST API User Authentication Flow \u00b6 To authenticate for REST APIs: \u00b6 Call the MPS REST API /api/v1/authorize to receive an authentication token from the User Auth Service. Perform other desired API calls (e.g. Power Actions, Hardware Info, etc) using the new auth token from Step 1 . Redirection ( KVM / SOL ) User Authentication Flow \u00b6 To authenticate for Websocket connections: \u00b6 Call the MPS REST API /api/v1/authorize to receive an authentication token from the User Auth Service. Call the MPS REST API /api/v1/authorize/redirection/{guid} using the auth token from Step 1 to receive a short-lived token directly from MPS for redirection sessions. Pass the short-lived token from Step 2 and the device's GUID to the UI Toolkit module implementation to start a redirection ( KVM / SOL ) session. Note - Additional Information When using a 3rd party auth service (e.g. Cognito, LDAP, etc), the token issued by the auth service is used to make calls to the MPS . For non-HTTP calls like redirection, a call must be made to the /api/v1/authorize/redirection/{guid} API to get a separate MPS -specific token required to be passed into the KVM / SOL UI-Toolkit module. API Gateways are only able to verify tokens on HTTP requests. Open AMT's redirection implementation uses WebSockets for KVM and SOL . Therefore, the API Gateway cannot verify tokens passed in over the WebSocket connections. Because of this, MPS must perform the verification of the token and it can only do that with tokens that it issues. Prerequisites \u00b6 Install and start a local LDAP server on the development system. For this tutorial, Go-lang LDAP Authentication* (GLAuth) is referenced. Find more info in the GLAuth Readme. To install, see steps 1 - 3 of the Quickstart section of the GLAuth Readme . We do not need to alter the sample-simple.cfg file. Allow the Terminal or Powershell to remain open to see LDAP activity as you proceed with the tutorial below. Optionally, download curl for testing the authentication with APIs at the end of this tutorial. Edit the kong.yaml File \u00b6 Reconfigure the Kong* API Gateway to use a different user authentication service: Open the kong.yaml file and comment out the plugins and consumer sections of the code by adding a # character at the beginning of each line. This disables the JWT authentication. Paste the new plugins section into the file. Modify the ldap_host to that of your development system or cloud instance. plugins : - name : cors - name : ldap-auth route : mps-route config : hide_credentials : true ldap_host : <Server IP-Address or FQDN> # Replace ldap_port : 3893 start_tls : false ldaps : false base_dn : dc=glauth,dc=com verify_ldap_host : false attribute : cn cache_ttl : 60 header_type : ldap - name : ldap-auth route : rps-route config : hide_credentials : true ldap_host : <Server IP-Address or FQDN> # Replace ldap_port : 3893 start_tls : false ldaps : false base_dn : dc=glauth,dc=com verify_ldap_host : false attribute : cn cache_ttl : 60 header_type : ldap Note The following code was adapted for the toolkit. For the default configuration details, see Enable the plugin on a route , on the tab Declarative YAML , in Kong documentation Restart the Kong Gateway Container \u00b6 Open a Terminal or Powershell/Command Prompt and run the command to list the containers: Linux Windows (Powershell) sudo docker ps docker ps Restart the Kong container: Linux Windows (Powershell) sudo docker restart <container ID> docker restart <container ID> Test the Configuration \u00b6 Authenticate a user to test the configuration by using an API of your choice. You will need to set the Authorization header to ldap base64encode(user:pass) . Test the configuration with curl : In the following examples, we use the base64 encoding of johndoe:TestAppPw1 as our encoded user:pass . This value is am9obmRvZTpUZXN0QXBwUHcx . These credentials are one of the default credentials in the sample-simple.cfg file provided by GLAuth*. Get Devices ( MPS Route) Get Profiles ( RPS Route) Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices \\ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices ^ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" See Devices API Docs for more information and expected responses. Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /rps/api/v1/admin/profiles \\ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" curl --insecure https:// [ IP-Address or FQDN ] /rps/api/v1/admin/profiles ^ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" See Get Profiles API Docs for more information and expected responses. Other APIs to test can be found in the MPS API Documentation and RPS API Documentation .","title":"Modify User Authentication"},{"location":"Tutorials/modifyUserAuth/#user-authentication-flow","text":"The following diagrams help illustrate the typical user authentication flow. Learn more about the authorize API call in the REST API Call Tutorial or directly in our API Documentation .","title":"User Authentication Flow"},{"location":"Tutorials/modifyUserAuth/#rest-api-user-authentication-flow","text":"","title":"REST API User Authentication Flow"},{"location":"Tutorials/modifyUserAuth/#to-authenticate-for-rest-apis","text":"Call the MPS REST API /api/v1/authorize to receive an authentication token from the User Auth Service. Perform other desired API calls (e.g. Power Actions, Hardware Info, etc) using the new auth token from Step 1 .","title":"To authenticate for REST APIs:"},{"location":"Tutorials/modifyUserAuth/#redirection-kvmsol-user-authentication-flow","text":"","title":"Redirection (KVM/SOL) User Authentication Flow"},{"location":"Tutorials/modifyUserAuth/#to-authenticate-for-websocket-connections","text":"Call the MPS REST API /api/v1/authorize to receive an authentication token from the User Auth Service. Call the MPS REST API /api/v1/authorize/redirection/{guid} using the auth token from Step 1 to receive a short-lived token directly from MPS for redirection sessions. Pass the short-lived token from Step 2 and the device's GUID to the UI Toolkit module implementation to start a redirection ( KVM / SOL ) session. Note - Additional Information When using a 3rd party auth service (e.g. Cognito, LDAP, etc), the token issued by the auth service is used to make calls to the MPS . For non-HTTP calls like redirection, a call must be made to the /api/v1/authorize/redirection/{guid} API to get a separate MPS -specific token required to be passed into the KVM / SOL UI-Toolkit module. API Gateways are only able to verify tokens on HTTP requests. Open AMT's redirection implementation uses WebSockets for KVM and SOL . Therefore, the API Gateway cannot verify tokens passed in over the WebSocket connections. Because of this, MPS must perform the verification of the token and it can only do that with tokens that it issues.","title":"To authenticate for Websocket connections:"},{"location":"Tutorials/modifyUserAuth/#prerequisites","text":"Install and start a local LDAP server on the development system. For this tutorial, Go-lang LDAP Authentication* (GLAuth) is referenced. Find more info in the GLAuth Readme. To install, see steps 1 - 3 of the Quickstart section of the GLAuth Readme . We do not need to alter the sample-simple.cfg file. Allow the Terminal or Powershell to remain open to see LDAP activity as you proceed with the tutorial below. Optionally, download curl for testing the authentication with APIs at the end of this tutorial.","title":"Prerequisites"},{"location":"Tutorials/modifyUserAuth/#edit-the-kongyaml-file","text":"Reconfigure the Kong* API Gateway to use a different user authentication service: Open the kong.yaml file and comment out the plugins and consumer sections of the code by adding a # character at the beginning of each line. This disables the JWT authentication. Paste the new plugins section into the file. Modify the ldap_host to that of your development system or cloud instance. plugins : - name : cors - name : ldap-auth route : mps-route config : hide_credentials : true ldap_host : <Server IP-Address or FQDN> # Replace ldap_port : 3893 start_tls : false ldaps : false base_dn : dc=glauth,dc=com verify_ldap_host : false attribute : cn cache_ttl : 60 header_type : ldap - name : ldap-auth route : rps-route config : hide_credentials : true ldap_host : <Server IP-Address or FQDN> # Replace ldap_port : 3893 start_tls : false ldaps : false base_dn : dc=glauth,dc=com verify_ldap_host : false attribute : cn cache_ttl : 60 header_type : ldap Note The following code was adapted for the toolkit. For the default configuration details, see Enable the plugin on a route , on the tab Declarative YAML , in Kong documentation","title":"Edit the kong.yaml File"},{"location":"Tutorials/modifyUserAuth/#restart-the-kong-gateway-container","text":"Open a Terminal or Powershell/Command Prompt and run the command to list the containers: Linux Windows (Powershell) sudo docker ps docker ps Restart the Kong container: Linux Windows (Powershell) sudo docker restart <container ID> docker restart <container ID>","title":"Restart the Kong Gateway Container"},{"location":"Tutorials/modifyUserAuth/#test-the-configuration","text":"Authenticate a user to test the configuration by using an API of your choice. You will need to set the Authorization header to ldap base64encode(user:pass) . Test the configuration with curl : In the following examples, we use the base64 encoding of johndoe:TestAppPw1 as our encoded user:pass . This value is am9obmRvZTpUZXN0QXBwUHcx . These credentials are one of the default credentials in the sample-simple.cfg file provided by GLAuth*. Get Devices ( MPS Route) Get Profiles ( RPS Route) Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices \\ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices ^ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" See Devices API Docs for more information and expected responses. Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /rps/api/v1/admin/profiles \\ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" curl --insecure https:// [ IP-Address or FQDN ] /rps/api/v1/admin/profiles ^ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" See Get Profiles API Docs for more information and expected responses. Other APIs to test can be found in the MPS API Documentation and RPS API Documentation .","title":"Test the Configuration"},{"location":"Tutorials/uitoolkitReact/","text":"Add MPS UI Toolkit Controls to a WebUI \u00b6 The UI Toolkit allows developers to add manageability features to a console with prebuilt React components. The code snippets simplify the task of adding complex manageability UI controls, such as the Keyboard, Video, Mouse ( KVM ). A sample web application, based on React.js, is provided for test and development. The tutorial outlines how to add various controls to the sample React web application provided. Developers can use the sample code below as a springboard for developing their own consoles. What You'll Need \u00b6 Hardware \u00b6 Configure a network that includes: A development system running Windows\u00ae 10 or Ubuntu* 18.04 or newer At least one Intel vPro\u00ae Platform to manage Software \u00b6 MPS , the Management Presence Server RPS , the Remote Provisioning Server Intel\u00ae vPro device, configured and connected to MPS Note For instructions to setup the MPS and RPS servers to connect a managed device, see the Get Started Guide The development system requires the following software: git Visual Studio Code or any other IDE Node.js What You'll Do \u00b6 Follow the steps in these sections sequentially: Create a new React app Add UI controls to the React app Figure 1: UI toolkit Create a New React App \u00b6 The React app can be created in any preferred development directory. The MPS can continue to run while creating and running the app. In a Terminal or Command Prompt, go to your preferred development directory. Run the following commands to create sample React app named my-app . npx create-react-app my-app Change to the my-app directory: cd my-app Add UI Toolkit \u00b6 Run the following command to add the UI Toolkit and install the required dependencies: npm install @open-amt-cloud-toolkit/ui-toolkit-react@3.0.2 Run the following commands to start the web UI locally: npm start By default, React apps run on port 3000 . If port 3000 is already used by the MPS server or any other application, you'll be prompted to use another port. If this happens, enter 'Y'. Success Figure 2: React reports successful deployment Note - Using Chromium Browser and Refreshing By default, React launches in your machine's default browser. However for best experience, navigate to the page using a Chromium based web browser. When you make changes, you do not need to stop the application and restart. It will update and refresh automatically as you make code changes. Add a Sample Control \u00b6 The following sections outline how to add controls. Refresh the web browser after adding a control if it does not update automatically after a few seconds. Add Keyboard, Video, Mouse ( KVM ) Redirection \u00b6 The code snippet below adds KVM control to the React application. Open ./my-app/src/App.js in a text editor or IDE of choice, such as Visual Studio Code or Notepad. Delete the existing code and replace it with the code snippet below. Change the following values: Field Value deviceId Replace the example deviceId value with the GUID of the Intel\u00ae AMT device. See How to Find GUIDs in Intel\u00ae AMT . mpsServer Replace the localhost with the IP Address or FQDN of your MPS Server. When using Kong , /mps/ws/relay must be appended to the IP or FQDN. authToken Provide valid JWT. Redirection requires a redirection-specific authentication token. See the /authorize/redirection/{guid} GET API in the Auth section. For a general example on how to make an API call and how to get a auth token from /authorize to pass to /authorize/redirection/{guid} , see Generating a JWT by using an Authorize API call . import React from \"react\" ; import \"./App.css\" ; import { KVM } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/kvm.bundle\" ; function App () { return ( < div className = \"App\" > < KVM deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws/relay\" //Replace 'localhost' with MPS Server IP Address or FQDN mouseDebounceTime = \"200\" authToken = \"\" // Replace with a valid JWT token from 'Authorize Redirection' GET API Method canvasHeight = \"100%\" canvasWidth = \"100%\" >< /KVM> < /div> ); } export default App ; Save and close the file. If the React app hasn't updated automatically, refresh the page. You are now able to remotely control your Intel\u00ae AMT device using Keyboard, Video, Mouse control. Success Figure 3: Successful KVM Connection You will see the errors in the following scenarios: If your browser is IE/Edge, there might be compatibility issues. Compilation errors if the ui-toolkit was not downloaded and installed to your react app. MPS / RPS server not running, appropriate controls will fail to work. MPS server running and device not connected. Incorrect or invalid JWT for authToken, see instructions on Generating a JWT by using an Authorize API call . Example authToken Format from API Call { \"token\" : \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5RW1SSlRiSWlJYjRiSWVTc21nY1dJanJSNkh5RVRxYyIsImV4cCI6MTYyMDE2OTg2NH0.GUib9sq0RWRLqJ7JpNNlj2AluuROLICCfdZaQzyWy90\" } Next Steps \u00b6 Try Other Controls \u00b6 Try out other React controls such as Serial Over LAN . Customize and Create Bundles \u00b6 Try out creating and customizing React bundles for things such as Serial Over LAN or KVM here . License Note \u00b6 If you are distributing the FortAwesome Icons, please provide attribution to the source per the CC-by 4.0 license obligations.","title":"UI Toolkit KVM Module"},{"location":"Tutorials/uitoolkitReact/#add-mps-ui-toolkit-controls-to-a-webui","text":"The UI Toolkit allows developers to add manageability features to a console with prebuilt React components. The code snippets simplify the task of adding complex manageability UI controls, such as the Keyboard, Video, Mouse ( KVM ). A sample web application, based on React.js, is provided for test and development. The tutorial outlines how to add various controls to the sample React web application provided. Developers can use the sample code below as a springboard for developing their own consoles.","title":"Add MPS UI Toolkit Controls to a WebUI"},{"location":"Tutorials/uitoolkitReact/#what-youll-need","text":"","title":"What You'll Need"},{"location":"Tutorials/uitoolkitReact/#hardware","text":"Configure a network that includes: A development system running Windows\u00ae 10 or Ubuntu* 18.04 or newer At least one Intel vPro\u00ae Platform to manage","title":"Hardware"},{"location":"Tutorials/uitoolkitReact/#software","text":"MPS , the Management Presence Server RPS , the Remote Provisioning Server Intel\u00ae vPro device, configured and connected to MPS Note For instructions to setup the MPS and RPS servers to connect a managed device, see the Get Started Guide The development system requires the following software: git Visual Studio Code or any other IDE Node.js","title":"Software"},{"location":"Tutorials/uitoolkitReact/#what-youll-do","text":"Follow the steps in these sections sequentially: Create a new React app Add UI controls to the React app Figure 1: UI toolkit","title":"What You'll Do"},{"location":"Tutorials/uitoolkitReact/#create-a-new-react-app","text":"The React app can be created in any preferred development directory. The MPS can continue to run while creating and running the app. In a Terminal or Command Prompt, go to your preferred development directory. Run the following commands to create sample React app named my-app . npx create-react-app my-app Change to the my-app directory: cd my-app","title":"Create a New React App"},{"location":"Tutorials/uitoolkitReact/#add-ui-toolkit","text":"Run the following command to add the UI Toolkit and install the required dependencies: npm install @open-amt-cloud-toolkit/ui-toolkit-react@3.0.2 Run the following commands to start the web UI locally: npm start By default, React apps run on port 3000 . If port 3000 is already used by the MPS server or any other application, you'll be prompted to use another port. If this happens, enter 'Y'. Success Figure 2: React reports successful deployment Note - Using Chromium Browser and Refreshing By default, React launches in your machine's default browser. However for best experience, navigate to the page using a Chromium based web browser. When you make changes, you do not need to stop the application and restart. It will update and refresh automatically as you make code changes.","title":"Add UI Toolkit"},{"location":"Tutorials/uitoolkitReact/#add-a-sample-control","text":"The following sections outline how to add controls. Refresh the web browser after adding a control if it does not update automatically after a few seconds.","title":"Add a Sample Control"},{"location":"Tutorials/uitoolkitReact/#add-keyboard-video-mouse-kvm-redirection","text":"The code snippet below adds KVM control to the React application. Open ./my-app/src/App.js in a text editor or IDE of choice, such as Visual Studio Code or Notepad. Delete the existing code and replace it with the code snippet below. Change the following values: Field Value deviceId Replace the example deviceId value with the GUID of the Intel\u00ae AMT device. See How to Find GUIDs in Intel\u00ae AMT . mpsServer Replace the localhost with the IP Address or FQDN of your MPS Server. When using Kong , /mps/ws/relay must be appended to the IP or FQDN. authToken Provide valid JWT. Redirection requires a redirection-specific authentication token. See the /authorize/redirection/{guid} GET API in the Auth section. For a general example on how to make an API call and how to get a auth token from /authorize to pass to /authorize/redirection/{guid} , see Generating a JWT by using an Authorize API call . import React from \"react\" ; import \"./App.css\" ; import { KVM } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/kvm.bundle\" ; function App () { return ( < div className = \"App\" > < KVM deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws/relay\" //Replace 'localhost' with MPS Server IP Address or FQDN mouseDebounceTime = \"200\" authToken = \"\" // Replace with a valid JWT token from 'Authorize Redirection' GET API Method canvasHeight = \"100%\" canvasWidth = \"100%\" >< /KVM> < /div> ); } export default App ; Save and close the file. If the React app hasn't updated automatically, refresh the page. You are now able to remotely control your Intel\u00ae AMT device using Keyboard, Video, Mouse control. Success Figure 3: Successful KVM Connection You will see the errors in the following scenarios: If your browser is IE/Edge, there might be compatibility issues. Compilation errors if the ui-toolkit was not downloaded and installed to your react app. MPS / RPS server not running, appropriate controls will fail to work. MPS server running and device not connected. Incorrect or invalid JWT for authToken, see instructions on Generating a JWT by using an Authorize API call . Example authToken Format from API Call { \"token\" : \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5RW1SSlRiSWlJYjRiSWVTc21nY1dJanJSNkh5RVRxYyIsImV4cCI6MTYyMDE2OTg2NH0.GUib9sq0RWRLqJ7JpNNlj2AluuROLICCfdZaQzyWy90\" }","title":"Add Keyboard, Video, Mouse (KVM) Redirection"},{"location":"Tutorials/uitoolkitReact/#next-steps","text":"","title":"Next Steps"},{"location":"Tutorials/uitoolkitReact/#try-other-controls","text":"Try out other React controls such as Serial Over LAN .","title":"Try Other Controls"},{"location":"Tutorials/uitoolkitReact/#customize-and-create-bundles","text":"Try out creating and customizing React bundles for things such as Serial Over LAN or KVM here .","title":"Customize and Create Bundles"},{"location":"Tutorials/uitoolkitReact/#license-note","text":"If you are distributing the FortAwesome Icons, please provide attribution to the source per the CC-by 4.0 license obligations.","title":"License Note"},{"location":"Tutorials/Scaling/docker-swarm/","text":"This sample deployment demonstrates the use of Docker* in swarm mode. The following conditions apply: All images are built and tested with docker compose . To learn more about building the images with docker compose , refer to Express Setup . Push images to the registry to make them available for deployment on other systems. Run the commands below from the open-amt-cloud-toolkit install directory. Important Not for production use. Get the Toolkit \u00b6 Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone --recursive https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Change to the cloned open-amt-cloud-toolkit directory. cd open-amt-cloud-toolkit Deploy the stack to the swarm \u00b6 Important - For Linux Before running the following commands on Linux, confirm that the user has been added to the docker group. For instructions, refer to Add docker group . Otherwise, prefix each command with sudo . Initialize a swarm. docker swarm init Copy docker compose config to temporary swarm.yml file. docker compose -f .\\docker-compose.yml config > swarm.yml Set the network driver to overlay in the swarm.yml file. Linux Windows sed -i \"s|driver: bridge|driver: overlay|g\" swarm.yml ( Get-Content -Path './swarm.yml' ) -replace 'driver: bridge' , 'driver: overlay' | Set-Content -Path './swarm.yml' Important Open the swarm.yml file to check that driver: bridge was replaced with driver: overlay . If the result is incorrect or corrupted, delete the swarm.yml file, rerun Step 2, and manually replace the string. If you've run docker compose previously, as in the instructions in Express Setup , run docker compose down to stop the open-amt-cloud-toolkit services: docker compose down -v Create the stack. docker stack deploy -c swarm.yml scalingdemo Check all of the services are running. docker stack services scalingdemo Success The table below is an example of a services list: ID NAME MODE REPLICAS IMAGE PORTS 6dye78yg66zp scalingdemo_db replicated 1/1 postgres:latest *:5432->5432/tcp nahbub6fxrvu scalingdemo_kong replicated 1/1 kong:2.3 :443->8443/tcp, :8001->8001/tcp nltp54asb8kz scalingdemo_mps replicated 1/1 mps:latest *:4433->4433/tcp uc9jsf5554cv scalingdemo_mpsrouter replicated 1/1 mpsrouter:latest ojtcs8qjxct3 scalingdemo_rps replicated 1/1 rps:latest wbk4of70do63 scalingdemo_vault replicated 1/1 vault:latest *:8200->8200/tcp pc143h8ml4ua scalingdemo_webui replicated 1/1 webui:latest Scale the mps service. docker service scale scalingdemo_mps=2 Success The table below is an example of a services list after scaling the mps: ID NAME MODE REPLICAS IMAGE PORTS 6dye78yg66zp scalingdemo_db replicated 1/1 postgres:latest *:5432->5432/tcp nahbub6fxrvu scalingdemo_kong replicated 1/1 kong:2.3 :443->8443/tcp, :8001->8001/tcp nltp54asb8kz scalingdemo_mps replicated 2/2 mps:latest *:4433->4433/tcp uc9jsf5554cv scalingdemo_mpsrouter replicated 1/1 mpsrouter:latest ojtcs8qjxct3 scalingdemo_rps replicated 1/1 rps:latest wbk4of70do63 scalingdemo_vault replicated 1/1 vault:latest *:8200->8200/tcp pc143h8ml4ua scalingdemo_webui replicated 1/1 webui:latest Remove the stack: docker stack rm scalingdemo","title":"Docker Swarm*"},{"location":"Tutorials/Scaling/docker-swarm/#get-the-toolkit","text":"Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone --recursive https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Change to the cloned open-amt-cloud-toolkit directory. cd open-amt-cloud-toolkit","title":"Get the Toolkit"},{"location":"Tutorials/Scaling/docker-swarm/#deploy-the-stack-to-the-swarm","text":"Important - For Linux Before running the following commands on Linux, confirm that the user has been added to the docker group. For instructions, refer to Add docker group . Otherwise, prefix each command with sudo . Initialize a swarm. docker swarm init Copy docker compose config to temporary swarm.yml file. docker compose -f .\\docker-compose.yml config > swarm.yml Set the network driver to overlay in the swarm.yml file. Linux Windows sed -i \"s|driver: bridge|driver: overlay|g\" swarm.yml ( Get-Content -Path './swarm.yml' ) -replace 'driver: bridge' , 'driver: overlay' | Set-Content -Path './swarm.yml' Important Open the swarm.yml file to check that driver: bridge was replaced with driver: overlay . If the result is incorrect or corrupted, delete the swarm.yml file, rerun Step 2, and manually replace the string. If you've run docker compose previously, as in the instructions in Express Setup , run docker compose down to stop the open-amt-cloud-toolkit services: docker compose down -v Create the stack. docker stack deploy -c swarm.yml scalingdemo Check all of the services are running. docker stack services scalingdemo Success The table below is an example of a services list: ID NAME MODE REPLICAS IMAGE PORTS 6dye78yg66zp scalingdemo_db replicated 1/1 postgres:latest *:5432->5432/tcp nahbub6fxrvu scalingdemo_kong replicated 1/1 kong:2.3 :443->8443/tcp, :8001->8001/tcp nltp54asb8kz scalingdemo_mps replicated 1/1 mps:latest *:4433->4433/tcp uc9jsf5554cv scalingdemo_mpsrouter replicated 1/1 mpsrouter:latest ojtcs8qjxct3 scalingdemo_rps replicated 1/1 rps:latest wbk4of70do63 scalingdemo_vault replicated 1/1 vault:latest *:8200->8200/tcp pc143h8ml4ua scalingdemo_webui replicated 1/1 webui:latest Scale the mps service. docker service scale scalingdemo_mps=2 Success The table below is an example of a services list after scaling the mps: ID NAME MODE REPLICAS IMAGE PORTS 6dye78yg66zp scalingdemo_db replicated 1/1 postgres:latest *:5432->5432/tcp nahbub6fxrvu scalingdemo_kong replicated 1/1 kong:2.3 :443->8443/tcp, :8001->8001/tcp nltp54asb8kz scalingdemo_mps replicated 2/2 mps:latest *:4433->4433/tcp uc9jsf5554cv scalingdemo_mpsrouter replicated 1/1 mpsrouter:latest ojtcs8qjxct3 scalingdemo_rps replicated 1/1 rps:latest wbk4of70do63 scalingdemo_vault replicated 1/1 vault:latest *:8200->8200/tcp pc143h8ml4ua scalingdemo_webui replicated 1/1 webui:latest Remove the stack: docker stack rm scalingdemo","title":"Deploy the stack to the swarm"},{"location":"Tutorials/Scaling/overview/","text":"Scaling Overview \u00b6 Scaling functionality in MPS enables Open AMT Cloud Toolkit to support a greater number of managed devices. The toolkit offers various methods for deploying scaling, including Local Kubernetes, Azure Kubernetes Service ( AKS ), Amazon Elasic Kubernetes Service (EKS), and Docker Swarm*. In addition, administrators can use kubectl to manage the AKS . Figure 1: High-level architecture of scaling implementation Figure 1 illustrates the basic high-level software flow: Managed devices use CIRA to connect and call home to instances of the MPS in the cloud. RPCs connect to an available instance of the MPS Server with WSS calls. These calls are funneled through Kong* API Gateway, which supports a variety of APIs. Kong manages load balancing, logging, authentication and more. The Kong* API Gateway handles requests from client apps, such as the Sample Web UI included in Open AMT Cloud Toolkit , sending them along to an available RPS . The MPS Router chooses an available instance of the MPS . The RPS microservices communicate with MPS microservices through the REST API. Vault is a tool used to secure, store, and tightly control access to secrets. Storing passwords used by MPS in Vault will increase the security of these assets. Docker in Swarm Mode \u00b6 If you're new to scaling, Docker in swarm mode is a great way to start developing a scaling proof of concept. Docker in swarm mode is a container orchestration tool, software used to deploy and manage large numbers of containers and services. In this mode, Docker enables the administrator to deploy and manage Docker nodes or worker nodes that are added to a Docker swarm instance. Administrator can then deploy a service to the swarm instance and expose ports to an external load balancer. Information To learn more about Docker in swarm mode, start with Swarm mode overview . Get Started with Docker Swarm Kubernetes (K8s) \u00b6 Warning The K8s deployment section is not a tutorial for beginners. It is intended for those who have prior knowledge of the service. To begin learning about K8s, start with Kubernetes , Azure Kubernetes Service , or Amazon Elastic Kubernetes Service . Local Kubernetes \u00b6 K8s is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. The instructions use kubectl, a command line tool for managing Kubernetes clusters. Get Started with K8s Azure Kubernetes Service ( AKS ) \u00b6 AKS is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. Get Started with AKS Amazon Elastic Kubernetes Service (EKS) \u00b6 EKS is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. Get Started with EKS","title":"Overview"},{"location":"Tutorials/Scaling/overview/#scaling-overview","text":"Scaling functionality in MPS enables Open AMT Cloud Toolkit to support a greater number of managed devices. The toolkit offers various methods for deploying scaling, including Local Kubernetes, Azure Kubernetes Service ( AKS ), Amazon Elasic Kubernetes Service (EKS), and Docker Swarm*. In addition, administrators can use kubectl to manage the AKS . Figure 1: High-level architecture of scaling implementation Figure 1 illustrates the basic high-level software flow: Managed devices use CIRA to connect and call home to instances of the MPS in the cloud. RPCs connect to an available instance of the MPS Server with WSS calls. These calls are funneled through Kong* API Gateway, which supports a variety of APIs. Kong manages load balancing, logging, authentication and more. The Kong* API Gateway handles requests from client apps, such as the Sample Web UI included in Open AMT Cloud Toolkit , sending them along to an available RPS . The MPS Router chooses an available instance of the MPS . The RPS microservices communicate with MPS microservices through the REST API. Vault is a tool used to secure, store, and tightly control access to secrets. Storing passwords used by MPS in Vault will increase the security of these assets.","title":"Scaling Overview"},{"location":"Tutorials/Scaling/overview/#docker-in-swarm-mode","text":"If you're new to scaling, Docker in swarm mode is a great way to start developing a scaling proof of concept. Docker in swarm mode is a container orchestration tool, software used to deploy and manage large numbers of containers and services. In this mode, Docker enables the administrator to deploy and manage Docker nodes or worker nodes that are added to a Docker swarm instance. Administrator can then deploy a service to the swarm instance and expose ports to an external load balancer. Information To learn more about Docker in swarm mode, start with Swarm mode overview . Get Started with Docker Swarm","title":"Docker in Swarm Mode"},{"location":"Tutorials/Scaling/overview/#kubernetes-k8s","text":"Warning The K8s deployment section is not a tutorial for beginners. It is intended for those who have prior knowledge of the service. To begin learning about K8s, start with Kubernetes , Azure Kubernetes Service , or Amazon Elastic Kubernetes Service .","title":"Kubernetes (K8s)"},{"location":"Tutorials/Scaling/overview/#local-kubernetes","text":"K8s is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. The instructions use kubectl, a command line tool for managing Kubernetes clusters. Get Started with K8s","title":"Local Kubernetes"},{"location":"Tutorials/Scaling/overview/#azure-kubernetes-service-aks","text":"AKS is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. Get Started with AKS","title":"Azure Kubernetes Service (AKS)"},{"location":"Tutorials/Scaling/overview/#amazon-elastic-kubernetes-service-eks","text":"EKS is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. Get Started with EKS","title":"Amazon Elastic Kubernetes Service (EKS)"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/","text":"Azure Kubernetes Service ( AKS ) \u00b6 This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a Kubernetes cluster using AKS . Alternatively, you can also perform a simpler, test deployment using a single-node cluster locally. See Kubernetes (K8s) . Azure Kubernetes Service ( AKS ) offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance. Learn more about AKS here . Prerequisites \u00b6 kubectl Azure CLI (v2.24.0+) Helm CLI (v3.5+) PSQL CLI (11.13) Get the Toolkit \u00b6 Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Create SSH Key \u00b6 This key is required by Azure to create VMs that use SSH keys for authentication. For more details, see Detailed steps: Create and manage SSH keys . Create a new ssh key. ssh-keygen -m PEM -t rsa -b 4096 Take note of the location it was saved at. You will need the public key ( .pub file) in a following step. Deploy AKS \u00b6 Login to Azure. az login Provide a name and region to create a new resource group. az group create --name <your-resource-group-name> --location <region> Provide the name of your new resource group from the last step and start a deployment at that resource group based on aks.json in the ./open-amt-cloud-toolkit directory. az deployment group create --resource-group <your-resource-group-name> --template-file aks.json After running the previous command, you will be prompted for 3 different strings. After the final prompt, it will take about 5 minutes to finish running. Provide a name for the AKS Cluster. Provide a name (e.g. your name) for the linux user admin name. Provide the string of the ssh key from the .pub file. Take note of the fqdnSuffix in the outputs section of the JSON response (e.g. eastus.cloudapp.azure.com ) \"outputs\" : { \"controlPlaneFQDN\" : { \"type\" : \"String\" , \"value\" : \"bwcluster-9c68035a.hcp.westus.azmk8s.io\" }, \"fqdnSuffix\" : { \"type\" : \"String\" , \"value\" : \"eastus.cloudapp.azure.com\" } }, Connect to AKS Instance \u00b6 Ensure your kubectl is connected to the Kubernetes cluster you wish to deploy/manage. Provide your resource group name and cluster name, respectively. az aks get-credentials --resource-group <your-resource-group-name> --name <your-cluster-name> Create Secrets \u00b6 1. MPS /KONG JWT \u00b6 This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret. 2. KONG ACL for JWT \u00b6 This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin 3. MPS Web Username and Password \u00b6 This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character 4. Database connection strings \u00b6 Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the full username for the Postgres database (Ex: <postgres-username>@<your-cluster-name>-sql ). <PASSWORD> is the password for the Postgres database. <SERVERURL> is the url for the Azure-hosted Postgres database (Ex: <your-cluster-name>-sql.postgres.database.azure.com ). Create RPS connection string secret. kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=require Create MPS Router connection string secret. kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Create MPS connection string secret. kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Update Configuration \u00b6 Edit values.yaml \u00b6 Open the values.yaml file in ./open-amt-cloud-toolkit/kubernetes/charts/ . Update the service.beta.kubernetes.io/azure-dns-label-name key in the kong section with a desired subdomain name for the URL that you would like for your cluster (i.e. myopenamtk8s). kong : proxy : annotations : service.beta.kubernetes.io/azure-dns-label-name : \"<your-subdomain-name>\" Update the commonName key to your FQDN in the mps section. For AKS , the format is <your-subdomain-name>.<location>.cloudapp.azure.com . This is the fqdnSuffix provided in the outputs section when you Deploy AKS . mps : commonName : \"<your-subdomain-name>.<location>.cloudapp.azure.com\" replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Save and close the file. Create Databases and Schema \u00b6 Enable Access to Database \u00b6 Navigate to Home > Resource Groups > Resource Group Name using Microsoft Azure via online. Select the Postgres DB. It will have a Type of Azure Database for PostgreSQL Server . Under Settings in the left-hand menu, select Connection Security . Under Firewall rules, select Add current client IP address . Select Save. Under the Overview tab, take note of the 'Server name' and 'Admin username'. They will be needed in the next steps. Note Remember to delete this firewall rule when finished. Create Databases \u00b6 Use the database schema files to initialize the hosted Postgres DB in the following steps. Where: <SERVERURL> is the location of the Postgres database (Ex: <your-cluster-name>-sql.postgres.database.azure.com ). <USERNAME> is the admin username for the Postgres database (Ex: <postgres-username>@<your-cluster-name>-sql ). Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb' database. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./data/initMPS.sql Deploy Open AMT Cloud Toolkit using Helm \u00b6 Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Thu Jul 15 11:17:38 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None View the pods. You might notice mps , rps , and openamtstack-vault-0 are not ready. This will change after we initialize and unseal Vault. All others should be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 0/1 CreateContainerConfigError 0 2m6s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 2m6s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 2m6s openamtstack-vault-0 0/1 Running 0 2m6s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 2m6s rps-79877bf5c5-dsg5p 0/1 CreateContainerConfigError 0 2m6s webui-6cc48f4d68-6r8b5 1/1 Running 0 2m6s Initialize and Unseal Vault \u00b6 Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Tip - Finding the Vault UI External IP Address The external IP of your Vault UI service can be found by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down. Click Enable Engine . Vault Token Secret \u00b6 Add the root token as a secret to the AKS cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 1/1 Running 0 4m5s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 4m5s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 4m5s openamtstack-vault-0 1/1 Running 0 4m5s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 4m5s rps-79877bf5c5-dsg5p 1/1 Running 0 4m5s webui-6cc48f4d68-6r8b5 1/1 Running 0 4m5s Next Steps \u00b6 Visit the Sample Web UI using the FQDN name and Continue from the Get Started steps","title":"AKS"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#azure-kubernetes-service-aks","text":"This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a Kubernetes cluster using AKS . Alternatively, you can also perform a simpler, test deployment using a single-node cluster locally. See Kubernetes (K8s) . Azure Kubernetes Service ( AKS ) offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance. Learn more about AKS here .","title":"Azure Kubernetes Service (AKS)"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#prerequisites","text":"kubectl Azure CLI (v2.24.0+) Helm CLI (v3.5+) PSQL CLI (11.13)","title":"Prerequisites"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#get-the-toolkit","text":"Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0","title":"Get the Toolkit"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#create-ssh-key","text":"This key is required by Azure to create VMs that use SSH keys for authentication. For more details, see Detailed steps: Create and manage SSH keys . Create a new ssh key. ssh-keygen -m PEM -t rsa -b 4096 Take note of the location it was saved at. You will need the public key ( .pub file) in a following step.","title":"Create SSH Key"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#deploy-aks","text":"Login to Azure. az login Provide a name and region to create a new resource group. az group create --name <your-resource-group-name> --location <region> Provide the name of your new resource group from the last step and start a deployment at that resource group based on aks.json in the ./open-amt-cloud-toolkit directory. az deployment group create --resource-group <your-resource-group-name> --template-file aks.json After running the previous command, you will be prompted for 3 different strings. After the final prompt, it will take about 5 minutes to finish running. Provide a name for the AKS Cluster. Provide a name (e.g. your name) for the linux user admin name. Provide the string of the ssh key from the .pub file. Take note of the fqdnSuffix in the outputs section of the JSON response (e.g. eastus.cloudapp.azure.com ) \"outputs\" : { \"controlPlaneFQDN\" : { \"type\" : \"String\" , \"value\" : \"bwcluster-9c68035a.hcp.westus.azmk8s.io\" }, \"fqdnSuffix\" : { \"type\" : \"String\" , \"value\" : \"eastus.cloudapp.azure.com\" } },","title":"Deploy AKS"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#connect-to-aks-instance","text":"Ensure your kubectl is connected to the Kubernetes cluster you wish to deploy/manage. Provide your resource group name and cluster name, respectively. az aks get-credentials --resource-group <your-resource-group-name> --name <your-cluster-name>","title":"Connect to AKS Instance"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#create-secrets","text":"","title":"Create Secrets"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#1-mpskong-jwt","text":"This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret.","title":"1. MPS/KONG JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#2-kong-acl-for-jwt","text":"This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin","title":"2. KONG ACL for JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#3-mps-web-username-and-password","text":"This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character","title":"3. MPS Web Username and Password"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#4-database-connection-strings","text":"Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the full username for the Postgres database (Ex: <postgres-username>@<your-cluster-name>-sql ). <PASSWORD> is the password for the Postgres database. <SERVERURL> is the url for the Azure-hosted Postgres database (Ex: <your-cluster-name>-sql.postgres.database.azure.com ). Create RPS connection string secret. kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=require Create MPS Router connection string secret. kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Create MPS connection string secret. kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require","title":"4. Database connection strings"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#update-configuration","text":"","title":"Update Configuration"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#edit-valuesyaml","text":"Open the values.yaml file in ./open-amt-cloud-toolkit/kubernetes/charts/ . Update the service.beta.kubernetes.io/azure-dns-label-name key in the kong section with a desired subdomain name for the URL that you would like for your cluster (i.e. myopenamtk8s). kong : proxy : annotations : service.beta.kubernetes.io/azure-dns-label-name : \"<your-subdomain-name>\" Update the commonName key to your FQDN in the mps section. For AKS , the format is <your-subdomain-name>.<location>.cloudapp.azure.com . This is the fqdnSuffix provided in the outputs section when you Deploy AKS . mps : commonName : \"<your-subdomain-name>.<location>.cloudapp.azure.com\" replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Save and close the file.","title":"Edit values.yaml"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#create-databases-and-schema","text":"","title":"Create Databases and Schema"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#enable-access-to-database","text":"Navigate to Home > Resource Groups > Resource Group Name using Microsoft Azure via online. Select the Postgres DB. It will have a Type of Azure Database for PostgreSQL Server . Under Settings in the left-hand menu, select Connection Security . Under Firewall rules, select Add current client IP address . Select Save. Under the Overview tab, take note of the 'Server name' and 'Admin username'. They will be needed in the next steps. Note Remember to delete this firewall rule when finished.","title":"Enable Access to Database"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#create-databases","text":"Use the database schema files to initialize the hosted Postgres DB in the following steps. Where: <SERVERURL> is the location of the Postgres database (Ex: <your-cluster-name>-sql.postgres.database.azure.com ). <USERNAME> is the admin username for the Postgres database (Ex: <postgres-username>@<your-cluster-name>-sql ). Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb' database. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./data/initMPS.sql","title":"Create Databases"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#deploy-open-amt-cloud-toolkit-using-helm","text":"Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Thu Jul 15 11:17:38 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None View the pods. You might notice mps , rps , and openamtstack-vault-0 are not ready. This will change after we initialize and unseal Vault. All others should be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 0/1 CreateContainerConfigError 0 2m6s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 2m6s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 2m6s openamtstack-vault-0 0/1 Running 0 2m6s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 2m6s rps-79877bf5c5-dsg5p 0/1 CreateContainerConfigError 0 2m6s webui-6cc48f4d68-6r8b5 1/1 Running 0 2m6s","title":"Deploy Open AMT Cloud Toolkit using Helm"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#initialize-and-unseal-vault","text":"Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Tip - Finding the Vault UI External IP Address The external IP of your Vault UI service can be found by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down. Click Enable Engine .","title":"Initialize and Unseal Vault"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#vault-token-secret","text":"Add the root token as a secret to the AKS cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 1/1 Running 0 4m5s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 4m5s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 4m5s openamtstack-vault-0 1/1 Running 0 4m5s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 4m5s rps-79877bf5c5-dsg5p 1/1 Running 0 4m5s webui-6cc48f4d68-6r8b5 1/1 Running 0 4m5s","title":"Vault Token Secret"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#next-steps","text":"Visit the Sample Web UI using the FQDN name and Continue from the Get Started steps","title":"Next Steps"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/","text":"Amazon Elastic Kubernetes Service (EKS) \u00b6 This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a Kubernetes cluster using EKS. To perform a simpler test deployment, use a single-mode cluster locally. See Kubernetes (K8s) . Amazon EKS offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance. Learn more about EKS here . Prerequisites \u00b6 kubectl AWS CLI eksctl CLI Helm CLI (v3.5+) PSQL CLI (11.13) Get the Toolkit \u00b6 Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Create a New EKS Cluster \u00b6 Follow steps for aws configure to finish configuration of AWS CLI. Follow steps to Create a key pair using Amazon EC2 to create a SSH key for accessing the cluster. Create a new EKS cluster and supporting components. eksctl create cluster --name <cluster-name> --region <region> --with-oidc --ssh-access --ssh-public-key <ssh-keypair-name> --managed Where: <cluster-name> is the name of the new EKS cluster. <region> is the AWS region to deploy the stack (Ex: us-west-2 ). <ssh-keypair-name> is the name of the SSH key from the previous step. Configure EKS Instance \u00b6 Ensure your kubectl is connected to the correct EKS cluster to manage. Provide your region and cluster name. aws eks update-kubeconfig --region <region> --name <cluster-name> Where: <cluster-name> is the name of your EKS cluster. <region> is the AWS region where the cluster is (Ex: us-west-2 ). Update Access Permissions \u00b6 In order to be able to see cluster details like resources, networking, and more with the Amazon EKS console, we must configure permissions in the ConfigMap . More information can be found at How do I resolve the \"Your current user or role does not have access to Kubernetes objects on this EKS cluster\" error in Amazon EKS? Get the configuration of your AWS CLI user or role. aws sts get-caller-identity Edit aws-auth ConfigMap in a text editor. kubectl edit configmap aws-auth -n kube-system Add the IAM user OR IAM role to the ConfigMap. To allow superuser access for performing any action on any resource, add system:masters instead of system:bootstrappers and system:nodes . Add a Role Add a User # Add under existing mapRoles section # Replace [ROLE-NAME] with your IAM Role mapRoles: | - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/[ROLE-NAME] username: [ROLE-NAME] groups: - system:bootstrappers - system:nodes # Alternatively, you can create permissions for a single User rather than a Role # Create a new mapUsers section # Replace [USER-NAME] with your IAM User mapUsers: | - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/[USER-NAME] username: [USER-NAME] groups: - system:bootstrappers - system:nodes Save and close the text editor window. A success or error message will print to the console after closing the text editor window. If an error shows, verify the correct syntax was used. Additionally, a more detailed error message will be printed within the ConfigMap text file. Add EBS CSI driver to Cluster \u00b6 The Amazon EBS CSI plugin requires IAM permissions to make calls to Amazon APIs on your behalf. This is required for Vault. Without the driver, Vault will be stuck pending since its volume will be unable to be created. This is a new requirement starting in Kubernetes 1.23 and later. Find additional information at Creating the Amazon EBS CSI driver IAM role for service accounts . Create a new IAM role and attach the required Amazon managed policy. Replace <cluster-name> with the name of your cluster. eksctl create iamserviceaccount \\ --name ebs-csi-controller-sa \\ --namespace kube-system \\ --cluster <cluster-name> \\ --attach-policy-arn arn:aws-cn:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \\ --approve \\ --role-only \\ --role-name AmazonEKS_EBS_CSI_DriverRole Add the EBS CSI add-on to the cluster. Replace <cluster-name> with the name of your cluster and <account-ID> with your Account ID. Find more information at Managing the Amazon EBS CSI driver as an Amazon EKS add-on . eksctl create addon --name aws-ebs-csi-driver --cluster <cluster-name> --service-account-role-arn arn:aws:iam::<account-ID>:role/AmazonEKS_EBS_CSI_DriverRole --force Create Postgres DB in RDS \u00b6 Create a Postgres DB by following the steps for Creating an Amazon RDS DB instance . Make sure to set the following configuration settings: Field Set to Virtual private cloud (VPC) Choose the VPC created from your cluster. It should follow the format: 'eksctl- <cluster-name> -cluster/VPC' Public access Yes. In the next steps, we will create Security rules to limit access. VPC security group Choose existing Existing VPC security groups default Configure Virtual Private Cloud (VPC) for access \u00b6 Go to RDS home . Select 'Databases' from the left-hand side menu. Select your created database (Ex: database-1). Under Security in Connectivity & security , click on the VPC under VPC security groups (Ex: default (sg-01b4767ggdcb52825) ). Select Inbound rules . Select Edit inbound rules . Add Two New Rules \u00b6 Rule One: Select Add rule . Under 'Type' select PostgresSQL . Under 'Source' select My IP . Rule Two: Select Add rule . Under 'Type' select PostgresSQL . Under 'Source' select Custom . In the search box, select the security group starting with the label 'eks-cluster-sg'. Select Save rules . Create Databases and Schema \u00b6 Use the database schema files to initialize the hosted Postgres DB in the following steps. Note The following commands will prompt for the database password you chose here . Where: <SERVERURL> is the location of the Postgres database (Ex: database-1.jotd7t2abapq.us-west-2.rds.amazonaws.com ). <USERNAME> is the username for the Postgres database. Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb'. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/initMPS.sql Create Secrets \u00b6 1. MPS /KONG JWT \u00b6 This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret. 2. KONG ACL for JWT \u00b6 This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin 3. MPS Web Username and Password \u00b6 This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character 4. Database connection strings \u00b6 Warning - Using SSL/ TLS with AWS RDS Postgres 14 By default, AWS pre-selects Postgres 14. This tutorial uses the connection string setting of no-verify for ease of setup. To fully configure SSL, follow the links below. For production, it is recommended to use a SSL connection. Find more information at Using SSL with a PostgreSQL DB instance and Updating applications to connect to PostgreSQL DB instances using new SSL/ TLS certificates . Postgres 15 Alternatively, if Postgres 15 is preferred and selected, the sslmode in the connection strings must be updated from no-verify / disable to require for the services to be able to connect to the database. No other work is required for a test environment. Note: For a fully secured, certificate-based SSL connection, the following steps must be taken in Using SSL with a PostgreSQL DB instance . It will also require updating sslmode to verify-full or verify-ca . For production, it is highly recommended. Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the username for the Postgres database. <PASSWORD> is the password for the Postgres database. <SERVERURL> is the url for the AWS-hosted Postgres database (Ex: database-1.jotd7t2abapq.us-west-2.rds.amazonaws.com ). Create RPS connection string secret. Postgres 14 Postgres 15 kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=no-verify kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=require Create MPS Router connection string secret. Postgres 14 Postgres 15 kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Create MPS connection string secret. Postgres 14 Postgres 15 kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=no-verify kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Update Configuration \u00b6 Edit values.yaml \u00b6 Open the values.yaml file in the ./open-amt-cloud-toolkit/kubernetes/charts/ directory. Remove the annotations section and service.beta.kubernetes.io/azure-dns-label-name key in the kong: section. These are Azure-specific implementations. kong : proxy : annotations : # Delete this line service.beta.kubernetes.io/azure-dns-label-name : \"<your-domain-name>\" # Delete this line Save and close the file. Deploy Open AMT Cloud Toolkit using Helm \u00b6 Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Thu Jul 15 11:17:38 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None Initialize and Unseal Vault \u00b6 Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Tip - Finding the Vault UI External IP Address The external IP of your Vault UI service can be found by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down. Click Enable Engine . Vault Token Secret \u00b6 Add the root token as a secret to the EKS cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. Update commonName in values.yml \u00b6 Get the External-IP for accessing the UI. Note and save the value under 'EXTERNAL-IP'. kubectl get service openamtstack-kong-proxy Update the value for commonName in the mps section in the values.yml file with the External-IP from above. Recall that values.yml is located in ./kubernetes/charts/ . mps : commonName : \"\" # update with External-IP from `kubectl get services` replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Update the stack using helm. helm upgrade openamtstack ./kubernetes/charts Verify running pods \u00b6 View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 1/1 Running 0 4m5s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 4m5s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 4m5s openamtstack-vault-0 1/1 Running 0 4m5s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 4m5s rps-79877bf5c5-dsg5p 1/1 Running 0 4m5s webui-6cc48f4d68-6r8b5 1/1 Running 0 4m5s Check that the MPS Certificate is correct in your browser. Go to your FQDN at port 4433. https://<Your-AWS-FQDN>:4433 Verify the MPS Certificate in your browser has the correct Issuer information and is Issued to your FQDN. Troubleshoot - Issued to field showing NaN or blank If your certificate is incorrect, the AMT device will not connect to the MPS server. See Figure 1. Follow the steps below to correct the problem. Example - Incorrect MPS Certificate Figure 1: Incorrect Certificate Open and Login to Vault UI. Go to kv/data/MPSCerts/ directory. Delete the existing MPS Certificate. In a terminal, run the following command. kubectl rollout restart deployment mps A new, correct MPS Cert should be generated. Go back to the webserver in your browser. https://<Your-AWS-FQDN>:4433 Verify the Issued to: field is no longer NaN/blank and now shows the correct FQDN. Continue to Next Steps section. Next Steps \u00b6 Visit the Sample Web UI using the FQDN name and Continue from the Get Started steps .","title":"EKS"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#amazon-elastic-kubernetes-service-eks","text":"This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a Kubernetes cluster using EKS. To perform a simpler test deployment, use a single-mode cluster locally. See Kubernetes (K8s) . Amazon EKS offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance. Learn more about EKS here .","title":"Amazon Elastic Kubernetes Service (EKS)"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#prerequisites","text":"kubectl AWS CLI eksctl CLI Helm CLI (v3.5+) PSQL CLI (11.13)","title":"Prerequisites"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#get-the-toolkit","text":"Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0","title":"Get the Toolkit"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#create-a-new-eks-cluster","text":"Follow steps for aws configure to finish configuration of AWS CLI. Follow steps to Create a key pair using Amazon EC2 to create a SSH key for accessing the cluster. Create a new EKS cluster and supporting components. eksctl create cluster --name <cluster-name> --region <region> --with-oidc --ssh-access --ssh-public-key <ssh-keypair-name> --managed Where: <cluster-name> is the name of the new EKS cluster. <region> is the AWS region to deploy the stack (Ex: us-west-2 ). <ssh-keypair-name> is the name of the SSH key from the previous step.","title":"Create a New EKS Cluster"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#configure-eks-instance","text":"Ensure your kubectl is connected to the correct EKS cluster to manage. Provide your region and cluster name. aws eks update-kubeconfig --region <region> --name <cluster-name> Where: <cluster-name> is the name of your EKS cluster. <region> is the AWS region where the cluster is (Ex: us-west-2 ).","title":"Configure EKS Instance"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#update-access-permissions","text":"In order to be able to see cluster details like resources, networking, and more with the Amazon EKS console, we must configure permissions in the ConfigMap . More information can be found at How do I resolve the \"Your current user or role does not have access to Kubernetes objects on this EKS cluster\" error in Amazon EKS? Get the configuration of your AWS CLI user or role. aws sts get-caller-identity Edit aws-auth ConfigMap in a text editor. kubectl edit configmap aws-auth -n kube-system Add the IAM user OR IAM role to the ConfigMap. To allow superuser access for performing any action on any resource, add system:masters instead of system:bootstrappers and system:nodes . Add a Role Add a User # Add under existing mapRoles section # Replace [ROLE-NAME] with your IAM Role mapRoles: | - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/[ROLE-NAME] username: [ROLE-NAME] groups: - system:bootstrappers - system:nodes # Alternatively, you can create permissions for a single User rather than a Role # Create a new mapUsers section # Replace [USER-NAME] with your IAM User mapUsers: | - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/[USER-NAME] username: [USER-NAME] groups: - system:bootstrappers - system:nodes Save and close the text editor window. A success or error message will print to the console after closing the text editor window. If an error shows, verify the correct syntax was used. Additionally, a more detailed error message will be printed within the ConfigMap text file.","title":"Update Access Permissions"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#add-ebs-csi-driver-to-cluster","text":"The Amazon EBS CSI plugin requires IAM permissions to make calls to Amazon APIs on your behalf. This is required for Vault. Without the driver, Vault will be stuck pending since its volume will be unable to be created. This is a new requirement starting in Kubernetes 1.23 and later. Find additional information at Creating the Amazon EBS CSI driver IAM role for service accounts . Create a new IAM role and attach the required Amazon managed policy. Replace <cluster-name> with the name of your cluster. eksctl create iamserviceaccount \\ --name ebs-csi-controller-sa \\ --namespace kube-system \\ --cluster <cluster-name> \\ --attach-policy-arn arn:aws-cn:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \\ --approve \\ --role-only \\ --role-name AmazonEKS_EBS_CSI_DriverRole Add the EBS CSI add-on to the cluster. Replace <cluster-name> with the name of your cluster and <account-ID> with your Account ID. Find more information at Managing the Amazon EBS CSI driver as an Amazon EKS add-on . eksctl create addon --name aws-ebs-csi-driver --cluster <cluster-name> --service-account-role-arn arn:aws:iam::<account-ID>:role/AmazonEKS_EBS_CSI_DriverRole --force","title":"Add EBS CSI driver to Cluster"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#create-postgres-db-in-rds","text":"Create a Postgres DB by following the steps for Creating an Amazon RDS DB instance . Make sure to set the following configuration settings: Field Set to Virtual private cloud (VPC) Choose the VPC created from your cluster. It should follow the format: 'eksctl- <cluster-name> -cluster/VPC' Public access Yes. In the next steps, we will create Security rules to limit access. VPC security group Choose existing Existing VPC security groups default","title":"Create Postgres DB in RDS"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#configure-virtual-private-cloud-vpc-for-access","text":"Go to RDS home . Select 'Databases' from the left-hand side menu. Select your created database (Ex: database-1). Under Security in Connectivity & security , click on the VPC under VPC security groups (Ex: default (sg-01b4767ggdcb52825) ). Select Inbound rules . Select Edit inbound rules .","title":"Configure Virtual Private Cloud (VPC) for access"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#add-two-new-rules","text":"Rule One: Select Add rule . Under 'Type' select PostgresSQL . Under 'Source' select My IP . Rule Two: Select Add rule . Under 'Type' select PostgresSQL . Under 'Source' select Custom . In the search box, select the security group starting with the label 'eks-cluster-sg'. Select Save rules .","title":"Add Two New Rules"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#create-databases-and-schema","text":"Use the database schema files to initialize the hosted Postgres DB in the following steps. Note The following commands will prompt for the database password you chose here . Where: <SERVERURL> is the location of the Postgres database (Ex: database-1.jotd7t2abapq.us-west-2.rds.amazonaws.com ). <USERNAME> is the username for the Postgres database. Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb'. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/initMPS.sql","title":"Create Databases and Schema"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#create-secrets","text":"","title":"Create Secrets"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#1-mpskong-jwt","text":"This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret.","title":"1. MPS/KONG JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#2-kong-acl-for-jwt","text":"This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin","title":"2. KONG ACL for JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#3-mps-web-username-and-password","text":"This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character","title":"3. MPS Web Username and Password"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#4-database-connection-strings","text":"Warning - Using SSL/ TLS with AWS RDS Postgres 14 By default, AWS pre-selects Postgres 14. This tutorial uses the connection string setting of no-verify for ease of setup. To fully configure SSL, follow the links below. For production, it is recommended to use a SSL connection. Find more information at Using SSL with a PostgreSQL DB instance and Updating applications to connect to PostgreSQL DB instances using new SSL/ TLS certificates . Postgres 15 Alternatively, if Postgres 15 is preferred and selected, the sslmode in the connection strings must be updated from no-verify / disable to require for the services to be able to connect to the database. No other work is required for a test environment. Note: For a fully secured, certificate-based SSL connection, the following steps must be taken in Using SSL with a PostgreSQL DB instance . It will also require updating sslmode to verify-full or verify-ca . For production, it is highly recommended. Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the username for the Postgres database. <PASSWORD> is the password for the Postgres database. <SERVERURL> is the url for the AWS-hosted Postgres database (Ex: database-1.jotd7t2abapq.us-west-2.rds.amazonaws.com ). Create RPS connection string secret. Postgres 14 Postgres 15 kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=no-verify kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=require Create MPS Router connection string secret. Postgres 14 Postgres 15 kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Create MPS connection string secret. Postgres 14 Postgres 15 kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=no-verify kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require","title":"4. Database connection strings"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#update-configuration","text":"","title":"Update Configuration"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#edit-valuesyaml","text":"Open the values.yaml file in the ./open-amt-cloud-toolkit/kubernetes/charts/ directory. Remove the annotations section and service.beta.kubernetes.io/azure-dns-label-name key in the kong: section. These are Azure-specific implementations. kong : proxy : annotations : # Delete this line service.beta.kubernetes.io/azure-dns-label-name : \"<your-domain-name>\" # Delete this line Save and close the file.","title":"Edit values.yaml"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#deploy-open-amt-cloud-toolkit-using-helm","text":"Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Thu Jul 15 11:17:38 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None","title":"Deploy Open AMT Cloud Toolkit using Helm"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#initialize-and-unseal-vault","text":"Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Tip - Finding the Vault UI External IP Address The external IP of your Vault UI service can be found by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down. Click Enable Engine .","title":"Initialize and Unseal Vault"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#vault-token-secret","text":"Add the root token as a secret to the EKS cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault.","title":"Vault Token Secret"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#update-commonname-in-valuesyml","text":"Get the External-IP for accessing the UI. Note and save the value under 'EXTERNAL-IP'. kubectl get service openamtstack-kong-proxy Update the value for commonName in the mps section in the values.yml file with the External-IP from above. Recall that values.yml is located in ./kubernetes/charts/ . mps : commonName : \"\" # update with External-IP from `kubectl get services` replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Update the stack using helm. helm upgrade openamtstack ./kubernetes/charts","title":"Update commonName in values.yml"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#verify-running-pods","text":"View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 1/1 Running 0 4m5s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 4m5s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 4m5s openamtstack-vault-0 1/1 Running 0 4m5s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 4m5s rps-79877bf5c5-dsg5p 1/1 Running 0 4m5s webui-6cc48f4d68-6r8b5 1/1 Running 0 4m5s Check that the MPS Certificate is correct in your browser. Go to your FQDN at port 4433. https://<Your-AWS-FQDN>:4433 Verify the MPS Certificate in your browser has the correct Issuer information and is Issued to your FQDN. Troubleshoot - Issued to field showing NaN or blank If your certificate is incorrect, the AMT device will not connect to the MPS server. See Figure 1. Follow the steps below to correct the problem. Example - Incorrect MPS Certificate Figure 1: Incorrect Certificate Open and Login to Vault UI. Go to kv/data/MPSCerts/ directory. Delete the existing MPS Certificate. In a terminal, run the following command. kubectl rollout restart deployment mps A new, correct MPS Cert should be generated. Go back to the webserver in your browser. https://<Your-AWS-FQDN>:4433 Verify the Issued to: field is no longer NaN/blank and now shows the correct FQDN. Continue to Next Steps section.","title":"Verify running pods"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#next-steps","text":"Visit the Sample Web UI using the FQDN name and Continue from the Get Started steps .","title":"Next Steps"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/","text":"This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a local Kubernetes single-node cluster. Alternatively, you can also deploy using a managed service through a Cloud Service Provider such as Azure Kubernetes Service ( AKS ). See AKS . Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications. Learn more about Kubernetes here . Prerequisites \u00b6 Docker Desktop with Kubernetes Enabled Important - For Linux If deploying on a Linux machine, Docker Desktop is not available. You must use Docker Engine alongside a local Kubernetes cluster tool such as minikube or kubeadm . kubectl Helm CLI (v3.5+) PostgreSQL Docker Container or Local PostgreSQL server Note - Database Required This guide requires a standalone database for storage. This can be done either as a Docker container or as a local Postgres server on your local IP. For production, a managed database instance, either by a cloud service provider or your enterprise IT, is highly recommended. Optional - How to Set up local PostgreSQL DB using Docker Build and Start \u00b6 Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Copy the .env.template file to .env . Windows (Cmd Prompt) Linux/Powershell copy .env.template .env cp .env.template .env Set the POSTGRES_USER and POSTGRES_PASSWORD to the credentials you want. Build and start the container. docker compose -f \"docker-compose.yml\" up -d db Continue from Create Kubernetes Secrets . Optional (Not Recommended) - How to Set up Local PostgreSQL server on local IP Address Download and Configure \u00b6 Download and Install PostgreSQL . You may have to add .\\bin and .\\lib to your PATH on Windows. Open the pg_hba.conf file under .\\PostgreSQL\\14\\data . Add your device's IP Address under IPv4 local connections . Example - pg_hba.conf File # TYPE DATABASE USER ADDRESS METHOD # \"local\" is for Unix domain socket connections only local all all scram-sha-256 # IPv4 local connections: host all all 127.0.0.1/32 scram-sha-256 host all all <Your-IP-Address>/24 scram-sha-256 # IPv6 local connections: host all all ::1/128 scram-sha-256 # Allow replication connections from localhost, by a user with the # replication privilege. local replication all scram-sha-256 host replication all 127.0.0.1/32 scram-sha-256 host replication all ::1/128 scram-sha-256 Reload the configuration file to use the updated values. psql -U <user> -p 5432 -c \"SELECT pg_reload_conf();\" **From here, use your IP Address as the <SERVERURL>. DO NOT use localhost or 127.0.0.1. ** Get the Toolkit \u00b6 Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Create Kubernetes Secrets \u00b6 1. MPS /KONG JWT \u00b6 This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret. 2. KONG ACL for JWT \u00b6 This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin 3. MPS Web Username and Password \u00b6 This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character 4. Database connection strings \u00b6 Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the username for the Postgres database. <PASSWORD> is the password for the Postgres database. <SERVERURL> is the loction for the Postgres database. Warning - Using an SSL Connection This tutorial uses the connection string setting of 'disable' for ease of setup. For production, it is recommended to use a SSL connection. Create RPS connection string secret. kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=disable Create MPS Router connection string secret. kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable Create MPS connection string secret. kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable Update Configuration \u00b6 Edit values.yaml \u00b6 Open the values.yaml file in ./open-amt-cloud-toolkit/kubernetes/charts/ . Update the commonName key in the mps section with the IP Address of your development device. mps : commonName : \"<your-ip-address>\" replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Save and close the file. Create Databases and Schema \u00b6 Use the database schema files to initialize the hosted Postgres DB in the following steps. Where: <SERVERURL> is the location of the Postgres database. <USERNAME> is the username for the Postgres database. Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb'. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./data/initMPS.sql Deploy Open AMT Cloud Toolkit Using Helm \u00b6 Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Wed Jul 14 12:59:29 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None View the pods. You might notice openamtstack-vault-0 is not ready. This will change after we initialize and unseal Vault. MPS and RPS will both have a status of CreateContainerConfigError until Vault is Ready. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 0/1 CreateContainerConfigError 0 5m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 5m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 5m openamtstack-vault-0 0/1 Running 0 5m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 5m rps-79877bf5c5-hnv8t 0/1 CreateContainerConfigError 0 5m webui-784cd49976-bj7z5 1/1 Running 0 5m Initialize and Unseal Vault \u00b6 Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Connect to the Vault UI using a web browser. http://localhost:8200 Troubleshoot - Vault UI External IP If you cannot connect, verify the External IP Address by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Click Enable Engine . Vault Token Secret \u00b6 Add the root token as a secret to the k8s cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 1/1 Running 0 7m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 7m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 7m openamtstack-vault-0 1/1 Running 0 7m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 7m rps-79877bf5c5-hnv8t 1/1 Running 0 7m webui-784cd49976-bj7z5 1/1 Running 0 7m Next Steps \u00b6 Continue from the Get Started steps","title":"Kubernetes (K8s)"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#prerequisites","text":"Docker Desktop with Kubernetes Enabled Important - For Linux If deploying on a Linux machine, Docker Desktop is not available. You must use Docker Engine alongside a local Kubernetes cluster tool such as minikube or kubeadm . kubectl Helm CLI (v3.5+) PostgreSQL Docker Container or Local PostgreSQL server Note - Database Required This guide requires a standalone database for storage. This can be done either as a Docker container or as a local Postgres server on your local IP. For production, a managed database instance, either by a cloud service provider or your enterprise IT, is highly recommended. Optional - How to Set up local PostgreSQL DB using Docker","title":"Prerequisites"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#build-and-start","text":"Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Copy the .env.template file to .env . Windows (Cmd Prompt) Linux/Powershell copy .env.template .env cp .env.template .env Set the POSTGRES_USER and POSTGRES_PASSWORD to the credentials you want. Build and start the container. docker compose -f \"docker-compose.yml\" up -d db Continue from Create Kubernetes Secrets . Optional (Not Recommended) - How to Set up Local PostgreSQL server on local IP Address","title":"Build and Start"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#download-and-configure","text":"Download and Install PostgreSQL . You may have to add .\\bin and .\\lib to your PATH on Windows. Open the pg_hba.conf file under .\\PostgreSQL\\14\\data . Add your device's IP Address under IPv4 local connections . Example - pg_hba.conf File # TYPE DATABASE USER ADDRESS METHOD # \"local\" is for Unix domain socket connections only local all all scram-sha-256 # IPv4 local connections: host all all 127.0.0.1/32 scram-sha-256 host all all <Your-IP-Address>/24 scram-sha-256 # IPv6 local connections: host all all ::1/128 scram-sha-256 # Allow replication connections from localhost, by a user with the # replication privilege. local replication all scram-sha-256 host replication all 127.0.0.1/32 scram-sha-256 host replication all ::1/128 scram-sha-256 Reload the configuration file to use the updated values. psql -U <user> -p 5432 -c \"SELECT pg_reload_conf();\" **From here, use your IP Address as the <SERVERURL>. DO NOT use localhost or 127.0.0.1. **","title":"Download and Configure"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#get-the-toolkit","text":"Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0","title":"Get the Toolkit"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#create-kubernetes-secrets","text":"","title":"Create Kubernetes Secrets"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#1-mpskong-jwt","text":"This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret.","title":"1. MPS/KONG JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#2-kong-acl-for-jwt","text":"This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin","title":"2. KONG ACL for JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#3-mps-web-username-and-password","text":"This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character","title":"3. MPS Web Username and Password"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#4-database-connection-strings","text":"Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the username for the Postgres database. <PASSWORD> is the password for the Postgres database. <SERVERURL> is the loction for the Postgres database. Warning - Using an SSL Connection This tutorial uses the connection string setting of 'disable' for ease of setup. For production, it is recommended to use a SSL connection. Create RPS connection string secret. kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=disable Create MPS Router connection string secret. kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable Create MPS connection string secret. kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable","title":"4. Database connection strings"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#update-configuration","text":"","title":"Update Configuration"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#edit-valuesyaml","text":"Open the values.yaml file in ./open-amt-cloud-toolkit/kubernetes/charts/ . Update the commonName key in the mps section with the IP Address of your development device. mps : commonName : \"<your-ip-address>\" replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Save and close the file.","title":"Edit values.yaml"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#create-databases-and-schema","text":"Use the database schema files to initialize the hosted Postgres DB in the following steps. Where: <SERVERURL> is the location of the Postgres database. <USERNAME> is the username for the Postgres database. Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb'. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./data/initMPS.sql","title":"Create Databases and Schema"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#deploy-open-amt-cloud-toolkit-using-helm","text":"Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Wed Jul 14 12:59:29 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None View the pods. You might notice openamtstack-vault-0 is not ready. This will change after we initialize and unseal Vault. MPS and RPS will both have a status of CreateContainerConfigError until Vault is Ready. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 0/1 CreateContainerConfigError 0 5m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 5m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 5m openamtstack-vault-0 0/1 Running 0 5m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 5m rps-79877bf5c5-hnv8t 0/1 CreateContainerConfigError 0 5m webui-784cd49976-bj7z5 1/1 Running 0 5m","title":"Deploy Open AMT Cloud Toolkit Using Helm"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#initialize-and-unseal-vault","text":"Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Connect to the Vault UI using a web browser. http://localhost:8200 Troubleshoot - Vault UI External IP If you cannot connect, verify the External IP Address by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Click Enable Engine .","title":"Initialize and Unseal Vault"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#vault-token-secret","text":"Add the root token as a secret to the k8s cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 1/1 Running 0 7m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 7m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 7m openamtstack-vault-0 1/1 Running 0 7m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 7m rps-79877bf5c5-hnv8t 1/1 Running 0 7m webui-784cd49976-bj7z5 1/1 Running 0 7m","title":"Vault Token Secret"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#next-steps","text":"Continue from the Get Started steps","title":"Next Steps"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/","text":"Enabling KUMA Service Mesh (Optional) \u00b6 For enhancing security in the Kubernetes deployment, use KUMA Service Mesh to enable mTLS between services. To learn more about KUMA visit their documentation . Install KUMA w/ Helm \u00b6 Follow the instructions for installing KUMA with helm . Create Service Mesh \u00b6 After KUMA is installed, next create a service mesh with mTLS enabled: echo \"apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: name: open-amt-cloud-toolkit-mesh spec: mtls: enabledBackend: open-amt-cloud-toolkit-cert backends: - name: open-amt-cloud-toolkit-cert type: builtin enabled: true\" | kubectl apply -f - Turn On Sidecar Injection \u00b6 After the mesh is created, turn on sidecar-injection for the open-amt-cloud-toolkit services with: echo \"apiVersion: v1 kind: Namespace metadata: name: default namespace: default annotations: kuma.io/sidecar-injection: enabled kuma.io/mesh: open-amt-cloud-toolkit-mesh\" | kubectl apply -f - Delete all pods to ensure updated annotations from previous command take effect: kubectl delete pod --all -n default Configure Traffic Permissions \u00b6 Finally, we need to allow traffic between services: echo \"apiVersion: kuma.io/v1alpha1 kind: TrafficPermission mesh: open-amt-cloud-toolkit-mesh metadata: namespace: default name: allow-all-open-amt-cloud-toolkit-mesh spec: sources: - match: kuma.io/service: '*' destinations: - match: kuma.io/service: '*'\" | kubectl apply -f - After applying traffic permissions, you should now be able to use the Open AMT Cloud Toolkit and continue logging into the web portal following the setup instructions in the Getting Started section .","title":"KUMA Service Mesh"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#enabling-kuma-service-mesh-optional","text":"For enhancing security in the Kubernetes deployment, use KUMA Service Mesh to enable mTLS between services. To learn more about KUMA visit their documentation .","title":"Enabling KUMA Service Mesh (Optional)"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#install-kuma-w-helm","text":"Follow the instructions for installing KUMA with helm .","title":"Install KUMA w/ Helm"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#create-service-mesh","text":"After KUMA is installed, next create a service mesh with mTLS enabled: echo \"apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: name: open-amt-cloud-toolkit-mesh spec: mtls: enabledBackend: open-amt-cloud-toolkit-cert backends: - name: open-amt-cloud-toolkit-cert type: builtin enabled: true\" | kubectl apply -f -","title":"Create Service Mesh"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#turn-on-sidecar-injection","text":"After the mesh is created, turn on sidecar-injection for the open-amt-cloud-toolkit services with: echo \"apiVersion: v1 kind: Namespace metadata: name: default namespace: default annotations: kuma.io/sidecar-injection: enabled kuma.io/mesh: open-amt-cloud-toolkit-mesh\" | kubectl apply -f - Delete all pods to ensure updated annotations from previous command take effect: kubectl delete pod --all -n default","title":"Turn On Sidecar Injection"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#configure-traffic-permissions","text":"Finally, we need to allow traffic between services: echo \"apiVersion: kuma.io/v1alpha1 kind: TrafficPermission mesh: open-amt-cloud-toolkit-mesh metadata: namespace: default name: allow-all-open-amt-cloud-toolkit-mesh spec: sources: - match: kuma.io/service: '*' destinations: - match: kuma.io/service: '*'\" | kubectl apply -f - After applying traffic permissions, you should now be able to use the Open AMT Cloud Toolkit and continue logging into the web portal following the setup instructions in the Getting Started section .","title":"Configure Traffic Permissions"}]}
\ No newline at end of file
+{"config":{"indexing":"full","lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"Overview \u00b6 Open Active Management Technology Cloud Toolkit ( Open AMT Cloud Toolkit ) provides open-source, modular microservices and libraries for integration of Intel\u00ae Active Management Technology ( Intel\u00ae AMT ). As an open source implementation, the toolkit makes it easier for IT departments and independent software vendors (ISVs) to adopt, integrate, and customize Out-of-band Management ( OOB Management ) solutions for Intel vPro\u00ae Platforms. Long-Term Support (LTS) Version Not looking for the current rapid release with the latest features? See the documentation for our Long-Term Support release. Get Started Jump in to the Open AMT Cloud Toolkit by deploying locally with Docker containers. Get Started Now Tutorials Get hands-on with tutorials for topics like the UI-Toolkit, APIs, and Scaling (Docker, Kubernetes, and more). Explore Tutorials APIs Check out the supported APIs for both the Management Presence Server (MPS) and the Remote Provisioning Server (RPS). See APIs Join Our Community The Intel vPro\u00ae Platform, featuring Intel\u00ae AMT , enables Out-of-Band (OOB) Management for remote devices. No matter if the device is powered off or the operating system has crashed, issue power actions and take over keyboard, video, mouse ( KVM ) control. Reduce the need for costly on-site IT, minimize the downtime of key, business-critical devices, and more. Read more about the Intel vPro\u00ae Platform . Figure 1: Open AMT Cloud Toolkit features OOB Management Intel\u00ae AMT supports remote manageability with: OOB Management : This hardware-based remote management solution operates below the operating system. Call Home : This capability enables administrators to control, update, and modify remote clients with OOB Management . Goals \u00b6 The toolkit guide provides instructions to: Deploy the Management Presence Server ( MPS ) and Remote Provisioning Server ( RPS ) on the development system. Build and run Remote Provisioning Client ( RPC ) on the managed device. Connect the managed device (edge device). Additional sections provide guidance on the reference implementation UI Toolkit , REST API usage, asset security, and more. Figure 2: High-level architecture: major software components As shown in Figure 2, Open AMT Cloud Toolkit high-level architecture consists of five components: MPS - A microservice that uses an Intel vPro\u00ae Platform feature, Client Initiated Remote Access ( CIRA ), for enabling edge, cloud devices to maintain a persistent connection for out-of-band manageability features, such as power control or Keyboard, Video, Mouse ( KVM ) control. RPS - A microservice that activates Intel\u00ae AMT platforms using predefined profiles and connects them to the MPS for manageability use cases. RPC - A lightweight client application that communicates with the RPS server to activate Intel\u00ae AMT . UI Toolkit - A toolkit that includes prebuilt React components and a reference implementation web console. The React-based snippets simplify the task of adding complex manageability-related UI controls, such as the KVM , to a console. Sample Web UI - A web based UI that demonstrates how to use the UI-Toolkit. It also provides a way to interact with the microservices and to help provide context as to how each microservice is used. Integrate the Open AMT Cloud Toolkit into new and existing management consoles, software solutions, and more. Toolkit Setup \u00b6 Microservices as Containers \u00b6 Set up microservices quickly as Docker containers with this recommended method. Get Started Now Estimated completion time: Approximately 30 minutes Additional Intel\u00ae AMT Resources \u00b6 For additional information about Intel\u00ae AMT , see the following links: Intel vPro\u00ae Platform Overview Video Link Detailed Setup document","title":"Overview"},{"location":"#overview","text":"Open Active Management Technology Cloud Toolkit ( Open AMT Cloud Toolkit ) provides open-source, modular microservices and libraries for integration of Intel\u00ae Active Management Technology ( Intel\u00ae AMT ). As an open source implementation, the toolkit makes it easier for IT departments and independent software vendors (ISVs) to adopt, integrate, and customize Out-of-band Management ( OOB Management ) solutions for Intel vPro\u00ae Platforms. Long-Term Support (LTS) Version Not looking for the current rapid release with the latest features? See the documentation for our Long-Term Support release.","title":"Overview"},{"location":"#goals","text":"The toolkit guide provides instructions to: Deploy the Management Presence Server ( MPS ) and Remote Provisioning Server ( RPS ) on the development system. Build and run Remote Provisioning Client ( RPC ) on the managed device. Connect the managed device (edge device). Additional sections provide guidance on the reference implementation UI Toolkit , REST API usage, asset security, and more. Figure 2: High-level architecture: major software components As shown in Figure 2, Open AMT Cloud Toolkit high-level architecture consists of five components: MPS - A microservice that uses an Intel vPro\u00ae Platform feature, Client Initiated Remote Access ( CIRA ), for enabling edge, cloud devices to maintain a persistent connection for out-of-band manageability features, such as power control or Keyboard, Video, Mouse ( KVM ) control. RPS - A microservice that activates Intel\u00ae AMT platforms using predefined profiles and connects them to the MPS for manageability use cases. RPC - A lightweight client application that communicates with the RPS server to activate Intel\u00ae AMT . UI Toolkit - A toolkit that includes prebuilt React components and a reference implementation web console. The React-based snippets simplify the task of adding complex manageability-related UI controls, such as the KVM , to a console. Sample Web UI - A web based UI that demonstrates how to use the UI-Toolkit. It also provides a way to interact with the microservices and to help provide context as to how each microservice is used. Integrate the Open AMT Cloud Toolkit into new and existing management consoles, software solutions, and more.","title":"Goals"},{"location":"#toolkit-setup","text":"","title":"Toolkit Setup"},{"location":"#microservices-as-containers","text":"Set up microservices quickly as Docker containers with this recommended method. Get Started Now Estimated completion time: Approximately 30 minutes","title":"Microservices as Containers"},{"location":"#additional-intel-amt-resources","text":"For additional information about Intel\u00ae AMT , see the following links: Intel vPro\u00ae Platform Overview Video Link Detailed Setup document","title":"Additional Intel\u00ae AMT Resources"},{"location":"Glossary/","text":"Glossary \u00b6 Open Active Management Technology (Open AMT) Cloud Toolkit, also referred to as (OAMTCT) Related Terminology, Technologies, and Acronyms A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z A \u00b6 admin control mode (ACM): A mode of provisioning Intel\u00ae AMT that requires a purchased provisioning certificate from a Certificate Authority (CA), the creation of a domain, and the creation of a profile in the Remote Provisioning Server (RPS) application. ACM achieves a higher level of trust than client control mode (CCM). This is the required mode for Keyboard, Video, Mouse (KVM) or Redirection without user consent. See also CCM and provisioning . ACM Activation: The act of loading a purchased certificate and associating it with an OAMTCT profile. allowlist: A list permitting access to a privilege, service, network, etc. B \u00b6 Basic Input/Output System (BIOS): Firmware that performs hardware initialization and configuration upon startup. See MEBX . C \u00b6 certificate (provisioning): A digitally signed document used in the provisioning of an edge device featuring Intel\u00ae AMT. The Intel\u00ae AMT firmware is pre-loaded with Transport Layer Security (TLS) certificate thumbprints of different certificate vendors. A digital certificate binds the identity of the certificate holder to vendor-specific thumbprints. To provision an edge device, users must purchase a certificate from an approved vendor. Client Initiated Remote Access (CIRA): An out-of-band (OOB) management communication protocol that network clients can use to initiate a secure connection with a server. Client Control Mode (CCM): An alternative to ACM provisioning mode that does not require a purchased certificate. Use this mode to set up OAMTCT software features quickly. Container (Docker*): The instantiation, or running instance, of a Docker image. D \u00b6 development system: The system on which Management Presence Server (MPS) and Remote Provision Server (RPS) are installed. Docker*: A platform that employs the idea of containerization, isolating a unit of software, such as an application, from its environment. Containerization creates applications as lightweight, discrete processes that can be deployed to the cloud as services. See Docker for more information. Domain Name System (DNS) suffix: A suffix appended to the hostname of a DNS name. domain suffix: The top-level portion or end of a domain name (i.e., com, net, org). E \u00b6 Edge Devices: A device or piece of hardware that serves as an entry point into an enterprise or service provider network. Edge devices include those related to banking, retail, hospitality, point-of-sale, etc. G \u00b6 Globally Unique Identifier (GUID): A 128-bit integer used to identify a system resource. I \u00b6 Intel\u00ae Active Management Technology (Intel\u00ae AMT): A technology that provides out-of-band management and security features on an Intel vPro\u00ae Platform. See general overview of features. Intel vPro\u00ae Platform: An Intel\u00ae platform created for business environments. Intel vPro\u00ae technology features Intel\u00ae Core\u2122 i5, Intel\u00ae Core\u2122 i7, and Intel\u00ae Core\u2122 i9 vPro\u00ae processors, built-in security features, and out-of-band manageability using Intel\u00ae AMT. See more about the platform. Images (Docker*): a set of instructions that determine the creation of an instantiated container on a Docker platform. K \u00b6 Keyboard, Video, Mouse (KVM): A technology, often a device, that allows a user to control multiple computers from a single keyboard, mouse, and video source. L \u00b6 lights-out management (LOM): See out-of-band management . M \u00b6 managed (edge) device: An Intel vPro\u00ae Platform that features Intel\u00ae AMT and functions as an edge device. Manageability Engine BIOS Extensions (MEBX): A BIOS extension that enables the configuration of the Intel\u00ae AMT. Management Presence Server (MPS): A microservice that resides on the development system and enables platforms featuring featuring Intel\u00ae AMT. The MPS receives CIRA requests from the managed device. microservice: A software unit or module of a microservice architecture. In OAMTCT architecture, MPS and RPS are microservices residing on the development system. microservice architecture: An architecture in which the component parts are broken into discrete services, called microservices, that perform specific, limited functions. N \u00b6 Node.js*: An open source JavaScript* runtime created for asynchronous, event-driven backend network applications. See more about node.js. Node Package Manager (npm): a command line utility in node.js. The utility enables the management of packages, versions, and dependencies in node projects. O \u00b6 Open Active Management Technology (Open AMT) Cloud Toolkit: An open source software architecture consisting of modular microservices and libraries for integration of out-of-band manageability into existing network infrastructures. The software enables network administrators and independent software vendors (ISVs) to explore key Intel\u00ae AMT features. See more about Open AMT Cloud Toolkit features. out-of-band (OOB) manageability: A remote management technology that allows administrators to perform actions on network assets or devices using a secure alternative to LAN-based communication protocols. Actions include reboot, power up, power down, system updates, and more. As long as the network device or asset is connected to power, OAMTCT software can perform remote management, including powering up a system that is currently powered down. P \u00b6 profile : A set of configuration information, including a password and provisioning method, provided to Intel\u00ae AMT firmware during the activation process. provision or provisioning: The act of setting up a remote client, system, or device, on a network using a digitally signed certificate as a security credential. Q \u00b6 R \u00b6 Remote Provision Client (RPC): A lightweight client application that resides on the managed device. The RPC communicates with the Manageability Engine Interface (MEI) in the Management Engine (ME) driver to activate Intel\u00ae AMT. Remote Provision Server (RPS): A node.js-based microservice that works with the Remote Provision Client (RPC) to activate Intel\u00ae AMT using a pre-defined profile. REpresentational State Transfer (REST) API : An architectural style or set of rules describing constraints that allow administrators and developers to take advantage of various Web services. In the context of OAMTCT, administrators can construct REST API calls and run them with node, use provided REST code snippets to expand the reference implementation console, and use provided REST code snippets as a springboard for developing and expanding custom consoles. S \u00b6 Sample Web UI: A reference UI implementation serving as a demo vehicle and utilizing components of the UI toolkit. T \u00b6 U \u00b6 UI Toolkit: A modular, REST-based API consisting of code snippets developers can use to implement AMT features and services to their manageability console. V \u00b6 vcpkg : A command-line application that helps manage package creation and C and C++ libraries on Windows , Linux , and MacOS*. Vault storage : A service that manages encryption and storage of infrastructure secrets. W \u00b6 WebSocket*: A communication protocol that enables persistent connections and full-duplex communication between clients and servers. Web Service Management (WS-MAN): A SOAP-based protocol for exchanging management data between network devices. X \u00b6 Y \u00b6 Z \u00b6","title":"Glossary"},{"location":"Glossary/#glossary","text":"Open Active Management Technology (Open AMT) Cloud Toolkit, also referred to as (OAMTCT) Related Terminology, Technologies, and Acronyms A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z","title":"Glossary"},{"location":"Glossary/#a","text":"admin control mode (ACM): A mode of provisioning Intel\u00ae AMT that requires a purchased provisioning certificate from a Certificate Authority (CA), the creation of a domain, and the creation of a profile in the Remote Provisioning Server (RPS) application. ACM achieves a higher level of trust than client control mode (CCM). This is the required mode for Keyboard, Video, Mouse (KVM) or Redirection without user consent. See also CCM and provisioning . ACM Activation: The act of loading a purchased certificate and associating it with an OAMTCT profile. allowlist: A list permitting access to a privilege, service, network, etc.","title":"A"},{"location":"Glossary/#b","text":"Basic Input/Output System (BIOS): Firmware that performs hardware initialization and configuration upon startup. See MEBX .","title":"B"},{"location":"Glossary/#c","text":"certificate (provisioning): A digitally signed document used in the provisioning of an edge device featuring Intel\u00ae AMT. The Intel\u00ae AMT firmware is pre-loaded with Transport Layer Security (TLS) certificate thumbprints of different certificate vendors. A digital certificate binds the identity of the certificate holder to vendor-specific thumbprints. To provision an edge device, users must purchase a certificate from an approved vendor. Client Initiated Remote Access (CIRA): An out-of-band (OOB) management communication protocol that network clients can use to initiate a secure connection with a server. Client Control Mode (CCM): An alternative to ACM provisioning mode that does not require a purchased certificate. Use this mode to set up OAMTCT software features quickly. Container (Docker*): The instantiation, or running instance, of a Docker image.","title":"C"},{"location":"Glossary/#d","text":"development system: The system on which Management Presence Server (MPS) and Remote Provision Server (RPS) are installed. Docker*: A platform that employs the idea of containerization, isolating a unit of software, such as an application, from its environment. Containerization creates applications as lightweight, discrete processes that can be deployed to the cloud as services. See Docker for more information. Domain Name System (DNS) suffix: A suffix appended to the hostname of a DNS name. domain suffix: The top-level portion or end of a domain name (i.e., com, net, org).","title":"D"},{"location":"Glossary/#e","text":"Edge Devices: A device or piece of hardware that serves as an entry point into an enterprise or service provider network. Edge devices include those related to banking, retail, hospitality, point-of-sale, etc.","title":"E"},{"location":"Glossary/#g","text":"Globally Unique Identifier (GUID): A 128-bit integer used to identify a system resource.","title":"G"},{"location":"Glossary/#i","text":"Intel\u00ae Active Management Technology (Intel\u00ae AMT): A technology that provides out-of-band management and security features on an Intel vPro\u00ae Platform. See general overview of features. Intel vPro\u00ae Platform: An Intel\u00ae platform created for business environments. Intel vPro\u00ae technology features Intel\u00ae Core\u2122 i5, Intel\u00ae Core\u2122 i7, and Intel\u00ae Core\u2122 i9 vPro\u00ae processors, built-in security features, and out-of-band manageability using Intel\u00ae AMT. See more about the platform. Images (Docker*): a set of instructions that determine the creation of an instantiated container on a Docker platform.","title":"I"},{"location":"Glossary/#k","text":"Keyboard, Video, Mouse (KVM): A technology, often a device, that allows a user to control multiple computers from a single keyboard, mouse, and video source.","title":"K"},{"location":"Glossary/#l","text":"lights-out management (LOM): See out-of-band management .","title":"L"},{"location":"Glossary/#m","text":"managed (edge) device: An Intel vPro\u00ae Platform that features Intel\u00ae AMT and functions as an edge device. Manageability Engine BIOS Extensions (MEBX): A BIOS extension that enables the configuration of the Intel\u00ae AMT. Management Presence Server (MPS): A microservice that resides on the development system and enables platforms featuring featuring Intel\u00ae AMT. The MPS receives CIRA requests from the managed device. microservice: A software unit or module of a microservice architecture. In OAMTCT architecture, MPS and RPS are microservices residing on the development system. microservice architecture: An architecture in which the component parts are broken into discrete services, called microservices, that perform specific, limited functions.","title":"M"},{"location":"Glossary/#n","text":"Node.js*: An open source JavaScript* runtime created for asynchronous, event-driven backend network applications. See more about node.js. Node Package Manager (npm): a command line utility in node.js. The utility enables the management of packages, versions, and dependencies in node projects.","title":"N"},{"location":"Glossary/#o","text":"Open Active Management Technology (Open AMT) Cloud Toolkit: An open source software architecture consisting of modular microservices and libraries for integration of out-of-band manageability into existing network infrastructures. The software enables network administrators and independent software vendors (ISVs) to explore key Intel\u00ae AMT features. See more about Open AMT Cloud Toolkit features. out-of-band (OOB) manageability: A remote management technology that allows administrators to perform actions on network assets or devices using a secure alternative to LAN-based communication protocols. Actions include reboot, power up, power down, system updates, and more. As long as the network device or asset is connected to power, OAMTCT software can perform remote management, including powering up a system that is currently powered down.","title":"O"},{"location":"Glossary/#p","text":"profile : A set of configuration information, including a password and provisioning method, provided to Intel\u00ae AMT firmware during the activation process. provision or provisioning: The act of setting up a remote client, system, or device, on a network using a digitally signed certificate as a security credential.","title":"P"},{"location":"Glossary/#q","text":"","title":"Q"},{"location":"Glossary/#r","text":"Remote Provision Client (RPC): A lightweight client application that resides on the managed device. The RPC communicates with the Manageability Engine Interface (MEI) in the Management Engine (ME) driver to activate Intel\u00ae AMT. Remote Provision Server (RPS): A node.js-based microservice that works with the Remote Provision Client (RPC) to activate Intel\u00ae AMT using a pre-defined profile. REpresentational State Transfer (REST) API : An architectural style or set of rules describing constraints that allow administrators and developers to take advantage of various Web services. In the context of OAMTCT, administrators can construct REST API calls and run them with node, use provided REST code snippets to expand the reference implementation console, and use provided REST code snippets as a springboard for developing and expanding custom consoles.","title":"R"},{"location":"Glossary/#s","text":"Sample Web UI: A reference UI implementation serving as a demo vehicle and utilizing components of the UI toolkit.","title":"S"},{"location":"Glossary/#t","text":"","title":"T"},{"location":"Glossary/#u","text":"UI Toolkit: A modular, REST-based API consisting of code snippets developers can use to implement AMT features and services to their manageability console.","title":"U"},{"location":"Glossary/#v","text":"vcpkg : A command-line application that helps manage package creation and C and C++ libraries on Windows , Linux , and MacOS*. Vault storage : A service that manages encryption and storage of infrastructure secrets.","title":"V"},{"location":"Glossary/#w","text":"WebSocket*: A communication protocol that enables persistent connections and full-duplex communication between clients and servers. Web Service Management (WS-MAN): A SOAP-based protocol for exchanging management data between network devices.","title":"W"},{"location":"Glossary/#x","text":"","title":"X"},{"location":"Glossary/#y","text":"","title":"Y"},{"location":"Glossary/#z","text":"","title":"Z"},{"location":"announcements/","text":"Announcements \u00b6 Open AMT Cloud Toolkit 2.0 is here! \u00b6 We have been preparing for this for quite a while and we know many of our customers have been eagerly awaiting this announcement, our Long Term Support (LTS) release is here! What does having an LTS release mean? \u00b6 Starting with LTS, Open AMT Cloud Toolkit will now have two release streams that customers can use. The current Rapid release stream continues to operate as it has been since the beginning of this year. Every six weeks we'll release new features and fixes that customers can use to add out-of-band functionality to their device management solution. For Long Term Support releases, new features will be added roughly every six months. Only critical security and bug fixes will be applied between feature releases, maintaining a stable feature set for the LTS release. When we release a new LTS version, all of the features in the current Rapid release stream will be merged to the LTS release stream. Similar to Rapid Releases, only the latest LTS release will be actively supported and maintained. With this release, both the Rapid and LTS releases are set to 2.0 and have the exact same feature set. As we continue to release new Rapid releases, the Rapid release stream will continue to add new features while the LTS release stream will continue with the 2.0 feature set. Compatibility between versions \u00b6 As we previously announced, with the major version change, we are strictly following semantic versioning, making all 2.X components compatible with each other. It also means that our 1.X components are not supported with 2.X components. In this release, all of our components have been versioned up to 2.0 and validated together to ensure compatibility. While both Rapid and LTS releases that share the same major version should be compatible with each other, we won't be validating Rapid and LTS combinations, so it is recommended that customers use either all Rapid or all LTS components. Changes coming for Remote Provisioning Client \u00b6 For 2.0, we are deprecating the C++ version of RPC in favor of our Go-based implementation. The reason for this is two-fold. First, we want to be able to take advantage of more modern tooling such as Snyk for Vulnerability Scanning, and Dependabot for dependency updates, among others. Secondly, the cloud focused technologies and protocols we use, which include REST and Websockets, have better support in modern languages. We still needed to balance the interaction between the AMT Firmware and the cloud which led to Go being a natural choice to use. With the 2.0 release, we are providing an early look at the Go version of RPC . Over the next few Rapid releases the functionality of the Go version will exceed that of the C++ version and customers will be encouraged to migrate. The entire Open AMT Cloud Toolkit team hopes you are as excited about this release as we are and we look forward to continuing to working with you! You can read more about this release in our release notes .","title":"Announcements"},{"location":"announcements/#announcements","text":"","title":"Announcements"},{"location":"announcements/#open-amt-cloud-toolkit-20-is-here","text":"We have been preparing for this for quite a while and we know many of our customers have been eagerly awaiting this announcement, our Long Term Support (LTS) release is here!","title":"Open AMT Cloud Toolkit 2.0 is here!"},{"location":"announcements/#what-does-having-an-lts-release-mean","text":"Starting with LTS, Open AMT Cloud Toolkit will now have two release streams that customers can use. The current Rapid release stream continues to operate as it has been since the beginning of this year. Every six weeks we'll release new features and fixes that customers can use to add out-of-band functionality to their device management solution. For Long Term Support releases, new features will be added roughly every six months. Only critical security and bug fixes will be applied between feature releases, maintaining a stable feature set for the LTS release. When we release a new LTS version, all of the features in the current Rapid release stream will be merged to the LTS release stream. Similar to Rapid Releases, only the latest LTS release will be actively supported and maintained. With this release, both the Rapid and LTS releases are set to 2.0 and have the exact same feature set. As we continue to release new Rapid releases, the Rapid release stream will continue to add new features while the LTS release stream will continue with the 2.0 feature set.","title":"What does having an LTS release mean?"},{"location":"announcements/#compatibility-between-versions","text":"As we previously announced, with the major version change, we are strictly following semantic versioning, making all 2.X components compatible with each other. It also means that our 1.X components are not supported with 2.X components. In this release, all of our components have been versioned up to 2.0 and validated together to ensure compatibility. While both Rapid and LTS releases that share the same major version should be compatible with each other, we won't be validating Rapid and LTS combinations, so it is recommended that customers use either all Rapid or all LTS components.","title":"Compatibility between versions"},{"location":"announcements/#changes-coming-for-remote-provisioning-client","text":"For 2.0, we are deprecating the C++ version of RPC in favor of our Go-based implementation. The reason for this is two-fold. First, we want to be able to take advantage of more modern tooling such as Snyk for Vulnerability Scanning, and Dependabot for dependency updates, among others. Secondly, the cloud focused technologies and protocols we use, which include REST and Websockets, have better support in modern languages. We still needed to balance the interaction between the AMT Firmware and the cloud which led to Go being a natural choice to use. With the 2.0 release, we are providing an early look at the Go version of RPC . Over the next few Rapid releases the functionality of the Go version will exceed that of the C++ version and customers will be encouraged to migrate. The entire Open AMT Cloud Toolkit team hopes you are as excited about this release as we are and we look forward to continuing to working with you! You can read more about this release in our release notes .","title":"Changes coming for Remote Provisioning Client"},{"location":"license/","text":"License \u00b6 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION Definitions. \"License\" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. \"Licensor\" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. \"Legal Entity\" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, \"control\" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. \"You\" (or \"Your\") shall mean an individual or Legal Entity exercising permissions granted by this License. \"Source\" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. \"Object\" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. \"Work\" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). \"Derivative Works\" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. \"Contribution\" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, \"submitted\" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as \"Not a Contribution.\" \"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a \"NOTICE\" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets \"[]\" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same \"printed page\" as the copyright notice for easier identification within third-party archives. Copyright 2019 Intel Corporation Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.","title":"License"},{"location":"license/#license","text":"Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION Definitions. \"License\" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. \"Licensor\" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. \"Legal Entity\" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, \"control\" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. \"You\" (or \"Your\") shall mean an individual or Legal Entity exercising permissions granted by this License. \"Source\" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. \"Object\" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. \"Work\" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). \"Derivative Works\" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. \"Contribution\" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, \"submitted\" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as \"Not a Contribution.\" \"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a \"NOTICE\" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets \"[]\" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same \"printed page\" as the copyright notice for easier identification within third-party archives. Copyright 2019 Intel Corporation Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.","title":"License"},{"location":"release-notes/","text":"Release Highlights \u00b6 Note From the Team Greetings everyone, While Arizona experiences a welcome cooldown, the Open AMT Cloud Toolkit team is cranking up the heat with our latest release! In this month's update, we're thrilled to announce two exciting new features added to RPC -Go. It's now more versatile than ever with ACM activation and Wifi configuration capabilities. With these enhancements, RPC -Go empowers users to configure AMT into either ACM or CCM without the necessity of engaging with a cloud service. This newfound autonomy provides our customers with a level of flexibility that was previously unattainable. Furthermore, RPC -Go now extends its support to configure any type of wifi profile that AMT supports locally. We're excited about these advancements and look forward to hearing your feedback. Best wishes, The Open AMT Cloud Toolkit Team What's New? \u00b6 New Feature: Local ACM Activation With this release, you can now activate AMT into ACM just using RPC using the -local flag. Similar to local CCM activation, local ACM activation will require secrets to be passed to the AMT device, so users of this feature will need to have high trust in the local OS. View full command line options in Activate Device Locally Local activate command: rpc activate -local -acm -amtPassword NewAMTPassword -provisioningCert \"{BASE64_PROV_CERT}\" -provivisioningCertPwd certPassword New Feature: Local Wifi Configuration In this release, we have added the ability to configure any wifi profile, not just 802.1x wifi profiles. Users will also be able to configure multiple wifi profiles at the same time by providing the details either via the command line or by passing in a config file. View full command line options in addwifisettings RPC Configure command Local wifi configuration command: rpc configure addwifisettings -config config.yaml -secrets secrets.yaml Get the Details \u00b6 Additions, Modifications, and Removals \u00b6 RPS \u00b6 v2.16.1 Fix: blocks AMT 11.12 system activation if build number < 3000 ( #1176 ) (#a3e527b) v2.16.0 Feat: support for sha1 hash added via mebx ( #1155 ) (#b630e11) RPC \u00b6 v2.14.2 ensure warning for CCM deactivation password flag v2.14.1 addwifisettings - track added certs to prevent duplicates error v2.14.0 local wifi configuration v2.13.1 update ProjectVersion to 2.13.0 v2.13.0 activate in acm using local command Sample Web UI \u00b6 v2.13.1 remove UI override of AMT feature settings ( #1328 ) (#510dff3) update status message ( #1334 ) (#bd80ebf) v2.13.0 display component versions ( #1267 ) (#2dbca39) fix dark theme (#cdea729) wsman-messages \u00b6 v5.5.1 update build tasks, package.json and changelog (#9274dab) go-wsman-messages \u00b6 v1.8.2 AddWifiSettings check for empty client cert ( c19c9b4 ) v1.8.1 undo breaking changes ( 23c91ed ) v1.8.0 Adds structs to parse xml for deleting all wifi configs ( d64d4d4 ) amt: adds amt PublicPrivateKeyPair struct for response ( eca5a6e ) amt: adds pull responses for publickey and publicprivate ( 10bf4a8 ) amt: adds wifiportconfiguration.AddWiFiSettingsResponse ( 2158757 ) cim: adds concrete.dependency support ( ae8f3d3 ) cim: adds credential.context support ( 6db69ad ) v1.7.0 cim: adds responses for WiFiPortConfigurationService and WifiPort ( 6cbaa36 ) v1.6.0 ips: add additional strongly typed output for ( 90aa393 ), closes #18115 Project Board \u00b6 Check out our new Feature Backlog project board to see issues and prioritized items we're working on across all of our repositories. You'll also see what is coming in our next release!","title":"Release Notes"},{"location":"release-notes/#release-highlights","text":"Note From the Team Greetings everyone, While Arizona experiences a welcome cooldown, the Open AMT Cloud Toolkit team is cranking up the heat with our latest release! In this month's update, we're thrilled to announce two exciting new features added to RPC -Go. It's now more versatile than ever with ACM activation and Wifi configuration capabilities. With these enhancements, RPC -Go empowers users to configure AMT into either ACM or CCM without the necessity of engaging with a cloud service. This newfound autonomy provides our customers with a level of flexibility that was previously unattainable. Furthermore, RPC -Go now extends its support to configure any type of wifi profile that AMT supports locally. We're excited about these advancements and look forward to hearing your feedback. Best wishes, The Open AMT Cloud Toolkit Team","title":"Release Highlights"},{"location":"release-notes/#whats-new","text":"New Feature: Local ACM Activation With this release, you can now activate AMT into ACM just using RPC using the -local flag. Similar to local CCM activation, local ACM activation will require secrets to be passed to the AMT device, so users of this feature will need to have high trust in the local OS. View full command line options in Activate Device Locally Local activate command: rpc activate -local -acm -amtPassword NewAMTPassword -provisioningCert \"{BASE64_PROV_CERT}\" -provivisioningCertPwd certPassword New Feature: Local Wifi Configuration In this release, we have added the ability to configure any wifi profile, not just 802.1x wifi profiles. Users will also be able to configure multiple wifi profiles at the same time by providing the details either via the command line or by passing in a config file. View full command line options in addwifisettings RPC Configure command Local wifi configuration command: rpc configure addwifisettings -config config.yaml -secrets secrets.yaml","title":"What's New?"},{"location":"release-notes/#get-the-details","text":"","title":"Get the Details"},{"location":"release-notes/#additions-modifications-and-removals","text":"","title":"Additions, Modifications, and Removals"},{"location":"release-notes/#rps","text":"v2.16.1 Fix: blocks AMT 11.12 system activation if build number < 3000 ( #1176 ) (#a3e527b) v2.16.0 Feat: support for sha1 hash added via mebx ( #1155 ) (#b630e11)","title":"RPS"},{"location":"release-notes/#rpc","text":"v2.14.2 ensure warning for CCM deactivation password flag v2.14.1 addwifisettings - track added certs to prevent duplicates error v2.14.0 local wifi configuration v2.13.1 update ProjectVersion to 2.13.0 v2.13.0 activate in acm using local command","title":"RPC"},{"location":"release-notes/#sample-web-ui","text":"v2.13.1 remove UI override of AMT feature settings ( #1328 ) (#510dff3) update status message ( #1334 ) (#bd80ebf) v2.13.0 display component versions ( #1267 ) (#2dbca39) fix dark theme (#cdea729)","title":"Sample Web UI"},{"location":"release-notes/#wsman-messages","text":"v5.5.1 update build tasks, package.json and changelog (#9274dab)","title":"wsman-messages"},{"location":"release-notes/#go-wsman-messages","text":"v1.8.2 AddWifiSettings check for empty client cert ( c19c9b4 ) v1.8.1 undo breaking changes ( 23c91ed ) v1.8.0 Adds structs to parse xml for deleting all wifi configs ( d64d4d4 ) amt: adds amt PublicPrivateKeyPair struct for response ( eca5a6e ) amt: adds pull responses for publickey and publicprivate ( 10bf4a8 ) amt: adds wifiportconfiguration.AddWiFiSettingsResponse ( 2158757 ) cim: adds concrete.dependency support ( ae8f3d3 ) cim: adds credential.context support ( 6db69ad ) v1.7.0 cim: adds responses for WiFiPortConfigurationService and WifiPort ( 6cbaa36 ) v1.6.0 ips: add additional strongly typed output for ( 90aa393 ), closes #18115","title":"go-wsman-messages"},{"location":"release-notes/#project-board","text":"Check out our new Feature Backlog project board to see issues and prioritized items we're working on across all of our repositories. You'll also see what is coming in our next release!","title":"Project Board"},{"location":"videos/","text":"What is Open AMT \u00b6 Learn the high-level basics and get familiar with the toolkit. Learn about the different microservices and their roles then get up to speed with the latest features, changes, and fixes. Overview of Open AMT Cloud Toolkit See what Open AMT Cloud Toolkit is and what you can do with it. Additional Resources: Architecture Overview , MPS Security Considerations , and RPS Security Considerations Getting Started \u00b6 Watch how to go from cloning the toolkit to managing a device out-of-band remotely in under 20 minutes. Connect with Keyboard, Video, Mouse redirection and issue power commands. Setting Up the Stack Configuring the Stack See how to setup Open AMT Cloud Toolkit locally using Docker. Additional Resources: Intel vPro Platform Learn how to create custom profiles for device configuration and activation. Additional Resources: Passwords and What They Mean , Provisioning Certificates , and Setting a DNS Suffix via MEBX Provisioning a Device Managing a Device See how to build the Remote Provisioning Client and use it to activate and configure an AMT device. Additional Resources: RPC as a Library and RPC Commands and Flags Try some of the out-of-band manageability features like remote KVM and different Power Actions. Next Steps: Using REST APIs and Deploying with Kubernetes","title":"Video Walkthroughs"},{"location":"videos/#what-is-open-amt","text":"Learn the high-level basics and get familiar with the toolkit. Learn about the different microservices and their roles then get up to speed with the latest features, changes, and fixes.","title":"What is Open AMT"},{"location":"videos/#getting-started","text":"Watch how to go from cloning the toolkit to managing a device out-of-band remotely in under 20 minutes. Connect with Keyboard, Video, Mouse redirection and issue power commands.","title":"Getting Started"},{"location":"APIs/indexMPS/","text":".md-typeset h1, .md-content__button { display: none; } SwaggerUIBundle({ url: 'https://api.swaggerhub.com/apis/rbheopenamt/mps/2.11.0', dom_id: '#swagger-ui', })","title":"Management Presence Server"},{"location":"APIs/indexRPS/","text":".md-typeset h1, .md-content__button { display: none; } SwaggerUIBundle({ url: 'https://api.swaggerhub.com/apis/rbheopenamt/rps/2.16.0', dom_id: '#swagger-ui', })","title":"Remote Provisioning Server"},{"location":"Deployment/centralizedConfiguration/","text":"Centralized Configuration (Consul) is a Preview Feature The Consul implementation feature is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub. Consul is a service networking solution and service mesh providing a wide variety of features to handle key networking or service management use cases. Read more about Consul in their documentation . Consul Use Cases: mTLS Encryption between Services Dynamic Load Balancing Observability (Health and Metrics) Centralized Configuration of Services Consul and Open AMT \u00b6 As part of Open AMT, we are currently focused on the last bullet point. We've introduced Hashicorp Consul as an optional deployable service to centralize and ease configuration of the MPS and RPS services. In the future, we may expand and incorporate other capabilities offered by Consul. MPS/RPS Startup Flows: If Consul exists on startup and empty, copy local configs into Consul. If Consul exists on startup and not empty, copy Consul configs down locally. If Consul does not exist on startup, load local configs into MPS/RPS. The two configuration files are stored as K/V pairs within Consul under: /MPS/config /RPS/config Consul Configuration \u00b6 By default, Consul is deployed as part of the local Docker deployment in the docker-compose.yml file. This is the default configuration. Currently, we do not provide a Kubernetes deployment example. The Consul configurations are stored in a local volume. When cleaning up containers, make sure to delete existing volumes. consul : restart : always image : hashicorp/consul networks : - openamtnetwork ports : - 8500:8500 volumes : - type : volume source : consul-config target : /consul/config volume : {} - type : volume source : consul-data target : /consul/data volume : {} command : \"agent -server -ui -node=OACT-1 -bootstrap-expect=1 -client=0.0.0.0\" Enable Consul \u00b6 This guide assumes you have completed the Getting Started Guide and have Open AMT currently running in Docker containers. If not, follow the Get Started Guide Setup page . Stop and return here after the your services are running. In the .env , enable Consul and Save. # CONSUL CONSUL_ENABLED=true #update from false to true CONSUL_HOST=consul CONSUL_PORT=8500 Pull the Consul image. Read more about profiles in the Docker docs at Using profiles with Compose . docker compose --profile consul pull Start the Consul container. docker compose --profile consul up -d To view the Consul UI, visit http://localhost:8500 . Click Key/Value from the left-hand menu. Figure 1: Consul K/V Overview Page Choose either the /MPS or /RPS directory, then /config . Figure 2: Consul K/V MPS Configuration From here, users can make edits to the config files and save. Note - Cleaning up Consul Container When stopping and cleaning up containers deployed using the consul profile, you must also use that profile when running docker compose down in order to remove all resources. Example: docker compose --profile consul down -v Today, the current preview implementation does not update the MPS or RPS services realtime. They must be restarted manually to apply the new configurations. Follow along with any new updates and features using Consul in our Feature Backlog.","title":"Centralized Configuration"},{"location":"Deployment/centralizedConfiguration/#consul-and-open-amt","text":"As part of Open AMT, we are currently focused on the last bullet point. We've introduced Hashicorp Consul as an optional deployable service to centralize and ease configuration of the MPS and RPS services. In the future, we may expand and incorporate other capabilities offered by Consul. MPS/RPS Startup Flows: If Consul exists on startup and empty, copy local configs into Consul. If Consul exists on startup and not empty, copy Consul configs down locally. If Consul does not exist on startup, load local configs into MPS/RPS. The two configuration files are stored as K/V pairs within Consul under: /MPS/config /RPS/config","title":"Consul and Open AMT"},{"location":"Deployment/centralizedConfiguration/#consul-configuration","text":"By default, Consul is deployed as part of the local Docker deployment in the docker-compose.yml file. This is the default configuration. Currently, we do not provide a Kubernetes deployment example. The Consul configurations are stored in a local volume. When cleaning up containers, make sure to delete existing volumes. consul : restart : always image : hashicorp/consul networks : - openamtnetwork ports : - 8500:8500 volumes : - type : volume source : consul-config target : /consul/config volume : {} - type : volume source : consul-data target : /consul/data volume : {} command : \"agent -server -ui -node=OACT-1 -bootstrap-expect=1 -client=0.0.0.0\"","title":"Consul Configuration"},{"location":"Deployment/centralizedConfiguration/#enable-consul","text":"This guide assumes you have completed the Getting Started Guide and have Open AMT currently running in Docker containers. If not, follow the Get Started Guide Setup page . Stop and return here after the your services are running. In the .env , enable Consul and Save. # CONSUL CONSUL_ENABLED=true #update from false to true CONSUL_HOST=consul CONSUL_PORT=8500 Pull the Consul image. Read more about profiles in the Docker docs at Using profiles with Compose . docker compose --profile consul pull Start the Consul container. docker compose --profile consul up -d To view the Consul UI, visit http://localhost:8500 . Click Key/Value from the left-hand menu. Figure 1: Consul K/V Overview Page Choose either the /MPS or /RPS directory, then /config . Figure 2: Consul K/V MPS Configuration From here, users can make edits to the config files and save. Note - Cleaning up Consul Container When stopping and cleaning up containers deployed using the consul profile, you must also use that profile when running docker compose down in order to remove all resources. Example: docker compose --profile consul down -v Today, the current preview implementation does not update the MPS or RPS services realtime. They must be restarted manually to apply the new configurations. Follow along with any new updates and features using Consul in our Feature Backlog.","title":"Enable Consul"},{"location":"Deployment/database/","text":"To prepare for a production environment, replace the PostgreSQL* database with that of another provider. To replace the database, update these services: MPS RPS What You'll Do \u00b6 This guide focuses on updating the RPS with an MS SQL Server (MSSQL) relational database. Here are the main tasks: Review DB Schema Add DB Client Dependency Update Configuration Implement the Code Database Recipe The example implementation below provides a step-by-step outline of database deployment. However, it is intended as a general guideline. You will need to write specific source code to support your custom solution. Review DB Schema \u00b6 The diagrams below illustrates the database schema and relationships. RPS \u00b6 erDiagram DOMAIN { string name string domain_suffix string provisioning_cert string provisioning_cert_storage_format string provisioning_cert_key datetime creation_date string created_by string tenant_id } erDiagram PROFILE o|--o| CIRACONFIGS : has PROFILE ||--|{ PROFILES_WIRELESSCONFIGS : associated PROFILE ||--o| IEEE8021XCONFIGS : has PROFILE { string profile_name string activation string amt_password boolean generate_random_password string cira_config_name datetime creation_date string created_by string mebx_password boolean generate_random_mebx_password string[] tags boolean dhcp_enabled string tenant_id int tls_mode string user_consent boolean ider_enabled boolean kvm_enabled boolean sol_enabled string tls_signing_authority string ieee8021x_profile_name } CIRACONFIGS CIRACONFIGS { string cira_config_name string mps_server_address int mps_port string user_name string password string common_name int server_address_format int auth_method string mps_root_certificate string proxydetails string tenant_id } WIRELESSCONFIGS ||--|{ PROFILES_WIRELESSCONFIGS : belongs WIRELESSCONFIGS ||--o| IEEE8021XCONFIGS : has WIRELESSCONFIGS { string wireless_profile_name int authentication_method int encryption_method string ssid int psk_value string psk_passphrase int[] link_policy datetime creation_date string created_by string tenant_id string ieee8021x_profile_name } PROFILES_WIRELESSCONFIGS { string wireless_profile_name string profile_name int priority datetime creation_date string created_by string tenant_id } IEEE8021XCONFIGS { string profile_name int auth_protocol string servername string domain string username string password string roaming_identity boolean active_in_s0 int pxe_timeout boolean wired_interface string tenant_id } MPS \u00b6 erDiagram DEVICE { guid uuid string[] tags string hostname string mpsinstance boolean connectionstatus string mpsusername string tenantid string friendlyname string dnssuffix } Add DB Client \u00b6 Add the database client library you will use to connect to your database. To support MSSQL, this example uses the Microsoft SQL Server client* for Node.js, node-mssql . To add the database: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: npm install node-mssql --save Update Configuration \u00b6 Update the connection string and a folder name for your db either in your ENV or .rc file. To modify the configuration: \"db_provider\" : \"mssql\" , //This will be the name of the folder you create in the next section. \"connection_string\" : \"Server=localhost,1433;Database=database;User Id=username;Password=password;Encrypt=true'\" , Implement the Code \u00b6 To support the new database: Create a new folder in ./src/data . The name of the new folder should be the name you supplied for the db_provider property, which is mssql in the example above. Figure 2: New folder mssql Create a file called index.ts that implements our IDB interface. Below is an example interface and query method: Interface export interface IDB { ciraConfigs : ICiraConfigTable domains : IDomainsTable profiles : IProfilesTable wirelessProfiles : IWirelessProfilesTable profileWirelessConfigs : IProfilesWifiConfigsTable query : ( text : string , params? : any ) => Promise < any > } Query Method This query function is responsible for taking in the query parameters and performing the execution. async query < T > ( text : string , params? : any ) : Promise < mssql . IResult < T >> { let result const start = Date . now () return await new Promise (( resolve , reject ) => { this . sqlPool . connect ( async ( err ) => { if ( err ) { this . log . error ( err ) reject ( err ) } result = await this . sqlPool . request (). query ( text ) const duration = Date . now () - start this . log . verbose ( `executed query: ${ JSON . stringify ({ text , duration , rows : result.recordset.length } )}` ) resolve ( result ) }) }) } Implement each of the table interfaces. The base interface looks like this: export interface ITable < T > { getCount : ( tenantId? : string ) => Promise < number > get : ( limit : number , offset : number , tenantId? : string ) => Promise < T [] > getByName : ( name : string , tenantId? : string ) => Promise < T > delete : ( name : string , tenantId? : string ) => Promise < boolean > insert : ( item : T ) => Promise < T > update : ( item : T ) => Promise < T > } There are interfaces for each table in the ./interfaces/database which adds specific functions on top of the base ITable<> interface. Here's an example of the get implementation for Domains: /** * @description Get all Domains from DB * @param {number} top * @param {number} skip * @returns {AMTDomain[]} returns an array of AMT Domain objects from DB */ async get ( top : number = DEFAULT_TOP , skip : number = DEFAULT_SKIP , tenantId : string = '' ) : Promise < AMTDomain [] > { const results = await this . db . query ( ` SELECT name as profileName, domain_suffix as domainSuffix, provisioning_cert as provisioningCert, provisioning_cert_storage_format as provisioningCertStorageFormat, provisioning_cert_key as provisioningCertPassword, tenant_id tenantId FROM domains ORDER BY name` ) return result } Complete all the queries for each table's functions to finish the implementation. Best Practice That's it! Deployment complete. After replacing the database, ensure all the APIs are working as expected by running the API Tests with the Postman* application. You'll find the tests in the ./src/test/collections folder.","title":"Database Replacement"},{"location":"Deployment/database/#what-youll-do","text":"This guide focuses on updating the RPS with an MS SQL Server (MSSQL) relational database. Here are the main tasks: Review DB Schema Add DB Client Dependency Update Configuration Implement the Code Database Recipe The example implementation below provides a step-by-step outline of database deployment. However, it is intended as a general guideline. You will need to write specific source code to support your custom solution.","title":"What You'll Do"},{"location":"Deployment/database/#review-db-schema","text":"The diagrams below illustrates the database schema and relationships.","title":"Review DB Schema"},{"location":"Deployment/database/#rps","text":"erDiagram DOMAIN { string name string domain_suffix string provisioning_cert string provisioning_cert_storage_format string provisioning_cert_key datetime creation_date string created_by string tenant_id } erDiagram PROFILE o|--o| CIRACONFIGS : has PROFILE ||--|{ PROFILES_WIRELESSCONFIGS : associated PROFILE ||--o| IEEE8021XCONFIGS : has PROFILE { string profile_name string activation string amt_password boolean generate_random_password string cira_config_name datetime creation_date string created_by string mebx_password boolean generate_random_mebx_password string[] tags boolean dhcp_enabled string tenant_id int tls_mode string user_consent boolean ider_enabled boolean kvm_enabled boolean sol_enabled string tls_signing_authority string ieee8021x_profile_name } CIRACONFIGS CIRACONFIGS { string cira_config_name string mps_server_address int mps_port string user_name string password string common_name int server_address_format int auth_method string mps_root_certificate string proxydetails string tenant_id } WIRELESSCONFIGS ||--|{ PROFILES_WIRELESSCONFIGS : belongs WIRELESSCONFIGS ||--o| IEEE8021XCONFIGS : has WIRELESSCONFIGS { string wireless_profile_name int authentication_method int encryption_method string ssid int psk_value string psk_passphrase int[] link_policy datetime creation_date string created_by string tenant_id string ieee8021x_profile_name } PROFILES_WIRELESSCONFIGS { string wireless_profile_name string profile_name int priority datetime creation_date string created_by string tenant_id } IEEE8021XCONFIGS { string profile_name int auth_protocol string servername string domain string username string password string roaming_identity boolean active_in_s0 int pxe_timeout boolean wired_interface string tenant_id }","title":"RPS"},{"location":"Deployment/database/#mps","text":"erDiagram DEVICE { guid uuid string[] tags string hostname string mpsinstance boolean connectionstatus string mpsusername string tenantid string friendlyname string dnssuffix }","title":"MPS"},{"location":"Deployment/database/#add-db-client","text":"Add the database client library you will use to connect to your database. To support MSSQL, this example uses the Microsoft SQL Server client* for Node.js, node-mssql . To add the database: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: npm install node-mssql --save","title":"Add DB Client"},{"location":"Deployment/database/#update-configuration","text":"Update the connection string and a folder name for your db either in your ENV or .rc file. To modify the configuration: \"db_provider\" : \"mssql\" , //This will be the name of the folder you create in the next section. \"connection_string\" : \"Server=localhost,1433;Database=database;User Id=username;Password=password;Encrypt=true'\" ,","title":"Update Configuration"},{"location":"Deployment/database/#implement-the-code","text":"To support the new database: Create a new folder in ./src/data . The name of the new folder should be the name you supplied for the db_provider property, which is mssql in the example above. Figure 2: New folder mssql Create a file called index.ts that implements our IDB interface. Below is an example interface and query method: Interface export interface IDB { ciraConfigs : ICiraConfigTable domains : IDomainsTable profiles : IProfilesTable wirelessProfiles : IWirelessProfilesTable profileWirelessConfigs : IProfilesWifiConfigsTable query : ( text : string , params? : any ) => Promise < any > } Query Method This query function is responsible for taking in the query parameters and performing the execution. async query < T > ( text : string , params? : any ) : Promise < mssql . IResult < T >> { let result const start = Date . now () return await new Promise (( resolve , reject ) => { this . sqlPool . connect ( async ( err ) => { if ( err ) { this . log . error ( err ) reject ( err ) } result = await this . sqlPool . request (). query ( text ) const duration = Date . now () - start this . log . verbose ( `executed query: ${ JSON . stringify ({ text , duration , rows : result.recordset.length } )}` ) resolve ( result ) }) }) } Implement each of the table interfaces. The base interface looks like this: export interface ITable < T > { getCount : ( tenantId? : string ) => Promise < number > get : ( limit : number , offset : number , tenantId? : string ) => Promise < T [] > getByName : ( name : string , tenantId? : string ) => Promise < T > delete : ( name : string , tenantId? : string ) => Promise < boolean > insert : ( item : T ) => Promise < T > update : ( item : T ) => Promise < T > } There are interfaces for each table in the ./interfaces/database which adds specific functions on top of the base ITable<> interface. Here's an example of the get implementation for Domains: /** * @description Get all Domains from DB * @param {number} top * @param {number} skip * @returns {AMTDomain[]} returns an array of AMT Domain objects from DB */ async get ( top : number = DEFAULT_TOP , skip : number = DEFAULT_SKIP , tenantId : string = '' ) : Promise < AMTDomain [] > { const results = await this . db . query ( ` SELECT name as profileName, domain_suffix as domainSuffix, provisioning_cert as provisioningCert, provisioning_cert_storage_format as provisioningCertStorageFormat, provisioning_cert_key as provisioningCertPassword, tenant_id tenantId FROM domains ORDER BY name` ) return result } Complete all the queries for each table's functions to finish the implementation. Best Practice That's it! Deployment complete. After replacing the database, ensure all the APIs are working as expected by running the API Tests with the Postman* application. You'll find the tests in the ./src/test/collections folder.","title":"Implement the Code"},{"location":"Deployment/overview/","text":"To deploy the Open AMT Cloud Toolkit to a production environment, replace default reference implementation components with more robust or full-featured components. Each section below lists the default reference implementation component included with toolkit along with suggestions for replacement. Database Selection \u00b6 The Docker-based PostgreSQL* image used in docker-compose.yml provides enough functionality for proof-of-concept creation and development. However, to enable the toolkit for production, leverage a managed database instance offered by a public cloud provider or a database hosted by your internal IT. Regardless of the deployment scenario (i.e., a VM, Kubernetes, Docker Swarm, a native environment), managing state in your cluster comes with a higher risk of data loss than that of a managed database instance. Default Component \u00b6 PostgreSQL Example Replacements \u00b6 Azure Database for PostgreSQL Azure SQL Database Amazon Relational Database Service (RDS) MS SQL Server MariaDB For more information about replacing the default toolkit database, see the Database Replacement guide . Secrets Management \u00b6 A secret is any asset requiring controlled access, such as API keys, passwords, or certificates. The toolkit enables secrets management with HashiCorp Vault*, which provides a secure repository for storing and accessing sensitive assets. Vault offers a unified interface to any secret, tight access control, and a detailed audit log. While Vault provides a comprehensive solution for managing and persisting state in a K8s cluster, use of a managed secret provider, such as Azure Key Vault, offloads this role and helps reduce the overhead of secrets management in the toolkit. Additionally, if a secret provider is not necessary for your deployment, consider removing it and leveraging some other backing store for secrets. Default Component \u00b6 HashiCorp Vault Example Replacements \u00b6 Azure Key Vault AWS Key Management Service (KMS) For more information about replacing the default secret provider, see the Secrets Management guide . API Gateway \u00b6 The toolkit uses Kong as its open source API gateway. Kong provides an entry point for external clients, anything not a part of the microservice system, and a comprehensive suite of plugins for various scenarios. Default Component \u00b6 Kong Example Replacements \u00b6 Azure API Gateway Amazon API Gateway Google Cloud Endpoints Tyk Centralized Configuration \u00b6 Centralized Configuration (Consul) is a Preview Feature The Consul implementation feature is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub. The toolkit utilizes Consul to implement centralized configuration of the MPS and RPS services. This is an optional, opt-in service that is deployed, but not enabled by default. Default Component \u00b6 Hashicorp Consul Example Replacements \u00b6 etcd Apache Zookeeper By default, Consul is deployed, but not utilized. For more information about enabling Consul, see the Service Mesh guide .","title":"Overview"},{"location":"Deployment/overview/#database-selection","text":"The Docker-based PostgreSQL* image used in docker-compose.yml provides enough functionality for proof-of-concept creation and development. However, to enable the toolkit for production, leverage a managed database instance offered by a public cloud provider or a database hosted by your internal IT. Regardless of the deployment scenario (i.e., a VM, Kubernetes, Docker Swarm, a native environment), managing state in your cluster comes with a higher risk of data loss than that of a managed database instance.","title":"Database Selection"},{"location":"Deployment/overview/#default-component","text":"PostgreSQL","title":"Default Component"},{"location":"Deployment/overview/#example-replacements","text":"Azure Database for PostgreSQL Azure SQL Database Amazon Relational Database Service (RDS) MS SQL Server MariaDB For more information about replacing the default toolkit database, see the Database Replacement guide .","title":"Example Replacements"},{"location":"Deployment/overview/#secrets-management","text":"A secret is any asset requiring controlled access, such as API keys, passwords, or certificates. The toolkit enables secrets management with HashiCorp Vault*, which provides a secure repository for storing and accessing sensitive assets. Vault offers a unified interface to any secret, tight access control, and a detailed audit log. While Vault provides a comprehensive solution for managing and persisting state in a K8s cluster, use of a managed secret provider, such as Azure Key Vault, offloads this role and helps reduce the overhead of secrets management in the toolkit. Additionally, if a secret provider is not necessary for your deployment, consider removing it and leveraging some other backing store for secrets.","title":"Secrets Management"},{"location":"Deployment/overview/#default-component_1","text":"HashiCorp Vault","title":"Default Component"},{"location":"Deployment/overview/#example-replacements_1","text":"Azure Key Vault AWS Key Management Service (KMS) For more information about replacing the default secret provider, see the Secrets Management guide .","title":"Example Replacements"},{"location":"Deployment/overview/#api-gateway","text":"The toolkit uses Kong as its open source API gateway. Kong provides an entry point for external clients, anything not a part of the microservice system, and a comprehensive suite of plugins for various scenarios.","title":"API Gateway"},{"location":"Deployment/overview/#default-component_2","text":"Kong","title":"Default Component"},{"location":"Deployment/overview/#example-replacements_2","text":"Azure API Gateway Amazon API Gateway Google Cloud Endpoints Tyk","title":"Example Replacements"},{"location":"Deployment/overview/#centralized-configuration","text":"Centralized Configuration (Consul) is a Preview Feature The Consul implementation feature is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub. The toolkit utilizes Consul to implement centralized configuration of the MPS and RPS services. This is an optional, opt-in service that is deployed, but not enabled by default.","title":"Centralized Configuration"},{"location":"Deployment/overview/#default-component_3","text":"Hashicorp Consul","title":"Default Component"},{"location":"Deployment/overview/#example-replacements_3","text":"etcd Apache Zookeeper By default, Consul is deployed, but not utilized. For more information about enabling Consul, see the Service Mesh guide .","title":"Example Replacements"},{"location":"Deployment/secrets/","text":"To prepare for a production environment, replace Hashicorp Vault* with a secrets management provider. To replace secrets management, update these services: MPS RPS What You'll Do \u00b6 This guide focuses on updating the secrets management with Azure Key Vault*. Here are the main tasks: Review Vault Schema Add Secret Provider Dependency (if necessary) Update Configuration Implement the Code Secrets Management Recipe The example implementation below provides a step-by-step outline of secrets management deployment. However, it is intended as a general guideline. You will need to write specific source code to support your custom solution. Note This guide will assume Azure Key Vault is already configured and ready for use as it focuses on the code that needs to be implemented in the microservices. Review Vault Schema \u00b6 Below are the paths/keys in the vault that are used by the Open AMT Cloud Toolkit . # RPS CIRAConfigs/[cira_config_name]/MPS_PASSWORD certs/[domain_profile_name]/CERT certs/[domain_profile_name]/CERT_PASSWORD profiles/[profile_name]/AMT_PASSWORD profiles/[profile_name]/MEBX_PASSWORD wireless/[wireless_profile_name]/PSK_PASSPHRASE # MPS devices/[device_guid]/AMT_PASSWORD devices/[device_guid]/MEBX_PASSWORD devices/[device_guid]/MPS_PASSWORD Add Dependency \u00b6 To install the required dependencies: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: npm install @azure/keyvault-secrets npm install @azure/identity Note To read more about this dependency, check out Azure Key Value Secret Client library for JavaScript . Update Configuration \u00b6 To modify the configuration: Modify the properties for Hashicorp Vault: Before: { \"secrets_path\" : \"secret/data/\" , \"vault_address\" : \"http://localhost:8200\" , \"vault_token\" : \"myroot\" , } After: For Azure Key Vault, you only need the address: { \"secrets_path\" : \"\" , \"vault_address\" : \"https://<YOUR KEYVAULT NAME>.vault.azure.net\" , \"vault_token\" : \"\" , } Set these three ENV variables: AZURE_TENANT_ID = <YOUR-TENANT-ID> AZURE_CLIENT_ID = <YOUR-CLIENT-ID> AZURE_CLIENT_SECRET = <YOUR-CLIENT-SECRET> Implement the Code \u00b6 To support secrets management: Consider the exported interface ISecretManagerService . export interface ISecretManagerService { getSecretFromKey : ( path : string , key : string ) => Promise < string > getSecretAtPath : ( path : string ) => Promise < any > listSecretsAtPath : ( path : string ) => Promise < any > readJsonFromKey : ( path : string , key : string ) => Promise < string > writeSecretWithKey : ( path : string , key : string , keyvalue : any ) => Promise < void > writeSecretWithObject : ( path : string , data : any ) => Promise < void > deleteSecretWithPath : ( path : string ) => Promise < void > } This example focuses on getSecretFromKey , set up and implemented below: const { DefaultAzureCredential } = require ( \"@azure/identity\" ) const { SecretClient } = require ( \"@azure/keyvault-secrets\" ) export class AzureSecretManagerService implements ISecretManagerService { vaultClient : SecretClient logger : ILogger constructor ( logger : ILogger ) { // DefaultAzureCredential expects the following three environment variables: // * AZURE_TENANT_ID: The tenant ID in Azure Active Directory // * AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant // * AZURE_CLIENT_SECRET: The client secret for the registered application const credential = new DefaultAzureCredential () // Lastly, create our secrets client and connect to the service const client = new SecretClient ( EnvReader . GlobalEnvConfig . VaultConfig . address , credential ); } async getSecretFromKey ( path : string , key : string ) : Promise < string > { try { this . logger . verbose ( `getting secret from vault: ${ path } , ${ key } ` ) const latestSecret = await client . getSecret ( key ); this . logger . debug ( `got data back from vault: ${ path } , ${ key } ` ) return latestSecret } catch ( error ) { this . logger . error ( 'getSecretFromKey error \\r\\n' ) this . logger . error ( error ) return null } } } The example above is for one interface. You'll need to implement each interface defined in ISecretManagerService . After all the functions have been implemented, finish up by instantiating the AzureSecretManagerService in the src/Configurator.ts file. constructor () { //existing //this.secretsManager = new SecretManagerService(new Logger('SecretManagerService')) //new implementation this . secretsManager = new AzureSecretManagerService ( new Logger ( 'AzureSecretManagerService' )) } Best Practice That's it! Deployment complete. After replacing the secrets management, ensure all the APIs are working as expected by running the API Tests with the Postman* application. You'll find the tests in the ./src/test/collections folder.","title":"Secrets Management"},{"location":"Deployment/secrets/#what-youll-do","text":"This guide focuses on updating the secrets management with Azure Key Vault*. Here are the main tasks: Review Vault Schema Add Secret Provider Dependency (if necessary) Update Configuration Implement the Code Secrets Management Recipe The example implementation below provides a step-by-step outline of secrets management deployment. However, it is intended as a general guideline. You will need to write specific source code to support your custom solution. Note This guide will assume Azure Key Vault is already configured and ready for use as it focuses on the code that needs to be implemented in the microservices.","title":"What You'll Do"},{"location":"Deployment/secrets/#review-vault-schema","text":"Below are the paths/keys in the vault that are used by the Open AMT Cloud Toolkit . # RPS CIRAConfigs/[cira_config_name]/MPS_PASSWORD certs/[domain_profile_name]/CERT certs/[domain_profile_name]/CERT_PASSWORD profiles/[profile_name]/AMT_PASSWORD profiles/[profile_name]/MEBX_PASSWORD wireless/[wireless_profile_name]/PSK_PASSPHRASE # MPS devices/[device_guid]/AMT_PASSWORD devices/[device_guid]/MEBX_PASSWORD devices/[device_guid]/MPS_PASSWORD","title":"Review Vault Schema"},{"location":"Deployment/secrets/#add-dependency","text":"To install the required dependencies: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: npm install @azure/keyvault-secrets npm install @azure/identity Note To read more about this dependency, check out Azure Key Value Secret Client library for JavaScript .","title":"Add Dependency"},{"location":"Deployment/secrets/#update-configuration","text":"To modify the configuration: Modify the properties for Hashicorp Vault: Before: { \"secrets_path\" : \"secret/data/\" , \"vault_address\" : \"http://localhost:8200\" , \"vault_token\" : \"myroot\" , } After: For Azure Key Vault, you only need the address: { \"secrets_path\" : \"\" , \"vault_address\" : \"https://<YOUR KEYVAULT NAME>.vault.azure.net\" , \"vault_token\" : \"\" , } Set these three ENV variables: AZURE_TENANT_ID = <YOUR-TENANT-ID> AZURE_CLIENT_ID = <YOUR-CLIENT-ID> AZURE_CLIENT_SECRET = <YOUR-CLIENT-SECRET>","title":"Update Configuration"},{"location":"Deployment/secrets/#implement-the-code","text":"To support secrets management: Consider the exported interface ISecretManagerService . export interface ISecretManagerService { getSecretFromKey : ( path : string , key : string ) => Promise < string > getSecretAtPath : ( path : string ) => Promise < any > listSecretsAtPath : ( path : string ) => Promise < any > readJsonFromKey : ( path : string , key : string ) => Promise < string > writeSecretWithKey : ( path : string , key : string , keyvalue : any ) => Promise < void > writeSecretWithObject : ( path : string , data : any ) => Promise < void > deleteSecretWithPath : ( path : string ) => Promise < void > } This example focuses on getSecretFromKey , set up and implemented below: const { DefaultAzureCredential } = require ( \"@azure/identity\" ) const { SecretClient } = require ( \"@azure/keyvault-secrets\" ) export class AzureSecretManagerService implements ISecretManagerService { vaultClient : SecretClient logger : ILogger constructor ( logger : ILogger ) { // DefaultAzureCredential expects the following three environment variables: // * AZURE_TENANT_ID: The tenant ID in Azure Active Directory // * AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant // * AZURE_CLIENT_SECRET: The client secret for the registered application const credential = new DefaultAzureCredential () // Lastly, create our secrets client and connect to the service const client = new SecretClient ( EnvReader . GlobalEnvConfig . VaultConfig . address , credential ); } async getSecretFromKey ( path : string , key : string ) : Promise < string > { try { this . logger . verbose ( `getting secret from vault: ${ path } , ${ key } ` ) const latestSecret = await client . getSecret ( key ); this . logger . debug ( `got data back from vault: ${ path } , ${ key } ` ) return latestSecret } catch ( error ) { this . logger . error ( 'getSecretFromKey error \\r\\n' ) this . logger . error ( error ) return null } } } The example above is for one interface. You'll need to implement each interface defined in ISecretManagerService . After all the functions have been implemented, finish up by instantiating the AzureSecretManagerService in the src/Configurator.ts file. constructor () { //existing //this.secretsManager = new SecretManagerService(new Logger('SecretManagerService')) //new implementation this . secretsManager = new AzureSecretManagerService ( new Logger ( 'AzureSecretManagerService' )) } Best Practice That's it! Deployment complete. After replacing the secrets management, ensure all the APIs are working as expected by running the API Tests with the Postman* application. You'll find the tests in the ./src/test/collections folder.","title":"Implement the Code"},{"location":"Deployment/upgradeVersion/","text":"Specific Changes Required for Version Upgrades \u00b6 Upgrade to 2.11 from 2.10 \u00b6 The 2.11 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS ip_sync_enabled BOOLEAN NULL ; Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM profiles ; Continue with general upgrade steps below. Upgrade to 2.10 from 2.9 \u00b6 The 2.10 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. ALTER TABLE IF EXISTS wirelessconfigs ADD COLUMN IF NOT EXISTS ieee8021x_profile_name citext , ADD CONSTRAINT ieee8021xconfigs_fk FOREIGN KEY ( ieee8021x_profile_name , tenant_id ) REFERENCES ieee8021xconfigs ( profile_name , tenant_id ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM wirelessconfigs ; Continue with general upgrade steps below. Upgrade to 2.9 from 2.8 \u00b6 The 2.9 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. CREATE TABLE IF NOT EXISTS ieee8021xconfigs ( profile_name citext , auth_protocol integer , servername VARCHAR ( 255 ), domain VARCHAR ( 255 ), username VARCHAR ( 255 ), password VARCHAR ( 255 ), roaming_identity VARCHAR ( 255 ), active_in_s0 BOOLEAN , pxe_timeout integer , wired_interface BOOLEAN NOT NULL , tenant_id varchar ( 36 ) NOT NULL , PRIMARY KEY ( profile_name , tenant_id ), ); Update the Profiles table. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS ieee8021x_profile_name citext , ADD CONSTRAINT ieee8021xconfigs_fk FOREIGN KEY ( ieee8021x_profile_name , tenant_id ) REFERENCES ieee8021xconfigs ( profile_name , tenant_id ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM ieee8021xconfigs ; Continue with general upgrade steps below. Upgrade to 2.8 from 2.7 \u00b6 The 2.8 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new column before upgrading the services. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS tls_signing_authority varchar ( 40 ) NULL ; Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statement. Verify the column was added to the table. SELECT * FROM profiles ; Continue with general upgrade steps below. Upgrade to 2.7 from 2.6 \u00b6 The 2.7 release of MPS requires an upgrade to the mpsdb database. Run the following SQL script to add two new columns before upgrading the services. ALTER TABLE devices ADD COLUMN IF NOT EXISTS friendlyname varchar ( 256 ), ADD COLUMN IF NOT EXISTS dnssuffix varchar ( 256 ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and mpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database mpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d mpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d mpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d mpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statement. Verify the columns were added to the table. SELECT * FROM devices ; Continue with general upgrade steps below. Upgrade a Minor Version (i.e. 2.X to 2.Y) \u00b6 Kubernetes Upgrade \u00b6 Upgrading from a previous minor version to a new minor version release is simple using Helm. By updating your image tags and upgrading through Helm, a seamless transition can be made. Stored profiles and secrets will be unaffected and any connected devices will transition over to the new MPS pod. Note - Using Private Images The steps are the same if using your own images built and stored on a platform like Azure Container Registry (ACR) or Elastic Container Registry (ECR). Simply point to the new private images rather than the public Intel Dockerhub. Pull the latest release within .\\open-amt-cloud-toolkit directory. git pull Merge the latest changes into your existing branch. git merge v2.14.0 In the values.yaml file, update the images to the new version wanted. Alternatively, you can use the latest tags. Example - values.yaml File images : mps : \"intel/oact-mps:latest\" rps : \"intel/oact-rps:latest\" webui : \"intel/oact-webui:latest\" mpsrouter : \"intel/oact-mpsrouter:latest\" mps : ... In Terminal or Command Prompt, go to the deployed open-amt-cloud-toolkit repository directory. cd ./YOUR-DIRECTORY-PATH/open-amt-cloud-toolkit Use Helm to upgrade and deploy the new images. helm upgrade openamtstack ./kubernetes/charts Successful Helm Upgrade Release \"openamtstack\" has been upgraded. Happy Helming! NAME: openamtstack LAST DEPLOYED: Wed Mar 23 09:36:10 2022 NAMESPACE: default STATUS: deployed REVISION: 2 Verify the new pods are running. Notice the only restarted and recreated pods are MPS, RPS, and the WebUI. kubectl get pods Example - Upgraded Running Pods NAME READY STATUS RESTARTS AGE mps-55f558666b-5m9bq 1/1 Running 0 2m47s mpsrouter-6975577696-wn8wm 1/1 Running 0 27d openamtstack-kong-5999cc6b97-wbmdw 2/2 Running 0 27d openamtstack-vault-0 1/1 Running 0 27d openamtstack-vault-agent-injector-6d6c75f7d5-sh5nm 1/1 Running 0 27d rps-597d7894b5-mbdz5 1/1 Running 0 2m47s webui-6d9b96c989-29r9z 1/1 Running 0 2m47s Rollback a Version \u00b6 Is the functionality not working as expected? Rollback to the previous deployment using Helm. Use the Helm rollback command with the Revision you want to rollback to. In this example deployment, we would rollback to the original deployment revision which would be 1. helm rollback openamtstack [Revision-Number] Successful Rollback Rollback was a success! Happy Helming! Local Docker Upgrade \u00b6 The following steps outline how to upgrade using the public Docker Hub images. Data will not be lost unless Postgres or Vault need to be upgraded and restarted. From the .\\open-amt-cloud-toolkit\\ directory, pull the latest branches. git pull Checkout the new release. git checkout v2.14.0 Note - Rebuilding New Images Locally If building your own images, you will also have to checkout the newer release from each repo within .\\open-amt-cloud-toolkit\\ . Pull the new releases of the submodules. git submodule update --recursive Checkout the release for each of the services you want to upgrade. cd mps git checkout v2.11.0 Repeat for other services. Build the new images. docker compose up -d --build Pull the new release Docker Hub images. docker compose pull Start the new containers. docker compose up -d --remove-orphans OPTIONAL. If using versioned tags rather than latest , you can delete older tagged images using the following. This will delete all unused images . If you have other non Open AMT images you wish to keep, do NOT run this command. docker image prune -a","title":"Upgrade Toolkit Version"},{"location":"Deployment/upgradeVersion/#specific-changes-required-for-version-upgrades","text":"","title":"Specific Changes Required for Version Upgrades"},{"location":"Deployment/upgradeVersion/#upgrade-to-211-from-210","text":"The 2.11 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS ip_sync_enabled BOOLEAN NULL ; Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM profiles ; Continue with general upgrade steps below.","title":"Upgrade to 2.11 from 2.10"},{"location":"Deployment/upgradeVersion/#upgrade-to-210-from-29","text":"The 2.10 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. ALTER TABLE IF EXISTS wirelessconfigs ADD COLUMN IF NOT EXISTS ieee8021x_profile_name citext , ADD CONSTRAINT ieee8021xconfigs_fk FOREIGN KEY ( ieee8021x_profile_name , tenant_id ) REFERENCES ieee8021xconfigs ( profile_name , tenant_id ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM wirelessconfigs ; Continue with general upgrade steps below.","title":"Upgrade to 2.10 from 2.9"},{"location":"Deployment/upgradeVersion/#upgrade-to-29-from-28","text":"The 2.9 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new table before upgrading the services. CREATE TABLE IF NOT EXISTS ieee8021xconfigs ( profile_name citext , auth_protocol integer , servername VARCHAR ( 255 ), domain VARCHAR ( 255 ), username VARCHAR ( 255 ), password VARCHAR ( 255 ), roaming_identity VARCHAR ( 255 ), active_in_s0 BOOLEAN , pxe_timeout integer , wired_interface BOOLEAN NOT NULL , tenant_id varchar ( 36 ) NOT NULL , PRIMARY KEY ( profile_name , tenant_id ), ); Update the Profiles table. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS ieee8021x_profile_name citext , ADD CONSTRAINT ieee8021xconfigs_fk FOREIGN KEY ( ieee8021x_profile_name , tenant_id ) REFERENCES ieee8021xconfigs ( profile_name , tenant_id ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statements. Verify the column was added to the table. SELECT * FROM ieee8021xconfigs ; Continue with general upgrade steps below.","title":"Upgrade to 2.9 from 2.8"},{"location":"Deployment/upgradeVersion/#upgrade-to-28-from-27","text":"The 2.8 release of RPS requires an upgrade to the rpsdb database. Run the following SQL script to add the new column before upgrading the services. ALTER TABLE IF EXISTS profiles ADD COLUMN IF NOT EXISTS tls_signing_authority varchar ( 40 ) NULL ; Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and rpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database rpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d rpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d rpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d rpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statement. Verify the column was added to the table. SELECT * FROM profiles ; Continue with general upgrade steps below.","title":"Upgrade to 2.8 from 2.7"},{"location":"Deployment/upgradeVersion/#upgrade-to-27-from-26","text":"The 2.7 release of MPS requires an upgrade to the mpsdb database. Run the following SQL script to add two new columns before upgrading the services. ALTER TABLE devices ADD COLUMN IF NOT EXISTS friendlyname varchar ( 256 ), ADD COLUMN IF NOT EXISTS dnssuffix varchar ( 256 ); Example - Adding Columns to PostgresDB using psql This example walks through one potential option to update a Postgres Database using psql. Open a Command Prompt or Terminal. Connect to your Postgres instance and mpsdb database. Provide the hostname of the database, the port (Postgres default is 5432), the database mpsdb , and your database user. psql -h [HOSTNAME] -p 5432 -d mpsdb -U [DATABASE USER] Example Commands Azure: psql -h myazuredb-sql.postgres.database.azure.com -p 5432 -d mpsdb -U postgresadmin@myazuredb-sql AWS: psql -h myawsdb-1.jotd7t2abapq.us-west-2.rds.amazonaws.com -p 5432 -d mpsdb -U postgresadmin Provide your Postgres user password. Run the SQL Statement. Verify the columns were added to the table. SELECT * FROM devices ; Continue with general upgrade steps below.","title":"Upgrade to 2.7 from 2.6"},{"location":"Deployment/upgradeVersion/#upgrade-a-minor-version-ie-2x-to-2y","text":"","title":"Upgrade a Minor Version (i.e. 2.X to 2.Y)"},{"location":"Deployment/upgradeVersion/#kubernetes-upgrade","text":"Upgrading from a previous minor version to a new minor version release is simple using Helm. By updating your image tags and upgrading through Helm, a seamless transition can be made. Stored profiles and secrets will be unaffected and any connected devices will transition over to the new MPS pod. Note - Using Private Images The steps are the same if using your own images built and stored on a platform like Azure Container Registry (ACR) or Elastic Container Registry (ECR). Simply point to the new private images rather than the public Intel Dockerhub. Pull the latest release within .\\open-amt-cloud-toolkit directory. git pull Merge the latest changes into your existing branch. git merge v2.14.0 In the values.yaml file, update the images to the new version wanted. Alternatively, you can use the latest tags. Example - values.yaml File images : mps : \"intel/oact-mps:latest\" rps : \"intel/oact-rps:latest\" webui : \"intel/oact-webui:latest\" mpsrouter : \"intel/oact-mpsrouter:latest\" mps : ... In Terminal or Command Prompt, go to the deployed open-amt-cloud-toolkit repository directory. cd ./YOUR-DIRECTORY-PATH/open-amt-cloud-toolkit Use Helm to upgrade and deploy the new images. helm upgrade openamtstack ./kubernetes/charts Successful Helm Upgrade Release \"openamtstack\" has been upgraded. Happy Helming! NAME: openamtstack LAST DEPLOYED: Wed Mar 23 09:36:10 2022 NAMESPACE: default STATUS: deployed REVISION: 2 Verify the new pods are running. Notice the only restarted and recreated pods are MPS, RPS, and the WebUI. kubectl get pods Example - Upgraded Running Pods NAME READY STATUS RESTARTS AGE mps-55f558666b-5m9bq 1/1 Running 0 2m47s mpsrouter-6975577696-wn8wm 1/1 Running 0 27d openamtstack-kong-5999cc6b97-wbmdw 2/2 Running 0 27d openamtstack-vault-0 1/1 Running 0 27d openamtstack-vault-agent-injector-6d6c75f7d5-sh5nm 1/1 Running 0 27d rps-597d7894b5-mbdz5 1/1 Running 0 2m47s webui-6d9b96c989-29r9z 1/1 Running 0 2m47s","title":"Kubernetes Upgrade"},{"location":"Deployment/upgradeVersion/#rollback-a-version","text":"Is the functionality not working as expected? Rollback to the previous deployment using Helm. Use the Helm rollback command with the Revision you want to rollback to. In this example deployment, we would rollback to the original deployment revision which would be 1. helm rollback openamtstack [Revision-Number] Successful Rollback Rollback was a success! Happy Helming!","title":"Rollback a Version"},{"location":"Deployment/upgradeVersion/#local-docker-upgrade","text":"The following steps outline how to upgrade using the public Docker Hub images. Data will not be lost unless Postgres or Vault need to be upgraded and restarted. From the .\\open-amt-cloud-toolkit\\ directory, pull the latest branches. git pull Checkout the new release. git checkout v2.14.0 Note - Rebuilding New Images Locally If building your own images, you will also have to checkout the newer release from each repo within .\\open-amt-cloud-toolkit\\ . Pull the new releases of the submodules. git submodule update --recursive Checkout the release for each of the services you want to upgrade. cd mps git checkout v2.11.0 Repeat for other services. Build the new images. docker compose up -d --build Pull the new release Docker Hub images. docker compose pull Start the new containers. docker compose up -d --remove-orphans OPTIONAL. If using versioned tags rather than latest , you can delete older tagged images using the following. This will delete all unused images . If you have other non Open AMT images you wish to keep, do NOT run this command. docker image prune -a","title":"Local Docker Upgrade"},{"location":"GetStarted/buildRPC/","text":"Developed in Go* programming language, the Remote Provisioning Client ( RPC ) application runs on the managed device and communicates with the Remote Provisioning Server ( RPS ) microservice on the development system. The RPC and RPS configure and activate Intel\u00ae AMT on the managed device. Once properly configured, the remote managed device can call home to the Management Presence Server ( MPS ) by establishing a Client Initiated Remote Access ( CIRA ) connection with the MPS . See Figure 1. Getting Started Part 3 : Follow along to learn about how to build RPC, some of the information it can provide, and how to activate an AMT device. Additional Resources: RPC as a Library and RPC Commands and Flags Important - Production Environment In a production environment, RPC can be deployed with an in-band manageability agent to distribute it to the fleet of AMT devices. The in-band manageability agent can invoke RPC to run and activate the AMT devices. Figure 1: RPC configuration Figure 1 Details The RPC on a managed device communicates with the Intel\u00ae Management Engine Interface (Intel\u00ae MEI, previously known as HECI) Driver and the Remote Provisioning Server ( RPS ) interfaces. The Driver uses the Intel\u00ae MEI to talk to Intel\u00ae AMT . The RPC activates Intel\u00ae AMT with an AMT profile, which is associated with a CIRA configuration (Step 3). The profile, which also distinguishes between Client Control Mode ( CCM ) or Admin Control Mode ( ACM ), and configuration were created in Create a CIRA Config or Create an AMT Profile . After running RPC with a profile, Intel\u00ae AMT will establish a CIRA connection with the MPS (Step 4) allowing MPS to manage the remote device and issue AMT commands (Step 5). Build the RPC \u00b6 Flexible Deployment - RPC as a Library The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. Read more about building RPC as a library here . To build the executable: If you are building an executable on a development system, you will copy the executable to the managed device. Change to the rpc-go directory of the cloned open-amt-cloud-toolkit repository. cd rpc-go Haven't Cloned the open-amt-cloud-toolkit Repository? Only clone the rpc-go repository: git clone https://github.com/open-amt-cloud-toolkit/rpc-go --branch v2.14.2 Alternatively, clone the whole toolkit repository: git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 --recursive Open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows): Linux Windows Docker (On Linux Host Only) go build -o rpc ./cmd/main.go go build -o rpc.exe ./cmd/main.go docker build -f \"Dockerfile\" -t rpc-go:latest . Note The image created with the Docker instruction above is only suitable for Docker on a Linux host. Confirm a successful build: Linux Windows Docker (On Linux Host Only) sudo ./rpc version . \\r pc version sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest version Run RPC to Activate and Connect the AMT Device \u00b6 The toolkit provides a reference implementation called the Sample Web UI to manage the device. After running device activation instructions below, your device will be listed on the Devices tab in the Sample Web UI . To run the application and connect the managed device: After building the RPC , copy the executable to the managed device. On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Navigate to the directory containing the RPC application. Running RPC with the activate command configures or provisions Intel\u00ae AMT . It will take 1-2 minutes to finish provisioning the device. In the instruction below: Replace [Development-IP-Address] with the development system's IP address, where the MPS and RPS servers are running. Replace [profile-name] with your created profile in the Sample Web UI . The RPC application command line parameters are case-sensitive. Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n -profile [profilename] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] Note - RPC Arguments See more about the flag and other arguments . Note - Transition Activated Device To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro\u00ae Platform device, see Transition Activated Device . Success Example Output after Activating and Configuring a device into ACM : Figure 2: Example output after configuration Troubleshooting Run into an issue? Try these troubleshooting steps . Next up \u00b6 Manage AMT Device","title":"Build & Run RPC"},{"location":"GetStarted/buildRPC/#build-the-rpc","text":"Flexible Deployment - RPC as a Library The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. Read more about building RPC as a library here . To build the executable: If you are building an executable on a development system, you will copy the executable to the managed device. Change to the rpc-go directory of the cloned open-amt-cloud-toolkit repository. cd rpc-go Haven't Cloned the open-amt-cloud-toolkit Repository? Only clone the rpc-go repository: git clone https://github.com/open-amt-cloud-toolkit/rpc-go --branch v2.14.2 Alternatively, clone the whole toolkit repository: git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 --recursive Open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows): Linux Windows Docker (On Linux Host Only) go build -o rpc ./cmd/main.go go build -o rpc.exe ./cmd/main.go docker build -f \"Dockerfile\" -t rpc-go:latest . Note The image created with the Docker instruction above is only suitable for Docker on a Linux host. Confirm a successful build: Linux Windows Docker (On Linux Host Only) sudo ./rpc version . \\r pc version sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest version","title":"Build the RPC"},{"location":"GetStarted/buildRPC/#run-rpc-to-activate-and-connect-the-amt-device","text":"The toolkit provides a reference implementation called the Sample Web UI to manage the device. After running device activation instructions below, your device will be listed on the Devices tab in the Sample Web UI . To run the application and connect the managed device: After building the RPC , copy the executable to the managed device. On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Navigate to the directory containing the RPC application. Running RPC with the activate command configures or provisions Intel\u00ae AMT . It will take 1-2 minutes to finish provisioning the device. In the instruction below: Replace [Development-IP-Address] with the development system's IP address, where the MPS and RPS servers are running. Replace [profile-name] with your created profile in the Sample Web UI . The RPC application command line parameters are case-sensitive. Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n -profile [profilename] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] Note - RPC Arguments See more about the flag and other arguments . Note - Transition Activated Device To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro\u00ae Platform device, see Transition Activated Device . Success Example Output after Activating and Configuring a device into ACM : Figure 2: Example output after configuration Troubleshooting Run into an issue? Try these troubleshooting steps .","title":"Run RPC to Activate and Connect the AMT Device"},{"location":"GetStarted/buildRPC/#next-up","text":"Manage AMT Device","title":"Next up"},{"location":"GetStarted/createCIRAConfig/","text":"Client Initiated Remote Access ( CIRA ) enables a CIRA -capable edge device to initiate and establish a persistent connection to the MPS . As long as the managed device is connected to the network and to a power source, it can maintain a persistent connection. Note - Wireless Activations This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . To create a CIRA Config: Select the CIRA Configs tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new CIRA Config Specify a Config Name of your choice. Select IPv4 . For MPS Address , provide your development system's IP Address. Cert Common Name (CN=) should auto-populate. If not, provide your development system's IP Address. Leave Port as the default, 4433. Leave the Username as admin or choose your own. Click Save. Example CIRA Config Figure 2: Example CIRA Config Next up \u00b6 Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Profiles also distinguish between activating in: Client Control Mode ( CCM ): This mode offers all manageability features including, but not limited to, power control, audit logs, and hardware info. Redirection features, such as KVM or SOL , require user consent . The managed device will display a 6-digit code that must be entered by the remote admin to access the remote device via redirection. Create a CCM Profile Admin Control Mode ( ACM ): ACM mode supports all manageability features without requiring user consent . This means it is not necessary to have a person on-site to remote in and manage an edge device. In most IoT use cases, edge devices such as digital signage or kiosks may not be easily accessible or have available employees nearby. ACM mode proves immensely helpful in these scenarios. Create an ACM Profile","title":"Create a CIRA Config"},{"location":"GetStarted/createCIRAConfig/#next-up","text":"Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Profiles also distinguish between activating in: Client Control Mode ( CCM ): This mode offers all manageability features including, but not limited to, power control, audit logs, and hardware info. Redirection features, such as KVM or SOL , require user consent . The managed device will display a 6-digit code that must be entered by the remote admin to access the remote device via redirection. Create a CCM Profile Admin Control Mode ( ACM ): ACM mode supports all manageability features without requiring user consent . This means it is not necessary to have a person on-site to remote in and manage an edge device. In most IoT use cases, edge devices such as digital signage or kiosks may not be easily accessible or have available employees nearby. ACM mode proves immensely helpful in these scenarios. Create an ACM Profile","title":"Next up"},{"location":"GetStarted/createProfileACM/","text":"Admin Control Mode ( ACM ) provides full access to Intel\u00ae Active Management Technology ( Intel\u00ae AMT ) functionality. User consent is optional for supported redirection features: Keyboard, Video, Mouse ( KVM ): Control multiple devices with one keyboard, monitor, and mouse. Serial-over-LAN ( SOL ): Manage devices with a command line interface (CLI) through SOL . IDE Redirection: Share and mount images remotely with a specified storage media (e.g., USB flash drive). Important - IDE Redirection While AMT supports this feature, the toolkit doesn't natively support it. Figure 1: Set up configuration and profiles for n number of clients What You'll Need \u00b6 Provisioning Certificate \u00b6 By purchasing a certificate, you'll be able to remotely activate an Intel\u00ae AMT device in ACM . This feature enables you to disable User Consent. Provisioning Certificates are available from four different Certificate Authorities. Find more information about Provisioning Certificates . Comodo DigiCert Entrust GoDaddy Important - Intel AMT and using CAs For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel\u00ae AMT . Alternatively, for development, custom provisioning certificates can be generated. See Custom Provisioning Certificate for additional details. DNS Suffix \u00b6 The DNS suffix encompasses the domain suffix (e.g., .com) and follows the hostname. Consider the following DNS Name example: Example - DNS DNS Name: cb-vending1.burgerbusiness.com In this example, the hostname is cb-vending1 and the DNS suffix is burgerbusiness.com. **To set the DNS suffix : ** Manually set it using MEBX on the managed device. Find instructions here . Alternately, change the DHCP Option 15 to DNS suffix within the Router settings. **To find the the DNS suffix , use the following command: ** Linux Windows ifconfig ipconfig /all Create a Profile \u00b6 A Profile provides configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Important - Production Environment In a production environment, devices are typically activated in ACM mode. ACM mode enables KVM access to devices without user consent. In most IoT use cases, edge devices such as digital signage or kiosks may not have immediate access to it or employees nearby. ACM mode proves immensely helpful in these scenarios. Note - More Information about Passwords Passwords Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To create an ACM profile: Select the Profiles tab from the menu on the left. Under the Profiles tab, click Add New in the top-right corner to create a profile. Figure 2: Create a new profile Specify a Profile Name of your choice. Under Activation , select Admin Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Choose level of User Consent . By default for ACM , None is selected. This will disable all User Consent for ACM . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Warning - Viewing and Losing Random Passwords The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the Vault database is lost or corrupted (or container stopped), all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! Provide or generate a strong MEBX Password . This password can be used to access Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) on the AMT device. Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select CIRA (Cloud) for Connection Configuration. Select the name of the CIRA Configuration you created previously from the drop-down menu. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example ACM Profile Figure 3: Example ACM profile Create a Domain Profile \u00b6 In addition to a CIRA Config and an ACM Profile , ACM requires the creation of a Domain profile. Intel\u00ae AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority. To create a domain: Select the Domains tab from the left-hand menu. In the top-right corner, click Add New. Figure 4: Create a new Domain profile Specify a name of your choice for the Domain Profile for the Name field. This does not have to be the actual network Domain Name/Suffix. Provide your DNS suffix as the Domain Name . This is the actual DNS suffix of the network domain that is set in DHCP Option 15 or manually on the AMT device through MEBX. Click Choose File and select your purchased Provisioning Certificate. This certificate must contain the private key. Provide the Provisioning Certificate Password used to encrypt the .pfx file. Click Save. Example Domain Figure 5: Example Domain profile Next Up \u00b6 Build & Run RPC","title":"Create a Profile with ACM"},{"location":"GetStarted/createProfileACM/#what-youll-need","text":"","title":"What You'll Need"},{"location":"GetStarted/createProfileACM/#provisioning-certificate","text":"By purchasing a certificate, you'll be able to remotely activate an Intel\u00ae AMT device in ACM . This feature enables you to disable User Consent. Provisioning Certificates are available from four different Certificate Authorities. Find more information about Provisioning Certificates . Comodo DigiCert Entrust GoDaddy Important - Intel AMT and using CAs For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel\u00ae AMT . Alternatively, for development, custom provisioning certificates can be generated. See Custom Provisioning Certificate for additional details.","title":"Provisioning Certificate"},{"location":"GetStarted/createProfileACM/#dns-suffix","text":"The DNS suffix encompasses the domain suffix (e.g., .com) and follows the hostname. Consider the following DNS Name example: Example - DNS DNS Name: cb-vending1.burgerbusiness.com In this example, the hostname is cb-vending1 and the DNS suffix is burgerbusiness.com. **To set the DNS suffix : ** Manually set it using MEBX on the managed device. Find instructions here . Alternately, change the DHCP Option 15 to DNS suffix within the Router settings. **To find the the DNS suffix , use the following command: ** Linux Windows ifconfig ipconfig /all","title":"DNS Suffix"},{"location":"GetStarted/createProfileACM/#create-a-profile","text":"A Profile provides configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Important - Production Environment In a production environment, devices are typically activated in ACM mode. ACM mode enables KVM access to devices without user consent. In most IoT use cases, edge devices such as digital signage or kiosks may not have immediate access to it or employees nearby. ACM mode proves immensely helpful in these scenarios. Note - More Information about Passwords Passwords Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To create an ACM profile: Select the Profiles tab from the menu on the left. Under the Profiles tab, click Add New in the top-right corner to create a profile. Figure 2: Create a new profile Specify a Profile Name of your choice. Under Activation , select Admin Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Choose level of User Consent . By default for ACM , None is selected. This will disable all User Consent for ACM . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Warning - Viewing and Losing Random Passwords The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the Vault database is lost or corrupted (or container stopped), all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! Provide or generate a strong MEBX Password . This password can be used to access Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) on the AMT device. Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select CIRA (Cloud) for Connection Configuration. Select the name of the CIRA Configuration you created previously from the drop-down menu. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example ACM Profile Figure 3: Example ACM profile","title":"Create a Profile"},{"location":"GetStarted/createProfileACM/#create-a-domain-profile","text":"In addition to a CIRA Config and an ACM Profile , ACM requires the creation of a Domain profile. Intel\u00ae AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority. To create a domain: Select the Domains tab from the left-hand menu. In the top-right corner, click Add New. Figure 4: Create a new Domain profile Specify a name of your choice for the Domain Profile for the Name field. This does not have to be the actual network Domain Name/Suffix. Provide your DNS suffix as the Domain Name . This is the actual DNS suffix of the network domain that is set in DHCP Option 15 or manually on the AMT device through MEBX. Click Choose File and select your purchased Provisioning Certificate. This certificate must contain the private key. Provide the Provisioning Certificate Password used to encrypt the .pfx file. Click Save. Example Domain Figure 5: Example Domain profile","title":"Create a Domain Profile"},{"location":"GetStarted/createProfileACM/#next-up","text":"Build & Run RPC","title":"Next Up"},{"location":"GetStarted/createProfileCCM/","text":"Client Control Mode ( CCM ) provides full access to features of Intel\u00ae Active Management Technology ( Intel\u00ae AMT ), but it does require user consent for all redirection features. These features require user consent in CCM : Keyboard, Video, Mouse ( KVM ): Control multiple devices with one keyboard, monitor, and mouse. Serial-over-LAN ( SOL ): Manage devices with a command line interface (CLI) through SOL . IDE Redirection: Share and mount images remotely with a specified storage media (e.g., USB flash drive). Important - IDE Redirection While AMT supports this feature, the toolkit doesn't natively support it. Figure 1: Set up configuration and profiles for n number of clients Create a Profile \u00b6 Profiles provide configuration information to the firmware on platforms featuring Intel\u00ae AMT during the activation process with the Remote Provisioning Client ( RPC ). Note - More Information about Passwords Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To create a CCM profile: Select the Profiles tab from the menu on the left. Under the Profiles tab, click New in the top-right corner to create a profile. Figure 2: Create a new profile Specify a Profile Name of your choice. Under Activation Mode , select Client Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Warning - Viewing and Losing Random Passwords The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the Vault database is lost or corrupted (or container stopped), all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! The MEBX Password field is disabled. The password for Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) cannot be set when activating in CCM due to the lower level of trust when compared to ACM . Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select CIRA (Cloud) for Connection Configuration. Select the name of the CIRA Configuration you created previously from the drop-down menu. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example CCM Profile Figure 3: Example CCM profile Next up \u00b6 Build & Run RPC","title":"Create a Profile with CCM"},{"location":"GetStarted/createProfileCCM/#create-a-profile","text":"Profiles provide configuration information to the firmware on platforms featuring Intel\u00ae AMT during the activation process with the Remote Provisioning Client ( RPC ). Note - More Information about Passwords Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To create a CCM profile: Select the Profiles tab from the menu on the left. Under the Profiles tab, click New in the top-right corner to create a profile. Figure 2: Create a new profile Specify a Profile Name of your choice. Under Activation Mode , select Client Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Warning - Viewing and Losing Random Passwords The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the Vault database is lost or corrupted (or container stopped), all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! The MEBX Password field is disabled. The password for Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) cannot be set when activating in CCM due to the lower level of trust when compared to ACM . Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select CIRA (Cloud) for Connection Configuration. Select the name of the CIRA Configuration you created previously from the drop-down menu. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example CCM Profile Figure 3: Example CCM profile","title":"Create a Profile"},{"location":"GetStarted/createProfileCCM/#next-up","text":"Build & Run RPC","title":"Next up"},{"location":"GetStarted/loginToUI/","text":"The web portal is available for login after the deployment of the MPS , RPS , and Sample Web UI . Make sure all microservices are successfully running before attempting to login. Getting Started Part 2 : Follow along to learn about the Sample Web UI and the various profiles: CIRA Configs, AMT Profiles, and Domain Profiles. Additional Resources: Passwords and What They Mean , Provisioning Certificates , and Setting a DNS Suffix via MEBX Log In \u00b6 Open any modern web browser and navigate to the following link. https://<Development-IP-Address> Important - URL of Sample Web UI You must use the development system's IP address in the URL. Localhost or 127.0.0.1 will NOT work . Read more about Kong API Gateway to find out why . The development system's IP address is where the Docker containers are running. A warning screen will prompt because the MPS Server is using self-signed certificates for testing. Click Advanced and then Proceed to continue to connect to the Sample Web UI . Example - Chrome* Browser Warning Message Figure 1: MPS warning message Log in to the web portal with the login credentials set for the environment variables MPS_WEB_ADMIN_USER and MPS_WEB_ADMIN_PASSWORD in the .env file. The home page is shown below in Figure 2. Example - Sample Web UI Home Page Figure 2: Sample Web UI home page Next up \u00b6 Create a CIRA Config","title":"Login to Sample Web UI"},{"location":"GetStarted/loginToUI/#log-in","text":"Open any modern web browser and navigate to the following link. https://<Development-IP-Address> Important - URL of Sample Web UI You must use the development system's IP address in the URL. Localhost or 127.0.0.1 will NOT work . Read more about Kong API Gateway to find out why . The development system's IP address is where the Docker containers are running. A warning screen will prompt because the MPS Server is using self-signed certificates for testing. Click Advanced and then Proceed to continue to connect to the Sample Web UI . Example - Chrome* Browser Warning Message Figure 1: MPS warning message Log in to the web portal with the login credentials set for the environment variables MPS_WEB_ADMIN_USER and MPS_WEB_ADMIN_PASSWORD in the .env file. The home page is shown below in Figure 2. Example - Sample Web UI Home Page Figure 2: Sample Web UI home page","title":"Log In"},{"location":"GetStarted/loginToUI/#next-up","text":"Create a CIRA Config","title":"Next up"},{"location":"GetStarted/manageDevice/","text":"Getting Started Part 4 : Follow along to learn about the different Out-of-Band capabilities of Intel AMT. Next Steps: Using REST APIs and Deploying with Kubernetes Try out Intel AMT Capabilities \u00b6 Go back to the Sample Web UI on your development system. Click the Devices tab from the menu on the left. Figure 1: Devices tab Troubleshooting If the activated device is not listed or if it is listed as unconnected, try restarting the AMT device. After successfully restarting the device, refresh the Sample Web UI to see if the Status changes to connected . Click on your connected device. Select an action to perform from the Power Actions in the center screen or Redirection options in the top-right. Warning - Power Actions in KVM Turn off active redirection sessions, such as KVM or SOL , before specific power state transitions. Power Cycle (Code 5) and Unconditional Power Down (Power Off, Code 8) will be rejected as invalid if there is an active redirection session. Reset (Code 10) will function in KVM along with the other unmentioned Power Actions . Figure 2: Action options User Consent \u00b6 If activated in Client Control Mode( CCM ), the keyboard, video, mouse ( KVM ) and serial-over-LAN ( SOL ) features require entering a user consent code, which will be displayed on the managed device. To use KVM / SOL without user consent, follow the ACM Activation Path for how to configure a device into Admin Control Mode. When performing a KVM action for a device activated in CCM or ACM with user consent enabled, input the user consent code displayed on the client device. Figure 3: User Consent Next steps \u00b6 After successfully deploying the Open AMT Cloud Toolkit microservices and client, explore other tools and topics in the Open AMT Cloud Toolkit architecture: REST API Calls \u00b6 Learn how to send commands to AMT devices with the curl -based REST API tutorial. Generate a JWT token for Authorization and construct an API call to get a list of devices. Get Started with REST API Calls UI Toolkit \u00b6 Explore the Open AMT Cloud Toolkit reference implementation console by adding manageability features with prebuilt React components, such as Keyboard, Video, and Mouse ( KVM ). Get Started with the UI Toolkit Security \u00b6 Learn how to use the Open AMT Cloud Toolkit architecture to secure assets. Topics include credentials, allowlisting, best known security methods, and more. Learn More about Security and Hardening","title":"Manage AMT Device"},{"location":"GetStarted/manageDevice/#try-out-intel-amt-capabilities","text":"Go back to the Sample Web UI on your development system. Click the Devices tab from the menu on the left. Figure 1: Devices tab Troubleshooting If the activated device is not listed or if it is listed as unconnected, try restarting the AMT device. After successfully restarting the device, refresh the Sample Web UI to see if the Status changes to connected . Click on your connected device. Select an action to perform from the Power Actions in the center screen or Redirection options in the top-right. Warning - Power Actions in KVM Turn off active redirection sessions, such as KVM or SOL , before specific power state transitions. Power Cycle (Code 5) and Unconditional Power Down (Power Off, Code 8) will be rejected as invalid if there is an active redirection session. Reset (Code 10) will function in KVM along with the other unmentioned Power Actions . Figure 2: Action options","title":"Try out Intel AMT Capabilities"},{"location":"GetStarted/manageDevice/#user-consent","text":"If activated in Client Control Mode( CCM ), the keyboard, video, mouse ( KVM ) and serial-over-LAN ( SOL ) features require entering a user consent code, which will be displayed on the managed device. To use KVM / SOL without user consent, follow the ACM Activation Path for how to configure a device into Admin Control Mode. When performing a KVM action for a device activated in CCM or ACM with user consent enabled, input the user consent code displayed on the client device. Figure 3: User Consent","title":"User Consent"},{"location":"GetStarted/manageDevice/#next-steps","text":"After successfully deploying the Open AMT Cloud Toolkit microservices and client, explore other tools and topics in the Open AMT Cloud Toolkit architecture:","title":"Next steps"},{"location":"GetStarted/manageDevice/#rest-api-calls","text":"Learn how to send commands to AMT devices with the curl -based REST API tutorial. Generate a JWT token for Authorization and construct an API call to get a list of devices. Get Started with REST API Calls","title":"REST API Calls"},{"location":"GetStarted/manageDevice/#ui-toolkit","text":"Explore the Open AMT Cloud Toolkit reference implementation console by adding manageability features with prebuilt React components, such as Keyboard, Video, and Mouse ( KVM ). Get Started with the UI Toolkit","title":"UI Toolkit"},{"location":"GetStarted/manageDevice/#security","text":"Learn how to use the Open AMT Cloud Toolkit architecture to secure assets. Topics include credentials, allowlisting, best known security methods, and more. Learn More about Security and Hardening","title":"Security"},{"location":"GetStarted/prerequisites/","text":"Prerequisites \u00b6 This section contains prerequisites for deploying Open AMT Cloud Toolkit 's MPS and RPS microservices on a local development system as Docker* containers. Getting Started Part 1 : Follow along to learn about the prerequisites, environment configuration, and using Docker to get your stack started. Additional Resources: Intel vPro Platform What You'll Need \u00b6 Hardware \u00b6 Configure a network that includes: A development system At least one Intel vPro\u00ae Platform A flash drive or equivalent means to transfer files between Both systems must use a wired (i.e., cable) connection on the same network. Development System Software \u00b6 Before MPS and RPS installation, install the following software on your development system: git* Docker for Windows or Docker for Linux For RPC setup, install the following software on your development system: Go* Programming Language What You'll Do \u00b6 Figure 1: Deploy microservices on a local development system as Docker containers To complete a deployment: Install the prerequisites. Pull and deploy microservices with Docker. Login to the Sample Web UI and configure profiles. Build RPC . Copy RPC to a managed device. To connect the managed device: Run RPC on a managed device. Manage the device with MPS through the Sample Web UI . These sections include instructions for Windows and Linux* environments. Run instructions in a terminal window, the Windows Command Prompt in Administrator mode or the Linux shell/terminal. Why Docker*? \u00b6 A Docker container is the instantiation of a Docker image as a virtualized unit that separates the application from the environment. Docker containers start and run reliably, securely, and portably inside different environments, eliminating some of the problems that occur with software deployment on varying platforms. Docker streamlines installation to get you up and running faster. Get more information about Docker images and containers at Docker resources. Next up \u00b6 Setup - Pull Docker* Images","title":"Prerequisites"},{"location":"GetStarted/prerequisites/#prerequisites","text":"This section contains prerequisites for deploying Open AMT Cloud Toolkit 's MPS and RPS microservices on a local development system as Docker* containers. Getting Started Part 1 : Follow along to learn about the prerequisites, environment configuration, and using Docker to get your stack started. Additional Resources: Intel vPro Platform","title":"Prerequisites"},{"location":"GetStarted/prerequisites/#what-youll-need","text":"","title":"What You'll Need"},{"location":"GetStarted/prerequisites/#hardware","text":"Configure a network that includes: A development system At least one Intel vPro\u00ae Platform A flash drive or equivalent means to transfer files between Both systems must use a wired (i.e., cable) connection on the same network.","title":"Hardware"},{"location":"GetStarted/prerequisites/#development-system-software","text":"Before MPS and RPS installation, install the following software on your development system: git* Docker for Windows or Docker for Linux For RPC setup, install the following software on your development system: Go* Programming Language","title":"Development System Software"},{"location":"GetStarted/prerequisites/#what-youll-do","text":"Figure 1: Deploy microservices on a local development system as Docker containers To complete a deployment: Install the prerequisites. Pull and deploy microservices with Docker. Login to the Sample Web UI and configure profiles. Build RPC . Copy RPC to a managed device. To connect the managed device: Run RPC on a managed device. Manage the device with MPS through the Sample Web UI . These sections include instructions for Windows and Linux* environments. Run instructions in a terminal window, the Windows Command Prompt in Administrator mode or the Linux shell/terminal.","title":"What You'll Do"},{"location":"GetStarted/prerequisites/#why-docker","text":"A Docker container is the instantiation of a Docker image as a virtualized unit that separates the application from the environment. Docker containers start and run reliably, securely, and portably inside different environments, eliminating some of the problems that occur with software deployment on varying platforms. Docker streamlines installation to get you up and running faster. Get more information about Docker images and containers at Docker resources.","title":"Why Docker*?"},{"location":"GetStarted/prerequisites/#next-up","text":"Setup - Pull Docker* Images","title":"Next up"},{"location":"GetStarted/setup/","text":"This setup runs the MPS and RPS microservices as Docker* containers, standardized packages containing an application's source code, libraries, environment, and dependencies. Get the Toolkit \u00b6 To clone the repositories: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 --recursive Change to the cloned open-amt-cloud-toolkit directory. cd open-amt-cloud-toolkit Set Environment Variables \u00b6 The .env.template file is used by docker to set environment variables. To set the environment variables: Copy the .env.template file to .env : Linux/Powershell Windows (Cmd Prompt) cp .env.template .env copy .env.template .env In a text editor or IDE of choice, open the new .env file to edit. Update the following fields for configuring the MPS , Sample Web UI , Vault and Postgres. Save and keep track of the values you choose. Field Name Required Usage MPS_COMMON_NAME Development System IP Address. For connecting to MPS server via UI or APIs. WARNING: Do not use localhost. Use the development system IP Address. MPS_WEB_ADMIN_USER Username of your choice For logging into the Sample Web UI MPS_WEB_ADMIN_PASSWORD Strong password of your choice For logging into the Sample Web UI MPS_JWT_SECRET A strong secret of your choice (Example: A unique, random 256-bit string. See another example in code snippet below ). Used when generating a JSON Web Token (JWT) for authentication. This example implementation uses a symmetrical key and HS256 to create the signature. Learn more about JWT . POSTGRES_PASSWORD Strong password of your choice For logging into the Postgres VAULT_TOKEN Strong token of your choice For logging into the vault Important - Using Strong Passwords The MPS_WEB_ADMIN_PASSWORD must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character Save the file. Set Kong JSON Web Token (JWT) \u00b6 Set the shared secret used in Kong for JWT authentication. Open the kong.yaml file. Update the secret field with your MPS_JWT_SECRET. jwt_secrets : - consumer : admin key : 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc #sample key secret : \"Yq3t6w9z$C&E)H@McQfTjWnZr4u7x!A%\" #sample secret, DO NOT use for production Save and close the file. Pull and Run the Docker Images \u00b6 Pull the Docker images from Intel's Docker Hub repository . Important for Linux - Using sudo with Docker The Docker daemon always runs as the root user and therefore requires sudo . If you do not want to preface all Docker commands with sudo , see Linux post-installation steps for Docker Engine in the Docker Documentation. docker compose pull Note for ARM - ARM-based Devices must Build Images ARM-based devices (i.e. newer-generation Mac products and others) will need to build the images rather than use the prebuilt Dockerhub images. docker compose up -d --build Note - Using SSL with Postgres Container By default in the Getting Started Guide, we do not enable an SSL connection for Postgres for ease of development. See SSL with Local Postgres for how to enable SSL in your local Postgres container. For production environments, using a cloud-hosted database with an SSL connection to MPS / RPS is highly recommended as one step to maintain a secure deployment. Read more about cloud deployments for Azure or AWS here . Start the containers. docker compose up -d Check that all the containers are running and healthy. docker ps --format \"table {{.Image}}\\t{{.Status}}\\t{{.Names}}\" Success IMAGE STATUS NAMES intel/oact-rps:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-rps-1 hashicorp/vault Up 2 minutes open-amt-cloud-toolkit-vault-1 intel/oact-mpsrouter:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-mpsrouter-1 postgres:15 Up 2 minutes ( healthy ) open-amt-cloud-toolkit-db-1 intel/oact-webui:latest Up 2 minutes open-amt-cloud-toolkit-webui-1 kong:3.1 Up 2 minutes ( healthy ) open-amt-cloud-toolkit-kong-1 intel/oact-mps:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-mps-1 Warning - Container Issues If any of the above containers are not running, walk through the steps again or file a GitHub issue here . If the kong container reloads repeatedly, verify kong.yaml edits. Misconfiguration of this file will cause the container to reload. Important - Losing Data without Prod Mode Vault Because the vault is running in a dev mode, stored secrets will be lost upon a restart, and profiles and configs must be recreated. They are not persistent in this mode. Be sure to run docker compose down -v when bringing down the stack, which removes the volumes, and start fresh upon docker compose up . To run vault in production mode, follow the guide here . Next up \u00b6 Login to Sample Web UI","title":"Set Up"},{"location":"GetStarted/setup/#get-the-toolkit","text":"To clone the repositories: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 --recursive Change to the cloned open-amt-cloud-toolkit directory. cd open-amt-cloud-toolkit","title":"Get the Toolkit"},{"location":"GetStarted/setup/#set-environment-variables","text":"The .env.template file is used by docker to set environment variables. To set the environment variables: Copy the .env.template file to .env : Linux/Powershell Windows (Cmd Prompt) cp .env.template .env copy .env.template .env In a text editor or IDE of choice, open the new .env file to edit. Update the following fields for configuring the MPS , Sample Web UI , Vault and Postgres. Save and keep track of the values you choose. Field Name Required Usage MPS_COMMON_NAME Development System IP Address. For connecting to MPS server via UI or APIs. WARNING: Do not use localhost. Use the development system IP Address. MPS_WEB_ADMIN_USER Username of your choice For logging into the Sample Web UI MPS_WEB_ADMIN_PASSWORD Strong password of your choice For logging into the Sample Web UI MPS_JWT_SECRET A strong secret of your choice (Example: A unique, random 256-bit string. See another example in code snippet below ). Used when generating a JSON Web Token (JWT) for authentication. This example implementation uses a symmetrical key and HS256 to create the signature. Learn more about JWT . POSTGRES_PASSWORD Strong password of your choice For logging into the Postgres VAULT_TOKEN Strong token of your choice For logging into the vault Important - Using Strong Passwords The MPS_WEB_ADMIN_PASSWORD must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character Save the file.","title":"Set Environment Variables"},{"location":"GetStarted/setup/#set-kong-json-web-token-jwt","text":"Set the shared secret used in Kong for JWT authentication. Open the kong.yaml file. Update the secret field with your MPS_JWT_SECRET. jwt_secrets : - consumer : admin key : 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc #sample key secret : \"Yq3t6w9z$C&E)H@McQfTjWnZr4u7x!A%\" #sample secret, DO NOT use for production Save and close the file.","title":"Set Kong JSON Web Token (JWT)"},{"location":"GetStarted/setup/#pull-and-run-the-docker-images","text":"Pull the Docker images from Intel's Docker Hub repository . Important for Linux - Using sudo with Docker The Docker daemon always runs as the root user and therefore requires sudo . If you do not want to preface all Docker commands with sudo , see Linux post-installation steps for Docker Engine in the Docker Documentation. docker compose pull Note for ARM - ARM-based Devices must Build Images ARM-based devices (i.e. newer-generation Mac products and others) will need to build the images rather than use the prebuilt Dockerhub images. docker compose up -d --build Note - Using SSL with Postgres Container By default in the Getting Started Guide, we do not enable an SSL connection for Postgres for ease of development. See SSL with Local Postgres for how to enable SSL in your local Postgres container. For production environments, using a cloud-hosted database with an SSL connection to MPS / RPS is highly recommended as one step to maintain a secure deployment. Read more about cloud deployments for Azure or AWS here . Start the containers. docker compose up -d Check that all the containers are running and healthy. docker ps --format \"table {{.Image}}\\t{{.Status}}\\t{{.Names}}\" Success IMAGE STATUS NAMES intel/oact-rps:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-rps-1 hashicorp/vault Up 2 minutes open-amt-cloud-toolkit-vault-1 intel/oact-mpsrouter:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-mpsrouter-1 postgres:15 Up 2 minutes ( healthy ) open-amt-cloud-toolkit-db-1 intel/oact-webui:latest Up 2 minutes open-amt-cloud-toolkit-webui-1 kong:3.1 Up 2 minutes ( healthy ) open-amt-cloud-toolkit-kong-1 intel/oact-mps:latest Up 2 minutes ( healthy ) open-amt-cloud-toolkit-mps-1 Warning - Container Issues If any of the above containers are not running, walk through the steps again or file a GitHub issue here . If the kong container reloads repeatedly, verify kong.yaml edits. Misconfiguration of this file will cause the container to reload. Important - Losing Data without Prod Mode Vault Because the vault is running in a dev mode, stored secrets will be lost upon a restart, and profiles and configs must be recreated. They are not persistent in this mode. Be sure to run docker compose down -v when bringing down the stack, which removes the volumes, and start fresh upon docker compose up . To run vault in production mode, follow the guide here .","title":"Pull and Run the Docker Images"},{"location":"GetStarted/setup/#next-up","text":"Login to Sample Web UI","title":"Next up"},{"location":"Reference/architectureOverview/","text":"Figure 1 illustrates the high-level architecture of Open AMT Cloud Toolkit microservice architecture . Figure 1: Deploy Open AMT Cloud Toolkit Figure 1 illustrates the high-level steps for basic deployment: Deploy Microservices - Install the microservices on a development system as Docker* containers, which can run locally or on the cloud. Deploy RPC Architecture - Transfer the lightweight clients to managed devices. Configure AMT - Through the RPS , configure AMT by creating control mode profile(s). Connect AMT - Use the MPS to manage connectivity, as this microservice listens for the call home messaging of managed devices. Issue AMT Command - Send power commands (e.g., power off) through the MPS . Add AMT functionality - Explore the additional functionality provided by Open AMT Cloud Toolkit to develop your own web console or application. Out-of-band Management ( OOB Management ) \u00b6 Open AMT Cloud Toolkit uses remote management technology, also known as OOB Management , to allow administrators to perform actions on network assets or devices using a secure alternative to LAN-based communication protocols. Actions include reboot, power up, power down, system updates, and more. As long as the network device or asset is connected to power, Open AMT Cloud Toolkit software can perform remote management, including powering up as a system that is currently powered down. Remote management can offer potential cost-savings by decreasing the need for in-person technician visits to remote IT sites and reducing downtime. What's the difference between in-band and OOB Management ? \u00b6 Remote monitoring and management software solutions often require the managed devices to be in the powered on state. The IT administrator connects to and updates the managed device while it is in the powered on state. With out-of-band management, the administrator can connect to the device when it has been powered down or it is unresponsive. CIRA Configuration \u00b6 CIRA enables OOB connections between Intel\u00ae AMT platforms and administrative development systems running Open AMT on the same network. The following steps occur via a CIRA channel: A remote Intel vPro\u00ae Platform featuring Intel\u00ae AMT is activated and a CIRA configuration is applied. The remote platform is referred to as the managed device. The managed device connects to the MPS and establishes an encrypted connection using Transport Layer Security ( TLS ) The Intel vPro\u00ae Platform maintains a long standing connection with the MPS through the use of small keep-alive messages to the MPS . A management console sends a command to the MPS , via provided RESTful interfaces, with the command indicating the managed device should take some action. The MPS authenticates the RESTful command and proxies the command for the management console to the managed device. The MPS handles the authentication process with the managed device. Control Mode Profile \u00b6 Managed devices featuring Intel\u00ae AMT support two control modes: Admin Control Mode ( ACM ): In this mode, there are no limitations to Intel\u00ae AMT functionality. This reflects the higher level of trust associated with these setup methods. No user consent is required. Client Control Mode ( CCM ): This mode limits some of Intel\u00ae AMT functionality, reflecting the lower level of trust. Features requiring User Consent: Keyboard, Video, Mouse ( KVM ) Control IDE-Redirection for sharing and mounting images remotely Domains \u00b6 In addition to a CIRA Config and an ACM Profile , ACM requires the creation of a Domain Profile . Intel\u00ae AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. Intel\u00ae AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority. Power Control \u00b6 With the established CIRA channel, Open AMT Cloud Toolkit enables the administrator to manage remote devices and trigger power actions to: power up power down power up to BIOS reset reset to BIOS For more information about power states supported by the REST APIs, see Intel\u00ae AMT Implementation and Reference Guide for more details. Keyboard, Video, Mouse ( KVM ) Control \u00b6 Intel\u00ae AMT enables remote management of a device, even when the OS isn't running, through KVM over IP support. No additional equipment is needed for this feature. With KVM control, IT administrators can access and update PCs and devices as if they were onsite. It eliminates the need for remote KVM switches and other hardware. Passwords \u00b6 There are five levels of passwords: **Intel\u00ae Manageability Engine BIOS Extensions (MEBX) Password: MEBX Password - ** Use this password to secure the local Intel\u00ae MEBX menu. This password is only used when physically accessing the managed device during system boot. Access the menu with Ctrl-P on most devices. ** Sample Web UI Password: MPS_WEB_ADMIN_PASSWORD - ** Use this password when logging into the Sample Web UI . The Sample Web UI Password uses this default MPS user authentication credential when it triggers MPS to issue a JWT (JSON Web Token). In most production environments, this default credential is replaced by a more rigorous authentication protocol. Examples include OAuth2, OpenID, or an authentication service that can issue an Auth Token to be validated by the API gateway. ** ACM & CCM Profiles: AMT Password - ** RPS uses this password to activate and configure Intel\u00ae AMT . When MPS requests an action of a managed device, such as a power action, it uses this password. Intel\u00ae AMT verifies this password when it gets a command from the MPS server. **Provisioning Certificate Password - ** The AMT Provisioning certificate is a special certificate used by Intel\u00ae AMT devices to establish trust with the configuration service when activating in Admin Control Mode. RPS requires the .pfx version of this certificate along with the password used to export the .pfx certificate to perform ACM activation. ** MPS CIRA Credential: MPS_USER and MPS_PASSWORD - ** This CIRA credential is used by Intel\u00ae AMT managed devices to authenticate the MPS when establishing the CIRA connection. Multiple passwords enhance the security of Open AMT Cloud Toolkit . What Security Default Values Modify 1. Intel MEBX Password Prevention of Physical Security Violations admin In MEBX (Ctrl-P) 2. Sample Web UI Password Remote Role Management Username: standalone Password: G@ppm0ym .env file 3. ACM & CCM Profiles: AMT Password Authentication of MPS / RPS Access Not applicable. 1. Create a new profile. 2. Make an API call to update. 3. Update Vault. 4. Provisioning Certificate Password Signed Certificate Usage Not applicable. 1.Re-export certificate with another password. 2. Create a new profile. 3. Make an API call to update. 4. Update Vault. 5. MPS CIRA Credential MPS credential used by AMT Not applicable. 1. Create a new profile. 2. Make an API call to update. 3. Update Vault. Table 1: Summary of Open AMT Passwords Log Files \u00b6 Each microservice has an associated log file which can contain helpful debug information. Use docker logs to print log information to the terminal. Docker Logs \u00b6 To run docker log files in a terminal window as needed: Open a Terminal or Powershell/Command Prompt and run the command to list the containers: Linux Windows (Powershell) sudo docker ps docker ps Copy the first three digits of the container ID of interest. Run the docker logs command followed by the container ID: Linux Windows (Powershell) sudo docker logs <container ID> docker logs <container ID> See more help options for the docker logs command in Docker Documentation . Log Level \u00b6 Set the log levels in the .env file by altering the configuration levels, MPS_LOG_LEVEL and RPS_LOG_LEVEL . Find the log level descriptions in the tables contained in MPS Configuration and RPS Configuration .","title":"Architecture Overview"},{"location":"Reference/architectureOverview/#out-of-band-management-oob-management","text":"Open AMT Cloud Toolkit uses remote management technology, also known as OOB Management , to allow administrators to perform actions on network assets or devices using a secure alternative to LAN-based communication protocols. Actions include reboot, power up, power down, system updates, and more. As long as the network device or asset is connected to power, Open AMT Cloud Toolkit software can perform remote management, including powering up as a system that is currently powered down. Remote management can offer potential cost-savings by decreasing the need for in-person technician visits to remote IT sites and reducing downtime.","title":"Out-of-band Management (OOB Management)"},{"location":"Reference/architectureOverview/#whats-the-difference-between-in-band-and-oob-management","text":"Remote monitoring and management software solutions often require the managed devices to be in the powered on state. The IT administrator connects to and updates the managed device while it is in the powered on state. With out-of-band management, the administrator can connect to the device when it has been powered down or it is unresponsive.","title":"What's the difference between in-band and OOB Management?"},{"location":"Reference/architectureOverview/#cira-configuration","text":"CIRA enables OOB connections between Intel\u00ae AMT platforms and administrative development systems running Open AMT on the same network. The following steps occur via a CIRA channel: A remote Intel vPro\u00ae Platform featuring Intel\u00ae AMT is activated and a CIRA configuration is applied. The remote platform is referred to as the managed device. The managed device connects to the MPS and establishes an encrypted connection using Transport Layer Security ( TLS ) The Intel vPro\u00ae Platform maintains a long standing connection with the MPS through the use of small keep-alive messages to the MPS . A management console sends a command to the MPS , via provided RESTful interfaces, with the command indicating the managed device should take some action. The MPS authenticates the RESTful command and proxies the command for the management console to the managed device. The MPS handles the authentication process with the managed device.","title":"CIRA Configuration"},{"location":"Reference/architectureOverview/#control-mode-profile","text":"Managed devices featuring Intel\u00ae AMT support two control modes: Admin Control Mode ( ACM ): In this mode, there are no limitations to Intel\u00ae AMT functionality. This reflects the higher level of trust associated with these setup methods. No user consent is required. Client Control Mode ( CCM ): This mode limits some of Intel\u00ae AMT functionality, reflecting the lower level of trust. Features requiring User Consent: Keyboard, Video, Mouse ( KVM ) Control IDE-Redirection for sharing and mounting images remotely","title":"Control Mode Profile"},{"location":"Reference/architectureOverview/#domains","text":"In addition to a CIRA Config and an ACM Profile , ACM requires the creation of a Domain Profile . Intel\u00ae AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. Intel\u00ae AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority.","title":"Domains"},{"location":"Reference/architectureOverview/#power-control","text":"With the established CIRA channel, Open AMT Cloud Toolkit enables the administrator to manage remote devices and trigger power actions to: power up power down power up to BIOS reset reset to BIOS For more information about power states supported by the REST APIs, see Intel\u00ae AMT Implementation and Reference Guide for more details.","title":"Power Control"},{"location":"Reference/architectureOverview/#keyboard-video-mouse-kvm-control","text":"Intel\u00ae AMT enables remote management of a device, even when the OS isn't running, through KVM over IP support. No additional equipment is needed for this feature. With KVM control, IT administrators can access and update PCs and devices as if they were onsite. It eliminates the need for remote KVM switches and other hardware.","title":"Keyboard, Video, Mouse (KVM) Control"},{"location":"Reference/architectureOverview/#passwords","text":"There are five levels of passwords: **Intel\u00ae Manageability Engine BIOS Extensions (MEBX) Password: MEBX Password - ** Use this password to secure the local Intel\u00ae MEBX menu. This password is only used when physically accessing the managed device during system boot. Access the menu with Ctrl-P on most devices. ** Sample Web UI Password: MPS_WEB_ADMIN_PASSWORD - ** Use this password when logging into the Sample Web UI . The Sample Web UI Password uses this default MPS user authentication credential when it triggers MPS to issue a JWT (JSON Web Token). In most production environments, this default credential is replaced by a more rigorous authentication protocol. Examples include OAuth2, OpenID, or an authentication service that can issue an Auth Token to be validated by the API gateway. ** ACM & CCM Profiles: AMT Password - ** RPS uses this password to activate and configure Intel\u00ae AMT . When MPS requests an action of a managed device, such as a power action, it uses this password. Intel\u00ae AMT verifies this password when it gets a command from the MPS server. **Provisioning Certificate Password - ** The AMT Provisioning certificate is a special certificate used by Intel\u00ae AMT devices to establish trust with the configuration service when activating in Admin Control Mode. RPS requires the .pfx version of this certificate along with the password used to export the .pfx certificate to perform ACM activation. ** MPS CIRA Credential: MPS_USER and MPS_PASSWORD - ** This CIRA credential is used by Intel\u00ae AMT managed devices to authenticate the MPS when establishing the CIRA connection. Multiple passwords enhance the security of Open AMT Cloud Toolkit . What Security Default Values Modify 1. Intel MEBX Password Prevention of Physical Security Violations admin In MEBX (Ctrl-P) 2. Sample Web UI Password Remote Role Management Username: standalone Password: G@ppm0ym .env file 3. ACM & CCM Profiles: AMT Password Authentication of MPS / RPS Access Not applicable. 1. Create a new profile. 2. Make an API call to update. 3. Update Vault. 4. Provisioning Certificate Password Signed Certificate Usage Not applicable. 1.Re-export certificate with another password. 2. Create a new profile. 3. Make an API call to update. 4. Update Vault. 5. MPS CIRA Credential MPS credential used by AMT Not applicable. 1. Create a new profile. 2. Make an API call to update. 3. Update Vault. Table 1: Summary of Open AMT Passwords","title":"Passwords"},{"location":"Reference/architectureOverview/#log-files","text":"Each microservice has an associated log file which can contain helpful debug information. Use docker logs to print log information to the terminal.","title":"Log Files"},{"location":"Reference/architectureOverview/#docker-logs","text":"To run docker log files in a terminal window as needed: Open a Terminal or Powershell/Command Prompt and run the command to list the containers: Linux Windows (Powershell) sudo docker ps docker ps Copy the first three digits of the container ID of interest. Run the docker logs command followed by the container ID: Linux Windows (Powershell) sudo docker logs <container ID> docker logs <container ID> See more help options for the docker logs command in Docker Documentation .","title":"Docker Logs"},{"location":"Reference/architectureOverview/#log-level","text":"Set the log levels in the .env file by altering the configuration levels, MPS_LOG_LEVEL and RPS_LOG_LEVEL . Find the log level descriptions in the tables contained in MPS Configuration and RPS Configuration .","title":"Log Level"},{"location":"Reference/guids/","text":"GUIDs in Intel\u00ae AMT \u00b6 Each Intel\u00ae AMT device has a Global Unique Identifier (GUID) assigned to it by default. This GUID will be used as the reference to each device record. Typically, device GUIDs are required to perform power actions and other device-specific manageability features. There are a number of ways to obtain the GUID on the Intel\u00ae AMT device: Sample Web UI of the Open AMT Cloud Toolkit Devices API Method Via Sample Web UI \u00b6 Login to your Sample Web UI . Navigate to the Devices tab. Your AMT device's GUID is listed in the 2nd column. Figure 1: MPS Connected Device Via API Method \u00b6 A device's GUID can also be found via the AllDevices or ConnectedDevices MPS methods. Users can follow the Construct a Rest API Call tutorial on constructing and running the ConnectedDevices method as an example. Example ConnectedDevices Output: [{ \"host\" : \"d12428be-9fa1-4226-9784-54b2038beab6\" , \"amtuser\" : \"admin\" , \"mpsuser\" : \"standalone\" , \"conn\" : 1 , \"name\" : \"d12428be-9fa1-4226-9784-54b2038beab6\" }]","title":"GUIDs in Intel\u00ae AMT"},{"location":"Reference/guids/#guids-in-intel-amt","text":"Each Intel\u00ae AMT device has a Global Unique Identifier (GUID) assigned to it by default. This GUID will be used as the reference to each device record. Typically, device GUIDs are required to perform power actions and other device-specific manageability features. There are a number of ways to obtain the GUID on the Intel\u00ae AMT device: Sample Web UI of the Open AMT Cloud Toolkit Devices API Method","title":"GUIDs in Intel\u00ae AMT"},{"location":"Reference/guids/#via-sample-web-ui","text":"Login to your Sample Web UI . Navigate to the Devices tab. Your AMT device's GUID is listed in the 2nd column. Figure 1: MPS Connected Device","title":"Via Sample Web UI"},{"location":"Reference/guids/#via-api-method","text":"A device's GUID can also be found via the AllDevices or ConnectedDevices MPS methods. Users can follow the Construct a Rest API Call tutorial on constructing and running the ConnectedDevices method as an example. Example ConnectedDevices Output: [{ \"host\" : \"d12428be-9fa1-4226-9784-54b2038beab6\" , \"amtuser\" : \"admin\" , \"mpsuser\" : \"standalone\" , \"conn\" : 1 , \"name\" : \"d12428be-9fa1-4226-9784-54b2038beab6\" }]","title":"Via API Method"},{"location":"Reference/logging/","text":"Logging \u00b6 Introduction \u00b6 Microservices logging uses the Winston logging format. Log levels for both MPS and RPS microservices are controlled by the environmental variables MPS_LOG_LEVEL and RPS_LOG_LEVEL respectively. Logging levels are listed in the table below by increasing level of detail: error , warn , info , verbose , debug , and silly . Log levels \u00b6 Log level Description error only critical errors such as exceptions; 500 level api responses warn unexpected issue which don't affect service operation info service startup and shutdown messages (default level for MPS and RPS services) verbose database query messages; device heartbeat; 200 level api responses debug level useful for diagnosing issues with the services; 400 level api responses silly all logs","title":"Logging"},{"location":"Reference/logging/#logging","text":"","title":"Logging"},{"location":"Reference/logging/#introduction","text":"Microservices logging uses the Winston logging format. Log levels for both MPS and RPS microservices are controlled by the environmental variables MPS_LOG_LEVEL and RPS_LOG_LEVEL respectively. Logging levels are listed in the table below by increasing level of detail: error , warn , info , verbose , debug , and silly .","title":"Introduction"},{"location":"Reference/logging/#log-levels","text":"Log level Description error only critical errors such as exceptions; 500 level api responses warn unexpected issue which don't affect service operation info service startup and shutdown messages (default level for MPS and RPS services) verbose database query messages; device heartbeat; 200 level api responses debug level useful for diagnosing issues with the services; 400 level api responses silly all logs","title":"Log levels"},{"location":"Reference/middlewareExtensibility/","text":"Middleware extensibility allows developers to implement new middleware handlers to both MPS or RPS . By adding custom functions, MPS and RPS will process and load these during server startup. The loadCustomMiddleware function that executes on startup can be found in mps/src/server/webserver.ts or rps/src/index.ts . Example use-cases: Multitenancy Handling Custom Authentication Tokens Adding Trace IDs Debugging Requests To demonstrate the execution, we'll use an example. Let's say a custom auth token handler was implemented across all API endpoints. When a call is then made against an API endpoint, the custom handler will execute first. This handler might process the token. After executing the custom function and calling next() , API execution will then continue as normal. Add a Custom Middleware Function \u00b6 To add a new function, create a new typescript file in /src/middleware/custom/ . An example.ts file is already provided in this directory. The file must have two key parts in order to successfully load: The desired function must be exported as a default. Only the single, default function will be what is loaded into MPS or RPS . Additional functions that need to be loaded will need their own separate .ts files. Must call next() . This will allow execution to continue after processing the custom function. Multitenancy Code Example \u00b6 Implementation might vary depending on cloud provider or other 3rd party solutions. This specific example implements against Microsoft Azure and the default Open AMT components. The following code might not be a final solution, but provides a starting point and template example. The example implementation has a tenantId that is passed as part of the JWT token header when an API is called. The token is decoded and its tenantId is checked against the available tenants in MPS or RPS . This verifies that the user has the correct access to the MPS or RPS data being added, modified, or deleted. Multitenancy Example Code import { Request , Response } from 'express' import { devices } from '../../server/mpsserver' import { Environment } from '../../utils/Environment' const tenantMiddleware = ( req : Request , res : Response , next ) : void => { const jwtTokenHeader = Environment . Config . jwt_token_header ?? 'x-id-token' const token = req . headers [ jwtTokenHeader ] req . tenantId = '' if ( token != null && token !== '' ) { try { const decodedToken = Buffer . from ( token as string , 'base64' ). toString () if ( decodedToken != null && decodedToken !== '' ) { const dt = JSON . parse ( decodedToken ) const tenantProp = Environment . Config . jwt_tenant_property ?? '' req . tenantId = dt [ tenantProp ] ?? '' } } catch ( err ) { console . error ( err ) } } next () } export default tenantMiddleware After implementing the multitenancy code changes and starting the services, profiles and configs can be created by providing a tenantID as part of the API calls . Then when activating and configuring the AMT device using RPC , provide the -tenant flag with the tenantID of the profile. Find all RPC flags in the RPC CLI docs . See example command below. Linux Windows sudo ./rpc activate -u wss://server/activate -n -profile profilename -tenant profileTenantID .\\rpc activate -u wss://server/activate -n -profile profilename -tenant profileTenantID","title":"Middleware Extensibility"},{"location":"Reference/middlewareExtensibility/#add-a-custom-middleware-function","text":"To add a new function, create a new typescript file in /src/middleware/custom/ . An example.ts file is already provided in this directory. The file must have two key parts in order to successfully load: The desired function must be exported as a default. Only the single, default function will be what is loaded into MPS or RPS . Additional functions that need to be loaded will need their own separate .ts files. Must call next() . This will allow execution to continue after processing the custom function.","title":"Add a Custom Middleware Function"},{"location":"Reference/middlewareExtensibility/#multitenancy-code-example","text":"Implementation might vary depending on cloud provider or other 3rd party solutions. This specific example implements against Microsoft Azure and the default Open AMT components. The following code might not be a final solution, but provides a starting point and template example. The example implementation has a tenantId that is passed as part of the JWT token header when an API is called. The token is decoded and its tenantId is checked against the available tenants in MPS or RPS . This verifies that the user has the correct access to the MPS or RPS data being added, modified, or deleted. Multitenancy Example Code import { Request , Response } from 'express' import { devices } from '../../server/mpsserver' import { Environment } from '../../utils/Environment' const tenantMiddleware = ( req : Request , res : Response , next ) : void => { const jwtTokenHeader = Environment . Config . jwt_token_header ?? 'x-id-token' const token = req . headers [ jwtTokenHeader ] req . tenantId = '' if ( token != null && token !== '' ) { try { const decodedToken = Buffer . from ( token as string , 'base64' ). toString () if ( decodedToken != null && decodedToken !== '' ) { const dt = JSON . parse ( decodedToken ) const tenantProp = Environment . Config . jwt_tenant_property ?? '' req . tenantId = dt [ tenantProp ] ?? '' } } catch ( err ) { console . error ( err ) } } next () } export default tenantMiddleware After implementing the multitenancy code changes and starting the services, profiles and configs can be created by providing a tenantID as part of the API calls . Then when activating and configuring the AMT device using RPC , provide the -tenant flag with the tenantID of the profile. Find all RPC flags in the RPC CLI docs . See example command below. Linux Windows sudo ./rpc activate -u wss://server/activate -n -profile profilename -tenant profileTenantID .\\rpc activate -u wss://server/activate -n -profile profilename -tenant profileTenantID","title":"Multitenancy Code Example"},{"location":"Reference/powerstates/","text":"Possible power actions are listed in the tables below. Power actions are specified by number. To obtain information about power actions, use the following methods: PowerCapabilities : returns the power actions available for a specific device. PowerState : returns current power state. Start State or Current Power State Consider the current state of the system when implementing a possible action, for example: Reset to BIOS implies that the current system state is on or powered up. Power up to BIOS implies that current system state is off or powered down. Hibernate implies that the current system state is powered up. If the system is already powered up, choosing to Power Up to BIOS will not have any effect on the system. A better choice is Reset to BIOS . Out-of-band \u00b6 The power actions below can be used in-band or out-of-band. Commands 100 and above use a combination of HW level power controls (i.e., 2, 5, 8, 10) and some boot option, such as Boot to BIOS . Action # Power Action Start State Transition Description ACPI State(s) 2 Power up/on Powered down/off, Asleep, Hibernating Power up/on fully G0/S0 5 Power cycle Powered up/on Transition to minimal power state and then power up/on fully G2/S5 > G0/S0 8 Power down/off (hard) Powered up/on Transition to a fully powered down state G2/S5 10 Reset Powered up/on Perform hardware reset on the bus N/A 100 Power up to BIOS settings Powered down/off Power to BIOS to verify or modify system configuration G2/S5 101 Reset to BIOS settings Powered up/on Perform hardware reset on the bus to BIOS to verify or modify system configuration G2/S5 400 Reset to PXE Powered up/on Reset to pre-boot execution environment (PXE)(i.e., a network boot N/A 401 Power on to PXE Powered down/off Power up/on fully to pre-boot execution environment (PXE) (i.e., a network boot) N/A In-band Required \u00b6 The power actions below require an in-band agent, Local Management Service (LMS), or Intel\u00ae Integrated Management and Security Status (Intel\u00ae IMSS). LMS is a service that runs locally on an Intel AMT device and enables local management applications to send requests and receive responses to and from the device. The LMS listens for and intercepts requests directed to the Intel AMT local host and routes them to to the Management Engine via the Intel Management Engine Interface (MEI) driver. Installing LMS and Drivers The service installer is packaged with the Intel MEI drivers on the OEM websites. If Windows OS is reimaged or reinstalled, only the Intel MEI Driver is reinstalled, not LMS or IMSS. If the LMS is not installed, visit the OEM website and look for download packages for Intel\u00ae IMSS or the Intel CSME driver. Action # Power Action Start State Transition Description ACPI State(s) 4 Sleep (deep) Powered up/on Transition to a standby state of low-power usage and store system context (e.g., open applications) in memory G1/S3 7 Hibernate Powered up/on Transition to zero power usage and store system context in non-volatile storage G1/S4 12 Power down/off (soft) Powered up/on Transition to a very minimal power state G2/S5 14 Soft reset Powered up/on Perform a shutdown and then a hardware reset N/A Alternative Boot Options \u00b6 Currently, the Toolkit doesn't natively support secure erase or 200-level calls. Action # Power Action Start State Transition Description 104 Reset to secure erase Powered up/on Perform hardware reset on the bus to secure erase, a process of completely erasing a solid state drive (SSD) 200 Reset to IDE-R floppy disc Powered up/on Perform hardware reset on the bus to a peripheral IDE-R drive, usually reserved for a remote ISO boot 201 Power on to IDE-R floppy disc Powered down/off Power up/on fully to a peripheral IDE-R drive, usually reserved for a remote ISO boot 202 Reset to IDE-R CD-ROM Powered up/on Perform hardware reset on the bus to a peripheral IDE-R CD-ROM drive, usually reserved for a remote ISO boot 203 Power on to IDE-R CD-ROM Powered down/off Power up/on to the bus to a peripheral IDE-R CD-ROM drive, usually reserved for a remote ISO boot","title":"AMT Power States"},{"location":"Reference/powerstates/#out-of-band","text":"The power actions below can be used in-band or out-of-band. Commands 100 and above use a combination of HW level power controls (i.e., 2, 5, 8, 10) and some boot option, such as Boot to BIOS . Action # Power Action Start State Transition Description ACPI State(s) 2 Power up/on Powered down/off, Asleep, Hibernating Power up/on fully G0/S0 5 Power cycle Powered up/on Transition to minimal power state and then power up/on fully G2/S5 > G0/S0 8 Power down/off (hard) Powered up/on Transition to a fully powered down state G2/S5 10 Reset Powered up/on Perform hardware reset on the bus N/A 100 Power up to BIOS settings Powered down/off Power to BIOS to verify or modify system configuration G2/S5 101 Reset to BIOS settings Powered up/on Perform hardware reset on the bus to BIOS to verify or modify system configuration G2/S5 400 Reset to PXE Powered up/on Reset to pre-boot execution environment (PXE)(i.e., a network boot N/A 401 Power on to PXE Powered down/off Power up/on fully to pre-boot execution environment (PXE) (i.e., a network boot) N/A","title":"Out-of-band"},{"location":"Reference/powerstates/#in-band-required","text":"The power actions below require an in-band agent, Local Management Service (LMS), or Intel\u00ae Integrated Management and Security Status (Intel\u00ae IMSS). LMS is a service that runs locally on an Intel AMT device and enables local management applications to send requests and receive responses to and from the device. The LMS listens for and intercepts requests directed to the Intel AMT local host and routes them to to the Management Engine via the Intel Management Engine Interface (MEI) driver. Installing LMS and Drivers The service installer is packaged with the Intel MEI drivers on the OEM websites. If Windows OS is reimaged or reinstalled, only the Intel MEI Driver is reinstalled, not LMS or IMSS. If the LMS is not installed, visit the OEM website and look for download packages for Intel\u00ae IMSS or the Intel CSME driver. Action # Power Action Start State Transition Description ACPI State(s) 4 Sleep (deep) Powered up/on Transition to a standby state of low-power usage and store system context (e.g., open applications) in memory G1/S3 7 Hibernate Powered up/on Transition to zero power usage and store system context in non-volatile storage G1/S4 12 Power down/off (soft) Powered up/on Transition to a very minimal power state G2/S5 14 Soft reset Powered up/on Perform a shutdown and then a hardware reset N/A","title":"In-band Required"},{"location":"Reference/powerstates/#alternative-boot-options","text":"Currently, the Toolkit doesn't natively support secure erase or 200-level calls. Action # Power Action Start State Transition Description 104 Reset to secure erase Powered up/on Perform hardware reset on the bus to secure erase, a process of completely erasing a solid state drive (SSD) 200 Reset to IDE-R floppy disc Powered up/on Perform hardware reset on the bus to a peripheral IDE-R drive, usually reserved for a remote ISO boot 201 Power on to IDE-R floppy disc Powered down/off Power up/on fully to a peripheral IDE-R drive, usually reserved for a remote ISO boot 202 Reset to IDE-R CD-ROM Powered up/on Perform hardware reset on the bus to a peripheral IDE-R CD-ROM drive, usually reserved for a remote ISO boot 203 Power on to IDE-R CD-ROM Powered down/off Power up/on to the bus to a peripheral IDE-R CD-ROM drive, usually reserved for a remote ISO boot","title":"Alternative Boot Options"},{"location":"Reference/productionVault/","text":"Learn how to run MPS and RPS using Vault in production server mode. The current local docker-compose.yml file runs Vault in development mode which makes experimenting with the services easier since static tokens can be used for access and unsealing Vault is not required. The downside to this approach is that all Vault data is only stored in memory and is lost once the Vault container is stopped. Running Vault in production mode requires additional steps, but allows Vault data to persist on host filesystem after the container restarts. Configure the Toolkit \u00b6 Follow steps to Get the Toolkit, Set Environment Variables, and Set Kong JSON Web Token in the Get Started guide . Update the vault section in the docker-compose.yml file with the section below. vault : restart : always image : \"vault\" networks : - openamtnetwork ports : - \"8200:8200\" volumes : - private-volume:/vault/data:rw - ./vault:/vault/config:rw environment : VAULT_DEV_ROOT_TOKEN_ID : ${VAULT_TOKEN} VAULT_DEV_LISTEN_ADDRESS : 0.0.0.0:8200 cap_add : - IPC_LOCK entrypoint : vault server -config=/vault/config/vault.json Create a folder named vault located in ./open-amt-cloud-toolkit driectory and create a new file named vault.json with the contents below: { \"storage\" :{ \"file\" :{ \"path\" : \"/vault/data\" } }, \"listener\" :{ \"tcp\" :{ \"address\" : \"0.0.0.0:8200\" , \"tls_disable\" : \"true\" } }, \"default_lease_ttl\" : \"168h\" , \"max_lease_ttl\" : \"0h\" , \"ui\" : true , \"log_level\" : \"Debug\" } Run `docker compose`` to start the containers from the ./open-amt-cloud-toolkit directory. docker compose up -d --build Initialize and Unseal Vault \u00b6 Navigate to http://localhost:8200 to initialize and unseal Vault. Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down under Method Options. Click Enable Engine . Update ENV Variables \u00b6 Open your .env file. Change the SECRETS_PATH to kv/data/ . Update the VAULT_TOKEN to the Root Token generated by Vault. Example - Vault Section of .env file # VAULT SECRETS_PATH=kv/data/ VAULT_ADDRESS=http://vault:8200 VAULT_TOKEN=s.Mw7t070naY4PfyJk5KEkcX3I Rebuild and restart your Docker images and containers. docker compose up -d --build Unseal Vault at http://localhost:8200 after restarting the container. Next Steps \u00b6 Continue from the Get Started steps to log in to the Sample Web UI and activate a device.","title":"Production Mode Vault"},{"location":"Reference/productionVault/#configure-the-toolkit","text":"Follow steps to Get the Toolkit, Set Environment Variables, and Set Kong JSON Web Token in the Get Started guide . Update the vault section in the docker-compose.yml file with the section below. vault : restart : always image : \"vault\" networks : - openamtnetwork ports : - \"8200:8200\" volumes : - private-volume:/vault/data:rw - ./vault:/vault/config:rw environment : VAULT_DEV_ROOT_TOKEN_ID : ${VAULT_TOKEN} VAULT_DEV_LISTEN_ADDRESS : 0.0.0.0:8200 cap_add : - IPC_LOCK entrypoint : vault server -config=/vault/config/vault.json Create a folder named vault located in ./open-amt-cloud-toolkit driectory and create a new file named vault.json with the contents below: { \"storage\" :{ \"file\" :{ \"path\" : \"/vault/data\" } }, \"listener\" :{ \"tcp\" :{ \"address\" : \"0.0.0.0:8200\" , \"tls_disable\" : \"true\" } }, \"default_lease_ttl\" : \"168h\" , \"max_lease_ttl\" : \"0h\" , \"ui\" : true , \"log_level\" : \"Debug\" } Run `docker compose`` to start the containers from the ./open-amt-cloud-toolkit directory. docker compose up -d --build","title":"Configure the Toolkit"},{"location":"Reference/productionVault/#initialize-and-unseal-vault","text":"Navigate to http://localhost:8200 to initialize and unseal Vault. Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down under Method Options. Click Enable Engine .","title":"Initialize and Unseal Vault"},{"location":"Reference/productionVault/#update-env-variables","text":"Open your .env file. Change the SECRETS_PATH to kv/data/ . Update the VAULT_TOKEN to the Root Token generated by Vault. Example - Vault Section of .env file # VAULT SECRETS_PATH=kv/data/ VAULT_ADDRESS=http://vault:8200 VAULT_TOKEN=s.Mw7t070naY4PfyJk5KEkcX3I Rebuild and restart your Docker images and containers. docker compose up -d --build Unseal Vault at http://localhost:8200 after restarting the container.","title":"Update ENV Variables"},{"location":"Reference/productionVault/#next-steps","text":"Continue from the Get Started steps to log in to the Sample Web UI and activate a device.","title":"Next Steps"},{"location":"Reference/sslpostgresLocal/","text":"This guide will walk through how to enable an SSL connection in the Postgres Docker container. By default in the Getting Started Guide, we disable it to ease the setup process and environment for development. For production environments, using a cloud-hosted database with an SSL connection to MPS / RPS is highly recommended as one step to maintain a secure deployment. Read more about cloud deployments for Azure or AWS here . Edit 'docker-compose.yml' \u00b6 Update the RPS and MPS connection strings to no-verify instead of disable . ... environment : RPS_MPS_SERVER : http://mps:3000 RPS_SECRETS_PATH : ${SECRETS_PATH} RPS_VAULT_TOKEN : ${VAULT_TOKEN} RPS_VAULT_ADDRESS : ${VAULT_ADDRESS} RPS_CONNECTION_STRING : postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/rpsdb?sslmode=no-verify ... ... environment : MPS_INSTANCE_NAME : '{{.Task.Name}}' MPS_SECRETS_PATH : ${SECRETS_PATH} MPS_VAULT_TOKEN : ${VAULT_TOKEN} MPS_VAULT_ADDRESS : ${VAULT_ADDRESS} MPS_CONNECTION_STRING : postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/mpsdb?sslmode=no-verify ... Uncomment the command: line in the db section. ... build : context : ./pg dockerfile : ./Dockerfile command : -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key networks : - openamtnetwork ... Build Image \u00b6 Build the new Postgres image with SSL enabled. docker compose up -d --build","title":"SSL with Local Postgres"},{"location":"Reference/sslpostgresLocal/#edit-docker-composeyml","text":"Update the RPS and MPS connection strings to no-verify instead of disable . ... environment : RPS_MPS_SERVER : http://mps:3000 RPS_SECRETS_PATH : ${SECRETS_PATH} RPS_VAULT_TOKEN : ${VAULT_TOKEN} RPS_VAULT_ADDRESS : ${VAULT_ADDRESS} RPS_CONNECTION_STRING : postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/rpsdb?sslmode=no-verify ... ... environment : MPS_INSTANCE_NAME : '{{.Task.Name}}' MPS_SECRETS_PATH : ${SECRETS_PATH} MPS_VAULT_TOKEN : ${VAULT_TOKEN} MPS_VAULT_ADDRESS : ${VAULT_ADDRESS} MPS_CONNECTION_STRING : postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/mpsdb?sslmode=no-verify ... Uncomment the command: line in the db section. ... build : context : ./pg dockerfile : ./Dockerfile command : -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key networks : - openamtnetwork ...","title":"Edit 'docker-compose.yml'"},{"location":"Reference/sslpostgresLocal/#build-image","text":"Build the new Postgres image with SSL enabled. docker compose up -d --build","title":"Build Image"},{"location":"Reference/troubleshooting/","text":"The sections below detail commonly asked questions about Open AMT Cloud toolkit as well as possible errors that may occur when activating or deactivating managed devices along with some potential solutions. Can't find the answer to your questions or issue below? Reach out to the team via Discord for direct help. Or file a GitHub issue. Commonly Asked Questions \u00b6 How do releases work with Open AMT? \u00b6 Open AMT carries two releases, the Rapid (\"Monthly\") Release and the Long-Term Support (LTS) Release. Rapid Releases occur every 4-6 weeks. Support for security and bug fixes is only for the duration of that rapid release. Customers will be encouraged to move to a latest rapid release for the most up to date security and bug fixes. LTS Releases occur roughly every 1 to 1.5 years. Support for security and bug fixes exist until the next LTS version is available. At that point, we will provide migration documentation and support to help customers move over to the new LTS release. How does versioning work with Open AMT? \u00b6 Open AMT follows SemVer practices for versioning. This means: Major Version Increment - Breaking Changes (ex: 2.0.0 -> 3.0.0) Minor Version Increment - New Features (ex: 2.0.0 -> 2.1.0) Patch Version Increment - Security and Bug Fixes (ex: 2.0.0 -> 2.0.1) All microservices with the same minor version should be compatible. The separate repos for microservices and libraries are versioned individually. These versions are separate from the open-amt-cloud-toolkit repo version. The open-amt-cloud-toolkit repo is where we have the monthly release. This repo might carry a higher version than some of the individual repos but is tagged as {Month} {Year} . All sub-repos referenced within open-amt-cloud-toolkit for a specific release are guaranteed to be compatible. What versions of Intel\u00ae AMT are supported? \u00b6 Open AMT aligns to the Intel Network and Edge (NEX) Group support roadmap for Intel vPro\u00ae Platform and Intel\u00ae AMT devices. This is currently calculated as Latest AMT Version - 7 . How do I migrate versions to a new release? \u00b6 Resources and information for migrating releases for either a Kubernetes deployment or local Docker deployment can be found in the Upgrade Toolkit Version documentation . How do I find more information about the MPS and RPS configuration files and security details? \u00b6 Details and descriptions of configuration options can be found in MPS Configuration and RPS Configuration . Security information can be found in MPS Security Information and RPS Security Information . Most Common Issues \u00b6 Why does an activated device show disconnected in MPS ? \u00b6 Are your login credentials stale? Try to log out of the Sample Web UI and back in. Is your Vault service initialized and unsealed? (Only applicable if using production mode Vault) Is your CIRA certificate correct? You can verify this by going to https://[your-stack]:4433 and looking at the certificate. The Issued party should match either your IP Address or FQDN. If it is incorrect, delete your Profile and CIRA Config. Delete the existing MPS Certificate from Vault and restart the MPS service. This will generate a new, correct certificate. Then create new CIRA Config/ Profile and run RPC to reconfigure the AMT device with the new profiles. Try to unplug the ethernet or power cable of the AMT device and replug. Wait 30 seconds and refresh the Sample Web UI to see if the device has connected. Alternatively, run amtinfo via RPC to see if the status has changed to Connected. Try updating the AMT device's BIOS/AMT version. Why can't I login to the Sample Web UI ? \u00b6 Have you accepted the certificate warning? If not, re-navigate to https://[your-stack] and accept the warning. Is the Kong service running and healthy? For local deployment, does the Kong secret match in the .env and the kong.yaml files? For cloud deployment, is the Vault initialized and unsealed? Vault will reseal itself if the pod is restarted and must be unsealed again. Why does MPS or RPS show as Unhealthy \u00b6 Both MPS and RPS have health API routes that they perform as part of startup for both Docker and Kubernetes. The health check verifies that the database and Vault are both available and reachable by the microservices. If MPS or RPS return unhealthy, then one of the two, database or Vault, are unavailable. Why is there an 'Error Retrieving Device Stats' on Login? \u00b6 This warning typically means that the Sample Web UI and MPS is unable to reach the MPS database. Is the MPS service healthy? For cloud deployment, is the Kubernetes secret for the MPS DB connection string correct? For cloud deployment, is the database reachable? Is the IP Address whitelisted and correct? Why do 'Profiles/ CIRA Configs/Domains' tabs in the Sample Web UI return errors?\" \u00b6 This warning typically means that the Sample Web UI and RPS is unable to reach the RPS database. Is the RPS service healthy? For cloud deployment, is the Kubernetes secret for the RPS DB connection string correct? For cloud deployment, is the database reachable? Is the IP Address whitelisted and correct? Specific Microservice or Library Errors \u00b6 RPC \u00b6 More information about specific RPC error codes can be found in the RPC Library Documentation . Error Issue or Message Possible Solutions \"Decrypting provisioning certificate failed\" Double check the password is correct on the certificate loaded into the \"domains\" on the UI \"Exception reading from device\" If MPS and RPS are running in Docker, check to ensure Vault has been unsealed. \"Unable to connect to Local Management Service (LMS). Please ensure LMS is running\" Check to ensure no application has bound to port 16992 \"Unable to launch MicroLMS.\" Check that Intel ME is present, MEI Driver installed and run this executable as administrator Check to ensure no application has bound to port 16992 \"Device xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx activation failed. Error while adding the certificates to AMT.\" Unplug the device, from both network and power, let it sit for a while. If that doesn't work, file a github issue Device xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx activation failed. Missing DNS suffix . Run .\\rpc amtinfo and ensure there is a DNS suffix . If it is blank, double check your router settings for DHCP. Alternatively, you can override the DNS suffix with -d mycompany.com . To learn more, see DNS Suffix and Create a Profile with ACM . Error: amt password DOES NOT match stored version for Device 6c4243ba-334d-11ea-94b5-caba2a773d00 Ensure you have provided the -password flag for the -cmd you are trying to execute, and that it is the password you used when provisioning the device. Unable to connect to websocket server. Please check url. After ensuring you can reach your server. Ensure that the certificate common name on the server matches the FQDN/IP of your host address. Error while activating the AMT in admin mode. Check the logs on the RPS server. The rpc.exe fails to connect. If a device has already been provisioned, unprovision it and then reprovision. To deactivate and reactivate devices, see the Mircoservices section for RPC , RPC Activate/Deactivate Examples MPS \u00b6 Additional logging details can be enabled by modifying the log_level field in the MPS configuration. Error Issue or Message Possible Solutions Vault is empty in dev mode. Profiles and configs are not persistent in this mode. To run vault in production mode, follow the Use Docker and Vault in Production Mode . MPS is missing from list of running services. (1) Check for error messages in the logs. (2) Verify that the .env file contains correct values in each field. (3) Verify that the Kong secret provided in the .env matches the secret in kong.yaml RPS \u00b6 Additional logging details can be enabled by modifying the log_level field in the RPS configuration. Error Issue or Message Possible Solutions Create a profile fails or information cannot be read from vault. Make sure both Vault and Postgres are running. For details, see the docker ps command in Build and Run Docker Images . An error occurred during provisioning. (1) Verify that the correct certificate is being used. (2) Verify the Domain suffix. (3) Verify RPS is able to reach the AMT device. Check firewalls and pings. UI Toolkit \u00b6 If you encounter an error during the installation, verify the prerequisites and version numbers, such as Node.js* LTS, by consulting the tutorial Add MPS UI Toolkit Controls to a WebUI . If adding a control results in an error, double-check the device ID, mpsServer IP address value, and authToken. General Troubleshooting Tips \u00b6 If a configuration becomes unworkable, it may be necessary to clean up the environment by: unprovisioning, also known as deactivating, the managed device stopping all Docker services Do all the above if it becomes necessary to reset your environment completely. See instructions below. Unprovision the Managed Device: Use rpc.exe to dectivate the managed device as described in RPC Activate/Deactivate Examples . The deactivate parameter executes a full unprovision of the managed device. It is also possible to implement a full unprovision via MEBX. See Unprovisioning . Shut down Docker Services: Use docker image prune and docker image rm to stop or remove all images, containers, and volumes, as described in Build and Run Docker Images . The best practice example below stops Docker and then prunes all volumes. Example - Cleanup of Docker Images Stop Docker containers. docker compose down -v Prune the images and volumes. docker system prune -a --volumes","title":"Troubleshooting"},{"location":"Reference/troubleshooting/#commonly-asked-questions","text":"","title":"Commonly Asked Questions"},{"location":"Reference/troubleshooting/#how-do-releases-work-with-open-amt","text":"Open AMT carries two releases, the Rapid (\"Monthly\") Release and the Long-Term Support (LTS) Release. Rapid Releases occur every 4-6 weeks. Support for security and bug fixes is only for the duration of that rapid release. Customers will be encouraged to move to a latest rapid release for the most up to date security and bug fixes. LTS Releases occur roughly every 1 to 1.5 years. Support for security and bug fixes exist until the next LTS version is available. At that point, we will provide migration documentation and support to help customers move over to the new LTS release.","title":"How do releases work with Open AMT?"},{"location":"Reference/troubleshooting/#how-does-versioning-work-with-open-amt","text":"Open AMT follows SemVer practices for versioning. This means: Major Version Increment - Breaking Changes (ex: 2.0.0 -> 3.0.0) Minor Version Increment - New Features (ex: 2.0.0 -> 2.1.0) Patch Version Increment - Security and Bug Fixes (ex: 2.0.0 -> 2.0.1) All microservices with the same minor version should be compatible. The separate repos for microservices and libraries are versioned individually. These versions are separate from the open-amt-cloud-toolkit repo version. The open-amt-cloud-toolkit repo is where we have the monthly release. This repo might carry a higher version than some of the individual repos but is tagged as {Month} {Year} . All sub-repos referenced within open-amt-cloud-toolkit for a specific release are guaranteed to be compatible.","title":"How does versioning work with Open AMT?"},{"location":"Reference/troubleshooting/#what-versions-of-intel-amt-are-supported","text":"Open AMT aligns to the Intel Network and Edge (NEX) Group support roadmap for Intel vPro\u00ae Platform and Intel\u00ae AMT devices. This is currently calculated as Latest AMT Version - 7 .","title":"What versions of Intel&reg; AMT are supported?"},{"location":"Reference/troubleshooting/#how-do-i-migrate-versions-to-a-new-release","text":"Resources and information for migrating releases for either a Kubernetes deployment or local Docker deployment can be found in the Upgrade Toolkit Version documentation .","title":"How do I migrate versions to a new release?"},{"location":"Reference/troubleshooting/#how-do-i-find-more-information-about-the-mps-and-rps-configuration-files-and-security-details","text":"Details and descriptions of configuration options can be found in MPS Configuration and RPS Configuration . Security information can be found in MPS Security Information and RPS Security Information .","title":"How do I find more information about the MPS and RPS configuration files and security details?"},{"location":"Reference/troubleshooting/#most-common-issues","text":"","title":"Most Common Issues"},{"location":"Reference/troubleshooting/#why-does-an-activated-device-show-disconnected-in-mps","text":"Are your login credentials stale? Try to log out of the Sample Web UI and back in. Is your Vault service initialized and unsealed? (Only applicable if using production mode Vault) Is your CIRA certificate correct? You can verify this by going to https://[your-stack]:4433 and looking at the certificate. The Issued party should match either your IP Address or FQDN. If it is incorrect, delete your Profile and CIRA Config. Delete the existing MPS Certificate from Vault and restart the MPS service. This will generate a new, correct certificate. Then create new CIRA Config/ Profile and run RPC to reconfigure the AMT device with the new profiles. Try to unplug the ethernet or power cable of the AMT device and replug. Wait 30 seconds and refresh the Sample Web UI to see if the device has connected. Alternatively, run amtinfo via RPC to see if the status has changed to Connected. Try updating the AMT device's BIOS/AMT version.","title":"Why does an activated device show disconnected in MPS?"},{"location":"Reference/troubleshooting/#why-cant-i-login-to-the-sample-web-ui","text":"Have you accepted the certificate warning? If not, re-navigate to https://[your-stack] and accept the warning. Is the Kong service running and healthy? For local deployment, does the Kong secret match in the .env and the kong.yaml files? For cloud deployment, is the Vault initialized and unsealed? Vault will reseal itself if the pod is restarted and must be unsealed again.","title":"Why can't I login to the Sample Web UI?"},{"location":"Reference/troubleshooting/#why-does-mps-or-rps-show-as-unhealthy","text":"Both MPS and RPS have health API routes that they perform as part of startup for both Docker and Kubernetes. The health check verifies that the database and Vault are both available and reachable by the microservices. If MPS or RPS return unhealthy, then one of the two, database or Vault, are unavailable.","title":"Why does MPS or RPS show as Unhealthy"},{"location":"Reference/troubleshooting/#why-is-there-an-error-retrieving-device-stats-on-login","text":"This warning typically means that the Sample Web UI and MPS is unable to reach the MPS database. Is the MPS service healthy? For cloud deployment, is the Kubernetes secret for the MPS DB connection string correct? For cloud deployment, is the database reachable? Is the IP Address whitelisted and correct?","title":"Why is there an 'Error Retrieving Device Stats' on Login?"},{"location":"Reference/troubleshooting/#why-do-profilescira-configsdomains-tabs-in-the-sample-web-ui-return-errors","text":"This warning typically means that the Sample Web UI and RPS is unable to reach the RPS database. Is the RPS service healthy? For cloud deployment, is the Kubernetes secret for the RPS DB connection string correct? For cloud deployment, is the database reachable? Is the IP Address whitelisted and correct?","title":"Why do 'Profiles/CIRA Configs/Domains' tabs in the Sample Web UI return errors?\""},{"location":"Reference/troubleshooting/#specific-microservice-or-library-errors","text":"","title":"Specific Microservice or Library Errors"},{"location":"Reference/troubleshooting/#rpc","text":"More information about specific RPC error codes can be found in the RPC Library Documentation . Error Issue or Message Possible Solutions \"Decrypting provisioning certificate failed\" Double check the password is correct on the certificate loaded into the \"domains\" on the UI \"Exception reading from device\" If MPS and RPS are running in Docker, check to ensure Vault has been unsealed. \"Unable to connect to Local Management Service (LMS). Please ensure LMS is running\" Check to ensure no application has bound to port 16992 \"Unable to launch MicroLMS.\" Check that Intel ME is present, MEI Driver installed and run this executable as administrator Check to ensure no application has bound to port 16992 \"Device xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx activation failed. Error while adding the certificates to AMT.\" Unplug the device, from both network and power, let it sit for a while. If that doesn't work, file a github issue Device xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx activation failed. Missing DNS suffix . Run .\\rpc amtinfo and ensure there is a DNS suffix . If it is blank, double check your router settings for DHCP. Alternatively, you can override the DNS suffix with -d mycompany.com . To learn more, see DNS Suffix and Create a Profile with ACM . Error: amt password DOES NOT match stored version for Device 6c4243ba-334d-11ea-94b5-caba2a773d00 Ensure you have provided the -password flag for the -cmd you are trying to execute, and that it is the password you used when provisioning the device. Unable to connect to websocket server. Please check url. After ensuring you can reach your server. Ensure that the certificate common name on the server matches the FQDN/IP of your host address. Error while activating the AMT in admin mode. Check the logs on the RPS server. The rpc.exe fails to connect. If a device has already been provisioned, unprovision it and then reprovision. To deactivate and reactivate devices, see the Mircoservices section for RPC , RPC Activate/Deactivate Examples","title":"RPC"},{"location":"Reference/troubleshooting/#mps","text":"Additional logging details can be enabled by modifying the log_level field in the MPS configuration. Error Issue or Message Possible Solutions Vault is empty in dev mode. Profiles and configs are not persistent in this mode. To run vault in production mode, follow the Use Docker and Vault in Production Mode . MPS is missing from list of running services. (1) Check for error messages in the logs. (2) Verify that the .env file contains correct values in each field. (3) Verify that the Kong secret provided in the .env matches the secret in kong.yaml","title":"MPS"},{"location":"Reference/troubleshooting/#rps","text":"Additional logging details can be enabled by modifying the log_level field in the RPS configuration. Error Issue or Message Possible Solutions Create a profile fails or information cannot be read from vault. Make sure both Vault and Postgres are running. For details, see the docker ps command in Build and Run Docker Images . An error occurred during provisioning. (1) Verify that the correct certificate is being used. (2) Verify the Domain suffix. (3) Verify RPS is able to reach the AMT device. Check firewalls and pings.","title":"RPS"},{"location":"Reference/troubleshooting/#ui-toolkit","text":"If you encounter an error during the installation, verify the prerequisites and version numbers, such as Node.js* LTS, by consulting the tutorial Add MPS UI Toolkit Controls to a WebUI . If adding a control results in an error, double-check the device ID, mpsServer IP address value, and authToken.","title":"UI Toolkit"},{"location":"Reference/troubleshooting/#general-troubleshooting-tips","text":"If a configuration becomes unworkable, it may be necessary to clean up the environment by: unprovisioning, also known as deactivating, the managed device stopping all Docker services Do all the above if it becomes necessary to reset your environment completely. See instructions below. Unprovision the Managed Device: Use rpc.exe to dectivate the managed device as described in RPC Activate/Deactivate Examples . The deactivate parameter executes a full unprovision of the managed device. It is also possible to implement a full unprovision via MEBX. See Unprovisioning . Shut down Docker Services: Use docker image prune and docker image rm to stop or remove all images, containers, and volumes, as described in Build and Run Docker Images . The best practice example below stops Docker and then prunes all volumes. Example - Cleanup of Docker Images Stop Docker containers. docker compose down -v Prune the images and volumes. docker system prune -a --volumes","title":"General Troubleshooting Tips"},{"location":"Reference/Certificates/generateProvisioningCert/","text":"For production deployments, we highly recommend purchasing a 3rd party provisioning certificate. See all available vendors here. Warning - Custom Provisioning Certificates in Production Deployments The hash of custom provisioning certificates must be manually added to all devices that will be configured into ACM . This can be done through MEBx or USB Configuration. Both options require manual, hands-on configuration of each AMT device. Adding the hash to AMT's trusted list is a mandatory requirement for the device to successfully activate. However, some developers opt to use a custom provisioning certificate for testing and validation purposes. The steps below outline how to generate a custom certificate based on the requirements within the Intel\u00ae AMT SDK . Note - Unprovisioning will Delete Custom Hashes When a device is unprovisioned, AMT will delete and remove all hashes inserted. If you want to then activate the device again, you will have to reinsert the certificate hash again. Generate Custom Provisioning Certificate \u00b6 These steps create a certificate for a domain example.com and walk through how to successfully activate a device using the example.com DNS suffix . What You'll Need \u00b6 Software OpenSSL Configuration Files \u00b6 First, we need to prepare two files: cert.conf - Certificate configuration file. It is used to define the specific settings for the certificate. csr.conf - Certificate signing request configuration file. Create cert.conf \u00b6 Create a new file named cert.conf . Copy and paste the below example into the file. Do not remove the OID 2.16.840.1.113741.1.2.3 from the extendedKeyUsage . This is an AMT requirement. Optionally , update the [alt_names] section with your own server DNS information. cert.conf basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, 2.16.840.1.113741.1.2.3 subjectAltName = @alt_names [alt_names] DNS.1 = test.example.com DNS.2 = example.com IP.1 = 192.168.1.1 Save and close. Create csr.conf \u00b6 Create a new file named csr.conf . Copy and paste the below example into the file. Optionally , update the [dn] section and CN field with your own server FQDN and information. csr.conf [ req ] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = dn [ dn ] C = US ST = Arizona L = Chandler O = Organization OU = Department CN = test.example.com Save and close. Create the Certificate and Hash \u00b6 Open a terminal and verify OpenSSL is installed. openssl version Create a self-signed CA root certificate file named rootCA.crt with a key file named rootCA.key . openssl req -x509 -sha256 -days 3560 -nodes -newkey rsa:2048 -subj \"//SKIP=skip/CN=CA Custom Root Certificate/C=US/ST=Arizona/L=Chandler\" -keyout rootCA.key -out rootCA.crt Generate a RSA private key named server.key . openssl genrsa -out server.key 2048 Generate a Certificate Signing Request using the private key and cert.conf file. openssl req -new -key server.key -out server.csr -config csr.conf Sign the Certificate Signing Request with the CA certificate and cert.conf file. openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile cert.conf Create a .pfx file using the private key, server certificate, and CA root certificate. It will prompt to create a password. This password will be used when creating a Domain profile. openssl pkcs12 -export -out vprodemo_custom.pfx -inkey server.key -in server.crt -certfile rootCA.crt Get the SHA1 hash of the root certificate. openssl x509 -noout -fingerprint -sha1 -inform pem -in rootCA.crt Success - SHA1 Output SHA1 Fingerprint=51:45:E3:A4:AE:66:88:E0:AF:85:EC:EB:06:74:6B:8D:C3:07:C1:9D Upload Provisioning Certificate \u00b6 Create Domain Profile \u00b6 Open the Sample Web UI and Login. Create a domain profile. Upload the .pfx file and enter the password set for it. See Create a Domain Profile for more details. Insert the Hash using MEBx \u00b6 Warning - Adding Hash for AMT 16 or Newer These steps may not be exact or available within MEBx on AMT 16 or newer devices due to OEM restrictions. USB Configuration may be required. Switch to the AMT device. Restart the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen. Note - Other Keybinds to Enter MEBx The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the MEBx password. Note - Default MEBx Password for First Time Use If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Intel(r) AMT Configuration . Verify that the device is in pre-provisioning mode. If not, perform a full unprovision under Unconfigure Network Access . Select Remote Setup and Configuration . Select TLS PKI . Set the PKI DNS suffix to example.com . Or, if using a different DNS suffix , set it to that instead. See DNS Suffix for more details. Select Manage Hashes . Figure 1: Manage Hashes Press the Insert key. Provide a name for the new hash and press Enter. Insert the new SHA1 hash using the fingerprint obtained from Step 7 in Create the Certificate and Hash . The hash must be formatted as shown in example. Figure 2: Hash Input Press the Y key to set the hash as active. Press the esc key repeatedly to exit MEBx and reboot the device. Verify the Hash \u00b6 After the device reboots, open Terminal or Command Prompt as Administrator. Verify the certificate hash was inserted correctly. The new hash should be listed. Linux Windows sudo ./rpc amtinfo -cert .\\rpc amtinfo -cert Success - Hash Inserted Correctly Figure 4: Hash Output Activate the AMT device with an ACM Profile . See Create a Profile with ACM and Build & Run RPC for more details. Troubleshoot - Error During Activation The following error may occur during the first attempt at activation. time=\"2023-08-17T11:38:57-07:00\" level=trace msg=\"HTTP/1.1 200 OK\\r\\nDate: Thu, 17 Aug 2023 18:38:57 GMT\\r\\nServer: Intel(R) Active Management Technology 15.0.35.2039\\r\\nX-Frame-Options: DENY\\r\\nContent-Type: application/soap+xml; charset=UTF-8\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n043E\\r\\n<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><a:Envelope xmlns:a=\\\"http://www.w3.org/2003/05/soap-envelope\\\" xmlns:b=\\\"http://schemas.xmlsoap.org/ws/2004/08/addressing\\\" xmlns:c=\\\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\\\" xmlns:d=\\\"http://schemas.xmlsoap.org/ws/2005/02/trust\\\" xmlns:e=\\\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\\\" xmlns:f=\\\"http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd\\\" xmlns:g=\\\"http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\"><a:Header><b:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</b:To><b:RelatesTo>3</b:RelatesTo><b:Action a:mustUnderstand=\\\"true\\\">http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService/AdminSetupResponse</b:Acti\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"sending message to RPS\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"closing connection to lms\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"received messages from RPS\" time=\"2023-08-17T11:38:57-07:00\" level=error msg=\"Unknown error has occured\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"closing connection to lms\" If this error occurs, verify the device was activated successfully. rpc amtinfo If the device shows it was activated into admin control mode , rerun the activate command to successfully finish AMT configuration. During device unprovisioning, AMT will delete any inserted hashes and will have to be manually reinserted.","title":"Custom Provisioning Certificate"},{"location":"Reference/Certificates/generateProvisioningCert/#generate-custom-provisioning-certificate","text":"These steps create a certificate for a domain example.com and walk through how to successfully activate a device using the example.com DNS suffix .","title":"Generate Custom Provisioning Certificate"},{"location":"Reference/Certificates/generateProvisioningCert/#what-youll-need","text":"Software OpenSSL","title":"What You'll Need"},{"location":"Reference/Certificates/generateProvisioningCert/#configuration-files","text":"First, we need to prepare two files: cert.conf - Certificate configuration file. It is used to define the specific settings for the certificate. csr.conf - Certificate signing request configuration file.","title":"Configuration Files"},{"location":"Reference/Certificates/generateProvisioningCert/#create-certconf","text":"Create a new file named cert.conf . Copy and paste the below example into the file. Do not remove the OID 2.16.840.1.113741.1.2.3 from the extendedKeyUsage . This is an AMT requirement. Optionally , update the [alt_names] section with your own server DNS information. cert.conf basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, 2.16.840.1.113741.1.2.3 subjectAltName = @alt_names [alt_names] DNS.1 = test.example.com DNS.2 = example.com IP.1 = 192.168.1.1 Save and close.","title":"Create cert.conf"},{"location":"Reference/Certificates/generateProvisioningCert/#create-csrconf","text":"Create a new file named csr.conf . Copy and paste the below example into the file. Optionally , update the [dn] section and CN field with your own server FQDN and information. csr.conf [ req ] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = dn [ dn ] C = US ST = Arizona L = Chandler O = Organization OU = Department CN = test.example.com Save and close.","title":"Create csr.conf"},{"location":"Reference/Certificates/generateProvisioningCert/#create-the-certificate-and-hash","text":"Open a terminal and verify OpenSSL is installed. openssl version Create a self-signed CA root certificate file named rootCA.crt with a key file named rootCA.key . openssl req -x509 -sha256 -days 3560 -nodes -newkey rsa:2048 -subj \"//SKIP=skip/CN=CA Custom Root Certificate/C=US/ST=Arizona/L=Chandler\" -keyout rootCA.key -out rootCA.crt Generate a RSA private key named server.key . openssl genrsa -out server.key 2048 Generate a Certificate Signing Request using the private key and cert.conf file. openssl req -new -key server.key -out server.csr -config csr.conf Sign the Certificate Signing Request with the CA certificate and cert.conf file. openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile cert.conf Create a .pfx file using the private key, server certificate, and CA root certificate. It will prompt to create a password. This password will be used when creating a Domain profile. openssl pkcs12 -export -out vprodemo_custom.pfx -inkey server.key -in server.crt -certfile rootCA.crt Get the SHA1 hash of the root certificate. openssl x509 -noout -fingerprint -sha1 -inform pem -in rootCA.crt Success - SHA1 Output SHA1 Fingerprint=51:45:E3:A4:AE:66:88:E0:AF:85:EC:EB:06:74:6B:8D:C3:07:C1:9D","title":"Create the Certificate and Hash"},{"location":"Reference/Certificates/generateProvisioningCert/#upload-provisioning-certificate","text":"","title":"Upload Provisioning Certificate"},{"location":"Reference/Certificates/generateProvisioningCert/#create-domain-profile","text":"Open the Sample Web UI and Login. Create a domain profile. Upload the .pfx file and enter the password set for it. See Create a Domain Profile for more details.","title":"Create Domain Profile"},{"location":"Reference/Certificates/generateProvisioningCert/#insert-the-hash-using-mebx","text":"Warning - Adding Hash for AMT 16 or Newer These steps may not be exact or available within MEBx on AMT 16 or newer devices due to OEM restrictions. USB Configuration may be required. Switch to the AMT device. Restart the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen. Note - Other Keybinds to Enter MEBx The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the MEBx password. Note - Default MEBx Password for First Time Use If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Intel(r) AMT Configuration . Verify that the device is in pre-provisioning mode. If not, perform a full unprovision under Unconfigure Network Access . Select Remote Setup and Configuration . Select TLS PKI . Set the PKI DNS suffix to example.com . Or, if using a different DNS suffix , set it to that instead. See DNS Suffix for more details. Select Manage Hashes . Figure 1: Manage Hashes Press the Insert key. Provide a name for the new hash and press Enter. Insert the new SHA1 hash using the fingerprint obtained from Step 7 in Create the Certificate and Hash . The hash must be formatted as shown in example. Figure 2: Hash Input Press the Y key to set the hash as active. Press the esc key repeatedly to exit MEBx and reboot the device.","title":"Insert the Hash using MEBx"},{"location":"Reference/Certificates/generateProvisioningCert/#verify-the-hash","text":"After the device reboots, open Terminal or Command Prompt as Administrator. Verify the certificate hash was inserted correctly. The new hash should be listed. Linux Windows sudo ./rpc amtinfo -cert .\\rpc amtinfo -cert Success - Hash Inserted Correctly Figure 4: Hash Output Activate the AMT device with an ACM Profile . See Create a Profile with ACM and Build & Run RPC for more details. Troubleshoot - Error During Activation The following error may occur during the first attempt at activation. time=\"2023-08-17T11:38:57-07:00\" level=trace msg=\"HTTP/1.1 200 OK\\r\\nDate: Thu, 17 Aug 2023 18:38:57 GMT\\r\\nServer: Intel(R) Active Management Technology 15.0.35.2039\\r\\nX-Frame-Options: DENY\\r\\nContent-Type: application/soap+xml; charset=UTF-8\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n043E\\r\\n<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><a:Envelope xmlns:a=\\\"http://www.w3.org/2003/05/soap-envelope\\\" xmlns:b=\\\"http://schemas.xmlsoap.org/ws/2004/08/addressing\\\" xmlns:c=\\\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\\\" xmlns:d=\\\"http://schemas.xmlsoap.org/ws/2005/02/trust\\\" xmlns:e=\\\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\\\" xmlns:f=\\\"http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd\\\" xmlns:g=\\\"http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\"><a:Header><b:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</b:To><b:RelatesTo>3</b:RelatesTo><b:Action a:mustUnderstand=\\\"true\\\">http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService/AdminSetupResponse</b:Acti\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"sending message to RPS\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"closing connection to lms\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"received messages from RPS\" time=\"2023-08-17T11:38:57-07:00\" level=error msg=\"Unknown error has occured\" time=\"2023-08-17T11:38:57-07:00\" level=debug msg=\"closing connection to lms\" If this error occurs, verify the device was activated successfully. rpc amtinfo If the device shows it was activated into admin control mode , rerun the activate command to successfully finish AMT configuration. During device unprovisioning, AMT will delete any inserted hashes and will have to be manually reinserted.","title":"Verify the Hash"},{"location":"Reference/Certificates/remoteProvisioning/","text":"What is remote provisioning? \u00b6 Provisioning is the process of bringing a remote device under the management of the Management Presence Server ( MPS ). Ideally, the process activates and configures a remote device without physically touching it. To manage a device remotely, you must provision it, securely configure it using the Remote Provisioning Server ( RPS ), which communicates with the Management Presence Server ( MPS ). The table below describes the process: Step Significance to Provisioning 1. Create a Client Initiated Remote Access ( CIRA ) configuration This saved configuration will be used to configure the CIRA protocol for public cloud environments. 2. Set up the AMT Profile and choose an activation type Choose from two modes, Admin Control Mode ( ACM ) and Client Control Mode ( CCM ). If ACM is chosen, add a provisioning certificate in Step 3. CCM does not require a certificate. 3. Add a domain profile and associated signed provisioning certificate Upload a provisioning certificate. 4. Use the rpc-go client application to activate the remote device Deploy and run the client as Administrator on the desired remote platform. Leverage the profile you created in Step 2. Figure 1 illustrates the steps below. Also, see Get Started . The toolkit accomplishes secure provisioning with authentication and a secure tunnel using the Transport Layer Security ( TLS ) protocol. The authentication process involves: A provisioning certificate*: an electronic document used to establish the identity of the holder CIRA : a protocol used by the remote device to \"call home\", initiate remote connectivity, with an MPS . After a device is provisioned, the administrator can use the management console to perform different control activities, such as power actions (e.g., Reset) without an onsite visit. Figure 1: Provisioning and CIRA What about manual provisioning? \u00b6 Sometimes it's not possible to deploy the rpc-go client application to activate the device remotely. When remote provisioning is not an option, provision manually in the BIOS. To provision manually for ACM , see Set a DNS Suffix through MEBX . What is a remote provisioning certificate? \u00b6 A remote provisioning certificate is used for the activation of the remote device by the provisioning server. The activation phase of provisioning turns on or enables Intel AMT in the remote device. The Intel AMT firmware contains the root certificate hashes, TLS -based thumbprints, of participating vendors, known as certificate authorities (CA). The root certificate hash is compared with that certificate's hash. If they match, the certificate is deemed valid. Note The remote provisioning certificate is used only for initial provisioning of the device, bringing it under the management of the provisioning server. Purchase a separate certificate for website hosting. How do provisioning certificates work in the Toolkit? \u00b6 Acquire \u00b6 Purchase \u00b6 To use a provisioning certificate in the toolkit, purchase the certificate from a CA. Note You do not have to purchase a certificate for each device in a fleet. The certificate is purchased for the provisioning server. Prices vary per vendor. Comodo DigiCert Entrust GoDaddy Important - Intel AMT and using CAs For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel\u00ae AMT . Generate \u00b6 Alternatively, for development, custom provisioning certificates can be generated for use using tools like OpenSSL. See Custom Provisioning Certificate for additional details. Upload \u00b6 After purchasing a certificate: Download the personal exchange format (PFX) file. This file contains public and private objects in a single file. It also contains a certificate chain, including the public key of the root certificate, the public key the intermediate certificate, public key of the SSL certificate. Upload it during the domain profile stage of provisioning. The PFX is saved to Vault. This uploaded file is used during the activation stage. Activate \u00b6 After you switch Intel AMT on, or activate it, CIRA is configured. In order to configure CIRA , another certificate is necessary. Currently, the toolkit uses a self-signed certificate generated by MPS and stored in Vault. The certificate generation happens during deployment of the MPS . This certificate cannot be obtained from a vendor. MPS automatically loads the CIRA self-signed certificate into Vault. Intel AMT checks the common name of the self-signed certificate. It must match the one you've supplied in the CIRA Config Profile on the MPS Address line. Learn More \u00b6 Link Description An Introduction To Intel AMT Remote Configuration Selection Outlines the provisioning process. Certificate Setup and Configuration Video Describes the certificate purchase process. What is the vPro\u00ae Platform? Describes the certificate purchase process.","title":"Provisioning Certificate"},{"location":"Reference/Certificates/remoteProvisioning/#what-is-remote-provisioning","text":"Provisioning is the process of bringing a remote device under the management of the Management Presence Server ( MPS ). Ideally, the process activates and configures a remote device without physically touching it. To manage a device remotely, you must provision it, securely configure it using the Remote Provisioning Server ( RPS ), which communicates with the Management Presence Server ( MPS ). The table below describes the process: Step Significance to Provisioning 1. Create a Client Initiated Remote Access ( CIRA ) configuration This saved configuration will be used to configure the CIRA protocol for public cloud environments. 2. Set up the AMT Profile and choose an activation type Choose from two modes, Admin Control Mode ( ACM ) and Client Control Mode ( CCM ). If ACM is chosen, add a provisioning certificate in Step 3. CCM does not require a certificate. 3. Add a domain profile and associated signed provisioning certificate Upload a provisioning certificate. 4. Use the rpc-go client application to activate the remote device Deploy and run the client as Administrator on the desired remote platform. Leverage the profile you created in Step 2. Figure 1 illustrates the steps below. Also, see Get Started . The toolkit accomplishes secure provisioning with authentication and a secure tunnel using the Transport Layer Security ( TLS ) protocol. The authentication process involves: A provisioning certificate*: an electronic document used to establish the identity of the holder CIRA : a protocol used by the remote device to \"call home\", initiate remote connectivity, with an MPS . After a device is provisioned, the administrator can use the management console to perform different control activities, such as power actions (e.g., Reset) without an onsite visit. Figure 1: Provisioning and CIRA","title":"What is remote provisioning?"},{"location":"Reference/Certificates/remoteProvisioning/#what-about-manual-provisioning","text":"Sometimes it's not possible to deploy the rpc-go client application to activate the device remotely. When remote provisioning is not an option, provision manually in the BIOS. To provision manually for ACM , see Set a DNS Suffix through MEBX .","title":"What about manual provisioning?"},{"location":"Reference/Certificates/remoteProvisioning/#what-is-a-remote-provisioning-certificate","text":"A remote provisioning certificate is used for the activation of the remote device by the provisioning server. The activation phase of provisioning turns on or enables Intel AMT in the remote device. The Intel AMT firmware contains the root certificate hashes, TLS -based thumbprints, of participating vendors, known as certificate authorities (CA). The root certificate hash is compared with that certificate's hash. If they match, the certificate is deemed valid. Note The remote provisioning certificate is used only for initial provisioning of the device, bringing it under the management of the provisioning server. Purchase a separate certificate for website hosting.","title":"What is a remote provisioning certificate?"},{"location":"Reference/Certificates/remoteProvisioning/#how-do-provisioning-certificates-work-in-the-toolkit","text":"","title":"How do provisioning certificates work in the Toolkit?"},{"location":"Reference/Certificates/remoteProvisioning/#acquire","text":"","title":"Acquire"},{"location":"Reference/Certificates/remoteProvisioning/#purchase","text":"To use a provisioning certificate in the toolkit, purchase the certificate from a CA. Note You do not have to purchase a certificate for each device in a fleet. The certificate is purchased for the provisioning server. Prices vary per vendor. Comodo DigiCert Entrust GoDaddy Important - Intel AMT and using CAs For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel\u00ae AMT .","title":"Purchase"},{"location":"Reference/Certificates/remoteProvisioning/#generate","text":"Alternatively, for development, custom provisioning certificates can be generated for use using tools like OpenSSL. See Custom Provisioning Certificate for additional details.","title":"Generate"},{"location":"Reference/Certificates/remoteProvisioning/#upload","text":"After purchasing a certificate: Download the personal exchange format (PFX) file. This file contains public and private objects in a single file. It also contains a certificate chain, including the public key of the root certificate, the public key the intermediate certificate, public key of the SSL certificate. Upload it during the domain profile stage of provisioning. The PFX is saved to Vault. This uploaded file is used during the activation stage.","title":"Upload"},{"location":"Reference/Certificates/remoteProvisioning/#activate","text":"After you switch Intel AMT on, or activate it, CIRA is configured. In order to configure CIRA , another certificate is necessary. Currently, the toolkit uses a self-signed certificate generated by MPS and stored in Vault. The certificate generation happens during deployment of the MPS . This certificate cannot be obtained from a vendor. MPS automatically loads the CIRA self-signed certificate into Vault. Intel AMT checks the common name of the self-signed certificate. It must match the one you've supplied in the CIRA Config Profile on the MPS Address line.","title":"Activate"},{"location":"Reference/Certificates/remoteProvisioning/#learn-more","text":"Link Description An Introduction To Intel AMT Remote Configuration Selection Outlines the provisioning process. Certificate Setup and Configuration Video Describes the certificate purchase process. What is the vPro\u00ae Platform? Describes the certificate purchase process.","title":"Learn More"},{"location":"Reference/Certificates/tls/","text":"What is TLS ? \u00b6 Transport Layer Security ( TLS ) is a protocol used to establish encrypted communication sessions over an IP network between an application and server. As the most widely-used encryption protocol, it secures email, instant messaging, voice over IP (VoIP), HTTPS, and more. Encrypted TLS sessions promote data security and prevent tampering, eavesdropping, and other malicious activity. The protocol involves: Public-key Cryptography: public-private key pairs generated by cryptographic algorithms Digital Certificates: an electronic document used to establish identity of the holder with the use of the public key What is a TLS digital certificate? \u00b6 Electronic documents, called certificates, are issued by and purchased from Certificate Authorities (CA), organizations that comply with TLS industry regulations, requirements, and standards. When a client running a web application, such as a browser, connects to a server, the server sends a TLS certificate that can be used to verify the authenticity of a server. The web application uses certificates present on the client to establish a secure connection. There are two ways to use TLS in the toolkit: Purchase a certificate from a CA and inject it via a proxy application Generate a self-signed certificate with mesh commander There are three types of TLS certificates available for purchase from CAs: Certificate Type CA issues to Authentication Level Appropriate for Domain Validated an applicant listed in domain name's admin contact list Low Individuals and very small businesses Organization Validated an organization that submits required documentation Medium Businesses that collect sensitive data, confidential information, social media information, etc. Extended Validation an organization that submits required documentation and passes an EV validation guideline High Businesses that deal with payments, sensitive data, confidential information, etc. All certificate types use 256-bit encryption. What is a self-signed certificate? \u00b6 In addition to purchasing a certificate from a CA, it is possible to generate free self-signed certificates. Self-signed certificates offer trust value within an organization and are appropriate for development, but they are not appropriate for securing content that is presented to outside world. How does TLS work in the Toolkit? \u00b6 Intel\u00ae AMT is preloaded with TLS -based certificate thumbprints, a string of hexadecimal characters that identifies a certificate, of participating vendors. When you purchase and install a certificate from a participating vendor, you'll be able to use the toolkit to perform remote configuration. To get a list of participating vendors, see Intel Developer Zone . MPS and RPS contain TLS -based self-signed certificates that are involved in the device activation. See Remote Provisioning . Learn More \u00b6 Link Description An Introduction To Intel AMT Remote Configuration Selection Outlines the provisioning process. Certificate Setup and Configuration Video Describes the certificate purchase process.","title":"TLS Certificate"},{"location":"Reference/Certificates/tls/#what-is-tls","text":"Transport Layer Security ( TLS ) is a protocol used to establish encrypted communication sessions over an IP network between an application and server. As the most widely-used encryption protocol, it secures email, instant messaging, voice over IP (VoIP), HTTPS, and more. Encrypted TLS sessions promote data security and prevent tampering, eavesdropping, and other malicious activity. The protocol involves: Public-key Cryptography: public-private key pairs generated by cryptographic algorithms Digital Certificates: an electronic document used to establish identity of the holder with the use of the public key","title":"What is TLS?"},{"location":"Reference/Certificates/tls/#what-is-a-tls-digital-certificate","text":"Electronic documents, called certificates, are issued by and purchased from Certificate Authorities (CA), organizations that comply with TLS industry regulations, requirements, and standards. When a client running a web application, such as a browser, connects to a server, the server sends a TLS certificate that can be used to verify the authenticity of a server. The web application uses certificates present on the client to establish a secure connection. There are two ways to use TLS in the toolkit: Purchase a certificate from a CA and inject it via a proxy application Generate a self-signed certificate with mesh commander There are three types of TLS certificates available for purchase from CAs: Certificate Type CA issues to Authentication Level Appropriate for Domain Validated an applicant listed in domain name's admin contact list Low Individuals and very small businesses Organization Validated an organization that submits required documentation Medium Businesses that collect sensitive data, confidential information, social media information, etc. Extended Validation an organization that submits required documentation and passes an EV validation guideline High Businesses that deal with payments, sensitive data, confidential information, etc. All certificate types use 256-bit encryption.","title":"What is a TLS digital certificate?"},{"location":"Reference/Certificates/tls/#what-is-a-self-signed-certificate","text":"In addition to purchasing a certificate from a CA, it is possible to generate free self-signed certificates. Self-signed certificates offer trust value within an organization and are appropriate for development, but they are not appropriate for securing content that is presented to outside world.","title":"What is a self-signed certificate?"},{"location":"Reference/Certificates/tls/#how-does-tls-work-in-the-toolkit","text":"Intel\u00ae AMT is preloaded with TLS -based certificate thumbprints, a string of hexadecimal characters that identifies a certificate, of participating vendors. When you purchase and install a certificate from a participating vendor, you'll be able to use the toolkit to perform remote configuration. To get a list of participating vendors, see Intel Developer Zone . MPS and RPS contain TLS -based self-signed certificates that are involved in the device activation. See Remote Provisioning .","title":"How does TLS work in the Toolkit?"},{"location":"Reference/Certificates/tls/#learn-more","text":"Link Description An Introduction To Intel AMT Remote Configuration Selection Outlines the provisioning process. Certificate Setup and Configuration Video Describes the certificate purchase process.","title":"Learn More"},{"location":"Reference/EA/ieee8021xconfig/","text":"802.1x Configuration is a Preview Feature 802.1x Configuration feature is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub. IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It typically consists of three parts: Supplicant (Client-end User, AMT Device) Authenticator (Access Point or Switch) Authentication Server (RADIUS Server) Prerequisites \u00b6 The following are requirements to configure and connect an AMT device within an 802.1x environment. However, these are not required for the RPS profile creation steps below. Enterprise Assistant configured, running, and connected to an RPS server. Updated to latest AMT Firmware version Note - System Name Length The System Names of the AMT devices must be 15 characters or less. If the name is greater than 15 characters long, it will exceed the system name length allowed by Active Directory and Enterprise Assistant will fail to add the device. Wired 802.1x Configuration \u00b6 Only one wired IEEE8021x Config can be created (per tenant). The following steps walk through how to create the required configs and profiles. To create a Wired IEEE802.1x Config: \u00b6 Select the IEEE 802.1x tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new IEEE802.1x Config Select the Wired option. Specify a Profile Name of your choice. Select an Authentication Protocol . The following are the supported wired authentication protocols. Auth Protocol API Value Description EAP-TLS 0 Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716 . PEAPv0/EAP-MSCHAPv2 2 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 0 EAP type specified in draft-kamath-pppext-peapv0 , with Microsoft PPP CHAP Extensions, Version 2 (MSCHAPv2) as the inner authentication method. PEAPv1/EAP-GTC 3 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 1 EAP type specified in draft-josefsson-pppext-eap-tls-eap , with Generic Token Card (GTC) as the inner authentication method. EAP-FAST/GTC 5 Indicates that the desired EAP type is the Flexible Authentication Extensible Authentication Protocol EAP type specified in IETF RFC 4851 , with Generic Token Card (GTC) as the inner authentication method. EAP-FAST/TLS 10 Indicates that the desired EAP type is the Flexible Authentication EAP type specified in IETF RFC 4851 , with TLS as the inner authentication method. Optionally, change the PXE Timeout . PXE Timeout is the number of seconds in which the Intel(R) AMT will hold an authenticated 802.1X session. During the defined period, Intel(R) AMT manages the 802.1X negotiation while a PXE boot takes place. After the timeout, control of the negotiation passes to the host. Click Save. Example Wired IEEE802.1x Config Figure 2: Example Wired IEEE802.1x Config To link to an AMT Profile: \u00b6 Select the Profiles tab from the left-hand menu. Choose an existing profile or create a new one. Under Network Configuration, select the Wired 802.1x Config from the Wired 802.1x Configuration dropdown. Click Save . After creating the profile and configs, AMT can now be configured for wired 802.1x. Example ACM Profile with IEEE802.1x Figure 3: Example ACM profile with IEEE802.1x Wireless 802.1x Configuration \u00b6 There can be a maximum of 8 wireless IEEE8021x Config created (per tenant). 8 profiles is the maximum AMT can accept. The following steps walk through how to create the required configs and profiles. Select the IEEE 802.1x tab from the left-hand menu. In the top-right corner, click Add New. Figure 4: Create a new IEEE802.1x Config Select the Wireless option. Specify a Profile Name of your choice. Select an Authentication Protocol . The following are the supported wireless authentication protocols. Auth Protocol API Value Description EAP-TLS 0 Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716 . PEAPv0/EAP-MSCHAPv2 2 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 0 EAP type specified in draft-kamath-pppext-peapv0 , with Microsoft PPP CHAP Extensions, Version 2 (MSCHAPv2) as the inner authentication method. Click Save. Example Wireless IEEE802.1x Config Figure 5: Example Wireless IEEE802.1x Config To link to a Wireless Config: \u00b6 Select the Wireless tab from the left-hand menu. Choose an existing profile or create a new one. Under Authentication Method , there should now be two new options. Select either WPA IEEE 802.1x or WPA2 IEEE 802.1x . Click Save . The new wireless config can now be included in an AMT profile. After creating the profile and configs, AMT can now be configured for wireless 802.1x. Example Wireless Config with IEEE802.1x Figure 6: Example Wireless Config with IEEE802.1x","title":"802.1x Configuration"},{"location":"Reference/EA/ieee8021xconfig/#prerequisites","text":"The following are requirements to configure and connect an AMT device within an 802.1x environment. However, these are not required for the RPS profile creation steps below. Enterprise Assistant configured, running, and connected to an RPS server. Updated to latest AMT Firmware version Note - System Name Length The System Names of the AMT devices must be 15 characters or less. If the name is greater than 15 characters long, it will exceed the system name length allowed by Active Directory and Enterprise Assistant will fail to add the device.","title":"Prerequisites"},{"location":"Reference/EA/ieee8021xconfig/#wired-8021x-configuration","text":"Only one wired IEEE8021x Config can be created (per tenant). The following steps walk through how to create the required configs and profiles.","title":"Wired 802.1x Configuration"},{"location":"Reference/EA/ieee8021xconfig/#to-create-a-wired-ieee8021x-config","text":"Select the IEEE 802.1x tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new IEEE802.1x Config Select the Wired option. Specify a Profile Name of your choice. Select an Authentication Protocol . The following are the supported wired authentication protocols. Auth Protocol API Value Description EAP-TLS 0 Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716 . PEAPv0/EAP-MSCHAPv2 2 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 0 EAP type specified in draft-kamath-pppext-peapv0 , with Microsoft PPP CHAP Extensions, Version 2 (MSCHAPv2) as the inner authentication method. PEAPv1/EAP-GTC 3 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 1 EAP type specified in draft-josefsson-pppext-eap-tls-eap , with Generic Token Card (GTC) as the inner authentication method. EAP-FAST/GTC 5 Indicates that the desired EAP type is the Flexible Authentication Extensible Authentication Protocol EAP type specified in IETF RFC 4851 , with Generic Token Card (GTC) as the inner authentication method. EAP-FAST/TLS 10 Indicates that the desired EAP type is the Flexible Authentication EAP type specified in IETF RFC 4851 , with TLS as the inner authentication method. Optionally, change the PXE Timeout . PXE Timeout is the number of seconds in which the Intel(R) AMT will hold an authenticated 802.1X session. During the defined period, Intel(R) AMT manages the 802.1X negotiation while a PXE boot takes place. After the timeout, control of the negotiation passes to the host. Click Save. Example Wired IEEE802.1x Config Figure 2: Example Wired IEEE802.1x Config","title":"To create a Wired IEEE802.1x Config:"},{"location":"Reference/EA/ieee8021xconfig/#to-link-to-an-amt-profile","text":"Select the Profiles tab from the left-hand menu. Choose an existing profile or create a new one. Under Network Configuration, select the Wired 802.1x Config from the Wired 802.1x Configuration dropdown. Click Save . After creating the profile and configs, AMT can now be configured for wired 802.1x. Example ACM Profile with IEEE802.1x Figure 3: Example ACM profile with IEEE802.1x","title":"To link to an AMT Profile:"},{"location":"Reference/EA/ieee8021xconfig/#wireless-8021x-configuration","text":"There can be a maximum of 8 wireless IEEE8021x Config created (per tenant). 8 profiles is the maximum AMT can accept. The following steps walk through how to create the required configs and profiles. Select the IEEE 802.1x tab from the left-hand menu. In the top-right corner, click Add New. Figure 4: Create a new IEEE802.1x Config Select the Wireless option. Specify a Profile Name of your choice. Select an Authentication Protocol . The following are the supported wireless authentication protocols. Auth Protocol API Value Description EAP-TLS 0 Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716 . PEAPv0/EAP-MSCHAPv2 2 Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 0 EAP type specified in draft-kamath-pppext-peapv0 , with Microsoft PPP CHAP Extensions, Version 2 (MSCHAPv2) as the inner authentication method. Click Save. Example Wireless IEEE802.1x Config Figure 5: Example Wireless IEEE802.1x Config","title":"Wireless 802.1x Configuration"},{"location":"Reference/EA/ieee8021xconfig/#to-link-to-a-wireless-config","text":"Select the Wireless tab from the left-hand menu. Choose an existing profile or create a new one. Under Authentication Method , there should now be two new options. Select either WPA IEEE 802.1x or WPA2 IEEE 802.1x . Click Save . The new wireless config can now be included in an AMT profile. After creating the profile and configs, AMT can now be configured for wireless 802.1x. Example Wireless Config with IEEE802.1x Figure 6: Example Wireless Config with IEEE802.1x","title":"To link to a Wireless Config:"},{"location":"Reference/EA/overview/","text":"Enterprise Assistant is a Windows application that can run as a normal application or as a background Windows service. Once setup to connect to RPS (hosted in either the cloud or enterprise), it can be used to assist with the configuration of AMT devices using TLS. Enterprise Assistant will handle certificate signing requests (CSRs) to Microsoft CA. Enterprise Assistant is based off the open-source project MeshCentral Satellite . Figure 1: Enterprise Assistant Architecture Details \u00b6 Enterprise Assistant must run on a computer that is joined to your domain and with sufficient rights that it can create LDAP computer objects. It must have access to the Domain Certificate Authority so it can request that certificates be signed. RPS can be run from either the cloud or the local enterprise network. It is suggested to run Enterprise Assistant as a normal Windows application at first to make sure everything works correctly before running it as a background Windows service. You can start by going in the \"Settings\" option in the menus. Settings are also saved in a local .config file that can be referenced when running as a background Windows service. Prerequisites \u00b6 Software \u00b6 git Microsoft* Visual Studio Services \u00b6 The following services are assumed to be configured and running in your enterprise environment. Microsoft* Certificate Authority (CA) Microsoft* Active Directory (AD) Setup \u00b6 The Enterprise Assistant repository is a codebase that needs to be compiled into a Windows executable before being able to run. Clone the Enterprise Assistant Repository. https://github.com/open-amt-cloud-toolkit/enterprise-assistant.git Open the project in Visual Studio. From the menus, choose Build > Build Solution . By default after compiling, the .exe will be saved in .\\enterprise-assistant\\bin\\Debug\\OpenAMTEnterpriseAssistant.exe . Figure 2: Enterprise Assistant Startup Configuration \u00b6 These steps assume you have either an existing, local or cloud, Open AMT deployment. Kong Configuration \u00b6 To use Enterprise Assistant with Kong API Gateway, we need to configure a new route. Open the kong.yaml file in the ./open-amt-cloud-toolkit/ directory. Uncomment the rps-ea block to enable the /ea route. # uncomment to use with enterprise assistant # - name: rps-ea # host: rps # port: 8082 # tags: # - rps # routes: # - name: rps-ea-route # strip_path: true # paths: # - /ea Restart the Kong service. Enterprise Assistant Configuration \u00b6 Open the Enterprise Assistant File > Settings menu to configure the RPS connection. Figure 3: Enterprise Assistant Settings Menu Provide the RPS Server Hostname. Enterprise Assistant communicates via Websocket. Make sure to include the route /ea (e.g. wss://192.168.1.34/ea ). The Device Name is the name used to configure the domain controller for each device account. Using Node Identifier is more secure due to the inability to be tampered with but is less friendly to maintain as a user. Security Groups will list all of the security groups of the domain controller that have been created within the Computers group. When Enterprise Assistant creates a new Computer account (like a new AMT device), it will join the selected Security Groups. Provide the Certificate Authority and click the checkmark. It will then list the available Certificate Templates to choose from. This will let you select a template specifically created for AMT. Choose how to issue the certificate. Typically, SAM Account Name is most commonly used as the Common Name . Example - Configured Settings Figure 4: Enterprise Assistant Settings Example Save the Settings. Start the connection by going to File > Local Connect . Figure 5: Enterprise Assistant Connecting to RPS After connecting, Enterprise Assistant will wait and listen for RPS to make requests to either add/revoke Computers or issue/revoke Certificates.","title":"Overview"},{"location":"Reference/EA/overview/#details","text":"Enterprise Assistant must run on a computer that is joined to your domain and with sufficient rights that it can create LDAP computer objects. It must have access to the Domain Certificate Authority so it can request that certificates be signed. RPS can be run from either the cloud or the local enterprise network. It is suggested to run Enterprise Assistant as a normal Windows application at first to make sure everything works correctly before running it as a background Windows service. You can start by going in the \"Settings\" option in the menus. Settings are also saved in a local .config file that can be referenced when running as a background Windows service.","title":"Details"},{"location":"Reference/EA/overview/#prerequisites","text":"","title":"Prerequisites"},{"location":"Reference/EA/overview/#software","text":"git Microsoft* Visual Studio","title":"Software"},{"location":"Reference/EA/overview/#services","text":"The following services are assumed to be configured and running in your enterprise environment. Microsoft* Certificate Authority (CA) Microsoft* Active Directory (AD)","title":"Services"},{"location":"Reference/EA/overview/#setup","text":"The Enterprise Assistant repository is a codebase that needs to be compiled into a Windows executable before being able to run. Clone the Enterprise Assistant Repository. https://github.com/open-amt-cloud-toolkit/enterprise-assistant.git Open the project in Visual Studio. From the menus, choose Build > Build Solution . By default after compiling, the .exe will be saved in .\\enterprise-assistant\\bin\\Debug\\OpenAMTEnterpriseAssistant.exe . Figure 2: Enterprise Assistant Startup","title":"Setup"},{"location":"Reference/EA/overview/#configuration","text":"These steps assume you have either an existing, local or cloud, Open AMT deployment.","title":"Configuration"},{"location":"Reference/EA/overview/#kong-configuration","text":"To use Enterprise Assistant with Kong API Gateway, we need to configure a new route. Open the kong.yaml file in the ./open-amt-cloud-toolkit/ directory. Uncomment the rps-ea block to enable the /ea route. # uncomment to use with enterprise assistant # - name: rps-ea # host: rps # port: 8082 # tags: # - rps # routes: # - name: rps-ea-route # strip_path: true # paths: # - /ea Restart the Kong service.","title":"Kong Configuration"},{"location":"Reference/EA/overview/#enterprise-assistant-configuration","text":"Open the Enterprise Assistant File > Settings menu to configure the RPS connection. Figure 3: Enterprise Assistant Settings Menu Provide the RPS Server Hostname. Enterprise Assistant communicates via Websocket. Make sure to include the route /ea (e.g. wss://192.168.1.34/ea ). The Device Name is the name used to configure the domain controller for each device account. Using Node Identifier is more secure due to the inability to be tampered with but is less friendly to maintain as a user. Security Groups will list all of the security groups of the domain controller that have been created within the Computers group. When Enterprise Assistant creates a new Computer account (like a new AMT device), it will join the selected Security Groups. Provide the Certificate Authority and click the checkmark. It will then list the available Certificate Templates to choose from. This will let you select a template specifically created for AMT. Choose how to issue the certificate. Typically, SAM Account Name is most commonly used as the Common Name . Example - Configured Settings Figure 4: Enterprise Assistant Settings Example Save the Settings. Start the connection by going to File > Local Connect . Figure 5: Enterprise Assistant Connecting to RPS After connecting, Enterprise Assistant will wait and listen for RPS to make requests to either add/revoke Computers or issue/revoke Certificates.","title":"Enterprise Assistant Configuration"},{"location":"Reference/MEBX/dnsSuffix/","text":"Manageability Engine BIOS Extensions (MEBX) \u00b6 Intel\u00ae MEBX allows for configuration of the Intel Manageability Engine (ME) platform. Through this interface, you can provision AMT and customize a variety of settings manually. Set a DNS Suffix through MEBX \u00b6 If DHCP option15 is not set, configure the DNS Suffix manually through MEBX. This enables the reactivation of the device remotely at a later time. Important MEBX Must Be Enabled in the BIOS The MEBX screens must be enabled in the BIOS to perform the instructions below. Enter the BIOS configuration at boot to verify MEBX availability. Enable according to manufacturers instructions. To configure the DNS Suffix in the BIOS: Restart or power on the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen. Note The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the AMT password. Note If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Remote Setup and Configuration . Select TLS PKI . Select PKI DNS Suffix . Provide a DNS suffix name and press Enter . Press Esc three times to reach the main menu. Select MEBX Exit , and then press y to confirm the exit.","title":"DNS Suffix"},{"location":"Reference/MEBX/dnsSuffix/#manageability-engine-bios-extensions-mebx","text":"Intel\u00ae MEBX allows for configuration of the Intel Manageability Engine (ME) platform. Through this interface, you can provision AMT and customize a variety of settings manually.","title":"Manageability Engine BIOS Extensions (MEBX)"},{"location":"Reference/MEBX/dnsSuffix/#set-a-dns-suffix-through-mebx","text":"If DHCP option15 is not set, configure the DNS Suffix manually through MEBX. This enables the reactivation of the device remotely at a later time. Important MEBX Must Be Enabled in the BIOS The MEBX screens must be enabled in the BIOS to perform the instructions below. Enter the BIOS configuration at boot to verify MEBX availability. Enable according to manufacturers instructions. To configure the DNS Suffix in the BIOS: Restart or power on the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen. Note The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the AMT password. Note If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Remote Setup and Configuration . Select TLS PKI . Select PKI DNS Suffix . Provide a DNS suffix name and press Enter . Press Esc three times to reach the main menu. Select MEBX Exit , and then press y to confirm the exit.","title":"Set a DNS Suffix through MEBX"},{"location":"Reference/MEBX/unprovision/","text":"Manageability Engine BIOS Extensions (MEBX) \u00b6 Intel\u00ae MEBX allows for configuration of the Intel Manageability Engine (ME) platform. Use this interface to provision and unprovision AMT. It also provides a variety of settings to configure manually. Use the unprovision functionality to remove a device from MPS control. Unprovision an AMT Device Through MEBX \u00b6 To unprovision in the BIOS: Restart or power on the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen Note The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the AMT password. Note If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Intel AMT configuration . Select Unconfigure Network access . Select Full unprovision , and then press y to continue It takes 30 seconds to a minute to unprovision the device. While it is unprovisioning, the up/down arrow keys will not work.","title":"Unprovisioning"},{"location":"Reference/MEBX/unprovision/#manageability-engine-bios-extensions-mebx","text":"Intel\u00ae MEBX allows for configuration of the Intel Manageability Engine (ME) platform. Use this interface to provision and unprovision AMT. It also provides a variety of settings to configure manually. Use the unprovision functionality to remove a device from MPS control.","title":"Manageability Engine BIOS Extensions (MEBX)"},{"location":"Reference/MEBX/unprovision/#unprovision-an-amt-device-through-mebx","text":"To unprovision in the BIOS: Restart or power on the device. While the device is booting up, press Ctrl+P to reach the MEBX login screen Note The keystroke combination Ctrl+P typically invokes the BIOS to display the MEBX login screen. If this does not work, check the manufacturer's instructions or try function keys (e.g., F2, F12). Enter the AMT password. Note If it is the first time entering MEBX and the device has not been provisioned previously, the default password is admin . Create a new password when prompted. Select Intel AMT configuration . Select Unconfigure Network access . Select Full unprovision , and then press y to continue It takes 30 seconds to a minute to unprovision the device. While it is unprovisioning, the up/down arrow keys will not work.","title":"Unprovision an AMT Device Through MEBX"},{"location":"Reference/MPS/configuration/","text":"MPS Configuration Options \u00b6 Environment Variable Default Description MPS_IMAGE mps-microservice:v1 Only used when using docker-compose.yml. Specifies image to use for MPS MPS_USE_VAULT true Whether or not the vault should be used MPS_VAULT_ADDRESS http://vault:8200 Address of where the vault is hosted MPS_VAULT_TOKEN myroot Token used to access the vault MPS_SECRETS_PATH secret/data/ Path to where secrets are stored in the vault MPS_GENERATE_CERTS true Enables/Disables generation of self signed certificates based on MPS_COMMON_NAME MPS_COMMON_NAME localhost Development system's IP address. Note: For this guide, you cannot use localhost because the managed device would be unable to reach the MPS and RPS servers. MPS_PORT 4433 MPS_WEB_PORT 3000 MPS_WEB_ADMIN_USER n/a Specifies the username for API authentication MPS_WEB_ADMIN_PASSWORD n/a Specifies the password for API authentication MPS_WEB_AUTH_ENABLED n/a Specifies whether or not to enable MPS authentication MPS_HTTPS true Specifies whether or not to enable https MPS_TLS_OFFLOAD false MPS_LOG_LEVEL info Controls the level of logging provided in the service. Options are (in order of increasing detail): error , warn , info , verbose , debug , and silly . MPS_JWT_SECRET n/a Secret used for generating a JWT Token. IMPORTANT: This must match the secret in your Kong.yaml file for the jwt plugin configuration. MPS_JWT_ISSUER 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc The issuer that will be populated in the token. This is a not considered a secret. IMPORTANT: This must match the key: property in the Kong.yaml file for the jwt plugin configuration. MPS_JWT_EXPIRATION 1440 The default expiration in minutes for the JWT Token. Default is 24 hours. MPS_MQTT_ADDRESS No Value Address of where the mqtt broker is hosted. Mqtt container is named mosquitto and is open to port 8883 . Thus unless setting are changed the value should be either empty (off) or mqtt://mosquitto:8883 (on) MPS_CONNECTION_STRING postgresql://postgresadmin@localhost:5432/mpsdb?sslmode=no-verify The database connection string","title":"Configuration"},{"location":"Reference/MPS/configuration/#mps-configuration-options","text":"Environment Variable Default Description MPS_IMAGE mps-microservice:v1 Only used when using docker-compose.yml. Specifies image to use for MPS MPS_USE_VAULT true Whether or not the vault should be used MPS_VAULT_ADDRESS http://vault:8200 Address of where the vault is hosted MPS_VAULT_TOKEN myroot Token used to access the vault MPS_SECRETS_PATH secret/data/ Path to where secrets are stored in the vault MPS_GENERATE_CERTS true Enables/Disables generation of self signed certificates based on MPS_COMMON_NAME MPS_COMMON_NAME localhost Development system's IP address. Note: For this guide, you cannot use localhost because the managed device would be unable to reach the MPS and RPS servers. MPS_PORT 4433 MPS_WEB_PORT 3000 MPS_WEB_ADMIN_USER n/a Specifies the username for API authentication MPS_WEB_ADMIN_PASSWORD n/a Specifies the password for API authentication MPS_WEB_AUTH_ENABLED n/a Specifies whether or not to enable MPS authentication MPS_HTTPS true Specifies whether or not to enable https MPS_TLS_OFFLOAD false MPS_LOG_LEVEL info Controls the level of logging provided in the service. Options are (in order of increasing detail): error , warn , info , verbose , debug , and silly . MPS_JWT_SECRET n/a Secret used for generating a JWT Token. IMPORTANT: This must match the secret in your Kong.yaml file for the jwt plugin configuration. MPS_JWT_ISSUER 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc The issuer that will be populated in the token. This is a not considered a secret. IMPORTANT: This must match the key: property in the Kong.yaml file for the jwt plugin configuration. MPS_JWT_EXPIRATION 1440 The default expiration in minutes for the JWT Token. Default is 24 hours. MPS_MQTT_ADDRESS No Value Address of where the mqtt broker is hosted. Mqtt container is named mosquitto and is open to port 8883 . Thus unless setting are changed the value should be either empty (off) or mqtt://mosquitto:8883 (on) MPS_CONNECTION_STRING postgresql://postgresadmin@localhost:5432/mpsdb?sslmode=no-verify The database connection string","title":"MPS Configuration Options"},{"location":"Reference/MPS/securityMPS/","text":"MPS Security Considerations \u00b6 The cloud agnostic microservice Management Presence Server ( MPS ) enables platforms featuring Intel\u00ae AMT to connect over the internet securely to manageability consoles. Secrets are used to ensure the security of the MPS REST APIs. In a deployment environment, consider these security assets: Intel\u00ae AMT remote admin credentials Intel\u00ae AMT CIRA credentials Authorize API end point Server Configuration Web User Credentials In addition to the above assets, there are best practices that are recommended to help secure these assets as they are used within the system. The following sections will cover each asset and the recommended practices to use to protect the assets. Security Assets \u00b6 1. Intel\u00ae AMT remote admin credentials \u00b6 Intel\u00ae AMT remote admin credentials enable a user to remotely control a device featuring Intel\u00ae AMT. These credentials are configured in AMT Firmware by a configuration server (e.g., RPS ). When an administrator performs a REST API call, such as a power off action to the managed device, MPS fetches the corresponding credentials of that device from the configured secrets store (e.g., Vault). MPS uses the fetched secret as part of digest authentication with Intel\u00ae AMT. Intel discourages reuse of passwords among managed devices. Use a strong, unique password for each device to enhance security. 2. Intel\u00ae AMT CIRA credentials \u00b6 When a managed device attempts to establish a connection to the MPS , the MPS performs two checks prior to allowing the connection: 1. The Intel\u00ae AMT device's GUID: This GUID must be stored in the MPS database and is typically added by using the devices POST API. 2. MPS CIRA Credential: The Intel\u00ae AMT device needs to supply the correct credentials to MPS . These credentials are checked against the username, stored in the database, and password, stored in Vault. Use a strong, unique password for each device to enhance security. 3. Authorize API end point \u00b6 MPS supports basic user authentication to the REST APIs with an Authorize API endpoint for issuing a JSON Web Token (JWT). This eliminates the need to set up a full user authentication service before evaluating the software and enables developers to use the microservices right away. However, in a production deployment, use a robust user authentication service (e.g., OAuth2, OpenID, LDAP) and disable the Authorize API endpoint by leaving the MPS Web User credentials blank in the MPS configuration file. 4. Server Configuration \u00b6 To use secure protocols, MPS requires configured certificates and securely stored certificate keys. If the keys are compromised, an attacker will be able to decrypt messages that are encrypted with these certificates. For evaluation purposes, MPS will generate self-signed certificates used for encryption. For production deployment, purchase CA-signed certificates whose signatures can be independently verified. 5. Web User Credentials \u00b6 The Open AMT Cloud Toolkit is designed to operate behind an API gateway, such as Kong API Gateway. The API Gateway validates the Auth Tokens provided by an administrator who is requesting access to an API end point. Once verified, the API Gateway will forward the request to the appropriate microservice, MPS or RPS . To make evaluation easy, MPS has implemented an Authorize API end point that will issue a JWT when the proper web user credentials are provided. The Web User credentials are global credentials that are configured in the MPS configuration file and do not provide any fine-grain permissions. Integration with other user authentication models and fine-grain endpoint permissions are supported through Kong plug-ins and modification of the Kong API Gateway configuration file, respectively. Best Known Security Methods \u00b6 1. Enable TLS on Network Connections \u00b6 There are three potential places where TLS could be enabled to protect the security assets: HTTPS/WSS connection between Web UI and MPS (recommended) Connection between MPS and Vault - If communication between MPS and Vault is outside a secure container environment (not recommended deployment, see item 2 below) Connection between MPS and Intel\u00ae AMT device (required and done automatically by MPS ) Securing these communication routes will help prevent security assets being exposed through network based attacks intercepting messages between components. It is recommended that the most modern version of TLS be used when encrypting communication. 2. Secure and Isolate Execution Environment \u00b6 MPS holds several security assets in memory during execution. To protect these assets while in the memory of MPS , run MPS in a secure execution environment such as a dedicated container. Deploying into a secure container environment eases the burden of individually securing the assets while in memory or in transit between Open AMT Cloud Toolkit services. Running MPS , RPS , API Gateway, MPS Router, Vault, and Database all within the same secure container instance will help ensure that the communication between these services remains secure. 3. Use Vault for Storing Credentials \u00b6 Vault is a tool used to secure, store, and tightly control access to secrets. Utilizing Vault to store passwords used by MPS will greatly increase the security of these assets. 4. Use Kubernetes Secrets for Storing Dynamic Configuration Values \u00b6 Kubernetes Secrets help you to store and manage sensitive information like Tokens. Use Kubernetes secrets for storing environment variables required for configuring MPS rather than putting them in the image/pod. Vault token, Session secret key, and Server configuration assets required for MPS should be stored in Kubernetes secrets.","title":"Security Information"},{"location":"Reference/MPS/securityMPS/#mps-security-considerations","text":"The cloud agnostic microservice Management Presence Server ( MPS ) enables platforms featuring Intel\u00ae AMT to connect over the internet securely to manageability consoles. Secrets are used to ensure the security of the MPS REST APIs. In a deployment environment, consider these security assets: Intel\u00ae AMT remote admin credentials Intel\u00ae AMT CIRA credentials Authorize API end point Server Configuration Web User Credentials In addition to the above assets, there are best practices that are recommended to help secure these assets as they are used within the system. The following sections will cover each asset and the recommended practices to use to protect the assets.","title":"MPS Security Considerations"},{"location":"Reference/MPS/securityMPS/#security-assets","text":"","title":"Security Assets"},{"location":"Reference/MPS/securityMPS/#1-intel-amt-remote-admin-credentials","text":"Intel\u00ae AMT remote admin credentials enable a user to remotely control a device featuring Intel\u00ae AMT. These credentials are configured in AMT Firmware by a configuration server (e.g., RPS ). When an administrator performs a REST API call, such as a power off action to the managed device, MPS fetches the corresponding credentials of that device from the configured secrets store (e.g., Vault). MPS uses the fetched secret as part of digest authentication with Intel\u00ae AMT. Intel discourages reuse of passwords among managed devices. Use a strong, unique password for each device to enhance security.","title":"1. Intel&reg; AMT remote admin credentials"},{"location":"Reference/MPS/securityMPS/#2-intel-amt-cira-credentials","text":"When a managed device attempts to establish a connection to the MPS , the MPS performs two checks prior to allowing the connection: 1. The Intel\u00ae AMT device's GUID: This GUID must be stored in the MPS database and is typically added by using the devices POST API. 2. MPS CIRA Credential: The Intel\u00ae AMT device needs to supply the correct credentials to MPS . These credentials are checked against the username, stored in the database, and password, stored in Vault. Use a strong, unique password for each device to enhance security.","title":"2. Intel&reg; AMT CIRA credentials"},{"location":"Reference/MPS/securityMPS/#3-authorize-api-end-point","text":"MPS supports basic user authentication to the REST APIs with an Authorize API endpoint for issuing a JSON Web Token (JWT). This eliminates the need to set up a full user authentication service before evaluating the software and enables developers to use the microservices right away. However, in a production deployment, use a robust user authentication service (e.g., OAuth2, OpenID, LDAP) and disable the Authorize API endpoint by leaving the MPS Web User credentials blank in the MPS configuration file.","title":"3. Authorize API end point"},{"location":"Reference/MPS/securityMPS/#4-server-configuration","text":"To use secure protocols, MPS requires configured certificates and securely stored certificate keys. If the keys are compromised, an attacker will be able to decrypt messages that are encrypted with these certificates. For evaluation purposes, MPS will generate self-signed certificates used for encryption. For production deployment, purchase CA-signed certificates whose signatures can be independently verified.","title":"4. Server Configuration"},{"location":"Reference/MPS/securityMPS/#5-web-user-credentials","text":"The Open AMT Cloud Toolkit is designed to operate behind an API gateway, such as Kong API Gateway. The API Gateway validates the Auth Tokens provided by an administrator who is requesting access to an API end point. Once verified, the API Gateway will forward the request to the appropriate microservice, MPS or RPS . To make evaluation easy, MPS has implemented an Authorize API end point that will issue a JWT when the proper web user credentials are provided. The Web User credentials are global credentials that are configured in the MPS configuration file and do not provide any fine-grain permissions. Integration with other user authentication models and fine-grain endpoint permissions are supported through Kong plug-ins and modification of the Kong API Gateway configuration file, respectively.","title":"5. Web User Credentials"},{"location":"Reference/MPS/securityMPS/#best-known-security-methods","text":"","title":"Best Known Security Methods"},{"location":"Reference/MPS/securityMPS/#1-enable-tls-on-network-connections","text":"There are three potential places where TLS could be enabled to protect the security assets: HTTPS/WSS connection between Web UI and MPS (recommended) Connection between MPS and Vault - If communication between MPS and Vault is outside a secure container environment (not recommended deployment, see item 2 below) Connection between MPS and Intel\u00ae AMT device (required and done automatically by MPS ) Securing these communication routes will help prevent security assets being exposed through network based attacks intercepting messages between components. It is recommended that the most modern version of TLS be used when encrypting communication.","title":"1. Enable TLS on Network Connections"},{"location":"Reference/MPS/securityMPS/#2-secure-and-isolate-execution-environment","text":"MPS holds several security assets in memory during execution. To protect these assets while in the memory of MPS , run MPS in a secure execution environment such as a dedicated container. Deploying into a secure container environment eases the burden of individually securing the assets while in memory or in transit between Open AMT Cloud Toolkit services. Running MPS , RPS , API Gateway, MPS Router, Vault, and Database all within the same secure container instance will help ensure that the communication between these services remains secure.","title":"2. Secure and Isolate Execution Environment"},{"location":"Reference/MPS/securityMPS/#3-use-vault-for-storing-credentials","text":"Vault is a tool used to secure, store, and tightly control access to secrets. Utilizing Vault to store passwords used by MPS will greatly increase the security of these assets.","title":"3. Use Vault for Storing Credentials"},{"location":"Reference/MPS/securityMPS/#4-use-kubernetes-secrets-for-storing-dynamic-configuration-values","text":"Kubernetes Secrets help you to store and manage sensitive information like Tokens. Use Kubernetes secrets for storing environment variables required for configuring MPS rather than putting them in the image/pod. Vault token, Session secret key, and Server configuration assets required for MPS should be stored in Kubernetes secrets.","title":"4. Use Kubernetes Secrets for Storing Dynamic Configuration Values"},{"location":"Reference/MQTT/customMqttEvents/","text":"RPS and MPS microservices can publish event messages through an MQTT Broker. The following instructions demonstrate how to add, remove, or edit the events published by the server. To learn more about subscribing to these events, see Viewing MQTT Events . Three main components can be manipulated within the MQTT event flow: Individual events throughout MPS and RPS MqttProvider class MQTT broker Individual Events \u00b6 Add Events \u00b6 To add an event: Import MqttProvider class. Use the publishEvent method to add RPS or MPS events. Example: import { MqttProvider } from '../../utils/mqttProvider' MqttProvider . publishEvent ( 'success' , [ 'Example' ], 'Hello World' , guid ) The publishEvent method parameters: Parameter Description message type string designating the message type array of methods methods associated with the message message string message to be published by the event broker GUID device GUID (optional) Note Learn more about publishEvent in the MqttProvider Class . Edit or Delete Events \u00b6 A number of default events have been added to RPS and MPS , such as API calls and action events. Edit or delete any events that are unnecessary or irrelevant for your deployment. Note Event publishing operates independently of the microservices. It will function normally with the addition, adaptation, or deletion of any individual events. MqttProvider Class \u00b6 Connect \u00b6 The MqttProvider class handles the interactions with the MQTT Broker. To establish a connection with the broker: Open the index.ts file of RPS or MPS . Add the following: const mqtt : MqttProvider = new MqttProvider ( config ) mqtt . connectBroker () The connectBroker method creates the connection between a client, stored in the class, and the mosquitto docker container, which acts as the MQTT Broker. The instance of the class, after it has been created and connected, is stored as a static object within the class. This storage enables access to the methods in the class with a simple import rather than passing the instance to MPS or RPS . The config parameter contains the config types of MPS and RPS . MqttProvider uses the MQTT_ADDRESS environment variable to establish a connection. Important The MQTT_ADDRESS environment variables for MPS and RPS are left blank in the .env.template file. This corresponds to the OFF state. To turn event logging with mosquitto ON provide the address of the MQTT Broker, mqtt://mosquitto:8883 , to the MPS_MQTT_ADDRESS and RPS_MQTT_ADDRESS environment variables. Usage \u00b6 The publishEvent method publishes events to the MQTT Broker where subscribers can access event data. The method accepts information about an event, organizes it, adds a timestamp, and sends it to the MQTT Broker. Expand the setup by changing the parameters and the elements within OpenAMTEvent , the interface used to organize the message, or by adding new methods. Indicate information you'd like to receive by subscribing to Topics, which are organized in a directory-like structure. Topics enable administrators to narrow eventing to subjects of interest. Example message type 'success' message: 'CarStarted' topic: cars/ford Subscribers of # , cars or cars/ford receive the above message while subscribers of trucks or cars/ferrari will not. Use publish to send a message to the MQTT Broker and supply a topic as the first argument. Currently, the topic is hard-coded to a default value. Alter this value by adding a parameter, tying the topic to existing parameters, or create different publishEvent methods that correspond to different topics. MQTT Broker \u00b6 The Broker for MQTT messages runs as the Docker* container mosquitto with the image eclipse-mosquitto:latest . Make changes to the functionality of the Broker through mosquitto.conf . Most of the Broker setup has been left in its default state but more information about customizing the broker can be found here .","title":"Customizing MQTT Events"},{"location":"Reference/MQTT/customMqttEvents/#individual-events","text":"","title":"Individual Events"},{"location":"Reference/MQTT/customMqttEvents/#add-events","text":"To add an event: Import MqttProvider class. Use the publishEvent method to add RPS or MPS events. Example: import { MqttProvider } from '../../utils/mqttProvider' MqttProvider . publishEvent ( 'success' , [ 'Example' ], 'Hello World' , guid ) The publishEvent method parameters: Parameter Description message type string designating the message type array of methods methods associated with the message message string message to be published by the event broker GUID device GUID (optional) Note Learn more about publishEvent in the MqttProvider Class .","title":"Add Events"},{"location":"Reference/MQTT/customMqttEvents/#edit-or-delete-events","text":"A number of default events have been added to RPS and MPS , such as API calls and action events. Edit or delete any events that are unnecessary or irrelevant for your deployment. Note Event publishing operates independently of the microservices. It will function normally with the addition, adaptation, or deletion of any individual events.","title":"Edit or Delete Events"},{"location":"Reference/MQTT/customMqttEvents/#mqttprovider-class","text":"","title":"MqttProvider Class"},{"location":"Reference/MQTT/customMqttEvents/#connect","text":"The MqttProvider class handles the interactions with the MQTT Broker. To establish a connection with the broker: Open the index.ts file of RPS or MPS . Add the following: const mqtt : MqttProvider = new MqttProvider ( config ) mqtt . connectBroker () The connectBroker method creates the connection between a client, stored in the class, and the mosquitto docker container, which acts as the MQTT Broker. The instance of the class, after it has been created and connected, is stored as a static object within the class. This storage enables access to the methods in the class with a simple import rather than passing the instance to MPS or RPS . The config parameter contains the config types of MPS and RPS . MqttProvider uses the MQTT_ADDRESS environment variable to establish a connection. Important The MQTT_ADDRESS environment variables for MPS and RPS are left blank in the .env.template file. This corresponds to the OFF state. To turn event logging with mosquitto ON provide the address of the MQTT Broker, mqtt://mosquitto:8883 , to the MPS_MQTT_ADDRESS and RPS_MQTT_ADDRESS environment variables.","title":"Connect"},{"location":"Reference/MQTT/customMqttEvents/#usage","text":"The publishEvent method publishes events to the MQTT Broker where subscribers can access event data. The method accepts information about an event, organizes it, adds a timestamp, and sends it to the MQTT Broker. Expand the setup by changing the parameters and the elements within OpenAMTEvent , the interface used to organize the message, or by adding new methods. Indicate information you'd like to receive by subscribing to Topics, which are organized in a directory-like structure. Topics enable administrators to narrow eventing to subjects of interest. Example message type 'success' message: 'CarStarted' topic: cars/ford Subscribers of # , cars or cars/ford receive the above message while subscribers of trucks or cars/ferrari will not. Use publish to send a message to the MQTT Broker and supply a topic as the first argument. Currently, the topic is hard-coded to a default value. Alter this value by adding a parameter, tying the topic to existing parameters, or create different publishEvent methods that correspond to different topics.","title":"Usage "},{"location":"Reference/MQTT/customMqttEvents/#mqtt-broker","text":"The Broker for MQTT messages runs as the Docker* container mosquitto with the image eclipse-mosquitto:latest . Make changes to the functionality of the Broker through mosquitto.conf . Most of the Broker setup has been left in its default state but more information about customizing the broker can be found here .","title":"MQTT Broker"},{"location":"Reference/MQTT/viewMqttEvents/","text":"Event Monitoring with MQTT ( MQTT Eventing) \u00b6 Open AMT Cloud Toolkit supports Eventing using Message Queuing Telemetry Transport ( MQTT ), an IoT publish-and-subscribe network protocol. With MQTT Eventing, administrators can subscribe to specific topics, categories of events, for server event monitoring. This eliminates the need to query or poll MPS to determine network events, such as a device's activation or deactivation. Administrators can subscribe to events and respond proactively. Important Currently, the implementation publishes all MPS and RPS REST API call events to the MQTT Broker. Figure 1: MQTT Eventing Examples MPS and RPS send JSON events to a Mosquitto* broker deployed as a Docker container. Administrators subscribe to the broker. As shown in Figure 1, proactive notifications are published in the MQTT Broker container. Set Up MQTT Support \u00b6 To enable support: This guide assumes you have completed the Getting Started Guide and have Open AMT currently running in Docker containers. If not, follow the Get Started Guide Setup page . Stop and return here after the your services are running. In a text editor or IDE of choice, open the .env file to edit. Update the following fields. The mqtt: prefix indicates an MQTT broker is being used. Kong* will now route event messages to port 8883. Field Name Set to: RPS_MQTT_ADDRESS mqtt://mosquitto:8883 MPS_MQTT_ADDRESS mqtt://mosquitto:8883 Save and close the file. Pull the Mosquitto image. Read more about profiles in the Docker docs at Using profiles with Compose . docker compose --profile mqtt pull Start the Mosquitto container. docker compose --profile mqtt up -d Note - Cleaning up Mosquitto Container When stopping and cleaning up containers deployed using the mqtt profile, you must also use that profile when running docker compose down in order to remove all resources. Example: docker compose --profile mqtt down -v","title":"Viewing MQTT Events"},{"location":"Reference/MQTT/viewMqttEvents/#event-monitoring-with-mqtt-mqtt-eventing","text":"Open AMT Cloud Toolkit supports Eventing using Message Queuing Telemetry Transport ( MQTT ), an IoT publish-and-subscribe network protocol. With MQTT Eventing, administrators can subscribe to specific topics, categories of events, for server event monitoring. This eliminates the need to query or poll MPS to determine network events, such as a device's activation or deactivation. Administrators can subscribe to events and respond proactively. Important Currently, the implementation publishes all MPS and RPS REST API call events to the MQTT Broker. Figure 1: MQTT Eventing Examples MPS and RPS send JSON events to a Mosquitto* broker deployed as a Docker container. Administrators subscribe to the broker. As shown in Figure 1, proactive notifications are published in the MQTT Broker container.","title":"Event Monitoring with MQTT (MQTT Eventing)"},{"location":"Reference/MQTT/viewMqttEvents/#set-up-mqtt-support","text":"To enable support: This guide assumes you have completed the Getting Started Guide and have Open AMT currently running in Docker containers. If not, follow the Get Started Guide Setup page . Stop and return here after the your services are running. In a text editor or IDE of choice, open the .env file to edit. Update the following fields. The mqtt: prefix indicates an MQTT broker is being used. Kong* will now route event messages to port 8883. Field Name Set to: RPS_MQTT_ADDRESS mqtt://mosquitto:8883 MPS_MQTT_ADDRESS mqtt://mosquitto:8883 Save and close the file. Pull the Mosquitto image. Read more about profiles in the Docker docs at Using profiles with Compose . docker compose --profile mqtt pull Start the Mosquitto container. docker compose --profile mqtt up -d Note - Cleaning up Mosquitto Container When stopping and cleaning up containers deployed using the mqtt profile, you must also use that profile when running docker compose down in order to remove all resources. Example: docker compose --profile mqtt down -v","title":"Set Up MQTT Support"},{"location":"Reference/RPC/buildRPC_Manual/","text":"Developed in Go* programming language, the Remote Provisioning Client ( RPC ) application runs on the managed device and communicates with the Remote Provisioning Server ( RPS ) microservice on the development system. The RPC and RPS configure and activate Intel\u00ae AMT on the managed device. Once properly configured, the remote managed device can call home to the Management Presence Server ( MPS ) by establishing a Client Initiated Remote Access ( CIRA ) connection with the MPS . See Figure 1. Production Environment In a production environment, RPC can be deployed with an in-band manageability agent to distribute it to the fleet of AMT devices. The in-band manageability agent can invoke RPC to run and activate the AMT devices. Figure 1: RPC Configuration Figure 1 Details The RPC on a managed device communicates with the Intel\u00ae Management Engine Interface (Intel\u00ae MEI, previously known as HECI) Driver and the Remote Provisioning Server ( RPS ) interfaces. The Driver uses the Intel\u00ae MEI to talk to Intel\u00ae AMT . The RPC activates Intel\u00ae AMT with an AMT profile, which is associated with a CIRA configuration (Step 3). The profile, which also distinguishes between Client Control Mode ( CCM ) or Admin Control Mode ( ACM ), and configuration were created in Create a CIRA Config or Create an AMT Profile . After running RPC with a profile, Intel\u00ae AMT will establish a CIRA connection with the MPS (Step 4) allowing MPS to manage the remote device and issue AMT commands (Step 5). Prerequisites \u00b6 Before installing and building the RPC , install: Go* Programming Language Get RPC \u00b6 To clone the repository: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone https://github.com/open-amt-cloud-toolkit/rpc-go --branch v2.14.2 Change to the cloned rpc-go directory: cd rpc-go Build RPC \u00b6 Flexible Deployment - RPC as a Library The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. Read more about building RPC as a library here . To build the executable: Open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows): Linux Windows Docker (On Linux Host Only) go build -o rpc ./cmd/main.go go build -o rpc.exe ./cmd/main.go docker build -f \"Dockerfile\" -t rpc-go:latest . Confirm a successful build: Linux Windows Docker (On Linux Host Only) sudo ./rpc version . \\r pc version sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest version Run RPC to Activate and Connect the AMT Device \u00b6 The toolkit provides a reference implementation called the Sample Web UI to manage the device. After running device activation instructions below, your device will be listed on the Devices tab in the Sample Web UI . To run the application and connect the managed device: After building the RPC , copy the executable to the managed device. On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Navigate to the directory containing the RPC application. Running RPC with the activate command configures or provisions Intel\u00ae AMT . It will take 1-2 minutes to finish provisioning the device. In the instruction below: Replace [Development-IP-Address] with the development system's IP address, where the MPS and RPS servers are running. Replace [profile-name] with your created profile in the Sample Web UI . The RPC application command line parameters are case-sensitive. Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n --profile [ profilename ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n --profile [profilename] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n --profile [ profilename ] Note - RPC Arguments Find out more information about the flag and other arguments . Success Example Output after Activating and Configuring a device into ACM : Figure 1: RPC Success Troubleshooting Run into an issue? Try these troubleshooting steps . Transition Activated Device \u00b6 If an Intel vPro\u00ae Platform has been previously activated, either in the BIOS or with another management solution or tool, it can be brought under Open AMT Cloud Toolkit control with the rpc-go application. Additionally, use the following instructions to transition from a previously established toolkit stack to a fresh installation on a new development system. Note Use the following instructions to transition devices to either ACM or CCM profiles. You will need the AMT password. Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To transition the activated device: Check the activation status with amtinfo flag: Linux Windows Docker (On Linux Host Only) sudo ./rpc amtinfo .\\rpc amtinfo sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest amtinfo The control mode indicates the managed device's state: pre-provisioning or deactivated activated in client control mode ( CCM ) activated in admin control mode ( ACM ) Run the rpc-go application with the activate command and the password flag: Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] -password [ AMT password ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n -profile [profilename] -password [AMT password] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] -password [ AMT password ] Success To verify the managed devices list after transitioning, log into the Sample Web UI on the development system. Go to the Devices tab. Alternatively, learn how to list the managed devices via a REST API Call .","title":"Build & Run RPC"},{"location":"Reference/RPC/buildRPC_Manual/#prerequisites","text":"Before installing and building the RPC , install: Go* Programming Language","title":"Prerequisites"},{"location":"Reference/RPC/buildRPC_Manual/#get-rpc","text":"To clone the repository: Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone https://github.com/open-amt-cloud-toolkit/rpc-go --branch v2.14.2 Change to the cloned rpc-go directory: cd rpc-go","title":"Get RPC"},{"location":"Reference/RPC/buildRPC_Manual/#build-rpc","text":"Flexible Deployment - RPC as a Library The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. Read more about building RPC as a library here . To build the executable: Open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows): Linux Windows Docker (On Linux Host Only) go build -o rpc ./cmd/main.go go build -o rpc.exe ./cmd/main.go docker build -f \"Dockerfile\" -t rpc-go:latest . Confirm a successful build: Linux Windows Docker (On Linux Host Only) sudo ./rpc version . \\r pc version sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest version","title":"Build RPC"},{"location":"Reference/RPC/buildRPC_Manual/#run-rpc-to-activate-and-connect-the-amt-device","text":"The toolkit provides a reference implementation called the Sample Web UI to manage the device. After running device activation instructions below, your device will be listed on the Devices tab in the Sample Web UI . To run the application and connect the managed device: After building the RPC , copy the executable to the managed device. On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Navigate to the directory containing the RPC application. Running RPC with the activate command configures or provisions Intel\u00ae AMT . It will take 1-2 minutes to finish provisioning the device. In the instruction below: Replace [Development-IP-Address] with the development system's IP address, where the MPS and RPS servers are running. Replace [profile-name] with your created profile in the Sample Web UI . The RPC application command line parameters are case-sensitive. Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n --profile [ profilename ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n --profile [profilename] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n --profile [ profilename ] Note - RPC Arguments Find out more information about the flag and other arguments . Success Example Output after Activating and Configuring a device into ACM : Figure 1: RPC Success Troubleshooting Run into an issue? Try these troubleshooting steps .","title":"Run RPC to Activate and Connect the AMT Device"},{"location":"Reference/RPC/buildRPC_Manual/#transition-activated-device","text":"If an Intel vPro\u00ae Platform has been previously activated, either in the BIOS or with another management solution or tool, it can be brought under Open AMT Cloud Toolkit control with the rpc-go application. Additionally, use the following instructions to transition from a previously established toolkit stack to a fresh installation on a new development system. Note Use the following instructions to transition devices to either ACM or CCM profiles. You will need the AMT password. Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview . To transition the activated device: Check the activation status with amtinfo flag: Linux Windows Docker (On Linux Host Only) sudo ./rpc amtinfo .\\rpc amtinfo sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest amtinfo The control mode indicates the managed device's state: pre-provisioning or deactivated activated in client control mode ( CCM ) activated in admin control mode ( ACM ) Run the rpc-go application with the activate command and the password flag: Linux Windows Docker (On Linux Host Only) sudo ./rpc activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] -password [ AMT password ] .\\rpc activate -u wss://[Development-IP-Address]/activate -n -profile [profilename] -password [AMT password] sudo docker run --rm -it --device = /dev/mei0 rpc-go:latest activate -u wss:// [ Development-IP-Address ] /activate -n -profile [ profilename ] -password [ AMT password ] Success To verify the managed devices list after transitioning, log into the Sample Web UI on the development system. Go to the Devices tab. Alternatively, learn how to list the managed devices via a REST API Call .","title":"Transition Activated Device"},{"location":"Reference/RPC/commandsRPC/","text":"On the managed device, a Remote Provisioning Client ( RPC ) communicates with the Remote Provision Server ( RPS ) in the process of activating or deactivating the device. In addition to activation and deactivation, the RPC provides informational and maintenance commands. List Commands \u00b6 On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Run the RPC application on the command line with no arguments to see supported commands: Linux Windows sudo ./rpc .\\rpc.exe COMMAND DESCRIPTION EXAMPLE activate Activate this device with a specified profile. ./rpc activate -u wss://server/activate -profile profilename deactivate Deactivate this device. You will be prompted for the AMT password. ./rpc deactivate -u wss://server/deactivate maintenance Execute a maintenance task for the device. You will be prompted for the AMT password. ./rpc maintenance syncclock -u wss://server/maintenance configure Local configuration of a feature on this device. You will be prompted for the AMT password. ./rpc configure addwifisettings ... amtinfo Display AMT status and configuration. ./rpc amtinfo version Display the current version of RPC and the RPC Protocol version. ./rpc version List Command Options \u00b6 Run the application with a command to see available options for the command: Linux Windows sudo ./rpc [ COMMAND ] .\\rpc [COMMAND] activate \u00b6 Activate and Configure the device using RPS : \u00b6 Activate the device with a specified profile: Linux Windows sudo ./rpc activate -u wss://server/activate -profile profilename .\\rpc activate -u wss://server/activate -profile profilename Activate the device locally: \u00b6 This capability is only supported for activating unprovisioned (e.g. pre-provisioning state) devices. This command only activates AMT. It does not do profile-based configuration. CCM ACM rpc activate -local -ccm -amtPassword NewAMTPassword rpc activate -local -acm -amtPassword NewAMTPassword -provisioningCert \"{BASE64_PROV_CERT}\" -provivisioningCertPwd certPassword activate General Options \u00b6 OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -n Skip WebSocket server certificate verification -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -v Verbose output activate Remote-Specific Options \u00b6 OPTION DESCRIPTION -d string DNS suffix override -h string Hostname override -n Skip WebSocket server certificate verification -name string Friendly name to associate with this device -p string Proxy address and port -password Existing set AMT password -profile string Name of the profile to use -tenant string TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled ) -token string JWT Token for Authorization -u string WebSocket address of server to activate against activate Local-Specific Options \u00b6 OPTION DESCRIPTION -acm Flag for ACM Local Activation. -amtPassword string New AMT Password to set on device. -ccm Flag for CCM Local Activation. -local Execute command to AMT directly without cloud interaction. -provisioningCert Base64 string Base64 Encoded String of the .pfx provisioning certificate. -provisioningCertPwd string Password of provisioning certificate. For more information, see Build & Run RPC . To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro\u00ae Platform, see Transition Activated Device . deactivate \u00b6 Warning - Future Deprecation: Changing of Kong Routes We have now enabled the /deactivate Kong route. The previous /activate route will still function for deactivate commands to avoid breaking changes. However, the /activate route's use with deactivate will be deprecated in the future and it is recommended to utilize the new, /deactivate route for new development. Deactivate the device using RPS : \u00b6 rpc deactivate -u wss://server/deactivate Deactivate the device locally: \u00b6 rpc deactivate -local -password AMTPassword deactivate Options \u00b6 OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -local Execute command to AMT directly without cloud interaction. -password string AMT password -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -v Verbose output deactivate Remote-Specific Options \u00b6 OPTION DESCRIPTION -f Force deactivate even if device is not registered with the RPS server -n Skip WebSocket server certificate verification -p string Proxy address and port -token string JWT Token for Authorization -u string WebSocket address of server to activate against For more information, see Build & Run RPC . maintenance \u00b6 Warning - Future Deprecation: Changing of Kong Routes We have now enabled the /maintenance Kong route. The previous /activate route will still function for maintenance commands to avoid breaking changes. However, the /activate route's use with maintenance will be deprecated in the future and it is recommended to utilize the new, /maintenance route for new development. Execute a maintenance command for the managed device: SUBCOMMAND DESCRIPTION changepassword Change the AMT password. A random password is generated by default if -static is not provided. syncclock Sync the host OS clock to AMT. synchostname Sync the OS hostname to AMT Network Settings. syncip Sync the static IP of host OS to AMT Network Settings. Common maintenance Options \u00b6 OPTION DESCRIPTION -f Force maintenance commands even if device is not registered with a server -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -n Skip WebSocket server certificate verification -p string Proxy address and port -password string AMT password -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -tenant string TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled ) -token string JWT Token for Authorization -u string WebSocket address of server to activate against -v Verbose output changepassword \u00b6 Change the AMT password. A random password is generated by default if static option is not passed. Linux Windows sudo ./rpc maintenance changepassword -u wss://server/maintenance .\\rpc maintenance changepassword -u wss://server/maintenance OPTION DESCRIPTION -static New password to be used syncclock \u00b6 Syncs the host OS clock to AMT. Linux Windows sudo ./rpc maintenance syncclock -u wss://server/maintenance .\\rpc maintenance syncclock -u wss://server/maintenance synchostname \u00b6 Sync the OS hostname to AMT Network Settings. Linux Windows sudo ./rpc maintenance synchostname -u wss://server/maintenance .\\rpc maintenance synchostname -u wss://server/maintenance syncip \u00b6 Sync the static IP of host OS to AMT Network Settings. Linux Windows sudo ./rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/maintenance .\\rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/maintenance OPTION DESCRIPTION -staticip IP address to be assigned to AMT If not specified, the IP address of the active OS newtork interface is used -netmask Network mask to be assigned to AMT If not specified, the network mask of the active OS newtork interface is used -gateway Gateway address to be assigned to AMT -primarydns Primary DNS address to be assigned to AMT -secondarydns Secondary DNS address to be assigned to AMT configure \u00b6 Execute a configuration command for the managed device: SUBCOMMAND DESCRIPTION addwifisettings Configure wireless 802.1x locally with RPC (no communication with RPS and EA) Common configuration Options \u00b6 OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -password string AMT password -v Verbose output addwifisettings \u00b6 Configure wireless 802.1x settings of an existing, activated AMT device by passing credentials and certificates directly to AMT rather than through RPS /EA/ RPC . More information on configuring AMT to use 802.1x can be found in 802.1x Configuration . On failure, the addwifisettings maintenance command will rollback any certificates added before the error occurred. Config File Config w/ Secrets File Individual Options -configJson String Option via Config file \u00b6 The Config file can be formatted as either YAML or JSON. This example shows YAML but a JSON template is provided as well. Create a new file called config.yaml . Copy and paste the corresponding template below. These templates show how to create a simple Wireless profile called exampleWifiWPA2 and a Wireless profile utilizing 802.1x called exampleWifi8021x . YAML JSON config.yaml password : 'amtPassword' # optionally, you can provide the AMT password of the device in the config file wifiConfigs : - profileName : 'exampleWifiWPA2' # friendly name (ex. Profile name) ssid : 'exampleSSID' priority : 1 authenticationMethod : 6 encryptionMethod : 4 pskPassphrase : '' - profileName : 'exampleWifi8021x' # friendly name (ex. Profile name) ssid : 'ssid' priority : 2 authenticationMethod : 7 encryptionMethod : 4 ieee8021xProfileName : 'exampleIeee8021xEAP-TLS' ieee8021xConfigs : - profileName : 'exampleIeee8021xEAP-TLS' username : \"exampleUserName\" password : \"\" # 8021x password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2) authenticationProtocol : 0 #8021x profile (ex. EAP-TLS(0)) clientCert : '' caCert : '' privateKey : '' config.json { \"password\" : \"amtPassword\" , \"wifiConfigs\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"ssid\" : \"exampleSSID\" , \"priority\" : 1 , \"authenticationMethod\" : 6 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleWifi8021x\" , \"ssid\" : \"ssid\" , \"priority\" : 2 , \"authenticationMethod\" : 7 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" , \"ieee8021xProfileName\" : \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\" : [ { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"username\" : \"exampleUserName\" , \"password\" : \"\" , \"authenticationProtocol\" : 0 , \"clientCert\" : \"\" , \"caCert\" : \"\" , \"privateKey\" : \"\" } ] } Fill in fields with desired options and secrets. If the secrets are not provided (e.g. secret field is an empty string or not given), the secrets will be prompted for as user input in the command line. Alternatively, secrets can be stored and referenced in a separate file. See Config w/ Secrets File tab for more information. Provide the config.yaml file using the -config flag. rpc configure addwifisettings -config config.yaml via Config with Secrets file \u00b6 If a secrets file is included with the configuration file, those secrets will be used in the matching profileName configuration. These templates show how to create a simple Wireless profile called exampleWifiWPA2 and a Wireless profile utilizing 802.1x called exampleWifi8021x . Create a new file called config.yaml . Copy and paste the corresponding template below. This config.yaml is slightly different from the standard one as we either delete or leave blank the secret fields pskPassphrase , password , and privateKey . YAML JSON config.yaml wifiConfigs : - profileName : 'exampleWifiWPA2' # friendly name (ex. Profile name) ssid : 'exampleSSID' priority : 1 authenticationMethod : 6 encryptionMethod : 4 - profileName : 'exampleWifi8021x' # friendly name (ex. Profile name) ssid : 'ssid' priority : 2 authenticationMethod : 7 encryptionMethod : 4 ieee8021xProfileName : 'exampleIeee8021xEAP-TLS' ieee8021xConfigs : - profileName : 'exampleIeee8021xEAP-TLS' username : \"exampleUserName\" password : \"\" # 8021x password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2) authenticationProtocol : 0 #8021x profile (ex. EAP-TLS(0)) clientCert : '' caCert : '' config.json { \"wifiConfigs\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"ssid\" : \"exampleSSID\" , \"priority\" : 1 , \"authenticationMethod\" : 6 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleWifi8021x\" , \"ssid\" : \"ssid\" , \"priority\" : 2 , \"authenticationMethod\" : 7 , \"encryptionMethod\" : 4 , \"ieee8021xProfileName\" : \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\" : [ { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"username\" : \"exampleUserName\" , \"password\" : \"\" , \"authenticationProtocol\" : 0 , \"clientCert\" : \"\" , \"caCert\" : \"\" , } ] } Create a new file called secrets.yaml . Copy and paste the template below. YAML JSON secrets.yaml secrets : - profileName : 'exampleWifiWPA2' pskPassphrase : '' - profileName : 'exampleIeee8021xEAP-TLS' privateKey : '' - profileName : 'ieee8021xPEAPv0' password : '' secrets.json { \"secrets\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"privateKey\" : \"\" }, { \"profileName\" : \"ieee8021xPEAPv0\" , \"password\" : \"\" } ] } Fill in fields with the secrets. The profileName given in the secrets file must match the corresponding Wireless or 802.1x configuration profileName . Provide the secrets.yaml file using the -secrets flag. rpc configure addwifisettings -config config.yaml -secrets secrets.yaml via Individual Options \u00b6 Alternatively, provide all options directly in the command line. The user will be prompted for missing secrets (i.e. password, privateKey, pskPassphrase, ieee8021xPassword), if not provided. Warning - Use Case and Security The CLI option is intended for use as part of an integration of RPC as a shared library. The passing of secrets directly via command line is highly insecure and NOT recommended. rpc configure addwifisettings -profileName profileName -authenticationMethod 7 -encryptionMethod 4 -ssid \"networkSSID\" -username \"username\" -authenticationProtocol 0 -priority 1 -clientCert \"{CLIENT_CERT}\" -caCert \"{CA_CERT}\" -privateKey \"{PRIVATE_KEY}\" via -configJson Option \u00b6 Or, provide the JSON string directly in the command line. The user will be prompted for missing secrets (i.e. password, privateKey, pskPassphrase, ieee8021xPassword), if not provided. Warning - Use Case and Security The CLI option is intended for use as part of an integration of RPC as a shared library. The passing of secrets directly via command line is highly insecure and NOT recommended. Wireless Only Wireless w/ 802.1x rpc configure addwifisettings -configJson \"{ \"wifiConfigs\": [ { \"profileName\": \"exampleWifi\", \"authenticationMethod\": 6, \"encryptionMethod\": 4, \"ssid\": \"networkSSID\", \"username\": \"username\", \"authenticationProtocol\": 0, \"priority\": 1 } ] }\" rpc configure addwifisettings -configJson \"{ \"wifiConfigs\": [ { \"profileName\": \"exampleWifi8021x\", \"ssid\": \"networkSSID\", \"priority\": 1, \"authenticationMethod\": 7, \"encryptionMethod\": 4, \"ieee8021xProfileName\": \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\": [ { \"profileName\": \"exampleIeee8021xEAP-TLS\", \"username\": \"exampleUserName\", \"password\": \"\", \"authenticationProtocol\": 0, \"clientCert\": \"{CLIENT_CERT}\", \"caCert\": \"{CA_CERT}\", \"privateKey\": \"{PRIVATE_KEY}\" } ] }\" Example Successful Output of Configuring Two Wireless Profiles time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"configuring wifi profile: exampleWifiWPA2\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"successfully configured: exampleWifiWPA2\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"configuring wifi profile: exampleWifi8021x\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"successfully configured: exampleWifi8021x\" OPTION DESCRIPTION -authenticationMethod Wifi authentication method. Valid Values = {4, 5, 6, 7} where 4 = WPA PSK, 5 = WPA_IEEE8021X, 6 = WPA2 PSK, 7 = WPA2_IEEE8021X -authenticationProtocol 802.1x profile protocol. Valid Values = {0, 2} where 0 = EAP- TLS , 2 = EAP/MSCHAPv2 -caCert Trusted Microsoft root CA or 3rd-party root CA in Active Directory domain. -clientCert Client certificate chained to the caCert . Issued by enterprise CA or mapped to computer account in Active Directory. AMT provides this certificate to authenticate itself with the Radius Server. -config File path of a .yaml or .json file with desired wireless and/or wireless 802.1x configuration. -configJson Configuration as a JSON string -encryptionMethod Wifi encryption method. Valid Values = {3, 4} where 3 = TKIP, 4 = CCMP -ieee8021xPassword 802.1x profile password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2). -profileName Profile name (Friendly name), must be alphanumeric. -priority Ranked priority over other profiles. -privateKey 802.1x profile private key of the clientCert . -pskPassphrase Wifi pskPassphrase , if authenticationMethod is WPA PSK(4) or WPA2 PSK(6). -secrets File path of a .yaml or .json file with secrets to be applied to the configurations. -ssid Wifi SSID -username 802.1x username, must match the Common Name of the clientCert . amtinfo \u00b6 Display AMT status and configuration: Linux Windows sudo ./rpc amtinfo [ OPTIONS ] .\\rpc amtinfo [OPTIONS] Not passing [OPTIONS] will print all information. AMT INFO OPTION DESCRIPTION -json JSON Output Version -ver Intel AMT version. Build Number -bld Intel AMT Build Number. System Certificates -cert System Certificate Hashes. If given -password , will print both System and User Certificate Hashes. User Certificates -userCert User Certificate Hashes. Will prompt for AMT password. Or, provide -password flag. SKU -sku Product SKU UUID -uuid Unique Universal Identifier of the device. Used when creating device-specific MPS API calls as part of the REST API's URL path. Control Mode -mode Control Mode below indicates the managed device's state: (a) pre-provisioning state (b) activated in client control mode (c) activated in admin control mode DNS Suffix -dns DNS Suffix set according to PKI DNS Suffix in Intel MEBX or through DHCP Option 15. Requried for ACM activation. DNS Suffix (OS) -dns Hostname (OS) -hostname Device's hostname as set in the Operating System. RAS Network -ras RAS Remote Status -ras Unconnected or connected. State of connection to a management server. RAS Trigger -ras User initiated or periodic. When activated, periodic signifies CIRA established. By default, CIRA sends a heartbeat to the server every 30 seconds to verify and maintain connection. RAS MPS Hostname -ras IP Address or FQDN of the MPS server. ---Wired/Wireless Adapters--- WIRED/WIRELESS ADAPTER OPTION DESCRIPTION DHCP Enabled -lan True/False. Whether or not the network is using DHCP or Static IPs. DHCP Mode -lan Link Status -lan Up/Down. Shows whether or not this adapter is being used by Intel AMT. IP Address -lan If using CIRA or the device is unactivated, this field will show 0.0.0.0 MAC Address -lan Device's MAC Address For more information, see Wireless Activation . version \u00b6 Display the current version of RPC and the RPC Protocol version: Linux Windows sudo ./rpc version .\\rpc version","title":"RPC CLI"},{"location":"Reference/RPC/commandsRPC/#list-commands","text":"On the managed device, open a Terminal (Linux) or Powershell/Command Prompt as Administrator (Windows). Run the RPC application on the command line with no arguments to see supported commands: Linux Windows sudo ./rpc .\\rpc.exe COMMAND DESCRIPTION EXAMPLE activate Activate this device with a specified profile. ./rpc activate -u wss://server/activate -profile profilename deactivate Deactivate this device. You will be prompted for the AMT password. ./rpc deactivate -u wss://server/deactivate maintenance Execute a maintenance task for the device. You will be prompted for the AMT password. ./rpc maintenance syncclock -u wss://server/maintenance configure Local configuration of a feature on this device. You will be prompted for the AMT password. ./rpc configure addwifisettings ... amtinfo Display AMT status and configuration. ./rpc amtinfo version Display the current version of RPC and the RPC Protocol version. ./rpc version","title":"List Commands"},{"location":"Reference/RPC/commandsRPC/#list-command-options","text":"Run the application with a command to see available options for the command: Linux Windows sudo ./rpc [ COMMAND ] .\\rpc [COMMAND]","title":"List Command Options"},{"location":"Reference/RPC/commandsRPC/#activate","text":"","title":"activate"},{"location":"Reference/RPC/commandsRPC/#activate-and-configure-the-device-using-rps","text":"Activate the device with a specified profile: Linux Windows sudo ./rpc activate -u wss://server/activate -profile profilename .\\rpc activate -u wss://server/activate -profile profilename","title":"Activate and Configure the device using RPS:"},{"location":"Reference/RPC/commandsRPC/#activate-the-device-locally","text":"This capability is only supported for activating unprovisioned (e.g. pre-provisioning state) devices. This command only activates AMT. It does not do profile-based configuration. CCM ACM rpc activate -local -ccm -amtPassword NewAMTPassword rpc activate -local -acm -amtPassword NewAMTPassword -provisioningCert \"{BASE64_PROV_CERT}\" -provivisioningCertPwd certPassword","title":"Activate the device locally:"},{"location":"Reference/RPC/commandsRPC/#activate-general-options","text":"OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -n Skip WebSocket server certificate verification -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -v Verbose output","title":"activate General Options"},{"location":"Reference/RPC/commandsRPC/#activate-remote-specific-options","text":"OPTION DESCRIPTION -d string DNS suffix override -h string Hostname override -n Skip WebSocket server certificate verification -name string Friendly name to associate with this device -p string Proxy address and port -password Existing set AMT password -profile string Name of the profile to use -tenant string TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled ) -token string JWT Token for Authorization -u string WebSocket address of server to activate against","title":"activate Remote-Specific Options"},{"location":"Reference/RPC/commandsRPC/#activate-local-specific-options","text":"OPTION DESCRIPTION -acm Flag for ACM Local Activation. -amtPassword string New AMT Password to set on device. -ccm Flag for CCM Local Activation. -local Execute command to AMT directly without cloud interaction. -provisioningCert Base64 string Base64 Encoded String of the .pfx provisioning certificate. -provisioningCertPwd string Password of provisioning certificate. For more information, see Build & Run RPC . To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro\u00ae Platform, see Transition Activated Device .","title":"activate Local-Specific Options"},{"location":"Reference/RPC/commandsRPC/#deactivate","text":"Warning - Future Deprecation: Changing of Kong Routes We have now enabled the /deactivate Kong route. The previous /activate route will still function for deactivate commands to avoid breaking changes. However, the /activate route's use with deactivate will be deprecated in the future and it is recommended to utilize the new, /deactivate route for new development.","title":"deactivate"},{"location":"Reference/RPC/commandsRPC/#deactivate-the-device-using-rps","text":"rpc deactivate -u wss://server/deactivate","title":"Deactivate the device using RPS:"},{"location":"Reference/RPC/commandsRPC/#deactivate-the-device-locally","text":"rpc deactivate -local -password AMTPassword","title":"Deactivate the device locally:"},{"location":"Reference/RPC/commandsRPC/#deactivate-options","text":"OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -local Execute command to AMT directly without cloud interaction. -password string AMT password -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -v Verbose output","title":"deactivate Options"},{"location":"Reference/RPC/commandsRPC/#deactivate-remote-specific-options","text":"OPTION DESCRIPTION -f Force deactivate even if device is not registered with the RPS server -n Skip WebSocket server certificate verification -p string Proxy address and port -token string JWT Token for Authorization -u string WebSocket address of server to activate against For more information, see Build & Run RPC .","title":"deactivate Remote-Specific Options"},{"location":"Reference/RPC/commandsRPC/#maintenance","text":"Warning - Future Deprecation: Changing of Kong Routes We have now enabled the /maintenance Kong route. The previous /activate route will still function for maintenance commands to avoid breaking changes. However, the /activate route's use with maintenance will be deprecated in the future and it is recommended to utilize the new, /maintenance route for new development. Execute a maintenance command for the managed device: SUBCOMMAND DESCRIPTION changepassword Change the AMT password. A random password is generated by default if -static is not provided. syncclock Sync the host OS clock to AMT. synchostname Sync the OS hostname to AMT Network Settings. syncip Sync the static IP of host OS to AMT Network Settings.","title":"maintenance"},{"location":"Reference/RPC/commandsRPC/#common-maintenance-options","text":"OPTION DESCRIPTION -f Force maintenance commands even if device is not registered with a server -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -lmsaddress string LMS address (default \"localhost\"). Can be used to change location of LMS for debugging. -lmsport string LMS port (default \"16992\") -n Skip WebSocket server certificate verification -p string Proxy address and port -password string AMT password -t duration Time to wait until AMT is ready (e.g. 2m or 30s ), the default is 2m0s -tenant string TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled ) -token string JWT Token for Authorization -u string WebSocket address of server to activate against -v Verbose output","title":"Common maintenance Options"},{"location":"Reference/RPC/commandsRPC/#changepassword","text":"Change the AMT password. A random password is generated by default if static option is not passed. Linux Windows sudo ./rpc maintenance changepassword -u wss://server/maintenance .\\rpc maintenance changepassword -u wss://server/maintenance OPTION DESCRIPTION -static New password to be used","title":"changepassword"},{"location":"Reference/RPC/commandsRPC/#syncclock","text":"Syncs the host OS clock to AMT. Linux Windows sudo ./rpc maintenance syncclock -u wss://server/maintenance .\\rpc maintenance syncclock -u wss://server/maintenance","title":"syncclock"},{"location":"Reference/RPC/commandsRPC/#synchostname","text":"Sync the OS hostname to AMT Network Settings. Linux Windows sudo ./rpc maintenance synchostname -u wss://server/maintenance .\\rpc maintenance synchostname -u wss://server/maintenance","title":"synchostname"},{"location":"Reference/RPC/commandsRPC/#syncip","text":"Sync the static IP of host OS to AMT Network Settings. Linux Windows sudo ./rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/maintenance .\\rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/maintenance OPTION DESCRIPTION -staticip IP address to be assigned to AMT If not specified, the IP address of the active OS newtork interface is used -netmask Network mask to be assigned to AMT If not specified, the network mask of the active OS newtork interface is used -gateway Gateway address to be assigned to AMT -primarydns Primary DNS address to be assigned to AMT -secondarydns Secondary DNS address to be assigned to AMT","title":"syncip"},{"location":"Reference/RPC/commandsRPC/#configure","text":"Execute a configuration command for the managed device: SUBCOMMAND DESCRIPTION addwifisettings Configure wireless 802.1x locally with RPC (no communication with RPS and EA)","title":"configure"},{"location":"Reference/RPC/commandsRPC/#common-configuration-options","text":"OPTION DESCRIPTION -json JSON output -l string Log level (panic,fatal,error,warn,info,debug,trace) (default \"info\") -password string AMT password -v Verbose output","title":"Common configuration Options"},{"location":"Reference/RPC/commandsRPC/#addwifisettings","text":"Configure wireless 802.1x settings of an existing, activated AMT device by passing credentials and certificates directly to AMT rather than through RPS /EA/ RPC . More information on configuring AMT to use 802.1x can be found in 802.1x Configuration . On failure, the addwifisettings maintenance command will rollback any certificates added before the error occurred. Config File Config w/ Secrets File Individual Options -configJson String Option","title":"addwifisettings"},{"location":"Reference/RPC/commandsRPC/#via-config-file","text":"The Config file can be formatted as either YAML or JSON. This example shows YAML but a JSON template is provided as well. Create a new file called config.yaml . Copy and paste the corresponding template below. These templates show how to create a simple Wireless profile called exampleWifiWPA2 and a Wireless profile utilizing 802.1x called exampleWifi8021x . YAML JSON config.yaml password : 'amtPassword' # optionally, you can provide the AMT password of the device in the config file wifiConfigs : - profileName : 'exampleWifiWPA2' # friendly name (ex. Profile name) ssid : 'exampleSSID' priority : 1 authenticationMethod : 6 encryptionMethod : 4 pskPassphrase : '' - profileName : 'exampleWifi8021x' # friendly name (ex. Profile name) ssid : 'ssid' priority : 2 authenticationMethod : 7 encryptionMethod : 4 ieee8021xProfileName : 'exampleIeee8021xEAP-TLS' ieee8021xConfigs : - profileName : 'exampleIeee8021xEAP-TLS' username : \"exampleUserName\" password : \"\" # 8021x password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2) authenticationProtocol : 0 #8021x profile (ex. EAP-TLS(0)) clientCert : '' caCert : '' privateKey : '' config.json { \"password\" : \"amtPassword\" , \"wifiConfigs\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"ssid\" : \"exampleSSID\" , \"priority\" : 1 , \"authenticationMethod\" : 6 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleWifi8021x\" , \"ssid\" : \"ssid\" , \"priority\" : 2 , \"authenticationMethod\" : 7 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" , \"ieee8021xProfileName\" : \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\" : [ { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"username\" : \"exampleUserName\" , \"password\" : \"\" , \"authenticationProtocol\" : 0 , \"clientCert\" : \"\" , \"caCert\" : \"\" , \"privateKey\" : \"\" } ] } Fill in fields with desired options and secrets. If the secrets are not provided (e.g. secret field is an empty string or not given), the secrets will be prompted for as user input in the command line. Alternatively, secrets can be stored and referenced in a separate file. See Config w/ Secrets File tab for more information. Provide the config.yaml file using the -config flag. rpc configure addwifisettings -config config.yaml","title":"via Config file"},{"location":"Reference/RPC/commandsRPC/#via-config-with-secrets-file","text":"If a secrets file is included with the configuration file, those secrets will be used in the matching profileName configuration. These templates show how to create a simple Wireless profile called exampleWifiWPA2 and a Wireless profile utilizing 802.1x called exampleWifi8021x . Create a new file called config.yaml . Copy and paste the corresponding template below. This config.yaml is slightly different from the standard one as we either delete or leave blank the secret fields pskPassphrase , password , and privateKey . YAML JSON config.yaml wifiConfigs : - profileName : 'exampleWifiWPA2' # friendly name (ex. Profile name) ssid : 'exampleSSID' priority : 1 authenticationMethod : 6 encryptionMethod : 4 - profileName : 'exampleWifi8021x' # friendly name (ex. Profile name) ssid : 'ssid' priority : 2 authenticationMethod : 7 encryptionMethod : 4 ieee8021xProfileName : 'exampleIeee8021xEAP-TLS' ieee8021xConfigs : - profileName : 'exampleIeee8021xEAP-TLS' username : \"exampleUserName\" password : \"\" # 8021x password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2) authenticationProtocol : 0 #8021x profile (ex. EAP-TLS(0)) clientCert : '' caCert : '' config.json { \"wifiConfigs\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"ssid\" : \"exampleSSID\" , \"priority\" : 1 , \"authenticationMethod\" : 6 , \"encryptionMethod\" : 4 , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleWifi8021x\" , \"ssid\" : \"ssid\" , \"priority\" : 2 , \"authenticationMethod\" : 7 , \"encryptionMethod\" : 4 , \"ieee8021xProfileName\" : \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\" : [ { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"username\" : \"exampleUserName\" , \"password\" : \"\" , \"authenticationProtocol\" : 0 , \"clientCert\" : \"\" , \"caCert\" : \"\" , } ] } Create a new file called secrets.yaml . Copy and paste the template below. YAML JSON secrets.yaml secrets : - profileName : 'exampleWifiWPA2' pskPassphrase : '' - profileName : 'exampleIeee8021xEAP-TLS' privateKey : '' - profileName : 'ieee8021xPEAPv0' password : '' secrets.json { \"secrets\" : [ { \"profileName\" : \"exampleWifiWPA2\" , \"pskPassphrase\" : \"\" }, { \"profileName\" : \"exampleIeee8021xEAP-TLS\" , \"privateKey\" : \"\" }, { \"profileName\" : \"ieee8021xPEAPv0\" , \"password\" : \"\" } ] } Fill in fields with the secrets. The profileName given in the secrets file must match the corresponding Wireless or 802.1x configuration profileName . Provide the secrets.yaml file using the -secrets flag. rpc configure addwifisettings -config config.yaml -secrets secrets.yaml","title":"via Config with Secrets file"},{"location":"Reference/RPC/commandsRPC/#via-individual-options","text":"Alternatively, provide all options directly in the command line. The user will be prompted for missing secrets (i.e. password, privateKey, pskPassphrase, ieee8021xPassword), if not provided. Warning - Use Case and Security The CLI option is intended for use as part of an integration of RPC as a shared library. The passing of secrets directly via command line is highly insecure and NOT recommended. rpc configure addwifisettings -profileName profileName -authenticationMethod 7 -encryptionMethod 4 -ssid \"networkSSID\" -username \"username\" -authenticationProtocol 0 -priority 1 -clientCert \"{CLIENT_CERT}\" -caCert \"{CA_CERT}\" -privateKey \"{PRIVATE_KEY}\"","title":"via Individual Options"},{"location":"Reference/RPC/commandsRPC/#via-configjson-option","text":"Or, provide the JSON string directly in the command line. The user will be prompted for missing secrets (i.e. password, privateKey, pskPassphrase, ieee8021xPassword), if not provided. Warning - Use Case and Security The CLI option is intended for use as part of an integration of RPC as a shared library. The passing of secrets directly via command line is highly insecure and NOT recommended. Wireless Only Wireless w/ 802.1x rpc configure addwifisettings -configJson \"{ \"wifiConfigs\": [ { \"profileName\": \"exampleWifi\", \"authenticationMethod\": 6, \"encryptionMethod\": 4, \"ssid\": \"networkSSID\", \"username\": \"username\", \"authenticationProtocol\": 0, \"priority\": 1 } ] }\" rpc configure addwifisettings -configJson \"{ \"wifiConfigs\": [ { \"profileName\": \"exampleWifi8021x\", \"ssid\": \"networkSSID\", \"priority\": 1, \"authenticationMethod\": 7, \"encryptionMethod\": 4, \"ieee8021xProfileName\": \"exampleIeee8021xEAP-TLS\" } ], \"ieee8021xConfigs\": [ { \"profileName\": \"exampleIeee8021xEAP-TLS\", \"username\": \"exampleUserName\", \"password\": \"\", \"authenticationProtocol\": 0, \"clientCert\": \"{CLIENT_CERT}\", \"caCert\": \"{CA_CERT}\", \"privateKey\": \"{PRIVATE_KEY}\" } ] }\" Example Successful Output of Configuring Two Wireless Profiles time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"configuring wifi profile: exampleWifiWPA2\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"successfully configured: exampleWifiWPA2\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"configuring wifi profile: exampleWifi8021x\" time=\"2023-08-30T13:21:39-07:00\" level=info msg=\"successfully configured: exampleWifi8021x\" OPTION DESCRIPTION -authenticationMethod Wifi authentication method. Valid Values = {4, 5, 6, 7} where 4 = WPA PSK, 5 = WPA_IEEE8021X, 6 = WPA2 PSK, 7 = WPA2_IEEE8021X -authenticationProtocol 802.1x profile protocol. Valid Values = {0, 2} where 0 = EAP- TLS , 2 = EAP/MSCHAPv2 -caCert Trusted Microsoft root CA or 3rd-party root CA in Active Directory domain. -clientCert Client certificate chained to the caCert . Issued by enterprise CA or mapped to computer account in Active Directory. AMT provides this certificate to authenticate itself with the Radius Server. -config File path of a .yaml or .json file with desired wireless and/or wireless 802.1x configuration. -configJson Configuration as a JSON string -encryptionMethod Wifi encryption method. Valid Values = {3, 4} where 3 = TKIP, 4 = CCMP -ieee8021xPassword 802.1x profile password if authenticationProtocol is PEAPv0/EAP-MSCHAPv2(2). -profileName Profile name (Friendly name), must be alphanumeric. -priority Ranked priority over other profiles. -privateKey 802.1x profile private key of the clientCert . -pskPassphrase Wifi pskPassphrase , if authenticationMethod is WPA PSK(4) or WPA2 PSK(6). -secrets File path of a .yaml or .json file with secrets to be applied to the configurations. -ssid Wifi SSID -username 802.1x username, must match the Common Name of the clientCert .","title":"via -configJson Option"},{"location":"Reference/RPC/commandsRPC/#amtinfo","text":"Display AMT status and configuration: Linux Windows sudo ./rpc amtinfo [ OPTIONS ] .\\rpc amtinfo [OPTIONS] Not passing [OPTIONS] will print all information. AMT INFO OPTION DESCRIPTION -json JSON Output Version -ver Intel AMT version. Build Number -bld Intel AMT Build Number. System Certificates -cert System Certificate Hashes. If given -password , will print both System and User Certificate Hashes. User Certificates -userCert User Certificate Hashes. Will prompt for AMT password. Or, provide -password flag. SKU -sku Product SKU UUID -uuid Unique Universal Identifier of the device. Used when creating device-specific MPS API calls as part of the REST API's URL path. Control Mode -mode Control Mode below indicates the managed device's state: (a) pre-provisioning state (b) activated in client control mode (c) activated in admin control mode DNS Suffix -dns DNS Suffix set according to PKI DNS Suffix in Intel MEBX or through DHCP Option 15. Requried for ACM activation. DNS Suffix (OS) -dns Hostname (OS) -hostname Device's hostname as set in the Operating System. RAS Network -ras RAS Remote Status -ras Unconnected or connected. State of connection to a management server. RAS Trigger -ras User initiated or periodic. When activated, periodic signifies CIRA established. By default, CIRA sends a heartbeat to the server every 30 seconds to verify and maintain connection. RAS MPS Hostname -ras IP Address or FQDN of the MPS server. ---Wired/Wireless Adapters--- WIRED/WIRELESS ADAPTER OPTION DESCRIPTION DHCP Enabled -lan True/False. Whether or not the network is using DHCP or Static IPs. DHCP Mode -lan Link Status -lan Up/Down. Shows whether or not this adapter is being used by Intel AMT. IP Address -lan If using CIRA or the device is unactivated, this field will show 0.0.0.0 MAC Address -lan Device's MAC Address For more information, see Wireless Activation .","title":"amtinfo"},{"location":"Reference/RPC/commandsRPC/#version","text":"Display the current version of RPC and the RPC Protocol version: Linux Windows sudo ./rpc version .\\rpc version","title":"version"},{"location":"Reference/RPC/libraryRPC/","text":"On the managed device, a Remote Provisioning Client ( RPC ) communicates with the Remote Provision Server ( RPS ) in the process of activating or deactivating the device. In addition to activation and deactivation, the RPC provides informational and maintenance commands. Find all RPC commands here . Prerequisites \u00b6 A GCC toolchain is required to compile RPC as a library. Linux Windows Run the following command to install: sudo apt install build-essential Download and Install tdm-gcc . Build Library \u00b6 Linux Lib (.so file) Windows Lib (.dll file) go build -buildmode = c-shared -o librpc.so ./cmd go build -buildmode = c-shared -o rpc.dll ./cmd Library Functions \u00b6 The library contains two functions: Function Description Usage checkAccess Determines if RPC is being run as admin, the ME driver is installed, and AMT is available. Use this function to check for basic AMT availability conditions. rpcExec Executes RPC commands. Use this function as you would the RPC executable, passing in arguments to activate, deactivate, perform maintenance, etc. Sample Client in C# \u00b6 Find a simple sample client in the RPC -go's dotnet folder . Include in C# \u00b6 This sample code demonstrates how to import the DLL's functions: //Linux-style example (.so extenstion) [DllImport(\"rpc\")] static extern int rpcCheckAccess (); Call a Function \u00b6 This sample provides an example of calling the rpcExec function to activate a device: //Import [DllImport(\"rpc\")] static extern int rpcExec ([ In ] byte [] rpccmd , ref IntPtr output ); int returnCode ; Console . WriteLine ( \"... CALLING rpcCheckAccess ...\" ); returnCode = rpcCheckAccess (); Console . WriteLine ( \"... rpcCheckAccess completed: return code[\" + returnCode + \"] \" ); Console . WriteLine (); var res = \"\" ; foreach ( var arg in args ) { res += $\"{arg} \" ; } // Example commands to be passed in // string res = \"activate -u wss://192.168.1.96/activate -n -profile Test_Profile\"; // string res = \"amtinfo\"; IntPtr output = IntPtr . Zero ; Console . WriteLine ( \"... CALLING rpcExec with argument string: \" + res ); returnCode = rpcExec ( Encoding . ASCII . GetBytes ( res ), ref output ); Console . WriteLine ( \"... rpcExec completed: return code[\" + returnCode + \"] \" + Marshal . PtrToStringAnsi ( output )); RPC Error Code Charts \u00b6 General Errors \u00b6 (1-19) Basic Errors Outside of Open AMT Cloud Toolkit \u00b6 Error Code Message 1 Incorrect permissions (not admin or sudo) 2 HECI driver not detected 3 AMT not detected 4 AMT not ready (20-69) Input errors to RPC \u00b6 Error Code Message 20 Missing or incorrect URL 21 Missing or incorrect profile 22 Server certificate verification failed 23 Missing or incorrect password 24 Missing DNS Suffix 25 Missing hostname 26 Missing proxy address and port 27 Missing static IP information (70-99) Connection Errors \u00b6 Error Code Message 70 RPS authentication failed 71 AMT connection failed 72 OS network interfaces lookup failed AMT-Specific Errors \u00b6 (100-149) Activation and Configuration Errors \u00b6 Error Code Message 100 AMT authentication failed 101 WSMAN message error 102 Activation failed 103 Network configuration failed 104 CIRA configuration failed 105 TLS configuration failed 106 WiFi configuration failed 107 AMT features configuration failed 108 802.1x configuration failed (150-199) Maintenance Errors \u00b6 Error Code Message 150 Clock sync failed 151 Hostname sync failed 152 Network sync failed","title":"RPC Library"},{"location":"Reference/RPC/libraryRPC/#prerequisites","text":"A GCC toolchain is required to compile RPC as a library. Linux Windows Run the following command to install: sudo apt install build-essential Download and Install tdm-gcc .","title":"Prerequisites"},{"location":"Reference/RPC/libraryRPC/#build-library","text":"Linux Lib (.so file) Windows Lib (.dll file) go build -buildmode = c-shared -o librpc.so ./cmd go build -buildmode = c-shared -o rpc.dll ./cmd","title":"Build Library"},{"location":"Reference/RPC/libraryRPC/#library-functions","text":"The library contains two functions: Function Description Usage checkAccess Determines if RPC is being run as admin, the ME driver is installed, and AMT is available. Use this function to check for basic AMT availability conditions. rpcExec Executes RPC commands. Use this function as you would the RPC executable, passing in arguments to activate, deactivate, perform maintenance, etc.","title":"Library Functions"},{"location":"Reference/RPC/libraryRPC/#sample-client-in-c","text":"Find a simple sample client in the RPC -go's dotnet folder .","title":"Sample Client in C#"},{"location":"Reference/RPC/libraryRPC/#include-in-c","text":"This sample code demonstrates how to import the DLL's functions: //Linux-style example (.so extenstion) [DllImport(\"rpc\")] static extern int rpcCheckAccess ();","title":"Include in C#"},{"location":"Reference/RPC/libraryRPC/#call-a-function","text":"This sample provides an example of calling the rpcExec function to activate a device: //Import [DllImport(\"rpc\")] static extern int rpcExec ([ In ] byte [] rpccmd , ref IntPtr output ); int returnCode ; Console . WriteLine ( \"... CALLING rpcCheckAccess ...\" ); returnCode = rpcCheckAccess (); Console . WriteLine ( \"... rpcCheckAccess completed: return code[\" + returnCode + \"] \" ); Console . WriteLine (); var res = \"\" ; foreach ( var arg in args ) { res += $\"{arg} \" ; } // Example commands to be passed in // string res = \"activate -u wss://192.168.1.96/activate -n -profile Test_Profile\"; // string res = \"amtinfo\"; IntPtr output = IntPtr . Zero ; Console . WriteLine ( \"... CALLING rpcExec with argument string: \" + res ); returnCode = rpcExec ( Encoding . ASCII . GetBytes ( res ), ref output ); Console . WriteLine ( \"... rpcExec completed: return code[\" + returnCode + \"] \" + Marshal . PtrToStringAnsi ( output ));","title":"Call a Function"},{"location":"Reference/RPC/libraryRPC/#rpc-error-code-charts","text":"","title":"RPC Error Code Charts"},{"location":"Reference/RPC/libraryRPC/#general-errors","text":"","title":"General Errors"},{"location":"Reference/RPC/libraryRPC/#1-19-basic-errors-outside-of-open-amt-cloud-toolkit","text":"Error Code Message 1 Incorrect permissions (not admin or sudo) 2 HECI driver not detected 3 AMT not detected 4 AMT not ready","title":"(1-19) Basic Errors Outside of Open AMT Cloud Toolkit"},{"location":"Reference/RPC/libraryRPC/#20-69-input-errors-to-rpc","text":"Error Code Message 20 Missing or incorrect URL 21 Missing or incorrect profile 22 Server certificate verification failed 23 Missing or incorrect password 24 Missing DNS Suffix 25 Missing hostname 26 Missing proxy address and port 27 Missing static IP information","title":"(20-69) Input errors to RPC"},{"location":"Reference/RPC/libraryRPC/#70-99-connection-errors","text":"Error Code Message 70 RPS authentication failed 71 AMT connection failed 72 OS network interfaces lookup failed","title":"(70-99) Connection Errors"},{"location":"Reference/RPC/libraryRPC/#amt-specific-errors","text":"","title":"AMT-Specific Errors"},{"location":"Reference/RPC/libraryRPC/#100-149-activation-and-configuration-errors","text":"Error Code Message 100 AMT authentication failed 101 WSMAN message error 102 Activation failed 103 Network configuration failed 104 CIRA configuration failed 105 TLS configuration failed 106 WiFi configuration failed 107 AMT features configuration failed 108 802.1x configuration failed","title":"(100-149) Activation and Configuration Errors"},{"location":"Reference/RPC/libraryRPC/#150-199-maintenance-errors","text":"Error Code Message 150 Clock sync failed 151 Hostname sync failed 152 Network sync failed","title":"(150-199) Maintenance Errors"},{"location":"Reference/RPS/configuration/","text":"RPS Configuration \u00b6 Environment Variable Default Description RPS_IMAGE rps-microservice:v1 Only used when using docker-compose.yml. Specifies image to use for RPS RPS_CONNECTION_STRING postgresql://postgresadmin@localhost:5432/rpsdb?sslmode=no-verify The database connection string RPS_WEB_PORT 8081 Specifies the Web API port to listen on RPS_WEBSOCKETPORT 8080 Specifies the Websocket port to listen on RPS_VAULT_ADDRESS http://vault:8200 Address of where the vault is hosted RPS_VAULT_TOKEN myroot Token used to access the vault RPS_SECRETS_PATH secret/data/ Specifies the path for where secrets are stored in the vault RPS_LOG_LEVEL info Controls the level of logging provided in the service. Options are (in order of increasing detail): error , warn , info , verbose , debug , and silly RPS_MPS_SERVER http://localhost:3000 Specifies where the MPS is hosted -- required for metadata registration (i.e. hostname, and tags) RPS_DELAY_TIMER 12 Sets the number of seconds to wait after activation but before proceeding with final steps. By default it is set to 12 seconds. During this waiting period, RPS sends heartbeats to RPC to keep the connection alive. RPS_MQTT_ADDRESS No Value Address of where the mqtt broker is hosted. Mqtt container is named mosquitto and is open to port 8883 . Thus unless setting are changed the value should be either empty (off) or mqtt://mosquitto:8883 (on)","title":"Configuration"},{"location":"Reference/RPS/configuration/#rps-configuration","text":"Environment Variable Default Description RPS_IMAGE rps-microservice:v1 Only used when using docker-compose.yml. Specifies image to use for RPS RPS_CONNECTION_STRING postgresql://postgresadmin@localhost:5432/rpsdb?sslmode=no-verify The database connection string RPS_WEB_PORT 8081 Specifies the Web API port to listen on RPS_WEBSOCKETPORT 8080 Specifies the Websocket port to listen on RPS_VAULT_ADDRESS http://vault:8200 Address of where the vault is hosted RPS_VAULT_TOKEN myroot Token used to access the vault RPS_SECRETS_PATH secret/data/ Specifies the path for where secrets are stored in the vault RPS_LOG_LEVEL info Controls the level of logging provided in the service. Options are (in order of increasing detail): error , warn , info , verbose , debug , and silly RPS_MPS_SERVER http://localhost:3000 Specifies where the MPS is hosted -- required for metadata registration (i.e. hostname, and tags) RPS_DELAY_TIMER 12 Sets the number of seconds to wait after activation but before proceeding with final steps. By default it is set to 12 seconds. During this waiting period, RPS sends heartbeats to RPC to keep the connection alive. RPS_MQTT_ADDRESS No Value Address of where the mqtt broker is hosted. Mqtt container is named mosquitto and is open to port 8883 . Thus unless setting are changed the value should be either empty (off) or mqtt://mosquitto:8883 (on)","title":"RPS Configuration"},{"location":"Reference/RPS/createProfileTLSConfig/","text":"During the activation process with the Remote Provisioning Client ( RPC ), profiles provide configuration information to the firmware on platforms featuring Intel\u00ae AMT . In Profiles , the Open AMT Cloud Toolkit supports Client Initiated Remote Access ( CIRA ) connections, which use Transport Layer Security ( TLS ). The toolkit also supports TLS without CIRA . TLS connections encrypt Intel\u00ae AMT network traffic, increasing data security and privacy. Important TLS works with both ACM And CCM . Because CIRA connections already use TLS , the option to use both in a profile is not available, as it would double the amount of encryption/decryption and potentially impact performance. To create a profile with TLS Config: Select the Profiles tab from the menu on the left. Under the Profiles tab, click + Add New in the top-right corner to create a profile. Figure 1: Create a new profile Specify a Profile Name of your choice. Under Activation Mode , select either Client Control Mode or Admin Control Mode from the dropdown menu. Enable desired redirection features for the profile under AMT Features - Enable/Disable features . Provide or generate a strong AMT Password . AMT will verify this password when receiving a command from a MPS server. This password is also required for device deactivation. Tip The two buttons next to the password input are for toggling visibility and generating a new random password. Please note that if the Vault database is lost or corrupted, all credentials that aren't also stored somewhere else will be lost. There will be no way to login. The administrator will have to clear the CMOS battery on the managed devices! If choosing to activate into ACM , provide or generate a strong MEBX Password . This password can be used to access Intel\u00ae Manageability Engine BIOS Extensions ( Intel\u00ae MEBX ) on the AMT device. Leave DHCP as the default for Network Configuration . This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial . Select Connection Configuration to TLS (Enterprise) . Under TLS (Enterprise) , select the TLS Mode from the dropdown menu. The toolkit offers four configuration modes to support various usage models: CONFIGURATION MODE DESCRIPTION Server Authentication Only The client authenticates the server request and accepts only those servers with a digital certificate. Server and Non- TLS Authentication Used primarily for testing. The client authenticates the server request and accepts legitimate digital certificates from TLS -enabled servers. However, if the server is not TLS -enabled, the client defaults to a CIRA connection. Mutual TLS Authentication Only Both client and server must have certs. The client cert is signed by the server cert. Mutual and Non- TLS Authentication Used primarily for testing. Both client and server certs are expected. The client authenticates the server request and accepts legitimate digital certificates from TLS -enabled servers. However, if the server is not TLS -enabled, the client defaults to a CIRA connection. Optionally, add Tags to help in organizing and querying devices as your list of managed devices grow. Click Save. Example profile with TLS Config Figure 2: Example profile with TLS Config To confirm the digital certificates generated for the profile, open a browser and navigate to the Vault service at http://localhost:8200 for a local Docker deployment or [Cloud-FQDN]:8200 (Ex: openamt.eastus.cloudapp.azure.com:8200) for a cloud deployment. Sign in to Vault with the VAULT_TOKEN stored in the .env file or Root Token (Ex: s.QnhrbjXyH08UD7y6PHBDmjq9) generated when unsealing and initializing Vault in your cloud deployment. Figure 3: Login with the token Navigate to the path secret/TLS/[profile name] for a local dev mode Vault deployment. Or kv/TLS/[profile name] for a cloud deployment. Example of Certificate Storage Figure 4: Digital Certificate Next up \u00b6 Build & Run RPC","title":"Create Profile with TLS"},{"location":"Reference/RPS/createProfileTLSConfig/#next-up","text":"Build & Run RPC","title":"Next up"},{"location":"Reference/RPS/securityRPS/","text":"RPS Security Considerations \u00b6 The microservice Remote Provision Service ( RPS ) plays a component role in a larger set of services that makes up the device management software suite. In this role, RPS uses and creates secrets that are required to be able to successfully activate and use Intel\u00ae AMT . There are six key assets that must be protected: Remote admin password for Intel\u00ae AMT MEBX password for Intel\u00ae AMT Provisioning Certificate for each supported domain Password used to encrypt each Provisioning Certificate Device configuration information sent to Intel\u00ae AMT device MPS CIRA login credentials In addition to the above assets, there are best practices that are recommended to help secure these assets as they are used within the system. The following sections will cover each asset and the recommended practices to use to protect the assets. Security Assets \u00b6 Remote Admin Password for Intel\u00ae AMT \u00b6 This password is what is configured in the Intel\u00ae AMT firmware that allows a remote user to remotely control the Intel\u00ae AMT device (power actions, remote desktop, remote terminal, etc). When RPS activates an Intel\u00ae AMT device, it sets this password in the Intel\u00ae AMT firmware. This password can either be statically set or can be randomly generated based on the profile defined by the user. It is highly recommended to use randomly generated passwords as this will make each Intel\u00ae AMT device more secure by using unique passwords per device. In a default docker or Kubernetes deployment, RPS will save the Remote Admin Password to the deployed Vault instance. MEBX Password for Intel\u00ae AMT \u00b6 The Management Engine BIOS Extension (MEBX) password is the password that protects the pre-boot menu option that provides access to Intel\u00ae AMT settings. To use this password a user needs to have physical access to the device. It is highly recommended to change this password from the factory default settings upon receiving a new Intel\u00ae AMT device. A RPS profile provides an option for either specifying a static password that is used for all devices configured with a given profile or a randomly generated password can be assigned uniquely per device. The MEBX password set in each device is saved in Vault. While a randomly generated password is more secure, in this case there is risk that if the Vault database is lost, access to the Intel\u00ae AMT device could be very difficult to recover. It is recommended to use the high availability and backup options provided by the Vault solution to ensure that these secrets are not lost. Provisioning Certificate for each supported domain \u00b6 This certificate is unique per owned domain where RPS needs to provision Intel\u00ae AMT devices. This certificate must be derived from a root certificate whose hash matches one of the trusted provisioning root certificate hashes that is listed in the Intel\u00ae AMT device firmware. Generally, the provisioning certificate is purchased from a trusted certificate authority (VeriSign, GoDaddy, Comodo, etc). The full list of supported CAs based on Intel\u00ae AMT version are listed here . This certificate must contain the leaf certificate, root certificate, and all of the intermediate certificates to form a complete certificate chain. Additionally, the certificate file must also include the private key for the certificate (.pfx format). The leaf certificate for the provisioning certificate must match the domain suffix that the Intel\u00ae AMT device is connected as specified by DHCP option 15 or the Trusted DNS suffix in the Management Engine BIOS Extensions (MEBX). Matching this is one of the ways in which the Intel\u00ae AMT firmware establishes trust with RPS . The provisioning certificate is provided by the user when defining an Intel\u00ae AMT profile. RPS fetches the Provisioning Certificate from Vault when it is needed to activate an Intel\u00ae AMT device. If users have provisioning certificates, they will need to understand which profile to use when configuring an Intel\u00ae AMT device based on the network to which the device is currently connected. Password used to encrypt Provisioning Certificate \u00b6 This is the password that is used to encrypt the provisioning certificate .pfx file that is discussed above. RPS uses this password to decrypt the provisioning certificate so that it can use the certificate components and the private key to activate Intel\u00ae AMT devices. RPS fetches the password from Vault and will use it when it is needed to decrypt a provisioning certificate. Device configuration information sent to Intel\u00ae AMT device \u00b6 Intel\u00ae AMT firmware uses configuration information to establish trust and then activate the Intel\u00ae AMT device. The information contains the hashed remote admin password and MEBX password. Protect this information while it is being used by RPS and while in transit to the Intel\u00ae AMT device. Ensure that a secure ( TLS -encrypted) WebSocket is used when RPS is communicating with the client device. This will protect data in transit. The configuration information uses nonces to prevent replay of this data. MPS CIRA Login Credentials \u00b6 To connect to the MPS over a CIRA connection, the Intel\u00ae AMT device needs to provide the correct login credentials for MPS . These credentials are specified as part of the AMT Profile created in RPS . When a device is configured by RPS , the MPS CIRA credentials will be sent to MPS using the Devices POST API call where MPS will then store the credentials. These credentials are verfied by the MPS when the CIRA connection is established. Best Known Security Methods \u00b6 1 Enable TLS on network connections \u00b6 There are two potential places where TLS could be enable to protect the security assets: * WebSocket connection between RPS and Intel\u00ae AMT client (recommended) * Connection between RPS and Vault - If communication between RPS and Vault is outside a secure container environment (not recommended deployment, see item 2 below) Securing these communication routes will help prevent security assets being exposed through network based attacks intercepting messages between components. It is recommended that the most modern version of TLS be used when encrypting communication. 2 Secure and isolate execution environment \u00b6 RPS holds several of the described security assets in memory during execution. In order to protect these assets while in the memory of RPS , it is recommended that RPS be run in a secure execution environment such as a dedicated container. Deploying into a secure container environment eases the burden of individually securing the assets while in memory or in transit between Open AMT Cloud Toolkit services. Running MPS , RPS , API Gateway, MPS Router, Vault, and Database all within the same secure container instance will help ensure that the communication between these services remains secure. 3 Utilize a Hashicorp Vault implementation to store security assets \u00b6 Utilizing Hashicorp Vault to store security assets either created by or used by RPS will greatly increase the security of these assets. Not only does Vault encrypt the data at rest, but it also manages access to the data itself. As the Vault owner, you decide who gets access to the security assets stored there, not RPS .","title":"Security Information"},{"location":"Reference/RPS/securityRPS/#rps-security-considerations","text":"The microservice Remote Provision Service ( RPS ) plays a component role in a larger set of services that makes up the device management software suite. In this role, RPS uses and creates secrets that are required to be able to successfully activate and use Intel\u00ae AMT . There are six key assets that must be protected: Remote admin password for Intel\u00ae AMT MEBX password for Intel\u00ae AMT Provisioning Certificate for each supported domain Password used to encrypt each Provisioning Certificate Device configuration information sent to Intel\u00ae AMT device MPS CIRA login credentials In addition to the above assets, there are best practices that are recommended to help secure these assets as they are used within the system. The following sections will cover each asset and the recommended practices to use to protect the assets.","title":"RPS Security Considerations"},{"location":"Reference/RPS/securityRPS/#security-assets","text":"","title":"Security Assets"},{"location":"Reference/RPS/securityRPS/#remote-admin-password-for-intel-amt","text":"This password is what is configured in the Intel\u00ae AMT firmware that allows a remote user to remotely control the Intel\u00ae AMT device (power actions, remote desktop, remote terminal, etc). When RPS activates an Intel\u00ae AMT device, it sets this password in the Intel\u00ae AMT firmware. This password can either be statically set or can be randomly generated based on the profile defined by the user. It is highly recommended to use randomly generated passwords as this will make each Intel\u00ae AMT device more secure by using unique passwords per device. In a default docker or Kubernetes deployment, RPS will save the Remote Admin Password to the deployed Vault instance.","title":"Remote Admin Password for Intel&reg; AMT"},{"location":"Reference/RPS/securityRPS/#mebx-password-for-intel-amt","text":"The Management Engine BIOS Extension (MEBX) password is the password that protects the pre-boot menu option that provides access to Intel\u00ae AMT settings. To use this password a user needs to have physical access to the device. It is highly recommended to change this password from the factory default settings upon receiving a new Intel\u00ae AMT device. A RPS profile provides an option for either specifying a static password that is used for all devices configured with a given profile or a randomly generated password can be assigned uniquely per device. The MEBX password set in each device is saved in Vault. While a randomly generated password is more secure, in this case there is risk that if the Vault database is lost, access to the Intel\u00ae AMT device could be very difficult to recover. It is recommended to use the high availability and backup options provided by the Vault solution to ensure that these secrets are not lost.","title":"MEBX Password for Intel&reg; AMT"},{"location":"Reference/RPS/securityRPS/#provisioning-certificate-for-each-supported-domain","text":"This certificate is unique per owned domain where RPS needs to provision Intel\u00ae AMT devices. This certificate must be derived from a root certificate whose hash matches one of the trusted provisioning root certificate hashes that is listed in the Intel\u00ae AMT device firmware. Generally, the provisioning certificate is purchased from a trusted certificate authority (VeriSign, GoDaddy, Comodo, etc). The full list of supported CAs based on Intel\u00ae AMT version are listed here . This certificate must contain the leaf certificate, root certificate, and all of the intermediate certificates to form a complete certificate chain. Additionally, the certificate file must also include the private key for the certificate (.pfx format). The leaf certificate for the provisioning certificate must match the domain suffix that the Intel\u00ae AMT device is connected as specified by DHCP option 15 or the Trusted DNS suffix in the Management Engine BIOS Extensions (MEBX). Matching this is one of the ways in which the Intel\u00ae AMT firmware establishes trust with RPS . The provisioning certificate is provided by the user when defining an Intel\u00ae AMT profile. RPS fetches the Provisioning Certificate from Vault when it is needed to activate an Intel\u00ae AMT device. If users have provisioning certificates, they will need to understand which profile to use when configuring an Intel\u00ae AMT device based on the network to which the device is currently connected.","title":"Provisioning Certificate for each supported domain"},{"location":"Reference/RPS/securityRPS/#password-used-to-encrypt-provisioning-certificate","text":"This is the password that is used to encrypt the provisioning certificate .pfx file that is discussed above. RPS uses this password to decrypt the provisioning certificate so that it can use the certificate components and the private key to activate Intel\u00ae AMT devices. RPS fetches the password from Vault and will use it when it is needed to decrypt a provisioning certificate.","title":"Password used to encrypt Provisioning Certificate"},{"location":"Reference/RPS/securityRPS/#device-configuration-information-sent-to-intel-amt-device","text":"Intel\u00ae AMT firmware uses configuration information to establish trust and then activate the Intel\u00ae AMT device. The information contains the hashed remote admin password and MEBX password. Protect this information while it is being used by RPS and while in transit to the Intel\u00ae AMT device. Ensure that a secure ( TLS -encrypted) WebSocket is used when RPS is communicating with the client device. This will protect data in transit. The configuration information uses nonces to prevent replay of this data.","title":"Device configuration information sent to Intel\u00ae AMT device"},{"location":"Reference/RPS/securityRPS/#mps-cira-login-credentials","text":"To connect to the MPS over a CIRA connection, the Intel\u00ae AMT device needs to provide the correct login credentials for MPS . These credentials are specified as part of the AMT Profile created in RPS . When a device is configured by RPS , the MPS CIRA credentials will be sent to MPS using the Devices POST API call where MPS will then store the credentials. These credentials are verfied by the MPS when the CIRA connection is established.","title":"MPS CIRA Login Credentials"},{"location":"Reference/RPS/securityRPS/#best-known-security-methods","text":"","title":"Best Known Security Methods"},{"location":"Reference/RPS/securityRPS/#1-enable-tls-on-network-connections","text":"There are two potential places where TLS could be enable to protect the security assets: * WebSocket connection between RPS and Intel\u00ae AMT client (recommended) * Connection between RPS and Vault - If communication between RPS and Vault is outside a secure container environment (not recommended deployment, see item 2 below) Securing these communication routes will help prevent security assets being exposed through network based attacks intercepting messages between components. It is recommended that the most modern version of TLS be used when encrypting communication.","title":"1 Enable TLS on network connections"},{"location":"Reference/RPS/securityRPS/#2-secure-and-isolate-execution-environment","text":"RPS holds several of the described security assets in memory during execution. In order to protect these assets while in the memory of RPS , it is recommended that RPS be run in a secure execution environment such as a dedicated container. Deploying into a secure container environment eases the burden of individually securing the assets while in memory or in transit between Open AMT Cloud Toolkit services. Running MPS , RPS , API Gateway, MPS Router, Vault, and Database all within the same secure container instance will help ensure that the communication between these services remains secure.","title":"2 Secure and isolate execution environment"},{"location":"Reference/RPS/securityRPS/#3-utilize-a-hashicorp-vault-implementation-to-store-security-assets","text":"Utilizing Hashicorp Vault to store security assets either created by or used by RPS will greatly increase the security of these assets. Not only does Vault encrypt the data at rest, but it also manages access to the data itself. As the Vault owner, you decide who gets access to the security assets stored there, not RPS .","title":"3 Utilize a Hashicorp Vault implementation to store security assets"},{"location":"Reference/UIToolkit/localization/","text":"Localize Strings \u00b6 Create a new directory in the ui-toolkit/public/locales/ directory. The directory name must match one of the codes listed . Copy the translation.json file in the public/locales/en/ directory to the new language directory. Customize the required fields in the translation.json file. Example To support Kannada language: Create a new directory kn in /public/locales/ Copy translation.json from /locales/en/ to /locales/kn/ directory Update key-values in /kn/translation.json according to Kannada language Open the i18n.ts file in the ui-toolkit directory. Modify the file to import the newly added public/locales/Language/translation.json file and update the 'resources' constant to include the new translation. Example To support Kannada language: Create new import statement as 'translationKN' Edit resources constant to include new translation import translationEN from './public/locales/en/translation.json' import translationKN from './public/locales/kn/translation.json'; const resources = { en: { translations: translationEN }, kn: { translations: translationKN } }; Rebuild and generate a new bundle before testing the changes. Language can be changed in the browser under language section of the browser settings. English is the default if no customized translation file provided for the language. Get Localized Strings for Web Consoles with Localization Enabled \u00b6 If your web console already has localization enabled, make sure to add the translations of the UI-controls into your web console's translations file.","title":"Localization"},{"location":"Reference/UIToolkit/localization/#localize-strings","text":"Create a new directory in the ui-toolkit/public/locales/ directory. The directory name must match one of the codes listed . Copy the translation.json file in the public/locales/en/ directory to the new language directory. Customize the required fields in the translation.json file. Example To support Kannada language: Create a new directory kn in /public/locales/ Copy translation.json from /locales/en/ to /locales/kn/ directory Update key-values in /kn/translation.json according to Kannada language Open the i18n.ts file in the ui-toolkit directory. Modify the file to import the newly added public/locales/Language/translation.json file and update the 'resources' constant to include the new translation. Example To support Kannada language: Create new import statement as 'translationKN' Edit resources constant to include new translation import translationEN from './public/locales/en/translation.json' import translationKN from './public/locales/kn/translation.json'; const resources = { en: { translations: translationEN }, kn: { translations: translationKN } }; Rebuild and generate a new bundle before testing the changes. Language can be changed in the browser under language section of the browser settings. English is the default if no customized translation file provided for the language.","title":"Localize Strings"},{"location":"Reference/UIToolkit/localization/#get-localized-strings-for-web-consoles-with-localization-enabled","text":"If your web console already has localization enabled, make sure to add the translations of the UI-controls into your web console's translations file.","title":"Get Localized Strings for Web Consoles with Localization Enabled"},{"location":"Reference/UIToolkit/webpackConfig/","text":"To use Webpack *, understand its Core Concepts: Entry: The entry point such as /src/index.js , which is the default for Webpack 4 is what Webpack will use to start building out/resolving its dependencies. Output: The output property, such as ./dist , the default for Webpack 4, tells Webpack where to output the bundles it creates and how to name them. Loaders: Because Webpack only understands native Javascript code, these loaders enable Webpack to process different types of imported files and convert them into valid modules when it encounters a specific type of file. Loaders have two properties in the configuration file: The test property identifies the file or files that should be transformed The use property indicates the loader that can be used to do the transforming Plugins: The plugins enable the extension of Webpack capabilities to perform a wider range of tasks like bundle optimization, asset management, and injection of environment variables. Install Webpack \u00b6 Install both webpack and webpack cli as dev dependencies: npm i webpack webpack-cli -D webpack-dev-server . Configure Webpack for the Development Environment \u00b6 To configure: Create a Webpack config file webpack.config.dev.js in the root of the project folder. Add the development environment to the webpack.config.dev.js file:** const path = require ( 'path' ); module . exports = { mode : \"development\" , entry : './src/reactjs/components/KVM/index.tsx' , // entry points can be multiple } Add Typescript \u00b6 The example code below resolves the file extensions, .tsx, .ts and .js. Files with the extensions .tsx or .ts are processed by awesome-typescript-loader. To add Typescript support: Install the Typescript dependency, awesome-typescript-loader: npm i awesome-typescript-loader -D 2. Add the configuration to the webpack.config.dev.js file: Example: const path = require ( 'path' ); module . exports = { .... resolve : { extensions : [ \".tsx\" , \".ts\" , \".js\" ] }, module : { rules : [ { test : /\\.tsx?$/ , loader : 'awesome-typescript-loader' } ] } } Add Styles \u00b6 To Add Styles support: Use npm to install css-loader and sass-loader: npm i style-loader css-loader sass-loader -D Add the configuration to the webpack.config.dev.js file: module . exports = { .... module : { rules : [ ... { test : /\\.(sc|sa|c)ss$/ , use : [ 'style-loader' , 'css-loader' , 'sass-loader' ], } ] } } Add HTML \u00b6 To add HTML support: Use the Webpack plugin html-webpack-plugin, which helps simplify the creation of HTML files to help serve our Webpack bundles: npm i html-webpack-plugin -D. Add the configuration to the webpack.config.dev.js file: const path = require ( 'path' ); const HtmlWebpackPlugin = require ( 'html-webpack-plugin' ); module . exports = { .... plugins : [ new HtmlWebpackPlugin ({ filename : \"kvm.htm\" , template : \"./src/sample/sampleKVM.htm\" , inject : true , chunks : [ \"kvm\" ], }), ] } Development Server \u00b6 Set up a development server using the webpack-dev-server. This server opens a default browser upon npm start and provide us with live reloading. npm i webpack-dev-server --D Update Package.json \u00b6 Add webpack-dev-server to the Package.json file: \"scripts\" : { \"start\" : \"webpack-dev-server --config webpack.config.dev.js\" } Example Sample usage: Open command prompt. Run npm start command. Configure Webpack for Production Environment \u00b6 To add production environment support: Create a Webpack config file webpack.config.prod.js in the root of our project folder. Add the configuration to the webpack.config.prod.js file: const path = require ( 'path' ); module . exports = { mode : \"production\" , entry : './src/reactjs/components/KVM/index.tsx' , // entry points can be multiple output : { filename : \"[name].min.js\" , path : path . resolve ( __dirname , \"./dist\" ) }, .... } 3. Update Package.json: \"scripts\" : { \"build\" : \"webpack --config webpack.config.prod.js\" , } Example Sample usage: Open command prompt. Run npm run build. Configure Webpack for External Environment \u00b6 Create a Webpack config file webpack.config.externals.js in the root of our project folder. Add webpack-node-externals: Install webpack-node-externals dependencies: npm install webpack-node-externals -D The webpack-node-externals library creates an externals function that ignores node_modules when bundling in Webpack . Add the following to webpack.config.externals.js : const path = require ( \"path\" ); //No ES6 in webpack config const nodeExternals = require ( 'webpack-node-externals' ); module . exports = { .... externals : [ nodeExternals ()], }; 3. Update Package.json: \"scripts\" : { \"build-ext\" : \"webpack --config webpack.config.externals.js\" , } Example Sample usage: Open command prompt. Run npm run build-ext command.","title":"Webpack Configuration"},{"location":"Reference/UIToolkit/webpackConfig/#install-webpack","text":"Install both webpack and webpack cli as dev dependencies: npm i webpack webpack-cli -D webpack-dev-server .","title":"Install Webpack"},{"location":"Reference/UIToolkit/webpackConfig/#configure-webpack-for-the-development-environment","text":"To configure: Create a Webpack config file webpack.config.dev.js in the root of the project folder. Add the development environment to the webpack.config.dev.js file:** const path = require ( 'path' ); module . exports = { mode : \"development\" , entry : './src/reactjs/components/KVM/index.tsx' , // entry points can be multiple }","title":"Configure Webpack for the Development Environment"},{"location":"Reference/UIToolkit/webpackConfig/#add-typescript","text":"The example code below resolves the file extensions, .tsx, .ts and .js. Files with the extensions .tsx or .ts are processed by awesome-typescript-loader. To add Typescript support: Install the Typescript dependency, awesome-typescript-loader: npm i awesome-typescript-loader -D 2. Add the configuration to the webpack.config.dev.js file: Example: const path = require ( 'path' ); module . exports = { .... resolve : { extensions : [ \".tsx\" , \".ts\" , \".js\" ] }, module : { rules : [ { test : /\\.tsx?$/ , loader : 'awesome-typescript-loader' } ] } }","title":"Add Typescript"},{"location":"Reference/UIToolkit/webpackConfig/#add-styles","text":"To Add Styles support: Use npm to install css-loader and sass-loader: npm i style-loader css-loader sass-loader -D Add the configuration to the webpack.config.dev.js file: module . exports = { .... module : { rules : [ ... { test : /\\.(sc|sa|c)ss$/ , use : [ 'style-loader' , 'css-loader' , 'sass-loader' ], } ] } }","title":"Add Styles"},{"location":"Reference/UIToolkit/webpackConfig/#add-html","text":"To add HTML support: Use the Webpack plugin html-webpack-plugin, which helps simplify the creation of HTML files to help serve our Webpack bundles: npm i html-webpack-plugin -D. Add the configuration to the webpack.config.dev.js file: const path = require ( 'path' ); const HtmlWebpackPlugin = require ( 'html-webpack-plugin' ); module . exports = { .... plugins : [ new HtmlWebpackPlugin ({ filename : \"kvm.htm\" , template : \"./src/sample/sampleKVM.htm\" , inject : true , chunks : [ \"kvm\" ], }), ] }","title":"Add HTML"},{"location":"Reference/UIToolkit/webpackConfig/#development-server","text":"Set up a development server using the webpack-dev-server. This server opens a default browser upon npm start and provide us with live reloading. npm i webpack-dev-server --D","title":"Development Server"},{"location":"Reference/UIToolkit/webpackConfig/#update-packagejson","text":"Add webpack-dev-server to the Package.json file: \"scripts\" : { \"start\" : \"webpack-dev-server --config webpack.config.dev.js\" } Example Sample usage: Open command prompt. Run npm start command.","title":"Update Package.json"},{"location":"Reference/UIToolkit/webpackConfig/#configure-webpack-for-production-environment","text":"To add production environment support: Create a Webpack config file webpack.config.prod.js in the root of our project folder. Add the configuration to the webpack.config.prod.js file: const path = require ( 'path' ); module . exports = { mode : \"production\" , entry : './src/reactjs/components/KVM/index.tsx' , // entry points can be multiple output : { filename : \"[name].min.js\" , path : path . resolve ( __dirname , \"./dist\" ) }, .... } 3. Update Package.json: \"scripts\" : { \"build\" : \"webpack --config webpack.config.prod.js\" , } Example Sample usage: Open command prompt. Run npm run build.","title":"Configure Webpack for Production Environment"},{"location":"Reference/UIToolkit/webpackConfig/#configure-webpack-for-external-environment","text":"Create a Webpack config file webpack.config.externals.js in the root of our project folder. Add webpack-node-externals: Install webpack-node-externals dependencies: npm install webpack-node-externals -D The webpack-node-externals library creates an externals function that ignores node_modules when bundling in Webpack . Add the following to webpack.config.externals.js : const path = require ( \"path\" ); //No ES6 in webpack config const nodeExternals = require ( 'webpack-node-externals' ); module . exports = { .... externals : [ nodeExternals ()], }; 3. Update Package.json: \"scripts\" : { \"build-ext\" : \"webpack --config webpack.config.externals.js\" , } Example Sample usage: Open command prompt. Run npm run build-ext command.","title":"Configure Webpack for External Environment"},{"location":"Reference/UIToolkit/Bundles/kvmReact/","text":"Quickstart - Bundle Keyboard Video Mouse ( KVM ) Control \u00b6 Use these instructions to: Run the KVM control in development environment Create a bundle for KVM control Add bundle to a sample HTML file Prerequisites \u00b6 In order to deploy and make changes, the following tools and application has to be installed on your development machine: Git Visual Studio Code or any other IDE Node.js Chrome* Browser MPS Server with an AMT Device Connected Download and Install UI Toolkit \u00b6 Open a Terminal (Linux) or Command Prompt (Windows) and navigate to a directory of your choice for development. Clone the UI Toolkit Repository: git clone https://github.com/open-amt-cloud-toolkit/ui-toolkit --branch v3.0.2 Change to the ui-toolkit directory: cd ui_toolkit Install the dependencies: npm install Run in Development Environment \u00b6 To add and test new changes before bundling the control, use a webpack dev server: Start the server: npm start Open a Chrome* browser and navigate to the following link to see changes: http://localhost:8080/kvm.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Note By default, the webpack dev server runs on port 8080. If port 8080 is already in use, webpack automatically runs on the next immediate available port. Create Bundle \u00b6 To bundle, navigate to the ui-toolkit directory in a Terminal (Linux) or Command Prompt (Windows). Remove or rename the existing kvm.min.js in the ui-toolkit/dist/ directory before building. Build the bundle: npm run build A new kvm.min.js will be created in the ui-toolkit/dist/ directory. Note To bundle the KVM control without node_modules, run the following build command instead. npm run built-ext The bundle generated using the build-ext command can be used in react apps as an independent control Add to Sample HTML Page \u00b6 Add the following code snippet to sampleKVM.htm in the ui-toolkit/src/reactjs/sample/ directory using an editor of your choice: <body> <div id=\"kvm\"></div> <script src=\"../../dist/kvm.min.js\" crossorigin></script> </body> In a Terminal (Linux) or Command Prompt (Windows), navigate to the ui-toolkit directory. Serve the HTML page: npx serve Open a new Chrome* browser and navigate to the following URL: http://localhost:5000/src/sample/sampleKVM.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Errors may occur in the following scenarios: UI-toolkit was not downloaded and installed into your react app MPS Server is not running MPS Server is running but the device is not connected","title":"Keyboard, Video, Mouse"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#quickstart-bundle-keyboard-video-mouse-kvm-control","text":"Use these instructions to: Run the KVM control in development environment Create a bundle for KVM control Add bundle to a sample HTML file","title":"Quickstart - Bundle Keyboard Video Mouse (KVM) Control"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#prerequisites","text":"In order to deploy and make changes, the following tools and application has to be installed on your development machine: Git Visual Studio Code or any other IDE Node.js Chrome* Browser MPS Server with an AMT Device Connected","title":"Prerequisites"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#download-and-install-ui-toolkit","text":"Open a Terminal (Linux) or Command Prompt (Windows) and navigate to a directory of your choice for development. Clone the UI Toolkit Repository: git clone https://github.com/open-amt-cloud-toolkit/ui-toolkit --branch v3.0.2 Change to the ui-toolkit directory: cd ui_toolkit Install the dependencies: npm install","title":"Download and Install UI Toolkit"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#run-in-development-environment","text":"To add and test new changes before bundling the control, use a webpack dev server: Start the server: npm start Open a Chrome* browser and navigate to the following link to see changes: http://localhost:8080/kvm.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Note By default, the webpack dev server runs on port 8080. If port 8080 is already in use, webpack automatically runs on the next immediate available port.","title":"Run in Development Environment"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#create-bundle","text":"To bundle, navigate to the ui-toolkit directory in a Terminal (Linux) or Command Prompt (Windows). Remove or rename the existing kvm.min.js in the ui-toolkit/dist/ directory before building. Build the bundle: npm run build A new kvm.min.js will be created in the ui-toolkit/dist/ directory. Note To bundle the KVM control without node_modules, run the following build command instead. npm run built-ext The bundle generated using the build-ext command can be used in react apps as an independent control","title":"Create Bundle"},{"location":"Reference/UIToolkit/Bundles/kvmReact/#add-to-sample-html-page","text":"Add the following code snippet to sampleKVM.htm in the ui-toolkit/src/reactjs/sample/ directory using an editor of your choice: <body> <div id=\"kvm\"></div> <script src=\"../../dist/kvm.min.js\" crossorigin></script> </body> In a Terminal (Linux) or Command Prompt (Windows), navigate to the ui-toolkit directory. Serve the HTML page: npx serve Open a new Chrome* browser and navigate to the following URL: http://localhost:5000/src/sample/sampleKVM.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Errors may occur in the following scenarios: UI-toolkit was not downloaded and installed into your react app MPS Server is not running MPS Server is running but the device is not connected","title":"Add to Sample HTML Page"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/","text":"Quickstart - Bundle Serial Over LAN ( SOL ) Control \u00b6 Use these instructions to: Run the SOL control in development environment Create a bundle for SOL control Add bundle to a sample HTML file Prerequisites \u00b6 In order to deploy and make changes, the following tools and application have to be installed on your development system: Git Visual Studio Code or any other IDE Node.js Chrome* Browser MPS Server with an AMT Device Connected Download and Install UI Toolkit \u00b6 Open a Terminal (Linux) or Command Prompt (Windows) and navigate to a directory of your choice for development. Clone the UI-Toolkit Repository: git clone https://github.com/open-amt-cloud-toolkit/ui-toolkit --branch v3.0.2 Change to the ui-toolkit directory: cd ui_toolkit Install the dependencies: npm install Run in Development Environment \u00b6 To add and test new changes before bundling the control, use a webpack dev server. Start the server: npm start Open a Chrome* browser and navigate to the following link to see changes: http://localhost:8080/sol.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Note By default, the webpack dev server runs on port 8080. If port 8080 is already in use, webpack automatically runs on the next immediate available port. Create Bundle \u00b6 To bundle, navigate to the ui-toolkit directory in a Terminal (Linux) or Command Prompt (Windows). Remove or rename the existing sol.min.js in the ui-toolkit/dist/ directory before building: Build the bundle: npm run build A new kvm.core.min.js will be created in the ui-toolkit/dist/ directory. Note To bundle the Serial-Over-LAN control without node_modules, run the following build command instead. npm run built-ext The bundle generated using the build-ext command can be used in react apps as an independent control Add to Sample HTML Page \u00b6 Add the following code snippet to sampleSOL.htm in the ui-toolkit/src/sample/ directory using an editor of your choice: <body> <div id= \"sol\" ></div> <script src= \"../../dist/sol.min.js\" crossorigin ></script> </body> In a Terminal (Linux) or Command Prompt (Windows), navigate to the ui-toolkit directory: Serve the HTML page. npx serve Open a new Chrome* browser and navigate to the following URL: http://localhost:5000/src/sample/sampleSOL.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Errors may occur in the following scenarios: UI-toolkit was not downloaded and installed into your react app MPS Server is not running MPS Server is running but the device is not connected","title":"Serial Over LAN"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#quickstart-bundle-serial-over-lan-sol-control","text":"Use these instructions to: Run the SOL control in development environment Create a bundle for SOL control Add bundle to a sample HTML file","title":"Quickstart  - Bundle Serial Over LAN (SOL) Control"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#prerequisites","text":"In order to deploy and make changes, the following tools and application have to be installed on your development system: Git Visual Studio Code or any other IDE Node.js Chrome* Browser MPS Server with an AMT Device Connected","title":"Prerequisites"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#download-and-install-ui-toolkit","text":"Open a Terminal (Linux) or Command Prompt (Windows) and navigate to a directory of your choice for development. Clone the UI-Toolkit Repository: git clone https://github.com/open-amt-cloud-toolkit/ui-toolkit --branch v3.0.2 Change to the ui-toolkit directory: cd ui_toolkit Install the dependencies: npm install","title":"Download and Install UI Toolkit"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#run-in-development-environment","text":"To add and test new changes before bundling the control, use a webpack dev server. Start the server: npm start Open a Chrome* browser and navigate to the following link to see changes: http://localhost:8080/sol.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Note By default, the webpack dev server runs on port 8080. If port 8080 is already in use, webpack automatically runs on the next immediate available port.","title":"Run in Development Environment"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#create-bundle","text":"To bundle, navigate to the ui-toolkit directory in a Terminal (Linux) or Command Prompt (Windows). Remove or rename the existing sol.min.js in the ui-toolkit/dist/ directory before building: Build the bundle: npm run build A new kvm.core.min.js will be created in the ui-toolkit/dist/ directory. Note To bundle the Serial-Over-LAN control without node_modules, run the following build command instead. npm run built-ext The bundle generated using the build-ext command can be used in react apps as an independent control","title":"Create Bundle"},{"location":"Reference/UIToolkit/Bundles/serialOverLANReact/#add-to-sample-html-page","text":"Add the following code snippet to sampleSOL.htm in the ui-toolkit/src/sample/ directory using an editor of your choice: <body> <div id= \"sol\" ></div> <script src= \"../../dist/sol.min.js\" crossorigin ></script> </body> In a Terminal (Linux) or Command Prompt (Windows), navigate to the ui-toolkit directory: Serve the HTML page. npx serve Open a new Chrome* browser and navigate to the following URL: http://localhost:5000/src/sample/sampleSOL.htm?deviceId=[AMT-Device-GUID]&mpsServer=https://[MPS-Server-IP-Address]:3000 Errors may occur in the following scenarios: UI-toolkit was not downloaded and installed into your react app MPS Server is not running MPS Server is running but the device is not connected","title":"Add to Sample HTML Page"},{"location":"Reference/UIToolkit/Controls/kvmControl/","text":"Not sure how to implement Keyboard, Video Mouse ( KVM )? View the UI Toolkit KVM Module Tutorial for a step-by-step walkthrough prerequisites and instructions for implementing a React Control using the UI Toolkit . Add KVM Control \u00b6 Use the following code snippet to add the KVM control to the React Application. Open src/App.js and add the code shown below: Note Change deviceId value to your device GUID, mpsServer value to your MPS server address, and pass in a valid JWT for authToken . import React from \"react\" ; import \"./App.css\" ; import { KVM } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/kvm.bundle\" ; function App () { return ( < div className = \"App\" > < KVM deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws/relay\" //Replace 'localhost' with Development System or MPS Server IP Address mouseDebounceTime = \"200\" authToken = \"\" // Replace with a valid JWT provided during login of MPS canvasHeight = \"100%\" canvasWidth = \"100%\" >< /KVM> < /div> ); } export default App ;","title":"Keyboard, Video, Mouse"},{"location":"Reference/UIToolkit/Controls/kvmControl/#add-kvm-control","text":"Use the following code snippet to add the KVM control to the React Application. Open src/App.js and add the code shown below: Note Change deviceId value to your device GUID, mpsServer value to your MPS server address, and pass in a valid JWT for authToken . import React from \"react\" ; import \"./App.css\" ; import { KVM } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/kvm.bundle\" ; function App () { return ( < div className = \"App\" > < KVM deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws/relay\" //Replace 'localhost' with Development System or MPS Server IP Address mouseDebounceTime = \"200\" authToken = \"\" // Replace with a valid JWT provided during login of MPS canvasHeight = \"100%\" canvasWidth = \"100%\" >< /KVM> < /div> ); } export default App ;","title":"Add KVM Control"},{"location":"Reference/UIToolkit/Controls/serialOverLANControl/","text":"Not sure how to implement Serial Over LAN ( SOL )? View the UI Toolkit KVM Module Tutorial for a step-by-step walkthrough of the prerequisites and instructions for implementing a React Control using the UI Toolkit . Add Serial Over LAN ( SOL ) Control \u00b6 Use the following code snippet to add the SOL control to the React Application. Open src/App.js and add the code shown below: Note Change deviceId value to your device GUID, mpsServer value to your MPS server address, and pass in a valid JWT for authToken . import React from \"react\" ; import { Sol } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/sol.bundle\" ; function App () { return ( < div > < Sol deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws\" //Replace 'localhost' with Development System or MPS Server IP Address authToken = \"\" > // Replace with a valid JWT provided during login of MPS < /Sol> < /div> ); } \u200b export default App ;","title":"Serial Over LAN"},{"location":"Reference/UIToolkit/Controls/serialOverLANControl/#add-serial-over-lan-sol-control","text":"Use the following code snippet to add the SOL control to the React Application. Open src/App.js and add the code shown below: Note Change deviceId value to your device GUID, mpsServer value to your MPS server address, and pass in a valid JWT for authToken . import React from \"react\" ; import { Sol } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/sol.bundle\" ; function App () { return ( < div > < Sol deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws\" //Replace 'localhost' with Development System or MPS Server IP Address authToken = \"\" > // Replace with a valid JWT provided during login of MPS < /Sol> < /div> ); } \u200b export default App ;","title":"Add Serial Over LAN (SOL) Control"},{"location":"Tutorials/apiTutorial/","text":"This tutorial demonstrates how to generate a JSON Web Token (JWT) for Authorization and construct an API call for Getting Devices using curl . This method will retrieve information about all devices, including device GUIDs. Figure 1: Tutorial flow using curl Figure 1: API Call to Get All Devices Figure 1 illustrates the flow of the tutorial below. Consult the API documentation for the MPS APIs (Steps A and C). Use the generated JWT, the return value from the Authorize method in Step B, with any of the MPS REST API methods that require a BearerAuth, an HTTP security scheme that provides access to the bearer of a token. The GetDevices method accepts the JWT as an authentication and returns a list of devices and associated data. Important Successfully deploy the Management Presence Server ( MPS ) and Remote Provisioning Server ( RPS ) and connect an Intel\u00ae vPro device to MPS before constructing the API call. Start here * to install microservices locally with Docker . What You'll Need \u00b6 Hardware A minimum network configuration must include: A Development system with Windows\u00ae 10 or Ubuntu 18.04 or newer An Activated and Configured Intel\u00ae vPro device as the managed device Software on the Development System MPS curl Any Text Editor What You'll Do \u00b6 The following sections describe how to: Generate a new JWT for Authorization Run an API Call to MPS for Devices See Other Example GET/POST Commands Generate a Token for Authorization \u00b6 See the Authorize Method in the API Documentation for more information. Open a Terminal or Command Prompt. Copy and paste the example code below into a text editor. Update the values of the [IP-Address or FQDN] , [MPS_WEB_ADMIN_USER] , and [MPS_WEB_ADMIN_PASSWORD] fields. Linux Windows curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/login/api/v1/authorize \\ -H \"Content-Type:application/json\" \\ -d \"{\\\"username\\\":\\\"[MPS_WEB_ADMIN_USER]\\\", \\\"password\\\":\\\" [MPS_WEB_ADMIN_PASSWORD]\\\"}\" curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/login/api/v1/authorize ^ -H \"Content-Type:application/json\" ^ -d \"{\\\"username\\\":\\\"[MPS_WEB_ADMIN_USER]\\\", \\\"password\\\":\\\" [MPS_WEB_ADMIN_PASSWORD]\\\"}\" Info - Using the --insecure Flag Because we are using self-signed certificates for MPS for development and testing purposes, we must supply this flag to bypass SSL certificate verification. Run the command. Example - Response of Authorize Method { \"token\" : \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5RW1SSlRiSWlJYjRiSWVTc21nY1dJanJSNkh5RVRxYyIsImV4cCI6MTYyMDE2OTg2NH0.GUib9sq0RWRLqJ7JpNNlj2AluuROLICCfdZaQzyWy90\" } This token will be used when making any other API call as part of the Authorization header. Run API Call for Get Devices \u00b6 See the GetDevices Method in the API Documentation for more information. Open a Terminal or Command Prompt. Copy and paste the example code below into a text editor. Update the values of the [IP-Address or FQDN] and [JWT-Token] fields. Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices \\ -H \"Authorization: Bearer [JWT-Token]\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices ^ -H \"Authorization: Bearer [JWT-Token]\" Run the command. Example - Response of Devices Method Example Terminal Output: [{ \"guid\" : \"3beae094-34f8-11ea-b6f5-ffed08129200\" , \"hostname\" : \"vpro3-NUC8v5PNK\" , \"tags\" :[], \"mpsInstance\" : \"mps\" , \"connectionStatus\" : true , \"mpsusername\" : \"admin\" }] Example JSON Pretty Print: [ { \"guid\" : \"3beae094-34f8-11ea-b6f5-ffed08129200\" , \"hostname\" : \"vpro3-NUC8v5PNK\" , \"tags\" : [], \"mpsInstance\" : \"mps\" , \"connectionStatus\" : true , \"mpsusername\" : \"admin\" } ] Important This is one way to retrieve a device's GUID in the host field. For amt path methods (i.e., Power Actions , Audit Logs, etc), the device GUID is required as part of the GET path. Save this value if you want to try other MPS methods. Other ways to retrieve a GUID can be found here . Example GET/POST Templates \u00b6 The sample GET and POST curl commands below can be adapted for other MPS and RPS methods by changing the URL path and modifying the request body data, if applicable . Power Capabilities (GET Template) Power Action (POST Template) Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/amt/powercapabilities/ [ AMT-Device-GUID ] \\ -H \"Authorization: Bearer [JWT-Token]\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/amt/powercapabilities/ [ AMT-Device-GUID ] ^ -H \"Authorization: Bearer [JWT-Token]\" See Power Capabilities API Docs for more information and expected responses. Linux Windows curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/api/v1/amt/power/action/ [ AMT-Device-GUID ] \\ -H \"Content-Type: application/json\" \\ -H \"Authorization: Bearer [JWT-Token]\" \\ -d \"{\\\"action\\\": [Power-Action], \\\"useSOL\\\": false}\" curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/api/v1/amt/power/action/ [ AMT-Device-GUID ] ^ -H \"Content-Type: application/json\" ^ -H \"Authorization: Bearer [JWT-Token]\" ^ -d \"{\\\"action\\\": [Power-Action], \\\"useSOL\\\": false}\" See Power Action API Docs for more information and expected responses. Other Methods \u00b6 For MPS methods to manage a device, see: MPS API Docs For RPS Methods for server configuration and provisioning, see RPS API Docs Explore the UI Toolkit \u00b6 In addition to REST API calls, the Open AMT Cloud Toolkit provides a reference implementation console. Add manageability features to the console with prebuilt React components, such as Keyboard, Video, and Mouse ( KVM ). Get Started with the UI Toolkit","title":"REST API Call"},{"location":"Tutorials/apiTutorial/#what-youll-need","text":"Hardware A minimum network configuration must include: A Development system with Windows\u00ae 10 or Ubuntu 18.04 or newer An Activated and Configured Intel\u00ae vPro device as the managed device Software on the Development System MPS curl Any Text Editor","title":"What You'll Need"},{"location":"Tutorials/apiTutorial/#what-youll-do","text":"The following sections describe how to: Generate a new JWT for Authorization Run an API Call to MPS for Devices See Other Example GET/POST Commands","title":"What You'll Do"},{"location":"Tutorials/apiTutorial/#generate-a-token-for-authorization","text":"See the Authorize Method in the API Documentation for more information. Open a Terminal or Command Prompt. Copy and paste the example code below into a text editor. Update the values of the [IP-Address or FQDN] , [MPS_WEB_ADMIN_USER] , and [MPS_WEB_ADMIN_PASSWORD] fields. Linux Windows curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/login/api/v1/authorize \\ -H \"Content-Type:application/json\" \\ -d \"{\\\"username\\\":\\\"[MPS_WEB_ADMIN_USER]\\\", \\\"password\\\":\\\" [MPS_WEB_ADMIN_PASSWORD]\\\"}\" curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/login/api/v1/authorize ^ -H \"Content-Type:application/json\" ^ -d \"{\\\"username\\\":\\\"[MPS_WEB_ADMIN_USER]\\\", \\\"password\\\":\\\" [MPS_WEB_ADMIN_PASSWORD]\\\"}\" Info - Using the --insecure Flag Because we are using self-signed certificates for MPS for development and testing purposes, we must supply this flag to bypass SSL certificate verification. Run the command. Example - Response of Authorize Method { \"token\" : \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5RW1SSlRiSWlJYjRiSWVTc21nY1dJanJSNkh5RVRxYyIsImV4cCI6MTYyMDE2OTg2NH0.GUib9sq0RWRLqJ7JpNNlj2AluuROLICCfdZaQzyWy90\" } This token will be used when making any other API call as part of the Authorization header.","title":"Generate a Token for Authorization"},{"location":"Tutorials/apiTutorial/#run-api-call-for-get-devices","text":"See the GetDevices Method in the API Documentation for more information. Open a Terminal or Command Prompt. Copy and paste the example code below into a text editor. Update the values of the [IP-Address or FQDN] and [JWT-Token] fields. Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices \\ -H \"Authorization: Bearer [JWT-Token]\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices ^ -H \"Authorization: Bearer [JWT-Token]\" Run the command. Example - Response of Devices Method Example Terminal Output: [{ \"guid\" : \"3beae094-34f8-11ea-b6f5-ffed08129200\" , \"hostname\" : \"vpro3-NUC8v5PNK\" , \"tags\" :[], \"mpsInstance\" : \"mps\" , \"connectionStatus\" : true , \"mpsusername\" : \"admin\" }] Example JSON Pretty Print: [ { \"guid\" : \"3beae094-34f8-11ea-b6f5-ffed08129200\" , \"hostname\" : \"vpro3-NUC8v5PNK\" , \"tags\" : [], \"mpsInstance\" : \"mps\" , \"connectionStatus\" : true , \"mpsusername\" : \"admin\" } ] Important This is one way to retrieve a device's GUID in the host field. For amt path methods (i.e., Power Actions , Audit Logs, etc), the device GUID is required as part of the GET path. Save this value if you want to try other MPS methods. Other ways to retrieve a GUID can be found here .","title":"Run API Call for Get Devices"},{"location":"Tutorials/apiTutorial/#example-getpost-templates","text":"The sample GET and POST curl commands below can be adapted for other MPS and RPS methods by changing the URL path and modifying the request body data, if applicable . Power Capabilities (GET Template) Power Action (POST Template) Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/amt/powercapabilities/ [ AMT-Device-GUID ] \\ -H \"Authorization: Bearer [JWT-Token]\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/amt/powercapabilities/ [ AMT-Device-GUID ] ^ -H \"Authorization: Bearer [JWT-Token]\" See Power Capabilities API Docs for more information and expected responses. Linux Windows curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/api/v1/amt/power/action/ [ AMT-Device-GUID ] \\ -H \"Content-Type: application/json\" \\ -H \"Authorization: Bearer [JWT-Token]\" \\ -d \"{\\\"action\\\": [Power-Action], \\\"useSOL\\\": false}\" curl --insecure -X POST https:// [ IP-Address or FQDN ] /mps/api/v1/amt/power/action/ [ AMT-Device-GUID ] ^ -H \"Content-Type: application/json\" ^ -H \"Authorization: Bearer [JWT-Token]\" ^ -d \"{\\\"action\\\": [Power-Action], \\\"useSOL\\\": false}\" See Power Action API Docs for more information and expected responses.","title":"Example GET/POST Templates"},{"location":"Tutorials/apiTutorial/#other-methods","text":"For MPS methods to manage a device, see: MPS API Docs For RPS Methods for server configuration and provisioning, see RPS API Docs","title":"Other Methods"},{"location":"Tutorials/apiTutorial/#explore-the-ui-toolkit","text":"In addition to REST API calls, the Open AMT Cloud Toolkit provides a reference implementation console. Add manageability features to the console with prebuilt React components, such as Keyboard, Video, and Mouse ( KVM ). Get Started with the UI Toolkit","title":"Explore the UI Toolkit"},{"location":"Tutorials/createWiFiConfig/","text":"Important - Windows 10 or Newer Supported Only This feature is currently only supported for systems on Windows 10 or newer (including Windows 11) operating systems. Wireless on Linux is not currently supported by Intel AMT. Warning - Support for Cellular While Open AMT Cloud Toolkit supports wireless and wired profiles, it does not currently offer support for managing devices through cellular connections. Products like Cradlepoint* offer a workaround for cellular connections. After activation and configuration of an AMT device with a wireless profile, remote devices can be managed wirelessly. For devices to be activated in Client Control Mode ( CCM ) : The managed AMT device can be activated and configured on a wireless connection. For devices to be activated in Admin Control Mode ( ACM ) : The managed AMT device MUST have a wired connection during the activation of AMT. After activation, devices are then able to be managed over the wireless network rather than a wired connection. Use RPC 's amtinfo feature to determine if your current device supports wireless functionality. For steps to obtain the RPC binary, see Build RPC . Run RPC with the amtinfo argument. Linux Windows sudo ./rpc amtinfo .\\rpc amtinfo Look at the output for the LAN Interface section as highlighted below. If RPC does NOT return a section for wireless , the AMT device does not support wireless functionality. Version : 15.0.10 Build Number : 1447 SKU : 16392 UUID : 4c4b4568-195a-4260-8097-a4c14f566733 Control Mode : pre-provisioning state DNS Suffix : vprodemo.com DNS Suffix (OS) : Hostname (OS) : DESKTOP-3YM6MPN RAS Network : outside enterprise RAS Remote Status : not connected RAS Trigger : user initiated RAS MPS Hostname : ---Wired Adapter--- DHCP Enabled : true DHCP Mode : passive Link Status : up IP Address : 0.0.0.0 MAC Address : 80:c4:a8:58:df:e9 ---Wireless Adapter--- DHCP Enabled : true DHCP Mode : passive Link Status : down IP Address : 0.0.0.0 MAC Address : 00:00:00:00:00:00 Certificate Hashes : ... Create a WiFi Config \u00b6 Select the Wireless tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new WiFi Config Specify a Wireless Profile Name of your choice. Under Authentication Method , select WPA PSK or WPA2 PSK . Provide the PSK Passphrase . This is the password to the WiFi Network. Under Encryption Method , select TKIP or CCMP . Specify the SSID . This is the name of your wireless network. Click Save. Example Wireless Profile Figure 1: Example wireless profile Important : After saving, continue on to create either a CCM or ACM profile. When prompted, search for and select your new Wireless Profile from the drop-down menu. The selected Wi-Fi Profiles will be shown under Associated Wireless Profiles and can be reordered by dragging them to give priority. Example - Select Wireless Profile Figure 3: RPS bottom of profile Next up \u00b6 Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Profiles also distinguish between activating in: Client Control Mode ( CCM ): This mode offers all manageability features, including but not limited to, power control, audit logs, and hardware info. Redirection features, such as KVM or SOL , require user consent . The managed device will display a 6-digit code that must be entered by the remote admin to access the remote device via redirection. Create a CCM Profile Admin Control Mode ( ACM ): ACM mode supports all manageability features without requiring user consent . This means it is not necessary to have a person on-site to remote in and manage an edge device. In most IoT use cases, edge devices, such as digital signage or kiosks, may not be easily accessible or have available employees nearby. ACM mode proves immensely helpful in these scenarios. Create an ACM Profile","title":"Wireless Activation"},{"location":"Tutorials/createWiFiConfig/#create-a-wifi-config","text":"Select the Wireless tab from the left-hand menu. In the top-right corner, click Add New. Figure 1: Create a new WiFi Config Specify a Wireless Profile Name of your choice. Under Authentication Method , select WPA PSK or WPA2 PSK . Provide the PSK Passphrase . This is the password to the WiFi Network. Under Encryption Method , select TKIP or CCMP . Specify the SSID . This is the name of your wireless network. Click Save. Example Wireless Profile Figure 1: Example wireless profile Important : After saving, continue on to create either a CCM or ACM profile. When prompted, search for and select your new Wireless Profile from the drop-down menu. The selected Wi-Fi Profiles will be shown under Associated Wireless Profiles and can be reordered by dragging them to give priority. Example - Select Wireless Profile Figure 3: RPS bottom of profile","title":"Create a WiFi Config"},{"location":"Tutorials/createWiFiConfig/#next-up","text":"Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client ( RPC ). Profiles also distinguish between activating in: Client Control Mode ( CCM ): This mode offers all manageability features, including but not limited to, power control, audit logs, and hardware info. Redirection features, such as KVM or SOL , require user consent . The managed device will display a 6-digit code that must be entered by the remote admin to access the remote device via redirection. Create a CCM Profile Admin Control Mode ( ACM ): ACM mode supports all manageability features without requiring user consent . This means it is not necessary to have a person on-site to remote in and manage an edge device. In most IoT use cases, edge devices, such as digital signage or kiosks, may not be easily accessible or have available employees nearby. ACM mode proves immensely helpful in these scenarios. Create an ACM Profile","title":"Next up"},{"location":"Tutorials/modifyUserAuth/","text":"As part of the Open AMT Cloud Toolkit reference implementation, MPS and the Kong service issue and authenticate a JSON Web Token (JWT) for user authentication. The default configuration offers authentication functionality, but it does not support many common configuration options, such as user groups. In a production environment, alternative authentication is available in 0Auth 2 , Lightweight Directory Access Protocol (LDAP), Kerberos , and more. The instructions below explain how to add an LDAP plugin to Kong. User Authentication Flow \u00b6 The following diagrams help illustrate the typical user authentication flow. Learn more about the authorize API call in the REST API Call Tutorial or directly in our API Documentation . REST API User Authentication Flow \u00b6 To authenticate for REST APIs: \u00b6 Call the MPS REST API /api/v1/authorize to receive an authentication token from the User Auth Service. Perform other desired API calls (e.g. Power Actions, Hardware Info, etc) using the new auth token from Step 1 . Redirection ( KVM / SOL ) User Authentication Flow \u00b6 To authenticate for Websocket connections: \u00b6 Call the MPS REST API /api/v1/authorize to receive an authentication token from the User Auth Service. Call the MPS REST API /api/v1/authorize/redirection/{guid} using the auth token from Step 1 to receive a short-lived token directly from MPS for redirection sessions. Pass the short-lived token from Step 2 and the device's GUID to the UI Toolkit module implementation to start a redirection ( KVM / SOL ) session. Note - Additional Information When using a 3rd party auth service (e.g. Cognito, LDAP, etc), the token issued by the auth service is used to make calls to the MPS . For non-HTTP calls like redirection, a call must be made to the /api/v1/authorize/redirection/{guid} API to get a separate MPS -specific token required to be passed into the KVM / SOL UI-Toolkit module. API Gateways are only able to verify tokens on HTTP requests. Open AMT's redirection implementation uses WebSockets for KVM and SOL . Therefore, the API Gateway cannot verify tokens passed in over the WebSocket connections. Because of this, MPS must perform the verification of the token and it can only do that with tokens that it issues. Prerequisites \u00b6 Install and start a local LDAP server on the development system. For this tutorial, Go-lang LDAP Authentication* (GLAuth) is referenced. Find more info in the GLAuth Readme. To install, see steps 1 - 3 of the Quickstart section of the GLAuth Readme . We do not need to alter the sample-simple.cfg file. Allow the Terminal or Powershell to remain open to see LDAP activity as you proceed with the tutorial below. Optionally, download curl for testing the authentication with APIs at the end of this tutorial. Edit the kong.yaml File \u00b6 Reconfigure the Kong* API Gateway to use a different user authentication service: Open the kong.yaml file and comment out the plugins and consumer sections of the code by adding a # character at the beginning of each line. This disables the JWT authentication. Paste the new plugins section into the file. Modify the ldap_host to that of your development system or cloud instance. plugins : - name : cors - name : ldap-auth route : mps-route config : hide_credentials : true ldap_host : <Server IP-Address or FQDN> # Replace ldap_port : 3893 start_tls : false ldaps : false base_dn : dc=glauth,dc=com verify_ldap_host : false attribute : cn cache_ttl : 60 header_type : ldap - name : ldap-auth route : rps-route config : hide_credentials : true ldap_host : <Server IP-Address or FQDN> # Replace ldap_port : 3893 start_tls : false ldaps : false base_dn : dc=glauth,dc=com verify_ldap_host : false attribute : cn cache_ttl : 60 header_type : ldap Note The following code was adapted for the toolkit. For the default configuration details, see Enable the plugin on a route , on the tab Declarative YAML , in Kong documentation Restart the Kong Gateway Container \u00b6 Open a Terminal or Powershell/Command Prompt and run the command to list the containers: Linux Windows (Powershell) sudo docker ps docker ps Restart the Kong container: Linux Windows (Powershell) sudo docker restart <container ID> docker restart <container ID> Test the Configuration \u00b6 Authenticate a user to test the configuration by using an API of your choice. You will need to set the Authorization header to ldap base64encode(user:pass) . Test the configuration with curl : In the following examples, we use the base64 encoding of johndoe:TestAppPw1 as our encoded user:pass . This value is am9obmRvZTpUZXN0QXBwUHcx . These credentials are one of the default credentials in the sample-simple.cfg file provided by GLAuth*. Get Devices ( MPS Route) Get Profiles ( RPS Route) Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices \\ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices ^ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" See Devices API Docs for more information and expected responses. Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /rps/api/v1/admin/profiles \\ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" curl --insecure https:// [ IP-Address or FQDN ] /rps/api/v1/admin/profiles ^ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" See Get Profiles API Docs for more information and expected responses. Other APIs to test can be found in the MPS API Documentation and RPS API Documentation .","title":"Modify User Authentication"},{"location":"Tutorials/modifyUserAuth/#user-authentication-flow","text":"The following diagrams help illustrate the typical user authentication flow. Learn more about the authorize API call in the REST API Call Tutorial or directly in our API Documentation .","title":"User Authentication Flow"},{"location":"Tutorials/modifyUserAuth/#rest-api-user-authentication-flow","text":"","title":"REST API User Authentication Flow"},{"location":"Tutorials/modifyUserAuth/#to-authenticate-for-rest-apis","text":"Call the MPS REST API /api/v1/authorize to receive an authentication token from the User Auth Service. Perform other desired API calls (e.g. Power Actions, Hardware Info, etc) using the new auth token from Step 1 .","title":"To authenticate for REST APIs:"},{"location":"Tutorials/modifyUserAuth/#redirection-kvmsol-user-authentication-flow","text":"","title":"Redirection (KVM/SOL) User Authentication Flow"},{"location":"Tutorials/modifyUserAuth/#to-authenticate-for-websocket-connections","text":"Call the MPS REST API /api/v1/authorize to receive an authentication token from the User Auth Service. Call the MPS REST API /api/v1/authorize/redirection/{guid} using the auth token from Step 1 to receive a short-lived token directly from MPS for redirection sessions. Pass the short-lived token from Step 2 and the device's GUID to the UI Toolkit module implementation to start a redirection ( KVM / SOL ) session. Note - Additional Information When using a 3rd party auth service (e.g. Cognito, LDAP, etc), the token issued by the auth service is used to make calls to the MPS . For non-HTTP calls like redirection, a call must be made to the /api/v1/authorize/redirection/{guid} API to get a separate MPS -specific token required to be passed into the KVM / SOL UI-Toolkit module. API Gateways are only able to verify tokens on HTTP requests. Open AMT's redirection implementation uses WebSockets for KVM and SOL . Therefore, the API Gateway cannot verify tokens passed in over the WebSocket connections. Because of this, MPS must perform the verification of the token and it can only do that with tokens that it issues.","title":"To authenticate for Websocket connections:"},{"location":"Tutorials/modifyUserAuth/#prerequisites","text":"Install and start a local LDAP server on the development system. For this tutorial, Go-lang LDAP Authentication* (GLAuth) is referenced. Find more info in the GLAuth Readme. To install, see steps 1 - 3 of the Quickstart section of the GLAuth Readme . We do not need to alter the sample-simple.cfg file. Allow the Terminal or Powershell to remain open to see LDAP activity as you proceed with the tutorial below. Optionally, download curl for testing the authentication with APIs at the end of this tutorial.","title":"Prerequisites"},{"location":"Tutorials/modifyUserAuth/#edit-the-kongyaml-file","text":"Reconfigure the Kong* API Gateway to use a different user authentication service: Open the kong.yaml file and comment out the plugins and consumer sections of the code by adding a # character at the beginning of each line. This disables the JWT authentication. Paste the new plugins section into the file. Modify the ldap_host to that of your development system or cloud instance. plugins : - name : cors - name : ldap-auth route : mps-route config : hide_credentials : true ldap_host : <Server IP-Address or FQDN> # Replace ldap_port : 3893 start_tls : false ldaps : false base_dn : dc=glauth,dc=com verify_ldap_host : false attribute : cn cache_ttl : 60 header_type : ldap - name : ldap-auth route : rps-route config : hide_credentials : true ldap_host : <Server IP-Address or FQDN> # Replace ldap_port : 3893 start_tls : false ldaps : false base_dn : dc=glauth,dc=com verify_ldap_host : false attribute : cn cache_ttl : 60 header_type : ldap Note The following code was adapted for the toolkit. For the default configuration details, see Enable the plugin on a route , on the tab Declarative YAML , in Kong documentation","title":"Edit the kong.yaml File"},{"location":"Tutorials/modifyUserAuth/#restart-the-kong-gateway-container","text":"Open a Terminal or Powershell/Command Prompt and run the command to list the containers: Linux Windows (Powershell) sudo docker ps docker ps Restart the Kong container: Linux Windows (Powershell) sudo docker restart <container ID> docker restart <container ID>","title":"Restart the Kong Gateway Container"},{"location":"Tutorials/modifyUserAuth/#test-the-configuration","text":"Authenticate a user to test the configuration by using an API of your choice. You will need to set the Authorization header to ldap base64encode(user:pass) . Test the configuration with curl : In the following examples, we use the base64 encoding of johndoe:TestAppPw1 as our encoded user:pass . This value is am9obmRvZTpUZXN0QXBwUHcx . These credentials are one of the default credentials in the sample-simple.cfg file provided by GLAuth*. Get Devices ( MPS Route) Get Profiles ( RPS Route) Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices \\ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" curl --insecure https:// [ IP-Address or FQDN ] /mps/api/v1/devices ^ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" See Devices API Docs for more information and expected responses. Linux Windows curl --insecure https:// [ IP-Address or FQDN ] /rps/api/v1/admin/profiles \\ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" curl --insecure https:// [ IP-Address or FQDN ] /rps/api/v1/admin/profiles ^ -H \"Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx\" See Get Profiles API Docs for more information and expected responses. Other APIs to test can be found in the MPS API Documentation and RPS API Documentation .","title":"Test the Configuration"},{"location":"Tutorials/uitoolkitReact/","text":"Add MPS UI Toolkit Controls to a WebUI \u00b6 The UI Toolkit allows developers to add manageability features to a console with prebuilt React components. The code snippets simplify the task of adding complex manageability UI controls, such as the Keyboard, Video, Mouse ( KVM ). A sample web application, based on React.js, is provided for test and development. The tutorial outlines how to add various controls to the sample React web application provided. Developers can use the sample code below as a springboard for developing their own consoles. What You'll Need \u00b6 Hardware \u00b6 Configure a network that includes: A development system running Windows\u00ae 10 or Ubuntu* 18.04 or newer At least one Intel vPro\u00ae Platform to manage Software \u00b6 MPS , the Management Presence Server RPS , the Remote Provisioning Server Intel\u00ae vPro device, configured and connected to MPS Note For instructions to setup the MPS and RPS servers to connect a managed device, see the Get Started Guide The development system requires the following software: git Visual Studio Code or any other IDE Node.js What You'll Do \u00b6 Follow the steps in these sections sequentially: Create a new React app Add UI controls to the React app Figure 1: UI toolkit Create a New React App \u00b6 The React app can be created in any preferred development directory. The MPS can continue to run while creating and running the app. In a Terminal or Command Prompt, go to your preferred development directory. Run the following commands to create sample React app named my-app . npx create-react-app my-app Change to the my-app directory: cd my-app Add UI Toolkit \u00b6 Run the following command to add the UI Toolkit and install the required dependencies: npm install @open-amt-cloud-toolkit/ui-toolkit-react@3.0.2 Run the following commands to start the web UI locally: npm start By default, React apps run on port 3000 . If port 3000 is already used by the MPS server or any other application, you'll be prompted to use another port. If this happens, enter 'Y'. Success Figure 2: React reports successful deployment Note - Using Chromium Browser and Refreshing By default, React launches in your machine's default browser. However for best experience, navigate to the page using a Chromium based web browser. When you make changes, you do not need to stop the application and restart. It will update and refresh automatically as you make code changes. Add a Sample Control \u00b6 The following sections outline how to add controls. Refresh the web browser after adding a control if it does not update automatically after a few seconds. Add Keyboard, Video, Mouse ( KVM ) Redirection \u00b6 The code snippet below adds KVM control to the React application. Open ./my-app/src/App.js in a text editor or IDE of choice, such as Visual Studio Code or Notepad. Delete the existing code and replace it with the code snippet below. Change the following values: Field Value deviceId Replace the example deviceId value with the GUID of the Intel\u00ae AMT device. See How to Find GUIDs in Intel\u00ae AMT . mpsServer Replace the localhost with the IP Address or FQDN of your MPS Server. When using Kong , /mps/ws/relay must be appended to the IP or FQDN. authToken Provide valid JWT. Redirection requires a redirection-specific authentication token. See the /authorize/redirection/{guid} GET API in the Auth section. For a general example on how to make an API call and how to get a auth token from /authorize to pass to /authorize/redirection/{guid} , see Generating a JWT by using an Authorize API call . import React from \"react\" ; import \"./App.css\" ; import { KVM } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/kvm.bundle\" ; function App () { return ( < div className = \"App\" > < KVM deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws/relay\" //Replace 'localhost' with MPS Server IP Address or FQDN mouseDebounceTime = \"200\" authToken = \"\" // Replace with a valid JWT token from 'Authorize Redirection' GET API Method canvasHeight = \"100%\" canvasWidth = \"100%\" >< /KVM> < /div> ); } export default App ; Save and close the file. If the React app hasn't updated automatically, refresh the page. You are now able to remotely control your Intel\u00ae AMT device using Keyboard, Video, Mouse control. Success Figure 3: Successful KVM Connection You will see the errors in the following scenarios: If your browser is IE/Edge, there might be compatibility issues. Compilation errors if the ui-toolkit was not downloaded and installed to your react app. MPS / RPS server not running, appropriate controls will fail to work. MPS server running and device not connected. Incorrect or invalid JWT for authToken, see instructions on Generating a JWT by using an Authorize API call . Example authToken Format from API Call { \"token\" : \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5RW1SSlRiSWlJYjRiSWVTc21nY1dJanJSNkh5RVRxYyIsImV4cCI6MTYyMDE2OTg2NH0.GUib9sq0RWRLqJ7JpNNlj2AluuROLICCfdZaQzyWy90\" } Next Steps \u00b6 Try Other Controls \u00b6 Try out other React controls such as Serial Over LAN . Customize and Create Bundles \u00b6 Try out creating and customizing React bundles for things such as Serial Over LAN or KVM here . License Note \u00b6 If you are distributing the FortAwesome Icons, please provide attribution to the source per the CC-by 4.0 license obligations.","title":"UI Toolkit KVM Module"},{"location":"Tutorials/uitoolkitReact/#add-mps-ui-toolkit-controls-to-a-webui","text":"The UI Toolkit allows developers to add manageability features to a console with prebuilt React components. The code snippets simplify the task of adding complex manageability UI controls, such as the Keyboard, Video, Mouse ( KVM ). A sample web application, based on React.js, is provided for test and development. The tutorial outlines how to add various controls to the sample React web application provided. Developers can use the sample code below as a springboard for developing their own consoles.","title":"Add MPS UI Toolkit Controls to a WebUI"},{"location":"Tutorials/uitoolkitReact/#what-youll-need","text":"","title":"What You'll Need"},{"location":"Tutorials/uitoolkitReact/#hardware","text":"Configure a network that includes: A development system running Windows\u00ae 10 or Ubuntu* 18.04 or newer At least one Intel vPro\u00ae Platform to manage","title":"Hardware"},{"location":"Tutorials/uitoolkitReact/#software","text":"MPS , the Management Presence Server RPS , the Remote Provisioning Server Intel\u00ae vPro device, configured and connected to MPS Note For instructions to setup the MPS and RPS servers to connect a managed device, see the Get Started Guide The development system requires the following software: git Visual Studio Code or any other IDE Node.js","title":"Software"},{"location":"Tutorials/uitoolkitReact/#what-youll-do","text":"Follow the steps in these sections sequentially: Create a new React app Add UI controls to the React app Figure 1: UI toolkit","title":"What You'll Do"},{"location":"Tutorials/uitoolkitReact/#create-a-new-react-app","text":"The React app can be created in any preferred development directory. The MPS can continue to run while creating and running the app. In a Terminal or Command Prompt, go to your preferred development directory. Run the following commands to create sample React app named my-app . npx create-react-app my-app Change to the my-app directory: cd my-app","title":"Create a New React App"},{"location":"Tutorials/uitoolkitReact/#add-ui-toolkit","text":"Run the following command to add the UI Toolkit and install the required dependencies: npm install @open-amt-cloud-toolkit/ui-toolkit-react@3.0.2 Run the following commands to start the web UI locally: npm start By default, React apps run on port 3000 . If port 3000 is already used by the MPS server or any other application, you'll be prompted to use another port. If this happens, enter 'Y'. Success Figure 2: React reports successful deployment Note - Using Chromium Browser and Refreshing By default, React launches in your machine's default browser. However for best experience, navigate to the page using a Chromium based web browser. When you make changes, you do not need to stop the application and restart. It will update and refresh automatically as you make code changes.","title":"Add UI Toolkit"},{"location":"Tutorials/uitoolkitReact/#add-a-sample-control","text":"The following sections outline how to add controls. Refresh the web browser after adding a control if it does not update automatically after a few seconds.","title":"Add a Sample Control"},{"location":"Tutorials/uitoolkitReact/#add-keyboard-video-mouse-kvm-redirection","text":"The code snippet below adds KVM control to the React application. Open ./my-app/src/App.js in a text editor or IDE of choice, such as Visual Studio Code or Notepad. Delete the existing code and replace it with the code snippet below. Change the following values: Field Value deviceId Replace the example deviceId value with the GUID of the Intel\u00ae AMT device. See How to Find GUIDs in Intel\u00ae AMT . mpsServer Replace the localhost with the IP Address or FQDN of your MPS Server. When using Kong , /mps/ws/relay must be appended to the IP or FQDN. authToken Provide valid JWT. Redirection requires a redirection-specific authentication token. See the /authorize/redirection/{guid} GET API in the Auth section. For a general example on how to make an API call and how to get a auth token from /authorize to pass to /authorize/redirection/{guid} , see Generating a JWT by using an Authorize API call . import React from \"react\" ; import \"./App.css\" ; import { KVM } from \"@open-amt-cloud-toolkit/ui-toolkit-react/reactjs/src/kvm.bundle\" ; function App () { return ( < div className = \"App\" > < KVM deviceId = \"038d0240-045c-05f4-7706-980700080009\" //Replace with AMT Device GUID mpsServer = \"https://localhost/mps/ws/relay\" //Replace 'localhost' with MPS Server IP Address or FQDN mouseDebounceTime = \"200\" authToken = \"\" // Replace with a valid JWT token from 'Authorize Redirection' GET API Method canvasHeight = \"100%\" canvasWidth = \"100%\" >< /KVM> < /div> ); } export default App ; Save and close the file. If the React app hasn't updated automatically, refresh the page. You are now able to remotely control your Intel\u00ae AMT device using Keyboard, Video, Mouse control. Success Figure 3: Successful KVM Connection You will see the errors in the following scenarios: If your browser is IE/Edge, there might be compatibility issues. Compilation errors if the ui-toolkit was not downloaded and installed to your react app. MPS / RPS server not running, appropriate controls will fail to work. MPS server running and device not connected. Incorrect or invalid JWT for authToken, see instructions on Generating a JWT by using an Authorize API call . Example authToken Format from API Call { \"token\" : \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5RW1SSlRiSWlJYjRiSWVTc21nY1dJanJSNkh5RVRxYyIsImV4cCI6MTYyMDE2OTg2NH0.GUib9sq0RWRLqJ7JpNNlj2AluuROLICCfdZaQzyWy90\" }","title":"Add Keyboard, Video, Mouse (KVM) Redirection"},{"location":"Tutorials/uitoolkitReact/#next-steps","text":"","title":"Next Steps"},{"location":"Tutorials/uitoolkitReact/#try-other-controls","text":"Try out other React controls such as Serial Over LAN .","title":"Try Other Controls"},{"location":"Tutorials/uitoolkitReact/#customize-and-create-bundles","text":"Try out creating and customizing React bundles for things such as Serial Over LAN or KVM here .","title":"Customize and Create Bundles"},{"location":"Tutorials/uitoolkitReact/#license-note","text":"If you are distributing the FortAwesome Icons, please provide attribution to the source per the CC-by 4.0 license obligations.","title":"License Note"},{"location":"Tutorials/Scaling/docker-swarm/","text":"This sample deployment demonstrates the use of Docker* in swarm mode. The following conditions apply: All images are built and tested with docker compose . To learn more about building the images with docker compose , refer to Express Setup . Push images to the registry to make them available for deployment on other systems. Run the commands below from the open-amt-cloud-toolkit install directory. Important Not for production use. Get the Toolkit \u00b6 Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone --recursive https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Change to the cloned open-amt-cloud-toolkit directory. cd open-amt-cloud-toolkit Deploy the stack to the swarm \u00b6 Important - For Linux Before running the following commands on Linux, confirm that the user has been added to the docker group. For instructions, refer to Add docker group . Otherwise, prefix each command with sudo . Initialize a swarm. docker swarm init Copy docker compose config to temporary swarm.yml file. docker compose -f .\\docker-compose.yml config > swarm.yml Set the network driver to overlay in the swarm.yml file. Linux Windows sed -i \"s|driver: bridge|driver: overlay|g\" swarm.yml ( Get-Content -Path './swarm.yml' ) -replace 'driver: bridge' , 'driver: overlay' | Set-Content -Path './swarm.yml' Important Open the swarm.yml file to check that driver: bridge was replaced with driver: overlay . If the result is incorrect or corrupted, delete the swarm.yml file, rerun Step 2, and manually replace the string. If you've run docker compose previously, as in the instructions in Express Setup , run docker compose down to stop the open-amt-cloud-toolkit services: docker compose down -v Create the stack. docker stack deploy -c swarm.yml scalingdemo Check all of the services are running. docker stack services scalingdemo Success The table below is an example of a services list: ID NAME MODE REPLICAS IMAGE PORTS 6dye78yg66zp scalingdemo_db replicated 1/1 postgres:latest *:5432->5432/tcp nahbub6fxrvu scalingdemo_kong replicated 1/1 kong:2.3 :443->8443/tcp, :8001->8001/tcp nltp54asb8kz scalingdemo_mps replicated 1/1 mps:latest *:4433->4433/tcp uc9jsf5554cv scalingdemo_mpsrouter replicated 1/1 mpsrouter:latest ojtcs8qjxct3 scalingdemo_rps replicated 1/1 rps:latest wbk4of70do63 scalingdemo_vault replicated 1/1 vault:latest *:8200->8200/tcp pc143h8ml4ua scalingdemo_webui replicated 1/1 webui:latest Scale the mps service. docker service scale scalingdemo_mps=2 Success The table below is an example of a services list after scaling the mps: ID NAME MODE REPLICAS IMAGE PORTS 6dye78yg66zp scalingdemo_db replicated 1/1 postgres:latest *:5432->5432/tcp nahbub6fxrvu scalingdemo_kong replicated 1/1 kong:2.3 :443->8443/tcp, :8001->8001/tcp nltp54asb8kz scalingdemo_mps replicated 2/2 mps:latest *:4433->4433/tcp uc9jsf5554cv scalingdemo_mpsrouter replicated 1/1 mpsrouter:latest ojtcs8qjxct3 scalingdemo_rps replicated 1/1 rps:latest wbk4of70do63 scalingdemo_vault replicated 1/1 vault:latest *:8200->8200/tcp pc143h8ml4ua scalingdemo_webui replicated 1/1 webui:latest Remove the stack: docker stack rm scalingdemo","title":"Docker Swarm*"},{"location":"Tutorials/Scaling/docker-swarm/#get-the-toolkit","text":"Open a Terminal or Command Prompt and navigate to a directory of your choice for development: git clone --recursive https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Change to the cloned open-amt-cloud-toolkit directory. cd open-amt-cloud-toolkit","title":"Get the Toolkit"},{"location":"Tutorials/Scaling/docker-swarm/#deploy-the-stack-to-the-swarm","text":"Important - For Linux Before running the following commands on Linux, confirm that the user has been added to the docker group. For instructions, refer to Add docker group . Otherwise, prefix each command with sudo . Initialize a swarm. docker swarm init Copy docker compose config to temporary swarm.yml file. docker compose -f .\\docker-compose.yml config > swarm.yml Set the network driver to overlay in the swarm.yml file. Linux Windows sed -i \"s|driver: bridge|driver: overlay|g\" swarm.yml ( Get-Content -Path './swarm.yml' ) -replace 'driver: bridge' , 'driver: overlay' | Set-Content -Path './swarm.yml' Important Open the swarm.yml file to check that driver: bridge was replaced with driver: overlay . If the result is incorrect or corrupted, delete the swarm.yml file, rerun Step 2, and manually replace the string. If you've run docker compose previously, as in the instructions in Express Setup , run docker compose down to stop the open-amt-cloud-toolkit services: docker compose down -v Create the stack. docker stack deploy -c swarm.yml scalingdemo Check all of the services are running. docker stack services scalingdemo Success The table below is an example of a services list: ID NAME MODE REPLICAS IMAGE PORTS 6dye78yg66zp scalingdemo_db replicated 1/1 postgres:latest *:5432->5432/tcp nahbub6fxrvu scalingdemo_kong replicated 1/1 kong:2.3 :443->8443/tcp, :8001->8001/tcp nltp54asb8kz scalingdemo_mps replicated 1/1 mps:latest *:4433->4433/tcp uc9jsf5554cv scalingdemo_mpsrouter replicated 1/1 mpsrouter:latest ojtcs8qjxct3 scalingdemo_rps replicated 1/1 rps:latest wbk4of70do63 scalingdemo_vault replicated 1/1 vault:latest *:8200->8200/tcp pc143h8ml4ua scalingdemo_webui replicated 1/1 webui:latest Scale the mps service. docker service scale scalingdemo_mps=2 Success The table below is an example of a services list after scaling the mps: ID NAME MODE REPLICAS IMAGE PORTS 6dye78yg66zp scalingdemo_db replicated 1/1 postgres:latest *:5432->5432/tcp nahbub6fxrvu scalingdemo_kong replicated 1/1 kong:2.3 :443->8443/tcp, :8001->8001/tcp nltp54asb8kz scalingdemo_mps replicated 2/2 mps:latest *:4433->4433/tcp uc9jsf5554cv scalingdemo_mpsrouter replicated 1/1 mpsrouter:latest ojtcs8qjxct3 scalingdemo_rps replicated 1/1 rps:latest wbk4of70do63 scalingdemo_vault replicated 1/1 vault:latest *:8200->8200/tcp pc143h8ml4ua scalingdemo_webui replicated 1/1 webui:latest Remove the stack: docker stack rm scalingdemo","title":"Deploy the stack to the swarm"},{"location":"Tutorials/Scaling/overview/","text":"Scaling Overview \u00b6 Scaling functionality in MPS enables Open AMT Cloud Toolkit to support a greater number of managed devices. The toolkit offers various methods for deploying scaling, including Local Kubernetes, Azure Kubernetes Service ( AKS ), Amazon Elasic Kubernetes Service (EKS), and Docker Swarm*. In addition, administrators can use kubectl to manage the AKS . Figure 1: High-level architecture of scaling implementation Figure 1 illustrates the basic high-level software flow: Managed devices use CIRA to connect and call home to instances of the MPS in the cloud. RPCs connect to an available instance of the MPS Server with WSS calls. These calls are funneled through Kong* API Gateway, which supports a variety of APIs. Kong manages load balancing, logging, authentication and more. The Kong* API Gateway handles requests from client apps, such as the Sample Web UI included in Open AMT Cloud Toolkit , sending them along to an available RPS . The MPS Router chooses an available instance of the MPS . The RPS microservices communicate with MPS microservices through the REST API. Vault is a tool used to secure, store, and tightly control access to secrets. Storing passwords used by MPS in Vault will increase the security of these assets. Docker in Swarm Mode \u00b6 If you're new to scaling, Docker in swarm mode is a great way to start developing a scaling proof of concept. Docker in swarm mode is a container orchestration tool, software used to deploy and manage large numbers of containers and services. In this mode, Docker enables the administrator to deploy and manage Docker nodes or worker nodes that are added to a Docker swarm instance. Administrator can then deploy a service to the swarm instance and expose ports to an external load balancer. Information To learn more about Docker in swarm mode, start with Swarm mode overview . Get Started with Docker Swarm Kubernetes (K8s) \u00b6 Warning The K8s deployment section is not a tutorial for beginners. It is intended for those who have prior knowledge of the service. To begin learning about K8s, start with Kubernetes , Azure Kubernetes Service , or Amazon Elastic Kubernetes Service . Local Kubernetes \u00b6 K8s is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. The instructions use kubectl, a command line tool for managing Kubernetes clusters. Get Started with K8s Azure Kubernetes Service ( AKS ) \u00b6 AKS is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. Get Started with AKS Amazon Elastic Kubernetes Service (EKS) \u00b6 EKS is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. Get Started with EKS","title":"Overview"},{"location":"Tutorials/Scaling/overview/#scaling-overview","text":"Scaling functionality in MPS enables Open AMT Cloud Toolkit to support a greater number of managed devices. The toolkit offers various methods for deploying scaling, including Local Kubernetes, Azure Kubernetes Service ( AKS ), Amazon Elasic Kubernetes Service (EKS), and Docker Swarm*. In addition, administrators can use kubectl to manage the AKS . Figure 1: High-level architecture of scaling implementation Figure 1 illustrates the basic high-level software flow: Managed devices use CIRA to connect and call home to instances of the MPS in the cloud. RPCs connect to an available instance of the MPS Server with WSS calls. These calls are funneled through Kong* API Gateway, which supports a variety of APIs. Kong manages load balancing, logging, authentication and more. The Kong* API Gateway handles requests from client apps, such as the Sample Web UI included in Open AMT Cloud Toolkit , sending them along to an available RPS . The MPS Router chooses an available instance of the MPS . The RPS microservices communicate with MPS microservices through the REST API. Vault is a tool used to secure, store, and tightly control access to secrets. Storing passwords used by MPS in Vault will increase the security of these assets.","title":"Scaling Overview"},{"location":"Tutorials/Scaling/overview/#docker-in-swarm-mode","text":"If you're new to scaling, Docker in swarm mode is a great way to start developing a scaling proof of concept. Docker in swarm mode is a container orchestration tool, software used to deploy and manage large numbers of containers and services. In this mode, Docker enables the administrator to deploy and manage Docker nodes or worker nodes that are added to a Docker swarm instance. Administrator can then deploy a service to the swarm instance and expose ports to an external load balancer. Information To learn more about Docker in swarm mode, start with Swarm mode overview . Get Started with Docker Swarm","title":"Docker in Swarm Mode"},{"location":"Tutorials/Scaling/overview/#kubernetes-k8s","text":"Warning The K8s deployment section is not a tutorial for beginners. It is intended for those who have prior knowledge of the service. To begin learning about K8s, start with Kubernetes , Azure Kubernetes Service , or Amazon Elastic Kubernetes Service .","title":"Kubernetes (K8s)"},{"location":"Tutorials/Scaling/overview/#local-kubernetes","text":"K8s is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. The instructions use kubectl, a command line tool for managing Kubernetes clusters. Get Started with K8s","title":"Local Kubernetes"},{"location":"Tutorials/Scaling/overview/#azure-kubernetes-service-aks","text":"AKS is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. Get Started with AKS","title":"Azure Kubernetes Service (AKS)"},{"location":"Tutorials/Scaling/overview/#amazon-elastic-kubernetes-service-eks","text":"EKS is a container orchestration system that enables administrators to deploy and manage large numbers of containers and services. Get Started with EKS","title":"Amazon Elastic Kubernetes Service (EKS)"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/","text":"Azure Kubernetes Service ( AKS ) \u00b6 This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a Kubernetes cluster using AKS . Alternatively, you can also perform a simpler, test deployment using a single-node cluster locally. See Kubernetes (K8s) . Azure Kubernetes Service ( AKS ) offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance. Learn more about AKS here . Prerequisites \u00b6 kubectl Azure CLI (v2.24.0+) Helm CLI (v3.5+) PSQL CLI (11.13) Get the Toolkit \u00b6 Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Create SSH Key \u00b6 This key is required by Azure to create VMs that use SSH keys for authentication. For more details, see Detailed steps: Create and manage SSH keys . Create a new ssh key. ssh-keygen -m PEM -t rsa -b 4096 Take note of the location it was saved at. You will need the public key ( .pub file) in a following step. Deploy AKS \u00b6 Login to Azure. az login Provide a name and region to create a new resource group. az group create --name <your-resource-group-name> --location <region> Provide the name of your new resource group from the last step and start a deployment at that resource group based on aks.json in the ./open-amt-cloud-toolkit directory. az deployment group create --resource-group <your-resource-group-name> --template-file aks.json After running the previous command, you will be prompted for 3 different strings. After the final prompt, it will take about 5 minutes to finish running. Provide a name for the AKS Cluster. Provide a name (e.g. your name) for the linux user admin name. Provide the string of the ssh key from the .pub file. Take note of the fqdnSuffix in the outputs section of the JSON response (e.g. eastus.cloudapp.azure.com ) \"outputs\" : { \"controlPlaneFQDN\" : { \"type\" : \"String\" , \"value\" : \"bwcluster-9c68035a.hcp.westus.azmk8s.io\" }, \"fqdnSuffix\" : { \"type\" : \"String\" , \"value\" : \"eastus.cloudapp.azure.com\" } }, Connect to AKS Instance \u00b6 Ensure your kubectl is connected to the Kubernetes cluster you wish to deploy/manage. Provide your resource group name and cluster name, respectively. az aks get-credentials --resource-group <your-resource-group-name> --name <your-cluster-name> Create Secrets \u00b6 1. MPS /KONG JWT \u00b6 This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret. 2. KONG ACL for JWT \u00b6 This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin 3. MPS Web Username and Password \u00b6 This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character 4. Database connection strings \u00b6 Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the full username for the Postgres database (Ex: <postgres-username>@<your-cluster-name>-sql ). <PASSWORD> is the password for the Postgres database. <SERVERURL> is the url for the Azure-hosted Postgres database (Ex: <your-cluster-name>-sql.postgres.database.azure.com ). Create RPS connection string secret. kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=require Create MPS Router connection string secret. kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Create MPS connection string secret. kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Update Configuration \u00b6 Edit values.yaml \u00b6 Open the values.yaml file in ./open-amt-cloud-toolkit/kubernetes/charts/ . Update the service.beta.kubernetes.io/azure-dns-label-name key in the kong section with a desired subdomain name for the URL that you would like for your cluster (i.e. myopenamtk8s). kong : proxy : annotations : service.beta.kubernetes.io/azure-dns-label-name : \"<your-subdomain-name>\" Update the commonName key to your FQDN in the mps section. For AKS , the format is <your-subdomain-name>.<location>.cloudapp.azure.com . This is the fqdnSuffix provided in the outputs section when you Deploy AKS . mps : commonName : \"<your-subdomain-name>.<location>.cloudapp.azure.com\" replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Save and close the file. Create Databases and Schema \u00b6 Enable Access to Database \u00b6 Navigate to Home > Resource Groups > Resource Group Name using Microsoft Azure via online. Select the Postgres DB. It will have a Type of Azure Database for PostgreSQL Server . Under Settings in the left-hand menu, select Connection Security . Under Firewall rules, select Add current client IP address . Select Save. Under the Overview tab, take note of the 'Server name' and 'Admin username'. They will be needed in the next steps. Note Remember to delete this firewall rule when finished. Create Databases \u00b6 Use the database schema files to initialize the hosted Postgres DB in the following steps. Where: <SERVERURL> is the location of the Postgres database (Ex: <your-cluster-name>-sql.postgres.database.azure.com ). <USERNAME> is the admin username for the Postgres database (Ex: <postgres-username>@<your-cluster-name>-sql ). Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb' database. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./data/initMPS.sql Deploy Open AMT Cloud Toolkit using Helm \u00b6 Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Thu Jul 15 11:17:38 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None View the pods. You might notice mps , rps , and openamtstack-vault-0 are not ready. This will change after we initialize and unseal Vault. All others should be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 0/1 CreateContainerConfigError 0 2m6s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 2m6s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 2m6s openamtstack-vault-0 0/1 Running 0 2m6s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 2m6s rps-79877bf5c5-dsg5p 0/1 CreateContainerConfigError 0 2m6s webui-6cc48f4d68-6r8b5 1/1 Running 0 2m6s Initialize and Unseal Vault \u00b6 Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Tip - Finding the Vault UI External IP Address The external IP of your Vault UI service can be found by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down. Click Enable Engine . Vault Token Secret \u00b6 Add the root token as a secret to the AKS cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 1/1 Running 0 4m5s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 4m5s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 4m5s openamtstack-vault-0 1/1 Running 0 4m5s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 4m5s rps-79877bf5c5-dsg5p 1/1 Running 0 4m5s webui-6cc48f4d68-6r8b5 1/1 Running 0 4m5s Next Steps \u00b6 Visit the Sample Web UI using the FQDN name and Continue from the Get Started steps","title":"AKS"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#azure-kubernetes-service-aks","text":"This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a Kubernetes cluster using AKS . Alternatively, you can also perform a simpler, test deployment using a single-node cluster locally. See Kubernetes (K8s) . Azure Kubernetes Service ( AKS ) offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance. Learn more about AKS here .","title":"Azure Kubernetes Service (AKS)"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#prerequisites","text":"kubectl Azure CLI (v2.24.0+) Helm CLI (v3.5+) PSQL CLI (11.13)","title":"Prerequisites"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#get-the-toolkit","text":"Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0","title":"Get the Toolkit"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#create-ssh-key","text":"This key is required by Azure to create VMs that use SSH keys for authentication. For more details, see Detailed steps: Create and manage SSH keys . Create a new ssh key. ssh-keygen -m PEM -t rsa -b 4096 Take note of the location it was saved at. You will need the public key ( .pub file) in a following step.","title":"Create SSH Key"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#deploy-aks","text":"Login to Azure. az login Provide a name and region to create a new resource group. az group create --name <your-resource-group-name> --location <region> Provide the name of your new resource group from the last step and start a deployment at that resource group based on aks.json in the ./open-amt-cloud-toolkit directory. az deployment group create --resource-group <your-resource-group-name> --template-file aks.json After running the previous command, you will be prompted for 3 different strings. After the final prompt, it will take about 5 minutes to finish running. Provide a name for the AKS Cluster. Provide a name (e.g. your name) for the linux user admin name. Provide the string of the ssh key from the .pub file. Take note of the fqdnSuffix in the outputs section of the JSON response (e.g. eastus.cloudapp.azure.com ) \"outputs\" : { \"controlPlaneFQDN\" : { \"type\" : \"String\" , \"value\" : \"bwcluster-9c68035a.hcp.westus.azmk8s.io\" }, \"fqdnSuffix\" : { \"type\" : \"String\" , \"value\" : \"eastus.cloudapp.azure.com\" } },","title":"Deploy AKS"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#connect-to-aks-instance","text":"Ensure your kubectl is connected to the Kubernetes cluster you wish to deploy/manage. Provide your resource group name and cluster name, respectively. az aks get-credentials --resource-group <your-resource-group-name> --name <your-cluster-name>","title":"Connect to AKS Instance"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#create-secrets","text":"","title":"Create Secrets"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#1-mpskong-jwt","text":"This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret.","title":"1. MPS/KONG JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#2-kong-acl-for-jwt","text":"This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin","title":"2. KONG ACL for JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#3-mps-web-username-and-password","text":"This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character","title":"3. MPS Web Username and Password"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#4-database-connection-strings","text":"Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the full username for the Postgres database (Ex: <postgres-username>@<your-cluster-name>-sql ). <PASSWORD> is the password for the Postgres database. <SERVERURL> is the url for the Azure-hosted Postgres database (Ex: <your-cluster-name>-sql.postgres.database.azure.com ). Create RPS connection string secret. kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=require Create MPS Router connection string secret. kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Create MPS connection string secret. kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require","title":"4. Database connection strings"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#update-configuration","text":"","title":"Update Configuration"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#edit-valuesyaml","text":"Open the values.yaml file in ./open-amt-cloud-toolkit/kubernetes/charts/ . Update the service.beta.kubernetes.io/azure-dns-label-name key in the kong section with a desired subdomain name for the URL that you would like for your cluster (i.e. myopenamtk8s). kong : proxy : annotations : service.beta.kubernetes.io/azure-dns-label-name : \"<your-subdomain-name>\" Update the commonName key to your FQDN in the mps section. For AKS , the format is <your-subdomain-name>.<location>.cloudapp.azure.com . This is the fqdnSuffix provided in the outputs section when you Deploy AKS . mps : commonName : \"<your-subdomain-name>.<location>.cloudapp.azure.com\" replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Save and close the file.","title":"Edit values.yaml"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#create-databases-and-schema","text":"","title":"Create Databases and Schema"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#enable-access-to-database","text":"Navigate to Home > Resource Groups > Resource Group Name using Microsoft Azure via online. Select the Postgres DB. It will have a Type of Azure Database for PostgreSQL Server . Under Settings in the left-hand menu, select Connection Security . Under Firewall rules, select Add current client IP address . Select Save. Under the Overview tab, take note of the 'Server name' and 'Admin username'. They will be needed in the next steps. Note Remember to delete this firewall rule when finished.","title":"Enable Access to Database"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#create-databases","text":"Use the database schema files to initialize the hosted Postgres DB in the following steps. Where: <SERVERURL> is the location of the Postgres database (Ex: <your-cluster-name>-sql.postgres.database.azure.com ). <USERNAME> is the admin username for the Postgres database (Ex: <postgres-username>@<your-cluster-name>-sql ). Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb' database. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./data/initMPS.sql","title":"Create Databases"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#deploy-open-amt-cloud-toolkit-using-helm","text":"Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Thu Jul 15 11:17:38 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None View the pods. You might notice mps , rps , and openamtstack-vault-0 are not ready. This will change after we initialize and unseal Vault. All others should be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 0/1 CreateContainerConfigError 0 2m6s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 2m6s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 2m6s openamtstack-vault-0 0/1 Running 0 2m6s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 2m6s rps-79877bf5c5-dsg5p 0/1 CreateContainerConfigError 0 2m6s webui-6cc48f4d68-6r8b5 1/1 Running 0 2m6s","title":"Deploy Open AMT Cloud Toolkit using Helm"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#initialize-and-unseal-vault","text":"Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Tip - Finding the Vault UI External IP Address The external IP of your Vault UI service can be found by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down. Click Enable Engine .","title":"Initialize and Unseal Vault"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#vault-token-secret","text":"Add the root token as a secret to the AKS cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 1/1 Running 0 4m5s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 4m5s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 4m5s openamtstack-vault-0 1/1 Running 0 4m5s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 4m5s rps-79877bf5c5-dsg5p 1/1 Running 0 4m5s webui-6cc48f4d68-6r8b5 1/1 Running 0 4m5s","title":"Vault Token Secret"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-aks/#next-steps","text":"Visit the Sample Web UI using the FQDN name and Continue from the Get Started steps","title":"Next Steps"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/","text":"Amazon Elastic Kubernetes Service (EKS) \u00b6 This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a Kubernetes cluster using EKS. To perform a simpler test deployment, use a single-mode cluster locally. See Kubernetes (K8s) . Amazon EKS offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance. Learn more about EKS here . Prerequisites \u00b6 kubectl AWS CLI eksctl CLI Helm CLI (v3.5+) PSQL CLI (11.13) Get the Toolkit \u00b6 Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Create a New EKS Cluster \u00b6 Follow steps for aws configure to finish configuration of AWS CLI. Follow steps to Create a key pair using Amazon EC2 to create a SSH key for accessing the cluster. Create a new EKS cluster and supporting components. eksctl create cluster --name <cluster-name> --region <region> --with-oidc --ssh-access --ssh-public-key <ssh-keypair-name> --managed Where: <cluster-name> is the name of the new EKS cluster. <region> is the AWS region to deploy the stack (Ex: us-west-2 ). <ssh-keypair-name> is the name of the SSH key from the previous step. Configure EKS Instance \u00b6 Ensure your kubectl is connected to the correct EKS cluster to manage. Provide your region and cluster name. aws eks update-kubeconfig --region <region> --name <cluster-name> Where: <cluster-name> is the name of your EKS cluster. <region> is the AWS region where the cluster is (Ex: us-west-2 ). Update Access Permissions \u00b6 In order to be able to see cluster details like resources, networking, and more with the Amazon EKS console, we must configure permissions in the ConfigMap . More information can be found at How do I resolve the \"Your current user or role does not have access to Kubernetes objects on this EKS cluster\" error in Amazon EKS? Get the configuration of your AWS CLI user or role. aws sts get-caller-identity Edit aws-auth ConfigMap in a text editor. kubectl edit configmap aws-auth -n kube-system Add the IAM user OR IAM role to the ConfigMap. To allow superuser access for performing any action on any resource, add system:masters instead of system:bootstrappers and system:nodes . Add a Role Add a User # Add under existing mapRoles section # Replace [ROLE-NAME] with your IAM Role mapRoles: | - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/[ROLE-NAME] username: [ROLE-NAME] groups: - system:bootstrappers - system:nodes # Alternatively, you can create permissions for a single User rather than a Role # Create a new mapUsers section # Replace [USER-NAME] with your IAM User mapUsers: | - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/[USER-NAME] username: [USER-NAME] groups: - system:bootstrappers - system:nodes Save and close the text editor window. A success or error message will print to the console after closing the text editor window. If an error shows, verify the correct syntax was used. Additionally, a more detailed error message will be printed within the ConfigMap text file. Add EBS CSI driver to Cluster \u00b6 The Amazon EBS CSI plugin requires IAM permissions to make calls to Amazon APIs on your behalf. This is required for Vault. Without the driver, Vault will be stuck pending since its volume will be unable to be created. This is a new requirement starting in Kubernetes 1.23 and later. Find additional information at Creating the Amazon EBS CSI driver IAM role for service accounts . Create a new IAM role and attach the required Amazon managed policy. Replace <cluster-name> with the name of your cluster. eksctl create iamserviceaccount \\ --name ebs-csi-controller-sa \\ --namespace kube-system \\ --cluster <cluster-name> \\ --attach-policy-arn arn:aws-cn:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \\ --approve \\ --role-only \\ --role-name AmazonEKS_EBS_CSI_DriverRole Add the EBS CSI add-on to the cluster. Replace <cluster-name> with the name of your cluster and <account-ID> with your Account ID. Find more information at Managing the Amazon EBS CSI driver as an Amazon EKS add-on . eksctl create addon --name aws-ebs-csi-driver --cluster <cluster-name> --service-account-role-arn arn:aws:iam::<account-ID>:role/AmazonEKS_EBS_CSI_DriverRole --force Create Postgres DB in RDS \u00b6 Create a Postgres DB by following the steps for Creating an Amazon RDS DB instance . Make sure to set the following configuration settings: Field Set to Virtual private cloud (VPC) Choose the VPC created from your cluster. It should follow the format: 'eksctl- <cluster-name> -cluster/VPC' Public access Yes. In the next steps, we will create Security rules to limit access. VPC security group Choose existing Existing VPC security groups default Configure Virtual Private Cloud (VPC) for access \u00b6 Go to RDS home . Select 'Databases' from the left-hand side menu. Select your created database (Ex: database-1). Under Security in Connectivity & security , click on the VPC under VPC security groups (Ex: default (sg-01b4767ggdcb52825) ). Select Inbound rules . Select Edit inbound rules . Add Two New Rules \u00b6 Rule One: Select Add rule . Under 'Type' select PostgresSQL . Under 'Source' select My IP . Rule Two: Select Add rule . Under 'Type' select PostgresSQL . Under 'Source' select Custom . In the search box, select the security group starting with the label 'eks-cluster-sg'. Select Save rules . Create Databases and Schema \u00b6 Use the database schema files to initialize the hosted Postgres DB in the following steps. Note The following commands will prompt for the database password you chose here . Where: <SERVERURL> is the location of the Postgres database (Ex: database-1.jotd7t2abapq.us-west-2.rds.amazonaws.com ). <USERNAME> is the username for the Postgres database. Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb'. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/initMPS.sql Create Secrets \u00b6 1. MPS /KONG JWT \u00b6 This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret. 2. KONG ACL for JWT \u00b6 This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin 3. MPS Web Username and Password \u00b6 This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character 4. Database connection strings \u00b6 Warning - Using SSL/ TLS with AWS RDS Postgres 14 By default, AWS pre-selects Postgres 14. This tutorial uses the connection string setting of no-verify for ease of setup. To fully configure SSL, follow the links below. For production, it is recommended to use a SSL connection. Find more information at Using SSL with a PostgreSQL DB instance and Updating applications to connect to PostgreSQL DB instances using new SSL/ TLS certificates . Postgres 15 Alternatively, if Postgres 15 is preferred and selected, the sslmode in the connection strings must be updated from no-verify / disable to require for the services to be able to connect to the database. No other work is required for a test environment. Note: For a fully secured, certificate-based SSL connection, the following steps must be taken in Using SSL with a PostgreSQL DB instance . It will also require updating sslmode to verify-full or verify-ca . For production, it is highly recommended. Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the username for the Postgres database. <PASSWORD> is the password for the Postgres database. <SERVERURL> is the url for the AWS-hosted Postgres database (Ex: database-1.jotd7t2abapq.us-west-2.rds.amazonaws.com ). Create RPS connection string secret. Postgres 14 Postgres 15 kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=no-verify kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=require Create MPS Router connection string secret. Postgres 14 Postgres 15 kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Create MPS connection string secret. Postgres 14 Postgres 15 kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=no-verify kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Update Configuration \u00b6 Edit values.yaml \u00b6 Open the values.yaml file in the ./open-amt-cloud-toolkit/kubernetes/charts/ directory. Remove the annotations section and service.beta.kubernetes.io/azure-dns-label-name key in the kong: section. These are Azure-specific implementations. kong : proxy : annotations : # Delete this line service.beta.kubernetes.io/azure-dns-label-name : \"<your-domain-name>\" # Delete this line Save and close the file. Deploy Open AMT Cloud Toolkit using Helm \u00b6 Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Thu Jul 15 11:17:38 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None Initialize and Unseal Vault \u00b6 Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Tip - Finding the Vault UI External IP Address The external IP of your Vault UI service can be found by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down. Click Enable Engine . Vault Token Secret \u00b6 Add the root token as a secret to the EKS cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. Update commonName in values.yml \u00b6 Get the External-IP for accessing the UI. Note and save the value under 'EXTERNAL-IP'. kubectl get service openamtstack-kong-proxy Update the value for commonName in the mps section in the values.yml file with the External-IP from above. Recall that values.yml is located in ./kubernetes/charts/ . mps : commonName : \"\" # update with External-IP from `kubectl get services` replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Update the stack using helm. helm upgrade openamtstack ./kubernetes/charts Verify running pods \u00b6 View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 1/1 Running 0 4m5s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 4m5s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 4m5s openamtstack-vault-0 1/1 Running 0 4m5s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 4m5s rps-79877bf5c5-dsg5p 1/1 Running 0 4m5s webui-6cc48f4d68-6r8b5 1/1 Running 0 4m5s Check that the MPS Certificate is correct in your browser. Go to your FQDN at port 4433. https://<Your-AWS-FQDN>:4433 Verify the MPS Certificate in your browser has the correct Issuer information and is Issued to your FQDN. Troubleshoot - Issued to field showing NaN or blank If your certificate is incorrect, the AMT device will not connect to the MPS server. See Figure 1. Follow the steps below to correct the problem. Example - Incorrect MPS Certificate Figure 1: Incorrect Certificate Open and Login to Vault UI. Go to kv/data/MPSCerts/ directory. Delete the existing MPS Certificate. In a terminal, run the following command. kubectl rollout restart deployment mps A new, correct MPS Cert should be generated. Go back to the webserver in your browser. https://<Your-AWS-FQDN>:4433 Verify the Issued to: field is no longer NaN/blank and now shows the correct FQDN. Continue to Next Steps section. Next Steps \u00b6 Visit the Sample Web UI using the FQDN name and Continue from the Get Started steps .","title":"EKS"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#amazon-elastic-kubernetes-service-eks","text":"This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a Kubernetes cluster using EKS. To perform a simpler test deployment, use a single-mode cluster locally. See Kubernetes (K8s) . Amazon EKS offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance. Learn more about EKS here .","title":"Amazon Elastic Kubernetes Service (EKS)"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#prerequisites","text":"kubectl AWS CLI eksctl CLI Helm CLI (v3.5+) PSQL CLI (11.13)","title":"Prerequisites"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#get-the-toolkit","text":"Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0","title":"Get the Toolkit"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#create-a-new-eks-cluster","text":"Follow steps for aws configure to finish configuration of AWS CLI. Follow steps to Create a key pair using Amazon EC2 to create a SSH key for accessing the cluster. Create a new EKS cluster and supporting components. eksctl create cluster --name <cluster-name> --region <region> --with-oidc --ssh-access --ssh-public-key <ssh-keypair-name> --managed Where: <cluster-name> is the name of the new EKS cluster. <region> is the AWS region to deploy the stack (Ex: us-west-2 ). <ssh-keypair-name> is the name of the SSH key from the previous step.","title":"Create a New EKS Cluster"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#configure-eks-instance","text":"Ensure your kubectl is connected to the correct EKS cluster to manage. Provide your region and cluster name. aws eks update-kubeconfig --region <region> --name <cluster-name> Where: <cluster-name> is the name of your EKS cluster. <region> is the AWS region where the cluster is (Ex: us-west-2 ).","title":"Configure EKS Instance"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#update-access-permissions","text":"In order to be able to see cluster details like resources, networking, and more with the Amazon EKS console, we must configure permissions in the ConfigMap . More information can be found at How do I resolve the \"Your current user or role does not have access to Kubernetes objects on this EKS cluster\" error in Amazon EKS? Get the configuration of your AWS CLI user or role. aws sts get-caller-identity Edit aws-auth ConfigMap in a text editor. kubectl edit configmap aws-auth -n kube-system Add the IAM user OR IAM role to the ConfigMap. To allow superuser access for performing any action on any resource, add system:masters instead of system:bootstrappers and system:nodes . Add a Role Add a User # Add under existing mapRoles section # Replace [ROLE-NAME] with your IAM Role mapRoles: | - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/[ROLE-NAME] username: [ROLE-NAME] groups: - system:bootstrappers - system:nodes # Alternatively, you can create permissions for a single User rather than a Role # Create a new mapUsers section # Replace [USER-NAME] with your IAM User mapUsers: | - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/[USER-NAME] username: [USER-NAME] groups: - system:bootstrappers - system:nodes Save and close the text editor window. A success or error message will print to the console after closing the text editor window. If an error shows, verify the correct syntax was used. Additionally, a more detailed error message will be printed within the ConfigMap text file.","title":"Update Access Permissions"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#add-ebs-csi-driver-to-cluster","text":"The Amazon EBS CSI plugin requires IAM permissions to make calls to Amazon APIs on your behalf. This is required for Vault. Without the driver, Vault will be stuck pending since its volume will be unable to be created. This is a new requirement starting in Kubernetes 1.23 and later. Find additional information at Creating the Amazon EBS CSI driver IAM role for service accounts . Create a new IAM role and attach the required Amazon managed policy. Replace <cluster-name> with the name of your cluster. eksctl create iamserviceaccount \\ --name ebs-csi-controller-sa \\ --namespace kube-system \\ --cluster <cluster-name> \\ --attach-policy-arn arn:aws-cn:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \\ --approve \\ --role-only \\ --role-name AmazonEKS_EBS_CSI_DriverRole Add the EBS CSI add-on to the cluster. Replace <cluster-name> with the name of your cluster and <account-ID> with your Account ID. Find more information at Managing the Amazon EBS CSI driver as an Amazon EKS add-on . eksctl create addon --name aws-ebs-csi-driver --cluster <cluster-name> --service-account-role-arn arn:aws:iam::<account-ID>:role/AmazonEKS_EBS_CSI_DriverRole --force","title":"Add EBS CSI driver to Cluster"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#create-postgres-db-in-rds","text":"Create a Postgres DB by following the steps for Creating an Amazon RDS DB instance . Make sure to set the following configuration settings: Field Set to Virtual private cloud (VPC) Choose the VPC created from your cluster. It should follow the format: 'eksctl- <cluster-name> -cluster/VPC' Public access Yes. In the next steps, we will create Security rules to limit access. VPC security group Choose existing Existing VPC security groups default","title":"Create Postgres DB in RDS"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#configure-virtual-private-cloud-vpc-for-access","text":"Go to RDS home . Select 'Databases' from the left-hand side menu. Select your created database (Ex: database-1). Under Security in Connectivity & security , click on the VPC under VPC security groups (Ex: default (sg-01b4767ggdcb52825) ). Select Inbound rules . Select Edit inbound rules .","title":"Configure Virtual Private Cloud (VPC) for access"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#add-two-new-rules","text":"Rule One: Select Add rule . Under 'Type' select PostgresSQL . Under 'Source' select My IP . Rule Two: Select Add rule . Under 'Type' select PostgresSQL . Under 'Source' select Custom . In the search box, select the security group starting with the label 'eks-cluster-sg'. Select Save rules .","title":"Add Two New Rules"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#create-databases-and-schema","text":"Use the database schema files to initialize the hosted Postgres DB in the following steps. Note The following commands will prompt for the database password you chose here . Where: <SERVERURL> is the location of the Postgres database (Ex: database-1.jotd7t2abapq.us-west-2.rds.amazonaws.com ). <USERNAME> is the username for the Postgres database. Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb'. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/initMPS.sql","title":"Create Databases and Schema"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#create-secrets","text":"","title":"Create Secrets"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#1-mpskong-jwt","text":"This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret.","title":"1. MPS/KONG JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#2-kong-acl-for-jwt","text":"This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin","title":"2. KONG ACL for JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#3-mps-web-username-and-password","text":"This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character","title":"3. MPS Web Username and Password"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#4-database-connection-strings","text":"Warning - Using SSL/ TLS with AWS RDS Postgres 14 By default, AWS pre-selects Postgres 14. This tutorial uses the connection string setting of no-verify for ease of setup. To fully configure SSL, follow the links below. For production, it is recommended to use a SSL connection. Find more information at Using SSL with a PostgreSQL DB instance and Updating applications to connect to PostgreSQL DB instances using new SSL/ TLS certificates . Postgres 15 Alternatively, if Postgres 15 is preferred and selected, the sslmode in the connection strings must be updated from no-verify / disable to require for the services to be able to connect to the database. No other work is required for a test environment. Note: For a fully secured, certificate-based SSL connection, the following steps must be taken in Using SSL with a PostgreSQL DB instance . It will also require updating sslmode to verify-full or verify-ca . For production, it is highly recommended. Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the username for the Postgres database. <PASSWORD> is the password for the Postgres database. <SERVERURL> is the url for the AWS-hosted Postgres database (Ex: database-1.jotd7t2abapq.us-west-2.rds.amazonaws.com ). Create RPS connection string secret. Postgres 14 Postgres 15 kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=no-verify kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=require Create MPS Router connection string secret. Postgres 14 Postgres 15 kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require Create MPS connection string secret. Postgres 14 Postgres 15 kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=no-verify kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=require","title":"4. Database connection strings"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#update-configuration","text":"","title":"Update Configuration"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#edit-valuesyaml","text":"Open the values.yaml file in the ./open-amt-cloud-toolkit/kubernetes/charts/ directory. Remove the annotations section and service.beta.kubernetes.io/azure-dns-label-name key in the kong: section. These are Azure-specific implementations. kong : proxy : annotations : # Delete this line service.beta.kubernetes.io/azure-dns-label-name : \"<your-domain-name>\" # Delete this line Save and close the file.","title":"Edit values.yaml"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#deploy-open-amt-cloud-toolkit-using-helm","text":"Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Thu Jul 15 11:17:38 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None","title":"Deploy Open AMT Cloud Toolkit using Helm"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#initialize-and-unseal-vault","text":"Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Tip - Finding the Vault UI External IP Address The external IP of your Vault UI service can be found by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Leave the default path and choose version 2 from the drop down. Click Enable Engine .","title":"Initialize and Unseal Vault"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#vault-token-secret","text":"Add the root token as a secret to the EKS cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault.","title":"Vault Token Secret"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#update-commonname-in-valuesyml","text":"Get the External-IP for accessing the UI. Note and save the value under 'EXTERNAL-IP'. kubectl get service openamtstack-kong-proxy Update the value for commonName in the mps section in the values.yml file with the External-IP from above. Recall that values.yml is located in ./kubernetes/charts/ . mps : commonName : \"\" # update with External-IP from `kubectl get services` replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Update the stack using helm. helm upgrade openamtstack ./kubernetes/charts","title":"Update commonName in values.yml"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#verify-running-pods","text":"View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-69786bfb47-92mpc 1/1 Running 0 4m5s mpsrouter-9b9bc499b-2tkb2 1/1 Running 0 4m5s openamtstack-kong-68d6c84bcc-fp8dl 2/2 Running 0 4m5s openamtstack-vault-0 1/1 Running 0 4m5s openamtstack-vault-agent-injector-6b564845db-zss78 1/1 Running 0 4m5s rps-79877bf5c5-dsg5p 1/1 Running 0 4m5s webui-6cc48f4d68-6r8b5 1/1 Running 0 4m5s Check that the MPS Certificate is correct in your browser. Go to your FQDN at port 4433. https://<Your-AWS-FQDN>:4433 Verify the MPS Certificate in your browser has the correct Issuer information and is Issued to your FQDN. Troubleshoot - Issued to field showing NaN or blank If your certificate is incorrect, the AMT device will not connect to the MPS server. See Figure 1. Follow the steps below to correct the problem. Example - Incorrect MPS Certificate Figure 1: Incorrect Certificate Open and Login to Vault UI. Go to kv/data/MPSCerts/ directory. Delete the existing MPS Certificate. In a terminal, run the following command. kubectl rollout restart deployment mps A new, correct MPS Cert should be generated. Go back to the webserver in your browser. https://<Your-AWS-FQDN>:4433 Verify the Issued to: field is no longer NaN/blank and now shows the correct FQDN. Continue to Next Steps section.","title":"Verify running pods"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s-eks/#next-steps","text":"Visit the Sample Web UI using the FQDN name and Continue from the Get Started steps .","title":"Next Steps"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/","text":"This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a local Kubernetes single-node cluster. Alternatively, you can also deploy using a managed service through a Cloud Service Provider such as Azure Kubernetes Service ( AKS ). See AKS . Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications. Learn more about Kubernetes here . Prerequisites \u00b6 Docker Desktop with Kubernetes Enabled Important - For Linux If deploying on a Linux machine, Docker Desktop is not available. You must use Docker Engine alongside a local Kubernetes cluster tool such as minikube or kubeadm . kubectl Helm CLI (v3.5+) PostgreSQL Docker Container or Local PostgreSQL server Note - Database Required This guide requires a standalone database for storage. This can be done either as a Docker container or as a local Postgres server on your local IP. For production, a managed database instance, either by a cloud service provider or your enterprise IT, is highly recommended. Optional - How to Set up local PostgreSQL DB using Docker Build and Start \u00b6 Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Copy the .env.template file to .env . Windows (Cmd Prompt) Linux/Powershell copy .env.template .env cp .env.template .env Set the POSTGRES_USER and POSTGRES_PASSWORD to the credentials you want. Build and start the container. docker compose -f \"docker-compose.yml\" up -d db Continue from Create Kubernetes Secrets . Optional (Not Recommended) - How to Set up Local PostgreSQL server on local IP Address Download and Configure \u00b6 Download and Install PostgreSQL . You may have to add .\\bin and .\\lib to your PATH on Windows. Open the pg_hba.conf file under .\\PostgreSQL\\14\\data . Add your device's IP Address under IPv4 local connections . Example - pg_hba.conf File # TYPE DATABASE USER ADDRESS METHOD # \"local\" is for Unix domain socket connections only local all all scram-sha-256 # IPv4 local connections: host all all 127.0.0.1/32 scram-sha-256 host all all <Your-IP-Address>/24 scram-sha-256 # IPv6 local connections: host all all ::1/128 scram-sha-256 # Allow replication connections from localhost, by a user with the # replication privilege. local replication all scram-sha-256 host replication all 127.0.0.1/32 scram-sha-256 host replication all ::1/128 scram-sha-256 Reload the configuration file to use the updated values. psql -U <user> -p 5432 -c \"SELECT pg_reload_conf();\" **From here, use your IP Address as the <SERVERURL>. DO NOT use localhost or 127.0.0.1. ** Get the Toolkit \u00b6 Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Create Kubernetes Secrets \u00b6 1. MPS /KONG JWT \u00b6 This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret. 2. KONG ACL for JWT \u00b6 This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin 3. MPS Web Username and Password \u00b6 This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character 4. Database connection strings \u00b6 Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the username for the Postgres database. <PASSWORD> is the password for the Postgres database. <SERVERURL> is the loction for the Postgres database. Warning - Using an SSL Connection This tutorial uses the connection string setting of 'disable' for ease of setup. For production, it is recommended to use a SSL connection. Create RPS connection string secret. kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=disable Create MPS Router connection string secret. kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable Create MPS connection string secret. kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable Update Configuration \u00b6 Edit values.yaml \u00b6 Open the values.yaml file in ./open-amt-cloud-toolkit/kubernetes/charts/ . Update the commonName key in the mps section with the IP Address of your development device. mps : commonName : \"<your-ip-address>\" replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Save and close the file. Create Databases and Schema \u00b6 Use the database schema files to initialize the hosted Postgres DB in the following steps. Where: <SERVERURL> is the location of the Postgres database. <USERNAME> is the username for the Postgres database. Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb'. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./data/initMPS.sql Deploy Open AMT Cloud Toolkit Using Helm \u00b6 Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Wed Jul 14 12:59:29 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None View the pods. You might notice openamtstack-vault-0 is not ready. This will change after we initialize and unseal Vault. MPS and RPS will both have a status of CreateContainerConfigError until Vault is Ready. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 0/1 CreateContainerConfigError 0 5m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 5m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 5m openamtstack-vault-0 0/1 Running 0 5m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 5m rps-79877bf5c5-hnv8t 0/1 CreateContainerConfigError 0 5m webui-784cd49976-bj7z5 1/1 Running 0 5m Initialize and Unseal Vault \u00b6 Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Connect to the Vault UI using a web browser. http://localhost:8200 Troubleshoot - Vault UI External IP If you cannot connect, verify the External IP Address by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Click Enable Engine . Vault Token Secret \u00b6 Add the root token as a secret to the k8s cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 1/1 Running 0 7m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 7m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 7m openamtstack-vault-0 1/1 Running 0 7m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 7m rps-79877bf5c5-hnv8t 1/1 Running 0 7m webui-784cd49976-bj7z5 1/1 Running 0 7m Next Steps \u00b6 Continue from the Get Started steps","title":"Kubernetes (K8s)"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#prerequisites","text":"Docker Desktop with Kubernetes Enabled Important - For Linux If deploying on a Linux machine, Docker Desktop is not available. You must use Docker Engine alongside a local Kubernetes cluster tool such as minikube or kubeadm . kubectl Helm CLI (v3.5+) PostgreSQL Docker Container or Local PostgreSQL server Note - Database Required This guide requires a standalone database for storage. This can be done either as a Docker container or as a local Postgres server on your local IP. For production, a managed database instance, either by a cloud service provider or your enterprise IT, is highly recommended. Optional - How to Set up local PostgreSQL DB using Docker","title":"Prerequisites"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#build-and-start","text":"Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0 Copy the .env.template file to .env . Windows (Cmd Prompt) Linux/Powershell copy .env.template .env cp .env.template .env Set the POSTGRES_USER and POSTGRES_PASSWORD to the credentials you want. Build and start the container. docker compose -f \"docker-compose.yml\" up -d db Continue from Create Kubernetes Secrets . Optional (Not Recommended) - How to Set up Local PostgreSQL server on local IP Address","title":"Build and Start"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#download-and-configure","text":"Download and Install PostgreSQL . You may have to add .\\bin and .\\lib to your PATH on Windows. Open the pg_hba.conf file under .\\PostgreSQL\\14\\data . Add your device's IP Address under IPv4 local connections . Example - pg_hba.conf File # TYPE DATABASE USER ADDRESS METHOD # \"local\" is for Unix domain socket connections only local all all scram-sha-256 # IPv4 local connections: host all all 127.0.0.1/32 scram-sha-256 host all all <Your-IP-Address>/24 scram-sha-256 # IPv6 local connections: host all all ::1/128 scram-sha-256 # Allow replication connections from localhost, by a user with the # replication privilege. local replication all scram-sha-256 host replication all 127.0.0.1/32 scram-sha-256 host replication all ::1/128 scram-sha-256 Reload the configuration file to use the updated values. psql -U <user> -p 5432 -c \"SELECT pg_reload_conf();\" **From here, use your IP Address as the <SERVERURL>. DO NOT use localhost or 127.0.0.1. **","title":"Download and Configure"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#get-the-toolkit","text":"Clone the Open AMT Cloud Toolkit . git clone https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.14.0","title":"Get the Toolkit"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#create-kubernetes-secrets","text":"","title":"Create Kubernetes Secrets"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#1-mpskong-jwt","text":"This is the secret used for generating and verifying JWTs. kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key=\"admin-issuer\" --from-literal=algorithm=HS256 --from-literal=secret=\"<your-secret>\" Where: <your-secret> is your chosen strong secret.","title":"1. MPS/KONG JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#2-kong-acl-for-jwt","text":"This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin to access endpoints using the JWT retrieved when logging in. kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin","title":"2. KONG ACL for JWT"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#3-mps-web-username-and-password","text":"This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI . kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password> Where: <your-username> is a username of your choice. <your-password> is a strong password of your choice. Important - Using Strong Passwords The password must meet standard, strong password requirements: 8 to 32 characters One uppercase, one lowercase, one numerical digit, one special character","title":"3. MPS Web Username and Password"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#4-database-connection-strings","text":"Configure the database connection strings used by MPS , RPS , and MPS Router. Where: <USERNAME> is the username for the Postgres database. <PASSWORD> is the password for the Postgres database. <SERVERURL> is the loction for the Postgres database. Warning - Using an SSL Connection This tutorial uses the connection string setting of 'disable' for ease of setup. For production, it is recommended to use a SSL connection. Create RPS connection string secret. kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=disable Create MPS Router connection string secret. kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable Create MPS connection string secret. kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable","title":"4. Database connection strings"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#update-configuration","text":"","title":"Update Configuration"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#edit-valuesyaml","text":"Open the values.yaml file in ./open-amt-cloud-toolkit/kubernetes/charts/ . Update the commonName key in the mps section with the IP Address of your development device. mps : commonName : \"<your-ip-address>\" replicaCount : 1 logLevel : \"silly\" jwtExpiration : 1440 Save and close the file.","title":"Edit values.yaml"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#create-databases-and-schema","text":"Use the database schema files to initialize the hosted Postgres DB in the following steps. Where: <SERVERURL> is the location of the Postgres database. <USERNAME> is the username for the Postgres database. Create the RPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -c \"CREATE DATABASE rpsdb\" Create tables for the new 'rpsdb'. psql -h <SERVERURL> -p 5432 -d rpsdb -U <USERNAME> -W -f ./data/init.sql Create the MPS database. psql -h <SERVERURL> -p 5432 -d postgres -U <USERNAME> -W -f ./data/initMPS.sql","title":"Create Databases and Schema"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#deploy-open-amt-cloud-toolkit-using-helm","text":"Deploy using Helm. helm install openamtstack ./kubernetes/charts Success NAME: openamtstack LAST DEPLOYED: Wed Jul 14 12:59:29 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None View the pods. You might notice openamtstack-vault-0 is not ready. This will change after we initialize and unseal Vault. MPS and RPS will both have a status of CreateContainerConfigError until Vault is Ready. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 0/1 CreateContainerConfigError 0 5m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 5m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 5m openamtstack-vault-0 0/1 Running 0 5m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 5m rps-79877bf5c5-hnv8t 0/1 CreateContainerConfigError 0 5m webui-784cd49976-bj7z5 1/1 Running 0 5m","title":"Deploy Open AMT Cloud Toolkit Using Helm"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#initialize-and-unseal-vault","text":"Danger - Download and Save Vault Keys Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost. Connect to the Vault UI using a web browser. http://localhost:8200 Troubleshoot - Vault UI External IP If you cannot connect, verify the External IP Address by running: kubectl get services openamtstack-vault-ui Please refer to HashiCorp documentation on how to Initialize and unseal Vault . Stop and return here after signing in to Vault with the root_token . After initializing and unsealing the vault, you need to enable the Key Value engine. Click Enable New Engine + . Choose KV . Click Next . Click Enable Engine .","title":"Initialize and Unseal Vault"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#vault-token-secret","text":"Add the root token as a secret to the k8s cluster so that the services can access Vault. kubectl create secret generic vault --from-literal=vaultKey=<your-root-token> Where: <your-root-token> is your root_token generated by Vault. View the pods. All pods should now be Ready and Running. kubectl get pods Success NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 1/1 Running 0 7m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 7m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 7m openamtstack-vault-0 1/1 Running 0 7m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 7m rps-79877bf5c5-hnv8t 1/1 Running 0 7m webui-784cd49976-bj7z5 1/1 Running 0 7m","title":"Vault Token Secret"},{"location":"Tutorials/Scaling/Kubernetes/deployingk8s/#next-steps","text":"Continue from the Get Started steps","title":"Next Steps"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/","text":"Enabling KUMA Service Mesh (Optional) \u00b6 For enhancing security in the Kubernetes deployment, use KUMA Service Mesh to enable mTLS between services. To learn more about KUMA visit their documentation . Install KUMA w/ Helm \u00b6 Follow the instructions for installing KUMA with helm . Create Service Mesh \u00b6 After KUMA is installed, next create a service mesh with mTLS enabled: echo \"apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: name: open-amt-cloud-toolkit-mesh spec: mtls: enabledBackend: open-amt-cloud-toolkit-cert backends: - name: open-amt-cloud-toolkit-cert type: builtin enabled: true\" | kubectl apply -f - Turn On Sidecar Injection \u00b6 After the mesh is created, turn on sidecar-injection for the open-amt-cloud-toolkit services with: echo \"apiVersion: v1 kind: Namespace metadata: name: default namespace: default annotations: kuma.io/sidecar-injection: enabled kuma.io/mesh: open-amt-cloud-toolkit-mesh\" | kubectl apply -f - Delete all pods to ensure updated annotations from previous command take effect: kubectl delete pod --all -n default Configure Traffic Permissions \u00b6 Finally, we need to allow traffic between services: echo \"apiVersion: kuma.io/v1alpha1 kind: TrafficPermission mesh: open-amt-cloud-toolkit-mesh metadata: namespace: default name: allow-all-open-amt-cloud-toolkit-mesh spec: sources: - match: kuma.io/service: '*' destinations: - match: kuma.io/service: '*'\" | kubectl apply -f - After applying traffic permissions, you should now be able to use the Open AMT Cloud Toolkit and continue logging into the web portal following the setup instructions in the Getting Started section .","title":"KUMA Service Mesh"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#enabling-kuma-service-mesh-optional","text":"For enhancing security in the Kubernetes deployment, use KUMA Service Mesh to enable mTLS between services. To learn more about KUMA visit their documentation .","title":"Enabling KUMA Service Mesh (Optional)"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#install-kuma-w-helm","text":"Follow the instructions for installing KUMA with helm .","title":"Install KUMA w/ Helm"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#create-service-mesh","text":"After KUMA is installed, next create a service mesh with mTLS enabled: echo \"apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: name: open-amt-cloud-toolkit-mesh spec: mtls: enabledBackend: open-amt-cloud-toolkit-cert backends: - name: open-amt-cloud-toolkit-cert type: builtin enabled: true\" | kubectl apply -f -","title":"Create Service Mesh"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#turn-on-sidecar-injection","text":"After the mesh is created, turn on sidecar-injection for the open-amt-cloud-toolkit services with: echo \"apiVersion: v1 kind: Namespace metadata: name: default namespace: default annotations: kuma.io/sidecar-injection: enabled kuma.io/mesh: open-amt-cloud-toolkit-mesh\" | kubectl apply -f - Delete all pods to ensure updated annotations from previous command take effect: kubectl delete pod --all -n default","title":"Turn On Sidecar Injection"},{"location":"Tutorials/Scaling/Kubernetes/service-mesh/#configure-traffic-permissions","text":"Finally, we need to allow traffic between services: echo \"apiVersion: kuma.io/v1alpha1 kind: TrafficPermission mesh: open-amt-cloud-toolkit-mesh metadata: namespace: default name: allow-all-open-amt-cloud-toolkit-mesh spec: sources: - match: kuma.io/service: '*' destinations: - match: kuma.io/service: '*'\" | kubectl apply -f - After applying traffic permissions, you should now be able to use the Open AMT Cloud Toolkit and continue logging into the web portal following the setup instructions in the Getting Started section .","title":"Configure Traffic Permissions"}]}
\ No newline at end of file
diff --git a/2.15/sitemap.xml b/2.15/sitemap.xml
index 792a1b2dd..b289c1a40 100644
--- a/2.15/sitemap.xml
+++ b/2.15/sitemap.xml
@@ -2,312 +2,312 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Glossary/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/announcements/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/license/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/release-notes/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/videos/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/APIs/indexMPS/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/APIs/indexRPS/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Deployment/centralizedConfiguration/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Deployment/database/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Deployment/overview/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Deployment/secrets/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Deployment/upgradeVersion/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/GetStarted/buildRPC/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/GetStarted/createCIRAConfig/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/GetStarted/createProfileACM/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/GetStarted/createProfileCCM/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/GetStarted/loginToUI/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/GetStarted/manageDevice/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/GetStarted/prerequisites/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/GetStarted/setup/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/architectureOverview/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/guids/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/logging/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/middlewareExtensibility/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/powerstates/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/productionVault/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/sslpostgresLocal/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/troubleshooting/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/Certificates/generateProvisioningCert/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/Certificates/remoteProvisioning/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/Certificates/tls/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/EA/ieee8021xconfig/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/EA/overview/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/MEBX/dnsSuffix/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/MEBX/unprovision/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/MPS/configuration/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/MPS/securityMPS/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/MQTT/customMqttEvents/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/MQTT/viewMqttEvents/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/RPC/buildRPC_Manual/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/RPC/commandsRPC/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/RPC/libraryRPC/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/RPS/configuration/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/RPS/createProfileTLSConfig/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/RPS/securityRPS/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/UIToolkit/localization/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/UIToolkit/webpackConfig/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/UIToolkit/Bundles/kvmReact/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/UIToolkit/Bundles/serialOverLANReact/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/UIToolkit/Controls/kvmControl/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Reference/UIToolkit/Controls/serialOverLANControl/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/apiTutorial/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/createWiFiConfig/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/modifyUserAuth/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/uitoolkitReact/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/Scaling/docker-swarm/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/Scaling/overview/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/Scaling/Kubernetes/deployingk8s-aks/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/Scaling/Kubernetes/deployingk8s-eks/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/Scaling/Kubernetes/deployingk8s/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://open-amt-cloud-toolkit.github.io/docs/Tutorials/Scaling/Kubernetes/service-mesh/</loc>
-         <lastmod>2023-09-21</lastmod>
+         <lastmod>2023-09-25</lastmod>
          <changefreq>daily</changefreq>
     </url>
 </urlset>
\ No newline at end of file
diff --git a/2.15/sitemap.xml.gz b/2.15/sitemap.xml.gz
index 370b5102dfa29604bf2cd25e727c5db5f5b57a73..44989834f2fafe27e98d6601e975e1a5654468fb 100644
GIT binary patch
literal 870
zcmV-s1DX6EiwFoOwGm|k|8r?{Wo=<_E_iKh0Nt8hj~X`=hVSz$R@@IJ8%5ewED<4_
zXw{{qz^1*6jC~j^JU$bjV?O%pYr}4V_Oeo?!`#e_<uUK$vCr4g|F~=X%?2Vl4ELS4
z-CpMgf<fy-ecySWf2r;|9|v#xDS86F$(;k;cUH{pPfBgK+b%hVMz_?(SSvECd_(G`
zQT4hXI)gVi`6vS%uMS7wqZyP@C=Y`zgi1GD8IQ?UjOf>nyS3w0T67&Mi-uHRm1oX}
z(8LYe!ENvMUDf+g-M-IVUfRyOnUxMTEF=6FSnd42ug+SI+SK3T{=3Yt9*K0^OVO)C
zz!VHL5LnD4duJdJNRb=CgC?i~GKiVujkADa)D9<)q+GDD8&78PL{H_2{tT_heK8j*
zZ$ggRyFbB>Ff3i2qUP*J1fp2YdZFc*lr!m=z4yk!R-kkO6G4vKIa8k6I%*5wj)9Yy
z-~@QaIx<+bNY2~oWF$~}UNf3u^f(<Jt&UiPNyMe|FdU7gBaB2Mc&uHR<MX3H?Trq)
zhR?9cp|C*tZG`+A$(2lz1nSSpaB8LKp29NEc24q?j%Jl-+;EEUtFXA?L{TSaNuKO%
zZnC|p<q2<`wH~%Q!o!Yp;_VjBJKoC!X>pqaHr9e{&YAd#Hkp!NebdRaJOCo!B5@so
zp3rD7kANelg$G(8vdEo0g2-;^%wY%A5Fj37xQ#1mOhzglgkwc$@DfTm5PN~v>S3rH
z0NnL%-|md4H0^=`#Rf^^hfjYf8)%l6OScoMKZW*n9}6Uy%#@K>7rjIvFe&D6Pf%g~
z4B)r<T$x0S&G-lN!$#6)u76+@J0uyRR2yH*j^D>RB#9wlfiT!KI#?1^KD`9+ZV`3d
z3)L^)svZ!|%ct|F*+^)NG(GbWQ;8np`Eh>iQiPX}nL-!UiDL_kR-3id6?Fpnl!DFK
zwpwqRDQLsjz(Nq6_NDgvH2g(8RbFEp(H~yX%k@>@T)ZV=VDrRS)RWS!d%ck-{^%fo
zcVC<=Lv|v_I^1&qoY&GY@k*Zl<X*anGE*o0v*OM}U7FVrE86PV$fb~0iTXFe&uIZM
wKq+b3!#`<q<NA&&y{7Aff-8i&3Lq-m$UxNq{SP+za3bKrUm6i`ZfP$704zVVQ~&?~

literal 870
zcmV-s1DX6EiwFqOm<(kC|8r?{Wo=<_E_iKh0Nt8Rk0Lh^hVT0;M%)`Slgn(xuwvQS
zXp|u#!0hH08M|mK+^$|%nUDSTv0)}a_82Kr(U<PF+~$4Uc6~Md54*<SY#@@u@X)#K
z_BuBZ3|bfJhtA9Vb9LYOFnHHb(G&1Z?i}c$vtn+4R%*N5cF8d`x}`40T9H}h8&a>0
zs@Hwr8N9p6M;YLFbvXJS&7h1zc^GUVRJ!5HcuclpM89_2tsSq@qU%suG^F~fJaayT
zCT`FU?s|7WRlWDs-EHpj+IH5>taPYh8R6T&YUlTTb=Gp!rv4H4-(~*dkx0kA6umkG
zOu;|{fyGR+cLoB16uA*RXo4yrgP1wqI14C7?Qrr$$^{F%@nj}X^i+=MPtbbY7jvQV
zCgiBS`wn)5Vd?4=HD^B}5XEZN3oXZ_oJq&*y*CcF0;Lm}2y)!cnex=uQCs+O44lLS
zC%`k-k-@4(a^6lSBZ1QMn$ZlSr|Ix$b;Ke}A}*bW;b<%!VI&g4W9`BmU!DYNZ*<T#
ze1c65g$2rQBjn#mu4IZNP=8K_Q!7RH6qb3mbCRcYG^;%0hEs&!g~bggiaI$<@?>Xo
zlkH6{Pk7_3^{~|u9(SA*Z?|yX@m?NCi`yKqu@+==&csKw$&~!+i%y>90TB5XiR%dT
zj7EET1ROCfJkSb}MegJgM0QJO4m+TR0Pz^ZZCpuXGE(Uv94kVDmr%li*bB5)k3;1E
z;J$ZvyECHFv<n6l8zhY%KmMs~pjlcj-A<_f6xz3aERbL_Q$}K4^b&!<q?p4!L51}*
zfIsGQWfCzq<8RE58%dwJ{)JKOkYtEbZG0;`{x#MiNelrCgu$lK!IGfz=_P=7i>TvX
zsDANQ^?-0*KAk_$MnYqx>6wR^O7svfPxE7!BD{Re6uPKR99vkl+N`Cns1wM?6l~76
z)q2xRK^wjX7J}%sFSXa_;cw!p@*3la{_u)kudf2<;w=dSn<vJio|JCg+l@T&M+f=U
zeRi@8*@+<QaLfHmUQ5HoD|z~pd+j31Or7-4iaQT=X<kFDXscr*mqJ=4>PLcK(*k0E
wQqr`Cf70Z}^*vR3P1gqnR|s_#KvcGofvN%eA8hjBM8Jc;0i(#<muW8m0IW{5W&i*H