HP Access Control Smartcard Solution

Transcription

1 HP Access Control Smartcard for U. S. Government Administrator s Guide

2

3 HP Access Control Smartcard for U.S. Government Administrator's Guide

4 Copyright information 2009 Copyright Hewlett-Packard Development Company, L.P. Reproduction, adaptation or translation without prior written permission is prohibited, except as allowed under the copyright laws. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Edition 2, 11/2009 Trademark credits Microsoft and Outlook are U.S. registered trademarks of Microsoft Corporation.

5 Table of contents 1 Installation Upgrade the device firmware... 2 Supported devices... 2 Enable remote firmware upgrades... 2 Upgrade the Smartcard and MFP/digital sender firmware... 3 Install the hardware Configuring the MFP/digital sender Configure the IPv4 settings... 8 Configure the MFP/digital sender for Kerberos authentication Accessing the Kerberos Authentication page Enter the Kerberos authentication information Accessing the LDAP server Install the Kerberos Server Root Certificate Authority Certificate Configure validation of the KDC certificate Configure authentication using the Smartcard accessory Configure access to the network destination folders Configure LDAP access for address books Configuring LDAP over SSL Configure Send to Normal use of the HP Access Control Smartcard 4 Troubleshooting General troubleshooting Kerberos troubleshooting LDAP server troubleshooting PKINIT troubleshooting OCSP/CRL troubleshooting troubleshooting Appendix A Licenses Heimdal Kerberos ENWW iii

6 OpenSSL Appendix B Warranty Service Hewlett-Packard Limited Warranty Statement Customer self repair warranty service iv ENWW

7 1 Installation Use this section to upgrade the HP Access Control Smartcard firmware (if required) and then install the Smartcard reader. Upgrade the device firmware Install the hardware ENWW 1

8 Upgrade the device firmware This section provides instructions for upgrading the firmware on the MFP/digital sender to allow it to work with the HP Access Control Smartcard for U. S. Government. You must have the correct MFP/digital sender Internet Protocol (IP) address to install the firmware. Obtain the IP address of the MFP/digital sender by printing a configuration page or using the control panel. See the MFP/digital sender user guide for instructions. Make sure that the MFP/digital sender is connected to the network, turned on, and in the Ready mode. Supported devices Enable remote firmware upgrades Upgrade the Smartcard and MFP/digital sender firmware Supported devices The following lists the supported HP MFPs/digital senders. NOTE: HP recommends that you upgrade your MFP/digital sender to the latest firmware version and the corresponding authentication agent. (You download the upgrades from the HP Access Control Smartcard Web site.) For more information, see Upgrade the Smartcard and MFP/digital sender firmware on page 3. HP Color Laserjet CM3530 CM4730 CM6030/6040 HP Digital Sender DS9250C HP Laserjet M3035 M4345 M5035 M9040/M9050 Enable remote firmware upgrades If you are upgrading the firmware (recommended), the MFP/digital sender might be configured with the recommended security settings, which disables remote firmware upgrades. Use the following instructions to enable the option. 2 Chapter 1 Installation ENWW

9 NOTE: The instructions are for an HP LaserJet M3035. Your MFP/digital sender might access this option differently. For complete instructions about accessing the Remote Firmware Upgrade option, see the MFP/digital sender user guide. 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender. NOTE: Recommended security settings typically disable the MFP/digital sender from accessing the HP Embedded Web Server from a Web browser. If the HP Embedded Web Server page does not display, enable access using HP Web Jetadmin. For more information, see the MFP/digital sender user guide. 2. Click the Settings tab. Enter the administrator password if you are prompted for administrator credentials. 3. On the left menu bar, click Security 4. On the Device Security Settings page, scroll down to the Options for Services section. 5. Verify that the Remote Firmware Upgrade check box is selected. Figure 1-1 Enable Remote Firmware Upgrade option in the EWS. 6. Click Apply and close the browser window. NOTE: To maintain the recommended security settings, disable the setting after upgrading the firmware on the MFP/digital sender. Upgrade the Smartcard and MFP/digital sender firmware HP recommends that you upgrade your MFP/digital sender with the latest authentication agent and the corresponding firmware version. (You must have Internet access to download the files to your computer.) The upgrade consists of an authentication agent file (.pjl), which upgrades the Smartcard, and a firmware image file (.rfu), which allows the MFP/digital sender to detect and use the Smartcard reader. You will download both of these files from the HP Access Control Smartcard Web site. To download the firmware upgrades, use the following steps: 1. Start a supported Web browser. 2. Go to the following URL: ENWW Upgrade the device firmware 3

10 3. First, download the authentication agent file: a. Go to the Software section and click Download. b. When the File Download Security Warning is displayed, click Run and run the usgovt_auth_agent_v2.xx.exe file. c. When the Self-Extractor window is displayed, click Browse to select a temporary folder to unzip the file, or use the default (C:\Temp\AuthAgent), and click Unzip. The file named usgovt_auth_agent_v2.xx.pjl is extracted to the selected folder. 4. If you need to download the firmware upgrade image for your MFP/digital sender, use the following steps: a. Go to the Software section and click Smartcard Authentication Agent and Required Firmware. b. Select your MFP/digital sender from the list. (For example, HP LaserJet M5035mfp Firmware.) c. Use the Description field to locate the correct operating system for your MFP/digital sender and click Download. d. When the File Download Security Warning is displayed, click Run and select the file (for example, ljm mfpfw_win_48.xxx.x.exe). e. When the Internet Explorer Security Warning window is displayed, click Run. f. Click Browse to choose a folder, or use the default (for example, C:\HP_M5025 M5035_printer_rfu_xx.xxx.x), and click Extract. The files are extracted to the selected folder. To copy the files to the MFP/digital sender using FTP, use the following steps: If the necessary firmware is already installed, skip to step 7 below. 1. Open an MS DOS command prompt window by clicking Start, then click Run, type cmd at the run prompt, and then press Enter. 2. Type the following command, using the IP address of the MFP/digital sender: ftp <MFP IP address> (example: ftp ). Press Enter. A prompt is displayed for the user name. 3. By default, neither a user name or password are required for ftp access to the MFP/digital sender. Press Enter at the user name and password prompts. An FTP> prompt is displayed. 4. Type bin and press Enter. The FTP prompt is again displayed. 5. Use the FTP put command to copy the.pjl file to the MFP/digital sender. Type the following command, using the path to the location of the file: put <path of the file> (for example: put C:\Temp\AuthAgent\usgovt_auth_agent_v2.xx.pjl ). 6. Press Enter. Text is displayed in the command window to indicate that the FTP copy job is processing. 7. Use the FTP put command to copy the.rfu file to the MFP/digital sender. Type the following command, using the path to the location of the file: put <path of the file> (for example: put C:\HP_M5025 M5035_rfu_xx.xxx.x\ljM mfpfw_xx_xxx_x.rfu ). 4 Chapter 1 Installation ENWW

11 8. Press Enter. Text is displayed in the command window to indicate that the FTP copy job is processing. When the file is copied, the control panel displays Performing Upgrade and then the MFP/digital sender restarts. 9. After the file is copied to the MFP/digital sender, type bye and press Enter. The session ends. If the firmware on the MFP/digital sender is current and only the.pjl file is installed, the MFP/digital sender must be restarted before U.S. Gov't Smartcard v2.xx appears on the Authentication Manager page. NOTE: After installing the firmware upgrade, print a configuration page from the MFP/digital sender to verify that the new firmware is installed. See the MFP/digital sender user guide for information about how to print a configuration page. To verify that the HP Access Control Smartcard authentication and firmware upgrades were installed correctly, start the HP Embedded Web Server, click the Settings tab, then click the Authentication Manager from the left menu bar. Click on a Sign In Method for any of the device functions. If the authentication upgrade installed correctly, the sign in methods include U.S. Gov't Smartcard 2.xx as a selection. CAUTION: A 49.4c18 error might occur when the MFP/digital sender restarts. The most common cause of this error is installing the Smartcard authentication (.pjl) upgrade and restarting without the necessary firmware (.rfu) installed. For more information, see Troubleshooting on page 31. ENWW Upgrade the device firmware 5

12 Install the hardware 1. Plug the Smartcard reader into the external universal serial bus (USB) port on a supported MFP/ digital sender. NOTE: If a label covers the USB port on the MFP/digital sender, remove the label before plugging in the Smartcard reader. 2. Attach the Smartcard reader to an appropriate location on the MFP/digital sender. Ensure that the USB cable from the Smartcard reader does not interfere with any other functions of the MFP/digital sender. 3. Restart the MFP/digital sender. 4. Print a configuration page to verify that the MFP/digital sender recognizes the installed Smartcard reader. If installed correctly, the Smartcard reader is listed as MFP Smart Card in the USB Accessories section of the configuration page. 6 Chapter 1 Installation ENWW

13 2 Configuring the MFP/digital sender After the HP Access Control Smartcard firmware and hardware are installed, the MFP/digital sender is ready to configure. This chapter provides information about the following topics: Configure the IPv4 settings Configure the MFP/digital sender for Kerberos authentication Configure authentication using the Smartcard accessory Configure access to the network destination folders Configure LDAP access for address books Configure Send to ENWW 7

14 Configure the IPv4 settings 1. Open a supported Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/ digital sender. 2. Click the Settings tab. 3. On the left menu bar, click Configure Device. The Configure Device page is displayed. Figure 2-1 Configure Device Page 8 Chapter 2 Configuring the MFP/digital sender ENWW

15 4. From the menu on the main page, navigate to the IPV4 settings. Click Initial Setup, click Networking and I/O, click Embedded Jetdirect, click TCP/IP, and then click IPV4 Settings. Figure 2-2 Access the IPV4 settings 5. Scroll down to the IPV4 SETTINGS section. Figure 2-3 IPV4 options 6. Type the IP address of the Kerberos server in the Primary DNS text box. 7. Click Apply. ENWW Configure the IPv4 settings 9

16 Configure the MFP/digital sender for Kerberos authentication For additional information on configuring Kerberos authentication refer to the Configuring Embedded Kerberos Authentication guide. It comes bundled on the product CD and is also available for download from HP at: h20000.www2.hp.com/bc/docs/support/supportmanual/c /c pdf TIP: When installing this solution for the first time in a new environment, it is recommended that you configure and test the Kerberos settings first. Once Kerberos is working correctly, then configure LDAP settings. Once LDAP is working correctly, then configure PKINIT settings. Accessing the Kerberos Authentication page Many of the steps required to configure the MFP/digital sender for Kerberos authentication are completed on the Kerberos Authentication page. Follow the steps below to access the page. 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender. 2. Click the Settings tab. 3. On the left menu bar, click Kerberos Authentication. The following panel is displayed: Figure 2-4 Kerberos Authentication page (part 1) 10 Chapter 2 Configuring the MFP/digital sender ENWW

17 4. Select the domain name and click Edit, or click Add to enter a new domain name. The Kerberos Authentication detail panel is displayed. Figure 2-5 Kerberos Authentication page (part 2) Enter the Kerberos authentication information On the Kerberos Authentication detail page, complete the Accessing the Kerberos Authentication Server section using the following steps: 1. Enter the Kerberos Realm (Domain). NOTE: You must enter the Kerberos Realm using all uppercase letters. 2. Enter the Kerberos Server Hostname. 3. Enter the Kerberos Server Port if required. 4. Click Apply to save the settings. ENWW Configure the MFP/digital sender for Kerberos authentication 11

18 Kerberos settings test If the settings for the Kerberos Realm (Domain) and Kerberos Server Hostname are correct, you can partially authenticate on the MFP/digital sender. To see if you have configured your Kerberos settings correctly, use the following steps: 1. Using the HP Embedded Web Server, click the Settings tab and then select Authentication Manager from the left menu bar. 2. Select Kerberos from the Sign In At Walk Up drop-down list and click Apply. The MFP/digital sender control panel should display a Sign In > Windows prompt. 3. At the MFP/digital sender control panel, attempt to log in using a valid username and password for your domain. If the following error message is displayed Authentication Failed: Kerberos LDAP server not configured. Please contact the administrator., the Kerberos Authentication settings were successfully configured. If a different error message is displayed, see Kerberos troubleshooting on page 34. Accessing the LDAP server Using the Kerberos Authentication page, complete the Accessing the LDAP server section using the following steps: LDAP settings test 1. Select the LDAP Server Bind Method (Kerberos or Kerberos Over SSL). 2. Click the Use Device User's Credentials check box. 3. Enter the LDAP Server name. (You can use the same name as used for the Kerberos Server Hostname.) 4. Enter the LDAP server Port number. 5. Click Apply to save the settings. On HP MFPs and digital senders with embedded Kerberos authentication capability, Kerberos authentication is a two step process. The first step obtains a Kerberos TGT (ticket granting ticket). The Kerberos settings test (see Kerberos settings test on page 12) will indicate if this is successful. The second step looks up the authenticated user s address from an LDAP directory. To test your LDAP server access, use the following steps: 1. Using the HP Embedded Web Server, go to the Authentication Manager page by clicking on the Settings tab and then select Authentication Manager from the left menu bar. 2. Select Kerberos from the Send to drop-down list and click Apply. 12 Chapter 2 Configuring the MFP/digital sender ENWW

19 3. Verify that a valid SMTP gateway is specified on the Settings page by selecting the Digital Sending tab and clicking Settings from the left menu bar. Figure 2-6 Settings 4. Access the menu on the MFP/digital sender control panel and touch . If you authenticate with no error message and the correct name displays in the From field on the Settings screen, then the LDAP settings are configured correctly. If you receive an error message or do not see the correct display name, see LDAP server troubleshooting on page 37. Install the Kerberos Server Root Certificate Authority Certificate The issuer s certificate for your KDC certificate must be installed on the MFP/digital sender in order to perform PKINIT authentication. To install this certificate: 1. Using the HP Embedded Web Server, select the Settings tab. 2. On the left menu bar, click Kerberos Authentication. 3. Select the domain name and click Edit, or enter a new domain name by clicking Add. The Kerberos Authentication page is displayed. ENWW Configure the MFP/digital sender for Kerberos authentication 13

20 4. Scroll down to the Using PKINIT Authentication (Smart Card Authentication Only) section and click PKINIT Settings. The following screen is displayed: Figure 2-7 Kerberos Authentication page (PKINIT Settings) 5. From the Kerberos Server Root Certificate Authority (CA) Certificate section, click Edit. 6. On the Certificates page, click Browse and locate the certificate file. 7. Once the file is located, click Import. If you can use Smartcard to log on to a PC, you may be able to find the certificates that must be installed on the MFP/digital sender on that PC. To find certificates installed on a PC: 1. Log on to a PC using a Smartcard. 2. Open Internet Explorer. 3. On the Tools menu, select Internet Options. 4. Select the Content tab and click Certificates. 5. On the Intermediate Certification Authorities and Trusted Root Certification Authorities tabs you may find certificates that allow the MFP/digital sender to authenticate successfully. 14 Chapter 2 Configuring the MFP/digital sender ENWW

21 If there is a certificate problem, the error message on the MFP/digital sender often contains the subject of the required certificate. The subject normally has a CN=<some name> value in it. The <some name> portion is the value that Internet Explorer shows in the Issued To column of the Certificates dialog box. Once the following steps are completed, you are ready to test PKINIT Smartcard authentication. Verify the following before you begin: The HP Smartcard reader is attached to the MFP/digital sender. The Kerberos settings are configured and working correctly. The LDAP settings are configured and working correctly. The KDC issuer certificate is loaded. PKINIT Smartcard authentication test To test PKINIT Smartcard authentication: 1. Using the HP Embedded Web Server, click on the Settings tab and then select Authentication Manager from the left menu bar. 2. Select U.S. Gov't Smartcard v2.xx from the Sign In At Walk Up drop-down list. 3. Select U.S. Gov't Smartcard v2.xx from the Send to drop-down list. NOTE: If U.S. Gov't Smartcard v2.xx is not listed on any of the drop-down lists on the Authentication Manager page, the HP Access Control Smartcard authentication upgrade is not installed. (See Upgrade the Smartcard and MFP/digital sender firmware on page 3 for more information.) 4. Click Apply. 5. The MFP/digital sender should now have the following prompt: Please insert your Smartcard, then press OK. 6. Insert your Smartcard into the reader, enter the appropriate PIN on the control panel, and touch OK. If you authenticate successfully, then the correct certificate is properly installed. If you cannot authenticate, see PKINIT troubleshooting on page 39. Configure validation of the KDC certificate KDCs validate that the client requesting authentication has possession of a valid digital certificate (not expired or revoked). However, to verify that the KDC s certificate is not revoked, and to ensure that the MFP/digital sender does not use an insecure Kerberos server for authentication, the remaining items listed in the Using PKINIT Authentication (Smart Card Authentication Only) section of the Kerberos Authentication page should be configured. The KDC certificate is received by the MFP/digital sender during the PKINIT handshake. It does not need to be stored on the MFP/digital sender. NOTE: The MFP/digital sender performs certificate revocation list (CRL) checking on the KDC's certificate only. Therefore, it is not necessary to install user CRLs during the configuration process. ENWW Configure the MFP/digital sender for Kerberos authentication 15

22 The MFP/digital sender supports two methods for validating the KDC s certificate: OCSP (Online Certificate Status Protocol) One or more OCSP responders can be used for validation. OCSP responders are contacted in the order entered. As soon as a good or bad response is received from a responder, no more responders are contacted. If all known OCSP servers are exhausted and no response is received, CRL checking commences if the check box for Perform CRL checking on the Kerberos Server certificate chain is selected. OCSP validation is the preferred method for validating the server s certificate. CRL (Certificate Revocation List) checking HP MFPs and digital senders support two different mutually exclusive modes for CRL checking. CRL distribution point (CDP) The CDP method assumes that the CRL is installed off the MFP/digital sender. In this case, the CDP referencing the CRL location must exist in the server's certificate, or the administrator must configure the MFP/digital sender with the location of the CRL. Only full CRLs (also known as base CRLs) are currently supported. Partitioned CRLs (also known as distributed or delta CRLs) are not supported. Local device CRL A full CRL is loaded onto the MFP/digital sender hard drive. NOTE: Because CRLs change often (sometimes daily), the local device CRL method requires a process to copy the updated CRL to the MFP/digital sender at regular intervals. For this reason, local MFP/digital sender CRLs are not recommended. To configure OCSP validation of the KDC certificate: 1. Using the HP Embedded Web Server, click on the Settings tab and then select Kerberos Authentication from the left menu bar. 2. In the Using PKINIT Authentication (Smart Card Authentication Only) section, click PKINIT Settings. 3. In the OCSP validation of Kerberos Server Certificate section, select the check box for Perform OCSP Validation on the Kerberos Server certificate chain. 4. Click Edit below the OCSP server certificates. 5. On the Load Certificate page, click Browse and locate the certificate file. 6. Click Load Certificate. 7. If the OCSP responder certificate is not a Root CA (self-signed), then continue to load all certificates in the OCSP responder trust chain. To configure CDP validation of the KDC certificate: 1. Using the HP Embedded Web Server, click on the Settings tab and then select Kerberos Authentication from the left menu bar. 2. In the Using PKINIT Authentication (Smart Card Authentication Only) section, click PKINIT Settings. 3. In the CRL validation of Kerberos Server Certificate section, select the check box for Perform CRL checking on the Kerberos Server certificate chain. 4. Select the CRL Distribution Point (CDP) check box. In many cases, this is all that is required, since the MFP/digital sender can get the location of the CRL from a location described by the CDP entries in the server's certificate. However, if the CRL 16 Chapter 2 Configuring the MFP/digital sender ENWW

23 cannot be obtained solely from the CDP information provided in the server's certificate, then the MFP/digital sender attempts to use the following fields to help locate a CRL: CDP Distinguished Name (DN) standard DN format LDAP Server IP address or hostname Port LDAP server port NOTE: Anonymous is the only LDAP Server Bind Method that is currently supported. To obtain the location of a CRL from the server certificate, the certificate must contain a CDP extension (specifically, one named CRL Distribution Points ). The extension must contain an LDAP URL (HTTP URLs and Directory Address formats, usually associated with delta CRLs, are not currently supported). If no LDAP URL exists, the MFP/digital sender attempts to locate the CRL using the CDP Distinguished Name, LDAP Server, and Port fields in the HP Embedded Web Server configuration page as previously described. If the entries exist in the HP Embedded Web Server fields, they override any corresponding values in any LDAP URL found in the CDP extension. The location of the CRL on the LDAP server must have the attribute: certificaterevocationlist The LDAP filter and LDAP scope, which are used internally and not configured using the HP Embedded Web Server, default to the following values if they are not specified in the CDP extension: filter: objectclass=* scope: base To configure local device CRL validation of the KDC certificate (not recommended): A script for delivering CRLs to the MFPs/digital senders in your organization is required. The script should run at regular intervals. Running the script at shorter intervals than the certificate expiration cycle is recommended. This ensures that if an MFP/digital sender misses an update due to maintenance or being powered off, it still has a chance to receive the update before the certificate expires. Before running the script, the administrator should ensure that PJL access to the file system is available. This means that the PJL password is not set and PJL disk access is enabled. For security reasons, it is recommended that PJL access to the file system should always be restricted by a password and that disk access be turned off except when executing scripts or commands to load objects onto the MFP/ digital sender. For more information on how to secure LaserJet devices, see the NIST Security Checklist available for download at checklists.nist.gov/repository/1087.html. (You can also search for the latest checklist at: checklists.nist.gov/ ) 1. Ensure that the script ran and loaded the CRL to the MFP/digital sender. Verify by printing a file system listing from the MFP/digital sender control panel. 2. In the Kerberos PKINIT Configuration section of the Kerberos Authentication page, select the Validate the Kerberos Server Certificate check box. 3. Enter the file location in the CRL URL(s) text box. This location is controlled by the script that pushes the CRL to the MFP/digital sender. 4. Click Apply. ENWW Configure the MFP/digital sender for Kerberos authentication 17

24 KDC Certificate Validation Test 1. Using the HP Embedded Web Server, click on the Settings tab and then select Authentication Manager from the left menu bar. 2. Verify that U.S. Gov't Smartcard v2.xx is selected from the Sign In At Walk Up drop-down list and click Apply. 3. Insert your Smartcard into the reader, enter the appropriate PIN on the control panel, and touch OK. If you authenticate successfully, then the correct certificates are properly installed. If you cannot authenticate, see OCSP/CRL troubleshooting on page Chapter 2 Configuring the MFP/digital sender ENWW

25 Configure authentication using the Smartcard accessory 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender. 2. Click the Settings tab. 3. On the left menu bar, click Authentication Manager. The Authentication Manager page is displayed. Figure 2-8 Authentication Manager page 4. Review each of the MFP/digital sender functions on this page. Select U.S. Gov't Smartcard v2.xx from the drop-down list next to each function for which Smartcard authentication is required. NOTE: When U.S. Gov't Smartcard v2.xx is selected from the Sign in at Walk Up drop-down list, all other functions are also restricted to Smartcard authentication. To require the authenticated user's address be used in the From field when sending , make sure that U.S. Gov't Smartcard v2.xx is selected from the Send to drop-down list. If U.S. Gov't Smartcard v2.xx is not listed on any of the drop-down lists, the HP Access Control Smartcard authentication upgrade is not installed. (see Upgrade the Smartcard and MFP/digital sender firmware on page 3 for more information.) 5. Click Apply. ENWW Configure authentication using the Smartcard accessory 19

26 Configure access to the network destination folders Configure the access options for each folder to Use Public Credentials, and then configure the public credentials with those of a known authorized user (such as an administrator account). 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender. 2. Click the Digital Sending tab. On the left menu bar, click Send to Folder. The Send to Folder page is displayed. Figure 2-9 Send to Folder page 3. Select Kerberos from the Authentication Setting drop-down list and click Apply. 4. Select a folder in the Predefined Folders list. NOTE: To select a folder, one or more network folders must already be configured. If you need to add a new folder, click Add under the Predefined Folders list, and complete the applicable fields. 20 Chapter 2 Configuring the MFP/digital sender ENWW

27 5. Click Edit. The Edit Shared Folder page is displayed. Figure 2-10 Edit Folder Access settings 6. In the Access Credentials drop-down list, select Use Device User's Credentials or Use Public Credentials. If Use Device User's Credentials is selected, then the MFP/digital sender uses the credentials of the current user to access the shared folder. If Use Public Credentials is selected, then the credentials that were specified during the configuration are used. 7. If Use Public Credentials was selected, type the appropriate values for a known authorized user in the Domain, Username, and Password text fields. 8. Click Test Folder Access to verify that the supplied credentials provide access to the folder. 9. Click OK. 10. Repeat the preceding steps for each folder in the Predefined Folders list. When the configuration is complete, the MFP/digital sender requires an authorized Smartcard in order to use the selected features. ENWW Configure access to the network destination folders 21

28 Configure LDAP access for address books When a user enters the send to screen, next to each recipient field ( To, Cc, Bcc ) is an address book icon. As the user types a recipient on the keyboard screen, the recipient name can be autocompleted. This auto-complete feature is enabled by specifying the LDAP addressing settings in the HP Embedded Web Server. 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender. 2. Click the Digital Sending tab. On the left menu bar, click LDAP Settings. The Addressing Settings page is displayed. Figure 2-11 LDAP addressing settings 3. Select the Allow Device to directly access an LDAP Address Book check box. 4. Select Kerberos Bind from the LDAP Server Bind Method drop-down list. 5. Enter the appropriate information in each of the applicable fields to configure the settings. 22 Chapter 2 Configuring the MFP/digital sender ENWW

29 NOTE: You should be able to use the same values used to configure LDAP access on the Kerberos page to configure the LDAP address settings. 6. Click Apply. The search root might need to be refined to return only LDAP records, which represent users in your organization. If entries are returned which do not contain an address or a display name, the MFP/digital sender considers the results invalid. The MFP/digital sender might not display any entries and may fail to auto-complete addresses that would otherwise work. Use the ldp tool (as described in the Kerberos setup guide Configuring Embedded Kerberos Authentication) to find the search root that returns only valid results from your LDAP server. NOTE: The Kerberos setup guide Configuring Embedded Kerberos Authentication comes bundled on the product CD and is available for download from HP at h20000.www2.hp.com/bc/docs/support/ SupportManual/c /c pdf LDAP performance can be severely impacted by the lack of DNS entries for referrals returned by your LDAP server. Unfortunately there is no indication on the MFP/digital sender that it is waiting for a referral. The best way to diagnose this situation is with a network trace. Configuring LDAP over SSL If your LDAP server allows binds over SSL only, then you must install the digital certificate for the LDAP server onto the MFP/digital sender and change the bind type to Simple over SSL or Kerberos over SSL. 1. Install the digital certificate for the LDAP server onto the MFP/digital sender. a. Start the HP Embedded Web Server and click the Networking tab. On the left menu bar, click Authorization. The Authorization page is displayed. b. Select the Certificates tab. The Certificates page is displayed. Figure 2-12 Network Authorization - Certificates ENWW Configure LDAP access for address books 23

30 c. In the CA Certificate section, click Configure. The Certificate Options page is displayed. Figure 2-13 Network Authorization - Certificate Options d. Make sure the Install CA Certificate option is selected and then click Next. The Install CA Certificate page is displayed. Figure 2-14 Network Authorization - Install CA Certificate e. Click Browse and search for the root CA certificate. Click Finish to install the specified certificate. 2. Change the bind type to Simple over SSL or Kerberos over SSL. a. On the LDAP settings page, change the bind type to Simple over SSL. b. Select Use Public Credentials and enter credentials for a service account which can be used to access the LDAP server. NOTE: Kerberos binds to the LDAP server also cause all communication to and from the LDAP server to be encrypted, even without the use of SSL. 24 Chapter 2 Configuring the MFP/digital sender ENWW

31 Configure Send to messages are digitally signed by default when Smartcard authentication is used. However, this can be changed on the advanced settings screen. 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender. 2. Click the Digital Sending tab. On the left menu bar, click Settings. The Addressing Settings page is displayed. Figure settings 3. Enter the appropriate information in each of the applicable fields to configure the settings. ENWW Configure Send to 25

32 4. Click the Advanced button. The Advanced Settings panel is displayed: Figure 2-16 Advanced settings 5. If signing is preferred for outgoing operations: a. Using the S/MIME Settings (Signed/Encrypted ) section, select Sign Message in the Digital Signature section. b. If signing is preferred but not required, select the Allow users to send unsigned messages check box. (If signing is required, do not select this check the box.) c. Using the S/MIME Settings (Signed/Encrypted ) section, select Do Not Sign Message in the Digital Signature section. d. If signing is not preferred but allowed, select the Allow users to send signed messages check box. (If signing is not allowed, do not select this check the box.) 6. If encryption is preferred for outgoing operations: a. Using the S/MIME Settings (Signed/Encrypted ) section, select Encrypt Message in the Encryption section. b. If encryption is preferred but not required, select the Allow users to send unencrypted messages check box. (If encryption is required, do not select this check the box.) c. Using the S/MIME Settings (Signed/Encrypted ) section, select Do Not Encrypt Message in the Encryption section. d. If encryption is not preferred but allowed, select the Allow users to send encrypted messages check box. (If encryption is not allowed, do not select this check the box.) To ensure that recipients of signed s can trust the associated digital signatures, install certificates in the signature chain onto the MFP/digital sender. Certificates must be installed on the MFP/ 26 Chapter 2 Configuring the MFP/digital sender ENWW

33 digital sender by clicking Edit in the Signed Certificate Chains section on the Kerberos Authentication page. If you use Microsoft Outlook and already have signed configured for your personal account, here is one way to gather certificates in your signature chain: 1. Send a signed to yourself. 2. Click on the certificate icon. 3. Click Details. 4. Click on the signer, and then click View Details. 5. Click View Certificate. 6. Click on the Certification Path tab. 7. For each certificate above yourself in the chain: a. Click View Certificate. b. Click on the Details tab. c. Click Copy To File. d. Export the file in DER or Base-64 format. e. Import the file into the MFP/digital sender. TIP: Once all required certificates related to the KDC, OCSP, and signing trust chain have been installed on the MFP/digital sender, these can be exported to a single file on the HP Embedded Web Server Kerberos Certificates page. This file can then be imported to another MFP/ digital sender. If you are using Simple over SSL for your LDAP binds, this certificate must be imported separately on the Networking tab. ENWW Configure Send to 27

34 28 Chapter 2 Configuring the MFP/digital sender ENWW

35 3 Normal use of the HP Access Control Smartcard After the firmware and hardware are installed and the MFP/digital sender is configured for HP Access Control Smartcard authentication, the MFP/digital sender restricts access according to the specified options. When a user attempts to use a Smartcard-restricted function, the following actions occur: 1. The MFP/digital sender prompts for a valid card to be placed in the Smartcard reader. The user places the card into the reader and leaves it there while using the MFP/digital sender. 2. The MFP/digital sender prompts for a personal identification number (PIN) before continuing. The user types the PIN on the number pad on the MFP/digital sender control panel, and then touches OK on the touchscreen. 3. The MFP/digital sender authenticates the user by accessing the Active Directory user attributes through a PKI version of the Kerberos authentication protocol. When authentication is complete, the MFP/digital sender provides access to the selected function. If the user types an incorrect PIN, the MFP/digital sender prompts for the number again. If the user enters the wrong PIN three times, the Smartcard is disabled and no longer usable. ENWW 29

36 30 Chapter 3 Normal use of the HP Access Control Smartcard ENWW

37 4 Troubleshooting NOTE: For the most current troubleshooting information regarding this product, go to: support/usdodsmartcard. NOTE: For additional information on configuring Kerberos authentication refer to the Configuring Embedded Kerberos Authentication guide. It comes bundled on the product CD and is available for download from HP at h20000.www2.hp.com/bc/docs/support/supportmanual/c / c pdf If you are experiencing an issue that is not documented here or the steps here do not resolve the issue, contact HP support. ENWW 31

38 General troubleshooting 49.4c18 error displays when restarting device An unsupported firmware version is installed on the device. The authentication upgrade was installed on the device without the correct firmware. To enable the device to boot to Ready after this message has appeared: CAUTION: The following procedure is for resolving the 49.4c18 error only and is not recommended for any other operation of the device. 1. Turn the device off and back on. 2. Hold down the 9 key during the memory test. 3. After all 3 LEDs are a solid color, release 9 key and then press and release the 3 key. 4. Press and release the Start key. The device should now say SKIP DISK LOAD. 5. Press and release the 6 key. 6. The device should then proceed to boot to ready. Smartcard authentication does not work after performing a Secure Storage Erase or Disk Init on the MFP/digital sender. Performing a Secure Storage Erase or Disk Init erases information that is critical for the Smartcard authentication to work. The entire HP Access Control Smartcard installation and configuration must be completed again. This includes reinstalling the authentication upgrade and performing all of the necessary HP Embedded Web Server configuration steps. Refer to Installation on page 1 and Configuring the MFP/digital sender on page 7 for instructions. MFP/digital sender authentication is working, but remote features such as Send to and LDAP lookup are not. The MFP/digital sender clock is out of sync with the server clock. The DNS lookup zone is not properly configured. Kerberos Realm names are not listed in upper case. Clients and servers must be synced to within 5 minutes of each other. Either configure both the MFP/digital sender and the KDC server to use the same NTP server, or configure the MFP/ digital sender to use the KDC server as the clock drift correction server. Hostnames must be used for all Kerberos and SSL servers. Verify that the servers listed in the HP Embedded Web Server for Kerberos, Send to Folder, and LDAP addressing configuration are listed as hostnames and not IP addresses. Check the Kerberos configuration in the HP Embedded Web Server and verify that all Realm names specified are listed in upper case. 32 Chapter 4 Troubleshooting ENWW

39 Error: No card detected when using a valid Smartcard If the Smartcard is valid then the mechanical switch on the card reader may have failed. Replace the card reader. Error: Please insert a valid card when using a valid Smartcard If the Smartcard is valid then the card contacts on the reader may have failed. Replace the card reader. The configured device no longer recognizes the Smartcard. An incorrect PIN for the Smartcard has been entered successively three or more times. After entering an incorrect PIN successively three or more times, the Smartcard is disabled as a security measure. Once a Smartcard is disabled, it must be replaced. ENWW General troubleshooting 33

40 Kerberos troubleshooting Error message: Authentication Failed: Kerberos server not available. Please contact the administrator. The Kerberos server hostname was not entered correctly or is not a valid hostname. To determine if the hostname is valid, open a Windows command shell and type: ping <kerberos hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname. The DNS settings on the device are not correct. To determine if the device s DNS settings are not correct, try using the IP address of the Kerberos server instead of a hostname. Open a Windows command shell and type: nslookup <kerberos hostname>. The nslookup command should return the name of the DNS server that resolved the Kerberos host and the IP address of the host. Try entering the Kerberos server IP address on the settings page and performing authentication again. If this works, then open the HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command. The Kerberos server is powered off or not reachable. The host is not a valid Kerberos server. If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server. If the host is a valid Kerberos server, it should accept connections through port 88. Open a Windows command shell, type: telnet <kerberos hostname> 88. If the telnet command returns Connecting To <host> Could not open connection to the host, or port 88: Connect failed, then the host is not a valid Kerberos server. If the window becomes blank, then it is accepting connections on port 88. Most likely the device network settings are not correct or the device is not operating correctly. Error message: Authentication Failed: Realm not recognized. Please contact the administrator. or Authentication Failed: Kerberos server not available for provided domain. Please contact the administrator. The domain field is not correct for the server that is being contacted. If the hostname for the server were ad1.technical.marketing, then the realm name is probably TECHNICAL.MARKETING. If you have followed the procedure for finding the default realm from the Configuring Embedded Kerberos Authentication guide and it does not work, try this alternative method for discovering the domain: 1. On the Windows desktop, click Start, then right-click on My Computer and select Properties. 2. Select the Computer Name tab. 3. Copy the value in the Domain field to the Kerberos Default Realm field on the device. NOTE: letters. The Domain name must be entered in all capital 34 Chapter 4 Troubleshooting ENWW

41 Error message: Authentication Failed: Device time not synchronized with server. Set correct time, then turn device off and back on. The device clock is offset more than five minutes from the Kerberos server. The Kerberos protocol requires that the device performing authentication is nearly synchronized with the Kerberos server, in order to prevent replay attacks. On the device control panel press Administration, then press Time/Scheduling, then press Date/Time. Use the control panel keys to change the time. After changing the time setting, turn the device off and back on for the change to take effect. The device s Network Time Protocol (NTP) server is reporting a different time from the KDC time. The device uses the NTP server to determine if the device is in a different time zone than the KDC and if the time stamp reported by the device to the KDC should be adjusted by half hour increments. Most KDC servers are also hosting a NTP service, so try setting your NTP server to the same hostname as your Kerberos server. 1. Start the HP Embedded Web Server and select the Settings tab. 2. On the left menu bar, click Date & Time, then click Clock Drift Correction. 3. Copy the value from the Kerberos Server text box on the Kerberos Settings page into the Network Time Server Address text field. After changing your NTP setting, turn the device off and back on for the change to take effect. NOTE: Because of the NTP adjustment, the time zone and daylight savings settings on the device do not affect the time reported by the device. Error message: Login failed. Please try again Incorrect credentials were entered, or the user is unknown on the server to which you are authenticating. Verify that the user is authorized and using valid credentials. Error message: Authentication Failed: Kerberos LDAP server not configured. Please contact the administrator. or any other LDAP related error The settings under Accessing the LDAP Server are not correct. See the Configuring Embedded Kerberos Authentication guide for help in determining your organization s LDAP configuration. See LDAP server troubleshooting on page 37 for other possible issues. ENWW Kerberos troubleshooting 35

42 Error message: Authentication Failed: Error code XXXXX Unknown Contact HP support 36 Chapter 4 Troubleshooting ENWW

43 LDAP server troubleshooting Error message: LDAP bind at server X failure: Server down The LDAP server hostname was not entered correctly or is not a valid hostname. To determine if the hostname is valid, open a Windows command shell and type: ping <LDAP hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname. The DNS settings on the device are not correct. To determine if the device s DNS settings are not correct, try using the IP address of the LDAP server instead of a hostname. Open a Windows command shell and type: nslookup <LDAP hostname>. The nslookup command should return the name of the DNS server that resolved the LDAP host and the IP address of the host. Try entering the LDAP server IP address on the settings page and performing authentication again. If this works, then open the device's HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command. The LDAP server is powered off or not reachable. The host is not a valid LDAP server. If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server. If the host is a valid LDAP server, it should accept connections through port 389 or Open a Windows command shell, type: telnet <LDAP hostname> 389. If the telnet command returns Connecting To <host> Could not open connection to the host, or port 389: Connect failed, then the host is not a valid Kerberos server. If the window becomes blank, then it is accepting connections on port 389. Most likely the device network settings are not correct or the device is not operating correctly. Error message: LDAP bind at server X failure: Local error A DNS reverse lookup zone for your LDAP server s IP address is not configured. To confirm this, open a Windows command shell and type: nslookup <IP address of host>. If the nslookup command returns the correct hostname, then the reverse DNS zone is configured correctly. If the nslookup command does not come back with the correct hostname, the DNS administrator needs to add a reverse lookup zone to resolve the issue. An unhandled error has occurred on the device and is preventing it from operating correctly. Try rebooting the device. ENWW LDAP server troubleshooting 37