CAC/PIV PKI Solution Installation Survey & Checklist



Similar documents
Smart Card Authentication. Administrator's Guide

AU-211P CAC/PIV Solution. Network Configuration Guide

PKI-Enabled Device. Installation and Configuration Guide

Smart Card Authentication Client. Administrator's Guide

Authentication Unit AU-211P User s Guide

Setting Up Scan to SMB on TaskALFA series MFP s.

F-Secure Messaging Security Gateway. Deployment Guide

PKI-Enabled MFP. Installation and Configuration Guide

Simple Scan to Setup Guide

Smart Card Installation and Configuration Guide

WirelessOffice Administrator LDAP/Active Directory Support

HP Access Control Smartcard Solution

bizhub C3850/C3350 USER S GUIDE Applied Functions

User s Guide. Security Operations Ver. 1.02

PineApp Surf-SeCure Quick

Embedded Web Server Security

User s Guide [Security Operations]

Contents. 2 Pre-installation checklist

Configuration Network Management Card-2

Embedded Web Server Security

Quality of Service (bandwidth limitation): Default is 2 megabits per second.

Advanced Administration

Scan Features Minimum Requirements Guide WorkCentre M123/M128 WorkCentre Pro 123/ P42081

Installing and Configuring vcenter Support Assistant

Quick Scan Features Setup Guide

PageScope Enterprise Suite

Configuring Sponsor Authentication

System Administration Guide Xerox WorkCentre 4250/4260 Series

KM-1820 FS-1118MFP. Network Scanner Setup Guide

Canon WFT-E1 (A) Wireless File Transmitter. Network Support Guide

efficient workflow security capability streamlined productivity SOFTWARE SOLUTIONS

V Series Rapid Deployment Version 7.5

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

READYNAS INSTANT STORAGE. Quick Installation Guide

Click Studios. Passwordstate. Installation Instructions

Version /12. Xerox Smart Card. Xerox WorkCentre 7755/7765/ 7775 Xerox ColorQube 9201/9202/9203 Xerox ColorQube 9301/9302/9303

ecopy ShareScan v4.3 Pre-Installation Checklist

KM-1820 FS-1118MFP. Network Scanner Setup Guide

Click Studios. Passwordstate. Installation Instructions

Customer Tips. Basic Configuration and Troubleshooting. for the user. Overview. Basic Configuration. Xerox Multifunction Devices.

Administering the Web Server (IIS) Role of Windows Server

Polycom RealPresence Resource Manager System Getting Started Guide

SET UP AND OPERATION GUIDE

Virtual Managment Appliance Setup Guide

Device Log Export ENGLISH

KM Embedded. Configuration Guide. AIT Ltd 2 Hawthorn Park Coal Road Leeds LS14 1PQ UK

ReadyNAS Setup Manual

Configuring the WT-4 for ftp (Ad-hoc Mode)

Virtual Web Appliance Setup Guide

VMware Identity Manager Connector Installation and Configuration

MS 10972A Administering the Web Server (IIS) Role of Windows Server

LDAP Operation Guide

10972-Administering the Web Server (IIS) Role of Windows Server

Installing, Uninstalling, and Upgrading Service Monitor

Quick Scan Features Setup Guide. Scan to Setup. See also: System Administration Guide: Contains details about setup.

Setting up Scan to

PageScope Router. Version 1.5. Configuration Guide

Active Directory 2008 Implementation. Version 6.410

How to Configure an Initial Installation of the VMware ESXi Hypervisor

Software installation and configuration IEC-line series

It should be noted that the installer will delete any existing partitions on your disk in order to install the software required to use BLËSK.

The Mac OS X Server Essentials v10.5 Exam Skills Assessment Guide

FTP, IIS, and Firewall Reference and Troubleshooting

Administration guide. Océ LF Systems. Connectivity information for Scan-to-File

FileCruiser. VA2600 SR1 Quick Configuration Guide

Administrator Guide. v 11

Network Storage System with 2 Bays

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

Setting Up Your FTP Server

Customer Tips. Configuration and Use of the MeterAssistant Option. for the user. Purpose. Xerox Device Configuration. Xerox Multifunction Devices

NETASQ SSO Agent Installation and deployment

Secure . Administrator's Guide

Comodo MyDLP Software Version 2.0. Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

efficient workflow security features streamlined productivity SOFTWARE SOLUTIONS

Configuring the WT-4 for ftp (Infrastructure Mode)

MULTIFUNCTIONAL DIGITAL SYSTEMS. Operator s Manual for AddressBook Viewer

Configuring the WT-4 for ftp (Ad-hoc Mode)

Introduction to the EIS Guide

SevOne NMS Download Installation and Implementation Guide

Scanning Guide for Current Colour Machines

Dual Bay Home Media Store. User Manual

User s Guide [Network Administrator]

Before deploying SiteAudit it is recommended to review the information below. This will ensure efficient installation and operation of SiteAudit.

CONTENTS. Contents > 3

Administrator's Guide

Cyber-Ark Software. Version 4.5

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

Skyward LDAP Launch Kit Table of Contents

LAN TCP/IP and DHCP Setup

Digitus DN / DN / DN-13018

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

CONTENTS. 1. Outline of how to use.1 2. How to setup each step...1

Plunder Pillage & Print

Xerox WorkCentre 7220/7225 Color Multifunction Printer Xerox ConnectKey 1.5 Technology System Administrator Guide

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Customer Tips. Configuring Color Access on the WorkCentre 7328/7335/7345 using Windows Active Directory. for the user. Overview

Black & White Scanning Guide

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Scan to Network and Scan to Network Premium. Administrator's Guide

Transcription:

CAC/PIV PKI Solution Installation Survey & Checklist Konica Minolta CAC/PIV Solution Revision: 1.3 Date: 10/19/09

1 Document Overview This document must be completed and used as a checklist or questionnaire prior to the installation of a Konica Minolta PKI Solution. The intent is to gather all the network and security information necessary to configure the PKI solution on the Multi-Function Printer (MFP). The data collected in this guide will greatly enhance the installation procedure. 1.1 PKI/Active Directory (AD) Solution The Konica Minolta PKI Solution allows a user to authenticate against Active Directory using a Common Access Card (CAC) or a Personal Identification Verification (PIV) card (as used by the Department of Defense or the US Government). This solution consists of: PKI Authentication via Active Directory Scan to Email Scan to Me Scan To Network Folder Scan to Home PKI Card Print The PKI Solution can secure the entire MFP where authentication is needed to use any feature or it can secure those features that touch the network; Scan to Email, Scan to Network Folder, FTP, etc. 1.2 Supported PKI Solution Features and Functions for this install Please check all the features and options that will be required within your network. PKI Authentication via Active Directory Scan to Email via Scan to Me (Active Directory provided) Scan to Email via LDAP name search Scan to Email via Adhoc name entry (manual entry of any email address) Scan to Network Folder SMB Scan to Me (Active Directory provided user email address) Scan to Home (Active Directory provided network folder path) Scan to FTP Scan to WebDAV Fax OCSP Responder/Repeater (IP Address/URL) Email with Digital Signature Email with Encryption PKI Card Print Public Access to functions without CAC/PIV card authentication Copy Allow Scan Allow

1.2 Network Port Access This MFP will need to access the network via several ports. The following table lists the default ports needed based on the features that are used. Port Protocol Required by which Feature 25 SMTP Scan to Email 53 DNS DNS Lookups 80 Web Web Configuration / OCSP Validation 88 Kerberos Active Directory Authentication 389 LDAP (non-ssl) Email Address / Home Directory LDAP Lookup 445 Windows File Sharing Scan To Network 636 LDAP (SSL) Email Address / Home Directory LDAP Lookup 1.3 Key IT/Network Contacts It will be helpful to identify the appropriate people on-site that can be contacted for assistance during the CAC/PKI installation. Administrator Name Phone Active Directory Network Tumbleweed/OCSP Email Information Assurance Officer 1.4 USB Flash Drive Policy Please describe the current policy for USB Flash Drive usage. The loadable drivers for our CAC/PIV card Reader are installed via a USB Flash Drive.

2 Basic Network Configuration This section is required to setup the MFP on the network. If the MFP has already been added to the network, please complete this section so that this information can be used as needed during the CAC/PKI installation. Active Directory User Authentication Yes No explain Is SSL required for Authentication Yes No 2.1 IP Address This MFP can be configured to acquire an IP Address via DHCP or a static IP Address can be assigned to it. Which method is preferred? DHCP Static IP Address If using a static IP Address, the following information is needed: IP Address for the MFP: IP Address of the Gateway: Subnet mask: 2.2 DNS Servers In order for this MFP to function correctly on the network it will need to resolve DNS names. Please provide the IP Address for the following servers: Primary DNS Server: Backup DNS Server (optional): 2.3 Time Server In order for the MFP to authenticate, its time must be synced with the domain controller. Time Server (NTP) NO Time Server (NTP) IP Address : 2.4 Domain Names The Default Domain Name is required to resolve DNS names. Provide the appropriate domain names: 1. Primary Domain Controller Host Name: 2. Secondary Domain Host Controller Name: 3. The Fully Qualified Domain Name: The fully Qualified Domain Name is required. This is the fully qualified name of your primary authentication server.

2.5 Default LDAP Configuration The MFP supports a default LDAP configuration, if LDAP is needed complete this section. LDAP Required LDAP w/ssl Required LDAP NOT Required 1. IP address or name of a LDAP directory IP Address or Name: 2. Port used to communicate with the LDAP server. Typically this is 389 for non-ssl connections; 636 for SSL connections. Port: 3. If SSL is required to communicate with the server, then the LDAP Server s SSL certificate will need to be installed on the device. SSL is not required SSL is required Certificate: Please have file ready at install time. If SSL is used, then the fully qualified domain name (instead of just the IP Address) needs to be used in item 1. 4. If using SSL, the LDAP Certification Validation method must be selected. If not using SSL, you can skip this step. The available validation methods are: Never Allow Try Demand Never The certificate will not be requested or checked. A certificate will be requested. If provided, it will be checked, but invalid certificates will be ignored. A certificate will be requested. If a certificate is provided, it must be valid. If a certificate is not provided, no error will occur. A certificate will be requested. If the certificate is not provided, or is invalid, the LDAP connection will be terminated. Select the validation method: Never Allow Try Demand 5. Base name for search. This defines the section of the LDAP directory in which to start the search. The value is typically something like dc=branch,dc=mil. Search Base: 6. Search Timeout. The timeout in seconds after which the search is cancelled. Valid values are 5 to 300 seconds. The default of 30 seconds is recommended. Search Timeout: seconds 7. Maximum Search Results. The maximum number of search results to be displayed to the user. Valid values are 5 to 500 results. The default value of 100 is recommended. Maximum Search Results:

8. Access rights needed to access the LDAP directory. The device supports anonymous binding, the authenticated user s credentials, or a service account using a Distinguished Name and password. Anonymous User s Credentials (Cannot be used in Pin Only mode) Service Account Distinguished Name: Password: To be provided at installation 2.6 Email Server Setup The Email Server Settings are needed to use the scan to email function of the MFP. 1. IP Address or Hostname of SMTP Server and the port used (typically 25). A primary and secondary address can be specified. IP Address or Name: Port: IP Address or Name: Port: 2. SMTP servers may require some type of authentication before allowing an email to be sent. Select the authentication required by the SMTP Server. Anonymous User s Credentials Service Account Distinguished Name: Password: 3. All emails sent from the device will have a default subject that can be changed (if allowed) by the user. A suggested default is: Scanned Document. Default Email Subject: 4. All emails sent from the device will have a default message that can be changed (if allowed) by the user. A suggested default is: Please see the attached document. Default Email Message: 2.6.1 Scan to Me email option Scan to Me is an option that restricts a user to emailing only to their own email address as defined in Active Directory. When this function is enabled the users email address appears in the email address field on the MFP automatically. 1. Should this feature be enabled at MFP setup? Enabled Disabled

2.6.2 Email Encryption Emails can only be encrypted when the encryption certificate can be found for each of the recipients this limits encrypted emails to those users in the global address book. The encryption certificate on the card (if available) is used for the authenticated user if he/she sends email to his/herself. 1. This feature can be always disabled, always enabled, or the user can select this setting manually; Always Disabled Always Sign 2. When the email is both signed and encrypted, it can be signed once or twice. When signed twice, the email is signed, encrypted, and then the resulting message is signed again. Choosing the double-signing methods reduces the maximum allowed email size to approximately 15MB. Which method should be used? Sign and Encrypt Sign and Encrypt and Sign Again 3. The LDAP configuration designated for the Address Book Lookup in section 5.5 is used for searching for the encryption certificates. A primary and alternate LDAP attribute can be specified for the location of the user s certificates. The defaults are usersmimecertificate and usercertificate, respectively. If different attributes should be used, specify below. Primary LDAP Attribute: Alternate LDAP Attribute: 2.7 Scan to Network Folder Configuration The PKI Scan To Network Folder provides the ability to scan pages and store the resulting image onto a network fileshare. 2.7.1 General Settings IP Address where shared file is located: Host Name where shared file is located: File Share Name: UNC Path: 2.7.2 Scan to Home option Scan to Home is an option that restricts a user s ability to scan. The user will only be able to scan to a designated network folder as defined in Active Directory. Should this feature be enabled at MFP setup? Enabled Disabled

2.8 Domain Controller Certificates Please have copies of the Root CA, Sub CA and OCSP certificates available at the time of installation. 2.8.1 Security Certificates Root CA Sub CA OCSP MUST be provided by on-site IT at time of install MUST be provided by on-site IT at time of install MUST be provided by on-site IT at time of install 2.9 OCSP Responder/Repeater Information 2.9.1 OCSP Server Validation Authority URL: Server IP Address: Is a Proxy Server used? IP Address: Additional Notes: