Administrator Guide
HP Access Control Secure Printing Administrator Guide 5: 02/2010

Legal notices

(c) Copyright 2010 Hewlett-Packard Development Company, L.P.

Microsoft, Windows, and Windows NT are U.S. registered trademarks of Microsoft Corporation.

February 2010

Confidential computer software. Valid license from HEWLETT-PACKARD required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HEWLETT-PACKARD products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HEWLETT-PACKARD shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Figures and Tables
    Figures ... 8
    Tables ... 9

1 Overview
    1-1 HP Access Control Secure Printing ... 10
    1-2 Usage scenarios ... 10
        1-2-1 Secure scan to e-mail ... 10
        1-2-2 Secure printing and retrieval of documents ... 10
        1-2-3 Secure printing for a department recipient ... 11
        1-2-4 Secure printing for a remote third party ... 11

2 Secure printing architecture
    2-1 Overview ... 15
        2-1-1 Installation notes ... 15

3 Install HPAC Secure Printing
    3-1 Recommended installation process ... 16
    3-2 The authentication hardware ... 16
        3-2-1 The installation kit ... 16
    3-3 Printer network settings ... 17
    3-4 Installation on printers and MFPs ... 17
        3-4-1 Connect the reader to the printer/MFP ... 17
            3-4-1-1 CM8050 Color MFP and CM8060 Color MFP devices ... 17
            3-4-1-2 Color LaserJet 4730MFP and Color LaserJet CM4730MFP devices ... 17
            3-4-1-3 Other devices ... 17

4 Install the HPAC Secure Printing Server
    4-1 Installation on a non-cluster server ... 18
        4-1-1 Create pull printer queues on non-cluster servers ... 18
    4-2 Installation on a cluster server ... 19
        4-2-1 Cluster environment ... 19
        4-2-2 Cluster requirements ... 19
        4-2-3 Recommendation ... 20
        4-2-4 Cluster environment ... 20
            4-2-4-1 Create a cluster printer ... 20
            4-2-4-2 Create a pull printer queue in a cluster environment ... 21
        4-2-5 Install and configure the HPAC Print Server in a cluster environment ... 21
        4-2-6 Install the Quota Notification tool ... 24
            4-2-6-1 Prerequisites ... 24
            4-2-6-2 Installation procedure ... 24
        4-2-7 HPAC Print Server upgrade for a cluster environment ... 24
    4-3 Printer pull printing ports pooling ... 24
        4-3-1 Configure the printer pull printing ports pooling ... 25
    4-4 Configure job retention ... 25
    4-5 Remote job storage ... 26
        4-5-1 Prerequisites ... 26
        4-5-2 Share the print job directory ... 27
        4-5-3 Create the Authenticated Users group ... 27
        4-5-4 Configure remote job storage ... 28
        4-5-5 Quota notification ... 29
            4-5-5-1 Advanced options ... 30
        4-5-6 Print job purge ... 32

5 Install the HPAC Admin Software on a print server
    5-1 Installation prerequisites ... 33
    5-2 HPAC Admin Software installation ... 34
        5-2-1 Save the configuration ... 35

6 Configure HP Access Control
    6-1 The HPAC Admin Software interface ... 36
        6-1-1 Navigate the interface ... 36
    6-2 Firmware viewer ... 36
    6-3 License management ... 36
    6-4 License information summary ... 36
        6-4-1 Upload license files ... 37
        6-4-2 Delete license files ... 38
        6-4-3 Remove all license files ... 38
        6-4-4 View a summary of each license file ... 38
    6-5 Printer management ... 38
        6-5-1 All printers list ... 38
            6-5-1-1 Printers information summary ... 38
        6-5-2 All printers list actions ... 39
            6-5-2-1 Add a printer to the list ... 39
            6-5-2-2 Move a printer from one group to another ... 40
            6-5-2-3 Delete one or more printers ... 40
            6-5-2-4 Ungrouped printer list – View a summary ... 41
        6-5-3 Ungrouped printers list actions ... 41
        6-5-4 All groups list – View a summary for printer groups ... 41
            6-5-4-1 Printer groups information summary ... 41
        6-5-5 All groups list actions ... 41
            6-5-5-1 Create a new printer group ... 41
            6-5-5-2 Delete a printer group ... 42
            6-5-5-3 Synchronize the printers with the configuration ... 42
    6-6 Manage printer group details and configuration ... 42
        6-6-1 Group details actions ... 42
            6-6-1-1 Link printers to this group ... 42
            6-6-1-2 Rename the group ... 43
            6-6-1-3 Change the group language ... 43
            6-6-1-4 Remove printers from the group ... 43
            6-6-1-5 Synchronize the printers with the configuration ... 43
    6-7 Configure printer groups ... 43
        6-7-1 View detailed information about a configuration ... 43
        6-7-2 Configure group parameters ... 44
            6-7-2-1 The Authentication configuration tab ... 44
        6-7-3 Secure Print parameters ... 47
        6-7-4 Billing parameters ... 48
    6-8 List management ... 49
        6-8-1 ID lists ... 50
        6-8-2 View a summary of ID lists ... 51
        6-8-3 Local ID list actions ... 51
            6-8-3-1 Create a new ID list ... 52
            6-8-3-2 Delete an ID list ... 52
            6-8-3-3 View the details for an ID list entry ... 52
        6-8-4 Local ID list entry actions ... 52
            6-8-4-1 Add entries to an ID list ... 52
            6-8-4-2 Add ID list entries from CSV files ... 53
            6-8-4-3 Edit the ID list entries ... 53
            6-8-4-4 Delete ID list entries ... 53
            6-8-4-5 Rename an ID list ... 54
            6-8-4-6 Export ID lists in CSV format ... 54
            6-8-4-7 Notify users ... 54
            6-8-4-8 Autogenerate PIN list – Import from LDAP ... 55
    6-9 LDAP list – Generate & Notify ... 55
        6-9-1 SMTP settings ... 55
        6-9-2 PIN List Autogeneration parameters ... 56
            6-9-2-1 LDAP settings ... 56
    6-10 Billing lists ... 56
        6-10-1 Billing lists structure ... 57
        6-10-2 View a summary of billing lists ... 57
        6-10-3 Billing list actions ... 57
            6-10-3-1 Create a new billing list ... 57
            6-10-3-2 Delete a billing list ... 58
            6-10-3-3 View the details for a billing list ... 58
        6-10-4 Billing list details actions ... 58
            6-10-4-1 Add details to a billing list ... 58
            6-10-4-2 Import billing list codes from a CSV file ... 59
            6-10-4-3 Delete billing list codes ... 59
            6-10-4-4 Rename a billing list ... 59
    6-11 LDAP profiles ... 59
    6-12 View a summary for the LDAP profiles ... 59
        6-12-1 LDAP profile actions ... 60
            6-12-1-1 Create a new LDAP profile ... 60
            6-12-1-2 Delete an LDAP profile ... 61
            6-12-1-3 View the details for an LDAP profile ... 61
            6-12-1-4 Edit the details for an LDAP profile ... 61
    6-13 HPAC Print Server management list ... 62
        6-13-1 View a summary of information ... 62
        6-13-2 HPAC server management list actions ... 62
            6-13-2-1 Create a new server ... 62
            6-13-2-2 Delete a server ... 62
            6-13-2-3 View the details for a server ... 63
            6-13-2-4 Edit the details for a server ... 63
    6-14 Smart Card profile ... 63
        6-14-1 Smart Card authentication ... 63
        6-14-2 Smart Card profile actions ... 64
            6-14-2-1 Create a new Smart Card profile ... 64
            6-14-2-2 Delete a Smart Card profile ... 65
    6-15 HPAC corporate keys ... 65
        6-15-1 View a summary of information ... 66
        6-15-2 Corporate key list actions ... 66
            6-15-2-1 Create a new HPAC corporate key ... 66
            6-15-2-2 Delete an HPAC corporate key ... 66
            6-15-2-3 View an HPAC corporate key ... 67

7 Direct live LDAP authentication
    7-1 Introduction ... 68
    7-2 Direct live authentication with AD/LDAP databases ... 68
    7-3 Configuration ... 69
        7-3-1 Configure alternate authentication for MFPs ... 69
    7-4 LDAP profiles failover ... 69

8 Configure indirect live LDAP authentication
    8-1 Introduction ... 70
    8-2 Indirect live authentication with AD/LDAP databases ... 70
        8-2-1 Support for multiple databases ... 71
        8-2-2 Failover capability ... 71
        8-2-3 Support for multiple user logins (the alias system) ... 71
    8-3 Basic configuration sequence ... 71
        8-3-1 Configure the authentication gateway ... 71
        8-3-2 The Directory servers management tab ... 72
        8-3-3 Create a profile ... 74
        8-3-4 Configure the authentication settings ... 75
            8-3-4-1 The Enrollment ID field name ... 76
        8-3-5 Save the configuration ... 76
    8-4 Process graphical description dialog box ... 77
        8-4-1 View the chain of profiles ... 77
    8-5 Get domain information ... 77
        8-5-1 Configure the Domain field name ... 77
        8-5-2 Customize domain field names in HPAC Print Server ... 79
        8-5-3 Set the Domain field name to a constant value ... 79

9 User enrollment
    9-1 Enrollment prerequisites ... 80
    9-2 Define the enrollment mode ... 81
        9-2-1 Enrollment ... 81
        9-2-2 Enrollment with roaming ... 81
        9-2-3 Enrollment to Active Directory ... 81
    9-3 Manage enrolled users ... 82
        9-3-1 Prerequisites ... 82
        9-3-2 Browse the list of users ... 82
        9-3-3 Select users ... 82
        9-3-4 Edit a user ... 82
        9-3-5 Delete users ... 83

10 Install the driver plug-in for Windows
    10-1 Installation procedure ... 84
    10-2 Deployment to a fleet of PCs ... 84
    10-3 Deactivate the HPAC Secure Printing Driver Plug-In ... 85
    10-4 Connect to a printer secured on the print server ... 85
    10-5 Secure an MS-Windows printer port on a local PC ... 85
        10-5-1 Section A – Define a queue ... 85
        10-5-2 Section B – Secure the printer ... 86
    10-6 Deactivate HPAC Secure Print on a printer ... 87
    10-7 Uninstall the Windows driver plug-in ... 87
    10-8 Windows clients with Netware print server ... 87
        10-8-1 Installation – Print server ... 88
        10-8-2 Installation – Client ... 88
        10-8-3 Secure Printing through Novell Print Servers ... 89
    10-9 Printing from UNIX through a Windows print server ... 89
    10-10 Configure the secure print job parameters ... 89
    10-11 Send a secure print job to the printer ... 89
    10-12 Print for yourself under Windows ... 90
    10-13 Send a document to other users under Windows ... 91
    10-14 Send a document to a department under Windows ... 91
    10-15 Release HPAC print jobs ... 91
        10-15-1 Release the print job (multifunction printers) ... 92
        10-15-2 Release the print job (single function printers) ... 92

11 Encryption schemes, corporate key
    11-1 AES encryption ... 93
    11-2 DES encryption ... 93
    11-3 Raw Printing ... 93

12 Unencrypted secure printing for ERPs
    12-1 Unencrypted secure print files format ... 94

13 Unencrypted secure printing for SAP R/3
    13-1 Modify the device type ... 95
    13-2 Replace the job header sequence ... 95
    13-3 Replace the job trailer sequence ... 95
    13-4 Activate the device type ... 95

14 HPAC Secure Printing Pull (roaming printing)
    14-1-1 Prerequisites for roaming printing ... 96
    14-1-2 Create a dedicated database login ... 97
    14-1-3 Configuration of roaming ... 97
    14-1-4 Test the basic database connection ... 98
    14-1-5 Create the tickets database ... 98
    14-1-6 Synchronize the roaming database ... 98
    14-2 Job retention aliases – Single sign-on ... 98
        14-2-1 Configure the alias feature ... 99
        14-2-2 Syntax of search filters ... 99
        14-2-3 Search across chained databases ... 100

15 Ports and communication
    15-1 HPAC Secure Printing ports ... 102

16 Front panel messages and troubleshooting
    16-1 HPAC Print Server logs ... 103
    16-2 Information messages ... 104
    16-3 Error messages ... 104
        16-3-1 Printer error messages ... 104
        16-3-2 MFP error messages ... 105
        16-3-3 Smart Card error messages ... 107

Appendix A Supported functions per device model ... 109
Appendix B Backward compatibility ... 111
Appendix C Prerequisites for PCs and servers ... 112
Appendix D Prerequisites for printers and MFPs ... 113
Glossary
Index

Figures and Tables

Figures
    Figure 1 Direct IP printing option ... 12
    Figure 2 Server-based printing option ... 13
    Figure 3 Server-based printing option ... 13
    Figure 4 Server-based pull printing option ... 14
    Figure 5 Server-based pull printing option ...
14 Figure 6 Printer Ports ....................................................................................................................................................... 19 Figure 7 HP Access Control SecurePrint Server Port monitor ......................................................................................... 19 Figure 8 Cluster Administrator console ............................................................................................................................ 20 Figure 9 Run window with cluster name .......................................................................................................................... 20 Figure 10 Printers and Faxes .......................................................................................................................................... 21 Figure 11 Printer Ports .................................................................................................................................................... 21 Figure 12 Cluster Administrator – Move group ............................................................................................................... 22 Figure 13 Cluster Administrator – Create a new resource .............................................................................................. 23 Figure 14 Printer ports pooling ........................................................................................................................................ 24 Figure 15 Sharing Permissions ....................................................................................................................................... 27 Figure 16 Permissions for Everyone ............................................................................................................................... 27 Figure 17 Add Authenticated Users ................................................................................................................................ 
28 Figure 18 Full Control for Authenticated Users ................................................................................................................ 28 Figure 19 Configure remote job storage .......................................................................................................................... 29 Figure 20 Quota Notification ............................................................................................................................................ 30 Figure 21 HPAC Secure Print Admin Software ............................................................................................................... 33 Figure 22 License Management ...................................................................................................................................... 37 Figure 23 All printers list .................................................................................................................................................. 38 Figure 24 Add a printer by hostname .............................................................................................................................. 40 Figure 25 Modify printer(s) .............................................................................................................................................. 40 Figure 26 Users and ID list local to the printer/MFP ....................................................................................................... 49 Figure 27 Users and ID information in AD/LDAP, direct live lookup ............................................................................... 49 Figure 28 Users and ID information in AD/LDAP, indirect live lookup ............................................................................ 49 Figure 29 Local ID list ..................................................................................................................................................... 
52 Figure 30 Notify users ..................................................................................................................................................... 54 Figure 31 LDAP profile .................................................................................................................................................... 60 Figure 32 Smart Card profile ........................................................................................................................................... 64 Figure 33 Corporate Key List .......................................................................................................................................... 66 Figure 34 Direct live LDAP authentication ...................................................................................................................... 68 Figure 35 Indirect live LDAP authentication .................................................................................................................... 70 Figure 36 Directory servers management tab ................................................................................................................. 73 Figure 37 Directory server main parameters ................................................................................................................... 74 Figure 38 Directory server authentication parameters – Profile 1 ................................................................................... 75 Figure 39 Directory servers management tab – Select a profile ..................................................................................... 78 Figure 40 Directory server authentication parameters .................................................................................................... 78 Figure 41 Directory server main parameters ................................................................................................................... 
78 Figure 42 Netware print server installation ...................................................................................................................... 88 Figure 43 Netware client installation ............................................................................................................................... 89 Figure 44 Recipients settings .......................................................................................................................................... 91 Figure 45 SQL Server managing console ....................................................................................................................... 97 //Figures and Tables Figure 46 Figure 47 Figure 48 Figure 49 Figure 50 Alias retrieval .................................................................................................................................................. 98 Alias retrieval settings ..................................................................................................................................... 99 Chained databases ....................................................................................................................................... 100 Value to search replacement settings ........................................................................................................... 101 HPAC Secure Printing logs ........................................................................................................................... 103 Tables Table 1 HPAC Secure Printing Server configuration tool ................................................................................................ 25 Table 2 Advanced Quota Notification options ................................................................................................................. 
30 Table 3 License information summary ............................................................................................................................. 36 Table 4 Printers information summary ............................................................................................................................. 38 Table 5 Printer groups information summary .................................................................................................................. 41 Table 6 Authentication parameters .................................................................................................................................. 44 Table 7 Secure Print parameters ..................................................................................................................................... 47 Table 8 Billing parameters ............................................................................................................................................... 48 Table 9 CSV file structure for ID lists ............................................................................................................................... 50 Table 10 ID lists summary ............................................................................................................................................... 51 Table 11 ID list entry fields summary .............................................................................................................................. 53 Table 12 SMTP settings .................................................................................................................................................. 55 Table 13 LDAP settings ................................................................................................................................................... 
56 Table 14 Billing list settings ............................................................................................................................................. 57 Table 15 Billing list details ............................................................................................................................................... 58 Table 16 LDAP profile settings ........................................................................................................................................ 59 Table 17 LDAP profile fields ............................................................................................................................................ 61 Table 18 HPAC Print server management list settings ................................................................................................... 62 Table 19 HPAC Print server details ................................................................................................................................. 63 Table 20 Smart Card profile settings ............................................................................................................................... 65 Table 21 HPAC corporate key list settings ...................................................................................................................... 66 Table 22 Direct live LDAP authentication data ................................................................................................................ 68 Table 23 Indirect live LDAP authentication data .............................................................................................................. 70 Table 24 Authentication parameters table ....................................................................................................................... 72 Table 25 Directory servers management parameters table ............................................................................................ 
73 Table 26 Directory server main parameters table ........................................................................................................... 74 Table 27 Directory server authentication parameters table ............................................................................................. 75 Table 28 Chain of profile symbols ................................................................................................................................... 77 Table 29 Enrolled user settings ....................................................................................................................................... 83 Table 30 Secure printer port settings .............................................................................................................................. 86 Table 31 Secure print job parameters ............................................................................................................................. 90 Table 32 Sample unencrypted secure print file ............................................................................................................... 94 Table 33 Directory server alias retrieval parameters ....................................................................................................... 99 Table 34 HPAC Secure Printing ports ........................................................................................................................... 102 Table 35 Information messages .................................................................................................................................... 104 Table 36 Printer error messages ................................................................................................................................... 104 Table 37 MFP error messages ...................................................................................................................................... 
105 Table 38 Smart Card error messages ........................................................................................................................... 107 Table 39 Supported functions per device model ........................................................................................................... 109 Table 40 Prerequisites for printers and MFPs ............................................................................................................... 113 9 1 Overview 1-1 HP Access Control Secure Printing HP Access Control Printing Solutions is a set of solutions for printers, MFPs, and Digital Senders designed to help mitigate security and compliance risks, prevent fraud, protect data privacy, and enhance fleet management. This manual covers the following HP Access Control Printing Solutions: • HP Access Control Secure Print This solution delivers enhanced print security through authentication and authorization. It proposes a breadth of authentication options ranging from PIN code login to card-based capabilities. It also helps mitigate security and compliance risks and reduces paper waste by allowing print jobs to be encrypted and stored on a server or printer, until users are ready to retrieve and print. • HP Access Control Secure Pull Printing This solution helps increase productivity and ease printing by providing print mobility for enterprise-class companies, through roaming printing and single sign-on. 1-2 Usage scenarios By way of example, below are sequences of events for four fictional HP Access Control Secure Printing scenarios. 1-2-1 Secure scan to e-mail • An administrative assistant needs to scan and e-mail a contract to a client. She walks up to a multifunction printer and quickly identifies herself using her proximity badge. • She loads the contract in the document loader and touches the E-mail button. The system automatically fills in her name and e-mail address as the e-mail sender. She enters the recipient email address. 
• The scanned contract is immediately sent to the client. She touches a button to sign out of the system.

1-2-2 Secure printing and retrieval of documents

• It is Tuesday morning. An engineer arrives at work knowing that he has a series of documents to create and print that day.
• At 9:00 a.m., he writes a letter and prints it through HP Access Control Secure Print.
• At 9:45 a.m., he modifies a technical specification and prints it through HP Access Control Secure Print.
• At 11:00 a.m., he writes his latest meeting report and prints it through HP Access Control Secure Print. All three of his documents are stored in a secure manner on the HP Access Control Secure Printing server.
• At noon, he leaves for lunch, coming back at 1 p.m. He walks up to the first available printer and authenticates himself using his badge.
• All of his morning print jobs are released, and he retrieves his printed documents. He logs out of the HP Access Control system and goes back to his desk to resume his work.

1-2-3 Secure printing for a department recipient

• A hospital is organized with pools of nurses. The hospital software is configured to print documents for a nurse pool instead of individual nurses, because individual nurses may not be available to retrieve a specific patient document when needed. Patient documents are encrypted for HIPAA compliance and securely stored on the HP Access Control Secure Printing server.
• A nurse belonging to a particular pool of nurses authenticates herself on an available printer/MFP using her badge.
• The nurse requests the printing of a document. If one nurse is too busy to release a document, another nurse from the same pool can collect a document that was previously assigned to the nurse pool.
• The document is printed. After the document is decrypted and printed, the stored print job is deleted so it is not processed twice.
1-2-4 Secure printing for a remote third party

• A corporate attorney in London sends a confidential contract to be printed by his Chief Legal Officer in New York.
• The London attorney enters a billing code for this print job, allocating the cost of the print job to Client A.
• The print job is encrypted and stored on the European server.
• The Chief Legal Officer in New York goes to his local HP MFP and authenticates. He displays his pending print jobs and sees the print job sent by his London corporate attorney.
• The Chief Legal Officer requests the release of the print job. He retrieves the confidential contract, decrypted and printed in New York.

2 Secure printing architecture

HP Access Control (HPAC) Secure Printing provides the following independent features to protect important information:

• Print job encryption, to ensure no one can see or alter print job data
• Print job retention and controlled release, to ensure printed documents get into the hands of authorized persons

It is possible to encrypt without controlling the job release, to control the job release without encrypting the document, or to both encrypt and control job release.

HP Access Control provides two ways to perform print job retention: retention on the printer hard disk drive (HDD) and retention on the print server HDD.

• Retention on the printer/MFP HDD is convenient, as it makes a powerful serverless secure printing solution. On the other hand, hard disk drive capacity on printers is not as large as on servers, which may be an issue if very large jobs need to be retained. Print jobs can also only be released on the printer/MFP where they are stored.
NOTE: This system is only usable if the target printer features a HDD (not available on CM8050 and CM8060 Color MFPs).
• Retention on print servers requires more configuration, but is fully scalable, since high-capacity hard disk drives are widely available for servers.
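The controlled-release rules described in this chapter and in the 2-1 Overview (a job secured for one user or for a department, releasable once by the first entitled person to claim it and then deleted, and, when retained on a printer HDD, releasable only at that printer, with at most 100 retained jobs per user or department) can be modelled as follows. This is an added example, not HP's code: the RetentionStore class, the user-to-department directory standing in for the LDAP/AD lookup, and all identities, printer names and payloads are constructed for illustration.

```python
"""Model of HPAC-style print job retention and controlled release (added example, not HP's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Limit the guide states for jobs stored per user or department on the printer
# HDD; applied here to every recipient regardless of storage location (assumption).
MAX_JOBS_PER_RECIPIENT = 100


@dataclass(frozen=True)
class Recipient:
    kind: str   # "user" or "department"
    name: str


@dataclass
class SecureJob:
    job_id: str
    recipient: Recipient
    stored_on: Optional[str]  # printer hostname for device retention, None for server retention
    encrypted: bool
    payload: bytes            # print data; ciphertext when encrypted (constructed bytes here)


class QuotaExceeded(Exception):
    """The recipient already has the maximum number of retained jobs."""


class ReleaseDenied(Exception):
    """The job does not exist or the caller may not release it at this printer."""


class RetentionStore:
    """Holds retained jobs and enforces who may release them, and where."""

    def __init__(self, directory: Dict[str, str]) -> None:
        # user -> department; stands in for the LDAP/AD lookup an HPAC server performs (constructed)
        self._directory = directory
        self._jobs: Dict[str, SecureJob] = {}

    def _count_for(self, recipient: Recipient) -> int:
        return sum(1 for j in self._jobs.values() if j.recipient == recipient)

    def submit(self, job: SecureJob) -> None:
        """Store a job, refusing it when the recipient's retention quota is full."""
        if job.recipient.kind not in ("user", "department"):
            raise ValueError(f"unknown recipient kind {job.recipient.kind!r}")
        if self._count_for(job.recipient) >= MAX_JOBS_PER_RECIPIENT:
            raise QuotaExceeded(f"{job.recipient.name} already has {MAX_JOBS_PER_RECIPIENT} jobs")
        self._jobs[job.job_id] = job

    def pending_for(self, user: str, at_printer: str) -> List[str]:
        """Job IDs the authenticated user is entitled to release at this printer."""
        own = Recipient("user", user)
        dept = self._directory.get(user)
        pool = Recipient("department", dept) if dept else None
        visible = []
        for job in self._jobs.values():
            if job.stored_on is not None and job.stored_on != at_printer:
                continue  # device-retained job: releasable only where it is stored
            if job.recipient == own or (pool is not None and job.recipient == pool):
                visible.append(job.job_id)
        return sorted(visible)

    def release(self, job_id: str, user: str, at_printer: str) -> bytes:
        """Release one job and delete it; missing and unauthorized jobs get the same error."""
        if job_id not in self.pending_for(user, at_printer):
            raise ReleaseDenied(f"{user} may not release {job_id} at {at_printer}")
        # Deleted on release so a department job cannot be collected twice.
        return self._jobs.pop(job_id).payload


def nurse_pool_scenario() -> Dict[str, object]:
    """Walk through scenario 1-2-3: one of two pool nurses releases a pool job."""
    store = RetentionStore({"nurse1": "pool-a", "nurse2": "pool-a", "clerk": "admin"})
    store.submit(SecureJob("rx-1", Recipient("department", "pool-a"), None, True, b"<ciphertext>"))
    before = {u: store.pending_for(u, "mfp-01") for u in ("nurse1", "nurse2", "clerk")}
    released = store.release("rx-1", "nurse1", "mfp-01")
    try:
        store.release("rx-1", "nurse2", "mfp-01")
        second = "released"
    except ReleaseDenied:
        second = "denied"
    return {"before": before, "released": released, "second_attempt": second}


def fills_quota_then_rejects(recipient: Recipient) -> bool:
    """Submit the maximum number of jobs for a recipient and confirm the next one is refused."""
    store = RetentionStore({})
    for i in range(MAX_JOBS_PER_RECIPIENT):
        store.submit(SecureJob(f"q{i}", recipient, None, True, b""))
    try:
        store.submit(SecureJob("q-overflow", recipient, None, True, b""))
    except QuotaExceeded:
        return True
    return False


if __name__ == "__main__":
    print(nurse_pool_scenario())
```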
The HP Access Control Driver plug-in software is installed where the encryption is required: on the server or on the client Windows PCs. The HP Access Control Secure Printing Server does not require the driver plug-in on the server to encrypt and protect jobs.

Figure 1 Direct IP printing option (callouts: 1 HPAC Secure Printing; 2 Secure print jobs; 3 HPAC Secure Printing)

• Direct IP printing to a physical printer with the HPAC Secure Printing Plug-in installed on client PCs; no server involved.
• Print jobs can be encrypted all the way from the client PCs to the printer formatter.
• Print jobs can be stored on the printer/MFP hard disk drive for later release upon authentication.

Figure 2 Server-based printing option (callouts: 1 HPAC Secure Printing Driver Plug-in; 2 Secure print jobs; 3 HPAC Secure Printing)

• Server-based printing with the HPAC Secure Printing Plug-in installed on client PCs, nothing installed on the server.
• Print jobs can be encrypted all the way from the client PCs to the printer formatter, flowing encrypted through the print server print queues.
• Print jobs can be stored on the printer/MFP hard disk drive for later release upon authentication.

Figure 3 Server-based printing option (callouts: 1 Windows, UNIX, Linux, etc.; 2 HPAC Secure Printing Driver Plug-in; 3 HPAC Secure Printing; 4 HPAC Secure Printing)

• Server-based printing with the HPAC Secure Printing Plug-in installed on the print server.
• Print jobs can be encrypted from the server print queue to the printer formatter.
• Print jobs can be stored on the printer/MFP hard disk drive for later release upon authentication.

Figure 4 Server-based pull printing option (callouts: 1 HPAC Secure Printing Driver Plug-in; 2 HPAC Secure Print Server; 3 HPAC Secure Printing)

• Server-based pull printing with the HPAC Secure Printing Plug-in installed on client PCs and the HPAC Secure Printing Server installed on the print server.
• Print jobs can be encrypted all the way from the client PCs to the printer formatter.
• Print jobs are retained on the print server hard disk drive for later release from any HPAC-enabled printer upon user authentication.

Figure 5 Server-based pull printing option (callouts: 1 Mac, UNIX, AS/400, etc.; 2 Windows printing; 3 HPAC Secure Print Server; 4 HPAC Secure Printing)

• Server-based pull printing with only the HPAC Secure Printing Server installed on the print server.
• Print jobs can be encrypted from the server print queue to the printer formatter.
• Print jobs are retained on the print server hard disk drive for later release from any HPAC-enabled printer upon user authentication.

2-1 Overview

Secure jobs may be encrypted or not, and they can be secured for the person printing the job as well as for any other user. It is also possible to assign a secure job to a department, in which case the first user from that department claiming it is able to release that print job, which is then deleted and not available to other users.

To secure print jobs, a special secure driver plug-in (a print processor) must be installed on the client Windows PCs or on the Windows print server (in which case print jobs are not encrypted from the client PC to the server). The HPAC-equipped printer can be addressed using direct TCP/IP or through a server print queue.

The HP Access Control Print Server software already includes encryption and retention technology. The plug-in does not need to be installed on clients unless end-to-end encryption of print jobs, starting at the client PCs instead of just between the print server and the printer, is needed.

2-1-1 Installation notes

Jobs must be processed by the HP Access Control Secure Printing Plug-in to be accepted by HP Access Control.
This driver plug-in exists for:
• Windows 2000 (32-bit and 64-bit)
• Windows XP (32-bit and 64-bit)
• Windows 2003 (32-bit and 64-bit)
• Windows 2008 (32-bit and 64-bit)
• Windows Vista (32-bit and 64-bit)

The HP Access Control Secure Printing Plug-in can be installed either on the client PCs or on the print server.

NOTE: The plug-in must not be installed both on a client PC's printer and on the print server queue attached to that same printer, since double encryption would occur.

NOTE: Up to 100 print jobs can be stored simultaneously for one user or department on the HP LaserJet disk, within the limit of the HDD capacity. Be aware that some applications generate very large print files, up to a few GB.

3 Install HPAC Secure Printing

This section provides an overview of the installation process, including the hardware components.

3-1 Recommended installation process

1. Install, configure, and test the printer/MFP.
2. If a reader needs to be connected, switch off the printer/MFP. Connect the HP Access Control reader to the printer/MFP and reboot the device.
3. Copy the required HP Access Control firmware files (RFU files) for the printer/MFP models from the HP Access Control Secure Printing software source files to a local PC or server.
4. Copy the HP Access Control Secure Printing Admin software from the HP Access Control Secure Printing software source files to a local PC or server.
IMPORTANT: The firmware files are automatically loaded onto devices by the HPAC Secure Printing Admin software. If the printer/MFP displays Chosen personality not available, followed by Disk operation failed, do not click OK or reboot the device until the printer/MFP completes the installation and automatically reboots.
5. Install HP Access Control Secure Printing Server if at least one of the following features is used.
If none of the following features are used (for example, only local device enrollment is used), the Printing Server does not need to be installed.
○ User badge self-enrollment
○ Authentication gateway (indirect live Lightweight Directory Access Protocol (LDAP) validation)
○ Secure Printing with print job retention on the print server hard disk drive
6. Configure the HPAC Secure Printing firmware installed on devices. See the Configure HP Access Control chapter for details.
7. Use the HP Access Control Admin software to configure a group of printers/MFPs.
8. Configure the HP Access Control Secure Printing Server, if needed.
9. Install and configure the HP Access Control Secure Printing driver plug-in, if needed. This driver plug-in is required for push printing.
10. Test the installed solution and verify that its settings are acceptable.

3-2 The authentication hardware

This section applies to proximity badge or Smart Card authentication.

3-2-1 The installation kit

The HP Access Control Secure Printing hardware contains the following parts:
• HP Access Control proximity card/badge reader (connects to the host Universal Serial Bus (USB) plug inside or outside the printer) or Smart Card reader. There is one reader per type of proximity card. The cards compatible with the reader are indicated on the back of the reader.
• An EIO slot plate with a hole to route the USB cable out of the device formatter.
• Two adhesive cable brackets to route the reader cable from the back to the front of the device.
• A double-sided adhesive label, applied to the back of the reader, to affix the reader to the device case.

To correctly apply the adhesive labels onto the readers:
• Affix the adhesive label on either side of the reader. Do not affix the adhesive label over the bar code on the back of the reader (that information is necessary for support).

NOTE: For detailed information on installing card readers, see the Card Reader Install Guide.
3-3 Printer network settings

Ensure that the Domain Name System (DNS) server configured on printers equipped with HP Access Control is always active; otherwise technical problems may occur. Verify that the DNS server is within the corporate network and is not the DNS of an Internet service provider (ISP).

3-4 Installation on printers and MFPs

Printers/MFPs feature a type A female USB slot that accepts special USB devices, such as the HP Access Control Secure Printing readers.

3-4-1 Connect the reader to the printer/MFP

The reader must be connected to the printer/MFP before the device is started. The device will not recognize the reader if it is plugged in after the device is switched on.

3-4-1-1 CM8050 Color MFP and CM8060 Color MFP devices

1. Open the lower left side cover of the device next to the back wheel, by removing the four screws.
2. Connect the reader to the USB port located next to the digital counter.

3-4-1-2 Color LaserJet 4730MFP and Color LaserJet CM4730MFP devices

These devices have no internal host USB connector.
1. Switch off the device and detach its power cable.
2. Locate the female Type A USB plug on the back of the formatter board. The plug may be hidden behind a square gray sticker (this sticker can be removed).
3. Connect the reader to the USB port.
4. Switch on the device.

3-4-1-3 Other devices

1. Switch off the device and detach its power cable.
2. Open the device formatter.
3. Locate the dual USB slots connector.
4. Remove the EIO slot plate and replace it with the supplied EIO plate with cable protection and the USB cable routed through it.
5. Plug the USB reader into the internal USB port.
6. Close the formatter, plug in the device, and switch it on.

NOTE: If the device has no free EIO slot available to route the cable out, connect the reader to the USB connector located on the outside of the formatter. That plug may be hidden behind a square gray sticker (this sticker can be removed).
4 Install the HPAC Secure Printing Server

HP Access Control Secure Printing Server is a service performing three primary functions:
• Retention: retention and encryption of print jobs on the server, to provide a pull printing service with release from any printer contacting that server.
• Authentication gateway: the authentication gateway performs complex daisy-chained validations against multiple LDAP/Active Directory (AD) directories and against MS SQL Server (converts and encrypts IDs).
• Enrollment: the enrollment service allows end users to link their credentials with their LDAP/AD user record. Enrollment is available on supported devices. No management is required. Enrollment can be performed on a device or a PC, and users can de-enroll themselves.

4-1 Installation on a non-cluster server

This section describes the standard HPAC Secure Printing Server installation procedure. For servers in a cluster environment, a different installation procedure must be performed, as described in the Installation on a cluster server section. The HPAC Secure Printing Server file is available in the supplied software source files.

NOTE: Administrator rights on the server are required to install the HPAC Secure Printing Server.

1. Go to the Pre-requisite directory of the software source files.
2. Install the Microsoft library packs in the order of their titles (from 1 to 5). Some packs are not necessary, depending on the operating system (OS) service pack.
3. In the HPAC-SecurePrintingServer-{version} directory, click the HPACSecurePrintingServer-x86.exe file to launch the installation.
4. If the HPAC Secure Printing Server is already installed on the server, the installation process asks for it to be removed using the Add or Remove Programs tool available in the Windows control panel.
5. An install wizard guides users through the installation process. Read the license agreement and accept it. Otherwise, the software installation will not proceed.
6. Click Next.
A new screen prompts for the directory in which to install the files.

NOTE: This directory is not where print jobs are stored. That storage directory is defined in the product configuration.

7. Click Next to continue the installation. After a few seconds, it prompts to click Close to finish.

4-1-1 Create pull printer queues on non-cluster servers

HP Access Control Secure Print Server receives print jobs from client PCs and servers using an input queue configured to use the exclusive Print-PS multi-thread port monitor. To create a pull printer queue:
1. Open the Printers and Faxes control panel.
2. Click the File menu and select Server Properties.
3. Click the Ports tab and select Add port. The following window displays:
Figure 6 Printer Ports
4. Select HP Access Control SecurePrint Server Port monitor and then click New Port.
5. Enter a port name and choose the temporary spool file directory (with enough free space).
Figure 7 HP Access Control SecurePrint Server Port monitor
6. Click OK.
7. Right-click a device and select Properties.
8. In the Ports tab of the Properties window, choose the previously created HP Access Control Port as the port.
9. Click OK.
10. Re-open the Properties window of the device. The window has a new tab, HPAC Pull Printing. Settings for secure print jobs can be defined in this tab.

4-2 Installation on a cluster server

This section provides information on a cluster environment and its requirements, and describes how to install the HPAC Print Server on a cluster server.

4-2-1 Cluster environment

A hardware cluster may be active-passive, in which case some redundant servers are reserved for failover duty and do not run any applications of their own. It can also be active-active, in which case all servers in the cluster run their own applications but also reserve resources that allow them to perform failover duty for each other. HPAC Print Server is compatible with active-passive cluster environments.
4-2-2 Cluster requirements

HPAC Print Server is compatible with Windows 2000 and 2003 Servers.
1. The cluster must be up and running properly, without any critical errors or warnings in the event viewer.
2. The Physical Disk and Print Spooler resources must be present on the cluster and running properly. If not, the system administrator must create them.

4-2-3 Recommendation

It is strongly recommended to always work on the passive node, to avoid any strange behavior during the installation. HPAC Print Server restarts the spooler during the installation process, which could affect the cluster failover.

4-2-4 Cluster environment

NOTE: All of the cluster environment recommendations and examples are based on a two-node active-passive cluster. Three IP addresses are needed: node1, node2, and the cluster.

The Cluster Administrator console looks similar to the following example.
Figure 8 Cluster Administrator console

Multiple cluster groups are often used in a client environment. It is useful to regroup the dependent resources by group. For example, the base resources are IP Address and Network Name. These can be left in the same cluster group and another group created for other resources (for example, printing). Cluster group resources may be owned by different nodes, which is not correct for an active-passive environment. Always verify that all resources from all groups are running on the same node. If not, request more information from the Cluster Administrator.

4-2-4-1 Create a cluster printer

A special procedure is needed to create a cluster printer. Even when connected on the cluster IP address, a cluster printer cannot be created from the Printers and Faxes control panel.
1. To access the “real” Printers and Faxes cluster, launch a Run window and enter the cluster name.
Figure 9 Run window with cluster name

NOTE: If the Print Spooler resource is not present, the Printers and Faxes icon will not display.

2.
Click Printers and Faxes and add a cluster printer.
Figure 10 Printers and Faxes

4-2-4-2 Create a pull printer queue in a cluster environment

To create a pull printer queue in a cluster environment, perform the following additional steps.
1. Open the Printers and Faxes control panel.
2. Click the File menu and select Server Properties.
3. Click the Ports tab and select Add port. The Printer Ports window displays.
Figure 11 Printer Ports
4. Select HP Access Control SecurePrint Server Port monitor, and then click New Port.
5. Enter a port name and choose the temporary spool file directory (with enough free space).
6. Click OK.
7. Right-click a device and select Properties.
8. In the Ports tab of the Properties window, choose the previously created HP Access Control Port as the port.
9. Click OK.
10. Re-open the Properties window of the device. The window has a new tab, HPAC Pull Printing. Settings for secure print jobs can be defined in this tab.

4-2-5 Install and configure the HPAC Print Server in a cluster environment

Use the following steps to install and configure the HPAC Print Server in a cluster environment.
1. Verify which node is active and which is not, and connect to the passive node.
2. Run the HPAC Print Server install setup and follow the instructions for a non-cluster server.
IMPORTANT: Do not use the cluster disk for the installation folder.
3. Run the HPAC Print Server configuration and apply the following modification:
a. In the Job retention tab, change the Storage folder path to a new one pointing to the cluster disk. Print jobs will be stored on the cluster disk and remain available to the active node even after a failover.
b. All of the other parameters do not relate to the cluster environment and can be configured as desired.
4. Open the server services list and verify that the HPAC Print Server service is in manual startup mode. If not, change it. Its name is HPAC SP Server or SecureJet Print-PS.
5.
Open the Cluster Administrator console and right-click the cluster group. Select Move Group.
Figure 12 Cluster Administrator – Move group

NOTE: The active node is now the passive one and the passive node is the active one.

6. Run the HPAC Print Server install setup and follow the instructions for a non-cluster server.
IMPORTANT: Do not use the cluster disk for the installation folder.
7. Run the HPAC Print Server configuration and apply the following modification:
a. In the Job retention tab, change the Storage folder path to a new one pointing to the cluster disk. Print jobs will be stored on the cluster disk and remain available to the active node even after a failover.
b. All of the other parameters do not relate to the cluster environment and can be configured as desired.
8. Open the server services list and verify that the HPAC Print Server service is in manual startup mode. If not, change it. Its name is HPAC SP Server or SJ Print-PS Server.
9. Open the Cluster Administrator console and select the cluster group in which to place the HPAC Print Server resource.

NOTE: This resource is used to handle the HPAC Print Server service failover and the replication of the registry keys holding the HPAC Print Server parameters. For example: the disk quota per user is not enough for all users, so the administrator connects to the cluster IP address and modifies this parameter in the HPAC Print Server configuration. Without the shared resource, this modification is applied to the active node but not to the passive node, unless the passive node is also connected to and the same change is performed there. With the HPAC Print Server resource, when the HPAC Print Server configuration on the cluster (active node) is changed, the resource copies the active node's HPAC Print Server registry parameters to the passive node when it switches to active after a failover or move group.

10. Right-click and create a new resource.
Figure 13 Cluster Administrator – Create a new resource

In the New Resource window, enter a name for the resource (for example, HP Access Control Print Server). There is no need to enter a description.
11. The resource type is Generic Service. If there are multiple groups, select the correct one.
NOTE: If Run this resource in a separate Resource Monitor is checked, there will not be a failover if this resource gets an error because the HPAC Secure Printing Server service has stopped.
12. Click Next.
13. Specify the possible owners for this resource (required).
NOTE: The possible owners are the nodes in the cluster on which the resource can be brought online.
14. Click Next.
15. Specify the dependencies for this resource (required).
NOTE: Dependencies are resources that must be brought online by the cluster service first. The Print Spooler and Physical Disk cluster resources must be brought online before HP Access Control, because without the printer and the user jobs, the HPAC Print Server cannot run properly and answer print, release, or authentication requests.
16. Click Next.
17. Enter the correct service name (required). For HP Access Control, the service name is HP AC SP Server or SJ Print-PS Server.
18. Click Next.
19. Specify the registry key SOFTWARE\Jetmobile\SecureJet\Print Server\Settings that should be replicated to all nodes in the cluster.
NOTE: The HPAC Secure Printing Server service stores its parameters in the registry. Therefore, it is important to have this data available on the node on which the service is running.
20. Click Finish and wait for the message indicating a successful operation.
21. The newly created HPAC Print Server resource is offline. Right-click the resource and bring it online.
22. Open the Printers and Faxes cluster and select the printer created previously.
23. Open the Properties window and select the Port tab.
24. Click Add Port and add a new HPAC Print Server port.
25. Select this port as the printer port and click Apply.
26.
Close the Properties window.
27. Open the Properties window again and select the Secure Print tab to change the secure printing queue parameters.
28. Print a job to verify that the job is correctly stored in the cluster disk folder path defined during the HPAC Print Server configuration.

4-2-6 Install the Quota Notification tool

The Quota Notification tool is an optional tool that accompanies the HP Access Control Secure Printing Server. It allows the administrator to set up a system that automatically sends e-mails to users when they approach, reach, or breach their printing quotas.

4-2-6-1 Prerequisites
For a complete list of technical prerequisites, see Appendix C.

4-2-6-2 Installation procedure
1. Double-click the HPAC-SecurePrintingQuotaNotification_x86.msi or HPACSecurePrintingQuotaNotification_x86.exe file.
2. The installation launches. Follow the steps of the wizard until the tool is fully installed.

4-2-7 HPAC Print Server upgrade for a cluster environment

TIP: It is strongly recommended to always work on the passive node.

The procedure to upgrade the HPAC Print Server is to first uninstall the old version, and then install the new one.
1. Take the HPAC Print Server resource offline (since the service name changed, it is possible to encounter a problem and a failover during the upgrade procedure).
2. Use the Add or Remove Programs console to remove the HPAC Secure Printing Server module.

4-3 Printer pull printing ports pooling

Printer ports pooling allows the HPAC Secure Printing Server to handle a large number of jobs flowing to one unique print queue.

IMPORTANT: It is mandatory to define multiple ports. Otherwise, a bottleneck effect on incoming jobs occurs, with jobs delayed for release because of other large pending jobs.
Figure 14 Printer ports pooling
1 Printer queue: receives jobs from clients
2 Multiple HP Access Control Secure Printing Server port monitors: encryption and storage of print jobs on the server disk drive

4-3-1 Configure the printer pull printing ports pooling

In the Ports tab of the print queue, activate the Enable printer pooling option. Multiple ports can now be activated for this queue so that incoming print jobs are dispatched as they come in. In theory, there is no limit to the number of ports.

4-4 Configure job retention

HPAC Secure Printing retains print jobs on the server or in a remote directory on another machine. The following parameters can be set in the HPAC Secure Printing server configuration tool to define where and how those files are kept. Other parameters are described later in this manual as they relate to authentication, alias, or enrollment.

IMPORTANT: A power outage results in the deletion of pending print jobs stored on the print server.

Run the HPAC Secure Printing server configuration software.

Table 1 HPAC Secure Printing Server configuration tool (Parameter: Description/Instructions)

Job Server tab: Defines the communication settings for the retention server.

Max Simultaneous Printings: HPAC Secure Printing features a sophisticated output load balancing mechanism that provides parallel printing. This system allows multiple simultaneous printing requests to be managed while throttling them so that the server is not overloaded. The number of print jobs that can be sent concurrently to devices can be tuned (value: from 10 to 100) based on the available LAN bandwidth and the server's speed and performance. A value between 10 and 20 is enough for most users.
NOTE: This feature does not split a single print job across multiple printers.

TCP Port: Enter the TCP port used to communicate with printers equipped with HPAC Secure Print. The default value is 2000.
The port must be open if communication between the HPAC Secure Printing server and the printers/MFPs passes through a firewall.

Load configuration: This button allows a saved communication configuration to be loaded.

Save configuration: This button allows the communication settings to be saved for future use.

Job Retention tab: Defines the settings of print job retention.

Storage Location: Defines the directory in which retained user jobs are stored. Jobs are owned by users, so ensure that the directory is accessible by all users (for example, C:\Program Files\Hewlett-Packard\HP Access Control Secure Printing Server\Jobs). The storage location can also be a remote directory, provided that the machine with the remote directory belongs to the same domain as the HPAC Printing Server (for example, \\server1\shareduser\jobs). For more details, see Remote job storage.

Disk quota per user/department (MB): Enter the maximum number of MB authorized for each user and department to store jobs. Be aware that color printing can result in very large jobs, sometimes greater than 1 GB depending on the application and the printer driver used.

Jobs quota per user/department (jobs): Enter the maximum number of simultaneously stored jobs for each user and department.
NOTE: Up to 50 print jobs can be stored simultaneously for a single user or department. To increase the number of print jobs, consult an HP representative.

Retention limit (days): Enter the maximum number of days of retention authorized for user jobs. This value has priority over the settings defined by the users at print time. Jobs are deleted automatically by the system when the first expiration date is reached.

Windows Terminal Server: Check this option if the server is running Windows Terminal Server or Citrix Metaframe. This ensures the pop-up window is sent to a specific screen and not to all sessions.
Quota Notification: Use this button to configure the quota notification system (for example, automatic e-mail sending when users approach, reach, or exceed their print job quotas).

Other tabs: Other tabs are for the advanced authentication, enrollment, and alias features. They are described in the following chapters.

4-5 Remote job storage

The print job storage location can also be a remote directory, provided that the machine with the remote directory belongs to the same domain as the HPAC Printing Server (for example, \\server1\shareduser\jobs).

4-5-1 Prerequisites
• The remote directory must be on a machine that belongs to the same domain as the HPAC Printing Server.
• Users must have complete access to the remote directory (for example, a shared directory for all users with full rights).
• The job storage folder must be configured to grant full rights to the Authenticated Users group.

4-5-2 Share the print job directory

Use the following steps to share the print job directory.
1. Browse to the location of the remote print job storage folder.
2. Right-click the folder and select Sharing and Security.
3. Click Permissions.
Figure 15 Sharing Permissions
4. Select the Everyone group and check the Full Control box.
Figure 16 Permissions for Everyone
5. Apply the changes by clicking OK in both windows.

4-5-3 Create the Authenticated Users group

Use the following steps to grant the Authenticated Users group full control of the folder.
1. Browse to the location of the remote print job storage folder.
2. Right-click the folder and select Properties.
3. Click Security.
4. Click Add.
5. In the Select Users or Groups window, enter Authenticated Users, and then click OK.
Figure 17 Add Authenticated Users
6. In the Properties window, select Authenticated Users.
7. Check the Full Control box, and then click OK.
Figure 18 Full Control for Authenticated Users

4-5-4 Configure remote job storage

Use the following steps to configure remote job storage.
1.
Open the HP Access Control Secure Printing Server configuration tool.
2. Click Job Retention and enter the remote directory path in the Storage Folder Path field. Make sure to use the server name, and not the server IP address.
Figure 19 Configure remote job storage

4-5-5 Quota notification

A Quota Notification tool is available as an extension to the print job quota feature. This tool is not automatically installed with HP Access Control Secure Printing Server; it has to be installed separately. The quota notification system can be configured to send different types of warning e-mails to users. There are three types of quota notifications:
• Approaching quota notification: this warning e-mail is sent when a user nears the defined printing quota.
• Reached quota notification: this warning e-mail is sent when a user has reached the defined printing quota.
• Exceeded quota notification: this warning e-mail is sent when a user has exceeded the defined printing quota.
Figure 20 Quota Notification

Use the following tools to configure the notification settings.
• Enter the number of jobs before the print job quota is reached that serves as the trigger for the notification. For example, if 5 is entered and the job quota is 50, the user receives an approaching quota notification after the 45th print job.
• Enter the number of megabytes before the disk space quota is reached that serves as the trigger for the notification. For example, if 5 is entered and the disk space quota is 100, the user receives an approaching quota notification after the 95th megabyte is used.

NOTE: These two notification thresholds can be combined so that a user receives the quota notification e-mail when the first of these thresholds is reached.

4-5-5-1 Advanced options

The Advanced options link allows for the configuration of the logs linked to the quota notification system. The table below provides a description of the data displayed in the different columns.
Table 2 Advanced Quota Notification options (Parameter: Description/Instructions)

Internal Notification TCP Port: The TCP port used for the internal quota notification system.

Trace Level: Defines the trace level (that is, the amount of information written in the log files according to degrees of importance). Choose between:
○ None
○ Error
○ Warning
○ Verbose
○ Extra verbose

Trace Path: Defines where the log files are stored.

Configure SMTP settings
Server host name: IP address of the SMTP server (for example, 192.168.0.199).
Server TCP Port: Port of the SMTP server (for example, 25).
Account name: Authorized login on the SMTP server (for example, johnsmith).
Password: The password associated with the login.
Use SSL: Check this box to use SSL.

Configure e-mail settings
From: E-mail address of the sender (usually the administrator's e-mail address).
Approaching quota e-mail subject: Subject of the e-mail sent when a user is approaching the quota. Variables are available for customization, as explained below.
Reached quota e-mail subject: Subject of the e-mail sent when a user has reached the quota. Variables are available for customization, as explained below.
Exceeded quota e-mail subject: Subject of the e-mail sent when a user has exceeded the quota. Variables are available for customization, as explained below.
Approaching quota e-mail content: The e-mail text sent to users notifying them that they are approaching the quota. Variables are available for customization, as explained below.
Reached quota e-mail content: The e-mail text sent to users notifying them that they have reached their quota. Variables are available for customization, as explained below.

Reset/Test links (at the bottom of the Quota Notification window)
Reset “E-mail Settings” to default values: This allows a reset of all values to the original values.
Test the configuration: This allows a test of whether the quota notification system is correctly configured.

Variables can be used in some of the fields mentioned above. The available variables are the following:
○ {0} to indicate:
− The number of remaining jobs or disk space before reaching the quota limit. This value must be above 0 and followed by ‘jobs’ or ‘MB’.
− The number of jobs or disk space above the limit. This value must be above 0 and followed by ‘jobs’ or ‘MB’.
○ {1} to indicate the limit. This value must be followed by “jobs” or “MB.”
○ {2} to indicate the name of the job
○ {3} to indicate the name of the user

4-5-6 Print job purge

Print jobs are purged from the server at regular intervals. The expiration frequency is set to hourly by default. Use the following steps to modify the purge frequency:
1. In Windows, open the Control Panel, and then select Scheduled Tasks.
2. In the list of scheduled tasks, right-click Job Purge, and then select Properties.
3. Click the Schedule tab.
4. Click Advanced.
5. Configure the task frequency as desired.

5 Install the HPAC Admin Software on a print server

HP Access Control Secure Print Admin Software is web-based central administration software used to deploy, configure, license, and monitor the solution on a fleet of devices.
Figure 21 HPAC Secure Print Admin Software

NOTE: Administrator rights on the server are required to install HPAC Secure Print Server.

5-1 Installation prerequisites

NOTE: For information regarding the technical prerequisites, see Appendix C, Prerequisites for PCs and servers.

The following are the prerequisite steps for installing the HPAC Secure Print Server.
1. Install .NET Framework 3.5.
2. Install the C++ Libraries. Make sure that the installed C++ Libraries match the server (32-bit or 64-bit).
3. Create a new web site using the following steps.
a. Install the Internet Information Services (IIS) Manager if it is not already installed.
Make sure to use the Add/Remove Windows Components option. For Windows Server 2008, IIS 7.0 must have the IIS 6.0 Management Compatibility components activated:
i. Open the Server Manager (click Start > Administrative Tools > Server Manager).
ii. In the left panel, expand Roles.
iii. Right-click Web Server (IIS) and click Add Role.
iv. In the Role Services panel, scroll to IIS 6 Management Compatibility.
v. Check the check box for IIS 6 Management Compatibility (this automatically checks the check boxes of all elements contained in this category).
vi. Click Next, then select Install.
vii. Click Close to exit the Add Role Services wizard.
b. Open the Internet Information Services (IIS) Manager.
c. Right-click Web Sites and select New > Web Site on the menu.
d. Follow the wizard steps to create a new Web site.
i. Assign a name to the Web site.
ii. Enter a TCP port different from the one used by the Default Web Site, or stop the Default Web Site.
iii. Set the Web site directory (default: C:\Inetpub\wwwroot).
iv. Set the Web site access permission (Read permission is sufficient).
e. After completing the wizard, go back to the IIS Manager and right-click the previously created Web site. Select Properties on the menu.
f. In the Properties window, click the ASP.NET tab and change the ASP.NET version to 2.0.50727.
g. Click the Directory Security tab. Edit the Anonymous access and authentication control by checking the Integrated Windows authentication option.
The following steps only apply to Windows Server 2003:
h. In the IIS Manager, open the Web Service Extensions folder.
i. Select the ASP.NET Web service extension (the version should be 2.0.50727).
j. Click Allow.
4. Install the appropriate .NET Framework extension (32-bit or 64-bit).
Install the 32-bit .NET Framework extension:
a. Open a command prompt (click Start > Run and enter cmd in the Run window).
b.
Enter the following command to disable the 32-bit mode:
    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
c. Enter the following command to install ASP.NET 2.0 and install the script maps at the IIS root:
    %SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i
d. In the IIS Manager, click the Web Service Extensions folder.
e. Select the ASP.NET Web service extension (version 2.0.50727) and click Allow.
Install the 64-bit .NET Framework extension:
a. Open a command prompt (click Start > Run and enter cmd in the Run window).
b. Enter the following command to install ASP.NET 2.0 and install the script maps at the IIS root:
    %SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i
c. In the IIS Manager, click the Web Service Extensions folder.
d. Select the ASP.NET Web service extension (version 2.0.50727) and click Allow.
5. Install SQL Server Compact Edition 3.5 SP1. Make sure that the SQL Server Compact Edition version installed matches the server (32-bit or 64-bit).

5-2 HPAC Admin Software installation
1. Click SETUP or the MSI file in the HPAC Admin Software source files to launch the installation.
2. Click Next in the first window.
3. In the second window, select the previously created Web site in the Site drop-down list.
4. Click Next.
5. Select HPAC manage all certificates and then click Next.
6. Enter the port for the SSL binding and click Next.
7. A window displays asking whether to load a previously saved configuration. Click Yes or No, depending on what is preferred.
8. Click OK and restart IIS or the server.

TIP: It is not recommended that HPAC Secure Print Admin Software be installed on the Default Web Site. Should it be installed there, make sure that both the parent node and the HPAC site have the same configuration. Any modifications made require a restart of IIS or the server.
After HPAC is installed, it is recommended that the HPAC node of IIS not be modified.

5-2-1 Save the configuration

Should the HP Access Control Secure Print Admin Software need to be uninstalled, it is possible to save the configuration for future use. To do so, choose to save the configuration when prompted during the uninstallation process. Then load this saved configuration when installing the HP Access Control Secure Print Admin Software. All settings and licenses will be restored.

If the software is being uninstalled, use the following steps to save the configuration for future use.
1. Click Start, Control Panel, and then Add or Remove Programs.
2. Select HP Access Control Secure Print Admin Software.
3. Click Remove.
4. When prompted by the uninstaller, choose to save the configuration and choose a directory (not in the C:\Inetpub\wwwroot\Hpac directory) in which to save the file.

6 Configure HP Access Control

This chapter describes how to configure the HP Access Control Secure Print system. The HP Access Control Admin Software contains four main sections:
• Firmware Viewer: displays the firmware used
• License management: license devices
• Printer management: list and group devices
• Lists and profiles management: define users in lists and parameters as profiles, and apply them to printers and printer groups

6-1 The HPAC Admin Software interface

The interface is divided into three main sections:
• The main menu on the left (Main Menu)
• The main content area in the center (HP Access Control)
• Possible actions on the right (Related Actions)

6-1-1 Navigate the interface

On the left side of the screen, the Main Menu uses a hierarchical “open and close” tree structure.
1. Click the plus and minus signs to open or close menu sub-items.
2. To view the content related to a particular menu item, click directly on the desired menu item. Its related content displays in the main content area. Certain elements in the content area enable different actions to be performed.
These actions display in the right column, the Related Actions column.

6-2 Firmware viewer

The Firmware Viewer allows a user to obtain an overview of the RFUs used by the devices. It can also identify problematic RFUs. To display only the problematic RFUs, check the Incorrect firmware only box.

6-3 License management

The License management section provides an overview of the available and used licenses, and allows license files to be uploaded and deleted.

NOTE: Following installation, printers and MFPs can run HP Access Control and Secure Printing software for seven days without a license token.

6-4 License information summary

The table below provides a description of the data displayed in the different columns.

Table 3 License information summary (Parameter: Description/Instructions)
File name: Displays the name of the loaded license file.
License ID: Displays the unique license ID.
Authentication: Displays the number of Authentication license tokens provided by the license file.
Secure Print: Displays the number of Secure Print license tokens provided by the license file.
Tracking: Displays the number of Tracking license tokens provided by the license file.
Expiration Date: Displays the license expiration date.

A second table is provided to give an overall view of the available and used license tokens per module.

6-4-1 Upload license files

To upload a license file:
1. Click License management.
2. In the Related Actions section, click Upload a license file.
3. In the pop-up window, browse to the location of the license file and click Upload file.
4. The license file is loaded. It is added to the list of license files and the number of license tokens per module is provided.
Figure 22 License Management

License tokens are automatically allocated to printers/MFPs after they are configured in the HP Access Control Admin software (for example, after they are added to a group). The devices obtain the tokens when they boot.
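The token request and check-in cycle that this section describes (seven-day evaluation, a status check every 24 hours, six-hour retries during the grace period, five consecutive failures, then retries every five minutes), simulated as an added example that is not HP's code. The state names, the treatment of a missed token request at the end of the evaluation period as a missed status check, and counting only grace-period retries toward the five failures are assumptions made here; the intervals and the reboot behaviour are the guide's.

```python
"""Added simulation of the HPAC license-token cycle; not HP code.
Intervals and the five-failure rule come from the guide. Assumptions:
a missed token request at the end of the evaluation period is treated
like a missed status check, and only grace-period retries count toward
the five consecutive failures."""
from dataclasses import dataclass, field

HOUR = 3600
EVALUATION_PERIOD = 7 * 24 * HOUR  # runs seven days before requesting a token
CHECK_INTERVAL = 24 * HOUR         # licensed: status check every 24 hours
GRACE_INTERVAL = 6 * HOUR          # grace period: retry every six hours
DISABLED_INTERVAL = 5 * 60         # HPAC stopped: retry every five minutes
MAX_GRACE_FAILURES = 5             # consecutive failures that stop HPAC


@dataclass
class Device:
    """One printer/MFP; the clock counts seconds since its last boot."""
    now: int = 0
    state: str = "no_token"         # no_token | licensed | grace | disabled
    grace_failures: int = 0
    next_contact: int = EVALUATION_PERIOD
    history: list = field(default_factory=list)

    def contact(self, reachable: bool) -> str:
        """Advance the clock to the next scheduled contact with the Admin
        Software server, attempt it, and return the resulting state."""
        self.now = self.next_contact
        if reachable:
            # token obtained or status confirmed: back to daily checks
            self.state, self.grace_failures = "licensed", 0
            interval = CHECK_INTERVAL
        elif self.state == "disabled":
            interval = DISABLED_INTERVAL
        elif self.state == "grace":
            self.grace_failures += 1
            if self.grace_failures >= MAX_GRACE_FAILURES:
                self.state, interval = "disabled", DISABLED_INTERVAL
            else:
                interval = GRACE_INTERVAL
        else:
            # no_token or licensed: the missed contact opens the grace period
            self.state, self.grace_failures = "grace", 0
            interval = GRACE_INTERVAL
        self.next_contact = self.now + interval
        self.history.append((self.now, self.state))
        return self.state

    def reboot(self) -> None:
        """A reboot removes the token; the device requests a new one when it
        boots (assumption: immediately, with no new evaluation period)."""
        self.now = 0
        self.state, self.grace_failures = "no_token", 0
        self.next_contact = 0
        self.history.append((0, "rebooted"))


def hours_until_hpac_stops() -> float:
    """From a licensed device, hours after its last successful status check
    until HPAC ceases to function if the server never answers again."""
    dev = Device()
    dev.contact(True)          # token obtained at the end of the evaluation
    last_ok = dev.now
    while dev.contact(False) != "disabled":
        pass
    return (dev.now - last_ok) / HOUR


def outage_timeline(outage_hours: float) -> list:
    """State transitions of a licensed device during a server outage of the
    given length that starts right after a successful status check."""
    dev = Device()
    dev.contact(True)
    start = dev.now
    end = start + int(outage_hours * HOUR)
    while dev.next_contact <= end:
        dev.contact(False)
    dev.contact(True)          # first contact after the outage succeeds
    timeline, last = [], None
    for t, state in dev.history[1:]:
        if state != last:
            timeline.append((round((t - start) / HOUR, 2), state))
            last = state
    return timeline


if __name__ == "__main__":
    print(f"HPAC stops after {hours_until_hpac_stops():.0f} h without contact")
    for hours, state in outage_timeline(60):
        print(f"+{hours:>6} h  {state}")
```

Under these assumptions a licensed device tolerates 54 hours without reaching the Admin Software server before HPAC stops, and the HPAC column of the All printers list shows "Grace period" per module during the intervening window, which is the signal to restore server reachability before that budget runs out.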
A device can operate under HPAC for seven days without a license token. After this evaluation period, the device contacts the HPAC Print Server Admin Software server and requests a token. Once it has a token, the device contacts the server every 24 hours to check its licensing status. If the device cannot reach the server, it enters a grace period during which it retries every six hours. If five consecutive attempts fail, HPAC ceases to function on the device and the device retries every five minutes. Rebooting the device removes the token. In practice this means the Admin Software server must stay reachable from the devices: after the 24-hour check fails and about 30 hours of six-hourly retries also fail, the devices stop enforcing HPAC.

6-4-2 Delete license files
To delete a license file:
1. Click License management.
2. Check the box next to the license file to delete.
3. In the Related Actions section, click Delete.
4. Click Yes to confirm the deletion of the license file.

6-4-3 Remove all license tokens
To remove all license tokens from all printers/MFPs:
1. Click License management.
2. In the Related Actions section, click Remove all tokens.
3. Click Yes to confirm the removal of all tokens from the devices.

6-4-4 View a summary of each license file
To view a summary of information for each license file:
1. Click License management.
2. Click the license file.
3. The license file details display in the content area of the screen.

6-5 Printer management
The Printer management section lets users browse and manage information about the devices. It contains the following sub-sections:
• All printers list
• All groups list

6-5-1 All printers list
To view a summary of all printers managed by the HPAC Secure Print Admin Software and manage their licenses:
1. In the main menu, click Printer management.
2. Click All printers list.
Figure 23 All printers list

6-5-1-1 Printers information summary
The table below explains each of the items listed in the content area.
Sort the printers in the list by clicking the column titles.

Table 4 Printers information summary
Hostname
  The printer's hostname.
IP
  The printer's IP address (resolved dynamically).
Group
  The name of the group the printer belongs to. None designates a printer that does not belong to any group.
Sync. Status
  The synchronization status for this printer: OK, Pending Synchronization, Awaiting response from printer/MFP, Synchronizing, or Error.
HPAC
  License status per module (Aut: Authentication, SP: Secure Printing, T: Tracking). Each module shows one of: Module licensed, Module using a trial license, Grace period, or Module not licensed.

6-5-2 All printers list actions
The following actions are available to manage the printers in the All printers list:
• Add
  ○ By name
  ○ Create by CSV file
• Modify
• Delete

6-5-2-1 Add a printer to the list
To add a printer to the All printers list:
1. In the main menu, click Printer management, and then All printers list.
2. In the Related Actions section, click the desired option for adding the printer:
   a. By name: enter the printer host name in the empty field and click Add. Enter the login and password for the printer as configured in its EWS. Activate Add even if offline if appropriate; otherwise IP resolution is attempted immediately and the operation fails if the device is off.
   Figure 24 Add a printer by hostname
   b. Create by CSV file: browse the disk, select the file to add, and then click Upload file. Ideally, the CSV file listing all devices comes from HP Web Jetadmin.
IMPORTANT: All printers/MFPs must have EWS logins and passwords configured to function under HPAC. Because the Admin Software holds these EWS credentials in order to manage the devices, give each device its own EWS password rather than a shared default, and restrict access to the Admin Software server accordingly.

6-5-2-2 Move a printer from one group to another
To change the group of a printer in the All printers list:
1. In the main menu, click Printer management, and then All printers list.
2. The content area displays a list of all printers.
   Check the box next to the name of the printer to move.
3. In the Related Actions section, click Modify.
4. Select the new group in the list, and then click Ok.
Figure 25 Modify printer(s)

6-5-2-3 Delete one or more printers
To delete one or more printers from the All printers list:
1. In the main menu, click Printer management, and then All printers list.
2. The content area displays a list of all printers. Check the box next to each printer to delete.
3. In the Related Actions section, click Delete.
4. A list of the selected printers displays. Click Ok to confirm.

6-5-2-4 Ungrouped printers list: view a summary
To view a list of all printers that are not members of a group and might not be synchronized with settings: in the main menu, click Printer management, and then Ungrouped printers list. The table elements are the same as for the All printers list; see the Printers information summary section for full details.

6-5-3 Ungrouped printers list actions
The following actions are available to manage the printers in the Ungrouped printers list:
• Add printer
  ○ By name
  ○ Create by CSV
• Modify
• Delete
The instructions for these actions are the same as for the All printers list. See the All printers list actions section for full details.

6-5-4 All groups list: view a summary for printer groups
HPAC Secure Printing allows users to organize devices into groups, for example a group of devices with similar setups or located in a specific building. In the main menu, click Printer management, and then All groups list.

6-5-4-1 Printer groups information summary
The table below explains each of the items listed in the content area.

Table 5 Printer groups information summary
Name
  The name of the printer group. Click Name to toggle the listing between descending and ascending order by printer group name.
Printers count
  The total number of printers in this group.

6-5-5 All groups list actions
The following actions are available to manage the printer groups in the All groups list:
• Create
  ○ By name
  ○ By copy
• Delete
• Synchronization

6-5-5-1 Create a new printer group
To add a new printer group to the All groups list:
1. In the main menu, click Printer management, and then All groups list.
2. In the Related Actions section, click the desired option for creating the printer group:
   a. By name: enter the printer group name in the empty field, choose the functions to activate and configure (Billing, Authentication, Secure Printing), and then click Add.
   b. By copy: create a new group by copying an existing group. The drop-down list displays the existing groups. Select the group to copy, and then click Add.
NOTE: It is recommended to have separate groups for single function printers and MFPs, because MFP configurations control functions that do not exist on single function printers (such as Send to e-mail).

6-5-5-2 Delete a printer group
To delete one or more printer groups from the All groups list:
1. In the main menu, click Printer management, and then All groups list.
2. The content area displays a list of all printer groups. Check the box next to each printer group to delete.
3. In the Related Actions section, click Delete.
4. A list of the selected printer groups displays. Click Ok to confirm.

6-5-5-3 Synchronize the printers with the configuration
To deploy the configuration of the different groups to their printers:
1. Check the boxes next to the groups to synchronize.
2. Click Synchronization.
3. Printers on which the HPAC Secure Print firmware is not yet installed are first loaded with the software. The icon on the right side of the printer information reflects the synchronization status.

6-6 Manage printer group details and configuration
Click a printer group name to view and edit its details and configuration.
See the All printers list actions section for details on the actions for editing printer parameters.

6-6-1 Group details actions
The following actions are available on a printer group's details page:
• Link printers to this group
• Rename
• Change language
• Remove selected printers
• Synchronization

6-6-1-1 Link printers to this group
To add printers to the group:
1. Click Link printers to this group.
2. A list of ungrouped printers displays.
3. Select the printers to add and click Yes.
NOTE: A printer cannot be part of two groups.
NOTE: It is recommended to have separate groups for single function printers and MFPs, because MFP configurations control functions that do not exist on single function printers (such as Send to e-mail).

6-6-1-2 Rename the group
To rename a printer group:
1. Click Rename.
2. Enter a new name and click Rename.

6-6-1-3 Change the group language
To change the language for the group of printers:
1. Click Change language.
2. Select a language from the drop-down menu.
3. Click Yes to apply.

6-6-1-4 Remove printers from the group
To remove a printer from the group:
1. Click Remove selected printers.
2. A list of printers displays.
3. Click Remove.
NOTE: Removing a printer from a group removes the HPAC SP solution from the printer.

6-6-1-5 Synchronize the printers with the configuration
To deploy the group's current configuration to its printers:
1. Select the printers and click Synchronization.
2. Printers on which the HPAC Secure Print firmware is not yet installed are first loaded with the software. The icon on the right side of the printer information reflects the synchronization status.
IMPORTANT: HPAC Secure Print Admin Software takes the HPAC Secure Print firmware files from the App_Data\rfu directory of its website. Copy and decompress all updates and new versions of HPAC Secure Print into that directory. Because every synchronization loads firmware from this directory onto the devices, restrict write access to it to administrators and place only files obtained from HP there.
6-7 Configure printer groups
Printer parameters for authentication, billing, secure printing, and so on are configured in the tabs displayed below a group's list of printers.

6-7-1 View detailed information about a configuration
To view detailed information about a configuration:
1. Display the summary for the desired configuration type (such as Billing or Authentication) by clicking the appropriate tab under the group's list of printers.
2. The content area displays the details and configurable parameters.
3. Click Apply to save any changes made to the settings.
For more information on all of the parameters that can be configured, see the respective section for each type of configuration under Configure group parameters.

6-7-2 Configure group parameters
This section covers all of the parameters that can be configured for a group.

6-7-2-1 The Authentication configuration tab
To configure the parameters for Authentication:
1. Follow the steps in View detailed information about a configuration to display the details for the group to configure.
2. Click Apply at the bottom of the screen to save any changes.
The table below explains each of the Authentication parameters.

Table 6 Authentication parameters

Authentication behavior

Reader type
  Select the reader type from the drop-down list. Select None for PIN code identification or when performing badge lookup through the HPAC Secure Print Server (acting as a gateway).
  PX: proximity readers
  SW: swipe card readers
  SC: smart card readers (see the Smart Card profile section to configure Smart Card authentication)
  When authenticating through the HPAC Secure Print Server, the badge type and mask are defined in the Authentication tab.
HID Site code allowed (HID Prox badges only)
  Uses the site code to discriminate badges. Select 0 (zero) to disable discrimination.
Extraction mask
  Enter the extraction mask.
Extraction Alignment
  Align the extraction mask on the right or left of the read ID.
Custom extraction (HID Prox badges only, using the PX-Custom format)
  Site Code: enter the beginning and ending bit numbers for the site code, followed by the beginning and ending bit numbers for the badge number.
Allow manual authentication from panel
  Allows a user to log in by manually entering a badge number or network credentials on the touchscreen printer panel.
Time-out
  Maximum time (in seconds) to complete an interactive authentication (authentication request on the front panel).
Display ID
  If activated, the user ID displays on the printer/MFP screen when the user authenticates.

Authentication process

WARNING! If the Instant release option is selected in Secure Printing, the badge reader is only usable to release print jobs. It cannot authenticate for other activities, and enrollment is not possible with this option.
Authentication method(s)
  Select the primary authentication method (for example, Local ID list, HPAC Print Server, LDAP ID Lookup or Local Smart Card) in the field to the right. Click Apply at the bottom of the window to configure one or more alternate authentication methods (the fields only display after Apply is clicked). When more than one authentication method is configured, an additional field (Rank) displays on the right, allowing the failover order to be changed. The following can be combined:
  • 1 Local ID list with 5 LDAP Credentials Lookups
  • 5 HPAC Print Servers with 5 LDAP Credentials Lookups
  • 5 LDAP ID Lookups with 5 LDAP Credentials Lookups
  • 1 Local Smart Card with 1 LDAP Credentials Lookup
  NOTE: It is not possible to configure alternate (failover) authentication for single function printers.
Lock count
  Maximum number of authorized consecutive wrong user IDs.
  This is a numeric value between 1 and 9. After this maximum is reached, printer authentication enters lock mode for the period specified in the Lock delay parameter.
Lock delay
  Printer authentication lockout time in seconds after the maximum number of wrong IDs is reached. Lock count and Lock delay are the only brake on guessing PIN codes at the panel, so keep the count low and the delay long.
Failed over Login & Password LDAP
  This check box is editable when the first LDAP Credentials alternate authentication method is configured. Unchecking it deactivates the LDAP Credentials alternate authentication method(s) while keeping their configuration saved for future use.
Enable cache for LDAP process
  If set, after a user's first successful authentication the system stores the user's ID information in RAM. The next time this user identifies on that device, the system searches the cache instead of the LDAP directory. The circular cache holds up to 200 users. Stored information: user login, department, e-mail, HomeDirectory and full name. The list is cleared when the device is switched off.
  NOTE: Because the cache is consulted instead of the directory, a user disabled or removed in LDAP may still be accepted on that device until it is power-cycled. Weigh this against the lookup time saved.
Enable self enrollment
  Controls whether the Enroll me button displays on the device's control panel. See the User enrollment chapter for details.
Activity
  Select the authentication method for every activity. Use HP Web Jetadmin to configure authentication for activities not listed in the HPAC Secure Print Admin software.
Activity - Agent
  Set the device activities/functions that require users to sign in successfully before use. Each function can require a different Sign In Method, named Agent. The activities correspond to the list of activities found on the device EWS. See the printer/MFP documentation for further information.
Send to E-mail
  HPAC Secure Printing Authentication can auto-complete the e-mail fields with the user information (e-mail address, full name) upon valid authentication. The From field can be predefined to:
  • be blank,
  • use the default MFP settings, or
  • contain the authenticated user's e-mail address.
  The To, Cc, and Bcc fields can be predefined to:
  • be blank, or
  • contain the authenticated user's e-mail address.
  Prevent the user from changing the information by checking the Prevent Changes boxes.
  NOTE: To use this function, the Default From Address section of the device web page must be configured (see the E-mail Settings section on the Digital Sending tab).
Group List
  Displays the names of all the groups that have this configuration.
Apply
  Save changes by clicking Apply.

For Authentication modules that include a badge reader, the reader can read specific badge types. These types are indicated on the manufacturing label below the reader. Make sure that type matches your corporate badges or the badges supplied with HP Access Control.

When HP Access Control starts, it automatically verifies what authentication hardware is connected to the printer/MFP (for example, swipe card reader, keypad, proximity badge reader). For proximity badges, it detects which model is connected (for example, HID, Mifare, Hitag, Legic, EMMarin). The following settings can be tuned:
• Mask applied to the raw badge number (by default the mask is 111111111 applied from the right, giving a 9-digit user ID).
• HID Prox 125 kHz badge model (there are various HID Prox badge models).
• HID Prox badge site code: the Site code field can be different from 0 only if the badge holds a site code to be used for authentication.

The mask extracts a smaller value from the raw badge value. It is made of 1 and X characters: 1 keeps the digit, X drops it. Indicate whether the mask applies from the right or the left of the number.
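A worked implementation of the mask rule just described, added here as an example; it is not code from the HP guide or product. The badge 123456789 and mask 1111X1 it checks are the guide's own illustration. The one assumption it adds to the stated rule is how lengths that differ are handled: digits beyond the mask's length, and mask positions beyond the number's length, are ignored, which is what makes the default 111111111 mask trim a longer raw value to its last nine digits.

```python
"""Badge-number extraction mask as described for HPAC proximity readers.
Constructed example, not HP's code. Rule from the guide: the mask is a string
of '1' (keep the digit) and 'X' (drop it), aligned on the left or the right of
the raw badge number. Assumption added here: digits beyond the mask's length,
and mask positions beyond the number's length, are simply ignored."""


def apply_extraction_mask(raw_id, mask, align="right"):
    """Return the user ID extracted from raw_id with the given mask.

    align "left":  mask[0] lines up with raw_id[0]
    align "right": mask[-1] lines up with raw_id[-1] (the guide's default,
                   used with mask 111111111 to obtain a 9-digit user ID)
    The result stays a string so that leading zeros remain visible before
    it is compared with the ID list.
    """
    if not raw_id.isdigit():
        raise ValueError(f"badge number must be numeric: {raw_id!r}")
    mask = mask.upper()
    if not mask or any(ch not in "1X" for ch in mask):
        raise ValueError(f"mask may contain only '1' and 'X': {mask!r}")
    if align not in ("left", "right"):
        raise ValueError("align must be 'left' or 'right'")
    if align == "left":
        pairs = zip(raw_id, mask)                       # zip stops at the shorter
    else:
        pairs = zip(reversed(raw_id), reversed(mask))
    kept = [digit for digit, keep in pairs if keep == "1"]
    if align == "right":
        kept.reverse()                                  # restore reading order
    return "".join(kept)


def extract_and_check(raw_id, mask, align, min_id=1000, max_id=999999999):
    """Apply the mask and report whether the result is a usable ID list value
    (numeric, 4 to 9 digits, the range Tables 9 and 11 require)."""
    user_id = apply_extraction_mask(raw_id, mask, align)
    ok = user_id != "" and min_id <= int(user_id) <= max_id
    return user_id, ok
```

Badge 123456789 with mask 1111X1 yields 12346 aligned left and 45679 aligned right, as the guide states; a 10-digit raw value under the default mask aligned right keeps its last nine digits. extract_and_check is the test to run on a few real badges before the mask is deployed: if the extracted value falls outside 1000 to 999999999 it can never match an ID list entry, whatever the reader reports.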
For example, for badge 123456789 the mask 1111X1 gives 12346 when applied from the left, and 45679 when applied from the right.

6-7-3 Secure Print parameters
To configure the parameters for Secure Printing:
1. Follow the steps in View detailed information about a configuration to display the details for the group to configure.
2. Click Apply at the bottom of the screen to save any changes.
The following table explains each of the Secure Print parameters.

Table 7 Secure Print parameters

HP AC Secure Print Servers

Host name
  Select the host from the drop-down list.
Rank
  The priority ranking of an HPAC print server. Click the arrow signs to increase or decrease the priority ranking.
Secure Print corporate key
  Select the Secure Print encryption corporate key from the drop-down list. This is the private key associated with this configuration, securely stored on every device. Because the same key is present on every device that uses the configuration, its protection is only as good as the physical and EWS security of those devices.

Secure Print Jobs Release

Instant release (MFP only, with proximity badges only)
  When checked, the HPAC proximity card reader permanently scans for badges. When a badge is within range, all of the user's jobs are released. This allows instantaneous release of print jobs upon badge reading, without any front panel interaction.
  NOTE: This setting only works with HPAC Secure Printing installed, and is not active until the next MFP reboot.
  IMPORTANT: Because there is no interaction, when this setting is activated the HP Access Control authentication cannot be used within the HP authentication manager to control other functions such as e-mail or copy.
Print without confirmation
  On single function printers, if this option is not checked, the printer requests confirmation of the job release and the reader beeps until the user confirms the release on the printer front panel.
  If there are no pending jobs, the badge is authenticated but no message tells the user that the queue is empty. When this option is checked, jobs are released and printed immediately when the user authenticates; no confirmation is required. For most cases, it is recommended to activate this option. With the option off, no printing can happen until the user validates or cancels the job release on the front panel (there is no time-out).
  On MFPs, if this option is checked, all jobs are released when the user presses the HPAC Secure Printing button (after being authenticated); no job list is proposed. This saves time when users do not need to pick jobs from a list.
Jobs type – Stop
  HP Access Control can stop some types of jobs from being processed, to help enforce security policies. Check the box next to a job type to filter it.
Anonymous print jobs
  Jobs that do not contain the user information in the PJL header, which prevents audit and accounting. Jobs linked to a user and machine come either from a PC equipped with the HPAC Secure Print driver plug-in or from an HP printer driver released after February 2002, and carry a special PJL header bearing the user login name.
Non-anonymous print jobs
  Jobs that contain the user information in the PJL header. The HPAC Secure Print driver plug-in and HP printer drivers released after February 2002 generate this information. Note that the login name in the PJL header is written by the client's driver; it identifies the job for accounting but is not by itself proof of who sent it.
Secure Print Non-Encrypted jobs
  Jobs processed by HPAC Secure Print but not encrypted.
Secure Print Encrypted jobs
  Jobs processed by HPAC Secure Print and encrypted.
Apply
  Save changes by clicking Apply.

6-7-4 Billing parameters
Users can optionally enter a billing code during authentication to allocate the cost of the action to a project or a client.
The billing configuration enables the billing allocation functionality and associates a billing list with this configuration. A list of billing codes is a CSV file that can be created with an Excel spreadsheet or any other software capable of generating a CSV file. See the Billing lists section for detailed information on creating and configuring billing lists.

To configure the parameters for Billing:
1. Follow the steps in View detailed information about a configuration to display the details for the group to configure.
2. Click Apply at the bottom of the screen to save any changes.
The table below explains each of the Billing parameters.

Table 8 Billing parameters
Enable billing
  Check this box to enable the billing functionality during authentication.
Enable billing validation
  Check this box to validate entered billing codes against billing lists.
Secure Print corporate key
  Select the Secure Print encryption corporate key from the drop-down list. This is the private key associated with this configuration, securely stored on every device.
Billing list
  The name of the billing list file. See the Billing lists section for detailed information on creating and configuring billing lists. Select None to deactivate billing code validation.
Apply
  Save changes by clicking Apply.

6-8 List management
The List management section allows users to consult and manage the following list types:
• Local ID list: lists of authorized users and ID codes (PIN, badge number) for local authentication
• LDAP List Generate & Notify
• Billing list: lists of billing codes.
  Users can enter a billing code at copy, fax, e-mail or print time to allocate the cost of the action to a project or a client.
• LDAP Profiles: LDAP lookup configuration
• HPAC Print Server management: lists of servers and their respective ports
• Smart Card Profiles
• Corporate Key Lists

The ID list, LDAP settings and HPAC Secure Print Server relate to authentication and to determining the user behind an ID (PIN code, badge). HP Access Control can validate the user ID in three different ways, each with its own benefits.

Figure 26 Users and ID list local to the printer/MFP (1: HPAC Admin Software, 2: CSV file, 3: LDAP/SLDAP)
Figure 27 Users and ID information in AD/LDAP, direct live lookup (1: LDAP/SLDAP)
NOTE: HPAC direct live LDAP validation is only for MFPs, except the CM8050 and CM8060 MFPs.
Figure 28 Users and ID information in AD/LDAP, indirect live lookup (1: HPAC Secure Print Server, 2: LDAP/SLDAP)

6-8-1 ID lists
The list of users and PIN codes is a CSV file that can be created in two ways:
• Using an Excel spreadsheet or any other software capable of generating a CSV file (this software is not supplied with HP Access Control)
• Using the LDAP synchronization function of the HPAC Secure Print Admin Software
A sample file is provided with the HPAC Secure Print Admin Software. Administrators can also build custom applications that interface with the file, with assisted data entry or database lookup, using Excel Visual Basic scripts. The CSV file must comply with the structure in the following table. Data between "quotes" must be entered as shown. Data fields are separated by a semicolon ';' or by a comma ','.
NOTE: The list must include a minimum of two users.

Table 9 CSV file structure for ID lists
A-1 cell
  "VERSION"
B-1 cell
  Users list version number. The string is alphanumeric with a maximum of 10 characters.
C-1 cell
  "Sept08"
A-2 cell
  "MAXWRONGPIN"
B-2 cell
  Maximum number of authorized consecutive wrong user IDs.
  This is a numeric value between 1 and 9.
A-3 cell
  "WRONGPINDELAY"
B-3 cell
  Printer authentication lockout time in seconds after the maximum number of wrong IDs has been reached.
A-4 cell
  "USERTIMEOUT"
B-4 cell
  Set this parameter to 30.
A-5 cell
  "LOCKOUTTIME"
B-5 cell
  Maximum delay in seconds to show/enter an authentication on MFPs before the automatic cancellation of the process.
A-6 cell
  "MAXWRONGADMINPIN"
B-6 cell
  Maximum number of authorized consecutive wrong authentications for remote update. This is a numeric value between 1 and 9.
A-7 cell
  "ADMINLOCKOUTTIME"
B-7 cell
  Printer configuration update lockout time in minutes after the maximum number of wrong admin PIN codes has been reached during remote update attempts.
User information starts at line 8, column C:
Column C (required for every user)
  ID (PIN, badge number). Numeric, 4 to 9 digits.
Column D (required for every user)
  Domain\Login name. Alphanumeric, 1 to 41 characters. If the domain name is omitted, the \ must also be omitted.
Column E (required for every user)
  User department. Alphanumeric, 1 to 30 characters, or UNKNOWN for no department.
Column F (required for every user)
  User e-mail address for automatic user information update notification (up to 180 characters), or UNKNOWN for no e-mail address.
Column G
  Date when the user was added to the list (format YYYYMMDD).
Column H
  User full name (up to 30 characters). If the name is omitted, the system uses the login name as the user name.
Columns I to Z
  Do not use columns I to Z for other personal information, as future versions may use them.
Line following the last entry, column A
  "ENDOFLIST"
After the file has been filled out, export it in CSV semicolon-delimited format (File > Save As > Save as type .csv) with the semicolon as delimiter, so that it can be loaded into the HPAC Admin Software. This file holds every user's PIN or badge number in clear text: keep it access-restricted and remove working copies once it has been loaded.
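An example script, added here and not HP's own tooling, that builds an ID list in the Table 9 layout and checks a file against the same rules before it is uploaded, so that a rejected file can be diagnosed instead of just refused. The row layout, field limits, the Sept08 marker, the fixed USERTIMEOUT of 30 and the ENDOFLIST terminator come from the table above; the random PIN generator (the kind of thing the Autogenerate PIN list action does server-side), the sample users and the validator's messages are this example's own additions.

```python
"""Build and validate an HPAC local ID list CSV in the Table 9 layout.
Constructed example, not HP's tooling: the layout, field limits, Sept08 and
ENDOFLIST come from the guide; the PIN generator and messages are additions."""
import csv
import io
import re
import secrets

HEADER_KEYS = ("VERSION", "MAXWRONGPIN", "WRONGPINDELAY", "USERTIMEOUT",
               "LOCKOUTTIME", "MAXWRONGADMINPIN", "ADMINLOCKOUTTIME")
MIN_ID, MAX_ID = 1000, 999999999          # 4 to 9 digits (Tables 9 and 11)


def generate_unique_pins(count, size, taken=()):
    """Distinct random PINs of exactly `size` digits (4..9), drawn from
    `secrets` because a PIN is an authenticator; never a leading zero."""
    if not 4 <= size <= 9:
        raise ValueError("ID size must be between 4 and 9 digits")
    lo, hi = 10 ** (size - 1), 10 ** size
    pins, used = [], set(taken)
    while len(pins) < count:
        pin = lo + secrets.randbelow(hi - lo)
        if pin not in used:
            used.add(pin)
            pins.append(pin)
    return pins


def build_id_list(users, version="v1", max_wrong_pin=3, wrong_pin_delay=60,
                  lockout_time=30, max_wrong_admin_pin=3, admin_lockout_time=5):
    """Rows of an ID list. Each user: dict with id, login and optionally
    department, email, date (YYYYMMDD), fullname."""
    rows = [["VERSION", version, "Sept08"], ["MAXWRONGPIN", max_wrong_pin],
            ["WRONGPINDELAY", wrong_pin_delay], ["USERTIMEOUT", 30],  # fixed at 30
            ["LOCKOUTTIME", lockout_time], ["MAXWRONGADMINPIN", max_wrong_admin_pin],
            ["ADMINLOCKOUTTIME", admin_lockout_time]]
    for u in users:                           # user rows: line 8 on, column C on
        rows.append(["", "", u["id"], u["login"],
                     u.get("department") or "UNKNOWN", u.get("email") or "UNKNOWN",
                     u.get("date", ""), u.get("fullname", "")])
    rows.append(["ENDOFLIST"])
    return rows


def to_csv(rows):
    """Serialise with the semicolon delimiter the Admin Software expects."""
    buf = io.StringIO()
    csv.writer(buf, delimiter=";", lineterminator="\r\n").writerows(rows)
    return buf.getvalue()


def validate_id_list(text):
    """Problems found in an ID list CSV; an empty list means the file is valid."""
    rows = list(csv.reader(io.StringIO(text), delimiter=";"))
    problems = []
    for i, key in enumerate(HEADER_KEYS):
        if i >= len(rows) or rows[i][:1] != [key]:
            problems.append(f"line {i + 1}: expected {key}")
    if rows and rows[0][:1] == ["VERSION"] and (
            len(rows[0]) < 3 or rows[0][2] != "Sept08" or not 1 <= len(rows[0][1]) <= 10):
        problems.append("line 1: VERSION needs a version (max 10 chars) and Sept08")
    for idx in (1, 5):                        # MAXWRONGPIN, MAXWRONGADMINPIN: 1..9
        if idx < len(rows) and not (len(rows[idx]) > 1 and rows[idx][1].isdigit()
                                     and 1 <= int(rows[idx][1]) <= 9):
            problems.append(f"line {idx + 1}: value must be 1..9")
    if len(rows) > 3 and rows[3][1:2] != ["30"]:
        problems.append("line 4: USERTIMEOUT must be 30")
    seen, users = set(), 0
    for n, row in enumerate(rows[7:], start=8):
        if row[:1] == ["ENDOFLIST"]:
            break
        row = row + [""] * (8 - len(row))     # pad short rows through column H
        uid, login, dept, mail, date, name = row[2:8]
        if not (uid.isdigit() and MIN_ID <= int(uid) <= MAX_ID):
            problems.append(f"line {n}: ID must be numeric, 4 to 9 digits")
        elif uid in seen:
            problems.append(f"line {n}: duplicate ID {uid}")
        seen.add(uid)
        if not 1 <= len(login) <= 41 or login.startswith("\\"):
            problems.append(f"line {n}: login must be 1..41 chars, Domain\\login or login")
        if not (dept == "UNKNOWN" or 1 <= len(dept) <= 30):
            problems.append(f"line {n}: department must be 1..30 chars or UNKNOWN")
        if not (mail == "UNKNOWN" or 1 <= len(mail) <= 180):
            problems.append(f"line {n}: e-mail must be 1..180 chars or UNKNOWN")
        if date and not re.fullmatch(r"\d{8}", date):
            problems.append(f"line {n}: date must be YYYYMMDD")
        if len(name) > 30:
            problems.append(f"line {n}: full name must be at most 30 chars")
        users += 1
    else:
        problems.append("missing ENDOFLIST marker")
    if users < 2:
        problems.append("the list must contain at least two users")
    return problems


# Constructed sample users (invented logins and address); the second user gets a
# generated 6-digit PIN that avoids the first user's ID.
SAMPLE_USERS = [
    {"id": 123456, "login": "CORP\\jsmith", "department": "Finance",
     "email": "jsmith@example.com", "date": "20100201", "fullname": "John Smith"},
    {"id": generate_unique_pins(1, 6, taken=[123456])[0], "login": "adoe"},
]
EXAMPLE_CSV = to_csv(build_id_list(SAMPLE_USERS, version="2010-02"))
```

Running validate_id_list over a file exported from Excel before uploading it catches the usual rejections (a missing ENDOFLIST line, a PIN shorter than four digits, a duplicate badge number, a single-user list) with a line number, which the Admin Software's "cannot open invalid files" refusal does not give. The generator draws from secrets rather than random and never produces a leading zero, so an ID survives a round trip through a spreadsheet that stores it as a number.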
IMPORTANT: The HPAC Admin software cannot open invalid files.

6-8-2 View a summary of ID lists
To view a summary of information on ID lists: in the main menu, open List management, and then click Local ID list. The table below explains each of the items listed in the content area.

Table 10 ID lists summary
Name
  The name of the ID list.
List number
  The number of entries in the list.
Groups
  Total number of groups associated with this list.

6-8-3 Local ID list actions
The following actions are available to manage the ID lists:
• Create
• Delete
• View the details

6-8-3-1 Create a new ID list
To add a new ID list:
1. In the main menu, open List management, and then click Local ID list.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new ID list name, and then click Ok.
4. After the list is created, select it to import data.

6-8-3-2 Delete an ID list
To delete an ID list:
1. In the main menu, open List management, and then click Local ID list.
2. The content area displays a list of all ID lists. Check the box next to the ID list to delete.
3. In the Related Actions section, click Delete.
4. A list of the selected ID lists displays. Click Ok to confirm.

6-8-3-3 View the details for an ID list entry
To view the details for an ID list entry:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list entry to view.
3. The content area displays detailed information for the chosen ID list entry.

6-8-4 Local ID list entry actions
The following actions are available to manage the entries of an ID list:
• Create
  ○ By Name
  ○ Create by CSV
• Edit
• Delete
• Rename
• Export as CSV
• Notify users
• Autogenerate PIN list

6-8-4-1 Add entries to an ID list
To add entries to an ID list:
1. In the main menu, open List management, and then click Local ID list.
2. Click the name of the ID list to add entries to.
3. The content area displays detailed information for the chosen ID list.
4. In the Related Actions section, click Create.
5. Enter the information for each field.
6. When finished, click Add.
Figure 29 Local ID list
The table below explains each of the items listed in the content area.
NOTE: Only the ID code and Login fields are mandatory.

Table 11 ID list entry fields summary
Name (required)
  Name of the ID list entry.
ID code (required)
  Numeric value from 1000 to 999999999. For HP Access Control PIN code authentication, the ID is the PIN code. For the HP Access Control proximity reader, it is the badge number.
Domain
  User domain.
Login (required)
  User login.
Department
  User department.
E-mail
  User e-mail.
Date
  Creation date.
The second table in the content area displays the groups associated with this list.

6-8-4-2 Add ID list entries from CSV files
To import ID list entries from a CSV file:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list name.
3. Click Create by CSV.
4. Browse to the location of the CSV file and click Upload file.

6-8-4-3 Edit ID list entries
1. Display the details for an ID list entry by following the steps in the View the details for an ID list entry section.
2. Edit the fields as desired.
3. Click Ok to save changes.

6-8-4-4 Delete ID list entries
1. In the main menu, open List management, click Local ID list, and then click the ID list name.
2. The content area displays the entries of the list. Check the boxes next to the entries to delete.
3. In the Related Actions section, click Delete.
4. A list of the selected entries displays. Click Ok to confirm.

6-8-4-5 Rename an ID list
To rename an ID list:
1. In the main menu, open List management, and then click Local ID list.
2. The content area displays a list of all ID lists. Click the ID list to rename.
3. In the Related Actions section, click Rename.
4. Enter the new name for the ID list.
5. Click Ok to confirm.
6-8-4-6 Export ID lists in CSV format
To export ID list entries in CSV format:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list name.
3. Click Export as CSV.
4. Choose whether to open or save the CSV file. If saving, indicate where to save the file.

6-8-4-7 Notify users
The Notify users option defines which users receive an e-mail containing their identifiers. Select All users if the list is new, Users since for users recently added to the list, or Only users below if some users have forgotten their PIN code and request a new notification. The notification e-mail carries the user's PIN or badge number in clear text; enable Use SSL in the SMTP settings and make sure the addresses in the list belong to the users themselves.
NOTE: To use this option, the LDAP list Generate & Notify parameters must first be configured.
To notify users of their identifiers:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list name.
3. Click Notify users.
4. Select All users, Users since (select the date from which the users were added), or create a list of users to be notified.
5. Click Ok to confirm.
Figure 30 Notify users

6-8-4-8 Autogenerate PIN list: import from LDAP
Badge numbers and user information can be extracted automatically from LDAP. PIN codes can either be generated automatically for the users or extracted from LDAP (for example, to use the employee number as a PIN code). An employee number is often known to colleagues and easy to guess from a neighbouring one; a generated PIN is the stronger choice.
NOTE: To use this option, the LDAP list Generate & Notify parameters must first be configured.
To import user information from LDAP into an ID list:
1. In the main menu, open List management, and then click Local ID list.
2. Click the name of the ID list to import data into.
3. In the Related Actions section, click Autogenerate PIN list.
4. Select whether to replace the existing users (check the Replace existing user(s) box) or only add the new users (leave the Replace existing user(s) box unchecked).
NOTE: If the Replace existing user(s) box is checked, the process takes longer as all existing user entries are updated. HPAC Secure Print Admin Software replaces the content of the ID list with the data extracted from the LDAP server while extracting/creating the unique ID codes. This system allows adding users to printers, MFPs or Digital Senders without having to change the ID code of existing users. 6-9 LDAP list – Generate & Notify If required, users can be automatically notified of their ID code (PIN code, badge number) by the HPAC Secure Print Admin Software. We recommend validating the LDAP parameters using any third party LDAP browser. The following sections explain how to fill in the fields of this screen. 6-9-1 SMTP settings The SMTP setting information is required to send e-mails from the software. Ask the network administrator for all of the required information. Table 12 SMTP settings Parameter Description/Instructions SMTP server IP address IP address of SMTP server (for example, 192.168.0.199) SMTP server TCP/IP Port Port of SMTP server (for example, 25) Account name Authorized login on SMTP server (for example, johnsmith) Password The password associated to the login (for example, 4rk9812rwn) User name Check this box to use the account name and password for identification on the SMTP server. Leave the box unchecked to connect anonymously. Use SSL Check this box to use SSL. E-mail message 55 Table 12 SMTP settings Parameter Description/Instructions From E-mail address of the sender (usually the administrator e-mail address) Subject Subject of the e-mail Message The Message field allows entering the e-mail text sent to all users to notify them about their new or future valid PIN code. Variables are available for customization: the %u is replaced by the user name, and %c by the ID code given to that user. NOTE: The e-mail text cannot exceed 900 characters. 
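The following Python is an added example, not HP's code, showing the behaviour described for the Autogenerate PIN list option (existing ID codes are kept when Replace existing user(s) is unchecked, the list is rebuilt when it is checked), the numeric ID code range from Table 11, the 4 to 9 digit ID size from the PIN autogeneration settings, and the %u / %c substitution and 900-character limit from Table 12. The dict and list shapes used for the ID list and the LDAP users, and the sample users themselves, are constructed assumptions.

```python
"""Added example (not HP's code): autogenerate numeric PIN codes for a local
ID list and render the notification e-mail with the %u / %c variables.

Assumptions not stated in the guide: the ID list is modelled as a dict
login -> ID code string, and the users pulled from LDAP arrive as a list
of logins. The sample users at the bottom are constructed data.
"""
import secrets

ID_MIN, ID_MAX = 1000, 999999999          # valid ID code range (Table 11)
MESSAGE_LIMIT = 900                       # e-mail text limit (Table 12)


def valid_id_code(code: str) -> bool:
    """Table 11 rule: the ID code is numeric and lies in 1000..999999999."""
    return code.isdigit() and ID_MIN <= int(code) <= ID_MAX


def generate_pin(id_size: int, taken: set) -> str:
    """Return a random PIN of exactly id_size digits (4..9) not in `taken`.

    The low bound is 10**(id_size-1), so a PIN never has a leading zero:
    a 4-digit PIN such as 0999 would be stored as 999 and fall below the
    1000 minimum of Table 11.
    """
    if not 4 <= id_size <= 9:
        raise ValueError("ID size must be between 4 and 9 digits")
    low, high = 10 ** (id_size - 1), 10 ** id_size - 1
    if len(taken) >= high - low + 1:
        raise RuntimeError("PIN space exhausted for this ID size")
    while True:
        pin = str(low + secrets.randbelow(high - low + 1))
        if pin not in taken:
            return pin


def autogenerate_pin_list(existing: dict, ldap_logins: list, id_size: int,
                          replace_existing: bool) -> dict:
    """Mirror the Replace existing user(s) check box.

    Unchecked (False): keep every existing user's ID code and only assign
    PINs to logins that are new to the list.
    Checked (True): rebuild the list from the LDAP users, re-issuing PINs.
    """
    result = {} if replace_existing else dict(existing)
    taken = set(result.values())
    for login in ldap_logins:
        if login in result:
            continue                      # existing ID code stays unchanged
        pin = generate_pin(id_size, taken)
        result[login] = pin
        taken.add(pin)
    return result


def render_notification(template: str, user: str, id_code: str) -> str:
    """Substitute %u (user name) and %c (ID code), enforcing the 900-char
    limit the guide places on the notification text."""
    body = template.replace("%u", user).replace("%c", id_code)
    if len(body) > MESSAGE_LIMIT:
        raise ValueError(f"message exceeds {MESSAGE_LIMIT} characters")
    return body


if __name__ == "__main__":
    # Constructed sample data: two users already hold PINs, LDAP returns three.
    current = {"jsmith": "4821", "alee": "9034"}
    from_ldap = ["jsmith", "alee", "bkhan"]
    merged = autogenerate_pin_list(current, from_ldap, 4, replace_existing=False)
    assert merged["jsmith"] == "4821" and merged["alee"] == "9034"
    template = "Hello %u, your new PIN code for the MFP is %c."
    print(render_notification(template, "bkhan", merged["bkhan"]))
```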
6-9-2 PIN List Autogeneration parameters

6-9-2-1 LDAP settings
LDAP settings are fields that configure the access to the LDAP directory and its data.

Table 13 LDAP settings
Parameter | Description/Instructions
LDAP profile | The LDAP profile that should be used to generate the PIN lists.
LDAP version | Specifies the protocol version that is used to perform the LDAP connection. The version can be either 2 or 3.
Filter | Defines the search rule used to access specific records. The standard LDAP search syntax must be used.
Department Filter | Can be used to extract users from a list of specific departments. Multiple department names can be entered (up to 2500 characters), separated by semi-colons ‘;’. NOTE: Department names cannot include the ‘;’ character, as ‘;’ is the separator. This Directory filter is not linked to the LDAP filter and can replace it for department extractions.
Authentication Type | Defines the credential information used to access the LDAP database.
Anonymous | Click Anonymous if no login is required.
ID
ID Size | Defines how many digits the PIN codes must contain (from 4 to 9).
Apply | After all settings are defined, click Apply to save the parameters.

6-10 Billing lists
Users can enter a billing code at copy, fax, e-mail or print time to allocate the cost of the action to a project or a client. This ensures all jobs can be allocated to a valid project/client. Billing codes entered on the MFP front panel can be used to allocate the cost of an operation to a client, a project, or a department. By default, any text can be entered. It is also possible to validate that billing code against a predefined list of up to 1 million codes. Such validated billing codes can only be numeric, with values from 1000 to 999999999 (nine digits). The list of billing codes is a CSV file that can be defined using the Excel spreadsheet or any other software capable of generating a CSV file (this software is not supplied with HP Access Control). A sample file is provided with the admin software. Administrators can build custom applications to interface the file with assisted data entry or database lookup using Excel Visual Basic script programming.

NOTE: The billing functionality is only available when local ID list authentication is used (for example, it cannot be combined with live LDAP/Active Directory authentication).

6-10-1 Billing lists structure
The CSV file must comply with the following structure:
• Billing code followed by a comma “,”
• Billing codes information starts at line 1, column A
• Column A: Billing code, from 1 to 9 digits

For example:
12345678;
1234;
99999999;

NOTE: There is no special command to end the list of billing codes.

6-10-2 View a summary of billing lists
To view a summary of information on billing lists: In the main menu, open List management, and then click Billing list.

The table below explains each of the items listed in the content area.

Table 14 Billing list settings
Parameter | Description/Instructions
Name | The name of the billing list
List number | The number of billing codes assigned in each list
Group number | Total number of groups associated with this list

6-10-3 Billing list actions
The following actions are available to manage the billing lists:
• Create
• Delete
• View the details

6-10-3-1 Create a new billing list
To add a new billing list:
1. In the main menu, open List management, and then click Billing list.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new billing list name.
4. Click Add.

6-10-3-2 Delete a billing list
To delete a billing list:
1. In the main menu, open List management, and then click Billing list.
2. The content area displays all billing lists. Check the box next to the billing list to delete.
3. In the Related Actions section, click Delete.
4. A list of selected billing lists displays. Click Yes to confirm.

6-10-3-3 View the details for a billing list
To view the details for a billing list:
1. In the main menu, open List management, and then click Billing list.
2. Click the billing list name to view.
3. The content area displays the detailed information for the selected billing list.

The table below explains each of the billing list details listed in the content area.

Table 15 Billing list details
Parameter | Description/Instructions
code | Users can enter a billing code at copy, fax, e-mail or print time to allocate the cost of the action to a project or a client. By default, the billing code can be any numeric value from 1 to 9 digits, but HP Access Control can also control the entry against a list of authorized billing codes. This ensures all jobs can be allocated to a valid project/client. See the Billing lists section for more information.

The second table in the content area displays the groups associated with this list.

6-10-4 Billing list details actions
The following actions are available to manage a specific billing list:
• Create
  ○ By Name
  ○ Create by CSV
• Delete
• Rename

6-10-4-1 Add details to a billing list
To add details to a billing list:
1. In the main menu, open List management, and then click Billing list.
2. Click the billing list name to add the details.
3. The content area displays the detailed information for the selected billing list.
4. In the Related Actions section, click By Name.
5. Enter the information for each field.
6. When finished, click Add.

6-10-4-2 Import billing list codes from a CSV file
To import a billing list:
1. In the main menu, open List management, and then click Billing list.
2. Click the list into which to import the data of the CSV file.
3. In the Related Actions section, click Create by CSV.
4. Browse to the location of the CSV file and click Upload file.
5. Click Yes to confirm.

6-10-4-3 Delete billing list codes
To delete billing list codes:
1. In the main menu, open List management, and then click Billing list.
2. Click the billing list that contains the codes to delete.
3. Check the box next to the billing code to delete.
4. Click Delete.

6-10-4-4 Rename a billing list
To rename a billing list:
1. In the main menu, open List management, and then click Billing list.
2. The content area displays all billing lists. Click the billing list to rename.
3. In the Related Actions section, click Rename.
4. Enter the new name for the billing list.
5. Click Rename to confirm.

6-11 LDAP profiles
The LDAP profile section enables the management of two types of LDAP profiles:
• LDAP Authentication – The lookup for the user behind an ID (badge or PIN code) is done directly against the LDAP server, without going through the HPAC Secure Print Server gateway.
• Alternate Authentication – Login and password authentication.

6-12 View a summary for the LDAP profiles
To view a summary of information about LDAP profiles:
1. In the main menu, open List management.
2. Click LDAP profiles.

The table below explains each of the details listed in the content area.

Table 16 LDAP profile settings
Parameter | Description/Instructions
Name | The profile name
Domain | The host domain
Hostname | The host name of the LDAP server
Host port | The host port
SSL | Whether SSL is used
Groups | The total number of groups associated with this profile

6-12-1 LDAP profile actions
The following actions are available to manage the LDAP profiles:
• Create
• Delete
• View
• Edit

6-12-1-1 Create a new LDAP profile
To add a new LDAP profile:
1. In the main menu, open List management, and then click LDAP profiles.
2. Click LDAP profile.
3. In the Related Actions section, click Create.
4. Enter the name for the new LDAP profile.
5. Click Yes.
6. Click the newly created LDAP profile to configure it.

Figure 31 LDAP profile

The table below explains each of the LDAP profile fields.

Table 17 LDAP profile fields
Parameter | Description/Instructions
Name | The profile name
Domain | The host domain
Hostname | The host name of the LDAP server
Host port | The host port
SSL | Whether SSL is used
Login | The login
Password | The password
ID code field name | Active Directory field for the ID code
Login field name | Active Directory field for the login
Department field name | Active Directory field for the department
E-mail field name | Active Directory field for the e-mail
Full name field name | Active Directory field for the full name
Home directory field name | Active Directory field for the home directory
Search base | LDAP search path
Timeout | Search timeout (in seconds)

6-12-1-2 Delete an LDAP profile
To delete one or more LDAP profiles:
1. In the main menu, open List management, and then click LDAP profiles.
2. The content area displays all LDAP profiles. Check the box next to the LDAP profile to delete.
3. In the Related Actions section, click Delete.
4. A list of selected LDAP profiles displays. Click Yes to confirm.

6-12-1-3 View the details for an LDAP profile
To view the details for an LDAP profile:
1. In the main menu, open List management, and then click LDAP profiles.
2. The content area displays all LDAP profiles. Click the LDAP profile to view.

The previous table explains each of the LDAP profile details listed in the content area. The second table in the content area displays the groups associated with this LDAP profile.

6-12-1-4 Edit the details for an LDAP profile
To edit the details for an LDAP profile:
1. In the main menu, open List management, and then click LDAP profiles.
2. The content area displays all LDAP profiles. Click the LDAP profile to edit.
3. Edit the fields as desired.
4. Click Apply to save changes.
6-13 HPAC Print Server management list

6-13-1 View a summary of information
To view a summary of information for HP Access Control Print servers: In the main menu, open List management, and then click HP Access Control Print server management list.

The table below explains each of the items listed in the content area.

Table 18 HPAC Print server management list settings
Parameter | Description/Instructions
HPAC Print Server | The server host name
Groups | The total number of groups associated with this server

6-13-2 HPAC server management list actions
The following actions are available to manage the HP Access Control Print server management lists:
• Create
• Delete
• View
• Edit

6-13-2-1 Create a new server
To add a new HP Access Control Print server to the list:
1. In the main menu, open List management, and then click HP Access Control Print server management list.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new HP Access Control Print server name.
4. Click Add.

6-13-2-2 Delete a server
To delete one or more HP Access Control Print servers from the list:
1. In the main menu, open List management, and then click HP Access Control Print server management list.
2. The content area displays all HP Access Control Print servers. Check the box next to the HP Access Control Print server to delete.
3. In the Related Actions section, click Delete.
4. A list of selected HP Access Control Print servers displays. Click Ok to confirm.

6-13-2-3 View the details for a server
To view the details for an HP Access Control Print server profile:
1. In the main menu, open List management, and then click HP Access Control Print server management list.
2. The content area displays all HP Access Control Print servers. Check the box next to the HP Access Control Print server to view.
3. The content area displays the detailed information for the selected HP Access Control Print server.

The table below explains each of the server details listed in the content area.

Table 19 HPAC Print server details
Parameter | Description/Instructions
Hostname | The server host name
Port | The server port

The second table in the content area displays the groups associated with this list.

6-13-2-4 Edit the details for a server
To edit the details for an HP Access Control Print server:
1. In the main menu, open List management, and then click HP Access Control Print server management list.
2. The content area displays all HP Access Control Print servers. Click the HP Access Control Print server to edit.
3. Edit the fields as desired.
4. Click Apply to save changes.

6-14 Smart Card profile

6-14-1 Smart Card authentication
HP Access Control Secure Print provides contact Smart Card authentication capabilities. Contact Smart Cards must not be confused with contactless Smart Cards. While contactless Smart Cards are mainly proximity badges with advanced communication encryption and secure storage sectors, contact Smart Cards consist of microchips embedded in a small plastic card with golden or silver contacts on the surface. Such Smart Cards have advanced computing and encryption capabilities, being able to run software in a proprietary OS, in Java, or even .NET. All Smart Cards are different and the communication protocol is proprietary, defined by the OS or the applet loaded and called on the Smart Card. Verify the compatibility of HPAC Secure Print Smart Card Authentication with both the Smart Card hardware platform and the OS or applet loaded on the Smart Card platform by the Smart Card middleware.

HPAC Secure Print Smart Card Authentication supports the following Smart Card platforms: JCOP, Siemens CardOS M4, Micardo, Oberthur, OpenPGP, FineID, US DOD CAC/PIV, Setec Setcos, Giesecke & Devrient Starcos and Seccos, TCOS based NetKey E4, SignTrust, Smartkey and AKIS Smart Cards.

HPAC Secure Print Smart Card Authentication is a middleware used to authenticate users with Smart Cards. It runs directly on the printer.
1. If validation is needed, the Certificate Revocation List CRL (.crl) and Certificate Authority CA (.ca) files have to be preloaded on the MFPs using the HPAC Admin software. This reduces traffic and allows a large CRL to be used and updated according to the administrator’s wishes.
2. The user selects a function requiring Smart Card authentication (for example, e-mail).
3. The user inserts his/her Smart Card in the Smart Card reader located on the MFP.
4. The printer/MFP keyboard is used to enter the card PIN code (numeric or alphanumeric).
5. The first authentication certificate is extracted from the Smart Card public container.
6. The PKI proof of ownership of the certificate verification is performed on the card. It can be deactivated, if needed.
7. The certificate signature is verified using the CA file. This can be deactivated, if needed.
8. The content of the SubjectAlternativeName extension of the X509 certificate is used directly or indirectly:
   ○ Directly: It is used for the e-mail address. The user name is the text preceding the @ character.
   ○ Indirectly: It is supplied to the HPAC Secure Printing Server authentication service that uses it to perform a lookup against one or more LDAP/SLDAP/AD servers. The user information (full name, login name, e-mail address, domain, department, home directory) is returned by the authentication service and injected in the printer authentication manager for usage by applications, such as e-mail sending, secure printing, and scan to folder.

6-14-2 Smart Card profile actions
Two actions are available to manage the Smart Card profiles:
• Create
• Delete

6-14-2-1 Create a new Smart Card profile
To add a new Smart Card profile:
1. In the main menu, select Smart Card profile.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new Smart Card profile name and click Ok.
4. After the profile is created, configure the validation method.
   a. Click the newly created Smart Card profile (displayed on the left in the main section of the window).
   b. Configure the Smart Card profile validation parameters as desired (see the table below for further information).
5. Click Apply to save changes.

Figure 32 Smart Card profile

Table 20 Smart Card profile settings
Parameter | Description/Instructions
Name | Displays the Smart Card profile name. To rename it, enter a new name.
Use CA/CRL for validation | Check this box to use both the CA and the CRL to validate the Smart Card.
CA | Gives the name of the CA file used. To upload a CA file, click Import file and browse to the desired file.
CRL | Gives the name of the CRL file used. To upload a CRL file, click Import file and browse to the desired file. A CRL file must only be loaded if the Use CA/CRL for validation option is checked.
Use PS for lookup | Check this option to perform the lookup against the Print Server user list.
Verify the PIN code | This option is currently unavailable.
Parse the X509 certificate for field(s) | This option is currently unavailable.
Perform proof of possession challenge | Check this option to verify that the certificate used belongs to the Smart Card used.
Read the certificate | This option is currently unavailable.

6-14-2-2 Delete a Smart Card profile
To delete one or more Smart Card profiles:
1. In the main menu, select Smart Card profile.
2. Check the boxes next to the Smart Card profiles to delete, or check the top box to select all Smart Card profiles.
3. In the Related Actions section, click Delete.
4. A list of all the selected Smart Card profiles displays.
5. Click Ok to confirm the deletion.

6-15 HPAC corporate keys
The HP Access Control system uses two encryption keys, a private and a public one. The public key is distributed to all users who might use Advanced Encryption Standard (AES) encryption for their jobs. The distribution is done through the Print-SMP Driver plug-in and it is configured by the system administrator. The private key is sent by the system to all printers. When a user sends a job to print, the job is first encrypted using the public key. When the user requests the release of this secure print job, the print job is decrypted using the private key. Generate a list of corporate keys and manage them in the Corporate Key list section. After the key pair has been created, the private key is loaded securely on all devices by the HPAC Admin Software. For more information on the HPAC Secure Printing encryption, see the Encryption schemes, corporate key chapter of this manual.

6-15-1 View a summary of information
To view a summary of information for HP Access Control corporate keys: In the main menu, open List management, and then click Corporate Key list.

Figure 33 Corporate Key List

The table below explains each of the items listed in the content area.

Table 21 HPAC corporate key list settings
Parameter | Description/Instructions
Name | The name of the corporate key
Groups | The total number of groups associated with this key

6-15-2 Corporate key list actions
The following actions are available to manage the HP Access Control corporate keys:
• Create
• Delete
• View key

6-15-2-1 Create a new HPAC corporate key
To add a new HP Access Control corporate key to the list:
1. In the main menu, open List management, and then click Corporate Key list.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new HP Access Control corporate key.
4. Click Ok.

6-15-2-2 Delete an HPAC corporate key
To delete one or more HP Access Control corporate keys from the list:
1. In the main menu, open List management, and then click Corporate Key list.
2. The content area displays all HP Access Control corporate keys. Check the box next to the HP Access Control corporate keys to delete.
3. In the Related Actions section, click Delete.
4. A list of selected HP Access Control corporate keys displays. Click Ok to confirm.

6-15-2-3 View an HPAC corporate key
To view an HP Access Control corporate key:
1. In the main menu, open List management, and then click Corporate Key list.
2. Check the boxes next to the HP Access Control corporate keys to view.
3. In the Related Actions section, click View key.
4. In the Related Actions section, click a key to view.

7 Direct live LDAP authentication

7-1 Introduction
HPAC Secure Print authentication modules installed on MFPs can directly validate a PIN code or swipe/proximity badge number against one or more Active Directory or LDAP servers and retrieve the user information.

Table 22 Direct live LDAP authentication data
Data Supplied to AD/LDAP | Data Returned (Example)
ID (1234) | Domain (marketing), Login (jsmith), Department (sales), E-mail ([email protected]), Full name (John Smith)

7-2 Direct live authentication with AD/LDAP databases
The HPAC Secure Print authentication module installed on the MFP can directly retrieve user information from Active Directory/LDAP servers. The complete retrieval of the user login name, department, e-mail address, and full name is carried out directly by the HPACSP firmware on the MFP.

NOTE: If CM8050/CM8060 Color MFPs or single function printers are used, use the indirect live LDAP authentication procedure described in the next chapter, as direct LDAP lookup is not available for those devices.

Figure 34 Direct live LDAP authentication
1 User ID (PIN, badge number)
2 Complete user information
3 Active Directory or LDAP

When direct live authentication is activated, there is no need to load the user list on every MFP. On the other hand, authentication is not possible if the communication with the LDAP server is not permanently available and fast (in case of cable, router, switch, or server failure).
7-3 Configuration
The procedure for configuring Live LDAP authentication is described in the LDAP profiles section of this manual.

7-3-1 Configure alternate authentication for MFPs
If users forget their badges, HP Access Control offers two optional alternate authentication methods that can be used on MFPs:
• Badge number: Users type their badge number instead of using their badge/card.
• Network credentials: Users enter their LDAP login/password credentials instead of using their badge/card.

To invoke alternate authentication:
1. Users need to press a function button (for example, Copy) instead of using their badge.
2. The screen requesting an alternate ID displays.

Alternate authentication is activated and configured using the Authentication parameters. For more details, see The Authentication configuration tab.

NOTE: On CM8050 and CM8060 Color MFPs, alternate authentication is featured by the MFP itself and not by HPAC Secure Printing.
1. Users press the function button of interest (for example, Copy).
2. The CM8050 or CM8060 Color MFP displays a screen requesting the badge, together with an Advanced button.
3. Users can press the Advanced button to default to another authorized authentication method for that function.

7-4 LDAP profiles failover
When multiple LDAP profiles are defined, the profiles are used one after the other in a failover mode. This makes it possible to look for a user in multiple directories.

8 Configure indirect live LDAP authentication

8-1 Introduction
With the Directory Server authentication service, HP Access Control Authentication modules installed on printers and MFPs supply the HPAC Secure Print server authentication service with a user ID and receive in return all the user information, extracted from an Active Directory or from LDAP directories.

Table 23 Indirect live LDAP authentication data
Data Supplied to HPAC SP Server | Data Returned (Example)
User ID from HPAC Authentication modules | Domain (marketing), Login (jsmith), Department (sales), E-mail ([email protected]), Full name (John Smith)

8-2 Indirect live authentication with AD/LDAP databases
The HP Access Control authentication module installed on the printer/MFP retrieves user information from the AD/LDAP. The complete retrieval of the user login name, department, e-mail address, and full name is carried out through the server hosting the HPAC Print Server.

Figure 35 Indirect live LDAP authentication
1 User ID (PIN, badge number)
2 Complete user information
3 HPAC Print Server service
4 Server with Windows 2000, XP, 2003 or Vista and HPAC Print Server service
5 Active Directory or LDAP

When indirect live authentication is activated, there is no need to load the user list on every printer/MFP. On the other hand, authentication is not possible if the communication with the HPAC Print Server is not available (in case of cable, router, switch or server failure).

8-2-1 Support for multiple databases
In some environments, multiple Active Directory and/or LDAP databases are used to store the badge number and the user information. HP Access Control features a highly flexible system to gather data from multiple databases, using common information to retrieve the correct record.

8-2-2 Failover capability
Up to five HPAC Print Server addresses can be entered in the Authentication Module configuration. If the first address does not respond after a timeout, the second address is used, and so on. This allows setting up multiple HPAC Print servers for live authentication and having a complete failover capability, should a server not respond in a timely manner.
8-2-3 Support for multiple user logins (the alias system) In a corporate IT environment, a user usually has more than one login: one for Windows, one for the mainframe, one for the UNIX system, one for Enterprise Resource Planning (ERP), and so on. This means that print jobs from these various systems come with a different login name, while the job owner is unique and has a unique ID (such as badge, PIN code). Furthermore, each login and user information might be in a system-specific Active Directory or LDAP database. HPAC Print Server allows defining an alias search in multiple AD and/or LDAP databases, using common information, such as the employee number, to find the appropriate user record in these different database systems. As a result, all print jobs pertaining to a single user, independently of the login used, are allocated to one unique (main) login. The user can then authenticate their print jobs using one unique ID. 8-3 Basic configuration sequence The basic sequence for configuring live authentication is to create a profile for the database, configure the parameters, and then save changes. Detailed instructions for these steps are in this section. To execute the configuration: 1. Run HP Access Control Print Server configuration. 2. Configure the authentication gateway in the Authentication tab. 3. Configure the authentication settings in the Directory server management tab. 4. Save the configuration. 8-3-1 Configure the authentication gateway To configure the authentication gateway: 1. In the HP Access Control Secure Printing Server window, click the Authentication tab. 2. Configure the authentication device settings. 3. Click Apply to validate and save the authentication settings. 71 Table 24 Authentication parameters table Parameter Description/Instructions Card Type Select the reader type from the drop-down list. 
Select: • FP for MFP front-panel PIN code identification or when performing badge lookup through the HPAC Secure Printing Server (acting as a gateway). • PX for Proximity readers • SW for Swipe cards readers • None for PIN code When authenticating through the HPAC Secure Printing Server, the badge type and mask do not need to be defined at the device level. Mask (decimal) The mask allows for the extraction of a smaller value from a raw badge value. It can be made of 1 and X. 1 keeps the digit, X drops it. Enter the extraction mask to apply to the badge number string. NOTE: Leading zeros are ignored in the string. 00140167 is considered as 140167. Mask alignment Indicate if the mask applies to the right or left of the number string. For example, for badge 123456789, the mask 1111X1 gives 12346 when applied to the left, and 45679 when applied to the right. Most and least significant bits positions Bit-wise extraction mask applied on the binary badge value between two bits positions. Define the position of the most and least significant bits for the extraction. ID search filter Customize the search filter to use. Can be left blank. 8-3-2 The Directory servers management tab The Directory servers management tab in the HPAC Print Server software enables the definition of how user information is retrieved across one or more AD and/or LDAP databases (profiles). /Configure indirect live LDAP authentication Figure 36 Directory servers management tab Table 25 Directory servers management parameters table Parameter Description/Instructions Directory servers actions Authenticate, start with profile Activate authentication alias (first create a profile). Click Show steps to view if one or more authentication steps were successful. Click Test to simulate the authentication of a badge ID. To perform a test, enter the desired badge ID. Retrieve alias, start with profile Activate alias (first create a profile). 
Click Show steps to view if one or more authentication steps were successful. Click Test to simulate the authentication of a user login. To perform a test, enter the desired user login. Directory servers profiles management Directory servers profiles management Enter a new profile. To save the profile, click Save current profile. To save current profile with another name, click Save current profile as. To delete the current profile, click Delete current profile. Current Directory server profile settings Main parameters settings See the Create a profile section. Authentication settings See the Configure the authentication gateway section. Alias retrieval settings See the Job retention aliases – Single sign-on section. Value to search replacement settings See the Search across chained databases section. 73 Table 25 Directory servers management parameters table Parameter Description/Instructions This profile is usable The check box displays a check if the necessary fields for Main parameters settings are entered. The displayed check only means that data has been entered. There is no verification procedure to check if the data is correct. This profile can be used for authentication Same as above for Authentication settings. This profile can be used for alias retrieval Same as above for Alias retrieval settings. This profile can replace the value to search Same as above for Value to search replacement settings. 8-3-3 Create a profile To create a new profile: 1. In the Directory server management tab, keep <New profile> set in the Directory servers profiles management box. 2. In the Current Directory server profile settings section, click Main parameters settings. 3. The following window displays. Enter specific data. For a detailed description of each parameter, see the table below. Figure 37 Directory server main parameters 4. After entering all the values and testing the binding, click OK to validate the settings. 
IMPORTANT: Do not forget to save the profile to save the settings. They are not saved automatically.

Table 26 Directory server main parameters table
Parameter: Description/Instructions

Directory server binding parameters
Domain: Enter the domain.
Server name: Enter the server name.
NOTE: It is recommended to enter the IP address instead of the DNS name. Incorrectly configured DNS on MFPs or DNS lookup failures may lead to errors.
Server port: Enter the server port (default: 389).

Other parameters
In case of failure, use profile: Enter the profile to use in case of failure. This parameter allows multiple authentications to be daisy-chained.
Use protocol: Select Active Directory or LDAP.

Directory server binding credentials
User login: Login used to access Active Directory information.
User password: Password used to access Active Directory information.

Test Directory server binding
Test binding: Test the binding.

8-3-4 Configure the authentication settings

To configure the authentication settings:
1. In the Directory server management tab, under the Current Directory server profile settings section, click Authentication settings to define which data to use in the AD or LDAP database.
2. The following window displays:
Figure 38 Directory server authentication parameters – Profile 1

Table 27 Directory server authentication parameters table
Parameter: Description/Instructions
ID conversion: Optional conversion to apply to the ID (PIN code, badge number) received from the printer/MFP.
ID field name: Optionally enter the field name where the user ID can be stored in AD/LDAP with the Direct AD/LDAP enrollment.
Enrollment ID field name: Enter the enrollment ID field name. For further information, see The Enrollment ID field name.
ID search filter: Customize the search filter to use. Can be left blank.
AD/LDAP fields
Domain field name: AD/LDAP field where the user domain information is stored. For the Domain field name, enter one of the following strings: <domain>, <domain_hr(1,2,n)> or <domain_const(TEST)>.
Login field name: AD/LDAP field where the user login information is stored.
Department field name: AD/LDAP field where the user department information is stored.
E-mail field name: AD/LDAP field where the user e-mail information is stored.
Full name field name: AD/LDAP field where the user full name information is stored.
Home directory: AD/LDAP field where the user home directory information is stored.
Double-factor: Currently not used.

Test buttons
Test authentication with user: Test the authentication by manually entering an ID.
Test authentication for enrollment with user: Test the authentication by manually entering the user login.
NOTE: Each parameter must point to a different AD/LDAP field to be valid. If two parameters point to the same AD/LDAP field, “UNKNOWN” is returned for the second parameter when the Test authentication with user button is pressed. This is normal AD/LDAP behavior.

8-3-4-1 The Enrollment ID field name

When HPAC Print Server receives the information from the user’s badge, it queries the Active Directory to obtain the desired data for that particular user. The Enrollment ID field name is the field searched in the Active Directory to match the user login name and retrieve the user’s information. See the Configure the authentication gateway section for an example of where the user’s login name (sAMAccountName) is entered.

8-3-5 Save the configuration

3. After entering all values and testing the binding, click OK to validate the settings.
4. Click Save current profile and enter a new profile name, reflecting the defined configuration parameters. The profile is now saved.
Define a profile for each Active Directory or LDAP server that is accessed to retrieve information about users.
NOTE: Multiple authentications can be daisy-chained by defining a profile in the Other parameters / In case of failure, use profile field. This option is found under Main parameters settings.

8-4 Process graphical description dialog box

Since profiles can lead to complex configurations, it can be difficult for administrators to visualize how profiles are involved in a process (authentication or alias retrieval).

8-4-1 View the chain of profiles

To view the chain of profiles:
1. In the Directory servers management tab, click Show steps.
2. An Authentication process window opens in a tree view, displaying profiles in chronological order of use.
Profile chaining is represented as a “father-son” relationship, meaning a chained profile is shown as a sub-element of its caller. The replacement and transmission of a value to another profile is represented as a “sibling” relationship, meaning such profiles are at the same level. Since chaining takes priority over replacement and transmission, these profiles are always at the top level in the tree. The following symbols are used.

Table 28 Chain of profile symbols
Symbol: Description/Instructions
Transfer: Profile change (either by chaining or by replacement and transmission).
Success: The process can be performed successfully.
Failure: The process cannot be performed successfully.
NOTE: Since no data is supplied to the dialog box, it shows whether the process may succeed, not whether the process has succeeded for a specific value. Whether a process succeeds depends on the search value it starts with.
NOTE: Remember that in chained profiles, not all the profiles of the chain are used. If the final information is found in a profile that is not the last, all following profiles are skipped.
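The badge mask rules from the authentication settings table at the start of this chapter (a decimal mask of 1/X characters applied to the left or right end of the badge string after leading zeros are dropped, and a bit-wise extraction between a most- and a least-significant bit position), worked through as an added Go example. This is not HP's code and does not reproduce the product's implementation; the 0-based, LSB-first bit numbering in ExtractBits is an assumption, since the guide does not state which convention the positions use.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ApplyDecimalMask applies an HPAC-style decimal extraction mask to a badge
// number string: '1' keeps the digit in that position, 'X' drops it. Leading
// zeros are stripped first, as the guide states (00140167 is treated as
// 140167). alignRight selects whether the mask covers the right or the left
// end of the string.
func ApplyDecimalMask(badge, mask string, alignRight bool) (string, error) {
	badge = strings.TrimLeft(badge, "0")
	mask = strings.ToUpper(mask)
	for _, c := range mask {
		if c != '1' && c != 'X' {
			return "", fmt.Errorf("invalid mask character %q (only 1 and X allowed)", c)
		}
	}
	if len(mask) > len(badge) {
		return "", errors.New("mask is longer than the badge number after dropping leading zeros")
	}
	window := badge[:len(mask)] // left alignment: first len(mask) digits
	if alignRight {
		window = badge[len(badge)-len(mask):] // right alignment: last len(mask) digits
	}
	var out strings.Builder
	for i := 0; i < len(mask); i++ {
		if mask[i] == '1' {
			out.WriteByte(window[i])
		}
	}
	return out.String(), nil
}

// ExtractBits returns the bits of value between positions msb and lsb
// (inclusive). Positions are counted from 0 at the least-significant bit;
// the guide does not state its numbering convention, so this is an assumption.
func ExtractBits(value uint64, msb, lsb uint) (uint64, error) {
	if msb < lsb || msb > 63 {
		return 0, errors.New("invalid bit positions: need 63 >= msb >= lsb")
	}
	width := msb - lsb + 1
	var keep uint64 = ^uint64(0) // all 64 bits
	if width < 64 {
		keep = (uint64(1) << width) - 1
	}
	return (value >> lsb) & keep, nil
}

func main() {
	left, _ := ApplyDecimalMask("123456789", "1111X1", false)
	right, _ := ApplyDecimalMask("123456789", "1111X1", true)
	fmt.Println(left, right) // 12346 45679, matching the guide's example
	bits, _ := ExtractBits(0xF0, 7, 4)
	fmt.Println(bits) // 15
}
```

Running main reproduces the guide's own example (badge 123456789 with mask 1111X1 gives 12346 left-aligned and 45679 right-aligned). A mask longer than the badge after zero-stripping is rejected rather than silently truncated, which is the case to watch for when a site mixes badge formats of different lengths.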
8-5 Get domain information

8-5-1 Configure the Domain field name

For tracking purposes, or to allow maximum flexibility for the Active Directory domain name, HPAC Print Server provides a Domain field name. Use the following steps to configure the Domain field name.
1. Run HP Access Control Print Server configuration.
2. Click the Directory servers management tab.
3. Choose a profile from the drop-down list under Directory servers profiles management.
Figure 39 Directory servers management tab – Select a profile
4. Click Authentication settings.
5. The following screen displays (standard field contents are shown).
Figure 40 Directory server authentication parameters
6. The Domain field name requests the information configured in the Domain field from the Directory server main parameters.
Figure 41 Directory server main parameters
For example, with a Domain configured as follows:
dc=Idaho,dc=USA,dc=Boise,dc=local
<domain> returns: dc=Idaho,dc=USA,dc=Boise,dc=local

8-5-2 Customize domain field names in HPAC Print Server

Using the previous example, Domain is configured as follows:
dc=Idaho,dc=USA,dc=Boise,dc=local
For tracking purposes, or to report only partial information, the Domain field name can be configured as <domain_hr(1)>, which only returns the content of the first dc field, Idaho. The number inside the parentheses specifies which dc field is returned. Any of the dc fields can be returned. For example, setting the Domain field name to <Domain_hr(1,3,4)> returns the first, third, and fourth dc fields from the domain. The result is:
Idaho.Boise.local

8-5-3 Set the Domain field name to a constant value

To return a value completely different from the actual domain value, replace <Domain_hr(1,3,4)> with <domain_const(ABCD)>, where ABCD is the returned value. For example, if the Domain field name is set to <Domain_const(Texas)>, it returns Texas.
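The three Domain field name forms described in 8-5-1 to 8-5-3 (<domain>, <domain_hr(...)> and <domain_const(...)>), resolved against the guide's example domain by a small added Go resolver. This is not HP's code; case-insensitive tag matching is assumed because the guide writes both <domain_hr> and <Domain_hr>, and reporting an out-of-range dc index as an error is an assumed behaviour that the guide does not specify.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// dcFields splits an LDAP-style domain such as
// "dc=Idaho,dc=USA,dc=Boise,dc=local" into its dc values, in order.
func dcFields(domain string) []string {
	var fields []string
	for _, part := range strings.Split(domain, ",") {
		part = strings.TrimSpace(part)
		if strings.HasPrefix(strings.ToLower(part), "dc=") {
			fields = append(fields, part[len("dc="):])
		}
	}
	return fields
}

var (
	// Tag names are matched case-insensitively (assumption): the guide writes
	// both <domain_hr(...)> and <Domain_hr(...)>.
	reHr    = regexp.MustCompile(`(?i)^<domain_hr\(([\d\s,]+)\)>$`)
	reConst = regexp.MustCompile(`(?i)^<domain_const\((.*)\)>$`)
)

// ResolveDomainField evaluates a Domain field name template against the
// Domain string configured in the profile's main parameters, following the
// three forms the guide describes:
//   <domain>             the whole Domain string
//   <domain_hr(1,3,4)>   the listed dc fields (1-based), joined with "."
//   <domain_const(ABCD)> the literal ABCD
// An index outside the available dc fields is reported as an error; that
// handling is an assumption, the guide does not say what the product does.
func ResolveDomainField(template, domain string) (string, error) {
	t := strings.TrimSpace(template)
	if strings.EqualFold(t, "<domain>") {
		return domain, nil
	}
	if m := reConst.FindStringSubmatch(t); m != nil {
		return m[1], nil
	}
	if m := reHr.FindStringSubmatch(t); m != nil {
		fields := dcFields(domain)
		var picked []string
		for _, raw := range strings.Split(m[1], ",") {
			n, err := strconv.Atoi(strings.TrimSpace(raw))
			if err != nil || n < 1 || n > len(fields) {
				return "", fmt.Errorf("dc index %q is out of range for %q (%d dc fields)", raw, domain, len(fields))
			}
			picked = append(picked, fields[n-1])
		}
		return strings.Join(picked, "."), nil
	}
	return "", fmt.Errorf("unrecognised Domain field name template %q", template)
}

func main() {
	domain := "dc=Idaho,dc=USA,dc=Boise,dc=local" // the guide's example domain
	for _, tpl := range []string{"<domain>", "<domain_hr(1)>", "<Domain_hr(1,3,4)>", "<Domain_const(Texas)>"} {
		v, err := ResolveDomainField(tpl, domain)
		fmt.Printf("%-22s -> %q (err=%v)\n", tpl, v, err)
	}
}
```

Because the resolved value ends up in tracking records, a template that silently returned an empty string for a mistyped index would make job accounting look valid while recording nothing; the resolver therefore fails loudly on any index it cannot satisfy.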
9 User enrollment

On MFPs, the enrollment functionality allows users to directly enroll their badge IDs into the HPAC Secure Printing authentication on the device. This feature is not available on single function printers because they lack embedded LDAP/Kerberos pre-authentication capabilities.
1. The user touches the Enrollment button on the MFP front panel (placed last in the button list because it is not used regularly).
2. This calls the authentication linked to the User enrollment agent in the MFP Authentication Manager (typically LDAP or Kerberos).
3. The user enters his/her network credentials to identify himself/herself.
4. If a badge is already enrolled for that user, the enrollment system offers the option to de-enroll that badge.
5. Otherwise, the enrollment system asks the user to show his/her badge to the reader. After the badge ID is read, it is stored together with the user information in a secure place.

HPAC Print Server offers three options for the secure storage of the ID and user enrollment information. Only one enrollment behavior can be active at a given time. Each system has its own benefits; use the one that meets specific needs.

Enrollment
• Immediate and easy, does not require any database setup. IDs are stored on the server HDD in a proprietary format. They can be encrypted as a SHA256 hash for security purposes.
• Enrollment data is only available on devices authenticating through that HPAC Secure Printing Server.
• This enrollment is usable for a maximum of 5,000 enrolled users.

Enrollment with roaming
• User and ID information is stored in a local or remote Microsoft SQL Server or MSDE database.
• Enrollment data is accessible through multiple HPAC Secure Printing Server authentication gateways, and therefore to all printers and MFPs.
• The database can be backed up, browsed, and edited with standard MS SQL Server tools.
Enrollment to Active Directory
• User ID numbers are stored directly in the user’s Active Directory or LDAP record.
• This allows standardization on AD or LDAP for all user-related authorizations and credentials.
• This enrollment mode requires a binding login/password that has write access to the field where the ID is written.

9-1 Enrollment prerequisites

Enrollment is performed after the user pre-authenticates. The pre-authentication is not performed by HP Access Control, but by one of the MFP built-in authentication agents, typically Kerberos or LDAP.
1. The authentication must be configured. See the HP MFP manual for more information.
2. Verify that authentication works as expected before applying it to enrollment pre-authentication.
3. In the HP Access Control Admin software, configure the Authentication with self enrollment.
The pre-authentication is called when the user touches the Enrollment button on the MFP front panel. After a user is pre-authenticated, he/she is requested to show his/her badge. The information obtained from the pre-authentication is merged with the user ID read from the badge.

/User enrollment

The combined information is stored either in the MS SQL Server or on the server HDD, or the user ID is added to the AD or LDAP user record.

9-2 Define the enrollment mode

9-2-1 Enrollment

Enrollment is done locally on the server HDD. No database is used to store user information.
1. User ID authentication must be performed through the HPAC Secure Printing server.
2. Activate remote authentication using the Authentication option of the HPAC Secure Print Admin software.
3. Open the HPAC Secure Printing Server software, and then click the Enrollment tab.
4. Check the Activate local Enrollment behavior box in the bottom left section of the window.
Enrollment with storage of user IDs on the server HDD is now configured.

9-2-2 Enrollment with roaming

Enrollment with roaming uses a Microsoft SQL Server database to store the user and ID information.
The SQL Server must accept SQL authentication, not only Windows authentication.
1. User ID authentication must be performed through the HPAC Secure Printing server.
2. Activate remote authentication using the Authentication option of the HPAC Secure Print Admin software.
3. Open the HPAC Secure Printing Server software, and then click the Enrollment tab.
4. Check the Activate Database Enrollment behavior box in the bottom left section of the window.
5. Fill in the database information:
a. Enter sa in the User Name field.
b. Enter the database password in the Password field.
c. Enter the connection information in the Connection field. For example:
Provider=SQLOLEDB;Data Source=192.168.8.3;address=192.168.8.3,1433
NOTE: 192.168.8.3 above should be substituted with the IP address of the machine where the SQL server is installed. 1433 is the default SQL TCP port number; change it if needed.
6. Test the connection by clicking Test Connection. A pop-up message displays, signaling that the connection is successful.
7. Create the database:
d. If the connection was successful, click Create Database to create the database.
e. If there is an existing database, it is deleted. The following prompt displays: Delete existing table, do you want to proceed?
f. Click Yes to proceed with the creation of the new database.
g. Upon the creation of the new database, the following message displays: Database upgrade has succeeded!
h. Click OK.
Enrollment with storage of user IDs in an MS SQL Server database is now configured.

9-2-3 Enrollment to Active Directory

Enrollment to Active Directory stores user IDs directly in the Active Directory.
1. Launch the HP Access Control Print Server configuration software.
2. Select the Directory Servers Management tab. The Configure the authentication gateway section describes how to configure the AD/LDAP settings defined by the Authentication settings button.
3. Verify all parameters.
The attribute/field name where the user ID is stored is defined in the ID field name entry field.
4. Select the Enrollment tab.
5. Check the Activate Active directory Enrollment behavior box in the bottom left section of the window.
IMPORTANT: Be sure to click Apply, otherwise changes are not saved.

9-3 Manage enrolled users

HP Access Control Enrollment Manager allows users to be selected, edited, and deleted from the enrollment database. This management is performed by the HP Access Control Enrollment Manager software, which is installed at the same time as the HPAC Secure Printing server.

9-3-1 Prerequisites
• The user must be an administrator on the PC where the Enrollment Manager is run. The Enrollment Manager must be run from the same server.
• HPAC Secure Printing Server enrollment must have been correctly installed and configured.
• Enrollment must have been successfully tested.

9-3-2 Browse the list of users

The screen displays the list of all users who are enrolled on HPAC Secure Print. The screen displays the following fields and buttons:
• Search for – Enter the string to look for in the list. Use * as a wildcard. The search is not case sensitive. For example, smi* finds Smith and *hn finds John.
• In – Select the field where the string is to be found.
• Search button – Click Search to launch the user search. The screen displays the list of users matching the search query.
NOTE: When enrollment is set without roaming and without Active Directory, user information can only be searched in two fields (ID and Login). The exact string must be entered; the wildcard character * cannot be used. As a result, only one user can be searched for at a time in the list. For more advanced search capabilities, activate the enrollment with roaming capability.

9-3-3 Select users

Every user record is preceded by a check box. Check the box to select an individual user, or click Select All to select all the users displayed in the list.
9-3-4 Edit a user

The record for a user can be edited. Only one record can be selected at a time for modification. When Modify is clicked, a new window displays where the user record can be edited. Click Validate to save the record after it has been edited, or click Cancel to cancel the editing.

Table 29 Enrolled user settings
Parameter: Description/Instructions
ID: Badge number for the user.
Login: Login name for the user.
Domain: Domain name for the user.
Department: Department name for the user.
Email: E-mail address of the user.
Full name: Full name of the user.
Home Directory: Windows home directory for the user.
Double Factor: Reserved for future use.

9-3-5 Delete users

User records can be deleted from the enrollment database. Deleted users have to re-enroll to regain access to devices. Select one or more users in the list and then click Delete. After confirmation, the users are permanently deleted from the enrollment database.

10 Install the driver plug-in for Windows

The HPAC Secure Printing driver plug-in file is available in the supplied software source files. The HPAC Secure Printing Plug-in encrypts and tags data in memory, directly out of the printer driver. To perform the HPAC Secure Printing Plug-in installation, the following are needed:
○ The HPAC Secure Printing Plug-in, and
○ Sufficient administrator rights to install printers, create ports, and install system DLLs on the machine. The best profile is the ADMIN rights profile.

10-1 Installation procedure

1. The HPAC Secure Printing Plug-in installation can be copied from the supplied software source files to a network drive and launched from there.
2. Click the setup.exe program to run it.
3. The installation procedure starts. This procedure installs the HPAC Secure Printing Plug-in and encryption capability on the PC.
NOTE: Carefully read the license agreement for HPAC Secure Print.
The driver plug-in can be installed on an unlimited number of client PCs, as long as it is used exclusively to send secured print jobs to a printer equipped with a valid license of HP Access Control, and as long as the license terms are respected.
4. Click Yes to accept the license terms. Otherwise, click No and contact the distributor as per the license preamble terms.
5. The Driver Plug-In installs itself and a confirmation window displays.

10-2 Deployment to a fleet of PCs

Network administrators can easily propagate the driver plug-in to remote PCs using the .msi and .reg files. The propagation and remote execution must be performed by third-party software, such as Microsoft SMS. Work on a freshly installed PC, with no prior HPAC Secure Printing installation on it, to create the master configuration.
1. Create the printer(s) with the same name(s) that users have displayed on their PCs.
2. Install the driver plug-in.
3. Configure the driver plug-in as needed for the printers to secure.
4. Open regedit and navigate to the following registry branch:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\HP Access Control SecurePrint Port monitor
5. Save the registry branch in a .reg file. This is the list and settings of the HPAC Secure Printing Driver Plug-in.
6. Open the printers registry branch:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers
7. Save the printer registry branch in a .reg file.
8. Use the software deployment system to:

/Install the driver plug-in for Windows

a. Create the same printer(s) with the same name(s) on remote PCs.
b. Stop the spooler (net stop spooler).
c. Propagate the printer registry .reg file, to be injected into the remote PCs’ registry.
d. Propagate and run the following files on those PCs:
− The HPAC-SecurePrintingDriverPlugin.msi file (to be executed with the /quiet parameter and admin rights)
− The printer port monitors .reg file, to be injected into the remote PCs’ registry
e.
Start the spooler (net start spooler).

10-3 Deactivate the HPAC Secure Printing Driver Plug-In

To deactivate the HPAC Secure Printing Driver Plug-In on a remote PC printer, use the software deployment system to:
1. Stop the spooler (net stop spooler).
2. Change the value of the Port registry key in the printer definition, which contains the port used by the printer. The HPAC Secure Printing port names start with lcl_ followed by the original port name (for example: lcl_IP_156.29.78.41).
3. Change the Port key to the printer port’s original name (without the lcl_ prefix) to deactivate HPAC Secure Printing for that printer (for example, IP_156.29.78.41).
4. Start the spooler (net start spooler).

10-4 Connect to a printer secured on the print server

If the HPAC Secure Printing Plug-in secures the printer directly on the print server, there is no need to install anything.
1. Use Explorer to connect to the server.
2. Right-click the shared printer and select Connect.

10-5 Secure an MS-Windows printer port on a local PC

This case only applies to situations where the HPAC Secure Printing Plug-in is not installed on a print server print queue.

10-5-1 Section A – Define a queue

If a queue to address the secure printer is already defined, skip to Section B – Secure the printer. Otherwise, follow these steps:
1. Click Start > Settings > Printers and click Add printer.
2. Choose My computer. The secured driver must be local, otherwise unsecured data would travel between the computer and a print server hosting the drivers. The list of all printer ports available in the computer displays on the screen.
NOTE: It is possible to install the HPAC Secure Printing Plug-in on the Windows Print Server, but print job data is not encrypted from the PCs to the print server. Additionally, no window displays on client PCs for setting the different printing options. If HP Access Secure Printing server is used on the server, there is no need to also install the driver plug-in.
3.
Click Create new port or Add port. In the list, choose the connection linking the computer to the shared printer on the server. If the link is a queue name, select Local port and enter the queue name in the following format: \\serverName\queueName.
4. Click Next.
5. Enter the connection information in the next windows.
6. Select the printer driver to install. HP Access Control works with any printer language. PCL5 and PCL-XL drivers are recommended for the compactness of their output, resulting in faster decryption.
7. Finish the process by answering the last questions. Adding -HPAC at the end of the printer name is recommended, so the computer user can easily find the device.

10-5-2 Section B – Secure the printer

1. Click Start > Settings > Printers.
2. Right-click the printer to secure, and click Properties.
3. An HP Access Control tab displays, together with the standard tabs. Select the HP Access Control tab.
4. Check the Activate HP Access Control Secure Print box.
5. Click Apply to activate the tab options. The port linked to the printer is updated to a virtual port.
6. Configure the following settings: the encryption parameters, the print-time pop-up window option, and the option to hide the pop-up window at print time and use default values. See a detailed description of each option in the table below.
7. Apply the modifications by clicking Apply in the driver configuration window. The HP Access Control installation is now finished.

Table 30 Secure printer port settings
Parameter: Description/Instructions
Activate HP Access Control Secure Print: Check this option and click Apply if the printer is equipped with HPAC Secure Print functionality.
Encryption settings: Jobs can be encrypted on their way to the printer and decrypted only at print time. If None is selected, the job is not encrypted.
Non-encryption: The job is not encrypted.
AES encryption: AES is a sophisticated encryption scheme using the AES 128-bit algorithm combined with RSA PKI public/private key encryption. A pair of RSA PKI keys unique to your organization can be generated from the HPAC Secure Printing Admin software. The private key is securely propagated to the printers; the public key must be copied into the Corporate key field of that tab. The public key cannot decrypt the print job.
Default user recipient: If this option is checked, the pop-up requests the login name of the end user for the secure job.
NOTE: This option must be disabled if the HPAC Secure Printing Plug-in is installed on a print server with shared network printers.
Ask for department recipient: If this option is checked, the pop-up requests the name of the department for the secure print job.
NOTE: This option must be disabled if the HPAC Secure Printing Plug-in is installed on a print server with shared network printers.
Default department recipient: Forces all print jobs going to this printer to be secured for a specific department. For example, a document can be sent to a pool of nurses, and any nurse in the pool can release and print the document. After it is printed, the document is deleted.
Confirm recipient name: If selected, the recipient name is asked for twice, for confirmation. This option is useful in highly sensitive environments.
NOTE: This option must be set to No if the HPAC Secure Printing Plug-in is installed on a print server with shared network printers.
Ask about retention: If selected, the pop-up window asks whether the job should be retained (see Default retention mode).
NOTE: This option must be disabled if the HPAC Secure Printing Plug-in is installed on a print server with shared network printers.
Default retention mode: This option is useful in PUSH printing mode, when print jobs are sent directly to the target printer. If set to Yes, print jobs are stored on the device HDD until their owner authenticates and requests the job release. This should be the setting in pull printing mode. If set to No, print jobs are printed immediately (after being decrypted if necessary).
Ask for billing code: If selected, the pop-up window prompts for the billing code for every print job and refuses empty entries.
NOTE: This option must be disabled if the HPAC Secure Printing Plug-in is installed on a print server with shared network printers.
Default expiration time: Define the default expiration date/time for secure print jobs.
NOTE: The HP Access Control pop-up window does not display if all of the Ask check boxes are deselected and Apply is clicked.
NOTE: This configuration is ideal if no user interaction is needed and the driver plug-in is installed on a print server.

10-6 Deactivate HPAC Secure Print on a printer

To stop securing a printer, open its driver configuration page and uncheck Activate HP Access Control Secure Printing Driver Plug-in.

10-7 Uninstall the Windows driver plug-in

Should the driver plug-in files need to be removed, use the Add or Remove Programs option of the Windows control panel to uninstall the driver plug-in.

10-8 Windows clients with Netware print server

HP Access Control Secure Pull Printing can be used in a Novell Netware network. Print jobs must be secured on the client PC, flow through the Netware print server, and be stored on the printer/MFP hard drive. If the Novell print server redirects jobs to a Windows print server using LPR/LPD, the HPAC Print Server can also be used to provide pull printing.

10-8-1 Installation – Print server

The printer is installed as a Novell Distributed Print Services (NDPS) printer agent with the Novell LPR and prints by LPR on the network printer.
NOTE: The printer agent must be configured so that it enables LPR print jobs.
Figure 42 Netware print server installation

10-8-2 Installation – Client

The printer must be installed as a local printer, in standard TCP/IP.
• The IP address is the address of the print server.
• The LPR queue is the printer agent object.
• No NDPS client components are needed.
• The printer port configuration: Standard TCP/IP (for example, novellServer as the print server name).
Figure 43 Netware client installation
The HPAC Secure Printing Plug-in installed on the client has settings similar to direct IP printing.

10-8-3 Secure Printing through Novell Print Servers

After a user prints a job:
1. The print job is generated as PCL/PS by the driver, and then encrypted by the HPAC Secure Printing Plug-in.
2. The print job is sent to the Novell print server by LPR through TCP/IP.
3. The print job is then sent to the printer or HPAC Print Server (with an LPR/LPD print queue) using LPR.
4. The printer receives the print job and, upon authentication, decrypts and prints it; or the HPAC Print Server receives the print job and stores it.

10-9 Printing from UNIX through a Windows print server

If printing from UNIX through a Windows Server, make sure to create/set LpdPrinterPassThrough to 1 in the registry. For more information, see http://support.microsoft.com/kb/168457/en-us. This option prevents the Windows driver from altering the data coming from the UNIX spooler.

10-10 Configure the secure print job parameters

The HP Access Control system can be configured to offer the user additional options when printing a secure document. To configure these options, see the Send a document to other users under Windows section.

10-11 Send a secure print job to the printer

1. To print a secure print job, proceed as normal to print the documents (from the application, select Print, configure the print job options, and click OK).
2.
If all of the secure printing parameters have been set automatically, proceed immediately to the retrieval of the print jobs.
3. If additional secure printing options for the user are set, the Secure print job parameters pop-up window displays. One or more of the secure print job parameters can be set. See the following table.
4. Configure the secure print job parameters shown in the pop-up window.
5. Click OK to send the print job to the printer.

Table 31 Secure print job parameters
Parameter: Description/Instructions
Print without retention: Select this option to cancel the authentication procedure for the print job. This option is useful if the printer is located right next to a user, making authentication unnecessary to assure security when releasing print jobs. Another possible scenario is a user who forgets their badge at home and does not have access to an alternate authentication procedure.
Billing code (may be required): Enter a billing code for the job. This billing code is assigned to the print job to charge back a client or project with the cost of the action.
Expiration date (required; ranges from 1 hour to 48 days): This option determines how long the system keeps the unclaimed print job before deleting it.
Recipient (required): Specify the recipient for the print job (user or department).
User: To assign the print job to a specific user:
1. Click the radio button next to User.
2. Type in, or select from the drop-down list, the login name of the user who will release the print job.
3. If prompted, retype the username in the Confirm recipient field.
IMPORTANT: If someone else is assigned as the print job recipient, you are responsible for notifying them that they have a secure print job pending.
Depending on how the system is configured, the User field may be allowed to be left blank. The system then automatically inserts the Windows login in the User field.
Department: If a print job is assigned to a department, any user who belongs to this department is able to release the print job. For security purposes, documents are erased from the server or printer HDD after they are released by one of the department users. To assign a print job to a specific department:
1. Click the radio button next to Department.
2. Type in, or select from the drop-down list, the department name.
3. If prompted, retype the department name in the Confirm recipient field.

10-12 Print for yourself under Windows

When printing from Windows, by default, the user login name displays in the User recipient field. Click OK to secure the document. If print jobs are always assigned to yourself (and never to other people), the HPAC Secure Printing Plug-in pop-up window can be disabled. Printing is then as simple as clicking the Print icon of the application. The driver plug-in can then be installed locally on the PC or on a remote server.

10-13 Send a document to other users under Windows

The driver plug-in must be installed locally to type a recipient addressee login name into the HPAC Secure Printing Plug-in pop-up window. If the driver plug-in is on a network printer, the pop-up displays on the server and not on the client (the server spooler runs as system and not with the user’s credentials). The HPAC Secure Printing Plug-in remembers the last 20 entries, unless the Remember recipients option is unchecked in the driver plug-in configuration.
Figure 44 Recipients settings
A document can be sent to another user by forcing all print jobs of a queue to be secured for that specific user. In the Windows printer configuration HP Access Control tab, enter the recipient login name in the Default user recipient field.
NOTE: The driver plug-in can then be installed on the print server, and multiple queues can be set up, each securing jobs for a specific user.
10-14 Send a document to a department under Windows

The driver plug-in must be installed locally to type in a department addressee name in the HPAC Secure Printing Plug-in pop-up window. If the HPAC Secure Printing Plug-in is on a network printer, the pop-up displays on the server and not on the client (the server spooler runs as SYSTEM and not with the user's credentials). The HPAC Secure Printing Plug-in remembers the last 20 entries, unless the No history option is selected in the driver plug-in configuration.

A document can be sent to a department by forcing all print jobs of a queue to be secure for that specific department. In the Windows printer configuration HP Access Control tab, enter the department login name in the Default department recipient field.
NOTE: The HPAC Secure Printing Plug-in can then be installed on the print server and multiple queues can be set up, each securing jobs for a specific department.
NOTE: Department jobs are currently only supported on MFPs, as single function printers currently do not provide a GUI to select user or department jobs.

10-15 Release HPAC print jobs

Print jobs are retained securely by HP Access Control on the printer hard disk or on remote HPAC Secure Printing Servers until they are released, or deleted upon expiration. The procedure for releasing print jobs on MFPs is slightly different from that for single-function printers. See the HP Access Control User Guide for details.

10-15-1 Release the print job (multifunction printers)

To release a secure print job, the user must first authenticate. This authentication is done directly on the printer where the job will be released. See the HP Access Control User Guide for more information.
1. Ensure the printer is loaded with paper.
2. The user authenticates using their PIN code or badge. When their name displays at the top of the screen, press the HPAC Secure Printing button on the front touchscreen panel.
3.
The system authenticates the ID, and then displays the print jobs list.
4. The following actions are available: Select all, Job info, Print, Delete and Back.
5. When finished using the MFP, log out of the system.

10-15-2 Release the print job (single function printers)

To release a secure print job, users first need to authenticate at the printer where the job will be released. Upon authentication, pending print jobs are immediately decrypted and printed. For detailed instructions, see the HP Access Control User Guide.
NOTE: If the device does not have the Release without confirmation option on, the reader flashes and the printer stays in "pause" mode as long as the user has not acknowledged the status.
NOTE: Department jobs cannot be released on non-MFP printers.

11 Encryption schemes, corporate key

HPAC Secure Printing can secure the print jobs' content by encrypting their data and job ownership information. There are two levels of encryption: Advanced Encryption Standard (AES) and Data Encryption Standard (DES).

11-1 AES encryption

This encryption scheme benefits from the latest technologies in encryption. A random 128-bit AES key is generated for every single print job and is used to encrypt the document. The key is encrypted using an RSA public key, split and injected in the print job. The printer decrypts the key using the RSA private key and decrypts the print job using that decrypted key. HPAC Secure Print features a default pair of RSA keys so that encryption can be performed easily and quickly. For the best protection, do not rely on the default pair: generate a unique pair of corporate encryption keys using the HPAC Admin software. The public key needs to be propagated to clients (propagated together with the driver plug-in settings) and/or to the HP Access Control Secure Print server tab of the print queue properties. The private key is propagated to devices equipped with HPAC Secure Print using the Print-SMP Driver plug-in.
11-2 DES encryption

This encryption scheme is based on the widely used DES symmetric cipher. A random key is generated for every single job and is used to encrypt the document. The key is encrypted and injected in the print job. The printer decrypts the key using some decryption patterns and decrypts the print job using that decrypted key.

11-3 Raw Printing

The Raw Printing option is for troubleshooting. Do not use it unless requested by support.

12 Unencrypted secure printing for ERPs

The HPAC Secure Printing server can secure the release of unencrypted jobs sent directly to an HP Access Control-enabled printer or to an HPAC Print Server. These jobs are controlled and tracked as HPAC non-encrypted jobs. The jobs themselves are not encrypted; only their release is made secure, by being feasible only for the addressee.

12-1 Unencrypted secure print file format

• Job data must start with <Esc>%-12345X@PJL<LF> followed by header lines, as in the sample below. <Esc> is ASCII 27 decimal, 1B hexadecimal.
• Data in bold is sample text to be replaced with the real values.
• Text in italics is information about the data and should not be included in the header.
• Dates have the following format: yyyymmddhhmmss00
• Actual print spool data starts after @PJL EOSJ<LF>.
• Spool data must end with the following sequence: <Esc><Esc><Esc>E<Esc>%-12345X
This open format secures the delivery of print jobs generated, for example, by DOS, UNIX, AS/400 (SCS) or Mainframe (SCS) applications.
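As an added example (not from this guide or from HP's tooling), the following Python script builds and parses a job in the format just described: it puts the SJLLIGHT STORE header in front of an existing PJL/PCL job, validates the yyyymmddhhmmss00 dates, appends the mandatory trailer, and refuses header values containing CR, LF or ESC, because the addressee of an unencrypted job is simply whatever USERNAME the producing application writes into this header. The function names and the constructed sample job are assumptions; the parser accepts both <LF> and <CR><LF> line ends and ignores whitespace around "=".

```python
import re
from datetime import datetime

ESC = b"\x1b"
UEL = ESC + b"%-12345X"             # PJL Universal Exit Language sequence
TRAILER = ESC * 3 + b"E" + UEL      # <Esc><Esc><Esc>E<Esc>%-12345X, mandatory at the end
DATE_RE = re.compile(r"\d{14}00")   # yyyymmddhhmmss00
REQUIRED = ("USERNAME", "SJOB NAME", "SJOB ID", "SJOB DATE", "SJOB EXPIRYDATE")


def _header_value(name, value):
    """A CR, LF or ESC inside a value would start a new header line or a new
    PJL job, so application-supplied values such as the job name are refused."""
    if not value.isascii() or any(ch in value for ch in "\r\n\x1b"):
        raise ValueError(f"{name} must be ASCII without CR, LF or ESC")
    return value.encode("ascii")


def _parse_date(name, value):
    """Check the yyyymmddhhmmss00 layout and that it is a real calendar date."""
    if not DATE_RE.fullmatch(value):
        raise ValueError(f"{name} must be yyyymmddhhmmss00, got {value!r}")
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S")


def wrap_secure_job(spool_data, username, job_name, job_id, job_date, expiry_date):
    """Put the SJLLIGHT STORE header in front of an existing PJL/PCL job and
    append the trailer. spool_data keeps its own UEL/PJL header untouched."""
    if _parse_date("expiry_date", expiry_date) <= _parse_date("job_date", job_date):
        raise ValueError("expiry date must be after the job date")
    values = {"USERNAME": username, "SJOB NAME": job_name, "SJOB ID": job_id,
              "SJOB DATE": job_date, "SJOB EXPIRYDATE": expiry_date}
    lines = [UEL + b"@PJL", b"@PJL ENTER LANGUAGE=SJLLIGHT", b"@PJL SCOMMAND=STORE"]
    lines += [b"@PJL " + k.encode() + b"=" + _header_value(k, v) for k, v in values.items()]
    lines.append(b"@PJL EOSJ")
    return b"\n".join(lines) + b"\n" + spool_data + TRAILER


def parse_secure_job(data):
    """Split a wrapped job into (header fields, original spool data).
    Accepts <LF> or <CR><LF> line ends; raises ValueError on malformed input."""
    if not (data.startswith(UEL) and data.endswith(TRAILER)):
        raise ValueError("missing <Esc>%-12345X prefix or <Esc><Esc><Esc>E<Esc>%-12345X trailer")
    eosj = data.find(b"@PJL EOSJ")
    if eosj < 0:
        raise ValueError("no @PJL EOSJ line")
    body = eosj + len(b"@PJL EOSJ")
    newline = b"\r\n" if data[body:body + 2] == b"\r\n" else b"\n"
    if data[body:body + len(newline)] != newline:
        raise ValueError("@PJL EOSJ is not terminated by <LF>")
    lines = [ln.rstrip(b"\r") for ln in data[len(UEL):eosj].split(b"\n")]
    if lines[0] != b"@PJL" or lines[-1] != b"":
        raise ValueError("header must begin with @PJL<LF> and each line must end with <LF>")
    fields = {}
    for line in lines[1:-1]:
        if not line.startswith(b"@PJL ") or b"=" not in line:
            raise ValueError(f"malformed header line {line!r}")
        key, _, value = line[5:].decode("ascii").partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("ENTER LANGUAGE") != "SJLLIGHT" or fields.get("SCOMMAND") != "STORE":
        raise ValueError("not an HPAC SJLLIGHT STORE job")
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing header fields: {missing}")
    if _parse_date("SJOB EXPIRYDATE", fields["SJOB EXPIRYDATE"]) <= _parse_date(
            "SJOB DATE", fields["SJOB DATE"]):
        raise ValueError("expiry date must be after the job date")
    return fields, data[body + len(newline):-len(TRAILER)]


if __name__ == "__main__":
    # Constructed sample: a tiny PCL job that carries its own UEL/PJL header.
    pcl_job = UEL + b"@PJL\n@PJL ENTER LANGUAGE=PCL\nDear client,\nSincerely,\n" + UEL
    job = wrap_secure_job(pcl_job, "JOHN_SMITH", "This is a test job", "00982340",
                          "2008070316300000", "2008090110300000")
    fields, spool = parse_secure_job(job)
    print(fields["USERNAME"], fields["SJOB EXPIRYDATE"], spool == pcl_job)
```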
Table 32 Sample unencrypted secure print file
<Esc>%-12345X@PJL
@PJL ENTER LANGUAGE=SJLLIGHT
@PJL SCOMMAND=STORE
@PJL USERNAME=JOHN_SMITH                  (user login)
@PJL SJOB NAME=This is a test job         (job name)
@PJL SJOB ID=00982340                     (unique random job number)
@PJL SJOB DATE=2008070316300000           (job date and time)
@PJL SJOB EXPIRYDATE=2008090110300000     (job expiration date and time)
@PJL EOSJ                                 (end of HP Access Control header)
(Pre-existing PJL header is to be put here)
<Esc>%-12345X@PJL
@PJL ENTER LANGUAGE=PCL
Dear client,
If you have any questions please contact your support contact.
Sincerely,
The security team
<Esc>%-12345X<Esc><Esc><Esc>E<Esc>%-12345X

13 Unencrypted secure printing for SAP R/3

HP Access Control Pull Printing can secure the release of unencrypted Systems, Applications and Products (SAP) SAPScript and SmartForms print jobs sent directly to an HP Access Control-enabled printer or to an HPAC Print Server. These jobs are controlled and tracked as HP Access Control non-encrypted jobs. The jobs themselves are not encrypted; only their release is made secure, by being feasible only for the addressee.
NOTE: Advanced Business Application Programming (ABAP) list printing is not supported, as its header cannot be modified.

13-1 Modify the device type

The device type needs to be modified to interface R/3 with HP Access Control. See the R/3 technical guides on how to modify a device type.

13-2 Replace the job header sequence

The existing job header in the device type must be replaced with the sequences listed below.
NOTE: All lines shown should be appended one after the other without any carriage returns between them. (Carriage returns were inserted in the listing below only for the purpose of improved readability.)
\e%-12345X@PJL\r\n
@PJL ENTER LANGUAGE= SJLLIGHT\r\n
@PJL SCOMMAND=STORE\r\n
@PJL USERNAME=$(USER)\r\n
@PJL SJOB NAME=$(DSN)$(SUFFIX1)$(SUFFIX2)\r\n
@PJL SJOB ID=$(SPOOLID)\r\n
@PJL SJOB DATE=$(LAUNCHED_UTC)\r\n
@PJL SJOB EXPIRYDATE=2010030110300000\r\n
@PJL EOSJ\r\n
@PJL ENTER LANGUAGE=PCL\r\n
\eE

13-3 Replace the job trailer sequence

The following sequence must be used to replace the existing job trailer in the device type.
\eE\eE\eE\e%-12345X

13-4 Activate the device type

After the device type is saved, activate it in the production environment and use it to produce documents. To verify that the modification is active, print to a PCL5 file and verify its header/footer.

14 HPAC Secure Printing Pull (roaming printing)

The HP Access Control Print Server roaming printing functionality allows the release of documents stored on any HPAC Print Server on the intranet from a printer/MFP equipped with HPAC Secure Pull Printing. This functionality offers many powerful workflow capabilities, such as:
• A user in China prints a document for his colleague in New York
• The job is securely stored on the server closest to the user in China
• The American addressee reaches an MFP in New York and authenticates
• The document output by his Chinese colleague is listed
• The American addressee requests the job release
• The document is sent directly from the Chinese server to the New York MFP
The HPAC Print Server architecture uses print job tickets stored on a shared Microsoft SQL Server database (software not provided with HPAC Secure Printing). The tickets only include information about print jobs; print job data remains on the servers where it is stored. Printers/MFPs get the list of print jobs from their contact print server. The list includes local jobs as well as all tickets stored on the shared database for that user. Local print job storage print queues can display on client PCs based on the IP address of the PC. This policy is defined in the Active Directory.
A roaming user can then always have a local pull printing queue defined on his/her laptop. This architecture allows local print job storage to always be used, ensuring no useless communication occurs between servers and MFPs.

14-1-1 Prerequisites for roaming printing

Roaming printing requires a database on one server (this server does not need to have HPAC Print Server installed):
• A functional Microsoft SQL Server 2000 or newer (with SQL or mixed Windows/SQL authentication), or
• An MSDE database (SP3A with SQL or mixed Windows/SQL authentication), and administrator access
• SQL/MSDE network configuration: TCP (default port 1433)
On each server equipped with HPAC Secure Printing Server, MDAC 2.8 needs to be installed if the connection to the database server is not possible. The firewall of every gateway and of every server equipped with an HPAC Secure Printing Server network connection should be set up to accept communication through the MS SQL Server port (1433 by default).
NOTE: Before starting, make sure that the HPAC Secure Printing Server can ping the SQL database server.

14-1-2 Create a dedicated database login

NOTE: If the default login supplied by MS SQL Server (named sa) is to be used, and its password is known, skip this section.
1. Open the SQL Server management console (Start > Microsoft SQL Server > Enterprise Manager).
2. In the left side of the console, find the Logins object. It is located at Console Root > Microsoft SQL Servers > SQL Server Group > <SQL Server to use> > Security.
Figure 45 SQL Server management console
3. Create a new login (right-click the right part of the console, and click the New Login entry of the pop-up menu).
4. In the General tab, enter any name in the Name field.
5. Click the SQL Server Authentication radio button. Enter a password in the Password field.
IMPORTANT: This password is the one to be entered in the HPAC Print Server configuration.
6.
In the Server Roles tab, check the Database Creators box.
IMPORTANT: Do not modify the settings of the Database Access tab if the database has not yet been created by the HPAC Print Server configuration utility.
7. If the database already exists, select the Database Access tab. Check the SJPS box in the first list, and the public and db_owner boxes in the second list.
NOTE: These rights have been determined to be sufficient. To set an exact match for the rights of the default user (sa), check all boxes in the first list.

14-1-3 Configuration of roaming

1. Launch the HP Access Control Secure Printing Server configuration software.
2. Select the Roam Printing tab.
3. Check the Activate Database support box.
4. Fill in the User Name and Password fields with the login and password chosen in the previous section.
5. In the Connection field, replace the default string after Data Source= with the IP address of the database server. For example:
Provider=SQLOLEDB;Data Source=99.99.999.999; initial catalog=SJPS

14-1-4 Test the basic database connection

Click Test Connection to test the link with the database. If it succeeds, the message Connection to the database server has succeeded displays. Otherwise, an error message displays.
NOTE: If the message This SQL server does not exist or access is denied displays, a firewall (on the database server, on a gateway, or on the HPAC Secure Printing Server) may be blocking the SQL communication.

14-1-5 Create the tickets database

Create the database on the MS SQL or MSDE server. This operation must be performed only once, from any HPAC Print Server. Click Create Database. If the database already exists, a confirmation is requested before a new database erases the existing one.

14-1-6 Synchronize the roaming database

HPAC Secure Printing Server still works if the roaming database communication is failing, but the roaming capability is disabled and only local jobs display.
If the database connection of an HPAC Print Server goes offline and print jobs are received by that HPAC Print Server, the roaming database server is not notified. The administrator can then resynchronize the database from any HPAC Print Server by clicking Synchronize All Servers. The database queries all servers for their current jobs and updates itself.

14-2 Job retention aliases – Single sign-on

Using Active Directory and/or LDAP to retrieve a user's single sign-on is one of the features of HPAC Secure Pull Printing. The goal is to allocate all jobs for a user to a single sign-on, even if that user has multiple identifiers/logins. To perform an alias retrieval, the program extracts the user login from the information related to the job, searches for a match within the Active Directory, and changes it to the corresponding AD data (which should be unique).

Figure 46 Alias retrieval
1 Alias (for example, JS908)
2 HPAC Print Server
3 Login (for example, jsmith)
4 Active Directory containing user information (for example, JS435, TSCHOLL JS908, JSMITH)
5 Disk storage

14-2-1 Configure the alias feature

1. In the Current Directory server profile settings section, click Alias retrieval settings.
2. The following window displays. Enter the specific data. For a detailed description of each parameter, see the following table.
Figure 47 Alias retrieval settings
The above dialog box enables the configuration of the parameters used to retrieve an alias for the job recipient value during HP Access Control job processing. The job owner name is searched in the Active Directory field named in the first parameter of the dialog box (Search the login in field), using the second parameter as a search filter (using search filter). If a record is found, the value of the field named in the third parameter is returned from that record.
NOTE: The user login fields used in the alias function must not contain the value UNKNOWN.
3.
The Test alias retrieval with login button enables a test of whether the alias retrieval using the current profile works as expected. The user is first asked to provide a login to search, and then the test is performed.

Table 33 Directory server alias retrieval parameters (Parameter: Description/Instructions)
Search the login in field: Look for the incoming job login in this field, using the supplied search filter.
using search filter: Use this search filter; see the Syntax of search filters section for instructions on search filter syntax.
and replace it with the value in field: Replace it with the content of this field, in the same record.

14-2-2 Syntax of search filters

Search filters should be written using the LDAP syntax. Since information is usually searched on user records, two variables are supplied. The default search filter is as follows:
(&(<src_field_name>=<src_value>)(objectCategory=user))
The <src_field_name> value is replaced during execution by the name of the field in which the search must be done. The <src_value> is replaced during execution by the value used as the search criterion. For example, with the value 1234 searched on the field customID, the dynamically generated filter would be:
(&(customID=1234)(objectCategory=user))
This filter can be modified to fit custom needs, as long as it contains both the <src_field_name> and <src_value> variables.
NOTE: Leaving a search filter blank is equivalent to using the default search filter: (&(<src_field_name>=<src_value>)(objectCategory=user)).

14-2-3 Search across chained databases

It is possible to find a record using the user ID, and then use the data contained in a field of this retrieved record to look for another record in the same or another database. This action is available for both authentication and alias retrieval purposes, and these database searches can be daisy-chained.
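An added example (not the product's own code) of how the search filter expansion of 14-2-2 and the chained search of 14-2-3 fit together in Python: build_filter replaces <src_field_name> and <src_value> in a profile's search filter, escaping the value per RFC 4515 so that a login lifted from job metadata cannot change the filter's meaning, and chained_lookup runs a badge-to-global-ID step followed by a global-ID-to-login step over two constructed in-memory directories. search_directory is a stand-in for the LDAP server that only understands the AND-of-equalities filter shape generated here; the profile keys, function names and sample records are assumptions.

```python
import re

# Default filter from section 14-2-2; a blank profile filter means this one.
DEFAULT_FILTER = "(&(<src_field_name>=<src_value>)(objectCategory=user))"
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")             # LDAP attribute name
ASSERTION_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a filter, so a login taken
    from job metadata such as 'a*' or 'x)(objectCategory=*' stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template, field, value):
    """Expand <src_field_name> and <src_value> in a profile's search filter."""
    template = template or DEFAULT_FILTER
    if "<src_field_name>" not in template or "<src_value>" not in template:
        raise ValueError("search filter must contain <src_field_name> and <src_value>")
    if not ATTR_RE.fullmatch(field):
        raise ValueError(f"invalid attribute name: {field!r}")
    return (template.replace("<src_field_name>", field)
                    .replace("<src_value>", escape_filter_value(value)))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search_directory(records, ldap_filter):
    """Constructed stand-in for an LDAP search (assumption: no real server).
    Supports only the (&(a=b)(c=d)...) shape that build_filter produces and
    returns the first record whose attributes all match, else None."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("only AND-of-equalities filters are supported here")
    assertions = [(a, _unescape(v)) for a, v in ASSERTION_RE.findall(ldap_filter)]
    for rec in records:
        if all(str(rec.get(attr)) == val for attr, val in assertions):
            return rec
    return None


def alias_lookup(records, profile, login):
    """Section 14-2-1: search `login` in profile['search_field'] using
    profile['filter'] and return profile['replace_field'] of the hit."""
    if login == "UNKNOWN":                        # reserved per the guide's NOTE
        raise ValueError("UNKNOWN must never be looked up")
    ldap_filter = build_filter(profile["filter"], profile["search_field"], login)
    rec = search_directory(records, ldap_filter)
    return None if rec is None else str(rec[profile["replace_field"]])


def chained_lookup(databases, steps, value):
    """Section 14-2-3: each step searches its own database and hands the
    replaced value to the next profile; None as soon as a step finds nothing."""
    for step in steps:
        value = alias_lookup(databases[step["database"]], step, value)
        if value is None:
            return None
    return value


# Constructed sample data mirroring Figure 48 (badge -> global ID -> login).
BADGE_DB = [
    {"badgeNumber": "1234", "globalID": "U98E894", "objectCategory": "user"},
    {"badgeNumber": "5678", "globalID": "U11A223", "objectCategory": "user"},
]
USER_DB = [
    {"globalID": "U98E894", "sAMAccountName": "jsmith", "displayName": "John Smith",
     "objectCategory": "user"},
    {"globalID": "U11A223", "sAMAccountName": "tscholl", "displayName": "T. Scholl",
     "objectCategory": "user"},
]
STEPS = [
    {"database": "badges", "search_field": "badgeNumber", "filter": "",
     "replace_field": "globalID"},
    {"database": "users", "search_field": "globalID", "filter": "",
     "replace_field": "sAMAccountName"},
]

if __name__ == "__main__":
    dbs = {"badges": BADGE_DB, "users": USER_DB}
    print(build_filter("", "customID", "1234"))
    print(chained_lookup(dbs, STEPS, "1234"))     # jsmith
    print(chained_lookup(dbs, STEPS, "*"))        # None: escaped, not a wildcard
```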
This daisy-chain search is used, for example, when there are multiple databases: one that handles the badge numbers or PIN codes and links them to a global ID, and other databases that hold information linked to global IDs.

Figure 48 Chained databases
1 PIN or badge number (for example, 1234)
2 Database 1: search for the PIN or badge number (1234) to find the global ID
3 Global ID found (for example, U98E894)
4 Database 2: search for the global ID (for example, U98E894); the linked user information is found. For example: globalID: U98E894, sAMAccountName: jsmith, displayName: John Smith, mail: [email protected], department: Marketing
5 User information retrieved. For example: jsmith, John Smith, [email protected], Marketing
NOTE: Connection to an AD server might take some time, so it is strongly advised to keep the number of AD servers involved in this action as small as possible.
To set up the search parameters:
1. Click Value to search replacement settings. The following screen displays.
Figure 49 Value to search replacement settings
2. Enter the data for the fields and click OK.
The incoming information (job owner or user ID) is searched in the field named in Search the value in field. If necessary (for IDs only; optional badge number conversion), it is first converted using the data in the using source conversion field. Enter the search filter in the on search filter field. If a record matches the search data, the value of the field named in If found, replace it with the value in field replaces the value that was searched, and the result is transmitted to the profile named in the fifth field (and transmit it to the profile), in a process of daisy-chained cross-database searches.

15 Ports and communication

15-1 HPAC Secure Printing ports

HPAC Secure Printing uses the following ports.
Table 34 HPAC Secure Printing ports (Usage; Protocol; Port; Changeable; Test)
Sending of HPACSP firmware files to printers
  Protocol: TCP-IP. Port: 9100. Changeable: N.
  Test: Install the printer under Windows using its IP address and print a test page.
Configuration of HPACSP on printers
  Protocol: TCP-IP. Port: 9400. Changeable: N.
  Test: telnet <printer IP> 9400; a line with @PJL should display on the screen.
Direct ID lookup from printer to LDAP
  Protocol: TCP-IP. Port: 389. Changeable: Y.
  Test: Replace the printer with a PC and use LDAP test software such as Softerra LDAP browser.
Communication between printer and HPAC Secure Printing Server
  Protocol: TCP-IP. Port: 2000. Changeable: Y.
  Test: Replace the printer with a PC, telnet <server IP> 2000; multiple lines of text should display.
Communication between HPAC Secure Printing Server and LDAP
  Protocol: TCP-IP. Port: 389. Changeable: Y.
  Test: Use LDAP test software such as Softerra LDAP browser to test the LDAP settings and connection.
Communication between HPAC Secure Printing Server and SQL
  Protocol: TCP-IP. Port: 1433. Changeable: Y.
  Test: In case of firewall issues, see http://support.microsoft.com/kb/287932 and http://support.microsoft.com/kb/914277
Print job release from HPAC Secure Printing Server to printer
  Protocol: TCP-IP. Port: 9100. Changeable: Y.
  Test: Install the printer under Windows using its IP address and print a test page.
IMPORTANT: For corporate firewall users, packets sent to HPAC Secure Printing Server on port 2000 are intercepted by some ASA firewalls, even when the firewall seems wide open. Traffic to port 2000 is inspected and matched to Skinny Call Protocol (SCCP), and the packets are dropped. If this issue occurs, allow SCCP in the firewall.

16 Front panel messages and troubleshooting

When using HP Access Control, information and/or error messages may display on the printer/MFP.
NOTE: These messages may display in the language selected on the configuration page.

16-1 HPAC Print Server logs

Activating the logging functionality can be helpful in detecting a problem and/or diagnosing whether a simple solution is available to solve it.
The communication log is encrypted and logs the communication between the printer and HPAC Print Server.
Figure 50 HPAC Secure Printing logs
Log tabs in the HPAC Print Server configuration software:
• Configuration utility log
• Job processing DLL log
• Service log
• CRL log for HP Access Control Auth-SC (Smart Cards)
If, after activating the logging functionality and analyzing the logs, a solution to a problem cannot be found, contact technical support for further help in diagnosing and solving the problem. For the HPAC Secure Printing Admin Software, a message displays when there is a problem. If a critical problem develops, a tracking functionality can be activated using a special procedure supplied by technical support.

16-2 Information messages

The following are information messages that may display on the device.

Table 35 Information messages (Message; Cause; Solution)
Retrieving from Printer.
  Cause: HPAC Secure Printing is in the process of retrieving the user or department jobs from the printer hard disk.
  Solution: N/A
Retrieving from your server.
  Cause: HPAC Secure Printing is in the process of retrieving the user or department jobs from the HPAC Print Server hosting the account.
  Solution: N/A
Releasing X jobs
  Cause: HPAC Secure Printing is in the process of releasing X jobs on a single function printer.
  Solution: N/A
ID update in progress. Try Later.
  Cause: A user's local ID list is being uploaded to the printer.
  Solution: Wait for the end of the list upload.

16-3 Error messages

This section includes a list of the HP Access Control error messages. The listing also includes troubleshooting tips and/or instructions for some of the messages. If technical support needs to be contacted regarding an issue, make sure to note the error message code displayed within brackets.
16-3-1 Printer error messages

Table 36 Printer error messages (Message; Troubleshooting)
[B4] HPACSP: ID update failed
[B5] HPACSP: BILLING update failed
[B13] HPACSP: Invalid PS server
  Troubleshooting:
  • Check the HPAC Secure Printing Server IP address.
  • Check the HPAC Secure Printing Server port number.
  • Check the HPAC Secure Printing Server service status.
  • Check the response time of the server. If it is greater than 20 s, the error message displays.
  • Check the compatibility between the printer and the HPAC Secure Printing Server version.

16-3-2 MFP error messages

Table 37 MFP error messages (Message; Cause; Solution)
[A10] HPACSP: No Hard Disk, please contact Administrator
  Cause: HPAC Secure Printing could not release a stored job. A hard disk read/write operation failed. The disk might need reformatting, or might be defective.
  Solution: Retry the process or delete the job.
[C15] HPACSP: System error, please power cycle device.
[C16] HPACSP: Print request failed.
[C17] HPACSP: Hard disk operation failed.
  IMPORTANT: This message is normal during product installation and must be ignored.
[C23] HPACSP: IP connection failed (SC).
  Cause: HPAC Secure Printing could not establish an IP connection.
  Solution: Verify that the LAN is alive at the printer, routers and firewalls, and that the printer's internal configuration web page can be accessed (this is not the Jetdirect web page).
[C24] HPACSP: No server response, server: [display IP], please contact Administrator.
  Cause: The HPAC Secure Printing Server hosting the jobs does not answer requests.
  Solution: Verify the network, routers, firewalls, and the HPAC Print Server status.
[C25] HPACSP: No server response, server: [display IP], please contact Administrator.
  Cause: The HPAC Secure Printing Server hosting the jobs does not answer requests.
  Solution: Verify the network, routers, firewalls, and the HPAC Print Server status.
[C26] HPACSP: Out of memory, please power cycle device.
  Cause: The system ran out of memory.
  Solution: Reboot the device and notify support if this happens again.
[C28] Read error from server: [display IP], please contact Administrator.
  Cause: HPAC Secure Printing received corrupted data from the server.
  Solution: Verify the network, routers, firewalls, and the version of HPAC Print Server.
[C30] HPACSP: Invalid PS server: [display IP].
  Cause: The HPAC Secure Printing Server hosting the jobs does not answer requests or sends incorrect data.
  Solution: Verify the network, routers, firewalls, and the HPAC Print Server version and status. Troubleshooting:
  • Check the HPAC Secure Printing Server IP address.
  • Check the HPAC Secure Printing Server port number.
  • Check the firewall status (read the chapter on ports and firewalls).
  • Check the HPAC Secure Printing Server service status.
  • Check the response time of the server. If it is greater than 20 s, the error message displays.
  • Check compatibility between the printer and the HPAC Secure Printing Server version.
[C31] HPACSP: Write error from server: [display IP].
  Cause: The HPAC Secure Printing Server hosting the jobs received incorrect data.
  Solution: Verify the network, routers, firewalls, and the HPAC Print Server version and status.
[C42] HPACSP: Device is not licensed, please contact Administrator.
  Cause: The device does not have a valid license for HP Access Control.
  Solution: Verify the license status and the number of devices already served.
[C65] HPACSP: ID error (invalid badge).
  Cause: The badge is not compatible with the authentication parameters.
  Solution: Verify the configuration:
  • Check the reader settings.
  • Check the ID validity.
  • Check the Active Directory field containing the ID.
[C66] ID error (transmission failure).
  Cause: Data received from the badge reader is corrupted.
  Solution: Authenticate again, or contact support if the problem occurs again.
[D14] HPACSP: Server [display IP] is unreachable, please contact Administrator.
  Cause: The HPAC Secure Printing Server hosting the jobs does not answer requests.
  Solution: Verify the network, routers, firewalls, and the HPAC Print Server status.
[D26] HPACSP: Failed to contact host
  Cause: The HPAC Secure Printing Server hosting the jobs does not answer requests.
  Solution: Verify the network, routers, firewalls, and the HPAC Print Server status.
[D29] HPACSP: An error occurred during the login process, please authenticate again.
  Cause: The function is not linked to any authentication agent in the authentication manager.
  Solution: Verify the settings in the HP Authentication Manager.
NO ID LIST. CONTACT ADMIN
  Cause: The printer has not been initialized with a users list.
  Solution: Use the HPAC SP Admin Software to send a valid list to the printer, or link to enrollment or live LDAP validation.
Corrupted user list. Contact Admin
  Cause: The list of users and IDs is corrupted on the printer.
  Solution: Reload the users list to the device.
Chosen language not available
  Cause: HPAC Secure Pull Printing is not active in the printer.
  Solution: Print the printer configuration pages and verify that the HP Access Control application is active.
Server X does not respond.
  Cause: The HPAC Secure Pull Printing server hosting the jobs does not answer requests.
  Solution: Verify the network and the HPAC Secure Printing server status.

16-3-3 Smart Card error messages

Table 38 Smart Card error messages (Message; Cause; Solution)
[G2] HPACSP: Invalid Password
[G3] ACSP: Failed to upgrade reader settings.
  Cause: The Smart Card reader could not get its parameters from the MFP.
  Solution: Regenerate the Smart Card configuration and reboot the MFP.
[G4] HPACSP: Device is not licensed, please contact Administrator.
  Cause: The device does not have a valid license for HP Access Control.
  Solution: Verify the license status and the number of devices already served.
[G6] HPACSP: Internal error (ADK), please contact Administrator.
  Cause: The Smart Card library encountered an internal error.
  Solution: Reboot the MFP. Contact support if the problem happens again.
[G11] HPACSP: Invalid Print Server: [display IP], please contact Administrator.
  Cause: The identification process between an HPAC Secure Printing server and HPAC Secure Printing authentication failed.
  Solution: Verify the HPAC Secure Printing server IP addresses and port, firewalls, antivirus, and compatibility between the versions of HPAC SPS Admin Software and HPAC Secure Printing. Troubleshooting:
  • Check the HPAC Secure Printing Server IP address.
  • Check the HPAC Secure Printing Server port number.
  • Check the HPAC Secure Printing Server service status.
  •Check the response time of the server. If it is greater than 20 s, the error message displays.
  • Check compatibility between the printer and the HPAC Secure Printing Server version.
[G12] ACSP: Invalid Card.
  Cause: The Smart Card is not sending the expected data.
  Solution: Troubleshooting:
  • Check the reader settings.
  • Check the Smart Card compliance with the configuration.
  • Check the Active Directory lookup for Smart Cards.
[G19] ACSP: Initialization failed, please power cycle device.
  Cause: The MFP cannot communicate with the Smart Card reader.
  Solution: Check that the reader is ON.
[G23] ACSP: LDAP Error – CONFIGURATION, please contact Administrator.
  Cause: The LDAP Smart Card configuration is incorrect.
  Solution: Verify the LDAP Smart Card validation.
[G24] ACSP: LDAP Error – DATA, please contact Administrator.
  Cause: The LDAP Smart Card configuration is incorrect.
  Solution: Verify the Smart Card LDAP validation.
[G25] ACSP: LDAP Error – CONNECTION, please contact Administrator.
  Cause: The LDAP connection is not working.
  Solution: Verify the LDAP Smart Card configuration.
[G29] ACSP: Invalid login and/or password.
  Cause: The login/password entered for the alternate authentication is incorrect.
  Solution: Verify the network credentials.
[G30] ACSP: Failed to get user information.
  Cause: The Smart Card LDAP configuration is incorrect.
  Solution: Verify the LDAP Smart Card configuration.

Appendix A Supported functions per device model

HPAC Secure Printing provides authentication and secure printing services.
Some devices are not supported by all functions, or will be supported in the future. See the table below and get updates on support from http://www.hp.com.

Table 39 Supported functions per device model (columns: Proximity Badges Authentication, Smart Card Authentication, PIN Code Authentication, Secure Printing)
HP device models: CLJ 3000, LJ P3005, P3014/3015, LJ CP3505, LJ CP3525, LJ CM3530 MFP (2), CLJ 3800, LJ P4014, LJ P4015, LJ P4515, LJ CP4020, LJ CP4025, LJ CP4520, LJ CP4525, LJ CM4730 MFP, LJ M3035 MFP, LJ M4345 MFP, LJ M5035 MFP, LJ CP6015, LJ CM6030 MFP, LJ CM6040 MFP, LJ CM6049 MFP, CM8050/8060 MFP, LJ M9040/M9050 MFP, LJ M9059 MFP, DS 9250c (no printing), LJ 2410 (1), LJ 4250, LJ 4350, CLJ 4650, CLJ 4700, LJ 4345 MFP, LJ 4730 MFP (2), LJ 2420 (1), LJ 2430, LJ 5200/5200L, CLJ 5550, LJ 9040/9050, LJ 9040/9050 MFP, DS 9200c (no printing), CLJ 9500
(1) No HDD available for these devices.
(2) One USB slot and one Compact Flash slot available only.

Appendix B Backward compatibility

• HPAC Print Server 6.2 is compatible with devices installed with 5.3.5, 6.0, and 6.1 RFU packages.
• HPAC Admin 6.2 software is compatible with devices installed with 5.3.5, 6.0, and 6.1 RFU packages.
• HPAC Admin 6.2 software cannot license devices installed with 5.3.5 and 5.3 RFU packages.
Appendix C Prerequisites for PCs and servers

Prerequisites for the Administration PC running HPAC Secure Printing Admin Software:
• Windows 2003 or 2008 Server (32-bit and 64-bit)
• 512 MB of RAM
• 1 GB of free HDD capacity
• .NET Framework 3.5
• Internet Information Services (IIS) Manager 6.0 or 7.0
• ASP.NET 2.0.50727
• SQL Server Compact Edition 3.5 SP1
• Microsoft Visual C++ 2008 Redistributable
Prerequisites for servers running the HPAC Secure Printing Server software:
• Windows XP (32-bit) / 2003 or 2008 Server (32-bit) / Vista (32-bit)
• 512 MB of RAM
• Enough HDD capacity to store users' print jobs
• .NET Framework 3.5
• .NET Framework 2.0 and Dotnetfx
• Microsoft Visual C++ 2005 Redistributable
• Microsoft Visual C++ 2008 Redistributable
Prerequisites for the optional Quota Notification tool:
• Windows XP / 2003 Server / Vista (32-bit)
• Windows Active Directory
• .NET Framework 3.5
Prerequisites for the HPAC Secure Print driver plug-in:
• Windows XP (32-bit and 64-bit) / 2003 or 2008 Server (32-bit and 64-bit) / Vista (32-bit and 64-bit)
• 512 MB of RAM
• .NET Framework 2.0
• Microsoft Visual C++ 2005 Redistributable
• Microsoft Visual C++ 2008 Redistributable

Appendix D Prerequisites for printers and MFPs

As support for new devices is constantly evolving, visit http://www.hp.com for the most current list of supported printers, MFPs, and Digital Senders. Printers must have storage media (HDD or USB stick) with 50 MB free, an active TCP/IP LAN connection, and one free host USB slot available when using a badge authentication solution. All printers/MFPs must have EWS logins and passwords configured to function under HPAC.
NOTE: The printer/MFP must be connected to the LAN at boot time.
Table 40 Prerequisites for printers and MFPs

HP Device Model               Support Media        Minimum FW   Minimum Memory
CLJ 3000                      USB                  46.041.2     192 MB
LJ P3005                      USB                  02.080.4     80 MB
P3014/P3015                   USB                  06.042.0     128 MB
LJ CP3505                     USB                  03.060.4     256 MB
LJ CP3525                     USB                  06.040.4     512 MB
LJ CM3530 MFP                 USB                  53.040.7     512 MB
CLJ 3800                      USB                  46.039.0     256 MB
LJ P4014/P4015                USB                  04.047.2     128 MB
LJ P4515                      USB                  04.047.2     128 MB
LJ CP4020/CP4025              USB                  07.010.3     512 MB
LJ CP4520/CP4525              USB                  07.010.3     512 MB
LJ CM4730 MFP                 USB                  50.090.7     384 MB
LJ M3035 MFP                  USB                  48.110.7     256 MB
LJ M4345 MFP                  USB                  48.110.7     256 MB
LJ M5035 MFP                  USB                  48.110.7     256 MB
LJ CP6015                     USB                  04.050.4     512 MB
LJ CM6030 MFP                 USB                  52.060.7     512 MB
LJ CM6040 MFP                 USB                  52.060.7     512 MB
LJ CM6049 MFP                 USB                  52.060.7     512 MB
CM8050/CM8060 MFP (3)         USB                  74.020.0     1024 MB
LJ M9040/M9050/M9059 MFP      USB                  51.060.7     384 MB
DS 9250c (no printing)        USB                  48.100.7     standard
LJ 2410/2420/2430             Compact Flash        08.112.3     128 MB
LJ 4250/4350/4240             Compact Flash        08.014.0     128 MB
CLJ 4650                      Compact Flash        07.006.0     128 MB
CLJ 4700                      Compact Flash/USB    46.120.4     128 MB
LJ 4345 MFP                   Compact Flash        09.160.4     128 MB
LJ 4730 MFP                   Compact Flash/USB    46.240.4     256 MB
LJ 5200/5200L (4)             Compact Flash        08.059.2     128 MB
CLJ 5550                      Compact Flash        07.009.0     256 MB
LJ 9040/9050                  Compact Flash        08.130.4     128 MB
LJ 9040/9050 MFP              Compact Flash        08.150.3     256 MB
DS 9200c (no printing)        Compact Flash        09.160.4     256 MB
CLJ 9500 MFP                  Compact Flash        08.150.3     256 MB

(3) No HDD available for these devices.
(4) For technical reasons the device must be equipped with a hard disk drive.

IMPORTANT: The HP LaserJet CP6015 does not support firmware more recent than 04.043.2. If printing documents with Asian characters (for example, Chinese, Japanese, Korean), be sure that the MFP front panel supports those languages and has the appropriate base firmware. The EWS page for the device displays the current firmware version.
Glossary

.NET: Called "dot net," this is a component of Microsoft Windows used to develop software.
ABAP: Advanced Business Application Programming.
AD: Active Directory. A directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains.
AES: Advanced Encryption Standard. An encryption scheme that uses the 128-bit AES algorithm combined with RSA PKI public/private key encryption.
ASCII: American Standard Code for Information Interchange. Character encoding based on the English alphabet.
authentication: The process of gathering identifying information from a user and validating this information with a trusted source.
CSV: Comma Separated Values file format.
DES: Data Encryption Standard. A symmetric encryption algorithm.
DNS: Domain Name System. A data query service for translating hostnames into Internet addresses. Also, the style of hostname used on the Internet, though such a name is properly called a fully qualified domain name.
EIO: Extended Input/Output.
ERP: Enterprise Resource Planning.
EWS: Embedded Web Server. Web capabilities embedded in the device that allow it to be managed from any location using a browser.
FTP: File Transfer Protocol.
GUI: Graphical User Interface.
HDD: Hard Disk Drive.
HPAC: HP Access Control.
IIS: Internet Information Services. Internet-based services for servers created by Microsoft for use with Microsoft Windows.
IOF: I/O Filter. SDK that allows applications to manipulate the print job stream (for example, decryption, e-forms, job accounting).
IPA: In-Printer Agent.
LDAP: Lightweight Directory Access Protocol. A relatively simple protocol, running over TCP/IP, for accessing online directory services and for updating and searching directories.
LPR: Line Printer Remote protocol. Provides printer spooling and network print server functionality for Unix-like systems.
MB: Megabyte.
MFP: Multi-Function Peripheral. A device that combines printing, scanning, and copying with faxing and/or digital sending (for example, to e-mail or a folder).
NDPS: Novell Distributed Print Services.
OS: Operating System.
PIN: Personal Identification Number. A number used to gain access, similar to a password. A PIN is often not shown when typed; for example, each character is replaced with an asterisk (*).
PJL: Printer Job Language.
PKI: Public Key Infrastructure. An arrangement of public and private keys that allows verification of identity. It is used to "sign" trusted applications on the device.
RFU: Remote Firmware Upgrade. Upgrading printer/MFP firmware over the network, without using a parallel cable to connect the printer/MFP directly to a computer.
SAP: Systems, Applications and Products.
SMP: Secure Mobile Printing.
SMTP: Simple Mail Transfer Protocol. A protocol used to transfer electronic mail between computers, usually over Ethernet. It is a server-to-server protocol, so other protocols are used to access the messages.
SSL: Secure Sockets Layer. A protocol that provides encrypted communications on the Internet. SSL is layered beneath application protocols such as HTTP, SMTP, Telnet, FTP, Gopher, and NNTP, and above the connection protocol TCP/IP. It is used by the HTTPS access method.
TCP/IP: Transmission Control Protocol over Internet Protocol. The standard Ethernet protocols. TCP/IP was developed for internetworking and encompasses both network layer and transport layer protocols. While TCP and IP specify two protocols at specific protocol layers, TCP/IP is often used to refer to the entire DoD protocol suite based upon these, including telnet, FTP, UDP and RDP.
UPD: Universal Print Driver. One driver for office printing, with simple discovery of devices and features, and centralized control and security; easy to use and manage.
USB: Universal Serial Bus.
WJA: Web Jetadmin. HP's web-based network peripheral management software.
XML: eXtensible Markup Language. A simple dialect of SGML suitable for use on the World Wide Web.

Index

A
AD, 18, 64, 70, 71, 72, 75, 80, 81, 98, 101
alias, 25, 26, 71, 73, 77, 98, 99, 100
authentication gateway, 16, 18, 71, 80
authentication settings, 75
B
badge reader, 16, 17, 45, 46, 106
billing code, 48, 49, 56, 57, 58, 87, 90
C
cluster server, 19
corporate key, 47, 48, 49, 65, 66, 93
CSV, 39, 40, 41, 48, 50, 51, 54, 57, 59
D
daisy chain, 18, 75, 76, 100, 101
DNS, 17
E
EWS, 39
F
failover, 19, 20, 22, 23, 24, 45, 69, 71
firewall, 25, 96, 98, 102, 105, 106, 107
H
HDD, 12, 15, 80, 81, 87, 90, 112, 113
I
installation kit, 16
J
job retention, 12, 16, 18, 25, 26, 98
K
Kerberos, 80
L
LDAP, 16, 18, 45, 49, 50, 55, 56, 59, 61, 64, 68, 69, 70, 71, 75, 76, 80, 81, 82, 98, 99, 102
license agreement, 18, 84
M
messages: error, 104; information, 104; Smart Card, 107
N
non-cluster server, 18, 21, 22
P
PIN code, 10, 44, 49, 50, 53, 54, 55, 56, 59, 64, 65, 68, 71, 72, 75, 92, 100
private key, 65, 86, 93
proximity card, 16, 47
public key, 65, 86, 93
R
reboot, 16, 47, 105, 107
remote directory, 25, 26
RFU, 16, 43, 111
roaming printing, 10, 80, 81, 82, 96, 97, 98
S
security, 10, 47, 80, 90
self enrollment, 16, 45, 80
server logs, 103
SLDAP, 64
Smart Card, 16, 44, 45, 49, 63, 64, 65, 103; error, 107
SMTP, 55
T
TCP/IP, 15, 25, 34, 55, 88, 89, 102, 113
U
uninstall, 24, 87
USB, 16, 17, 113