All About Credentials
● Credentials Store
● Credentials Delegation
● Credentials Needed
● What happened to the HP Jetdirect Device Password?
● Restricting Configuration by Device Group
ENWW Shared Configuration Options for all Views 47
HP Web Jetadmin can configure many devices simultaneously. This saves device administrators from having to contact every device separately to assign configuration items such as passwords and other credentials. Many environments have password policies that require the device administrator to reconfigure security credentials periodically, and the fleet-management capability of HP Web Jetadmin lends itself to reconfiguring many devices at once.
Credentials Store
The concept of a Credentials Store is not new to HP Web Jetadmin. Older versions of HP Web Jetadmin also stored credentials for devices as they were used and configured. This feature keeps HP Web Jetadmin users from having to provide a credential every time a device that requires one is configured.
The Credentials Store is a portion of the HP Web Jetadmin database that securely encrypts and stores device credentials whenever a correct credential value is authenticated at the device. These values are stored on a per-credential, per-device basis.
Here is a list of HP device credentials used by HP Web Jetadmin:
● EWS Password: Blocks unauthorized access to the device-embedded HTTP interface. It is also synchronized with the HP Jetdirect telnet password.
● File System Password: Protects the printer disk and other storage facilities from unauthorized access.
● SNMPv3 Credentials: Consist of a user name, passphrase1, and passphrase2, all of which are used when SNMPv3 is enabled. This version of SNMP secures and authenticates communication between management applications like HP Web Jetadmin and the device. This protocol is used when strong security is required.
● SNMP Set Community Name: A grouping mechanism for SNMPv1/v2 used as a security mechanism by many customers. Device configuration is not possible without knowledge of the Set name value. The Set name value traverses the network in clear text and can be “sniffed” by eavesdroppers.
● SNMP Get Community Name: Sometimes used to prevent device discovery from other HP Web Jetadmin installations. Devices only respond to Get packets that have the correct value. The Get name value traverses the network in clear text and can be “sniffed” by eavesdroppers.
Two actions cause the value of any credential to be stored:
● Configuration: The credential becomes stored once it has been configured onto the device.
● Use: The credential value, when used successfully, becomes stored.
HP Web Jetadmin reuses stored credentials any time it encounters the requirement for them. When configuring a device that has had a credential stored, you are not required to re-enter the credential into HP Web Jetadmin. The application uses the credential in the background. In fact, you are not even required to know the credential because HP Web Jetadmin is using stored values.
Credentials Delegation
With credentials stored in the Credentials Store, HP Web Jetadmin can apply them transparently any time the need arises. This is known as credentials delegation. While configuring devices, you do not have to remember or even know the credential to perform the configuration. You just need access to HP Web Jetadmin and device configuration features. Characteristics of credentials delegation are:
● Only one or a few device administrators know the device credentials.
● Some HP Web Jetadmin users are allowed configuration access to the devices via Roles and User Security.
● Users can be added or removed from this delegation through Roles and User Security (User Security on page 274).
48 Chapter 2 Introduction to HP Web Jetadmin ENWW
● Other HP Web Jetadmin users can be restricted from device configuration.
● Knowledge about device passwords is required before you can change any password value.
Credentials delegation allows configuration of devices without having to share the credential “secrets” across a large distribution. Staff can control and configure devices while administrators control and configure passwords. Any user with access to devices and configuration features has delegated access to the Credentials Store.
Credentials Needed
When HP Web Jetadmin, during an action such as device configuration, encounters a device that requires a credential such as an SNMP Set Community Name, it follows a specific sequence. Here is a simplified example showing how HP Web Jetadmin attempts to resolve a credential:
● HP Web Jetadmin checks the Credentials Store for a credential.
● If a credential exists, HP Web Jetadmin attempts the configuration using the stored credential value. If a credential does not exist, HP Web Jetadmin checks Global Credentials.
● If the configuration is successful, the credential check is resolved and complete. If it fails, HP Web Jetadmin checks Global Credentials.
During a user-attended configuration session, HP Web Jetadmin prompts for credentials. If the user does not supply the credential or the session is not live, the device is flagged as Credentials Required and listed in the Credentials Required column that can be enabled in any device list (Columns for Device Lists on page 97).
You can right-click the device and add the needed credential to the system in order to resolve this state.
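The resolution order described above, modelled as an added example (not HP Web Jetadmin code): a constructed in-memory device that accepts a Set only with its real Set Community Name, a resolver that tries the Credentials Store, then Global Credentials, then a prompt callback, and finally flags the device as Credentials Required. All names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    """Constructed test device: an SNMP Set succeeds only with the real Set name."""
    name: str
    set_community: str

    def configure(self, community: str) -> bool:
        # Real hardware silently drops a packet with the wrong name; we return False.
        return community == self.set_community


@dataclass
class Resolver:
    store: dict = field(default_factory=dict)         # (device, kind) -> value
    global_creds: dict = field(default_factory=dict)  # kind -> values to try in order
    credentials_required: set = field(default_factory=set)

    def _try(self, device: Device, kind: str, value: str) -> bool:
        if device.configure(value):
            self.store[(device.name, kind)] = value   # "Use" stores the credential
            self.credentials_required.discard(device.name)
            return True
        return False

    def configure(self, device: Device, kind: str = "snmp_set", prompt=None) -> str:
        """Return which source resolved the credential, or 'credentials_required'."""
        # 1. Credentials Store first; a stale value (rotated password) falls through.
        stored = self.store.get((device.name, kind))
        if stored is not None and self._try(device, kind, stored):
            return "stored"
        # 2. Global Credentials, tried in the configured order.
        for value in self.global_creds.get(kind, []):
            if self._try(device, kind, value):
                return "global"
        # 3. Attended session: ask the user; unattended: no prompt is possible.
        if prompt is not None:
            answer = prompt(device.name, kind)
            if answer is not None and self._try(device, kind, answer):
                return "prompted"
        # 4. Nothing worked: flag the device for the Credentials Required column.
        self.credentials_required.add(device.name)
        return "credentials_required"
```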
What happened to the HP Jetdirect Device Password?
HP Web Jetadmin enables device security by providing management over appropriate, device-based security settings. The HP Jetdirect password that was used by HP Web Jetadmin in the past is a software security solution and not a device-based security solution. That is, the password itself had to be recognized and authenticated by earlier revisions of HP Web Jetadmin software. Other applications did not recognize this password and did not force users to prove knowledge of the password.
As security features have become more sophisticated and device-based security has improved, HP Web Jetadmin developers have opted out of using the HP Jetdirect device password as a protective mechanism for device authentication. Instead, HP recommends that you choose one of the following two mechanisms for providing device security:
● SNMP Set Community Name: Devices will not allow an SNMP Set from any application unless the Set Community Name is correctly embedded in the SNMP packet. If the Set name in the packet is “public” and the Set name on the device is “George”, the device will not accept or acknowledge the packet. Set Community Names traverse the network in clear text and, therefore, can be “sniffed” or viewed by eavesdroppers. In most environments, the security provided by a Set Community Name may be adequate.
● SNMPv3: Devices configured via SNMPv3 offer significant security benefits. First, SNMPv3 configures a user account and two pass-phrases onto the device that the user (or application) must authenticate. This blocks unauthorized management of devices, and the account/pass-phrase details do not traverse the network in clear text, which makes it difficult for eavesdroppers to learn the “secrets”. Second, the communication between the management application and the device is encrypted using the SNMP credentials, so information about the device is protected. SNMPv3 is recommended in security-sensitive environments.
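To make the clear-text point concrete, here is an added example (not from the HP guide) that decodes the outer BER layer of an SNMP message: a v1/v2c message carries the community name as a plain OCTET STRING right after the version, while a v3 message carries msgGlobalData and no community field. The packets are constructed here with a tiny encoder, and the detection helper flags default community names a monitoring tool would want to report.

```python
def _tlv(data: bytes, pos: int = 0):
    """Decode one BER TLV (definite length) -> (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _enc(tag: int, value: bytes) -> bytes:
    """Encode a short-form BER TLV (values here are all shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value


def snmp_community(packet: bytes):
    """Return (version_name, community); community is None for SNMPv3."""
    tag, body, _ = _tlv(packet)
    assert tag == 0x30, "SNMP message must be a SEQUENCE"
    _, ver, pos = _tlv(body)                # first element: INTEGER version
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":
        return version, None                # msgGlobalData follows, no community
    _, community, _ = _tlv(body, pos)       # v1/v2c: OCTET STRING community in the clear
    return version, community.decode("latin-1")


def make_v1_set(community: str) -> bytes:
    """Constructed SNMPv1 SetRequest (PDU tag 0xA3) with an empty varbind list."""
    pdu = (_enc(0x02, b"\x01") + _enc(0x02, b"\x00")   # request-id, error-status
           + _enc(0x02, b"\x00") + _enc(0x30, b""))    # error-index, varbinds
    return _enc(0x30, _enc(0x02, b"\x00") + _enc(0x04, community.encode()) + _enc(0xA3, pdu))


# Constructed SNMPv3 message: INTEGER 3, then msgGlobalData
# (msgID, msgMaxSize, msgFlags, msgSecurityModel); no community string anywhere.
V3_MSG = _enc(0x30, _enc(0x02, b"\x03")
              + _enc(0x30, _enc(0x02, b"\x01") + _enc(0x02, b"\x7f")
                           + _enc(0x04, b"\x07") + _enc(0x02, b"\x03")))


def flag_default_communities(packets, defaults=("public", "private")):
    """Detection helper: (version, community) for each v1/v2c message using a default name."""
    hits = []
    for p in packets:
        version, community = snmp_community(p)
        if community is not None and community in defaults:
            hits.append((version, community))
    return hits
```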
Restricting Configuration by Device Group
Within the model of device credential delegation, restriction to specific device configuration can be further defined in User Security using the Restriction type Groups (Restrict Roles to Device Groups on page 277).
Consider the following layers of security:
● Access to device credential values: Credential Store/selected device administrators (Credentials Store on page 48).
● Access to HP Web Jetadmin: Users and Roles (User Security on page 274).
● Access to device credentials store: Roles/Feature Permissions (Roles on page 276).
● Access to specific devices: Roles/Device Group Membership/Device Feature Permissions (Roles on page 276).
Each layer uses HP Web Jetadmin security to protect against unauthorized access:
1. First, device passwords are protected by one administrator or a few select administrators.
2. Second, Users and Roles allow only authorized users to log onto HP Web Jetadmin.
3. Third, Roles and Feature Permissions allow only authorized users configuration access to all devices.
4. Finally, Roles, Device Group Membership, and Device Feature Permissions allow authorized users access to specific devices based on device group membership and specified device configuration features.
All devices and configuration options outside of the Group Restriction Type are secured from unauthorized access.