HP Access Control Smartcard Solution


HP Access Control Smartcard Solution for U.S. Government

Copyright information

© 2009 Copyright Hewlett-Packard Development Company, L.P.

Reproduction, adaptation or translation without prior written permission is prohibited, except as allowed under the copyright laws. The information contained herein is subject to change without notice.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Edition 2, 11/2009

Trademark credits

Microsoft® and Outlook® are U.S. registered

Table of contents

1 Installation

Upgrade the device firmware ... 2

Supported devices ... 2

Enable remote firmware upgrades ... 2

Upgrade the Smartcard and MFP/digital sender firmware ... 3

Install the hardware ... 6

2 Configuring the MFP/digital sender

Configure the IPv4 settings ... 8

Configure the MFP/digital sender for Kerberos authentication ... 10

Accessing the Kerberos Authentication page ... 10

Enter the Kerberos authentication information ... 11

Accessing the LDAP server ... 12

Install the Kerberos Server Root Certificate Authority Certificate ... 13

Configure validation of the KDC certificate ... 15

Configure authentication using the Smartcard accessory ... 19

Configure access to the network destination folders ... 20

Configure LDAP access for address books ... 22

Configuring LDAP over SSL ... 23

Configure Send to E-mail ... 25

3 Normal use of the HP Access Control Smartcard Solution

4 Troubleshooting

General troubleshooting ... 32

Kerberos troubleshooting ... 34

LDAP server troubleshooting ... 37

OpenSSL ... 51

Appendix B Warranty Service

1 Installation

Use this section to upgrade the HP Access Control Smartcard Solution firmware (if required) and then install the Smartcard reader.

● Upgrade the device firmware

● Install the hardware

Upgrade the device firmware

This section provides instructions for upgrading the firmware on the MFP/digital sender to allow it to work with the HP Access Control Smartcard Solution for U. S. Government.

You must have the correct MFP/digital sender Internet Protocol (IP) address to install the firmware. Obtain the IP address of the MFP/digital sender by printing a configuration page or using the control panel. See the MFP/digital sender user guide for instructions.

Make sure that the MFP/digital sender is connected to the network, turned on, and in the Ready mode.

● Supported devices

● Enable remote firmware upgrades

● Upgrade the Smartcard and MFP/digital sender firmware

Supported devices

The following lists the supported HP MFPs/digital senders.

NOTE: HP recommends that you upgrade your MFP/digital sender to the latest firmware version and the corresponding authentication agent. (You download the upgrades from the HP Access Control Smartcard Solution Web site.) For more information, see Upgrade the Smartcard and MFP/digital sender firmware on page 3.

● HP Color LaserJet
  ◦ CM3530
  ◦ CM4730
  ◦ CM6030/6040
● HP Digital Sender
  ◦ DS9250C
● HP LaserJet
  ◦ M3035
  ◦ M4345
  ◦ M5035
  ◦ M9040/M9050

Enable remote firmware upgrades

If you are upgrading the firmware (recommended), the MFP/digital sender might be configured with the recommended security settings, which disable remote firmware upgrades. Use the following

NOTE: The instructions are for an HP LaserJet M3035. Your MFP/digital sender might access this option differently. For complete instructions about accessing the Remote Firmware Upgrade option, see the MFP/digital sender user guide.

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

NOTE: Recommended security settings typically disable the MFP/digital sender from accessing the HP Embedded Web Server from a Web browser. If the HP Embedded Web Server page does not display, enable access using HP Web Jetadmin. For more information, see the MFP/digital sender user guide.

2. Click the Settings tab. Enter the administrator password if you are prompted for administrator credentials.

3. On the left menu bar, click Security.

4. On the Device Security Settings page, scroll down to the Options for Services section.

5. Verify that the Remote Firmware Upgrade check box is selected.

Figure 1-1 Enable Remote Firmware Upgrade option in the EWS.

6. Click Apply and close the browser window.

NOTE: To maintain the recommended security settings, disable the setting after upgrading the firmware on the MFP/digital sender.

Upgrade the Smartcard and MFP/digital sender firmware

HP recommends that you upgrade your MFP/digital sender with the latest authentication agent and the corresponding firmware version. (You must have Internet access to download the files to your computer.) The upgrade consists of an authentication agent file (.pjl), which upgrades the Smartcard, and a firmware image file (.rfu), which allows the MFP/digital sender to detect and use the Smartcard reader. You will download both of these files from the HP Access Control Smartcard Solution Web site.

To download the firmware upgrades, use the following steps:

1. Start a supported Web browser.

2. Go to the following URL: www.hp.com/go/smartcard_firmware

3. First, download the authentication agent file:

a. Go to the Software section and click Download.

b. When the File Download — Security Warning is displayed, click Run and run the usgovt_auth_agent_v2.xx.exe file.

c. When the Self-Extractor window is displayed, click Browse to select a temporary folder to unzip the file, or use the default (C:\Temp\AuthAgent), and click Unzip.

The file named usgovt_auth_agent_v2.xx.pjl is extracted to the selected folder.

4. If you need to download the firmware upgrade image for your MFP/digital sender, use the following steps:

a. Go to the Software section and click Smartcard Authentication Agent and Required Firmware.

b. Select your MFP/digital sender from the list. (For example, HP LaserJet M5035mfp Firmware.)

c. Use the Description field to locate the correct operating system for your MFP/digital sender and click Download.

d. When the File Download — Security Warning is displayed, click Run and select the file (for example, ljM5025–35mfpfw_win_48.xxx.x.exe).

e. When the Internet Explorer — Security Warning window is displayed, click Run.

f. Click Browse to choose a folder, or use the default (for example, C:\HP_M5025–M5035_printer_rfu_xx.xxx.x), and click Extract.

The files are extracted to the selected folder.

To copy the files to the MFP/digital sender using FTP, use the following steps. (If the necessary firmware is already installed, skip to step 7 below.)

1. Open an MS DOS command prompt window by clicking Start, then click Run, type cmd at the run prompt, and then press Enter.

2. Type the following command, using the IP address of the MFP/digital sender: ftp <MFP IP address> (example: ftp 192.168.0.90). Press Enter. A prompt is displayed for the user name.

3. By default, neither a user name nor a password is required for FTP access to the MFP/digital sender. Press Enter at the user name and password prompts. An FTP> prompt is displayed.

4. Type bin and press Enter. The FTP prompt is again displayed.

5. Use the FTP put command to copy the .pjl file to the MFP/digital sender. Type the following command, using the path to the location of the file: put <path of the file> (for example: put C:\Temp\AuthAgent\usgovt_auth_agent_v2.xx.pjl).

8. Press Enter. Text is displayed in the command window to indicate that the FTP copy job is processing. When the file is copied, the control panel displays Performing Upgrade and then the MFP/digital sender restarts.

9. After the file is copied to the MFP/digital sender, type bye and press Enter. The session ends. If the firmware on the MFP/digital sender is current and only the .pjl file is installed, the MFP/digital sender must be restarted before U.S. Gov't Smartcard v2.xx appears on the Authentication Manager page.

NOTE: After installing the firmware upgrade, print a configuration page from the MFP/digital sender to verify that the new firmware is installed. See the MFP/digital sender user guide for information about how to print a configuration page.

To verify that the HP Access Control Smartcard Solution authentication and firmware upgrades were installed correctly, start the HP Embedded Web Server, click the Settings tab, and then click Authentication Manager on the left menu bar. Click a Sign In Method for any of the device functions. If the authentication upgrade installed correctly, the sign in methods include U.S. Gov't Smartcard 2.xx as a selection.

CAUTION: A 49.4c18 error might occur when the MFP/digital sender restarts. The most common cause of this error is installing the Smartcard authentication (.pjl) upgrade and restarting without the necessary firmware (.rfu) installed. For more information, see Troubleshooting on page 31.
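The ftp / bin / put / bye session above, automated so the agent can be pushed to several devices from one script. This is an added example, not HP's code: the ftp_factory parameter, the RecordingFTP stand-in and write_sample_pjl are this example's own, so the sequence can be exercised offline; 192.168.0.90 is the manual's sample address.

```python
"""Push the Smartcard authentication agent (.pjl) to an MFP/digital sender.

Added example, not HP code. It automates the interactive ftp session in the
manual: connect to the device IP, log in with the empty user name and
password the device accepts by default, switch to binary mode ("bin"), put
the .pjl file and close the session ("bye"). ftp_factory, RecordingFTP and
write_sample_pjl are this example's own and exist so the same sequence can
be exercised offline against a stand-in instead of a device.
"""
import os
import tempfile
from ftplib import FTP


def upload_pjl(host, pjl_path, ftp_factory=FTP, timeout=60):
    """Send pjl_path to host and return the command sequence that was issued.

    The device itself shows "Performing Upgrade" and restarts once the file
    has been received; nothing further is sent from here.
    """
    if not pjl_path.lower().endswith(".pjl"):
        raise ValueError("expected an authentication agent .pjl file: %s" % pjl_path)
    issued = []
    ftp = ftp_factory(timeout=timeout)
    ftp.connect(host, 21)
    issued.append("ftp %s" % host)
    # ftplib substitutes "anonymous" for an empty user name; the manual's
    # "press Enter at both prompts" relies on the device requiring no
    # credentials, so either form is assumed to be accepted.
    ftp.login("", "")
    issued.append("<Enter> <Enter>")
    ftp.voidcmd("TYPE I")                # "bin": binary transfer mode
    issued.append("bin")
    with open(pjl_path, "rb") as fh:     # "put <path of the file>"
        ftp.storbinary("STOR " + os.path.basename(pjl_path), fh)
    issued.append("put %s" % pjl_path)
    ftp.quit()                           # "bye"
    issued.append("bye")
    return issued


class RecordingFTP:
    """Offline stand-in for ftplib.FTP that records what would be sent."""

    sent = []                            # shared log; clear it before a run

    def __init__(self, timeout=None):
        self.timeout = timeout

    def connect(self, host, port=21):
        self.sent.append(("connect", host, port))

    def login(self, user="", passwd=""):
        self.sent.append(("login", user, passwd))

    def voidcmd(self, cmd):
        self.sent.append(("cmd", cmd))

    def storbinary(self, cmd, fp):
        self.sent.append(("stor", cmd, len(fp.read())))

    def quit(self):
        self.sent.append(("quit",))


def write_sample_pjl(directory=None):
    """Write a constructed placeholder .pjl (not the real agent) for a dry run."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "usgovt_auth_agent_v2.xx.pjl")
    with open(path, "wb") as fh:
        fh.write(b"\x1b%-12345X@PJL COMMENT constructed sample\r\n")
    return path


if __name__ == "__main__":
    sample = write_sample_pjl()
    RecordingFTP.sent.clear()
    print(upload_pjl("192.168.0.90", sample, ftp_factory=RecordingFTP))
    print(RecordingFTP.sent)
```

Because the transfer is unauthenticated by design, follow the manual's own NOTE and clear the Remote Firmware Upgrade check box again once the upgrade is verified.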

Install the hardware

1. Plug the Smartcard reader into the external universal serial bus (USB) port on a supported MFP/ digital sender.

NOTE: If a label covers the USB port on the MFP/digital sender, remove the label before plugging in the Smartcard reader.

2. Attach the Smartcard reader to an appropriate location on the MFP/digital sender.

Ensure that the USB cable from the Smartcard reader does not interfere with any other functions of the MFP/digital sender.

3. Restart the MFP/digital sender.

4. Print a configuration page to verify that the MFP/digital sender recognizes the installed Smartcard reader. If installed correctly, the Smartcard reader is listed as MFP Smart Card in the USB

2 Configuring the MFP/digital sender

After the HP Access Control Smartcard Solution firmware and hardware are installed, the MFP/digital sender is ready to configure. This chapter provides information about the following topics:

● Configure the IPv4 settings

● Configure the MFP/digital sender for Kerberos authentication

● Configure authentication using the Smartcard accessory

● Configure access to the network destination folders

● Configure LDAP access for address books

● Configure Send to E-mail

Configure the IPv4 settings

1. Open a supported Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/ digital sender.

2. Click the Settings tab.

3. On the left menu bar, click Configure Device. The Configure Device page is displayed.

4. From the menu on the main page, navigate to the IPV4 settings. Click Initial Setup, click Networking and I/O, click Embedded Jetdirect, click TCP/IP, and then click IPV4 Settings.

Figure 2-2 Access the IPV4 settings

5. Scroll down to the IPV4 SETTINGS section.

Figure 2-3 IPV4 options

6. Type the IP address of the Kerberos server in the Primary DNS text box.

7. Click Apply.

Configure the MFP/digital sender for Kerberos authentication

For additional information on configuring Kerberos authentication, refer to the Configuring Embedded Kerberos Authentication guide. It comes bundled on the product CD and is also available for download from HP at: h20000.www2.hp.com/bc/docs/support/SupportManual/c00646187/c00646187.pdf

TIP: When installing this solution for the first time in a new environment, it is recommended that you configure and test the Kerberos settings first. Once Kerberos is working correctly, then configure LDAP settings. Once LDAP is working correctly, then configure PKINIT settings.

Accessing the Kerberos Authentication page

Many of the steps required to configure the MFP/digital sender for Kerberos authentication are completed on the Kerberos Authentication page. Follow the steps below to access the page.

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Settings tab.

3. On the left menu bar, click Kerberos Authentication. The following panel is displayed:

4. Select the domain name and click Edit, or click Add to enter a new domain name. The Kerberos Authentication detail panel is displayed.

Figure 2-5 Kerberos Authentication page (part 2)

Enter the Kerberos authentication information

On the Kerberos Authentication detail page, complete the Accessing the Kerberos Authentication Server section using the following steps:

1. Enter the Kerberos Realm (Domain).

NOTE: You must enter the Kerberos Realm using all uppercase letters.

2. Enter the Kerberos Server Hostname.

3. Enter the Kerberos Server Port if required.

4. Click Apply to save the settings.

Kerberos settings test

If the settings for the Kerberos Realm (Domain) and Kerberos Server Hostname are correct, you can partially authenticate on the MFP/digital sender. To see if you have configured your Kerberos settings correctly, use the following steps:

1. Using the HP Embedded Web Server, click the Settings tab and then select Authentication Manager from the left menu bar.

2. Select Kerberos from the Sign In At Walk Up drop-down list and click Apply. The MFP/digital sender control panel should display a Sign In > Windows prompt.

3. At the MFP/digital sender control panel, attempt to log in using a valid username and password for your domain.

● If the following error message is displayed, the Kerberos Authentication settings were successfully configured: Authentication Failed: Kerberos LDAP server not configured. Please contact the administrator.

● If a different error message is displayed, see Kerberos troubleshooting on page 34.

Accessing the LDAP server

Using the Kerberos Authentication page, complete the Accessing the LDAP server section using the following steps:

1. Select the LDAP Server Bind Method (Kerberos or Kerberos Over SSL).

2. Click the Use Device User's Credentials check box.

3. Enter the LDAP Server name. (You can use the same name as used for the Kerberos Server Hostname.)

4. Enter the LDAP server Port number.

5. Click Apply to save the settings.

LDAP settings test

On HP MFPs and digital senders with embedded Kerberos authentication capability, Kerberos authentication is a two-step process. The first step obtains a Kerberos TGT (ticket granting ticket); the Kerberos settings test (see Kerberos settings test on page 12) indicates whether this step succeeds. The second step looks up the authenticated user's E-mail address from an LDAP directory. To test your LDAP server access, use the following steps:

1. Using the HP Embedded Web Server, go to the Authentication Manager page by clicking the Settings tab and then selecting Authentication Manager from the left menu bar.

3. Verify that a valid SMTP gateway is specified on the E-mail Settings page by selecting the Digital Sending tab and clicking E-mail Settings from the left menu bar.

Figure 2-6 E-mail Settings

4. Access the menu on the MFP/digital sender control panel and touch E-mail.

If you authenticate with no error message and the correct name displays in the From field on the E-mail Settings screen, then the LDAP settings are configured correctly.

● If you receive an error message or do not see the correct display name, see LDAP server troubleshooting on page 37.

Install the Kerberos Server Root Certificate Authority Certificate

The issuer’s certificate for your KDC certificate must be installed on the MFP/digital sender in order to perform PKINIT authentication. To install this certificate:

1. Using the HP Embedded Web Server, select the Settings tab.

2. On the left menu bar, click Kerberos Authentication.

3. Select the domain name and click Edit, or enter a new domain name by clicking Add. The Kerberos Authentication page is displayed.

4. Scroll down to the Using PKINIT Authentication (Smart Card Authentication Only) section and click PKINIT Settings.

The following screen is displayed:

Figure 2-7 Kerberos Authentication page (PKINIT Settings)

5. From the Kerberos Server Root Certificate Authority (CA) Certificate section, click Edit.

6. On the Certificates page, click Browse and locate the certificate file.

7. Once the file is located, click Import.

If you can use a Smartcard to log on to a PC, you may be able to find the certificates that must be installed on the MFP/digital sender on that PC. To find the certificates installed on a PC:

1. Log on to a PC using a Smartcard.

2. Open Internet Explorer.

3. On the Tools menu, select Internet Options.

4. Select the Content tab and click Certificates.

If there is a certificate problem, the error message on the MFP/digital sender often contains the subject of the required certificate. The subject normally has a CN=<some name> value in it. The <some name> portion is the value that Internet Explorer shows in the Issued To column of the Certificates dialog box. Once the following steps are completed, you are ready to test PKINIT Smartcard authentication. Verify the following before you begin:

● The HP Smartcard reader is attached to the MFP/digital sender.

● The Kerberos settings are configured and working correctly.

● The LDAP settings are configured and working correctly.

● The KDC issuer certificate is loaded.

PKINIT Smartcard authentication test

To test PKINIT Smartcard authentication:

1. Using the HP Embedded Web Server, click on the Settings tab and then select Authentication Manager from the left menu bar.

2. Select U.S. Gov't Smartcard v2.xx from the Sign In At Walk Up drop-down list.

3. Select U.S. Gov't Smartcard v2.xx from the Send to E-mail drop-down list.

NOTE: If U.S. Gov't Smartcard v2.xx is not listed on any of the drop-down lists on the Authentication Manager page, the HP Access Control Smartcard Solution authentication upgrade is not installed. (See Upgrade the Smartcard and MFP/digital sender firmware on page 3 for more information.)

4. Click Apply.

5. The MFP/digital sender should now have the following prompt: “Please insert your Smartcard, then press OK”.

6. Insert your Smartcard into the reader, enter the appropriate PIN on the control panel, and touch OK.

● If you authenticate successfully, then the correct certificate is properly installed.

● If you cannot authenticate, see PKINIT troubleshooting on page 39.

Configure validation of the KDC certificate

KDCs validate that the client requesting authentication has possession of a valid digital certificate (not expired or revoked). However, to verify that the KDC's certificate is not revoked, and to ensure that the MFP/digital sender does not use an insecure Kerberos server for authentication, the remaining items listed in the Using PKINIT Authentication (Smart Card Authentication Only) section of the Kerberos Authentication page should be configured.

The KDC certificate is received by the MFP/digital sender during the PKINIT handshake. It does not need to be stored on the MFP/digital sender.

NOTE: The MFP/digital sender performs certificate revocation list (CRL) checking on the KDC's certificate only. Therefore, it is not necessary to install user CRLs during the configuration process.

The MFP/digital sender supports two methods for validating the KDC’s certificate:

OCSP (Online Certificate Status Protocol): One or more OCSP responders can be used for validation. OCSP responders are contacted in the order entered. As soon as a good or bad response is received from a responder, no more responders are contacted. If all known OCSP servers are exhausted and no response is received, CRL checking commences if the check box for Perform CRL checking on the Kerberos Server certificate chain is selected. OCSP validation is the preferred method for validating the server's certificate.

CRL (Certificate Revocation List) checking: HP MFPs and digital senders support two different, mutually exclusive modes for CRL checking.

CRL distribution point (CDP): The CDP method assumes that the CRL is installed off the MFP/digital sender. In this case, the CDP referencing the CRL location must exist in the server's certificate, or the administrator must configure the MFP/digital sender with the location of the CRL. Only full CRLs (also known as base CRLs) are currently supported. Partitioned CRLs (also known as distributed or delta CRLs) are not supported.

Local device CRL: A full CRL is loaded onto the MFP/digital sender hard drive.

NOTE: Because CRLs change often (sometimes daily), the local device CRL method requires a process to copy the updated CRL to the MFP/digital sender at regular intervals. For this reason, local MFP/digital sender CRLs are not recommended.
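The validation order described above (responders in the order entered, stop at the first good or bad answer, CRL checking only when every responder is exhausted and the check box is selected), written out as a small model. This is an added example, not HP's code: the query callables stand in for the device's network calls, the responder names are constructed, and the UNDETERMINED outcome is this example's own name for the case where nothing answered.

```python
"""Order of KDC certificate validation on the MFP/digital sender, as a model.

Added example, not HP code. It encodes the behaviour described in the
manual: OCSP responders are tried in the order configured, the first
definitive answer (good or revoked) ends the check, and CRL checking runs
only when every responder failed to answer and the "Perform CRL checking"
box is selected. The query callables stand in for the device's network
calls; UNDETERMINED is this example's own name for "nothing answered".
"""
from enum import Enum


class Status(Enum):
    GOOD = "good"                    # certificate not revoked
    REVOKED = "revoked"              # certificate revoked: do not trust the KDC
    UNDETERMINED = "undetermined"    # no responder answered and no usable CRL


def validate_kdc_cert(ocsp_responders, crl_check_enabled, ocsp_query, crl_lookup):
    """Return (Status, trace) for the KDC certificate chain.

    ocsp_responders: responder URLs in the order entered on the PKINIT page.
    ocsp_query(url): Status.GOOD, Status.REVOKED, or None when no response.
    crl_lookup():    Status.GOOD or Status.REVOKED from the CRL, or None when
                     the CRL could not be obtained (no CDP, no LDAP URL, ...).
    trace records each source consulted, in order, for troubleshooting.
    """
    trace = []
    for url in ocsp_responders:
        answer = ocsp_query(url)
        trace.append((url, answer))
        if answer is not None:
            return answer, trace     # good or bad: no more responders are contacted
    if not crl_check_enabled:
        return Status.UNDETERMINED, trace   # responders exhausted, CRL fallback off
    answer = crl_lookup()
    trace.append(("crl", answer))
    return (answer if answer is not None else Status.UNDETERMINED), trace


def kdc_trusted(status):
    """Only a positive GOOD answer should let the Smartcard sign-in proceed."""
    return status is Status.GOOD


# Constructed responder table standing in for the network (not real hosts).
SAMPLE_RESPONSES = {
    "http://ocsp1.example.gov": None,             # times out
    "http://ocsp2.example.gov": Status.GOOD,
    "http://ocsp3.example.gov": Status.REVOKED,   # never reached in the demo
}


def demo(crl_check_enabled=True, responses=SAMPLE_RESPONSES):
    """Run the model against a responder table; returns (Status, trace)."""
    order = list(responses)                       # the order entered
    return validate_kdc_cert(order, crl_check_enabled,
                             lambda url: responses[url],
                             lambda: Status.GOOD)


if __name__ == "__main__":
    status, trace = demo()
    print(status, trace)   # ocsp2 answers GOOD, so ocsp3 is never contacted
```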

To configure OCSP validation of the KDC certificate:

1. Using the HP Embedded Web Server, click on the Settings tab and then select Kerberos Authentication from the left menu bar.

2. In the Using PKINIT Authentication (Smart Card Authentication Only) section, click PKINIT Settings.

3. In the OCSP validation of Kerberos Server Certificate section, select the check box for Perform OCSP Validation on the Kerberos Server certificate chain.

4. Click Edit below the OCSP server certificates.

5. On the Load Certificate page, click Browse and locate the certificate file.

6. Click Load Certificate.

7. If the OCSP responder certificate is not a Root CA (self-signed), then continue to load all certificates in the OCSP responder trust chain.

To configure CDP validation of the KDC certificate:

1. Using the HP Embedded Web Server, click on the Settings tab and then select Kerberos Authentication from the left menu bar.

2. In the Using PKINIT Authentication (Smart Card Authentication Only) section, click PKINIT Settings.

3. In the CRL validation of Kerberos Server Certificate section, select the check box for Perform CRL checking on the Kerberos Server certificate chain.

cannot be obtained solely from the CDP information provided in the server's certificate, then the MFP/digital sender attempts to use the following fields to help locate a CRL:

● CDP Distinguished Name (DN) — standard DN format

● LDAP Server — IP address or hostname

● Port — LDAP server port

NOTE: Anonymous is the only LDAP Server Bind Method that is currently supported.

To obtain the location of a CRL from the server certificate, the certificate must contain a CDP extension (specifically, one named “CRL Distribution Points”). The extension must contain an LDAP URL (HTTP URLs and Directory Address formats, usually associated with delta CRLs, are not currently supported). If no LDAP URL exists, the MFP/digital sender attempts to locate the CRL using the CDP Distinguished Name, LDAP Server, and Port fields in the HP Embedded Web Server configuration page as previously described. If the entries exist in the HP Embedded Web Server fields, they override any corresponding values in any LDAP URL found in the CDP extension.

The location of the CRL on the LDAP server must have the attribute certificateRevocationList.

The LDAP filter and LDAP scope, which are used internally and are not configured using the HP Embedded Web Server, default to the following values if they are not specified in the CDP extension:

● filter: objectClass=*

● scope: base
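The CDP lookup rules above (LDAP URLs only, EWS fields overriding the URL, anonymous bind, default filter and scope), applied to a certificate's CRL Distribution Points values. This is an added example, not HP's code: it assumes the URL strings have already been extracted from the certificate, the sample URLs are constructed, and the returned dictionary layout and the default port of 389 are this example's own.

```python
"""Where the MFP/digital sender would look for the KDC's CRL via a CDP.

Added example, not HP code. It applies the rules in the manual: only an
LDAP URL from the certificate's CRL Distribution Points extension is usable
(HTTP URLs are skipped), the EWS fields CDP Distinguished Name, LDAP Server
and Port override the corresponding parts of that URL, the bind is
anonymous, and the filter and scope default to objectClass=* and base. The
CDP URL strings are assumed to have been extracted from the certificate
already; the returned dictionary layout is this example's own.
"""
from urllib.parse import unquote, urlsplit

CRL_ATTRIBUTE = "certificateRevocationList"   # attribute the CRL entry must carry
DEFAULT_FILTER = "objectClass=*"
DEFAULT_SCOPE = "base"
DEFAULT_LDAP_PORT = 389                        # assumption: plain LDAP when unspecified


def parse_ldap_url(url):
    """Split an RFC 4516 URL (ldap://host:port/dn?attrs?scope?filter).

    Returns None for any non-LDAP URL, which the device cannot use.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        return None
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))          # attrs, scope, filter
    return {
        "server": parts.hostname or None,       # None for ldap:///... URLs
        "port": parts.port,
        "dn": unquote(parts.path.lstrip("/")) or None,
        "attributes": [a for a in unquote(fields[0]).split(",") if a],
        "scope": fields[1] or None,
        "filter": unquote(fields[2]) or None,
    }


def resolve_crl_location(cdp_urls, ews_dn=None, ews_server=None, ews_port=None):
    """Pick the LDAP location the device would query for the KDC CRL.

    cdp_urls: URLs from the CRL Distribution Points extension, in order.
    ews_*:    the CDP Distinguished Name, LDAP Server and Port fields from the
              Kerberos Authentication page (None when left blank).
    Returns None when no usable location exists, the case in which CRL
    checking cannot succeed.
    """
    ldap_urls = [u for u in map(parse_ldap_url, cdp_urls) if u]
    from_cert = ldap_urls[0] if ldap_urls else {}
    dn = ews_dn or from_cert.get("dn")          # EWS entries win over the URL
    server = ews_server or from_cert.get("server")
    port = ews_port or from_cert.get("port") or DEFAULT_LDAP_PORT
    if not dn or not server:
        return None
    return {
        "server": server,
        "port": port,
        "dn": dn,
        "attribute": CRL_ATTRIBUTE,
        "filter": from_cert.get("filter") or DEFAULT_FILTER,
        "scope": from_cert.get("scope") or DEFAULT_SCOPE,
        "bind": "anonymous",                    # the only supported bind method
    }


# Constructed CDP extension contents (not taken from a real certificate).
SAMPLE_CDP_URLS = [
    "http://pki.example.gov/CertEnroll/Example%20CA.crl",      # skipped
    "ldap:///CN=Example%20CA,CN=kdc1,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=example,DC=gov"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
]

if __name__ == "__main__":
    # The LDAP URL carries no host, so the LDAP Server field must be set.
    print(resolve_crl_location(SAMPLE_CDP_URLS))
    print(resolve_crl_location(SAMPLE_CDP_URLS, ews_server="dc1.example.gov"))
```

A host-less ldap:/// URL, common in Active Directory issued certificates, is the case where leaving the LDAP Server field blank makes CRL checking fail.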

To configure local device CRL validation of the KDC certificate (not recommended):

A script for delivering CRLs to the MFPs/digital senders in your organization is required. The script should run at regular intervals. Running the script at shorter intervals than the certificate expiration cycle is recommended. This ensures that if an MFP/digital sender misses an update due to maintenance or being powered off, it still has a chance to receive the update before the certificate expires.

Before running the script, the administrator should ensure that PJL access to the file system is available. This means that the PJL password is not set and PJL disk access is enabled. For security reasons, it is recommended that PJL access to the file system should always be restricted by a password and that disk access be turned off except when executing scripts or commands to load objects onto the MFP/digital sender. For more information on how to secure LaserJet devices, see the NIST Security Checklist available for download at checklists.nist.gov/repository/1087.html. (You can also search for the latest checklist at checklists.nist.gov/.)

1. Ensure that the script ran and loaded the CRL to the MFP/digital sender. Verify by printing a file system listing from the MFP/digital sender control panel.

2. In the Kerberos PKINIT Configuration section of the Kerberos Authentication page, select the Validate the Kerberos Server Certificate check box.

3. Enter the file location in the CRL URL(s) text box. This location is controlled by the script that pushes the CRL to the MFP/digital sender.

4. Click Apply.

KDC Certificate Validation Test

1. Using the HP Embedded Web Server, click on the Settings tab and then select Authentication Manager from the left menu bar.

2. Verify that U.S. Gov't Smartcard v2.xx is selected from the Sign In At Walk Up drop-down list and click Apply.

3. Insert your Smartcard into the reader, enter the appropriate PIN on the control panel, and touch OK.

Configure authentication using the Smartcard accessory

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Settings tab.

3. On the left menu bar, click Authentication Manager. The Authentication Manager page is displayed.

Figure 2-8 Authentication Manager page

4. Review each of the MFP/digital sender functions on this page. Select U.S. Gov't Smartcard v2.xx from the drop-down list next to each function for which Smartcard authentication is required.

NOTE: When U.S. Gov't Smartcard v2.xx is selected from the Sign in at Walk Up drop-down list, all other functions are also restricted to Smartcard authentication. To require that the authenticated user's E-mail address be used in the From field when sending E-mail, make sure that U.S. Gov't Smartcard v2.xx is selected from the Send to E-mail drop-down list.

If U.S. Gov't Smartcard v2.xx is not listed on any of the drop-down lists, the HP Access Control Smartcard Solution authentication upgrade is not installed. (See Upgrade the Smartcard and MFP/digital sender firmware on page 3 for more information.)

5. Click Apply.

Configure access to the network destination folders

Configure the access options for each folder to Use Public Credentials, and then configure the public credentials with those of a known authorized user (such as an administrator account).

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Digital Sending tab. On the left menu bar, click Send to Folder. The Send to Folder page is displayed.

Figure 2-9 Send to Folder page

3. Select Kerberos from the Authentication Setting drop-down list and click Apply.

4. Select a folder in the Predefined Folders list.

5. Click Edit. The Edit Shared Folder page is displayed.

Figure 2-10 Edit Folder Access settings

6. In the Access Credentials drop-down list, select Use Device User's Credentials or Use Public Credentials. If Use Device User's Credentials is selected, then the MFP/digital sender uses the credentials of the current user to access the shared folder. If Use Public Credentials is selected, then the credentials that were specified during the configuration are used.

7. If Use Public Credentials was selected, type the appropriate values for a known authorized user in the Domain, Username, and Password text fields.

8. Click Test Folder Access to verify that the supplied credentials provide access to the folder.

9. Click OK.

10. Repeat the preceding steps for each folder in the Predefined Folders list.

When the configuration is complete, the MFP/digital sender requires an authorized Smartcard in order to use the selected features.

Configure LDAP access for address books

When a user enters the send to E-mail screen, next to each recipient field (“To”, “Cc”, “Bcc”) is an address book icon. As the user types a recipient on the keyboard screen, the recipient name can be auto-completed. This auto-complete feature is enabled by specifying the LDAP addressing settings in the HP Embedded Web Server.

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Digital Sending tab. On the left menu bar, click LDAP Settings. The Addressing Settings page is displayed.

Figure 2-11 LDAP addressing settings

3. Select the Allow Device to directly access an LDAP Address Book check box.

NOTE: You should be able to use the same values used to configure LDAP access on the Kerberos page to configure the LDAP address settings.

6. Click Apply.

The search root might need to be refined to return only LDAP records, which represent users in your organization. If entries are returned which do not contain an E-mail address or a display name, the MFP/digital sender considers the results invalid. The MFP/digital sender might not display any entries and may fail to auto-complete addresses that would otherwise work. Use the ldp tool (as described in the Kerberos setup guide Configuring Embedded Kerberos Authentication) to find the search root that returns only valid results from your LDAP server.

NOTE: The Kerberos setup guide Configuring Embedded Kerberos Authentication comes bundled on the product CD and is available for download from HP at h20000.www2.hp.com/bc/docs/support/SupportManual/c00646187/c00646187.pdf

LDAP performance can be severely impacted by the lack of DNS entries for referrals returned by your LDAP server. Unfortunately there is no indication on the MFP/digital sender that it is waiting for a referral. The best way to diagnose this situation is with a network trace.

Configuring LDAP over SSL

If your LDAP server allows binds over SSL only, then you must install the digital certificate for the LDAP server onto the MFP/digital sender and change the bind type to Simple over SSL or Kerberos over SSL.

1. Install the digital certificate for the LDAP server onto the MFP/digital sender.

a. Start the HP Embedded Web Server and click the Networking tab. On the left menu bar, click Authorization. The Authorization page is displayed.

b. Select the Certificates tab. The Certificates page is displayed.

Figure 2-12 Network Authorization - Certificates

c. In the CA Certificate section, click Configure. The Certificate Options page is displayed.

Figure 2-13 Network Authorization - Certificate Options

d. Make sure the Install CA Certificate option is selected and then click Next. The Install CA Certificate page is displayed.

Figure 2-14 Network Authorization - Install CA Certificate

e. Click Browse and search for the root CA certificate. Click Finish to install the specified certificate.

2. Change the bind type to Simple over SSL or Kerberos over SSL.

a. On the LDAP settings page, change the bind type to Simple over SSL.

b. Select Use Public Credentials and enter credentials for a service account which can be used to access the LDAP server.


Configure Send to E-mail

E-mail messages are digitally signed by default when Smartcard authentication is used. However, this can be changed on the advanced E-mail settings screen.

1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.

2. Click the Digital Sending tab. On the left menu bar, click E-mail Settings. The Addressing Settings page is displayed.

Figure 2-15 E-mail settings

3. Enter the appropriate information in each of the applicable fields to configure the E-mail settings.


4. Click the Advanced button. The Advanced E-mail Settings panel is displayed:

Figure 2-16 Advanced E-mail settings

5. If E-mail signing is preferred for outgoing operations:

a. Using the S/MIME Settings (Signed/Encrypted E-mail) section, select Sign Message in the Digital Signature section.

b. If signing is preferred but not required, select the Allow users to send unsigned messages check box. (If signing is required, do not select this check box.)

If E-mail signing is not preferred for outgoing operations:

c. Using the S/MIME Settings (Signed/Encrypted E-mail) section, select Do Not Sign Message in the Digital Signature section.

d. If signing is not preferred but allowed, select the Allow users to send signed messages check box. (If signing is not allowed, do not select this check box.)

6. If E-mail encryption is preferred for outgoing operations:

a. Using the S/MIME Settings (Signed/Encrypted E-mail) section, select Encrypt Message in the Encryption section.

b. If encryption is preferred but not required, select the Allow users to send unencrypted messages check box. (If encryption is required, do not select this check box.)

If E-mail encryption is not preferred for outgoing operations:

c. Using the S/MIME Settings (Signed/Encrypted E-mail) section, select Do Not Encrypt Message in the Encryption section.

d. If encryption is not preferred but allowed, select the Allow users to send encrypted


digital sender by clicking Edit in the Signed E-mail Certificate Chains section on the Kerberos Authentication page.

If you use Microsoft Outlook® and already have signed E-mail configured for your personal account, here is one way to gather the certificates in your E-mail signature chain:

1. Send a signed E-mail to yourself.

2. Click on the certificate icon.

3. Click Details.

4. Click on the signer, and then click View Details.

5. Click View Certificate.

6. Click on the Certification Path tab.

7. For each certificate above yourself in the chain:

a. Click View Certificate.

b. Click on the Details tab.

c. Click Copy To File.

d. Export the file in DER or Base-64 format.

e. Import the file into the MFP/digital sender.

TIP: Once all required certificates related to the KDC, OCSP, and E-mail signing trust chain have been installed on the MFP/digital sender, these can be exported to a single file on the HP Embedded Web Server Kerberos Certificates page. This file can then be imported to another MFP/digital sender. If you are using Simple over SSL for your LDAP binds, this certificate must be imported separately on the Networking tab.


3 Normal use of the HP Access Control Smartcard Solution

After the firmware and hardware are installed and the MFP/digital sender is configured for HP Access Control Smartcard Solution authentication, the MFP/digital sender restricts access according to the specified options.

When a user attempts to use a Smartcard-restricted function, the following actions occur:

1. The MFP/digital sender prompts for a valid card to be placed in the Smartcard reader. The user places the card into the reader and leaves it there while using the MFP/digital sender.

2. The MFP/digital sender prompts for a personal identification number (PIN) before continuing. The user types the PIN on the number pad on the MFP/digital sender control panel, and then touches OK on the touchscreen.

3. The MFP/digital sender authenticates the user by accessing the Active Directory user attributes through a PKI version of the Kerberos authentication protocol. When authentication is complete, the MFP/digital sender provides access to the selected function.

If the user types an incorrect PIN, the MFP/digital sender prompts for the number again. If the user enters the wrong PIN three times, the Smartcard is disabled and no longer usable.


4 Troubleshooting

NOTE: For the most current troubleshooting information regarding this product, go to: www.hp.com/support/usdodsmartcard.

NOTE: For additional information on configuring Kerberos authentication, refer to the Configuring Embedded Kerberos Authentication guide. It comes bundled on the product CD and is available for download from HP at h20000.www2.hp.com/bc/docs/support/SupportManual/c00646187/c00646187.pdf

If you are experiencing an issue that is not documented here or the steps here do not resolve the issue, contact HP support.


General troubleshooting

49.4c18 error displays when restarting device

Cause: An unsupported firmware version is installed on the device. The authentication upgrade was installed on the device without the correct firmware.

Solution: To enable the device to boot to Ready after this message has appeared:

CAUTION: The following procedure is for resolving the 49.4c18 error only and is not recommended for any other operation of the device.

1. Turn the device off and back on.

2. Hold down the 9 key during the memory test.

3. After all 3 LEDs are a solid color, release the 9 key and then press and release the 3 key.

4. Press and release the Start key. The device should now say “SKIP DISK LOAD”.

5. Press and release the 6 key.

6. The device should then proceed to boot to Ready.

Smartcard authentication does not work after performing a Secure Storage Erase or Disk Init on the MFP/digital sender.

Cause: Performing a Secure Storage Erase or Disk Init erases information that is critical for the Smartcard authentication to work.

Solution: The entire HP Access Control Smartcard Solution installation and configuration must be completed again. This includes reinstalling the authentication upgrade and performing all of the necessary HP Embedded Web Server configuration steps. Refer to Installation on page 1 and Configuring the MFP/digital sender on page 7 for instructions.

MFP/digital sender authentication is working, but remote features such as Send to E-mail and LDAP lookup are not.

Cause: The MFP/digital sender clock is out of sync with the server clock.

Solution: Clients and servers must be synced to within 5 minutes of each other. Either configure both the MFP/digital sender and the KDC server to use the same NTP server, or configure the MFP/digital sender to use the KDC server as the clock drift correction server.

Cause: The DNS lookup zone is not properly configured.

Solution: Hostnames must be used for all Kerberos and SSL servers. Verify that the servers listed in the HP Embedded Web Server for Kerberos, Send to Folder, and LDAP addressing configuration are listed as hostnames and not IP addresses.

Cause: Kerberos Realm names are not listed in upper case.

Solution: Check the Kerberos configuration in the


Error: “No card detected” when using a valid Smartcard

Cause: If the Smartcard is valid, the mechanical switch on the card reader may have failed.

Solution: Replace the card reader.

Error: “Please insert a valid card” when using a valid Smartcard

Cause: If the Smartcard is valid, the card contacts on the reader may have failed.

Solution: Replace the card reader.

The configured device no longer recognizes the Smartcard.

Cause: An incorrect PIN for the Smartcard has been entered successively three or more times.

Solution: After entering an incorrect PIN successively three or more times, the Smartcard is disabled as a security measure. Once a Smartcard is disabled, it must be replaced.


Kerberos troubleshooting

Error message: “Authentication Failed: Kerberos server not available. Please contact the administrator.”

Cause: The Kerberos server hostname was not entered correctly or is not a valid hostname.

Solution: To determine if the hostname is valid, open a Windows command shell and type: ping <kerberos hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname.

Cause: The DNS settings on the device are not correct.

Solution: To determine if the device’s DNS settings are not correct, try using the IP address of the Kerberos server instead of a hostname. Open a Windows command shell and type: nslookup <kerberos hostname>. The nslookup command should return the name of the DNS server that resolved the Kerberos host and the IP address of the host. Try entering the Kerberos server IP address on the settings page and performing authentication again. If this works, then open the HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command.

Cause: The Kerberos server is powered off or not reachable.

Solution: If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server.

Cause: The host is not a valid Kerberos server.

Solution: If the host is a valid Kerberos server, it should accept connections through port 88. Open a Windows command shell and type: telnet <kerberos hostname> 88. If the telnet command returns “Connecting To <host>…Could not open connection to the host, or port 88: Connect failed”, then the host is not a valid Kerberos server. If the window becomes blank, then it is accepting connections on port 88. Most likely the device network settings are not correct or the device is not operating correctly.

Error message: “Authentication Failed: Realm not recognized. Please contact the administrator.” or “Authentication Failed: Kerberos server not available for provided domain. Please contact the administrator.”

Cause: The domain field is not correct for the server that is being contacted.

Solution: If the hostname for the server were “ad1.technical.marketing”, then the realm name is probably “TECHNICAL.MARKETING”. If you have followed the procedure for finding the default realm from the Configuring Embedded Kerberos Authentication guide and it does not work, try this alternative method for discovering the domain:

1. On the Windows desktop, click Start, then right-click on My Computer and select Properties.

2. Select the Computer Name tab.

3. Copy the value in the Domain field to the Kerberos


Error message: “Authentication Failed: Device time not synchronized with server. Set correct time, then turn device off and back on.”

Cause: The device clock is offset more than five minutes from the Kerberos server.

Solution: The Kerberos protocol requires that the device performing authentication is nearly synchronized with the Kerberos server, in order to prevent replay attacks. On the device control panel press Administration, then press Time/Scheduling, then press Date/Time. Use the control panel keys to change the time. After changing the time setting, turn the device off and back on for the change to take effect.

Cause: The device’s Network Time Protocol (NTP) server is reporting a different time from the KDC time.

Solution: The device uses the NTP server to determine if the device is in a different time zone than the KDC and if the time stamp reported by the device to the KDC should be adjusted by half hour increments. Most KDC servers are also hosting an NTP service, so try setting your NTP server to the same hostname as your Kerberos server.

1. Start the HP Embedded Web Server and select the Settings tab.

2. On the left menu bar, click Date & Time, then click Clock Drift Correction.

3. Copy the value from the Kerberos Server text box on the Kerberos Settings page into the Network Time Server Address text field.

After changing your NTP setting, turn the device off and back on for the change to take effect.

NOTE: Because of the NTP adjustment, the time zone and daylight savings settings on the device do not affect the time reported by the device.

Error message: “Login failed. Please try again”

Cause: Incorrect credentials were entered, or the user is unknown on the server to which you are authenticating.

Solution: Verify that the user is authorized and using valid credentials.

Error message: “Authentication Failed: Kerberos LDAP server not configured. Please contact the administrator.” or any other LDAP related error

Cause: The settings under “Accessing the LDAP Server” are not correct.

Solution: See the Configuring Embedded Kerberos Authentication guide for help in determining your organization’s LDAP configuration. See LDAP server troubleshooting on page 37 for other possible issues.


Error message: “Authentication Failed: Error code XXXXX”

Cause Solution


LDAP server troubleshooting

Error message: “LDAP bind at server ‘X’ failure: Server down”

Cause: The LDAP server hostname was not entered correctly or is not a valid hostname.

Solution: To determine if the hostname is valid, open a Windows command shell and type: ping <LDAP hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname.

Cause: The DNS settings on the device are not correct.

Solution: To determine if the device’s DNS settings are not correct, try using the IP address of the LDAP server instead of a hostname. Open a Windows command shell and type: nslookup <LDAP hostname>. The nslookup command should return the name of the DNS server that resolved the LDAP host and the IP address of the host. Try entering the LDAP server IP address on the settings page and performing authentication again. If this works, then open the device's HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command.

Cause: The LDAP server is powered off or not reachable.

Solution: If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server.

Cause: The host is not a valid LDAP server.

Solution: If the host is a valid LDAP server, it should accept connections through port 389 or 3268. Open a Windows command shell and type: telnet <LDAP hostname> 389. If the telnet command returns “Connecting To <host>…Could not open connection to the host, or port 389: Connect failed”, then the host is not a valid LDAP server. If the window becomes blank, then it is accepting connections on port 389. Most likely the device network settings are not correct or the device is not operating correctly.

Error message: “LDAP bind at server ‘X’ failure: Local error”

Cause: A DNS reverse lookup zone for your LDAP server’s IP address is not configured.

Solution: To confirm this, open a Windows command shell and type: nslookup <IP address of host>. If the nslookup command returns the correct hostname, then the reverse DNS zone is configured correctly. If the nslookup command does not come back with the correct hostname, the DNS administrator needs to add a reverse lookup zone to resolve the issue.

Cause: An unhandled error has occurred on the device and is preventing it from operating correctly.

Solution: Try rebooting the device.


Error message: “LDAP bind at server ‘X’ failure: SSL bind required”

Cause: The LDAP server requires that the connection be made using Secure Sockets Layer (SSL).

Solution: See Configuring LDAP over SSL on page 23.

Error message: “LDAP failure retrieving display name. Result code: Fail”

Cause: The search root is incorrect.

Solution: Typically, if your domain is TECHNICAL.MARKETING.COM, then your search root would be DC=TECHNICAL,DC=MARKETING,DC=COM. It may also have CN=Users.

Cause: The attribute used to retrieve the username is incorrect. This attribute is often “displayName”, but it may be different depending on the LDAP schema.

Solution: Contact your LDAP administrator to obtain the correct LDAP settings, or use the ldp tool as described in the Configuring Embedded Kerberos Authentication guide to discover them.

Error message: “LDAP failure retrieving E-mail address. Result code: Fail”

Cause: The attribute used to retrieve the E-mail address is incorrect. This attribute is often “email”, but it may be different depending on the LDAP schema.

Cause: The LDAP database does not have an E-mail address populated for this user.

Solution: Contact your LDAP administrator to verify this, or use the ldp tool as described in the Configuring Embedded Kerberos


PKINIT troubleshooting

Error message: “HP smart card reader not detected. Please connect the HP reader #nnnnn to the device, and turn the device off and back on.”

Cause: The reader detection algorithm may have failed.

Solution: Reboot the device and try again.

Cause: The connection may be loose.

Solution: If the device reboots and the same problem persists, power the device off and check that the reader is connected firmly. After ensuring the connection is secure, power the device back on.

Cause: The reader may be faulty.

Solution: Try replacing the card reader with a different reader. Return the faulty reader to HP for replacement.

Error message: “Authentication Failed: CMS verify signed failed: Failed to find issuer with subject ‘X’ for certificate with subject ‘Y’. Please contact the administrator.”

Cause: The issuer certificate of the KDC certificate is not installed on the device.

Solution: Installing the issuer’s certificate on the device enables the device to verify that the response from the KDC is valid. To see the certificates that have been installed on the device:

1. Start the device HP Embedded Web Server and select the Settings tab.

2. On the left menu bar, click Kerberos Authentication. Select the domain name and click Edit, or enter a new domain name. The Kerberos Authentication page displays.

3. Scroll down to the Kerberos PKINIT Configuration section and click Certificates.

Error: “Authentication Failed: KDC issuer certificate with subject 'X' is expired. Please contact the administrator.”

Cause: The issuer certificate of the KDC certificate is installed on the device, but it is no longer valid.

Solution: Every digital certificate is only valid for a specific time period. Once that time period has expired, the certificate is no longer considered valid. You need to install a new certificate on the device. To see certificates that have been installed on the device, go to the Kerberos Authentication page, and click Edit under the appropriate certificate type heading in the Using PKINIT Authentication (Smart Card Authentication Only) section.

You do not see a prompt to enter your PIN or insert your card when you try to access the device.

Cause: The device is not configured properly for Smartcard authentication.

Solution: See Configure authentication using the Smartcard accessory on page 19 for additional information.


Error: “Authentication Failed: Authentication Method Not Found. Please contact the administrator”

Cause: Smartcard authentication was previously installed on the device, but the device configuration has been changed because the hard disk was re-initialized.

Solution: The entire HP Access Control Smartcard Solution installation and configuration must be completed again. This includes reinstalling the HP Access Control Smartcard Solution authentication upgrade and performing all of the necessary HP Embedded Web Server configuration steps. Refer to Installation on page 1 and Configuring the MFP/digital sender on page 7 for instructions.

If the hard disk was not intentionally reinitialized, then you may want to secure the device so that only an administrator can re-initialize the hard disk. Please contact HP for more information on protecting the device from unauthorized bootloader access.

Error: “Authentication Failed: User certificate has been revoked”

Cause: The user is trying to authenticate with an invalid Smartcard.

Solution: Try using a different Smartcard for authentication.

Error: “Authentication Failed: User certificate is expired”

Cause: The user is trying to authenticate with an expired Smartcard.

Solution: Try using a different Smartcard for authentication.

Error: “Authentication Failed: Kerberos Server unable to validate user certificate”

Cause: The Kerberos server may have an outdated CRL or may be unable to contact the OCSP server for validation.


OCSP/CRL troubleshooting

Error message: “Authentication Failed: KDC certificate with subject ‘X’ has been revoked.”

Cause: The OCSP responder returned a revoked status for the KDC certificate with subject ‘X’.

Solution: Contact your PKI administrator.

Error message: “Authentication Failed: KDC certificate status with subject ‘X’ is unknown.”

Cause: The OCSP responder returned an unknown status for the KDC certificate with subject ‘X’.

Solution: Contact your PKI administrator.

Error message: “Authentication Failed: Unable to contact OCSP responder.”

Cause: The OCSP responder URL was not entered correctly or is not a valid URL.

Solution: To determine if the URL is valid, open a Web browser and copy the URL into the address bar. If the Web browser is unable to connect to the host or it returns a “page not found” error, then the URL is not the address of a valid OCSP responder.

Cause: DNS settings on the device are not correct.

Solution: To determine if the device DNS settings are incorrect, use the IP address of the OCSP responder instead of a hostname in the URL. To determine the IP address, open a Windows command shell and type: nslookup <OCSP responder hostname>. The nslookup command should return the name of the DNS server that resolved the host and the IP address of the host. Try entering the OCSP responder IP address on the settings page and performing authentication again. If this works, start the device's HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command.

Cause: The OCSP responder is powered off or not reachable.

Solution: If the URL is correct but accessing the OCSP responder through a Web browser is failing, the responder may be powered off or network problems may be preventing access.

Cause: The OCSP responder is only accessible through a proxy server.

Solution: Check the Web browser settings to determine if it is configured to use a proxy server. Disable the proxy settings and try contacting the OCSP responder through the Web browser again. If the Web browser indicates that it is not able to connect to this host or it returns a “page not found” error, then a proxy connection is required. The device only supports direct HTTP connections to OCSP responders.


Error message: “Authentication Failed: OCSP request failed: Failed to find issuer with subject ‘X’ for certificate with subject ‘Y’. Please contact the administrator.”

Cause: A certificate in the issuing chain of the KDC certificate is not installed on the device.

Solution: In order for the KDC certificate to be trusted, if the KDC certificate is not self-signed, then all certificates in the KDC certificate chain must be validated. One of the certificates in this chain is not installed on the device. To see the certificates that have been installed on the device:

1. Start the device's HP Embedded Web Server and select the Settings tab.

2. On the left menu bar, click Kerberos Authentication. Select the domain name and click Edit, or enter a new domain name. The Kerberos Authentication page displays.

3. Scroll down to the Kerberos PKINIT Configuration section and click Certificates.

Error message: “Authentication Failed: OCSP response verification failed. Responder certificate with subject ‘X’ not installed. Please contact the administrator.”

Cause: The OCSP responder certificate is not installed on the device.

Solution: The device will only trust the OCSP response if the OCSP responder’s certificate is installed on the device. The OCSP response is signed, and installing the responder’s certificate on the device allows the device to verify that the response should be trusted. To see the certificates that have been installed on the device:

1. Start the device's HP Embedded Web Server and select the Settings tab.

2. On the left menu bar, click Kerberos Authentication. Select the domain name and click Edit, or enter a new domain name. The Kerberos Authentication page displays.

3. Scroll down to the Kerberos PKINIT Configuration section and click Certificates.

Error: “Authentication Failed: OCSP responder certificate with subject 'X' is expired. Please contact the administrator.”

Cause: The OCSP responder certificate is installed on the device, but it is no longer valid.


Error: “Authentication Failed: CRL X not found. Please contact the administrator.”

Cause: A CRL specified in the PKINIT configuration settings is not found. This may be because the file path was entered incorrectly, the device hard disk was reinitialized, or the CRL file has never been installed onto the device.

Solution: To view files on the device hard disk, on the control panel touch Administration, then touch Information, then touch Configuration / Status Pages, and then touch File Directory. Touch Print to print the file directory list. The CRL file should be at the same location as the path indicated in the PKINIT configuration settings.

Error: “Authentication Failed: No valid CRL found for this KDC. Please contact the administrator.”

Cause: All of the CRL(s) specified in the PKINIT configuration settings are present on the device, but none are signed by the proper certificate authority.

Solution: A CRL file needs to be present for each certificate in the KDC issuer chain, and each CRL should be signed by the same certificate authority which issued the certificate.

Error: “Authentication Failed: CRL X is expired. Please contact the administrator.”

Cause: The specified CRL is no longer valid.

Solution: CRL files, like certificates, are only valid for a specific period of time. Once that time period expires, the CRL is not considered valid. A new CRL needs to be installed on the device.
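The issuer, expiry and CRL entries above (the CMS verify "Failed to find issuer" message, the "KDC issuer certificate ... is expired" message, and the "No valid CRL found" and "CRL X is expired" messages) follow one chain of checks. The model below is an added example, not HP's code: it walks a constructed KDC certificate chain in the order those messages imply and returns a message shaped like the guide's, so an administrator can see which missing or stale file produces which error. Subjects, file names and dates are invented.

```python
"""Model of the PKINIT trust checks behind this chapter's KDC and CRL messages.

Added example, not HP code: it reproduces the order of checks the guide's
messages imply (issuer installed -> issuer not expired -> a CRL present for
each issuer -> CRL not expired) over constructed certificate and CRL records.
The real device also checks signatures and OCSP; this model tracks only the
subject/issuer linkage and validity dates that the error texts refer to.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class CertRecord:
    subject: str
    issuer: str
    not_after: datetime


@dataclass(frozen=True)
class CrlRecord:
    name: str             # file name as entered in the PKINIT configuration
    issuer: str           # CA that signed this CRL
    next_update: datetime


def validate_kdc_trust(kdc: CertRecord, installed: List[CertRecord],
                       crls: List[CrlRecord], now: datetime) -> str:
    """Return "OK" or a message shaped like the guide's error text."""
    by_subject: Dict[str, CertRecord] = {c.subject: c for c in installed}
    issuers: List[CertRecord] = []
    cert = kdc
    # 1. Walk up to a self-signed root using only certificates on the device.
    while cert.issuer != cert.subject:
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return ("CMS verify signed failed: Failed to find issuer with subject "
                    f"'{cert.issuer}' for certificate with subject '{cert.subject}'")
        if issuer.not_after < now:
            return f"KDC issuer certificate with subject '{issuer.subject}' is expired"
        if len(issuers) >= 8:
            return "certificate chain too long"  # guards against a looping chain
        issuers.append(issuer)
        cert = issuer
    # 2. Each CA in the chain needs a CRL that the same CA signed.
    for ca in issuers:
        matching = [c for c in crls if c.issuer == ca.subject]
        if not matching:
            return "No valid CRL found for this KDC"
        for crl in matching:
            if crl.next_update < now:
                return f"CRL {crl.name} is expired"
    return "OK"


# Constructed sample PKI: root -> issuing CA -> KDC certificate (all invented).
NOW = datetime(2009, 11, 15, tzinfo=timezone.utc)
ROOT = CertRecord("CN=Example Root CA", "CN=Example Root CA",
                  datetime(2020, 1, 1, tzinfo=timezone.utc))
INTERMEDIATE = CertRecord("CN=Example Issuing CA", "CN=Example Root CA",
                          datetime(2012, 1, 1, tzinfo=timezone.utc))
EXPIRED_INTERMEDIATE = CertRecord(INTERMEDIATE.subject, INTERMEDIATE.issuer,
                                  datetime(2009, 1, 1, tzinfo=timezone.utc))
KDC = CertRecord("CN=ad1.technical.marketing", "CN=Example Issuing CA",
                 datetime(2010, 6, 1, tzinfo=timezone.utc))
CRLS = [CrlRecord("root.crl", "CN=Example Root CA",
                  datetime(2010, 1, 1, tzinfo=timezone.utc)),
        CrlRecord("issuing.crl", "CN=Example Issuing CA",
                  datetime(2009, 12, 1, tzinfo=timezone.utc))]
STALE_CRL = CrlRecord("issuing.crl", "CN=Example Issuing CA",
                      datetime(2009, 11, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(validate_kdc_trust(KDC, [ROOT, INTERMEDIATE], CRLS, NOW))          # OK
    print(validate_kdc_trust(KDC, [ROOT], CRLS, NOW))                        # issuer missing
    print(validate_kdc_trust(KDC, [ROOT, EXPIRED_INTERMEDIATE], CRLS, NOW))  # issuer expired
    print(validate_kdc_trust(KDC, [ROOT, INTERMEDIATE], CRLS[:1], NOW))      # CRL missing
    print(validate_kdc_trust(KDC, [ROOT, INTERMEDIATE], [CRLS[0], STALE_CRL], NOW))
```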

Error: “Unable to decode CDP extension.”

Cause: CDP was enabled but the server certificate did not contain a valid CDP extension.

Solution: Contact the administrator responsible for server certificates to resolve the problem.

Error: “No CDP is present in server certificate.”

Cause: The server certificate contained a valid CDP extension but the extension contained no CDP entries.

Solution: Contact the administrator responsible for server certificates to resolve the problem.

Error: “Unable to obtain CRL from Distribution Point”

Cause: A valid CDP extension was found on the server certificate, but the CRL could not be obtained. Possible causes are: an improperly formatted CDP entry, incomplete or inaccurate LDAP parameters in the CDP entry, problems communicating with the LDAP server, or the CRL is not present on the LDAP server in the location referenced by the CDP.

Solution: Using an LDAP browsing tool, verify that the LDAP server is responding and contains a CRL in the location referenced by the CDP on the server’s certificate. Ensure that the location of the CRL on the LDAP server has the attribute


E-mail troubleshooting

Error: "E-mail Gateway rejected the job because of the addressing information. Job Failed"

Cause: The E-mail address attribute under "Searching the LDAP Database" on the Kerberos settings page is incorrect. The E-mail address attribute is used to set the authenticated user’s from address. The E-mail gateway is trying to make sure that the "from" address is a valid from address.

Solution: Try changing the E-mail address attribute on the Kerberos page to reflect the correct LDAP attribute.

Error: "There are problems with the signature. Click the signature button for details."

Cause: Using Microsoft Outlook, E-mail sent by the device has an invalid digital signature. Viewing details on the signature shows:

"Error: The system cannot validate the certificate used to create this signature because the issuer's certificate is either unavailable or invalid."

The recipient of the E-mail message does not have the intermediate and/or root certificate necessary to validate the client’s E-mail certificate installed on their PC, and the device is not appending the intermediate and root certificates in the E-mail message because they have not been installed on the device.

Solution: Check the Kerberos page to see if the E-mail signing certificates are installed. Even if the device shows the certificates are installed, this does not mean the correct certificates are installed.

To ensure that the correct certificates are installed, you need to know which CA issued the user’s E-mail signing certificate. To do this, while viewing details for the digital signature in Microsoft Outlook, click on the signer and then click the "View Details" button. Under "Certificate Information" look at "Issued By". This certificate should be installed on the recipient’s PC. For more information on exporting the E-mail certificate chain to the device, follow the steps under "Configure Send to E-mail".

Error: "Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority."

Cause: Using Microsoft Outlook, E-mail sent by the device has an invalid digital signature and a window with the following message is displayed when the user views details on the signature:

"Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority.

The signature is invalid because you have either distrusted or not yet chosen to trust the following Certificate Authority: Issued By: <CA Issuer Name>

Valid From: <Validity Dates>"

At the bottom of the window is a prompt to Trust the Certificate Authority.

The correct E-mail signing certificates have been installed on the device; however, the user has not yet chosen to trust the certificate chain which signed the user's E-mail certificate. When the user decides to trust the signature, the CA certificate(s) are installed on their PC and future messages appear to have valid signatures.

Solution: The recipient of the message needs to decide whether or not to trust the CA that issued your digital certificate.


A Licenses

This solution from HP uses and contains open source code and libraries from Heimdal Kerberos 5 and the OpenSSL project. Following are acknowledgements, copyrights, and license information associated to these open source solutions.

● Heimdal Kerberos 5

● OpenSSL


Heimdal Kerberos 5


Heimdal is a free implementation of Kerberos 5. The goals are to:

• have an implementation that can be freely used by anyone

• be protocol compatible with existing implementations and, if not in conflict, with RFC 1510 (and any future updated RFC)

• be reasonably compatible with the M.I.T Kerberos V5 API

• have support for Kerberos V5 over GSS-API (RFC1964)

• include the most important and useful application programs (rsh, telnet, popper, etc.)

• include enough backwards compatibility with Kerberos V4

Copyright (c) 1997 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Eric Young wrote "libdes". Heimdal used to use libdes; without it kth-krb would never have existed. All functions in libdes have been re-implemented or used available public domain code. The core AES function was written by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto. The core DES SBOX transformation was written by Richard Outerbridge.
