enterprise-assistant's Introduction

Open AMT Cloud Toolkit

Disclaimer: Production-viable releases are tagged and listed under 'Releases'. All other check-ins should be considered 'in-development' and should not be used in production.

Open Active Management Technology Cloud Toolkit (Open AMT Cloud Toolkit) offers open-source microservices and libraries to streamline Intel AMT integration, simplifying out-of-band management solutions for Intel vPro Platforms.


For detailed documentation about the Open AMT Cloud Toolkit, see the docs.


Clone

Important! Make sure you clone this repo with the --recursive flag since it uses git submodules.

To clone live, in-development code (main branch):

git clone --recursive https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit.git

Alternatively, for steps to clone and Get Started with one of the tagged releases, see our documentation.


Get Started

There are multiple options to quickly deploy the Open AMT Cloud Toolkit:


Local using Docker

The quickest and easiest option is to set up a local stack using Docker*. View our Documentation Site and click the Getting Started tab for How-To steps and examples.


Cloud using Azure

For more experienced users, deploy the stack on Azure using the 'Deploy to Azure' button below. Note: This requires MPS, RPS, and Sample Web UI images to be built and accessible in a Container Image Registry such as Azure Container Registry (ACR), Docker Hub, or other options.

Deploy to Azure

Optionally, deploy from the Azure CLI using the following commands:

az group create --name openamt --location eastus
az deployment group create --resource-group openamt --template-file azureDeploy.json

Additional deployments, such as Kubernetes via Azure (AKS) or AWS (EKS), can be found in our Documentation Site.


Additional Resources

  • For detailed documentation and Getting Started, visit the docs site.

  • Find a bug? Or have ideas for new features? Open a new Issue.

  • Need additional support or want to get the latest news and events about Open AMT? Connect with the team directly through Discord.

enterprise-assistant's People

Contributors

bwendlandt-intel, ernestojeda, graikhel-intel, madhavilosetty-intel, matt-primrose, rsdmike, ylianst

enterprise-assistant's Issues

Using EA to request a certificate from CA on behalf of AMT for TLS mode is successful, but the logging is confusing.

Describe the bug

Running RPC local and leveraging EA to request a TLS certificate works, but when EA logs the transaction, it says "802.1x eap-tls request". This can be very confusing to customers.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'EA' to set up the details for TLS mode configuration
  2. From the vPro system, run command. This is an example of Minh's command = rpc2.29.exe configure tls -mode Server -password P@ssw0rd -eaAddress "http://10.0.0.61:8000/" -eaUsername admin -eaPassword P@ssw0rd -v
  3. Go to EA > Console and view logging
  4. There is a line that says "802.1x eap-ls request". See screenshot attached.

Expected behavior
Recommend changing this log to say something generic like "Certificate Request."

Screenshots
image

AMT Device (please complete the following information):

  • OS: [e.g. Linux Kernel & Version]
  • AMT Version: [e.g. 11.8.5, 12.0.45]
  • AMT Configuration Mode: [e.g. Admin Control Mode or Client Control Mode]
  • Network Configuration [e.g. Dynamic IP or Static IP]

Service Deployment (please complete the following information):

  • Deployment Type: RPC local provisioning
  • Component & Version: EA version 2.29

Update EA to support REST endpoint that has JWT based authentication

As an enterprise customer utilizing RPC-Go -local configuration flows, I would like to have RPC-Go support TLS configuration during a local configuration so that I can configure secure communications with AMT from my local network console.

Acceptance Criteria

  • Implement a configuration option to have EA host a REST API end point instead of WebSocket connection to RPS (Not needed in the UI)
  • Implement login/JWT flow for RPC-Go to authenticate with EA
  • EA processes CSRs from RPC-Go and returns signed certificates

SPIKE: Investigate security for EA <-> RPC-Go authentication

Need to know if managed devices are Windows only or Windows/Linux. This is with respect to configuring TLS certificates signed by a CA.

  • Windows
  • Linux

For Linux, we can leverage the self-signed cert flow.

EA can currently be deployed on Windows only and supports Microsoft CA only.

  • WebSocket API or HTTP API for EA?
    Should EA have a WebSocket API or HTTP API? Does RPS make just 1 call to EA to get a TLS certificate then HTTP API makes sense?

    1. Decided to implement a REST API in the Enterprise Application (EA) to facilitate communication with RPC-GO in an enterprise environment.
    2. Chose REST API over other protocols because there is no continuous data stream expected.
    3. Previously developed a WebSocket for cloud-based deployment, enabling easier access to the RPS with firewalls within the enterprise.
    4. Maintained an established connection so that RPS can communicate with EA as needed.

  • Verify the CSR handling flow for TLS and IEEE 802.1x.
    Will only 1 API be enough for handling both flows?
    An endpoint "/Configure" will be created at EA.

  • TLS Session between EA and RPC-Go

  • Authentication Mechanism for RPC-Go with EA
    Should we use an API Key, JWT Token, or another method for authentication?
    Determine the preferred authentication mechanism and discuss how to pass this information in RPC-GO for secure authentication.
    A few points were discussed regarding Authentication:

    1. There's a need to establish a dedicated authentication server to verify all endpoints across the entire toolkit.
    2. For the time being, we plan to introduce an additional endpoint named 'authentication' within the Enterprise Application (EA) to handle this task.

  • Document findings and review with team
    Discussed with Mike and Ganesh. Updated the meeting notes.

Enterprise assistant handles CSRs sent by RPC-go during -local TLS configuration and IEEE 802.1x configuration

As an enterprise customer utilizing RPC-Go -local configuration flows, I would like to have RPC-Go fetch the TLS and 802.1x certificates from Enterprise Assistant during a local configuration. I desire the Enterprise Assistant to respond to CSR requests from RPC-Go during AMT Configuration.

Acceptance Criteria:

EA Tasks:

  • Enterprise Assistant can be configured to handle requests from RPS or RPC-GO
  • Enterprise Assistant must facilitate servicing RPC-Go CSRs for both TLS and IEEE 802.1x requests
  • Enterprise Assistant should validate the API Key or Token passed by RPC-GO
  • Enterprise Assistant should only accept TLS session from RPC-GO

RPC-GO Tasks:

  • RPC-Go must be configured to send CSRs to EA when performing TLS AMT configuration
  • When performing AMT TLS configuration locally, RPC-GO should successfully obtain certificates from EA without requiring manual intervention (dependent on what is decided for EA)
  • Based on the findings from spike, give option to pass token or API Key via config.yaml and a flag

Validation Tasks:

  • Sensitive certificate and password information should not be exposed during the AMT Configuration process
  • Verification tests must validate that the certificate retrieval process is functioning securely and as intended
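
The login/JWT flow and the "validate the API Key or Token passed by RPC-GO" criterion above, sketched in Go as an added example that is not code from Enterprise Assistant or RPC-Go. HS256, the `sub`/`exp` claim names, the function names and the key are assumptions for illustration; the verifier re-mints the token from the presented claims so that a swapped `alg` header, an edited claim or a missing expiry is rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
var hdr = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) // only header issued or accepted

// mint builds header.claims.mac with HMAC-SHA256 over "header.claims".
func mint(key, claims []byte) string {
	msg := hdr + "." + b64.EncodeToString(claims)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(m.Sum(nil))
}

// issueToken is what a login endpoint would return after checking credentials (hypothetical name).
func issueToken(key []byte, sub string, exp time.Time) string {
	c, _ := json.Marshal(map[string]any{"sub": sub, "exp": exp.Unix()})
	return mint(key, c)
}

// verifyToken re-mints from the presented claims, compares the whole token in constant time, then checks expiry.
func verifyToken(key []byte, tok string, now time.Time) error {
	_, rest, _ := strings.Cut(tok, ".")
	claims, _, _ := strings.Cut(rest, ".")
	raw, err := b64.DecodeString(claims)
	if err != nil || !hmac.Equal([]byte(tok), []byte(mint(key, raw))) {
		return errors.New("bad header, claims or signature")
	}
	var c struct{ Exp int64 `json:"exp"` }
	if json.Unmarshal(raw, &c) != nil || now.Unix() >= c.Exp {
		return errors.New("expired or missing exp claim")
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed value; a real key comes from a secret store
	fmt.Println(verifyToken(key, issueToken(key, "rpc-go", time.Now().Add(time.Minute)), time.Now()))
}
```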
