Secure and automatic provisioning of computer systems having embedded network devices
First Claim
1. A provisioning mechanism for computer systems comprising:
- a computer platform having an in-band platform processor and an out-of-band (OOB) controller, a storage media, and a network interface, the storage media having a protected area only accessible to the controller, wherein initially booting up the computer platform causes the controller to:
automatically connect to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name;
concatenate the domain name with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;
establish a TCP connection to the provisioning server using the FQDN to open a secure session;
validate a server certificate chain received from the provisioning server; and
if the server certificate chain is validated, open a secure and encrypted session and attempt to login to the provisioning server, wherein if corporate security policy grants access to the computer platform, receive provisioning configuration data over a secured and encrypted channel, wherein the OOB controller is able to communicate when the in-band platform processor is not active.
Abstract
A provisioning method and mechanism for computer systems having embedded network devices. After an initial boot-up of a computer platform, an out-of-band (OOB) controller automatically connects to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name in which the computer platform is running. The domain name is concatenated with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server. The OOB controller then establishes a TCP connection to the provisioning server. A server certificate chain received from the provisioning server is validated. An attempt to login to the provisioning server is made. If corporate security policy dictates granting access to the computer platform, then provisioning configuration data is received over a secure and encrypted channel.
54 Claims
1. (Independent claim; text as given above under First Claim.)
Dependent claims: 2 to 14.
15. A provisioning method for computer systems having embedded networked devices comprising:
on initial boot-up of a computer platform, connecting, via an out-of-band controller that is in the platform and distinct from an in-band platform processor, to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name in which the computer platform is running;
concatenating the domain name with a predefined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;
establishing, via the controller, a TCP connection to the provisioning server;
validating a server certificate chain received from the provisioning server; and
attempting to login to the provisioning server, wherein if corporate security policy dictates granting access to the computer platform, receiving provisioning configuration data over a secure and encrypted channel, wherein the OOB controller is able to communicate when the in-band platform processor is not active.
Dependent claims: 16 to 28.
29. A method for provisioning a computer system having embedded networked devices comprising:
after a TCP connection has been established with an out-of-band (OOB) controller of a computer platform for provisioning, sending a server certificate chain to be validated;
if the server certificate chain is validated, receiving a login request over a secure and encrypted channel from the OOB controller;
determining whether to grant access to the OOB controller based on corporate security-based policy; and
if access is granted, automatically sending provisioning data to the OOB controller over the secure and encrypted channel, wherein the OOB controller is able to communicate when an in-band platform processor in the computer platform is inactive.
Dependent claims: 30 to 34.
35. An article comprising:
- a storage device having a plurality of machine accessible instructions, wherein when the instructions are executed by a processor, the instructions provide for, on initial boot-up of a computer platform:
connecting, via an out-of-band controller, distinct from an in-band platform processor in the computer platform, to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name in which the computer platform is running;
concatenating the domain name with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;
establishing, via the OOB controller, a TCP connection to the provisioning server;
validating a server certificate chain received from the provisioning server; and
attempting to login to the provisioning server, wherein if corporate security policy dictates granting access to the computer platform, receiving provisioning configuration data over a secure and encrypted channel, wherein the OOB controller is able to communicate when the in-band platform processor is inactive.
Dependent claims: 36 to 48.
49. An article comprising:
- a storage device having a plurality of machine accessible instructions, wherein when the instructions are executed by a processor, the instructions provide for, after a TCP connection has been established with an out-of-band (OOB) controller of the computer platform for provisioning:
sending a server certificate chain to be validated;
if the server certificate chain is validated, receiving a login request over a secure and encrypted channel from the OOB controller;
determining whether to grant access to the OOB controller based on corporate security-based policy; and
if access is granted, automatically sending provisioning data to the OOB controller over the secure and encrypted channel, wherein the processor is able to communicate with the OOB controller when an in-band platform processor on the computer platform is inactive.
Dependent claims: 50 to 54.
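The exchange the claims describe, carried through in working code as an added example; it is not code from the patent, from any product implementing it, or from the applicant. It covers the controller side of claims 1 and 15 (DHCP-derived FQDN, certificate-chain validation, login, receipt of configuration) and the server side of claims 29 and 49 (present the chain, accept a login, apply policy, send the data). Everything concrete is assumed: the pre-defined host name `provisionserver`, the platform identifier and secret, the policy table, the configuration string, and an in-process corporate CA standing in for the CA certificate held in the controller's protected area. The DHCP step is represented by passing the domain-name option in directly, and the network is a loopback TLS listener.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"regexp"
	"strings"
	"time"
)

// Constructed sample data (assumed, not from the patent): the host name pre-defined in the
// controller's protected storage, the platforms corporate policy grants access to with their
// login secrets, and the configuration the provisioning server hands out.
const provisioningHost = "provisionserver"
const provisioningConfig = "mgmt_server=mgmt.corp.example;poll_interval=3600"

var grantedPlatforms = map[string]string{"platform-0001": "s3cret"}
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// ProvisioningFQDN joins the pre-defined host name to the DHCP-supplied domain (option 15).
// DHCP is unauthenticated, so the domain is untrusted input: it is normalised and checked as
// a DNS name here, and only the certificate check in Provision decides whether the host
// reached is really the corporate server.
func ProvisioningFQDN(dhcpDomain string) (string, error) {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(dhcpDomain), "."))
	for _, l := range strings.Split(d, ".") {
		if !dnsLabel.MatchString(l) {
			return "", fmt.Errorf("invalid DNS label %q in dhcp domain %q", l, dhcpDomain)
		}
	}
	return provisioningHost + "." + d, nil
}

// newCert issues an ECDSA P-256 certificate: a self-signed CA when parent is nil, otherwise
// a server certificate for name (placed in the SAN, which TLS clients match) signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signKey := key
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage, signKey = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// serveOnce is the provisioning server side (claims 29 and 49): after the handshake has
// presented its chain, read one login, apply the policy table, and send the data or refuse.
func serveOnce(ln net.Listener) {
	conn, err := ln.Accept()
	if err != nil {
		return
	}
	defer conn.Close()
	line, _ := bufio.NewReader(conn).ReadString('\n') // the first read completes the TLS handshake
	if f := strings.Fields(line); len(f) == 3 && f[0] == "LOGIN" &&
		subtle.ConstantTimeCompare([]byte(grantedPlatforms[f[1]]), []byte(f[2])) == 1 {
		fmt.Fprintf(conn, "GRANTED %s\n", provisioningConfig)
		return
	}
	fmt.Fprint(conn, "DENIED\n")
}

// Provision is the OOB controller side (claims 1 and 15): connect to the derived FQDN, verify
// the server chain against the corporate CA kept in protected storage (RootCAs) and the name
// (ServerName), and only then log in and receive the configuration.
func Provision(addr, fqdn string, corpRoots *x509.CertPool, platformID, secret string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: corpRoots, ServerName: fqdn, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err // chain or name did not verify: no credentials are ever sent
	}
	defer conn.Close()
	fmt.Fprintf(conn, "LOGIN %s %s\n", platformID, secret)
	resp, _ := bufio.NewReader(conn).ReadString('\n')
	if resp = strings.TrimSpace(resp); !strings.HasPrefix(resp, "GRANTED ") {
		return "", fmt.Errorf("provisioning refused: %q", resp)
	}
	return strings.TrimPrefix(resp, "GRANTED "), nil
}

// Run stands up an in-process provisioning server and drives the controller against it.
// rogue=true has the server certificate signed by a CA the controller does not trust, which is
// what a rogue DHCP server steering the FQDN to an attacker's host would look like.
func Run(dhcpDomain, platformID, secret string, rogue bool) (string, error) {
	fqdn, err := ProvisioningFQDN(dhcpDomain)
	if err != nil {
		return "", err
	}
	corpCA, corpKey := newCert("Corp Provisioning CA", nil, nil)
	issuer, issuerKey := corpCA, corpKey
	if rogue {
		issuer, issuerKey = newCert("Rogue CA", nil, nil)
	}
	srvCert, srvKey := newCert(fqdn, issuer, issuerKey)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go serveOnce(ln)
	corpRoots := x509.NewCertPool() // the protected area trusts the corporate CA and nothing else
	corpRoots.AddCert(corpCA)
	return Provision(ln.Addr().String(), fqdn, corpRoots, platformID, secret)
}

func main() {
	cfg, err := Run("corp.example", "platform-0001", "s3cret", false)
	fmt.Println("corporate server:", cfg, err)
	_, err = Run("corp.example", "platform-0001", "s3cret", true)
	fmt.Println("rogue server:", err)
}
```

The point to take from the example is the trust boundary: the DHCP reply decides where the controller connects, and anyone who can answer DHCP on the segment can point the FQDN at a host of their choosing, so the certificate chain check against the CA in the protected area is the only step that authenticates the server. Ordering matters for the same reason: the login (and the secret it carries) is sent only after `tls.Dial` has verified both the chain and the host name, so a server reached through a rogue DHCP answer learns nothing. On the server side the credential compare is constant-time and the policy table, rather than the client, decides who receives configuration.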
Specification