rgl/amt-setupbin

Create an Intel AMT configuration Setup.bin file and Setup.bin.img disk image.

This facilitates the bootstrap of an OpenAMT Cloud Toolkit sandbox by creating a private AMT provisioning certificate and an AMT configuration file.

This creates:

  • A private AMT CA for the amt.test AMT domain.
  • The AMT domain provisioning certificate.
  • The Setup.bin AMT configuration file.
  • The Setup.bin.img USB key disk image with the AMT configuration file.

Usage

Install openssl.

Install docker and docker compose.

Configure your network to resolve the mps.amt.test domain to your local machine IP address.

Clone the open-amt-cloud-toolkit repository.

Copy the .env.template file to the .env file.

Open the .env file and set/modify the following variables:

MPS_COMMON_NAME=mps.amt.test
MPS_WEB_ADMIN_USER=standalone
MPS_WEB_ADMIN_PASSWORD=G@ppm0ym
MPS_JWT_SECRET=Yq3t6w9z6CbE3HRMcQfTjWnZr4u7x6AJ
POSTGRES_PASSWORD=postgresadmin
VAULT_TOKEN=root

For more information see https://open-amt-cloud-toolkit.github.io/docs/2.17/Reference/architectureOverview/#passwords.

Start OpenAMT in foreground:

docker compose up

Create the AMT CA, the AMT provisioning certificate, and the Setup.bin AMT configuration file:

./create-provisioning-certificate.sh

NB View/Change the passwords at the top of the create-provisioning-certificate.sh file.

Create the new amt.test OpenAMT Domain and import the amt-ca/amt.test.pfx file.

Burn the amt-ca/Setup.bin.img disk image onto a USB key, or copy the amt-ca/Setup.bin file to the root directory of an empty FAT32 USB key.

At each AMT device:

  1. Plug in the USB key, (re)boot the device, then let AMT be configured from the USB key.
    • If you end up in the OS, you can force a reboot into the firmware setup with:
      • Linux OS: sudo systemctl reboot --firmware-setup
      • Windows OS: shutdown /r /fw
  2. At the device OS, using the rpc tool, activate AMT with:
    • sudo ./rpc activate -u wss://mps.amt.test/activate -n -v -profile acm
    • NB The -n flag will blindly trust the mps.amt.test certificate.
  3. At the device OS, using the rpc tool, verify the AMT state and certificates:
    • sudo ./rpc amtinfo -password 'HeyH0Password!' -cert
  4. To immediately trigger the AMT CIRA connection to the OpenAMT MPS:
    1. Unplug the network cable.
    2. Wait a couple of minutes.
    3. Plug the network cable back in.

At the OpenAMT UI:

  1. Wait until the device appears as connected.
  2. Try to access the device (e.g. start a KVM session).

Notes

  • The AMT domain can be anything, as long as you use it as the AMT device PKI DNS Suffix. It will not be used in any actual endpoint or request. The associated certificate and pfx will only be used once, at AMT device activation time.
  • But to keep things simpler to reason about, it should be the same domain (or a suffix of it) that is returned by the DHCP server (DHCP Option 15) in the AMT device LAN.
  • If the provisioning certificate is signed by a private CA, as is done here, that private CA certificate hash must be manually added to the AMT device, which is what the Setup.bin file copied to the USB key does when it is used to manually configure AMT at the AMT device.
  • This is not related to the MPS domain or certificate. Therefore, it does not matter which CA signs the MPS certificate. In the case of OpenAMT, it is signed by an OpenAMT-created private CA (the MPSRoot CA). That CA is injected into the AMT device at its activation time (by the rpc tool).
  • When the rpc tool is activating the AMT device, the AMT device will challenge the rpc tool to sign a message with this AMT domain private key.
  • For more details, see: https://open-amt-cloud-toolkit.github.io/docs/2.17/Reference/Certificates/generateProvisioningCert/.

Reference
