
03/06/2019

How to remotely access Intel AMT KVM from Linux desktop



I have enabled Intel AMT/ME on a Xeon server-grade CPU hosted in a remote data center for OOB purposes. I do not want to use Windows 10 Pro edition. Is it possible to access an Intel AMT/ME KVM session from Linux? How do I remotely access Intel AMT KVM from a Linux desktop and do out-of-band management of my server?

Introduction: You can remotely control an Intel vPro based CPU that includes AMT using Linux. Intel Active Management Technology (AMT) is a combination of hardware, software and firmware technology for remote out-of-band management of servers, desktops, and laptop computers. AMT is built into modern CPUs such as i7, i5 and Xeon (look for vPro) and is based on Intel ME. This page shows how to remotely access Intel AMT KVM from a Linux desktop when you have a vPro enabled system from Intel. DASH is an acronym for Desktop and Mobile Architecture for System Hardware. It is a set of DMTF specifications for standardizing the management and security of desktop and mobile client systems independent of the machine state, operating system, and hardware vendor. DASH takes full advantage of WS-Management. As DASH has evolved, Intel AMT has moved towards increasing support for DASH standards. Intel AMT Release 5.1 and later releases comply with DASH 1.0.

How to install wsmancli/wsman on Linux to access KVM

Starting with Intel AMT version 3.2, all Intel AMT features are supported with WS-Management (Web Services Management protocol). The DASH specification is supported by both Intel vPro and AMD Pro CPUs. Openwsman is an open source implementation of WS-Management. To interact with a wsman server, install the wsmancli client as follows.

Debian/Ubuntu Linux install wsmancli

Use the following apt command/apt-get command to install wsmancli:
$ sudo apt install wsmancli

RHEL/CentOS Linux install wsmancli

Type the following yum command to install wsmancli:
$ sudo yum install wsmancli

Fedora Linux install wsmancli

Enter the following dnf command to install wsmancli:
$ sudo dnf install wsmancli

How to configure Intel AMT/MEBx for remote access

As pointed out earlier, only vPro CPUs such as i7, i5 and Xeon support Intel AMT. Intel does not support AMT on all processors but does include Intel ME in every CPU made since 2008. Boot your system and visit the BIOS settings. For demo purposes I am going to use a ThinkPad x230 laptop with Intel vPro. To enable hardware KVM and Intel AMT, find the option that reads as follows in your BIOS and enable it:

You must save the settings in the BIOS and restart the computer. Press CTRL+p to configure the Intel Management Engine and AMT hardware KVM by logging in to MEBx:

You must log in to MEBx. If AMT has never been set up on your server or desktop, use admin as the password:

Setting up an IP address

  1. Enter “AMT Configuration”
  2. Set “Manageability Feature Selection” to Enabled
  3. Press Enter to select “Network Setup” and choose TCP/IP Settings


Finally, choose Wired LAN IPv4 Configuration. Set “DHCP Mode” to “Disabled” and set all IPv4 settings as per your network:

You are all set. Press the “ESC” key to get back to the main menu. Enter “MEBx Exit” and wait until the system reboots. I suggest that you unplug your system for 1 minute and then plug it back in.

How to access Intel AMT web interface

Once your system is turned on, go back to your Linux desktop. Open a web browser and type the following URL:
http://192.168.2.88:16992
Type the username “admin” and the password set previously:

Remotely access Intel AMT KVM from Linux desktop

Create a Linux shell script as follows:

#!/bin/bash
# Name: kvm.sh
# Purpose: Control remote server/laptop/desktop using KVM and VNC client
# Author: nixCraft {https://sxi.io/} under GPL v3.x
# ----------------------------------------------------------------------
xIP='192.168.2.88'
xPASSWORD='PasssordHere'
xVNC_PWD='In9t8el@' # random but must be 8 characters long
xVNC_PORT='5900'
# Set the VNC (RFB) password used for the KVM session
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h "$xIP" -P 16992 -u admin -p "$xPASSWORD" -k RFBPassword="$xVNC_PWD"
# Enable the standard VNC port 5900
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h "$xIP" -P 16992 -u admin -p "$xPASSWORD" -k Is5900PortEnabled=true
# Do not require user consent (opt-in) for KVM sessions
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h "$xIP" -P 16992 -u admin -p "$xPASSWORD" -k OptInPolicy=false
# Disable the session timeout
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h "$xIP" -P 16992 -u admin -p "$xPASSWORD" -k SessionTimeout=0
# Enable the KVM redirection service (RequestedState=2 means Enabled)
wsman invoke -a RequestStateChange http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_KVMRedirectionSAP -h "$xIP" -P 16992 -u admin -p "$xPASSWORD" -k RequestedState=2
echo "Open Linux vnc client. Use \"$xIP:$xVNC_PORT\" as host and when prompted enter \"$xVNC_PWD\" as password"


Run the script:
chmod +x kvm.sh
./kvm.sh
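
The values kvm.sh writes can be read back and checked. The following is an added example, not part of the original script: it reads the XML returned for IPS_KVMRedirectionSettingData on standard input and reports the settings that loosen KVM access. Both sample responses, including the "g:" namespace prefix, are constructed for illustration.

```bash
#!/bin/bash
# Added example: flag the KVM redirection values that kvm.sh sets.
# Input: XML for IPS_KVMRedirectionSettingData on standard input.

# Print the text of element NAME ($2) found in XML ($1), ignoring any prefix.
kvm_field() {
  printf '%s\n' "$1" |
    sed -n "s/.*<\([A-Za-z0-9_]*:\)\{0,1\}$2>\([^<]*\)<.*/\2/p" | head -n 1
}

# Print one RISK line per weak setting; print nothing for a tight config.
audit_kvm() (
  xml=$(cat)
  if [ "$(kvm_field "$xml" Is5900PortEnabled)" = "true" ]; then
    echo "RISK: Is5900PortEnabled=true (VNC listener guarded only by the 8-character RFBPassword)"
  fi
  if [ "$(kvm_field "$xml" OptInPolicy)" = "false" ]; then
    echo "RISK: OptInPolicy=false (no user consent required for KVM sessions)"
  fi
  if [ "$(kvm_field "$xml" SessionTimeout)" = "0" ]; then
    echo "RISK: SessionTimeout=0 (session timeout disabled)"
  fi
  return 0
)

# Constructed sample: the state left behind by kvm.sh ("g:" prefix is assumed).
SAMPLE_OPEN='<g:IPS_KVMRedirectionSettingData>
  <g:Is5900PortEnabled>true</g:Is5900PortEnabled>
  <g:OptInPolicy>false</g:OptInPolicy>
  <g:SessionTimeout>0</g:SessionTimeout>
</g:IPS_KVMRedirectionSettingData>'

# Constructed sample: port 5900 closed, consent required, timeout of 3.
SAMPLE_TIGHT='<g:IPS_KVMRedirectionSettingData>
  <g:Is5900PortEnabled>false</g:Is5900PortEnabled>
  <g:OptInPolicy>true</g:OptInPolicy>
  <g:SessionTimeout>3</g:SessionTimeout>
</g:IPS_KVMRedirectionSettingData>'

printf '%s\n' "$SAMPLE_OPEN"  | audit_kvm   # three RISK lines
printf '%s\n' "$SAMPLE_TIGHT" | audit_kvm   # no output
```

On a live system, pipe the output of `wsman get` for the same resource URI, with the same -h, -P, -u and -p options the script uses, into audit_kvm.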

For remote KVM use any standard Linux VNC client

So far we have verified that the web UI works and run the Linux shell script. It is time to access the KVM console. Intel AMT KVM allows you to access the desktop remotely, install the operating system, change BIOS settings, turn the system on/off and much more. Open a Linux VNC client:

Type the password as set in $xVNC_PWD and you should be able to log in to the remote desktop using Intel AMT. You can reboot the device, access the BIOS, unlock the disk, turn off the PC, turn it on from the web interface, fix the OS disk or networking, install a new OS and so on.

Here is a quick demo that shows how to remotely access Intel AMT KVM from a Linux desktop, along with BIOS access, power on/off and other things one can do with it:

Conclusion

I just used Intel AMT with vPro to remotely manage my laptop or server. Intel AMT enables a sysadmin to manage remote servers, desktops and laptops regardless of the operating system installed. Intel AMT can be disabled or unprovisioned by the sysadmin to reduce security risk. Intel ME cannot be disabled on any Intel CPUs since 2008. Some vendors such as System76 and Dell allow disabling Intel ME. Next time I will talk about MeshCommander, a web based tool for remote management of your Intel AMT computers.

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.
