This facilitates the bootstrap of an OpenAMT Cloud Toolkit sandbox by creating a private AMT provisioning certificate and an AMT configuration file.

This creates:

- A private AMT CA for the `amt.test` AMT domain.
- The AMT domain provisioning certificate (signed by that CA).
- The `Setup.bin` AMT configuration file.
- The `Setup.bin.img` USB key disk image with the AMT configuration file.
Install openssl.

Install docker and docker compose.

Configure your network to resolve the `mps.amt.test` domain to your local machine IP address. Both your workstation and the AMT devices must resolve it: the rpc tool and the AMT firmware (CIRA) connect to that name.

Clone the open-amt-cloud-toolkit repository.

Copy the `.env.template` file to the `.env` file.

Open the `.env` file and set/modify the following variables. The values below are sandbox examples only; use your own secrets if the stack is reachable from anything other than your lab network:

```ini
MPS_COMMON_NAME=mps.amt.test
MPS_WEB_ADMIN_USER=standalone
MPS_WEB_ADMIN_PASSWORD=G@ppm0ym
MPS_JWT_SECRET=Yq3t6w9z6CbE3HRMcQfTjWnZr4u7x6AJ
POSTGRES_PASSWORD=postgresadmin
VAULT_TOKEN=root
```

For more information see https://open-amt-cloud-toolkit.github.io/docs/2.17/Reference/architectureOverview/#passwords.
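The `.env` step above uses fixed sample secrets. The script below is an added example (it is not part of the toolkit) that randomises those secrets and refuses to proceed while a known sample value is still in the file. It assumes the variable names listed above and that `docker-compose.yml` takes the Vault dev root token from `VAULT_TOKEN` (so changing it in `.env` stays consistent); the `sample_env` file it operates on when given no argument is a constructed stand-in for `.env.template`, not the real template.

```bash
#!/usr/bin/env bash
# Added example, not part of the toolkit: replace the sandbox .env secrets with
# random values and refuse to continue while a known sample/default value is
# still present. The variable names are the ones set in the step above.
# Assumption: docker-compose.yml passes VAULT_TOKEN to the Vault dev server as
# its root token, so randomising it here keeps RPS and Vault consistent.
set -eu

# gen_secret [LEN]: LEN (default 32) characters from [A-Za-z0-9]; no shell or
# URL special characters, so the value needs no quoting in .env.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# set_env_var FILE KEY VALUE: replace the KEY= line in FILE, or append it.
set_env_var() {
  local file="$1" key="$2" value="$3"
  if grep -q "^${key}=" "$file"; then
    awk -v k="$key" -v v="$value" -F= '$1 == k { print k "=" v; next } { print }' \
      "$file" >"$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >>"$file"
  fi
}

# weak_defaults FILE: list variables still carrying the sample values from this
# README; returns 1 if any are found, 0 otherwise.
weak_defaults() {
  local file="$1" pair found=0
  for pair in MPS_WEB_ADMIN_PASSWORD=G@ppm0ym \
              MPS_JWT_SECRET=Yq3t6w9z6CbE3HRMcQfTjWnZr4u7x6AJ \
              POSTGRES_PASSWORD=postgresadmin \
              VAULT_TOKEN=root; do
    if grep -qxF "$pair" "$file"; then
      echo "weak default still set: ${pair%%=*}"
      found=1
    fi
  done
  return "$found"
}

# harden_env FILE: pin the non-secret settings, randomise the secrets, re-check.
harden_env() {
  local file="$1" key
  set_env_var "$file" MPS_COMMON_NAME mps.amt.test
  set_env_var "$file" MPS_WEB_ADMIN_USER standalone
  for key in MPS_WEB_ADMIN_PASSWORD MPS_JWT_SECRET POSTGRES_PASSWORD VAULT_TOKEN; do
    set_env_var "$file" "$key" "$(gen_secret 32)"
  done
  weak_defaults "$file"
}

# sample_env: constructed stand-in for .env.template carrying the README's
# sample values (not the real template file).
sample_env() {
  cat <<'EOF'
MPS_COMMON_NAME=mps.amt.test
MPS_WEB_ADMIN_USER=standalone
MPS_WEB_ADMIN_PASSWORD=G@ppm0ym
MPS_JWT_SECRET=Yq3t6w9z6CbE3HRMcQfTjWnZr4u7x6AJ
POSTGRES_PASSWORD=postgresadmin
VAULT_TOKEN=root
EOF
}

target="${1:-}"
if [ -z "$target" ]; then   # no .env path given: demonstrate on the constructed sample
  target="$(mktemp)"
  sample_env >"$target"
fi
harden_env "$target"
echo "secrets randomised in $target"
```

Run it as `./harden-env.sh .env` before `docker compose up`. Afterwards read `MPS_WEB_ADMIN_PASSWORD` from `.env` to log in to the UI; if you change `POSTGRES_PASSWORD` after the database volume already exists, recreate that volume or the database will keep the old password.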
Start OpenAMT in the foreground:

```bash
docker compose up
```

Create the AMT CA, the AMT provisioning certificate, and the `Setup.bin` AMT configuration file:

```bash
./create-provisioning-certificate.sh
```

NB View/change the passwords at the top of the `create-provisioning-certificate.sh` file before running it; they end up in the generated artifacts.

Create the new `amt.test` OpenAMT Domain and import the `amt-ca/amt.test.pfx` file.

Burn the `amt-ca/Setup.bin.img` disk image onto a USB key, or copy the `amt-ca/Setup.bin` file to the root directory of an empty FAT32 USB key.
At each AMT device:

- Plug in the USB key, (re)boot the device, then let AMT be configured from the USB key.
- If you end up at the OS, you can force a reboot into the firmware setup with:
  - Linux OS:
    ```bash
    sudo systemctl reboot --firmware-setup
    ```
  - Windows OS:
    ```
    shutdown /r /fw
    ```
- At the device OS, using the rpc tool, activate AMT with:
  ```bash
  sudo ./rpc activate -u wss://mps.amt.test/activate -n -v -profile acm
  ```
  - NB The `-n` flag will blindly trust the `mps.amt.test` certificate, i.e. it skips TLS verification of the MPS endpoint. Only use it on a network you control: with it, anything that can answer for `mps.amt.test` can drive the activation.
- At the device OS, using the rpc tool, verify the AMT state and certificates (the password is the AMT admin password configured for the device):
  ```bash
  sudo ./rpc amtinfo -password 'HeyH0Password!' -cert
  ```
- To immediately trigger the AMT CIRA connection to the OpenAMT MPS:
  - Unplug the network cable.
  - Wait a couple of minutes.
  - Plug the network cable back in.
At the OpenAMT UI:

- Wait until the device appears as connected.
- Try to access the device (e.g. start a KVM session).
- The AMT domain can be anything, as long as you use it as the AMT device PKI DNS Suffix. It will not be used in any actual endpoint or request. The associated certificate and PFX are only used once, at AMT device activation time.
- But to keep things simpler to reason about, it should be the same domain (or a suffix of it) that is returned by the DHCP server (DHCP Option 15) in the AMT device LAN.
- If it is signed by a private CA, as we do here, the hash of that private CA certificate must be manually added to the AMT device. That is what the `Setup.bin` file copied to the USB key carries when it is used to manually configure AMT at the device.
- This is not related to the MPS domain or certificate. Therefore, it does not matter which CA signs the MPS certificate. In the case of OpenAMT, it is signed by an OpenAMT-created private CA (the MPSRoot CA). That CA is injected into the AMT device at activation time (by the rpc tool).
- When the rpc tool is activating the AMT device, the AMT device will challenge it to sign a message with this AMT domain private key. The key lives in the PFX imported into the OpenAMT Domain, which is why that import must happen before activation.
- For more details, see: https://open-amt-cloud-toolkit.github.io/docs/2.17/Reference/Certificates/generateProvisioningCert/.
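The private CA, domain provisioning certificate and CA hash that the notes above describe (and that `create-provisioning-certificate.sh` produces in the setup steps) can be built by hand with openssl. The script below is an added example, not the repository's script: it builds the CA and an `amt.test` provisioning certificate, exports the PFX for the OpenAMT Domain, prints the CA certificate SHA-256 hash the AMT firmware must trust, and checks the properties AMT relies on (chain to the CA, CN equal to the domain, Intel setup EKU present, key matching the certificate). The `AMT_DOMAIN`, `PFX_PASSWORD` and `OUT` variables and all function names are this example's own; the EKU OID `2.16.840.1.113741.1.2.3` and the `Intel(R) Client Setup Certificate` OU are the Intel AMT provisioning-certificate markers, of which AMT requires at least one. It needs openssl 1.1.1 or newer.

```bash
#!/usr/bin/env bash
# Added example (not the repository's create-provisioning-certificate.sh):
# build a private AMT CA and an AMT domain provisioning certificate for a DNS
# suffix, export it as a PFX for the OpenAMT Domain, and print the CA
# certificate SHA-256 hash that the AMT firmware must trust (the value that
# Setup.bin carries to the device). Requires openssl 1.1.1+.
set -eu

AMT_DOMAIN="${AMT_DOMAIN:-amt.test}"            # must equal the AMT PKI DNS Suffix
PFX_PASSWORD="${PFX_PASSWORD:-ChangeMe-Pfx1!}"  # demo value; asked for at Domain import
AMT_SETUP_EKU_OID="2.16.840.1.113741.1.2.3"     # Intel(R) Client Setup Certificate EKU

# write_cnf FILE CN [OU]: self-contained openssl config so nothing here depends
# on the system openssl.cnf. ca_ext is used for the CA, leaf_ext for the leaf.
write_cnf() {
  cat >"$1" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
${3:+OU = $3}
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,$AMT_SETUP_EKU_OID
subjectAltName = DNS:$2
EOF
}

# make_amt_ca DIR DOMAIN: self-signed RSA-2048 CA -> DIR/ca.key, DIR/ca.crt
make_amt_ca() {
  local dir="$1" dom="$2"
  write_cnf "$dir/ca.cnf" "$dom AMT Provisioning CA"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$dir/ca.key" \
    -config "$dir/ca.cnf" -extensions ca_ext -out "$dir/ca.crt"
}

# make_provisioning_cert DIR DOMAIN: leaf whose CN is the domain, carrying the
# Intel setup OU and EKU, signed by the CA, bundled with key + chain as a PFX.
make_provisioning_cert() {
  local dir="$1" dom="$2"
  write_cnf "$dir/$dom.cnf" "$dom" "Intel(R) Client Setup Certificate"
  openssl genrsa -out "$dir/$dom.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/$dom.key" -config "$dir/$dom.cnf" -out "$dir/$dom.csr"
  openssl x509 -req -sha256 -days 1095 -in "$dir/$dom.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$dom.cnf" -extensions leaf_ext -out "$dir/$dom.crt"
  openssl pkcs12 -export -inkey "$dir/$dom.key" -in "$dir/$dom.crt" \
    -certfile "$dir/ca.crt" -name "$dom" -passout "pass:$PFX_PASSWORD" \
    -out "$dir/$dom.pfx"
}

# ca_cert_sha256 CERT: SHA-256 of the DER certificate as 64 uppercase hex digits,
# the form of a custom root hash entered into AMT (MEBx or Setup.bin).
ca_cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}

# check_provisioning_cert DIR DOMAIN: what AMT effectively requires of the cert.
check_provisioning_cert() {
  local dir="$1" dom="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$dom.crt" >/dev/null || return 1   # chains to CA
  openssl x509 -in "$dir/$dom.crt" -noout -subject | grep -q "CN *= *$dom" || return 1
  openssl x509 -in "$dir/$dom.crt" -noout -text | grep -q "$AMT_SETUP_EKU_OID" || return 1
  [ "$(openssl x509 -in "$dir/$dom.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$dir/$dom.key" -noout -modulus 2>/dev/null)" ] || return 1
}

OUT="${OUT:-$(mktemp -d)}"
make_amt_ca "$OUT" "$AMT_DOMAIN"
make_provisioning_cert "$OUT" "$AMT_DOMAIN"
check_provisioning_cert "$OUT" "$AMT_DOMAIN"
echo "PFX for the OpenAMT Domain : $OUT/$AMT_DOMAIN.pfx"
echo "CA hash to trust on devices: $(ca_cert_sha256 "$OUT/ca.crt")"
```

Import the printed PFX (with `PFX_PASSWORD`) into the `amt.test` OpenAMT Domain, and get the printed CA hash onto each device either through `Setup.bin` or by entering it under the PKI DNS Suffix settings in MEBx. Keep `ca.key` off the network: whoever holds it can mint a provisioning certificate that every device trusting this hash will accept. With OpenSSL 3, if the Domain import rejects the PFX, re-export it with `openssl pkcs12 -export -legacy ...`, which writes the older PBE algorithms some importers still expect.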