ACM activation debug improvements, #2948

2025-01-12 15:33:20 -05:00 · 2021-07-28 15:03:06 -07:00 · 2021-07-28 15:03:06 -07:00 · 3329acc5a8
commit 3329acc5a8
parent 15ddd3cd00
3 changed files with 9 additions and 8 deletions
--- a/amtmanager.js
+++ b/amtmanager.js
@ -1898,6 +1898,7 @@ module.exports.CreateAmtManager = function (parent) {
                        if (dev.mpsConnection.tag.meiState.OsDnsSuffix != null) { trustedFqdn = dev.mpsConnection.tag.meiState.OsDnsSuffix; }
                        if (dev.mpsConnection.tag.meiState.DnsSuffix != null) { trustedFqdn = dev.mpsConnection.tag.meiState.DnsSuffix; }
                        dev.consoleMsg("No opportunity for ACM activation, trusted FQDN: " + ((trustedFqdn == null) ? "(Not Set)" : trustedFqdn));
+                        dev.consoleMsg("No opportunity for ACM activation, trusted FQDN: " + ((trustedFqdn == null) ? "(Not Set)" : (trustedFqdn + ", HEX: " + Buffer.from(trustedFqdn).toString('hex'))));
                        removeAmtDevice(dev, 38);
                        return false; // We are not in CCM and policy restricts use of CCM, so exit now.
                    } 
@ -1910,9 +1911,9 @@ module.exports.CreateAmtManager = function (parent) {
                } else {
                    // We are not activated now, go to ACM directly.
                    // Check if we are allowed to perform TLS ACM activation
-                    var TlsAcmActivation = true;
+                    var TlsAcmActivation = false;
                    var domain = parent.config.domains[dev.domainid];
-                    if (domain && domain.amtmanager && (domain.amtmanager.tlsacmactivation == false)) { TlsAcmActivation = false; }
+                    if (domain && domain.amtmanager && (domain.amtmanager.tlsacmactivation == true)) { TlsAcmActivation = true; }

                    // Check Intel AMT version
                    if (typeof dev.intelamt.ver == 'string') { var verSplit = dev.intelamt.ver.split('.'); if (verSplit.length >= 3) { dev.aquired.majorver = parseInt(verSplit[0]); dev.aquired.minorver = parseInt(verSplit[1]); } }
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@ -528,7 +528,7 @@
            "additionalProperties": false,
            "description": "Information passed to the AMT manager module that impacts all Intel AMT device managed within this domain.",
            "properties": {
-              "TlsAcmActivation": { "type": "boolean", "default": true, "description": "When set to false, MeshCentral will not attempt a TLS ACM activation on Intel AMT v14+" },
+              "TlsAcmActivation": { "type": "boolean", "default": false, "description": "When set to false, MeshCentral will not attempt a TLS ACM activation on Intel AMT v14+" },
              "AdminAccounts": {
                "description": "List of username and passwords to try when connecting to Intel AMT.",
                "type": "array",
--- a/mpsserver.js
+++ b/mpsserver.js
@ -600,8 +600,8 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
                    }
                    if (obj.parent.webserver.meshes[cookie.m] == null) {
                        meshNotFoundCount++;
-                        socket.ControlMsg({ action: 'console', msg: 'Device group not found (1)' });
-                        parent.debug('mps', 'Device group not found (1)', username, password);
+                        socket.ControlMsg({ action: 'console', msg: 'Device group not found (1): ' + cookie.m });
+                        parent.debug('mps', 'Device group not found (1): ' + cookie.m, username, password);
                        SendUserAuthFail(socket);
                        return -1;
                    }
@ -635,7 +635,7 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
                    }
                    // Find the device group for this CIRA connection. Since Intel AMT does not allow @ or $ in the username, we escape these.
                    // For possible for CIRA-LMS connections to still send @ or $, so we need to escape both sides.
-                    var meshIdStart = ('/' + username).replace(/\@/g, 'X').replace(/\$/g, 'X'), mesh = null;
+                    const meshIdStart = ('/' + username).replace(/\@/g, 'X').replace(/\$/g, 'X'), mesh = null;
                    if (obj.parent.webserver.meshes) {
                        for (var i in obj.parent.webserver.meshes) {
                            if (obj.parent.webserver.meshes[i]._id.replace(/\@/g, 'X').replace(/\$/g, 'X').indexOf(meshIdStart) > 0) {
@ -645,8 +645,8 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
                    }
                    if (mesh == null) {
                        meshNotFoundCount++;
-                        socket.ControlMsg({ action: 'console', msg: 'Device group not found (2)' });
-                        parent.debug('mps', 'Device group not found (2)', username, password);
+                        socket.ControlMsg({ action: 'console', msg: 'Device group not found (2): ' + meshIdStart + ', u: ' + username + ', p: ' + password });
+                        parent.debug('mps', 'Device group not found (2)', meshIdStart, username, password);
                        SendUserAuthFail(socket);
                        return -1;
                    }