Home » Lexmark Manuals » Multifunction Devices » Lexmark MX718 » Manual Viewer

Lexmark MX718 Embedded Web Server--Security: Administrator s Guide - Page 67

RAS and IAS Server, Request Certiﬁcate

Add to My Manuals
Save this manual to your list of manuals

Page 67 highlights

Appendix 67 For this application to function, the device must be joined to an Active Directory environment and a Certificate Enrollment Web Services (Server Role) application needs to be installed on the customer's network. Note: The example usage instructions given below assume the Certificate Enrollment Web Services is installed on a Windows 2008 R2 server. 1 Open a Web browser, and then type the IP address or host name of the printer in the address field. 2 From the Embedded Web Server, click Settings > Security > Certificate Management > Device Certificate Management. 3 Click Advanced Management to use the Automatic Certificate Enrollment application, and then click Request new Certificate. Note: The screen may refresh for 10 to 15 seconds. At this time, the device is contacting the Certificate Enrollment Web Service on the server and capturing the certificate templates that are available to the device. 4 From the "Device Certificate Management > Advanced > Templates" page, select any of the following displayed template options to use when requesting a certificate: • IPSec-If you want to install a device certificate that is used for IPSec negotiations. • Web Server-If you want to secure any SSL/TLS connections such as the EWS or LDAP over SSL. • RAS and IAS Server-If you want to install a device certificate that is used for 802.1X negotiations. 5 Click Request Certificate. From this screen, you will customize the certificate for this device. Note: If you want to view the template details first, then click View instead of Request Certificate. 6 Modify the settings from the Request Certificate Web page, but only when necessary. Notes: • The fields that are filled in with the data and the selected check boxes are the template defaults that were pulled from the CA. You can change them if you choose, but remember that the default templates are generally configured with the appropriate settings by the CA administrator and changing some settings may cause the request to be denied. • The "Collapse/Expand Subject Name" fields link is used to change any of the device information that is used to create or generate a certificate. This includes the same information as the Set Certificate Defaults link under Certificate Management. 7 Click Submit to send the Certificate Signing Request (CSR) to the CA. Note: The screen may refresh for 10 to 15 seconds. At this time, the device is contacting the Certificate Enrollment Web Service requesting the CA signed certificate be generated. 8 If successful, you will return to the "Device Certificate Management > Advanced" Web page and the new CA‑signed device certificate with the specified name will be included in the list of certificates. If not, an error message is displayed. Note: If a template is specified at the server to require CA administrator approval, then a separate table of pending certificates is displayed and a message indicating that a request is pending admin approval will be displayed on the Device Certificate Management screen where the certificate is listed. The certificate is not valid until approved. Once approval is granted, the message will disappear and the certificate(s) will be displayed in the installed certificates table. The link with the certificate name can be selected if you would like to see the information associated with the new certificate. The "Renew" link is used to renew the certificate when the current CA certificate is about to expire (default of 2 years).

Section	Page
Contents	2
Devices covered in this guide	4
Simple-security devices	4
Advanced-security devices	4
Managing authentication and authorization methods	5
Understanding the basics	5
Authentication and authorization	5
Groups	7
Access Controls	7
Security Templates	7
Accessing the Embedded Web Server	7
Simple-security device access controls	8
Creating a Web page password and applying access control restrictions	8
Creating a PIN and applying access control restrictions	9
Limiting access using Basic Security Setup	9
Advanced-security building blocks	10
Configuring advanced building blocks from the control panel	10
Creating a password building block for advanced security setup	10
Creating a PIN building block for advanced security setup	11
Setting up internal accounts	11
Connecting your printer to an Active Directory domain	13
Using LDAP	15
Using LDAP+GSSAPI	17
Configuring Kerberos 5 for use with LDAP+GSSAPI	19
Using a security template to control function access	20
Managing certificates and other settings	24
Installing a Certificate Authority certificate on the device	24
Configuring the device for certificate information	25
Sample certificate request data	25
Creating a new device certificate	26
Viewing, downloading, and deleting a certificate	26
Setting certificate defaults	27
Setting up a Certificate Authority certificate monitor	27
Downloading the Certificate Authority certificates	28
Managing devices remotely	29
Using HTTPS for device management	29
Setting a backup password	29
Setting up SNMP	30
Configuring security audit log settings	31
Updating firmware	33
Managing other access functions	34
Configuring confidential printing	34
Setting login restrictions	35
Enabling and disabling USB host ports	35
Enabling the security reset jumper	36
Enabling holding faxes	37
Enabling Operator Panel Lock	37
Securing network connections	39
Configuring 802.1X authentication	39
Configuring IP security settings	40
Connecting to a wireless network	41
Configuring the TCP/IP port access setting	42
Setting the restricted server list	42
Securing data	43
Physical lock	43
Disk encryption	44
Checking disk encryption status	45
Erasing settings (non-volatile memory)	45
Disk file wiping	48
Erasing temporary data files from the hard disk	48
Erasing hard disk data	49
Out-of-service wiping	50
Statement of volatility	51
Disposing of a hard disk	51
Erasing volatile memory	52
Erasing non-volatile memory	52
Security solutions	53
Print Release	53
Secure Held Print Jobs	53
Card Authentication	53
Smart Card authentication	54
Security scenarios	55
Scenario: Printer in a public place	55
Scenario: Standalone or small office	56
Scenario: Network running Active Directory	57
Scenario: More security-aware environment (802.1X) and SNMPv3	58
Scenario: Network-based usage restrictions using access card	58
Troubleshooting	60
Login troubleshooting	60
USB device is not supported	60
Make sure that a supported smart card reader is attached	60
Printer home screen fails to return to a locked state when not in use	60
Make sure that the authentication token is installed and running	60
Make sure that Smart Card Authentication is installed and running	60
Login screen does not appear when a smart card is inserted	60
Make sure that the smart card is recognized by the reader	60
KDC and MFP clocks are out of sync	61
Make sure that the date and time settings on the printer are correct	61
Kerberos configuration file is not uploaded	61
Make sure that the Kerberos file has been uploaded	61
Unable to authenticate users	61
Make sure that the Realm specified in the Kerberos settings is in uppercase	61
Domain controller certificate is not installed	61
Make sure that the correct certificate is installed on the printer	61
KDC did not respond within the required time	62
Make sure that the IP address or host name of the KDC is correct	62
Make sure that the KDC is available	62
Make sure that Port 88 is not blocked by a firewall	62
User realm not found in the Kerberos configuration file	62
Make sure that the Windows Domain is specified in the Kerberos settings	62
Cannot find realm on card in the Kerberos configuration file	62
Upload a Kerberos configuration file and make sure that the realm has been added to the file	62
Client is unknown	63
Make sure that the Domain Controller information is correct	63
Login does not respond at “Getting User Info”	63
User is logged out automatically	63
Increase the Panel Login Timeout interval	63
LDAP troubleshooting	63
LDAP lookups take a long time and then fail	63
Make sure that Port 389 (non-SSL) and Port 636 (SSL) are not blocked by a firewall	63
Make sure that the LDAP search base is not too broad in scope	63
LDAP lookups fail almost immediately	64
Make sure that the Address Book Setup contains the host name for the LDAP server	64
Make sure that the Address Book Setup settings are correct	64
Narrow the LDAP search base to the lowest possible scope that includes all necessary users	64
Make sure that the LDAP attributes for the user e-mail address and home directory are correct	64
Held Jobs / Print Release Lite troubleshooting	64
Cannot use the Held Jobs / Print Release feature	64
Add the user to the appropriate Active Directory group	64
Cannot determine Windows user ID	64
Make sure that Smart Card Authentication sets the user ID for the session	64
No jobs available for user	65
Make sure that the Smart Card Authentication sets the correct user ID	65
Make sure that the jobs were sent to the correct printer and were printed	65
Jobs are printing immediately	65
Make sure that Secure Held Print Jobs is installed and running	65
Make sure that all jobs are required to be held	65
Appendix	66
Appendix A: CA file creation	66
Appendix B: CA-Signed Device Certificate creation	66
Appendix C: Automatic Certificate Enrollment Application	66
Appendix D: Access controls	68
Appendix E: Common Criteria configuration	70
Overview	70
Supported printers	71
Before configuring the printer (required)	72
Checking physical interfaces and installed firmware	72
Attaching a lock	72
Encrypting the hard disk	73
Disabling the USB buffer	73
Installing the minimum Common Criteria configuration	74
Configuring disk wiping	74
Enabling the backup password (optional)	74
Creating user accounts	74
Creating security templates	75
Controlling access to device functions	75
Disabling home screen icons	77
Other settings required for Common Criteria configuration	78
Disabling the AppleTalk protocol	78
Shutting down port access	78
Network Time Protocol	79
Fax	79
Configuring and securing the application	80
Securing access to the home screen	81
Configuring user access for Common Criteria	81
Notices	84
Edition notice	84
Trademarks	84
GOVERNMENT END USERS	84
GifEncoder	85
ZXing 1.7	85
Apache License Version 2.0, January 2004	85
Glossary of Security Terms	89

Match case Limit results 1 per page

For this application to function, the device must be joined to an Active Directory environment and a Certiﬁcate

Enrollment Web Services (Server Role) application needs to be installed on the customer’s network.

Note:

The example usage instructions given below assume the Certiﬁcate Enrollment Web Services is

installed on a Windows 2008 R2 server.

Open a Web browser, and then type the IP address or host name of the printer in the address ﬁeld.

From the Embedded Web Server, click

Settings

Security

Certiﬁcate Management

Device Certiﬁcate

Management

Click

Advanced Management

to use the Automatic Certiﬁcate Enrollment application, and then click

Request new Certiﬁcate

Note:

The screen may refresh for 10 to 15 seconds. At this time, the device is contacting the Certiﬁcate

Enrollment Web Service on the server and capturing the certiﬁcate templates that are available to the

device.

From the “Device Certiﬁcate Management > Advanced > Templates” page, select any of the following

displayed template options to use when requesting a certiﬁcate:

•

IPSec

—If you want to install a device certiﬁcate that is used for IPSec negotiations.

•

Web Server

—If you want to secure any SSL/TLS connections such as the EWS or LDAP over SSL.

•

RAS and IAS Server

—If you want to install a device certiﬁcate that is used for 802.1X negotiations.

Click

Request Certiﬁcate

. From this screen, you will customize the certiﬁcate for this device.

Note:

If you want to view the template details ﬁrst, then click

View

instead of

Request Certiﬁcate

Modify the settings from the Request Certiﬁcate Web page, but only when necessary.

Notes:

•

The ﬁelds that are ﬁlled in with the data and the selected check boxes are the template defaults that

were pulled from the CA. You can change them if you choose, but remember that the default

templates are generally conﬁgured with the appropriate settings by the CA administrator and

changing some settings may cause the request to be denied.

•

The “Collapse/Expand Subject Name” ﬁelds link is used to change any of the device information that

is used to create or generate a certiﬁcate. This includes the same information as the Set Certiﬁcate

Defaults link under Certiﬁcate Management.

Click Submit to send the Certiﬁcate Signing Request (CSR) to the CA.

Note:

The screen may refresh for 10 to 15 seconds. At this time, the device is contacting the Certiﬁcate

Enrollment Web Service requesting the CA signed certiﬁcate be generated.

If successful, you will return to the “Device Certiﬁcate Management > Advanced” Web page and the new

‑

signed device certificate with the specified name will be included in the list of certificates. If not, an error

message is displayed.

Note:

If a template is speciﬁed at the server to require CA administrator approval, then a separate table

of pending certiﬁcates is displayed and a message indicating that a request is pending admin approval

will be displayed on the Device Certiﬁcate Management screen where the certiﬁcate is listed. The

certiﬁcate is not valid until approved. Once approval is granted, the message will disappear and the

certiﬁcate(s) will be displayed in the installed certiﬁcates table.

The link with the certiﬁcate name can be selected if you would like to see the information associated with the

new certificate. The “Renew” link is used to renew the certificate when the current CA certificate is about to

expire (default of 2 years).

Appendix