Configuring the MFP/digital sender

After the HP Access Control Smartcard Solution firmware and hardware are installed, the MFP/digital sender is ready to configure. This chapter provides information about the following topics:

● Configure the IPv4 settings

● Configure the MFP/digital sender for Kerberos authentication

● Configure authentication using the Smartcard accessory

● Configure access to the network destination folders

● Configure LDAP access for address books

● Configure Send to E-mail

ENWW 7

Configure the IPv4 settings

1. Open a supported Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Settings tab.

3. On the left menu bar, click Configure Device. The Configure Device page is displayed.

Figure 2-1 Configure Device Page

4. From the menu on the main page, navigate to the IPV4 settings. Click Initial Setup, click Networking and I/O, click Embedded Jetdirect, click TCP/IP, and then click IPV4 Settings.

Figure 2-2 Access the IPV4 settings

5. Scroll down to the IPV4 SETTINGS section.

Figure 2-3 IPV4 options

6. Type the IP address of the Kerberos server in the Primary DNS text box.

7. Click Apply.

Configure the MFP/digital sender for Kerberos authentication

For additional information on configuring Kerberos authentication, refer to the Configuring Embedded Kerberos Authentication guide. It comes bundled on the product CD and is also available for download from HP at: h20000.www2.hp.com/bc/docs/support/SupportManual/c00646187/c00646187.pdf

TIP: When installing this solution for the first time in a new environment, it is recommended that you configure and test the Kerberos settings first. Once Kerberos is working correctly, configure the LDAP settings. Once LDAP is working correctly, configure the PKINIT settings.

Accessing the Kerberos Authentication page

Many of the steps required to configure the MFP/digital sender for Kerberos authentication are completed on the Kerberos Authentication page. Follow the steps below to access the page.

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Settings tab.

3. On the left menu bar, click Kerberos Authentication. The following panel is displayed:

Figure 2-4 Kerberos Authentication page (part 1)

4. Select the domain name and click Edit, or click Add to enter a new domain name. The Kerberos Authentication detail panel is displayed.

Figure 2-5 Kerberos Authentication page (part 2)

Enter the Kerberos authentication information

On the Kerberos Authentication detail page, complete the Accessing the Kerberos Authentication Server section using the following steps:

1. Enter the Kerberos Realm (Domain).

NOTE: You must enter the Kerberos Realm using all uppercase letters.

2. Enter the Kerberos Server Hostname.

3. Enter the Kerberos Server Port if required.

4. Click Apply to save the settings.

Kerberos settings test

If the settings for the Kerberos Realm (Domain) and Kerberos Server Hostname are correct, you can partially authenticate on the MFP/digital sender. To see if you have configured your Kerberos settings correctly, use the following steps:

1. Using the HP Embedded Web Server, click the Settings tab and then select Authentication Manager from the left menu bar.

2. Select Kerberos from the Sign In At Walk Up drop-down list and click Apply. The MFP/digital sender control panel should display a Sign In > Windows prompt.

3. At the MFP/digital sender control panel, attempt to log in using a valid username and password for your domain.

● If the following error message is displayed: "Authentication Failed: Kerberos LDAP server not configured. Please contact the administrator.", the Kerberos Authentication settings were successfully configured.

● If a different error message is displayed, see Kerberos troubleshooting on page 34.

Accessing the LDAP server

Using the Kerberos Authentication page, complete the Accessing the LDAP server section using the following steps:

1. Select the LDAP Server Bind Method (Kerberos or Kerberos Over SSL).

2. Click the Use Device User's Credentials check box.

3. Enter the LDAP Server name. (You can use the same name as used for the Kerberos Server Hostname.)

4. Enter the LDAP server Port number.

5. Click Apply to save the settings.

LDAP settings test

On HP MFPs and digital senders with embedded Kerberos authentication capability, Kerberos authentication is a two-step process. The first step obtains a Kerberos TGT (ticket granting ticket). The Kerberos settings test (see Kerberos settings test on page 12) will indicate if this is successful. The second step looks up the authenticated user's E-mail address from an LDAP directory. To test your LDAP server access, use the following steps:

1. Using the HP Embedded Web Server, go to the Authentication Manager page by clicking on the Settings tab and then select Authentication Manager from the left menu bar.

2. Select Kerberos from the Send to email drop-down list and click Apply.

3. Verify that a valid SMTP gateway is specified on the E-mail Settings page by selecting the Digital Sending tab and clicking E-mail Settings from the left menu bar.

Figure 2-6 E-mail Settings

4. Access the menu on the MFP/digital sender control panel and touch E-mail.

● If you authenticate with no error message and the correct name displays in the From field on the E-mail Settings screen, then the LDAP settings are configured correctly.

● If you receive an error message or do not see the correct display name, see LDAP server troubleshooting on page 37.

Install the Kerberos Server Root Certificate Authority Certificate

The issuer’s certificate for your KDC certificate must be installed on the MFP/digital sender in order to perform PKINIT authentication. To install this certificate:

1. Using the HP Embedded Web Server, select the Settings tab.

2. On the left menu bar, click Kerberos Authentication.

3. Select the domain name and click Edit, or enter a new domain name by clicking Add. The Kerberos Authentication page is displayed.

4. Scroll down to the Using PKINIT Authentication (Smart Card Authentication Only) section and click PKINIT Settings.

The following screen is displayed:

Figure 2-7 Kerberos Authentication page (PKINIT Settings)

5. From the Kerberos Server Root Certificate Authority (CA) Certificate section, click Edit.

6. On the Certificates page, click Browse and locate the certificate file.

7. Once the file is located, click Import.

If you can use Smartcard to log on to a PC, you may be able to find the certificates that must be installed on the MFP/digital sender on that PC. To find certificates installed on a PC:

1. Log on to a PC using a Smartcard.

2. Open Internet Explorer.

3. On the Tools menu, select Internet Options.

4. Select the Content tab and click Certificates.

5. On the Intermediate Certification Authorities and Trusted Root Certification Authorities tabs you may find certificates that allow the MFP/digital sender to authenticate successfully.

If there is a certificate problem, the error message on the MFP/digital sender often contains the subject of the required certificate. The subject normally has a CN=<some name> value in it. The <some name> portion is the value that Internet Explorer shows in the Issued To column of the Certificates dialog box.

Once the preceding steps are completed, you are ready to test PKINIT Smartcard authentication. Verify the following before you begin:

● The HP Smartcard reader is attached to the MFP/digital sender.

● The Kerberos settings are configured and working correctly.

● The LDAP settings are configured and working correctly.

● The KDC issuer certificate is loaded.

PKINIT Smartcard authentication test

To test PKINIT Smartcard authentication:

1. Using the HP Embedded Web Server, click on the Settings tab and then select Authentication Manager from the left menu bar.

2. Select U.S. Gov't Smartcard v2.xx from the Sign In At Walk Up drop-down list.

3. Select U.S. Gov't Smartcard v2.xx from the Send to E-mail drop-down list.

NOTE: If U.S. Gov't Smartcard v2.xx is not listed on any of the drop-down lists on the Authentication Manager page, the HP Access Control Smartcard Solution authentication upgrade is not installed. (See Upgrade the Smartcard and MFP/digital sender firmware on page 3 for more information.)

4. Click Apply.

5. The MFP/digital sender should now have the following prompt: “Please insert your Smartcard, then press OK”.

6. Insert your Smartcard into the reader, enter the appropriate PIN on the control panel, and touch OK.

● If you authenticate successfully, then the correct certificate is properly installed.

● If you cannot authenticate, see PKINIT troubleshooting on page 39.

Configure validation of the KDC certificate

KDCs validate that the client requesting authentication has possession of a valid digital certificate (not expired or revoked). However, to verify that the KDC’s certificate is not revoked, and to ensure that the MFP/digital sender does not use an insecure Kerberos server for authentication, the remaining items listed in the Using PKINIT Authentication (Smart Card Authentication Only) section of the Kerberos Authentication page should be configured.

The KDC certificate is received by the MFP/digital sender during the PKINIT handshake. It does not need to be stored on the MFP/digital sender.

NOTE: The MFP/digital sender performs certificate revocation list (CRL) checking on the KDC's certificate only. Therefore, it is not necessary to install user CRLs during the configuration process.

The MFP/digital sender supports two methods for validating the KDC’s certificate:

OCSP (Online Certificate Status Protocol): One or more OCSP responders can be used for validation. OCSP responders are contacted in the order entered. As soon as a good or bad response is received from a responder, no more responders are contacted. If all known OCSP servers are exhausted and no response is received, CRL checking commences if the check box for Perform CRL checking on the Kerberos Server certificate chain is selected. OCSP validation is the preferred method for validating the server's certificate.

CRL (Certificate Revocation List) checking: HP MFPs and digital senders support two different, mutually exclusive modes for CRL checking.

CRL distribution point (CDP): The CDP method assumes that the CRL is installed off the MFP/digital sender. In this case, the CDP referencing the CRL location must exist in the server's certificate, or the administrator must configure the MFP/digital sender with the location of the CRL. Only full CRLs (also known as base CRLs) are currently supported. Partitioned CRLs (also known as distributed or delta CRLs) are not supported.

Local device CRL: A full CRL is loaded onto the MFP/digital sender hard drive.

NOTE: Because CRLs change often (sometimes daily), the local device CRL method requires a process to copy the updated CRL to the MFP/digital sender at regular intervals.

For this reason, local MFP/digital sender CRLs are not recommended.
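The order of operations described above (responders tried in the order entered, the first good or revoked answer ending the search, CRL checking only as a fallback when the check box is selected) modelled as an added example; this is not HP code, and the responders and CRL lookup are constructed stand-ins. The page does not say what happens when no source gives a definitive answer; the example assumes that case is reported as "unknown".

```python
from typing import Callable, List, Optional, Tuple

# Each check takes the KDC certificate's subject and answers "good", "revoked",
# or None when no usable response came back (timeout, unreachable, unknown).
StatusCheck = Callable[[str], Optional[str]]


def validate_kdc_certificate(kdc_subject: str,
                             ocsp_responders: List[Tuple[str, StatusCheck]],
                             crl_check: Optional[StatusCheck],
                             crl_checking_enabled: bool) -> Tuple[str, List[str]]:
    """Return (decision, trace) following the page's order of operations:
    responders are tried in the order entered, the first definitive good or
    revoked answer ends the search, and CRL checking runs only when every
    responder gave no response and the CRL check box is selected.
    Assumption (not stated on the page): no definitive answer from any source
    yields "unknown", which a defender should treat as a failed validation."""
    trace: List[str] = []
    for name, check in ocsp_responders:
        status = check(kdc_subject)
        trace.append(f"ocsp:{name}:{status or 'no-response'}")
        if status in ("good", "revoked"):
            return status, trace          # no further responders contacted
    if crl_checking_enabled and crl_check is not None:
        status = crl_check(kdc_subject)
        trace.append(f"crl:{status or 'no-response'}")
        if status in ("good", "revoked"):
            return status, trace
    return "unknown", trace


# Constructed stand-ins for responders and a local CRL lookup; a real deployment
# would perform network OCSP requests and CRL parsing here.
REVOKED_KDCS = {"CN=kdc-retired.example.test"}

def responder_unreachable(_subject: str) -> Optional[str]:
    return None                          # simulates a timed-out responder

def responder_online(subject: str) -> Optional[str]:
    return "revoked" if subject in REVOKED_KDCS else "good"

def local_crl(subject: str) -> Optional[str]:
    return "revoked" if subject in REVOKED_KDCS else "good"

RESPONDERS = [("ocsp1", responder_unreachable), ("ocsp2", responder_online)]

if __name__ == "__main__":
    print(validate_kdc_certificate("CN=kdc1.example.test", RESPONDERS, local_crl, True))
```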

To configure OCSP validation of the KDC certificate:

1. Using the HP Embedded Web Server, click on the Settings tab and then select Kerberos Authentication from the left menu bar.

2. In the Using PKINIT Authentication (Smart Card Authentication Only) section, click PKINIT Settings.

3. In the OCSP validation of Kerberos Server Certificate section, select the check box for Perform OCSP Validation on the Kerberos Server certificate chain.

4. Click Edit below the OCSP server certificates.

5. On the Load Certificate page, click Browse and locate the certificate file.

6. Click Load Certificate.

7. If the OCSP responder certificate is not a Root CA (self-signed), then continue to load all certificates in the OCSP responder trust chain.

To configure CDP validation of the KDC certificate:

1. Using the HP Embedded Web Server, click on the Settings tab and then select Kerberos Authentication from the left menu bar.

2. In the Using PKINIT Authentication (Smart Card Authentication Only) section, click PKINIT Settings.

3. In the CRL validation of Kerberos Server Certificate section, select the check box for Perform CRL checking on the Kerberos Server certificate chain.

4. Select the CRL Distribution Point (CDP) check box.

cannot be obtained solely from the CDP information provided in the server's certificate, then the MFP/digital sender attempts to use the following fields to help locate a CRL:

CDP Distinguished Name (DN) — standard DN format

LDAP Server — IP address or hostname

Port — LDAP server port

NOTE: Anonymous is the only LDAP Server Bind Method that is currently supported.

To obtain the location of a CRL from the server certificate, the certificate must contain a CDP extension (specifically, one named “CRL Distribution Points”). The extension must contain an LDAP URL (HTTP URLs and Directory Address formats, usually associated with delta CRLs, are not currently supported).

If no LDAP URL exists, the MFP/digital sender attempts to locate the CRL using the CDP Distinguished Name, LDAP Server, and Port fields in the HP Embedded Web Server configuration page as previously described. If the entries exist in the HP Embedded Web Server fields, they override any corresponding values in any LDAP URL found in the CDP extension.

The location of the CRL on the LDAP server must have the attribute certificateRevocationList. The LDAP filter and LDAP scope, which are used internally and not configured using the HP Embedded Web Server, default to the following values if they are not specified in the CDP extension:

● filter: objectClass=*

● scope: base
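The CRL location rules from the last few paragraphs (only LDAP URLs in the CDP extension are used, HTTP URLs are skipped, the CDP Distinguished Name, LDAP Server and Port fields override the corresponding URL values, and filter and scope fall back to objectClass=* and base) as an added example; this is not HP code. The sample CDP URIs are constructed, and the default LDAP port of 389 is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

CRL_ATTRIBUTE = "certificateRevocationList"   # attribute named on the page
DEFAULT_LDAP_PORT = 389                       # assumption: page gives no default


@dataclass
class CrlLookup:
    host: str
    port: int
    base_dn: str
    scope: str = "base"            # page default when the URL omits it
    filter: str = "objectClass=*"  # page default when the URL omits it
    attribute: str = CRL_ATTRIBUTE


def parse_ldap_url(url: str) -> Optional[CrlLookup]:
    """Parse an RFC 4516 LDAP URL (ldap://host:port/dn?attrs?scope?filter).
    Anything that is not ldap:// (e.g. an HTTP CDP) returns None, because the
    device only consumes LDAP URLs from the extension."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        return None
    fields = parts.query.split("?") if parts.query else []
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    flt = fields[2] if len(fields) > 2 and fields[2] else "objectClass=*"
    return CrlLookup(host=parts.hostname or "", port=parts.port or DEFAULT_LDAP_PORT,
                     base_dn=unquote(parts.path.lstrip("/")),
                     scope=scope.lower(), filter=unquote(flt))


def resolve_crl_lookup(cdp_urls: List[str], ews_dn: str = "", ews_server: str = "",
                       ews_port: Optional[int] = None) -> Optional[CrlLookup]:
    """First usable LDAP URL in the CDP extension wins; the three HP EWS fields
    (CDP DN, LDAP Server, Port) then override the matching URL values. With no
    LDAP URL at all, the EWS fields must supply the DN and server themselves."""
    lookup = next((lk for lk in map(parse_ldap_url, cdp_urls) if lk), None)
    if lookup is None:
        if not (ews_dn and ews_server):
            return None   # device cannot locate a CRL
        return CrlLookup(host=ews_server, port=ews_port or DEFAULT_LDAP_PORT, base_dn=ews_dn)
    if ews_dn:
        lookup.base_dn = ews_dn
    if ews_server:
        lookup.host = ews_server
    if ews_port:
        lookup.port = ews_port
    return lookup


# Constructed sample CDP URIs, as they might be read from a KDC certificate.
SAMPLE_CDP = [
    "http://pki.example.test/crl/issuing.crl",   # HTTP form: skipped
    "ldap://ldap.example.test:389/CN=Issuing%20CA,CN=CDP,DC=example,DC=test"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
]

if __name__ == "__main__":
    print(resolve_crl_lookup(SAMPLE_CDP))
    print(resolve_crl_lookup(SAMPLE_CDP, ews_server="dc1.example.test", ews_port=3268))
```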

To configure local device CRL validation of the KDC certificate (not recommended):

A script for delivering CRLs to the MFPs/digital senders in your organization is required. The script should run at regular intervals. Running the script at shorter intervals than the certificate expiration cycle is recommended. This ensures that if an MFP/digital sender misses an update due to maintenance or being powered off, it still has a chance to receive the update before the certificate expires.

Before running the script, the administrator should ensure that PJL access to the file system is available.

This means that the PJL password is not set and PJL disk access is enabled. For security reasons, it is recommended that PJL access to the file system should always be restricted by a password and that disk access be turned off except when executing scripts or commands to load objects onto the MFP/digital sender. For more information on how to secure LaserJet devices, see the NIST Security Checklist available for download at checklists.nist.gov/repository/1087.html. (You can also search for the latest checklist at: checklists.nist.gov/ )

1. Ensure that the script ran and loaded the CRL to the MFP/digital sender. Verify by printing a file system listing from the MFP/digital sender control panel.

2. In the Kerberos PKINIT Configuration section of the Kerberos Authentication page, select the Validate the Kerberos Server Certificate check box.

3. Enter the file location in the CRL URL(s) text box. This location is controlled by the script that pushes the CRL to the MFP/digital sender.

4. Click Apply.

KDC Certificate Validation Test

1. Using the HP Embedded Web Server, click on the Settings tab and then select Authentication Manager from the left menu bar.

2. Verify that U.S. Gov't Smartcard v2.xx is selected from the Sign In At Walk Up drop-down list and click Apply.

3. Insert your Smartcard into the reader, enter the appropriate PIN on the control panel, and touch OK.

● If you authenticate successfully, then the correct certificates are properly installed.

● If you cannot authenticate, see OCSP/CRL troubleshooting on page 41.

Configure authentication using the Smartcard accessory

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Settings tab.

3. On the left menu bar, click Authentication Manager. The Authentication Manager page is displayed.

Figure 2-8 Authentication Manager page

4. Review each of the MFP/digital sender functions on this page. Select U.S. Gov't Smartcard v2.xx from the drop-down list next to each function for which Smartcard authentication is required.

NOTE: When U.S. Gov't Smartcard v2.xx is selected from the Sign in at Walk Up drop-down list, all other functions are also restricted to Smartcard authentication. To require the authenticated user's E-mail address be used in the From field when sending E-mail, make sure that U.S. Gov't Smartcard v2.xx is selected from the Send to E-mail drop-down list.

If U.S. Gov't Smartcard v2.xx is not listed on any of the drop-down lists, the HP Access Control Smartcard Solution authentication upgrade is not installed. (See Upgrade the Smartcard and MFP/digital sender firmware on page 3 for more information.)

5. Click Apply.

Configure access to the network destination folders

Configure the access options for each folder to Use Public Credentials, and then configure the public credentials with those of a known authorized user (such as an administrator account).

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Digital Sending tab. On the left menu bar, click Send to Folder. The Send to Folder page is displayed.

Figure 2-9 Send to Folder page

3. Select Kerberos from the Authentication Setting drop-down list and click Apply.

4. Select a folder in the Predefined Folders list.

NOTE: To select a folder, one or more network folders must already be configured. If you need to add a new folder, click Add under the Predefined Folders list, and complete the applicable fields.

5. Click Edit. The Edit Shared Folder page is displayed.

Figure 2-10 Edit Folder Access settings

6. In the Access Credentials drop-down list, select Use Device User's Credentials or Use Public Credentials. If Use Device User's Credentials is selected, then the MFP/digital sender uses the credentials of the current user to access the shared folder. If Use Public Credentials is selected, then the credentials that were specified during the configuration are used.

7. If Use Public Credentials was selected, type the appropriate values for a known authorized user in the Domain, Username, and Password text fields.

8. Click Test Folder Access to verify that the supplied credentials provide access to the folder.

9. Click OK.

10. Repeat the preceding steps for each folder in the Predefined Folders list.

When the configuration is complete, the MFP/digital sender requires an authorized Smartcard in order to use the selected features.

Configure LDAP access for address books

When a user enters the send to E-mail screen, next to each recipient field (“To”, “Cc”, “Bcc”) is an address book icon. As the user types a recipient on the keyboard screen, the recipient name can be auto-completed. This auto-complete feature is enabled by specifying the LDAP addressing settings in the HP Embedded Web Server.

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Digital Sending tab. On the left menu bar, click LDAP Settings. The Addressing
