Konica Minolta bizhub 950i bizhub 950i/850i Security Operations User Guide - Page 39

bizhub 950i/850i/AccurioPrint 950i/850i

2-16

2.4

Setting IPsec

2

2.4

Setting IPsec

The following are the authentication algorithms for the IPsec communication.

*

The ESP authentication algorithm means HMAC-SHA. The same applies below.

2.4.1

IPsec setting

The

Web connection

needs to be used to set the device certificate and an external certificate used in the

IPsec network setting. Refer to "Home > Web Management Tool > Reinforcing Security > Encrypting Com-

munications > Using IPsec communication" in the HTML manual for registration before setting [Enhanced Se-

curity Mode] to [ON].

Any certificate other than the IPsec certificate cannot be registered.

Use [IPsec Setting] in the settings below.

When using [Pre-Shared Key] in the machine for the authentication method of the communication counter-

part, set a hard-to-guess value to [Pre-Shared Key Text] to prevent the value from leaking to nobody but the

counterpart, in an appropriate manner.

Do not set a value that can be easily guessed such as a birthday and an employee identification number. It

is recommended, from the viewpoint of security, to set a large-size key of 128 characters or less.

Leakage of the Pre-Shared Key strings of IPsec that have been set to the MFP results in an increased risk of

spoofing of the MFP. Set different Pre-Shared Key strings for each device and safely keep them. Set and use

strings that cannot be deciphered by dictionary attack and brute force attack, without using words in a dic-

tionary and/or easily guessable strings. This machine gains ISO/IEC15408 certification with a Pre-Shared Key

of 22 characters for ASCII input or 44 characters for HEX input.

[SHA-1] of [IPsec Setting] - [IKEv-1] - [Authentication Algorithm] and [Digital Signature] of [IPsec Setting] -

[SA] - [IKE Setting] - [Authentication Method] cannot be set simultaneously. The setting set earlier is given

priority.

A certificate for the machine that has been issued by the reliable CA (certification authority) is required to

adopt [Digital Signature] for the authentication method. To verify the chain of a presented certificate, the cer-

tificate for the CA issuing the presented certificate needs to be imported. For details of the procedure, see

page 2-19.

IPsec IKE authentication algorithm

•

SHA-1

•

SHA-2 (256bit/384bit/512bit)

IPsec ESP authentication algorithm

Setting item

Setting value

IKEv1

[Encryption Algorithm]

AES-CBC (128bit/256bit)

[Authentication Algorithm]

SHA-1 or SHA-2 (256bit/384bit/512bit)

[Encryption Key Validity Period]

600 to 86,400 sec. (set within 24 hours)

[Diffie-Hellman Group]

Group 14

[Negotiation Mode]

Main Mode (default)

SA

[Encapsulation Mode]

Transport (default)

[Security Protocol]

ESP

[Key Exchange Method]

IKEv1 (default)

[Lifetime After Establishing SA]

600 to 28,800 sec. (set within 8 hours)

[Authentication Method]

Pre-Shared Key or Digital Signature

[ESP Encryption Algorithm]

AES-CBC (128bit/256bit)

[ESP Authentication Algorithm]

SHA-1 or SHA-2 (256bit/384bit/512bit)

Peer

[Pre-Shared Key Text]

ASCII code (22 characters) or HEX code (44 char-

acters)

Protocol

Setting

[Protocol Setting]

ON

[Protocol Identification Setting]

No Selection (Any)

Section	Page
Contents	2
1 Security	6
1.1 Introduction	6
1.1.1 Persons using the machine	6
1.1.2 Relation between user and job deletion	7
1.2 Compliance with the ISO15408 Standard	8
1.2.1 Hardware and software	8
1.2.2 Operating precautions	8
1.3 Installation procedure	10
1.3.1 Setting of password rules	11
1.3.2 Setting of IP address and DNS host	11
1.3.3 Setting of administrator password	11
1.3.4 Setting of user authentication	12
1.3.5 Setting of accurate date and time	12
1.3.6 Setting of job log obtaining method	12
1.3.7 Setting of operation of ID & Print function	12
1.3.8 Setting of Memory RX	12
1.3.9 Setting of FW Update (USB) Password	13
1.3.10 Setting of FIPS mode	13
1.3.11 Setting of function pattern customization	13
1.3.12 Setting of Enhanced Security Mode	13
1.3.13 Setting of IPsec communication certificate	14
1.3.14 Setting of network	14
1.3.15 Check of IPsec setting for communication with each server	14
1.3.16 Check of settings banned for operation	14
1.3.17 Check of device information	14
1.4 Enhanced security mode	15
1.4.1 Major security functions in operation under ISO15408 certification	15
1.5 Precautions for operation control	16
1.5.1 Roles of the owner of the machine	16
1.5.2 Maintenance of the security environment	16
1.5.3 Roles of the administrator	17
1.5.4 Password usage requirements	17
1.5.5 External authentication server control requirements	17
1.5.6 Security function operation setting operating requirements	18
1.5.7 Operation and control of the machine	18
1.5.8 Machine maintenance control	20
1.5.9 Precautions for using the printer driver	20
1.6 Miscellaneous	21
1.6.1 Password rules	21
1.6.2 Precautions for use of various types of applications	21
1.6.3 Encrypting communications	22
1.6.4 Print functions	22
IPP printing	22
1.6.5 FAX functions	22
1.6.6 USB keyboard	22
1.6.7 Different types of boxes	22
1.6.8 Terminating a session and logging out	23
1.6.9 Occurrence of authentication error during external server authentication	23
1.6.10 Finding the version information	23
2 Administrator Operations	25
2.1 Accessing the administrator mode	25
2.1.1 Accessing the administrator mode	25
2.1.2 Accessing the user mode	30
2.1.3 Checking the number of wrong entries in authentication	32
Conditions to clear the number of times of check	32
2.2 Enhancing the security function	33
2.2.1 Items cleared by format	36
2.2.2 Setting the Enhanced Security Mode	37
2.3 Setting the password rules	38
2.3.1 Setting the password rules	38
2.4 Setting IPsec	39
2.4.1 IPsec setting	39
2.4.2 Introducing the device certificate for IPsec communication	41
2.4.3 Deleting the IPsec communication device certificate	42
2.4.4 Introducing the CA (certification authority) certificate for IPsec communication	42
2.5 Firmware verification function at the time of starting the machine	43
2.5.1 Setting the firmware verification function	43
2.5.2 Self-test function	43
2.6 Preventing unauthorized access	44
2.6.1 Setting Prohibited Functions	44
2.7 Canceling the operation prohibited state	46
2.7.1 Performing release setting	46
2.8 Setting the authentication method	47
2.8.1 Setting the authentication method	47
2.8.2 Setting the external server	48
2.9 ID & Print setting function	49
2.9.1 Setting ID & Print	49
2.10 System auto reset function	50
2.10.1 Setting the system auto reset function	50
2.11 User setting function	51
2.11.1 Making user setting	51
2.12 User box function	53
2.12.1 Setting user box usage restriction	53
2.12.2 Setting the user box	54
2.12.3 Changing the user attributes and box password	55
2.12.4 Setting Memory RX	56
2.12.5 Batch deleting the documents in the Memory RX User Box	56
2.13 Changing the administrator password	57
2.13.1 Changing the administrator password	57
2.14 Obtaining job log	58
2.14.1 Obtaining and deleting a job log	58
2.14.2 Job log data	60
2.15 Setting time/date in machine	89
2.15.1 Setting time/date	89
2.15.2 Setting daylight saving time	89
2.16 TCP/IP setting function	90
2.16.1 Setting the IP Address	90
2.16.2 Registering the DNS server	90
2.17 E-mail setting function	91
2.17.1 Setting the SMTP server (E-mail server)	91
2.18 SMB setting function	92
2.18.1 Setting a client	92
2.19 WebDAV setting function	93
2.19.1 Setting a client	93
2.20 Automatic logoff setting function	94
2.20.1 Setting automatic logoff	94
2.21 FIPS mode setting function	95
2.21.1 Setting the FIPS mode	95
2.22 Firmware update function	96
2.22.1 Updating the firmware	96
2.23 Job deletion setting function	97
2.23.1 Setting the job deletion	97
3 User Operations	99
3.1 User authentication function	99
3.1.1 Performing user authentication	99
3.1.2 Accessing the ID & Print document	102
3.1.3 Number of wrong entries in authentication	102
Conditions to clear the number of times of check	102
3.2 Change password function	103
3.2.1 Performing change password	103
3.3 User box function	104
3.3.1 Setting the user box	104
3.3.2 Changing the user attributes and box password	105
3.3.3 Accessing the user box and user box file	106
3.3.4 Number of wrong entries in entering the box password	107

Konica Minolta bizhub 950i bizhub 950i/850i Security Operations User Guide - Page 39

Setting IPsec

Page 39 highlights