HP Access Control Smartcard for U.S. Government Administrator's Guide
Copyright information
© 2009 Copyright Hewlett-Packard Development Company, L.P.
Reproduction, adaptation or translation without prior written permission is prohibited, except as allowed under the copyright laws. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Edition 2, 11/2009
Trademark credits
Microsoft and Outlook are U.S. registered trademarks of Microsoft Corporation.
Table of contents
1 Installation
  Upgrade the device firmware ... 2
    Supported devices ... 2
    Enable remote firmware upgrades ... 2
    Upgrade the Smartcard and MFP/digital sender firmware ... 3
  Install the hardware ... 6
2 Configuring the MFP/digital sender
  Configure the IPv4 settings ... 8
  Configure the MFP/digital sender for Kerberos authentication ... 10
    Accessing the Kerberos Authentication page ... 10
    Enter the Kerberos authentication information ... 11
    Accessing the LDAP server ... 12
    Install the Kerberos Server Root Certificate Authority Certificate ... 13
    Configure validation of the KDC certificate ... 15
  Configure authentication using the Smartcard accessory ... 19
  Configure access to the network destination folders ... 20
  Configure LDAP access for address books ... 22
    Configuring LDAP over SSL ... 23
  Configure Send to E-mail ... 25
3 Normal use of the HP Access Control Smartcard
4 Troubleshooting
  General troubleshooting ... 32
  Kerberos troubleshooting ... 34
  LDAP server troubleshooting ... 37
  PKINIT troubleshooting ... 39
  OCSP/CRL troubleshooting ... 41
  E-mail troubleshooting ... 45
Appendix A Licenses
  Heimdal Kerberos 5 ... 48
  OpenSSL ... 51
Appendix B Warranty Service
  Hewlett-Packard Limited Warranty Statement ... 53
  Customer self repair warranty service ... 54
1 Installation
Use this section to upgrade the HP Access Control Smartcard firmware (if required) and then install the Smartcard reader.
  Upgrade the device firmware
  Install the hardware
Upgrade the device firmware
This section provides instructions for upgrading the firmware on the MFP/digital sender so that it works with the HP Access Control Smartcard for U.S. Government. You must have the correct MFP/digital sender Internet Protocol (IP) address to install the firmware. Obtain the IP address of the MFP/digital sender by printing a configuration page or by using the control panel. See the MFP/digital sender user guide for instructions. Make sure that the MFP/digital sender is connected to the network, turned on, and in the Ready state.
  Supported devices
  Enable remote firmware upgrades
  Upgrade the Smartcard and MFP/digital sender firmware
Supported devices
The following HP MFPs/digital senders are supported.
NOTE: HP recommends that you upgrade your MFP/digital sender to the latest firmware version and the corresponding authentication agent. (You download the upgrades from the HP Access Control Smartcard Web site.) For more information, see Upgrade the Smartcard and MFP/digital sender firmware on page 3.
  HP Color LaserJet: CM3530, CM4730, CM6030/6040
  HP Digital Sender: DS9250C
  HP LaserJet: M3035, M4345, M5035, M9040/M9050
Enable remote firmware upgrades
If you are upgrading the firmware (recommended), the MFP/digital sender might already be configured with the recommended security settings, which disable remote firmware upgrades. Use the following instructions to enable the option for the duration of the upgrade. Because this option lets the device accept firmware and agent files over its FTP service, disable it again as soon as the upgrade is complete.
NOTE: The instructions are for an HP LaserJet M3035. Your MFP/digital sender might access this option differently. For complete instructions about accessing the Remote Firmware Upgrade option, see the MFP/digital sender user guide.
1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.
NOTE: The recommended security settings typically disable browser access to the HP Embedded Web Server. If the HP Embedded Web Server page does not display, enable access using HP Web Jetadmin. For more information, see the MFP/digital sender user guide.
2. Click the Settings tab. Enter the administrator password if you are prompted for administrator credentials.
3. On the left menu bar, click Security.
4. On the Device Security Settings page, scroll down to the Options for Services section.
5. Verify that the Remote Firmware Upgrade check box is selected.
Figure 1-1 Enable Remote Firmware Upgrade option in the EWS
6. Click Apply and close the browser window.
NOTE: To maintain the recommended security settings, disable the setting again after upgrading the firmware on the MFP/digital sender.
Upgrade the Smartcard and MFP/digital sender firmware
HP recommends that you upgrade your MFP/digital sender with the latest authentication agent and the corresponding firmware version. (You must have Internet access to download the files to your computer.) The upgrade consists of an authentication agent file (.pjl), which installs the Smartcard authentication agent on the device, and a firmware image file (.rfu), which allows the MFP/digital sender to detect and use the Smartcard reader. Download both files from the HP Access Control Smartcard Web site.
To download the firmware upgrades:
1. Start a supported Web browser.
2. Go to the following URL: www.hp.com/go/smartcard_firmware
3. First, download the authentication agent file:
  a. Go to the Software section and click Download.
  b. When the File Download Security Warning is displayed, click Run and run the usgovt_auth_agent_v2.xx.exe file.
  c. When the Self-Extractor window is displayed, click Browse to select a temporary folder to unzip the file, or use the default (C:\Temp\AuthAgent), and click Unzip. The file named usgovt_auth_agent_v2.xx.pjl is extracted to the selected folder.
4. If you need to download the firmware upgrade image for your MFP/digital sender:
  a. Go to the Software section and click Smartcard Authentication Agent and Required Firmware.
  b. Select your MFP/digital sender from the list (for example, HP LaserJet M5035mfp Firmware).
  c. Use the Description field to locate the correct operating system for your MFP/digital sender and click Download.
  d. When the File Download Security Warning is displayed, click Run and select the file (for example, ljm5025 35mfpfw_win_48.xxx.x.exe).
  e. When the Internet Explorer Security Warning window is displayed, click Run.
  f. Click Browse to choose a folder, or use the default (for example, C:\HP_M5025 M5035_printer_rfu_xx.xxx.x), and click Extract. The files are extracted to the selected folder.
To copy the files to the MFP/digital sender using FTP, use the following steps. If the necessary firmware is already installed, copy only the .pjl file and skip steps 7 and 8.
1. Open a command prompt window: click Start, click Run, type cmd at the Run prompt, and then press Enter.
2. Type the following command, using the IP address of the MFP/digital sender: ftp <MFP IP address> (example: ftp 192.168.0.90). Press Enter. A prompt is displayed for the user name.
3. By default, neither a user name nor a password is required for FTP access to the MFP/digital sender. Press Enter at the user name and password prompts. An FTP> prompt is displayed. (Anyone who can reach this port can push a firmware image while remote firmware upgrade is enabled, which is why the option should stay enabled only for the duration of the upgrade.)
4. Type bin and press Enter to switch to binary transfer mode. The FTP prompt is displayed again.
5. Use the FTP put command to copy the .pjl file to the MFP/digital sender. Type the following command, using the path to the location of the file: put <path of the file> (for example: put C:\Temp\AuthAgent\usgovt_auth_agent_v2.xx.pjl).
6. Press Enter. Text in the command window indicates that the FTP copy is in progress.
7. Use the FTP put command to copy the .rfu file to the MFP/digital sender. Type the following command, using the path to the location of the file: put <path of the file> (for example: put C:\HP_M5025 M5035_rfu_xx.xxx.x\ljM5025 35mfpfw_xx_xxx_x.rfu).
8. Press Enter. Text in the command window indicates that the FTP copy is in progress. When the file is copied, the control panel displays Performing Upgrade and then the MFP/digital sender restarts.
9. After the files are copied, type bye and press Enter. The session ends.
If the firmware on the MFP/digital sender is already current and only the .pjl file was installed, restart the MFP/digital sender manually; U.S. Gov't Smartcard v2.xx does not appear on the Authentication Manager page until the device has restarted.
NOTE: After installing the firmware upgrade, print a configuration page from the MFP/digital sender to verify that the new firmware version is installed. See the MFP/digital sender user guide for information about how to print a configuration page.
To verify that the HP Access Control Smartcard authentication and firmware upgrades were installed correctly, start the HP Embedded Web Server, click the Settings tab, and then click Authentication Manager on the left menu bar. Click a Sign In Method for any of the device functions. If the authentication upgrade installed correctly, the sign-in methods include U.S. Gov't Smartcard v2.xx as a selection.
CAUTION: A 49.4c18 error might occur when the MFP/digital sender restarts. The most common cause of this error is installing the Smartcard authentication (.pjl) upgrade and restarting without the necessary firmware (.rfu) installed. For more information, see Troubleshooting on page 31.
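The FTP procedure above, automated so that it can be repeated across a fleet of devices: this is an added example written for this guide, not HP tooling. It encodes the ordering the steps describe (.pjl first, then .rfu, binary mode throughout) and refuses the combination the CAUTION warns about, an agent upload with no firmware image unless the operator confirms the firmware is already current. It assumes the device still has the blank-credential FTP service described in step 3 and that Remote Firmware Upgrade is enabled; the address 192.168.0.90 and the file paths in the demo are the guide's own placeholders.

```python
"""Push the Smartcard authentication agent (.pjl) and the matching firmware
image (.rfu) to an MFP/digital sender over FTP, in the order the guide uses.

Added example for this guide, not HP tooling. Assumes the device exposes the
default FTP service with blank credentials and that Remote Firmware Upgrade
is enabled in the EWS; host names and file paths are placeholders.
"""
import ftplib
import os
from typing import Callable, List, Optional


class UpgradePlanError(ValueError):
    """The requested file set would leave the device in the state the
    guide's CAUTION warns about: agent installed, required firmware missing."""


def plan_upload(pjl_path: str, rfu_path: Optional[str], firmware_current: bool) -> List[str]:
    """Return the files to push (.pjl first, then .rfu) or raise.

    The guide says the usual cause of a 49.4c18 error is installing the .pjl
    agent and restarting without the required .rfu firmware, so the agent is
    only pushed on its own when the operator confirms (for example from a
    printed configuration page) that the firmware is already at the required
    version.
    """
    if not pjl_path.lower().endswith(".pjl"):
        raise UpgradePlanError(f"authentication agent must be a .pjl file: {pjl_path}")
    if rfu_path is None:
        if not firmware_current:
            raise UpgradePlanError(
                "no .rfu image given and firmware not confirmed current; "
                "pushing the .pjl alone risks a 49.4c18 error on restart")
        return [pjl_path]
    if not rfu_path.lower().endswith(".rfu"):
        raise UpgradePlanError(f"firmware image must be an .rfu file: {rfu_path}")
    return [pjl_path, rfu_path]


def upload(host: str, files: List[str],
           ftp_factory: Callable[..., ftplib.FTP] = ftplib.FTP,
           user: str = "", password: str = "", timeout: float = 60.0) -> List[str]:
    """Log in, switch to binary mode (the 'bin' command in the guide) and
    STOR each file. Returns the server's reply to each command so the caller
    can log it. ftp_factory is injectable so the transfer logic can be
    exercised against a fake without a device on the network.

    ftplib substitutes the user name 'anonymous' for an empty user name; the
    device described in the guide accepts blank credentials either way.
    """
    replies: List[str] = []
    ftp = ftp_factory(host, timeout=timeout)
    try:
        replies.append(ftp.login(user, password))
        replies.append(ftp.voidcmd("TYPE I"))
        for path in files:
            with open(path, "rb") as fh:
                replies.append(ftp.storbinary(f"STOR {os.path.basename(path)}", fh))
    finally:
        try:
            ftp.quit()  # the device restarts after the .rfu, so QUIT may fail
        except (EOFError, OSError, ftplib.Error):
            ftp.close()
    return replies


def upgrade_device(host: str, pjl_path: str, rfu_path: Optional[str],
                   firmware_current: bool = False, **kwargs) -> List[str]:
    """Plan, then perform, the upload. Disable Remote Firmware Upgrade in
    the EWS again once this returns."""
    return upload(host, plan_upload(pjl_path, rfu_path, firmware_current), **kwargs)


if __name__ == "__main__":
    # Placeholder host and paths; the 'xx' version fragments are the guide's own.
    for reply in upgrade_device("192.168.0.90",
                                r"C:\Temp\AuthAgent\usgovt_auth_agent_v2.xx.pjl",
                                r"C:\HP_M5025 M5035_rfu_xx.xxx.x\ljM5025 35mfpfw_xx_xxx_x.rfu"):
        print(reply)
```

Run it with both files for a device on old firmware, or with rfu_path=None and firmware_current=True after a configuration page has confirmed the firmware version; in the second case the device still needs the manual restart described above before the new sign-in method appears.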
Install the hardware
1. Plug the Smartcard reader into the external universal serial bus (USB) port on a supported MFP/digital sender.
NOTE: If a label covers the USB port on the MFP/digital sender, remove the label before plugging in the Smartcard reader.
2. Attach the Smartcard reader to an appropriate location on the MFP/digital sender. Ensure that the USB cable from the Smartcard reader does not interfere with any other functions of the MFP/digital sender.
3. Restart the MFP/digital sender.
4. Print a configuration page to verify that the MFP/digital sender recognizes the installed Smartcard reader. If it is installed correctly, the Smartcard reader is listed as MFP Smart Card in the USB Accessories section of the configuration page.
2 Configuring the MFP/digital sender
After the HP Access Control Smartcard firmware and hardware are installed, the MFP/digital sender is ready to configure. This chapter provides information about the following topics:
  Configure the IPv4 settings
  Configure the MFP/digital sender for Kerberos authentication
  Configure authentication using the Smartcard accessory
  Configure access to the network destination folders
  Configure LDAP access for address books
  Configure Send to E-mail
Configure the IPv4 settings
1. Open a supported Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.
2. Click the Settings tab.
3. On the left menu bar, click Configure Device. The Configure Device page is displayed.
Figure 2-1 Configure Device page
4. From the menu on the main page, navigate to the IPv4 settings: click Initial Setup, click Networking and I/O, click Embedded Jetdirect, click TCP/IP, and then click IPV4 Settings.
Figure 2-2 Access the IPV4 settings
5. Scroll down to the IPV4 SETTINGS section.
Figure 2-3 IPV4 options
6. Type the IP address of the Kerberos server in the Primary DNS text box. The MFP/digital sender must be able to resolve the Kerberos and LDAP server hostnames you enter later; in an Active Directory environment the domain controller that acts as the KDC normally also runs DNS, which is why its address is used here. If your KDC does not provide DNS, enter the address of a DNS server that can resolve the KDC and LDAP hostnames instead.
7. Click Apply.
Configure the MFP/digital sender for Kerberos authentication
For additional information on configuring Kerberos authentication, refer to the Configuring Embedded Kerberos Authentication guide. It is bundled on the product CD and is also available for download from HP at: h20000.www2.hp.com/bc/docs/support/supportmanual/c00646187/c00646187.pdf
TIP: When installing this solution for the first time in a new environment, configure and test the Kerberos settings first. Once Kerberos is working correctly, configure the LDAP settings. Once LDAP is working correctly, configure the PKINIT settings. Each layer depends on the one before it, so testing in this order isolates faults to the layer that was just added.
Accessing the Kerberos Authentication page
Many of the steps required to configure the MFP/digital sender for Kerberos authentication are completed on the Kerberos Authentication page. Follow the steps below to access the page.
1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.
2. Click the Settings tab.
3. On the left menu bar, click Kerberos Authentication. The following panel is displayed:
Figure 2-4 Kerberos Authentication page (part 1)
4. Select the domain name and click Edit, or click Add to enter a new domain name. The Kerberos Authentication detail panel is displayed.
Figure 2-5 Kerberos Authentication page (part 2)
Enter the Kerberos authentication information
On the Kerberos Authentication detail page, complete the Accessing the Kerberos Authentication Server section:
1. Enter the Kerberos Realm (Domain).
NOTE: You must enter the Kerberos Realm using all uppercase letters (for example, an Active Directory domain named example.gov has the realm EXAMPLE.GOV). Kerberos realm names are case-sensitive, so a lowercase realm will not match the KDC's realm.
2. Enter the Kerberos Server Hostname.
3. Enter the Kerberos Server Port if required (the standard Kerberos port is 88).
4. Click Apply to save the settings.
Kerberos settings test
If the settings for the Kerberos Realm (Domain) and Kerberos Server Hostname are correct, you can partially authenticate on the MFP/digital sender. To check that the Kerberos settings are configured correctly:
1. Using the HP Embedded Web Server, click the Settings tab and then select Authentication Manager from the left menu bar.
2. Select Kerberos from the Sign In At Walk Up drop-down list and click Apply. The MFP/digital sender control panel should display a Sign In > Windows prompt.
3. At the MFP/digital sender control panel, attempt to log in using a valid username and password for your domain. If the error message "Authentication Failed: Kerberos LDAP server not configured. Please contact the administrator." is displayed, the Kerberos Authentication settings were successfully configured: the device obtained a ticket from the KDC and only the LDAP lookup that follows is missing. If a different error message is displayed, see Kerberos troubleshooting on page 34.
Accessing the LDAP server
On the Kerberos Authentication page, complete the Accessing the LDAP server section:
1. Select the LDAP Server Bind Method (Kerberos or Kerberos Over SSL).
2. Select the Use Device User's Credentials check box.
3. Enter the LDAP Server name. (You can use the same name as the Kerberos Server Hostname.)
4. Enter the LDAP server Port number.
5. Click Apply to save the settings.
LDAP settings test
On HP MFPs and digital senders with embedded Kerberos authentication capability, Kerberos authentication is a two-step process. The first step obtains a Kerberos TGT (ticket granting ticket); the Kerberos settings test (see Kerberos settings test on page 12) indicates whether this step succeeds. The second step looks up the authenticated user's E-mail address in an LDAP directory. To test your LDAP server access:
1. Using the HP Embedded Web Server, go to the Authentication Manager page by clicking the Settings tab and then selecting Authentication Manager from the left menu bar.
2. Select Kerberos from the Send to E-mail drop-down list and click Apply.
3. Verify that a valid SMTP gateway is specified on the E-mail Settings page: select the Digital Sending tab and click E-mail Settings on the left menu bar.
Figure 2-6 E-mail Settings
4. Access the menu on the MFP/digital sender control panel and touch E-mail. If you authenticate with no error message and the correct name is displayed in the From field on the E-mail Settings screen, the LDAP settings are configured correctly. If you receive an error message or do not see the correct display name, see LDAP server troubleshooting on page 37.
Install the Kerberos Server Root Certificate Authority Certificate
The issuer's certificate for your KDC certificate must be installed on the MFP/digital sender in order to perform PKINIT authentication; it is the trust anchor against which the KDC certificate received during the PKINIT exchange is verified. To install this certificate:
1. Using the HP Embedded Web Server, select the Settings tab.
2. On the left menu bar, click Kerberos Authentication.
3. Select the domain name and click Edit, or enter a new domain name by clicking Add. The Kerberos Authentication page is displayed.
4. Scroll down to the Using PKINIT Authentication (Smart Card Authentication Only) section and click PKINIT Settings. The following screen is displayed:
Figure 2-7 Kerberos Authentication page (PKINIT Settings)
5. In the Kerberos Server Root Certificate Authority (CA) Certificate section, click Edit.
6. On the Certificates page, click Browse and locate the certificate file.
7. Once the file is located, click Import.
If you can use a Smartcard to log on to a PC, you may be able to find the certificates that must be installed on the MFP/digital sender on that PC. To find the certificates installed on a PC:
1. Log on to the PC using a Smartcard.
2. Open Internet Explorer.
3. On the Tools menu, select Internet Options.
4. Select the Content tab and click Certificates.
5. On the Intermediate Certification Authorities and Trusted Root Certification Authorities tabs you may find the certificates that allow the MFP/digital sender to authenticate successfully. Import only the chain that issued your KDC certificate, not the PC's whole trust store: every CA certificate installed here becomes a trust anchor that the MFP/digital sender will accept for PKINIT.
If there is a certificate problem, the error message on the MFP/digital sender often contains the subject of the required certificate. The subject normally contains a CN=<some name> value; the <some name> portion is the value that Internet Explorer shows in the Issued To column of the Certificates dialog box.
Once the following are in place, you are ready to test PKINIT Smartcard authentication. Verify the following before you begin:
  The HP Smartcard reader is attached to the MFP/digital sender.
  The Kerberos settings are configured and working correctly.
  The LDAP settings are configured and working correctly.
  The KDC issuer certificate is loaded.
PKINIT Smartcard authentication test
To test PKINIT Smartcard authentication:
1. Using the HP Embedded Web Server, click the Settings tab and then select Authentication Manager from the left menu bar.
2. Select U.S. Gov't Smartcard v2.xx from the Sign In At Walk Up drop-down list.
3. Select U.S. Gov't Smartcard v2.xx from the Send to E-mail drop-down list.
NOTE: If U.S. Gov't Smartcard v2.xx is not listed in any of the drop-down lists on the Authentication Manager page, the HP Access Control Smartcard authentication upgrade is not installed. (See Upgrade the Smartcard and MFP/digital sender firmware on page 3 for more information.)
4. Click Apply.
5. The MFP/digital sender should now display the following prompt: Please insert your Smartcard, then press OK.
6. Insert your Smartcard into the reader, enter the appropriate PIN on the control panel, and touch OK.
If you authenticate successfully, the correct certificate is properly installed. If you cannot authenticate, see PKINIT troubleshooting on page 39.
Configure validation of the KDC certificate
The KDC validates that the client requesting authentication possesses a valid digital certificate (not expired or revoked). That check protects only the KDC. To verify that the KDC's own certificate has not been revoked, and to ensure that the MFP/digital sender does not accept an insecure or impersonated Kerberos server as its authentication authority, the remaining items in the Using PKINIT Authentication (Smart Card Authentication Only) section of the Kerberos Authentication page should also be configured. The KDC certificate is received by the MFP/digital sender during the PKINIT handshake; it does not need to be stored on the MFP/digital sender.
NOTE: The MFP/digital sender performs certificate revocation list (CRL) checking on the KDC's certificate only. It is therefore not necessary to install user CRLs during the configuration process.
The MFP/digital sender supports two methods for validating the KDC's certificate:
OCSP (Online Certificate Status Protocol)
One or more OCSP responders can be used for validation. Responders are contacted in the order entered; as soon as a good or revoked response is received from a responder, no further responders are contacted. If all configured OCSP responders are exhausted without a response, CRL checking commences if the Perform CRL checking on the Kerberos Server certificate chain check box is selected. OCSP validation is the preferred method for validating the server's certificate.
CRL (Certificate Revocation List) checking
HP MFPs and digital senders support two mutually exclusive modes for CRL checking:
  CRL distribution point (CDP): The CDP method assumes that the CRL is hosted off the MFP/digital sender. The CDP referencing the CRL location must exist in the server's certificate, or the administrator must configure the MFP/digital sender with the location of the CRL. Only full CRLs (also known as base CRLs) are currently supported; partitioned CRLs (also known as distributed or delta CRLs) are not supported.
  Local device CRL: A full CRL is loaded onto the MFP/digital sender hard drive.
NOTE: Because CRLs change often (sometimes daily), the local device CRL method requires a process that copies the updated CRL to the MFP/digital sender at regular intervals. For this reason, local MFP/digital sender CRLs are not recommended.
To configure OCSP validation of the KDC certificate:
1. Using the HP Embedded Web Server, click the Settings tab and then select Kerberos Authentication from the left menu bar.
2. In the Using PKINIT Authentication (Smart Card Authentication Only) section, click PKINIT Settings.
3. In the OCSP validation of Kerberos Server Certificate section, select the Perform OCSP Validation on the Kerberos Server certificate chain check box.
4. Click Edit below the OCSP server certificates.
5. On the Load Certificate page, click Browse and locate the certificate file.
6. Click Load Certificate.
7. If the OCSP responder certificate is not a root CA certificate (self-signed), continue loading certificates until the whole OCSP responder trust chain is installed; without the chain the device cannot verify the responder's signature on the status it returns.
To configure CDP validation of the KDC certificate:
1. Using the HP Embedded Web Server, click the Settings tab and then select Kerberos Authentication from the left menu bar.
2. In the Using PKINIT Authentication (Smart Card Authentication Only) section, click PKINIT Settings.
3. In the CRL validation of Kerberos Server Certificate section, select the Perform CRL checking on the Kerberos Server certificate chain check box.
4. Select the CRL Distribution Point (CDP) check box.
In many cases this is all that is required, because the MFP/digital sender can obtain the CRL from the location given by the CDP entries in the server's certificate. If the CRL cannot be obtained solely from the CDP information in the server's certificate, the MFP/digital sender uses the following fields to help locate a CRL:
  CDP Distinguished Name (DN): standard DN format
  LDAP Server: IP address or hostname
  Port: LDAP server port
NOTE: Anonymous is the only LDAP Server Bind Method currently supported for CRL retrieval. The CRL object must therefore be readable without credentials; confirm this from a workstation with an anonymous LDAP search against the CDP DN before relying on it.
To obtain the location of a CRL from the server certificate, the certificate must contain a CDP extension (specifically, one named CRL Distribution Points). The extension must contain an LDAP URL (HTTP URLs and Directory Address formats, usually associated with delta CRLs, are not currently supported). If no LDAP URL exists, the MFP/digital sender attempts to locate the CRL using the CDP Distinguished Name, LDAP Server, and Port fields on the HP Embedded Web Server configuration page, as described above. If values exist in the HP Embedded Web Server fields, they override the corresponding values in any LDAP URL found in the CDP extension.
The location of the CRL on the LDAP server must have the attribute certificaterevocationlist.
The LDAP filter and LDAP scope, which are used internally and are not configured through the HP Embedded Web Server, default to the following values if they are not specified in the CDP extension:
  filter: objectclass=*
  scope: base
To configure local device CRL validation of the KDC certificate (not recommended):
A script for delivering CRLs to the MFPs/digital senders in your organization is required, and it should run at regular intervals. Run the script at intervals shorter than the validity period of the CRL (the time until its next update), so that if an MFP/digital sender misses an update because of maintenance or because it is powered off, it still has a chance to receive a fresh CRL before the one it holds expires. Before running the script, the administrator should ensure that PJL access to the file system is available.
This means that the PJL password is not set and PJL disk access is enabled. For security reasons, PJL access to the file system should always be restricted by a password, and disk access should be turned off except while executing scripts or commands that load objects onto the MFP/digital sender. For more information on how to secure LaserJet devices, see the NIST Security Checklist available for download at checklists.nist.gov/repository/1087.html. (You can also search for the latest checklist at: checklists.nist.gov/ )
1. Ensure that the script ran and loaded the CRL onto the MFP/digital sender. Verify by printing a file system listing from the MFP/digital sender control panel.
2. In the Kerberos PKINIT Configuration section of the Kerberos Authentication page, select the Validate the Kerberos Server Certificate check box.
3. Enter the file location in the CRL URL(s) text box. This location is determined by the script that pushes the CRL to the MFP/digital sender.
4. Click Apply.
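The delivery script that the local device CRL method requires, as an added example written for this guide (it is not HP's script and the guide does not specify one). It builds the PJL file-system job that stores a DER-encoded base CRL on the device and sends it over the raw print port. Assumptions not stated in the guide: that the device accepts PJL FSDOWNLOAD on TCP port 9100, and that the on-device path 0:\crl\kdc.crl (which is what you would then enter in the CRL URL(s) field) is acceptable to its file system. The script must run in the state the guide describes, PJL disk access enabled and no PJL password set, and that access should be restricted again as soon as the run is finished.

```python
"""Build and send the PJL job that stores a full (base) CRL on an MFP/digital
sender's file system for the local device CRL method.

Added example for this guide, not HP's script. Assumes the device accepts PJL
file-system commands (@PJL FSDOWNLOAD) on the raw print port, TCP 9100, while
PJL disk access is enabled and no PJL password is set. The host and the
on-device path are placeholders.
"""
import socket

UEL = b"\x1b%-12345X"   # Universal Exit Language: opens and closes the job
CRL_DER_TAG = 0x30      # a DER-encoded CRL starts with a SEQUENCE tag


def build_crl_job(crl_der: bytes, device_path: str) -> bytes:
    """Return the raw bytes of a PJL FSDOWNLOAD job writing crl_der to device_path.

    FSDOWNLOAD carries the byte count up front, so binary DER content can
    follow the header unescaped. PEM input is rejected: convert it to DER
    first (openssl crl -inform PEM -outform DER).
    """
    if not crl_der or crl_der[0] != CRL_DER_TAG:
        raise ValueError("expected a DER-encoded CRL (first byte 0x30)")
    if '"' in device_path or "\r" in device_path or "\n" in device_path:
        raise ValueError("device path must not contain quotes or line breaks")
    header = (
        "@PJL\r\n"
        f'@PJL FSDOWNLOAD FORMAT:BINARY SIZE={len(crl_der)} NAME="{device_path}"\r\n'
    ).encode("ascii")
    return UEL + header + crl_der + UEL


def push_crl(host: str, crl_der: bytes, device_path: str,
             port: int = 9100, timeout: float = 30.0) -> int:
    """Send the job over the raw print port and return the bytes sent.

    Verify the result with a file system listing from the control panel, as
    the guide says, and re-restrict PJL disk access when the run is finished.
    """
    job = build_crl_job(crl_der, device_path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(job)
    return len(job)


if __name__ == "__main__":
    import sys
    # Usage: python push_crl.py <device-ip> <crl.der>; the device path is a placeholder
    with open(sys.argv[2], "rb") as fh:
        print(push_crl(sys.argv[1], fh.read(), r"0:\crl\kdc.crl"), "bytes sent")
```

Schedule it against each device at an interval shorter than the CRL's next-update period, and keep a copy of the CRL's nextUpdate time in your monitoring so that a device that has missed several runs is noticed before its copy expires.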
KDC Certificate Validation Test
1. Using the HP Embedded Web Server, click the Settings tab and then select Authentication Manager from the left menu bar.
2. Verify that U.S. Gov't Smartcard v2.xx is selected in the Sign In At Walk Up drop-down list and click Apply.
3. Insert your Smartcard into the reader, enter the appropriate PIN on the control panel, and touch OK.
If you authenticate successfully, the correct certificates are properly installed and the KDC certificate passed revocation checking. If you cannot authenticate, see OCSP/CRL troubleshooting on page 41.
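To predict what the CDP lookup described in this section will actually query before you run the validation test, the following added example (written for this guide, not HP code) applies the lookup order the guide gives: it takes the LDAP URL from the certificate's CRL Distribution Points extension (skipping HTTP entries as unsupported), lets the CDP Distinguished Name, LDAP Server and Port fields from the EWS override the corresponding URL parts, and falls back to the stated defaults of filter objectclass=* and scope base. The function and field names are mine, and the sample CDP list at the bottom is constructed data in the host-less ldap:/// form that Active Directory CAs publish, which is exactly the case where the EWS LDAP Server field has to supply the host.

```python
"""Work out where the MFP/digital sender would look for the KDC certificate's
CRL under the CDP method, following the lookup order this guide describes.

Added example for this guide, not HP code. Function and field names are mine;
the sample CDP URLs in the demo are constructed, not a real PKI's.
"""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import unquote, urlsplit

CRL_ATTRIBUTE = "certificaterevocationlist"  # attribute the CRL object must carry (per the guide)
DEFAULT_LDAP_PORT = 389


@dataclass
class CrlLocation:
    server: str                  # empty when neither the URL nor the EWS supplies a host
    port: int
    dn: str
    attribute: str
    scope: str
    ldap_filter: str
    warnings: List[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        """True only if the device has a host, a DN and the right attribute to query."""
        return bool(self.server and self.dn) and self.attribute.lower() == CRL_ATTRIBUTE


def resolve_crl_location(cdp_urls: List[str], ews_dn: str = "",
                         ews_server: str = "", ews_port: int = 0) -> CrlLocation:
    """Mirror the device's CDP lookup order and report what it would query."""
    warnings: List[str] = []
    server = dn = attribute = scope = ldap_filter = ""
    port = 0

    # Only an ldap:// URL in the extension is used; other entries are ignored.
    ldap_url = next((u for u in cdp_urls if u.lower().startswith("ldap://")), None)
    for u in cdp_urls:
        if u is not ldap_url:
            warnings.append(f"ignored CDP entry (only ldap:// URLs are used): {u}")

    if ldap_url is not None:
        parts = urlsplit(ldap_url)
        server = parts.hostname or ""        # 'ldap:///CN=...' (AD style) names no host
        port = parts.port or 0
        dn = unquote(parts.path.lstrip("/"))
        # RFC 4516: the query part is attributes?scope?filter[?extensions]
        fields = parts.query.split("?") if parts.query else []
        attribute = unquote(fields[0]) if len(fields) > 0 else ""
        scope = fields[1] if len(fields) > 1 else ""
        ldap_filter = unquote(fields[2]) if len(fields) > 2 else ""

    # EWS fields, when filled in, override whatever the URL said.
    if ews_dn:
        dn = ews_dn
    if ews_server:
        server = ews_server
    if ews_port:
        port = ews_port

    # Defaults the guide states for the internally used filter and scope.
    scope = scope or "base"
    ldap_filter = ldap_filter or "objectclass=*"
    port = port or DEFAULT_LDAP_PORT
    attribute = attribute or CRL_ATTRIBUTE

    if attribute.lower() != CRL_ATTRIBUTE:
        warnings.append(f"attribute {attribute!r} is not {CRL_ATTRIBUTE}; the device will not find the CRL there")
    if not server:
        warnings.append("no LDAP server: the URL names no host and the EWS LDAP Server field is empty")
    if not dn:
        warnings.append("no DN: the URL has no path and the EWS CDP Distinguished Name field is empty")
    return CrlLocation(server, port, dn, attribute, scope, ldap_filter, warnings)


if __name__ == "__main__":
    # Constructed sample: AD CAs publish an HTTP URL plus a host-less ldap:/// URL.
    sample_cdp = [
        "http://pki.example.gov/pki/Example%20Issuing%20CA.crl",
        "ldap:///CN=Example%20Issuing%20CA,CN=ca1,CN=CDP,CN=Public%20Key%20Services,"
        "CN=Services,CN=Configuration,DC=example,DC=gov"
        "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    ]
    print(resolve_crl_location(sample_cdp))                                # incomplete: no host
    print(resolve_crl_location(sample_cdp, ews_server="dc1.example.gov"))  # EWS supplies the host
```

Feed it the CDP URLs printed by openssl x509 -text for your KDC certificate together with the values you intend to enter in the EWS; a result that is not complete, or that carries an attribute warning, is the CRL-side failure to fix before expecting the KDC Certificate Validation Test to pass.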
Configure authentication using the Smartcard accessory
1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.
2. Click the Settings tab.
3. On the left menu bar, click Authentication Manager. The Authentication Manager page is displayed.
Figure 2-8 Authentication Manager page
4. Review each of the MFP/digital sender functions on this page. Select U.S. Gov't Smartcard v2.xx from the drop-down list next to each function for which Smartcard authentication is required.
NOTE: When U.S. Gov't Smartcard v2.xx is selected in the Sign In At Walk Up drop-down list, all other functions are also restricted to Smartcard authentication.
To require that the authenticated user's E-mail address be used in the From field when sending E-mail, make sure that U.S. Gov't Smartcard v2.xx is selected in the Send to E-mail drop-down list.
If U.S. Gov't Smartcard v2.xx is not listed in any of the drop-down lists, the HP Access Control Smartcard authentication upgrade is not installed. (See Upgrade the Smartcard and MFP/digital sender firmware on page 3 for more information.)
5. Click Apply.
Configure access to the network destination folders
Configure the access options for each folder to Use Public Credentials, and then configure the public credentials with those of a known authorized user (such as an administrator account). Public credentials are stored on the device and are used for every user's scans, so prefer a dedicated account whose write access is limited to the destination shares over a domain administrator account; an attacker who extracts the stored credentials then gains only that access.
1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.
2. Click the Digital Sending tab. On the left menu bar, click Send to Folder. The Send to Folder page is displayed.
Figure 2-9 Send to Folder page
3. Select Kerberos from the Authentication Setting drop-down list and click Apply.
4. Select a folder in the Predefined Folders list.
NOTE: To select a folder, one or more network folders must already be configured. If you need to add a new folder, click Add under the Predefined Folders list and complete the applicable fields.
5. Click Edit. The Edit Shared Folder page is displayed.
Figure 2-10 Edit Folder Access settings
6. In the Access Credentials drop-down list, select Use Device User's Credentials or Use Public Credentials. With Use Device User's Credentials, the MFP/digital sender accesses the shared folder as the currently signed-in user, so each user reaches only the folders they are already permitted to use. With Use Public Credentials, the credentials specified during configuration are used for every user.
7. If Use Public Credentials was selected, type the appropriate values for the authorized account in the Domain, Username, and Password text fields.
8. Click Test Folder Access to verify that the supplied credentials provide access to the folder.
9. Click OK.
10. Repeat the preceding steps for each folder in the Predefined Folders list.
When the configuration is complete, the MFP/digital sender requires an authorized Smartcard in order to use the selected features.
Configure LDAP access for address books
When a user enters the Send to E-mail screen, an address book icon is displayed next to each recipient field (To, Cc, Bcc). As the user types a recipient on the keyboard screen, the recipient name can be auto-completed. This auto-complete feature is enabled by specifying the LDAP addressing settings in the HP Embedded Web Server.
1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.
2. Click the Digital Sending tab. On the left menu bar, click LDAP Settings. The Addressing Settings page is displayed.
Figure 2-11 LDAP addressing settings
3. Select the Allow Device to directly access an LDAP Address Book check box.
4. Select Kerberos Bind from the LDAP Server Bind Method drop-down list.
5. Enter the appropriate information in each of the applicable fields to configure the settings.
NOTE: You should be able to use the same values used to configure LDAP access on the Kerberos page to configure the LDAP address settings. 6. Click Apply. The search root might need to be refined to return only LDAP records, which represent users in your organization. If entries are returned which do not contain an E-mail address or a display name, the MFP/digital sender considers the results invalid. The MFP/digital sender might not display any entries and may fail to auto-complete addresses that would otherwise work. Use the ldp tool (as described in the Kerberos setup guide Configuring Embedded Kerberos Authentication) to find the search root that returns only valid results from your LDAP server. NOTE: The Kerberos setup guide Configuring Embedded Kerberos Authentication comes bundled on the product CD and is available for download from HP at h20000.www2.hp.com/bc/docs/support/ SupportManual/c00646187/c00646187.pdf LDAP performance can be severely impacted by the lack of DNS entries for referrals returned by your LDAP server. Unfortunately there is no indication on the MFP/digital sender that it is waiting for a referral. The best way to diagnose this situation is with a network trace. Configuring LDAP over SSL If your LDAP server allows binds over SSL only, then you must install the digital certificate for the LDAP server onto the MFP/digital sender and change the bind type to Simple over SSL or Kerberos over SSL. 1. Install the digital certificate for the LDAP server onto the MFP/digital sender. a. Start the HP Embedded Web Server and click the Networking tab. On the left menu bar, click Authorization. The Authorization page is displayed. b. Select the Certificates tab. The Certificates page is displayed. Figure 2-12 Network Authorization - Certificates ENWW Configure LDAP access for address books 23
   c. In the CA Certificate section, click Configure. The Certificate Options page is displayed.

Figure 2-13 Network Authorization - Certificate Options

   d. Make sure the Install CA Certificate option is selected and then click Next. The Install CA Certificate page is displayed.

Figure 2-14 Network Authorization - Install CA Certificate

   e. Click Browse and search for the root CA certificate. Click Finish to install the specified certificate.
2. Change the bind type to Simple over SSL or Kerberos over SSL.
   a. On the LDAP settings page, change the bind type to Simple over SSL.
   b. Select Use Public Credentials and enter credentials for a service account which can be used to access the LDAP server.

NOTE: Kerberos binds to the LDAP server also cause all communication to and from the LDAP server to be encrypted, even without the use of SSL.
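The search-root refinement described under Configure LDAP access for address books above can be checked offline once you have exported a set of ldp results. The following is an added example, not code from HP or from this guide: it applies the rule that an address-book result is usable only when it carries both a display name and an E-mail address, derives the narrowest search root that still returns every usable entry, and lists the invalid entries that narrowing alone cannot exclude. The directory entries are constructed sample data, and the attribute names displayName and mail are an assumption (the guide notes that the real names depend on your LDAP schema).

```python
"""Added example (not HP's code): model the device's "display name and E-mail
address required" rule and derive a search root from a set of LDAP results."""

from typing import Dict, List, Optional, Tuple

DISPLAY_NAME_ATTR = "displayName"   # assumed attribute name; schema-dependent
EMAIL_ATTR = "mail"                 # assumed attribute name; schema-dependent

# Constructed sample result set, as a broad ldp search from the domain root
# might return it: user objects plus objects that lack one of the attributes.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"dn": "CN=Alice Example,OU=Staff,DC=technical,DC=marketing,DC=com",
     "displayName": "Alice Example", "mail": "alice@example.test"},
    {"dn": "CN=Bob Example,OU=Staff,DC=technical,DC=marketing,DC=com",
     "displayName": "Bob Example", "mail": "bob@example.test"},
    {"dn": "CN=Printer-01,OU=Devices,DC=technical,DC=marketing,DC=com",
     "displayName": "Printer-01"},                      # no mail: invalid
    {"dn": "CN=svc-backup,OU=Staff,DC=technical,DC=marketing,DC=com",
     "mail": "svc-backup@example.test"},                # no displayName: invalid
]


def domain_to_search_root(domain: str) -> str:
    """TECHNICAL.MARKETING.COM -> DC=TECHNICAL,DC=MARKETING,DC=COM, the usual
    starting point before the root is refined."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def is_valid_entry(entry: Dict[str, str]) -> bool:
    """The device treats a result without a display name or E-mail address as invalid."""
    return bool(entry.get(DISPLAY_NAME_ATTR)) and bool(entry.get(EMAIL_ATTR))


def dn_is_under(dn: str, root: str) -> bool:
    """True when root is a (case-insensitive) suffix of dn, compared RDN by RDN."""
    dn_parts = [p.lower() for p in split_dn(dn)][::-1]
    root_parts = [p.lower() for p in split_dn(root)][::-1]
    return dn_parts[:len(root_parts)] == root_parts


def narrowest_search_root(entries: List[Dict[str, str]]) -> Optional[str]:
    """Longest common DN suffix of all valid entries: the deepest container whose
    subtree still returns every usable record. None when nothing is usable."""
    suffixes = [split_dn(e["dn"])[::-1] for e in entries if is_valid_entry(e)]
    if not suffixes:
        return None
    common: List[str] = []
    for column in zip(*suffixes):
        if all(p.lower() == column[0].lower() for p in column):
            common.append(column[0])
        else:
            break
    return ",".join(reversed(common))


def audit(entries: List[Dict[str, str]]) -> Tuple[List[str], List[str], Optional[str]]:
    """Return (valid DNs, invalid DNs still inside the proposed root, proposed root).
    Invalid entries that remain under the root cannot be excluded by narrowing the
    search root alone; they need a directory clean-up or a different container."""
    root = narrowest_search_root(entries)
    valid = [e["dn"] for e in entries if is_valid_entry(e)]
    leftovers = [e["dn"] for e in entries
                 if not is_valid_entry(e) and root is not None and dn_is_under(e["dn"], root)]
    return valid, leftovers, root


if __name__ == "__main__":
    usable, still_invalid, proposed = audit(SAMPLE_ENTRIES)
    print("proposed search root:", proposed)
    print("usable entries:", len(usable))
    print("invalid entries still under the root:", still_invalid)
```

On the sample data the proposed root is OU=Staff,DC=technical,DC=marketing,DC=com, which drops the printer object but not the service account under OU=Staff; that second result is the one the audit reports, because no search root can exclude it while still returning both users.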
Configure Send to E-mail

E-mail messages are digitally signed by default when Smartcard authentication is used. However, this can be changed on the advanced E-mail settings screen.

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.
2. Click the Digital Sending tab. On the left menu bar, click E-mail Settings. The Addressing Settings page is displayed.

Figure 2-15 E-mail settings

3. Enter the appropriate information in each of the applicable fields to configure the E-mail settings.
4. Click the Advanced button. The Advanced E-mail Settings panel is displayed:

Figure 2-16 Advanced E-mail settings

5. If E-mail signing is preferred for outgoing operations:
   a. Using the S/MIME Settings (Signed/Encrypted E-mail) section, select Sign Message in the Digital Signature section.
   b. If signing is preferred but not required, select the Allow users to send unsigned messages check box. (If signing is required, do not select this check box.)
   Otherwise, if E-mail signing is not preferred:
   c. Using the S/MIME Settings (Signed/Encrypted E-mail) section, select Do Not Sign Message in the Digital Signature section.
   d. If signing is not preferred but allowed, select the Allow users to send signed messages check box. (If signing is not allowed, do not select this check box.)
6. If E-mail encryption is preferred for outgoing operations:
   a. Using the S/MIME Settings (Signed/Encrypted E-mail) section, select Encrypt Message in the Encryption section.
   b. If encryption is preferred but not required, select the Allow users to send unencrypted messages check box. (If encryption is required, do not select this check box.)
   Otherwise, if E-mail encryption is not preferred:
   c. Using the S/MIME Settings (Signed/Encrypted E-mail) section, select Do Not Encrypt Message in the Encryption section.
   d. If encryption is not preferred but allowed, select the Allow users to send encrypted messages check box. (If encryption is not allowed, do not select this check box.)

To ensure that recipients of signed E-mails can trust the associated digital signatures, install certificates in the E-mail signature chain onto the MFP/digital sender. Certificates must be installed on the MFP/digital sender by clicking Edit in the Signed E-mail Certificate Chains section on the Kerberos Authentication page.

If you use Microsoft Outlook and already have signed E-mail configured for your personal account, here is one way to gather certificates in your E-mail signature chain:

1. Send a signed E-mail to yourself.
2. Click on the certificate icon.
3. Click Details.
4. Click on the signer, and then click View Details.
5. Click View Certificate.
6. Click on the Certification Path tab.
7. For each certificate above yourself in the chain:
   a. Click View Certificate.
   b. Click on the Details tab.
   c. Click Copy To File.
   d. Export the file in DER or Base-64 format.
   e. Import the file into the MFP/digital sender.

TIP: Once all required certificates related to the KDC, OCSP, and E-mail signing trust chain have been installed on the MFP/digital sender, these can be exported to a single file on the HP Embedded Web Server Kerberos Certificates page. This file can then be imported to another MFP/digital sender. If you are using Simple over SSL for your LDAP binds, this certificate must be imported separately on the Networking tab.
3 Normal use of the HP Access Control Smartcard

After the firmware and hardware are installed and the MFP/digital sender is configured for HP Access Control Smartcard authentication, the MFP/digital sender restricts access according to the specified options. When a user attempts to use a Smartcard-restricted function, the following actions occur:

1. The MFP/digital sender prompts for a valid card to be placed in the Smartcard reader. The user places the card into the reader and leaves it there while using the MFP/digital sender.
2. The MFP/digital sender prompts for a personal identification number (PIN) before continuing. The user types the PIN on the number pad on the MFP/digital sender control panel, and then touches OK on the touchscreen.
3. The MFP/digital sender authenticates the user by accessing the Active Directory user attributes through a PKI version of the Kerberos authentication protocol. When authentication is complete, the MFP/digital sender provides access to the selected function.

If the user types an incorrect PIN, the MFP/digital sender prompts for the number again. If the user enters the wrong PIN three times, the Smartcard is disabled and no longer usable.
4 Troubleshooting

NOTE: For the most current troubleshooting information regarding this product, go to: www.hp.com/support/usdodsmartcard.

NOTE: For additional information on configuring Kerberos authentication refer to the Configuring Embedded Kerberos Authentication guide. It comes bundled on the product CD and is available for download from HP at h20000.www2.hp.com/bc/docs/support/supportmanual/c00646187/c00646187.pdf

If you are experiencing an issue that is not documented here or the steps here do not resolve the issue, contact HP support.
General troubleshooting

Problem: 49.4c18 error displays when restarting device
Cause: An unsupported firmware version is installed on the device. The authentication upgrade was installed on the device without the correct firmware.
Solution: To enable the device to boot to Ready after this message has appeared:

CAUTION: The following procedure is for resolving the 49.4c18 error only and is not recommended for any other operation of the device.

1. Turn the device off and back on.
2. Hold down the 9 key during the memory test.
3. After all 3 LEDs are a solid color, release the 9 key and then press and release the 3 key.
4. Press and release the Start key. The device should now say SKIP DISK LOAD.
5. Press and release the 6 key.
6. The device should then proceed to boot to Ready.

Problem: Smartcard authentication does not work after performing a Secure Storage Erase or Disk Init on the MFP/digital sender.
Cause: Performing a Secure Storage Erase or Disk Init erases information that is critical for the Smartcard authentication to work.
Solution: The entire HP Access Control Smartcard installation and configuration must be completed again. This includes reinstalling the authentication upgrade and performing all of the necessary HP Embedded Web Server configuration steps. Refer to Installation on page 1 and Configuring the MFP/digital sender on page 7 for instructions.

Problem: MFP/digital sender authentication is working, but remote features such as Send to E-mail and LDAP lookup are not.
Cause: The MFP/digital sender clock is out of sync with the server clock.
Solution: Clients and servers must be synced to within 5 minutes of each other. Either configure both the MFP/digital sender and the KDC server to use the same NTP server, or configure the MFP/digital sender to use the KDC server as the clock drift correction server.
Cause: The DNS lookup zone is not properly configured.
Solution: Hostnames must be used for all Kerberos and SSL servers. Verify that the servers listed in the HP Embedded Web Server for Kerberos, Send to Folder, and LDAP addressing configuration are listed as hostnames and not IP addresses.
Cause: Kerberos Realm names are not listed in upper case.
Solution: Check the Kerberos configuration in the HP Embedded Web Server and verify that all Realm names specified are listed in upper case.
Problem: Error: No card detected when using a valid Smartcard
Cause: If the Smartcard is valid, then the mechanical switch on the card reader may have failed.
Solution: Replace the card reader.

Problem: Error: Please insert a valid card when using a valid Smartcard
Cause: If the Smartcard is valid, then the card contacts on the reader may have failed.
Solution: Replace the card reader.

Problem: The configured device no longer recognizes the Smartcard.
Cause: An incorrect PIN for the Smartcard has been entered successively three or more times.
Solution: After entering an incorrect PIN successively three or more times, the Smartcard is disabled as a security measure. Once a Smartcard is disabled, it must be replaced.
Kerberos troubleshooting

Error message: Authentication Failed: Kerberos server not available. Please contact the administrator.
Cause: The Kerberos server hostname was not entered correctly or is not a valid hostname.
Solution: To determine if the hostname is valid, open a Windows command shell and type: ping <kerberos hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname.
Cause: The DNS settings on the device are not correct.
Solution: To determine if the device's DNS settings are not correct, try using the IP address of the Kerberos server instead of a hostname. Open a Windows command shell and type: nslookup <kerberos hostname>. The nslookup command should return the name of the DNS server that resolved the Kerberos host and the IP address of the host. Try entering the Kerberos server IP address on the settings page and performing authentication again. If this works, then open the HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command.
Cause: The Kerberos server is powered off or not reachable.
Solution: If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server.
Cause: The host is not a valid Kerberos server.
Solution: If the host is a valid Kerberos server, it should accept connections through port 88. Open a Windows command shell and type: telnet <kerberos hostname> 88. If the telnet command returns Connecting To <host> Could not open connection to the host, or port 88: Connect failed, then the host is not a valid Kerberos server. If the window becomes blank, then it is accepting connections on port 88. Most likely the device network settings are not correct or the device is not operating correctly.

Error message: Authentication Failed: Realm not recognized. Please contact the administrator.
or
Authentication Failed: Kerberos server not available for provided domain. Please contact the administrator.
Cause: The domain field is not correct for the server that is being contacted.
Solution: If the hostname for the server were ad1.technical.marketing, then the realm name is probably TECHNICAL.MARKETING. If you have followed the procedure for finding the default realm from the Configuring Embedded Kerberos Authentication guide and it does not work, try this alternative method for discovering the domain:

1. On the Windows desktop, click Start, then right-click on My Computer and select Properties.
2. Select the Computer Name tab.
3. Copy the value in the Domain field to the Kerberos Default Realm field on the device.

NOTE: The Domain name must be entered in all capital letters.
Error message: Authentication Failed: Device time not synchronized with server. Set correct time, then turn device off and back on.
Cause: The device clock is offset more than five minutes from the Kerberos server. The Kerberos protocol requires that the device performing authentication is nearly synchronized with the Kerberos server, in order to prevent replay attacks.
Solution: On the device control panel press Administration, then press Time/Scheduling, then press Date/Time. Use the control panel keys to change the time. After changing the time setting, turn the device off and back on for the change to take effect.
Cause: The device's Network Time Protocol (NTP) server is reporting a different time from the KDC time. The device uses the NTP server to determine if the device is in a different time zone than the KDC and if the time stamp reported by the device to the KDC should be adjusted by half hour increments.
Solution: Most KDC servers are also hosting a NTP service, so try setting your NTP server to the same hostname as your Kerberos server.

1. Start the HP Embedded Web Server and select the Settings tab.
2. On the left menu bar, click Date & Time, then click Clock Drift Correction.
3. Copy the value from the Kerberos Server text box on the Kerberos Settings page into the Network Time Server Address text field.

After changing your NTP setting, turn the device off and back on for the change to take effect.

NOTE: Because of the NTP adjustment, the time zone and daylight savings settings on the device do not affect the time reported by the device.

Error message: Login failed. Please try again
Cause: Incorrect credentials were entered, or the user is unknown on the server to which you are authenticating.
Solution: Verify that the user is authorized and using valid credentials.

Error message: Authentication Failed: Kerberos LDAP server not configured. Please contact the administrator.
or any other LDAP related error
Cause: The settings under Accessing the LDAP Server are not correct.
Solution: See the Configuring Embedded Kerberos Authentication guide for help in determining your organization's LDAP configuration. See LDAP server troubleshooting on page 37 for other possible issues.
Error message: Authentication Failed: Error code XXXXX Unknown
Solution: Contact HP support.
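Several of the conditions in General troubleshooting and Kerberos troubleshooting above (servers entered as IP addresses instead of hostnames, a realm not in upper case or not matching the KDC's DNS domain, a device clock more than five minutes from the KDC) can be caught before the settings are applied. The following is an added example, not code from HP or from this guide: a pre-flight check over a settings dictionary modelled on the HP Embedded Web Server fields. The dictionary keys, the sample values and the two timestamps are assumptions and constructed data, not the EWS's own field names.

```python
"""Added example (not HP's code): pre-flight checks for Kerberos/LDAP settings,
modelling the hostname, realm-case and clock-skew rules stated in this chapter."""

import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_CLOCK_SKEW = timedelta(minutes=5)   # Kerberos tolerance quoted in this chapter
# Fields the chapter says must hold hostnames, not IP addresses (keys are assumed names).
HOSTNAME_FIELDS = ("kerberos_server", "ldap_server", "send_to_folder_server")


def is_ip_literal(value: str) -> bool:
    """True for an IPv4/IPv6 literal (optionally bracketed), False for a hostname."""
    try:
        ipaddress.ip_address(value.strip().strip("[]"))
        return True
    except ValueError:
        return False


def default_realm_from_hostname(kdc_hostname: str) -> str:
    """ad1.technical.marketing -> TECHNICAL.MARKETING, the rule of thumb given
    above for the 'Realm not recognized' error."""
    labels = kdc_hostname.strip().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("KDC hostname must be fully qualified")
    return ".".join(labels[1:]).upper()


def check_settings(settings: Dict[str, str], device_time: datetime,
                   kdc_time: datetime) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    for field in HOSTNAME_FIELDS:
        value = settings.get(field, "")
        if value and is_ip_literal(value):
            findings.append(f"{field}: '{value}' is an IP address; enter the hostname instead")
    realm = settings.get("default_realm", "")
    if not realm:
        findings.append("default_realm: missing")
    elif realm != realm.upper():
        findings.append(f"default_realm: '{realm}' must be entered in upper case")
    kdc = settings.get("kerberos_server", "")
    if realm and kdc and not is_ip_literal(kdc):
        expected = default_realm_from_hostname(kdc)
        if realm.upper() != expected:   # the guide says "probably", so report as a warning
            findings.append(f"default_realm: '{realm}' does not match '{expected}' "
                            f"derived from {kdc} (warning; verify against the domain)")
    skew = abs(device_time - kdc_time)
    if skew > MAX_CLOCK_SKEW:
        findings.append(f"clock: device is {skew} away from the KDC; "
                        f"must be within {MAX_CLOCK_SKEW}")
    return findings


# Constructed sample with three deliberate mistakes for the checks to catch.
SAMPLE_SETTINGS = {
    "kerberos_server": "ad1.technical.marketing",
    "default_realm": "technical.marketing",          # wrong case
    "ldap_server": "192.0.2.10",                      # IP literal (documentation range)
    "send_to_folder_server": "files.technical.marketing",
}
DEVICE_TIME = datetime(2009, 11, 1, 12, 0, tzinfo=timezone.utc)
KDC_TIME = datetime(2009, 11, 1, 12, 7, tzinfo=timezone.utc)   # seven minutes apart


def run_sample() -> List[str]:
    return check_settings(SAMPLE_SETTINGS, DEVICE_TIME, KDC_TIME)


def run_corrected_sample() -> List[str]:
    fixed = dict(SAMPLE_SETTINGS, default_realm="TECHNICAL.MARKETING",
                 ldap_server="dc1.technical.marketing")
    return check_settings(fixed, DEVICE_TIME, DEVICE_TIME)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The realm comparison is reported as a warning rather than an error because the guide only says the realm is "probably" the KDC host's DNS domain; the Computer Name tab procedure above remains the authoritative way to find it.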
LDAP server troubleshooting

Error message: LDAP bind at server X failure: Server down
Cause: The LDAP server hostname was not entered correctly or is not a valid hostname.
Solution: To determine if the hostname is valid, open a Windows command shell and type: ping <LDAP hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname.
Cause: The DNS settings on the device are not correct.
Solution: To determine if the device's DNS settings are not correct, try using the IP address of the LDAP server instead of a hostname. Open a Windows command shell and type: nslookup <LDAP hostname>. The nslookup command should return the name of the DNS server that resolved the LDAP host and the IP address of the host. Try entering the LDAP server IP address on the settings page and performing authentication again. If this works, then open the device's HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command.
Cause: The LDAP server is powered off or not reachable.
Solution: If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server.
Cause: The host is not a valid LDAP server.
Solution: If the host is a valid LDAP server, it should accept connections through port 389 or 3268. Open a Windows command shell and type: telnet <LDAP hostname> 389. If the telnet command returns Connecting To <host> Could not open connection to the host, or port 389: Connect failed, then the host is not a valid LDAP server. If the window becomes blank, then it is accepting connections on port 389. Most likely the device network settings are not correct or the device is not operating correctly.

Error message: LDAP bind at server X failure: Local error
Cause: A DNS reverse lookup zone for your LDAP server's IP address is not configured.
Solution: To confirm this, open a Windows command shell and type: nslookup <IP address of host>. If the nslookup command returns the correct hostname, then the reverse DNS zone is configured correctly. If the nslookup command does not come back with the correct hostname, the DNS administrator needs to add a reverse lookup zone to resolve the issue.
Cause: An unhandled error has occurred on the device and is preventing it from operating correctly.
Solution: Try rebooting the device.
Error message: LDAP bind at server X failure: SSL bind required
Cause: The LDAP server requires that the connection be made using Secure Sockets Layer (SSL).
Solution: See Configuring LDAP over SSL on page 23.

Error message: LDAP failure retrieving display name. Result code: Fail
Cause: The search root is incorrect.
Solution: Typically if your domain is TECHNICAL.MARKETING.COM, then your search root would be: DC=TECHNICAL,DC=MARKETING,DC=COM. It may also have CN=Users.
Cause: The attribute used to retrieve the username is incorrect.
Solution: This attribute is often displayname, but it may be different depending on the LDAP schema. Contact your LDAP administrator to obtain the correct LDAP settings, or use the ldp tool as described in the Configuring Embedded Kerberos Authentication guide to discover them.

Error message: LDAP failure retrieving E-mail address. Result code: Fail
Cause: The attribute used to retrieve the E-mail address is incorrect.
Cause: The LDAP database does not have an E-mail address populated for this user.
Solution: This attribute is often email, but it may be different depending on the LDAP schema. Contact your LDAP administrator to verify this, or use the ldp tool as described in the Configuring Embedded Kerberos Authentication guide.
PKINIT troubleshooting

Error message: HP smart card reader not detected. Please connect the HP reader #nnnnn to the device, and turn the device off and back on.
Cause: The reader detection algorithm may have failed.
Solution: Reboot the device and try again.
Cause: The connection may be loose.
Solution: If the device reboots and the same problem persists, power the device off and check that the reader is connected firmly. After ensuring the connection is secure, power the device back on.
Cause: The reader may be faulty.
Solution: Try replacing the card reader with a different reader. Return the faulty reader to HP for replacement.

Error message: Authentication Failed: CMS verify signed failed: Failed to find issuer with subject X for certificate with subject Y. Please contact the administrator.
Cause: The issuer certificate of the KDC certificate is not installed on the device.
Solution: Installing the issuer's certificate on the device enables the device to verify that the response from the KDC is valid. To see the certificates that have been installed on the device:

1. Start the device HP Embedded Web Server and select the Settings tab.
2. On the left menu bar, click Kerberos Authentication. Select the domain name and click Edit, or enter a new domain name. The Kerberos Authentication page displays.
3. Scroll down to the Kerberos PKINIT Configuration section and click Certificates.

Error: Authentication Failed: KDC issuer certificate with subject 'X' is expired. Please contact the administrator.
Cause: The issuer certificate of the KDC certificate is installed on the device, but it is no longer valid. Every digital certificate is only valid for a specific time period. Once that time period is expired the certificate is no longer considered valid.
Solution: You need to install a new certificate on the device. To see certificates that have been installed on the device, go to the Kerberos Authentication page, and click Edit under the appropriate certificate type heading in the Using PKINIT Authentication (Smart Card Authentication Only) section.
Problem: You do not see a prompt to enter your PIN or insert your card when you try to access the device.
Cause: The device is not configured properly for Smartcard authentication.
Solution: See Configure authentication using the Smartcard accessory on page 19 for additional information.
Error: Authentication Failed: Authentication Method Not Found. Please contact the administrator
Cause: Smartcard authentication was previously installed on the device, but the device configuration has been changed because the hard disk was re-initialized.
Solution: The entire HP Access Control Smartcard installation and configuration must be completed again. This includes reinstalling the HP Access Control Smartcard authentication upgrade and performing all of the necessary HP Embedded Web Server configuration steps. Refer to Installation on page 1 and Configuring the MFP/digital sender on page 7 for instructions. If the hard disk was not intentionally reinitialized, then you may want to secure the device so that only an administrator can reinitialize the hard disk. Please contact HP for more information on protecting the device from unauthorized bootloader access.

Error: Authentication Failed: User certificate has been revoked
Cause: The user is trying to authenticate with an invalid Smartcard.
Solution: Try using a different Smartcard for authentication.

Error: Authentication Failed: User certificate is expired
Cause: The user is trying to authenticate with an expired Smartcard.
Solution: Try using a different Smartcard for authentication.

Error: Authentication Failed: Kerberos Server unable to validate user certificate
Cause: The Kerberos server may have an outdated CRL or may be unable to contact the OCSP server for validation.
Solution: Work with IT personnel maintaining the server to resolve the problem.
OCSP/CRL troubleshooting

Error message: Authentication Failed: KDC certificate with subject X has been revoked.
Cause: The OCSP responder returned a revoked status for the KDC certificate with subject X.
Solution: Contact your PKI administrator.

Error message: Authentication Failed: KDC certificate status with subject X is unknown.
Cause: The OCSP responder returned an unknown status for the KDC certificate with subject X.
Solution: Contact your PKI administrator.

Error message: Authentication Failed: Unable to contact OCSP responder.
Cause: The OCSP responder URL was not entered correctly or is not a valid URL.
Solution: To determine if the URL is valid, open a Web browser and copy the Web URL into the address bar. If the Web browser is unable to connect to the host or it returns a page not found error, then the URL is not the address of a valid OCSP responder.
Cause: DNS settings on the device are not correct.
Solution: To determine if the device DNS settings are incorrect, use the IP address of the OCSP responder instead of a hostname as the URL. To determine the IP address, open a Windows command shell and type: nslookup <OCSP responder hostname>. The nslookup command should return the name of the DNS server that resolved the host and the IP address of the host. Try entering the OCSP responder IP address on the settings page and performing authentication again. If this works, start the device's HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command.
Cause: The OCSP responder is powered off or not reachable.
Solution: If the URL is correct but accessing the OCSP responder through a Web browser is failing, the responder may be powered off or network problems may be preventing access.
Cause: The OCSP responder is only accessible through a proxy server.
Solution: Check the Web browser settings to determine if it is configured to use a proxy server. Disable the proxy settings and try contacting the OCSP responder through the Web browser again. If the Web browser indicates that it is not able to connect to this host or it returns a page not found error, then a proxy connection is required. The device only supports direct HTTP connections to OCSP responders.
Error message: Authentication Failed: OCSP request failed: Failed to find issuer with subject X for certificate with subject Y. Please contact the administrator.
Cause: A certificate in the issuing chain of the KDC certificate is not installed on the device.
Solution: In order for the KDC certificate to be trusted, if the KDC certificate is not self-signed, then all certificates in the KDC certificate chain must be validated. One of the certificates in this chain is not installed on the device. To see the certificates that have been installed on the device:

1. Start the device's HP Embedded Web Server and select the Settings tab.
2. On the left menu bar, click Kerberos Authentication. Select the domain name and click Edit, or enter a new domain name. The Kerberos Authentication page displays.
3. Scroll down to the Kerberos PKINIT Configuration section and click Certificates.

Error message: Authentication Failed: OCSP response verification failed. Responder certificate with subject X not installed. Please contact the administrator.
Cause: The OCSP responder certificate is not installed on the device.
Solution: The device will only trust the OCSP response if the OCSP responder's certificate is installed on the device. The OCSP response is signed, and installing the responder's certificate on the device allows the device to verify that the response should be trusted. To see the certificates that have been installed on the device:

1. Start the device's HP Embedded Web Server and select the Settings tab.
2. On the left menu bar, click Kerberos Authentication. Select the domain name and click Edit, or enter a new domain name. The Kerberos Authentication page displays.
3. Scroll down to the Kerberos PKINIT Configuration section and click Certificates.

Error: Authentication Failed: OCSP responder certificate with subject 'X' is expired. Please contact the administrator.
Cause: The OCSP responder certificate is installed on the device, but it is no longer valid. Every digital certificate is only valid for a specific time period. Once that time period is expired the certificate is no longer considered valid.
Solution: You need to install a new certificate on the device.
Error: Authentication Failed: CRL X not found. Please contact the administrator.
Cause: A CRL specified in the PKINIT configuration settings is not found. This may be because the file path was entered incorrectly, the device hard disk was reinitialized, or the CRL file has never been installed onto the device.
Solution: To view files on the device hard disk, on the control panel touch Administration, then touch Information, then touch Configuration / Status Pages, and then touch File Directory. Touch Print to print the file directory list. The CRL file should be at the same location as the path indicated in the PKINIT configuration settings.

Error: Authentication Failed: No valid CRL found for this KDC. Please contact the administrator.
Cause: All of the CRL(s) specified in the PKINIT configuration settings are present on the device, but none are signed by the proper certificate authority.
Solution: A CRL file needs to be present for each certificate in the KDC issuer chain, and each CRL should be signed by the same certificate authority which issued the certificate.

Error: Authentication Failed: CRL X is expired. Please contact the administrator.
Cause: The specified CRL is no longer valid. CRL files, like certificates, are only valid for a specific period of time. Once that time period expires the CRL is not considered valid.
Solution: A new CRL needs to be installed on the device.

Error: Unable to decode CDP extension.
Cause: CDP was enabled but the server certificate did not contain a valid CDP extension.
Solution: Contact the administrator responsible for server certificates to resolve the problem.

Error: No CDP is present in server certificate.
Cause: The server certificate contained a valid CDP extension but the extension contained no CDP entries.
Solution: Contact the administrator responsible for server certificates to resolve the problem.
Error: Unable to obtain CRL from Distribution Point
Cause: A valid CDP extension was found on the server certificate, but the CRL could not be obtained. Possible causes are: an improperly formatted CDP entry, incomplete or inaccurate LDAP parameters in the CDP entry, problems communicating with the LDAP server, or the CRL is not present on the LDAP server in the location referenced by the CDP.
Solution: Using an LDAP browsing tool, verify that the LDAP server is responding and contains a CRL in the location referenced by the CDP on the server's certificate. Ensure that the location of the CRL on the LDAP server has the attribute certificaterevocationlist. If the error persists, try entering the LDAP parameters in the CDP configuration section of the HP Embedded Web Server. If that succeeds, the server certificate does not contain a correct CDP entry.
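Before blaming the directory for the error above, it is worth decomposing the CDP entry itself. The following is an added example, not HP's code: it parses an LDAP-form CDP URL (the RFC 4516 layout ldap://host:port/DN?attributes?scope?filter) and reports the two formatting problems the guide lists, a CDP entry that asks for an attribute other than certificateRevocationList and an entry with no DN, plus an entry that names no LDAP server at all (ldap:///...), which is my assumption of the case where the LDAP parameters have to be supplied in the EWS CDP configuration section. The sample URLs are constructed.

```python
"""Added example (not HP's code): parse and sanity-check an LDAP CDP entry."""

from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

CRL_ATTRIBUTE = "certificateRevocationList"   # attribute the guide says must hold the CRL


@dataclass
class CdpLdapEntry:
    host: Optional[str]          # None when the URL is ldap:///... (no server named)
    port: int
    base_dn: str
    attributes: List[str]
    scope: str
    filter: Optional[str]


def parse_cdp_ldap_url(url: str) -> CdpLdapEntry:
    """Split an RFC 4516 LDAP URL into its parts; raises ValueError on a non-LDAP URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    # urlsplit puts everything after the first '?' into .query, so the
    # attributes?scope?filter?extensions fields are recovered by splitting it.
    segments = parts.query.split("?") if parts.query else []
    attributes = [a for a in unquote(segments[0]).split(",") if a] if segments else []
    scope = unquote(segments[1]) if len(segments) > 1 and segments[1] else "base"
    filt = unquote(segments[2]) if len(segments) > 2 and segments[2] else None
    port = parts.port or (636 if scheme == "ldaps" else 389)
    return CdpLdapEntry(host=parts.hostname or None, port=port,
                        base_dn=unquote(parts.path.lstrip("/")),
                        attributes=attributes, scope=scope, filter=filt)


def check_cdp_entry(url: str) -> List[str]:
    """Return findings for a CDP entry; an empty list means it is well formed."""
    try:
        entry = parse_cdp_ldap_url(url)
    except ValueError as exc:
        return [str(exc)]
    findings: List[str] = []
    if not entry.base_dn:
        findings.append("CDP entry has no DN: nothing to search for")
    if not any(a.lower() == CRL_ATTRIBUTE.lower() for a in entry.attributes):
        findings.append(f"CDP entry does not request the {CRL_ATTRIBUTE} attribute")
    if entry.host is None:
        findings.append("CDP entry names no LDAP server; supply the LDAP parameters "
                        "in the EWS CDP configuration section (assumption)")
    return findings


# Constructed sample CDP entries in the shape Active Directory CAs publish.
_DN = ("CN=Example%20Issuing%20CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
       "CN=Configuration,DC=technical,DC=marketing,DC=com")
SAMPLE_GOOD = f"ldap://dc1.technical.marketing/{_DN}?certificateRevocationList?base?objectClass=cRLDistributionPoint"
SAMPLE_NO_HOST = f"ldap:///{_DN}?certificateRevocationList?base?objectClass=cRLDistributionPoint"
SAMPLE_WRONG_ATTR = f"ldap://dc1.technical.marketing/{_DN}?cACertificate?base"


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_NO_HOST, SAMPLE_WRONG_ATTR):
        print(sample)
        print("  ", check_cdp_entry(sample) or "ok")
```

The parsed base_dn and attribute are exactly what you would type into an LDAP browsing tool to confirm that the CRL object exists where the certificate says it does.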
E-mail troubleshooting

Error: "E-mail Gateway rejected the job because of the addressing information. Job Failed"
Cause: The E-mail address attribute under "Searching the LDAP Database" on the Kerberos settings page is incorrect. The E-mail address attribute is used to set the authenticated user's from address. The E-mail gateway is trying to make sure that the "from" address is a valid from address.
Solution: Try changing the E-mail address attribute on the Kerberos page to reflect the correct LDAP attribute.

Error: "There are problems with the signature. Click the signature button for details."
Using Microsoft Outlook, E-mail sent by the device has an invalid digital signature. Viewing details on the signature shows: "Error: The system cannot validate the certificate used to create this signature because the issuer's certificate is either unavailable or invalid."
Cause: The recipient of the E-mail message does not have the intermediate and/or root certificate necessary to validate the client's E-mail certificate installed on their PC, and the device is not appending the intermediate and root certificates in the E-mail message because they have not been installed on the device.
Solution: Check the Kerberos page to see if the E-mail signing certificates are installed. Even if the device shows the certificates are installed, this does not mean the correct certificates are installed. To ensure that the correct certificates are installed, you need to know which CA issued the user's E-mail signing certificate. To do this, while viewing details for the digital signature in Microsoft Outlook, click on the signer and then click the "View Details" button. Under "Certificate Information" look at "Issued By". This certificate should be installed on the recipient's PC. For more information on exporting the E-mail certificate chain to the device, follow the steps under "Configure Send to E-mail".

Error: "Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority."
Using Microsoft Outlook, E-mail sent by the device has an invalid digital signature and a window with the following message is displayed when the user views details on the signature:

"Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority. The signature is invalid because you have either distrusted or not yet chosen to trust the following Certificate Authority:
Issued By: <CA Issuer Name>
Valid From: <Validity Dates>"

At the bottom of the window is a prompt to Trust the Certificate Authority.
Cause: The correct E-mail signing certificates have been installed on the device; however, the user has not yet chosen to trust the certificate chain which signed the user's E-mail certificate.
Solution: The recipient of the message needs to decide whether or not to trust the CA that issued your digital certificate. When the user decides to trust the signature, the CA certificate(s) are installed on their PC and future messages appear to have valid signatures.
A Licenses

This solution from HP uses and contains open source code and libraries from Heimdal Kerberos 5 and the OpenSSL project. Following are acknowledgements, copyrights, and license information associated with these open source solutions.
Heimdal Kerberos 5

Heimdal is a free implementation of Kerberos 5. The goals are to:

- have an implementation that can be freely used by anyone
- be protocol compatible with existing implementations and, if not in conflict, with RFC 1510 (and any future updated RFC)
- be reasonably compatible with the M.I.T Kerberos V5 API
- have support for Kerberos V5 over GSS-API (RFC1964)
- include the most important and useful application programs (rsh, telnet, popper, etc.)
- include enough backwards compatibility with Kerberos V4

Copyright (c) 1997 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Eric Young wrote libdes. Heimdal used to use libdes, without it kth-krb would never have existed. All functions in libdes have been re-implemented or used available public domain code.

The core AES function were written by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto.

The core DES SBOX transformation was written by Richard Outerbridge.

The University of California at Berkeley initially wrote telnet, and telnetd. The authentication and encryption code of telnet and telnetd was added by David Borman (then of Cray Research, Inc). The encryption code was removed when this was exported and then added back by Juha Eskelinen, esc@magic.fi.

The popper was also a Berkeley program initially.
Some of the functions in libroken also come from Berkeley by way of NetBSD/FreeBSD.

editline was written by Simmule Turner and Rich Salz. Heimdal contains a modified copy.

The getifaddrs implementation for Linux was written by Hideaki YOSHIFUJI for the Usagi project.

Bugfixes, documentation, encouragement, and code has been contributed by:

Derrick J Brashear shadow@dementia.org
Ken Hornstein kenh@cmf.nrl.navy.mil
Johan Ihrén johani@pdc.kth.se
Love Hörnquist Åstrand lha@kth.se
Magnus Ahltorp map@stacken.kth.se
Mark Eichin eichin@cygnus.com
Marc Horowitz marc@cygnus.com
Luke Howard lukeh@padl.com
Brandon S. Allbery KF8NH allbery@kf8nh.apk.net
Jun-ichiro itojun Hagino itojun@kame.net
Daniel Kouril kouril@informatics.muni.cz
Åke Sandgren ake@cs.umu.se
Michal Vocu michal@karlin.mff.cuni.cz
Miroslav Ruda ruda@ics.muni.cz
Brian A May bmay@snoopy.apana.org.au
Chaskiel M Grundman cg2v@andrew.cmu.edu
Richard Nyberg rnyberg@it.su.se
Frank van der Linden fvdl@netbsd.org
Cizzi Storm cizzi@it.su.se
Petr Holub Holub.Petr@atlas.cz
Mario Strasser mario.strasser@zhwin.ch
David Love fx@gnu.org

and we hope that those not mentioned here will forgive us.

All bugs were introduced by ourselves.
OpenSSL

Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-).

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
B Warranty Service

Hewlett-Packard Limited Warranty Statement

HP Product: HP Access Control Smartcard for U. S. Government
Duration of Limited Warranty: 1 Year

1. HP warrants to you, the original end-user customer, that HP hardware and accessories will be free from defects in materials and workmanship after the original date of purchase, for the period specified above. If HP receives notice of such defects during the warranty period, HP will, at its option, either repair or replace products that prove to be defective. Replacement products may be either new or equivalent in performance to new. If the original end-user customer transfers the HP hardware and accessories to another user, warranty service is available to that user only for the remainder of the original warranty period. This Limited Warranty applies only to authentic HP-branded hardware products sold by or leased from Hewlett-Packard Company, its worldwide subsidiaries, affiliates, authorized resellers, or authorized country/region distributors.

2. HP warrants to you that HP software will not fail to execute its programming instructions after the date of purchase, for a period specified above, due to defects in material and workmanship when properly installed and used. If HP receives notice of such defects during the warranty period, HP will replace software that does not execute its programming instructions due to such defects.

3. HP does not warrant that the operation of HP products will be uninterrupted or error free. If HP is unable, within a reasonable time, to repair or replace any product to a condition as warranted, you will be entitled to a refund of the purchase price upon prompt return of the product.

4. HP products may contain remanufactured parts equivalent to new in performance or may have been subject to incidental use.

5. Warranty does not apply to defects resulting from (a) improper or inadequate maintenance or calibration, (b) software, interfacing, parts or supplies not supplied by HP, (c) unauthorized modification or misuse, (d) operation outside of the published environmental specifications for the product, or (e) improper site preparation or maintenance.

6. TO THE EXTENT ALLOWED BY LOCAL LAW, THE ABOVE WARRANTIES ARE EXCLUSIVE AND NO OTHER WARRANTY OR CONDITION, WHETHER WRITTEN OR ORAL, IS EXPRESSED OR IMPLIED AND HP SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, AND FITNESS FOR A PARTICULAR PURPOSE. Some countries/regions, states or provinces do not allow limitations on the duration of an implied warranty, so the above limitation or exclusion might not apply to you. This warranty gives you specific legal rights and you might also have other rights that vary from country/region to country/region, state to state, or province to province.
7. HP's limited warranty is valid in any country/region or locality where HP has a support presence for this product and where HP has marketed this product. The level of warranty service you receive may vary according to local standards. HP will not alter form, fit or function of the product to make it operate in a country/region for which it was never intended to function for legal or regulatory reasons.

8. TO THE EXTENT ALLOWED BY LOCAL LAW, THE REMEDIES IN THIS WARRANTY STATEMENT ARE YOUR SOLE AND EXCLUSIVE REMEDIES. EXCEPT AS INDICATED ABOVE, IN NO EVENT WILL HP OR ITS SUPPLIERS BE LIABLE FOR LOSS OF DATA OR FOR DIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL (INCLUDING LOST PROFIT OR DATA), OR OTHER DAMAGE, WHETHER BASED IN CONTRACT, TORT, OR OTHERWISE. Some countries/regions, states or provinces do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.

THE WARRANTY TERMS CONTAINED IN THIS STATEMENT, EXCEPT TO THE EXTENT LAWFULLY PERMITTED, DO NOT EXCLUDE, RESTRICT OR MODIFY AND ARE IN ADDITION TO THE MANDATORY STATUTORY RIGHTS APPLICABLE TO THE SALE OF THIS PRODUCT TO YOU.

Customer self repair warranty service

HP products are designed with many Customer Self Repair (CSR) parts to minimize repair time and allow for greater flexibility in performing defective parts replacement. If during the diagnosis period, HP identifies that the repair can be accomplished by the use of a CSR part, HP will ship that part directly to you for replacement. There are two categories of CSR parts:

1) Parts for which customer self repair is mandatory. If you request HP to replace these parts, you will be charged for the travel and labor costs of this service.

2) Parts for which customer self repair is optional. These parts are also designed for Customer Self Repair. If, however, you require that HP replace them for you, this may be done at no additional charge under the type of warranty service designated for your product.

Based on availability and where geography permits, CSR parts will be shipped for next business day delivery. Same-day or four-hour delivery may be offered at an additional charge where geography permits. If assistance is required, you can call the HP Technical Support Center and a technician will help you over the phone. HP specifies in the materials shipped with a replacement CSR part whether a defective part must be returned to HP. In cases where it is required to return the defective part to HP, you must ship the defective part back to HP within a defined period of time, normally five (5) business days. The defective part must be returned with the associated documentation in the provided shipping material. Failure to return the defective part may result in HP billing you for the replacement. With a customer self repair, HP will pay all shipping and part return costs and determine the courier/carrier to be used.
2009 Hewlett-Packard Development Company, L.P. www.hp.com