Secure and automatic provisioning of computer systems having embedded network devices

US 20070297396A1
Filed: 06/22/2006
Published: 12/27/2007
Est. Priority Date: 06/22/2006
Status: Active Grant

First Claim

Patent Images

1. A provisioning mechanism for computer systems comprising:

a computer platform having a controller, a storage media, and a network interface, the storage media having a protected area only accessible to the controller, wherein initially booting-up the computer platform causes the controller to;

automatically connect to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name;

concatenate the domain name with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;

establish a TCP connection to the provisioning server using the FQDN to open a secure session;

validate a server certificate chain received from the provisioning server; and

if the server certificate chain is validated,open a secure and encrypted session and attempt to login to the provisioning server, wherein if corporate security policy grants access to the computer platform, receive provisioning configuration data over a secured and encrypted channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A provisioning method and mechanism for computer systems having embedded network devices. After an initial boot-up of a computer platform, an out-of-band (OOB) controller automatically connects to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name in which the computer platform is running. The domain name is concatenated with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server. The OOB controller then establishes a TCP connection to the provisioning server. A server certificate chain received from the provisioning server is validated. An attempt to login to the provisioning server is made. If corporate security policy dictates granting access to the computer platform, then provisioning configuration data is received over a secure and encrypted channel.

Citations

57 Claims

1. A provisioning mechanism for computer systems comprising:
- a computer platform having a controller, a storage media, and a network interface, the storage media having a protected area only accessible to the controller, wherein initially booting-up the computer platform causes the controller to;
  
  automatically connect to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name;
  
  concatenate the domain name with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;
  
  establish a TCP connection to the provisioning server using the FQDN to open a secure session;
  
  validate a server certificate chain received from the provisioning server; and
  
  if the server certificate chain is validated,open a secure and encrypted session and attempt to login to the provisioning server, wherein if corporate security policy grants access to the computer platform, receive provisioning configuration data over a secured and encrypted channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The provisioning mechanism of claim 1, wherein to automatically connect to a corporate DHCP server to obtain an IP address and a domain name includes to automatically send a request to the DHCP server for the IP address;
    - to sniff for additional information, and to receive a reply from the DHCP server containing the IP address and additional information, including the domain name.
  - 3. The provisioning mechanism of claim 1, wherein a 3^rdParty Root of Trust vendor list is incorporated into the protected area of the storage media prior to the initial boot-up of the computer platform, wherein to validate a server certificate chain comprises to check the server certificate chain'"'"'s root certificate for an internal match with one of the 3^rdParty Root of Trust vendors from the 3^rdParty Root of Trust vendor list incorporated on the storage media and to determine that a leaf certificate of the certificate chain has been issued to the provisioning server.
  - 4. The provisioning mechanism of claim 1, wherein to open a secure session comprises to open a TLS (Transport Layer security) session and wherein to validate a server certificate chain comprises to validate a TLS server certificate chain signed by a 3^rdParty Root of Trust.
  - 5. The provisioning mechanism of claim 1, wherein to open a secure and encrypted session comprises to open an HTTPS (Secure HTTP (HyperText Transport Protocol)) session.
  - 6. The provisioning mechanism of claim 1, further comprising a corporate asset database, wherein an IT technician or end user to register unique information about the computer platform in the corporate asset database prior to the initial boot-up of the computer platform, the unique information comprising a serial number and a platform universally unique identifier (UUID).
  - 7. The provisioning mechanism of claim 6, wherein to attempt to login to the provisioning server comprises to attempt to login to the provisioning server using the UUID of the computer platform as an identification user password pair.
  - 8. The provisioning mechanism of claim 7, wherein the corporate security policy to grant access to the computer platform comprises to grant access to the computer platform when the UUID received at login matches the UUID in the corporate asset database when the computer platform was registered.
  - 9. The provisioning mechanism of claim 1, further comprising an isolated network to perform provisioning of the computer platform, wherein the corporate security policy to grant immediate access to the computer platform to receive the provisioning configuration data over the isolated network.
  - 10. The provisioning mechanism of claim 1, wherein the corporate security policy to grant access to the computer platform comprises to deny immediate access to the provisioning server until login with shared secret information is entered manually.
  - 11. The provisioning mechanism of claim 1, wherein if the server certificate chain was unable to be validated, the controller to disconnect from the provisioning server, wherein the computer platform to be manually provisioned.
  - 12. The provisioning mechanism of claim 1, wherein the storage media comprises a flash memory or any other non-volatile storage media.
  - 13. The provisioning mechanism of claim 1, wherein the controller comprises an out-of-band controller.
  - 14. The provisioning mechanism of claim 1, wherein to validate a server certificate chain received from the provisioning server includes to verify that the certificate chain is issued to the owner of the FQDN.
  - 15. The provisioning mechanism of claim 1, wherein the storage media further comprising a protected area only accessible to the controller.

16. A provisioning method for computer systems having embedded network devices comprising:
- on initial boot-up of a computer platform,connecting, via a controller, to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name in which the computer platform is running;
  
  concatenating the domain name with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;
  
  establishing, via the controller, a TCP connection to the provisioning server;
  
  validating a server certificate chain received from the provisioning server; and
  
  attempting to login to the provisioning server, wherein if corporate security policy dictates granting access to the computer platform, receiving provisioning configuration data over a secure and encrypted channel.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The provisioning method of claim 16, wherein connecting to a corporate DHCP server to obtain an IP address and a domain name comprises:
    - sending a request for an IP address to the DHCP server;
      
      receiving a reply containing the IP address; and
      
      sniffing for additional information; and
      
      receiving additional information, including the domain name.
  - 18. The provisioning method of claim 16, wherein a 3^rdParty Root of Trust vendor list is incorporated into a protected area of a storage media in communication with the controller prior to the initial boot-up of the computer platform, wherein validating a server certificate chain comprises checking the server certificate chain'"'"'s root certificate for an internal match with one of the 3^rdParty Root of Trust vendors from the 3^rdParty Root of Trust vendor list incorporated on the storage media.
  - 19. The provisioning method of claim 18, wherein the storage media comprises a flash memory or any other non-volatile storage device.
  - 20. The provisioning method of claim 16, wherein establishing a connection to the provisioning server further comprises opening a secure session.
  - 21. The provisioning method of claim 20, wherein opening a secure session comprises opening a TLS (Transport Layer Security) session and wherein validating a server certificate comprises validating a TLS server certificate.
  - 22. The provisioning method of claim 16, wherein validating a server certificate comprises validating the certificate chain'"'"'s root certificate against a 3^rdParty Root of Trust vendor list that was incorporated into a system flash of the computer platform prior to the initial boot-up and determining that a leaf certificate of the certificate chain has been issued to the provisioning server.
  - 23. The provisioning method of claim 16, wherein attempting to login to the provisioning server comprises opening an HTTPS (Secure HTTP (HyperText Transport Protocol)) session and trying to login to provisioning server.
  - 24. The provisioning method of claim 16, further comprising registering the computer platform and storing unique information about the computer platform in a corporate asset database, wherein the unique information comprises a serial number and a platform universally unique identifier (UUID).
  - 25. The provisioning method of claim 24, wherein attempting to login to the provisioning server comprises attempting to login to the provisioning server using the UUID of the computer platform as an identification user password pair.
  - 26. The provisioning method of claim 24, wherein corporate security policy dictates granting access to the computer platform if the incoming UUID is validated with a value of the UUID in the corporate asset database.
  - 27. The provisioning method of claim 16, wherein corporate security policy dictates immediately granting access to the computer platform when an isolated network is used for provisioning.
  - 28. The provisioning method of claim 16, wherein corporate security policy granting access to the computer platform comprises denying immediate access to the provisioning server until login with shared secret information is entered manually.
  - 29. The provisioning method of claim 16, wherein if the provisioning server is unable to be validated, disconnecting from the provisioning server and manually performing provisioning of the computer platform.
  - 30. The provisioning method of claim 16, wherein the controller comprises an out-of-band controller.

31. A method for provisioning a computer system having an embedded network device comprising:
- after a TCP connection has been established with an out-of-band controller of a computer platform for provisioning, sending a server certificate chain to be validated;
  
  if the server certificate chain is validated, receiving a login request over a secure and encrypted channel from the OOB controller;
  
  determining whether to grant access to the OOB controller based on corporate security based policy; and
  
  if access is granted, automatically sending provisioning data to the OOB controller over the secure and encrypted channel.
- View Dependent Claims (32, 33, 34, 35, 36)
- - 32. The method of claim 31, wherein corporate security based policy dictates that access be immediately granted to the OOB controller when an isolated network is used for provisioning.
  - 33. The method of claim 31, wherein corporate security based policy dictates that access be granted to the OOB controller when a UUID (universally unique identifier), received from the OOB controller during the login, is validated against a value for the UUID placed in a corporate asset database during registration of the computer platform.
  - 34. The method of claim 31, wherein corporate security policy granting access to the computer platform comprises denying immediate access to the provisioning server until login with shared secret information is entered manually.
  - 35. The method of claim 31, wherein sending a server certificate chain to be validated comprises sending a TLS (Transport Layer Security) server certificate during a TLS session.
  - 36. The method of claim 31, wherein a secure and encrypted session comprises an HTTPS (Secure HTTP (HyperText Transport Protocol)) session, and a secure and encrypted channel comprises an HTTPS channel.

37. An article comprising:
- a storage medium having a plurality of machine accessible instructions, wherein when the instructions are executed by a processor, the instructions provide for on initial boot-up of a computer platform,connecting, via a controller, to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name in which the computer platform is running;
  
  concatenating the domain name with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;
  
  establishing, via the controller, a TCP connection to the provisioning server;
  
  validating a server certificate chain received from the provisioning server; and
  
  attempting to login to the provisioning server, wherein if corporate security policy dictates granting access to the computer platform, receiving provisioning configuration data over a secure and encrypted channel.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 38. The article of claim 37, wherein instructions for connecting to a corporate DHCP server to obtain an IP address and a domain name comprises instructions for:
    - sending a request for an IP address to the DHCP server;
      
      receiving a reply containing the IP address; and
      
      sniffing for additional information; and
      
      receiving additional information, including the domain name.
  - 39. The article of claim 37, wherein a 3^rdParty Root of Trust vendor list is incorporated into a protected area of a storage media in communication with the controller prior to the initial boot-up of the computer platform, wherein validating a server certificate chain comprises instructions for checking the server certificate chain'"'"'s root certificate for an internal match with one of the 3^rdParty Root of Trust vendors from the 3^rdParty Root of Trust vendor list incorporated on the storage media.
  - 40. The article of claim 39, wherein the storage media comprises a flash memory or any other non-volatile memory device.
  - 41. The article of claim 37, wherein instructions for establishing a connection to the provisioning server further comprises instructions for opening a secure session.
  - 42. The article of claim 41, wherein instructions for opening a secure session comprises instructions for opening a TLS (Transport Layer Security) session and wherein instructions for validating a server certificate comprises instructions for validating a TLS server certificate.
  - 43. The article of claim 37, wherein instructions for validating a server certificate comprises instructions for validating the certificate chain'"'"'s root certificate against a 3^rdParty Root of Trust vendor list that was incorporated into a system flash of the computer platform prior to the initial boot-up and determining that a leaf certificate of the certificate chain has been issued to the provisioning server.
  - 44. The article of claim 37, wherein instructions for attempting to login to the provisioning server comprises instructions for opening an HTTPS (Secure HTTP (HyperText Transport Protocol)) session and trying to login to provisioning server.
  - 45. The article of claim 37, further comprising instructions for registering the computer platform and storing unique information about the computer platform in a corporate asset database, wherein the unique information comprises a serial number and a platform universally unique identifier (UUID).
  - 46. The article of claim 45, wherein instructions for attempting to login to the provisioning server comprises instructions for attempting to login to the provisioning server using the UUID of the computer platform as an identification user password pair.
  - 47. The article of claim 45, wherein corporate security policy dictates granting access to the computer platform if the incoming UUID is validated with a value of the UUID in the corporate asset database.
  - 48. The article of claim 37, wherein corporate security policy dictates immediately granting access to the computer platform when an isolated network is used for provisioning.
  - 49. The article of claim 37, wherein corporate security policy granting access to the computer platform comprises instructions for denying immediate access to the provisioning server until login with shared secret information is entered manually.
  - 50. The article of claim 37, wherein if the provisioning server is unable to be validated, further comprising instructions for disconnecting from the provisioning server and manually performing provisioning of the computer platform.
  - 51. The article of claim 37, wherein the controller comprises an out-of-band controller.

52. An article comprising:
- a storage medium having a plurality of machine accessible instructions, wherein when the instructions are executed by a processor, the instructions provide for after a TCP connection has been established with an out-of-band controller of a computer platform for provisioning, sending a server certificate chain to be validated;
  
  if the server certificate chain is validated, receiving a login request over a secure and encrypted channel from the OOB controller;
  
  determining whether to grant access to the OOB controller based on corporate security based policy; and
  
  if access is granted, automatically sending provisioning data to the OOB controller over the secure and encrypted channel.
- View Dependent Claims (53, 54, 55, 56, 57)
- - 53. The article of claim 52, wherein corporate security based policy dictates that access be immediately granted to the OOB controller when an isolated network is used for provisioning.
  - 54. The article of claim 52, wherein corporate security based policy dictates that access be granted to the OOB controller when a UUID (universally unique identifier), received from the OOB controller during the login, is validated against a value for the UUID placed in a corporate asset database during registration of the computer platform.
  - 55. The article of claim 52, wherein corporate security policy granting access to the computer platform comprises instructions for denying immediate access to the provisioning server until login with shared secret information is entered manually.
  - 56. The article of claim 52, wherein instructions for sending a server certificate chain to be validated comprises instructions for sending a TLS (Transport Layer Security) server certificate during a TLS session.
  - 57. The article of claim 52, wherein a secure and encrypted session comprises an HTTPS (Secure HTTP (HyperText Transport Protocol)) session, and a secure and encrypted channel comprises an HTTPS channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Eldar, Avigdor, Valenci, Moshe

Granted Patent

US 7,831,997 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/356
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/168 above the transport layer

Secure and automatic provisioning of computer systems having embedded network devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

Secure and automatic provisioning of computer systems having embedded network devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links