PlotWave-ColorWave Security 2020-07 Administration Guide en - GB

PlotWave - ColorWave Systems
Administration guide
Security information
© 2020 Canon Production Printing

Copyright and Trademarks
Copyright
Copyright 2020 Canon Production Printing.
No part of this publication may be copied, modified, reproduced or transmitted in any form or by
any means, electronic, manual, or otherwise, without the prior written permission of Canon
Production Printing. Illustrations and printer output images are simulated and do not necessarily
apply to products and services offered in each local market. The content of this publication
should neither be construed as any guarantee or warranty with regard to specific properties or
specifications nor of technical performance or suitability for particular applications. The content
of this publication may be subject to changes from time to time without notice.
CANON PRODUCTION PRINTING SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL DAMAGES OF ANY NATURE, OR LOSSES OR EXPENSES RESULTING FROM
THE USE OF THE CONTENTS OF THIS PUBLICATION.
Language
Original instructions that are in British English.
Trademarks
Canon is a registered trademark of Canon Inc. ColorWave, PlotWave are trademarks or registered
trademarks of Canon Production Printing Netherlands B.V.
Adobe, PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated
in the United States and/or other countries.
Internet Explorer, Microsoft, Windows, Windows Server are trademarks or registered trademarks
of Microsoft Corp. incorporated in the United States and/or other countries.
McAfee is a trademark or registered trademark of McAfee, Inc. in the United States and other
countries.
All other trademarks are the property of their respective owners and hereby acknowledged.
Edition 2020-07 GB
Contents
Contents
Chapter 1
Introduction.......................................................................................................................11
The Security policy ........................................................................................................................................12
Downloads and support for your product....................................................................................................14
Overview of the security features available per system ............................................................................ 15
The use of software names and releases in this manual............................................................................23
Chapter 2
Security on PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
............................................................................................................................................ 25
Security on PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300................................................... 26
Overview...................................................................................................................................................26
Security overview for the PlotWave 300, the PlotWave 350, the PlotWave 900 R1.x and the
ColorWave 300 systems ...................................................................................................................26
System and Network security................................................................................................................. 27
Ports - Protocols.................................................................................................................................27
Security Patches................................................................................................................................ 32
Security levels....................................................................................................................................35
Prevent any outgoing connection to the Internet .......................................................................... 38
Security of the USB connection (PlotWave 300/350, ColorWave 300).......................................... 39
Antivirus ............................................................................................................................................ 40
Roles and Passwords........................................................................................................................ 41
Data Security ........................................................................................................................................... 44
E-Shredding....................................................................................................................................... 44
IPsec (on PlotWave 300/350, PlotWave 900 1.2 and higher 1.x, ColorWave 300)........................ 47
Prevent USB Direct Print and Scan to USB (PlotWave 300/350, ColorWave 300)........................65
HTTPS with PlotWave 900 R1.x........................................................................................................ 68
Smart Inbox management................................................................................................................ 76
Security on PlotWave 750 and PlotWave 900 R2.x .....................................................................................77
Overview...................................................................................................................................................77
Security overview for the PlotWave 750 and the PlotWave 900 R2.x systems............................ 77
System and Network security................................................................................................................. 78
Ports - Protocols.................................................................................................................................78
Security Patches................................................................................................................................ 83
Security levels....................................................................................................................................86
Prevent any outgoing connection to the Internet .......................................................................... 88
Antivirus ............................................................................................................................................ 89
Roles and Passwords........................................................................................................................ 90
Audit log............................................................................................................................................. 92
Data Security ........................................................................................................................................... 93
E-Shredding....................................................................................................................................... 93
IPsec ...................................................................................................................................................96
HTTPS (on PlotWave 750 and PlotWave 900 R2.x)....................................................................... 102
Smart Inbox management and job management.........................................................................113
Chapter 3
Security on PlotWave 500 and PlotWave 340/360.......................................................115
Overview....................................................................................................................................................... 116
Security overview for the PlotWave 500 and PlotWave 340/360 systems........................................ 116
3
Contents
System and Network security..................................................................................................................... 117

Ports - Protocols..................................................................................................................................... 117
Applications, protocols and ports ................................................................................................. 117
Security Patches.....................................................................................................................................120
Install Operating system patch.......................................................................................................120
Protocol protection................................................................................................................................ 122
Network protocols protection ........................................................................................................122
Prevent any outgoing connection to the Internet ...............................................................................124
Security of the USB connection ...........................................................................................................125
The USB connection on the printer user interface ...................................................................... 125
Antivirus .................................................................................................................................................126
Roles and Passwords.............................................................................................................................127
Roles and profiles............................................................................................................................ 127
Passwords policy and behaviour in the PlotWave 500 and PlotWave 340/360 systems........... 128
Access control........................................................................................................................................ 130
Audit log................................................................................................................................................. 131
Data security................................................................................................................................................. 132
E-Shredding in PlotWave 500 and PlotWave 340/360 systems..........................................................132
E-shredding presentation................................................................................................................132
Enable the e-shredding in Express WebTools.............................................................................. 133
E-shredding process and system behaviour................................................................................. 135
IPsec ....................................................................................................................................................... 136
IPsec presentation .......................................................................................................................... 136
Configure the IPsec settings in the controller .............................................................................. 138
Configure the IPsec settings on a workstation or a print server..................................................140
Troubleshooting: Disable 'Access control' and IPsec (PlotWave 500 and PlotWave 340/360
systems)........................................................................................................................................... 153
HTTPS .................................................................................................................................................... 156
Encrypt print data and manage the system configuration using HTTPS....................................156
Request and import a CA-signed certificate..................................................................................164
Prevent 'Print from USB' and/or 'Scan to USB' ..................................................................................170
How to prevent 'Print from USB' and/or 'Scan to USB'............................................................... 170
Smart Inbox management and job management............................................................................... 171
Chapter 4
Security on PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500.................... 173
Overview....................................................................................................................................................... 174
Security overview for the PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500.................... 174
Ports - Protocols..................................................................................................................................... 176
Install Operating system patch for PW345/365/450/550............................................................... 180
Install Operating system patch for PW3000/3500/5000/5500/7500.............................................. 182
Port based authentication (IEEE 802.1X)..............................................................................................188
Port-based authentication (IEEE 802.1X) - explained................................................................... 188
IEEE802.1X - Configuration steps...................................................................................................193
Configure a Certification Authority (example on Windows Server 2016)...................................194
Prepare the RADIUS server (example on Windows Server 2016)............................................... 196
Prepare the switch........................................................................................................................... 200
Configure the printer controller......................................................................................................202
Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2'......... 209
Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with EAP-
TLS)'..................................................................................................................................................219
4
Contents
Troubleshoot....................................................................................................................................236
Antivirus .................................................................................................................................................242
User access/LDAP authentication......................................................................................................... 243
Roles................................................................................................................................................. 243
Local users....................................................................................................................................... 244
Domain users (LDAP authentication): for PW3000/3500/5000/5500/7500 and for
PW345/365/450/550 R1.2 and higher versions...............................................................................245
Configure the Domain users (LDAP authentication over Kerberos)............................................246
Validate the configuration (Kerberos)............................................................................................249
Configure the Domain users (LDAP authentication over SSL).................................................... 251
Configure the trusted certificates .................................................................................................. 254
Validate the configuration (SSL).................................................................................................... 256
User access on the user panel........................................................................................................257
User access with Express Webtools.............................................................................................. 259
Password policy...............................................................................................................................261
Disabling local user access............................................................................................................. 262
Troubleshooting LDAP authentication over Kerberos..................................................................263
Troubleshooting LDAP authentication over SSL.......................................................................... 264
Permissions for Service operations......................................................................................................265
Passwords policy................................................................................................................................... 266
Access control........................................................................................................................................ 268
Audit log................................................................................................................................................. 269
SNMPv3: for PW3000/3500/5000/5500/7500 and for PW345/365/450/550 R1.2 and higher
versions...................................................................................................................................................271
Secure Boot (PW3000/3500/5000/5500/7500) ...................................................................................... 272
Whitelisting (McAfee Application Control) (PW3000/3500/5000/5500/7500) .................................... 273
Data security................................................................................................................................................. 275
User authentication................................................................................................................................275
Secure printing, copying and scanning operations with the User authentication.....................275
User authentication: the standard workflows............................................................................... 279
Authentication by Smart card ........................................................................................................286
Authentication by Contactless card .............................................................................................. 293
Authentication by user name and password................................................................................ 298
Log out .............................................................................................................................................304
Troubleshooting.............................................................................................................................. 307
Hard disk encryption (for PW345/365/450/550)....................................................................................310
Hard disk encryption (PW3000/3500/5000/5500/7500).........................................................................313
E-Shredding............................................................................................................................................315
IPsec ....................................................................................................................................................... 319
Troubleshooting: Disable 'Access control' and IPsec...................................................................336
HTTPS .................................................................................................................................................... 338
TLSv1.2 / Strong cipher...................................................................................................................352
HTTPS recommendations for Certificate creation........................................................................ 354
Scan to Home folder / Print from Home folder....................................................................................355
Data protection for template export (for PW3000/3500/5000/5500/7500 and
PW345/365/450/550 R1.2 and higher versions)....................................................................................359
5
Contents
Chapter 5
Security on ColorWave 550/600/650 (and Poster Printer).......................................... 361
Security on ColorWave 550 R2.x, ColorWave 600 (Poster Printer), ColorWave 650 R2.x (Poster
Printer)...........................................................................................................................................................362
Overview.................................................................................................................................................362
Security overview for the ColorWave 600/650 (Poster Printer) and the ColorWave 550
systems.............................................................................................................................................362
System and Network security............................................................................................................... 364
Ports - Protocols...............................................................................................................................364
Security Patches.............................................................................................................................. 367
Protocol protection.......................................................................................................................... 370
Prevent any outgoing connection to the Internet ........................................................................ 371
Security of the USB connection .................................................................................................... 372
Operating System and software protection.................................................................................. 373
Roles and Passwords...................................................................................................................... 374
Access control..................................................................................................................................376
Data Security.......................................................................................................................................... 377
E-Shredding on ColorWave 600 and ColorWave 650 (PP) and ColorWave 550......................... 377
IPsec on ColorWave 550 v2.3.1 and higher and ColorWave 650 (PP) v2.3.1 and higher...........380
How to prevent 'Print from USB' on ColorWave 550/650 (and PP) ............................................ 396
Security on ColorWave 550 R3.x, ColorWave 650 R3.x.............................................................................398
Overview.................................................................................................................................................398
Security overview for the ColorWave 550 R3.x, ColorWave 650 R3.x system........................... 398
System and Network security............................................................................................................... 399
Ports - Protocols...............................................................................................................................399
Security Patches.............................................................................................................................. 402
Protocol protection.......................................................................................................................... 404
Prevent any outgoing connection to the Internet ........................................................................ 406
Security of the USB connection .................................................................................................... 407
Antivirus .......................................................................................................................................... 408
Roles and Passwords...................................................................................................................... 409
Access control..................................................................................................................................411
Audit log........................................................................................................................................... 412
Data security...........................................................................................................................................413
E-Shredding..................................................................................................................................... 413
IPsec .................................................................................................................................................414
HTTPS (on ColorWave 550 R3.x and ColorWave 650 R3.x)......................................................... 420
How to prevent 'Print from USB' on ColorWave 550/650 (and PP) ............................................ 430
Chapter 6
Security on ColorWave 500, 700, 3500, 3600, 3700, 3800............................................433
Overview....................................................................................................................................................... 434
Security overview for the ColorWave 3500/3600/3700/3800 and ColorWave 500/700 systems...... 434
Ports - Protocols..................................................................................................................................... 437
Install Operating system patch for CW500/700............................................................................. 441
Install Operating system patch for CW3500/3600/3700/3800....................................................... 443
6
Contents

TLS)'..................................................................................................................................................480
Troubleshoot....................................................................................................................................497
Antivirus .................................................................................................................................................503
Roles................................................................................................................................................. 504
Local users....................................................................................................................................... 505
Domain users (LDAP authentication): for CW3500/3600/3700/3800 and CW500/700 R4.2
and higher versions.........................................................................................................................506
Password policy...............................................................................................................................520
Permissions for Service operations......................................................................................................524
Passwords policy................................................................................................................................... 525
Access control........................................................................................................................................ 527
Audit log................................................................................................................................................. 528
SNMPv3: for CW3600/3800, CW3500/3700 (R5.1 and higher versions) and CW500/700 R4.3
and higher versions).............................................................................................................................. 530
Secure Boot (CW3600/3800) .................................................................................................................531
Whitelisting (McAfee Application Control) (CW3600/3800) ...............................................................532
Data security................................................................................................................................................. 534
User authentication................................................................................................................................534
Secure printing, copying and scanning operations with the User authentication.....................534
User authentication: the standard workflows............................................................................... 538
Authentication by Smart card ........................................................................................................545
Authentication by Contactless card (for CW3500/3600/3700/3800 and CW500/700 4.2 and
higher versions) .............................................................................................................................. 552
Authentication by user name and password................................................................................ 557
Log out .............................................................................................................................................563
Hard disk encryption (for CW500/700/3500/3700)................................................................................569
Hard disk encryption (CW3600/3800)................................................................................................... 572
E-Shredding............................................................................................................................................574
IPsec ....................................................................................................................................................... 578
HTTPS .................................................................................................................................................... 597
7
Contents
Scan to Home folder / Print from Home folder....................................................................................614

Data protection for template export (for CW3500/3600/3700/3800 and CW500/700 R4.2 and
higher versions)..................................................................................................................................... 618
Chapter 7
Security on ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave
910 (lower than R1.4)......................................................................................................619
Overview....................................................................................................................................................... 620
Security overview for the ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave
910 (lower than R1.4) systems.............................................................................................................. 620
Ports - Protocols..................................................................................................................................... 621
Install Operating system patch.......................................................................................................623
Roles and Passwords.............................................................................................................................629
Roles and profiles............................................................................................................................ 629
Audit log ................................................................................................................................................ 631
Data security................................................................................................................................................. 632
HTTPS .................................................................................................................................................... 632
Chapter 8
Security on ColorWave 9000 (R2.x and R 3.x) and ColorWave 810/910 (R1.4 and
higher versions).............................................................................................................. 647
Overview....................................................................................................................................................... 648
Security overview for the ColorWave 9000 and ColorWave 810/910 R1.4 (and higher versions)
................................................................................................................................................................. 648
Ports - Protocols..................................................................................................................................... 649
Install Operating system patch for CW810/910 ............................................................................ 652
Install Operating system patch for CW9000.................................................................................. 654
8
Contents
TLS)'..................................................................................................................................................691
Troubleshoot....................................................................................................................................708
Roles................................................................................................................................................. 714
Local users....................................................................................................................................... 715
Domain users (LDAP authentication).............................................................................................716
Password policy...............................................................................................................................731
Audit log ................................................................................................................................................ 735
SNMPv3: for CW9000 (2.1 and higher versions) and CW810/910 (1.5 and higher versions)...........736
Data security................................................................................................................................................. 737
E-Shredding............................................................................................................................................737
IPsec ....................................................................................................................................................... 742
HTTPS .................................................................................................................................................... 761
Data protection for template export..................................................................................................... 778
Index.................................................................................................................................779
9
Contents
10
Chapter 1
Introduction
The Security policy
The Security policy

Definition
At Canon Production Printing, security is an integral part of system development, and the
company is taking a proactive approach to the improvement of security-related issues. Canon
Production Printing is working to address security requirements across all of its digital document
systems.
For its printing systems connected to the network, Canon Production Printing strives to ensure
the:
- Security of the system on the network
- Security of the data sent to the printers, with a focus on protecting sensitive documents from
being captured by un-authorised persons
- Security of the configuration and data on the controller
NOTE
See the Table of the security features on page 15 to get an overview of the security features
available per print system.
System security and security on the network

Faced with system vulnerabilities, viruses, worms and in order to maximise the protection of the
print systems from hackers and networking attacks, Canon Production Printing has reinforced the
security of the print systems by, for example:
• Introducing the Security levels to offer network security protection against virus / worm attacks
or system vulnerabilities (on Windows Operating Systems).
Once the Security Interface is activated, you can define the level of security according to your
system needs. Notice that the higher level of security you set, the fewer printing and scanning
functionalities you get.
• Implementing network protocols protection features (by use of the Security levels filtering or
by configuring each network protocol for firewall filtering).
• Protecting the system roles and passwords. The main network and system settings are
protected against change. Only authorised users can configure or change these settings.
• Allowing a user, member of a domain, to logon to the system with LDAP authentication.
• Regularly checking the relevance of Microsoft flaws and delivering security patches whenever
it is necessary.
• Providing OS and software protection mechanism. The internal system software is protected
against alteration.
• Make the USB connection secure (on systems with USB slot).
• Restricting the access to the printer to allowed stations only.
• Allowing the installation of an Antivirus software on the system controller.
• Being compliant with IPv6 and then benefiting from IPv6 secured assets.
• Secure boot, to ensure that the system boots using only trusted software.
• Whitelisting (McAfee Application Control), to prevent any unauthorised change on the system.
NOTE
The availability of the security features depends on the products. See the Overview of the
security features available per system on page 15.
Data security
To ensure the security of the print data, Canon Production Printing has implemented:
12 Chapter 1 - Introduction
The Security policy
• The user authentication to allow only the owner of a job to print it or perform actions on it
(copy / scan), after authentication on the system user panel.
Find all information about the user authentication in the section Secure printing, copying and
scanning operations with the User authentication on page 534.
• The Scan to Home feature that allows an authenticated user to send scanned files from the
print system directly to the Microsoft Active Directory Home folder.
• The HTTPS (HTTP over SSL) protocol to encrypt the configuration management data,
submitted print data and saved scan data.
• The disk encryption capability.
• The e-shredding feature to overwrite any user data (print/copy/scan) when it is deleted from
the system.
This feature prevents the recovery of any deleted user data.
• The IPsec configuration, that provides authentication, data confidentiality and integrity in the
network communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan
data on the network.
• The Smart Inbox and job protection by:
- Limiting and restricting the access to the print and scan job data with the Smart Inbox
management capability.
- Managing the visibility of jobs and their availability through job submission tools with the job
management settings.
NOTE
The availability of the security features depends on the products. See the Overview of the
security features available per system on page 15.
Chapter 1 - Introduction 13
Downloads and support for your product
Downloads and support for your product

Downloads
User guides, printer drivers and other resources can change without prior notice. To stay up-to-
date, you are advised to download the latest resources from:
"http://downloads.cpp.canon"
Before you use your product, you must always download the latest safety information for your
product: make sure that you read and understand all safety information in the manual entitled
'Safety Guide' .
Support
For support information please contact your Canon local representative.
Find your local contact for support from:
"http://www.canon.com/support/"
From the Canon support page, you can also download the printer drivers for the Canon printers,
their related user guides and other resources.
Overview of the security features available per system

Introduction
Find below an overview of the security features for every PlotWave and ColorWave system.
Security features in PlotWave 300, 340, 345, 350, 360, 365, 450, 500, 550, 750, 900 R2.x systems
and in the ColorWave 300, 500 and 700 systems
PlotWave 300 from PlotWave 340 PlotWave 750

R1.5 PlotWave 345 PlotWave 900 R2.x
PlotWave 350 from PlotWave 360
R1.5 PlotWave 365
ColorWave 300 from PlotWave 450
R1.5 PlotWave 500
PlotWave 550
ColorWave 500
ColorWave 700
Operating System Windows Embedded - Windows Embedded Windows Embedded
Standard 2009 Standard 7 SP1 for: Standard 7 SP1
PlotWave 340
PlotWave 360
PlotWave 500
- Windows Embedded
Standard 8 64 bit for:
PlotWave 345
PlotWave 365
PlotWave 450
PlotWave 550
ColorWave 500
ColorWave 700
Firewall Yes Yes Yes
MS Security flaws / Yes Yes Yes
Security patches
Network protocols Security levels - 3 lev- Yes. Protection config- Security levels - 4 lev-
protection els urable per protocol els
OS and software in‐ - - -
tegrity mechanism
Disk encryption - Yes for: -
PlotWave 345
PlotWave 365
PlotWave 450
PlotWave 550
ColorWave 500 R4.1
and higher
ColorWave 700 R4.1
and higher 4
User authentication - - By smart card or -

user name / password
for:
PlotWave 345
PlotWave 365
PlotWave 450
PlotWave 550
ColorWave 500
ColorWave 700
- By contactless card
for:
PlotWave 345/365 1.1
and higher versions
PlotWave 450/550 1.1
and higher versions
ColorWave 500/700
4.2 and higher ver-
sions
Antivirus Compatible with 2 an- Compatible with 2 an- Compatible with 2 an-
tivirus brands tivirus brands tivirus brands
IPv6 Yes (IPV6 and IPV4 Yes (IPv6 only or IPv6 Yes (IPv6 only or IPv6
combination) and IPv4 combination) and IPv4 combination)
SMB authentication NTLMV2 NTLMV2 NTLMV2
Feature to encrypt da‐ - IPsec for: - IPsec - IPsec
ta on the network PlotWave 300 - HTTPS - HTTPS
PlotWave 350
ColorWave 300
Password protection Yes for: Yes for: Yes for:
- User settings - User settings - User settings
- Administration set- - Administration set- - Administration set-
tings tings tings
- Settings on the print- - Settings on the print- - Settings on the print-
er user panel er user panel er user panel
Data overwrite E-shredding E-shredding E-shredding
Access control - IP filtering -
Smart Inbox manage‐ - Smart Inbox restric- - Smart Inbox capabili- - Smart Inbox capabili-
ment tion ty can be disabled ty can be disabled
- Remote view restric- - Remote view restric- - Remote view restric-
tion tion tion
Scan to Home folder - Yes for: -
PlotWave 345
PlotWave 365
PlotWave 450
PlotWave 550
ColorWave 500 R4.1
and higher
ColorWave 700 R4.1
and higher 4
Publisher Express ac‐ - Access restriction Access restriction

cess
Control over actions - Remote action restric- Remote action restric-
on jobs tion tion
Control over Service - Operations made by -
operations Service under the con-
trol of the System Ad-
ministrator on:
PlotWave 345
PlotWave 365
PlotWave 450
PlotWave 550
ColorWave 500 R4.1
and higher
ColorWave 700 R4.1
and higher
Device authentication - IEEE802.1X for: -
PlotWave
345/365/450/550 R1.2
and higher
ColorWave 500/700
R4.2 and higher
User access (Local - - Local accounts (Key -
User Interface/ Ex‐ Operator, System Ad-
press WebTools) ministrator, Power
User, Service)
- LDAP authentica-
tion : Domain ac-
counts via LDAP over
Kerberos or LDAP
over SSL (for Plot-
Wave 345/365/450/550
R1.2 and higher, Col-
orWave 500/700 R4.2
and higher)
SNMPv3 support - for: -
PlotWave
345/365/450/550 R1.2
and higher
ColorWave 500/700
R4.3 and higher
Security features in PlotWave 3000, 3500, 5000, 5500, 7500
Operating System Microsoft Windows 10 IoT Enterprise LTSC 2019

Firewall Standard Microsoft Security updates (.MSU) approved
by Canon Production Printing
Yes
Network protocols protection Yes (per protocol, through firewall) 4
MS security patches
Security logging Auditing of security related events
Antivirus Yes
User authentication Yes, by:
- User name and password
- Smart card
- Contactless card
Scan to Home folder Yes, when User authentication by user name and pass-
word is enabled
Hard Disk encryption Yes (standard), 1 mode:
used space encryption with AES256 encryption
IPv6 Yes (IPV6 only or in combination with IPv4)
Access control IP filtering
Data overwrite E-shredding
Data encryption on the network IPsec
HTTPS for administration (Express WebTools) and for
Job submission through Publisher Express
HTTPS for Job submission via Publisher Select
Device authentication IEEE802.1X
User access (Local User Interface/ - Local accounts (Key Operator, System Administrator,
Express Web Tools) Power User, Service)
- LDAP authentication: Domain accounts via LDAP over
Kerberos or LDAP over SSL
Password protection Yes for:
- User settings
- Administration settings
- Settings on the printer user panel
SMB authentication NTLMV2
Smart Inbox management - Smart Inbox capability can be disabled
- Remote view restriction
Publisher Express access Access restriction
Control over actions on jobs Remote action restriction
Control over Service operations Operations made by Service under the control of the
System Administrator
SNMPv3 support Yes
Secure boot Yes
McAfee Application Control Yes
Security features in the ColorWave 550, ColorWave 600 (PP) and ColorWave 650 (PP) systems
ColorWave 600 (PP) ColorWave 650 R3.x

ColorWave 650 R2.x
ColorWave 650 PP
ColorWave 550
Operating System Linux and WES 2009 for: Windows Embedded Standard 7
- ColorWave 650 (multifunctional) SP1
- ColorWave 550 (multifunctional)
Linux for:
- ColorWave 650 (printer only)
- ColorWave 550 (printer only)
- ColorWave 600 (PP)
- ColorWave 650 PP
Firewall Yes Yes
MS Security flaws / Yes for ColorWave 650 / 550 (mul- Yes
Security patches tifunctional)
N/A for ColorWave 600 (PP), Color-
Wave 650 PP, ColorWave 650
(printer only) and ColorWave 550
(printer only)
Network protocols Yes. Protection configurable per Yes. Protection configurable per
protection protocol protocol
OS and software in‐ Yes -
tegrity mechanism
Antivirus - Compatible with 2 antivirus
brands
IPv6 Yes (IPv6 only or IPv6 and IPv4 Yes (IPv6 only or IPv6 and IPv4
combination) combination)
SMB authentication NTLMV1 NTLMV2 or NTLMV1
NTLMV2 or NTLMV1 only for:
- ColorWave 550 R2.2.3 and higher
Feature to encrypt da‐ IPsec for: - IPsec
ta on the network ColorWave 550 R2.3.1 and higher - HTTPS
ColorWave 650 R2.3.1 and higher
ColorWave 650 PP R2.3.1 and
higher
Password protection Yes for: Yes for:
- User settings - User settings
- Administration settings - Administration settings
- Settings on the printer user panel - Settings on the printer user panel 4
Data overwrite E-shredding for: E-shredding

ColorWave 650 PP R2.1 and higher
ColorWave 600 R1.5 and higher
higher
ColorWave 550 R2.2 and higher
Access control Access restriction to the printer IP filtering
for:
higher
Smart Inbox manage‐ - - Smart Inbox capability can be
ment disabled
Publisher Express ac‐ - Access restriction
cess
Actions on jobs Remote action restriction Remote action restriction
Security features in the ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave 910
(lower than R1.4) systems
Operating System Microsoft Windows Embedded Standard 8 64 bit

Firewall Yes
Network protocols protection Yes (per protocol, through firewall)
MS security patches Canon Production Printing released patches
Data encryption on the network HTTPS for administration (Express WebTools) and for
job submission through Publisher Express
- User settings
Security features in the ColorWave 9000 and ColorWave 810/910 R1.4 (and higher versions)
systems
Operating System Microsoft Windows 10 IoT Enterprise LTSB 2016

Firewall Yes
MS security patches Standard Microsoft Security updates (.MSU) approved
by Canon Production Printing (please check Security
Web Page on http://downloads.cpp.canon)
Security logging Auditing of security related events 4
Express WebTools) Power User, Service)
- LDAP authentication : Domain accounts via LDAP over
IPv6 Yes (IPV6 only or in combination with IPv4) (for CW9000
2.1 and higher and for CW810/910 1.5 and higher)
Device authentication IEEE802.1X (for CW9000 2.1 and higher and for
CW810/910 1.5 and higher)
- User settings
SNMPv3 support Yes (for CW9000 2.1 and higher and for CW810/910 1.5
and higher)
Security features in the ColorWave 3500/3600/3700/3800 systems
Operating System Microsoft Windows 10 IoT Enterprise LTSB 2016 (for

CW3500/3700)
Microsoft Windows 10 IoT Enterprise LTSC 2019 (for
CW3600/3800)
Firewall Yes
by Canon Production Printing (for
CW3500/3600/3700/3800)
(please check Security Web Page on http://down-
loads.cpp.canon)
Antivirus Yes
- Smart card
- Contactless card
word is enabled 4
Hard Disk encryption For CW3500/3700:

Yes (optional), 2 modes:
- Full disk encryption
- Normal encryption
Encryption mode:
- AES256
For CW3600/3800:
Yes (standard), 1 mode:
HTTPS for Job submission via Publisher Select (for
CW3600/3800)
Device authentication IEEE802.1X
- User settings
SNMPv3 support Yes for:
• CW3500/3700 5.1 and higher versions
• CW3600/3800
Secure boot Yes for:
• CW3600/3800
McAfee Application Control Yes for:
• CW3600/3800
The use of software names and releases in this manual

'Océ Express WebTools' and 'WebTools Express
NOTE
For new printers 'Océ Express WebTools' is called 'WebTools Express'.
When 'Express Webtools' is mentioned in this manual, depending on the printer 'Océ Express
WebTools' or 'WebTools Express' is meant.
'WPD2' and 'Driver Select'

Driver Select is the successor of WPD2.
'PS3' and 'Driver Express'

'Driver Express' is the successor of 'PS3'
Releases of the software

If software releases are mentioned in this manual, the topic only concerns these specific software
releases.
If no release is mentioned, the topic counts for each software release.
Chapter 2
Security on PlotWave 300/350,
PlotWave 750, PlotWave 900 and
ColorWave 300
Security on PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300
Security on PlotWave 300/350, PlotWave 900 R1.x and

ColorWave 300
Overview
Security overview for the PlotWave 300, the PlotWave 350, the PlotWave 900
R1.x and the ColorWave 300 systems
Introduction
The PlotWave 300, the PlotWave 350, the PlotWave 900 R1.x and the ColorWave 300 are equipped
with the following security features:
Security overview
Operating System - Windows XP Service Pack 3 for all versions of

PlotWave 300, PlotWave 350, and ColorWave
300 prior to R1.5 and PlotWave 900 R1.x
- Windows Embedded Standard 2009 for Plot-
Wave 300 R1.5, PlotWave 350 R1.5, ColorWave
300 R1.5 and higher versions
Firewall Yes
Network protocols protection 3 Security Levels
MS Security patches Canon Production Printing released patches
Antivirus Compatible with 2 Antivirus brands
IPV6 Yes
Data encryption on the network - IPsec for PlotWave 300, PlotWave 350, Plot-
Wave 900 from R1.2, and ColorWave 300
- HTTPS for PlotWave 900
- User settings
- Settings on the printer user panel*
* Except on PlotWave 900 R1.2.
26 Chapter 2 - Security on PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
System and Network security
Ports - Protocols
Applications, protocols and ports used in the PlotWave 300, the PlotWave
350, the PlotWave 900 R1.x and ColorWave 300 systems
Printing applications: security levels, ports and protocols used by the print systems
Application /Function‐ System Supported security lev‐ Port used on the

ality els (x) and open port controller: protocol
N* M* H*
Wide-format Printer PlotWave 300/ Plot- x x(1) x(2) TCP 515: LPR
Driver for Microsoft Wave 350/ PlotWave TCP 515 TCP TCP TCP 65200: back-
Windows (WPD, 900 R1.x TCP 515 515 channel(**)
WPD2) ColorWave 300 65200 TCP TCP 80: HTTP (for
Driver Select TCP 80 65200 advanced account-
UDP TCP 80 ing)
515 UDP 515: proprietary
protocol (for printer
discovery)
PostScript 3 driver PlotWave 300/ Plot- x x x TCP 515: LPR
Driver Express Wave 350/ PlotWave TCP 515 TCP TCP
900 R1.x 515 515
ColorWave 300
Publisher Express PlotWave 300/ Plot- x x TCP 80: HTTP
Wave 350/ PlotWave TCP 80 TCP 80
900 R1.x
ColorWave 300
Publisher Express over PlotWave 900 x x x TCP 443: HTTPS
SSL TCP 443 TCP TCP
443 443
Publisher Select PlotWave 300/ Plot- x x TCP 80: HTTP
Wave 350/ PlotWave TCP 515 TCP TCP 65200: back-
900 R1.x TCP 515 channel(**)
ColorWave 300 65200 TCP TCP 515: LPR
TCP 80 65200 UDP 515: proprietary
UDP TCP 80 protocol (for printer
515 discovery) 4
Chapter 2 - Security on PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300 27
Applications, protocols and ports used in the PlotWave 300, the PlotWave 350, the PlotWave 900 R1.x and ColorWave 300
systems

N* M* H*
Publisher Mobile PlotWave 300/ Plot- x TCP 515: LPR (3)
Wave 350/ PlotWave TCP 515 TCP 21: FTP (4)
900 R1.x TCP TCP 4242: FTP pas-
ColorWave 300 4242 sive mode(6)
ICMP ICMP: ping
UDP UDP 515: proprietary
515 protocol (for printer
TCP 21 discovery)
(4)
Mobile WebTools PlotWave 350 x x TCP 80: HTTP

PlotWave 900 R1.2 TCP 80 TCP 80
and higher
ReproDesk Studio PlotWave 300/ Plot- x x TCP 515: LPR
Wave 350/ PlotWave TCP 515 TCP TCP 65200: back-
900 R1.x TCP 515 channel(**)
ColorWave 300 65200 TCP
65200
Novell NDPS printing PlotWave 300/ Plot- x x x TCP 515: LPR
Wave 350/ PlotWave TCP 515 TCP TCP
900 R1.x 515 515
ColorWave 300
LPR printing (com- PlotWave 300/ Plot- x x x TCP 515: LPR
mand line) Wave 350/ PlotWave TCP 515 TCP TCP
900 R1.x 515 515
ColorWave 300
FTP printing PlotWave 300/ Plot- x x(5) TCP 21: FTP
Wave 350/ PlotWave TCP 21 TCP 21 TCP 4242: FTP (6)
900R1.x TCP
ColorWave 300 4242
Notes:
• * Levels: N: Normal - M: Medium - H: High
• (**) Back-channel is a proprietary protocol used to retrieve information from the printer (status,
media loaded...) and to display it in the application or driver.
• (1) LPR printing with back-channel and advanced accounting
• (2) LPR printing. No back-channel. No advanced accounting
• (3) Publisher Mobile v 2.2 and later for Android, and for Publisher Mobile v 2.3 and later for iOS
• (4) Only for Publisher Mobile v 2.0 to v 2.2 for iOS
• (5) FTP active mode only
• (6) Data channel for FTP passive mode
systems
Scanning / copying applications: security levels, ports and protocols used by the print systems

N* M* H*
Scan to File Remote PlotWave 300/ Plot- x -
SMB Wave 350
ColorWave 300
PlotWave 900 R1.x x x x -
Scan to File Remote PlotWave 300/ Plot- x x(1) x(1) -
FTP Wave 350/ PlotWave
900 R1.x
ColorWave 300
Scan data retrieval by PlotWave 300/ Plot- x x(2) TCP 21: FTP
FTP Wave 350/ PlotWave TCP 21 TCP 21 TCP 4242: FTP (3)
900 R1.x TCP
ColorWave 300 4242
Scan data retrieval PlotWave 300/ Plot- x x TCP 80: HTTP
from Smart Inbox Wave 350/ PlotWave TCP 80 TCP 80
(Scans) 900 R1.x
ColorWave 300
Scan data retrieval PlotWave 900 R1.x x x x TCP 443: HTTPS
from Smart Inbox TCP 443 TCP TCP
(Scans) over SSL 443 443
Notes:
• (1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive
mode
Control management: security levels, ports and protocols used by the print systems

N* M* H*
PING PlotWave 300/ Plot- x x x ICMP
Wave 350/ PlotWave
900 R1.x
ColorWave 300
SNMP based applica- PlotWave 300/ Plot- x UDP 161: SNMP
tions Wave 350/ PlotWave UDP
900 R1.x 161
ColorWave 300 4
systems

N* M* H*
WSD PlotWave 350 x x x TCP 80: HTTP
TCP 80 TCP 80 TCP UDP 3702: WSD dis-
UDP UDP 80 covery
3702 3702 UDP
3702
Express WebTools PlotWave 300/ Plot- x x TCP 80: HTTP
Wave 350/ PlotWave TCP 80 TCP 80
900 R1.x
ColorWave 300
Express WebTools PlotWave 900 R1.x x x x TCP 443: HTTPS
over SSL TCP 443 TCP TCP
443 443
Name resolution(**) PlotWave 300/ Plot- x Outgoing connec-

Wave 350 tion:
ColorWave 300 - local port (on con-
troller): UDP(/TCP)
PlotWave 900 R1.x x x x
<dynamic value>
- remote port (on
DNS server): UDP(/
TCP) 53
DHCP PlotWave 300/ Plot- x x x Outgoing connec-
Wave 350/ PlotWave tion:
900 R1.x - local port (on con-
ColorWave 300 troller) : UDP 68
- remote port (on
DNS server): UDP 67
Account Center PlotWave 300/ Plot- x x TCP 80: HTTP
Advanced accounting Wave 350/ PlotWave TCP 80 TCP 80
(WPD) 900 R1.x
ColorWave 300
Accounting informa- PlotWave 300/ Plot- x x(1) TCP 21: FTP
tion retrieval by FTP Wave 350/ PlotWave TCP 21 TCP 21 TCP 4242: FTP (2)
900 R1.x TCP
ColorWave 300 4242
Browse print systems PlotWave 300/ Plot- x UDP 137: NetBios
on the network with Wave 350/ PlotWave UDP over TCP/IP
Windows network 900 R1.x 137
neighbourhood ColorWave 300
Service Logic PlotWave 300/ Plot- x x(1) TCP 21: FTP
Wave 350/ PlotWave TCP 21 TCP 21 TCP 4242: FTP (2)
900 R1.x TCP
ColorWave 300 4242 4
systems

N* M* H*
IPsec PlotWave 300/ Plot- x UDP 500
Wave 350 UDP UDP 4500
ColorWave 300 500
PlotWave 900 R1.2 UDP
and higher 4500
Remote Meter Read- PlotWave 300/ Plot- x UDP 161: SNMP
ing Manager Wave 350/ PlotWave UDP
900 R1.x 161
ColorWave 300
On Remote Service PlotWave 300 R1.5 x x x HTTPS outgoing
and higher connection required:
PlotWave 350 R1.5 TCP/IP port 443 (3)
and higher
PlotWave 900 R1.x
ColorWave 300 R1.5
and higher
Notes:
• (**) The name resolution is mainly used to determine the IP address of the scan destination
during Scan fo File operation
• (3) TCP/IP port 443 must be opened and must allow response back on the IT infrastructure
firewall.
Security Patches
Security Patches
Install the Remote patch (on PlotWave 300/350, PlotWave 900 R1.x and
ColorWave 300)
Introduction
You can install the Remote patches (Security patches) in the following versions of the systems:
• PlotWave 300 1.2.1 and higher
• PlotWave 350 1.0 and higher
• PlotWave 900 1.x
• ColorWave 300 1.2.1 and higher
Before you begin

NOTE
Security patches are not incremental. Therefore, if you install a security patch on the printer,
make sure that the previous security patches are already installed.
Find the Security patch from the Downloads website on "http://downloads.cpp.canon":

Open the product page and go to the Security tab to download the available security patches.
Install the Remote patch
Procedure
1. Open Express Webtools
2. Open the 'Support' tab
3. Select 'Update'
The Authentication window opens.
Install the Remote patch (on PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300)
4. Log in as the System administrator or Power user

All the patches successfully applied (when any) are displayed
5. Click on the 'Update' icon (top right corner) to open the wizard
6. Click OK
7. Browse to the Remote patch and click OK to install it
Install the Remote patch (on PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300)
8. Click OK to confirm the update

The system restarts to apply the patch.
Security levels
Security levels
Security levels presentation
Introduction
Canon Production Printing defined 3 levels of security according to the customer needs. The
presentation below can help you to select the most suitable level.
High security level

The High level is the most secure mode for printing and scanning.
The compliant applications are based on:
• the LPR protocol for printing
• the HTTPS protocol (PlotWave 900 only) for printing
• the FTP protocol for scanning.
Target:
• This level provides you the most secure mode while using the basic feature for printing and
scanning. Only some applications are available. See the security levels supported per
application/functionality on page 27.
• This security level may also be used when you want to be protected whenever a vulnerability
has been discovered and the corresponding patch cannot be yet installed. As soon as the patch
can be installed, you can go back to the original security level.
Medium security level

The Medium level is compliant with all the applications available for printing and scanning which
do not present a high risk (as reported by most popular network scanners).
Target:
This level is recommended if you need to be secured while you want to use the applications for
printing and/or scanning (you can use the system including more functions than with the High
security level).
Normal security level

This mode offers all the functionalities.
Target:
• You can select this level if you want to use some features not covered by MEDIUM security
level.
• This level is more dedicated for small network infrastructure where security is less required
versus features.
Set the security level in PlotWave 300, PlotWave 350 and ColorWave 300
Introduction
The [Security] wizard on the printer user panel gives the option to check or change the security
level of the system.
Before you begin

The System Administrator or a Power User can protect the security settings with a password.
Protect the security level by a password
When the protection is activated, you must type the password in the printer user panel before
you can change the security level.
Procedure
1. From the [HOME] screen select the [System] tab.
2. Select the [Setup] tab.
3. Use the scroll wheel to go to the [Security]([Configure settings]) wizard.
4. Open this section with the confirmation button.

5. The screen displays the security level and the active network access options:
6. Two options are possible:

• Press the [Back] key in case you only want to check the security settings.
• Press the [Next >] key in case you want to adapt the security level.
Enter the password if requested and follow the wizard to adapt the security level.
Protect the security level by a password
Procedure
1. Open the Express Webtools in a web browser (http://Printer IP address or hostname)
2. In the 'Preferences' tab, select 'System settings'
3. In the 'Printer Properties', goes to 'Password to change security level'
4. Click on the value to edit it
5. Log in as the System Administrator or as a Power User
6. Select 'New'
7. Type and re-type a numeric password
Set the security level in PlotWave 900 R1.1 and higher R1.x versions
8. Confirm to activate the password.
Result
You must type the password in the printer user panel when you want change the security level.
Set the security level in PlotWave 900 R1.1 and higher R1.x versions
Introduction
The security user interface is available through the Express WebTools application.
NOTE
You need to be logged on as the System Administrator to access the security level interface and
change the security levels.
Procedure
1. Open the Express Webtools in a web browser (http://Printer IP address or hostname)
2. On the [Configuration] tab, select [Connectivity]
3. Go to the Security section
4. Click on 'Edit' or double click on the value to open the [Security level] window
5. Set the security level and click 'OK'
6. Restart the printer when prompted
Result
After you set the Security level to 'High', you must open Express Web Tools by means of the
HTTPS protocol: type https://Printer IP address or hostname in the web browser.
Prevent any outgoing connection to the Internet
Introduction
Some features of the following systems allow or request a connection over the Internet to work
properly:
• PlotWave 300 R1.5 and higher
• PlotWave 350 R1.5 and higher
• ColorWave 300 R1.5 and higher
When the Security Policy in a company prevents any outgoing network traffic over the Internet,
perform all the following actions in Express WebTools:
St In the Express WebT‐ Action Detail

ep ools section
1 Support - Remote Serv- Stop the Remote assistance if is ac- Click 'Stop remote assis-
ice - Remote assistance tivated tance' until it changes into
'Allow remote assistance' .
The two blinking arrows
on the right side disap-
pear.
2 Preferences - System Disable Online Services Set 'Online connection en-
Settings - Service abled' to 'Disabled'
3 Configuration - Scan Delete any scan destination going to Uncheck 'Scan destination
destination [X] the Internet: [X]: enabled'
FTP sites reachable through the In-
ternet
4 Support - About - Shut- Restart the system
down - Restart
Security of the USB connection (PlotWave 300/350, ColorWave 300)
Security of the USB connection (PlotWave 300/350, ColorWave 300)
The USB connection on the Local user interface
Introduction
A USB connection is available on the PlotWave 300, PlotWave 350 and ColorWave 300 Local user
interface.
This USB connection is used to:
• Install and upgrade the controller software
• Backup and restore the controller configuration
• Scan to the USB storage device
• Print from the USB storage device
Security on the USB port

General USB port protection:
• Booting from the USB device is not possible.
• Executing any programme present on the USB device is not possible
The Autorun is disabled and no operation on the controller can execute a programme on the
USB device.
• Propagating on network any infected file present on the USB device plugged on the USB port
is not possible
Read from / write to USB device protection
• Protection of the USB READ operation:
- when restoring a controller configuration from the Local User Interface.
In that case, any file infected by a virus appears as an invalid backup file. The controller
software detects it and rejects the restore operation.
- when printing from the USB device.
Any print file infected by a virus will never compromise controller's software integrity.
• Protection of the USB WRITE operation:
- during the backup of the controller configuration, from the Local User Interface.
The backup is performed by the internal controller software. It cannot contaminate the USB
device by any threat.
- when making a Scan To File to the USB device:
The Scan To File operation to USB device is performed by the internal controller software. It
cannot contaminate the USB device by any threat.
Disable the USB features

You can disable:
• The direct printing operation from USB. See How to prevent 'Print from USB' on page 65
• The scanning operation to USB. See 1- Disable any 'USB stick' scan destination on page 65
Antivirus
Antivirus
Compatibility and recommendations

The following antivirus software can be installed on your PlotWave/ColorWave systems:
• Symantec AntiVirus Endpoint Protection
• McAfee VirusScan Enterprise Edition / ePolicy Orchestrator for AntiVirus update
Contact your Canon representative to know which antivirus version to install on your PlotWave/
ColorWave systems and get the installation procedure.
NOTE
Canon shall not be liable for damages of any kind attributable to the use of an antivirus on its
controllers.
Roles and Passwords
Roles and Passwords
Roles and profiles in the PlotWave 300/350, Plotwave 900 R1.x and
ColorWave 300
Roles description
In the system, the main network and system settings are protected against change. Only
authorised users can configure/change these settings.
4 roles are available:
• Key operator:
The Key operator can manage the jobs and the device settings
• System administrator
The System administrator can manage the Configuration settings such as the Network settings,
scan destinations settings, security settings (e-shredding, IPsec), and the hardware/software
configuration settings...
• Power user
The Power user has both the rights of the Key operator and the System administrator
• Service
This role is used exclusively by the Canon Service technician
Passwords policy and behaviour in the PlotWave 300/350 and ColorWave 300
Introduction
There are 2 groups of passwords:
• The passwords used in Express WebTools
• The passwords used in the printer user panel (also named Local User Interface)
Passwords used in Express WebTools

In Express WebTools the passwords protect:
• The roles
• The Scan to File remote user name
• The security settings (preshared key for IPsec)
Password modification table for PlotWave 300/350 and ColorWave 300

Password for Can be changed by
Key operator Key operator or Power user
System administrator System administrator or Power user
Power user Power user
Any ScanToFile remote user name System administrator or Power user
Any preshared key for IPsec System administrator or Power user
Mobile printing with Mobile WebTools System administrator or Power user
Password policy
A password can be made of 256 characters maximum.
Passwords policy and behaviour in the PlotWave 300/350 and ColorWave 300
For PlotWave 300 v1.2.1 and higher, PlotWave 350 and ColorWave 300 1.2.1 and higher, all MS
Windows characters are allowed in a password.
For previous versions of PlotWave 300 and ColorWave 300 the passwords can be made of:
• Any number [0-9]
• Any letter lowercase/uppercase [a-z][A-Z]
• the following special characters:
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
Passwords used on the printer user panel (Plotwave 300/350 and ColorWave 300)
Important: These passwords can only be made of numbers.
NOTE
Keep these passwords. The loss of these passwords may require the intervention of Canon
Service.
Printer panel passwords modification table for PlotWave 300/350 and ColorWave 300
Printer user panel password for Can be changed by
Change of the Network Settings
Change of the security level
Clear of the system
System administrator or Power user
Print of demo and test prints
Change of the hardware/software configuration
Start of the scanner calibration
Password backup/restore policy with the 'Save Set'/'Open Set' features

Some passwords are stored into the backup set made with the 'Save Set' feature of Express
WebTools (the passwords for the printer panel)
Password backup table for PlotWave 300/350 and ColorWave 300

Password / pincode for Backup with 'Save set'? Restore with 'Open set'?
Change of the Network Settings Yes, encrypted (1) Yes(2)
Change of the security level Yes, encrypted(1) Yes(2)
Clear of the system Yes, encrypted(1) Yes(2)
Print of demo and test prints Yes, encrypted(1) Yes(2)
Change of the hardware/software configu- Yes, encrypted(1) Yes(2)
ration
Start of the scanner calibration Yes, encrypted(1) Yes(2)
Any preshared key for IPsec No -
Mobile printing with Mobile WebTools No -
Any ScanToFile remote user name No -
Key operator No - 4
Passwords policy and behaviour in the PlotWave 900 R1.x
Password / pincode for Backup with 'Save set'? Restore with 'Open set'?
System administrator No -
Power user No -
(1):
- When a password is configured as 'No password', the information 'Auto' (meaning 'No
password') is stored in the backup file. It is not encrypted
- The passwords are stored in the backup file whatever the login used when making the 'Save
Set' operation (System administrator, the Key operator, or the Power user)
(2)
- The passwords are restored only when the System administrator or the Power user makes the
'Open Set' operation
- When a password has been stored with 'Auto' value, it is restored with the 'No password' value
Passwords policy and behaviour in the PlotWave 900 R1.x

• The roles
Password modification table for PlotWave 900 R1.x

Any ScanToFile remote user name System administrator or Power user
Mobile printing with Mobile WebTools System administrator or Power user
Remote Service proxy setting System administrator or Power user
Password policy
• 256 characters maximum
• Any 'Microsoft Windows' characters

None of the passwords for Power user, System administrator, Key operator, ScanToFile remote
user, Preshared key, Mobile printing or Remote Service proxy setting is stored in the back up file
with the 'Save Set' feature.
Data Security
Data Security
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature which allows to overwrite any user data (print/copy/
scan) when it is deleted from the system.
This feature prevents the recovery of any deleted user data (files' content and attributes)
A deleted job is a job that cannot be retrieved from any user interface.
When is a job deleted?

A job is deleted either:
• When it is manually deleted from a Smart Inbox
• After it was successfully printed and was not saved in a Smart Inbox ('Save printed jobs in a
Smart Inbox' system setting is disabled in the Express Webtools)
• After a 'ScanToFile to remote destination' has been successfully performed
• After a 'ScanToFile to USB stick' has been performed successfully or not (only on PlotWave
300/350 and ColorWave 300)
• When it is automatically deleted after a timeout:
- When the end of the job lifetime in the Smart Inbox is reached ('Save printed jobs in a Smart
Inbox' system setting is enabled in the Express Webtools and the 'Printed jobs in Smart Inbox:
job lifetime' is set)
- When the time for the cleanup of the 'Scans in Smart Inbox' is reached
• When a 'Clear system Remove all jobs' is performed on the printer local interface
E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense
directive):
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35.
NOTE
The e-shredding feature has been designed to minimise impact of the global system
performance.
However the more passes selected, the more impact it has on general performance.
It is recommended to minimise the number of passes when document production is required.
Enable the e-shredding
Before you begin

You must be logged as a System Administrator or a Power user.
NOTE
When you enable the e-shredding, the system automatically disables the 'Save printed jobs in a
Smart Inbox' setting. The jobs previously printed and stored in the Smart Inbox are deleted.
They are not e-shredded.
Enable/disable the e-shredding (Express WebTools)
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click Edit
4. Check 'E-shredding' feature to enable it
5. Select the algorithm.

When you select 'Custom', set the number of passes
Result
When the E-shredding feature is enabled, an indication is displayed at 2 locations in the system:
• On the printer user panel (PlotWave 300/350 and ColorWave 300), an indication is displayed in
the System menu: 'E-shredding enabled'
• In the Express WebTools window, a new icon is added to the list of icons (bottom right)
Each time data (file's content or attributes) is deleted from the system, the e-shredding process
occurs.
For a while, the E-shredding feedback returns as 'busy':
• On the printer user panel (PlotWave 300/350 and ColorWave 300), an indication is displayed in
the System menu: 'E-shredding busy'
• In the Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-
shredding busy' status
Once the e-shredding data processed is complete, the status comes back to:
• 'E-shredding enabled' in the printer user panel (PlotWave 300/350 and ColorWave 300)
• 'E-shredding ready' in the Express WebTools (roll over the icon)
E-shredding process and system behaviour
NOTE
In case some scanned files have a 'Scan destination file name' composed of more than 256
characters, on the controller or on the remote destination, they will be deleted, but they will not
be e-shredded (too long name).
When you enable the e-shredding

When you enable the e-shredding, the system starts the e-shredding process for all print/scan
jobs that will be deleted.
E-shredding process will occur as a background task.
All processed jobs will be e-shredded as soon as they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of the print and scan jobs by the system (timeout, disabled Smart
Inbox, cleanup)
When you disable the e-shredding

When you disable the e-shredding, the system:
• Terminates the e-shredding process for files which are being e-shredded
• Will not e-shred the new deleted files
Make sure all the scan/copy/print jobs are completely e-shredded

Once a batch of scan/copy/print jobs has been processed, perform the following actions to make
sure all the files are e-shredded:
1- Unplug the system from the network
2- Check that 'Saved print jobs in Smart Inbox' is disabled
3- Delete any job from the 'Scans' Smart Inbox
4- Make a 'Clear System' on the Printer User interface
5- Wait until the e-shredder status comes back to 'Ready' (in Express WebTools)
6- Restart the system
7- Wait until the e-shredder status displays 'Ready' (in Express WebTools)
IPsec (on PlotWave 300/350, PlotWave 900 1.2 and higher 1.x, ColorWave 300)
IPsec (on PlotWave 300/350, PlotWave 900 1.2 and higher 1.x, ColorWave 300)
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network
communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data
on the network.
IPsec is particularly suitable in a configuration where you need to create a dedicated secure link
between the printer/copier system and a workstation which can be dedicated as a Print Server (or
a Scan Server).
You can connect up to 5 IPsec stations to the printer/copier system.
In this configuration below:
• The printer/copier system is physically connected to the network but communicates only with a
dedicated station (a Print Server or Scan Server for example)
• The Print Server receives the print request from the workstations via IP on the network
• The Print Server send the print requests to the printer/copier system via IPsec
• The workstations cannot communicate directly with the printer/copier system
NOTE
In this configuration, the back-channel communication between a workstation and the printer is
unavailable (the back-channel information is not displayed in the WPD driver).
NOTE
IPsec is compatible with IPv4 only.
Make sure IPv6 is 'Disabled' before you configure IPsec on the controller.
IPsec presentation
Illustration
IPsec parameters in the Express WebTools (EWT)

The following IPsec parameters are available in the Express WebTools :
IPsec Generic section:
IPSec General setting to enable or disable IPsec.

Enabled/Disabled Once enable, only the network traffic defined by the IPsec configuration
rules is authorised.
Failsafe option Keep this option enabled during the IPsec configuration, until the com-
Enabled/Disabled plete and successful IPsec communication between the printer/copier
system and the configured station.
- When the option is Enabled (with IPsec enabled), only the network
traffic defined by IPsec configuration rules is authorised.
All other network traffic is denied except the HTTP traffic* for Express
WebTools with any workstation: this allows to change some IPsec set-
tings via Express WebTools, from any workstation.
- When the option is Disabled (with IPsec enabled): only the network
traffic defined by the IPsec configuration rules is authorised. All other
network traffic is denied.
Default preshared key You can define a default preshared key that will be used for all the sta-
tions connected by IPsec to the printer/scanner system.
Other settings You can display the other IPsec generic settings ('See all').
Keep them unchanged.
* and HTTPS traffic for Plotwave 900.
Configure the IPsec settings in the controller
IPsec stations section:

You can configure a maximum of 5 IPsec communications between the printer/copier system and
5 workstations.
Enable and configure the parameters for each required station.
The parameters can be different for each different workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one)
Before you begin

Activate and configure IPsec in the printer/scanner controller
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
3. In 'IPsec generic' section, click 'Edit'

4. Check 'IPsec'
5. Keep 'Failsafe option' checked during the phase you configure the IPSec.
In case of need, this allows to be able to connect to Express WebTools from any workstation in
order to be able to change parameters.
6. Keep the other parameters as they are.
7. In the 'IPsec stations' section, click 'Edit'

8. Select '"IPsec station 1: Enable'
9. Enter the 'IPsec station 1: IP address' of the workstation
10. Create and enter the 'IPsec station 1: Preshared key' using the following policy:
• Any letter lowercase/upper-case [a-z][A-Z]
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
NOTE
Write it down, this preshared key will be required during the IPsec configuration on the
workstation.
NOTE
In the 'TCP/IP: IPv6' section, make sure TCP/IP (IPv6) is disabled.
Configure the IPsec settings on a workstation or a print server
Result
The IPsec settings are configured on the controller for a connection to a workstation (which can
be a print server).
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on the workstation with the Administration rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and
a workstation.
On the workstation, perform the 6 following actions:
1- Add the security snap-in on page 51
2- Create the security policy on page 53
3- Create the filter list on page 54
4- Define the filter actions and security negotiation on page 56
5- Define the security rule on page 58
6- Assign the security policy on page 61
NOTE
The procedure below shows the configuration steps on Windows server 2008.
The procedure is similar on other Operating Systems (Windows 7).
Add the security snap-in
Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
2. In the top menu select 'File' - 'Add/Remove Snap-in'
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
4. Keep 'Local computer' checked and click 'Finish'

The security snap-in is added, click 'OK'
Create the security policy
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security
Policy'
2. Click 'Next' to open the wizard

3. Enter the name for the policy and click 'Next'
4. Uncheck 'Activate the default response rule'
Create the filter list
5. Uncheck 'Edit properties' and click 'Finish'
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter
lists and filter actions…'
2. In the 'Manage IP filter lists' tab click 'Add'
3. Enter a filter name and a description and click 'Add'

5. Check the 'Mirrored' checkbox and click 'Next'
6. Select 'My IP address' as the 'Source address and click 'Next'

7. Select 'A specific IP address or subnet' as 'Destination address' and enter the IP address of the
controller
8. Select 'Any' as the 'IP Protocol Type' and click 'Next'

9. Click 'Finish'
10. In the 'IP filter list' window, click OK
The filter list is set
Define the filter actions and security negotiation
Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
3. Give a name to the filter actions and click 'Next'
4. Select 'Negotiate security' and click 'Next'
5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall

back to unsecured communication' (depending on the Operating System) and click 'Next'
6. Select 'Custom' and click on the 'Settings...' button
Define the security rule
7. Configure the settings as below
8. Click 'OK' and 'Next', then 'Finish'
Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the
wizard
(On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on
"Add")
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
5. Select the filter previously created then click 'Next'
6. Select the filter action previously created then click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange
(preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the
controller on page 49), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule
Assign the security policy
Procedure
1. In the console, right click on the security policy just created and select 'Assign'
The configuration is activated on the IPsec station (workstation):
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec
station to the printer/scanner controller
When the test works properly it is recommended to disable the 'Failsafe mode' on the printer/
scanner controller. So, only the IPsec station is allowed to communicate with the printer/scanner
system.
NOTE
In case you use the WPD driver, see The impact of IPsec when you print through a print
server on page 61.
The impact of IPsec when you print through a print server
Introduction
This topic concerns the drivers: WPD, WPD2 and Driver Select.
When you use a driver on a print server, with advanced accounting activated, the use of IPsec has
an impact on the workflow.
When the following conditions are gathered:

• A print server is configured as an IPsec station. The driver is installed on the print server.
• IPsec is activated and the 'Failsafe mode' is disabled on the printer controller.
• The client workstation is not configured as an IPsec station.
• The client workstation uses the shared driver installed on the print server (Point & Print) to
print jobs.
Troubleshooting: emergency procedure to disable IPsec
Pre-requisites
When advanced accounting is required, make sure you configured Account Center BEFORE
disabling the 'Failsafe mode' on the printer controller.
Consequences of the IPsec configuration on the client workstation:

The back-channel information (printer status, feed data) is not retrieved from the printer. It is not
displayed in the driver interface.
On the workstation, when the job is sent with the driver:
• The required accounting information is not requested when submitting the job.
• The submitted job is stored in the Smart Inbox. It is not printed since accounting information is
missing.
Open the Inbox in Express WebTools (on an IPsec station) to enter the required accounting
information and print the job.
NOTE
To be able to enter the accounting information and print directly from the workstation, enable
the 'Failsafe mode' on the controller.
Then, the accounting window will be displayed on the client workstation, and the accounting
information can be entered to print the job.
Introduction
In the following case:
• IPsec is enabled and activated on the printer/scanner controller
and
• The 'Failsafe mode' is disabled
and
• The communication between the controller and the IPsec stations fails
You cannot open remotely Express WebTools to change the settings. The system is unreachable.
Then you can use the emergency procedure to disable IPsec:
• Via the printer User panel on the printer/scanner system, for PlotWave 300/350 and ColorWave
300
• Via Express WebTools on the printer controller monitor for PlotWave 900 R1.2 and higher 1.x
Disable IPsec on the printer user panel (PlotWave 300/350 and ColorWave 300)
Procedure
1. On the printer printer user panel, click on 'System'
2. Select 'Setup'
3. Roll down to the Security item and open the Security menu
The status is 'IPsec is enabled'
4. Click 'Next' several times to open the IPsec window
NOTE
Enter the password if required (Password to change the security level - depends on the
configuration of the access to the Security menu).
Disable IPsec on the controller monitor (PlotWave 900 R1.2 and higher 1.x)
5. Select 'Disabled' to deactivate IPsec
6. Click 'Next' to the end of the procedure

7. Restart the controller
Result
IPsec is disabled.
After the restart, you will be able to open Express WebTools remotely from a workstation (HTTP).
Disable IPsec on the controller monitor (PlotWave 900 R1.2 and higher 1.x)
When to do
When communication fails between the controller and the identified hosts, you can disable IPsec
in Express WebTools only via the printer controller monitor.
Procedure
1. On the printer controller, open Express WebTools and log in as System administrator.
2. Open the Configuration - Connectivity tab.
3. Go to the IPsec section
4. Click on Edit, in the upper right hand corner of the section.
5. Change the IPsec setting from 'Enabled' to 'Disabled':
Result
IPsec is disabled.
You can open Express WebTools remotely from a workstation (HTTP).
Prevent USB Direct Print and Scan to USB (PlotWave 300/350, ColorWave 300)
Prevent USB Direct Print and Scan to USB (PlotWave 300/350, ColorWave
300)
How to prevent 'Print from USB'
Introduction
You can disable any access to the USB device by preventing printing from / scanning to the USB
device.
Illustration
[1] USB direct print: Disabled
How to disable the 'USB direct print' feature
Procedure
2. Open the 'Preferences' - 'System settings' page and select the 'Printer properties' section
3. Go to the 'USB direct print' setting
4. Click on the value to open the 'USB direct print' window
5. Log in
6. Select 'Disabled' and 'Ok'
How to prevent 'Scan to USB'
Introduction
You can neutralize the 'Scan to File to USB storage device' capability.
2-step procedure to prevent scanning to USB destination:

1. Disable any 'USB stick' scan destination
2. Remove the USB destination from all Scan templates
1- Disable any 'USB stick' scan destination
Introduction
You can neutralize the 'Scan to File to USB storage device' capability.
To prevent scanning to USB destination you must:
1. Disable any 'USB stick' scan destination
2. Remove the USB destination from all Scan templates
2- Remove the USB destination from all Scan templates
Purpose
Prevent any user from scanning to a USB device.
Illustration
[2] Disable the 'Scan to USB'
Procedure
2. Open the 'Configuration' - 'Scan destinations' page
3. Edit the 'Scan destination 2: Local to USB storage device'
4. Uncheck the setting 'Scan destination 2 enabled' and click 'Ok'
5. For each scan destination from 'Scan destination 3' to 'Scan destination 10', make sure that the
scan destination type is NOT 'Local to USB storage device'
Procedure
1. In Express WebTools open the 'Preferences' - 'Scan job defaults' page
2. In each 'Scan template: File' section, check that the 'Destination' is not 'USB stick'
3. When the destination is 'USB stick', edit the setting to change it
HTTPS with PlotWave 900 R1.x
HTTPS with PlotWave 900 R1.x
Encrypt print data using HTTPS with the self-signed certificate
Introduction
On the PlotWave 900 you can use the HTTPS protocol with the self-signed certificate of the
printer:
- to send encrypted print data to the printer controller via Publisher Express
- to securely manage the configuration of the system through Express WebTools
The HTTPS protocol is available with all security levels.
All settings and options available through HTTP are also available through HTTPS.
NOTE
Only the self-signed certificate is supported (this excludes the Certificate Authority signed
certificates).
Before you begin

The first time you use a self-signed certificate, your web browser will generate security error
messages.
In order to easily and securely use the self-signed certificate in your web browser, you must:
- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate
Use the self-signed certificate with Internet Explorer
Procedure
1. On a workstation, type the URL address of the printer in Internet Explorer: https://[printer
hostname or Printer IP address].
A warning window opens:
2. Click on 'More information' to get additional information.
3. Click on 'Go on to the webpage (not recommended)'.

4. Click on 'Certificate error'.
5. Click on 'View certificates'.
Note that the certificate information is depending on the printer model.

On the PW3000/3500/5000/5500/7500 and the CW3600/3800 the certificate looks like:
6. Click on 'Install Certificate...'.
7. Choose either 'Current User' or 'Local Machine' (check with your IT department) and click on
'Next'.
8. Select 'Place all certificates in the following store' and click on 'Browse...'.
9. Select 'Trusted Root Certification Authorities' and click on 'OK'.
10. Click on 'Finish'.

You will get a security warning:
11. Click on 'Yes'.

Next the certificate is imported and you get a status message.
When the import is successful, the certificate is recognised and its status is OK.
You can verify this by viewing the certificate again and selecting the tab 'Certification Path':
Before the import or when the import fails, the certificate status will look like:
12. Open in Internet Explorer the Tools menu\Internet options\Advanced tab.
13. In the Security section, uncheck the option 'Warn about certificate address mismatch':
14. Click on 'Apply' and next on 'OK' and close all instances of Internet Explorer.
15. Restart the browser and type the URL of the printer in Internet Explorer (https://[printer hostname
or Printer IP address].
Use the self-signed certificate with Mozilla Firefox
Result
The padlock is displayed on the address bar. The self-signed certificate guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network
Procedure
1. On a workstation, type the URL address of the printer in Mozilla Firefox: https://[printer hostname
2. Select 'Advanced'.
The certificate is not trusted because it is self-signed.

3. To bypass the warning you have to add an exception. Select "Accept the Risk and Continue".
Now an exception will be added and you go to the webpage of the printer.
Smart Inbox management
Smart Inbox management
Configure the Smart Inboxes to manage the access to job data

Use the Smart Inbox management features of your system to limit and restrict the access to the
print and scan job data.
Depending on your system capabilities, go to the 'Preferences'/'System settings' to disable or
restrict, for example:
• The remote view of the Smart Inboxes
• The printing from the Smart Inboxes
• The storage of the job data in the Smart Inboxes
Depending on your printer capabilities, you can also disable the printing from Publisher Express.
Security on PlotWave 750 and PlotWave 900 R2.x
Security on PlotWave 750 and PlotWave 900 R2.x
Overview
Security overview for the PlotWave 750 and the PlotWave 900 R2.x systems
Introduction
The PlotWave 750 and the PlotWave 900 R2.x are equipped with the following security features:
Security overview
Operating System Windows Embedded Standard 7 SP1

Firewall Yes
Network protocols protection 4 Security Levels
MS Security patches Canon Production Printing released patches
IPv6 Yes (IPV6 only or IPV6/IPV4 combination)
Antivirus Compatible with 2 Antivirus brands
Data encryption on the network - IPsec
- HTTPS for administration and for job submis-
sion through Publisher Express
- User settings
Smart Inbox management - Can be enabled/disabled
- Delete scan restriction
- Display on printer user panel restriction (for
PlotWave 750)
Ports - Protocols
Applications, protocols and ports used on the PlotWave 750 and the
PlotWave 900 R2.x systems
Printing applications: security levels, ports and protocols used by the print systems
Application /Function‐ System Supported security levels (x) and Port used on the
ality open port controller: proto‐
col
N* M* M-H* H*
Wide-format Printer PlotWave x x(1) x(2) x(2) TCP 515: LPR
Driver for Microsoft 750 / TCP 515 TCP 515 TCP TCP TCP 65200: back-
Windows (WPD, WPD2 PlotWave TCP TCP 515 515 channel(**)
or Driver Select) 900 R2.x 65200 65200 UDP TCP 80: HTTP (for
TCP 80 TCP 80 515 advanced ac-
UDP UDP counting)
515 515 UDP 515: propriet-
ary protocol (for
printer discovery)
PostScript 3 driver PlotWave x x x x TCP 515: LPR
Driver Express 750 / TCP 515 TCP 515 TCP TCP
PlotWave 515 515
900 R2.x
Publisher Express PlotWave x x TCP 80: HTTP
750 / TCP 80 TCP 80
PlotWave
900 R2.x
Publisher Express over PlotWave x x x x TCP 443: HTTPS
SSL 750 / TCP 443 TCP 443 TCP TCP
PlotWave 443 443
900 R2.x
Publisher Select PlotWave x x TCP 80: HTTP
750 / TCP 515 TCP 515 TCP 65200: back-
PlotWave TCP TCP channel(**)
900 R2.x 65200 65200 TCP 515: LPR
TCP 80 TCP 80 UDP 515: propriet-
UDP UDP ary protocol (for
515 515 printer discovery) 4
Applications, protocols and ports used on the PlotWave 750 and the PlotWave 900 R2.x systems
col
N* M* M-H* H*
Publisher Mobile PlotWave x TCP 21: FTP
750 / TCP 21 TCP 4242: FTP
PlotWave TCP passive mode(6)
900 R2.x 4242 ICMP: ping
ICMP UDP 515: propriet-
UDP ary protocol (for
515 printer discovery)
Mobile WebTools PlotWave x x TCP 80: HTTP
750 / TCP 80 TCP 80
PlotWave
900 R2.x
ReproDesk Studio PlotWave x x TCP 515: LPR
750 / TCP 515 TCP 515 TCP 65200: back-
PlotWave TCP TCP channel(**)
900 R2.x 65200 65200
Novell NDPS printing PlotWave x x x x TCP 515: LPR
750 / TCP 515 TCP 515 TCP TCP
PlotWave 515 515
900 R2.x
LPR printing (com- PlotWave x x x x TCP 515: LPR
mand line) 750 / TCP 515 TCP 515 TCP TCP
PlotWave 515 515
900 R2.x
FTP printing PlotWave x x(3) TCP 21: FTP
750 / TCP 21 TCP 21 TCP 4242: FTP (4)
PlotWave TCP
900 R2.x 4242
Notes:
• * Levels: N: Normal - M: Medium - M-H: Medium/High - H: High
• (**) Back-channel is a proprietary protocol used to retrieve information from the printer (status,
• (1) LPR printing with back-channel and advanced accounting
• (2) LPR printing. No back-channel. No advanced accounting
Scanning / copying applications: security levels, ports and protocols used
col
N* M* M-H* H*
Scan to File Remote PlotWave 750 / x -
SMB PlotWave 900
R2.x
Scan to File Remote PlotWave 750 / x x(1) x(1) x(1) -
FTP PlotWave 900
R2.x
Scan data retrieval by PlotWave 750 / x x(2) TCP 21: FTP
FTP PlotWave 900 TCP 21 TCP 21 TCP 4242: FTP (3)
R2.x TCP
4242
Scan data retrieval PlotWave 750 / x x TCP 80: HTTP
from Smart Inbox PlotWave 900 TCP 80 TCP 80
(Scans) R2.x
Scan data retrieval PlotWave 750 / x x x x TCP 443: HTTPS
from Smart Inbox PlotWave 900 TCP 443 TCP 443 TCP TCP
(Scans) over SSL R2.x 443 443
Notes:
mode
Control management: security levels, ports and protocols used
Application /Func‐ System Supported security levels (x) Port used on the
tionality and open port controller: pro‐
tocol
N* M* M-H* H*
PING PlotWave 750 / x x x x ICMP
PlotWave 900 R2.x
SNMP based applica- PlotWave 750 / x UDP 161: SNMP
tions PlotWave 900 R2.x UDP
161
Express WebTools PlotWave 750 / x x TCP 80: HTTP
PlotWave 900 R2.x TCP 80 TCP
80
Express WebTools PlotWave 750 / x x x x TCP 443: HTTPS
over SSL PlotWave 900 R2.x TCP TCP TCP TCP
443 443 443 443 4
tocol
N* M* M-H* H*
Name resolution(**) PlotWave 750 / x Outgoing con-

PlotWave 900 R2.x nection:
- local port (on
controller):
UDP(/TCP) <dy-
namic value>
- remote port (on
DNS server):
UDP(/TCP) 53
DHCP PlotWave 750 / x x x x Outgoing con-
PlotWave 900 R2.x nection:
- local port (on
controller) : UDP
68
- remote port (on
DNS server):
UDP 67
Account Center PlotWave 750 / x x TCP 80: HTTP
Advanced accounting PlotWave 900 R2.x TCP 80 TCP
(WPD) 80
Accounting informa- PlotWave 750 / x x(1) TCP 21: FTP
tion retrieval by FTP PlotWave 900 R2.x TCP 21 TCP TCP 4242: FTP (2)
TCP 21
4242
Browse print systems PlotWave 750 / x UDP 137: Net-
on the network with PlotWave 900 R2.x UDP Bios over TCP/IP
Windows network 137
neighbourhood
Service Logic PlotWave 750 / x x(1) TCP 21: FTP
PlotWave 900 R2.x TCP 21 TCP TCP 4242: FTP (2)
TCP 21
4242
IPsec PlotWave 750 / x UDP 500
PlotWave 900 R2.x UDP UDP 4500
500
UDP
4500
Remote Meter Read- PlotWave 750 / x UDP 161: SNMP
ing Manager PlotWave 900 R2.x UDP
161
On Remote Service PlotWave 750 / x x x x HTTPS outgoing
PlotWave 900 R2.x connection re-
quired: TCP/IP
port 443 (3) 4
tocol
N* M* M-H* H*
WSD print / WSD dis- PlotWave 750 x x x UDP 3702
covery TCP 5357
Notes:
• (**) The name resolution is mainly used to determine the IP address of the scan destination
during Scan to File operation
• (3) TCP/IP port 443 must be opened and must allow response back on the IT infrastructure
firewall.
Security Patches
Security Patches
Install the Remote patch on PlotWave 750 and PlotWave 900 R2.x
Introduction
You can install the Remote patches (Security patches) in the following versions of the systems:
• PlotWave 750
• PlotWave 900 R2.x
Before you begin

NOTE

Install the Remote patch
Procedure
3. Select 'Update'

The latest patch successfully applied (when any) is displayed
5. Click on the 'Update' icon (top right corner) to open the wizard
6. Click OK
7. Browse to the Remote patch and click OK to install it
Security levels
Security levels
Introduction
On the PlotWave 750 and PlotWave 900 R2.x, there are defined 4 levels of security according to
the customer needs. The presentation below can help you to select the most suitable level
High and Medium-High security levels

The High and Medium-High levels are the most secure mode for printing and scanning.
The compliant applications are based on:
• the LPR protocol or HTTPS protocol for printing
• the FTP protocol for scanning.
Differences between High and Medium-High
• The Printer Discovery (UDP 515) is available only in Medium-High level (not in HIGH)
• WSD Print/WSD Discovery are present only in Medium-High level (for PlotWave 750 only)
Target:
• These levels provides you the most secure mode while using the basic feature for printing and
scanning. Only some applications are available. See the security levels supported per
application/functionality on page 78.
• These security levels may also be used when you want to be protected whenever a
vulnerability has been discovered and the corresponding patch cannot be yet installed. As
soon as the patch can be installed, you can go back to the original security level.
NOTE
Attention when you set the Medium high or High security level through the HTTP protocol, the
communication immediately stops.
Open Express WebTools by means of the HTTPS protocol (type https://Printer IP address or
hostname in the web browser) and restart the system. Then use the HTTPS protocol.
Medium security level

The Medium level is compliant with all the applications available for printing and scanning which
do not present a high risk (as reported by most popular network scanners).
Target:
This level is recommended if you need to be secured while you want to use the applications for
printing and/or scanning (you can use the system including more functions than with the HIGH
and Medium-High security levels).
Normal security level

This mode offers all the functionalities.
Target:
• You can select this level if you want to use some features not covered by MEDIUM security
level.
• This level is more dedicated for small network infrastructure where security is less required
versus features.
Set the security level on the PlotWave 750 or PlotWave 900 R2.x
Refer to Set the security level in PlotWave 900 R1.1 and higher R1.x versions on page 37.
Introduction
properly:
• PlotWave 750
• PlotWave 900 R2.x

ep ools section
1 Support - Remote Serv- Stop the Remote assistance if it is Click 'Stop remote assis-
ice - Remote assistance activated tance' until it changes into
pear.
2 Preferences - System Disable Online Services Set 'Online connection en-
settings - Service abled' to 'Disabled'
3 Configuration - Scan Disable all scan destinations to FTP Uncheck 'Scan destination
destination [X] sites reachable through the Internet [X]: enabled'
down - Restart
Antivirus
Antivirus

NOTE
controllers.
Roles and Passwords
Roles and Passwords
Roles and profiles in the PlotWave 750 and Plotwave 900 R2.x
Roles description
In the system, the main network and system settings are protected against change. Only
authorised users can configure/change these settings.
4 roles are available:
• Key operator:
The System administrator can manage the Configuration settings such as the Network settings,
scan destinations settings, security settings (e-shredding, IPsec), and the hardware/software
configuration settings...
• Power user
The Power user has both the rights of the Key operator and the System administrator
• Service
Passwords policy and behaviour for PlotWave 750 and PlotWave 900 R2.x
Introduction
• The roles
• The mobile printing password
On the printer panel, a password protects the administration settings.
Passwords in Express WebTools
Password modification table for PlotWave 750 and PlotWave 900 R2.x
Password for Can be changed by Stored in the back up set*
Key operator Key operator or Power user No
System administrator System administrator or Power No
user
Power user Power user No
Service System administrator or Power No
user
Mobile printing password (for System administrator or Power No
Mobile WebTools) user
Any Scan To File remote user System administrator or Power No
name user
Any preshared key for IPsec System administrator or Power No
user 4
Printer panel protection
Password for Can be changed by Stored in the back up set*

Remote Service Proxy authenti- System administrator or Power Yes, stored encrypted.
cation user user
* When you make a back up set of your system settings using the 'Save Set' feature in Express
WebTools ('Preferences' tab).
The passwords are stored in the backup file whatever the role used when making the 'Save Set'
operation (as System administrator, Key operator, or Power user). However, the passwords are
restored only when the System administrator or the Power user performs the 'Open Set'
operation.
Password policy
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
Passwords storage on the controller

All passwords are stored encrypted on the controller. There is no open access to the system to
change them.
You can change them only through the standard user interface on the controller.
Password on the printer panel (for PlotWave 750)

You can activate the password to restrict the access to the Administrator settings from the printer
panel. this password is fixed and cannot be changed (refer to the PlotWave 750 Operation Guide
to know more about the password)
Printer panel protection
Introduction
From Express WebTools, you can disable the access to some administration and network settings
from the printer panel.
When the 'System administration from Printer Panel' feature is disabled in the Configuration -
Connectivity settings in Express WebTools, the 'Administrator only' menu is no more displayed
on the printer panel.
Therefore, the following settings are no more accessible from the printer panel:
• Network adaptor settings
• ‘Clear memory’ (job removal)
• Activate deactivate buzzer
• Activate deactivate password (on the printer panel)
Audit log
Audit log
Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded
and/or cleared.
The operations stored in the Audit log

In Express WebTools, open the Support - Audit log tab to download the Audit log that contains
information on any change made in settings.
Collected information on each setting is:
NOTE
In columns from left to right.
1. Username (if available)

2. IP address of the host or printer user interface from where the modification was done
3. Name of the host or printer user interface from where the modification was done
4. Type of event (create/modify/delete/start/stop/action)
5. Object concerned (setting/template name, service name, operation/action)
6. New value (if applicable, and not logged for password fields)
7. Timestamp in UTC (date&time in ISO-8601 format, yyyy-mm-ddThh:mm:ssZ)
User (Key operator, System administrator, Power user) and Service settings:
• IPv4/IPv6 network settings (IP address, Subnet mask, DNS, Gateway, DHCP, …)
• IPsec settings
• Network services (enable/disable/settings)
• Creation/modification/removal of scan destinations
• Changes of passwords used to protect security-related settings (Key operator, System
administrator, Power user, Service, User interface password/PIN for network settings, …)
• Timezone
• E-shredding settings
• Remote service online connection (enabled/disabled)
• 3rd-party software settings (remote desktop, admin account, firewall port)
• Smart Inbox (enable/disable)
• Allow Service Technician to reset passwords (on/off)
• Save retrieved job data for service (on/off)
• HTTPS settings (enable/disable, change of certificate)
• HTTP proxy settings (for remote service)
• Force entry of accounting data for scan/copy/print (on/off)
• Startup/ shutdown of the audit functionality
• Tracking info: when someone logs on to view or to change non-security settings
• Changing date and time
• Use of restore and 'open set'
Service settings only:
• Retrieval of job data by service
• Resetting of passwords by service
• Remote service (Allow remote login)
• Audit log export
• Accounting dialog upload (used to implement access control for scan/copy)
Data Security
Data Security
E-Shredding
Introduction
The e-shredding feature is a security feature which allows to overwrite any user data (print/copy/
scan) when it is deleted from the system.

• After it was successfully printed and was not saved in a Smart Inbox ('Save printed jobs in a
Smart Inbox' system setting is disabled in the Express Webtools)
• When it is automatically deleted after a timeout:
- When the end of the job lifetime in the Smart Inbox is reached ('Save printed jobs in a Smart
Inbox' system setting is enabled in the Express Webtools and the 'Printed jobs in Smart Inbox:
job lifetime' is set)
- When the time for the cleanup of the 'Scans in Smart Inbox' is reached
• When a 'Clear system' or 'Clear memory' (job removal) is performed on the printer local
interface
directive):
NOTE
performance.
Before you begin

NOTE
When you enable the e-shredding, the system automatically disables the 'Save printed jobs in a
Smart Inbox' setting.
Enable/disable the e-shredding (Express WebTools)
Procedure
3. Click Edit

When you select 'Custom', set the number of passes
Result
When the E-shredding feature is enabled, an indication is displayed at 2 locations in the system:
• On the printer user panel, an indication is displayed in the System menu: 'E-shredding
enabled'
• In the Express WebTools window, a new icon is added to the list of icons (bottom right)
occurs.
For a while, the E-shredding feedback returns as 'busy':
Once the e-shredding data processed is complete, the status comes back to 'E-shredding ready' in
Express WebTools (roll over the icon) on a workstation or on the controller monitor
NOTE
In case some scanned files have a 'Scan destination file name' composed of more than 256
characters, on the controller or on the remote destination, they will be deleted, but they will not
be e-shredded (too long name).
Example
E-shredding and 'Save received job data for Service' feature

On the PlotWave 750 and PlotWave 900 R2.x, enabling the e-shredding function doesn't impact
the feature 'Save received job data for Service'.
If 'Save received job data for Service' is activated it is recommended to clean-up the system and
delete all job data previously saved for Service:
1. Enable e-shredding
2. In Preferences - Systems settings, go to the Contact section
3. Set the 'Save received job data for Service' setting to 'Off and clear at next reboot'

When you enable the e-shredding, the system starts the e-shredding process for all print/scan
All processed jobs will be e-shredded as soon as they are deleted:
- After an automatic deletion of the print and scan jobs by the system (timeout, disabled Smart
Inbox, cleanup)


1. Unplug the system from the network
2. Check that 'Save received job data for Service' setting is set to 'Off and clear at next reboot'
3. Restart the system controller
4. Check that 'Saved print jobs in Smart Inbox' is disabled
5. Delete any job from the 'Scans' Smart Inbox
6. Make a 'Clear system' from Express WebTools (Maintenance section in the Support tab)
7. Wait until the e-shredder status comes back to 'Ready' (in Express WebTools or on the printer
panel)
8. Restart the system controller
9. Wait until the e-shredder status displays 'Ready' (in Express WebTools)
IPsec
IPsec
IPsec presentation
Introduction
on the network.
a Scan Server).
dedicated station (a Print Server or Scan Server for example)
• The Print Server receives the print request from the workstations via IP on the network
• The Print Server send the print requests to the printer/copier system via IPsec
NOTE
unavailable (the back-channel information is not displayed in the WPD driver).
NOTE
IPsec can be used only with IPv4 (IP type set to 'IPv4 only' or 'IPV4 and IPv6 both enabled').
In the Connectivity - Network adapter section, the IPsec settings are not available when 'IPv6
only' is selected.
IPsec presentation
Illustration
IPsec parameters in Express WebTools (EWT)

The following IPsec parameters are available in Express WebTools :
IPsec Generic section:
IPSec General setting to enable or disable IPsec.

Enabled/Disabled Once enable, only the network traffic defined by the IPsec configuration
rules is authorised.
Failsafe option Keep this option enabled during the IPsec configuration, until the com-
Enabled/Disabled plete and successful IPsec communication between the printer/copier
system and the configured station.
- When the option is Enabled (with IPsec enabled), only the network
traffic defined by IPsec configuration rules is authorised.
All other network traffic is denied except the HTTP traffic for Express
WebTools with any workstation: this allows to change some IPsec set-
tings via Express WebTools, from any workstation.
- When the option is Disabled (with IPsec enabled): only the network
traffic defined by the IPsec configuration rules is authorised. All other
network traffic is denied.
Default preshared key You can define a default preshared key that will be used for all the sta-
tions connected by IPsec to the printer/scanner system.
Other settings You can display the other IPsec generic settings ('See all').
Keep them unchanged.
IPsec stations section:
You can configure a maximum of 5 IPsec communications between the printer/copier system and
5 workstations.
- the IP address
Before you begin

Procedure
3. In 'IPsec generic' section, click 'Edit'

4. Check 'IPsec'
5. Keep 'Failsafe option' checked during the phase you configure the IPSec.
In case of need, this allows to be able to connect to Express WebTools from any workstation in
order to be able to change parameters.
6. Keep the other parameters as they are.
7. In the 'IPsec stations' section, click 'Edit'

8. Select '"IPsec station 1: Enable'
9. Enter the 'IPsec station 1: IP address' of the workstation
10. Create and enter the 'IPsec station 1: Preshared key' using the following policy:
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
NOTE
Write it down, this preshared key will be required during the IPsec configuration on the
workstation.
NOTE
IPsec can be used only with IPv4 (IP type set to 'IPv4 only' or 'IPV4 and IPv6 both
enabled').
In the Connectivity - Network adapter section, make sure 'IPv6 only' is NOT enabled
before you configure IPsec on the controller.
Result
be a print server).
When to do
Pre-requisites
Purpose
a workstation.
NOTE
The impact of IPsec when you print through a print server
Introduction
This topic concerns the drivers: WPD, WPD2 and Driver Select.
When you use a driver on a print server, with advanced accounting activated, the use of IPsec has
an impact on the workflow.
When the following conditions are gathered:

• A print server is configured as an IPsec station. The driver is installed on the print server.
• IPsec is activated and the 'Failsafe mode' is disabled on the printer controller.
• The client workstation is not configured as an IPsec station.
• The client workstation uses the shared driver installed on the print server (Point & Print) to
print jobs.
Pre-requisites
When advanced accounting is required, make sure you configured Account Center BEFORE
disabling the 'Failsafe mode' on the printer controller.
Consequences of the IPsec configuration on the client workstation:

The back-channel information (printer status, feed data) is not retrieved from the printer. It is not
displayed in the driver interface.
On the workstation, when the job is sent with the driver:
• The required accounting information is not requested when submitting the job.
• The submitted job is stored in the Smart Inbox. It is not printed since accounting information is
missing.
Open the Inbox in Express WebTools (on an IPsec station) to enter the required accounting
information and print the job.
NOTE
To be able to enter the accounting information and print directly from the workstation, enable
the 'Failsafe mode' on the controller.
Then, the accounting window will be displayed on the client workstation, and the accounting
information can be entered to print the job.
Introduction
• IPsec is enabled and activated on the printer/scanner controller
and
• The 'Failsafe mode' is disabled
and
• The communication between the controller and the IPsec stations fails
Solution to disable IPsec:
Connect to the printer system through the controller monitor (configuration where a keyboard
and monitor are plugged on the printer controller) to open Express WebTools and disable IPsec.
HTTPS (on PlotWave 750 and PlotWave 900 R2.x)
HTTPS (on PlotWave 750 and PlotWave 900 R2.x)
Encrypt print data and manage the system configuration using HTTPS
Introduction
On the PlotWave 750 and PlotWave 900 R2.x systems, you can use the HTTPS protocol to:
- to send encrypted print data to the printer controller via Publisher Express
- to save encrypted scan jobs from the printer controller (Scans Inbox)
- to securely manage the configuration of the system through Express WebTools
Certificates are used to check the identity of the workstations and controller during the
communication.
The HTTPS protocol is always available.
The self-signed certificate and the CA-signed certificate

2 types of certificates can be used:
• By default, the printer has a self-signed certificate. This certificate provides encryption of the
print data (sent through Publisher Express) and of the configuration settings (accessed through
Express WebTools) between the client and the controller. It can be easily used.
This self-signed certificate has not been signed by a Certification Authority, consequently the
web browser will display a 'Certificate Error' message the first time you use the HTTPS
protocol.
• The CA-signed certificate is delivered by a Certification Authority.
To ensure a fully trustful authentication, it's recommended to use a certificate delivered by a
Certification Authority (CA-signed certificate).
Configure the HTTPS settings

Go to Configuration - Remote security and log on as the System administrator to manage the
certificates.
NOTE
On the controller monitor (screen/keyboard connected directly to the controller) only the 'Reset
Certificate' item is displayed on the Remote security page.
Configure the browser for a self-signed certificate

messages.
Procedure

'Next'.

11. Click on 'Yes'.

Result
Procedure
Request and import a CA-signed certificate


Description of the overall procedure to request and import a CA-signed certificate
Introduction
By default the first certificate delivered for the use of HTTPS is the self-signed certificate of the
printer.
To ensure a fully trustful authentication, you can request and import a certificate delivered by a
Information about certificates

When you generate a CA-signed certificate request on a controller:
• A new private key is created: this key stays in the controller
• The certificate request containing the public key is created. Send it to the Certification
Authority.
The CA-signed certificate you will receive also contains the public key. This public key is linked
to the private key already stored in the controller.
In the controller, the private key and the public key must match to enable a secure HTTPS
protocol.
To request and then import a CA-signed certificate while you are still using HTTPS, follow these 2
procedures, step by step:
Overall procedure to prepare and generate the CA-signed certificate request
Step Description
A1- Back up the current certificate The current certificate can be:
and private key (if any) • the self-signed certificate of the printer
• a CA-signed certificate (delivered by a Certification
Authority) you previously installed
See Back up a certificate and a private key on page 165.
A2- Generate the certificate request Make this step when you want to request and install a
CA-signed certificate.
During the creation of the request, a new private key is
created.
See Generate a CA-signed certificate request on
page 166.
A3- Save the content of the certifi- Send this content to the Certification Authority to re-
cate request quest a (CA-signed) certificate
The Certification Authority will check the request and re-
ply.
- If the request is valid, go to step A4
- if the request is not valid, make a new request (A2) ac-
cording to the remarks/corrections suggested by the CA
request feedback
A4- Restart the controller
A5- Back up the private key Save a back up of the private key associated to the certif-
icate you will receive.
Overall procedure to import the new CA-signed certificate
Step Description
B1- Save and store the new CA-sign- Save the CA-signed certificate you received from the
ed certificate Certification Authority.
B2- Import the new CA-signed certifi- Import the CA-signed certificate (Root and/or Intermedi-
cate into the controller ate and CA-signed certificates).
See Import a CA-signed certificate (into the controller
and workstations) on page 167.
B3- Restart the controller
B4- Import the Root certificate into The Root certificate identifies the Certification Authority.
the web browsers of the worksta- By default, the web browsers contain a list of well-
tions known and trusted Root certificates.
In case the Root certificate of the Certification Authority
is not in this list, install the CA Root certificate in the
'Trusted Root certificates' list of the web browser, on
each workstation.
See Check and import the Root certificate into the work-
stations browser on page 168. 4
Step Description
B5- Back up the certificate and pri- Back up and store the certificate and the private key.
vate key Note: It is highly recommended to back up the CA-sign-
ed certificate and the private key since they are not
saved in any system backup.
Other procedures
Procedure When to do
Restore a certificate and a private You can restore the certificate and the private key at any
key moment, in case of need.
See Restore a certificate and a private key on page 169
Reset the current certificate You can reset the certificate after a certificate request or
at any moment when you want to restore a self-signed
certificate.
This procedure creates a new self-signed certificate.
See Reset the current certificate on page 169
Smart Inbox management and job management
Configure the Smart Inboxes and the job management settings

You can use the Smart Inbox management features of your system to limit and restrict the access
to the print and scan job data.
Configure the job management settings to manage the visibility of jobs and their availability
through Express WebTools
Smart Inbox and job management configuration:
Go to the 'Preferences'/'System properties' to disable or restrict:
The use of the Smart Inboxes When the 'Smart Inbox capability' is set to 'Disa-
('Smart Inbox capability') bled' the incoming jobs are temporary displayed
grey out in the Smart Inbox and sent to the print
job queue. The jobs are removed from the Smart
Inbox as soon as they are printed.
Recommendation
Before disabling the “Smart Inbox capability” it is
advised to cleanup the jobs:
• Clear the temporary store
• Clear the system
The remote view of the Smart Inboxes When set to 'Login needed', you restrict the view
('Remote Smart Inbox view') on the Smart Inboxes to the Key operator or Power
user only (logging needed to view the Smart In-
box).
The ability to print from Smart Inbox and When set to 'Login needed', all remote actions on
to make queue operations jobs in the Smart Inboxes and queue are restricted
('Printing from Smart Inbox and queue to the Key Operator or Power user only.
operations')
The use of Publisher Express to create When set to 'no one', the job submission capability
jobs (through Express WebTools) is completely deacti-
('Create print job via Publisher Express') vated.
When the login is needed, only the System admin-
istrator, the Power user or the Key operator can log
to use Publisher Express.
The ability to delete scans from the Smart When set to 'Login needed', only the Key Operator
Inbox or Power user can log to delete scans from an in-
('Delete scans from the Smart Inbox') box.
Chapter 3
Security on PlotWave 500 and
PlotWave 340/360
Overview
Overview
Security overview for the PlotWave 500 and PlotWave 340/360

systems
Introduction
The PlotWave 500 and PlotWave 340/360 systems are equipped with the following security
features:
Security overview

Firewall Yes
Antivirus Yes
- User settings
116 Chapter 3 - Security on PlotWave 500 and PlotWave 340/360

Ports - Protocols
Applications, protocols and ports
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system
Application /Functionality INBOUND ports on the con‐ OUTBOUND ports from the
troller: protocol controller: protocol
Wide-format Printer Driver for TCP 515: LPR UDP 515: proprietary protocol
Microsoft Windows (WPD2) TCP 80: HTTP for back-chan- (for printer discovery)
Driver Select nel* and Advanced accounting
UDP 515: proprietary protocol
(for printer discovery)
PostScript 3 driver TCP 515: LPR
Driver Express
Publisher Express TCP 80: HTTP
TCP 443: HTTPS
Publisher Select TCP 80: HTTP
Publisher Mobile TCP 515: LPR (1)
TCP 4242: FTP passive mode
(for data channel in FTP pas-
sive mode)
ICMP: ping
TCP 21: FTP (2)
Reprodesk Studio TCP 515: LPR
TCP 80: back-channel (WAVE)
Novell NDPS printing TCP 515: LPR
LPR printing TCP 515: LPR
FTP printing TCP 21: FTP
TCP 4242 (for data channel in
FTP passive mode)
Print from SMB TCP 139, 445
UDP 138, 445
Print from FTP FTP command(3) :
- Local: TCP any
- Remote: TCP 21
FTP Data(3) :
- Local : TCP any
- Remote: TCP any 4
Chapter 3 - Security on PlotWave 500 and PlotWave 340/360 117

Print from Cloud: WebDAV TCP 80: HTTP
TCP 443: HTTPS
TCP web proxy port (4)
TCP WebDAV port
Notes:
* back-channel is a proprietary protocol used to retrieve information from the printer (status,
(1)
For Publisher Mobile v 2.2 and later for Android, and for Publisher Mobile v 2.3 and later for
iOS
(2) Only for Publisher Mobile v 2.0 to v2.2 for iOS
(3) FTP passive mode only (FTP active mode not supported).
(4) When there is a proxy.
Scanning applications: INBOUND and OUTBOUND ports and protocols used by the system
Scan to File: SMB TCP 139, 445
UDP 137, 138, 445
Scan to File: FTP FTP command(1) :
- Local: TCP any
- Remote: TCP 21
FTP Data(1) :
- Local : TCP any
- Remote: TCP any
Scan to File: Cloud (WebDAV) TCP 80: HTTP
TCP 443: HTTPS
TCP WebDAV port
Scan data retrieval from Smart TCP 80: HTTP
Inbox (Scans) TCP 443: HTTPS
Notes:
Control management: INBOUND and OUTBOUND ports and protocols used by the system
PING IPv4 ICMPv4
PING IPv6 ICMPv6 4

nslookup UDP local port : any
UDP remote port : 53
SNMP based applications UDP 161: SNMP
Name resolution Outgoing connection: Remote port (on DNS server):
Local port (on controller): UDP(/TCP) 53
UDP(/TCP) <dynamic value>
Express WebTools TCP 80: HTTP
TCP 443: HTTPS
Account Center TCP 80: HTTP
Accounting information re- TCP 80: HTTP
trieval
Meter Manager UDP 161: SNMP
Back-channel TCP 65200 for OCI back-chan-
nel
On Remote Service TCP 443: HTTPS
NetBios over TCP/IP UDP 137 TCP 139, 445
UDP 138
WSD TCP 80: HTTP
UDP 3702 for WSD discovery
TCP 5357 for WSD eventing
WAVE TCP 80: HTTP
OBIS TCP 80: HTTP for back-channel
(Publisher Select)
IPsec UDP 500
UDP 4500
Notes:
Additional built-in Windows firewall rules

Inbound rules:
• Core Networking - Dynamic Host Configuration Protocol (DHCP-In)
• Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)
Outbound rules:
• Core Networking - DNS (UDP-Out)
• Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)
• Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)
• Core Networking - IPv6 (IPv6-Out)

Security Patches
Security Patches
Install Operating system patch
Introduction
You can install the Canon Production Printing released security patches in your print system.
Before you begin

NOTE

Install a patch
Procedure
1. Open Express WebTools
3. Select 'Update'


5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the
wizard
6. Click OK
7. Browse to the patch and click OK to install it

Protocol protection
Protocol protection
Network protocols protection
Introduction
In these systems, you can completely disable some protocols in order to protect them against
attacks.
HTTPS (inbound), ICMP (ping), DNS protocols cannot be completely disabled.
List of network protocols
Protocols or Network Protocol ba‐ Available protection Remarks

services sis
'FTP' FTP For FTP printing (the con-
troller acts as a FTP serv-
Enable/Disable er).
Not applicable to Print
from/Scan to FTP features.
'SNMP' SNMP Enable/Disable
'LPR/LPD' LPR Enable/Disable For LPR printing
'WAVE interface' HTTP Enable/Disable Used for:
- back-channel for WPD2
- Account Center
- Reprodesk
' Web Services on De- HTTP Enable/Disable For WSD device discovery
vices (WSD)'
'OCI interfaces' proprietary Enable/Disable
interfaces
'Allow interaction with HTTP Enable/Disable Used only for Publisher Se-
Publisher Select' lect backchannel
'Express WebTools via HTTP Enable/Disable For Express WebTools and
HTTP' Publisher Express
'Locking of the user HTTP Enable/Disable When this setting is ena-
panel via the Wave in- bled, 'Wave interface' set-
terface' ting must be enabled 4


services sis
HTTP (inbound) HTTP There is no specific setting
to disable the HTTP proto-
col.
Inbound HTTP is enabled
as long as at least one of
the following services is
enabled:
- 'Wave interface'
- 'Web Services for Devi-
ces'
- 'Allow interaction with
Publisher Select'
- 'Express Web Tools via
HTTP'
Inbound HTTP is totally
disabled when ALL afore‐
mentioned network serv‐
ices are disabled.
HTTPS (inbound) HTTPS Always Enabled - Cannot
be disabled.
' Allow automatic up- HTTP/ Enable/Disable Outbound connection
date of Service infor- HTTPS
mation'
'Online Services con- HTTPS Enable/Disable Outbound connection used
nection enabled' by Remote Service
or
'Remote Service con-
nection'
Note: To disable a network protocol or network service, go to the 'Configuration' - 'Connectivity'

section of Express WebTools and uncheck the protocol or service.
To disable the connection to Remote Service ('Online Services connection enabled' or 'Remote
Service connection' feature) , go to 'Preferences' - 'System defaults' - 'Service related
information'.


Introduction
Some system features allow or request a connection over the Internet to work properly.
perform all the following actions, step by step, in Express WebTools:
In the Express WebT‐ Action Detail

ools section
1 Support - Remote Stop the Remote assistance if it is Click 'Stop remote assis-
Service - Remote as- activated tance' until it changes into
sistance 'Allow remote assistance' .
The two blinking arrows on
the right side disappear.
2 Preferences - System Disable Online Services or Remote Set 'Online Services connec-
Defaults - Service rela- Service tion enabled' or 'Remote
ted information Service connection' to 'Disa-
bled'
3 Configuration - Con- Disable the automatic update of Set ' Allow automatic update
nectivity - Other net- the embedded Service information of service information' or 'Al-
work interfaces low automatic update of em-
bedded Service documenta-
tion' to 'Disabled'
4 Configuration - Exter- Delete all External locations going
nal location to the Internet:
• External cloud through WebDAV
protocol
• FTP sites reachable through the
Internet
5 Configuration - Con- Disable the proxy (recommended Set 'Proxy enabled' to 'Disa-
nectivity - Proxy set- as an additional security measure) bled'
tings
6 Support - About - Shut Restart the system
down

Security of the USB connection
The USB connection on the printer user interface
Introduction
A USB connection is available on the touch panel.
• Install / upgrade the controller software

USB device.
is not possible

You can disable:
• The direct printing operation from USB only
• The scanning operation to USB only
• Both of the printing and scanning operations from USB
The procedure is described in the section about PlotWave 340/360: refer to Prevent 'Print from
USB' and/or 'Scan to USB' on page 170.

Antivirus
Antivirus
NOTE
controllers.

Roles and Passwords
Roles and Passwords
Roles and profiles
Roles description
4 different roles exist in the product. Each of them has the ability to configure or modify some
system settings.
The roles are:
• Key operator:
The Key operator can manage the jobs and the device settings.
The System administrator can manage the configuration settings, such as the network and
security settings.
• Power user
The Power User has both the rights of the Key operator and the System administrator.
• Service
This role is used exclusively by the Service technician.
Permissions for Service operations

The System administrator and the Power user control the following Service operations:
• Allow Service technician to reset passwords
• Allow software reinstallation from USB
• Allow an update or patch installation by Service
• Allow Service to access licenses information
• Allow automatic update of embedded Service documentation
Each of these permissions can be disabled in the 'Permissions for Service' section of the
'Security' - 'Configuration' page in Express WebTools.
The System administrator and the Power user control also the connection via a Remote Desktop
Protocol needed by a Service technician to install a third-party application on the system (an
antivirus for instance).
To allow the connection via Remote Desktop Protocol (RDP), go to the 'Third-Party application'
section of the 'Configuration' - 'Connectivity' page in Express WebTools.

Passwords policy and behaviour in the PlotWave 500 and PlotWave 340/360 systems
Passwords policy and behaviour in the PlotWave 500 and PlotWave 340/360
systems
Introduction
• The passwords used on the printer user panel

• The roles
• Name of the user of an external location
• The Proxy authentication passwords
Password policy
• all MS Windows characters are allowed
Passwords used on the user panel

On PlotWave 500
The following settings are protected by the System administrator or Power user password on the
user panel:
• The network settings
• The security settings
• The system update
The following settings and functions are protected by the Key operator or Power user password
on the user panel:
• The print density
• The 'Clear system' function
• The 'Install additional hardware' function
• The scanner calibration
On PlotWave 340/360 up to R1.1
In Express Webtools, he System administrator or the Power user can configure the 'Password to
change network settings'.
This password is used on the printer user panel to protect:
• the network settings
• the security settings
NOTE
Keep this password. The reset of this password may require the intervention of a Service
technician.
Passwords modification
Password modification table for PlotWave 500 and PlotWave 340/360

Password for/to Can be changed by
Key operator Key operator or Power user 4

Passwords policy and behaviour in the PlotWave 500 and PlotWave 340/360 systems

User name of external locations System administrator or Power user
Proxy authentication (for On Remote System administrator or Power user
Service and for External location)
Password backup/restore policy with the 'Export templates'/'Import templates' features

During the "Export templates" operation, the passwords for any external location remote user
name are stored encrypted in the file 'exportExternalLocationTemplates.xml' (included in the file
'exportExternalLocationTemplates.zip').
The 'Import templates' operation restores the passwords.
Temporary password for the installation of 3rd party application

To install a 3rd party application in the controller system, a Canon representative generates a
temporary administrative password for the Windows Administrative account.
This password is valid for 4 hours.

Access control
Access control
Introduction
Access control allows to limit the access to the print system according to IP filtering method.
Use the access restriction to limit the access to the printer

NOTE
Important: ALWAYS define the hosts before enabling Access control.
In case Access control is enabled without any host configured, communication is blocked. Go to
the printer user panel to disable Access control.
Enable 'Access control' and set the list of IP addresses of the computers (hosts) that will be able
to communicate with the printer. This action sets the IP filtering. The access restriction is then
applied to print operations (for which a host workstation contacts the printer) as well as scan
operations (the scanner contacts the external location).
In case DHCP and DNS servers are used:
• Add the DHCP server in the list of the Access control stations.
Otherwise the DHCP protocol is disabled: you can disable the DHCP settings in the
Configuration - Connectivity settings and configure the network settings manually.
• Add the DNS server in the list of the Access control stations.
Otherwise the DNS protocol is disabled: you can configure the path of the external locations
with the IP address instead of a hostname.
NOTE
When configuring the 'Access control station: IPv6 address', use the IPv6 static address (instead
of a dynamic stateless or stateful one)
You can define up to 5 hosts.

For each of the hosts you can decide whether the communication from this host to the system
needs to be encrypted by IPsec (see IPsec on page 96)
You enable 'Access control' in Express WebTools. You can disable it in Express WebTools or via
the printer user panel.
NOTE
• 'Configuration' of the 'Access control' settings is only available to the 'System administrator'
and 'Power user'.
• To prevent unauthorised access to these settings via the printer user panel:
- on PlotWave 340/360, ensure that the 'Password to change network settings' is set
- on PlotWave 500, you must log in as a System administrator to edit the network settings
• When you enable Access control and/or IPsec, configure the path of the external locations
with the IP address instead of a hostname (the DNS protocol is disabled).

Audit log
Audit log
Introduction
and/or cleared.

2. Host (IP address and name) or printer user interface from where the modification was done
• IPsec settings
• Creation/modification/removal of external locations
• Timezone
• HTTP proxy settings (for Cloud and remote service)
• USB print (on/off)
• Scan to USB (on/off)
• Service documentation auto updates of code/content from internet (on/off)
Each log-in operation by the System administrator, the Key operator, and the Power user is also
stored into the audit log.
• Retrieval of job data by Service
• Resetting of passwords by Service
• Manual update of the Service Information content (from Internet)

Data security
Data security
E-Shredding in PlotWave 500 and PlotWave 340/360 systems
Introduction
The e-shredding feature is a security feature which allows to overwrite any user print data and
any user print/copy/scan data when it is deleted from the system.
This feature prevents the recovery of any deleted user data (file's content and attributes).

• After it was successfully printed and was not saved in a Smart Inbox
( 'Keep completed jobs in the Smart Inbox', 'Keep a copy of copy jobs in Smart Inbox', 'Keep a
copy of scanned jobs in Smart Inbox' and 'Keep a copy of local print jobs in the Smart Inbox'
system settings are disabled in the Express WebTools)
• After a 'ScanToFile to external location' has been successfully performed
• After a 'ScanToFile to USB stick' has been performed successfully or not
• When it is automatically deleted after a time-out: the end of the job lifetime in the Smart Inbox
is reached
('Keep completed jobs in the Smart Inbox' is enabled, with 'Expiration time-out for Smart
Inbox' and 'Expiration time-out for Smart Inbox copy and scan jobs' set in the job management
settings of Express WebTools)
• When a 'Clear system' is performed on the printer user panel
• When a 'Clear system at next start-up' is selected in Express WebTools and the system is
restarted.
directive):
NOTE
performance.

Enable the e-shredding in Express WebTools
Before you begin

Perform the following actions:
1. Open a web browser and enter the system URL: http://<hostname>, to open Express
WebTools
2. In Express Webtools ('Preferences' - 'System Defaults') go to the 'Job Management' settings
3. Disable 'Keep completed jobs in the Smart Inbox' (so that all the print jobs will be
automatically deleted after successful printing) before enabling the e-shredding.
4. Go to the 'In case of errors' settings
5. Check the 'Save received jobdata for Service' setting is disabled.
6. On the printer user panel, make a 'Clear system'
Procedure
1. In Express Webtools, open the 'Configuration' - 'Connectivity' page and select the 'E-shredding'
section
2. Click Edit

5. When you select 'Custom', set the number of passes.
Result
When the E-shredding feature is enabled:
• A new icon is added to the list of icons (bottom right) in the Express WebTools window:
enabled':

occurs.
For a while, the E-shredding feedback returns 'busy'.
In the Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-
Once the e-shredding data process is complete, the status comes back to 'E-shredding ready' in
Express WebTools (roll over the icon).


When you enable the e-shredding feature, the system starts the e-shredding process for all scan/
copy/print jobs that will be deleted.
All processed jobs will be e-shredded after they are deleted:
- After an automatic deletion of the print or scan jobs by the system (time-out, disabled Smart
Inbox, cleanup)
NOTE
When you enable the e-shredding feature, the 'Save received job data for Service' feature (in
Preferences - System defaults - In case of errors) is automatically disabled, to avoid any storage
of job data that would not be automatically deleted.
The first e-shredding pass is performed immediately after the job is deleted. Subsequent passes
are performed in background.


2- Delete all jobs from all the Smart Inboxes
3- Make a 'Clear System' on the printer user panel

IPsec
IPsec
IPsec presentation
Introduction
on the network.
You can connect up to 5 IPsec stations to the print/scan system.
Illustration
IPsec and Access control behavior

Find below the 4 combinations of Access control with IPsec :

IPsec presentation
IPsec enabled IPsec disabled

Access control enabled IP filtering + Encryption are acti- IP filtering is activated , no en-
vated. cryption.
Only the stations configured Only the stations configured for
with IPsec can connect to the Access control in Express
system. No other stations can WebTools can communicate
communicate with the print/ with the print/scan system.
scan system. The system can communicate
The system can communicate only with the stations config-
only with the IPsec stations. ured for Access control.
Communication and data are The communication is not en-
encrypted. crypted.
Access control disabled Encryption between the print/ No filtering. No encryption.
scan system and IPsec stations
is activated.
All stations can communicate
with the system.
The system can communicate
with all stations.
The communication is encryp-
ted ONLY with the stations con-
figured as IPsec stations.
IPsec parameters in Express WebTools

The following IPsec parameters are available on the Express WebTools - Configuration -
Connectivity page, Access control section:
- the IP address
You can define a default preshared key that will be used for all the IPsec stations connected to the
print/scan system.
NOTE
The following IPsec parameters cannot be changed:
• IKE Diffie-Hellman group : 2 then 1
• IKE SA lifetime : 28800 s
• IKE security method : 3DES then MD5
• IKE hash : SHA1 then MD5
• ESP encryption : 3DESthen DES
• ESP hash : SHA1 then MD5 then None
• AH hash : SHA1 the MD5
• Encpasulation type : Transport
• Protocol SA lifetime : 3600 s

Before you begin

To benefit from the full IPsec mechanism, the DHCP protocol must not be used. On the
Configuration - Connectivity page, disable all the network settings that require the DHCP.
Activate and configure IPsec in the system controller
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools.
2. Open the 'Configuration' - 'Connectivity' page.
3. In the 'Access control' section, click on the general 'Edit':
4. Check the 'Enable/Disable IPsec' box to enable 'IPsec'

You can also activate the 'Access control' (see the combinations of IPsec and Access Control in
IPsec and Access control behaviour on page 136)
5. Enable 'IPsec station 1'
Tip: When you enable Access control, it is recommended to declare the workstation from which
you remotely configure the system, at least during the configuration time (IPsec is not needed).
6. Enter the IPsec preshared key or keep it empty to use the default preshared key. The 'IPsec default
preshared key' setting is available at the bottom of the 'Access control' section.
• Any MS character
NOTE
Write down this preshared key. It will be required during the IPsec configuration on the
workstation.
7. Click OK
Note: The settings are applied as soon as 'OK' is validated (and before the restart). You may lose
the remote connection to the system when your workstation is not part of the configured stations.

Result
The IPsec settings are configured on the controller for a connection to a workstation.

When to do
Pre-requisites
Purpose
a workstation.
7- Customize the IPsec settings on page 150
NOTE
The procedure below shows the configuration steps on Windows server 2008 for a ColorWave
300 system.
The procedure is similar on other Operating Systems (Windows 7) and for other ColorWave/
PlotWave printers.
Procedure



Procedure
Policy'


Procedure



controller

9. Click 'Finish'

Procedure
2. Click 'Next'



'Data and address integrity without encryption (AH)' setting is not mandatory.
Procedure
wizard
"Add")
2. Click 'Next'


(preshared key)'
9. Click 'Finish'

Procedure
Customize the IPsec settings
Procedure
1. In the Control panel select 'Windows Firewall' - 'Advanced settings' to open the 'Windows
Firewall with Advanced Security' window
2. In the 'Actions' section on the right hand side, click on 'Windows Firewall with Advanced Security
on Local Computer' to expand the menu
3. Select 'Properties'

4. In the 'IPsec Settings' tab, click on the 'Customize...' button of the 'IPsec defaults'
5. In the 'Data protection (Quick Mode)' select 'Advanced and click on 'Customize...'
6. Check the 'Require encryption for all connection security rules that use these settings.' box
7. Click 'OK' on all open windows to validate and close them.
After you finish

For PlotWave 340/345/360/450/500/550/3000/3500/5000/5500/7500, and ColorWave
500/550/650/650R3/700/3500/3600/3700/3800

Remove your workstation from the IPsec/Access control configuration when it must not remain in
the list of connected stations.
For all other printers
system.

Troubleshooting: Disable 'Access control' and IPsec (PlotWave 500 and PlotWave 340/360 systems)
Troubleshooting: Disable 'Access control' and IPsec (PlotWave 500 and

PlotWave 340/360 systems)
Introduction
• Access control and IPsec have been enabled without any station defined
and
• The communication between the controller and the host stations fails
Any remote connection to Express WebTools is impossible. The system is unreachable.
Then, use the emergency procedure to disable IPsec and Access control via the printer user
panel.
Disable Access control on the printer user panel
Procedure
1. On the user panel, tap the upper right corner, to display the menu
2. Select 'Security'
3. For PlotWave 500, enter the System administrator (or Power user) password
For PlotWave 340/360 enter the 'Password to change networks settings' if set.

4. A wizard is displayed. Follow the instructions
5. Confirm to disable access control

6. Press 'Finish'
Result
Access control and IPsec functions are disabled.

After the restart, you will be able to remotely open Express WebTools from any workstation
(HTTP).

HTTPS
HTTPS
Introduction
In the print systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Publisher Express
- save encrypted scan jobs from the printer controller (Scans Inbox)
- securely manage the configuration of the system through Express WebTools
communication.

protocol.
To ensure a fully trustful authentication, it is recommended to use a certificate delivered by a

certificates.

messages.


Procedure




'Next'.



11. Click on 'Yes'.


Result
Procedure



Description of the overall procedure to request and import a CA-signed

certificate
Introduction
printer.

Authority.
protocol.
Step Description
created.
page 166.
ply.
request feedback
A4- Restart the controller 4

Back up a certificate and a private key
Step Description
Step Description
each workstation.
stations browser on page 168.
Other procedures
certificate.
When to do
You must back up the certificate and private key:

Generate a CA-signed certificate request
• BEFORE the generation of a certificate request (step A1 of the Description of the overall
procedure to request and import a CA-signed certificate on page 110):
To save your current certificate and private key.
• AFTER the generation of the certificate request:
To save the private key linked to the certificate request.
• AFTER the import of the new certificate (step B5):
To save your new certificate and private key, in order to be able to restore them if needed.
Back up the current certificate and private key
Procedure
1. In a web browser, open Express WebTools (http(s):\\[IP address or hostname])
2. Log on as the printer system administrator
3. On the Configuration - Remote Security page, select [Backup certificate and private key]
4. To save the server certificate and private key, enter a password made of 6 characters at least
([Password used to encrypt the private key])
5. Confirm the password
6. Click 'Save'
7. Download and store the back up file (.jks).
Purpose
Create a certificate request.
Use this function only when you want to request a new CA-certificate.
Pre-requisites
Back up the current Certificate and Private key already installed on the controller (see Back up a
certificate and a private key on page 165).
[Generate a certificate request]

NOTE
Step A2 of the Description of the overall procedure to request and import a CA-signed certificate
on page 110.
Procedure
1. In a web browser, open Express WebTools (https:\\[IP address or hostname])
2. On the Configuration - Remote Security page, select 'Generate a certificate request'
3. Fill out the form with the requested information
NOTE
Attention : In the certificate request:
• The Common name MUST be the hostname or the Fully Qualified Domain Name
(FQDN) of the printer (e.g.: or 'PlotWave360' or 'PlotWave360.mycompany.com').
This Common Name will be used in the URL (e.g.: 'https://[CommonName]).
• The country name MUST follow the ISO 3166 standard and be composed of 2
characters (e.g.: 'us' for United States)
4. Click 'Generate'.

Save and send the request
Result
The web server generates a certificate request. The content of the request is displayed (plain
text).
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvDCCASQAwfDELMAkGA1UEBMCRlIxDDAKBgNVBAgTA0lERjEQMA4GA1UEBxMHQ1JFVEV
J
TDEBEGA1UEChMKT2NlIFBMVCBTQTEMMAoGA1UECxMDU05TMSowKAYDVQQDEyF0ZHM3M
DAtNzQw
LnNucy5vY2VjcmV0WlsLm9jZS5uZwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2NKQM
d
HjiDZ1khzTJTORxHqjKl3AtE3PXqRsiHouTH5JTceYtaBjCnxCJ4pGKY5iKN8KJiJuZG8PHxY7o
W/+zpvxN2VtX7TcyTAvyCThUwL+cqo75tvODo5HMCUa2sLdl8GO9WMLpgZkxH5KzIiO+LcI4
yQbqhENynywS0C2ObXCq3yksF74+XIO0swhoA2yfDp4T+LuF3wxys8lUH3ZhhkOYg=-
-----END NEW CERTIFICATE REQUEST-----
When to do
NOTE
Step A3 of the Description of the overall procedure to request and import a CA-signed certificate
on page 110.
Procedure
1. Copy and paste the content of the request in a .csr file (named 'certificate_request.csr' by default)
2. Send the content of this request to the Certification Authority.
Import a CA-signed certificate (into the controller and workstations)
Introduction: overall procedure

1. Import the CA-signed certificate into the controller:
• Import the 'Root certificate'
• Import the 'Intermediate certificate'
• Import the CA-certificate
2. Import the Root certificate into the workstations web browser
Import the [Root certificate] into the controller

NOTE
Step B2 of the Description of the overall procedure to request and import a CA-signed certificate
on page 110
Save locally or on the network all the CA-signed certificate files the Certification Authority sent
you.

Import the [Intermediate certificate]
Procedure
2. On the Configuration - Remote Security page, select 'Import CA-signed certificate'
3. Select [Root certificate]
4. Browse to the Root certificate file and click [Import]
NOTE
The Root certificate may already exist in the web server certificates list.
5. Validate to confirm the import

6. When the message [Certificate successfully imported.] pops up, go on to import the [Intermediate
certificate]
Procedure
1. Select [Intermediate certificate]
2. Browse to the Intermediate certificate file and click [Import]
3. When the message [Certificate successfully imported.] pops up, go back to the main page to
import the [CA-signed certificate]
Import the [CA-signed certificate]
Procedure
1. Select [CA-signed certificate]
2. Browse to the certificate file
3. Select 'Yes' to validate the certificate against Java root certificates and click 'Import'
4. When the message [Certificate successfully imported.] pops up, restart the controller.
Result
Result: The certificate is now installed on the server.
Check and import (if needed) the CA Root certificate also into the workstations web browser. That
will secure the complete data workflow between the workstations and the server.
Check and import the [Root certificate] into the workstations browser
When to do
NOTE
on page 110.
Procedure
1. On each workstation, open the web browser
2. In the Tools - Internet Options - Content window, open the 'Certificates'
3. Check if the CA [Root certificate] is already displayed in the 'Trusted Root Certification
Authorities' list
4. If it is not in the list, import the CA Root certificate.

Restore a certificate and a private key
When to do
You can restore the certificate and the private key at any moment, in case of need.
Restore the certificate and private key
Procedure
2. On the Configuration - Remote security page, select [Restore certificate and private key]
3. Browse to the back up file
4. Enter the password of the back up file
5. Click 'Restore'
6. A dialog box opens: [This action will overwrite the current certificate. Continue?]
Click 'OK'
7. When the key and the certificate are successfully restored, restart the controller.
Reset the current certificate
Purpose
This procedure creates a new Océ self-signed certificate.
When to do
You can reset the certificate after a certificate request or at any moment when you want to restore
a self-signed certificate.
NOTE
Prefer the restoration of the original self-signed certificate (that requests a preliminary back up of
the original self-signed certificate. See Back up a certificate and a private key on page 165):
Each 'Reset certificate' action generates a new self-signed certificate (with a new private and
public key). So each time you reset the certificate, you must import the new certificate into the
web browser.
Reset the certificate
Procedure
2. On the Configuration - Remote security page, select [Reset certificate]
3. Click the 'Reset' button
4. When the reset is successful ([Certificate successfully reset]), restart the controller
Result
A new self-signed certificate has been generated on the controller.
Configure your web browser to use it (see Use the self-signed certificate with Internet Explorer on
page 68)

Prevent 'Print from USB' and/or 'Scan to USB'
How to prevent 'Print from USB' and/or 'Scan to USB'
Introduction
device.
Illustration
[3] USB capability in External locations
Procedure
2. Open the 'Configuration' - 'External locations' page
3. Log in as a System administrator or Power user
4. Edit the 'USB' type
5. In the 'Enabled functionalities' drop down list, select:

- 'None' to disable 'print from' and 'scan to' capabilities
- 'Print from only' to enable to print from USB and disable 'Scan to USB' capability
- 'Scan to only' to enable to scan to USB and disable 'Print from USB' capability
Note: Select 'Print from and scan to' to allow both 'print from' and 'scan to' USB capabilities
6. Click 'OK'


through Express WebTools.
Go to the 'Preferences' - 'System defaults' page to disable or restrict:
The use of the Smart Inboxes When the 'Smart Inbox capability' is set to
('Smart Inbox capability') 'Disabled', all the jobs currently present in the
Smart Inboxes are deleted. All incoming print
jobs are directly and solely sent to the print job
queue.
The use of Publisher Express When disabled, the job submission capability
('Publisher Express' or 'Enable Publisher Ex- (through Express WebTools) is completely de-
press') activated.
The remote actions on jobs to the Operator When enabled, all remote actions on jobs in
('Restrict remote actions on jobs to the Key the queue are restricted to the Key Operator or
Operator') Power user only.
The display of Smart Inboxes in Express When enabled, all users of Express WebTools
WebTools can see the Smart Inboxes. When disabled, the
Key operator or Power user only can see them
(logging needed).
Keep completed jobs in the Smart Inbox When enabled, a copy of jobs is kept in the
Keep a copy of scanned jobs in the Smart In- Smart Inbox for later use, until the expiration
box time-out.
Keep a copy of copy jobs in the Smart Inbox Disable these settings to delete all jobs from
(Public) the Smart Inboxes after they are processed.
Keep a copy of local print jobs in the Smart In-
box


Chapter 4
Security on PlotWave 345, 365, 450,
550, 3000, 3500, 5000, 5500, 7500
Overview
Overview
Security overview for the PlotWave 345, 365, 450, 550, 3000, 3500,
5000, 5500, 7500
Introduction
The PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500 systems are equipped with the
following security features:
Security overview
Operating System Microsoft Windows Embedded Standard 8 64 bit (for

PW345/365/450/550)
PW3000/3500/5000/5500/7500)
Firewall Yes
MS security patches Canon Production Printing released patches (for
PW345/365/450/550)
Standard Microsoft Security updates (.MSU) approved
PW3000/3500/5000/5000/7500)
Antivirus Yes
- Smart card
- Contactless card (in case of PW345/365/450/550, only
R1.1 and higher versions)
word is enabled
Hard Disk encryption For PW345/365/450/550:
- Normal encryption
Encryption mode:
- AES256 for PW345/365/450/465 R1.2 and higher ver-
sions
- AES128 for other PW345/365/450/465 versions
For PW3000/3500/5000/5500/7500:
Data overwrite E-shredding 4
174 Chapter 4 - Security on PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500
Security overview for the PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500

PW3000/3500/5000/5000/7500)
Device authentication IEEE802.1X for:
• PW345/365/450/550 R1.2 and higher versions
• PW3000/3500/5000/5500/7500
- LDAP authentication: Domain accounts via LDAP over
Kerberos or LDAP over SSL, for:
• PW3000/3500/5000/5500/7500
- User settings
• PW3000/3500/5000/5500/7500
• PW3000/3500/5000/5500/7500
• PW3000/3500/5000/5500/7500
Chapter 4 - Security on PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500 175
Ports - Protocols
Microsoft Windows (WPD2) TCP 80: HTTP for back-chan- for Printer Discovery
for Printer Discovery
Driver Express
TCP 443: HTTPS
TCP 443: HTTPS
(PW3000/3500/5000/5500/7500)
sive mode)
ICMP: ping
TCP 21: FTP (2)
FTP passive mode)
UDP 138, 445 4
- Local: TCP any
- Remote: TCP 21
FTP Data(3) :
- Local : TCP any
- Remote: TCP any
TCP 443: HTTPS
TCP WebDAV port
Notes:
* Back-channel is a proprietary protocol used to retrieve information from the printer (status,
(1)
iOS
UDP 137, 138, 445
- Local: TCP any
- Remote: TCP 21
FTP Data(1) :
- Local : TCP any
- Remote: TCP any
TCP 443: HTTPS
TCP WebDAV port
Scan to Home folder TCP 88 /UDP 88: Kerberos
TCP 389 /UDP 389: LDAP
TCP 139, 445
UDP 137, 138, 445
Notes:
PING IPv4 ICMPv4
PING IPv6 ICMPv6
TCP 443: HTTPS
trieval TCP 443: HTTPS
(PW3000/3500/5000/5500/7500)
User authentication by user TCP 88 /UDP 88: Kerberos
name and password TCP 389 /UDP 389: LDAP
User authentication by smart TCP 80: OCSP
card TCP 80: HTTP or TCP 443:
HTTPS
nel
UDP 138
WSD TCP 80: HTTP
WAVE TCP 80: HTTP
TCP 443: HTTPS
(PW3000/3500/5000/5500/7500)
(Publisher Select)
TCP 443: HTTPS for back chan-
nel
(PW3000/3500/5000/5500/7500) 4
IPsec UDP 500
UDP 4500
LDAP authentication over Ker- TCP 88/ UDP any: for Kerberos
beros TCP 389 (configurable)/ UDP
any: for LDAP
LDAP authentication over SSL Customer configurable
TCP port 636 by default/ UDP
any
Time synchronisation UDP 123: Network Time Proto- UDP 123: Network Time Proto-
col col
(PW3000/3500/5000/5500/7500) (PW3000/3500/5000/5500/7500)
Notes:

Inbound rules:
Outbound rules:
Security Patches
Security Patches
Install Operating system patch for PW345/365/450/550
Introduction
Before you begin

NOTE

Install a patch
Procedure
3. Select 'Update'

Install Operating system patch for PW345/365/450/550
wizard
6. Click OK
Install Operating system patch for PW3000/3500/5000/5500/7500
Introduction
Install Windows updates, also called security patches, when they are available for your product.
Before you begin

Find the Canon Production Printing approved security patches on the Downloads website: "http://
downloads.cpp.canon"
Open the product page and go to the Security tab to download the available Operating system
patches.
Functional description
1. In WebTools Express, the user selects the Operating system patch file that he previously
retrieved.
2. The system downloads this patch file and checks its integrity.
3. The printer starts the patch installation.
4. A reboot is necessary to complete the installation.
Install a patch
Procedure
1. Open WebTools Express.
2. Open the [Support] tab.
3. Select [Update].
4. Click on [Install] in the [Operating system patches] section.
After a warning popup window, the following window is displayed:
5. Browse to the downloaded patch file (*.msu) and click OK to install it.
There are 2 options available:
• Option 1 : Automatically install the operating system patch after the file has been uploaded
• Option 2 : Restart the system automatically to finish the installation of the operating system
Here are the useful scenarios:
Automatically install the Restart the system auto‐ Scenario

operating system patch af‐ matically to finish the in‐
ter the file has been uploa‐ stallation of the operating
ded system
Disable Enable After the patch have been checked,
you are prompted to start the instal-
lation. After acknowledging the dia-
log box, the system will reboot auto-
matically to complete the installation
(default behavior).
Recommended if you want to pre-
pare the patch installation (patch
downloaded and checked) but you
want to install it during non working
hours for a faster installation.
Enable Enable After having selected the Operating
system patch, the process (patch
download, verification and installa-
tion with reboot ) is fully unattended.
Recommended if the system is not
printing, you want to initiate the
process and don't want to wait for
any confirmation.
6. Click OK to confirm when the update is finished.
Protocol protection
Protocol protection
Introduction
attacks.

services sis
Enable/Disable er).
- Account Center
- Reprodesk
- Third party applications
vices (WSD)'
interfaces

services sis
col.
enabled:
- 'Wave interface'
ces'
Publisher Select'
HTTP'
ices are disabled.
be disabled.
date of embedded HTTPS
Service documenta-
tion'
'Remote Service con- HTTPS Enable/Disable Outbound connection used
nection' by Remote Service

section of the Express WebTools and uncheck the protocol or service.
To disable the connection to Remote Service ('Remote Service connection' feature) , go to
'Preferences' - 'System defaults' - 'Service related information'.
To allow/disallow 'automatic update of embedded Service documentation', go to 'Security' -
'Configuration' - 'Permissions for Service'.

Introduction

ools section
bled'
3 Security - Configura- Disable the automatic update of Set 'Allow automatic update
tion - Permissions for the embedded Service information of embedded Service docu-
Service mentation' to 'Disabled'
protocol
Internet
tings
down
Introduction

USB device.
is not possible

You can disable:
Port based authentication (IEEE 802.1X)
Port-based authentication (IEEE 802.1X) - explained
What is port-based authentication

A printer can act in a network (LAN) protected by IEEE 802.1X. The 802.1X standard provides the
possibility to allow or to deny a network connection based on the identity of an endpoint. This
endpoint can be a user, a device or an application. As long as the endpoint has not been
identified and verified, the access to other endpoints of the protected network is not possible.
IEEE 802.1X security is based on the status of the LAN ports of the network entities. An IEEE
802.1X configurable LAN port can be dynamically enabled or disabled. The results of the IEEE
802.1X authentication process determine if the port will be enabled or not.
Framed text in this topic describes the IEEE 802.1X implementation of the printer.
IEEE 802.1X components and their tasks

The IEEE 802.1X standard distinguishes the following components: supplicant, authenticator and
authentication server.
• Supplicant
The supplicant is the endpoint that wants to access the protected network.
• Authenticator
The authenticator is a LAN switch that acts as a security guard to the protected network.
• Authentication server
The authentication server verifies the identity of the supplicant. The industry standard of the
authentication server is a RADIUS server.
The authentication server is a host with software that supports the RADIUS and EAP protocols.
It provides a database of information required for the authentication. The authentication server
can query a back end LDAP directory server to validate identity information of the supplicant.
A. B.
Supplicant Authentication Supplicant Authentication

(Printer) Authenticator server (Printer) Authenticator server
802.1x
802.1x
LAN LAN
LAN
The scheme is a simple overview of how IEEE 802.1X works.

A. Before the port authentication, the identity of the endpoint, for example a printer, is unknown
and all data traffic to the protected side of the network is blocked. The IEEE 802.1X message
sending is necessary to exchange identity information, such as identity certificates and to agree
on the used protocols and authentication methods,
B. After the port authentication, all traffic to the protected side of the network is allowed.
EAP
In general IEEE 802.1X uses the EAP (Extensible Authentication Protocol) protocol to negotiate
the way to authenticate the supplicant and the authentication server. In general, the supplicant
can have a certificate, a smart card, or credentials for identification.
EAP collaborates with additional authentication protocols, such as Transport Layer Security (TLS)
and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).
• EAP-TLS
EAP-TLS is used in certificate-based security environments. It provides the strongest
authentication and key determination method. EAP-TLS requires that the supplicant has an
identity certificate.
• EAP-MS-CHAP v2
EAP-MS-CHAP v2 is a mutual authentication method that supports password-based endpoint
authentication.
NOTE
Not all authentication servers, supplicants and LDAP directory servers support all authentication
methods.
The printer supports: EAP-TLS and EAP-MS-CHAP v2.
PEAP
PEAP (Protected EAP) is a protocol to increase the security of EAP-MS-CHAP v2 and EAP-TLS.
PEAP builds an encrypted channel during the second part of the EAP handshake process. Inside
this secure channel a new EAP negotiation takes place to authenticate the supplicant.
EAP-MS-
PEAP EAP-TLS EAP-TLS
CHAP v2
• PEAP with EAP-TLS

PEAP provides the highest security by protecting the Identity certificate of the supplicant
during the transfer to the authentication server.
• PEAP with EAP-MS-CHAP v2
PEAP combines the easy of use EAP-MS-CHAP v2 with an extra security level by encrypting the
EAP-MS-CHAP v2 credentials. The combination is generally used in Microsoft Active Directory
environments.
The authentication methods the printer supports are: PEAP with EAP-TLS, PEAP with EAP-MS-
CHAP v2 and EAP-TLS.
Identity certificates
All authentication methods require that the trusted CA certificates of the authentication server are
available on the supplicant to authenticate the authentication server to the controller's list of
trusted certificate. We will use the same identity certificate for HTTPS, IPsec and for IEEE 802.1x
EAP-TLS requires a valid Identity certificate of the supplicant that is mapped to a user account or
computer account in the LDAP directory server (Active Directory Domain Services (AD DS)).
• When the certificate refers to a computer account, the Subject Alternative Name
(SubjectAltName) field in the certificate must contain the Fully Qualified Domain Name (FQDN)
of the client, which is also called the DNS name.
• When the certificate refers to a user account, the Subject Alternative Name (SubjectAltName)
field in the certificate must contain the User Principal Name (UPN).
NOTE
EAP-MS-CHAP v2 does not need an Identity certificate of the supplicant.
• When the printer uses IEEE 802.1X the CA certificates of the RADIUS server must be imported
into the list of trusted certfificates.
• The printer Identity certificate that is valid for HTTPS can be used for IEEE 802.1X.
• One of the Subject Alternative Name fields of the printer Identity certificate must be equal to
the Fully Qualified Domain Name (FQDN).
NOTE
EAP-MS-CHAP v2 requires an MS-CHAP v2 username and a MS-CHAP v2 password
that are configured in Express Webtools.
Start of the IEEE 802.1X authentication

An IEEE 802.1X authentication can be initiated by either the authenticator (the switch) or the
supplicant. When the authenticator detects a link up to the port, it sends a message to the
supplicant.
It is usually not needed to re-authenticate a previously authenticated endpoint that remains
connected to the network. After a successful 802.1X authentication, the port remains open until
the connection is terminated, for example when the physical link shows a down status. As long as
the physical link is maintained, the authenticated endpoint remains connected to the port.
Below you find schemes that explain how the IEEE 802.1X authentication occurs for EAP-TLS,
PEAP with EAP-TLS, and PEAP with MS-CHAP v2.
EAP-TLS
Authenticator
Trusted certificates Trusted certificates

1. Request IEEE 802.1X
5. FQDN
Identify certificate Identify certificate /UPN Username
2. Certificate 2. Certificate Printer name

3. Authentication
4. Certificate
4. Certificate 6. Authentication
Domain controller
7. Data directory service
Supplicant Authentication
(Printer) server
LAN
1. The supplicant (for example the printer) sends IEEE 802.1X request to authenticator.
2. After negotiating the authentication method, the authenticator sends the Identity of the
Authentication server.
3. The supplicant authenticates the Identity certificate of the Authentication server.

4. The supplicant sends its Identity certificate.
5. The Authentication server verifies the Identity certificate. The directory service of the domain
controller is used to query the user account or computer account reference of the certificate.
6. The Authentication server authenticates the Identity certificate of the supplicant.
7. The Authenticator enables the IEEE 802.1X configured port and the supplicant can access the
network.
PEAP with EAP-TLS
Authenticator

1. Request IEEE 802.1X 5. FQDN

3. Authentication
4. Certificate
Domain controller
(Printer) server
LAN
2. After negotiating the first part of the authentication method, the authenticator sends the
Identity of the Authentication server.
4. The supplicant builds a PEAP encrypted channel to negotiate the second part of the
authentication. Thereafter, it sends its Identity certificate through the channel.
network.
PEAP with MS-CHAP v2
Authenticator

Identify certificate
MS-CHAPv2 login
2. Certificate 2. Certificate
3. Authentication 4. MS-CHAPv2 login 4. MS-CHAPv2 login

5. Authentication
6. Data
(Printer) server
LAN
authentication. Thereafter, it sends its MS-CHAP v2 login information through the channel.
5. The Authentication server validates the MS-CHAP v2 login information.
network.
IEEE802.1X - Configuration steps
Prerequisites
• A printer
• A switch supporting port-based authentication for IEEE802.1X
• A RADIUS server
Introduction
2 main different port-based authentication methods are supported:
• With username from domain (requires a username/password)
• With printer name from domain (requires a client certificate)
The configuration of IEEE802.1X includes several procedures, some of them depending on the
authentication method.
Configuration procedures
1. IEEE802.1X environment preparation
1. Configure a Certification Authority
see Configure a Certification Authority (example on Windows Server 2016) on page 194
2. Prepare the RADIUS server
see Prepare the RADIUS server (example on Windows Server 2016) on page 196
3. Prepare the switch
see Prepare the switch on page 200
2. Configure the printer controller
see Configure the printer controller on page 202
3. Configure the Radius server
• for username from domain
see Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2'
on page 209
• for printer name from domain
see Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with
EAP-TLS)' on page 219
Troubleshoot
For more information about troubleshooting the configuration of IEEE802.1X see Troubleshoot on
page 236.
Configure a Certification Authority (example on Windows Server 2016)
Introduction
As Certificates (Server and/or Client Certificates) are required for the IEEE802.1X configuration, it
is customary to configure your own Certification Authority rather than using a commercial
Certification Authority.
To configure such an environment on a Windows server 2016:
• Active Directory Certificate Services must be installed, and
• Certificate Authority (Default) must be installed
• It is recommended to install Certification Authority Web Enrollment, which will provide an
easy way for Certification with a web interface.
Once configured, you can see the local Certification Authority like in the example below:
Check that you have a certificate template for Client Authentication or create one:
NOTE
For complete Certification Authority configuration, please check relevant documentation. For
example 'How to configure Certification Authority on Windows Server 2016'.
Prepare the RADIUS server (example on Windows Server 2016)
Procedure
1. Install Network Policy and Access Services as a role on Windows Server 2016
2. Manage 'Network Policy Server' (NPS) and create a Radius client which is related to the switch
used:
• IP address of the switch
• It is recommended to add a 'Shared secret' which will also be set on the switch.
Example:
3. Check there is a Connection Request policy enabled with NAS port type = Ethernet.
Example:
Prepare the switch
Prepare the switch
Introduction
The switch must be configured, but the configuration depends on the switch chosen. We give
here an example of a Cisco SG-350:
Procedure
1. Configure IEEE802.1X on the switch.
2. Configure the port on the switch supporting IEEE802.1X where the printer will be plugged in (for
example port 'GE2' in the picture below).
3. Configure the switch as a radius client with the following information:

• Radius Server name or IP address
• Secret (also configured in the Radius server, see previous section 'Prepare the RADIUS server')
Prepare the switch
4. It is recommended to configure the switch logging for debug.
Configure the printer controller
Introduction
The settings for IEEE802.1X on the printer controller are accessible through:
• Express WebTools (for settings configuration)
• Printer user panel (for IEEE802.1X status and disable in case of trouble)
Procedure
1. Open Express WebTools - Security - Trusted certificates.
2. Click on 'Create new' to import the Radius Server Root certificate on the controller.
This is the root certificate you defined when you created the Certification Authority (see Configure
a Certification Authority (example on Windows Server 2016) on page 194)
3. Browse to the root certificate and select it.
4. Click 'Ok'.
5. Edit the settings for IEEE802.1X on the printer controller in Express WebTools - Security -
Configuration - Network-based configuration (IEEE 802.1X)
• Network-based authentication (IEEE 802.1X)

• enable/disable the functionality
• Fallback to unauthorized network access
• 'Yes' allows network access when network authentication failed
• 'No' disallows network access when network authentication failed
• Regular expressions for authentication server
• A regular expression to identify the Radius server
• Minimal version of TLS protocol
• For security purpose, it is recommend to use TLSv1.2
• For compatibility, older TLS version may be required
Only for the authentication method 'Username from domain; PEAP with EAP-MSCHAPv2' define:
• Domain username (which is used by the controller to identify itself to the Radius server)
• Password
Only for the authentication methods 'Printer name from domain; EAP-TLS' or 'Printer name from
domain; PEAP with EAP-TLS' create a (client) certificate on the controller in the next step.
6. Use the following procedure (from 1 to 13) to create a (client) certificate on the controller. (Only
for the authentication methods 'Printer name from domain; EAP-TLS' or 'Printer name from
domain; PEAP with EAP-TLS').
1. Open Express WebTools - Security - HTTPS - Generate a certificate request.
2. Enter the DNS name of the printer in at least one of the Subject alternative name (SAN). In
this example : cw3700.sns.ocegr.fr
3. Click on 'OK' and wait for the following window to appear:
4. Copy the content (all the text including ' ----- BEGIN NEW CERTIFICATE REQUEST -----' and
'----- END NEW CERTIFICATE REQUEST -----')
5. Submit this certificate request to a Certification Authority (CA). See the following example
with an internal Certification Authority, realized with an Enrollment Web Server with
Windows Server 2016).
NOTE
A certificate template compatible with client authentication is required.
6. Create the certificate, web page: http://<hostname_certificate_server>/certsrv.
7. Paste the content previously copied in the field 'Saved Request'.

8. Select a Certificate template compatible with Client authentication (as explained earlier in
topic 'Configure a Certification Authority').
9. Click on 'Submit'.
The following window appears:
10. Click on 'Download certificate' to retrieve the certificate (certnew.cer).

You have now to import the CA signed certificate (certnew.cer) and the ROOT (and
Intermediate if relevant) certificate(s) (in our example LDAPSNS-CA).
11. Open Express WebTools - Security - HTTPS - Import CA signed certificate.
12. Select 'Root certificate' in Certificate type to import the Root certificate.
13. Select 'CA-signed certificate' in Certificate type to import the certificate previously
downloaded.
7. Click on 'Test the configuration'.

This functionality tests the configuration locally but does not use the network for complete
testing. It can be considered as a pre-test only.
8. To see the IEEE802.1X status and to disable IEEE802.1X in case of network trouble, tap on the
printer user panel - System - Security.
Tap 'Next' for advanced operations.
Select an operation and tap 'Next'.
Tap 'Restore' to disable IEEE802.1X in case of trouble.
Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2'
Configure the Radius server for 'Username from domain; PEAP with EAP-
MSCHAPv2'
Introduction
This procedure describes how to configure the Radius server for 'Username from domain; PEAP
with EAP-MSCHAPv2' (example on Windows Server 2016).
For more information about this port-based authentication method see Port-based authentication
(IEEE 802.1X) - explained on page 188
Before you begin

The previous procedures of the IEEE802.1X configuration are:
Procedure
1. Open Windows Server Active Directory Users and Computers.
2. Create a Group for the printer:
3. Create a user for the printer belonging to the aforementioned group with the same <username>
and <password> defined on the controller.
4. Add the user as a member of the aforementioned group.
Configure the Radius server for 'Username from domain' - Network Policy
5. At the Dial-in tab, give access permission to 'Control access through NPS Network Policy'.
6. Configure a Network Policy, see Configure the Radius server for 'Username from domain' -
Network Policy on page 211
Introduction
This procedure describes how to configure the Network Policy on the Radius server for
'Username from domain; PEAP with EAP-MSCHAPv2' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
• Fill in the 'Policy name'.

• Select 'Unspecified' as 'Type of network access server'.
• Click on 'Next'.
2. Click on 'Add' in 'Specify Conditions' to add the group you defined before.
3. Select the Group and click on 'OK'.
4. Click on 'Next'.
5. In 'Specify Access Permission', select 'Access granted'.
6. Click on 'Next'.
7. In 'Configure Authentication Methods', add PEAP.
8. Click on 'OK'.
9. Select PEAP and click on 'Edit'.
10. Define the certificate the server will use (the certificate you imported into the controller)
11. Click on 'Add' in the window 'Edit Protected EAP Properties' and select the EAP Type 'EAP-
MSCHAP v2 '.
12. Click on 'OK'.
13. It is recommended to disable the 'Less secure authentication methods'.
14. Click on 'Next'.

The 'Configure Constraints' window opens.
15. Keep the default values in the 'Configure Constraints' window and click on 'Next'.
The 'Configure Settings' window opens.
16. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with EAP-TLS)'
Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP
with EAP-TLS)'
Introduction
This procedure describes how to configure the Radius server for 'Printer name from domain;
EAP-TLS' and 'Printer name from domain; PEAP with EAP-TLS' (example on Windows Server
2016).
Before you begin

Procedure
3. Create a computer for the printer with the computer name equal to the Subject Alternative name
(without the DNS suffix) you entered when creating the certificate request. See the step '... create
a (client) certificate on the controller' in Configure the printer controller on page 202:
In this example, the Subject Alternative name was : 'cw3700.sns.ocegr.fr', so the computer name
is 'cw3700'.
4. Add the computer as a member of the aforementioned group.
5. At the Dial-in tab, give 'Network Access Permission' to 'Control access through NPS Network
Policy'.
6. At the Attribute Editor tab, set the Attribute 'servicePrincipalName' with the syntax:
servicePrincipalName=host/<computername>.<domainsuffix>
Example: servicePrincipalName=host/cw3700.sns.ocegr.fr
7. Configure a Network Policy:

• For 'Printer name from domain; EAP-TLS' see Configure the Radius server for 'Printer name
from domain; EAP-TLS' - Network Policy on page 222
• For 'Printer name from domain; PEAP with EAP-TLS' see Configure the Radius server for
'Printer name from domain; PEAP with EAP-TLS' - Network Policy on page 228
Configure the Radius server for 'Printer name from domain; EAP-TLS' - Network Policy
Configure the Radius server for 'Printer name from domain; EAP-TLS' -
Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for 'Printer
name from domain; EAP-TLS' (example on Windows Server 2016).
Procedure

4. Click on 'Next'.
6. Click on 'Next'.
7. In 'Configure Authentication Methods', add 'Microsoft: Smart Card or other certificate'.
8. Click on 'OK'.
9. Select 'Microsoft: Smart Card or other certificate' and click on 'Edit'.

11. Click on 'OK'.

14. Keep the default values in the 'Configure Constraints' window'.

Configure the Radius server for 'Printer name from domain; PEAP with EAP-TLS' - Network Policy
Result
switch.
Configure the Radius server for 'Printer name from domain; PEAP with EAP-
TLS' - Network Policy
Introduction
name from domain; PEAP with EAP-TLS' (example on Windows Server 2016).
Procedure

4. Click on 'Next'.
6. Click on 'Next'.
7. In 'Configure Authentication Methods', add 'Microsoft: Protected EAP (PEAP)'.
8. Click on 'OK'.
9. Select 'Microsoft: Protected EAP (PEAP)' and click on 'Edit'.
11. Click on 'Add' in the window 'Edit Protected EAP Properties' and select the EAP Type 'Smart Card
or other certificate'.
12. Click on 'Edit' to define the certificate which will be used as Server certificate (the certificate you
imported into the controller).
13. Click on 'OK'.



Result
switch.
Troubleshoot
Troubleshoot
Introduction
As IEEE802.1X involves the printer, the switch, and the Radius Server, there are several tools for
troubleshooting.
Tools for troubleshooting

1. On the printer via Express Web Tools
• Tests the configuration locally, not the connection to the network.
2. On the printer user panel

• The status of IEEE802.1X connection is given.
3. On the switch
Generally:
• Some logging is present.
• Some switches have a test feature to check communication with the Radius server.
4. On the Radius Server
• Check the event viewer of Network Policy and Access Services.
Troubleshoot
5. Network protocol analyser

• This tool allows to follow all the network traffic between controller, switch and Radius
Server, but requires thorough knowledge. It allows to follow the communication according
to the following diagram:
Example of a network protocol capture with IEEE802.1X frames (PEAP with EAP-TLS):
Troubleshoot
Troubleshooting first step

In case IEEE802.1X is not working, before consulting the troubleshooting table, first check the
IEEE802.1X configuration with the validation tool 'Test the configuration' in Express Web Tools.
Reminder: This tool tests the configuration only locally, it does not test the connection with the
switch or the radius server.
Troubleshoot
Troubleshooting table IEEE802.1X
Error Possible cause Action

No communication at all while ev- • IEEE802.1X could • Plug the Ethernet cable in a non
erything seems correct have been disa- IEEE802.1X Ethernet outlet (trans-
No other indicator bled on Controller parent mode)
• Controller could • Check whether IEEE802.1X has not
have entered a been disabled on the controller
blocking situation • It is HIGHLY RECOMMENDED TO
after an unsuc- DISABLE/ENABLE IEEE802.1X
cessful attempt of each time you change settings in
IEEE802.1X con- the infrastructure to prevent the
nection controller from entering a blocking
situation
No authentication method set Wrong restore oper- Restore defaults setting in Express
when opening the IEEE 802.1X ation after an up- WebTools:
menu: grade
Then program the settings again.

In the complete IEEE802.1X edit Occurs in some ver- Use the individual setting to enable
window, the setting 'Network- sions IEEE802.1X
based authentication' has no in-
fluence. Independent of the value
the setting is set to, after closing
the window the value is always
'No'.
No communication with the Radi- Radius Server not Check the Radius Server name in Ex-
us Server while the Printer sent its correctly set press WebTools (caution: it must
identity correctly to the Switch contain at least one '*' character)
(seen with network protocol ana-
lyser)
4
Troubleshoot

All settings seems correct while Possible IEEE802.1x • Disable IEEE802.1X on the Local
Event viewer 'Network Policy and locking situation User Interface : Settings - Security.
Access Services' (NPAS for Radi- The last screen displays:
us server) mentions 'Authentica-
tion failed due to a user creden-
tials mismatch. Either the user
name provided does not map to
an existing user account or the
password was incorrect.'
• Click on Restore (this disables

IEEE802.1X)
• Enable IEEE802.1X in Express
WebTools (on a full authorized
ethernet port)
Event viewer NPAS (Radius serv- The certificate im- Check/Import the correct Root certifi-
er) mentions: 'The certificate ported in the con- cate(s) (chain) in the controller
chain was issued by an authority troller is not correct
that is not trusted.'
Event viewer NPAS (Radius serv- Network Policy is Check Network Policy (on the Net-
er) mentions: 'The connection re- not correctly set on work policy server) (see relevant sec-
quest did not match any config- the Radius Server tion corresponding to the Authenti-
ured network policy.' cation method chosen)
Event viewer NPAS (Radius serv- There is a mismatch Check Network Policy (on the Net-
er) mentions: 'The client could not in EAP types of Net- work policy server), section 'Authen-
be authenticated because the Ex- work Policy, for ex- tication methods' (see relevant sec-
tensible Authentication Protocol ample PEAP is miss- tion corresponding to the Authenti-
(EAP) Type cannot be processed ing. cation method chosen)
by the server.' For example:
Troubleshoot

Event viewer NPAS (Radius serv- Connection request Check the connection request policy
er) mentions: 'The RADIUS re- policy is potentially (on the Network policy server) (see
quest did not match any config- wrong relevant section)
ured connection request policy for example
(CRP).'
Event viewer NPAS (Radius serv- Mismatch in the Check Network Policy (on the Net-
er) mentions: 'No credentials are EAP type setting in work policy server), section 'Authen-
available in the security package.' Network Policy tication methods' (see relevant sec-
tion corresponding to the Authenti-
cation method chosen)
Event viewer NPAS (Radius serv- User not defined • Check username or printer name
er) mentions: 'The specified user (username or printer on controller
account does not exist.' name) • Check username or printer name
in Active Directory
Event viewer NPAS (Radius serv- • Bad configuration Check the Radius client settings:
er) mentions: 'An Access-Request of the Radius Cli- • on the switch
message was received from RADI- ent (on the Radius • on the Network policy server
US client <IP address of radius cli- Server)
ent -the switch- configured on the • Secret mismatch
Radius Server> with a Message- between the
Authenticator attribute that is not switch and the
valid.' Radius client
Antivirus
Antivirus
NOTE
controllers.
User access/LDAP authentication
Roles
Introduction
The "User access" feature allows to access the Local User Interface as well as Express WebTools
with different roles,
Each role gives permission to edit and change some parameters.
Roles description
system settings.
The roles are:
• Key Operator:
The Key Operator can manage the jobs and the device settings.
• System Administrator
The System Administrator can manage the configuration settings, such as the network and
security settings.
• Power User
• Service
Local users and domain users

There are 2 possibilities to acquire any of those roles:
• Local Users : these are built-in accounts locally on the printer
• Domain Users (for PW3000/3500/5000/5500/7500 and for PW345/365/450/550 R1.2 and higher
versions): the IT administrator defines users in a domain who can act as Key Operator, System
Administrator, Power User and Service role
Local users
Local users
These users are built-in users and cannot be changed, there are 4 local users:
• Key Operator (acting as Key Operator role)
• System Administrator (acting as System Administrator role)
• Power User (acting as Power User role)
• Service (acting as Service role)
NOTE
It is possible to disable one or more local users depending on the users and roles defined in
Domain users.
Domain users (LDAP authentication): for PW3000/3500/5000/5500/7500 and for PW345/365/450/550 R1.2 and higher versions
Domain users (LDAP authentication): for PW3000/3500/5000/5500/7500 and

for PW345/365/450/550 R1.2 and higher versions
Introduction
This feature allows the IT manager to define which user, member of a domain, can logon to the
system with which role (Key Operator/ System Administrator/ Power User/ Service), valid for
Express WebTools as well as the Local User Interface.
This feature, called LDAP authentication, is based on secure LDAP protocol with 2 flavors:
• LDAP over Kerberos for Microsoft Windows environment
• LDAP over TLS mainly for non-Microsoft environment
• On Server:
• The IT manager defines in each domain (several domains are possible):
• A domain group for System administrator role
• A domain group for Key Operator roole
• A domain group for Power User role
• A domain group for Service
• For each group, the IT manager defines which user (member of a domain) will belong to
which group
• On the Printer:
• The IT manager defines the aforementioned domain(s) by mean of Express Web Tools
• Any authorized user defined in a specific domain group can authenticate on Express Web
Tools and the Local User Interface with the dedicated role.
Before you begin

• A domain environment containing users must be in place:
• With Microsoft Active Directory services (for LDAP with Kerberos)
• With Certificates Services (for LDAP over TLS)
• The aforementioned domain groups (in “Functional description” section) with their users must
have been defined on the Server
• E.g. in Active Directory Users and Computers
Configure the Domain users (LDAP authentication over Kerberos)
Introduction
Perform the following steps to configure LDAP authentication over Kerberos.
Before you begin

The domain group(s) and the users belonging to those groups must have been defined on the
LDAP server.
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Security' - 'Domains' page.
3. Click 'Create new' to create a domain.
4. Enter the following information for domain access:

• A name for the domain. This name will appear on the user panel as the domain name, so it is
recommended to give it a clear name.
• A description.
• The exact fully qualified domain name (FQDN).
• The credentials for the LDAP lookup account (mandatory) with the policy defined by the IT
administrator:
• Either the account of the authenticated user.
• Or with a specific LDAP account username/password.
5. Expand the LDAP and Advanced Settings sections:
6. In LDAP settings,
• enter the LDAP group name(s) defined in the LDAP server.
Note: you can leave some fields empty.
• define the protocol type according to LDAP policy.
• Kerberos (in this section)
7. When the security policy requires it, set the advanced settings:
• 'Suffix for the User Principal Name (UPN)': if there is a custom suffix, select 'Custom' and enter
it (if there are several suffixes in the same domain, create as many domains as existing
suffixes).
• 'Locate LDAP server': enter the LDAP server name (Fully Qualified Domain Name) or IP address
and port number (if not automatically retrieved by the DNS server).
NOTE : for Kerberos, the port number is usually 389
• 'LDAP attribute to display on the user panel': by default it is 'displayName', but another
attribute is possible.
• 'LDAP search filter': by default it is based on the user principal name
(userPrincipalName=(upn)), but it can be based on another attribute.
• 'LDAP search base': by default the complete LDAP database (defaultNamingContext attribute).
In case of several LDAP databases, it can be worthwhile for performance improvement to
indicate another LDAP search base (Custom LDAP search base).
8. When you click on "OK" a verification is performed, and an error is displayed in case of a domain
creation problem.
NOTE
It is always possible to save the configuration in case of failure and to edit it later on
(e.g. if changes must be performed on LDAP server).
9. Repeat the creation operation for every domain needed.
After you finish

After you configured the domains, validate it. See Validate the configuration (Kerberos) on
page 720
Validate the configuration (Kerberos)
Introduction
After you configured the domains, validate it.
Procedure
1. Go to the 'Security' - 'Configuration'.
2. Click on 'Validate the configuration of the user access mode'.
3. Select the domain name, enter a valid username and the associated password.
4. Click 'OK.
A report is generated:
5. Check there is no red cross icon in the report. If there is a red cross, solve the issue or check the
solutions in the troubleshooting section. See Troubleshooting LDAP authentication over Kerberos
on page 263
Configure the Domain users (LDAP authentication over SSL)
Introduction
Perform the following steps to configure LDAP authentication over SSL
Before you begin

LDAP server.
Procedure

• A description.
administrator:
• SSL (in this section)
suffixes).
NOTE : for SSL, the port number is usually 636
creation problem.
NOTE
After you finish

After you configured the domains for LDAP over SSL, it is mandatory to configure the trusted
certificate chain. See Configure the trusted certificates on page 255
After you configured the domains, validate it. See Validate the configuration (SSL) on page 256
Configure the trusted certificates
When to do
certificate chain since the LDAP server will send the complete certificate to the printer, and the
printer needs to check the validity of certificates by checking all the Root and/or intermediate
certificates embedded in this complete certificate.
Before you begin

First ask to (/get from) the IT administrator all the Root/intermediate trusted certificates required
to validate the LDAP server certificates.
Procedure
1. Open the 'Security' - 'Trusted certificates' page.
2. Click 'Create new' to create one certificate for each of the root and intermediate certificates used
in the LDAP server certificate.
It is recommended to leave the field 'Forced URL of OCSP responder' empty as LDAP server
certificates must always be valid. Please check this with the IT administrator.
3. Repeat the creation operation for every root and intermediate certificate.
When to do
Before you begin

Procedure
Validate the configuration (SSL)
Introduction
Procedure
4. Click 'OK.
solutions in the troubleshooting section. See Troubleshooting LDAP authentication over SSL on
page 264
User access on the user panel
No domain configured
When a user wants to access the settings on the Local UI, the following window opens when
there is no domain configured:
You can select the relevant local user.
At least one domain configured

there is at least one domain configured with a right user role.
You can select either a local user or a domain user.
When 'local users' is selected, you can select the local user according to the desired role.
When a domain is selected, the 'User name' field is empty. It is up to the user to select his
username (the associated role has been setup by the IT administrator in the LDAP server)
NOTE
'Local users' may not appear, in case the local users are disabled.
User access with Express Webtools
When a user wants to access the settings with Express WebTools, the following window opens
when there is no domain configured:
Only the local users are allowed.

when there is at least one domain configured:
When selecting the Domain 'Local Users', one or more of the 4 built-in users (Key operator,
System Administrator, Power User or Service) are available, and you can enter the password for
login.
NOTE
Once logged in, a message mentioning the user has logged in is displayed on top right of the
screen:
When selecting a Domain that was previously configured, you have to enter the username which
has the appropriate role (as defined in the LDAP server).
screen:
Password policy
Password policy
Passwords used in Express Webtools and on the local UI.

There are 2 type of passwords:
• Passwords for local users
• Passwords for domain users
Password policy for local users

• Password for local users can be changed (Access : Express Webtools/Preferences/Connectivity/
Passwords) according to following rules:
Password for local user can be changed by

Power user Power User
Service System administrator or Power user
Password policy for domain users

• as defined by the IT administrator for the domains
Disabling local user access

When domain users have been configured, it is possible to disable one or more local users:
NOTE
A local user can be disabled ONLY if a valid domain user (with the same role) exists (in order to
avoid locking the settings access).
CAUTION :
Keep the domain users passwords in a safe place. Since if you disable ALL local users, and if you
cannot log in as a Domain User for any reason (password lost), you'll need to call Service to
install again the complete system.
Troubleshooting LDAP authentication over Kerberos
Introduction
Find below the list of possible causes of errors that can occur during the process of creating a
domain or when using the tool 'Validate the configuration of the user access mode'.
Error Message Possible cause Action

Failed: The server could The LDAP server setting is Check the LDAP server access (host-
not be contacted. not correct name) with the IT administrator
or
Ldap connection failure:
The LDAP server is unavail-
able.
TCP port not correctly set Default value is 389, check with IT
administrator
Detecting LDAP server: An The LDAP lookup account Check the LDAP lookup account cre-
error occured while trying credentials are not correct dentials with the IT administrator
to find an AD server: The
specified domain does not
exist or cannot be contac-
ted.
Validating credentials for Problem with LDAP lookup Check credentials to access to the
<user> account LDAP lookup account
Checking LDAP groups One or more LDAP group Check LDAP groups syntax
membership to domain is not correct
Verifying configuration for Timeout problem when Try again
authentication Domain not contacting LDAP server
correctly configured.
Please try again.
Troubleshooting LDAP authentication over SSL
Introduction

Failed: The server could Intermediate and Root cer- Request the ROOT and Intermediate
not be contacted. tificates not correctly set in certificates of the CA signed certifi-
or controller cates to the IT administrator and cre-
Ldap connection failure: ate them in “Trusted certificates” on
The LDAP server is unavail- the controller
able.
administrator
The CA signed certificate Enter in the field "LDAP server" one
domain suffix and the of the Principal Name/Subject Alter-
printer domain suffix do native Name of the LDAP server cer-
not match tificate (generally the Fully Qualified
Domain Name e.g. "server.mydo-
main.com")
Avoid entering an IP address in the
field "LDAP server" (except if part of
one of the "LDAP server" certificate
Subject Alternative Name)
Check that the hostname entered in
“LDAP server” belongs to the same
domain as the certificate domain
The LDAP server setting is Check the LDAP server access (host-
not correct name) with the IT administrator
No error message, but cre- The field "LDAP server" Enter in the field "LDAP server" one
ation of the domain or au- contains only one part of of the Principal Name/Subject Alter-
thentication takes a long one of the Principal name/ native Name of the LDAP server cer-
time (~10s or ~20s or Subject Alternative Name tificate.
more) of the LDAP server certifi-
cate (E.g. "server" instead
of "server.mydomain.com")

• Allow Service Technician to enable local users (for PW345/365/450/550: R1.2 and higher
versions, and for PW3000/3500/5000/5500/7500)
NOTE
This feature is applicable when LDAP authentication has been setup and when the
system administrator has disabled the local System Administrator and the local
Power user account. In this case, if domain users are not accessible anymore for any
reason, it is not possible to login locally on Express Webtools to change settings.
The only way is to re-enable the local users (System Administrator and Power user).
ONLY if the setting "Allow Service Technician to enable local users" is set to
"enabled", this operation can be performed by the Service technician on site. If the
setting "Allow Service Technician to enable local users" is set to "disable", a re-
installation of the printer software by the service technician is mandatory.

Passwords policy
Passwords policy
Introduction

• The roles
Password policy

user panel:
on the user panel:
• The printer calibration
• 'Clear system'
• The media calibration
• The roll-to-roll option
NOTE
technician.

Passwords policy

During the 'Export templates' operation, the passwords for any external location remote user

This password is valid for 4 hours or until the next reboot.
Access control
Access control
Introduction
Access control allows to limit the access to the print system based on the IP filtering method.
In Express WebTools, find the 'Access control' settings on the Security - Configuration page.
Pre-requisites
• The configuration of the 'Access control' settings is only available to the 'System
administrator' and 'Power user'.
To prevent unauthorised access to these settings via the printer panel, the System
administrator must log in to access the network settings.
• Important: ALWAYS define the hosts before enabling 'Access control'.
In case 'Access control' is enabled without any host configured, communication is blocked. Go
to the printer panel to disable 'Access control'.

NOTE

NOTE
Audit log
Audit log
Introduction
and/or cleared.

In Express WebTools, open the 'Security' - 'Audit log' tab to download the Audit log that contains
• IPsec settings
• Disk encryption
• Whitelisting (McAfee Application control, for PW3000/3500/5000/5500/7500)
• Timezone
Audit log
SNMPv3: for PW3000/3500/5000/5500/7500 and for PW345/365/450/550 R1.2 and higher versions
SNMPv3: for PW3000/3500/5000/5500/7500 and for

PW345/365/450/550 R1.2 and higher versions
Introduction
SNMPv3 offers a secure version of SNMP protocol that provides user authentication and data
encryption.
SNMPv3 implementation
The current implementation of SNMP v3 offers user authentication only to ensure identity of the
user, this corresponds to the SNMP security level "Auth, NoPriv" in the SNMP applications.
Encryption in the data transfer is not supported (the security level "Auth, Priv" is not supported)
For the Authentication, the Authentication protocol is fixed to MD5 only.
SNMPv3 settings
You can access to the SNMPv3 settings by mean of the settings Editor : section Configuration |
Connectivity |SNMP v3
User name the account used for the authentication

Password the <user name> password (for the authentication)
Administrator for reinforcing the security, you can change the password of the internal ad-
password ministrator account (@Oce_V3-admin) which is used to modify the SNMP
table to register the aforementioned username and password for authentica-
tion
Reminder : SNMP supported MIBs

The SNMP implementation supports the following MIBs:
• RFC 2790 Host Resources MIB
• RFC 3805 Printer MIB version 2
• RFC 4293 MIB-II
• Proprietary MIB: Océ billing counters
Secure Boot (PW3000/3500/5000/5500/7500)
Secure Boot (PW3000/3500/5000/5500/7500)

Introduction
Secure boot is a security standard developed by members of the PC industry. It helps to make
sure that a device boots using only software that is trusted by the Original Equipment
Manufacturer (OEM).
When the device starts, the firmware checks the signature of each piece of boot software,
including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the
operating system. If the signatures are valid, the device boots, and the firmware gives control to
the operating system.
Whitelisting (McAfee Application Control) (PW3000/3500/5000/5500/7500)
Whitelisting (McAfee Application Control)

(PW3000/3500/5000/5500/7500)
Introduction
Some printers have the option McAfee Application Control. This feature is also known as
Whitelisting or McAfee Embedded Control.
Unlike a virus scanner, which can create a security risk if you do not keep it constantly updated
with the latest virus definitions, McAfee Application Control creates a detailed map - a
'fingerprint' - of all the files on the printer and prevents any unauthorized changes, whether by
malware, viruses or unauthorized users. It is constantly checking the integrity of the files against
the fingerprint, and will block and report any tampering or unauthorized change.
If printer software needs to be upgraded, then the fingerprint will be updated as well.
Pre-requisite
• A license for the option: 'Whitelisting (McAfee) License'
How to check the status of Whitelisting

The current status can be checked in the Security tab of WebTools Express:
The default status is 'Not activated'.
Enable white listing in WebTools Express

NOTE
You must be logged in as a System Administrator or a Power user.

1. Open a web browser and enter the system URL: http://<hostname>, to open WebTools
Express.
2. In Webtools Express ('Security' - 'Configuration') go to 'Whitelisting settings'.
3. Select the setting 'Block unauthorised changes'.
4. Select 'Activated' and click OK.
Whitelisting (McAfee Application Control) (PW3000/3500/5000/5500/7500)
NOTE
The Whitelisting process needs 30-60 minutes to create the 'fingerprint' (on new
installed systems this process is faster than on systems in use for some time, as the
amount of data on the disks will have increased). The setting 'Current protection
status' stays at 'Protection not activated'.
5. After 60 minutes reboot the printer. After the reboot the setting 'Current protection status' will
change to 'Protection activated'.
NOTE
If the reboot is done before the Whitelisting process is finished, the process will
start again after the reboot. When the process then finishes, the setting 'Current
protection status' will change to 'Protection activated'.
Data security
Data security
User authentication
Secure printing, copying and scanning operations with the User

authentication
Introduction
In order to increase document confidentiality, the users can secure printing/copying/scanning
operations with the user authentication.
The 'User authentication' feature is an option.
When the 'User authentication' feature is enabled:
• The jobs are not printed until the owner of the job authenticates on the system user panel.
The print jobs are stored in the printer and only the owner of the jobs can access them.
• Copying and scanning operations are accessible only after the user authenticates on the
system user panel.
• You cannot retrieve scanned files that are stored locally on the controller.
User authentication methods
One of the three following methods can be used for user authentication:
• User name and password
The user name and password are required on the printer panel. This authentication method is
mainly targeted to Windows based environment (Microsoft Active Directory).
• Smart card (PKI card compatible with MS Active Directory Certificates Services)
A valid smart card must be inserted into the smart card reader (plugged into the USB outlet).
• Contactless card
A valid card without contact must be passed over a contactless card reader (plugged into the
USB outlet). The authentication method is mainly targeted to a Windows based environment
(Microsoft Active Directory).
NOTE
It is possible to mix some authentication methods:
Secure printing, copying and scanning operations with the User authentication
3 4
The system showed in this example is the ColorWave 700.
The print workflow

1- The user logs in on a workstation to prepare the job.
2- The user uses a job submission tool to submit the job to the printer. The submitted job
contains the job owner identity.
The job is stored in the printer (it is not printed).
Note: the submission tool can be Publisher Select, or a driver within an application (e.g. WPD2/
Driver Select), or a LPR or FTP command.
3- The owner of the job logs in on the printer user panel. Only the job owner can see the job and
print it (user authentication is required to unlock the printer panel accessibility).
4- The job owner launches the print.
5- The job owner collects the printed output.
The scan and copy workflow
Impact of the user authentication on the system features and Express WebTools
The Scan and Copy features are accessible only after the user authenticates on the user panel.
Impact of the user authentication on the system features and Express

WebTools
Introduction
When the user authentication is activated, and in order to guarantee the data confidentiality:
• Some features of the system are disabled (see below).
• The related settings are no more accessible (see below).
• The time-out set for the 'Remove completed jobs from the Smart Inbox after' setting in
'Preferences' - 'System defaults' - 'Job management' applies and deletes:
- the jobs that are submitted without valid authentication information.
- the jobs that are not accessed during this period of time.
Disabled features in Express WebTools when user authentication is activated
DISABLED feature Setting removed from Express WebTools

Send the job directly In 'Preferences' - 'System defaults' - 'Job management':
to the print queue • 'Default destination of print jobs'
• 'Override destination of print jobs'
Smart Inbox In 'Preferences' - 'System defaults' - 'Job management':
• 'Display Smart Inboxes in Express WebTools'
• 'Display a view on all Smart Inbox jobs'
• 'Keep completed jobs in the Smart Inbox'
• 'Keep a copy of scanned jobs in the Smart Inbox'
• 'Keep a copy of copy jobs in the Smart Inbox'
• 'Keep a copy of local print jobs in the Smart Inbox'
Key operator actions In 'Preferences' - 'System defaults' - 'Job management':
on jobs • ' Restrict remote actions on jobs to the Key Operator'
Copy job priority In 'Preferences' - 'System defaults' - 'Job management':
• ' Copy job priority'
OCI interface In 'Configuration - 'Connectivity'' - 'Other network interfaces':
• 'OCI interfaces'
Locking of the user In 'Configuration - 'Connectivity'' - 'Other network interfaces':
panel via the Wave in- • 'Locking of the user panel via the Wave interface'
terface
And consequently:
• 'Restrict the locking action to a single device'
• ' Device hostname'
Third-party applica- In 'Configuration - 'Connectivity'' - 'Third-party applications':
tions on the user pan- • 'Third-party application button on the user panel'
el
Save job data for In 'Preferences' - 'System defaults' - 'In case of errors':
Service • ' Save received job data for Service'
Jobs view in Express WebTools

On the 'Jobs' page, the Job queue displays the job names only.
NO user, even users with privileges such as System Administrator, Key Operator, Power user or
Service, can see the content of the jobs or act on them.
Disabled feature on the system user panel

The 'Move to top' feature on the system user panel is disabled.
Additional information
To secure the job data and job ownership on the network, during the job submission / the job
scanning to external locations, the use of a secured network (IPsec for instance) is recommended.
User authentication: the standard workflows
Introduction
Find below the standard workflow for printing and the standard workflow for scanning/copying
when the user authentication is activated and configured on the print system.
Standard workflow for print
Step Action
1- Logging on a work- The user logs in with his/her credentials.
station Example: 'user1' on 'domain.com' and the associated password.
2- Job submission The user submits jobs using a printer driver (e.g. WPD2/ Driver Select)
or a job submitter (example: Publisher Select 3)
3- Authentication on The user logs in on the printer:
the printer
• either by typing his/her user name and password on the printer pan-
el
• or by using his/her smart card
The credentials used on the printer must be the same as the ones used
at the job submission time.
Example: 'user1' belonging to the domain 'domain.com'. 4
Step Action
4- Job management On the bottom right part of the panel (Smart Access), the user can see
the jobs submitted with his/her user credentials.
The user can check the jobs and change the settings.
5- Job print The user prints the jobs by clicking the green button.
6- Print queue The user can open the print queue and follow the progress of the jobs.
NOTE
All the jobs in 'Ready to print' state are printed, even when
the users logs out in the meanwhile.
Recommendation: For complete security of the printed data,
we recommend that the user stays close to the printer until
all the jobs are completely printed.
The jobs in 'Processing' state are not printed if the user logs
out before they are in 'Ready to print' status.
Standard workflow for scan and copy
Step Action
1- Logging on the The user logs in on the printer:
printer • either by typing his/her user name and password on the printer pan-
el.
• or by using his/her smart card.
Example: 'user1' on 'domain.com'
The user authentication in the main job submission workflows
Step Action
2- Workflow selection The user selects Copy or Scan in the menu.
NOTE
For scan operations, it is recommended to scan to an external
location (not locally on the controller).
When the user logs to an external location, the login name in
the top menu is replaced by the login name to the external lo-
cation. The 'User session time-out' set in the 'Security' - 'Con-
figuration' tab applies for both the user authentication on the
user panel and the authentication on the external locations.
The files scanned locally to the controller can be used only
for reprint purpose. They cannot be retrieved or saved from
the network.
3- Job copy or scan The user loads the original and starts the copy or scan of the job to an
external location.
Introduction
There are several ways to submit print jobs to the printer.
Find below the recommendations for benefiting from the protection by the user authentication in
the recommended job submission workflows:
• Job submission with Publisher Select (from version 1.17)
• Job submission from an application with the WPD2 (from version 2.11) or Driver Select
• Job submission from an application with the PS3 driver (from version 1.24) or Driver Express
Job submission with Publisher Select
Steps Recommendations / Remarks

1- Log in on a work- Log in on the workstation with the same credentials as the ones you
station will use to authenticate on the printer panel later on.
Example: 'user1' on domain 'domain.com'.
2- Open Publisher Se-
lect and connect to a
printer
3- Create a print job The user account name that the Publisher Select application will attach
to the print job is:
• <user name>@<domain> if the domain is detected by the application
(example: 'user1@domain.com')
• <user name> if the domain is not detected (example: 'user1'). Which
is the case for instance when the user account is a local account on
the workstation.
NOTE
In Publisher Select, the user account name cannot be
changed.
Job submission with WPD2/ Driver Select

2- Open the applica-
tion to open the file.
3- Open the driver When the driver window opens, check the user account name of the
(Properties) to print job in the top right part of the window. This user name is going to be
the job from the appli- sent along with the job.
cation Example: 'user1@domain.com'.
NOTE
If the user account name is not displayed, open the 'Options'
- 'Advanced options' window and check the option 'Require
user authentication' in 'Troubleshooting'. 4
Other submission workflows

4- Change the user In the driver, you can change the user name of the owner of the job
name when needed when needed:
Click on the current user account name to edit it, and change it.
Important remark:
Make sure the new user name you select will be the one you will use
on the printer to access the jobs.
Job submission with PS3 driver/ Driver Express

3- Open the driver to - Driver for Windows:
print the job from the The driver attaches the user account name to the print job:
application • <user name>@<domain> if the domain is detected by the driver (ex-
ample: 'user1@domain.com').
• <user> if the domain is not detected. Which is the case for instance
when the user account is a local account to the workstation (exam-
ple: 'user1').
NOTE
In the driver, the user name cannot be changed.
- driver for Mac:

The driver does not attach a user account name to the job.
If there is no job ticket in the file or no 'Username' in the job ticket, then
the (non FQDN) user name of the user logged in on the system is used
(example: 'user1').
Job submission by LPR

For a file submitted by LPR, the system will use the 'Username' tag present in the job ticket of the
file if any.
If there is no job ticket in the file or no 'Username' in the job ticket, then the (non FQDN) user
name of the user logged in on the system is used (example: 'user1').
The LPR command to submit the job is: [LPR -S <printer-name> -P <printer-name> -x <filename>].
NOTE
The user name of the user logged on the system does not overwrite the 'Username' embedded
into the job ticket.
Job submission via FTP

For a file submitted by FTP, the system will use the 'Username' tag present in the job ticket of the
file if any.
If there is no ticket or no 'Username' in the ticket, then the user name 'anonymous' is attached to
the job and stored in the system controller. Only an user with a user account name 'anonymous'
is then able to see and perform actions on these jobs.
Job submission with Publisher Express (Express WebTools)

For a file submitted by Publisher Express, the system will use the 'Username' tag present in the
job ticket of the file if any.
If there is no ticket or no 'Username' in the ticket, then the content of the 'Job owner' field in
Publisher Express is used.
The user name entered in this field must not be blank. The name must be the same as the one
that will be used to log in on the system (example: 'user@domain.com').
NOTE
The job owner declared in Publisher Express does not overwrite the 'Username' embedded into
the job ticket.
Authentication by Smart card
Requirements
Introduction
To use the authentication by smart card, the smart card and the smart card reader must comply
with the following requirements:
Requirements for the smart card

The smart card is a PKI card compatible with MS Active Directory Certificates Services.
Compatible smart cards
• Gemalto IDPrime MD and Gemalto IDPrime .NET (formerly Cryptoflex .NET)
• HID Global Corporation: Crescendo MiniDriver (formerly named Crescendo C1150)
Smart card configuration
The smart card embeds:
• The user valid certificates: all the root and intermediate CA certificates used in the certificate
chain.
'DER encoded binary X.509 (.CER)' and 'Base-64 encoded X.509 (.CER)' formats are supported.
• The URL of a revocation server which checks the validity of the user certificate (using 'Online
Certificate Status Protocol').
In case the URL of the revocation server is not embedded into the smart card, you will have to
declare the URL in Express WebTools (in the 'Security' - 'Trusted Certificates' - 'Forced URL of
OCSP responder' setting).
• The PIN of the card, if needed.
Compatible smart card readers

• HID Global Corporation: OMNIKEY 5x2x products
• Identive infrastructure (formerly SCM Microsystems Inc.): SCR33x products
• Gemalto: IDBridge products (formerly GEMPC/GEMPLUS)
• Advanced Card Systems Holdings Limited: ACR1281U product (contact support only)
• HID Global Corporation: OMNIKEY 3x2x products*
* For PW3000/3500/5000/5500/7500, CW3500/3600/3700/3800, PlotWave 345/365/450/550 and for
ColorWave 500/700 R4.1 and higher.
Most of the smart card readers which are plug and play compatible with the Windows operating
system used in the printer are compliant.
- Contact your Canon representative in case you want to use a smart card or a smart card reader
which is not recorded in the above lists.
- Plug the smart card reader into the USB port (contact your local Canon representative).
- The only network communication performed during authentication with a smart card is the one
with the revocation server. The information on the smart card and the information on the Express
WebTools settings are checked against the one which is stored in the revocation server.
Configure the Smart card authentication
Introduction
Perform the following steps to activate the user authentication and configure the smart card
authentication.
Before you begin

The smart card and the smart card reader are compliant with the requirements.
Activate the smart card authentication

1. In a web browser, enter the URL or IP address of the printer to open Express WebTools
2. Open the 'Security' - 'Configuration' page.
Log in as a system administrator if requested.
3. In the 'User access mode' section, select 'Smart card' as the 'User authentication':
4. The restart is required. Select 'Restart now'.

When 'User access mode' is set to 'Smart card' or 'User name and password', the system
must be restarted to guarantee the data confidentiality of future incoming jobs. Do not select
'Restart later'.
Configure the smart card settings

Configure:
• The trusted certificates.
• The user access settings.
Procedure
in the certificate chain for the authentication.
3. Browse for one root or intermediate certificate.
When the URL of the revocation server is embedded into the smart cards, leave the 'Forced URL
of OCSP responder' field empty.
Enter the URL of the revocation server only if this URL is not already embedded into the smart
cards.
5. Go to the 'Security' - 'Configuration' - 'User access configuration' section.
6. Set the user access settings:
Set the following options:

• The 'User session time-out' to configure, in minutes, the duration of a user session before
automatic log out on the system user panel.
Note: It is recommended to increase this duration for big jobs or heavy print files.
• Whether the revocation server is systematically consulted at logging time.
• Whether the PIN of the smart card is requested at logging time.
• Whether the fully qualified name of the job owner is used for job filtering.
When this setting is activated, the FQDN of the user (<user name>@<domain>) is requested
when the user logs in on the printer panel. Once logged in, the user sees only the jobs that
have been submitted with the same FQDN.
Example: the user 'user1@domain.com' logs in on the printer. This user can see only the jobs
that have been submitted by 'user1@domain.com'.
Validate the smart card configuration
When this setting is not activated, only the user name (without the suffix) is used for the job
filtering.
Example: 'user1' only is used for filtering the job sent by all 'user1' users, whatever their
domain. When logged in on the printer, 'user1' will have access to all jobs submitted by:
• 'user1@domain.com'
• 'user1'
• 'user1@anydomain.net'
When to do
After you configured the user access mode via smart card, validate it.
Before you begin

A supported smart card and a supported smart card reader connected to the print system.
Procedure
1. Insert a valid smart card in the smart card reader.
2. Below the 'User access mode' section, click 'Validate the configuration'.
3. Leave the 'User name' field empty and enter the PIN if it is required in the user access settings.
4. Click 'OK'.
Authentication on the user panel
5. Check there is no red cross icon in the report.

If there is a red cross, solve the issue or check the solutions in the troubleshooting section, see
Troubleshooting of authentication by smart card on page 291.
Introduction
Insert the smart card into the card reader.
• The authentication is automatic when the smart card contains a valid user name (and no
password is needed).
• A login window is displayed when the authentication with the smart card requires a PIN. Enter
the PIN in the password field.
• A login window is displayed when there is more than one user registered into the smart card.
Select the user name and enter the PIN in the password field
After authentication, the name of the user is displayed in the top menu.
Troubleshooting of authentication by smart card
Introduction
When an error occurs during the configuration of the authentication by smart card, go to the
'Security' - 'Configuration' page and start the validation tool (See topic 'Validate the smart card
configuration').
Find below the list of possible causes of errors that can occur during the validation of the smart
card configuration.
Authentication by smart card: errors

A red cross in the report indicates an error:
Error message attach‐ Possible cause(s) Actions

ed to the red cross
Error detecting readers Reader not supported or read- Check the connection of the smart
er not correctly connected. card reader.
Check that the smart card reader is
supported.
Failed connecting with No smart card is inserted in Insert a smart card into the reader.
card: The Smart card the smart card reader.
resource manager is The smart card is not correctly
not running. inserted.
A card is present but The card is invalid. Check the card.
unreadable (mute or in-
correctly inserted)
No certificates found No certificates found on the Refer to the IT administrator.
card. 4

ed to the red cross
List certificates: Chain At least one root or intermedi- Create all the necessary (root and in-
status not trusted ate certificate is missing or in termediate) certificate(s) in Express
error (in the system configura- WebTools. Go to the 'Security' - 'Trus-
tion). ted certificates' page to create them.
If the intermediate or root certificates
cannot be easily retrieved, you can :
1. Identify all of them with the vali-
dation tool report:
They are identified with lines :
- Certificate [0,1]: XXXXXXXXX
- Type : [Intermediate] or [ROOT]
-…
2. Check whether you find those cer-
tificates XXXXXXXXX in your
browser, then export each certifi-
cate in your browser
3. Configure in Express WebTools
the trusted certificates you just ex-
ported (see section 'Configure the
smart card settings' in topic 'Con-
figure the Smart card authentica-
tion').
Revocation status : The revocation server is re- - Check that the URL of the revocation
Server is off line quired but cannot be reached. server is present on the smart card or
declared in Express WebTools.
- Deactivate the check for certificate
revocation (not recommended if a cer-
tificate revocation is required).
Invalid PIN Invalid PIN Type in the correct PIN.
Authentication by Contactless card
Authentication by Contactless card
Requirements
Introduction
To use the authentication by contactless card, the contactless card and the contactless card
reader must comply with the following requirements:
Requirements for the contactless card

Contactless card configuration
The contactless card embeds all information (user/password/domain/…) which will be checked
with Active Directory.
Compatible contacless cards
• Felica (Felica, Felica Lite, Felica Lite-S)
• Mifare (Mifare Classic 1K, Mifare Classic 4K,Mifare Plus, Mifare DESfire EV1, Mifare Ultralight,
Mifare Ultralight C)
Compatible contactless card readers

• Sony RC-S380(/S)
• Advanced Card Systems (ACS) ACR1252U
• Advanced Card Systems (ACS) ACR122U (no support of Felica Lite cards)
• Readers compatible with the CCID and PC/SC standards may work with restrictions :
• disabling beep not supported
• configuration of card types in Express WebTools is not supported, so other cards than Felica
or Mifare may work. (The 'Type of contactless card' setting in Express WebTools - Security -
Configuration - User access configuration' has no influence in this case)
- Contact your Canon representative in case you want to use a contactless card or a contactless
card reader which is not recorded in the above lists.
- Plug the contactless card reader into the USB port (contact your local Canon representative).
Configure the Contactless card authentication
Introduction
Perform the following steps to activate the user authentication and configure the contactless card
authentication.
Before you begin

The contactless card and the contactless card reader are compliant with the requirements.
Activate the contactless card authentication

3. In the 'User access mode' section, select 'Contactless card' as the 'User authentication':

When 'User access mode' is set to another setting than 'Disabled', the system must be
restarted to guarantee the data confidentiality of future incoming jobs. Do not select 'Restart
later'.
Create the domain(s) and set the user access configuration settings
Procedure
2. Click 'Create new' to create a domain:
3. Enter the following information:

• A description.
• The credentials (username/password ) for the LDAP lookup account (mandatory).
• The LDAP attribute for the card ID (it is up to the IT administrator to use or define a new one in
Active Directory). The card ID is the unique identifier sent to the Active Directory for
identification.
it (if there are several suffixes in the same domain, create as many domains as suffixes).
Validate the contactless card configuration
• The 'User session time-out', in minutes. This is the duration of a user session before automatic
log out on the system user panel.
• Whether the PIN of the contactless card is requested at logging time.
('Require the fully qualified name of the job owner' setting). The user then sees only the jobs
that have been submitted with this FQDN.
• The type of the contactless card: Felica or Mifare or both.
When to do
After you configured the authentication by contactless card, validate it.
Procedure
1. Below the 'User access mode' section, click 'Validate the configuration of the user access mode'.
2. Select the domain name.

3. Click 'OK'.
Authentication by contactless card on the user panel

Troubleshooting of authentication by contactless card on page 296.
Introduction
Approach the contactless card reader with the contactless card.
• The authentication is automatic when the contactless card contains valid credentials.
• A login window is displayed when the authentication with the contactless card requires a PIN.
Enter the PIN in the password field.
Troubleshooting of authentication by contactless card
Introduction
When an error occurs during the configuration of the authentication by contactless card, go to the
'Security' - 'Configuration' page and start the validation tool (See Validate the contactless card
configuration on page 295).
Find below the list of possible causes of errors that can occur during the validation of the
contactless card configuration.
Authentication by contactless card: errors

A red cross in the report indicates an error.
For error messages with possible causes and actions to solve the error see:

ed to the red cross
Domain not correctly No domain defined Define at least one domain in Ex-
configured press WebTools. (Go to the 'Se-
curity' - 'Domains' page)
Error in DNS lookup: The domain entered is not correct Check the syntax of the domain
DNS name does not name.
exist Correct the domain name in Ex-
press WebTools ('Security' - 'Do-
mains' - 'Fully Qualified Domain
Name')
The server is not op- The LDAP server is not recog- Check the LDAP server in the
erational nized. DNS.
If needed, declare the LDAP serv-
er.
Enter the LDAP server and LDAP
port explicitly in Express WebT-
ools (in 'Security' - 'Domains' - '
Advanced').
Detect search base: The authenticated user has no ac- In Express WebTools check the
Failed to bind to cess to the LDAP lookup account. LDAP lookup account in 'Security'
rootDSE: The user - 'Domains'
name or password is
incorrect
Directory lookup: User The LDAP search filter is not cor- In Express WebTools check the
object cannot be found rect. LDAP search filter in 'Security' -
'Domains' - ' Advanced'.
Directory lookup: The LDAP search base is not cor- In Express WebTools check the
Failed to bind: An inva- rect. LDAP search base in 'Security' -
lid dn syntax has been 'Domains' - ' Advanced'.
specified
If a red cross is not reported with the 'Validate configuration' tool, but there is an error during
authentication with the card, please check:
• If the PIN code is correct but authentication fails, check that the LDAP attribute for card ID is
correctly set in the domain created (this may occur in case PIN code setting is setup AFTER the
domain has been created).
• If the account has been disabled in Active Directory
• If the account has been locked in Active Directory
• If the account has been expired in Active Directory
• If the account password has expired
Authentication by user name and password
Configure the user authentication by user name and password
Introduction
Perform the following steps to activate and configure the user authentication by user name and
password
Before you begin

A domain containing users with Microsoft Active Directory credentials.
Check that the printer 'Current date and time' and 'Time zone' values are correct (in Express
WebTools, Configuration - System defaults)
Activate the User name and password authentication

3. In the 'User access mode' section, select 'User name and password' as the 'User
authentication':

'Restart later'.
Procedure
1. Open the 'Security' - 'Domains' page
3. Enter a name for the domain. This name will appear on the user panel as the domain name, so it
is recommended to give it a clear name.
4. Enter a description.
5. Enter the exact fully qualified domain name (FQDN):
• 'LDAP lookup account': enter the credentials if different from the account of the authenticated
user (which is the default).
• 'LDAP attribute for Home folder' : by default the Home directory (for product with the 'Scan to
Home folder' feature).
automatic log out on the printer panel.
Note that it is recommended to increase this duration for big jobs or heavy print files.
Validate the configuration
• Whether the fully qualified name of the job owner is used for job filtering ('Require the fully
qualified name of the job owner' setting).
When this setting is activated, the FQDN of the user is requested when the user logs in on the
printer panel. The user then sees only the jobs that have been submitted with this FQDN.
Example: 'user1@mydomain.com' is logged in on the printer. This user will see only the jobs
that have been submitted by 'user1@mydomain.com'. So the user must make sure that the
submission process embedded this information.
filtering.
Example: 'user1' only is used for filtering the job sent by all 'user1' users, if several. When
logged in on the printer, 'user1' will have access to all jobs submitted by:
• 'user1@mydomain.com'
• 'user1'
When to do
After you configured the authentication by user name and password, validate it.
Procedure
Authentication on the system user panel
3. Enter a valid user name and the associated password.
4. Click 'OK'.

If there is a red cross, solve the issue or check the solutions in the troubleshooting section below.
Introduction
On the system user panel, tap the 'log in' icon to display the window.
• Select the domain.
• Type in the user name and the password.
Troubleshooting
Troubleshooting
Introduction
When an error occurs during the process of authentication by user name and password, go to the
'Security' - 'Configuration' page and Validate the configuration on page 559.
configuration.
Authentication by user name / password: errors in the validation report


ed to the red cross
configured press WebTools. Go to the 'Secur-
ity' - 'Domains' page)
Error in DNS lookup: The domain entered is not correct. Check the syntax of the domain
Name')
er. Enter the LDAP server and
LDAP port explicitly in Express
WebTools (in 'Security' - 'Do-
mains' - ' Advanced').
The user name or pass- The combination of user name Check the user name and pass-
word is incorrect and password is not correct. word.
The suffix for the User Principal Check the Fully Qualified Domain
Name (UPN) is not correct. Name (FQDN). 4
Troubleshooting

ed to the red cross
Authenticating user: Additional test: Authenticate on In Express WebTools correct the
xxx the user panel. If the authentica- 'Current date and time' in 'Prefer-
A local error has occur- tion fails and a 'Invalid creden- ences' - 'System defaults' - Re-
red. tials' message is displayed then: gional settings'.
The date and/or time set in the
system is not correct.
rootDSE: The user - 'Domains' - ' Advanced'.
name or password is
incorrect.
Directory lookup: The LDAP search filter is not cor- In Express WebTools check the
User object cannot be rect. LDAP search filter in 'Security' -
found 'Domains' - ' Advanced'.
specified.
Log out
Log out
Introduction
A session can be manually interrupted by a manual log out, or automatically interrupted by the
session time-out, in any conditions (normal working condition or in an error status).
A warning message announces the session time-out 10 seconds before the session closes.
When the session time-out expires the user session is automatically closed, even when a smart
card is inserted.
For security reasons, it is recommended to log out after the job completion, before leaving the
system place.
Log out after an authentication by login / password

On the system user panel, tap on the user name icon.
Confirm the log out.
Log out after an authentication by smart card

To log out, remove the smart card from the smart card reader.
NOTE
The session is automatically closed when the time-out occurs, even if the smart card is still in the
card reader.
Pull the card out of the reader and insert it again to start a new session.
Log out after an authentication by contactless card

Special cases: a time-out, pause, or error occurs
Introduction
Find below some cases where the time-out can interact with the behaviour of the system.
NOTE
The time-out starts when no operation is made on the printer panel.
A job remains 24 hours maximum in the system. After this period of time, the jobs that are not
processed are automatically deleted.
Time-out occurs or the user logs out

When the time-out occurs during a job (or when the user logs out):
Case Status of the jobs When the session time-out or log

out occurs
'User A' has submitted a There is at least one job in The job in 'printing' and in 'Ready to
job. A time-out or logout 'Printing' state, in the job print' statuses are printed.
occurs. queue. All the jobs that have another status
(for example: 'Processing') are put
on hold. The user must log in and
tap 'Resume' to print the pending
jobs.
'User A' has submitted a • There is at least one job The jobs of 'User A' in 'Ready to
batch of jobs. A time-out or of 'User A' in 'Printing' print' status are printed.
logout occurs before the state. The jobs of 'User B' are printed.
end of the printing process. • When 'User B' logs in on
'User B' submits a job. the system panel he can
see:
- the jobs of 'User A' that
are in 'Ready to print'
state.
- the jobs he submitted.
The processing time for a The time-out occurs before The user is automatically logged out.
big job is longer than the the job is processed. The job is not printed. The job is put
session time-out. The job does not reach the on hold.
'Printing' status. It is recommended to increase the
user session time-out.
batch of jobs is longer than all the jobs are processed. Only the jobs in 'Ready to print' and
the session time-out. At least one job is printing. 'Printing' statuses are printed.
All the jobs that have another status
jobs.
The queue is paused
Case Status of the jobs What to do

A user has submitted a batch The jobs in 'Printing' status The user logs in (when nee-
of jobs. The user pauses the are printed. ded) and resumes the queue
queue. All the other jobs are put on to print the remaining jobs.
hold.
'User A' has submitted a batch The job in 'Printing' status is 'User A' must log in to see his
of jobs. A time-out occurs or printed. jobs on hold and resume the
the user log out before the All the other jobs of 'User A' queue.
end of the printing process. are put on hold and disappear
'User B' logs in on the system from the queue view.
panel and pauses the queue.
An error occurs
Case Status of the jobs Then

An error occurs on a job The job is put on hold. It When the issue is fixed before the
will not be printed until the time-out occurs, the job restarts and
problem is solved. is printed.
When the time-out occurs before the
issue is fixed, this job is put on hold.
The user must solve the issue, and
then must log in to resume the
queue.
A 'Media request' occurs The following combination When the media is loaded, the job
of settings applies: restarts and is printed.
- 'Media request time-out ' When the time-out occurs before the
- 'Action after media re- media is loaded, this job is put on
quest time-out ' hold. The user must load the media,
and then must log in to resume the
queue.
Troubleshooting
Troubleshooting
Troubleshooting after a successful authentication

The authentication is successful but I cannot see the job I submitted to the system.
Possible cause:
The owner of the job (the user name sent within the job) does not match the user name of the
user authenticated on the system.
This issue can occur in the context of authentication by smart card or by user name and
password.
Actions:
The user name used for authentication on the system must match the exact user name of the
owner of the job:
1. Verify the user name used for authentication on the system.
- In case of authentication by smart card, start and follow the validation procedure (see
Validate the smart card configuration on page 289) and check the complete User Principal
Name in the report.
Example: 'user1@mydomain.com' in the report below:
- In case of authentication by user name and password check the domain, and the user name
used to log in on the printer user panel.
2. Check the exact user name of the owner of the job. Set or change it when needed.
Refer to the user authentication according to the job submission workflow, see The user
authentication in the main job submission workflows on page 282.
• For a job submitted with the PS3 driver, Driver Express or Publisher Select, the user name
and the domain of the user logged in on the workstation are used to submit the job
(including the domain when detected). If needed, log in on the workstation with the
relevant user name on the relevant domain (example: 'user1' on domain 'domain.com')
• For a job submitted with WPD2 or Driver Select , the 'user account name' displayed in the
top right part of the window is used. Change it if needed (example: user1@domain.com).
Note: If the user account name is not displayed, open the 'Options' - 'Advanced options'
window and check the option 'Require user authentication' in 'Troubleshooting'.
• For a job submitted with Publisher Express, or via FTP, or via LPR, that contains a job ticket,
open the job ticket to check the 'Username' field.
• For a job submitted with Publisher Express, that does not contain a job ticket, check the
content of the 'Job owner' field in the Publisher Express (Express WebTools) application.
Set or change the 'Job owner' to the user Fully Qualified Name (example:
user1@domain.com)
• For a job submitted via LPR that does not contain a job ticket, check the user name used for
logging on the workstation, and uncheck the setting, 'Require the fully qualified name of
the job owner' (in Express WebTools - Security - 'Configuration' - 'User access
configuration').
The authentication is successful, I can see the jobs I submitted to the system but not all of them
are printed.
Disable the user authentication
Possible cause:
The time for the processing of the jobs exceeds the user session time-out. All the jobs have not
reached the 'Ready to print' or 'Printing' status.
Action:
Increase the 'User session time-out' (in Express WebTools - Security - 'Configuration' - 'User
access configuration').
Introduction
In case you are locked because the user access mode is enabled and you cannot access Express
WebTools, you can disable it on the system panel.
Disable the user authentication on the printer user panel
Procedure
1. On the user panel, tap the upper right corner, to display the menu.
2. Select 'Security'.
3. Enter the System administrator password.

The current security configuration is displayed.
4. Tap 'Next' to go on and disable a feature.
5. Select 'User authentication' and tap 'Next'.
6. Tap 'Finish'.
7. Restart the system.
Result
The user authentication is disabled.
Hard disk encryption (for PW345/365/450/550)

Introduction
In order to protect the confidentiality of print and scan data in the system controller hard disk,
some security policies request the encryption of all data on disk.
Pre-requisite
• The hard disk encryption licence
Contact your Canon representative.
• A TPM (Trusted Platform Module) board installed in the controller
A Service technician installs the license and the TPM board. Make sure the System Administrator
grants him the permission by setting 'Allow Service to access licenses information' (in Express
WebTools, in ' Security' - 'Configuration', 'Permissions for Service').
When to perform the encryption of the hard disk

You can decide to encrypt the controller disk:
• During the installation of a new PlotWave/ColorWave (recommended)
• On a running system which has already processed data
2 encryption modes
There are 2 encryption modes:
Encryption mode Scope Duration Remarks

Normal The Normal encryption encrypts the around 30
used disk space only. minutes
It is recommended for new systems,
at installation time, when no print/
scan data has been processed on the
disk.
Full The Full encryption encrypts the en- around 2 When the system has
tire disk. hours already been used:
It is recommended in the following - a back-up of the sys-
cases: tem is required.
• encryption of a running system - the system is com-
that has already processed data pletely reinstalled.
• encryption of a disk which has al-
ready been used
• when the security policy requires
it
Check the encryption mode

To check the encryption mode configured on the system:
1. In the system settings, select 'Security'
2. In the 'Current Security Configuration' window, check the encryption mode.

The disk encryption status can be:
• 'No encryption'
• 'Full disk encrypted' (Full mode)
• AES-256 method for PW345/365/450/550 1.2 and higher versions
• AES-128 method for other PW345/365/450/550 versions
• 'Used space encrypted' (Normal mode)
• AES-256 method for PW345/365/450/550 1.2 and higher versions
• AES-128 method for other PW345/365/450/550 versions
NOTE
The encryption method for PW345/365/450/550 1.2 and higher version is fixed to AES-256 while
the encryption method for other PW345/365/450/550 versions is fixed to AES-128.
When upgrading a PW345/365/450/550 1.1 version with an encrypted disk to a
PW345/365/450/550 1.2 version, it is mandatory to first purge the encrypted disk of the
PW345/365/450/550 1.1 before installing the version R1.2 and to encrypt the disk in order to
benefit the AES256 method on the new version (Please contact your Canon local representative).
How to change the encryption mode

Contact your Service representative to change the encryption mode.
The change of the encryption mode is performed in 4 steps:
1. The Service technician makes a back-up of the system
2. The System Administrator purges the system (see procedure below)
3. The Service technician re-installs the system and set the required encryption mode
4. The Service technician restores the configuration
Purge an encrypted system

The System Administrator can purge the system to decommission the system data and print/scan
data stored in the hard disk.
It is particularly recommended:
• In case of leasing, before the system is given back
• At the system's end of life, before it is recycled
To purge the system from the system user panel:
1. In the system settings, select 'Security'.
2. In the 'Current Security Configuration' window, check the encryption mode and tap 'Next'.
(the 'Next' button is displayed only when an encryption mode is active).
3. In the list of actions, select 'Purge the System' and tap 'Next'.
4. A message ('Purging') is displayed. Wait until the message 'Purge complete / Power off the
system / Power on to reinstall' confirms the purge.
5. Power off the system (by using the black power button at the back of the printer, or by
pushing the button on the front of the printer for a few seconds).
NOTE
Important remark: when the system is purged, the system and the print/scan data are
decommissioned.
To use the system again, it must be completely reinstalled. The reinstallation will start
automatically when the system is powered on again. Contact your Service representative.
Hard disk encryption (PW3000/3500/5000/5500/7500)

Introduction
In order to protect the confidentiality of print and scan data on the system controller hard disk,
Disk encryption on the PW3000/3500/5000/5500/7500 is different from the older printers:
• It is not an option anymore. It is standard available.
• BitLocker is used in pre-provisioned mode in combination with the now standard TPM
hardware module (Trusted Platform Module) in the controller.
• The TPM module is integrated in the controller motherboard.
• There is just one mode: used space encryption.
• The data on the disk is always encrypted.
• The System administrator can suspend the encryption (via the operator panel or WebTools
Express) to remove the key from the TPM module and store it on disk (now the disk is readable
by other devices).
NOTE
Disk encryption has no impact on the performance. It should only be suspended in exceptional
cases.
After suspending it, you can re-enable encryption again. Re-enabling disk encryption should be
done by your local (Canon) representative, as the printer software needs to be reinstalled after
re-enabling encryption.
Suspend/Enable disk encryption

NOTE

Express.
2. In Webtools Express ('Security' - 'Configuration') go to 'Disk Encryption'.
3. Select the setting 'Disk encryption mode'.
4. • Select 'No encryption' to suspend encryption.

• Select 'Used disk space encrypted' to enable disk encryption.

• In case of leasing, before the system is given back.
• At the system's end of life, before it is recycled.
To purge the system from the printer operating panel:
2. In the 'Current Security Configuration' window, tap 'Next'.
3. Now you get a window with possible operations.
Select 'Purge the System' and tap 'Next'.
4. A warning window is displayed.
Tap ‘Start’ to start the purging process.
5. When the purge process is ready, power off the system (by using the black power button at
the back of the printer, or by pushing the button on the front of the printer for a few seconds).
NOTE
Important remark: when the system is purged, all the data and the configuration are deleted.
To use the system again, it must be completely reinstalled.
E-Shredding
E-Shredding
Introduction

is reached
restarted.
directive):
NOTE
performance.
Before you begin

1. Open a web browser and enter the system URL: http://<hostname>, to open the Express
WebTools
Procedure
1. In Express Webtools, open the 'Security' - 'Configuration' page and select the 'E-shredding'
section.
2. Click 'Edit.'
5. When you select 'Custom', set the number of passes:
Result
enabled':
occurs.
the Express WebTools (roll over the icon).

Inbox, cleanup)
NOTE


IPsec
IPsec
IPsec presentation
Introduction
on the network.
Illustration

IPsec presentation

vated. cryption.
encrypted. crypted.
is activated.
with the system.
with all stations.

The following IPsec parameters are available on the Express WebTools - Security - Configuration
page, Access control section:
- the IP address
print/scan system.
NOTE
Before you begin

Procedure
4. Check the 'IPsec' box to enable it.

NOTE
workstation.
7. Click OK
Result
When to do
Pre-requisites
Purpose
a workstation.
NOTE
300 system.
PlotWave printers.
Procedure

Procedure
Policy'

Procedure


controller

9. Click 'Finish'
Procedure
2. Click 'Next'

Procedure
wizard
"Add")
2. Click 'Next'
(preshared key)'
9. Click 'Finish'
Procedure
Procedure
After you finish

500/550/650/650R3/700/3500/3600/3700/3800
system.
Troubleshooting: Disable 'Access control' and IPsec
Introduction
and
panel.
Procedure
3. Enter the System administrator (or Power user) password


6. Press 'Finish'
Result
(HTTP).
HTTPS
HTTPS
Introduction
In the PlotWave systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Publisher Select 3 (for
PW3000/3500/5000/5500/7500)
communication.

protocol.

Go to 'Security' - 'HTTPS' and log on as the System administrator to manage the certificates.

messages.
Procedure


'Next'.

11. Click on 'Yes'.

Result
Procedure


certificate
Introduction
printer.
To ensure a fully trusted authentication, you can request and import a certificate delivered by a

Authority.
protocol.
Step Description
See Back up a certificate and private key on page 347.
created.
See Generate a CA-signed certificate on page 348.
ply.
request feedback
Step Description
Step Description
See Import a CA signed certificate on page 349.
each workstation.
See Check and import the root certificate on page 350.
Other procedures
See Restore a certificate on page 351
certificate.
See Reset a certificate on page 351.
When to do
• BEFORE the generation of a certificate request (step A1 of the HTTPS Description of the overall
procedure on page 346):

Procedure
3. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Backup
certificate and private key]
6. Click 'Save'
Purpose
Pre-requisites
certificate and private key on page 347).

NOTE
Step A2 of the HTTPS Description of the overall procedure on page 346.
Procedure
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Generate a
certificate request'
NOTE
(FQDN) of the printer (e.g.: or 'ColorWave700' or 'ColorWave700.mycompany.com').
Result
text).
J
DAtNzQw
d
When to do
NOTE
Procedure

2. Import the Root certificate into the workstations web browser.

NOTE
on page 110
you.
Procedure
1. In a web browser, open Express WebTools (https:\\[IP address or hostname]).
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Import CA-
signed certificate'.
3. Select [Root certificate].
4. Browse to the Root certificate file and click [Import].
NOTE
5. Validate to confirm the import.

certificate].
Procedure
Procedure
Result
When to do
NOTE
Step B4 of the HTTPS Description of the overall procedure on page 346.
Procedure
Authorities' list
When to do
Procedure
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Restore
5. Click 'Restore'
Click 'OK'
Purpose
When to do
NOTE
the original self-signed certificate. See Back up a certificate and private key on page 347):
web browser.
Procedure
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Reset
certificate]
Result
page 68)
TLSv1.2 / Strong cipher

For compatibility with old browsers or specific web client applications, the printer is backward
compatible with different TLS protocol versions and with different cipher suites.
In high security environment, some old TLS protocol versions and some cipher suites may be
prohibited. It is possible to disable them:
• by establishing the minimum TLS version allowed
• by dis-allowing less strong cipher suites
Access is : Express Web Tools / Security /Configuration / HTTPS
Example : in High security environment, set the following parameter:

• Oldest allowed version of TLS protocol = TLS v1.2 (TLS v1.0, TLS v1.1 protocol negotiation
attempts will be refused by the printer).
• Less strong cipher suites allowed : No
Cipher algorithms
• When the setting 'Less strong cipher suites allowed' is set to 'No', the following weak ciphers
are NOT used:
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA
• The strong available ciphers are:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
HTTPS recommendations for Certificate creation

For a better compatibility with most of the Internet browsers it is highly recommended , during
certificate request creation, to fill the « Subject alternative name x » with the name(s) which will
be used in the URL (https://<name>). Some browsers do not recognize the common name if it is
not part of one of the Subject alternative names.
Scan to Home folder / Print from Home folder

Introduction
Home folders are private network locations where the Active Directory users can store their files.
With the 'Scan to Home folder' feature, an authenticated user can send scanned files from the
system directly to his/her Microsoft Active Directory Home folder.
The authenticated user can also print files from his/her Home folder.
Pre-requisites
To allow a user to scan files to his/her Home folder, the following configurations are required:
• In the Microsoft Active Directory:
- A Home folder, that is a UNC path location, exists for each user
- Users have the Read and Write rights to their private Home folder
• In the printer configuration:
- The User authentication is enabled
- The User authentication is configured with 'User name and password' (no Smart card or
Contactless card)
The 'Home folder' location is then automatically created as an 'External location'. You can
open the 'External locations' tab in 'Configuration' to see this 'Home folder' new location.
- The domain is created and configured
In the domain 'Advanced settings' keep the default 'homeDirectory' value in the 'LDAP
attribute for Home folder'.
- Check that the printer 'Current date and time' and 'Time zone' values are correct (in Express
Refer to Configure the user authentication by user name and password on page 557 for the
detailed procedure.
It is recommended that the System Administrator validates this new configuration by clicking
'Validate this configuration' in 'Security' - 'Configuration' (see Validate the configuration on
page 559).
Scan to the Home folder

There are 2 ways to send a scanned filed to the home folder:
Using a predefined scan template
A Key Operator can create a scan template in which the default destination for the scanned files is
the authenticated user's Home folder:
In Express WebTools for the system, in the 'Preference' - 'Scan' tab, create a new template and
set:
• the 'Scan destination type' to ' To External locations'
• The 'External location' to 'Home folder'
This scan template will be available to the authenticated users when they browse the list of scan
templates. They can select it to scan to their private Home folder.
Selecting the Home folder destination at the system panel
An authenticated user can always select the 'Home folder' in the scan settings at the moment
when he scans a document:
1. At the system panel, open the Scan settings
2. In 'Workflow', select the 'Network location' type and then the 'Home folder' as the destination.
Troubleshooting
Result
Both methods send the scanned files to the users' private Home folder (root directory).
Print from the Home folder

An authenticated user can also print from his/her private Home folder:
1. At the system panel, select the 'Print' tile to turn it into 'Print from...'.
2. Open it and browse to 'Home Folder'
3. Select 'Home Folder'
4. You can browse your personal 'Home folder' to the file to print.
Troubleshooting
When an error occurs during the process of authentication by user name and password follow
the procedures below to test and troubleshoot:
• Use the validation tool to validate the configuration. See Validate the configuration on
page 300
• Apply the corrective actions when needed. SeeTroubleshooting on page 302
In case the home folder is not accessible
• Use the validation tool and check in the report that the path to the Home folder is correct:
• Check the Read/ Write rights on the Home folder.
Introduction
device.
Illustration
Procedure

6. Click 'OK'

queue.
The use of Publisher Express to create jobs When 'No one' is selected, the job submission
('Create print job via Publisher Express') capability through Express WebTools is com-
pletely deactivated.
The remote actions on submitted jobs to the When set to 'Login needed', only the Key oper-
Key operator or Power user ator or Power user can remotely delete or
('Perform job actions in the print queue') move a submitted job.
Key operator or Power user only can see them.
box time-out.
box
Data protection for template export (for PW3000/3500/5000/5500/7500 and PW345/365/450/550 R1.2 and higher versions)
Data protection for template export (for

PW3000/3500/5000/5500/7500 and PW345/365/450/550 R1.2 and
higher versions)
Introduction
In order to reinforce data protection, a setting 'Password encryption key' has been added to
encrypt any sensitive data (e.g. passwords, certificates) which can be exported (like templates).
CAUTION :
It is mandatory to define this password FIRST before exporting any template containing sensitive
data, otherwise exporting a template will not be possible and an error message will be displayed.
Procedure
3. Go to the 'Passwords' section and define the 'Password encryption key'.
NOTE
To import a template it is mandatory to use the SAME 'Password encryption key' on the printer
where the template will be imported as the 'Password encryption key' that was used to export
the template, otherwise the import of the template will fail.
Data protection for template export (for PW3000/3500/5000/5500/7500 and PW345/365/450/550 R1.2 and higher versions)
Chapter 5
Security on ColorWave 550/600/650
(and Poster Printer)
Security on ColorWave 550 R2.x, ColorWave 600 (Poster Printer), ColorWave 650 R2.x (Poster Printer)
Security on ColorWave 550 R2.x, ColorWave 600 (Poster

Printer), ColorWave 650 R2.x (Poster Printer)
Overview
Security overview for the ColorWave 600/650 (Poster Printer) and the
ColorWave 550 systems
Introduction
The ColorWave 550 and ColorWave 600 (Poster Printer) / ColorWave 650 (Poster Printer) have
been designed around the secured Linux Operating System. However any new release of the
Linux operating system always embeds the latest security fixes.
The ColorWave 650 and ColorWave 550 use Windows Embedded Standard 2009 (WES 2009)
operating system for scanning operations. This operating system is not accessible from the
network.
For ColorWave 550 R3.x and ColorWave 650 R3.x, refer to Security on ColorWave 550 R3.x,
ColorWave 650 R3.x on page 398.
The ColorWave 600 (Poster Printer) / ColorWave 650/ ColorWave 550 offer the following security
features:
Security overview
Operating System Linux for ColorWave 550, ColorWave 600

(Poster Printer) and ColorWave 650 (Poster
Printer)
Linux and WES 2009 for ColorWave 650 multi-
functional (printer and scanner) and Color-
Wave 550 multifunctional (printer and scanner)
Firewall Yes
OS and software integrity Yes
Antivirus No
IPv6 Yes
Data overwrite E-shredding for ColorWave 600 R1.5 and high-
er / ColorWave 650 (PP) and ColorWave 550
Data encryption on the network IPsec for:
- ColorWave 650 R2.3.1 and higher (see also
Security on ColorWave 550 R3.x, ColorWave
650 R3.x on page 398)
- ColorWave 650 PP R2.3.1 and higher 4
362 Chapter 5 - Security on ColorWave 550/600/650 (and Poster Printer)

Security overview for the ColorWave 600/650 (Poster Printer) and the ColorWave 550 systems

- User settings
Access control Access restriction to the printer for:
- ColorWave 650 R2.3.1 and higher (see also
Security on ColorWave 550 R3.x, ColorWave
650 R3.x on page 398)
- ColorWave 650 PP v2.3.1 and higher
Chapter 5 - Security on ColorWave 550/600/650 (and Poster Printer) 363

Ports - Protocols
Applications, protocols and ports used in the ColorWave 600 (Poster Printer) /
ColorWave 650 (Poster Printer) / ColorWave 550 systems
Printing applications: ports and protocols used by the system
Application /Functionality Port used on the controller: Remarks

protocol
Wide-format Printer Driver for TCP 515: LPR Printer Discovery:
Microsoft Windows (WPD or TCP 65200: back-channel* for ColorWave 600 R1.3.1 and
WPD2) WPD(1) higher / ColorWave 600 Poster
Driver Select TCP 80: HTTP for: Printer R1.4 and higher / Col-
- back-channel for WPD2(2) orWave 650 (PP) / ColorWave
- advanced accounting 550
Driver Express
sive mode)
ICMP: ping
TCP 21: FTP (4)
TCP 65200: Back-channel(*)
FTP printing TCP 21
FTP passive mode)
Publisher Copy TCP 80: HTTP ColorWave 600 only
media loaded...) and to display it in the application or driver. For IPv4
(1) Back-channel
for ColorWave 600 1.5 and lower, and ColorWave 650 2.0.1 and lower, and
ColorWave 550 2.2 and lower.

Applications, protocols and ports used in the ColorWave 600 (Poster Printer) / ColorWave 650 (Poster Printer) / ColorWave 550
systems
(2) Back-channel
for ColorWave 600 R1.6.1 and higher, ColorWave 650 2.3.1 and higher,
ColorWave 550 2.3.1 and higher.
(3)
iOS
Scanning applications in ColorWave 650 and ColorWave 550 only: ports and protocols used by
the system

protocol
Scan to File Remote SMB Outgoing connection: SMB
Scan to File Remote FTP Outgoing connection: FTP passive mode only (1)
Local port (on controller):
Inbox (Scans)
Notes:
mode
Control management: ports and protocols used by the system

protocol
PING ICMP (incoming echo request
only)
Account Center / Advanced ac- TCP 80: HTTP
counting (WPD)
trieval
Service Logic TCP 21: FTP
Meter Manager UDP 161: SNMP ColorWave 600 R1.3.1 and
higher / ColorWave 600 PP
R1.4 and higher / ColorWave
650 (PP) / ColorWave 550
On Remote Service Outgoing connection HTTPS outgoing connection
required: TCP/IP port 443 (1)

Applications, protocols and ports used in the ColorWave 600 (Poster Printer) / ColorWave 650 (Poster Printer) / ColorWave 550
systems
Notes:
(1) TCP/IP port 443 must be opened and must allow response back on the IT infrastructure firewall.

Security Patches
Security Patches
Introduction
You can install the Canon Production Printing released security patches in the following (versions
of the) systems:
• ColorWave 650 multifunctional (printer and scanner)
• ColorWave 550 multifunctional (printer and scanner)
Before you begin

NOTE

Procedure
3. Select 'Update'


wizard
6. Click OK


Protocol protection
Protocol protection
Introduction
In the ColorWave 600 (Poster Printer), ColorWave 650 (Poster Printer) and ColorWave 550
systems, you can completely disable some protocols in order to protect them against attacks.
Protocols Available Protection

FTP Yes.
Can be disabled*
SNMP Yes
Can be disabled*
LPR Yes
Can be disabled*
Backchannel Always Enabled
Proprietary protocol
HTTP No, always Enabled
ICMP No, always Enabled
DNS No, always Enabled
* To disable a network protocol, go to the Configuration / Connectivity section of the Express

WebTools and uncheck the protocol.

Introduction
properly:
• ColorWave 550 R3 and higher

ep ools section
pear.
2 Preferences - System Disable Remote Service connection Set 'Remote Service con-
Properties - Service nection enabled' to 'Disa-
bled'
3 Configuration - Remote Disable all scan destinations to FTP
destination [X] sites reachable through the Internet
down - Restart

Introduction
A USB connection is available on the ColorWave 650/550 printer panel.
This USB connection is used to print from the USB storage device

USB device.
is not possible
Read from USB device protection
The USB READ operation is protected when printing from the USB device.

You can disable the direct printing operation from USB only
Refer to Prevent Print from USB on page 396.

Operating System and software protection
Operating System and software protection
Linux OS and software protection

In the ColorWave 600 (Poster Printer) / ColorWave 650 (Poster Printer) and ColorWave 550
systems the Linux operating system and associated software are stored on 'read only' partitions
to guaranty the Operating System and software integrity at each reboot.
At power on, the original Linux system software is loaded. This original system software cannot
be modified (except when using the procedures for update)
Any exploit of the security vulnerability can only affect temporary files.
A reboot of the system brings it back to the original genuine one.
Windows Embedded Standard 2009 OS and software protection

An additional Operating system is used for scanning on the ColorWave 650 multifunctional
(printer and scanner) and ColorWave 550 multifunctional (printer and scanner): Windows
Embedded Standard 2009 .
It is protected by the Linux OS so it is not accessible from the network.

Roles and Passwords
Roles and Passwords
Roles and profiles in the ColorWave 600 (Poster Printer) / ColorWave 650
(Poster Printer) / ColorWave 550 systems
Roles description
system settings.
The roles are:
• Key operator:
The System administrator can manage the Configuration settings, such as the Network settings
• Power user
The Power User has both the rights of the Key operator and the System administrator
• Service
Passwords policy and behaviour in the ColorWave 600 (Poster Printer) /

ColorWave 650 (Poster Printer) / ColorWave 550 systems
Introduction
• The passwords used in the Printer Operator Panel

In Express WebTools the passwords protect the roles.
Password modification table for ColorWave 600, ColorWave 650 and ColorWave 550
Any ScanToFile remote user name Key operator or System administrator or Power user
(ColorWave 550 / 650 only)
Password policy
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \

Passwords policy and behaviour in the ColorWave 600 (Poster Printer) / ColorWave 650 (Poster Printer) / ColorWave 550
systems

The 'Password to change network settings' is stored encrypted into the backup set made with the
'Save Set' feature of Express WebTools.
The roles passwords are not stored in the backup set.
NOTE
Set' operation (System administrator, the Key operator, or the Power user)

During the "Export templates" operation, the passwords for any ScanToFile remote user name are
stored encrypted in the file 'remotedestinationTemplates.xml' (included in the file
'exportTemplates.zip').

Access control
Access control
Introduction
The 'Access control' feature is available on the following printers and versions:
- ColorWave 550 v2.3.1 and higher
- ColorWave 650 v2.3.1 and higher
- ColorWave 650 PP v2.3.1 and higher

to communicate with the printer controller, for printing only.
Once enabled, you can define up to 5 hosts.
In case you use a print server, this server must be declared in the list of hosts to be able to print
from this server.
needs to be encrypted by IPsec (see IPsec for ColorWave printers on page 380)
You can enable 'Access control' in Express WebTools. You can disable it in Express WebTools or
via the printer user panel.
NOTE
- In case DHCP and DNS servers are used:
- 'Configuration' of the 'Access control' settings is only available to the 'System administrator'.
- To prevent unauthorised access to these settings via the printer user panel, ensure that the
'Password to change network settings' is set.

Data Security
Data Security
E-Shredding on ColorWave 600 and ColorWave 650 (PP) and ColorWave 550
Introduction
The e-shredding feature is a security feature which allows to overwrite any user print data (for
ColorWave 600 / 650 PP) and any user print/copy/scan data (for ColorWave 650 / 550) when it is
deleted from the system.
The e-shredding functionality is available on:
- ColorWave 600 R1.5 and higher
- ColorWave 600 PP R1.6.1 and higher
- ColorWave 650
- ColorWave 650 Poster Printer
- ColorWave 550

• After it was successfully printed and was not saved in a Smart Inbox ( 'Keep completed jobs in
the Smart Inbox' system setting is disabled in the Express Webtools)
• When it is automatically deleted after a timeout: the end of the job lifetime in the Smart Inbox
is reached
Inbox' set in the job management settings of the Express Webtools)
• When a 'Clear system Remove all jobs' is performed on the printer local interface
directive):
NOTE
performance.

Before you begin

Recommendation: in the Express Webtools ('Preferences'), make sure you:
- Disable 'Keep completed jobs in the Smart Inbox' in the Job management settings (so that all
the print jobs will be automatically deleted after successful printing) before enabling the e-
shredding.
- Disable 'Save received jobdata for service' in 'In case of errors' settings.
Procedure
WebTools
3. Click Edit

When you select 'Custom', you must set the number of passes:
On ColorWave 650 (PP) / 550, click on the value of 'E-shredding custom number of passes' to set
the number of passes
[5] Set the number of passes for ColorWave 650

Result
When the E-shredding feature is enabled, a new icon is added to the list of icons (bottom right) in
the Express WebTools window.
occurs.

When you enable the e-shredding, the system starts the e-shredding process for all scan/copy/
print jobs that will be deleted.
- After an automatic deletion of the print or scan jobs by the system (timeout, disabled Smart
Inbox, cleanup)

Make sure a file is completely e-shredded (e-shredding enabled)

Perform the following actions to make sure this file is e-shredded:
1- Check the "Save received jobdata for service" setting is 'off' (in Express WebTools/Preferences/
System properties/In case of errors)
2- Send the print file, make a copy or make a scan
3- Once the job has been printed/copied/scanned, make sure it has been deleted from the Smart
Inbox (in Express WebTools/Jobs)
4- Shut down the system (e-shredding will terminate the system clean up before the shut down)

IPsec on ColorWave 550 v2.3.1 and higher and ColorWave 650 (PP) v2.3.1 and higher
IPsec on ColorWave 550 v2.3.1 and higher and ColorWave 650 (PP) v2.3.1 and
higher
IPsec presentation
Introduction
on the network.
a Scan Server).
IPsec can be enabled only when 'Access Control' is enabled.
dedicated station (a print server or scan server for example)
• The print server receives the print request from the workstations via IP on the network
• The print server send the print requests to the printer/copier system via IPsec
• The printer/copier system cannot communicate directly with the workstations.
NOTE
unavailable (the back-channel information is not displayed in WPD/ Driver Select).
NOTE
- DHCP must be disabled to allow the display and the configuration of the IPsec settings.

Illustration
IPsec parameters in Express WebTools (EWT)

The following IPsec parameters are available in the Express WebTools :
Network security section:
The generic 'Access control' must be enabled.
The 'Access control station X' must be enabled.
- the IP address
- You can define a default preshared key that will be used for all the stations connected by IPsec
to the printer/scanner system.
Before you begin

DHCP must be disabled.

Procedure
3. In 'Network security' section, click on the general Edit
4. Enable Access control

5. Enable Access control station 1
6. Enter IP address of the station 1
7. Enable IPsec control station 1
8. Enter the IPsec preshared key or keep it empty to use the default preshared key (you can
configure at the bottom of the Network security section)
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
NOTE
Write it down. This preshared key will be required during the IPsec configuration on the
workstation.
Result
be a print server).

When to do
Pre-requisites
Purpose
a workstation.
1- Add the security snap in on page 383
NOTE
Procedure



Procedure
Policy'


Procedure



controller

9. Click 'Finish'

Procedure
2. Click 'Next'



Procedure
wizard
"Add")
2. Click 'Next'


(preshared key)'
9. Click 'Finish'

Procedure
system.
NOTE
In case you use the WPD driver, see The impact of IPsec when you print through a print
server on page 61.
Troubleshooting: Disable 'Access control' and IPsec (ColorWave 650/550

systems)
Introduction
• Access control is enabled and activated on the printer/scanner controller of ColorWave 650/550
v2.3.1 and higher
and
Then you can use the emergency procedure to disable Access control Via the printer user panel
on the printer/scanner system

Troubleshooting: Disable 'Access control' and IPsec (ColorWave 650/550 systems)
Disable Access control on the printer user panel (ColorWave 650/550)
Procedure
1. On the printer user panel, click on 'System'
2. Select 'Setup'
3. Roll down to 'Disable access control'

Enter the password if requested (Password to change the network settings).

5. Press 'Finish'
Result
Access control is disabled.
If IPsec was also activated on the controller, it is also disabled with this operation.

How to prevent 'Print from USB' on ColorWave 550/650 (and PP)
Introduction
You can disable any access to the USB device by preventing printing from the USB device.
Illustration
Procedure
2. Open the 'Preferences' - 'System properties' page and select the 'Printer properties' section
5. Log in as a 'Key Operator' or 'Power User'

Configure the Smart Inboxes to manage the access to job data

Use the Smart Inbox management features of your system to limit and restrict the access to the
print and scan job data.
Depending on your system, go to the 'Preferences'/'System properties' to disable or restrict, for
example:
• The remote view of the Smart Inboxes
• The display of the Smart Inboxes on the printer panel
• The storage of the job data in the Smart Inboxes
Set the job management settings

The 'Job management' settings are available on the 'Preferences'/'System properties' tab.
Configure the job management settings to manage the visibility of jobs and their availability in
Express WebTools or in the printer operator panel.

Security on ColorWave 550 R3.x, ColorWave 650 R3.x
Security on ColorWave 550 R3.x, ColorWave 650 R3.x
Overview
Security overview for the ColorWave 550 R3.x, ColorWave 650 R3.x system
Introduction
The ColorWave 550 R3.x and ColorWave 650 R3.x systems are equipped with the following
security features:
Security overview

Firewall Yes
Antivirus Yes
- User settings
SMB authentication NTLMV2 or NTLMV1 (can be set in Express WebTools)
Smart Inbox management - Can be enabled/disabled

Ports - Protocols
Applications, protocols and ports used in the ColorWave 550/650 R3.x system
Printing applications with ColorWave 550/650 R3.x: INBOUND and OUTBOUND ports and
protocols used by the system
Wide-format Printer Driver for TCP 515: LPR
Microsoft Windows (WPD2) TCP 80: HTTP for back-chan-
Driver Express
TCP 443: HTTPS
Publisher Mobile TCP 21: FTP
sive mode)
ICMP: ping
TCP 65200: back-channel
FTP passive mode)
UDP 138, 445
- Local: TCP any
- Remote: TCP 21
FTP Data(1) :
- Local : TCP any
- Remote: TCP any
Notes:

* back-channel is a proprietary protocol used to retrieve information from the printer (status,
Scanning applications with ColorWave 550/650 R3.x: INBOUND and OUTBOUND ports and
UDP 137, 138, 445
- Local: TCP any
- Remote: TCP 21
FTP Data(1) :
- Local : TCP any
- Remote: TCP any
Notes:
Control management with ColorWave 550/650 R3.x0: INBOUND and OUTBOUND ports and
PING IPv4 ICMPv4
PING IPv6 ICMPv6
TCP 443: HTTPS
trieval
Back-channel TCP 65200 for back-channel
TCP web proxy port (1) 4

UDP 138
WSD TCP 80: HTTP
WAVE TCP 80: HTTP
(Publisher Select)
IPsec UDP 500
UDP 4500
Notes:
Additional built-in Windows 7 firewall rules

Inbound rules:
Outbound rules:

Security Patches
Security Patches
Introduction
Before you begin

NOTE

Install a patch
Procedure
3. Select 'Update'


wizard
6. Click OK

Protocol protection
Protocol protection
Introduction
In the ColorWave 550/650 R3.x system, you can completely disable some protocols in order to
protect them against attacks.
HTTPS, ICMP (ping), DNS protocols cannot be completely disabled.

services sis
FTP FTP For FTP printing (the con-
Enable/Disable er).
SNMP SNMP Enable/Disable
LPR/LPD LPR Enable/Disable For LPR printing
WAVE interface HTTP Enable/Disable Used for:
- Account Center
Account dialog upload HTTP Enable/Disable When both this 'Account
interface dialog interface' AND
'WAVE interface' are disa-
bled, any interaction with
Account Center is disabled.
Web Services for De- HTTP Enable/Disable For WSD device discovery
vices (WSD)
OCI interfaces Proprietary Enable/Disable Used for Reprodesk Server
interfaces
Allow interaction with HTTP Enable/Disable Used only for Publisher Se-
Publisher Select lect backchannel
Express WebTools via HTTP Enable/Disable For Express WebTools and
HTTP Publisher Express 4


services sis
HTTP HTTP There is no specific setting
to enable disable HTTP
protocol.
enabled:
- 'Wave interface'
ces'
Publisher Select'
HTTP'
ices are disabled.
HTTPS HTTPS Always Enabled - Cannot
be disabled.
Note: To disable a network protocol or network service, go to the Configuration / Connectivity


Introduction
properly:

ep ools section
pear.
2 Preferences - System Disable Remote Service connection Set 'Remote Service con-
Properties - Service nection enabled' to 'Disa-
bled'
3 Configuration - Remote Disable all scan destinations to FTP
destination [X] sites reachable through the Internet
down - Restart

Introduction
A USB connection is available on the ColorWave 650/550 printer panel.
This USB connection is used to print from the USB storage device

USB device.
is not possible
Read from USB device protection
The USB READ operation is protected when printing from the USB device.

You can disable the direct printing operation from USB only
Refer to Prevent Print from USB on page 396.

Antivirus
Antivirus

NOTE
controllers.

Roles and Passwords
Roles and Passwords
Roles and profiles
Roles description
system settings.
The roles are:
• Key operator:
security settings.
• Power user
• Service

Passwords policy and behaviour in the ColorWave 650 R3.x systems
Introduction
• The passwords used in the printer user panel

• The roles

Passwords policy and behaviour in the ColorWave 650 R3.x systems
Password policy
Passwords used on the printer user panel

In Express Webtools, configure the 'Password to change network settings'.
This password is used on the printer user panel to protect:
• the network settings
• the security settings
NOTE
Keep this password. The reset of this password may require the intervention of an Canon
Service technician.
Password modification table for ColorWave 650 R3.x

Change network settings System administrator or Power user
Proxy authentication for Remote System administrator or Power user
Service

The 'Password to change network settings' and the 'Proxy authentication: password' are stored
encrypted into the backup set made with the 'Save Set' feature of Express WebTools.
The roles passwords are not stored in the backup set.
NOTE
Set' operation (System administrator, Key operator, or Power user)

During the "Export templates" operation, the passwords for any external location remote user

Access control
Access control
Introduction
Access control allows to limit the access to the system according to IP filtering method.

NOTE
Important: ALWAYS define the hosts before enabling Access control.
In case Access control is enabled without any host configured, communication is blocked. Go to
the printer user panel to disable Access control.
needs to be encrypted by IPsec (see IPsec presentation on page 414)
NOTE
- In case DHCP and DNS servers are used:
- 'Configuration' of the 'Access control' settings is only available to the 'System administrator'.
- To prevent unauthorised access to these settings via the printer user panel, ensure that the
'Password to change network settings' is set.

Audit log
Audit log
Introduction
and/or cleared.

• IPsec settings
• Timezone
• Retrieval of job data by service
• Resetting of passwords by service

Data security
Data security
E-Shredding
Introduction

( 'Keep completed jobs in the Smart Inbox' ans 'Keep copies of local print jobs in the Smart
Inbox 'system settings are disabled in the Express WebTools)
is reached
settings of the Express WebTools)
directive):
NOTE
performance.

IPsec
IPsec
IPsec presentation
Introduction
on the network.
Illustration


IPsec presentation

vated. cryption.
encrypted. crypted.
is activated.
with the system.
with all stations.
IPsec parameters in the Express WebTools

The following IPsec parameters are available on the Express WebTools - Configuration -
Connectivity tab, Network security section:
- the IP address
print/scan system.
NOTE
• Encapsulation type : Transport

Configure the IPsec settings on the controller
Configure the IPsec settings on the controller
Before you begin

Activate and configure IPsec on the system controller
Procedure
3. In the 'Access control' section, click on the general 'Edit'
4. Check the 'Enable/Disable IPsec' box to enable 'IPsec'

You can also activate the Access control
5. Enable 'IPsec control station 1'
you remotely configure the system, at least during the configuration time (IPsec not needed).
6. Enter the IPsec preshared key or keep it empty to use the default preshared key . You can
configure the default preshared key at the bottom of the Network security section.
NOTE
workstation.
7. Click OK

Result
When to do
Pre-requisites
Purpose
a workstation.
NOTE
300 system.
PlotWave printers.
Troubleshooting: Disable 'Access control' and IPsec (ColorWave 650/550

systems)
Introduction
• Access control is enabled and activated on the printer/scanner controller of ColorWave 650/550
v2.3.1 and higher
and
Then you can use the emergency procedure to disable Access control Via the printer user panel
on the printer/scanner system

Disable Access control on the printer user panel (ColorWave 650/550)
Procedure
1. On the printer user panel, click on 'System'
2. Select 'Setup'
3. Roll down to 'Disable access control'

Enter the password if requested (Password to change the network settings).

5. Press 'Finish'
Result
Access control is disabled.
If IPsec was also activated on the controller, it is also disabled with this operation.

HTTPS (on ColorWave 550 R3.x and ColorWave 650 R3.x)
HTTPS (on ColorWave 550 R3.x and ColorWave 650 R3.x)
Introduction
On the ColorWave 550/650 R3.x systems, you can use the HTTPS protocol to:
communication.

protocol.

certificates.

messages.


Procedure




'Next'.



11. Click on 'Yes'.


Result
Procedure




Introduction
printer.

Authority.
protocol.
Step Description
created.
page 166.
ply.
request feedback
A4- Restart the controller

Step Description
each workstation.
stations browser on page 168.
Other procedures
certificate.

Introduction
You can disable any access to the USB device by preventing printing from the USB device.
Illustration
Procedure
2. Open the 'Preferences' - 'System properties' page and select the 'Printer properties' section
5. Log in as a 'Key Operator' or 'Power User'


queue.
press') activated.
(logging needed).
box time-out.
box


Chapter 6
Security on ColorWave 500, 700, 3500,
3600, 3700, 3800
Overview
Overview
Security overview for the ColorWave 3500/3600/3700/3800 and

ColorWave 500/700 systems
Introduction
The ColorWave 3500/3600/3700/3800 and ColorWave 500/700 systems are equipped with the
following security features:
Security overview
Operating System Microsoft Windows Embedded Standard 8 64 bit (for

CW500/700)
Microsoft Windows 10 IoT Enterprise LTSB 2016 (for
CW3500/3700)
CW3600/3800)
Firewall Yes
(CW500/700)
Standard Microsoft Security updates (.MSU) approved
CW3500/3600/3700/3800)
(please check Security Web Page on
http://downloads.cpp.canon)
Antivirus Yes
- Smart card
- Contactless card for CW3500/3600/3700/3800 and
CW500/700 4.2 and higher versions
word is enabled on:
- CW500/700 R4.1 and higher
- CW3500/3600/3700/3800 4
434 Chapter 6 - Security on ColorWave 500, 700, 3500, 3600, 3700, 3800
Security overview for the ColorWave 3500/3600/3700/3800 and ColorWave 500/700 systems
Hard Disk encryption For CW500/700/3500/3700:

- Normal encryption
Encryption mode:
- AES256 for CW3500/3700 and CW500/700 4.2 and high-
er versions
- AES128 for other CW500/700 versions
For CW3600/3800:
CW3600/3800)
Device authentication IEEE802.1X for CW3500/3600/3700/3800 and CW500/700
4.2 and higher versions
Kerberos or LDAP over SSL (for CW3500/3600/3700/3800
and CW500/700 4.2 and higher versions)
- User settings
System Administrator on:
- CW500/700 4.1 and higher
- CW3500/3600/3700/3800
• CW3600/3800
• CW3600/3800 4
Chapter 6 - Security on ColorWave 500, 700, 3500, 3600, 3700, 3800 435
Security overview for the ColorWave 3500/3600/3700/3800 and ColorWave 500/700 systems

• CW3600/3800
Ports - Protocols
Microsoft Windows (WPD2) TCP 80: HTTP for back-chan- for Printer Discovery
Driver Select
TCP 443: HTTPS
TCP 443: HTTPS
(CW3600/3800)
sive mode)
ICMP: ping
TCP 21: FTP (2)
FTP passive mode)
UDP 138, 445 4
- Local: TCP any
- Remote: TCP 21
FTP Data(3) :
- Local : TCP any
- Remote: TCP any
TCP 443: HTTPS
TCP WebDAV port
Notes:
(1)
iOS.
(2) Only for Publisher Mobile v 2.0 to v2.2 for iOS.
UDP 137, 138, 445
- Local: TCP any
- Remote: TCP 21
FTP Data(1) :
- Local : TCP any
- Remote: TCP any
TCP 443: HTTPS
TCP WebDAV port
Scan to Home folder(3) TCP 88/UDP 88: Kerberos

TCP 389/UDP 389: LDAP
TCP 139, 445
UDP 137, 138, 445
Notes:
(3) Available on ColorWave 500/700 R4.1 and higher and ColorWave 3500/3600/3700/3800.
PING IPv4 ICMPv4
PING IPv6 ICMPv6
TCP 443: HTTPS
trieval TCP 443: HTTPS
(CW3600/3800)
User authentication by user TCP 88 /UDP 88: Kerberos
name and password TCP 389 /UDP 389: LDAP
User authentication by smart TCP 80: OCSP
card TCP 80: HTTP or TCP 443:
HTTPS
back-channel TCP 65200 for OCI back-chan-
nel
Remote Service TCP 443: HTTPS
UDP 138
WSD TCP 80: HTTP
WAVE TCP 80: HTTP
TCP 443: HTTPS
(CW3600/3800)
(Publisher Select)
TCP 443: HTTPS for back-
channel (CW3600/3800) 4
IPsec UDP 500
UDP 4500
LDAP authentication over Ker- TCP 88/ UDP any: for Kerberos
any: for LDAP
any
Time synchronisation UDP 123: Network Time Proto- UDP 123: Network Time Proto-
col (CW3600/3800) col (CW3600/3800)
Notes:

Inbound rules:
• Core Networking - Dynamic Host Configuration Protocol (DHCP-In).
• Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In).
Outbound rules:
• Core Networking - DNS (UDP-Out).
• Core Networking - Dynamic Host Configuration Protocol (DHCP-Out).
• Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out).
• Core Networking - IPv6 (IPv6-Out).
Security Patches
Security Patches
Install Operating system patch for CW500/700
Introduction
Before you begin

NOTE
Find the Security patch on the Downloads website on "http://downloads.cpp.canon":

Install a patch
Procedure
3. Select 'Update'

wizard
6. Click OK
Install Operating system patch for CW3500/3600/3700/3800
Introduction
Before you begin

patches.
1. In Express WebTools, the user selects the Operating system patch file that he previously
retrieved.
Install a patch
Procedure
1. Open Express WebTools .
3. Select [Update].

ded system
lation. After acknowledging the dia-
log box, the system will reboot auto-
(default behavior).
downloaded and checked) but you
want to install it during non working
hours for a faster installation.
any confirmation.
Protocol protection
Protocol protection
Introduction
attacks.

services sis
Enable/Disable er).
- Account Center
- Reprodesk
- Third party applications
vices (WSD)'
interfaces

services sis
col.
enabled:
- 'Wave interface'
ces'
Publisher Select'
HTTP'
ices are disabled.
be disabled.
Service documenta-
tion'


Introduction

ools section
bled'
3 Configuration - Con- Disable the automatic update of Set ' Allow automatic update
nectivity - Other net- the embedded Service information of service information' or 'Al-
work interfaces low automatic update of em-
bedded Service documenta-
tion' to 'Disabled'
protocol
Internet
tings
down
Introduction
• Connect a Smart card reader or a Contactless card reader

• Executing any program present on the USB device is not possible
USB device.
is not possible

You can disable:


• Supplicant
• Authenticator
A. B.

802.1x
802.1x
LAN LAN
LAN

EAP
• EAP-TLS
• EAP-MS-CHAP v2
authentication.
NOTE
methods.
PEAP
EAP-MS-
CHAP v2

environments.
NOTE
NOTE

supplicant.
EAP-TLS
Authenticator

5. FQDN

3. Authentication
4. Certificate
Domain controller
(Printer) server
LAN

network.
PEAP with EAP-TLS
Authenticator


3. Authentication
4. Certificate
Domain controller
(Printer) server
LAN
network.
Authenticator

MS-CHAPv2 login

5. Authentication
6. Data
(Printer) server
LAN
network.
Prerequisites
• A printer
• A RADIUS server
Introduction
see Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2'
on page 209
Troubleshoot
page 236.
Introduction
NOTE
Procedure
used:
Example:
Example:
Prepare the switch
Prepare the switch
Introduction
Procedure

Prepare the switch
Introduction
Procedure
4. Click 'Ok'.

• Password
NOTE


downloaded.

MSCHAPv2'
Introduction
Before you begin

Procedure
Introduction
Procedure

4. Click on 'Next'.
6. Click on 'Next'.
8. Click on 'OK'.
MSCHAP v2 '.
12. Click on 'OK'.

Result
switch.
with EAP-TLS)'
Introduction
2016).
Before you begin

Procedure
is 'cw3700'.
Policy'.

Network Policy
Introduction
Procedure

4. Click on 'Next'.
6. Click on 'Next'.
8. Click on 'OK'.

11. Click on 'OK'.


Result
switch.
Introduction
Procedure

4. Click on 'Next'.
6. Click on 'Next'.
8. Click on 'OK'.
13. Click on 'OK'.



Result
switch.
Troubleshoot
Troubleshoot
Introduction
troubleshooting.


3. On the switch
Generally:
Troubleshoot

Troubleshoot

Troubleshoot

situation
menu: grade

'No'.
lyser)
4
Troubleshoot


IEEE802.1X)
ethernet port)
Troubleshoot

(CRP).'
in Active Directory
Antivirus
Antivirus
NOTE
controllers.
Roles
Introduction
Roles description
system settings.
The roles are:
• Key Operator:
security settings.
• Power User
• Service

• Domain Users (for CW3500/3600/3700/3800 and CW500/700 R4.2 and higher versions): the IT
administrator defines users in a domain who can act as Key Operator, System Administrator,
Power User and Service role
Local users
Local users
NOTE
Domain users.
Domain users (LDAP authentication): for CW3500/3600/3700/3800 and CW500/700 R4.2 and higher versions
Domain users (LDAP authentication): for CW3500/3600/3700/3800 and

CW500/700 R4.2 and higher versions
Introduction
• On Server:
which group
• On the Printer:
• The IT manager defines the aforementioned domain(s) by mean of Express Web Tools
• Any authorized user defined in a specific domain group can authenticate on Express Web
Tools and the Local User Interface with the dedicated role.
Before you begin

Introduction
Before you begin

LDAP server.
Procedure

• A description.
administrator:
suffixes).
creation problem.
NOTE
After you finish

page 720
Introduction
Procedure
4. Click 'OK.
on page 263
Introduction
Before you begin

LDAP server.
Procedure

• A description.
administrator:
suffixes).
creation problem.
NOTE
After you finish

When to do
Before you begin

Procedure
Introduction
Procedure
4. Click 'OK.
page 264

NOTE

login.
NOTE
screen:
screen:
Password policy
Password policy





NOTE
CAUTION :
Introduction

or
able.
administrator
ted.
Please try again.
Introduction

able.
administrator
main.com")

• Allow Service Technician to enable local users (for CW3500/3600/3700/3800 and CW500/700
R4.2 and higher versions)
NOTE
This feature is applicable when LDAP authentication has been setup and when the
system administrator has disabled the local System Administrator and the local
Power user account. In this case, if domain users are not accessible anymore for any
reason, it is not possible to login locally on Express Webtools to change settings.
The only way is to re-enable the local users (System Administrator and Power user).
ONLY if the setting "Allow Service Technician to enable local users" is set to
"enabled", this operation can be performed by the Service technician on site. If the
setting "Allow Service Technician to enable local users" is set to "disable", a re-
installation of the printer software by the service technician is mandatory.

Passwords policy
Passwords policy
Introduction

• The roles
Password policy

user panel:
on the user panel:
• The printer calibration
• 'Clear system'
• The media calibration
• The roll-to-roll option
NOTE
technician.

Passwords policy

During the 'Export templates' operation, the passwords for any external location remote user

This password is valid for 4 hours or until the next reboot.
Access control
Access control
Introduction
Access control allows to limit the access to the print system based on the IP filtering method.
In Express WebTools, find the 'Access control' settings on the Security - Configuration page.
Pre-requisites
• The configuration of the 'Access control' settings is only available to the 'System
administrator' and 'Power user'.
To prevent unauthorised access to these settings via the printer panel, the System
administrator must log in to access the network settings.
• Important: ALWAYS define the hosts before enabling 'Access control'.
In case 'Access control' is enabled without any host configured, communication is blocked. Go
to the printer panel to disable 'Access control'.

NOTE

NOTE
Audit log
Audit log
Introduction
and/or cleared.

In Express WebTools, open the 'Security' - 'Audit log' tab to download the Audit log that contains
• IPsec settings
• Disk encryption
• Whitelisting (McAfee Application control, for CW3600/3800)
• Timezone
Audit log
SNMPv3: for CW3600/3800, CW3500/3700 (R5.1 and higher versions) and CW500/700 R4.3 and higher versions)
SNMPv3: for CW3600/3800, CW3500/3700 (R5.1 and higher

versions) and CW500/700 R4.3 and higher versions)
Introduction
encryption.
The current implementation of SNMP v3 offers user authentication only to ensure identity of the
SNMPv3 settings
You can access to the SNMPv3 settings by mean of the settings Editor : section Configuration |
Connectivity |SNMP v3

tion

• RFC 4293 MIB-II
Secure Boot (CW3600/3800)
Secure Boot (CW3600/3800)

Introduction
Secure boot is a security standard developed by members of the PC industry. It helps to make
sure that a device boots using only software that is trusted by the Original Equipment
Manufacturer (OEM).
When the device starts, the firmware checks the signature of each piece of boot software,
including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the
operating system. If the signatures are valid, the device boots, and the firmware gives control to
the operating system.
Whitelisting (McAfee Application Control) (CW3600/3800)

Introduction
Some printers have the option McAfee Application Control. This feature is also known as
Whitelisting or McAfee Embedded Control.
Unlike a virus scanner, which can create a security risk if you do not keep it constantly updated
with the latest virus definitions, McAfee Application Control creates a detailed map - a
'fingerprint' - of all the files on the printer and prevents any unauthorized changes, whether by
malware, viruses or unauthorized users. It is constantly checking the integrity of the files against
the fingerprint, and will block and report any tampering or unauthorized change.
If printer software needs to be upgraded, then the fingerprint will be updated as well.
Pre-requisite
• A license for the option: 'Whitelisting (McAfee) License'
How to check the status of Whitelisting

The current status can be checked in the Security tab of WebTools Express:
The default status is 'Not activated'.
Enable white listing in WebTools Express

NOTE

Express.
2. In Webtools Express ('Security' - 'Configuration') go to 'Whitelisting settings'.
3. Select the setting 'Block unauthorised changes'.
4. Select 'Activated' and click OK.
NOTE
The Whitelisting process needs 30-60 minutes to create the 'fingerprint' (on new
installed systems this process is faster than on systems in use for some time, as the
amount of data on the disks will have increased). The setting 'Current protection
status' stays at 'Protection not activated'.
5. After 60 minutes reboot the printer. After the reboot the setting 'Current protection status' will
change to 'Protection activated'.
NOTE
If the reboot is done before the Whitelisting process is finished, the process will
start again after the reboot. When the process then finishes, the setting 'Current
protection status' will change to 'Protection activated'.
Data security
Data security
User authentication
Secure printing, copying and scanning operations with the User

authentication
Introduction
In order to increase document confidentiality, the users can secure printing/copying/scanning
operations with the user authentication.
The 'User authentication' feature is an option.
When the 'User authentication' feature is enabled:
• The jobs are not printed until the owner of the job authenticates on the system user panel.
The print jobs are stored in the printer and only the owner of the jobs can access them.
• Copying and scanning operations are accessible only after the user authenticates on the
system user panel.
• You cannot retrieve scanned files that are stored locally on the controller.
User authentication methods
One of the two following methods can be used for user authentication:
• User name and password
The sser name and password are required on the printer panel. This authentication method is
mainly targeted to Windows based environment (Microsoft Active Directory).
• Smart card (PKI card compatible with MS Active Directory Certificates Services)
A valid smart card must be inserted into the smart card reader (plugged into the USB outlet).
• Contactless card
A valid card without contact must be passed over a contactless card reader (plugged into the
USB outlet). The authentication method is mainly targeted to a Windows based environment
(Microsoft Active Directory).
NOTE
It is possible to mix some authentication methods:
Secure printing, copying and scanning operations with the User authentication
3 4
The system showed in this example is the ColorWave 700.
The print workflow

1- The user logs in on a workstation to prepare the job.
2- The user uses a job submission tool to submit the job to the printer. The submitted job
contains the job owner identity.
The job is stored in the printer (it is not printed).
Note: the submission tool can be Publisher Select, or a driver within an application (e.g. WPD2/
Driver Select), or an ONYX application, or a LPR or FTP command.
3- The owner of the job logs in on the printer user panel. Only the job owner can see the job and
print it (user authentication is required to unlock the printer panel accessibility).
4- The job owner launches the print.
5- The job owner collects the printed output.
The scan and copy workflow
The Scan and Copy features are accessible only after the user authenticates on the user panel.
Impact of the user authentication on the system features and Express

WebTools
Introduction
When the user authentication is activated, and in order to guarantee the data confidentiality:
• Some features of the system are disabled (see below).
• The related settings are no more accessible (see below).
• The time-out set for the 'Remove completed jobs from the Smart Inbox after' setting in
'Preferences' - 'System defaults' - 'Job management' applies and deletes:
- the jobs that are submitted without valid authentication information.
- the jobs that are not accessed during this period of time.
Disabled features in Express WebTools when user authentication is activated
DISABLED feature Setting removed from Express WebTools

Send the job directly In 'Preferences' - 'System defaults' - 'Job management':
to the print queue • 'Default destination of print jobs'
• 'Override destination of print jobs'
Smart Inbox In 'Preferences' - 'System defaults' - 'Job management':
• 'Display Smart Inboxes in Express WebTools'
• 'Display a view on all Smart Inbox jobs'
• 'Keep completed jobs in the Smart Inbox'
• 'Keep a copy of scanned jobs in the Smart Inbox'
• 'Keep a copy of copy jobs in the Smart Inbox'
• 'Keep a copy of local print jobs in the Smart Inbox'
Key operator actions In 'Preferences' - 'System defaults' - 'Job management':
on jobs • ' Restrict remote actions on jobs to the Key Operator'
Copy job priority In 'Preferences' - 'System defaults' - 'Job management':
• ' Copy job priority'
OCI interface In 'Configuration - 'Connectivity'' - 'Other network interfaces':
• 'OCI interfaces'
Locking of the user In 'Configuration - 'Connectivity'' - 'Other network interfaces':
panel via the Wave in- • 'Locking of the user panel via the Wave interface'
terface
And consequently:
• 'Restrict the locking action to a single device'
• ' Device hostname'
Third-party applica- In 'Configuration - 'Connectivity'' - 'Third-party applications':
tions on the user pan- • 'Third-party application button on the user panel'
el
Save job data for In 'Preferences' - 'System defaults' - 'In case of errors':
Service • ' Save received job data for Service'
Jobs view in Express WebTools

On the 'Jobs' page, the Job queue displays the job names only.
NO user, even users with privileges such as System Administrator, Key Operator, Power user or
Service, can see the content of the jobs or act on them.
Disabled feature on the system user panel

The 'Move to top' feature on the system user panel is disabled.
To secure the job data and job ownership on the network, during the job submission / the job
scanning to external locations, the use of a secured network (IPsec for instance) is recommended.
Introduction
Find below the standard workflow for printing and the standard workflow for scanning/copying
when the user authentication is activated and configured on the print system.
Standard workflow for print
Step Action
1- Logging on a work- The user logs in with his/her credentials.
station Example: 'user1' on 'domain.com' and the associated password.
2- Job submission The user submits jobs using a printer driver (e.g. WPD2/ Driver Select)
or a job submitter (example: Publisher Select 3)
3- Authentication on The user logs in on the printer:
the printer
• either by typing his/her user name and password on the printer pan-
el
• or by using his/her smart card
The credentials used on the printer must be the same as the ones used
at the job submission time.
Example: 'user1' belonging to the domain 'domain.com'. 4
Step Action
4- Job management On the bottom right part of the panel (Smart Access), the user can see
the jobs submitted with his/her user credentials.
The user can check the jobs and change the settings.
5- Job print The user prints the jobs by clicking the green button.
6- Print queue The user can open the print queue and follow the progress of the jobs.
NOTE
All the jobs in 'Ready to print' state are printed, even when
the users logs out in the meanwhile.
Recommendation: For complete security of the printed data,
we recommend that the user stays close to the printer until
all the jobs are completely printed.
The jobs in 'Processing' state are not printed if the user logs
out before they are in 'Ready to print' status.
Standard workflow for scan and copy
Step Action
1- Logging on the The user logs in on the printer:
printer • either by typing his/her user name and password on the printer pan-
el.
• or by using his/her smart card.
Example: 'user1' on 'domain.com'
Step Action
2- Workflow selection The user selects Copy or Scan in the menu.
NOTE
For scan operations, it is recommended to scan to an external
location (not locally on the controller).
When the user logs to an external location, the login name in
the top menu is replaced by the login name to the external lo-
cation. The 'User session time-out' set in the 'Security' - 'Con-
figuration' tab applies for both the user authentication on the
user panel and the authentication on the external locations.
The files scanned locally to the controller can be used only
for reprint purpose. They cannot be retrieved or saved from
the network.
3- Job copy or scan The user loads the original and starts the copy or scan of the job to an
external location.
Introduction
There are several ways to submit print jobs to the printer.
Find below the recommendations for benefiting from the protection by the user authentication in
the recommended job submission workflows:
• Job submission with Publisher Select (from version 1.17)
• Job submission from an application with the WPD2 (from version 2.11) or Driver Select
• Job submission from an application with the PS3 driver (from version 1.24) or Driver Express
Job submission with Publisher Select

2- Open Publisher Se-
lect and connect to a
printer
3- Create a print job The user account name that the Publisher Select application will attach
to the print job is:
• <user name>@<domain> if the domain is detected by the application
(example: 'user1@domain.com')
• <user name> if the domain is not detected (example: 'user1'). Which
is the case for instance when the user account is a local account on
the workstation.
NOTE
In Publisher Select, the user account name cannot be
changed.
Job submission with WPD2/ Driver Select

3- Open the driver When the driver window opens, check the user account name of the
(Properties) to print job in the top right part of the window. This user name is going to be
the job from the appli- sent along with the job.
cation Example: 'user1@domain.com'.
NOTE
If the user account name is not displayed, open the 'Options'
- 'Advanced options' window and check the option 'Require
user authentication' in 'Troubleshooting'. 4

4- Change the user In the driver, you can change the user name of the owner of the job
name when needed when needed:
Click on the current user account name to edit it, and change it.
Important remark:
Make sure the new user name you select will be the one you will use
on the printer to access the jobs.
Job submission with PS3 driver/ Driver Express

3- Open the driver to - Driver for Windows:
print the job from the The driver attaches the user account name to the print job:
application • <user name>@<domain> if the domain is detected by the driver (ex-
ample: 'user1@domain.com').
• <user> if the domain is not detected. Which is the case for instance
when the user account is a local account to the workstation (exam-
ple: 'user1').
NOTE
In the driver, the user name cannot be changed.
- driver for Mac:

The driver does not attach a user account name to the job.
If there is no job ticket in the file or no 'Username' in the job ticket, then
the (non FQDN) user name of the user logged in on the system is used
(example: 'user1').
Job submission by LPR

For a file submitted by LPR, the system will use the 'Username' tag present in the job ticket of the
file if any.
If there is no job ticket in the file or no 'Username' in the job ticket, then the (non FQDN) user
name of the user logged in on the system is used (example: 'user1').
The LPR command to submit the job is: [LPR -S <printer-name> -P <printer-name> -x <filename>].
NOTE
The user name of the user logged on the system does not overwrite the 'Username' embedded
into the job ticket.
Job submission via FTP

For a file submitted by FTP, the system will use the 'Username' tag present in the job ticket of the
file if any.
If there is no ticket or no 'Username' in the ticket, then the user name 'anonymous' is attached to
the job and stored in the system controller. Only an user with a user account name 'anonymous'
is then able to see and perform actions on these jobs.
Job submission with Publisher Express (Express WebTools)

For a file submitted by Publisher Express, the system will use the 'Username' tag present in the
job ticket of the file if any.
If there is no ticket or no 'Username' in the ticket, then the content of the 'Job owner' field in
Publisher Express is used.
The user name entered in this field must not be blank. The name must be the same as the one
that will be used to log in on the system (example: 'user@domain.com').
NOTE
The job owner declared in Publisher Express does not overwrite the 'Username' embedded into
the job ticket.
Job submission with ONYX

For a file submitted with ONYX, the system uses the (non FQDN) user name the user has entered
to log in on the workstation (example: 'user1').
To be able to see the files on the user panel, the user must log in on the system with the same
user name.
Requirements
Introduction
To use the authentication by smart card, the smart card and the smart card reader must comply
with the following requirements:
Requirements for the smart card

The smart card is a PKI card compatible with MS Active Directory Certificates Services.
Compatible smart cards
• Gemalto IDPrime MD and Gemalto IDPrime .NET (formerly Cryptoflex .NET)
• HID Global Corporation: Crescendo MiniDriver (formerly named Crescendo C1150)
Smart card configuration
The smart card embeds:
• The user valid certificates: all the root and intermediate CA certificates used in the certificate
chain.
'DER encoded binary X.509 (.CER)' and 'Base-64 encoded X.509 (.CER)' formats are supported.
• The URL of a revocation server which checks the validity of the user certificate (using 'Online
Certificate Status Protocol').
In case the URL of the revocation server is not embedded into the smart card, you will have to
declare the URL in Express WebTools (in the 'Security' - 'Trusted Certificates' - 'Forced URL of
OCSP responder' setting).
• The PIN of the card, if needed.
Compatible smart card readers

• HID Global Corporation: OMNIKEY 5x2x products
• Identive infrastructure (formerly SCM Microsystems Inc.): SCR33x products
• Gemalto: IDBridge products (formerly GEMPC/GEMPLUS)
• Advanced Card Systems Holdings Limited: ACR1281U product (contact support only)
• HID Global Corporation: OMNIKEY 3x2x products*
* For PW3000/3500/5000/5500/7500, CW3500/3600/3700/3800, PlotWave 345/365/450/550 and for
ColorWave 500/700 R4.1 and higher.
Most of the smart card readers which are plug and play compatible with the Windows operating
system used in the printer are compliant.
- Contact your Canon representative in case you want to use a smart card or a smart card reader
which is not recorded in the above lists.
- Plug the smart card reader into the USB port (contact your local Canon representative).
- The only network communication performed during authentication with a smart card is the one
with the revocation server. The information on the smart card and the information on the Express
WebTools settings are checked against the one which is stored in the revocation server.
Introduction
Perform the following steps to activate the user authentication and configure the smart card
authentication.
Before you begin

The smart card and the smart card reader are compliant with the requirements.
Activate the smart card authentication

3. In the 'User access mode' section, select 'Smart card' as the 'User authentication':

'Restart later'.
Configure the smart card settings

Configure:
• The trusted certificates.
• The user access settings.
Procedure
in the certificate chain for the authentication.
3. Browse for one root or intermediate certificate.
When the URL of the revocation server is embedded into the smart cards, leave the 'Forced URL
of OCSP responder' field empty.
Enter the URL of the revocation server only if this URL is not already embedded into the smart
cards.
Set the following options:

automatic log out on the system user panel.
• Whether the revocation server is systematically consulted at logging time.
• Whether the PIN of the smart card is requested at logging time.
When this setting is activated, the FQDN of the user (<user name>@<domain>) is requested
when the user logs in on the printer panel. Once logged in, the user sees only the jobs that
have been submitted with the same FQDN.
Example: the user 'user1@domain.com' logs in on the printer. This user can see only the jobs
that have been submitted by 'user1@domain.com'.
filtering.
Example: 'user1' only is used for filtering the job sent by all 'user1' users, whatever their
domain. When logged in on the printer, 'user1' will have access to all jobs submitted by:
• 'user1@domain.com'
• 'user1'
When to do
After you configured the user access mode via smart card, validate it.
Before you begin

A supported smart card and a supported smart card reader connected to the print system.
Procedure
1. Insert a valid smart card in the smart card reader.
3. Leave the 'User name' field empty and enter the PIN if it is required in the user access settings.
4. Click 'OK'.

Troubleshooting of authentication by smart card on page 291.
Introduction
Insert the smart card into the card reader.
• The authentication is automatic when the smart card contains a valid user name (and no
password is needed).
• A login window is displayed when the authentication with the smart card requires a PIN. Enter
the PIN in the password field.
• A login window is displayed when there is more than one user registered into the smart card.
Select the user name and enter the PIN in the password field
Introduction
When an error occurs during the configuration of the authentication by smart card, go to the
'Security' - 'Configuration' page and start the validation tool (See topic 'Validate the smart card
configuration').
Find below the list of possible causes of errors that can occur during the validation of the smart
card configuration.
Authentication by smart card: errors


ed to the red cross
Error detecting readers Reader not supported or read- Check the connection of the smart
er not correctly connected. card reader.
Check that the smart card reader is
supported.
Failed connecting with No smart card is inserted in Insert a smart card into the reader.
card: The Smart card the smart card reader.
resource manager is The smart card is not correctly
not running. inserted.
A card is present but The card is invalid. Check the card.
unreadable (mute or in-
correctly inserted)
No certificates found No certificates found on the Refer to the IT administrator.
card. 4

ed to the red cross
List certificates: Chain At least one root or intermedi- Create all the necessary (root and in-
status not trusted ate certificate is missing or in termediate) certificate(s) in Express
error (in the system configura- WebTools. Go to the 'Security' - 'Trus-
tion). ted certificates' page to create them.
If the intermediate or root certificates
cannot be easily retrieved, you can :
1. Identify all of them with the vali-
dation tool report:
They are identified with lines :
-…
2. Check whether you find those cer-
tificates XXXXXXXXX in your
browser, then export each certifi-
cate in your browser
3. Configure in Express WebTools
the trusted certificates you just ex-
ported (see section 'Configure the
smart card settings' in topic 'Con-
figure the Smart card authentica-
tion').
Revocation status : The revocation server is re- - Check that the URL of the revocation
Server is off line quired but cannot be reached. server is present on the smart card or
declared in Express WebTools.
- Deactivate the check for certificate
revocation (not recommended if a cer-
tificate revocation is required).
Invalid PIN Invalid PIN Type in the correct PIN.
Authentication by Contactless card (for CW3500/3600/3700/3800 and CW500/700 4.2 and higher versions)
Authentication by Contactless card (for CW3500/3600/3700/3800 and

CW500/700 4.2 and higher versions)
Requirements
Introduction
To use the authentication by contactless card, the contactless card and the contactless card
reader must comply with the following requirements:
Requirements for the contactless card

Contactless card configuration
The contactless card embeds all information (user/password/domain/…) which will be checked
with Active Directory.
Compatible contacless cards
• Felica (Felica, Felica Lite, Felica Lite-S)
• Mifare (Mifare Classic 1K, Mifare Classic 4K,Mifare Plus, Mifare DESfire EV1, Mifare Ultralight,
Mifare Ultralight C)
Compatible contactless card readers

• Sony RC-S380(/S)
• Advanced Card Systems (ACS) ACR1252U
• Advanced Card Systems (ACS) ACR122U (no support of Felica Lite cards)
• Readers compatible with the CCID and PC/SC standards may work with restrictions :
• disabling beep not supported
• configuration of card types in Express WebTools is not supported, so other cards than Felica
or Mifare may work. (The 'Type of contactless card' setting in Express WebTools - Security -
Configuration - User access configuration' has no influence in this case)
- Contact your Canon representative in case you want to use a contactless card or a contactless
card reader which is not recorded in the above lists.
- Plug the contactless card reader into the USB port (contact your local Canon representative).
Introduction
Perform the following steps to activate the user authentication and configure the contactless card
authentication.
Before you begin

The contactless card and the contactless card reader are compliant with the requirements.
Activate the contactless card authentication

3. In the 'User access mode' section, select 'Contactless card' as the 'User authentication':

When 'User access mode' is set to another setting than 'Disabled', the system must be
restarted to guarantee the data confidentiality of future incoming jobs. Do not select 'Restart
later'.
Procedure
3. Enter the following information:

• A description.
• The credentials (username/password ) for the LDAP lookup account (mandatory).
• The LDAP attribute for the card ID (it is up to the IT administrator to use or define a new one in
Active Directory). The card ID is the unique identifier sent to the Active Directory for
identification.
• The 'User session time-out', in minutes. This is the duration of a user session before automatic
log out on the system user panel.
• Whether the PIN of the contactless card is requested at logging time.
('Require the fully qualified name of the job owner' setting). The user then sees only the jobs
that have been submitted with this FQDN.
• The type of the contactless card: Felica or Mifare or both.
When to do
After you configured the authentication by contactless card, validate it.
Procedure
1. Below the 'User access mode' section, click 'Validate the configuration of the user access mode'.

3. Click 'OK'.

Troubleshooting of authentication by contactless card on page 296.
Introduction
Approach the contactless card reader with the contactless card.
• The authentication is automatic when the contactless card contains valid credentials.
• A login window is displayed when the authentication with the contactless card requires a PIN.
Enter the PIN in the password field.
Introduction
When an error occurs during the configuration of the authentication by contactless card, go to the
'Security' - 'Configuration' page and start the validation tool (See Validate the contactless card
configuration on page 295).
contactless card configuration.
Authentication by contactless card: errors

A red cross in the report indicates an error.
For error messages with possible causes and actions to solve the error see:

ed to the red cross
configured press WebTools. (Go to the 'Se-
curity' - 'Domains' page)
Error in DNS lookup: The domain entered is not correct Check the syntax of the domain
Name')
er.
Enter the LDAP server and LDAP
port explicitly in Express WebT-
ools (in 'Security' - 'Domains' - '
Advanced').
rootDSE: The user - 'Domains'
name or password is
incorrect
Directory lookup: User The LDAP search filter is not cor- In Express WebTools check the
object cannot be found rect. LDAP search filter in 'Security' -
'Domains' - ' Advanced'.
specified
If a red cross is not reported with the 'Validate configuration' tool, but there is an error during
authentication with the card, please check:
• If the PIN code is correct but authentication fails, check that the LDAP attribute for card ID is
correctly set in the domain created (this may occur in case PIN code setting is setup AFTER the
domain has been created).
• If the account has been disabled in Active Directory
• If the account has been locked in Active Directory
• If the account has been expired in Active Directory
• If the account password has expired
Introduction
Perform the following steps to activate and configure the user authentication by user name and
password
Before you begin

A domain containing users with Microsoft Active Directory credentials.
Check that the printer 'Current date and time' and 'Time zone' values are correct (in Express
Activate the User name and password authentication

3. In the 'User access mode' section, select 'User name and password' as the 'User
authentication':

'Restart later'.
Procedure
1. Open the 'Security' - 'Domains' page
3. Enter a name for the domain. This name will appear on the user panel as the domain name, so it
is recommended to give it a clear name.
4. Enter a description.
5. Enter the exact fully qualified domain name (FQDN):
• 'LDAP lookup account': enter the credentials if different from the account of the authenticated
user (which is the default).
• 'LDAP attribute for Home folder' : by default the Home directory (for product with the 'Scan to
Home folder' feature).
automatic log out on the printer panel.
Note that it is recommended to increase this duration for big jobs or heavy print files.
• Whether the fully qualified name of the job owner is used for job filtering ('Require the fully
qualified name of the job owner' setting).
When this setting is activated, the FQDN of the user is requested when the user logs in on the
printer panel. The user then sees only the jobs that have been submitted with this FQDN.
Example: 'user1@mydomain.com' is logged in on the printer. This user will see only the jobs
that have been submitted by 'user1@mydomain.com'. So the user must make sure that the
submission process embedded this information.
filtering.
Example: 'user1' only is used for filtering the job sent by all 'user1' users, if several. When
logged in on the printer, 'user1' will have access to all jobs submitted by:
• 'user1@mydomain.com'
• 'user1'
When to do
After you configured the authentication by user name and password, validate it.
Procedure
3. Enter a valid user name and the associated password.
4. Click 'OK'.

If there is a red cross, solve the issue or check the solutions in the troubleshooting section below.
Introduction
On the system user panel, tap the 'log in' icon to display the window.
• Select the domain.
• Type in the user name and the password.
Troubleshooting
Troubleshooting
Introduction
When an error occurs during the process of authentication by user name and password, go to the
'Security' - 'Configuration' page and Validate the configuration on page 559.
configuration.
Authentication by user name / password: errors in the validation report


ed to the red cross
configured press WebTools. Go to the 'Secur-
ity' - 'Domains' page)
Error in DNS lookup: The domain entered is not correct. Check the syntax of the domain
Name')
er. Enter the LDAP server and
LDAP port explicitly in Express
WebTools (in 'Security' - 'Do-
mains' - ' Advanced').
The user name or pass- The combination of user name Check the user name and pass-
word is incorrect and password is not correct. word.
The suffix for the User Principal Check the Fully Qualified Domain
Name (UPN) is not correct. Name (FQDN). 4
Troubleshooting

ed to the red cross
Authenticating user: Additional test: Authenticate on In Express WebTools correct the
xxx the user panel. If the authentica- 'Current date and time' in 'Prefer-
A local error has occur- tion fails and a 'Invalid creden- ences' - 'System defaults' - Re-
red. tials' message is displayed then: gional settings'.
The date and/or time set in the
system is not correct.
rootDSE: The user - 'Domains' - ' Advanced'.
name or password is
incorrect.
Directory lookup: The LDAP search filter is not cor- In Express WebTools check the
User object cannot be rect. LDAP search filter in 'Security' -
found 'Domains' - ' Advanced'.
specified.
Log out
Log out
Introduction
A session can be manually interrupted by a manual log out, or automatically interrupted by the
session time-out, in any conditions (normal working condition or in an error status).
A warning message announces the session time-out 10 seconds before the session closes.
When the session time-out expires the user session is automatically closed, even when a smart
card is inserted.
For security reasons, it is recommended to log out after the job completion, before leaving the
system place.
Log out after an authentication by login / password

Log out after an authentication by smart card

To log out, remove the smart card from the smart card reader.
NOTE
The session is automatically closed when the time-out occurs, even if the smart card is still in the
card reader.
Pull the card out of the reader and insert it again to start a new session.
Log out after an authentication by contactless card

Introduction
Find below some cases where the time-out can interact with the behaviour of the system.
NOTE
The time-out starts when no operation is made on the printer panel.
A job remains 24 hours maximum in the system. After this period of time, the jobs that are not
processed are automatically deleted.
Time-out occurs or the user logs out

When the time-out occurs during a job (or when the user logs out):
Case Status of the jobs When the session time-out or log

out occurs
'User A' has submitted a There is at least one job in The job in 'printing' and in 'Ready to
job. A time-out or logout 'Printing' state, in the job print' statuses are printed.
occurs. queue. All the jobs that have another status
jobs.
'User A' has submitted a • There is at least one job The jobs of 'User A' in 'Ready to
batch of jobs. A time-out or of 'User A' in 'Printing' print' status are printed.
logout occurs before the state. The jobs of 'User B' are printed.
end of the printing process. • When 'User B' logs in on
'User B' submits a job. the system panel he can
see:
- the jobs of 'User A' that
are in 'Ready to print'
state.
- the jobs he submitted.
big job is longer than the the job is processed. The job is not printed. The job is put
session time-out. The job does not reach the on hold.
'Printing' status. It is recommended to increase the
user session time-out.
batch of jobs is longer than all the jobs are processed. Only the jobs in 'Ready to print' and
the session time-out. At least one job is printing. 'Printing' statuses are printed.
All the jobs that have another status
jobs.
The queue is paused
Case Status of the jobs What to do

A user has submitted a batch The jobs in 'Printing' status The user logs in (when nee-
of jobs. The user pauses the are printed. ded) and resumes the queue
queue. All the other jobs are put on to print the remaining jobs.
hold.
'User A' has submitted a batch The job in 'Printing' status is 'User A' must log in to see his
of jobs. A time-out occurs or printed. jobs on hold and resume the
the user log out before the All the other jobs of 'User A' queue.
end of the printing process. are put on hold and disappear
'User B' logs in on the system from the queue view.
panel and pauses the queue.
An error occurs
Case Status of the jobs Then

An error occurs on a job The job is put on hold. It When the issue is fixed before the
will not be printed until the time-out occurs, the job restarts and
problem is solved. is printed.
When the time-out occurs before the
issue is fixed, this job is put on hold.
The user must solve the issue, and
then must log in to resume the
queue.
A 'Media request' occurs The following combination When the media is loaded, the job
of settings applies: restarts and is printed.
- 'Media request time-out ' When the time-out occurs before the
- 'Action after media re- media is loaded, this job is put on
quest time-out ' hold. The user must load the media,
and then must log in to resume the
queue.
Troubleshooting
Troubleshooting
Troubleshooting after a successful authentication

The authentication is successful but I cannot see the job I submitted to the system.
Possible cause:
The owner of the job (the user name sent within the job) does not match the user name of the
user authenticated on the system.
This issue can occur in the context of authentication by smart card or by user name and
password.
Actions:
The user name used for authentication on the system must match the exact user name of the
owner of the job:
1. Verify the user name used for authentication on the system.
- In case of authentication by smart card, start and follow the validation procedure (see
Validate the smart card configuration on page 289) and check the complete User Principal
Name in the report.
Example: 'user1@mydomain.com' in the report below:
- In case of authentication by user name and password check the domain, and the user name
used to log in on the printer user panel.
2. Check the exact user name of the owner of the job. Set or change it when needed.
Refer to the user authentication according to the job submission workflow, see The user
authentication in the main job submission workflows on page 282.
• For a job submitted with the PS3 driver, Driver Express or Publisher Select, the user name
and the domain of the user logged in on the workstation are used to submit the job
(including the domain when detected). If needed, log in on the workstation with the
relevant user name on the relevant domain (example: 'user1' on domain 'domain.com')
• For a job submitted with WPD2/ Driver Select, the 'user account name' displayed in WPD2,
in the top right part of the window is used. Change it if needed (example:
user1@domain.com).
Note: If the user account name is not displayed, open the 'Options' - 'Advanced options'
window and check the option 'Require user authentication' in 'Troubleshooting'.
• For a job submitted with Publisher Express, or via FTP, or via LPR, that contains a job ticket,
open the job ticket to check the 'Username' field.
• For a job submitted with Publisher Express, that does not contain a job ticket, check the
content of the 'Job owner' field in the Publisher Express (Express WebTools) application.
Set or change the 'Job owner' to the user Fully Qualified Name (example:
user1@domain.com)
• For a job submitted via LPR or with ONYX, that does not contain a job ticket, check the user
name used for logging on the workstation, and uncheck the setting, 'Require the fully
qualified name of the job owner' (in Express WebTools - Security - 'Configuration' - 'User
The authentication is successful, I can see the jobs I submitted to the system but not all of them
are printed.
Possible cause:
The time for the processing of the jobs exceeds the user session time-out. All the jobs have not
reached the 'Ready to print' or 'Printing' status.
Action:
Increase the 'User session time-out' (in Express WebTools - Security - 'Configuration' - 'User
Introduction
In case you are locked because the user access mode is enabled and you cannot access Express
WebTools, you can disable it on the system panel.
Disable the user authentication on the printer user panel
Procedure
1. On the user panel, tap the upper right corner, to display the menu.
3. Enter the System administrator password.

The current security configuration is displayed.
4. Tap 'Next' to go on and disable a feature.
5. Select 'User authentication' and tap 'Next'.
6. Tap 'Finish'.
7. Restart the system.
Result
The user authentication is disabled.
Hard disk encryption (for CW500/700/3500/3700)

Introduction
In order to protect the confidentiality of print and scan data in the system controller hard disk,
Pre-requisite
• The release of the ColorWave 3500/3700 or ColorWave 500/700 system R4.1 or higher.
• The hard disk encryption licence.
Contact your Canon representative.
• A TPM (Trusted Platform Module) board installed in the controller.
A Service technician installs the license and the TPM board. Make sure the System Administrator
grants him the permission by setting 'Allow Service to access licenses information' (in Express
WebTools, in ' Security' - 'Configuration', 'Permissions for Service').
When to perform the encryption of the hard disk

You can decide to encrypt the controller disk:
• During the installation of a new print system (recommended)
• On a running system which has already processed data
2 encryption modes
There are 2 encryption modes:
Encryption mode Scope Duration Remarks

Normal The Normal encryption encrypts the around 30
used disk space only. minutes
It is recommended for new systems,
at installation time, when no print/
scan data has been processed on the
disk.
Full The Full encryption encrypts the en- around 4 When the system has
tire disk. hours and already been used:
It is recommended in the following 45 minutes - a back-up of the sys-
cases: tem is required.
• encryption of a running system - the system is com-
that has already processed data pletely reinstalled.
• encryption of a disk which has al-
ready been used
• when the security policy requires
it
Check the encryption mode

To check the encryption mode configured on the system:
1. In the system settings, select 'Security'
2. In the 'Current Security Configuration' window, check the encryption mode.

The disk encryption status can be:
• 'No encryption'
• 'Full disk encrypted' (Full mode)
• AES 256 method for CW3500/3700 and CW500/700 4.2 and higher versions
• AES-128 method for other CW500/700 versions
• 'Used space encrypted' (Normal mode)
• AES 256 method for CW3500/3700 and CW500/700 4.2 and higher versions
• AES-128 method for other CW500/700 versions
NOTE
Encryption method for CW3500/3700 and CW500/700 4.2 and higher version is fixed
to AES256 while encryption method for other CW500/700 versions is fixed to
AES128
When upgrading a CW500/700 R4.1 version with an encrypted disk to a CW500/700
R4.2, it is mandatory to purge first the encrypted disk of the CW500/700 R4.1 before
installing the version R4.2 and encrypting the disk in order to benefit the AES256
method on the new version (Please contact you Canon local representative).
How to change the encryption mode

Contact your Service representative to change the encryption mode.
The change of the encryption mode is performed in 4 steps:
1. The Service technician makes a back-up of the system.
2. The System Administrator purges the system (see procedure below).
3. The Service technician re-installs the system and set the required encryption mode.
4. The Service technician restores the configuration.

To purge the system from the system user panel:
2. In the 'Current Security Configuration' window, check the encryption mode and tap 'Next'.
(the 'Next' button is displayed only when an encryption mode is active).
3. In the list of actions, select 'Purge the System' and tap 'Next'.
4. A message ('Purging') is displayed. Wait until the message 'Purge complete / Power off the
system / Power on to reinstall' confirms the purge.
5. Power off the system (by using the black power button at the back of the printer, or by
pushing the button on the front of the printer for a few seconds).
NOTE
Important remark: when the system is purged, the system and the print/scan data are
decommissioned.
To use the system again, it must be completely reinstalled. The reinstallation will start
automatically when the system is powered on again. Contact your Service representative.
Hard disk encryption (CW3600/3800)

Introduction
In order to protect the confidentiality of print and scan data on the system controller hard disk,
Disk encryption on the CW3600/3800 is different from the older printers:
• It is not an option anymore. It is standard available.
• BitLocker is used in pre-provisioned mode in combination with the now standard TPM
hardware module (Trusted Platform Module) in the controller.
• The TPM module is integrated in the controller motherboard.
• There is just one mode: used space encryption.
• The data on the disk is always encrypted.
• The System administrator can suspend the encryption (via the operator panel or WebTools
Express) to remove the key from the TPM module and store it on disk (now the disk is readable
by other devices).
NOTE
Disk encryption has no impact on the performance. It should only be suspended in exceptional
cases.
After suspending it, you can re-enable encryption again. Re-enabling disk encryption should be
done by your local (Canon) representative, as the printer software needs to be reinstalled after
re-enabling encryption.
Suspend/Enable disk encryption

NOTE

Express.
2. In Webtools Express ('Security' - 'Configuration') go to 'Disk Encryption'.
3. Select the setting 'Disk encryption mode'.
4. • Select 'No encryption' to suspend encryption.

• Select 'Used disk space encrypted' to enable disk encryption.

To purge the system from the printer operating panel:
2. In the 'Current Security Configuration' window, tap 'Next'.
3. Now you get a window with possible operations.
Select 'Purge the System' and tap 'Next'.
4. A warning window is displayed.
Tap ‘Start’ to start the purging process.
5. When the purge process is ready, power off the system (by using the black power button at
the back of the printer, or by pushing the button on the front of the printer for a few seconds).
NOTE
Important remark: when the system is purged, all the data and the configuration are deleted.
To use the system again, it must be completely reinstalled.
E-Shredding
E-Shredding
Introduction

is reached
restarted.
directive):
NOTE
performance.
Before you begin

WebTools
Procedure
section.
2. Click 'Edit.'
Result
enabled':
occurs.
the Express WebTools (roll over the icon).

Inbox, cleanup)
NOTE


IPsec
IPsec
IPsec presentation
Introduction
on the network.
Illustration

IPsec presentation

vated. cryption.
encrypted. crypted.
is activated.
with the system.
with all stations.

- the IP address
print/scan system.
NOTE
Before you begin

Procedure

NOTE
workstation.
7. Click OK
Result
When to do
Pre-requisites
Purpose
a workstation.
NOTE
300 system.
PlotWave printers.
Procedure

Procedure
Policy'

Procedure


controller

9. Click 'Finish'
Procedure
2. Click 'Next'

Procedure
wizard
"Add")
2. Click 'Next'
(preshared key)'
9. Click 'Finish'
Procedure
Procedure
After you finish

500/550/650/650R3/700/3500/3600/3700/3800
system.
Introduction
and
panel.
Procedure
3. Enter the System administrator (or Power user) password


6. Press 'Finish'
Result
(HTTP).
HTTPS
HTTPS
Introduction
In the ColorWave systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Publisher Select 3 (for CW3600/3800)
communication.

protocol.


messages.

Procedure


'Next'.

11. Click on 'Yes'.

Result
Procedure


certificate
Introduction
printer.

Authority.
protocol.
Step Description
created.
ply.
request feedback
Step Description
Step Description
each workstation.
Other procedures
certificate.
When to do

Procedure
6. Click 'Save'
Purpose
Pre-requisites

NOTE
Procedure
NOTE
Result
text).
J
DAtNzQw
d
When to do
NOTE
Procedure


NOTE
on page 110
you.
Procedure
NOTE

certificate].
Procedure
Procedure
Result
When to do
NOTE
Procedure
Authorities' list
When to do
Procedure
5. Click 'Restore'
Click 'OK'
Purpose
When to do
NOTE
web browser.
Procedure
certificate]
Result
page 68)


Cipher algorithms
are NOT used:


Introduction
Home folders are private network locations where the Active Directory users can store their files.
With the 'Scan to Home folder' feature, an authenticated user can send scanned files from the
system directly to his/her Microsoft Active Directory Home folder.
The authenticated user can also print files from his/her Home folder.
Pre-requisites
To allow a user to scan files to his/her Home folder, the following configurations are required:
• In the Microsoft Active Directory:
- A Home folder, that is a UNC path location, exists for each user
- Users have the Read and Write rights to their private Home folder
• In the printer configuration:
- The User authentication is enabled
- The User authentication is configured with 'User name and password' (no Smart card or
Contactless card)
The 'Home folder' location is then automatically created as an 'External location'. You can
open the 'External locations' tab in 'Configuration' to see this 'Home folder' new location.
- The domain is created and configured
In the domain 'Advanced settings' keep the default 'homeDirectory' value in the 'LDAP
attribute for Home folder'.
- Check that the printer 'Current date and time' and 'Time zone' values are correct (in Express
Refer to Configure the user authentication by user name and password on page 557 for the
detailed procedure.
It is recommended that the System Administrator validates this new configuration by clicking
'Validate this configuration' in 'Security' - 'Configuration' (see Validate the configuration on
page 559).
Scan to the Home folder

There are 2 ways to send a scanned filed to the home folder:
Using a predefined scan template
A Key Operator can create a scan template in which the default destination for the scanned files is
the authenticated user's Home folder:
In Express WebTools for the system, in the 'Preference' - 'Scan' tab, create a new template and
set:
• the 'Scan destination type' to ' To External locations'
• The 'External location' to 'Home folder'
This scan template will be available to the authenticated users when they browse the list of scan
templates. They can select it to scan to their private Home folder.
Selecting the Home folder destination at the system panel
An authenticated user can always select the 'Home folder' in the scan settings at the moment
when he scans a document:
1. At the system panel, open the Scan settings
2. In 'Workflow', select the 'Network location' type and then the 'Home folder' as the destination.
Troubleshooting
Result
Both methods send the scanned files to the users' private Home folder (root directory).
Print from the Home folder

An authenticated user can also print from his/her private Home folder:
1. At the system panel, select the 'Print' tile to turn it into 'Print from...'.
2. Open it and browse to 'Home Folder'
3. Select 'Home Folder'
4. You can browse your personal 'Home folder' to the file to print.
Troubleshooting
When an error occurs during the process of authentication by user name and password follow
the procedures below to test and troubleshoot:
• Use the validation tool to validate the configuration. See Validate the configuration on
page 300
• Apply the corrective actions when needed. SeeTroubleshooting on page 302
In case the home folder is not accessible
• Use the validation tool and check in the report that the path to the Home folder is correct:
• Check the Read/ Write rights on the Home folder.
Introduction
device.
Illustration
Procedure

6. Click 'OK'

queue.
press') activated.
(logging needed).
box time-out.
box
Data protection for template export (for CW3500/3600/3700/3800 and CW500/700 R4.2 and higher versions)
Data protection for template export (for CW3500/3600/3700/3800

and CW500/700 R4.2 and higher versions)
Introduction
CAUTION :
Procedure
NOTE
Chapter 7
Security on ColorWave 810 (lower
than R1.4), ColorWave 900 and
ColorWave 910 (lower than R1.4)
Overview
Overview
Security overview for the ColorWave 810 (lower than R1.4),

ColorWave 900 and ColorWave 910 (lower than R1.4) systems
Introduction
The ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave 910 (lower than R1.4)
systems are equipped with the following security features:
Security overview
Operating System Microsoft Windows Embedded Standard 8 64 bits

Firewall Yes
Data encryption on the network HTTPS for administration (Express WebTools) and for
- User settings
620 Chapter 7 - Security on ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave 910 (lower than R1.4)
Ports - Protocols
Driver Express
TCP 443: HTTPS
ONYX UDP 161: SNMP
TCP 515: LPR
TCP 80: HTTP
FTP passive mode)
Notes:
Back-channel is a proprietary protocol used to retrieve information from the printer (status, media
loaded...) and to display it in the application or driver.
PING IPv4 ICMPv4
UDP(/TCP) <dynamic value> 4
Chapter 7 - Security on ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave 910 (lower than R1.4) 621
TCP 443: HTTPS
trieval
UDP 138
WAVE TCP 80: HTTP
(Publisher Select)

Inbound rules:
Outbound rules:
Security Patches
Security Patches
Introduction
Before you begin

NOTE

Important: When the Service technician installs the patches, make sure the System Administrator
allows him to do it (in Security' - 'Configuration').
Install a patch
Procedure
3. Select 'Update'
The authentication window opens.

wizard
6. Click OK
Protocol protection
Protocol protection
Introduction
attacks.
HTTPS (inbound), ICMP (ping), DNS, LPR protocols cannot be disabled.

services sis
Enable/Disable troller acts as a FTP serv-
er).
'LPR/LPD' LPR Always Enabled - Cannot For LPR printing
be disabled.
- Account Center
- Reprodesk
col.
enabled:
- 'Wave interface'
Publisher Select'
HTTP'
ices are disabled.
be disabled.
Note: To disable a network protocol or network service, go to the Preferences / Connectivity

To disable the connection to Remote Service, go to Preferences / System defaults / Service
related information.

Introduction

ools section
2 Preferences - System Disable Remote Service Set 'Remote Service connec-
Defaults - Service rela- tion' to 'Disabled'
ted information
down...
Introduction
• Collect log files into a USB device ('Get logfiles to USB stick' button in the 'Launcher'
application)

USB device.
is not possible
- during the storage of the log files
Roles and Passwords
Roles and Passwords
Roles and profiles
Roles description
system settings.
The roles are:
• Key operator:
security settings.
• Power user
• Service
Permissions for Service

In the 'Passwords' section on the 'Preferences' - 'Connectivity' page, the System administrator
and the Power User define whether they allow the Service technician to reset passwords.
On the 'Security' - 'Configuration' page, the System administrator and the Power User define
whether they allow the Service technician to:
• Perform the software reinstallation using the USB installation key
• Install an update or a patch on the system
Passwords policy in the ColorWave 810 (lower than R1.4) and ColorWave 910
(lower than R1.4) systems

• The roles
• The Proxy authentication password for Remote Service
Password policy
Password modification table

Service System administrator or Power user 4
Passwords policy in the ColorWave 810 (lower than R1.4) and ColorWave 910 (lower than R1.4) systems

Proxy authentication (for Remote System administrator or Power user
Service)
Audit log
Audit log
Introduction
and/or cleared.

In Express WebTools, open the 'Security' - 'Audit log' tab to download the Audit events log that
contains information on any change made in settings.
7. Event status (success, Failure)
• IPv4network settings (IP address, Subnet mask, DNS, Gateway, DHCP, …)
administrator, Power user, Service)
• Timezone
• HTTPS settings (change of certificate)
• Force entry of accounting data for print (on/off)
• Use of save and restore configuration
• Remote Service connection (enabled/disabled)
Data security
Data security
HTTPS
Introduction
In the PlotWave/ColorWave systems, you can use the HTTPS protocol to:
communication.

protocol.


messages.

Procedure


'Next'.

11. Click on 'Yes'.

Result
Procedure


certificate
Introduction
printer.

Authority.
protocol.
Step Description
created.
ply.
request feedback
Step Description
Step Description
each workstation.
Other procedures
certificate.
When to do

Procedure
6. Click 'Save'
Purpose
Pre-requisites

NOTE
Procedure
NOTE
Result
text).
J
DAtNzQw
d
When to do
NOTE
Procedure


NOTE
on page 110
you.
Procedure
NOTE

certificate].
Procedure
Procedure
Result
When to do
NOTE
Procedure
Authorities' list
When to do
Procedure
5. Click 'Restore'
Click 'OK'
Purpose
When to do
NOTE
web browser.
Procedure
certificate]
Result
page 68)
Chapter 8
Security on ColorWave 9000 (R2.x and
R 3.x) and ColorWave 810/910 (R1.4
and higher versions)
Overview
Overview
Security overview for the ColorWave 9000 and ColorWave 810/910

R1.4 (and higher versions)
Introduction
The ColorWave 9000 and ColorWave 810/910 R1.4 (and higher versions) systems are equipped
with the following security features:
Security overview
Operating System Microsoft Windows 10 IoT Enterprise LTSB 2016 (for

CW9000)
Microsoft Windows Embedded Standard 8 64 bits (for
ColorWave 810/910)
Firewall Yes
by Canon Production Printing (for CW9000)
Canon Production Printing released patches (for Color-
Wave 810/910)
(please check Security Web Page on
http://downloads.cpp.canon)
IPv6 Yes (IPV6 only or in combination with IPv4) (for CW9000
2.1 and higher and for CW810/910 1.5 and higher)
Device authentication IEEE802.1X (for CW9000 2.1 and higher and for
CW810/910 1.5 and higher)
- User settings
SNMPv3 support Yes (for CW9000 2.1 and higher and for CW810/910 1.5
and higher)
648 Chapter 8 - Security on ColorWave 9000 (R2.x and R 3.x) and ColorWave 810/910 (R1.4 and higher versions)
Ports - Protocols
Microsoft Windows (WPD2) TCP 80: HTTP for back-channel for Printer Discovery
Driver Select 1 and Advanced accounting

Driver Express
TCP 443: HTTPS
ONYX UDP 161: SNMP
TCP 515: LPR
TCP 80: HTTP
TCP 80: back-channel1 (WAVE)
FTP passive mode)
Notes:
1Back-channel is a proprietary protocol used to retrieve information from the printer (status,
PING IPv4 ICMPv4
PING IPv6 ICMPv6 4
Chapter 8 - Security on ColorWave 9000 (R2.x and R 3.x) and ColorWave 810/910 (R1.4 and higher versions) 649
TCP 443: HTTPS
trieval
nel
LDAP authentication over Ker- TCP 88 /UDP any: for Kerberos
any: for LDAP
any
UDP 138
WSD TCP 80: HTTP
WAVE TCP 80: HTTP
(Publisher Select)
IPsec UDP 500
UDP 4500
Notes:

Inbound rules:
• Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)
Outbound rules:

• Core Networking - IPv6 (IPv6-Out).
Security Patches
Security Patches
Introduction
Before you begin

NOTE

Important: When the Service technician installs the patches, make sure the System Administrator
allows him to do it (in Security' - 'Configuration').
Install a patch
Procedure
3. Select 'Update'
The authentication window opens.

wizard
6. Click OK
Install Operating system patch for CW9000
Introduction
Before you begin

patches.
1. In Express WebTools, the user selects the Operating system patch file that he previously
retrieved.
Install a patch
Procedure
1. Open Express WebTools .
3. Select [Update].

ded system
lation, the system will reboot auto-
(default behavior)
downloaded and checked) but want
to really install it during non working
hours for a faster installation
any confirmation.
Protocol protection
Protocol protection
Introduction
attacks.
HTTPS (inbound), ICMP (ping), DNS, LPR protocols cannot be disabled.

services sis
Enable/Disable er).
- Back-channel for WPD2
- Account Center
- Reprodesk
vices (WSD)'
'OCI interfaces' Proprietary Enable/Disable
interfaces

services sis
col.
enabled:
- 'Wave interface'
ces'
Publisher Select'
HTTP'
ices are disabled.
be disabled.
Service documenta-
tion'


Introduction

ools section
2 Preferences - System Disable Remote Service connec- Set 'Remote Service connec-
Defaults - Service rela- tion tion' to 'Disabled'
ted information
3 Security - Configura- Disable the automatic update of Set 'Allow automatic update
tion - Permissions for the embedded Service information of embedded Service docu-
Service mentation' to 'Disabled'
down...
Introduction

• Executing any programme present on the USB device is not possible.
USB device.
is not possible.
- during the storage of the log files


• Supplicant
• Authenticator
A. B.

802.1x
802.1x
LAN LAN
LAN

EAP
• EAP-TLS
• EAP-MS-CHAP v2
authentication.
NOTE
methods.
PEAP
EAP-MS-
CHAP v2

environments.
NOTE
NOTE

supplicant.
EAP-TLS
Authenticator

5. FQDN

3. Authentication
4. Certificate
Domain controller
(Printer) server
LAN

network.
PEAP with EAP-TLS
Authenticator


3. Authentication
4. Certificate
Domain controller
(Printer) server
LAN
network.
Authenticator

MS-CHAPv2 login

5. Authentication
6. Data
(Printer) server
LAN
network.
Prerequisites
• A printer
• A RADIUS server
Introduction
see Configure the Radius server for 'Username from domain' - Network Policy on
page 683
Troubleshoot
page 708.
Introduction
NOTE
Procedure
used:
Example:
Example:
Prepare the switch
Prepare the switch
Introduction
Procedure

Prepare the switch
Introduction
Procedure
4. Click 'Ok'.

• Password
NOTE


downloaded.

MSCHAPv2'
Introduction
Before you begin

Procedure
Introduction
Procedure

4. Click on 'Next'.
6. Click on 'Next'.
8. Click on 'OK'.
MSCHAP v2 '.
12. Click on 'OK'.

Result
switch.
with EAP-TLS)'
Introduction
2016).
Before you begin

Procedure
is 'cw3700'.
Policy'.

Network Policy
Introduction
Procedure

4. Click on 'Next'.
6. Click on 'Next'.
8. Click on 'OK'.

11. Click on 'OK'.


Result
switch.
Introduction
Procedure

4. Click on 'Next'.
6. Click on 'Next'.
8. Click on 'OK'.
13. Click on 'OK'.



Result
switch.
Troubleshoot
Troubleshoot
Introduction
troubleshooting.


3. On the switch
Generally:
Troubleshoot

Troubleshoot

Troubleshoot

situation
menu: grade

'No'.
lyser)
4
Troubleshoot


IEEE802.1X)
ethernet port)
Troubleshoot

(CRP).'
in Active Directory
Roles
Introduction
Roles description
system settings.
The roles are:
• Key Operator:
security settings.
• Power User
• Service

• Domain Users: the IT administrator defines users in a domain who can act as Key Operator,
System Administrator, Power User and Service role
Local users
Local users
NOTE
Domain users.
Domain users (LDAP authentication)
Domain users (LDAP authentication)
Introduction
• On Server:
which group
• On the Printer:
• The IT manager defines the aforementioned domain(s) by mean of Express WebTools
• Any authorized user defined in a specific domain group can authenticate on Express WebTools
and the Local User Interface with the dedicated role.
Before you begin

Introduction
Before you begin

LDAP server.
Procedure

• A description.
administrator:
suffixes).
creation problem.
NOTE
After you finish

page 720
Introduction
Procedure
4. Click 'OK.
on page 263
Introduction
Before you begin

LDAP server.
Procedure

• A description.
administrator:
suffixes).
creation problem.
NOTE
After you finish

When to do
Before you begin

Procedure
Introduction
Procedure
4. Click 'OK.
page 264

NOTE

login.
NOTE
screen:
screen:
Password policy
Password policy





NOTE
CAUTION :
Introduction

or
able.
administrator
ted.
Please try again.
Introduction

able.
administrator
main.com")
Audit log
Audit log
Introduction
and/or cleared.

In Express WebTools, open the 'Security' - 'Audit log' tab to download the Audit events log that
contains information on any change made in settings.
7. Event status (success, Failure)
• IPv4network settings (IP address, Subnet mask, DNS, Gateway, DHCP, …)
administrator, Power user, Service)
• Timezone
• HTTPS settings (change of certificate)
• Force entry of accounting data for print (on/off)
• Use of save and restore configuration
• Remote Service connection (enabled/disabled)
SNMPv3: for CW9000 (2.1 and higher versions) and CW810/910 (1.5 and higher versions)
SNMPv3: for CW9000 (2.1 and higher versions) and CW810/910 (1.5
and higher versions)
Introduction
encryption.
The current implementation of SNMPv3 offers user authentication only to ensure identity of the
SNMPv3 settings
You can access to the SNMPv3 settings via the settings Editor : section Preferences - Connectivity
- SNMP v3

tion

• RFC 4293 MIB-II
Data security
Data security
E-Shredding
Introduction
The e-shredding feature is a security feature which allows to overwrite any user print data when it
is deleted from the system.

( 'Keep completed jobs in the Smart Inbox', 'Keep rasterised files in the system' system
settings are disabled in the Express WebTools)
is reached
('Keep completed jobs in the Smart Inbox' is enabled, with 'Remove jobs from the Smart Inbox
after' set in the job management settings of Express WebTools)
restarted.
directive):
NOTE
performance.
Before you begin

You must be logged on as a System Administrator or a Power user.
1. Open a web browser and enter the system URL: http://<hostname>, to open Express
WebTools
Procedure
section.
2. Click 'Edit.'
Result
enabled':
occurs.


When you enable the e-shredding feature, the system starts the e-shredding process for all print
- After an automatic deletion of the print jobs by the system (time-out, disabled Smart Inbox,
cleanup)
NOTE

Make sure all the print jobs are completely e-shredded

Once a batch of print jobs has been processed, perform the following actions to make sure all the
files are e-shredded:
IPsec
IPsec
IPsec presentation
Introduction
A strong mechanism of encryption guarantees the confidentiality of the user print data on the
network.
You can connect up to 5 IPsec stations to the print system.
Illustration

IPsec presentation

vated. cryption.
communicate with the print sys- with the print system.
tem. The system can communicate
encrypted. crypted.
Access control disabled Encryption between the print No filtering. No encryption.
system and IPsec stations is ac-
tivated.
with the system.
with all stations.

- the IP address
print/scan system.
NOTE
Before you begin

You must be logged on as a System Administrator or a Power user.
Procedure

NOTE
workstation.
7. Click OK
Result
When to do
Pre-requisites
Procedure
Complete the IPsec configuration for a secure connection between the printer system and a
workstation.
1. Add the security snap-in
2. Create the security policy
3. Create the filter list
4. Define the filter actions and security negotiation
5. Define the security rule
6. Assign the security policy
7. Customize the IPsec settings
NOTE
300 system.
The procedure is similar on other Operating Systems and for other PlotWave/ColorWave
printers.
Procedure

Procedure
Policy'

Procedure


controller

9. Click 'Finish'
Procedure
2. Click 'Next'

Procedure
wizard
"Add")
2. Click 'Next'
(preshared key)'
9. Click 'Finish'
Procedure
Procedure
After you finish

500/550/650/650R3/700/3500/3600/3700/3800
system.
Introduction
and
panel.
Procedure
1. On the user panel, tap in 'System' menu : 'System settings'.
Result
(HTTP).
HTTPS
HTTPS
Introduction
In the PlotWave/ColorWave systems, you can use the HTTPS protocol to:
communication.

protocol.


messages.
Procedure


'Next'.

11. Click on 'Yes'.

Result
Procedure


certificate
Introduction
printer.

Authority.
protocol.
Step Description
created.
ply.
request feedback
Step Description
Step Description
each workstation.
Other procedures
certificate.
When to do

Procedure
6. Click 'Save'
Purpose
Pre-requisites

NOTE
Procedure
NOTE
Result
text).
J
DAtNzQw
d
When to do
NOTE
Procedure


NOTE
on page 110
you.
Procedure
NOTE

certificate].
Procedure
Procedure
Result
When to do
NOTE
Procedure
Authorities' list
When to do
Procedure
5. Click 'Restore'
Click 'OK'
Purpose
When to do
NOTE
web browser.
Procedure
certificate]
Result
page 68)


Cipher algorithms
are NOT used:

Data protection for template export
Data protection for template export

Introduction
CAUTION :
Procedure
2. Open the 'Preferences' - 'Connectivity' page.
NOTE
Index
Index
A Presentation.... 47, 96, 136, 319, 380, 414,

578, 742
Antivirus............................ 40, 89, 126, 242, 408, 503
Workstation configuration... 51, 53, 54, 56,
58, 61, 140, 142, 143, 145, 147, 150, 323,
C 325, 326, 328, 330, 333, 383, 385, 386,
CA-signed certificate 388, 390, 393, 582, 584, 585, 587, 589,
Overall procedure.... 110, 164, 346, 428, 592, 746, 748, 749, 751, 753, 756
605, 640, 769
Certificate L
Backup.............................165, 347, 606, 641, 770
LDAP authentication.............................245, 506, 716
Import.... 167, 168, 349, 350, 608, 609, 643,
Local users............................................ 244, 505, 715
644, 772, 773
Request.... 166, 167, 348, 349, 607, 608,
642, 643, 771, 772 M
Reset................................169, 351, 610, 645, 774 McAfee Application Control........................ 273, 532
Restore............................ 169, 351, 610, 645, 774
O
D
OS and software protection: Linux
Domain users........................................245, 506, 716 ColorWave 600 (PP)....................................... 373
OS and software protection: Linux/WES2009
E ColorWave 650............................................... 373
E-shredding
Activation............44, 93, 133, 316, 378, 575, 738 P
Behaviour............46, 95, 135, 318, 379, 577, 741 Password
Enable................. 44, 93, 133, 316, 378, 575, 738 LUI passwords..................................................42
E-shredding Restore........................................ 42, 43, 375, 410
Algorithms.. 44, 93, 132, 315, 377, 413, 574, 737 Password
Presentation.... 44, 93, 132, 315, 377, 413, Backup.........................................42, 43, 375, 410
574, 737 Password policy............................128, 266, 409, 525
ColorWave 300................................................. 41
H ColorWave 6x0............................................... 374
PlotWave...........................................................41
HTTPS
PlotWave 900....................................................43
CA-signed certificate.... 110, 164, 346, 428,
Patch.... 120, 180, 182, 367, 402, 441, 443, 623,
605, 640, 769
652, 654
Self-signed certificate.... 68, 74, 103, 109,
Ports and protocols.... 27, 78, 117, 176, 364,
157, 162, 339, 344, 421, 426, 598, 603,
399, 437, 621, 649
633, 638, 762, 767
R
I
Remote Patch....................................................32, 83
IPsec
Roles.......... 41, 90, 127, 243, 374, 409, 504, 629, 714
Controller configuration...49, 98, 138, 321,
381, 416, 580, 744
Express WebTools settings.... 48, 97, 137,
320, 381, 415, 579, 743
779
Index
S
Scan to Home............................................... 355, 614
Scan to USB
Neutralize....................................................65, 66
Security................................................................... 37
Security levels
Available applications.... 27, 78, 117, 176,
364, 399, 437, 621, 649
Available protocols...27, 78, 117, 176, 364,
399, 437, 621, 649
Ports............................................................ 27, 78
Presentation................................................35, 86
Security policy........................................................ 12
Service operations........................................265, 524
Smart Inbox............ 76, 113, 171, 358, 397, 431, 617
Smart Inbox management .. 76, 113, 171, 358,
397, 431, 617
Support
Downloads........................................................14
Manuals............................................................ 14
Printer drivers...................................................14
U
USB direct print
Disabled.................... 65, 170, 357, 396, 430, 616
User authentication...................................... 275, 534
Contactless card..................................... 293, 552
Smart card.............................................. 286, 545
Troubleshooting.....................................307, 566
User name/ password............................298, 557
Workflow.................................................282, 541
W
Whitelisting................................................... 273, 532
Wizard: Security......................................................35
780
Canon Inc.
canon.com
Canon U.S.A., Inc.

usa.canon.com
Canon Canada Inc.

canon.ca
Canon Europe Ltd

canon-europe.com
Canon Latin America Inc.

cla.canon.com
Canon Production Printing Australia Pty. Ltd.

anz.cpp.canon
Canon China Co., Ltd.

canon.com.cn
Canon Singapore Pte. Ltd.

sg.canon
Canon Hongkong Co., Ltd.

hk.canon
© 2020 Canon Production Printing

PlotWave-ColorWave Security 2020-07 Administration Guide en - GB

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PlotWave-ColorWave Security 2020-07 Administration Guide en - GB

Uploaded by

Copyright:

Available Formats

PlotWave - ColorWave Systems

© 2020 Canon Production Printing

System and Network security..................................................................................................................... 117

IEEE802.1X - Configuration steps...................................................................................................454

Scan to Home folder / Print from Home folder....................................................................................614

The Security policy

System security and security on the network

Downloads and support for your product

Overview of the security features available per system

PlotWave 300 from PlotWave 340 PlotWave 750

User authentication - - By smart card or -

Publisher Express ac‐ - Access restriction Access restriction

Security features in PlotWave 3000, 3500, 5000, 5500, 7500

Operating System Microsoft Windows 10 IoT Enterprise LTSC 2019

ColorWave 600 (PP) ColorWave 650 R3.x

Data overwrite E-shredding for: E-shredding

Operating System Microsoft Windows Embedded Standard 8 64 bit

Operating System Microsoft Windows 10 IoT Enterprise LTSB 2016

Security features in the ColorWave 3500/3600/3700/3800 systems

Operating System Microsoft Windows 10 IoT Enterprise LTSB 2016 (for

Hard Disk encryption For CW3500/3700:

The use of software names and releases in this manual

'WPD2' and 'Driver Select'

'PS3' and 'Driver Express'

Releases of the software

Security on PlotWave 300/350, PlotWave 900 R1.x and

Operating System - Windows XP Service Pack 3 for all versions of

* Except on PlotWave 900 R1.2.

System and Network security

Application /Function‐ System Supported security lev‐ Port used on the

Application /Function‐ System Supported security lev‐ Port used on the

Mobile WebTools PlotWave 350 x x TCP 80: HTTP

Application /Function‐ System Supported security lev‐ Port used on the

Application /Function‐ System Supported security lev‐ Port used on the

Application /Function‐ System Supported security lev‐ Port used on the

Name resolution(**) PlotWave 300/ Plot- x Outgoing connec-

Application /Function‐ System Supported security lev‐ Port used on the

Before you begin

Find the Security patch from the Downloads website on "http://downloads.cpp.canon":

Install the Remote patch

4. Log in as the System administrator or Power user

7. Browse to the Remote patch and click OK to install it

8. Click OK to confirm the update

Security levels presentation

High security level

Medium security level

Normal security level

Before you begin

4. Open this section with the confirmation button.

6. Two options are possible:

Protect the security level by a password

8. Confirm to activate the password.

Prevent any outgoing connection to the Internet

St In the Express WebT‐ Action Detail

Security of the USB connection (PlotWave 300/350, ColorWave 300)

The USB connection on the Local user interface

Security on the USB port

Disable the USB features

Compatibility and recommendations

Roles and Passwords

Passwords used in Express WebTools

Password modification table for PlotWave 300/350 and ColorWave 300

Password backup/restore policy with the 'Save Set'/'Open Set' features