Intel Trusted Execution Technology Asset Tag Provisioning Guide


May 2015 Revision 1.0

Revision History

  Revision   Date       Comments
  1.0        May 2015   Initial Release (Intel Public).

Contents

1.0 Introduction
  1.1 Required Files
    1.1.1 Prerequisites
  1.2 Asset Tag Provisioning Workflow
  1.3 Example Deployment Topology
  1.4 Asset Tag Solution Components
    1.4.1 Asset Tag Management Service
    1.4.2 Asset Tag Management User Interface (UI)
    1.4.3 Asset Tag Provisioning Agent
    1.4.4 Asset Tag Provisioning Image
    1.4.5 Intel Cloud Integrity Technology Trust Attestation Server
  1.5 Asset Tag Provisioning Modes
  1.6 Asset Tag Provisioning Architecture
2.0 Creating Tags and Selections
  2.1 Creating Tags
  2.2 Creating Selections
3.0 Asset Tag Provisioning
  3.1 Push Provisioning Method (Manual Certificate Creation)
  3.2 Push Provisioning Method (Automated)
  3.3 Pull Provisioning Method
    3.3.1 PXE Image Configuration
    3.3.2 Asset Tag Provisioning Agent Script (PXE)
4.0 Tag Visibility and Attestation
5.0 Creating an XML for Certificate Provisioning
6.0 XML Operational Logic and Security
7.0 Encrypting XML
  7.1 Pre-provisioning Setup
  7.2 Encrypting the Selection XML File
    7.2.1 Decrypting and Verifying the Selection XML File
    7.2.2 Provisioning Usage
    7.2.3 Provisioning Using an XML
8.0 Asset Tag Configuration Variables
9.0 PXE Server Setup Guidelines


1.0 Introduction

The Asset Tag Management service leverages Intel TXT-enabled processors to securely write administrator-defined descriptors to hardware. These values can be made visible in the datacenter by using the Intel Cloud Integrity Technology trust attestation server, and can then be used to provide workload verification, remediation, reporting, and compliance in both public and private cloud environments.

This document details the requirements, components, and procedures for deploying asset tags. It is targeted toward systems engineers who are proficient with Linux* administration, Preboot Execution Environment (PXE) and related technologies, and the Citrix* Xen and/or VMware* ESXi hypervisors.

For additional information on configuring and managing Intel Cloud Integrity Technology, including the asset tag service, refer to the Intel Cloud Integrity Technology Product Guide. For additional details on the APIs introduced or modified to support asset tagging, refer to the asset tag Javadoc.

1.1 Required Files

The following files and documents are included on the FTP site for provisioning asset tags.

  Directory: Documentation
    Intel Trusted Execution Technology Asset Tag Provisioning Guide.pdf   This document.
    Javadoc.zip                                                            Asset Tag API documentation.

  Directory: Installer and files
    tpa.sh                          Asset Tag Provisioning Agent script. Required for pull provisioning only.
    assettag.iso                    Bootable ISO image containing the Tag Provisioning Agent script and all prerequisites.

  Directory: Citrix XenServer* Supplemental Pack
    xenserver-measured-boot.iso     XenServer supplemental pack with support for asset tag. Only use if managing XenServer nodes.

1.1.1 Prerequisites

  - An instance of the Intel Cloud Integrity Technology trust attestation service with asset tag enabled
  - One or more hosts with Intel TXT-enabled processors and active Trusted Platform Modules (TPMs)

1.2 Asset Tag Provisioning Workflow

[Figure: Asset Tag Provisioning Workflow]

1.3 Example Deployment Topology

[Figure: Example Deployment Topology]

Note: This topology is used to provide hosts/nodes with asset tags using push or pull (PXE/NFS) mode. See Section 1.5 and Section 3.0 for the push and pull modes.

1.4 Asset Tag Solution Components

The asset tag solution consists of several interacting components. This section details those components and their functions.

1.4.1 Asset Tag Management Service

This is the underlying service that performs the primary asset tag functionality. It hosts the APIs that create asset tags and selections, and it generates asset certificates. The asset tag management service uses its own independent database, but can be integrated with Intel Cloud Integrity Technology to provide visibility and management functionality for the tags provisioned to hosts.

1.4.2 Asset Tag Management User Interface (UI)

The asset tag management UI is a web portal that provides an easy web interface to the asset tag management service.

1.4.3 Asset Tag Provisioning Agent

The provisioning agent is an application that runs on a host and provisions tags to the host's TPM. Currently, only Citrix XenServer with the measured boot supplemental pack installed, and Kernel-based Virtual Machine (KVM) hosts with the trust agent installed, have a provisioning agent included. The agent communicates with the asset tag management service to request or receive asset certificate information for provisioning.

1.4.4 Asset Tag Provisioning Image

The provisioning image is a PXE-bootable Operating System (OS) with the provisioning agent included. This enables hosts that have no provisioning agent of their own (for example, ESXi hosts) to be provisioned with asset tags. This image is used for the pull method of provisioning.

1.4.5 Intel Cloud Integrity Technology Trust Attestation Server

The Intel Cloud Integrity Technology trust attestation server integrates with the asset tag management service and receives a copy of the asset certificates that are provisioned to hosts, together with their corresponding Universally Unique Identifiers (UUIDs). The asset certificates are mapped to their corresponding hosts when the hosts are registered in Intel Cloud Integrity Technology. After provisioning and registration, Intel Cloud Integrity Technology provides visibility for the tags that have been provisioned to hosts, as well as attestation of the validity of the asset certificates.

1.5 Asset Tag Provisioning Modes

Asset tags can be provisioned to assets either by pushing the asset certificate from the asset tag management service to the asset, or by pulling an asset certificate to an asset by running a provisioning script on the host. Currently, ESXi hosts can only be provisioned using pull mode, while Citrix Xen hosts and trust agent hosts can be provisioned using either push or pull. Detailed steps for each method are provided in Section 3.0.

1.6 Asset Tag Provisioning Architecture

The following figure details the asset tag provisioning architecture.

[Figure: Asset Tag Provisioning Architecture]

Note: Tag certificates are imported into the Intel Cloud Integrity Technology trust attestation server. They are not mapped to a host until the host is registered with the Intel Cloud Integrity Technology trust attestation server.

2.0 Creating Tags and Selections

Tags and selections represent the core function of the asset tag service. A tag is an arbitrary classification name with one or more potential values. For example, a tag named State might have values like California or New York, and a tag named Department might have values like Accounting, Sales, etc. A selection is a set of one or more tag name/value pairs that are provisioned to an asset. For example, a server might be tagged with a selection like State: California; Department: Accounting.

2.1 Creating Tags

Creating a tag involves creating a name for the tag and its potential values.

1. From the Intel Cloud Integrity Technology portal, browse to Asset Tag Management > Tag Creation.
2. Enter a name for the new tag in the Tag name field.
3. Enter a value for the tag in the Tag values field and click Add.
4. Repeat step 3 to add any additional potential values for the new tag.
5. When all desired potential values for the tag have been created, click Save to save the tag.

After tags have been created, they can be searched using the Search Tags function. To list all tags and their potential values, leave all of the fields blank and click Search.

2.2 Creating Selections

Creating a tag selection consists of naming the selection, and adding a set of one or more tags with appropriate values as name/value pairs.

1. From the Intel Cloud Integrity Technology portal, browse to Asset Tag Management > Tag Selection.
2. Enter a name for your selection in the Name field.
3. If desired, add a description for the new selection in the Description field (optional).
4. To add tags to the selection, select a tag from the Tags drop-down box on the left, select a value for the tag from the drop-down box on the right, and click Add.
5. Repeat step 4 until all desired tags have been added to the selection.
6. Click Save to save the selection.

After selections have been created, they can be searched using the Search Selections function. To list all selections, leave all of the fields blank and click Search.

3.0 Asset Tag Provisioning

There are two methods supported for provisioning asset tags to assets. The push method involves creating an asset certificate using the asset's UUID and a tag selection, and pushing the certificate from the asset tag service to the asset. The pull method involves booting the asset itself to a provisioning image, which requests a new asset certificate from the asset tag service using a given selection.

Note: Currently the push method is only supported for Citrix XenServer with the XenServer Measured Boot supplemental pack installed, and for trust agent hosts. The pull method is supported for Citrix Xen, VMware ESXi, and KVM.

3.1 Push Provisioning Method (Manual Certificate Creation)

The push method for asset tag provisioning is initiated by the asset tag management service. The administrator creates a new asset certificate and provisions the certificate to a provisioning agent running on the asset. This section describes the steps needed to create a new asset certificate and provision it to a host using the push method.

Prerequisites:
  - Because the asset must have a provisioning agent running in order to write the asset certificate to the TPM, only Citrix Xen hosts with the XenServer Measured Boot supplemental pack installed, or open-source Xen or KVM hosts with the trust agent installed, can currently be provisioned using the push method. ESXi hosts must be provisioned using the pull method.
  - One or more Citrix Xen or trust agent hosts registered in Intel Cloud Integrity Technology.
  - The asset tags and selections to be provisioned to the host(s) must already have been created.

1. From the Intel Cloud Integrity Technology portal, browse to Asset Tag Management > Certificate Management.
2. In the Hostname field, type the IP address or hostname (as it appears in Intel Cloud Integrity Technology), or the hardware UUID, of the server to be provisioned.
3. Using the Tag Selection drop-down box, choose the tag selection to be provisioned to the host, and click Save. This creates a new asset certificate and imports it into the Intel Cloud Integrity Technology database. The certificate is matched to the appropriate host for attestation using the host's hardware UUID.
4. Under Search Certificates, leave all fields blank and click Search (this lists all asset certificates in the database). A certificate with the UUID entered above is listed.
5. To the right of the certificate details are several hyperlinks. Click Deploy.
6. New fields appear below the certificate list. Enter the IP address or hostname of the host (along with the username and password for an account with root privileges if the host is a Citrix XenServer). Click Provision. The asset certificate is provisioned to the host's TPM.
7. Reboot the host to complete the provisioning process. The certificate information written to the TPM is not extended into PCR 22, and thus is not available for attestation, until the host's next boot cycle.

3.2 Push Provisioning Method (Automated)

The push method for asset tag provisioning is initiated by the asset tag management service. The administrator creates a new asset certificate and provisions the certificate to a provisioning agent running on the asset. This section describes the steps needed to automatically generate and provision asset certificates for one or more hosts concurrently using identical tags.

Prerequisites:
  - Because the asset must have a provisioning agent running in order to write the asset certificate to the TPM, only Citrix Xen hosts with the XenServer Measured Boot supplemental pack installed, or open-source Xen or KVM hosts with the trust agent installed, can currently be provisioned using the push method. ESXi hosts must be provisioned using the pull method.
  - One or more Citrix Xen or trust agent hosts registered in Intel Cloud Integrity Technology.
  - The asset tags and selections to be provisioned to the host(s) must already have been created.

1. From the Intel Cloud Integrity Technology portal, browse to Asset Tag Management > Provision Tags.
2. Select the servers to be provisioned from the Available Servers list by double-clicking each server.
3. In the Tag Selection box, choose either a pre-existing selection from the Available Selections tab, or select Upload XML to use an XML file. Refer to Section 5.0 for XML formatting instructions.
4. Click the Provision button at the bottom of the page. This automatically generates a new asset certificate for each host using the specified selection of tags, and provisions the certificates to all servers in the Servers to Provision list.
5. After rebooting the provisioned hosts, the asset tag information is available for attestation.

3.3 Pull Provisioning Method

The pull method for asset tag provisioning is initiated from the host by the provisioning agent. The agent works in two ways: it can send the UUID of the host to receive a pre-generated valid certificate if one exists, or it can send an XML file to the asset tag service, which creates certificates with tag selections according to the options in the XML. In either case, the SHA1 hash of the resulting certificate is written to the host's TPM.

The asset tag provisioning agent must be run from an operating system with certain prerequisites installed, and is therefore provided on an ISO-format disk image (assettag.iso). This image is used with iPXE on a provisioning network to boot the host into the provisioning image remotely.

3.3.1 PXE Image Configuration

Prerequisites:
  - A working iPXE server with supporting technologies and an NFS share
  - A deployed instance of the asset tag management service
  - The asset tag provisioning image (assettag.iso)
  - The TPM of any host to be provisioned using the pull method must be in the clear state, with Intel TXT activated

Note: If provisioning a host running the trust agent using the pull method, and the host is already registered for attestation in Intel Cloud Integrity Technology, TPM ownership does NOT need to be cleared. For trust agent hosts, boot to PXE, allow the script to run, and then boot back into the normal OS.

1. Extract the contents of assettag.iso and copy the casper folder to the Network File System (NFS) share directory on the PXE server.
2. Copy the Secure Sockets Layer (SSL) certificate from your asset tag management server (located in /etc/intel/cloudsecurity/ssl.crt.pem) to the PXE server and place it in the NFS share directory of the PXE server.
3. On your PXE server, edit /tftpboot/ipxe/bootloader.cfg and add the following kernel arguments:

     atag_cert='http://<PXE IP Address>/<nfsshare>/ssl.crt.pem'
     atag_username='admin'
     atag_password='password'
     atag_xml='<path_to_xml>'
     atag_server='http://<IP Address>:<Port>/mtwilson/v2'

   Replace <PXE IP Address> with the IP address or hostname of the PXE server. Replace <nfsshare> with the path to the NFS share. Replace <IP Address> and <Port> with the IP address or hostname and port of the asset tag management server on the PXE network.

   Note: these arguments, including the asset tag service credentials, are passed on the kernel command line of an image that iPXE fetches over the provisioning network, so they are readable by anyone who can reach the PXE/NFS server or sniff that network. Keep the provisioning network isolated and do not reuse the password of a privileged account here.

   Refer to the following sample bootloader.cfg file:

     #!ipxe
     # bootloader.cfg
     cpuid --ext 29 && set arch ia32e || set arch ia32
     echo !!!!PXE booting to Asset Tag Provisioning Agent..!!!!
     sleep 2
     set nfs-root <pxe_server_ip>:/var/www/nfsshare
     kernel nfs://<pxe_server_ip>/var/www/nfsshare/casper/vmlinuz
     initrd nfs://<pxe_server_ip>/var/www/nfsshare/casper/initrd.gz
     echo got the initrd and vmlinuz kernel
     sleep 2
     echo now booting...
     sleep 1
     echo ...
     imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=<pxe_server_ip>:/var/www/nfsshare atag_username='admin' atag_password='password' atag_cert='http://<PXE_server_IP>/nfsshare/ssl.crt.pem' atag_xml='<path_to_xml>' atag_server='http://<Asset Tag Server IP>:<Asset Tag Server Port>/mtwilson/v2'
     boot

3.3.2 Asset Tag Provisioning Agent Script (PXE)

Prerequisites:
  - An iPXE server configured as in Section 3.3.1
  - The TPM of any ESXi host, or of any trust agent host that is not registered in Intel Cloud Integrity Technology, must be in the clear state, and Intel TXT/TPM must be active

To provision a host, reboot it and use the Boot Options menu to boot from the provisioning PXE network during startup. The asset tag provisioning agent script runs automatically when the image loads. The script contacts the Intel Cloud Integrity Technology server and retrieves the latest valid asset certificate for the host's hardware UUID. If no certificate exists, new certificates can be created using an XML file containing host UUIDs and the tag name/value pairs that should be assigned to them. Refer to Section 5.0, Section 6.0 and Section 7.0 for details on XML creation, encryption, and provisioning.

1. Reboot the host to be provisioned.
2. Enter the boot menu and select the network device on the PXE network. The system boots and the provisioning agent script runs.

3. If the host is running ESXi or Citrix XenServer, or is not yet registered in Intel Cloud Integrity Technology, enter the BIOS and re-enable the TPM (the script automatically clears TPM ownership). This step is not required for trust agent hosts that are registered in Intel Cloud Integrity Technology.
4. Reboot the host to its normal operating system.

4.0 Tag Visibility and Attestation

After tag selections have been provisioned to hosts, the Intel Cloud Integrity Technology trust attestation server can provide visibility and attestation for the tags and certificates. Integration with Intel Cloud Integrity Technology was already performed during the installation process. In the background, the asset tag management service replicates the asset certificates into the Intel Cloud Integrity Technology database, along with the UUID of the host each certificate is provisioned to. Registering a host in Intel Cloud Integrity Technology after the host has been provisioned with asset tags enables the trust dashboard to display the tags provisioned to the host, and enables Intel Cloud Integrity Technology to attest to the validity of the asset certificate.

After provisioning completes, follow the standard procedures for whitelisting and host registration in Intel Cloud Integrity Technology. Refer to the Intel Cloud Integrity Technology Product Guide for instructions. After hosts are registered, the trust dashboard page shows the new Asset Tag trust status. The asset tag details can be seen in the trust assertion, and the hash of PCR 22 can be seen in the trust report.
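The check below is an added example, not code from Intel Cloud Integrity Technology or from this guide. It computes the PCR 22 value a trust report should show once a provisioned host has rebooted, starting from the asset certificate on file, and classifies what the report actually shows. It models the guide's statements (the SHA1 of the certificate is written to the TPM, and is extended into PCR 22 at the next boot) as a single TPM 1.2 extend into an initially all-zero PCR; that single-extend-from-zero model is an assumption of the example, and the certificate bytes are constructed stand-ins rather than a real DER certificate. A PCR 22 that is still all zeros is the "provisioned but not yet rebooted" state that step 7 of Section 3.1 warns about.

```python
import hashlib

ZERO_PCR = b"\x00" * 20   # assumed initial value of PCR 22 (TPM 1.2, SHA-1 sized)


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend operation: new PCR = SHA1(old PCR || measurement)."""
    return sha1(pcr + measurement)


def asset_tag_digest(cert_der: bytes) -> bytes:
    """What the provisioning agent writes to the TPM: SHA1 of the asset certificate."""
    return sha1(cert_der)


def expected_pcr22(cert_der: bytes) -> str:
    """PCR 22 after the next boot extends the stored digest once into a zero PCR
    (the single-extend-from-zero model is an assumption of this example)."""
    return pcr_extend(ZERO_PCR, asset_tag_digest(cert_der)).hex()


def check_pcr22(cert_der: bytes, reported_pcr22_hex: str) -> str:
    """Classify the PCR 22 value shown in a trust report against the certificate
    on file for the host:
      "not-extended": PCR 22 is still zero, so the host has not rebooted since
                      provisioning and the tag is not yet attestable
      "ok":           PCR 22 matches this certificate
      "mismatch":     a different certificate (or none) is in the TPM"""
    reported = reported_pcr22_hex.strip().lower()
    if reported == ZERO_PCR.hex():
        return "not-extended"
    if reported == expected_pcr22(cert_der):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Constructed stand-in for the DER-encoded asset certificate.
    cert = b"constructed asset certificate bytes"
    print("expected PCR 22:", expected_pcr22(cert))
    for reported in (ZERO_PCR.hex(), expected_pcr22(cert), expected_pcr22(b"some other cert")):
        print(reported, "->", check_pcr22(cert, reported))
```

Feed check_pcr22 the DER bytes of the certificate the asset tag service holds for the host and the PCR 22 value from the trust report; "mismatch" after a reboot means the TPM carries a different certificate than the one the attestation server will validate against.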

5.0 Creating an XML for Certificate Provisioning

Asset tags can be defined for future provisioning using an XML file provided to the provisioning agent script. Which tags are provisioned to which hosts can be configured in several ways:

  - Provide the list of hosts to be provisioned with a set of tags, as one or more hardware UUID values or as the IP address/hostname as it appears in Intel Cloud Integrity Technology (use <subject><uuid> to list UUIDs, or <subject><ip> to list hosts as they appear in Intel Cloud Integrity Technology).
  - Provide a list of tags in the <default> block, with no <subject>, to apply the same set of tags to all hosts. The <selection> block within the <default> block, with no <subject> listed, is used as the default set of tags to provision to all hosts not explicitly listed.
  - The <cache mode=""> setting in the <options> block determines whether a new certificate is always created during provisioning, or whether a pre-existing certificate is used if one is available. Set <cache mode="on"> to use an existing, valid certificate when one is available. Set <cache mode="off"> to generate a new certificate at provisioning regardless of whether a valid certificate for the specified host already exists in the database.

Tags are listed in the following format:

  <attribute oid="2.5.4.789.1"><text>name=value</text></attribute>

All tags listed within a single <selection></selection> block are provisioned to the same host(s), according to any listed <subject> assignments. If a <selection name=""> is provided, a new selection is created in the database using the specified name. If the specified selection name already exists, the existing selection is used. In this way, a <selection name=""> block can be used without any key/value pairs listed in the XML. If no name is specified for the selection, the key/value pairs are still used to create the certificate, but the selection object is not saved in the Intel Cloud Integrity Technology database.

The oid 2.5.4.789.1 is required when using the text format name=value as shown here. Only one value is allowed in the name=value format, but multiple values for the same tag can be listed in a single selection. For example, Tenant=Tenant1 and Tenant=Tenant2 can both be applied to the same host by listing both name/value pairs in the same <selection> block. It is possible to create attributes other than name=value pairs by using the <der> tag instead of the <text> tag; however, <der> tags are incompatible with the Intel Cloud Integrity Technology UI. The entire asset tag certificate is provided in the SAML assertion, so any provisioned tags are still obtainable regardless of which format is chosen.

Sample XML:

  <?xml version="1.0" encoding="utf-8"?>
  <selections xmlns="urn:mtwilson-tag-selection">
    <options>
      <cache mode="off"/>
    </options>
    <default>
      <selection>
        <attribute oid="2.5.4.789.1"><text>country=us</text></attribute>
        <attribute oid="2.5.4.789.1"><text>state=ny</text></attribute>
        <attribute oid="2.5.4.789.1"><text>city=new York</text></attribute>
      </selection>
    </default>
    <selection name="existingselection">
      <subject><ip>192.168.1.101</ip></subject>
    </selection>
    <selection name="existingselection2">
      <subject><uuid>21c26a6e-5401-41de-a168-d637e1e1b154</uuid></subject>
      <subject><uuid>f98cabf1-6ab1-47c2-8b5c-e3be3d6865ad</uuid></subject>
    </selection>
  </selections>

6.0 XML Operational Logic and Security

When an XML file is used for provisioning, the selection applied to a host is chosen as follows:

1. All <selection> blocks in the XML file are filtered according to their validity dates (notbefore and notafter attributes); any selections that are not currently valid are ignored.
2. The first remaining selection that names the target host's UUID is used.
3. Otherwise, the first selection that names the target host's IP address or hostname, which mtwilson resolves to the hardware UUID, is used.
4. Otherwise, the first default selection in the file (one that has no <subject> elements, only attributes) is used.

The XML is sent from the provisioning agent to the asset tag service. If the file is encrypted, the asset tag service decrypts it. If the <subject> is not a UUID, the asset tag service looks up the host UUID in Intel Cloud Integrity Technology. If the host is not already registered in Intel Cloud Integrity Technology, no certificates are created, and nothing is provisioned to the host. If a <subject> is provided with no <attribute> listings, Intel Cloud Integrity Technology searches for an existing valid certificate for the specified <subject> and provisions that certificate to the host. If no valid certificate exists for the specified host, nothing is provisioned.

If an external Certificate Authority (CA) is configured (tag.provision.external=true), or the provisioning agent has requested asynchronous processing, the service saves the certificate request to the database and returns a request ID to the provisioning agent. The agent can check back periodically until the request completes, then download the certificate. If the asset tag service is configured to auto-import certificates into Intel Cloud Integrity Technology (MTWILSON_TAG_CERT_IMPORT_AUTO=true), this is done immediately upon generating the new certificate. If there is an error importing the certificate into the Intel Cloud Integrity Technology database, the error is logged but does not prevent provisioning.
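As an added example (not code from the asset tag service or from this guide), the following Python models the selection rules above: it drops selections outside their notbefore/notafter window, then picks the first selection naming the host's UUID, then the first naming its IP/hostname, then the first default selection, and reports whether the match will create a new certificate or reuse an existing one (a named selection with no attributes). The XML is the guide's sample plus one constructed, expired selection; the YYYY-MM-DD format of notbefore/notafter and the case-insensitive UUID comparison are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from datetime import date

NS = {"t": "urn:mtwilson-tag-selection"}
SELECTION = "{urn:mtwilson-tag-selection}selection"
TAG_OID = "2.5.4.789.1"  # the guide requires this OID for <text>name=value</text>

# Constructed sample: the guide's example XML plus one expired selection
# ("expired", valid only during 2014) that names the first UUID.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<selections xmlns="urn:mtwilson-tag-selection">
  <options><cache mode="off"/></options>
  <default>
    <selection>
      <attribute oid="2.5.4.789.1"><text>country=us</text></attribute>
      <attribute oid="2.5.4.789.1"><text>state=ny</text></attribute>
      <attribute oid="2.5.4.789.1"><text>city=new York</text></attribute>
    </selection>
  </default>
  <selection name="expired" notbefore="2014-01-01" notafter="2014-12-31">
    <subject><uuid>21c26a6e-5401-41de-a168-d637e1e1b154</uuid></subject>
    <attribute oid="2.5.4.789.1"><text>tenant=old</text></attribute>
  </selection>
  <selection name="existingselection">
    <subject><ip>192.168.1.101</ip></subject>
  </selection>
  <selection name="existingselection2">
    <subject><uuid>21c26a6e-5401-41de-a168-d637e1e1b154</uuid></subject>
    <subject><uuid>f98cabf1-6ab1-47c2-8b5c-e3be3d6865ad</uuid></subject>
  </selection>
</selections>
"""


def is_valid_on(sel, today):
    """Step 1: validity-date filter. A missing notbefore/notafter is unbounded
    (assumed date format: YYYY-MM-DD)."""
    nb, na = sel.get("notbefore"), sel.get("notafter")
    if nb and today < date.fromisoformat(nb):
        return False
    if na and today > date.fromisoformat(na):
        return False
    return True


def tag_pairs(sel):
    """Return the (name, value) tags of a selection; reject anything that is
    not <attribute oid="2.5.4.789.1"><text>name=value</text>."""
    pairs = []
    for attr in sel.findall("t:attribute", NS):
        text = attr.find("t:text", NS)
        if attr.get("oid") != TAG_OID or text is None or "=" not in (text.text or ""):
            raise ValueError("tag must be <attribute oid=%s><text>name=value</text>" % TAG_OID)
        name, value = text.text.split("=", 1)
        pairs.append((name, value))
    return pairs


def subjects(sel, kind):
    """Lower-cased <subject><uuid> or <subject><ip> values of a selection."""
    return [e.text.strip().lower() for e in sel.findall("t:subject/t:" + kind, NS) if e.text]


def cache_mode(xml_text):
    """<options><cache mode=.../>; the guide's sample uses "off" (always a new cert)."""
    node = ET.fromstring(xml_text).find("t:options/t:cache", NS)
    return node.get("mode", "off") if node is not None else "off"


def resolve(xml_text, host_uuid, host_ip=None, today=None):
    """Pick the selection for one host per Section 6.0; None if nothing applies.
    `today` is an ISO date string so a fixed date can be used when testing."""
    today = date.fromisoformat(today) if today else date.today()
    valid = [s for s in ET.fromstring(xml_text).iter(SELECTION) if is_valid_on(s, today)]
    chosen = next((s for s in valid if host_uuid.lower() in subjects(s, "uuid")), None)  # step 2
    if chosen is None and host_ip:                                                      # step 3
        chosen = next((s for s in valid if host_ip.lower() in subjects(s, "ip")), None)
    if chosen is None:                                                                   # step 4
        chosen = next((s for s in valid
                       if not s.findall("t:subject", NS) and s.findall("t:attribute", NS)), None)
    if chosen is None:
        return None
    tags = tag_pairs(chosen)
    # A named selection with no attributes means "reuse the host's existing valid
    # certificate": the service creates nothing new in that case.
    return {"name": chosen.get("name"), "tags": tags,
            "action": "create-certificate" if tags else "use-existing-certificate"}
```

Running resolve against the sample with the first UUID in 2015 returns existingselection2 (reuse an existing certificate); with a 2014 date the expired selection wins instead, because it appears earlier in the file and is still within its window. An unknown host falls through to the default selection and gets a new certificate with the three country/state/city tags.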

7.0 Encrypting XML When automating the provisioning of asset tags, there might be situations in which the selection of attributes is determined in advance by one person and is provisioned by another person who has access to the hosts for provisioning but is not authorized to change the attribute selections. This document describes how to create encrypted selection files that can be used in place of plaintext Selection files in order to protect the integrity of the pre-determined selections. 7.1 Pre-provisioning Setup Following are required to create an encrypted selection file: Encryption password from mtwilson.properties (tag.provision.xml.encryption.password) Selection XML file OpenSSL command line tools, with optional openssl.org patch #3254 The encrypt.sh script provided with the asset tag service The asset tag service automatically generates a file encryption password during installation and stores it in the Intel Cloud Integrity Technology configuration file mtwilson.properties. This password is used to encrypt the selection XML file and also to decrypt it. The asset tag provisioning service enables exporting a selection file in XML format. Support for exporting the selection file already encrypted is planned for a later release. Alternatively, users can create selection XML files using another process. An XML Schema Definition (XSD) for the selection XML files is available. The OpenSSL command line tools include the enc command that is used to encrypt files, and the dgst command that is used to provide an integrity digest for the selection. OpenSSL patch #3254 provides command-line support for the PBKDF2 algorithm and setting the iteration count for both the older password algorithm and the new PBKDF2 algorithm. The patch was prepared against openssl- 1.0.1f. 
7.2 Encrypting the Selection XML File

In this section, it is assumed that openssl and encrypt.sh are in the $PATH, and that the asset tag attribute selection file is in the current directory in a file named selection.xml. It is also assumed that the encryption password is known and in the following example is represented as the word password.

The following commands generate an encrypted file using the chosen password (PASSWORD must be set to the password from tag.provision.xml.encryption.password in mtwilson.properties):

export PASSWORD=password
encrypt.sh -p PASSWORD selection.xml.enc selection.xml

If you are using OpenSSL without patch #3254, add the --nopbkdf2 option:

encrypt.sh --nopbkdf2 -p PASSWORD selection.xml.enc selection.xml

The content of the output file selection.xml.enc looks like this:

Content-Type: encrypted/openssl; alg="aes-256-ofb"; digest-alg="sha256"; enclosed="application/zip"
Date: Fri Feb 7 12:16:30 PST 2014

U2FsdGVkX1+/wg16dCIvM5w7fyBcXvTmtIBsvB5NqsyHMqVR2lqCaNbQGaVW42WE
yn46ncwoqccl1olb5btecb9i5wcl8qb8oqzrmtz+wxwy4r28/1tzsmoeyobbxmcy
/ltf+qlvdnuqu/tsszusswcpnxclcf9v8o0vodmrcas+5d9qu2z4yjh2zuknp/ji
8yYIRxge8UzsoG+AVwmoBk4ZWhzH6A5Lc/T1o0/uIw4M//2+cDCnGduuSLFrL1+q
mo1xb/hp7zgjk+9wrlpgypjm2h58vqf8wwd/dqmwge07mln8ls4gnkn6omwj2dq5
nyhurueiwaz81cbx4ptdcpcnzhryybsw1yxdcru8jhba67owoynx8cxalnkdfau+
CnvitWqmSPJPvFHr6QbBzE/ziPRIzzYoRFksOmzkMjfsugdy8015PI9h36SUQc9Q
y85ujorhb1ytt3haym0tpc3eyof/rqeid4lwuznvlbpytv6tzo18/kxiejnmkqfd
Nbx2Tn+fopG1tIujUPhneBqK7DHMDSGvgWcVl6CCgA0bPm6hcZ8MoDywHcJK86yg
55cJwRwMEHt/PtV94JU//c+Nckq3nltuQTe17+bUTHTgmY1rvone93HV7R1jV5c3
svpxglbsfyhuax4l2yfxuxksiipxacuvwbg6oy7ncyhxci4u+gswj65adysoxlcj
EtdiG33kOS3L5vYUBJMHzmZVaqIR3iw2Za35cT5g+iagThudKcI=

7.2.1 Decrypting and Verifying the Selection XML File

This step is performed by the asset tag provisioning service upon receiving an encrypted selection file. Users can perform the same step in order to decrypt a previously encrypted selection XML file.

In this section, it is assumed that openssl and decrypt.sh are in the $PATH, and that the encrypted asset tag attribute selection file is in the current directory in a file named selection.xml.enc. It is also assumed that the encryption password is known and in the following example is represented as the word password.

The following commands decrypt the encrypted file using the chosen password (PASSWORD must be set to the password from tag.provision.xml.encryption.password in mtwilson.properties):

export PASSWORD=password
decrypt.sh -p PASSWORD selection.xml.enc
ls selection.xml.enc.d

The decryption script does not need a --nopbkdf2 option because it determines automatically from the encrypted file whether PBKDF2 should be used.
The decryption script creates a directory named selection.xml.enc.d into which it extracts the original selection file selection.xml. Users can also see other files adjacent to selection.xml with .sig and .sig.doc extensions. These are used for the integrity check. If the decrypted file fails the integrity check, the decryption script prints a message like this:

Message failed verification: selection.xml.enc.d/selection.xml

7.2.2 Provisioning Usage

When deploying asset tags using the provisioning agent, select the encrypted selection file instead of a plaintext selection file. The provisioning service automatically recognizes that it is encrypted and attempts to decrypt it using the password in mtwilson.properties.

7.2.3 Provisioning Using an XML

Provide an XML file in the PXE configuration options. The XML is sent from the TPA script to the Intel Cloud Integrity Technology server for processing.
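The following is an added example, not code from the document or from the asset tag service's encrypt.sh/decrypt.sh scripts. It illustrates two things the sections above rely on: parsing the Content-Type envelope header and the OpenSSL "Salted__" payload of a file like the sample selection.xml.enc (the first base64 line below is taken from that sample), and the difference between the older OpenSSL password-to-key algorithm (EVP_BytesToKey, one MD5 round) and PBKDF2 as added by patch #3254. The PBKDF2 parameters (HMAC-SHA256, 10000 iterations), the key/IV split, and the assumption that key and IV are derived together are assumptions for illustration; the real scripts' internal layout is not documented on this page. Only the Python standard library is used, so the block stops at key derivation and digest verification and does not perform the AES step.

```python
"""Added example (not from the document): OpenSSL envelope parsing and
password-to-key derivation for an encrypted selection file.

Assumptions (not documented on the page): PBKDF2-HMAC-SHA256 with 10000
iterations, key and IV derived together as 32 + 16 bytes for aes-256-ofb.
"""
import base64
import hashlib
import hmac

SALTED_MAGIC = b"Salted__"

# Header line as shown in the document's sample selection.xml.enc.
SAMPLE_HEADER = ('Content-Type: encrypted/openssl; alg="aes-256-ofb"; '
                 'digest-alg="sha256"; enclosed="application/zip"')
# First base64 line of the document's sample body; it decodes to the
# "Salted__" magic followed by the 8-byte salt and the start of the ciphertext.
SAMPLE_FIRST_LINE = "U2FsdGVkX1+/wg16dCIvM5w7fyBcXvTmtIBsvB5NqsyHMqVR2lqCaNbQGaVW42WE"


def parse_content_type(line: str) -> dict:
    """Split a Content-Type header into its media type and quoted parameters."""
    name, _, value = line.partition(":")
    if name.strip().lower() != "content-type":
        raise ValueError("not a Content-Type header")
    parts = [p.strip() for p in value.split(";")]
    params = {"type": parts[0]}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip().strip('"')
    return params


def split_salted(blob: bytes) -> tuple:
    """Return (salt, ciphertext) from an OpenSSL 'Salted__' payload."""
    if blob[:8] != SALTED_MAGIC:
        raise ValueError("missing Salted__ magic; not an OpenSSL enc payload")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16) -> tuple:
    """Legacy OpenSSL password KDF: D_i = MD5(D_{i-1} || password || salt).

    One MD5 per block makes an offline guess of the password very cheap,
    which is why the PBKDF2 variant is preferred.
    """
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key(password: bytes, salt: bytes, iterations: int = 10000,
               key_len: int = 32, iv_len: int = 16) -> tuple:
    """PBKDF2-HMAC-SHA256 key/IV derivation (iteration count is an assumption)."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return derived[:key_len], derived[key_len:]


def derive_for_envelope(header: str, first_b64_line: str, password: bytes, use_pbkdf2: bool) -> dict:
    """Validate the envelope header, pull the salt, and derive key and IV."""
    meta = parse_content_type(header)
    if meta["type"] != "encrypted/openssl":
        raise ValueError("unexpected envelope type: " + meta["type"])
    salt, _ciphertext = split_salted(base64.b64decode(first_b64_line))
    kdf = pbkdf2_key if use_pbkdf2 else evp_bytes_to_key
    key, iv = kdf(password, salt)
    return {"alg": meta["alg"], "digest_alg": meta["digest-alg"],
            "salt": salt, "key": key, "iv": iv}


def verify_digest(data: bytes, expected_hex: str, digest_alg: str = "sha256") -> bool:
    """Constant-time comparison of the enclosed content's digest against the
    recorded one; this is the check that produces 'Message failed verification'."""
    actual = hashlib.new(digest_alg, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    info = derive_for_envelope(SAMPLE_HEADER, SAMPLE_FIRST_LINE, b"password", use_pbkdf2=True)
    print("cipher:", info["alg"], "digest:", info["digest_alg"], "salt:", info["salt"].hex())
```

Note that the "Salted__" payload itself carries no marker for which KDF was used; the page states only that decrypt.sh determines this from the encrypted file, so a real implementation must read that indication from wherever the script records it.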

8.1 Asset Tag Configuration Variables

Located in mtwilson.properties.

[tag.provision.external=false] Whether to use an external CA instead of the built-in CA. When set to true, tag certificate requests are stored for an external CA to poll and post back the approved certificates, and provisioning agents are required to poll the server for approved certificates.

[tag.provision.nocache=true] Applicable only when using the built-in CA; causes the CA to always generate new certificates for incoming requests, even if an existing valid certificate for the same subject is already in the database. Set to false in order to enable pre-provisioning of certificates while still allowing generation of new certificates when no matching certificate is available.

[tag.provision.xml.encryption.password=(auto)] The password used to encrypt XML files used for tag selection during provisioning. Encrypting XML files enables the asset manager to create tag attribute selections to be used for one or more hosts with confidentiality and integrity.

[tag.provision.xml.encryption.required=false] When enabled, requires all tag selections used in provisioning requests to be encrypted, that is, enforces that only the administrator is able to select tags for new certificates.

[tag.provision.selection.default=(none)] Specifies a default selection on the server to use when a certificate request does not specify any selection. If it is not set, then a default selection is not used and requests must specify a selection.

[tag.provision.autoimport=true] Whether new tag certificates should automatically be imported to Intel Cloud Integrity Technology. Also requires Intel Cloud Integrity Technology settings to be configured, such as mtwilson.api.baseurl.

[tag.validity.seconds=31536000 (~1 year)] The validity period for new tag certificates.

[tag.issuer.dn="cn=mtwilson-tag-ca"] The distinguished name of the issuer to display on tag certificates.
The list of trusted tag certificate authorities is in a file called tag-cacerts.pem in the Intel Cloud Integrity Technology configuration folder.
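As an added example (not part of the document or the asset tag service), the following script parses a Java-style mtwilson.properties file and checks the asset tag settings listed above against their documented meaning, reporting the combinations a reviewer would flag: plaintext selections still accepted because tag.provision.xml.encryption.required is off, an empty encryption password, auto-import enabled without mtwilson.api.baseurl, and a certificate validity longer than the documented default. The properties text is constructed for the example; the audit rules are derived only from the descriptions in section 8.1.

```python
"""Added example (not from the document): audit asset tag settings in
mtwilson.properties against the meanings documented in section 8.1.
The sample properties below are constructed, not from a real deployment.
"""
import re

DEFAULT_VALIDITY_SECONDS = 31536000  # documented default (~1 year)

SAMPLE_PROPERTIES = """\
# constructed sample; the password value is a placeholder, not a real secret
tag.provision.external=false
tag.provision.nocache=true
tag.provision.xml.encryption.password=PLACEHOLDER-PASSWORD
tag.provision.xml.encryption.required=false
tag.provision.autoimport=true
tag.validity.seconds=31536000
tag.issuer.dn=cn=mtwilson-tag-ca
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, # or ! comments.
    Only the first separator splits, so values such as cn=mtwilson-tag-ca survive."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def _is_true(props: dict, key: str, default: str) -> bool:
    return props.get(key, default).strip().lower() == "true"


def audit_tag_settings(props: dict) -> list:
    """Return a list of findings; an empty list means nothing to report."""
    findings = []

    # Without encryption.required, a plaintext selection from whoever runs the
    # provisioning agent is accepted, so the pre-determined selection is not enforced.
    if not _is_true(props, "tag.provision.xml.encryption.required", "false"):
        findings.append("tag.provision.xml.encryption.required is not true: "
                        "plaintext tag selections are accepted during provisioning")

    # The password is generated at install time; an empty value breaks decryption.
    if not props.get("tag.provision.xml.encryption.password", "").strip():
        findings.append("tag.provision.xml.encryption.password is empty: "
                        "encrypted selection files cannot be decrypted")

    # Auto-import needs the Intel Cloud Integrity Technology base URL.
    if _is_true(props, "tag.provision.autoimport", "true") and \
            not props.get("mtwilson.api.baseurl", "").strip():
        findings.append("tag.provision.autoimport is true but mtwilson.api.baseurl is not set")

    # nocache only matters for the built-in CA; note when it is set alongside an external CA.
    if _is_true(props, "tag.provision.external", "false") and "tag.provision.nocache" in props:
        findings.append("tag.provision.nocache has no effect when tag.provision.external is true")

    # Longer-lived tag certificates widen the window in which a stale tag stays valid.
    validity = props.get("tag.validity.seconds", str(DEFAULT_VALIDITY_SECONDS))
    try:
        if int(validity) > DEFAULT_VALIDITY_SECONDS:
            findings.append("tag.validity.seconds exceeds the documented default of "
                            f"{DEFAULT_VALIDITY_SECONDS} seconds")
    except ValueError:
        findings.append(f"tag.validity.seconds is not an integer: {validity!r}")

    return findings


if __name__ == "__main__":
    for finding in audit_tag_settings(parse_properties(SAMPLE_PROPERTIES)):
        print("FINDING:", finding)
```

Run it against a copy of a real mtwilson.properties by replacing SAMPLE_PROPERTIES with the file's contents; the sample above yields two findings (encryption not required, auto-import without a base URL).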

9.1 PXE Server Setup Guidelines

While there are many possible ways to configure PXE, the following steps detail the configuration of an ipxe server as a reference for using PXE with the pull method of asset tag provisioning. Follow the steps provided in Section 3.3.1 after installing the basic ipxe services to configure the ipxe server to serve the asset tag provisioning image.

Prerequisites:

- A Virtual Machine (VM) running Ubuntu* 12.04 LTS
- Internet access

$ sudo apt-get install gcc binutils make perl syslinux zlib
$ sudo apt-get install binutils header files
$ sudo git clone http://git.ipxe.org/ipxe.git
$ cd ipxe/src
$ make
$ make everything
$ cd usr/lib/ipxe
# copy bootloader.cfg undionly.kpxe boot.cfg mboot.c32 undionly.cfg to ipxe directory
$ apt-get install isc-dhcp-server nfs-kernel-server tftpd-hpa


LEGAL

No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest forecast, schedule, specifications and roadmaps. The products and services described may contain defects or errors which may cause deviations from published specifications. Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting www.intel.com/design/literature.htm. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. * Other names and brands may be claimed as the property of others. 2015 Intel Corporation.