Add Support for CIRA #665

@graikhel-intel

Description

Summary

Enable Console to accept Client-Initiated Remote Access (CIRA) connections from Intel® AMT devices, handle APF protocol sessions, and expose basic configuration and observability similar to MPS.

This will allow AMT devices to establish persistent TLS connections to Console, enabling remote management through firewalls/NAT.

Background / Context

  1. CIRA allows Intel AMT firmware to initiate a TLS tunnel to the management server (Console), enabling remote WS-Management, KVM, SOL, etc.
  2. The APF (AMT Port Forwarding) protocol runs on top of the TLS tunnel and handles channel multiplexing.
  3. APF processor logic already exists in go-wsman-messages. Console needs to use this to accept CIRA sessions.
  4. Secrets and certificate storage will be available after completing Vault replacement (Implement Secrets Management and Provisioning Flows in Console + RPC-Go to Support Cloud Deployment #597).

Prerequisite

Implement Secrets Management and Provisioning Flows in Console + RPC-Go to Support Cloud Deployment (#597)

Scope / Requirements

  1. CIRA Listener & TLS Tunnel Termination

  2. Session Lifecycle & Policy

    • Authentication & logging:
      • Validate the TLS handshake and APF session initiation.
      • Log device UUID, FQDN, and firmware version upon successful session establishment.
    • Configurable heartbeat interval (default: 30 s).
    • Configurable idle timeout (default: 90 s). Close the session if no APF keepalive or channel activity occurs within the timeout.


  3. Certificate Management

    • Auto-generate a self-signed certificate on first run if none exists.
    • Persist certificate and private key in the secrets backend.
    • Follow TLS configuration and cipher requirements similar to MPS.
    • Private keys must never be logged.
  4. Logs & Metrics

    • Log handshake success/failure, device identity, remote IP, disconnect reasons.
    • Metrics: capture the same key metrics currently exposed by MPS for CIRA connections (e.g., active sessions, accepted/rejected connections, handshake failures, idle timeouts).
  5. Events (Separate Requirement - Needs brainstorming)

Emit domain events for connect, disconnect, and timeout to allow downstream consumers to react to CIRA session lifecycle changes.

Acceptance Criteria:

  • Console accepts CIRA TLS tunnels from AMT devices and completes APF handshake using go-wsman-messages.
  • Listener host/port and heartbeat/idle timeout values are configurable.
  • A self-signed certificate is generated and stored in secrets on first run.
  • CIRA session metrics are exposed and match what is available in MPS.
  • Logs capture handshake status, device identifiers, and disconnect reasons.
  • Security posture matches MPS TLS requirements.
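As an added illustration of the session-lifecycle policy and counters in requirements 2 and 4 (example code, not from the Console project or this issue), the Go sketch below registers a session after a successful handshake, resets its idle clock on APF activity, and sweeps sessions that exceed the idle timeout while keeping the metrics listed above. The names Tracker, Accept, Touch and Sweep are assumptions; a real listener would drive them from the TLS accept loop and the go-wsman-messages APF processor.

```go
package main

import "errors"
import "time"
// Issue defaults: heartbeat every 30 s, close the session after 90 s without activity.
const DefaultHeartbeat, DefaultIdleTimeout = 30*time.Second, 90*time.Second
// Metrics are the counters the issue asks Console to expose for CIRA.
type Metrics struct{ Active, Accepted, Rejected, HandshakeFailures, IdleTimeouts int }
// Tracker enforces the idle-timeout policy over sessions keyed by device UUID. It holds
// identity and a last-activity time only, never key material; callers pass in the clock.
type Tracker struct {
	idle     time.Duration
	lastSeen map[string]time.Time
	M        Metrics
}
func NewTracker(idle time.Duration) *Tracker { return &Tracker{idle: idle, lastSeen: map[string]time.Time{}} }
// HandshakeFailed records a TLS or APF handshake that did not complete.
func (t *Tracker) HandshakeFailed() { t.M.HandshakeFailures++; t.M.Rejected++ }
// Accept registers a device after a successful handshake; a second tunnel for an
// already-connected UUID is rejected instead of silently replacing the first.
func (t *Tracker) Accept(uuid string, now time.Time) error {
	if _, dup := t.lastSeen[uuid]; dup {
		t.M.Rejected++
		return errors.New("duplicate CIRA session for device " + uuid)
	}
	t.lastSeen[uuid] = now
	t.M.Accepted++
	t.M.Active++
	return nil
}
// Touch resets the idle clock on every APF keepalive or channel message.
func (t *Tracker) Touch(uuid string, now time.Time) bool {
	_, ok := t.lastSeen[uuid]
	if ok {
		t.lastSeen[uuid] = now
	}
	return ok
}
// Sweep closes sessions idle longer than the timeout and returns their UUIDs so the
// caller can log "idle timeout" as the disconnect reason and tear down the tunnel.
func (t *Tracker) Sweep(now time.Time) (closed []string) {
	for uuid, last := range t.lastSeen {
		if now.Sub(last) > t.idle {
			delete(t.lastSeen, uuid)
			t.M.IdleTimeouts++
			t.M.Active--
			closed = append(closed, uuid)
		}
	}
	return closed
}
```

Sweep is meant to run once per heartbeat interval; because the clock is injected, the 90 s policy can be unit-tested without opening a TLS socket.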
