Describe the bug 🪲
If secretProviderError doesn't match either of the if conditions then vault state will report "OK" even if it isn't.
try {
const secretManagerHealth = await req.secretsManager.health()
status.secretStore.status = secretManagerHealth
} catch (secretProviderError) {
if (secretProviderError.error) {
status.secretStore.status = secretProviderError.error.code
} else if (secretProviderError.response?.statusCode) {
status.secretStore.status = VAULT_RESPONSE_CODES(secretProviderError.response.statusCode)
}
}

AB#7128

We registered the AMT device with MPS using the RPC. We don't see the AMT device name in the MPS dashboard; rather we see the UUID as the name as well as the uuid for the device. To identify a device , it is difficult to do that with the uuid if say 100 devices are registered.

Describe the bug 🪲
We need a way to configure AMT with 802.1X certificate credentials to access our network

Expected behavior
RPS is able to set the 802.1X certificate credentials into AMT to enable AMT to access a 802.1X protected network

Service Deployment (please complete the following information): ⛈️

Deployment Type: Enterprise
Component & Version: RPS
Additional context
N/A

Describe the bug 🪲
Applying an AMT profile that doesn't include a wifi over the top of an AMT devices that has a wifi profile throws error.

Looks like RPS currently doesn't support removing wifi profiles from AMT.

To Reproduce 🪜
Steps to reproduce the behavior:

1. create two amt profiles, one with a wifi configuration and one without
2. activate amt using profile with wifi
3. run activate again on AMT device but use AMT profile without wifi configuration
4. see error message in RPS log stating AccessDenied

Expected behavior
Expect that RPS can handle applying AMT profile without wifi configuration

Screenshots 🖼️
If applicable, add screenshots to help explain your problem.

AMT Device (please complete the following information): 🖥️

• OS: agnostic (tested on ubuntu 20.04
• AMT Version: 15.0.23
• AMT Configuration Mode: Admin Control Mode
• Network Configuration DHCP

Service Deployment (please complete the following information): ⛈️

• Deployment Type: local Docker
• Node Version: 16
• Component & Version: RPS: Main 3/17/2022 prior to 2.2 release

Additional context
Add any other context about the problem here.

AB#6525

AMT device tags are not refreshing after re-activating with new amt profile with different tags. Below are repro steps:

1. Create amt profile1 with 'tag1' on rps.
2. Create amt profile2 with 'tag2' on rps.
3. Activate amt device with profile1.
4. Ensure 'tag1' shows up for activated amt device on sample web-ui.
5. De-activate amt device using mebx BIOS (not through rpc deactivate command).
6. Re-activate amt device with profile2.

Expected behavior: after re-activation, 'tag2' shows up for activated amt device on sample web-ui.
Actual behavior: after re-activation, still 'tag1' shows up for activated amt device on sample web-ui instead of 'tag2'.

Describe the bug 🪲
A clear and concise description of what the bug is.

To Reproduce 🪜
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots 🖼️
If applicable, add screenshots to help explain your problem.

AMT Device (please complete the following information): 🖥️

• OS: [e.g. Linux Kernel & Version]
• AMT Version: [e.g. 11.8.5, 12.0.45]
• AMT Configuration Mode: [e.g. Admin Control Mode or Client Control Mode]
• Network Configuration [e.g. Dynamic IP or Static IP]

Service Deployment (please complete the following information): ⛈️

• Deployment Type: [e.g. Azure, Docker, K8s]
• Node Version: [e.g. LTS 14]
• Component & Version: [e.g. RPS 2.0.0]

Additional context
Add any other context about the problem here.

Describe the bug 🪲
test issue to check project workflows

this is only a test

This parameter it is always going to match the MPS root certificate, this can be read by the backend instead of the client having to read it first before sending it.

AB#4235

Describe the bug 🪲
MEBX password in the vault shows NULL after reconfiguring device using updated AMT and MEBX password in ACM profile

To Reproduce 🪜
Steps to reproduce the behavior:

1. Deploy a local docker instance of toolkit using v2.5 release
2. Create ACM profile
3. Activate AMT using this profile
4. Update AMT and MEBX password in the ACM profile
5. Re-run rpc using the updated profile

Expected behavior
MEBX password in Vault should be updated correctly

AMT Device (please complete the following information): 🖥️

• OS: Win 10
• AMT Version: 12.x
• AMT Configuration Mode: Admin Control Mode
• Network Configuration DHCP

Service Deployment (please complete the following information): ⛈️

• Deployment Type: Docker
• Component & Version: v2.5 Release

Additional context
Add any other context about the problem here.

Describe the bug 🪲
To support enterprise deployments with device management over the local network, we need to have the TLS certificate signed by a Microsoft CA and then configured into AMT.

Expected behavior
During TLS configuration, RPS gets the TLS certificate signed by a Microsoft CA and then injects the signed certificate into AMT to enable TLS enabled communication between a management console and AMT

Service Deployment (please complete the following information): ⛈️

• Deployment Type: Enterprise Network
• Component & Version: RPS

Additional context
N/A

With wi-fi configuration, after powering off amt device, it disconnects from mps and does not connect back until manual power-on the system.

POST requests should return 201 status code for CREATED

I want to have a REST API that allows me to pull application specific information from RPS (Application Version and Protocol Version) so that I can check version compatibility between RPS and RPC.

Describe the bug 🪲
By default LMS on Windows will synchronize basic Wireless profiles with AMT if Wireless Local User Profile Synchronization is Enabled. It is Disabled in AMT by default.

To Reproduce 🪜
Steps to reproduce the behavior:
n/a

Expected behavior
Request option in Profiles to set this to enabled and if enabled to enable in in AMT.

Screenshots 🖼️
[If applicable, add screenshots to help explain your problem.]

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsetgetwirelesslocaluserprofilesynchronizationsettings.htm

AMT Device (please complete the following information): 🖥️

• OS: Windows
• AMT Version: 11.2 and higher
• AMT Configuration Mode: Admin Control Mode AND Client Control Mode]
• Network Configuration [e.g. Dynamic IP AND Static IP]

Service Deployment (please complete the following information): ⛈️

• Deployment Type: [e.g. Azure, Docker, K8s]
• Node Version: [e.g. LTS 14]
• Component & Version: [e.g. RPS 2.0.0]

Additional context
Add any other context about the problem here.

AB#14434

Current RPS database backend is hardcoded to PostgreSQL. As deployments environment varies, connecting to different database means intrusive code editing. In order to ease the adjustment to various deployment condition, database middleware such as knex, sequelize, bookshelf etc should be looked at to provide flexibility. Similar to MPS issue number 360

Describe the bug 🪲
RPS throwing error "FQDN not associated with provisioning certificate" when adding a valid Provisioning Certificate

To Reproduce 🪜
Steps to reproduce the behavior:

1. In Sample UI, click on create domain profile
2. Add "Domain Name" as test.domain.com ("common name" on the provisioning cert is test.domain.com)
3. Upload the provisioning certificate and add password
4. Click on save and notice the error

Expected behavior
Adding Provisioning Cert should work when "Common Name" on provisioning Certificate and "Domain Name" in the Sample Web UI's domain profile are same.

Additional context
I was able to save profile when "Domain Name" in domain profile is domain.com but get an error when it's test.domain.com

Describe the bug 🪲
When configuring a device with a TLS Profile, when trying to reprovision a device with another TLS Profile, it fails. This is due to the certificates not being removed.

To Reproduce 🪜
Steps to reproduce the behavior:

1. Create a TLS Profile
2. Activate a device with the created profile
3. Re-Activate the same device with same profile
4. See error

Expected behavior
A clear and concise description of what you expected to happen.
Device should re-provision with updated TLS Profile/
Screenshots 🖼️
If applicable, add screenshots to help explain your problem.

AMT Device (please complete the following information): 🖥️

• OS: [e.g. Linux Kernel & Version] Windows
• AMT Version: [e.g. 11.8.5, 12.0.45] 12
• AMT Configuration Mode: [e.g. Admin Control Mode or Client Control Mode] ACM
• Network Configuration [e.g. Dynamic IP or Static IP] Dynamic

Service Deployment (please complete the following information): ⛈️

• Deployment Type: [e.g. Azure, Docker, K8s] Docker
• Node Version: [e.g. LTS 14] 16
• Component & Version: [e.g. RPS 2.0.0] v2.x

Additional context
Add any other context about the problem here.

AB#12845

Was doing some testing on the RPC 0.9.1 release and noticed something in how the credentialspath works. Looks like RPS is expecting this path to start at the dist folder. However, other path configuration strings in the app.config.dev.json file start at the root of the RPS directory. For example, in the AMTDomains, the ProvisioningCert path is “private/cert.pfx” but for the credentialspath I’d need to set the credentialspath to “../../private/credentials.json” to use the same folder.

Can these paths start using the same relative path starting location?

It seems that currently only Username/Password authentication is possible for CIRA connections unconditionally.

Is planned for Mutual-TLS authentication?

AB#12562

With current code on rps master, user can create/edit amt profile with cira config that does not exist. It should check for available cira configs and give an error. Issue happens only in dev mode. In prod mode (i.e. using vault and db), it works correctly.

Describe the bug 🪲
Change error log message in SUCCESS event of PUT_IPS_OPT_IN_SERVICE context
https://github.com/open-amt-cloud-toolkit/rps/blob/main/src/stateMachines/featuresConfiguration.ts#L161

Expected behavior
Change error log message to info in SUCCESS event of PUT_IPS_OPT_IN_SERVICE

i.e. Version should return something like

{
"version":"3.0.0"
}

not a string literal

Currently, if vault calls fail (i.e. during creation of domain), the domain is successfully added to the database despite not being added to vault. Ideally, the database entry should be rolled back if vault call fails.

AB#5415

Describe the bug 🪲
Currently, unsupported Wifi configurations result in a generic error message: "Bad wsman response from AMT device". A more descriptive error, perhaps siting possible cause(s), would be helpful.

To Reproduce 🪜
Steps to reproduce the behavior:

1. Provision AMT 15 device with a wifi configuration using either TKIP, WPA PSK, or both.

Expected behavior
A more informative error message than "Bad wsman response"

**FYI... per AMT docs...**
Deprecation of TKIP (Temporal Key Integrity Protocol) and WEP (Wired Equivalent Privacy) Encryption Methods
Intel has removed Intel AMT support for the WEP and TKIP 802.11 encryption methods, starting from Intel CSME firmware running on Tiger Lake-H platforms. This also means that mixed TKIP/CCMP WiFi access-point mode is no longer supported by the Intel CSME WiFi stack. To allow Intel CSME WiFi connectivity, all crypto modes utilizing TKIP must be disabled in the AP.

Note: In "pipe" mode the WiFi connection (including encryption/decryption algorithm selection on WiFi connection establishment) is handled by the host operating system WiFi stack. In this mode, the data packets are sent to Intel AMT after they have been decrypted by the host side WiFi. In this mode there is currently no restriction in Intel CSME on the WiFi encryption protocols selected by the operating system. However, switching an TKIP or WEP based Intel AMT connection from the host to Intel CSME side WiFi will cause WiFi connection termination. (Document update: July 2021)

Service Deployment (please complete the following information): ⛈️

• Deployment Type: Found on local K8s
• Node Version:
• Component & Version: RPS 2.2

AB#6501

I believe it should not enforce a password policy for the domain certificate, the user is coming with a domain certificate that was purchased and most probably has a password already created that could not match this policy. They user just need to add the password.

AB#4231

Describe the bug 🪲
We need a way to configure AMT with 802.1X username and password credentials to access our network

Expected behavior
RPS is able to set the 802.1X username and password credentials into AMT to enable AMT to access a 802.1X protected network

Service Deployment (please complete the following information): ⛈️

• Deployment Type: Enterprise
• Component & Version: RPS

Additional context
N/A

Describe the bug 🪲
We want a way to configure Kerberos credentials into AMT so that we can manage AMT devices using Microsoft Active Directory accounts directly with the AMT device through our local network management console. Need to be able to configure groups and group access to AMT features based on AMT realms

Expected behavior
RPS is able to set specific Microsoft Active Directory group access to specific AMT permission realms during configuration.

Service Deployment (please complete the following information): ⛈️

• Deployment Type: Enterprise
• Component & Version: RPS

Additional context
N/A

I want to have a way for RPS to notify me when specific events happen in RPS so that I don't have to monitor the log files or repeatedly make REST calls to get notified.

Example of events:

• When a device is configured
• When a device is unconfigured

In RPS dashboard, while creating domains, it should take the wildcard domains. In cases where there are multiple subdomains present, it is difficult to create a Domain for each subdomain.

After completing all the steps as on the documentation, on running docker compose, it throws a NPM error rps.

Current documentation is missing key software security information. Need to add security asset descriptions as well as BKMs on how to handle these assets when using RPS.

I want to be able to create a profile that lets me configure the AMT wireless network settings so that my AMT device will connect to the wireless network even when the host OS is down.

I want to have RPS be able to configure the AMT Network settings during the activation of AMT so that I can specify the network settings that I want AMT to use to connect to my network. I want to be able to re-use these same network settings across multiple AMT profiles

Examples of settings that I want to be able to set:

• DHCP or Static IP assignment
• If the IP address is shared with the host OS or not (Always share it is priority)
• Syncing the IP address with the host OS (Always sync is priority)
• Sharing the FQDN with the host OS (Always share it is priority)
• RMCPing Response (true/false)
• AMT Network Enabled (Always enabled is priority)

With latest code, we don't get MQTT event message when device activated in admin and/or client mode.
also we get MQTT event msg stating "CIRA" configure even though CIRA is not actually configured on amt device.
Getting all profiles/cira configs/domains give incorrect msg stating "no profiles/domains/cira configs to found" even though profiles/domains/cira configs exists.

Repro steps:

1. Setup MQTT as per documentation provided at https://github.com/open-amt-cloud-toolkit/docs/blob/master/docs/Topics/mqtt.md

2. Create a profile with acm activation and without cira configuraiton

3. activate amt device using profile created in step 2

4. Check MQTT event msg
   Expected behavior: Gives msg stating "Device [guid] activated in admin mode"
   actual behavior: "Cira configured, and ethernet settings are updated"

5. Repeat steps 2 to 4 for client mode, observed same issue.

Repro steps for profiles/domains/cira configs:

1. Create at least one profile, cira config and domain
2. Navigate to profiles/cira configs/domains page on sample UI
3. Check MQTT messaging
   Expected behavior:
   Should display list of profiles/domains/cira configs

actual behavior:
Get mqtt msg stating "No profiles/domains/cira configs to get"

Describe the bug 🪲
Adding a device which is already activated in ACM to Open AMT Cloud Toolkit fails

Since AMT is already activated in ACM, I think we should remove the requirement of needing DNS suffix and Provisioning certificate for both network configurations (static and dhcp)

To Reproduce 🪜
Steps to reproduce the behavior:

1. Setup Open AMT instance locally
2. Create a ACM profile with network configuration as STATIC
3. Run activate command on AMT device

Expected behavior
Adding a device which is already activated in ACM to Open AMT Cloud Toolkit should work

Screenshots 🖼️

AMT Device (please complete the following information): 🖥️

• OS: Win 11
• AMT Version: 16.x
• AMT Configuration Mode: ACM
• Network Configuration: Static IP

Service Deployment (please complete the following information): ⛈️

• Deployment Type: Docker
• Component & Version: v2.6 Release

I want to be able to edit all of the different profiles that RPS lets me create so that I can just reuse the same profile with edits as I grow my AMT configuration.

Feature request to support the Intel AMT 'Alarm Clock' feature

AB#5516

Currently Intel AMT wi-fi configuration works only on windows operating system.

AB#4573

When the number of devices registered to the MPS increases, it becomes very difficult to search for a device.

Does this version needs to match the released version? 2.0.0 ?

AB#4232

Describe the bug 🪲
A clear and concise description of what the bug is.

To Reproduce 🪜
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots 🖼️
If applicable, add screenshots to help explain your problem.

AMT Device (please complete the following information): 🖥️

• OS: [e.g. Linux Kernel & Version]
• AMT Version: [e.g. 11.8.5, 12.0.45]
• AMT Configuration Mode: [e.g. Admin Control Mode or Client Control Mode]
• Network Configuration [e.g. Dynamic IP or Static IP]

Service Deployment (please complete the following information): ⛈️

• Deployment Type: [e.g. Azure, Docker, K8s]
• Node Version: [e.g. LTS 14]
• Component & Version: [e.g. RPS 2.0.0]

Additional context
Add any other context about the problem here.

To reproduce:
Use Lanless vPro machibe as Device
Create a Profile with CIRA and WLAN Profile
Use RPC activation commend to activate the device

Expected behavior
Activation will success - Device will be provisioned. Wireless Profile will be added to AMT profile store and CIRA configuration will be set.

Actual results

AMT is provisioned, but Network settings is not set. the Activation process terminates. Device is not reachable from open-amt-cloud-toolkit.
Attaching here verbose output of the activation command of same Profile from 2 Machines I have:
Successful activation of machine with LAN+WLAN and the failing activation from Lanless machine
adl_M_lanless_fail.txt
adlp_success.txt

Note: I suspect that the root cause is that the service is sending pull request of the first Ethernet instance and expects to get the LAN instance paramters, but in LANLESS device the first instance is the WLAN so the service get's WLAN parametrs which it is not expecting at that stage.

AMT Device (please complete the following information): 🖥️

• OS: [Windows 11 21H2]
• AMT Version: [16.0.15.1463]
• AMT Configuration Mode: [CCM]
• Network Configuration [DHCP, LANLESS]

Service Deployment (please complete the following information): ⛈️
I am using Azure Demo server provided by Bryan from the open-amt-cloud-toolkit team

Additional context

AB#7391

AMT device's Cira configuration failing, if Cira config name is not case aligned in amt profile. RPC gives an output "Failed to add management presence server". Below are repro steps:

1. Create Cira config name named 'cira1'.
2. Using postman, create amt profile named 'profile1' in payload with Cira config name as 'CIRA1'.
3. Activate and Cira configure amt device using profile1 created in step2.

Expected behavior: amt activation and Cira configuration succeeds.
Actual behavior: amt activation succeeds but Cira configuration fails with an error "Failed to add management presence server"

When a payload is POSTed to the server with camelCase keys, the response should return identically cased key names -- currently they are being returned as UpperCased key values. This makes integration challenging and does NOT following standard API conventions. Properties/Keys need to be treated as case sensitive to avoid confusion, bugs, performance, and complexity. An example can be found in the documentation: https://open-amt-cloud-toolkit.github.io/docs/1.0/APIs/RPSmethods/ciraconfig/

Describe the bug 🪲
When calling functions in the RPC library (ie. Activate) , nothing is success/error codes are not returned. Only output to std out.
Therefore, when trying to interface, there's no way to know if calls being made are successful or not.

To Reproduce 🪜
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior
Success/error codes are returned when calling functions in the RPC library.

Screenshots 🖼️
If applicable, add screenshots to help explain your problem.

AMT Device (please complete the following information): 🖥️

• OS: [e.g. Linux Kernel & Version]
• AMT Version: [e.g. 11.8.5, 12.0.45]
• AMT Configuration Mode: [e.g. Admin Control Mode or Client Control Mode]
• Network Configuration [e.g. Dynamic IP or Static IP]

Service Deployment (please complete the following information): ⛈️

• Deployment Type: [e.g. Azure, Docker, K8s]
• Node Version: [e.g. LTS 14]
• Component & Version: [e.g. RPS 2.0.0]

Additional context
Add any other context about the problem here.

AB#13157

Describe the bug 🪲
The problem is that the update call of AMT Profile is not generating a self signed cert (like the create is) when it has been changed to a TLS profile from CIRA. A call needs to be made to see if the cert exists in vault first before generate if the profile has been updated from a non-TLS type to a TLS type.

To Reproduce 🪜
Steps to reproduce the behavior:

1. Create a AMT Profile with a CIRA Configuration
2. Update that profile with a TLS configuration
3. Try to activate a device with the updated profile.
4. Activation will fail due to self signed cert not being generated.

Expected behavior
I would expect the updated configuration to activate the device.

AB#13457

#754

Link to issues on snyk:
https://snyk.io/vuln/SNYK-JS-LODASH-1040724
https://snyk.io/vuln/SNYK-JS-LODASH-1018905

While creating a entry into the credentials file (MPS data) when a new device gets registered, the mps username and password are taken from the .rpsrc

But a single RPS can use multiple profiles with different CIRAs of different MPSs. This creates an issue. The credential file should be populated with the MPS username and password from the CIRA.

Example:

MPS1 , RPS1 -> creates CIRA and profile.
RPS2 -> migrate the data from RPS1 to RPS2 and use the same to register a device.

In this case if the .rpsrc of RPS2 has a different mps username and password other than MPS1, then this is an issue.

##This issue was seen when we were writing the stuff to data.json's

AB#3979