HP Z200 - Small Form Factor Workstation Setup And Configuration Manual

Hp z200 workstation - amt setup and configuration for the z200 workstation with intel amt technology

Hide thumbs Also See for Z200 - Small Form Factor Workstation:

Maintenance and service manual (210 pages)

User manual (87 pages)

Overview (54 pages)

Table of Contents

Quick Links

See also: Maintenance and Service Manual , User Manual

AMT Setup and Configuration

for the Z200 Workstation with

Intel AMT Technology

March 2010

Need help?

Do you have a question about the Z200 - Small Form Factor Workstation and is the answer not in the manual?

Questions and answers

Summary of Contents for HP Z200 - Small Form Factor Workstation

Page 1: Table Of Contents
AMT Setup and Configuration for the Z200 Workstation with Intel AMT Technology March 2010 Table of Contents: Introduction ......................2 AMT Setup and Configuration ................2 AMT System Phases ..................3 Manual Mode – AMT Setup and Configuration with MEBx ........ 3 BIOS Prerequisite ....................
Page 2: Introduction
Introduction The HP Z200 workstation utilizes Intel AMT processor technology to simplify PC management and reduce IT related expenditures. Intel AMT processor technology allows for improved management of PC systems and better security. AMT provides Out-of-Band (OOB) remote access to a system regardless of the system power state or operating system condition as long as the system is connected to a power source and a network.
Page 3: Amt System Phases
AMT System Phases An AMT system can be in one of three phases in regards to its current stage of AMT Setup and Configuration. Three Phases of AMT Setup and Configuration: Factory • In-Setup • Operational • The Factory phase is the initial stage. The system had been built from the factory. No AMT Setup and Configuration has been done.
Page 4 Criteria: Password must be between 8 and 32 characters long. • Password must contain both upper and lower case Latin characters (e.g. A, a, • B, b). Password must have at least one digit character (e.g. 0, 1, 2, … 9). •...
Page 5: Bios Prerequisite
BIOS Prerequisite This whitepaper is for the HP Z200 workstation. The HP Z200 workstation uses the 786H3 BIOS family. The system BIOS and the ME FW must be updated individually. Refer to the BIOS Flash Whitepaper at www.hp.com for more information on flashing the system BIOS and ME FW.
Page 6 The user must change the default password before any changes can be made in the MEBx. Change the password for the MEBx. The new password must meet the criteria defined in the Password Guideline Section, also known as a strong password. It must be entered twice for verification.
Page 7 Note that if the ME is disabled, then all AMT functions are also disabled. The system will not be remotely manageable. Check Password Policy. Default Setting : Default Password Only Recommended Setting : Default Password Only Select Default Password Only This option determines when the user is allowed to change the Intel MEBX password through the network.
Page 8 Default Setting : None Recommended Setting : User Dependent Note that spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Hostnames can be used in place of the system’s IP for any applications requiring the IP address. Domain Name Enter a domain name Default Setting...
Page 9 TCP/IP Settings. AMT 6.0 supports IPV4 and IPV6 interface. Follow steps 8a-8f to configure for IPV4 and 8g-8h for IPV6. Figure 4: Intel ME TCP/IP Settings Screen Wired LAN IPV4 Configuration DHCP Mode Default Setting : Enabled Recommended Setting : Enabled DHCP can be used if it is available (TCP/IP settings will be configured by a DHCP server).
Page 10 Figure 5: Intel ME Wired LAN IPv4 Configuration Screen IPV4 Address Enter a static address Default Setting : 0.0.0.0 Recommended Setting : Network Dependent Example: 192.168.0.1 Make sure all AMT systems have a unique static IP address. Multiple systems sharing the same IP address can lead to network collisions, which will cause the systems to not respond correctly.
Page 11 Alternate DNS Address Leave as default value and hit Enter Default Setting : 0.0.0.0 Recommended Setting : Network Dependent Wired LAN IPV6 Configuration Select Enabled option for IPv6 Feature Selection If DHCP is disabled, then steps 8h through 8i are required to configure the IPV6 static IP address.
Page 12 IPv6 Address. AMT 6.0 supports IPv6 network interface. Enter a static IPv6 address Default Setting : None Recommended Setting : Network Dependent Example: 2001:db8::1428:57ab iii. IPv6 default Router. Enter the IPv6 Default Router address Default Setting : None Recommended Setting : Network Dependent Example: 2001:db8::1428:57ab Preferred DNS IPv6 Address...
Page 13 Figure 7: Intel ME Activate Network Access Screen FW Update Settings. a. Local FW Update Qualifier. Intel ME Firmware Local Update Qualifier Default Setting : Always Open Recommended Setting : Always Open...
Page 14 Figure 8: Intel ME FW Update Settings Screen This option allows the BIOS to override the ME Firmware Locale Update option and to permit local updates. By default, the system BIOS allows for an unlimited number of local ME FW updates.
Page 15 b. Secure FW Update. Intel ME Firmware Local Update Qualifier Default Setting : Enabled Recommended Setting : Enabled The Secure Firmware Update function requires an administrator user name and password. If the administrator user name and password are not supplied, the firmware cannot be updated. When the Secure Firmware Update feature is enabled, the IT administrator can update the firmware using the secure method.
Page 16 Note: The ME On in Host Sleep State mode will automatically set to Desktop: ON in S0, ME Wake in S3, S4-5 after Activating the Network Access (step 9). b. Idle Timeout Default Setting : 65535 Recommended Setting : 65535 This option sets the timeout value for Wake-On-ME.
Page 17 Go into the Intel AMT Configuration. Figure 10: Intel AMT Configuration Screen Press the Enter key when MEBx displays “Update Network settings in the General Settings menu”. Press ’Y’ at the MEBx prompt below:...
Page 18 Figure 1 1: Intel AMT Configuration Screen a. Check the Manageability Feature Selection. Default Setting : Enabled Recommended Setting : Enabled This option allows Intel AMT to be enabled or disabled. By default, the HP Z200 workstation is set to enable Intel AMT. Note that setting the Disabled option will disable all remote management capabilities.
Page 19 Figure 12: Intel ME Features Control Screen with AMT Selected b. Check SOL/IDE-R. Figure 13: Intel ME SOL-IDE-R Configuration Screen...
Page 20 a) Username & Password Default Setting : Enabled Recommended Setting : Enabled Select Enabled. This option allows users and passwords to be added from the WebGUI. If it is disabled, then only the administrator has MEBx remote access. b) SOL. Default Setting : Enabled Recommended Setting...
Page 21 Figure 14: Intel ME KVM Configuration Screen KVM feature Selection. Default Setting : Enabled Recommended Setting : Enabled Figure 15: Intel ME KVM Configuration Screen...
Page 22 ii. User opt-in. Default Setting : User Consent is required for KVM session Recommended Setting : User Dependent iii. Opt-in Configuration from remote IT Default Setting : Enabled Remote Control of KVM Opt-in Policy Recommended Setting : User Dependent Disable Remote Control of KVM Opt-in Policy – This option disables the Remote User’s ability to select User OPT-IN Policy.
Page 23: Intel Amt Webgui
Intel AMT WebGUI The Intel AMT WebGUI is a web browse-based interface for limited remote system management. The WebGUI is often used as a test to determine if AMT Setup and Configuration was performed properly on a system. A successful remote connection between a remote system and the host system running the WebGUI indicates proper AMT Setup and Configuration on the remote system.
Page 24: Important Note
Figure 16: Intel AMT WebGUI Screen 6) Review system information and/or make any necessary changes. Important Note: The MEBx password can be changed for the remote system in the WebGUI. Changing the password in the WebGUI or a remote console will result in two passwords.
Page 25: Setup And Configuration Server
Setup and Configuration Server A Setup and Configuration Server (SCS) is simply an application that executes over a network performing AMT Setup and Configuration. It is required for Enterprise mode setup and configuration. In a PSK Setup and Configuration, both the AMT client system and the SCS must share a set of Provisioning ID (PID) and Provisioning Passphrase (PPS).
Page 26: Enterprise Mode - Amt Setup And Configuration Steps
Enterprise Mode – AMT Setup and Configuration Steps: The AMT Setup portion for Enterprise mode is the same as SMB mode. Repeat Steps 1 through 15 to perform AMT Setup. This will take the system from Factory mode to In Setup Mode. Refer to Manual Mode –...
Page 27 Figure 17a: Intel ME Platform Configuration Screen Figure 17b: Intel AMT Configuration Screen Continued...
Page 28 10) Go into Network Setup & select Host Name. Enter a host name Default Setting : None Recommended Setting : User Dependent Spaces are not accepted in the host name. 11) Go into Network Setup and select TCP/IP. a. Wired LAN IPv4 Configuration DHCP Mode Default Setting : DHCP Enabled...
Page 29 Alternate DNS IPv6 Address Enter the Alternate DNS IPv6 Address Default Setting : None Recommended Setting : Network Dependent Example: 2001:db8::1428:57ab 12) Skip Activate Network Access. 13) Skip Un-Configure Network Access. 14) Go into Remote Setup And Configuration. Figure 18: Intel Setup and Configuration Screen This is the menu where the Enterprise mode provisioning data is entered.
Page 30 TLS Provisioning Mode Provisioning IP Date of Provisioning The provisioning record for a system with PKI provisioning will include the following information: TLS Provisioning Mode Host Initiated Hash Data Hash Algorithm Serial Number ISDefault Bit Time Validity Pass FQDN Provisioning IP Date of Provisioning This option is only for display, no changes can be made here.
Page 31 Figure 19: Intel TLS PSK Configuration Screen Go into Set PID and PPS. Default Setting : None Recommended Setting : System Dependent This option is for Provisioning ID (PID) and Provisioning Passphrase (PPS) entry. PIDs are 8 characters and PPS are 32 characters. There are dashes between every set of four characters so counting dashes PIDs are 9 characters and PPS are 40 characters.
Page 33 15) FW Update Settings. Local FW Update Qualifier. Intel ME Firmware Local Update Qualifier Default Setting : Always Open Recommended Setting : Always Open This option allows the BIOS to override the ME Firmware Locale Update option and to permit local updates. By default, the system BIOS allows for an unlimited number of local ME FW updates.
Page 34 b. Idle Timeout Default Setting : 65535 Recommended Setting :65534 This option sets the timeout value for Wake-On-ME. The default timeout value is 65535 from the factory and it is in units of a minute. A value of 0 means the Wake-On-ME feature is disabled and the ME will not go to sleep when not being used in a non-active system.
Page 35 d. IDE Redirection Default Setting : Enabled Recommended Setting : Enabled Select Enabled. e. Legacy Redirection Mode. Default Setting : Disabled Recommended Setting : Disabled Select Disabled. This option allows the Redirection feature to work with the pre-AMT 6.0 remote consoles (need to set to Enabled). 20) Check KVM Configuration.
Page 36 26) When power is reapplied to the system, it will immediately look for a Setup and Configuration Server. If one is found, the AMT system will send a “Hello” message to the server. DHCP and DNS must be available for the Setup and Configuration Server search to automatically succeed.
Page 37: Provisioning Methods
Provisioning Methods There are three methods of provisioning a system with Enterprise mode: Legacy • IT TLS-PSK • • OEM TLS-PSK Legacy Legacy method of AMT Setup and Configuration should be executed on an isolated network separate from the corporate network if TLS is desired. An S&CS server would have to have a secondary network connection to Certification Authority for TLS configuration.
Page 38: Oem Tls-Psk
OEM TLS-PSK OEM TLS-PSK AMT Setup and Configuration is done in two stages. The first stage is performed during OEM manufacturing and the second stage at the customer location. In the first stage, customers purchase systems from HP. HP will setup those systems during manufacturing bringing them to the In-Setup phase.
Page 39: Usb Drive Key Requirements
c. Return the information to the management console. 4) The management console writes the password, PID and PPS sets to a Setup.bin file in the USB Drive Key. 5) Technician takes the USB Drive Key to the staging area where new AMT platforms are located.
Page 40: Remote Configuration
Remote Configuration Remote Configuration (RCFG) is the ability to use a single OEM image to provision systems securely without the need to manually modify AMT options. RCFG uses a Public Key Infrastructure with Certificate Hashes (PKI-CH) protocol to maintain security. A DHCP environment is required. RCFG relies on several new AMT features: Embedded Hash Root Certificates •...
Page 41: Remote Configuration Prerequisites
If no SCS responds to the Hello messages within the timeout period, then the network interface that sends out the Hello messages will be disabled. The network interface can be re-enabled to send out Hello messages again by the following methods: Restarted by a local agent.
Page 42 Figure 20: Intel Remote Configuration Screen 1) Remote Configuration Enable/Disable Default Setting : Enabled Recommended Setting : Enabled This option enables or disables Remote Configuration. 2) Set PKI DNS Suffix This option allows the PKI DNS Suffix of the SCS to be entered. 3) Manage Certificate Hashes This option shows the hashes in the system including the name of the hash and whether it is active or not.
Page 43: List Of Supported Ca Certificates
List of Supported CA Certificates The following are a list of supported Certificate Authorities and certificates. Not all of the certificates might be populated in certain configurations. VeriSign Class 3 Primary CA-G1 • SHA1 Fingerprint: 74 2C 31 92 E6 07 E4 24 EB 45 49 54 2B E1 BB C5 3E 61 74 E2 VeriSign Class 3 Primary CA-G2 •...
Page 44: Return To Default
Return to Default Return to Default is also known as Unprovisioning. An AMT Setup and Configured system can be unprovisioned. It is done through the ME Platform Configuration Screen and the Un-Configure Network Access option. Figure 21: Intel AMT Un-configure Network Screen Depending on how the system was previously provisioned, one or both unprovisioning options may appear.
Page 45: Full Return To Factory Defaults
c. After unprovisioning is done, control is passed back to the AMT Configuration screen. Notice that the Setup and Configuration option is available again since the system is set to the default Enterprise mode. 2) Return to previous menu. 3) Exit. a.
Page 46 Appendix A: Frequently Asked Questions Q: How can the MEBx be locally accessed? A: The MEBx can be locally accessed by pressing CTRL-P during POST. Q: Why is the CTRL-P prompt not displayed during POST? A: By default the CTRL-P prompt is hidden during POST, but it can be display if set in F10 Setup.
Page 47 A: HP Client Configuration Manager and ISVs such as Altiris provide Setup and Configuration Servers. Check with your management console supplier to see if they offer this service. Q: Can AMT be set for static address and the OS set for DHCP or vice versa? A: No.
Page 48: Appendix B: Power / Sleep / Global States Explained
Appendix B: Power / Sleep / Global States Explained Under Advanced Configuration and Power Interface (ACPI) specification a PC can be in one of several Power states. These power states are also known as Sleep (Sx) states or Global (Gx) states. is the ON state.
Page 49: Appendix C: Wake-On-Me Explained
Wake-On-ME feature is disabled and the ME will not go to sleep when not being used. © 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.