Konica Minolta bizhub 950i bizhub 950i/850i Security Operations User Guide - Page 40

bizhub 950i/850i/AccurioPrint 950i/850i

2-17

2.4

Setting IPsec

2

The administrator should regularly check the certificate for devices in communication with the machine by

using the digital signature certificate. When finding that the certificate is invalid (expired), the administrator

must immediately cease the communication with the relevant device. To resume the communication with the

device, confirm that a new certificate has been issued. For details on the procedure for changing the IPsec

communication settings, refer to the HTML User's Guide.

Use [Enable IPsec] in the settings below.

-

In the case of IPsec policy settings, to set multiple policies for the same destination, a priority will be

given to the action setting in the order of "Protected", "Deny", "Allow".

-

If the rules are applied to the IPsec policy in the processing of inbound/outbound packet, the actions

are as follows.

-

[Protected]: The packet will be encrypted.

-

[Allow]: The packet will not be encrypted.

-

[Deny]: The packet will be dropped.

NOTICE

Do not use an device certificate that is electronically signed by MD5 or SHA-1, as an increased risk results of

data to be protected being tampered with or leaked.

With FIPS enabled, only SHA-256 can be used for the digital signature certificate.

Turning off the

main power switch

results in discarding IKE SA (shared secret key for IKE) that is stored in

the memory managed by this machine, IPsec SA (shared secret key for IPsec) as well as the shared key man-

aged by each SA (key generated by converting the pre-shared key used for IPsec).

To eliminate the risk of the data to be protected being tampered with or leaked, refer to the recommended

ciphers list disclosed by, for example, NIST and CRYPTREC and use the appropriate cryptographic tech-

nique. If you turn off IPsec Setting by mistake, turn it on again according to this procedure. Also, if you set

inappropriate encryption technology to the IPsec communication parameters by mistake, turn off IPsec Set-

ting, modify the communication parameters, and then turn IPsec Setting on again.

If the communication is disconnected unintentionally, check the network setting again, and reboot the ma-

chine, connected server, computer or other devices constructing a network communication. Besides, check

the audit log because where the cause of an communication error may be recorded in.

Use the following browsers to ensure safety. Use of any of the following browsers achieves communication

that ensures confidentiality of the image data transmitted and received.

Google Chrome

-

Latest edition

Mozilla Firefox

-

Latest edition

Google Chrome is used for the ISO15408 evaluation for this machine.

0

The control panel and the

Web Connection

can be used for this setting.

0

For the procedure to access the administrator mode, see page 2-2.

0

Do not leave the machine with the setting screen of administrator mode left shown on the display. If it

is absolutely necessary to leave the machine, be sure first to log off from the administrator mode.

1

Call the administrator mode.

2

Tap [Network] - [TCP/IP Setting] - [IPsec].

Setting item

Setting value

[IPsec]

[ON]

[Default action]

[Deny]

[Certificate Verification Level Settings]

•

Expiration Date: ON (default)

•

Key Usage: OFF (default)

•

Chain: ON

•

Expiration Date Confirmation: OFF (default)

IPsec Policy

[action]: Any of [Protected], [Allow], and [Deny]

Section	Page
Contents	2
1 Security	6
1.1 Introduction	6
1.1.1 Persons using the machine	6
1.1.2 Relation between user and job deletion	7
1.2 Compliance with the ISO15408 Standard	8
1.2.1 Hardware and software	8
1.2.2 Operating precautions	8
1.3 Installation procedure	10
1.3.1 Setting of password rules	11
1.3.2 Setting of IP address and DNS host	11
1.3.3 Setting of administrator password	11
1.3.4 Setting of user authentication	12
1.3.5 Setting of accurate date and time	12
1.3.6 Setting of job log obtaining method	12
1.3.7 Setting of operation of ID & Print function	12
1.3.8 Setting of Memory RX	12
1.3.9 Setting of FW Update (USB) Password	13
1.3.10 Setting of FIPS mode	13
1.3.11 Setting of function pattern customization	13
1.3.12 Setting of Enhanced Security Mode	13
1.3.13 Setting of IPsec communication certificate	14
1.3.14 Setting of network	14
1.3.15 Check of IPsec setting for communication with each server	14
1.3.16 Check of settings banned for operation	14
1.3.17 Check of device information	14
1.4 Enhanced security mode	15
1.4.1 Major security functions in operation under ISO15408 certification	15
1.5 Precautions for operation control	16
1.5.1 Roles of the owner of the machine	16
1.5.2 Maintenance of the security environment	16
1.5.3 Roles of the administrator	17
1.5.4 Password usage requirements	17
1.5.5 External authentication server control requirements	17
1.5.6 Security function operation setting operating requirements	18
1.5.7 Operation and control of the machine	18
1.5.8 Machine maintenance control	20
1.5.9 Precautions for using the printer driver	20
1.6 Miscellaneous	21
1.6.1 Password rules	21
1.6.2 Precautions for use of various types of applications	21
1.6.3 Encrypting communications	22
1.6.4 Print functions	22
IPP printing	22
1.6.5 FAX functions	22
1.6.6 USB keyboard	22
1.6.7 Different types of boxes	22
1.6.8 Terminating a session and logging out	23
1.6.9 Occurrence of authentication error during external server authentication	23
1.6.10 Finding the version information	23
2 Administrator Operations	25
2.1 Accessing the administrator mode	25
2.1.1 Accessing the administrator mode	25
2.1.2 Accessing the user mode	30
2.1.3 Checking the number of wrong entries in authentication	32
Conditions to clear the number of times of check	32
2.2 Enhancing the security function	33
2.2.1 Items cleared by format	36
2.2.2 Setting the Enhanced Security Mode	37
2.3 Setting the password rules	38
2.3.1 Setting the password rules	38
2.4 Setting IPsec	39
2.4.1 IPsec setting	39
2.4.2 Introducing the device certificate for IPsec communication	41
2.4.3 Deleting the IPsec communication device certificate	42
2.4.4 Introducing the CA (certification authority) certificate for IPsec communication	42
2.5 Firmware verification function at the time of starting the machine	43
2.5.1 Setting the firmware verification function	43
2.5.2 Self-test function	43
2.6 Preventing unauthorized access	44
2.6.1 Setting Prohibited Functions	44
2.7 Canceling the operation prohibited state	46
2.7.1 Performing release setting	46
2.8 Setting the authentication method	47
2.8.1 Setting the authentication method	47
2.8.2 Setting the external server	48
2.9 ID & Print setting function	49
2.9.1 Setting ID & Print	49
2.10 System auto reset function	50
2.10.1 Setting the system auto reset function	50
2.11 User setting function	51
2.11.1 Making user setting	51
2.12 User box function	53
2.12.1 Setting user box usage restriction	53
2.12.2 Setting the user box	54
2.12.3 Changing the user attributes and box password	55
2.12.4 Setting Memory RX	56
2.12.5 Batch deleting the documents in the Memory RX User Box	56
2.13 Changing the administrator password	57
2.13.1 Changing the administrator password	57
2.14 Obtaining job log	58
2.14.1 Obtaining and deleting a job log	58
2.14.2 Job log data	60
2.15 Setting time/date in machine	89
2.15.1 Setting time/date	89
2.15.2 Setting daylight saving time	89
2.16 TCP/IP setting function	90
2.16.1 Setting the IP Address	90
2.16.2 Registering the DNS server	90
2.17 E-mail setting function	91
2.17.1 Setting the SMTP server (E-mail server)	91
2.18 SMB setting function	92
2.18.1 Setting a client	92
2.19 WebDAV setting function	93
2.19.1 Setting a client	93
2.20 Automatic logoff setting function	94
2.20.1 Setting automatic logoff	94
2.21 FIPS mode setting function	95
2.21.1 Setting the FIPS mode	95
2.22 Firmware update function	96
2.22.1 Updating the firmware	96
2.23 Job deletion setting function	97
2.23.1 Setting the job deletion	97
3 User Operations	99
3.1 User authentication function	99
3.1.1 Performing user authentication	99
3.1.2 Accessing the ID & Print document	102
3.1.3 Number of wrong entries in authentication	102
Conditions to clear the number of times of check	102
3.2 Change password function	103
3.2.1 Performing change password	103
3.3 User box function	104
3.3.1 Setting the user box	104
3.3.2 Changing the user attributes and box password	105
3.3.3 Accessing the user box and user box file	106
3.3.4 Number of wrong entries in entering the box password	107

Konica Minolta bizhub 950i bizhub 950i/850i Security Operations User Guide - Page 40

Tap [Network] - [TCP/IP Setting] - [IPsec].

Page 40 highlights